Chapter 20 IPSec VPN

Table 119 VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL

DESCRIPTION

Peer Gateway

Select how the IP address of the remote IPSec router in the IKE SA is defined.

Address

Select Static Address to enter the domain name or the IP address of the remote

 

IPSec router. You can provide a second IP address or domain name for the

 

ZyWALL to try if it cannot establish an IKE SA with the first one.

 

Select Dynamic Address if the remote IPSec router has a dynamic IP address

 

(and does not use DDNS).

 

 

Authentication

Click Advanced to display more settings. Click Basic to display fewer settings.

 

Note: The ZyWALL and remote IPSec router must use the same

 

authentication method to establish the IKE SA.

 

 

Pre-Shared

Select this to have the ZyWALL and remote IPSec router use a pre-shared key

Key

(password) to identify each other when they negotiate the IKE SA. Type the pre-

 

shared key in the field to the right. The pre-shared key can be

 

• 8 - 32 alphanumeric characters or ,;`~!@#$%^&*()_+\{}':./<>=-".

 

• 16 - 64 hexadecimal (0-9, A-F) characters, preceded by “0x”.

 

If you want to enter the key in hexadecimal, type “0x” at the beginning of the key.

 

For example, "0x0123456789ABCDEF" is in hexadecimal format; in

 

“0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must

 

enter twice as many characters as listed above.

 

The ZyWALL and remote IPSec router must use the same pre-shared key.

 

 

Certificate

Select this to have the ZyWALL and remote IPSec router use certificates to

 

authenticate each other when they negotiate the IKE SA. Then select the

 

certificate the ZyWALL uses to identify itself to the remote IPsec router.

 

This certificate is one of the certificates in My Certificates. If this certificate is

 

self-signed, import it into the remote IPsec router. If this certificate is signed by a

 

CA, the remote IPsec router must trust that CA.

 

Note: The IPSec routers must trust each other’s certificates.

 

The ZyWALL uses one of its Trusted Certificates to authenticate the remote

 

IPSec router’s certificate. The trusted certificate can be a self-signed certificate or

 

that of a trusted CA that signed the remote IPSec router’s certificate.

 

 

Local ID Type

This field is read-only if the ZyWALL and remote IPSec router use certificates to

 

identify each other. Select which type of identification is used to identify the

 

ZyWALL during authentication. Choices are:

 

IP - the ZyWALL is identified by an IP address

 

DNS - the ZyWALL is identified by a domain name

 

E-mail- the ZyWALL is identified by an e-mail address

 

 

Content

This field is read-only if the ZyWALL and remote IPSec router use certificates to

 

identify each other. Type the identity of the ZyWALL during authentication. The

 

identity depends on the Local ID Type.

 

IP - type an IP address; if you type 0.0.0.0, the ZyWALL uses the IP address

 

specified in the My Address field. This is not recommended in the following

 

situations:

 

• There is a NAT router between the ZyWALL and remote IPSec router.

 

• You want the remote IPSec router to be able to distinguish between IPSec SA

 

requests that come from IPSec routers with dynamic WAN IP addresses.

 

In these situations, use a different IP address, or use a different Local ID Type.

 

DNS - type the domain name; you can use up to 31 ASCII characters including

 

spaces, although trailing spaces are truncated. This value is only used for

 

identification and can be any string.

 

E-mail- the ZyWALL is identified by an e-mail address; you can use up to 31

 

ASCII characters including spaces, although trailing spaces are truncated. This

 

value is only used for identification and can be any string.

366

 

ZyWALL USG 100/200 Series User’s Guide