ZyXEL Communications 110, 1100, 310 DNS, DNS, DNS, Any, E-mail, E-mail, My Address, Subject Name, Local ID Type, on the Local ID Type

Chapter 20 IPSec VPN

Table 110 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL	DESCRIPTION
Certificate	Select this to have the ZyWALL and remote IPSec router use certificates to authenticate
	each other when they negotiate the IKE SA. Then select the certificate the ZyWALL uses
	to identify itself to the remote IPsec router.
	This certificate is one of the certificates in My Certificates. If this certificate is self-
	signed, import it into the remote IPsec router. If this certificate is signed by a CA, the
	remote IPsec router must trust that CA.
	Note: The IPSec routers must trust each other’s certificates.
	The ZyWALL uses one of its Trusted Certificates to authenticate the remote IPSec
	router’s certificate. The trusted certificate can be a self-signed certificate or that of a
	trusted CA that signed the remote IPSec router’s certificate.

Local ID Type	This field is read-only if the ZyWALL and remote IPSec router use certificates to identify
	each other. Select which type of identification is used to identify the ZyWALL during
	authentication. Choices are:
	IP - the ZyWALL is identified by an IP address
	DNS - the ZyWALL is identified by a domain name
	E-mail- the ZyWALL is identified by the string specified in this field

Content	This field is read-only if the ZyWALL and remote IPSec router use certificates to identify
	each other. Type the identity of the ZyWALL during authentication. The identity depends
	on the Local ID Type.
	IP - type an IP address; if you type 0.0.0.0, the ZyWALL uses the IP address specified
	in the My Address field. This is not recommended in the following situations:
	• There is a NAT router between the ZyWALL and remote IPSec router.
	• You want the remote IPSec router to be able to distinguish between IPSec SA
	requests that come from IPSec routers with dynamic WAN IP addresses.
	In these situations, use a different IP address, or use a different Local ID Type.
	DNS - type the fully qualified domain name (FQDN). This value is only used for
	identification and can be any string that matches the peer ID string.
	E-mail- the ZyWALL is identified by the string you specify here; you can use up to 63
	ASCII characters including spaces, although trailing spaces are truncated. This value is
	only used for identification and can be any string.

Peer ID Type	Select which type of identification is used to identify the remote IPSec router during
	authentication. Choices are:
	IP - the remote IPSec router is identified by an IP address
	DNS - the remote IPSec router is identified by a domain name
	E-mail- the remote IPSec router is identified by the string specified in this field
	Any - the ZyWALL does not check the identity of the remote IPSec router
	If the ZyWALL and remote IPSec router use certificates, there is one more choice.
	Subject Name - the remote IPSec router is identified by the subject name in the
	certificate

298
298	ZyWALL 110/310/1100 Series User’s Guide