ZyWALL 5/35/70 Series User’s Guide

Table 101 VPN Rules (IKE): Gateway Policy: Edit (continued)

LABEL

DESCRIPTION

 

 

Peer ID Type

Select from the following when you set Authentication Key to Pre-shared Key.

 

• Select IP to identify the remote IPSec router by its IP address.

 

• Select DNS to identify the remote IPSec router by a domain name.

 

• Select E-mailto identify the remote IPSec router by an e-mail address.

 

Select from the following when you set Authentication Key to Certificate.

 

• Select IP to identify the remote IPSec router by the IP address in the subject

 

alternative name field of the certificate it uses for this VPN connection.

 

• Select DNS to identify the remote IPSec router by the domain name in the

 

subject alternative name field of the certificate it uses for this VPN connection.

 

• Select E-mailto identify the remote IPSec router by the e-mail address in the

 

subject alternative name field of the certificate it uses for this VPN connection.

 

• Select Subject Name to identify the remote IPSec router by the subject name

 

of the certificate it uses for this VPN connection.

 

• Select Any to have the ZyWALL not check the remote IPSec router's ID.

 

 

Content

The configuration of the peer content depends on the peer ID type.

 

Do the following when you set Authentication Key to Pre-shared Key.

 

• For IP, type the IP address of the computer with which you will make the VPN

 

connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyWALL

 

will use the address in the Remote Gateway Address field (refer to the

 

Remote Gateway Address field description).

 

• For DNS or E-mail, type a domain name or e-mail address by which to identify

 

the remote IPSec router. Use up to 31 ASCII characters including spaces,

 

although trailing spaces are truncated. The domain name or e-mail address is

 

for identification purposes only and can be any string.

 

It is recommended that you type an IP address other than 0.0.0.0 or use the DNS

 

or E-mailID type in the following situations:

 

• When there is a NAT router between the two IPSec routers.

 

• When you want the ZyWALL to distinguish between VPN connection requests

 

that come in from remote IPSec routers with dynamic WAN IP addresses.

 

Do the following when you set Authentication Key to Certificate.

 

• For IP, type the IP address from the subject alternative name field of the

 

certificate the remote IPSec router will use for this VPN connection. If you

 

configure this field to 0.0.0.0 or leave it blank, the ZyWALL will use the

 

address in the Remote Gateway Address field (refer to the Remote

 

Gateway Address field description).

 

• For DNS or E-mail, type the domain name or e-mail address from the subject

 

alternative name field of the certificate the remote IPSec router will use for this

 

VPN connection.

 

• For Subject Name, type the subject name of the certificate the remote IPSec

 

router will use for this VPN connection. Use up to255 ASCII characters

 

including spaces.

 

• For Any, the peer Content field is not available.

 

• Regardless of how you configure the ID Type and Content fields, two active

 

SAs cannot have both the local and remote IP address ranges overlap

 

between rules.

Extended

 

Authentication

 

Enable Extended

Select this check box to activate extended authentication.

Authentication

 

Chapter 19 VPN Screens

318