ZyXEL Communications ZyWALL 1000 manual 309

Chapter 20 IPSec VPN

In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps.

Figure 203 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued)

Step 5:

pre-shared key

ZyWALL identity, consisting of

- ID type - content Step 6: pre-shared key

Remote IPSec router identity, consisting of

- ID type - content

You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged.

"The ZyWALL and the remote IPSec router must use the same pre-shared key.

Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e- mail address. The content is only used for identification. Any domain name or e-mail address that you enter does not have to actually exist. Similarly, any domain name or IP address that you enter does not have to correspond to the ZyWALL’s or remote IPSec router’s properties.

The ZyWALL and the remote IPSec router have their own identities, so both of them must store two sets of information, one for themselves and one for the other router. Local ID type and content refers to the ID type and content that applies to the router itself, and peer ID type and content refers to the ID type and content that applies to the other router.

"The ZyWALL’s local and peer ID type and content must match the remote IPSec router’s peer and local ID type and content, respectively.