Table 101 Vpn Example: Mismatching Id Type And Content - ZyXEL Communications ZYWALL 35 User Manual
Internet security appliance
Hide thumbs
Also See for ZYWALL 35:
- User manual (832 pages) ,
- Support notes (335 pages) ,
- Quick start manual (142 pages)
Table of Contents
Advertisement
Chapter 18 IPSec VPN
In the following example, the ID type and content do not match so the authentication fails and
the ZyWALL and the remote IPSec router cannot establish an IKE SA.
Table 101 VPN Example: Mismatching ID Type and Content
ZYWALL
Local ID type: E-mail
Local ID content: tom@yourcompany.com
Peer ID type: IP
Peer ID content:
It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router.
In this case, you usually set the peer ID type to Any. This is not as secure as other peer ID
types, however.
18.3.1.2.1 Certificates
It is also possible for the ZyWALL and remote IPSec router to authenticate each other with
certificates. In this case, the authentication process is different.
• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check each
other's certificates.
• The local ID type and ID content come from the certificate. On the ZyWALL, you simply
select which certificate to use.
• If you set the peer ID type to Any, the ZyWALL authenticates the remote IPSec router
using the trusted certificates and trusted CAs you have set up. Alternatively, if you want to
use a specific certificate to authenticate the remote IPSec router, you can use the
information in the certificate to specify the peer ID type and ID content.
You must set up the certificates for the ZyWALL and remote IPSec router
before you can use certificates in IKE SA. See
more information about certificates.
18.3.1.3 Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to
connect to a single IPSec router. For example, this might be used with telecommuters.
Extended authentication occurs right after the authentication described in
page
356.
In extended authentication, one of the routers (the ZyWALL or the remote IPSec router)
provides a user name and password to the other router, which uses a local user database and/or
an external server to verify the user name and password. If the user name or password is
wrong, the routers do not establish an IKE SA.
You can set up the ZyWALL to provide a user name and password to the remote IPSec router,
or you can set up the ZyWALL to check a user name and password that is provided by the
remote IPSec router.
358
1.1.1.15
REMOTE IPSEC ROUTER
Local ID type: IP
Local ID content:
1.1.1.2
Peer ID type: E-mail
Peer ID content: tom@yourcompany.com
Chapter 19 on page 395
ZyWALL 5/35/70 Series User's Guide
for
Section 18.3.1.2 on
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
