ZyXEL Communications ZYWALL USG 2000 Manual page 371

Unified security gateway
ZyWALL and the remote IPSec router cannot authenticate each other and,
therefore, cannot establish an IKE SA.
Table 114 VPN Example: Matching ID Type and Content
ZYWALL                                   REMOTE IPSEC ROUTER
Local ID type: E-mail                    Local ID type: IP
Local ID content: tom@yourcompany.com    Local ID content: 1.1.1.2
Peer ID type: IP                         Peer ID type: E-mail
Peer ID content: 1.1.1.2                 Peer ID content: tom@yourcompany.com

Table 115 VPN Example: Mismatching ID Type and Content
ZYWALL                                   REMOTE IPSEC ROUTER
Local ID type: E-mail                    Local ID type: IP
Local ID content: tom@yourcompany.com    Local ID content: 1.1.1.2
Peer ID type: IP                         Peer ID type: E-mail
Peer ID content: 1.1.1.20                Peer ID content: tom@yourcompany.com
It is also possible to configure the ZyWALL to ignore the identity of the remote
IPSec router. In this case, you usually set the peer ID type to Any. This is less
secure, because any peer that holds the pre-shared key is then accepted whatever
identity it presents, so you should only use this if your ZyWALL provides another
way to check the identity of the remote IPSec router (for example, extended
authentication) or if you are troubleshooting a VPN tunnel.
Additional Topics for IKE SA
This section provides more information about IKE SA.
Negotiation Mode
There are two negotiation modes: main mode and aggressive mode. Main mode
provides better security, because the identities are exchanged only after
encryption keys have been derived. Aggressive mode is faster (three messages
instead of six) but sends the identities and the authentication hash in the
clear, so with pre-shared-key authentication an eavesdropper can run an offline
dictionary attack against the pre-shared key.
Main mode takes six steps to establish an IKE SA.
Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The
remote IPSec router selects an acceptable proposal and sends it back to the
ZyWALL.
Steps 3 - 4: The ZyWALL and the remote IPSec router exchange Diffie-Hellman
public values and nonces, based on the accepted DH key group, and each side
computes the shared secret. The pre-shared key itself is never sent; each side
combines it with the nonces to derive the keying material used for
authentication.
Steps 5 - 6: Finally, the ZyWALL and the remote IPSec router generate an
encryption key (from the shared secret), encrypt their identities together with
an authentication hash, and exchange this encrypted information. Each side
decrypts the other's identity, checks it against its configured peer ID, and
recomputes the hash; a peer that holds a different pre-shared key cannot produce
a hash that verifies, and a peer whose identity does not match is rejected.
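The following is an added example, not code from ZyXEL or from this manual. It walks through the six main-mode messages between a ZyWALL and a remote IPSec router and applies the peer ID rule from Tables 114 and 115 (including peer ID type Any) at steps 5 and 6. Everything about the message format is assumed: HMAC-SHA256 stands in for IKE's prf, a hash-derived XOR keystream stands in for the CBC cipher, the proposal strings and pre-shared key are constructed sample values, and the DH group is the 1024-bit MODP group 2 from RFC 2409. The `wire` list captures every byte string that crosses the network so you can confirm that the pre-shared key is never transmitted.

```python
"""Toy IKEv1 main mode between a ZyWALL and a remote IPSec router (added
example, not ZyXEL's code). Assumptions, all mine: HMAC-SHA256 stands in for
IKE's prf, a hash-derived XOR keystream stands in for the CBC cipher, and the
message encoding is ad hoc. DH modulus: RFC 2409 group 2 (1024-bit MODP)."""
import hashlib
import hmac
import os

P = int(  # RFC 2409 "Second Oakley Group", generator 2
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PROPOSALS = ["AES128-SHA1-DH2", "3DES-MD5-DH2"]  # constructed sample offer
PSK = b"correct horse battery staple"             # constructed sample key


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a hash-derived keystream (toy; symmetric, so also decrypts)."""
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_id(ident: tuple) -> bytes:
    return f"{ident[0]}:{ident[1]}".encode()


def decode_id(raw: bytes) -> tuple:
    id_type, content = raw.decode().split(":", 1)
    return (id_type, content)


def id_accepted(configured_peer_id: tuple, presented_id: tuple) -> bool:
    """The manual's rule: the peer ID type and content configured here must
    equal the local ID the remote presents; peer ID type 'Any' skips the check."""
    if configured_peer_id[0] == "Any":
        return True
    return configured_peer_id == presented_id


class Peer:
    def __init__(self, name, psk, local_id, peer_id, accept=PROPOSALS):
        self.name, self.psk, self.accept = name, psk, accept
        self.local_id, self.peer_id = local_id, peer_id
        self.x = int.from_bytes(os.urandom(32), "big")  # DH private value
        self.pub = pow(G, self.x, P)
        self.nonce = os.urandom(16)


def ike_main_mode(init: Peer, resp: Peer) -> dict:
    wire = []  # every byte string that crosses the network

    def fail(why):
        return {"established": False, "reason": why, "wire": wire}

    # Steps 1-2: initiator offers its proposals, responder picks one.
    wire.append(" ".join(PROPOSALS).encode())
    chosen = next((p for p in PROPOSALS if p in resp.accept), None)
    if chosen is None:
        return fail("no acceptable proposal")
    wire.append(chosen.encode())

    # Steps 3-4: DH public values and nonces. The PSK itself is never sent;
    # it only keys the derivation of SKEYID on each side.
    gxi, gxr = init.pub.to_bytes(128, "big"), resp.pub.to_bytes(128, "big")
    wire += [gxi + init.nonce, gxr + resp.nonce]
    keys = {}
    for me, other in ((init, resp), (resp, init)):
        shared = pow(other.pub, me.x, P).to_bytes(128, "big")
        skeyid = prf(me.psk, init.nonce + resp.nonce)
        keys[me.name] = (skeyid, prf(skeyid, shared + b"e"))  # SKEYID, SKEYID_e

    # Steps 5-6: each side encrypts its identity plus an authentication hash
    # under SKEYID_e; the receiver decrypts, checks the ID, recomputes the hash.
    def auth_msg(sender, gx_self, gx_peer):
        skeyid, ke = keys[sender.name]
        ident = encode_id(sender.local_id)
        return toy_cipher(ke, ident + prf(skeyid, gx_self + gx_peer + ident))

    msg5, msg6 = auth_msg(init, gxi, gxr), auth_msg(resp, gxr, gxi)
    wire += [msg5, msg6]
    for verifier, gx_self, gx_peer, msg in ((resp, gxr, gxi, msg5),
                                            (init, gxi, gxr, msg6)):
        skeyid, ke = keys[verifier.name]
        plain = toy_cipher(ke, msg)
        raw_id, their_hash = plain[:-32], plain[-32:]
        try:
            presented = decode_id(raw_id)
        except ValueError:  # garbage after decryption: the keys disagree
            return fail(f"{verifier.name}: cannot decrypt (PSK mismatch)")
        if not id_accepted(verifier.peer_id, presented):
            return fail(f"{verifier.name}: peer ID {presented} not accepted")
        expected = prf(skeyid, gx_peer + gx_self + raw_id)
        if not hmac.compare_digest(expected, their_hash):
            return fail(f"{verifier.name}: auth hash mismatch (PSK mismatch)")
    return {"established": True, "reason": chosen, "wire": wire}


def psk_on_wire(result: dict, psk: bytes) -> bool:
    """True if the PSK bytes appear anywhere in the captured exchange."""
    return any(psk in m for m in result["wire"])


if __name__ == "__main__":
    zywall = Peer("ZyWALL", PSK, ("E-mail", "tom@yourcompany.com"), ("IP", "1.1.1.2"))
    remote = Peer("remote", PSK, ("IP", "1.1.1.2"), ("E-mail", "tom@yourcompany.com"))
    print(ike_main_mode(zywall, remote)["reason"])  # Table 114: the IKE SA comes up
```

Run the Table 114 pair and the SA is established; change the ZyWALL's peer ID content to 1.1.1.20 as in Table 115 and the ZyWALL rejects message 6 with a peer ID mismatch, even though the remote router accepted message 5 and both sides hold the same pre-shared key. A peer with a different key fails earlier, at decryption or at the hash check, and `psk_on_wire` stays False in every run, which is the property that makes main mode safe to use with pre-shared keys.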
ZyWALL USG 2000 User's Guide
Chapter 21 IPSec VPN