ZyXEL Communications Vantage CNM 2.3 User Manual page 143

Centralized network management

Table 50 Device Operation > Device Configuration > Security > VPN > VPN Rules (IKE) > Gateway Policy Add/Edit
LABEL: DESCRIPTION

Pre-Shared Key:
Select the Pre-Shared Key radio button and type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.

Certificate:
Select the Certificate radio button to identify the device by a certificate.
Use the drop-down list box to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click My Certificates to go to the My Certificates screen where you can view the device's list of certificates.

Local ID Type:
Select IP to identify this device by its IP address.
Select DNS to identify this device by a domain name.
Select E-mail to identify this device by an e-mail address.
You do not configure the local ID type and content when you set Authentication Key to Certificate. The device takes them from the certificate you select.

Content:
When you select IP in the Local ID Type field, type the IP address of your computer in the local Content field. The device automatically uses the IP address in the My ZyWALL field (refer to the My ZyWALL field description) if you configure the local Content field to 0.0.0.0 or leave it blank.
It is recommended that you type an IP address other than 0.0.0.0 in the local Content field or use the DNS or E-mail ID type in the following situations:
- When there is a NAT router between the two IPSec routers.
- When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses.
When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this device in the local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.

Vantage CNM User's Guide, Chapter 6 Device Security Settings
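A pre-deployment check of the Pre-Shared Key and local ID rules in this table, as an added example that is not part of the manual or of any ZyXEL software. The dictionary keys, function names and sample policies are hypothetical, and it assumes that a leading "0x" always marks a hexadecimal key, that only upper-case A-F is accepted, and that ASCII keys are printable.

```python
import re

# Constructed sample policies (not from the manual); the dict keys are hypothetical.
SITE_A = {"psk": "0x0123456789ABCDEF", "local_id_type": "IP",
          "local_content": "0.0.0.0", "my_zywall": "192.0.2.10"}
SITE_B = {"psk": "secret7", "local_id_type": "DNS",
          "local_content": "branch.example  ", "my_zywall": "198.51.100.7"}

HEX_KEY = re.compile(r"0x[0-9A-F]{16,62}")  # the "0x" prefix is not counted in the length

def classify_psk(psk):
    """Return 'hex' or 'ascii' for a key in the table's format, else raise ValueError."""
    if psk.startswith("0x"):  # assumption: a leading 0x always means a hexadecimal key
        if not HEX_KEY.fullmatch(psk):  # assumption: only upper-case A-F, as the table lists
            raise ValueError("hex key needs 16 to 62 characters from 0-9, A-F after 0x")
        return "hex"
    if not (psk.isascii() and psk.isprintable()):  # assumption: printable ASCII only
        raise ValueError("key must be ASCII")
    if not 8 <= len(psk) <= 31:
        raise ValueError("ASCII key must be 8 to 31 characters")
    return "ascii"

def effective_local_id(policy):
    """Return the (type, content) pair the device would present as its local ID."""
    id_type, content = policy["local_id_type"], policy.get("local_content", "")
    if id_type == "IP":  # blank or 0.0.0.0 falls back to the My ZyWALL address
        return id_type, policy["my_zywall"] if content in ("", "0.0.0.0") else content
    return id_type, content.rstrip(" ")  # DNS / E-mail: trailing spaces are truncated

def audit(local, remote, nat_between=False):
    """Lint both ends of one tunnel; return a list of human-readable findings."""
    findings = []
    for name, pol in (("local", local), ("remote", remote)):
        try:
            classify_psk(pol["psk"])
        except ValueError as err:
            findings.append(f"{name}: {err}")
        falls_back = pol["local_id_type"] == "IP" and pol.get("local_content", "") in ("", "0.0.0.0")
        if falls_back and (nat_between or pol.get("dynamic_wan")):
            findings.append(f"{name}: use a non-0.0.0.0 IP, DNS or E-mail local ID")
    if local["psk"] != remote["psk"]:  # keys are case-sensitive and must match exactly
        findings.append("pre-shared keys differ; expect PYLD_MALFORMED during negotiation")
    return findings

if __name__ == "__main__":
    for finding in audit(SITE_A, SITE_B, nat_between=True):
        print(finding)
```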