ZyXEL Communications SBG3500-N000 User Manual page 261

Wireless n fiber wan small business gateway

Table 89 VPN > IPSec VPN > Setup > Edit (continued)

LABEL: Authentication
DESCRIPTION: Note: The SBG3500-N and remote IPSec router must use the same authentication method to establish the IKE SA.

Key Exchange Mode: Auto, Manual.

LABEL: Auto

LABEL: Pre-Shared Key
DESCRIPTION: Select this to have the SBG3500-N and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right. The pre-shared key can be either of the following:
- 8 to 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-".
- 8 to 32 pairs of hexadecimal (0-9, A-F) characters, preceded by "0x".
If you want to enter the key in hexadecimal, type "0x" at the beginning of the key. For example, "0x0123456789ABCDEF" is in hexadecimal format; "0123456789ABCDEF" is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs.
The SBG3500-N and remote IPSec router must use the same pre-shared key.
Note: All IPsec rules that use the remote access application scenario must use the same pre-shared key.

LABEL: Certificate
DESCRIPTION: To use a certificate for IPsec authentication, you need to add new host certificates in the Security > Certificates screen. See a tutorial on how to add new host certificates in Chapter 4 on page 61.
Select this to have the SBG3500-N and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the SBG3500-N uses to identify itself to the remote IPsec router.
This certificate is one of the certificates in Certificates. If this certificate is self-signed, import it into the remote IPsec router. If this certificate is signed by a CA, the remote IPsec router must trust that CA.
Note: The IPSec routers must trust each other's certificates.
The SBG3500-N uses one of its Trusted Certificates to authenticate the remote IPSec router's certificate. The trusted certificate can be a self-signed certificate or that of a trusted CA that signed the remote IPSec router's certificate.

LABEL: Local/Remote ID Type
DESCRIPTION: Select which type of identification is used to identify the SBG3500-N during authentication.
Any - The SBG3500-N does not check the identity of itself/the remote IPSec router.
IP - The SBG3500-N/remote IPSec router is identified by its IP address.
FQDN - The SBG3500-N/remote IPSec router is identified by a domain name.
User-FQDN - The SBG3500-N/remote IPSec router is identified by an e-mail address.
Note: The options FQDN and User-FQDN of Local ID Type and Remote ID Type are not applicable if you select Main as the Negotiation Mode with Pre-Shared Key.

LABEL: Manual

LABEL: SPI (HEX)
DESCRIPTION: Type a hexadecimal value (between 256 and 4095) for the Security Parameter Index (SPI). Make sure the remote VPN endpoint has the same value in its SPI field.

SBG3500-N000 User's Guide
Chapter 20 IPSec VPN
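
The Pre-Shared Key rules in the table above, as an added example that is not part of the Zyxel manual: a validator that turns a field value into key bytes, which shows that "0x0123456789ABCDEF" is an 8-byte key while "0123456789ABCDEF" is a 16-byte one. The names parse_psk and same_key are hypothetical, and the code assumes that lowercase a-f is accepted in hex keys and that an ASCII key is used as its raw bytes.

```python
import hmac
import string

# Allowed punctuation and length limits copied from the Pre-Shared Key row above.
PUNCTUATION = ",;|`~!@#$%^&*()_+\\{}':./<>=-\""
ALLOWED_ASCII = set(string.ascii_letters + string.digits + PUNCTUATION)
MIN_UNITS, MAX_UNITS = 8, 32  # characters (ASCII form) or hex pairs ("0x" form)


def parse_psk(field: str) -> bytes:
    """Return the key bytes a Pre-Shared Key field value encodes.

    Raises ValueError when the value breaks the rules in the table.
    Assumptions: lowercase a-f is accepted in hex keys, and an ASCII key
    is used as its raw bytes.
    """
    if field.startswith("0x"):
        digits = field[2:]
        if len(digits) % 2 or not all(c in string.hexdigits for c in digits):
            raise ValueError("hex key must be whole pairs of 0-9, A-F")
        if not MIN_UNITS <= len(digits) // 2 <= MAX_UNITS:
            raise ValueError("hex key must be 8 to 32 pairs")
        return bytes.fromhex(digits)
    if not MIN_UNITS <= len(field) <= MAX_UNITS:
        raise ValueError("ASCII key must be 8 to 32 characters")
    bad = sorted(set(field) - ALLOWED_ASCII)
    if bad:
        raise ValueError(f"characters not allowed in an ASCII key: {bad}")
    return field.encode("ascii")


def same_key(local_field: str, remote_field: str) -> bool:
    """True when both peers' field values encode identical key bytes."""
    return hmac.compare_digest(parse_psk(local_field), parse_psk(remote_field))


if __name__ == "__main__":
    # Constructed sample values; the first two are the manual's own examples.
    for value in ("0x0123456789ABCDEF", "0123456789ABCDEF", "0x012345", "pass word"):
        try:
            key = parse_psk(value)
            print(f"{value!r}: {len(key)} bytes ({len(key) * 8} bits)")
        except ValueError as err:
            print(f"{value!r}: rejected, {err}")
    # An ASCII key on one peer and its hex spelling on the other are the same key.
    print(same_key("01234567", "0x3031323334353637"))
```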