ZyXEL Communications ZyWALL USG 300 User Manual page 349

Table 119 VPN > IPSec VPN > VPN Gateway > Edit (continued)
LABEL
Peer Gateway
Address
Authentication
Pre-Shared
Key
Certificate
Local ID Type
Content
ZyWALL USG 300 User's Guide
DESCRIPTION
Select how the IP address of the remote IPSec router in the IKE SA is defined.
Select Static Address to enter the domain name or the IP address of the remote
IPSec router. You can provide a second IP address or domain name for the
ZyWALL to try if it cannot establish an IKE SA with the first one.
Select Dynamic Address if the remote IPSec router has a dynamic IP address
(and does not use DDNS).
Click Advanced to display more settings. Click Basic to display fewer settings.
Note: The ZyWALL and remote IPSec router must use the same
authentication method to establish the IKE SA.
Select this to have the ZyWALL and remote IPSec router use a pre-shared key
(password) to identify each other when they negotiate the IKE SA. Type the pre-
shared key in the field to the right. The pre-shared key can be
• 8 - 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-".
• 16 - 64 hexadecimal (0-9, A-F) characters, preceded by "0x".
If you want to enter the key in hexadecimal, type "0x" at the beginning of the key.
For example, "0x0123456789ABCDEF" is in hexadecimal format; in
"0123456789ABCDEF" is in ASCII format. If you use hexadecimal, you must
enter twice as many characters as listed above.
The ZyWALL and remote IPSec router must use the same pre-shared key.
Select this to have the ZyWALL and remote IPSec router use certificates to
authenticate each other when they negotiate the IKE SA. Then select the
certificate the ZyWALL uses to identify itself to the remote IPsec router.
This certificate is one of the certificates in My Certificates. If this certificate is
self-signed, import it into the remote IPsec router. If this certificate is signed by a
CA, the remote IPsec router must trust that CA.
Note: The IPSec routers must trust each other's certificates.
The ZyWALL uses one of its Trusted Certificates to authenticate the remote
IPSec router's certificate. The trusted certificate can be a self-signed certificate or
that of a trusted CA that signed the remote IPSec router's certificate.
This field is read-only if the ZyWALL and remote IPSec router use certificates to
identify each other. Select which type of identification is used to identify the
ZyWALL during authentication. Choices are:
IP - the ZyWALL is identified by an IP address
DNS - the ZyWALL is identified by a domain name
E-mail - the ZyWALL is identified by an e-mail address
This field is read-only if the ZyWALL and remote IPSec router use certificates to
identify each other. Type the identity of the ZyWALL during authentication. The
identity depends on the Local ID Type.
IP - type an IP address; if you type 0.0.0.0, the ZyWALL uses the IP address
specified in the My Address field. This is not recommended in the following
situations:
• There is a NAT router between the ZyWALL and remote IPSec router.
• You want the remote IPSec router to be able to distinguish between IPSec SA
requests that come from IPSec routers with dynamic WAN IP addresses.
In these situations, use a different IP address, or use a different Local ID Type.
DNS - type the domain name; you can use up to 31 ASCII characters including
spaces, although trailing spaces are truncated. This value is only used for
identification and can be any string.
E-mail - the ZyWALL is identified by an e-mail address; you can use up to 31
ASCII characters including spaces, although trailing spaces are truncated. This
value is only used for identification and can be any string.
Chapter 21 IPSec VPN
349