ZyXEL Communications eir F1000 User Manual page 214

Chapter 18 VPN
Table 94 Security > IPSec VPN: Add/Edit
LABEL
IP Address for
VPN
IP Subnetmask
Tunnel access
from remote IP
addresses
IP Address for
VPN
IP Subnetmask
Protocol
Key Exchange
Method
Authentication
Method
Pre-Shared Key
Local ID Type
214
DESCRIPTION
If Single Address is selected, enter a (static) IP address on the LAN behind your Device.
If Subnet is selected, specify IP addresses on a network by their subnet mask by entering
a (static) IP address on the LAN behind your Device. Then enter the subnet mask to
identify the network address.
If Subnet is selected, enter the subnet mask to identify the network address.
Select Single Address to have only one remote LAN IP address use the VPN tunnel.
Select Subnet to specify remote LAN IP addresses by their subnet mask.
If Single Address is selected, enter a (static) IP address on the LAN behind the remote
IPSec's router.
If Subnet is selected, specify IP addresses on a network by their subnet mask by entering
a (static) IP address on the LAN behind the remote IPSec's router. Then enter the subnet
mask to identify the network address.
If Subnet is selected, enter the subnet mask to identify the network address.
Select which protocol you want to use in the IPSec SA. Choices are:
AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay
resistance), and non-repudiation but not encryption. If you select AH, you must select an
Integraty Algorithm.
ESP (RFC 2406) - provides encryption and the same services offered by AH, but its
authentication is weaker. If you select ESP, you must select an Encryption Agorithm
and Integraty Algorithm.
Both AH and ESP increase processing requirements and latency (delay). The Device and
remote IPSec router must use the same active protocol.
Select the key exchange method:
Auto(IKE) - Select this to use automatic IKE key management VPN connection policy.
Manual - Select this option to configure a VPN connection policy that uses a manual key
instead of IKE key management. This may be useful if you have problems with IKE key
management.
Note: Only use manual key as a temporary solution, because it is not as secure as a regular
IPSec SA.
Select Pre-Shared Key to use a pre-shared key for authentication, and type in your pre-
shared key. A pre-shared key identifies a communicating party during a phase 1 IKE
negotiation. It is called "pre-shared" because you have to share it with another party
before you can communicate with them over a secure connection.
Select Certificate (X.509) to use a certificate for authentication.
Type your pre-shared key in this field. A pre-shared key identifies a communicating party
during a phase 1 IKE negotiation.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9",
"A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not
counted as part of the 16 to 62 character range for the key. For example, in
"0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and
"0123456789ABCDEF" is the key itself.
Select IP to identify the Device by its IP address.
Select E-mail to identify this Device by an e-mail address.
Select DNS to identify this Device by a domain name.
Select ASN1DN (Abstract Syntax Notation one - Distinguished Name) to this Device by
the subject field in a certificate. This is used only with certificate-based authentication.
eir F1000 Modem User's Guide