ZyXEL Communications ZyWall 110 User Manual page 624

Chapter 30 IPSec VPN

Table 223 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)

LABEL
    DESCRIPTION

Peer ID Type
    Select which type of identification is used to identify the remote IPSec router during authentication. Choices are:
        IP - the remote IPSec router is identified by an IP address
        DNS - the remote IPSec router is identified by a domain name
        E-mail - the remote IPSec router is identified by the string specified in this field
        Any - the Zyxel Device does not check the identity of the remote IPSec router
    If the Zyxel Device and remote IPSec router use certificates, there is one more choice.
        Subject Name - the remote IPSec router is identified by the subject name in the certificate

Content
    This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type.
    If the Zyxel Device and remote IPSec router do not use certificates,
        IP - type an IP address; see the note at the end of this description.
        DNS - type the fully qualified domain name (FQDN). This value is only used for identification and can be any string that matches the peer ID string.
        E-mail - the remote IPSec router is identified by the string you specify here; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
    If the Zyxel Device and remote IPSec router use certificates, type the following fields from the certificate used by the remote IPSec router.
        IP - subject alternative name field; see the note at the end of this description.
        DNS - subject alternative name field
        E-mail - subject alternative name field
        Subject Name - subject name (maximum 255 ASCII characters, including spaces)
    Note: If Peer ID Type is IP, please read the rest of this section.
    If you type 0.0.0.0, the Zyxel Device uses the IP address specified in the Secure Gateway Address field. This is not recommended in the following situations:
        There is a NAT router between the Zyxel Device and remote IPSec router.
        You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses.
    In these situations, use a different IP address, or use a different Peer ID Type.

Phase 1 Settings

SA Life Time (Seconds)
    Type the maximum number of seconds the IKE SA can last. When this time has passed, the Zyxel Device and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however.

Negotiation Mode
    Select the negotiation mode to use to negotiate the IKE SA. Choices are:
        Main - this encrypts the Zyxel Device's and remote IPSec router's identities but takes more time to establish the IKE SA
        Aggressive - this is faster but does not encrypt the identities
    The Zyxel Device and the remote IPSec router must use the same negotiation mode.

Proposal
    Use this section to manage the encryption algorithm and authentication algorithm pairs the Zyxel Device accepts from the remote IPSec router for negotiating the IKE SA.

Add
    Click this to create a new entry.
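
The Peer ID Type, Content and Negotiation Mode rules in this table can be checked before a gateway entry is saved. The following is an added example, not part of the Zyxel guide: it models an entry as a Python dict, and the key names (peer_id_type, content, certificates, nat_in_path, dynamic_peers, negotiation_mode) and finding codes are assumptions of this example, not a Zyxel export format.

```python
from ipaddress import ip_address


def audit_gateway(gw, peer_mode=None):
    """Return (code, message) findings for one VPN gateway entry."""
    out = []
    id_type, content = gw["peer_id_type"], gw.get("content", "")
    certs = gw.get("certificates", False)

    if id_type == "Any":
        out.append(("ID-ANY", "remote router identity is not checked"))
    elif id_type == "Subject Name" and not certs:
        out.append(("ID-CERT", "Subject Name is only offered with certificates"))
    elif id_type == "IP":
        try:
            zero = ip_address(content) == ip_address("0.0.0.0")
        except ValueError:
            out.append(("ID-IP", f"{content!r} is not an IP address"))
        else:
            # 0.0.0.0 = use Secure Gateway Address; discouraged with NAT or dynamic peers.
            if zero and (gw.get("nat_in_path") or gw.get("dynamic_peers")):
                out.append(("ID-ZERO", "0.0.0.0 is not recommended for this topology"))

    # Length limits stated in the table: Subject Name 255, E-mail without certificates 31.
    limit = {"Subject Name": 255, "E-mail": None if certs else 31}.get(id_type)
    if limit and (not content.isascii() or len(content) > limit):
        out.append(("ID-LEN", f"Content allows at most {limit} ASCII characters"))
    if limit == 31 and content != content.rstrip(" "):
        out.append(("ID-TRIM", "trailing spaces are truncated"))

    if gw["negotiation_mode"] == "Aggressive":
        out.append(("MODE-AGGR", "identities are not encrypted during negotiation"))
    if peer_mode is not None and peer_mode != gw["negotiation_mode"]:
        out.append(("MODE-MISMATCH", "both routers must use the same negotiation mode"))
    return out


def codes(gw, peer_mode=None):
    return [code for code, _ in audit_gateway(gw, peer_mode)]


# Constructed sample entries; the dict keys are this example's own naming.
RISKY = {"peer_id_type": "IP", "content": "0.0.0.0", "nat_in_path": True,
         "negotiation_mode": "Aggressive"}
STRICT = {"peer_id_type": "DNS", "content": "branch.example.com",
          "negotiation_mode": "Main"}

if __name__ == "__main__":
    print(codes(RISKY, "Main"), codes(STRICT, "Main"))
```
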
ZyWALL USG Series User's Guide
624
