ZyXEL Communications ZYWALL USG 2000 Manual page 373
Unified security gateway
Hide thumbs
Also See for ZYWALL USG 2000:
- User manual (1114 pages) ,
- Support notes (227 pages) ,
- Quick start manual (120 pages)
Table of Contents
Advertisement
Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same
VPN tunnel to connect to a single IPSec router. For example, this might be used
with telecommuters.
In extended authentication, one of the routers (the ZyWALL or the remote IPSec
router) provides a user name and password to the other router, which uses a local
user database and/or an external server to verify the user name and password. If
the user name or password is wrong, the routers do not establish an IKE SA.
You can set up the ZyWALL to provide a user name and password to the remote
IPSec router, or you can set up the ZyWALL to check a user name and password
that is provided by the remote IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE
SA. These steps occur at the end, regardless of the negotiation mode (steps 7-10
in main mode, steps 4-7 in aggressive mode).
Certificates
It is possible for the ZyWALL and remote IPSec router to authenticate each other
with certificates. In this case, you do not have to set up the pre-shared key, local
identity, or remote identity because the certificates provide this information
instead.
• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check
the signatures on each other's certificates. Unlike pre-shared keys, the
signatures do not have to match.
• The local and peer ID type and content come from the certificates.
Note: You must set up the certificates for the ZyWALL and remote IPSec router first.
Regular Expressions in Searching IPSec SAs
A question mark (?) lets a single character in the VPN connection or policy name
vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and
so on.
Wildcards (*) let multiple VPN connection or policy names match the pattern. For
example, use "*abc" (without the quotation marks) to specify any VPN connection
or policy name that ends with "abc". A VPN connection named "testabc" would
match. There could be any number (of any type) of characters in front of the "abc"
at the end and the VPN connection or policy name would still match. A VPN
connection or policy name named "testacc" for example would not match.
ZyWALL USG 2000 User's Guide
Chapter 21 IPSec VPN
373
Advertisement
Table of Contents
Troubleshooting
Related Manuals for ZyXEL Communications ZYWALL USG 2000
Related Products for ZyXEL Communications ZYWALL USG 2000
- ZyXEL Communications ZYWALL USG 20W
- ZyXEL Communications USG210
- ZyXEL Communications ZyWall USG20W-VPN
- ZyXEL Communications ZyWall USG20-VPN
- ZyXEL Communications ZYWALL USG 300
- ZyXEL Communications USG-50 - V2.21 ED 1
- ZyXEL Communications USG-100@USG-200 - V2.20 ED 2
- ZyXEL Communications USG-300 - V2.20 ED 2