ZyXEL Communications ZyWall 110 User Manual page 393

Table 165 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued)
LABEL DESCRIPTION
Pre-Shared Key Select this to have the ZyWALL/USG and remote IPSec router use a pre-shared key
(password) to identify each other when they negotiate the IKE SA. Type the pre-shared
key in the field to the right. The pre-shared key can be:
•
•
Type "0x" at the beginning of a hexadecimal key. For example,
"0x0123456789ABCDEF" is in hexadecimal format; "0123456789ABCDEF" is in ASCII
format. If you use hexadecimal, you must enter twice as many characters since you
need to enter pairs.
The ZyWALL/USG and remote IPSec router must use the same pre-shared key.
Select unmasked to see the pre-shared key in readable plain text.
Certificate Select this to have the ZyWALL/USG and remote IPSec router use certificates to
authenticate each other when they negotiate the IKE SA. Then select the certificate the
ZyWALL/USG uses to identify itself to the remote IPsec router.
This certificate is one of the certificates in My Certificates. If this certificate is self-
signed, import it into the remote IPsec router. If this certificate is signed by a CA, the
remote IPsec router must trust that CA.
Note: The IPSec routers must trust each other's certificates.
The ZyWALL/USG uses one of its Trusted Certificates to authenticate the remote
IPSec router's certificate. The trusted certificate can be a self-signed certificate or that
of a trusted CA that signed the remote IPSec router's certificate.
User-based PSK User-based PSK (IKEv1 only) generates and manages separate pre-shared keys for
every user. This enables multiple users, each with a unique key, to access the same
VPN gateway policy with one-to-one authentication and strong encryption. Access can
be denied on a per-user basis thus allowing VPN SA user-based policies. Click User-
Based PSK then select a user or group object who is allowed VPN SA access using this
VPN gateway policy. This is for IKEv1 only.
Local ID Type This field is read-only if the ZyWALL/USG and remote IPSec router use certificates to
identify each other. Select which type of identification is used to identify the ZyWALL/
USG during authentication. Choices are:
IPv4 or IPv6 - the ZyWALL/USG is identified by an IP address
DNS - the ZyWALL/USG is identified by a domain name
E-mail - the ZyWALL/USG is identified by the string specified in this field
Content This field is read-only if the ZyWALL/USG and remote IPSec router use certificates to
identify each other. Type the identity of the ZyWALL/USG during authentication. The
identity depends on the Local ID Type.
IP - type an IP address; if you type 0.0.0.0, the ZyWALL/USG uses the IP address
specified in the My Address field. This is not recommended in the following situations:
•
•
In these situations, use a different IP address, or use a different Local ID Type.
DNS - type the fully qualified domain name (FQDN). This value is only used for
identification and can be any string that matches the peer ID string.
E-mail - the ZyWALL/USG is identified by the string you specify here; you can use up
to 63 ASCII characters including spaces, although trailing spaces are truncated. This
value is only used for identification and can be any string.
Chapter 22 IPSec VPN
alphanumeric characters or ,;.|`~!@#$%^&*()_+\{}':./<>=-"
pairs of hexadecimal (0-9, A-F) characters, preceded by "0x".
There is a NAT router between the ZyWALL/USG and remote IPSec router.
You want the remote IPSec router to be able to distinguish between IPSec SA
requests that come from IPSec routers with dynamic WAN IP addresses.
ZyWALL/USG Series User's Guide
393