ZyXEL P-660HNU-F1 User Guide - Page 219
Pre-Shared Key, 16.6.10 Diffie-Hellman (DH) Key Groups, 16.6.11 Telecommuter VPN/IPSec Examples
Chapter 16 VPN

16.6.8.1 ID Type and Content Examples

Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel. In other words, each Device's Peer ID type and content must equal the other Device's Local ID type and content, in both directions.

The two ZyXEL Devices in this example can complete negotiation and establish a VPN tunnel.

Table 70 Matching ID Type and Content Configuration Example

  ZYXEL DEVICE A                          ZYXEL DEVICE B
  Local ID type: E-mail                   Local ID type: IP
  Local ID content: [email protected]     Local ID content: 1.1.1.2
  Peer ID type: IP                        Peer ID type: E-mail
  Peer ID content: 1.1.1.2                Peer ID content: [email protected]

The two ZyXEL Devices in this example cannot complete their negotiation because ZyXEL Device B's Local ID type is IP, but ZyXEL Device A's Peer ID type is set to E-mail. An "ID mismatched" message displays in the IPSEC LOG.

Table 71 Mismatching ID Type and Content Configuration Example

  ZYXEL DEVICE A                          ZYXEL DEVICE B
  Local ID type: IP                       Local ID type: IP
  Local ID content: 1.1.1.10              Local ID content: 1.1.1.10
  Peer ID type: E-mail                    Peer ID type: IP
  Peer ID content: [email protected]      Peer ID content: N/A

16.6.9 Pre-Shared Key

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section 16.6.5 on page 216 for more on IKE phases). It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Phase 1 authentication rests entirely on this key, so use a long, random value and configure the same value on both peers; a key that can be guessed lets an attacker impersonate either end of the tunnel.

16.6.10 Diffie-Hellman (DH) Key Groups

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated: either peer could just as well have completed the exchange with an impostor. For authentication, use pre-shared keys.

Note: by current standards both groups are weak. The 768-bit Group 1 is deprecated (RFC 8247 states that IKE implementations must not use it), and the 1024-bit Group 2 provides roughly 80 bits of security and should not be used where the peer supports a larger group. Of the two groups this device offers, select DH2 on both ends.
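The three pieces above (matching IDs, the pre-shared key, and the Diffie-Hellman exchange) come together in IKE phase 1. The following Python model, added here as an illustration and not taken from ZyXEL firmware or documentation, runs a DH group 2 exchange with the 1024-bit MODP prime from RFC 2409, derives SKEYID, HASH_I and HASH_R the way RFC 2409 section 5.4 does for pre-shared-key authentication, and applies the ID type/content rule of Tables 70 and 71. Assumptions not stated by the manual: HMAC-SHA1 as the prf, a peer ID content of "N/A" accepting any content of the configured type, constructed cookies, nonces and SA payload, a constructed pre-shared key, and a constructed e-mail address standing in for the one in the tables.

```python
"""IKE phase 1 (main mode, pre-shared key) model tying together DH group 2,
SKEYID/HASH_I/HASH_R derivation (RFC 2409 section 5.4, prf assumed HMAC-SHA1)
and the ID matching rule of Tables 70 and 71. Added illustration, not ZyXEL
firmware code; cookies, nonces and the SA payload are constructed filler."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

# Oakley group 2: 1024-bit MODP prime, generator 2 (RFC 2409 section 6.2).
MODP_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
ID_TYPES = {"IP": 1, "E-mail": 3}  # ID_IPV4_ADDR, ID_USER_FQDN (RFC 2407)

def looks_prime(p, bases=(2, 3, 5, 7, 11)):
    """Fermat check: enough to catch a mistyped group prime."""
    return all(pow(b, p - 1, p) == 1 for b in bases)

def dh_keypair(p=MODP_1024, g=GENERATOR):
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared(peer_public, x, p=MODP_1024):
    """g^xy mod p; refuses the degenerate public values 0, 1 and p-1."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, x, p)

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def encode_id(id_type, content):
    """ID payload body: type octet followed by the identification data."""
    data = ipaddress.IPv4Address(content).packed if id_type == "IP" else content.encode()
    return bytes([ID_TYPES[id_type]]) + data

def id_matches(expected, received):
    """Type and content must both match. Content "N/A" is assumed here (the
    manual does not say) to accept any content of the configured type."""
    (etype, econtent), (rtype, rcontent) = expected, received
    return etype == rtype and econtent in ("N/A", rcontent)

@dataclass
class Peer:
    name: str
    local_id: tuple  # (type, content) this device sends in its ID payload
    peer_id: tuple   # (type, content) it requires from the other device
    psk: bytes

def ike_phase1(init, resp, p=MODP_1024):
    """Returns 'established', 'ID mismatched' or 'authentication failed'."""
    xi, gxi = dh_keypair(p)
    xr, gxr = dh_keypair(p)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sa_i = b"SA payload (constructed)"
    enc = lambda n: n.to_bytes((p.bit_length() + 7) // 8, "big")

    # Both sides now hold g^xy, but nothing yet proves who the other side is.
    gxy = dh_shared(gxr, xi, p)
    assert gxy == dh_shared(gxi, xr, p)

    # Each side derives SKEYID = prf(psk, Ni | Nr) from ITS OWN configured key.
    skeyid_i, skeyid_r = prf(init.psk, ni + nr), prf(resp.psk, ni + nr)
    id_i, id_r = encode_id(*init.local_id), encode_id(*resp.local_id)

    # Responder: initiator's ID must match the configured peer ID, then
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b).
    if not id_matches(resp.peer_id, init.local_id):
        return "ID mismatched"
    body_i = enc(gxi) + enc(gxr) + cky_i + cky_r + sa_i + id_i
    if not hmac.compare_digest(prf(skeyid_i, body_i), prf(skeyid_r, body_i)):
        return "authentication failed"

    # Initiator: the same checks on the responder's ID and HASH_R.
    if not id_matches(init.peer_id, resp.local_id):
        return "ID mismatched"
    body_r = enc(gxr) + enc(gxi) + cky_r + cky_i + sa_i + id_r
    if not hmac.compare_digest(prf(skeyid_r, body_r), prf(skeyid_i, body_r)):
        return "authentication failed"
    return "established"

# Tables 70 and 71 with a constructed key and a constructed e-mail address.
PSK = b"constructed-example-key"
MAIL = "telecommuter@example.com"
TABLE_70 = (Peer("A", ("E-mail", MAIL), ("IP", "1.1.1.2"), PSK),
            Peer("B", ("IP", "1.1.1.2"), ("E-mail", MAIL), PSK))
TABLE_71 = (Peer("A", ("IP", "1.1.1.10"), ("E-mail", MAIL), PSK),
            Peer("B", ("IP", "1.1.1.10"), ("IP", "N/A"), PSK))

if __name__ == "__main__":
    print("group 2 prime OK:", looks_prime(MODP_1024), MODP_1024.bit_length())
    print("Table 70:", ike_phase1(*TABLE_70))  # established
    print("Table 71:", ike_phase1(*TABLE_71))  # ID mismatched
```

Table 70 establishes, Table 71 fails on the initiator's side exactly as the manual describes (Device A expects an E-mail ID but Device B sends an IP ID), and giving one peer a different key fails the HASH_I comparison even though the DH exchange itself completed, which is the point of "the IKE SA is not authenticated". Keep in mind that in real main mode the responder must select the pre-shared key by the initiator's IP address before the encrypted ID payload arrives, which is why peers on dynamic addresses, as in the telecommuter examples that follow, typically share one rule and key.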
16.6.11 Telecommuter VPN/IPSec Examples

The following examples show how multiple telecommuters can make VPN connections to a single ZyXEL Device at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyXEL Device at headquarters has a static public IP address.

16.6.11.1 Telecommuters Sharing One VPN Rule Example

See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyXEL Device at headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the

ADSL Series User's Guide