ZyXEL UAG4100 User Guide - Page 351
Table 158, Label, Description
View all ZyXEL UAG4100 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 351 highlights
Chapter 30 IPSec VPN Table 158 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL Certificate DESCRIPTION Select this to have the UAG and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the UAG uses to identify itself to the remote IPSec router. This certificate is one of the certificates in My Certificates. If this certificate is selfsigned, import it into the remote IPsec router. If this certificate is signed by a CA, the remote IPsec router must trust that CA. Note: The IPSec routers must trust each other's certificates. User Based PSK Local ID Type Content Peer ID Type The UAG uses one of its Trusted Certificates to authenticate the remote IPSec router's certificate. The trusted certificate can be a self-signed certificate or that of a trusted CA that signed the remote IPSec router's certificate. User-based PSK (IKEv1 only) generates and manages separate pre-shared keys for every user. This enables multiple users, each with a unique key, to access the same VPN gateway policy with one-to-one authentication and strong encryption. Access can be denied on a per-user basis thus allowing VPN SA user-based policies. Click User Based PSK then select a user or group object who is allowed VPN SA access using this VPN gateway policy. This is for IKEv1 only. This field is read-only if the UAG and remote IPSec router use certificates to identify each other. Select which type of identification is used to identify the UAG during authentication. Choices are: IPv4 - the UAG is identified by an IP address DNS - the UAG is identified by a domain name E-mail - the UAG is identified by the string specified in this field This field is read-only if the UAG and remote IPSec router use certificates to identify each other. Type the identity of the UAG during authentication. The identity depends on the Local ID Type. IPv4 - type an IP address; if you type 0.0.0.0, the UAG uses the IP address specified in the My Address field. This is not recommended in the following situations: • There is a NAT router between the UAG and remote IPSec router. • You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses. In these situations, use a different IP address, or use a different Local ID Type. DNS - type the domain name; you can use up to 63 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string. E-mail - the UAG is identified by the string you specify here; you can use up to 63 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string. Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IPv4 - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is identified by the string specified in this field Any - the UAG does not check the identity of the remote IPSec router If the UAG and remote IPSec router use certificates, there is one more choice. Subject Name - the remote IPSec router is identified by the subject name in the certificate UAG Series User's Guide 351