Chapter 16 VPN
P-661HNU-Fx User’s Guide
236
(see Section 16.4 on page 226). The ID type and content act as an extra level of identification for incoming SAs.

The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address.
16.6.8.1 ID Type and Content Examples

Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel: each router's Local ID must be exactly what the other router has configured as its Peer ID. The ID only tells the ZyXEL Device which VPN rule (and therefore which pre-shared key) applies to an incoming SA; it does not by itself prove who the peer is. That proof comes from the pre-shared key (see Section 16.6.9).
Table 67 Local ID Type and Content Fields

LOCAL ID TYPE=   CONTENT=
IP               Type the IP address of your computer or leave the field blank to have the ZyXEL Device automatically use its own IP address.
DNS              Type a domain name (up to 31 characters) by which to identify this ZyXEL Device.
E-mail           Type an e-mail address (up to 31 characters) by which to identify this ZyXEL Device.

Note: The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.
Table 64 Peer ID Type and Content Fields

PEER ID TYPE=    CONTENT=
IP               Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyXEL Device automatically use the address in the Secure Gateway Address field.
DNS              Type a domain name (up to 31 characters) by which to identify the remote IPSec router.
E-mail           Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router.

Note: The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. The domain name also does not have to match the remote router's IP address or what you configure in the Secure Gateway Address field below.
The two ZyXEL Devices in Table 65 can complete negotiation and establish a VPN tunnel: each device's Local ID type and content are exactly what the other device is configured to expect as its Peer ID.

The two ZyXEL Devices in Table 66 cannot complete their negotiation because ZyXEL Device B's Local ID type is IP, but ZyXEL Device A's Peer ID type is set to E-mail. The type is compared as well as the content, so the negotiation fails even before the contents are looked at. An "ID mismatched" message displays in the IPSEC LOG.
16.6.9 Pre-Shared Key

A pre-shared key authenticates the communicating parties during the phase 1 IKE negotiation (see Section 16.6.5 on page 233 for more on IKE phases). It is called "pre-shared" because you have to share it with the other party, over some other trusted channel, before you can communicate with them over a secure connection. Both peers must be configured with the same key, and the key is what proves the peer's identity; the ID type and content (Section 16.6.8) only select which rule and key apply.

Use a long, randomly generated key rather than a word or phrase. This matters most with aggressive negotiation mode (Section 16.6.6), where the authentication hash computed from the pre-shared key is exchanged before encryption starts, so anyone who captures the exchange can test candidate keys against it offline.
16.6.10 Diffie-Hellman (DH) Key Groups

Diffie-Hellman (DH) is a public-key protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated: a third party in the path could have run a separate exchange with each side. For authentication, use pre-shared keys.

Choose DH2 whenever the peer supports it. Both groups are small by current standards (RFC 8247 rates the 768-bit MODP group as MUST NOT and the 1024-bit MODP group as SHOULD NOT for IKE), so the strength of the tunnel rests heavily on the pre-shared key and on keeping SA lifetimes short.
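The key material that Sections 16.6.9 and 16.6.10 describe, worked through in code. This is an added example and is not firmware or ZyXEL code: it runs a DH group 1 or group 2 exchange between two simulated peers, derives SKEYID and SKEYID_d from the pre-shared key and the DH secret as RFC 2409 specifies, and then shows why the key must be strong when aggressive mode is used. HASH_R in the second aggressive-mode message is sent unencrypted, so every input to it is visible on the wire and a captured exchange can be checked against a word list offline. HMAC-SHA1 as the negotiated PRF, the cookies, nonces, SA payload, responder identity and word list are all assumptions or constructed sample values.

```python
"""IKE phase 1 key material (RFC 2409) from a Diffie-Hellman group 1 or 2
exchange and a pre-shared key, plus the offline key check aggressive mode allows.
Added example, not ZyXEL or device code. Assumes HMAC-SHA1 as the negotiated
PRF; cookies, nonces, SA payload, identity and word list are constructed values.
"""
import hashlib
import hmac
import secrets

# RFC 2409 sections 6.1 and 6.2: 768-bit (group 1) and 1024-bit (group 2) MODP
# primes, generator 2 for both.
MODP_GROUPS = {
    1: int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
           "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
           "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16),
    2: int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
           "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
           "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
           "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16),
}
GENERATOR = 2

def dh_keypair(group):
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    p = MODP_GROUPS[group]
    x = secrets.randbelow(p - 2) + 1
    return x, pow(GENERATOR, x, p)

def dh_shared_secret(group, x, peer_public):
    """g^xy mod p; rejects the degenerate values 0, 1 and p-1 a peer could send."""
    p = MODP_GROUPS[group]
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, x, p)

def ke_bytes(value, group):
    """Fixed-width big-endian encoding, as the KE payload carries a public value."""
    return value.to_bytes((MODP_GROUPS[group].bit_length() + 7) // 8, "big")

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk, ni_b, nr_b):
    """RFC 2409 5.4, pre-shared key auth: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)

def skeyid_d(skeyid, shared_secret, cky_i, cky_r, group):
    """RFC 2409 5: SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0). The DH secret
    enters the session keys here; the pre-shared key only authenticates."""
    return prf(skeyid, ke_bytes(shared_secret, group) + cky_i + cky_r + b"\x00")

def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b):
    """RFC 2409 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

def phase1_exchange(group, psk):
    """Run both peers of an aggressive-mode phase 1. Returns what an on-path
    observer sees (no private exponents, no SKEYID) and the resulting SKEYID_d."""
    xi, gxi = dh_keypair(group)
    xr, gxr = dh_keypair(group)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)    # constructed
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)    # constructed
    sai_b = bytes.fromhex("0000000100000001")                         # constructed SA body
    idir_b = b"\x03\x11\x00\x00" + b"hq@example.com"  # ID type 3 (USER_FQDN), constructed
    secret = dh_shared_secret(group, xi, gxr)
    assert secret == dh_shared_secret(group, xr, gxi)     # both sides agree
    skeyid = skeyid_psk(psk, ni_b, nr_b)
    seen = {"gxi": ke_bytes(gxi, group), "gxr": ke_bytes(gxr, group),
            "cky_i": cky_i, "cky_r": cky_r, "ni_b": ni_b, "nr_b": nr_b,
            "sai_b": sai_b, "idir_b": idir_b}
    seen["hash_r"] = hash_r(skeyid, seen["gxr"], seen["gxi"], cky_r, cky_i, sai_b, idir_b)
    return seen, skeyid_d(skeyid, secret, cky_i, cky_r, group)

def crack_psk(seen, candidates):
    """Offline dictionary check. In aggressive mode HASH_R travels in the second
    message before any encryption, so every input to it is on the wire. In main
    mode it is inside the encrypted sixth message, so a passive capture is not enough."""
    for cand in candidates:
        guess = hash_r(skeyid_psk(cand, seen["ni_b"], seen["nr_b"]), seen["gxr"],
                       seen["gxi"], seen["cky_r"], seen["cky_i"], seen["sai_b"], seen["idir_b"])
        if hmac.compare_digest(guess, seen["hash_r"]):
            return cand
    return None

if __name__ == "__main__":
    words = [b"password", b"zyxel", b"zyxel1234", b"letmein"]
    print("weak key recovered:", crack_psk(phase1_exchange(2, b"zyxel1234")[0], words))
    print("random key recovered:", crack_psk(phase1_exchange(2, secrets.token_bytes(32))[0], words))
```

The degenerate-value check in dh_shared_secret is the one most implementations forget: a peer (or an attacker rewriting the KE payload) that sends 1 or p-1 forces the shared secret to a known value. The word-list loop is exactly what a capture of the first two aggressive-mode messages permits; a 32-byte random key makes it hopeless, a dictionary word does not.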
16.6.11 Telecommuter VPN/IPSec Examples

The following examples show how multiple telecommuters can make VPN connections to a single ZyXEL Device at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyXEL Device at headquarters has a static public IP address.
Table 65 Matching ID Type and Content Configuration Example

ZYXEL DEVICE A                            ZYXEL DEVICE B
Local ID type: E-mail                     Local ID type: IP
Local ID content: [email protected]        Local ID content: 1.1.1.2
Peer ID type: IP                          Peer ID type: E-mail
Peer ID content: 1.1.1.2                  Peer ID content: [email protected]

Table 66 Mismatching ID Type and Content Configuration Example

ZYXEL DEVICE A                            ZYXEL DEVICE B
Local ID type: IP                         Local ID type: IP
Local ID content: 1.1.1.10                Local ID content: 1.1.1.10
Peer ID type: E-mail                      Peer ID type: IP
Peer ID content: [email protected]         Peer ID content: N/A
16.6.11.1 Telecommuters Sharing One VPN Rule Example

See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyXEL Device at headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers. The telecommuters must all use the same IPSec parameters but the local IP addresses (or ranges of addresses) should not overlap.

Figure 106 Telecommuters Sharing One VPN Rule Example
(Figure 106 shows telecommuters A, B and C, with LAN addresses 192.168.2.12, 192.168.3.2 and 192.168.4.15, each connecting to HQ, whose LAN address is 192.168.1.10.)

Table 67 Telecommuters Sharing One VPN Rule Example

FIELDS                   TELECOMMUTERS                                HEADQUARTERS
My IP Address:           0.0.0.0 (dynamic IP address assigned by      Public static IP address
                         the ISP)
Secure Gateway           Public static IP address                     0.0.0.0
IP Address:                                                           With this IP address only the
                                                                      telecommuter can initiate the
                                                                      IPSec tunnel.
Local IP Address:        Telecommuter A: 192.168.2.12                 192.168.1.10
                         Telecommuter B: 192.168.3.2
                         Telecommuter C: 192.168.4.15
Remote IP Address:       192.168.1.10                                 0.0.0.0 (N/A)

16.6.11.2 Telecommuters Using Unique VPN Rules Example

In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).

With aggressive negotiation mode (see Section 16.6.6 on page 234), the ZyXEL Device can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyXEL Device at headquarters. They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the ZyXEL Device at headquarters can overlap. The local IP addresses of the rules configured on the telecommuters' IPSec routers should not overlap.

Because aggressive mode sends the identities and the pre-shared-key hash unencrypted (see Section 16.6.9), give each telecommuter rule its own long, random pre-shared key rather than sharing one key across all rules.
See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyXEL Device located at headquarters. The ZyXEL Device at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection.

The ZyXEL Device at headquarters can also initiate VPN connections to the telecommuters since it can find the telecommuters by resolving their domain names.
Figure 107 Telecommuters Using Unique VPN Rules Example

(Figure 107 shows telecommuters A, B and C, with LAN addresses 192.168.2.12, 192.168.3.2 and 192.168.4.15, each connecting to HQ, whose LAN address is 192.168.1.10.)

Table 68 Telecommuters Using Unique VPN Rules Example

TELECOMMUTERS                                    HEADQUARTERS
All Telecommuter Rules:                          All Headquarters Rules:
  My IP Address: 0.0.0.0                           My IP Address: bigcompanyhq.com
  Secure Gateway Address: bigcompanyhq.com         Local IP Address: 192.168.1.10
  Remote IP Address: 192.168.1.10                  Local ID Type: E-mail
  Peer ID Type: E-mail                             Local ID Content: [email protected]
  Peer ID Content: [email protected]

Telecommuter A (telecommutera.dydns.org):        Headquarters ZyXEL Device Rule 1:
  Local ID Type: IP                                Peer ID Type: IP
  Local ID Content: 192.168.2.12                   Peer ID Content: 192.168.2.12
  Local IP Address: 192.168.2.12                   Secure Gateway Address: telecommuter1.com
                                                   Remote Address: 192.168.2.12

Telecommuter B (telecommuterb.dydns.org):        Headquarters ZyXEL Device Rule 2:
  Local ID Type: DNS                               Peer ID Type: DNS
  Local ID Content: telecommuterb.com              Peer ID Content: telecommuterb.com
  Local IP Address: 192.168.3.2                    Secure Gateway Address: telecommuterb.com
                                                   Remote Address: 192.168.3.2

Telecommuter C (telecommuterc.dydns.org):        Headquarters ZyXEL Device Rule 3:
  Local ID Type: E-mail                            Peer ID Type: E-mail
  Local ID Content: [email protected]               Peer ID Content: [email protected]
  Local IP Address: 192.168.4.15                   Secure Gateway Address: telecommuterc.com
                                                   Remote Address: 192.168.4.15
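The rule selection that the headquarters ZyXEL Device performs in Table 68, and the matching and mismatching cases of Tables 65 and 66, expressed as code, together with the non-overlap check that Sections 16.6.11.1 and 16.6.11.2 require of the telecommuters' local addresses. This is an added example and not device code: the VpnRule fields, the meaning of a rule with no Peer ID (the shared rule of Table 67 accepts any identity), and the e-mail address used for Rule 3 are this example's own assumptions.

```python
"""Selecting the VPN rule for an incoming IKE SA from its ID type and content,
as the headquarters ZyXEL Device does in Table 68 and as the matching and
mismatching cases of Tables 65 and 66 require, plus the check that the
telecommuters' local addresses do not overlap (Sections 16.6.11.1 and 16.6.11.2).
Added example, not device code: the VpnRule fields and the "any peer ID" meaning
of a shared rule are this example's own; the e-mail for rule 3 is constructed.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class VpnRule:
    name: str
    secure_gateway: str            # peer address or domain; "0.0.0.0" = any dynamic peer
    peer_id_type: Optional[str]    # "IP", "DNS" or "E-mail"; None = shared rule, any ID
    peer_id_content: str           # blank with type IP = use the Secure Gateway Address
    remote_address: str            # peer's local address or range (Remote IP Address)

def expected_peer_id(rule):
    """Peer ID (type, content) the rule requires; Table 64 says blank IP content
    means the Secure Gateway Address."""
    if rule.peer_id_type == "IP" and not rule.peer_id_content:
        return "IP", rule.secure_gateway
    return rule.peer_id_type, rule.peer_id_content

def select_rule(rules, id_type, id_content):
    """First rule whose Peer ID type and content both equal the identity the
    remote router sent, or None. Type is checked on its own, so the Table 66
    case (peer sends IP, rule expects E-mail) fails even if the strings agreed."""
    for rule in rules:
        if rule.peer_id_type is None:
            return rule
        exp_type, exp_content = expected_peer_id(rule)
        if exp_type == id_type and exp_content.lower() == id_content.lower():
            return rule
    return None

def ipsec_log(rules, id_type, id_content):
    """The log line the guide describes for a failed match, or the chosen rule."""
    rule = select_rule(rules, id_type, id_content)
    return f"using {rule.name}" if rule else "ID mismatched"

def overlapping_networks(addresses):
    """Pairs of local addresses or ranges that overlap. Telecommuters sharing a
    headquarters device must not overlap; headquarters-side rules may."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]

# Headquarters rules from Table 68; the rule 3 e-mail is a constructed stand-in.
HQ_RULES = [
    VpnRule("Rule 1", "telecommuter1.com", "IP", "192.168.2.12", "192.168.2.12"),
    VpnRule("Rule 2", "telecommuterb.com", "DNS", "telecommuterb.com", "192.168.3.2"),
    VpnRule("Rule 3", "telecommuterc.com", "E-mail", "telecommuterc@example.com", "192.168.4.15"),
]
# The one shared rule of Table 67: dynamic peers, any identity.
SHARED_RULES = [VpnRule("Shared", "0.0.0.0", None, "", "0.0.0.0")]

if __name__ == "__main__":
    for id_type, content in [("DNS", "telecommuterb.com"), ("E-mail", "telecommuterb.com")]:
        print(id_type, content, "->", ipsec_log(HQ_RULES, id_type, content))
    print(overlapping_networks(["192.168.2.12", "192.168.3.2", "192.168.4.15"]))
    print(overlapping_networks(["192.168.2.0/24", "192.168.2.12"]))
```

Running it shows "DNS telecommuterb.com -> using Rule 2" and "E-mail telecommuterb.com -> ID mismatched" for the same content string, which is the Table 66 failure in miniature. The overlap check returns nothing for the three Table 67 telecommuter addresses and flags a constructed 192.168.2.0/24 range that contains telecommuter A's address.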
