beautypg.com

5 extended authentication – ZyXEL Communications P-2608HWL-Dx Series User Manual

Page 225

background image

P-2608HWL-Dx Series User’s Guide

Chapter 18 IPSec VPN

225

In the following example, the authentication fails, so they cannot establish an IKE SA.

It is also possible to configure the ZyXEL Device to ignore the identity of the remote IPSec
router. In this case, you usually set the peer ID type to Any. This is not as secure as other peer
ID types, however.

18.1.1.4.1 Certificates

It is also possible for the ZyXEL Device and remote IPSec router to authenticate each other
with certificates. In this case, the authentication process is different.

• Instead of using the pre-shared key, the ZyXEL Device and remote IPSec router check

each other’s certificates.

• The local ID type and ID content come from the certificate. On the ZyXEL Device, you

simply select which certificate to use.

• If you set the peer ID type to Any, the ZyXEL Device authenticates the remote IPSec

router using the trusted certificates and trusted CAs you have set up. Alternatively, if you
want to use a specific certificate to authenticate the remote IPSec router, you can use the
information in the certificate to specify the peer ID type and ID content.

Note: You must set up the certificates for the ZyXEL Device and remote IPSec router

before you can use certificates in IKE SA. See

Chapter 19 on page 249

for

more information about certificates.

18.1.1.5 Extended Authentication

Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to
connect to a single IPSec router. For example, this might be used with telecommuters.
Extended authentication occurs right after the authentication described in

Section 18.1.1.4 on

page 224

.

In extended authentication, one of the routers (the ZyXEL Device or the remote IPSec router)
provides a user name and password to the other router, which uses a local user database and/or
an external server to verify the user name and password. If the user name or password is
wrong, the routers do not establish an IKE SA.

You can set up the ZyXEL Device to provide a user name and password to the remote IPSec
router, or you can set up the ZyXEL Device to check a user name and password that is
provided by the remote IPSec router.

Table 82 VPN Example: Mismatching ID Type and Content

ZYXEL DEVICE

REMOTE IPSEC ROUTER

Local ID type: E-mail

Local ID type: IP

Local ID content: [email protected]

Local ID content:

1.1.1.2

Peer ID type: IP

Peer ID type: E-mail

Peer ID content:

1.1.1.15

Peer ID content: [email protected]

See also other documents in the category ZyXEL Communications Hardware: