Chapter 17 VPN
EMG5324-D10A User’s Guide
217
The two Devices in the matching example (Table 75) can complete negotiation and establish a VPN tunnel.
The two Devices in the mismatching example (Table 76) cannot complete their negotiation because Device B’s Local ID type is IP, but Device A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
17.6.9 Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section
17.6.5 on page 214 for more on IKE phases). It is called “pre-shared” because you have to share it
with another party before you can communicate with them over a secure connection.
17.6.10 Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
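As an added example (not from the user's guide), the following Python script simulates the phase 1 steps covered by the ID matching, pre-shared key and Diffie-Hellman sections: it checks the Local/Peer ID settings of Tables 75 and 76, runs an unauthenticated Diffie-Hellman exchange, and then authenticates it with a pre-shared-key hash modelled on IKEv1. The 2^127 - 1 modulus and the treatment of a Peer ID content of "N/A" as a wildcard are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy DH modulus, constructed for this example: the Mersenne prime 2^127 - 1 with
# generator 2. The device uses the 768-bit Group 1 / 1024-bit Group 2 MODP primes
# of RFC 2409; the arithmetic is identical, only the size differs.
P, G = (1 << 127) - 1, 2

# ID settings copied from Table 75 (matching) and Table 76 (mismatching): (Device A, Device B).
TABLE_75 = ({"local": ("E-mail", "tom@yourcompany.com"), "peer": ("IP", "1.1.1.2")},
            {"local": ("IP", "1.1.1.2"), "peer": ("E-mail", "tom@yourcompany.com")})
TABLE_76 = ({"local": ("IP", "1.1.1.10"), "peer": ("E-mail", "aa@yahoo.com")},
            {"local": ("IP", "1.1.1.10"), "peer": ("IP", "N/A")})

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent
    return x, pow(G, x, P)                    # (private, public value g^x mod p)

def dh_shared(x, other_public):
    # g^(xy) mod p: both peers derive the same value, but nothing here proves
    # who "other" is; the exchange on its own is unauthenticated.
    return pow(other_public, x, P).to_bytes(16, "big")

def id_accepted(received, expected):
    # Type must match; content must match unless the expected content is "N/A",
    # which this example treats as "accept any" (an assumption, not device behaviour).
    return received[0] == expected[0] and (expected[1] == "N/A" or received[1] == expected[1])

def auth_hash(psk, ni, nr, gxi, gxr, ident):
    # Modelled on IKEv1 pre-shared-key authentication (RFC 2409):
    # SKEYID = prf(psk, Ni | Nr); HASH = prf(SKEYID, g^xi | g^xr | ID).
    skeyid = hmac.new(psk, ni + nr, hashlib.sha256).digest()
    msg = gxi.to_bytes(16, "big") + gxr.to_bytes(16, "big") + repr(ident).encode()
    return hmac.new(skeyid, msg, hashlib.sha256).digest()

def phase1(cfg_a, cfg_b, psk_a, psk_b):
    # Simplified phase 1 between Device A (initiator) and Device B (responder).
    # Each side first checks the ID it received against its configured Peer ID.
    if not (id_accepted(cfg_a["local"], cfg_b["peer"])
            and id_accepted(cfg_b["local"], cfg_a["peer"])):
        return "ID mismatched"                # the message seen in the IPSEC LOG
    (xa, gxa), (xb, gxb) = dh_keypair(), dh_keypair()
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    assert dh_shared(xa, gxb) == dh_shared(xb, gxa)   # DH succeeds whatever the PSKs are
    # Authentication rests on the PSK: B recomputes A's hash with its own key.
    sent = auth_hash(psk_a, na, nb, gxa, gxb, cfg_a["local"])
    expected = auth_hash(psk_b, na, nb, gxa, gxb, cfg_a["local"])
    return "ESTABLISHED" if hmac.compare_digest(sent, expected) else "AUTH FAILED"
```

Calling phase1(*TABLE_75, key, key) establishes the tunnel, phase1(*TABLE_76, key, key) stops at the ID check, and mismatched keys on a matching ID configuration fail only at the authentication hash, which is the split between the DH and pre-shared key sections above.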
17.6.11 Telecommuter VPN/IPSec Examples
The following examples show how multiple telecommuters can make VPN connections to a single
Device at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The
Device at headquarters has a static public IP address.
17.6.11.1 Telecommuters Sharing One VPN Rule Example
See the following figure and table for an example configuration that allows multiple telecommuters
(A, B and C in the figure) to use one VPN rule to simultaneously access a Device at headquarters
(HQ in the figure). The telecommuters do not have domain names mapped to the WAN IP
Table 75 Matching ID Type and Content Configuration Example
                      DEVICE A                  DEVICE B
Local ID type:        E-mail                    IP
Local ID content:     tom@yourcompany.com       1.1.1.2
Peer ID type:         IP                        E-mail
Peer ID content:      1.1.1.2                   tom@yourcompany.com

Table 76 Mismatching ID Type and Content Configuration Example
                      DEVICE A                  DEVICE B
Local ID type:        IP                        IP
Local ID content:     1.1.1.10                  1.1.1.10
Peer ID type:         E-mail                    IP
Peer ID content:      aa@yahoo.com              N/A