Filter
Top Products
Chapter 20 IPSec VPN
ZyWALL USG 100/200 Series User’s Guide
378
Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to
connect to a single IPSec router. For example, this might be used with telecommuters.
In extended authentication, one of the routers (the ZyWALL or the remote IPSec router)
provides a user name and password to the other router, which uses a local user database and/or
an external server to verify the user name and password. If the user name or password is
wrong, the routers do not establish an IKE SA.
You can set up the ZyWALL to provide a user name and password to the remote IPSec router,
or you can set up the ZyWALL to check a user name and password that is provided by the
remote IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE SA. These
steps occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7
in aggressive mode).
Certificates
It is possible for the ZyWALL and remote IPSec router to authenticate each other with
certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote
identity because the certificates provide this information instead.
• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check the
signatures on each other’s certificates. Unlike pre-shared keys, the signatures do not have
to match.
• The local and peer ID type and content come from the certificates.
" You must set up the certificates for the ZyWALL and remote IPSec router first.
Regular Expressions in Searching IPSec SAs
A question mark (?) lets a single character in the VPN connection or policy name vary. For
example, use “a?c” (without the quotation marks) to specify abc, acc and so on.
Wildcards (*) let multiple VPN connection or policy names match the pattern. For example,
use “*abc” (without the quotation marks) to specify any VPN connection or policy name that
ends with “abc”. A VPN connection named “testabc” would match. There could be any
number (of any type) of characters in front of the “abc” at the end and the VPN connection or
policy name would still match. A VPN connection or policy name named “testacc” for
example would not match.
A * in the middle of a VPN connection or policy name has the ZyWALL check the beginning
and end and ignore the middle. For example, with “abc*123”, any VPN connection or policy
name starting with “abc” and ending in “123” matches, no matter how many characters are in
between.
The whole VPN connection or policy name has to match if you do not use a question mark or
asterisk.