User's guide
P-793H v2 Support Notes
For IKE VPN, the keys and SPIs are negotiated from one VPN gateway to the
other. Afterward, the two VPN gateways use these negotiated keys and SPIs to
send packets between the two networks.
For manual key VPN, the encryption key, authentication key (if needed), and
SPIs are predetermined by the administrator when configuring the security
association.
IKE is more secure than manual key, because IKE negotiation can generate
new keys and SPIs randomly for the VPN connection.
13. What is Phase 1 ID for?
In IKE phase 1 negotiation, the IP address of the remote peer is treated as an
indicator to decide which VPN rule must be used to serve the incoming request.
However, in some applications, the remote VPN box or client software is using
an IP address dynamically assigned by the ISP, so P-793H v2 needs additional
information to make the decision. This additional information is what we call
the phase 1 ID. The IKE payload carries local and peer ID fields for this
purpose.
14. What is FQDN?
FQDN stands for Fully Qualified Domain Name. The IKE standard takes it as one
type of Phase 1 ID.
As we mentioned, the Phase 1 ID is an identification for each VPN peer. The
type of Phase 1 ID may be IP, FQDN (DNS), or User FQDN (E-mail). The content
of the Phase 1 ID depends on the Phase 1 ID type. The following is an example
of how to configure the phase 1 ID.
ID type    Content
------------------------------------
IP         202.132.154.1
DNS        www.zyxel.com
E-mail     support@zyxel.com.tw
Please note that, in P-793H v2, if the "DNS" or "E-mail" type is chosen, you
can still use a random string as the content, such as "this_is_P-793H v2". It
is not necessary to follow the format exactly.
By default, P-793H v2 takes IP as the phase 1 ID type for itself and its remote
peer. But if its remote peer is using DNS or E-mail, you have to adjust the
settings to pass phase 1 ID checking.
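The rule selection and phase 1 ID check described in questions 13 and 14, as an added Python example that is not ZyXEL's code and does not reproduce the P-793H v2 firmware logic. It assumes the IKEv1 Identification payload layout and ID type numbers from RFC 2407; the rule names, the rule dictionary layout, and the function names are hypothetical.

```python
import ipaddress
import struct

# IPsec DOI ID types (RFC 2407), named as in the table above.
ID_TYPES = {1: "IP", 2: "DNS", 3: "E-mail"}

def build_id_payload(id_type, data):
    """Build a constructed IKEv1 Identification payload (sample input)."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), id_type, 0, 0) + data

def parse_id_payload(payload):
    """Return (id_type_name, content) from an IKEv1 Identification payload."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _, _, length, id_type, _, _ = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError("length field does not match payload size")
    if id_type not in ID_TYPES:
        raise ValueError(f"unsupported ID type {id_type}")
    data = payload[8:]
    if id_type == 1:
        if len(data) != 4:
            raise ValueError("IPv4 ID must carry exactly 4 bytes")
        return "IP", str(ipaddress.IPv4Address(data))
    # DNS and E-mail content is kept as an opaque string: the page notes
    # it need not follow the format exactly.
    return ID_TYPES[id_type], data.decode("ascii")

def select_rule(rules, src_ip, id_payload):
    """Pick the VPN rule for an incoming phase 1 request, or None.

    Assumed model: a rule with a fixed peer address must match the source
    IP; a rule for a dynamic peer (peer_ip None) is chosen by phase 1 ID.
    """
    peer_id = parse_id_payload(id_payload)
    for rule in rules:
        if rule["peer_ip"] not in (None, src_ip):
            continue
        if rule["peer_id"] == peer_id:
            return rule["name"]
    return None

# Constructed sample rules; names are hypothetical, IDs are from the table.
RULES = [
    {"name": "branch-static", "peer_ip": "202.132.154.1",
     "peer_id": ("IP", "202.132.154.1")},
    {"name": "roaming-client", "peer_ip": None,
     "peer_id": ("E-mail", "support@zyxel.com.tw")},
]
```

A request whose ID type or content differs from the configured peer ID matches no rule, which is the failed "phase 1 ID checking" case the text describes.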
All contents copyright © 2010 ZyXEL Communications Corporation.










