8 ike phases, Figure 147 two phases to set up the ipsec sa – ZyXEL Communications Internet Security Appliance ZyWALL5UTM 4.0 User Manual

ZyWALL 5/35/70 Series User’s Guide

Chapter 19 VPN Screens

The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s
Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail. An ID mismatched
message displays in the IPSec log.

Table 98 Mismatching ID Type and Content Configuration Example

ZYWALL A                              ZYWALL B
Local ID type: IP                     Local ID type: IP
Local ID content: 1.1.1.10            Local ID content: 1.1.1.10
Peer ID type: E-mail                  Peer ID type: IP
Peer ID content: [email protected]    Peer ID content: N/A
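
The ID check described above can be reproduced offline before the tunnel is brought up. The following is an added example, not code from the ZyWALL or its manual: it compares each gateway's Peer ID settings with the other gateway's Local ID settings, using the Table 98 values. The class and function names are hypothetical, the e-mail address is a constructed placeholder, and treating "N/A" as "no content check" is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IkeIdentity:
    """ID settings of one gateway; field names are hypothetical."""
    local_type: str
    local_content: str
    peer_type: str
    peer_content: str  # "N/A" = nothing configured to compare against


def _norm(id_type: str, content: str) -> str:
    # Parse IP identities so equivalent spellings compare equal.
    if id_type.upper() == "IP":
        return str(ipaddress.ip_address(content.strip()))
    return content.strip()


def check_direction(verifier: IkeIdentity, sender: IkeIdentity) -> list:
    """Problems found when `verifier` checks the identity `sender` presents."""
    if verifier.peer_type.upper() != sender.local_type.upper():
        # Types differ, so contents are not comparable.
        return [f"type: expects {verifier.peer_type}, peer presents {sender.local_type}"]
    if verifier.peer_content.upper() == "N/A":
        return []  # assumption: no content check when none is configured
    want = _norm(verifier.peer_type, verifier.peer_content)
    got = _norm(sender.local_type, sender.local_content)
    return [] if want == got else [f"content: expects {want}, peer presents {got}"]


def check_pair(a: IkeIdentity, b: IkeIdentity) -> dict:
    """Check both directions, as each gateway verifies the other."""
    return {"A checks B": check_direction(a, b), "B checks A": check_direction(b, a)}


# Table 98 values; the e-mail address is a constructed placeholder.
ZYWALL_A = IkeIdentity("IP", "1.1.1.10", "E-mail", "peer@example.com")
ZYWALL_B = IkeIdentity("IP", "1.1.1.10", "IP", "N/A")

if __name__ == "__main__":
    for direction, problems in check_pair(ZYWALL_A, ZYWALL_B).items():
        print(direction, "->", problems or "OK")
```

With the Table 98 values, only the "A checks B" direction reports a problem, which is the type mismatch the text describes.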

19.8 IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1
(Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA, and
phase 2 uses that SA to negotiate SAs for IPSec.

Figure 147 Two Phases to Set Up the IPSec SA

In phase 1 you must:

• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.

Table 97 Matching ID Type and Content Configuration Example

ZYWALL A                              ZYWALL B
Peer ID type: IP                      Peer ID type: E-mail
Peer ID content: 1.1.1.2              Peer ID content: [email protected]