8 id type and content – ZyXEL Communications ZyXEL ZyWALL 35 User Manual


ZyWALL 35 User’s Guide, Chapter 14 VPN Screens, page 245

The following figure depicts an example where three VPN tunnels are created from ZyWALL A: one to branch office 2, one to branch office 3 and another to headquarters. In order to access computers that use private domain names on the headquarters (HQ) network, the ZyWALL at branch office 1 uses the Intranet DNS server in headquarters. The DNS server feature for VPN does not work with Windows 2000 or Windows XP.

Figure 117 VPN Host using Intranet DNS Server Example

14.8 ID Type and Content

With aggressive negotiation mode (see the Negotiation Mode section), the ZyWALL identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the ZyWALL to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyWALL from IPSec routers with dynamic IP addresses (see the Telecommuters Using Unique VPN Rules Example section for a telecommuter configuration example).

With main mode (see the Negotiation Mode section), the ID type and content are encrypted to provide identity protection. In this case the ZyWALL can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The ZyWALL can distinguish up to 12 incoming SAs because you can select

Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote network.

Note: Regardless of the ID type and content configuration, the ZyWALL does not allow you to save multiple active rules with overlapping local and remote IP addresses.
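The rule selection described in this section, as an added example that is not ZyXEL's code: a small model of how a gateway can tell apart several VPN rules for peers with dynamic WAN addresses in aggressive mode (by the cleartext ID type and content) but not in main mode (where the ID is encrypted), plus the check from the second note that rejects active rules whose local and remote addresses both overlap. The rule fields, the ID type names and the sample rule table are assumptions constructed for illustration.

```python
# Added example (not ZyXEL's code). Models one-of-many VPN rule selection for
# incoming SAs from peers with dynamic WAN IP addresses, plus the "no
# overlapping local and remote addresses" rule from the manual's note.
# Rule fields, ID type names and sample values are assumptions.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VpnRule:
    name: str
    peer_id_type: str      # assumed ID types: "ip", "dns", "email"
    peer_id_content: str   # e.g. a hostname or e-mail address (constructed)
    local_net: str         # local policy as CIDR
    remote_net: str        # remote policy as CIDR
    active: bool = True


def validate_rules(rules):
    """Reject two active rules whose local AND remote policies overlap,
    regardless of their ID configuration (per the manual's note)."""
    active = [r for r in rules if r.active]
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if (ip_network(a.local_net).overlaps(ip_network(b.local_net))
                    and ip_network(a.remote_net).overlaps(ip_network(b.remote_net))):
                raise ValueError(f"rules {a.name!r} and {b.name!r} overlap")
    return True


def select_rule(rules, mode, peer_id_type=None, peer_id_content=None):
    """Pick the rule for an incoming SA from a peer with a dynamic WAN IP.

    Aggressive mode: the peer's ID travels unencrypted in phase 1, so it can
    be matched against each rule's configured ID type and content.
    Main mode: the ID is encrypted (identity protection), so it cannot be
    used to tell the rules apart here; None signals "not distinguishable".
    """
    if mode == "main":
        return None
    if mode != "aggressive":
        raise ValueError("unknown negotiation mode")
    for r in rules:
        if r.active and (r.peer_id_type, r.peer_id_content) == (peer_id_type, peer_id_content):
            return r
    return None


# Constructed rule table: three remote sites with dynamic addresses that the
# gateway can only distinguish by ID content.
RULES = [
    VpnRule("branch2", "dns", "branch2.example.com", "192.168.1.0/24", "192.168.2.0/24"),
    VpnRule("branch3", "dns", "branch3.example.com", "192.168.1.0/24", "192.168.3.0/24"),
    VpnRule("hq", "email", "hq-gw@example.com", "192.168.1.0/24", "10.0.0.0/16"),
]
```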
