What is Phase 1 ID for?
In IKE phase 1 negotiation, the IP address of the remote peer is treated as the indicator that decides which VPN rule must be used to serve the incoming request. However, in some applications the remote VPN box or client software uses an IP address dynamically assigned by the ISP, so the ZyWALL needs additional information to make the decision. This additional information is what we call the phase 1 ID. The IKE payload carries local and peer ID fields for this purpose.
There are two phases in every IKE negotiation: phase 1 (Authentication) and phase 2 (Key exchange). Phase 1 establishes an IKE SA, and phase 2 uses that SA to negotiate SAs for IPSec. In IKE phase 1 negotiation, the phase 1 ID is the identification for each VPN peer. By default, the IP address of the remote peer is treated as the indicator that decides which VPN rule must be used to serve the incoming request. However, in some applications the remote VPN gateway or client software uses a dynamic IP address assigned by the ISP. For this reason, the type of phase 1 ID may be IP, FQDN (DNS) or Distinguished Name. The content of the phase 1 ID depends on the phase 1 ID type, for example: 220.132.174.240 (IP address), micronet.dyndns.org (FQDN or Domain Name) and support@micronet.com (Distinguished Name). If you choose Distinguished Name, you can still use a random string; it is not necessary to follow the format exactly.
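The rule lookup described above, as an added example that is a simplified model and not ZyWALL firmware code. The `VpnRule` fields, the `0.0.0.0` marker for a dynamic peer, the case-insensitive FQDN comparison, and checking the ID even when the address already matches are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import List, Optional

DYNAMIC = "0.0.0.0"  # assumption: marks a rule whose peer has no fixed address

@dataclass(frozen=True)
class VpnRule:
    name: str
    peer_gateway: str     # fixed IP of the remote peer, or DYNAMIC
    peer_id_type: str     # "IP", "FQDN" or "DN" (Distinguished Name)
    peer_id_content: str  # value the peer must present as its phase 1 ID

def same_id(rule: VpnRule, id_type: str, id_content: str) -> bool:
    """Compare the ID a peer presents with the one configured on a rule."""
    if rule.peer_id_type != id_type:
        return False
    if id_type == "FQDN":  # assumption: host names compared case-insensitively
        return rule.peer_id_content.lower() == id_content.lower()
    return rule.peer_id_content == id_content

def select_rule(rules: List[VpnRule], src_ip: str,
                id_type: str, id_content: str) -> Optional[VpnRule]:
    """Pick the rule for an incoming phase 1 request, or None to refuse it."""
    # Default case: the source address points at a rule directly.
    candidates = [r for r in rules if r.peer_gateway == src_ip]
    if not candidates:
        # Peer address is unknown (ISP-assigned): only the phase 1 ID can
        # tell the dynamic rules apart.
        candidates = [r for r in rules if r.peer_gateway == DYNAMIC]
    matches = [r for r in candidates if same_id(r, id_type, id_content)]
    # Zero matches: unknown peer. Several matches: two rules share one peer
    # ID, so the choice would be arbitrary. Refuse both.
    return matches[0] if len(matches) == 1 else None

# Constructed sample rules using the three ID examples from the text.
RULES = [
    VpnRule("hq-static", "220.132.174.240", "IP", "220.132.174.240"),
    VpnRule("branch-dyn", DYNAMIC, "FQDN", "micronet.dyndns.org"),
    VpnRule("laptop-dyn", DYNAMIC, "DN", "support@micronet.com"),
]

if __name__ == "__main__":
    for src, kind, value in [("220.132.174.240", "IP", "220.132.174.240"),
                             ("203.0.113.7", "FQDN", "micronet.dyndns.org"),
                             ("198.51.100.9", "DN", "unknown@example.com")]:
        rule = select_rule(RULES, src, kind, value)
        print(src, kind, value, "->", rule.name if rule else "refused")
```

The ambiguity branch is the practical reason each dynamic rule needs its own distinct phase 1 ID: without one, the gateway has nothing left to distinguish the peers.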