Support User Manuals

ZyXEL Communications 1100 Network Router User Manual

Open as PDF

of 562

Chapter 20 IPSec VPN

ZyWALL 110/310/1100 Series User’s Guide

310

Extended Authentication

Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to

connect to a single IPSec router. For example, this might be used with telecommuters.

In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) provides a

user name and password to the other router, which uses a local user database and/or an external

server to verify the user name and password. If the user name or password is wrong, the routers

do not establish an IKE SA.

You can set up the ZyWALL to provide a user name and password to the remote IPSec router, or

you can set up the ZyWALL to check a user name and password that is provided by the remote

IPSec router.

If you use extended authentication, it takes four more steps to establish an IKE SA. These steps

occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in

aggressive mode).

Certificates

It is possible for the ZyWALL and remote IPSec router to authenticate each other with certificates.

In this case, you do not have to set up the pre-shared key, local identity, or remote identity because

the certificates provide this information instead.

• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check the signatures

on each other’s certificates. Unlike pre-shared keys, the signatures do not have to match.

• The local and peer ID type and content come from the certificates.

Note: You must set up the certificates for the ZyWALL and remote IPSec router first.

IPSec SA Overview

Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely

negotiate an IPSec SA through which to send data between computers on the networks.

Note: The IPSec SA stays connected even if the underlying IKE SA is not available

anymore.

This section introduces the key components of an IPSec SA.

Local Network and Remote Network

In an IPSec SA, the local network, the one(s) connected to the ZyWALL, may be called the local

policy. Similarly, the remote network, the one(s) connected to the remote IPSec router, may be

called the remote policy.

Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each packet is

protected by the encryption and authentication algorithms. IPSec VPN includes two active

protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC

2406).

previous next