Filter
Top Products
Chapter 20 IPSec VPN
ZyWALL 110/310/1100 Series User’s Guide
309
Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router
selects an acceptable proposal and sends it back to the ZyWALL.
Steps 3 - 4: The ZyWALL and the remote IPSec router exchange pre-shared keys for authentication
and participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish
a shared secret.
Steps 5 - 6: Finally, the ZyWALL and the remote IPSec router generate an encryption key (from the
shared secret), encrypt their identities, and exchange their encrypted identity information for
authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA. Aggressive mode does
not provide as much security because the identity of the ZyWALL and the identity of the remote
IPSec router are not encrypted. It is usually used in remote-access situations, where the address of
the initiator is not known by the responder and both parties want to use pre-shared keys for
authentication. For example, the remote IPSec router may be a telecommuter who does not have a
static IP address.
VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
Figure 190 VPN/NAT Example
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and
router Y try to establish a VPN tunnel, the authentication fails because it depends on this
information. The routers cannot establish a VPN tunnel.
Most routers like router A now have an IPSec pass-thru feature. This feature helps router A
recognize VPN packets and route them appropriately. If router A has this feature, router X and
router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Active Protocol on
page 310 for more information about active protocols.)
If router A does not have an IPSec pass-thru or if the active protocol is AH, you can solve this
problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to
the IKE SA and IPSec SA packets. If you configure router A to forward these packets unchanged,
router X and router Y can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the ZyWALL and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged. (See the field
description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the
ZyWALL and remote IPSec router support.
A
X
Y