ZyXEL Communications 35 Series Network Router User Manual

ZyWALL 5/35/70 Series User’s Guide
Chapter 19 VPN Screens (page 311)
Figure 146 NAT Router Between IPSec Routers
Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec packet in an attempt to initiate a VPN. The NAT router changes the IPSec packet’s header so it does not match the header for which IPSec router B is checking. Therefore, IPSec router B does not respond and the VPN connection cannot be built.

NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router B checks the UDP port 500 header and responds. IPSec routers A and B build a VPN connection.
19.6.1 NAT Traversal Configuration
For NAT traversal to work you must:
• Use ESP security protocol (in either transport or tunnel mode).
• Use IKE keying mode.
• Enable NAT traversal on both IPSec endpoints.

In order for IPSec router A (see Figure 146 on page 311) to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A.
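The following model illustrates the two points made above: why a NAT device between the IPSec routers cannot keep raw ESP flows apart, why the added UDP header changes that, and why an unsolicited IKE packet from router B only reaches router A once the NAT forwards UDP port 500. This is an added example, not ZyXEL code. Two details are assumptions taken from the IETF specifications rather than from the guide: the ESP header layout (RFC 4303, SPI then sequence number) and the 4-byte non-ESP marker (RFC 3948) a receiver uses to tell IKE from ESP on a shared UDP port. All addresses, ports and SPIs are constructed sample values.

```python
"""Model of ESP crossing a NAT device with and without UDP encapsulation.

Added example, not ZyXEL code. Assumed from the RFCs, not from the guide:
ESP header = SPI + sequence number (RFC 4303); a 4-byte zero non-ESP marker
precedes IKE on the shared UDP port (RFC 3948). All values are constructed.
"""
import struct
from dataclasses import dataclass, field

ESP_PROTO = 50        # IP protocol number of raw ESP
UDP_PROTO = 17
NAT_T_PORT = 500      # UDP port the guide describes for NAT traversal
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass
class IPPacket:
    src: str
    dst: str
    proto: int
    payload: bytes    # raw ESP, or a UDP datagram carrying ESP or IKE


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: 4-byte SPI, 4-byte sequence number, then the encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp_encapsulate(sport: int, dport: int, body: bytes) -> bytes:
    """Prepend a UDP header; checksum left 0 (allowed for IPv4) to keep the model small."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


@dataclass
class Nat:
    """Source NAT. UDP flows get a unique public port and a reverse mapping.
    Raw ESP has no port field, so every inside host is rewritten to the same
    outer (src, proto) and the NAT cannot tell the return flows apart."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)     # public port -> (inside ip, inside port)
    forwards: dict = field(default_factory=dict)  # static forward: public port -> inside ip

    def outbound(self, pkt: IPPacket) -> IPPacket:
        if pkt.proto != UDP_PROTO:
            return IPPacket(self.public_ip, pkt.dst, pkt.proto, pkt.payload)
        sport, dport, length, csum = struct.unpack("!HHHH", pkt.payload[:8])
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (pkt.src, sport)
        hdr = struct.pack("!HHHH", pub_port, dport, length, csum)
        return IPPacket(self.public_ip, pkt.dst, UDP_PROTO, hdr + pkt.payload[8:])

    def inbound(self, pkt: IPPacket):
        """Inside host that receives pkt, or None when the NAT has no mapping and drops it."""
        if pkt.proto != UDP_PROTO:
            return None
        dport = struct.unpack("!HHHH", pkt.payload[:8])[1]
        if dport in self.table:
            return self.table[dport][0]
        return self.forwards.get(dport)   # the "forward UDP port 500 to IPSec router A" case


def classify(udp_payload: bytes):
    """Receiver-side demultiplexing on the NAT-T port: ('ike', None) or ('esp', spi)."""
    body = udp_payload[8:]
    if body[:4] == NON_ESP_MARKER:
        return "ike", None
    return "esp", struct.unpack("!I", body[:4])[0]


def demo() -> dict:
    nat = Nat("203.0.113.1")
    peer = "198.51.100.7"                       # IPSec router B (constructed)
    esp_a = build_esp(0x1001, 1, b"\xaa" * 16)  # from IPSec router A at 10.0.0.2
    esp_c = build_esp(0x2002, 1, b"\xbb" * 16)  # from a second inside host at 10.0.0.3

    # 1) Raw ESP: after NAT both inside hosts present the same outer header.
    raw_a = nat.outbound(IPPacket("10.0.0.2", peer, ESP_PROTO, esp_a))
    raw_c = nat.outbound(IPPacket("10.0.0.3", peer, ESP_PROTO, esp_c))
    raw_same_outer = (raw_a.src, raw_a.proto) == (raw_c.src, raw_c.proto)

    # 2) UDP-encapsulated ESP: distinct public ports, ESP header passes through intact.
    enc_a = nat.outbound(IPPacket("10.0.0.2", peer, UDP_PROTO,
                                  udp_encapsulate(NAT_T_PORT, NAT_T_PORT, esp_a)))
    enc_c = nat.outbound(IPPacket("10.0.0.3", peer, UDP_PROTO,
                                  udp_encapsulate(NAT_T_PORT, NAT_T_PORT, esp_c)))
    port_a, port_c = enc_a.payload[:2], enc_c.payload[:2]
    kind_a, spi_a = classify(enc_a.payload)
    reply = IPPacket(peer, nat.public_ip, UDP_PROTO,
                     udp_encapsulate(NAT_T_PORT, struct.unpack("!H", port_a)[0], esp_a))

    # 3) Peer-initiated IKE: dropped until UDP 500 is forwarded to router A.
    ike = udp_encapsulate(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + b"constructed IKE bytes")
    unsolicited = IPPacket(peer, nat.public_ip, UDP_PROTO, ike)
    dropped_without_forward = nat.inbound(unsolicited) is None
    nat.forwards[NAT_T_PORT] = "10.0.0.2"
    return {
        "raw_same_outer": raw_same_outer,
        "udp_ports_distinct": port_a != port_c,
        "esp_header_intact": (kind_a, spi_a) == ("esp", 0x1001),
        "reply_reaches": nat.inbound(reply),
        "dropped_without_forward": dropped_without_forward,
        "forwarded_to": nat.inbound(unsolicited),
        "ike_classified": classify(ike)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the SPI and sequence number of the encapsulated ESP arriving unchanged at the peer, while the NAT rewrites only the outer UDP port it uses to route the reply back to the right inside host; the same packet sent as raw ESP from two inside hosts is indistinguishable on the outside.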
19.7 ID Type and Content
With aggressive negotiation mode (see Section 19.8.1 on page 314), the ZyWALL identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the ZyWALL to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyWALL from IPSec routers with dynamic IP addresses (see Section 19.18.2 on page 338 for a telecommuter configuration example).

Note: Regardless of the ID type and content configuration, the ZyWALL does not allow you to save multiple active rules with overlapping local and remote IP addresses.
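To make the rule-selection logic described above concrete, here is an added example (not ZyWALL code) that parses an IKE ID payload, matches a rule for a peer with a dynamic WAN address on ID type and content rather than on its source IP, and enforces the note's constraint that no two active rules may have overlapping local and remote addresses. The ID payload layout and the ID type numbers are taken from the IKEv1 DOI (RFC 2407), which the guide does not spell out; rule names, identities and addresses are constructed.

```python
"""Rule selection by IKE ID type and content, plus the no-overlap check.

Added example, not ZyWALL code. ID payload layout and type numbers follow
the IKEv1 DOI (RFC 2407), an assumption not stated in the guide. Rule names,
identities and networks are constructed sample values.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            4: "ID_IPV4_ADDR_SUBNET", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
ID_TYPE_NUM = {name: num for num, name in ID_TYPES.items()}
DYNAMIC = "0.0.0.0"   # remote gateway not known in advance


def encode_id_payload(id_type: str, content: str, next_payload: int = 0) -> bytes:
    """Generic payload header (next, reserved, length), then type, protocol, port, data."""
    data = (ipaddress.IPv4Address(content).packed if id_type == "ID_IPV4_ADDR"
            else content.encode("ascii"))
    body = struct.pack("!BBH", ID_TYPE_NUM[id_type], 0, 0) + data   # protocol 0, port 0 = any
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_id_payload(raw: bytes) -> tuple:
    """Parse one ID payload, rejecting malformed input before it reaches rule matching."""
    if len(raw) < 8:
        raise ValueError("ID payload too short")
    _next, reserved, length = struct.unpack("!BBH", raw[:4])
    if reserved != 0 or length != len(raw):
        raise ValueError("ID payload length/reserved field mismatch")
    name = ID_TYPES.get(raw[4])
    data = raw[8:]
    if name is None:
        raise ValueError(f"unsupported ID type {raw[4]}")
    if name == "ID_IPV4_ADDR":
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes")
        return name, str(ipaddress.IPv4Address(data))
    return name, data.decode("ascii")


@dataclass
class VpnRule:
    name: str
    remote_gateway: str     # DYNAMIC for telecommuters whose address changes
    peer_id_type: str
    peer_id_content: str
    local_net: str          # CIDR
    remote_net: str         # CIDR


def check_no_overlap(rules) -> Optional[str]:
    """The note's constraint: no two active rules with overlapping local AND remote
    addresses. Returns the first conflict found, or None when the set is acceptable."""
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            local_clash = ipaddress.ip_network(a.local_net).overlaps(ipaddress.ip_network(b.local_net))
            remote_clash = ipaddress.ip_network(a.remote_net).overlaps(ipaddress.ip_network(b.remote_net))
            if local_clash and remote_clash:
                return f"{a.name} overlaps {b.name}"
    return None


def select_rule(rules, peer_ip: str, id_payload: bytes) -> Optional[VpnRule]:
    """Aggressive mode: the peer's ID arrives unencrypted, so a rule with a fixed
    remote gateway is matched on IP and a DYNAMIC rule on (ID type, content)."""
    for r in rules:
        if r.remote_gateway == peer_ip:
            return r
    id_type, content = decode_id_payload(id_payload)
    for r in rules:
        if r.remote_gateway == DYNAMIC and (r.peer_id_type, r.peer_id_content) == (id_type, content):
            return r
    return None


RULES = [   # constructed rule set: one static branch office, two telecommuters
    VpnRule("branch-office", "198.51.100.20", "ID_IPV4_ADDR", "198.51.100.20",
            "192.168.1.0/24", "192.168.20.0/24"),
    VpnRule("telecommuter-alice", DYNAMIC, "ID_USER_FQDN", "alice@example.com",
            "192.168.1.0/24", "192.168.101.1/32"),
    VpnRule("telecommuter-bob", DYNAMIC, "ID_FQDN", "bob-laptop.example.com",
            "192.168.1.0/24", "192.168.101.2/32"),
]


def demo() -> dict:
    alice_id = encode_id_payload("ID_USER_FQDN", "alice@example.com")
    bob_id = encode_id_payload("ID_FQDN", "bob-laptop.example.com")
    unknown_id = encode_id_payload("ID_USER_FQDN", "nobody@example.com")
    conflicting = RULES + [VpnRule("dup", DYNAMIC, "ID_KEY_ID", "k1",
                                   "192.168.1.0/24", "192.168.101.0/24")]
    return {
        # the same telecommuter matched from two different dynamic addresses
        "alice_from_cafe": select_rule(RULES, "203.0.113.50", alice_id).name,
        "alice_from_home": select_rule(RULES, "203.0.113.77", alice_id).name,
        "bob": select_rule(RULES, "203.0.113.50", bob_id).name,
        "branch": select_rule(RULES, "198.51.100.20", unknown_id).name,
        "unknown_id": select_rule(RULES, "203.0.113.9", unknown_id),
        "valid_set": check_no_overlap(RULES),
        "conflict": check_no_overlap(conflicting),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both telecommuters connect from addresses the rules never list, yet each lands on its own rule because the ID payload is readable at SA setup; the attempt to add a fourth rule whose remote network covers Alice's is what the note says the ZyWALL refuses to save.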
With main mode (see Section 19.8.1 on page 314), the ID type and content are encrypted to provide identity protection. In this case the ZyWALL can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The ZyWALL can distinguish up to 12 incoming SAs because you can select