ZyXEL Communications P-335U Personal Computer User Manual
P-334U/P-335U User’s Guide
144 Chapter 13 IPSec VPN
Most routers like router A now have an IPSec pass-through feature. This feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the IPSec protocol is ESP. (See Section 13.1.3.2, IPSec Protocol, on page 144 for more information about active protocols.)
If router A does not have IPSec pass-through, or if the IPSec protocol is AH, you can solve this problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to the IKE SA and IPSec SA packets. If you configure router A to forward these packets unchanged, router X and router Y can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the ZyXEL Device and the remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged.
The extra header is a UDP header on port 500 or port 4500, depending on the standard(s) the ZyXEL Device and remote IPSec router support.
13.1.3 IPSec SA (IKE Phase 2) Overview
Once the ZyXEL Device and remote IPSec router have established the IKE SA, they can
securely negotiate an IPSec SA through which to send data between computers on the
networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore.
This section introduces the key components of an IPSec SA.
13.1.3.1 Local Network and Remote Network
In an IPSec SA, the local network consists of devices connected to the ZyXEL Device and
may be called the local policy. Similarly, the remote network consists of the devices connected
to the remote IPSec router and may be called the remote policy.
Note: It is not recommended to set a VPN rule’s local and remote network settings both to 0.0.0.0 (any). This causes the ZyXEL Device to try to forward all access attempts (to the local network, the Internet or even the ZyXEL Device) to the remote IPSec router. In this case, you can no longer manage the ZyXEL Device.
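The following is an added example, not ZyXEL code and not a description of the P-335U firmware's actual lookup order. It models the policy matching behind the note above: a packet is compared against each VPN rule's local and remote policy before the device considers delivering it locally, so a rule with both policies set to "any" (modelled here as 0.0.0.0/0, an assumption) swallows management traffic addressed to the device itself. The rule names, addresses and the helper `classify` are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the manual's "0.0.0.0 (any)" is modelled as the 0.0.0.0/0 network.
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class VpnRule:
    name: str
    local_net: str    # local policy, e.g. "192.168.1.0/24"
    remote_net: str   # remote policy, e.g. "10.0.0.0/24"

    def matches(self, src: str, dst: str) -> bool:
        """A packet enters the tunnel when src is in the local policy and dst in the remote policy."""
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote_net))


def rule_warnings(rule: VpnRule) -> list:
    """Lint a rule before applying it; flags the any/any case the manual warns about."""
    warnings = []
    if (ipaddress.ip_network(rule.local_net) == ANY
            and ipaddress.ip_network(rule.remote_net) == ANY):
        warnings.append(
            f"{rule.name}: local and remote policy are both 'any'; every packet, "
            "including management traffic to the device, is sent to the remote IPSec router")
    return warnings


def classify(rules, src: str, dst: str, device_ip: str, lan_net: str) -> str:
    """Decide where a packet from the LAN goes.

    VPN policy is evaluated first, then delivery to the device, then the LAN,
    then the Internet. Returns "tunnel:<rule>", "device", "lan" or "internet".
    """
    for rule in rules:
        if rule.matches(src, dst):
            return f"tunnel:{rule.name}"
    if ipaddress.ip_address(dst) == ipaddress.ip_address(device_ip):
        return "device"
    if ipaddress.ip_address(dst) in ipaddress.ip_network(lan_net):
        return "lan"
    return "internet"


if __name__ == "__main__":
    # Constructed sample rules and addresses.
    bad = VpnRule("any-any", "0.0.0.0/0", "0.0.0.0/0")
    good = VpnRule("branch", "192.168.1.0/24", "10.0.0.0/24")
    for rule in (bad, good):
        print(rule.name, rule_warnings(rule))
        # Admin host 192.168.1.10 tries to reach the device at 192.168.1.1.
        print("  management traffic ->",
              classify([rule], "192.168.1.10", "192.168.1.1", "192.168.1.1", "192.168.1.0/24"))
```

With the any/any rule the management packet is classified as tunnel traffic and never reaches the device's web or CLI interface; with a rule whose policies are real subnets it is delivered locally.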
13.1.3.2 IPSec Protocol
The IPSec protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
IPSec protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).
Note: The ZyXEL Device and remote IPSec router must use the same IPSec protocol.
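The following is an added example, not code from the manual or from ZyXEL, illustrating two points from this chapter: why the IPSec pass-through discussion above says a NAT router only works with ESP and not AH, and what the "extra header" of NAT traversal looks like. It uses a deliberately simplified packet model: AH's integrity check value covers the immutable IP header fields (including both addresses), ESP's covers only the ESP header and payload, and NAT traversal wraps both IKE and ESP in UDP on port 4500 with the non-ESP marker and keepalive formats of RFC 3948. The key, addresses and SPI values are constructed; the HMAC truncation and the `Packet` class are simplifications, not the transforms the P-335U implements.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

# Constructed demo key. Real IPSec SAs derive keys during IKE; this only
# makes the HMACs reproducible for the example.
KEY = b"constructed-demo-integrity-key"
ICV_LEN = 12                           # truncated HMAC, like the *-96 transforms

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix for IKE carried on UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-octet NAT keepalive datagram


@dataclass(frozen=True)
class Packet:
    """Simplified IP packet holding only the fields the example needs."""
    src: str      # outer IP source address
    dst: str      # outer IP destination address
    proto: str    # "AH" or "ESP"
    body: bytes   # AH/ESP header plus protected payload


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    """What router A does: rewrite the source address and leave the rest alone."""
    return replace(pkt, src=public_ip)


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    # AH authenticates the immutable IP header fields, including both
    # addresses, plus the payload (RFC 2402). Rewriting an address breaks it.
    covered = src.encode() + dst.encode() + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(spi: int, seq: int, ciphertext: bytes) -> bytes:
    # ESP authenticates only the ESP header (SPI, sequence number) and the
    # encrypted payload (RFC 2406); the outer IP header is not covered.
    covered = struct.pack("!II", spi, seq) + ciphertext
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_survives_nat(private_src: str, dst: str, public_ip: str, payload: bytes) -> bool:
    """Router X sends an AH packet, router A applies NAT, router Y verifies it."""
    sent = Packet(private_src, dst, "AH", ah_icv(private_src, dst, payload) + payload)
    received = nat_rewrite(sent, public_ip)
    icv, data = received.body[:ICV_LEN], received.body[ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(received.src, received.dst, data))


def esp_survives_nat(private_src: str, dst: str, public_ip: str,
                     spi: int, seq: int, ciphertext: bytes) -> bool:
    """Same experiment with ESP; router Y recomputes the ICV from ESP fields only."""
    body = struct.pack("!II", spi, seq) + ciphertext + esp_icv(spi, seq, ciphertext)
    received = nat_rewrite(Packet(private_src, dst, "ESP", body), public_ip)
    r_spi, r_seq = struct.unpack("!II", received.body[:8])
    r_ct, r_icv = received.body[8:-ICV_LEN], received.body[-ICV_LEN:]
    return hmac.compare_digest(r_icv, esp_icv(r_spi, r_seq, r_ct))


def udp_encapsulate(kind: str, inner: bytes) -> bytes:
    """NAT traversal: build the UDP 4500 payload for an IKE or ESP packet (RFC 3948)."""
    if kind == "IKE":
        return NON_ESP_MARKER + inner   # four zero bytes mark non-ESP (IKE) traffic
    if kind == "ESP":
        return inner                    # ESP goes as-is; a real SPI is never zero
    raise ValueError(kind)


def demux_udp4500(udp_payload: bytes) -> str:
    """What the receiving IPSec router does with a datagram arriving on UDP 4500."""
    if udp_payload == NAT_KEEPALIVE:
        return "KEEPALIVE"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "IKE"
    return "ESP"


if __name__ == "__main__":
    # Constructed addresses: router X behind NAT, router A's public side, router Y.
    print("AH through NAT verifies:",
          ah_survives_nat("192.168.1.10", "203.0.113.5", "198.51.100.1", b"data"))
    print("ESP through NAT verifies:",
          esp_survives_nat("192.168.1.10", "203.0.113.5", "198.51.100.1", 0x1234, 1, b"ct"))
    for payload in (udp_encapsulate("IKE", b"\x01" * 28),
                    udp_encapsulate("ESP", struct.pack("!II", 0x1234, 1) + b"ct"),
                    NAT_KEEPALIVE):
        print("UDP 4500 datagram classified as", demux_udp4500(payload))
```

The AH check fails after NAT because router Y recomputes the ICV over the rewritten source address, which is exactly why the text requires ESP for plain pass-through and NAT traversal for AH; on the NAT router itself the only configuration needed is to let UDP 500 and UDP 4500 through to the ZyXEL Device without altering the datagrams.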