Support User Manuals

ZyXEL Communications ZyWALL 1000 Network Router User Manual

Open as PDF

of 780

Chapter 20 IPSec VPN

ZyWALL USG 1000 User’s Guide

307

It takes several steps to establish an IKE SA. The negotiation mode determines how many.

There are two negotiation modes--main mode and aggressive mode. Main mode provides

better security, while aggressive mode is faster.

" Both routers must use the same negotiation mode.

These modes are discussed in more detail in Section 20.4.2.1 on page 310. Main mode is used

in various examples in the rest of this section.

20.4.1.1 IP Addresses of the ZyWALL and Remote IPSec router

To set up an IKE SA, you have to specify the IP addresses of the ZyWALL and remote IPSec

router. You can usually enter a static IP address or a domain name for either or both IP

addresses. Sometimes, your ZyWALL might offer another alternative, such as using the IP

address of a port or interface, as well.

You can also specify the IP address of the remote IPSec router as 0.0.0.0. This means that the

remote IPSec router can have any IP address. In this case, only the remote IPSec router can

initiate an IKE SA because the ZyWALL does not know the IP address of the remote IPSec

router. This is often used for telecommuters.

20.4.1.2 IKE SA Proposal

The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm,

and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE

SA. In main mode, this is done in steps 1 and 2, as illustrated next.

Figure 201 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal

The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you

can only set up one proposal.) Each proposal consists of an encryption algorithm,

authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA.

The remote IPSec router selects an acceptable proposal and sends the accepted proposal back

to the ZyWALL. If the remote IPSec router rejects all of the proposals, the ZyWALL and

remote IPSec router cannot establish an IKE SA.

One or more proposals, each one consisting of:

- encryption algorithm

- authentication algorithm

- Diffie-Hellman key group

previous next