ZyXEL Communications P-660HN-51 - ID Type and Content

To Next Page

To Previous Page

Chapter 13 IPSec

P-660HN-51 User’s Guide

162

Figure 84 NAT Router Between IPSec Routers

Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT

router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port

500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header

unchanged. In the above figure, when IPSec router A tries to establish an IKE SA, IPSec router B checks

the UDP port 500 header, and IPSec routers A and B build the IKE SA.

For NAT traversal to work, you must:

• Use ESP security protocol (in either transport or tunnel mode).

• Use IKE keying mode.

• Enable NAT traversal on both IPSec endpoints.

• Set the NAT router to forward UDP port 500 to IPSec router A.

Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the

combination of the "original header plus original payload," which is unchanged by a NAT device. The

compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following table.

Y* - This is supported in the Zyxel Device if you enable NAT traversal.

13.4.7 ID Type and Content

With aggressive negotiation mode (see Section 13.4.4 on page 160), the Zyxel Device identifies

incoming SAs by ID type and content since this identifying information is not encrypted. This enables the

Zyxel Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that

have dynamic WAN IP addresses.

Regardless of the ID type and content configuration, the Zyxel Device does not allow you to save

multiple active rules with overlapping local and remote IP addresses.

With main mode (see Section 13.4.4 on page 160), the ID type and content are encrypted to provide

identity protection. In this case the Zyxel Device can only distinguish between up to 12 different

incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The Zyxel

Device can distinguish up to 48 incoming SAs because you can select between three encryption

algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key groups

when you configure a VPN rule (see Section 13.2 on page 148). The ID type and content act as an extra

level of identification for incoming SAs.

Table 59 VPN and NAT

SECURITY PROTOCOL MODE NAT

AH Transport N

AH Tunnel N

ESP Transport Y*

ESP Tunnel Y

Other manuals for ZyXEL Communications P-660HN-51