Chapter 11 IPSec VPN
USG FLEX H Series User’s Guide
159
shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either Main Mode
or Aggressive Mode. Main Mode protects the identity of the peers, but Aggressive Mode does not.
During Phase 2, the remote IPSec routers use the secure channel established in Phase 1 to negotiate
Security Associations for IPSec. The negotiation results in a minimum of two unidirectional security
associations (one inbound and one outbound). Phase 2 uses Quick Mode (only). Quick mode occurs
after IKE has established the secure tunnel in Phase 1. It negotiates a shared IPSec policy, derives shared
secret keys used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode is also used to
renegotiate a new IPSec SA when the IPSec SA lifetime expires.
Some differences between IKEv1 and IKEv2 include:
• IKEv2 uses less bandwidth than IKEv1. IKEv2 uses one exchange procedure with 4 messages. IKEv1 uses
two phases with Main Mode (9 messages) or Aggressive Mode (6 messages) in phase 1.
• IKEv2 supports Extensible Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth.
EAP is important when connecting to existing enterprise authentication systems.
• IKEv2 always uses NAT traversal and Dead Peer Detection (DPD), but they can be disabled in IKEv1
using Zyxel Device firmware (the default is on).
• Configuration payload (includes the IP address pool in the VPN setup data) is supported in IKEv2 (off
by default), but not in IKEv1.
• Narrowed is supported in IKEv2, but not in IKEv1. Narrowed restricts the SA to only the IP addresses that
the Zyxel Device and the remote IPSec router have in common.
• The IKEv2 protocol supports connectivity checks, which are used to detect whether the tunnel is still up
or not. If the check fails (the tunnel is down), IKEv2 can re-establish the connection automatically. The
Zyxel Device uses firmware to perform connectivity checks when using IKEv1.
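As an added illustration (not from the Zyxel guide), the Python below parses the fixed 28-byte header that IKEv1 and IKEv2 datagrams share and classifies each one by IKE version, exchange type, phase and whether the exchange keeps peer identities encrypted, so an administrator can check captured UDP/500 traffic for Aggressive Mode negotiations. The sample datagrams are constructed; only the header is built, not the payloads.

```python
import struct
from dataclasses import dataclass

# Exchange-type codes from RFC 2408/2409 (IKEv1) and RFC 7296 (IKEv2).
IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

@dataclass
class IkeHeader:
    version: int            # IKE major version, 1 or 2
    exchange: str           # decoded exchange-type name
    phase: int              # IKEv1: 1 (Main/Aggressive) or 2 (Quick); IKEv2 has no phases, so 0
    identity_protected: bool
    message_id: int
    length: int

def parse_ike_header(pkt: bytes) -> IkeHeader:
    """Decode the fixed ISAKMP/IKE header: SPIs, next payload, version, exchange, flags, msg ID, length."""
    if len(pkt) < 28:
        raise ValueError("truncated IKE header")
    _i_spi, _r_spi, _next, ver, exch, _flags, msg_id, length = struct.unpack("!QQBBBBII", pkt[:28])
    major = ver >> 4
    if major == 1:
        name = IKEV1_EXCHANGES.get(exch, f"unknown({exch})")
        phase = 2 if exch == 32 else 1
        # Main Mode encrypts the ID payloads (messages 5 and 6); Aggressive Mode sends them in the clear.
        return IkeHeader(1, name, phase, exch != 4, msg_id, length)
    if major == 2:
        name = IKEV2_EXCHANGES.get(exch, f"unknown({exch})")
        # IKEv2 carries identities only inside the encrypted IKE_AUTH exchange.
        return IkeHeader(2, name, 0, True, msg_id, length)
    raise ValueError(f"unsupported IKE major version {major}")

def build_header(major: int, exch: int, msg_id: int = 0, length: int = 28) -> bytes:
    """Construct a header-only datagram for testing (SPI values are arbitrary placeholders)."""
    return struct.pack("!QQBBBBII", 0x1122334455667788, 0, 0, major << 4, exch, 0, msg_id, length)

def unprotected_negotiations(packets: list[bytes]) -> int:
    """Count datagrams whose exchange exposes peer identities (IKEv1 Aggressive Mode)."""
    return sum(1 for p in packets if not parse_ike_header(p).identity_protected)

if __name__ == "__main__":
    capture = [build_header(1, 4), build_header(1, 2), build_header(1, 32), build_header(2, 34)]
    for p in capture:
        print(parse_ike_header(p))
    print("aggressive-mode datagrams:", unprotected_negotiations(capture))
```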
11.2 IPSec VPN Background Information
Here is some more detailed IPSec VPN background information.
IKE SA Overview
The IKE SA provides a secure connection between the Zyxel Device and remote IPSec router.
It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two
negotiation modes for IKEv1: main mode and aggressive mode. Main mode provides better security,
while aggressive mode is faster.
Note: Both routers must use the same negotiation mode.
These modes are discussed in more detail in Negotiation Mode. Main mode is used in various examples
in the rest of this section.
The Zyxel Device supports IKEv1 and IKEv2. See Section 11.1 on page 158 for more information.
IP Addresses of the Zyxel Device and Remote IPSec Router
To set up an IKE SA, you have to specify the IP addresses of the Zyxel Device and remote IPSec router.
You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes,