Chapter 11 IPSec VPN
USG FLEX H Series User’s Guide
163
Steps 3 - 4: The Zyxel Device and the remote IPSec router exchange pre-shared keys for authentication
and participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a
shared secret.
Steps 5 - 6: Finally, the Zyxel Device and the remote IPSec router generate an encryption key (from the
shared secret), encrypt their identities, and exchange their encrypted identity information for
authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA. Aggressive mode does not
provide as much security because the identity of the Zyxel Device and the identity of the remote IPSec
router are not encrypted. It is usually used in remote-access situations, where the address of the initiator
is not known by the responder and both parties want to use pre-shared keys for authentication. For
example, the remote IPSec router may be a telecommuter who does not have a static IP address.
VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
Figure 116 VPN/NAT Example
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try
to establish a VPN tunnel, the authentication fails because it depends on this information. The routers
cannot establish a VPN tunnel.
Most routers like router A now have an IPSec pass-thru feature. This feature helps router A recognize VPN
packets and route them appropriately. If router A has this feature, router X and router Y can establish a
VPN tunnel as long as the active protocol is ESP. (See
Active Protocol on page 164 for more information
about active protocols.)
If router A does not have an IPSec pass-thru or if the active protocol is AH, you can solve this problem by
enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to the IKE SA and
IPSec SA packets. If you configure router A to forward these packets unchanged, router X and router Y
can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the Zyxel Device and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged. (See the field
description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the Zyxel Device
and remote IPSec router support.
To Next Page
Loading...
