Table of Contents
Advertisement
Chapter 20 IPSec VPN
Figure 281 VPN/NAT Example
A
Y
X
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try
to establish a VPN tunnel, the authentication fails because it depends on this information. The routers
cannot establish a VPN tunnel.
Most routers like router A now have an IPSec pass-thru feature. This feature helps router A recognize VPN
packets and route them appropriately. If router A has this feature, router X and router Y can establish a
VPN tunnel as long as the active protocol is ESP. (See
Active Protocol on page 411
for more information
about active protocols.)
If router A does not have an IPSec pass-thru or if the active protocol is AH, you can solve this problem by
enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to the IKE SA and
IPSec SA packets. If you configure router A to forward these packets unchanged, router X and router Y
can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the Zyxel Device and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged. (See the field
description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the Zyxel Device
and remote IPSec router support.
X-Auth / Extended Authentication
X-Auth / Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to
connect to a single IPSec router. For example, this might be used with telecommuters.
In extended authentication, one of the routers (the Zyxel Device or the remote IPSec router) provides a
user name and password to the other router, which uses a local user database and/or an external
server to verify the user name and password. If the user name or password is wrong, the routers do not
establish an IKE SA.
You can set up the Zyxel Device to provide a user name and password to the remote IPSec router, or
you can set up the Zyxel Device to check a user name and password that is provided by the remote
IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE SA. These steps occur at
the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in aggressive mode).
ZyWALL ATP Series User's Guide
410
- Quick Links:
- Web Configurator
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
Related Manuals for ZyXEL Communications ZyWall ATP series
Related Products for ZyXEL Communications ZyWall ATP series
- ZyXEL Communications ZyWALL USG Series
- ZyXEL Communications ZyWALL 310
- ZyXEL Communications ZyWALL 310 Series
- ZyXEL Communications ZyWall ZLD Series
- ZyXEL Communications ZLD
- ZyXEL Communications ZyWALL ATP Series
- ZyXEL Communications ZyWALL 10
- ZyXEL Communications Internet Security Appliance ZyWALL5UTM 4.0