Negotiation Mode; Vpn, Nat, And Nat Traversal; Figure 87 Vpn/Nat Example - ZyXEL Communications P-335U User Manual
802.11a/g wireless router
Hide thumbs
Also See for P-335U:
- Quick start manual (126 pages) ,
- Specifications (2 pages) ,
- User manual (330 pages)
Table of Contents
Advertisement
Table 50 VPN Example: Mismatching ID Type and Content
ZYXEL DEVICE
Peer ID type: IP
Peer ID content:
13.1.2.4 Negotiation Mode
There are two negotiation modes: main mode and aggressive mode. Main mode provides
better security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps 1-2: The ZyXEL Device sends its proposals to the remote IPSec router. The remote
IPSec router selects an acceptable proposal and sends it back to the ZyXEL Device.
Steps 3-4: The ZyXEL Device and the remote IPSec router participate in a Diffie-Hellman key
exchange, based on the accepted DH key group, to establish a shared secret.
Steps 5-6: Finally, the ZyXEL Device and the remote IPSec router generate an encryption key
from the shared secret, encrypt their identities, and exchange their encrypted identity
information for authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA.
Step 1: The ZyXEL Device sends its proposals to the remote IPSec router. It also starts the
Diffie-Hellman key exchange and sends its (unencrypted) identity to the remote IPSec router
for authentication.
Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyXEL
Device. It also finishes the Diffie-Hellman key exchange, authenticates the ZyXEL Device,
and sends its (unencrypted) identity to the ZyXEL Device for authentication.
Step 3: The ZyXEL Device authenticates the remote IPSec router and confirms that the IKE
SA is established.
Aggressive mode does not provide as much security as main mode because the identity of the
ZyXEL Device and the identity of the remote IPSec router are not encrypted. It is usually used
when the address of the initiator is not known by the responder and both parties want to use
pre-shared keys for authentication (for example, telecommuters).
13.1.2.5 VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
Figure 87 VPN/NAT Example
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and
router Y try to establish a VPN tunnel, the authentication fails because it depends on this
information. The routers cannot establish a VPN tunnel.
Chapter 13 IPSec VPN
1.1.1.15
P-334U/P-335U User's Guide
REMOTE IPSEC ROUTER
Peer ID type: E-mail
Peer ID content: tom@yourcompany.com
143
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
