1. Manuals
  2. Brands
  3. ZyXEL Communications Manuals
  4. Wireless Router
  5. NBG-460N
  6. User manual

Table 68 Vpn Example: Mismatching Id Type And Content; Negotiation Mode - ZyXEL Communications NBG-460N User Manual

Wireless n gigabit router
Hide thumbs Also See for NBG-460N:
Table of Contents

Advertisement

In the following example, the ID type and content do not match so the authentication fails and
the NBG460N and the remote IPSec router cannot establish an IKE SA.

Table 68 VPN Example: Mismatching ID Type and Content

NBG460N
Local ID type: E-mail
Local ID content: tom@yourcompany.com
Peer ID type: IP
Peer ID content:

Negotiation Mode

There are two negotiation modes: main mode and aggressive mode. Main mode provides
better security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps 1-2: The NBG460N sends its proposals to the remote IPSec router. The remote IPSec
router selects an acceptable proposal and sends it back to the NBG460N.
Steps 3-4: The NBG460N and the remote IPSec router participate in a Diffie-Hellman key
exchange, based on the accepted DH key group, to establish a shared secret.
Steps 5-6: Finally, the NBG460N and the remote IPSec router generate an encryption key from
the shared secret, encrypt their identities, and exchange their encrypted identity information
for authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA.
Step 1: The NBG460N sends its proposals to the remote IPSec router. It also starts the Diffie-
Hellman key exchange and sends its (unencrypted) identity to the remote IPSec router for
authentication.
Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the
NBG460N. It also finishes the Diffie-Hellman key exchange, authenticates the NBG460N,
and sends its (unencrypted) identity to the NBG460N for authentication.
Step 3: The NBG460N authenticates the remote IPSec router and confirms that the IKE SA is
established.
Aggressive mode does not provide as much security as main mode because the identity of the
NBG460N and the identity of the remote IPSec router are not encrypted. It is usually used
when the address of the initiator is not known by the responder and both parties want to use
pre-shared keys for authentication (for example, telecommuters).
VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
NBG460N User's Guide
1.1.1.15
Chapter 15 IPSec VPN
REMOTE IPSEC ROUTER
Local ID type: IP
Local ID content:
1.1.1.2
Peer ID type: E-mail
Peer ID content: tom@yourcompany.com
187
Show Quick Links

Hide quick links:

Advertisement

Table of Contents
loading

Related Manuals for ZyXEL Communications NBG-460N

Related Content for ZyXEL Communications NBG-460N

Table of Contents