ZyXEL Communications ZyWALL USG 300 User Manual page 506

Unified security gateway
Chapter 25 IPSec VPN
Negotiation Mode
There are two negotiation modes: main mode and aggressive mode. Main mode
provides better security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The
remote IPSec router selects an acceptable proposal and sends it back to the
ZyWALL.
Steps 3 - 4: The ZyWALL and the remote IPSec router exchange pre-shared keys
for authentication and participate in a Diffie-Hellman key exchange, based on the
accepted DH key group, to establish a shared secret.
Steps 5 - 6: Finally, the ZyWALL and the remote IPSec router generate an
encryption key (from the shared secret), encrypt their identities, and exchange
their encrypted identity information for authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA.
Aggressive mode does not provide as much security because the identity of the
ZyWALL and the identity of the remote IPSec router are not encrypted. It is
usually used in remote-access situations, where the address of the initiator is not
known by the responder and both parties want to use pre-shared keys for
authentication. For example, the remote IPSec router may be a telecommuter who
does not have a static IP address.
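The following is an added illustration, not ZyXEL code or the ZyWALL's implementation: a toy walk-through of the six-message main-mode and three-message aggressive-mode exchanges described above. The DH group, key derivation and cipher are deliberately tiny placeholders (constructed for readability, not real IKE parameters), and the identities are constructed sample values. The one property the model reproduces faithfully is the point the text makes: in main mode the identities are sent only after a key has been derived and are encrypted, while in aggressive mode they travel in cleartext, so a passive observer on the path can read them.

```python
"""Toy walk-through of the IKEv1 main-mode (six messages) and aggressive-mode
(three messages) exchanges. Added illustration, not ZyXEL code: the DH group,
key derivation and cipher are tiny placeholders so the message flow stays
readable. It demonstrates which messages carry identities in the clear."""
import hashlib
import secrets

# Constructed toy DH parameters (NOT a real IKE DH group, which uses 1024-bit
# or larger primes); small only so the arithmetic stays readable.
P, G = (1 << 61) - 1, 2
PSK = b"constructed-pre-shared-key"


def dh_keypair():
    """Private exponent in [1, P-2] and the matching public value G^priv mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared_secret, psk):
    """SKEYID-like derivation: bind the DH shared secret to the pre-shared key."""
    return hashlib.sha256(psk + shared_secret.to_bytes(8, "big")).digest()


def toy_encrypt(key, data):
    """Placeholder stream cipher (SHA-256 counter keystream). Toy only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def main_mode(init_id, resp_id):
    """Return the six payloads an on-path observer sees in main mode."""
    t = []
    # Steps 1-2: proposal and the responder's selection (cleartext, no identities).
    t.append(("I->R", b"SA proposal: AES-128/SHA1/DH2"))
    t.append(("R->I", b"SA accepted: AES-128/SHA1/DH2"))
    # Steps 3-4: DH public values (and, in real IKE, nonces) are exchanged.
    ipriv, ipub = dh_keypair()
    rpriv, rpub = dh_keypair()
    t.append(("I->R", b"KE:" + ipub.to_bytes(8, "big")))
    t.append(("R->I", b"KE:" + rpub.to_bytes(8, "big")))
    shared = pow(rpub, ipriv, P)
    assert shared == pow(ipub, rpriv, P)  # both sides reach the same secret
    key = derive_key(shared, PSK)
    # Steps 5-6: identities travel encrypted under the derived key.
    t.append(("I->R", toy_encrypt(key, b"ID:" + init_id)))
    t.append(("R->I", toy_encrypt(key, b"ID:" + resp_id)))
    return t


def aggressive_mode(init_id, resp_id):
    """Return the three payloads an on-path observer sees in aggressive mode."""
    t = []
    ipriv, ipub = dh_keypair()
    rpriv, rpub = dh_keypair()
    # Message 1: proposal, DH value and the initiator's identity, all cleartext.
    t.append(("I->R", b"SA proposal; KE:" + ipub.to_bytes(8, "big")
              + b"; ID:" + init_id))
    # Message 2: responder's choice, DH value, identity and auth hash, cleartext.
    key = derive_key(pow(ipub, rpriv, P), PSK)
    auth_r = hashlib.sha256(key + resp_id).digest()
    t.append(("R->I", b"SA accepted; KE:" + rpub.to_bytes(8, "big")
              + b"; ID:" + resp_id + b"; HASH:" + auth_r))
    # Message 3: initiator's auth hash. Encrypting it no longer hides the
    # identities, which were already sent in messages 1 and 2.
    auth_i = hashlib.sha256(derive_key(pow(rpub, ipriv, P), PSK) + init_id).digest()
    t.append(("I->R", toy_encrypt(key, b"HASH:" + auth_i)))
    return t


def identities_visible(transcript, candidates):
    """Which candidate identities does a passive observer see in plaintext?"""
    seen = set()
    for _, payload in transcript:
        for cid in candidates:
            if b"ID:" + cid in payload:
                seen.add(cid)
    return seen


if __name__ == "__main__":
    ids = (b"hq-zywall.example", b"telecommuter.example")  # constructed IDs
    print("main mode :", len(main_mode(*ids)), "messages, identities visible:",
          identities_visible(main_mode(*ids), ids))
    print("aggressive:", len(aggressive_mode(*ids)), "messages, identities visible:",
          identities_visible(aggressive_mode(*ids), ids))
```

Running the script shows the observer recovering nothing from the main-mode transcript and both identities from the aggressive-mode one. In practice this is why aggressive mode with pre-shared keys is usually confined to the remote-access case the text describes, and why the identifier chosen for such peers should not itself be sensitive.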
VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router
Y.
Figure 366 VPN/NAT Example (diagram: router X and router Y at either end, with router A on the path between them)
If router A does NAT, it might change the IP addresses, port numbers, or both. If
router X and router Y try to establish a VPN tunnel, the authentication fails
because it depends on this information. The routers cannot establish a VPN tunnel.
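To make the failure concrete, here is an added example (not ZyXEL code or the ZyWALL's implementation) modelling the three routers. Router Y keeps its pre-shared keys indexed by peer address, so the lookup fails once router A has rewritten the source address. The same model also shows the NAT-D check that IKE NAT traversal (RFC 3947) uses to notice the rewrite: each peer sends a hash of the address it believes it is using, and the receiver recomputes the hash over the address it actually observed. The IP addresses are constructed from the RFC 5737 documentation ranges, the cookies are constructed sample values, and SHA-1 stands in for whatever hash the peers negotiated.

```python
"""Why a NAT between two IPSec peers breaks address-dependent authentication,
and how the NAT-D check of IKE NAT traversal (RFC 3947) detects the rewrite.
Added illustration, not ZyXEL code; addresses are constructed from the
RFC 5737 documentation ranges."""
import hashlib
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: dict


# Router Y keeps one pre-shared key per peer, indexed by the peer's address:
# this is the authentication that "depends on this information".
PSK_BY_PEER_ADDRESS = {"192.0.2.10": b"constructed-psk-for-router-X"}

COOKIE_I = bytes.fromhex("0011223344556677")  # constructed IKE cookies
COOKIE_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cookie_i, cookie_r, ip, port):
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), as in RFC 3947.
    SHA-1 stands in for the negotiated hash algorithm."""
    data = (cookie_i + cookie_r + ipaddress.ip_address(ip).packed
            + port.to_bytes(2, "big"))
    return hashlib.sha1(data).digest()


def router_x_sends():
    """Router X builds its IKE message and includes a NAT-D hash of the
    address it believes it is sending from."""
    src_ip, src_port = "192.0.2.10", 500
    payload = {"nat_d_src": nat_d_hash(COOKIE_I, COOKIE_R, src_ip, src_port)}
    return Packet(src_ip, src_port, "198.51.100.20", 500, payload)


def router_a_nat(packet, public_ip="203.0.113.5", new_port=40500):
    """Router A performing NAT: rewrites the source address and port."""
    return packet._replace(src_ip=public_ip, src_port=new_port)


def router_y_receives(packet):
    """Router Y's checks on arrival: recompute NAT-D over the observed source
    address, then look up the pre-shared key by that address."""
    observed = nat_d_hash(COOKIE_I, COOKIE_R, packet.src_ip, packet.src_port)
    nat_on_path = observed != packet.payload["nat_d_src"]
    psk = PSK_BY_PEER_ADDRESS.get(packet.src_ip)
    return {"nat_detected": nat_on_path, "psk_found": psk is not None}


def scenario(with_nat):
    """Run X -> (A) -> Y once, with or without router A rewriting addresses."""
    pkt = router_x_sends()
    if with_nat:
        pkt = router_a_nat(pkt)
    return router_y_receives(pkt)


if __name__ == "__main__":
    print("direct :", scenario(False))
    print("via NAT:", scenario(True))
```

Without router A, the NAT-D hashes match and the key lookup succeeds; with router A rewriting the source, the hashes differ (so both peers know a NAT is present and can switch to UDP encapsulation) and the address-keyed lookup finds nothing, which is the authentication failure the text describes. A deployment that must pass through a NAT therefore either enables NAT traversal on both peers or authenticates by a peer identifier that is independent of the source address.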
Most routers like router A now have an IPSec pass-thru feature. This feature helps
router A recognize VPN packets and route them appropriately. If router A has this
506
ZyWALL USG 300 User's Guide

This manual is also suitable for: USG 100 series, USG 200 series