ZyXEL Communications ZyWALL 110 User Manual page 386

Main Mode or Aggressive Mode. Main Mode protects the identity of the peers, but Aggressive
Mode does not.
During Phase 2, the remote IPSec routers use the secure channel established in Phase 1 to
negotiate Security Associations for IPsec. The negotiation results in a minimum of two
unidirectional security associations (one inbound and one outbound). Phase 2 uses Quick Mode
(only). Quick mode occurs after IKE has established the secure tunnel in Phase 1. It negotiates a
shared IPSec policy, derives shared secret keys used for the IPSec security algorithms, and
establishes IPSec SAs. Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA
lifetime expires.
In the ZyWALL/USG, use the VPN Connection tab to set up Phase 2 and the VPN Gateway tab to
set up Phase 1.
Some differences between IKEv1 and IKEv2 include:
• IKEv2 uses less bandwidth than IKEv1. IKEv2 uses one exchange procedure with 4 messages. IKEv1 uses two phases with Main Mode (9 messages) or Aggressive Mode (6 messages) in phase 1.
• IKEv2 supports Extensible Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise authentication systems.
• IKEv2 always uses NAT traversal and Dead Peer Detection (DPD), but they can be disabled in IKEv1 using ZyWALL/USG firmware (the default is on).
• Configuration payload (includes the IP address pool in the VPN setup data) is supported in IKEv2 (off by default), but not in IKEv1.
• Narrowing (having the SA apply only to IP addresses in common between the ZyWALL/USG and the remote IPSec router) is supported in IKEv2, but not in IKEv1.
• The IKEv2 protocol supports connectivity checks, which are used to detect whether the tunnel is still up or not. If the check fails (the tunnel is down), IKEv2 can re-establish the connection automatically. The ZyWALL/USG uses firmware to perform connectivity checks when using IKEv1.
SSL VPN
SSL VPN uses the remote user's web browser and is the easiest to use of the ZyWALL/USG's VPN solutions. A user just browses to the ZyWALL/USG's web address and enters his user name and password to securely connect to the ZyWALL/USG's network. Remote users do not need to configure security settings. The user's browser gives secure access to network resources in the same way as if he were part of the internal network. See Chapter 23 on page 420 for more on SSL VPN.
Chapter 22 IPSec VPN
ZyWALL/USG Series User's Guide
386
