ZyXEL Communications ZyWall 110 User Manual page 636
Hide thumbs
Also See for ZyWall 110:
- User manual (829 pages) ,
- Handbook (749 pages) ,
- Handbook & instructions (255 pages)
Table of Contents
Advertisement
Chapter 30 IPSec VPN
Figure 441 VPN/NAT Example
A
Y
X
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try
to establish a VPN tunnel, the authentication fails because it depends on this information. The routers
cannot establish a VPN tunnel.
Most routers like router A now have an IPSec pass-thru feature. This feature helps router A recognize VPN
packets and route them appropriately. If router A has this feature, router X and router Y can establish a
VPN tunnel as long as the active protocol is ESP. (See
Active Protocol on page 637
for more information
about active protocols.)
If router A does not have an IPSec pass-thru or if the active protocol is AH, you can solve this problem by
enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to the IKE SA and
IPSec SA packets. If you configure router A to forward these packets unchanged, router X and router Y
can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the Zyxel Device and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged. (See the field
description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the Zyxel Device
and remote IPSec router support.
X-Auth / Extended Authentication
X-Auth / Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to
connect to a single IPSec router. For example, this might be used with telecommuters.
In extended authentication, one of the routers (the Zyxel Device or the remote IPSec router) provides a
user name and password to the other router, which uses a local user database and/or an external
server to verify the user name and password. If the user name or password is wrong, the routers do not
establish an IKE SA.
You can set up the Zyxel Device to provide a user name and password to the remote IPSec router, or
you can set up the Zyxel Device to check a user name and password that is provided by the remote
IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE SA. These steps occur at
the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in aggressive mode).
ZyWALL USG Series User's Guide
636
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
Related Manuals for ZyXEL Communications ZyWall 110
Related Products for ZyXEL Communications ZyWall 110
- ZyXEL Communications ZYWALL 1050 - V1.00 EDITION 1
- ZyXEL Communications ZyWALL 1100 Series
- ZyXEL Communications ZyWALL 310 Series
- ZyXEL Communications ZyWall ZLD Series
- ZyXEL Communications ZyWall ATP series
- ZyXEL Communications 1123-NI
- ZyXEL Communications 1123-AC
- ZyXEL Communications 11Mbps Wireless LAN PC Card
- ZyXEL Communications Prestige 128L
- ZyXEL Communications Internet Security Gateway 10~100 Series
- ZyXEL Communications PRESTIGE 128
- ZyXEL Communications Version 1.03
- ZyXEL Communications Prestige 128Plus
- ZyXEL Communications USG FLEX 100H
- ZyXEL Communications 100 Series
- ZyXEL Communications Draft 802.11n Wireless Broadband 1-NBG-415N