ZyXEL Communications 5 Series User Manual page 391

You must set up the certificates for the ZyWALL and remote IPSec router
before you can use certificates in IKE SA. See
more information about certificates.
Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to
connect to a single IPSec router. For example, this might be used with telecommuters.
Extended authentication occurs right after the authentication described in
page 389.
In extended authentication, one of the routers (the ZyWALL or the remote IPSec router)
provides a user name and password to the other router, which uses a local user database and/or
an external server to verify the user name and password. If the user name or password is
wrong, the routers do not establish an IKE SA.
You can set up the ZyWALL to provide a user name and password to the remote IPSec router,
or you can set up the ZyWALL to check a user name and password that is provided by the
remote IPSec router.
Negotiation Mode
There are two negotiation modes: main mode and aggressive mode. Main mode provides
better security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps 1-2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec
router selects an acceptable proposal and sends it back to the ZyWALL.
Steps 3-4: The ZyWALL and the remote IPSec router participate in a Diffie-Hellman key
exchange, based on the accepted DH key group, to establish a shared secret.
Steps 5-6: Finally, the ZyWALL and the remote IPSec router generate an encryption key from
the shared secret, encrypt their identities, and exchange their encrypted identity information
for authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA.
Step 1: The ZyWALL sends its proposals to the remote IPSec router. It also starts the Diffie-
Hellman key exchange and sends its (unencrypted) identity to the remote IPSec router for
authentication.
Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the
ZyWALL. It also finishes the Diffie-Hellman key exchange, authenticates the ZyWALL, and
sends its (unencrypted) identity to the ZyWALL for authentication.
Step 3: The ZyWALL authenticates the remote IPSec router and confirms that the IKE SA is
established.
Aggressive mode does not provide as much security as main mode because the identity of the
ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used
when the address of the initiator is not known by the responder and both parties want to use
pre-shared keys for authentication (for example, telecommuters).
ZyWALL 5/35/70 Series User's Guide
Chapter 19 IPSec VPN
Chapter 20 on page 399
Authentication on
for
391