Chapter 20 IPSec VPN
ZyWALL ATP Series User’s Guide
409
It is also possible to configure the Zyxel Device to ignore the identity of the remote IPSec router. In this
case, you usually set the peer ID type to
Any
. This is less secure, so you should only use this if your Zyxel
Device provides another way to check the identity of the remote IPSec router (for example, extended
authentication) or if you are troubleshooting a VPN tunnel.
Additional Topics for IKE SA
This section provides more information about IKE SA.
Negotiation Mode
There are two negotiation modes--main mode and aggressive mode. Main mode provides better
security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps 1 - 2: The Zyxel Device sends its proposals to the remote IPSec router. The remote IPSec router
selects an acceptable proposal and sends it back to the Zyxel Device.
Steps 3 - 4: The Zyxel Device and the remote IPSec router exchange pre-shared keys for authentication
and participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a
shared secret.
Steps 5 - 6: Finally, the Zyxel Device and the remote IPSec router generate an encryption key (from the
shared secret), encrypt their identities, and exchange their encrypted identity information for
authentication.
In contrast, aggressive
mode only takes three steps to establish an IKE SA. Aggressive mode does not
provide as much security because the identity of the Zyxel Device and the identity of the remote IPSec
router are not encrypted. It is usually used in remote-access situations, where the address of the initiator
is not known by the responder and both parties want to use pre-shared keys for authentication. For
example, the remote IPSec router may be a telecommuter who does not have a static IP address.
VPN, NAT, and NAT Traversal
In the following example, there is another router (
A
) between router
X
and router
Y
.
Table 163 VPN Example: Mismatching ID Type and Content
ZYXEL DEVICE
REMOTE IPSEC ROUTER
Local ID type: E-mail
Local ID type: IP
Local ID content: tom@yourcompany.com
Local ID content: 1.1.1.2
Peer ID type: IP
Peer ID type: E-mail
Peer ID content: 1.1.1.20
Peer ID content: tom@yourcompany.com