Chapter 30 IPSec VPN
UAG Series User’s Guide
358
Steps 5 - 6: Finally, the UAG and the remote IPSec router generate an encryption key (from the
shared secret), encrypt their identities, and exchange their encrypted identity information for
authentication.
In contrast, aggressive
mode only takes three steps to establish an IKE SA. Aggressive mode does
not provide as much security because the identity of the UAG and the identity of the remote IPSec
router are not encrypted. It is usually used in remote-access situations, where the address of the
initiator is not known by the responder and both parties want to use pre-shared keys for
authentication. For example, the remote IPSec router may be a telecommuter who does not have a
static IP address.
VPN, NAT, and NAT Traversal
In the following example, there is another router (
A
) between router
X
and router
Y
.
Figure 248
VPN/NAT Example
If router
A
does NAT, it might change the IP addresses, port numbers, or both. If router
X
and
router
Y
try to establish a VPN tunnel, the authentication fails because it depends on this
information. The routers cannot establish a VPN tunnel.
Most routers like router
A
now have an IPSec pass-thru feature. This feature helps router
A
recognize VPN packets and route them appropriately. If router
A
has this feature, router
X
and
router
Y
can establish a VPN tunnel as long as the active protocol is ESP. (See
for more information about active protocols.)
If router A does not have an IPSec pass-thru or if the active protocol is AH, you can solve this
problem by enabling NAT traversal. In NAT traversal, router
X
and router
Y
add an extra header to
the IKE SA and IPSec SA packets. If you configure router
A
to forward these packets unchanged,
router
X
and router
Y
can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the UAG and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged. (See the field
description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the UAG
and remote IPSec router support.
Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to
connect to a single IPSec router. For example, this might be used with telecommuters.
A
X
Y