Chapter 30 IPSec VPN
UAG5100 User’s Guide
308
In extended authentication, one of the routers (the UAG or the remote IPSec router) provides a
user name and password to the other router, which uses a local user database and/or an external
server to verify the user name and password. If the user name or password is wrong, the routers
do not establish an IKE SA.
You can set up the UAG to provide a user name and password to the remote IPSec router, or you
can set up the UAG to check a user name and password that is provided by the remote IPSec
router.
If you use extended authentication, it takes four more steps to establish an IKE SA. These steps
occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in
aggressive mode).
Certificates
It is possible for the UAG and remote IPSec router to authenticate each other with certificates. In
this case, you do not have to set up the pre-shared key, local identity, or remote identity because
the certificates provide this information instead.
• Instead of using the pre-shared key, the UAG and remote IPSec router check the signatures on
each other’s certificates. Unlike pre-shared keys, the signatures do not have to match.
• The local and peer ID type and content come from the certificates.
Note: You must set up the certificates for the UAG and remote IPSec router first.
IPSec SA Overview
Once the UAG and remote IPSec router have established the IKE SA, they can securely negotiate an
IPSec SA through which to send data between computers on the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available
anymore.
This section introduces the key components of an IPSec SA.
Local Network and Remote Network
In an IPSec SA, the local network, the one(s) connected to the UAG, may be called the local policy.
Similarly, the remote network, the one(s) connected to the remote IPSec router, may be called the
remote policy.
Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each packet is
protected by the encryption and authentication algorithms. IPSec VPN includes two active
protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC
2406).
Note: The UAG and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.