ZyXEL NBG-460N User Guide - Page 209
Negotiation Mode
Page 209 highlights
Chapter 15 IPSec VPN

domain name, or e-mail address. The ID content is only used for identification; the IP address, domain name, or e-mail address that you enter does not have to actually exist.

The NBG-460N and the remote IPSec router each has its own identity, so each one must store two sets of information, one for itself and one for the other router. Local ID type and ID content refers to the ID type and ID content that applies to the router itself, and peer ID type and ID content refers to the ID type and ID content that applies to the other router in the IKE SA.

Note: The NBG-460N's local and peer ID type and ID content must match the remote IPSec router's peer and local ID type and ID content, respectively.

In the following example, the ID type and content match so the NBG-460N and the remote IPSec router authenticate each other successfully.

Table 69 VPN Example: Matching ID Type and Content

| NBG-460N | REMOTE IPSEC ROUTER |
| --- | --- |
| Local ID type: E-mail | Local ID type: IP |
| Local ID content: [email protected] | Local ID content: 1.1.1.2 |
| Peer ID type: IP | Peer ID type: E-mail |
| Peer ID content: 1.1.1.2 | Peer ID content: [email protected] |

In the following example, the ID type and content do not match so the authentication fails and the NBG-460N and the remote IPSec router cannot establish an IKE SA.

Table 70 VPN Example: Mismatching ID Type and Content

| NBG-460N | REMOTE IPSEC ROUTER |
| --- | --- |
| Local ID type: E-mail | Local ID type: IP |
| Local ID content: [email protected] | Local ID content: 1.1.1.2 |
| Peer ID type: IP | Peer ID type: E-mail |
| Peer ID content: 1.1.1.15 | Peer ID content: [email protected] |

15.6.5 Negotiation Mode

There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.

Main mode takes six steps to establish an IKE SA.

Steps 1-2: The NBG-460N sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the NBG-460N.
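The ID matching rule from the note and Tables 69 and 70 above can be checked before deployment. The following is an added example, not code from the ZyXEL guide or firmware: the `IkeIdentity` class, the `check_id_match` function and the e-mail value `admin@example.com` are constructed for illustration, and the comparison rules (type labels case-insensitive, content exact after trimming) are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeIdentity:
    """One router's ID settings, using the four fields shown in the tables."""
    local_type: str
    local_content: str
    peer_type: str
    peer_content: str


def _norm(id_type, content):
    # Assumption: type labels compare case-insensitively, content exactly
    # after trimming surrounding whitespace.
    return id_type.strip().lower(), content.strip()


def check_id_match(a, b, a_name="NBG-460N", b_name="remote IPSec router"):
    """Return mismatch descriptions; an empty list means the IDs line up."""
    problems = []
    # Each router's local ID must equal the other router's peer ID.
    for src, src_name, dst, dst_name in ((a, a_name, b, b_name),
                                         (b, b_name, a, a_name)):
        l_type, l_content = _norm(src.local_type, src.local_content)
        p_type, p_content = _norm(dst.peer_type, dst.peer_content)
        if l_type != p_type:
            problems.append(f"{src_name} local ID type {src.local_type!r} != "
                            f"{dst_name} peer ID type {dst.peer_type!r}")
        elif l_content != p_content:
            problems.append(f"{src_name} local ID content {src.local_content!r} != "
                            f"{dst_name} peer ID content {dst.peer_content!r}")
    return problems


EMAIL = "admin@example.com"  # constructed placeholder for the e-mail ID content

# Settings laid out as in Table 69 (matching) and Table 70 (mismatching).
TABLE_69 = (IkeIdentity("E-mail", EMAIL, "IP", "1.1.1.2"),
            IkeIdentity("IP", "1.1.1.2", "E-mail", EMAIL))
TABLE_70 = (IkeIdentity("E-mail", EMAIL, "IP", "1.1.1.15"),
            IkeIdentity("IP", "1.1.1.2", "E-mail", EMAIL))

if __name__ == "__main__":
    for label, (nbg, remote) in (("Table 69", TABLE_69), ("Table 70", TABLE_70)):
        issues = check_id_match(nbg, remote)
        print(label, "OK" if not issues else issues)
```
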