ZyXEL NBG-460N User Guide - Page 210
VPN, NAT, and NAT Traversal
View all ZyXEL NBG-460N manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 210 highlights
Chapter 15 IPSec VPN Steps 3-4: The NBG-460N and the remote IPSec router participate in a DiffieHellman key exchange, based on the accepted DH key group, to establish a shared secret. Steps 5-6: Finally, the NBG-460N and the remote IPSec router generate an encryption key from the shared secret, encrypt their identities, and exchange their encrypted identity information for authentication. In contrast, aggressive mode only takes three steps to establish an IKE SA. Step 1: The NBG-460N sends its proposals to the remote IPSec router. It also starts the Diffie-Hellman key exchange and sends its (unencrypted) identity to the remote IPSec router for authentication. Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the NBG-460N. It also finishes the Diffie-Hellman key exchange, authenticates the NBG-460N, and sends its (unencrypted) identity to the NBG-460N for authentication. Step 3: The NBG-460N authenticates the remote IPSec router and confirms that the IKE SA is established. Aggressive mode does not provide as much security as main mode because the identity of the NBG-460N and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication (for example, telecommuters). 15.6.6 VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 129 VPN/NAT Example 210 If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel. Most routers like router A now have an IPSec pass-through feature. This feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the NBG-460N User's Guide