ZyXEL P-335U User Guide - Page 143
Negotiation Mode
View all ZyXEL P-335U manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 143 highlights
P-334U/P-335U User's Guide Table 50 VPN Example: Mismatching ID Type and Content ZYXEL DEVICE REMOTE IPSEC ROUTER Peer ID type: IP Peer ID type: E-mail Peer ID content: 1.1.1.15 Peer ID content: [email protected] 13.1.2.4 Negotiation Mode There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Main mode takes six steps to establish an IKE SA. Steps 1-2: The ZyXEL Device sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyXEL Device. Steps 3-4: The ZyXEL Device and the remote IPSec router participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret. Steps 5-6: Finally, the ZyXEL Device and the remote IPSec router generate an encryption key from the shared secret, encrypt their identities, and exchange their encrypted identity information for authentication. In contrast, aggressive mode only takes three steps to establish an IKE SA. Step 1: The ZyXEL Device sends its proposals to the remote IPSec router. It also starts the Diffie-Hellman key exchange and sends its (unencrypted) identity to the remote IPSec router for authentication. Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyXEL Device. It also finishes the Diffie-Hellman key exchange, authenticates the ZyXEL Device, and sends its (unencrypted) identity to the ZyXEL Device for authentication. Step 3: The ZyXEL Device authenticates the remote IPSec router and confirms that the IKE SA is established. Aggressive mode does not provide as much security as main mode because the identity of the ZyXEL Device and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication (for example, telecommuters). 13.1.2.5 VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 87 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel. Chapter 13 IPSec VPN 143