ZyXEL VMG8324 User Guide - Page 233
ID Type and Content
View all ZyXEL VMG8324 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 233 highlights
Figure 142 NAT Router Between IPSec Routers Chapter 20 VPN A B Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. In the above figure, when IPSec router A tries to establish an IKE SA, IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA. For NAT traversal to work, you must: • Use ESP security protocol (in either transport or tunnel mode). • Use IKE keying mode. • Enable NAT traversal on both IPSec endpoints. • Set the NAT router to forward UDP port 500 to IPSec router A. Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. The compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following table. Table 107 VPN and NAT SECURITY PROTOCOL AH AH ESP ESP MODE Transport Tunnel Transport Tunnel NAT N N Y* Y Y* - This is supported in the Device if you enable NAT traversal. 20.5.7 ID Type and Content With aggressive negotiation mode (see Section 20.5.4 on page 231), the Device identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Regardless of the ID type and content configuration, the Device does not allow you to save multiple active rules with overlapping local and remote IP addresses. With main mode (see Section 20.5.4 on page 231), the ID type and content are encrypted to provide identity protection. In this case the Device can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The Device can distinguish up to 48 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key groups when you configure a VPN rule (see Section 20.2 on page 221). The ID type and content act as an extra level of identification for incoming SAs. VMG8324-B10A / VMG8324-B30A Series User's Guide 233