Chapter 14 IPSec VPN
Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL. It also finishes the
Step 3: The ZyWALL authenticates the remote IPSec router and confirms that the IKE SA is established.
Aggressive mode does not provide as much security as main mode because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use
14.3.1.5 VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
Figure 176 VPN/NAT Example
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel.
Most routers like router A now have an IPSec
If router A does not have an IPSec
You have to do the following things to set up NAT traversal.
•Enable NAT traversal on the ZyWALL and remote IPSec router.
•Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ZyWALL and remote IPSec router support.
14.4 Additional IPSec VPN Topics
This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted.
| 261 |
ZyWALL 2 Plus User’s Guide | |
|
|