|
| |
| Table 50 VPN Example: Mismatching ID Type and Content | |
| ZYXEL DEVICE | REMOTE IPSEC ROUTER |
| Peer ID type: IP | Peer ID type: |
|
|
|
| Peer ID content: 1.1.1.15 | Peer ID content: tom@yourcompany.com |
|
|
|
13.1.2.4 Negotiation Mode
There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps
Steps
Steps
In contrast, aggressive mode only takes three steps to establish an IKE SA.
Step 1: The ZyXEL Device sends its proposals to the remote IPSec router. It also starts the
Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyXEL Device. It also finishes the
Step 3: The ZyXEL Device authenticates the remote IPSec router and confirms that the IKE SA is established.
Aggressive mode does not provide as much security as main mode because the identity of the ZyXEL Device and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use
13.1.2.5 VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
Figure 87 VPN/NAT Example
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel.
Chapter 13 IPSec VPN | 143 |