Chapter 15 IPSec VPN

Note: Both routers must use the same negotiation mode.

These modes are discussed in more detail in Section 15.6.5 on page 222. Main mode is used in various examples in the rest of this section.

IP Addresses of the NBG-460N and Remote IPSec Router

In the NBG-460N, you have to specify the IP addresses of the NBG-460N and the remote IPSec router to establish an IKE SA.

You can usually provide a static IP address or a domain name for the NBG-460N. Sometimes, your NBG-460N might also offer another alternative, such as using the IP address of a port or interface.

You can usually provide a static IP address or a domain name for the remote IPSec router as well. Sometimes, you might not know the IP address of the remote IPSec router (for example, telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router can initiate an IKE SA.

15.3.2 IPSec SA (IKE Phase 2) Overview

Once the NBG-460N and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.

Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore.

Local Network and Remote Network

In an IPSec SA, the local network consists of devices connected to the NBG-460N and may be called the local policy. Similarly, the remote network consists of the devices connected to the remote IPSec router and may be called the remote policy.

Note: It is not recommended to set a VPN rule’s local and remote network settings both to 0.0.0.0 (any). This causes the NBG-460N to try to forward all access attempts (to the local network, the Internet or even the NBG-460N) to the remote IPSec router. In this case, you can no longer manage the NBG-460N.
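As an added example (not from the ZyXEL guide), the following Python check is modelled on the guidance above: it flags a rule whose local and remote policies are both set to 0.0.0.0 (any), notes when the remote IPSec router's address is unknown, and shows which destinations a remote policy would pull into the tunnel. The rule field names and the sample addresses are assumptions constructed for this example.

```python
# Added example, not code from the NBG-460N or its documentation.
# Field names (local_policy, remote_policy, remote_gateway) and all
# sample addresses are constructed for illustration.
import ipaddress

ANY = "0.0.0.0"  # the guide's "any" value for a local or remote network


def policy_network(text):
    """Turn a policy entry into an ip_network.
    '0.0.0.0' (any) covers every address; a bare host becomes a /32."""
    if text == ANY:
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)


def tunnel_selects(dst, remote_policy):
    """True if traffic to dst matches the remote policy and would therefore be
    forwarded to the remote IPSec router instead of handled locally."""
    return ipaddress.ip_address(dst) in policy_network(remote_policy)


def lint_vpn_rule(rule):
    """Return warnings for the two situations this section calls out."""
    warnings = []
    # Both policies 'any': every access attempt, including management traffic
    # to the router's own LAN address, is sent towards the remote IPSec router.
    if rule["local_policy"] == ANY and rule["remote_policy"] == ANY:
        warnings.append("both policies are any: management access to the "
                        "NBG-460N will be lost")
    # Remote gateway unknown (e.g. telecommuter with a dynamic address):
    # the IKE SA can still be built, but only the remote side can initiate it.
    if rule["remote_gateway"] in (None, "", ANY):
        warnings.append("remote gateway unknown: only the remote IPSec router "
                        "can initiate the IKE SA")
    return warnings


# Constructed sample rules (values are illustrative only)
GOOD_RULE = {"local_policy": "192.168.1.0/24", "remote_policy": "10.0.0.0/24",
             "remote_gateway": "203.0.113.10"}
BAD_RULE = {"local_policy": ANY, "remote_policy": ANY, "remote_gateway": ""}

if __name__ == "__main__":
    for name, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(name, lint_vpn_rule(rule) or "ok")
    # With a remote policy of 'any', even the router's own LAN address
    # (assumed 192.168.1.1 here) matches and is pushed into the tunnel.
    print(tunnel_selects("192.168.1.1", ANY), tunnel_selects("192.168.1.1", "10.0.0.0/24"))
```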

NBG-460N User’s Guide

197
