Chapter 20 IPSec VPN

For example, in Table 93 on page 310, the ZyWALL and the remote IPSec router authenticate each other successfully. In contrast, in Table 94 on page 310, the ZyWALL and the remote IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA.

Table 93 VPN Example: Matching ID Type and Content

ZYWALL

REMOTE IPSEC ROUTER

Local ID type: E-mail

Local ID type: IP

 

 

Local ID content: tom@yourcompany.com

Local ID content: 1.1.1.2

 

 

Peer ID type: IP

Peer ID type: E-mail

 

 

Peer ID content: 1.1.1.2

Peer ID content: tom@yourcompany.com

 

 

Table 94 VPN Example: Mismatching ID Type and Content

ZYWALL

REMOTE IPSEC ROUTER

Local ID type: E-mail

Local ID type: IP

 

 

Local ID content: tom@yourcompany.com

Local ID content: 1.1.1.2

 

 

Peer ID type: IP

Peer ID type: E-mail

 

 

Peer ID content: 1.1.1.20

Peer ID content: tom@yourcompany.com

 

 

It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router. In this case, you usually set the peer ID type to Any. This is less secure, so you should only use this if your ZyWALL provides another way to check the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel.

20.4.2 Additional Topics for IKE SA

This section provides more information about IKE SA.

20.4.2.1 Negotiation Mode

There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.

Main mode takes six steps to establish an IKE SA.

Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL.

Steps 3 - 4: The ZyWALL and the remote IPSec router exchange pre-shared keys for authentication and participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret.

Steps 5 - 6: Finally, the ZyWALL and the remote IPSec router generate an encryption key (from the shared secret), encrypt their identities, and exchange their encrypted identity information for authentication.

In contrast, aggressive mode only takes three steps to establish an IKE SA. Aggressive mode does not provide as much security because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used in remote-access situations, where the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication. For example, the remote IPSec router may be a telecommuter who does not have a static IP address.

310

 

ZyWALL USG 1000 User’s Guide