Chapter 20 IPSec VPN
20.4.2.2 VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
Figure 204 VPN/NAT Example
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel.
Most routers like router A now have an IPSec
If router A does not have an IPSec
You have to do the following things to set up NAT traversal.
•Enable NAT traversal on the ZyWALL and remote IPSec router.
•Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ZyWALL and remote IPSec router support.
20.4.2.3 Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters.
In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) provides a user name and password to the other router, which uses a local user database and/or an external server to verify the user name and password. If the user name or password is wrong, the routers do not establish an IKE SA.
You can set up the ZyWALL to provide a user name and password to the remote IPSec router, or you can set up the ZyWALL to check a user name and password that is provided by the remote IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE SA. These steps occur at the end, regardless of the negotiation mode (steps
20.4.2.4 Certificates
It is possible for the ZyWALL and remote IPSec router to authenticate each other with certificates. In this case, you do not have to set up the
| 311 |
ZyWALL USG 1000 User’s Guide | |
|
|