Chapter 18 IPSec VPN
NBG5715 User’s Guide
136
18.7.1 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 83 IPSec Architecture
IPSec Algorithms
The ESP (Encapsulating Security Payload) protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption
Standard) and Triple DES algorithms.
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols.
Key Management
Key management allows you to determine whether to use IKE (ISAKMP) or manual key
configuration in order to set up a VPN.
18.7.2 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. At the time of writing, the NBG5715 supports Tunnel mode only.
Figure 84 Transport and Tunnel Mode IPSec Encapsulation
Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header information and options are not used in the authentication process. Therefore, the originating IP address cannot be verified for integrity against the data.
With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process.
Tunnel Mode
Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation. Tunnel mode is required for gateway to gateway and host to gateway communications. Tunnel mode communications have two sets of IP headers:
Outside header: The outside IP header contains the destination IP address of the VPN gateway.
Inside header: The inside IP header contains the destination IP address of the final system behind the VPN gateway. The security protocol appears after the outer IP header and before the inside IP header.
18.7.3 IKE Phases
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication)
and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses
that SA to negotiate SAs for IPSec.
Figure 85 Two Phases to Set Up the IPSec SA
In phase 1 you must:
Choose a negotiation mode.
Authenticate the connection by entering a pre-shared key.
Choose an encryption algorithm.
Choose an authentication algorithm.
Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up
before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA
times out when an IPSec SA is already established, the IPSec SA stays connected.
In phase 2 you must:
Choose an encryption algorithm.
Choose an authentication algorithm.
Choose a Diffie-Hellman public-key cryptography key group.
Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay
up before it times out. The NBG5715 automatically renegotiates the IPSec SA if there is traffic
when the IPSec SA lifetime period expires. If an IPSec SA times out, then the IPSec router must
renegotiate the SA the next time someone attempts to send traffic.
18.7.4 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations.
Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).
Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However, the trade-off is that the faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared key authentication.
18.7.5 IPSec and NAT
Read this section if you are running IPSec on a host computer behind the NBG5715.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using the AH protocol, packet contents (the data payload) are not encrypted.
A NAT device in between the IPSec endpoints will rewrite either the source or destination address
with one of its own choosing. The VPN device at the receiving end will verify the integrity of the
incoming packet by computing its own hash value, and complain that the hash value appended to
the received packet doesn't match. The VPN device at the receiving end doesn't know about the
NAT in the middle, so it assumes that the data has been maliciously altered.
IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using the ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet.
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device.
Transport mode ESP with authentication is not compatible with NAT.
18.7.6 VPN, NAT, and NAT Traversal
NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address. As a result, the VPN device at the receiving end finds a mismatch between the hash value and the data and assumes that the data has been maliciously altered.
NAT is not normally compatible with ESP in transport mode either, but the NBG5715's NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers.
Table 58 VPN and NAT

SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   N
ESP                 Tunnel      Y
Figure 86 NAT Router Between IPSec Routers
Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. In the above figure, when IPSec router A tries to establish an IKE SA, IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA.
For NAT traversal to work, you must:
Use ESP security protocol (in either transport or tunnel mode).
Use IKE keying mode.
Enable NAT traversal on both IPSec endpoints.
Set the NAT router to forward UDP port 500 to IPSec router A.
Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. The compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in Table 59.
Y* - This is supported in the NBG5715 if you enable NAT traversal.
18.7.7 ID Type and Content
With aggressive negotiation mode (see Section 18.7.4 on page 138), the NBG5715 identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the NBG5715 to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses.
Regardless of the ID type and content configuration, the NBG5715 does not allow you to save
multiple active rules with overlapping local and remote IP addresses.
With main mode (see Section 18.7.4 on page 138), the ID type and content are encrypted to provide identity protection. In this case the NBG5715 can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The NBG5715 can distinguish up to 48 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key groups when you configure a VPN rule (see Section 18.4 on page 123). The ID type and content act as an extra level of identification for incoming SAs.
Table 59 VPN and NAT

SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   Y*
ESP                 Tunnel      Y