P-2602H(W)(L)-DxA Series User’s Guide
Chapter 17 VPN Screens
Page 226 / 427
17.7 VPN, NAT, and NAT Traversal
NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address. As a result, the VPN device at the receiving end finds a mismatch between the hash value and the data and assumes that the data has been maliciously altered.
NAT is not normally compatible with ESP in transport mode either, but the ZyXEL Device’s NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers.
Figure 122 NAT Router Between IPSec Routers
Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. In Figure 122 on page 226, when IPSec router A tries to establish an IKE SA, IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA.
For NAT traversal to work, you must:
• Use ESP security protocol (in either transport or tunnel mode).
• Use IKE keying mode.
• Enable NAT traversal on both IPSec endpoints.
• Set the NAT router to forward UDP port 500 to IPSec router A.
Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. The compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following table.
Table 82 VPN and NAT
SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   Y*
ESP                 Tunnel      Y
Y* - This is supported in the ZyXEL Device if you enable NAT traversal.
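A toy model of why Table 82 comes out the way it does, added here as an illustration and not taken from the guide: the AH-style check covers the outer IP addresses, so a NAT rewrite invalidates it, while the ESP tunnel-mode check covers only the encapsulated "original header plus original payload". The key, addresses and packet layout are constructed placeholders, not the real AH or ESP formats.

```python
import hmac
import hashlib

# Constructed demo key: a real SA key is derived by IKE, never hard-coded.
KEY = b"constructed-demo-key"

def icv(*fields: bytes) -> str:
    """Integrity check value: HMAC-SHA1 over the given fields (simplified model)."""
    return hmac.new(KEY, b"|".join(fields), hashlib.sha1).hexdigest()

def ah_protect(src: str, dst: str, payload: bytes) -> dict:
    """AH signs the IP header addresses together with the payload."""
    return {"src": src, "dst": dst, "payload": payload,
            "icv": icv(src.encode(), dst.encode(), payload)}

def ah_verify(pkt: dict) -> bool:
    expected = icv(pkt["src"].encode(), pkt["dst"].encode(), pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])

def esp_tunnel_protect(outer_src: str, outer_dst: str,
                       inner_src: str, inner_dst: str, payload: bytes) -> dict:
    """ESP tunnel mode: the check covers the encapsulated inner packet
    (original header plus original payload); the outer header is not signed."""
    inner = b"|".join([inner_src.encode(), inner_dst.encode(), payload])
    return {"src": outer_src, "dst": outer_dst, "inner": inner, "icv": icv(inner)}

def esp_verify(pkt: dict) -> bool:
    return hmac.compare_digest(icv(pkt["inner"]), pkt["icv"])

def nat_rewrite(pkt: dict, public_src: str) -> dict:
    """A NAT router between the IPSec endpoints replaces the outer source address."""
    return {**pkt, "src": public_src}

def demo() -> tuple:
    """Returns (AH verifies after NAT, ESP tunnel mode verifies after NAT)."""
    # Constructed addresses: LAN host 192.168.1.10 is translated to 198.51.100.1.
    ah = ah_protect("192.168.1.10", "203.0.113.5", b"payload")
    esp = esp_tunnel_protect("192.168.1.10", "203.0.113.5",
                             "192.168.1.10", "10.0.0.7", b"payload")
    return (ah_verify(nat_rewrite(ah, "198.51.100.1")),
            esp_verify(nat_rewrite(esp, "198.51.100.1")))

if __name__ == "__main__":
    print(demo())  # (False, True): AH fails behind NAT, ESP tunnel mode still verifies
```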
17.8 Remote DNS Server
In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP since these DNS servers cannot resolve domain names to private IP addresses on the remote network.
The following figure depicts an example where three VPN tunnels are created from ZyXEL Device A; one to branch office 2, one to branch office 3 and another to headquarters. In order to access computers that use private domain names on the headquarters (HQ) network, the ZyXEL Device at branch office 1 uses the Intranet DNS server in headquarters. The DNS server feature for VPN does not work with Windows 2000 or Windows XP.
Figure 123 VPN Host using Intranet DNS Server Example
If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote network.
17.9 ID Type and Content
With aggressive negotiation mode (see Section 17.12.1 on page 235), the ZyXEL Device identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the ZyXEL Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyXEL Device from IPSec routers with dynamic IP addresses (see Section 17.18 on page 244 for a telecommuter configuration example).
Regardless of the ID type and content configuration, the ZyXEL Device does not allow you to save multiple active rules with overlapping local and remote IP addresses.
With main mode (see Section 17.12.1 on page 235), the ID type and content are encrypted to provide identity protection. In this case the ZyXEL Device can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The ZyXEL Device can distinguish up to 12 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see Section 17.13 on page 236). The ID type and content act as an extra level of identification for incoming SAs.
The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address.
Table 83 Local ID Type and Content Fields
LOCAL ID TYPE =   CONTENT =
IP                Type the IP address of your computer or leave the field blank to have the ZyXEL Device automatically use its own IP address.
DNS               Type a domain name (up to 31 characters) by which to identify this ZyXEL Device.
E-mail            Type an e-mail address (up to 31 characters) by which to identify this ZyXEL Device.
                  The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.
Table 84 Peer ID Type and Content Fields
PEER ID TYPE =    CONTENT =
IP                Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyXEL Device automatically use the address in the Secure Gateway field.
DNS               Type a domain name (up to 31 characters) by which to identify the remote IPSec router.
E-mail            Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router.
                  The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. The domain name also does not have to match the remote router’s IP address or what you configure in the Secure Gateway Addr field below.
17.9.1 ID Type and Content Examples
Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel.
The two ZyXEL Devices in this example can complete negotiation and establish a VPN tunnel.
Table 85 Matching ID Type and Content Configuration Example
ZYXEL DEVICE A                              ZYXEL DEVICE B
Local ID type: E-mail                       Local ID type: IP
Local ID content: [email protected]         Local ID content: 1.1.1.2
Peer ID type: IP                            Peer ID type: E-mail
Peer ID content: 1.1.1.2                    Peer ID content: [email protected]
The two ZyXEL Devices in this example cannot complete their negotiation because ZyXEL Device B’s Local ID type is IP, but ZyXEL Device A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
Table 86 Mismatching ID Type and Content Configuration Example
ZYXEL DEVICE A                              ZYXEL DEVICE B
Local ID type: IP                           Local ID type: IP
Local ID content: 1.1.1.10                  Local ID content: 1.1.1.10
Peer ID type: E-mail                        Peer ID type: IP
Peer ID content: [email protected]          Peer ID content: N/A
17.10 Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section 17.12 on page 234 for more on IKE phases). It is called “pre-shared” because you have to share it with another party before you can communicate with them over a secure connection.
17.11 Editing VPN Policies
Click an Edit icon in the VPN Setup Screen to edit VPN policies.
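The matching rule of Section 17.9.1, written out as an added example that is not part of the guide: each side's Peer ID must equal the other side's Local ID in both type and content, with a blank IP content falling back to the device's own address (Table 83) or the Secure Gateway field (Table 84). The e-mail address and the WAN/Secure Gateway addresses are constructed placeholders; the VpnRule class and negotiate() are illustrative, not the device's own code.

```python
from dataclasses import dataclass

@dataclass
class VpnRule:
    """One VPN rule on a ZyXEL Device, reduced to the ID-related fields (illustrative)."""
    wan_ip: str          # the device's own address, used when Local ID IP content is blank
    secure_gateway: str  # the Secure Gateway field, used when Peer ID IP content is blank
    local_type: str      # "IP", "DNS" or "E-mail"
    local_content: str
    peer_type: str
    peer_content: str

    def local_id(self) -> tuple:
        content = self.local_content
        if self.local_type == "IP" and not content:
            content = self.wan_ip          # Table 83: blank IP content = own address
        return (self.local_type, content)

    def peer_id(self) -> tuple:
        content = self.peer_content
        if self.peer_type == "IP" and not content:
            content = self.secure_gateway  # Table 84: blank IP content = Secure Gateway
        return (self.peer_type, content)

def negotiate(a: VpnRule, b: VpnRule) -> str:
    """Each side's Peer ID must equal the other side's Local ID (type and content)."""
    if a.peer_id() == b.local_id() and b.peer_id() == a.local_id():
        return "OK"
    return "ID mismatched"   # the message the IPSEC LOG shows

# Table 85: a constructed e-mail stands in for the guide's obscured address.
MATCH_A = VpnRule("1.1.1.1", "1.1.1.2", "E-mail", "admin@a.example", "IP", "1.1.1.2")
MATCH_B = VpnRule("1.1.1.2", "1.1.1.1", "IP", "1.1.1.2", "E-mail", "admin@a.example")

# Table 86: B's Peer ID type is IP with no content (N/A), so it falls back to the
# Secure Gateway, but A expects an E-mail ID from B while B sends an IP ID.
MISMATCH_A = VpnRule("1.1.1.10", "1.1.1.10", "IP", "1.1.1.10", "E-mail", "admin@a.example")
MISMATCH_B = VpnRule("1.1.1.10", "1.1.1.10", "IP", "1.1.1.10", "IP", "")

if __name__ == "__main__":
    print(negotiate(MATCH_A, MATCH_B))        # OK
    print(negotiate(MISMATCH_A, MISMATCH_B))  # ID mismatched
```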
Figure 124 Edit VPN Policies
The following table describes the fields in this screen.
Table 87 Edit VPN Policies
LABEL         DESCRIPTION
IPSec Setup
Active        Select this check box to activate this VPN policy. This option determines whether a VPN rule is applied before a packet leaves the firewall.
Keep Alive    Select either Yes or No from the drop-down list box. Select Yes to have the ZyXEL Device automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.