Chapter 16 VPN
P-661HNU-Fx User's Guide
16.6.3 VPN, NAT, and NAT Traversal
NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol computes a keyed hash (the integrity check value) over the outbound packet, both the data payload and the immutable fields of the IP header, including the source and destination addresses, and appends it to the packet. A NAT device between the IPSec endpoints rewrites the source or destination address. As a result, the VPN device at the receiving end finds a mismatch between the hash value and the data and assumes that the data has been maliciously altered.

NAT is not normally compatible with ESP in transport mode either, but the ZyXEL Device's NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers.
Figure 102   NAT Router Between IPSec Routers
Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged: it may rewrite the outer IP address and the UDP source port, but it does not touch the encapsulated ESP packet, whose integrity check does not cover the outer header. In Figure 102 on page 231, when IPSec router A tries to establish an IKE SA, IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA.

For NAT traversal to work, you must:
• Use the ESP security protocol (in either transport or tunnel mode).
• Use IKE keying mode.
• Enable NAT traversal on both IPSec endpoints.
• Set the NAT router to forward UDP port 500 to IPSec router A.

Note: the standardized NAT traversal of RFC 3947 and RFC 3948 moves both IKE and UDP-encapsulated ESP to UDP port 4500 once a NAT is detected. If the remote peer implements the RFC rather than the port 500 encapsulation described here, forward UDP port 4500 to the IPSec router as well.
Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the combination of the "original header plus original payload,"
which is unchanged by a NAT device. The compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in Table 62.

Y* - This is supported in the ZyXEL Device if you enable NAT traversal.
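As an added example, not taken from the ZyXEL guide, the following Python model pushes each Table 62 variant through a source NAT and checks what the receiver accepts. Everything in it is constructed: dict "packets" instead of wire formats, RFC 5737 documentation addresses, a made-up integrity key, and a simplified transport checksum standing in for the TCP/UDP checksum. It goes one step beyond the text by showing why ESP transport mode fails without NAT traversal even though the ESP integrity check itself survives the address rewrite: the TCP/UDP checksum inside the protected payload covers the original source address, and only a NAT-traversal-aware peer, which learned that address during IKE, can check it correctly. The UDP port follows this guide (500); RFC 3948 implementations use 4500.

```python
"""Constructed model of how NAT interacts with AH and ESP (Table 62).
Added example, not ZyXEL code. Packets are dicts, addresses come from the
RFC 5737 documentation ranges, the integrity key is made up. The ICV is
HMAC-SHA1-96 as real AH/ESP use; the transport checksum is a stand-in."""
import hashlib
import hmac
import json
from copy import deepcopy

INTEGRITY_KEY = b"constructed-demo-key"  # hypothetical SA integrity key
NAT_T_PORT = 500  # port this guide's NAT traversal uses (RFC 3948 uses 4500)

def canon(obj) -> bytes:
    """Deterministic serialization standing in for on-the-wire bytes."""
    return json.dumps(obj, sort_keys=True).encode()

def icv(data: bytes) -> bytes:
    """HMAC-SHA1-96 integrity check value."""
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha1).digest()[:12]

def transport_checksum(src: str, dst: str, data: str) -> int:
    """TCP/UDP-style checksum; the pseudo-header binds it to the addresses."""
    return sum(canon([src, dst, data])) & 0xFFFF

def segment(src: str, dst: str, data: str) -> dict:
    """Transport-layer segment as built by the sender, before any NAT."""
    return {"data": data, "csum": transport_checksum(src, dst, data)}

# AH: the ICV covers the IP header (addresses included, TTL and header
# checksum zeroed) plus everything after it, in transport and tunnel mode.
def ah_covered(src, dst, payload) -> bytes:
    return canon({"src": src, "dst": dst, "ttl": 0, "payload": payload})

def make_ah(src, dst, payload) -> dict:
    return {"src": src, "dst": dst, "payload": payload,
            "icv": icv(ah_covered(src, dst, payload))}

def verify_ah(pkt) -> bool:
    return hmac.compare_digest(
        pkt["icv"], icv(ah_covered(pkt["src"], pkt["dst"], pkt["payload"])))

# ESP: the ICV covers SPI, sequence number and the encapsulated payload,
# never the outer IP header. With NAT traversal a UDP header sits in front.
def esp_covered(esp) -> bytes:
    return canon({k: esp[k] for k in ("spi", "seq", "payload")})

def make_esp(src, dst, payload, nat_t=False) -> dict:
    esp = {"spi": 0x1001, "seq": 1, "payload": payload}
    esp["icv"] = icv(esp_covered(esp))
    pkt = {"src": src, "dst": dst, "esp": esp}
    if nat_t:
        pkt["udp"] = {"sport": NAT_T_PORT, "dport": NAT_T_PORT}
    return pkt

def verify_esp(pkt) -> bool:
    return hmac.compare_digest(pkt["esp"]["icv"], icv(esp_covered(pkt["esp"])))

def nat(pkt, public_src: str, public_port: int = 61000) -> dict:
    """Source NAT: rewrite the outer source address and any UDP source port."""
    out = deepcopy(pkt)
    out["src"] = public_src
    if "udp" in out:
        out["udp"]["sport"] = public_port
    return out

def deliver_esp_transport(pkt, original_src=None) -> bool:
    """Receiver side, ESP transport mode: the ICV must verify and the segment
    checksum must match the addresses the receiver believes the sender used.
    Without NAT-T that is the rewritten outer address and the check fails;
    with NAT-T the peer learned the original address during IKE and uses it."""
    seg = pkt["esp"]["payload"]
    src = original_src or pkt["src"]
    return verify_esp(pkt) and \
        seg["csum"] == transport_checksum(src, pkt["dst"], seg["data"])

def nat_table() -> dict:
    """Reproduce the rows of Table 62 by pushing each variant through a NAT."""
    private, public = "192.168.1.1", "203.0.113.5"   # host and its NAT address
    peer, server = "198.51.100.9", "10.1.1.10"       # remote gateway, inner host
    seg = segment(private, peer, "GET / HTTP/1.0")   # transport-mode payload
    inner = {"src": private, "dst": server,          # tunnel-mode payload is
             "segment": segment(private, server, "GET / HTTP/1.0")}  # a whole packet
    return {
        "AH transport": verify_ah(nat(make_ah(private, peer, seg), public)),
        "AH tunnel": verify_ah(nat(make_ah(private, peer, inner), public)),
        "ESP transport": deliver_esp_transport(
            nat(make_esp(private, peer, seg), public)),
        "ESP transport + NAT-T": deliver_esp_transport(
            nat(make_esp(private, peer, seg, nat_t=True), public),
            original_src=private),
        "ESP tunnel": verify_esp(nat(make_esp(private, peer, inner), public)),
    }
```

Calling nat_table() yields N for both AH rows, N for plain ESP transport, Y for ESP transport with NAT traversal (the Y* row) and Y for ESP tunnel, matching Table 62.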
16.6.4 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
Figure 103   Transport and Tunnel Mode IPSec Encapsulation
Tunnel Mode

Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation. Tunnel mode is required for gateway to gateway and host to gateway communications. Tunnel mode communications have two sets of IP headers:

• Outside header: The outside IP header contains the destination IP address of the VPN gateway.
• Inside header: The inside IP header contains the destination IP address of the final system behind the VPN gateway. The security protocol header (AH or ESP) appears after the outer IP header and before the inside IP header.
Table 62   VPN and NAT

SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   Y*
ESP                 Tunnel      Y
16.6.5 IKE Phases
There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange authenticates the two peers and establishes an IKE SA; the second phase uses that SA to negotiate the SAs for IPSec.
Figure 104   Two Phases to Set Up the IPSec SA
In phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). DH1 is the 768-bit MODP group and DH2 the 1024-bit MODP group; both are considered weak by current standards, so of the two choose DH2.
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.
In phase 2 you must:
• Choose which security protocol to use (ESP or AH) for the IPSec SA. This choice governs how the VPN traffic itself is protected; the IKE key exchange is always protected by the phase 1 IKE SA.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography; see Appendix D on page 335. Select None (the default) to disable PFS. With PFS enabled, each IPSec SA's keys are derived from a fresh Diffie-Hellman exchange, so a later compromise of the IKE SA's keying material does not expose the traffic keys of IPSec SAs negotiated earlier.
• Choose Tunnel mode or Transport mode.
• Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The ZyXEL Device automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The ZyXEL Device also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic.
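The following Python sketch, added here and not part of the ZyXEL guide, shows what the PFS option in phase 2 buys you. It follows the KEYMAT derivation of RFC 2409 section 5.5, but the Diffie-Hellman group is a toy prime and SKEYID_d, the nonces and the SPI are random values constructed for the example. An attacker who recorded the phase 2 exchange and later obtains the phase 1 secret SKEYID_d can recompute the IPSec traffic key when PFS was off, and cannot when it was on.

```python
"""Constructed illustration of IKEv1 Quick Mode keying with and without
Perfect Forward Secrecy (RFC 2409 section 5.5). Added example, not ZyXEL
code. The Diffie-Hellman group is a toy prime chosen for readability, not
a real IKE group such as DH1 (768-bit MODP) or DH2 (1024-bit MODP)."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy modulus (a Mersenne prime); real groups are far larger
G = 3           # toy generator
ESP = 3         # protocol identifier for ESP in the KEYMAT derivation


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf: HMAC with the negotiated hash algorithm (SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, gxy=None) -> bytes:
    """RFC 2409 5.5:
    without PFS  KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    with PFS     KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    dh = gxy.to_bytes(16, "big") if gxy is not None else b""
    return prf(skeyid_d, dh + bytes([ESP]) + spi + ni + nr)


def quick_mode(skeyid_d: bytes, pfs: bool):
    """Run one phase 2 negotiation. Returns (KEYMAT both peers derive,
    what a passive eavesdropper records from the wire)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    wire = {"spi": spi, "ni": ni, "nr": nr}
    gxy = None
    if pfs:  # fresh ephemeral exchange; only g^x and g^y appear on the wire
        x, y = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
        wire["ke_i"], wire["ke_r"] = pow(G, x, P), pow(G, y, P)
        gxy = pow(wire["ke_r"], x, P)
        assert gxy == pow(wire["ke_i"], y, P)  # both peers get the same secret
    return keymat(skeyid_d, spi, ni, nr, gxy), wire


def attacker_keymat(leaked_skeyid_d: bytes, wire: dict):
    """Attacker who recorded the Quick Mode exchange and later obtained the
    phase 1 SKEYID_d. Without PFS every KEYMAT input is now known; with PFS
    g^xy is missing, and recovering it from g^x and g^y is the DH problem."""
    if "ke_i" in wire:
        return None
    return keymat(leaked_skeyid_d, wire["spi"], wire["ni"], wire["nr"])


def demo() -> dict:
    skeyid_d = secrets.token_bytes(20)  # phase 1 keying material, leaked later
    km_plain, wire_plain = quick_mode(skeyid_d, pfs=False)
    km_pfs, wire_pfs = quick_mode(skeyid_d, pfs=True)
    return {
        "no_pfs_traffic_key_recovered": attacker_keymat(skeyid_d, wire_plain) == km_plain,
        "pfs_traffic_key_recovered": attacker_keymat(skeyid_d, wire_pfs) == km_pfs,
    }
```

demo() returns True for the non-PFS case and False for the PFS case. The cost of PFS is one extra Diffie-Hellman exponentiation per peer on every IPSec SA rekey, which is why the option exists at all; on a gateway that rekeys a handful of tunnels it is negligible.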
16.6.6 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations.

Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation), because the identity payloads are carried in the last two messages, which are already encrypted with keys derived from the Diffie-Hellman exchange.
16.6.7 Remote DNS Server
In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP, since these DNS servers cannot resolve domain names to private IP addresses on the remote network.

The following figure depicts an example where three VPN tunnels are created from ZyXEL Device A: one to branch office 2, one to branch office 3 and another to headquarters. In order to access computers that use private domain names on the headquarters (HQ) network, the ZyXEL Device at branch office 1 uses the Intranet DNS server in headquarters. The DNS server feature for VPN does not work with Windows 2000 or Windows XP.
Figure 105   VPN Host using Intranet DNS Server Example
If you do not specify an Intranet DNS server on the remote network, then the VPN
host must use IP addresses to access the computers on the remote network.
16.6.8 ID Type and Content
With aggressive negotiation mode (see Section 16.6.6 on page 234), the ZyXEL Device identifies incoming SAs by ID type and content, since this identifying information is not encrypted. This enables the ZyXEL Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyXEL Device from IPSec routers with dynamic IP addresses (see Section 16.6.11 on page 237 for a telecommuter configuration example). Note that in aggressive mode the pre-shared-key-based authentication hash is also exchanged before encryption starts, so an eavesdropper who captures the exchange can run an offline dictionary attack against a weak pre-shared key; use long, random pre-shared keys for every aggressive-mode rule.

Regardless of the ID type and content configuration, the ZyXEL Device does not allow you to save multiple active rules with overlapping local and remote IP addresses.
With main mode (see Section 16.6.6 on page 234), the ID type and content are encrypted to provide identity protection. In this case the ZyXEL Device can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The ZyXEL Device can distinguish up to 12 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule
[Figure 105 labels: ZyXEL Device A at branch office 1 (LAN DNS: 212.54.64.170, 212.54.64.171; VPN DNS: 10.1.1.10); ISP DNS servers 212.54.64.170 and 212.54.54.171; remote IPSec router at HQ, network 10.1.1.1/200, Intranet DNS 10.1.1.10; branch office 2, 192.168.1.1/50; branch office 3, 172.16.1.1/50; connecting lines marked "= VPN Tunnel".]
