ZyXEL Communications P-2608HWL-Dx Series User Manual

P-2608HWL-Dx Series User’s Guide

226

Chapter 18 IPSec VPN

This section provides more information about IKE SA.

There are two negotiation modes: main mode and aggressive mode. Main mode provides 
better security, while aggressive mode is faster.

Main mode takes six steps to establish an IKE SA.

Steps 1-2: The ZyXEL Device sends its proposals to the remote IPSec router. The remote 
IPSec router selects an acceptable proposal and sends it back to the ZyXEL Device.

Steps 3-4: The ZyXEL Device and the remote IPSec router participate in a Diffie-Hellman key 
exchange, based on the accepted DH key group, to establish a shared secret.

Steps 5-6: Finally, the ZyXEL Device and the remote IPSec router generate an encryption key 
from the shared secret, encrypt their identities, and exchange their encrypted identity 
information for authentication.

In contrast, aggressive mode only takes three steps to establish an IKE SA.

Step 1: The ZyXEL Device sends its proposals to the remote IPSec router. It also starts the 
Diffie-Hellman key exchange and sends its (unencrypted) identity to the remote IPSec router 
for authentication.

Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyXEL 
Device. It also finishes the Diffie-Hellman key exchange, authenticates the ZyXEL Device, 
and sends its (unencrypted) identity to the ZyXEL Device for authentication.

Step 3: The ZyXEL Device authenticates the remote IPSec router and confirms that the IKE 
SA is established.

Aggressive mode does not provide as much security as main mode because the identity of the 
ZyXEL Device and the identity of the remote IPSec router are not encrypted. It is usually used 
when the address of the initiator is not known by the responder and both parties want to use 
pre-shared keys for authentication (for example, telecommuters).

In the following example, there is another router (A) between router X and router Y.