ZyXEL Communications ZyWALL 1000 User Manual

 Chapter 20 IPSec VPN
ZyWALL USG 1000 User’s Guide
It takes several steps (message exchanges) to establish an IKE SA; the negotiation mode determines how many. 
There are two negotiation modes: main mode and aggressive mode. Main mode provides 
better security because the peers' identities are exchanged only after the channel is already encrypted, while 
aggressive mode is faster because it completes in fewer messages.
Both routers must use the same negotiation mode.
These modes are discussed in more detail in 
. Main mode is used 
in various examples in the rest of this section.
20.4.1.1  IP Addresses of the ZyWALL and Remote IPSec router
To set up an IKE SA, you have to specify the IP addresses of the ZyWALL and remote IPSec 
router. You can usually enter a static IP address or a domain name for either or both IP 
addresses. Sometimes, your ZyWALL might offer another alternative, such as using the IP 
address of a port or interface, as well.
You can also specify the IP address of the remote IPSec router as 0.0.0.0. This means that the 
remote IPSec router can have any IP address. In this case, only the remote IPSec router can 
initiate an IKE SA because the ZyWALL does not know the IP address of the remote IPSec 
router. This is often used for telecommuters.
20.4.1.2  IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, 
and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE 
SA. In main mode, this is done in steps 1 and 2, as illustrated next.
Figure 201   IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal  
The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you 
can only set up one proposal.) Each proposal consists of an encryption algorithm, 
authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. 
The remote IPSec router selects an acceptable proposal and sends the accepted proposal back 
to the ZyWALL. If the remote IPSec router rejects all of the proposals, the ZyWALL and 
remote IPSec router cannot establish an IKE SA.
One or more proposals, each one consisting of:
- encryption algorithm
- authentication algorithm
- Diffie-Hellman key group
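The following is an added example, not code from the ZyWALL or its User's Guide, that simulates the three preconditions this section describes for establishing an IKE SA: the initiator must know the remote router's address (a remote address of 0.0.0.0 means the ZyWALL can only respond, not initiate), both routers must use the same negotiation mode, and the responder must find one of the initiator's proposals (encryption algorithm, authentication algorithm, DH key group) acceptable. The `IkePeer` record, the peer names and the sample addresses and algorithm lists are constructed for illustration and are not a ZyWALL configuration format.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IKE SA proposal: the three attributes the User's Guide lists."""
    encryption: str      # e.g. "AES-256"
    authentication: str  # hash/integrity algorithm, e.g. "SHA-256"
    dh_group: int        # Diffie-Hellman group number, e.g. 14


@dataclass(frozen=True)
class IkePeer:
    """Constructed stand-in for one IPSec router's IKE settings (illustrative, not a ZyWALL format)."""
    name: str
    mode: str                         # "main" or "aggressive"
    remote_address: str               # configured peer address; "0.0.0.0" = any address
    proposals: Tuple[Proposal, ...]   # in the order the router prefers them


def select_proposal(offered: Sequence[Proposal],
                    acceptable: Sequence[Proposal]) -> Optional[Proposal]:
    """Responder side of main mode steps 1-2: return the first offered proposal
    (in the initiator's preference order) that exactly matches one of its own,
    or None when every proposal is rejected."""
    acceptable_set = set(acceptable)
    for proposal in offered:
        if proposal in acceptable_set:
            return proposal
    return None


def negotiate_ike_sa(initiator: IkePeer,
                     responder: IkePeer) -> Tuple[bool, str, Optional[Proposal]]:
    """Check the preconditions described in the text, in the order they fail in practice.
    Returns (success, reason, chosen proposal)."""
    # A router configured with remote address 0.0.0.0 does not know whom to contact,
    # so it can only wait for the remote side to initiate.
    if initiator.remote_address == "0.0.0.0":
        return (False,
                f"{initiator.name} cannot initiate: remote address is 0.0.0.0 (unknown)",
                None)
    # Both routers must use the same negotiation mode.
    if initiator.mode != responder.mode:
        return (False,
                f"negotiation mode mismatch: {initiator.mode} vs {responder.mode}",
                None)
    # Steps 1-2: initiator offers its proposals, responder picks one or rejects all.
    chosen = select_proposal(initiator.proposals, responder.proposals)
    if chosen is None:
        return False, "remote IPSec router rejected all proposals", None
    return True, "IKE SA proposal accepted", chosen


# Constructed sample peers (documentation addresses, not real hosts).
ZYWALL = IkePeer("ZyWALL", "main", "203.0.113.10",
                 (Proposal("AES-256", "SHA-256", 14), Proposal("3DES", "SHA1", 2)))
REMOTE = IkePeer("remote router", "main", "198.51.100.1",
                 (Proposal("AES-128", "SHA1", 2), Proposal("3DES", "SHA1", 2)))
# Telecommuter profile: the ZyWALL accepts the peer from any address.
ZYWALL_ANY_PEER = IkePeer("ZyWALL", "main", "0.0.0.0", ZYWALL.proposals)
REMOTE_AGGRESSIVE = IkePeer("remote router", "aggressive", "198.51.100.1", REMOTE.proposals)

if __name__ == "__main__":
    for init, resp in ((ZYWALL, REMOTE),
                       (ZYWALL_ANY_PEER, REMOTE),
                       (REMOTE, ZYWALL_ANY_PEER),
                       (ZYWALL, REMOTE_AGGRESSIVE)):
        ok, reason, chosen = negotiate_ike_sa(init, resp)
        print(f"{init.name} -> {resp.name}: {'OK' if ok else 'FAIL'} ({reason}) {chosen or ''}")
```

Note that the responder honours the initiator's preference order: the ZyWALL's first choice (AES-256/SHA-256/DH14) is not in the remote router's list, so the weaker 3DES/SHA1/DH2 proposal is the one accepted. When reviewing a VPN policy, check that every proposal you offer is one you are willing to run, because the remote side may pick any of them.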