ZyXEL Communications ZyWALL 1000 User Manual
Chapter 20 IPSec VPN
ZyWALL USG 1000 User’s Guide
311
20.4.2.2 VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
Figure 204 VPN/NAT Example
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and
router Y try to establish a VPN tunnel, the authentication fails because it depends on this
information. The routers cannot establish a VPN tunnel.
Most routers like router A now have an IPSec pass-thru feature. This feature helps router A
recognize VPN packets and route them appropriately. If router A has this feature, router X and
router Y can establish a VPN tunnel as long as the active protocol is ESP. (See
router Y try to establish a VPN tunnel, the authentication fails because it depends on this
information. The routers cannot establish a VPN tunnel.
Most routers like router A now have an IPSec pass-thru feature. This feature helps router A
recognize VPN packets and route them appropriately. If router A has this feature, router X and
router Y can establish a VPN tunnel as long as the active protocol is ESP. (See
for more information about active protocols.)
If router A does not have an IPSec pass-thru or if the active protocol is AH, you can solve this
problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra
header to the IKE SA and IPSec SA packets. If you configure router A to forward these
packets unchanged, router X and router Y can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra
header to the IKE SA and IPSec SA packets. If you configure router A to forward these
packets unchanged, router X and router Y can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the ZyWALL and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged. (See the
• Configure the NAT router to forward packets with the extra header unchanged. (See the
field description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the
ZyWALL and remote IPSec router support.
ZyWALL and remote IPSec router support.
20.4.2.3 Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to
connect to a single IPSec router. For example, this might be used with telecommuters.
In extended authentication, one of the routers (the ZyWALL or the remote IPSec router)
provides a user name and password to the other router, which uses a local user database and/or
an external server to verify the user name and password. If the user name or password is
wrong, the routers do not establish an IKE SA.
You can set up the ZyWALL to provide a user name and password to the remote IPSec router,
or you can set up the ZyWALL to check a user name and password that is provided by the
remote IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE SA. These
steps occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7
in aggressive mode).
connect to a single IPSec router. For example, this might be used with telecommuters.
In extended authentication, one of the routers (the ZyWALL or the remote IPSec router)
provides a user name and password to the other router, which uses a local user database and/or
an external server to verify the user name and password. If the user name or password is
wrong, the routers do not establish an IKE SA.
You can set up the ZyWALL to provide a user name and password to the remote IPSec router,
or you can set up the ZyWALL to check a user name and password that is provided by the
remote IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE SA. These
steps occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7
in aggressive mode).
20.4.2.4 Certificates
It is possible for the ZyWALL and remote IPSec router to authenticate each other with
certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote
identity because the certificates provide this information instead.
certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote
identity because the certificates provide this information instead.