ZyXEL Communications Wireless N Gigabit Router (NBG-460N) User Manual

Chapter 15 IPSec VPN
NBG-460N User’s Guide
In the example in Table 73, the ID type and content do not match: the NBG-460N 
expects the remote IPSec router to identify itself with the IP address 1.1.1.15, but 
the remote IPSec router's local ID is the IP address 1.1.1.2. Authentication therefore 
fails and the NBG-460N and the remote IPSec router cannot establish an IKE SA.
15.6.5  Negotiation Mode
There are two negotiation modes: main mode and aggressive mode. Main mode 
provides better security, because the peers exchange their identities only after 
they can encrypt them. Aggressive mode is faster, but it sends the identities in 
the clear, and with pre-shared key authentication the hash derived from the key 
also travels unencrypted, so a weak pre-shared key can be guessed offline by 
anyone who captures the exchange.
Main mode takes six steps to establish an IKE SA.
Steps 1-2: The NBG-460N sends its proposals to the remote IPSec router. The 
remote IPSec router selects an acceptable proposal and sends it back to the 
NBG-460N.
Steps 3-4: The NBG-460N and the remote IPSec router participate in a 
Diffie-Hellman key exchange, based on the accepted DH key group, to establish a 
shared secret.
Steps 5-6: Finally, the NBG-460N and the remote IPSec router generate an 
encryption key from the shared secret, encrypt their identities, and exchange their 
encrypted identity information for authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA.
Step 1: The NBG-460N sends its proposals to the remote IPSec router. It also 
starts the Diffie-Hellman key exchange and sends its (unencrypted) identity to the 
remote IPSec router for authentication.
Step 2: The remote IPSec router selects an acceptable proposal and sends it back 
to the NBG-460N. It also finishes the Diffie-Hellman key exchange, authenticates 
the NBG-460N, and sends its (unencrypted) identity to the NBG-460N for 
authentication.
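The two exchanges above, together with the ID check from Tables 72 and 73, as an added example that is not part of the ZyXEL guide or of the NBG-460N firmware. It models IKEv1 phase 1 with pre-shared key authentication in Python: the toy Diffie-Hellman group, the hash-based cipher stand-in, the pre-shared key and the wordlist are assumptions made for illustration, while the SKEYID, HASH_I/HASH_R and SKEYID_e constructions follow RFC 2409 in simplified form. It shows why main mode is the safer choice: an observer of an aggressive-mode exchange reads both identities and HASH_R in the clear and can test pre-shared key candidates offline, whereas the same observer of a main-mode exchange sees only encrypted identity payloads. The ID check reproduces Table 72 (IKE SA established) and Table 73 (the NBG-460N expects peer IP 1.1.1.15, receives 1.1.1.2, and authentication fails).

```python
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy DH prime (assumption); real IKE uses the negotiated MODP group
G = 5


def prf(key, data):
    """RFC 2409 prf: HMAC with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def encode_id(id_):
    """ID payload body for an (ID type, ID content) pair, e.g. ("IP", "1.1.1.2")."""
    return f"{id_[0]}:{id_[1]}".encode()


def peer_id_matches(expected, received):
    """Tables 72/73: both the ID type and the ID content must be equal."""
    return expected == received


def hash_payload(skeyid, gx_own, gx_peer, cky_i, cky_r, sa_b, id_b):
    """HASH_I / HASH_R = prf(SKEYID, g^x_own | g^x_peer | CKY-I | CKY-R | SAi_b | ID_b)."""
    return prf(skeyid, gx_own + gx_peer + cky_i + cky_r + sa_b + id_b)


def skeyid_e(skeyid, gxy, cky_i, cky_r):
    """Key chain from RFC 2409 section 5: SKEYID_d -> SKEYID_a -> SKEYID_e."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    return prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")


def toy_encrypt(key, data):
    """Stand-in for the IKE cipher (assumption): hash-based keystream XOR."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def run_phase1(mode, psk_i, psk_r, init_cfg, resp_cfg):
    """Simulate one phase 1 exchange in 'main' or 'aggressive' mode.
    Returns (ike_sa_established, observed); observed holds every field an
    on-path observer can read in the clear."""
    sa_b = b"SA:AES-128/SHA1/DH-toy/PSK"            # proposal accepted in messages 1-2
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, xr = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    gxi, gxr = pow(G, xi, P), pow(G, xr, P)
    gxy = pow(gxr, xi, P).to_bytes(16, "big")       # shared secret, same as pow(gxi, xr, P)
    gxi, gxr = gxi.to_bytes(16, "big"), gxr.to_bytes(16, "big")
    idi_b, idr_b = encode_id(init_cfg["local"]), encode_id(resp_cfg["local"])
    # Each side derives SKEYID from its own configured PSK: prf(psk, Ni | Nr).
    sk_i, sk_r = prf(psk_i, ni + nr), prf(psk_r, ni + nr)
    hash_i = hash_payload(sk_i, gxi, gxr, cky_i, cky_r, sa_b, idi_b)
    hash_r = hash_payload(sk_r, gxr, gxi, cky_i, cky_r, sa_b, idr_b)
    observed = dict(sa=sa_b, cky_i=cky_i, cky_r=cky_r, gxi=gxi, gxr=gxr, ni=ni, nr=nr)
    if mode == "aggressive":
        # Three messages: identities go in the clear and HASH_R is sent unencrypted.
        observed.update(idi=idi_b, idr=idr_b, hash_r=hash_r)
    else:
        # Main mode messages 5 and 6: identities and hashes are encrypted under
        # SKEYID_e, which needs g^xy and so is unavailable to the observer.
        key = skeyid_e(sk_i, gxy, cky_i, cky_r)
        observed["msg5"] = toy_encrypt(key, idi_b + hash_i)
        observed["msg6"] = toy_encrypt(key, idr_b + hash_r)
    # Authentication on each side: the peer's ID must match the configured peer ID
    # (type and content) and the peer's HASH must verify under this side's own PSK.
    resp_ok = (peer_id_matches(resp_cfg["peer"], init_cfg["local"]) and
               hmac.compare_digest(hash_i, hash_payload(sk_r, gxi, gxr, cky_i, cky_r, sa_b, idi_b)))
    init_ok = (peer_id_matches(init_cfg["peer"], resp_cfg["local"]) and
               hmac.compare_digest(hash_r, hash_payload(sk_i, gxr, gxi, cky_i, cky_r, sa_b, idr_b)))
    return resp_ok and init_ok, observed


def offline_psk_guess(observed, wordlist):
    """Aggressive-mode observer: recompute HASH_R for each candidate PSK from the
    cleartext fields. Returns the recovered PSK, or None (always None for main mode)."""
    if "hash_r" not in observed:
        return None
    for cand in wordlist:
        sk = prf(cand, observed["ni"] + observed["nr"])
        h = hash_payload(sk, observed["gxr"], observed["gxi"], observed["cky_i"],
                         observed["cky_r"], observed["sa"], observed["idr"])
        if hmac.compare_digest(h, observed["hash_r"]):
            return cand
    return None


# Configurations from Table 72 (matching) and Table 73 (NBG-460N expects the wrong peer IP).
NBG = {"local": ("E-mail", "tom@yourcompany.com"), "peer": ("IP", "1.1.1.2")}
REMOTE = {"local": ("IP", "1.1.1.2"), "peer": ("E-mail", "tom@yourcompany.com")}
NBG_MISMATCH = {"local": NBG["local"], "peer": ("IP", "1.1.1.15")}
WORDLIST = [b"password", b"zyxel1234", b"vpn-secret", b"letmein"]   # constructed toy list


def demo(psk=b"vpn-secret"):
    main_ok, main_obs = run_phase1("main", psk, psk, NBG, REMOTE)
    agg_ok, agg_obs = run_phase1("aggressive", psk, psk, NBG, REMOTE)
    bad_id_ok, _ = run_phase1("main", psk, psk, NBG_MISMATCH, REMOTE)
    bad_psk_ok, _ = run_phase1("main", psk, b"wrong", NBG, REMOTE)
    return {"main_established": main_ok, "aggressive_established": agg_ok,
            "table73_established": bad_id_ok, "psk_mismatch_established": bad_psk_ok,
            "psk_from_main": offline_psk_guess(main_obs, WORDLIST),
            "psk_from_aggressive": offline_psk_guess(agg_obs, WORDLIST)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Running the script shows both modes establishing the IKE SA with matching IDs, the Table 73 configuration and a mismatched pre-shared key both failing, and the wordlist recovering the pre-shared key only from the aggressive-mode capture. The practical rule for the NBG-460N follows directly: use main mode unless the peer requires aggressive mode, and if aggressive mode is unavoidable, choose a long random pre-shared key, since the ID exchange gives an eavesdropper everything needed to test guesses.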
Table 72   VPN Example: Matching ID Type and Content
NBG-460N                                   REMOTE IPSEC ROUTER
Local ID type: E-mail                      Local ID type: IP
Local ID content: tom@yourcompany.com      Local ID content: 1.1.1.2
Peer ID type: IP                           Peer ID type: E-mail
Peer ID content: 1.1.1.2                   Peer ID content: tom@yourcompany.com

Table 73   VPN Example: Mismatching ID Type and Content
NBG-460N                                   REMOTE IPSEC ROUTER
Local ID type: E-mail                      Local ID type: IP
Local ID content: tom@yourcompany.com      Local ID content: 1.1.1.2
Peer ID type: IP                           Peer ID type: E-mail
Peer ID content: 1.1.1.15                  Peer ID content: tom@yourcompany.com