ZyXEL Communications Wireless N Gigabit Router User Manual
Chapter 15 IPSec VPN
NBG-460N User’s Guide
In the example in Table 73, the ID type and content do not match, so authentication fails and the NBG-460N and the remote IPSec router cannot establish an IKE SA.
15.6.5 Negotiation Mode
There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
Main mode takes six steps to establish an IKE SA.
Steps 1-2: The NBG-460N sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the NBG-460N.
Steps 3-4: The NBG-460N and the remote IPSec router participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret.
Steps 5-6: Finally, the NBG-460N and the remote IPSec router generate an encryption key from the shared secret, encrypt their identities, and exchange their encrypted identity information for authentication.
In contrast, aggressive mode only takes three steps to establish an IKE SA.
Step 1: The NBG-460N sends its proposals to the remote IPSec router. It also starts the Diffie-Hellman key exchange and sends its (unencrypted) identity to the remote IPSec router for authentication.
Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the NBG-460N. It also finishes the Diffie-Hellman key exchange, authenticates the NBG-460N, and sends its (unencrypted) identity to the NBG-460N for authentication.
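As an added illustration (not from the NBG-460N guide) of why the guide calls main mode the more secure of the two, the following Python script models the two exchanges just described with deliberately simplified stand-ins: a toy Diffie-Hellman modulus (2^127 - 1, not an IKE DH group), SHA-256 key derivation and an XOR keystream in place of the real IKE cipher. It records every message that crosses the wire and checks whether someone capturing the transcript could read either peer's identity. Router, main_mode, aggressive_mode, identity_visible and run_both are names chosen for this example, and the third aggressive-mode message is a stand-in for the authentication payload, which the guide does not describe.

```python
"""Added example, not from the ZyXEL guide: a toy model of IKE main mode
versus aggressive mode. DH group, key derivation and cipher are simplified
stand-ins chosen for this illustration; the real protocol is not reproduced."""
import hashlib
import secrets

P = 2**127 - 1   # constructed toy DH modulus (a Mersenne prime), not an IKE DH group
G = 3            # toy generator


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR data with a SHA-256-derived keystream (the same call decrypts)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))


class Router:
    """One IPSec peer holding an identity and an ephemeral DH key pair."""

    def __init__(self, identity: bytes):
        self.identity = identity
        self.priv = secrets.randbelow(P - 2) + 1   # private exponent in [1, P-2]
        self.pub = pow(G, self.priv, P)            # DH public value sent to the peer
        self.key = None                            # set once the exchange completes

    def derive(self, peer_pub: int) -> None:
        """Compute the shared secret and turn it into an encryption key."""
        shared = pow(peer_pub, self.priv, P)
        self.key = hashlib.sha256(shared.to_bytes(16, "big")).digest()


def main_mode(nbg: Router, remote: Router) -> list[bytes]:
    """Six messages; identities are sent only after the DH key exists, encrypted."""
    wire = []
    wire.append(b"PROPOSALS")                                # step 1: NBG-460N proposals
    wire.append(b"ACCEPTED PROPOSAL")                        # step 2: remote router's choice
    wire.append(nbg.pub.to_bytes(16, "big"))                 # step 3: NBG-460N DH value
    wire.append(remote.pub.to_bytes(16, "big"))              # step 4: remote DH value
    nbg.derive(remote.pub)
    remote.derive(nbg.pub)
    wire.append(keystream_xor(nbg.key, nbg.identity))        # step 5: encrypted identity
    wire.append(keystream_xor(remote.key, remote.identity))  # step 6: encrypted identity
    return wire


def aggressive_mode(nbg: Router, remote: Router) -> list[bytes]:
    """Three messages; identities ride along with the first two, unencrypted."""
    wire = []
    wire.append(b"PROPOSALS" + nbg.pub.to_bytes(16, "big") + nbg.identity)  # step 1
    remote.derive(nbg.pub)
    wire.append(b"ACCEPTED PROPOSAL" + remote.pub.to_bytes(16, "big") + remote.identity)  # step 2
    nbg.derive(remote.pub)
    wire.append(b"AUTH")   # step 3: NBG-460N's authentication payload (stand-in)
    return wire


def identity_visible(wire: list[bytes], identity: bytes) -> bool:
    """Would someone capturing the transcript see this identity in the clear?"""
    return any(identity in msg for msg in wire)


def run_both() -> dict[str, bool]:
    """Run each mode with fresh keys and report whether the e-mail identity is exposed."""
    ident = b"tom@yourcompany.com"   # constructed identity, as in the guide's tables
    results = {}
    for name, exchange in (("main", main_mode), ("aggressive", aggressive_mode)):
        nbg, remote = Router(ident), Router(b"1.1.1.2")
        wire = exchange(nbg, remote)
        assert nbg.key == remote.key   # both sides agree on the key
        results[name] = identity_visible(wire, ident)
    return results


if __name__ == "__main__":
    for mode, exposed in run_both().items():
        print(f"{mode} mode: identity visible on the wire = {exposed}")
```

Running the script shows `main` as False and `aggressive` as True: in main mode the identities appear on the wire only as ciphertext under the key derived in steps 3-4, whereas in aggressive mode they are readable in the first two messages, which is the trade-off the guide summarises as "better security" versus "faster".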
Table 72 VPN Example: Matching ID Type and Content
NBG-460N                               REMOTE IPSEC ROUTER
Local ID type: E-mail                  Local ID type: IP
Local ID content: tom@yourcompany.com  Local ID content: 1.1.1.2
Peer ID type: IP                       Peer ID type: E-mail
Peer ID content: 1.1.1.2               Peer ID content: tom@yourcompany.com

Table 73 VPN Example: Mismatching ID Type and Content
NBG-460N                               REMOTE IPSEC ROUTER
Local ID type: E-mail                  Local ID type: IP
Local ID content: tom@yourcompany.com  Local ID content: 1.1.1.2
Peer ID type: IP                       Peer ID type: E-mail
Peer ID content: 1.1.1.15              Peer ID content: tom@yourcompany.com
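The rule behind Tables 72 and 73 is that each router's Peer ID (type and content) must equal the other router's Local ID, in both directions, or IKE authentication fails. The following Python script, an added example that is not part of the guide or of ZyXEL's firmware, encodes that rule as a pre-deployment consistency check and runs it on the values from both tables. PeerConfig, id_mismatches and check are names chosen for this example; it assumes ID type names are compared case-insensitively and ID content must match exactly as entered.

```python
"""Added example, not from the ZyXEL guide: a consistency check for the ID
type/content settings of two IPSec peers, run on the values in Tables 72 and 73."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerConfig:
    """The four ID fields one router is configured with (names chosen for this example)."""
    name: str
    local_id_type: str
    local_id_content: str
    peer_id_type: str
    peer_id_content: str


def _normalize(id_type: str, content: str) -> tuple[str, str]:
    # Assumption for this example: the case of the type name and surrounding
    # whitespace are not significant; the content must match exactly as entered.
    return id_type.strip().lower(), content.strip()


def id_mismatches(a: PeerConfig, b: PeerConfig) -> list[str]:
    """Return one description per mismatch; an empty list means the settings agree.

    Each router's Peer ID (type and content) is compared with the other
    router's Local ID, in both directions, as Table 72 shows."""
    problems = []
    for me, other in ((a, b), (b, a)):
        want_type, want_content = _normalize(other.local_id_type, other.local_id_content)
        have_type, have_content = _normalize(me.peer_id_type, me.peer_id_content)
        if have_type != want_type:
            problems.append(
                f"{me.name} Peer ID type {me.peer_id_type!r} does not match "
                f"{other.name} Local ID type {other.local_id_type!r}")
        if have_content != want_content:
            problems.append(
                f"{me.name} Peer ID content {me.peer_id_content!r} does not match "
                f"{other.name} Local ID content {other.local_id_content!r}")
    return problems


# Values taken from Table 72 (matching) and Table 73 (mismatching) in the guide.
REMOTE = PeerConfig("Remote IPSec router", "IP", "1.1.1.2", "E-mail", "tom@yourcompany.com")
NBG_TABLE_72 = PeerConfig("NBG-460N", "E-mail", "tom@yourcompany.com", "IP", "1.1.1.2")
NBG_TABLE_73 = PeerConfig("NBG-460N", "E-mail", "tom@yourcompany.com", "IP", "1.1.1.15")


def check(label: str, nbg: PeerConfig, remote: PeerConfig = REMOTE) -> list[str]:
    """Print a verdict for one pairing and return the mismatch list."""
    problems = id_mismatches(nbg, remote)
    if problems:
        print(f"{label}: authentication would fail, no IKE SA")
        for p in problems:
            print("  -", p)
    else:
        print(f"{label}: IDs match, IKE SA can be established")
    return problems


if __name__ == "__main__":
    check("Table 72", NBG_TABLE_72)
    check("Table 73", NBG_TABLE_73)
```

For Table 72 the check returns no problems; for Table 73 it reports exactly one, the NBG-460N's Peer ID content 1.1.1.15 against the remote router's Local ID content 1.1.1.2, which is the single field that differs between the two tables. Because the comparison runs in both directions, the same function also flags a type mismatch (for example Peer ID type E-mail configured against a Local ID of type IP), so it catches both failure cases the guide's heading refers to.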