Руководство Пользователя для ZyXEL 793H
Chapter 11 IPSec VPN
P-793H User’s Guide
158
Aggressive mode does not provide as much security as main mode because the identity of the
ZyXEL Device and the identity of the remote IPSec router are not encrypted. It is usually used
when the address of the initiator is not known by the responder and both parties want to use
pre-shared keys for authentication (for example, telecommuters).
ZyXEL Device and the identity of the remote IPSec router are not encrypted. It is usually used
when the address of the initiator is not known by the responder and both parties want to use
pre-shared keys for authentication (for example, telecommuters).
11.1.2.2 VPN, NAT and NAT Traversal
In the following example, there is another router (A) between router X and router Y.
Figure 80 VPN/NAT Example
If router A does NAT, it might change IP addresses (source or destination), port numbers
(source or destination), or any combination of these. If router X and router Y try to establish a
VPN tunnel, the authentication fails because authentication depends on the original IP
addresses and port numbers.
Most routers that support NAT (like router A) have an IPSec pass-through feature. This
feature helps router A recognize VPN packets and route them appropriately. If router A has
this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is
ESP. (See
(source or destination), or any combination of these. If router X and router Y try to establish a
VPN tunnel, the authentication fails because authentication depends on the original IP
addresses and port numbers.
Most routers that support NAT (like router A) have an IPSec pass-through feature. This
feature helps router A recognize VPN packets and route them appropriately. If router A has
this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is
ESP. (See
Section 11.1.3.2 on page 159
for more information about active protocols.)
If router A does not have an IPSec pass-through or if the active protocol is AH, you can solve
this problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra
header to the IKE SA and IPSec SA packets. If you configure router A to forward these
packets unchanged, router X and router Y can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
this problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra
header to the IKE SA and IPSec SA packets. If you configure router A to forward these
packets unchanged, router X and router Y can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the ZyXEL Device and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged. The extra
• Configure the NAT router to forward packets with the extra header unchanged. The extra
header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ZyXEL
Device and remote IPSec router support.
Device and remote IPSec router support.
"
You must enable NAT traversal on the ZyXEL Device and the remote IPSec
router, and you must configure the NAT router to forward packets with the
extra header unchanged.
router, and you must configure the NAT router to forward packets with the
extra header unchanged.
11.1.3 IPSec SA Overview
Once the ZyXEL Device and remote IPSec router have established the IKE SA, they can use
the IKE SA to securely negotiate IPSec SAs through which to send data between computers on
the networks.
the IKE SA to securely negotiate IPSec SAs through which to send data between computers on
the networks.