13.1.3 IPSec SA (IKE Phase 2) Overview, 13.1.3.1 Local Network and Remote Network, 13.1.3.2 IPSec Protocol – ZyXEL Communications P-334U User Manual

Page 144


P-334U/P-335U User’s Guide


Chapter 13 IPSec VPN

Most routers like router A now have an IPSec pass-through feature. This feature helps router A
recognize VPN packets and route them appropriately. If router A has this feature, router X and
router Y can establish a VPN tunnel as long as the IPSec protocol is ESP. (See IPSec Protocol on page 144 for more information about active protocols.)

If router A does not have an IPSec pass-through or if the IPSec protocol is AH, you can solve
this problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra
header to the IKE SA and IPSec SA packets. If you configure router A to forward these
packets unchanged, router X and router Y can establish a VPN tunnel.
You have to do the following things to set up NAT traversal.

• Enable NAT traversal on the ZyXEL Device and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged.

The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the
ZyXEL Device and remote IPSec router support.

13.1.3 IPSec SA (IKE Phase 2) Overview

Once the ZyXEL Device and remote IPSec router have established the IKE SA, they can
securely negotiate an IPSec SA through which to send data between computers on the
networks.

Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore.

This section introduces the key components of an IPSec SA.

13.1.3.1 Local Network and Remote Network

In an IPSec SA, the local network consists of devices connected to the ZyXEL Device and
may be called the local policy. Similarly, the remote network consists of the devices connected
to the remote IPSec router and may be called the remote policy.

Note: It is not recommended to set a VPN rule’s local and remote network settings both to 0.0.0.0 (any). This causes the ZyXEL Device to try to forward all access attempts (to the local network, the Internet or even the ZyXEL Device) to the remote IPSec router. In this case, you can no longer manage the ZyXEL Device.

13.1.3.2 IPSec Protocol

The IPSec protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
IPSec protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).

Note: The ZyXEL Device and remote IPSec router must use the same IPSec protocol.
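The following Python example is added here to illustrate both the NAT traversal discussion above (the "extra header" is UDP port 500 or 4500) and the AH/ESP distinction in this section; it is not code from ZyXEL or from this guide. It builds a few constructed packets, classifies each as IKE, NAT-T IKE, UDP-encapsulated ESP, raw ESP or AH, and reports whether a NAT router can forward it as ordinary UDP without any IPSec pass-through feature. The non-ESP marker rule for UDP port 4500 is taken from RFC 3948; the `nat_safe` flag and the helper names are this example's own assumptions.

```python
import struct

# Assumed IANA protocol numbers for the outer IP header.
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51

def ipv4(proto: int, payload: bytes, src="10.0.0.2", dst="203.0.113.9") -> bytes:
    """Build a minimal 20-byte IPv4 header (no options, checksum left 0) plus payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    """Build a UDP header (checksum left 0) in front of data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt: bytes) -> dict:
    """Name the IPSec-related packet type and say whether a NAT router with no
    IPSec pass-through can forward it unchanged like any other UDP traffic."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IPPROTO_AH:
        # AH authenticates the outer IP addresses, so a NAT rewrite breaks its ICV.
        return {"kind": "AH", "nat_safe": False}
    if proto == IPPROTO_ESP:
        # Raw ESP has no UDP ports for NAT to track; the router needs pass-through.
        return {"kind": "ESP", "nat_safe": False}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if 500 in (sport, dport):
            return {"kind": "IKE", "nat_safe": True}
        if 4500 in (sport, dport):
            # RFC 3948: four zero bytes (non-ESP marker) mean IKE; otherwise the UDP
            # payload starts directly with the ESP header (an SPI is never 0).
            if data[:4] == b"\x00\x00\x00\x00":
                return {"kind": "NAT-T IKE", "nat_safe": True}
            return {"kind": "UDP-encapsulated ESP", "nat_safe": True}
    return {"kind": "other", "nat_safe": None}

# Constructed sample packets (not captured traffic); payload bytes are dummies.
ESP_HDR = struct.pack("!II", 0x1234ABCD, 1)  # SPI, sequence number
SAMPLES = {
    "ike": ipv4(IPPROTO_UDP, udp(500, 500, b"\x11" * 28)),
    "natt_ike": ipv4(IPPROTO_UDP, udp(4500, 4500, b"\x00\x00\x00\x00" + b"\x11" * 28)),
    "natt_esp": ipv4(IPPROTO_UDP, udp(4500, 4500, ESP_HDR + b"\xaa" * 16)),
    "esp": ipv4(IPPROTO_ESP, ESP_HDR + b"\xaa" * 16),
    # AH: next header, payload length (in 32-bit words minus 2), reserved, SPI, seq, ICV.
    "ah": ipv4(IPPROTO_AH, bytes([IPPROTO_UDP, 4, 0, 0]) + struct.pack("!II", 0x5678, 1) + b"\xbb" * 12),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```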
