ZyXEL ZyWALL 35 User Manual, page 246: NAT Traversal Configuration, X-Auth (Extended Authentication), Remote DNS Server

ZyWALL 35 User’s Guide
244
Chapter 14 VPN Screens
Figure 116 NAT Router Between IPSec Routers
Normally you cannot set up a VPN connection with a NAT router between the two IPSec
routers, because the NAT router rewrites the IP header of the IPSec packet. ESP and AH
carry no transport-layer ports, so a NAT router that shares one public address among
several hosts has nothing on which to build a translation entry, and the address it
substitutes no longer matches what the peer expects: AH includes the IP header in its
integrity check, and the peer's IKE and policy lookups are keyed on the address it was
configured with. In the previous figure, IPSec router A sends an IPSec packet in an attempt
to initiate a VPN. The NAT router changes the IPSec packet's header so that it does not
match the header IPSec router B is checking for. Therefore, IPSec router B does not respond
and the VPN connection cannot be built.
NAT traversal solves the problem by encapsulating the IPSec packet in a UDP header. The
NAT router now has a UDP port to translate: it rewrites only the outer IP and UDP header
and forwards the encapsulated IPSec packet unchanged. IPSec router B strips the UDP header,
checks the IPSec packet inside it and responds, and IPSec routers A and B build a VPN
connection. The ZyWALL documentation describes this encapsulation on UDP port 500; the
standardised form of NAT traversal (RFC 3947 and RFC 3948) moves IKE to UDP port 4500 once
a NAT is detected and carries the encapsulated ESP on that same port, so when the peer is a
standards-based implementation, expect UDP port 4500 traffic as well.
14.7.1 NAT Traversal Configuration
For NAT traversal to work you must:
• Use ESP security protocol (in either transport or tunnel mode). AH cannot traverse NAT,
because its integrity check covers the IP header that the NAT router rewrites.
• Use IKE keying mode. NAT traversal is negotiated in IKE, so manual keying cannot use it.
• Enable NAT traversal on both IPSec endpoints.
In order for IPSec router A (behind the NAT router in the figure) to receive an initiating
IPSec packet from IPSec router B, the NAT router needs a rule for traffic that no existing
mapping covers: set the NAT router to forward UDP port 500 to IPSec router A (and UDP port
4500 as well if the peer uses standards-based NAT traversal).
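The following is an added example, not code from the ZyXEL manual or the ZyWALL firmware. It models the mechanism described above in a few dozen lines of Python: a port-translating NAT that silently drops raw ESP (protocol 50) because the packet carries no port to build a mapping on, the UDP encapsulation of RFC 3948 that gives the NAT an outer header to rewrite while the ESP payload passes through untouched, the receiving gateway demultiplexing IKE, ESP and NAT keepalives that all arrive on one UDP port, and the static port forward that an initiation from the far side needs. Addresses, SPIs and payloads are constructed for the example; the port is the RFC 3948 value 4500, whereas the ZyWALL text describes UDP port 500.

```python
"""Added example, not ZyXEL code: a model of a port-translating NAT that cannot carry raw
ESP, RFC 3948 UDP encapsulation that gives it an outer header to rewrite, and the receiving
gateway demultiplexing IKE, ESP and keepalives on one UDP port. Addresses, SPIs and payloads
are constructed; RFC 3948 uses UDP 4500 where the ZyWALL text describes UDP 500."""
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_ESP, PROTO_UDP = 50, 17
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: IKE on 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: one 0xFF byte refreshes the NAT mapping

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int]  # None for protocols that carry no ports, such as ESP
    dport: Optional[int]
    payload: bytes

class PortNat:
    """NAT that keys its translation table on (inside address, inside port); drops return None."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}      # (inside ip, inside port) -> public port
        self.reverse = {}    # public port -> (inside ip, inside port)
        self.forwards = {}   # static port forwards: public port -> inside ip
        self.next_port = 40000

    def forward_port(self, public_port: int, inside_ip: str) -> None:
        self.forwards[public_port] = inside_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # raw ESP/AH: no port, so no translation entry can be built
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        # Only the outer IP/UDP header is rewritten; the payload passes through untouched.
        return Packet(self.public_ip, pkt.dst, pkt.proto, self.table[key], pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport in self.reverse:  # reply to a mapping created by outbound traffic
            inside_ip, inside_port = self.reverse[pkt.dport]
            return Packet(pkt.src, inside_ip, pkt.proto, pkt.sport, inside_port, pkt.payload)
        if pkt.dport in self.forwards:  # unsolicited initiation: needs the static port forward
            return Packet(pkt.src, self.forwards[pkt.dport], pkt.proto, pkt.sport, pkt.dport, pkt.payload)
        return None  # no mapping and no forward: dropped

def esp_packet(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header: SPI (4 bytes) and sequence number (4 bytes), then the encrypted body."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved, which is what keeps the non-ESP marker unambiguous")
    return struct.pack("!II", spi, seq) + body

def udp_encap_esp(esp: bytes) -> bytes:
    return esp  # RFC 3948 s2.1: the ESP packet is the UDP payload as-is

def udp_encap_ike(ike: bytes) -> bytes:
    return NON_ESP_MARKER + ike

def classify(udp_payload: bytes) -> str:
    """What the receiving gateway does with a datagram that arrives on the NAT-T port."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(udp_payload) < 8:
        raise ValueError("shorter than an ESP header")
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"  # first 4 bytes are a nonzero SPI

def demo() -> dict:
    """Router A (192.168.1.10) behind the NAT; router B at 198.51.100.2 on the Internet."""
    nat = PortNat("203.0.113.1")
    esp = esp_packet(spi=0x1234ABCD, seq=1, body=b"constructed ciphertext")
    raw = Packet("192.168.1.10", "198.51.100.2", PROTO_ESP, None, None, esp)
    wrapped = Packet("192.168.1.10", "198.51.100.2", PROTO_UDP, NATT_PORT, NATT_PORT, udp_encap_esp(esp))
    out = nat.outbound(wrapped)
    ike = udp_encap_ike(b"\x00" * 28)  # stand-in for an IKE message (28-byte IKE header)
    # B's reply to the translated port follows the mapping back to A.
    back = nat.inbound(Packet("198.51.100.2", nat.public_ip, PROTO_UDP, NATT_PORT, out.sport, ike))
    # B initiating towards A instead needs a static forward of the NAT-T port to A.
    init = Packet("198.51.100.2", nat.public_ip, PROTO_UDP, NATT_PORT, NATT_PORT, ike)
    before_forward = nat.inbound(init)
    nat.forward_port(NATT_PORT, "192.168.1.10")
    after_forward = nat.inbound(init)
    return {
        "raw_esp": "dropped" if nat.outbound(raw) is None else "forwarded",
        "outer_src": out.src, "outer_sport": out.sport, "payload_intact": out.payload == esp,
        "b_sees": classify(out.payload), "reply_kind": classify(back.payload), "reply_to": back.dst,
        "unsolicited": "dropped" if before_forward is None else "delivered",
        "forwarded_to": after_forward.dst,
    }
```

Running `demo()` shows the raw ESP packet dropped at the NAT, the encapsulated one leaving with a rewritten outer source address and port but an intact ESP payload that router B classifies as ESP, B's reply mapped back to A, and B's unsolicited initiation dropped until the port forward from the paragraph above is in place.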
14.7.2 X-Auth (Extended Authentication)
Extended authentication provides added security by requiring a username and password for
a VPN connection, in addition to the IKE phase 1 credentials. This is especially helpful
when multiple ZyWALLs use one VPN rule, and therefore one shared pre-shared key, to connect
to a single ZyWALL: an attacker who has obtained the shared key still cannot complete a VPN
connection without a valid username and password. Extended authentication does not replace
the phase 1 credentials, so the shared key must still be protected; a party that knows it
can impersonate the gateway to the clients and be handed their usernames and passwords.
The extended authentication server checks the usernames and passwords of the extended
authentication clients before completing the IPSec connection.
A ZyWALL can be an extended authentication server for some VPN connections and an
extended authentication client for other VPN connections.
14.7.3 Remote DNS Server
In cases where you want to use domain names to access Intranet servers on a remote network
that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the
LAN or from the ISP, since those DNS servers cannot resolve domain names to private IP
addresses on the remote network. Queries to the remote DNS server are only carried inside
the tunnel if they match the VPN rule, so make sure the DNS server's address lies within
the remote network range configured in that rule.