User manual
Chapter 25 IPSec VPN
ZyWALL USG 300 User’s Guide
501
feature, router X and router Y can establish a VPN tunnel as long as the active
protocol is ESP. (See Active Protocol on page 502 for more information about
active protocols.)
If router A does not have an IPSec pass-thru or if the active protocol is AH, you
can solve this problem by enabling NAT traversal. In NAT traversal, router X and
router Y add an extra header to the IKE SA and IPSec SA packets. If you configure
router A to forward these packets unchanged, router X and router Y can establish
a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the ZyWALL and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged.
(See the field description for detailed information about the extra header.)
The extra header may be UDP port 500 or UDP port 4500, depending on the
standard(s) the ZyWALL and remote IPSec router support.
Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same
VPN tunnel to connect to a single IPSec router. For example, this might be used
with telecommuters.
In extended authentication, one of the routers (the ZyWALL or the remote IPSec
router) provides a user name and password to the other router, which uses a local
user database and/or an external server to verify the user name and password. If
the user name or password is wrong, the routers do not establish an IKE SA.
You can set up the ZyWALL to provide a user name and password to the remote
IPSec router, or you can set up the ZyWALL to check a user name and password
that is provided by the remote IPSec router.
If you use extended authentication, it takes four more steps to establish an IKE
SA. These steps occur at the end, regardless of the negotiation mode (steps 7-10
in main mode, steps 4-7 in aggressive mode).
Certificates
It is possible for the ZyWALL and remote IPSec router to authenticate each other
with certificates. In this case, you do not have to set up the pre-shared key, local
identity, or remote identity because the certificates provide this information
instead.
• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check
the signatures on each other’s certificates. Unlike pre-shared keys, the
signatures do not have to match.