Site-to-site | Site-to-site with Dynamic Peer | Remote Access (Server Role) | Remote Access (Client Role) | VPN Tunnel Interface |
---|---|---|---|---|
Choose this if the remote IPSec router has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel. The remote IPSec router can also initiate the VPN tunnel if this Zyxel Device has a static IP address or a domain name. | Choose this if the remote IPSec router has a dynamic IP address. You don’t specify the remote IPSec router’s address, but you specify the remote policy (the addresses of the devices behind the remote IPSec router). This Zyxel Device must have a static IP address or a domain name. Only the remote IPSec router can initiate the VPN tunnel. | Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. You don’t specify the addresses of the client IPSec routers or the remote policy. This creates a dynamic IPSec VPN rule that can let multiple clients connect. Only the clients can initiate the VPN tunnel. | Choose this to connect to an IPSec server. This Zyxel Device is the client (dial-in user). Client role Zyxel Devices initiate IPSec VPN connections to a server role Zyxel Device. This Zyxel Device can have a dynamic IP address. The IPSec server doesn’t configure this Zyxel Device’s IP address or the addresses of the devices behind it. Only this Zyxel Device can initiate the VPN tunnel. | Choose this to set up a VPN tunnel interface to bind with a VPN connection. The Zyxel Device can use the interface to do load balancing using a specific Trunk. The remote IPSec router should have a static IP address or a domain name. |
Label | Description |
---|---|
Global Setting | The following two fields are for all IPSec VPN policies. Click on the VPN icon to go to the Zyxel VPN Client product page at the Zyxel website. |
Use Policy Route to control dynamic IPSec rules | Select this to be able to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create these policy routes. The Zyxel Device automatically obtains source and destination addresses for dynamic IPSec rules that do not match any of the policy routes. Clear this to have the Zyxel Device automatically obtain source and destination addresses for all dynamic IPSec rules. |
Ignore “Don't Fragment” setting in packet header | Select this to fragment packets larger than the MTU (Maximum Transmission Unit) that have the “Don't Fragment” bit in the IP header turned on. When you clear this the Zyxel Device drops packets larger than the MTU that have the “Don't Fragment” bit in the header turned on. |
IPv4 / IPv6 Configuration | |
Add | Click this to create a new entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Connect | To connect an IPSec SA, select it and click Connect. |
Disconnect | To disconnect an IPSec SA, select it and click Disconnect. |
References | Select an entry and click References to open a screen that shows which settings use the entry. |
# | This field is a sequential value, and it is not associated with a specific connection. |
Status | The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The connect icon is lit when the interface is connected and dimmed when it is disconnected. |
Name | This field displays the name of the IPSec SA. |
VPN Gateway | This field displays the VPN gateway in use for this VPN connection. |
Gateway IP Version | This field displays which IP version the associated VPN gateway(s) use. An IPv4 gateway may use an IKEv1 or IKEv2 SA. An IPv6 gateway may use IKEv2 only. |
Policy | This field displays the local policy and the remote policy, respectively. |
Apply | Click Apply to save your changes back to the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |
Label | Description |
---|---|
Show Advanced Settings / Hide Advanced Settings | Click this button to display a greater or lesser number of configuration fields. |
Create new Object | Use this to configure any new settings objects that you need to use in this screen. |
General Settings | |
Enable | Select this check box to activate this VPN connection. |
Connection Name | Type the name used to identify this IPSec SA. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. |
Nailed-Up | Select this if you want the Zyxel Device to automatically renegotiate the IPSec SA when the SA life time expires. |
Enable Replay Detection | Select this check box to detect and reject old or duplicate packets to protect against Denial-of-Service attacks. |
Enable NetBIOS Broadcast over IPSec | Select this check box if you want the Zyxel Device to send NetBIOS (Network Basic Input/Output System) packets through the IPSec SA. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa. |
MSS Adjustment | Select Custom Size to set a specific number of bytes for the Maximum Segment Size (MSS) meaning the largest amount of data in a single TCP segment or IP datagram for this VPN connection. Some VPN clients may not be able to use a custom MSS size if it is set too small. In that case those VPN clients will ignore the size set here and use the minimum size that they can use. Select Auto to have the Zyxel Device automatically set the MSS for this VPN connection. |
Narrowed | This is visible when you select any option in the VPN Gateway section except VPN Tunnel Interface. If the IP range on the Zyxel Device (local policy) and the local IP range on the remote IPSec router overlap in an IKEv2 SA, you may select Narrowed to have the SA apply only to the IP addresses they have in common. Two examples: for IKEv2 SA-1, a local policy of 192.168.20.0/24 and a remote IPSec router range of 192.168.20.1 ~ 192.168.20.20 are narrowed to 192.168.20.1 ~ 192.168.20.20; for IKEv2 SA-2, a local policy of 192.168.30.50 ~ 192.168.30.70 and a remote IPSec router range of 192.168.30.60 ~ 192.168.30.80 are narrowed to 192.168.30.60 ~ 192.168.30.70. |
VPN Gateway | |
Application Scenario | Select the scenario that best describes your intended VPN connection. Site-to-site - Choose this if the remote IPSec router has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel. Site-to-site with Dynamic Peer - Choose this if the remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel. Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel. Remote Access (Client Role) - Choose this to connect to an IPSec server. This Zyxel Device is the client (dial-in user) and can initiate the VPN tunnel. VPN Tunnel Interface - Choose this to set up a VPN tunnel interface to bind with a VPN connection. The Zyxel Device can use the interface to do load balancing using a specific Trunk. The remote IPSec router should have a static IP address or a domain name. See Configuration > Network > Interface > VTI. |
VPN Gateway | Select the VPN gateway this VPN connection is to use or select Create Object to add another VPN gateway for this VPN connection to use. |
Policy | |
Local Policy | Select the address corresponding to the local network. Use Create new Object if you need to configure a new one. |
Remote Policy | Select the address corresponding to the remote network. Use Create new Object if you need to configure a new one. |
Enable GRE over IPSec | Select this to allow traffic using the Generic Routing Encapsulation (GRE) tunneling protocol through an IPSec tunnel. |
Policy Enforcement | Clear this to allow traffic with source and destination IP addresses that do not match the local and remote policy to use the VPN tunnel. Leave this cleared for free access between the local and remote networks. Selecting this restricts who can use the VPN tunnel. The Zyxel Device drops traffic with source and destination IP addresses that do not match the local and remote policy. |
Mode Config | This is visible when you select Remote Access (Server Role) and a VPN Gateway. |
Enable Mode Config | Select this to have the IPSec VPN client receive an IP address, DNS and WINS information from the Zyxel Device. |
IP Address Pool | Select an address object from the drop-down list box. |
First DNS Server (Optional) | The Domain Name System (DNS) maps a domain name to an IP address and vice versa. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN. Enter a DNS server's IP address. |
Second DNS Server (Optional) | Enter a secondary DNS server's IP address that is checked if the first one is unavailable. |
First WINS Server (Optional) | Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. |
Second WINS Server (Optional) | Enter a secondary WINS server's IP address that is checked if the first one is unavailable. |
Configuration Payload | This is only available when you have created an IKEv2 Gateway and are using Remote Access (Server Role). |
Enable Configuration Payload | Select this to have at least the IP address pool included in the VPN setup data. |
IP Address Pool | Select an address object from the drop-down list box. |
First DNS Server (optional) | The Domain Name System (DNS) maps a domain name to an IP address and vice versa. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN. Enter a DNS server's IP address. |
Second DNS Server (Optional) | Enter a secondary DNS server's IP address that is checked if the first one is unavailable. |
First WINS Server (Optional) | Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. |
Second WINS Server (Optional) | Enter a secondary WINS server's IP address that is checked if the first one is unavailable. |
Phase 2 Settings | |
SA Life Time | Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The Zyxel Device automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources. |
Active Protocol | Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication algorithm. ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption algorithm and Authentication algorithm. Both AH and ESP increase processing requirements and latency (delay). The Zyxel Device and remote IPSec router must use the same active protocol. |
Encapsulation | Select which type of encapsulation the IPSec SA uses. Choices are Tunnel - this mode encrypts the IP header information and the data. Transport - this mode only encrypts the data. The Zyxel Device and remote IPSec router must use the same encapsulation. |
Proposal | Use this section to manage the encryption algorithm and authentication algorithm pairs the Zyxel Device accepts from the remote IPSec router for negotiating the IPSec SA. |
Add | Click this to create a new entry. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
# | This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. |
Encryption | This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are: NULL - no encryption key or algorithm DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm AES128 - a 128-bit key with the AES encryption algorithm AES192 - a 192-bit key with the AES encryption algorithm AES256 - a 256-bit key with the AES encryption algorithm The Zyxel Device and the remote IPSec router must both have at least one proposal that uses the same encryption algorithm and the same key size. Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput. |
Authentication | Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower. The Zyxel Device and the remote IPSec router must both have a proposal that uses the same authentication algorithm. |
Perfect Forward Secrecy (PFS) | Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are: none - disable PFS DH1 - enable PFS and use a 768-bit random number DH2 - enable PFS and use a 1024-bit random number DH5 - enable PFS and use a 1536-bit random number DH14 - enable PFS and use a 2048-bit random number PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. PFS is ignored in initial IKEv2 authentication but is used when re-authenticating. |
Related Settings | |
Zone | Select the security zone into which to add this VPN connection policy. Any security rules or settings configured for the selected zone apply to this VPN connection policy. |
Connectivity Check | The Zyxel Device can regularly check the VPN connection to the gateway you specified to make sure it is still available. |
Enable Connectivity Check | Select this to turn on the VPN connection check. |
Check Method | Select how the Zyxel Device checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the Zyxel Device regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings. Select tcp to have the Zyxel Device regularly perform a TCP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP connection. |
Check Port | This field displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. |
Check Period | Enter the number of seconds between connection check attempts. |
Check Timeout | Enter the number of seconds to wait for a response before the attempt is a failure. |
Check Fail Tolerance | Enter the number of consecutive failures allowed before the Zyxel Device disconnects the VPN tunnel. The Zyxel Device resumes using the first peer gateway address when the VPN connection passes the connectivity check. |
Check this Address | Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it. |
Check the First and Last IP Address in the Remote Policy | Select this to have the Zyxel Device check the connection to the first and last IP addresses in the connection’s remote policy. Make sure one of these is the peer gateway’s LAN IP address. |
Log | Select this to have the Zyxel Device generate a log every time it checks this VPN connection. |
Inbound/Outbound traffic NAT | |
Outbound Traffic | |
Source NAT | This translation hides the source address of computers in the local network. It may also be necessary if you want the Zyxel Device to route packets from computers outside the local network through the IPSec SA. |
Source | Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the computer or network outside the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT). |
Destination | Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the remote network. |
SNAT | Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT). |
Inbound Traffic | |
Source NAT | This translation hides the source address of computers in the remote network. |
Source | Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT). |
Destination | Select the address object that represents the original destination address (or select Create Object to configure a new one). This is the address object for the local network. |
SNAT | Select the address object that represents the translated source address (or select Create Object to configure a new one). This is the address that hides the original source address. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT). |
Destination NAT | This translation forwards packets (for example, mail) from the remote network to a specific computer (for example, the mail server) in the local network. |
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
Move | To change an entry’s position in the numbered list, select it and click Move to display a field where you can type the number of the position you want; press [ENTER] to move the entry to that position. |
# | This field is a sequential value, and it is not associated with a specific NAT record. However, the order of records is the sequence in which conditions are checked and executed. |
Original IP | Select the address object that represents the original destination address. This is the address object for the remote network. |
Mapped IP | Select the address object that represents the desired destination address. For example, this is the address object for the mail server. |
Protocol | Select the protocol required to use this translation. Choices are: TCP, UDP, or All. |
Original Port Start / Original Port End | These fields are available if the protocol is TCP or UDP. Enter the original destination port or range of original destination ports. The size of the original port range must be the same as the size of the mapped port range. |
Mapped Port Start / Mapped Port End | These fields are available if the protocol is TCP or UDP. Enter the translated destination port or range of translated destination ports. The size of the original port range must be the same as the size of the mapped port range. |
OK | Click OK to save the changes. |
Cancel | Click Cancel to discard all changes and return to the main VPN screen. |
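The Narrowed option described above keeps only the addresses that the local policy and the remote IPSec router's policy have in common. The following script is an added example, not Zyxel code: it computes that intersection for CIDR blocks or "a ~ b" ranges, reproduces the two examples given for Narrowed, and reports when the two policies share no addresses at all; the function names are the example's own.

```python
"""Added example (not Zyxel's code): compute the narrowed IKEv2 traffic
selector from a local policy and a peer's policy, as the Narrowed option
does, and flag the case where the two policies share no addresses."""
import ipaddress
from typing import Optional, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_selector(text: str) -> Range:
    """Accept a CIDR block ('192.168.20.0/24'), a range ('a ~ b') or a
    single host, and return the inclusive (first, last) address pair."""
    text = text.strip()
    if "~" in text:
        parts = [ipaddress.IPv4Address(p.strip()) for p in text.split("~", 1)]
        first, last = parts[0], parts[1]
        if first > last:
            raise ValueError(f"range start is after range end: {text}")
        return first, last
    # A bare host address is treated as a /32 network.
    net = ipaddress.IPv4Network(text, strict=False)
    return net.network_address, net.broadcast_address


def narrow(local_policy: str, remote_policy: str) -> Optional[Range]:
    """Return the addresses common to both selectors, or None if disjoint.

    The intersection of two inclusive ranges starts at the later of the two
    starts and ends at the earlier of the two ends; if that is empty, the
    policies overlap nowhere and no narrowed SA can be built from them.
    """
    l_first, l_last = parse_selector(local_policy)
    r_first, r_last = parse_selector(remote_policy)
    first = max(l_first, r_first)
    last = min(l_last, r_last)
    if first > last:
        return None
    return first, last


def fmt(rng: Optional[Range]) -> str:
    """Render a narrowed range the way the Narrowed table does."""
    return "no overlap" if rng is None else f"{rng[0]} ~ {rng[1]}"


if __name__ == "__main__":
    # Constructed inputs: the two examples from the Narrowed description,
    # plus a disjoint pair that a narrowed SA cannot be negotiated from.
    cases = [
        ("192.168.20.0/24", "192.168.20.1 ~ 192.168.20.20"),
        ("192.168.30.50 ~ 192.168.30.70", "192.168.30.60 ~ 192.168.30.80"),
        ("10.1.0.0/24", "10.2.0.0/24"),
    ]
    for local, remote in cases:
        print(f"{local:32} {remote:32} -> {fmt(narrow(local, remote))}")
```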
Label | Description |
---|---|
Add | Click this to create a new entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
References | Select an entry and click References to open a screen that shows which settings use the entry. |
# | This field is a sequential value, and it is not associated with a specific VPN gateway. |
Status | The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. |
Name | This field displays the name of the VPN gateway. |
My address | This field displays the interface or a domain name the Zyxel Device uses for the VPN gateway. |
Secure Gateway | This field displays the IP address(es) of the remote IPSec routers. |
VPN Connection | This field displays VPN connections that use this VPN gateway. |
IKE Version | This field displays whether the gateway is using IKEv1 or IKEv2. IKEv1 applies to IPv4 traffic only. IKEv2 applies to both IPv4 and IPv6 traffic. IKE (Internet Key Exchange) is a protocol used in setting up security associations that allows two parties to send data securely. See Virtual Private Networks (VPN) Overview for more information on IKEv1 and IKEv2. |
Apply | Click Apply to save your changes back to the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |
Label | Description |
---|---|
Show Advanced Settings / Hide Advanced Settings | Click this button to display a greater or lesser number of configuration fields. |
Create New Object | Use this to configure any new settings objects that you need to use in this screen. |
General Settings | |
Enable | Select this to activate the VPN Gateway policy. |
VPN Gateway Name | Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. |
IKE Version | |
IKEv1 / IKEv2 | Select IKEv1 or IKEv2. IKEv1 applies to IPv4 traffic only. IKEv2 applies to both IPv4 and IPv6 traffic. IKE (Internet Key Exchange) is a protocol used in setting up security associations that allows two parties to send data securely. See Virtual Private Networks (VPN) Overview for more information on IKEv1 and IKEv2. |
Gateway Settings | |
My Address | Select how the IP address of the Zyxel Device in the IKE SA is defined. If you select Interface, select the Ethernet interface, VLAN interface, virtual Ethernet interface, virtual VLAN interface or PPPoE/PPTP interface. The IP address of the Zyxel Device in the IKE SA is the IP address of the interface. If you select Domain Name / IP, enter the domain name or the IP address of the Zyxel Device. The IP address of the Zyxel Device in the IKE SA is the specified IP address or the IP address corresponding to the domain name. 0.0.0.0 is not generally recommended as it has the Zyxel Device accept IPSec requests destined for any interface address on the Zyxel Device. |
Peer Gateway Address | Select how the IP address of the remote IPSec router in the IKE SA is defined. Select Static Address to enter the domain name or the IP address of the remote IPSec router. You can provide a second IP address or domain name for the Zyxel Device to try if it cannot establish an IKE SA with the first one. Fall back to Primary Peer Gateway when possible: When you select this, if the connection to the primary address goes down and the Zyxel Device changes to using the secondary connection, the Zyxel Device will reconnect to the primary address when it becomes available again and stop using the secondary connection. Users will lose their VPN connection briefly while the Zyxel Device changes back to the primary connection. To use this, the peer device at the secondary address cannot be set to use a nailed-up VPN connection. In the Fallback Check Interval field, set how often to check if the primary address is available. Select Dynamic Address if the remote IPSec router has a dynamic IP address (and does not use DDNS). |
Authentication | The Zyxel Device and remote IPSec router must use the same authentication method to establish the IKE SA. |
Pre-Shared Key | Select this to have the Zyxel Device and remote IPSec router use a pre-shared key (password) of up to 128 characters to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right. The pre-shared key can be: • alphanumeric characters or ,;.|`~!@#$%^&*()_+\{}':./<>=-" • pairs of hexadecimal (0-9, A-F) characters, preceded by “0x”. Type “0x” at the beginning of a hexadecimal key. For example, "0x0123456789ABCDEF" is in hexadecimal format; “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs. The Zyxel Device and remote IPSec router must use the same pre-shared key. Select unmasked to see the pre-shared key in readable plain text. |
Certificate | Select this to have the Zyxel Device and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the Zyxel Device uses to identify itself to the remote IPSec router. This certificate is one of the certificates in My Certificates. If this certificate is self-signed, import it into the remote IPSec router. If this certificate is signed by a CA, the remote IPSec router must trust that CA. The IPSec routers must trust each other’s certificates. The Zyxel Device uses one of its Trusted Certificates to authenticate the remote IPSec router’s certificate. The trusted certificate can be a self-signed certificate or that of a trusted CA that signed the remote IPSec router’s certificate. |
User-based PSK | User-based PSK (IKEv1 only) generates and manages separate pre-shared keys for every user. This enables multiple users, each with a unique key, to access the same VPN gateway policy with one-to-one authentication and strong encryption. Access can be denied on a per-user basis, which allows user-based VPN SA policies. Click User-Based PSK, then select a user or group object that is allowed VPN SA access using this VPN gateway policy. |
Local ID Type | This field is read-only if the Zyxel Device and remote IPSec router use certificates to identify each other. Select which type of identification is used to identify the Zyxel Device during authentication. Choices are: IPv4 or IPv6 - the Zyxel Device is identified by an IP address DNS - the Zyxel Device is identified by a domain name E-mail - the Zyxel Device is identified by the string specified in this field |
Content | This field is read-only if the Zyxel Device and remote IPSec router use certificates to identify each other. Type the identity of the Zyxel Device during authentication. The identity depends on the Local ID Type. IP - type an IP address; if you type 0.0.0.0, the Zyxel Device uses the IP address specified in the My Address field. This is not recommended in the following situations: • There is a NAT router between the Zyxel Device and remote IPSec router. • You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses. In these situations, use a different IP address, or use a different Local ID Type. DNS - type the fully qualified domain name (FQDN). This value is only used for identification and can be any string that matches the peer ID string. E-mail - the Zyxel Device is identified by the string you specify here; you can use up to 63 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string. |
Peer ID Type | Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is identified by the string specified in this field Any - the Zyxel Device does not check the identity of the remote IPSec router If the Zyxel Device and remote IPSec router use certificates, there is one more choice. Subject Name - the remote IPSec router is identified by the subject name in the certificate |
Content | This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type. If the Zyxel Device and remote IPSec router do not use certificates, IP - type an IP address; see the note at the end of this description. DNS - type the fully qualified domain name (FQDN). This value is only used for identification and can be any string that matches the peer ID string. E-mail - the remote IPSec router is identified by the string you specify here; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string. If the Zyxel Device and remote IPSec router use certificates, type the following fields from the certificate used by the remote IPSec router. IP - subject alternative name field; see the note at the end of this description. DNS - subject alternative name field E-mail - subject alternative name field Subject Name - subject name (maximum 255 ASCII characters, including spaces) If Peer ID Type is IP, please read the rest of this section. If you type 0.0.0.0, the Zyxel Device uses the IP address specified in the Secure Gateway Address field. This is not recommended in the following situations: • There is a NAT router between the Zyxel Device and remote IPSec router. • You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses. In these situations, use a different IP address, or use a different Peer ID Type. |
Phase 1 Settings | |
SA Life Time (Seconds) | Type the maximum number of seconds the IKE SA can last. When this time has passed, the Zyxel Device and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however. |
Negotiation Mode | Select the negotiation mode to use to negotiate the IKE SA. Choices are Main - this encrypts the Zyxel Device’s and remote IPSec router’s identities but takes more time to establish the IKE SA Aggressive - this is faster but does not encrypt the identities The Zyxel Device and the remote IPSec router must use the same negotiation mode. |
Proposal | Use this section to manage the encryption algorithm and authentication algorithm pairs the Zyxel Device accepts from the remote IPSec router for negotiating the IKE SA. |
Add | Click this to create a new entry. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
# | This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly. |
Encryption | Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm AES128 - a 128-bit key with the AES encryption algorithm AES192 - a 192-bit key with the AES encryption algorithm AES256 - a 256-bit key with the AES encryption algorithm The Zyxel Device and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput. |
Authentication | Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower. The remote IPSec router must use the same authentication algorithm. |
Key Group | Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are: • DH1 - use a 768-bit random number. • DH2 - use a 1024-bit random number. • DH5 - use a 1536-bit random number. • DH14 - use a 2048-bit random number. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. |
NAT Traversal | Select this if any of these conditions are satisfied. • This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol. • There are one or more NAT routers between the Zyxel Device and remote IPSec router, and these routers do not support IPSec pass-thru or a similar feature. The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward packets with UDP port 500 and UDP port 4500 headers unchanged. This field applies for IKEv1 only. NAT Traversal is always performed when you use IKEv2. |
Dead Peer Detection (DPD) | Select this check box if you want the Zyxel Device to make sure the remote IPSec router is there before it transmits data through the IKE SA. The remote IPSec router must support DPD. If there has been no traffic for at least 15 seconds, the Zyxel Device sends a message to the remote IPSec router. If the remote IPSec router responds, the Zyxel Device transmits the data. If the remote IPSec router does not respond, the Zyxel Device shuts down the IKE SA. If the remote IPSec router does not support DPD, see if you can use the VPN connection connectivity check (see VPN Connection Add/Edit). This field applies for IKEv1 only. Dead Peer Detection (DPD) is always performed when you use IKEv2. |
X Auth / Extended Authentication Protocol | This part of the screen displays X-Auth when using IKEv1 and Extended Authentication Protocol when using IKEv2. |
X-Auth | This displays when using IKEv1. When different users use the same VPN tunnel to connect to the Zyxel Device (telecommuters sharing a tunnel, for example), use X-Auth to enforce a user name and password check. This way, even though the telecommuters all know the VPN tunnel’s security settings, each still has to provide a unique user name and password. |
Enable Extended Authentication | Select this if one of the routers (the Zyxel Device or the remote IPSec router) verifies a user name and password from the other router using the local user database and/or an external server. |
Server Mode | Select this if the Zyxel Device authenticates the user name and password from the remote IPSec router. You also have to select the authentication method, which specifies how the Zyxel Device authenticates this information. |
AAA Method | Select the authentication method, which specifies how the Zyxel Device authenticates this information. |
Allowed User | Extended authentication supports restricting who may authenticate. Select which users may be authenticated. |
Client Mode | Select this radio button if the Zyxel Device provides a username and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password. |
User Name | This field is required if the Zyxel Device is in Client Mode for extended authentication. Type the user name the Zyxel Device sends to the remote IPSec router. The user name can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed. |
Password | This field is required if the Zyxel Device is in Client Mode for extended authentication. Type the password the Zyxel Device sends to the remote IPSec router. The password can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed. |
Retype to Confirm | Type the exact same password again here to make sure an error was not made when typing it originally. |
Extended Authentication Protocol | This displays when using IKEv2. EAP uses a certificate for authentication. |
Enable Extended Authentication Protocol | Select this if one of the routers (the Zyxel Device or the remote IPSec router) verifies a user name and password from the other router using the local user database and/or an external server or a certificate. |
Allowed Auth Method | This field displays the authentication method that is used to authenticate the users. |
Server Mode | Select this if the Zyxel Device authenticates the user name and password from the remote IPSec router. You also have to select an AAA method, which specifies how the Zyxel Device authenticates this information and who may be authenticated (Allowed User). |
Client Mode | Select this radio button if the Zyxel Device provides a username and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password. |
User Name | This field is required if the Zyxel Device is in Client Mode for extended authentication. Type the user name the Zyxel Device sends to the remote IPSec router. The user name can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed. |
Password | This field is required if the Zyxel Device is in Client Mode for extended authentication. Type the password the Zyxel Device sends to the remote IPSec router. The password can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed. |
Retype to Confirm | Type the exact same password again here to make sure an error was not made when typing it originally. |
OK | Click OK to save your settings and exit this screen. |
Cancel | Click Cancel to exit this screen without saving. |
Label | Description |
---|---|
IPv4/IPv6 Configuration | Choose to configure for IPv4 or IPv6 traffic. |
Add | Click this to create a new entry. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
# | This field is a sequential value, and it is not associated with a specific concentrator. |
Name | This field displays the name of the VPN concentrator. |
Group Members | These are the VPN connection policies that are part of the VPN concentrator. |
Label | Description |
---|---|
Name | Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. |
Member | Select the concentrator’s IPSec VPN connection policies. You must disable policy enforcement in each member. IPSec VPN connection policies that do not belong to a VPN concentrator appear under Available. Select any VPN connection policies that you want to add to the VPN concentrator and click the right arrow button to add them. The VPN concentrator’s member VPN connections appear under Member. Select any VPN connections that you want to remove from the VPN concentrator, and click the left arrow button to remove them. |
OK | Click OK to save your changes in the Zyxel Device. |
Cancel | Click Cancel to exit this screen without saving. |
Label | Description |
---|---|
Enable Configuration Provisioning | Select this for users to be able to retrieve VPN rule settings using the Zyxel Device IPSec VPN client. |
Client Authentication Method | Choose how users should be authenticated. They can be authenticated using the local database on the Zyxel Device or an external authentication database such as LDAP, Active Directory or RADIUS. default is the method you configured in Object > Auth Method; you may configure multiple methods there. If you choose the local database on the Zyxel Device, then configure users using the Object > User/Group screen. If you choose LDAP, Active Directory or RADIUS authentication servers, then configure users on the respective server. |
Configuration | When you add or edit a configuration provisioning entry, you are allowed to set the VPN Connection and Allowed User fields. Duplicate entries are not allowed. You cannot select the same VPN Connection and Allowed User pair in a new entry if the same pair exists in a previous entry. You can bind different rules to the same user, but the Zyxel Device will only allow VPN rule setting retrieval for the first match found. |
Add | Click Add to bind a configured VPN rule to a user or group. Only that user or group may then retrieve the specified VPN rule settings. If you click Add without selecting an entry in advance then the new entry appears as the first entry. Entry order is important as the Zyxel Device searches entries in the order listed here to find a match. After a match is found, the Zyxel Device stops searching. If you want to add an entry as number three for example, then first select entry 2 and click Add. To reorder an entry, use Move. |
Edit | Select an existing entry and click Edit to change its settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Activate | To turn on an entry, select it and click Activate. Make sure that Enable Configuration Provisioning is also selected. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Move | Use Move to reorder a selected entry. Select an entry, click Move, type the number where the entry should be moved, press <ENTER>, then click Apply. |
Status | This icon shows if the entry is active (yellow) or not (gray). VPN rule settings can only be retrieved when the entry is activated (and Enable Configuration Provisioning is also selected). |
Priority | Priority shows the order of the entry in the list. Entry order is important as the Zyxel Device searches entries in the order listed here to find a match. After a match is found the Zyxel Device stops searching. |
VPN Connection | This field shows all configured VPN rules that match the rule criteria for the Zyxel Device IPSec VPN client. Select a rule to bind to the associated user or group. |
Allowed User | Select which user or group of users is allowed to retrieve the associated VPN rule settings using the Zyxel Device IPSec VPN client. A user may belong to a number of groups. If entries are configured for different groups, the Zyxel Device will allow VPN rule setting retrieval based on the first match found. Users of type admin or limited-admin are not allowed. |
Type | This field shows how traffic is tunneled from the Zyxel Device to the Zyxel VPN client: • 6in4 (tunnel IPv6 traffic from the Zyxel Device to the Zyxel client in an IPv4 network); • 4in6 (tunnel IPv4 traffic from the Zyxel Device to the Zyxel VPN client in an IPv6 network); • 4in4 (tunnel IPv4 traffic from the Zyxel Device to the Zyxel VPN client in an IPv4 network). |
Apply | Click Apply to save your changes back to the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |
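The first-match lookup described for Add, Priority and Allowed User above, as an added example that is not Zyxel's code: it models an ordered provisioning table, rejects duplicate VPN Connection / Allowed User pairs, skips inactive entries and admin-type users, and resolves which rule a user may retrieve. The rule names (Rule_Sales, Rule_Eng, Rule_Tom), users and groups are constructed.

```python
# Added example, not Zyxel's code: models the configuration-provisioning lookup
# described above (ordered entries, first match wins, admins excluded).
from dataclasses import dataclass
from typing import Optional

ADMIN_TYPES = {"admin", "limited-admin"}   # user types that may not retrieve rules

@dataclass(frozen=True)
class User:
    name: str
    user_type: str = "user"
    groups: frozenset = frozenset()        # a user may belong to several groups

@dataclass(frozen=True)
class Entry:
    vpn_connection: str
    allowed_user: str                      # a user name or a group name
    active: bool = True

class ProvisioningTable:
    def __init__(self, enabled: bool = True):
        self.enabled = enabled             # Enable Configuration Provisioning
        self.entries: list = []            # kept in priority order

    def add(self, entry: Entry, selected: Optional[int] = None) -> None:
        """Click Add: reject a duplicate (VPN Connection, Allowed User) pair;
        insert below the selected entry (1-based), or first if none is selected."""
        pair = (entry.vpn_connection, entry.allowed_user)
        if any((e.vpn_connection, e.allowed_user) == pair for e in self.entries):
            raise ValueError(f"duplicate entry {pair}")
        self.entries.insert(0 if selected is None else selected, entry)

    def retrievable_rule(self, user: User) -> Optional[str]:
        """First active entry whose Allowed User is the user or one of the user's
        groups wins; admin-type users and a disabled feature yield nothing."""
        if not self.enabled or user.user_type in ADMIN_TYPES:
            return None
        for e in self.entries:
            if e.active and e.allowed_user in ({user.name} | user.groups):
                return e.vpn_connection
        return None

def build_sample_table() -> ProvisioningTable:
    """Constructed sample: two group rules first, a per-user rule last."""
    table = ProvisioningTable()
    table.add(Entry("Rule_Sales", "sales"))                  # entry 1
    table.add(Entry("Rule_Eng", "engineering"), selected=1)  # becomes entry 2
    table.add(Entry("Rule_Tom", "tom"), selected=2)          # becomes entry 3
    return table
```

A user in both groups gets Rule_Sales even though Rule_Tom is bound to them directly, which is the "first match found" behaviour the table describes.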
Zyxel Device | Remote IPSec router |
---|---|
Local ID type: E-mail | Local ID type: IP |
Local ID content: tom@yourcompany.com | Local ID content: 1.1.1.2 |
Peer ID type: IP | Peer ID type: E-mail |
Peer ID content: 1.1.1.2 | Peer ID content: tom@yourcompany.com |
Zyxel Device | Remote IPSec router |
---|---|
Local ID type: E-mail | Local ID type: IP |
Local ID content: tom@yourcompany.com | Local ID content: 1.1.1.2 |
Peer ID type: IP | Peer ID type: E-mail |
Peer ID content: 1.1.1.20 | Peer ID content: tom@yourcompany.com |
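The Peer ID rules from the Content field (type Any accepts any identity, IP 0.0.0.0 falls back to the Secure Gateway Address, trailing spaces in an E-mail ID are dropped) replayed against the two tables above, as an added example that is not Zyxel's code. The Zyxel Device's own address 203.0.113.10 is a constructed placeholder; the tables give only the remote router's 1.1.1.2.

```python
# Added example, not Zyxel's code: models the Local ID / Peer ID check
# described for the Content field and replays the two example tables above.
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class IkeId:
    id_type: str   # "IP", "DNS", "E-mail", "Subject Name"; a Peer ID may also be "Any"
    content: str

@dataclass(frozen=True)
class Gateway:
    secure_gateway_address: str   # what was typed in Secure Gateway Address
    local_id: IkeId               # identity this router presents
    peer_id: IkeId                # identity it expects from the other router

def expected_peer_id(gw: Gateway) -> IkeId:
    """Peer ID type IP with content 0.0.0.0 falls back to the Secure Gateway Address."""
    if gw.peer_id.id_type == "IP" and gw.peer_id.content == "0.0.0.0":
        return IkeId("IP", gw.secure_gateway_address)
    return gw.peer_id

def id_matches(expected: IkeId, presented: IkeId) -> bool:
    """Any accepts every identity; IP compares as addresses; E-mail drops trailing spaces."""
    if expected.id_type == "Any":
        return True
    if expected.id_type != presented.id_type:
        return False
    if expected.id_type == "IP":
        return ip_address(expected.content) == ip_address(presented.content)
    if expected.id_type == "E-mail":
        return expected.content.rstrip(" ") == presented.content.rstrip(" ")
    return expected.content == presented.content   # DNS and Subject Name: exact string

def ids_consistent(a: Gateway, b: Gateway) -> bool:
    """The tunnel needs both directions to pass: each router accepts the other's Local ID."""
    return (id_matches(expected_peer_id(a), b.local_id)
            and id_matches(expected_peer_id(b), a.local_id))

# Built from the two tables above. 203.0.113.10 is a constructed placeholder for the
# Zyxel Device's own address, which the tables do not give (the peer expects E-mail anyway).
TOM = IkeId("E-mail", "tom@yourcompany.com")
REMOTE = Gateway("203.0.113.10", IkeId("IP", "1.1.1.2"), TOM)
MATCHING = Gateway("1.1.1.2", TOM, IkeId("IP", "1.1.1.2"))      # first table
MISMATCHING = Gateway("1.1.1.2", TOM, IkeId("IP", "1.1.1.20"))  # second table
WILDCARD_IP = Gateway("1.1.1.2", TOM, IkeId("IP", "0.0.0.0"))   # relies on the fallback
```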