ZyXEL Communications ZYWALL 5 - V4.04 User Guide, Page 176

ZyXEL Confidential
404XD3C0.docx
176/181
ZyXEL VPN Client
Security Gateway: 1.1.1.1
Phase one Authentication method: Preshare Key
Remote: 192.168.1.0/24
In example 1, the user may wonder why the ZyWALL swaps to the dynamic rule even though the VPN client's authentication method is set to "Preshare Key" rather than "Preshare Key+XAuth". The root cause is that the ZyXEL VPN Client currently sends the XAuth Vendor ID (VID) regardless of which authentication mode the user has configured. Because the ZyWALL receives the XAuth VID, it swaps to the dynamic rule.
This unexpected rule swap is a limitation of our design. When the ZyWALL receives the initiator's XAuth VID during IKE Phase One, it knows that the initiator supports XAuth. On the side of security, it assumes that the initiator wants to perform XAuth and gives top priority to finding a matching IKE Phase One rule that has XAuth server mode. In our rule-swap scheme, static rules are searched before dynamic rules. In example 1, the static rule "Rule_B" is therefore found first and used to build the Phase One tunnel. Once Phase One negotiation has finished, the ZyWALL acts on the initiator's request for XAuth. Because Rule_B has no XAuth server mode, the ZyWALL searches for another rule with the same IKE Phase One parameters and XAuth server mode. That search leads it to swap to the dynamic rule "Rule_A", whose Phase Two local network does not match what the client requested, so building the VPN tunnel fails with a Phase Two local IP mismatch.
To avoid this scenario, the short-term solution is to configure the two IKE rules with different Phase One parameters, so that the search for an XAuth-capable rule can no longer match the dynamic rule. The long-term solution is for the VPN Client to change its XAuth VID behaviour: it should not send the XAuth VID when the authentication method is "Preshare Key", and should send it only when the authentication method is "Preshare Key+XAuth".
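The following Python model of the rule search and rule swap described above is an added illustration, not ZyXEL code. It reproduces example 1 and both proposed remedies. The rule names, the client's remote network (192.168.1.0/24) and the static-first search order come from the text; the Phase One parameter values, the local network behind Rule_A (192.168.2.0/24) and the assumption that Rule_B's local network matches the client's remote network are assumptions made for the example.

```python
# Added model of the ZyWALL IKE rule-selection and rule-swap behaviour for
# example 1. Not ZyXEL code: Phase One parameter values and the local
# networks of Rule_A / Rule_B are assumed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IkeRule:
    name: str
    dynamic: bool                   # dynamic rule: remote gateway address not fixed
    phase1: Tuple[str, str, int]    # (encryption, hash, DH group); assumed values
    xauth_server: bool              # rule is configured with XAuth server mode
    local_net: str                  # Phase Two local network on the ZyWALL side


@dataclass
class Initiator:
    phase1: Tuple[str, str, int]
    sends_xauth_vid: bool           # the ZyXEL VPN Client currently always sends it
    remote_net: str                 # network the client expects behind the gateway


def find_rule(rules: List[IkeRule], init: Initiator,
              need_xauth: bool = False) -> Optional[IkeRule]:
    """Search static rules first, then dynamic rules, for matching Phase One
    parameters; with need_xauth the rule must also have XAuth server mode."""
    for want_dynamic in (False, True):
        for rule in rules:
            if rule.dynamic != want_dynamic or rule.phase1 != init.phase1:
                continue
            if need_xauth and not rule.xauth_server:
                continue
            return rule
    return None


def negotiate(rules: List[IkeRule], init: Initiator):
    """Return (rule used for Phase One, rule after any swap, Phase Two succeeds?)."""
    phase1_rule = find_rule(rules, init)
    if phase1_rule is None:
        return None, None, False
    final = phase1_rule
    # The XAuth VID makes the ZyWALL assume the initiator wants XAuth; if the
    # Phase One rule has no XAuth server mode, it looks for one that does.
    if init.sends_xauth_vid and not phase1_rule.xauth_server:
        swapped = find_rule(rules, init, need_xauth=True)
        if swapped is not None:
            final = swapped
    # Phase Two only succeeds if the selected rule's local network matches
    # the network the client asked for.
    phase2_ok = final.local_net == init.remote_net
    return phase1_rule.name, final.name, phase2_ok


P1 = ("3DES", "SHA1", 2)        # assumed Phase One parameters shared by both rules
P1_ALT = ("AES", "MD5", 2)      # assumed alternative parameters for the workaround
CLIENT = Initiator(phase1=P1, sends_xauth_vid=True, remote_net="192.168.1.0/24")


def gateway_rules(rule_a_phase1=P1) -> List[IkeRule]:
    """Rule_A: dynamic, XAuth server; Rule_B: static, no XAuth (as in example 1)."""
    return [
        IkeRule("Rule_A", True, rule_a_phase1, True, "192.168.2.0/24"),   # assumed local net
        IkeRule("Rule_B", False, P1, False, "192.168.1.0/24"),            # matches client
    ]


def example_1():
    """Rule_B is found first, the XAuth VID forces a swap to Rule_A, Phase Two fails."""
    return negotiate(gateway_rules(), CLIENT)


def short_term_fix():
    """Rule_A gets different Phase One parameters, so no second match exists."""
    return negotiate(gateway_rules(rule_a_phase1=P1_ALT), CLIENT)


def long_term_fix():
    """A client that omits the XAuth VID for plain Preshare Key never triggers the swap."""
    client = Initiator(phase1=P1, sends_xauth_vid=False, remote_net="192.168.1.0/24")
    return negotiate(gateway_rules(), client)


if __name__ == "__main__":
    for label, fn in (("example 1", example_1),
                      ("short-term fix", short_term_fix),
                      ("long-term fix", long_term_fix)):
        print(label, fn())
```

Running it shows example 1 negotiating Phase One on Rule_B, swapping to Rule_A and failing Phase Two, while either remedy keeps the tunnel on Rule_B.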
Appendix 11 The mechanism of Gratuitous ARP in the ZyWALL
In the past, if the ZyWALL received a gratuitous ARP it would not update the sender's MAC mapping in its ARP table. In the current design, if you turn on 'ip arp ackGratuitous active yes', how the ZyWALL responds to such a packet depends on one of two settings: 'ip arp ackGratuitous forceUpdate on' or 'ip arp ackGratuitous forceUpdate off'. If forceUpdate is turned on and the ZyWALL receives a gratuitous ARP, it forces the MAC mapping to be updated in the ARP table; otherwise, if forceUpdate is turned off and the ZyWALL receives a gratuitous