Using xAuth on ZyWALL to ZyWALL Tunneling

  1. Setup ZyWALL A (Server)
  2. Setup ZyWALL B (Client)

This page describes how to use xAuth (Extended Authentication) between two ZyWALL boxes. xAuth brings the traditional RADIUS authentication method into IPSec VPN. With xAuth, network administrators can apply user-level access control over IPSec VPN.

Managing different pre-shared keys for different mobile users would be a big headache for network administrators. With xAuth, multiple users can share the same pre-shared key, while their access to the central network is further checked against a RADIUS server on the central side. Network administrators can thus reuse their existing RADIUS server to authenticate IPSec connections.

xAuth is a protocol with a client/server architecture, and ZyWALL supports both client and server mode. Between IKE phase 1 and phase 2 negotiation, the client sends a user name and password to the server for authentication. The server then forwards the user name and password to the RADIUS server for checking. In server mode ZyWALL also provides an internal user database, so administrators do not need to build an external RADIUS server.

[Topology diagram: topology1.gif]

The IP addresses we use in this example are as shown below.

  ZyWALL A (LAN 1: 192.168.1.0/24)
    LAN: 192.168.1.1
    WAN: 202.132.154.1

  ZyWALL B (LAN 2: 192.168.2.0/24)
    LAN: 192.168.2.1
    WAN: 168.10.10.66


1. Setup ZyWALL A (Server)

  1. Using a web browser, log in to ZyWALL by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234.
  2. Go to SECURITY->VPN and press the Add button.
  3. Check the Active check box and give this policy a name.
  4. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, matching the settings on ZyWALL B.
  5. Check Enable Extended Authentication and select Server Mode.
  6. In Local Policy, enter LAN 1's IP address and subnet mask.
  7. In Remote Policy, enter LAN 2's IP address and subnet mask.
  8. My IP Addr is the WAN IP of ZyWALL A.
  9. Secure Gateway IP Addr is the remote secure gateway's IP, that is, ZyWALL B's WAN IP in this example.
  10. Set Encapsulation Mode to Tunnel.
  11. Check the ESP check box. (AH cannot be used when SUA/NAT is in use, because AH authenticates the IP header that NAT rewrites.)
  12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, matching the settings on ZyWALL B.
  13. Enter the key string 12345678 in the Preshared Key text box and click Apply.

Set the Phase 1 and Phase 2 parameters on the Advanced page.

14. Go to SECURITY->AUTH SERVER

In the Local User Database, configure the user name and password you want to assign to each remote VPN user. Note that ZyWALL uses the same database for xAuth and WLAN 802.1x.

Alternatively, configure the RADIUS server's IP address so that the user name and password are forwarded to the external RADIUS server.
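The forwarding described in the xAuth overview above and configured in this step is plain RADIUS (RFC 2865). As an added illustration that is not part of the original article and not ZyXEL code, the following Python builds the Access-Request an xAuth server would send to its RADIUS server, hides the User-Password the way the RFC specifies, and verifies the Access-Accept that comes back. The shared secret, user name and password are constructed sample values; the NAS-IP-Address is ZyWALL A's WAN address from the topology above. It shows why the RADIUS shared secret and the path between ZyWALL and the RADIUS server deserve the same care as the IPSec pre-shared key: User-Password hiding is only MD5-and-XOR keyed by that secret, and the reply is authenticated by nothing else.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types defined in RFC 2865.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

# Constructed sample values; a real deployment uses its own secret and users.
SHARED_SECRET = b"constructed-radius-secret"
NAS_IP = "202.132.154.1"  # ZyWALL A's WAN address from the example topology


def encode_user_password(secret, authenticator, password):
    """Hide a password as RFC 2865 section 5.2 specifies.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), the first block using the
    16-byte Request Authenticator in place of a previous block.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def decode_user_password(secret, authenticator, hidden):
    """Undo encode_user_password; this is what the RADIUS server computes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    """One type-length-value attribute; length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, username, password, nas_ip, identifier=1, authenticator=None):
    """Build the Access-Request an xAuth server sends to its RADIUS server."""
    if authenticator is None:
        authenticator = os.urandom(16)  # fresh per request, as RFC 2865 requires
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, encode_user_password(secret, authenticator, password.encode()))
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {attribute type: value bytes} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_accept(secret, request):
    """Server reply with no attributes. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + auth


def verify_response(secret, request_authenticator, response):
    """Client-side check that the reply was produced by a holder of the secret
    for this exact request; a forged or replayed Accept fails here."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_access_request(SHARED_SECRET, "vpnuser1", "s3cret", NAS_IP)
    print(req.hex())
    print(verify_response(SHARED_SECRET, req[4:20], build_access_accept(SHARED_SECRET, req)))
```

A fixed authenticator is used only in the tests so that results are reproducible; in operation it must be random for every request, since the User-Password hiding derives its first mask from it.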

2. Setup ZyWALL B (Client)

  1. Using a web browser, log in to ZyWALL by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234.
  2. Go to SECURITY->VPN and press the Add button.
  3. Check the Active check box and give this policy a name.
  4. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, matching the settings on ZyWALL A.
  5. Check Enable Extended Authentication, select Client Mode, and enter the user name and password.
  6. In Local Policy, enter LAN 2's IP address and subnet mask.
  7. In Remote Policy, enter LAN 1's IP address and subnet mask.
  8. My IP Addr is the WAN IP of ZyWALL B.
  9. Secure Gateway IP Addr is the remote secure gateway's IP, that is, ZyWALL A's WAN IP in this example.
  10. Set Encapsulation Mode to Tunnel.
  11. Check the ESP check box. (AH cannot be used when SUA/NAT is in use, because AH authenticates the IP header that NAT rewrites.)
  12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, matching the settings on ZyWALL A.
  13. Enter the key string 12345678 in the Preshared Key text box and click Apply.

Check the Phase 1 and Phase 2 parameters by pressing the Advanced button.