Encapsulation; Ipsec Sa Proposal And Perfect Forward Secrecy; Figure 179 Vpn: Transport And Tunnel Mode Encapsulation - ZyXEL Communications ZyWall 5 Series User Manual

Internet security appliance

Hide thumbs Also See for ZyWall 5 Series:

Table of Contents

Usually, you should select ESP. AH does not support encryption, and ESP is more suitable

18.6.0.3 Encapsulation

There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is

more secure. Transport mode is only used when the IPSec SA is used for communication

between the ZyWALL and remote IPSec router (for example, for remote management), not

between computers on the local and remote networks.

Note: The ZyWALL and remote IPSec router must use the same encapsulation.

These modes are illustrated below.

Transport Mode Packet

Tunnel Mode Packet

In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a

result, there are two IP headers:

• Outside header: The outside IP header contains the IP address of the ZyWALL or remote

IPSec router, whichever is the destination.

• Inside header: The inside IP header contains the IP address of the computer behind the

ZyWALL or remote IPSec router. The header for the active protocol (AH or ESP)

appears between the IP headers.

In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL

includes part of the original IP header when it encapsulates the packet. With ESP, however,

the ZyWALL does not include the IP header when it encapsulates the packet, so it is not

possible to verify the integrity of the source IP address.

An IPSec SA proposal is similar to an IKE SA proposal (see

except that you also have the choice whether or not the ZyWALL and remote IPSec router

perform a new DH key exchange every time an IPSec SA is established. This is called Perfect

Forward Secrecy (PFS).

Chapter 18 IPSec VPN

Original Packet

ZyWALL 5/35/70 Series User's Guide

Section 18.3.1 on page

Zywall 70 series Zywall 35 series