Active Protocol; Encapsulation; Figure 201 Vpn: Transport And Tunnel Mode Encapsulation - ZyXEL Communications ZyXEL ZyWALL 2WG User Manual

Internet security appliance

Chapter 14 IPSec VPN

14.6.3 Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).
The ZyWALL and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable
for use with NAT.

14.6.4 Encapsulation

There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is
more secure. Transport mode is only used when the IPSec SA is used for communication
between the ZyWALL and remote IPSec router (for example, for remote management), not
between computers on the local and remote networks.
The ZyWALL and remote IPSec router must use the same encapsulation.
These modes are illustrated below.

Figure 201 VPN: Transport and Tunnel Mode Encapsulation

Original Packet: IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data

In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a
result, there are two IP headers:
• Outside header: The outside IP header contains the IP address of the ZyWALL or remote
IPSec router, whichever is the destination.
• Inside header: The inside IP header contains the IP address of the computer behind the
ZyWALL or remote IPSec router. The header for the active protocol (AH or ESP) appears
between the IP headers.
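The three layouts in Figure 201, built and then recovered by following each header's protocol field, as an added example that is not from the ZyXEL manual. It uses AH because its Next Header field is readable on the wire; the addresses, SPI and helper names (ip_hdr, ah_hdr, layout) are constructed for illustration.

```python
import socket
import struct

TCP, IPIP, ESP, AH = 6, 4, 50, 51  # IANA protocol numbers

def ip_hdr(src, dst, proto, payload):
    """20-byte IPv4 header in front of payload (checksum left at 0 in this sketch)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def ah_hdr(next_header, payload):
    """24-byte AH (RFC 2402) with a zeroed 96-bit ICV; Payload Len = 24/4 - 2 = 4."""
    return struct.pack("!BBHII12s", next_header, 4, 0, 0x1000, 1, b"\0" * 12) + payload

def layout(packet):
    """Return (header labels, mode) by following each header's protocol field."""
    labels, off, proto, mode = [], 0, IPIP, "no IPSec"
    while off < len(packet):
        if proto == IPIP:
            src, dst = (socket.inet_ntoa(packet[off + i:off + i + 4]) for i in (12, 16))
            labels.append(f"IP {src}>{dst}")
            proto, off = packet[off + 9], off + (packet[off] & 0x0F) * 4
        elif proto == AH:
            labels.append("AH")
            proto, off = packet[off], off + (packet[off + 1] + 2) * 4
            mode = "tunnel" if proto == IPIP else "transport"
        elif proto == ESP:
            # ESP keeps its Next Header in the encrypted trailer, so the mode is not visible.
            labels.append("ESP")
            return labels, "hidden by encryption"
        else:
            labels.append("TCP + data" if proto == TCP else f"proto {proto}")
            break
    return labels, mode

# Constructed sample: a host behind one gateway sends TCP to a host behind the other.
tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 0x5002, 65535, 0, 0) + b"data"
original = ip_hdr("192.168.1.33", "192.168.2.10", TCP, tcp)
transport = ip_hdr("203.0.113.1", "198.51.100.1", AH, ah_hdr(TCP, tcp))
tunnel = ip_hdr("203.0.113.1", "198.51.100.1", AH, ah_hdr(IPIP, original))
esp = ip_hdr("203.0.113.1", "198.51.100.1", ESP, b"\0" * 48)  # opaque placeholder bytes

if __name__ == "__main__":
    for name, pkt in [("original", original), ("transport", transport),
                      ("tunnel", tunnel), ("esp", esp)]:
        print(name, *layout(pkt))
```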