Table of Contents
Advertisement
Chapter 13 IPSec
13.1.2 What You Need to Know
A VPN tunnel is usually established in two phases. Each phase establishes a
security association (SA), a contract indicating what security parameters the
ZyXEL Device and the remote IPSec router will use. The first phase establishes an
Internet Key Exchange (IKE) SA between the ZyXEL Device and remote IPSec
router. The second phase uses the IKE SA to securely establish an IPSec SA
through which the ZyXEL Device and remote IPSec router can send data between
computers on the local network and remote network. The following figure
illustrates this.
Figure 75 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in
network B. Inside networks A and B, the data is transmitted the same way data is
normally transmitted in the networks. Between routers X and Y, the data is
protected by tunneling, encryption, authentication, and other security features of
the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X
and Y established first.
Remote IPSec Gateway Address
Remote IPSec Gateway Address is the WAN IP address or domain name of the
remote IPSec router (secure gateway).
If the remote secure gateway has a static WAN IP address, enter it in the Remote
IPSec Gateway Address field. You may alternatively enter the remote secure
gateway's domain name (if it has one) in the Remote IPSec Gateway Address
field.
You can also enter a remote secure gateway's domain name in the Remote IPSec
Gateway Address field if the remote secure gateway has a dynamic WAN IP
address and is using DDNS. The ZyXEL Device has to rebuild the VPN tunnel each
time the remote secure gateway's WAN IP address changes (there may be a delay
until the DDNS servers are updated with the remote gateway's new WAN IP
address).
178
A
X
IPSec SA
Y
IKE SA
B
P-660HN-51 User's Guide
Hide quick links:
Advertisement
Table of Contents
