Local Network And Remote Network; Active Protocol; Encapsulation; Figure 77 Vpn: Transport And Tunnel Mode Encapsulation - ZyXEL Communications P-793H User Manual

Note: An IPSec SA stays connected even if the underlying IKE SA is not available
anymore.
This section introduces the key components of IPSec SA.

11.1.3.1 Local Network and Remote Network

In IPSec SA terminology, the local network, the one(s) connected to the ZyXEL Device, may
be called the local policy. Similarly, the remote network, the one(s) connected to the remote
IPSec router, may be called the remote policy.

11.1.3.2 Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).
Note: The ZyXEL Device and remote IPSec router must use the same active
protocol. ESP is recommended.
ESP is recommended because AH does not support encryption and ESP is more suitable with
NAT. Use AH only if the remote IPSec router does not support ESP.

11.1.3.3 Encapsulation

There are two ways to encapsulate packets. These modes are illustrated below.

Figure 77 VPN: Transport and Tunnel Mode Encapsulation

Transport Mode Packet
Tunnel Mode Packet
In tunnel mode, the ZyXEL Device encapsulates the entire IP packet. As a result, there are two
IP headers, as well as the header for the active protocol.
• Outside header: The outside IP header contains the IP addresses of the ZyXEL Device
and remote IPSec router.
• AH/ESP header: The header for the active protocol encapsulates the original packet.
Chapter 11 IPSec VPN
Original Packet IP Header
IP Header
IP Header
TCP Data
Header
AH/ESP TCP
Header Header
AH/ESP IP Header
Header
P-793H User's Guide
Data
TCP Data
Header
161