Active Protocol; Encapsulation; Figure 166 Virtual Mapping Of Local And Remote Network Ip Addresses - ZyXEL Communications ZYWALL 2 PLUS User Manual

Internet security appliance

• On ZyWALL A, you specify 172.21.2.2 to 172.21.2.27 as the remote network. On
ZyWALL B, you specify 10.0.0.2 to 10.0.0.4 as the remote network.

Figure 166 Virtual Mapping of Local and Remote Network IP Addresses

Computers on network X use IP addresses 192.168.1.2 to 192.168.1.4 to access local network
devices and IP addresses 172.21.2.2 to 172.21.2.27 to access the remote network devices.
Computers on network Y use IP addresses 192.168.1.2 to 192.168.1.27 to access local
network devices and IP addresses 10.0.0.2 to 10.0.0.4 to access the remote network devices.

14.6.3 Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).
The ZyWALL and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable
for use with NAT.
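
What each protocol authenticates, as an added example that is not from the ZyXEL manual: a simplified Python model (not the real AH/ESP wire format) in which AH's integrity check value covers the outer IP addresses and ESP's does not, so a NAT rewrite of the source address breaks only AH. The key, the addresses 203.0.113.10 and 198.51.100.7, the SPI value and all function names are constructed for illustration.

```python
import hashlib, hmac, ipaddress, struct

AH, ESP = 51, 50                       # IP protocol numbers
KEY = b"constructed-demo-key"          # constructed sample key, not a real SA key

def ip_header(src, dst, proto, ttl=64):
    """Simplified 20-byte IPv4 header: no options, length and checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def icv(proto, header, body):
    """HMAC-SHA1-96 over the bytes each protocol authenticates (simplified)."""
    if proto == AH:
        h = bytearray(header)
        # Zero the fields routers may change: TOS, flags/fragment offset, TTL, checksum.
        h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
        covered = bytes(h) + body      # source and destination addresses stay covered
    else:
        covered = body                 # ESP: the outer IP header is not covered
    return hmac.new(KEY, covered, hashlib.sha1).digest()[:12]

def forward(header, nat_src=None):
    """Model one hop: decrement TTL and optionally rewrite the source address (NAT)."""
    h = bytearray(header)
    h[8] -= 1
    if nat_src:
        h[12:16] = ipaddress.IPv4Address(nat_src).packed
    return bytes(h)

def arrives_valid(proto, nat_src=None):
    """Sender computes the ICV, one hop forwards the packet, receiver re-checks it."""
    body = struct.pack("!II", 0x1000, 1) + b"constructed payload"  # SPI, sequence, data
    sent = ip_header("192.168.1.2", "203.0.113.10", proto)
    tag = icv(proto, sent, body)
    received = forward(sent, nat_src)
    return hmac.compare_digest(tag, icv(proto, received, body))

if __name__ == "__main__":
    for name, proto in (("AH", AH), ("ESP", ESP)):
        print(name, "plain hop:", arrives_valid(proto),
              "| NAT hop:", arrives_valid(proto, "198.51.100.7"))
```

The TTL decrement alone leaves both checks valid because AH zeroes mutable fields before hashing; only the address rewrite fails, and only for AH. ESP behind a port-translating NAT device still typically depends on NAT traversal (UDP encapsulation) being enabled on both IPSec routers.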

14.6.4 Encapsulation

There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is
more secure. Transport mode is only used when the IPSec SA is used for communication
between the ZyWALL and remote IPSec router (for example, for remote management), not
between computers on the local and remote networks.

ZyWALL 2 Plus User's Guide, Chapter 14 IPSec VPN, page 253
