Ike Sa Overview; Figure 201 Vpn: Ike Sa And Ipsec Sa - ZyXEL Communications ZYWALL 35 User Manual

Chapter 18 IPSec VPN
A VPN tunnel is usually established in two phases. Each phase establishes a security
association (SA), a contract indicating what security parameters the ZyWALL and the remote
IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between
the ZyWALL and remote IPSec router. The second phase uses the IKE SA to securely
establish an IPSec SA through which the ZyWALL and remote IPSec router can send data
between computers on the local network and remote network. The following figure illustrates
this.

Figure 201 VPN: IKE SA and IPSec SA

In this example, a computer in network A is exchanging data with a computer in network B.
Inside networks A and B, the data is transmitted the same way data is normally transmitted in
the networks. Between routers X and Y, the data is protected by tunneling, encryption,
authentication, and other security features of the IPSec SA. The IPSec SA is established
securely using the IKE SA that routers X and Y established first.
The rest of this section discusses IKE SA and IPSec SA in more detail.

18.1.1 IKE SA Overview

The IKE SA provides a secure connection between the ZyWALL and remote IPSec router.
It takes several steps to establish an IKE SA. The negotiation mode determines the number of
steps to use. There are two negotiation modes--main mode and aggressive mode. Main mode
provides better security, while aggressive mode is faster.
Both routers must use the same negotiation mode.
These modes are discussed in more detail in
in various examples in the rest of this section.
18.1.1.1 IP Addresses of the ZyWALL and Remote IPSec Router
In the ZyWALL, you have to specify the IP addresses of the ZyWALL and the remote IPSec
router to establish an IKE SA.
352
Section 18.3.1.4 on page
ZyWALL 5/35/70 Series User's Guide
359. Main mode is used