Ipsec Vpn Background Information - ZyXEL Communications ZYWALL USG 20 Manual

Unified security gateway

23.4 IPSec VPN Background Information

Here is some more detailed IPSec VPN background information.

IKE SA Overview
The IKE SA provides a secure connection between the ZyWALL and the remote IPSec
router.
It takes several steps to establish an IKE SA. The negotiation mode determines
how many. There are two negotiation modes: main mode and aggressive mode.
Main mode provides better security, while aggressive mode is faster.
Note: Both routers must use the same negotiation mode.
These modes are discussed in more detail in Negotiation Mode on page 419. Main
mode is used in various examples in the rest of this section.

IP Addresses of the ZyWALL and Remote IPSec Router
To set up an IKE SA, you have to specify the IP addresses of the ZyWALL and
remote IPSec router. You can usually enter a static IP address or a domain name
for either or both IP addresses. Sometimes, your ZyWALL might offer another
alternative, such as using the IP address of a port or interface, as well.
You can also specify the IP address of the remote IPSec router as 0.0.0.0. This
means that the remote IPSec router can have any IP address. In this case, only
the remote IPSec router can initiate an IKE SA because the ZyWALL does not
know the IP address of the remote IPSec router. This is often used for
telecommuters.

IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication
algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec
router use in the IKE SA. In main mode, this is done in steps 1 and 2, as
illustrated next.
Figure 245 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
One or more proposals, each one consisting of:
- encryption algorithm
- authentication algorithm
- Diffie-Hellman key group
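
The following is an added example, not code from the ZyWALL or its User's Guide. It checks one direction of an IKE SA setup against the three rules above: matching negotiation mode, the 0.0.0.0 initiation restriction, and a common proposal. The Gateway model, the algorithm names, the WEAK list and the rule that the first initiator proposal the responder also lists is the one agreed are assumptions of this example.

```python
from dataclasses import dataclass

WEAK = {"DES", "MD5", "DH1"}   # assumption: this example's own list of weak choices
ANY_ADDRESS = "0.0.0.0"        # from the text: the remote router can have any IP

@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    dh_group: str

@dataclass
class Gateway:                 # hypothetical model, not the ZyWALL's config format
    name: str
    negotiation_mode: str      # "main" or "aggressive"
    remote_address: str        # static IP, domain name, or 0.0.0.0
    proposals: list            # in order of preference

def check_ike_sa(initiator, responder):
    """Return (agreed proposal or None, list of findings) for one direction."""
    findings = []
    if initiator.negotiation_mode != responder.negotiation_mode:
        findings.append("negotiation mode mismatch")
    if initiator.remote_address == ANY_ADDRESS:
        findings.append(f"{initiator.name} cannot initiate: remote address unknown")
    # Assumption: the first initiator proposal the responder also lists is agreed.
    agreed = next((p for p in initiator.proposals if p in responder.proposals), None)
    if agreed is None:
        findings.append("no common proposal")
    else:
        weak = sorted(WEAK & {agreed.encryption, agreed.authentication, agreed.dh_group})
        if weak:
            findings.append("agreed proposal uses weak " + ", ".join(weak))
    return agreed, findings

# Constructed sample data: an office gateway that accepts telecommuters from any
# address, and a telecommuter whose first proposal is a legacy one.
PREFERRED = Proposal("AES128", "SHA1", "DH2")
LEGACY = Proposal("DES", "MD5", "DH1")
OFFICE = Gateway("office", "main", ANY_ADDRESS, [PREFERRED, LEGACY])
TELECOMMUTER = Gateway("telecommuter", "main", "vpn.example.com", [LEGACY, PREFERRED])

if __name__ == "__main__":
    for a, b in ((TELECOMMUTER, OFFICE), (OFFICE, TELECOMMUTER)):
        print(a.name, "->", b.name, check_ike_sa(a, b))
```

In the sample data the office gateway still lists the legacy proposal as a fallback, so under this example's selection rule the telecommuter's ordering decides the outcome. Removing the legacy entry on the office side leaves the preferred proposal as the only match.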
Chapter 23 IPSec VPN

This manual is also suitable for:

Zywall usg 20w, Zywall usg 2000
