Ipsec Sa Overview - ZyXEL Communications ZYWALL USG 20 Manual

Unified security gateway

Certificates
It is possible for the ZyWALL and remote IPSec router to authenticate each other
with certificates. In this case, you do not have to set up the pre-shared key, local
identity, or remote identity because the certificates provide this information
instead.
• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check
the signatures on each other's certificates. Unlike pre-shared keys, the
signatures do not have to match.
• The local and peer ID type and content come from the certificates.
Note: You must set up the certificates for the ZyWALL and remote IPSec router first.

IPSec SA Overview

Once the ZyWALL and remote IPSec router have established the IKE SA, they can
securely negotiate an IPSec SA through which to send data between computers on
the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available
anymore.
This section introduces the key components of an IPSec SA.
Local Network and Remote Network
In an IPSec SA, the local network, the one(s) connected to the ZyWALL, may be
called the local policy. Similarly, the remote network, the one(s) connected to the
remote IPSec router, may be called the remote policy.
Active Protocol
The active protocol controls the format of each packet. It also specifies how much
of each packet is protected by the encryption and authentication algorithms. IPSec
VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP
(Encapsulating Security Payload, RFC 2406).
Note: The ZyWALL and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is
better suited to use with NAT.
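The following added example (not from the ZyXEL manual) models how much of each packet the two active protocols authenticate, and why a NAT address rewrite breaks AH but not ESP. It is a simplified model: the key, addresses and SPI values are constructed, ESP encryption and the ESP trailer are omitted, and the payload stands in for ciphertext.

```python
import hmac, hashlib, struct, socket

KEY = b"constructed-demo-key"   # constructed sample key, not from the manual

def ipv4_header(src, dst, proto, payload_len, ttl=64):   # 20 bytes, checksum left 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):   # HMAC-SHA1 truncated to 96 bits (HMAC-SHA1-96)
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv_input(ip_hdr, ah_fixed, payload):
    """AH authenticates the outer IP header too; mutable fields are zeroed first."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0       # TOS and TTL change in transit
    h[6:8] = b"\0\0"      # flags + fragment offset
    h[10:12] = b"\0\0"    # header checksum
    return bytes(h) + ah_fixed + b"\0" * 12 + payload    # ICV field zeroed

def build_ah(src, dst, payload, spi=0x1001, seq=1):
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, spi, seq)  # next hdr, len, rsvd, SPI, seq
    ip = ipv4_header(src, dst, 51, len(ah_fixed) + 12 + len(payload))
    return ip, ah_fixed, icv(ah_icv_input(ip, ah_fixed, payload)), payload

def verify_ah(ip, ah_fixed, tag, payload):
    return hmac.compare_digest(tag, icv(ah_icv_input(ip, ah_fixed, payload)))

def build_esp(src, dst, ciphertext, spi=0x2001, seq=1):
    esp = struct.pack("!II", spi, seq) + ciphertext      # ESP header + payload
    ip = ipv4_header(src, dst, 50, len(esp) + 12)
    return ip, esp, icv(esp)                             # ICV excludes the IP header

def verify_esp(ip, esp, tag):
    return hmac.compare_digest(tag, icv(esp))

def nat_rewrite_src(ip_hdr, new_src):
    """What a NAT device does to the outer header: replace the source address."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]

def demo():
    data = b"constructed payload"
    ip, ah, tag, p = build_ah("192.168.1.33", "203.0.113.7", data)
    ah_ok_before = verify_ah(ip, ah, tag, p)
    ah_ok_after = verify_ah(nat_rewrite_src(ip, "198.51.100.2"), ah, tag, p)
    ip2, esp, tag2 = build_esp("192.168.1.33", "203.0.113.7", data)
    esp_ok_after = verify_esp(nat_rewrite_src(ip2, "198.51.100.2"), esp, tag2)
    return ah_ok_before, ah_ok_after, esp_ok_after   # (True, False, True)

if __name__ == "__main__": print(demo())
```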
ZyWALL USG 20/20W User's Guide
Chapter 23 IPSec VPN


This manual is also suitable for:

ZyWALL USG 20W, ZyWALL USG 2000
