K08. What Is Ipsec; K10. What Is Pre-Shared Key - ZyXEL Communications ZyWall 35 Support Notes


ZyWALL 35 Support Notes

K08. What is IPSec?

IPSec is a set of IP extensions developed by the IETF (Internet Engineering Task Force) to provide security
services compatible with the existing IP standard (IPv4) and also the upcoming one (IPv6). In addition,
IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP, and ICMP. IPSec
provides cryptographic security services. These services allow for authentication, integrity, access control,
and confidentiality. IPSec allows the information exchanged between remote sites to be encrypted and
verified. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you
have so many options, IPSec is truly the most extensible and complete network security solution.
What secure protocols does IPSec support?
IPSec provides two protocols: AH (Authentication Header, protocol number 51)
and ESP (Encapsulating Security Payload, protocol number 50).
What are the differences between 'Transport mode' and 'Tunnel mode'?
The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the
upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data
it generates locally, while tunnel mode is for a security gateway to provide IPSec service for other machines
that lack IPSec capability.
In this case, transport mode only protects the upper-layer protocols of the IP payload (user data). Tunnel
mode protects the entire IP payload including user data.
There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both
IPSec protocols, AH and ESP, can operate in either transport mode or tunnel mode.
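
The following is an added example, not part of the ZyXEL support notes. It reads the IPv4 protocol number to tell AH (51) from ESP (50) and, for AH, uses the Next Header byte to tell tunnel mode from transport mode. The SPI and Next Header fields come from the standard AH/ESP header layouts, which this note does not describe; the addresses and packets are constructed sample data.

```python
import struct

IPPROTO_IPIP, IPPROTO_IPV6, IPPROTO_ESP, IPPROTO_AH = 4, 41, 50, 51

def build_ipv4(proto, src, dst, payload):
    """Constructed sample: minimal 20-byte IPv4 header (checksum 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def classify(packet):
    """Describe the IPSec protection visible on one IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_ESP:
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", body[:8])
        # ESP keeps its Next Header byte in the encrypted trailer, so an
        # observer cannot tell transport mode from tunnel mode.
        return {"protocol": "ESP", "spi": spi, "seq": seq, "mode": "hidden"}
    if proto == IPPROTO_AH:
        if len(body) < 12:
            raise ValueError("truncated AH header")
        nxt, _len, _rsv, spi, seq = struct.unpack("!BBHII", body[:12])
        # An inner IP header (IPv4 = 4, IPv6 = 41) means the whole original
        # packet was wrapped: tunnel mode. Anything else is transport mode.
        mode = "tunnel" if nxt in (IPPROTO_IPIP, IPPROTO_IPV6) else "transport"
        return {"protocol": "AH", "spi": spi, "seq": seq, "mode": mode}
    return {"protocol": "none", "spi": None, "seq": None, "mode": None}

# Constructed samples (documentation addresses, zeroed integrity values).
GW_A, GW_B = (192, 0, 2, 1), (198, 51, 100, 1)
ICV = b"\x00" * 12
INNER = build_ipv4(17, (10, 0, 0, 5), (10, 1, 0, 9), b"\x00" * 8)
AH_TUNNEL = build_ipv4(IPPROTO_AH, GW_A, GW_B,
                       struct.pack("!BBHII", 4, 4, 0, 0x1001, 1) + ICV + INNER)
AH_TRANSPORT = build_ipv4(IPPROTO_AH, GW_A, GW_B,
                          struct.pack("!BBHII", 6, 4, 0, 0x1002, 7) + ICV + b"\x00" * 20)
ESP_PKT = build_ipv4(IPPROTO_ESP, GW_A, GW_B,
                     struct.pack("!II", 0x2001, 3) + b"\xaa" * 32)

if __name__ == "__main__":
    for name, pkt in [("AH tunnel", AH_TUNNEL), ("AH transport", AH_TRANSPORT),
                      ("ESP", ESP_PKT), ("plain UDP", INNER)]:
        print(name, classify(pkt))
```
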

K09. What is SA?

A Security Association (SA) is a contract between two parties indicating what security parameters, such
as keys and algorithms, they will use.
What is IKE?
IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE
(ISAKMP) or manual key configuration to set up a VPN.
There are two phases in every IKE negotiation: phase 1 (Authentication) and phase 2 (Key Exchange).
Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.

K10. What is Pre-Shared Key?

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called
'Pre-shared' because you have to share it with another party before you can communicate with them over
a secure connection.
All contents copyright (c) 2006 ZyXEL Communications Corporation.
