What You Need To Know About Ipsec Vpn - ZyXEL Communications ZyWall USG 2000 User Manual

Chapter 21 IPSec VPN
• Use the VPN Gateway screens (see
the ZyWALL's VPN gateways. A VPN gateway specifies the IPSec routers at
either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can
also activate and deactivate each VPN gateway.
• Use the VPN Concentrator screens (see
several IPSec VPN connections into a single secure network.
• Use the SA Monitor screen (see
manage the active IPSec SAs.

21.1.2 What You Need to Know About IPSec VPN

An IPSec VPN tunnel is usually established in two phases. Each phase establishes
a security association (SA), a contract indicating what security parameters the
ZyWALL and the remote IPSec router will use. The first phase establishes an
Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.
The second phase uses the IKE SA to securely establish an IPSec SA through
which the ZyWALL and remote IPSec router can send data between computers on
the local network and remote network. This is illustrated in the following figure.
Figure 210 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in
network B. Inside networks A and B, the data is transmitted the same way data is
normally transmitted in the networks. Between routers X and Y, the data is
protected by tunneling, encryption, authentication, and other security features of
the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE
SA first.
330
Section 21.2.1 on page
Section 21.4 on page
Section 21.5 on page
ZyWALL USG 2000 User's Guide
334) to manage
354) to combine
357) to display and