Ipsec Sa Overview; Local Network And Remote Network; Active Protocol; Figure 154 Vpn: Ike Sa And Ipsec Sa - ZyXEL Communications ZyWALL 1050 User Manual


ZyWALL 1050 User's Guide

Figure 154 VPN: IKE SA and IPSec SA

In this example, a computer in network A is exchanging data with a computer in network B.
Inside networks A and B, the data is transmitted the same way data is normally transmitted in
the networks. Between routers X and Y, the data is protected by tunneling, encryption,
authentication, and other security features of the IPSec SA. The IPSec SA is secure because
routers X and Y established the IKE SA first.
The rest of this section discusses IKE SA and IPSec SA in more detail.

12.1.1 IPSec SA Overview

Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely
negotiate an IPSec SA through which to send data between computers on the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available
anymore.
This section introduces the key components of an IPSec SA.

12.1.1.1 Local Network and Remote Network

In an IPSec SA, the local network, the one(s) connected to the ZyWALL, may be called the local
policy. Similarly, the remote network, the one(s) connected to the remote IPSec router, may be
called the remote policy.

12.1.1.2 Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).
Note: The ZyWALL and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable
with NAT.
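
The following added example (not from the ZyXEL manual) models why ESP is more suitable with NAT: the AH integrity check covers the outer IP addresses, while the ESP check covers only the ESP header and payload. The key, addresses, SPI, and the HMAC-SHA1-96 transform are constructed assumptions, and the packet layout is simplified.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (checksum left at 0 in this simplified model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    """HMAC-SHA1 truncated to 96 bits (assumed integrity transform for this demo)."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_covered(ip_hdr, body):
    """AH input: IP header with mutable fields zeroed, followed by the body."""
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return bytes(h) + body  # source/destination addresses remain covered

def esp_covered(ip_hdr, body):
    """ESP input: ESP header and payload only; the outer IP header is excluded."""
    return body

def nat_rewrite(ip_hdr, new_src):
    """Model a NAT hop: replace the source address and decrement the TTL."""
    h = bytearray(ip_hdr)
    h[12:16] = socket.inet_aton(new_src)
    h[8] -= 1
    return bytes(h)

def survives_nat(covered, proto):
    """Return True if the receiver's integrity check still passes after NAT."""
    body = struct.pack("!II", 0x1000, 1) + b"constructed payload"  # SPI, seq, data
    sent = ipv4_header("192.168.1.10", "203.0.113.20", proto, len(body))
    tag = icv(covered(sent, body))                # sender computes the ICV
    received = nat_rewrite(sent, "198.51.100.5")  # NAT device on the path
    return hmac.compare_digest(tag, icv(covered(received, body)))

if __name__ == "__main__":
    print("AH  verifies after NAT:", survives_nat(ah_covered, 51))
    print("ESP verifies after NAT:", survives_nat(esp_covered, 50))
```
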
Chapter 12 IPSec VPN
