ZyXEL Communications USG40 User Manual page 566


• Instead of using the pre-shared key, the ZyWALL/USG and remote IPSec router check the
signatures on each other's certificates. Unlike pre-shared keys, the signatures do not have to
match.
• The local and peer ID type and content come from the certificates.
Note: You must set up the certificates for the ZyWALL/USG and remote IPSec router first.
IPSec SA Overview
Once the ZyWALL/USG and remote IPSec router have established the IKE SA, they can securely
negotiate an IPSec SA through which to send data between computers on the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available
anymore.
This section introduces the key components of an IPSec SA.
Local Network and Remote Network
In an IPSec SA, the local network, the one(s) connected to the ZyWALL/USG, may be called the
local policy. Similarly, the remote network, the one(s) connected to the remote IPSec router, may
be called the remote policy.
Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each packet is
protected by the encryption and authentication algorithms. IPSec VPN includes two active
protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC
2406).
Note: The ZyWALL/USG and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT because AH's integrity check covers the IP header addresses that a NAT device rewrites, whereas ESP's does not.
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more
secure. Transport mode is only used when the IPSec SA is used for communication between the
ZyWALL/USG and remote IPSec router (for example, for remote management), not between
computers on the local and remote networks.
Note: The ZyWALL/USG and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
Figure 388 VPN: Transport and Tunnel Mode Encapsulation (Chapter 29 IPSec VPN, ZyWALL/USG Series User's Guide, page 566)
[Figure not reproduced; panel contents recoverable from the page:]
Original Packet: IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
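The header layouts behind the active protocol and encapsulation choices above, as an added example that is not part of the ZyXEL guide: it builds the on-the-wire layout for each AH/ESP and transport/tunnel combination, marks which segments the cipher and the integrity check cover, and checks why only ESP survives a NAT device rewriting the outer IP header. The Segment model, function names and the simplified treatment of AH's mutable-field handling are this example's own assumptions, not the device's implementation.

```python
# Added example (not from the ZyXEL guide): IPsec packet layouts for the
# AH/ESP and transport/tunnel combinations described in this section.
from dataclasses import dataclass
from typing import List

AH, ESP = "AH", "ESP"
TRANSPORT, TUNNEL = "transport", "tunnel"

@dataclass(frozen=True)
class Segment:
    name: str
    encrypted: bool       # covered by the ESP cipher (AH never encrypts)
    authenticated: bool   # covered by the integrity check value (ICV)

def encapsulate(mode: str, protocol: str) -> List[Segment]:
    """Ordered on-the-wire layout of a TCP/IP packet protected by one IPsec SA."""
    if mode not in (TRANSPORT, TUNNEL) or protocol not in (AH, ESP):
        raise ValueError(f"unsupported combination: {mode}/{protocol}")
    enc = protocol == ESP
    # AH's ICV covers the outermost IP header (mutable fields zeroed); ESP's does not.
    outer_ip_auth = protocol == AH
    payload = [Segment("TCP Header", enc, True), Segment("Data", enc, True)]
    if mode == TUNNEL:
        # Tunnel mode hides the original IP header inside the protected payload,
        # behind a new outer header addressed to the peer IPsec router.
        payload = [Segment("IP Header (original)", enc, True)] + payload
    outer_name = "IP Header (outer)" if mode == TUNNEL else "IP Header"
    layout = [Segment(outer_name, False, outer_ip_auth),
              Segment(f"{protocol} Header", False, True)] + payload
    if protocol == ESP:
        # ESP appends an encrypted trailer (padding, next-header) and a trailing ICV.
        layout += [Segment("ESP Trailer", True, True), Segment("ESP ICV", False, False)]
    return layout

def survives_nat(layout: List[Segment]) -> bool:
    """NAT rewrites addresses in the outermost IP header; the SA survives only if
    that header lies outside the integrity check, which is why ESP suits NAT."""
    return not layout[0].authenticated

def render(layout: List[Segment]) -> str:
    return " | ".join(s.name + (" [enc]" if s.encrypted else "") for s in layout)

if __name__ == "__main__":
    for mode in (TRANSPORT, TUNNEL):
        for proto in (AH, ESP):
            lay = encapsulate(mode, proto)
            print(f"{mode:9} {proto}: {render(lay)}  NAT ok: {survives_nat(lay)}")
```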
