ZyXEL Communications USG40 User Manual page 567

Figure 388 VPN: Transport and Tunnel Mode Encapsulation
Tunnel Mode Packet
In tunnel mode, the ZyWALL/USG uses the active protocol to encapsulate the entire IP packet. As a
result, there are two IP headers:
• Outside header: The outside IP header contains the IP address of the ZyWALL/USG or remote
IPSec router, whichever is the destination.
• Inside header: The inside IP header contains the IP address of the computer behind the ZyWALL/
USG or remote IPSec router. The header for the active protocol (AH or ESP) appears between the
IP headers.
In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL/USG
includes part of the original IP header when it encapsulates the packet. With ESP, however, the
ZyWALL/USG does not include the IP header when it encapsulates the packet, so it is not possible
to verify the integrity of the source IP address.
IPSec SA Proposal and Perfect Forward Secrecy
An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on page 561), except
that you also have the choice whether or not the ZyWALL/USG and remote IPSec router perform a
new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy
(PFS).
If you enable PFS, the ZyWALL/USG and remote IPSec router perform a DH key exchange every
time an IPSec SA is established, changing the root key from which encryption keys are generated.
As a result, if one encryption key is compromised, other encryption keys remain secure.
If you do not enable PFS, the ZyWALL/USG and remote IPSec router use the same root key that
was generated when the IKE SA was established to generate encryption keys.
The DH key exchange is time-consuming and may be unnecessary for data that does not require
such security.
PFS is ignored in initial IKEv2 authentication but is used when reauthenticating.
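To make the PFS trade-off concrete, the following added example (not from the ZyXEL guide) models IKEv2-style child SA key derivation with HMAC-SHA256 as the prf and a deliberately small toy DH group: an adversary who later obtains the IKE root key SK_d and the nonces can reproduce the IPSec SA keys of a rekey done without PFS, but not those of a PFS rekey, whose derivation also depends on an ephemeral DH secret that never appeared on the wire. The function names, the toy group and the sample values are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (Mersenne prime 2^127-1, generator 2);
# real IKE peers negotiate 2048-bit or larger MODP groups or ECDH groups.
P = (1 << 127) - 1
G = 2
P_BYTES = (P.bit_length() + 7) // 8

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ of RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

def dh_shared(x: int, peer_pub: int) -> bytes:
    """Shared secret g^ir from our private exponent and the peer's public value."""
    return pow(peer_pub, x, P).to_bytes(P_BYTES, "big")

def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir: bytes = b"") -> bytes:
    """IPSec SA key material (RFC 7296 section 2.17). Without PFS the root key
    SK_d and the nonces are all that feed the derivation; with PFS a fresh
    DH secret g^ir is mixed in first, so SK_d alone no longer determines the keys."""
    return prf_plus(sk_d, g_ir + ni + nr, 64)

def root_key_compromise(sk_d: bytes, ni: bytes, nr: bytes, xi: int, xr: int) -> dict:
    """Model an adversary who later learns SK_d and everything sent on the wire
    (nonces, DH public values) but not the ephemeral private exponents xi, xr."""
    g_ir = dh_shared(xi, pow(G, xr, P))              # only exists when PFS is on
    no_pfs_keys = child_sa_keymat(sk_d, ni, nr)
    pfs_keys = child_sa_keymat(sk_d, ni, nr, g_ir)
    replayed = child_sa_keymat(sk_d, ni, nr)         # all the adversary can compute
    return {"no_pfs_recovered": hmac.compare_digest(replayed, no_pfs_keys),
            "pfs_recovered": hmac.compare_digest(replayed, pfs_keys)}

if __name__ == "__main__":
    sk_d, ni, nr = secrets.token_bytes(32), secrets.token_bytes(16), secrets.token_bytes(16)
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    print(root_key_compromise(sk_d, ni, nr, xi, xr))
```

The extra cost the guide mentions is the modular exponentiation in `dh_shared`, paid on every IPSec SA rekey when PFS is enabled.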
Additional Topics for IPSec SA
This section provides more information about IPSec SA in your ZyWALL/USG.
Authentication and the Security Parameter Index (SPI)
For authentication, the ZyWALL/USG and remote IPSec router use the SPI, instead of pre-shared
keys, ID type and content. The SPI is an identification number.
Note: The ZyWALL/USG and remote IPSec router must use the same SPI.
NAT for Inbound and Outbound Traffic
The ZyWALL/USG can translate the following types of network addresses in IPSec SA.
[Figure 388 layout, tunnel mode packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data]
Chapter 29 IPSec VPN, ZyWALL/USG Series User's Guide, page 567