ZyXEL Communications P-334WT Support Notes page 37

Transport mode is mainly used by an IP host to protect the data it generates locally, while tunnel mode is used by a security gateway to provide IPSec
service to other machines that lack IPSec capability.
In this case, transport mode protects only the upper-layer protocols of the IP payload (user data). Tunnel mode protects the entire original IP
packet, including its header and user data, which becomes the payload of a new outer IP packet.
There is no requirement that the IPSec host and the security gateway be separate machines. Both IPSec protocols, AH and ESP, can
operate in either transport mode or tunnel mode.
9. What is SA?
A Security Association (SA) is a contract between two parties indicating which security parameters, such as keys and algorithms, they will
use.
10. What is IKE?
IKE is short for Internet Key Exchange. The Key Management setting lets you choose whether to use IKE (ISAKMP) or manual key
configuration to set up a VPN.
Every IKE negotiation has two phases: phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA, and
phase 2 uses that SA to negotiate the SAs for IPSec.
11. What is Pre-Shared Key?
A pre-shared key identifies a communicating party during the phase 1 IKE negotiation. It is called 'pre-shared' because you have to share it
with the other party before you can communicate with them over a secure connection.
12. What are the differences between IKE and manual key VPN?
The only difference between IKE and manual key is how the encryption keys and SPIs are determined.
With an IKE VPN, the keys and SPIs are negotiated between the two VPN gateways, which then use the
negotiated keys and SPIs to send packets between the two networks.
With a manual key VPN, the encryption key, the authentication key (if needed) and the SPIs are set in advance by the administrator when
configuring the security association.
IKE is more secure than manual key because an IKE negotiation can generate fresh, random keys and SPIs for the VPN connection.
13. What is Phase 1 ID for?
In IKE phase 1 negotiation, the IP address of the remote peer is used to decide which VPN rule must serve the
incoming request. However, in some deployments the remote VPN box or client software uses an IP address assigned dynamically by the ISP,
so the P-334WT needs additional information to make the decision. This additional information is what we call the phase 1 ID. The IKE
payload carries local and peer ID fields for this purpose.
14. What is FQDN?
FQDN (Fully Qualified Domain Name) is one of the Phase 1 ID types defined by the IKE standard.
As mentioned above, the Phase 1 ID identifies each VPN peer. The Phase 1 ID type may be IP, FQDN (DNS) or User FQDN (E-mail),
and the content of the Phase 1 ID depends on its type. The following is an example of how to configure the phase 1 ID.
ID type   Content
------------------------------------
IP        202.132.154.1
DNS       www.zyxel.com
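The following Python sketch illustrates questions 13 and 14: how a gateway can classify a configured Phase 1 ID into the IKE ID types (IP, FQDN, User FQDN) and how a peer with a dynamic address is matched to a VPN rule by its Phase 1 ID rather than by source IP. It is an added example written for this page, not P-334WT firmware or ZyXEL code; the rule table, the dynamic peer addresses and the "alice@example.com" identity are constructed sample data, and the numeric ID type values are the ISAKMP identification types from RFC 2407.

```python
"""Phase 1 ID classification and VPN rule selection.

Added illustration only (not ZyXEL code).  The rule table and the
addresses/identities used below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ISAKMP identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1   # "IP" in the manual's table
ID_FQDN = 2        # "DNS" in the manual's table
ID_USER_FQDN = 3   # "User FQDN (E-mail)" in the manual's text


def classify_phase1_id(content: str) -> int:
    """Return the Phase 1 ID type implied by a configured ID string.

    An IPv4 literal is ID_IPV4_ADDR, an e-mail style 'user@host' string is
    ID_USER_FQDN and anything else is treated as a DNS name (ID_FQDN).
    """
    try:
        ipaddress.IPv4Address(content)
        return ID_IPV4_ADDR
    except ValueError:
        pass
    if "@" in content:
        return ID_USER_FQDN
    return ID_FQDN


@dataclass(frozen=True)
class VpnRule:
    name: str
    peer_ip: Optional[str]  # None: peer address is assigned dynamically
    peer_id: str            # Phase 1 ID the peer must present


# Constructed sample rule table
RULES: List[VpnRule] = [
    VpnRule("branch-static", "202.132.154.1", "202.132.154.1"),
    VpnRule("branch-dynamic", None, "www.zyxel.com"),
    VpnRule("roadwarrior", None, "alice@example.com"),
]


def select_rule(source_ip: str, presented_id: str,
                rules: List[VpnRule] = RULES) -> Optional[VpnRule]:
    """Pick the VPN rule that serves an incoming phase 1 request.

    Rules with a fixed peer address are matched on the packet's source IP,
    and the presented ID must still agree with the rule.  Rules for peers
    with dynamic addresses cannot use the source IP, so they are matched on
    the Phase 1 ID (type and content) alone.  None means no rule applies.
    """
    presented_type = classify_phase1_id(presented_id)

    # Static peers: source address is the primary selector
    for rule in rules:
        if rule.peer_ip is not None and rule.peer_ip == source_ip:
            if rule.peer_id == presented_id:
                return rule
            return None  # known address but wrong identity: reject

    # Dynamic peers: only the Phase 1 ID can identify the requester
    for rule in rules:
        if (rule.peer_ip is None
                and classify_phase1_id(rule.peer_id) == presented_type
                and rule.peer_id == presented_id):
            return rule
    return None


if __name__ == "__main__":
    for src, pid in [("202.132.154.1", "202.132.154.1"),
                     ("10.9.8.7", "www.zyxel.com"),
                     ("10.9.8.7", "alice@example.com"),
                     ("10.9.8.7", "unknown.example.net")]:
        rule = select_rule(src, pid)
        print(f"{src:15} {pid:22} -> {rule.name if rule else 'no rule'}")
```

The point of the two-pass lookup is the one the manual makes: when the remote peer's address changes, the Phase 1 ID is the only stable selector, so every rule for a dynamic peer must carry a distinct ID, and a request whose ID matches no rule is simply not served.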
