Figure 81 Vpn: Transport And Tunnel Mode Encapsulation - ZyXEL Communications G.SHDSL.bis 4-port Security Gateway P-793H User Manual

An IPSec SA stays connected even if the underlying IKE SA is not available
anymore.
This section introduces the key components of IPSec SA.
11.1.3.1 Local Network and Remote Network
In IPSec SA terminology, the local network, the one(s) connected to the ZyXEL Device, may
be called the local policy. Similarly, the remote network, the one(s) connected to the remote
IPSec router, may be called the remote policy.
11.1.3.2 Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).
The ZyXEL Device and remote IPSec router must use the same active
protocol. ESP is recommended.
ESP is recommended because AH does not support encryption and ESP is more suitable with
NAT. Use AH only if the remote IPSec router does not support ESP.
11.1.3.3 Encapsulation
There are two ways to encapsulate packets. These modes are illustrated below.

Figure 81 VPN: Transport and Tunnel Mode Encapsulation

Original Packet
Transport Mode Packet
Tunnel Mode Packet
In tunnel mode, the ZyXEL Device encapsulates the entire IP packet. As a result, there are two
IP headers, as well as the header for the active protocol.
• Outside header: The outside IP header contains the IP addresses of the ZyXEL Device and
remote IPSec router.
• AH/ESP header: The header for the active protocol encapsulates the original packet.
P-793H User's Guide
IP Header TCP Data
Header
IP Header AH/ESP TCP
Header Header
IP Header AH/ESP IP Header
Header
Chapter 11 IPSec VPN
Data
TCP Data
Header
159