IPSec SA Proposal and Perfect Forward Secrecy; Additional IPSec VPN Topics - ZyXEL Communications X550N - V3.60 User Manual

X550N series wireless N gigabit router
In tunnel mode, the X550N uses the IPSec protocol to encapsulate the entire IP packet. As a result, there are two IP headers:
• Outside header: the outside IP header contains the IP address of the X550N or remote IPSec router, whichever is the destination.
• Inside header: the inside IP header contains the IP address of the computer behind the X550N or remote IPSec router.
The header for the IPSec protocol (AH or ESP) appears between the two IP headers.
In transport mode, the encapsulation depends on the IPSec protocol. With AH, the X550N includes part of the original IP header when it encapsulates the packet. With ESP, however, the X550N does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address.
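To make the point about source-address integrity concrete, the following Python script is an added example, not code from the ZyXEL manual or the X550N firmware. It models only which bytes each integrity check value (ICV) is computed over in AH transport mode, ESP transport mode and ESP tunnel mode, using a simplified three-field header, a constructed key, and constructed addresses and SPI/sequence values; it is not wire-format accurate. The check shows that a rewritten source address is detected under AH and under ESP tunnel mode (where the whole original packet sits inside the ESP payload) but not under ESP transport mode.

```python
"""Simplified model of what each IPsec integrity check value (ICV) covers.
Not wire-format accurate: only the coverage of the ICV is modelled, and the
key, addresses and SPI/sequence values are constructed for the demo."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

INTEGRITY_KEY = b"constructed-demo-integrity-key"  # a real SA carries a negotiated key


@dataclass
class IPPacket:
    src: str
    dst: str
    ttl: int          # changes hop by hop, so AH treats it as mutable
    payload: bytes


def ip_header(pkt: IPPacket, zero_mutable: bool = False) -> bytes:
    """Minimal IPv4-like header: TTL, source address, destination address."""
    ttl = 0 if zero_mutable else pkt.ttl
    return struct.pack("!B4s4s", ttl,
                       ipaddress.IPv4Address(pkt.src).packed,
                       ipaddress.IPv4Address(pkt.dst).packed)


def icv(data: bytes) -> bytes:
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).digest()


# AH transport mode: the ICV covers the immutable IP header fields and the
# payload, so the source address is authenticated.
def ah_protect(pkt: IPPacket) -> bytes:
    return icv(ip_header(pkt, zero_mutable=True) + pkt.payload)


def ah_verify(pkt: IPPacket, tag: bytes) -> bool:
    return hmac.compare_digest(ah_protect(pkt), tag)


# ESP transport mode: the ICV covers only the ESP header (SPI, sequence number)
# and the payload; the IP header in front of it is not authenticated.
def esp_protect(pkt: IPPacket, spi: int, seq: int) -> bytes:
    return icv(struct.pack("!II", spi, seq) + pkt.payload)


def esp_verify(pkt: IPPacket, spi: int, seq: int, tag: bytes) -> bool:
    return hmac.compare_digest(esp_protect(pkt, spi, seq), tag)


# ESP tunnel mode: the whole original packet (inner header included) becomes
# the ESP payload under a new outer header, so the inner source address is covered.
def esp_tunnel_encapsulate(inner, outer_src, outer_dst, spi, seq):
    outer = IPPacket(outer_src, outer_dst, ttl=64,
                     payload=ip_header(inner) + inner.payload)
    return outer, esp_protect(outer, spi, seq)


def esp_tunnel_decapsulate(outer, spi, seq, tag):
    """Return the inner packet, or None if the ICV does not verify."""
    if not esp_verify(outer, spi, seq, tag):
        return None
    ttl, src, dst = struct.unpack("!B4s4s", outer.payload[:9])
    return IPPacket(str(ipaddress.IPv4Address(src)),
                    str(ipaddress.IPv4Address(dst)), ttl, outer.payload[9:])


def spoof_detection() -> dict:
    """Constructed packet whose source address is rewritten in transit; the
    receiver re-checks the ICV in each mode. True means the change is detected."""
    original = IPPacket("10.0.0.5", "10.0.1.7", ttl=64, payload=b"hello")
    spoofed = IPPacket("192.0.2.99", "10.0.1.7", ttl=63, payload=b"hello")
    spi, seq = 0x1001, 1
    outer, tag = esp_tunnel_encapsulate(original, "203.0.113.1", "198.51.100.1", spi, seq)
    forged_outer = IPPacket(outer.src, outer.dst, outer.ttl,
                            ip_header(spoofed) + spoofed.payload)
    return {
        "ah_transport": not ah_verify(spoofed, ah_protect(original)),
        "esp_transport": not esp_verify(spoofed, spi, seq, esp_protect(original, spi, seq)),
        "esp_tunnel": esp_tunnel_decapsulate(forged_outer, spi, seq, tag) is None,
    }


if __name__ == "__main__":
    print(spoof_detection())
```

Note that AH zeroes the TTL before computing the ICV, so a packet whose TTL has been decremented by routers still verifies, while a changed source address does not; that is the "part of the original IP header" the text refers to.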

IPSec SA Proposal and Perfect Forward Secrecy

An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on page 184), except that you also choose whether or not the X550N and the remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).
If you enable PFS, the X550N and the remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which the encryption keys are generated. As a result, if one encryption key is compromised, the other encryption keys remain secure.
If you do not enable PFS, the X550N and the remote IPSec router generate the encryption keys from the same root key that was generated when the IKE SA was established.
The DH key exchange is time-consuming and may be unnecessary for data that does not require this level of security.
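As an added illustration of the two derivations (not from the manual or the X550N firmware), the Python below derives IPsec SA keys with HMAC-SHA256 as the prf in the shape IKEv2 uses for child SAs (RFC 7296, section 2.17: without PFS the key material comes from SK_d and the nonces, with PFS a fresh g^ir is mixed in). The DH group, root key, nonces and private exponents are constructed for the demo. It shows that without PFS the IPsec SA keys are a deterministic function of the IKE root key and the nonces, so whoever holds that root key can recompute them, while with PFS the fresh DH secret is also needed and every rekey yields new keys.

```python
"""Toy model of IPsec SA key derivation with and without PFS.  The shape follows
the IKEv2 child-SA derivation (RFC 7296, section 2.17):
    without PFS: KEYMAT = prf+(SK_d, Ni | Nr)
    with PFS:    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
The DH group, root key, nonces and exponents below are constructed for the demo."""
import hashlib
import hmac
from typing import Optional

# Constructed toy DH group: Mersenne prime 2^127-1 with generator 2.  Real
# deployments use the standardized MODP/ECP groups, not this.
P = (1 << 127) - 1
G = 2


def dh_public(private: int) -> int:
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> bytes:
    """g^ir as 16 big-endian bytes (P is below 2^127, so it always fits)."""
    return pow(peer_public, private, P).to_bytes(16, "big")


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13 with HMAC-SHA256:
    T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]


def child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes, dh_secret: Optional[bytes] = None):
    """Derive (initiator->responder key, responder->initiator key) for one IPsec SA.
    dh_secret is the fresh g^ir when PFS is on; None means only the IKE root key
    SK_d and the nonces feed the derivation."""
    keymat = prf_plus(sk_d, (dh_secret or b"") + ni + nr, 64)
    return keymat[:32], keymat[32:]


def pfs_comparison() -> dict:
    """Derive keys both ways and check what a party holding only SK_d (the IKE
    root key) and the nonces can recompute."""
    sk_d = hashlib.sha256(b"constructed IKE SA root key").digest()
    ni, nr = bytes(range(16)), bytes(range(16, 32))

    # Without PFS: SK_d and the nonces are the only inputs, so whoever holds
    # SK_d recomputes the IPsec SA keys exactly.
    no_pfs_keys = child_sa_keys(sk_d, ni, nr)
    recomputed_from_sk_d = child_sa_keys(sk_d, ni, nr)

    # With PFS: a fresh DH exchange per IPsec SA.  Fixed exponents keep the
    # demo deterministic; real peers draw them at random.
    xi, xr = 0x2F5A1C3E9D7B4A61, 0x7C18E3B5A9F24D07
    pub_i, pub_r = dh_public(xi), dh_public(xr)
    pfs_keys_initiator = child_sa_keys(sk_d, ni, nr, dh_shared(xi, pub_r))
    pfs_keys_responder = child_sa_keys(sk_d, ni, nr, dh_shared(xr, pub_i))

    # Next rekey with PFS: new exponents, same SK_d and (for the demo) same nonces.
    xi2, xr2 = 0x5E3D2C1B0A998877, 0x1122334455667788
    pfs_keys_next = child_sa_keys(sk_d, ni, nr, dh_shared(xi2, dh_public(xr2)))

    return {
        "no_pfs_recomputed_from_sk_d": recomputed_from_sk_d == no_pfs_keys,
        "pfs_peers_agree": pfs_keys_initiator == pfs_keys_responder,
        "pfs_recomputed_from_sk_d": child_sa_keys(sk_d, ni, nr) == pfs_keys_initiator,
        "pfs_rekey_gives_new_keys": pfs_keys_next != pfs_keys_initiator,
    }


if __name__ == "__main__":
    for name, value in pfs_comparison().items():
        print(f"{name}: {value}")
```

The extra modular exponentiations in the PFS branch are the cost the text mentions: on a real group they dominate the rekey, which is why PFS is a per-policy choice rather than always on.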

Additional IPSec VPN Topics

This section discusses other IPSec VPN topics that apply to IKE SAs, IPSec SAs, or both. Relationships between the topics are also highlighted.

SA Life Time

SAs have a lifetime that specifies how long the SA lasts before it times out. When an SA times out, the X550N automatically renegotiates the SA in the following situations:
• There is traffic when the SA lifetime expires
• The IPSec SA is configured on the X550N as nailed up (see below)
Otherwise, the X550N re-negotiates the SA the next time someone wants to send traffic.
Note: If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected.
X550N Series User's Guide, Chapter 15 IPSec VPN, page 189
