Additional IPSec VPN Topics; Active Protocols, Encryption Algorithms, and Authentication Algorithms - ZyXEL Communications ZyWALL 2Plus User Manual

Internet security appliance

uniquely identify a particular security association. When an IPSec SA using manual keys is
established, the SPI is transmitted from the remote IPSec router to the ZyWALL. The
ZyWALL then uses the network, encryption and key values that the administrator associated
with the SPI to establish the IPSec SA.
Note: Current ZyXEL implementation assumes identical outgoing and incoming SPIs.
You also have to specify the encapsulation and active protocol, which are the same
characteristics required in other types of IPSec SAs. These characteristics are discussed in
detail in Section 11.1.4.2 on page 189 and Section 11.1.4.1 on page 187, respectively.
IPSec SAs using manual keys do not require DHx key groups or PFS. In addition, IPSec SAs
using manual keys do not support NAT traversal or many other IPSec SA properties. These
IPSec SAs also do not have SA life times.

11.1.4 Additional IPSec VPN Topics

This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or
both. Relationships between the topics are also highlighted.

11.1.4.1 Active Protocols, Encryption Algorithms, and Authentication Algorithms

To create an IPSec SA, you must specify an active protocol to describe the packet formats and
the default standards for packet structure (including implementation algorithms). The
ZyWALL offers AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).
The AH protocol was designed for integrity, authentication, sequence integrity (replay
resistance), and non-repudiation but not for confidentiality. In contrast, the ESP protocol offers
encryption and payload padding to conceal the information in the packet, but it has limited
authenticating properties because IP header information is not included in authentication.

Chapter 11 IPSec VPN
ZyWALL 2 Plus User's Guide
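The difference in authentication coverage between AH and ESP described in Section 11.1.4.1 can be checked with a small model. This is an added example, not code from the ZyXEL manual or firmware: it assumes HMAC-SHA1-96 as the authentication algorithm, uses a constructed key, SPI and addresses, and models the headers in simplified form rather than byte-for-byte as on the wire.

```python
import hashlib, hmac, socket, struct

AUTH_KEY = b"constructed-sample-key"  # constructed; stands in for the admin-entered manual key
SPI, SEQ = 0x00001000, 1              # constructed SPI and sequence number
PROTO_ESP, PROTO_AH = 50, 51          # IP protocol numbers for ESP and AH

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header (length, ID and checksum left 0 in this model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    """Integrity check value: HMAC-SHA1 truncated to 96 bits (assumed algorithm)."""
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, payload):
    """AH: the ICV covers the IP header (mutable fields zeroed), AH header and payload."""
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS is mutable in transit
    h[6:8] = b"\0\0"    # flags and fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    ah_hdr = struct.pack("!BBHII", 4, 4, 0, SPI, SEQ) + b"\0" * 12  # ICV field zeroed
    return icv(bytes(h) + ah_hdr + payload)

def esp_icv(ip_hdr, payload):
    """ESP: the ICV covers only the ESP header and payload; ip_hdr is deliberately unused."""
    return icv(struct.pack("!II", SPI, SEQ) + payload)

def survives_header_change(icv_fn, proto, **changed):
    """True if the receiver's ICV check still passes after the outer IP header is altered."""
    payload = b"constructed payload"
    original = {"src": "192.0.2.1", "dst": "198.51.100.1", "ttl": 64}
    sent = icv_fn(ipv4_header(proto=proto, **original), payload)
    received = icv_fn(ipv4_header(proto=proto, **{**original, **changed}), payload)
    return hmac.compare_digest(sent, received)

if __name__ == "__main__":
    print("AH,  TTL decremented:   ", survives_header_change(ah_icv, PROTO_AH, ttl=63))
    print("AH,  source rewritten:  ", survives_header_change(ah_icv, PROTO_AH, src="203.0.113.9"))
    print("ESP, source rewritten:  ", survives_header_change(esp_icv, PROTO_ESP, src="203.0.113.9"))
```

With AH, a change to the source address invalidates the ICV while a TTL decrement does not; with ESP, the same address change goes undetected by the ICV because the outer IP header is outside its coverage.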
