ZyXEL Communications ISG50-ISDN User Manual page 392

Integrated service gateway

Chapter 24 IPSec VPN
Active Protocol
The active protocol controls the format of each packet and specifies how much of each packet is
protected by the encryption and authentication algorithms. IPSec VPN includes two active
protocols, AH (Authentication Header, RFC 2402, since replaced by RFC 4302) and ESP
(Encapsulating Security Payload, RFC 2406, since replaced by RFC 4303).
Note: The ISG50 and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH provides integrity and origin authentication only, with no
encryption, and its integrity check covers the IP header, so a NAT device between the ISG50 and the
remote IPSec router that rewrites addresses causes every AH packet to fail verification. ESP
encrypts the payload and leaves the IP header outside its integrity check, so it works through NAT.
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more
secure: the entire original IP packet, including its header and the private addresses in it, is
carried inside a new outer packet. Transport mode is only used when the IPSec SA is used for
communication between the ISG50 and the remote IPSec router themselves (for example, for remote
management), not between computers on the local and remote networks.
Note: The ISG50 and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
Figure 257 VPN: Transport and Tunnel Mode Encapsulation
Original Packet:        [ IP Header ][ TCP Header ][ Data ]
Transport Mode Packet:  [ IP Header ][ AH/ESP Header ][ TCP Header ][ Data ]
Tunnel Mode Packet:     [ IP Header ][ AH/ESP Header ][ IP Header ][ TCP Header ][ Data ]
In tunnel mode, the ISG50 uses the active protocol to encapsulate the entire IP packet. As a result,
there are two IP headers:
• Outside header: The outside IP header contains the IP addresses of the ISG50 and the remote IPSec
router, the source and destination of the tunnel itself.
• Inside header: The inside IP header contains the IP addresses of the computers behind the ISG50
and the remote IPSec router. The header for the active protocol (AH or ESP) appears between the two
IP headers.
In transport mode, the encapsulation depends on the active protocol. With AH, the ISG50 includes the
original IP header in the integrity check (the fields that change legitimately in transit, such as
the TTL and the header checksum, are treated as zero), so the source and destination addresses are
authenticated. With ESP, however, the ISG50 does not include the IP header in the integrity check, so
it is not possible to verify the integrity of the source IP address; in tunnel mode the original
header is inside the ESP payload and is protected with it.
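The following script is an added example, not code from the ISG50 manual or from ZyXEL, that builds AH and ESP packets in transport and tunnel mode and checks what survives a NAT rewrite of the outer source address, to make the Active Protocol and transport-mode points above concrete. It models only the authentication part of each protocol: HMAC-SHA-256 truncated to 96 bits as the ICV, a shared key fixed here for the demonstration, 20-byte IPv4 headers without options, and ESP with its integrity check only (no encryption). All addresses, SPIs and the payload are constructed test data.

```python
"""Integrity scope of AH and ESP in transport and tunnel mode, with NAT in the path.

Added example, not ISG50/ZyXEL code. Models only the ICV (HMAC-SHA-256-96), a
fixed demo key, 20-byte IPv4 headers without options and ESP without encryption.
"""
import hashlib
import hmac
import socket
import struct

KEY = bytes(range(32))                 # constructed integrity key shared by both peers
ICV_LEN = 12                           # 96-bit truncated ICV
PROTO_AH, PROTO_ESP, PROTO_TCP, PROTO_IPIP = 51, 50, 6, 4


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum, ignoring whatever is currently in the checksum field."""
    total = sum(w for i, w in enumerate(struct.unpack("!10H", hdr)) if i != 5)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_immutable(hdr: bytes) -> bytes:
    """AH view of an IPv4 header (RFC 4302 Appendix A): fields that change in transit
    (TOS, flags/fragment offset, TTL, header checksum) are zeroed; version, length,
    identification, protocol and both addresses are covered by the ICV."""
    return hdr[:1] + b"\x00" + hdr[2:6] + b"\x00\x00\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]


def ah_packet(src, dst, next_hdr, payload, spi=0x1000, seq=1):
    """IP header | AH (next hdr, len, reserved, SPI, seq, ICV) | payload."""
    ah_fixed = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    hdr = ipv4_header(src, dst, PROTO_AH, 12 + ICV_LEN + len(payload))
    mac = icv(ah_immutable(hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return hdr + ah_fixed + mac + payload


def ah_verify(pkt: bytes) -> bool:
    hdr, ah_fixed, mac, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(mac, icv(ah_immutable(hdr) + ah_fixed + bytes(ICV_LEN) + payload))


def esp_packet(src, dst, next_hdr, payload, spi=0x2000, seq=1):
    """IP header | SPI, seq | payload | padding, pad len, next hdr | ICV.
    The ICV covers everything from the SPI to the next-header byte; the IP header
    in front of it is outside the protected region."""
    pad_len = (-(len(payload) + 2)) % 4
    body = (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
    return ipv4_header(src, dst, PROTO_ESP, len(body) + ICV_LEN) + body + icv(body)


def esp_verify(pkt: bytes) -> bool:
    return hmac.compare_digest(pkt[-ICV_LEN:], icv(pkt[20:-ICV_LEN]))


def rewrite_outer_src(pkt: bytes, new_src: str) -> bytes:
    """What a source NAT (or a spoofer) does: change the outer source address and
    fix the header checksum; nothing after the IP header is touched."""
    hdr = pkt[:12] + socket.inet_aton(new_src) + pkt[16:20]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + pkt[20:]


def rewrite_inner_src(pkt: bytes, new_src: str) -> bytes:
    """Tamper with the inner IP header of an ESP tunnel-mode packet (inner src at 20 + 8 + 12)."""
    return pkt[:40] + socket.inet_aton(new_src) + pkt[44:]


def demo() -> dict:
    tcp = b"\x04\xd2\x00\x50" + bytes(16) + b"constructed payload"     # fake TCP segment
    gw_a, gw_b, nat = "10.1.1.2", "198.51.100.7", "203.0.113.9"
    # Transport mode: AH/ESP sits directly between the IP header and the TCP segment.
    ah_t = ah_packet(gw_a, gw_b, PROTO_TCP, tcp)
    esp_t = esp_packet(gw_a, gw_b, PROTO_TCP, tcp)
    # Tunnel mode: the whole original packet (inner header included) is the payload,
    # and a new outer header carries the gateway addresses.
    inner = ipv4_header("192.168.1.10", "192.168.2.20", PROTO_TCP, len(tcp)) + tcp
    esp_tun = esp_packet(gw_a, gw_b, PROTO_IPIP, inner)
    return {
        "ah_transport_ok": ah_verify(ah_t),
        "ah_transport_after_nat": ah_verify(rewrite_outer_src(ah_t, nat)),      # AH breaks under NAT
        "esp_transport_after_nat": esp_verify(rewrite_outer_src(esp_t, nat)),   # ESP survives NAT ...
        "esp_transport_spoofed_src_detected": not esp_verify(rewrite_outer_src(esp_t, "192.0.2.66")),
        "esp_tunnel_after_nat": esp_verify(rewrite_outer_src(esp_tun, nat)),
        "esp_tunnel_tampered_inner_src_detected": not esp_verify(rewrite_inner_src(esp_tun, "192.0.2.66")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same mechanism explains both notes in the text: AH fails after NAT because the source address is inside its ICV, ESP passes because the outer header is not, and that is exactly why ESP in transport mode cannot tell a NAT from a spoofed source address, while in tunnel mode the inner header travels inside the protected region and any change to it is detected.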
IPSec SA Proposal and Perfect Forward Secrecy
An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on page 387), except
that you also have the choice whether or not the ISG50 and remote IPSec router perform a new DH
key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).
Without PFS, the keys of each IPSec SA are derived only from the IKE SA's keying material and the
nonces exchanged when the IPSec SA is set up; with PFS, they also depend on a fresh DH secret that
is discarded after use, so an attacker who later obtains the IKE SA's keying material cannot recover
the keys of IPSec SAs whose traffic was recorded earlier.
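To show what the PFS choice buys, here is an added example (not code from the manual or from ZyXEL) that reproduces the IKEv2 CHILD_SA key derivation of RFC 7296 with and without a fresh DH exchange and then lets a passive attacker who later learns the IKE SA's SK_d try to recompute the IPSec SA keys. It uses the RFC 7296 prf+ construction with HMAC-SHA-256 but a deliberately tiny Diffie-Hellman group (p = 2^127 - 1, g = 3, an assumption for speed, not an IKE group); SK_d, the nonces and the private values are constructed from a fixed seed so the run is reproducible.

```python
"""Perfect Forward Secrecy for IPSec SA keys: a toy of the IKEv2 CHILD_SA derivation.

Added example, not ISG50/ZyXEL code. prf+ and KEYMAT follow RFC 7296 sections 2.13
and 2.17; the DH group is a toy one, and all secrets are constructed from a fixed seed.
"""
import hashlib
import hmac
import random

P = (1 << 127) - 1     # toy prime, NOT an IKE DH group (assumption for speed only)
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, nbytes: int) -> bytes:
    """RFC 7296 s2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n); output is T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < nbytes:
        t = prf(key, t + seed + bytes([n]))
        out, n = out + t, n + 1
    return out[:nbytes]


def dh_keypair(rng: random.Random):
    priv = rng.randrange(2, P - 1)
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, pfs_secret=None, nbytes=64) -> bytes:
    """RFC 7296 s2.17: KEYMAT = prf+(SK_d, Ni | Nr), or, when the exchange that
    creates the IPSec SA carried a fresh KE payload, prf+(SK_d, g^ir (new) | Ni | Nr)."""
    return prf_plus(sk_d, (pfs_secret or b"") + ni + nr, nbytes)


def simulate(pfs: bool, seed: int = 7) -> dict:
    rng = random.Random(seed)
    # SK_d: the key-derivation key both peers hold from the IKE SA (constructed here).
    sk_d = prf(b"constructed SKEYSEED", b"SK_d of the IKE SA")
    ni = rng.getrandbits(128).to_bytes(16, "big")
    nr = rng.getrandbits(128).to_bytes(16, "big")
    wire = {"Ni": ni, "Nr": nr}             # everything a passive attacker can record
    secret_i = secret_r = None
    if pfs:
        xi, kei = dh_keypair(rng)           # new ephemeral DH values for this IPSec SA
        xr, ker = dh_keypair(rng)
        wire.update(KEi=kei, KEr=ker)       # only the public values cross the wire
        secret_i, secret_r = dh_shared(xi, ker), dh_shared(xr, kei)
        del xi, xr                          # discarded once KEYMAT is derived
    keymat_i = child_sa_keymat(sk_d, ni, nr, secret_i)
    keymat_r = child_sa_keymat(sk_d, ni, nr, secret_r)
    # Later compromise of the IKE SA (e.g. SK_d read from a gateway memory dump):
    # the attacker replays the derivation from SK_d plus the recorded traffic.
    keymat_attacker = child_sa_keymat(sk_d, wire["Ni"], wire["Nr"], None)
    return {"peers_agree": keymat_i == keymat_r,
            "attacker_recovers_keymat": keymat_attacker == keymat_i}


if __name__ == "__main__":
    print("without PFS:", simulate(False))
    print("with PFS:   ", simulate(True))
```

Without PFS the attacker's recomputation matches the peers' KEYMAT exactly, because every input besides SK_d was visible on the wire; with PFS the recorded KEi and KEr are not enough, since g^ir existed only in the two peers' memory for the duration of the exchange. Enabling PFS costs one extra DH computation per IPSec SA rekey, which is why the manual presents it as a per-proposal choice.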
