IPSec VPN Background Information - ZyXEL Communications ZyWALL USG 100 Series User Manual

Unified security gateway

Table 129 VPN > IPSec VPN > SA Monitor (continued)
LABEL        DESCRIPTION
Disconnect   This field is displayed if the IPSec SA does not use manual keys. Click the Disconnect icon next to an IPSec SA to disconnect it.
Refresh      Click Refresh to update the information in the display.

21.6 IPSec VPN Background Information

Here is some more detailed IPSec VPN background information.

IKE SA Overview
The IKE SA provides a secure connection between the ZyWALL and remote IPSec router.
It takes several steps to establish an IKE SA. The negotiation mode determines how many.
There are two negotiation modes--main mode and aggressive mode. Main mode provides
better security, while aggressive mode is faster.
Both routers must use the same negotiation mode.
These modes are discussed in more detail in Negotiation Mode on page 387. Main mode is
used in various examples in the rest of this section.

IP Addresses of the ZyWALL and Remote IPSec Router
To set up an IKE SA, you have to specify the IP addresses of the ZyWALL and remote IPSec
router. You can usually enter a static IP address or a domain name for either or both IP
addresses. Sometimes, your ZyWALL might offer another alternative, such as using the IP
address of a port or interface, as well.
You can also specify the IP address of the remote IPSec router as 0.0.0.0. This means that the
remote IPSec router can have any IP address. In this case, only the remote IPSec router can
initiate an IKE SA because the ZyWALL does not know the IP address of the remote IPSec
router. This is often used for telecommuters.

IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm,
and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE
SA. In main mode, this is done in steps 1 and 2, as illustrated next.

ZyWALL USG 100/200 Series User's Guide
Chapter 21 IPSec VPN
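
The negotiation mode, remote IP address and proposal rules described above can be checked before two routers are deployed. The following is an added example, not part of the manual or of any ZyXEL software: the Gateway class, the review_pair function and all sample addresses and proposal names are hypothetical, and addresses are compared as plain strings.

```python
from dataclasses import dataclass

ANY_PEER = "0.0.0.0"  # manual: the remote IPSec router can have any IP address


@dataclass(frozen=True)
class Gateway:  # hypothetical model of one router's IKE settings
    name: str
    my_address: str       # static IP address or domain name of this router
    peer_address: str     # static IP, domain name, or 0.0.0.0
    mode: str             # "main" or "aggressive"
    proposals: frozenset  # {(encryption, authentication, dh_group), ...}


def review_pair(a, b):
    """Return (initiators, findings) for two routers meant to share an IKE SA."""
    findings = []
    if a.mode != b.mode:
        findings.append(f"mode mismatch: {a.name}={a.mode}, {b.name}={b.mode}")
    elif a.mode == "aggressive":
        findings.append("aggressive mode in use; main mode provides better security")
    if not a.proposals & b.proposals:
        findings.append("no common IKE SA proposal")
    initiators = []
    for local, remote in ((a, b), (b, a)):
        if local.peer_address == ANY_PEER:
            findings.append(f"{local.name} accepts any peer address and cannot initiate")
        elif local.peer_address != remote.my_address:
            findings.append(f"{local.name} expects {local.peer_address}, "
                            f"but {remote.name} is {remote.my_address}")
        else:
            initiators.append(local.name)
    if not initiators:
        findings.append("neither router can initiate the IKE SA")
    return initiators, findings


# Constructed sample: a head-office ZyWALL serving a telecommuter.
PROPOSAL = frozenset({("aes128", "sha1", "dh2")})
HQ = Gateway("hq", "203.0.113.10", ANY_PEER, "main", PROPOSAL)
HOME = Gateway("telecommuter", "198.51.100.7", "203.0.113.10", "main", PROPOSAL)

if __name__ == "__main__":
    who, notes = review_pair(HQ, HOME)
    print("can initiate:", who)
    for note in notes:
        print(" -", note)
```

If both routers are set to 0.0.0.0, the check reports that neither side can start the negotiation, a case that follows from the rule above.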


This manual is also suitable for:

Zywall usg 200 series
