ZyXEL Communications 310 User Manual page 311

Note: The ZyWALL and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more
secure. Transport mode is only used when the IPSec SA is used for communication between the
ZyWALL and remote IPSec router (for example, for remote management), not between computers
on the local and remote networks.
Note: The ZyWALL and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
Figure 191 VPN: Transport and Tunnel Mode Encapsulation
Original Packet: IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data
In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a
result, there are two IP headers:
• Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec
router, whichever is the destination.
• Inside header: The inside IP header contains the IP address of the computer behind the ZyWALL
or remote IPSec router. The header for the active protocol (AH or ESP) appears between the IP
headers.
In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL includes
part of the original IP header when it encapsulates the packet. With ESP, however, the ZyWALL
does not include the IP header when it encapsulates the packet, so it is not possible to verify the
integrity of the source IP address.
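The following Python is an added example, not code from the ZyXEL guide: it builds the ESP packet for both modes from one constructed TCP/IP packet and reports which bytes the integrity check value (ICV) covers, which is why only tunnel mode protects the original IP header. It assumes NULL encryption (RFC 2410) so the layout stays readable, an HMAC-SHA-256-128 ICV (RFC 4868), and made-up addresses and key.

```python
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50   # IANA protocol numbers
ESP_HDR_LEN, ICV_LEN, IPV4_HDR_LEN = 8, 16, 20      # SPI+seq, HMAC-SHA-256-128 ICV, minimal IPv4 header

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero because it is irrelevant here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                       0, 0, 64, proto, 0, src, dst)

def esp_encapsulate(pkt: bytes, mode: str, spi: int, seq: int, key: bytes,
                    gw_src: bytes, gw_dst: bytes) -> dict:
    """Wrap an IPv4 packet in ESP (RFC 4303) using NULL encryption and an HMAC-SHA-256-128 ICV.
    Returns the packet, the next-header value, the byte range the ICV covers, and whether the
    original (inner) IP header lies inside that range."""
    if mode == "tunnel":                      # whole original packet goes inside, IP header included
        payload, next_hdr = pkt, IPPROTO_IPIP
    elif mode == "transport":                 # original IP header is reused outside, unprotected
        payload, next_hdr = pkt[IPV4_HDR_LEN:], IPPROTO_TCP
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad_len = (-(len(payload) + 2)) % 4       # pad length + next header must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp_header = struct.pack("!II", spi, seq)
    authenticated = esp_header + payload + trailer   # everything the ICV covers
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    outer_ip = ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(authenticated) + ICV_LEN)
    return {
        "packet": outer_ip + authenticated + icv,
        "next_header": next_hdr,
        "icv_covers": (IPV4_HDR_LEN, IPV4_HDR_LEN + len(authenticated)),
        # In tunnel mode the inner IP header sits right after the ESP header, inside the ICV range.
        "inner_ip_header_authenticated":
            authenticated[ESP_HDR_LEN:ESP_HDR_LEN + IPV4_HDR_LEN] == pkt[:IPV4_HDR_LEN],
    }

# Constructed sample: a host behind the ZyWALL sends TCP to a host behind the remote IPSec router.
HOST_A, HOST_B = bytes([10, 0, 1, 25]), bytes([10, 0, 2, 40])
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
TCP_HEADER = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
ORIGINAL = ipv4_header(HOST_A, HOST_B, IPPROTO_TCP, len(TCP_HEADER) + 16) + TCP_HEADER + b"GET / HTTP/1.0\r\n"
KEY = b"\x11" * 32                              # constructed demo key, not a real SA key

if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        r = esp_encapsulate(ORIGINAL, mode, spi=0x1000, seq=1, key=KEY, gw_src=GW_A, gw_dst=GW_B)
        print(f"{mode}: {len(r['packet'])} bytes, next header {r['next_header']}, "
              f"inner IP header authenticated: {r['inner_ip_header_authenticated']}")
```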
IPSec SA Proposal and Perfect Forward Secrecy
An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on page 306), except
that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new
DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy
(PFS).
If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an
IPSec SA is established, changing the root key from which encryption keys are generated. As a
result, if one encryption key is compromised, other encryption keys remain secure.
Chapter 20 IPSec VPN
ZyWALL 110/310/1100 Series User's Guide