ZyXEL NBG-460N User Guide - Page 211
IPSec Protocol, Encapsulation
Chapter 15 IPSec VPN

IPSec protocol is ESP. (See IPSec Protocol on page 211 for more information about active protocols.) If router A does not have an IPSec pass-through or if the IPSec protocol is AH, you can solve this problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to the IKE SA and IPSec SA packets. If you configure router A to forward these packets unchanged, router X and router Y can establish a VPN tunnel. You have to do the following things to set up NAT traversal.

• Enable NAT traversal on the NBG-460N and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged. The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the NBG-460N and remote IPSec router support.

15.6.7 IPSec Protocol

The IPSec protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two IPSec protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406).

Note: The NBG-460N and remote IPSec router must use the same IPSec protocol.

Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.

15.6.8 Encapsulation

There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the NBG-460N and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.

Note: The NBG-460N and remote IPSec router must use the same encapsulation.

These modes are illustrated below.

Figure 130 VPN: Transport and Tunnel Mode Encapsulation
[Figure: "Original Packet" row shows IP Header | TCP Header | Data; the transport and tunnel mode rows of the figure are not reproduced here.]

NBG-460N User's Guide 211
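The three points this page makes (why ESP rather than AH when a NAT router sits in the path, what the NAT traversal UDP header looks like, and how transport and tunnel mode differ in what they protect) can be seen in a small packet model. The following Python is an added example written for this page; it is not ZyXEL's code and does not describe how the NBG-460N implements IPSec. It assumes constructed addresses (LAN host 192.168.1.10, IPSec router X at 172.16.0.2 behind NAT router A with public address 198.51.100.7, remote IPSec router Y at 203.0.113.5), a constructed authentication key, 20-byte IP and TCP headers with checksums left at zero, and a 96-bit truncated HMAC as the integrity check value (ICV). ESP encryption is deliberately left out so the header layout stays readable; the ICV coverage follows RFC 2402 (AH covers the IP header, mutable fields zeroed) and RFC 2406 (ESP never covers the outer IP header), and the UDP 4500 framing follows RFC 3948.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real SA takes its authentication key from the IKE exchange.
AUTH_KEY = b"constructed-demo-auth-key"
PROTO_IPIP, PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 4, 6, 17, 50, 51
ICV_LEN = 12  # 96-bit truncated HMAC, as in HMAC-SHA1-96 / HMAC-SHA-256-96


def _addr(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum stays zero in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       _addr(src), _addr(dst))


def ip_addrs(packet: bytes) -> tuple:
    """Source and destination of the outermost IPv4 header, as a NAT router sees them."""
    return (".".join(map(str, packet[12:16])), ".".join(map(str, packet[16:20])))


def original_packet(src: str, dst: str, data: bytes) -> bytes:
    """IP header + TCP header + data, the 'Original Packet' row of Figure 130."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return ipv4_header(src, dst, PROTO_TCP, 40 + len(data)) + tcp + data


def icv(covered: bytes) -> bytes:
    return hmac.new(AUTH_KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def esp_encapsulate(packet, mode, spi, seq, gw_src=None, gw_dst=None) -> bytes:
    """ESP (RFC 2406) in transport or tunnel mode. Transport keeps the original IP
    header and protects only what follows it; tunnel protects the whole original
    packet and adds a new outer header carrying the gateway addresses. The ICV
    covers ESP header, payload and trailer, never the outer IP header."""
    if mode == "transport":
        outer_src, outer_dst = ip_addrs(packet)
        inner, next_hdr = packet[20:], PROTO_TCP
    elif mode == "tunnel":
        outer_src, outer_dst, inner, next_hdr = gw_src, gw_dst, packet, PROTO_IPIP
    else:
        raise ValueError(f"unknown mode {mode!r}")
    body = struct.pack("!II", spi, seq) + inner + bytes([0, next_hdr])  # trailer: pad len, next hdr
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, 20 + len(body) + ICV_LEN) + body + icv(body)


def esp_verify(packet: bytes) -> bool:
    return hmac.compare_digest(icv(packet[20:-ICV_LEN]), packet[-ICV_LEN:])


def _ah_covered(packet: bytes) -> bytes:
    """What AH's ICV covers (RFC 2402): the IP header with mutable fields (TOS, flags/
    fragment offset, TTL, checksum) zeroed, the AH header with its ICV zeroed, and the
    payload. The source and destination addresses are covered, so a NAT breaks it."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0
    hdr[6:8] = b"\0\0"
    hdr[8] = 0
    hdr[10:12] = b"\0\0"
    return bytes(hdr) + packet[20:32] + bytes(ICV_LEN) + packet[32 + ICV_LEN:]


def ah_encapsulate(packet: bytes, spi: int, seq: int) -> bytes:
    """AH transport mode: original IP header (protocol 51), AH header, TCP header, data."""
    src, dst = ip_addrs(packet)
    ah_words = (12 + ICV_LEN) // 4 - 2  # AH 'payload length' field: 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", PROTO_TCP, ah_words, 0, spi, seq)
    hdr = ipv4_header(src, dst, PROTO_AH, len(packet) + 12 + ICV_LEN)
    draft = hdr + ah_fixed + bytes(ICV_LEN) + packet[20:]
    return hdr + ah_fixed + icv(_ah_covered(draft)) + packet[20:]


def ah_verify(packet: bytes) -> bool:
    return hmac.compare_digest(icv(_ah_covered(packet)), packet[32:32 + ICV_LEN])


def nat_rewrite_source(packet: bytes, public_src: str) -> bytes:
    """What a NAT router (router A on this page) does to an outbound packet."""
    return packet[:12] + _addr(public_src) + packet[16:]


def nat_t_encapsulate(esp_packet: bytes) -> bytes:
    """NAT traversal (RFC 3948): carry the ESP packet inside UDP 4500, the 'extra
    header' the NAT router must forward unchanged."""
    esp = esp_packet[20:]
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(esp), 0)
    src, dst = ip_addrs(esp_packet)
    return ipv4_header(src, dst, PROTO_UDP, 28 + len(esp)) + udp + esp


def classify_nat_t(udp_payload: bytes) -> str:
    """Tell IKE, ESP and keepalives apart on UDP 4500 (RFC 3948): IKE carries a
    four-byte zero 'non-ESP marker' where ESP carries a non-zero SPI; a keepalive
    is the single byte 0xFF."""
    if udp_payload == b"\xff":
        return "nat-keepalive"
    if udp_payload[:4] == b"\0\0\0\0":
        return "ike"
    return "esp"


def demo() -> dict:
    """Constructed scenario: LAN host 192.168.1.10 -> 10.0.0.20 through IPSec router X
    (172.16.0.2) behind NAT router A (198.51.100.7) to remote IPSec router Y (203.0.113.5)."""
    pkt = original_packet("192.168.1.10", "10.0.0.20", b"GET / HTTP/1.1")
    esp_t = esp_encapsulate(pkt, "transport", 0x1001, 1)
    esp_tun = esp_encapsulate(pkt, "tunnel", 0x1002, 1, "172.16.0.2", "203.0.113.5")
    ah_t = ah_encapsulate(pkt, 0x1003, 1)
    udp_esp = nat_t_encapsulate(esp_tun)
    return {
        "transport_outer": ip_addrs(esp_t),  # inner host addresses stay visible
        "tunnel_outer": ip_addrs(esp_tun),   # only the gateway addresses are visible
        "esp_after_nat": esp_verify(nat_rewrite_source(esp_t, "198.51.100.7")),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah_t, "198.51.100.7")),
        "nat_t_ports": struct.unpack("!HH", udp_esp[20:24]),
        "nat_t_classes": [classify_nat_t(udp_esp[28:]),
                          classify_nat_t(b"\0\0\0\0" + b"constructed IKE header"),
                          classify_nat_t(b"\xff")],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the three points side by side: after router A rewrites the source address, the ESP packet still verifies while the AH packet does not (AH's ICV covers the addresses, which is why the page steers you to ESP when NAT is involved); the tunnel mode packet exposes only the gateway addresses to the NAT router, whereas transport mode leaves the end host addresses in the outer header; and once ESP is wrapped for NAT traversal, the NAT router sees an ordinary UDP 4500 flow, with `classify_nat_t` showing how IKE, ESP and keepalives share that port. The model omits the TCP checksum problem that real transport mode ESP has behind a NAT, which is one more reason the page recommends tunnel mode.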