ZyXEL ZyWALL ATP700 User Guide - Page 451
Certificates, IPSec SA Overview, Local Network and Remote Network, Active Protocol, Encapsulation
View all ZyXEL ZyWALL ATP700 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 451 highlights
Chapter 19 IPSec VPN Certificates It is possible for the Zyxel Device and remote IPSec router to authenticate each other with certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote identity because the certificates provide this information instead. • Instead of using the pre-shared key, the Zyxel Device and remote IPSec router check the signatures on each other's certificates. Unlike pre-shared keys, the signatures do not have to match. • The local and peer ID type and content come from the certificates. Note: You must set up the certificates for the Zyxel Device and remote IPSec router first. IPSec SA Overview Once the Zyxel Device and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks. Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore. This section introduces the key components of an IPSec SA. Local Network and Remote Network In an IPSec SA, the local network, the one(s) connected to the Zyxel Device, may be called the local policy. Similarly, the remote network, the one(s) connected to the remote IPSec router, may be called the remote policy. Active Protocol The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). Note: The Zyxel Device and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the Zyxel Device and remote IPSec router (for example, for remote management), not between computers on the local and remote networks. Note: The Zyxel Device and remote IPSec router must use the same encapsulation. These modes are illustrated below. Figure 318 VPN: Transport and Tunnel Mode Encapsulation Original Packet IP Header TCP Header Data ZyWALL ATP Series User's Guide 451