ZyXEL ZyWALL ATP700 User Guide - Page 452
Chapter 19 IPSec VPN

Figure 318 VPN: Transport and Tunnel Mode Encapsulation
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data

In tunnel mode, the Zyxel Device uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers:
• Outside header: The outside IP header contains the IP address of the Zyxel Device or remote IPSec router, whichever is the destination.
• Inside header: The inside IP header contains the IP address of the computer behind the Zyxel Device or remote IPSec router.
The header for the active protocol (AH or ESP) appears between the IP headers.

In transport mode, the encapsulation depends on the active protocol. With AH, the Zyxel Device includes the fields of the original IP header that do not change in transit in the integrity check when it encapsulates the packet. With ESP, however, the integrity check covers only the ESP header and payload, not the IP header, so the receiver cannot verify that the source IP address has not been modified.

IPSec SA Proposal and Perfect Forward Secrecy
An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal), except that you also choose whether the Zyxel Device and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).

If you enable PFS, the Zyxel Device and remote IPSec router perform a DH key exchange every time an IPSec SA is established, producing a fresh root key from which that SA's encryption keys are derived. As a result, an attacker who obtains the key material of one IPSec SA, or of the IKE SA itself, cannot derive the encryption keys of the other IPSec SAs. If you do not enable PFS, the encryption keys of every IPSec SA are derived from the same root key that was generated when the IKE SA was established, so a compromise of that root key exposes all of them. The DH key exchange is computationally expensive and may be unnecessary for data that does not require such protection.

In IKEv2, PFS cannot apply to the first IPSec SA, which is created in the IKE_AUTH exchange from the IKE SA's own key material; it applies when IPSec SAs are rekeyed (the CREATE_CHILD_SA exchange).
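The two derivations described above, shown as an added Python example that is not Zyxel code and not part of the user guide. It implements prf+ and the Child SA KEYMAT rule from RFC 7296 (sections 2.13 and 2.17) and simulates an attacker who has recovered SK_d, the IKE SA's derivation key (the "root key" in the text above), and who watches the nonces and DH public values of every rekey on the wire. Without PFS the attacker recomputes every IPSec SA's keys; with PFS the derivation also needs the fresh DH shared secret, which the attacker lacks. The 127-bit Diffie-Hellman group is a toy chosen so the example runs quickly offline; it is an assumption of the example, not a group the Zyxel Device offers, and all function and variable names are the example's own.

```python
"""IKEv2 Child SA keying with and without PFS (RFC 7296 sections 2.13 and 2.17)."""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Toy Diffie-Hellman group, assumed here only so the example runs offline and
# quickly. 2**127 - 1 is prime, but a 127-bit group is NOT secure; a real IKE
# peer negotiates one of the MODP or ECP groups registered for IKEv2.
TOY_P = 2 ** 127 - 1
TOY_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the PRFs IKEv2 can negotiate."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n); output T1|T2|..."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir: Optional[bytes], length: int) -> bytes:
    """KEYMAT for a Child SA (RFC 7296 2.17).

    Without PFS: KEYMAT = prf+(SK_d, Ni | Nr)
    With PFS:    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
    SK_d is the IKE SA's derivation key. KEYMAT is later split into the
    encryption and integrity keys for each direction (not shown here).
    """
    seed = (g_ir if g_ir is not None else b"") + ni + nr
    return prf_plus(sk_d, seed, length)


def dh_keypair() -> Tuple[int, int]:
    priv = secrets.randbelow(TOY_P - 2) + 1
    return priv, pow(TOY_G, priv, TOY_P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, TOY_P).to_bytes(16, "big")  # 16 bytes hold the 127-bit result


def simulate_rekeys(pfs: bool, sk_d: bytes, rekeys: int = 3) -> Tuple[List[bytes], List[bytes]]:
    """Return (KEYMAT the peers derive, KEYMAT an attacker holding SK_d recomputes).

    The attacker sees every CREATE_CHILD_SA exchange, so it knows Ni, Nr and the
    DH public values, but not either peer's private exponent.
    """
    peer_keys, attacker_keys = [], []
    for _ in range(rekeys):
        ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
        g_ir = None
        if pfs:
            i_priv, i_pub = dh_keypair()
            r_priv, r_pub = dh_keypair()
            g_ir = dh_shared(i_priv, r_pub)
            if g_ir != dh_shared(r_priv, i_pub):
                raise RuntimeError("DH shared secrets disagree")
        peer_keys.append(child_sa_keymat(sk_d, ni, nr, g_ir, 64))
        # Lacking the private exponents, the attacker can only compute the no-PFS form.
        attacker_keys.append(child_sa_keymat(sk_d, ni, nr, None, 64))
    return peer_keys, attacker_keys


def attacker_recovers_every_child_sa(pfs: bool) -> bool:
    sk_d = secrets.token_bytes(32)  # constructed: stands in for a leaked IKE SA SK_d
    peers, attacker = simulate_rekeys(pfs, sk_d)
    return peers == attacker


if __name__ == "__main__":
    print("no PFS: attacker recovers all Child SA keys ->", attacker_recovers_every_child_sa(False))
    print("PFS:    attacker recovers all Child SA keys ->", attacker_recovers_every_child_sa(True))
```

The first Child SA created in IKE_AUTH follows the no-PFS form with the nonces from IKE_SA_INIT, which is why the text says PFS does not apply there: SK_d itself already comes from the IKE SA's DH exchange, and no second exchange takes place.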
Additional Topics for IPSec SA
This section provides more information about IPSec SA in your Zyxel Device.

Authentication and the Security Parameter Index (SPI)
For authentication, the Zyxel Device and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is a 32-bit identification number carried in the clear in the AH or ESP header of every packet; the receiving device uses it to determine which IPSec SA, and therefore which keys, an incoming packet belongs to.
Note: The Zyxel Device and remote IPSec router must use the same SPI.

ZyWALL ATP Series User's Guide 452
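As an added example that is not part of the user guide or Zyxel's code, the following Python builds constructed AH and ESP packets in the layout of Figure 318 and parses them the way a receiver selects an inbound SA per RFC 4301: by destination address, protocol and SPI. It shows why both ends must agree on the SPI (an unknown SPI selects no SA and the packet is dropped), and why AH reveals the encapsulation mode in its Next Header field while ESP keeps that byte inside the encrypted trailer. The addresses, SPI values and SA names are constructed; no ICV verification or decryption is performed because no keys are involved.

```python
"""Select an inbound IPsec SA by SPI from raw IPv4 packets carrying AH or ESP."""
import struct
from typing import Dict, Tuple

IPPROTO_ESP = 50
IPPROTO_AH = 51

# Constructed inbound SA table. RFC 4301 selects an inbound SA by
# (destination address, protocol, SPI); keys and algorithms are left out since
# only the lookup is demonstrated here.
SAD: Dict[Tuple[str, int, int], str] = {
    ("192.0.2.1", IPPROTO_ESP, 0xA001): "esp-tunnel-from-branch",
    ("192.0.2.1", IPPROTO_AH, 0xB002): "ah-transport-from-branch",
    ("192.0.2.1", IPPROTO_AH, 0xB003): "ah-tunnel-from-hq",
}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 20-byte header with its checksum field zeroed."""
    total = sum(struct.unpack("!10H", header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) in front of an AH or ESP payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0, _addr(src), _addr(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP (RFC 4303): SPI, Sequence Number, then encrypted payload, trailer and ICV.
    The Next Header byte sits in the encrypted trailer, so a receiver cannot tell
    tunnel from transport mode until it has decrypted the packet."""
    return struct.pack("!II", spi, seq) + ciphertext


def build_ah(spi: int, seq: int, next_header: int, icv: bytes) -> bytes:
    """AH (RFC 4302): Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV.
    Payload Len is the AH header length in 32-bit words minus 2."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ipsec(pkt: bytes) -> dict:
    """Extract protocol, SPI and sequence number, and select the inbound SA."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = ".".join(str(b) for b in pkt[16:20])
    body = pkt[ihl:]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        info = {"proto": "ESP", "spi": spi, "seq": seq, "mode": "unknown until decrypted"}
    elif proto == IPPROTO_AH:
        nh, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        icv_len = (plen + 2) * 4 - 12
        # Next Header 4 or 41 means an inner IPv4/IPv6 header follows (tunnel mode);
        # anything else (6 TCP, 17 UDP, ...) is the original transport header.
        mode = "tunnel" if nh in (4, 41) else "transport"
        info = {"proto": "AH", "spi": spi, "seq": seq, "mode": mode, "icv": body[12:12 + icv_len]}
    else:
        raise ValueError(f"protocol {proto} is not AH or ESP")
    # An SPI the receiver does not know selects no SA, and the packet is dropped.
    info["sa"] = SAD.get((dst, proto, spi))
    return info


def demo() -> Dict[str, dict]:
    """Four constructed packets: matching ESP, AH transport, AH tunnel, unknown SPI."""
    ciphertext = bytes(range(48))  # constructed stand-in for encrypted payload + ICV
    icv = b"\x11" * 12             # constructed stand-in for a 96-bit AH ICV
    src, dst = "198.51.100.7", "192.0.2.1"
    return {
        "esp": parse_ipsec(build_ipv4(src, dst, IPPROTO_ESP, build_esp(0xA001, 1, ciphertext))),
        "ah_transport": parse_ipsec(build_ipv4(src, dst, IPPROTO_AH, build_ah(0xB002, 1, 6, icv))),
        "ah_tunnel": parse_ipsec(build_ipv4(src, dst, IPPROTO_AH, build_ah(0xB003, 1, 4, icv))),
        "unknown_spi": parse_ipsec(build_ipv4(src, dst, IPPROTO_ESP, build_esp(0xDEAD, 1, ciphertext))),
    }


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name:13s} proto={info['proto']} spi=0x{info['spi']:08x} mode={info['mode']} sa={info['sa']}")
```

A real receiver would, after this lookup, check the sequence number against the SA's anti-replay window and verify the ICV (for AH, over the immutable outer IP header fields as well) before decrypting or delivering the inner packet.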