Home » ZyXEL Manuals » Network Security & Firewall Devices » ZyXEL ZyWALL ATP700 » Manual Viewer

ZyXEL ZyWALL ATP700 User Guide - Page 452

IPSec SA Proposal and Perfect Forward Secrecy, Additional Topics for IPSec SA, Authentication

View all ZyXEL ZyWALL ATP700 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 452 highlights

Chapter 19 IPSec VPN Figure 318 VPN: Transport and Tunnel Mode Encapsulation Transport Mode Packet IP Header AH/ESP Header TCP Header Data Tunnel Mode Packet IP Header AH/ESP Header IP Header TCP Header Data In tunnel mode, the Zyxel Device uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers: • Outside header: The outside IP header contains the IP address of the Zyxel Device or remote IPSec router, whichever is the destination. • Inside header: The inside IP header contains the IP address of the computer behind the Zyxel Device or remote IPSec router. The header for the active protocol (AH or ESP) appears between the IP headers. In transport mode, the encapsulation depends on the active protocol. With AH, the Zyxel Device includes part of the original IP header when it encapsulates the packet. With ESP, however, the Zyxel Device does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address. IPSec SA Proposal and Perfect Forward Secrecy An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal), except that you also have the choice whether or not the Zyxel Device and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS). If you enable PFS, the Zyxel Device and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure. If you do not enable PFS, the Zyxel Device and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security. PFS is ignored in initial IKEv2 authentication but is used when re-authenticating. Additional Topics for IPSec SA This section provides more information about IPSec SA in your Zyxel Device. Authentication and the Security Parameter Index (SPI) For authentication, the Zyxel Device and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number. Note: The Zyxel Device and remote IPSec router must use the same SPI. ZyWALL ATP Series User's Guide 452

Section	Page
ZyWALL ATP Series	1
Document Conventions	3
Contents Overview	4
Table of Contents	6
User’s Guide	24
Introduction	25
1.1 Overview	25
1.1.1 Model Feature Differences	25
1.2 Registration at myZyxel	26
1.2.1 Grace Period	27
1.2.2 Applications	27
1.3 Management Overview	30
1.4 Web Configurator	31
1.4.1 Web Configurator Access	31
1.4.2 Web Configurator Screens Overview	34
1.4.3 Navigation Panel	38
1.4.4 Tables and Lists	46
Initial Setup Wizard	50
2.1 Initial Setup Wizard Screens	50
2.1.1 Internet Access Setup - WAN Interface	50
2.1.2 Internet Access: Ethernet	51
2.1.3 Internet Access: PPPoE	52
2.1.4 Internet Access: PPTP	54
2.1.5 Internet Access: L2TP	56
2.1.6 Internet Access Setup - Second WAN Interface	58
2.1.7 Internet Access: Congratulations	59
2.1.8 Date and Time Settings	60
2.1.9 Register Device	60
2.1.10 Activate Service	62
2.1.11 Service Settings	63
2.1.12 Service Settings: SecuReporter	64
2.1.13 Wireless Settings: Management Mode	65
2.1.14 Wireless Settings: AP Controller	66
2.1.15 Wireless Settings: SSID & Security	66
2.1.16 Remote Management	67
Hardware, Interfaces and Zones	69
3.1 Hardware Overview	69
3.1.1 Front Panels	69
3.1.2 Rear Panels	71
3.2 Installation Scenarios	72
3.2.1 Desktop Installation Procedure	73
3.2.2 Rack-mounting	74
3.2.3 Wall-mounting	75
3.3 Default Zones, Interfaces, and Ports	77
3.4 Stopping the Zyxel Device	78
Quick Setup Wizards	79
4.1 Quick Setup Overview	79
4.2 WAN Interface Quick Setup	80
4.2.1 Choose an Ethernet Interface	80
4.2.2 Select WAN Type	81
4.2.3 Configure WAN IP Settings	81
4.2.4 ISP and WAN and ISP Connection Settings	82
4.2.5 Quick Setup Interface Wizard: Summary	85
4.3 VPN Setup Wizard	86
4.3.1 Welcome	86
4.3.2 VPN Setup Wizard: Wizard Type	87
4.3.3 VPN Express Wizard - Scenario	88
4.3.4 VPN Express Wizard - Configuration	89
4.3.5 VPN Express Wizard - Summary	89
4.3.6 VPN Express Wizard - Finish	90
4.3.7 VPN Advanced Wizard - Scenario	91
4.3.8 VPN Advanced Wizard - Phase 1 Settings	92
4.3.9 VPN Advanced Wizard - Phase 2	94
4.3.10 VPN Advanced Wizard - Summary	95
4.3.11 VPN Advanced Wizard - Finish	97
4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type	98
4.4.1 Configuration Provisioning Express Wizard - VPN Settings	98
4.4.2 Configuration Provisioning VPN Express Wizard - Configuration	99
4.4.3 VPN Settings for Configuration Provisioning Express Wizard - Summary	100
4.4.4 VPN Settings for Configuration Provisioning Express Wizard - Finish	101
4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario	102
4.4.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 1 Settings	103
4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2	104
4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard - Summary	105
4.4.9 VPN Settings for Configuration Provisioning Advanced Wizard - Finish	108
4.5 VPN Settings for L2TP VPN Settings Wizard	108
4.5.1 L2TP VPN Settings	109
4.5.2 L2TP VPN Settings	110
4.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary	110
4.5.4 VPN Settings for L2TP VPN Setting Wizard - Completed	112
4.6 Wireless Setup Wizard	112
4.6.1 Management Mode	113
4.6.2 SSID	113
4.6.3 Radio	115
4.6.4 Summary	116
4.6.5 Wizard Completed	117
Dashboard	118
5.1 Overview	118
5.1.1 What You Can Do in this Chapter	118
5.2 The General Screen	118
5.2.1 Device Information Screen	120
5.2.2 System Status Screen	121
5.2.3 Tx/Rx Statistics	121
5.2.4 The Latest Logs Screen	122
5.2.5 System Resources Screen	122
5.2.6 DHCP Table Screen	123
5.2.7 Number of Login Users Screen	124
5.2.8 Current Login User	125
5.2.9 VPN Status	125
5.2.10 SSL VPN Status	126
5.3 The Advanced Threat Protection Screen	126
Technical Reference	128
Monitor	129
6.1 Overview	129
6.1.1 What You Can Do in this Chapter	129
6.2 The Port Statistics Screen	131
6.2.1 The Port Statistics Graph Screen	132
6.3 Interface Status Screen	133
6.4 The Traffic Statistics Screen	137
6.5 The Session Monitor Screen	139
6.6 The Login Users Screen	141
6.7 IGMP Statistics	143
6.8 The DDNS Status Screen	144
6.9 IP/MAC Binding	144
6.10 Cellular Status Screen	145
6.10.1 More Information	148
6.11 The UPnP Port Status Screen	149
6.12 USB Storage Screen	150
6.13 Ethernet Neighbor Screen	151
6.14 FQDN Object Screen	152
6.15 AP Information: AP List	154
6.15.1 AP List: More Information	157
6.15.2 AP List: Config AP	160
6.16 AP Information: Radio List	162
6.16.1 Radio List: More Information	164
6.17 AP Information: Built-in AP	165
6.18 AP Information: Top N APs	166
6.19 AP Information: Single AP	168
6.20 ZyMesh	169
6.21 SSID Info	170
6.22 Station Info: Station List	170
6.23 Station Info: Top N Stations	171
6.24 Station Info: Single Station	172
6.25 Detected Device	173
6.26 The IPSec Screen	174
6.27 The SSL Screen	176
6.28 The L2TP over IPSec Screen	176
6.29 The App Patrol Screen	177
6.30 The Content Filter Screen	178
6.31 The Anti-Malware Screen	180
6.32 The Reputation Filter Screen	182
6.33 The IDP Screen	184
6.34 Sandboxing	186
6.35 The Email Security Screens	187
6.35.1 Email Security Summary	187
6.35.2 The Email Security Status Screen	189
6.36 The SSL Inspection Screens	191
6.36.1 Certificate Cache List	192
6.37 Log Screens	193
6.37.1 View Log	193
6.37.2 View AP Log	195
Licensing	198
7.1 Registration Overview	198
7.1.1 What you Need to Know	198
7.1.2 Registration Screen	199
7.1.3 Service Screen	200
7.2 Signature Update	201
7.2.1 What you Need to Know	201
7.2.2 The Signature Screen	202
7.2.3 Auto Update	202
Wireless	204
8.1 Overview	204
8.1.1 What You Can Do in this Chapter	204
8.2 Built-in AP	204
8.2.1 Wireless > Built-in AP > General >Add/Edit SSID	206
8.2.2 Wireless > Built-in AP > Radio	209
8.3 Controller Screen	215
8.3.1 Connecting an AP to the Zyxel Device	215
8.3.2 Connecting an AP to the Zyxel Device Manually	216
8.3.3 Connecting an AP to the Zyxel Device Using DHCP Option 138	216
8.4 AP Management Screens	217
8.4.1 Mgnt. AP List	217
8.4.2 AP Policy	222
8.4.3 AP Group	223
8.4.4 Firmware	229
8.5 Rogue AP	230
8.5.1 Add/Edit Rogue/Friendly List	232
8.6 Auto Healing	233
8.7 RTLS Overview	234
8.7.1 What You Can Do in this Chapter	234
8.7.2 Before You Begin	234
8.7.3 Configuring RTLS	235
8.8 Technical Reference	236
8.8.1 Dynamic Channel Selection	236
8.8.2 Load Balancing	237
Interfaces	238
9.1 Interface Overview	238
9.1.1 What You Can Do in this Chapter	238
9.1.2 What You Need to Know	238
9.1.3 What You Need to Do First	243
9.2 Port Role	243
9.3 Port Configuration	244
9.4 Ethernet Summary Screen	245
9.4.1 Ethernet Edit	247
9.4.2 Proxy ARP	263
9.4.3 Virtual Interfaces	264
9.4.4 References	265
9.4.5 Add/Edit DHCPv6 Request/Release Options	266
9.4.6 Add/Edit DHCP Extended Options	267
9.5 PPP Interfaces	268
9.5.1 PPP Interface Summary	269
9.5.2 PPP Interface Add or Edit	270
9.6 Cellular Configuration Screen	275
9.6.1 Cellular Choose Slot	278
9.6.2 Add / Edit Cellular Configuration	278
9.7 Tunnel Interfaces	284
9.7.1 Configuring a Tunnel	286
9.7.2 Tunnel Add or Edit Screen	287
9.8 VLAN Interfaces	291
9.8.1 VLAN Summary Screen	292
9.8.2 VLAN Add/Edit	293
9.9 Bridge Interfaces	304
9.9.1 Bridge Summary	306
9.9.2 Bridge Add/Edit	307
9.10 VTI	318
9.10.1 Restrictions for IPSec Virtual Tunnel Interface	318
9.10.2 VTI Screen	319
9.10.3 VTI Add/Edit	319
9.11 Trunk Overview	323
9.11.1 What You Need to Know	323
9.12 The Trunk Summary Screen	326
9.12.1 Configuring a User-Defined Trunk	327
9.12.2 Configuring the System Default Trunk	329
9.13 Interface Technical Reference	330
Routing	335
10.1 Policy and Static Routes Overview	335
10.1.1 What You Can Do in this Chapter	335
10.1.2 What You Need to Know	336
10.2 Policy Route Screen	337
10.2.1 Policy Route Edit Screen	339
10.3 IP Static Route Screen	344
10.3.1 Static Route Add/Edit Screen	344
10.4 Policy Routing Technical Reference	346
10.5 Routing Protocols Overview	346
10.5.1 What You Need to Know	347
10.6 The RIP Screen	347
10.7 The OSPF Screen	349
10.7.1 Configuring the OSPF Screen	352
10.7.2 OSPF Area Add/Edit Screen	353
10.7.3 Virtual Link Add/Edit Screen	355
10.8 BGP (Border Gateway Protocol)	356
10.8.1 Allow BGP Packets to Enter the Zyxel Device	357
10.8.2 Configuring the BGP Screen	357
10.8.3 The BGP Neighbors Screen	359
10.8.4 Example Scenario	360
DDNS	362
11.1 DDNS Overview	362
11.1.1 What You Can Do in this Chapter	362
11.1.2 What You Need to Know	362
11.2 The DDNS Screen	363
11.2.1 The Dynamic DNS Add/Edit Screen	364
NAT	368
12.1 NAT Overview	368
12.1.1 What You Can Do in this Chapter	368
12.1.2 What You Need to Know	368
12.2 The NAT Screen	369
12.2.1 The NAT Add/Edit Screen	371
12.3 NAT Technical Reference	374
Redirect Service	376
13.1 Overview	376
13.1.1 HTTP Redirect	376
13.1.2 SMTP Redirect	376
13.1.3 What You Can Do in this Chapter	377
13.1.4 What You Need to Know	377
13.2 The Redirect Service Screen	379
13.2.1 The Redirect Service Edit Screen	380
ALG	382
14.1 ALG Overview	382
14.1.1 What You Need to Know	382
14.1.2 Before You Begin	385
14.2 The ALG Screen	385
14.3 ALG Technical Reference	387
UPnP	389
15.1 UPnP and NAT-PMP Overview	389
15.2 What You Need to Know	389
15.2.1 NAT Traversal	389
15.2.2 Cautions with UPnP and NAT-PMP	390
15.3 UPnP Screen	390
15.4 Technical Reference	391
15.4.1 Turning on UPnP in Windows 7 Example	391
15.4.2 Turn on UPnP in Windows 10 Example	395
15.4.3 Auto-discover Your UPnP-enabled Network Device	397
15.4.4 Web Configurator Easy Access in Windows 7	400
15.4.5 Web Configurator Easy Access in Windows 10	402
IP/MAC Binding	404
16.1 IP/MAC Binding Overview	404
16.1.1 What You Can Do in this Chapter	404
16.1.2 What You Need to Know	404
16.2 IP/MAC Binding Summary	405
16.2.1 IP/MAC Binding Edit	406
16.2.2 Static DHCP Edit	407
16.3 IP/MAC Binding Exempt List	408
Layer 2 Isolation	409
17.1 Overview	409
17.1.1 What You Can Do in this Chapter	409
17.2 Layer-2 Isolation General Screen	409
17.3 White List Screen	410
17.3.1 Add/Edit White List Rule	411
DNS Inbound LB	413
18.1 DNS Inbound Load Balancing Overview	413
18.1.1 What You Can Do in this Chapter	413
18.2 The DNS Inbound LB Screen	414
18.2.1 The DNS Inbound LB Add/Edit Screen	415
18.2.2 The DNS Inbound LB Add/Edit Member Screen	417
IPSec VPN	419
19.1 Virtual Private Networks (VPN) Overview	419
19.1.1 What You Can Do in this Chapter	421
19.1.2 What You Need to Know	421
19.1.3 Before You Begin	424
19.2 The VPN Connection Screen	424
19.2.1 The VPN Connection Add/Edit Screen	426
19.3 The VPN Gateway Screen	433
19.3.1 The VPN Gateway Add/Edit Screen	434
19.4 VPN Concentrator	441
19.4.1 VPN Concentrator Requirements and Suggestions	441
19.4.2 VPN Concentrator Screen	442
19.4.3 The VPN Concentrator Add/Edit Screen	442
19.5 Zyxel Device IPSec VPN Client Configuration Provisioning	443
19.6 IPSec VPN Background Information	445
SSL VPN	455
20.1 Overview	455
20.1.1 What You Can Do in this Chapter	455
20.1.2 What You Need to Know	455
20.2 The SSL Access Privilege Screen	456
20.2.1 The SSL Access Privilege Policy Add/Edit Screen	457
20.3 The SSL Global Setting Screen	459
L2TP VPN	461
21.1 Overview	461
21.1.1 What You Can Do in this Chapter	461
21.1.2 What You Need to Know	461
21.2 L2TP VPN Screen	462
21.2.1 Example: L2TP and Zyxel Device Behind a NAT Router	464
BWM (Bandwidth Management)	467
22.1 Overview	467
22.1.1 What You Can Do in this Chapter	467
22.1.2 What You Need to Know	467
22.2 The Bandwidth Management Configuration	471
22.2.1 The Bandwidth Management Add/Edit Screen	474
Web Authentication	483
23.1 Web Auth Overview	483
23.1.1 What You Can Do in this Chapter	483
23.1.2 What You Need to Know	484
23.2 Web Authentication General Screen	484
23.2.1 User-aware Access Control Example	489
23.2.2 Authentication Type Screen	495
23.2.3 Custom Web Portal / User Agreement File Screen	499
23.3 SSO Overview	500
23.4 SSO - Zyxel Device Configuration	502
23.4.1 Configuration Overview	502
23.4.2 Configure the Zyxel Device to Communicate with SSO	502
23.4.3 Enable Web Authentication	503
23.4.4 Create a Security Policy	505
23.4.5 Configure User Information	506
23.4.6 Configure an Authentication Method	507
23.4.7 Configure Active Directory	508
23.5 SSO Agent Configuration	509
Security Policy	512
24.1 Overview	512
24.2 One Security	513
24.3 What You Can Do in this Chapter	516
24.3.1 What You Need to Know	516
24.4 The Security Policy Screen	518
24.4.1 Configuring the Security Policy Control Screen	519
24.4.2 The Security Policy Control Add/Edit Screen	523
24.5 Anomaly Detection and Prevention Overview	524
24.5.1 The Anomaly Detection and Prevention General Screen	525
24.5.2 Creating New ADP Profiles	526
24.5.3 Traffic Anomaly Profiles	527
24.5.4 Protocol Anomaly Profiles	530
24.6 The Session Control Screen	533
24.6.1 The Session Control Add/Edit Screen	534
24.7 Security Policy Example Applications	535
Application Patrol	538
25.1 Overview	538
25.1.1 What You Can Do in this Chapter	538
25.1.2 What You Need to Know	538
25.2 Application Patrol Profile	539
25.2.1 Profile Action: Apply to a Security Policy	540
25.2.2 Application Patrol Profile > Add/Edit - My Application	543
25.2.3 Application Patrol Profile > Add/Edit - Query Result	544
Content Filter	547
26.1 Overview	547
26.1.1 What You Can Do in this Chapter	547
26.1.2 What You Need to Know	547
26.1.3 Before You Begin	549
26.2 Content Filter Profile Screen	549
26.2.1 Apply to a Security Policy	550
26.2.2 Content Filter Add Profile Category Service	553
26.2.3 Content Filter Add Filter Profile Custom Service	566
26.3 Content Filter Trusted Web Sites Screen	568
26.4 Content Filter Forbidden Web Sites Screen	569
26.5 Content Filter Technical Reference	570
Anti-Malware	572
27.1 Overview	572
27.1.1 What You Can Do in this Chapter	576
27.2 Anti-Malware Screen	577
27.3 The White List Screen	581
27.4 The Black List Screen	582
27.5 Anti-Malware Signature Searching	583
27.6 Anti-Malware Technical Reference	584
Reputation Filter	586
28.1 Overview	586
28.1.1 What You Need to Know	586
28.1.2 What You Can Do in this Chapter	586
28.2 IP Reputation Screen	586
28.2.1 IP Reputation White List Screen	590
28.2.2 IP Reputation Black List Screen	590
28.3 URL Threat Filter Screen	591
28.3.1 URL Threat Filter White List Screen	593
28.3.2 URL Threat Filter Black List Screen	594
IDP	596
29.1 Overview	596
29.1.1 What You Can Do in this Chapter	596
29.1.2 What You Need To Know	596
29.1.3 Before You Begin	596
29.2 The IDP Screen	597
29.2.1 Query Example	601
29.3 IDP Custom Signatures	602
29.3.1 Add / Edit Custom Signatures	603
29.3.2 Custom Signature Example	607
29.3.3 Applying Custom Signatures	609
29.3.4 Verifying Custom Signatures	610
29.4 The White List Screen	610
29.5 IDP Technical Reference	611
Sandboxing	614
30.1 Overview	614
30.1.1 What You Need to Know	615
30.2 Sandboxing Screen	615
Email Security	618
31.1 Overview	618
31.1.1 What You Can Do in this Chapter	618
31.1.2 What You Need to Know	618
31.2 Before You Begin	619
31.3 The Email Security Screen	620
31.4 The Black List / White List Screen	622
31.4.1 The Black or White List Add/Edit Screen	623
31.4.2 Regular Expressions in Black or White List Entries	625
31.5 Email Security Technical Reference	625
SSL Inspection	629
32.1 Overview	629
32.1.1 What You Can Do in this Chapter	629
32.1.2 What You Need To Know	629
32.1.3 Before You Begin	630
32.2 The SSL Inspection Profile Screen	630
32.2.1 Apply to a Security Policy	631
32.2.2 Add / Edit SSL Inspection Profiles	634
32.3 Exclude List Screen	635
32.4 Certificate Update Screen	637
32.5 Install a CA Certificate in a Browser	638
IP Exception	641
33.1 Overview	641
33.2 The IP Exception Screen	641
33.2.1 The IP Exception Add/Edit Screen	642
Object	644
34.1 Zones Overview	644
34.1.1 What You Need to Know	644
34.1.2 The Zone Screen	645
34.2 User/Group Overview	647
34.2.1 What You Need To Know	647
34.2.2 User/Group User Summary Screen	649
34.2.3 User/Group Group Summary Screen	654
34.2.4 User/Group Setting Screen	655
34.2.5 User/Group MAC Address Summary Screen	660
34.2.6 User /Group Technical Reference	662
34.3 AP Profile Overview	662
34.3.1 Radio Screen	663
34.3.2 SSID Screen	669
34.4 MON Profile	678
34.4.1 Overview	678
34.4.2 Configuring MON Profile	679
34.4.3 Add/Edit MON Profile	680
34.4.4 Technical Reference	681
34.5 ZyMesh Overview	682
34.5.1 ZyMesh Profile	684
34.5.2 Add/Edit ZyMesh Profile	685
34.6 Address/Geo IP Overview	685
34.6.1 What You Need To Know	686
34.6.2 Address Summary Screen	686
34.6.3 Address Group Summary Screen	690
34.6.4 Geo IP Summary Screen	692
34.7 Service Overview	695
34.7.1 What You Need to Know	695
34.7.2 The Service Summary Screen	696
34.7.3 The Service Group Summary Screen	698
34.8 Schedule Overview	700
34.8.1 What You Need to Know	700
34.8.2 The Schedule Screen	701
34.8.3 The Schedule Group Screen	704
34.9 AAA Server Overview	705
34.9.1 Directory Service (AD/LDAP)	706
34.9.2 RADIUS Server	706
34.9.3 ASAS	706
34.9.4 What You Need To Know	707
34.9.5 Active Directory or LDAP Server Summary	708
34.9.6 RADIUS Server Summary	712
34.10 Auth. Method Overview	715
34.10.1 Before You Begin	715
34.10.2 Example: Selecting a VPN Authentication Method	715
34.10.3 Authentication Method Objects	716
34.10.4 Two-Factor Authentication VPN Access	718

Match case Limit results 1 per page

Chapter 19 IPSec VPN

ZyWALL ATP Series User’s Guide

452

In tunnel mode, the Zyxel Device uses the active protocol to encapsulate the entire IP packet. As a

result, there are two IP headers:

•

Outside header: The outside IP header contains the IP address of the Zyxel Device or remote IPSec

router, whichever is the destination.

•

Inside header: The inside IP header contains the IP address of the computer behind the Zyxel Device

or remote IPSec router. The header for the active protocol (AH or ESP) appears between the IP

headers.

In transport mode, the encapsulation depends on the active protocol. With AH, the Zyxel Device

includes part of the original IP header when it encapsulates the packet. With ESP, however, the Zyxel

Device does not include the IP header when it encapsulates the packet, so it is not possible to verify the

integrity of the source IP address.

IPSec SA Proposal and Perfect Forward Secrecy

An IPSec SA proposal is similar to an IKE SA proposal (see

IKE SA Proposal

), except that you also have the

choice whether or not the Zyxel Device and remote IPSec router perform a new DH key exchange every

time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).

If you enable PFS, the Zyxel Device and remote IPSec router perform a DH key exchange every time an

IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if

one encryption key is compromised, other encryption keys remain secure.

If you do not enable PFS, the Zyxel Device and remote IPSec router use the same root key that was

generated when the IKE SA was established to generate encryption keys.

The DH key exchange is time-consuming and may be unnecessary for data that does not require such

security.

PFS is ignored in initial IKEv2 authentication but is used when re-authenticating.

Additional Topics for IPSec SA

This section provides more information about IPSec SA in your Zyxel Device.

Authentication and the Security Parameter Index (SPI)

For authentication, the Zyxel Device and remote IPSec router use the SPI, instead of pre-shared keys, ID

type and content. The SPI is an identification number.

Note: The Zyxel Device and remote IPSec router must use the same SPI.

Transport Mode Packet

IP Header

AH/ESP

Header

TCP Header

Data

Tunnel Mode Packet

IP Header

AH/ESP

Header

IP Header

TCP Header

Data

Figure 318

VPN: Transport and Tunnel Mode Encapsulation