1 local network and remote network, 2 active protocol, 3 encapsulation – ZyXEL Communications G.SHDSL.bis 4-port Security Gateway P-793H User Manual

P-793H User’s Guide

Chapter 11 IPSec VPN

161

Note: An IPSec SA stays connected even if the underlying IKE SA is not available

anymore.

This section introduces the key components of IPSec SA.

11.1.3.1 Local Network and Remote Network

In IPSec SA terminology, the local network, the one(s) connected to the ZyXEL Device, may
be called the local policy. Similarly, the remote network, the one(s) connected to the remote
IPSec router, may be called the remote policy.

11.1.3.2 Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).

Note: The ZyXEL Device and remote IPSec router must use the same active

protocol. ESP is recommended.

ESP is recommended because AH does not support encryption and ESP is more suitable with
NAT. Use AH only if the remote IPSec router does not support ESP.

11.1.3.3 Encapsulation

There are two ways to encapsulate packets. These modes are illustrated below.

In tunnel mode, the ZyXEL Device encapsulates the entire IP packet. As a result, there are two
IP headers, as well as the header for the active protocol.

• Outside header: The outside IP header contains the IP addresses of the ZyXEL Device

and remote IPSec router.

• AH/ESP header: The header for the active protocol encapsulates the original packet.

Figure 77 VPN: Transport and Tunnel Mode Encapsulation

Original Packet IP Header

TCP

Header

Data

Transport Mode Packet IP Header

AH/ESP

Header

TCP

Header

Data

Tunnel Mode Packet IP Header

AH/ESP

Header

IP Header

TCP

Header

Data