ZyXEL Communications ZyWALL 2 Plus User’s Guide

Chapter 14 IPSec VPN

Page 272

14.6.3 Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).

Note: The ZyWALL and remote IPSec router must use the same active protocol.

Usually, you should select ESP. AH does not support encryption, and ESP is more suitable
for use with NAT.

14.6.4 Encapsulation

There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is
more secure. Transport mode is only used when the IPSec SA is used for communication
between the ZyWALL and remote IPSec router (for example, for remote management), not
between computers on the local and remote networks.

Note: The ZyWALL and remote IPSec router must use the same encapsulation.

These modes are illustrated below.

In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a
result, there are two IP headers:

• Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec router, whichever is the destination.

• Inside header: The inside IP header contains the IP address of the computer behind the ZyWALL or remote IPSec router.

The header for the active protocol (AH or ESP) appears between the IP headers.

Figure 180 VPN: Transport and Tunnel Mode Encapsulation

Original Packet: IP Header | TCP Header | Data

Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data

Tunnel Mode Packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data
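The two layouts of Figure 180 and the NAT remark in Section 14.6.3, as an added Python model that is not ZyXEL's code: headers are simplified byte-string stand-ins rather than RFC 2402/2406 wire formats, the integrity-check coverage is reduced to the one difference that matters for NAT, and the addresses and SA key are constructed for the example.

```python
"""Models the Figure 180 packet layouts and why ESP tolerates NAT where AH does not.
Headers are simplified byte-string stand-ins, not RFC 2402/2406 wire formats."""
import hashlib
import hmac

SA_KEY = b"constructed-demo-key"  # constructed shared key for the IPSec SA

def ip_header(src: str, dst: str) -> bytes:
    """Stand-in for an IP header: only the address pair matters here."""
    return f"IP[{src}->{dst}]".encode()

def icv(data: bytes) -> bytes:
    """Integrity Check Value keyed with the SA key."""
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()

def protect(outer_ip: bytes, inner: bytes, protocol: str) -> list:
    """Place the AH or ESP header between `outer_ip` and `inner`.
    AH's ICV also covers the outer IP header; ESP's covers only the ESP header
    and what it encapsulates, so the outer IP header may change in transit.
    (ESP payload encryption is omitted; it does not affect the NAT argument.)"""
    if protocol == "AH":
        return [outer_ip, b"AH" + icv(outer_ip + inner), inner]
    if protocol == "ESP":
        return [outer_ip, b"ESP", inner, icv(b"ESP" + inner)]
    raise ValueError(protocol)

def transport_mode(orig_ip: bytes, tcp_and_data: bytes, protocol: str) -> list:
    """Transport mode: the original IP header stays outermost (middle row)."""
    return protect(orig_ip, tcp_and_data, protocol)

def tunnel_mode(orig_ip: bytes, tcp_and_data: bytes, gw_ip: bytes, protocol: str) -> list:
    """Tunnel mode: the whole original packet sits behind a new IP header that
    carries the ZyWALL/remote router addresses (bottom row), giving two IP headers."""
    return protect(gw_ip, orig_ip + tcp_and_data, protocol)

def verify(packet: list, protocol: str) -> bool:
    """Receiver-side integrity check as the remote IPSec router performs it."""
    if protocol == "AH":
        outer_ip, ah, inner = packet
        return hmac.compare_digest(ah, b"AH" + icv(outer_ip + inner))
    _, hdr, inner, tag = packet
    return hmac.compare_digest(tag, icv(hdr + inner))

def nat_rewrite(packet: list, new_src: str) -> list:
    """A NAT device in the path rewrites the source address of the outermost IP header."""
    dst = packet[0].decode().split("->")[1].rstrip("]")
    return [ip_header(new_src, dst)] + packet[1:]
```

Running a transport-mode AH packet through `nat_rewrite` makes `verify` fail, while the same ESP packet still verifies, which is the behaviour behind the manual's advice to prefer ESP.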