2 what you need to know about ipsec vpn, 3 before you begin, Figure 250 vpn: ike sa and ipsec sa – ZyXEL Communications 200 Series User Manual

Chapter 20 IPSec VPN
ZyWALL USG 100/200 Series User’s Guide
• Use the VPN Concentrator screens (see ) to combine several IPSec VPN connections into a single secure network.
• Use the SA Monitor screen (see ) to display and manage the active IPSec SAs.
20.1.2 What You Need to Know About IPSec VPN
An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security
association (SA), a contract indicating what security parameters the ZyWALL and the remote
IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between
the ZyWALL and remote IPSec router. The second phase uses the IKE SA to securely
establish an IPSec SA through which the ZyWALL and remote IPSec router can send data
between computers on the local network and remote network. This is illustrated in the
following figure.
Figure 250 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B.
Inside networks A and B, the data is transmitted the same way data is normally transmitted in
the networks. Between routers X and Y, the data is protected by tunneling, encryption,
authentication, and other security features of the IPSec SA. The IPSec SA is secure because
routers X and Y established the IKE SA first.
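The dependency of the IPSec SA on the IKE SA, shown as an added example that is not part of the ZyXEL guide. It assumes IKEv1 with pre-shared-key authentication (the RFC 2409 key derivations), HMAC-SHA-256 as the prf, and a toy Diffie-Hellman group; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, constructed for this example; real IKE uses
# the much larger MODP groups.
P = 2**127 - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the first argument (SHA-256 assumed)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def to_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")

def phase1_skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r):
    """Phase 1 (IKE SA): derive SKEYID_d, the secret that later keys IPSec SAs."""
    skeyid = prf(psk, ni + nr)                      # SKEYID = prf(PSK, Ni_b | Nr_b)
    return prf(skeyid, to_bytes(g_xy) + cky_i + cky_r + b"\x00")

def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2):
    """Phase 2 (IPSec SA): KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, bytes([protocol]) + spi + ni2 + nr2)

def negotiate(psk_x: bytes, psk_y: bytes):
    """Run both phases between routers X and Y; return each side's key for one SA."""
    # Phase 1: cookies, nonces and DH public values cross the network in the clear.
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)
    d_x = phase1_skeyid_d(psk_x, ni, nr, pow(gy, x, P), cky_i, cky_r)
    d_y = phase1_skeyid_d(psk_y, ni, nr, pow(gx, y, P), cky_i, cky_r)
    # Phase 2: fresh nonces and an SPI, exchanged under protection of the IKE SA.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    esp = 3  # IPSec DOI protocol identifier for ESP
    return (phase2_keymat(d_x, esp, spi, ni2, nr2),
            phase2_keymat(d_y, esp, spi, ni2, nr2))

if __name__ == "__main__":
    kx, ky = negotiate(b"constructed-psk", b"constructed-psk")
    print("IPSec SA keys match:", kx == ky)
```

Everything an observer sees in phase 2 (protocol, SPI, nonces) is useless without SKEYID_d, which only the two routers that completed phase 1 with the same pre-shared key can compute.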
Dynamic IPSec VPN Rules
A dynamic IPSec VPN rule does not specify the remote IPSec router’s IP address or domain
name. So a remote IPSec router with a dynamic IP address can initiate a VPN tunnel to the
ZyWALL. Only the remote IPSec router can initiate a dynamic VPN tunnel.
Finding Out More
• See for related information on these screens.
• See for IPSec VPN background information.
• See for an example of configuring IPSec VPN.
20.1.3 Before You Begin
This section briefly explains the relationship between VPN tunnels and other features. It also
gives some basic suggestions for troubleshooting.