1 local network and remote network, 2 active protocol, 3 encapsulation – ZyXEL Communications P-2608HWL-Dx Series User Manual

P-2608HWL-Dx Series User’s Guide

228

Chapter 18 IPSec VPN

18.1.3.1 Local Network and Remote Network

In IPSec SA terminology, the local network, the one(s) connected to the ZyXEL Device, may
be called the local policy. Similarly, the remote network, the one(s) connected to the remote
IPSec router, may be called the remote policy.

18.1.3.2 Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security
Payload, RFC 2406).

Note: The ZyXEL Device and remote IPSec router must use the same active

protocol. ESP is recommended.

ESP is recommended because AH does not support encryption and ESP is more suitable with
NAT. Use AH only if the remote IPSec router does not support ESP.

18.1.3.3 Encapsulation

There are two ways to encapsulate packets. These modes are illustrated below.

In tunnel mode, the ZyXEL Device encapsulates the entire IP packet. As a result, there are two
IP headers, as well as the header for the active protocol.

• Outside header: The outside IP header contains the IP addresses of the ZyXEL Device

and remote IPSec router.

• AH/ESP header: The header for the active protocol encapsulates the original packet.
• Inside header: The inside IP header contains the IP address of the computers behind the

ZyXEL Device or remote IPSec router.

Figure 125 VPN: Transport and Tunnel Mode Encapsulation

Original Packet IP Header

TCP

Header

Data

Transport Mode Packet IP Header

AH/ESP

Header

TCP

Header

Data

Tunnel Mode Packet IP Header

AH/ESP

Header

IP Header

TCP

Header

Data