P-2602H(W)(L)-DxA Series User’s Guide
Chapter 16 Introduction to IPSec
Figure 117 Encryption and Decryption
16.1.3.2 Data Confidentiality
The IPSec sender can encrypt packets before transmitting them across a network.
16.1.3.3 Data Integrity
The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not
been altered during transmission.
16.1.3.4 Data Origin Authentication
The IPSec receiver can verify the source of IPSec packets. This service depends on the data
integrity service.
16.1.4 VPN Applications
The ZyXEL Device supports the following VPN applications.
Linking Two or More Private Networks Together
Connect branch offices and business partners over the Internet with significant cost
savings and improved performance when compared to leased lines between sites.
Accessing Network Resources When NAT Is Enabled
When NAT is enabled, remote users are not able to access hosts on the LAN unless the
host is designated a public LAN server for that specific protocol. Since the VPN tunnel
terminates inside the LAN, remote users will be able to access all computers that use
private IP addresses on the LAN.
Unsupported IP Applications
A VPN tunnel may be created to add support for unsupported emerging IP applications.
See Chapter 1 on page 37 for an example of a VPN application.
16.2 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 118 IPSec Architecture
16.2.1 IPSec Algorithms
The ESP (Encapsulating Security Payload) protocol (RFC 2406) and AH (Authentication
Header) protocol (RFC 2402) describe the packet formats and the default standards for packet
structure (including implementation algorithms).
The Encryption Algorithm describes the use of encryption techniques such as DES (Data
Encryption Standard) and Triple DES algorithms.
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404),
provide an authentication mechanism for the AH and ESP protocols. Please see Section 17.2
on page 221 for more information.
16.2.2 Key Management
Key management allows you to determine whether to use IKE (ISAKMP) or manual key
configuration in order to set up a VPN.
16.3 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
Figure 119 Transport and Tunnel Mode IPSec Encapsulation
16.3.1 Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP
packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located
after the original IP header and options, but before any upper layer protocols contained in the
packet (such as TCP and UDP).
With ESP, protection is applied only to the upper layer protocols contained in the packet. The
IP header information and options are not used in the authentication process. Therefore, the
originating IP address cannot be verified for integrity against the data.
With the use of AH as the security protocol, protection is extended forward into the IP header
to verify the integrity of the entire packet by use of portions of the original IP header in the
hashing process.
16.3.2 Tunnel Mode
Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is
required for gateway services to provide access to internal systems. Tunnel mode is
fundamentally an IP tunnel with authentication and encryption. This is the most common
mode of operation. Tunnel mode is required for gateway to gateway and host to gateway
communications.
Tunnel mode communications have two sets of IP headers:
Outside header: The outside IP header contains the destination IP address of the VPN
gateway.
Inside header: The inside IP header contains the destination IP address of the final
system behind the VPN gateway. The security protocol appears after the outer IP header
and before the inside IP header.
16.4 IPSec and NAT
Read this section if you are running IPSec on a host computer behind the ZyXEL Device.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec
VPN using the AH protocol digitally signs the outbound packet, both data payload and
headers, with a hash value appended to the packet. When using the AH protocol, packet
contents (the data payload) are not encrypted.
A NAT device in between the IPSec endpoints will rewrite either the source or destination
address with one of its own choosing. The VPN device at the receiving end will verify the
integrity of the incoming packet by computing its own hash value, and complain that the hash
value appended to the received packet doesn't match. The VPN device at the receiving end
doesn't know about the NAT in the middle, so it assumes that the data has been maliciously
altered.
IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers)
in a new IP packet. The new IP packet's source address is the outbound address of the sending
VPN gateway, and its destination address is the inbound address of the VPN device at the
receiving end. When using the ESP protocol with authentication, the packet contents (in this
case, the entire original packet) are encrypted. The encrypted contents, but not the new
headers, are signed with a hash value appended to the packet.
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are
performed over the combination of the "original header plus original payload," which is
unchanged by a NAT device.
Transport mode ESP with authentication is not compatible with NAT.
Table 79 VPN and NAT
SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   N
ESP                 Tunnel      Y
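As an added worked example (not code from the ZyXEL guide), the following Python model builds the four protocol/mode combinations described in Section 16.3, passes each through a NAT that rewrites the outer source address, and reproduces the NAT column of Table 79. It also goes one step beyond the text by showing why Transport mode ESP fails: the upper-layer checksum covers the IP addresses but sits inside the encrypted payload, so the NAT cannot repair it. The key, addresses, XOR "cipher" and byte-sum checksum are constructed stand-ins, not real AH/ESP or TCP encodings.

```python
import hmac, hashlib

KEY = b"constructed-shared-key"   # constructed pre-shared integrity key (assumption)

def mac(data):            # HMAC-SHA-1 as in RFC 2404 (96-bit truncation omitted)
    return hmac.new(KEY, data, hashlib.sha1).digest()

def toy_cipher(data):     # self-inverse XOR stands in for DES/3DES; not a real cipher
    return bytes(b ^ 0x5A for b in data)

def checksum(src, dst, data):
    # stand-in for the TCP/UDP checksum, which covers a pseudo-header of IP addresses
    return (sum(f"{src}{dst}".encode() + data) & 0xFFFF).to_bytes(2, "big")

def hdr(addrs):           # minimal "IP header": just the addresses the text talks about
    return f"{addrs[0]}>{addrs[1]}|".encode()

def protect(proto, mode, src, dst, data):
    """Sender side: returns (outer addresses, body, integrity tag)."""
    seg = checksum(src, dst, data) + data                 # upper-layer segment
    if mode == "transport":
        outer, body = (src, dst), seg                      # AH/ESP after the original header
    else:
        outer, body = ("gw-a", "gw-b"), hdr((src, dst)) + seg   # whole packet inside a new one
    if proto == "AH":
        return outer, body, mac(hdr(outer) + body)         # AH hash covers the IP header too
    body = toy_cipher(body)
    return outer, body, mac(body)                          # ESP auth covers only the ESP payload

def nat(outer):           # NAT rewrites the outer source; it cannot fix what it cannot read
    return ("203.0.113.9", outer[1])

def accept(proto, mode, outer, body, tag):
    """Receiver side: integrity check, decrypt, then upper-layer checksum check."""
    covered = hdr(outer) + body if proto == "AH" else body
    if not hmac.compare_digest(mac(covered), tag):
        return False                                       # "hash value doesn't match"
    if proto == "ESP":
        body = toy_cipher(body)
    if mode == "tunnel":
        inner, body = body.split(b"|", 1)
        src, dst = inner.decode().split(">")              # inner header, untouched by NAT
    else:
        src, dst = outer                                   # transport: only the rewritten header
    return body[:2] == checksum(src, dst, body[2:])

def delivered(proto, mode, through_nat=True):
    """True if the receiver accepts a packet sent with this protocol/mode combination."""
    outer, body, tag = protect(proto, mode, "10.0.0.5", "10.0.1.7", b"GET / HTTP/1.1")
    return accept(proto, mode, nat(outer) if through_nat else outer, body, tag)
```

Calling delivered(proto, mode) for the four combinations yields N, N, N, Y in the order of Table 79; with through_nat=False all four are accepted, confirming the model itself is consistent.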