Chapter 23 IPSec VPN
ZyWALL USG 50 User’s Guide
406
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode
because it is more secure. Transport mode is only used when the IPSec SA is used
for communication between the ZyWALL and remote IPSec router (for example,
for remote management), not between computers on the local and remote
networks.
Note: The ZyWALL and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP
packet. As a result, there are two IP headers:
Outside header: The outside IP header contains the IP address of the ZyWALL or
remote IPSec router, whichever is the destination.
Inside header: The inside IP header contains the IP address of the computer
behind the ZyWALL or remote IPSec router. The header for the active protocol
(AH or ESP) appears between the IP headers.
In transport mode, the encapsulation depends on the active protocol. With AH, the
ZyWALL includes part of the original IP header when it encapsulates the packet.
With ESP, however, the ZyWALL does not include the IP header when it
encapsulates the packet, so it is not possible to verify the integrity of the source IP
address.
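To make the difference in integrity coverage concrete, the following added example (not code from the guide or from ZyXEL) models the two encapsulation modes in Python. It builds minimal IPv4 headers, inserts a simplified AH or ESP header (SPI and sequence number only) and computes an integrity check value the way the two protocols do: AH's ICV covers the IP header in front of it (with mutable fields zeroed), ESP's ICV starts at the ESP header. All addresses, the integrity key and the TCP bytes are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values for this example: a shared integrity key, the two IPSec
# routers and the computers behind them.
AUTH_KEY = b"constructed-example-integrity-key"
ZYWALL, REMOTE_GW = "203.0.113.1", "198.51.100.1"      # the two IPSec routers
HOST_A, HOST_B = "192.168.1.10", "10.0.0.10"            # computers behind them
TCP_SEGMENT = b"\x00\x50\x1f\x90" + b"payload"          # constructed TCP header fragment + data
IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options). Length and checksum are
    left zero; only the position of each field matters for this model."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 0, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_covered_header(hdr: bytes) -> bytes:
    """AH authenticates the IP header with the mutable fields (TOS, flags and
    fragment offset, TTL, checksum) zeroed. The addresses stay covered."""
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def icv(data: bytes) -> bytes:
    """Integrity check value: HMAC truncated to 128 bits, as IPSec integrity
    algorithms truncate theirs."""
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:16]


def protect(ip_hdr: bytes, payload: bytes, protocol: str) -> dict:
    """Attach a simplified AH or ESP header (SPI + sequence number) and an ICV.
    AH's ICV covers the IP header in front of it; ESP's ICV starts at the ESP header."""
    proto_hdr = struct.pack("!II", 0x1000, 1)     # constructed SPI, sequence number 1
    if protocol == "AH":
        covered = ah_covered_header(ip_hdr) + proto_hdr + payload
    elif protocol == "ESP":
        covered = proto_hdr + payload
    else:
        raise ValueError(protocol)
    return {"protocol": protocol, "ip": ip_hdr, "hdr": proto_hdr,
            "payload": payload, "icv": icv(covered)}


def verify(pkt: dict) -> bool:
    """Receiver-side check: recompute the ICV over the same region."""
    if pkt["protocol"] == "AH":
        covered = ah_covered_header(pkt["ip"]) + pkt["hdr"] + pkt["payload"]
    else:
        covered = pkt["hdr"] + pkt["payload"]
    return hmac.compare_digest(icv(covered), pkt["icv"])


def transport_mode(protocol: str) -> dict:
    """Transport mode: router-to-router traffic keeps its own IP header;
    the AH/ESP header is inserted between it and the TCP header."""
    proto = IPPROTO_AH if protocol == "AH" else IPPROTO_ESP
    return protect(ip_header(ZYWALL, REMOTE_GW, proto), TCP_SEGMENT, protocol)


def tunnel_mode(protocol: str) -> dict:
    """Tunnel mode: the whole original packet (inner header + TCP + data)
    becomes the payload behind a new outer header addressed to the routers."""
    proto = IPPROTO_AH if protocol == "AH" else IPPROTO_ESP
    inner = ip_header(HOST_A, HOST_B, IPPROTO_TCP) + TCP_SEGMENT
    return protect(ip_header(ZYWALL, REMOTE_GW, proto), inner, protocol)


def _rewrite_src(hdr: bytes, new_src: str) -> bytes:
    b = bytearray(hdr)
    b[12:16] = ipaddress.IPv4Address(new_src).packed     # source address at offset 12
    return bytes(b)


def outer_source_change_detected(mode: str, protocol: str) -> bool:
    """Does the receiver notice a changed source address in the outermost IP header?"""
    pkt = (transport_mode if mode == "transport" else tunnel_mode)(protocol)
    tampered = {**pkt, "ip": _rewrite_src(pkt["ip"], "192.0.2.66")}
    return verify(pkt) and not verify(tampered)


def inner_source_change_detected(protocol: str) -> bool:
    """Tunnel mode only: the inner header is part of the protected payload,
    so a changed inner source address is caught by AH and ESP alike."""
    pkt = tunnel_mode(protocol)
    tampered = {**pkt, "payload": _rewrite_src(pkt["payload"], "192.0.2.66")}
    return verify(pkt) and not verify(tampered)
```

Running `outer_source_change_detected` for the four combinations shows the guide's point: AH catches a modified source address in either mode, ESP never covers the header in front of it, and in tunnel mode ESP still protects the inner header because it is part of the payload.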
IPSec SA Proposal and Perfect Forward Secrecy
An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on page 399), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).
Figure 238 VPN: Transport and Tunnel Mode Encapsulation
Original Packet: IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data
If you enable PFS, the ZyWALL and remote IPSec router perform a DH key
exchange every time an IPSec SA is established, changing the root key from which
encryption keys are generated. As a result, if one encryption key is compromised,
other encryption keys remain secure.
If you do not enable PFS, the ZyWALL and remote IPSec router use the same root
key that was generated when the IKE SA was established to generate encryption
keys.
The DH key exchange is time-consuming and may be unnecessary for data that
does not require such security.
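The following added example (not code from the guide or from ZyXEL) models the key derivation behind the PFS choice in Python, mirroring in simplified form how IKE derives IPSec SA keying material from the IKE root key, the fresh nonces and, with PFS, a new DH shared secret. The DH group is a toy one chosen for illustration, and `rederive_with_root_key` models the computational barrier rather than attempting a discrete logarithm: with PFS the derivation needs an ephemeral private value that is never on the wire.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only; a real IKE
# negotiation uses a standardised DH group of a secure size.
P = 2**127 - 1
G = 5


def dh_keypair() -> tuple:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def prf_plus(key: bytes, data: bytes, blocks: int = 2) -> bytes:
    """Simplified prf+ (chained HMAC over the same input), the way IKE
    stretches a secret into keying material; returns blocks*32 bytes."""
    out, t = b"", b""
    for i in range(1, blocks + 1):
        t = hmac.new(key, t + data + bytes([i]), hashlib.sha256).digest()
        out += t
    return out


def establish_ike_sa() -> bytes:
    """IKE SA: one DH exchange; the resulting root key lives as long as the IKE SA."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    shared = dh_shared(a_priv, b_pub)
    assert shared == dh_shared(b_priv, a_pub)
    return hashlib.sha256(shared).digest()


def establish_ipsec_sa(root_key: bytes, nonces: bytes, pfs: bool) -> tuple:
    """IPSec SA: derive its keys from the root key and fresh nonces, with or
    without a new DH exchange. Returns (keymat, wire_transcript) where the
    transcript holds everything that was visible on the network."""
    if pfs:
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        new_shared = dh_shared(a_priv, b_pub)            # never sent on the wire
        keymat = prf_plus(root_key, new_shared + nonces)
        transcript = {"nonces": nonces, "dh_public": (a_pub, b_pub)}
    else:
        keymat = prf_plus(root_key, nonces)
        transcript = {"nonces": nonces}
    return keymat, transcript


def rederive_with_root_key(root_key: bytes, transcript: dict):
    """What a party holding only the root key plus a recording of the exchange
    can compute. Without PFS the recorded nonces complete the derivation. With
    PFS the derivation also needs the new DH secret, which requires one of the
    ephemeral private values; those never appear on the wire, so it cannot be
    completed (modelled here by returning None)."""
    if "dh_public" in transcript:
        return None
    return prf_plus(root_key, transcript["nonces"])


def root_key_exposes_ipsec_keys(pfs: bool) -> bool:
    """True when knowledge of the root key alone recovers an IPSec SA's keys."""
    root = establish_ike_sa()
    keymat, transcript = establish_ipsec_sa(root, secrets.token_bytes(32), pfs)
    return rederive_with_root_key(root, transcript) == keymat
```

Without PFS, every IPSec SA under the same IKE SA is a deterministic function of the root key and public nonces, which is why one compromised root key exposes all of them; with PFS each SA also depends on a secret that exists only for that exchange.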
Additional Topics for IPSec SA
This section provides more information about IPSec SA in your ZyWALL.
IPSec SA using Manual Keys
You might set up an IPSec SA using manual keys when you want to establish a
VPN tunnel quickly, for example, for troubleshooting. You should only do this as a
temporary solution, however, because it is not as secure as a regular IPSec SA.
In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not
establish an IKE SA. They only establish an IPSec SA. As a result, an IPSec SA
using manual keys has some characteristics of IKE SA and some characteristics of
IPSec SA. There are also some differences between IPSec SA using manual keys
and other types of SA.
IPSec SA Proposal using Manual Keys
In an IPSec SA using manual keys, you can only specify one encryption algorithm
and one authentication algorithm. You cannot specify several proposals. There is
no DH key exchange, so you have to provide the encryption key and the
authentication key the ZyWALL and remote IPSec router use.
Note: The ZyWALL and remote IPSec router must use the same encryption key and
authentication key.
Authentication and the Security Parameter Index (SPI)
For authentication, the ZyWALL and remote IPSec router use the SPI, instead of
pre-shared keys, ID type and content. The SPI is an identification number.
Note: The ZyWALL and remote IPSec router must use the same SPI.
NAT for Inbound and Outbound Traffic
The ZyWALL can translate the following types of network addresses in an IPSec SA.
Source address in outbound packets - this translation is necessary if you want
the ZyWALL to route packets from computers outside the local network through
the IPSec SA.
Source address in inbound packets - this translation hides the source address of
computers in the remote network.
Destination address in inbound packets - this translation is used if you want to
forward packets (for example, mail) from the remote network to a specific
computer (like the mail server) in the local network.
Each kind of translation is explained below. The following example is used to help
explain each one.
Figure 239 VPN Example: NAT for Inbound and Outbound Traffic
Source Address in Outbound Packets (Outbound Traffic, Source NAT)
This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA. For example, in Figure 239 on page 408, you have to configure this kind of translation if you want computer M to establish a connection with any computer in the remote network (B). If you do not configure it, the remote IPSec router may not route messages for computer M through the IPSec SA because computer M's IP address is not part of its local policy.
To set up this NAT, you have to specify the following information:
Source - the original source address; most likely, computer M's network.
Destination - the original destination address; the remote network (B).
SNAT - the translated source address; the local network (A).
Source Address in Inbound Packets (Inbound Traffic, Source NAT)
You can set up this translation if you want to change the source address of
computers in the remote network. To set up this NAT, you have to specify the
following information:
Source - the original source address; the remote network (B).
Destination - the original destination address; the local network (A).
SNAT - the translated source address; a different IP address (range of addresses) to hide the original source address.
Destination Address in Inbound Packets (Inbound Traffic, Destination NAT)
You can set up this translation if you want the ZyWALL to forward some packets from the remote network to a specific computer in the local network. For example, in Figure 239 on page 408, you can configure this kind of translation if you want to forward mail from the remote network to the mail server in the local network (A).
You have to specify one or more rules when you set up this kind of NAT. The ZyWALL checks these rules in much the same way as it checks firewall rules. The first part of each rule defines the conditions under which the rule applies.
Original IP - the original destination address; the remote network (B).
Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection.
Original Port - the original destination port or range of destination ports; in Figure 239 on page 408, it might be port 25 for SMTP.
The second part of these rules controls the translation when the condition is
satisfied.
Mapped IP - the translated destination address; in Figure 239 on page 408, the IP address of the mail server in the local network (A).
Mapped Port - the translated destination port or range of destination ports.
The original port range and the mapped port range must be the same size.
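The three translations above follow one pattern: a condition on the original addresses (and, for destination NAT, protocol and port), then a rewrite. The following added example (not code from the guide or from ZyXEL) implements that pattern in Python as first-match rule lists, including the requirement that the original and mapped port ranges be the same size, so that a port keeps its offset within the range. The networks, the mail server address and the rules are constructed for the example; how the device maps a source network onto a translated network is not specified in the text, so this model assumes a same-size range with preserved host offset, or a single shared address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "TCP" or "UDP"
    dport: int


def port_ranges_compatible(original: Tuple[int, int], mapped: Tuple[int, int]) -> bool:
    """The guide's rule: original and mapped port ranges must be the same size."""
    return original[1] - original[0] == mapped[1] - mapped[0]


@dataclass(frozen=True)
class SourceNatRule:
    """Outbound or inbound source NAT: match on original source and
    destination, rewrite the source."""
    source: str       # original source network
    destination: str  # original destination network
    snat: str         # translated source: a single address or a network

    def __post_init__(self):
        src = ipaddress.ip_network(self.source, strict=False)
        snat = ipaddress.ip_network(self.snat, strict=False)
        # Assumption of this model: a translated network is the same size as
        # the original so each host keeps its offset; a single address is
        # shared by all hosts.
        if snat.num_addresses not in (1, src.num_addresses):
            raise ValueError("SNAT must be one address or match the source range size")


@dataclass(frozen=True)
class DestNatRule:
    """Inbound destination NAT: the first part (original_ip, protocol,
    original_ports) is the condition, the second part (mapped_*) the translation."""
    original_ip: str
    protocol: str               # "TCP", "UDP" or "both"
    original_ports: Tuple[int, int]
    mapped_ip: str
    mapped_ports: Tuple[int, int]

    def __post_init__(self):
        if not port_ranges_compatible(self.original_ports, self.mapped_ports):
            raise ValueError("original and mapped port ranges must be the same size")


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def translate_source(pkt: Packet, rules: List[SourceNatRule]) -> Packet:
    """Apply the first matching source NAT rule; unmatched packets pass unchanged."""
    for r in rules:
        if _in(pkt.src, r.source) and _in(pkt.dst, r.destination):
            snat = ipaddress.ip_network(r.snat, strict=False)
            if snat.num_addresses == 1:
                new_src = snat.network_address
            else:
                src_net = ipaddress.ip_network(r.source, strict=False)
                offset = int(ipaddress.ip_address(pkt.src)) - int(src_net.network_address)
                new_src = snat.network_address + offset
            return Packet(str(new_src), pkt.dst, pkt.proto, pkt.dport)
    return pkt


def translate_destination(pkt: Packet, rules: List[DestNatRule]) -> Packet:
    """Rules are checked in order like firewall rules; the first whose
    condition holds rewrites the destination address and shifts the port by
    the offset it had within the original range."""
    for r in rules:
        lo, hi = r.original_ports
        if (_in(pkt.dst, r.original_ip)
                and r.protocol in (pkt.proto, "both")
                and lo <= pkt.dport <= hi):
            new_port = r.mapped_ports[0] + (pkt.dport - lo)
            return Packet(pkt.src, r.mapped_ip, pkt.proto, new_port)
    return pkt


# Constructed example: local network A, remote network B, computer M's network
# outside the local policy, and a mail server inside A.
LOCAL_A = "192.168.1.0/24"
REMOTE_B = "10.0.0.0/24"
NET_M = "172.16.0.0/24"
MAIL_SERVER = "192.168.1.25"

OUTBOUND_SNAT = [SourceNatRule(source=NET_M, destination=REMOTE_B, snat=LOCAL_A)]
INBOUND_SNAT = [SourceNatRule(source=REMOTE_B, destination=LOCAL_A, snat="100.64.0.1")]
INBOUND_DNAT = [
    DestNatRule("192.168.1.1", "TCP", (25, 25), MAIL_SERVER, (25, 25)),          # SMTP to the mail server
    DestNatRule("192.168.1.1", "both", (5000, 5009), "192.168.1.30", (6000, 6009)),  # a 10-port range
]
```

With these rules an outbound packet from 172.16.0.7 to the remote network leaves with source 192.168.1.7 (inside A), an inbound packet from B is rewritten to source 100.64.0.1, and an inbound TCP port 25 packet addressed to 192.168.1.1 is delivered to the mail server; a UDP packet to port 25 matches no rule and is left unchanged.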