Chapter 20 IPSec VPN

Use the VPN Concentrator screens (see Section 20.4 on page 369) to combine several IPSec VPN connections into a single secure network.

Use the SA Monitor screen (see Section 20.5 on page 371) to display and manage the active IPSec SAs.

20.1.2 What You Need to Know About IPSec VPN

An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.

Figure 250 VPN: IKE SA and IPSec SA

In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.

Dynamic IPSec VPN Rules

A dynamic IPSec VPN rule does not specify the remote IPSec router’s IP address or domain name. This allows a remote IPSec router with a dynamic IP address to initiate a VPN tunnel to the ZyWALL. Because the ZyWALL does not know the remote router's address in advance, only the remote IPSec router can initiate a dynamic VPN tunnel.

Finding Out More

See Section 5.4.4 on page 114 for related information on these screens.

See Section 20.6 on page 373 for IPSec VPN background information.

See Section 6.4 on page 144 for an example of configuring IPSec VPN.

20.1.3 Before You Begin

This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting.


ZyWALL USG 100/200 Series User’s Guide