Chapter 14 IPSec VPN
14.6.3 Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406).
The ZyWALL and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH provides authentication only and does not support encryption. AH also authenticates the outer IP header, including its source and destination addresses, so a NAT device between the ZyWALL and the remote IPSec router that rewrites those addresses makes every packet fail its integrity check. ESP does not cover the outer IP header, which is why it is the suitable choice when NAT is in the path.
14.6.4 Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure: the entire original IP packet, including the addresses of the computers on the local and remote networks, is protected and carried behind a new outer IP header. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
The ZyWALL and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
Figure 180 VPN: Transport and Tunnel Mode Encapsulation
Original Packet:       | IP Header | TCP Header | Data |
Transport Mode Packet: | IP Header | AH/ESP Header | TCP Header | Data |
Tunnel Mode Packet:    | IP Header | AH/ESP Header | IP Header | TCP Header | Data |
In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire original IP packet. As a result, there are two IP headers:
•Outside header: The outside IP header carries the IP addresses of the two IPSec gateways, the ZyWALL and the remote IPSec router; whichever is sending is the source and the other is the destination. Intermediate routers and NAT devices only ever see this header.
•Inside header: The inside IP header is the original one and contains the IP addresses of the computers behind the ZyWALL and the remote IPSec router. The header for the active protocol (AH or ESP) appears between the two IP headers.
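The following Python script is an added example and is not code from the ZyWALL user's guide or from ZyXEL. It builds the three packet layouts of Figure 180 for both active protocols and then shows why 14.6.3 recommends ESP when NAT is in the path: AH's integrity check covers the outer IP addresses, ESP's does not. The integrity algorithm is HMAC-SHA1-96 as RFC 2404 specifies for AH and ESP; ESP uses NULL encryption (RFC 2410) so the bytes stay inspectable, IPv4 header checksums are left at zero for brevity, and the key, SPIs and all addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demonstration key; none of this is ZyWALL configuration.
KEY = b"demo-integrity-key-not-a-real-key"
IP_PROTO_IPIP, IP_PROTO_TCP, IP_PROTO_ESP, IP_PROTO_AH = 4, 6, 50, 51


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (header checksum left at zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def icv(data):
    """HMAC-SHA1-96 (RFC 2404): the first 12 bytes of HMAC-SHA1, as AH and ESP carry it."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def zero_mutable(ip):
    """Zero the IPv4 fields RFC 2402 treats as mutable before AH computes its ICV:
    ToS, flags/fragment offset, TTL and header checksum. Addresses stay in the MAC input."""
    return ip[0:1] + b"\x00" + ip[2:6] + b"\x00\x00\x00" + ip[9:10] + b"\x00\x00" + ip[12:20]


def ah_packet(outer_src, outer_dst, inner, next_header, spi=0x1000, seq=1):
    """Outer IP header + AH header + ICV + inner. next_header is 6 (TCP) for transport
    mode or 4 (IP-in-IP) for tunnel mode, where inner is a complete IP packet."""
    ah_fixed = struct.pack("!BBHII", next_header, 24 // 4 - 2, 0, spi, seq)  # 24-byte AH
    ip = ipv4_header(outer_src, outer_dst, IP_PROTO_AH, 24 + len(inner))
    mac = icv(zero_mutable(ip) + ah_fixed + b"\x00" * 12 + inner)  # ICV field zeroed while hashing
    return ip + ah_fixed + mac + inner


def ah_verify(pkt):
    """Receiver-side AH check: recompute the ICV over outer header (mutable fields zeroed), AH and inner."""
    ip, ah_fixed, mac, inner = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(mac, icv(zero_mutable(ip) + ah_fixed + b"\x00" * 12 + inner))


def esp_packet(outer_src, outer_dst, inner, next_header, spi=0x2000, seq=1):
    """Outer IP header + ESP header (SPI, sequence) + payload + trailer (padding, pad length,
    next header) + ICV. NULL encryption (RFC 2410) keeps the bytes readable; the ICV covers
    only the ESP header, payload and trailer, never the outer IP header."""
    pad_len = (-(len(inner) + 2)) % 4                      # align the trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_header)
    body = struct.pack("!II", spi, seq) + inner + trailer
    ip = ipv4_header(outer_src, outer_dst, IP_PROTO_ESP, len(body) + 12)
    return ip + body + icv(body)


def esp_verify(pkt):
    """Receiver-side ESP check: the outer IP header is not part of the ICV input."""
    body, mac = pkt[20:-12], pkt[-12:]
    return hmac.compare_digest(mac, icv(body))


def nat_rewrite_source(pkt, new_src):
    """What a NAT device on the path does: rewrite the outer source address."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


def describe(pkt):
    """What an on-path device can tell from the outer headers. AH exposes its next-header
    field, so the mode is visible; real ESP hides it inside the encrypted trailer."""
    proto = pkt[9]
    if proto == IP_PROTO_AH:
        nh = pkt[20]
        return "AH " + ("tunnel" if nh == IP_PROTO_IPIP else "transport") + f" (next header {nh})"
    if proto == IP_PROTO_ESP:
        spi, seq = struct.unpack("!II", pkt[20:28])
        return f"ESP spi={spi:#x} seq={seq} (mode not visible without decrypting)"
    return f"plain IP, protocol {proto}"


# Constructed sample traffic: a TCP segment from a LAN host behind gateway A to a host behind B.
TCP_SEGMENT = bytes.fromhex("d431 0050 00000001 00000000 5018 2000 0000 0000") + b"GET / HTTP/1.0\r\n\r\n"
ORIGINAL = ipv4_header("192.168.1.10", "10.0.0.20", IP_PROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
GW_A, GW_B = "203.0.113.1", "198.51.100.1"   # the two IPSec gateways (documentation addresses)

# Transport mode: gateway-to-gateway traffic, the only IP header is the gateways' own.
AH_TRANSPORT = ah_packet(GW_A, GW_B, TCP_SEGMENT, IP_PROTO_TCP)
ESP_TRANSPORT = esp_packet(GW_A, GW_B, TCP_SEGMENT, IP_PROTO_TCP)
# Tunnel mode: the whole original packet, inner addresses included, rides behind a new outer header.
AH_TUNNEL = ah_packet(GW_A, GW_B, ORIGINAL, IP_PROTO_IPIP)
ESP_TUNNEL = esp_packet(GW_A, GW_B, ORIGINAL, IP_PROTO_IPIP)


def survives_nat(pkt, verify):
    """Does the receiver still accept the packet after NAT rewrote the outer source address?"""
    return verify(nat_rewrite_source(pkt, "192.0.2.99"))


if __name__ == "__main__":
    for name, pkt, verify in [("AH transport", AH_TRANSPORT, ah_verify), ("AH tunnel", AH_TUNNEL, ah_verify),
                              ("ESP transport", ESP_TRANSPORT, esp_verify), ("ESP tunnel", ESP_TUNNEL, esp_verify)]:
        print(f"{name:14} {len(pkt):3d} bytes  {describe(pkt):58} NAT-safe: {survives_nat(pkt, verify)}")
```

Running the script prints one line per combination: both AH packets verify before NAT and fail after it, both ESP packets verify in both cases, and only the AH packets reveal their mode to an observer, since ESP's next-header byte sits in the trailer that a real SA would encrypt. The tunnel-mode packets are 20 bytes longer than their transport-mode counterparts, which is exactly the second IP header of Figure 180.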
ZyWALL 2 Plus User's Guide