Chapter 12 IPSec VPN

12.2 What You Need to Know

A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the P-2812HNU-51c and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the P-2812HNU-51c and remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the P-2812HNU-51c and remote IPSec router can send data between computers on the local network and remote network. The following figure illustrates this.

Figure 128 VPN: IKE SA and IPSec SA

[Figure: networks A and B, with routers X and Y joined by the IKE SA and the IPSec SA]

In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X and Y established first.

Remote IPSec Gateway Address

Remote IPSec Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway).

If the remote secure gateway has a static WAN IP address, enter it in the Remote IPSec Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one) in the Remote IPSec Gateway Address field.

You can also enter a remote IPSec gateway’s domain name in the Remote IPSec Gateway Address field if the remote gateway has a dynamic WAN IP address and is using DDNS. The P-2812HNU-51c has to rebuild the VPN tunnel each time the remote gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
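The rebuild behaviour described above, as an added sketch that is not the P-2812HNU-51c's own code: it replays constructed lookup results for a remote gateway's DDNS name and reports when a tunnel would be built or rebuilt, and how long the old address stayed in use after the peer really changed. Periodic polling, the addresses, the timings and the function names are all assumptions made for the illustration.

```python
# Added illustration; not firmware code. All names and data are hypothetical.
# Constructed lookups of the peer's DDNS name: (seconds, resolved IP or None).
POLLS = [
    (0,   "192.0.2.10"),
    (60,  "192.0.2.10"),
    (120, None),            # lookup failed
    (180, "192.0.2.10"),    # DDNS record not yet updated
    (240, "198.51.100.7"),  # DDNS now returns the new address
    (300, "198.51.100.7"),
]


def plan_tunnel_actions(polls):
    """Return (time, action, old_ip, new_ip) for each build or rebuild."""
    actions, current = [], None
    for ts, ip in polls:
        if ip is None:
            continue  # failed lookup: keep the endpoint the tunnel already uses
        if current is None:
            actions.append((ts, "build", None, ip))
        elif ip != current:
            # Peer address changed: the IKE SA and IPSec SA must be set up again.
            actions.append((ts, "rebuild", current, ip))
        current = ip
    return actions


def stale_seconds(polls, changed_at, new_ip):
    """Seconds between the peer's real address change and the first lookup
    that returns the new address (DDNS update delay plus polling interval)."""
    for ts, ip in polls:
        if ts >= changed_at and ip == new_ip:
            return ts - changed_at
    return None  # new address never observed in this data


if __name__ == "__main__":
    for action in plan_tunnel_actions(POLLS):
        print(action)
    # Assumed: the peer's WAN address actually changed at t=150.
    print("stale for", stale_seconds(POLLS, 150, "198.51.100.7"), "seconds")
```

During the stale interval the tunnel is down, so the figure is a direct measure of the outage the DDNS delay causes.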

P-2812HNU-51c User’s Guide