ZyXEL Communications ZyWALL5UTM 4.0 19.1 VPN/IPSec Overview, 19.2 IPSec Algorithms, 19.2.1 AH (Authentication Header) Protocol, 19.2.2 ESP (Encapsulating Security Payload) Protocol

ZyWALL 5/35/70 Series User’s Guide

CH A P T E R 19

VPN Screens

This chapter introduces the VPN Web Configurator. See Chapter 30 on page 468 for information on viewing logs and Appendix S on page 770 for IPSec log descriptions.

19.1 VPN/IPSec Overview

Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.

19.2 IPSec Algorithms

The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.

19.2.1 AH (Authentication Header) Protocol

AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed.

In applications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of the originator.

19.2.2 ESP (Encapsulating Security Payload) Protocol

The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH. ESP authenticating properties are limited compared to the AH due to the non-inclusion of the IP header information during the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.

An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.