ZyXEL Communications 200 Series User Manual

Chapter 20 IPSec VPN
ZyWALL USG 100/200 Series User’s Guide
• Use the VPN Concentrator screens (see ) to combine several IPSec VPN connections into a single secure network.
• Use the SA Monitor screen (see ) to display and manage the active IPSec SAs.
20.1.2  What You Need to Know About IPSec VPN
An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security 
association (SA), a contract indicating what security parameters the ZyWALL and the remote 
IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between 
the ZyWALL and remote IPSec router. The second phase uses the IKE SA to securely 
establish an IPSec SA through which the ZyWALL and remote IPSec router can send data 
between computers on the local network and remote network. This is illustrated in the 
following figure.
Figure 250   VPN: IKE SA and IPSec SA 
In this example, a computer in network A is exchanging data with a computer in network B. 
Inside networks A and B, the data is transmitted the same way data is normally transmitted in 
the networks. Between routers X and Y, the data is protected by tunneling, encryption, 
authentication, and other security features of the IPSec SA. The IPSec SA is secure because 
routers X and Y established the IKE SA first.
Dynamic IPSec VPN Rules
A dynamic IPSec VPN rule does not specify the remote IPSec router’s IP address or domain 
name. So a remote IPSec router with a dynamic IP address can initiate a VPN tunnel to the 
ZyWALL. Only the remote IPSec router can initiate a dynamic VPN tunnel. 
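The two-phase negotiation and the static/dynamic rule distinction above can be modelled in a few lines. The following is an added illustration, not ZyXEL code: the rule names, the `GatewayRule`/`VpnState` classes and the choice to prefer an exact static peer match over a dynamic rule are assumptions made for the example.

```python
"""Model of IPSec VPN gateway rules and the IKE SA -> IPSec SA ordering.
Added illustration (not ZyXEL code). Assumptions: a static rule names its
peer, a dynamic rule has no peer and cannot be initiated locally, and an
exact static peer match is preferred over a dynamic rule on inbound IKE."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GatewayRule:
    name: str
    peer_address: Optional[str] = None  # None means a dynamic rule

    @property
    def dynamic(self) -> bool:
        return self.peer_address is None


@dataclass
class VpnState:
    ike_sas: dict = field(default_factory=dict)    # rule name -> peer IP (phase 1)
    ipsec_sas: list = field(default_factory=list)  # (rule, peer, local, remote)


def select_rule(rules, peer_ip):
    """Inbound IKE: static rule matching the peer wins, else any dynamic rule."""
    for r in rules:
        if r.peer_address == peer_ip:
            return r
    for r in rules:
        if r.dynamic:
            return r
    return None


def initiate_ike(state, rule):
    """Local phase-1 initiation needs a known peer; dynamic rules have none."""
    if rule.dynamic:
        raise ValueError(f"{rule.name}: dynamic rule, only the remote router may initiate")
    state.ike_sas[rule.name] = rule.peer_address
    return rule.peer_address


def accept_ike(state, rules, peer_ip):
    """Inbound phase-1 from peer_ip; returns the matched rule name or None."""
    rule = select_rule(rules, peer_ip)
    if rule is None:
        return None
    state.ike_sas[rule.name] = peer_ip
    return rule.name


def establish_ipsec(state, rule_name, local_net, remote_net):
    """Phase 2 rides on the rule's IKE SA; fails if phase 1 never completed."""
    if rule_name not in state.ike_sas:
        raise RuntimeError(f"no IKE SA for {rule_name}; phase 1 must succeed first")
    sa = (rule_name, state.ike_sas[rule_name], local_net, remote_net)
    state.ipsec_sas.append(sa)
    return sa
```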
Finding Out More
• See  for related information on these screens.
• See  for IPSec VPN background information.
• See  for an example of configuring IPSec VPN.
20.1.3  Before You Begin
This section briefly explains the relationship between VPN tunnels and other features. It also 
gives some basic suggestions for troubleshooting.