ZyXEL Communications 2 Plus User Manual

Chapter 14 IPSec VPN
ZyWALL 2 Plus User’s Guide
272
14.6.3  Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each 
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two 
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security 
Payload, RFC 2406).
"
The ZyWALL and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP works better 
through NAT.
14.6.4  Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is 
more secure. Transport mode is only used when the IPSec SA is used for communication 
between the ZyWALL and remote IPSec router (for example, for remote management), not 
between computers on the local and remote networks.
"
The ZyWALL and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a 
result, there are two IP headers:
• Outside header: The outside IP header contains the IP address of the ZyWALL or remote 
IPSec router, whichever is the destination.
• Inside header: The inside IP header contains the IP address of the computer behind the 
ZyWALL or remote IPSec router. The header for the active protocol (AH or ESP) appears 
between the IP headers.
Figure 180   VPN: Transport and Tunnel Mode Encapsulation
Original Packet: IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data
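To make the layouts in Figure 180 concrete, the following is an added Python example (not code from the ZyWALL manual or from ZyXEL) that builds the three packet shapes from constructed headers and then classifies a packet's active protocol and encapsulation mode from the outer header alone. It also shows why a capture tool can tell transport from tunnel mode for AH but not for ESP. The addresses, SPIs, sequence numbers and the zeroed ICV are constructed sample values.

```python
import socket
import struct

# IANA IP protocol numbers for the headers shown in Figure 180
PROTO_IPIP, PROTO_TCP, PROTO_ESP, PROTO_AH = 4, 6, 50, 51

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_header(next_header: int, spi: int, seq: int) -> bytes:
    """AH (RFC 2402): Next Header, Payload Len, Reserved, SPI, Sequence, 96-bit ICV."""
    icv = b"\x00" * 12                      # placeholder ICV, not a real HMAC
    payload_len = (12 + len(icv)) // 4 - 2  # length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def esp_header(spi: int, seq: int) -> bytes:
    """ESP (RFC 2406): SPI and Sequence Number; everything after is ciphertext."""
    return struct.pack("!II", spi, seq)

def classify(packet: bytes):
    """Return (active protocol, mode) using only what is visible on the wire."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == PROTO_AH:
        next_header = packet[ihl]  # AH is cleartext, so its Next Header is readable
        return "AH", "tunnel" if next_header == PROTO_IPIP else "transport"
    if proto == PROTO_ESP:
        return "ESP", "undetermined"  # ESP's Next Header sits in the encrypted trailer
    return "none", "none"

TCP_SEG = b"\x00\x50\x1f\x90" + b"\x00" * 16 + b"data"   # constructed TCP segment
INNER = ipv4_header("192.168.1.10", "10.0.0.20", PROTO_TCP, len(TCP_SEG)) + TCP_SEG

# Transport mode: IP | AH | TCP | Data  (AH Next Header = TCP)
AH_TRANSPORT = (ipv4_header("203.0.113.1", "198.51.100.1", PROTO_AH, 24 + len(TCP_SEG))
                + ah_header(PROTO_TCP, 0x100, 1) + TCP_SEG)
# Tunnel mode: IP | AH | IP | TCP | Data  (AH Next Header = IP-in-IP)
AH_TUNNEL = (ipv4_header("203.0.113.1", "198.51.100.1", PROTO_AH, 24 + len(INNER))
             + ah_header(PROTO_IPIP, 0x100, 2) + INNER)
# Tunnel mode with ESP: IP | ESP | <encrypted inner IP, TCP, Data, trailer>
ESP_TUNNEL = (ipv4_header("203.0.113.1", "198.51.100.1", PROTO_ESP, 8 + len(INNER))
              + esp_header(0x200, 1) + bytes(b ^ 0xAA for b in INNER))  # stand-in ciphertext
```

Because the AH ICV covers the outer IP addresses, a NAT device rewriting them invalidates the packet, which is the reason the manual recommends ESP when NAT is in the path.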