ZyXEL Communications 2 Plus User Manual

 Chapter 14 IPSec VPN
ZyWALL 2 Plus User’s Guide
In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL includes part of the original IP header when it encapsulates the packet. With ESP, however, the ZyWALL does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address.
14.6.5  IPSec SA Proposal and Perfect Forward Secrecy
An IPSec SA proposal is similar to an IKE SA proposal (see ), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).
If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.

If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys.

The DH key exchange is time-consuming and may be unnecessary for data that does not require such security.
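As an added illustration (not code from the ZyWALL guide or from ZyXEL), the following Python models the two key-derivation paths described above: one root key from the IKE SA's DH exchange, then IPSec SA keys derived either from that root key alone (no PFS) or from the root key plus a fresh DH exchange (PFS). The toy DH group, the HMAC-SHA256 stand-in for the IKE PRF and the derivation layout are simplifying assumptions, not the ZyWALL's actual IKE implementation.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (an assumption of this example,
# not one of the DH groups the ZyWALL offers): p is the Mersenne prime 2^127 - 1.
P = 2**127 - 1
G = 5

def dh_keypair():
    """One side's (private, public) pair for a DH exchange."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """Shared secret g^(ab) mod p, serialised as 16 bytes."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def prf(key, data):
    """Stand-in for the IKE pseudo-random function (HMAC-SHA256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def ike_root_key():
    """Phase 1: the IKE SA's DH exchange yields the root key both routers hold."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    assert dh_shared(a, pub_b) == dh_shared(b, pub_a)
    return prf(b"IKE-SA-root", dh_shared(a, pub_b))

def child_sa_key(root, nonces, pfs):
    """Phase 2: derive one IPSec SA key. Returns (key, values visible on the wire)."""
    if not pfs:
        # No PFS: the key depends only on the root key and the exchanged nonces.
        return prf(root, nonces), nonces
    # PFS: a fresh DH exchange per IPSec SA; only its public halves cross the wire,
    # and the private values x, y are discarded once the key is derived.
    x, pub_x = dh_keypair()
    y, pub_y = dh_keypair()
    wire = nonces + pub_x.to_bytes(16, "big") + pub_y.to_bytes(16, "big")
    return prf(root, dh_shared(x, pub_y) + nonces), wire

def derive_from_root_only(root, wire):
    """What the root key plus the values seen on the wire can reproduce."""
    return prf(root, wire)

def root_key_exposes_child_key(pfs):
    """True if exposure of the root key alone reproduces the IPSec SA key."""
    root = ike_root_key()
    key, wire = child_sa_key(root, secrets.token_bytes(16), pfs)
    return derive_from_root_only(root, wire) == key
```

Without PFS the root key and the public nonces reproduce every IPSec SA key; with PFS each key also depends on a DH secret that never leaves either router, which is the property the section describes.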
14.7  VPN Rules (IKE) Network Policy Edit
Click SECURITY > VPN and the add network policy ( ) icon or a network policy’s edit icon in the VPN Rules (IKE) screen to display the VPN - Network Policy - Edit screen. Use this screen to configure a network policy. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.