ZyXEL Communications ISG50 User Manual

Chapter 24 IPSec VPN
24.1.2  What You Need to Know
An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security 
association (SA), a contract indicating what security parameters the ISG50 and the remote IPSec 
router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ISG50 
and remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA 
through which the ISG50 and remote IPSec router can send data between computers on the local 
network and remote network. This is illustrated in the following figure.
Figure 247   VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside 
networks A and B, the data is transmitted the same way data is normally transmitted in the 
networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, 
and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y 
established the IKE SA first.
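The dependency of the IPSec SA on the IKE SA can be seen in the key derivation itself. The following Python example is added here and is not part of the ZyXEL manual; it assumes IKEv1 with a pre-shared key as specified in RFC 2409, HMAC-SHA256 as the prf, and a toy Diffie-Hellman group, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for this example, NOT a real IKE group).
P = 2**127 - 1   # a Mersenne prime; far too small for real use
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf, assumed here to be HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def phase1_ike_sa(psk, dh_shared, ni, nr, cky_i, cky_r):
    """Phase 1 (RFC 2409, pre-shared key): derive the IKE SA secrets."""
    g_xy = dh_shared.to_bytes(16, "big")
    skeyid = prf(psk, ni + nr)
    tail = g_xy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")             # seeds phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")  # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")  # encrypts IKE messages
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}

def phase2_ipsec_keymat(ike_sa, spi, ni2, nr2, protocol=50):
    """Phase 2 (Quick Mode, no PFS): KEYMAT block for one IPSec SA (50 = ESP)."""
    return prf(ike_sa["d"], bytes([protocol]) + spi + ni2 + nr2)

def negotiate(psk_x: bytes, psk_y: bytes):
    """Run both phases for routers X and Y; return each side's KEYMAT."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pub_x, pub_y = pow(G, x, P), pow(G, y, P)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sa_x = phase1_ike_sa(psk_x, pow(pub_y, x, P), ni, nr, cky_i, cky_r)
    sa_y = phase1_ike_sa(psk_y, pow(pub_x, y, P), ni, nr, cky_i, cky_r)
    # Phase 2 uses fresh nonces and an SPI, but its keys hang off SKEYID_d.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    return (phase2_ipsec_keymat(sa_x, spi, ni2, nr2),
            phase2_ipsec_keymat(sa_y, spi, ni2, nr2))

if __name__ == "__main__":
    km_x, km_y = negotiate(b"constructed-psk", b"constructed-psk")
    print("matching PSK  -> same IPSec keys:", km_x == km_y)
    km_x, km_y = negotiate(b"constructed-psk", b"wrong-psk")
    print("different PSK -> same IPSec keys:", km_x == km_y)
```

Because KEYMAT is computed from SKEYID_d, a phase 1 mismatch (here, a different pre-shared key) leaves the two routers without a common IPSec SA key.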