ZyXEL Communications P-2608HWL-Dx Series User Manual

P-2608HWL-Dx Series User’s Guide
Chapter 18 IPSec VPN
Figure 120   VPN: IKE SA and IPSec SA 
In this example, a computer in network A is exchanging data with a computer in network B.
Inside networks A and B, the data is transmitted the same way data is normally transmitted in 
the networks. Between routers X and Y, the data is protected by the tunneling, encryption, and 
authentication of the IPSec SA. The IPSec SA is established securely using the IKE SA that 
routers X and Y established first.
The rest of this section discusses IKE SA and IPSec SA in more detail.
18.1.1  IKE SA Overview
The IKE SA provides a secure connection between the ZyXEL Device and the remote IPSec 
router.
It takes several steps to establish an IKE SA. The negotiation mode determines how many 
steps are required. There are two negotiation modes: main mode and aggressive mode. Main 
mode provides better security, while aggressive mode is faster.
Note: Both routers must use the same negotiation mode.
These modes are discussed in more detail in 
. The examples in 
this section use main mode.
18.1.1.1  IP Addresses of the ZyXEL Device and Remote IPSec Router
In the ZyXEL Device, you have to specify the IP addresses of the ZyXEL Device and the 
remote IPSec router to establish an IKE SA.
You can usually provide a static IP address or a domain name for the ZyXEL Device. 
Sometimes, your ZyXEL Device might also offer another alternative, such as using the IP 
address of a port or interface.
You can usually provide a static IP address or a domain name for the remote IPSec router as 
well. Sometimes, you might not know the IP address of the remote IPSec router (for example, 
telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router 
can initiate an IKE SA.
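
The following is an added example, not part of the original guide or of ZyXEL's software: a pre-deployment check of two routers' IKE SA settings against the rules above (same negotiation mode on both sides; a router that does not know its peer's address can only respond). The `IkePeer` record, the `check_ike_pair` function and the sample addresses are assumptions made for illustration, and the case where neither side knows the other's address goes one step beyond the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODES = {"main", "aggressive"}

@dataclass
class IkePeer:
    name: str
    mode: str                   # negotiation mode: "main" or "aggressive"
    local_addr: str             # this router's static IP or domain name
    remote_addr: Optional[str]  # peer's address; None = not known in advance

def check_ike_pair(x: IkePeer, y: IkePeer) -> Tuple[List[str], List[str]]:
    """Return (problems, initiators) for two routers' IKE SA settings."""
    problems: List[str] = []
    for p in (x, y):
        if p.mode not in MODES:
            problems.append(f"{p.name}: unknown negotiation mode {p.mode!r}")
    if x.mode != y.mode:
        problems.append(
            f"negotiation mode mismatch: {x.name}={x.mode}, {y.name}={y.mode}")
    initiators: List[str] = []
    for me, peer in ((x, y), (y, x)):
        if me.remote_addr is None:
            continue  # peer address unknown: this side can only respond
        # Plain string comparison (assumption): no DNS lookup is performed.
        if me.remote_addr.lower() != peer.local_addr.lower():
            problems.append(
                f"{me.name}: remote address {me.remote_addr} is not "
                f"{peer.name}'s address {peer.local_addr}")
            continue
        initiators.append(me.name)
    if not initiators:
        problems.append("neither router can initiate the IKE SA")
    return problems, initiators

if __name__ == "__main__":
    # Constructed sample: office router X does not know telecommuter Y's address.
    x = IkePeer("X", "main", "203.0.113.1", None)
    y = IkePeer("Y", "main", "y.example.net", "203.0.113.1")
    print(check_ike_pair(x, y))
```
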