ZyXEL Communications USG 2000 User Manual

Chapter 25 IPSec VPN
ZyWALL USG 2000 User’s Guide
476
• The local and peer ID type and content come from the certificates.
Note: You must set up the certificates for the ZyWALL and remote IPSec router first.
IPSec SA Overview
Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore.
This section introduces the key components of an IPSec SA.
Local Network and Remote Network
In an IPSec SA, the local network, the one(s) connected to the ZyWALL, may be called the local policy. Similarly, the remote network, the one(s) connected to the remote IPSec router, may be called the remote policy.
Active Protocol
The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406).
Note: The ZyWALL and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP works better with NAT.
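The following Python model is an added illustration, not part of the User's Guide, of why the text prefers ESP with NAT: AH's integrity check covers the outer IP header (with mutable fields zeroed), so a NAT rewriting the source address invalidates it, while ESP's check covers only the ESP header and payload. The key, addresses and HMAC-SHA1-96 algorithm are constructed assumptions for the demo.

```python
import hmac
import hashlib
import struct

# Constructed sample integrity key; a real SA key is negotiated by IKE.
KEY = b"constructed-demo-key"
AH, ESP = 51, 50   # IP protocol numbers for the two active protocols

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header (constructed; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def authenticated_bytes(packet):
    """Select what the ICV covers. AH (RFC 2402) covers the IP header with its
    mutable fields (TTL, checksum) zeroed plus everything after it; ESP
    (RFC 2406) covers only the ESP header and payload, never the IP header."""
    hdr, body = bytearray(packet[:20]), packet[20:]
    if hdr[9] == AH:
        hdr[8] = 0                 # TTL changes at every hop
        hdr[10:12] = b"\x00\x00"   # header checksum is recomputed per hop
        return bytes(hdr) + body
    if hdr[9] == ESP:
        return body
    raise ValueError("not an IPSec packet")

def icv(packet):
    """HMAC-SHA1-96 integrity check value over the authenticated bytes."""
    return hmac.new(KEY, authenticated_bytes(packet), hashlib.sha1).digest()[:12]

def nat_rewrite_src(packet, new_src):
    """Model a NAT device replacing the source address (checksum left zero)."""
    return packet[:12] + bytes(map(int, new_src.split("."))) + packet[16:]

def survives_nat(proto):
    """Build a packet with the given active protocol, compute its ICV as the
    sender would, pass it through NAT, and verify it as the receiver would."""
    body = b"\x00\x00\x10\x01\x00\x00\x00\x07" + b"constructed payload"
    sent = ipv4_header("192.168.1.10", "203.0.113.5", proto) + body
    tag = icv(sent)
    received = nat_rewrite_src(sent, "198.51.100.7")
    return hmac.compare_digest(icv(received), tag)

if __name__ == "__main__":
    print("AH  verifies after NAT:", survives_nat(AH))   # False
    print("ESP verifies after NAT:", survives_nat(ESP))  # True
```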
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
Note: The ZyWALL and remote IPSec router must use the same encapsulation.