ZyXEL Communications 1000 User Manual

Chapter 25 IPSec VPN
ZyWALL USG 1000 User’s Guide
• Use the VPN Gateway screens (see ) to manage the ZyWALL’s VPN gateways.
  A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and
  the IKE SA settings (phase 1 settings). You can also activate and deactivate
  each VPN gateway.
• Use the VPN Concentrator screens (see ) to combine several IPSec VPN
  connections into a single secure network.
25.1.2  What You Need to Know
An IPSec VPN tunnel is usually established in two phases. Each phase establishes 
a security association (SA), a contract indicating what security parameters the 
ZyWALL and the remote IPSec router will use. The first phase establishes an 
Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router. 
The second phase uses the IKE SA to securely establish an IPSec SA through 
which the ZyWALL and remote IPSec router can send data between computers on 
the local network and remote network. This is illustrated in the following figure.
Figure 327   VPN: IKE SA and IPSec SA 
In this example, a computer in network A is exchanging data with a computer in 
network B. Inside networks A and B, the data is transmitted the same way data is 
normally transmitted in the networks. Between routers X and Y, the data is 
protected by tunneling, encryption, authentication, and other security features of 
the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE 
SA first.
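
The dependency of the IPSec SA on the IKE SA can be seen in the key derivation itself. The following sketch is an added example, not taken from this guide or from ZyXEL: it assumes IKEv1 as specified in RFC 2409 with pre-shared key authentication and HMAC-SHA1 as the prf, uses a toy Diffie-Hellman group, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters for illustration only (not an IKE MODP group).
P = 2**255 - 19
G = 2
ESP = 3  # IPsec DOI protocol ID for ESP

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 standing in for the negotiated prf (assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def phase1_skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r):
    """Phase 1 (IKE SA): SKEYID, then SKEYID_d, as in RFC 2409 section 5."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")

def phase2_keymat(skeyid_d, protocol, spi, ni_qm, nr_qm, length):
    """Phase 2 (IPSec SA): KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)."""
    seed = bytes([protocol]) + spi + ni_qm + nr_qm
    out, block = b"", b""
    while len(out) < length:  # K1, K2 = prf(SKEYID_d, K1 | seed), ...
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:length]

def negotiate(psk_x: bytes, psk_y: bytes, keylen: int = 36):
    """Run both phases for routers X and Y; return each side's IPSec keys."""
    # Phase 1 values exchanged between X (initiator) and Y (responder).
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gxy_x = pow(pow(G, y, P), x, P).to_bytes(32, "big")  # X's view of g^xy
    gxy_y = pow(pow(G, x, P), y, P).to_bytes(32, "big")  # Y's view of g^xy
    d_x = phase1_skeyid_d(psk_x, ni, nr, gxy_x, cky_i, cky_r)
    d_y = phase1_skeyid_d(psk_y, ni, nr, gxy_y, cky_i, cky_r)
    # Phase 2 (Quick Mode) values: fresh nonces and the SPI of the new ESP SA.
    ni_qm, nr_qm = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    return (phase2_keymat(d_x, ESP, spi, ni_qm, nr_qm, keylen),
            phase2_keymat(d_y, ESP, spi, ni_qm, nr_qm, keylen))

if __name__ == "__main__":
    kx, ky = negotiate(b"constructed-psk", b"constructed-psk")
    print("IPSec keys match:", kx == ky)
```

Routers that disagree on the pre-shared key end up with different phase 2 key material here; in a real exchange the mismatch already fails phase 1, so no IPSec SA is created.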