ZyXEL Communications wireless n gigabit router zyxel User Manual

Chapter 15 IPSec VPN
NBG-460N User’s Guide
• Use the SA Monitor screen to display and manage active VPN connections.
15.3  What You Need To Know
A VPN tunnel is usually established in two phases. Each phase establishes a 
security association (SA), a contract indicating what security parameters the 
NBG-460N and the remote IPSec router will use. 
The first phase establishes an Internet Key Exchange (IKE) SA between the 
NBG-460N and remote IPSec router. The second phase uses the IKE SA to securely 
establish an IPSec SA through which the NBG-460N and remote IPSec router can 
send data between computers on the local network and remote network. The 
following figure illustrates this.
Figure 129   VPN: IKE SA and IPSec SA 
In this example, a computer in network A is exchanging data with a computer in 
network B. Inside networks A and B, the data is transmitted the same way data is 
normally transmitted in the networks. Between routers X and Y, the data is 
protected by tunneling, encryption, authentication, and other security features of 
the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X 
and Y established first.
15.3.1  IKE SA (IKE Phase 1) Overview
The IKE SA provides a secure connection between the NBG-460N and remote 
IPSec router.
It takes several steps to establish an IKE SA. The negotiation mode determines 
the number of steps to use. There are two negotiation modes: main mode and 
aggressive mode. Main mode provides better security, while aggressive mode is 
faster.
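
The following added example is not part of the ZyXEL manual. It shows how an administrator can tell from captured IKEv1 traffic (UDP port 500) whether a peer is negotiating phase 1 in main mode or aggressive mode, and when the exchange has moved on to phase 2, by reading the fixed ISAKMP header. The exchange type numbers come from RFC 2408 and RFC 2409; the function names are hypothetical and the sample messages are constructed, not captured from an NBG-460N.

```python
import struct

# ISAKMP (IKEv1) fixed header, RFC 2408 section 3.1: 28 bytes, network order.
# Fields: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types defined in RFC 2408 / RFC 2409.
EXCHANGE_TYPES = {
    2: ("phase 1", "main mode"),
    4: ("phase 1", "aggressive mode"),
    5: ("either", "informational"),
    32: ("phase 2", "quick mode"),
}

def classify_ike_packet(data: bytes) -> dict:
    """Classify one IKEv1 message (UDP port 500 payload) by phase and mode."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _icookie, rcookie, _next, version, xchg, flags, msg_id, length = \
        ISAKMP_HEADER.unpack_from(data)
    if version >> 4 != 1:
        raise ValueError("not IKEv1 (major version %d)" % (version >> 4))
    if length < ISAKMP_HEADER.size or length > len(data):
        raise ValueError("header length field does not match the datagram")
    phase, mode = EXCHANGE_TYPES.get(xchg, ("unknown", "exchange type %d" % xchg))
    return {
        "phase": phase,
        "mode": mode,
        "encrypted": bool(flags & 0x01),  # E flag: payloads are encrypted
        # Phase 1 uses message ID 0; each phase 2 negotiation has its own ID.
        "message_id": msg_id,
        # The responder cookie is all zero only in the initiator's first message.
        "first_message": rcookie == b"\x00" * 8,
    }

def constructed_header(xchg, msg_id=0, flags=0, rcookie=b"\x00" * 8):
    """Build a header-only sample message (constructed data, not a capture)."""
    return ISAKMP_HEADER.pack(b"\x11" * 8, rcookie, 1, 0x10, xchg, flags, msg_id, 28)

if __name__ == "__main__":
    samples = [
        constructed_header(2),                       # main mode, first message
        constructed_header(4),                       # aggressive mode, first message
        constructed_header(32, 0x1234, 1, b"\x22" * 8),  # quick mode under the IKE SA
    ]
    for sample in samples:
        print(classify_ike_packet(sample))
```

Messages on UDP port 4500 (NAT traversal) carry a four-byte zero marker before this header, which this example does not strip.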