ZyXEL Communications wireless N gigabit router (NBG-460N) User Manual

 Chapter 15 IPSec VPN
NBG-460N User’s Guide
In transport mode, how much of the packet is protected depends on the IPSec 
protocol. With AH, the NBG-460N includes the immutable fields of the original IP 
header (including the source and destination addresses) in the integrity check 
when it encapsulates the packet. With ESP, however, the NBG-460N does not include 
the IP header when it encapsulates the packet, so ESP cannot verify the integrity 
of the source IP address.
15.6.9  IPSec SA Proposal and Perfect Forward Secrecy
An IPSec SA proposal is similar to an IKE SA proposal (see the earlier section on 
IKE SA proposals), except that you also choose whether or not the NBG-460N and 
the remote IPSec router perform a new DH key exchange every time an IPSec SA is 
established. This is called Perfect Forward Secrecy (PFS).
If you enable PFS, the NBG-460N and the remote IPSec router perform a DH key 
exchange every time an IPSec SA is established, so each IPSec SA gets its own 
fresh DH secret instead of relying only on the root key from which encryption 
keys are generated. As a result, if the root key or one IPSec SA's encryption key 
is compromised, the encryption keys of the other IPSec SAs remain secure. Both 
routers must be configured with the same DH group for PFS, or the IPSec SA 
negotiation fails.
If you do not enable PFS, the NBG-460N and the remote IPSec router use the same 
root key that was generated when the IKE SA was established to generate the 
encryption keys of every IPSec SA. An attacker who obtains that root key and has 
recorded the negotiations can then derive those encryption keys.
The DH key exchange is time-consuming (with PFS it is repeated at every IPSec SA 
renegotiation) and may be unnecessary for traffic that does not require this 
level of protection.
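The following is an added example, not code from the NBG-460N or from ZyXEL. It models the IKEv1 quick-mode key derivation of RFC 2409 section 5.5, KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b), with HMAC-SHA256 standing in for the negotiated PRF, and then plays an attacker who recorded the negotiations and later obtained the root key. The names `root`, `transcript`, `attacker_derive` and `demo` are this example's own, and the nonces and SPIs are generated from a seeded RNG for reproducibility.

```python
"""Why PFS matters: derive IPSec SA keys with and without a per-SA DH exchange.

Added example (not ZyXEL code).  Toy model of RFC 2409 quick-mode KEYMAT.
"""
import hashlib
import hmac
import random

# RFC 2409 Oakley group 2 (MODP-1024) prime and generator, transcribed here
# for realism; the logic of the demo does not depend on the exact value.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
PLEN = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the PRF negotiated in the IKE SA proposal."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair(rng: random.Random):
    priv = rng.randrange(2, P - 2)
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(PLEN, "big")


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def establish_ike_sa(rng: random.Random) -> bytes:
    """IKE SA: one DH exchange yields the root key (IKEv1's SKEYID_d)."""
    a_priv, a_pub = dh_keypair(rng)
    b_priv, b_pub = dh_keypair(rng)
    nonces = rand_bytes(rng, 16) + rand_bytes(rng, 16)
    root_a = prf(nonces, dh_shared(a_priv, b_pub))
    root_b = prf(nonces, dh_shared(b_priv, a_pub))
    assert root_a == root_b          # both routers now hold the same root key
    return root_a


def establish_ipsec_sa(root: bytes, rng: random.Random, pfs: bool):
    """IPSec SA: derive one ESP key.  Returns (key, public transcript).

    The transcript is what a passive observer on the wire sees: SPI, nonces
    and, with PFS, the two DH public values.  Never the private exponents.
    """
    spi = rand_bytes(rng, 4)
    ni, nr = rand_bytes(rng, 16), rand_bytes(rng, 16)
    transcript = {"spi": spi, "ni": ni, "nr": nr, "pfs": pfs}
    if pfs:
        a_priv, a_pub = dh_keypair(rng)
        b_priv, b_pub = dh_keypair(rng)
        transcript["dh_pubs"] = (a_pub, b_pub)
        gxy_a, gxy_b = dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub)
    else:
        gxy_a = gxy_b = b""          # no new secret: only the root key is secret
    key_a = prf(root, gxy_a + b"ESP" + spi + ni + nr)
    key_b = prf(root, gxy_b + b"ESP" + spi + ni + nr)
    assert key_a == key_b
    return key_a, transcript


def attacker_derive(root: bytes, transcript: dict):
    """Attacker who recorded the negotiation and later obtained the root key.

    Without PFS every input to KEYMAT is either the root key or public, so
    the IPSec key falls out directly.  With PFS the derivation also needs
    g^xy, but the transcript only holds g^x and g^y; getting g^xy means
    solving the discrete log, so the attacker has nothing: return None.
    """
    if transcript["pfs"]:
        return None
    t = transcript
    return prf(root, b"ESP" + t["spi"] + t["ni"] + t["nr"])


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    root = establish_ike_sa(rng)
    k_pfs, t_pfs = establish_ipsec_sa(root, rng, pfs=True)
    # Three successive non-PFS IPSec SAs (initial SA plus two life-time rekeys):
    # the same root key drives all of them.
    rekeys = [establish_ipsec_sa(root, rng, pfs=False) for _ in range(3)]
    return {
        "root_leak_breaks_pfs_sa": attacker_derive(root, t_pfs) == k_pfs,
        "root_leak_breaks_every_no_pfs_sa":
            all(attacker_derive(root, t) == k for k, t in rekeys),
    }


if __name__ == "__main__":
    print(demo())
```

Without PFS the root key is a single point of failure for every IPSec SA negotiated under that IKE SA, past and future, which is why the life-time rekeys in the demo do not help. With PFS the attacker still has to break a fresh DH exchange per IPSec SA.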
15.6.10  Additional IPSec VPN Topics
This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec 
SAs or both. Relationships between the topics are also highlighted.
SA Life Time
SAs have a lifetime that specifies how long the SA lasts until it times out. When an 
SA times out, the NBG-460N automatically renegotiates the SA in the following 
situations:
• There is traffic when the SA life time expires
• The IPSec SA is configured on the NBG-460N as nailed up (see below)
Otherwise, the NBG-460N must renegotiate the SA the next time someone wants to 
send traffic.
Note: If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays 
connected; the IKE SA is only needed again when an IPSec SA has to be negotiated 
or renegotiated.