ZyXEL 793H 사용자 가이드

 Chapter 11 IPSec VPN

P-793H User’s Guide

"

An IPSec SA stays connected even if the underlying IKE SA is not available 
anymore.

This section introduces the key components of IPSec SA.

In IPSec SA terminology, the local network, the one(s) connected to the ZyXEL Device, may 
be called the local policy. Similarly, the remote network, the one(s) connected to the remote 
IPSec router, may be called the remote policy.

The active protocol controls the format of each packet. It also specifies how much of each 
packet is protected by the encryption and authentication algorithms. IPSec VPN includes two 
active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security 
Payload, RFC 2406).

"

The ZyXEL Device and remote IPSec router must use the same active 
protocol. ESP is recommended.

ESP is recommended because AH does not support encryption and ESP is more suitable with 
NAT. Use AH only if the remote IPSec router does not support ESP.

There are two ways to encapsulate packets. These modes are illustrated below.

In tunnel mode, the ZyXEL Device encapsulates the entire IP packet. As a result, there are two 
IP headers, as well as the header for the active protocol.

• Outside header: The outside IP header contains the IP addresses of the ZyXEL Device and 

remote IPSec router.

• AH/ESP header: The header for the active protocol encapsulates the original packet.

Figure 81   VPN: Transport and Tunnel Mode Encapsulation

IP Header

TCP 

Header

Data

IP Header

AH/ESP 

Header

TCP 

Header

Data

IP Header

AH/ESP 

Header

IP Header

TCP 

Header

Data