ZyXEL Communications wireless n gigabit router zyxel User Manual

Chapter 15 IPSec VPN
NBG-460N User’s Guide
15.6.7  IPSec Protocol
The IPSec protocol controls the format of each packet. It also specifies how much 
of each packet is protected by the encryption and authentication algorithms. IPSec 
VPN includes two IPSec protocols, AH (Authentication Header, RFC 2402) and ESP 
(Encapsulating Security Payload, RFC 2406).
Note: The NBG-460N and remote IPSec router must use the same IPSec protocol.
Usually, you should select ESP. AH does not support encryption, and ESP works 
better with NAT.
15.6.8  Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode 
because it is more secure. Transport mode is only used when the IPSec SA is used 
for communication between the NBG-460N and remote IPSec router (for example, 
for remote management), not between computers on the local and remote 
networks.
Note: The NBG-460N and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
In tunnel mode, the NBG-460N uses the IPSec protocol to encapsulate the entire 
IP packet. As a result, there are two IP headers:
• Outside header: The outside IP header contains the IP address of the NBG-460N 
or remote IPSec router, whichever is the destination.
• Inside header: The inside IP header contains the IP address of the computer 
behind the NBG-460N or remote IPSec router.
The header for the IPSec protocol (AH or ESP) appears between the IP headers.
Figure 141   VPN: Transport and Tunnel Mode Encapsulation
Original Packet:        | IP Header | TCP Header | Data |
Transport Mode Packet:  | IP Header | AH/ESP Header | TCP Header | Data |
Tunnel Mode Packet:     | IP Header | AH/ESP Header | IP Header | TCP Header | Data |
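
The three layouts in Figure 141, built and parsed in Python as an added example (not part of the NBG-460N User's Guide). It uses AH because the AH Next Header field travels in the clear; with ESP that field sits in the encrypted trailer, so the inner layout cannot be read off the wire. All addresses, ports, the SPI and the zeroed ICV are constructed sample values.

```python
import socket
import struct

IPIP, TCP, ESP, AH = 4, 6, 50, 51  # IANA IP protocol numbers

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def ah(next_header, payload, spi=0x1000, seq=1, icv=b"\x00" * 12):
    """RFC 2402 AH header with a dummy 96-bit ICV, plus payload."""
    words = (12 + len(icv)) // 4 - 2  # Payload Len: 32-bit words minus 2
    return struct.pack("!BBHII", next_header, words, 0, spi, seq) + icv + payload

def tcp(data, sport=40000, dport=443):
    """Minimal 20-byte TCP header (no options, checksum 0) plus data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data

def layers(packet):
    """Walk the header chain of an IPv4 packet; return the layer names in order."""
    out, proto, off = [], IPIP, 0
    while proto in (IPIP, AH):
        if proto == IPIP:
            src, dst = (socket.inet_ntoa(packet[off + i:off + i + 4]) for i in (12, 16))
            out.append(f"IP {src}>{dst}")
            proto, off = packet[off + 9], off + (packet[off] & 0x0F) * 4
        else:
            out.append("AH")
            proto, off = packet[off], off + (packet[off + 1] + 2) * 4
    out.append({TCP: "TCP", ESP: "ESP (remainder encrypted)"}.get(proto, f"proto {proto}"))
    return out

def ipsec_mode(packet):
    """Classify a packet: an IP header right after AH means tunnel mode."""
    names = layers(packet)
    if "AH" not in names:
        return "unknown" if names[-1].startswith("ESP") else "none"
    return "tunnel" if names[names.index("AH") + 1].startswith("IP ") else "transport"

# Constructed sample traffic: gateways use documentation addresses, hosts use RFC 1918 ones.
GW_A, GW_B, HOST_A, HOST_B = "192.0.2.1", "198.51.100.1", "192.168.1.33", "192.168.2.33"
original = ipv4(HOST_A, HOST_B, TCP, tcp(b"hello"))
transport = ipv4(GW_A, GW_B, AH, ah(TCP, tcp(b"hello")))  # router-to-router traffic
tunnel = ipv4(GW_A, GW_B, AH, ah(IPIP, original))          # whole original packet wrapped

if __name__ == "__main__":
    for name, pkt in (("original", original), ("transport", transport), ("tunnel", tunnel)):
        print(f"{name:9} {ipsec_mode(pkt):9} {' | '.join(layers(pkt))}")
```

In the tunnel mode packet only the gateway addresses appear in the outside header, and the packet is 20 bytes longer than the transport mode one because of the extra IP header.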