User's Guide for ZyXEL Communications 5 Series

Chapter 19 IPSec VPN
ZyWALL 5/35/70 Series User’s Guide
• Use the VPN Global Setting screen (see 
) to change settings 
that apply to all of your VPN tunnels. 
19.1.2  What You Need to Know About IPSec VPN
An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security 
association (SA), a contract indicating what security parameters the ZyWALL and the remote 
IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between 
the ZyWALL and remote IPSec router. The second phase uses the IKE SA to securely 
establish an IPSec SA through which the ZyWALL and remote IPSec router can send data 
between computers on the local network and remote network. This is illustrated in the 
following figure.
Figure 206   VPN: IKE SA and IPSec SA 
In this example, a computer in network A is exchanging data with a computer in network B.
Inside networks A and B, the data is transmitted the same way data is normally transmitted in 
the networks. Between routers X and Y, the data is protected by tunneling, encryption, 
authentication, and other security features of the IPSec SA. The IPSec SA is established 
securely using the IKE SA that routers X and Y established first.
Gateway and Network Policies
A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or 
network.
• A gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end 
of a VPN tunnel. The IKE SA provides a secure connection between the ZyWALL and 
remote IPSec router.
• A network policy contains the IPSec SA settings. It specifies which devices (behind the 
IPSec routers) can use the VPN tunnel.
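
The following sketch is an added example, not taken from the guide or from ZyXEL firmware. It models how a gateway policy (IKE SA) and its network policies (IPSec SAs) relate, and the order in which the two phases happen. The addresses, the second remote network "C", and all class and function names are constructed for illustration; letting two network policies share one gateway policy goes slightly beyond the single-tunnel case in the figure.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class GatewayPolicy:
    """IKE SA (phase 1) settings: the IPSec routers at either end."""
    local_gw: str
    remote_gw: str
    ike_sa_up: bool = False

@dataclass
class NetworkPolicy:
    """IPSec SA (phase 2) settings: which devices may use the tunnel."""
    name: str
    gateway: GatewayPolicy
    local_net: str
    remote_net: str
    ipsec_sa_up: bool = False

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote_net))

def send(policies, src, dst):
    """Return the ordered steps the local router takes for a packet src -> dst."""
    for p in policies:
        if not p.matches(src, dst):
            continue
        steps = []
        if not p.gateway.ike_sa_up:      # phase 1 must come first
            steps.append(f"phase 1: IKE SA {p.gateway.local_gw} <-> {p.gateway.remote_gw}")
            p.gateway.ike_sa_up = True
        if not p.ipsec_sa_up:            # phase 2 is negotiated under the IKE SA
            steps.append(f"phase 2: IPSec SA {p.local_net} <-> {p.remote_net}")
            p.ipsec_sa_up = True
        steps.append(f"protect with IPSec SA of {p.name}")
        return steps
    return ["no network policy matches: packet does not use the VPN tunnel"]

def build_policies():
    # Constructed sample values (documentation address ranges), not from the guide.
    gw = GatewayPolicy(local_gw="203.0.113.1", remote_gw="198.51.100.1")
    return [NetworkPolicy("A-to-B", gw, "192.168.1.0/24", "192.168.2.0/24"),
            NetworkPolicy("A-to-C", gw, "192.168.1.0/24", "10.0.5.0/24")]

if __name__ == "__main__":
    pols = build_policies()
    for src, dst in [("192.168.1.33", "192.168.2.10"), ("192.168.1.33", "10.0.5.7"),
                     ("192.168.1.33", "192.168.2.10"), ("192.168.1.33", "8.8.8.8")]:
        print(src, "->", dst, send(pols, src, dst))
```

The first packet triggers both phases, the packet to the second remote network only needs a new IPSec SA because the IKE SA already exists, and a destination outside every network policy never enters the tunnel.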