ZyXEL Communications USG60 - Chapter 29 Ipsec VPN; Virtual Private Networks (VPN) Overview
ZyWALL/USG Series User’s Guide
534
CHAPTER 29
IPSec VPN
29.1 Virtual Private Networks (VPN) Overview
A virtual private network (VPN) provides secure communications between sites without the expense
of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication,
access control and auditing. It is used to transport traffic over the Internet or any insecure network
that uses TCP/IP for communication.
IPSec VPN
Internet Protocol Security (IPSec) VPN connects IPSec routers or remote users using IPSec client
software. This standards-based VPN offers flexible solutions for secure data communications across
a public network. IPSec is built around a number of standardized cryptographic techniques to
provide confidentiality, data integrity and authentication at the IP layer. The ZyWALL/USG can also
combine multiple IPSec VPN connections into one secure network. Here local ZyWALL/USG X uses
an IPSec VPN tunnel to remote (peer) ZyWALL/USG Y to connect the local (A) and remote (B)
networks.
Figure 372 IPSec VPN Example
Internet Key Exchange (IKE): IKEv1 and IKEv2
The ZyWALL/USG supports IKEv1 and IKEv2 for IPv4 and IPv6 traffic. IKE (Internet Key Exchange)
is a protocol used in setting up security associations that allows two parties to send data securely.
IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to
set up a shared session secret from which encryption keys are derived. A security policy for each
peer must be manually created.
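As an added illustration of the Phase 1 mechanics this section describes (Diffie–Hellman for the shared secret, a pre-shared key for authentication, session keys derived from both), the following Python sketch is not code from the ZyXEL guide or its firmware; it follows the IKEv1 pre-shared-key derivation of RFC 2409 and assumes a constructed demo prime, HMAC-SHA256 as the PRF, and placeholder SA and ID payloads. It shows that Diffie–Hellman alone agrees on g^xy even when the two peers hold different pre-shared keys, and that only the PSK-keyed SKEYID makes the authentication hash and session keys line up.

```python
import hashlib
import hmac
import os

# Demo DH parameters (constructed for this example; NOT an IKE MODP group).
# A real IKE peer negotiates a group from RFC 3526 in its Phase 1 proposal.
DEMO_P = 2**255 - 19
DEMO_G = 2
SA_I = b"demo-phase1-proposal"   # constructed stand-in for the initiator's SA payload
ID_I = b"initiator@example.org"  # constructed stand-in for the initiator's ID payload


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 PRF; HMAC-SHA256 stands in for whatever hash the proposal selects."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.cookie = os.urandom(8)    # ISAKMP cookie (SPI) chosen by this side
        self.nonce = os.urandom(16)
        self._x = 2 + int.from_bytes(os.urandom(32), "big") % (DEMO_P - 3)  # private exponent
        self.pub = pow(DEMO_G, self._x, DEMO_P)   # g^x, sent in the clear in the KE payload

    def derive(self, peer_pub: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> dict:
        gxy = pow(peer_pub, self._x, DEMO_P).to_bytes(32, "big")   # shared DH secret g^xy
        # RFC 2409 section 5, PSK authentication: the pre-shared key, not g^xy,
        # keys the first PRF step, so mismatched PSKs give different SKEYIDs.
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # Phase 2 seed
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE auth key
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE enc key
        return {"gxy": gxy, "skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def phase1(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run the Phase 1 key agreement and report what agreed on both sides."""
    i, r = Peer(psk_initiator), Peer(psk_responder)
    # Main mode messages 3/4: KE and nonce payloads cross the wire unencrypted.
    ki = i.derive(r.pub, i.nonce, r.nonce, i.cookie, r.cookie)
    kr = r.derive(i.pub, i.nonce, r.nonce, i.cookie, r.cookie)
    # Message 5: the initiator proves it holds SKEYID (hence the PSK) via HASH_I.
    gxi, gxr = i.pub.to_bytes(32, "big"), r.pub.to_bytes(32, "big")
    hash_i = prf(ki["skeyid"], gxi + gxr + i.cookie + r.cookie + SA_I + ID_I)
    expected = prf(kr["skeyid"], gxi + gxr + i.cookie + r.cookie + SA_I + ID_I)
    return {
        "dh_secret_agreed": ki["gxy"] == kr["gxy"],        # DH alone agrees regardless of PSK
        "authenticated": hmac.compare_digest(hash_i, expected),
        "session_keys_agreed": ki["e"] == kr["e"] and ki["a"] == kr["a"],
    }
```

The second result is the point of the PSK step: an on-path party can complete an unauthenticated Diffie–Hellman exchange, but without the shared secret it cannot produce a HASH_I the responder accepts, and the two sides end up with different IKE keys.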
IPSec VPN consists of two phases: Phase 1 and Phase 2. Phase 1's purpose is to establish a secure
authenticated communication channel by using the Diffie–Hellman key exchange algorithm to
generate a shared secret key to encrypt IKE communications. This negotiation results in one single
bi-directional ISAKMP Security Association (SA). The authentication can be performed using either
pre-shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either