Chapter 29 IPSec VPN
ZyWALL/USG Series User’s Guide
537
29.1.2 What You Need to Know
An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security
association (SA), a contract indicating what security parameters the ZyWALL/USG and the remote
IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the
ZyWALL/USG and remote IPSec router. The second phase uses the IKE SA to securely establish an
IPSec SA through which the ZyWALL/USG and remote IPSec router can send data between
computers on the local network and remote network. This is illustrated in the following figure.
Figure 375 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside
networks A and B, the data is transmitted the same way data is normally transmitted in the
networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication,
and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y
established the IKE SA first.
To Next Page
Loading...
