User's Manual

Chapter 15 IPSec VPN
NBG-460N User’s Guide
• Use the SA Monitor screen (Section 15.5 on page 218) to display and manage
active VPN connections.
15.3 What You Need To Know
A VPN tunnel is usually established in two phases. Each phase establishes a
security association (SA), a contract indicating what security parameters the
NBG-460N and the remote IPSec router will use.
The first phase establishes an Internet Key Exchange (IKE) SA between the
NBG-460N and remote IPSec router. The second phase uses the IKE SA to securely
establish an IPSec SA through which the NBG-460N and remote IPSec router can
send data between computers on the local network and remote network. The
following figure illustrates this.
Figure 129 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in
network B. Inside networks A and B, the data is transmitted the same way data is
normally transmitted in the networks. Between routers X and Y, the data is
protected by tunneling, encryption, authentication, and other security features of
the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X
and Y established first.
15.3.1 IKE SA (IKE Phase 1) Overview
The IKE SA provides a secure connection between the NBG-460N and remote
IPSec router.
It takes several steps to establish an IKE SA. The negotiation mode determines
the number of steps to use. There are two negotiation modes: main mode and
aggressive mode. Main mode provides better security, while aggressive mode is
faster.
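When auditing a tunnel, the phase and negotiation mode actually in use can be read from the exchange-type field of the ISAKMP header in each captured IKEv1 message (UDP port 500). The following is an added example and not part of this manual; the function names and the header-only sample messages are constructed for illustration, and the field layout and exchange-type values are those of RFC 2408 and RFC 2409.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1: 28 bytes, network byte order.
HDR = struct.Struct("!8s8sBBBBII")

# IKEv1 exchange types (RFC 2408 / RFC 2409) mapped to (phase, mode).
EXCHANGES = {
    2: ("phase 1 (IKE SA)", "main mode"),         # Identity Protection
    4: ("phase 1 (IKE SA)", "aggressive mode"),
    32: ("phase 2 (IPSec SA)", "quick mode"),
}

def classify_ike(payload: bytes) -> dict:
    """Report which phase and negotiation mode an IKEv1 message belongs to."""
    if len(payload) < HDR.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _icookie, rcookie, _next, version, xchg, flags, msg_id, length = \
        HDR.unpack_from(payload)
    if version >> 4 != 1:
        raise ValueError("not an IKEv1 message")
    if not HDR.size <= length <= len(payload):
        raise ValueError("length field disagrees with captured data")
    phase, mode = EXCHANGES.get(xchg, ("unknown", f"exchange type {xchg}"))
    # Phase 1 always uses message ID 0; phase 2 exchanges use a non-zero ID.
    if phase.startswith("phase 1") and msg_id != 0:
        raise ValueError("phase 1 message with non-zero message ID")
    if phase.startswith("phase 2") and msg_id == 0:
        raise ValueError("phase 2 message with zero message ID")
    return {
        "phase": phase,
        "mode": mode,
        "first_message": rcookie == bytes(8),  # responder cookie not yet set
        "encrypted": bool(flags & 0x01),       # encryption bit of the flags field
    }

def sample(xchg, rcookie=bytes(8), flags=0, msg_id=0):
    """Constructed header-only sample; the cookie values are made up."""
    return HDR.pack(b"\x11" * 8, rcookie, 1, 0x10, xchg, flags, msg_id, HDR.size)

if __name__ == "__main__":
    for pkt in (sample(2), sample(4), sample(32, b"\x22" * 8, 0x01, 0x1234)):
        print(classify_ike(pkt))
```

A tunnel configured for main mode should never show exchange type 4 from either peer; seeing it indicates a mismatch between the configured and the negotiated mode.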