Filter
Top Products
Chapter 20 IPSec VPN
ZyWALL 110/310/1100 Series User’s Guide
312
If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was
generated when the IKE SA was established to generate encryption keys.
The DH key exchange is time-consuming and may be unnecessary for data that does not require
such security.
Additional Topics for IPSec SA
This section provides more information about IPSec SA in your ZyWALL.
IPSec SA using Manual Keys
You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly,
for example, for troubleshooting. You should only do this as a temporary solution, however,
because it is not as secure as a regular IPSec SA.
In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not establish an IKE SA.
They only establish an IPSec SA. As a result, an IPSec SA using manual keys has some
characteristics of IKE SA and some characteristics of IPSec SA. There are also some differences
between IPSec SA using manual keys and other types of SA.
IPSec SA Proposal using Manual Keys
In an IPSec SA using manual keys, you can only specify one encryption algorithm and one
authentication algorithm. You cannot specify several proposals. There is no DH key exchange, so
you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec
router use.
Note: The ZyWALL and remote IPSec router must use the same encryption key and
authentication key.
Authentication and the Security Parameter Index (SPI)
For authentication, the ZyWALL and remote IPSec router use the SPI, instead of pre-shared keys,
ID type and content. The SPI is an identification number.
Note: The ZyWALL and remote IPSec router must use the same SPI.
NAT for Inbound and Outbound Traffic
The ZyWALL can translate the following types of network addresses in IPSec SA.
• Source address in outbound packets - this translation is necessary if you want the ZyWALL to
route packets from computers outside the local network through the IPSec SA.
• Source address in inbound packets - this translation hides the source address of computers in the
remote network.
• Destination address in inbound packets - this translation is used if you want to forward packets
(for example, mail) from the remote network to a specific computer (like the mail server) in the
local network.
Each kind of translation is explained below. The following example is used to help explain each one.