Chapter 15 IPSec VPN Screens
ZyWALL 2WG User’s Guide
338
• MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
• SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
IPSec SA Overview
Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely
negotiate an IPSec SA through which to send data between computers on the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore.
This section introduces the key components of an IPSec SA.
Local and Remote Networks
In an IPSec SA, the local network consists of devices connected to the ZyWALL and may be
called the local policy. Similarly, the remote network consists of the devices connected to the
remote IPSec router and may be called the remote policy.
You can configure a remote network as 0.0.0.0 (any) when:
• Forwarding all outgoing traffic to the remote gateway.
• The remote network's addresses are unknown or there are many remote networks using
one VPN rule (see
for an example of telecommuters sharing
one VPN rule).
Note: It is not recommended to set a VPN rule’s local and remote network settings both to 0.0.0.0 (any).
In most cases you should use virtual address mapping (see Virtual Address Mapping on page 338) to avoid overlapping local and remote network IP addresses. See for how the ZyWALL handles overlapping local and remote network IP addresses.
Virtual Address Mapping
Virtual address mapping (NAT over IPSec) changes the source IP addresses of packets from
your local devices to virtual IP addresses before sending them through the VPN tunnel.
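The following is an added example, not ZyXEL code: a pre-deployment check for the local and remote network rules above, plus a sketch of the source-address rewrite that virtual address mapping performs. The function names, the sample addresses and the subnet-to-subnet one-to-one mapping (same prefix length, host offset preserved) are assumptions for illustration.

```python
import ipaddress

# How this sketch models the "0.0.0.0 (any)" setting.
ANY = ipaddress.ip_network("0.0.0.0/0")


def check_policy(local, remote):
    """Return warnings for one VPN rule's local and remote networks."""
    local_net = ipaddress.ip_network(local)
    remote_net = ipaddress.ip_network(remote)
    if local_net == ANY and remote_net == ANY:
        return ["both-any"]   # the combination the guide advises against
    if ANY in (local_net, remote_net):
        return []             # one side set to "any" is a supported setup
    if local_net.overlaps(remote_net):
        return ["overlap"]    # candidate for virtual address mapping
    return []


def map_source(src, local, virtual):
    """Rewrite a local source address into the virtual subnet.

    Assumed mapping: one-to-one between subnets of equal size.
    """
    local_net = ipaddress.ip_network(local)
    virtual_net = ipaddress.ip_network(virtual)
    addr = ipaddress.ip_address(src)
    if local_net.prefixlen != virtual_net.prefixlen:
        raise ValueError("local and virtual subnets must be the same size")
    if addr not in local_net:
        raise ValueError("source address is outside the local network")
    offset = int(addr) - int(local_net.network_address)
    return str(virtual_net.network_address + offset)


if __name__ == "__main__":
    # Constructed sample: both sites use the same private range.
    local, remote, virtual = "192.168.1.0/24", "192.168.1.0/24", "10.0.9.0/24"
    print(check_policy(local, remote))                # overlap detected
    print(map_source("192.168.1.33", local, virtual)) # address seen in the tunnel
    # The virtual range must itself stay clear of the remote network.
    print(check_policy(virtual, remote))
```

The remote IPSec router then has to use the virtual range, not the real local range, as its remote network for this tunnel.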