Chapter 15 IPSec VPN Screens
ZyWALL 2WG User’s Guide
"
The ZyWALL and remote IPSec router must use the same active protocol.
Usually, you should select ESP. AH does not support encryption, and ESP is more suitable
with NAT.
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
"
The ZyWALL and remote IPSec router must use the same encapsulation.
These modes are illustrated below.
In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers:

• Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec router, whichever is the destination.
• Inside header: The inside IP header contains the IP address of the computer behind the ZyWALL or remote IPSec router. The header for the active protocol (AH or ESP) appears between the IP headers.

In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL includes part of the original IP header when it encapsulates the packet. With ESP, however, the ZyWALL does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address.
Figure 219 VPN: Transport and Tunnel Mode Encapsulation

Original Packet:       IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet:    IP Header | AH/ESP Header | IP Header | TCP Header | Data
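The header stacks in the figure, and the point that transport-mode ESP leaves the source IP address unverifiable, can be worked through with the following Python model. It is an added example, not code from the ZyWALL guide or from ZyXEL; it models header ordering and integrity coverage only (no real AH/ESP processing), and the host and gateway addresses are constructed.

```python
# Added example (not from the ZyWALL guide): a small model of the header
# stacks produced by AH/ESP in transport and tunnel mode, and of which
# headers the receiver can integrity-check in each combination.

def encapsulate(orig, mode, proto, gw_src, gw_dst):
    """Return the header stack after IPsec encapsulation.

    orig   -- original packet as a list of (name, src, dst) / (name,) tuples,
              e.g. [("IP", "10.0.1.5", "10.0.2.7"), ("TCP",), ("DATA",)]
    mode   -- "tunnel" or "transport"
    proto  -- "AH" or "ESP" (the active protocol)
    gw_src, gw_dst -- addresses of the local and remote IPsec gateways,
              used only for the outer header in tunnel mode
    """
    if proto not in ("AH", "ESP"):
        raise ValueError("active protocol must be AH or ESP")
    if mode == "tunnel":
        # New outer IP header between the gateways, then AH/ESP, then the
        # complete original packet (its IP header becomes the inner header).
        return [("IP", gw_src, gw_dst), (proto,)] + orig
    if mode == "transport":
        # Original IP header is kept; AH/ESP is inserted before the payload.
        ip, rest = orig[0], orig[1:]
        return [ip, (proto,)] + rest
    raise ValueError("mode must be tunnel or transport")

def integrity_protected(stack):
    """Headers covered by the integrity check value (ICV).

    AH authenticates the immutable fields of the IP header in front of it
    (including both addresses) and everything after it.  ESP's ICV starts at
    the ESP header, so the IP header in front of ESP is not covered.
    """
    idx = next(i for i, h in enumerate(stack) if h[0] in ("AH", "ESP"))
    return stack[idx - 1:] if stack[idx][0] == "AH" else stack[idx:]

def source_ip_verifiable(stack, orig_src):
    """True if an IP header carrying the original source address is covered."""
    return any(h[0] == "IP" and h[1] == orig_src
               for h in integrity_protected(stack))

# Constructed sample: host 10.0.1.5 behind gateway 203.0.113.1 talking to
# host 10.0.2.7 behind gateway 198.51.100.1 (all example addresses).
ORIG = [("IP", "10.0.1.5", "10.0.2.7"), ("TCP",), ("DATA",)]
GW_A, GW_B = "203.0.113.1", "198.51.100.1"

if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for proto in ("AH", "ESP"):
            stack = encapsulate(ORIG, mode, proto, GW_A, GW_B)
            print(mode, proto, [h[0] for h in stack],
                  "source verifiable:", source_ip_verifiable(stack, ORIG[0][1]))
```

Running it prints the four header stacks; only the transport-mode ESP combination reports the original source address as unverifiable, matching the text above.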