Home » ZyXEL Manuals » Networking » ZyXEL NBG-460N » Manual Viewer

ZyXEL NBG-460N User Guide - Page 212

IPSec SA Proposal and Perfect Forward Secrecy, Additional IPSec VPN Topics

Get ZyXEL NBG-460N PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 212 highlights

Chapter 15 IPSec VPN Figure 130 VPN: Transport and Tunnel Mode Encapsulation Transport Mode Packet IP Header AH/ESP Header TCP Header Data Tunnel Mode Packet IP Header AH/ESP Header IP Header TCP Header Data In tunnel mode, the NBG-460N uses the IPSec protocol to encapsulate the entire IP packet. As a result, there are two IP headers: • Outside header: The outside IP header contains the IP address of the NBG-460N or remote IPSec router, whichever is the destination. • Inside header: The inside IP header contains the IP address of the computer behind the NBG-460N or remote IPSec router. The header for the IPSec protocol (AH or ESP) appears between the IP headers. In transport mode, the encapsulation depends on the IPSec protocol. With AH, the NBG-460N includes part of the original IP header when it encapsulates the packet. With ESP, however, the NBG-460N does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address. 15.6.9 IPSec SA Proposal and Perfect Forward Secrecy An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on page 207), except that you also have the choice whether or not the NBG-460N and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS). If you enable PFS, the NBG-460N and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure. If you do not enable PFS, the NBG-460N and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security. 15.6.10 Additional IPSec VPN Topics This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted. 212 NBG-460N User's Guide

Section	Page
NBG-460N	1
About This User's Guide	3
Document Conventions	5
Safety Warnings	7
Contents Overview	9
Table of Contents	11
Introduction	21
Getting to Know Your NBG-460N	23
1.1 Overview	23
1.2 Applications	23
1.3 Wireless Applications	24
1.3.1 Router Mode	24
1.3.2 AP Mode	25
1.3.3 Router vs. AP	26
1.4 Ways to Manage the NBG-460N	26
1.5 Good Habits for Managing the NBG-460N	27
1.6 LEDs	27
The WPS Button	29
2.1 Overview	29
Introducing the Web Configurator	31
3.1 Web Configurator Overview	31
3.2 Accessing the Web Configurator	31
3.3 Resetting the NBG-460N	33
3.3.1 Procedure to Use the Reset Button	33
3.4 Navigating the Web Configurator	33
3.5 The Status Screen in Router Mode	34
3.5.1 Navigation Panel	37
3.5.2 Summary: Any IP Table	39
3.5.3 Summary: Bandwidth Management Monitor	39
3.5.4 Summary: DHCP Table	40
3.5.5 Summary: Packet Statistics	41
3.5.6 Summary: VPN Monitor	42
3.5.7 Summary: Wireless Station Status	43
Connection Wizard	45
4.1 Wizard Setup	45
4.2 Connection Wizard: STEP 1: System Information	46
4.2.1 System Name	46
4.2.2 Domain Name	47
4.3 Connection Wizard: STEP 2: Wireless LAN	48
4.3.1 Basic (WEP) Security	49
4.3.2 Extend (WPA-PSK or WPA2-PSK) Security	50
4.4 Connection Wizard: STEP 3: Internet Configuration	51
4.4.1 Ethernet Connection	52
4.4.2 PPPoE Connection	52
4.4.3 PPTP Connection	53
4.4.4 Your IP Address	55
4.4.5 WAN IP Address Assignment	55
4.4.6 IP Address and Subnet Mask	56
4.4.7 DNS Server Address Assignment	57
4.4.8 WAN IP and DNS Server Address Assignment	57
4.4.9 WAN MAC Address	58
4.5 Connection Wizard: STEP 4: Bandwidth management	59
4.6 Connection Wizard Complete	60
Tutorials	63
5.1 Overview	63
5.2 How to Connect to the Internet from an AP	63
5.2.1 Configure Wireless Security Using WPS on both your NBG-460N and Wireless Client	63
5.2.2 Enable and Configure Wireless Security without WPS on your NBG-460N	67
5.2.3 Configure Your Notebook	68
5.3 Site-To-Site VPN Tunnel Tutorial	70
5.3.1 Configuring Bob’s NBG-460N VPN Settings	71
5.3.2 Configuring Jack’s NBG-460N VPN Settings	73
5.3.3 Checking the VPN Connection	75
5.4 Bandwidth Management for your Network	76
5.4.1 Configuring Bandwidth Management by Application	76
5.4.2 Configuring Bandwidth Management by Custom Application	77
5.4.3 Configuring Bandwidth Allocation by IP or IP Range	78
AP Mode	81
6.1 Overview	81
6.2 Setting your NBG-460N to AP Mode	81
6.3 The Status Screen	82
6.3.1 Navigation Panel	84
6.4 Configuring Your Settings	86
6.4.1 LAN Settings	86
6.4.2 WLAN and Maintenance Settings	87
6.5 Logging in to the Web Configurator in AP Mode	88
Network	89
Wireless LAN	91
7.1 Overview	91
7.2 What You Can Do	92
7.3 What You Should Know	92
7.3.1 Wireless Security Overview	92
7.4 General Wireless LAN Screen	95
7.4.1 No Security	96
7.4.2 WEP Encryption	97
7.4.3 WPA-PSK/WPA2-PSK	100
7.4.4 WPA/WPA2	101
7.5 MAC Filter Screen	103
7.6 Wireless LAN Advanced Screen	105
7.7 Quality of Service (QoS) Screen	105
7.7.1 Application Priority Configuration	107
7.8 WPS Screen	109
7.9 WPS Station Screen	110
7.10 Scheduling Screen	110
7.11 Technical Reference	112
7.11.1 Roaming	112
7.11.2 Quality of Service	114
7.12 WiFi Protected Setup	115
7.12.1 iPod Touch Web Configurator	115
7.12.2 Login Screen	116
7.12.3 System Status	116
7.12.4 WPS in Progress	119
7.12.5 Port Forwarding	119
7.13 Accessing the iPod Touch Web Configurator	121
7.13.1 Accessing the iPod Touch Web Configurator	121
WAN	123
8.1 Overview	123
8.2 What You Can Do	123
8.3 What You Need To Know	124
8.3.1 Configuring Your Internet Connection	124
8.3.2 Multicast	125
8.3.3 IPTV STB Port	126
8.3.4 NetBIOS over TCP/IP	128
8.3.5 Auto-Bridge	128
8.4 Internet Connection	129
8.4.1 Ethernet Encapsulation	129
8.4.2 PPPoE Encapsulation	131
8.4.3 PPTP Encapsulation	134
8.5 Advanced WAN Screen	136
8.6 Technical Reference	138
8.6.1 IGMP	138
LAN	139
9.1 Overview	139
9.2 What You Can Do	139
9.3 What You Need To Know	140
9.3.1 IP Pool Setup	140
9.3.2 LAN TCP/IP	140
9.4 LAN IP Screen	140
9.5 LAN IP Alias	141
9.6 Advanced LAN Screen	142
9.7 Technical Reference	143
9.7.1 LANs, WANs and the ZyXEL Device	143
9.7.2 Any IP	144
DHCP	147
10.1 Overview	147
10.2 What You Can Do	147
10.3 What You Need To Know	147
10.4 DHCP General Screen	148
10.5 DHCP Advanced Screen	148
10.6 Client List Screen	150
Network Address Translation (NAT)	153
11.1 Overview	153
11.2 What You Can Do	154
11.3 General NAT Screen	154
11.4 NAT Application Screen	155
11.4.1 Game List Example	158
11.4.2 Configuring Servers Behind Port Forwarding Example	158
11.5 NAT Advanced Screen	159
11.5.1 Trigger Port Forwarding Example	161
11.5.2 Two Points To Remember About Trigger Ports	162
Dynamic DNS	163
12.1 Overview	163
12.2 What You Can Do	163
12.3 What You Need To Know	163
12.3.1 DynDNS Wildcard	163
12.4 Dynamic DNS Screen	164
Security	167
Firewall	169
13.1 Overview	169
13.2 What You Can Do	169
13.3 What You Need To Know	170
13.3.1 About the NBG-460N Firewall	170
13.3.2 Triangle Routes	170
13.3.3 Triangle Routes and IP Alias	171
13.4 General Firewall Screen	172
13.5 Services Screen	172
13.5.1 The Add Firewall Rule Screen	175
Content Filtering	179
14.1 Overview	179
14.2 What You Can Do	179
14.3 What You Need To Know	179
14.3.1 Content Filtering Profiles	179
14.4 Filter Screen	181
14.5 Schedule Screen	183
14.6 Technical Reference	183
14.6.1 Customizing Keyword Blocking URL Checking	184
IPSec VPN	185
15.1 Overview	185
15.2 What You Can Do	185
15.3 What You Need To Know	186
15.3.1 IKE SA (IKE Phase 1) Overview	186
15.3.2 IPSec SA (IKE Phase 2) Overview	187
15.4 The General Screen	188
15.4.1 VPN Rule Setup (Basic)	189
15.4.2 VPN Rule Setup (Advanced)	194
15.4.3 VPN Rule Setup (Manual)	201
15.5 The SA Monitor Screen	205
15.6 Technical Reference	206
15.6.1 VPN and Remote Management	206
15.6.2 IKE SA Proposal	207
15.6.3 Diffie-Hellman (DH) Key Exchange	208
15.6.4 Authentication	208
15.6.5 Negotiation Mode	209
15.6.6 VPN, NAT, and NAT Traversal	210
15.6.7 IPSec Protocol	211
15.6.8 Encapsulation	211
15.6.9 IPSec SA Proposal and Perfect Forward Secrecy	212
15.6.10 Additional IPSec VPN Topics	212
Management	215
Static Route	217
16.1 Overview	217
16.2 What You Can Do	217
16.3 IP Static Route Screen	218
16.3.1 Static Route Setup Screen	219
Bandwidth Management	221
17.1 Overview	221
17.2 What You Can Do	221
17.3 What You Need To Know	222
17.4 General Configuration Screen	222
17.5 Advanced Configuration	224
17.5.1 Rule Configuration with the Pre-defined Service	226
17.5.2 Rule Configuration: User Defined Service Rule Configuration	227
17.6 Monitor Screen	228
17.7 Technical References	229
17.7.1 Predefined Bandwidth Management Services	229
17.7.2 Default Bandwidth Management Classes and Priorities	230
17.7.3 Bandwidth Management Priorities	231
Remote Management	233
18.1 Overview	233
18.2 What You Can Do	233
18.3 What You Need To Know	234
18.3.1 Remote Management Limitations	234
18.3.2 Remote Management and NAT	234
18.3.3 System Timeout	234
18.4 WWW Screen	235
18.5 Telnet Screen	236
18.6 FTP Screen	236
18.7 DNS Screen	237
Universal Plug-and-Play (UPnP)	239
19.1 Overview	239
19.2 What You Can Do	239
19.3 What You Need to Know	239
19.3.1 NAT Traversal	239
19.3.2 Cautions with UPnP	240
19.4 UPnP Screen	240
19.5 Technical Reference	241
19.5.1 Using UPnP in Windows XP Example	241
19.5.2 Web Configurator Easy Access	244
Maintenance and Troubleshooting	247
System	249
20.1 Overview	249
20.2 What You Can Do	249
20.3 System General Screen	249
20.4 Time Setting Screen	251
Logs	255
21.1 Overview	255
21.2 What You Can Do	255
21.3 What You Need to Know	255
21.4 View Log Screen	256
21.5 Log Settings	257
21.6 Technical Reference	260
21.6.1 Log Descriptions	260
Tools	275
22.1 Overview	275
22.2 What You Can Do	275
22.3 Firmware Upload Screen	275
22.4 Configuration Screen	278
22.4.1 Backup Configuration	278
22.4.2 Restore Configuration	278
22.4.3 Back to Factory Defaults	280
22.5 Restart Screen	280
22.6 Wake On LAN	281
22.7 Green	281
Configuration Mode	283
23.1 Overview	283
23.2 What You Can Do	283
23.3 General Screen	283
Sys Op Mode	285
24.1 Overview	285
24.2 What You Can Do	285
24.3 What You Need to Know	285
24.4 General Screen	287
Language	289
25.1 Language Screen	289
Troubleshooting	291
26.1 Power, Hardware Connections, and LEDs	291
26.2 NBG-460N Access and Login	292
26.3 Internet Access	294
26.4 Resetting the NBG-460N to Its Factory Defaults	296
26.5 Wireless Router/AP Troubleshooting	297
26.6 Advanced Features	297
Product Specifications and Wall- Mounting Instructions	299
Appendices and Index	305
Pop-up Windows, JavaScripts and Java Permissions	307
IP Addresses and Subnetting	315
Setting up Your Computer’s IP Address	325
27.0.1 Verifying Settings	342
Wireless LANs	343
27.0.2 WPA(2)-PSK Application Example	353
27.0.3 WPA(2) with RADIUS Application Example	353
Services	355
Legal Information	359

Match case Limit results 1 per page

Chapter 15 IPSec VPN

NBG-460N User’s Guide

212

In tunnel mode, the NBG-460N uses the IPSec protocol to encapsulate the entire

IP packet. As a result, there are two IP headers:

•

Outside header: The outside IP header contains the IP address of the NBG-460N

or remote IPSec router, whichever is the destination.

•

Inside header: The inside IP header contains the IP address of the computer

behind the NBG-460N or remote IPSec router. The header for the IPSec protocol

(AH or ESP) appears between the IP headers.

In transport mode, the encapsulation depends on the IPSec protocol. With AH, the

NBG-460N includes part of the original IP header when it encapsulates the packet.

With ESP, however, the NBG-460N does not include the IP header when it

encapsulates the packet, so it is not possible to verify the integrity of the source IP

address.

15.6.9

IPSec SA Proposal and Perfect Forward Secrecy

An IPSec SA proposal is similar to an IKE SA proposal (see

IKE SA Proposal on

page 207

), except that you also have the choice whether or not the NBG-460N

and remote IPSec router perform a new DH key exchange every time an IPSec SA

is established. This is called Perfect Forward Secrecy (PFS).

If you enable PFS, the NBG-460N and remote IPSec router perform a DH key

exchange every time an IPSec SA is established, changing the root key from which

encryption keys are generated. As a result, if one encryption key is compromised,

other encryption keys remain secure.

If you do not enable PFS, the NBG-460N and remote IPSec router use the same

root key that was generated when the IKE SA was established to generate

encryption keys.

The DH key exchange is time-consuming and may be unnecessary for data that

does not require such security.

15.6.10

Additional IPSec VPN Topics

This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec

SAs or both. Relationships between the topics are also highlighted.

Transport Mode Packet

IP Header

AH/ESP

Header

TCP

Header

Data

Tunnel Mode Packet

IP Header

AH/ESP

Header

IP Header

TCP

Header

Data

Figure 130

VPN: Transport and Tunnel Mode Encapsulation