Home » ZyXEL Manuals » Networking » ZyXEL P-335U » Manual Viewer

ZyXEL P-335U User Guide - Page 146

Additional IPSec VPN Topics

Get ZyXEL P-335U PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 146 highlights

P-334U/P-335U User's Guide If you do not enable PFS, the ZyXEL Device and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security. 13.1.4 Additional IPSec VPN Topics This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted. 13.1.4.1 SA Life Time SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times out, the ZyXEL Device automatically renegotiates the SA in the following situations: • There is traffic when the SA life time expires • The IPSec SA is configured on the ZyXEL Device as nailed up (see below) Otherwise, the ZyXEL Device must re-negotiate the SA the next time someone wants to send traffic. Note: If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected. An IPSec SA can be set to keep alive Normally, the ZyXEL Device drops the IPSec SA when the life time expires or after two minutes of outbound traffic with no inbound traffic. If you set the IPSec SA to keep alive , the ZyXEL Device automatically renegotiates the IPSec SA when the SA life time expires, and it does not drop the IPSec SA if there is no inbound traffic. Note: The SA life time and keep alive settings only apply if the rule identifies the remote IPSec router by a static IP address or a domain name. If the Secure Gateway Address field is set to 0.0.0.0, the ZyXEL Device cannot initiate the tunnel (and cannot renegotiate the SA). 13.1.4.2 Encryption and Authentication Algorithms In most ZyXEL Devices, you can select one of the following encryption algorithms for each proposal. The encryption algorithms are listed here in order from weakest to strongest. • Data Encryption Standard (DES) is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data. • Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES. You can select one of the following authentication algorithms for each proposal. The algorithms are listed here in order from weakest to strongest. • MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data. • SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data. 146 Chapter 13 IPSec VPN

Section	Page
User’s Guide	1
Copyright	3
Certifications	4
Safety Warnings	6
ZyXEL Limited Warranty	7
Customer Support	8
Table of Contents	11
List of Figures	19
List of Tables	25
Preface	29
1. Getting to Know Your ZyXEL Device	31
1.1 ZyXEL Device Overview	31
1.2 Applications for the ZyXEL Device	31
1.2.1 Secure Broadband Internet Access via Cable or DSL Modem	31
1.2.2 Wireless LAN Application	32
1.2.3 Print Server and Router Combined Application (P-335U Only)	33
1.2.4 VPN Application (P-335U Only)	33
1.3 Ways to Manage the ZyXEL Device	33
1.4 Good Habits for Managing Your ZyXEL Device	34
1.4.1 Front Panel LEDs	34
2. Introducing the Web Configurator	37
2.1 Web Configurator Overview	37
2.2 Accessing the Web Configurator	37
2.3 Resetting the ZyXEL Device	38
2.3.1 Procedure to Use the Reset Button	38
2.4 Navigating the Web Configurator	38
2.4.1 Navigation Panel	41
2.4.2 Summary: Bandwidth Management Monitor	43
2.4.3 Summary: DHCP Table	44
2.4.4 Summary: Packet Statistics	45
2.4.5 VPN Monitor	46
2.4.6 Summary: Wireless Station Status	46
3. Connection Wizard	49
3.1 Wizard Setup	49
3.2 Connection Wizard: STEP 1: System Information	50
3.2.1 System Name	50
3.2.2 Domain Name	51
3.3 Connection Wizard: STEP 2: Wireless LAN	51
3.3.1 Basic(WEP) Security	53
3.3.2 Extend(WPA-PSK or WPA2-PSK) Security	54
3.3.3 OTIST	55
3.4 Connection Wizard: STEP 3: Internet Configuration	56
3.4.1 Ethernet Connection	56
3.4.2 PPPoE Connection	57
3.4.3 PPTP Connection	58
3.4.4 Your IP Address	60
3.4.5 WAN IP Address Assignment	60
3.4.6 IP Address and Subnet Mask	61
3.4.7 DNS Server Address Assignment	61
3.4.8 WAN IP and DNS Server Address Assignment	62
3.4.9 WAN MAC Address	63
3.5 Connection Wizard: STEP 4: Bandwidth management	64
3.6 Connection Wizard Complete	65
4. Wireless LAN	67
4.1 Wireless Network Overview	67
4.2 Wireless Security Overview	68
4.2.1 SSID	68
4.2.2 MAC Address Filter	68
4.2.3 User Authentication	68
4.2.4 Encryption	69
4.2.5 One-Touch Intelligent Security Technology (OTIST)	70
4.3 General Wireless LAN Screen	70
4.3.1 No Security	71
4.3.2 WEP Encryption	72
4.3.3 WPA-PSK/WPA2-PSK	74
4.3.4 WPA/WPA2	75
4.4 OTIST	77
4.4.1 Enabling OTIST	78
4.4.1.1 AP	78
4.4.1.2 Wireless Client	79
4.4.2 Starting OTIST	80
4.4.3 Notes on OTIST	80
4.5 MAC Filter	81
4.6 Wireless LAN Advanced Screen	83
5. Wireless Tutorial	85
5.1 Example Parameters	85
5.2 Configuring the AP	85
5.3 Configuring the Wireless Client	87
5.3.1 Connecting to a Wireless LAN	88
5.3.2 Creating and Using a Profile	90
6. WAN	95
6.1 WAN Overview	95
6.2 WAN MAC Address	95
6.3 Internet Connection	95
6.3.1 Ethernet Encapsulation	95
6.3.2 PPPoE Encapsulation	97
6.3.3 PPTP Encapsulation	100
6.4 Advanced WAN Screen	103
7. LAN	105
7.1 LAN Overview	105
7.1.1 IP Pool Setup	105
7.1.2 System DNS Servers	105
7.2 LAN TCP/IP	105
7.2.1 Factory LAN Defaults	105
7.2.2 IP Address and Subnet Mask	106
7.2.3 Multicast	106
7.3 LAN IP Screen	106
7.4 LAN IP Alias	107
7.5 Advanced LAN Screen	108
8. DHCP Server	111
8.1 DHCP	111
8.2 DHCP Server General Screen	111
8.3 DHCP Server Advanced Screen	112
8.4 Client List Screen	113
9. Network Address Translation (NAT)	115
9.1 NAT Overview	115
9.2 Using NAT	115
9.2.1 Port Forwarding: Services and Port Numbers	115
9.2.2 Configuring Servers Behind Port Forwarding (Example)	116
9.3 General NAT Screen	116
9.4 NAT Application Screen	117
9.4.1 Game List Example	119
9.5 Trigger Port Forwarding	120
9.5.1 Trigger Port Forwarding Example	121
9.5.2 Two Points To Remember About Trigger Ports	121
9.6 NAT Advanced Screen	121
10. Dynamic DNS	125
10.1 Dynamic DNS Introduction	125
10.1.1 DynDNS Wildcard	125
10.2 Dynamic DNS Screen	125
11. Firewall	127
11.1 Introduction to Firewall	127
11.1.1 What is a Firewall?	127
11.1.2 Stateful Inspection Firewall.	127
11.1.3 About the ZyXEL Device Firewall	127
11.1.4 Guidelines For Enhancing Security With Your Firewall	128
11.2 General Firewall Screen	128
11.3 Services Screen	129
12. Content Filtering	133
12.1 Introduction to Content Filtering	133
12.2 Restrict Web Features	133
12.3 Days and Times	133
12.4 Filter Screen	133
12.5 Schedule	135
12.6 Customizing Keyword Blocking URL Checking	136
12.6.1 Domain Name or IP Address URL Checking	136
12.6.2 Full Path URL Checking	136
12.6.3 File Name URL Checking	137
13. IPSec VPN	139
13.1 IPSec VPN Overview	139
13.1.1 IKE SA (IKE Phase 1) Overview	140
13.1.1.1 IP Addresses of the ZyXEL Device and Remote IPSec Router	140
13.1.2 IKE SA Setup	140
13.1.2.1 IKE SA Proposal	141
13.1.2.2 Diffie-Hellman (DH) Key Exchange	141
13.1.2.3 Authentication	141
13.1.2.4 Negotiation Mode	143
13.1.2.5 VPN, NAT, and NAT Traversal	143
13.1.3 IPSec SA (IKE Phase 2) Overview	144
13.1.3.1 Local Network and Remote Network	144
13.1.3.2 IPSec Protocol	144
13.1.3.3 Encapsulation	145
13.1.3.4 IPSec SA Proposal and Perfect Forward Secrecy	145
13.1.4 Additional IPSec VPN Topics	146
13.1.4.1 SA Life Time	146
13.1.4.2 Encryption and Authentication Algorithms	146
13.2 Remote DNS Server	147
13.3 VPN Summary	147
13.4 VPN Rule Setup (IKE)	148
13.5 Advanced VPN Rule Setup (IKE)	153
13.6 IPSec SA Using Manual Keys	159
13.6.1 IPSec SA Proposal Using Manual Keys	160
13.6.2 Authentication and the Security Parameter Index (SPI)	160
13.7 VPN Rule Setup (Manual)	160
13.8 VPN SA Monitor	164
13.9 VPN Global Setting	165
13.10 Telecommuter VPN/IPSec Examples	165
13.10.1 Telecommuters Sharing One VPN Rule Example	166
13.10.2 Telecommuters Using Unique VPN Rules Example	166
13.11 VPN and Remote Management	168
14. Static Route Screens	169
14.1 Static Route Overview	169
14.2 IP Static Route Screen	170
14.2.1 Static Route Setup Screen	171
15. Bandwidth Management	173
15.1 Bandwidth Management Overview	173
15.2 Application-based Bandwidth Management	173
15.3 Subnet-based Bandwidth Management	174
15.4 Application and Subnet-based Bandwidth Management	174
15.5 Bandwidth Management Priorities	175
15.6 Predefined Bandwidth Management Services	175
15.6.1 Services and Port Numbers	176
15.7 Default Bandwidth Management Classes and Priorities	178
15.8 Bandwidth Management General Configuration	179
15.9 Bandwidth Management Advanced Configuration	180
15.9.1 Rule Configuration with the Pre-defined Service	182
15.9.2 Rule Configuration with the User-defined Service	183
15.10 Bandwidth Management Monitor	184
16. Remote Management Screens	185
16.1 Remote Management Overview	185
16.1.1 Remote Management Limitations	185
16.1.2 Remote Management and NAT	186
16.1.3 System Timeout	186
16.2 WWW Screen	186
16.3 Telnet	187
16.4 Telnet Screen	187
16.5 FTP Screen	188
16.6 DNS Screen	189
17. UPnP	191
17.1 Universal Plug and Play Overview	191
17.1.1 How Do I Know If I'm Using UPnP?	191
17.1.2 NAT Traversal	191
17.1.3 Cautions with UPnP	191
17.2 UPnP and ZyXEL	192
17.3 UPnP Screen	192
17.4 Installing UPnP in Windows Example	193
17.4.1 Installing UPnP in Windows Me	193
17.4.2 Installing UPnP in Windows XP	194
17.5 Using UPnP in Windows XP Example	195
17.5.1 Auto-discover Your UPnP-enabled Network Device	195
17.5.2 Web Configurator Easy Access	196
17.5.3 Web Configurator Easy Access	197
18. Print Server	199
18.1 Print Server Overview	199
18.2 ZyXEL Device Print Server	199
18.3 Print Server Screen	200
19. Print Server Driver Setup	201
19.1 Installation Requirements	201
19.2 Windows 95/98 SE/Me/2000/XP/NT 4.0	201
19.2.1 Print Server Driver Setup Wizard	202
19.2.2 Adding a New Printer	207
19.3 Macintosh OS X	211
20. System	215
20.1 System Overview	215
20.2 System General Screen	215
20.3 Time Setting Screen	216
21. Logs	219
21.1 View Log	219
21.2 Log Settings	220
22. Tools	223
22.1 Firmware Upload Screen	223
22.2 Configuration Screen	224
22.2.1 Backup Configuration	225
22.2.2 Restore Configuration	225
22.2.3 Back to Factory Defaults	226
22.3 Restart Screen	227
23. Configuration Mode	229
24. Troubleshooting	231
24.1 Problems Starting Up the ZyXEL Device	231
24.2 Problems with the LAN	231
24.3 Problems with the WAN	232
24.4 Problems Accessing the ZyXEL Device	233
24.5 Problems with Restricted Web Pages and Keyword Blocking	233
24.5.1 Pop-up Windows, JavaScripts and Java Permissions	235
24.5.1.1 Internet Explorer Pop-up Blockers	235
24.5.1.2 JavaScripts	238
24.5.1.3 Java Permissions	240
24.5.2 ActiveX Controls in Internet Explorer	242
A. Product Specifications	245
B. Print Server Specifications	249
ZyXEL Device Print Server Compatible USB Printers	250
C. Setting up Your Computer’s IP Address	255
Windows 95/98/Me	255
Installing Components	256
Configuring	257
Verifying Settings	258
Windows 2000/NT/XP	258
Verifying Settings	263
Macintosh OS 8/9	263
Verifying Settings	265
Macintosh OS X	265
Verifying Settings	266
Linux	266
Using the K Desktop Environment (KDE)	267
Using Configuration Files	268
Verifying Settings	270
D. IP Subnetting	271
IP Addressing	271
IP Classes	271
Subnet Masks	272
Subnetting	272
Example: Two Subnets	273
Example: Four Subnets	275
Example Eight Subnets	276
Subnetting With Class A and Class B Networks.	277
E. Wireless LANs	279
Wireless LAN Topologies	279
Ad-hoc Wireless LAN Configuration	279
BSS	279
ESS	280
Channel	281
RTS/CTS	281
Fragmentation Threshold	282
Preamble Type	283
IEEE 802.11g Wireless LAN	283
Wireless Security Overview	284
IEEE 802.1x	284
RADIUS	284
Types of RADIUS Messages	285
Types of Authentication	286
EAP-MD5 (Message-Digest Algorithm 5)	286
EAP-TLS (Transport Layer Security)	286
EAP-TTLS (Tunneled Transport Layer Service)	286
PEAP (Protected EAP)	286
LEAP	287
Dynamic WEP Key Exchange	287
WPA and WPA2	287
Encryption	288
User Authentication	289
Wireless Client WPA Supplicants	289
WPA(2) with RADIUS Application Example	289
WPA(2)-PSK Application Example	290
Security Parameters Summary	291
F. Log Descriptions	293
Log Commands	307
Configuring What You Want the ZyXEL Device to Log	307
Displaying Logs	308
Log Command Example	308
G. Services	309
H. Internal SPTGEN	313
Internal SPTGEN Overview	313
The Configuration Text File Format	313
Internal SPTGEN File Modification - Important Points to Remember	314
Internal SPTGEN FTP Download Example	314
Internal SPTGEN FTP Upload Example	315
Example Internal SPTGEN Menus	316
Command Examples	328
I. Triangle Route	329
The Ideal Setup	329
The “Triangle Route” Problem	329
The “Triangle Route” Solutions	330
IP Aliasing	330
Index	331
A	331
B	331
C	331
D	331
E	331
F	332
G	332
H	332
I	332
J	333
K	333
L	333
M	333
N	333
O	333
P	333
R	333
S	334
T	334
U	334
V	334
W	334

Match case Limit results 1 per page

P-334U/P-335U User’s Guide

146

Chapter 13 IPSec VPN

If you do not enable PFS, the ZyXEL Device and remote IPSec router use the same root key

that was generated when the IKE SA was established to generate encryption keys.

The DH key exchange is time-consuming and may be unnecessary for data that does not

require such security.

13.1.4

Additional IPSec VPN Topics

This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or

both. Relationships between the topics are also highlighted.

13.1.4.1

SA Life Time

SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times

out, the ZyXEL Device automatically renegotiates the SA in the following situations:

•

There is traffic when the SA life time expires

•

The IPSec SA is configured on the ZyXEL Device as nailed up (see below)

Otherwise, the ZyXEL Device must re-negotiate the SA the next time someone wants to send

traffic.

Note:

If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays

connected.

An IPSec SA can be set to

keep alive

Normally, the ZyXEL Device drops the IPSec SA when

the life time expires or after two minutes of outbound traffic with no inbound traffic. If you set

the IPSec SA to keep alive , the ZyXEL Device automatically renegotiates the IPSec SA when

the SA life time expires, and it does not drop the IPSec SA if there is no inbound traffic.

Note:

The SA life time and keep alive settings only apply if the rule identifies the

remote IPSec router by a static IP address or a domain name. If the

Secure

Gateway Address

field is set to

0.0.0.0

, the ZyXEL Device cannot initiate the

tunnel (and cannot renegotiate the SA).

13.1.4.2

Encryption and Authentication Algorithms

In most ZyXEL Devices, you can select one of the following encryption algorithms for each

proposal. The encryption algorithms are listed here in order from weakest to strongest.

•

Data Encryption Standard (DES) is a widely used (but breakable) method of data

encryption. It applies a 56-bit key to each 64-bit block of data.

•

Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys,

effectively tripling the strength of DES.

You can select one of the following authentication algorithms for each proposal. The

algorithms are listed here in order from weakest to strongest.

•

MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.

•

SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.