Home » ZyXEL Manuals » Networking » ZyXEL P-660HNU-F1 » Manual Viewer

ZyXEL P-660HNU-F1 User Guide - Page 214

VPN, NAT, and NAT Traversal, Table 66, SECURITY PROTOCOL

Get ZyXEL P-660HNU-F1 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 214 highlights

Chapter 16 VPN IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet. Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT. Table 66 VPN and NAT SECURITY PROTOCOL AH AH ESP ESP MODE Transport Tunnel Transport Tunnel NAT N N N Y 16.6.3 VPN, NAT, and NAT Traversal NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address. As a result, the VPN device at the receiving end finds a mismatch between the hash value and the data and assumes that the data has been maliciously altered. NAT is not normally compatible with ESP in transport mode either, but the ZyXEL Device's NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers. Figure 111 NAT Router Between IPSec Routers A B Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. In Figure 111 on page 214, when IPSec router A tries to establish an IKE SA, IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA. For NAT traversal to work, you must: • Use ESP security protocol (in either transport or tunnel mode). • Use IKE keying mode. • Enable NAT traversal on both IPSec endpoints. 214 ADSL Series User's Guide

Section	Page
ADSL Router Series	1
Videos	2
About This User's Guide	3
Document Conventions	5
Safety Warnings	7
Contents Overview	9
Table of Contents	11
User’s Guide	19
Introduction	21
1.1 Overview	21
1.2 Applications for the ZyXEL Device	21
1.2.1 Internet Access	21
1.2.2 Wireless Connection	22
1.2.3 ZyXEL Device’s USB and Print Server Support	22
1.3 The WPS/WLAN Button	23
1.4 Ways to Manage the ZyXEL Device	24
1.5 Good Habits for Managing the ZyXEL Device	25
1.6 The RESET Button	25
Introducing the Web Configurator	27
2.1 Overview	27
2.1.1 Accessing the Web Configurator	27
2.2 The Web Configurator Layout	29
2.2.1 Title Bar	29
2.2.2 Main Window	30
2.2.3 Navigation Panel	30
2.3 User Mode	32
2.3.1 Overview	32
2.3.2 What You Can Do	32
2.3.3 Navigation Panel	33
2.3.4 Network Map	33
2.3.5 Control Panel	34
2.3.6 Power Saving	34
2.3.7 Content Filter	35
2.3.8 Firewall	36
2.3.9 Wireless Security	37
2.3.10 WPS	38
2.3.11 Media Server	38
Tutorials	41
3.1 Overview	41
3.2 Setting Up Your DSL Connection	41
3.3 How to Set up a Wireless Network	44
3.3.1 Example Parameters	44
3.3.2 Configuring the ADSL Device	44
3.3.3 Connecting Wirelessly to your ADSL Device	46
3.3.4 Configuring the Wireless Client using the WPS PIN number	48
3.4 Setting Up NAT Port Forwarding to Allow Access to Network Servers from the Internet	49
3.5 Using the File Sharing Feature	50
3.5.1 Set Up File Sharing	51
3.5.2 Access Your Shared Files From a Computer	54
3.6 Using the Print Server Feature	56
3.7 Configuring the MAC Address Filter for Restricting Wireless Internet Access	70
3.8 Configuring Static Route for Routing to Another Network	71
3.9 Configuring QoS Queue and Class Setup	73
3.10 Access the ADSL Device Using DDNS	77
3.10.1 Registering a DDNS Account on www.dyndns.org	78
3.10.2 Configuring DDNS on Your ADSL Device	78
3.10.3 Testing the DDNS Setting	79
Technical Reference	81
Connection Status and System Info Screens	83
4.1 Overview	83
4.2 The Connection Status Screen	83
4.3 The System Info Screen	84
Broadband	87
5.1 Overview	87
5.1.1 What You Can Do in this Chapter	87
5.1.2 What You Need to Know	87
5.1.3 Before You Begin	88
5.2 The Broadband Screen	88
5.2.1 Add/Edit Internet Connection	89
5.3 Technical Reference	100
Wireless	105
6.1 Overview	105
6.1.1 What You Can Do in this Chapter	105
6.1.2 Wireless Network Overview	105
6.1.3 Before You Begin	107
6.2 The Wireless General Screen	107
6.2.1 No Security	109
6.2.2 Basic (Static WEP/Shared WEP Encryption)	109
6.2.3 More Secure (WPA(2)-PSK)	111
6.2.4 WPA(2) Authentication	112
6.3 The More AP Screen	113
6.3.1 Edit More AP	114
6.4 The WPS Screen	115
6.5 The WMM Screen	117
6.6 Scheduling Screen	118
6.7 Technical Reference	119
6.7.1 Additional Wireless Terms	119
6.7.2 Wireless Security Overview	119
6.7.3 Signal Problems	122
6.7.4 BSS	122
6.7.5 MBSSID	122
6.7.6 WiFi Protected Setup (WPS)	123
Home Networking	131
7.1 Overview	131
7.1.1 What You Can Do in this Chapter	131
7.1.2 What You Need To Know	131
7.2 The LAN Setup Screen	134
7.3 The Static DHCP Screen	136
7.3.1 Before You Begin	136
7.4 The UPnP Screen	137
7.5 The File Sharing Screen	138
7.5.1 Before You Begin	139
7.5.2 Add/Edit File Sharing	140
7.5.3 Add New User	141
7.6 The Media Server Screen	142
7.6.1 The Media Server Screen	142
7.7 The Print Server Screen	143
7.7.1 Before You Begin	143
7.8 Technical Reference	144
7.9 Installing UPnP in Windows Example	148
7.10 Using UPnP in Windows XP Example	151
Routing	157
8.1 Overview	157
8.2 Configuring Static Route	157
8.2.1 Add/Edit Static Route	158
DNS Route	161
9.1 Overview	161
9.1.1 What You Can Do in this Chapter	161
9.2 The DNS Route Screen	162
9.2.1 Add/Edit DNS Route Edit	162
Quality of Service (QoS)	165
10.1 Overview	165
10.1.1 What You Can Do in this Chapter	165
10.1.2 What You Need to Know	165
10.2 The QoS General Screen	166
10.3 The Queue Setup Screen	167
10.3.1 Add/Edit a QoS Queue	168
10.4 The Class Setup Screen	169
10.4.1 Add/Edit QoS Class	170
10.5 The QoS Monitor Screen	173
10.6 QoS Technical Reference	173
10.6.1 IP Precedence	174
10.6.2 DiffServ	174
Network Address Translation (NAT)	175
11.1 Overview	175
11.1.1 What You Can Do in this Chapter	175
11.1.2 What You Need To Know	175
11.2 The Port Forwarding Screen	176
11.2.1 The Port Forwarding Screen	177
11.2.2 The Port Forwarding Edit Screen	177
11.3 The Sessions Screen	178
11.4 The ALG Screen	179
11.5 Technical Reference	180
11.5.1 NAT Definitions	180
11.5.2 What NAT Does	180
11.5.3 How NAT Works	180
Dynamic DNS	183
12.1 Overview	183
12.1.1 What You Need To Know	183
12.2 The Dynamic DNS Screen	183
Firewall	185
13.1 Overview	185
13.1.1 What You Can Do in this Chapter	185
13.1.2 What You Need to Know	185
13.2 The General Screen	186
13.3 The Services Screen	187
13.4 Firewall Technical Reference	188
13.4.1 Guidelines For Enhancing Security With Your Firewall	188
13.4.2 Security Considerations	188
MAC Filter	191
14.1 Overview	191
14.1.1 What You Need to Know	191
14.2 The MAC Filter Screen	191
Certificates	193
15.1 Overview	193
15.1.1 What You Can Do in this Chapter	193
15.1.2 What You Need to Know	193
15.1.3 Verifying a Certificate	195
15.2 Local Certificates	196
15.2.1 Trusted CAs	197
15.2.2 Trusted CA Import	198
15.2.3 View Certificate	198
15.3 VPN Certificates	199
15.3.1 Import Certificate	200
VPN	203
16.1 Overview	203
16.1.1 What You Can Do in the VPN Screens	203
16.1.2 What You Need to Know About IPSec VPN	203
16.1.3 Before You Begin	205
16.2 VPN Setup Screen	205
16.3 The VPN Edit Screen	206
16.4 Configuring Advanced Settings	210
16.5 Viewing SA Monitor	212
16.6 IPSec VPN Technical Reference	212
16.6.1 IPSec Architecture	212
16.6.2 IPSec and NAT	213
16.6.3 VPN, NAT, and NAT Traversal	214
16.6.4 Encapsulation	215
16.6.5 IKE Phases	216
16.6.6 Negotiation Mode	217
16.6.7 Remote DNS Server	217
16.6.8 ID Type and Content	218
16.6.9 Pre-Shared Key	219
16.6.10 Diffie-Hellman (DH) Key Groups	219
16.6.11 Telecommuter VPN/IPSec Examples	219
System Monitor	223
17.1 Overview	223
17.1.1 What You Can Do in this Chapter	223
17.2 The WAN Status Screen	223
17.3 The LAN Status Screen	224
17.4 The NAT Status Screen	225
User Account	227
18.1 Overview	227
18.2 The User Account Screen	227
Remote MGMT	229
19.1 Overview	229
19.1.1 What You Need to Know	229
19.2 The Remote MGMT Screen	229
System	231
20.1 Overview	231
20.1.1 What You Need to Know	231
20.2 The System Screen	231
Time Setting	233
21.1 Overview	233
21.2 The Time Setting Screen	233
Log Setting	235
22.1 Overview	235
22.2 The Log Setting Screen	235
Firmware Upgrade	237
23.1 Overview	237
23.2 The Firmware Screen	237
Backup/Restore	239
24.1 Overview	239
24.2 The Backup/Restore Screen	239
24.3 The Reboot Screen	241
Diagnostic	243
25.1 Overview	243
25.1.1 What You Can Do in this Chapter	243
25.2 The Ping Screen	243
25.3 The DSL Line Screen	244
Troubleshooting	247
26.1 Overview	247
26.2 Power, Hardware Connections, and LEDs	247
26.3 ZyXEL Device Access and Login	248
26.4 Internet Access	250
26.5 Wireless Internet Access	251
26.6 USB Device Connection	252
26.7 UPnP	253
Product Specifications	255
IP Addresses and Subnetting	263
Setting Up Your Computer’s IP Address	273
Pop-up Windows, Java Script and Java Permissions	303
Wireless LANs	311
Common Services	331
Open Software Announcements	335
Legal Information	357

Match case Limit results 1 per page

Chapter 16 VPN

ADSL Series User’s Guide

214

IPSec using

ESP

Tunnel

mode encapsulates the entire original packet (including headers) in a

new IP packet. The new IP packet's source address is the outbound address of the sending VPN

gateway, and its destination address is the inbound address of the VPN device at the receiving end.

When using

ESP

protocol with authentication, the packet contents (in this case, the entire original

packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash

value appended to the packet.

Tunnel

mode

ESP

with authentication is compatible with NAT because integrity checks are

performed over the combination of the "original header plus original payload," which is unchanged

by a NAT device.

Transport

mode

ESP

with authentication is not compatible with NAT.

16.6.3

VPN, NAT, and NAT Traversal

NAT is incompatible with the AH protocol in both transport

and tunnel

mode. An IPSec VPN using

the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash

value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or

destination address. As a result, the VPN device at the receiving end finds a mismatch between the

hash value and the data and assumes that the data has been maliciously altered.

NAT is not normally compatible with ESP in transport mode either, but the ZyXEL Device’s

NAT

Traversal

feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when

there are NAT routers between the two IPSec routers.

Figure 111

NAT Router Between IPSec Routers

Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because

the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding

a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP

port 500 header unchanged. In

Figure 111 on page 214

, when IPSec router

tries to establish an

IKE SA, IPSec router

checks the UDP port 500 header, and IPSec routers

and

build the IKE

SA.

For NAT traversal to work, you must:

•

Use ESP security protocol (in either transport or tunnel mode).

•

Use IKE keying mode.

•

Enable NAT traversal on both IPSec endpoints.

Table 66

VPN and NAT

SECURITY PROTOCOL

MODE

NAT

Transport

Tunnel

ESP

Transport

ESP

Tunnel