Home » ZyXEL Manuals » Networking » ZyXEL P-660HNU-F1 » Manual Viewer

ZyXEL P-660HNU-F1 User Guide - Page 219

Pre-Shared Key, 16.6.10 Diffie-Hellman (DH) Key Groups, 16.6.11 Telecommuter VPN/IPSec Examples

Get ZyXEL P-660HNU-F1 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 219 highlights

Chapter 16 VPN 16.6.8.1 ID Type and Content Examples Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel. The two ZyXEL Devices in this example can complete negotiation and establish a VPN tunnel. Table 70 Matching ID Type and Content Configuration Example ZYXEL DEVICE A ZYXEL DEVICE B Local ID type: E-mail Local ID type: IP Local ID content: [email protected] Local ID content: 1.1.1.2 Peer ID type: IP Peer ID type: E-mail Peer ID content: 1.1.1.2 Peer ID content: [email protected] The two ZyXEL Devices in this example cannot complete their negotiation because ZyXEL Device B's Local ID type is IP, but ZyXEL Device A's Peer ID type is set to E-mail. An "ID mismatched" message displays in the IPSEC LOG. Table 71 Mismatching ID Type and Content Configuration Example ZYXEL DEVICE A ZYXEL DEVICE B Local ID type: IP Local ID type: IP Local ID content: 1.1.1.10 Local ID content: 1.1.1.10 Peer ID type: E-mail Peer ID type: IP Peer ID content: [email protected] Peer ID content: N/A 16.6.9 Pre-Shared Key A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section 16.6.5 on page 216 for more on IKE phases). It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. 16.6.10 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) DiffieHellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys. 16.6.11 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyXEL Device at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyXEL Device at headquarters has a static public IP address. 16.6.11.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyXEL Device at headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the ADSL Series User's Guide 219

Section	Page
ADSL Router Series	1
Videos	2
About This User's Guide	3
Document Conventions	5
Safety Warnings	7
Contents Overview	9
Table of Contents	11
User’s Guide	19
Introduction	21
1.1 Overview	21
1.2 Applications for the ZyXEL Device	21
1.2.1 Internet Access	21
1.2.2 Wireless Connection	22
1.2.3 ZyXEL Device’s USB and Print Server Support	22
1.3 The WPS/WLAN Button	23
1.4 Ways to Manage the ZyXEL Device	24
1.5 Good Habits for Managing the ZyXEL Device	25
1.6 The RESET Button	25
Introducing the Web Configurator	27
2.1 Overview	27
2.1.1 Accessing the Web Configurator	27
2.2 The Web Configurator Layout	29
2.2.1 Title Bar	29
2.2.2 Main Window	30
2.2.3 Navigation Panel	30
2.3 User Mode	32
2.3.1 Overview	32
2.3.2 What You Can Do	32
2.3.3 Navigation Panel	33
2.3.4 Network Map	33
2.3.5 Control Panel	34
2.3.6 Power Saving	34
2.3.7 Content Filter	35
2.3.8 Firewall	36
2.3.9 Wireless Security	37
2.3.10 WPS	38
2.3.11 Media Server	38
Tutorials	41
3.1 Overview	41
3.2 Setting Up Your DSL Connection	41
3.3 How to Set up a Wireless Network	44
3.3.1 Example Parameters	44
3.3.2 Configuring the ADSL Device	44
3.3.3 Connecting Wirelessly to your ADSL Device	46
3.3.4 Configuring the Wireless Client using the WPS PIN number	48
3.4 Setting Up NAT Port Forwarding to Allow Access to Network Servers from the Internet	49
3.5 Using the File Sharing Feature	50
3.5.1 Set Up File Sharing	51
3.5.2 Access Your Shared Files From a Computer	54
3.6 Using the Print Server Feature	56
3.7 Configuring the MAC Address Filter for Restricting Wireless Internet Access	70
3.8 Configuring Static Route for Routing to Another Network	71
3.9 Configuring QoS Queue and Class Setup	73
3.10 Access the ADSL Device Using DDNS	77
3.10.1 Registering a DDNS Account on www.dyndns.org	78
3.10.2 Configuring DDNS on Your ADSL Device	78
3.10.3 Testing the DDNS Setting	79
Technical Reference	81
Connection Status and System Info Screens	83
4.1 Overview	83
4.2 The Connection Status Screen	83
4.3 The System Info Screen	84
Broadband	87
5.1 Overview	87
5.1.1 What You Can Do in this Chapter	87
5.1.2 What You Need to Know	87
5.1.3 Before You Begin	88
5.2 The Broadband Screen	88
5.2.1 Add/Edit Internet Connection	89
5.3 Technical Reference	100
Wireless	105
6.1 Overview	105
6.1.1 What You Can Do in this Chapter	105
6.1.2 Wireless Network Overview	105
6.1.3 Before You Begin	107
6.2 The Wireless General Screen	107
6.2.1 No Security	109
6.2.2 Basic (Static WEP/Shared WEP Encryption)	109
6.2.3 More Secure (WPA(2)-PSK)	111
6.2.4 WPA(2) Authentication	112
6.3 The More AP Screen	113
6.3.1 Edit More AP	114
6.4 The WPS Screen	115
6.5 The WMM Screen	117
6.6 Scheduling Screen	118
6.7 Technical Reference	119
6.7.1 Additional Wireless Terms	119
6.7.2 Wireless Security Overview	119
6.7.3 Signal Problems	122
6.7.4 BSS	122
6.7.5 MBSSID	122
6.7.6 WiFi Protected Setup (WPS)	123
Home Networking	131
7.1 Overview	131
7.1.1 What You Can Do in this Chapter	131
7.1.2 What You Need To Know	131
7.2 The LAN Setup Screen	134
7.3 The Static DHCP Screen	136
7.3.1 Before You Begin	136
7.4 The UPnP Screen	137
7.5 The File Sharing Screen	138
7.5.1 Before You Begin	139
7.5.2 Add/Edit File Sharing	140
7.5.3 Add New User	141
7.6 The Media Server Screen	142
7.6.1 The Media Server Screen	142
7.7 The Print Server Screen	143
7.7.1 Before You Begin	143
7.8 Technical Reference	144
7.9 Installing UPnP in Windows Example	148
7.10 Using UPnP in Windows XP Example	151
Routing	157
8.1 Overview	157
8.2 Configuring Static Route	157
8.2.1 Add/Edit Static Route	158
DNS Route	161
9.1 Overview	161
9.1.1 What You Can Do in this Chapter	161
9.2 The DNS Route Screen	162
9.2.1 Add/Edit DNS Route Edit	162
Quality of Service (QoS)	165
10.1 Overview	165
10.1.1 What You Can Do in this Chapter	165
10.1.2 What You Need to Know	165
10.2 The QoS General Screen	166
10.3 The Queue Setup Screen	167
10.3.1 Add/Edit a QoS Queue	168
10.4 The Class Setup Screen	169
10.4.1 Add/Edit QoS Class	170
10.5 The QoS Monitor Screen	173
10.6 QoS Technical Reference	173
10.6.1 IP Precedence	174
10.6.2 DiffServ	174
Network Address Translation (NAT)	175
11.1 Overview	175
11.1.1 What You Can Do in this Chapter	175
11.1.2 What You Need To Know	175
11.2 The Port Forwarding Screen	176
11.2.1 The Port Forwarding Screen	177
11.2.2 The Port Forwarding Edit Screen	177
11.3 The Sessions Screen	178
11.4 The ALG Screen	179
11.5 Technical Reference	180
11.5.1 NAT Definitions	180
11.5.2 What NAT Does	180
11.5.3 How NAT Works	180
Dynamic DNS	183
12.1 Overview	183
12.1.1 What You Need To Know	183
12.2 The Dynamic DNS Screen	183
Firewall	185
13.1 Overview	185
13.1.1 What You Can Do in this Chapter	185
13.1.2 What You Need to Know	185
13.2 The General Screen	186
13.3 The Services Screen	187
13.4 Firewall Technical Reference	188
13.4.1 Guidelines For Enhancing Security With Your Firewall	188
13.4.2 Security Considerations	188
MAC Filter	191
14.1 Overview	191
14.1.1 What You Need to Know	191
14.2 The MAC Filter Screen	191
Certificates	193
15.1 Overview	193
15.1.1 What You Can Do in this Chapter	193
15.1.2 What You Need to Know	193
15.1.3 Verifying a Certificate	195
15.2 Local Certificates	196
15.2.1 Trusted CAs	197
15.2.2 Trusted CA Import	198
15.2.3 View Certificate	198
15.3 VPN Certificates	199
15.3.1 Import Certificate	200
VPN	203
16.1 Overview	203
16.1.1 What You Can Do in the VPN Screens	203
16.1.2 What You Need to Know About IPSec VPN	203
16.1.3 Before You Begin	205
16.2 VPN Setup Screen	205
16.3 The VPN Edit Screen	206
16.4 Configuring Advanced Settings	210
16.5 Viewing SA Monitor	212
16.6 IPSec VPN Technical Reference	212
16.6.1 IPSec Architecture	212
16.6.2 IPSec and NAT	213
16.6.3 VPN, NAT, and NAT Traversal	214
16.6.4 Encapsulation	215
16.6.5 IKE Phases	216
16.6.6 Negotiation Mode	217
16.6.7 Remote DNS Server	217
16.6.8 ID Type and Content	218
16.6.9 Pre-Shared Key	219
16.6.10 Diffie-Hellman (DH) Key Groups	219
16.6.11 Telecommuter VPN/IPSec Examples	219
System Monitor	223
17.1 Overview	223
17.1.1 What You Can Do in this Chapter	223
17.2 The WAN Status Screen	223
17.3 The LAN Status Screen	224
17.4 The NAT Status Screen	225
User Account	227
18.1 Overview	227
18.2 The User Account Screen	227
Remote MGMT	229
19.1 Overview	229
19.1.1 What You Need to Know	229
19.2 The Remote MGMT Screen	229
System	231
20.1 Overview	231
20.1.1 What You Need to Know	231
20.2 The System Screen	231
Time Setting	233
21.1 Overview	233
21.2 The Time Setting Screen	233
Log Setting	235
22.1 Overview	235
22.2 The Log Setting Screen	235
Firmware Upgrade	237
23.1 Overview	237
23.2 The Firmware Screen	237
Backup/Restore	239
24.1 Overview	239
24.2 The Backup/Restore Screen	239
24.3 The Reboot Screen	241
Diagnostic	243
25.1 Overview	243
25.1.1 What You Can Do in this Chapter	243
25.2 The Ping Screen	243
25.3 The DSL Line Screen	244
Troubleshooting	247
26.1 Overview	247
26.2 Power, Hardware Connections, and LEDs	247
26.3 ZyXEL Device Access and Login	248
26.4 Internet Access	250
26.5 Wireless Internet Access	251
26.6 USB Device Connection	252
26.7 UPnP	253
Product Specifications	255
IP Addresses and Subnetting	263
Setting Up Your Computer’s IP Address	273
Pop-up Windows, Java Script and Java Permissions	303
Wireless LANs	311
Common Services	331
Open Software Announcements	335
Legal Information	357

Match case Limit results 1 per page

Chapter 16 VPN

ADSL Series User’s Guide

219

16.6.8.1

ID Type and Content Examples

Two IPSec routers must have matching ID type and content configuration in order to set up a VPN

tunnel.

The two ZyXEL Devices in this example can complete negotiation and establish a VPN tunnel.

The two ZyXEL Devices in this example cannot complete their negotiation because ZyXEL Device B’s

Local ID type

, but ZyXEL Device A’s

Peer ID type

is set to

E-mail

. An “ID mismatched”

message displays in the IPSEC LOG.

16.6.9

Pre-Shared Key

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see

Section

16.6.5 on page 216

for more on IKE phases). It is called “pre-shared” because you have to share it

with another party before you can communicate with them over a secure connection.

16.6.10

Diffie-Hellman (DH) Key Groups

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a

shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA

setup to establish session keys. 768-bit (Group 1 -

DH1

) and 1024-bit (Group 2 –

DH2

) Diffie-

Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers

have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.

16.6.11

Telecommuter VPN/IPSec Examples

The following examples show how multiple telecommuters can make VPN connections to a single

ZyXEL Device at headquarters. The telecommuters use IPSec routers with dynamic WAN IP

addresses. The ZyXEL Device at headquarters has a static public IP address.

16.6.11.1

Telecommuters Sharing One VPN Rule Example

See the following figure and table for an example configuration that allows multiple telecommuters

(

and

in the figure) to use one VPN rule to simultaneously access a ZyXEL Device at

headquarters (

in the figure). The telecommuters do not have domain names mapped to the

Table 70

Matching ID Type and Content Configuration Example

ZYXEL DEVICE A

ZYXEL DEVICE B

Local ID type: E-mail

Local ID type: IP

Local ID content: [email protected]

Local ID content: 1.1.1.2

Peer ID type: IP

Peer ID type: E-mail

Peer ID content: 1.1.1.2

Peer ID content: [email protected]

Table 71

Mismatching ID Type and Content Configuration Example