Home » ZyXEL Manuals » Networking » ZyXEL P-792H v2 » Manual Viewer

ZyXEL P-792H v2 User Guide - Page 174

IPSec and NAT

Get ZyXEL P-792H v2 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 174 highlights

Chapter 12 VPN IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms. The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols. Key Management Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN. 12.9.2 IPSec and NAT Read this section if you are running IPSec on a host computer behind the P-792H v2. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted. A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered. IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet. Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. 174 P-792H v2 User's Guide

Section	Page
P-792H v2	1
About This User's Guide	3
Document Conventions	6
Safety Warnings	8
Contents Overview	9
Table of Contents	11
User’s Guide	23
Getting To Know Your P-792H v2	25
1.1 Overview	25
1.1.1 High-speed Internet Access with G.SHDSL	25
1.1.2 High-speed Point-to-point Connections	26
1.2 Ways to Manage the P-792H v2	26
1.3 Good Habits for Managing the P-792H v2	27
1.4 LEDs	27
1.5 The RESET Button	28
1.5.1 Using the RESET Button	28
Introducing the Web Configurator	29
2.1 Web Configurator Overview	29
2.2 Accessing the Web Configurator	29
2.3 Web Configurator Main Screen	31
2.3.1 Title Bar	32
2.3.2 Navigation Panel	32
2.3.3 Main Window	35
2.3.4 Status Bar	35
Status Screens	37
3.1 Overview	37
3.2 The Status Screen	37
3.3 Client List	40
3.4 Status: VPN Status	40
3.5 Any IP Table	40
3.6 Packet Statistics	41
Internet Setup Wizard	43
4.1 Overview	43
4.2 Internet Access Wizard Setup	43
4.2.1 Manual Configuration	46
Tutorial	53
5.1 Overview	53
5.2 Configuring Point-to-point Connection	53
5.2.1 Set Up the Server	54
5.2.2 Set Up the Client	55
5.2.3 Connect the P-792H v2s	55
Technical Reference	57
WAN Setup	59
6.1 Overview	59
6.1.1 What You Can Do in the WAN Screens	59
6.1.2 What You Need to Know About WAN	60
6.1.3 Before You Begin	61
6.2 The Internet Access Setup Screen	62
6.2.1 Advanced Internet Access Setup	66
6.3 The More Connections Screen	68
6.3.1 More Connections Edit	70
6.3.2 Configuring More Connections Advanced Setup	73
6.4 The WAN Backup Setup Screen	75
6.5 WAN Technical Reference	76
6.5.1 Encapsulation	76
6.5.2 Multiplexing	78
6.5.3 VPI and VCI	78
6.5.4 IP Address Assignment	78
6.5.5 Nailed-Up Connection (PPP)	79
6.5.6 NAT	79
6.6 Metric	79
6.7 Traffic Redirect	80
6.8 Traffic Shaping	81
6.8.1 ATM Traffic Classes	82
LAN Setup	85
7.1 Overview	85
7.1.1 What You Can Do in the LAN Screens	85
7.1.2 What You Need To Know About LAN	86
7.1.3 Before You Begin	87
7.2 The IP Screen	87
7.2.1 The Advanced LAN IP Setup Screen	88
7.3 The DHCP Setup Screen	90
7.4 The Client List Screen	92
7.5 The IP Alias Screen	93
7.5.1 Configuring the LAN IP Alias Screen	94
7.6 LAN Technical Reference	95
7.6.1 LANs, WANs and the ZyXEL Device	95
7.6.2 DHCP Setup	96
7.6.3 DNS Server Addresses	96
7.6.4 LAN TCP/IP	97
7.6.5 RIP Setup	98
7.6.6 Multicast	98
Network Address Translation (NAT)	101
8.1 Overview	101
8.1.1 What You Can Do in the NAT Screens	101
8.1.2 What You Need To Know About NAT	101
8.2 The NAT General Setup Screen	103
8.3 The Port Forwarding Screen	104
8.3.1 Configuring the Port Forwarding Screen	105
8.3.2 The Port Forwarding Rule Edit Screen	106
8.4 The Address Mapping Screen	107
8.4.1 The Address Mapping Rule Edit Screen	109
8.5 The ALG Screen	111
8.6 NAT Technical Reference	111
8.6.1 NAT Definitions	111
8.6.2 What NAT Does	112
8.6.3 How NAT Works	113
8.6.4 NAT Application	114
8.6.5 NAT Mapping Types	114
Firewalls	117
9.1 Overview	117
9.1.1 What You Can Do in the Firewall Screens	117
9.1.2 What You Need to Know About Firewall	118
9.1.3 Firewall Rule Setup Example	119
9.2 The Firewall General Screen	122
9.3 The Firewall Rule Screen	124
9.3.1 Configuring Firewall Rules	126
9.3.2 Customized Services	128
9.3.3 Configuring a Customized Service	129
9.4 The Firewall Threshold Screen	129
9.4.1 Threshold Values	130
9.4.2 Configuring Firewall Thresholds	131
9.5 Firewall Technical Reference	133
9.5.1 Firewall Rules Overview	133
9.5.2 Guidelines For Enhancing Security With Your Firewall	134
9.5.3 Security Considerations	135
9.5.4 Triangle Route	135
Content Filtering	139
10.1 Overview	139
10.1.1 What You Can Do in the Content Filter Screens	139
10.1.2 What You Need to Know About Content Filtering	139
10.1.3 Before You Begin	139
10.1.4 Content Filtering Example	140
10.2 The Keyword Screen	142
10.3 The Schedule Screen	143
10.4 The Trusted Screen	144
Certificates	145
11.1 Overview	145
11.1.1 What You Need to Know About Certificates	145
11.1.2 Verifying a Certificate	146
11.2 The Trusted CAs Screen	147
11.2.1 Trusted CA Import	149
11.2.2 Trusted CA Details	150
11.3 Certificates Technical Reference	152
11.3.1 Certificates Overview	152
11.3.2 Private-Public Certificates	152
VPN	155
12.1 Overview	155
12.1.1 What You Can Do in the VPN Screens	155
12.1.2 What You Need to Know About IPSec VPN	156
12.1.3 Before You Begin	157
12.2 VPN Setup Screen	157
12.3 The VPN Edit Screen	160
12.4 Configuring Advanced IKE Settings	165
12.5 Manual Key Setup	167
12.5.1 Security Parameter Index (SPI)	168
12.6 Configuring Manual Key	168
12.7 Viewing SA Monitor	171
12.8 Configuring VPN Global Setting	172
12.9 IPSec VPN Technical Reference	173
12.9.1 IPSec Architecture	173
12.9.2 IPSec and NAT	174
12.9.3 VPN, NAT, and NAT Traversal	175
12.9.4 Encapsulation	176
12.9.5 IKE Phases	177
12.9.6 Negotiation Mode	178
12.9.7 Keep Alive	178
12.9.8 Remote DNS Server	179
12.9.9 ID Type and Content	180
12.9.10 Pre-Shared Key	182
12.9.11 Diffie-Hellman (DH) Key Groups	182
12.9.12 Telecommuter VPN/IPSec Examples	182
Static Route	187
13.1 Overview	187
13.2 The Static Route Screen	188
13.2.1 Static Route Edit	189
802.1Q/1P	191
14.1 Overview	191
14.1.1 What You Can Do in the 802.1Q/1P Screens	191
14.1.2 What You Need to Know About 802.1Q/1P	191
14.1.3 802.1Q/1P Example	193
14.2 The 802.1Q/1P Group Setting Screen	197
14.2.1 Editing 802.1Q/1P Group Setting	198
14.3 The 802.1Q/1P Port Setting Screen	199
Quality of Service (QoS)	201
15.1 Overview	201
15.2 QoS Overview	201
15.2.1 What You Can Do in the QoS Screens	202
15.2.2 What You Need to Know About QoS	202
15.2.3 QoS Class Setup Example	203
15.3 The QoS General Screen	207
15.4 The Class Setup Screen	208
15.4.1 The Class Configuration Screen	210
15.5 The QoS Monitor Screen	214
15.6 QoS Technical Reference	215
15.6.1 IEEE 802.1Q Tag	215
15.6.2 IP Precedence	215
15.6.3 DiffServ	216
15.6.4 Automatic Priority Queue Assignment	216
Dynamic DNS Setup	219
16.1 Overview	219
16.1.1 What You Need To Know About DDNS	219
16.2 The Dynamic DNS Screen	220
Remote Management	223
17.1 Overview	223
17.1.1 What You Can Do in the Remote Management Screens	224
17.1.2 What You Need to Know About Remote Management	224
17.2 The WWW Screen	225
17.2.1 Configuring the WWW Screen	225
17.3 The Telnet Screen	226
17.4 The FTP Screen	227
17.5 The SNMP Screen	228
17.5.1 Supported MIBs	230
17.5.2 SNMP Traps	230
17.5.3 Configuring SNMP	231
17.6 The DNS Screen	232
17.7 The ICMP Screen	233
Universal Plug-and-Play (UPnP)	235
18.1 Overview	235
18.1.1 What You Can Do in the UPnP Screen	235
18.1.2 What You Need to Know About UPnP	235
18.2 The UPnP Screen	237
18.3 Installing UPnP in Windows Example	237
18.4 Using UPnP in Windows XP Example	241
System Settings	247
19.1 Overview	247
19.1.1 What You Can Do in the System Settings Screens	247
19.1.2 What You Need to Know About System Settings	247
19.2 The General Screen	248
19.3 The Time Setting Screen	250
Logs	253
20.1 Overview	253
20.1.1 What You Can Do in the Log Screens	253
20.1.2 What You Need To Know About Logs	253
20.2 The View Log Screen	254
20.3 The Log Settings Screen	255
20.4 SMTP Error Messages	257
20.4.1 Example E-mail Log	257
20.5 Log Descriptions	258
Tools	267
21.1 Overview	267
21.1.1 What You Can Do in the Tool Screens	267
21.1.2 What You Need To Know About Tools	268
21.1.3 Before You Begin	269
21.1.4 Tool Examples	269
21.2 The Firmware Screen	275
21.3 The Configuration Screen	277
21.4 The Restart Screen	279
Diagnostic	281
22.1 Overview	281
22.1.1 What You Can Do in the Diagnostic Screens	281
22.2 The General Diagnostic Screen	281
22.3 The DSL Line Diagnostic Screen	282
Introducing the SMT	285
23.1 Accessing the SMT	285
23.2 SMT Menu Items	286
23.3 Navigating the SMT Interface	289
General Setup	291
24.1 Configuring General Setup	291
24.1.1 Configuring Dynamic DNS	292
WAN Setup	295
25.1 WAN Setup	295
25.2 Configuring Traffic Redirect	297
LAN Setup	299
26.1 Accessing the LAN Menus	299
26.2 LAN Port Filter Setup	299
26.3 TCP/IP and DHCP Setup Menu	300
26.4 LAN IP Alias	302
Internet Access Setup	303
27.1 Internet Access Setup	303
Remote Node Setup	307
28.1 Introduction to Remote Node Setup	307
28.2 Remote Node Setup	307
28.3 Remote Node Profile	308
28.4 Remote Node Network Layer Options	310
28.5 Remote Node Filter	312
28.6 Remote Node ATM Layer Options	314
28.7 Advance Setup Options	315
Static Route Setup	317
29.1 IP Static Route Setup	317
29.2 Bridge Static Route Setup	319
NAT Setup	321
30.1 Using NAT	321
30.1.1 SUA (Single User Account) Versus NAT	321
30.1.2 Applying NAT	322
30.2 NAT Setup	323
30.2.1 Address Mapping Sets	324
30.3 Configuring a Server behind NAT	327
30.4 General NAT Examples	328
30.4.1 Internet Access Only	329
30.4.2 Example 2: Internet Access with a Default Server	330
30.4.3 Example 3: Multiple Public IP Addresses With Inside Servers	330
30.4.4 Example 4: NAT Unfriendly Application Programs	334
Firewall Setup	337
31.1 Using P-792H v2 SMT Menus	337
31.1.1 Activating the Firewall	337
Filter Configuration	339
32.1 Introduction to Filters	339
32.1.1 The Filter Structure of the P-792H v2	340
32.2 Configuring a Filter Set	342
32.2.1 Configuring a Filter Rule	344
32.2.2 Configuring a TCP/IP Filter Rule	344
32.2.3 Configuring a Generic Filter Rule	348
32.3 Example Filter	349
32.4 Filter Types and NAT	351
32.5 Firewall Versus Filters	352
32.6 Applying a Filter	352
32.6.1 Applying LAN Filters	352
32.6.2 Applying Remote Node Filters	353
System Password	355
System Information & Diagnosis	357
34.1 Introduction to System Status	357
34.2 System Status	357
34.3 System Information and Console Port Speed	359
34.3.1 System Information	360
34.3.2 Console Port Speed	361
34.4 Log and Trace	361
34.4.1 Viewing Error Log	361
34.4.2 Syslog Logging	362
34.5 Diagnostic	366
Firmware and Configuration File Maintenance	369
35.1 Introduction	369
35.2 Filename Conventions	369
35.3 Backup Configuration	370
35.3.1 Backup Configuration	371
35.3.2 Using the FTP Command from the Command Line	371
35.3.3 Example of FTP Commands from the Command Line	372
35.3.4 GUI-based FTP Clients	372
35.3.5 File Maintenance Over WAN	372
35.3.6 Backup Configuration Using TFTP	373
35.3.7 TFTP Command Example	373
35.3.8 GUI-based TFTP Clients	374
35.3.9 Backup Via Console Port	374
35.4 Restore Configuration	375
35.4.1 Restore Using FTP	376
35.4.2 Restore Using FTP Session Example	377
35.4.3 Restore Via Console Port	377
35.5 Uploading Firmware and Configuration Files	378
35.5.1 Firmware File Upload	378
35.5.2 Configuration File Upload	379
35.5.3 FTP File Upload Command from the DOS Prompt Example	380
35.5.4 FTP Session Example of Firmware File Upload	380
35.5.5 TFTP File Upload	381
35.5.6 TFTP Upload Command Example	381
35.5.7 Uploading Via Console Port	382
35.5.8 Uploading Firmware File Via Console Port	382
35.5.9 Example Xmodem Firmware Upload Using HyperTerminal	383
35.5.10 Uploading Configuration File Via Console Port	383
35.5.11 Example Xmodem Configuration Upload Using HyperTerminal	384
Menus 24.8 to 24.11	385
36.1 Command Interpreter Mode	385
36.1.1 Command Syntax	385
36.1.2 Command Usage	386
36.2 Call Control Support	386
36.2.1 Budget Management	387
36.3 Time and Date Setting	388
36.4 Remote Management	391
36.4.1 Remote Management Limitations	391
Schedule Setup	393
37.1 Schedule Set Overview	393
37.2 Schedule Setup	393
37.3 Schedule Set Setup	394
Troubleshooting	397
38.1 Power, Hardware Connections, and LEDs	397
38.2 P-792H v2 Access and Login	398
38.3 Internet Access	400
38.4 Network Connections	401
Product Specifications	403
Wall-mounting Instructions	409
Setting up Your Computer’s IP Address	411
Pop-up Windows, JavaScripts and Java Permissions	435
IP Addresses and Subnetting	445
Services	455
Legal Information	459

Match case Limit results 1 per page

Chapter 12 VPN

P-792H v2 User’s Guide

174

IPSec Algorithms

The

ESP

(Encapsulating Security Payload) Protocol (RFC 2406) and

(Authentication Header) protocol (RFC 2402) describe the packet formats and the

default standards for packet structure (including implementation algorithms).

The Encryption Algorithm describes the use of encryption techniques such as DES

(Data Encryption Standard) and Triple DES algorithms.

The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC

2404), provide an authentication mechanism for the

and

ESP

protocols.

Key Management

Key management allows you to determine whether to use IKE (ISAKMP) or

manual key configuration in order to set up a VPN.

12.9.2

IPSec and NAT

Read this section if you are running IPSec on a host computer behind the P-792H

v2.

NAT is incompatible with the

protocol in both

Transport

and

Tunnel

mode.

An IPSec VPN using the

protocol digitally signs the outbound packet, both data

payload and headers, with a hash value appended to the packet. When using

protocol, packet contents (the data payload) are not encrypted.

A NAT device in between the IPSec endpoints will rewrite either the source or

destination address with one of its own choosing. The VPN device at the receiving

end will verify the integrity of the incoming packet by computing its own hash

value, and complain that the hash value appended to the received packet doesn't

match. The VPN device at the receiving end doesn't know about the NAT in the

middle, so it assumes that the data has been maliciously altered.

IPSec using

ESP

Tunnel

mode encapsulates the entire original packet

(including headers) in a new IP packet. The new IP packet's source address is the

outbound address of the sending VPN gateway, and its destination address is the

inbound address of the VPN device at the receiving end. When using

ESP

protocol

with authentication, the packet contents (in this case, the entire original packet)

are encrypted. The encrypted contents, but not the new headers, are signed with

a hash value appended to the packet.

Tunnel

mode

ESP

with authentication is compatible with NAT because integrity

checks are performed over the combination of the "original header plus original

payload," which is unchanged by a NAT device.