Home » ZyXEL Manuals » Networking » ZyXEL SBG3300-NB00 » Manual Viewer

ZyXEL SBG3300-NB00 User Guide - Page 284

Extended Authentication, IPSecVPN, Radius, Local DB, Extended Authentication XAUTH, Maintenance,

Get ZyXEL SBG3300-NB00 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 284 highlights

Chapter 20 IPSec VPN Table 90 VPN > IPSec VPN > Setup > Edit (continued) LABEL Key Group DESCRIPTION Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are: DH1 - use a 768-bit random number DH2 - use a 1024-bit random number DH5 - use a 1536-bit random number Dead Peer Detection (DPD) Extended Authentication (XAUTH) The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. Select this check box if you want the Device to make sure the remote IPSec router is there before it transmits data through the IKE SA. The remote IPSec router must support DPD. If there has been no traffic for at least 15 seconds, the Device sends a message to the remote IPSec router. If the remote IPSec router responds, the Device transmits the data. If the remote IPSec router does not respond, the Device shuts down the IKE SA. When multiple IPSec routers use the same VPN tunnel to connect to a single VPN tunnel (telecommuters sharing a tunnel for example), use extended authentication to enforce a user name and password check. This way even though they all know the VPN tunnel's security settings, each still has to provide a unique user name and password. Select the checkbox if one of the routers (the Device or the remote IPSec router) verifies a user name and password from the other router using the local user database and/or an external server. Note: If you want to use Radius for Extended Authentication (XAUTH), you need to configure the settings in the VPN > IPSecVPN > Radius screen beforehand. See Section 20.6 on page 287. Server Mode Client Mode Phase 2 SA Life Time Tunnel Mode Note: If you want to use Local DB for Extended Authentication (XAUTH), make sure the user account exists in the Maintenance > User Account screen. Select this if the Device authenticates the user name and password from the remote IPSec router. You also have to select the authentication method, which specifies how the Device authenticates this information. Select this radio button if the Device provides a username and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password. Phase 2 Encryption can have up to 3 different algorithms and Authentication can have up to 2 different algorithms. To add new algorithms, click the Add button next to Encryption or Authentication. Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The Device automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources. Select the security protocols used for an SA. Choices are: AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Authentication algorithm. ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption algorithm and Authentication algorithm. Both AH and ESP increase processing requirements and latency (delay). The Device and remote IPSec router must use the same active protocol. 284 SBG3300-N Series User's Guide

Section	Page
SBG3300-N Series	1
Contents Overview	3
Table of Contents	5
User’s Guide	15
Introducing the Device	17
1.1 Overview	17
1.2 Ways to Manage the Device	17
1.3 Good Habits for Managing the Device	17
1.4 Applications for the Device	18
1.4.1 Internet Access	18
1.4.2 Device’s USB Support	19
1.5 LEDs (Lights)	19
1.6 The RESET Button	21
1.7 Wireless Access	21
1.7.1 Using the WLAN Button	21
The Web Configurator	23
2.1 Overview	23
2.1.1 Accessing the Web Configurator	23
2.2 Web Configurator Layout	25
2.2.1 Title Bar	25
2.2.2 Main Window	26
2.2.3 Navigation Panel	26
Quick Start	31
3.1 Overview	31
3.2 Quick Start Setup	31
Tutorials	35
4.1 Overview	35
4.2 Setting Up an ADSL PPPoE Connection	35
4.3 Setting Up a Secure Wireless Network	38
4.3.1 Configuring the Wireless Network Settings	38
4.3.2 Using WPS	40
4.3.3 Without WPS	43
4.4 Setting Up Multiple Wireless Groups	44
4.5 Configuring Static Route for Routing to Another Network	47
4.6 Configuring QoS Queue and Class Setup	50
4.7 Access the Device Using DDNS	53
4.7.1 Registering a DDNS Account on www.dyndns.org	53
4.7.2 Configuring DDNS on Your Device	54
4.7.3 Testing the DDNS Setting	54
4.8 Configuring the MAC Address Filter	55
4.9 Access Your Shared Files From a Computer	56
4.10 Certificate Configuration for VPN	57
4.11 Examples of Configuring IPSec VPN Rules	60
4.11.1 Example 1: Use 3DES Encryption	60
4.11.2 Example 2: Use AES128 Encryption	63
4.11.3 Example 3: Configuring a Site-to-Site with Dynamic Peer Rule	64
4.11.4 Example 4: Configuring a Remote Access Rule	64
4.12 PPTP VPN Tutorial	65
4.12.1 Configuring PPTP VPN Setup (Server)	65
4.12.2 Configuring PPTP VPN on Windows (Client)	66
4.12.3 Configuring PPTP VPN on Android Devices (Client)	81
4.12.4 Configuring PPTP VPN in iOS Devices (Client)	83
4.13 L2TP VPN Tutorial	85
4.13.1 Configuring the Default_L2TPVPN IPSec VPN Rule (Server)	86
4.13.2 Configuring the L2TP VPN Setup (Server)	87
4.13.3 Configuring L2TP VPN in Windows (Client)	88
4.13.4 Configuring L2TP VPN on Windows 7 and Vista	90
4.13.5 Configuring L2TP VPN on Windows XP	101
4.13.6 Configuring L2TP VPN on Android Devices (Client)	107
4.13.7 Configuring L2TP VPN in iOS Devices (Client)	110
Technical Reference	113
Status Screens	115
5.1 Overview	115
5.2 The Status Screen	115
Broadband	119
6.1 Overview	119
6.1.1 What You Can Do in this Chapter	119
6.1.2 What You Need to Know	120
6.1.3 Before You Begin	123
6.2 The Broadband Screen	123
6.2.1 Add/Edit Internet Connection	125
6.3 The 3G WAN Screen	133
6.4 The Add New 3G Dongle Screen	136
6.4.1 Add 3G Dongle Information	136
6.5 The Advanced Screen	137
6.6 The 802.1x Screen	138
6.6.1 Edit 802.1x Settings	139
6.7 The multi-WAN Screen	139
6.7.1 Add/Edit multi-WAN	140
6.7.2 How to Configure multi-WAN for Load Balancing and Failover	141
6.8 Technical Reference	142
Wireless	147
7.1 Overview	147
7.1.1 What You Can Do in this Chapter	147
7.1.2 What You Need to Know	148
7.2 The General Screen	148
7.2.1 No Security	151
7.2.2 Basic (WEP Encryption)	151
7.2.3 More Secure (WPA(2)-PSK)	153
7.2.4 WPA(2) Authentication	154
7.3 The More AP Screen	155
7.3.1 Edit More AP	156
7.4 MAC Authentication	158
7.5 The WPS Screen	159
7.6 The WMM Screen	160
7.7 The Others Screen	161
7.8 The Channel Status Screen	163
7.9 Technical Reference	163
7.9.1 Wireless Network Overview	163
7.9.2 Additional Wireless Terms	165
7.9.3 Wireless Security Overview	165
7.9.4 Signal Problems	167
7.9.5 BSS	168
7.9.6 MBSSID	168
7.9.7 Preamble Type	169
7.9.8 WiFi Protected Setup (WPS)	169
LAN	177
8.1 Overview	177
8.1.1 What You Can Do in this Chapter	177
8.1.2 What You Need To Know	178
8.1.3 Before You Begin	179
8.2 The LAN Setup Screen	179
8.3 The Static DHCP Screen	182
8.4 The UPnP Screen	184
8.5 Installing UPnP in Windows Example	185
8.6 Using UPnP in Windows XP Example	188
8.7 The Additional Subnet Screen	194
8.8 The 5th Ethernet Port Screen	195
8.9 Technical Reference	195
8.9.1 LANs, WANs and the Device	196
8.9.2 DHCP Setup	196
8.9.3 DNS Server Addresses	196
8.9.4 LAN TCP/IP	197
Routing	199
9.1 Overview	199
9.1.1 What You Can Do in this Chapter	199
9.2 The Routing Screen	200
9.2.1 Add/Edit Static Route	201
9.3 The Policy Forwarding Screen	201
9.3.1 Add/Edit Policy Forwarding	203
9.4 The RIP Screen	203
Quality of Service (QoS)	205
10.1 Overview	205
10.1.1 What You Can Do in this Chapter	205
10.2 What You Need to Know	206
10.3 The Quality of Service General Screen	207
10.4 The Queue Setup Screen	208
10.4.1 Adding a QoS Queue	210
10.5 The Class Setup Screen	210
10.5.1 Add/Edit QoS Class	212
10.6 The QoS Policer Setup Screen	215
10.6.1 Add/Edit a QoS Policer	216
10.7 The QoS Monitor Screen	217
10.8 Technical Reference	218
Network Address Translation (NAT)	223
11.1 Overview	223
11.1.1 What You Can Do in this Chapter	223
11.1.2 What You Need To Know	223
11.2 The Port Forwarding Screen	224
11.2.1 Add/Edit Port Forwarding	226
11.3 The Applications Screen	227
11.3.1 Add New Application	228
11.4 The Port Triggering Screen	228
11.4.1 Add/Edit Port Triggering Rule	230
11.5 The DMZ Screen	231
11.6 The ALG Screen	232
11.7 The Address Mapping Screen	232
11.7.1 Add/Edit Address Mapping Rule	233
11.8 Technical Reference	234
11.8.1 NAT Definitions	234
11.8.2 What NAT Does	235
11.8.3 How NAT Works	236
11.8.4 NAT Application	237
Dynamic DNS Setup	239
12.1 Overview	239
12.1.1 What You Can Do in this Chapter	239
12.1.2 What You Need To Know	240
12.2 The DNS Entry Screen	240
12.2.1 Add/Edit DNS Entry	241
12.3 The Dynamic DNS Screen	241
Interface Group	243
13.1 Overview	243
13.2 The Interface Group Screen	243
13.2.1 Interface Group Configuration	244
13.2.2 Interface Grouping Criteria	245
USB Service	247
14.1 Overview	247
14.1.1 What You Can Do in this Chapter	247
14.1.2 What You Need To Know	247
14.2 The File Sharing Screen	248
14.2.1 Before You Begin	248
Firewall	251
15.1 Overview	251
15.1.1 What You Can Do in this Chapter	251
15.1.2 What You Need to Know	252
15.2 The Firewall Screen	253
15.3 The Service Screen	253
15.3.1 Add/Edit a Service	255
15.4 The Access Control Screen	256
15.4.1 Add/Edit an ACL Rule	257
15.5 The DoS Screen	258
MAC Filter	261
16.1 Overview	261
16.2 The MAC Filter Screen	261
User Access Control	263
17.1 Overview	263
17.2 The User Access Control Screen	263
17.2.1 Add/Edit a User Access Control Rule	264
Scheduler Rules	267
18.1 Overview	267
18.2 The Scheduler Rules Screen	267
18.2.1 Add/Edit a Schedule	268
Certificates	269
19.1 Overview	269
19.1.1 What You Can Do in this Chapter	269
19.2 What You Need to Know	269
19.3 The Local Certificates Screen	270
19.3.1 Create Certificate Request	271
19.3.2 Load Signed Certificate	272
19.4 The Trusted CA Screen	273
19.4.1 View Trusted CA Certificate	274
19.4.2 Import Trusted CA Certificate	275
IPSec VPN	277
20.1 Overview	277
20.2 What You Can Do in this Chapter	277
20.3 What You Need To Know	278
20.4 The Setup Screen	278
20.4.1 Add/Edit VPN Rule	279
20.4.2 The VPN Connection Add/Edit Screen	280
20.4.3 The Default_L2TPVPN IPSec VPN Rule	286
20.5 The IPSec VPN Monitor Screen	287
20.6 The Radius Screen	287
20.7 Technical Reference	288
20.7.1 IPSec Architecture	289
20.7.2 Encapsulation	290
20.7.3 IKE Phases	291
20.7.4 Negotiation Mode	291
20.7.5 IPSec and NAT	292
20.7.6 VPN, NAT, and NAT Traversal	292
20.7.7 ID Type and Content	293
20.7.8 Pre-Shared Key	294
20.7.9 Diffie-Hellman (DH) Key Groups	295
PPTP VPN	296
21.1 Overview	296
21.2 What You Can Do in this Chapter	296
21.3 PPTP VPN Setup	297
21.4 The PPTP VPN Monitor Screen	298
21.5 PPTP VPN Troubleshooting Tips	298
L2TP VPN	301
22.1 Overview	301
22.1.1 What You Can Do in this Chapter	301
22.2 L2TP VPN Screen	302
22.3 The L2TP VPN Monitor Screen	303
22.4 L2TP VPN Troubleshooting Tips	303
Log	307
23.1 Overview	307
23.1.1 What You Can Do in this Chapter	307
23.1.2 What You Need To Know	307
23.2 The System Log Screen	308
23.3 The Security Log Screen	309
Network Status	311
24.1 Overview	311
24.1.1 What You Can Do in this Chapter	311
24.2 The WAN Status Screen	311
24.3 The LAN Status Screen	312
ARP Table	315
25.1 Overview	315
25.1.1 How ARP Works	315
25.2 ARP Table Screen	315
Routing Table	317
26.1 Overview	317
26.2 The Routing Table Screen	317
IGMP Status	319
27.1 Overview	319
27.2 The IGMP Group Status Screen	319
xDSL Statistics	321
28.1 The xDSL Statistics Screen	321
User Account	325
29.1 Overview	325
29.2 The User Account Screen	325
29.2.1 Add/Edit a Users Account	326
Remote Management	329
30.1 Overview	329
30.2 The Remote MGMT Screen	329
TR-069 Client	331
31.1 Overview	331
31.2 The TR-069 Client Screen	331
SNMP	333
32.1 The SNMP Agent Screen	333
Time	335
33.1 Overview	335
33.2 The Time Screen	335
E-mail Notification	339
34.1 Overview	339
34.2 The Email Notification Screen	339
34.2.1 Email Notification Edit	340
Logs Setting	341
35.1 Overview	341
35.2 The Log Setting Screen	341
35.2.1 Example E-mail Log	342
Firmware Upgrade	345
36.1 Overview	345
36.2 The Firmware Screen	345
Configuration	347
37.1 Overview	347
37.2 The Configuration Screen	347
37.3 The Reboot Screen	349
Diagnostic	350
38.1 Overview	350
38.1.1 What You Can Do in this Chapter	350
38.2 What You Need to Know	350
38.3 Ping & TraceRoute & NsLookup	351
38.4 802.1ag	352
38.5 OAM Ping Test	353
Troubleshooting	355
39.1 Power, Hardware Connections, and LEDs	355
39.2 Device Access and Login	356
39.3 Internet Access	358
39.4 Wireless Internet Access	359
39.5 USB Device Connection	360
39.6 UPnP	360
Setting up Your Computer’s IP Address	363
IP Addresses and Subnetting	385
Pop-up Windows, JavaScript and Java Permissions	393
Wireless LANs	403
IPv6	417
Services	425
Legal Information	429

Match case Limit results 1 per page

Chapter 20 IPSec VPN

SBG3300-N Series User’s Guide

284

Key Group

Select which Diffie-Hellman key group (DHx) you want to use for encryption keys.

Choices are:

DH1

- use a 768-bit random number

DH2

- use a 1024-bit random number

DH5

- use a 1536-bit random number

The longer the key, the more secure the encryption, but also the longer it takes to

encrypt and decrypt information. Both routers must use the same DH key group.

Dead Peer Detection

(DPD)

Select this check box if you want the Device to make sure the remote IPSec router is

there before it transmits data through the IKE SA. The remote IPSec router must

support DPD. If there has been no traffic for at least 15 seconds, the Device sends a

message to the remote IPSec router. If the remote IPSec router responds, the Device

transmits the data. If the remote IPSec router does not respond, the Device shuts down

the IKE SA.

Extended

Authentication

(XAUTH)

When multiple IPSec routers use the same VPN tunnel to connect to a single VPN tunnel

(telecommuters sharing a tunnel for example), use extended authentication to enforce

a user name and password check. This way even though they all know the VPN tunnel’s

security settings, each still has to provide a unique user name and password.

Select the checkbox if one of the routers (the Device or the remote IPSec router)

verifies a user name and password from the other router using the local user database

and/or an external server.

Note: If you want to use Radius for

Extended Authentication (

XAUTH

)

, you need to

configure the settings in the

VPN

IPSecVPN

Radius

screen beforehand. See

Section 20.6 on page 287

Note: If you want to use

Local DB

for

Extended Authentication (XAUTH)

, make sure

the user account exists in the

Maintenance

User Account

screen.

Server Mode

Select this if the Device authenticates the user name and password from the remote

IPSec router. You also have to select the authentication method, which specifies how

the Device authenticates this information.

Client Mode

Select this radio button if the Device provides a username and password to the remote

IPSec router for authentication. You also have to provide the

User Name

and the

Password

Phase 2

Encryption

can have up to 3 different algorithms and

Authentication

can

have up to 2 different algorithms. To add new algorithms, click the

Add

button next to

Encryption

Authentication

SA Life Time

Type the maximum number of seconds the IPSec SA can last. Shorter life times provide

better security. The Device automatically negotiates a new IPSec SA before the current

one expires, if there are users who are accessing remote resources.

Tunnel Mode

Select the security protocols used for an SA. Choices are:

(RFC 2402) - provides integrity, authentication, sequence integrity (replay

resistance), and non-repudiation but not encryption. If you select

, you must select

Authentication

algorithm.

ESP

(RFC 2406) - provides encryption and the same services offered by AH, but its

authentication is weaker. If you select

ESP

, you must select an

Encryption

algorithm

and Authentication algorithm.

Both

and

ESP

increase processing requirements and latency (delay).

The Device and remote IPSec router must use the same active protocol.

Table 90

VPN > IPSec VPN > Setup > Edit (continued)

LABEL

DESCRIPTION