Home » ZyXEL Manuals » Networking » ZyXEL SBG3300-NB00 » Manual Viewer

ZyXEL SBG3300-NB00 User Guide - Page 285

Table 90, Label, Description

Get ZyXEL SBG3300-NB00 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 285 highlights

Chapter 20 IPSec VPN Table 90 VPN > IPSec VPN > Setup > Edit (continued) LABEL Encapsulation DESCRIPTION Select which type of encapsulation the IPSec SA uses. Choices are: Tunnel - this mode encrypts the IP header information and the data. Transport - this mode only encrypts the data. If you set Encapsulation to Transport, Policy (Local and Remote) is not applicable. Encryption The Device and remote IPSec router must use the same encapsulation. Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm AES128 - a 128-bit key with the AES encryption algorithm AES192 - a 192-bit key with the AES encryption algorithm AES256 - a 256-bit key with the AES encryption algorithm Authentication Perfect Forward Secrecy (PFS) The Device and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput. Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are: DH1 - enable PFS and use a 768-bit random number DH2 - enable PFS and use a 1024-bit random number DH5 - enable PFS and use a 1536-bit random number Policy PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. You cannot use a Policy (Local and Remote pair) that already exists in other enabled IPsec rules with Site-to-Site or Site-to-Site with Dynamic Peer as the Application Scenario. The following are two examples: 1. Example1: IPsec rule vpn1 has Local Policy set as 192.168.1.0 / 255.255.255.0 and Remote Policy as 10.10.1.0 / 255.255.255.0. You cannot use the same policy configuration for other IPSec rules. However, you can set Local Policy as 192.168.1.0 / 255.255.255.0 and Remote Policy as 192.168.200.0 / 255.255.255.0 for a new IPSec rule vpn2. Local/Remote IP Type 2. Example2: IPSec rule vpn1 has Local Policy set as 192.168.1.100 and Remote Policy as 10.10.1.33. You cannot use the same policy configuration for other IPSec rules. However, you can set Local Policy as 192.168.1.100 and Remote Policy as 10.10.1.34 for a new IPSec rule vpn2. Use the drop-down list box to choose Single, Range or Subnet. Select Single for a single IP address. Select Range to enter a range of IP addresses in the Local/Remote IP Address Start and Local/Remote IP Address End fields. Select Subnet to specify IP addresses on a network by their subnet mask. SBG3300-N Series User's Guide 285

Section	Page
SBG3300-N Series	1
Contents Overview	3
Table of Contents	5
User’s Guide	15
Introducing the Device	17
1.1 Overview	17
1.2 Ways to Manage the Device	17
1.3 Good Habits for Managing the Device	17
1.4 Applications for the Device	18
1.4.1 Internet Access	18
1.4.2 Device’s USB Support	19
1.5 LEDs (Lights)	19
1.6 The RESET Button	21
1.7 Wireless Access	21
1.7.1 Using the WLAN Button	21
The Web Configurator	23
2.1 Overview	23
2.1.1 Accessing the Web Configurator	23
2.2 Web Configurator Layout	25
2.2.1 Title Bar	25
2.2.2 Main Window	26
2.2.3 Navigation Panel	26
Quick Start	31
3.1 Overview	31
3.2 Quick Start Setup	31
Tutorials	35
4.1 Overview	35
4.2 Setting Up an ADSL PPPoE Connection	35
4.3 Setting Up a Secure Wireless Network	38
4.3.1 Configuring the Wireless Network Settings	38
4.3.2 Using WPS	40
4.3.3 Without WPS	43
4.4 Setting Up Multiple Wireless Groups	44
4.5 Configuring Static Route for Routing to Another Network	47
4.6 Configuring QoS Queue and Class Setup	50
4.7 Access the Device Using DDNS	53
4.7.1 Registering a DDNS Account on www.dyndns.org	53
4.7.2 Configuring DDNS on Your Device	54
4.7.3 Testing the DDNS Setting	54
4.8 Configuring the MAC Address Filter	55
4.9 Access Your Shared Files From a Computer	56
4.10 Certificate Configuration for VPN	57
4.11 Examples of Configuring IPSec VPN Rules	60
4.11.1 Example 1: Use 3DES Encryption	60
4.11.2 Example 2: Use AES128 Encryption	63
4.11.3 Example 3: Configuring a Site-to-Site with Dynamic Peer Rule	64
4.11.4 Example 4: Configuring a Remote Access Rule	64
4.12 PPTP VPN Tutorial	65
4.12.1 Configuring PPTP VPN Setup (Server)	65
4.12.2 Configuring PPTP VPN on Windows (Client)	66
4.12.3 Configuring PPTP VPN on Android Devices (Client)	81
4.12.4 Configuring PPTP VPN in iOS Devices (Client)	83
4.13 L2TP VPN Tutorial	85
4.13.1 Configuring the Default_L2TPVPN IPSec VPN Rule (Server)	86
4.13.2 Configuring the L2TP VPN Setup (Server)	87
4.13.3 Configuring L2TP VPN in Windows (Client)	88
4.13.4 Configuring L2TP VPN on Windows 7 and Vista	90
4.13.5 Configuring L2TP VPN on Windows XP	101
4.13.6 Configuring L2TP VPN on Android Devices (Client)	107
4.13.7 Configuring L2TP VPN in iOS Devices (Client)	110
Technical Reference	113
Status Screens	115
5.1 Overview	115
5.2 The Status Screen	115
Broadband	119
6.1 Overview	119
6.1.1 What You Can Do in this Chapter	119
6.1.2 What You Need to Know	120
6.1.3 Before You Begin	123
6.2 The Broadband Screen	123
6.2.1 Add/Edit Internet Connection	125
6.3 The 3G WAN Screen	133
6.4 The Add New 3G Dongle Screen	136
6.4.1 Add 3G Dongle Information	136
6.5 The Advanced Screen	137
6.6 The 802.1x Screen	138
6.6.1 Edit 802.1x Settings	139
6.7 The multi-WAN Screen	139
6.7.1 Add/Edit multi-WAN	140
6.7.2 How to Configure multi-WAN for Load Balancing and Failover	141
6.8 Technical Reference	142
Wireless	147
7.1 Overview	147
7.1.1 What You Can Do in this Chapter	147
7.1.2 What You Need to Know	148
7.2 The General Screen	148
7.2.1 No Security	151
7.2.2 Basic (WEP Encryption)	151
7.2.3 More Secure (WPA(2)-PSK)	153
7.2.4 WPA(2) Authentication	154
7.3 The More AP Screen	155
7.3.1 Edit More AP	156
7.4 MAC Authentication	158
7.5 The WPS Screen	159
7.6 The WMM Screen	160
7.7 The Others Screen	161
7.8 The Channel Status Screen	163
7.9 Technical Reference	163
7.9.1 Wireless Network Overview	163
7.9.2 Additional Wireless Terms	165
7.9.3 Wireless Security Overview	165
7.9.4 Signal Problems	167
7.9.5 BSS	168
7.9.6 MBSSID	168
7.9.7 Preamble Type	169
7.9.8 WiFi Protected Setup (WPS)	169
LAN	177
8.1 Overview	177
8.1.1 What You Can Do in this Chapter	177
8.1.2 What You Need To Know	178
8.1.3 Before You Begin	179
8.2 The LAN Setup Screen	179
8.3 The Static DHCP Screen	182
8.4 The UPnP Screen	184
8.5 Installing UPnP in Windows Example	185
8.6 Using UPnP in Windows XP Example	188
8.7 The Additional Subnet Screen	194
8.8 The 5th Ethernet Port Screen	195
8.9 Technical Reference	195
8.9.1 LANs, WANs and the Device	196
8.9.2 DHCP Setup	196
8.9.3 DNS Server Addresses	196
8.9.4 LAN TCP/IP	197
Routing	199
9.1 Overview	199
9.1.1 What You Can Do in this Chapter	199
9.2 The Routing Screen	200
9.2.1 Add/Edit Static Route	201
9.3 The Policy Forwarding Screen	201
9.3.1 Add/Edit Policy Forwarding	203
9.4 The RIP Screen	203
Quality of Service (QoS)	205
10.1 Overview	205
10.1.1 What You Can Do in this Chapter	205
10.2 What You Need to Know	206
10.3 The Quality of Service General Screen	207
10.4 The Queue Setup Screen	208
10.4.1 Adding a QoS Queue	210
10.5 The Class Setup Screen	210
10.5.1 Add/Edit QoS Class	212
10.6 The QoS Policer Setup Screen	215
10.6.1 Add/Edit a QoS Policer	216
10.7 The QoS Monitor Screen	217
10.8 Technical Reference	218
Network Address Translation (NAT)	223
11.1 Overview	223
11.1.1 What You Can Do in this Chapter	223
11.1.2 What You Need To Know	223
11.2 The Port Forwarding Screen	224
11.2.1 Add/Edit Port Forwarding	226
11.3 The Applications Screen	227
11.3.1 Add New Application	228
11.4 The Port Triggering Screen	228
11.4.1 Add/Edit Port Triggering Rule	230
11.5 The DMZ Screen	231
11.6 The ALG Screen	232
11.7 The Address Mapping Screen	232
11.7.1 Add/Edit Address Mapping Rule	233
11.8 Technical Reference	234
11.8.1 NAT Definitions	234
11.8.2 What NAT Does	235
11.8.3 How NAT Works	236
11.8.4 NAT Application	237
Dynamic DNS Setup	239
12.1 Overview	239
12.1.1 What You Can Do in this Chapter	239
12.1.2 What You Need To Know	240
12.2 The DNS Entry Screen	240
12.2.1 Add/Edit DNS Entry	241
12.3 The Dynamic DNS Screen	241
Interface Group	243
13.1 Overview	243
13.2 The Interface Group Screen	243
13.2.1 Interface Group Configuration	244
13.2.2 Interface Grouping Criteria	245
USB Service	247
14.1 Overview	247
14.1.1 What You Can Do in this Chapter	247
14.1.2 What You Need To Know	247
14.2 The File Sharing Screen	248
14.2.1 Before You Begin	248
Firewall	251
15.1 Overview	251
15.1.1 What You Can Do in this Chapter	251
15.1.2 What You Need to Know	252
15.2 The Firewall Screen	253
15.3 The Service Screen	253
15.3.1 Add/Edit a Service	255
15.4 The Access Control Screen	256
15.4.1 Add/Edit an ACL Rule	257
15.5 The DoS Screen	258
MAC Filter	261
16.1 Overview	261
16.2 The MAC Filter Screen	261
User Access Control	263
17.1 Overview	263
17.2 The User Access Control Screen	263
17.2.1 Add/Edit a User Access Control Rule	264
Scheduler Rules	267
18.1 Overview	267
18.2 The Scheduler Rules Screen	267
18.2.1 Add/Edit a Schedule	268
Certificates	269
19.1 Overview	269
19.1.1 What You Can Do in this Chapter	269
19.2 What You Need to Know	269
19.3 The Local Certificates Screen	270
19.3.1 Create Certificate Request	271
19.3.2 Load Signed Certificate	272
19.4 The Trusted CA Screen	273
19.4.1 View Trusted CA Certificate	274
19.4.2 Import Trusted CA Certificate	275
IPSec VPN	277
20.1 Overview	277
20.2 What You Can Do in this Chapter	277
20.3 What You Need To Know	278
20.4 The Setup Screen	278
20.4.1 Add/Edit VPN Rule	279
20.4.2 The VPN Connection Add/Edit Screen	280
20.4.3 The Default_L2TPVPN IPSec VPN Rule	286
20.5 The IPSec VPN Monitor Screen	287
20.6 The Radius Screen	287
20.7 Technical Reference	288
20.7.1 IPSec Architecture	289
20.7.2 Encapsulation	290
20.7.3 IKE Phases	291
20.7.4 Negotiation Mode	291
20.7.5 IPSec and NAT	292
20.7.6 VPN, NAT, and NAT Traversal	292
20.7.7 ID Type and Content	293
20.7.8 Pre-Shared Key	294
20.7.9 Diffie-Hellman (DH) Key Groups	295
PPTP VPN	296
21.1 Overview	296
21.2 What You Can Do in this Chapter	296
21.3 PPTP VPN Setup	297
21.4 The PPTP VPN Monitor Screen	298
21.5 PPTP VPN Troubleshooting Tips	298
L2TP VPN	301
22.1 Overview	301
22.1.1 What You Can Do in this Chapter	301
22.2 L2TP VPN Screen	302
22.3 The L2TP VPN Monitor Screen	303
22.4 L2TP VPN Troubleshooting Tips	303
Log	307
23.1 Overview	307
23.1.1 What You Can Do in this Chapter	307
23.1.2 What You Need To Know	307
23.2 The System Log Screen	308
23.3 The Security Log Screen	309
Network Status	311
24.1 Overview	311
24.1.1 What You Can Do in this Chapter	311
24.2 The WAN Status Screen	311
24.3 The LAN Status Screen	312
ARP Table	315
25.1 Overview	315
25.1.1 How ARP Works	315
25.2 ARP Table Screen	315
Routing Table	317
26.1 Overview	317
26.2 The Routing Table Screen	317
IGMP Status	319
27.1 Overview	319
27.2 The IGMP Group Status Screen	319
xDSL Statistics	321
28.1 The xDSL Statistics Screen	321
User Account	325
29.1 Overview	325
29.2 The User Account Screen	325
29.2.1 Add/Edit a Users Account	326
Remote Management	329
30.1 Overview	329
30.2 The Remote MGMT Screen	329
TR-069 Client	331
31.1 Overview	331
31.2 The TR-069 Client Screen	331
SNMP	333
32.1 The SNMP Agent Screen	333
Time	335
33.1 Overview	335
33.2 The Time Screen	335
E-mail Notification	339
34.1 Overview	339
34.2 The Email Notification Screen	339
34.2.1 Email Notification Edit	340
Logs Setting	341
35.1 Overview	341
35.2 The Log Setting Screen	341
35.2.1 Example E-mail Log	342
Firmware Upgrade	345
36.1 Overview	345
36.2 The Firmware Screen	345
Configuration	347
37.1 Overview	347
37.2 The Configuration Screen	347
37.3 The Reboot Screen	349
Diagnostic	350
38.1 Overview	350
38.1.1 What You Can Do in this Chapter	350
38.2 What You Need to Know	350
38.3 Ping & TraceRoute & NsLookup	351
38.4 802.1ag	352
38.5 OAM Ping Test	353
Troubleshooting	355
39.1 Power, Hardware Connections, and LEDs	355
39.2 Device Access and Login	356
39.3 Internet Access	358
39.4 Wireless Internet Access	359
39.5 USB Device Connection	360
39.6 UPnP	360
Setting up Your Computer’s IP Address	363
IP Addresses and Subnetting	385
Pop-up Windows, JavaScript and Java Permissions	393
Wireless LANs	403
IPv6	417
Services	425
Legal Information	429

Match case Limit results 1 per page

Chapter 20 IPSec VPN

SBG3300-N Series User’s Guide

285

Encapsulation

Select which type of encapsulation the IPSec SA uses. Choices are:

Tunnel

- this mode encrypts the IP header information and the data.

Transport

- this mode only encrypts the data. If you set

Encapsulation

Transport

, Policy (Local and Remote) is not applicable.

The Device and remote IPSec router must use the same encapsulation.

Encryption

Select which key size and encryption algorithm to use in the IKE SA.

Choices are:

DES

- a 56-bit key with the DES encryption algorithm

3DES

- a 168-bit key with the DES encryption algorithm

AES128

- a 128-bit key with the AES encryption algorithm

AES192

- a 192-bit key with the AES encryption algorithm

AES256

- a 256-bit key with the AES encryption algorithm

The Device and the remote IPSec router must use the same algorithms and keys.

Longer keys require more processing power, resulting in increased latency and

decreased throughput.

Authentication

Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices

are

SHA1

and

MD5

SHA1

is generally considered stronger than

MD5

, but it is also

slower.

Perfect Forward

Secrecy (PFS)

Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do,

which Diffie-Hellman key group to use for encryption. Choices are:

DH1

- enable PFS and use a 768-bit random number

DH2

- enable PFS and use a 1024-bit random number

DH5

- enable PFS and use a 1536-bit random number

PFS changes the root key that is used to generate encryption keys for each IPSec SA.

The longer the key, the more secure the encryption, but also the longer it takes to

encrypt and decrypt information. Both routers must use the same DH key group.

Policy

You cannot use a Policy (Local and Remote pair) that already exists in other enabled

IPsec rules with

Site-to-Site

Site-to-Site with Dynamic Peer

as the

Application

Scenario

. The following are two examples:

Example1: IPsec rule

vpn1

has

Local Policy

set as 192.168.1.0 / 255.255.255.0

and

Remote Policy

as 10.10.1.0 / 255.255.255.0. You cannot use the same policy

configuration for other IPSec rules. However, you can set

Local Policy

192.168.1.0 / 255.255.255.0 and

Remote Policy

192.168.200.0 /

255.255.255.0 for a new IPSec rule

vpn2

Example2: IPSec rule

vpn1

has

Local Policy

set as 192.168.1.100 and

Remote

Policy

as 10.10.1.33. You cannot use the same policy configuration for other IPSec

rules. However, you can set

Local Policy

as 192.168.1.100 and

Remote Policy

10.10.1.34 for a new IPSec rule

vpn2

Local/Remote IP

Type

Use the drop-down list box to choose

Single

Range

Subnet

. Select

Single

for a

single IP address. Select

Range

to enter a range of IP addresses in the

Local/Remote

IP Address Start

and

Local/Remote IP Address End

fields. Select

Subnet

specify IP addresses on a network by their subnet mask.

Table 90

VPN > IPSec VPN > Setup > Edit (continued)

LABEL

DESCRIPTION