Home » ZyXEL Manuals » Networking » ZyXEL NBG-460N » Manual Viewer

ZyXEL NBG-460N User Guide - Page 199

Secure Gateway, Address, Secure Gateway Address, Domain Name, E-mail, Aggressive

Get ZyXEL NBG-460N PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 199 highlights

Chapter 15 IPSec VPN Table 66 Security > VPN > General > Rule Setup: IKE (Advanced) (continued) LABEL DESCRIPTION Peer Content The configuration of the peer content depends on the peer ID type. For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the NBG-460N will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description). For Domain Name or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. It is recommended that you type an IP address other than 0.0.0.0 or use the Domain Name or E-mail ID type in the following situations: IKE Phase 1 Negotiation Mode Encryption Algorithm • When there is a NAT router between the two IPSec routers. • When you want the NBG-460N to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses. Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm Authentication Algorithm SA Life Time (Seconds) The NBG-460N and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput. Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 180 to 3,000,000 seconds (almost 35 days). Key Group A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are: DH1 - use a 768-bit random number DH2 - use a 1024-bit random number NBG-460N User's Guide 199

Section	Page
NBG-460N	1
About This User's Guide	3
Document Conventions	5
Safety Warnings	7
Contents Overview	9
Table of Contents	11
Introduction	21
Getting to Know Your NBG-460N	23
1.1 Overview	23
1.2 Applications	23
1.3 Wireless Applications	24
1.3.1 Router Mode	24
1.3.2 AP Mode	25
1.3.3 Router vs. AP	26
1.4 Ways to Manage the NBG-460N	26
1.5 Good Habits for Managing the NBG-460N	27
1.6 LEDs	27
The WPS Button	29
2.1 Overview	29
Introducing the Web Configurator	31
3.1 Web Configurator Overview	31
3.2 Accessing the Web Configurator	31
3.3 Resetting the NBG-460N	33
3.3.1 Procedure to Use the Reset Button	33
3.4 Navigating the Web Configurator	33
3.5 The Status Screen in Router Mode	34
3.5.1 Navigation Panel	37
3.5.2 Summary: Any IP Table	39
3.5.3 Summary: Bandwidth Management Monitor	39
3.5.4 Summary: DHCP Table	40
3.5.5 Summary: Packet Statistics	41
3.5.6 Summary: VPN Monitor	42
3.5.7 Summary: Wireless Station Status	43
Connection Wizard	45
4.1 Wizard Setup	45
4.2 Connection Wizard: STEP 1: System Information	46
4.2.1 System Name	46
4.2.2 Domain Name	47
4.3 Connection Wizard: STEP 2: Wireless LAN	48
4.3.1 Basic (WEP) Security	49
4.3.2 Extend (WPA-PSK or WPA2-PSK) Security	50
4.4 Connection Wizard: STEP 3: Internet Configuration	51
4.4.1 Ethernet Connection	52
4.4.2 PPPoE Connection	52
4.4.3 PPTP Connection	53
4.4.4 Your IP Address	55
4.4.5 WAN IP Address Assignment	55
4.4.6 IP Address and Subnet Mask	56
4.4.7 DNS Server Address Assignment	57
4.4.8 WAN IP and DNS Server Address Assignment	57
4.4.9 WAN MAC Address	58
4.5 Connection Wizard: STEP 4: Bandwidth management	59
4.6 Connection Wizard Complete	60
Tutorials	63
5.1 Overview	63
5.2 How to Connect to the Internet from an AP	63
5.2.1 Configure Wireless Security Using WPS on both your NBG-460N and Wireless Client	63
5.2.2 Enable and Configure Wireless Security without WPS on your NBG-460N	67
5.2.3 Configure Your Notebook	68
5.3 Site-To-Site VPN Tunnel Tutorial	70
5.3.1 Configuring Bob’s NBG-460N VPN Settings	71
5.3.2 Configuring Jack’s NBG-460N VPN Settings	73
5.3.3 Checking the VPN Connection	75
5.4 Bandwidth Management for your Network	76
5.4.1 Configuring Bandwidth Management by Application	76
5.4.2 Configuring Bandwidth Management by Custom Application	77
5.4.3 Configuring Bandwidth Allocation by IP or IP Range	78
AP Mode	81
6.1 Overview	81
6.2 Setting your NBG-460N to AP Mode	81
6.3 The Status Screen	82
6.3.1 Navigation Panel	84
6.4 Configuring Your Settings	86
6.4.1 LAN Settings	86
6.4.2 WLAN and Maintenance Settings	87
6.5 Logging in to the Web Configurator in AP Mode	88
Network	89
Wireless LAN	91
7.1 Overview	91
7.2 What You Can Do	92
7.3 What You Should Know	92
7.3.1 Wireless Security Overview	92
7.4 General Wireless LAN Screen	95
7.4.1 No Security	96
7.4.2 WEP Encryption	97
7.4.3 WPA-PSK/WPA2-PSK	100
7.4.4 WPA/WPA2	101
7.5 MAC Filter Screen	103
7.6 Wireless LAN Advanced Screen	105
7.7 Quality of Service (QoS) Screen	105
7.7.1 Application Priority Configuration	107
7.8 WPS Screen	109
7.9 WPS Station Screen	110
7.10 Scheduling Screen	110
7.11 Technical Reference	112
7.11.1 Roaming	112
7.11.2 Quality of Service	114
7.12 WiFi Protected Setup	115
7.12.1 iPod Touch Web Configurator	115
7.12.2 Login Screen	116
7.12.3 System Status	116
7.12.4 WPS in Progress	119
7.12.5 Port Forwarding	119
7.13 Accessing the iPod Touch Web Configurator	121
7.13.1 Accessing the iPod Touch Web Configurator	121
WAN	123
8.1 Overview	123
8.2 What You Can Do	123
8.3 What You Need To Know	124
8.3.1 Configuring Your Internet Connection	124
8.3.2 Multicast	125
8.3.3 IPTV STB Port	126
8.3.4 NetBIOS over TCP/IP	128
8.3.5 Auto-Bridge	128
8.4 Internet Connection	129
8.4.1 Ethernet Encapsulation	129
8.4.2 PPPoE Encapsulation	131
8.4.3 PPTP Encapsulation	134
8.5 Advanced WAN Screen	136
8.6 Technical Reference	138
8.6.1 IGMP	138
LAN	139
9.1 Overview	139
9.2 What You Can Do	139
9.3 What You Need To Know	140
9.3.1 IP Pool Setup	140
9.3.2 LAN TCP/IP	140
9.4 LAN IP Screen	140
9.5 LAN IP Alias	141
9.6 Advanced LAN Screen	142
9.7 Technical Reference	143
9.7.1 LANs, WANs and the ZyXEL Device	143
9.7.2 Any IP	144
DHCP	147
10.1 Overview	147
10.2 What You Can Do	147
10.3 What You Need To Know	147
10.4 DHCP General Screen	148
10.5 DHCP Advanced Screen	148
10.6 Client List Screen	150
Network Address Translation (NAT)	153
11.1 Overview	153
11.2 What You Can Do	154
11.3 General NAT Screen	154
11.4 NAT Application Screen	155
11.4.1 Game List Example	158
11.4.2 Configuring Servers Behind Port Forwarding Example	158
11.5 NAT Advanced Screen	159
11.5.1 Trigger Port Forwarding Example	161
11.5.2 Two Points To Remember About Trigger Ports	162
Dynamic DNS	163
12.1 Overview	163
12.2 What You Can Do	163
12.3 What You Need To Know	163
12.3.1 DynDNS Wildcard	163
12.4 Dynamic DNS Screen	164
Security	167
Firewall	169
13.1 Overview	169
13.2 What You Can Do	169
13.3 What You Need To Know	170
13.3.1 About the NBG-460N Firewall	170
13.3.2 Triangle Routes	170
13.3.3 Triangle Routes and IP Alias	171
13.4 General Firewall Screen	172
13.5 Services Screen	172
13.5.1 The Add Firewall Rule Screen	175
Content Filtering	179
14.1 Overview	179
14.2 What You Can Do	179
14.3 What You Need To Know	179
14.3.1 Content Filtering Profiles	179
14.4 Filter Screen	181
14.5 Schedule Screen	183
14.6 Technical Reference	183
14.6.1 Customizing Keyword Blocking URL Checking	184
IPSec VPN	185
15.1 Overview	185
15.2 What You Can Do	185
15.3 What You Need To Know	186
15.3.1 IKE SA (IKE Phase 1) Overview	186
15.3.2 IPSec SA (IKE Phase 2) Overview	187
15.4 The General Screen	188
15.4.1 VPN Rule Setup (Basic)	189
15.4.2 VPN Rule Setup (Advanced)	194
15.4.3 VPN Rule Setup (Manual)	201
15.5 The SA Monitor Screen	205
15.6 Technical Reference	206
15.6.1 VPN and Remote Management	206
15.6.2 IKE SA Proposal	207
15.6.3 Diffie-Hellman (DH) Key Exchange	208
15.6.4 Authentication	208
15.6.5 Negotiation Mode	209
15.6.6 VPN, NAT, and NAT Traversal	210
15.6.7 IPSec Protocol	211
15.6.8 Encapsulation	211
15.6.9 IPSec SA Proposal and Perfect Forward Secrecy	212
15.6.10 Additional IPSec VPN Topics	212
Management	215
Static Route	217
16.1 Overview	217
16.2 What You Can Do	217
16.3 IP Static Route Screen	218
16.3.1 Static Route Setup Screen	219
Bandwidth Management	221
17.1 Overview	221
17.2 What You Can Do	221
17.3 What You Need To Know	222
17.4 General Configuration Screen	222
17.5 Advanced Configuration	224
17.5.1 Rule Configuration with the Pre-defined Service	226
17.5.2 Rule Configuration: User Defined Service Rule Configuration	227
17.6 Monitor Screen	228
17.7 Technical References	229
17.7.1 Predefined Bandwidth Management Services	229
17.7.2 Default Bandwidth Management Classes and Priorities	230
17.7.3 Bandwidth Management Priorities	231
Remote Management	233
18.1 Overview	233
18.2 What You Can Do	233
18.3 What You Need To Know	234
18.3.1 Remote Management Limitations	234
18.3.2 Remote Management and NAT	234
18.3.3 System Timeout	234
18.4 WWW Screen	235
18.5 Telnet Screen	236
18.6 FTP Screen	236
18.7 DNS Screen	237
Universal Plug-and-Play (UPnP)	239
19.1 Overview	239
19.2 What You Can Do	239
19.3 What You Need to Know	239
19.3.1 NAT Traversal	239
19.3.2 Cautions with UPnP	240
19.4 UPnP Screen	240
19.5 Technical Reference	241
19.5.1 Using UPnP in Windows XP Example	241
19.5.2 Web Configurator Easy Access	244
Maintenance and Troubleshooting	247
System	249
20.1 Overview	249
20.2 What You Can Do	249
20.3 System General Screen	249
20.4 Time Setting Screen	251
Logs	255
21.1 Overview	255
21.2 What You Can Do	255
21.3 What You Need to Know	255
21.4 View Log Screen	256
21.5 Log Settings	257
21.6 Technical Reference	260
21.6.1 Log Descriptions	260
Tools	275
22.1 Overview	275
22.2 What You Can Do	275
22.3 Firmware Upload Screen	275
22.4 Configuration Screen	278
22.4.1 Backup Configuration	278
22.4.2 Restore Configuration	278
22.4.3 Back to Factory Defaults	280
22.5 Restart Screen	280
22.6 Wake On LAN	281
22.7 Green	281
Configuration Mode	283
23.1 Overview	283
23.2 What You Can Do	283
23.3 General Screen	283
Sys Op Mode	285
24.1 Overview	285
24.2 What You Can Do	285
24.3 What You Need to Know	285
24.4 General Screen	287
Language	289
25.1 Language Screen	289
Troubleshooting	291
26.1 Power, Hardware Connections, and LEDs	291
26.2 NBG-460N Access and Login	292
26.3 Internet Access	294
26.4 Resetting the NBG-460N to Its Factory Defaults	296
26.5 Wireless Router/AP Troubleshooting	297
26.6 Advanced Features	297
Product Specifications and Wall- Mounting Instructions	299
Appendices and Index	305
Pop-up Windows, JavaScripts and Java Permissions	307
IP Addresses and Subnetting	315
Setting up Your Computer’s IP Address	325
27.0.1 Verifying Settings	342
Wireless LANs	343
27.0.2 WPA(2)-PSK Application Example	353
27.0.3 WPA(2) with RADIUS Application Example	353
Services	355
Legal Information	359

Match case Limit results 1 per page

Chapter 15 IPSec VPN

NBG-460N User’s Guide

199

Peer Content

The configuration of the peer content depends on the peer ID type.

For

, type the IP address of the computer with which you will make

the VPN connection. If you configure this field to

0.0.0.0

or leave it

blank, the NBG-460N will use the address in the

Secure Gateway

Address

field (refer to the

Secure Gateway Address

field

description).

For

Domain Name

E-mail

, type a domain name or e-mail address

by which to identify the remote IPSec router. Use up to 31 ASCII

characters including spaces, although trailing spaces are truncated.

The domain name or e-mail address is for identification purposes only

and can be any string.

It is recommended that you type an IP address other than

0.0.0.0

use the

Domain Name

E-mail

ID type in the following situations:

•

When there is a NAT router between the two IPSec routers.

•

When you want the NBG-460N to distinguish between VPN

connection requests that come in from remote IPSec routers with

dynamic WAN IP addresses.

IKE Phase 1

Negotiation Mode

Select

Main

Aggressive

from the drop-down list box. Multiple SAs

connecting through a secure gateway must have the same

negotiation mode.

Encryption

Algorithm

Select which key size and encryption algorithm to use in the IKE SA.

Choices are:

DES - a 56-bit key with the DES encryption algorithm

3DES - a 168-bit key with the DES encryption algorithm

The NBG-460N and the remote IPSec router must use the same

algorithms and keys. Longer keys require more processing power,

resulting in increased latency and decreased throughput.

Authentication

Algorithm

Select which hash algorithm to use to authenticate packet data in the

IKE SA. Choices are

SHA1

and

MD5

SHA1

is generally considered

stronger than

MD5

, but it is also slower.

SA Life Time

(Seconds)

Define the length of time before an IKE SA automatically renegotiates

in this field. It may range from 180 to 3,000,000 seconds (almost 35

days).

A short SA Life Time increases security by forcing the two VPN

gateways to update the encryption and authentication keys.

However, every time the VPN tunnel renegotiates, all users accessing

remote resources are temporarily disconnected.

Key Group

Select which Diffie-Hellman key group (DH

) you want to use for

encryption keys. Choices are:

DH1

- use a 768-bit random number

DH2

- use a 1024-bit random number

Table 66

Security > VPN > General > Rule Setup: IKE (Advanced)

(continued)

LABEL

DESCRIPTION