Home » ZyXEL Manuals » Bridges & Routers » ZyXEL NBG5715 » Manual Viewer

ZyXEL NBG5715 User Guide - Page 139

IPSec and NAT, 18.7.6 VPN, NAT, and NAT Traversal, Aggressive Mode, Main Mode, Transport

Add to My Manuals
Save this manual to your list of manuals

Page 139 highlights

Chapter 18 IPSec VPN • Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However the trade-off is that faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not know by the responder and both parties want to use pre-shared key authentication. 18.7.5 IPSec and NAT Read this section if you are running IPSec on a host computer behind the NBG5715. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted. A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered. IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet. Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT. Table 58 VPN and NAT SECURITY PROTOCOL AH AH ESP ESP MODE Transport Tunnel Transport Tunnel NAT N N N Y 18.7.6 VPN, NAT, and NAT Traversal NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address. As a result, the VPN device at the receiving end finds a mismatch between the hash value and the data and assumes that the data has been maliciously altered. NAT is not normally compatible with ESP in transport mode either, but the NBG5715's NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers. NBG5715 User's Guide 139

Section	Page
NBG5715	1
Contents Overview	3
Table of Contents	5
User’s Guide	13
Introduction	15
1.1 Overview	15
1.2 Applications	16
1.3 Ways to Manage the NBG5715	16
1.4 Good Habits for Managing the NBG5715	16
1.5 LEDs	17
1.6 Wall Mounting	19
The WPS Button	21
2.1 Overview	21
ZyXEL NetUSB Share Center Utility	23
3.1 Overview	23
3.1.1 Quick Setup	23
3.1.2 Installing ZyXEL NetUSB Share Center Utility	23
3.2 The ZyXEL NetUSB Share Center Utility	24
3.2.1 The Menus	25
3.2.2 The Share Center Configuration Window	26
3.2.3 The Auto-Connect Printer List Window	26
3.3 Manually Connecting to USB Devices	27
3.4 Automatically Connecting to a USB Printer	28
Introducing the Web Configurator	29
4.1 Overview	29
4.2 Accessing the Web Configurator	29
4.2.1 Login Screen	29
4.2.2 Weather Edit	30
4.2.3 Time/Date Edit	31
4.3 Resetting the NBG5715	31
4.3.1 How to Use the RESET Button	31
Monitor and Summary	33
5.1 Overview	33
5.2 What You Can Do in this Chapter	33
5.3 The Log Screen	33
5.3.1 View Log	34
5.4 DHCP Table	34
5.5 Packet Statistics	35
5.6 VPN Monitor	36
5.7 WLAN_2.4G/5G Station Status	37
NBG5715 Modes	39
6.1 Overview	39
6.1.1 Web Configurator Modes	39
Easy Mode	41
7.1 Overview	41
7.2 What You Can Do in this Chapter	42
7.3 Navigation Panel	42
7.4 Network Map	43
7.5 Control Panel	44
7.5.1 Game Engine	44
7.5.2 Power Saving	45
7.5.3 Content Filter	46
7.5.4 Bandwidth MGMT	47
7.5.5 Firewall	47
7.5.6 Wireless Security	47
7.5.7 WPS	48
7.6 Status Screen in Easy Mode	49
Router Mode	51
8.1 Overview	51
8.2 Router Mode Status Screen	51
8.2.1 Navigation Panel	54
Tutorials	57
9.1 Overview	57
9.2 Set Up a Wireless Network with WPS	57
9.2.1 Push Button Configuration (PBC)	57
9.2.2 PIN Configuration	59
9.3 Configure Wireless Security without WPS	60
9.3.1 Configure Your Notebook	61
Technical Reference	65
WAN	67
10.1 Overview	67
10.2 What You Can Do in this Chapter	67
10.3 What You Need To Know	67
10.3.1 Configuring Your Internet Connection	67
10.3.2 Multicast	69
10.4 The Broadband Screen	69
10.4.1 Ethernet Encapsulation	69
10.4.2 PPPoE Encapsulation	71
10.5 The Advanced Screen	72
Wireless LAN	75
11.1 Overview	75
11.1.1 What You Can Do in this Chapter	76
11.1.2 What You Should Know	76
11.2 The General Wireless LAN Screen	79
11.3 Wireless Security Modes	81
11.3.1 No Security	81
11.3.2 WEP Encryption	81
11.3.3 WPA-PSK/WPA2-PSK	83
11.3.4 WPA/WPA2	83
11.4 The MAC Filter Screen	85
11.5 The Wireless LAN Advanced Screen	86
11.6 The QoS Screen	87
11.7 The WPS Screen	87
11.8 The WPS Station Screen	89
11.9 The Scheduling Screen	89
LAN	91
12.1 Overview	91
12.2 What You Can Do in this Chapter	91
12.3 What You Need To Know	91
12.3.1 IP Pool Setup	92
12.3.2 LAN TCP/IP	92
12.4 The LAN IP Screen	92
12.5 The IP Alias Screen	93
DHCP Server	95
13.1 Overview	95
13.1.1 What You Can Do in this Chapter	95
13.1.2 What You Need To Know	95
13.2 The DHCP Server General Screen	95
13.3 The DHCP Server Advanced Screen	96
13.4 The Client List Screen	97
NAT	99
14.1 Overview	99
14.1.1 What You Can Do in this Chapter	99
14.1.2 What You Need To Know	100
14.2 The NAT General Screen	101
14.3 The Port Forwarding Screen	102
14.3.1 Port Forwarding Edit Screen	104
14.4 The NAT Advance Screen	105
14.5 Technical Reference	106
14.5.1 NATPort Forwarding: Services and Port Numbers	106
14.5.2 NAT Port Forwarding Example	106
14.5.3 Trigger Port Forwarding	107
14.5.4 Trigger Port Forwarding Example	107
14.5.5 Two Points To Remember About Trigger Ports	108
Dynamic DNS	109
15.1 Overview	109
15.1.1 What You Need To Know	109
15.2 The Dynamic DNS Screen	109
Static Route	111
16.1 Overview	111
16.2 The Static Route Screen	111
16.2.1 Add/Edit Static Route	112
Firewall	115
17.1 Overview	115
17.1.1 What You Can Do in this Chapter	115
17.1.2 What You Need To Know	115
17.2 The Firewall General Screen	117
17.3 The Firewall Services Screen	117
IPSec VPN	121
18.1 Overview	121
18.2 What You Can Do in this Chapter	121
18.3 What You Need To Know	122
18.3.1 IKE SA (IKE Phase 1) Overview	122
18.3.2 IPSec SA (IKE Phase 2) Overview	123
18.4 The General Screen	123
18.5 Edit VPN Rule	124
18.5.1 IKEKey Setup	125
18.5.2 Manual Key Setup	130
18.5.3 Configuring Manual Key	131
18.6 The SA Monitor Screen	135
18.7 Technical Reference	135
18.7.1 IPSec Architecture	136
18.7.2 Encapsulation	136
18.7.3 IKE Phases	137
18.7.4 Negotiation Mode	138
18.7.5 IPSec and NAT	139
18.7.6 VPN, NAT, and NAT Traversal	139
18.7.7 ID Type and Content	140
18.7.8 Pre-Shared Key	141
18.7.9 Diffie-Hellman (DH) Key Groups	141
Bandwidth Management	143
19.1 Overview	143
19.2 What You Can Do this Chapter	143
19.3 What You Need To Know	143
19.4 General Screen	144
19.5 Advance Screen	144
19.5.1 Rule Configuration: User Defined Service Rule Configuration	146
Remote Management	149
20.1 Overview	149
20.2 What You Can Do in this Chapter	149
20.3 What You Need to Know	149
20.3.1 Remote Management and NAT	149
20.3.2 System Timeout	150
20.4 WWW Screen	150
20.5 Telnet Screen	150
Universal Plug-and-Play (UPnP)	153
21.1 Overview	153
21.2 What You Need to Know	153
21.2.1 NAT Traversal	153
21.2.2 Cautions with UPnP	153
21.3 UPnP Screen	154
21.4 Technical Reference	154
21.4.1 Using UPnP in Windows XP Example	154
21.4.2 Web Configurator Easy Access	156
Maintenance	159
22.1 Overview	159
22.2 What You Can Do in this Chapter	159
22.3 General Screen	159
22.4 Password Screen	160
22.5 Time Setting Screen	161
22.6 Firmware Upgrade Screen	162
22.7 Backup/Restore Screen	163
22.8 The Language Screen	165
Troubleshooting	167
23.1 Overview	167
23.2 Power, Hardware Connections, and LEDs	167
23.3 NBG5715 Access and Login	168
23.4 Internet Access	170
23.5 Resetting the NBG5715 to Its Factory Defaults	171
23.6 Wireless Router Troubleshooting	171
23.7 USB Device Problems	172
23.8 ZyXEL NetUSB Share Center Utility Problems	173
Pop-up Windows, JavaScript and Java Permissions	175
IP Addresses and Subnetting	185
Setting Up Your Computer’s IP Address	195
Wireless LANs	223
Common Services	237
Legal Information	241

Match case Limit results 1 per page

Chapter 18 IPSec VPN

NBG5715 User’s Guide

139

•

Aggressive Mode

is quicker than

Main Mode

because it eliminates several steps when the

communicating parties are negotiating authentication (phase 1). However the trade-off is that

faster speed limits its negotiating power and it also does not provide identity protection. It is

useful in remote access situations where the address of the initiator is not know by the responder

and both parties want to use pre-shared key authentication.

18.7.5

IPSec and NAT

Read this section if you are running IPSec on a host computer behind the NBG5715.

NAT is incompatible with the

protocol in both

Transport

and

Tunnel

mode. An IPSec VPN using

the

protocol digitally signs the outbound packet, both data payload and headers, with a hash

value appended to the packet. When using

protocol, packet contents (the data payload) are not

encrypted.

A NAT device in between the IPSec endpoints will rewrite either the source or destination address

with one of its own choosing. The VPN device at the receiving end will verify the integrity of the

incoming packet by computing its own hash value, and complain that the hash value appended to

the received packet doesn't match. The VPN device at the receiving end doesn't know about the

NAT in the middle, so it assumes that the data has been maliciously altered.

IPSec using

ESP

Tunnel

mode encapsulates the entire original packet (including headers) in a

new IP packet. The new IP packet's source address is the outbound address of the sending VPN

gateway, and its destination address is the inbound address of the VPN device at the receiving end.

When using

ESP

protocol with authentication, the packet contents (in this case, the entire original

packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash

value appended to the packet.

Tunnel

mode

ESP

with authentication is compatible with NAT because integrity checks are

performed over the combination of the "original header plus original payload," which is unchanged

by a NAT device.

Transport

mode

ESP

with authentication is not compatible with NAT.

18.7.6

VPN, NAT, and NAT Traversal

NAT is incompatible with the AH protocol in both transport

and tunnel

mode. An IPSec VPN using

the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash

value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or

destination address. As a result, the VPN device at the receiving end finds a mismatch between the

hash value and the data and assumes that the data has been maliciously altered.

NAT is not normally compatible with ESP in transport mode either, but the NBG5715’s

NAT

Traversal

feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when

there are NAT routers between the two IPSec routers.

Table 58

VPN and NAT

SECURITY PROTOCOL

MODE

NAT

Transport

Tunnel

ESP

Transport

ESP

Tunnel