Home » ZyXEL Manuals » Networking » ZyXEL P-202H » Manual Viewer

ZyXEL P-202H User Guide - Page 131

P-202H Plus v2 User's Guide, VPN Screens, Advanced Rule Setup continued

Get ZyXEL P-202H PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 131 highlights

P-202H Plus v2 User's Guide Table 38 Advanced Rule Setup (continued) LABEL DESCRIPTION End Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field (or equal to it for configuring an individual port). Phase 1 A phase 1 exchange establishes an IKE SA (Security Association). Negotiation Mode Select Main or Aggressive from the drop-down list box. The ZyXEL Device's negotiation mode should be identical to that on the remote secure gateway. Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "preshared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a "PYLD_MALFORMED" (payload malformed) packet if the same preshared key is not used on both ends. Encryption Algorithm Select DES or 3DES from the drop-down list box. The ZyXEL Device's encryption algorithm should be identical to the secure remote gateway. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. Authentication Algorithm Select SHA1 or MD5 from the drop-down list box. The ZyXEL Device's authentication algorithm should be identical to the secure remote gateway. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate the source and integrity of packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select SHA-1 for maximum security. SA Life Time Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. Key Group You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number. Phase 2 A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA for IPSec. Active Protocol Select ESP or AH from the drop-down list box. The ZyXEL Device's IPSec Protocol should be identical to the secure remote gateway. The ESP (Encapsulation Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below). The AH protocol (Authentication Header Protocol) (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field. Chapter 11 VPN Screens 130

Section	Page
P-202H Plus v2	1
Copyright	3
Certifications	4
Safety Warnings	5
ZyXEL Limited Warranty	6
Customer Support	7
Table of Contents	9
List of Figures	21
List of Tables	27
Preface	31
1. Getting To Know Your ZyXEL Device	33
1.1 Introducing the ZyXEL Device	33
1.2 Features	33
1.3 Applications for the ZyXEL Device	37
1.3.1 Internet Access	37
1.3.2 LAN-to-LAN Connection	37
1.3.3 Remote Access Server	38
1.3.4 Secure Broadband Internet Access and VPN	38
1.4 Front Panel LEDs	39
1.5 Hardware Connection	40
2. Introducing the Web Configurator	41
2.1 Web Configurator Overview	41
2.2 Accessing the Web Configurator	41
2.3 Resetting the ZyXEL Device	42
2.3.1 Using the Reset Button	42
2.4 Navigating the Web Configurator	43
2.4.1 Changing Login Password	44
3. Wizard Setup	47
3.1 Introduction	47
3.1.1 MSN (Multiple Subscriber Number) and Subaddress	47
3.1.2 PABX Outside Line Prefix	47
3.2 Wizard Setup	47
3.2.1 Test Your Internet Connection	54
4. LAN Setup	55
4.1 LAN Overview	55
4.1.1 LANs, WANs and the ZyXEL Device	55
4.1.2 DHCP Setup	55
4.1.2.1 IP Pool Setup	56
4.1.3 DNS Server Address Assignment	56
4.2 LAN TCP/IP	56
4.2.1 IP Address and Subnet Mask	56
4.2.1.1 Private IP Addresses	57
4.3 Configuring LAN Setup	57
5. WAN Setup	61
5.1 WAN Overview	61
5.1.1 PPP Multilink	61
5.1.2 Bandwidth on Demand	61
5.1.3 IP Address Assignment	61
5.2 Internet Access Setup	61
6. Network Address Translation (NAT) Screens	65
6.1 NAT Overview	65
6.1.1 NAT Definitions	65
6.1.2 What NAT Does	66
6.1.3 How NAT Works	66
6.1.4 NAT Application	67
6.1.5 NAT Mapping Types	67
6.2 SUA (Single User Account) Versus NAT	68
6.3 Selecting the NAT Mode	68
6.4 SUA Server	69
6.4.1 Default Server IP Address	70
6.4.2 Port Forwarding: Services and Port Numbers	70
6.4.3 Configuring Servers Behind NAT (Example)	70
6.5 Configuring SUA Server	71
6.6 Configuring Address Mapping	72
6.6.1 Address Mapping Rule Edit	73
7. Dynamic DNS	75
7.1 Dynamic DNS Overview	75
7.1.1 DYNDNS Wildcard	75
7.2 Configuring Dynamic DNS	75
8. Firewalls	77
8.1 Firewall Overview	77
8.2 Types of Firewalls	77
8.2.1 Packet Filtering Firewalls	77
8.2.2 Application-level Firewalls	77
8.2.3 Stateful Inspection Firewalls	78
8.3 Introduction to ZyXEL’s Firewall	78
8.3.1 Denial of Service Attacks	79
8.4 Denial of Service	79
8.4.1 Basics	79
8.4.2 Types of DoS Attacks	80
8.4.2.1 ICMP Vulnerability	82
8.4.2.2 Illegal Commands (NetBIOS and SMTP)	82
8.4.2.3 Traceroute	83
8.5 Stateful Inspection	83
8.5.1 Stateful Inspection Process	84
8.5.2 Stateful Inspection and the ZyXEL Device	84
8.5.3 TCP Security	85
8.5.4 UDP/ICMP Security	85
8.5.5 Upper Layer Protocols	86
8.6 Guidelines for Enhancing Security with Your Firewall	86
8.6.1 Security In General	86
8.7 Packet Filtering Vs Firewall	87
8.7.1 Packet Filtering:	87
8.7.1.1 When To Use Filtering	88
8.7.2 Firewall	88
8.7.2.1 When To Use The Firewall	88
9. Firewall Configuration	89
9.1 Enabling the Firewall	89
9.2 E-Mail	89
9.3 Attack Alert	91
9.3.1 Alerts	91
9.3.2 Threshold Values	91
9.3.3 Half-Open Sessions	92
9.3.3.1 TCP Maximum Incomplete and Blocking Time	92
9.3.4 Configuring Firewall Alert	92
9.4 Rules Overview	94
9.5 Rule Logic Overview	94
9.5.1 Rule Checklist	95
9.5.2 Security Ramifications	95
9.5.3 Key Fields For Configuring Rules	95
9.5.3.1 Action	95
9.5.3.2 Service	95
9.5.3.3 Source Address	96
9.5.3.4 Destination Address	96
9.6 Connection Direction	96
9.6.1 LAN to WAN Rules	96
9.6.2 WAN to LAN Rules	96
9.7 Firewall Rules Summary	96
9.7.1 Configuring Firewall Rules	98
9.7.2 Source and Destination Addresses	100
9.7.3 Customized Services	101
9.7.4 Configuring A Customized Service	102
9.8 Timeout	102
9.8.1 Factors Influencing Choices for Timeout Values	103
9.9 Logs Screen	104
9.10 Example Firewall Rule	105
9.11 Predefined Services	108
10. Introduction to IPSec	111
10.1 VPN Overview	111
10.1.1 IPSec	111
10.1.2 Security	111
10.1.3 Other Terminology	111
10.1.3.1 Encryption	111
10.1.3.2 Data Confidentiality	112
10.1.3.3 Data Integrity	112
10.1.3.4 Data Origin Authentication	112
10.1.4 VPN Applications	112
10.2 IPSec Architecture	112
10.2.1 IPSec Algorithms	113
10.2.2 Key Management	113
10.3 Encapsulation	113
10.3.1 Transport Mode	114
10.3.2 Tunnel Mode	114
10.4 IPSec and NAT	114
11. VPN Screens	117
11.1 VPN/IPSec Overview	117
11.2 IPSec Algorithms	117
11.2.1 AH (Authentication Header) Protocol	117
11.2.2 ESP (Encapsulating Security Payload) Protocol	117
11.3 My IP Address	118
11.4 Secure Gateway IP Address	118
11.4.1 Dynamic Secure Gateway Address	119
11.5 VPN Summary Screen	119
11.6 Keep Alive	121
11.7 ID Type and Content	121
11.7.1 ID Type and Content Examples	122
11.8 Pre-Shared Key	123
11.9 VPN Rules	123
11.10 IKE Phases	127
11.10.1 Negotiation Mode	128
11.10.2 Diffie-Hellman (DH) Key Groups	129
11.10.3 Perfect Forward Secrecy (PFS)	129
11.11 Advanced IKE Settings	129
11.12 Manual Key	132
11.12.1 Security Parameter Index (SPI)	132
11.13 Manual Key Screen	133
11.14 SA Monitor Screen	135
11.15 Global Setting Screen	136
11.16 Telecommuter VPN/IPSec Examples	137
11.16.1 Telecommuters Sharing One VPN Rule Example	137
11.16.2 Telecommuters Using Unique VPN Rules Example	138
11.17 Logs	139
12. NetCAPI	141
12.1 NetCAPI Overview	141
12.2 CAPI	141
12.2.1 ISDN-DCP	141
12.3 Configuring NetCAPI	142
12.3.1 Configuring the ZyXEL Device as a NetCAPI Server	143
12.3.2 RVS-COM	143
12.3.3 Example of Installing a CAPI driver and Communication Software	144
13. Supplementary Phone Services	145
13.1 Overview	145
13.2 Setting Up Supplemental Phone Service	146
13.3 The Flash Key	146
13.4 Call Waiting	146
13.4.1 How to Use Call Waiting	146
13.4.1.1 Placing the Current Call on Hold	146
13.4.1.2 Dropping the Current Call to Switch to an Incoming/Holding Call	146
13.5 Three Way Calling	147
13.5.1 How to Use Three-Way Calling	147
13.5.1.1 To drop the last call added to the three-way call:	147
13.5.1.2 To drop yourself from the conference call:	147
13.6 Call Transfer	147
13.6.1 How to Use Call Transfer	147
13.6.2 To Do a Blind Transfer:	148
13.7 Call Forwarding	148
13.8 Reminder Ring	148
13.9 Multiple Subscriber Number (MSN)	149
13.10 Using MSN	149
13.11 Terminal Portability (Suspend/Resume)	149
13.11.1 How to Suspend/Resume a Phone Call:	149
13.11.1.1 To suspend an active phone call	149
13.11.1.2 To resume your phone call	149
14. Maintenance	151
14.1 Maintenance Overview	151
14.2 System Status	151
14.2.1 System Statistics	153
14.3 DHCP Table Screen	154
14.4 Firmware Screen	155
14.5 Budget Control	158
15. Introducing the SMT	159
15.1 SMT Introduction	159
15.2 Accessing the ZyXEL Device via Console Port	159
15.2.1 Initial Screen	159
15.2.2 Entering Password	159
15.3 Procedure for SMT Configuration via Telnet	160
15.4 SMT Menu Overview	160
15.5 Navigating the SMT Interface	162
15.5.1 System Management Terminal Interface Summary	163
15.6 Changing the System Password	164
16. Menu 1 General Setup	167
16.1 General Setup	167
16.2 Procedure To Configure Menu 1	167
16.2.1 Procedure to Configure Dynamic DNS	168
17. Menu 2 ISDN Setup	171
17.1 ISDN Setup Overview	171
17.1.1 Supplementary Voice Services	171
17.1.2 ISDN Call Waiting	171
17.1.3 PABX Outside Line Prefix	171
17.1.4 Outgoing Calling Party Number	172
17.2 ISDN Setup	172
17.2.1 ISDN Advanced Setup	174
17.2.2 Configuring Advanced Setup	175
17.3 NetCAPI	176
17.3.1 Configuring NetCAPI	176
18. Menu 3 Ethernet Setup	179
18.1 Ethernet Setup	179
18.1.1 General Ethernet Setup	179
18.2 Ethernet TCP/IP and DHCP Server	180
18.3 Configuring TCP/IP Ethernet Setup and DHCP	180
18.3.1 IP Alias Setup	181
19. Internet Access Setup	185
19.1 Introduction to Internet Access Setup	185
19.2 Internet Access Setup	185
20. Remote Node Configuration	187
20.1 Introduction to Remote Node Setup	187
20.1.1 Minimum Toll Period	187
20.2 Remote Node Profile Setup	187
20.3 Outgoing Authentication Protocol	190
20.4 PPP Multilink	191
20.5 Bandwidth on Demand	191
20.6 Editing PPP Options	192
20.7 LAN-to-LAN Application	193
20.8 Configuring Network Layer Options	194
20.9 Remote Node Filter	196
21. Static Route Setup	199
21.1 Static Route	199
21.2 IP Static Route Setup	199
22. Dial-in Setup	203
22.1 Dial-in Users Overview	203
22.2 Default Dial-in User Setup	203
22.2.1 CLID Callback Support For Dial-In Users	203
22.3 Setting Up Default Dial-in	204
22.3.1 Default Dial-in Filter	206
22.4 Callback Overview	206
22.5 Dial-In User Setup	207
22.6 Telecommuting Application With Windows Example	208
22.7 LAN-to-LAN Server Application Example	210
22.7.1 Configuring Callback in LAN-to-LAN Application	210
22.7.2 Configuring With CLID in LAN-to-LAN Application	212
23. Network Address Translation (NAT)	215
23.1 Using NAT	215
23.1.1 SUA (Single User Account) Versus NAT	215
23.2 Applying NAT	215
23.3 NAT Setup	217
23.3.1 Address Mapping Sets	217
23.3.1.1 User-Defined Address Mapping Sets	219
23.3.1.2 Ordering Your Rules	220
23.4 Configuring a Server behind NAT	221
23.5 General NAT Examples	223
23.5.1 Example 1: Internet Access Only	223
23.5.2 Example 2: Internet Access with an Inside Server	224
23.5.3 Example 3: Multiple Public IP Addresses With Inside Servers	224
23.5.4 Example 4: NAT Unfriendly Application Programs	228
24. Enabling the Firewall	231
24.1 Remote Management and the Firewall	231
24.2 Access Methods	231
24.3 Enabling the Firewall	231
24.3.1 Viewing the Firewall Log	232
24.3.2 Example E-mail Log	234
25. Filter Configuration	235
25.1 Introduction to Filters	235
25.1.1 The Filter Structure of the ZyXEL Device	236
25.2 Configuring a Filter Set	237
25.2.1 Filter Rules Summary Menus	240
25.2.2 Configuring a Filter Rule	241
25.2.3 Configuring a TCP/IP Filter Rule	241
25.2.4 Configuring a Generic Filter Rule	244
25.3 Example Filter	246
25.4 Filter Types and NAT	248
25.5 Firewall Versus Filters	249
25.6 Applying a Filter	249
25.6.1 Applying LAN Filters	249
25.6.2 Applying Remote Node Filters	250
26. SNMP Configuration	251
26.1 About SNMP	251
26.2 Supported MIBs	252
26.3 SNMP Configuration	252
26.4 SNMP Traps	253
27. System Security	255
27.1 System Security	255
27.2 System Password	255
27.3 RADIUS	255
27.4 Configuring External Server	256
28. System Information and Diagnosis	259
28.1 System Status	259
28.2 System Information and Console Port Speed	261
28.2.1 System Information	261
28.2.2 Console Port Speed	262
28.3 Log and Trace	263
28.3.1 Viewing Error Log	263
28.3.2 Unix Syslog	264
28.3.2.1 CDR	265
28.3.2.2 Packet triggered	266
28.3.2.3 Filter log	266
28.3.2.4 PPP log	267
28.3.2.5 POTS log	267
28.3.3 Accounting Server	267
28.3.4 Call-Triggering Packet	268
28.4 Diagnostic	269
29. Firmware and Configuration File Maintenance	271
29.1 Filename Conventions	271
29.2 Backup Configuration	272
29.2.1 Backup Configuration	272
29.2.2 Using the FTP Command from the Command Line	273
29.2.3 Example of FTP Commands from the Command Line	273
29.2.4 GUI-based FTP Clients	274
29.2.5 Remote Management Limitations	274
29.2.6 Backup Configuration Using TFTP	274
29.2.7 TFTP Command Example	275
29.2.8 GUI-based TFTP Clients	275
29.2.9 Backup Via Console Port	276
29.3 Restore Configuration	277
29.3.1 Restore Using FTP	277
29.3.2 Restore Using FTP Session Example	278
29.3.3 Restore Via Console Port	278
29.4 Uploading Firmware and Configuration Files	279
29.4.1 Firmware File Upload	279
29.4.2 Configuration File Upload	280
29.4.3 FTP File Upload Command from the DOS Prompt Example	281
29.4.4 FTP Session Example of Firmware File Upload	281
29.4.5 TFTP File Upload	281
29.4.6 TFTP Upload Command Example	282
29.4.7 Uploading Via Console Port	282
29.4.8 Uploading Firmware File Via Console Port	282
29.4.9 Example Xmodem Firmware Upload Using HyperTerminal	283
29.4.10 Uploading Configuration File Via Console Port	283
29.4.11 Example Xmodem Configuration Upload Using HyperTerminal	284
30. System Maintenance	285
30.1 Command Interpreter Mode	285
30.1.1 Command Syntax	285
30.1.2 Command Usage	286
30.2 Call Control Support	286
30.2.1 Call Control Parameters	287
30.2.2 Black List	287
30.2.3 Budget Management	288
30.2.4 Call History	289
30.3 Time and Date Setting	290
30.3.1 Resetting the Time	291
31. Remote Management	293
31.1 Remote Management	293
31.1.1 Remote Management Limitations	294
31.2 Remote Management and NAT	294
31.3 System Timeout	295
32. Call Scheduling	297
32.1 Introduction to Call Scheduling	297
33. VPN/IPSec Setup	301
33.1 VPN/IPSec Overview	301
33.2 IPSec Summary Screen	302
33.3 IPSec Setup	304
33.4 IKE Setup	307
33.5 Manual Setup	309
33.5.1 Active Protocol	309
34. SA Monitor	313
34.1 SA Monitor Overview	313
34.2 Using SA Monitor	313
35. IPSec Log	315
35.1 IPSec Logs	315
36. Troubleshooting	319
36.1 Problems Starting Up the ZyXEL Device	319
36.2 Problems with the LAN	319
36.3 Problems with the ISDN Line	320
36.4 Problems with Remote User Dial-in	320
36.5 Problems Accessing the ZyXEL Device	321
A. Product Specifications	323
B. Wall-mounting Instructions	325
C. Log Descriptions	327
D. Setting up Your Computer’s IP Address	339
36.5.1 Verifying Settings	354
E. IP Addresses and Subnetting	355
F. Pop-up Windows, JavaScripts and Java Permissions	363
Index	371
A	371
B	371
C	371
D	371
E	372
F	372
G	372
H	372
I	372
K	373
L	373
M	373
N	373
O	373
P	373
Q	374
R	374
S	374
T	375
U	375
V	375
W	375
X	375

Match case Limit results 1 per page

P-202H Plus v2 User’s Guide

Chapter 11 VPN Screens

130

End

Enter a port number in this field to define a port range. This port number must

be greater than that specified in the previous field (or equal to it for configuring

an individual port).

Phase 1

A phase 1 exchange establishes an IKE SA (Security Association).

Negotiation Mode

Select

Main

Aggressive

from the drop-down list box. The ZyXEL Device's

negotiation mode should be identical to that on the remote secure gateway.

Pre-Shared Key

Type your pre-shared key in this field. A pre-shared key identifies a

communicating party during a phase 1 IKE negotiation. It is called "pre-

shared" because you have to share it with another party before you can

communicate with them over a secure connection.

Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62

hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key

with a "0x” (zero x), which is not counted as part of the 16 to 62 character

range for the key. For example, in "0x0123456789ABCDEF", “0x” denotes that

the key is hexadecimal and “0123456789ABCDEF” is the key itself.

Both ends of the VPN tunnel must use the same pre-shared key. You will

receive a “PYLD_MALFORMED” (payload malformed) packet if the same pre-

shared key is not used on both ends.

Encryption Algorithm

Select

DES

3DES

from the drop-down list box. The ZyXEL Device's

encryption algorithm should be identical to the secure remote gateway. When

DES is used for data communications, both sender and receiver must know

the same secret key, which can be used to encrypt and decrypt the message.

The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a

variation on DES that uses a 168-bit key. As a result, 3DES is more secure

than DES. It also requires more processing power, resulting in increased

latency and decreased throughput.

Authentication

Algorithm

Select

SHA1

MD5

from the drop-down list box. The ZyXEL Device's

authentication algorithm should be identical to the secure remote gateway.

MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash

algorithms used to authenticate the source and integrity of packet data. The

SHA1 algorithm is generally considered stronger than MD5, but is slower.

Select

SHA-1

for maximum security.

SA Life Time

Define the length of time before an IKE SA automatically renegotiates in this

field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA

Life Time increases security by forcing the two VPN gateways to update the

encryption and authentication keys. However, every time the VPN tunnel

renegotiates, all users accessing remote resources are temporarily

disconnected.

Key Group

You must choose a key group for phase 1 IKE setup.

DH1

(default) refers to

Diffie-Hellman Group 1 a 768 bit random number.

DH2

refers to Diffie-Hellman

Group 2 a 1024 bit (1Kb) random number.

Phase 2

A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the

SA for IPSec.

Active Protocol

Select

ESP

from the drop-down list box. The ZyXEL Device's IPSec

Protocol should be identical to the secure remote gateway. The ESP

(Encapsulation Security Payload) protocol (RFC 2406) provides encryption as

well as the authentication offered by AH. If you select

ESP

here, you must

select options from the

Encryption Algorithm

and

Authentication

Algorithm

fields (described below). The AH protocol (Authentication Header

Protocol) (RFC 2402) was designed for integrity, authentication, sequence

integrity (replay resistance), and non-repudiation but not for confidentiality, for

which the ESP was designed. If you select

here, you must select options

from the

Authentication Algorithm

field.

Table 38

Advanced Rule Setup (continued)

LABEL

DESCRIPTION