Home » ZyXEL Manuals » Networking » ZyXEL P-202U » Manual Viewer

ZyXEL P-202U User Guide - Page 317

P-202H Plus v2 User's Guide, IPSec Log, Sample IPSec Logs During Packet Transmission,

Get ZyXEL P-202U PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 317 highlights

P-202H Plus v2 User's Guide Table 106 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION !! No proposal chosen The parameters configured for Phase 1 or Phase 2 negotiations don't match. Please check all protocols and settings for these phases. For example, one party may be using 3DES encryption, but the other party is using DES encryption, so the connection will fail. !! Verifying Local ID failed !! Verifying Remote ID failed During IKE Phase 2 negotiation, both parties exchange policy details, including local and remote IP address ranges. If these ranges differ, then the connection fails. !! Local / remote IPs of incoming request conflict with rule If the security gateway is "0.0.0.0", the ZyXEL Device will use the peer's "Local Addr" as its "Remote Addr". If this IP (range) conflicts with a previously configured rule then the connection is not allowed. !! Invalid IP / The peer's "Local IP Addr" range is invalid. !! Remote IP / conflicts If the security gateway is "0.0.0.0", the ZyXEL Device will use the peer's "Local Addr" as its "Remote Addr". If a peer's "Local Addr" range conflicts with other connections, then the ZyXEL Device will not accept VPN connection requests from this peer. !! Active connection allowed exceeded The ZyXEL Device limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded. !! IKE Packet Retransmit The ZyXEL Device did not receive a response from the peer and so retransmits the last packet sent. !! Failed to send IKE Packet The ZyXEL Device cannot send IKE packets due to a network error. !! Too many errors! Deleting SA The ZyXEL Device deletes an SA when too many errors occur. The following table shows sample log messages during packet transmission. Table 107 Sample IPSec Logs During Packet Transmission LOG MESSAGE !! WAN IP changed to !! Cannot find Phase 2 SA !! Discard REPLAY packet !! Inbound packet authentication failed !! Inbound packet decryption failed Rule idle time out, disconnect DESCRIPTION If the ZyXEL Device's WAN IP changes, all configured "My IP Addr" are changed to b "0.0.0.0".. If this field is configured as 0.0.0.0, then the ZyXEL Device will use the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel. The ZyXEL Device cannot find a phase 2 SA that corresponds with the SPI of an inbound packet (from the peer); the packet is dropped. If the ZyXEL Device receives a packet with the wrong sequence number it will discard it. The authentication configuration settings are incorrect. Please check them. The decryption configuration settings are incorrect. Please check them. If an SA has no packets transmitted for a period of time (configurable via CI command), the ZyXEL Device drops the connection. Chapter 35 IPSec Log 316

Section	Page
P-202H Plus v2	1
Copyright	3
Certifications	4
Safety Warnings	5
ZyXEL Limited Warranty	6
Customer Support	7
Table of Contents	9
List of Figures	21
List of Tables	27
Preface	31
1. Getting To Know Your ZyXEL Device	33
1.1 Introducing the ZyXEL Device	33
1.2 Features	33
1.3 Applications for the ZyXEL Device	37
1.3.1 Internet Access	37
1.3.2 LAN-to-LAN Connection	37
1.3.3 Remote Access Server	38
1.3.4 Secure Broadband Internet Access and VPN	38
1.4 Front Panel LEDs	39
1.5 Hardware Connection	40
2. Introducing the Web Configurator	41
2.1 Web Configurator Overview	41
2.2 Accessing the Web Configurator	41
2.3 Resetting the ZyXEL Device	42
2.3.1 Using the Reset Button	42
2.4 Navigating the Web Configurator	43
2.4.1 Changing Login Password	44
3. Wizard Setup	47
3.1 Introduction	47
3.1.1 MSN (Multiple Subscriber Number) and Subaddress	47
3.1.2 PABX Outside Line Prefix	47
3.2 Wizard Setup	47
3.2.1 Test Your Internet Connection	54
4. LAN Setup	55
4.1 LAN Overview	55
4.1.1 LANs, WANs and the ZyXEL Device	55
4.1.2 DHCP Setup	55
4.1.2.1 IP Pool Setup	56
4.1.3 DNS Server Address Assignment	56
4.2 LAN TCP/IP	56
4.2.1 IP Address and Subnet Mask	56
4.2.1.1 Private IP Addresses	57
4.3 Configuring LAN Setup	57
5. WAN Setup	61
5.1 WAN Overview	61
5.1.1 PPP Multilink	61
5.1.2 Bandwidth on Demand	61
5.1.3 IP Address Assignment	61
5.2 Internet Access Setup	61
6. Network Address Translation (NAT) Screens	65
6.1 NAT Overview	65
6.1.1 NAT Definitions	65
6.1.2 What NAT Does	66
6.1.3 How NAT Works	66
6.1.4 NAT Application	67
6.1.5 NAT Mapping Types	67
6.2 SUA (Single User Account) Versus NAT	68
6.3 Selecting the NAT Mode	68
6.4 SUA Server	69
6.4.1 Default Server IP Address	70
6.4.2 Port Forwarding: Services and Port Numbers	70
6.4.3 Configuring Servers Behind NAT (Example)	70
6.5 Configuring SUA Server	71
6.6 Configuring Address Mapping	72
6.6.1 Address Mapping Rule Edit	73
7. Dynamic DNS	75
7.1 Dynamic DNS Overview	75
7.1.1 DYNDNS Wildcard	75
7.2 Configuring Dynamic DNS	75
8. Firewalls	77
8.1 Firewall Overview	77
8.2 Types of Firewalls	77
8.2.1 Packet Filtering Firewalls	77
8.2.2 Application-level Firewalls	77
8.2.3 Stateful Inspection Firewalls	78
8.3 Introduction to ZyXEL’s Firewall	78
8.3.1 Denial of Service Attacks	79
8.4 Denial of Service	79
8.4.1 Basics	79
8.4.2 Types of DoS Attacks	80
8.4.2.1 ICMP Vulnerability	82
8.4.2.2 Illegal Commands (NetBIOS and SMTP)	82
8.4.2.3 Traceroute	83
8.5 Stateful Inspection	83
8.5.1 Stateful Inspection Process	84
8.5.2 Stateful Inspection and the ZyXEL Device	84
8.5.3 TCP Security	85
8.5.4 UDP/ICMP Security	85
8.5.5 Upper Layer Protocols	86
8.6 Guidelines for Enhancing Security with Your Firewall	86
8.6.1 Security In General	86
8.7 Packet Filtering Vs Firewall	87
8.7.1 Packet Filtering:	87
8.7.1.1 When To Use Filtering	88
8.7.2 Firewall	88
8.7.2.1 When To Use The Firewall	88
9. Firewall Configuration	89
9.1 Enabling the Firewall	89
9.2 E-Mail	89
9.3 Attack Alert	91
9.3.1 Alerts	91
9.3.2 Threshold Values	91
9.3.3 Half-Open Sessions	92
9.3.3.1 TCP Maximum Incomplete and Blocking Time	92
9.3.4 Configuring Firewall Alert	92
9.4 Rules Overview	94
9.5 Rule Logic Overview	94
9.5.1 Rule Checklist	95
9.5.2 Security Ramifications	95
9.5.3 Key Fields For Configuring Rules	95
9.5.3.1 Action	95
9.5.3.2 Service	95
9.5.3.3 Source Address	96
9.5.3.4 Destination Address	96
9.6 Connection Direction	96
9.6.1 LAN to WAN Rules	96
9.6.2 WAN to LAN Rules	96
9.7 Firewall Rules Summary	96
9.7.1 Configuring Firewall Rules	98
9.7.2 Source and Destination Addresses	100
9.7.3 Customized Services	101
9.7.4 Configuring A Customized Service	102
9.8 Timeout	102
9.8.1 Factors Influencing Choices for Timeout Values	103
9.9 Logs Screen	104
9.10 Example Firewall Rule	105
9.11 Predefined Services	108
10. Introduction to IPSec	111
10.1 VPN Overview	111
10.1.1 IPSec	111
10.1.2 Security	111
10.1.3 Other Terminology	111
10.1.3.1 Encryption	111
10.1.3.2 Data Confidentiality	112
10.1.3.3 Data Integrity	112
10.1.3.4 Data Origin Authentication	112
10.1.4 VPN Applications	112
10.2 IPSec Architecture	112
10.2.1 IPSec Algorithms	113
10.2.2 Key Management	113
10.3 Encapsulation	113
10.3.1 Transport Mode	114
10.3.2 Tunnel Mode	114
10.4 IPSec and NAT	114
11. VPN Screens	117
11.1 VPN/IPSec Overview	117
11.2 IPSec Algorithms	117
11.2.1 AH (Authentication Header) Protocol	117
11.2.2 ESP (Encapsulating Security Payload) Protocol	117
11.3 My IP Address	118
11.4 Secure Gateway IP Address	118
11.4.1 Dynamic Secure Gateway Address	119
11.5 VPN Summary Screen	119
11.6 Keep Alive	121
11.7 ID Type and Content	121
11.7.1 ID Type and Content Examples	122
11.8 Pre-Shared Key	123
11.9 VPN Rules	123
11.10 IKE Phases	127
11.10.1 Negotiation Mode	128
11.10.2 Diffie-Hellman (DH) Key Groups	129
11.10.3 Perfect Forward Secrecy (PFS)	129
11.11 Advanced IKE Settings	129
11.12 Manual Key	132
11.12.1 Security Parameter Index (SPI)	132
11.13 Manual Key Screen	133
11.14 SA Monitor Screen	135
11.15 Global Setting Screen	136
11.16 Telecommuter VPN/IPSec Examples	137
11.16.1 Telecommuters Sharing One VPN Rule Example	137
11.16.2 Telecommuters Using Unique VPN Rules Example	138
11.17 Logs	139
12. NetCAPI	141
12.1 NetCAPI Overview	141
12.2 CAPI	141
12.2.1 ISDN-DCP	141
12.3 Configuring NetCAPI	142
12.3.1 Configuring the ZyXEL Device as a NetCAPI Server	143
12.3.2 RVS-COM	143
12.3.3 Example of Installing a CAPI driver and Communication Software	144
13. Supplementary Phone Services	145
13.1 Overview	145
13.2 Setting Up Supplemental Phone Service	146
13.3 The Flash Key	146
13.4 Call Waiting	146
13.4.1 How to Use Call Waiting	146
13.4.1.1 Placing the Current Call on Hold	146
13.4.1.2 Dropping the Current Call to Switch to an Incoming/Holding Call	146
13.5 Three Way Calling	147
13.5.1 How to Use Three-Way Calling	147
13.5.1.1 To drop the last call added to the three-way call:	147
13.5.1.2 To drop yourself from the conference call:	147
13.6 Call Transfer	147
13.6.1 How to Use Call Transfer	147
13.6.2 To Do a Blind Transfer:	148
13.7 Call Forwarding	148
13.8 Reminder Ring	148
13.9 Multiple Subscriber Number (MSN)	149
13.10 Using MSN	149
13.11 Terminal Portability (Suspend/Resume)	149
13.11.1 How to Suspend/Resume a Phone Call:	149
13.11.1.1 To suspend an active phone call	149
13.11.1.2 To resume your phone call	149
14. Maintenance	151
14.1 Maintenance Overview	151
14.2 System Status	151
14.2.1 System Statistics	153
14.3 DHCP Table Screen	154
14.4 Firmware Screen	155
14.5 Budget Control	158
15. Introducing the SMT	159
15.1 SMT Introduction	159
15.2 Accessing the ZyXEL Device via Console Port	159
15.2.1 Initial Screen	159
15.2.2 Entering Password	159
15.3 Procedure for SMT Configuration via Telnet	160
15.4 SMT Menu Overview	160
15.5 Navigating the SMT Interface	162
15.5.1 System Management Terminal Interface Summary	163
15.6 Changing the System Password	164
16. Menu 1 General Setup	167
16.1 General Setup	167
16.2 Procedure To Configure Menu 1	167
16.2.1 Procedure to Configure Dynamic DNS	168
17. Menu 2 ISDN Setup	171
17.1 ISDN Setup Overview	171
17.1.1 Supplementary Voice Services	171
17.1.2 ISDN Call Waiting	171
17.1.3 PABX Outside Line Prefix	171
17.1.4 Outgoing Calling Party Number	172
17.2 ISDN Setup	172
17.2.1 ISDN Advanced Setup	174
17.2.2 Configuring Advanced Setup	175
17.3 NetCAPI	176
17.3.1 Configuring NetCAPI	176
18. Menu 3 Ethernet Setup	179
18.1 Ethernet Setup	179
18.1.1 General Ethernet Setup	179
18.2 Ethernet TCP/IP and DHCP Server	180
18.3 Configuring TCP/IP Ethernet Setup and DHCP	180
18.3.1 IP Alias Setup	181
19. Internet Access Setup	185
19.1 Introduction to Internet Access Setup	185
19.2 Internet Access Setup	185
20. Remote Node Configuration	187
20.1 Introduction to Remote Node Setup	187
20.1.1 Minimum Toll Period	187
20.2 Remote Node Profile Setup	187
20.3 Outgoing Authentication Protocol	190
20.4 PPP Multilink	191
20.5 Bandwidth on Demand	191
20.6 Editing PPP Options	192
20.7 LAN-to-LAN Application	193
20.8 Configuring Network Layer Options	194
20.9 Remote Node Filter	196
21. Static Route Setup	199
21.1 Static Route	199
21.2 IP Static Route Setup	199
22. Dial-in Setup	203
22.1 Dial-in Users Overview	203
22.2 Default Dial-in User Setup	203
22.2.1 CLID Callback Support For Dial-In Users	203
22.3 Setting Up Default Dial-in	204
22.3.1 Default Dial-in Filter	206
22.4 Callback Overview	206
22.5 Dial-In User Setup	207
22.6 Telecommuting Application With Windows Example	208
22.7 LAN-to-LAN Server Application Example	210
22.7.1 Configuring Callback in LAN-to-LAN Application	210
22.7.2 Configuring With CLID in LAN-to-LAN Application	212
23. Network Address Translation (NAT)	215
23.1 Using NAT	215
23.1.1 SUA (Single User Account) Versus NAT	215
23.2 Applying NAT	215
23.3 NAT Setup	217
23.3.1 Address Mapping Sets	217
23.3.1.1 User-Defined Address Mapping Sets	219
23.3.1.2 Ordering Your Rules	220
23.4 Configuring a Server behind NAT	221
23.5 General NAT Examples	223
23.5.1 Example 1: Internet Access Only	223
23.5.2 Example 2: Internet Access with an Inside Server	224
23.5.3 Example 3: Multiple Public IP Addresses With Inside Servers	224
23.5.4 Example 4: NAT Unfriendly Application Programs	228
24. Enabling the Firewall	231
24.1 Remote Management and the Firewall	231
24.2 Access Methods	231
24.3 Enabling the Firewall	231
24.3.1 Viewing the Firewall Log	232
24.3.2 Example E-mail Log	234
25. Filter Configuration	235
25.1 Introduction to Filters	235
25.1.1 The Filter Structure of the ZyXEL Device	236
25.2 Configuring a Filter Set	237
25.2.1 Filter Rules Summary Menus	240
25.2.2 Configuring a Filter Rule	241
25.2.3 Configuring a TCP/IP Filter Rule	241
25.2.4 Configuring a Generic Filter Rule	244
25.3 Example Filter	246
25.4 Filter Types and NAT	248
25.5 Firewall Versus Filters	249
25.6 Applying a Filter	249
25.6.1 Applying LAN Filters	249
25.6.2 Applying Remote Node Filters	250
26. SNMP Configuration	251
26.1 About SNMP	251
26.2 Supported MIBs	252
26.3 SNMP Configuration	252
26.4 SNMP Traps	253
27. System Security	255
27.1 System Security	255
27.2 System Password	255
27.3 RADIUS	255
27.4 Configuring External Server	256
28. System Information and Diagnosis	259
28.1 System Status	259
28.2 System Information and Console Port Speed	261
28.2.1 System Information	261
28.2.2 Console Port Speed	262
28.3 Log and Trace	263
28.3.1 Viewing Error Log	263
28.3.2 Unix Syslog	264
28.3.2.1 CDR	265
28.3.2.2 Packet triggered	266
28.3.2.3 Filter log	266
28.3.2.4 PPP log	267
28.3.2.5 POTS log	267
28.3.3 Accounting Server	267
28.3.4 Call-Triggering Packet	268
28.4 Diagnostic	269
29. Firmware and Configuration File Maintenance	271
29.1 Filename Conventions	271
29.2 Backup Configuration	272
29.2.1 Backup Configuration	272
29.2.2 Using the FTP Command from the Command Line	273
29.2.3 Example of FTP Commands from the Command Line	273
29.2.4 GUI-based FTP Clients	274
29.2.5 Remote Management Limitations	274
29.2.6 Backup Configuration Using TFTP	274
29.2.7 TFTP Command Example	275
29.2.8 GUI-based TFTP Clients	275
29.2.9 Backup Via Console Port	276
29.3 Restore Configuration	277
29.3.1 Restore Using FTP	277
29.3.2 Restore Using FTP Session Example	278
29.3.3 Restore Via Console Port	278
29.4 Uploading Firmware and Configuration Files	279
29.4.1 Firmware File Upload	279
29.4.2 Configuration File Upload	280
29.4.3 FTP File Upload Command from the DOS Prompt Example	281
29.4.4 FTP Session Example of Firmware File Upload	281
29.4.5 TFTP File Upload	281
29.4.6 TFTP Upload Command Example	282
29.4.7 Uploading Via Console Port	282
29.4.8 Uploading Firmware File Via Console Port	282
29.4.9 Example Xmodem Firmware Upload Using HyperTerminal	283
29.4.10 Uploading Configuration File Via Console Port	283
29.4.11 Example Xmodem Configuration Upload Using HyperTerminal	284
30. System Maintenance	285
30.1 Command Interpreter Mode	285
30.1.1 Command Syntax	285
30.1.2 Command Usage	286
30.2 Call Control Support	286
30.2.1 Call Control Parameters	287
30.2.2 Black List	287
30.2.3 Budget Management	288
30.2.4 Call History	289
30.3 Time and Date Setting	290
30.3.1 Resetting the Time	291
31. Remote Management	293
31.1 Remote Management	293
31.1.1 Remote Management Limitations	294
31.2 Remote Management and NAT	294
31.3 System Timeout	295
32. Call Scheduling	297
32.1 Introduction to Call Scheduling	297
33. VPN/IPSec Setup	301
33.1 VPN/IPSec Overview	301
33.2 IPSec Summary Screen	302
33.3 IPSec Setup	304
33.4 IKE Setup	307
33.5 Manual Setup	309
33.5.1 Active Protocol	309
34. SA Monitor	313
34.1 SA Monitor Overview	313
34.2 Using SA Monitor	313
35. IPSec Log	315
35.1 IPSec Logs	315
36. Troubleshooting	319
36.1 Problems Starting Up the ZyXEL Device	319
36.2 Problems with the LAN	319
36.3 Problems with the ISDN Line	320
36.4 Problems with Remote User Dial-in	320
36.5 Problems Accessing the ZyXEL Device	321
A. Product Specifications	323
B. Wall-mounting Instructions	325
C. Log Descriptions	327
D. Setting up Your Computer’s IP Address	339
36.5.1 Verifying Settings	354
E. IP Addresses and Subnetting	355
F. Pop-up Windows, JavaScripts and Java Permissions	363
Index	371
A	371
B	371
C	371
D	371
E	372
F	372
G	372
H	372
I	372
K	373
L	373
M	373
N	373
O	373
P	373
Q	374
R	374
S	374
T	375
U	375
V	375
W	375
X	375

Match case Limit results 1 per page

P-202H Plus v2 User’s Guide

Chapter 35 IPSec Log

316

The following table shows sample log messages during packet transmission.

!! No proposal chosen

The parameters configured for Phase 1 or Phase 2

negotiations don't match. Please check all protocols and

settings for these phases. For example, one party may be

using 3DES encryption, but the other party is using DES

encryption, so the connection will fail.

!! Verifying Local ID failed

!! Verifying Remote ID failed

During IKE Phase 2 negotiation, both parties exchange

policy details, including local and remote IP address

ranges. If these ranges differ, then the connection fails.

!! Local / remote IPs of incoming request

conflict with rule <#d>

If the security gateway is

"0.0.0.0", the ZyXEL Device will

use the peer's "Local Addr" as its "Remote Addr". If this IP

(range) conflicts with a previously configured rule then the

connection is not allowed.

!! Invalid IP <IP start>/<IP end>

The peer's "Local IP Addr" range is invalid.

!! Remote IP <IP start> / <IP end>

conflicts

If the security gateway is

"0.0.0.0", the ZyXEL Device will

use the peer's "Local Addr" as its "Remote Addr". If a

peer's "Local Addr" range conflicts with other connections,

then the ZyXEL Device will not accept VPN connection

requests from this peer.

!! Active connection allowed exceeded

The ZyXEL Device limits the number of simultaneous

Phase 2 SA negotiations. The IKE key exchange process

fails if this limit is exceeded.

!! IKE Packet Retransmit

The ZyXEL Device did not receive a response from the

peer and so retransmits the last packet sent.

!! Failed to send IKE Packet

The ZyXEL Device cannot send IKE packets due to a

network error.

!! Too many errors! Deleting SA

The ZyXEL Device deletes an SA when too many errors

occur.

Table 107

Sample IPSec Logs During Packet Transmission

LOG MESSAGE

DESCRIPTION

!! WAN IP changed to <IP>

If the ZyXEL Device's WAN IP changes, all configured "My

IP Addr" are changed to b "0.0.0.0".. If this field is

configured as 0.0.0.0, then the ZyXEL Device will use the

current ZyXEL Device WAN IP address (static or dynamic)

to set up the VPN tunnel.

!! Cannot find Phase 2 SA

The ZyXEL Device cannot find a phase 2 SA that

corresponds with the SPI of an inbound packet (from the

peer); the packet is dropped.

!! Discard REPLAY packet

If the ZyXEL Device receives a packet with the wrong

sequence number it will discard it.

!! Inbound packet authentication failed

The authentication configuration settings are incorrect.

Please check them.

!! Inbound packet decryption failed

The decryption configuration settings are incorrect.

Please check them.

Rule <#d> idle time out, disconnect

If an SA has no packets transmitted for a period of time

(configurable via CI command), the ZyXEL Device drops

the connection.

Table 106

Sample IKE Key Exchange Logs

LOG MESSAGE

DESCRIPTION