Home » ZyXEL Manuals » Networking » ZyXEL P-335U » Manual Viewer

ZyXEL P-335U User Guide - Page 144

IPSec SA IKE Phase 2 Overview

Get ZyXEL P-335U PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 144 highlights

P-334U/P-335U User's Guide Most routers like router A now have an IPSec pass-through feature. This feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the IPSec protocol is ESP. (See IPSec Protocol on page 144 for more information about active protocols.) If router A does not have an IPSec pass-through or if the IPSec protocol is AH, you can solve this problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to the IKE SA and IPSec SA packets. If you configure router A to forward these packets unchanged, router X and router Y can establish a VPN tunnel. You have to do the following things to set up NAT traversal. • Enable NAT traversal on the ZyXEL Device and remote IPSec router. • Configure the NAT router to forward packets with the extra header unchanged. The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ZyXEL Device and remote IPSec router support. 13.1.3 IPSec SA (IKE Phase 2) Overview Once the ZyXEL Device and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks. Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore. This section introduces the key components of an IPSec SA. 13.1.3.1 Local Network and Remote Network In an IPSec SA, the local network consists of devices connected to the ZyXEL Device and may be called the local policy. Similarly, the remote network consists of the devices connected to the remote IPSec router and may be called the remote policy. Note: It is not recommended to set a VPN rule's local and remote network settings both to 0.0.0.0 (any). This causes the ZyXEL Device to try to forward all access attempts (to the local network, the Internet or even the ZyXEL Device) to the remote IPSec router. In this case, you can no longer manage the ZyXEL Device. 13.1.3.2 IPSec Protocol The IPSec protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two IPSec protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). Note: The ZyXEL Device and remote IPSec router must use the same IPSec protocol. 144 Chapter 13 IPSec VPN

Section	Page
User’s Guide	1
Copyright	3
Certifications	4
Safety Warnings	6
ZyXEL Limited Warranty	7
Customer Support	8
Table of Contents	11
List of Figures	19
List of Tables	25
Preface	29
1. Getting to Know Your ZyXEL Device	31
1.1 ZyXEL Device Overview	31
1.2 Applications for the ZyXEL Device	31
1.2.1 Secure Broadband Internet Access via Cable or DSL Modem	31
1.2.2 Wireless LAN Application	32
1.2.3 Print Server and Router Combined Application (P-335U Only)	33
1.2.4 VPN Application (P-335U Only)	33
1.3 Ways to Manage the ZyXEL Device	33
1.4 Good Habits for Managing Your ZyXEL Device	34
1.4.1 Front Panel LEDs	34
2. Introducing the Web Configurator	37
2.1 Web Configurator Overview	37
2.2 Accessing the Web Configurator	37
2.3 Resetting the ZyXEL Device	38
2.3.1 Procedure to Use the Reset Button	38
2.4 Navigating the Web Configurator	38
2.4.1 Navigation Panel	41
2.4.2 Summary: Bandwidth Management Monitor	43
2.4.3 Summary: DHCP Table	44
2.4.4 Summary: Packet Statistics	45
2.4.5 VPN Monitor	46
2.4.6 Summary: Wireless Station Status	46
3. Connection Wizard	49
3.1 Wizard Setup	49
3.2 Connection Wizard: STEP 1: System Information	50
3.2.1 System Name	50
3.2.2 Domain Name	51
3.3 Connection Wizard: STEP 2: Wireless LAN	51
3.3.1 Basic(WEP) Security	53
3.3.2 Extend(WPA-PSK or WPA2-PSK) Security	54
3.3.3 OTIST	55
3.4 Connection Wizard: STEP 3: Internet Configuration	56
3.4.1 Ethernet Connection	56
3.4.2 PPPoE Connection	57
3.4.3 PPTP Connection	58
3.4.4 Your IP Address	60
3.4.5 WAN IP Address Assignment	60
3.4.6 IP Address and Subnet Mask	61
3.4.7 DNS Server Address Assignment	61
3.4.8 WAN IP and DNS Server Address Assignment	62
3.4.9 WAN MAC Address	63
3.5 Connection Wizard: STEP 4: Bandwidth management	64
3.6 Connection Wizard Complete	65
4. Wireless LAN	67
4.1 Wireless Network Overview	67
4.2 Wireless Security Overview	68
4.2.1 SSID	68
4.2.2 MAC Address Filter	68
4.2.3 User Authentication	68
4.2.4 Encryption	69
4.2.5 One-Touch Intelligent Security Technology (OTIST)	70
4.3 General Wireless LAN Screen	70
4.3.1 No Security	71
4.3.2 WEP Encryption	72
4.3.3 WPA-PSK/WPA2-PSK	74
4.3.4 WPA/WPA2	75
4.4 OTIST	77
4.4.1 Enabling OTIST	78
4.4.1.1 AP	78
4.4.1.2 Wireless Client	79
4.4.2 Starting OTIST	80
4.4.3 Notes on OTIST	80
4.5 MAC Filter	81
4.6 Wireless LAN Advanced Screen	83
5. Wireless Tutorial	85
5.1 Example Parameters	85
5.2 Configuring the AP	85
5.3 Configuring the Wireless Client	87
5.3.1 Connecting to a Wireless LAN	88
5.3.2 Creating and Using a Profile	90
6. WAN	95
6.1 WAN Overview	95
6.2 WAN MAC Address	95
6.3 Internet Connection	95
6.3.1 Ethernet Encapsulation	95
6.3.2 PPPoE Encapsulation	97
6.3.3 PPTP Encapsulation	100
6.4 Advanced WAN Screen	103
7. LAN	105
7.1 LAN Overview	105
7.1.1 IP Pool Setup	105
7.1.2 System DNS Servers	105
7.2 LAN TCP/IP	105
7.2.1 Factory LAN Defaults	105
7.2.2 IP Address and Subnet Mask	106
7.2.3 Multicast	106
7.3 LAN IP Screen	106
7.4 LAN IP Alias	107
7.5 Advanced LAN Screen	108
8. DHCP Server	111
8.1 DHCP	111
8.2 DHCP Server General Screen	111
8.3 DHCP Server Advanced Screen	112
8.4 Client List Screen	113
9. Network Address Translation (NAT)	115
9.1 NAT Overview	115
9.2 Using NAT	115
9.2.1 Port Forwarding: Services and Port Numbers	115
9.2.2 Configuring Servers Behind Port Forwarding (Example)	116
9.3 General NAT Screen	116
9.4 NAT Application Screen	117
9.4.1 Game List Example	119
9.5 Trigger Port Forwarding	120
9.5.1 Trigger Port Forwarding Example	121
9.5.2 Two Points To Remember About Trigger Ports	121
9.6 NAT Advanced Screen	121
10. Dynamic DNS	125
10.1 Dynamic DNS Introduction	125
10.1.1 DynDNS Wildcard	125
10.2 Dynamic DNS Screen	125
11. Firewall	127
11.1 Introduction to Firewall	127
11.1.1 What is a Firewall?	127
11.1.2 Stateful Inspection Firewall.	127
11.1.3 About the ZyXEL Device Firewall	127
11.1.4 Guidelines For Enhancing Security With Your Firewall	128
11.2 General Firewall Screen	128
11.3 Services Screen	129
12. Content Filtering	133
12.1 Introduction to Content Filtering	133
12.2 Restrict Web Features	133
12.3 Days and Times	133
12.4 Filter Screen	133
12.5 Schedule	135
12.6 Customizing Keyword Blocking URL Checking	136
12.6.1 Domain Name or IP Address URL Checking	136
12.6.2 Full Path URL Checking	136
12.6.3 File Name URL Checking	137
13. IPSec VPN	139
13.1 IPSec VPN Overview	139
13.1.1 IKE SA (IKE Phase 1) Overview	140
13.1.1.1 IP Addresses of the ZyXEL Device and Remote IPSec Router	140
13.1.2 IKE SA Setup	140
13.1.2.1 IKE SA Proposal	141
13.1.2.2 Diffie-Hellman (DH) Key Exchange	141
13.1.2.3 Authentication	141
13.1.2.4 Negotiation Mode	143
13.1.2.5 VPN, NAT, and NAT Traversal	143
13.1.3 IPSec SA (IKE Phase 2) Overview	144
13.1.3.1 Local Network and Remote Network	144
13.1.3.2 IPSec Protocol	144
13.1.3.3 Encapsulation	145
13.1.3.4 IPSec SA Proposal and Perfect Forward Secrecy	145
13.1.4 Additional IPSec VPN Topics	146
13.1.4.1 SA Life Time	146
13.1.4.2 Encryption and Authentication Algorithms	146
13.2 Remote DNS Server	147
13.3 VPN Summary	147
13.4 VPN Rule Setup (IKE)	148
13.5 Advanced VPN Rule Setup (IKE)	153
13.6 IPSec SA Using Manual Keys	159
13.6.1 IPSec SA Proposal Using Manual Keys	160
13.6.2 Authentication and the Security Parameter Index (SPI)	160
13.7 VPN Rule Setup (Manual)	160
13.8 VPN SA Monitor	164
13.9 VPN Global Setting	165
13.10 Telecommuter VPN/IPSec Examples	165
13.10.1 Telecommuters Sharing One VPN Rule Example	166
13.10.2 Telecommuters Using Unique VPN Rules Example	166
13.11 VPN and Remote Management	168
14. Static Route Screens	169
14.1 Static Route Overview	169
14.2 IP Static Route Screen	170
14.2.1 Static Route Setup Screen	171
15. Bandwidth Management	173
15.1 Bandwidth Management Overview	173
15.2 Application-based Bandwidth Management	173
15.3 Subnet-based Bandwidth Management	174
15.4 Application and Subnet-based Bandwidth Management	174
15.5 Bandwidth Management Priorities	175
15.6 Predefined Bandwidth Management Services	175
15.6.1 Services and Port Numbers	176
15.7 Default Bandwidth Management Classes and Priorities	178
15.8 Bandwidth Management General Configuration	179
15.9 Bandwidth Management Advanced Configuration	180
15.9.1 Rule Configuration with the Pre-defined Service	182
15.9.2 Rule Configuration with the User-defined Service	183
15.10 Bandwidth Management Monitor	184
16. Remote Management Screens	185
16.1 Remote Management Overview	185
16.1.1 Remote Management Limitations	185
16.1.2 Remote Management and NAT	186
16.1.3 System Timeout	186
16.2 WWW Screen	186
16.3 Telnet	187
16.4 Telnet Screen	187
16.5 FTP Screen	188
16.6 DNS Screen	189
17. UPnP	191
17.1 Universal Plug and Play Overview	191
17.1.1 How Do I Know If I'm Using UPnP?	191
17.1.2 NAT Traversal	191
17.1.3 Cautions with UPnP	191
17.2 UPnP and ZyXEL	192
17.3 UPnP Screen	192
17.4 Installing UPnP in Windows Example	193
17.4.1 Installing UPnP in Windows Me	193
17.4.2 Installing UPnP in Windows XP	194
17.5 Using UPnP in Windows XP Example	195
17.5.1 Auto-discover Your UPnP-enabled Network Device	195
17.5.2 Web Configurator Easy Access	196
17.5.3 Web Configurator Easy Access	197
18. Print Server	199
18.1 Print Server Overview	199
18.2 ZyXEL Device Print Server	199
18.3 Print Server Screen	200
19. Print Server Driver Setup	201
19.1 Installation Requirements	201
19.2 Windows 95/98 SE/Me/2000/XP/NT 4.0	201
19.2.1 Print Server Driver Setup Wizard	202
19.2.2 Adding a New Printer	207
19.3 Macintosh OS X	211
20. System	215
20.1 System Overview	215
20.2 System General Screen	215
20.3 Time Setting Screen	216
21. Logs	219
21.1 View Log	219
21.2 Log Settings	220
22. Tools	223
22.1 Firmware Upload Screen	223
22.2 Configuration Screen	224
22.2.1 Backup Configuration	225
22.2.2 Restore Configuration	225
22.2.3 Back to Factory Defaults	226
22.3 Restart Screen	227
23. Configuration Mode	229
24. Troubleshooting	231
24.1 Problems Starting Up the ZyXEL Device	231
24.2 Problems with the LAN	231
24.3 Problems with the WAN	232
24.4 Problems Accessing the ZyXEL Device	233
24.5 Problems with Restricted Web Pages and Keyword Blocking	233
24.5.1 Pop-up Windows, JavaScripts and Java Permissions	235
24.5.1.1 Internet Explorer Pop-up Blockers	235
24.5.1.2 JavaScripts	238
24.5.1.3 Java Permissions	240
24.5.2 ActiveX Controls in Internet Explorer	242
A. Product Specifications	245
B. Print Server Specifications	249
ZyXEL Device Print Server Compatible USB Printers	250
C. Setting up Your Computer’s IP Address	255
Windows 95/98/Me	255
Installing Components	256
Configuring	257
Verifying Settings	258
Windows 2000/NT/XP	258
Verifying Settings	263
Macintosh OS 8/9	263
Verifying Settings	265
Macintosh OS X	265
Verifying Settings	266
Linux	266
Using the K Desktop Environment (KDE)	267
Using Configuration Files	268
Verifying Settings	270
D. IP Subnetting	271
IP Addressing	271
IP Classes	271
Subnet Masks	272
Subnetting	272
Example: Two Subnets	273
Example: Four Subnets	275
Example Eight Subnets	276
Subnetting With Class A and Class B Networks.	277
E. Wireless LANs	279
Wireless LAN Topologies	279
Ad-hoc Wireless LAN Configuration	279
BSS	279
ESS	280
Channel	281
RTS/CTS	281
Fragmentation Threshold	282
Preamble Type	283
IEEE 802.11g Wireless LAN	283
Wireless Security Overview	284
IEEE 802.1x	284
RADIUS	284
Types of RADIUS Messages	285
Types of Authentication	286
EAP-MD5 (Message-Digest Algorithm 5)	286
EAP-TLS (Transport Layer Security)	286
EAP-TTLS (Tunneled Transport Layer Service)	286
PEAP (Protected EAP)	286
LEAP	287
Dynamic WEP Key Exchange	287
WPA and WPA2	287
Encryption	288
User Authentication	289
Wireless Client WPA Supplicants	289
WPA(2) with RADIUS Application Example	289
WPA(2)-PSK Application Example	290
Security Parameters Summary	291
F. Log Descriptions	293
Log Commands	307
Configuring What You Want the ZyXEL Device to Log	307
Displaying Logs	308
Log Command Example	308
G. Services	309
H. Internal SPTGEN	313
Internal SPTGEN Overview	313
The Configuration Text File Format	313
Internal SPTGEN File Modification - Important Points to Remember	314
Internal SPTGEN FTP Download Example	314
Internal SPTGEN FTP Upload Example	315
Example Internal SPTGEN Menus	316
Command Examples	328
I. Triangle Route	329
The Ideal Setup	329
The “Triangle Route” Problem	329
The “Triangle Route” Solutions	330
IP Aliasing	330
Index	331
A	331
B	331
C	331
D	331
E	331
F	332
G	332
H	332
I	332
J	333
K	333
L	333
M	333
N	333
O	333
P	333
R	333
S	334
T	334
U	334
V	334
W	334

Match case Limit results 1 per page

P-334U/P-335U User’s Guide

144

Chapter 13 IPSec VPN

Most routers like router

now have an IPSec pass-through feature. This feature helps router

recognize VPN packets and route them appropriately. If router

has this feature, router

and

router

can establish a VPN tunnel as long as the IPSec protocol is ESP. (See

IPSec Protocol

on page 144

for more information about active protocols.)

If router

does not have an IPSec pass-through or if the IPSec protocol is AH, you can solve

this problem by enabling NAT traversal. In NAT traversal, router

and router

add an extra

header to the IKE SA and IPSec SA packets. If you configure router

to forward these

packets unchanged, router

and router

can establish a VPN tunnel.

You have to do the following things to set up NAT traversal.

•

Enable NAT traversal on the ZyXEL Device and remote IPSec router.

•

Configure the NAT router to forward packets with the extra header unchanged.

The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the

ZyXEL Device and remote IPSec router support.

13.1.3

IPSec SA (IKE Phase 2) Overview

Once the ZyXEL Device and remote IPSec router have established the IKE SA, they can

securely negotiate an IPSec SA through which to send data between computers on the

networks.

Note:

The IPSec SA stays connected even if the underlying IKE SA is not available

anymore.

This section introduces the key components of an IPSec SA.

13.1.3.1

Local Network and Remote Network

In an IPSec SA, the local network consists of devices connected to the ZyXEL Device and

may be called the local policy. Similarly, the remote network consists of the devices connected

to the remote IPSec router and may be called the remote policy.

Note:

It is not recommended to set a VPN rule’s local and remote network settings

both to 0.0.0.0 (any). This causes the ZyXEL Device to try to forward all access

attempts (to the local network, the Internet or even the ZyXEL Device) to the

remote IPSec router. In this case, you can no longer manage the ZyXEL

Device.

13.1.3.2

IPSec Protocol

The IPSec protocol controls the format of each packet. It also specifies how much of each

packet is protected by the encryption and authentication algorithms. IPSec VPN includes two

IPSec protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security

Payload, RFC 2406).

Note:

The ZyXEL Device and remote IPSec router must use the same IPSec

protocol.