Home » ZyXEL Manuals » Networking » ZyXEL P-335U » Manual Viewer

ZyXEL P-335U User Guide - Page 145

Encapsulation, 1.3.4, IPSec SA Proposal and Perfect Forward Secrecy

Get ZyXEL P-335U PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 145 highlights

P-334U/P-335U User's Guide Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. 13.1.3.3 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyXEL Device and remote IPSec router (for example, for remote management), not between computers on the local and remote networks. Note: The ZyXEL Device and remote IPSec router must use the same encapsulation. These modes are illustrated below. Figure 88 VPN: Transport and Tunnel Mode Encapsulation Original Packet IP Header TCP Header Data Transport Mode Packet IP Header AH/ESP Header TCP Header Data Tunnel Mode Packet IP Header AH/ESP Header IP Header TCP Header Data In tunnel mode, the ZyXEL Device uses the IPSec protocol to encapsulate the entire IP packet. As a result, there are two IP headers: • Outside header: The outside IP header contains the IP address of the ZyXEL Device or remote IPSec router, whichever is the destination. • Inside header: The inside IP header contains the IP address of the computer behind the ZyXEL Device or remote IPSec router. The header for the IPSec protocol (AH or ESP) appears between the IP headers. In transport mode, the encapsulation depends on the IPSec protocol. With AH, the ZyXEL Device includes part of the original IP header when it encapsulates the packet. With ESP, however, the ZyXEL Device does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address. 13.1.3.4 IPSec SA Proposal and Perfect Forward Secrecy An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on page 141), except that you also have the choice whether or not the ZyXEL Device and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS). If you enable PFS, the ZyXEL Device and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure. Chapter 13 IPSec VPN 145

Section	Page
User’s Guide	1
Copyright	3
Certifications	4
Safety Warnings	6
ZyXEL Limited Warranty	7
Customer Support	8
Table of Contents	11
List of Figures	19
List of Tables	25
Preface	29
1. Getting to Know Your ZyXEL Device	31
1.1 ZyXEL Device Overview	31
1.2 Applications for the ZyXEL Device	31
1.2.1 Secure Broadband Internet Access via Cable or DSL Modem	31
1.2.2 Wireless LAN Application	32
1.2.3 Print Server and Router Combined Application (P-335U Only)	33
1.2.4 VPN Application (P-335U Only)	33
1.3 Ways to Manage the ZyXEL Device	33
1.4 Good Habits for Managing Your ZyXEL Device	34
1.4.1 Front Panel LEDs	34
2. Introducing the Web Configurator	37
2.1 Web Configurator Overview	37
2.2 Accessing the Web Configurator	37
2.3 Resetting the ZyXEL Device	38
2.3.1 Procedure to Use the Reset Button	38
2.4 Navigating the Web Configurator	38
2.4.1 Navigation Panel	41
2.4.2 Summary: Bandwidth Management Monitor	43
2.4.3 Summary: DHCP Table	44
2.4.4 Summary: Packet Statistics	45
2.4.5 VPN Monitor	46
2.4.6 Summary: Wireless Station Status	46
3. Connection Wizard	49
3.1 Wizard Setup	49
3.2 Connection Wizard: STEP 1: System Information	50
3.2.1 System Name	50
3.2.2 Domain Name	51
3.3 Connection Wizard: STEP 2: Wireless LAN	51
3.3.1 Basic(WEP) Security	53
3.3.2 Extend(WPA-PSK or WPA2-PSK) Security	54
3.3.3 OTIST	55
3.4 Connection Wizard: STEP 3: Internet Configuration	56
3.4.1 Ethernet Connection	56
3.4.2 PPPoE Connection	57
3.4.3 PPTP Connection	58
3.4.4 Your IP Address	60
3.4.5 WAN IP Address Assignment	60
3.4.6 IP Address and Subnet Mask	61
3.4.7 DNS Server Address Assignment	61
3.4.8 WAN IP and DNS Server Address Assignment	62
3.4.9 WAN MAC Address	63
3.5 Connection Wizard: STEP 4: Bandwidth management	64
3.6 Connection Wizard Complete	65
4. Wireless LAN	67
4.1 Wireless Network Overview	67
4.2 Wireless Security Overview	68
4.2.1 SSID	68
4.2.2 MAC Address Filter	68
4.2.3 User Authentication	68
4.2.4 Encryption	69
4.2.5 One-Touch Intelligent Security Technology (OTIST)	70
4.3 General Wireless LAN Screen	70
4.3.1 No Security	71
4.3.2 WEP Encryption	72
4.3.3 WPA-PSK/WPA2-PSK	74
4.3.4 WPA/WPA2	75
4.4 OTIST	77
4.4.1 Enabling OTIST	78
4.4.1.1 AP	78
4.4.1.2 Wireless Client	79
4.4.2 Starting OTIST	80
4.4.3 Notes on OTIST	80
4.5 MAC Filter	81
4.6 Wireless LAN Advanced Screen	83
5. Wireless Tutorial	85
5.1 Example Parameters	85
5.2 Configuring the AP	85
5.3 Configuring the Wireless Client	87
5.3.1 Connecting to a Wireless LAN	88
5.3.2 Creating and Using a Profile	90
6. WAN	95
6.1 WAN Overview	95
6.2 WAN MAC Address	95
6.3 Internet Connection	95
6.3.1 Ethernet Encapsulation	95
6.3.2 PPPoE Encapsulation	97
6.3.3 PPTP Encapsulation	100
6.4 Advanced WAN Screen	103
7. LAN	105
7.1 LAN Overview	105
7.1.1 IP Pool Setup	105
7.1.2 System DNS Servers	105
7.2 LAN TCP/IP	105
7.2.1 Factory LAN Defaults	105
7.2.2 IP Address and Subnet Mask	106
7.2.3 Multicast	106
7.3 LAN IP Screen	106
7.4 LAN IP Alias	107
7.5 Advanced LAN Screen	108
8. DHCP Server	111
8.1 DHCP	111
8.2 DHCP Server General Screen	111
8.3 DHCP Server Advanced Screen	112
8.4 Client List Screen	113
9. Network Address Translation (NAT)	115
9.1 NAT Overview	115
9.2 Using NAT	115
9.2.1 Port Forwarding: Services and Port Numbers	115
9.2.2 Configuring Servers Behind Port Forwarding (Example)	116
9.3 General NAT Screen	116
9.4 NAT Application Screen	117
9.4.1 Game List Example	119
9.5 Trigger Port Forwarding	120
9.5.1 Trigger Port Forwarding Example	121
9.5.2 Two Points To Remember About Trigger Ports	121
9.6 NAT Advanced Screen	121
10. Dynamic DNS	125
10.1 Dynamic DNS Introduction	125
10.1.1 DynDNS Wildcard	125
10.2 Dynamic DNS Screen	125
11. Firewall	127
11.1 Introduction to Firewall	127
11.1.1 What is a Firewall?	127
11.1.2 Stateful Inspection Firewall.	127
11.1.3 About the ZyXEL Device Firewall	127
11.1.4 Guidelines For Enhancing Security With Your Firewall	128
11.2 General Firewall Screen	128
11.3 Services Screen	129
12. Content Filtering	133
12.1 Introduction to Content Filtering	133
12.2 Restrict Web Features	133
12.3 Days and Times	133
12.4 Filter Screen	133
12.5 Schedule	135
12.6 Customizing Keyword Blocking URL Checking	136
12.6.1 Domain Name or IP Address URL Checking	136
12.6.2 Full Path URL Checking	136
12.6.3 File Name URL Checking	137
13. IPSec VPN	139
13.1 IPSec VPN Overview	139
13.1.1 IKE SA (IKE Phase 1) Overview	140
13.1.1.1 IP Addresses of the ZyXEL Device and Remote IPSec Router	140
13.1.2 IKE SA Setup	140
13.1.2.1 IKE SA Proposal	141
13.1.2.2 Diffie-Hellman (DH) Key Exchange	141
13.1.2.3 Authentication	141
13.1.2.4 Negotiation Mode	143
13.1.2.5 VPN, NAT, and NAT Traversal	143
13.1.3 IPSec SA (IKE Phase 2) Overview	144
13.1.3.1 Local Network and Remote Network	144
13.1.3.2 IPSec Protocol	144
13.1.3.3 Encapsulation	145
13.1.3.4 IPSec SA Proposal and Perfect Forward Secrecy	145
13.1.4 Additional IPSec VPN Topics	146
13.1.4.1 SA Life Time	146
13.1.4.2 Encryption and Authentication Algorithms	146
13.2 Remote DNS Server	147
13.3 VPN Summary	147
13.4 VPN Rule Setup (IKE)	148
13.5 Advanced VPN Rule Setup (IKE)	153
13.6 IPSec SA Using Manual Keys	159
13.6.1 IPSec SA Proposal Using Manual Keys	160
13.6.2 Authentication and the Security Parameter Index (SPI)	160
13.7 VPN Rule Setup (Manual)	160
13.8 VPN SA Monitor	164
13.9 VPN Global Setting	165
13.10 Telecommuter VPN/IPSec Examples	165
13.10.1 Telecommuters Sharing One VPN Rule Example	166
13.10.2 Telecommuters Using Unique VPN Rules Example	166
13.11 VPN and Remote Management	168
14. Static Route Screens	169
14.1 Static Route Overview	169
14.2 IP Static Route Screen	170
14.2.1 Static Route Setup Screen	171
15. Bandwidth Management	173
15.1 Bandwidth Management Overview	173
15.2 Application-based Bandwidth Management	173
15.3 Subnet-based Bandwidth Management	174
15.4 Application and Subnet-based Bandwidth Management	174
15.5 Bandwidth Management Priorities	175
15.6 Predefined Bandwidth Management Services	175
15.6.1 Services and Port Numbers	176
15.7 Default Bandwidth Management Classes and Priorities	178
15.8 Bandwidth Management General Configuration	179
15.9 Bandwidth Management Advanced Configuration	180
15.9.1 Rule Configuration with the Pre-defined Service	182
15.9.2 Rule Configuration with the User-defined Service	183
15.10 Bandwidth Management Monitor	184
16. Remote Management Screens	185
16.1 Remote Management Overview	185
16.1.1 Remote Management Limitations	185
16.1.2 Remote Management and NAT	186
16.1.3 System Timeout	186
16.2 WWW Screen	186
16.3 Telnet	187
16.4 Telnet Screen	187
16.5 FTP Screen	188
16.6 DNS Screen	189
17. UPnP	191
17.1 Universal Plug and Play Overview	191
17.1.1 How Do I Know If I'm Using UPnP?	191
17.1.2 NAT Traversal	191
17.1.3 Cautions with UPnP	191
17.2 UPnP and ZyXEL	192
17.3 UPnP Screen	192
17.4 Installing UPnP in Windows Example	193
17.4.1 Installing UPnP in Windows Me	193
17.4.2 Installing UPnP in Windows XP	194
17.5 Using UPnP in Windows XP Example	195
17.5.1 Auto-discover Your UPnP-enabled Network Device	195
17.5.2 Web Configurator Easy Access	196
17.5.3 Web Configurator Easy Access	197
18. Print Server	199
18.1 Print Server Overview	199
18.2 ZyXEL Device Print Server	199
18.3 Print Server Screen	200
19. Print Server Driver Setup	201
19.1 Installation Requirements	201
19.2 Windows 95/98 SE/Me/2000/XP/NT 4.0	201
19.2.1 Print Server Driver Setup Wizard	202
19.2.2 Adding a New Printer	207
19.3 Macintosh OS X	211
20. System	215
20.1 System Overview	215
20.2 System General Screen	215
20.3 Time Setting Screen	216
21. Logs	219
21.1 View Log	219
21.2 Log Settings	220
22. Tools	223
22.1 Firmware Upload Screen	223
22.2 Configuration Screen	224
22.2.1 Backup Configuration	225
22.2.2 Restore Configuration	225
22.2.3 Back to Factory Defaults	226
22.3 Restart Screen	227
23. Configuration Mode	229
24. Troubleshooting	231
24.1 Problems Starting Up the ZyXEL Device	231
24.2 Problems with the LAN	231
24.3 Problems with the WAN	232
24.4 Problems Accessing the ZyXEL Device	233
24.5 Problems with Restricted Web Pages and Keyword Blocking	233
24.5.1 Pop-up Windows, JavaScripts and Java Permissions	235
24.5.1.1 Internet Explorer Pop-up Blockers	235
24.5.1.2 JavaScripts	238
24.5.1.3 Java Permissions	240
24.5.2 ActiveX Controls in Internet Explorer	242
A. Product Specifications	245
B. Print Server Specifications	249
ZyXEL Device Print Server Compatible USB Printers	250
C. Setting up Your Computer’s IP Address	255
Windows 95/98/Me	255
Installing Components	256
Configuring	257
Verifying Settings	258
Windows 2000/NT/XP	258
Verifying Settings	263
Macintosh OS 8/9	263
Verifying Settings	265
Macintosh OS X	265
Verifying Settings	266
Linux	266
Using the K Desktop Environment (KDE)	267
Using Configuration Files	268
Verifying Settings	270
D. IP Subnetting	271
IP Addressing	271
IP Classes	271
Subnet Masks	272
Subnetting	272
Example: Two Subnets	273
Example: Four Subnets	275
Example Eight Subnets	276
Subnetting With Class A and Class B Networks.	277
E. Wireless LANs	279
Wireless LAN Topologies	279
Ad-hoc Wireless LAN Configuration	279
BSS	279
ESS	280
Channel	281
RTS/CTS	281
Fragmentation Threshold	282
Preamble Type	283
IEEE 802.11g Wireless LAN	283
Wireless Security Overview	284
IEEE 802.1x	284
RADIUS	284
Types of RADIUS Messages	285
Types of Authentication	286
EAP-MD5 (Message-Digest Algorithm 5)	286
EAP-TLS (Transport Layer Security)	286
EAP-TTLS (Tunneled Transport Layer Service)	286
PEAP (Protected EAP)	286
LEAP	287
Dynamic WEP Key Exchange	287
WPA and WPA2	287
Encryption	288
User Authentication	289
Wireless Client WPA Supplicants	289
WPA(2) with RADIUS Application Example	289
WPA(2)-PSK Application Example	290
Security Parameters Summary	291
F. Log Descriptions	293
Log Commands	307
Configuring What You Want the ZyXEL Device to Log	307
Displaying Logs	308
Log Command Example	308
G. Services	309
H. Internal SPTGEN	313
Internal SPTGEN Overview	313
The Configuration Text File Format	313
Internal SPTGEN File Modification - Important Points to Remember	314
Internal SPTGEN FTP Download Example	314
Internal SPTGEN FTP Upload Example	315
Example Internal SPTGEN Menus	316
Command Examples	328
I. Triangle Route	329
The Ideal Setup	329
The “Triangle Route” Problem	329
The “Triangle Route” Solutions	330
IP Aliasing	330
Index	331
A	331
B	331
C	331
D	331
E	331
F	332
G	332
H	332
I	332
J	333
K	333
L	333
M	333
N	333
O	333
P	333
R	333
S	334
T	334
U	334
V	334
W	334

Match case Limit results 1 per page

P-334U/P-335U User’s Guide

Chapter 13 IPSec VPN

145

Usually, you should select ESP. AH does not support encryption, and ESP is more suitable

with NAT.

13.1.3.3

Encapsulation

There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is

more secure. Transport mode is only used when the IPSec SA is used for communication

between the ZyXEL Device and remote IPSec router (for example, for remote management),

not between computers on the local and remote networks.

Note:

The ZyXEL Device and remote IPSec router must use the same encapsulation.

These modes are illustrated below.

Figure 88

VPN: Transport and Tunnel Mode Encapsulation

Original Packet

IP Header

TCP

Header

Data

Transport Mode Packet

IP Header

AH/ESP

Header

TCP

Header

Data

Tunnel Mode Packet

IP Header

AH/ESP

Header

IP Header

TCP

Header

Data

In tunnel mode, the ZyXEL Device uses the IPSec protocol to encapsulate the entire IP packet.

As a result, there are two IP headers:

•

Outside header: The outside IP header contains the IP address of the ZyXEL Device or

remote IPSec router, whichever is the destination.

•

Inside header: The inside IP header contains the IP address of the computer behind the

ZyXEL Device or remote IPSec router. The header for the IPSec protocol (AH or ESP)

appears between the IP headers.

In transport mode, the encapsulation depends on the IPSec protocol. With AH, the ZyXEL

Device includes part of the original IP header when it encapsulates the packet. With ESP,

however, the ZyXEL Device does not include the IP header when it encapsulates the packet,

so it is not possible to verify the integrity of the source IP address.

13.1.3.4

IPSec SA Proposal and Perfect Forward Secrecy

An IPSec SA proposal is similar to an IKE SA proposal (see

IKE SA Proposal on page 141

except that you also have the choice whether or not the ZyXEL Device and remote IPSec

router perform a new DH key exchange every time an IPSec SA is established. This is called

Perfect Forward Secrecy (PFS).

If you enable PFS, the ZyXEL Device and remote IPSec router perform a DH key exchange

every time an IPSec SA is established, changing the root key from which encryption keys are

generated. As a result, if one encryption key is compromised, other encryption keys remain

secure.