Home » ZyXEL Manuals » Networking » ZyXEL P-335U » Manual Viewer

ZyXEL P-335U User Guide - Page 156

P-334U/P-335U User's Guide, IPSec VPN, Security > VPN > Rule Setup: IKE Advanced,

Get ZyXEL P-335U PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 156 highlights

P-334U/P-335U User's Guide Table 53 Security > VPN > Rule Setup: IKE (Advanced) (continued) LABEL DESCRIPTION Local Address For a single IP address, enter a (static) IP address on the LAN behind your ZyXEL Device. For a specific range of IP addresses, enter the beginning (static) IP address, in a range of computers on your LAN behind your ZyXEL Device. To specify IP addresses on a network by their subnet mask, enter a (static) IP address on the LAN behind your ZyXEL Device. Local Address End / Mask When the local IP address is a single address, type it a second time here. When the local IP address is a range, enter the end (static) IP address, in a range of computers on the LAN behind your ZyXEL Device. When the local IP address is a subnet address, enter a subnet mask on the LAN behind your ZyXEL Device. Local Port Start 0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3. Local Port End Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Local Port Start is left at 0, Local Port End will also remain at 0. Remote Policy Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. Remote Address For a single IP address, enter a (static) IP address on the network behind the remote IPSec router. For a specific range of IP addresses, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router. To specify IP addresses on a network by their subnet mask, enter a (static) IP address on the network behind the remote IPSec router. Remote Address End /Mask When the remote IP address is a single address, type it a second time here. When the remote IP address is a range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the remote IP address is a subnet address, enter a subnet mask on the network behind the remote IPSec router. Remote Port Start 0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3. Remote Port End Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Remote Port Start is left at 0, Remote Port End will also remain at 0. Authentication Method 156 Chapter 13 IPSec VPN

Section	Page
User’s Guide	1
Copyright	3
Certifications	4
Safety Warnings	6
ZyXEL Limited Warranty	7
Customer Support	8
Table of Contents	11
List of Figures	19
List of Tables	25
Preface	29
1. Getting to Know Your ZyXEL Device	31
1.1 ZyXEL Device Overview	31
1.2 Applications for the ZyXEL Device	31
1.2.1 Secure Broadband Internet Access via Cable or DSL Modem	31
1.2.2 Wireless LAN Application	32
1.2.3 Print Server and Router Combined Application (P-335U Only)	33
1.2.4 VPN Application (P-335U Only)	33
1.3 Ways to Manage the ZyXEL Device	33
1.4 Good Habits for Managing Your ZyXEL Device	34
1.4.1 Front Panel LEDs	34
2. Introducing the Web Configurator	37
2.1 Web Configurator Overview	37
2.2 Accessing the Web Configurator	37
2.3 Resetting the ZyXEL Device	38
2.3.1 Procedure to Use the Reset Button	38
2.4 Navigating the Web Configurator	38
2.4.1 Navigation Panel	41
2.4.2 Summary: Bandwidth Management Monitor	43
2.4.3 Summary: DHCP Table	44
2.4.4 Summary: Packet Statistics	45
2.4.5 VPN Monitor	46
2.4.6 Summary: Wireless Station Status	46
3. Connection Wizard	49
3.1 Wizard Setup	49
3.2 Connection Wizard: STEP 1: System Information	50
3.2.1 System Name	50
3.2.2 Domain Name	51
3.3 Connection Wizard: STEP 2: Wireless LAN	51
3.3.1 Basic(WEP) Security	53
3.3.2 Extend(WPA-PSK or WPA2-PSK) Security	54
3.3.3 OTIST	55
3.4 Connection Wizard: STEP 3: Internet Configuration	56
3.4.1 Ethernet Connection	56
3.4.2 PPPoE Connection	57
3.4.3 PPTP Connection	58
3.4.4 Your IP Address	60
3.4.5 WAN IP Address Assignment	60
3.4.6 IP Address and Subnet Mask	61
3.4.7 DNS Server Address Assignment	61
3.4.8 WAN IP and DNS Server Address Assignment	62
3.4.9 WAN MAC Address	63
3.5 Connection Wizard: STEP 4: Bandwidth management	64
3.6 Connection Wizard Complete	65
4. Wireless LAN	67
4.1 Wireless Network Overview	67
4.2 Wireless Security Overview	68
4.2.1 SSID	68
4.2.2 MAC Address Filter	68
4.2.3 User Authentication	68
4.2.4 Encryption	69
4.2.5 One-Touch Intelligent Security Technology (OTIST)	70
4.3 General Wireless LAN Screen	70
4.3.1 No Security	71
4.3.2 WEP Encryption	72
4.3.3 WPA-PSK/WPA2-PSK	74
4.3.4 WPA/WPA2	75
4.4 OTIST	77
4.4.1 Enabling OTIST	78
4.4.1.1 AP	78
4.4.1.2 Wireless Client	79
4.4.2 Starting OTIST	80
4.4.3 Notes on OTIST	80
4.5 MAC Filter	81
4.6 Wireless LAN Advanced Screen	83
5. Wireless Tutorial	85
5.1 Example Parameters	85
5.2 Configuring the AP	85
5.3 Configuring the Wireless Client	87
5.3.1 Connecting to a Wireless LAN	88
5.3.2 Creating and Using a Profile	90
6. WAN	95
6.1 WAN Overview	95
6.2 WAN MAC Address	95
6.3 Internet Connection	95
6.3.1 Ethernet Encapsulation	95
6.3.2 PPPoE Encapsulation	97
6.3.3 PPTP Encapsulation	100
6.4 Advanced WAN Screen	103
7. LAN	105
7.1 LAN Overview	105
7.1.1 IP Pool Setup	105
7.1.2 System DNS Servers	105
7.2 LAN TCP/IP	105
7.2.1 Factory LAN Defaults	105
7.2.2 IP Address and Subnet Mask	106
7.2.3 Multicast	106
7.3 LAN IP Screen	106
7.4 LAN IP Alias	107
7.5 Advanced LAN Screen	108
8. DHCP Server	111
8.1 DHCP	111
8.2 DHCP Server General Screen	111
8.3 DHCP Server Advanced Screen	112
8.4 Client List Screen	113
9. Network Address Translation (NAT)	115
9.1 NAT Overview	115
9.2 Using NAT	115
9.2.1 Port Forwarding: Services and Port Numbers	115
9.2.2 Configuring Servers Behind Port Forwarding (Example)	116
9.3 General NAT Screen	116
9.4 NAT Application Screen	117
9.4.1 Game List Example	119
9.5 Trigger Port Forwarding	120
9.5.1 Trigger Port Forwarding Example	121
9.5.2 Two Points To Remember About Trigger Ports	121
9.6 NAT Advanced Screen	121
10. Dynamic DNS	125
10.1 Dynamic DNS Introduction	125
10.1.1 DynDNS Wildcard	125
10.2 Dynamic DNS Screen	125
11. Firewall	127
11.1 Introduction to Firewall	127
11.1.1 What is a Firewall?	127
11.1.2 Stateful Inspection Firewall.	127
11.1.3 About the ZyXEL Device Firewall	127
11.1.4 Guidelines For Enhancing Security With Your Firewall	128
11.2 General Firewall Screen	128
11.3 Services Screen	129
12. Content Filtering	133
12.1 Introduction to Content Filtering	133
12.2 Restrict Web Features	133
12.3 Days and Times	133
12.4 Filter Screen	133
12.5 Schedule	135
12.6 Customizing Keyword Blocking URL Checking	136
12.6.1 Domain Name or IP Address URL Checking	136
12.6.2 Full Path URL Checking	136
12.6.3 File Name URL Checking	137
13. IPSec VPN	139
13.1 IPSec VPN Overview	139
13.1.1 IKE SA (IKE Phase 1) Overview	140
13.1.1.1 IP Addresses of the ZyXEL Device and Remote IPSec Router	140
13.1.2 IKE SA Setup	140
13.1.2.1 IKE SA Proposal	141
13.1.2.2 Diffie-Hellman (DH) Key Exchange	141
13.1.2.3 Authentication	141
13.1.2.4 Negotiation Mode	143
13.1.2.5 VPN, NAT, and NAT Traversal	143
13.1.3 IPSec SA (IKE Phase 2) Overview	144
13.1.3.1 Local Network and Remote Network	144
13.1.3.2 IPSec Protocol	144
13.1.3.3 Encapsulation	145
13.1.3.4 IPSec SA Proposal and Perfect Forward Secrecy	145
13.1.4 Additional IPSec VPN Topics	146
13.1.4.1 SA Life Time	146
13.1.4.2 Encryption and Authentication Algorithms	146
13.2 Remote DNS Server	147
13.3 VPN Summary	147
13.4 VPN Rule Setup (IKE)	148
13.5 Advanced VPN Rule Setup (IKE)	153
13.6 IPSec SA Using Manual Keys	159
13.6.1 IPSec SA Proposal Using Manual Keys	160
13.6.2 Authentication and the Security Parameter Index (SPI)	160
13.7 VPN Rule Setup (Manual)	160
13.8 VPN SA Monitor	164
13.9 VPN Global Setting	165
13.10 Telecommuter VPN/IPSec Examples	165
13.10.1 Telecommuters Sharing One VPN Rule Example	166
13.10.2 Telecommuters Using Unique VPN Rules Example	166
13.11 VPN and Remote Management	168
14. Static Route Screens	169
14.1 Static Route Overview	169
14.2 IP Static Route Screen	170
14.2.1 Static Route Setup Screen	171
15. Bandwidth Management	173
15.1 Bandwidth Management Overview	173
15.2 Application-based Bandwidth Management	173
15.3 Subnet-based Bandwidth Management	174
15.4 Application and Subnet-based Bandwidth Management	174
15.5 Bandwidth Management Priorities	175
15.6 Predefined Bandwidth Management Services	175
15.6.1 Services and Port Numbers	176
15.7 Default Bandwidth Management Classes and Priorities	178
15.8 Bandwidth Management General Configuration	179
15.9 Bandwidth Management Advanced Configuration	180
15.9.1 Rule Configuration with the Pre-defined Service	182
15.9.2 Rule Configuration with the User-defined Service	183
15.10 Bandwidth Management Monitor	184
16. Remote Management Screens	185
16.1 Remote Management Overview	185
16.1.1 Remote Management Limitations	185
16.1.2 Remote Management and NAT	186
16.1.3 System Timeout	186
16.2 WWW Screen	186
16.3 Telnet	187
16.4 Telnet Screen	187
16.5 FTP Screen	188
16.6 DNS Screen	189
17. UPnP	191
17.1 Universal Plug and Play Overview	191
17.1.1 How Do I Know If I'm Using UPnP?	191
17.1.2 NAT Traversal	191
17.1.3 Cautions with UPnP	191
17.2 UPnP and ZyXEL	192
17.3 UPnP Screen	192
17.4 Installing UPnP in Windows Example	193
17.4.1 Installing UPnP in Windows Me	193
17.4.2 Installing UPnP in Windows XP	194
17.5 Using UPnP in Windows XP Example	195
17.5.1 Auto-discover Your UPnP-enabled Network Device	195
17.5.2 Web Configurator Easy Access	196
17.5.3 Web Configurator Easy Access	197
18. Print Server	199
18.1 Print Server Overview	199
18.2 ZyXEL Device Print Server	199
18.3 Print Server Screen	200
19. Print Server Driver Setup	201
19.1 Installation Requirements	201
19.2 Windows 95/98 SE/Me/2000/XP/NT 4.0	201
19.2.1 Print Server Driver Setup Wizard	202
19.2.2 Adding a New Printer	207
19.3 Macintosh OS X	211
20. System	215
20.1 System Overview	215
20.2 System General Screen	215
20.3 Time Setting Screen	216
21. Logs	219
21.1 View Log	219
21.2 Log Settings	220
22. Tools	223
22.1 Firmware Upload Screen	223
22.2 Configuration Screen	224
22.2.1 Backup Configuration	225
22.2.2 Restore Configuration	225
22.2.3 Back to Factory Defaults	226
22.3 Restart Screen	227
23. Configuration Mode	229
24. Troubleshooting	231
24.1 Problems Starting Up the ZyXEL Device	231
24.2 Problems with the LAN	231
24.3 Problems with the WAN	232
24.4 Problems Accessing the ZyXEL Device	233
24.5 Problems with Restricted Web Pages and Keyword Blocking	233
24.5.1 Pop-up Windows, JavaScripts and Java Permissions	235
24.5.1.1 Internet Explorer Pop-up Blockers	235
24.5.1.2 JavaScripts	238
24.5.1.3 Java Permissions	240
24.5.2 ActiveX Controls in Internet Explorer	242
A. Product Specifications	245
B. Print Server Specifications	249
ZyXEL Device Print Server Compatible USB Printers	250
C. Setting up Your Computer’s IP Address	255
Windows 95/98/Me	255
Installing Components	256
Configuring	257
Verifying Settings	258
Windows 2000/NT/XP	258
Verifying Settings	263
Macintosh OS 8/9	263
Verifying Settings	265
Macintosh OS X	265
Verifying Settings	266
Linux	266
Using the K Desktop Environment (KDE)	267
Using Configuration Files	268
Verifying Settings	270
D. IP Subnetting	271
IP Addressing	271
IP Classes	271
Subnet Masks	272
Subnetting	272
Example: Two Subnets	273
Example: Four Subnets	275
Example Eight Subnets	276
Subnetting With Class A and Class B Networks.	277
E. Wireless LANs	279
Wireless LAN Topologies	279
Ad-hoc Wireless LAN Configuration	279
BSS	279
ESS	280
Channel	281
RTS/CTS	281
Fragmentation Threshold	282
Preamble Type	283
IEEE 802.11g Wireless LAN	283
Wireless Security Overview	284
IEEE 802.1x	284
RADIUS	284
Types of RADIUS Messages	285
Types of Authentication	286
EAP-MD5 (Message-Digest Algorithm 5)	286
EAP-TLS (Transport Layer Security)	286
EAP-TTLS (Tunneled Transport Layer Service)	286
PEAP (Protected EAP)	286
LEAP	287
Dynamic WEP Key Exchange	287
WPA and WPA2	287
Encryption	288
User Authentication	289
Wireless Client WPA Supplicants	289
WPA(2) with RADIUS Application Example	289
WPA(2)-PSK Application Example	290
Security Parameters Summary	291
F. Log Descriptions	293
Log Commands	307
Configuring What You Want the ZyXEL Device to Log	307
Displaying Logs	308
Log Command Example	308
G. Services	309
H. Internal SPTGEN	313
Internal SPTGEN Overview	313
The Configuration Text File Format	313
Internal SPTGEN File Modification - Important Points to Remember	314
Internal SPTGEN FTP Download Example	314
Internal SPTGEN FTP Upload Example	315
Example Internal SPTGEN Menus	316
Command Examples	328
I. Triangle Route	329
The Ideal Setup	329
The “Triangle Route” Problem	329
The “Triangle Route” Solutions	330
IP Aliasing	330
Index	331
A	331
B	331
C	331
D	331
E	331
F	332
G	332
H	332
I	332
J	333
K	333
L	333
M	333
N	333
O	333
P	333
R	333
S	334
T	334
U	334
V	334
W	334

Match case Limit results 1 per page

P-334U/P-335U User’s Guide

156

Chapter 13 IPSec VPN

Local Address

For a single IP address, enter a (static) IP address on the LAN behind your

ZyXEL Device.

For a specific range of IP addresses, enter the beginning (static) IP address, in

a range of computers on your LAN behind your ZyXEL Device.

To specify IP addresses on a network by their subnet mask, enter a (static) IP

address on the LAN behind your ZyXEL Device.

Local Address End /

Mask

When the local IP address is a single address, type it a second time here.

When the local IP address is a range, enter the end (static) IP address, in a

range of computers on the LAN behind your ZyXEL Device.

When the local IP address is a subnet address, enter a subnet mask on the

LAN behind your ZyXEL Device.

Local Port Start

0 is the default and signifies any port. Type a port number from 0 to 65535.

Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80,

HTTP; 25, SMTP; 110, POP3.

Local Port End

Enter a port number in this field to define a port range. This port number must

be greater than that specified in the previous field. If

Local Port

Start

is left at

Local Port

End

will also remain at 0.

Remote Policy

Remote IP addresses must be static and correspond to the remote IPSec

router's configured local IP addresses. The remote fields do not apply when the

Secure Gateway IP Address

field is configured to

0.0.0.0

. In this case only the

remote IPSec router can initiate the VPN.

Two active SAs cannot have the local and remote IP address(es) both the

same. Two active SAs can have the same local or remote IP address, but not

both. You can configure multiple SAs between the same local and remote IP

addresses, as long as only one is active at any time.

Remote Address

For a single IP address, enter a (static) IP address on the network behind the

remote IPSec router.

For a specific range of IP addresses, enter the beginning (static) IP address, in

a range of computers on the network behind the remote IPSec router.

To specify IP addresses on a network by their subnet mask, enter a (static) IP

address on the network behind the remote IPSec router.

Remote Address

End /Mask

When the remote IP address is a single address, type it a second time here.

When the remote IP address is a range, enter the end (static) IP address, in a

range of computers on the network behind the remote IPSec router.

When the remote IP address is a subnet address, enter a subnet mask on the

network behind the remote IPSec router.

Remote Port Start

0 is the default and signifies any port. Type a port number from 0 to 65535.

Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80,

HTTP; 25, SMTP; 110, POP3.

Remote Port End

Enter a port number in this field to define a port range. This port number must

be greater than that specified in the previous field. If

Remote Port Start

is left at

Remote Port End

will also remain at 0.

Authentication

Method

Table 53

Security > VPN > Rule Setup: IKE (Advanced)

(continued)

LABEL

DESCRIPTION