Home » ZyXEL Manuals » Networking » ZyXEL P-661H-D1 » Manual Viewer

ZyXEL P-661H-D1 User Guide - Page 230

IPSec and NAT, Key Management

Get ZyXEL P-661H-D1 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 230 highlights

Chapter 16 VPN The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404, provide an authentication mechanism for the AH and ESP protocols. Key Management Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN. 16.6.2 IPSec and NAT Read this section if you are running IPSec on a host computer behind the ZyXEL Device. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted. A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered. IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet. Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT. Table 61 VPN and NAT SECURITY PROTOCOL AH AH MODE NAT Transpor N t Tunnel N 230 P-661HNU-Fx User's Guide

Section	Page
P-661HNU-Fx	1
About This User's Guide	3
Document Conventions	5
Safety Warnings	7
Contents Overview	9
Table of Contents	11
User’s Guide	19
Introduction	21
1.1 Overview	21
1.2 Applications for the ZyXEL Device	21
1.2.1 Internet Access	22
1.2.2 Wireless Connection	23
1.2.3 ZyXEL Device’s USB and Print Server Support	23
1.3 The WPS/WLAN Button	24
1.4 Ways to Manage the ZyXEL Device	25
1.5 Good Habits for Managing the ZyXEL Device	26
1.6 LEDs (Lights)	26
1.7 The RESET Button	27
Introducing the Web Configurator	29
2.1 Overview	29
2.1.1 Accessing the Web Configurator	29
2.2 The Web Configurator Layout	32
2.2.1 Title Bar	32
2.2.2 Main Window	33
2.2.3 Navigation Panel	33
Tutorials	37
3.1 Overview	37
3.2 Setting Up Your DSL Connection	37
3.3 How to Set up a Wireless Network	40
3.3.1 Example Parameters	41
3.3.2 Configuring the AP	41
3.3.3 Configuring the Wireless Client using the ZyXEL Utility	42
3.3.4 Configuring the Wireless Client using the WPS PIN number	49
3.4 Setting Up NAT Port Forwarding	50
3.5 Using the File Sharing Feature	52
3.5.1 Set Up File Sharing	52
3.5.2 Access Your Shared Files From a Computer	55
3.6 Using the Print Server Feature	55
3.7 Configuring the MAC Address Filter	70
3.8 Configuring Static Route for Routing to Another Network	71
3.9 Configuring QoS Queue and Class Setup	73
3.10 Access the ZyXEL Device Using DDNS	76
3.10.1 Registering a DDNS Account on www.dyndns.org	77
3.10.2 Configuring DDNS on Your ZyXEL Device	78
3.10.3 Testing the DDNS Setting	78
Technical Reference	79
Connection Status and System Info Screens	81
4.1 Overview	81
4.2 The Connection Status Screen	81
4.3 The System Info Screen	83
Broadband	87
5.1 Overview	87
5.1.1 What You Can Do in this Chapter	88
5.1.2 What You Need to Know	88
5.1.3 Before You Begin	89
5.2 The Broadband Screen	89
5.2.1 Add/Edit Internet Connection	90
5.3 The 3G Backup Screen	102
5.4 Technical Reference	104
Wireless	111
6.1 Overview	111
6.1.1 What You Can Do in this Chapter	111
6.1.2 Wireless Network Overview	111
6.1.3 Before You Begin	113
6.2 The Wireless General Screen	113
6.2.1 No Security	115
6.2.2 Basic (Static WEP/Shared WEP Encryption)	116
6.2.3 More Secure (WPA(2)-PSK)	118
6.2.4 WPA(2) Authentication	119
6.3 The More AP Screen	121
6.3.1 Edit More AP	122
6.4 The WPS Screen	123
6.5 The WMM Screen	125
6.6 Scheduling Screen	127
6.7 Technical Reference	127
6.7.1 Additional Wireless Terms	128
6.7.2 Wireless Security Overview	128
6.7.3 Signal Problems	131
6.7.4 BSS	131
6.7.5 MBSSID	132
6.7.6 WiFi Protected Setup (WPS)	132
Home Networking	141
7.1 Overview	141
7.1.1 What You Can Do in this Chapter	141
7.1.2 What You Need To Know	142
7.2 The LAN Setup Screen	145
7.3 The Static DHCP Screen	146
7.3.1 Before You Begin	146
7.4 The UPnP Screen	148
7.5 The File Sharing Screen	149
7.5.1 Before You Begin	149
7.5.2 Add/Edit File Sharing	151
7.5.3 Add New User	152
7.6 The Print Server Screen	153
7.6.1 Before You Begin	153
7.7 Technical Reference	154
7.8 Installing UPnP in Windows Example	158
7.9 Using UPnP in Windows XP Example	162
Routing	169
8.1 Overview	169
8.2 Configuring Static Route	170
8.2.1 Add/Edit Static Route	171
DNS Route	173
9.1 Overview	173
9.1.1 What You Can Do in this Chapter	174
9.2 The DNS Route Screen	174
9.2.1 Add/Edit DNS Route Edit	175
Quality of Service (QoS)	177
10.1 Overview	177
10.1.1 What You Can Do in this Chapter	177
10.1.2 What You Need to Know	178
10.2 The QoS General Screen	178
10.3 The Queue Setup Screen	180
10.3.1 Add/Edit a QoS Queue	181
10.4 The Class Setup Screen	181
10.4.1 Add/Edit QoS Class	183
10.5 The QoS Monitor Screen	186
10.6 QoS Technical Reference	187
10.6.1 IP Precedence	187
10.6.2 DiffServ	187
Network Address Translation (NAT)	189
11.1 Overview	189
11.1.1 What You Can Do in this Chapter	189
11.1.2 What You Need To Know	189
11.2 The Port Forwarding Screen	190
11.2.1 The Port Forwarding Screen	191
11.2.2 The Port Forwarding Edit Screen	192
11.3 The Sessions Screen	193
11.4 Technical Reference	194
11.4.1 NAT Definitions	194
11.4.2 What NAT Does	195
11.4.3 How NAT Works	195
Dynamic DNS	197
12.1 Overview	197
12.1.1 What You Need To Know	197
12.2 The Dynamic DNS Screen	198
Firewall	199
13.1 Overview	199
13.1.1 What You Can Do in this Chapter	199
13.1.2 What You Need to Know	200
13.2 The General Screen	201
13.3 The Services Screen	201
13.4 Firewall Technical Reference	203
13.4.1 Guidelines For Enhancing Security With Your Firewall	203
13.4.2 Security Considerations	203
MAC Filter	205
14.1 Overview	205
14.1.1 What You Need to Know	205
14.2 The MAC Filter Screen	206
Certificates	207
15.1 Overview	207
15.1.1 What You Can Do in this Chapter	207
15.1.2 What You Need to Know	207
15.1.3 Verifying a Certificate	209
15.2 Local Certificates	210
15.2.1 Trusted CAs	212
15.2.2 Trusted CA Import	213
15.2.3 View Certificate	213
15.3 VPN Certificates	215
15.3.1 Import Certificate	216
VPN	217
16.1 Overview	217
16.1.1 What You Can Do in the VPN Screens	217
16.1.2 What You Need to Know About IPSec VPN	218
16.1.3 Before You Begin	219
16.2 VPN Setup Screen	220
16.3 The VPN Edit Screen	222
16.4 Configuring Advanced Settings	226
16.5 Viewing SA Monitor	228
16.6 IPSec VPN Technical Reference	229
16.6.1 IPSec Architecture	229
16.6.2 IPSec and NAT	230
16.6.3 VPN, NAT, and NAT Traversal	231
16.6.4 Encapsulation	232
16.6.5 IKE Phases	233
16.6.6 Negotiation Mode	234
16.6.7 Remote DNS Server	234
16.6.8 ID Type and Content	235
16.6.9 Pre-Shared Key	237
16.6.10 Diffie-Hellman (DH) Key Groups	237
16.6.11 Telecommuter VPN/IPSec Examples	237
System Monitor	241
17.1 Overview	241
17.1.1 What You Can Do in this Chapter	241
17.2 The WAN Status Screen	241
17.3 The LAN Status Screen	242
17.4 The NAT Status Screen	243
17.5 The 3G Backup Status Screen	244
User Account	245
18.1 Overview	245
18.2 The User Account Screen	245
Remote MGMT	247
19.1 Overview	247
19.1.1 What You Need to Know	247
19.2 The Remote MGMT Screen	248
System	249
20.1 Overview	249
20.1.1 What You Need to Know	249
20.2 The System Screen	249
Time Setting	251
21.1 Overview	251
21.2 The Time Setting Screen	251
Log Setting	253
22.1 Overview	253
22.2 The Log Setting Screen	253
Firmware Upgrade	255
23.1 Overview	255
23.2 The Firmware Screen	255
Backup/Restore	257
24.1 Overview	257
24.2 The Backup/Restore Screen	257
24.3 The Reboot Screen	259
Diagnostic	261
25.1 Overview	261
25.1.1 What You Can Do in this Chapter	261
25.2 The Ping Screen	261
25.3 The DSL Line Screen	262
Troubleshooting	265
26.1 Overview	265
26.2 Power, Hardware Connections, and LEDs	265
26.3 ZyXEL Device Access and Login	266
26.4 Internet Access	268
26.5 Wireless Internet Access	270
26.6 USB Device Connection	271
26.7 UPnP	272
Product Specifications	273
IP Addresses and Subnetting	283
Setting Up Your Computer’s IP Address	295
Pop-up Windows, Java Script and Java Permissions	325
Wireless LANs	335
Common Services	359
Open Software Announcements	363
Legal Information	393