Home » ZyXEL Manuals » Wireless » ZyXEL VMG8324 » Manual Viewer

ZyXEL VMG8324 User Guide - Page 233

ID Type and Content

Add to My Manuals
Save this manual to your list of manuals

Page 233 highlights

Figure 142 NAT Router Between IPSec Routers Chapter 20 VPN A B Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. In the above figure, when IPSec router A tries to establish an IKE SA, IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA. For NAT traversal to work, you must: • Use ESP security protocol (in either transport or tunnel mode). • Use IKE keying mode. • Enable NAT traversal on both IPSec endpoints. • Set the NAT router to forward UDP port 500 to IPSec router A. Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. The compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following table. Table 107 VPN and NAT SECURITY PROTOCOL AH AH ESP ESP MODE Transport Tunnel Transport Tunnel NAT N N Y* Y Y* - This is supported in the Device if you enable NAT traversal. 20.5.7 ID Type and Content With aggressive negotiation mode (see Section 20.5.4 on page 231), the Device identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Regardless of the ID type and content configuration, the Device does not allow you to save multiple active rules with overlapping local and remote IP addresses. With main mode (see Section 20.5.4 on page 231), the ID type and content are encrypted to provide identity protection. In this case the Device can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The Device can distinguish up to 48 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key groups when you configure a VPN rule (see Section 20.2 on page 221). The ID type and content act as an extra level of identification for incoming SAs. VMG8324-B10A / VMG8324-B30A Series User's Guide 233

Section	Page
VMG8324-B10A and VMG8324- B30A Series	1
Contents Overview	3
Table of Contents	5
User’s Guide	15
Introducing the Device	17
1.1 Overview	17
1.2 Ways to Manage the Device	17
1.3 Good Habits for Managing the Device	17
1.4 Applications for the Device	18
1.4.1 Internet Access	18
1.4.2 Device’s USB Support	19
1.5 LEDs (Lights)	20
1.6 The RESET Button	22
1.7 Wireless Access	22
1.7.1 Using the Wi-Fi and WPS Buttons	22
1.8 Wall-mounting Instructions	23
The Web Configurator	25
2.1 Overview	25
2.1.1 Accessing the Web Configurator	25
2.2 Web Configurator Layout	27
2.2.1 Title Bar	27
2.2.2 Main Window	28
2.2.3 Navigation Panel	29
Quick Start	33
3.1 Overview	33
3.2 Quick Start Setup	33
Technical Reference	35
Network Map and Status Screens	37
4.1 Overview	37
4.2 The Network Map Screen	37
4.3 The Status Screen	38
Broadband	43
5.1 Overview	43
5.1.1 What You Can Do in this Chapter	43
5.1.2 What You Need to Know	44
5.1.3 Before You Begin	47
5.2 The Broadband Screen	47
5.2.1 Add/Edit Internet Connection	49
5.3 The 3G Backup Screen	57
5.4 The Advanced Screen	61
5.5 The 802.1x Screen	62
5.5.1 Edit 802.1X Settings	63
5.6 The WAN Status Screen	63
5.7 Technical Reference	64
Wireless	71
6.1 Overview	71
6.1.1 What You Can Do in this Chapter	71
6.1.2 What You Need to Know	72
6.2 The General Screen	72
6.2.1 No Security	75
6.2.2 Basic (WEP Encryption)	75
6.2.3 Basic (802.1X)	76
6.2.4 More Secure (WPA(2)-PSK)	79
6.2.5 WPA(2) Authentication	80
6.3 The More AP Screen	81
6.3.1 Edit More AP	83
6.4 MAC Authentication	85
6.5 The WPS Screen	86
6.6 The WMM Screen	87
6.7 The WDS Screen	88
6.7.1 WDS Scan	89
6.8 The Others Screen	90
6.9 The Channel Status Screen	92
6.10 Technical Reference	92
6.10.1 Wireless Network Overview	92
6.10.2 Additional Wireless Terms	94
6.10.3 Wireless Security Overview	94
6.10.4 Signal Problems	96
6.10.5 BSS	97
6.10.6 MBSSID	97
6.10.7 Preamble Type	98
6.10.8 Wireless Distribution System (WDS)	98
6.10.9 WiFi Protected Setup (WPS)	98
Home Networking	107
7.1 Overview	107
7.1.1 What You Can Do in this Chapter	107
7.1.2 What You Need To Know	108
7.1.3 Before You Begin	109
7.2 The LAN Setup Screen	109
7.3 The Static DHCP Screen	113
7.4 The UPnP Screen	114
7.5 Installing UPnP in Windows Example	115
7.6 Using UPnP in Windows XP Example	118
7.7 The Additional Subnet Screen	124
7.8 The STB Vendor ID Screen	125
7.9 The 5th Ethernet Port Screen	125
7.10 The LAN VLAN Screen	126
7.11 The Wake on LAN Screen	127
7.12 Technical Reference	128
7.12.1 LANs, WANs and the Device	128
7.12.2 DHCP Setup	128
7.12.3 DNS Server Addresses	128
7.12.4 LAN TCP/IP	129
Routing	131
8.1 Overview	131
8.2 The Routing Screen	132
8.2.1 Add/Edit Static Route	133
8.3 The DNS Route Screen	134
8.3.1 The DNS Route Add Screen	134
8.4 The Policy Forwarding Screen	135
8.4.1 Add/Edit Policy Forwarding	136
8.5 RIP	137
8.5.1 The RIP Screen	137
Quality of Service (QoS)	139
9.1 Overview	139
9.1.1 What You Can Do in this Chapter	139
9.2 What You Need to Know	139
9.3 The Quality of Service General Screen	141
9.4 The Queue Setup Screen	142
9.4.1 Adding a QoS Queue	143
9.5 The Class Setup Screen	144
9.5.1 Add/Edit QoS Class	146
9.6 The QoS Policer Setup Screen	149
9.6.1 Add/Edit a QoS Policer	150
9.7 The QoS Monitor Screen	151
9.8 Technical Reference	152
Network Address Translation (NAT)	157
10.1 Overview	157
10.1.1 What You Can Do in this Chapter	157
10.1.2 What You Need To Know	157
10.2 The Port Forwarding Screen	158
10.2.1 Add/Edit Port Forwarding	160
10.3 The Applications Screen	161
10.3.1 Add New Application	162
10.4 The Port Triggering Screen	162
10.4.1 Add/Edit Port Triggering Rule	164
10.5 The DMZ Screen	165
10.6 The ALG Screen	166
10.7 The Address Mapping Screen	166
10.7.1 Add/Edit Address Mapping Rule	167
10.8 The Address Mapping Screen	168
10.9 The Sessions Screen	169
10.10 Technical Reference	169
10.10.1 NAT Definitions	170
10.10.2 What NAT Does	171
10.10.3 How NAT Works	172
10.10.4 NAT Application	173
Dynamic DNS Setup	175
11.1 Overview	175
11.1.1 What You Can Do in this Chapter	175
11.1.2 What You Need To Know	176
11.2 The DNS Entry Screen	176
11.2.1 Add/Edit DNS Entry	177
11.3 The Dynamic DNS Screen	177
Interface Group	179
12.1 Overview	179
12.1.1 What You Can Do in this Chapter	179
12.2 The Interface Group Screen	179
12.2.1 Interface Group Configuration	180
12.2.2 Interface Grouping Criteria	182
USB Service	185
13.1 Overview	185
13.1.1 What You Can Do in this Chapter	185
13.1.2 What You Need To Know	185
13.1.3 Before You Begin	187
13.2 The File Sharing Screen	188
13.2.1 The Add New Share Screen	189
13.2.2 The Add New User Screen	190
13.3 The Media Server Screen	190
13.4 Printer Server	191
13.4.1 Before You Begin	191
13.4.2 The Printer Server Screen	192
Power Management	193
14.1 Overview	193
14.1.1 What You Can Do in this Chapter	193
14.1.2 What You Need To Know	193
14.2 The Power Management Screen	193
14.3 The Auto Switch Off Screen	194
14.3.1 The Auto Switch Off Add/Edit Screen	195
14.3.2 The Add/Edit Rule Screen	195
Firewall	197
15.1 Overview	197
15.1.1 What You Can Do in this Chapter	197
15.1.2 What You Need to Know	198
15.2 The Firewall Screen	199
15.3 The Protocol Screen	199
15.3.1 Add/Edit a Service	200
15.4 The Access Control Screen	201
15.4.1 Add/Edit an ACL Rule	202
15.5 The DoS Screen	204
MAC Filter	205
16.1 Overview	205
16.2 The MAC Filter Screen	205
Parental Control	207
17.1 Overview	207
17.2 The Parental Control Screen	207
17.2.1 Add/Edit a Parental Control Rule	208
Scheduler Rule	211
18.1 Overview	211
18.2 The Scheduler Rule Screen	211
18.2.1 Add/Edit a Schedule	212
Certificates	213
19.1 Overview	213
19.1.1 What You Can Do in this Chapter	213
19.2 What You Need to Know	213
19.3 The Local Certificates Screen	213
19.3.1 Create Certificate Request	214
19.3.2 Load Signed Certificate	215
19.4 The Trusted CA Screen	216
19.4.1 View Trusted CA Certificate	218
19.4.2 Import Trusted CA Certificate	219
VPN	221
20.1 Overview	221
20.2 The IPSec VPN General Screen	221
20.3 The IPSec VPN Add/Edit Screen	222
20.4 The IPSec VPN Monitor Screen	228
20.5 Technical Reference	228
20.5.1 IPSec Architecture	228
20.5.2 Encapsulation	229
20.5.3 IKE Phases	230
20.5.4 Negotiation Mode	231
20.5.5 IPSec and NAT	232
20.5.6 VPN, NAT, and NAT Traversal	232
20.5.7 ID Type and Content	233
20.5.8 Pre-Shared Key	234
20.5.9 Diffie-Hellman (DH) Key Groups	234
Voice	235
21.1 Overview	235
21.1.1 What You Can Do in this Chapter	235
21.1.2 What You Need to Know About VoIP	236
21.2 Before You Begin	236
21.3 The SIP Account Screen	236
21.3.1 The SIP Account Add/Edit Screen	237
21.4 The SIP Service Provider Screen	241
21.4.1 The SIP Service Provider Add/Edit Screen	242
21.4.2 Dial Plan Rules	248
21.5 The Phone Screen	249
21.6 The Call Rule Screen	249
21.7 The Call History Summary Screen	250
21.8 The Call History Outgoing Calls Screen	251
21.9 The Call History Incoming Calls Screen	251
21.10 Technical Reference	252
21.10.1 Quality of Service (QoS)	260
21.10.2 Phone Services Overview	260
Log	267
22.1 Overview	267
22.1.1 What You Can Do in this Chapter	267
22.1.2 What You Need To Know	267
22.2 The System Log Screen	268
22.3 The Security Log Screen	269
Traffic Status	271
23.1 Overview	271
23.1.1 What You Can Do in this Chapter	271
23.2 The WAN Status Screen	271
23.3 The LAN Status Screen	273
23.4 The NAT Status Screen	274
VoIP Status	275
24.1 The VoIP Status Screen	275
ARP Table	277
25.1 Overview	277
25.1.1 How ARP Works	277
25.2 ARP Table Screen	277
Routing Table	279
26.1 Overview	279
26.2 The Routing Table Screen	279
IGMP/MLD Status	281
27.1 Overview	281
27.2 The IGMP/MLD Group Status Screen	281
xDSL Statistics	283
28.1 The xDSL Statistics Screen	283
3G Statistics	287
29.1 Overview	287
29.2 The 3G Statistics Screen	287
User Account	289
30.1 Overview	289
30.2 The User Account Screen	289
Remote Management	291
31.1 Overview	291
31.2 The Remote MGMT Screen	291
31.3 The Trust Domain Screen	292
31.4 The Add Trust Domain Screen	293
TR-069 Client	295
32.1 Overview	295
32.2 The TR-069 Client Screen	295
TR-064	297
33.1 Overview	297
33.2 The TR-064 Screen	297
SNMP	299
34.1 Overview	299
34.2 The SNMP Screen	299
Time Settings	301
35.1 Overview	301
35.2 The Time Screen	301
E-mail Notification	305
36.1 Overview	305
36.2 The Email Notification Screen	305
36.2.1 Email Notification Edit	306
Logs Setting	307
37.1 Overview	307
37.2 The Log Settings Screen	307
37.2.1 Example E-mail Log	308
Firmware Upgrade	311
38.1 Overview	311
38.2 The Firmware Screen	311
Configuration	313
39.1 Overview	313
39.2 The Configuration Screen	313
39.3 The Reboot Screen	315
Diagnostic	317
40.1 Overview	317
40.1.1 What You Can Do in this Chapter	317
40.2 What You Need to Know	317
40.3 Ping & TraceRoute & NsLookup	318
40.4 802.1ag	319
40.5 OAM Ping	320
Troubleshooting	323
41.1 Power, Hardware Connections, and LEDs	323
41.2 Device Access and Login	324
41.3 Internet Access	326
41.4 Wireless Internet Access	327
41.5 USB Device Connection	328
41.6 UPnP	328
Customer Support	329
Setting up Your Computer’s IP Address	335
IP Addresses and Subnetting	357
Pop-up Windows, JavaScripts and Java Permissions	365
Wireless LANs	375
IPv6	389
Services	397
Legal Information	401

Match case Limit results 1 per page

Chapter 20 VPN

VMG8324-B10A / VMG8324-B30A Series User’s Guide

233

Figure 142

NAT Router Between IPSec Routers

Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because

the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding

a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP

port 500 header unchanged. In the above figure, when IPSec router

tries to establish an IKE SA,

IPSec router

checks the UDP port 500 header, and IPSec routers

and

build the IKE SA.

For NAT traversal to work, you must:

•

Use ESP security protocol (in either transport or tunnel mode).

•

Use IKE keying mode.

•

Enable NAT traversal on both IPSec endpoints.

•

Set the NAT router to forward UDP port 500 to IPSec router

Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the

combination of the "original header plus original payload," which is unchanged by a NAT device. The

compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following

table.

Y* - This is supported in the Device if you enable NAT traversal.

20.5.7

ID Type and Content

With aggressive negotiation mode (see

Section 20.5.4 on page 231

), the Device identifies incoming

SAs by ID type and content since this identifying information is not encrypted. This enables the

Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that

have dynamic WAN IP addresses.

Regardless of the ID type and content configuration, the Device does not allow you to save multiple

active rules with overlapping local and remote IP addresses.

With main mode (see

Section 20.5.4 on page 231

), the ID type and content are encrypted to

provide identity protection. In this case the Device can only distinguish between up to 12 different

incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The

Device can distinguish up to 48 incoming SAs because you can select between three encryption

algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key

groups when you configure a VPN rule (see

Section 20.2 on page 221

). The ID type and content act

as an extra level of identification for incoming SAs.

Table 107

VPN and NAT

SECURITY PROTOCOL

MODE

NAT

Transport

Tunnel

ESP

Transport

ESP

Tunnel