Home » ZyXEL Manuals » Networking » ZyXEL Vantage CNM » Manual Viewer

ZyXEL Vantage CNM User Guide - Page 328

Device Operation > Device Configuration > VPN > IPSec VPN > VPN, Connection > Add/

Get ZyXEL Vantage CNM PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 328 highlights

Chapter 11 IPSec VPN Table 130 Device Operation > Device Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit (IKE) (continued) LABEL DESCRIPTION Encryption This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA. Choices are: NULL - no encryption key or algorithm DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm AES128 - a 128-bit key with the AES encryption algorithm AES192 - a 192-bit key with the AES encryption algorithm AES256 - a 256-bit key with the AES encryption algorithm The ZyWALL and the remote IPSec router must both have at least one proposal that uses use the same encryption and the same key. Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput. Authentication Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. Add icon The ZyWALL and the remote IPSec router must both have a proposal that uses the same authentication algorithm. This column contains icons to add and remove proposals. To add a proposal, click the Add icon at the top of the column. Total Records SA Life Time Perfect Forward Secrecy (PFS) To remove a proposal, click the Remove icon next to the proposal. The Vantage CNM confirms that you want to delete it before doing so. This field displays the total number of proposals to use in the IPSec SA. Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The ZyWALL automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources. Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are: NONE - disable PFS DH1 - enable PFS and use a 768-bit random number DH2 - enable PFS and use a 1024-bit random number DH5 - enable PFS and use a 1536-bit random number PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. 328 Vantage CNM User's Guide

Section	Page
Vantage CNM	1
About This User's Guide	3
Document Conventions	5
Contents Overview	7
Introducing Vantage CNM	21
1.1 Overview	21
1.2 Ways to Manage Vantage CNM	22
1.3 Suggestions for Using Vantage CNM	22
Introduction	23
GUI Introduction	25
2.1 Menu Bar	26
2.2 Title Bar	27
2.3 Device Window	27
2.3.1 Topology	27
2.3.2 Device Search	36
2.4 Navigation Panel and Configuration Window	37
2.5 Security Risk Pop-up Messages in Internet Explorer 7.0	41
Device Configuration (ZyNOS and Prestige)	45
Load or Save Building Blocks (BB)	47
3.1 Load or Save BB	47
Device General Settings	51
4.1 System	51
4.2 Time Setting	52
Device Network Settings	55
5.1 LAN (ZyNOS ZyWALL)	55
5.2 LAN (Prestige)	59
5.2.1 Static DHCP	62
5.2.2 IP Alias	63
5.3 WAN General (ZyNOS ZyWALL)	65
5.3.1 WAN1 (ZyNOS ZyWALL with one WAN port)	69
5.3.2 WAN1 and WAN2 (ZyNOS ZyWALL with two WAN ports)	78
5.3.3 WAN2 (ZyNOS ZyWALL with 3G WAN)	87
5.3.4 Dial Backup (ZyNOS ZyWALL)	96
5.3.5 Advanced Modem Setup (ZyNOS ZyWALL)	98
5.3.6 Edit Dial Backup (ZyNOS ZyWALL)	100
5.3.7 WAN Setup (Prestige)	102
5.3.8 WAN Backup (Prestige)	106
5.3.9 Advanced WAN Backup (Prestige)	109
5.3.10 Advanced Modem Setup (Prestige)	111
5.4 Wireless Card	112
5.4.1 Wireless and Wireless Security Settings	112
5.4.2 Advanced Wireless Security Settings	115
5.4.3 MAC Filter	121
Device Security Settings	123
6.1 Firewall	123
6.1.1 Default Rule	123
6.1.2 Rule Summary	126
6.1.3 Add/Edit a Rule	128
6.1.4 Anti-Probing	131
6.1.5 Threshold	132
6.1.6 Service	135
6.1.7 Add/Edit Service	135
6.2 VPN	137
6.3 IPSec High Availability	137
6.3.1 VPN Rules (IKE)	138
6.3.2 Add/Edit an IKE Gateway Policy	139
6.3.3 Add/Edit an IKE Network Policy	148
6.3.4 Move an IKE Network Policy	154
6.3.5 VPN Rules (Manual)	154
6.3.6 Add/Edit an Manual VPN Rule	157
6.3.7 VPN Global Setting	160
6.4 Anti-Virus	162
6.4.1 General Anti-Virus Setup	162
6.5 Anti-Spam	164
6.5.1 Anti-Spam General Screen	164
6.5.2 Anti-Spam External DB Screen	167
6.6 Anti-Spam Lists Screen	170
6.6.1 Anti-Spam Lists Edit Screen	171
6.7 IDP	174
6.8 General Setup	174
6.9 IDP Signatures	176
6.9.1 Attack Types	176
6.9.2 Intrusion Severity	178
6.9.3 Signature Actions	178
6.9.4 Configuring IDP Signatures	179
6.9.5 Query View	181
6.9.6 Protocol Anomaly	184
6.10 Signature Update	186
6.11 Content Filter	189
6.12 Content Filter General Screen	189
6.13 Content Filter Policy	193
6.13.1 Content Filter Policy: General	194
6.13.2 Content Filter Policy: External Database	197
6.13.3 Content Filter Policy: Customization	204
6.13.4 Content Filter Policy: Schedule	207
6.14 Content Filter Objects	208
6.15 Content Filtering Cache	210
6.16 X Auth	211
6.16.1 Local User Database	211
6.16.2 RADIUS	212
Device Advanced Settings	215
7.0.1 NAT	215
7.1 NAT	215
7.2 Port Forwarding	218
7.3 Address Mapping	219
7.3.1 Edit an Address Mapping Rule	221
7.4 Trigger Port	222
7.4.1 Edit a Trigger Port Rule	223
7.5 Static Route	224
7.6 Static Route	224
7.6.1 Edit a Static Route	226
7.7 DNS	227
7.8 Address Record	227
7.8.1 Add/Edit an Address Record	228
7.9 Name Server Record	229
7.9.1 Add/Edit a Name Server Record	230
7.10 Cache	232
7.11 DDNS	233
7.12 DHCP	235
7.13 Remote MGMT	236
7.14 Remote MGMT	236
Device Log	241
8.1 Device Log	241
Device Configuration (ZLD)	245
Device Network Settings	247
9.1 Ethernet (ZLD ZyWALL)	247
9.1.1 Ethernet Edit	248
9.1.2 Adding Virtual Interfaces	255
9.2 WLAN General	256
9.2.1 WLAN Add/Edit Screen	259
9.2.2 WLAN Add/Edit: WEP Security	265
9.2.3 WLAN Add/Edit: WPA-PSK/WPA2-PSK Security	266
9.2.4 WLAN Add/Edit: WPA/WPA2 Security	267
9.2.5 WLAN Interface MAC Filter	269
9.2.6 MAC Filter Add/Edit Screen	271
9.3 VLAN Summary Screen	272
9.3.1 VLAN Add/Edit	272
9.4 Bridge Summary	277
9.4.1 Bridge Add/Edit	278
9.5 PPPoE/PPTP Interface Summary	283
9.5.1 PPPoE/PPTP Interface Edit	284
9.6 Auxiliary Interface	290
9.7 The Trunk Summary Screen	292
9.8 Configuring a Trunk	294
9.8.1 The Trunk Member List Screen	297
9.9 Interface Summary Screen	298
9.10 Policy Route Screen	300
9.10.1 Policy Route Edit Screen	303
9.11 IP Static Route Screen	306
9.11.1 Static Route Add/Edit Screen	307
9.12 The RIP Screen	308
9.13 The OSPF Screen	310
9.13.1 The OSPF Area Add/Edit Screen	312
Firewall	315
10.1 The Firewall Screen	315
10.1.1 The Firewall Edit Screen	318
10.2 The Session Limit Screen	319
10.2.1 The Session Limit Add/Edit Screen	321
IPSec VPN	323
11.1 The IPSec VPN Connection Screen	323
11.1.1 The IPSec VPN Connection Add/Edit Screen	325
11.1.2 IPSec VPN Connection Add/Edit (Manual Key)	331
11.2 The VPN Gateway Screen	335
11.2.1 The VPN Gateway Add/Edit Screen	336
11.3 The VPN Concentrator Screen	343
11.3.1 The VPN Concentrator Add/Edit Screen	345
SSL VPN	347
12.1 Overview	347
12.2 The SSL Access Privilege Screen	347
12.2.1 The SSL Access Policy Add/Edit Screen	349
12.3 The SSL Global Setting Screen	351
L2TP VPN	353
13.1 Overview	353
13.2 L2TP VPN Screen	353
Object	357
14.1 User Summary Screen	357
14.1.1 User Add/Edit Screen	358
14.2 User Group Summary Screen	360
14.2.1 Group Add/Edit Screen	361
14.3 Setting Screen	362
14.3.1 Default User Authentication Timeout Settings Edit Screens	366
14.3.2 Force User Authentication Policy Add/Edit Screen	368
14.4 Address Summary Screen	369
14.4.1 Address Add/Edit Screen	370
14.4.2 Address Group Summary Screen	371
14.4.3 Address Group Add/Edit Screen	373
14.5 The Service Summary Screen	374
14.5.1 The Service Add/Edit Screen	375
14.6 The Service Group Summary Screen	376
14.6.1 The Service Group Add/Edit Screen	378
14.7 The Schedule Summary Screen	379
14.7.1 The One-Time Schedule Add/Edit Screen	380
14.7.2 The Recurring Schedule Add/Edit Screen	381
AAA	385
15.1 Configuring Active Directory or LDAP Default Server Settings	385
15.2 Active Directory or LDAP Group Summary Screen	386
15.2.1 Creating an Active Directory or LDAP Group	388
15.3 Configuring a Default RADIUS Server	390
15.3.1 Configuring a Group of RADIUS Servers	391
15.3.2 Adding a RADIUS Server Member	392
15.4 Viewing Authentication Method Objects	393
15.5 Creating an Authentication Method Object	394
15.6 The My Certificates Screen	396
15.7 ISP Account Summary	397
15.7.1 ISP Account Edit	398
15.8 The SSL Application Screen	400
15.8.1 Creating/Editing a Web-based SSL Application Object	401
15.8.2 Creating/Editing a File Sharing SSL Application Object	403
Maintenance	405
16.1 Edit Remote Server Log Settings	405
Configuration, Firmware and Licence Management	407
Configuration Management	409
17.1 Synchronization (Device)	409
17.2 Synchronization (Folder)	411
17.3 Configuration File Management	412
17.3.1 Backup & Restore (Device)	413
17.3.2 Backup a Device	414
17.3.3 Backup & Restore (Folder)	415
17.3.4 Group Backup (Folder)	416
17.3.5 Group Restore (Folder)	418
17.4 Schedule List (Device)	419
17.5 Schedule List (Folder)	420
17.5.1 Add/Edit Schedule List (Folder)	421
17.6 Signature Profile Management	423
17.6.1 Signature Profile Backup & Restore (Device)	423
17.6.2 Signature Profile Backup & Restore (Folder)	425
17.6.3 Signature Profile Restore (Folder)	427
17.6.4 Restore to Device	429
17.6.5 Signature Profile Backup (Device)	430
17.6.6 Reset to Factory	431
17.7 Configuration Building Block	431
17.8 Add/Edit a Configuration BB	433
17.8.1 Create a Schedule Configuration BB (ZLD)	436
17.8.2 Create a User Configuration BB (ZLD)	437
17.8.3 Create an Address Configuration BB (ZLD)	439
17.8.4 Create a Service Configuration BB (ZLD)	440
17.9 Component BB	441
17.10 Add/Edit/Save as a Component BB	443
17.11 ZLD Firewall Rule Group Configuration	443
17.12 Add/Edit a Firewall Rule Group	444
Firmware Management	449
18.1 Firmware List	449
18.1.1 Add Firmware	450
18.2 Scheduler List	451
18.3 Firmware Upgrade	451
18.3.1 Firmware Upgrade (Folder)	452
18.3.2 Firmware Upgrade (Device)	453
18.3.3 Firmware Upgrade (Device) > Upgrade	453
License Management	457
19.1 Service Activation	457
19.1.1 Registration	457
19.1.2 Service	460
19.2 License Status	462
19.2.1 Activate/Upgrade License	465
19.3 License Status (Folder)	466
19.4 Signature Status (Device)	469
19.5 Signature Status (Folder)	471
VPN Management	473
VPN Community	475
20.1 VPN Community	475
20.1.1 Add/Edit a VPN Community	476
Installation Report	483
21.1 Installation Report	483
21.1.1 Show Detailed Installation Reportl	484
VPN Monitor	485
22.1 Monitor VPN by Community	485
22.1.1 Show Detailed VPN Community	486
22.1.2 VPN Tunnel Diagnostics	487
22.2 Monitor VPN by Device	489
22.2.1 VPN Tunnel Status	489
22.2.2 Search VPN Tunnels	490
22.2.3 SA Monitor	491
Monitor	493
Device Status Monitor	495
23.1 Device Status	495
3G Monitor	497
24.1 Summary	498
24.1.1 Show Detail	500
24.2 Availability Report	509
24.3 Radio Report	513
24.4 Traffic Report	518
24.5 Alert Report	519
24.6 Monitor Setting	523
24.6.1 Notification Setting	523
24.6.2 Notification	524
24.6.3 Monitor Interval	526
Device HA Status Monitor	527
25.1 Device HA Status	527
Device Alarm	529
26.1 Device Alarm Introduction	529
26.1.1 Alarm Severity	529
26.1.2 Unresolved Alarms	529
26.1.3 Responded Alarm	532
Log & Report	535
Device Operation Report	537
27.1 Firmware Upgrade Report	537
27.1.1 Firmware Report Details	538
27.2 Configuration Report	540
27.2.1 Configuration Report Details	542
27.3 Configuration File Backup Report	543
27.3.1 Configuration File Backup Report Details	545
27.4 Configuration File Restore Report	546
27.5 Signature Profile Backup Report	548
27.6 Signature Profile Restore Report	549
CNM Logs	553
28.1 Vantage CNM Logs	553
28.1.1 CNM Logs	553
VRPT	555
29.1 Vantage Report Overview	555
29.2 Vantage Report in Vantage CNM	556
29.3 Setting Up Vantage Report in Vantage CNM	556
29.4 Opening Vantage Report in Vantage CNM	557
CNM System Setting	559
CNM System Setting	561
30.1 Servers Configuration	561
30.1.1 Vantage CNM Server Public IP Address	563
30.2 Servers Status	564
30.3 User Access	565
30.4 Notifications	566
30.4.1 Notifications Settings	567
30.5 Log Setting	569
30.6 VRPT Management	571
30.6.1 Add/Edit VRPT Management	573
30.7 Certificate Management Overview	574
30.7.1 Advantages of Certificates	575
30.7.2 Current Certificate Information	576
30.7.3 Create CSR	577
30.7.4 Import Certificate	578
Maintenance	581
31.1 System Maintenance	581
31.1.1 Backup	582
31.2 Device Maintenance	583
Device Owner	585
32.1 Device Owner	585
32.1.1 Add/Edit a Device Owner	586
Vantage CNM Software Upgrade	587
33.1 CNM Software Upgrade	587
License	589
34.1 CNM Licence	589
34.1.1 License Upgrade	590
About CNM	591
35.1 About CNM	591
Account Management	593
User Group	595
36.1 Group	595
36.1.1 Add User Group	596
Account	599
37.1 “Root” Administrator	599
37.2 “Super” Administrators	599
37.3 Account	600
37.3.1 Add/Edit an Administrator Account	601
Troubleshooting	603
Troubleshooting	605
38.1 Vantage CNM Access and Login	605
38.2 Device Management	606
38.3 Device Firmware Management	606
38.4 Vantage Report	607
Appendices and Index	609
Product Specifications	611
Setting up Your Computer’s IP Address	617
Pop-up Windows, Java Scripts and Java Permissions	635
IP Addresses and Subnetting	643
IP Address Assignment Conflicts	653
Common Services	657
Importing Certificates	661
Open Software Announcements	667
Legal Information	695

Match case Limit results 1 per page

Chapter 11 IPSec VPN

Vantage CNM User’s Guide

328

Encryption

This field is applicable when the

Active Protocol

ESP

. Select which

key size and encryption algorithm to use in the IPSec SA. Choices

are:

NULL

- no encryption key or algorithm

DES

- a 56-bit key with the DES encryption algorithm

3DES

- a 168-bit key with the DES encryption algorithm

AES128

- a 128-bit key with the AES encryption algorithm

AES192

- a 192-bit key with the AES encryption algorithm

AES256

- a 256-bit key with the AES encryption algorithm

The ZyWALL and the remote IPSec router must both have at least one

proposal that uses use the same encryption and the same key.

Longer keys are more secure, but require more processing power,

resulting in increased latency and decreased throughput.

Authentication

Select which hash algorithm to use to authenticate packet data in the

IPSec SA. Choices are

SHA1

and

MD5

SHA1

is generally considered

stronger than

MD5

, but it is also slower.

The ZyWALL and the remote IPSec router must both have a proposal

that uses the same authentication algorithm.

Add icon

This column contains icons to add and remove proposals.

To add a proposal, click the

Add

icon at the top of the column.

To remove a proposal, click the

Remove

icon next to the proposal.

The Vantage CNM confirms that you want to delete it before doing so.

Total Records

This field displays the total number of proposals to use in the IPSec

SA.

SA Life Time

Type the maximum number of seconds the IPSec SA can last. Shorter

life times provide better security. The ZyWALL automatically

negotiates a new IPSec SA before the current one expires, if there are

users who are accessing remote resources.

Perfect

Forward

Secrecy (PFS)

Select whether or not you want to enable Perfect Forward Secrecy

(PFS) and, if you do, which Diffie-Hellman key group to use for

encryption. Choices are:

NONE

- disable PFS

DH1

- enable PFS and use a 768-bit random number

DH2

- enable PFS and use a 1024-bit random number

DH5

- enable PFS and use a 1536-bit random number

PFS changes the root key that is used to generate encryption keys for

each IPSec SA. The longer the key, the more secure the encryption,

but also the longer it takes to encrypt and decrypt information. Both

routers must use the same DH key group.

Table 130

Device Operation > Device Configuration > VPN > IPSec VPN > VPN

Connection > Add/Edit (IKE) (continued)

LABEL

DESCRIPTION