ZyXEL Communications 652 272

Prestige 652 ADSL Security Router

Table 25-5Menu 27.1.1.1 — IKE Setup

FIELD	DESCRIPTION	EXAMPLE
	Press [SPACE BAR] to choose from 3DES or DES and then press [ENTER].

Authentication	MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash	MD5
Algorithm	algorithms used to authenticate packet data. The SHA1 algorithm is
	generally considered stronger than MD5, but is slightly slower.
	Press [SPACE BAR] to choose from SHA1 or MD5 and then press [ENTER].

SA Life Time	Define the length of time before an IKE Security Association automatically	28800
(Seconds)	renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost	(default)
	35 days).
	A short SA Life Time increases security by forcing the two VPN gateways to
	update the encryption and authentication keys. However, every time the VPN
	tunnel renegotiates, all users accessing remote resources are temporarily
	disconnected.

Key Group	You must choose a key group for phase 1 IKE setup. DH1 (default) refers to	DH1
	Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-
	Hellman Group 2 a 1024 bit (1Kb) random number.
Phase 2

Active Protocol	Press [SPACE BAR] to choose from ESP or AH and then press [ENTER].	ESP
	See earlier for a discussion of these protocols.

Encryption	Press [SPACE BAR] to choose from NULL, 3DES or DES and then press	DES
Algorithm	[ENTER]. Select NULL to set up a tunnel without encryption.
Authentication	Press [SPACE BAR] to choose from SHA1 or MD5 and then press [ENTER].	SHA1
Algorithm
SA Life Time	Define the length of time before an IKE Security Association automatically	28800
(Seconds)	renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost	(default)
	35 days).
Encapsulation	Press [SPACE BAR] to choose from Tunnel mode or Transport mode and	Tunnel
	then press [ENTER]. See earlier for a discussion of these.

Perfect Forward	Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2	None
Secrecy (PFS)	IPSec SA setup. This allows faster IPSec setup, but is not so secure. Press
	[SPACE BAR] and choose from DH1 or DH2 to enable PFS. DH1 refers to
	Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-
	Hellman Group 2 a 1024 bit (1Kb) random number (more secure, yet slower).

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.

25-16

VPN/IPSec Setup

Contents

Page Copyright Federal Communications Commission (FCC) Interference Statement Information for Canadian Users ZyXEL Limited Warranty Customer Support Table of Contents Chapter 5 Remote Node Configuration Chapter 7 Bridging Setup Chapter 12 Creating Custom Rules Chapter 13 Customized Services Chapter 14 Logs Chapter 17 SNMP Configuration Chapter 20 System Maintenance and Information Chapter 21 Remote Management Chapter 22 IP Policy Routing Chapter 23 Call Scheduling Chapter 26 SA Monitor Chapter 28 Internal SPTGEN Page List of Figures Page Page Page Page Page List of Diagrams Page List of Tables Page Page Preface Syntax Conventions Bold Times New Roman Bold Arial The following section offers some background information on DSL. Skip it if you wish to begin working with your router right away What is DSL Page Part I: GETTING STARTED Page Getting To Know Your Prestige 1.1Prestige 652 ADSL Security Router 1.2Features •Content Filtering zInternal SPTGEN •Dynamic DNS Support •Packet Filtering zPPPoE Support (RFC2516) zADSL Transmission Rate Standards •Protocol Support Networking Compatibility zMultiplexing zEncapsulation Network Management •Other PPPoE Features 1.3Applications for the Prestige 1.3.1 Internet Access 1.3.2 Firewall for Secure Broadband Internet Access 1.3.3 LAN to LAN Application 1.3.4 VPN Application Figure 1-4VPN Application Hardware Installation and Initial Setup 2.1Front Panel LEDs of the P652 2.2Rear Panel and Connections 2.2.1 xDSL Port 2.2.2 Console Port 2.2.3 LAN 10/100M Port 2.2.4 Power Port 2.3Additional Installation Requirements 2.4P652 with POTS 2.4.1 Connecting a POTS Splitter 2.4.2 Telephone Microfilters 2.5P652 with ISDN 2.6Turning On Your Prestige 2.7Configuring Your Prestige For Internet Access 2.7.1 Initial Screen 2.7.2 Entering Password 2.8Resetting the Prestige 2.8.1 Methods of Restoring Factory-Defaults 2.8.2 Procedure To Use The Reset Button 2.8.3 Prestige 652 SMT Menu Overview 2.9Navigating the SMT Interface Table 2-2Main Menu Commands 2.9.1 System Management Terminal Interface Summary 2.10 Changing the System Password Page General Setup 3.1System Name 3.2Dynamic DNS 3.2.1 DYNDNS Wildcard 3.3General Setup 3.3.1 Configuring Dynamic DNS 3.4LAN Setup 3.4.1 LAN Port Filter Setup 3.5Protocol Dependent Ethernet Setup Page Internet Access 4.1Factory Ethernet Defaults 4.2LANs and WANs 4.2.1 LANs, WANs and the Prestige 4.3TCP/IP Parameters 4.3.1 IP Address and Subnet Mask 4.3.2 Private IP Addresses 4.3.3 RIP Setup 4.3.4 DHCP Configuration 4.4IP Multicast 4.5IP Policies 4.6IP Alias 4.6.1 IP Alias Setup Menu 3.2.1 - IP Alias Setup Figure 4-5Menu 3.2.1 — IP Alias Setup Table 4-1IP Alias Setup Menu Fields 4.7Route IP Setup 4.8TCP/IP Ethernet Setup and DHCP Figure 4-7Menu 3.2 — TCP/IP and DHCP Ethernet Setup Table 4-2DHCP Ethernet Setup Menu Fields Table 4-3TCP/IP Ethernet Setup Menu Fields 4.9VPI and VCI 4.10 Multiplexing 4.10.1 VC-basedMultiplexing 4.10.2 LLC-basedMultiplexing 4.11 Encapsulation 4.12 IP Address Assignment 4.12.1 Using PPPoA or PPPoE Encapsulation 4.12.2 Using RFC 1483 Encapsulation 4.12.3 Using ENET ENCAP Encapsulation 4.13 Internet Access Configuration 4.13.1 Traffic Shaping Figure 4-8Example of Traffic Shaping Figure 4-9Internet Access Setup Table 4-5Internet Access Setup Menu Fields Page Part II: ADVANCED APPLICATIONS Remote Node Configuration 5.1Remote Node Setup 5.1.1 Remote Node Profile 5.1.2 Encapsulation and Multiplexing Scenarios Figure 5-2Menu 11.1 — Remote Node Profile Menu Remote Node Profile Table 5-1Remote Node Profile Menu Fields Page 5.1.3 Outgoing Authentication Protocol 5.2Remote Node Setup Figure 5-3Remote Node Network Layer Options Table 5-2Remote Node Network Layer Options 5.3Remote Node Filter Figure 5-4Menu 11.5 — Remote Node Filter Figure 5-5Menu 11.5 — Remote Node Filter (PPPoE or PPP Encapsulation) Remote Node TCP/IP Configuration 6.1TCP/IP Configuration 6.1.1 Editing TCP/IP Options LLC-basedMultiplexing or PPPoA or PPPoE Encapsulation Figure 6-2Menu 11.6 for LLC-basedMultiplexing or PPPoA or PPPoE Encapsulation My Wan Addr My WAN Addr Rem IP Addr Figure 6-3Sample IP Addresses for a TCP/IP LAN-to-LANConnection Menu 11.1 – Remote Node Profile Table 6-1 TCP/IP-RelatedFields in Menu 11.1 — Remote Node Profile Figure 6-4Remote Node Network Layer Options Remote Node Network Layer Options Table 6-2TCP/IP Remote Node Configuration 6.1.2 IP Static Route Setup Figure 6-5Sample Static Routing Topology Configuration Static Route Setup Figure 6-6Menu 12 — Static Route Setup IP Static Route Setup Figure 6-7Menu 12.1 — IP Static Route Setup Figure 6-8Edit IP Static Route Menu 12.1.1 – Edit IP Static Route Setup Table 6-3Edit IP Static Route Menu Fields Bridging Setup 7.1Bridging in General 7.2Bridge Ethernet Setup 7.2.1 Remote Node Bridging Setup 7.2.2 Bridge Static Route Setup Figure 7-2Menu 12.3.1 — Edit Bridge Static Route Edit Bridge Static Route Table 7-2Edit Bridge Static Route Menu Fields Page Network Address Translation (NAT) 8.1Introduction 8.1.1 NAT Definitions 8.1.2 What NAT Does 8.1.3 How NAT Works 8.1.4 NAT Application 8.1.5 NAT Mapping Types 8.2Using NAT 8.2.1 SUA (Single User Account) Versus NAT 8.2.2 Applying NAT 8.3NAT Setup 8.3.1 Address Mapping Sets Figure 8-7Menu 15.1.255 — SUA Address Mapping Rules Menu 15.1.255 is read-only Table 8-4SUA Address Mapping Rules User-DefinedAddress Mapping Sets Set Name If the Set Name field is left blank, the entire set will be deleted Figure 8-8Menu 15.1.1 — First Set The Type, Local and Global Start/End IPs are configured in menu Table 8-5Fields in Menu No changes to the set take place until this action is taken Menu 15.1.1.1 - Address Mapping Rule Local Global Start/End IPs Page 8.4NAT Server Sets – Port Forwarding 8.4.1 Configuring a Server behind NAT Figure 8-11Menu 15.2.1 — NAT Server Setup Start Port No End Port No Figure 8-12Multiple Servers Behind NAT Example 8.5General NAT Examples 8.5.1 Example 1 Internet Access Only 8.5.2 Example 2: Internet Access with an Inside Server 8.5.3 Example 3: Multiple Public IP Addresses With Inside Servers Figure 8-17NAT Example Menu 15.1 - Address Mapping Sets Edit Action One-to-One Start IP Figure 8-18Example 3: Menu Figure 8-19Example 3: Menu Figure 8-20Example 3: Final Menu Step 9. Enter 2 in Menu 15 - NAT Setup 8.5.4 Example 4: NAT Unfriendly Application Programs Figure 8-22Example 4: Menu 15.1.1.1 — Address Mapping Rule Figure 8-23Example 4: Menu 15.1.1 — Address Mapping Rules Part III: Page Firewalls 9.1What Is a Firewall 9.2Types of Firewalls 9.2.1 Packet Filtering Firewalls 9.2.2 Application-levelFirewalls 9.3Introduction to ZyXEL’s Firewall 9.4Denial of Service 9.4.1 Basics 9.4.2 Types of DoS Attacks Figure 9-2 Three-WayHandshake SYN Attack Figure 9-3SYN Flood LAND Attack brute-force Figure 9-4Smurf Attack Table 9-2ICMP Commands That Trigger Alerts 9.5Stateful Inspection 9.5.1 Stateful Inspection Process 9.5.2 Stateful Inspection and the Prestige 9.5.3 TCP Security 9.5.4 UDP/ICMP Security 9.5.5 Upper Layer Protocols 9.6Guidelines For Enhancing Security With Your Firewall 9.6.1 Security In General 9.7Packet Filtering Vs Firewall 9.7.1 Packet Filtering: When To Use Filtering 9.7.2 Firewall When To Use The Firewall Page Introducing the Prestige Firewall 10.1 Remote Management and the Firewall 10.2 Access Methods 10.3 Using Prestige SMT Menus 10.3.1 Activating the Firewall 10.3.2 Viewing the Firewall Log Table 10-1View Firewall Log Page Using the Prestige Web Configurator 11.1 Web Configurator Login and Main Menu Screens 11.2 Enabling the Firewall 11.3 E-mail 11.3.1 Alerts 11.3.2 Logs Table 11-1 E-mail 11.3.3 SMTP Error Messages 11.3.4 Example E-mailLog 11.4 Attack Alert 11.4.1 Threshold Values 11.4.2 Half-OpenSessions TCP Maximum Incomplete and Blocking Time Alert Figure 11-4Attack Alert Table 11-3Attack Alert Page Creating Custom Rules 12.1 Rules Overview 12.2 Rule Logic Overview 12.2.1 Rule Checklist 12.2.2 Security Ramifications 12.2.3Key Fields For Configuring Rules Action Service Source Address 12.3 Connection Direction 12.3.1 LAN to WAN Rules 12.3.2 WAN to LAN Rules 12.4 Rule Summary Figure 12-3Firewall Rules Summary — First Screen Table 12-1Firewall Rules Summary — First Screen 12.5 Predefined Services Page Page 12.5.1 Creating/Editing Firewall Rules Page 12.5.2 Source and Destination Addresses Figure 12-5Adding/Editing Source and Destination Addresses Table 12-4Adding/Editing Source and Destination Addresses 12.6 Timeout 12.6.1 Factors Influencing Choices for Timeout Values Table 12-5Timeout Menu Customized Services 13.1 Introduction Table 13-1Customized Services 13.2 Creating/Editing A Customized Service 13.3Example DHCP Negotiation and Syslog Connection from the Internet Figure 13-3Configure Source IP Firewall Customized Services Config Figure 13-4Customized Service for Syslog Customized services show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your customized service Figure 13-5Syslog Rule Configuration Rule Summary Figure 13-6Example Rule Summary Logs 14.1 Log Screen Table 14-1Log Screen Content Filtering 15.1 Keyword 15.2 Schedule 15.3 Trusted 15.4 Logs Part IV: ADVANCED MANAGEMENT Filter Configuration 16.1 About Filtering Filter Rule 16.2 Configuring a Filter Set Figure 16-5Menu 21.1 — Filter Set Configuration Edit Comments Menu 21.1.1 - Filter Rules Summary Figure 16-6NetBIOS_WAN Filter Rules Summary Figure 16-7NetBIOS _LAN Filter Rules Summary 16.2.1 Filter Rules Summary Menus Table 16-1Filter Rules Summary Menu Abbreviations Table 16-2Rule Abbreviations Used 16.3 Configuring a Filter Rule 16.3.1 TCP/IP Filter Rule Table 16-3TCP/IP Filter Rule Menu Fields Page Figure 16-11Executing an IP Filter 16.3.2 Generic Filter Rule Table 16-4Generic Filter Rule Menu Fields 16.4 Filter Types and NAT 16.5 Example Filter Figure 16-14Sample Telnet Filter Menu 21 - Filter and Firewall Setup Menu 21.1 - Filter Set Configuration Menu 21.1.9 - Filter Rules Summary Equal Drop Next Figure 16-15Sample Filter — Menu 16.6 Applying Filters and Factory Defaults 16.6.1 Ethernet Traffic 16.6.2 Remote Node Filters Figure 16-18Filtering Remote Node Traffic Figure 16-19Filtering Remote Node Traffic with PPPoE Page SNMP Configuration 17.1 About SNMP 17.2 Supported MIBs 17.3 SNMP Configuration Figure 17-2Menu 22 — SNMP Configuration Table 17-1SNMP Configuration Menu Fields 17.4 SNMP Traps System Information and Diagnosis 18.1 System Status Figure 18-2Menu 24.1 — System Maintenance — Status Table 18-1System Maintenance — Status Menu Fields 18.2 System Information and Console Port Speed 18.2.1 System Information Figure 18-4Menu 24.2.1 — System Maintenance — Information Table 18-2Fields in System Maintenance 18.2.2 Console Port Speed 18.3 Log and Trace 18.3.1 Viewing Error Log 18.3.2 Syslog and Accounting Table 18-3System Maintenance Menu — Syslog Parameters 18.4 Diagnostic 18.5 Command Interpreter Mode Page Firmware and Configuration File Maintenance 19.1 Filename Conventions 19.2 Backup Configuration 19.2.1 Backup Configuration 19.2.2 Using the FTP Command from the Command Line 19.2.3 Example of FTP Commands from the Command Line 19.2.4 GUI-basedFTP Clients 19.2.5 Remote Management Limitations 19.2.6 Backup Configuration Using TFTP 19.2.7 TFTP Command Example 19.2.8 GUI-basedTFTP Clients 19.2.9 Backup Via Console Port 19.3 Restore Configuration 19.3.1 Restore Using FTP 19.3.2 Restore Using FTP Session Example 19.3.3 Restore Via Console Port 19.4 Uploading Firmware and Configuration Files 19.4.1 Firmware File Upload 19.4.2 Configuration File Upload 19.4.3 FTP File Upload Command from the DOS Prompt Example 19.4.4 FTP Session Example of Firmware File Upload 19.4.5 TFTP File Upload 19.4.6 TFTP Upload Command Example 19.4.7 Uploading Via Console Port 19.4.8 Uploading Firmware File Via Console Port 19.4.9 Example Xmodem Firmware Upload Using HyperTerminal 19.4.10Uploading Configuration File Via Console Port 19.4.11Example Xmodem Configuration Upload Using HyperTerminal Figure 19-19Example Xmodem Upload System Maintenance and Information 20.1 Command Interpreter Mode 20.2 Call Control Support 20.2.1 Budget Management Figure 20-4Budget Management Table 20-1Budget Management 20.3 Time and Date Setting 20.3.1 Resetting the Time Page Remote Management 21.1 About Telnet Configuration 21.2 Telnet Under NAT 21.3 Telnet Capabilities 21.3.1 Single Administrator 21.4 FTP 21.5 Web 21.6 Remote Management 21.6.1 Remote Management Limitations 21.7 Remote Management and NAT 21.8 System Timeout IP Policy Routing 22.1 Introduction 22.2 Benefits 22.3 Routing Policy 22.4 IP Routing Policy Setup Figure 22-2Menu 25.1 — Sample IP Routing Policy Setup Table 22-1IP Routing Policy Setup Menu 25.1.1 – IP Routing Policy Figure 22-3IP Routing Policy Table 22-2IP Routing Policy 22.5 Applying an IP Policy 22.5.1 Ethernet IP Policies Figure 22-4Menu 3.2 — TCP/IP and DHCP Ethernet Setup Figure 22-5Menu 11.3 — Remote Node Network Layer Options 22.6 IP Policy Routing Example Menu 25.1.1 - IP Routing Policy Figure 22-7IP Routing Policy Example Menu 25.1 - IP Routing Policy Setup Figure 22-8IP Routing Policy Figure 22-9Applying IP Policies Page Page Call Scheduling 23.1 Introduction Menu 26.1 - Schedule Set Setup Figure 23-2Schedule Set Setup Duration Table 23-1Schedule Set Setup Fields Page Figure 23-3Applying Schedule Set(s) to a Remote Node (PPPoE) Introduction to IPSec 24.1 Introduction 24.1.1 VPN 24.1.2 IPSec 24.1.3 Security Association 24.1.5 VPN Applications 24.2 IPSec Architecture 24.2.1 IPSec Algorithms 24.2.2 Key Management 24.3 Encapsulation 24.3.1 Transport Mode 24.3.2 Tunnel Mode 24.4 IPSec and NAT Table 24-1VPN and NAT VPN/IPSec Setup 25.1 VPN/IPSec Setup 25.2 IPSec Algorithms 25.2.1 AH (Authentication Header) Protocol 25.2.2 ESP (Encapsulating Security Payload) Protocol 25.3 IPSec Summary 25.3.1 My IP Address 25.3.2 Secure Gateway Address Page Figure 25-6Menu 27.1 — IPSec Summary Table 25-3Menu 27.1 — IPSec Summary Page 25.4 IPSec Setup Figure 25-7Menu 27.1.1 — IPSec Setup a VPN Table 25-4Menu 27.1.1 — IPSec Setup Page Page 25.5 IKE Setup 25.5.1 IKE Phases 25.5.2Negotiation Mode 25.5.3Pre-SharedKey 25.5.4 Diffie-Hellman(DH) Key Groups 25.5.5 Perfect Forward Secrecy (PFS) Figure Page 25.6 Manual Setup 25.6.1 Active Protocol 25.6.2 Security Parameter Index (SPI) Figure 25-10Menu 27.1.1.2 — Manual Setup Table 25-7Menu 27.1.1.2 — Manual Setup Page Page SA Monitor 1.1. Introduction Page IPSec Log 27.1 IPSec Logs Figure 27-2Example VPN Responder IPSec Log Double exclamation marks (!!) denote an error or warning message Table 27-1Sample IKE Key Exchange Logs Page Table 27-2Sample IPSec Logs During Packet Transmission Table 27-3 RFC-2408ISAKMP Payload Types Page Page Internal SPTGEN 28.1 The Configuration Text File Format 28.1.1 Internal SPTGEN File Modification - Important Points to Remember 28.2 Internal SPTGEN FTP Download Example 28.3 Internal SPTGEN FTP Upload Example Part:VI ADDITIONAL INFORMATION Troubleshooting 29.1 Problems Starting Up the Prestige 29.2 Problems with the LAN LED 29.3 Problems with the DSL LED 29.4 Problems with the LAN Interface 29.5 Problems with the WAN Interface 29.6 Problems with Internet Access 29.7 Problems with the Password 29.8 Problems with the Web Configurator 29.9 Problems with Remote Management Appendix A PPPoE How PPPoE Works Prestige as a PPPoE Client Diagram 2 Prestige as a PPPoE Client Appendix B Virtual Circuit Topology Appendix C Boot Module Commands Diagram 5 Boot Module Commands Appendix D Power Adapter Specifications Appendix E TCP/IP Client Client for Microsoft Networks Configuring TCP/IP Obtain an IP address automatically Specify an IP address Internet Protocol (TCP/IP) 3.The Internet Protocol TCP/IP Properties window opens Subnet mask Default gateway 4.In the Internet Protocol TCP/IP Properties window: Use the following IP Address -Inthe IP Settings tab, in IP addresses, click Add TCP/IP Address Default gateways TCP/IP Gateway Address Using DHCP Server Configure: Configure Manually Router address Appendix F Example Internal SPTGEN Screens / MENU 3.2 TCP/IP AND DHCP ETHERNET SETUP (SMT MENU 3.2) / MENU 3.2.1 IP ALIAS SETUP (SMT MENU 3.2.1) Page / MENU 4 INTERNET ACCESS SETUP (SMT MENU 4) / MENU 12.1.1 IP STATIC ROUTE SETUP (SMT MENU 12.1.1) / MENU 12.1.2 IP STATIC ROUTE SETUP (SMT MENU 12.1.2) / MENU 12.1.3 IP STATIC ROUTE SETUP (SMT MENU 12.1.3) Page Page Page Page Page Page Page Page Page Page Index