Manuals / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications 792H manual Sample IKE Key Exchange Logs, LOG Message Description

Models: 792H

1 428

Download 428 pages 12.67 Kb

Page 206

Prestige 792H G.SHDSL Router

Double exclamation marks (!!) denote an error or warning message.

The following table shows sample log messages during IKE key exchange.

Table 14-13 Sample IKE Key Exchange Logs

LOG MESSAGE	DESCRIPTION

Cannot find outbound SA for rule	The packet matches the rule index number (#d), but
<#d>	Phase 1 or Phase 2 negotiation for outbound (from the
	VPN initiator) traffic is not finished yet.
Send Main Mode request to <IP>	The Prestige has started negotiation with the peer.
Send Aggressive Mode request to <IP>
Recv Main Mode request from <IP>	The Prestige has received an IKE negotiation request
Recv Aggressive Mode request from	from the peer.
Recv Aggressive Mode request from
<IP>
Send:<Symbol><Symbol>	IKE uses the ISAKMP protocol (refer to RFC2408 –
Recv:<Symbol><Symbol>	ISAKMP) to transmit data. Each ISAKMP packet
Recv:<Symbol><Symbol>	contains payloads of different types that show in the
	log - see Table 14-15.
Phase 1 IKE SA process done	Phase 1 negotiation is finished.
Start Phase 2: Quick Mode	Phase 2 negotiation is beginning using Quick Mode.

!! IKE Negotiation is in process	The Prestige has begun negotiation with the peer for
	the connection already, but the IKE key exchange has
	not finished yet.

!! Duplicate requests with the same	The Prestige has received multiple requests from the
cookie	same peer but it is still processing the first IKE packet
	from that peer.
!! No proposal chosen	The parameters configured for Phase 1 or Phase 2
	negotiations don’t match. Please check all protocols
	and settings for these phases. For example, one party
	may be using 3DES encryption, but the other party is
	using DES encryption, so the connection will fail.
!! Verifying Local ID failed	During IKE Phase 2 negotiation, both parties
!! Verifying Remote ID failed	exchange policy details, including local and remote IP
!! Verifying Remote ID failed	address ranges. If these ranges differ, then the
	connection fails.

14-28

VPN Screens

Image 206

ZyXEL Communications 792H manual Sample IKE Key Exchange Logs, LOG Message Description

Contents

Prestige 792H Page Disclaimer TrademarksPage Certifications Page Information for Canadian Users Page ZyXEL Limited Warranty Safety WarningsPage Customer Support Page Table of Contents LAN Setup WAN Setup Dynamic DNS Setup Content Filtering 12-1 Firewall ConfigurationCustomized Services 11-1 Creating Custom Rules 10-1 14-1 15-1 WAN Setup 20-4 Maintenance 17-1General Setup 19-1 Dial Backup 21-1 24-1 22-123-1 25-1 System Maintenance 30-1 Filter Configuration 28-1Snmp Configuration 29-1 Firmware and Configuration File Maintenance 31-1 Call Scheduling 34-1 System Maintenance and Information 32-1IP Policy Routing 33-1 Remote Management 35-1 SA Monitor 37-1 VPN/IPSec Setup 36-1Troubleshooting 39-1 Internal Sptgen 38-1 List of Figures Xviii List of Figures List of Figures Xix Diagnostic General 17-8 List of Figures Xxi Xxii List of Figures List of Figures Xxiii Xxiv List of Figures List of Figures Xxv Page List of Tables List of Tables Xxvii Xxviii List of Tables 28-15 Xxx List of Tables Page Related Documentation Syntax Conventions Xxxii Preface Introduction to DSL Introduction to G.SHDSL Part Page Getting to Know Your G.SHDSL Router Features of the PrestigeSymmetrical High Speed Internet Access Scalability Traffic Redirect IPSec VPN CapabilityFirewall Snmp Simple Network Management Protocol versions 1 IP Policy Routing SUA for Single-IP Address Internet AccessIP Alias 10/100MB Auto-negotiation Ethernet/Fast Ethernet Interface Universal Plug and Play UPnP Upgrade Firmware via LANEase of Installation Full Network Management LAN-to-LAN Application Internet AccessApplication Scenarios for the Prestige Accessing the Prestige Web Configurator Introducing the Web ConfiguratorWeb Configurator Overview Navigating the Prestige Web Configurator Password Screen Configuring Password Resetting the Prestige Label Description Using The Reset Button Uploading a Configuration File Via Console PortPage WAN Setup Wizard SetupWizard Setup Introduction Service Type Transfer Rates Standard ModeEncapsulation PPP over Ethernet 4 RFC MultiplexingPPPoA VC-based Multiplexing Wizard Setup Configuration First Screen VPI and VCI Server see Service Type Rate and the same Transfer Min Rate VPI IP Address and Subnet MaskPPPoE VCI IP Address Assignment IP Assignment with PPPoA or PPPoE Encapsulation Private IP Addresses IP Assignment with RFC 1483 EncapsulationIP Assignment with Enet Encap Encapsulation 10 NAT Wizard Setup Configuration ISP ParametersNailed-Up Connection PPP Internet Connection with PPPoA Internet 11.2 RFC Internet Connection with RFC Internet Connection with Enet Encap Enet Encap PPPoE Internet Connection with PPPoE Dhcp Setup Wizard Setup Configuration LAN Configuration IP Pool Setup Wizard Screen LAN COnfiguration Wizard LAN Configuration Wizard Setup Configuration Connection Tests Test Your Internet Connection Wizard Screen Connection TestsPage DNS Server Address LAN SetupLAN Overview LANs, WANs and the Prestige DNS Server Address Assignment LAN TCP/IP IP Address and Subnet Mask Factory LAN DefaultsRIP Setup Multicast Configuring LAN LAN TCP/IP LAN Metric WAN SetupWAN Overview PPPoE Encapsulation Traffic Shaping Configuring WAN Setup Example of Traffic Shaping WAN Setup ATM traffic. Enter the VCI assigned to you For remote node setup, enter the IP address in the same Subnet as the remote node Traffic Redirect Encap in the Encapsulation field Configuring WAN Backup Traffic Redirect LAN Setup WAN Backup Cost 38400 , 57600 , 115200 or 230400 bps Outgoing Authentication ProtocolWAN , Traffic Redirect , Dial Backup Configuring Advanced WAN Backup Advanced WAN Backup 57600 , 115200 or 230400 bps Choose RIP-1,RIP-2B or RIP-2M Choose Both, In Only or Out Only AT Command Strings Connection settings Response Strings DTR SignalConfiguring Advanced Modem Setup Advanced Modem Setup Clid Nmbr Part Page NAT Definitions Network Address Translation NATNAT Overview What NAT Does How NAT Works NAT Application NAT Mapping Types NAT Application With IP Alias NAT Mapping Types SUA Single User Account Versus NATMapping types Type IP Mapping SMT Abbreviation Port Forwarding Services and Port Numbers SUA Server Services Port Number Configuring Servers Behind SUA ExampleServices and Port Numbers Echo Selecting the NAT Mode Multiple Servers Behind NAT Example Configuring SUA Server Edit SUA/NAT Server Set Configuring Address Mapping Address Mapping Rules Many-to-One and Server mapping types Editing an Address Mapping Rule Address Mapping Rule Edit Address Mapping Rules screen Page Dynamic DNS Dynamic DNS SetupConfiguring Dynamic DNS Dyndns Wildcard Ddns Firewall and Content Filter Page Types of Firewalls FirewallsFirewall Overview Packet Filtering Firewalls Introduction to ZyXEL’s Firewall Stateful Inspection Firewalls Denial of Service Basics Types of DoS Attacks Common IP Ports Three-Way Handshake Icmp Commands That Trigger Alerts Stateful Inspection Legal NetBIOS CommandsLegal Smtp Commands Message Request Positive Negative Retarget Keepalive Stateful Inspection Process Stateful Inspection Stateful Inspection and the Prestige TCP Security 4 UDP/ICMP Security Security In General Guidelines for Enhancing Security with Your FirewallUpper Layer Protocols Packet Filtering Vs Firewall Packet Filtering When To Use Filtering Firewall Prestige 792H G.SHDSL Router Enabling the Firewall Firewall ConfigurationRemote Management and the Firewall Configuring E-mail Alerts E-mail Daily Weekly Hourly When Log is Full None Attack Alert Half-Open Sessions AlertsThreshold Values TCP Maximum Incomplete and Blocking Time Alert Following table describes the labels in this screen 256 Page Creating Custom Rules Rule ChecklistStudy these points carefully before configuring rules Rules Overview Block means the firewall silently discards the packet Key Fields For Configuring RulesSecurity Ramifications Connection Direction LAN to WAN Rules Logs WAN to LAN Rules Firewall Logs Label Description Example Rule Summary Block, Forward or None Firewall Rules Summary First Screen Predefined Services Predefined Services Service Description NNTPTCP119 RLOGINTCP513NEWSTCP144 PINGICMP0 Creating/Editing Firewall Rules Creating/Editing a Firewall Rule Source and Destination Addresses Timeout Range Address , Subnet Address and Any Address Factors Influencing Choices for Timeout Values Timeout 10-16 Creating Custom Rules Customized Services Introduction to Customized Services Creating/Editing a Customized Service Creating/Editing a Customized Service Example Custom Service Firewall Rule Click Rule Summary under Internet to Local Network Set Configure Source IP Example Syslog Rule Configuration Example Rule Summary Example Configuring Keyword Blocking Content FilteringContent Filtering Overview Content Filter Keyword Configuring the Schedule Content Filter Schedule Configuring Trusted Computers Content Filter Trusted Configuring Logs Content Filter Logs Blockcybernot BLOCKUNTRUSTDOMAIN, BLOCKKEYWORD, BlockactivexBLOCKJAVAAPPLET, BLOCKCOOKIE, Blockproxy VPN/IPSec Page IPSec Introduction to IPSecVPN Overview Security Association Data Integrity Data Origin AuthenticationVPN Applications IPSec Architecture VPN Application IPSec Algorithms Key Management IPSec and NAT Transport ModeTunnel Mode ESP Security Protocol Mode NATVPN and NAT 14.1 VPN/IPSec Overview AH Authentication Header ProtocolVPN Screens IPSec Algorithms Dynamic Secure Gateway Address My IP AddressSecure Gateway Address AH and ESP VPN Summary Screen IPSec Summary Fields VPN Summary ID Type and Content Keep Alive Peer ID Type and Content Fields ID Type and Content ExamplesLocal ID Type and Content Fields Local ID TYPE= CONTENT= Pre-Shared Key Matching ID Type and Content Configuration ExampleMismatching ID Type and Content Configuration Example Editing VPN Policies VPN IKE VPN Screens 14-9 14-10 VPN Screens VPN Screens 14-11 Authentication Algorithm fields described next IKE IKE Phases Two Phases to Set Up the IPSec SA Negotiation Mode Diffie-Hellman DH Key Groups 14.11Configuring Advanced IKE Settings Perfect Forward Secrecy PFS VPN IKE Advanced Label Description VPN IKE VPN Screens 14-17 14-18 VPN Screens 14.12Manual Key Setup Security Parameter Index SPI 14.13Configuring Manual Key VPN Manual Key SPI 14-22 VPN Screens VPN Screens 14-23 14.14Viewing SA Monitor SA Monitor 10 SA Monitor 14.15Configuring Global Setting 11 Global Setting 14.16Configuring IPSec Logs 12 VPN Logs 13 Sample IKE Key Exchange Logs LOG Message Description 14 Sample IPSec Logs During Packet Transmission Request conflict with rule #d 15 RFC-2408 Isakmp Payload Types LOG Display Payload Type Headquarters Telecommuters 14.17Telecommuter VPN/IPSec ExamplesTelecommuters Sharing One VPN Rule Example Telecommuters Using Unique VPN Rules Example All Headquarters Rules All Telecommuter Rules 14.18VPN and Remote Management Remote Management and UPnP Remote Management Limitations Remote Management ConfigurationRemote Management Overview Remote Management and NAT 15.3 FTP System TimeoutTelnet 15.4 Web Configuring Remote Management Remote Management Universal Plug and Play Overview How do I know if Im using UPnP?Universal Plug-and-Play UPnP NAT Transversal UPnP and ZyXEL Accessing the Prestige Web Configurator to Configure UPnPConfiguring UPnP Installing UPnP in Windows Example Field Description Installing UPnP in Windows Me Optional Networking Component Installing UPnP in Windows XPDouble-clickNetwork Connections Using UPnP in Windows XP Example Auto-discover Your UPnP-enabled Network Device Internet Connection Properties Connections Select My Network Places under Other Places Web Configurator Easy Access ExampleClick start and then Control Panel UPnP 16-9 Maintenance Page System Status Screen MaintenanceMaintenance Overview System Status VPI/VCI System Statistics System Status Show Statistics Maintenance 17-5 Dhcp Table Screen Dhcp Table MAC Diagnostic ScreensDiagnostic General Screen Diagnostic General Diagnostic DSL Line Screen Prestige 792H G.SHDSL Router Firmware Upgrade Firmware Screen Network Temporarily Disconnected SMT General Configuration Entering Password Procedure for SMT Configuration via Console PortProcedure for SMT Configuration via Telnet Introducing the SMT Login Screen Prestige SMT Menu Overview Prestige Menu Overview Operation Keystroke Description Main Menu CommandsNavigating the SMT Interface ? or ChangeMe Menu Title Description System Management Terminal Interface SummaryMain Menu Summary Changing the System Password Menu 23 System Password Configuring Menu General SetupGeneral Setup Yes Configure Menu 1.1 Configure Dynamic DNS discussed nextField Description Example Configuring Dynamic DNS UserPage WAN Setup Screen From the main menu, enter 2 to open menu 20-5 Configuring Dial Backup in Menu Dial BackupDial Backup Overview 115200 Advanced WAN SetupEnter to go to Menu 2.1 Advanced Setup 9600, 19200, 38400, 57600, 115200 or 230400 bps Field Description Default Nmbr = Connect Remote Node Profile Backup ISPAdvanced WAN Port Setup Call Control Parameters Remote Node Profile Backup ISP CHAP/PAP Press Enter to go to Menu 11.3 Remote Node Network Otherwise select Standard PPP Editing PPP OptionsEditing TCP/IP Options Enter to open Menu 11.3 Network Layer Options NAT Both/ None /In Only /Out Only and None Editing Filter SetsBoth RIP-1 Menu 11.5 Remote Node Filter Ethernet Ethernet Setup LAN Port Filter Setup IP Alias Setup TCP/IP and Dhcp Setup RIP-2B or RIP-2M Route IP SetupBoth , In Only or Out Only 22.1.4 TCP/IP Ethernet Setup and Dhcp General Setup RIP-1,RIP-2B or RIP-2M Both Both, In Only, Out Only or NoneRIP-1 22-6 Internet Access Setup Internet AccessInternet Access Overview LLC-based Enet EncapOr Enet Encap UBR Dynamic SUA Only Advanced Applications Remote Node Overview Remote Node ConfigurationRemote Node Setup Remote Node Setup Encapsulation and Multiplexing Scenarios Then the Rem Login, Rem Password, My Login, My Based or LLC-based To display Menu 11.6 Remote Node ATM Layer Options ChapTo display Menu 11.3 Remote Node Network Layer Options Allocated Budget is 10 minutes and the Period hr Remote Node Network Layer Options Remote Static My WAN Addr Sample IP Addresses Options are Both, In Only, Out Only or None Remote Node Filter Sample IP Addresses for a TCP/IP LAN-to-LAN Connection Press Enter to open Menu 11.6 Remote Node ATM Layer Options Editing ATM Layer OptionsVC-based Multiplexing non-PPP Encapsulation LLC-based Multiplexing or PPP Encapsulation Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation Static Route Setup Static Route Overview Static Route Setup Edit IP Static Route Page Remote Node Bridging Setup Bridging SetupBridge Ethernet Setup Bridging Overview Bridge Static Route Setup Remote Node Bridging Options Bridge Static Route Setup 26-4 Bridging Setup Applying NAT Applying NAT for Internet Access Address Mapping Sets NAT SetupFull Feature Enter 1 to bring up Menu 15.1 Address Mapping Sets Address Mapping Sets Address Mapping Rules SUA User-Defined Address Mapping Sets Field Desription Example Natset Select Rule item Global Start/End IPsEdit To-One,Many-to-One and Server types One-to-OneFor Server NAT Server Sets NAT Server Setup Example 1 Internet Access Only General NAT Examples 11 NAT Example Example 2 Internet Access with an Inside Server 13 NAT Example Example 3 Multiple Public IP Addresses With Inside Servers 14 NAT Example 2 Menu 15 NAT Example 17 Example 3 Menu Enter 2 in Menu 15 NAT Setup Example 4 NAT Unfriendly Application Programs 19 Example 3- Menu 21 Example 4 Menu 22 Example 4 Menu Advanced Management Page Filter Configuration About Filtering Outgoing Packet Filtering Process Execute Filter Rule Filter Rule Process Filter Set Configuration Filter Structure of the Prestige NetBios WAN Filter Rules Summary TelnetWAN Filter Rules Summary Ftpwan Filter Rules Summary Filter Rules Summary Menus Abbreviations Used in the Filter Rules Summary Menu Filter Type Description Filter Rule ConfigurationRule Abbreviations Used GEN Choices are TCP/IP Filter Rule or Generic Filter Rule 28.3.1 TCP/IP Filter RuleTCP/IP Filter Rule If More is Yes , then Action Matched and Action Not TCP/IP Filter RuleChoices are None , Less , Greater , Equal or Not Equal Choices are Check Next Rule, Forward or Drop Check Next RuleCheck Next Rule, Forward or Drop 12 Executing an IP Filter Generic Filter Rule 13 Generic Filter Rule Generic Filter Rule Menu Fields Filter Types and NAT Example Filter 15 Sample Telnet Filter 16 Sample Filter Rules Summary Menu 17 Sample Filter Rules Summary Menu Filter Sets Table Applying Filters and Factory DefaultsEthernet Traffic Filter Sets Description Remote Node Filters 19 Filtering Ethernet TrafficPage Snmp Overview Snmp ConfigurationSnmp is only available if TCP/IP is configured Snmp Configuration Supported MIBs Snmp Snmp TrapsSnmp Traps Trap # Trap Name Description 29-4 Snmp Configuration System Status System MaintenanceSystem Maintenance Overview System Maintenance Status WAN System InformationSystem Information Menu 1 General Setup LAN Console Port Speed Viewing Error LogLog and Trace Sample Error and Information Messages Syslog CDR System Maintenance Menu Syslog ParametersParameter Description Diagnostic System Maintenance Diagnostic System Maintenance Menu Diagnostic Page Firmware and Configuration File Maintenance Filename Conventions File Type Internal External Name Description Backup ConfigurationFilename Conventions Example of FTP Commands from the Command Line Backup ConfigurationUsing the FTP Command from the Command Line GUI-based FTP Clients General Commands for GUI-based FTP ClientsCommand Description Tftp and FTP over WAN Will Not Work When GUI-based Tftp Clients Backup Configuration Using TftpTftp Command Example Backup Via Console Port General Commands for GUI-based Tftp Clients Restore Configuration Backup Configuration Example Restore Using FTP System Maintenance Restore Configuration Restore Using FTP Session Example Restore Via Console Port Uploading Firmware and Configuration Files Firmware File Upload Configuration File Upload 13 System Maintenance Upload System Firmware Tftp File Upload FTP File Upload Command from the DOS Prompt ExampleFTP Session Example of Firmware File Upload Tftp Upload Command Example Uploading Via Console Port Example Xmodem Firmware Upload Using HyperTerminal Uploading Firmware File Via Console Port Uploading Configuration File Via Console Port Example Xmodem Configuration Upload Using HyperTerminal 19 Example Xmodem Upload System Maintenance and Information Command Interpreter Mode Call Control Support Budget Management Budget Management Time and Date Setting System Maintenance Time and Date Setting NTP RFC-1305 is similar to Time RFC-868 Resetting the TimeTime and Date Setting Fields Page IP Policy Routing Benefits IP Policy RoutingIP Policy Routing Overview Routing Policy IP Routing Policy Setup IP Routing Policy Setup Criterion ServiceAbbreviation Meaning Action Delay, Max Thruput, Min Cost or Max Reliable G t Less, Greater, Less or Equal or Greater or Equal Applying an IP PolicyEthernet IP Policies Matched 33-6 IP Policy Routing IP Policy Routing Example Example of IP Policy Routing IP Routing Policy Example Applying IP Policies Page Call Scheduling Overview Schedule SetupCall Scheduling Schedule Set Setup Once Forced On Applying Schedule Sets to a Remote Node PPPoE Remote Management Remote Management and Telnet ServicesRemote Management and FTP Services Disabling Remote Management Remote Management SetupRemote Management and Web Services Remote Management Control System Timeout Remote Management and NAT SMT VPN/IPSec and Internal Sptgen VPN/IPSec Setup 36.1 VPN/IPSec Overview Menu 27 VPN/IPSec Setup IPSec Summary Screen Tunnel ESP DES MD5 36-4 VPN/IPSec Setup IPSec Setup Menu 27.1.1 IPSec Setup IPSec Summary Gateway Address field below Address field set to Single Subnet Manual Setup Field IKE Setup3Menu 27.1.1.1 IKE Setup Description Example MD5 DESDH1 Active Protocol Manual SetupMode Security Protocol Active Protocol Encapsulation and Security Protocol Menu 27.1.1.2 Manual Setup ESP Tunnel VPN/IPSec Setup 36-15 Page SA Monitor Overview Using SA MonitorSA Monitor Refresh TaiwanESP DES VPN Responder IPSec Log Diagram 37-1 Example VPN Responder IPSec LogViewing IPSec Log Page Internal Sptgen Overview Configuration Text File FormatInternal Sptgen 38-2 Internal Sptgen Invalid Parameter Entered Command Line Example Internal Sptgen FTP Download Example Internal Sptgen FTP Upload Example Internal Sptgen FTP Upload Example Appendices and Index Page Problems with the LAN Interface TroubleshootingProblems Starting Up the Prestige Troubleshooting the Start-Up of Your Prestige Troubleshooting the WAN Interface Problems with the WAN InterfaceProblems with Internet Access Troubleshooting Internet Access Troubleshooting the Password Problems with the PasswordProblems with Telnet Troubleshooting TelnetPage Benefits of PPPoE Appendix a PPPoEPPPoE in Action Traditional Dial-up Scenario Diagram 2 Prestige as a PPPoE Client Prestige as a PPPoE Client Diagram 3 Virtual Circuit Topology Appendix B Virtual Circuit Topology North American Plug Standards Power Adapter SpecificationsAppendix C United Kingdom Plug Standards China Standards European Plug StandardsAA-121ABN Power Consumption Safety Standards Ccee GB8898 Index 28-4 17-10 30-6 Local Network10-7 24-2 24-1,24-2 RIP 30-5 TCP/IP Traceroute