Manuals / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications 792H manual Sample IPSec Logs During Packet Transmission

Models: 792H

1 428

Download 428 pages 12.67 Kb

Page 207

		Prestige 792H G.SHDSL Router
	Table 14-13 Sample IKE Key Exchange Logs

	LOG MESSAGE	DESCRIPTION

	!! Local / remote IPs of incoming	If the security gateway is “0.0.0.0”, the Prestige will
	request conflict with rule <#d>	use the peer’s “Local Addr” as its “Remote Addr”. If
		this IP (range) conflicts with a previously configured
		rule then the connection is not allowed.
	!! Invalid IP <IP start>/<IP end>	The peer’s “Local IP Addr” range is invalid.
	!! Remote IP <IP start> / <IP end>	If the security gateway is “0.0.0.0”, the Prestige will
	conflicts	use the peer’s “Local Addr” as its “Remote Addr”. If a
		peer’s “Local Addr” range conflicts with other
		connections, then the Prestige will not accept VPN
		connection requests from this peer.

	!! Active connection allowed	The Prestige limits the number of simultaneous Phase
	exceeded	2 SA negotiations. The IKE key exchange process fails
		if this limit is exceeded.

	!! IKE Packet Retransmit	The Prestige did not receive a response from the peer
		and so retransmits the last packet sent.
	!! Failed to send IKE Packet	The Prestige cannot send IKE packets due to a
		network error.
	!! Too many errors! Deleting SA	The Prestige deletes an SA when too many errors
		occur.

The following table shows sample log messages during packet transmission.

Table 14-14 Sample IPSec Logs During Packet Transmission

LOG MESSAGE

DESCRIPTION

!!WAN IP changed to <IP> If the Prestige’s WAN IP changes, all configured “My IP Addr” are changed to b “0.0.0.0”.. If this field is configured as 0.0.0.0, then the Prestige will use the current Prestige WAN IP address (static or dynamic) to set up the VPN tunnel.

!!Cannot find Phase 2 SA The Prestige cannot find a phase 2 SA that corresponds with the SPI of an inbound packet (from the peer); the packet is dropped.

!!Discard REPLAY packet If the Prestige receives a packet with the wrong sequence number it will discard it.

VPN Screens

14-29

Image 207

ZyXEL Communications 792H manual Sample IPSec Logs During Packet Transmission, Request conflict with rule #d

Contents

Prestige 792H Page Trademarks DisclaimerPage Certifications Page Information for Canadian Users Page Safety Warnings ZyXEL Limited WarrantyPage Customer Support Page Table of Contents WAN Setup LAN Setup Dynamic DNS Setup Creating Custom Rules 10-1 Firewall ConfigurationCustomized Services 11-1 Content Filtering 12-1 15-1 14-1 Dial Backup 21-1 Maintenance 17-1General Setup 19-1 WAN Setup 20-4 25-1 22-123-1 24-1 Firmware and Configuration File Maintenance 31-1 Filter Configuration 28-1Snmp Configuration 29-1 System Maintenance 30-1 Remote Management 35-1 System Maintenance and Information 32-1IP Policy Routing 33-1 Call Scheduling 34-1 Internal Sptgen 38-1 VPN/IPSec Setup 36-1Troubleshooting 39-1 SA Monitor 37-1 List of Figures Xviii List of Figures List of Figures Xix Diagnostic General 17-8 List of Figures Xxi Xxii List of Figures List of Figures Xxiii Xxiv List of Figures List of Figures Xxv Page List of Tables List of Tables Xxvii Xxviii List of Tables 28-15 Xxx List of Tables Page Syntax Conventions Related Documentation Xxxii Preface Introduction to G.SHDSL Introduction to DSL Part Page Scalability Features of the PrestigeSymmetrical High Speed Internet Access Getting to Know Your G.SHDSL Router Snmp Simple Network Management Protocol versions 1 IPSec VPN CapabilityFirewall Traffic Redirect 10/100MB Auto-negotiation Ethernet/Fast Ethernet Interface SUA for Single-IP Address Internet AccessIP Alias IP Policy Routing Full Network Management Upgrade Firmware via LANEase of Installation Universal Plug and Play UPnP Internet Access Application Scenarios for the PrestigeLAN-to-LAN Application Introducing the Web Configurator Web Configurator OverviewAccessing the Prestige Web Configurator Password Screen Navigating the Prestige Web Configurator Configuring Password Label Description Resetting the Prestige Uploading a Configuration File Via Console Port Using The Reset ButtonPage Service Type Wizard SetupWizard Setup Introduction WAN Setup PPP over Ethernet Standard ModeEncapsulation Transfer Rates VC-based Multiplexing MultiplexingPPPoA 4 RFC VPI and VCI Wizard Setup Configuration First Screen Rate and the same Transfer Min Rate Server see Service Type VCI IP Address and Subnet MaskPPPoE VPI IP Assignment with PPPoA or PPPoE Encapsulation IP Address Assignment IP Assignment with RFC 1483 Encapsulation IP Assignment with Enet Encap EncapsulationPrivate IP Addresses Wizard Setup Configuration ISP Parameters Nailed-Up Connection PPP10 NAT Internet Connection with PPPoA Internet Internet Connection with RFC 11.2 RFC Enet Encap Internet Connection with Enet Encap Internet Connection with PPPoE PPPoE Dhcp Setup IP Pool Setup Wizard Setup Configuration LAN Configuration Wizard LAN Configuration Wizard Screen LAN COnfiguration Wizard Setup Configuration Connection Tests Wizard Screen Connection Tests Test Your Internet ConnectionPage LANs, WANs and the Prestige LAN SetupLAN Overview DNS Server Address LAN TCP/IP DNS Server Address Assignment Multicast Factory LAN DefaultsRIP Setup IP Address and Subnet Mask LAN Configuring LAN TCP/IP LAN WAN Setup WAN OverviewMetric PPPoE Encapsulation Traffic Shaping Example of Traffic Shaping Configuring WAN Setup WAN Setup ATM traffic. Enter the VCI assigned to you Subnet as the remote node For remote node setup, enter the IP address in the same Encap in the Encapsulation field Traffic Redirect Traffic Redirect LAN Setup Configuring WAN Backup WAN Backup Cost Outgoing Authentication Protocol WAN , Traffic Redirect , Dial Backup38400 , 57600 , 115200 or 230400 bps Configuring Advanced WAN Backup Advanced WAN Backup 57600 , 115200 or 230400 bps Choose Both, In Only or Out Only Choose RIP-1,RIP-2B or RIP-2M Connection settings AT Command Strings DTR Signal Configuring Advanced Modem SetupResponse Strings Advanced Modem Setup Nmbr Clid Part Page What NAT Does Network Address Translation NATNAT Overview NAT Definitions NAT Application How NAT Works NAT Application With IP Alias NAT Mapping Types Type IP Mapping SMT Abbreviation SUA Single User Account Versus NATMapping types NAT Mapping Types SUA Server Port Forwarding Services and Port Numbers Echo Configuring Servers Behind SUA ExampleServices and Port Numbers Services Port Number Multiple Servers Behind NAT Example Selecting the NAT Mode Configuring SUA Server Edit SUA/NAT Server Set Configuring Address Mapping Many-to-One and Server mapping types Address Mapping Rules Address Mapping Rule Edit Editing an Address Mapping Rule Address Mapping Rules screen Page Dyndns Wildcard Dynamic DNS SetupConfiguring Dynamic DNS Dynamic DNS Ddns Firewall and Content Filter Page Packet Filtering Firewalls FirewallsFirewall Overview Types of Firewalls Stateful Inspection Firewalls Introduction to ZyXEL’s Firewall Basics Denial of Service Common IP Ports Types of DoS Attacks Three-Way Handshake Icmp Commands That Trigger Alerts Message Request Positive Negative Retarget Keepalive Legal NetBIOS CommandsLegal Smtp Commands Stateful Inspection Stateful Inspection Stateful Inspection Process Stateful Inspection and the Prestige 4 UDP/ICMP Security TCP Security Guidelines for Enhancing Security with Your Firewall Upper Layer ProtocolsSecurity In General Packet Filtering Packet Filtering Vs Firewall Firewall When To Use Filtering Prestige 792H G.SHDSL Router Firewall Configuration Remote Management and the FirewallEnabling the Firewall E-mail Configuring E-mail Alerts Attack Alert Daily Weekly Hourly When Log is Full None Alerts Threshold ValuesHalf-Open Sessions TCP Maximum Incomplete and Blocking Time Following table describes the labels in this screen Alert 256 Page Rules Overview Rule ChecklistStudy these points carefully before configuring rules Creating Custom Rules Key Fields For Configuring Rules Security RamificationsBlock means the firewall silently discards the packet LAN to WAN Rules Connection Direction WAN to LAN Rules Logs Label Description Example Firewall Logs Block, Forward or None Rule Summary Firewall Rules Summary First Screen Predefined Services Service Description Predefined Services PINGICMP0 RLOGINTCP513NEWSTCP144 NNTPTCP119 Creating/Editing Firewall Rules Creating/Editing a Firewall Rule Source and Destination Addresses Range Address , Subnet Address and Any Address Timeout Timeout Factors Influencing Choices for Timeout Values 10-16 Creating Custom Rules Introduction to Customized Services Customized Services Creating/Editing a Customized Service Creating/Editing a Customized Service Click Rule Summary under Internet to Local Network Set Example Custom Service Firewall Rule Configure Source IP Example Syslog Rule Configuration Example Rule Summary Example Content Filtering Content Filtering OverviewConfiguring Keyword Blocking Content Filter Keyword Content Filter Schedule Configuring the Schedule Content Filter Trusted Configuring Trusted Computers Content Filter Logs Configuring Logs BLOCKUNTRUSTDOMAIN, BLOCKKEYWORD, Blockactivex BLOCKJAVAAPPLET, BLOCKCOOKIE, BlockproxyBlockcybernot VPN/IPSec Page Security Association Introduction to IPSecVPN Overview IPSec Data Origin Authentication VPN ApplicationsData Integrity VPN Application IPSec Architecture Key Management IPSec Algorithms Transport Mode Tunnel ModeIPSec and NAT Security Protocol Mode NAT VPN and NATESP IPSec Algorithms AH Authentication Header ProtocolVPN Screens 14.1 VPN/IPSec Overview AH and ESP My IP AddressSecure Gateway Address Dynamic Secure Gateway Address IPSec Summary Fields VPN Summary Screen VPN Summary Keep Alive ID Type and Content Local ID TYPE= CONTENT= ID Type and Content ExamplesLocal ID Type and Content Fields Peer ID Type and Content Fields Editing VPN Policies Matching ID Type and Content Configuration ExampleMismatching ID Type and Content Configuration Example Pre-Shared Key VPN IKE VPN Screens 14-9 14-10 VPN Screens VPN Screens 14-11 IKE Authentication Algorithm fields described next Two Phases to Set Up the IPSec SA IKE Phases Diffie-Hellman DH Key Groups Negotiation Mode Perfect Forward Secrecy PFS 14.11Configuring Advanced IKE Settings Label Description VPN IKE VPN IKE Advanced VPN Screens 14-17 14-18 VPN Screens Security Parameter Index SPI 14.12Manual Key Setup VPN Manual Key 14.13Configuring Manual Key SPI 14-22 VPN Screens VPN Screens 14-23 14.14Viewing SA Monitor 10 SA Monitor SA Monitor 11 Global Setting 14.15Configuring Global Setting 12 VPN Logs 14.16Configuring IPSec Logs LOG Message Description 13 Sample IKE Key Exchange Logs Request conflict with rule #d 14 Sample IPSec Logs During Packet Transmission LOG Display Payload Type 15 RFC-2408 Isakmp Payload Types 14.17Telecommuter VPN/IPSec Examples Telecommuters Sharing One VPN Rule ExampleHeadquarters Telecommuters All Headquarters Rules All Telecommuter Rules Telecommuters Using Unique VPN Rules Example 14.18VPN and Remote Management Remote Management and UPnP Remote Management and NAT Remote Management ConfigurationRemote Management Overview Remote Management Limitations 15.4 Web System TimeoutTelnet 15.3 FTP Remote Management Configuring Remote Management NAT Transversal How do I know if Im using UPnP?Universal Plug-and-Play UPnP Universal Plug and Play Overview Accessing the Prestige Web Configurator to Configure UPnP Configuring UPnPUPnP and ZyXEL Field Description Installing UPnP in Windows Example Installing UPnP in Windows Me Installing UPnP in Windows XP Double-clickNetwork ConnectionsOptional Networking Component Auto-discover Your UPnP-enabled Network Device Using UPnP in Windows XP Example Internet Connection Properties Web Configurator Easy Access Example Click start and then Control PanelConnections Select My Network Places under Other Places UPnP 16-9 Maintenance Page Maintenance Maintenance OverviewSystem Status Screen System Status VPI/VCI System Status Show Statistics System Statistics Maintenance 17-5 Dhcp Table Dhcp Table Screen Diagnostic Screens Diagnostic General ScreenMAC Diagnostic General Prestige 792H G.SHDSL Router Diagnostic DSL Line Screen Firmware Screen Firmware Upgrade Network Temporarily Disconnected SMT General Configuration Introducing the SMT Procedure for SMT Configuration via Console PortProcedure for SMT Configuration via Telnet Entering Password Prestige SMT Menu Overview Login Screen Prestige Menu Overview ? or ChangeMe Main Menu CommandsNavigating the SMT Interface Operation Keystroke Description System Management Terminal Interface Summary Main Menu SummaryMenu Title Description Menu 23 System Password Changing the System Password General Setup General SetupConfiguring Menu Configure Menu 1.1 Configure Dynamic DNS discussed next Field Description ExampleYes User Configuring Dynamic DNSPage From the main menu, enter 2 to open menu WAN Setup Screen 20-5 Dial Backup Dial Backup OverviewConfiguring Dial Backup in Menu 9600, 19200, 38400, 57600, 115200 or 230400 bps Advanced WAN SetupEnter to go to Menu 2.1 Advanced Setup 115200 Nmbr = Field Description Default Remote Node Profile Backup ISP Advanced WAN Port Setup Call Control ParametersConnect CHAP/PAP Remote Node Profile Backup ISP Press Enter to go to Menu 11.3 Remote Node Network Editing PPP Options Editing TCP/IP OptionsOtherwise select Standard PPP NAT Enter to open Menu 11.3 Network Layer Options RIP-1 Editing Filter SetsBoth Both/ None /In Only /Out Only and None Menu 11.5 Remote Node Filter Ethernet LAN Port Filter Setup Ethernet Setup TCP/IP and Dhcp Setup IP Alias Setup Route IP Setup Both , In Only or Out OnlyRIP-2B or RIP-2M General Setup 22.1.4 TCP/IP Ethernet Setup and Dhcp Both Both, In Only, Out Only or None RIP-1RIP-1,RIP-2B or RIP-2M 22-6 Internet Access Internet Access OverviewInternet Access Setup UBR Enet EncapOr Enet Encap LLC-based SUA Only Dynamic Advanced Applications Remote Node Configuration Remote Node SetupRemote Node Overview Encapsulation and Multiplexing Scenarios Remote Node Setup Based or LLC-based Then the Rem Login, Rem Password, My Login, My Allocated Budget is 10 minutes and the Period hr ChapTo display Menu 11.3 Remote Node Network Layer Options To display Menu 11.6 Remote Node ATM Layer Options Remote Remote Node Network Layer Options Static Options are Both, In Only, Out Only or None My WAN Addr Sample IP Addresses Sample IP Addresses for a TCP/IP LAN-to-LAN Connection Remote Node Filter Editing ATM Layer Options VC-based Multiplexing non-PPP EncapsulationPress Enter to open Menu 11.6 Remote Node ATM Layer Options Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation LLC-based Multiplexing or PPP Encapsulation Static Route Overview Static Route Setup Static Route Setup Edit IP Static Route Page Bridging Overview Bridging SetupBridge Ethernet Setup Remote Node Bridging Setup Remote Node Bridging Options Bridge Static Route Setup Bridge Static Route Setup 26-4 Bridging Setup Applying NAT Applying NAT for Internet Access Enter 1 to bring up Menu 15.1 Address Mapping Sets NAT SetupFull Feature Address Mapping Sets Address Mapping Rules SUA Address Mapping Sets User-Defined Address Mapping Sets Natset Field Desription Example Global Start/End IPs EditSelect Rule item One-to-One For ServerTo-One,Many-to-One and Server types NAT Server Sets NAT Server Setup General NAT Examples Example 1 Internet Access Only 11 NAT Example 13 NAT Example Example 2 Internet Access with an Inside Server 14 NAT Example 2 Menu Example 3 Multiple Public IP Addresses With Inside Servers 15 NAT Example 17 Example 3 Menu Enter 2 in Menu 15 NAT Setup 19 Example 3- Menu Example 4 NAT Unfriendly Application Programs 21 Example 4 Menu 22 Example 4 Menu Advanced Management Page About Filtering Filter Configuration Outgoing Packet Filtering Process Filter Rule Process Execute Filter Rule Filter Structure of the Prestige Filter Set Configuration NetBios WAN Filter Rules Summary TelnetWAN Filter Rules Summary Ftpwan Filter Rules Summary Abbreviations Used in the Filter Rules Summary Menu Filter Rules Summary Menus GEN Filter Rule ConfigurationRule Abbreviations Used Filter Type Description 28.3.1 TCP/IP Filter Rule TCP/IP Filter RuleChoices are TCP/IP Filter Rule or Generic Filter Rule TCP/IP Filter Rule Choices are None , Less , Greater , Equal or Not EqualIf More is Yes , then Action Matched and Action Not Check Next Rule Check Next Rule, Forward or DropChoices are Check Next Rule, Forward or Drop 12 Executing an IP Filter 13 Generic Filter Rule Generic Filter Rule Generic Filter Rule Menu Fields Example Filter Filter Types and NAT 15 Sample Telnet Filter 16 Sample Filter Rules Summary Menu 17 Sample Filter Rules Summary Menu Filter Sets Description Applying Filters and Factory DefaultsEthernet Traffic Filter Sets Table 19 Filtering Ethernet Traffic Remote Node FiltersPage Snmp Configuration Snmp is only available if TCP/IP is configuredSnmp Overview Supported MIBs Snmp Configuration Trap # Trap Name Description Snmp TrapsSnmp Traps Snmp 29-4 Snmp Configuration System Maintenance System Maintenance OverviewSystem Status System Maintenance Status System Information System InformationWAN LAN Menu 1 General Setup Viewing Error Log Log and TraceConsole Port Speed Syslog Sample Error and Information Messages System Maintenance Menu Syslog Parameters Parameter DescriptionCDR System Maintenance Diagnostic Diagnostic System Maintenance Menu Diagnostic Page Filename Conventions Firmware and Configuration File Maintenance Backup Configuration Filename ConventionsFile Type Internal External Name Description Backup Configuration Using the FTP Command from the Command LineExample of FTP Commands from the Command Line Tftp and FTP over WAN Will Not Work When General Commands for GUI-based FTP ClientsCommand Description GUI-based FTP Clients Backup Configuration Using Tftp Tftp Command ExampleGUI-based Tftp Clients General Commands for GUI-based Tftp Clients Backup Via Console Port Backup Configuration Example Restore Configuration System Maintenance Restore Configuration Restore Using FTP Restore Via Console Port Restore Using FTP Session Example Firmware File Upload Uploading Firmware and Configuration Files 13 System Maintenance Upload System Firmware Configuration File Upload FTP File Upload Command from the DOS Prompt Example FTP Session Example of Firmware File UploadTftp File Upload Uploading Via Console Port Tftp Upload Command Example Uploading Firmware File Via Console Port Example Xmodem Firmware Upload Using HyperTerminal Example Xmodem Configuration Upload Using HyperTerminal Uploading Configuration File Via Console Port 19 Example Xmodem Upload Command Interpreter Mode System Maintenance and Information Budget Management Call Control Support Budget Management System Maintenance Time and Date Setting Time and Date Setting Resetting the Time Time and Date Setting FieldsNTP RFC-1305 is similar to Time RFC-868 Page Routing Policy IP Policy RoutingIP Policy Routing Overview IP Policy Routing Benefits IP Routing Policy Setup IP Routing Policy Setup Action ServiceAbbreviation Meaning Criterion G t Delay, Max Thruput, Min Cost or Max Reliable Matched Applying an IP PolicyEthernet IP Policies Less, Greater, Less or Equal or Greater or Equal 33-6 IP Policy Routing Example of IP Policy Routing IP Policy Routing Example IP Routing Policy Example Applying IP Policies Page Schedule Setup Call SchedulingCall Scheduling Overview Schedule Set Setup Forced On Once Applying Schedule Sets to a Remote Node PPPoE Remote Management and Telnet Services Remote Management and FTP ServicesRemote Management Remote Management Control Remote Management SetupRemote Management and Web Services Disabling Remote Management Remote Management and NAT System Timeout SMT VPN/IPSec and Internal Sptgen 36.1 VPN/IPSec Overview VPN/IPSec Setup IPSec Summary Screen Menu 27 VPN/IPSec Setup ESP DES MD5 Tunnel 36-4 VPN/IPSec Setup IPSec Setup IPSec Summary Menu 27.1.1 IPSec Setup Gateway Address field below Single Address field set to Subnet Manual Setup Description Example IKE Setup3Menu 27.1.1.1 IKE Setup Field DES DH1MD5 Active Protocol Encapsulation and Security Protocol Manual SetupMode Security Protocol Active Protocol ESP Tunnel Menu 27.1.1.2 Manual Setup VPN/IPSec Setup 36-15 Page Using SA Monitor SA MonitorSA Monitor Overview Taiwan ESP DESRefresh Diagram 37-1 Example VPN Responder IPSec Log Viewing IPSec LogVPN Responder IPSec Log Page Configuration Text File Format Internal SptgenInternal Sptgen Overview 38-2 Internal Sptgen Internal Sptgen FTP Download Example Invalid Parameter Entered Command Line Example Internal Sptgen FTP Upload Example Internal Sptgen FTP Upload Example Appendices and Index Page Troubleshooting the Start-Up of Your Prestige TroubleshootingProblems Starting Up the Prestige Problems with the LAN Interface Troubleshooting Internet Access Problems with the WAN InterfaceProblems with Internet Access Troubleshooting the WAN Interface Troubleshooting Telnet Problems with the PasswordProblems with Telnet Troubleshooting the PasswordPage Traditional Dial-up Scenario Appendix a PPPoEPPPoE in Action Benefits of PPPoE Prestige as a PPPoE Client Diagram 2 Prestige as a PPPoE Client Appendix B Virtual Circuit Topology Diagram 3 Virtual Circuit Topology United Kingdom Plug Standards Power Adapter SpecificationsAppendix C North American Plug Standards European Plug Standards AA-121ABNChina Standards Power Consumption Safety Standards Ccee GB8898 Index 17-10 28-4 Local Network 10-730-6 24-1,24-2 24-2 30-5 RIP Traceroute TCP/IP