Manuals / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications 792H manual Ike, Manual Setup

Models: 792H

1 428

Download 428 pages 12.67 Kb

Page 396

Prestige 792H G.SHDSL Router

Table 36-2 Menu 27.1.1 IPSec Setup

FIELD	DESCRIPTION	EXAMPLE

End/Subnet	When the Addr Type field is configured to Single, this field is N/A.	255.255.0.0
Mask	When the Addr Type field is configured to Range, enter the end (static) IP
	address, in a range of computers on the network behind the remote IPSec
	router.
	When the Addr Type field is configured to SUBNET, enter a subnet mask
	on the network behind the remote IPSec router.
	This field displays N/A when you configure the Secure Gateway Address
	field to 0.0.0.0.

Port Start	0 is the default and signifies any port. Type a port number from 0 to 65535.	0
	Someone behind the remote IPSec router cannot create a VPN tunnel
	when attempting to connect using a port number that does not match this
	port number or range of port numbers.
	Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80,
	HTTP; 25, SMTP; 110, POP3.

End	Enter a port number in this field to define a port range. This port number
	must be greater than that specified in the previous field. This field is N/A
	when 0 is configured in the Port Start field.
Enable Replay	As a VPN setup is processing intensive, the system is vulnerable to Denial	No
Detection	of Service (DoS) attacks The IPSec receiver can detect and reject old or
	duplicate packets to protect against replay attacks. Enable replay detection
	by setting this field to Yes.
	Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER]
	to enable replay detection.

Key	Press [SPACE BAR] to choose either IKE or Manual and then press	IKE
Management	[ENTER]. Manual is useful for troubleshooting if you have problems using
	IKE key management.
Edit Key	Press [SPACE BAR] to change the default No to Yes and then press	No
Management	[ENTER] to go to a key management menu for configuring your key
Setup	management setup (described later). If you set the Key Management field
	to IKE, this will take you to Menu 27.1.1.1 – IKE Setup. If you set the Key
	Management field to Manual, this will take you to Menu 27.1.1.2 –
	Manual Setup.

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.

36-10

VPN/IPSec Setup

Image 396

ZyXEL Communications 792H manual Ike, Manual Setup

Contents

Prestige 792H Page Disclaimer TrademarksPage Certifications Page Information for Canadian Users Page ZyXEL Limited Warranty Safety WarningsPage Customer Support Page Table of Contents LAN Setup WAN Setup Dynamic DNS Setup Firewall Configuration Customized Services 11-1Content Filtering 12-1 Creating Custom Rules 10-1 14-1 15-1 Maintenance 17-1 General Setup 19-1WAN Setup 20-4 Dial Backup 21-1 22-1 23-124-1 25-1 Filter Configuration 28-1 Snmp Configuration 29-1System Maintenance 30-1 Firmware and Configuration File Maintenance 31-1 System Maintenance and Information 32-1 IP Policy Routing 33-1Call Scheduling 34-1 Remote Management 35-1 VPN/IPSec Setup 36-1 Troubleshooting 39-1SA Monitor 37-1 Internal Sptgen 38-1 List of Figures Xviii List of Figures List of Figures Xix Diagnostic General 17-8 List of Figures Xxi Xxii List of Figures List of Figures Xxiii Xxiv List of Figures List of Figures Xxv Page List of Tables List of Tables Xxvii Xxviii List of Tables 28-15 Xxx List of Tables Page Related Documentation Syntax Conventions Xxxii Preface Introduction to DSL Introduction to G.SHDSL Part Page Features of the Prestige Symmetrical High Speed Internet AccessGetting to Know Your G.SHDSL Router Scalability IPSec VPN Capability FirewallTraffic Redirect Snmp Simple Network Management Protocol versions 1 SUA for Single-IP Address Internet Access IP AliasIP Policy Routing 10/100MB Auto-negotiation Ethernet/Fast Ethernet Interface Upgrade Firmware via LAN Ease of InstallationUniversal Plug and Play UPnP Full Network Management Internet Access Application Scenarios for the PrestigeLAN-to-LAN Application Introducing the Web Configurator Web Configurator OverviewAccessing the Prestige Web Configurator Navigating the Prestige Web Configurator Password Screen Configuring Password Resetting the Prestige Label Description Using The Reset Button Uploading a Configuration File Via Console PortPage Wizard Setup Wizard Setup IntroductionWAN Setup Service Type Standard Mode EncapsulationTransfer Rates PPP over Ethernet Multiplexing PPPoA4 RFC VC-based Multiplexing Wizard Setup Configuration First Screen VPI and VCI Server see Service Type Rate and the same Transfer Min Rate IP Address and Subnet Mask PPPoEVPI VCI IP Address Assignment IP Assignment with PPPoA or PPPoE Encapsulation IP Assignment with RFC 1483 Encapsulation IP Assignment with Enet Encap EncapsulationPrivate IP Addresses Wizard Setup Configuration ISP Parameters Nailed-Up Connection PPP10 NAT Internet Connection with PPPoA Internet 11.2 RFC Internet Connection with RFC Internet Connection with Enet Encap Enet Encap PPPoE Internet Connection with PPPoE Dhcp Setup Wizard Setup Configuration LAN Configuration IP Pool Setup Wizard Screen LAN COnfiguration Wizard LAN Configuration Wizard Setup Configuration Connection Tests Test Your Internet Connection Wizard Screen Connection TestsPage LAN Setup LAN OverviewDNS Server Address LANs, WANs and the Prestige DNS Server Address Assignment LAN TCP/IP Factory LAN Defaults RIP SetupIP Address and Subnet Mask Multicast Configuring LAN LAN TCP/IP LAN WAN Setup WAN OverviewMetric PPPoE Encapsulation Traffic Shaping Configuring WAN Setup Example of Traffic Shaping WAN Setup ATM traffic. Enter the VCI assigned to you For remote node setup, enter the IP address in the same Subnet as the remote node Traffic Redirect Encap in the Encapsulation field Configuring WAN Backup Traffic Redirect LAN Setup WAN Backup Cost Outgoing Authentication Protocol WAN , Traffic Redirect , Dial Backup38400 , 57600 , 115200 or 230400 bps Configuring Advanced WAN Backup Advanced WAN Backup 57600 , 115200 or 230400 bps Choose RIP-1,RIP-2B or RIP-2M Choose Both, In Only or Out Only AT Command Strings Connection settings DTR Signal Configuring Advanced Modem SetupResponse Strings Advanced Modem Setup Clid Nmbr Part Page Network Address Translation NAT NAT OverviewNAT Definitions What NAT Does How NAT Works NAT Application NAT Mapping Types NAT Application With IP Alias SUA Single User Account Versus NAT Mapping typesNAT Mapping Types Type IP Mapping SMT Abbreviation Port Forwarding Services and Port Numbers SUA Server Configuring Servers Behind SUA Example Services and Port NumbersServices Port Number Echo Selecting the NAT Mode Multiple Servers Behind NAT Example Configuring SUA Server Edit SUA/NAT Server Set Configuring Address Mapping Address Mapping Rules Many-to-One and Server mapping types Editing an Address Mapping Rule Address Mapping Rule Edit Address Mapping Rules screen Page Dynamic DNS Setup Configuring Dynamic DNSDynamic DNS Dyndns Wildcard Ddns Firewall and Content Filter Page Firewalls Firewall OverviewTypes of Firewalls Packet Filtering Firewalls Introduction to ZyXEL’s Firewall Stateful Inspection Firewalls Denial of Service Basics Types of DoS Attacks Common IP Ports Three-Way Handshake Icmp Commands That Trigger Alerts Legal NetBIOS Commands Legal Smtp CommandsStateful Inspection Message Request Positive Negative Retarget Keepalive Stateful Inspection Process Stateful Inspection Stateful Inspection and the Prestige TCP Security 4 UDP/ICMP Security Guidelines for Enhancing Security with Your Firewall Upper Layer ProtocolsSecurity In General Packet Filtering Vs Firewall Packet Filtering When To Use Filtering Firewall Prestige 792H G.SHDSL Router Firewall Configuration Remote Management and the FirewallEnabling the Firewall Configuring E-mail Alerts E-mail Daily Weekly Hourly When Log is Full None Attack Alert Alerts Threshold ValuesHalf-Open Sessions TCP Maximum Incomplete and Blocking Time Alert Following table describes the labels in this screen 256 Page Rule Checklist Study these points carefully before configuring rulesCreating Custom Rules Rules Overview Key Fields For Configuring Rules Security RamificationsBlock means the firewall silently discards the packet Connection Direction LAN to WAN Rules Logs WAN to LAN Rules Firewall Logs Label Description Example Rule Summary Block, Forward or None Firewall Rules Summary First Screen Predefined Services Predefined Services Service Description RLOGINTCP513 NEWSTCP144NNTPTCP119 PINGICMP0 Creating/Editing Firewall Rules Creating/Editing a Firewall Rule Source and Destination Addresses Timeout Range Address , Subnet Address and Any Address Factors Influencing Choices for Timeout Values Timeout 10-16 Creating Custom Rules Customized Services Introduction to Customized Services Creating/Editing a Customized Service Creating/Editing a Customized Service Example Custom Service Firewall Rule Click Rule Summary under Internet to Local Network Set Configure Source IP Example Syslog Rule Configuration Example Rule Summary Example Content Filtering Content Filtering OverviewConfiguring Keyword Blocking Content Filter Keyword Configuring the Schedule Content Filter Schedule Configuring Trusted Computers Content Filter Trusted Configuring Logs Content Filter Logs BLOCKUNTRUSTDOMAIN, BLOCKKEYWORD, Blockactivex BLOCKJAVAAPPLET, BLOCKCOOKIE, BlockproxyBlockcybernot VPN/IPSec Page Introduction to IPSec VPN OverviewIPSec Security Association Data Origin Authentication VPN ApplicationsData Integrity IPSec Architecture VPN Application IPSec Algorithms Key Management Transport Mode Tunnel ModeIPSec and NAT Security Protocol Mode NAT VPN and NATESP AH Authentication Header Protocol VPN Screens14.1 VPN/IPSec Overview IPSec Algorithms My IP Address Secure Gateway AddressDynamic Secure Gateway Address AH and ESP VPN Summary Screen IPSec Summary Fields VPN Summary ID Type and Content Keep Alive ID Type and Content Examples Local ID Type and Content FieldsPeer ID Type and Content Fields Local ID TYPE= CONTENT= Matching ID Type and Content Configuration Example Mismatching ID Type and Content Configuration ExamplePre-Shared Key Editing VPN Policies VPN IKE VPN Screens 14-9 14-10 VPN Screens VPN Screens 14-11 Authentication Algorithm fields described next IKE IKE Phases Two Phases to Set Up the IPSec SA Negotiation Mode Diffie-Hellman DH Key Groups 14.11Configuring Advanced IKE Settings Perfect Forward Secrecy PFS VPN IKE Advanced Label Description VPN IKE VPN Screens 14-17 14-18 VPN Screens 14.12Manual Key Setup Security Parameter Index SPI 14.13Configuring Manual Key VPN Manual Key SPI 14-22 VPN Screens VPN Screens 14-23 14.14Viewing SA Monitor SA Monitor 10 SA Monitor 14.15Configuring Global Setting 11 Global Setting 14.16Configuring IPSec Logs 12 VPN Logs 13 Sample IKE Key Exchange Logs LOG Message Description 14 Sample IPSec Logs During Packet Transmission Request conflict with rule #d 15 RFC-2408 Isakmp Payload Types LOG Display Payload Type 14.17Telecommuter VPN/IPSec Examples Telecommuters Sharing One VPN Rule ExampleHeadquarters Telecommuters Telecommuters Using Unique VPN Rules Example All Headquarters Rules All Telecommuter Rules 14.18VPN and Remote Management Remote Management and UPnP Remote Management Configuration Remote Management OverviewRemote Management Limitations Remote Management and NAT System Timeout Telnet15.3 FTP 15.4 Web Configuring Remote Management Remote Management How do I know if Im using UPnP? Universal Plug-and-Play UPnPUniversal Plug and Play Overview NAT Transversal Accessing the Prestige Web Configurator to Configure UPnP Configuring UPnPUPnP and ZyXEL Installing UPnP in Windows Example Field Description Installing UPnP in Windows Me Installing UPnP in Windows XP Double-clickNetwork ConnectionsOptional Networking Component Using UPnP in Windows XP Example Auto-discover Your UPnP-enabled Network Device Internet Connection Properties Web Configurator Easy Access Example Click start and then Control PanelConnections Select My Network Places under Other Places UPnP 16-9 Maintenance Page Maintenance Maintenance OverviewSystem Status Screen System Status VPI/VCI System Statistics System Status Show Statistics Maintenance 17-5 Dhcp Table Screen Dhcp Table Diagnostic Screens Diagnostic General ScreenMAC Diagnostic General Diagnostic DSL Line Screen Prestige 792H G.SHDSL Router Firmware Upgrade Firmware Screen Network Temporarily Disconnected SMT General Configuration Procedure for SMT Configuration via Console Port Procedure for SMT Configuration via TelnetEntering Password Introducing the SMT Login Screen Prestige SMT Menu Overview Prestige Menu Overview Main Menu Commands Navigating the SMT InterfaceOperation Keystroke Description ? or ChangeMe System Management Terminal Interface Summary Main Menu SummaryMenu Title Description Changing the System Password Menu 23 System Password General Setup General SetupConfiguring Menu Configure Menu 1.1 Configure Dynamic DNS discussed next Field Description ExampleYes Configuring Dynamic DNS UserPage WAN Setup Screen From the main menu, enter 2 to open menu 20-5 Dial Backup Dial Backup OverviewConfiguring Dial Backup in Menu Advanced WAN Setup Enter to go to Menu 2.1 Advanced Setup115200 9600, 19200, 38400, 57600, 115200 or 230400 bps Field Description Default Nmbr = Remote Node Profile Backup ISP Advanced WAN Port Setup Call Control ParametersConnect Remote Node Profile Backup ISP CHAP/PAP Press Enter to go to Menu 11.3 Remote Node Network Editing PPP Options Editing TCP/IP OptionsOtherwise select Standard PPP Enter to open Menu 11.3 Network Layer Options NAT Editing Filter Sets BothBoth/ None /In Only /Out Only and None RIP-1 Menu 11.5 Remote Node Filter Ethernet Ethernet Setup LAN Port Filter Setup IP Alias Setup TCP/IP and Dhcp Setup Route IP Setup Both , In Only or Out OnlyRIP-2B or RIP-2M 22.1.4 TCP/IP Ethernet Setup and Dhcp General Setup Both Both, In Only, Out Only or None RIP-1RIP-1,RIP-2B or RIP-2M 22-6 Internet Access Internet Access OverviewInternet Access Setup Enet Encap Or Enet EncapLLC-based UBR Dynamic SUA Only Advanced Applications Remote Node Configuration Remote Node SetupRemote Node Overview Remote Node Setup Encapsulation and Multiplexing Scenarios Then the Rem Login, Rem Password, My Login, My Based or LLC-based Chap To display Menu 11.3 Remote Node Network Layer OptionsTo display Menu 11.6 Remote Node ATM Layer Options Allocated Budget is 10 minutes and the Period hr Remote Node Network Layer Options Remote Static My WAN Addr Sample IP Addresses Options are Both, In Only, Out Only or None Remote Node Filter Sample IP Addresses for a TCP/IP LAN-to-LAN Connection Editing ATM Layer Options VC-based Multiplexing non-PPP EncapsulationPress Enter to open Menu 11.6 Remote Node ATM Layer Options LLC-based Multiplexing or PPP Encapsulation Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation Static Route Setup Static Route Overview Static Route Setup Edit IP Static Route Page Bridging Setup Bridge Ethernet SetupRemote Node Bridging Setup Bridging Overview Bridge Static Route Setup Remote Node Bridging Options Bridge Static Route Setup 26-4 Bridging Setup Applying NAT Applying NAT for Internet Access NAT Setup Full FeatureAddress Mapping Sets Enter 1 to bring up Menu 15.1 Address Mapping Sets Address Mapping Sets Address Mapping Rules SUA User-Defined Address Mapping Sets Field Desription Example Natset Global Start/End IPs EditSelect Rule item One-to-One For ServerTo-One,Many-to-One and Server types NAT Server Sets NAT Server Setup Example 1 Internet Access Only General NAT Examples 11 NAT Example Example 2 Internet Access with an Inside Server 13 NAT Example Example 3 Multiple Public IP Addresses With Inside Servers 14 NAT Example 2 Menu 15 NAT Example 17 Example 3 Menu Enter 2 in Menu 15 NAT Setup Example 4 NAT Unfriendly Application Programs 19 Example 3- Menu 21 Example 4 Menu 22 Example 4 Menu Advanced Management Page Filter Configuration About Filtering Outgoing Packet Filtering Process Execute Filter Rule Filter Rule Process Filter Set Configuration Filter Structure of the Prestige NetBios WAN Filter Rules Summary TelnetWAN Filter Rules Summary Ftpwan Filter Rules Summary Filter Rules Summary Menus Abbreviations Used in the Filter Rules Summary Menu Filter Rule Configuration Rule Abbreviations UsedFilter Type Description GEN 28.3.1 TCP/IP Filter Rule TCP/IP Filter RuleChoices are TCP/IP Filter Rule or Generic Filter Rule TCP/IP Filter Rule Choices are None , Less , Greater , Equal or Not EqualIf More is Yes , then Action Matched and Action Not Check Next Rule Check Next Rule, Forward or DropChoices are Check Next Rule, Forward or Drop 12 Executing an IP Filter Generic Filter Rule 13 Generic Filter Rule Generic Filter Rule Menu Fields Filter Types and NAT Example Filter 15 Sample Telnet Filter 16 Sample Filter Rules Summary Menu 17 Sample Filter Rules Summary Menu Applying Filters and Factory Defaults Ethernet TrafficFilter Sets Table Filter Sets Description Remote Node Filters 19 Filtering Ethernet TrafficPage Snmp Configuration Snmp is only available if TCP/IP is configuredSnmp Overview Snmp Configuration Supported MIBs Snmp Traps Snmp TrapsSnmp Trap # Trap Name Description 29-4 Snmp Configuration System Maintenance System Maintenance OverviewSystem Status System Maintenance Status System Information System InformationWAN Menu 1 General Setup LAN Viewing Error Log Log and TraceConsole Port Speed Sample Error and Information Messages Syslog System Maintenance Menu Syslog Parameters Parameter DescriptionCDR Diagnostic System Maintenance Diagnostic System Maintenance Menu Diagnostic Page Firmware and Configuration File Maintenance Filename Conventions Backup Configuration Filename ConventionsFile Type Internal External Name Description Backup Configuration Using the FTP Command from the Command LineExample of FTP Commands from the Command Line General Commands for GUI-based FTP Clients Command DescriptionGUI-based FTP Clients Tftp and FTP over WAN Will Not Work When Backup Configuration Using Tftp Tftp Command ExampleGUI-based Tftp Clients Backup Via Console Port General Commands for GUI-based Tftp Clients Restore Configuration Backup Configuration Example Restore Using FTP System Maintenance Restore Configuration Restore Using FTP Session Example Restore Via Console Port Uploading Firmware and Configuration Files Firmware File Upload Configuration File Upload 13 System Maintenance Upload System Firmware FTP File Upload Command from the DOS Prompt Example FTP Session Example of Firmware File UploadTftp File Upload Tftp Upload Command Example Uploading Via Console Port Example Xmodem Firmware Upload Using HyperTerminal Uploading Firmware File Via Console Port Uploading Configuration File Via Console Port Example Xmodem Configuration Upload Using HyperTerminal 19 Example Xmodem Upload System Maintenance and Information Command Interpreter Mode Call Control Support Budget Management Budget Management Time and Date Setting System Maintenance Time and Date Setting Resetting the Time Time and Date Setting FieldsNTP RFC-1305 is similar to Time RFC-868 Page IP Policy Routing IP Policy Routing OverviewIP Policy Routing Benefits Routing Policy IP Routing Policy Setup IP Routing Policy Setup Service Abbreviation MeaningCriterion Action Delay, Max Thruput, Min Cost or Max Reliable G t Applying an IP Policy Ethernet IP PoliciesLess, Greater, Less or Equal or Greater or Equal Matched 33-6 IP Policy Routing IP Policy Routing Example Example of IP Policy Routing IP Routing Policy Example Applying IP Policies Page Schedule Setup Call SchedulingCall Scheduling Overview Schedule Set Setup Once Forced On Applying Schedule Sets to a Remote Node PPPoE Remote Management and Telnet Services Remote Management and FTP ServicesRemote Management Remote Management Setup Remote Management and Web ServicesDisabling Remote Management Remote Management Control System Timeout Remote Management and NAT SMT VPN/IPSec and Internal Sptgen VPN/IPSec Setup 36.1 VPN/IPSec Overview Menu 27 VPN/IPSec Setup IPSec Summary Screen Tunnel ESP DES MD5 36-4 VPN/IPSec Setup IPSec Setup Menu 27.1.1 IPSec Setup IPSec Summary Gateway Address field below Address field set to Single Subnet Manual Setup IKE Setup 3Menu 27.1.1.1 IKE SetupField Description Example DES DH1MD5 Manual Setup Mode Security ProtocolActive Protocol Active Protocol Encapsulation and Security Protocol Menu 27.1.1.2 Manual Setup ESP Tunnel VPN/IPSec Setup 36-15 Page Using SA Monitor SA MonitorSA Monitor Overview Taiwan ESP DESRefresh Diagram 37-1 Example VPN Responder IPSec Log Viewing IPSec LogVPN Responder IPSec Log Page Configuration Text File Format Internal SptgenInternal Sptgen Overview 38-2 Internal Sptgen Invalid Parameter Entered Command Line Example Internal Sptgen FTP Download Example Internal Sptgen FTP Upload Example Internal Sptgen FTP Upload Example Appendices and Index Page Troubleshooting Problems Starting Up the PrestigeProblems with the LAN Interface Troubleshooting the Start-Up of Your Prestige Problems with the WAN Interface Problems with Internet AccessTroubleshooting the WAN Interface Troubleshooting Internet Access Problems with the Password Problems with TelnetTroubleshooting the Password Troubleshooting TelnetPage Appendix a PPPoE PPPoE in ActionBenefits of PPPoE Traditional Dial-up Scenario Diagram 2 Prestige as a PPPoE Client Prestige as a PPPoE Client Diagram 3 Virtual Circuit Topology Appendix B Virtual Circuit Topology Power Adapter Specifications Appendix CNorth American Plug Standards United Kingdom Plug Standards European Plug Standards AA-121ABNChina Standards Power Consumption Safety Standards Ccee GB8898 Index 28-4 17-10 Local Network 10-730-6 24-2 24-1,24-2 RIP 30-5 TCP/IP Traceroute