Manuals / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications 792H manual Field, 3Menu 27.1.1.1 IKE Setup, Description Example, Main

Models: 792H

1 428

Download 428 pages 12.67 Kb

Page 397

Prestige 792H G.SHDSL Router

36.4 IKE Setup

To edit this menu, the Key Management field in Menu 27.1.1 – IPSec Setup must be set to IKE. Move the cursor to the Edit Key Management Setup field in Menu 27.1.1 – IPSec Setup; press [SPACE BAR] to select Yes and then press [ENTER] to display Menu 27.1.1.1 – IKE Setup.

Menu 27.1.1.1 - IKE Setup

Phase 1

Negotiation Mode= Main

PSK= 123456789

Encryption Algorithm= DES

Authentication Algorithm= SHA1

SA Life Time (Seconds)= 28800

Key Group= DH1

Phase 2

Active Protocol = ESP

Encryption Algorithm = DES

Authentication Algorithm = SHA1

SA Life Time (Seconds)= 28800

Encapsulation = Tunnel

Perfect Forward Secrecy (PFS)= None

Press ENTER to Confirm or ESC to Cancel:

Figure 36-5Menu 27.1.1.1 IKE Setup

The following table describes the fields in this menu.

FIELD

Table 36-3Menu 27.1.1.1 IKE Setup

DESCRIPTION	EXAMPLE

Phase 1

Negotiation	Press [SPACE BAR] to choose from Main or Aggressive and then press	Main
Mode	[ENTER]. See earlier for a discussion of these modes. Multiple SAs
	connecting through a secure gateway must have the same negotiation mode.
PSK (Pre-	Prestige gateways authenticate an IKE VPN session by matching pre-shared
Shared Key)	keys. Pre-shared keys are best for small networks with fewer than ten nodes.
	Enter your pre-shared key here. Enter up to 31 characters. Any character may
	be used, including spaces, but trailing spaces are truncated.
	Both ends of the VPN tunnel must use the same pre-shared key. You will
	receive a “PYLD_MALFORMED” (payload malformed) packet if the same pre-
	shared key is not used on both ends.

VPN/IPSec Setup

36-11

Image 397

ZyXEL Communications 792H manual Field, 3Menu 27.1.1.1 IKE Setup, Description Example, Main

Contents

Prestige 792H Page Trademarks DisclaimerPage Certifications Page Information for Canadian Users Page Safety Warnings ZyXEL Limited WarrantyPage Customer Support Page Table of Contents WAN Setup LAN Setup Dynamic DNS Setup Customized Services 11-1 Firewall ConfigurationContent Filtering 12-1 Creating Custom Rules 10-1 15-1 14-1 General Setup 19-1 Maintenance 17-1WAN Setup 20-4 Dial Backup 21-1 23-1 22-124-1 25-1 Snmp Configuration 29-1 Filter Configuration 28-1System Maintenance 30-1 Firmware and Configuration File Maintenance 31-1 IP Policy Routing 33-1 System Maintenance and Information 32-1Call Scheduling 34-1 Remote Management 35-1 Troubleshooting 39-1 VPN/IPSec Setup 36-1SA Monitor 37-1 Internal Sptgen 38-1 List of Figures Xviii List of Figures List of Figures Xix Diagnostic General 17-8 List of Figures Xxi Xxii List of Figures List of Figures Xxiii Xxiv List of Figures List of Figures Xxv Page List of Tables List of Tables Xxvii Xxviii List of Tables 28-15 Xxx List of Tables Page Syntax Conventions Related Documentation Xxxii Preface Introduction to G.SHDSL Introduction to DSL Part Page Symmetrical High Speed Internet Access Features of the PrestigeGetting to Know Your G.SHDSL Router Scalability Firewall IPSec VPN CapabilityTraffic Redirect Snmp Simple Network Management Protocol versions 1 IP Alias SUA for Single-IP Address Internet AccessIP Policy Routing 10/100MB Auto-negotiation Ethernet/Fast Ethernet Interface Ease of Installation Upgrade Firmware via LANUniversal Plug and Play UPnP Full Network Management Application Scenarios for the Prestige Internet AccessLAN-to-LAN Application Web Configurator Overview Introducing the Web ConfiguratorAccessing the Prestige Web Configurator Password Screen Navigating the Prestige Web Configurator Configuring Password Label Description Resetting the Prestige Uploading a Configuration File Via Console Port Using The Reset ButtonPage Wizard Setup Introduction Wizard SetupWAN Setup Service Type Encapsulation Standard ModeTransfer Rates PPP over Ethernet PPPoA Multiplexing4 RFC VC-based Multiplexing VPI and VCI Wizard Setup Configuration First Screen Rate and the same Transfer Min Rate Server see Service Type PPPoE IP Address and Subnet MaskVPI VCI IP Assignment with PPPoA or PPPoE Encapsulation IP Address Assignment IP Assignment with Enet Encap Encapsulation IP Assignment with RFC 1483 EncapsulationPrivate IP Addresses Nailed-Up Connection PPP Wizard Setup Configuration ISP Parameters10 NAT Internet Connection with PPPoA Internet Internet Connection with RFC 11.2 RFC Enet Encap Internet Connection with Enet Encap Internet Connection with PPPoE PPPoE Dhcp Setup IP Pool Setup Wizard Setup Configuration LAN Configuration Wizard LAN Configuration Wizard Screen LAN COnfiguration Wizard Setup Configuration Connection Tests Wizard Screen Connection Tests Test Your Internet ConnectionPage LAN Overview LAN SetupDNS Server Address LANs, WANs and the Prestige LAN TCP/IP DNS Server Address Assignment RIP Setup Factory LAN DefaultsIP Address and Subnet Mask Multicast LAN Configuring LAN TCP/IP LAN WAN Overview WAN SetupMetric PPPoE Encapsulation Traffic Shaping Example of Traffic Shaping Configuring WAN Setup WAN Setup ATM traffic. Enter the VCI assigned to you Subnet as the remote node For remote node setup, enter the IP address in the same Encap in the Encapsulation field Traffic Redirect Traffic Redirect LAN Setup Configuring WAN Backup WAN Backup Cost WAN , Traffic Redirect , Dial Backup Outgoing Authentication Protocol38400 , 57600 , 115200 or 230400 bps Configuring Advanced WAN Backup Advanced WAN Backup 57600 , 115200 or 230400 bps Choose Both, In Only or Out Only Choose RIP-1,RIP-2B or RIP-2M Connection settings AT Command Strings Configuring Advanced Modem Setup DTR SignalResponse Strings Advanced Modem Setup Nmbr Clid Part Page NAT Overview Network Address Translation NATNAT Definitions What NAT Does NAT Application How NAT Works NAT Application With IP Alias NAT Mapping Types Mapping types SUA Single User Account Versus NATNAT Mapping Types Type IP Mapping SMT Abbreviation SUA Server Port Forwarding Services and Port Numbers Services and Port Numbers Configuring Servers Behind SUA ExampleServices Port Number Echo Multiple Servers Behind NAT Example Selecting the NAT Mode Configuring SUA Server Edit SUA/NAT Server Set Configuring Address Mapping Many-to-One and Server mapping types Address Mapping Rules Address Mapping Rule Edit Editing an Address Mapping Rule Address Mapping Rules screen Page Configuring Dynamic DNS Dynamic DNS SetupDynamic DNS Dyndns Wildcard Ddns Firewall and Content Filter Page Firewall Overview FirewallsTypes of Firewalls Packet Filtering Firewalls Stateful Inspection Firewalls Introduction to ZyXEL’s Firewall Basics Denial of Service Common IP Ports Types of DoS Attacks Three-Way Handshake Icmp Commands That Trigger Alerts Legal Smtp Commands Legal NetBIOS CommandsStateful Inspection Message Request Positive Negative Retarget Keepalive Stateful Inspection Stateful Inspection Process Stateful Inspection and the Prestige 4 UDP/ICMP Security TCP Security Upper Layer Protocols Guidelines for Enhancing Security with Your FirewallSecurity In General Packet Filtering Packet Filtering Vs Firewall Firewall When To Use Filtering Prestige 792H G.SHDSL Router Remote Management and the Firewall Firewall ConfigurationEnabling the Firewall E-mail Configuring E-mail Alerts Attack Alert Daily Weekly Hourly When Log is Full None Threshold Values AlertsHalf-Open Sessions TCP Maximum Incomplete and Blocking Time Following table describes the labels in this screen Alert 256 Page Study these points carefully before configuring rules Rule ChecklistCreating Custom Rules Rules Overview Security Ramifications Key Fields For Configuring RulesBlock means the firewall silently discards the packet LAN to WAN Rules Connection Direction WAN to LAN Rules Logs Label Description Example Firewall Logs Block, Forward or None Rule Summary Firewall Rules Summary First Screen Predefined Services Service Description Predefined Services NEWSTCP144 RLOGINTCP513NNTPTCP119 PINGICMP0 Creating/Editing Firewall Rules Creating/Editing a Firewall Rule Source and Destination Addresses Range Address , Subnet Address and Any Address Timeout Timeout Factors Influencing Choices for Timeout Values 10-16 Creating Custom Rules Introduction to Customized Services Customized Services Creating/Editing a Customized Service Creating/Editing a Customized Service Click Rule Summary under Internet to Local Network Set Example Custom Service Firewall Rule Configure Source IP Example Syslog Rule Configuration Example Rule Summary Example Content Filtering Overview Content FilteringConfiguring Keyword Blocking Content Filter Keyword Content Filter Schedule Configuring the Schedule Content Filter Trusted Configuring Trusted Computers Content Filter Logs Configuring Logs BLOCKJAVAAPPLET, BLOCKCOOKIE, Blockproxy BLOCKUNTRUSTDOMAIN, BLOCKKEYWORD, BlockactivexBlockcybernot VPN/IPSec Page VPN Overview Introduction to IPSecIPSec Security Association VPN Applications Data Origin AuthenticationData Integrity VPN Application IPSec Architecture Key Management IPSec Algorithms Tunnel Mode Transport ModeIPSec and NAT VPN and NAT Security Protocol Mode NATESP VPN Screens AH Authentication Header Protocol14.1 VPN/IPSec Overview IPSec Algorithms Secure Gateway Address My IP AddressDynamic Secure Gateway Address AH and ESP IPSec Summary Fields VPN Summary Screen VPN Summary Keep Alive ID Type and Content Local ID Type and Content Fields ID Type and Content ExamplesPeer ID Type and Content Fields Local ID TYPE= CONTENT= Mismatching ID Type and Content Configuration Example Matching ID Type and Content Configuration ExamplePre-Shared Key Editing VPN Policies VPN IKE VPN Screens 14-9 14-10 VPN Screens VPN Screens 14-11 IKE Authentication Algorithm fields described next Two Phases to Set Up the IPSec SA IKE Phases Diffie-Hellman DH Key Groups Negotiation Mode Perfect Forward Secrecy PFS 14.11Configuring Advanced IKE Settings Label Description VPN IKE VPN IKE Advanced VPN Screens 14-17 14-18 VPN Screens Security Parameter Index SPI 14.12Manual Key Setup VPN Manual Key 14.13Configuring Manual Key SPI 14-22 VPN Screens VPN Screens 14-23 14.14Viewing SA Monitor 10 SA Monitor SA Monitor 11 Global Setting 14.15Configuring Global Setting 12 VPN Logs 14.16Configuring IPSec Logs LOG Message Description 13 Sample IKE Key Exchange Logs Request conflict with rule #d 14 Sample IPSec Logs During Packet Transmission LOG Display Payload Type 15 RFC-2408 Isakmp Payload Types Telecommuters Sharing One VPN Rule Example 14.17Telecommuter VPN/IPSec ExamplesHeadquarters Telecommuters All Headquarters Rules All Telecommuter Rules Telecommuters Using Unique VPN Rules Example 14.18VPN and Remote Management Remote Management and UPnP Remote Management Overview Remote Management ConfigurationRemote Management Limitations Remote Management and NAT Telnet System Timeout15.3 FTP 15.4 Web Remote Management Configuring Remote Management Universal Plug-and-Play UPnP How do I know if Im using UPnP?Universal Plug and Play Overview NAT Transversal Configuring UPnP Accessing the Prestige Web Configurator to Configure UPnPUPnP and ZyXEL Field Description Installing UPnP in Windows Example Installing UPnP in Windows Me Double-clickNetwork Connections Installing UPnP in Windows XPOptional Networking Component Auto-discover Your UPnP-enabled Network Device Using UPnP in Windows XP Example Internet Connection Properties Click start and then Control Panel Web Configurator Easy Access ExampleConnections Select My Network Places under Other Places UPnP 16-9 Maintenance Page Maintenance Overview MaintenanceSystem Status Screen System Status VPI/VCI System Status Show Statistics System Statistics Maintenance 17-5 Dhcp Table Dhcp Table Screen Diagnostic General Screen Diagnostic ScreensMAC Diagnostic General Prestige 792H G.SHDSL Router Diagnostic DSL Line Screen Firmware Screen Firmware Upgrade Network Temporarily Disconnected SMT General Configuration Procedure for SMT Configuration via Telnet Procedure for SMT Configuration via Console PortEntering Password Introducing the SMT Prestige SMT Menu Overview Login Screen Prestige Menu Overview Navigating the SMT Interface Main Menu CommandsOperation Keystroke Description ? or ChangeMe Main Menu Summary System Management Terminal Interface SummaryMenu Title Description Menu 23 System Password Changing the System Password General Setup General SetupConfiguring Menu Field Description Example Configure Menu 1.1 Configure Dynamic DNS discussed nextYes User Configuring Dynamic DNSPage From the main menu, enter 2 to open menu WAN Setup Screen 20-5 Dial Backup Overview Dial BackupConfiguring Dial Backup in Menu Enter to go to Menu 2.1 Advanced Setup Advanced WAN Setup115200 9600, 19200, 38400, 57600, 115200 or 230400 bps Nmbr = Field Description Default Advanced WAN Port Setup Call Control Parameters Remote Node Profile Backup ISPConnect CHAP/PAP Remote Node Profile Backup ISP Press Enter to go to Menu 11.3 Remote Node Network Editing TCP/IP Options Editing PPP OptionsOtherwise select Standard PPP NAT Enter to open Menu 11.3 Network Layer Options Both Editing Filter SetsBoth/ None /In Only /Out Only and None RIP-1 Menu 11.5 Remote Node Filter Ethernet LAN Port Filter Setup Ethernet Setup TCP/IP and Dhcp Setup IP Alias Setup Both , In Only or Out Only Route IP SetupRIP-2B or RIP-2M General Setup 22.1.4 TCP/IP Ethernet Setup and Dhcp RIP-1 Both Both, In Only, Out Only or NoneRIP-1,RIP-2B or RIP-2M 22-6 Internet Access Overview Internet AccessInternet Access Setup Or Enet Encap Enet EncapLLC-based UBR SUA Only Dynamic Advanced Applications Remote Node Setup Remote Node ConfigurationRemote Node Overview Encapsulation and Multiplexing Scenarios Remote Node Setup Based or LLC-based Then the Rem Login, Rem Password, My Login, My To display Menu 11.3 Remote Node Network Layer Options ChapTo display Menu 11.6 Remote Node ATM Layer Options Allocated Budget is 10 minutes and the Period hr Remote Remote Node Network Layer Options Static Options are Both, In Only, Out Only or None My WAN Addr Sample IP Addresses Sample IP Addresses for a TCP/IP LAN-to-LAN Connection Remote Node Filter VC-based Multiplexing non-PPP Encapsulation Editing ATM Layer OptionsPress Enter to open Menu 11.6 Remote Node ATM Layer Options Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation LLC-based Multiplexing or PPP Encapsulation Static Route Overview Static Route Setup Static Route Setup Edit IP Static Route Page Bridge Ethernet Setup Bridging SetupRemote Node Bridging Setup Bridging Overview Remote Node Bridging Options Bridge Static Route Setup Bridge Static Route Setup 26-4 Bridging Setup Applying NAT Applying NAT for Internet Access Full Feature NAT SetupAddress Mapping Sets Enter 1 to bring up Menu 15.1 Address Mapping Sets Address Mapping Rules SUA Address Mapping Sets User-Defined Address Mapping Sets Natset Field Desription Example Edit Global Start/End IPsSelect Rule item For Server One-to-OneTo-One,Many-to-One and Server types NAT Server Sets NAT Server Setup General NAT Examples Example 1 Internet Access Only 11 NAT Example 13 NAT Example Example 2 Internet Access with an Inside Server 14 NAT Example 2 Menu Example 3 Multiple Public IP Addresses With Inside Servers 15 NAT Example 17 Example 3 Menu Enter 2 in Menu 15 NAT Setup 19 Example 3- Menu Example 4 NAT Unfriendly Application Programs 21 Example 4 Menu 22 Example 4 Menu Advanced Management Page About Filtering Filter Configuration Outgoing Packet Filtering Process Filter Rule Process Execute Filter Rule Filter Structure of the Prestige Filter Set Configuration NetBios WAN Filter Rules Summary TelnetWAN Filter Rules Summary Ftpwan Filter Rules Summary Abbreviations Used in the Filter Rules Summary Menu Filter Rules Summary Menus Rule Abbreviations Used Filter Rule ConfigurationFilter Type Description GEN TCP/IP Filter Rule 28.3.1 TCP/IP Filter RuleChoices are TCP/IP Filter Rule or Generic Filter Rule Choices are None , Less , Greater , Equal or Not Equal TCP/IP Filter RuleIf More is Yes , then Action Matched and Action Not Check Next Rule, Forward or Drop Check Next RuleChoices are Check Next Rule, Forward or Drop 12 Executing an IP Filter 13 Generic Filter Rule Generic Filter Rule Generic Filter Rule Menu Fields Example Filter Filter Types and NAT 15 Sample Telnet Filter 16 Sample Filter Rules Summary Menu 17 Sample Filter Rules Summary Menu Ethernet Traffic Applying Filters and Factory DefaultsFilter Sets Table Filter Sets Description 19 Filtering Ethernet Traffic Remote Node FiltersPage Snmp is only available if TCP/IP is configured Snmp ConfigurationSnmp Overview Supported MIBs Snmp Configuration Snmp Traps Snmp TrapsSnmp Trap # Trap Name Description 29-4 Snmp Configuration System Maintenance Overview System MaintenanceSystem Status System Maintenance Status System Information System InformationWAN LAN Menu 1 General Setup Log and Trace Viewing Error LogConsole Port Speed Syslog Sample Error and Information Messages Parameter Description System Maintenance Menu Syslog ParametersCDR System Maintenance Diagnostic Diagnostic System Maintenance Menu Diagnostic Page Filename Conventions Firmware and Configuration File Maintenance Filename Conventions Backup ConfigurationFile Type Internal External Name Description Using the FTP Command from the Command Line Backup ConfigurationExample of FTP Commands from the Command Line Command Description General Commands for GUI-based FTP ClientsGUI-based FTP Clients Tftp and FTP over WAN Will Not Work When Tftp Command Example Backup Configuration Using TftpGUI-based Tftp Clients General Commands for GUI-based Tftp Clients Backup Via Console Port Backup Configuration Example Restore Configuration System Maintenance Restore Configuration Restore Using FTP Restore Via Console Port Restore Using FTP Session Example Firmware File Upload Uploading Firmware and Configuration Files 13 System Maintenance Upload System Firmware Configuration File Upload FTP Session Example of Firmware File Upload FTP File Upload Command from the DOS Prompt ExampleTftp File Upload Uploading Via Console Port Tftp Upload Command Example Uploading Firmware File Via Console Port Example Xmodem Firmware Upload Using HyperTerminal Example Xmodem Configuration Upload Using HyperTerminal Uploading Configuration File Via Console Port 19 Example Xmodem Upload Command Interpreter Mode System Maintenance and Information Budget Management Call Control Support Budget Management System Maintenance Time and Date Setting Time and Date Setting Time and Date Setting Fields Resetting the TimeNTP RFC-1305 is similar to Time RFC-868 Page IP Policy Routing Overview IP Policy RoutingIP Policy Routing Benefits Routing Policy IP Routing Policy Setup IP Routing Policy Setup Abbreviation Meaning ServiceCriterion Action G t Delay, Max Thruput, Min Cost or Max Reliable Ethernet IP Policies Applying an IP PolicyLess, Greater, Less or Equal or Greater or Equal Matched 33-6 IP Policy Routing Example of IP Policy Routing IP Policy Routing Example IP Routing Policy Example Applying IP Policies Page Call Scheduling Schedule SetupCall Scheduling Overview Schedule Set Setup Forced On Once Applying Schedule Sets to a Remote Node PPPoE Remote Management and FTP Services Remote Management and Telnet ServicesRemote Management Remote Management and Web Services Remote Management SetupDisabling Remote Management Remote Management Control Remote Management and NAT System Timeout SMT VPN/IPSec and Internal Sptgen 36.1 VPN/IPSec Overview VPN/IPSec Setup IPSec Summary Screen Menu 27 VPN/IPSec Setup ESP DES MD5 Tunnel 36-4 VPN/IPSec Setup IPSec Setup IPSec Summary Menu 27.1.1 IPSec Setup Gateway Address field below Single Address field set to Subnet Manual Setup 3Menu 27.1.1.1 IKE Setup IKE SetupField Description Example DH1 DESMD5 Mode Security Protocol Manual SetupActive Protocol Active Protocol Encapsulation and Security Protocol ESP Tunnel Menu 27.1.1.2 Manual Setup VPN/IPSec Setup 36-15 Page SA Monitor Using SA MonitorSA Monitor Overview ESP DES TaiwanRefresh Viewing IPSec Log Diagram 37-1 Example VPN Responder IPSec LogVPN Responder IPSec Log Page Internal Sptgen Configuration Text File FormatInternal Sptgen Overview 38-2 Internal Sptgen Internal Sptgen FTP Download Example Invalid Parameter Entered Command Line Example Internal Sptgen FTP Upload Example Internal Sptgen FTP Upload Example Appendices and Index Page Problems Starting Up the Prestige TroubleshootingProblems with the LAN Interface Troubleshooting the Start-Up of Your Prestige Problems with Internet Access Problems with the WAN InterfaceTroubleshooting the WAN Interface Troubleshooting Internet Access Problems with Telnet Problems with the PasswordTroubleshooting the Password Troubleshooting TelnetPage PPPoE in Action Appendix a PPPoEBenefits of PPPoE Traditional Dial-up Scenario Prestige as a PPPoE Client Diagram 2 Prestige as a PPPoE Client Appendix B Virtual Circuit Topology Diagram 3 Virtual Circuit Topology Appendix C Power Adapter SpecificationsNorth American Plug Standards United Kingdom Plug Standards AA-121ABN European Plug StandardsChina Standards Power Consumption Safety Standards Ccee GB8898 Index 17-10 28-4 10-7 Local Network30-6 24-1,24-2 24-2 30-5 RIP Traceroute TCP/IP