Manuals / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications 792H manual Viewing IPSec Log, VPN Responder IPSec Log

Models: 792H

1 428

Download 428 pages 12.67 Kb

Page 405

Prestige 792H G.SHDSL Router

37.3 Viewing IPSec Log

To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection.

Index:		Date/Time:	Log:
------------------------------------------------------------
001	01	Jan 08:02:22	Send Main Mode request to <192.168.100.101>
002	01	Jan 08:02:22	Send:<SA>
003	01	Jan 08:02:22	Recv:<SA>
004	01	Jan 08:02:24	Send:<KE><NONCE>
005	01	Jan 08:02:24	Recv:<KE><NONCE>
006	01	Jan 08:02:26	Send:<ID><HASH>
007	01	Jan 08:02:26	Recv:<ID><HASH>
008	01	Jan 08:02:26	Phase 1 IKE SA process done
009	01	Jan 08:02:26	Start Phase 2: Quick Mode
010	01	Jan 08:02:26	Send:<HASH><SA><NONCE><ID><ID>
011	01	Jan 08:02:26	Recv:<HASH><SA><NONCE><ID><ID>
012	01	Jan 08:02:26	Send:<HASH>

Clear IPSec Log (y/n):

Figure 37-2 Example VPN Initiator IPSec Log

37.3.1 VPN Responder IPSec Log

The following figure shows a typical log from the VPN connection peer.

Index:		Date/Time:	Log:
------------------------------------------------------------
001	01	Jan 08:08:07	Recv Main Mode request from <192.168.100.100>
002	01	Jan 08:08:07	Recv:<SA>
003	01	Jan 08:08:08	Send:<SA>
004	01	Jan 08:08:08	Recv:<KE><NONCE>
005	01	Jan 08:08:10	Send:<KE><NONCE>
006	01	Jan 08:08:10	Recv:<ID><HASH>
007	01	Jan 08:08:10	Send:<ID><HASH>
008	01	Jan 08:08:10	Phase 1 IKE SA process done
009	01	Jan 08:08:10	Recv:<HASH><SA><NONCE><ID><ID>
010	01	Jan 08:08:10	Start Phase 2: Quick Mode
011	01	Jan 08:08:10	Send:<HASH><SA><NONCE><ID><ID>
012	01	Jan 08:08:10	Recv:<HASH>

Clear IPSec Log (y/n):

Diagram 37-1 Example VPN Responder IPSec Log

This menu is useful for troubleshooting. A log index number, the date and time the log was created and a log message is displayed.

Double exclamation marks (!!) denote an error or warning message.

SA Monitor

37-3

Image 405

ZyXEL Communications 792H manual Viewing IPSec Log, Diagram 37-1 Example VPN Responder IPSec Log

Contents

Prestige 792H Page Trademarks DisclaimerPage Certifications Page Information for Canadian Users Page Safety Warnings ZyXEL Limited WarrantyPage Customer Support Page Table of Contents WAN Setup LAN SetupDynamic DNS Setup Customized Services 11-1 Firewall ConfigurationContent Filtering 12-1 Creating Custom Rules 10-115-1 14-1General Setup 19-1 Maintenance 17-1WAN Setup 20-4 Dial Backup 21-123-1 22-124-1 25-1Snmp Configuration 29-1 Filter Configuration 28-1System Maintenance 30-1 Firmware and Configuration File Maintenance 31-1IP Policy Routing 33-1 System Maintenance and Information 32-1Call Scheduling 34-1 Remote Management 35-1Troubleshooting 39-1 VPN/IPSec Setup 36-1SA Monitor 37-1 Internal Sptgen 38-1List of Figures Xviii List of Figures List of Figures Xix Diagnostic General 17-8 List of Figures Xxi Xxii List of Figures List of Figures Xxiii Xxiv List of Figures List of Figures Xxv Page List of Tables List of Tables Xxvii Xxviii List of Tables 28-15 Xxx List of Tables Page Syntax Conventions Related DocumentationXxxii Preface Introduction to G.SHDSL Introduction to DSLPart Page Symmetrical High Speed Internet Access Features of the PrestigeGetting to Know Your G.SHDSL Router ScalabilityFirewall IPSec VPN CapabilityTraffic Redirect Snmp Simple Network Management Protocol versions 1IP Alias SUA for Single-IP Address Internet AccessIP Policy Routing 10/100MB Auto-negotiation Ethernet/Fast Ethernet InterfaceEase of Installation Upgrade Firmware via LANUniversal Plug and Play UPnP Full Network ManagementInternet Access Application Scenarios for the PrestigeLAN-to-LAN Application Introducing the Web Configurator Web Configurator OverviewAccessing the Prestige Web Configurator Password Screen Navigating the Prestige Web ConfiguratorConfiguring Password Label Description Resetting the PrestigeUploading a Configuration File Via Console Port Using The Reset ButtonPage Wizard Setup Introduction Wizard SetupWAN Setup Service TypeEncapsulation Standard ModeTransfer Rates PPP over EthernetPPPoA Multiplexing4 RFC VC-based MultiplexingVPI and VCI Wizard Setup Configuration First ScreenRate and the same Transfer Min Rate Server see Service TypePPPoE IP Address and Subnet MaskVPI VCIIP Assignment with PPPoA or PPPoE Encapsulation IP Address AssignmentIP Assignment with RFC 1483 Encapsulation IP Assignment with Enet Encap EncapsulationPrivate IP Addresses Wizard Setup Configuration ISP Parameters Nailed-Up Connection PPP10 NAT Internet Connection with PPPoA Internet Internet Connection with RFC 11.2 RFCEnet Encap Internet Connection with Enet EncapInternet Connection with PPPoE PPPoEDhcp Setup IP Pool Setup Wizard Setup Configuration LAN ConfigurationWizard LAN Configuration Wizard Screen LAN COnfigurationWizard Setup Configuration Connection Tests Wizard Screen Connection Tests Test Your Internet ConnectionPage LAN Overview LAN SetupDNS Server Address LANs, WANs and the PrestigeLAN TCP/IP DNS Server Address AssignmentRIP Setup Factory LAN DefaultsIP Address and Subnet Mask MulticastLAN Configuring LANTCP/IP LAN WAN Setup WAN OverviewMetric PPPoE Encapsulation Traffic Shaping Example of Traffic Shaping Configuring WAN SetupWAN Setup ATM traffic. Enter the VCI assigned to you Subnet as the remote node For remote node setup, enter the IP address in the sameEncap in the Encapsulation field Traffic RedirectTraffic Redirect LAN Setup Configuring WAN BackupWAN Backup Cost Outgoing Authentication Protocol WAN , Traffic Redirect , Dial Backup38400 , 57600 , 115200 or 230400 bps Configuring Advanced WAN Backup Advanced WAN Backup 57600 , 115200 or 230400 bps Choose Both, In Only or Out Only Choose RIP-1,RIP-2B or RIP-2MConnection settings AT Command StringsDTR Signal Configuring Advanced Modem SetupResponse Strings Advanced Modem Setup Nmbr ClidPart Page NAT Overview Network Address Translation NATNAT Definitions What NAT DoesNAT Application How NAT WorksNAT Application With IP Alias NAT Mapping TypesMapping types SUA Single User Account Versus NATNAT Mapping Types Type IP Mapping SMT AbbreviationSUA Server Port Forwarding Services and Port NumbersServices and Port Numbers Configuring Servers Behind SUA ExampleServices Port Number EchoMultiple Servers Behind NAT Example Selecting the NAT ModeConfiguring SUA Server Edit SUA/NAT Server Set Configuring Address Mapping Many-to-One and Server mapping types Address Mapping RulesAddress Mapping Rule Edit Editing an Address Mapping RuleAddress Mapping Rules screen Page Configuring Dynamic DNS Dynamic DNS SetupDynamic DNS Dyndns WildcardDdns Firewall and Content Filter Page Firewall Overview FirewallsTypes of Firewalls Packet Filtering FirewallsStateful Inspection Firewalls Introduction to ZyXEL’s FirewallBasics Denial of ServiceCommon IP Ports Types of DoS AttacksThree-Way Handshake Icmp Commands That Trigger Alerts Legal Smtp Commands Legal NetBIOS CommandsStateful Inspection Message Request Positive Negative Retarget KeepaliveStateful Inspection Stateful Inspection ProcessStateful Inspection and the Prestige 4 UDP/ICMP Security TCP SecurityGuidelines for Enhancing Security with Your Firewall Upper Layer ProtocolsSecurity In General Packet Filtering Packet Filtering Vs FirewallFirewall When To Use FilteringPrestige 792H G.SHDSL Router Firewall Configuration Remote Management and the FirewallEnabling the Firewall E-mail Configuring E-mail AlertsAttack Alert Daily Weekly Hourly When Log is Full NoneAlerts Threshold ValuesHalf-Open Sessions TCP Maximum Incomplete and Blocking Time Following table describes the labels in this screen Alert256 Page Study these points carefully before configuring rules Rule ChecklistCreating Custom Rules Rules OverviewKey Fields For Configuring Rules Security RamificationsBlock means the firewall silently discards the packet LAN to WAN Rules Connection DirectionWAN to LAN Rules LogsLabel Description Example Firewall LogsBlock, Forward or None Rule SummaryFirewall Rules Summary First Screen Predefined Services Service Description Predefined ServicesNEWSTCP144 RLOGINTCP513NNTPTCP119 PINGICMP0Creating/Editing Firewall Rules Creating/Editing a Firewall Rule Source and Destination Addresses Range Address , Subnet Address and Any Address TimeoutTimeout Factors Influencing Choices for Timeout Values10-16 Creating Custom Rules Introduction to Customized Services Customized ServicesCreating/Editing a Customized Service Creating/Editing a Customized ServiceClick Rule Summary under Internet to Local Network Set Example Custom Service Firewall RuleConfigure Source IP Example Syslog Rule Configuration Example Rule Summary Example Content Filtering Content Filtering OverviewConfiguring Keyword Blocking Content Filter Keyword Content Filter Schedule Configuring the ScheduleContent Filter Trusted Configuring Trusted ComputersContent Filter Logs Configuring LogsBLOCKUNTRUSTDOMAIN, BLOCKKEYWORD, Blockactivex BLOCKJAVAAPPLET, BLOCKCOOKIE, BlockproxyBlockcybernot VPN/IPSec Page VPN Overview Introduction to IPSecIPSec Security AssociationData Origin Authentication VPN ApplicationsData Integrity VPN Application IPSec ArchitectureKey Management IPSec AlgorithmsTransport Mode Tunnel ModeIPSec and NAT Security Protocol Mode NAT VPN and NATESP VPN Screens AH Authentication Header Protocol14.1 VPN/IPSec Overview IPSec AlgorithmsSecure Gateway Address My IP AddressDynamic Secure Gateway Address AH and ESPIPSec Summary Fields VPN Summary ScreenVPN Summary Keep Alive ID Type and ContentLocal ID Type and Content Fields ID Type and Content ExamplesPeer ID Type and Content Fields Local ID TYPE= CONTENT=Mismatching ID Type and Content Configuration Example Matching ID Type and Content Configuration ExamplePre-Shared Key Editing VPN PoliciesVPN IKE VPN Screens 14-9 14-10 VPN Screens VPN Screens 14-11 IKE Authentication Algorithm fields described nextTwo Phases to Set Up the IPSec SA IKE PhasesDiffie-Hellman DH Key Groups Negotiation ModePerfect Forward Secrecy PFS 14.11Configuring Advanced IKE SettingsLabel Description VPN IKE VPN IKE AdvancedVPN Screens 14-17 14-18 VPN Screens Security Parameter Index SPI 14.12Manual Key SetupVPN Manual Key 14.13Configuring Manual KeySPI 14-22 VPN Screens VPN Screens 14-23 14.14Viewing SA Monitor 10 SA Monitor SA Monitor11 Global Setting 14.15Configuring Global Setting12 VPN Logs 14.16Configuring IPSec LogsLOG Message Description 13 Sample IKE Key Exchange LogsRequest conflict with rule #d 14 Sample IPSec Logs During Packet TransmissionLOG Display Payload Type 15 RFC-2408 Isakmp Payload Types14.17Telecommuter VPN/IPSec Examples Telecommuters Sharing One VPN Rule ExampleHeadquarters Telecommuters All Headquarters Rules All Telecommuter Rules Telecommuters Using Unique VPN Rules Example14.18VPN and Remote Management Remote Management and UPnP Remote Management Overview Remote Management ConfigurationRemote Management Limitations Remote Management and NATTelnet System Timeout15.3 FTP 15.4 WebRemote Management Configuring Remote ManagementUniversal Plug-and-Play UPnP How do I know if Im using UPnP?Universal Plug and Play Overview NAT TransversalAccessing the Prestige Web Configurator to Configure UPnP Configuring UPnPUPnP and ZyXEL Field Description Installing UPnP in Windows ExampleInstalling UPnP in Windows Me Installing UPnP in Windows XP Double-clickNetwork ConnectionsOptional Networking Component Auto-discover Your UPnP-enabled Network Device Using UPnP in Windows XP ExampleInternet Connection Properties Web Configurator Easy Access Example Click start and then Control PanelConnections Select My Network Places under Other Places UPnP 16-9 Maintenance Page Maintenance Maintenance OverviewSystem Status Screen System Status VPI/VCI System Status Show Statistics System StatisticsMaintenance 17-5 Dhcp Table Dhcp Table ScreenDiagnostic Screens Diagnostic General ScreenMAC Diagnostic General Prestige 792H G.SHDSL Router Diagnostic DSL Line ScreenFirmware Screen Firmware UpgradeNetwork Temporarily Disconnected SMT General Configuration Procedure for SMT Configuration via Telnet Procedure for SMT Configuration via Console PortEntering Password Introducing the SMTPrestige SMT Menu Overview Login ScreenPrestige Menu Overview Navigating the SMT Interface Main Menu CommandsOperation Keystroke Description ? or ChangeMeSystem Management Terminal Interface Summary Main Menu SummaryMenu Title Description Menu 23 System Password Changing the System PasswordGeneral Setup General SetupConfiguring Menu Configure Menu 1.1 Configure Dynamic DNS discussed next Field Description ExampleYes User Configuring Dynamic DNSPage From the main menu, enter 2 to open menu WAN Setup Screen20-5 Dial Backup Dial Backup OverviewConfiguring Dial Backup in Menu Enter to go to Menu 2.1 Advanced Setup Advanced WAN Setup115200 9600, 19200, 38400, 57600, 115200 or 230400 bpsNmbr = Field Description DefaultRemote Node Profile Backup ISP Advanced WAN Port Setup Call Control ParametersConnect CHAP/PAP Remote Node Profile Backup ISPPress Enter to go to Menu 11.3 Remote Node Network Editing PPP Options Editing TCP/IP OptionsOtherwise select Standard PPP NAT Enter to open Menu 11.3 Network Layer OptionsBoth Editing Filter SetsBoth/ None /In Only /Out Only and None RIP-1Menu 11.5 Remote Node Filter Ethernet LAN Port Filter Setup Ethernet SetupTCP/IP and Dhcp Setup IP Alias SetupRoute IP Setup Both , In Only or Out OnlyRIP-2B or RIP-2M General Setup 22.1.4 TCP/IP Ethernet Setup and DhcpBoth Both, In Only, Out Only or None RIP-1RIP-1,RIP-2B or RIP-2M 22-6 Internet Access Internet Access OverviewInternet Access Setup Or Enet Encap Enet EncapLLC-based UBRSUA Only DynamicAdvanced Applications Remote Node Configuration Remote Node SetupRemote Node Overview Encapsulation and Multiplexing Scenarios Remote Node SetupBased or LLC-based Then the Rem Login, Rem Password, My Login, MyTo display Menu 11.3 Remote Node Network Layer Options ChapTo display Menu 11.6 Remote Node ATM Layer Options Allocated Budget is 10 minutes and the Period hrRemote Remote Node Network Layer OptionsStatic Options are Both, In Only, Out Only or None My WAN Addr Sample IP AddressesSample IP Addresses for a TCP/IP LAN-to-LAN Connection Remote Node FilterEditing ATM Layer Options VC-based Multiplexing non-PPP EncapsulationPress Enter to open Menu 11.6 Remote Node ATM Layer Options Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation LLC-based Multiplexing or PPP EncapsulationStatic Route Overview Static Route SetupStatic Route Setup Edit IP Static Route Page Bridge Ethernet Setup Bridging SetupRemote Node Bridging Setup Bridging OverviewRemote Node Bridging Options Bridge Static Route SetupBridge Static Route Setup 26-4 Bridging Setup Applying NAT Applying NAT for Internet Access Full Feature NAT SetupAddress Mapping Sets Enter 1 to bring up Menu 15.1 Address Mapping SetsAddress Mapping Rules SUA Address Mapping SetsUser-Defined Address Mapping Sets Natset Field Desription ExampleGlobal Start/End IPs EditSelect Rule item One-to-One For ServerTo-One,Many-to-One and Server types NAT Server Sets NAT Server Setup General NAT Examples Example 1 Internet Access Only11 NAT Example 13 NAT Example Example 2 Internet Access with an Inside Server14 NAT Example 2 Menu Example 3 Multiple Public IP Addresses With Inside Servers15 NAT Example 17 Example 3 Menu Enter 2 in Menu 15 NAT Setup 19 Example 3- Menu Example 4 NAT Unfriendly Application Programs21 Example 4 Menu 22 Example 4 Menu Advanced Management Page About Filtering Filter ConfigurationOutgoing Packet Filtering Process Filter Rule Process Execute Filter RuleFilter Structure of the Prestige Filter Set ConfigurationNetBios WAN Filter Rules Summary TelnetWAN Filter Rules Summary Ftpwan Filter Rules Summary Abbreviations Used in the Filter Rules Summary Menu Filter Rules Summary MenusRule Abbreviations Used Filter Rule ConfigurationFilter Type Description GEN28.3.1 TCP/IP Filter Rule TCP/IP Filter RuleChoices are TCP/IP Filter Rule or Generic Filter Rule TCP/IP Filter Rule Choices are None , Less , Greater , Equal or Not EqualIf More is Yes , then Action Matched and Action Not Check Next Rule Check Next Rule, Forward or DropChoices are Check Next Rule, Forward or Drop 12 Executing an IP Filter 13 Generic Filter Rule Generic Filter RuleGeneric Filter Rule Menu Fields Example Filter Filter Types and NAT15 Sample Telnet Filter 16 Sample Filter Rules Summary Menu 17 Sample Filter Rules Summary Menu Ethernet Traffic Applying Filters and Factory DefaultsFilter Sets Table Filter Sets Description19 Filtering Ethernet Traffic Remote Node FiltersPage Snmp Configuration Snmp is only available if TCP/IP is configuredSnmp Overview Supported MIBs Snmp ConfigurationSnmp Traps Snmp TrapsSnmp Trap # Trap Name Description29-4 Snmp Configuration System Maintenance System Maintenance OverviewSystem Status System Maintenance Status System Information System InformationWAN LAN Menu 1 General SetupViewing Error Log Log and TraceConsole Port Speed Syslog Sample Error and Information MessagesSystem Maintenance Menu Syslog Parameters Parameter DescriptionCDR System Maintenance Diagnostic DiagnosticSystem Maintenance Menu Diagnostic Page Filename Conventions Firmware and Configuration File MaintenanceBackup Configuration Filename ConventionsFile Type Internal External Name Description Backup Configuration Using the FTP Command from the Command LineExample of FTP Commands from the Command Line Command Description General Commands for GUI-based FTP ClientsGUI-based FTP Clients Tftp and FTP over WAN Will Not Work WhenBackup Configuration Using Tftp Tftp Command ExampleGUI-based Tftp Clients General Commands for GUI-based Tftp Clients Backup Via Console PortBackup Configuration Example Restore ConfigurationSystem Maintenance Restore Configuration Restore Using FTPRestore Via Console Port Restore Using FTP Session ExampleFirmware File Upload Uploading Firmware and Configuration Files13 System Maintenance Upload System Firmware Configuration File UploadFTP File Upload Command from the DOS Prompt Example FTP Session Example of Firmware File UploadTftp File Upload Uploading Via Console Port Tftp Upload Command ExampleUploading Firmware File Via Console Port Example Xmodem Firmware Upload Using HyperTerminalExample Xmodem Configuration Upload Using HyperTerminal Uploading Configuration File Via Console Port19 Example Xmodem Upload Command Interpreter Mode System Maintenance and InformationBudget Management Call Control SupportBudget Management System Maintenance Time and Date Setting Time and Date SettingResetting the Time Time and Date Setting FieldsNTP RFC-1305 is similar to Time RFC-868 Page IP Policy Routing Overview IP Policy RoutingIP Policy Routing Benefits Routing PolicyIP Routing Policy Setup IP Routing Policy SetupAbbreviation Meaning ServiceCriterion ActionG t Delay, Max Thruput, Min Cost or Max ReliableEthernet IP Policies Applying an IP PolicyLess, Greater, Less or Equal or Greater or Equal Matched33-6 IP Policy Routing Example of IP Policy Routing IP Policy Routing ExampleIP Routing Policy Example Applying IP Policies Page Schedule Setup Call SchedulingCall Scheduling Overview Schedule Set Setup Forced On OnceApplying Schedule Sets to a Remote Node PPPoE Remote Management and Telnet Services Remote Management and FTP ServicesRemote Management Remote Management and Web Services Remote Management SetupDisabling Remote Management Remote Management ControlRemote Management and NAT System TimeoutSMT VPN/IPSec and Internal Sptgen 36.1 VPN/IPSec Overview VPN/IPSec SetupIPSec Summary Screen Menu 27 VPN/IPSec SetupESP DES MD5 Tunnel36-4 VPN/IPSec Setup IPSec Setup IPSec Summary Menu 27.1.1 IPSec SetupGateway Address field below Single Address field set toSubnet Manual Setup 3Menu 27.1.1.1 IKE Setup IKE SetupField Description ExampleDES DH1MD5 Mode Security Protocol Manual SetupActive Protocol Active Protocol Encapsulation and Security ProtocolESP Tunnel Menu 27.1.1.2 Manual SetupVPN/IPSec Setup 36-15 Page Using SA Monitor SA MonitorSA Monitor Overview Taiwan ESP DESRefresh Diagram 37-1 Example VPN Responder IPSec Log Viewing IPSec LogVPN Responder IPSec Log Page Configuration Text File Format Internal SptgenInternal Sptgen Overview 38-2 Internal Sptgen Internal Sptgen FTP Download Example Invalid Parameter Entered Command Line ExampleInternal Sptgen FTP Upload Example Internal Sptgen FTP Upload ExampleAppendices and Index Page Problems Starting Up the Prestige TroubleshootingProblems with the LAN Interface Troubleshooting the Start-Up of Your PrestigeProblems with Internet Access Problems with the WAN InterfaceTroubleshooting the WAN Interface Troubleshooting Internet AccessProblems with Telnet Problems with the PasswordTroubleshooting the Password Troubleshooting TelnetPage PPPoE in Action Appendix a PPPoEBenefits of PPPoE Traditional Dial-up ScenarioPrestige as a PPPoE Client Diagram 2 Prestige as a PPPoE ClientAppendix B Virtual Circuit Topology Diagram 3 Virtual Circuit TopologyAppendix C Power Adapter SpecificationsNorth American Plug Standards United Kingdom Plug StandardsEuropean Plug Standards AA-121ABNChina Standards Power Consumption Safety Standards Ccee GB8898 Index 17-10 28-4Local Network 10-730-6 24-1,24-2 24-230-5 RIPTraceroute TCP/IP