ZyXEL Communications LTE6100 13.3.7 ID Type and Content, NAT Traversal

Chapter 13 VPN

NAT is not normally compatible with ESP in transport mode either, but the LTE Device’s NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers.

Figure 54 NAT Router Between IPSec Routers

AB

Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. In the above figure, when IPSec router A tries to establish an IKE SA, IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA.

For NAT traversal to work, you must:

•Use ESP security protocol (in either transport or tunnel mode).

•Use IKE keying mode.

•Enable NAT traversal on both IPSec endpoints.

•Set the NAT router to forward UDP port 500 to IPSec router A.

Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. The compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following table.

Table 40 VPN and NAT

SECURITY PROTOCOL	MODE	NAT
AH	Transport	N

AH	Tunnel	N

ESP	Transport	Y*

ESP	Tunnel	Y

Y* - This is supported in the LTE Device if you enable NAT traversal.

13.3.7 ID Type and Content

With aggressive negotiation mode (see Section 13.3.4 on page 94), the LTE Device identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the LTE Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses.

Regardless of the ID type and content configuration, the LTE Device does not allow you to save multiple active rules with overlapping local and remote IP addresses.

With main mode (see Section 13.3.4 on page 94), the ID type and content are encrypted to provide identity protection. In this case the LTE Device can distinguish between different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The LTE Device can

96
96	LTE6100 User’s Guide

Contents

Default Login Details Copyright © ZyXEL Communications Corporation IMPORTANT Related Documentation Contents Overview Page Table of Contents Part I: User’s Guide Chapter Home Networking Routing Dynamic DNS Firewall Traffic Status User Account Time Setting Log Setting Firmware Upgrade Backup/Restore Diagnostic Index Page Page Introduction 1.1 Overview 1.2 Applications for the LTE Device 1.2.1 Internet Access LAN WAN 1.3Ways to Manage the LTE Device 1.4Good Habits for Managing the LTE Device 1.5LEDs (Lights) 1.6 The RESET Button Page Introducing the Web Configurator 2.1 Overview 2.1.1 Accessing the Web Configurator Skip 6The Connection Status screen appears. Figure 6 Connection Status 2.2 The Web Configurator Layout 2.2.1Title Bar 2.2.2 Main Window 2.2.3 Traffic Status 2.2.4 User Account 2.2.5 Navigation Panel Page Page Page Connection Status and System Info 3.1 Overview 3.2 The Connection Status Screen List View Viewing mode Refresh Interval Icon View Info List View 3.3 The System Info Screen 4G LTE N/A LTE Down Maintenance > Reboot Page Page Broadband 4.1 Overview 4.1.1What You Can Do in this Chapter 4.1.2What You Need to Know 4.1.3 Before You Begin 4.2 The Broadband Screen 4.2.1 Edit Internet Connection 4.3 The SIM Screen 4.3.1 PUK Code Screen 4.4 Technical Reference LTE Frequency Band Table UPLINK (UL) OPERATING BAND DOWNLINK (DL) OPERATING BAND BAND BASE STATION RECEIVE Page Page Home Networking 5.1 Overview LAN 5.1.1What You Can Do in this Chapter 5.1.2What You Need To Know Subnet Mask DHCP DNS 5.1.2.2 About UPnP How do I know if I'm using UPnP 5.2 The LAN Setup Screen 5.3 The Static DHCP Screen 5.3.1 Before You Begin 5.4 The UPnP Screen Network Setting > Home Networking > Static DHCP > UPnP Routing 6.1 Overview LANWAN 6.2 Configuring Static Route 6.2.1 Add/Edit Static Route Page Quality of Service (QoS) 7.1 Overview 7.1.1What You Can Do in this Chapter 7.1.2What You Need to Know 7.2 The QoS General Screen 7.3 The Queue Setup Screen 7.3.1 Add/Edit a QoS Queue 7.4 The Class Setup Screen Page 7.4.1 Add/Edit QoS Class Unchange Ether Type Criteria Configuration-Basic section Queue Setup 7.5 The QoS Monitor Screen 7.6 QoS Technical Reference 7.6.1 DiffServ Page Network Address Translation (NAT) 8.1 Overview 8.1.1What You Can Do in this Chapter 8.1.2What You Need To Know 8.2 The Port Forwarding Screen IP Address assigned by ISP 8.2.1 The Port Forwarding Screen 8.2.2 The Port Forwarding Edit Screen 8.3 The DMZ Screen 8.4 The Sessions Screen 8.5 Technical Reference 8.5.1 NAT Definitions 8.5.2 What NAT Does 8.5.3 How NAT Works Page Dynamic DNS 9.1 Overview 9.1.1 What You Need To Know 9.2 The Dynamic DNS Screen Firewall 10.1 Overview LANWAN 10.1.1What You Can Do in this Chapter 10.1.2 What You Need to Know 10.2 The General Screen 10.3 The Services Screen 10.3.1 The Add New Services Entry Screen 10.4 The Access Control Screen 10.4.1 The Add New ACL Rule/Edit Screen 10.5 The DoS Screen 10.6 Firewall Technical Reference 10.6.1 Guidelines For Enhancing Security With Your Firewall 10.6.2Security Considerations Page Page MAC Filter 11.1 Overview 11.1.1 What You Need to Know 11.2 The MAC Filter Screen MAC Address Parental Control 12.1 Overview 12.2 The Parental Control Screen 12.2.1 Add/Edit a Parental Control Rule Service Name Port Page VPN 13.1 Overview 13.2 IPSec VPN 13.2.1 The General Screen Table 36 IPSec VPN 13.2.2 IPSec VPN: Add E-mail Pre-Share Key Pre Share Key Local ID DES 3DES AES128 AES192 AES256 13.2.3 The Monitor Screen 13.3 Technical Reference 13.3.1 IPSec Architecture 13.3.2 Encapsulation 13.3.3 IKE Phases 13.3.4Negotiation Mode 13.3.5IPSec and NAT 13.3.6 VPN, NAT, and NAT Traversal 13.3.7 ID Type and Content 13.3.8 Pre-SharedKey 13.3.9 Diffie-Hellman(DH) Key Groups Logs 14.1 Overview 14.1.1What You Can Do in this Chapter 14.1.2What You Need To Know 14.2The System Log Screen Traffic Status 15.1 Overview 15.1.1What You Can Do in this Chapter 15.2 The WAN Status Screen 15.3 The LAN Status Screen 15.4 The NAT Status Screen Page User Account 16.1 Overview 16.2 The User Account Screen Page Remote MGMT 17.1 Overview 17.1.1 What You Need to Know 17.2 The Remote MGMT Screen Page System 18.1 Overview 18.1.1 What You Need to Know 18.2 The System Screen Page Time Setting 19.1 Overview 19.2 The Time Setting Screen Daylight Savings o'clock field Reset Log Setting 20.1 Overview 20.2 The Log Setting Screen ALL Firmware Upgrade 21.1 Overview 21.2 The Firmware Upgrade Screen Firmware Upgrade Backup/Restore 22.1 Overview 22.2 The Backup/Restore Screen Restore Configuration Do not turn off the LTE Device while configuration file upload is in progress Configuration 22.3 The Reboot Screen Page Diagnostic 23.1 Overview 23.2 The Ping/TraceRoute Screen Page Troubleshooting 24.1 Overview 24.2Power, Hardware Connections, and LEDs 24.3LTE Device Access and Login 24.4Internet Access 24.5UPnP IP Addresses and Subnetting Subnet Masks 1ST OCTET: 2ND 3RD 4TH OCTET Network Size SUBNET MASK HOST ID SIZE MAXIMUM NUMBER OF HOSTS Subnetting Example: Four Subnets Table 61 Subnet IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT Example: Eight Subnets SUBNET FIRST ADDRESS LAST BROADCAST Subnet Planning NO. “BORROWED” NO. SUBNETS NO. HOSTS PER HOST BITS Configuring IP Addresses Private IP Addresses IP Address Conflicts Conflicting Computer IP Addresses Example Conflicting Router IP Addresses Example Conflicting Computer and Router IP Addresses Example Setting Up Your Computer’s IP Address 1Click Start > Control Panel 2In the Control Panel, click the Network Connections icon 3Right-click Local Area Connection and then select Properties 5The Internet Protocol TCP/IP Properties window opens Obtain an IP address automatically 7Click OK to close the Internet Protocol (TCP/IP) Properties window 8Click OK to close the Local Area Connection Properties window Verifying Settings 1Click Start > All Programs > Accessories > Command Prompt Command Prompt Start > Control Panel > Network Connections Support Windows Vista 2In the Control Panel, click the Network and Internet icon 3Click the Network and Sharing Center icon Continue 6Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties 7The Internet Protocol Version 4 (TCP/IPv4) Properties window opens 9Click OK to close the Internet Protocol (TCP/IP) Properties window 10Click OK to close the Local Area Connection Properties window Windows 3Click Change adapter settings Page 5Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties 6The Internet Protocol Version 4 (TCP/IPv4) Properties window opens 8Click OK to close the Internet Protocol (TCP/IP) Properties window 9Click OK to close the Local Area Connection Properties window Mac OS X: 10.3 and 1Click Apple > System Preferences Network Built-in Ethernet Configure Using DHCP Configure IPv4 TCP/IP Manually Subnet Mask Mac OS X: 2In System Preferences, click the Network icon Configure Page Linux: Ubuntu 8 (GNOME) 1Click System > Administration > Network Network Settings Unlock Authenticate Properties Static IP address IP address Subnet mask Gateway address DNS Close Linux: openSUSE 10.3 (KDE) 1Click K Menu > Computer > Administrator Settings (YaST) Run as Root - KDE su YaST Control Center Network Devices Network Card Overview Network Card Setup Address Dynamic Address (DHCP) Statically assigned IP Address Hostname Hostname/DNS Finish KNetwork Manager Task bar Options Page Page Pop-upWindows, JavaScript and Java Permissions Block pop-ups Enable Pop-upBlockers with Exceptions 2Select Settings…to open the Pop-upBlocker Settings screen Add Allowed sites JavaScript Security Custom Level Scripting Active scripting Scripting of Java applets Java Permissions Microsoft VM Java permissions JAVA (Sun) Advanced 2Make sure that Use Java 2 for <applet> under Java (Sun) is selected Figure 131 Java (Sun) Mozilla Firefox Tools Content Page Common Services Page Page Page Legal Information FCC Radiation Exposure Statement 注意 Notices Viewing Certifications Safety Warnings