Manuals / Brands / Computer Equipment / Network Router / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications P-334 15.17.2 Telecommuters Using Unique VPN Rules Example

1 366

Download 366 pages, 12.08 Mb

Prestige 334 User’s Guide

Having everyone use the same pre-shared key may create a vulnerability. If the pre-shared key is compromised, all of the VPN connections using that VPN rule are at risk. A recommended alternative is to use a different VPN rule for each telecommuter and identify them by unique IDs (see the Telecommuters Using Unique VPN Rules Example section )..

Table 56 Telecommuter and Headquarters Configuration Example

	TELECOMMUTER	HEADQUARTERS

My IP Address:	0.0.0.0 (dynamic IP address	Public static IP address
	assigned by the ISP)
Secure Gateway	Public static IP address or domain	0.0.0.0	With this IP address only the
IP Address:	name.	telecommuter can initiate the IPSec tunnel.

Figure 70 Telecommuters Sharing One VPN Rule Example

15.17.2 Telecommuters Using Unique VPN Rules Example

With aggressive negotiation mode (see section Negotiation Mode), the Prestige can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a Prestige at headquarters. They can use different IPSec parameters (including the pre-shared key) and the local IP addresses (or ranges of addresses) can overlap.

181	Chapter 15 VPN Screens

Contents

User’s Guide Copyright Disclaimer Trademarks Federal Communications Commission (FCC) Interference Statement Notice Certifications ZyXEL Limited Warranty Note Safety Warnings Page Customer Support Page Page Table of Contents Wizard Setup System Screens Page Static Route Screens Content Filtering Remote Management Screens Introduction to IPSec Chapter Page Menu 3 LAN Setup Internet Access Remote Node Configuration Static Route Setup Enabling the Firewall SNMP Configuration System Information and Diagnosis Firmware and Configuration File Maintenance Appendix A Appendix B Appendix C Appendix D Appendix E Appendix H TMSS Appendix Triangle Route List of Figures Page Page Page Page Page List of Tables Page Page Page Preface About This User's Guide Related Documentation User Guide Feedback Syntax Conventions Graphics Icons Key Getting to Know Your Prestige 1.1 Prestige Internet Security Gateway Overview 1.2 Prestige Features 1.2.1.1 10/100M Auto-negotiatingEthernet/Fast Ethernet Interface(s) 1.2.1.2 Auto-crossover10/100 Mbps Ethernet Interface(s) 1.2.1.5 Reset Button 1.2.2.1 Trend Micro Security Services 1.2.2.2 IPSec VPN Capability 1.2.2.3 Firewall 1.2.2.4 Content Filtering 1.2.2.7 Universal Plug and Play (UPnP) 1.2.2.8 Call Scheduling 1.2.2.9 PPPoE 1.2.2.10 PPTP Encapsulation 1.2.2.11 Dynamic DNS Support 1.2.2.14 SNMP 1.2.2.15 Network Address Translation (NAT) 1.2.2.16 Traffic Redirect 1.2.2.17 Port Forwarding 1.2.2.18 DHCP (Dynamic Host Configuration Protocol) 1.3 Applications for the Prestige Page Introducing the Web Configurator 2.1 Web Configurator Overview 2.2Accessing the Prestige Web Configurator 2.3 Resetting the Prestige LOGOUT MAINTENANCE DHCP Table F/ W 2.3.3 Navigation Panel Table Page Page Wizard Setup 3.1 Wizard Setup Overview 3.2 Wizard Setup: General Setup and System Name 3.3 Wizard Setup: Screen Page 3.3.2 PPPoE Encapsulation 3.3.3 PPTP Encapsulation Page 3.4 Wizard Setup: Screen 3.4.3 DNS Server Address Assignment 3.4.4WAN MAC Address Page 3.5 Basic Setup Complete Page Page System Screens 4.1 System Overview 4.2 Configuring General Setup Page 4.3 Dynamic DNS 4.4 Configuring Dynamic DNS Figure 12 DDNS Table 9 DDNS 4.5 Configuring Password 4.6 Configuring Time Setting Page Page Page LAN Screens 5.1 LAN Overview 5.2 DHCP Setup 5.3 LAN TCP/IP 5.3.2 IP Address and Subnet Mask 5.3.3 RIP Setup RIP Direction Out Only In Only 5.4 Configuring IP Figure 15 LAN IP Table 12 LAN IP Page 5.5 Configuring Static DHCP 5.6 Configuring IP Alias Figure 17 IP Alias Table 14 IP Alias WAN Screens 6.1 WAN Overview 6.2 TCP/IP Priority (Metric) 6.3 Configuring Route 6.4 Configuring WAN ISP 6.4.2 PPPoE Encapsulation PPP over Ethernet PPPoE Page 6.4.3 PPTP Encapsulation 6.5 Configuring WAN IP Figure 22 WAN: IP Table 19 WAN: IP Page 6.6 Configuring WAN MAC 6.7 Traffic Redirect 6.8 Configuring Traffic Redirect Page Page Network Address Translation (NAT) Screens 7.1 NAT Overview 7.1.2 What NAT Does 7.1.3 How NAT Works 7.1.4 NAT Application 7.1.5 NAT Mapping Types One to One Many to One Many-to-Many Overload 7.2 Using NAT 7.3 SUA Server 7.3.1 Default Server IP Address 7.3.2 Port Forwarding: Services and Port Numbers SUA Server Note: 7.3.3 Configuring Servers Behind SUA (Example) 7.4 Configuring SUA Server Page 7.5 Configuring Address Mapping 7.5.1 Configuring Address Mapping Page 7.6 Trigger Port Forwarding 7.7 Configuring Trigger Port Forwarding Page Page Static Route Screens 8.1 Static Route Overview 8.2 Configuring IP Static Route 8.2.1 Configuring Route Entry Page Page UPN P 9.1 Universal Plug and Play Overview 9.2 UPnP and ZyXEL 9.3 Configuring UPnP 9.4 Installing UPnP in Windows Example 9.4.1 Installing UPnP in Windows Me Add/Remove Programs Windows Setup Communication Components 9.4.2 Installing UPnP in Windows XP 9.5 Using UPnP in Windows XP Example 9.5.1Auto-discoverYour UPnP-enabledNetwork Device Network Connections 9.5.2 Web Configurator Easy Access 1Click Start and then Control Panel 3Select My Network Places under Other Places Local Network Invoke 9.5.3 Web Configurator Easy Access Connections Trend Micro Security Services 10.1 Trend Micro Security Service Overview 10.2 Configuring Service Settings Page 10.3 Virus Protection 10.4 Configuring Virus Protection Page 10.5 Parental Controls 10.6 Parental Controls Configuration Page Page Page 10.6.1 Parental Controls Statistics Page Firewall 11.1 Introduction 11.2Firewall Settings Screen Page 11.3 The Firewall, NAT and Remote Management 11.4 Services Page Page Page Content Filtering 12.1 Introduction to Content Filtering 12.2 Restrict Web Features 12.3 Days and Times 12.4 Configure Content Filtering Page Page Page Remote Management Screens 13.1 Remote Management Overview 13.2 Configuring WWW 13.3 Configuring Telnet 13.4 Configuring TELNET 13.5 Configuring FTP 13.6 SNMP 13.6.1Supported MIBs 13.6.2 SNMP Traps 13.6.3 Configuring SNMP SNMP Page 13.7 Configuring DNS 13.8 Configuring Security Page Page Introduction to IPSec 14.1 VPN Overview 14.1.3.1 Encryption 14.1.3.2 Data Confidentiality 14.1.3.3 Data Integrity 14.2IPSec Architecture 14.3 Encapsulation 14.4IPSec and NAT Page Page VPN Screens 15.1 VPN/IPSec Overview 15.2 IPSec Algorithms 15.3 My IP Address 15.4 Secure Gateway Address 15.5Summary Screen Page 15.6 Keep Alive 15.7 NAT Traversal 15.7.2 Remote DNS Server 15.8 ID Type and Content 15.9 Pre-SharedKey 15.10 Editing VPN Rules Page Page 15.11 IKE Phases 15.11.1 Negotiation Mode Negotiation Mode Main Mode Aggressive Mode Main Mode 15.12 Configuring Advanced IKE Settings Page Page Page Page 15.13 Manual Key Setup 15.14 Configuring Manual Key Page Page 15.15 Viewing SA Monitor 15.16 Configuring Global Setting 15.17 Telecommuter VPN/IPSec Examples 15.17.2 Telecommuters Using Unique VPN Rules Example 15.18 VPN and Remote Management Page Centralized Logs 16.1 View Log Figure 72 View Logs Table 57 View Logs 16.2 Log Settings Page Page Page Maintenance 17.1 Maintenance Overview 17.2 Status Screen Page 17.3 DHCP Table Screen 17.4 F/W Upload Screen 17.4.1 Preparing your Prestige for Firmware Upload Upgrade 17.5Configuration Screen Backup 17.5.2 Restore Configuration 17.6 Restart Screen Page Introducing the SMT 18.1 SMT Introduction 18.2 Navigating the SMT Interface Page 18.2.1 System Management Terminal Interface Summary 18.3 Changing the System Password Page Menu 1 General Setup 19.1 General Setup 19.2 Procedure To Configure Menu Page 19.2.1 Procedure to Configure Dynamic DNS Edit Dynamic DNS Menu 1.1— Configure Dynamic DNS Page Menu 2 WAN Setup 20.1 Introduction to WAN 20.2 WAN Setup Page Menu 3 LAN Setup 21.1 LAN Setup 21.2 Protocol Dependent Ethernet Setup 21.3TCP/IP Ethernet Setup and DHCP Page 21.3.1 IP Alias Setup Edit IP Alias Yes Menu 3.2.1 - IP Alias Setup Page Page Internet Access 22.1 Introduction to Internet Access Setup 22.2 Ethernet Encapsulation Page 22.3 Configuring the PPTP Client 22.4 Configuring the PPPoE Client 22.5 Basic Setup Complete Page Remote Node Configuration 23.1 Introduction to Remote Node Setup 23.2 Remote Node Profile Setup Page 23.2.2.1 Outgoing Authentication Protocol 23.2.2.2 Nailed-UpConnection 23.3 Edit IP My WAN Addr Gateway IP Addr 23.4 Remote Node Filter 23.4.1 Traffic Redirect Setup Menu 11.6 — Traffic Redirect Setup Page Page Static Route Setup 24.1 IP Static Route Setup Menu 12.1 – Edit IP Static Route Setup Network Address Translation (NAT) 25.1 Using NAT 25.2 Applying NAT [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options 25.3 NAT Setup 25.3.1Address Mapping Sets Enter 1 to bring up Menu 15.1 — Address Mapping Sets 25.3.1.1 User-DefinedAddress Mapping Sets 25.3.1.2 Ordering Your Rules Edit Menu 15.1.1.1 - Address Mapping Rule Local Global Start/End IPs 25.4 Configuring a Server behind NAT 25.5 General NAT Examples 25.5.1 Example 1: Internet Access Only Network Address Translation 25.5.2 Example 2: Internet Access with an Inside Server 25.5.3 Example 3: Multiple Public IP Addresses With Inside Servers 1 : Many : Menu 15.1 - Address Mapping Sets Edit Action Start IP Page 9Enter 2 in Menu 15 - NAT Setup 25.5.4 Example 4: NAT Unfriendly Application Programs Many-to-Many No Overload Page 25.6 Configuring Trigger Port Forwarding Page Enabling the Firewall 26.1 Remote Management and the Firewall 26.2Access Methods 26.3 Enabling the Firewall Page Filter Configuration 27.1 Introduction to Filters 27.1.1 The Filter Structure of the Prestige 27.2 Configuring a Filter Set Edit Comments 27.2.1 Configuring a Filter Rule 27.2.2 Configuring a TCP/IP Filter Rule TCP/IP Filter Rule Filter Type Menu 21.1.1.1 - TCP/IP Filter Rule Page 27.2.3 Configuring a Generic Filter Rule Offset Length Mask Value Page 27.3 Example Filter Yes •6 is the TCP IP Protocol Port # Equal Port # Comp 27.4Filter Types and NAT 27.5 Firewall Versus Filters 27.6 Applying a Filter 27.6.2 Applying Remote Node Filters SNMP Configuration 28.1 About SNMP 28.2Supported MIBs 28.3 SNMP Configuration 28.4 SNMP Traps Page System Information and Diagnosis 29.1 System Status Page 29.2 System Information 29.2.2 Console Port Speed Menu 24.2.2 – System Maintenance – Console Port Speed 29.3 Log and Trace 29.3.1.1 CDR 29.3.1.2 Packet triggered 29.3.1.3 Filter log 29.3.1.4 PPP log 29.3.1.5 Firewall log 29.4 Diagnostic 29.4.1 WAN DHCP IP Address Assignment Dynamic Encapsulation Ethernet Page Page Firmware and Configuration File Page Page Page Page Page Page Page Page Page Page Page System Maintenance 31.1 Command Interpreter Mode 31.2 Call Control Support 31.2.2 Call History 31.3 Time and Date Setting Page Page 31.3.1 Resetting the Time Page Remote Management 32.1 Remote Management 32.1.1 Remote Management Limitations Secure Client IP Page Call Scheduling 33.1 Introduction to Call Scheduling Menu 26.1 — Schedule Set Setup Duration PPPoA Page VPN/IPSec Setup 34.1 VPN/IPSec Overview 34.2 IPSec Summary Screen Page Page Page Page Page 34.3 IKE Setup Page 34.4 Manual Setup 34.4.0.1 Active Protocol 34.4.0.2 Security Parameter Index (SPI) Page SA Monitor 35.1 SA Monitor Overview 35.2Using SA Monitor Page Page 35.3 Problems with the Password 35.4 Problems with Remote Management PPPoE in Action Benefits of PPPoE Traditional Dial-upScenario How PPPoE Works Prestige as a PPPoE Client What is PPTP PPTP and the Prestige PPTP Protocol Overview Control & PPP Connections PPP Data Connection Page Introduction Display NetBIOS Filter Settings NetBIOS Filter Configuration Page Table 116 UPnP Logs Windows 95/98/Me Installing Components Adapter Protocol Microsoft manufacturers Configuring Obtain an IP address automatically Specify an IP address Subnet Mask Disable DNS Windows 2000/NT/XP Network and Dial-up 3Right-click Local Area Connection and then click Properties Internet Protocol (TCP/IP) Use the following IP Address IP address Subnet mask Default gateway IP Settin Use the following DNS server addresses Preferred DNS server Alternate DNS server 8Click OK to close the Internet Protocol (TCP/IP) Properties window 9Click OK to close the Local Area Connection Properties window Macintosh OS 8/9 Macintosh OS •Select Built-inEthernet from the Show list Using DHCP Apply Now Page Example Page 2Select the Service Settings tab 3Select the Enable Trend Micro Security Services check box Continue Page Page The Ideal Setup The “Triangle Route” Problem The “Triangle Route” Solutions IP Aliasing Gateways on the WAN Side How To Configure Triangle Route