Manuals / Brands / Computer Equipment / Network Router / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications P-334U, P-335U 13.1.2 IKE SA Setup, 13.1.1 IKE SA (IKE Phase 1) Overview, Note:, 13.1.1.1 IP Addresses of the ZyXEL Device and Remote IPSec Router

1 335

Download 335 pages, 14.72 Mb

P-334U/P-335U User’s Guide

Figure 83 VPN: IKE SA and IPSec SA

In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X and Y established first.

The rest of this section discusses IKE SA and IPSec SA in more detail.

13.1.1 IKE SA (IKE Phase 1) Overview

The IKE SA provides a secure connection between the ZyXEL Device and remote IPSec router.

It takes several steps to establish an IKE SA. The negotiation mode determines the number of steps to use. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.

Note: Both routers must use the same negotiation mode.

These modes are discussed in more detail in Negotiation Mode on page 143. Main mode is used in various examples in the rest of this section.

13.1.1.1 IP Addresses of the ZyXEL Device and Remote IPSec Router

In the ZyXEL Device, you have to specify the IP addresses of the ZyXEL Device and the remote IPSec router to establish an IKE SA.

You can usually provide a static IP address or a domain name for the ZyXEL Device. Sometimes, your ZyXEL Device might also offer another alternative, such as using the IP address of a port or interface.

You can usually provide a static IP address or a domain name for the remote IPSec router as well. Sometimes, you might not know the IP address of the remote IPSec router (for example, telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router can initiate an IKE SA.

13.1.2 IKE SA Setup

This section provides more details about IKE SAs.

140	Chapter 13 IPSec VPN

Contents

User’s Guide Page Copyright Disclaimer Trademarks Certifications Federal Communications Commission (FCC) Interference Statement Viewing Certifications Safety Warnings ZyXEL Limited Warranty Note Registration Customer Support Page Page Table of Contents Wireless LAN Page Network Address Translation (NAT) Content Filtering Chapter IPSec VPN Static Route Screens Bandwidth Management Remote Management Screens Page Appendix A Appendix B Appendix C Appendix D Appendix E List of Figures Page Page Page Figure 182 Red Hat 9.0: KDE: Network Configuration: Activate Page List of Tables Page Page Page Preface About This User's Guide Related Documentation User Guide Feedback Syntax Conventions Graphics Icons Key Getting to Know Your ZyXEL Device 1.1 ZyXEL Device Overview 1.2 Applications for the ZyXEL Device 1.2.2 Wireless LAN Application 1.3 Ways to Manage the ZyXEL Device 1.4 Good Habits for Managing Your ZyXEL Device Table Page Introducing the Web Configurator 2.1 Web Configurator Overview 2.2Accessing the Web Configurator 2.3 Resetting the ZyXEL Device 2.4Navigating the Web Configurator Page Page 2.4.1 Navigation Panel Page 2.4.2 Summary: Bandwidth Management Monitor BW MGMT Monitor (Details...) 2.4.3 Summary: DHCP Table DHCP Table (Details...) 2.4.4 Summary: Packet Statistics Packet Statistics (Details...) Poll Interval(s) 2.4.5 VPN Monitor VPN Monitor (Details...) 2.4.6 Summary: Wireless Station Status WLAN Station Status (Details...) Association List Page Page Connection Wizard 3.1 Wizard Setup 3.2 Connection Wizard: STEP 1: System Information 3.3 Connection Wizard: STEP 2: Wireless LAN Page 3.3.1 Basic(WEP) Security Basic(WEP) 3.3.2 Extend(WPA-PSKor WPA2-PSK)Security Extend(WPA-PSK) Extend(WPA2-PSK) Pre-Shared 3.3.3 OTIST 3.4 Connection Wizard: STEP 3: Internet Configuration 3.4.2 PPPoE Connection 3.4.3 PPTP Connection Page 3.4.4 Your IP Address 3.4.5 WAN IP Address Assignment 3.4.6 IP Address and Subnet Mask 3.4.7 DNS Server Address Assignment DNS Server Wizard WAN > Internet Connection 3.4.8WAN IP and DNS Server Address Assignment 3.4.9 WAN MAC Address 3.5 Connection Wizard: STEP 4: Bandwidth management 3.6 Connection Wizard Complete Page Wireless LAN 4.1 Wireless Network Overview 4.2Wireless Security Overview 4.2.4 Encryption WPA Static WEP WPA- PSK 4.3 General Wireless LAN Screen 4.3.1 No Security No Security 4.3.2 WEP Encryption Security Mode Page 4.3.3 WPA-PSK/WPA2-PSK 4.3.4 WPA/WPA2 Page 4.4 OTIST 4.4.1.1 AP 4.4.1.2 Wireless Client 4.4.2 Starting OTIST Start Adapter 4.4.3Notes on OTIST 4.5MAC Filter Page 4.6 Wireless LAN Advanced Screen Page Wireless Tutorial 5.1 Example Parameters 5.2 Configuring the AP Enable Wireless LAN SSID_Example3 Auto Channel Selection WPA-PSK ThisismyWPA-PSKpre-sharedkey 5.3 Configuring the Wireless Client 5.3.1 Connecting to a Wireless LAN Site Survey Scan Available Network List Back Exit Confirm Save Link Info Security Settings 5.3.2Creating and Using a Profile Profile Add New Profile Scan Info Infrastructure Select Activate Now Activate Later Connect Page Page WAN 6.1 WAN Overview 6.2 WAN MAC Address 6.3 Internet Connection Page 6.3.2 PPPoE Encapsulation PPP over Ethernet PPPoE Page 6.3.3 PPTP Encapsulation Page Page 6.4 Advanced WAN Screen Figure 64 Advanced LAN 7.1 LAN Overview 7.2 LAN TCP/IP 7.3 LAN IP Screen 7.4 LAN IP Alias 7.5 Advanced LAN Screen Page Page DHCP Server 8.1 DHCP 8.2 DHCP Server General Screen 8.3 DHCP Server Advanced Screen 8.4 Client List Screen Page CHAPTER 9 Network Address Translation (NAT) 9.1 NAT Overview 9.2 Using NAT 9.3 General NAT Screen 9.4 NAT Application Screen Page 9.4.1 Game List Example 9.5 Trigger Port Forwarding 9.6 NAT Advanced Screen Page Page Page Dynamic DNS 10.1 Dynamic DNS Introduction 10.2 Dynamic DNS Screen Page Firewall 11.1 Introduction to Firewall 11.2General Firewall Screen 11.3 Services Screen Figure 79 Services Page Page Content Filtering 12.1 Introduction to Content Filtering 12.2 Restrict Web Features 12.3 Days and Times 12.4 Filter Screen Page 12.5 Schedule 12.6 Customizing Keyword Blocking URL Checking 12.6.3 File Name URL Checking Page IPSec VPN 13.1 IPSec VPN Overview 13.1.1 IKE SA (IKE Phase 1) Overview 13.1.1.1 IP Addresses of the ZyXEL Device and Remote IPSec Router 13.1.2 IKE SA Setup 13.1.2.1 IKE SA Proposal 13.1.2.2 Diffie-Hellman(DH) Key Exchange 13.1.2.3 Authentication Page 13.1.2.4 Negotiation Mode 13.1.3.1 Local Network and Remote Network 13.1.3.2 IPSec Protocol 13.1.3.3 Encapsulation 13.1.3.4 IPSec SA Proposal and Perfect Forward Secrecy 13.1.4.1 SA Life Time 13.1.4.2 Encryption and Authentication Algorithms 13.2 Remote DNS Server 13.3 VPN Summary 13.4 VPN Rule Setup (IKE) Page Page Page Page 13.5 Advanced VPN Rule Setup (IKE) Page Page Page Page Page 13.6 IPSec SA Using Manual Keys 13.7 VPN Rule Setup (Manual) Page Page Page 13.8 VPN SA Monitor 13.9 VPN Global Setting 13.10 Telecommuter VPN/IPSec Examples 13.10.1 Telecommuters Sharing One VPN Rule Example 13.10.2 Telecommuters Using Unique VPN Rules Example Page 13.11 VPN and Remote Management Static Route Screens 14.1 Static Route Overview 14.2 IP Static Route Screen 14.2.1 Static Route Setup Screen Modify Page Bandwidth Management 15.1 Bandwidth Management Overview 15.2Application-basedBandwidth Management 15.3 Subnet-basedBandwidth Management 15.4 Application and Subnet-basedBandwidth Management 15.5 Bandwidth Management Priorities 15.6 Predefined Bandwidth Management Services 15.6.1Services and Port Numbers Page 15.7 Default Bandwidth Management Classes and Priorities 15.8 Bandwidth Management General Configuration 15.9 Bandwidth Management Advanced Configuration Page 15.9.1 Rule Configuration with the Pre-definedService Application List 15.9.2 Rule Configuration with the User-definedService User-defined Service 15.10 Bandwidth Management Monitor Remote Management Screens 16.1 Remote Management Overview 16.2 WWW Screen 16.3 Telnet 16.4 Telnet Screen 16.5 FTP Screen 16.6 DNS Screen Page UPN P 17.1 Universal Plug and Play Overview 17.2 UPnP and ZyXEL 17.3 UPnP Screen 17.4 Installing UPnP in Windows Example Add/Remove Programs Windows Setup Communication Components 17.4.2Installing UPnP in Windows XP 1Click Start and Control Panel 2Double-click Network Connections Windows Optional Networking Components Wizard window displays 17.5Using UPnP in Windows XP Example 17.5.2 Web Configurator Easy Access 1Click Start and then Control Panel 3Select My Network Places under Other Places Local Network Invoke 17.5.3 Web Configurator Easy Access Page Print Server 18.1 Print Server Overview 18.2 ZyXEL Device Print Server 18.3 Print Server Screen Print Server Driver Setup 19.1 Installation Requirements 19.2Windows 95/98 SE/Me/2000/XP/NT Setup Wizard for Windows NT/2000/XP 19.2.1 Print Server Driver Setup Wizard Welcome Select A Print Server Change Settings Yes, I want to change settings Password No, I don’t want to change settings Add New Printer Select A Printer Page 19.2.2Adding a New Printer Local printer LPT Manufacturers Printers Have Disk… Keep existing driver Replace existing driver Do not share this printer 19.3 Macintosh OS Macintosh HD Applications Utilities Printer List IP Printing Printer’s Address 9Deselect the Use default queue on server check box LP1 Name LP1 on Name System 20.1 System Overview 20.2 System General Screen 20.3 Time Setting Screen Page Page Logs 21.1 View Log 21.2 Log Settings Page Page Tools 22.1 Firmware Upload Screen 22.2 Configuration Screen Configuration 22.2.1 Backup Configuration Backup 22.2.2 Restore Configuration 22.2.3 Back to Factory Defaults Reset 22.3 Restart Screen Page Configuration Mode Page Troubleshooting 24.1 Problems Starting Up the ZyXEL Device 24.2 Problems with the LAN 24.3 Problems with the WAN 24.4 Problems Accessing the ZyXEL Device 24.5Problems with Restricted Web Pages and Keyword Blocking Problems with the Password Problems with Remote Management Problems with the Print Server 24.5.1.1 Internet Explorer Pop-upBlockers Privacy Internet Options Block pop-ups 2Select Settings…to open the Pop-upBlocker Settings screen Allowed sites Pop-up Blocker Settings 24.5.1.2JavaScripts Custom Level Scripting Active scripting Scripting of Java applets 24.5.1.3 Java Permissions 2Make sure that Use Java 2 for <applet> under Java (Sun) is selected 24.5.2 ActiveX Controls in Internet Explorer 2In the Internet Options window, click Custom Level Page Page Product Specifications Page Page Page Print Server Specifications ZyXEL Device Print Server Compatible USB Printers Page Page Page Page Setting up Your Computer’s IP Address Windows 95/98/Me Installing Components Microsoft manufacturers TCP/IP Client Configuring Obtain an IP address automatically Specify an IP address Subnet Mask Disable DNS Windows 2000/NT/XP 3Right-click Local Area Connection and then click Properties Internet Protocol (TCP/IP) •Click Advanced IP Settings TCP/IP Address IP address Subnet mask Use the following DNS server addresses Preferred DNS server Alternate DNS server Macintosh OS 8/9 2Select Ethernet built-in from the Connect via list Using DHCP Server Configure: Macintosh OS Linux Using the K Desktop Environment (KDE) System Setting Ethernet Device General Automatically obtain IP address settings with dhcp Using Configuration Files Page Page IP Subnetting IP Addressing IP Classes Subnet Masks Subnetting Example: Two Subnets Page Example: Four Subnets Example Eight Subnets Subnetting With Class A and Class B Networks Page Wireless LANs Wireless LAN Topologies ESS Channel RTS/CTS Fragmentation Threshold Preamble Type IEEE 802.11g Wireless LAN IEEE RADIUS Types of RADIUS Messages Types of Authentication Dynamic WEP Key Exchange WPA and WPA2 Encryption User Authentication Wireless Client WPA Supplicants WPA(2) with RADIUS Application Example WPA(2)-PSKApplication Example Security Parameters Summary Page Log Descriptions Page Page Table 119 ICMP Logs Table 120 CDR Logs Table 121 PPP Logs Table 122 UPnP Logs Page Table 125 IPSec Logs Table 126 IKE Logs Page Page Table 127 PKI Logs Page Page Page Page Log Commands Log Command Example Services Page Page Page Internal SPTGEN Internal SPTGEN Overview The Configuration Text File Format Internal SPTGEN FTP Download Example Internal SPTGEN FTP Upload Example Example Internal SPTGEN Menus Page Page Page Page Table 139 Menu Page Page Page Page Page Page Command Examples Triangle Route The Ideal Setup The “Triangle Route” Problem The “Triangle Route” Solutions IP Aliasing