ZyXEL Communications P-661HW 13.12 IKE Phases

P-661H/HW Series User’s Guide

Table 84 Edit VPN Policies

LABEL	DESCRIPTION

Encryption	Select DES, 3DES, AES or NULL from the drop-down list box.
Algorithm	When you use one of these encryption algorithms for data communications, both
	the sending device and the receiving device must use the same secret key, which
	can be used to encrypt and decrypt the message or to generate and verify a
	message authentication code. The DES encryption algorithm uses a 56-bit key.
	Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result,
	3DES is more secure than DES. It also requires more processing power, resulting
	in increased latency and decreased throughput. This implementation of AES uses
	a 128-bit key. AES is faster than 3DES.
	Select NULL to set up a tunnel without encryption. When you select NULL, you
	do not enter an encryption key.
Authentication	Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and
Algorithm	SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
	data. The SHA1 algorithm is generally considered stronger than MD5, but is
	slower. Select MD5 for minimal security and SHA1 for maximum security.
Advanced	Click Advanced to configure more detailed settings of your IKE key management.

Apply	Click Apply to save your changes back to the ZyXEL Device.

Cancel	Click Cancel to begin configuring this screen afresh.

13.12 IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.

Figure 125 Two Phases to Set Up the IPSec SA

In phase 1 you must:

•Choose a negotiation mode.

•Authenticate the connection by entering a pre-shared key.

•Choose an encryption algorithm.

216	Chapter 13 VPN Screens

Contents

User’s Guide Page Copyright Disclaimer Trademarks Certifications Federal Communications Commission (FCC) Interference Statement Notice Certifications Page Safety Warnings ZyXEL Limited Warranty Note Customer Support Page Page Table of Contents Wizards Wireless LAN Network Address Translation (NAT) Screens Firewall Configuration Content Filtering Introduction to IPSec Page Static Route Bandwidth Management Remote Management Configuration Page Troubleshooting Appendix A Product Specifications Appendix B About ADSL Appendix G Appendix H Appendix Appendix J Appendix K Page List of Figures Page Page Page Page Page List of Tables Page Page Page Preface About This User's Guide Syntax Conventions Related Documentation User Guide Feedback Graphics Icons Key Getting To Know Your ZyXEL Device 1.1 Introducing the ZyXEL Device 1.2 Features High Speed Internet Access Triple Play Service Zero Configuration Internet Access Any IP Media Bandwidth Management Universal Plug and Play (UPnP) PPPoE (RFC2516) Network Address Translation (NAT) Dynamic DNS Support IP Alias TR-069Compliance (P-661HOnly) Housing 4-portSwitch Wireless LAN 1.3 Applications for the ZyXEL Device 1.4 Front Panel LEDs 1.5 Hardware Connection 1.6 Splitters and Microfilters 1.6.1 Connecting a POTS Splitter 1.6.2Telephone Microfilters Page Page Introducing the Web Configurator 2.1 Web Configurator Overview 2.2 Accessing the Web Configurator Login Ignore Go to Wizard setup Go to Advanced setup View Device Status 2.3 Resetting the ZyXEL Device 2.4Navigating the Web Configurator Page Page Page 2.4.2 Status Screen Page 2.4.3 Status: Any IP Table Any IP Table 2.4.4 Status: WLAN Status (Wireless devices only) WLAN Status 2.4.5 Status: VPN Status VPN Status 2.4.6 Status: Bandwidth Status Bandwidth Status 2.4.7 Status: Packet Statistics Packet Statistics Poll Interval(s) 2.4.8 Changing Login Password Maintenance > System Page Wizards 3.1 Internet Setup Wizard 3.1.2.1 Screen 3.1.2.2 Screen 3.1.2.3 Screen Page Page 3.1.3 No DSL Detection 3.2Wireless Connection Wizard Setup (wireless devices only) Page Disable wireless security Manually assign a WEP key 3.2.1Manually assign a WPA-PSKkey Manually assign a key Pre- Shared Key 3.2.2 Manually assign a WEP key Page Finish 3.3 Bandwidth Management Wizard BANDWIDTH MANAGEMENT SETUP 3.3.1 Screen 3.3.2 Screen 3.3.3 Screen Page WAN Setup 4.1 WAN Overview 4.1.1.1 ENET ENCAP 4.1.1.2 PPP over Ethernet 4.1.1.3 PPPoA 4.1.1.4RFC 4.1.2.1 VC-basedMultiplexing 4.1.2.2 LLC-basedMultiplexing 4.1.4.1 IP Assignment with PPPoA or PPPoE Encapsulation 4.1.4.2 IP Assignment with RFC 1483 Encapsulation 4.1.4.3 IP Assignment with ENET ENCAP Encapsulation 4.2 Metric 4.3 Traffic Shaping 4.3.1.1 Constant Bit Rate (CBR) 4.3.1.2 Variable Bit Rate (VBR) 4.3.1.3 Unspecified Bit Rate (UBR) 4.4 Zero Configuration Internet Access 4.5Internet Connection Page 4.5.1 Configuring Advanced Internet Connection Internet Connection Page 4.6 Configuring More Connections 4.6.1 More Connections Edit More Connections Page Page 4.6.2 Configuring More Connections Advanced Setup More Connections Edit 4.7 Traffic Redirect 4.8 Configuring WAN Backup Page Page LAN Setup 5.1 LAN Overview 5.1.1LANs, WANs and the ZyXEL Device 5.1.2.1 IP Pool Setup 5.2LAN TCP/IP 5.2.1.1 Private IP Addresses 5.2.3 Multicast IGMP-v1 IGMP 5.2.4 Any IP 5.2.4.1 How Any IP Works 5.3 Configuring LAN IP Page 5.4 DHCP Setup 5.5 LAN Client List Page 5.6 LAN IP Alias Page Page Wireless LAN 6.1 Wireless Network Overview 6.2Wireless Security Overview 6.2.4 Encryption Static WEP WPA- PSK WPA-PSK WPA 6.3 Wireless Performance Overview 6.4 General Wireless LAN Screen Page 6.4.1 No Security No Security 6.4.2 WEP Encryption Network > Wireless LAN 6.4.3 WPA-PSK/WPA2-PSK Page 6.4.4 WPA/WPA2 Wireless LAN Page 6.4.5 Wireless LAN Advanced Setup 6.5 OTIST 6.5.1.1 AP 6.5.1.2 Wireless Client 6.5.2 Starting OTIST Start OTIST Adapter 6.5.3Notes on OTIST 6.6MAC Filter Page 6.7 WMM QoS 6.7.3 Services 6.8 QoS Screen 6.8.1 ToS (Type of Service) and WMM QoS QoS 6.8.2 Application Priority Configuration Modify Page Page Network Address Translation (NAT) Screens 7.1 NAT Overview 7.1.2 What NAT Does 7.1.3 How NAT Works 7.1.4 NAT Application 7.1.5 NAT Mapping Types One to One Many to One SUA Only 7.2 SUA (Single User Account) Versus NAT 7.3NAT General Setup 7.4 Port Forwarding 7.4.1 Default Server IP Address 7.4.2 Port Forwarding: Services and Port Numbers 7.4.3 Configuring Servers Behind Port Forwarding (Example) 7.5 Configuring Port Forwarding 7.5.1 Port Forwarding Rule Edit 7.6 Address Mapping Page 7.6.1 Address Mapping Rule Edit Address Mapping Page Firewalls 8.1 Firewall Overview 8.2 Types of Firewalls 8.3 Introduction to ZyXEL’s Firewall 8.4 Denial of Service 8.4.2 Types of DoS Attacks Ping of Death Teardrop SYN Flood LAND SYN Attack LAND Attack brute-force 8.4.2.1 ICMP Vulnerability 8.4.2.2 Illegal Commands (NetBIOS and SMTP) 8.4.2.3 Traceroute 8.5 Stateful Inspection 8.5.1 Stateful Inspection Process Firewall General 8.5.2Stateful Inspection and the ZyXEL Device 8.5.3 TCP Security 8.5.4 UDP/ICMP Security 8.6Guidelines for Enhancing Security with Your Firewall 8.7Packet Filtering Vs Firewall 8.7.1.1When To Use Filtering 8.7.2.1When To Use The Firewall Firewall Configuration 9.1 Access Methods 9.2 Firewall Policies Overview 9.3 Rule Logic Overview 9.3.3.1 Action 9.3.3.2 Service 9.3.3.3 Source Address 9.3.3.4 Destination Address 9.4 Connection Direction 9.5 Triangle Route 9.5.2 Solving the “Triangle Route” Problem 9.6 General Firewall Policy 9.7 Firewall Rules Summary 9.7.1 Configuring Firewall Rules Page Page 9.7.2 Customized Services Edit Customized Services 9.8 Example Firewall Rule Customized Service Customized Services Config Any Destination Address Delete Services Rules Page 9.9 Predefined Services Page 9.10 Anti-Probing 9.11 DoS Thresholds 9.11.2.1 TCP Maximum Incomplete and Blocking Time 9.11.3 Configuring Firewall Thresholds Firewall Threshold Page Trend Micro Security Services 10.1 Trend Micro Security Services Overview Service Summary Activate My Services Service Summary 10.2 Configuring TMSS on the ZyXEL Device Page 10.2.2 TMSS Exception List Security > TMSS > Exception List 10.3 TMSS Virus Protection 10.4 Parental Controls Page 10.4.1 Parental Controls Statistics Statistics 10.5 ActiveX Controls in Internet Explorer Page Page Page Content Filtering 11.1 Content Filtering Overview 11.2 Configuring Keyword Blocking 11.3 Configuring the Schedule 11.4 Configuring Trusted Computers Page Introduction to IPSec 12.1 VPN Overview 12.1.3.1 Encryption 12.1.3.2 Data Confidentiality 12.1.3.3 Data Integrity 12.1.3.4 Data Origin Authentication 12.2 IPSec Architecture 12.3 Encapsulation 12.4IPSec and NAT Page Page VPN Screens 13.1 VPN/IPSec Overview 13.2 IPSec Algorithms 13.3 My IP Address 13.4 Secure Gateway Address 13.5 VPN Setup Screen Figure 121 VPN Setup Table 78 VPN Setup 13.6 Keep Alive 13.7 VPN, NAT, and NAT Traversal 13.8 Remote DNS Server 13.9 ID Type and Content 13.9.1 ID Type and Content Examples 13.10 Pre-SharedKey 13.11 Editing VPN Policies Page Page Page Page 13.12 IKE Phases 13.12.1Negotiation Mode Negotiation Mode Main Mode Aggressive Mode Main Mode 13.13 Configuring Advanced IKE Settings Page Page 13.14 Manual Key Setup 13.15 Configuring Manual Key Page Page 13.16 Viewing SA Monitor 13.17 Configuring Global Setting 13.18 Telecommuter VPN/IPSec Examples 13.18.2 Telecommuters Using Unique VPN Rules Example Page 13.19 VPN and Remote Management Page Static Route 14.1 Static Route 14.2Configuring Static Route 14.2.1 Static Route Edit Page Page Bandwidth Management 15.1 Bandwidth Management Overview 15.2 Application-basedBandwidth Management 15.3 Subnet-basedBandwidth Management 15.4 Application and Subnet-basedBandwidth Management 15.5 Scheduler 15.6 Maximize Bandwidth Usage 15.6.2.1 Priority-basedAllotment of Unused and Unbudgeted Bandwidth 15.6.2.2Fairness-basedAllotment of Unused and Unbudgeted Bandwidth 15.7 Configuring Summary 15.8 Bandwidth Management Rule Setup Page 15.8.1 Rule Configuration User define Page 15.9 Bandwidth Monitor Page Dynamic DNS Setup 16.1 Dynamic DNS Overview 16.2 Configuring Dynamic DNS Figure 140 Dynamic DNS Page Page Remote Management Configuration 17.1 Remote Management Overview 17.2 WWW 17.3 Telnet 17.4 Configuring Telnet 17.5 Configuring FTP 17.6 SNMP 17.6.1Supported MIBs 17.6.2 SNMP Traps 17.6.3 Configuring SNMP SNMP Page 17.7 Configuring DNS 17.8 Configuring ICMP Page 17.9 TR-069 (P-661HOnly) Page Universal Plug-and-Play(UPnP) 18.1 Introducing Universal Plug and Play 18.2 UPnP and ZyXEL 18.3 Installing UPnP in Windows Example Communications Universal Plug and Play Add/Remove Programs Properties Installing UPnP in Windows XP 1Click Start and Control Panel 2Double-click Network Connections Network Connections Optional Networking Components … 18.4Using UPnP in Windows XP Example Page Page Page Web Configurator Easy Access 1Click Start and then Control Panel 3Select My Network Places under Other Places Local Network Invoke Page System 19.1 General Setup Page 19.2 Time Setting Page Page Page Logs 20.1 Logs Overview 20.2 Viewing the Logs 20.3 Configuring Log Settings Page Page Tools 21.1 Firmware Upgrade Firmware Upload in Progress Return 21.2 Configuration Page 21.3 Restart Page Diagnostic 22.1 General Diagnostic 22.2 DSL Line Diagnostic Troubleshooting 23.1 Problems Starting Up the ZyXEL Device 23.2 Problems with the LAN 23.3 Problems with the WAN 23.4 Problems Accessing the ZyXEL Device Page Appendix A Product Specifications Specification Tables Table 127 Firmware Page Page Appendix B About ADSL Introduction to DSL ADSL Overview Advantages of ADSL Page Wall-mountingInstructions Page Appendix D Setting up Your Computer’s IP Address Windows 95/98/Me Installing Components Protocol Microsoft manufacturers Client Configuring Obtain an IP address automatically Specify an IP address Subnet Mask Disable DNS Windows 2000/NT/XP Page Internet Protocol (TCP/IP) Use the following IP Address IP address Subnet mask Default gateway •Click Advanced IP Settings TCP/IP Address Default gateways TCP/IP Gateway Address Use the following DNS server addresses Preferred DNS server Alternate DNS server Macintosh OS Automatic Location •Select Built-inEthernet from the Show list Using DHCP Configure Linux Automatically obtain IP address settings with dhcp Statically set IP Addresses Address Default Gateway Address Using Configuration Files Page Appendix E IP Subnetting IP Addressing IP Classes Subnet Masks Subnetting Example: Two Subnets Page Example: Four Subnets Example Eight Subnets Subnetting With Class A and Class B Networks Page Appendix F Command Interpreter Command Syntax Command Usage Page Appendix G Firewall Commands Page Page Page Page Page Appendix H NetBIOS Filter Commands Introduction Display NetBIOS Filter Settings NetBIOS Filter Configuration Appendix PPPoE PPPoE in Action Benefits of PPPoE Traditional Dial-upScenario How PPPoE Works ZyXEL Device as a PPPoE Client Appendix J Log Descriptions Page Page Table 149 ICMP Logs Table 150 CDR Logs Table 151 PPP Logs Table 152 UPnP Logs Page Table 155 IPSec Logs Table 156 IKE Logs Page Page Table 157 PKI Logs Page Page Page Page Log Commands Log Command Example Wireless LANs (wireless devices only) Wireless LAN Topologies ESS Channel RTS/CTS Fragmentation Threshold Preamble Type IEEE 802.11g Wireless LAN IEEE RADIUS Types of Authentication Dynamic WEP Key Exchange WPA and WPA2 User Authentication Wireless Client WPA Supplicants WPA(2) with RADIUS Application Example WPA(2)-PSKApplication Example Security Parameters Summary Page Pop-upWindows, JavaScripts and Java Permissions Internet Explorer Pop-upBlockers Enable pop-upBlockers with Exceptions 2Select Settings…to open the Pop-upBlocker Settings screen Allowed sites JavaScripts Custom Level Scripting Active scripting Scripting of Java applets Java Permissions JAVA (Sun) 2make sure that Use Java 2 for <applet> under Java (Sun) is selected Figure 219 Java (Sun) Index