197 | ZyXEL Communications wireless n gigbit router zyxel specification

Chapter 15 IPSec VPN

Note: Both routers must use the same negotiation mode.

These modes are discussed in more detail in Section 15.6.5 on page 222. Main mode is used in various examples in the rest of this section.

IP Addresses of the NBG-460N and Remote IPSec Router

In the NBG-460N, you have to specify the IP addresses of the NBG-460N and the remote IPSec router to establish an IKE SA.

You can usually provide a static IP address or a domain name for the NBG-460N. Sometimes, your NBG-460N might also offer another alternative, such as using the IP address of a port or interface.

You can usually provide a static IP address or a domain name for the remote IPSec router as well. Sometimes, you might not know the IP address of the remote IPSec router (for example, telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router can initiate an IKE SA.

15.3.2 IPSec SA (IKE Phase 2) Overview

Once the NBG-460N and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.

Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore.

Local Network and Remote Network

In an IPSec SA, the local network consists of devices connected to the NBG-460N and may be called the local policy. Similarly, the remote network consists of the devices connected to the remote IPSec router and may be called the remote policy.

Note: It is not recommended to set a VPN rule’s local and remote network settings both to 0.0.0.0 (any). This causes the NBG-460N to try to forward all access attempts (to the local network, the Internet or even the NBG-460N) to the remote IPSec router. In this case, you can no longer manage the NBG-460N.

NBG-460N User’s Guide

197

Image 197

ZyXEL Communications wireless n gigbit router zyxel IPSec SA IKE Phase 2 Overview, 197, Local Network and Remote Network

Contents

NBG-460N Page Intended Audience About This Users GuideRelated Documentation User Guide Feedback About This Users Guide Syntax Conventions Document Conventions Icons Used in Figures Telephone Switch Router ModemNBG-460N Computer Server Dslam Safety Warnings Safety Warnings NBG-460N User’s Guide Contents Overview Contents Overview NBG-460N User’s Guide Table of Contents Chapter Connection Wizard Part II Network WAN 177 Part IV Management 235 Part V Maintenance and Troubleshooting 261 Part VI Appendices and Index Table of Contents NBG-460N User’s Guide Part Page Applications Getting to Know Your NBG-460NOverview Router Mode Wireless ApplicationsLAN NBG460N 3 AP + Bridge AP Mode AP + Bridge Application Bridge Bridge Application Bridge Loop Two Bridges Connected to Hub Feature Router AP Mode Bridge Features Available in Router Mode vs. AP ModeWays to Manage the NBG-460N Router vs. AP vs. Bridge Good Habits for Managing the NBG-460N PowerLEDs Front Panel LEDs This feature Off Device is in normal power mode Wireless LAN Off Wireless LAN is not ready or has failedWAN Wlan Getting to Know Your NBG-460N NBG-460N User’s Guide WPS Button WPS Button NBG-460N User’s Guide Accessing the Web Configurator Introducing the Web ConfiguratorWeb Configurator Overview Change Password Screen Procedure to Use the Reset Button Resetting the NBG-460NNavigating the Web Configurator Icon Description Status Screen in Router ModeStatus Screen Icon Key Scheduler Label DescriptionDhcp When the line is disconnected Wlan is disabledIs enabled and N/A when the Wlan is disabled Memory Usage Screens Summary Navigation PanelLink TAB Function LAN Ddns NATVPN Mgmt Summary Any IP Table Mode As a Router or a Access Point LanguageSummary Bandwidth Management Monitor Logs View Log Summary BW Mgmt Monitor Summary Dhcp Table Host Name field Summary Packet Statistics Intervals field Summary VPN MonitorStop Click Stop to stop refreshing statistics This is the security association index number This is the index number of an associated wireless station Summary Wireless Station StatusAssociation Time NBG-460N’s Wlan network Introducing the Web Configurator NBG-460N User’s Guide Connection Wizard Wizard Setup System Name Connection Wizard System Information Underscores are accepted Domain Name Use the same Ssid in order to access the network Connection Wizard Wireless LANThis option is only available if WPS is not enabled Ssid Wizard Basic WEP Security Basic WEP Security WEP Extend WPA-PSK or WPA2-PSK SecurityAscii HEX Pre-Shared Connection Wizard Internet ConfigurationKey Do this PPPoE Connection Ethernet ConnectionConnection Description Type Pptp Pptp Connection ISP Parameter for Internet Access Wizard Pptp Connection ISP Parameters for Internet Access WAN IP Address Assignment Your IP AddressUse fixed IP address Provided by your ISP 10.0.0.0 172.16.0.0 192.168.0.0 IP Address and Subnet MaskPrivate IP Address Ranges WAN IP and DNS Server Address Assignment DNS Server Address Assignment Choose an IP address WAN MAC AddressWAN IP Address Assignment Wizard WAN MAC Address Connection Wizard Bandwidth management Wizard Bandwidth Management Connection Wizard Complete Connection Wizard Complete Connection Wizard NBG-460N User’s Guide Internet How to Connect to the Internet from an APTutorials Push Button Configuration NBG460N Example WPS Process PIN Method Channel Security SSIDExample3WPA-PSK Pre-Shared Key ThisismyWPA-PSKpre-sharedkey Tutorial Status AP Mode Configure Your Notebook Connecting a Wireless Client to a Wireless Network Link Status Using AP + Bridge Mode and WDS Configuring Your Bridge Mode Settings Pre-Shared Key ThisismyWPA2-PSKpre-sharedkey WPA2-PSK Site-To-Site VPN Tunnel Tutorial Site-To-Site VPN Tunnel SettingsSetting BOB’S NBG-460N JACK’S NBG-460N Tutorial Property Configuring Bob’s NBG-460N VPN Settings Tutorial Authentication Method Configuring Jack’s NBG-460N VPN Settings Tutorial Property Tutorial Authentication Method Pinging Jack’s Local IP Address Checking the VPN Connection Bandwidth Management for your Network Configuring Bandwidth Management by Application Configuring Bandwidth Allocation by IP or IP Range Configuring Bandwidth Management by Custom Application Fields Services Real Audio Rtsp VDO Live FTP Refer to Appedix F on the Bandwidth Mgnt Setting your NBG-460N to AP Mode AP Mode Status Screen Status AP Mode System Setting Configuration Mode Display Network Wireless LAN WPS screenThis shows the LAN port’s Dhcp role Client or None Schedules Or connected Menu AP Mode Setting Logs View Log Maintenance System GeneralReset the factory defaults to your NBG-460N Mask or to get the LAN IP address from a Dhcp server Sys OP General Configuring Your SettingsLAN Settings Table below describes the labels in the screen Wlan and Maintenance Settings Logging in to the Web Configurator in AP Mode Network Page Example of a Wireless Network Wireless LAN What You Should Know Wireless Security OverviewWhat You Can Do Ssid No Authentication Radius Server Types of Encryption for Each Type of Authentication100 Weakest Stronges t 101 General Wireless LAN ScreenPrintable 7-bit Ascii characters for the wireless LAN 102 No SecurityWPA-PSK and WPA2-PSK are available in this field Select Static WEP , WPA-PSK , WPA , WPA2-PSK or WPA2 to add 103 WEP Encryption WEP keys and displays them in the Key fields below Select 64-bit WEP or 128-bit WEP to enable data encryption104 AP or peer computer 105Correct WEP key Hex Security Mode field Server, the reauthentication timer on the Radius server has106 Priority 107 4 WPA/WPA2 Has priority Server, the reauthentication timer on the Radius server108 109 MAC Filter Screen MAC 110 Quality of Service QoS Screen Wireless LAN Advanced Screen111 RTS/CTS On page 123 for more information 112WMM QoS Policy You want to apply WMM QoS 113 Application Priority ConfigurationConfiguration screen User-Defined 114Mail 115 WPS Screen Scheduling Screen WPS Station Screen116 Push Button Whole day 117Following times fields Day 118 WDS Screen 119 Security Mode Static WEPBetween the NBG-460N and any wireless clients ASCII/HEX 120 Technical Reference Security Mode WPA2-PSKRoaming 121 Roaming Example 122 123 Quality of Service IPod Touch Web Configurator WiFi Protected Setup124 WMM QoS Priorities 125 Login Screen 126 System Status WAN connection is not working 127 MBM 128 129 WPS in ProgressPort Forwarding Turn the rule OFF 130Rule is turned on 131 Accessing the iPod Touch Web ConfiguratorAccessing the iPod Touch Web Configurator 132 LAN and WAN 133 134 Configuring Your Internet ConnectionWhat You Need To Know WAN MAC Address Multicast135 136 Iptv STB Port You have one STB 137You have two STBs 192.168.1.20 138 NetBIOS over TCP/IPAuto-Bridge 139 Internet ConnectionEthernet Encapsulation Address 140Defined changes to None after you click Apply WAN MAC PPPoE Encapsulation Setting or upload a different ROM file141 Select Clone the computers MAC address IP Address and enter 142 All of the LANs computers will have access DNS Servers First DNS 143Computer’s Different ROM file 144 Pptp Encapsulation Pptp connection 145 Select Clone the computers MAC address IP Address Advanced WAN Screen146 Select Igmp V-1,IGMP V-2 or None 147 To be in Router Mode for the Iptv STB port to work When the NBG-460N gets a WAN IP address that is notIgmp 148 149 LAN LAN IP Screen IP Pool SetupLAN TCP/IP 150 LAN TCP/IP LAN IP Alias151 Advanced LAN Screen Any IP Setup152 IP address that you assign. Unless you are implementing 153 LANs, WANs and the ZyXEL Device 154 Any IP 155 156 157 Dhcp 158 Dhcp General ScreenDhcp Advanced Screen 159 Select the Enable Dhcp Server check box. When you clearMust have their DNS server addresses manually configured Client List Screen NBG-460Ns system DNS server configured in the WAN Internet160 Select DNS Relay to have the NBG-460N act as a DNS proxy. This is the index number of the host computer 161Host names. After you click Apply, the MAC address and IP Them 162 163 Network Address Translation NAT Select the check box to enable NAT Enable NetworkDefault Server Setup General NAT Screen 165 NAT Application Screen 166 Fields under Add Application Rule Wake On LAN is enabled167 168 Configuring Servers Behind Port Forwarding ExampleGame List Example 169 NAT Advanced Screen Can establish through the NBG-460N Users may not be able to access the Internet170 Trigger Port Forwarding Example LAN that requested the service171 Traffic to a server on the WAN 172 Two Points To Remember About Trigger Ports 173 Dynamic DNSDynDNS Wildcard 174 Enable Dynamic Select this check box to use dynamic DNSDynamic DNS Screen WAN IP address 175 176 177 Part 178 179 Firewall 180 About the NBG-460N FirewallTriangle Routes 181 Triangle Routes and IP Alias 182 Services ScreenGeneral Firewall Screen Icmp 183 Add Firewall Rule screen 184 185 Add Firewall Rule ScreenPool Single IP is selected as the Address Type Address Type Click Clear All to empty the Blocked Services186 187 188 189 Content FilteringContent Filtering Profiles 190 Restrict Web FeaturesKeyword Blocking URL Checking Days and Times 191 Filter Screen Cookies 192Web Proxy Allowed Schedule Screen Which content filtering will be enforced193 Not affected 194 Customizing Keyword Blocking URL CheckingDomain Name or IP Address URL Checking Full Path URL Checking 195 IPSec VPN 196 IKE SA IKE Phase 1 Overview 197 IPSec SA IKE Phase 2 OverviewIP Addresses of the NBG-460N and Remote IPSec Router Local Network and Remote Network 198 General Screen 199 VPN Rule Setup Basic 200 Feature to work Secure Gateway Address field set to Enabled201 202 With dynamic WAN IP addresses Your computer in the Local Content field. The NBG-460N203 Address field refer to the Secure Gateway Address field 204 205 VPN Rule Setup Advanced 206 Security VPN General Rule Setup IKE Advanced 207 Select No to disable it 208 209 210 211 212 Each IPSec SA. It is more secure but takes more time VPN Rule Setup Manual213 214 Security VPN General Rule Setup Manual 215 216 SPI 217Secure Trailing spaces are truncated SA Monitor Screen218 219 VPN and Remote ManagementIKE SA Proposal 220 Diffie-Hellman DH Key Exchange VPN Example Matching ID Type and Content Authentication221 Remote Ipsec Router 222 Negotiation ModeVPN Example Mismatching ID Type and Content 223 15.6.6 VPN, NAT, and NAT Traversal 224 IPSec ProtocolEncapsulation Additional IPSec VPN Topics IPSec SA Proposal and Perfect Forward Secrecy225 SA Life Time Private DNS Server Encryption and Authentication Algorithms226 Private DNS Server Example 227 228 229 Management 230 Lanwan Static Route231 232 IP Static Route Screen 233 Static Route Setup Screen 234 235 Bandwidth ManagementFTP Chat, Email 236 General Configuration Screen Mbps 237Management check box 238 Advanced ConfigurationConnected to the WAN port has an upstream speed of 10 Mbps Wlan Bandwidth Low 239 240 Rule Configuration with the Pre-defined ServiceWlan to WAN To Wlan 241 Rule Configuration User Defined Service Rule Configuration 242 Monitor Screen Media Bandwidth Management Setup Services Predefined Bandwidth Management ServicesService Description Technical References Bandwidth Management Priority with Default Classes Default Bandwidth Management Classes and Priorities244 Class Type Priority Bandwidth Management Priorities Bandwidth Management Priorities245 246 247 Remote Management Remote Management Limitations System TimeoutRemote Management and NAT 248 WWW Screen Specify to access the NBG-460N using this service249 Remote management 250 Telnet ScreenFTP Screen 251 DNS Screen You specify to send DNS queries to the NBG-460N 252 253 Universal Plug-and-Play UPnPNAT Traversal 254 UPnP Screen 255 Using UPnP in Windows XP Example Network Connections 256 257 Internet Connection Properties Advanced Settings 258 Web Configurator Easy Access Network Connections My Network Places 259 Network Connections My Network Places Properties Example 260 261 Maintenance Troubleshooting 262 263 SystemSystem General Screen 264 265 Time Setting Screen Select User Defined Time Server Address and enter the IP 266 267 268 269 Logs View Log Screen Log categories that you selected in the Log Settings270 Display Time and date Log Settings271 Messages will not be sent via e-mail Mail Log Settings Mail Server272 Smtp 273Sent via e-mail Log Descriptions System Maintenance Logs274 LOG Message Description 275 System Error Logs TCP Reset Logs Access Control Logs276 Firewall Attack Alerts screen Packet Filter Logs 277 Icmp Logs 278 UPnP packets can pass through the firewall Content Filtering Logs279 Attack Logs 280 IPSec Logs 281 IKE Logs 282 283 284 802.1X Logs 285PKI Logs 286 ACL Setting NotesPacket Direction Description Type Code Description Syslog Logs 287Icmp Notes LOG Display Payload Type 288RFC-2408 Isakmp Payload Types 289 ToolsFirmware Upload Screen 290 Maintenance Tools Firmware Network Temporarily Disconnected Upload Error Message Backup Configuration Configuration ScreenRestore Configuration Maintenance Restore Configuration 293 Configuration Restore Successful 294 Back to Factory DefaultsRestart Screen Wake On LAN Indicate either Ready or MAC Address errorGreen 295 296 Maintenance Tools Green 297 Configuration Mode Category Link TAB Advanced Configuration Options298 299 Sys Op Mode Router 300 301 Maintenance Sys OP Mode General Firewall or bandwidth management 302 303 LanguageLanguage Screen 304 305 TroubleshootingPower, Hardware Connections, and LEDs 306 NBG-460N Access and Login Advanced Suggestions 307 308 Internet Access Internet connection is slow or intermittent 309 310 Resetting the NBG-460N to Its Factory Defaults 311 Wireless Router/AP Troubleshooting 312 Advanced Features Hardware Features Product Specifications and Wall- Mounting Instructions313 PWR, LAN1-4, WAN, WLAN, WPS Such as microwave ovens, wireless phones Firmware FeaturesBluetooth enabled devices, and other wireless LANs 314 315 Feature Specification Feature Specifications316 Standards Supported Protocol MBM Media Bandwidth Management Wall-mounting Instructions317 Masonry Plug and M4 Tap Screw 318 319 Appendices Index 320 321 Disable pop-up BlockersInternet Explorer Pop-up Blockers 322 Enable pop-up Blockers with Exceptions 323 Select Settings…to open the Pop-up Blocker Settings screen 324 JavaScripts Internet Options Security 325 326 Java Permissions Java Sun 327 Java Sun 328 329 Introduction to IP AddressesStructure 330 Subnet MasksSubnet Mask Identifying Network Number 1ST 2ND 3RD 4TH Octet Network Size 331Subnet Masks Binary 1ST 2ND 3RD 4TH Decimal Octet 332 NotationMaximum Host Numbers Alternative Subnet Mask Notation 333 Subnetting 334 Example Four Subnets IP/SUBNET Mask Network Number Last Octet BIT Value 335 336 Example Eight SubnetsSubnet Planning 337 Configuring IP Addresses16-bit Network Number Subnet Planning NO. Borrowed Subnet Mask NO. Hosts PER Host Bits Subnets Private IP Addresses 338 339 Setting up Your Computer’s IP Address 340 Installing ComponentsWindows 95/98/Me 341 Configuring 342 Verifying Settings 343 Windows 2000/NT/XP Windows XP Control Panel 344 Windows XP Local Area Connection Properties 345 Windows XP Internet Protocol TCP/IP Properties 346 Windows XP Advanced TCP/IP Properties 347 348 349 Macintosh OS 8/9 Macintosh OS 8/9 TCP/IP 350 351 Macintosh OS 352 Using the K Desktop Environment KDELinux Red Hat 9.0 KDE Ethernet Device General 353 354 Using Configuration Files Red Hat 9.0 DNS Settings in resolv.conf Red Hat 9.0 Static IP Address Setting in ifconfig-eth0 356 Verifying Settings 357 Wireless LAN TopologiesAd-hoc Wireless LAN Configuration 358 Basic Service Set 359 Channel RTS/CTS 360 Fragmentation Threshold Ieee 802.11g Wireless LANPreamble Type 361 362 IeeeIeee 802.11g Data Rate Modulation Mbps 363 Types of AuthenticationTypes of Radius Messages EAP-MD5 Message-Digest Algorithm 364 EAP-TTLS Tunneled Transport Layer ServiceEAP-TLS Transport Layer Security Peap Protected EAP WPA2 Comparison of EAP Authentication Types365 Encryption 366 User Authentication 367 27.0.2 WPA2-PSK Application Example27.0.3 WPA2 with Radius Application Example Authentication Encryptio Enter METHOD/ KEY Wireless Security Relational MatrixSecurity Parameters Summary 368 369 Services Name Protocol Ports Description Examples of Services370 371 372 Certifications Copyright373 Disclaimer FCC Radiation Exposure Statement 374 Viewing Certifications ZyXEL Limited Warranty375 Registration 376 377 IndexClasses and priorities CTS Clear to Send Encapsulating Security Payload. See ESP 378Essid IKE SA 379Ethernet PPPoE. see also PPP over Ethernet Language Link type 40 Mbssid 380MAC Radius QoS QoS priorities Quality of Service QoS381 382 Wireless security 98 overview Xbox Live ZyNOS 39 383 384