207 | ZyXEL Communications wireless n gigbit router zyxel specification

Chapter 15 IPSec VPN

The following table describes the labels in this screen.

Table 69 Security > VPN > General > Rule Setup: IKE (Advanced)

LABEL	DESCRIPTION
Property

Active	Select this check box to activate this VPN policy.

Keep Alive	Select this check box to have the NBG-460N automatically reinitiate
	the SA after the SA lifetime times out, even if there is no traffic. The
	remote IPSec router must also have keep alive enabled in order for
	this feature to work.

NAT Traversal	Select this check box to enable NAT traversal. NAT traversal allows
	you to set up a VPN connection when there are NAT routers between
	the two IPSec routers.

	Note: The remote IPSec router must also have NAT traversal
	enabled.
	You can use NAT traversal with ESP protocol using Transport or
	Tunnel mode, but not with AH protocol nor with manual key
	management. In order for an IPSec router behind a NAT router to
	receive an initiating IPSec packet, set the NAT router to forward UDP
	ports 500 and 4500 to the IPSec router behind the NAT router.

IPSec Keying	Select IKE or Manual from the drop-down list box. IKE provides
Mode	more protection so it is generally recommended. Manual is a useful
	option for troubleshooting if you have problems using IKE key
	management.

Protocol Number	Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and
	signifies any protocol.

Enable Replay	As a VPN setup is processing intensive, the system is vulnerable to
Detection	Denial of Service (DoS) attacks The IPSec receiver can detect and
	reject old or duplicate packets to protect against replay attacks.
	Select Yes from the drop-down menu to enable replay detection, or
	select No to disable it.

DNS Server (for	If there is a private DNS server that services the VPN, type its IP
IPSec VPN)	address here. The NBG-460N assigns this additional DNS server to
	the NBG-460N's DHCP clients that have IP addresses in this IPSec
	rule's range of local addresses.
	A DNS server allows clients on the VPN to find other computers and
	servers on the VPN by their (private) domain names.

NBG-460N User’s Guide

207

Image 207

ZyXEL Communications wireless n gigbit router zyxel manual 207, Select No to disable it

Contents

NBG-460N Page User Guide Feedback About This Users GuideIntended Audience Related Documentation About This Users Guide Syntax Conventions Document Conventions Dslam Telephone Switch Router ModemIcons Used in Figures NBG-460N Computer Server Safety Warnings Safety Warnings NBG-460N User’s Guide Contents Overview Contents Overview NBG-460N User’s Guide Table of Contents Chapter Connection Wizard Part II Network WAN 177 Part IV Management 235 Part V Maintenance and Troubleshooting 261 Part VI Appendices and Index Table of Contents NBG-460N User’s Guide Part Page Getting to Know Your NBG-460N OverviewApplications NBG460N Wireless ApplicationsRouter Mode LAN 3 AP + Bridge AP Mode AP + Bridge Application Bridge Bridge Application Bridge Loop Two Bridges Connected to Hub Router vs. AP vs. Bridge Features Available in Router Mode vs. AP ModeFeature Router AP Mode Bridge Ways to Manage the NBG-460N Front Panel LEDs PowerGood Habits for Managing the NBG-460N LEDs Wlan Wireless LAN Off Wireless LAN is not ready or has failedThis feature Off Device is in normal power mode WAN Getting to Know Your NBG-460N NBG-460N User’s Guide WPS Button WPS Button NBG-460N User’s Guide Introducing the Web Configurator Web Configurator OverviewAccessing the Web Configurator Change Password Screen Resetting the NBG-460N Navigating the Web ConfiguratorProcedure to Use the Reset Button Status Screen in Router Mode Status Screen Icon KeyIcon Description Label Description DhcpScheduler Memory Usage Wlan is disabledWhen the line is disconnected Is enabled and N/A when the Wlan is disabled LAN Navigation PanelScreens Summary Link TAB Function Mgmt NATDdns VPN Logs View Log Mode As a Router or a Access Point LanguageSummary Any IP Table Summary Bandwidth Management Monitor Summary BW Mgmt Monitor Summary Dhcp Table Host Name field Summary Packet Statistics This is the security association index number Summary VPN MonitorIntervals field Stop Click Stop to stop refreshing statistics NBG-460N’s Wlan network Summary Wireless Station StatusThis is the index number of an associated wireless station Association Time Introducing the Web Configurator NBG-460N User’s Guide Connection Wizard Wizard Setup System Name Connection Wizard System Information Underscores are accepted Domain Name Ssid Connection Wizard Wireless LANUse the same Ssid in order to access the network This option is only available if WPS is not enabled Wizard Basic WEP Security Basic WEP Security HEX Extend WPA-PSK or WPA2-PSK SecurityWEP Ascii Do this Connection Wizard Internet ConfigurationPre-Shared Key Pptp Ethernet ConnectionPPPoE Connection Connection Description Type Pptp Connection ISP Parameter for Internet Access Wizard Pptp Connection ISP Parameters for Internet Access Provided by your ISP Your IP AddressWAN IP Address Assignment Use fixed IP address IP Address and Subnet Mask Private IP Address Ranges10.0.0.0 172.16.0.0 192.168.0.0 WAN IP and DNS Server Address Assignment DNS Server Address Assignment WAN MAC Address WAN IP Address AssignmentChoose an IP address Wizard WAN MAC Address Connection Wizard Bandwidth management Wizard Bandwidth Management Connection Wizard Complete Connection Wizard Complete Connection Wizard NBG-460N User’s Guide How to Connect to the Internet from an AP TutorialsInternet Push Button Configuration NBG460N Example WPS Process PIN Method Pre-Shared Key ThisismyWPA-PSKpre-sharedkey SSIDExample3Channel Security WPA-PSK Tutorial Status AP Mode Configure Your Notebook Connecting a Wireless Client to a Wireless Network Link Status Using AP + Bridge Mode and WDS Configuring Your Bridge Mode Settings Pre-Shared Key ThisismyWPA2-PSKpre-sharedkey WPA2-PSK Site-To-Site VPN Tunnel Settings Setting BOB’S NBG-460N JACK’S NBG-460NSite-To-Site VPN Tunnel Tutorial Tutorial Property Configuring Bob’s NBG-460N VPN Settings Tutorial Authentication Method Configuring Jack’s NBG-460N VPN Settings Tutorial Property Tutorial Authentication Method Pinging Jack’s Local IP Address Checking the VPN Connection Bandwidth Management for your Network Configuring Bandwidth Management by Application Configuring Bandwidth Allocation by IP or IP Range Configuring Bandwidth Management by Custom Application Fields Services Real Audio Rtsp VDO Live FTP Refer to Appedix F on the Bandwidth Mgnt Setting your NBG-460N to AP Mode AP Mode Status Screen Status AP Mode Schedules Display Network Wireless LAN WPS screenSystem Setting Configuration Mode This shows the LAN port’s Dhcp role Client or None Or connected Menu AP Mode Mask or to get the LAN IP address from a Dhcp server Maintenance System GeneralSetting Logs View Log Reset the factory defaults to your NBG-460N Configuring Your Settings LAN SettingsSys OP General Table below describes the labels in the screen Wlan and Maintenance Settings Logging in to the Web Configurator in AP Mode Network Page Example of a Wireless Network Wireless LAN Wireless Security Overview What You Can DoWhat You Should Know Ssid Weakest Stronges t Types of Encryption for Each Type of AuthenticationNo Authentication Radius Server 100 General Wireless LAN Screen Printable 7-bit Ascii characters for the wireless LAN101 Select Static WEP , WPA-PSK , WPA , WPA2-PSK or WPA2 to add No Security102 WPA-PSK and WPA2-PSK are available in this field 103 WEP Encryption Select 64-bit WEP or 128-bit WEP to enable data encryption 104WEP keys and displays them in the Key fields below Hex 105AP or peer computer Correct WEP key Priority Server, the reauthentication timer on the Radius server hasSecurity Mode field 106 107 4 WPA/WPA2 Server, the reauthentication timer on the Radius server 108Has priority 109 MAC Filter Screen MAC 110 RTS/CTS Wireless LAN Advanced ScreenQuality of Service QoS Screen 111 You want to apply WMM QoS 112On page 123 for more information WMM QoS Policy Application Priority Configuration Configuration screen113 114 MailUser-Defined 115 WPS Screen Push Button WPS Station ScreenScheduling Screen 116 Day 117Whole day Following times fields 118 WDS Screen Security Mode Static WEP Between the NBG-460N and any wireless clients119 ASCII/HEX 120 121 Security Mode WPA2-PSKTechnical Reference Roaming Roaming Example 122 123 Quality of Service WMM QoS Priorities WiFi Protected SetupIPod Touch Web Configurator 124 125 Login Screen 126 System Status WAN connection is not working 127 MBM 128 WPS in Progress Port Forwarding129 130 Rule is turned onTurn the rule OFF Accessing the iPod Touch Web Configurator Accessing the iPod Touch Web Configurator131 132 LAN and WAN 133 Configuring Your Internet Connection What You Need To Know134 Multicast 135WAN MAC Address 136 Iptv STB Port 192.168.1.20 137You have one STB You have two STBs NetBIOS over TCP/IP Auto-Bridge138 Internet Connection Ethernet Encapsulation139 WAN MAC 140Address Defined changes to None after you click Apply Select Clone the computers MAC address IP Address and enter Setting or upload a different ROM filePPPoE Encapsulation 141 142 All of the LANs computers will have access Different ROM file 143DNS Servers First DNS Computer’s 144 Pptp Encapsulation Pptp connection 145 Advanced WAN Screen 146Select Clone the computers MAC address IP Address Select Igmp V-1,IGMP V-2 or None 147 148 When the NBG-460N gets a WAN IP address that is notTo be in Router Mode for the Iptv STB port to work Igmp 149 LAN 150 IP Pool SetupLAN IP Screen LAN TCP/IP LAN IP Alias 151LAN TCP/IP IP address that you assign. Unless you are implementing Any IP SetupAdvanced LAN Screen 152 153 LANs, WANs and the ZyXEL Device 154 Any IP 155 156 157 Dhcp Dhcp General Screen Dhcp Advanced Screen158 Select the Enable Dhcp Server check box. When you clear Must have their DNS server addresses manually configured159 Select DNS Relay to have the NBG-460N act as a DNS proxy. NBG-460Ns system DNS server configured in the WAN InternetClient List Screen 160 Them 161This is the index number of the host computer Host names. After you click Apply, the MAC address and IP 162 163 Network Address Translation NAT General NAT Screen Enable NetworkSelect the check box to enable NAT Default Server Setup 165 NAT Application Screen 166 Wake On LAN is enabled 167Fields under Add Application Rule Configuring Servers Behind Port Forwarding Example Game List Example168 169 NAT Advanced Screen Users may not be able to access the Internet 170Can establish through the NBG-460N Traffic to a server on the WAN LAN that requested the serviceTrigger Port Forwarding Example 171 172 Two Points To Remember About Trigger Ports Dynamic DNS DynDNS Wildcard173 Enable Dynamic Select this check box to use dynamic DNS Dynamic DNS Screen174 WAN IP address 175 176 177 Part 178 179 Firewall About the NBG-460N Firewall Triangle Routes180 181 Triangle Routes and IP Alias Services Screen General Firewall Screen182 Icmp 183 Add Firewall Rule screen 184 Single IP is selected as the Address Type Add Firewall Rule Screen185 Pool Click Clear All to empty the Blocked Services 186Address Type 187 188 Content Filtering Content Filtering Profiles189 Days and Times Restrict Web Features190 Keyword Blocking URL Checking 191 Filter Screen Allowed 192Cookies Web Proxy Not affected Which content filtering will be enforcedSchedule Screen 193 Full Path URL Checking Customizing Keyword Blocking URL Checking194 Domain Name or IP Address URL Checking 195 IPSec VPN 196 IKE SA IKE Phase 1 Overview Local Network and Remote Network IPSec SA IKE Phase 2 Overview197 IP Addresses of the NBG-460N and Remote IPSec Router 198 General Screen 199 VPN Rule Setup Basic 200 Feature to work Enabled 201Secure Gateway Address field set to 202 Your computer in the Local Content field. The NBG-460N 203With dynamic WAN IP addresses Address field refer to the Secure Gateway Address field 204 205 VPN Rule Setup Advanced 206 Security VPN General Rule Setup IKE Advanced 207 Select No to disable it 208 209 210 211 212 VPN Rule Setup Manual 213Each IPSec SA. It is more secure but takes more time 214 Security VPN General Rule Setup Manual 215 216 217 SecureSPI SA Monitor Screen 218Trailing spaces are truncated VPN and Remote Management IKE SA Proposal219 220 Diffie-Hellman DH Key Exchange Remote Ipsec Router AuthenticationVPN Example Matching ID Type and Content 221 Negotiation Mode VPN Example Mismatching ID Type and Content222 223 15.6.6 VPN, NAT, and NAT Traversal IPSec Protocol Encapsulation224 SA Life Time IPSec SA Proposal and Perfect Forward SecrecyAdditional IPSec VPN Topics 225 Encryption and Authentication Algorithms 226Private DNS Server Private DNS Server Example 227 228 229 Management 230 Static Route 231Lanwan 232 IP Static Route Screen 233 Static Route Setup Screen 234 Chat, Email Bandwidth Management235 FTP 236 General Configuration Screen 237 Management check boxMbps Wlan Bandwidth Advanced Configuration238 Connected to the WAN port has an upstream speed of 10 Mbps Low 239 To Wlan Rule Configuration with the Pre-defined Service240 Wlan to WAN 241 Rule Configuration User Defined Service Rule Configuration 242 Monitor Screen Technical References Predefined Bandwidth Management ServicesMedia Bandwidth Management Setup Services Service Description Class Type Priority Default Bandwidth Management Classes and PrioritiesBandwidth Management Priority with Default Classes 244 Bandwidth Management Priorities 245Bandwidth Management Priorities 246 247 Remote Management 248 System TimeoutRemote Management Limitations Remote Management and NAT Remote management Specify to access the NBG-460N using this serviceWWW Screen 249 Telnet Screen FTP Screen250 251 DNS Screen You specify to send DNS queries to the NBG-460N 252 Universal Plug-and-Play UPnP NAT Traversal253 254 UPnP Screen 255 Using UPnP in Windows XP Example Network Connections 256 257 Internet Connection Properties Advanced Settings 258 Web Configurator Easy Access Network Connections My Network Places 259 Network Connections My Network Places Properties Example 260 261 Maintenance Troubleshooting 262 System System General Screen263 264 265 Time Setting Screen Select User Defined Time Server Address and enter the IP 266 267 268 269 Logs Display Log categories that you selected in the Log SettingsView Log Screen 270 Log Settings 271Time and date Mail Log Settings Mail Server 272Messages will not be sent via e-mail 273 Sent via e-mailSmtp LOG Message Description System Maintenance LogsLog Descriptions 274 275 System Error Logs Firewall Attack Alerts screen Access Control LogsTCP Reset Logs 276 Packet Filter Logs 277 Icmp Logs 278 Content Filtering Logs 279UPnP packets can pass through the firewall Attack Logs 280 IPSec Logs 281 IKE Logs 282 283 284 285 PKI Logs802.1X Logs Type Code Description ACL Setting Notes286 Packet Direction Description 287 Icmp NotesSyslog Logs 288 RFC-2408 Isakmp Payload TypesLOG Display Payload Type Tools Firmware Upload Screen289 290 Maintenance Tools Firmware Network Temporarily Disconnected Upload Error Message Maintenance Restore Configuration Configuration ScreenBackup Configuration Restore Configuration 293 Configuration Restore Successful Back to Factory Defaults Restart Screen294 295 Indicate either Ready or MAC Address errorWake On LAN Green 296 Maintenance Tools Green 297 Configuration Mode Advanced Configuration Options 298Category Link TAB 299 Sys Op Mode Router 300 301 Maintenance Sys OP Mode General Firewall or bandwidth management 302 Language Language Screen303 304 Troubleshooting Power, Hardware Connections, and LEDs305 306 NBG-460N Access and Login Advanced Suggestions 307 308 Internet Access Internet connection is slow or intermittent 309 310 Resetting the NBG-460N to Its Factory Defaults 311 Wireless Router/AP Troubleshooting 312 Advanced Features PWR, LAN1-4, WAN, WLAN, WPS Product Specifications and Wall- Mounting InstructionsHardware Features 313 314 Firmware FeaturesSuch as microwave ovens, wireless phones Bluetooth enabled devices, and other wireless LANs 315 Standards Supported Feature SpecificationsFeature Specification 316 Wall-mounting Instructions 317Protocol MBM Media Bandwidth Management Masonry Plug and M4 Tap Screw 318 319 Appendices Index 320 Disable pop-up Blockers Internet Explorer Pop-up Blockers321 322 Enable pop-up Blockers with Exceptions 323 Select Settings…to open the Pop-up Blocker Settings screen 324 JavaScripts Internet Options Security 325 326 Java Permissions Java Sun 327 Java Sun 328 Introduction to IP Addresses Structure329 1ST 2ND 3RD 4TH Octet Subnet Masks330 Subnet Mask Identifying Network Number Binary 1ST 2ND 3RD 4TH Decimal Octet 331Network Size Subnet Masks Alternative Subnet Mask Notation Notation332 Maximum Host Numbers 333 Subnetting 334 Example Four Subnets IP/SUBNET Mask Network Number Last Octet BIT Value 335 Example Eight Subnets Subnet Planning336 NO. Borrowed Subnet Mask NO. Hosts PER Host Bits Subnets Configuring IP Addresses337 16-bit Network Number Subnet Planning Private IP Addresses 338 339 Setting up Your Computer’s IP Address Installing Components Windows 95/98/Me340 341 Configuring 342 Verifying Settings 343 Windows 2000/NT/XP Windows XP Control Panel 344 Windows XP Local Area Connection Properties 345 Windows XP Internet Protocol TCP/IP Properties 346 Windows XP Advanced TCP/IP Properties 347 348 349 Macintosh OS 8/9 Macintosh OS 8/9 TCP/IP 350 351 Macintosh OS Using the K Desktop Environment KDE Linux352 Red Hat 9.0 KDE Ethernet Device General 353 354 Using Configuration Files Red Hat 9.0 DNS Settings in resolv.conf Red Hat 9.0 Static IP Address Setting in ifconfig-eth0 356 Verifying Settings Wireless LAN Topologies Ad-hoc Wireless LAN Configuration357 358 Basic Service Set 359 Channel RTS/CTS 360 361 Ieee 802.11g Wireless LANFragmentation Threshold Preamble Type Data Rate Modulation Mbps Ieee362 Ieee 802.11g EAP-MD5 Message-Digest Algorithm Types of Authentication363 Types of Radius Messages Peap Protected EAP EAP-TTLS Tunneled Transport Layer Service364 EAP-TLS Transport Layer Security Encryption Comparison of EAP Authentication TypesWPA2 365 366 User Authentication 27.0.2 WPA2-PSK Application Example 27.0.3 WPA2 with Radius Application Example367 368 Wireless Security Relational MatrixAuthentication Encryptio Enter METHOD/ KEY Security Parameters Summary 369 Services Examples of Services 370Name Protocol Ports Description 371 372 Disclaimer CopyrightCertifications 373 FCC Radiation Exposure Statement 374 ZyXEL Limited Warranty 375Viewing Certifications Registration 376 CTS Clear to Send Index377 Classes and priorities 378 EssidEncapsulating Security Payload. See ESP Language Link type 40 379IKE SA Ethernet PPPoE. see also PPP over Ethernet 380 MACMbssid QoS QoS priorities Quality of Service QoS 381Radius 382 Wireless security 98 overview Xbox Live ZyNOS 39 383 384