Manuals / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications wireless n gigbit router zyxel VPN and Remote Management, IKE SA Proposal

Models: wireless n gigbit router zyxel

1 384

Download 384 pages 30.66 Kb

Page 219

Chapter 15 IPSec VPN

15.6 Technical Reference

The following section contains additional technical information about the NBG- 460N features described in this chapter.

15.6.1 VPN and Remote Management

You can allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the NBG-460N. One of the NBG-460N’s ports must be part of the VPN rule’s local network. This can be the NBG-460N’s LAN port if you do not want to allow remote management on the WAN port. You also have to configure remote management (Management > Remote MGMT) to allow management access for the service through the specific port.

In the following example, the VPN rule’s local network (A) includes the NBG- 460N’s LAN IP address of 192.168.1.7. Someone in the remote network (B) can use a service (like HTTP for example) through the VPN tunnel to access the NBG- 460N’s LAN interface. Remote management must also be configured to allow HTTP access on the NBG-460N’s LAN interface.

Figure 136 VPN for Remote Management Example

15.6.2 IKE SA Proposal

The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the NBG-460N and remote

NBG-460N User’s Guide

219

Image 219

ZyXEL Communications wireless n gigbit router zyxel manual VPN and Remote Management, IKE SA Proposal, 219

Contents

NBG-460N Page User Guide Feedback About This Users GuideIntended Audience Related DocumentationAbout This Users Guide Syntax Conventions Document ConventionsDslam Telephone Switch Router ModemIcons Used in Figures NBG-460N Computer ServerSafety Warnings Safety Warnings NBG-460N User’s Guide Contents Overview Contents Overview NBG-460N User’s Guide Table of Contents Chapter Connection Wizard Part II Network WAN 177 Part IV Management 235 Part V Maintenance and Troubleshooting 261 Part VI Appendices and Index Table of Contents NBG-460N User’s Guide Part Page Getting to Know Your NBG-460N OverviewApplications NBG460N Wireless ApplicationsRouter Mode LAN3 AP + Bridge AP ModeAP + Bridge Application BridgeBridge Application Bridge Loop Two Bridges Connected to Hub Router vs. AP vs. Bridge Features Available in Router Mode vs. AP ModeFeature Router AP Mode Bridge Ways to Manage the NBG-460NFront Panel LEDs PowerGood Habits for Managing the NBG-460N LEDsWlan Wireless LAN Off Wireless LAN is not ready or has failedThis feature Off Device is in normal power mode WANGetting to Know Your NBG-460N NBG-460N User’s Guide WPS Button WPS Button NBG-460N User’s Guide Introducing the Web Configurator Web Configurator OverviewAccessing the Web Configurator Change Password Screen Resetting the NBG-460N Navigating the Web ConfiguratorProcedure to Use the Reset Button Status Screen in Router Mode Status Screen Icon KeyIcon Description Label Description DhcpScheduler Memory Usage Wlan is disabledWhen the line is disconnected Is enabled and N/A when the Wlan is disabledLAN Navigation PanelScreens Summary Link TAB FunctionMgmt NATDdns VPNLogs View Log Mode As a Router or a Access Point LanguageSummary Any IP Table Summary Bandwidth Management MonitorSummary BW Mgmt Monitor Summary Dhcp TableHost Name field Summary Packet StatisticsThis is the security association index number Summary VPN MonitorIntervals field Stop Click Stop to stop refreshing statisticsNBG-460N’s Wlan network Summary Wireless Station StatusThis is the index number of an associated wireless station Association TimeIntroducing the Web Configurator NBG-460N User’s Guide Connection Wizard Wizard SetupSystem Name Connection Wizard System InformationUnderscores are accepted Domain NameSsid Connection Wizard Wireless LANUse the same Ssid in order to access the network This option is only available if WPS is not enabledWizard Basic WEP Security Basic WEP SecurityHEX Extend WPA-PSK or WPA2-PSK SecurityWEP AsciiDo this Connection Wizard Internet ConfigurationPre-Shared KeyPptp Ethernet ConnectionPPPoE Connection Connection Description TypePptp Connection ISP Parameter for Internet AccessWizard Pptp Connection ISP Parameters for Internet AccessProvided by your ISP Your IP AddressWAN IP Address Assignment Use fixed IP addressIP Address and Subnet Mask Private IP Address Ranges10.0.0.0 172.16.0.0 192.168.0.0 WAN IP and DNS Server Address Assignment DNS Server Address AssignmentWAN MAC Address WAN IP Address AssignmentChoose an IP address Wizard WAN MAC Address Connection Wizard Bandwidth managementWizard Bandwidth Management Connection Wizard CompleteConnection Wizard Complete Connection Wizard NBG-460N User’s Guide How to Connect to the Internet from an AP TutorialsInternet Push Button Configuration NBG460N Example WPS Process PIN Method Pre-Shared Key ThisismyWPA-PSKpre-sharedkey SSIDExample3Channel Security WPA-PSKTutorial Status AP Mode Configure Your NotebookConnecting a Wireless Client to a Wireless Network Link Status Using AP + Bridge Mode and WDSConfiguring Your Bridge Mode Settings Pre-Shared Key ThisismyWPA2-PSKpre-sharedkey WPA2-PSKSite-To-Site VPN Tunnel Settings Setting BOB’S NBG-460N JACK’S NBG-460NSite-To-Site VPN Tunnel Tutorial Tutorial Property Configuring Bob’s NBG-460N VPN SettingsTutorial Authentication Method Configuring Jack’s NBG-460N VPN SettingsTutorial Property Tutorial Authentication Method Pinging Jack’s Local IP Address Checking the VPN ConnectionBandwidth Management for your Network Configuring Bandwidth Management by ApplicationConfiguring Bandwidth Allocation by IP or IP Range Configuring Bandwidth Management by Custom ApplicationFields Services Real Audio Rtsp VDO Live FTP Refer to Appedix F on the Bandwidth Mgnt Setting your NBG-460N to AP Mode AP ModeStatus Screen Status AP ModeSchedules Display Network Wireless LAN WPS screenSystem Setting Configuration Mode This shows the LAN port’s Dhcp role Client or NoneOr connected Menu AP ModeMask or to get the LAN IP address from a Dhcp server Maintenance System GeneralSetting Logs View Log Reset the factory defaults to your NBG-460NConfiguring Your Settings LAN SettingsSys OP General Table below describes the labels in the screen Wlan and Maintenance SettingsLogging in to the Web Configurator in AP Mode Network Page Example of a Wireless Network Wireless LANWireless Security Overview What You Can DoWhat You Should Know Ssid Weakest Stronges t Types of Encryption for Each Type of AuthenticationNo Authentication Radius Server 100General Wireless LAN Screen Printable 7-bit Ascii characters for the wireless LAN101 Select Static WEP , WPA-PSK , WPA , WPA2-PSK or WPA2 to add No Security102 WPA-PSK and WPA2-PSK are available in this field103 WEP EncryptionSelect 64-bit WEP or 128-bit WEP to enable data encryption 104WEP keys and displays them in the Key fields below Hex 105AP or peer computer Correct WEP keyPriority Server, the reauthentication timer on the Radius server hasSecurity Mode field 106107 4 WPA/WPA2Server, the reauthentication timer on the Radius server 108Has priority 109 MAC Filter ScreenMAC 110RTS/CTS Wireless LAN Advanced ScreenQuality of Service QoS Screen 111You want to apply WMM QoS 112On page 123 for more information WMM QoS PolicyApplication Priority Configuration Configuration screen113 114 MailUser-Defined 115 WPS ScreenPush Button WPS Station ScreenScheduling Screen 116Day 117Whole day Following times fields118 WDS ScreenSecurity Mode Static WEP Between the NBG-460N and any wireless clients119 ASCII/HEX 120121 Security Mode WPA2-PSKTechnical Reference RoamingRoaming Example 122123 Quality of ServiceWMM QoS Priorities WiFi Protected SetupIPod Touch Web Configurator 124125 Login Screen126 System StatusWAN connection is not working 127MBM 128WPS in Progress Port Forwarding129 130 Rule is turned onTurn the rule OFF Accessing the iPod Touch Web Configurator Accessing the iPod Touch Web Configurator131 132 LAN and WAN 133Configuring Your Internet Connection What You Need To Know134 Multicast 135WAN MAC Address 136 Iptv STB Port192.168.1.20 137You have one STB You have two STBsNetBIOS over TCP/IP Auto-Bridge138 Internet Connection Ethernet Encapsulation139 WAN MAC 140Address Defined changes to None after you click ApplySelect Clone the computers MAC address IP Address and enter Setting or upload a different ROM filePPPoE Encapsulation 141142 All of the LANs computers will have accessDifferent ROM file 143DNS Servers First DNS Computer’s144 Pptp EncapsulationPptp connection 145Advanced WAN Screen 146Select Clone the computers MAC address IP Address Select Igmp V-1,IGMP V-2 or None 147148 When the NBG-460N gets a WAN IP address that is notTo be in Router Mode for the Iptv STB port to work Igmp149 LAN150 IP Pool SetupLAN IP Screen LAN TCP/IPLAN IP Alias 151LAN TCP/IP IP address that you assign. Unless you are implementing Any IP SetupAdvanced LAN Screen 152153 LANs, WANs and the ZyXEL Device154 Any IP155 156 157 DhcpDhcp General Screen Dhcp Advanced Screen158 Select the Enable Dhcp Server check box. When you clear Must have their DNS server addresses manually configured159 Select DNS Relay to have the NBG-460N act as a DNS proxy. NBG-460Ns system DNS server configured in the WAN InternetClient List Screen 160Them 161This is the index number of the host computer Host names. After you click Apply, the MAC address and IP162 163 Network Address Translation NATGeneral NAT Screen Enable NetworkSelect the check box to enable NAT Default Server Setup165 NAT Application Screen166 Wake On LAN is enabled 167Fields under Add Application Rule Configuring Servers Behind Port Forwarding Example Game List Example168 169 NAT Advanced ScreenUsers may not be able to access the Internet 170Can establish through the NBG-460N Traffic to a server on the WAN LAN that requested the serviceTrigger Port Forwarding Example 171172 Two Points To Remember About Trigger PortsDynamic DNS DynDNS Wildcard173 Enable Dynamic Select this check box to use dynamic DNS Dynamic DNS Screen174 WAN IP address 175176 177 Part178 179 FirewallAbout the NBG-460N Firewall Triangle Routes180 181 Triangle Routes and IP AliasServices Screen General Firewall Screen182 Icmp 183Add Firewall Rule screen 184Single IP is selected as the Address Type Add Firewall Rule Screen185 PoolClick Clear All to empty the Blocked Services 186Address Type 187 188 Content Filtering Content Filtering Profiles189 Days and Times Restrict Web Features190 Keyword Blocking URL Checking191 Filter ScreenAllowed 192Cookies Web ProxyNot affected Which content filtering will be enforcedSchedule Screen 193Full Path URL Checking Customizing Keyword Blocking URL Checking194 Domain Name or IP Address URL Checking195 IPSec VPN196 IKE SA IKE Phase 1 OverviewLocal Network and Remote Network IPSec SA IKE Phase 2 Overview197 IP Addresses of the NBG-460N and Remote IPSec Router198 General Screen199 VPN Rule Setup Basic200 Feature to workEnabled 201Secure Gateway Address field set to 202 Your computer in the Local Content field. The NBG-460N 203With dynamic WAN IP addresses Address field refer to the Secure Gateway Address field 204205 VPN Rule Setup Advanced206 Security VPN General Rule Setup IKE Advanced207 Select No to disable it208 209 210 211 212 VPN Rule Setup Manual 213Each IPSec SA. It is more secure but takes more time 214 Security VPN General Rule Setup Manual215 216 217 SecureSPI SA Monitor Screen 218Trailing spaces are truncated VPN and Remote Management IKE SA Proposal219 220 Diffie-Hellman DH Key ExchangeRemote Ipsec Router AuthenticationVPN Example Matching ID Type and Content 221Negotiation Mode VPN Example Mismatching ID Type and Content222 223 15.6.6 VPN, NAT, and NAT TraversalIPSec Protocol Encapsulation224 SA Life Time IPSec SA Proposal and Perfect Forward SecrecyAdditional IPSec VPN Topics 225Encryption and Authentication Algorithms 226Private DNS Server Private DNS Server Example 227228 229 Management230 Static Route 231Lanwan 232 IP Static Route Screen233 Static Route Setup Screen234 Chat, Email Bandwidth Management235 FTP236 General Configuration Screen237 Management check boxMbps Wlan Bandwidth Advanced Configuration238 Connected to the WAN port has an upstream speed of 10 MbpsLow 239To Wlan Rule Configuration with the Pre-defined Service240 Wlan to WAN241 Rule Configuration User Defined Service Rule Configuration242 Monitor ScreenTechnical References Predefined Bandwidth Management ServicesMedia Bandwidth Management Setup Services Service DescriptionClass Type Priority Default Bandwidth Management Classes and PrioritiesBandwidth Management Priority with Default Classes 244Bandwidth Management Priorities 245Bandwidth Management Priorities 246 247 Remote Management248 System TimeoutRemote Management Limitations Remote Management and NATRemote management Specify to access the NBG-460N using this serviceWWW Screen 249Telnet Screen FTP Screen250 251 DNS ScreenYou specify to send DNS queries to the NBG-460N 252Universal Plug-and-Play UPnP NAT Traversal253 254 UPnP Screen255 Using UPnP in Windows XP ExampleNetwork Connections 256257 Internet Connection Properties Advanced Settings258 Web Configurator Easy AccessNetwork Connections My Network Places 259Network Connections My Network Places Properties Example 260261 Maintenance Troubleshooting262 System System General Screen263 264 265 Time Setting ScreenSelect User Defined Time Server Address and enter the IP 266267 268 269 LogsDisplay Log categories that you selected in the Log SettingsView Log Screen 270Log Settings 271Time and date Mail Log Settings Mail Server 272Messages will not be sent via e-mail 273 Sent via e-mailSmtp LOG Message Description System Maintenance LogsLog Descriptions 274275 System Error LogsFirewall Attack Alerts screen Access Control LogsTCP Reset Logs 276Packet Filter Logs 277Icmp Logs 278Content Filtering Logs 279UPnP packets can pass through the firewall Attack Logs 280IPSec Logs 281IKE Logs 282283 284 285 PKI Logs802.1X Logs Type Code Description ACL Setting Notes286 Packet Direction Description287 Icmp NotesSyslog Logs 288 RFC-2408 Isakmp Payload TypesLOG Display Payload Type Tools Firmware Upload Screen289 290 Maintenance Tools FirmwareNetwork Temporarily Disconnected Upload Error MessageMaintenance Restore Configuration Configuration ScreenBackup Configuration Restore Configuration293 Configuration Restore SuccessfulBack to Factory Defaults Restart Screen294 295 Indicate either Ready or MAC Address errorWake On LAN Green296 Maintenance Tools Green297 Configuration ModeAdvanced Configuration Options 298Category Link TAB 299 Sys Op ModeRouter 300301 Maintenance Sys OP Mode GeneralFirewall or bandwidth management 302Language Language Screen303 304 Troubleshooting Power, Hardware Connections, and LEDs305 306 NBG-460N Access and LoginAdvanced Suggestions 307308 Internet AccessInternet connection is slow or intermittent 309310 Resetting the NBG-460N to Its Factory Defaults311 Wireless Router/AP Troubleshooting312 Advanced FeaturesPWR, LAN1-4, WAN, WLAN, WPS Product Specifications and Wall- Mounting InstructionsHardware Features 313314 Firmware FeaturesSuch as microwave ovens, wireless phones Bluetooth enabled devices, and other wireless LANs315 Standards Supported Feature SpecificationsFeature Specification 316Wall-mounting Instructions 317Protocol MBM Media Bandwidth Management Masonry Plug and M4 Tap Screw 318319 Appendices Index320 Disable pop-up Blockers Internet Explorer Pop-up Blockers321 322 Enable pop-up Blockers with Exceptions323 Select Settings…to open the Pop-up Blocker Settings screen324 JavaScriptsInternet Options Security 325326 Java PermissionsJava Sun 327Java Sun 328Introduction to IP Addresses Structure329 1ST 2ND 3RD 4TH Octet Subnet Masks330 Subnet Mask Identifying Network NumberBinary 1ST 2ND 3RD 4TH Decimal Octet 331Network Size Subnet MasksAlternative Subnet Mask Notation Notation332 Maximum Host Numbers333 Subnetting334 Example Four SubnetsIP/SUBNET Mask Network Number Last Octet BIT Value 335Example Eight Subnets Subnet Planning336 NO. Borrowed Subnet Mask NO. Hosts PER Host Bits Subnets Configuring IP Addresses337 16-bit Network Number Subnet PlanningPrivate IP Addresses 338339 Setting up Your Computer’s IP AddressInstalling Components Windows 95/98/Me340 341 Configuring342 Verifying Settings343 Windows 2000/NT/XPWindows XP Control Panel 344Windows XP Local Area Connection Properties 345Windows XP Internet Protocol TCP/IP Properties 346Windows XP Advanced TCP/IP Properties 347348 349 Macintosh OS 8/9Macintosh OS 8/9 TCP/IP 350351 Macintosh OSUsing the K Desktop Environment KDE Linux352 Red Hat 9.0 KDE Ethernet Device General 353354 Using Configuration FilesRed Hat 9.0 DNS Settings in resolv.conf Red Hat 9.0 Static IP Address Setting in ifconfig-eth0356 Verifying SettingsWireless LAN Topologies Ad-hoc Wireless LAN Configuration357 358 Basic Service Set359 ChannelRTS/CTS 360361 Ieee 802.11g Wireless LANFragmentation Threshold Preamble TypeData Rate Modulation Mbps Ieee362 Ieee 802.11gEAP-MD5 Message-Digest Algorithm Types of Authentication363 Types of Radius MessagesPeap Protected EAP EAP-TTLS Tunneled Transport Layer Service364 EAP-TLS Transport Layer SecurityEncryption Comparison of EAP Authentication TypesWPA2 365366 User Authentication27.0.2 WPA2-PSK Application Example 27.0.3 WPA2 with Radius Application Example367 368 Wireless Security Relational MatrixAuthentication Encryptio Enter METHOD/ KEY Security Parameters Summary369 ServicesExamples of Services 370Name Protocol Ports Description 371 372 Disclaimer CopyrightCertifications 373FCC Radiation Exposure Statement 374ZyXEL Limited Warranty 375Viewing Certifications Registration 376CTS Clear to Send Index377 Classes and priorities378 EssidEncapsulating Security Payload. See ESP Language Link type 40 379IKE SA Ethernet PPPoE. see also PPP over Ethernet380 MACMbssid QoS QoS priorities Quality of Service QoS 381Radius 382 Wireless security 98 overviewXbox Live ZyNOS 39 383384