Manuals / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications wireless n gigbit router zyxel manual Negotiation Mode, 222

Models: wireless n gigbit router zyxel

1 384

Download 384 pages 30.66 Kb

Page 222

Chapter 15 IPSec VPN

Table 72 VPN Example: Matching ID Type and Content

NBG-460N	REMOTE IPSEC ROUTER
Peer ID type: IP	Peer ID type: E-mail

Peer ID content: 1.1.1.2	Peer ID content: tom@yourcompany.com

In the following example, the ID type and content do not match so the authentication fails and the NBG-460N and the remote IPSec router cannot establish an IKE SA.

Table 73 VPN Example: Mismatching ID Type and Content

NBG-460N	REMOTE IPSEC ROUTER
Local ID type: E-mail	Local ID type: IP

Local ID content: tom@yourcompany.com	Local ID content: 1.1.1.2

Peer ID type: IP	Peer ID type: E-mail

Peer ID content: 1.1.1.15	Peer ID content: tom@yourcompany.com

15.6.5 Negotiation Mode

There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.

Main mode takes six steps to establish an IKE SA.

Steps 1-2:The NBG-460N sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the NBG- 460N.

Steps 3-4:The NBG-460N and the remote IPSec router participate in a Diffie- Hellman key exchange, based on the accepted DH key group, to establish a shared secret.

Steps 5-6:Finally, the NBG-460N and the remote IPSec router generate an encryption key from the shared secret, encrypt their identities, and exchange their encrypted identity information for authentication.

In contrast, aggressive mode only takes three steps to establish an IKE SA.

Step 1: The NBG-460N sends its proposals to the remote IPSec router. It also starts the Diffie-Hellman key exchange and sends its (unencrypted) identity to the remote IPSec router for authentication.

Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the NBG-460N. It also finishes the Diffie-Hellman key exchange, authenticates the NBG-460N, and sends its (unencrypted) identity to the NBG-460N for authentication.

222

NBG-460N User’s Guide

Image 222

ZyXEL Communications wireless n gigbit router zyxel Negotiation Mode, 222, VPN Example Mismatching ID Type and Content

Contents

NBG-460N Page Related Documentation About This Users GuideIntended Audience User Guide FeedbackAbout This Users Guide Document Conventions Syntax ConventionsNBG-460N Computer Server Telephone Switch Router ModemIcons Used in Figures DslamSafety Warnings Safety Warnings NBG-460N User’s Guide Contents Overview Contents Overview NBG-460N User’s Guide Table of Contents Chapter Connection Wizard Part II Network WAN 177 Part IV Management 235 Part V Maintenance and Troubleshooting 261 Part VI Appendices and Index Table of Contents NBG-460N User’s Guide Part Page Getting to Know Your NBG-460N OverviewApplications LAN Wireless ApplicationsRouter Mode NBG460NAP Mode 3 AP + BridgeBridge AP + Bridge ApplicationBridge Application Bridge Loop Two Bridges Connected to Hub Ways to Manage the NBG-460N Features Available in Router Mode vs. AP ModeFeature Router AP Mode Bridge Router vs. AP vs. BridgeLEDs PowerGood Habits for Managing the NBG-460N Front Panel LEDsWAN Wireless LAN Off Wireless LAN is not ready or has failedThis feature Off Device is in normal power mode WlanGetting to Know Your NBG-460N NBG-460N User’s Guide WPS Button WPS Button NBG-460N User’s Guide Introducing the Web Configurator Web Configurator OverviewAccessing the Web Configurator Change Password Screen Resetting the NBG-460N Navigating the Web ConfiguratorProcedure to Use the Reset Button Status Screen in Router Mode Status Screen Icon KeyIcon Description Label Description DhcpScheduler Is enabled and N/A when the Wlan is disabled Wlan is disabledWhen the line is disconnected Memory UsageLink TAB Function Navigation PanelScreens Summary LANVPN NATDdns MgmtSummary Bandwidth Management Monitor Mode As a Router or a Access Point LanguageSummary Any IP Table Logs View LogSummary Dhcp Table Summary BW Mgmt MonitorSummary Packet Statistics Host Name fieldStop Click Stop to stop refreshing statistics Summary VPN MonitorIntervals field This is the security association index numberAssociation Time Summary Wireless Station StatusThis is the index number of an associated wireless station NBG-460N’s Wlan networkIntroducing the Web Configurator NBG-460N User’s Guide Wizard Setup Connection WizardConnection Wizard System Information System NameDomain Name Underscores are acceptedThis option is only available if WPS is not enabled Connection Wizard Wireless LANUse the same Ssid in order to access the network SsidBasic WEP Security Wizard Basic WEP SecurityAscii Extend WPA-PSK or WPA2-PSK SecurityWEP HEXKey Connection Wizard Internet ConfigurationPre-Shared Do thisConnection Description Type Ethernet ConnectionPPPoE Connection PptpISP Parameter for Internet Access Pptp ConnectionISP Parameters for Internet Access Wizard Pptp ConnectionUse fixed IP address Your IP AddressWAN IP Address Assignment Provided by your ISPIP Address and Subnet Mask Private IP Address Ranges10.0.0.0 172.16.0.0 192.168.0.0 DNS Server Address Assignment WAN IP and DNS Server Address AssignmentWAN MAC Address WAN IP Address AssignmentChoose an IP address Connection Wizard Bandwidth management Wizard WAN MAC AddressConnection Wizard Complete Wizard Bandwidth ManagementConnection Wizard Complete Connection Wizard NBG-460N User’s Guide How to Connect to the Internet from an AP TutorialsInternet Push Button Configuration NBG460N Example WPS Process PIN Method WPA-PSK SSIDExample3Channel Security Pre-Shared Key ThisismyWPA-PSKpre-sharedkeyConfigure Your Notebook Tutorial Status AP ModeConnecting a Wireless Client to a Wireless Network Using AP + Bridge Mode and WDS Link StatusConfiguring Your Bridge Mode Settings WPA2-PSK Pre-Shared Key ThisismyWPA2-PSKpre-sharedkeySite-To-Site VPN Tunnel Settings Setting BOB’S NBG-460N JACK’S NBG-460NSite-To-Site VPN Tunnel Tutorial Configuring Bob’s NBG-460N VPN Settings Tutorial PropertyConfiguring Jack’s NBG-460N VPN Settings Tutorial Authentication MethodTutorial Property Tutorial Authentication Method Checking the VPN Connection Pinging Jack’s Local IP AddressConfiguring Bandwidth Management by Application Bandwidth Management for your NetworkConfiguring Bandwidth Management by Custom Application Configuring Bandwidth Allocation by IP or IP RangeFields Services Real Audio Rtsp VDO Live FTP Refer to Appedix F on the Bandwidth Mgnt AP Mode Setting your NBG-460N to AP ModeStatus AP Mode Status ScreenThis shows the LAN port’s Dhcp role Client or None Display Network Wireless LAN WPS screenSystem Setting Configuration Mode SchedulesMenu AP Mode Or connectedReset the factory defaults to your NBG-460N Maintenance System GeneralSetting Logs View Log Mask or to get the LAN IP address from a Dhcp serverConfiguring Your Settings LAN SettingsSys OP General Wlan and Maintenance Settings Table below describes the labels in the screenLogging in to the Web Configurator in AP Mode Network Page Wireless LAN Example of a Wireless NetworkWireless Security Overview What You Can DoWhat You Should Know Ssid 100 Types of Encryption for Each Type of AuthenticationNo Authentication Radius Server Weakest Stronges tGeneral Wireless LAN Screen Printable 7-bit Ascii characters for the wireless LAN101 WPA-PSK and WPA2-PSK are available in this field No Security102 Select Static WEP , WPA-PSK , WPA , WPA2-PSK or WPA2 to addWEP Encryption 103Select 64-bit WEP or 128-bit WEP to enable data encryption 104WEP keys and displays them in the Key fields below Correct WEP key 105AP or peer computer Hex106 Server, the reauthentication timer on the Radius server hasSecurity Mode field Priority4 WPA/WPA2 107Server, the reauthentication timer on the Radius server 108Has priority MAC Filter Screen 109110 MAC111 Wireless LAN Advanced ScreenQuality of Service QoS Screen RTS/CTSWMM QoS Policy 112On page 123 for more information You want to apply WMM QoSApplication Priority Configuration Configuration screen113 114 MailUser-Defined WPS Screen 115116 WPS Station ScreenScheduling Screen Push ButtonFollowing times fields 117Whole day DayWDS Screen 118Security Mode Static WEP Between the NBG-460N and any wireless clients119 120 ASCII/HEXRoaming Security Mode WPA2-PSKTechnical Reference 121122 Roaming ExampleQuality of Service 123124 WiFi Protected SetupIPod Touch Web Configurator WMM QoS PrioritiesLogin Screen 125System Status 126127 WAN connection is not working128 MBMWPS in Progress Port Forwarding129 130 Rule is turned onTurn the rule OFF Accessing the iPod Touch Web Configurator Accessing the iPod Touch Web Configurator131 132 133 LAN and WANConfiguring Your Internet Connection What You Need To Know134 Multicast 135WAN MAC Address Iptv STB Port 136You have two STBs 137You have one STB 192.168.1.20NetBIOS over TCP/IP Auto-Bridge138 Internet Connection Ethernet Encapsulation139 Defined changes to None after you click Apply 140Address WAN MAC141 Setting or upload a different ROM filePPPoE Encapsulation Select Clone the computers MAC address IP Address and enterAll of the LANs computers will have access 142Computer’s 143DNS Servers First DNS Different ROM filePptp Encapsulation 144145 Pptp connectionAdvanced WAN Screen 146Select Clone the computers MAC address IP Address 147 Select Igmp V-1,IGMP V-2 or NoneIgmp When the NBG-460N gets a WAN IP address that is notTo be in Router Mode for the Iptv STB port to work 148LAN 149LAN TCP/IP IP Pool SetupLAN IP Screen 150LAN IP Alias 151LAN TCP/IP 152 Any IP SetupAdvanced LAN Screen IP address that you assign. Unless you are implementingLANs, WANs and the ZyXEL Device 153Any IP 154155 156 Dhcp 157Dhcp General Screen Dhcp Advanced Screen158 Select the Enable Dhcp Server check box. When you clear Must have their DNS server addresses manually configured159 160 NBG-460Ns system DNS server configured in the WAN InternetClient List Screen Select DNS Relay to have the NBG-460N act as a DNS proxy.Host names. After you click Apply, the MAC address and IP 161This is the index number of the host computer Them162 Network Address Translation NAT 163Default Server Setup Enable NetworkSelect the check box to enable NAT General NAT ScreenNAT Application Screen 165166 Wake On LAN is enabled 167Fields under Add Application Rule Configuring Servers Behind Port Forwarding Example Game List Example168 NAT Advanced Screen 169Users may not be able to access the Internet 170Can establish through the NBG-460N 171 LAN that requested the serviceTrigger Port Forwarding Example Traffic to a server on the WANTwo Points To Remember About Trigger Ports 172Dynamic DNS DynDNS Wildcard173 Enable Dynamic Select this check box to use dynamic DNS Dynamic DNS Screen174 175 WAN IP address176 Part 177178 Firewall 179About the NBG-460N Firewall Triangle Routes180 Triangle Routes and IP Alias 181Services Screen General Firewall Screen182 183 Icmp184 Add Firewall Rule screenPool Add Firewall Rule Screen185 Single IP is selected as the Address TypeClick Clear All to empty the Blocked Services 186Address Type 187 188 Content Filtering Content Filtering Profiles189 Keyword Blocking URL Checking Restrict Web Features190 Days and TimesFilter Screen 191Web Proxy 192Cookies Allowed193 Which content filtering will be enforcedSchedule Screen Not affectedDomain Name or IP Address URL Checking Customizing Keyword Blocking URL Checking194 Full Path URL CheckingIPSec VPN 195IKE SA IKE Phase 1 Overview 196IP Addresses of the NBG-460N and Remote IPSec Router IPSec SA IKE Phase 2 Overview197 Local Network and Remote NetworkGeneral Screen 198VPN Rule Setup Basic 199Feature to work 200Enabled 201Secure Gateway Address field set to 202 Your computer in the Local Content field. The NBG-460N 203With dynamic WAN IP addresses 204 Address field refer to the Secure Gateway Address fieldVPN Rule Setup Advanced 205Security VPN General Rule Setup IKE Advanced 206Select No to disable it 207208 209 210 211 212 VPN Rule Setup Manual 213Each IPSec SA. It is more secure but takes more time Security VPN General Rule Setup Manual 214215 216 217 SecureSPI SA Monitor Screen 218Trailing spaces are truncated VPN and Remote Management IKE SA Proposal219 Diffie-Hellman DH Key Exchange 220221 AuthenticationVPN Example Matching ID Type and Content Remote Ipsec RouterNegotiation Mode VPN Example Mismatching ID Type and Content222 15.6.6 VPN, NAT, and NAT Traversal 223IPSec Protocol Encapsulation224 225 IPSec SA Proposal and Perfect Forward SecrecyAdditional IPSec VPN Topics SA Life TimeEncryption and Authentication Algorithms 226Private DNS Server 227 Private DNS Server Example228 Management 229230 Static Route 231Lanwan IP Static Route Screen 232Static Route Setup Screen 233234 FTP Bandwidth Management235 Chat, EmailGeneral Configuration Screen 236237 Management check boxMbps Connected to the WAN port has an upstream speed of 10 Mbps Advanced Configuration238 Wlan Bandwidth239 LowWlan to WAN Rule Configuration with the Pre-defined Service240 To WlanRule Configuration User Defined Service Rule Configuration 241Monitor Screen 242Service Description Predefined Bandwidth Management ServicesMedia Bandwidth Management Setup Services Technical References244 Default Bandwidth Management Classes and PrioritiesBandwidth Management Priority with Default Classes Class Type PriorityBandwidth Management Priorities 245Bandwidth Management Priorities 246 Remote Management 247Remote Management and NAT System TimeoutRemote Management Limitations 248249 Specify to access the NBG-460N using this serviceWWW Screen Remote managementTelnet Screen FTP Screen250 DNS Screen 251252 You specify to send DNS queries to the NBG-460NUniversal Plug-and-Play UPnP NAT Traversal253 UPnP Screen 254Using UPnP in Windows XP Example 255256 Network ConnectionsInternet Connection Properties Advanced Settings 257Web Configurator Easy Access 258259 Network Connections My Network Places260 Network Connections My Network Places Properties ExampleMaintenance Troubleshooting 261262 System System General Screen263 264 Time Setting Screen 265266 Select User Defined Time Server Address and enter the IP267 268 Logs 269270 Log categories that you selected in the Log SettingsView Log Screen DisplayLog Settings 271Time and date Mail Log Settings Mail Server 272Messages will not be sent via e-mail 273 Sent via e-mailSmtp 274 System Maintenance LogsLog Descriptions LOG Message DescriptionSystem Error Logs 275276 Access Control LogsTCP Reset Logs Firewall Attack Alerts screen277 Packet Filter Logs278 Icmp LogsContent Filtering Logs 279UPnP packets can pass through the firewall 280 Attack Logs281 IPSec Logs282 IKE Logs283 284 285 PKI Logs802.1X Logs Packet Direction Description ACL Setting Notes286 Type Code Description287 Icmp NotesSyslog Logs 288 RFC-2408 Isakmp Payload TypesLOG Display Payload Type Tools Firmware Upload Screen289 Maintenance Tools Firmware 290Upload Error Message Network Temporarily DisconnectedRestore Configuration Configuration ScreenBackup Configuration Maintenance Restore ConfigurationConfiguration Restore Successful 293Back to Factory Defaults Restart Screen294 Green Indicate either Ready or MAC Address errorWake On LAN 295Maintenance Tools Green 296Configuration Mode 297Advanced Configuration Options 298Category Link TAB Sys Op Mode 299300 RouterMaintenance Sys OP Mode General 301302 Firewall or bandwidth managementLanguage Language Screen303 304 Troubleshooting Power, Hardware Connections, and LEDs305 NBG-460N Access and Login 306307 Advanced SuggestionsInternet Access 308309 Internet connection is slow or intermittentResetting the NBG-460N to Its Factory Defaults 310Wireless Router/AP Troubleshooting 311Advanced Features 312313 Product Specifications and Wall- Mounting InstructionsHardware Features PWR, LAN1-4, WAN, WLAN, WPSBluetooth enabled devices, and other wireless LANs Firmware FeaturesSuch as microwave ovens, wireless phones 314315 316 Feature SpecificationsFeature Specification Standards SupportedWall-mounting Instructions 317Protocol MBM Media Bandwidth Management 318 Masonry Plug and M4 Tap ScrewAppendices Index 319320 Disable pop-up Blockers Internet Explorer Pop-up Blockers321 Enable pop-up Blockers with Exceptions 322Select Settings…to open the Pop-up Blocker Settings screen 323JavaScripts 324325 Internet Options SecurityJava Permissions 326327 Java Sun328 Java SunIntroduction to IP Addresses Structure329 Subnet Mask Identifying Network Number Subnet Masks330 1ST 2ND 3RD 4TH OctetSubnet Masks 331Network Size Binary 1ST 2ND 3RD 4TH Decimal OctetMaximum Host Numbers Notation332 Alternative Subnet Mask NotationSubnetting 333Example Four Subnets 334335 IP/SUBNET Mask Network Number Last Octet BIT ValueExample Eight Subnets Subnet Planning336 16-bit Network Number Subnet Planning Configuring IP Addresses337 NO. Borrowed Subnet Mask NO. Hosts PER Host Bits Subnets338 Private IP AddressesSetting up Your Computer’s IP Address 339Installing Components Windows 95/98/Me340 Configuring 341Verifying Settings 342Windows 2000/NT/XP 343344 Windows XP Control Panel345 Windows XP Local Area Connection Properties346 Windows XP Internet Protocol TCP/IP Properties347 Windows XP Advanced TCP/IP Properties348 Macintosh OS 8/9 349350 Macintosh OS 8/9 TCP/IPMacintosh OS 351Using the K Desktop Environment KDE Linux352 353 Red Hat 9.0 KDE Ethernet Device GeneralUsing Configuration Files 354Red Hat 9.0 Static IP Address Setting in ifconfig-eth0 Red Hat 9.0 DNS Settings in resolv.confVerifying Settings 356Wireless LAN Topologies Ad-hoc Wireless LAN Configuration357 Basic Service Set 358Channel 359360 RTS/CTSPreamble Type Ieee 802.11g Wireless LANFragmentation Threshold 361Ieee 802.11g Ieee362 Data Rate Modulation MbpsTypes of Radius Messages Types of Authentication363 EAP-MD5 Message-Digest AlgorithmEAP-TLS Transport Layer Security EAP-TTLS Tunneled Transport Layer Service364 Peap Protected EAP365 Comparison of EAP Authentication TypesWPA2 EncryptionUser Authentication 36627.0.2 WPA2-PSK Application Example 27.0.3 WPA2 with Radius Application Example367 Security Parameters Summary Wireless Security Relational MatrixAuthentication Encryptio Enter METHOD/ KEY 368Services 369Examples of Services 370Name Protocol Ports Description 371 372 373 CopyrightCertifications Disclaimer374 FCC Radiation Exposure StatementZyXEL Limited Warranty 375Viewing Certifications 376 RegistrationClasses and priorities Index377 CTS Clear to Send378 EssidEncapsulating Security Payload. See ESP Ethernet PPPoE. see also PPP over Ethernet 379IKE SA Language Link type 40380 MACMbssid QoS QoS priorities Quality of Service QoS 381Radius Wireless security 98 overview 382383 Xbox Live ZyNOS 39384