225 | ZyXEL Communications wireless n gigbit router zyxel manual

Chapter 15 IPSec VPN

In transport mode, the encapsulation depends on the IPSec protocol. With AH, the NBG-460N includes part of the original IP header when it encapsulates the packet. With ESP, however, the NBG-460N does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address.

15.6.9 IPSec SA Proposal and Perfect Forward Secrecy

An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on page 219), except that you also have the choice whether or not the NBG-460N and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).

If you enable PFS, the NBG-460N and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.

If you do not enable PFS, the NBG-460N and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys.

The DH key exchange is time-consuming and may be unnecessary for data that does not require such security.

15.6.10 Additional IPSec VPN Topics

This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted.

SA Life Time

SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times out, the NBG-460N automatically renegotiates the SA in the following situations:

•There is traffic when the SA life time expires

•The IPSec SA is configured on the NBG-460N as nailed up (see below)

Otherwise, the NBG-460N must re-negotiate the SA the next time someone wants to send traffic.

Note: If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected.

NBG-460N User’s Guide

225

Image 225

ZyXEL Communications wireless n gigbit router zyxel manual IPSec SA Proposal and Perfect Forward Secrecy, 225, SA Life Time

Contents

NBG-460N Page Intended Audience About This Users GuideRelated Documentation User Guide Feedback About This Users Guide Syntax Conventions Document Conventions Icons Used in Figures Telephone Switch Router ModemNBG-460N Computer Server Dslam Safety Warnings Safety Warnings NBG-460N User’s Guide Contents Overview Contents Overview NBG-460N User’s Guide Table of Contents Chapter Connection Wizard Part II Network WAN 177 Part IV Management 235 Part V Maintenance and Troubleshooting 261 Part VI Appendices and Index Table of Contents NBG-460N User’s Guide Part Page Getting to Know Your NBG-460N OverviewApplications Router Mode Wireless ApplicationsLAN NBG460N 3 AP + Bridge AP Mode AP + Bridge Application Bridge Bridge Application Bridge Loop Two Bridges Connected to Hub Feature Router AP Mode Bridge Features Available in Router Mode vs. AP ModeWays to Manage the NBG-460N Router vs. AP vs. Bridge Good Habits for Managing the NBG-460N PowerLEDs Front Panel LEDs This feature Off Device is in normal power mode Wireless LAN Off Wireless LAN is not ready or has failedWAN Wlan Getting to Know Your NBG-460N NBG-460N User’s Guide WPS Button WPS Button NBG-460N User’s Guide Introducing the Web Configurator Web Configurator OverviewAccessing the Web Configurator Change Password Screen Resetting the NBG-460N Navigating the Web ConfiguratorProcedure to Use the Reset Button Status Screen in Router Mode Status Screen Icon KeyIcon Description Label Description DhcpScheduler When the line is disconnected Wlan is disabledIs enabled and N/A when the Wlan is disabled Memory Usage Screens Summary Navigation PanelLink TAB Function LAN Ddns NATVPN Mgmt Summary Any IP Table Mode As a Router or a Access Point LanguageSummary Bandwidth Management Monitor Logs View Log Summary BW Mgmt Monitor Summary Dhcp Table Host Name field Summary Packet Statistics Intervals field Summary VPN MonitorStop Click Stop to stop refreshing statistics This is the security association index number This is the index number of an associated wireless station Summary Wireless Station StatusAssociation Time NBG-460N’s Wlan network Introducing the Web Configurator NBG-460N User’s Guide Connection Wizard Wizard Setup System Name Connection Wizard System Information Underscores are accepted Domain Name Use the same Ssid in order to access the network Connection Wizard Wireless LANThis option is only available if WPS is not enabled Ssid Wizard Basic WEP Security Basic WEP Security WEP Extend WPA-PSK or WPA2-PSK SecurityAscii HEX Pre-Shared Connection Wizard Internet ConfigurationKey Do this PPPoE Connection Ethernet ConnectionConnection Description Type Pptp Pptp Connection ISP Parameter for Internet Access Wizard Pptp Connection ISP Parameters for Internet Access WAN IP Address Assignment Your IP AddressUse fixed IP address Provided by your ISP IP Address and Subnet Mask Private IP Address Ranges10.0.0.0 172.16.0.0 192.168.0.0 WAN IP and DNS Server Address Assignment DNS Server Address Assignment WAN MAC Address WAN IP Address AssignmentChoose an IP address Wizard WAN MAC Address Connection Wizard Bandwidth management Wizard Bandwidth Management Connection Wizard Complete Connection Wizard Complete Connection Wizard NBG-460N User’s Guide How to Connect to the Internet from an AP TutorialsInternet Push Button Configuration NBG460N Example WPS Process PIN Method Channel Security SSIDExample3WPA-PSK Pre-Shared Key ThisismyWPA-PSKpre-sharedkey Tutorial Status AP Mode Configure Your Notebook Connecting a Wireless Client to a Wireless Network Link Status Using AP + Bridge Mode and WDS Configuring Your Bridge Mode Settings Pre-Shared Key ThisismyWPA2-PSKpre-sharedkey WPA2-PSK Site-To-Site VPN Tunnel Settings Setting BOB’S NBG-460N JACK’S NBG-460NSite-To-Site VPN Tunnel Tutorial Tutorial Property Configuring Bob’s NBG-460N VPN Settings Tutorial Authentication Method Configuring Jack’s NBG-460N VPN Settings Tutorial Property Tutorial Authentication Method Pinging Jack’s Local IP Address Checking the VPN Connection Bandwidth Management for your Network Configuring Bandwidth Management by Application Configuring Bandwidth Allocation by IP or IP Range Configuring Bandwidth Management by Custom Application Fields Services Real Audio Rtsp VDO Live FTP Refer to Appedix F on the Bandwidth Mgnt Setting your NBG-460N to AP Mode AP Mode Status Screen Status AP Mode System Setting Configuration Mode Display Network Wireless LAN WPS screenThis shows the LAN port’s Dhcp role Client or None Schedules Or connected Menu AP Mode Setting Logs View Log Maintenance System GeneralReset the factory defaults to your NBG-460N Mask or to get the LAN IP address from a Dhcp server Configuring Your Settings LAN SettingsSys OP General Table below describes the labels in the screen Wlan and Maintenance Settings Logging in to the Web Configurator in AP Mode Network Page Example of a Wireless Network Wireless LAN Wireless Security Overview What You Can DoWhat You Should Know Ssid No Authentication Radius Server Types of Encryption for Each Type of Authentication100 Weakest Stronges t General Wireless LAN Screen Printable 7-bit Ascii characters for the wireless LAN101 102 No SecurityWPA-PSK and WPA2-PSK are available in this field Select Static WEP , WPA-PSK , WPA , WPA2-PSK or WPA2 to add 103 WEP Encryption Select 64-bit WEP or 128-bit WEP to enable data encryption 104WEP keys and displays them in the Key fields below AP or peer computer 105Correct WEP key Hex Security Mode field Server, the reauthentication timer on the Radius server has106 Priority 107 4 WPA/WPA2 Server, the reauthentication timer on the Radius server 108Has priority 109 MAC Filter Screen MAC 110 Quality of Service QoS Screen Wireless LAN Advanced Screen111 RTS/CTS On page 123 for more information 112WMM QoS Policy You want to apply WMM QoS Application Priority Configuration Configuration screen113 114 MailUser-Defined 115 WPS Screen Scheduling Screen WPS Station Screen116 Push Button Whole day 117Following times fields Day 118 WDS Screen Security Mode Static WEP Between the NBG-460N and any wireless clients119 ASCII/HEX 120 Technical Reference Security Mode WPA2-PSKRoaming 121 Roaming Example 122 123 Quality of Service IPod Touch Web Configurator WiFi Protected Setup124 WMM QoS Priorities 125 Login Screen 126 System Status WAN connection is not working 127 MBM 128 WPS in Progress Port Forwarding129 130 Rule is turned onTurn the rule OFF Accessing the iPod Touch Web Configurator Accessing the iPod Touch Web Configurator131 132 LAN and WAN 133 Configuring Your Internet Connection What You Need To Know134 Multicast 135WAN MAC Address 136 Iptv STB Port You have one STB 137You have two STBs 192.168.1.20 NetBIOS over TCP/IP Auto-Bridge138 Internet Connection Ethernet Encapsulation139 Address 140Defined changes to None after you click Apply WAN MAC PPPoE Encapsulation Setting or upload a different ROM file141 Select Clone the computers MAC address IP Address and enter 142 All of the LANs computers will have access DNS Servers First DNS 143Computer’s Different ROM file 144 Pptp Encapsulation Pptp connection 145 Advanced WAN Screen 146Select Clone the computers MAC address IP Address Select Igmp V-1,IGMP V-2 or None 147 To be in Router Mode for the Iptv STB port to work When the NBG-460N gets a WAN IP address that is notIgmp 148 149 LAN LAN IP Screen IP Pool SetupLAN TCP/IP 150 LAN IP Alias 151LAN TCP/IP Advanced LAN Screen Any IP Setup152 IP address that you assign. Unless you are implementing 153 LANs, WANs and the ZyXEL Device 154 Any IP 155 156 157 Dhcp Dhcp General Screen Dhcp Advanced Screen158 Select the Enable Dhcp Server check box. When you clear Must have their DNS server addresses manually configured159 Client List Screen NBG-460Ns system DNS server configured in the WAN Internet160 Select DNS Relay to have the NBG-460N act as a DNS proxy. This is the index number of the host computer 161Host names. After you click Apply, the MAC address and IP Them 162 163 Network Address Translation NAT Select the check box to enable NAT Enable NetworkDefault Server Setup General NAT Screen 165 NAT Application Screen 166 Wake On LAN is enabled 167Fields under Add Application Rule Configuring Servers Behind Port Forwarding Example Game List Example168 169 NAT Advanced Screen Users may not be able to access the Internet 170Can establish through the NBG-460N Trigger Port Forwarding Example LAN that requested the service171 Traffic to a server on the WAN 172 Two Points To Remember About Trigger Ports Dynamic DNS DynDNS Wildcard173 Enable Dynamic Select this check box to use dynamic DNS Dynamic DNS Screen174 WAN IP address 175 176 177 Part 178 179 Firewall About the NBG-460N Firewall Triangle Routes180 181 Triangle Routes and IP Alias Services Screen General Firewall Screen182 Icmp 183 Add Firewall Rule screen 184 185 Add Firewall Rule ScreenPool Single IP is selected as the Address Type Click Clear All to empty the Blocked Services 186Address Type 187 188 Content Filtering Content Filtering Profiles189 190 Restrict Web FeaturesKeyword Blocking URL Checking Days and Times 191 Filter Screen Cookies 192Web Proxy Allowed Schedule Screen Which content filtering will be enforced193 Not affected 194 Customizing Keyword Blocking URL CheckingDomain Name or IP Address URL Checking Full Path URL Checking 195 IPSec VPN 196 IKE SA IKE Phase 1 Overview 197 IPSec SA IKE Phase 2 OverviewIP Addresses of the NBG-460N and Remote IPSec Router Local Network and Remote Network 198 General Screen 199 VPN Rule Setup Basic 200 Feature to work Enabled 201Secure Gateway Address field set to 202 Your computer in the Local Content field. The NBG-460N 203With dynamic WAN IP addresses Address field refer to the Secure Gateway Address field 204 205 VPN Rule Setup Advanced 206 Security VPN General Rule Setup IKE Advanced 207 Select No to disable it 208 209 210 211 212 VPN Rule Setup Manual 213Each IPSec SA. It is more secure but takes more time 214 Security VPN General Rule Setup Manual 215 216 217 SecureSPI SA Monitor Screen 218Trailing spaces are truncated VPN and Remote Management IKE SA Proposal219 220 Diffie-Hellman DH Key Exchange VPN Example Matching ID Type and Content Authentication221 Remote Ipsec Router Negotiation Mode VPN Example Mismatching ID Type and Content222 223 15.6.6 VPN, NAT, and NAT Traversal IPSec Protocol Encapsulation224 Additional IPSec VPN Topics IPSec SA Proposal and Perfect Forward Secrecy225 SA Life Time Encryption and Authentication Algorithms 226Private DNS Server Private DNS Server Example 227 228 229 Management 230 Static Route 231Lanwan 232 IP Static Route Screen 233 Static Route Setup Screen 234 235 Bandwidth ManagementFTP Chat, Email 236 General Configuration Screen 237 Management check boxMbps 238 Advanced ConfigurationConnected to the WAN port has an upstream speed of 10 Mbps Wlan Bandwidth Low 239 240 Rule Configuration with the Pre-defined ServiceWlan to WAN To Wlan 241 Rule Configuration User Defined Service Rule Configuration 242 Monitor Screen Media Bandwidth Management Setup Services Predefined Bandwidth Management ServicesService Description Technical References Bandwidth Management Priority with Default Classes Default Bandwidth Management Classes and Priorities244 Class Type Priority Bandwidth Management Priorities 245Bandwidth Management Priorities 246 247 Remote Management Remote Management Limitations System TimeoutRemote Management and NAT 248 WWW Screen Specify to access the NBG-460N using this service249 Remote management Telnet Screen FTP Screen250 251 DNS Screen You specify to send DNS queries to the NBG-460N 252 Universal Plug-and-Play UPnP NAT Traversal253 254 UPnP Screen 255 Using UPnP in Windows XP Example Network Connections 256 257 Internet Connection Properties Advanced Settings 258 Web Configurator Easy Access Network Connections My Network Places 259 Network Connections My Network Places Properties Example 260 261 Maintenance Troubleshooting 262 System System General Screen263 264 265 Time Setting Screen Select User Defined Time Server Address and enter the IP 266 267 268 269 Logs View Log Screen Log categories that you selected in the Log Settings270 Display Log Settings 271Time and date Mail Log Settings Mail Server 272Messages will not be sent via e-mail 273 Sent via e-mailSmtp Log Descriptions System Maintenance Logs274 LOG Message Description 275 System Error Logs TCP Reset Logs Access Control Logs276 Firewall Attack Alerts screen Packet Filter Logs 277 Icmp Logs 278 Content Filtering Logs 279UPnP packets can pass through the firewall Attack Logs 280 IPSec Logs 281 IKE Logs 282 283 284 285 PKI Logs802.1X Logs 286 ACL Setting NotesPacket Direction Description Type Code Description 287 Icmp NotesSyslog Logs 288 RFC-2408 Isakmp Payload TypesLOG Display Payload Type Tools Firmware Upload Screen289 290 Maintenance Tools Firmware Network Temporarily Disconnected Upload Error Message Backup Configuration Configuration ScreenRestore Configuration Maintenance Restore Configuration 293 Configuration Restore Successful Back to Factory Defaults Restart Screen294 Wake On LAN Indicate either Ready or MAC Address errorGreen 295 296 Maintenance Tools Green 297 Configuration Mode Advanced Configuration Options 298Category Link TAB 299 Sys Op Mode Router 300 301 Maintenance Sys OP Mode General Firewall or bandwidth management 302 Language Language Screen303 304 Troubleshooting Power, Hardware Connections, and LEDs305 306 NBG-460N Access and Login Advanced Suggestions 307 308 Internet Access Internet connection is slow or intermittent 309 310 Resetting the NBG-460N to Its Factory Defaults 311 Wireless Router/AP Troubleshooting 312 Advanced Features Hardware Features Product Specifications and Wall- Mounting Instructions313 PWR, LAN1-4, WAN, WLAN, WPS Such as microwave ovens, wireless phones Firmware FeaturesBluetooth enabled devices, and other wireless LANs 314 315 Feature Specification Feature Specifications316 Standards Supported Wall-mounting Instructions 317Protocol MBM Media Bandwidth Management Masonry Plug and M4 Tap Screw 318 319 Appendices Index 320 Disable pop-up Blockers Internet Explorer Pop-up Blockers321 322 Enable pop-up Blockers with Exceptions 323 Select Settings…to open the Pop-up Blocker Settings screen 324 JavaScripts Internet Options Security 325 326 Java Permissions Java Sun 327 Java Sun 328 Introduction to IP Addresses Structure329 330 Subnet MasksSubnet Mask Identifying Network Number 1ST 2ND 3RD 4TH Octet Network Size 331Subnet Masks Binary 1ST 2ND 3RD 4TH Decimal Octet 332 NotationMaximum Host Numbers Alternative Subnet Mask Notation 333 Subnetting 334 Example Four Subnets IP/SUBNET Mask Network Number Last Octet BIT Value 335 Example Eight Subnets Subnet Planning336 337 Configuring IP Addresses16-bit Network Number Subnet Planning NO. Borrowed Subnet Mask NO. Hosts PER Host Bits Subnets Private IP Addresses 338 339 Setting up Your Computer’s IP Address Installing Components Windows 95/98/Me340 341 Configuring 342 Verifying Settings 343 Windows 2000/NT/XP Windows XP Control Panel 344 Windows XP Local Area Connection Properties 345 Windows XP Internet Protocol TCP/IP Properties 346 Windows XP Advanced TCP/IP Properties 347 348 349 Macintosh OS 8/9 Macintosh OS 8/9 TCP/IP 350 351 Macintosh OS Using the K Desktop Environment KDE Linux352 Red Hat 9.0 KDE Ethernet Device General 353 354 Using Configuration Files Red Hat 9.0 DNS Settings in resolv.conf Red Hat 9.0 Static IP Address Setting in ifconfig-eth0 356 Verifying Settings Wireless LAN Topologies Ad-hoc Wireless LAN Configuration357 358 Basic Service Set 359 Channel RTS/CTS 360 Fragmentation Threshold Ieee 802.11g Wireless LANPreamble Type 361 362 IeeeIeee 802.11g Data Rate Modulation Mbps 363 Types of AuthenticationTypes of Radius Messages EAP-MD5 Message-Digest Algorithm 364 EAP-TTLS Tunneled Transport Layer ServiceEAP-TLS Transport Layer Security Peap Protected EAP WPA2 Comparison of EAP Authentication Types365 Encryption 366 User Authentication 27.0.2 WPA2-PSK Application Example 27.0.3 WPA2 with Radius Application Example367 Authentication Encryptio Enter METHOD/ KEY Wireless Security Relational MatrixSecurity Parameters Summary 368 369 Services Examples of Services 370Name Protocol Ports Description 371 372 Certifications Copyright373 Disclaimer FCC Radiation Exposure Statement 374 ZyXEL Limited Warranty 375Viewing Certifications Registration 376 377 IndexClasses and priorities CTS Clear to Send 378 EssidEncapsulating Security Payload. See ESP IKE SA 379Ethernet PPPoE. see also PPP over Ethernet Language Link type 40 380 MACMbssid QoS QoS priorities Quality of Service QoS 381Radius 382 Wireless security 98 overview Xbox Live ZyNOS 39 383 384