
ZyXEL Router Prestige 334 User Manual


Page 161

Prestige 334 User’s Guide
Chapter 15 VPN Screens 160
15.6  Keep Alive
When you initiate an IPSec tunnel with keep alive enabled, the Prestige automatically 
renegotiates the tunnel when the IPSec SA lifetime period expires (see the IPSec Algorithms 
section for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always 
on” connection after you initiate it. Both IPSec routers must have a Prestige-compatible keep 
alive feature enabled in order for this feature to work.
If the Prestige...

Page 162

• Enable NAT traversal on both IPSec endpoints.
In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec 
router B, set the NAT router to forward UDP port 500 to IPSec router A.
15.7.2  Remote DNS Server
In cases where you want to use domain names to access Intranet servers on a remote network 
that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the 
LAN or from the ISP since these...

Page 163

15.8  ID Type and Content
With aggressive negotiation mode (see Section Negotiation Mode), the Prestige identifies 
incoming SAs by ID type and content since this identifying information is not encrypted. This 
enables the Prestige to distinguish between multiple rules for SAs that connect from remote 
IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate 
passwords to simultaneously connect to the Prestige from IPSec routers...

Page 164

15.8.1  ID Type and Content Examples
Two IPSec routers must have matching ID type and content configuration in order to set up a 
VPN tunnel. 
The two Prestiges in this example can complete negotiation and establish a VPN tunnel. 
The two Prestiges in this example cannot complete their negotiation because Prestige B’s 
Local ID type is IP, but Prestige A’s Peer ID type is set to E-mail. An “ID mismatched” 
message displays in the IPSEC LOG. 
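The matching rule above, modelled as an added example (not code from the ZyXEL manual): each router's Peer ID must equal the other router's Local ID in both type and content, in both directions, or negotiation fails as in the manual's second case. Router names, ID values and the helper names are constructed for illustration.

```python
# Added example: model of the ID type/content matching rule in Section 15.8.1.
# Constructed sample data; not the Prestige firmware's own logic.
from dataclasses import dataclass
from typing import List, Optional

ID_TYPES = ("IP", "DNS", "E-mail")  # ID types the manual refers to


@dataclass(frozen=True)
class VpnId:
    id_type: str   # "IP", "DNS" or "E-mail"
    content: str   # identifier value sent unencrypted in aggressive mode


@dataclass(frozen=True)
class RuleIds:
    name: str
    local: VpnId   # the ID this router presents as its own identity
    peer: VpnId    # the ID this router expects the remote router to present


def check_id(expecting: RuleIds, presenting: RuleIds) -> Optional[str]:
    """Return None when `presenting`'s Local ID satisfies `expecting`'s Peer ID,
    otherwise a human-readable reason for the mismatch."""
    want, got = expecting.peer, presenting.local
    for i in (want, got):
        if i.id_type not in ID_TYPES:
            return f"unknown ID type {i.id_type!r}"
    if want.id_type != got.id_type:
        return (f"{expecting.name} Peer ID type is {want.id_type} but "
                f"{presenting.name} Local ID type is {got.id_type}")
    if want.content != got.content:
        return (f"{expecting.name} expects Peer ID content {want.content!r} but "
                f"{presenting.name} presents {got.content!r}")
    return None


def negotiate(a: RuleIds, b: RuleIds) -> List[str]:
    """Both directions must match. An empty list means the tunnel can be set up;
    a non-empty list corresponds to an 'ID mismatched' entry in the IPSEC LOG."""
    return [r for r in (check_id(a, b), check_id(b, a)) if r is not None]


# Constructed sample configurations (values are not from the manual).
GOOD_A = RuleIds("Prestige A", VpnId("E-mail", "a@example.com"), VpnId("E-mail", "b@example.com"))
GOOD_B = RuleIds("Prestige B", VpnId("E-mail", "b@example.com"), VpnId("E-mail", "a@example.com"))
# The manual's failing case: B's Local ID type is IP while A's Peer ID type is E-mail.
BAD_B = RuleIds("Prestige B", VpnId("IP", "192.0.2.1"), VpnId("E-mail", "a@example.com"))

if __name__ == "__main__":
    print("good pair:", negotiate(GOOD_A, GOOD_B) or "OK")
    print("bad pair: ", negotiate(GOOD_A, BAD_B))
```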
15.9...

Page 165

15.10  Editing VPN Rules 
Click Edit on the Summary screen or click the Rule Setup tab to edit VPN rules. 
Figure 64   VPN: Rule Setup (Basic)
The following table describes the labels in this screen.
Table 51   VPN: Rule Setup (Basic)
LABEL: DESCRIPTION
Active: Select this check box to activate this VPN tunnel. This option determines whether 
a VPN rule is applied before a packet leaves the firewall.
Keep Alive: Select this check box to have the Prestige...

Page 166

IPSec Keying Mode: Select IKE or Manual from the drop-down list box. IKE provides more protection, 
so it is generally recommended. Manual is a useful option for troubleshooting. 
Local Address: The local IP address must be static and correspond to the remote IPSec router's 
configured remote IP addresses. 
Two active SAs can have the same local or remote IP address, but not both. You 
can configure multiple SAs between the same local and remote IP addresses,...

Page 167

Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router 
with which you're making the VPN connection. Set this field to 0.0.0.0 if the 
remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode 
field must be set to IKE). The remote address fields do not apply when the 
Secure Gateway Address field is configured to 0.0.0.0. In this case only the 
remote IPSec router can initiate the VPN.
Peer ID...

Page 168

15.11   IKE Phases
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 
(Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and 
the second one uses that SA to negotiate SAs for IPSec. 
Figure 65   Two Phases to Set Up the IPSec SA
In phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an...

Page 169

• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-
key cryptography – see Section Perfect Forward Secrecy (PFS). Select None (the default) 
to disable PFS.
Choose Tunnel mode or Transport mode.
Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should 
stay up before it times out. The Prestige automatically...

Page 170

This may be unnecessary for data that does not require such security, so PFS is disabled 
(None) by default in the Prestige. Disabling PFS means new authentication and encryption 
keys are derived from the same root secret (which may have security implications in the long 
run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
15.12  Configuring Advanced IKE Settings
Select Advanced at the bottom of the Rule Setup IKE screen....