ZyXEL Router Prestige 334 User Manual
Prestige 334 User’s Guide

CHAPTER 14 Introduction to IPSec

This chapter introduces the basics of IPSec VPNs.

14.1 VPN Overview

A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

14.1.1 IPSec

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.

14.1.2 Security Association

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use.

14.1.3 Other Terminology

14.1.3.1 Encryption

Encryption is a mathematical operation that transforms data from plaintext (readable) to ciphertext (scrambled text) using a key. The key and clear text are processed by the encryption operation, which leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption: it is a mathematical operation that transforms ciphertext to plaintext. Decryption also requires a key.
Figure 56 Encryption and Decryption

14.1.3.2 Data Confidentiality

The IPSec sender can encrypt packets before transmitting them across a network.

14.1.3.3 Data Integrity

The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.

14.1.3.4 Data Origin Authentication

The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.

14.1.4 VPN Applications

The Prestige supports the following VPN applications.

• Linking Two or More Private Networks Together: Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites.
• Accessing Network Resources When NAT Is Enabled: When NAT is enabled, remote users are not able to access hosts on the LAN unless the host is designated a public LAN server for that specific protocol. Since the VPN tunnel terminates inside the LAN, remote users will be able to access all computers that use private IP addresses on the LAN.
• Unsupported IP Applications: A VPN tunnel may be created to add support for unsupported emerging IP applications.

See the chapter on Getting to Know Your Prestige for an example of a VPN application.

14.2 IPSec Architecture

The overall IPSec architecture is shown as follows.
Figure 57 IPSec Architecture

14.2.1 IPSec Algorithms

The ESP (Encapsulating Security Payload) protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms. The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols. Please see the IPSec Algorithms section for more information.

14.2.2 Key Management

Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN.

14.3 Encapsulation

The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
Figure 58 Transport and Tunnel Mode IPSec Encapsulation

14.3.1 Transport Mode

Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).

With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header information and options are not used in the authentication process. Therefore, the originating IP address cannot be verified for integrity against the data.

With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process.

14.3.2 Tunnel Mode

Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation. Tunnel mode is required for gateway to gateway and host to gateway communications. Tunnel mode communications have two sets of IP headers:

• Outside header: The outside IP header contains the destination IP address of the VPN gateway.
• Inside header: The inside IP header contains the destination IP address of the final system behind the VPN gateway. The security protocol appears after the outer IP header and before the inside IP header.

14.4 IPSec and NAT

Read this section if you are running IPSec on a host computer behind the Prestige.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.

A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered.

IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet.

Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the original header plus original payload, which is unchanged by a NAT device.

Transport mode ESP with authentication is not compatible with NAT, although NAT traversal provides a way to use Transport mode ESP when there is a NAT router between the IPSec endpoints (see the NAT Traversal section for details).

Table 45 VPN and NAT

SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   N
ESP                 Tunnel      Y
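The following Python simulation is an added example, not ZyXEL's code, that reproduces the four rows of Table 45: the AH integrity check value covers the outer IP header, the ESP check value covers only the protected body, and the upper layer's own checksum ties a TCP segment to the addresses it was built for, so a NAT rewrite is caught at one layer or the other unless the original header travels inside the tunnel. The key, addresses and payload are constructed values; encryption is left out because only what the hash covers matters for the NAT question.

```python
import hashlib, hmac
# Constructed sample values (not from the manual): shared integrity key and addresses.
KEY = b"constructed-demo-key"
SENDER, RECEIVER, NAT_PUBLIC = "10.0.0.5", "203.0.113.9", "198.51.100.1"

def tcp_checksum(src, dst, data):
    """Stand-in for the TCP checksum, which covers the IP pseudo-header (addresses) plus data."""
    return hashlib.sha256(f"{src}|{dst}|".encode() + data).digest()[:4]

def icv(*parts):
    """HMAC-SHA-1 integrity check value (RFC 2404 style) over the concatenated parts."""
    return hmac.new(KEY, b"".join(parts), hashlib.sha1).digest()[:12]

def build(protocol, mode, data):
    """Protect a TCP segment; encryption is left out because only ICV coverage matters here."""
    segment = data + tcp_checksum(SENDER, RECEIVER, data)
    # Tunnel mode carries a whole inner packet (inner header + segment); transport mode only the segment.
    body = f"{SENDER}>{RECEIVER}|".encode() + segment if mode == "tunnel" else segment
    pkt = {"src": SENDER, "dst": RECEIVER, "body": body}
    if protocol == "AH":
        pkt["icv"] = icv(SENDER.encode(), RECEIVER.encode(), body)  # AH also hashes the outer header
    else:
        pkt["icv"] = icv(body)                                       # ESP hashes only the protected body
    return pkt

def nat(pkt):
    """A NAT device between the endpoints rewrites the outer source address."""
    return {**pkt, "src": NAT_PUBLIC}

def receive(protocol, mode, pkt, data):
    """Verify the ICV, then let the upper layer check its own checksum; True means delivered."""
    if protocol == "AH":
        expected = icv(pkt["src"].encode(), pkt["dst"].encode(), pkt["body"])
    else:
        expected = icv(pkt["body"])
    if not hmac.compare_digest(pkt["icv"], expected):
        return False  # the receiver assumes the packet was altered in transit
    if mode == "tunnel":
        hdr, segment = pkt["body"].split(b"|", 1)
        src, dst = hdr.decode().split(">")  # original addresses survive inside the tunnel
    else:
        src, dst, segment = pkt["src"], pkt["dst"], pkt["body"]  # sees the NAT-rewritten address
    return segment == data + tcp_checksum(src, dst, data)

def nat_compatible(protocol, mode):
    data = b"GET / HTTP/1.1"  # constructed payload
    return "Y" if receive(protocol, mode, nat(build(protocol, mode, data)), data) else "N"

def table_45():
    return {(p, m): nat_compatible(p, m) for p in ("AH", "ESP") for m in ("transport", "tunnel")}
```

Without the NAT step every combination verifies, which is what isolates the address rewrite as the sole cause of the three "N" rows.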
CHAPTER 15 VPN Screens

This chapter introduces the VPN Web Configurator. See the Logs chapter for information on viewing logs and the Appendices for IPSec log descriptions.

15.1 VPN/IPSec Overview

Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.

15.2 IPSec Algorithms

The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.

15.2.1 AH (Authentication Header) Protocol

AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed. In applications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of the originator.

15.2.2 ESP (Encapsulating Security Payload) Protocol

The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP authenticating properties are limited compared to the AH due to the non-inclusion of the IP header information during the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.
An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.

Table 46 AH and ESP

ESP:
  DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data.
  3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
  Select DES for minimal security and 3DES for maximum.

AH:
  MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
  SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
  Select MD5 for minimal security and SHA-1 for maximum security.

15.3 My IP Address

My IP Address is the WAN IP address of the Prestige. If this field is configured as 0.0.0.0, then the Prestige will use the current Prestige WAN IP address (static or dynamic) to set up the VPN tunnel. The Prestige has to rebuild the VPN tunnel if the My IP Address changes after setup.

15.4 Secure Gateway Address

Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway). If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one) in the Secure Gateway Address field. You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The Prestige has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
15.4.1 Dynamic Secure Gateway Address

If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway’s address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network.

15.5 Summary Screen

The following figure helps explain the main fields in the web configurator.

Figure 59 IPSec Summary Fields

Local and remote IP addresses must be static.

Click VPN to open the Summary screen. This is a read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then clicking Edit to configure the associated submenus.

Note: The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.
Figure 60 VPN: Summary

The following table describes the labels in this screen.

Table 47 VPN: Summary

LABEL: DESCRIPTION
#: The VPN policy index number.
Active: This field displays whether the VPN policy is active or not. A Y signifies that this VPN policy is active. N signifies that this VPN policy is not active.
Local Addr.: This is the IP address of the computer on your local network behind your Prestige.
Remote Addr.: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. A single (static) IP address is displayed when the Remote Address Start and Remote Address End/Mask fields in the Rule Setup IKE (or Manual) screen are both configured to the same IP address. The beginning and ending (static) IP addresses in a range of computers are displayed when the Remote Address Start and Remote Address End/Mask fields in the Rule Setup IKE (or Manual) screen are configured for a range of IP addresses. A (static) IP address and a subnet mask are displayed when the Remote Address Start and Remote Address End/Mask fields in the Rule Setup IKE (or Manual) screen are configured for a subnet. This field displays 0.0.0.0 when the Secure Gateway Address field is set to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
Encap.: This field displays Tunnel or Transport mode (Tunnel is the default selection).
Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Prestige processing requirements and communications latency (delay).
Gateway: This is the static WAN IP address or URL of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway Addr field in the Rule Setup IKE screen to 0.0.0.0.

Select the radio button next to a VPN index number and then click Edit to edit a specific VPN policy. Click the radio button next to an empty VPN policy index number and then Edit to add a new VPN policy.
Select the radio button next to a VPN policy number you want to delete and then click Delete. When a VPN policy is deleted, subsequent policies do not move up in the list.