ZyXEL Router Prestige 334 User Manual
Have a look at the manual ZyXEL Router Prestige 334 User Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 3 ZyXEL manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
Prestige 334 User’s Guide Chapter 15 VPN Screens160 15.6 Keep Alive When you initiate an IPSec tunnel with keep alive enabled, the Prestige automatically renegotiates the tunnel when the IPSec SA lifetime period expires ( the IPSec Algorithms section for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always on” connection after you initiate it. Both IPSec routers must have a Prestige-compatible keep alive feature enabled in order for this feature to work. If the Prestige has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the Prestige because the Prestige never drops the tunnels that are already connected. 15.7 NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between IPSec routers A and B. Figure 61 NAT Router Between IPSec Routers Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec packet in an attempt to initiate a VPN. The NAT router changes the IPSec packet’s header so it does not match the header for which IPSec router B is checking. Therefore, IPSec router B does not respond and the VPN connection cannot be built. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router B checks the UDP port 500 header and responds. IPSec routers A and B build a VPN connection. 15.7.1 NAT Traversal Configuration For NAT traversal to work you must: • Use ESP security protocol (in either transport or tunnel mode). • Use IKE keying mode. Note: When there is outbound traffic with no inbound traffic, the Prestige automatically drops the tunnel after two minutes.
Prestige 334 User’s Guide 161Chapter 15 VPN Screens • Enable NAT traversal on both IPSec endpoints. In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A. 15.7.2 Remote DNS Server In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP since these DNS servers cannot resolve domain names to private IP addresses on the remote network The following figure depicts an example where three VPN tunnels are created from Prestige A; one to branch office 2, one to branch office 3 and another to headquarters. In order to access computers that use private domain names on the headquarters (HQ) network, the Prestige at branch office 1 uses the Intranet DNS server in headquarters. The DNS server feature for VPN does not work with Windows 2000 or Windows XP. Figure 62 VPN Host using Intranet DNS Server Example Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote network.
Prestige 334 User’s Guide Chapter 15 VPN Screens162 15.8 ID Type and Content With aggressive negotiation mode (see Section Negotiation Mode), the Prestige identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the Prestige to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the Prestige from IPSec routers with dynamic IP addresses (see the Telecommuter VPN/IPSec Examples section for a telecommuter configuration example). With main mode (see Section Negotiation Mode), the ID type and content are encrypted to provide identity protection. In this case the Prestige can only distinguish between up to eight different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The Prestige can distinguish up to eight incoming SAs because you can select between three encryption algorithms (DES and 3DES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule ( the Configuring Advanced IKE Settings section ). The ID type and content act as an extra level of identification for incoming SAs. The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address. Note: Regardless of the ID type and content configuration, the Prestige does not allow you to save multiple active rules with overlapping local and remote IP addresses. Table 48 Local ID Type and Content Fields LOCAL ID TYPECONTENT IPType the IP address of your computer or leave the field blank to have the Prestige automatically use its own IP address. DNSType a domain name (up to 31 characters) by which to identify this Prestige. E-mailType an e-mail address (up to 31 characters) by which to identify this Prestige. The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. Table 49 Peer ID Type and Content Fields PEER ID TYPECONTENT IPType the IP address of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway Address field. DNSType a domain name (up to 31 characters) by which to identify the remote IPSec router.
Prestige 334 User’s Guide 163Chapter 15 VPN Screens 15.8.1 ID Type and Content Examples Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel. The two Prestiges in this example can complete negotiation and establish a VPN tunnel The two Prestiges in this example cannot complete their negotiation because Prestige B’s Local ID type is IP, but Prestige A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG. 15.9 Pre-Shared Key A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section IKE Phases for more on IKE phases). It is called “pre-shared” because you have to share it with another party before you can communicate with them over a secure connection. E-mailType an e-mail address (up to 31 characters) by which to identify the remote IPSec router. The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. The domain name also does not have to match the remote router’s IP address or what you configure in the Secure Gateway Address field below. Table 49 Peer ID Type and Content Fields PEER ID TYPECONTENT Table 50 Matching ID Type and Content Configuration Example PRESTIGE APRESTIGE B Local ID type: E-mailLocal ID type: IP Local ID content: [email protected] ID content: 1.1.1.2 Peer ID type: IPPeer ID type: E-mail Peer ID content: 1.1.1.2Peer ID content: [email protected] Figure 63 Mismatching ID Type and Content Configuration Example PRESTIGE APRESTIGE B Local ID type: IPLocal ID type: IP Local ID content: 1.1.1.10Local ID content: 1.1.1.10 Peer ID type: E-mailPeer ID type: IP Peer ID content: [email protected] ID content: N/A
Prestige 334 User’s Guide Chapter 15 VPN Screens164 15.10 Editing VPN Rules Click Edit on the Summary screen or click the Rule Setup tab to edit VPN rules. Figure 64 VPN: Rule Setup (Basic) The following table describes the labels in this screen. Table 51 VPN: Rule Setup (Basic) LABELDESCRIPTION ActiveSelect this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep AliveSelect this check box to have the Prestige automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work. NAT TraversalSelect this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with ESP protocol using Tr a n s p o r t or Tu n n e l mode, but not with AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the IPSec router behind the NAT router.
Prestige 334 User’s Guide 165Chapter 15 VPN Screens IPSec Keying ModeSelect IKE or Manual from the drop-down list box. IKE provides more protection so it is generally recommended. Manual is a useful option for troubleshooting. Local AddressThe local IP address must be static and correspond to the remote IPSec routers configured remote IP addresses. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. Remote Address StartRemote IP addresses must be static and correspond to the remote IPSec routers configured local IP addresses. The remote address fields do not apply when the Secure Gateway Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. Enter a (static) IP address on the network behind the remote IPSec router. Remote Address End/MaskWhen the remote IP address is a single address, type it a second time here. When the remote IP address is a range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the remote IP address is a subnet address, enter a subnet mask on the network behind the remote IPSec router. DNS Server (for IPSec VPN)If there is a private DNS server that services the VPN, type its IP address here. The Prestige assigns this additional DNS server to the Prestige’s DHCP clients that have IP addresses in this IPSec rules range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names. My IP AddressEnter the WAN IP address of your Prestige. The Prestige uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes. Local ID TypeSelect IP to identify this Prestige by its IP address. Select DNS to identify this Prestige by a domain name. Select E-mail to identify this Prestige by an e-mail address. Local ContentWhen you select IP in the Local ID Type field, type the IP address of your computer in the local Content field. The Prestige automatically uses the IP address in the My IP Address field (refer to the My IP Address field description) if you configure the local Content field to 0.0.0.0 or leave it blank. It is recommended that you type an IP address other than 0.0.0.0 in the local Content field or use the DNS or E-mail ID type in the following situations. When there is a NAT router between the two IPSec routers. When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses. When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this Prestige in the local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. Table 51 VPN: Rule Setup (Basic) LABELDESCRIPTION
Prestige 334 User’s Guide Chapter 15 VPN Screens166 Secure Gateway AddressType the WAN IP address or the URL (up to 31 characters) of the IPSec router with which youre making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode field must be set to IKE). The remote address fields do not apply when the Secure Gateway Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Peer ID TypeSelect IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address. Peer ContentThe configuration of the peer content depends on the peer ID type. For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the Prestige will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description). For DNS or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations: When there is a NAT router between the two IPSec routers. When you want the Prestige to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses. Encapsulation ModeSelect Tu n n e l mode or Transport mode from the drop-down list box. IPSec ProtocolSelect ESP if you want to use ESP (Encapsulation Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described next). Select AH if you want to use AH (Authentication Header Protocol). The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field (described later). Pre-Shared KeyType your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called pre-shared because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal (0-9, A-F) characters. You must precede a hexadecimal key with a 0x” (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in 0x0123456789ABCDEF, “0x” denotes that the key is hexadecimal and “0123456789ABCDEF” is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key is not used on both ends Encryption AlgorithmSelect DES or 3DES from the drop-down list box. The Prestige’s encryption algorithm should be identical to the secure remote gateway. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. Table 51 VPN: Rule Setup (Basic) LABELDESCRIPTION
Prestige 334 User’s Guide 167Chapter 15 VPN Screens 15.11 IKE Phases There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec. Figure 65 Two Phases to Set Up the IPSec SA In phase 1 you must: • Choose a negotiation mode. • Authenticate the connection by entering a pre-shared key. • Choose an encryption algorithm. • Choose an authentication algorithm. • Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected. In phase 2 you must: • Choose which protocol to use (ESP or AH) for the IKE key exchange. Authentication AlgorithmSelect SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security. AdvancedClick Advanced to configure more detailed settings of your IKE key management. ApplyClick Apply to save your changes back to the Prestige. ResetClick Reset to begin configuring this screen afresh. Table 51 VPN: Rule Setup (Basic) LABELDESCRIPTION
Prestige 334 User’s Guide Chapter 15 VPN Screens168 • Choose an encryption algorithm. • Choose an authentication algorithm • Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public- key cryptography – see Section Perfect Forward Secrecy (PFS). Select None (the default) to disable PFS. Choose Tunnel mode or Transport mode. Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The Prestige automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The Prestige also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic. 15.11.1 Negotiation Mode The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations. •Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation). •Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However the trade- off is that faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not know by the responder and both parties want to use pre-shared key authentication. 15.11.2 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 – DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys. 15.11.3 Perfect Forward Secrecy (PFS) Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The (time-consuming) Diffie- Hellman exchange is the trade-off for this extra security.
Prestige 334 User’s Guide 169Chapter 15 VPN Screens This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Prestige. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange). 15.12 Configuring Advanced IKE Settings Select Advanced at the bottom of the Rule Setup IKE screen. This is the Rule Setup IKE- Advanced screen as shown next.