ZyXEL Router Prestige 334 User Manual

    Prestige 334 User’s Guide
    Chapter 15 VPN Screens (page 170)

    Figure 66   VPN IKE: Advanced
    The following table describes the labels in this screen.

    Table 52   VPN IKE: Advanced

    Active
        Select this check box to activate this VPN policy.

    Keep Alive
        Select this check box to turn on the Keep Alive feature for this SA. Turn on
        Keep Alive to have the Prestige automatically reinitiate the SA after the SA
        lifetime times out, even if there is no traffic. The remote IPSec router must
        also have keep alive enabled in order for this feature to work.

    NAT Traversal
        Select this check box to enable NAT traversal. NAT traversal allows you to set
        up a VPN connection when there are NAT routers between the two IPSec routers.
        The remote IPSec router must also have NAT traversal enabled.
        You can use NAT traversal with the ESP protocol in Transport or Tunnel mode,
        but not with the AH protocol nor with manual key management. In order for an
        IPSec router behind a NAT router to receive an initiating IPSec packet, set
        the NAT router to forward UDP port 500 to the IPSec router behind the NAT
        router. Peers that implement the standardized NAT traversal of RFC 3947 and
        RFC 3948 move the exchange to UDP port 4500 once a NAT is detected, so also
        forward that port when the remote gateway uses it.

    IPSec Keying Mode
        The advanced configuration page is only available with the IKE IPSec keying
        mode. Click the Basic button below in order to be able to choose the Manual
        IPSec keying mode. Make sure the remote gateway has the same configuration in
        this field.

    Protocol Number
        Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies
        any protocol.

    Enable Replay Detection
        Because VPN processing is intensive, the system is vulnerable to Denial of
        Service (DoS) attacks that replay captured packets. The IPSec receiver can
        detect and reject old or duplicate packets, using the sequence number carried
        in each ESP or AH header, to protect against replay attacks. Enable replay
        detection by setting this field to Yes.

    Local Address
        The local IP address must be static and correspond to the remote IPSec
        router's configured remote IP addresses.
        Two active SAs can have the same local or remote IP address, but not both.
        You can configure multiple SAs between the same local and remote IP
        addresses, as long as only one is active at any time.

    Local Port Start
        0 is the default and signifies any port. Type a port number from 0 to 65535.
        Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP;
        25, SMTP; 110, POP3.

    Local Port End
        Enter a port number in this field to define a port range. This port number
        must be greater than that specified in the previous field (or equal to it to
        configure an individual port).

    Remote Address Start
        Remote IP addresses must be static and correspond to the remote IPSec
        router's configured local IP addresses. The remote address fields do not
        apply when the Secure Gateway Address field is configured to 0.0.0.0; in that
        case only the remote IPSec router can initiate the VPN.
        Two active SAs cannot have both the local and the remote IP address(es) the
        same. Two active SAs can have the same local or remote IP address, but not
        both. You can configure multiple SAs between the same local and remote IP
        addresses, as long as only one is active at any time.
        Enter a (static) IP address on the network behind the remote IPSec router.

    Remote Address End/Mask
        When the remote IP address is a single address, type it a second time here.
        When the remote IP address is a range, enter the end (static) IP address of
        the range of computers on the network behind the remote IPSec router.
        When the remote IP address is a subnet address, enter the subnet mask of the
        network behind the remote IPSec router.

    Remote Port Start
        0 is the default and signifies any port. Type a port number from 0 to 65535.
        Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP;
        25, SMTP; 110, POP3.

    Remote Port End
        Enter a port number in this field to define a port range. This port number
        must be greater than that specified in the previous field (or equal to it to
        configure an individual port).

    DNS Server (for IPSec VPN)
        If there is a private DNS server that serves the VPN, type its IP address
        here. The Prestige assigns this additional DNS server to the Prestige's DHCP
        clients whose IP addresses fall within this IPSec rule's range of local
        addresses. A DNS server allows clients on the VPN to find other computers and
        servers on the VPN by their (private) domain names.

    My IP Address
        Enter the WAN IP address of your Prestige. The Prestige uses its current WAN
        IP address (static or dynamic) in setting up the VPN tunnel if you leave this
        field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes.

    Local ID Type
        Select IP to identify this Prestige by its IP address.
        Select DNS to identify this Prestige by a domain name.
        Select E-mail to identify this Prestige by an e-mail address.

    Local Content
        When you select IP in the Local ID Type field, type the IP address of your
        computer in the Local Content field. The Prestige automatically uses the IP
        address in the My IP Address field (refer to the My IP Address field
        description) if you configure the Local Content field to 0.0.0.0 or leave it
        blank.
        It is recommended that you type an IP address other than 0.0.0.0 in the Local
        Content field or use the DNS or E-mail ID type in the following situations:
        • When there is a NAT router between the two IPSec routers.
        • When you want the remote IPSec router to be able to distinguish between VPN
          connection requests that come in from IPSec routers with dynamic WAN IP
          addresses.
        When you select DNS or E-mail in the Local ID Type field, type a domain name
        or e-mail address by which to identify this Prestige in the Local Content
        field. Use up to 31 ASCII characters including spaces, although trailing
        spaces are truncated. The domain name or e-mail address is for identification
        purposes only and can be any string; it is compared with the peer's setting,
        not resolved.

    Secure Gateway Address
        Type the WAN IP address or the URL (up to 31 characters) of the remote secure
        gateway with which you're making the VPN connection. Set this field to
        0.0.0.0 if the remote secure gateway has a dynamic WAN IP address (the IPSec
        Keying Mode field must be set to IKE).

    Peer ID Type
        Select IP to identify the remote IPSec router by its IP address.
        Select DNS to identify the remote IPSec router by a domain name.
        Select E-mail to identify the remote IPSec router by an e-mail address.
    Peer Content
        The configuration of the peer content depends on the peer ID type.
        • For IP, type the IP address of the computer with which you will make the
          VPN connection. If you configure this field to 0.0.0.0 or leave it blank,
          the Prestige will use the address in the Secure Gateway Address field
          (refer to the Secure Gateway Address field description).
        • For DNS or E-mail, type a domain name or e-mail address by which to
          identify the remote IPSec router. Use up to 31 ASCII characters including
          spaces, although trailing spaces are truncated. The domain name or e-mail
          address is for identification purposes only and can be any string.
        It is recommended that you type an IP address other than 0.0.0.0 or use the
        DNS or E-mail ID type in the following situations:
        • When there is a NAT router between the two IPSec routers.
        • When you want the Prestige to distinguish between VPN connection requests
          that come in from remote IPSec routers with dynamic WAN IP addresses.

    IKE Phase 1
        A phase 1 exchange establishes an IKE SA (Security Association).

    Negotiation Mode
        Select Main or Aggressive from the drop-down list box. The Prestige's
        negotiation mode should be identical to that on the remote secure gateway.
        Aggressive mode needs fewer messages, but it sends the identities in the clear
        and lets an eavesdropper record the pre-shared-key authentication hash for
        offline guessing; use Main mode unless the remote gateway requires Aggressive
        mode.

    Encryption Algorithm
        Select DES or 3DES from the drop-down list box. The Prestige's encryption
        algorithm should be identical to that of the remote secure gateway. When DES
        is used for data communications, both sender and receiver must know the same
        secret key, which is used to encrypt and decrypt the message. The DES
        encryption algorithm uses a 56-bit key, which has been recoverable by brute
        force since the late 1990s. Triple DES (3DES) is a variation on DES that uses
        a 168-bit key (three DES keys; its effective strength is about 112 bits). As a
        result, 3DES is more secure than DES. It also requires more processing power,
        resulting in increased latency and decreased throughput. Select 3DES unless
        the remote gateway cannot.

    Authentication Algorithm
        Select SHA1 or MD5 from the drop-down list box. The Prestige's
        authentication algorithm should be identical to that of the remote secure
        gateway. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash
        algorithms used, in keyed (HMAC) form, to authenticate the source and
        integrity of packet data. The SHA1 algorithm is generally considered stronger
        than MD5, but is slower. Select SHA1 for maximum security.

    SA Life Time
        Define the length of time before an IKE SA automatically renegotiates in this
        field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA
        Life Time increases security by forcing the two VPN gateways to update the
        encryption and authentication keys. However, every time the VPN tunnel
        renegotiates, all users accessing remote resources are temporarily
        disconnected.

    Key Group
        You must choose a key group for phase 1 IKE setup. DH1 (default) refers to
        Diffie-Hellman Group 1, which uses a 768-bit prime modulus; DH2 refers to
        Diffie-Hellman Group 2, which uses a 1024-bit prime modulus. (The bit size is
        the size of the group's modulus; each side's random private exponent is
        generated fresh for the exchange.) A 768-bit group is considered too weak
        today, so choose DH2 whenever the remote gateway supports it.

    Pre-Shared Key
        Type your pre-shared key in this field. A pre-shared key identifies a
        communicating party during a phase 1 IKE negotiation. It is called
        pre-shared because you have to share it with the other party before you can
        communicate with them over a secure connection. Because it is the only secret
        that authenticates the peers, use a long random value rather than a word or
        phrase.

    IKE Phase 2
        A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA
        for IPSec.

    Encapsulation Mode
        Select Tunnel mode or Transport mode from the drop-down list box. The
        Prestige's encapsulation mode should be identical to that of the remote
        secure gateway.
    IPSec Protocol
        Select ESP or AH from the drop-down list box. The Prestige's IPSec protocol
        should be identical to that of the remote secure gateway. The ESP
        (Encapsulating Security Payload) protocol (RFC 2406) provides encryption as
        well as the authentication offered by AH. If you select ESP here, you must
        select options from the Encryption Algorithm and Authentication Algorithm
        fields (described below). The AH (Authentication Header) protocol (RFC 2402)
        was designed for integrity, data-origin authentication and sequence integrity
        (replay resistance), but not for confidentiality, for which ESP was designed.
        Neither protocol provides non-repudiation, since both authenticate with a
        keyed hash under a shared key. AH also authenticates the outer IP header,
        which is why it cannot pass through NAT. If you select AH here, you must
        select options from the Authentication Algorithm field.

    Encryption Algorithm
        The encryption algorithm for the Prestige and the remote secure gateway
        should be identical. When DES is used for data communications, both sender
        and receiver must know the same secret key, which is used to encrypt and
        decrypt the message. The DES encryption algorithm uses a 56-bit key. Triple
        DES (3DES) is a variation on DES that uses a 168-bit key (effective strength
        about 112 bits). As a result, 3DES is more secure than DES. It also requires
        more processing power, resulting in increased latency and decreased
        throughput.

    Authentication Algorithm
        Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and
        SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
        data. The SHA1 algorithm is generally considered stronger than MD5, but is
        slower. Select MD5 for minimal security and SHA1 for maximum security.

    SA Life Time
        Define the length of time before the IPSec SA automatically renegotiates in
        this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A
        short SA Life Time increases security by forcing the two VPN gateways to
        update the encryption and authentication keys. However, every time the VPN
        tunnel renegotiates, all users accessing remote resources are temporarily
        disconnected.

    Perfect Forward Secrecy (PFS)
        Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec
        SA setup. This allows faster IPSec setup, but is less secure: without PFS the
        phase 2 keys are derived from the phase 1 keying material alone, so anyone
        who recovers the phase 1 secret can derive the keys of every IPSec SA built
        on it. Choose DH1 or DH2 to enable PFS, which performs a fresh Diffie-Hellman
        exchange for each phase 2 negotiation. DH1 refers to Diffie-Hellman Group 1
        (768-bit modulus). DH2 refers to Diffie-Hellman Group 2 (1024-bit modulus;
        more secure, yet slower).

    Basic
        Select Basic to go to the previous VPN configuration screen.

    Apply
        Click Apply to save your changes.

    Reset
        Click Reset to begin configuring this screen afresh.

    15.13  Manual Key Setup
    Manual key management is useful if you have problems with IKE key management. Note that
    manual keys are static: they are never renegotiated, so they provide no forward secrecy and
    must be changed by hand.
    15.13.1  Security Parameter Index (SPI)
    An SPI is used to distinguish different SAs terminating at the same destination and using the
    same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The
    SPI (Security Parameter Index), together with the destination IP address and the IPSec
    protocol (AH or ESP), uniquely identifies a particular Security Association (SA). The SPI is
    carried in every AH or ESP header sent from the remote VPN gateway to the local VPN
    gateway. The local VPN gateway then uses the network, encryption and key values that the
    administrator associated with the SPI to process the packets of that tunnel.
    15.14  Configuring Manual Key
    You only configure VPN Manual Key when you select Manual in the IPSec Keying Mode 
    field on the Rule Setup IKE screen. This is the Rule Setup Manual screen as shown next.  
    Note: The current ZyXEL implementation assumes identical outgoing and incoming SPIs, so
    the single SPI you type is used for both directions and must match the value configured
    on the remote gateway.
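    Manual keys are fixed, so a key that leaks exposes all traffic ever protected with it; with IKE, the Key Group and Perfect Forward Secrecy fields of Table 52 decide whether the same is true of a compromised phase 1 secret. The following Python is an added example, not ZyXEL's code and not a model of the Prestige firmware. It runs the IKEv1 quick-mode key derivation of RFC 2409 section 5.5 (HMAC-SHA1 as the prf, protocol identifier 3 for ESP from RFC 2407) over constructed nonces, SPI and SKEYID_d, using the Oakley groups the manual calls DH1 and DH2, and shows that an eavesdropper who already holds SKEYID_d recovers the phase 2 keys when PFS is None but not when a fresh Diffie-Hellman exchange is required. `simulate_quick_mode` and all the byte values in it are assumptions of the example.

```python
"""Added example, not ZyXEL code: what Perfect Forward Secrecy changes in the
IKEv1 quick-mode key derivation (RFC 2409 section 5.5). SKEYID_d, the SPI and
the nonces are constructed values."""
import hashlib
import hmac
import secrets

# Oakley groups from RFC 2409 section 6: group 1 (768-bit MODP, the manual's DH1)
# and group 2 (1024-bit MODP, DH2). Both use generator 2.
GROUP1_PRIME = int("".join("""
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
    020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
    4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_PRIME = int("".join("""
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
    020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
    4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
    EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GENERATOR = 2
PROTO_IPSEC_ESP = 3                   # IPsec DOI protocol identifier (RFC 2407)


def dh_keypair(p: int):
    """Fresh private exponent x and public value g^x mod p."""
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(GENERATOR, x, p)


def dh_shared(x: int, peer_public: int, p: int) -> bytes:
    """g^xy mod p as a big-endian byte string of the group's width."""
    return pow(peer_public, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when SHA1 is the negotiated hash: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                      gxy: bytes = None) -> bytes:
    """First prf block of KEYMAT, RFC 2409 section 5.5:
         without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
         with PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    prefix = gxy if gxy is not None else b""
    return prf(skeyid_d, prefix + bytes([PROTO_IPSEC_ESP]) + spi + ni + nr)


def simulate_quick_mode(pfs_group: int = None):
    """Quick mode between two gateways, watched by an eavesdropper who already
    holds SKEYID_d. Returns (peers_agree, attacker_recovers_keymat)."""
    skeyid_d = b"\x11" * 20                 # constructed phase 1 secret, assumed leaked
    spi = b"\x00\x00\x10\x00"                # constructed SPI, sent in the clear
    ni, nr = b"\x01" * 16, b"\x02" * 16      # constructed nonces, sent in the clear
    if pfs_group is None:                    # PFS = None: no new Diffie-Hellman
        gxy_i = gxy_r = None
    else:                                    # PFS = DH1/DH2: fresh exchange per SA
        xi, pub_i = dh_keypair(pfs_group)
        xr, pub_r = dh_keypair(pfs_group)
        gxy_i = dh_shared(xi, pub_r, pfs_group)
        gxy_r = dh_shared(xr, pub_i, pfs_group)
    keymat_i = quick_mode_keymat(skeyid_d, spi, ni, nr, gxy_i)
    keymat_r = quick_mode_keymat(skeyid_d, spi, ni, nr, gxy_r)
    # The eavesdropper saw SPI, Ni, Nr and (with PFS) pub_i and pub_r, but not the
    # private exponents, so it can only derive without the g^xy term.
    attacker = quick_mode_keymat(skeyid_d, spi, ni, nr, None)
    return keymat_i == keymat_r, attacker == keymat_i


if __name__ == "__main__":
    print("PFS None:", simulate_quick_mode())              # (True, True)
    print("PFS DH1 :", simulate_quick_mode(GROUP1_PRIME))  # (True, False)
    print("PFS DH2 :", simulate_quick_mode(GROUP2_PRIME))  # (True, False)
```

    With PFS the attacker would have to solve a discrete logarithm in the chosen group to get g^xy, which is why the group size matters and why DH2 is the better choice of the two the Prestige offers; the extra exponentiations are the cost the manual describes as slower setup.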
    						
    Figure 67   Setup: Manual
    The following table describes the labels in this screen.
    Table 53   Rule Setup: Manual

    Active
        Select this check box to activate this VPN policy.

    IPSec Keying Mode
        Select IKE or Manual from the drop-down list box. Manual is a useful option
        for troubleshooting if you have problems using IKE key management.

    Protocol Number
        Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies
        any protocol.

    Local Address
        The local IP address must be static and correspond to the remote IPSec
        router's configured remote IP addresses.
        Two active SAs can have the same local or remote IP address, but not both.
        You can configure multiple SAs between the same local and remote IP
        addresses, as long as only one is active at any time.

    Local Port Start
        0 is the default and signifies any port. Type a port number from 0 to 65535.
        Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP;
        25, SMTP; 110, POP3.

    Local Port End
        Type a port number in this field to define a port range. This port number
        must be greater than that specified in the previous field. If Local Port
        Start is left at 0, Local Port End will also remain at 0.

    Remote Address Start
        Remote IP addresses must be static and correspond to the remote IPSec
        router's configured local IP addresses. The remote address fields do not
        apply when the Secure Gateway IP Address field is configured to 0.0.0.0; in
        that case only the remote IPSec router can initiate the VPN.
        Two active SAs cannot have both the local and the remote IP address(es) the
        same. Two active SAs can have the same local or remote IP address, but not
        both. You can configure multiple SAs between the same local and remote IP
        addresses, as long as only one is active at any time.
        Enter a (static) IP address on the network behind the remote IPSec router.

    Remote Address End/Mask
        When the remote IP address is a single address, type it a second time here.
        When the remote IP address is a range, enter the end (static) IP address of
        the range of computers on the network behind the remote IPSec router.
        When the remote IP address is a subnet address, enter the subnet mask of the
        network behind the remote IPSec router.

    Remote Port Start
        0 is the default and signifies any port. Type a port number from 0 to 65535.
        Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP;
        25, SMTP; 110, POP3.

    Remote Port End
        Enter a port number in this field to define a port range. This port number
        must be greater than that specified in the previous field. If Remote Port
        Start is left at 0, Remote Port End will also remain at 0.

    DNS Server (for IPSec VPN)
        If there is a private DNS server that serves the VPN, type its IP address
        here. The Prestige assigns this additional DNS server to the Prestige's DHCP
        clients whose IP addresses fall within this IPSec rule's range of local
        addresses. A DNS server allows clients on the VPN to find other computers and
        servers on the VPN by their (private) domain names.

    My IP Address
        Enter the WAN IP address of your Prestige. The Prestige uses its current WAN
        IP address (static or dynamic) in setting up the VPN tunnel if you leave this
        field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes.

    Secure Gateway IP Address
        Type the WAN IP address or the URL (up to 31 characters) of the IPSec router
        with which you're making the VPN connection.

    SPI
        Type a number (base 10) from 1 to 999999 for the Security Parameter Index.
        SPI values 1 through 255 are reserved by IANA (RFC 2402 and RFC 2406), so
        choose a larger value, and use the same value on the remote gateway (see the
        note in Section 15.14).

    Encapsulation Mode
        Select Tunnel mode or Transport mode from the drop-down list box.

    Enable Replay Detection
        Because VPN processing is intensive, the system is vulnerable to Denial of
        Service (DoS) attacks that replay captured packets. The IPSec receiver can
        detect and reject old or duplicate packets, using the sequence number carried
        in each ESP or AH header, to protect against replay attacks. Select YES from
        the drop-down menu to enable replay detection, or select NO to disable it.

    IPSec Protocol
        Select ESP if you want to use ESP (Encapsulating Security Payload). The ESP
        protocol (RFC 2406) provides encryption as well as some of the services
        offered by AH. If you select ESP here, you must select options from the
        Encryption Algorithm and Authentication Algorithm fields (described next).
        Select AH if you want to use AH (Authentication Header). The AH protocol
        (RFC 2402) was designed for integrity, data-origin authentication and
        sequence integrity (replay resistance), but not for confidentiality, for
        which ESP was designed. If you select AH here, you must select options from
        the Authentication Algorithm field (described later).
    Encryption Algorithm
        Select DES or 3DES from the drop-down list box. The Prestige's encryption
        algorithm should be identical to that of the remote secure gateway. When DES
        is used for data communications, both sender and receiver must know the same
        secret key, which is used to encrypt and decrypt the message. The DES
        encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on
        DES that uses a 168-bit key (effective strength about 112 bits). As a result,
        3DES is more secure than DES. It also requires more processing power,
        resulting in increased latency and decreased throughput.

    Authentication Algorithm
        Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and
        SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet
        data. The SHA1 algorithm is generally considered stronger than MD5, but is
        slower. Select MD5 for minimal security and SHA1 for maximum security.

    Encryption Key (Only with ESP)
        With DES, type a unique key 8 characters long. With 3DES, type a unique key
        24 characters long. Any characters may be used, including spaces, but
        trailing spaces are truncated. Each character supplies one key byte, so use
        randomly generated characters: a key made from words has far less than 56
        (DES) or 168 (3DES) bits of entropy, and a trailing space silently shortens
        the key.

    Authentication Key
        Type a unique authentication key to be used by IPSec if applicable. Enter 16
        characters for MD5 authentication or 20 characters for SHA1 authentication.
        Any characters may be used, including spaces, but trailing spaces are
        truncated. The same advice applies: generate the characters randomly.

    Apply
        Click Apply to save your changes back to the Prestige.

    Reset
        Click Reset to begin configuring this screen afresh.

    15.15  Viewing SA Monitor
    In the web configurator, click VPN and the SA Monitor tab. Use this screen to display and
    manage active VPN connections.
    A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
    This screen displays active VPN connections. Use Refresh to display active VPN
    connections. This screen is read-only.
    Note: When there is outbound traffic but no inbound traffic, the SA times out automatically
    after two minutes. A tunnel with no outbound or inbound traffic is idle and does not time
    out until the SA lifetime period expires. See the Keep Alive section to have the Prestige
    renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.
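    The constraints Table 53 places on a manual-key rule (port ranges, the SPI range, key lengths that depend on the algorithm, trailing-space truncation, and at most one active SA per local/remote address pair) can be checked before a rule is applied and before it is matched against what the SA Monitor shows. The following Python is an added example written for this page, not ZyXEL's code; `ManualRule`, the finding codes and the two sample rules are constructed. The reserved-SPI, weak-algorithm and low-entropy findings go beyond what the manual states and are advisory, and the entropy heuristic (fewer distinct characters than half the key length) is an assumption of the example.

```python
"""Added example, not ZyXEL code: check Rule Setup: Manual rules against the
constraints in Table 53 before applying them. The rules below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENC_KEY_CHARS = {"DES": 8, "3DES": 24}      # Encryption Key length per algorithm
AUTH_KEY_CHARS = {"MD5": 16, "SHA1": 20}    # Authentication Key length per algorithm
IANA_RESERVED_SPI_MAX = 255                 # RFC 2402/2406 reserve SPI values 1-255


@dataclass
class ManualRule:
    name: str
    active: bool
    local_addr: str
    remote_addr: str
    local_ports: Tuple[int, int]            # (Local Port Start, Local Port End)
    remote_ports: Tuple[int, int]
    spi: int
    ipsec_protocol: str                     # "ESP" or "AH"
    enc_alg: Optional[str]                  # None when AH is selected
    auth_alg: str
    enc_key: str = ""
    auth_key: str = ""


Finding = Tuple[str, str]                   # (rule name, finding code)


def check_ports(rule: ManualRule, label: str, ports: Tuple[int, int]) -> List[Finding]:
    start, end = ports
    if not (0 <= start <= 65535 and 0 <= end <= 65535):
        return [(rule.name, label + "_OUT_OF_RANGE")]
    if start == 0 and end != 0:             # Start left at 0 means End stays 0 too
        return [(rule.name, label + "_END_WITHOUT_START")]
    if end < start:
        return [(rule.name, label + "_END_BELOW_START")]
    return []


def check_key(rule: ManualRule, code: str, key: str, expected: int) -> List[Finding]:
    stored = key.rstrip(" ")                # the device truncates trailing spaces
    if len(stored) != expected:
        return [(rule.name, code + "_LEN")]
    # heuristic, an assumption of this example: very few distinct characters
    # means the key was typed from a word, not generated randomly
    if len(set(stored)) < expected // 2:
        return [(rule.name, code + "_LOW_ENTROPY")]
    return []


def lint_rule(rule: ManualRule) -> List[Finding]:
    f: List[Finding] = []
    f += check_ports(rule, "LOCAL_PORT", rule.local_ports)
    f += check_ports(rule, "REMOTE_PORT", rule.remote_ports)
    if not 1 <= rule.spi <= 999999:
        f.append((rule.name, "SPI_OUT_OF_RANGE"))
    elif rule.spi <= IANA_RESERVED_SPI_MAX:
        f.append((rule.name, "SPI_IANA_RESERVED"))
    if rule.ipsec_protocol == "ESP":
        if rule.enc_alg not in ENC_KEY_CHARS:
            f.append((rule.name, "ESP_NEEDS_ENC_ALG"))
        else:
            if rule.enc_alg == "DES":
                f.append((rule.name, "WEAK_DES"))
            f += check_key(rule, "ENC_KEY", rule.enc_key, ENC_KEY_CHARS[rule.enc_alg])
    elif rule.ipsec_protocol != "AH":
        f.append((rule.name, "UNKNOWN_PROTOCOL"))
    if rule.auth_alg not in AUTH_KEY_CHARS:
        f.append((rule.name, "UNKNOWN_AUTH_ALG"))
    else:
        if rule.auth_alg == "MD5":
            f.append((rule.name, "WEAK_MD5"))
        f += check_key(rule, "AUTH_KEY", rule.auth_key, AUTH_KEY_CHARS[rule.auth_alg])
    return f


def lint_rules(rules: List[ManualRule]) -> List[Finding]:
    findings: List[Finding] = []
    for rule in rules:
        findings += lint_rule(rule)
    active = [r for r in rules if r.active]
    for i, a in enumerate(active):          # two active SAs may not share both addresses
        for b in active[i + 1:]:
            if a.local_addr == b.local_addr and a.remote_addr == b.remote_addr:
                findings.append((a.name + "+" + b.name, "DUPLICATE_ACTIVE_SA"))
    return findings


def sample_rules() -> List[ManualRule]:
    good = ManualRule("branch", True, "192.168.1.0/24", "10.0.0.0/24", (0, 0), (0, 0),
                      4096, "ESP", "3DES", "SHA1",
                      enc_key="k7Qp2!vX9#mZ4rT1bN8@eW3c", auth_key="H5g^2LpQ9zR1xV7nM3bK")
    bad = ManualRule("branch-old", True, "192.168.1.0/24", "10.0.0.0/24", (0, 0), (80, 79),
                     100, "ESP", "DES", "MD5",
                     enc_key="secret  ", auth_key="a" * 16)
    return [good, bad]


if __name__ == "__main__":
    for name, code in lint_rules(sample_rules()):
        print(name, code)
```

    The second sample rule shows the failure that is easiest to miss in the web configurator: "secret  " looks like eight characters, but the device stores six, so DES would be keyed with a short key, and leaving the old rule active beside the new one trips the rule that two active SAs may not share both addresses.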
    						
    Figure 68   SA Monitor
    The following table describes the labels in this screen.

    Table 54   SA Monitor

    #
        This is the security association index number.

    Name
        This field displays the identification name for this VPN policy.

    Encapsulation
        This field displays Tunnel or Transport mode.

    IPSec Algorithm
        This field displays the security protocols used for an SA. Both AH and ESP
        increase Prestige processing requirements and communications latency (delay).

    Previous Page (if applicable)
        Click Previous Page to view more items in the summary.

    Refresh
        Click Refresh to display the current active VPN connection(s).

    Next Page (if applicable)
        Click Next Page to view more items in the summary.

    15.16  Configuring Global Setting
    To change your Prestige's Global Settings, click VPN, then the Global Setting tab. The
    screen appears as shown.
    						