ZyXEL Router Prestige 334 User Manual
Prestige 334 User’s Guide, Chapter 34 VPN/IPSec Setup

Table 105 Menu 27.1.1 IPSec Setup (continued)

FIELD / DESCRIPTION

Port Start
  0 is the default and signifies any port. Type a port number from 0 to 65535. You cannot create a VPN tunnel if you try to connect using a port number that does not match this port number or range of port numbers. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

End
  Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field.

Remote
  Remote IP addresses must be static and correspond to the remote IPSec router’s configured local IP addresses. The remote fields are N/A when the Secure Gateway Address field is configured to 0.0.0.0. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.

  Addr Type
    Press [SPACE BAR] to choose SINGLE, RANGE, or SUBNET and press [ENTER]. Select SINGLE for a single IP address. Use RANGE for a specific range of IP addresses. Use SUBNET to specify IP addresses on a network by their subnet mask.

  IP Addr Start
    When the Addr Type field is configured to Single, enter a static IP address on the network behind the remote IPSec router. When the Addr Type field is configured to Range, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Addr Type field is configured to SUBNET, enter a static IP address on the network behind the remote IPSec router. This field displays N/A when you configure the Secure Gateway Address field to 0.0.0.0.

  End/Subnet Mask
    When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Addr Type field is configured to SUBNET, enter a subnet mask on the network behind the remote IPSec router. This field displays N/A when you configure the Secure Gateway Address field to 0.0.0.0.

  Port Start
    0 is the default and signifies any port. Type a port number from 0 to 65535. Someone behind the remote IPSec router cannot create a VPN tunnel when attempting to connect using a port number that does not match this port number or range of port numbers. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

  End
    Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field.
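The address and port rows of Table 105 define a traffic selector, and the Remote row adds a rule that is easy to violate by accident: two active SAs may share their local addresses or their remote addresses, but not both. The following Python checker is an added example, not ZyXEL code; the Endpoint and Rule classes, their field names and the sample rules are assumptions made for this example. It turns SINGLE, RANGE and SUBNET entries into a common host span so that the same hosts written two different ways are still detected as a duplicate.

```python
"""Added example, not ZyXEL code: a checker for the Menu 27.1.1 traffic
selector fields described in Table 105 (Addr Type, IP Addr Start,
End/Subnet Mask, Port Start and End) and for the rule that two active SAs
may not share both their local and remote addresses. The Endpoint and Rule
classes, their field names and the sample rules are assumptions made for
this example."""
from dataclasses import dataclass
import ipaddress
from typing import Optional

ANY_GATEWAY = "0.0.0.0"   # Secure Gateway Address value that makes the remote fields N/A


@dataclass
class Endpoint:
    addr_type: str                      # SINGLE, RANGE or SUBNET
    ip_start: str                       # IP Addr Start
    end_or_mask: Optional[str] = None   # End address (RANGE) or subnet mask (SUBNET); N/A for SINGLE
    port_start: int = 0                 # 0 = any port
    port_end: int = 0                   # 0 = no range; N/A when port_start is 0

    def host_span(self) -> tuple[int, int]:
        """First and last address the selector covers, as integers."""
        first = int(ipaddress.IPv4Address(self.ip_start))
        if self.addr_type == "SINGLE":
            return first, first
        if self.addr_type == "RANGE":
            last = int(ipaddress.IPv4Address(self.end_or_mask))
            if last < first:
                raise ValueError("range End must not precede IP Addr Start")
            return first, last
        if self.addr_type == "SUBNET":
            net = ipaddress.IPv4Network((self.ip_start, self.end_or_mask), strict=False)
            return int(net.network_address), int(net.broadcast_address)
        raise ValueError(f"Addr Type must be SINGLE, RANGE or SUBNET, not {self.addr_type!r}")

    def port_span(self) -> tuple[int, int]:
        """Port range the selector matches; 0 in Port Start means any port."""
        for port in (self.port_start, self.port_end):
            if not 0 <= port <= 65535:
                raise ValueError(f"port {port} is outside 0 to 65535")
        if self.port_start == 0:
            return 0, 65535             # the End field is N/A in this case
        if self.port_end == 0:
            return self.port_start, self.port_start
        if self.port_end <= self.port_start:
            raise ValueError("Port End must be greater than Port Start")
        return self.port_start, self.port_end


@dataclass
class Rule:
    name: str
    active: bool
    secure_gateway: str
    local: Endpoint
    remote: Optional[Endpoint] = None   # N/A when secure_gateway is 0.0.0.0


def _same_hosts(x: Optional[Endpoint], y: Optional[Endpoint]) -> bool:
    if x is None or y is None:
        return x is y
    try:
        return x.host_span() == y.host_span()
    except ValueError:
        return False


def check_rules(rules: list[Rule]) -> list[str]:
    """Return readable problems; an empty list means the rule set is consistent."""
    problems: list[str] = []
    for rule in rules:
        for side, endpoint in (("local", rule.local), ("remote", rule.remote)):
            if endpoint is None:
                continue
            try:
                endpoint.host_span()
                endpoint.port_span()
            except ValueError as exc:
                problems.append(f"{rule.name}: {side} {exc}")
        if rule.secure_gateway == ANY_GATEWAY and rule.remote is not None:
            problems.append(f"{rule.name}: remote fields are N/A when Secure Gateway Address is 0.0.0.0")
        if rule.secure_gateway != ANY_GATEWAY and rule.remote is None:
            problems.append(f"{rule.name}: remote addresses are required for gateway {rule.secure_gateway}")
    # Two active SAs may share their local or their remote addresses, but not both.
    active = [rule for rule in rules if rule.active]
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if _same_hosts(a.local, b.local) and _same_hosts(a.remote, b.remote):
                problems.append(f"{a.name} and {b.name}: both active with identical local and remote addresses")
    return problems


# Constructed sample rule set (documentation addresses, not a real site).
SAMPLE_RULES = [
    Rule("branch-a", True, "203.0.113.10",
         Endpoint("SUBNET", "192.168.1.0", "255.255.255.0"),
         Endpoint("SUBNET", "10.1.0.0", "255.255.0.0")),
    Rule("branch-a-dup", True, "203.0.113.10",          # same hosts written as a RANGE: conflict
         Endpoint("RANGE", "192.168.1.0", "192.168.1.255", port_start=80),
         Endpoint("SUBNET", "10.1.0.0", "255.255.0.0")),
    Rule("branch-a-spare", False, "203.0.113.10",       # duplicate but inactive: allowed
         Endpoint("SUBNET", "192.168.1.0", "255.255.255.0"),
         Endpoint("SUBNET", "10.1.0.0", "255.255.0.0")),
    Rule("bad-ports", True, "198.51.100.7",             # End below Port Start
         Endpoint("SINGLE", "192.168.1.20", port_start=443, port_end=80),
         Endpoint("SINGLE", "10.2.0.5")),
]

if __name__ == "__main__":
    for line in check_rules(SAMPLE_RULES):
        print(line)
```

Running the block reports the port-order mistake in bad-ports and the duplicate active pair; branch-a-spare is left alone because only one of the duplicates is active, which is exactly what the Remote row permits.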
Enable Replay Detection
  As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by setting this field to Yes. Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to enable replay detection.

Key Management
  Press [SPACE BAR] to choose either IKE or Manual and then press [ENTER]. Manual is useful for troubleshooting if you have problems using IKE key management.

Edit Key Management Setup
  Press [SPACE BAR] to change the default No to Yes and then press [ENTER] to go to a key management menu for configuring your key management setup (described later). If you set the Key Management field to IKE, this will take you to Menu 27.1.1.1 – IKE Setup. If you set the Key Management field to Manual, this will take you to Menu 27.1.1.2 – Manual Setup.

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.

34.3 IKE Setup

To edit this menu, the Key Management field in Menu 27.1.1 – IPSec Setup must be set to IKE. Move the cursor to the Edit Key Management Setup field in Menu 27.1.1 – IPSec Setup; press [SPACE BAR] to select Yes and then press [ENTER] to display Menu 27.1.1.1 – IKE Setup.
Figure 180 Menu 27.1.1.1 IKE Setup

  Menu 27.1.1.1 - IKE Setup

    Phase 1
      Negotiation Mode= Main
      Pre-Shared Key= ?
      Encryption Algorithm= DES
      Authentication Algorithm= MD5
      SA Life Time (Seconds)= 28800
      Key Group= DH1

    Phase 2
      Active Protocol= ESP
      Encryption Algorithm= DES
      Authentication Algorithm= SHA1
      SA Life Time (Seconds)= 28800
      Encapsulation= Tunnel
      Perfect Forward Secrecy (PFS)= None

  Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle.

The following table describes the fields in this menu.

Table 106 Menu 27.1.1.1 IKE Setup

FIELD / DESCRIPTION

Phase 1

Negotiation Mode
  Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER]. See earlier for a discussion of these modes. Multiple SAs connecting through a secure gateway must have the same negotiation mode.

Pre-Shared Key (PSK)
  Prestige gateways authenticate an IKE VPN session by matching pre-shared keys. Pre-shared keys are best for small networks with fewer than ten nodes. Enter your pre-shared key here. Enter up to 31 characters. Any character may be used, including spaces, but trailing spaces are truncated. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key is not used on both ends.

Encryption Algorithm
  When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The Prestige DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in slightly increased latency and decreased throughput. Press [SPACE BAR] to choose from 3DES or DES and then press [ENTER].
Authentication Algorithm
  MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slightly slower. Press [SPACE BAR] to choose from SHA1 or MD5 and then press [ENTER].

SA Life Time (Seconds)
  Define the length of time before an IKE Security Association automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Key Group
  You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768 bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024 bit (1Kb) random number.

Phase 2

Active Protocol
  Press [SPACE BAR] to choose from ESP or AH and then press [ENTER]. See earlier for a discussion of these protocols.

Encryption Algorithm
  Press [SPACE BAR] to choose from NULL, 3DES or DES and then press [ENTER]. Select NULL to set up a tunnel without encryption.

Authentication Algorithm
  Press [SPACE BAR] to choose from SHA1 or MD5 and then press [ENTER].

SA Life Time (Seconds)
  Define the length of time before an IPSec Security Association automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days).

Encapsulation
  Press [SPACE BAR] to choose from Tunnel mode or Transport mode and then press [ENTER]. See earlier for a discussion of these.

Perfect Forward Secrecy (PFS)
  Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Press [SPACE BAR] and choose from DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768 bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024 bit (1Kb) random number (more secure, yet slower).

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.

34.4 Manual Setup

You only configure Menu 27.1.1.2 – Manual Setup when you select Manual in the Key Management field in Menu 27.1.1 – IPSec Setup. Manual key management is useful if you have problems with IKE key management.
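Before falling back to manual keying because IKE will not come up, it is worth checking the Table 106 values on both gateways side by side: the PSK row says a key mismatch shows up as a “PYLD_MALFORMED” packet, and any other phase 1 or phase 2 field that differs stalls the negotiation without such a clear hint. The Python below is an added example, not ZyXEL code; the dict layout, the LOCAL_SETTINGS, PEER_SETTINGS and BAD_SETTINGS values and the rule list passed to check_gateway_modes are assumptions made for this example. It range-checks one gateway's entry (PSK length after trailing-space truncation, 60 to 3,000,000 second lifetimes, the allowed algorithm and group names), lists the fields on which two ends disagree, and enforces the Negotiation Mode rule that all SAs through one secure gateway use the same mode.

```python
"""Added example, not ZyXEL code: range checks for one gateway's Menu
27.1.1.1 IKE Setup values (Table 106) and a field-by-field comparison with
the peer gateway's settings, so that a "PYLD_MALFORMED" reply or a stalled
negotiation can be traced to the field that differs. The dict layout, the
sample settings and the sample rule list are assumptions made for this
example; lifetimes are in seconds."""
import copy

PHASE1_ENC = {"DES", "3DES"}
PHASE2_ENC = {"NULL", "DES", "3DES"}        # NULL sets up a tunnel without encryption
AUTH_ALGS = {"MD5", "SHA1"}
DH_GROUPS = {"DH1", "DH2"}
LIFETIME_MIN, LIFETIME_MAX = 60, 3_000_000  # Table 106: 60 seconds to almost 35 days
PSK_MAX_LEN = 31


def stored_psk(psk: str) -> str:
    """The menu truncates trailing spaces, so compare keys as the device stores them."""
    return psk.rstrip(" ")


def validate_ike(cfg: dict) -> list[str]:
    """Check a single gateway's IKE Setup entry against the documented ranges."""
    p1, p2 = cfg["phase1"], cfg["phase2"]
    checks = [
        (p1["mode"] in ("Main", "Aggressive"), "phase1.mode must be Main or Aggressive"),
        (0 < len(stored_psk(cfg["psk"])) <= PSK_MAX_LEN,
         f"psk must be 1-{PSK_MAX_LEN} characters once trailing spaces are dropped"),
        (p1["enc"] in PHASE1_ENC, "phase1.enc must be DES or 3DES"),
        (p1["auth"] in AUTH_ALGS, "phase1.auth must be MD5 or SHA1"),
        (p1["dh"] in DH_GROUPS, "phase1.dh must be DH1 or DH2"),
        (p2["protocol"] in ("ESP", "AH"), "phase2.protocol must be ESP or AH"),
        (p2["enc"] in PHASE2_ENC, "phase2.enc must be NULL, DES or 3DES"),
        (p2["auth"] in AUTH_ALGS, "phase2.auth must be MD5 or SHA1"),
        (p2["encap"] in ("Tunnel", "Transport"), "phase2.encap must be Tunnel or Transport"),
        (p2["pfs"] in DH_GROUPS | {"None"}, "phase2.pfs must be None, DH1 or DH2"),
    ]
    for label, phase in (("phase1", p1), ("phase2", p2)):
        checks.append((LIFETIME_MIN <= phase["lifetime"] <= LIFETIME_MAX,
                       f"{label}.lifetime must be {LIFETIME_MIN}-{LIFETIME_MAX} seconds"))
    return [msg for ok, msg in checks if not ok]


# Fields that must be identical on both ends; lifetimes are negotiated, so they are not compared.
MUST_MATCH = [("phase1", "mode"), ("phase1", "enc"), ("phase1", "auth"), ("phase1", "dh"),
              ("phase2", "protocol"), ("phase2", "enc"), ("phase2", "auth"),
              ("phase2", "encap"), ("phase2", "pfs")]


def compare_ends(local: dict, peer: dict) -> list[str]:
    """List the fields on which the two gateways disagree."""
    mismatches = []
    if stored_psk(local["psk"]) != stored_psk(peer["psk"]):
        mismatches.append("psk differs (the peer will answer PYLD_MALFORMED)")
    for phase, field in MUST_MATCH:
        if local[phase][field] != peer[phase][field]:
            mismatches.append(f"{phase}.{field}: local={local[phase][field]} peer={peer[phase][field]}")
    return mismatches


def check_gateway_modes(rules: list[tuple[str, str, str]]) -> list[str]:
    """Multiple SAs through the same secure gateway must use the same negotiation mode."""
    first_seen: dict[str, tuple[str, str]] = {}
    problems = []
    for name, gateway, mode in rules:
        if gateway in first_seen and first_seen[gateway][1] != mode:
            other, other_mode = first_seen[gateway]
            problems.append(f"{name} uses {mode} but {other} already uses {other_mode} via {gateway}")
        first_seen.setdefault(gateway, (name, mode))
    return problems


# Constructed sample: the Figure 180 defaults with a made-up pre-shared key.
LOCAL_SETTINGS = {
    "psk": "branch-office-key",
    "phase1": {"mode": "Main", "enc": "DES", "auth": "MD5", "lifetime": 28800, "dh": "DH1"},
    "phase2": {"protocol": "ESP", "enc": "DES", "auth": "SHA1", "lifetime": 28800,
               "encap": "Tunnel", "pfs": "None"},
}
# Constructed peer: same key with trailing spaces (harmless), but different phase 2 settings.
PEER_SETTINGS = copy.deepcopy(LOCAL_SETTINGS)
PEER_SETTINGS["psk"] = "branch-office-key   "
PEER_SETTINGS["phase2"]["enc"] = "3DES"
PEER_SETTINGS["phase2"]["pfs"] = "DH2"
# Constructed invalid entry: lifetime below 60 s and a pre-shared key that is too long.
BAD_SETTINGS = copy.deepcopy(LOCAL_SETTINGS)
BAD_SETTINGS["psk"] = "x" * 40
BAD_SETTINGS["phase1"]["lifetime"] = 30

if __name__ == "__main__":
    for line in compare_ends(LOCAL_SETTINGS, PEER_SETTINGS) + validate_ike(BAD_SETTINGS):
        print(line)
```

The trailing-space handling matters in practice: a key pasted with a space at the end still matches, because the menu truncates it, whereas a leading space does not.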
34.4.0.1 Active Protocol

This field is a combination of mode and security protocols used for the VPN. See the Web Configurator part on VPN for more information on these parameters.

Table 107 Active Protocol: Encapsulation and Security Protocol

MODE        SECURITY PROTOCOL
Tunnel      ESP
Transport   AH

34.4.0.2 Security Parameter Index (SPI)

To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 – IPSec Setup, press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 – Manual Setup.

Figure 181 Menu 27.1.1.2 Manual Setup

  Menu 27.1.1.2 – Manual Setup

    Active Protocol= ESP Tunnel

    ESP Setup
      SPI (Decimal)=
      Encryption Algorithm= DES
        Key1=
        Key2= N/A
        Key3= N/A
      Authentication Algorithm= MD5
        Key= N/A

    AH Setup
      SPI (Decimal)= N/A
      Authentication Algorithm= N/A
      Key=

  Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 108 Menu 27.1.1.2 Manual Setup

FIELD / DESCRIPTION

Active Protocol
  Press [SPACE BAR] to choose from ESP Tunnel, ESP Transport, AH Tunnel or AH Transport and then press [ENTER]. Choosing an ESP combination causes the AH Setup fields to be non-applicable (N/A).

ESP Setup
  The ESP Setup fields are N/A if you chose an AH Active Protocol.

SPI (Decimal)
  The SPI must be unique and from one to four integers (0 to 9).
Encryption Algorithm
  Press [SPACE BAR] to choose from NULL, 3DES or DES and then press [ENTER]. Fill in the Key1 field below when you choose DES and fill in fields Key1 to Key3 when you choose 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter any encryption keys.

Key1
  Enter a unique eight-character key. Any character may be used, including spaces, but trailing spaces are truncated. Fill in the Key1 field when you choose DES and fill in fields Key1 to Key3 when you choose 3DES.

Key2
  Enter a unique eight-character key. It can be comprised of any character including spaces (but trailing spaces are truncated).

Key3
  Enter a unique eight-character key. It can be comprised of any character including spaces (but trailing spaces are truncated).

Authentication Algorithm
  Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER].

Key
  Enter the authentication key to be used by IPSec if applicable. The key must be unique. Enter 16 characters for MD5 authentication and 20 characters for SHA-1 authentication. Any character may be used, including spaces, but trailing spaces are truncated.

AH Setup
  The AH Setup fields are N/A if you chose an ESP Active Protocol.

SPI (Decimal)
  The SPI must be from one to four unique decimal characters (0 to 9) long.

Authentication Algorithm
  Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER].

Key
  Enter the authentication key to be used by IPSec if applicable. The key must be unique. Enter 16 characters for MD5 authentication and 20 characters for SHA-1 authentication. Any character may be used, including spaces, but trailing spaces are truncated.

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
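Table 108 packs several length and applicability rules into a menu that gives little feedback when an entry is wrong: the SPI is one to four decimal digits, each DES key is exactly eight characters after trailing spaces are dropped, 3DES needs Key1 to Key3 and NULL needs none, the authentication key is 16 characters for MD5 or 20 for SHA-1, and the AH fields are N/A for an ESP protocol and vice versa. The Python below is an added example, not ZyXEL code; the dict layout and the sample entries (whose key values are placeholders) are assumptions made for this example. It validates one manual entry against those rules and, across a set of entries, checks that no SPI is reused.

```python
"""Added example, not ZyXEL code: validates one Menu 27.1.1.2 Manual Setup
entry against the field rules in Table 108 (SPI of one to four decimal
digits, eight-character DES keys, Key1 to Key3 for 3DES and none for NULL,
16-character MD5 and 20-character SHA-1 authentication keys, trailing spaces
truncated) and checks that SPIs stay unique across several manual rules.
The dict layout and the sample entries are assumptions made for this example."""
import re

SPI_RE = re.compile(r"^[0-9]{1,4}$")               # one to four decimal digits
ENC_KEYS = {"NULL": 0, "DES": 1, "3DES": 3}         # how many of Key1..Key3 the cipher needs
AUTH_KEY_LEN = {"MD5": 16, "SHA1": 20}
DES_KEY_LEN = 8
ACTIVE_PROTOCOLS = ("ESP Tunnel", "ESP Transport", "AH Tunnel", "AH Transport")


def stored(value) -> str:
    """The menu truncates trailing spaces before storing a key."""
    return (value or "").rstrip(" ")


def section_for(proto: str) -> str:
    return "esp" if proto.startswith("ESP") else "ah"


def validate_manual(entry: dict) -> list[str]:
    """Return the Table 108 rules that one manual entry breaks (empty list = OK)."""
    proto = entry.get("active_protocol")
    if proto not in ACTIVE_PROTOCOLS:
        return [f"Active Protocol must be one of {', '.join(ACTIVE_PROTOCOLS)}"]
    errors = []
    section = section_for(proto)
    other = "ah" if section == "esp" else "esp"
    if entry.get(other):
        errors.append(f"{other.upper()} Setup fields are N/A for {proto}; leave them empty")
    setup = entry.get(section, {})
    if not SPI_RE.match(str(setup.get("spi", ""))):
        errors.append("SPI (Decimal) must be one to four digits (0 to 9)")
    if section == "esp":
        enc = setup.get("encryption", "DES")
        if enc not in ENC_KEYS:
            errors.append("Encryption Algorithm must be NULL, DES or 3DES")
        else:
            needed = ENC_KEYS[enc]
            keys = [stored(setup.get(f"key{i}")) for i in (1, 2, 3)]
            for i, key in enumerate(keys, start=1):
                if i <= needed and len(key) != DES_KEY_LEN:
                    errors.append(f"Key{i} must be exactly {DES_KEY_LEN} characters for {enc}")
                elif i > needed and key:
                    errors.append(f"Key{i} is N/A for {enc}")
            if needed == 3 and len(set(keys)) != 3:
                errors.append("Key1 to Key3 must be unique")
    auth = setup.get("authentication", "MD5")
    if auth not in AUTH_KEY_LEN:
        errors.append("Authentication Algorithm must be MD5 or SHA1")
    elif len(stored(setup.get("auth_key"))) != AUTH_KEY_LEN[auth]:
        errors.append(f"authentication Key must be exactly {AUTH_KEY_LEN[auth]} characters for {auth}")
    return errors


def check_spi_uniqueness(entries: dict) -> list[str]:
    """Each manual SA needs its own SPI; report any value reused across entries."""
    owner: dict[str, str] = {}
    problems = []
    for name, entry in entries.items():
        spi = str(entry.get(section_for(entry["active_protocol"]), {}).get("spi", ""))
        if spi in owner:
            problems.append(f"{name} reuses SPI {spi} already used by {owner[spi]}")
        else:
            owner[spi] = name
    return problems


# Constructed sample entries (key values are placeholders, not real material).
GOOD_3DES = {"active_protocol": "ESP Tunnel",
             "esp": {"spi": "1001", "encryption": "3DES",
                     "key1": "k1k1k1k1", "key2": "k2k2k2k2", "key3": "k3k3k3k3",
                     "authentication": "SHA1", "auth_key": "20-char-sha1-key-xxx"}}
GOOD_DES = {"active_protocol": "ESP Transport",
            "esp": {"spi": "7", "encryption": "DES", "key1": "abcdefgh   ",   # trailing spaces dropped
                    "authentication": "MD5", "auth_key": "0123456789abcdef"}}
BAD_AH = {"active_protocol": "AH Transport",
          "esp": {"spi": "5"},                                   # ESP fields are N/A here
          "ah": {"spi": "70000", "authentication": "MD5", "auth_key": "short   "}}
SAMPLE_SET = {"good-3des": GOOD_3DES, "good-des": GOOD_DES,
              "dup-spi": {"active_protocol": "AH Tunnel",
                          "ah": {"spi": "7", "authentication": "SHA1",
                                 "auth_key": "20-char-sha1-key-yyy"}}}

if __name__ == "__main__":
    for name, entry in SAMPLE_SET.items():
        print(name, validate_manual(entry))
    print(validate_manual(BAD_AH))
    print(check_spi_uniqueness(SAMPLE_SET))
```

Because the menu silently truncates trailing spaces, the check measures the stored length rather than the typed one; a DES key typed as eight characters plus a space passes, while one typed as seven characters plus a space does not.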
Chapter 35 SA Monitor

This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2.

35.1 SA Monitor Overview

A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.

35.2 Using SA Monitor

1. Use the Refresh function to display active VPN connections.
2. Use the Disconnect function to cut off active connections.
3. Type 2 in Menu 27 - VPN/IPSec Setup, and then press [ENTER] to go to Menu 27.2 - SA Monitor.

Note: When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is idle and does not time out until the SA lifetime period expires. See the Web configurator part on keep alive to have the Prestige renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.
Figure 182 Menu 27.2 SA Monitor

  Menu 27.2 - SA Monitor

   #    Name                               Encap.     IPSec Algorithm
  ---   --------------------------------   ---------  ----------------
  001   Taiwan : 3.3.3.1 – 3.3.3.3.100     Tunnel     ESP DES MD5
  002
  003
  004
  005
  006
  007
  008
  009
  010

  Select Command= Refresh
  Select Connection= N/A

  Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 109 Menu 27.2 SA Monitor

FIELD / DESCRIPTION

#
  This is the security association index number.

Name
  This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure gateway IP address is 0.0.0.0 (as discussed in the last chapter), there may be different connections using this same VPN rule. In this case, the name is followed by the remote IP address as configured in Menu 27.1.1 – IPSec Setup. Individual connections using the same VPN rule may be terminated without affecting other connections using the same rule.

Encap.
  This field displays Tunnel mode or Transport mode. See previous for discussion.

IPSec Algorithm
  This field displays the security protocols used for an SA. ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets. Encryption methods include 56-bit DES and 168-bit 3DES. NULL denotes a tunnel without encryption. An incoming SA may have an AH in addition to ESP. The Authentication Header provides strong integrity and authentication by adding authentication information to IP packets. This authentication information is calculated using header and payload data in the IP packet. This provides an additional level of security. AH choices are MD5 (default - 128 bits) and SHA-1 (160 bits). Both AH and ESP increase Prestige processing requirements and communications latency (delay).
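The note in section 35.2 describes three different lifetimes for an entry in this monitor: an SA that sends but never receives is dropped after two minutes, an SA with no traffic at all stays until its SA Life Time runs out, and keep alive makes the Prestige renegotiate at expiry even when idle. The Python below is an added example, not ZyXEL code, that models those rules so the state of a monitored SA can be predicted from a few timestamps; the function, its arguments, the SNAPSHOT values and the simplification that an SA which carried any traffic renegotiates at expiry are assumptions made for this example.

```python
"""Added example, not ZyXEL code: a model of the SA Monitor timeout rules in
the note to section 35.2. An SA with outbound but no inbound traffic times
out after two minutes; an SA with no traffic in either direction is idle and
stays up until its SA Life Time expires; with keep alive the Prestige
renegotiates at expiry even with no traffic. The function, its arguments and
the "renegotiate when there was traffic" simplification are assumptions made
for this example; all times are seconds on the same clock."""
from typing import Optional

ONE_WAY_TIMEOUT = 120   # two minutes of outbound traffic with nothing coming back


def sa_status(now: float, established: float, lifetime: float,
              last_outbound: Optional[float], last_inbound: Optional[float],
              keep_alive: bool = False) -> str:
    """Classify one SA as 'active', 'timed out', 'renegotiate' or 'expired'."""
    if now < established:
        raise ValueError("SA cannot be observed before it was established")
    window_start = now - ONE_WAY_TIMEOUT
    sent_recently = last_outbound is not None and last_outbound >= window_start
    received_recently = last_inbound is not None and last_inbound >= window_start
    # Outbound-only traffic for a full two-minute window: the peer is not answering.
    if sent_recently and not received_recently and established <= window_start:
        return "timed out"
    if now - established < lifetime:
        return "active"        # idle or busy, the SA lives until its lifetime ends
    had_traffic = last_outbound is not None or last_inbound is not None
    if had_traffic or keep_alive:
        return "renegotiate"   # users are briefly disconnected while keys are refreshed
    return "expired"           # idle tunnel without keep alive simply goes away


def summarise(sas: dict) -> dict:
    """Apply sa_status to a name -> argument-dict mapping (constructed input)."""
    return {name: sa_status(**args) for name, args in sas.items()}


# Constructed snapshot of four SAs, all with the Figure 180 default 28800 s lifetime.
SNAPSHOT = {
    "no-reply": {"now": 300.0, "established": 0.0, "lifetime": 28800.0,
                 "last_outbound": 290.0, "last_inbound": None},
    "healthy":  {"now": 1000.0, "established": 0.0, "lifetime": 28800.0,
                 "last_outbound": 990.0, "last_inbound": 995.0},
    "idle-old": {"now": 30000.0, "established": 0.0, "lifetime": 28800.0,
                 "last_outbound": None, "last_inbound": None},
    "idle-ka":  {"now": 30000.0, "established": 0.0, "lifetime": 28800.0,
                 "last_outbound": None, "last_inbound": None, "keep_alive": True},
}

if __name__ == "__main__":
    for name, state in summarise(SNAPSHOT).items():
        print(f"{name:10s} {state}")
```

An SA younger than two minutes is never classed as timed out even if nothing has come back yet, which matches the note's wording that the timeout applies after two minutes of one-way traffic.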
Appendix A Troubleshooting

This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.

Table 110 Troubleshooting

PROBLEM / CORRECTIVE ACTION

None of the LEDs turn on when you turn on the Prestige.
  Make sure that you have the correct power adapter connected to the Prestige and plugged in to an appropriate power source. Check all cable connections. If the LEDs still do not turn on, you may have a hardware problem. In this case, you should contact your local vendor.

Cannot access the Prestige from the LAN.
  Check the cable connection between the Prestige and your computer or hub. Refer to the Rear Panel section for details. Ping the Prestige from a LAN computer. Make sure your computer Ethernet card is installed and functioning properly.

Cannot ping any computer on the LAN.
  If the 10/100M LAN LEDs are off, check the cable connections between the Prestige and your LAN computers. Verify that the IP address and subnet mask of the Prestige and the LAN computers are in the same IP address range.

Cannot get a WAN IP address from the ISP.
  The WAN IP is provided after the ISP verifies the MAC address, host name or user ID. Find out the verification method used by your ISP and configure the corresponding fields. If the ISP checks the WAN MAC address, you should clone the MAC address from a LAN computer. Click WAN and then the MAC tab, select Spoof this Computer's MAC address - IP Address and enter the IP address of the computer on the LAN whose MAC address you are cloning. If the ISP checks the host name, enter your computer’s name (refer to the Wizard Setup section in the User’s Guide) in the System Name field in the first screen of the WIZARD. If the ISP checks the user ID, click WAN and then the ISP tab. Check your service type, user name, and password.

Cannot access the Internet.
  Check the Prestige’s connection to the cable/DSL device. Check whether your cable/DSL device requires a crossover or straight-through cable. Click WAN to verify your settings.

Access to a restricted web page is not blocked.
  Make sure that the Enable Parental Control check box is selected in the Parental Control screen. Make sure that you select a category in the Parental Control screen to restrict access to web pages relevant to that category. For example, select the Gambling check box to prevent access to www.onlinegambling.com. Make sure that the Blocking Schedule configured in the Parental Control screen restricts access at the scheduled time.
Access to a web page with a URL containing a forbidden keyword is not blocked.
  Make sure that you select the Keyword Blocking check box in the Content Filtering screen. Make sure that the keywords that you type are listed in the Keyword List. If a keyword that is listed in the Keyword List is not blocked when it is found in a URL, customize the keyword blocking using commands. See the Customizing Keyword Blocking URL Checking section in the Content Filter chapter.

Parental Control is configured correctly, but I can still access restricted web pages.
  Restart the device to clear the cache. The content filter server may be unavailable. The View Logs screen can display content filtering log messages. See the Log Descriptions appendix for a list of possible log messages. In the View Logs screen copy and paste the log messages and e-mail them to customer support with an explanation of the problem. If you still have problems, contact your vendor or customer support for further advice.

35.3 Problems with the Password

Table 111 Troubleshooting the Password

PROBLEM / CORRECTIVE ACTION

Cannot access the Prestige.
  The password field is case sensitive. Make sure that you enter the correct password using the proper casing. Use the Reset button to restore the factory default configuration file. This will restore all of the factory defaults including the password; see Chapter 2 Introducing the Web Configurator for details.

35.4 Problems with Remote Management

Table 112 Troubleshooting Telnet

PROBLEM / CORRECTIVE ACTION

Cannot access the Prestige from the LAN or WAN.
  Refer to “Remote Management Limitations” in Chapter 16 Remote Management Screens for scenarios when remote management may not be possible. When NAT is enabled:
  • Use the Prestige’s WAN IP address when configuring from the WAN.
  • Use the Prestige’s LAN IP address when configuring from the LAN.