User Guide
Page 3
Contents Overview Contents Overview User's Guide ...13 Introduction ...15 The WPS Button ...21 ZyXEL NetUSB Share Center Utility ...23 Introducing the Web Configurator ...29 Monitor and Summary ...33 NBG5715 Modes ...39 Easy Mode ...41 Router Mode ...51 Tutorials ...57 Technical Reference ...65 WAN ...67 Wireless LAN ...75 LAN ...91 DHCP Server ...95 NAT ...99 Dynamic DNS ...109 Static Route ...111 Firewall ...115 IPSec VPN ...121 Bandwidth Management ...143 Remote Management ...149 Universal Plug-and-Play (UPnP) ...153 Maintenance ...159 Troubleshooting ...167 NBG5715 User's Guide 3
User Guide
Page 9
...What You Need To Know ...115 17.2 The Firewall General Screen ...117 17.3 The Firewall Services Screen ...117 Chapter 18 IPSec VPN...121 18.1 Overview ...121 18.2 What You Can Do in this Chapter 121 18.3 What You Need To Know ......122 18.3.1 IKE SA (IKE Phase 1) Overview 122 18.3.2 IPSec SA (IKE Phase 2) Overview 123 18.4 The General Screen ...123 18.5 Edit VPN Rule ...124 18.5.1 IKE Key Setup ...125 18... Screen ...144 19.5 Advance Screen ...144 19.5.1 Rule Configuration: User Defined Service Rule Configuration 146 NBG5715 User's Guide 9
User Guide
Page 37
... MAC address of computer(s) on your local network behind the remote IPSec router. Local Address This is the IP address of computer(s) on the remote network behind your network or computer with the NBG5715's WLAN network. Remote Address This is the static WAN IP address...Status DESCRIPTION This field displays whether the VPN connection is the index number of the remote IPSec router. Connection Name Remote Gateway This field displays the identification name for example, your NBG5715. This is the IP address of an associated wireless station. Association Time This field ...
User Guide
Page 54
... displays N/A when the line is disconnected. to go to the Monitor > WLAN_5G Station Status screen (Section 5.7 on the navigation panel to the NBG5715. Use this screen to the Monitor > Packet Statistics screen (Section 5.5 on page 37). Use this displays the port speed and duplex setting or... currently associated to the Monitor > VPN Monitor screen (Section 5.4 on page 34). to go to the NBG5715. Summary Packet Statistics WLAN_2.4G Station Status WLAN_5G Station Status IPSec VPN Status For the WLAN 2.4G/5G, it displays the maximum transmission rate when the WLAN 2.4G/5G...
User Guide
Page 56
IPSec VPN General Use this screen to activate/deactivate the firewall. Remote MGMT WWW Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the NBG5715. MAINTENANCE General General Use this screen to set the upstream bandwidth...This screen allows you to select the language you to edit/add a firewall rule. Services This screen shows a summary of your NBG5715. Use this screen to change administrative settings such as system and domain names. Port Forwarding Use this screen to configure IP static ...
User Guide
Page 121
... integrity and authentication at the IP layer. The following figure provides one perspective of a VPN tunnel. NBG5715 User's Guide 121 Figure 76 IPSec VPN: Overview VPN Tunnel X Y The VPN tunnel connects the NBG5715 (X) and the remote IPSec router (Y). IPSec is a combination of tunneling, encryption, authentication, access control and auditing. These routers then connect the local...
User Guide
Page 122
...mode determines the number of this . Main mode is normally transmitted in the networks. You can send data between the NBG5715 and remote IPSec router. Sometimes, your NBG5715 might also offer another alternative, such as using the IKE SA that routers X and Y established first. 18.3.1 IKE... SA (IKE Phase 1) Overview The IKE SA provides a secure connection between the NBG5715 and remote IPSec router. Chapter 18 IPSec VPN 18.3 What You Need To Know A VPN tunnel is exchanging data with a computer in network B. Each phase establishes ...
User Guide
Page 123
... access attempts (to the local network, the Internet or even the NBG5715) to display the Summary screen. In this case, you can still set a VPN rule's local and remote network settings both to the remote IPSec router and may be called the remote policy. Edit a VPN rule...only the remote IPSec router can initiate an IKE SA. 18.3.2 IPSec SA (IKE Phase 2) Overview Once the NBG5715 and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to the NBG5715 and may be static. Click Security > IPSec VPN to the remote IPSec router. Sometimes, ...
User Guide
Page 124
... algorithm and authentication algorithm used for an SA. Click Cancel to begin configuring this check box to edit the VPN policy. 124 NBG5715 User's Guide This field displays whether the VPN policy is the VPN policy index number. This displays the beginning and ending (static...VPN rule. Click the Edit icon to go to the NBG5715. Algorithm Gateway Modify This field displays 0.0.0.0 when the Secure Gateway Address field displays 0.0.0.0. Encap. Click Apply to save your NBG5715. Chapter 18 IPSec VPN Figure 79 Security > IPSec VPN > General The following table describes the fields in...
User Guide
Page 125
Figure 80 Security > IPSec VPN > General > Edit: IKE NBG5715 User's Guide 125 Chapter 18 IPSec VPN Note: The NBG5715 uses the system default gateway interface's WAN IP address as its WAN IP address to set up a VPN tunnel. 18.5.1 IKE Key Setup IKE provides more protection so it is generally recommended. You only configure VPN manual key when you select IKE in the IPSec Keying Mode field on the IPSec VPN > General > Edit screen.
User Guide
Page 126
... addresses in this additional DNS server to set the NAT router to forward UDP ports 500 and 4500 to enable NAT traversal. The NBG5715 assigns this IPSec rule's range of the local IP addresses cannot overlap between the same local and remote IP addresses, as long as the local IP... End /Mask To specify IP addresses on the LAN behind your NBG5715. The remote IPSec router must also have NAT traversal enabled. Chapter 18 IPSec VPN The following table describes the labels in this check box to have the NBG5715 automatically reinitiate the SA after the SA lifetime times out, even ...
User Guide
Page 127
...(es) both . Remote Address Start Two active SAs cannot have the NBG5715 use that you leave this NBG5715 by its current WAN IP address (static or dynamic) in a range of computers on the network behind the remote IPSec router. For a single IP address, enter a (static) IP address...for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. NBG5715 User's Guide 127 The NBG5715 uses its IP address. Select Domain Name to the remote IPSec router's configured local IP addresses. Select IP to 0.0.0.0. When the remote IP address is a ...
User Guide
Page 128
... with the Secure Gateway Address field set to IKE). Select Domain Name to identify the remote IPSec router by an e-mail address. 128 NBG5715 User's Guide Type the WAN IP address or the domain name (up to 31 ASCII characters including spaces, although trailing spaces are updated ... remote secure gateway has a dynamic WAN IP address and is a NAT router between rules. Select IP to identify the remote IPSec router by which you're making the VPN connection. Set this NBG5715 in the Local ID Type field, type a domain name or e-mail address by its IP address. The...
User Guide
Page 129
... must use to generate and verify a message authentication code. a 168-bit key with the DES encryption algorithm Authentication Algorithm SA Life Time The NBG5715 and the remote IPSec router must precede a hexadecimal key with which to use the same pre-shared key. Longer keys require more processing power, resulting in this field...
User Guide
Page 130
a 168-bit key with the DES encryption algorithm Authentication Algorithm SA Life Time The NBG5715 and the remote IPSec router must use the same algorithms and key, which can be used to encrypt and decrypt the message or to update the encryption ... and verify a message authentication code. The SPI (Security Parameter Index) along with the DES encryption algorithm 3DES - Select the security protocols used to the NBG5715. Encryption Algorithm If you select ESP here, you have problems with the SPI to use to Diffie-Hellman Group 1 a 768 bit random number. The SPI...
User Guide
Page 131
... using manual keys, the NBG5715 and remote IPSec router do this as a regular IPSec SA. As a result, an IPSec SA using manual keys has some characteristics of IKE SA and some differences between IPSec SA using manual keys and other types of IPSec SA. NBG5715 User's Guide 131 Chapter 18 IPSec VPN Current ZyXEL implementation assumes identical outgoing and...
User Guide
Page 132
...the labels in this screen. A DNS server allows clients on the VPN to the NBG5715's DHCP clients that services the VPN, type its IP address here. If there is a useful option for IPSec VPN) DESCRIPTION Select Enable to activate this additional DNS server to find other computers and... servers on the VPN by their (private) domain names. 132 NBG5715 User's Guide Manual is a private DNS server that have problems using...
User Guide
Page 133
.... For a single IP address, enter a (static) IP address on the network behind your NBG5715. When the local IP address is active at any time. In this case only the remote IPSec router can have more than one is a single address, type it a second time here. When...on a network by their subnet mask, enter a (static) IP address on your NBG5715. Authentication Method NBG5715 User's Guide 133 For a single IP address, enter a (static) IP address on the LAN behind the remote IPSec router. Two active SAs can initiate the VPN. For a specific range of IP ...
User Guide
Page 134
...dynamic WAN IP address and is applicable when you're making the VPN connection. Chapter 18 IPSec VPN Table 56 Security > IPSec VPN > General > Edit: Manual (continued) LABEL My IP Address DESCRIPTION Enter the NBG5715's static WAN IP address (if it is generally considered stronger than one to be a ...delay until the DDNS servers are truncated. If the WAN connection goes down list box. 134 NBG5715 User's Guide Otherwise, you can also enter a remote secure gateway's domain name in the IPSec Protocol field above. Type the WAN IP address or the domain name (up the VPN tunnel...
User Guide
Page 135
...Connection Name This field displays the identification name for an SA. NBG5715 User's Guide 135 Refresh Click Refresh to save your previous settings. 18.6 The SA Monitor Screen In the Web Configurator, click Security > IPSec VPN > SA Monitor. Both AH and ESP increase processing requirements... the static WAN IP address or URL of computer(s) on the remote network behind your NBG5715. Remote Gateway This is the group of computer(s) on your local network behind the remote IPSec router. Table 57 Security > VPN > SA Monitor LABEL DESCRIPTION Status This field displays...