User Guide
Page 9
Contents Overview Contents Overview Introduction ...33 Introducing the ZyXEL Device 35 Introducing the Web Configurator 43 Wizard ...51 Internet and Wireless Setup Wizard 53 VoIP Wizard And Example ...65 Advanced ...71 Status Screens ...... ...83 LAN Setup ...89 Wireless LAN ...101 Network Address Translation (NAT) Screens 117 Voice ...129 Firewalls ...155 Content Filtering ...175 Introduction to IPSec ...179 VPN Screens ...185 Certificates ...211 Static Route ...235 Quality of Service (QoS) ...239 Dynamic DNS Setup ...251 Remote Management Configuration 255 Universal Plug-and-Play (UPnP...
User Guide
Page 15
...("L" models only 152 Chapter 11 Firewalls...155 11.1 Firewall Overview ...155 11.1.1 Stateful Inspection Firewall 155 11.1.2 About the ZyXEL Device Firewall 155 11.1.3 Guidelines For Enhancing Security With Your Firewall 156 11.2 General Firewall Policy Overview 156 11.3 Security ...Schedule 176 12.4 Configuring Trusted Computers 177 Chapter 13 Introduction to IPSec...179 13.1 VPN Overview ...179 13.1.1 IPSec ...179 13.1.2 Security Association 179 13.1.3 Other Terminology 179 13.1.4 VPN Applications 180 13.2 IPSec Architecture ...180 13.2.1 IPSec Algorithms ...181 13.2.2 Key ...
User Guide
Page 16
... Security Payload) Protocol 185 14.3 My IP Address ...186 14.4 Secure Gateway Address 186 14.4.1 Dynamic Secure Gateway Address 187 14.5 VPN Setup Screen ...187 14.6 Keep Alive ...189 14.7 VPN, NAT, and NAT Traversal 189 14.8 Remote DNS Server ...190 14.9 ID Type and Content ...191 14.9.1 ID Type and Content... Examples 192 14.10 Pre-Shared Key ...193 14.11 Editing VPN Policies ...193 14.12 IKE Phases ...198 14.12.1 Negotiation Mode 199 14.12.2 Diffie-Hellman (DH) Key Groups 199 14.12.3 Perfect Forward Secrecy...
User Guide
Page 23
...Mode IPSec Encapsulation 182 Figure 106 IPSec Summary Fields ...187 Figure 107 VPN Setup ...188 Figure 108 NAT Router Between IPSec Routers 190 Figure 109 VPN Host using Intranet DNS Server Example 191 Figure 110 VPN Setup: Edit ...194 Figure 111 Two Phases to Set Up the ...IPSec SA 198 Figure 112 Advanced VPN IKE ...200 Figure 113 VPN Setup: Manual Key ...203 Figure 114 VPN: SA Monitor ...206 Figure 115 VPN: Global Setting ...207 Figure 116 Telecommuters Sharing One VPN Rule Example 208 Figure 117 Telecommuters Using Unique VPN Rules Example 209 Figure 118 Certificate Configuration...
User Guide
Page 28
... ...176 Table 67 Content Filter: Schedule ...177 Table 68 Content Filter: Trusted ...177 Table 69 VPN and NAT ...183 Table 70 AH and ESP ...186 Table 71 VPN Setup ...188 Table 72 VPN and NAT ...190 Table 73 Local ID Type and Content Fields 192 Table 74 Peer ID Type and...ID Type and Content Configuration Example 192 Table 76 Mismatching ID Type and Content Configuration Example 193 Table 77 VPN Setup; Edit ...194 Table 78 Advanced VPN IKE ...200 Table 79 VPN Setup: Manual Key ...203 Table 80 VPN: SA Monitor ...206 Table 81 VPN: Global Setting ...207 28 P-2802H(W)(L)-I Series User's Guide
User Guide
Page 29
List of Tables Table 82 Telecommuters Sharing One VPN Rule Example 208 Table 83 Telecommuters Using Unique VPN Rules Example 209 Table 84 My Certificates ...213 Table 85 My Certificate Import ...215 Table 86 My Certificate Create ...216 Table 87 My Certificate Details ......
User Guide
Page 35
It also introduces the ways you can manage the ZyXEL Device. 1.1 Overview The P-2802HW(L) series are Integrated Access Devices (IADs) that combine a VDSL2 router with Voice over short cable lengths)) The P-2802HW(L) ... manage traffic on your network. Table 2 Models Covered P-2802HWL-I1 P-2802HW-I1 P-2802H-I1 P-2802HWL-I3 P-2802HW-I3 P-2802H-I3 Not all models include all data passing between VDSL1 and VDSL2. The "H" models also include Virtual Private Network (VPN) capability. CHAPTER 1 Introducing the ZyXEL Device This chapter introduces the main applications and features of ...
User Guide
Page 48
...the firewall rules, and allows you to use HTTP to manage the ZyXEL Device. Content Filter Keyword Use this screen to block access to web sites containing certain keywords in specific directions. VPN Global Setting Use this screen to allow NetBIOS traffic through which interface(s)... to edit/ add a firewall rule. DNS Use this screen to configure through VPN tunnels. Trusted Use this screen to generate and export self-signed certificates or certification requests and import the ZyXEL Device's CA-signed certificates. Certificates My Certificates Use this screen to exclude a...
User Guide
Page 71
PART III Advanced Status Screens (73) WAN Setup (83) LAN Setup (89) Wireless LAN (101) Network Address Translation (NAT) Screens (117) Voice (129) Firewalls (155) Content Filtering (175) Introduction to IPSec (179) VPN Screens (185) Certificates (211) Static Route (235) Quality of Service (QoS) (239) Dynamic DNS Setup (251) Remote Management Configuration (255) Universal Plug-and-Play (UPnP) (271) 71
User Guide
Page 75
...trigger a call) and Drop (dropping a call) if you're using PPPoE encapsulation. If memory usage does get close to view the ZyXEL Device's current VPN connections. For the DSL interface, this in Maintenance > System > Time Setting. Summary Client List Click this link to display the MAC... address(es) of the ZyXEL Device's processing ability is currently used. WLAN Status Click this link to view current DHCP client information....
User Guide
Page 179
...operation, which leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption: it is a standards-based VPN that offers flexible solutions for communication. 13.1.1 IPSec Internet Protocol Security (IPSec) is a mathematical operation that transforms "ciphertext" to...the expense of leased site-to-site lines. CHAPTER 13 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 13.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between two parties indicating what security parameters, such as keys and algorithms ...
User Guide
Page 180
... Origin Authentication The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service. 13.1.4 VPN Applications The ZyXEL Device supports the following VPN applications. • Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings...13.2 IPSec Architecture The overall IPSec architecture is enabled, remote users are not able to access hosts on the LAN. • Unsupported IP Applications A VPN tunnel may be able to access all computers that specific protocol.
User Guide
Page 181
... 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). Figure 104 IPSec Architecture Chapter 13 Introduction to set up a VPN. 13.3 Encapsulation The two modes of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms. The Authentication Algorithms, HMAC-MD5 (RFC 2403... protocols. Please see Section 14.2 on page 185 for more information. 13.2.2 Key Management Key management allows you to determine whether to use of operation for IPSec VPNs are Transport mode and Tunnel mode.
User Guide
Page 182
... IP tunnel with a hash value appended to gateway communications. Tunnel mode is required for gateway to gateway and host to the packet. An IPSec VPN using AH protocol, packet contents (the data payload) are not encrypted. 182 P-2802H(W)(L)-I Series User's Guide Therefore, the originating IP address cannot...data in the IP packet. With the use of portions of the final system behind the ZyXEL Device. The IP header information and options are running IPSec on a host computer behind the VPN gateway. This is incompatible with the AH protocol in both data payload and headers, with ...
User Guide
Page 183
...) are signed with a hash value appended to the packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the "original header plus original payload," which is unchanged by computing its own... hash value, and complain that the data has been maliciously altered. The encrypted contents, but not the new headers, are encrypted. Table 69 VPN and NAT SECURITY PROTOCOL MODE NAT AH Transport N AH Tunnel N ESP Transport N ESP Tunnel Y P-2802H(W)(L)-I Series User's Guide 183 Chapter 13 ...
User Guide
Page 185
...during the authentication process. The primary function of key management is not required or not sanctioned by concealing the size of an IPSec VPN. P-2802H(W)(L)-I Series User's Guide 185 In applications where confidentiality is to create a Security Association (SA), the foundation of the ...SA between systems. Once the SA is sufficient if only the upper layer protocols need to ensure integrity. CHAPTER 14 VPN Screens This chapter introduces the VPN screens. However, ESP is established, the transport of data may commence. 14.2.1 AH (Authentication Header) Protocol AH protocol...
User Guide
Page 186
...secret) key. The following applies if this field is configured as 0.0.0.0: • The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to 128-bit blocks of data. Chapter 14 VPN Screens Table 70 AH and ESP ESP AH ENCRYPTION AUTHENTICATION DES (default) Data Encryption ...address or domain name of DES. SHA1 SHA1 (Secure Hash Algorithm) produces a 160-bit digest to rebuild the VPN tunnel if My IP Address changes after setup. The ZyXEL Device has to authenticate packet data. See Chapter 6 on dial backup and traffic redirect. 14.4 Secure Gateway Address...
User Guide
Page 187
The ZyXEL Device has to rebuild the VPN tunnel each time the remote secure gateway's WAN IP address changes (there may ...gateway has a dynamic WAN IP address and is using IKE key management and not Manual key management. 14.5 VPN Setup Screen The following figure helps explain the main fields in the web configurator. Figure 106 IPSec Summary Fields ...an index number and then configuring its associated submenus. You may be useful for telecommuters initiating a VPN tunnel to open the VPN Setup screen. This is read-only. P-2802H(W)(L)-I Series User's Guide 187 The Secure Gateway IP...
User Guide
Page 188
... is displayed twice when the Local Address Type field in the VPN Setup - The beginning and ending (static) IP addresses, in a range of computer(s) on your local network behind your ZyXEL Device. Local Address This is the VPN policy index number. This is the IP address(es) of ...computers are displayed when the Local Address Type field in the VPN Setup - Table 71 VPN Setup LABEL DESCRIPTION No. Edit screen is configured to...
User Guide
Page 189
...delay). Secure Gateway IP This is the static WAN IP address or URL of computers are displayed when the Remote Address Type field in the VPN Setup - If the ZyXEL Device has its maximum number of computer(s) on the remote network behind the remote IPSec router. An IPSec...the Secure Gateway Address field in a range of the remote IPSec router. Cancel Click this return your changes and apply them to the ZyXEL Device. As a result, the VPN device at the receiving end finds a mismatch between the IPSec endpoints rewrites the source or destination address. In this to save your ...