User Guide
Page 9
Contents Overview Introduction ...33 Introducing the ZyXEL Device 35 Introducing the Web Configurator 43 Wizard ...51 Internet and Wireless Setup Wizard 53 VoIP Wizard And Example ...65 Advanced ...71 Status Screens ...... ...83 LAN Setup ...89 Wireless LAN ...101 Network Address Translation (NAT) Screens 117 Voice ...129 Firewalls ...155 Content Filtering ...175 Introduction to IPSec ...179 VPN Screens ...185 Certificates ...211 Static Route ...235 Quality of Service (QoS) ...239 Dynamic DNS Setup ...251 Remote Management Configuration 255 Universal Plug-and-Play (UPnP...
User Guide
Page 15
...("L" models only 152 Chapter 11 Firewalls...155 11.1 Firewall Overview ...155 11.1.1 Stateful Inspection Firewall 155 11.1.2 About the ZyXEL Device Firewall 155 11.1.3 Guidelines For Enhancing Security With Your Firewall 156 11.2 General Firewall Policy Overview 156 11.3 Security ...Schedule 176 12.4 Configuring Trusted Computers 177 Chapter 13 Introduction to IPSec...179 13.1 VPN Overview ...179 13.1.1 IPSec ...179 13.1.2 Security Association 179 13.1.3 Other Terminology 179 13.1.4 VPN Applications 180 13.2 IPSec Architecture ...180 13.2.1 IPSec Algorithms ...181 13.2.2 Key ...
User Guide
Page 16
... Security Payload) Protocol 185 14.3 My IP Address ...186 14.4 Secure Gateway Address 186 14.4.1 Dynamic Secure Gateway Address 187 14.5 VPN Setup Screen ...187 14.6 Keep Alive ...189 14.7 VPN, NAT, and NAT Traversal 189 14.8 Remote DNS Server ...190 14.9 ID Type and Content ...191 14.9.1 ID Type and Content... Examples 192 14.10 Pre-Shared Key ...193 14.11 Editing VPN Policies ...193 14.12 IKE Phases ...198 14.12.1 Negotiation Mode 199 14.12.2 Diffie-Hellman (DH) Key Groups 199 14.12.3 Perfect Forward Secrecy...
User Guide
Page 23
...Mode IPSec Encapsulation 182 Figure 106 IPSec Summary Fields ...187 Figure 107 VPN Setup ...188 Figure 108 NAT Router Between IPSec Routers 190 Figure 109 VPN Host using Intranet DNS Server Example 191 Figure 110 VPN Setup: Edit ...194 Figure 111 Two Phases to Set Up the ...IPSec SA 198 Figure 112 Advanced VPN IKE ...200 Figure 113 VPN Setup: Manual Key ...203 Figure 114 VPN: SA Monitor ...206 Figure 115 VPN: Global Setting ...207 Figure 116 Telecommuters Sharing One VPN Rule Example 208 Figure 117 Telecommuters Using Unique VPN Rules Example 209 Figure 118 Certificate Configuration...
User Guide
Page 28
... ...176 Table 67 Content Filter: Schedule ...177 Table 68 Content Filter: Trusted ...177 Table 69 VPN and NAT ...183 Table 70 AH and ESP ...186 Table 71 VPN Setup ...188 Table 72 VPN and NAT ...190 Table 73 Local ID Type and Content Fields 192 Table 74 Peer ID Type and...ID Type and Content Configuration Example 192 Table 76 Mismatching ID Type and Content Configuration Example 193 Table 77 VPN Setup; Edit ...194 Table 78 Advanced VPN IKE ...200 Table 79 VPN Setup: Manual Key ...203 Table 80 VPN: SA Monitor ...206 Table 81 VPN: Global Setting ...207 28 P-2802H(W)(L)-I Series User's Guide
User Guide
Page 29
List of Tables Table 82 Telecommuters Sharing One VPN Rule Example 208 Table 83 Telecommuters Using Unique VPN Rules Example 209 Table 84 My Certificates ...213 Table 85 My Certificate Import ...215 Table 86 My Certificate Create ...216 Table 87 My Certificate Details ......
User Guide
Page 35
...• "H" denotes an integrated 4-port hub (switch). The "H" models also include Virtual Private Network (VPN) capability. It also introduces the ways you can manage the ZyXEL Device. 1.1 Overview The P-2802HW(L) series are Integrated Access Devices (IADs) that combine a VDSL2 router ... the second generation of the ZyXEL Device. You can configure firewall and/or content filtering for all features. Please refer to the following models. Table 2 Models Covered P-2802HWL-I1 P-2802HW-I1 P-2802H-I1 P-2802HWL-I3 P-2802HW-I3 P-2802H-I3 Not all models include all ...
User Guide
Page 48
... traffic through which interface(s) and from which IP address(es) users can use HTTP to manage the ZyXEL Device. Remote MGMT WWW Use this screen to configure through VPN tunnels. DNS Use this screen to configure through which interface(s) and from which IP address(es) users... a static hostname alias for determining when to drop sessions that contain lists of each VPN tunnel. Telnet Use this screen to configure your ZyXEL Device's settings for your device to the ZyXEL Device. Trusted Remote Use this screen to save CA certificates to perform content filtering. ICMP...
User Guide
Page 71
PART III Advanced Status Screens (73) WAN Setup (83) LAN Setup (89) Wireless LAN (101) Network Address Translation (NAT) Screens (117) Voice (129) Firewalls (155) Content Filtering (175) Introduction to IPSec (179) VPN Screens (185) Certificates (211) Static Route (235) Quality of Service (QoS) (239) Dynamic DNS Setup (251) Remote Management Configuration (255) Universal Plug-and-Play (UPnP) (271) 71
User Guide
Page 75
...this percentage is close to view the ZyXEL Device's current VPN connections. See Section 7.6 on page 77. VPN Status Click this field displays Up when the ZyXEL Device is using the interface and Down when the ZyXEL Device is not using the interface. The ZyXEL Device starts up . System Mode This ...displays whether the ZyXEL Device is disabled. For the LAN interface,...
User Guide
Page 179
...using a "key". Decryption also requires a key. CHAPTER 13 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 13.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between two parties indicating what security parameters, such as keys and algorithms they will...is a contract between sites without the expense of leased site-to-site lines. A secure VPN is a combination of encryption: it is a mathematical operation that offers flexible solutions for communication. 13.1.1 IPSec Internet Protocol Security (...
User Guide
Page 180
... The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service. 13.1.4 VPN Applications The ZyXEL Device supports the following VPN applications. • Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with ...Is Enabled When NAT is enabled, remote users are not able to access hosts on the LAN. • Unsupported IP Applications A VPN tunnel may be able to access all computers that the data has not been altered during transmission. 13.1.3.4 Data Origin Authentication The IPSec...
User Guide
Page 181
The Encryption Algorithm describes the use IKE (ISAKMP) or manual key configuration in order to set up a VPN. 13.3 Encapsulation The two modes of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms. The Authentication Algorithms, HMAC... see Section 14.2 on page 185 for more information. 13.2.2 Key Management Key management allows you to determine whether to use of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 104 IPSec Architecture 13.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload)...
User Guide
Page 182
...This is incompatible with authentication and encryption. NAT is the most common mode of the final system behind the ZyXEL Device. Tunnel mode is applied only to the upper layer protocols contained in the hashing process. 13.3.2 Tunnel Mode Tunnel mode encapsulates the ...appears after the original IP header and options, but before the inside IP header contains the destination IP address of operation. An IPSec VPN using AH protocol, packet contents (the data payload) are not used to protect upper layer protocols and only affects the data in ...
User Guide
Page 183
...plus original payload," which is unchanged by computing its own hash value, and complain that the data has been maliciously altered.
Table 69 VPN and NAT
SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   N
ESP                 Tunnel      Y
... The new IP packet's source address is the outbound address of the sending VPN gateway, and its own choosing. Tunnel mode ESP with authentication is compatible with NAT because integrity checks are signed with authentication, the packet...
User Guide
Page 185
... information on viewing logs and the appendix for IPSec log descriptions. 14.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections. 14.2 IPSec Algorithms The ESP and AH protocols are limited compared ...Header) Protocol AH protocol (RFC 2402) was designed. ESP authenticating properties are necessary to ensure integrity. CHAPTER 14 VPN Screens This chapter introduces the VPN screens. This type of implementation does not protect the information from the authentication provided by AH. In applications where ...
User Guide
Page 186
... of the remote IPSec router (secure gateway). The ZyXEL Device has to authenticate packet data. SHA1 SHA1 (Secure Hash Algorithm) produces a 160-bit digest to rebuild the VPN tunnel if My IP Address changes after setup. AES is a newer method of data ... is configured as 0.0.0.0: • The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel. • If the WAN connection goes down, the ZyXEL Device uses the dial backup IP address for the VPN tunnel when using dial backup or the...
User Guide
Page 187
... Manual key management. 14.5 VPN Setup Screen The following figure helps explain the main ... Click Security > VPN to rebuild the VPN tunnel each time the remote secure gateway's WAN... enter 0.0.0.0 as 0.0.0.0 only when using DDNS. Edit a VPN by selecting an index number and then configuring its associated submenus... it in the Secure Gateway Address field. If the remote secure gateway has a static WAN... Gateway IP Address may be useful for telecommuters initiating a VPN tunnel to the company network (see Section 14.18 on page...
User Guide
Page 188
... not active. A Yes signifies that this VPN policy is the IP address(es) of computers are displayed when the Local Address Type field in a range of computer(s) on your local network behind your ZyXEL Device. No signifies that this VPN policy is displayed twice when the Local Address... Type field in this VPN policy. Figure 107 VPN Setup The following table describes the fields in the...
User Guide
Page 189
... there is outbound traffic with the AH protocol in the VPNIKE screen to the ZyXEL Device because the ZyXEL Device never drops the tunnels that the data has been maliciously altered. As a result, the VPN device at the receiving end finds a mismatch between the IPSec endpoints rewrites the ... used for this case only the remote IPSec router can take a turn connecting to 0.0.0.0. If the ZyXEL Device has its maximum number of computers are already connected. An IPSec VPN using the AH protocol digitally signs the outbound packet, both transport and tunnel mode. Modify Click the ...