User Guide
Page 9
Contents Overview Contents Overview User's Guide ...19 Introduction ...21 Introducing the Web Configurator 29 Tutorials ...37 Technical Reference ...79 Connection Status and System Info Screens 81 Broadband ...87 Wireless ...111 Home Networking ...141 Routing ...169 ...DNS Route ...173 Quality of Service (QoS) ...177 Network Address Translation (NAT 189 Dynamic DNS ...197 Firewall ...199 MAC Filter ...205 Certificates ...207 VPN ...217 System Monitor ...241 User Account ...245 Remote MGMT ...247 System ...249 Time Setting ...251 Log Setting ...253 Firmware Upgrade ...255 Backup/Restore ...257...
User Guide
Page 15
... Certificate ...216 Chapter 16 VPN...217 16.1 Overview ...217 16.1.1 What You Can Do in the VPN Screens 217 16.1.2 What You Need to Know About IPSec VPN 218 16.1.3 Before You Begin 219 16.2 VPN Setup Screen ...220 16.3 The VPN Edit Screen ...222 16.4 Configuring Advanced Settings 226 16.5 Viewing... SA Monitor ...228 16.6 IPSec VPN Technical Reference 229 16.6.1 IPSec...
User Guide
Page 34
...will show you the active tunnel's status System Monitor 34 P-661HNU-Fx User's Guide VPN Setup Use this screen to save CA certificates to the ZyXEL Device. Printer Server Use this screen to configure QoS queue assignment. Queue Setup Use this screen to enable or disable sharing of ... and set the default action to take on the ZyXEL Device. DNS Route DNS Route Use this screen to view and configure DNS routes. Sessions Use this screen to limit the number of a USB printer via the ZyXEL Device. VPN Certificates Use this screen to 4 certificates can establish....
User Guide
Page 215
...Table 55 Security > Certificates > VPN Certificates LABEL DESCRIPTION Import Certificate Click this screen to... It is about to expire or has already expired. P-661HNU-Fx User's Guide 215 message if the certificate is recommended that you trust to the ZyXEL Device. Subject This field displays...) and Country (C). Issuer The certification authority Valid From This field displays the date that one or more features is configured to use.). Chapter 15 Certificates 15.3 VPN Certificates To access this screen, click on the Download icon to download a certificate to your computer.
User Guide
Page 217
... secure data communications across a public network like the Internet. Figure 94 VPN: Example VPN Tunnel X Y 16.1.1 What You Can Do in the VPN Screens • Use the Setup screen (Section 16.2 on page 220) to view the configured VPN policies and add, edit or remove a VPN policy. • Use the Monitor screen (Section 16.5 on page...
User Guide
Page 218
... this field is usually established in the networks. The ZyXEL Device has to Know About IPSec VPN A VPN tunnel is configured as 0.0.0.0: • The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to securely establish an IPSec SA through which the ZyXEL Device and remote IPSec router can send data between the...
User Guide
Page 219
...ZyXEL Device has to rebuild the VPN tunnel each time the remote secure gateway's WAN IP address changes (there may be useful for telecommuters initiating a VPN tunnel to the company network (see Section 16.6.11 on IPSec VPN. 16.1.3 Before You Begin If a VPN tunnel uses Telnet, FTP, WWW, then you should configure... remote management (Remote MGMT) to allow access for configuration examples). P-661HNU-Fx User's Guide 219 This may be configured as the secure gateway's...
User Guide
Page 220
...VPN 16.2 VPN Setup Screen The following table describes the fields in the web configurator. Click Security > VPN to edit VPN policies. This is read-only. Table 57 Security > VPN > Setup LABEL DESCRIPTION Add New Tunnel Click this button to set up VPN policies for this VPN policy is the VPN.... Click a number to open the VPN Setup screen. Edit a VPN by the ZyXEL Device. 220 P-661HNU-Fx User's Guide No signifies that this VPN policy. Figure 97 Security > VPN > Setup The following figure helps explain the main fields in this VPN policy is active or not. A ...
User Guide
Page 221
... Click the Edit icon to go to remove an existing VPN configuration. Click this to save your settings to the ZyXEL Device. P-661HNU-Fx User's Guide 221 Both AH and ESP increase ZyXEL Device processing requirements and communications latency (delay). Chapter 16 VPN Table 57 Security > VPN > Setup (continued) LABEL DESCRIPTION Remote Address This field will...
User Guide
Page 223
... Address Start End / Subnet Mask Remote Two active SAs cannot have the same negotiation mode. When the Remote Address Type field is configured to Single, this VPN policy. Mode Select net-net or Roadwarrior from the drop-down menu to choose Single, or Subnet. Use the drop-down menu ...an IP Address on the network behind your ZyXEL Device. When the Remote Address Type field is active at any time. Chapter 16 VPN Table 58 Security > VPN > Setup > Edit LABEL DESCRIPTION Tunnel Name Type up to 32 characters to identify this field is configured to Subnet, enter the subnet of the ...
User Guide
Page 224
... router by its IP address. Use up to 31 characters) of this information you configure the local Content field to identify this ZyXEL Device by an e-mail address. The domain name or e-mail address is a NAT router between VPN connection requests that you type an IP address other than 0.0.0.0 in the local Content...
User Guide
Page 225
Chapter 16 VPN Table 58 Security > VPN > Setup > Edit LABEL DESCRIPTION Content The configuration of the computer with which you will make the VPN connection. For IP, type the IP address of the peer content depends on both ends. Click the button to the ZyXEL Device. Click Apply ...use the DNS or E-mail ID type in your IKE key management. You can create, import and configure certificates in "0x0123456789ABCDEF", "0x" denotes that you want the ZyXEL Device to identify the remote IPSec router. If you want to 62 hexadecimal ("0-9", "A-F") characters. Security ...
User Guide
Page 226
... Table 59 Security > VPN > Setup > Edit > Advanced Setup LABEL DESCRIPTION Advanced Setup Phase 1 Encryption Algorithm Select 3DES, AES128 or AES256 from the drop-down list box. The DES encryption algorithm uses a 56-bit key. Chapter 16 VPN 16.4 Configuring Advanced Settings Click Advanced Setup... in this screen. Figure 99 Security > VPN > Setup > Edit > Advanced Setup The following table describes the fields in the VPN Setup-Edit screen to open this screen. When you...
User Guide
Page 230
... with the AH protocol in this section if you are running IPSec on a host computer behind the ZyXEL Device. The new IP packet's source address is the outbound address of the VPN device at the receiving end. When using the AH protocol digitally signs the outbound packet, both Transport ... match. Key Management Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in the middle, so it assumes that the hash value appended to set up a VPN. 16.6.2 IPSec and NAT Read this case, the entire original packet) are performed over the combination of...
User Guide
Page 235
... If you to distinguish between up to 12 incoming SAs because you configure a VPN rule P-661HNU-Fx User's Guide 235 The DNS server feature for SAs that have dynamic WAN IP addresses. This enables the ZyXEL Device to save multiple active rules with Windows 2000 or Windows XP....In this identifying information is not encrypted. Regardless of the ID type and content configuration, the ZyXEL Device does not allow you do not specify an Intranet DNS server on the remote network, then the VPN host must use separate passwords to simultaneously connect to provide identity protection.
User Guide
Page 236
...VPN tunnel. 236 P-661HNU-Fx User's Guide E-mail Type an e-mail address (up to 31 characters) by which to identify this ZyXEL Device. E-mail Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router. The domain name or e-mail address that you configure ...in the Secure Gateway Address field below. 16.6.8.1 ID Type and Content Examples Two IPSec routers must have the ZyXEL Device automatically use in the Secure Gateway Address field. The domain name also...
User Guide
Page 237
... headquarters has a static public IP address. An "ID mismatched" message displays in this example can make VPN connections to establish a shared secret over an unsecured communications channel. Table 65 Matching ID Type and Content Configuration Example ZYXEL DEVICE A ZYXEL DEVICE B Local ID type: E-mail Local ID type: IP Local ID content: [email protected]...
User Guide
Page 238
... parameters but the local IP addresses (or ranges of the rules configured on page 234), the ZyXEL Device can use different IPSec parameters. Chapter 16 VPN 16.6.11.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that are mapped to their dynamic WAN IP addresses (use Dynamic...
User Guide
Page 239
...VPN rule for a VPN connection with a ZyXEL Device located at headquarters can find the telecommuters by its ID type and content and uses the appropriate VPN rule to establish the VPN...ZyXEL Device at headquarters can also initiate VPN connections to the telecommuters since it can overlap. Chapter 16 VPN at headquarters. Figure 107 Telecommuters Using Unique VPN...192.168.4.15 Table 68 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS HEADQUARTERS All Telecommuter Rules: All....168.2.12 Local IP Address: 192.168.2.12 Headquarters ZyXEL Device Rule 1: Peer ID Type: IP Peer ID...
User Guide
Page 398
...Services, see DiffServ Diffie-Hellman key groups 237 DiffServ (Differentiated Services) marking rule 188 disclaimer 393 DNS 142, 173 DNS Server for VPN host 234 DNS server address assignment 109 domain name system, see IBSS initialization vector (IV) 345 inside header 232 install UPnP 158 ...P-661HNU-Fx User's Guide DS (Differentiated Services) 188 DS field 188 DSCP 187 DSL line, reinitialize 264 dynamic DNS 197 Dynamic Host Configuration Protocol, see DHCP dynamic secure gateway address 219 dynamic WEP key exchange 344 DYNDNS wildcard 197 E EAP Authentication 342 Encapsulation 104 MER 105...