User Guide
Page 3
... DNS Setup 175
Interface Group 179
USB Service 185
Power Management 193
Firewall 197
MAC Filter 205
Parental Control 207
Scheduler Rule 211
Certificates 213
VPN 221
Voice 235
Log 267
Traffic Status 271
VoIP Status 275
ARP Table 277
Routing Table 279
IGMP/MLD Status 281
xDSL Statistics 283
3G ...
Page 10
... CA Certificate 218
19.4.2 Import Trusted CA Certificate 219
Chapter 20 VPN 221
20.1 Overview 221
20.2 The IPSec VPN General Screen 221
20.3 The IPSec VPN Add/Edit Screen 222
20.4 The IPSec VPN Monitor Screen 228
20.5 Technical Reference 228
20.5.1 IPSec Architecture 228
20.5.2 Encapsulation 229
10 VMG8324-B10A / VMG8324-B30A Series User's Guide
Page 11
Table of Contents
20.5.3 IKE Phases 230
20.5.4 Negotiation Mode 231
20.5.5 IPSec and NAT 232
20.5.6 VPN, NAT, and NAT Traversal 232
20.5.7 ID Type and Content 233
20.5.8 Pre-Shared Key 234
20.5.9 Diffie-Hellman (DH) Key Groups 234
Chapter 21 ...
... You Can Do in this Chapter 271
23.2 The WAN Status Screen 271
23.3 The LAN Status Screen 273
23.4 The NAT Status Screen 274
Page 31
... screen to view NAT statistics for the phone ports. NAT: Use this screen to ... Use this screen to select your ZyXEL Device's Voice over IP settings. VoIP Status: Use this screen to view the status of all ... Use this screen to view VoIP registration, current call status and phone numbers for connected hosts. Maintenance ... Trusted CA: Use this screen to view ... a call service mode ... supervisors. IPSec VPN: Use this screen to view and manage the list of all IPSec VPN tunnels. Use this screen to configure your location and a call history list. Security Log: Use ...
Page 221
... the Internet. Internet Protocol Security (IPSec) is a standards-based VPN that provides confidentiality, data integrity, and authentication. This chapter shows you how to configure the Device's VPN settings.

20.2 The IPSec VPN General Screen
Use this screen to ... open this screen as shown ... (Figure 136 Security > IPSec VPN)
Page 222
... screen contains the following fields:

Table 103 Security > IPSec VPN
LABEL: DESCRIPTION
Add New Connection: Click this ... screen as shown next.
#, Status, Connection Name, Remote Gateway, Local Addresses: ...
Remote Addresses: This displays the IP address(es) on the LAN behind the remote IPSec router.
Delete: Click ...
Page 223
... IKE SA.

Figure 137 Security > IPSec VPN: Add/Edit
This screen contains the following fields:

Table 104 Security > IPSec VPN: Add/Edit
LABEL: DESCRIPTION
Active: Select this to activate this VPN policy.
Name: ... the VPN policy.
Remote IPSec Gateway Address: Enter the IP address of ...
... Tunnel access from local IP ... Select Subnet to specify local LAN IP addresses by their subnet mask.
Page 224
... Device by its ... If ... authentication is selected, ... your pre-shared key. If Subnet is selected, enter the subnet mask to identify ... IP addresses on the LAN behind your Device.
Select the key exchange method: Auto(IKE) - ...
... Pre-Shared Key ... It is called "pre-shared" because you ... Type from 8 to 31 case-... ; ... denotes that the key is hexadecimal and "0123456789ABCDEF" is ... not counted as ... Only use the same ... a regular IPSec SA.
Select Certificate (X.509) to configure a VPN connection policy with certificate-based authentication.
Page 225
... Click ... more time to display basic settings only.
Negotiation Mode: Select the negotiation mode to use ...
Local ID Type: ... to distinguish between the Device and the remote IPSec router. Select IP to ... (refer to the Remote IPSec Gateway Address field description). When you select DNS or E-mail in the Local ID Type field, type a domain ...
... the Device automatically uses the Pre-Shared Key ... the remote IPSec router behind the NAT router. Choices are ... NAT routers between ... VPN connection requests that come in from IPSec routers with certificate-based authentication.
Page 226
Table 104 Security > IPSec VPN: Add/Edit (continued)
LABEL: DESCRIPTION
Encryption Algorithm: Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - ... with the DES encryption algorithm; 3DES - ...; AES-128 - ...; AES-192 - a 192-bit key with the AES encryption algorithm; ... The longer the key, the more secure it is, but also the slower. Longer keys require more processing power, resulting in increased latency ...
... However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Page 227
... characters long.
SPI: Type a unique SPI (Security Parameter Index) in hexadecimal characters.
... The longer the key, the more secure the encryption, but the longer it takes to encrypt and decrypt information.
Authentication Algorithm: ... Choices are: None - do not use ... to authenticate packet data; ...
3DES - a 168-bit key with the DES encryption algorithm ...
SA Life Time: A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. ...
Click OK to save your ... settings. Click ... to ... your previously saved settings.
... Enter the ...
Page 228
... it displays a red line in this screen as follows.

Figure 138 Security > IPSec VPN > Monitor
This screen contains the following fields:

Table 105 Security > IPSec VPN > Monitor
LABEL: DESCRIPTION
Refresh Interval: Select how often you want ... between ...
... This displays your VPN tunnel's current status.
Local Addresses: This displays the IP address(es) on the LAN behind your Device.
... You can also manually trigger a VPN tunnel to establish a VPN connection with the remote network.

20.5 Technical Reference
This section provides some technical background ...
Page 229
Figure 139 IPSec Architecture
... structure (including implementation algorithms).

IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and ... the AH and ESP protocols. The Encryption Algorithm describes the use ... use IKE (ISAKMP) or manual key configuration in order to set up a VPN.

20.5.2 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. At the time of writing, the Device supports Tunnel mode only.

Figure 140 Transport and Tunnel Mode IPSec Encapsulation
Page 230
... The ... protocol appears after the original IP header and options, but before ... Tunnel mode is required for ... access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. ... integrity against the data ...
• Outside header: The outside IP header contains the destination IP address of the VPN gateway.
• Inside header: The inside IP header ...
... not used to protect upper layer protocols ...

20.5.3 IKE Phases
There are ... phase 1 (Authentication) and phase 2 (Key Exchange).
Page 231
Figure 141 Two Phases to Set Up the IPSec SA
In phase 1 you must:
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group.
• Set ... expires.
... It uses 6 messages in the negotiation.
SA Life Time: This field allows you to determine how long the IPSec SA should stay up before it times out. The Device automatically renegotiates the IPSec SA if ... is already established, the IPSec SA stays connected.
Page 232
20.5.5 IPSec and NAT
... running IPSec on a host computer behind the Device. ... IPSec using the AH protocol digitally signs the outbound packet, both ... As a result, the VPN device at the receiving end finds a mismatch ...
... ESP in tunnel mode ... The new IP packet's source address is the outbound address of ... the VPN device at the receiving end. The encrypted contents, but not the new headers, are ... "original header plus original payload," which is ... 1). ... ESP ... with authentication is not compatible with ... in remote access situations where the address ... between the two IPSec routers.
Page 233
... endpoints.
• Set the NAT router to forward UDP port 500 ... with the UDP port 500 header unchanged.
NAT traversal solves the problem by ... header to establish an IKE SA: IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA. ... to save multiple active rules ...

Table 107 VPN and NAT
SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   Y*
ESP                 Tunnel      Y
Y* - This is not encrypted. ...

20.5.7 ID Type and Content
... ID type and content since in this case the Device can select between up ... In this identifying information ...
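The reasoning in 20.5.5 (AH signs the IP header, so a NAT rewrite breaks the hash; tunnel-mode ESP signs only the original packet, which NAT never sees) and the four rows of Table 107 can be checked end to end. The following is an added example written for this page, not ZyXEL's code: it models AH and ESP with a keyed hash standing in for the real integrity check value (no actual encryption and no real AH/ESP framing), pushes one TCP segment through a NAT router that rewrites the outer source address, and reports which variants the receiving gateway still accepts. The addresses, key and payload are constructed. The `natt_original_src` parameter is an assumption that models the RFC 3948 transport-mode checksum fix-up that NAT traversal makes possible, which is what the "Y*" row depends on; the Device itself supports Tunnel mode only.

```python
"""Why NAT breaks AH and transport-mode ESP but not tunnel-mode ESP (Table 107).

Added example; not ZyXEL code. An HMAC-SHA256 tag stands in for the AH/ESP
ICV, ESP "encryption" is omitted, and all addresses are constructed.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-sa-key"                   # stands in for the negotiated SA keys
HOST_A, HOST_B = "192.168.1.10", "192.168.2.20"   # constructed LAN hosts behind each gateway
GW_A, GW_B = "203.0.113.1", "198.51.100.1"        # constructed IPSec gateway addresses
NAT_PUBLIC = "192.0.2.7"                          # address a NAT router in the path substitutes


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) of data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the header checksum is left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def pseudo_header(src: str, dst: str, length: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)


def tcp_segment(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """TCP segment whose checksum covers the IPv4 pseudo-header, i.e. the original addresses."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = ones_complement_sum(pseudo_header(src, dst, len(hdr) + len(data)) + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    return ones_complement_sum(pseudo_header(src, dst, len(seg)) + seg) == 0


def ah_immutable(hdr: bytes) -> bytes:
    """AH covers the IP header with mutable fields (TTL, header checksum) zeroed.
    The addresses stay covered, and those are exactly what NAT rewrites."""
    return hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]


def tag(*parts: bytes) -> bytes:
    return hmac.new(KEY, b"".join(parts), hashlib.sha256).digest()


def build(protocol: str, mode: str) -> dict:
    """Protect one TCP segment from HOST_A to HOST_B with the given protocol and mode."""
    seg = tcp_segment(HOST_A, HOST_B, 40000, 443, b"constructed payload")
    inner = ip_header(HOST_A, HOST_B, 6, len(seg))
    if mode == "transport":
        outer, payload = inner, seg
    else:  # tunnel: the whole original packet rides inside a new gateway-to-gateway packet
        outer, payload = ip_header(GW_A, GW_B, 50, len(inner) + len(seg)), inner + seg
    icv = tag(ah_immutable(outer), payload) if protocol == "AH" else tag(payload)
    return {"protocol": protocol, "mode": mode, "outer": outer, "payload": payload, "icv": icv}


def nat(pkt: dict, new_src: str) -> dict:
    """Source NAT rewrites the outer source address. Under ESP the transport header
    is opaque to it, so it cannot repair the TCP checksum."""
    outer = pkt["outer"]
    return dict(pkt, outer=outer[:12] + socket.inet_aton(new_src) + outer[16:])


def receive(pkt: dict, natt_original_src: str = None) -> bool:
    """Receiving gateway: verify the ICV, then let the stack check the TCP checksum
    against the addresses it sees. natt_original_src (assumption) models the
    RFC 3948 transport-mode fix-up: with NAT traversal the receiver knows the
    pre-NAT address from IKE and checks the checksum against that instead."""
    outer, payload = pkt["outer"], pkt["payload"]
    expected = tag(ah_immutable(outer), payload) if pkt["protocol"] == "AH" else tag(payload)
    if not hmac.compare_digest(expected, pkt["icv"]):
        return False  # hash mismatch: the receiver assumes the packet was altered
    if pkt["mode"] == "tunnel":
        inner, seg = payload[:20], payload[20:]
        src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    else:
        seg = payload
        src = natt_original_src or socket.inet_ntoa(outer[12:16])
        dst = socket.inet_ntoa(outer[16:20])
    return tcp_checksum_ok(src, dst, seg)


def table_107() -> dict:
    """Does each protocol/mode survive a NAT router between the endpoints?"""
    return {(p, m): receive(nat(build(p, m), NAT_PUBLIC))
            for p in ("AH", "ESP") for m in ("transport", "tunnel")}


def esp_transport_with_nat_traversal() -> bool:
    """The Y* row: transport-mode ESP crosses NAT once the receiver can undo the checksum damage."""
    return receive(nat(build("ESP", "transport"), NAT_PUBLIC), natt_original_src=HOST_A)


if __name__ == "__main__":
    for (p, m), ok in table_107().items():
        print(f"{p:3} {m:9} across NAT: {'Y' if ok else 'N'}")
    print("ESP transport with NAT traversal:", "Y" if esp_transport_with_nat_traversal() else "N")
```

Running it prints N, N, N, Y for the four rows and Y for the NAT-traversal case. The AH rows fail at the ICV check; the ESP transport row passes the ICV but fails at the TCP checksum, because NAT changed the address the checksum was computed over and could not see the checksum to fix it; the ESP tunnel row passes both because the receiver checks against the inner header.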
Page 234
... keys.

Table 108 Local ID Type and Content Fields
LOCAL ID TYPE = / CONTENT =
IP: Type the IP address of ...
DNS: Type a domain name (up ...
E-mail: ... The domain name or e-mail address that ...

Table 109 Matching ID Type and Content Configuration Example
Device A: Local ID type: E-mail; Local ID content: ...
Device B: Local ID type: IP; ...

20.5.8 Pre-Shared Key
... (refer to ... for more on IKE phases). ... the IKE SA is used ... that you use pre-shared keys.

20.5.9 Diffie-Hellman (DH) Key Groups
Diffie-Hellman is a public-key cryptography protocol that allows two parties to ... a VPN tunnel. Diffie-Hellman is not authenticated. ...
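20.5.8 and 20.5.9 say that Diffie-Hellman lets the two gateways agree on keys but is itself not authenticated, which is why IKE phase 1 authenticates the exchange with the pre-shared key (or certificates) and the configured ID content. The following added example, written for this page and not ZyXEL's code, runs a DH exchange over IKE group 2 (the 1024-bit MODP group from RFC 2409, the only real protocol constant here), shows a man-in-the-middle succeeding against the bare exchange, and then shows the same attack failing once each public value carries a tag keyed with the pre-shared key and bound to the sender's ID. The `auth_tag` construction is a simplified stand-in for IKEv1's HASH_I/HASH_R, and the IDs and keys are constructed.

```python
"""Diffie-Hellman over IKE group 2 and why IKE authenticates it with a pre-shared key.

Added example; not ZyXEL code. auth_tag is a simplified stand-in for IKEv1's
PSK authentication (not the exact SKEYID/HASH_I construction).
"""
import hashlib
import hmac
import secrets

# RFC 2409 "group 2": 1024-bit MODP prime, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
assert GROUP2_P.bit_length() == 1024


def dh_keypair():
    """Private exponent x in [2, p-2] and public value g^x mod p."""
    x = secrets.randbelow(GROUP2_P - 3) + 2
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Shared secret; the degenerate public values 0, 1 and p-1 are rejected."""
    if not 1 < peer_pub < GROUP2_P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, GROUP2_P).to_bytes(128, "big")


def session_key(shared: bytes) -> bytes:
    return hashlib.sha256(shared).digest()


def unauthenticated_exchange(mitm: bool = False) -> dict:
    """Plain DH. With mitm=True, Mallory swaps her own public value into both
    directions; neither party can tell, because DH alone is not authenticated."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    if not mitm:
        return {"alice": session_key(dh_shared(a, B)), "bob": session_key(dh_shared(b, A))}
    m, M = dh_keypair()
    return {"alice": session_key(dh_shared(a, M)),            # Alice believes M came from Bob
            "bob": session_key(dh_shared(b, M)),              # Bob believes M came from Alice
            "mallory_with_alice": session_key(dh_shared(m, A)),
            "mallory_with_bob": session_key(dh_shared(m, B))}


def mitm_succeeds() -> bool:
    k = unauthenticated_exchange(mitm=True)
    return (k["alice"] == k["mallory_with_alice"] and k["bob"] == k["mallory_with_bob"]
            and k["alice"] != k["bob"])


def auth_tag(psk: bytes, pub: int, sender_id: bytes) -> bytes:
    """Simplified PSK authentication: bind the public value to the sender's ID
    under the pre-shared key (assumption; real IKEv1 derives SKEYID from the PSK
    and nonces and hashes both public values, IDs and SA payloads)."""
    return hmac.new(psk, pub.to_bytes(128, "big") + sender_id, hashlib.sha256).digest()


ALICE_ID, BOB_ID = b"alice@example.test", b"bob@example.test"   # constructed E-mail ID content


def authenticated_exchange(psk_alice: bytes, psk_bob: bytes, mitm: bool = False):
    """True if both sides authenticate each other and derive the same key,
    None if either side rejects its peer (no tunnel is built)."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    msg_from_alice = (A, auth_tag(psk_alice, A, ALICE_ID))
    msg_from_bob = (B, auth_tag(psk_bob, B, BOB_ID))
    if mitm:  # Mallory has no PSK: she can replace the value but not forge the tag
        _, M = dh_keypair()
        msg_from_alice = (M, msg_from_alice[1])
        msg_from_bob = (M, msg_from_bob[1])
    bob_accepts = hmac.compare_digest(auth_tag(psk_bob, msg_from_alice[0], ALICE_ID), msg_from_alice[1])
    alice_accepts = hmac.compare_digest(auth_tag(psk_alice, msg_from_bob[0], BOB_ID), msg_from_bob[1])
    if not (alice_accepts and bob_accepts):
        return None
    return session_key(dh_shared(a, msg_from_bob[0])) == session_key(dh_shared(b, msg_from_alice[0]))


if __name__ == "__main__":
    psk = b"constructed pre-shared key"
    print("bare DH, MITM succeeds:", mitm_succeeds())
    print("PSK-authenticated, honest peers:", authenticated_exchange(psk, psk))
    print("PSK-authenticated, MITM:", authenticated_exchange(psk, psk, mitm=True))
    print("PSK-authenticated, mismatched keys:", authenticated_exchange(psk, b"other key"))
```

The mismatched-key case is the one to remember when a tunnel will not come up: with different pre-shared keys on the two gateways, phase 1 fails before any IPSec SA is negotiated, exactly as it does against the man-in-the-middle.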
Page 407
... type and content 233 IEEE 802.11g 379 IEEE 802.1Q 68 IGA 171 IGMP 68 multicast group list 281 version 68 IKE phases 230 ILA 171 Independent Basic Service Set See IBSS 375 initialization vector (IV) 383 Inside Global Address, see IGA inside header 230 ... 108, 129 ping 318 private 129 WAN 45 IP Address Assignment 67 IP alias NAT applications 173 IPSec algorithms 229 architecture 228 NAT 232 IPSec VPN 221 IPv6 45, 389 addressing 45, 69, 389 EUI-64 391 global address 390 interface ID 391 link-local address 389 Neighbor Discovery Protocol 389 ...