User Guide
Page 9
...ZyXEL Device 39 Introducing the Web Configurator 43 Wizard Setup for Internet Access 59 Bandwidth Management Wizard 73 Network ...79 WAN Setup ...81 LAN Setup ......101 Wireless LAN ...113 DMZ ...137 Network Address Translation (NAT) Screens 141 Security ...155 Firewalls ...157 Firewall Configuration ...169 Content Filtering ...191 Content Access Control ...195 Register ...211 Introduction to IPSec ...215 VPN... Screens ...221 Certificates ...247 Advanced ...271 Static Route ...273 Bandwidth Management ...277 Dynamic DNS Setup ...287 Remote Management ...
User Guide
Page 16
... Site Filters 200 13.2.4 Testing Web Site Access Privileges 205 13.3 User Account Setup ...206 13.4 User Online Status ...207 13.5 Trusted Devices ...208 13.6... Subscription Services Available on the ZyXEL Device 211 14.2 Registration ...212 14.3 Service ...213 Chapter 15 Introduction to IPSec...215 15.1 VPN Overview ...215 15.1.1 IPSec ......215 15.1.2 Security Association 215 15.1.3 Other Terminology 215 15.1.4 VPN Applications 216 15.2 IPSec Architecture ...216 15.2.1 IPSec Algorithms ...217 15.2.2 Key Management 217 15.3 Encapsulation ...217 16 P-662H...
User Guide
Page 17
...Protocol 221 16.3 My IP Address ...222 16.4 Secure Gateway Address 222 16.4.1 Dynamic Secure Gateway Address 223 16.5 VPN Setup Screen ...223 16.6 Keep Alive ...225 16.7 VPN, NAT, and NAT Traversal 225 16.8 Remote DNS Server ...226 16.9 ID Type and Content ...227 16.9.1 ...VPN Rule Example 243 16.18.2 Telecommuters Using Unique VPN Rules Example 244 16.19 VPN and Remote Management 245 Chapter 17 Certificates ...247 17.1 Certificates Overview ...247 17.1.1 Advantages of Certificates 248 17.2 Self-signed Certificates ...248 17.3 Configuration Summary 248 17.4 My Certificates ...248 P-662H...
User Guide
Page 23
List of Figures Figure 1 ZyXEL Device Internet Access Application 40 Figure 2 ZyXEL Device LAN-to-LAN Application Example 40 Figure 3 Firewall Application ...41 Figure 4 P-662H Front Panel ...41 Figure 5 P-662HW Front ... 13 Status: WLAN Status ...54 Figure 14 Status: Bandwidth Status ...54 Figure 15 Status: VPN Status ...55 Figure 16 Status: Packet Statistics ...56 Figure 17 System General ...57 Figure 18...Failed ...61 Figure 22 Auto-Detection: PPPoE ...61 Figure 23 Internet Access Wizard Setup: ISP Parameters 62 Figure 24 Internet Connection with PPPoE 63 Figure 25 Internet ...
User Guide
Page 26
...128 IPSec Summary Fields ...223 Figure 129 VPN Setup ...224 Figure 130 NAT Router Between IPSec Routers 225 Figure 131 VPN Host using Intranet DNS Server Example 227 Figure 132 Edit VPN Policies ...229 Figure 133 Two Phases ... Subnet-based Bandwidth Management Example 278 Figure 159 Bandwidth Management: Summary 281 Figure 160 Bandwidth Management: Rule Setup 282 Figure 161 Bandwidth Management Rule Configuration 284 Figure 162 Bandwidth Management: Monitor 286 Figure 163 Dynamic DNS...Remote Management: Telnet 294 Figure 167 Remote Management: FTP 295 26 P-662H/HW-D Series User's Guide
User Guide
Page 31
...IP Table ...53 Table 5 Status: WLAN Status ...54 Table 6 Status: VPN Status ...55 Table 7 Status: Packet Statistics ...56 Table 8 System General: Password ...57 Table 9 Internet Access Wizard Setup: ISP Parameters 62 Table 10 Internet Connection with PPPoE 63 Table 11 Internet Connection...Setup ...109 Table 32 LAN Client List ...110 Table 33 LAN IP Alias ...112 Table 34 Types of Encryption for Each Type of Authentication 115 Table 35 Additional Wireless Terms ...116 Table 36 Wireless LAN: General ...118 Table 37 Wireless No Security ...119 Table 38 Wireless: Static WEP Encryption 120 P-662H...
User Guide
Page 33
...Security > Register > Service 214 Table 85 VPN and NAT ...219 Table 86 AH and ESP ...222 Table 87 VPN Setup ...224 Table 88 VPN and NAT ...226 Table 89 Local ID...VPN Policies ...230 Table 94 Advanced VPN Policies ...236 Table 95 VPN: Manual Key ...239 Table 96 VPN: SA Monitor ...242 Table 97 VPN: Global Setting ...243 Table 98 Telecommuters Sharing One VPN Rule Example 244 Table 99 Telecommuters Using Unique VPN... Table 119 Media Bandwidth Management: Summary 281 Table 120 Bandwidth Management: Rule Setup 282 Table 121 Bandwidth Management Rule Configuration 284 Table 122 Dynamic DNS ...288...
User Guide
Page 49
... settings. Trusted Remote Use this screen to define a bandwidth rule. Rule Setup Use this screen to import self-signed certificates. Dynamic DNS Use this screen to allow NetBIOS traffic through VPN tunnels. P-662H/HW-D Series User's Guide 49 Monitor Use this screen to exclude a ...certificates). Monitor Use this screen to view information about users accessing the Internet. Online Status Use this screen to view the ZyXEL Device's bandwidth usage and allotments. Trusted CAs Use this screen to create user accounts. User Profile Use this screen to ...
User Guide
Page 222
... SHA1 SHA1 (Secure Hash Algorithm) produces a 160-bit digest to rebuild the VPN tunnel if the My IP Address changes after setup. The ZyXEL Device has to authenticate packet data. Chapter 16 VPN Screens Table 86 AH and ESP ESP AH ENCRYPTION AUTHENTICATION DES (default) Data ...), effectively doubling the strength of the remote IPSec router (secure gateway). 222 P-662H/HW-D Series User's Guide MD5 (default) MD5 (Message Digest 5) produces a 128-bit digest to 128-bit blocks of the ZyXEL Device. See the chapter on dial backup and traffic redirect. 16.4 Secure Gateway...
User Guide
Page 223
You can initiate SAs. The ZyXEL Device has to rebuild the VPN tunnel each time the remote secure gateway's WAN IP address changes... 128 IPSec Summary Fields Local and remote IP addresses must be useful for telecommuters initiating a VPN tunnel to open the Setup screen. In this case only the remote secure gateway can also enter a remote secure gateway...Manual key management. 16.5 VPN Setup Screen The following figure helps explain the main fields in the Secure Gateway Address field. You may be static. P-662H/HW-D Series User's Guide 223 Chapter 16 VPN Screens If the remote secure ...
User Guide
Page 224
... address(es) of computer(s) on the remote network behind your ZyXEL Device. Remote Address This is the IP address(es) of computer...and a subnet mask are displayed when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Subnet. P-662H/HW-D Series User's Guide Click a number to Single. The beginning and ...displayed when the Local Address Type field in this VPN policy is the VPN policy index number. Active This field displays whether the VPN policy is active. Table 87 VPN Setup LABEL DESCRIPTION No. This field displays N/A when ...
User Guide
Page 225
...to work. In effect, the IPSec tunnel becomes an "always on the IPSec SA lifetime). Chapter 16 VPN Screens Table 87 VPN Setup LABEL DESCRIPTION Encap. Click the Delete icon to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh. 16.6 Keep Alive When you can take...for an SA. Modify Click the Edit icon to go to the ZyXEL Device because the ZyXEL Device never drops the tunnels that the data has been maliciously altered. Figure 130 NAT Router Between IPSec Routers P-662H/HW-D Series User's Guide 225 IPSec Algorithm This field displays the...
User Guide
Page 229
Click an Edit icon in the VPN Setup screen to edit VPN policies. Figure 132 Edit VPN Policies P-662H/HW-D Series User's Guide 229 It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. 16.11 Editing VPN Policies Use this screen to view the screen as shown. Chapter 16 VPN Screens 16.10 Pre-Shared Key A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section 16.12 on page 233 for more on IKE phases).
User Guide
Page 230
...ZyXEL Device. 230 P-662H/HW-D Series User's Guide Select Range for a single IP address. You may use any time. IPSec Key Mode Select IKE or Manual from the drop-down list box. A DNS server allows clients on your LAN behind your ZyXEL Device. Table 93 Edit VPN Policies LABEL DESCRIPTION IPSec Setup... Active Keep Alive NAT Traversal Select this check box to 0.0.0.0, the ranges of computers on the VPN to find other active rules with the Secure...
User Guide
Page 235
...Hellman groups are derived from previous keys. Click Advanced in the ZyXEL Device. Diffie-Hellman is used within IKE SA setup to open this screen to establish a shared secret over an unsecured communications channel. Chapter 16 VPN Screens 16.12.2 Diffie-Hellman (DH) Key Groups Diffie-...Hellman (DH) is a public-key cryptography protocol that allows two parties to configure advanced IKE settings. P-662H...
User Guide
Page 236
...most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3. Enable Replay Detection As a VPN setup is processing intensive, the system is left at 0, End will also remain at 0. End Enter a port number in the previous field. If Remote Start Port... Figure 134 Advanced VPN Policies The following table describes the fields in the previous field. This port number must have the same negotiation mode. 236 P-662H/HW-D Series User's Guide Phase 1 Negotiation Mode Select Main or Aggressive from the drop-down list box. Select YES from the...
User Guide
Page 237
...because you have to 3,000,000 seconds (almost 35 days). Select MD5 for minimal security and SHA-1 for phase 1 IKE setup. However, every time the VPN tunnel renegotiates, all users accessing remote resources are hash algorithms used to encrypt and decrypt the message or to choose from the ... without encryption. Select NULL to update the encryption and authentication keys. Select MD5 for minimal security and SHA-1 for data communications, both ends. P-662H/HW-D Series User's Guide 237 Select DES, 3DES, AES or NULL from the drop-down list box. As a result, 3DES is more processing...
User Guide
Page 238
This allows faster IPSec setup, but is the VPN Manual Key screen as shown next. 238 P-662H/HW-D Series User's Guide Back Click Back to return to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number (more secure, yet slower). This is not ... the encryption and authentication keys. Apply Click Apply to the VPN-IKE screen. Cancel Click Cancel to return to the VPN-IKE screen without saving your changes back to the ZyXEL Device and return to save your changes. 16.14 Manual Key Setup Manual key management is useful if you select Manual in the...
User Guide
Page 239
... a useful option for the Security Parameter Index. Table 95 VPN: Manual Key LABEL DESCRIPTION IPSec Setup Active Select this check box to identify this VPN policy. Name Type up to 32 characters to activate this VPN policy. Encapsulation Mode Select Tunnel mode or Transport mode from the...Select IKE or Manual from the drop-down list box. P-662H/HW-D Series User's Guide 239 You may use any character, including spaces, but the ZyXEL Device drops trailing spaces. Figure 135 VPN: Manual Key Chapter 16 VPN Screens The following table describes the fields in this screen.