User Guide
Page 7
... to Know Your ZyWALL  45
Introducing the Web Configurator  49
Wizard Setup  67
Tutorials  87
Registration Screens  125
Network  129
LAN Screens  131
Bridge Screens  143
WAN Screens  151
DMZ Screens  171
Wireless LAN Screens  183
Security  193
Firewall Screens  195
Content Filtering Screens  223
Content Filtering Reports  245
IPSec VPN Screens  253
...  365
Remote Management Screens  377
UPnP Screens  397
Custom Application Screen  407
ALG Screen  409
Logs and Maintenance  415
Logs Screens  417
Maintenance Screens  447
ZyWALL 2 Plus User's Guide  7
Page 13
... 13.3 Web Site Submission  250
Chapter 14 IPSec VPN Screens  253
14.1 Overview  253
14.1.1 What You Can Do in the IPSec VPN Screens  253
14.1.2 What You Need to Know About IPSec VPN  254
14.2 The VPN Rules (IKE) Screen  256
14.2.1 The VPN Rules (IKE) Gateway Policy Edit Screen  257
... Network Policy Move Screen  270
14.3 The VPN Rules (Manual) Screen  271
14.3.1 The VPN Rules (Manual) Edit Screen  272
14.4 The SA Monitor Screen  275
14.5 The Global Setting Screen  275
14.5.1 Configuring the Global Setting Screen  277
14.6 Telecommuter VPN/IPSec Examples  278
Page 14
... Example  279
14.6.2 Telecommuters Using Unique VPN Rules Example  279
14.7 VPN and Remote Management  281
14.8 Hub-and-spoke VPN  281
14.8.1 Hub-and-spoke VPN Example  282
14.8.2 Hub-and-spoke Example VPN Rule Addresses  283
14.8.3 Hub-and-spoke VPN Requirements and Suggestions  283
14.9 IPSec VPN Technical Reference  283
Chapter 15 Certificates Screen  295
...
... User Database Screen  324
16.3 The RADIUS Screen  326
Part IV: Advanced  329
Chapter 17 Network Address Translation (NAT) Screens  331
17.1 Overview  331
Page 193
PART III Security
Firewall Screens (195)
Content Filtering Screens (223)
Content Filtering Reports (245)
IPSec VPN Screens (253)
Certificates Screen (295)
Authentication Server Screens (323)
Page 253
CHAPTER 14 IPSec VPN Screens

14.1 Overview

A virtual private network (VPN) provides secure communications between sites over a shared network such as the Internet. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing; the VPN is built from these controls, it does not replace them.

.... • Use the VPN Rules (Manual) screens (see Section 14.3 on page 271) to manage the ZyWALL's list of VPN rules (tunnels) that use manual keys. A manually keyed tunnel never rekeys, so a key that leaks exposes every packet ever sent under it; prefer IKE rules unless the remote device cannot run IKE.
Page 254
IKE sets up a VPN tunnel in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use for the VPN tunnel.

Gateway and Network Policies

A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network.
• A gateway policy contains the IKE SA settings (phase 1). The second phase...
Page 255
... Gateway and Network Policies (continued)

This figure helps explain the main fields in the VPN screens; the terms are discussed in more detail in the Technical Reference section (Section 14.9). The negotiation mode determines the number of messages exchanged to set up the IKE SA and whether the two routers' identities are protected while they are exchanged: Main mode encrypts them, Aggressive mode sends them in the clear and, with a pre-shared key, lets a passive observer capture material that can be brute-forced offline. Use Main mode wherever both addresses are known. ... In this case, you have to specify the IP addresses of the ZyWALL and the remote IPSec router to establish an IKE SA...

ZyWALL and Remote IPSec Router

... If one end has a dynamic IP address, you can still set up the IKE SA, but only that end (here the remote IPSec router) can initiate it; the other end (the ZyWALL) must have a static IP address or a domain name that the initiator can reach. ... These are discussed in more detail in the VPN setup. ... When both ends have fixed addresses, either one can initiate an IKE SA. ...
Page 256
14.2 The VPN Rules (IKE) Screen

Click SECURITY > VPN to manage the ZyWALL's list of VPN rules (tunnels) that use IKE SAs.

Table 64 SECURITY > VPN > VPN Rules (IKE)
LABEL / DESCRIPTION
VPN Rules: These VPN rules define the settings for creating VPN tunnels for secure connection to another computer or network. A rule pairs a gateway policy, which negotiates the IKE SA, with one or more network policies, each of which negotiates a phase 2 IPSec SA.
Gateway Policies: ...
My ZyWALL: ...
Remote...
Page 257
... Recycle Bin: Network policies that are not associated with a gateway policy are kept in the recycle bin, so you can use them again later. You can also manually move a network policy to a different gateway policy (devices behind the IPSec routers are unaffected until the policy is active again). ...
Edit icon: Click this icon to display the VPN-Gateway Policy -Edit screen, in which you configure a VPN gateway policy.
Drop icon: Use this icon to drop a VPN connection.
Remote Network: This is ...
Page 258
Figure 172 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
Page 259
... (in the DDNS screen) ...

The following table describes the labels in this screen.

NAT Traversal: Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN tunnel when there is a NAT router between the ZyWALL and the remote IPSec router; the tunnel terminates on the IPSec router behind the NAT router. The remote IPSec router must also have NAT traversal enabled. ... If you configure an active rule with manual key management, ... See ... for more information. For NAT traversal to work, the NAT router must pass UDP port 500 (IKE) and the UDP port carrying the encapsulated ESP traffic (4500 with standard NAT traversal); ESP on its own (IP protocol 50) has no port numbers for a NAT to rewrite.
My ZyWALL: ... The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field at its default. ...
Redundant remote gateway address: the remote gateway to use when the ZyWALL cannot connect to the primary remote gateway. ...
Page 260
... Local ID Type / Content: ... identifies this ZyWALL to the remote IPSec router. You do not configure the local ID type and content when you select ... The ZyWALL automatically uses the IP address in ...
Peer ID Type / Content: ... When you want the remote IPSec router to be able to present any ID, ... any string ...
Pre-Shared Key: Type from 8 to 31 case-sensitive ASCII characters, or from 16 to 62 hexadecimal characters preceded by "0x" (zero x); the "0x" is not counted toward the 16 to 62. Both ends of the tunnel must use the same pre-shared key to identify this VPN tunnel.
Certificate: Available when you set Authentication Key to Certificate; ... the certificate the ZyWALL uses for this tunnel ...
Fall back to primary remote gateway: ... check interval ... network policy SA life time ... The ZyWALL returns to using the primary remote gateway if the connection becomes available again.
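The Pre-Shared Key rules above are easy to get wrong on the other end of the tunnel, because a key typed as "0x..." is hexadecimal key bytes while any other string is taken literally. The following Python is an added example, not ZyWALL code: it checks a key against the documented format (8 to 31 ASCII characters, or 16 to 62 hex digits after "0x"), shows the key bytes each spelling produces so a non-ZyXEL peer can be given the same secret, estimates strength, and generates a maximum-length random key. The 80-bit strength threshold and the rejection of an odd number of hex digits are this example's own assumptions; the manual states only the format rules.

```python
# Added example (not ZyWALL code): validate, compare and generate IKE pre-shared
# keys under the Pre-Shared Key field's documented format.
import math
import secrets
import string

ASCII_MIN, ASCII_MAX = 8, 31      # case-sensitive ASCII form
HEX_MIN, HEX_MAX = 16, 62         # hex digits after "0x"; the "0x" is not counted
MIN_STRENGTH_BITS = 80            # this example's own threshold, not a ZyWALL rule


def classify_psk(psk: str) -> str:
    """Return "hex" or "ascii" if psk fits the documented format, else raise ValueError."""
    if psk.startswith("0x"):
        digits = psk[2:]
        if not digits or any(c not in string.hexdigits for c in digits):
            raise ValueError("hex key: only 0-9 and A-F/a-f may follow the 0x prefix")
        if not HEX_MIN <= len(digits) <= HEX_MAX:
            raise ValueError(f"hex key: {HEX_MIN}..{HEX_MAX} digits required, got {len(digits)}")
        if len(digits) % 2:
            # Assumption: an odd digit count does not form whole key bytes, so it is
            # rejected here; the manual's 16..62 range does not say how it is treated.
            raise ValueError("hex key: digit count must be even")
        return "hex"
    if not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError("ascii key: printable ASCII only")
    if not ASCII_MIN <= len(psk) <= ASCII_MAX:
        raise ValueError(f"ascii key: {ASCII_MIN}..{ASCII_MAX} characters required, got {len(psk)}")
    return "ascii"


def rejects(psk: str) -> bool:
    """True if the field's format rules would refuse this key."""
    try:
        classify_psk(psk)
    except ValueError:
        return True
    return False


def psk_bytes(psk: str) -> bytes:
    """The raw key material; both ends of the tunnel must end up with identical bytes."""
    return bytes.fromhex(psk[2:]) if classify_psk(psk) == "hex" else psk.encode("ascii")


def estimate_entropy_bits(psk: str) -> float:
    """Rough upper bound on guessing entropy from length and the character classes used."""
    if classify_psk(psk) == "hex":
        return 4.0 * (len(psk) - 2)
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(not c.isalnum() for c in psk):
        pool += 33                      # the remaining printable ASCII characters
    return len(psk) * math.log2(pool)


def is_strong(psk: str) -> bool:
    return estimate_entropy_bits(psk) >= MIN_STRENGTH_BITS


def generate_psk(kind: str = "hex") -> str:
    """Maximum-length random key in either spelling, drawn from the OS CSPRNG."""
    if kind == "hex":
        return "0x" + secrets.token_hex(HEX_MAX // 2)          # 62 hex digits
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(ASCII_MAX))


if __name__ == "__main__":
    # The ASCII key "AAAAAAAA" and the hex key 0x4141414141414141 are the same 8 bytes.
    print(psk_bytes("AAAAAAAA") == psk_bytes("0x4141414141414141"))
    print(generate_psk("hex"), is_strong(generate_psk("hex")))
```

The point of psk_bytes is interoperability: a peer that does not understand the "0x" convention must be given the decoded bytes (or the equivalent ASCII string), otherwise phase 1 fails with an authentication error even though both administrators "entered the same key".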
Page 261
... Authentication Key: Select Pre-shared Key to authenticate with a shared secret, or Certificate to authenticate with the ZyWALL's certificate. A certificate avoids distributing one secret to every peer and can be revoked for a single peer, which a shared key cannot. ...
Peer ID (certificate): Select Subject Name to match the certificate's subject; for Subject Name, type the subject name of the certificate the remote IPSec router will use for this VPN connection. Select DNS or E-mail to have the ZyWALL check the DNS or E-mail ID type in the subject alternative name field of the certificate the remote IPSec router uses for this VPN connection. ...
Page 262
Table 65 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
LABEL / DESCRIPTION
Encryption Algorithm: ... 3DES - a 168-bit key with the DES encryption algorithm applied three times ...
Authentication Algorithm: Choices are SHA1 and MD5.
SA Life Time (Seconds): ... A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the IKE SA renegotiates, all users accessing remote resources are temporarily disconnected.
Key Group: Choices are: DH1 - ... Both ends must use the same DH key group.
Extended Authentication, Server Mode: Select Server Mode to have this ZyWALL authenticate the VPN peer. The peer's user name and password must exist in the authentication server's local user database or on a RADIUS server; the link goes to the Local User Database screen where you ...
Extended Authentication, Client Mode: Select Client Mode to have this ZyWALL be authenticated by the VPN peer. User Name: ... Password: Enter the corresponding password for the user name ...
Page 263
...to Section 14.2.3 on page 256).

Table 65 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
LABEL / DESCRIPTION
Enable Multiple Proposals: Select this to allow the ZyWALL to use any of its supported phase 1 key groups and encryption and authentication algorithms when negotiating the IKE SA, not only the ones configured in this rule. The remote IPSec router then chooses, and may pick weaker algorithms than the ones you configured, so leave this cleared unless a specific peer needs it, and then restrict that peer's own proposal list.
Apply: Click Apply to save your changes to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
... Clear ... this screen ...

A network policy identifies the devices behind the ZyWALL and behind the remote IPSec router that can use a VPN tunnel and specifies the authentication, encryption and other ... settings for the IPSec SA. ... the policy index number. Name: This field displays the policy name. ... Click the edit icon to display the VPN-Network Policy -Edit screen.
Page 264
Figure 173 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
Page 265
Table 66 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
LABEL / DESCRIPTION
... VPN connection.
Active: Select this to enable this SA.
Nailed-Up: Select this to have the ZyWALL keep this tunnel up and re-establish it automatically when it expires, rather than waiting for traffic to trigger it. ...
Allow NetBIOS Traffic Through IPSec Tunnel: ... This field is not available when the ZyWALL is ...
Check IPSec Tunnel Connectivity: Select the check box and configure an IP address to test; the ZyWALL checks whether that address is reachable through the tunnel so that a dead peer is detected instead of silently black-holing traffic. ... These checks do not trigger the tunnel. ...
Idle Timeout: If there is no traffic from the remote IPSec router by the time the timeout period expires, the ZyWALL disconnects the VPN tunnel.
Virtual Address Mapping: If you enable virtual address mapping, ... the local network is presented to the remote network under different addresses, and vice versa ...
Page 266
Table 66 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
LABEL / DESCRIPTION
Local Network: Specify the (static) IP addresses of the devices behind your ZyWALL that can use this tunnel. When the Address Type field is configured to Range Address, enter the beginning (static) IP address and the ending (static) IP address of a range of computers on the LAN behind your ZyWALL. ...
Virtual Address Mapping Rule, Type: Select One-to-One or Many-to-One. One-to-One maps each local (static) IP address to its own virtual address; Many-to-One maps all of the local addresses to a single virtual (static) IP address on your ZyWALL, so the remote side sees one host.
Port Forwarding Rules: If you are configuring a Many-to-One rule, click this button to configure port forwarding. The VPN network policy port forwarding rules let the ZyWALL deliver traffic that the remote side sends to the single virtual address on to a specific (static) IP address on the LAN behind your ZyWALL, selected by destination port ...
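Virtual address mapping exists for the case where the local and remote networks use overlapping addresses (both sides on 192.168.1.0/24, for instance), which cannot be routed through one tunnel as-is. The Python below is an added example, not ZyWALL code: it models what a One-to-One rule and a Many-to-One rule with port forwarding do to source and destination addresses, so the effect on exposure is visible. The networks, the virtual addresses and the forwarding entries are constructed for the example; the ZyWALL's own internal representation is not shown in the manual.

```python
# Added example (not ZyWALL code): address rewriting performed by One-to-One and
# Many-to-One virtual address mapping rules, modelled on constructed addresses.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


def needs_mapping(local_net: str, remote_net: str) -> bool:
    """Overlapping local and remote networks cannot share one tunnel without mapping."""
    return IPv4Network(local_net).overlaps(IPv4Network(remote_net))


@dataclass(frozen=True)
class OneToOne:
    """Each local host gets its own virtual address at the same offset in a network
    of equal size, so the remote side can still address individual local hosts."""
    local_net: IPv4Network
    virtual_net: IPv4Network

    def __post_init__(self) -> None:
        if self.local_net.prefixlen != self.virtual_net.prefixlen:
            raise ValueError("One-to-One needs local and virtual networks of equal size")

    def outbound(self, src: str) -> str:
        """Local source address -> address the remote side sees."""
        host = IPv4Address(src)
        if host not in self.local_net:
            raise ValueError(f"{src} is not in {self.local_net}")
        offset = int(host) - int(self.local_net.network_address)
        return str(IPv4Address(int(self.virtual_net.network_address) + offset))

    def inbound(self, dst: str) -> str:
        """Virtual destination address (as sent by the remote side) -> local host."""
        host = IPv4Address(dst)
        if host not in self.virtual_net:
            raise ValueError(f"{dst} is not in {self.virtual_net}")
        offset = int(host) - int(self.virtual_net.network_address)
        return str(IPv4Address(int(self.local_net.network_address) + offset))


@dataclass
class ManyToOne:
    """All local hosts hide behind one virtual address; only the port forwarding
    entries make specific local hosts reachable from the remote side."""
    local_net: IPv4Network
    virtual_ip: IPv4Address
    # (protocol, virtual port) -> (local host, local port)
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, src: str) -> str:
        if IPv4Address(src) not in self.local_net:
            raise ValueError(f"{src} is not in {self.local_net}")
        return str(self.virtual_ip)

    def inbound(self, dst: str, proto: str, port: int) -> Optional[Tuple[str, int]]:
        """Returns the local (host, port) a remote packet is forwarded to, or None if dropped."""
        if IPv4Address(dst) != self.virtual_ip:
            return None
        return self.port_forwards.get((proto.lower(), port))


def one_to_one(local_net: str, virtual_net: str) -> OneToOne:
    return OneToOne(IPv4Network(local_net), IPv4Network(virtual_net))


def many_to_one(local_net: str, virtual_ip: str, forwards: Dict[Tuple[str, int], Tuple[str, int]]) -> ManyToOne:
    return ManyToOne(IPv4Network(local_net), IPv4Address(virtual_ip), dict(forwards))


if __name__ == "__main__":
    # Constructed scenario: both sites use 192.168.1.0/24, local side mapped to 10.0.1.0/24.
    rule = one_to_one("192.168.1.0/24", "10.0.1.0/24")
    print(needs_mapping("192.168.1.0/24", "192.168.1.0/24"), rule.outbound("192.168.1.25"))
    hidden = many_to_one("192.168.1.0/24", "10.0.1.1", {("tcp", 80): ("192.168.1.10", 80)})
    print(hidden.inbound("10.0.1.1", "tcp", 80), hidden.inbound("10.0.1.1", "tcp", 22))
```

With Many-to-One, inbound("10.0.1.1", "tcp", 22) returns None: nothing on the local LAN is reachable from the remote site except what a forwarding entry exposes, which is also why Many-to-One is the safer choice when the remote site only needs to reach one or two local servers.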
Page 267
Table 66 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
LABEL / DESCRIPTION
Remote Network: ... the IP addresses of the devices behind the remote IPSec router. These must correspond to the remote IPSec router's configured local IP addresses. When the Address Type field is ...
Local Port / Remote Port: 0 is the default and signifies any port. Some of the most common TCP/UDP ports are: 21, FTP; 23, Telnet; 25, SMTP; 53, DNS; 80, HTTP; 110, POP3.
Encapsulation / Active Protocol: ... Both AH and ESP increase processing requirements and communications latency (delay). AH authenticates packets but does not encrypt them, so only ESP provides confidentiality.
Authentication Algorithm: Choices are SHA1 and MD5.
Encryption Algorithm: DES - a 56-bit key with the DES encryption algorithm; 3DES - a 168-bit key with the DES encryption algorithm applied three times; AES - a 128-bit key with the AES encryption algorithm. The ZyWALL and the remote IPSec router must use the same algorithms. DES and MD5 are the weakest choices offered here; use ESP with AES and SHA1 unless the peer supports nothing else.
Page 268
Table 66 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
LABEL / DESCRIPTION
Replay Detection: ... The IPSec receiver can detect and reject old or duplicate packets, which protects against replay attacks and against Denial of Service (DoS) attacks built from replayed traffic. ...
SA Life Time (Seconds): ... The minimum value is 180 seconds. ...
Perfect Forward Secrecy (PFS): ... PFS changes the root key that is used to generate the IPSec SA keys, so that compromising one key does not expose the keys of later SAs. Choices are NONE, DH1 - use a 768-bit random number, DH2 - use a 1024-bit random number, and DH5 - use a 1536-bit random number. Both routers must use the same DH key group. ...
Enable Multiple Proposals: Select this to allow the ZyWALL to use any of its supported encryption and authentication algorithms when negotiating the IPSec SA, not only the ones you configure for the VPN rule. When you configure multiple proposals for the IPSec SA, the remote IPSec router chooses, even if it picks weaker settings than ...
... Then, under Virtual Address Mapping Rule, select Many-to-One as the Type and click the Port Forwarding Rules button to ... LAN. ...
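The gateway-policy and network-policy tables above both carry an Enable Multiple Proposals field, and both list algorithms of very different strength (DES through AES, MD5 and SHA1, DH1 through DH5). The Python below is an added example, not ZyWALL code: it models how a responder picks a proposal from what the peer offers with that field cleared and with it set, shows a strongest-common selection as the corrected behaviour, and lints a proposal and SA life time against the settings the manual lists. The algorithm names and the 180-second minimum are the manual's; the first-match selection order, the strength ranking and the lint messages are this example's own assumptions.

```python
# Added example (not ZyWALL code): proposal selection with and without
# "Enable Multiple Proposals", a strongest-common alternative, and a lint of
# the IKE/IPSec settings the manual lists.
from itertools import product
from typing import List, NamedTuple, Optional


class Proposal(NamedTuple):
    encryption: str      # DES, 3DES, AES
    authentication: str  # MD5, SHA1
    dh_group: str        # DH1/DH2/DH5 (key group or PFS); NONE means no PFS, phase 2 only


# Everything the device could agree to once multiple proposals are enabled.
SUPPORTED = [Proposal(e, a, d) for e, a, d in
             product(("DES", "3DES", "AES"), ("MD5", "SHA1"), ("NONE", "DH1", "DH2", "DH5"))]
MIN_SA_LIFETIME = 180  # seconds; the documented minimum

# Strength ranking used by strongest_common(); this example's own ordering.
RANK = {"DES": 0, "3DES": 1, "AES": 2, "MD5": 0, "SHA1": 1,
        "NONE": 0, "DH1": 1, "DH2": 2, "DH5": 3}


def negotiate(offered: List[Proposal], configured: Proposal,
              multiple_proposals: bool) -> Optional[Proposal]:
    """Responder side: accept the first offered proposal it is willing to use.
    With the field cleared only the configured proposal is acceptable; with it set,
    anything in SUPPORTED is, so the initiator's ordering decides the outcome."""
    acceptable = set(SUPPORTED) if multiple_proposals else {configured}
    for p in offered:
        if p in acceptable:
            return p
    return None


def strongest_common(offered: List[Proposal], floor: Proposal) -> Optional[Proposal]:
    """Corrected behaviour: among offered proposals at least as strong as `floor`
    in every component, take the strongest rather than the first."""
    ok = [p for p in offered if p in set(SUPPORTED)
          and all(RANK[x] >= RANK[y] for x, y in zip(p, floor))]
    return max(ok, key=lambda p: tuple(RANK[x] for x in p)) if ok else None


WEAK = {
    "DES": "DES: 56-bit key, brute-forceable",
    "MD5": "MD5: broken hash, use SHA1",
    "DH1": "DH1: 768-bit modulus, too small",
    "NONE": "PFS NONE: every IPSec key derives from the IKE SA; one compromise exposes all rekeys",
}


def lint(p: Proposal, sa_lifetime: int = 28800) -> List[str]:
    """Findings for a proposal plus its SA life time; empty list means nothing flagged."""
    findings = [WEAK[component] for component in p if component in WEAK]
    if sa_lifetime < MIN_SA_LIFETIME:
        findings.append(f"SA life time {sa_lifetime}s below the {MIN_SA_LIFETIME}s minimum")
    return findings


if __name__ == "__main__":
    rule = Proposal("AES", "SHA1", "DH2")
    # Constructed peer offer: weakest proposal listed first, as a downgrading peer would.
    offer = [Proposal("DES", "MD5", "DH1"), Proposal("AES", "SHA1", "DH2")]
    print("cleared:", negotiate(offer, rule, False))
    print("set:    ", negotiate(offer, rule, True))
    print("best:   ", strongest_common(offer, rule))
    print(lint(Proposal("DES", "MD5", "DH1"), sa_lifetime=60))
```

With the field cleared the tunnel only comes up on AES/SHA1/DH2; with it set the same peer gets DES/MD5/DH1 because that is what it offered first. If multiple proposals must stay enabled for a particular peer, the strength of the tunnel is whatever that peer's administrator puts at the top of its list, which is the caveat the table entries state.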