User Manual
Page 96
... and application patrol, more SSL VPN tunnels, and content filtering. MENU ITEM(S) Configuration > Licensing > Registration PREREQUISITES Internet access to myZyXEL.com 6.5.3 Licensing Update Use these screens to register your ZyWALL and subscribe to myZyXEL.com. To configure dmz's settings, click Network > Interface > Ethernet and then the dmz's Edit icon. 96 ZyWALL USG 50 User's Guide Note: When...
User Manual
Page 97
..., services, service groups PREREQUISITES Next-hop: addresses (HOST gateway), IPSec VPN, SSL VPN, trunks, interfaces NAT: addresses (translated address), services and service groups (port triggering) Example: You have to P6 (in the DMZ zone). You have an FTP server connected to set up the criteria, next-hops, and NAT settings first. ZyWALL USG 50 User's Guide 97
User Manual
Page 98
...> Zone and then the Add icon. 98 ZyWALL USG 50 User's Guide The ZyWALL uses zones, not interfaces, in the order that you are using for your custom policy route comes before any firewall rules, assign an IDP profile, or configure remote management for FTP traffic. A zone is... traffic can be assigned to at most one zone. MENU ITEM(S) Configuration > Network > Zone PREREQUISITES Interfaces, IPSec VPN, SSL VPN WHERE USED Firewall, IDP, remote management, anti-virus, ADP, application patrol Example: For example, to the ZyWALL. You may also want to the same zone as the interface on...
User Manual
Page 102
... when they can also use application patrol. Chapter 6 Configuration Basics 6.5.15 IPSec VPN Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for Bob (User/Group). 102 ZyWALL USG 50 User's Guide The ZyWALL also offers hub-and-spoke VPN. You can subscribe using it. 1 Create a user account...
User Manual
Page 118
Figure 67 VPN Example LAN LAN 118 1.2.3.4 192.168.1.0/24 2.2.2.2 172.16.1.0/24 ZyWALL USG 50 User's Guide Figure 66 Configuration > Network > Interface > Trunk 7.4 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.4 on page 76 for details on the VPN quick setup wizard. Chapter 7 Tutorials 3 Select the trunk as the default trunk and click Apply.
User Manual
Page 119
... subnet behind peer IPSec router Y (172.16.1.0/ 24). 7.4.1 Set Up the VPN Gateway The VPN gateway manages the IKE SA. You do not have to set up any certificates or extended authentication. 1 Click Configuration > VPN > IPSec VPN > VPN Gateway, and then click the Add icon. 2 Enable the VPN gateway and name it ("VPN_GW_EXAMPLE"). Figure 68 Configuration > VPN > IPSec VPN > VPN Gateway > Add ZyWALL USG 50 User's Guide...
User Manual
Page 378
...IPSec 378 ZyWALL USG 50 User's Guide If the ZyWALL is in server mode, you can select an Ethernet interface, virtual Ethernet interface, VLAN interface, or virtual VLAN interface to specify what address the ZyWALL uses as its IP address when it establishes the IKE SA. See Chapter 41 on page 118 for an example of configuring IPSec VPN.... 23.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other ...
User Manual
Page 386
...example, the mail server) in the numbered list, select it . Choices are checked and executed. Enter the original destination port or range of translated destination ports. Mapped Port Start / Mapped Port End These fields are available if the protocol is the sequence in the remote network. Chapter 23 IPSec VPN Table 113 Configuration > VPN > IPSec VPN > VPN... source address range (Source) must be equal to configure a new one). Select an entry and click Add to the main VPN screen. 386 ZyWALL USG 50 User's Guide Destination Select the address object that represents...
User Manual
Page 389
... 23 IPSec VPN Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Encryption Key This field is applicable when you must enter twice as many characters as listed above. DES - The ZyWALL still stores the longer key. type a unique key 20 characters long You can use hexadecimal, you select an Encryption Algorithm. For example...
User Manual
Page 390
... IPSec routers. ZyWALL USG 50 User's Guide Inactivate To turn on an entry, select it and click Edit to open a screen where you activate and deactivate each one. Secure Gateway This field displays the IP address(es) of the VPN gateway My address This field displays the interface or a domain name the ZyWALL uses for an example...
User Manual
Page 393
...Select Static Address to enter the domain name or the IP address of the ZyWALL. For example, "0x0123456789ABCDEF" is the IP address of the interface. The ZyWALL and remote IPSec router must use the same authentication method to the domain name. 0.0.0.0 is in...can provide a second IP address or domain name for the ZyWALL to have the ZyWALL and remote IPSec router use DDNS). ZyWALL USG 50 User's Guide 393 in "0123456789ABCDEF" is invalid. Chapter 23 IPSec VPN Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION My Address Select how...
User Manual
Page 398
...VPN tunnel (telecommuters sharing a tunnel for at least 15 seconds, the ZyWALL sends a message to the remote IPSec router. You also have to forward packets with UDP port 500 and UDP 4500 headers unchanged. Click OK to save your settings and exit this screen without saving. 398 ZyWALL USG 50... server. Chapter 23 IPSec VPN Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION NAT Traversal Select this check box if you can use the VPN connection connectivity check (see if you want the ZyWALL to make sure the remote IPSec router is there before...
User Manual
Page 402
... identity of the remote IPSec router. In contrast, in Table 117 on page 402, the ZyWALL and the remote IPSec router cannot authenticate each other router. The content is also possible to configure the ZyWALL to the other successfully. The ZyWALL and the remote IPSec router have their own ...refers to the ID type and content that you enter does not have to correspond to check 402 ZyWALL USG 50 User's Guide Table 117 VPN Example: Matching ID Type and Content ZYWALL REMOTE IPSEC ROUTER Local ID type: E-mail Local ID type: IP Local ID content: [email protected] Local ...
User Manual
Page 404
... the same VPN tunnel to connect to the IKE SA and IPSec SA packets. If you can set up NAT traversal. • Enable NAT traversal on page 405 for detailed information about active protocols.) If router A does not have an IPSec pass-thru feature. For example, this might...4-7 in aggressive mode). 404 ZyWALL USG 50 User's Guide If the user name or password is ESP. (See Active Protocol on the ZyWALL and remote IPSec router. • Configure the NAT router to verify the user name and password. You can set up the ZyWALL to establish a VPN tunnel, the authentication fails because...
User Manual
Page 408
... its local policy. ZyWALL USG 50 User's Guide Chapter 23 IPSec VPN NAT for Inbound and Outbound Traffic The ZyWALL can translate the following example is used if you want to forward packets (for example, mail) from the remote network to a specific computer (like the mail server) in the local network. If you have to configure this NAT, you...
User Manual
Page 409
...port range must be port 25 for a firewall. Chapter 23 IPSec VPN • Destination - the translated source address; the original source address; the local network (A). • SNAT - the translated source address; For example, in the remote network. You have to hide the original ...configure this kind of translation if you set up this NAT, you have to specify one or more rules when you want to the way it might be the same size. the translated destination port or range of these rules controls the translation when the condition is satisfied. • Mapped IP - ZyWALL USG 50...
User Manual
Page 627
... groups specified by AAA server objects. Configure authentication method objects to have the ZyWALL use it in the VPN Gateway screen to authenticate VPN users for an example of how to the chapter on VPN for a VPN connection. 1 Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. 2 Click Show Advance Setting and select Enable Extended Authentication. ZyWALL USG 50 User's Guide 627 By default...
User Manual
Page 767
... 23 on page 281. Check the configuration for both computers have NAT traversal enabled. • The ZyWALL and remote IPSec router must use the same authentication method to a computer at one of the IPSec routers. Make sure both ZyXEL IPSec routers and check the settings in the...ZyWALL and remote IPSec router (for example, by RIP and would take priority over the new VPN connection. • To test whether or not a tunnel is working, ping from the network before testing your new VPN connection. ZyWALL USG 50 User's Guide 767 Log into both the ZyWALL and remote IPSec...
User Manual
Page 925
...FTP 714 and HTTPS 690 and IKE SA 405 and SSH 709 and VPN gateways 378 and WWW 693 certification path 634, 644, 650 expired 634 factory...-default 635 file formats 635 fingerprints 645, 651 importing 638 in IPSec 394 not used for encryption 634 revoked 634 self-signed 634, 640 serial number...example 660 configuration file troubleshooting 772 configuration files 737 at restart 740 backing up 740 downloading 741 downloading with FTP 713 editing 737 how applied 738 lastgood.conf 740, 744 managing 740 not stopping or starting the ZyWALL...address groups 533, 534, 539 ZyWALL USG 50 User's Guide 925
User Manual
Page 943
...and firewall 338 and NAT 338 and policy routes 337, 338 see also ALG 336 VPN 375 active protocol 405 and NAT 403 and the firewall 360 basic troubleshooting 767 IKE SA, see IKE SA IPSec 375 IPSec SA proposal 400 security associations (SA) 376 see also IKE SA see also...43 access users 596 requirements 43 supported browsers 43 ZyWALL USG 50 User's Guide Index web features ActiveX 554 cookies 554 Java 554 web proxy servers 554 web proxy servers 332, 554 see also HTTP redirect web site ZyXEL 4 web-based SSL application 659 configuration example 660 create 662 weblink 660 webroot-directory-traversal ...