NBG5715 User’s Guide
Chapter 18 IPSec VPN

18.1 Overview
A virtual private network (VPN) provides secure communications between sites without the expense
of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication,
access control and auditing. It is used to transport traffic over the Internet or any insecure network
that uses TCP/IP for communication.
Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure
data communications across a public network like the Internet. IPSec is built around a number of
standardized cryptographic techniques to provide confidentiality, data integrity and authentication
at the IP layer.
The following figure provides one perspective of a VPN tunnel.
Figure 76 IPSec VPN: Overview
The VPN tunnel connects the NBG5715 (X) and the remote IPSec router (Y). These routers then connect the local network (A) and remote network (B).
18.2 What You Can Do in this Chapter
Use the General screen to display and manage the NBG5715's VPN rules (tunnels) (Section 18.4 on page 123).
Use the SA Monitor screen to display and manage active VPN connections (Section 18.6 on page 135).
18.3 What You Need To Know
A VPN tunnel is usually established in two phases. Each phase establishes a security association
(SA), a contract indicating what security parameters the NBG5715 and the remote IPSec router will
use.
The first phase establishes an Internet Key Exchange (IKE) SA between the NBG5715 and remote
IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which
the NBG5715 and remote IPSec router can send data between computers on the local network and
remote network. The following figure illustrates this.
Figure 77 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X and Y established first.
18.3.1 IKE SA (IKE Phase 1) Overview
The IKE SA provides a secure connection between the NBG5715 and remote IPSec router.
It takes several steps to establish an IKE SA. The negotiation mode determines the number of steps to use. There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
Both routers must use the same negotiation mode.
These modes are discussed in more detail in Section 18.7.4 on page 138. Main mode is used in various examples in the rest of this section.
IP Addresses of the NBG5715 and Remote IPSec Router
In the NBG5715, you have to specify the IP addresses of the NBG5715 and the remote IPSec router
to establish an IKE SA.
You can usually provide a static IP address or a domain name for the NBG5715. Sometimes, your
NBG5715 might also offer another alternative, such as using the IP address of a port or interface.
You can usually provide a static IP address or a domain name for the remote IPSec router as well.
Sometimes, you might not know the IP address of the remote IPSec router (for example,
telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router can
initiate an IKE SA.
18.3.2 IPSec SA (IKE Phase 2) Overview
Once the NBG5715 and remote IPSec router have established the IKE SA, they can securely
negotiate an IPSec SA through which to send data between computers on the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore.
Local Network and Remote Network
In an IPSec SA, the local network consists of devices connected to the NBG5715 and may be called
the local policy. Similarly, the remote network consists of the devices connected to the remote
IPSec router and may be called the remote policy.
Note: It is not recommended to set a VPN rule’s local and remote network settings both
to 0.0.0.0 (any). This causes the NBG5715 to try to forward all access attempts (to
the local network, the Internet or even the NBG5715) to the remote IPSec router.
In this case, you can no longer manage the NBG5715.
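The constraints stated in Section 18.3.1 (both routers must use the same negotiation mode), in the note above (local and remote policies both set to 0.0.0.0 lock you out of the router) and in the remark that a remote router with an unknown address can only act as initiator lend themselves to an automated check. The following linter is an added example, not code from the NBG5715 User's Guide or from ZyXEL. The rule fields, the router and network addresses, and the peer names are constructed assumptions for illustration; the `tunnels` helper only models selector matching (source in local policy, destination in remote policy), which is enough to show why the any/any rule captures management traffic. The `elif` branch generalises the note slightly: it also flags a narrower remote policy that happens to cover the router's own LAN address.

```python
# Added example (not from the NBG5715 User's Guide): a linter for IPSec VPN
# rules as this chapter describes them.  Field names, sample networks and
# addresses are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List

ANY = IPv4Network("0.0.0.0/0")  # the guide's "0.0.0.0 (any)" policy


@dataclass
class VpnRule:
    name: str
    negotiation_mode: str       # IKE phase 1: "main" or "aggressive"
    secure_gateway: str         # remote IPSec router WAN address; "0.0.0.0" = unknown
    local_policy: IPv4Network   # devices behind this router (local network)
    remote_policy: IPv4Network  # devices behind the remote IPSec router


def lint_rule(rule: VpnRule, router_lan_ip: IPv4Address) -> List[str]:
    """Warnings for one rule; an empty list means nothing to report."""
    findings: List[str] = []
    if rule.local_policy == ANY and rule.remote_policy == ANY:
        findings.append(
            f"{rule.name}: local and remote policies are both 0.0.0.0 (any); every "
            "packet, including management access to the router itself, would be "
            "forwarded to the remote IPSec router and you could lose access")
    elif router_lan_ip in rule.remote_policy:
        # Generalisation of the same lockout: the remote policy covers the router.
        findings.append(
            f"{rule.name}: remote policy {rule.remote_policy} covers the router's own "
            f"LAN address {router_lan_ip}; management traffic would be tunnelled")
    if rule.secure_gateway == "0.0.0.0":
        findings.append(
            f"{rule.name}: secure gateway is 0.0.0.0, so only the remote IPSec router "
            "can initiate the IKE SA (this router is responder-only)")
    if rule.negotiation_mode not in ("main", "aggressive"):
        findings.append(f"{rule.name}: unknown negotiation mode {rule.negotiation_mode!r}")
    return findings


def tunnels(rule: VpnRule, src: IPv4Address, dst: IPv4Address) -> bool:
    """True when a packet src -> dst matches the rule's selectors and enters the tunnel."""
    return src in rule.local_policy and dst in rule.remote_policy


def check_peer_compat(local: VpnRule, remote: VpnRule) -> List[str]:
    """Settings the two IPSec routers must agree on before phase 1 can complete."""
    problems: List[str] = []
    if local.negotiation_mode != remote.negotiation_mode:
        problems.append(
            f"negotiation mode mismatch: {local.negotiation_mode} vs {remote.negotiation_mode}")
    if (local.local_policy != remote.remote_policy
            or local.remote_policy != remote.local_policy):
        problems.append("policies are not mirrored: my local network must be the peer's remote network")
    return problems


# Constructed sample topology: router X in front of network A, router Y in front of network B.
ROUTER_X_LAN_IP = IPv4Address("192.168.1.1")
SAMPLE_HOST_A = IPv4Address("192.168.1.50")
SAMPLE_HOST_B = IPv4Address("10.0.2.5")
NETWORK_A = IPv4Network("192.168.1.0/24")
NETWORK_B = IPv4Network("10.0.2.0/24")
RULE_X = VpnRule("X->Y", "main", "203.0.113.2", NETWORK_A, NETWORK_B)
RULE_Y = VpnRule("Y->X", "main", "203.0.113.1", NETWORK_B, NETWORK_A)
RULE_Y_AGGRESSIVE = VpnRule("Y->X", "aggressive", "203.0.113.1", NETWORK_B, NETWORK_A)
RULE_ANY = VpnRule("any-any", "main", "203.0.113.2", ANY, ANY)
RULE_TELECOMMUTER = VpnRule("telecommuter", "main", "0.0.0.0", NETWORK_A, IPv4Network("10.9.9.0/24"))

if __name__ == "__main__":
    for rule in (RULE_X, RULE_ANY, RULE_TELECOMMUTER):
        for finding in lint_rule(rule, ROUTER_X_LAN_IP) or [f"{rule.name}: ok"]:
            print(finding)
    print("any-any tunnels management traffic:", tunnels(RULE_ANY, SAMPLE_HOST_A, ROUTER_X_LAN_IP))
    print("X<->Y compatible:", check_peer_compat(RULE_X, RULE_Y) == [])
    print("X<->Y (aggressive) problems:", check_peer_compat(RULE_X, RULE_Y_AGGRESSIVE))
```

Running the script reports the any/any rule and the responder-only telecommuter rule, shows that a packet from a LAN host to the router's own LAN address matches the any/any rule but not the properly scoped one, and flags the negotiation-mode mismatch between X and an aggressive-mode Y.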
18.4 The General Screen
The following figure helps explain the main fields in the web configurator.
Figure 78 IPSec Fields Summary
Local and remote IP addresses must be static.
Click Security > IPSec VPN to display the Summary screen. This is a read-only menu of your VPN rules (tunnels). Edit a VPN rule by clicking the Edit icon.
(Figure 78 labels: Local Network, Local IP Address, VPN Tunnel, Remote IP Address, Remote Network, Remote IPSec Router)
Figure 79 Security > IPSec VPN > General
The following table describes the fields in this screen.

Table 54 Security > IPSec VPN > General
#: This is the VPN policy index number.
Status: This field displays whether the VPN policy is active or not. This icon is turned on when the rule is enabled.
Local Addr.: This displays the beginning and ending (static) IP addresses or a (static) IP address and a subnet mask of computer(s) on your local network behind your NBG5715.
Remote Addr.: This displays the beginning and ending (static) IP addresses or a (static) IP address and a subnet mask of computer(s) on the remote network behind the remote IPSec router. This field displays 0.0.0.0 when the Secure Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
Encap.: This field displays Tunnel or Transport mode (Tunnel is the default selection).
Algorithm: This field displays the security protocol, encryption algorithm and authentication algorithm used for an SA.
Gateway: This is the static WAN IP address or URL of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the Rule Setup screen to 0.0.0.0.
Modify: Click the Edit icon to go to the screen where you can edit the VPN rule. Click the Remove icon to remove an existing VPN rule.
Allow Through IPSec Tunnel: Select this check box to send NetBIOS packets through the VPN connection.
Apply: Click Apply to save your changes back to the NBG5715.
Cancel: Click Cancel to begin configuring this screen afresh.

18.5 Edit VPN Rule
Click on a policy's Edit icon in the IPSec VPN > General screen to edit the VPN policy.
Note: The NBG5715 uses the system default gateway interface's WAN IP address as its WAN IP address to set up a VPN tunnel.
18.5.1 IKE Key Setup
IKE provides more protection so it is generally recommended. You only configure VPN manual key when you select IKE in the IPSec Keying Mode field on the IPSec VPN > General > Edit screen.
Figure 80 Security > IPSec VPN > General > Edit: IKE