Chapter 18 IPSec VPN
NBG5715 User’s Guide
126
The following table describes the labels in this screen.
Table 55  Security > IPSec VPN > General > Edit: IKE

LABEL / DESCRIPTION

Property
  Select Enable to activate this VPN policy.

Keep Alive
  Select this check box to have the NBG5715 automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.

NAT Traversal
  Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled.
  You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind the NAT router.

IPSec Keying Mode
  Select IKE from the drop-down list box. IKE provides more protection so it is generally recommended.

DNS Server (for IPSec VPN)
  If there is a private DNS server that services the VPN, type its IP address here. The NBG5715 assigns this additional DNS server to the NBG5715's DHCP clients that have IP addresses in this IPSec rule's range of local addresses.
  A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.

Local Policy
  Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses.
  Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
  In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
  If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.

Local Address
  For a single IP address, enter a (static) IP address on the LAN behind your NBG5715.
  For a specific range of IP addresses, enter the beginning (static) IP address, in a range of computers on your LAN behind your NBG5715.
  To specify IP addresses on a network by their subnet mask, enter a (static) IP address on the LAN behind your NBG5715.

Local Address End /Mask
  When the local IP address is a single address, type it a second time here.
  When the local IP address is a range, enter the end (static) IP address, in a range of computers on the LAN behind your NBG5715.
  When the local IP address is a subnet address, enter a subnet mask on the LAN behind your NBG5715.
Remote Policy
  Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
  Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.

Remote Address Start
  For a single IP address, enter a (static) IP address on the network behind the remote IPSec router.
  For a specific range of IP addresses, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router.
  To specify IP addresses on a network by their subnet mask, enter a (static) IP address on the network behind the remote IPSec router.

Remote Address End /Mask
  When the remote IP address is a single address, type it a second time here.
  When the remote IP address is a range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
  When the remote IP address is a subnet address, enter a subnet mask on the network behind the remote IPSec router.

Authentication Method

My IP Address
  Enter the NBG5715's static WAN IP address (if it has one) or leave the field set to 0.0.0.0.
  The NBG5715 uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the NBG5715 uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect.
  Otherwise, you can enter one of the dynamic domain names that you have configured (in the DDNS screen) to have the NBG5715 use that dynamic domain name's IP address.
  The VPN tunnel has to be rebuilt if My IP Address changes after setup.

Local ID Type
  Select IP to identify this NBG5715 by its IP address.
  Select Domain Name to identify this NBG5715 by a domain name.
  Select E-mail to identify this NBG5715 by an e-mail address.
Local Content
  When you select IP in the Local ID Type field, type the IP address of your computer in the Local Content field. The NBG5715 automatically uses the IP address in the My IP Address field (refer to the My IP Address field description) if you configure the Local Content field to 0.0.0.0 or leave it blank.
  It is recommended that you type an IP address other than 0.0.0.0 in the Local Content field or use the Domain Name or E-mail ID type in the following situations:
  - When there is a NAT router between the two IPSec routers.
  - When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses.
  When you select Domain Name or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this NBG5715 in the Local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.

Secure Gateway Address
  Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode field must be set to IKE).
  In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
  If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
  You can also enter a remote secure gateway's domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The NBG5715 has to rebuild the VPN tunnel each time the remote secure gateway's WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway's new WAN IP address).

Peer ID Type
  Select IP to identify the remote IPSec router by its IP address.
  Select Domain Name to identify the remote IPSec router by a domain name.
  Select E-mail to identify the remote IPSec router by an e-mail address.
Peer Content
  The configuration of the peer content depends on the peer ID type.
  For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the NBG5715 will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description).
  For Domain Name or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
  It is recommended that you type an IP address other than 0.0.0.0 or use the Domain Name or E-mail ID type in the following situations:
  - When there is a NAT router between the two IPSec routers.
  - When you want the NBG5715 to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses.

IPSec Algorithm

Phase 1

Pre-Shared Key
  Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
  Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself.
  Both ends of the VPN tunnel must use the same pre-shared key. You will receive a "PYLD_MALFORMED" (payload malformed) packet if the same pre-shared key is not used on both ends.

Mode
  Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.

Encryption Algorithm
  Select which key size and encryption algorithm to use for data communications. Choices are:
  - DES - a 56-bit key with the DES encryption algorithm
  - 3DES - a 168-bit key with the DES encryption algorithm
  The NBG5715 and the remote IPSec router must use the same algorithms and key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm
  Select which hash algorithm to use to authenticate packet data. Choices are SHA1 and MD5.
  SHA1 is generally considered stronger than MD5, but it is also slower.

SA Life Time
  Define the length of time before an IKE or IPSec SA automatically renegotiates in this field. It may range from 1 to 2,000,000,000 seconds.
  A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Key Group
  You must choose a key group for phase 1 IKE setup. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.

Phase 2

Encapsulation Mode
  Select Tunnel mode or Transport mode from the drop-down list box.

IPSec Protocol
  Select the security protocols used for an SA. Both AH and ESP increase processing requirements and communications latency (delay).
  If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below).

Encryption Algorithm
  Select which key size and encryption algorithm to use for data communications. Choices are:
  - DES - a 56-bit key with the DES encryption algorithm
  - 3DES - a 168-bit key with the DES encryption algorithm
  The NBG5715 and the remote IPSec router must use the same algorithms and key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm
  Select which hash algorithm to use to authenticate packet data. Choices are SHA1 and MD5.
  SHA1 is generally considered stronger than MD5, but it is also slower.

SA Life Time
  Define the length of time before an IKE or IPSec SA automatically renegotiates in this field. It may range from 1 to 2,000,000,000 seconds.
  A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Key Group
  You must choose a key group for phase 1 IKE setup. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.

Back
  Click Back to return to the previous screen.

Apply
  Click Apply to save your changes back to the NBG5715.

Cancel
  Click Cancel to restore your previous settings.

18.5.2  Manual Key Setup

Manual key management is useful if you have problems with IKE key management.

18.5.2.1  Security Parameter Index (SPI)

An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The SPI (Security Parameter Index) along with a destination IP address uniquely identify a particular Security Association (SA). The SPI is transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then uses the network, encryption and key values that the administrator associated with the SPI to establish the tunnel.
