Chapter 18 IPSec VPN
NBG5715 User’s Guide
Current ZyXEL implementation assumes identical outgoing and incoming SPIs.
18.5.2.2 IPSec SA Using Manual Keys
You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly,
for example, for troubleshooting. You should only do this as a temporary solution, however,
because it is not as secure as a regular IPSec SA.
In IPSec SAs using manual keys, the NBG5715 and remote IPSec router do not establish an IKE SA.
They only establish an IPSec SA. As a result, an IPSec SA using manual keys has some
characteristics of IKE SA and some characteristics of IPSec SA. There are also some differences
between IPSec SA using manual keys and other types of SA.
18.5.2.3 IPSec SA Proposal Using Manual Keys
In IPSec SA using manual keys, you can only specify one encryption algorithm and one
authentication algorithm. There is no DH key exchange, so you have to provide the encryption key
and the authentication key the NBG5715 and remote IPSec router use.
Note: The NBG5715 and remote IPSec router must use the same encryption key and
authentication key.
18.5.3 Configuring Manual Key
You only configure VPN manual key when you select Manual in the IPSec Keying Mode field on
the IPSec VPN > General > Edit screen.
Figure 81 Security > IPSec VPN > General > Edit: Manual
The following table describes the labels in this screen.
Table 56 Security > IPSec VPN > General > Edit: Manual

LABEL    DESCRIPTION

Property
Property
    Select Enable to activate this VPN policy.

IPSec Keying Mode
    Select Manual from the drop-down list box. Manual is a useful option for troubleshooting if
    you have problems using IKE key management.

DNS Server (for IPSec VPN)
    If there is a private DNS server that services the VPN, type its IP address here. The NBG5715
    assigns this additional DNS server to the NBG5715's DHCP clients that have IP addresses in
    this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find
    other computers and servers on the VPN by their (private) domain names.
Local Policy
    Local IP addresses must be static and correspond to the remote IPSec router's configured
    remote IP addresses.
    Two active SAs can have the same configured local or remote IP address, but not both. You
    can configure multiple SAs between the same local and remote IP addresses, as long as only
    one is active at any time.
    In order to have more than one active rule with the Secure Gateway Address field set to
    0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
    If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the
    LAN’s full IP address range as the local IP address, then you cannot configure any other
    active rules with the Secure Gateway Address field set to 0.0.0.0.

Local Address
    For a single IP address, enter a (static) IP address on the LAN behind your NBG5715.
    For a specific range of IP addresses, enter the beginning (static) IP address of a range of
    computers on your LAN behind your NBG5715.
    To specify IP addresses on a network by their subnet mask, enter a (static) IP address on
    the LAN behind your NBG5715.

Local Address End / Mask
    When the local IP address is a single address, type it a second time here.
    When the local IP address is a range, enter the end (static) IP address of the range of
    computers on the LAN behind your NBG5715.
    When the local IP address is a subnet address, enter a subnet mask on the LAN behind your
    NBG5715.

Remote Policy
    Remote IP addresses must be static and correspond to the remote IPSec router's configured
    local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field
    is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
    Two active SAs cannot have the local and remote IP address(es) both the same. Two active
    SAs can have the same local or remote IP address, but not both. You can configure multiple
    SAs between the same local and remote IP addresses, as long as only one is active at any
    time.

Remote Address Start
    For a single IP address, enter a (static) IP address on the network behind the remote IPSec
    router.
    For a specific range of IP addresses, enter the beginning (static) IP address of a range of
    computers on the network behind the remote IPSec router.
    To specify IP addresses on a network by their subnet mask, enter a (static) IP address on
    the network behind the remote IPSec router.

Remote Address End / Mask
    When the remote IP address is a single address, type it a second time here.
    When the remote IP address is a range, enter the end (static) IP address of the range of
    computers on the network behind the remote IPSec router.
    When the remote IP address is a subnet address, enter a subnet mask on the network behind
    the remote IPSec router.
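The Local Policy and Remote Policy rows state three constraints that are easy to violate when several rules are active: two active SAs may share the local or the remote addresses but not both, rules whose Secure Gateway Address is 0.0.0.0 may not have overlapping local address ranges, and a single 0.0.0.0 rule covering the whole LAN therefore excludes every other 0.0.0.0 rule. The Python script below is an added example (not part of this guide and not ZyXEL's code) that turns the Local/Remote Address and End/Mask fields into address ranges and reports those violations before the policy is applied. The VpnRule class, the local_kind/remote_kind fields (standing in for the screen's single/range/subnet address-type selection, which the text does not show) and the sample rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed model of one rule on the Security > IPSec VPN > General > Edit screen.
# Field names mirror the table labels; "kind" is an assumed helper field for the
# single / range / subnet choice the screen makes for each address pair.
@dataclass
class VpnRule:
    name: str
    active: bool
    secure_gateway: str         # Secure Gateway Address; 0.0.0.0 means the remote side initiates
    local_kind: str             # "single" | "range" | "subnet"
    local_start: str            # Local Address
    local_end_or_mask: str      # Local Address End / Mask
    remote_kind: str
    remote_start: str           # Remote Address Start
    remote_end_or_mask: str     # Remote Address End / Mask

Bounds = Tuple[int, int]        # inclusive (first, last) address as integers

def address_bounds(kind: str, start: str, end_or_mask: str) -> Bounds:
    """Turn the two address fields into an inclusive integer range."""
    lo = int(ipaddress.IPv4Address(start))
    if kind == "single":
        # The guide says to type a single address a second time in End / Mask.
        if end_or_mask != start:
            raise ValueError(f"single address must be repeated: {start} != {end_or_mask}")
        return lo, lo
    if kind == "range":
        hi = int(ipaddress.IPv4Address(end_or_mask))
        if hi < lo:
            raise ValueError(f"range end {end_or_mask} precedes start {start}")
        return lo, hi
    if kind == "subnet":
        # Address plus dotted mask; strict=False tolerates a host address in the field.
        net = ipaddress.IPv4Network(f"{start}/{end_or_mask}", strict=False)
        return int(net.network_address), int(net.broadcast_address)
    raise ValueError(f"unknown address kind {kind!r}")

def overlaps(a: Bounds, b: Bounds) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]

def check_rules(rules: List[VpnRule]) -> List[str]:
    """Return one message per violation of the table's active-rule constraints."""
    problems: List[str] = []
    active = [r for r in rules if r.active]   # inactive rules never conflict
    bounds: Dict[str, Tuple[Bounds, Bounds]] = {
        r.name: (address_bounds(r.local_kind, r.local_start, r.local_end_or_mask),
                 address_bounds(r.remote_kind, r.remote_start, r.remote_end_or_mask))
        for r in active
    }
    for a, b in combinations(active, 2):
        la, ra = bounds[a.name]
        lb, rb = bounds[b.name]
        # Two active SAs may share the local *or* the remote addresses, not both.
        if la == lb and ra == rb:
            problems.append(f"{a.name}/{b.name}: identical local and remote addresses")
        # With Secure Gateway Address 0.0.0.0 the local ranges must not overlap.
        if a.secure_gateway == "0.0.0.0" and b.secure_gateway == "0.0.0.0" and overlaps(la, lb):
            problems.append(f"{a.name}/{b.name}: overlapping local addresses with gateway 0.0.0.0")
    return problems

# Constructed sample rules using documentation address space, not a real deployment.
SAMPLE_RULES = [
    VpnRule("branch-a", True, "203.0.113.10", "subnet", "192.168.1.0", "255.255.255.0",
            "subnet", "10.0.0.0", "255.255.255.0"),
    VpnRule("branch-a-dup", True, "203.0.113.11", "subnet", "192.168.1.0", "255.255.255.0",
            "subnet", "10.0.0.0", "255.255.255.0"),
    VpnRule("roaming-1", True, "0.0.0.0", "range", "192.168.1.10", "192.168.1.20",
            "single", "10.0.1.1", "10.0.1.1"),
    VpnRule("roaming-2", True, "0.0.0.0", "single", "192.168.1.15", "192.168.1.15",
            "single", "10.0.1.2", "10.0.1.2"),
    # Same endpoints as branch-a, but inactive: allowed as long as only one is active.
    VpnRule("branch-a-standby", False, "203.0.113.10", "subnet", "192.168.1.0", "255.255.255.0",
            "subnet", "10.0.0.0", "255.255.255.0"),
]

if __name__ == "__main__":
    for line in check_rules(SAMPLE_RULES):
        print(line)
```

Run against the sample, the checker flags branch-a/branch-a-dup (same local and remote addresses, both active) and roaming-1/roaming-2 (both with Secure Gateway Address 0.0.0.0 and overlapping local ranges); the standby copy is ignored because it is inactive. The "full LAN range" case from the table needs no special rule: a 0.0.0.0 rule whose local range is the whole subnet overlaps every other 0.0.0.0 rule and is reported the same way.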
Authentication Method
My IP Address
    Enter the NBG5715's static WAN IP address (if it has one) or leave the field set to 0.0.0.0.
    The NBG5715 uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel
    if you leave this field as 0.0.0.0. If the WAN connection goes down, the NBG5715 uses the
    dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when
    using traffic redirect.
    Otherwise, you can enter one of the dynamic domain names that you have configured (in the
    DDNS screen) to have the NBG5715 use that dynamic domain name's IP address.
    The VPN tunnel has to be rebuilt if My IP Address changes after setup.

Secure Gateway Address
    Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with
    which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router
    has a dynamic WAN IP address (the IPSec Keying Mode field must be set to IKE).
    In order to have more than one active rule with the Secure Gateway Address field set to
    0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
    If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the
    LAN’s full IP address range as the local IP address, then you cannot configure any other
    active rules with the Secure Gateway Address field set to 0.0.0.0.
    You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field
    if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The NBG5715 has
    to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there
    may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP
    address).

IPSec Algorithm

SPI
    Type a unique SPI (Security Parameter Index) from one to four characters long. Valid
    characters are the digits 0 through 9.

Encryption Algorithm
    Select which key size and encryption algorithm to use in the IKE SA. Choices are:
    DES - a 56-bit key with the DES encryption algorithm
    3DES - a 168-bit key with the DES encryption algorithm
    The NBG5715 and the remote IPSec router must use the same algorithms and keys. Longer keys
    require more processing power, resulting in increased latency and decreased throughput.

Encryption Key
    This field is applicable when you select ESP in the IPSec Protocol field above.
    With DES, type a unique key 8 characters long. With 3DES, type a unique key 24 characters
    long. Any characters may be used, including spaces, but trailing spaces are truncated.

Authentication Algorithm
    Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are
    SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

Authentication Key
    Type a unique authentication key to be used by IPSec if applicable. Enter 16 characters for
    MD5 authentication or characters for SHA-1 authentication. Any characters may be used,
    including spaces, but trailing spaces are truncated.

Encapsulation Mode
    Select Tunnel mode or Transport mode from the drop-down list box.
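The SPI, Encryption Key and Authentication Key rows each carry a format rule (one to four digits; 8 or 24 characters for DES or 3DES; 16 characters for MD5), the guide notes that trailing spaces are silently truncated, and both routers must end up with the same algorithms, keys and (since the implementation uses identical outgoing and incoming SPIs) the same SPI. The Python script below is an added example, not part of the guide or ZyXEL's firmware, that checks one side's manual-key fields against those rules and then compares the two ends after truncation, which is where a key typed with trailing spaces quietly becomes a shorter key. The ManualKeySa class and sample values are constructed; the SHA-1 key length is not enforced because this page does not state one.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the IPSec Algorithm rows on the Edit: Manual screen.
# Field names follow the table labels; this is not the device's own code.
@dataclass
class ManualKeySa:
    spi: str                        # SPI: one to four digits
    protocol: str                   # IPSec Protocol: "ESP" or "AH"
    encryption_alg: Optional[str]   # Encryption Algorithm: "DES" or "3DES" (ESP only)
    encryption_key: Optional[str]   # Encryption Key (ESP only)
    auth_alg: str                   # Authentication Algorithm: "SHA1" or "MD5"
    auth_key: str                   # Authentication Key
    encapsulation: str              # Encapsulation Mode: "Tunnel" or "Transport"

ENC_KEY_LEN = {"DES": 8, "3DES": 24}   # character counts from the Encryption Key row
AUTH_KEY_LEN = {"MD5": 16}             # the SHA-1 count is missing on this page, so only MD5 is enforced
DIGITS = set("0123456789")

def effective_key(key: Optional[str]) -> str:
    """The guide says trailing spaces are truncated; this is what the router keeps."""
    return (key or "").rstrip(" ")

def check_sa(sa: ManualKeySa) -> List[str]:
    """One message per field that violates the table's stated rules."""
    problems: List[str] = []
    if not 1 <= len(sa.spi) <= 4 or not set(sa.spi) <= DIGITS:
        problems.append(f"SPI {sa.spi!r}: must be one to four characters from 0-9")
    if sa.protocol == "ESP":
        # ESP needs an encryption algorithm; the key length depends on which one.
        want = ENC_KEY_LEN.get(sa.encryption_alg or "")
        if want is None:
            problems.append("ESP requires Encryption Algorithm DES or 3DES")
        else:
            got = len(effective_key(sa.encryption_key))
            if got != want:
                problems.append(f"{sa.encryption_alg} key is {got} characters after "
                                f"trailing-space truncation, needs {want}")
    elif sa.protocol == "AH":
        if sa.encryption_key:
            problems.append("Encryption Key only applies when IPSec Protocol is ESP")
    else:
        problems.append(f"IPSec Protocol {sa.protocol!r}: must be ESP or AH")
    if sa.auth_alg not in ("SHA1", "MD5"):
        problems.append(f"Authentication Algorithm {sa.auth_alg!r}: must be SHA1 or MD5")
    want_auth = AUTH_KEY_LEN.get(sa.auth_alg)
    got_auth = len(effective_key(sa.auth_key))
    if want_auth is not None and got_auth != want_auth:
        problems.append(f"{sa.auth_alg} key is {got_auth} characters, needs {want_auth}")
    if sa.encapsulation not in ("Tunnel", "Transport"):
        problems.append(f"Encapsulation Mode {sa.encapsulation!r}: must be Tunnel or Transport")
    return problems

def check_pair(local: ManualKeySa, remote: ManualKeySa) -> List[str]:
    """Both routers must use the same algorithms and keys; because outgoing and
    incoming SPIs are identical in this implementation, the SPI must match too."""
    problems = [f"local: {p}" for p in check_sa(local)]
    problems += [f"remote: {p}" for p in check_sa(remote)]
    for field in ("spi", "protocol", "encryption_alg", "auth_alg", "encapsulation"):
        if getattr(local, field) != getattr(remote, field):
            problems.append(f"{field} differs between the two routers")
    for field in ("encryption_key", "auth_key"):
        # Compare what each router actually keeps, i.e. after trailing spaces are dropped.
        if effective_key(getattr(local, field)) != effective_key(getattr(remote, field)):
            problems.append(f"{field} differs between the two routers")
    return problems

# Constructed sample values; placeholders, not real key material.
LOCAL = ManualKeySa("1001", "ESP", "3DES", "abcdefghijklmnopqrstuvwx",
                    "MD5", "0123456789abcdef", "Tunnel")
# Same key with two trailing spaces: truncation makes it identical to LOCAL.
REMOTE_PADDED = ManualKeySa("1001", "ESP", "3DES", "abcdefghijklmnopqrstuvwx  ",
                            "MD5", "0123456789abcdef", "Tunnel")
# 23 letters plus a space the operator meant as the 24th character: truncated to 23.
REMOTE_SHORT = ManualKeySa("1001", "ESP", "3DES", "abcdefghijklmnopqrstuvw ",
                           "MD5", "0123456789abcdef", "Tunnel")

if __name__ == "__main__":
    print("padded remote:", check_pair(LOCAL, REMOTE_PADDED) or "no problems")
    print("short remote:", check_pair(LOCAL, REMOTE_SHORT))
```

The REMOTE_SHORT case is the one the truncation note is warning about: the key looks 24 characters long on screen, but the router keeps 23, so the length check fails and the two ends no longer agree, which shows up as a tunnel that never comes up rather than as a clear error.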
Table 56 Security > IPSec VPN > General > Edit: Manual (continued)

LABEL    DESCRIPTION

IPSec Protocol
    Select the security protocols used for an SA. Both AH and ESP increase processing
    requirements and communications latency (delay).
    If you select ESP here, you must select options from the Encryption Algorithm and
    Authentication Algorithm fields (described below).

Back
    Click Back to return to the previous screen.

Apply
    Click Apply to save your changes back to the NBG5715.

Cancel
    Click Cancel to restore your previous settings.

18.6 The SA Monitor Screen
In the Web Configurator, click Security > IPSec VPN > SA Monitor. Use this screen to display
and manage active VPN connections.
A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This
screen displays active VPN connections. Use Refresh to display active VPN connections.
Figure 82 Security > IPSec VPN > SA Monitor
The following table describes the labels in this screen.
Table 57 Security > VPN > SA Monitor

LABEL    DESCRIPTION

Status
    This field displays whether the VPN connection is up (yellow bulb) or down (gray bulb).

Connection Name
    This field displays the identification name for this VPN policy.

Remote Gateway
    This is the static WAN IP address or URL of the remote IPSec router.

Local Address
    This is the IP address of computer(s) on your local network behind your NBG5715.

Remote Address
    This is the IP address of computer(s) on the remote network behind the remote IPSec router.

Refresh
    Click Refresh to display the current active VPN connection(s).

18.7 Technical Reference
This section provides some technical background information about the topics covered in this
chapter.
