P-2602H(W)(L)-DxA Series User’s Guide

Chapter 17 VPN Screens

This chapter introduces the VPN screens. See Chapter 24 on page 295 for information on viewing logs and the appendix for IPSec log descriptions.
17.1 VPN/IPSec Overview

Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.

17.2 IPSec Algorithms

The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.

17.2.1 AH (Authentication Header) Protocol

The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which ESP was designed. In applications where confidentiality is not required or not sanctioned by government encryption restrictions, AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of the originator.

17.2.2 ESP (Encapsulating Security Payload) Protocol

The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH. ESP’s authenticating properties are limited compared to AH because the IP header is not included in the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.

An added feature of ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
17.3 My IP Address

My IP Address is the WAN IP address of the ZyXEL Device. The ZyXEL Device has to rebuild the VPN tunnel if the My IP Address changes after setup.

The following applies if this field is configured as 0.0.0.0:

- The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel.
- If the WAN connection goes down, the ZyXEL Device uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See Chapter 7 on page 93 for details on dial backup and traffic redirect.

Table 80 AH and ESP

ENCRYPTION
  ESP
    DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
    3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
    AES: Advanced Encryption Standard is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.
    NULL: Select NULL to set up a phase 2 tunnel without encryption.
  AH
    MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
    SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.

AUTHENTICATION
  ESP
    MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
    SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
    Select MD5 for minimal security and SHA1 for maximum security.
  AH
    MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
    SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
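The coverage difference between AH and ESP authentication described in Section 17.2, and the 128-bit and 160-bit digest sizes listed in Table 80, as an added Python example that is not from the ZyXEL guide. The packet bytes and key are constructed; real IPsec also zeroes mutable IP header fields and truncates the HMAC, which this simplified model skips.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the guide: a 20-byte IPv4 header
# (source 192.168.1.1, destination 10.0.0.1), an 8-byte ESP header (SPI and
# sequence number), a short upper-layer payload and a shared authentication key.
IP_HEADER = bytes.fromhex("45000054000040004006" "0000" "c0a80101" "0a000001")
ESP_HEADER = bytes.fromhex("00001234" "00000001")
PAYLOAD = b"upper-layer protocol data"
KEY = b"constructed-example-authentication-key"

# Hash function behind each authentication choice in Table 80.
HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}

def icv(alg, key, data):
    """Integrity check value: HMAC using the selected authentication algorithm."""
    return hmac.new(key, data, HASHES[alg]).digest()

def ah_icv(alg, key, ip_header, payload):
    """AH authenticates the IP header together with the payload (real IPsec zeroes
    mutable header fields such as TTL and checksum first; skipped in this model)."""
    return icv(alg, key, ip_header + payload)

def esp_icv(alg, key, esp_header, payload):
    """ESP authenticates only its own header and the encapsulated payload; the
    outer IP header is not covered, which is the limitation Section 17.2.2 names."""
    return icv(alg, key, esp_header + payload)

def receiver_accepts(proto, alg, icv_from_sender, ip_header_seen, esp_header, payload):
    """Receiver recomputes the ICV over the packet as received and compares it in
    constant time; a mismatch means authenticated bytes were altered in transit."""
    if proto == "AH":
        expected = ah_icv(alg, KEY, ip_header_seen, payload)
    elif proto == "ESP":
        expected = esp_icv(alg, KEY, esp_header, payload)
    else:
        raise ValueError("unknown IPSec protocol: %s" % proto)
    return hmac.compare_digest(expected, icv_from_sender)

def ip_header_change_detected(proto, alg="SHA1"):
    """True if the receiver rejects a packet whose IP source address was rewritten
    after the sender computed the ICV: AH detects this, ESP cannot."""
    sent = (ah_icv(alg, KEY, IP_HEADER, PAYLOAD) if proto == "AH"
            else esp_icv(alg, KEY, ESP_HEADER, PAYLOAD))
    rewritten = IP_HEADER[:12] + bytes.fromhex("c0a80199") + IP_HEADER[16:]
    return not receiver_accepts(proto, alg, sent, rewritten, ESP_HEADER, PAYLOAD)

def digest_bits(alg):
    """Digest length the algorithm produces: 128 for MD5, 160 for SHA1 (Table 80)."""
    return len(icv(alg, KEY, PAYLOAD)) * 8
```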
17.4 Secure Gateway Address

Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway).

If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one) in the Secure Gateway Address field.

You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyXEL Device has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).

17.4.1 Dynamic Secure Gateway Address

If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway’s address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network (see Section 17.18 on page 244 for configuration examples).

The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.

17.5 VPN Setup Screen

The following figure helps explain the main fields in the web configurator.

Figure 120 IPSec Summary Fields

Local and remote IP addresses must be static.

Click Security and VPN to open the VPN Setup screen. This is a read-only summary of your IPSec rules (tunnels). Edit a VPN by selecting an index number and then configuring its associated submenus.
Figure 121 VPN Setup

The following table describes the fields in this screen.

Table 81 VPN Setup

No.
    This is the VPN policy index number. Click a number to edit VPN policies.

Active
    This field displays whether the VPN policy is active or not. A Yes signifies that this VPN policy is active. No signifies that this VPN policy is not active.

Name
    This field displays the identification name for this VPN policy.

Local Address
    This is the IP address(es) of computer(s) on your local network behind your ZyXEL Device.
    The same (static) IP address is displayed twice when the Local Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Single.
    The beginning and ending (static) IP addresses of a range of computers are displayed when the Local Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Range.
    A (static) IP address and a subnet mask are displayed when the Local Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Subnet.

Remote Address
    This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router.
    This field displays N/A when the Secure Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
    The same (static) IP address is displayed twice when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Single.
    The beginning and ending (static) IP addresses of a range of computers are displayed when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Range.
    A (static) IP address and a subnet mask are displayed when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Subnet.

Encap.
    This field displays Tunnel or Transport mode (Tunnel is the default selection).

IPSec Algorithm
    This field displays the security protocols used for an SA. Both AH and ESP increase ZyXEL Device processing requirements and communications latency (delay).

Secure Gateway IP
    This is the static WAN IP address or URL of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the VPN-IKE screen to 0.0.0.0.

Modify
    Click the Edit icon to go to the screen where you can edit the VPN configuration. Click the Remove icon to remove an existing VPN configuration.

Apply
    Click this to save your changes and apply them to the ZyXEL Device.

Cancel
    Click this to return your settings to their last saved values.

17.6 Keep Alive

When you initiate an IPSec tunnel with keep alive enabled, the ZyXEL Device automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see Section 17.12 on page 234 for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always on” connection after you initiate it. Both IPSec routers must have a ZyXEL Device-compatible keep alive feature enabled in order for this feature to work.

If the ZyXEL Device has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the ZyXEL Device because the ZyXEL Device never drops the tunnels that are already connected.

When there is outbound traffic with no inbound traffic, the ZyXEL Device automatically drops the tunnel after two minutes.