P-2602H(W)(L)-DxA Series User’s Guide
Chapter 17 VPN Screens
Table 89 VPN: Manual Key (continued)

DNS Server (for IPSec VPN): If there is a private DNS server that services the VPN, type its IP address here. The ZyXEL Device assigns this additional DNS server to the ZyXEL Device's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.

Address Information

Local: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.

Local Address Type: Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.

IP Address Start: When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Range, enter the beginning (static) IP address in a range of computers on your LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyXEL Device.

End / Subnet Mask: When the Local Address Type field is configured to Single, this field is N/A. When the Local Address Type field is configured to Range, enter the end (static) IP address in a range of computers on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this is a subnet mask on the LAN behind your ZyXEL Device.

Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.

Remote Address Type: Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.

IP Address Start: When the Remote Address Type field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Address Type field is configured to Range, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Address Type field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.

End / Subnet Mask: When the Remote Address Type field is configured to Single, this field is N/A. When the Remote Address Type field is configured to Range, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Address Type field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
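The Encapsulation Key and Authentication Key rows of Table 89 fix the key length per algorithm (8 characters for DES, 24 for 3DES, 16 for MD5, 20 for SHA1) and note that trailing spaces are truncated, so a key that looks long enough as typed can still be rejected. The following checker is an added example and not ZyXEL's code; the function and dictionary names are this example's own, and the algorithm labels are the drop-down names as printed in the table.

```python
# Added example, not ZyXEL's code: encodes the Encapsulation Key and
# Authentication Key rules of Table 89. Key lengths are the character counts
# the table states; algorithm labels are the drop-down names as printed.
ENC_KEY_LEN = {"DES": 8, "3DES": 24, "NULL": 0}   # Encapsulation Key length
AUTH_KEY_LEN = {"MD5": 16, "SHA1": 20}            # Authentication Key length


def effective_key(key: str) -> str:
    """Return the key as the device stores it: trailing spaces are
    truncated; leading and embedded spaces are kept."""
    return key.rstrip(" ")


def check_manual_keys(enc_alg: str, enc_key: str,
                      auth_alg: str, auth_key: str):
    """Return (errors, warnings). Errors break the length rules; warnings
    follow the table's own ranking of the algorithm choices."""
    errors, warnings = [], []
    if enc_alg not in ENC_KEY_LEN:
        return [f"unknown encryption algorithm {enc_alg!r}"], warnings
    if auth_alg not in AUTH_KEY_LEN:
        return [f"unknown authentication algorithm {auth_alg!r}"], warnings

    # Encapsulation Key: 8 characters with DES, 24 with 3DES, none with NULL.
    want, got = ENC_KEY_LEN[enc_alg], len(effective_key(enc_key))
    if enc_alg == "NULL":
        if enc_key:
            errors.append("NULL encryption takes no Encapsulation Key")
        warnings.append("NULL sets up a tunnel without encryption")
    elif got != want:
        errors.append(f"{enc_alg} key must be {want} characters after "
                      f"trailing-space truncation, got {got}")
    if enc_alg == "DES":
        warnings.append("DES uses a 56-bit key; 3DES is the stronger choice")

    # Authentication Key: 16 characters with MD5, 20 with SHA1.
    want, got = AUTH_KEY_LEN[auth_alg], len(effective_key(auth_key))
    if got != want:
        errors.append(f"{auth_alg} key must be {want} characters after "
                      f"trailing-space truncation, got {got}")
    if auth_alg == "MD5":
        warnings.append("MD5 is the minimal-security choice; SHA1 is stronger")
    return errors, warnings


if __name__ == "__main__":
    # "abcdefg " is 8 characters as typed but 7 after truncation, so DES fails.
    print(check_manual_keys("DES", "abcdefg ", "MD5", "x" * 16))
```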
Table 89 VPN: Manual Key (continued)

My IP Address: Enter the WAN IP address of your ZyXEL Device. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0: the ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel. If the WAN connection goes down, the ZyXEL Device uses the dial backup IP address for the VPN tunnel when using dial backup, or the LAN IP address when using traffic redirect. See Chapter 7 on page 93 for details on dial backup and traffic redirect.

Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection.

Security Protocol

IPSec Protocol: Select ESP if you want to use ESP (Encapsulating Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described next).

Encryption Algorithm: Select DES, 3DES or NULL from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.

Encapsulation Key (only with ESP): With DES, type a unique key 8 characters long. With 3DES, type a unique key 24 characters long. Any characters may be used, including spaces, but trailing spaces are truncated.

Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.

Authentication Key: Type a unique authentication key to be used by IPSec if applicable. Enter 16 characters for MD5 authentication or 20 characters for SHA-1 authentication. Any characters may be used, including spaces, but trailing spaces are truncated.

Back: Click Back to return to the previous screen.

Apply: Click Apply to save your changes back to the ZyXEL Device.

17.16 Viewing SA Monitor

Click Security, VPN and Monitor to open the SA Monitor screen as shown. Use this screen to display and manage active VPN connections.

A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections. This screen is read-only. The following table describes the fields in this tab.
When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not time out until the SA lifetime period expires. See Section 17.6 on page 225 on keep alive to have the ZyXEL Device renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.

Figure 128 VPN: SA Monitor

The following table describes the fields in this screen.

Table 90 VPN: SA Monitor

No: This is the security association index number.

Name: This field displays the identification name for this VPN policy.

Encapsulation: This field displays Tunnel or Transport mode.

IPSec Algorithm: This field displays the security protocol, encryption algorithm, and authentication algorithm used in each VPN tunnel.

Disconnect: Select one of the security associations, and then click Disconnect to stop that security association.

Refresh: Click Refresh to display the current active VPN connection(s).
17.17 Configuring Global Setting

To change your ZyXEL Device’s global settings, click VPN and then Global Setting. The screen appears as shown.

Figure 129 VPN: Global Setting

The following table describes the fields in this screen.

Table 91 VPN: Global Setting

Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to find other computers. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.

Allow NetBIOS Traffic Through All IPSec Tunnels: Select this check box to send NetBIOS packets through the VPN connection.

Apply: Click Apply to save your changes back to the ZyXEL Device.

Cancel: Click Cancel to begin configuring this screen afresh.

17.18 Telecommuter VPN/IPSec Examples

The following examples show how multiple telecommuters can make VPN connections to a single ZyXEL Device at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyXEL Device at headquarters has a static public IP address.

17.18.1 Telecommuters Sharing One VPN Rule Example

See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyXEL Device at headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers. The telecommuters must all use the same IPSec parameters, but the local IP addresses (or ranges of addresses) should not overlap.
Figure 130 Telecommuters Sharing One VPN Rule Example

Table 92 Telecommuters Sharing One VPN Rule Example

My IP Address
Telecommuters: 0.0.0.0 (dynamic IP address assigned by the ISP)
Headquarters: Public static IP address

Secure Gateway IP Address
Telecommuters: Public static IP address
Headquarters: 0.0.0.0 (with this IP address only the telecommuter can initiate the IPSec tunnel)

Local IP Address
Telecommuters: Telecommuter A: 192.168.2.12; Telecommuter B: 192.168.3.2; Telecommuter C: 192.168.4.15
Headquarters: 192.168.1.10

Remote IP Address
Telecommuters: 192.168.1.10
Headquarters: 0.0.0.0 (N/A)

17.18.2 Telecommuters Using Unique VPN Rules Example

In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this). With aggressive negotiation mode (see Section 17.12.1 on page 235), the ZyXEL Device can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyXEL Device at headquarters. They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the ZyXEL Device at headquarters can overlap. The local IP addresses of the rules configured on the telecommuters’ IPSec routers should not overlap.

See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyXEL Device located at headquarters. The ZyXEL Device at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection.

The ZyXEL Device at headquarters can also initiate VPN connections to the telecommuters since it can find the telecommuters by resolving their domain names.
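Two address rules in this chapter can be checked before a rule is activated: Table 89 states that two active SAs may not have both the same local and the same remote addresses, and the shared-rule example states that telecommuters using one VPN rule must not have overlapping local addresses. The following checker is an added example and not ZyXEL's code; it models the Single, Range and Subnet address types from Table 89 with the standard-library ipaddress module, the AddressSpec class and the two functions are this example's own names, and the embedded sample addresses are the telecommuter values from Table 92.

```python
# Added example, not ZyXEL's code: models the Local/Remote address fields of
# Table 89 (Single, Range, Subnet) and checks two rules from this chapter: two
# active SAs may not share both local and remote addresses, and telecommuters
# sharing one VPN rule must not have overlapping local addresses.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class AddressSpec:
    addr_type: str          # Address Type: "Single", "Range" or "Subnet"
    start: str              # IP Address Start
    end_or_mask: str = ""   # End / Subnet Mask (N/A for Single)

    def bounds(self) -> tuple[int, int]:
        """Inclusive (first, last) address covered, as integers."""
        first = int(IPv4Address(self.start))
        if self.addr_type == "Single":
            return first, first
        if self.addr_type == "Range":
            last = int(IPv4Address(self.end_or_mask))
            if last < first:
                raise ValueError("Range end precedes IP Address Start")
            return first, last
        if self.addr_type == "Subnet":
            net = IPv4Network(f"{self.start}/{self.end_or_mask}", strict=False)
            return int(net.network_address), int(net.broadcast_address)
        raise ValueError(f"unknown address type {self.addr_type!r}")

    def overlaps(self, other: "AddressSpec") -> bool:
        a0, a1 = self.bounds()
        b0, b1 = other.bounds()
        return a0 <= b1 and b0 <= a1


def conflicting_active_sas(sas):
    """sas: (name, local, remote, active) tuples. Return active pairs whose
    local and remote addresses are both the same (allowed only if inactive)."""
    active = [s for s in sas if s[3]]
    return [(a[0], b[0]) for i, a in enumerate(active) for b in active[i + 1:]
            if a[1] == b[1] and a[2] == b[2]]


def overlapping_telecommuters(locals_by_name):
    """Pairs of telecommuters whose local addresses overlap; sharing one VPN
    rule at headquarters requires this to be empty."""
    names = list(locals_by_name)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if locals_by_name[x].overlaps(locals_by_name[y])]


# Local IP addresses of telecommuters A, B and C as given in Table 92.
TABLE_92_LOCALS = {"A": AddressSpec("Single", "192.168.2.12"),
                   "B": AddressSpec("Single", "192.168.3.2"),
                   "C": AddressSpec("Single", "192.168.4.15")}
```

Adding a fourth telecommuter whose Subnet entry covers 192.168.3.0/24 makes overlapping_telecommuters report it against telecommuter B, which is exactly the configuration the shared-rule example forbids.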
