Chapter 15 Certificates
P-661HNU-Fx User’s Guide
15.3.1 Import Certificate
Click Import Certificate in the VPN Certificates screen to open the Import Certificate screen. You can save a trusted certification authority’s certificate to the ZyXEL Device.
Figure 93 Security > Certificates > VPN Certificates
The following table describes the labels in this screen.
Table 56 VPN Certificates > Import
LABEL         DESCRIPTION
Name          Type a name for this certificate.
Public Key    The value provided by a designated authority, which combined with a private key, can be used to encrypt messages. Write the key between BEGIN CERTIFICATE and END CERTIFICATE.
Private Key   This is the key known only to the parties that exchange information. Write the key between BEGIN CERTIFICATE and END CERTIFICATE.
Apply         Click Apply to save the certificate on the ZyXEL Device.
Back          Click Back to return to the previous screen.
CHAPTER 16 VPN
16.1 Overview
A virtual private network (VPN) provides secure communications between sites
without the expense of leased site-to-site lines. A secure VPN is a combination of
tunneling, encryption, authentication, access control and auditing. It is used to
transport traffic over the Internet or any insecure network that uses TCP/IP for
communication.
Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible
solutions for secure data communications across a public network like the
Internet. IPSec is built around a number of standardized cryptographic techniques
to provide confidentiality, data integrity and authentication at the IP layer. The
following figure is an example of an IPSec VPN tunnel.
Figure 94 VPN: Example
16.1.1 What You Can Do in the VPN Screens
Use the Setup screen (Section 16.2 on page 220) to view the configured VPN policies and add, edit or remove a VPN policy.
Use the Monitor screen (Section 16.5 on page 228) to display and manage the current active VPN connections.
16.1.2 What You Need to Know About IPSec VPN
A VPN tunnel is usually established in two phases. Each phase establishes a
security association (SA), a contract indicating what security parameters the
ZyXEL Device and the remote IPSec router will use. The first phase establishes an
Internet Key Exchange (IKE) SA between the ZyXEL Device and remote IPSec
router. The second phase uses the IKE SA to securely establish an IPSec SA
through which the ZyXEL Device and remote IPSec router can send data between
computers on the local network and remote network. The following figure
illustrates this.
Figure 95 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X and Y established first.
My IP Address
My IP Address is the WAN IP address of the ZyXEL Device. The ZyXEL Device has to rebuild the VPN tunnel if My IP Address changes after setup.
The following applies if this field is configured as 0.0.0.0:
The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel.
Secure Gateway Address
Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway).
If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one) in the Secure Gateway Address field.
You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyXEL Device has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
Dynamic Secure Gateway Address
If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway’s address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network (see Section 16.6.11 on page 237 for configuration examples).
The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.
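The address rules above (My IP Address, Secure Gateway Address, and the restriction of 0.0.0.0 to IKE key management) can be checked before a policy is typed into the web configurator. The following Python check is an added example, not ZyXEL code; the policy dictionary keys, the hostname pattern and the sample values are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: a gateway domain name is a plain dotted DNS name.
HOSTNAME = re.compile(
    r"(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")

def parse_ipv4(value):
    """Return an IPv4Address, or None if value is not a dotted-quad address."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None

def check_policy(policy):
    """Check one tunnel policy against the guide's address rules.

    policy keys (hypothetical, not a device export format):
    my_ip, secure_gateway, key_mgmt ("IKE" or "Manual").
    Returns (errors, notes) as two lists of strings.
    """
    errors, notes = [], []
    key_mgmt = policy.get("key_mgmt", "")
    if key_mgmt not in ("IKE", "Manual"):
        errors.append(f"unknown key management: {key_mgmt!r}")
    my_ip = parse_ipv4(policy.get("my_ip", ""))
    if my_ip is None:
        errors.append("My IP Address must be an IPv4 address or 0.0.0.0")
    elif my_ip.is_unspecified:
        notes.append("My IP Address 0.0.0.0: current WAN IP address is used")
    gateway = policy.get("secure_gateway", "")
    gw_ip = parse_ipv4(gateway)
    if gw_ip is not None and gw_ip.is_unspecified:
        if key_mgmt != "IKE":
            errors.append("Secure Gateway Address 0.0.0.0 requires IKE key management")
        else:
            notes.append("only the remote secure gateway can initiate SAs")
    elif gw_ip is None and HOSTNAME.fullmatch(gateway):
        notes.append("domain name gateway: tunnel is rebuilt when its WAN IP changes")
    elif gw_ip is None:
        errors.append(f"Secure Gateway Address is neither IPv4 nor a domain name: {gateway!r}")
    return errors, notes

# Constructed sample policies (addresses from documentation ranges).
SAMPLES = {
    "branch": {"my_ip": "0.0.0.0", "secure_gateway": "203.0.113.10", "key_mgmt": "IKE"},
    "telecommuter": {"my_ip": "198.51.100.2", "secure_gateway": "0.0.0.0", "key_mgmt": "IKE"},
    "bad-manual": {"my_ip": "198.51.100.2", "secure_gateway": "0.0.0.0", "key_mgmt": "Manual"},
    "ddns": {"my_ip": "0.0.0.0", "secure_gateway": "gw.example.net", "key_mgmt": "IKE"},
}
```

Calling check_policy on each entry of SAMPLES flags only "bad-manual" as an error; the other entries return notes describing who can initiate the tunnel and when it has to be rebuilt.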
Finding Out More
See Section 16.6 on page 229 for advanced technical information on IPSec VPN.
16.1.3 Before You Begin
If a VPN tunnel uses Telnet, FTP, WWW, then you should configure remote management (Remote MGMT) to allow access for that service.
16.2 VPN Setup Screen
The following figure helps explain the main fields in the web configurator.
Figure 96 IPSec Summary Fields
Local and remote IP addresses must be static.
Click Security > VPN to open the VPN Setup screen. This is a menu of your IPSec rules (tunnels). The IPSec summary menu is read-only. Edit a VPN by selecting an index number and then configuring its associated submenus.
Figure 97 Security > VPN > Setup
The following table describes the fields in this screen.
Table 57 Security > VPN > Setup
LABEL            DESCRIPTION
Add New Tunnel   Click this button to set up VPN policies for a new tunnel.
#                This is the VPN policy index number. Click a number to edit VPN policies.
Active           This field displays whether the VPN policy is active or not. A Yes signifies that this VPN policy is active. No signifies that this VPN policy is not active.
Tunnel Name      This field displays the identification name for this VPN policy.
Local Address    This field will display the IP address used by the ZyXEL Device.
[Figure labels: Local Network, Local IP Address, My IP Address, Secure Gateway IP Address, Remote Network, Remote IP Address, Remote IPSec Router, VPN Tunnel]
