Zyxel VMG8924-B30A Router Manual PDF (Setup & Configuration Guide)

Home

Manuals

Zyxel

VMG8924-B30A

Page 221 / 412 Scroll up to view Page 216 - 220

VMG8924-B10A and VMG8924-B30A Series User’s Guide

221

HAPTER

VPN

20.1

Overview

A virtual private network (VPN) provides secure communications over the the Internet. Internet

Protocol Security (IPSec) is a standards-based VPN that provides confidentiality, data integrity, and

authentication. This chapter shows you how to configure the Device’s VPN settings.

20.2

The IPSec VPN General Screen

Use this screen to view and manage your VPN tunnel policies. The following figure helps explain the

main fields in the web configurator.

Figure 134

IPSec Fields Summary

Click

Security > IPSec VPN

to open this screen as shown next.

Figure 135

Security > IPSec VPN

Local Network

Remote Network

VPN Tunnel

Page 222 / 412

Chapter 20 VPN

VMG8924-B10A and VMG8924-B30A Series User’s Guide

222

This screen contains the following fields:

20.3

The IPSec VPN Add/Edit Screen

Use these settings to add or edit VPN policies. Click the

Add New Connection

button in the

Security > VPN

screen to open this screen as shown next.

Table 102

Security > IPSec VPN

LABEL

DESCRIPTION

Add New

Connection

Click this button to add an item to the list.

This displays the index number of an entry.

Status

This displays whether the VPN policy is enabled (

Enable

) or not (

Disable

Connection Name

The name of the VPN policy.

Remote Gateway

This is the IP address of the remote IPSec router in the IKE SA.

Local Addresses

This displays the IP address(es) on the LAN behind your Device.

Remote

Addresses

This displays the IP address(es) on the LAN behind the remote IPSec’s router.

Delete

Click the

Edit

icon to modify the VPN policy.

Click the

Delete

icon to delete the VPN policy.

Page 223 / 412

Chapter 20 VPN

VMG8924-B10A and VMG8924-B30A Series User’s Guide

223

Figure 136

Security > IPSec VPN: Add/Edit

This screen contains the following fields:

Table 103

Security > IPSec VPN: Add/Edit

LABEL

DESCRIPTION

Active

Select this to activate this VPN policy.

IPSec Connection

Name

Enter the name of the VPN policy.

Remote IPSec

Gateway Address

Enter the IP address of the remote IPSec router in the IKE SA.

Tunnel access

from local IP

addresses

Select

Single Address

to have only one local LAN IP address use the VPN tunnel. Select

Subnet

to specify local LAN IP addresses by their subnet mask.

Page 224 / 412

Chapter 20 VPN

VMG8924-B10A and VMG8924-B30A Series User’s Guide

224

IP Address for

VPN

Single Address

is selected, enter a (static) IP address on the LAN behind your Device.

Subnet

is selected, specify IP addresses on a network by their subnet mask by entering

a (static) IP address on the LAN behind your Device.

Then enter the subnet mask to

identify the network address.

IP Subnetmask

Subnet

is selected, enter the subnet mask to identify the network address.

Tunnel access

from remote IP

addresses

Select

Single Address

to have only one remote LAN IP address use the VPN tunnel.

Select

Subnet

to specify remote LAN IP addresses by their subnet mask.

IP Address for

VPN

Single Address

is selected, enter a (static) IP address on the LAN behind the remote

IPSec’s router.

Subnet

is selected, specify IP addresses on a network by their subnet mask by entering

a (static) IP address on the LAN behind the remote IPSec’s router.

Then enter the subnet

mask to identify the network address.

IP Subnetmask

Subnet

is selected, enter the subnet mask to identify the network address.

Protocol

Select which protocol you want to use in the IPSec SA. Choices are:

(RFC 2402) - provides integrity, authentication, sequence integrity (replay

resistance), and non-repudiation but not encryption. If you select

, you must select an

Integraty

Algorithm

ESP

(RFC 2406) - provides encryption and the same services offered by

, but its

authentication is weaker. If you select

ESP

, you must select an

Encryption Agorithm

and

Integraty Algorithm

Both

and

ESP

increase processing requirements and latency (delay). The Device and

remote IPSec router must use the same active protocol.

Key Exchange

Method

Select the key exchange method:

Auto(IKE)

- Select this to use automatic IKE key management VPN connection policy.

Manual

- Select this option to configure a VPN connection policy that uses a manual key

instead of IKE key management. This may be useful if you have problems with IKE key

management.

Note: Only use manual key as a temporary solution, because it is not as secure as a regular

IPSec SA.

Authentication

Method

Select

Pre-Shared Key

to use a pre-shared key for authentication, and type in your pre-

shared key. A pre-shared key identifies a communicating party during a phase 1 IKE

negotiation. It is called "pre-shared" because you have to share it with another party

before you can communicate with them over a secure connection.

Select

Certificate (X.509)

to use a certificate for authentication.

Pre-Shared Key

Type your pre-shared key in this field. A pre-shared key identifies a communicating party

during a phase 1 IKE negotiation.

Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9",

"A-F") characters. You must precede a hexadecimal key with a "0x” (zero x), which is not

counted as part of the 16 to 62 character range for the key. For example, in

"0x0123456789ABCDEF", “0x” denotes that the key is hexadecimal and

“0123456789ABCDEF” is the key itself.

Local ID Type

Select

to identify the Device by its IP address.

Select

E-mail

to identify this Device by an e-mail address.

Select

DNS

to identify this Device by a domain name.

Select

ASN1DN

(Abstract Syntax Notation one - Distinguished Name) to this Device by

the subject field in a certificate. This is used only with certificate-based authentication.

Table 103

Security > IPSec VPN: Add/Edit

LABEL

DESCRIPTION

Page 225 / 412

Chapter 20 VPN

VMG8924-B10A and VMG8924-B30A Series User’s Guide

225

Local ID Content

When you select IP in the

Local ID Type

field, type the IP address of your computer in

this field. If you configure this field to 0.0.0.0 or leave it blank, the Device automatically

uses the

Pre-Shared Key

(refer to the

Pre-Shared Key

field description).

It is recommended that you type an IP address other than 0.0.0.0 in this field or use the

DNS

E-mail

type in the following situations.

•

When there is a NAT router between the two IPSec routers.

•

When you want the remote IPSec router to be able to distinguish between VPN

connection requests that come in from IPSec routers with dynamic WAN IP addresses.

When you select

DNS

E-mail

in the

Local ID Type

field, type a domain name or e-

mail address by which to identify this Device in this field. Use up to 31 ASCII characters

including spaces, although trailing spaces are truncated. The domain name or e-mail

address is for identification purposes only and can be any string.

Remote ID Type

Select

to identify the remote IPSec router by its IP address.

Select

E-mail

to identify the remote IPSec router by an e-mail address.

Select

DNS

to identify the remote IPSec router by a domain name.

Select

ASN1DN

to identify the remote IPSec router by the subject field in a certificate.

This is used only with certificate-based authentication.

Remote ID

Content

The configuration of the remote content depends on the remote ID type.

For

, type the IP address of the computer with which you will make the VPN connection.

If you configure this field to 0.0.0.0 or leave it blank, the Device will use the address in

the

Remote IPSec Gateway Address

field (refer to the

Remote IPSec Gateway

Address

field description).

For

DNS

E-mail

, type a domain name or e-mail address by which to identify the

remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing

spaces are truncated. The domain name or e-mail address is for identification purposes

only and can be any string.

It is recommended that you type an IP address other than 0.0.0.0 or use the

DNS

E-

mail

ID type in the following situations:

•

When there is a NAT router between the two IPSec routers.

•

When you want the Device to distinguish between VPN connection requests that come

in from remote IPSec routers with dynamic WAN IP addresses.

Advanced IKE

Settings

Click

to display advanced settings. Click

less

to display basic settings only.

NAT_Traversal

Select

Enable

if you want to set up a VPN tunnel when there are NAT routers between the

Device and remote IPSec router. The remote IPSec router must also enable NAT traversal,

and the NAT routers have to forward UDP port 500 packets to the remote IPSec router

behind the NAT router. Otherwise, select

Disable

Phase 1

Mode

Select the negotiation mode to use to negotiate the IKE SA. Choices are:

Main

- this encrypts the Device’s and remote IPSec router’s identities but takes more

time to establish the IKE SA.

Aggressive

- this is faster but does not encrypt the identities.

The Device and the remote IPSec router must use the same negotiation mode.

Table 103

Security > IPSec VPN: Add/Edit

LABEL

DESCRIPTION

Rate

Popular Zyxel Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share