ZyWALL 70 Internet Security Appliance

10

3.2 Using the Wizard to Configure for Internet Access

Step 1.

Click

Internet Access

in the

HOME

screen to help you configure your WAN1 on the ZyWALL

to access the Internet. The first wizard screen has three variations depending on what

encapsulation type you use. Use the information in

Internet Account Information

to fill in fields.

Choose

Ethernet

when the WAN port is used

as a regular Ethernet. Choose from

Standard

or a RoadRunner version. You’ll need

User

Name

,

Password

and

Login Server IP

Address

for some Roadrunner versions.

Point-to-Point Protocol over Ethernet (

PPPoE

)

also functions as a dial-up connection.

Therefore you’ll also need a username and

password and possibly the PPPoE service

name.

Your ISP will give you all needed information.

Choose

PPTP

if your service provider uses a

DSL terminator with PPTP login. The ZyWALL

must have a static IP address in this case.

You’ll also need a login name, associated

password, the DSL terminator IP address and

possibly a connection ID.

Click

Next

to continue.

Step 2.

Fill in the fields and click

Finish

to save and complete the wizard setup.

WAN IP Address Assignment

Select

Get automatically from ISP

if your ISP

did not assign you a fixed IP address. Select

Use fixed IP address

if the ISP assigned a

fixed IP address and then enter your IP

address and subnet mask in the next two

fields. Enter the gateway IP address in this field

(if provided) when you select

Use Fixed IP

Address

.

System DNS Servers

Select

From ISP

if your ISP dynamically

assigns DNS server information (and the

ZyWALL's WAN IP address).

Select

User-Defined

if you have the IP

address of a DNS server. Enter the DNS

server's IP address in the field to the right.

Select

None

if you do not want to configure

DNS servers. If you do not configure a DNS

server, you must know the IP address of a

machine in order to access it.

ZyWALL 70 Internet Security Appliance

11

WAN MAC Address

Select

Factory Default

to use the factory assigned default MAC address. Alternatively, select

Spoof this Computer's MAC

address - IP Address

and enter the IP address of the computer on the LAN whose MAC address you are cloning.

3.3 Test Your Internet Connection

Launch your web browser and navigate to

www.zyxel.com

. You don’t need a dial-up program such as Dial

Up Networking. Refer to the

User’s Guide

for more detailed information on the complete range of ZyWALL

features.

3.4 Using the Wizard to Configure a VPN Policy

Step 1.

Click

VPN Wizard

in the

HOME

screen to help you edit a VPN rule that use a pre-shared key

and configure IKE settings to establish a VPN tunnel.

Enter the WAN IP address of your ZyWALL.

The ZyWALL uses its current WAN IP

address (static or dynamic) in setting up the

VPN tunnel if you leave this field as

0.0.0.0

.

Select

IP Address

and then enter IP address

to identify the remote IPSec router by its IP

address.

Otherwise, select

Domain Name

and enter

the domain name.

Click

Next

to continue.

Step 2.

Fill in the fields and click

Next

to continue.

Select

Single

for a single IP address. Select

Range IP

for a specific range of IP

addresses. Select

Subnet

to specify IP

addresses on a network by their subnet

mask.

Local Network

If the

Local Network

field is configured to

Single

, enter a (static) IP address on the

LAN behind your ZyWALL. If the

Local

Network

field is configured to

Range IP

,

enter the beginning and end (static) IP

address, in a range of computers on the LAN

behind your ZyWALL. If the

Local Network

field is configured to

Subnet

, enter a (static)

IP address and subnet mask on the LAN

behind your ZyWALL.

ZyWALL 70 Internet Security Appliance

12

Remote Network

If the

Remote Network

field is configured to

Single

, enter a (static) IP address on the network behind the remote IPSec

router. If the

Remote Network

field is configured to

Range IP

, enter the beginning and end (static) IP address, in a range of

computers on the network behind the remote IPSec router. If the

Remote Network

field is configured to

Subnet

, enter a

(static) IP address and subnet mask on the network behind the remote IPSec router.

Step 3.

Use the third wizard screen to configure IKE tunnel settings.

Negotiation Mode

Select

Main Mode

or

Aggressive Mode

.

Multiple SAs connecting through a secure

gateway must have the same negotiation

mode.

Encryption Algorithm

Select the method of data encryption using a

private (secret) key.

The

DES

encryption algorithm uses a 56-bit

key. Triple DES (

3DES

) is a variation on

DES

that uses a 168-bit key. As a result,

3DES

is more secure than

DES

. It also

requires more processing power, resulting in

increased latency and decreased throughput.

This implementation of

AES

uses a 128-bit

key.

AES

is faster than

3DES

.

Authentication Algorithm

MD5

(Message Digest 5) and

SHA1

(Secure Hash Algorithm) are hash algorithms used to authenticate packet data. Select

MD5

for minimal security and

SHA-1

for maximum security.

Key Group

Choose a key group for phase 1 IKE setup.

DH1

(default) refers to Diffie-Hellman Group 1 a 768 bit random number.

DH2

refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number.

SA Life Time (Minutes)

Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds.

Pre-Shared Key

Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must

precede a hexadecimal key with a "0x” (zero x), which is not counted as part of the 16 to 62 character range for the key.

Click

Next

to continue.

ZyWALL 70 Internet Security Appliance

13

Step 4.

Use the forth wizard screen to configure IPSec settings.

Choose

Tunnel

mode or

Transport

mode.

Choose which protocol to use (

ESP

or

AH

)

for the IKE key exchange.

Choose an encryption algorithm or select

NULL

to set up a tunnel without encryption.

Choose an authentication algorithm.

Set the IPSec SA lifetime. This field allows

you to determine how long the IPSec SA

should stay up before it times out.

Choose whether to enable Perfect Forward

Secrecy (PFS) using Diffie-Hellman public-

key cryptography. Select

None

(the default)

to disable PFS.

DH1

refers to Diffie-Hellman

Group 1 a 768 bit random number.

DH2

refers to Diffie-Hellman Group 2 a 1024 bit

(1Kb) random number (more secure, yet

slower).

Step 5.

This read-only screen shows the status of the current VPN setting. Use the summary table to

check whether what you have configured is correct.

Click

Finish

to save and complete the wizard

setup. Otherwise, click

Back

to return to the

previous screen.

ZyWALL 70 Internet Security Appliance

14

4 Troubleshooting

PROBLEM

CORRECTIVE ACTION

None of the

LEDs turn on

when you turn

on the ZyWALL.

Make sure that you have the power cord connected to the ZyWALL and an appropriate power

source. Make sure the fuse is not burnt out (see the

User’s Guide

appendices for details). Check all

cable connections.

If the LEDs still do not turn on, you may have a hardware problem. In this case, you should contact

your local vendor.

Cannot access

the ZyWALL

from the LAN.

Check the cable connection between the ZyWALL and your computer or hub. Refer to the section on

front panel for details.

Ping the ZyWALL from a LAN computer. Make sure your computer’s Ethernet card is installed and

functioning properly.

Cannot ping any

computer on the

LAN.

If the 10/100M LAN LEDs are off, check the cable connections between the ZyWALL and your LAN

computers.

Verify that the IP address and subnet mask of the ZyWALL and the LAN computers are in the same

IP address range.

The WAN IP is provided after the ISP verifies the MAC address, host name or user ID.

Find out the verification method used by your ISP and configure the corresponding fields.

If the ISP checks the WAN MAC address, you should clone the MAC address from a LAN computer.

Click

WAN

and then the

WAN1

or

WAN2

tab, select

Spoof WAN MAC Address

and enter the IP

address of the computer on the LAN whose MAC address you are cloning.

If the ISP checks the host name, enter your computer’s name in the

System Name

field in the

MAINTENANCE General

screen (refer to the

Maintenance

part in the

User’s Guide

).

Cannot get a

WAN IP address

from the ISP.

If the ISP checks the user ID, click

WAN

and then the

WAN1

or

WAN2

tab. Check your service type,

user name, and password.

Check the ZyWALL’s connection to the cable/DSL device.

Cannot access

the Internet.

Click

WAN

to verify your settings.