User manual ZYXEL ZYWALL USG 100

[. . . ] ZyWALL USG 100/200 Series Unified Security Gateway User's Guide Version 2. 10 5/2008 Edition 1 DEFAULT LOGIN LAN1 Port P4 IP Address http://192. 168. 1. 1 User Name admin Password 1234 www. zyxel. com About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to want to configure the ZyWALL using the web configurator. How To Use This Guide · Read Chapter 1 on page 53 chapter for an overview of features available on the ZyWALL. · Read Chapter 3 on page 65 for web browser requirements and an introduction to the main components, icons and menus in the ZyWALL web configurator. · Read Chapter 4 on page 75 if you're using the wizards for first time setup and you want more detailed information than what the real time online help provides. [. . . ] In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps. Figure 263 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued) Step 5: pre-shared key ZyWALL identity, consisting of - ID type - content Step 6: pre-shared key Remote IPSec router identity, consisting of - ID type - content You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. The ZyWALL and the remote IPSec router must use the same pre-shared key. ZyWALL USG 100/200 Series User's Guide 375 Chapter 20 IPSec VPN Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or email address. Any domain name or e-mail address that you enter does not have to actually exist. Similarly, any domain name or IP address that you enter does not have to correspond to the ZyWALL's or remote IPSec router's properties. The ZyWALL and the remote IPSec router have their own identities, so both of them must store two sets of information, one for themselves and one for the other router. Local ID type and content refers to the ID type and content that applies to the router itself, and peer ID type and content refers to the ID type and content that applies to the other router. The ZyWALL's local and peer ID type and content must match the remote IPSec router's peer and local ID type and content, respectively. For example, in Table 123 on page 376, the ZyWALL and the remote IPSec router authenticate each other successfully. In contrast, in Table 124 on page 376, the ZyWALL and the remote IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA. Table 123 VPN Example: Matching ID Type and Content ZYWALL Local ID type: E-mail Local ID content: tom@yourcompany. com Peer ID type: IP Peer ID content: 1. 1. 1. 2 REMOTE IPSEC ROUTER Local ID type: IP Local ID content: 1. 1. 1. 2 Peer ID type: E-mail Peer ID content: tom@yourcompany. com Table 124 VPN Example: Mismatching ID Type and Content ZYWALL Local ID type: E-mail Local ID content: tom@yourcompany. com Peer ID type: IP Peer ID content: 1. 1. 1. 20 REMOTE IPSEC ROUTER Local ID type: IP Local ID content: 1. 1. 1. 2 Peer ID type: E-mail Peer ID content: tom@yourcompany. com It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router. This is less secure, so you should only use this if your ZyWALL provides another way to check the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel. Additional Topics for IKE SA This section provides more information about IKE SA. Negotiation Mode There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. 376 ZyWALL USG 100/200 Series User's Guide Chapter 20 IPSec VPN Main mode takes six steps to establish an IKE SA. Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL. Steps 3 - 4: The ZyWALL and the remote IPSec router exchange pre-shared keys for authentication and participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret. Steps 5 - 6: Finally, the ZyWALL and the remote IPSec router generate an encryption key (from the shared secret), encrypt their identities, and exchange their encrypted identity information for authentication. In contrast, aggressive mode only takes three steps to establish an IKE SA. Aggressive mode does not provide as much security because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used in remote-access situations, where the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication. For example, the remote IPSec router may be a telecommuter who does not have a static IP address. VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 264 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. [. . . ] session monitor (L2TP VPN) 412 sessions 730 sessions usage 173, 177 setup wizards 75 severity (IDP) 488, 492 SHA1 374 shell scripts 705 and users 605 downloading 713 editing 712 how applied 706 managing 712 not stopping or starting the ZyWALL 56 syntax 706 uploading 714 shutdown 56 signal quality 233 signature categories access control 494 buffer overflow 494 DoS/DDoS 494 IM 493 P2P 493 scan 494 spam 493 virus/worm 494 Web attack 494 signature ID 492, 501, 503 signatures anti-virus 478 IDP 483 packet inspection 490 updating 191 SIM card 229 Simple Certificate Enrollment Protocol (SCEP) 645 Simple Mail Transfer Protocol. SIP 331 additional signaling port 329 ALG 325 and firewall 327 and RTP 331 media inactivity timeout 329 signaling inactivity timeout 329 signaling port 329 SMTP 560 smurf attack 525 SNAT 285 SNMP 696, 697 agents 697 and address groups 698 and address objects 698 and zones 698 Get 697 GetNext 697 Manager 697 managers 697 MIB 697 network components 696 Set 697 Trap 697 traps 697 versions 696 Snort equivalent terms 510 Snort rule header 509 Snort rule options 509 Snort signatures 509 Source Network Address Translation. See SNAT. 896 ZyWALL USG 100/200 Series User's Guide Index spam 559 specifications 749 device 749 feature 750 hardware 749 spillover (for load balancing) 272 SQL slammer 509 SSH 689 and address groups 692 and address objects 692 and certificates 691 and zones 692 client requirements 691 encryption methods 691 for secure Telnet 692 how connection is established 690 versions 691 with Linux 693 with Microsoft Windows 692 SSID 233, 235 SSL 385, 389, 678 certificates 396 computer names 389 connection monitor 389 full tunnel mode 389 global setting 390 IP pool 389 network list 389 remote user login 396 remote user logout 399 See also SSL VPN 385 user screen bookmarks 399 user screens 395, 398 user screens access methods 395 user screens certificates 396 user screens login 396 user screens logout 399 user screens required information 396 user screens system requirements 395 WINS 389 SSL access policy 386 SSL application object 657 file sharing 657 file sharing application 660 remote user screen links 657 summary 658 types 657 web-based 657, 659 web-based example 657 where used 121 SSL policy add 387 edit 387 objects used 386 SSL VPN 385 access policy 386 configuration overview 115 full tunnel mode 61, 386 network access mode 61 prerequisites 115 reverse proxy mode 61, 385 See also SSL 385 where used 115 stac compression 224 starting the ZyWALL 56 startup-config. conf 710 and synchronization (device HA) 588 if errors 708 missing at restart 708 present at restart 708 startup-config-bad. conf 708 static DHCP 214, 254, 261 static routes 278 and interfaces 285 and OSPF 291 and RIP 288 configuration overview 117 metric 285 prerequisites 117 statistics anti-spam 735 anti-virus 732 application patrol 462 bandwidth 463 daily e-mail report 737 IDP 733 protocol 464 traffic 727 status 171 Status bar also called message bar 72 status bar 72 warning message popup 72 stopping the ZyWALL 56 streaming protocols managing 443 strict source routing 500 STUN 327 and ALG 327 subscription services 186 and synchronization (device HA) 576 AppPatrol 188 content filtering 188 IDP 188 IDP. status 189, 452, 473 trial service activation 187 upgrading 189 supported browsers 65 Supporting Disk 4 ZyWALL USG 100/200 Series User's Guide 897 Index SYN flood 526 synchronization 576 and subscription services 576 information synchronized 588 password 581, 585 port number 581, 585 restrictions 589 syntax conventions 5 syslog 718, 724 syslog servers. [. . . ]