User manual ZYXEL ZYWALL 2 PLUS

[. . . ] ZyWALL 2 Plus Internet Security Appliance User's Guide Version 4. 02 3/2007 Edition 1 www. zyxel. com About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology. Related Documentation · Quick Start Guide The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access. [. . . ] This causes the ZyWALL to try to forward all access attempts (to the local network, the Internet or even the ZyWALL) to the remote IPSec router. In this case, you can no longer manage the ZyWALL. If you select the VPN rules skip applying to the overlap range of local and remote IP addresses option (see Figure 174 on page 267) and the VPN rule's local and remote network settings are both 0. 0. 0. 0 (any), no traffic will go through the VPN tunnel. ZyWALL 2 Plus User's Guide 251 Chapter 14 IPSec VPN 14. 6. 1. 1 Overlapping Local And Remote Network IP Addresses Devices behind the ZyWALL (local devices) and the devices behind the remote IPSec router (remote devices) may use private IP addresses. Therefore it is possible that local devices and remote devices may have the same IP addresses. For example, local network X uses IP addresses 192. 168. 1. 2 to 192. 168. 1. 4. If you select the VPN rules skip applying to the overlap range of local and remote IP addresses option (see Figure 174 on page 267), every time a computer on network X tries to access a network X computer with an IP address from 192. 168. 1. 2 to 192. 168. 1. 4, the ZyWALL sends the traffic through the VPN tunnel to network Y. If you clear the VPN rules skip applying to the overlap range of local and remote IP addresses option (see Figure 174 on page 267), every time a computer on network X tries to access a network X computer with an IP address from 192. 168. 1. 2 to 192. 168. 1. 4, the ZyWALL sends the traffic to the local network. Figure 165 Local and Remote Network IP Address Overlap 14. 6. 2 Virtual Address Mapping Virtual address mapping (NAT over IPSec) changes the source IP addresses of packets from your local devices to virtual IP addresses before sending them through the VPN tunnel. 14. 6. 2. 1 Avoiding Overlapping Local And Remote Network IP Addresses If both IPSec routers support virtual address mapping, you can access devices on both networks, even if their IP addresses overlap. You map the ZyWALL's local network addresses to virtual IP addresses and map the remote IPSec router's local IP addresses to other (nonoverlapping) virtual IP addresses. Take Section 14. 6. 1. 1 on page 252 as an example of overlapping local and remote IP addresses. You can set up virtual address mapping on both IPSec routers to allow computers on network X to access network X and network Y computers with the same IP address. · You set ZyWALL A to change the source IP addresses of packets from local network X (192. 168. 1. 2 to 192. 168. 1. 4) to virtual IP addresses 10. 0. 0. 2 to 10. 0. 0. 4 before sending them through the VPN tunnel. · You set ZyWALL B to change the source IP addresses of packets from the remote network Y (192. 168. 1. 2 to 192. 168. 1. 27) to virtual IP addresses 172. 21. 2. 2 to 172. 21. 2. 27 before sending them through the VPN tunnel. 252 ZyWALL 2 Plus User's Guide Chapter 14 IPSec VPN · On ZyWALL A, you specify 172. 21. 2. 2 to 172. 21. 2. 27 as the remote network. On ZyWALL B, you specify 10. 0. 0. 2 to 10. 0. 0. 4 as the remote network. Figure 166 Virtual Mapping of Local and Remote Network IP Addresses Computers on network X use IP addresses 192. 168. 1. 2 to 192. 168. 1. 4 to access local network devices and IP addresses 172. 21. 2. 2 to 172. 21. 2. 27 to access the remote network devices. Computers on network Y use IP addresses 192. 168. 1. 2 to 192. 168. 1. 27 to access local network devices and IP addresses 10. 0. 0. 2 to 10. 0. 0. 4 to access the remote network devices. 14. 6. 3 Active Protocol The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). The ZyWALL and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. 14. 6. 4 Encapsulation There are two ways to encapsulate packets. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks. ZyWALL 2 Plus User's Guide 253 Chapter 14 IPSec VPN The ZyWALL and remote IPSec router must use the same encapsulation. These modes are illustrated below. Figure 167 VPN: Transport and Tunnel Mode Encapsulation Original Packet IP Header TCP Header AH/ESP Header AH/ESP Header Data Transport Mode Packet IP Header TCP Header IP Header Data Tunnel Mode Packet IP Header TCP Header Data In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers: · Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec router, whichever is the destination. · Inside header: The inside IP header contains the IP address of the computer behind the ZyWALL or remote IPSec router. The header for the active protocol (AH or ESP) appears between the IP headers. With AH, the ZyWALL includes part of the original IP header when it encapsulates the packet. [. . . ] incoming protocol filter 473 Internet access setup 67, 475 Internet Assigned Number Authority. Internet Assigned Numbers AuthoritySee IANA 622 Internet Protocol Security. IP address assignment 476, 493 pool 125, 128, 163, 173, 471 private 124 IP alias 473 IP alias setup 473 DMZ 481 IP protocol type 198 IP static route 497 active 498 destination IP address 498 name 498 route number 498 IPSec 235 IPSec SA active protocol 253 authentication algorithms 239, 245 authentication key (manual keys) 262 encapsulation 253 encryption algorithms 239, 245 encryption key (manual keys) 262 local policy 251 manual keys 262 nail up 244 Perfect Forward Secrecy (PFS) 254 proposal 254 remote policy 251 SA life time 243 Security Parameter Index (SPI) (manual keys) 262 transport mode 253 tunnel mode 253 when IKE SA is disconnected 244, 251 IPSec SA. ISP parameters 68 L LAN 126 port filter setup 469 setup 469 license key 119 link type 57 loading a configuration file 440 log 540 log and trace 540 log facility 542 login screen 446 M MAC address 144, 460 main menu commands 446 maintenance 427 Management Information Base. [. . . ]