User manual ZYXEL ZYWALL 2WG

[. . . ] ZyWALL 2WG Internet Security Appliance User's Guide Version 4. 02 1/2007 Edition 1 www. zyxel. com About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology. Related Documentation · Quick Start Guide The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access. [. . . ] It also finishes the Diffie-Hellman key exchange, authenticates the ZyWALL, and sends its (unencrypted) identity to the ZyWALL for authentication. Step 3: The ZyWALL authenticates the remote IPSec router and confirms that the IKE SA is established. 264 ZyWALL 2WG User's Guide Chapter 14 IPSec VPN Aggressive mode does not provide as much security as main mode because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication (for example, telecommuters). 14. 3. 1. 5 VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 148 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. This feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Section 14. 6. 2 on page 273 for more information about active protocols. ) If router A does not have an IPSec pass-through or if the active protocol is AH, you can solve this problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to the IKE SA and IPSec SA packets. If you configure router A to forward these packets unchanged, router X and router Y can establish a VPN tunnel. · Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header. ) The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ZyWALL and remote IPSec router support. 14. 4 Additional IPSec VPN Topics This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted. 14. 4. 1 SA Life Time SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations: · There is traffic when the SA life time expires · The IPSec SA is configured on the ZyWALL as nailed up (see below) ZyWALL 2WG User's Guide 265 Chapter 14 IPSec VPN Otherwise, the ZyWALL must re-negotiate the SA the next time someone wants to send traffic. If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected. An IPSec SA can be set to nailed up. Normally, the ZyWALL drops the IPSec SA when the life time expires or after two minutes of outbound traffic with no inbound traffic. If you set the IPSec SA to nailed up, the ZyWALL automatically renegotiates the IPSec SA when the SA life time expires, and it does not drop the IPSec SA if there is no inbound traffic. The SA life time and nailed up settings only apply if the rule identifies the remote IPSec router by a static IP address or a domain name. If the Remote Gateway Address field is set to 0. 0. 0. 0, the ZyWALL cannot initiate the tunnel (and cannot renegotiate the SA). 14. 4. 2 IPSec High Availability IPSec high availability (also known as VPN high availability) allows you to use a redundant (backup) VPN connection to another WAN interface on the remote IPSec router if the primary (regular) VPN connection goes down. In the following figure, if the primary VPN tunnel (A) goes down, the ZyWALL uses the redundant VPN tunnel (B). Figure 149 IPSec High Availability When setting up a IPSec high availability VPN tunnel, the remote IPSec router: · Must have multiple WAN connections · Only needs the configure one corresponding IPSec rule 266 ZyWALL 2WG User's Guide Chapter 14 IPSec VPN · Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections · Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0. 0. 0. 0) · Should use a WAN connectivity check to this ZyWALL's WAN IP address If the remote IPSec router is not a ZyWALL, you may also want to avoid setting the IPSec rule to nailed up. 14. 4. 3 Encryption and Authentication Algorithms In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The encryption algorithms are listed here in order from weakest to strongest. · Data Encryption Standard (DES) is a widely used (but breakable) method of data encryption. It iterates three times with three separate keys, effectively tripling the strength of DES. · Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. [. . . ] menu overview 473 Message Integrity Check (MIC) 684 metric 135, 347, 490, 524, 527, 531 MIB 399 MSDU. see MAC service data unit 186 multicast 115, 176, 490, 500, 527 multiple WAN 131 myZyXEL. com 107 N nailed-up connection 524, 525 NAT 114, 329, 339, 340, 489, 505, 526, 527, 566 and VPN 265 application 331 configuring 535 default server IP address 339 definitions 329 examples 543 how NAT works 330 in the SMT 533 inside global address 329 inside local address 329 Many to Many No Overload 332 Many to Many Overload 332 Many to One 332 mapping types 332 NAT unfriendly applications 548 One to One 332 ordering rules 538 port forwarding 338 port restricted cone 332 Server 333 server set 535 Single User Account 333 trigger port forwarding 550 what NAT does 330, 335 NAT traversal 265, 405 navigation panel 65 NBNS 116, 118 NetBIOS 118 NetBIOS Name Server. NNTP service 339 NTP time protocol 455 M MAC address 142, 183, 484 filter 196 MAC address filter 183 MAC service data unit 186 main menu commands 470 maintenance 451 Management Information Base. managing subscription services 107 managing the device good habits 52 using FTP. [. . . ]