User manual ZYXEL ZYWALL USG ZLD 2.21 SUPPORT NOTES

[. . . ] ZyWALL USG ZLD 2. 21 Support Notes Revision 1. 00 August, 2010 Written by CSO ZyXEL ­ ZyWALL USG Support Notes Table of Contents Scenario 1 -- Connecting your USG to the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. 1 Application Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. 2 Configuration Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Scenario 2 -- WAN Load Balancing and Customized Usage of WAN Connection for Specific Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [. . . ] The USG can provide secure site-to-site access between remote locations and corporate resources through the Internet. Using IPSec VPN, companies can secure connections to branch offices, partners and headquarters as the illustration below. All contents copyright (c) 2010 ZyXEL Communications Corporation. 27 ZyXEL ­ ZyWALL USG Support Notes 4. 2 Configuration Guide Network Conditions: USG-50: WAN IP: 59. 124. 163. 152 Local subnet: 192. 168. 50. 0/24 ZyWALL-5 UTM: WAN IP: 10. 59. 1. 50 Local subnet: 192. 168. 5. 0/24 IPSec VPN Conditions: Phase 1: Authentication: 1234567890 Local/Peer ID type: IP 0. 0. 0. 0 Negotiation: Main mode Encryption Algorithm: 3DES Authentication Algorithm: MD5 Key Group: DH1 Phase 2: Encapsulation Mode: Tunnel Active Protocol: ESP Encryption Algorithm: DES Authentication Algorithm: SHA1 Perfect Forward Secrecy: None Goal to achieve: Build up the IPSec VPN tunnel between USG-50 and ZyWALL-5 UTM with the above configuration. All contents copyright (c) 2010 ZyXEL Communications Corporation. 28 ZyXEL ­ ZyWALL USG Support Notes ZLD configuration Step 1. Click CONFIGURATION > VPN > IPSec VPN > VPN Gateway to open the configuration screen. Click SECURITY > VPN > VPN RULES (IKE) to open the configuration Step 2. To configure the VPN gateway rule, user needs to fill in: VPN gateway name Gateway address; both local (My Address) and peer (Peer GW Address) Authentication setting Pre-Shared Key ID Type setting (Local and Peer side) Negotiation mode Encryption algorithm Authentication algorithm Key Group Step 3. To configure the gateway policy, user needs to fill in: Policy name Gateway information; both local (My ZyWALL) and peer (Remote GW) Authentication setting Pre-Shared Key ID Type setting (Local and Peer side) Negotiation mode Encryption algorithm Authentication algorithm Key Group Phase-1 setting Configure the IKE proposal All contents copyright (c) 2010 ZyXEL Communications Corporation. 29 ZyXEL ­ ZyWALL USG Support Notes All contents copyright (c) 2010 ZyXEL Communications Corporation. 30 ZyXEL ­ ZyWALL USG Support Notes Step 4. Click CONFIGURATION > VPN > IPSec VPN > VPN Connection to open the configuration screen to configure the phase-2 rule. To configure the phase-2 rule, user needs to fill in: VPN connection name VPN gateway selection Policy for Local network side Remote network side Active protocol Encapsulation mode Encryption algorithm Authentication algorithm Perfect Forward Secrecy Policy name The gateway rule it is applied to Tunnel policy for Local network side Remote network side Encapsulation mode Active protocol Encryption algorithm Authentication algorithm Perfect Forward Secrecy Configure the IPSec proposal Phase-2 settings All contents copyright (c) 2010 ZyXEL Communications Corporation. 31 ZyXEL ­ ZyWALL USG Support Notes All contents copyright (c) 2010 ZyXEL Communications Corporation. 32 ZyXEL ­ ZyWALL USG Support Notes Step 6. After saving the network policy, user can see the IPSec VPN configuration is complete. After the VPN tunnel is established, user can find the SA information on SECURITY > VPN > SA Monitor. All contents copyright (c) 2010 ZyXEL Communications Corporation. 33 ZyXEL ­ ZyWALL USG Support Notes Step 7. After setting the rule, user can select the rule and click the Connect button to establish the VPN link. Once the tunnel is established, a connected icon will be displayedin front of the rule. Step 8. When the VPN tunnel is established, user can find the SA information on MONITOR > VPN MONITOR > IPSec. All contents copyright (c) 2010 ZyXEL Communications Corporation. 34 ZyXEL ­ ZyWALL USG Support Notes Scenario 5 -- Secure client-to-site connections using IPSec VPN 5. 1 Application Scenario The ZyWALL USG Series can provide secure access between remote locations and corporate resources through the Internet for organizations of any size. Using IPSec VPN, companies can secure connections to branch offices, partners and headquarters. Road warriors and telecommuters can use SSL or L2TP VPN to safely access the company network without having to install VPN software. ZyWALL USG Series provides a flexible and easy way to enable mobile employees, vendors and partners to confidentially access your network resource for better efficiency. All contents copyright (c) 2010 ZyXEL Communications Corporation. 35 ZyXEL ­ ZyWALL USG Support Notes 5. 2 Configuration Guide Network Conditions: USG-50: WAN IP: 10. 59. 1. 39 Local subnet: 192. 168. 50. 0/24 ZyWALL-5 UTM: WAN IP: 10. 59. 1. 50 Local subnet: 192. 168. 5. 0/24 IPSec VPN Conditions: Phase 1: Authentication: 1234567890 Local/Peer ID type: IP 0. 0. 0. 0 Negotiation: Main mode Encryption Algorithm: 3DES Authentication Algorithm: MD5 Key Group: DH1 Phase 2: Encapsulation Mode: Tunnel Active Protocol: ESP Encryption Algorithm: DES Authentication Algorithm: SHA1 Perfect Forward Secrecy: None Goal to achieve: Build up an IPSec VPN tunnel for mobile user's dynamic access to USG-50 or ZyWALL-5 UTM with the above configuration. All contents copyright (c) 2010 ZyXEL Communications Corporation. 36 ZyXEL ­ ZyWALL USG Support Notes ZLD configuration Step 1. Click CONFIGURATION > VPN > IPSec VPN > VPN Gateway to open the configuration screen. Click SECURITY > VPN > VPN RULES (IKE) to open the configuration Step 2. To configure the VPN gateway rule, user needs to fill in: VPN gateway name Gateway address; both local (My Address) and peer (Dynamic Address) Authentication setting Pre-Shared Key ID Type setting (Local and Peer side) Negotiation mode Encryption algorithm Authentication algorithm Key Group Step 3. To configure the gateway policy, user needs to fill in: Policy name Gateway information; both local (My ZyWALL) and peer ("0. 0. 0. 0" for dynamic access) Authentication setting Pre-Shared Key ID Type setting (Local and Peer side) Negotiation mode Encryption algorithm Authentication algorithm Key Group Phase-1 setting Configure the IKE proposal All contents copyright (c) 2010 ZyXEL Communications Corporation. 37 ZyXEL ­ ZyWALL USG Support Notes All contents copyright (c) 2010 ZyXEL Communications Corporation. 38 ZyXEL ­ ZyWALL USG Support Notes Step 4. Click CONFIGURATION > VPN > IPSec VPN > VPN Connection to open the configuration screen to configure the phase-2 rule. Go back to the previous page, to see the newly created IKE rule with the destination Dynamic. [. . . ] Insert an access policy. All contents copyright (c) 2010 ZyXEL Communications Corporation. 80 ZyXEL ­ ZyWALL USG Support Notes Add a profile which allows users to serf all websites. Set action When Category Server is Unavailable to "Warn and Log". Check all the unsafe categories, and leave all the managed categories as unchecked. Add a policy to meet the requirement that during office hours, employees should be prevented from accessing some websites, and that the manager (192. 168. 1. 50) is not restricted. [. . . ]