
ZyXEL Prestige 202H Plus v2


Contents

1. Multiple Link Options:
     Max Trans Rate (Kbps)= 128
   Callback Budget Management:
     Allocated Budget (min)= 0
     Period (hr)= 0
   Press ENTER to Confirm or ESC to Cancel

   Key Settings:
   o Set Mutual Authen to Yes.
   o Set PAP Login to the appropriate login name.
   o Set PAP Password to the appropriate login password.
   o If the Cisco router requests CHAP, you have to configure more settings in Menu 11 as follows.

   All contents copyright 2006 ZyXEL Communications Corporation. ZyXEL P-202H Plus v2 Support Notes.

   Menu 11.1 - Remote Node Profile
     Rem Node Name= LAN2                   Edit PPP Options= No
     Active= Yes                           Rem IP Addr= 140.113.1.1
     Call Direction= Both                  Edit IP= No
     Incoming:                             Telco Option:
       Rem Login= cisco_hostname             Transfer Type= 64K
       Rem Password=                         Allocated Budget (min)=
       Rem CLID= N/A                         Period (hr)=
       Call Back= N/A                        Schedules=
     Outgoing:                               Carrier Access Code=
       My Login= P-202H Plus v2_systemname   Nailed-Up Connection= No
       My Password=                          Toll Period (sec)= 0
       Authen= CHAP/PAP                    Session Options:
       Pri Phone #= 10000                    Edit Filter Sets= No
       Sec Phone #=                          Idle Timeout (sec)= 100
   Press ENTER to Confirm or ESC to Cancel

   Key Settings:
   o Set Incoming Rem Login to the Cisco device hostname.
   o Set Incoming Rem Password to be the same as Outgoing My Password.
   o Set Outgoing My Login to the System Name value in SMT Menu 1.
   Note: In this case the Cisco device must be configured as a remote node, but NOT as a remote user.
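The key settings above only work because CHAP (RFC 1994) makes each side look up the *peer's* login name to find the shared secret, which is why Incoming Rem Login/Rem Password on the Prestige must pair with the Cisco's hostname and password, and Outgoing My Login with the Menu 1 system name. The following Python is an added example (not ZyXEL's or Cisco's code) that runs the challenge/response in both directions, as Mutual Authen= Yes requires; the peer names, secrets and challenges are constructed for the example.

```python
"""CHAP (RFC 1994) challenge/response for a PPP link with mutual authentication.

Added example, not ZyXEL's or Cisco's code. Peer names, secrets and
challenges are constructed.
"""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 4.1: Response Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class PppPeer:
    """One end of the link. `secrets` maps the peer's login name to the shared
    secret: on the Prestige that is Rem Login -> Rem Password, on a Cisco the
    `username <name> password <secret>` entry for the Prestige's system name."""

    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = dict(secrets)

    def answer(self, ident: int, challenge: bytes, challenger: str):
        """Build the CHAP Response for a Challenge sent by `challenger`.
        Returns None when we hold no secret for that name (the link fails)."""
        secret = self.secrets.get(challenger)
        if secret is None:
            return None
        return chap_response(ident, secret, challenge)

    def verify(self, ident: int, challenge: bytes, response, responder: str) -> bool:
        """Check a Response against the secret stored for `responder`."""
        secret = self.secrets.get(responder)
        if secret is None or response is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def mutual_authenticate(a: PppPeer, b: PppPeer, challenge_a: bytes = None,
                        challenge_b: bytes = None):
    """Both sides challenge the other (Mutual Authen= Yes).
    Returns (a_accepts_b, b_accepts_a); the link only comes up if both are True."""
    challenge_a = challenge_a or os.urandom(16)
    challenge_b = challenge_b or os.urandom(16)
    # a -> b: Challenge(id=1); b -> a: Response; a verifies using b's name
    a_accepts_b = a.verify(1, challenge_a, b.answer(1, challenge_a, a.name), b.name)
    # b -> a: Challenge(id=2); a -> b: Response; b verifies using a's name
    b_accepts_a = b.verify(2, challenge_b, a.answer(2, challenge_b, b.name), a.name)
    return a_accepts_b, b_accepts_a


if __name__ == "__main__":
    # Constructed peers matching the menu above: the Prestige knows the Cisco
    # by its hostname, the Cisco knows the Prestige by its Menu 1 system name.
    prestige = PppPeer("P-202H Plus v2_systemname", {"cisco_hostname": b"s3cret"})
    cisco = PppPeer("cisco_hostname", {"P-202H Plus v2_systemname": b"s3cret"})
    print(mutual_authenticate(prestige, cisco))       # (True, True)
    cisco_bad = PppPeer("cisco_hostname", {"P-202H Plus v2_systemname": b"other"})
    print(mutual_authenticate(prestige, cisco_bad))   # (False, False)
```

Two caveats for a practitioner: CHAP never puts the secret on the wire, but a captured challenge/response pair can be attacked offline by guessing the password, so use a long one; and with Authen= CHAP/PAP the Prestige also accepts PAP, which sends the password in clear, so prefer CHAP alone where the peer supports it.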
2. [Menu 11.1 - Remote Node Profile, continued]
     Session Options:
       Authen= CHAP/PAP
       Edit Filter Sets= Yes
       Pri Phone #= 4125678
       Idle Timeout (sec)= 300
       Sec Phone #=
   Press ENTER to Confirm or ESC to Cancel

   Menu 11.5 - Remote Node Filter
     Input Filter Sets:
       protocol filters=
       device filters=
     Output Filter Sets:
       protocol filters=
       device filters=
     Call Filter Sets:
       protocol filters= 1
       device filters=

   4. If you want to prevent this client from accessing the Internet or the remote node, you can apply this filter set in SMT Menu 3.1, in the protocol filter of the Input Filter Sets:

   Menu 3.1 - General Ethernet Setup
     Input Filter Sets:
       protocol filters= 1
       device filters=
     Output Filter Sets:
       protocol filters=
       device filters=

   After this filter set is applied to this field, the client 192.168.1.5 will no longer be allowed to access the Internet or the remote node.

   A filter for blocking a specific MAC address

   This configuration example shows how to use a Generic Filter to block a specific MAC address on the LAN.

   Before you begin: before you configure the filter you need to know the MAC address of the client. The MAC address is printed on, or reported by, the NIC. If LAN packets are passing through the P-202H Plus v2, you can also identify the MAC address from the P-202H Plus v2's LAN packet trace. The following example shows a trace of the LAN packets.
3. [Windows 2000 IPSec policy, continued]
   2. Select the second filter list you created above from the IP Filter List, for example "P-202H Plus v2 to WIN2K".
   [Screenshot: Edit Rule Properties, IP Filter List tab. "The selected IP filter list specifies which network traffic will be secured with this rule." IP Filter Lists: New IP Filter List; WIN2K to ZyWALL; ZyWALL to WIN2K (selected). Add / Edit / Remove.]
   3. Click the Tunnel Setting tab and enter the remote endpoint. For this filter list the remote IPSec endpoint is WIN2K (172.21.1.232).
   [Screenshot: Edit Rule Properties, Tunnel Setting tab, tunnel endpoint 172.21.1.232]
   4. Click the Connection Type tab and click "All network connections" (or click "LAN connections" if your WIN2K is connected to a LAN rather than to an ISP). In our example we choose All network connections.
   [Screenshot: Edit Rule Properties, Connection Type tab]
   5. Click the Filter Action tab and select the filter action you created.
   [Screenshot: Edit Rule Properties, Filter Action tab. "The selected filter action specifies whether this rule negotiates for secure network traffic and how it will secure the traffic." Filter Actions: IKE (selected); New Filter Action.]
4. [VPN rule page, continued]
     Local:  IP Address Start= <PC1 IP>        End / Subnet Mask= 0.0.0.0
     Remote: Remote Address Type= Single IP Address
             IP Address Start= <PC2 IP>        End / Subnet Mask= 0.0.0.0
     Local ID Type= IP    Content= 0.0.0.0    My IP Address= <A WAN IP>
     Peer ID Type= IP     Content= 0.0.0.0    Secure Gateway IP Address= <B WAN IP>
     Encapsulation Mode= Tunnel
     Security Protocol: VPN Protocol= ESP    Pre-Shared Key= 2345678
     Encryption Algorithm= DES    Authentication Algorithm= MD5
     [Back] [Apply] [Cancel] [Delete]

   2. Setup Cisco
   There are two ways to configure the Cisco VPN: use commands from the console, or use Cisco ConfigMaker. Cisco ConfigMaker is an easy-to-use Windows 98/Me/NT/2000 application that configures Cisco routers, switches, hubs and other devices. We will guide you through setting up IPSec with Cisco ConfigMaker in section 2.1. If you prefer to use commands from the console, please go to section 2.2.

   2.1 Setup Cisco by ConfigMaker
   You can download Cisco ConfigMaker from http://www.cisco.com/warp/public/cc/pd/nemnsw/cm/index.shtml
   1. Select the AutoDetect Device Wizard in the Devices window.
   2. Make sure that the console has been connected to your PC. If the router is detected successfully, a Cisco router should appear in the Network Diagram window.
   3. Right-click and choose Device Properties. In Pa
5. 9. In the Certificates snap-in dialog box, select "Computer account" and click Next.
   [Screenshot: Certificates snap-in. "This snap-in will always manage certificates for: My user account / Service account / Computer account". Back / Next / Cancel.]
   10. Verify that "Local computer" (the default setting) is selected and click Finish.
   [Screenshot: Select Computer. "Select the computer you want this snap-in to manage. This snap-in will always manage: Local computer (the computer this console is running on) / Another computer (Browse). Allow the selected computer to be changed when launching from the command line. This only applies if you save the console." Finish / Cancel.]
   11. Click Close to close the Add Standalone Snap-in dialog box.
   [Screenshot: Add Standalone Snap-in. Available standalone snap-ins: ActiveX Control, Certificates, Component Services, Computer Management, Device Manager (Microsoft Corporation); Disk Defragmenter (Executive Software Intl); Disk Management (VERITAS Software Corp); Event Viewer, Fax Service Management, Folder (Microsoft Corporation). Description: "The Certificates snap-in allows you to browse the contents of the certificate stores for yourse]
6. Menu 27.1.1.1 - IKE Setup
     Phase 1
       Negotiation Mode= Main
       Pre-Shared Key= 12345678
       Encryption Algorithm= 3DES
       Authentication Algorithm= MD5
       SA Life Time (Seconds)= 9600
       Key Group= DH2
     Phase 2
       Active Protocol= ESP
       Encryption Algorithm= 3DES
       Authentication Algorithm= SHA1
       SA Life Time (Seconds)= 3600
       Encapsulation= Tunnel
       Perfect Forward Secrecy (PFS)=
   Press ENTER to Confirm or ESC to Cancel

   SSH Sentinel to P-202H Plus v2 Tunneling (Sentinel static IP to P-202H Plus v2 static IP)

   This page guides us through setting up a VPN connection between the Sentinel software and the P-202H Plus v2 router. Two devices need to be set up for this case: the Sentinel software and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1 (with Sentinel installed) and the P-202H Plus v2 keeps the packets flowing between them secure, because packets that pass through the IPSec tunnel are encrypted. The settings required on Sentinel and on the P-202H Plus v2 are explained in the following sections. As the red pipe in the figure shows, the tunneling endpoints are Sentinel and the P-202H Plus v2.
   [Figure: PC 1 (Sentinel) - Internet - Prestige, IPSec tunnel between them]
   The IP addresses we use in this example are as shown below:
     Prestige LAN: 192.168.1.1    Prestige WAN: 172.21.1.252
     LAN host: 192.168.1.33       PC 1 (Sentinel): 172.21.1.232
   1. Setup Sentinel
   1. From T
7. [Screenshot: SSH Sentinel key management, Remove / Properties / View. Description: "The keys that are used for authenticating the local host." OK / Cancel.]
   6. Switch to the Security Policy tab, choose VPN Connections and then press Add.
   [Screenshot: SSH Sentinel Policy Editor, Security Policy tab: Default; Pre-IPSec Filter; VPN Connections (Add a Secured Connection); Secured Networks; Default Response; Post-IPSec Filter (Allow all traffic). Add / Remove / Properties / Diagnostics. Description: "A virtual private network is created when the local host establishes an IPSec-protected connection to a remote private network through a security gateway."]
   7. The Add VPN Connection window will pop up. Press the IP button beside the Gateway Name box and enter the P-202H Plus v2's WAN IP address in Gateway IP address.
   [Screenshot: Add VPN Connection. Gateway IP address: 172.21.1.252; Remote network; Authentication key: checkpoint certificate; Use legacy proposal. Diagnostics / Properties / Cancel.]
   8. Press the button beside Remote network.
   [Screenshot: Add VPN Connection, Gateway IP address field]
8. Rule 2: Destination port number 137 with protocol number 17 (UDP)

   Menu 21.1.2 - TCP/IP Filter Rule
     Filter #: 1,2
     Filter Type= TCP/IP Filter Rule
     Active= Yes
     IP Protocol= 17    IP Source Route= No
     Destination: IP Addr= 0.0.0.0
                  IP Mask= 0.0.0.0
                  Port #= 137
                  Port # Comp= Equal
     Source:      IP Addr= 0.0.0.0
                  IP Mask= 0.0.0.0
                  Port #= 0
                  Port # Comp= None
     TCP Estab= N/A
     More= No    Log= None
     Action Matched= Drop
     Action Not Matched= Check Next Rule
   Press ENTER to Confirm or ESC to Cancel

   Rule 3: Destination port number 138 with protocol number 6 (TCP)

   Menu 21.1.3 - TCP/IP Filter Rule
     Filter #: 1,3
     Filter Type= TCP/IP Filter Rule
     Active= Yes
     IP Protocol= 6     IP Source Route= No
     Destination: IP Addr= 0.0.0.0
                  IP Mask= 0.0.0.0
                  Port #= 138
                  Port # Comp= Equal
     Source:      IP Addr= 0.0.0.0
                  IP Mask= 0.0.0.0
                  Port #= 0
                  Port # Comp= None
     TCP Estab= No
     More= No    Log= None
     Action Matched= Drop
     Action Not Matched= Check Next Rule
   Press ENTER to Confirm or ESC to Cancel

   Rule 4: Destination port number 138 with protocol number 17 (UDP)

   Menu 21.1.4 - TCP/IP Filter Rule
     Filter #: 1,4
     Filter Type= TCP/IP Filter Rule
     Active= Yes
     IP Protocol= 17    IP Source Route= No
     Destination: IP Addr= 0.0.0.0
                  IP Mask= 0.0.0.0
                  Port #= 138
                  Port
9. Menu 21.2 - Filter Rules Summary
     # A Type Filter Rules                                    M m n
     1 Y IP   Pr=6  SA=0.0.0.0 DA=0.0.0.0 DP=137              N D N
     2 Y IP   Pr=17 SA=0.0.0.0 DA=0.0.0.0 DP=137              N D N
     3 Y IP   Pr=6  SA=0.0.0.0 DA=0.0.0.0 DP=138              N D N
     4 Y IP   Pr=17 SA=0.0.0.0 DA=0.0.0.0 DP=138              N D N
     5 Y IP   Pr=6  SA=0.0.0.0 DA=0.0.0.0 DP=139              N D N
     6 Y IP   Pr=17 SA=0.0.0.0 DA=0.0.0.0 DP=139              N D F
   (M = More, m = Action Matched, n = Action Not Matched; D = Drop, F = Forward, N = Check Next Rule)

   Apply the filter set NetBIOS_WAN to the Protocol Filter of the Call Filter Sets in the remote node setup (Menu 11.5) for it to take effect. You can enter Menu 11.5 by setting Edit Filter Sets in Menu 11.1 to Yes.

   Menu 11.1 - Remote Node Profile
     Rem Node Name= hinet                 Route= IP
     Active= Yes                          Bridge= No
     Call Direction= Outgoing             Edit PPP Options= No
     Incoming:                            Rem IP Addr= 0.0.0.0
       Rem Login= N/A                       Edit IP/IPX/Bridge= No
       Rem Password= N/A                  Telco Option:
       Rem CLID= N/A                        Allocated Budget (min)= 0
       Call Back= N/A                       Period (hr)= 0
     Outgoing:                              Transfer Type= 64K
       My Login= masterbc                   Nailed-Up Connection= No
       My Password=                       Session Options:
       Authen= CHAP/PAP                     Edit Filter Sets= Yes
       Pri Phone #= 4125678                 Idle Timeout (sec)= 300
       Sec Phone #=
   Press ENTER to Confirm or ESC to Cancel

   Menu 11.5 - Remote Node Filter
     Input Filter Sets:
       protocol filters=
       device filters=
     Output Filter Sets:
       protocol filters=
       device filters=
     Call Filter Sets:
       protocol filters=
10. See the screenshot:
    [Screenshot: VPN Properties. Encryption: 56-bit DES / 56-bit DES. Authentication: MD5 (Message Digest) / MD5 (Message Digest).]
    9. Choose the Cisco router and click Deliver to save the settings.
    See the screenshot:
    [Screenshot: Untitled - Cisco ConfigMaker v2.5.1. Toolbar: New, Open, Save, Undo, Redo, Cut, Copy, Paste, Delete, Detect, Firewall, Deliver, Ping, Tutorial. Devices window (AutoDetect Device Wizard; Routers: Cisco 800, 1000, 1600, 1700, 1710, 1720, 1750, 1751, 2500, 2600, 3600, 4000 series; Voice Devices), Network Diagram window with the Deliver Configuration wizard selected. Help text: "Draw your Network Diagram: select a device from the Devices window and click in the Network Diagram window. To connect two devices, select a connection from the Connections window, click the first device in the Network Diagram and then click the second device to complete the connection. Deliver Configuration: when the device is blue, select the device and download the IOS configuration to it using the Deliver Configuration wizard."]
11. [Screenshot: NetScreen VPN gateway settings, continued. Phase 2 Proposals: none listed; VPN Monitor; Enable Transport Mode (for L2TP over IPSec only). OK / Cancel.]
    9. After all the above settings have been completed, you can start to access the remote secure PC. If the VPN is established successfully, you can see the traffic flow in the Traffic Log by clicking the Log menu. See the following screenshot.
    [Screenshot: NetScreen-5 Administration Tools in Internet Explorer, http://192.168.78.1/, Traffic Log. Source Remote Secure Host -> Destination Local Secure Host, Service ANY, 20 entries, View log entries. Source Local Secure Host -> Destination Remote Secure Host, Service ANY, 140 entries, View log entries.]
    You can also see the current active user in the Active Log by clicking the Log menu. See the following screenshot.
    [Screenshot: NetScreen-5 Administration Tools in Internet Explorer, http://192.168.78.1/, Active Log]
12. 00:00:03.18   8 bytes  LAPD D TE C SAPI=63 TEI=127 UI P=0
      00001111   Layer management
      00000001   Reference Number MSB
      00000000   Reference Number LSB (256)
      00000001   Message Type: Identity request
      1111111    Action indicator 127
      1          Extension bit (final octet)
    00:00:03.19   8 bytes  LAPD D NT C SAPI=63 TEI=127 UI P=0
      00001111   Layer management
      00000001   Reference Number MSB
      00000000   Reference Number LSB (256)
      00000010   Message Type: Identity assigned
      1100001    Action indicator 97
      1          Extension bit (final octet)
    00:00:03.19   3 bytes  LAPD D TE C SAPI=0 TEI=97 SABME P=1
    00:00:03.20   3 bytes  LAPD D NT R SAPI=0 TEI=97 UA F=1
    00:00:03.23  36 bytes  LAPD D TE C SAPI=0 TEI=97 INFO P=0 N(R)=0 N(S)=0
      28 bytes Layer 3: Orig -> CallRef=1, PD=Q.931, SETUP
      1  00000100   INFORMATION ELEMENT: Bearer Capability
      2  00000010   IE length 2 bytes
      3  1          Extension bit (not continued)
         00         Coding standard: CCITT coding standard
         01000      Info trans cap: Unrestricted Digital
      4  1          Extension bit (not continued)
         00         Transfer mode: Circuit Mode
         10000      Info trans rate: 64 kbps
      1  00011000   INFORMATION ELEMENT: Channel Identification
      2  00000001   IE length 1 byte
      3  1          Extension bit (not continued)
         0          Interface Id present: implicitly
         0          Interface type: basic interface
         0          Spare
         0          Preferred/Exclusive: preferred chan
13. 4. Dial-in User Setup
    Using an ISDN TA and Win9x Dial-Up Networking you can dial in to the P-202H Plus v2 router, with or without callback.
    - Introduction
    This configuration note explains how to set up a workstation using an ISDN TA to connect to the P-202H Plus v2 router. In this configuration the workstation must have a TCP/IP dial-up program installed, such as Windows Dial-Up Networking, to make the call. Once the connection is established the workstation will be able to run any TCP/IP application, e.g. FTP, Telnet, etc. Two items need to be set up for this connection: the workstation and the P-202H Plus v2 router.
    - Configuration
    [Figure: dial-in workstation and P-202H Plus v2; addresses shown as 192.66.153.1 and 192.608.133.2]
    - Setting up the Win9x Dial-Up Networking (DUN)
    To set up the DUN for this connection you will need to set the following parameters:
    o Phone number: the phone number of the P-202H Plus v2 router.
    o Internet account: username and password.
    o IP Address: in this case the IP address will be assigned dynamically by the P-202H Plus v2. Generally you should simply enter 0.0.0.0 into the IP address field.
    o DNS (Domain Name Server) Address: the IP address of the DNS server on the remote LAN.
    o Default Gateway: the IP address of the P-202H Plus v2.
    Please find the last three settings in Win9x > Dial-Up Networking > Prope
14. Connected to 192.168.1.1.
    Escape character is '^]'.
    Password:
    Copyright (c) 1999 ZyXEL Communications Corp.

    P-202H Plus v2 Main Menu
      Getting Started                      Advanced Management
        1. General Setup                     21. Filter Set Configuration
        2. ISDN Setup
        3. Ethernet Setup                    23. System Password
        4. Internet Access Setup             24. System Maintenance
      Advanced Applications
        11. Remote Node Setup
        12. Static Routing Setup
        13. Default Dial-in Setup
        14. Dial-in User Setup
        15. SUA Server Setup                 99. Exit
    Enter Menu Selection Number: 24

    Menu 24 - System Maintenance
      1. System Status
      2. System Information and Console Port Speed
      3. Log and Trace
      4. Diagnostic
      5. Backup Configuration
      6. Restore Configuration
      7. Software Update
      8. Command Interpreter Mode
      9. Call Control
    Enter Menu Selection Number: 8

    Copyright (c) 1999 ZyXEL Communications Corp.
    ras> sys stdio 0                   <-- no idle timeout, so the logged-in session stays open
    ras>                               (press Ctrl-] to escape to the telnet prompt)
    telnet> z
    [1]+ Stopped   telnet 192.168.1.1
    copwu@faelinux:~$ tftp
    tftp> connect 192.168.1.1
    tftp> binary                       <-- change to binary mode
    tftp> get rom-0 local.rom          <-- download the configuration
    tftp> get ras local.firmware       <-- download the firmware
    tftp> put local.rom rom-0          <-- upload the configuration
    tftp> put local.firmware ras       <-- upload the firmware

    Note: the suspended Telnet session must remain logged in while TFTP is used. TFTP itself has no authentication or encryption, and rom-0 holds the complete configuration including the system password, so run this only from a trusted LAN and protect the downloaded file.
15. [Screenshot: NetScreen-5 Administration Tools, Active Log: active user 192.168.73.5 with a Release button]
    3. P-202H Plus v2 vs 3rd Party VPN Software

    Checkpoint VPN to P-202H Plus v2 Tunneling

    This page guides us through setting up a VPN connection between Checkpoint VPN and the P-202H Plus v2 router. As the figure below shows, the tunnel between the P-202H Plus v2 and Checkpoint keeps the packets flowing between them secure, because packets that pass through the IPSec tunnel are encrypted. The settings required on the software and on the P-202H Plus v2 are explained in the following.
    [Figure: LAN 1 (172.16.16.0/24) - PC 1 - Checkpoint (62.2.237.177) - Internet - Prestige (217.20.195.73) - LAN 2 (192.168.99.0/24), IPSec tunnel between Checkpoint and Prestige]
    The IP addresses we use in this example are as shown above.
    1. Setup P-202H Plus v2
    Remove the default filter rule from Menu 3.1:

    Menu 3.1 - LAN Port Filter Setup
      Input Filter Sets:
        protocol filters=
        device filters=
      Output Filter Sets:
        protocol filters=
        device filters=
    Press ENTER to Confirm or ESC to Ca
16. ... of the Input Filter Sets in Menu 3, to block the packets coming from the LAN:

    Menu 3.1 - General Ethernet Setup
      Input Filter Sets:
        protocol filters= 2
        device filters=
      Output Filter Sets:
        protocol filters=
        device filters=

    6. UNIX syslog Setup
    - P-202H Plus v2 Setup

    Menu 24.3.2 - System Maintenance - UNIX Syslog and Accounting
      UNIX Syslog:
        Active= Yes
        Syslog IP Address= 192.168.1.33
        Log Facility= Local 1
      Types:
        CDR= No
        Packet triggered= No
        Filter log= No
        PPP log= No
        POTS log= No
        Firewall log= No

    Configuration:
    1. Active: use the space bar to turn the syslog option on.
    2. Syslog IP Address: enter the IP address of the UNIX server to which you wish to send the syslog.
    3. Log Facility: use the space bar to toggle between the 7 different local options.
    4. Types: use the space bar to select which logs to record.

    - UNIX Setup
    1. Make sure that your syslogd starts with the -r argument. This option enables the facility to receive messages from the network through an Internet domain socket with the syslog service; it is not enabled by default. Because -r accepts UDP/514 datagrams from any host, restrict the port with a host firewall to the router's address.
    2. Edit /etc/syslog.conf by adding the following line at the end of the file:
       local1.*    /var/log/zyxel.log
    Where
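To see what the Log Facility setting and the syslog.conf selector above actually do on the wire, the following Python is an added example (not ZyXEL's or syslogd's code) that decodes the PRI field of a syslog datagram (facility*8 + severity, so Local 1 = 17 and a local1.info message arrives as <142>) and routes it the way `local1.* /var/log/zyxel.log` would. The datagrams are constructed; the notes fix only the facility and the UDP/514 transport, not the text of each message. The source-address check is an editor's addition, since syslogd -r itself accepts datagrams from any host.

```python
"""Decode and route UDP syslog datagrams from a router set to facility Local 1.

Added example, not ZyXEL's or syslogd's code. Sample datagrams are constructed.
"""
import re
import socket

FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                  10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
                  18: "local2", 19: "local3", 20: "local4", 21: "local5",
                  22: "local6", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.S)


def parse_pri(datagram: bytes):
    """Split '<PRI>message' into (facility, severity, message).
    PRI = facility * 8 + severity (RFC 3164, section 4.1.1). Returns None
    for a datagram that does not carry a well-formed PRI."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                     # local7 (23) * 8 + debug (7) is the maximum
        return None
    facility, severity = divmod(pri, 8)
    name = FACILITY_NAMES.get(facility, "facility%d" % facility)
    msg = m.group(2).decode("ascii", "replace").rstrip("\r\n")
    return name, SEVERITY_NAMES[severity], msg


def route(datagram: bytes, src_ip: str, router_ip: str, facility: str = "local1"):
    """Return the line to append to /var/log/zyxel.log, or None to discard.
    Only datagrams from the router's address and with the configured
    facility are accepted (selector 'local1.*' means every severity)."""
    if src_ip != router_ip:
        return None
    parsed = parse_pri(datagram)
    if parsed is None or parsed[0] != facility:
        return None
    fac, sev, msg = parsed
    return "%s.%s %s %s" % (fac, sev, src_ip, msg)


def serve(router_ip: str, logfile: str = "zyxel.log", port: int = 514):
    """Minimal receiver: bind UDP/514 (needs root) and append accepted lines."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    with open(logfile, "a") as out:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            line = route(data, src, router_ip)
            if line:
                out.write(line + "\n")
                out.flush()


if __name__ == "__main__":
    # Constructed datagrams: 142 = local1(17)*8 + info(6); 134 = local0.info
    print(route(b"<142>Jan  1 00:00:01 ras: PPP link up", "192.168.1.1", "192.168.1.1"))
    print(route(b"<134>not from the router", "10.0.0.9", "192.168.1.1"))   # None
```

Run `serve("192.168.1.1")` as root on the host named in Syslog IP Address to collect the router's messages; anything with a different facility or from another source is dropped rather than mixed into the router's log.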
17. [IP Header, continued]
      Total Length= 0x0030 (48)
      Identification= 0xE702 (59138)    Flags= 0x02    Fragment Offset= 0x00
      Time to Live= 0x7F (127)    Protocol= 0x06 (TCP)    Header Checksum= 0x3ECF (16079)
      Source IP= 0xA31FEF01 (163.31.239.1)    Destination IP= 0xD2437191 (210.67.113.145)
    TCP Header
      Source Port= 0x2717 (10007)    Destination Port= 0x0050 (80)
      Sequence Number= 0x000BCB53 (772947)    Ack Number= 0x00000000 (0)
      Header Length= 28    Flags= 0x02
      Window Size= 0x2000 (8192)    Checksum= 0x9A63 (39523)    Urgent Ptr= 0x0000 (0)
      Options: 0000: 02 04 05 B4 01 01 04 02
    RAW DATA:
      0000: FF 03 00 21 45 00 00 30 E7 02 40 00 7F 06 3E CF   ...!E..0..@..>.
      0010: A3 1F EF 01 D2 43 71 91 27 17 00 50 00 0B CB 53   .....Cq.'..P...S
      0020: 00 00 00 00 70 02 20 00 9A 63 00 00 02 04 05 B4   ....p. ..c......
      0030: 01 01 04 02                                       ....

    <0001> PPP Frame: BRI0 RECV  Size= 48 (48)  Time= 1147.970 sec
      Frame Type: TCP 210.67.113.145:80 -> 163.31.239.1:10007
    PPP Header
      Protocol= 0x0021 (IP)
    IP Header
      IP Version= 4    Header Length= 20    Type of Service= 0x00 (0)    Total Length= 0x002C (44)
      Identification= 0xB0D4 (45268)    Flags= 0x02    Fragment Offset= 0x00
      Time to Live= 0x38 (56)    Protocol= 0x06 (TCP)    Header Checksum= 0xBC01 (48129)
      Source IP= 0xD2437191 (210.67.113.145)    Destination IP= 0xA31FEF01 (163.31.23
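The RAW DATA lines above are the complete XMIT frame, so every decoded field can be re-derived from them. The following Python is an added example (not ZyNOS code) that re-types those 52 bytes, parses PPP -> IPv4 -> TCP and, in addition to what the trace prints, verifies both the IP and the TCP checksum (the TCP checksum covers a pseudo-header built from the two addresses), decodes the option bytes (MSS 1460, two NOPs, SACK permitted) and names the flags. It is useful when a trace looks wrong: a failed checksum points at corruption on the link rather than at the router's filter.

```python
"""Parse a PPP-framed IPv4/TCP packet from a `sys trcd parse` RAW DATA dump and
verify its checksums.

Added example, not ZyNOS code. RAW_XMIT is the 52-byte XMIT frame from the
trace above (FF 03 = PPP address/control, 00 21 = IP).
"""
import struct

RAW_XMIT = bytes.fromhex(
    "FF 03 00 21 45 00 00 30 E7 02 40 00 7F 06 3E CF"
    "A3 1F EF 01 D2 43 71 91 27 17 00 50 00 0B CB 53"
    "00 00 00 00 70 02 20 00 9A 63 00 00 02 04 05 B4"
    "01 01 04 02"
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a header *including* its checksum
    field the result is 0 when the checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(opts: bytes) -> dict:
    """Decode the option bytes that follow the fixed 20-byte TCP header."""
    out = {"NOP": 0}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of option list
            break
        if kind == 1:                        # No-operation (padding)
            out["NOP"] += 1
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length %d" % length)
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            out["MSS"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            out["SACK_PERMITTED"] = True
        else:
            out["kind%d" % kind] = body.hex()
        i += length
    return out


def parse_frame(frame: bytes) -> dict:
    """Parse PPP (HDLC address/control) -> IPv4 -> TCP and verify both checksums."""
    if frame[:2] != b"\xff\x03":
        raise ValueError("expected PPP address/control FF 03")
    ppp_proto = struct.unpack("!H", frame[2:4])[0]
    if ppp_proto != 0x0021:
        raise ValueError("not an IP frame: PPP protocol 0x%04x" % ppp_proto)
    pkt = frame[4:]
    vihl, tos, total_len, ident, frag, ttl, proto, ip_csum = struct.unpack("!BBHHHBBH", pkt[:12])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or total_len > len(pkt):
        raise ValueError("bad IP length fields")
    info = {
        "ppp_protocol": ppp_proto, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "ip_flags": frag >> 13, "frag_offset": frag & 0x1FFF,
        "ttl": ttl, "proto": proto, "ip_checksum": ip_csum,
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }
    if proto != 6:
        return info
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, tcp_csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    # The TCP checksum also covers a pseudo-header: src, dst, zero, protocol, TCP length
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    info.update({
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "tcp_flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window, "tcp_checksum": tcp_csum, "urgent": urg,
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
        "options": parse_tcp_options(tcp[20:data_offset]),
        "payload": tcp[data_offset:],
    })
    return info


if __name__ == "__main__":
    for key, value in parse_frame(RAW_XMIT).items():
        print("%-16s %r" % (key, value))
```

Running it on the frame above reports both checksums as correct, the flags as ["SYN"] (the client's first packet to port 80) and the options as MSS 1460 with SACK permitted, matching the decoded fields the router printed.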
18. 2. Application-level Firewall
    3. Stateful Inspection Firewall

    Packet Filtering Firewalls generally make their decisions based on the header information of individual packets. This header information includes the source and destination addresses and ports of the packets.

    Application-level Firewalls are generally hosts running proxy servers, which permit no traffic directly between networks and which perform logging and auditing of the traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of a general-purpose operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by means of a proxy. A key drawback of this device is performance.

    Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also inspect the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency; however, they may lack the granular application-level access control or caching that some proxies support.

    4. What kind of firewall is the P-202H Plus v2?
    1. The P-202H Plus v2's firewall inspects packet contents and IP h
19. Note: In the Control Panel > Network window, click the TCP/IP entry to select it and click the Properties button. In the TCP/IP Properties window, select "Obtain an IP address automatically". Do not assign an arbitrary IP address and subnet mask to your PCs; otherwise you will not be able to access the Internet. Click the WINS Configuration tab and select "Disable WINS Resolution". Click the Gateway tab, highlight any installed gateways and click the Remove button until none are listed. Click the DNS Configuration tab and select "Disable DNS". Click OK to save and close the TCP/IP Properties window, then click OK to close the Network window. You will be prompted to insert your Windows CD or disk. When the drivers have been updated you will be asked whether you want to restart the PC. Make sure your P-202H Plus v2 is powered on before answering Yes to the prompt. Repeat the above steps for each Windows PC on your network.

    Setting up the P-202H Plus v2 router
    The following procedure is for the most typical usage of the P-202H Plus v2, where you have a single user account (SUA). The PNC (P-202H Plus v2 Network Commander) is a Windows-based tool that helps you configure your P-202H Plus v2 for Internet access easily. It is included in the P-202H Plus v2 package. Please install the PNC first, before configuring your P-202H Plus v2.
20. 9. What is a SYN Flood attack?
    A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer, which is set to a relatively long interval, terminates the TCP three-way handshake. Once the queue is full, the system ignores all incoming SYN requests, making it unavailable to legitimate users.

    10. What is a LAND attack?
    In a LAND attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target tries to respond to itself.

    11. What is a Brute-force attack?
    A brute-force attack, such as the Smurf attack, targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with useless data. A Smurf attacker floods the network with ICMP echo request packets whose destination IP address is the broadcast address of the network (and whose source address is spoofed to the victim's); the router broadcasts each ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will cr
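The three attacks above are all recognised by remembering state across packets rather than by looking at any one packet, which is the difference item 18 draws between packet filtering and stateful inspection. The following Python is an added example (not the P-202H Plus v2 firewall's own logic) of such tracking: it keeps the half-open handshakes per destination and refuses further SYNs once the backlog limit is reached, drops a SYN whose source equals its destination (LAND), and drops ICMP echo requests aimed at the LAN's directed-broadcast address (Smurf). The packet records, the backlog limit and the timeout are constructed for the illustration.

```python
"""Stateful tracking that detects SYN flood, LAND and Smurf traffic.

Added example, not the P-202H Plus v2 firewall. Packet records, backlog_limit
and syn_timeout are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Pkt:
    t: float            # arrival time, seconds
    src: str
    dst: str
    proto: str          # "tcp" | "udp" | "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP: letters S/A/R/F; ICMP: "echo-request" etc.


class Inspector:
    def __init__(self, lan="192.168.1.0/24", backlog_limit=128, syn_timeout=75.0):
        net = ipaddress.ip_network(lan)
        self.broadcast = str(net.broadcast_address)   # what a Smurf attack aims at
        self.backlog_limit = backlog_limit
        self.syn_timeout = syn_timeout
        self.half_open = {}     # (src, sport, dst, dport) -> time of the SYN
        self.alerts = []        # (kind, address), in order of first detection

    def _alert(self, kind, addr):
        if (kind, addr) not in self.alerts:
            self.alerts.append((kind, addr))

    def _expire(self, now):
        """Forget entries the backlog timer would have given up on."""
        for key in [k for k, t0 in self.half_open.items() if now - t0 > self.syn_timeout]:
            del self.half_open[key]

    def half_open_count(self, dst):
        return sum(1 for k in self.half_open if k[2] == dst)

    def process(self, p: Pkt) -> str:
        """Return 'accept' or 'drop' for one packet, updating the state."""
        self._expire(p.t)
        # Smurf: echo request to the broadcast address, which every host would
        # answer; the source is normally spoofed to the victim's address
        if p.proto == "icmp" and p.flags == "echo-request" and p.dst == self.broadcast:
            self._alert("SMURF", p.src)
            return "drop"
        if p.proto != "tcp":
            return "accept"
        key = (p.src, p.sport, p.dst, p.dport)
        if "S" in p.flags and "A" not in p.flags:        # a new SYN
            if p.src == p.dst:                           # LAND: target made to talk to itself
                self._alert("LAND", p.dst)
                return "drop"
            if self.half_open_count(p.dst) >= self.backlog_limit:
                self._alert("SYN_FLOOD", p.dst)          # the backlog queue would be full
                return "drop"
            self.half_open[key] = p.t
            return "accept"
        if "A" in p.flags or "R" in p.flags:
            # The client's ACK completes the handshake; a RST from either side
            # abandons it. The server's SYN-ACK travels the other way and is
            # keyed in reverse, so it leaves the half-open entry in place.
            self.half_open.pop(key, None)
            if "R" in p.flags:
                self.half_open.pop((p.dst, p.dport, p.src, p.sport), None)
        return "accept"


def demo():
    """Constructed traffic: one clean handshake, then five SYNs that never complete."""
    ins = Inspector(backlog_limit=3)
    ins.process(Pkt(0.0, "10.0.0.5", "192.168.1.10", "tcp", 40000, 80, "S"))
    ins.process(Pkt(0.1, "192.168.1.10", "10.0.0.5", "tcp", 80, 40000, "SA"))
    ins.process(Pkt(0.2, "10.0.0.5", "192.168.1.10", "tcp", 40000, 80, "A"))
    for i in range(5):
        ins.process(Pkt(1.0 + i / 100, "10.1.0.%d" % (i + 1), "192.168.1.10",
                        "tcp", 1000 + i, 80, "S"))
    return ins.alerts


if __name__ == "__main__":
    print(demo())     # [('SYN_FLOOD', '192.168.1.10')]
```

The timeout matters as much as the limit: without expiry a slow trickle of SYNs would eventually pin the counter at the limit and lock out legitimate clients, which is exactly the effect the attacker is after.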
21. [Menu 21.1.4, continued]
                  Port # Comp= Equal
     Source:      IP Addr= 0.0.0.0
                  IP Mask= 0.0.0.0
                  Port #= 0
                  Port # Comp= None
     TCP Estab= N/A
     More= No    Log= None
     Action Matched= Drop
     Action Not Matched= Check Next Rule
    Press ENTER to Confirm or ESC to Cancel

    Rule 5: Destination port number 139 with protocol number 6 (TCP)

    Menu 21.1.5 - TCP/IP Filter Rule
      Filter #: 1,5
      Filter Type= TCP/IP Filter Rule
      Active= Yes
      IP Protocol= 6     IP Source Route= No
      Destination: IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 139
                   Port # Comp= Equal
      Source:      IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 0
                   Port # Comp= None
      TCP Estab= No
      More= No    Log= None
      Action Matched= Drop
      Action Not Matched= Check Next Rule
    Press ENTER to Confirm or ESC to Cancel

    Rule 6: Destination port number 139 with protocol number 17 (UDP)

    Menu 21.1.6 - TCP/IP Filter Rule
      Filter #: 1,6
      Filter Type= TCP/IP Filter Rule
      Active= Yes
      IP Protocol= 17    IP Source Route= No
      Destination: IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 139
                   Port # Comp= Equal
      Source:      IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 0
                   Port # Comp= None
      TCP Estab= N/A
      More= No    Log= None
      Action Matched= Drop
      Action Not Matched= Forward
    Press ENTER to Confirm or ESC to Cancel

    After the first filter set is finished, you will see the complete rules summary as below.
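The six rules of items 8, 9 and 21 form one chain: each rule drops a matching packet and otherwise hands it to the next rule, and only the last rule forwards what nothing matched. The following Python is an added example (not ZyNOS code) that builds that NetBIOS_WAN set from the menu values, prints it in the Menu 21.2 summary format, and evaluates constructed packets against it, so the Drop/Forward/Check Next Rule semantics can be checked before the set is applied to a live remote node. Port # Comp, the address masks and the three actions follow the menus shown; the handling of More= Yes (AND the rule with the next one and take the action from the last rule of the group) is the editor's reading of the SMT, not a statement from the notes.

```python
"""Evaluate a ZyNOS-style TCP/IP filter set against sample packets.

Added example, not ZyNOS code. The NetBIOS_WAN rules are the six from the
notes; sample packets are constructed.
"""
from dataclasses import dataclass
import ipaddress

CHECK_NEXT, FORWARD, DROP = "Check Next Rule", "Forward", "Drop"
ACTION_LETTER = {CHECK_NEXT: "N", FORWARD: "F", DROP: "D"}


@dataclass
class Rule:
    protocol: int                      # IP Protocol= (0 = any)
    dst_port: int = 0
    dst_comp: str = "None"             # Port # Comp= None/Equal/Not Equal/Less/Greater
    src_port: int = 0
    src_comp: str = "None"
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"          # mask 0.0.0.0 matches any address
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    more: bool = False                 # More= Yes/No
    matched: str = CHECK_NEXT          # Action Matched=
    not_matched: str = CHECK_NEXT      # Action Not Matched=
    active: bool = True


@dataclass(frozen=True)
class Pkt:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def port_ok(comp: str, want: int, got: int) -> bool:
    return {"None": True, "Equal": got == want, "Not Equal": got != want,
            "Less": got < want, "Greater": got > want}[comp]


def addr_ok(addr: str, mask: str, got: str) -> bool:
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(got)) & m == int(ipaddress.IPv4Address(addr)) & m


def rule_matches(r: Rule, p: Pkt) -> bool:
    return ((r.protocol == 0 or r.protocol == p.proto)
            and addr_ok(r.src_addr, r.src_mask, p.src)
            and addr_ok(r.dst_addr, r.dst_mask, p.dst)
            and port_ok(r.src_comp, r.src_port, p.sport)
            and port_ok(r.dst_comp, r.dst_port, p.dport))


def evaluate(rules, p: Pkt, default: str = FORWARD) -> str:
    """Walk the set in order; the first Drop or Forward decides, otherwise the
    default applies once the chain is exhausted."""
    group_match = True
    for r in rules:
        if not r.active:
            continue
        group_match = group_match and rule_matches(r, p)
        if r.more:                      # editor's assumption: decision deferred to the next rule
            continue
        action = r.matched if group_match else r.not_matched
        group_match = True
        if action != CHECK_NEXT:
            return action
    return default


def summary(rules) -> list:
    """Lines in the style of Menu 21.2 - Filter Rules Summary (M m n columns)."""
    return ["%d %s IP Pr=%d SA=%s DA=%s DP=%d %s %s %s" % (
        i, "Y" if r.active else "N", r.protocol, r.src_addr, r.dst_addr, r.dst_port,
        "Y" if r.more else "N", ACTION_LETTER[r.matched], ACTION_LETTER[r.not_matched])
        for i, r in enumerate(rules, 1)]


def netbios_wan() -> list:
    """The six rules of filter set 1 as configured in the notes."""
    rules = []
    for port in (137, 138, 139):
        for proto in (6, 17):           # TCP, then UDP
            rules.append(Rule(proto, port, "Equal", matched=DROP))
    rules[-1].not_matched = FORWARD     # rule 6: Action Not Matched= Forward
    return rules


if __name__ == "__main__":
    print("\n".join(summary(netbios_wan())))
    for p in (Pkt(6, "192.168.1.5", "203.0.113.7", 1025, 139),
              Pkt(17, "192.168.1.5", "203.0.113.7", 1026, 53)):
        print(p, "->", evaluate(netbios_wan(), p))
```

Note that the rules match on the destination port only: applied as a Call Filter in Menu 11.5 they keep LAN NetBIOS traffic (name service, datagram and session, ports 137 to 139) from triggering an ISDN call, which is what the notes intend; a reply arriving *from* port 139 to a high port is still forwarded.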
22. [Screenshot: Cisco ConfigMaker device legend: "Delivered"; "Has required information"; "Changes the device or connection properties"]
    4. From the Devices window choose a router and add it to the Network Diagram. Rename it "P-202H Plus v2", assign passwords, choose TCP/IP as its protocol and then set the interface of WAN slot 0 as "1 Ethernet".
    See the screenshot:
    [Screenshot: Untitled - Cisco ConfigMaker v2.5.1. Toolbar: New, Open, Save, Undo, Redo, Cut, Copy, Paste, Delete, Detect, Firewall, Deliver, Ping, Tutorial. Devices window (AutoDetect Device Wizard; Switches: Cisco 1500 Series; Routers: Cisco 800, 1000, 1600, 1700, 1710, 1720, 1750, 1751 series), Network Diagram window and the "Using Cisco ConfigMaker" help text on drawing the diagram, connecting devices and delivering the configuration.]
23. Menu 27.1.1 - IPSec Setup
      Index #=        Name= Prestige
      Active= Yes     Keep Alive= No
      Local ID type= IP    Content=
      My IP Addr= 202.132.170.1
      Peer ID type= IP     Content=
      Secure Gateway Addr= 202.132.155.33
      Protocol=
      Local:  Addr Type= RANGE
              IP Addr Start= 202.132.171.33    End / Subnet Mask= 202.132.171.33
              Port Start= 0    End= N/A
      Remote: Addr Type= RANGE
              IP Addr Start= 202.132.155.33    End / Subnet Mask= 202.132.155.33
              Port Start= 0    End= N/A
      Enable Replay Detection= No
      Key Management= IKE
      Edit Key Management Setup= Yes
    Press ENTER to Confirm or ESC to Cancel
    Press Space Bar to Toggle.

    1. Edit the IKE settings by setting the Edit Key Management Setup option in Menu 27.1.1 to Yes and then pressing Enter.
    2. There are two phases in IKE. In Phase 1 the two IKE peers establish a secure channel for key exchange. In Phase 2 the two peers negotiate general-purpose SAs, which are the secure channels for data transmission.

    Please note that every setting in IKE Setup must match the settings in the VPN software.

    Menu 27.1.1.1 - IKE Setup
      Phase 1
        Negotiation Mode= Main
        Pre-Shared Key= 12345678
        Encryption Algorithm= DES
        Authentication Algorithm= MD5
        SA Life Time (Seconds)= 3600
        Key Group= DH1
      Phase 2
        Active Protocol= ESP
        Encryption Algorithm= DES
        Authentication Algorithm= MD5
        SA Life Time (Seconds)= 3600
        Encapsulation= Tunnel
        Perfect
24. [LAN packet trace, continued]
      0030: 22 38 E8 ED 00 00 20 20 20 20 20 20               "8....

    2. Trace WAN packets
    1.1 Disable capture of LAN packets by entering: sys trcp channel enet0 none
    1.2 Enable capture of WAN packets by entering: sys trcp channel bri0 bothway (or bri1 for the second B channel)
    1.3 Enable the trace log by entering: sys trcp sw on and sys trcl sw on
    1.4 Display the brief trace online by entering: sys trcd brief, or
    1.5 Display the detailed trace online by entering: sys trcd parse

    Example:
    ras> sys trcp channel enet0 none
    ras> sys trcp channel bri0 bothway
    ras> sys trcp sw on
    ras> sys trcl sw on
    ras> sys trcd brief
      899.160 BRI0-T[0023]  LCP  ID=0x05  Configure-Request (1,5,8,13)
      902.120 BRI0-T[0023]  LCP  ID=0x06  Configure-Request (1,5,8,13)
      905.120 BRI0-T[0023]  LCP  ID=0x07  Configure-Request (1,5,8,13)
      905.150 BRI0-R[0029]  LCP  ID=0x01  Configure-Request (1,3,17,19)
      905.150 BRI0-T[0021]  LCP  ID=0x01  Configure-Reject (17,19)
      905.160 BRI0-R[0013]  LCP  ID=0x07  Configure-Reject (8,13)
      905.160 BRI0-R[0013]  LCP  ID=0x07  Configure-Reject (8,13)
    ras> sys trcd parse
    <0000> PPP Frame: BRI0 XMIT  Size= 52 (52)  Time= 1145.250 sec
      Frame Type: TCP 163.31.239.1:10007 -> 210.67.113.145:80
    PPP Header
      Protocol= 0x0021 (IP)
    IP Header
      IP Version= 4    Header Length= 20    Type of Service= 0x00 (0)    Total Length
25. P-202H Plus v2> sys filter disp
      Drop                 0      Forward              0
      setNotConfig         0      setNotActive         0
      NonRuleMatch         0      InvalidSet           0
      GenMatch             0      GenNotMatch          0
      IpMatch              0      IpDefaultMatch       0
      IpDefaultNotMatch    0      IpSourceAddr         0
      IpDestAddr           0      IpSourceRoute        0
      IpTcpConn            0      IpSourcePort         0
      IpDestPort           0      IpProtocol           0
      IpxMatch             0      IpxDefaultMatch      0
      IpxDefaultNotMatch   0      IpxPacketType        0
      IpxDestNetwork       0      IpxDestNode          0
      IpxDestSocket        0      IpxSourceNetwork     0
      IpxSourceNode        0      IpxSourceSocket      0

    3. Start a PING, or start other traffic from the LAN side, to trigger the outcall, then display the filter counters again. If the Drop field now shows a non-zero count, the packet was filtered out, so no outcall was made when that packet reached the P-202H Plus v2.

    4. Reset to the default configuration file
    There are two cases in which you need to upload the default configuration file to the P-202H Plus v2:
      1. You have forgotten the SMT password and want to reset it to 1234.
      2. You want to reset the configuration to its defaults.
    Note that the default configuration file for the new ZyNOS is not compatible with the one for previous ZyNOS versions, so when upgrading your Prestige from a previous ZyNOS please also update the default configuration file for the new ZyNOS. Because this procedure resets the password to 1234, anyone with console access can perform it: keep the console port physically secured and change the password immediately after the upload.
      - The procedure for uploading the configuration file via the console port is as
26.   Secure Gateway Addr= 202.132.154.1
      Protocol=
      Local:  Addr Type= SINGLE
              IP Addr Start= 140.130.10.33      End/Subnet Mask= N/A
              Port Start=                       End= N/A
      Remote: Addr Type= SINGLE
              IP Addr Start= 202.132.155.3      End/Subnet Mask= N/A
              Port Start=                       End= N/A
      Enable Replay Detection= No
      Key Management= IKE
      Edit Key Management Setup= Yes

      Press ENTER to Confirm or ESC to Cancel
      Press Space Bar to Toggle

    1. Edit the IKE settings by setting the "Edit IKE Setup" option in Menu 27.1.1 to Yes and pressing Enter.
    2. IKE has two phases. In Phase 1 the two IKE peers establish a secure channel for key exchange. In Phase 2 the two peers negotiate general-purpose SAs, which are the secure channels used for data transmission. Note that any configuration in IKE Setup must be identical on P-202H Plus v2 A and P-202H Plus v2 B; a single differing value (algorithm, group, lifetime or key) prevents the tunnel from coming up.

    Menu 27.1.1.1 - IKE Setup

      Phase 1
        Negotiation Mode= Main
        Pre-Shared Key= 12345678
        Encryption Algorithm= DES
        Authentication Algorithm= MD5
        SA Life Time (Seconds)= 3600
        Key Group= DH1
      Phase 2
        Active Protocol= ESP
        Encryption Algorithm= DES
        Authentication Algorithm= MD5
        SA Life Time (Seconds)= 3600
        Encapsulation= Tunnel
        Perfect Forward Secrecy (PFS)= None

      Press ENTER to Confirm or ESC to Cancel

    3. Troubleshooting
    Q: How do we know the above tunnel works?
    A: If the connection between PC 1 and P
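The "must match on both peers" requirement in items 23 and 26 is easiest to enforce mechanically. The following is an added example, not ZyXEL code: it takes the Menu 27.1.1.1 settings of the two Prestiges as dictionaries (field names mirror the menu), reports every field on which they disagree, and flags the choices a practitioner would want changed (DES, MD5, DH group 1, the placeholder key, PFS off, replay detection off). The values are constructed from the screens on this page; peer B's Phase 2 lifetime is deliberately mistyped to show what a mismatch report looks like.

```python
"""Added example (not ZyXEL code): compare two P-202H Plus v2 IKE setups with
each other and against current practice. Field names follow SMT Menu 27.1.1.1
(IKE Setup) and Menu 27.1.1 (Enable Replay Detection)."""

# Constructed from the Menu 27.1.1 / 27.1.1.1 screens of P-202H Plus v2 A
PEER_A = {
    "replay_detection": False,
    "phase1": {"negotiation_mode": "Main", "pre_shared_key": "12345678",
               "encryption": "DES", "authentication": "MD5",
               "sa_lifetime_seconds": 3600, "key_group": "DH1"},
    "phase2": {"active_protocol": "ESP", "encryption": "DES",
               "authentication": "MD5", "sa_lifetime_seconds": 3600,
               "encapsulation": "Tunnel", "pfs": "None"},
}
# Peer B: same settings except a mistyped Phase 2 lifetime (constructed)
PEER_B = {
    "replay_detection": False,
    "phase1": dict(PEER_A["phase1"]),
    "phase2": dict(PEER_A["phase2"], sa_lifetime_seconds=3608),
}

# Algorithm choices that are weak by today's standards (the page's defaults)
WEAK = {
    "DES": "56-bit single DES",
    "MD5": "MD5-based integrity",
    "DH1": "768-bit MODP (DH group 1)",
}


def compare_proposals(a, b):
    """Return one 'phaseN.field: A=..., B=...' line per field on which the
    peers disagree. The pre-shared key must match too, but is never echoed."""
    diffs = []
    for phase in ("phase1", "phase2"):
        for field in a[phase]:
            va, vb = a[phase][field], b[phase].get(field)
            if va == vb:
                continue
            if field == "pre_shared_key":
                diffs.append(f"{phase}.pre_shared_key: differs")
            else:
                diffs.append(f"{phase}.{field}: A={va}, B={vb}")
    return diffs


def weak_settings(peer):
    """Flag weak algorithms, a placeholder key, PFS off and replay detection off."""
    findings = []
    for phase in ("phase1", "phase2"):
        for field in ("encryption", "authentication", "key_group"):
            value = peer[phase].get(field)
            if value in WEAK:
                findings.append(f"{phase}.{field}={value} ({WEAK[value]})")
    psk = peer["phase1"]["pre_shared_key"]
    if len(psk) < 16 or psk.isdigit():
        findings.append("phase1.pre_shared_key: short or all-digit key")
    if peer["phase2"].get("pfs") == "None":
        findings.append("phase2.pfs=None (Phase 2 keys derive from Phase 1 only)")
    if not peer["replay_detection"]:
        findings.append("replay_detection=No")
    return findings


def check_pair(a, b):
    """Everything to look at before reporting 'the tunnel does not come up'."""
    return {"mismatches": compare_proposals(a, b),
            "weak_a": weak_settings(a), "weak_b": weak_settings(b)}


if __name__ == "__main__":
    for section, lines in check_pair(PEER_A, PEER_B).items():
        print(section)
        for line in lines:
            print("  ", line)
```

Run against the two constructed peers the report names the single mismatch (Phase 2 lifetime 3600 versus 3608) and lists the weak choices for both sides; with identical dictionaries the mismatch list is empty.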
27. 20. Select Save to Firebox and enter the write passphrase for your WatchGuard (Policy Manager: File > Save > To Firebox, "Save the active configuration to a firebox").

    P-202H Plus v2 to NETSCREEN Tunneling

    This page guides us through setting up a VPN connection between a P-202H Plus v2 and a NETSCREEN. As the figure shows, the tunnel between PC 1 and PC 2 ensures that the packets flowing between them are protected. To set up this VPN tunnel, the required settings for the P-202H Plus v2 and the NETSCREEN are explained in the following sections.

      LAN 1 ---- Prestige ---- (IPSec Tunnel) ---- NETSCREEN ---- LAN 2

    The IP addresses used in this example are:
      PC 1 (LAN 1):            192.168.1.33
      Prestige LAN:            192.168.1.1
      Prestige WAN:            202.132.154.1
      NETSCREEN WAN:           168.10.10.66
      NETSCREEN LAN:           192.168.78.1
      PC 2 (LAN 2):            192.168.78.5

    Note: The following configurations assume that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, enter 0.0.0.0 as the secure gateway IP address on the fixed side. In this case the VPN connection can only be initiated from the dynamic side to the fixed side, so that the dynamic side's current IP is learned by the fixed side: the source IP of that connection is obtained and written into the previous 0.0.0.0 field. However, if both gateways use dynamic IP addresses it
28. ftp, telnet, HTTP etc. You can only initiate the VPN tunnel by choosing Select VPN from the SSH Sentinel tray icon (the tray menu also offers Start Policy Manager and Stop Policy Manager).

    NOTE: Check your P-202H Plus v2's release note to see whether your current firmware version supports Mega Bytes as an SA lifetime. If it does not, you must set the Mega Bytes value in the SA lifetime to zero. Switch to Security Policy; the configuration page is under <Your VPN connection> > Properties > Advanced tab > Settings:

      Security Association Lifetimes (the settings affect this connection rule only)
        IKE security association:    Lifetime in minutes = 240 min    Lifetime in megabytes = (unchecked)
        IPSec security association:  Lifetime in minutes = (unchecked)   Lifetime in megabytes = 0 MB

    2. Set up the P-202H Plus v2 VPN
      1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234.
      2. Go to Advanced > VPN.
      3. Check the Active box to enable this rule. Check Keep alive to make your VPN connection stay up permanently.
      4. Select Negotiation Mode
29. the packets that go through the IPSec tunnel are encrypted. To achieve this VPN tunnel, the settings required for each P-202H Plus v2 are explained in the following sections.

      LAN 1 ---- Prestige A ---- (Internet, IPSec Tunnel) ---- Prestige B ---- LAN 2

    The IP addresses used in this example are:
      Prestige A LAN:   202.132.155.1     host behind A: 202.132.155.33
      Prestige A WAN:   202.132.154.1
      Prestige B WAN:   168.10.10.66
      Prestige B LAN:   140.130.10.1      host behind B: 140.130.10.38

    Note: The following configurations assume that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, enter 0.0.0.0 as the secure gateway IP address on the fixed side. In this case the VPN connection can only be initiated from the dynamic side to the fixed side, so that the dynamic side's current IP becomes known to the fixed side. If both gateways use dynamic IP addresses there is no way to establish the VPN connection at all.

    1. Set up P-202H Plus v2 A
      1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234.
      2. Click Advanced, then click the VPN tab on the left.
      3. On the SUMMARY menu, select a policy to edit by clicking Edit.
      4. On the CONFIGURE IKE menu, check the Active check box and give this policy a name.
      5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in
30. (comment column carried over from the preceding page of the list: usually to sri-nic; nameserver; name domain server; nameserver domain; name domain server; domain; deprecated; boot program server; netrjs; ttylink)

      hostnames      101/tcp   hostname          # usually from sri-nic
      iso-tsap       102/tcp
      dictionary     103/tcp   webster
      x400           103/tcp                     # ISO Mail
      x400-snd       104/tcp
      csnet-ns       105/tcp
      pop            109/tcp   postoffice
      pop2           109/tcp                     # Post Office
      pop3           110/tcp   postoffice
      portmap        111/tcp
      portmap        111/udp
      sunrpc         111/tcp
      sunrpc         111/udp
      auth           113/tcp   authentication
      sftp           115/tcp
      path           117/tcp
      uucp-path      117/tcp
      nntp           119/tcp   usenet            # Network News Transfer
      ntp            123/udp   ntpd ntp          # network time protocol
      nbname         137/udp
      nbdatagram     138/udp
      nbsession      139/tcp
      NeWS           144/tcp   news
      sgmp           153/udp   sgmp
      tcprepo        158/tcp   repository        # PCMAIL
      snmp           161/udp   snmp
      snmp-trap      162/udp   snmp
      print-srv      170/tcp                     # network PostScript
      vmnet          175/tcp
      load           315/udp
      vmnet0         400/tcp
      sytek          500/udp
      biff           512/udp   comsat
      exec           512/tcp
      login          513/tcp
      who            513/udp   whod
      shell          514/tcp   cmd               # no passwords used
      syslog         514/udp
      printer        515/tcp   spooler           # line printer spooler
      talk           517/udp
      ntalk          518/udp
      efs            520/tcp                     # for LucasFilm
      route          520/udp   router routed
      timed          525/udp   timeserver
      tempo          526/tcp   newdate
      courier        530/tc
31. /var/log/zyxel.log is the full path of the log file.
    3. Restart syslogd.

    ZyXEL Syslog Message Format

    The P-202H Plus v2 sends five types of syslog messages to syslogd: 1. CDR log, 2. Packet Triggered log, 3. Filter log, 4. PPP log, 5. POTS log.

      CDR (Call Detail Record):  logs all data phone-line activity when set to Yes.
      Packet triggered:          the first 48 bytes (octets) and the protocol type of the triggering packet are sent to the UNIX syslog server when this field is set to Yes.
      Filter log:                no filters are logged when this field is set to No; filters whose individual Log field is set to Yes are logged when this field is set to Yes.
      PPP log:                   PPP events are logged when this field is set to Yes.
      POTS log:                  voice calls are logged when this field is set to Yes.

    1. CDR log (call messages)
       Format: sdcmdSyslogSend(SYSLOG_CDR, SYSLOG_INFO, String)
       String = "board xx line xx channel xx call xx str"
         board   = the hardware board ID
         line    = the WAN ID in a board
         channel = channel ID within the WAN
         call    = the call reference number, which starts from 1 and increments by 1 for each new call
         str     = one of:
           C01 Outgoing Call dev xx ch xx        (dev = device number, ch = channel number)
           C01 Incoming Call xxxxBps xxxxx       (L2TP; xxxxx = Remote Call ID)
           C01 Incoming Call xxxx                (xxxx = connected speed; xxxxx = Remote Call ID)
           L02 Tunnel Connected (L2TP)
           C02 OutCall Connect
32.   ... IP Mask= 0.0.0.0   Port= 0   Port Comp= None
      TCP Estab= No
      More= No                Log= None
      Action Matched= Drop
      Action Not Matched= Check Next Rule

      Press ENTER to Confirm or ESC to Cancel

    Rule 3, for (c) DNS packets: UDP (protocol 17), port number 53

    Menu 21.1.2 - TCP/IP Filter Rule

      Filter #: 1,2
      Filter Type= TCP/IP Filter Rule
      Active= Yes
      IP Protocol= 17          IP Source Route= No
      Destination: IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 53
                   Port # Comp= Equal
           Source: IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 0
                   Port # Comp= None
      TCP Estab= No
      More= No                Log= None
      Action Matched= Drop
      Action Not Matched= Forward

      Press ENTER to Confirm or ESC to Cancel

    After the three rules are completed you will see the rule summary in Menu 21.1:

    Menu 21.1 - Filter Rules Summary

      #  A  Type  Filter Rules                                    M  m  n
      -  -  ----  ----------------------------------------------  -  -  -
      2  Y  IP    Pr=6  SA=0.0.0.0  DA=0.0.0.0                    N  D  N
      3  Y  IP    Pr=17 SA=0.0.0.0  DA=0.0.0.0  DP=53             N  D  F

    (M = More, m = action if matched, n = action if not matched; D = Drop, F = Forward, N = Check Next Rule.)

    Then put filter set number 1 in the Call Filter Sets field of SMT Menu 11.5 to make it active:

    Menu 11.1 - Remote Node Profile

      Rem Node Name= Hinet                    Route= IP
      Active= Yes                             Bridge= No
      Call Direction= Outgoing                Edit PPP Options= No
      Incoming:                               Rem IP Addr= 0.0.0.0
        Rem Login= N/A                        Edit IP/IPX/Bridge= No
        Rem Password= N/A                     Telco Option:
        Rem CLID= N/A                           Allocated Budget(min)= 5
        Call Back= N/A                          Period(hr)= 1
      Outgoing:                                 Transfer Type= 64K
        My Login= qwer                        Nailed-Up Connection= No
33. (continuation of the preceding PAP frame dump)
        0000:                   01 10 00 15 07 7a 79 78 65 6c 72 64
        0010: 08 70 72 65 73 74 69 67 65
    102 258759 PP09 ebp=7e9ed8 seqNum=66 bri0 RECV len=9 call=4
        0000: ff 03 c0 23 02 10 00 05 00
    103 258759 PP09 IPCP negotiation started
    104 258760 PP09 ebp=7e9f0c seqNum=67 bri0 XMIT len=20 call=4
        0000: ff 03 80 21 01 19 00 10 02 06 00 2d 0f 00 03 06
        0010: 00 00 00 00
    105 258760 PP09 ebp=7e9f40 seqNum=68 bri0 RECV len=20 call=4
        0000: ff 03 80 21 01 01 00 10 02 06 00 2d 0f 01 03 06
        0010: a8 5f 43 2b
    106 258760 PP09 ebp=7e9f74 seqNum=69 bri0 XMIT len=20 call=4
        0000: ff 03 80 21 02 01 00 10 02 06 00 2d 0f 01 03 06
        0010: a8 5f 43 2b
    107 258760 PP09 ebp=7e9fa8 seqNum=6a bri0 RECV len=14 call=4
        0000: ff 03 80 fd 01 01 00 0a 11 06 00 01 01 03
    108 258760 PP09 ebp=7e9fdc seqNum=6b bri0 XMIT len=20 call=4
        0000: ff 03 c0 21 08 11 00 10 80 fd 01 01 00 0a 11 06
        0010: 00 01 01 03
    109 258761 PP09 ebp=7ea010 seqNum=6c bri0 RECV len=14 call=4
        0000: ff 03 80 21 03 19 00 0a 03 06 a3 1f f4 2e
    110 258761 PP09 ebp=7ea044 seqNum=6d bri0 XMIT len=20 call=4
        0000: ff 03 80 21 01 1a 00 10 02 06 00 2d 0f 00 03 06
        0010: a3 1f f4 2e
    111 258763 PP09 ebp=7ea078 seqNum=6e bri0 RECV len=20 call=4
        0000: ff 03 80 21 02 1a 00 10 02 06 00 2d 0f 00 03 06
        0010: a3 1f f4 2e
    112 258763 PP09
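The dumps above are readable by hand once you know the PPP protocol numbers (0xc023 PAP, 0xc021 LCP, 0x8021 IPCP, 0x80fd CCP, 0x0021 IP). The following is an added example, not ZyXEL's ZPKT tool, that decodes such frames into protocol, code and options. The sample frames are taken from the hex dumps in this item; the first is the PAP Authenticate-Request whose dump starts mid-frame on the page, so its leading "ff 03 c0 23" header is assumed. The IP/TCP frame is constructed (zero checksums) to match the "sys trcd parse" output of item 24. The security-relevant point it makes visible: PAP carries the login name and password in clear text, so a PPP log capture is a credential leak and should be handled as such (use CHAP where the remote node allows it).

```python
"""Added example (not ZyXEL's ZPKT tool): decode raw PPP frames from a
P-202H Plus v2 PPP log into protocol, code, options and, for PAP, the
credentials they carry."""
import struct
import ipaddress

PROTOCOLS = {0x0021: "IP", 0x8021: "IPCP", 0x80fd: "CCP",
             0xc021: "LCP", 0xc023: "PAP", 0xc223: "CHAP"}
CP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
            4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
            7: "Code-Reject", 8: "Protocol-Reject", 9: "Echo-Request",
            10: "Echo-Reply", 11: "Discard-Request"}
PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack",
             3: "Authenticate-Nak"}

SAMPLE_FRAMES = {  # from the page's PPP log; 'ff 03 c0 23' of the first is assumed
    "pap_request": "ff 03 c0 23 01 10 00 15 07 7a 79 78 65 6c 72 64"
                   " 08 70 72 65 73 74 69 67 65",
    "pap_ack": "ff 03 c0 23 02 10 00 05 00",
    "ipcp_request": "ff 03 80 21 01 19 00 10 02 06 00 2d 0f 00 03 06 00 00 00 00",
    "ipcp_nak": "ff 03 80 21 03 19 00 0a 03 06 a3 1f f4 2e",
    "lcp_protocol_reject": "ff 03 c0 21 08 11 00 10 80 fd 01 01 00 0a 11 06 00 01 01 03",
    # constructed: IP/TCP 163.31.239.1:10007 -> 210.67.113.145:80, 52 bytes, checksums zero
    "ip_tcp": "ff 03 00 21 45 00 00 34 00 01 00 00 40 06 00 00 a3 1f ef 01"
              " d2 43 71 91 27 17 00 50" + " 00" * 28,
}


def parse_hex(dump):
    """Turn the log's space-separated hex into bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_options(proto, data):
    """Walk the (type, length, value) options of an LCP/IPCP/CCP packet."""
    opts = []
    while len(data) >= 2:
        typ, length = data[0], data[1]
        if length < 2 or length > len(data):
            break                                  # malformed: never loop on length 0
        value = data[2:length]
        if proto == 0x8021 and typ == 3:
            opts.append(("IP-Address", str(ipaddress.IPv4Address(value))))
        elif proto == 0x8021 and typ == 2:
            opts.append(("IP-Compression-Protocol", value.hex()))
        else:
            opts.append((f"option-{typ}", value.hex()))
        data = data[length:]
    return opts


def decode_ppp(frame):
    """Decode one PPP frame (HDLC 'ff 03' prefix optional) into a dict."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    proto = struct.unpack(">H", frame[:2])[0]
    body = frame[2:]
    info = {"protocol": PROTOCOLS.get(proto, f"0x{proto:04x}")}
    if proto == 0x0021:                            # plain IP datagram
        ihl = (body[0] & 0x0f) * 4
        info.update(ip_version=body[0] >> 4, header_length=ihl, tos=body[1],
                    total_length=struct.unpack(">H", body[2:4])[0],
                    ip_protocol=body[9],
                    src=str(ipaddress.IPv4Address(body[12:16])),
                    dst=str(ipaddress.IPv4Address(body[16:20])))
        if body[9] in (6, 17):                     # TCP/UDP: ports follow the header
            info["sport"], info["dport"] = struct.unpack(">HH", body[ihl:ihl + 4])
        return info
    code, ident, length = struct.unpack(">BBH", body[:4])
    info.update(id=ident, length=length)
    if proto == 0xc023:                            # PAP: credentials in clear text
        info["code"] = PAP_CODES.get(code, code)
        if code == 1:
            id_len = body[4]
            pw_len = body[5 + id_len]
            info["peer_id"] = body[5:5 + id_len].decode("latin-1")
            info["password"] = body[6 + id_len:6 + id_len + pw_len].decode("latin-1")
        else:
            info["message"] = body[5:5 + body[4]].decode("latin-1")
    else:                                          # LCP / IPCP / CCP
        info["code"] = CP_CODES.get(code, code)
        if proto == 0xc021 and code == 8:          # LCP Protocol-Reject names the protocol
            rejected = struct.unpack(">H", body[4:6])[0]
            info["rejected_protocol"] = PROTOCOLS.get(rejected, f"0x{rejected:04x}")
        elif code in (1, 2, 3, 4):
            info["options"] = decode_options(proto, body[4:length])
    return info


def decode_log(frames=SAMPLE_FRAMES):
    """Decode every named frame of a capture."""
    return {name: decode_ppp(parse_hex(dump)) for name, dump in frames.items()}


if __name__ == "__main__":
    for name, decoded in decode_log().items():
        print(name, decoded)
```

Decoding the page's frames shows the PAP request carrying peer-id "zyxelrd" and password "prestige", the IPCP Configure-Nak proposing 163.31.244.46 as the local address, and the LCP Protocol-Reject turning down CCP (compression); the constructed IP frame decodes to the same 163.31.239.1:10007 -> 210.67.113.145:80 that item 24's parse shows.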
34. 1. Set up the P-202H Plus v2
      1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The LAN IP in this example is 192.168.0.1 and the default password for the web configurator is 1234.
      2. Click Advanced, then click the VPN tab on the left.
      3. On the SUMMARY menu, select a policy to edit by clicking Edit.
      4. On the CONFIGURE IKE menu, check the Active check box and give this policy a name.
      5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main (Linux FreeS/WAN only supports Main mode).
      6. In the Local section choose Subnet Address as the Address Type. Source IP Address Start is 192.168.0.0 and End (which holds the subnet mask for this address type) is 255.255.255.0; in this example this is the secure network behind the P-202H Plus v2.
      7. In the Remote section choose Subnet Address as the Address Type. Source IP Address Start is 192.168.10.0 and End is 255.255.255.0: the secure network behind the Linux box.
      8. My IP Addr is the WAN IP of the P-202H Plus v2.
      9. Secure Gateway IP Addr is the remote secure gateway IP, that is, the Linux box in this example.
      10. Set Encapsulation Mode to Tunnel.
      11. Check the ESP check box. AH cannot be used in the SUA/NAT case, because AH's integrity check covers the IP header fields that NAT rewrites.
      12. Set Encryption Algorithm to 3DES and Authentication Algorithm to SHA1.
      13. Enter the key string 12345678 in the Preshared Key text box and click Apply.
35.   1. Log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234.
      2. Click Advanced, then click the VPN tab on the left.
      3. On the SUMMARY menu, select a policy to edit by clicking Edit.
      4. On the CONFIGURE IKE menu, check the Active check box and give this policy a name.
      5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main.
      6. Source IP Address Start and Source IP Address End are both the IP of PC 1, the secure host behind the P-202H Plus v2 in this example.
      7. Destination IP Address Start and Destination IP Address End are both the IP of PC 2, the secure remote host in this example.
      8. My IP Addr is the WAN IP of the P-202H Plus v2.
      9. Secure Gateway IP Addr is the remote secure gateway IP, that is, the WatchGuard WAN IP in this example.
      10. Set Encapsulation Mode to Tunnel.
      11. Check the ESP check box. AH cannot be used in the SUA/NAT case.
      12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured on the WatchGuard.
      13. Enter the key string 12345678 in the Preshared Key text box and click Apply.
36.   11880.160 ENET0 R 0062 TCP 192.168.1.2:1108 -> 192.31.7.130:80

    The columns are: index, timer (seconds), channel, receive/transmit (R/T), length, protocol, source IP:port, destination IP:port.

    There are two ways to dump the trace:
      1. Online Trace: display the trace in real time on screen.
      2. Offline Trace: capture the trace first and display it later.

    The details for capturing the trace in SMT Menu 24.8 are as follows.

    Online Trace
      1. Trace LAN packet
      2. Trace WAN packet

    1. Trace LAN packet
       1.1 Disable capture of WAN packets:        sys trcp channel bri0 none  (or bri1)
       1.2 Enable capture of LAN packets:         sys trcp channel enet0 bothway
       1.3 Enable the trace log:                  sys trcp sw on  and  sys trcl sw on
       1.4 Display the brief trace online:        sys trcd brief, or
       1.5 Display the detailed trace online:     sys trcd parse

    Example:
      ras> sys trcp channel bri0 none
      ras> sys trcp channel enet0 bothway
      ras> sys trcp sw on
      ras> sys trcl sw on
      ras> sys trcd brief
        0  11880.160 ENET0 R 0062 TCP 192.168.1.2:1108 -> 192.31.7.130:80
        1  11883.100 ENET0 R 0062 TCP 192.168.1.2:1108 -> 192.31.7.130:80
        2  11883.330 ENET0 T 0058 TCP 192.31.7.130:80 -> 192.168.1.2:1108
        3  11883.340 ENET0 R 0060 TCP 192.168.1.2:1108 -> 192.31.7.130:80
        4  11883.340 ENET0 R 0339 TCP 192.168.1.2:1108 -> 192.31.7.130:80
        5  11883.610 ENET0 T 0054
37.     Rule 3: destination port number 138 with protocol number 6 (TCP)
        Rule 4: destination port number 138 with protocol number 17 (UDP)
        Rule 5: destination port number 139 with protocol number 6 (TCP)
        Rule 6: destination port number 139 with protocol number 17 (UDP)
      Filter Set 2
        Rule 1: source port number 137, destination port number 53, with protocol number 6 (TCP)
        Rule 2: source port number 137, destination port number 53, with protocol number 17 (UDP)

    Before starting to set the filter rules, enter a name for each filter set in the Comments field first:

    Menu 21 - Filter Set Configuration

      Filter   Filter Set           Filter   Filter Set
      Set #    Comments             Set #    Comments
      ------   ----------------     ------   ----------------
        1      NetBIOS_WAN            7
        2      NetBIOS_LAN            8
        3                             9
        4                            10
        5                            11
        6                            12

      Enter Filter Set Number to Configure= 1
      Edit Comments=

      Press ENTER to Confirm or ESC to Cancel

    Configure the first filter set, NetBIOS_WAN, by selecting Filter Set number 1.

    Rule 1: destination port number 137 with protocol number 6 (TCP)

    Menu 21.1.1 - TCP/IP Filter Rule

      Filter #: 1,1
      Filter Type= TCP/IP Filter Rule
      Active= Yes
      IP Protocol= 6           IP Source Route= No
      Destination: IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 137
                   Port # Comp= Equal
           Source: IP Addr= 0.0.0.0
                   IP Mask= 0.0.0.0
                   Port #= 0
                   Port # Comp= None
      TCP Estab= No
      More= No                Log= None
      Action Matched= Drop
      Action Not Matched= Check Next Rule

      Press ENTER to Confirm or ESC to Cancel
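The rule fields above (protocol, address and mask, port and comparison, Action Matched / Action Not Matched) are evaluated top to bottom, and the result is what the Drop / Forward / NonRuleMatch counters of "sys filter disp" in item 25 count. The following is an added example, not ZyNOS code: a model of that evaluation, loaded with the NetBIOS_WAN and NetBIOS_LAN sets defined in this item and run over constructed LAN-to-WAN packets. One assumption is labelled in the code: a packet that no rule decides on is forwarded and counted as NonRuleMatch, which is why a set built only from "Drop / Check Next Rule" rules is a deny-list and everything else passes.

```python
"""Added example (not ZyNOS code): rule-by-rule evaluation of a P-202H Plus v2
TCP/IP filter set (Menu 21.1.x) with the counters 'sys filter disp' shows."""
import ipaddress

ANY = "0.0.0.0"


def rule(protocol, dest_port=0, dest_comp="None", src_port=0, src_comp="None",
         dest_addr=ANY, dest_mask=ANY, src_addr=ANY, src_mask=ANY,
         matched="Drop", not_matched="Check Next Rule", active=True):
    """One Menu 21.1.x screen as a dict (Port 0 with Comp None means 'any')."""
    return dict(active=active, protocol=protocol,
                dest=(dest_addr, dest_mask, dest_port, dest_comp),
                src=(src_addr, src_mask, src_port, src_comp),
                matched=matched, not_matched=not_matched)


# Filter Set 1, NetBIOS_WAN: drop TCP and UDP to destination ports 137-139
NETBIOS_WAN = [rule(proto, dest_port=port, dest_comp="Equal")
               for port in (137, 138, 139) for proto in (6, 17)]

# Filter Set 2, NetBIOS_LAN: drop NetBIOS name-service traffic (source 137) aimed at DNS (53)
NETBIOS_LAN = [rule(proto, src_port=137, src_comp="Equal",
                    dest_port=53, dest_comp="Equal") for proto in (6, 17)]


def _addr_ok(addr, mask, pkt_addr):
    """Mask 0.0.0.0 matches everything; otherwise compare the masked prefix."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(pkt_addr)) & m) == (a & m)


def _port_ok(port, comp, pkt_port):
    return {"None": True, "Equal": pkt_port == port, "Not Equal": pkt_port != port,
            "Less": pkt_port < port, "Greater": pkt_port > port}[comp]


def rule_matches(r, pkt):
    """IP Protocol 0 means any protocol; all four address/port tests must hold."""
    if r["protocol"] not in (0, pkt["protocol"]):
        return False
    da, dm, dp, dc = r["dest"]
    sa, sm, sp, sc = r["src"]
    return (_addr_ok(da, dm, pkt["dst"]) and _port_ok(dp, dc, pkt["dport"])
            and _addr_ok(sa, sm, pkt["src"]) and _port_ok(sp, sc, pkt["sport"]))


def evaluate(filter_set, pkt, counters):
    """Walk the set in order; the first Drop or Forward action decides."""
    for r in filter_set:
        if not r["active"]:
            continue
        action = r["matched"] if rule_matches(r, pkt) else r["not_matched"]
        if action in ("Drop", "Forward"):
            counters[action] += 1
            return action
        # "Check Next Rule": fall through to the next rule
    counters["NonRuleMatch"] += 1
    return "Forward"      # assumption: a packet no rule decides on is forwarded


def run(filter_set, packets):
    """Evaluate every packet; return the decisions and the counter snapshot."""
    counters = {"Drop": 0, "Forward": 0, "NonRuleMatch": 0}
    decisions = [evaluate(filter_set, p, counters) for p in packets]
    return decisions, counters


# Constructed LAN-to-WAN packets (protocol 6 = TCP, 17 = UDP)
SAMPLE_PACKETS = [
    dict(protocol=17, src="192.168.1.5", sport=137, dst="203.0.113.9", dport=137),
    dict(protocol=6, src="192.168.1.5", sport=1030, dst="203.0.113.9", dport=139),
    dict(protocol=6, src="192.168.1.5", sport=1031, dst="203.0.113.9", dport=80),
    dict(protocol=17, src="192.168.1.5", sport=137, dst="192.168.1.1", dport=53),
]

if __name__ == "__main__":
    print("NetBIOS_WAN:", run(NETBIOS_WAN, SAMPLE_PACKETS))
    print("NetBIOS_LAN:", run(NETBIOS_LAN, SAMPLE_PACKETS))
```

With NetBIOS_WAN the two NetBIOS packets are dropped and the HTTP and DNS packets fall off the end of the set (NonRuleMatch = 2, Forward = 0), exactly the non-zero Drop count item 25 tells you to look for. To turn a set into an allow-list instead, give its last rule Action Not Matched = Drop.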
38.   14  Defender Token (AXENT)                 [Rosselli]    (end of the list from the preceding page)

    PPP VENDOR SPECIFIC OUI OPTIONS

    There are provisions in some PPP message formats for vendor-specific options to be identified by the Organisationally Unique Identifier (OUI), namely the first three octets of a vendor's Ethernet address as assigned by IEEE 802 [RFC1968, RFC2153]. These are listed in the ethernet-numbers file; see http://www.iana.org/in-notes/iana/assignments/ethernet-numbers

    3. Port Numbers

    The following list contains port numbers for well-known services as defined by RFC 1060 (Assigned Numbers).
    Format: <service name>  <port number>/<protocol>  [aliases ...]  [# <comment>]

      echo          7/tcp
      echo          7/udp
      discard       9/tcp    sink null
      discard       9/udp    sink null
      systat       11/tcp    users
      daytime      13/tcp
      daytime      13/udp
      netstat      15/tcp
      qotd         17/tcp    quote
      qotd         17/udp    quote
      chargen      19/tcp    ttytst source
      chargen      19/udp    ttytst source
      ftp-data     20/tcp
      ftp          21/tcp
      telnet       23/tcp
      smtp         25/tcp    mail
      time         37/tcp    timserver
      time         37/udp    timserver
      rlp          39/udp    resource        # resource location
      name         42/tcp    nameserver
      name         42/udp    nameserver
      whois        43/tcp    nicname         # usually to sri-nic
      domain       53/tcp    nameserver      # name-domain server
      domain       53/udp    nameserver
      nameserver   53/tcp    domain          # name-domain server
      nameserver   53/udp    domain
      mtp          57/tcp                    # deprecated
      bootp        67/udp                    # boot program server
      tftp         69/udp
      rje          77/tcp    netrjs
      finger       79/tcp
      link         87/tcp    ttylink
      supdup       95/tcp
39.   2. In Local Security Settings, right-click IP Security Policies on Local Machine and then click Create IP Security Policy (the context menu also offers Manage IP filter lists and filter actions, All Tasks, Refresh and Help).
      3. Click Next and type a name for your policy, for example "WIN2K to P-202H Plus v2 Tunnel" (IP Security Policy Wizard, IP Security Policy Name page: name this security policy and optionally give it a brief description).
      4. On the Requests for Secure Communication page the wizard explains: "Specify how this policy responds to requests for secure communication. The default response rule responds to remote computers that request security when no other rule applies. To communicate securely, the computer must respond to requests for secure communication." The check box on this page is "Activate the default response rule".
      5. Keep the Edit properties check box selected and click Finish.

    IP Security Policy
40.   ... Phase 2 parameters by pressing the Advanced button. Make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule at headquarters.

    (VPN IKE Advanced Setup page of the web configurator: Protocol; Enable Replay Detection; Local Start Port; Remote Start Port; Phase 1: Negotiation Mode= Main, Pre-Shared Key= 12345678, Encryption Algorithm= DES, Authentication Algorithm= MD5, SA Life Time (Seconds), Key Group= DH1; Phase 2: Active Protocol= ESP, Encryption Algorithm= DES, Authentication Algorithm= MD5, SA Life Time (Seconds), Encapsulation= Tunnel, Perfect Forward Secrecy (PFS)= NONE.)

    2. Set up the VPN in branch office B

    Be very careful about the remote IP addresses in branch office B. Because systems behind branch office B want to reach systems behind both branch office A and headquarters, we have to specify these two segments in the Remote section. However, if we summarise these two segments into one rule, the LAN segment of branch office B itself will also be included in that single rule, which means that communication inside branch office B would be sent into the VPN tunnel. To avoid this situation we need two separate
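The trap described above is a traffic-selector overlap: a Remote selector wide enough to cover both headquarters and branch A also covers branch B's own LAN, so intra-LAN traffic matches the VPN rule. The following is an added example, not ZyXEL code, that checks a set of Remote selectors against the local LAN and computes what the "two separate rules" must be. The addresses are constructed, since this page gives no numbers for the headquarters / branch A / branch B scenario.

```python
"""Added example (not ZyXEL code): detect VPN Remote selectors that swallow the
local LAN, and compute the split rules that avoid it."""
import ipaddress

# Constructed addresses for the three-site scenario
HQ_LAN = ipaddress.ip_network("192.168.1.0/24")
BRANCH_A_LAN = ipaddress.ip_network("192.168.2.0/24")
BRANCH_B_LAN = ipaddress.ip_network("192.168.3.0/24")   # the local side


def selector_problems(local_lan, remote_selectors):
    """One message per Remote selector that would pull local (intra-LAN)
    traffic into the tunnel, or that partially overlaps the local LAN."""
    problems = []
    for sel in map(ipaddress.ip_network, remote_selectors):
        if local_lan.subnet_of(sel):
            problems.append(f"{sel} contains the local LAN {local_lan}: "
                            "traffic between local hosts would enter the tunnel")
        elif sel.overlaps(local_lan):
            problems.append(f"{sel} partially overlaps the local LAN {local_lan}")
    return problems


def covering_summary(remote_lans):
    """The single smallest network covering all remote LANs, i.e. what you
    get by writing 'one rule' for them."""
    nets = [ipaddress.ip_network(n) for n in remote_lans]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def minimal_rules(remote_lans):
    """The fewest Remote selectors that cover exactly the remote LANs and
    nothing else: adjacent aligned blocks merge, everything else stays apart."""
    return sorted(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in remote_lans))


def split_remote(summary, local_lan):
    """If a summary contains the local LAN, the selectors to use instead are
    the summary with the local LAN carved out (smallest first, as strings)."""
    summary = ipaddress.ip_network(summary)
    if not local_lan.subnet_of(summary):
        return [str(summary)]
    return sorted(str(n) for n in summary.address_exclude(local_lan))


if __name__ == "__main__":
    one_rule = covering_summary([HQ_LAN, BRANCH_A_LAN])
    print("one summarised rule:", one_rule)
    print(selector_problems(BRANCH_B_LAN, [one_rule]))
    print("separate rules:", [str(n) for n in minimal_rules([HQ_LAN, BRANCH_A_LAN])])
    print("summary minus local LAN:", split_remote(one_rule, BRANCH_B_LAN))
```

For the constructed sites, the one-rule summary of 192.168.1.0/24 and 192.168.2.0/24 is 192.168.0.0/22, which contains branch B's 192.168.3.0/24; the check reports it, and the fix is the two separate /24 rules (carving the local LAN out of the summary would still drag in 192.168.0.0/24, which belongs to nobody).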
41.   ... Secure Gateway IP Addr= 62.2.237.177
      Select Command= None
      Select Rule= N/A

      Press ENTER to Confirm or ESC to Cancel
      Press Space Bar to Toggle

    Menu 27.1.1 - IPSec Setup

      Active= Yes
      My IP Addr= 217.[illegible].195.173
      Secure Gateway IP Addr= 62.2.237.177
      Protocol=
      Local:  IP Addr Start= 192.168.99.0      End/Subnet Mask= 255.255.255.0
              Port Start= 0                    End= N/A
      Remote: IP Addr Start= 177.16.16.90 (illegible in source)   End/Sub-net Mask= 255.255.255.0
              Port Start= 0                    End= N/A
      Enable Replay Detection= No
      Key Management= IKE
      Edit IKE Setup= No
      Edit Manual Setup= N/A

      Press ENTER to Confirm or ESC to Cancel

    Menu 27.1.1.1 - IKE Setup

      Phase 1
        Negotiation Mode= Aggressive
        Pre-Shared Key= [illegible]
        Encryption Algorithm= 3DES
        Authentication Algorithm= MD5
        SA Life Time (Seconds)= 9600
        Key Group= DH1
      Phase 2
        Active Protocol= ESP
        Encryption Algorithm= 3DES
        Authentication Algorithm= MD5
        SA Life Time (Seconds)= 3600
        Encapsulation= Tunnel
        Perfect Forward Secrecy (PFS)= None

      Press ENTER to Confirm or ESC to Cancel
      Press Space Bar to Toggle

    2. Set up the Checkpoint VPN

    Creating network objects: click New > Network and define the LAN segment of the P-202H Plus v2. Select External as the Location. Note: Internal and External refer to whether this netwo
42.   ... 255.255.255.0 in the Subnet Mask field. Then click OK to go back to the Add VPN Connection window.

    (Network Editor dialog: "Give networks and subnetworks custom names. You can later use the names when creating rules." Defined networks: IP address 192.168.1.0; New network: Network name, IP address, Subnet mask. Add VPN Connection dialog: Gateway name = zywall.dyndns.org, Remote network = ZyWALL, Authentication key = certificate; Diagnostics / Properties buttons.)

    11. In the SSH Sentinel Policy Editor (Security Policy tab, under VPN Connections) you will now see a new VPN connection "zywall.dyndns.org (ZyWALL)". Choose this item and press the Properties button.

    12. Choose the Settings button in the Remote endpoint section. Uncheck the boxes for "Acquire vir
43.     3   0.0.0.0   255.255.255.255   IGA3   M-1          (Server Set 2, IGA3, Server)
        4
        5
        ...
        10

      Press ESC or RETURN to Exit

    Step 3: Now we configure all other incoming traffic to go to our web server and mail server from Menu 15.2.2, NAT Server Setup, not Set 1 (Set 1 is used for the SUA Only case):

    Menu 15.2 - NAT Server Setup (Used for SUA Only)

      Rule   Start Port No.   End Port No.   IP Address
      ----   --------------   ------------   --------------
       1     Default          Default        0.0.0.0
       2     80               80             192.168.1.10
       3     25               25             192.168.1.11
       4     0                0              0.0.0.0
       5     0                0              0.0.0.0
       6     0                0              0.0.0.0
       7     0                0              0.0.0.0
       8     0                0              0.0.0.0
       9     0                0              0.0.0.0
      10     0                0              0.0.0.0
      11     0                0              0.0.0.0
      12     0                0              0.0.0.0

      Press ENTER to Confirm or ESC to Cancel

    4. Support for non-NAT-friendly applications

    Some servers providing Internet applications, such as some mIRC servers, do not allow several users to log in from the same IP address. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server with a unique global IP address. The following figure illustrates this:

      User 1 (ILA1) 192.168.1.10  --+
      User 2 (ILA2) 192.168.1.11  --+-- Prestige --- (one global IP per user)
      User 3 (ILA3) 192.168.1.12  --+

    One rule configured for the Many-to-Many No Overload mapping type is shown below:

    Menu 15.1.1.1 - Ru
44.   (end of a feature comparison table with three product columns; values as readable)
        4. 10/100M adapter(s)          2
        Remote Access Server
          Dial-in user support         Y          Y   Y
          RADIUS                       Y          Y   Y
          Connection                   Y          Y   Y
          SNMP                         Y (ZyNOS 2.50)   Y   Y
          Upload                       Y (ZyNOS V2.41)  Y   Y
          IP Policy Routing            Y (ZyNOS 2.50)   Y   Y
          Mega Bundle                  Y (ZyNOS 2.50)   Y   Y
          IP Alias                     Y (ZyNOS 2.50)   Y   Y
          Firewall                     Y   Y
          VPN                          Y   Y

    Firewall FAQ

    General

    1. What is a network firewall?
    A firewall is a system, or group of systems, that enforces an access control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. A firewall can be thought of as two mechanisms: one that blocks traffic and one that permits traffic.

    2. What makes the P-202H Plus v2 secure?
    The P-202H Plus v2 is pre-configured to automatically detect and thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, the LAND attack and IP spoofing. It also uses stateful packet inspection to determine whether an inbound connection is allowed through the firewall to the private LAN. The P-202H Plus v2 supports Network Address Translation (NAT), which translates the private local addresses to one or more public addresses. This adds a level of security, since the clients on the private LAN are not directly addressable from the Internet.

    3. What are the basic types of firewalls?
    Conceptually there are three types of firewalls:
      1. Packet Filtering Firewall
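The attack names in answer 2 each correspond to a concrete check on packet headers. The following is an added example, not the P-202H Plus v2's firmware logic: the detection rules for LAND, Ping of Death, IP spoofing on the WAN and a SYN flood, run over constructed packet records (dictionaries with the header fields each check needs). The thresholds and the LAN prefix are assumptions chosen for the sample.

```python
"""Added example (not ZyXEL firmware): the checks behind the DoS names in the
Firewall FAQ, over constructed packet records."""
import ipaddress
from collections import defaultdict

LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed LAN prefix


def is_land(pkt):
    """LAND: a SYN whose source and destination address and port are the
    victim's own, so the host answers itself."""
    return (pkt.get("syn", False) and pkt["src"] == pkt["dst"]
            and pkt.get("sport") == pkt.get("dport"))


def is_ping_of_death(frag):
    """Ping of Death: an ICMP fragment whose offset (8-byte units, as in the
    IP header) plus payload would reassemble to more than 65535 bytes."""
    return (frag["protocol"] == 1
            and frag["frag_offset"] * 8 + frag["payload_len"] > 65535)


def is_spoofed_on_wan(pkt, lan_net=LAN_NET):
    """IP spoofing: a packet arriving on the WAN interface whose source
    claims to be inside the LAN, or is loopback/unspecified."""
    src = ipaddress.ip_address(pkt["src"])
    return pkt["iface"] == "WAN" and (src in lan_net or src.is_loopback
                                      or src.is_unspecified)


class SynFloodDetector:
    """Track half-open connections per destination; flag a destination once
    more than `threshold` SYNs are unanswered inside `window` seconds."""

    def __init__(self, threshold=50, window=10.0):
        self.threshold, self.window = threshold, window
        self.half_open = defaultdict(dict)      # dst -> {(src, sport): SYN time}

    def observe(self, pkt):
        key, dst, now = (pkt["src"], pkt["sport"]), pkt["dst"], pkt["time"]
        table = self.half_open[dst]
        if pkt.get("syn") and not pkt.get("ack"):
            table[key] = now                    # new half-open entry
        elif pkt.get("ack"):
            table.pop(key, None)                # handshake completed
        for stale in [k for k, t in table.items() if now - t > self.window]:
            del table[stale]                    # forget entries outside the window
        return len(table) > self.threshold


# Constructed: 60 SYNs from one source with rising ports, never acknowledged
SYN_FLOOD_SAMPLE = [dict(src="203.0.113.7", sport=40000 + i, dst="192.168.1.10",
                         dport=80, syn=True, ack=False, time=i * 0.01)
                    for i in range(60)]


def run_syn_flood(packets, threshold=50, window=10.0):
    """Feed packets in order; return the per-packet flood verdicts."""
    det = SynFloodDetector(threshold, window)
    return [det.observe(p) for p in packets]


if __name__ == "__main__":
    print("LAND:", is_land(dict(src="203.0.113.5", dst="203.0.113.5",
                                sport=139, dport=139, syn=True)))
    print("Ping of Death:", is_ping_of_death(dict(protocol=1, frag_offset=8183,
                                                  payload_len=80)))
    print("spoofed on WAN:", is_spoofed_on_wan(dict(iface="WAN", src="192.168.1.20")))
    print("SYN flood first flagged at packet:", run_syn_flood(SYN_FLOOD_SAMPLE).index(True))
```

Each check is stateless except the SYN flood, which needs per-destination state and a window; that is the part stateful packet inspection adds over plain filtering. The half-open table is also where a flood exhausts memory, so a real implementation bounds its size.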
45.   5. Enter the WAN IP of the NETSCREEN in the IP Address field.
      6. Select the P-202H Plus v2 proposal configured above as the Phase 1 Proposal.

    (NETSCREEN-5, Phase 2 Proposal Configuration: Name= ZyWALL; Perfect Forward Secrecy= NO PFS; Encapsulation= Encryption (ESP), Encryption Algorithm= DES-CBC, Authentication Algorithm= MD5 (the Authentication Only (AH) alternative is not selected); Lifetime in time= 3600 Sec, in Kbytes= 0.)

      7. Enter 12345678 as the Preshared Key and click OK to save. See the screenshot (NetScreen Administration Tools at http://192.168.78.1/, Remote Tunnel Gateway Configuration: Gateway Name= NETSCREEN; Remote Gateway= Static IP Address, Peer ID optional; the Dynamic IP Address and Dialup User / User Group alternatives are not selected).
46.   80020001 80040001 80030001 800b0001 800c0e10
      In isadb_get_entry: nxt_pyld=1, exch=2
      New SA
      In responder: isadb_create_entry RESPONDER
      entering soGetPeerByAddr
      <deleted>

    (The five hex words are the ISAKMP Phase 1 transform attributes in TV form: 0x8002/1 = hash MD5, 0x8004/1 = DH group 1, 0x8003/1 = pre-shared key authentication, 0x800b/1 = life type seconds, 0x800c/0x0e10 = life duration 3600 seconds, matching the Menu 27.1.1.1 values.)

    4. View Log

    To view the log for IPSec and IKE connections, enter Menu 27.3, View IPSec Log. The log menu is also useful for troubleshooting; please capture it for us if necessary. The example shown below is a successful IPSec connection:

      Index   Date    Time       Log
      -----   ------  --------   ------------------------------------------------
       1      01 Jan  10:23:22   Cannot find outbound SA for rule <1>
       2      01 Jan  10:23:22   send Main Mode request to <168.10.10.66>
       3      01 Jan  10:23:22   Send <SA>
       4      01 Jan  10:23:22   Recv <SA>
       5      01 Jan  10:23:24   Send <KE><NONCE>
       6      01 Jan  10:23:24   Recv <KE><NONCE>
       7      01 Jan  10:23:26   Send <ID><HASH>
       8      01 Jan  10:23:26   Recv <ID><HASH>
       9      01 Jan  10:23:26   Phase 1 IKE SA process done
      10      01 Jan  10:23:26   Start Phase 2: Quick Mode
      11      01 Jan  10:23:26   Send <HASH><SA><NONCE><ID><ID>
      12      01 Jan  10:23:26   Recv <HASH><SA><NONCE><ID><ID>
      13      01 Jan  10:23:26   Send <HASH>

      Clear IPSec Log (y/n):

    P-202H Plus v2 to Cisco Tunneling

    This page guides us through setting up a VPN connection between a P-202H Plus v2 and a Cisco router. As the figure shows, the tunnel between the P-202H Plus v2 and the Cisco router ensures th
47.   9. How do I do a call transfer?
      Call Transfer allows you to transfer an active call to a third party. This service must be subscribed to from your telephone company.
      Transferring an active call to a third party:
        - Once you have an active call (Caller A), press the Flash key to put Caller A on hold and receive a dial tone.
        - Dial the third party's phone number (Caller B).
        - When you are ready to conference the two calls together, press the Flash key for a Three-Way Conference call.
        - Hang up the phone. The ISDN network does an implicit transfer and directly connects Caller A with Caller B.

      10. How do I do a blind call transfer?
        - Once you have an active call (Caller A), press the Flash key to put the existing call on hold and receive a dial tone.
        - Dial the third party's phone number (Caller B).
        - Before Caller B picks up the call, transfer it by pressing the Flash key. The call is transferred automatically.

      11. What is call forwarding and how do I do it?
      Call forwarding means the switch will ring another number, at the place where you will be, when someone dials your directory number. There are two ways to activate call forwarding; either should work, and you can use whichever you are most comfortable with. The first is exactly the same as on an analog line: you pick up the handset and dial the access code assigned by your telephone company followed by the number to which you want calls forwarded. Check with your telephone company
48.   (NetScreen Administration Tools at http://192.168.78.1/, NETSCREEN-5, Outgoing policy configuration)
        Name (optional)= ; Source Address= Local Secure Host; Destination Address= Remote Secure Host; Service= ANY
        NAT= Off (the DIP / Fix Port options are left unset)
        Action= Tunnel; VPN Tunnel= ZyWALL; L2TP= None; Authentication= (unchecked)
        Logging= Enable; Counting= Enable; Alarm Threshold= 0 Bytes/Sec, 0 Bytes/Min; Schedule= None
        Traffic Shaping= Off (Guaranteed Bandwidth 0 kbps, Maximum Bandwidth 0 kbps, Traffic Priority= Low priority, DS Codepoint Marking not enabled)

      After saving, the Outgoing policy list (Policy > Outgoing) shows one entry:
        ID  Source             Destination         Service  NAT  Action   Option
        1   Local Secure Host  Remote Secure Host  ANY      N/A  Tunnel   Edit

      8. Click the Policy menu and click the Incoming tab.
49. 202H Plus v2 router in SUA mode and enter this IP address in the VPN dial-up dialog box. You can check this Internet IP address from PNC Monitor or SMT Menu 24.1. If the Internet IP address is a fixed IP address provided by the ISP in SUA mode, then you can always use this IP address for reaching the VPN server. In the following example, the IP address 140.113.1.225 is dynamically assigned by the ISP. You must enter this IP address in the VPN Server dialog box for reaching the PPTP server. After the VPN link is established, you can start the network protocol applications such as IP, IPX and NetBEUI.
[Screenshot: Windows Connect To dialog. User name: pptp; Password; VPN server: 140.113.1.225]
Configure an Internal Server Behind SUA
[Diagram: Remote client, Prestige, Web Server]
- Introduction
If you wish, you can make internal servers (e.g. Web, FTP or mail server) accessible to outside users, even though SUA makes your LAN appear as a single machine to the outside world. A service is identified by the port number. Also, since you need to specify the IP address of a server in the P-202H Plus v2, a server must have a fixed IP address and not be a DHCP client whose IP address potentially changes each time it is powered on. In addition to the servers for specific services, SUA supports a
50.                           D NT R SAPI 0 TEI 97 RR P/F 0 NR 3
    00:00:12.75  12 bytes LAPD  D NT C SAPI 0 TEI 97 INFO P 0 NR 3 NS 3
                  4 bytes Layer 3  Dest-> CallRef 1 PD Q.931 RELEASE
                  1  00001000  INFORMATION ELEMENT: Cause
                  2  00000010  IE length: 2 bytes
                  3  1-------  Extension bit: not continued
                     -00-----  Coding standard: CCITT coding standard
                     ---0----  Spare
                     ----0000  Location: user
                  4  1-------  Extension bit: not continued
                     -0010000  Cause Value: normal call clearing
    00:00:12.76   4 bytes LAPD  D TE R SAPI 0 TEI 97 RR P/F 0 NR 4
    00:00:12.76   8 bytes LAPD  D TE C SAPI 0 TEI 97 INFO P 0 NR 4 NS 3
                  0 bytes Layer 3  Orig-> CallRef 1 PD Q.931 RLS COMPLE
    00:00:12.77   4 bytes LAPD  D NT R SAPI 0 TEI 97 RR P/F 0 NR 4
    P-202H Plus v2>
2. Using ZyXEL PPP Analyzer
- Introduction
The P-202H Plus v2 supports tracing the PPP log. We can diagnose from the trace by referring to the PPP numbers, or use the ZPKT TOOL to interpret it for us. The P-202H Plus v2 ZPKT TOOL is a DOS utility that interprets the dump of the PPP log from the P-202H Plus v2. A PPP call connection failure can be diagnosed by using the P-202H Plus v2's PPP protocol analyzer.
- Using PPP Protocol Analyzer
You must connect the P-202H Plus v2 to a terminal program via the serial port to capture the PPP log. The PPP log will not operate over Telnet. The steps for capturing the PPP log are as follows:
- Enter to SM
51. [Screenshot: VPN rule (web configurator), lower part. Encryption Algorithm: DES; Authentication Algorithm: SHA1; SA Life Time (Seconds): 28800; Encapsulation: Tunnel; Perfect Forward Secrecy (PFS): NONE; Apply / Cancel]
If you use SMT management, the VPN configuration is as shown below.
    Menu 27.1.1 - IPSec Setup
    Index= 1                     Name= To Linux
    Active= Yes                  Keep Alive= No
    Local ID type= IP            Content= 4.4.0.4
    My IP Addr= 202.132.170.1
    Peer ID type= IP             Content= 4.4.4.4
    Secure Gateway Addr= 65.170.185.111
    Protocol=
    Local:  Addr Type= SUBNET
            IP Addr Start= 192.168.0.0     End/Subnet Mask= 255.255.255
            Port Start= 0                  End= N/A
    Remote: Addr Type= SUBNET
            IP Addr Start= 192.168.10.0    End/Subnet Mask= 255.255.255.0
            Port Start= 0                  End= N/A
    Enable Replay Detection= No
    Key Management= IKE
    Edit Key Management Setup= No
    Press ENTER to Confirm or ESC to Cancel:
1. Edit the IKE settings by setting the Edit Key Management Setup option in Menu 27.1.1 to Yes (press the space bar) and then pressing Enter.
2. There are two phases for IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate the IPSec SAs which are used for data transmission. Please note that Linux FreeS/WAN only supports 3DES as the encryption algorithm and DH2 or higher as the key exchange group.
52. ...Denial of Service (DoS) attack?
7. What is a Ping of Death attack?
8. What is a Teardrop attack?
9. What is a SYN Flood attack?
10. What is a LAND attack?
11. What is a Brute-force attack?
12. What is an IP Spoofing attack?
13. What are the default ACL firewall rules in the P-202H Plus v2?
14. Why is a static policy route blocked by the P-202H Plus v2?
1. How do I configure the firewall?
2. How do I prevent others from configuring my firewall?
3. Can I use a browser to configure my P-202H Plus v2?
4. Why can't I configure my router using Telnet over WAN?
5. Why can't I upload the firmware and configuration file using FTP over WAN?
6. Why can't I configure my router using Telnet over LAN?
7. Why can't I upload the firmware and configuration file using FTP over LAN?
53. [Screenshot residue: ... BACP OK]
Internet connection verification steps:
- Set up Menu 4 for Internet Access.
- Perform a connection test after you save Menu 4.
- You should see the call connected, LCP up (or opened), CHAP/PAP login OK, and IPCP up (or opened).
Internet connection test failed:
- Set up Menu 4 for Internet Access.
- Perform a connection test after you save Menu 4. You could get the following errors:
    Cannot make outcall
    Call didn't connect. Try again later and also verify the phone number.
    Login to remote failed
    IP address been rejected by your ISP
    ISDN protocol mismatch
    Disconnect by far end
    Other unknown reason
Some common problem troubleshooting examples:
Cannot make outcall
    Dial no number. This could mean that your ISDN line is not up.
    Dial Fail: LINK IS NOT AVAILABLE. This could mean that your two channels are connected to other sites, or the A/B adapter is in use.
Call didn't connect. Try again later and also verify the phone number.
    Dialing chan<1> phone(last 9-digit): 40202
    Hit any key to continue
    Dial no answer. This means the far end is not answering.
    Dialing chan<1> phone(last 9-digit): 40202
    Hit any key to continue
    Dial busy. This means the far end is busy. D
54. [Screenshot: VPN client IPSEC Tunnel list (Tunnel Name, Client IP, Outbound Interface, Subnet mask; Connect / Disconnect) and log window: 09/19/2002 3:59:38 PM keygen Generated 2046-bit key; 09/19/2002 3:59:38 PM keygen Generated 2046-bit key; 09/19/2002 3:59:34 PM keygen Generating 2046-bit key; 09/19/2002 3:59:33 PM keygen Generated 1024-bit key]
2. Define an IPSEC tunnel. Give this tunnel a name, "P-202H Plus v2" for example. Specify the VPN Gateway IP Address as 172.21.1.252. Tunnel Applies to: All network connections. Uncheck "Enable IP Address assignment and WINS/DNS via VPN Gateway".
[Screenshot: Tunnel Properties dialog, General tab. Tunnel properties for ZyWALL; VPN Gateway IP Addresses (or domain names): 172.21.1.252; User Identifier (domain name, email address, etc.); Tunnel Applies to: All network connections / specific outbound interface (PCMCIA Fast Ethernet Attached, 172.21.2.1)]
3. Select the Security Associations tab. Press Add to edit the IP address of the remote VPN network: IP Address 192.168.1.0, Subnet Mask 255.255.255.0, Protocol ALL, Port ALL. Then set the Phase 2 parameters: AH None, Authentication HMAC-MD5, Encryption DES (56-bit key), and uncheck Transport mode. Specify the Phase 2 SA life time you would like to use. Click OK to save the settin
55. ...Filter Sets: protocol filters= , device filters=
    Call Filter Sets: protocol filters= , device filters=
A filter for blocking the web connections from LAN
- Introduction
If you want to avoid an outbound Web request triggering a call to the remote web server, you can configure a call filter set in the P-202H Plus v2 to block this packet. After the call filter is applied, the Web packet will no longer trigger the call to your ISP or remote node. However, when the call is triggered by other packets and the Internet connection is established, the workstations are then able to access Web pages.
- Configuration
Before configuring a filter, you need to know the following information:
1. The outbound packet type (protocol & port number)
2. The source IP address
Generally, the outbound packets for the Web service could be as follows:
a. HTTP packet: TCP (06) protocol with port number 80
b. DNS packet: TCP (06) protocol with port number 53, or
c. DNS packet: UDP (17) protocol with port number 53
For all workstations on the LAN, the source IP address will be 0.0.0.0. Otherwise, you have to enter the IP address of the workstation you want to block. See the procedure for configuring this filter below.
  o Create a filter set in Menu 21, e.g. set 1.
  o Create three filter rules in Menu 21.1.1, Menu 21.1.2 and Menu 21.1.3:
    Rule 1: block the HTTP packe
56. ...Forward Secrecy (PFS)= None
    Press ENTER to Confirm or ESC to Cancel:
Network Diagram Key
In our network diagram figures, a dotted line indicates a logical connection (i.e. the two devices are not physically attached), a solid line indicates a physical connection (i.e. there is a physical link between the two devices and they are directly attached), and a pipe indicates a secure connection between two devices.
2. P-202H Plus v2 vs 3rd Party VPN Gateway
P-202H Plus v2 to P-202H Plus v2 Tunneling
This page guides us in setting up a VPN connection between two P-202H Plus v2 routers. Please note that in addition to P-202H Plus v2 to P-202H Plus v2, the P-202H Plus v2 can also talk to other VPN hardware. The tested VPN hardware is shown below:
- Cisco 1720 Router, IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES
- NetScreen-5, ScreenOS 2.6.0r6
- SonicWALL SOHO 2
- WatchGuard Firebox II
- ZyXEL VPN solution
- Avaya VPN
- Netopia VPN
- III VPN
As the figure below shows, the tunnel between P-202H Plus v2 1 and P-202H Plus v2 2 ensures that the packets flowing between PC 1 and PC 2 are secure, because the packets going through the IPSec tunnel are encrypted. To achieve this VPN tunnel, the settings required for each P-202H Plus v2 are explained in the following sections.
[Diagram: Prestige A -- IPSec Tunnel -- Prestige B]
The IP addresses we use in thi
57. ...IKE proposal: Encryption algorithm DES, Integrity function MD5, IKE mode main mode, IKE group MODP 768 (group 1); and IPSec proposal: Encryption algorithm DES, Integrity function HMAC-MD5, PFS group none.
[Screenshot: Proposal Parameters. IKE: main mode, MODP 768 (group 1), DES, HMAC-MD5]
14. Press Apply to save all of the settings.
[Screenshot: SSH Sentinel Policy Editor, Security Policy tab. Pre-IPSec Filter; VPN Connections: 172.21.1.252 (ZyWALL); Secured Connections; Secured Networks; Default Response; Post-IPSec Filter; Add / Remove / Properties / Diagnostics; Description]
15. Initiate the VPN connection from Sentinel by selecting your VPN connection from the Select VPN item.
Note:
A. When building a VPN between Sentinel and the P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Please always initiate the tunnel from Sentinel.
B. The VPN tunnel on Sentinel can't be initiated by triggering packets such as ping, FTP, Telnet, HTTP, etc. You can only initiate the VPN tunnel by choosing Select VPN from the SSH Sentinel tray.
58. ...IPCP opened
    260465 PP09 FSM DOWN state 9
    260465 PP09 LCP closed
    260465 PP09 FSM DOWN state 9
    260465 PP09 IPCP closed
    260465 PP09 FSM DOWN state 1
    260465 PP09 FSM DOWN state 1
    260465 PP09 FSM DOWN state 1
    260465 PP09 FSM DOWN state 0
    260465 PP09 FSM DOWN state 0
    260465 PP09 FSM DOWN state 0
    260465 PP09 FSM DOWN state 0
    260465 PP09 FSM DOWN state 0
    260465 PP09 FSM DOWN state 0
    260465 PP09 FSM DOWN state 1
    260465 PP09 PPP down chan<0> 0
    Program Trace Switch OFF
    Packet Trace Switch OFF
    P-202H Plus v2>
Copy and paste the trace into an editor and save it as a text file. Run the ZPKT TOOL program to interpret the PPP log. To understand the detailed trace, please refer to the PPP numbers.
[Screenshot: MS-DOS Prompt running ZyXEL ZPKTTOOL Ver 0.13 981030 (Load Log / Save Log)]
3. LAN/WAN Packet Trace
The P-202H Plus v2 records a packet trace and analyzes packets running on the LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on the LAN or WAN end of the P-202H Plus v2. It is also very helpful for diagnostics if you have compatibility problems with your ISP, or if you want to know the details of a packet for configuring a filter rule. The format of the display is as follows:
Packet O
59. ...    IP Mask= 0.0.0.0
    Port #=
    Port # Comp= None
    TCP Estab= No
    More= No            Log= None
    Action Matched= Drop
    Action Not Matched= Forward
    Press ENTER to Confirm or ESC to Cancel:
- When the two rules are completed, you can see the rule summary in Menu 21.1.
    Menu 21.3 - Filter Rules Summary
    # A Type  Filter Rules                                 M m n
    1 Y IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=20          N D N
    2 Y IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21          N D F
- Choose the remote node where you want to block the inbound FTP connections, and apply the filter set in Menu 11.5 by setting Edit Filter Sets to Yes.
    Menu 11.1 - Remote Node Profile
    Rem Node Name= hinet                  Edit PPP Options= No
    Active= Yes                           Rem IP Addr= 0.0.0.0
    Call Direction= Outgoing              Edit IP= No
    Incoming:                             Telco Option:
      Rem Login= N/A                        Transfer Type= 64K
      Rem Password= N/A                     Allocated Budget(min)=
      Rem CLID= N/A                         Period(hr)=
      Call Back= N/A                        Carrier Access Code=
    Outgoing:                               Nailed-Up Connection= No
      My Login= masterbc                    Toll Period(sec)= 0
      My Password=
      Authen= CHAP/PAP                    Session Options:
      Pri Phone #= 4125678                  Edit Filter Sets= Yes
      Sec Phone #=                          Idle Timeout(sec)= 300
    Press ENTER to Confirm or ESC to Cancel:
- Put the filter set number 3 into the Input Protocol Filter Set in Menu 11.5 to activate the FTP_WAN filter.
    Menu 11.5 - Remote Node Filter
    Input Filter Sets: protocol filters= 3, device filters=
    Output
60. Menu 13.1
    Menu 13.1 - Default Dial-in Filter
    Input Filter Sets:  protocol filters= , device filters=
    Output Filter Sets: protocol filters= , device filters=
SMT will also prevent you from entering a protocol filter set configured in Menu 21 into the device filters field in Menu 3.1, 11.5 or 13.1, or entering a device filter set into the protocol filters field. Even though SMT prevents the inconsistency from being entered, ZyNOS is unable to resolve the intermixing problems existing in filter sets that were configured before. Instead, when ZyNOS translates the old configuration into the new format, it verifies the filter rules and logs the inconsistencies. Please check the system log (Menu 24.3.1) before putting your device into use.
Running the P-202H Plus v2 with wrong filter rules may cause it to keep the ISDN line perpetually active and/or allow undesired traffic to pass to the outside world and receive unwanted outside traffic. The first case may incur an enormous ISDN bill; the second may lead to a data security hazard. In order to avoid operational problems later, the P-202H Plus v2 will disable its routing/bridging functions if there is an inconsistency among its filter rules.
How do I know what packet is triggering the call?
If the user already knows the protocol type, the source port and the IP address of the
61.     Menu 21.1.2 - Generic Filter Rule
    Filter #= 1,2
    Filter Type= Generic Filter Rule
    Active= Yes
    Offset= 6
    Length= 6
    Mask= ffffffffffff
    Value= 0080c810234a
    More= No            Log= None
    Action Matched= Drop
    Action Not Matched= Forward
You can now apply it to the General Ethernet Setup in Menu 3.1. Please note that the Generic Filter can only be applied to the Device Filter, not the Protocol Filter that is used for configuring the TCP/IP and IPX filters.
    Menu 3.1 - General Ethernet Setup
    Input Filter Sets:  protocol filters= , device filters= 1
    Output Filter Sets: protocol filters= , device filters=
A filter for blocking the NetBIOS packets
- Introduction
The NetBIOS packets contain port numbers and need to be blocked in this case. They are port numbers 137, 138 and 139 with the UDP or TCP protocol. In addition, the NetBIOS packet used to look for a remote DNS server can also trigger the call. Therefore, the filter rules should cover the above packets.
- Configuration
The packets which need to be blocked are as follows. Please configure two filter sets, with 4 and 2 rules respectively, based on the following packets in SMT Menu 21.
Filter Set 1:
  o Rule 1: Destination port number 137 with protocol number 6 (TCP)
  o Rule 2: Destination port number 137 with protocol number 17 (UDP)
  o Rule 3: Destination port number
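The filter sets described on this page (the HTTP/DNS call filter in item 55, the FTP_WAN set with its "N D N" / "N D F" actions in item 59, and the Generic rule here that matches a source MAC at offset 6) can be checked against real frames before they are typed into Menu 21. The Python below is an added example, not ZyXEL code: it models the rule fields and the More / Action Matched / Action Not Matched chaining as the Support Notes describe them, and runs the sets over constructed test frames (checksums are left zero because filters never read them; the 192.168.1.5 host rule is a constructed variant of the per-workstation case).

```python
"""Evaluate SMT Menu 21 style filter sets over raw Ethernet frames (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
import struct
from typing import Optional

CHECK_NEXT, FORWARD, DROP = "check next", "forward", "drop"
TCP, UDP = 6, 17


@dataclass
class IpRule:
    """TCP/IP Filter Rule: the Protocol, Source IP, Dest Port and action fields."""
    protocol: int                  # IP protocol number (6 = TCP, 17 = UDP)
    dest_port: Optional[int]       # None = any destination port
    source_ip: str = "0.0.0.0"     # 0.0.0.0 = all workstations (page convention)
    more: bool = False             # More= Yes: a matched packet goes on to the next rule
    matched: str = DROP            # Action Matched
    not_matched: str = CHECK_NEXT  # Action Not Matched

    def matches(self, frame: bytes) -> bool:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            return False                                  # not an IPv4 frame
        ihl = (frame[14] & 0x0F) * 4                      # IP header length
        if frame[23] != self.protocol:
            return False
        if self.source_ip != "0.0.0.0" and IPv4Address(frame[26:30]) != IPv4Address(self.source_ip):
            return False
        if self.dest_port is None:
            return True
        if self.protocol not in (TCP, UDP):
            return False
        return struct.unpack_from("!H", frame, 14 + ihl + 2)[0] == self.dest_port


@dataclass
class GenericRule:
    """Generic Filter Rule: compare Length bytes at Offset, under Mask, with Value."""
    offset: int
    length: int
    mask: str                      # hex, as typed in Menu 21.1.x
    value: str                     # hex, as typed in Menu 21.1.x
    more: bool = False
    matched: str = DROP
    not_matched: str = FORWARD

    def matches(self, frame: bytes) -> bool:
        window = frame[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False
        mask, value = bytes.fromhex(self.mask), bytes.fromhex(self.value)
        return all((b & m) == (v & m) for b, m, v in zip(window, mask, value))


def evaluate(frame: bytes, rules) -> str:
    """Walk the rules in order; a set that reaches the end without deciding forwards."""
    for rule in rules:
        if rule.matches(frame):
            if rule.more:
                continue                # Action Matched is not used when More= Yes
            action = rule.matched
        else:
            action = rule.not_matched
        if action != CHECK_NEXT:
            return action
    return FORWARD


def make_frame(src_mac: str, src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4 test frame with a minimal 20-byte TCP or UDP header."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, proto, 0,
                            IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    l4_header = struct.pack("!HH", sport, dport) + bytes(16)
    router_mac = bytes.fromhex("00a0c5921311")           # destination: the router (from the trace)
    return router_mac + bytes.fromhex(src_mac) + b"\x08\x00" + ip_header + l4_header


# Filter sets as configured on this page.
FTP_WAN = [IpRule(TCP, 20, matched=DROP, not_matched=CHECK_NEXT),   # 1 Y IP Pr=6 DP=20  N D N
           IpRule(TCP, 21, matched=DROP, not_matched=FORWARD)]      # 2 Y IP Pr=6 DP=21  N D F
WEB_CALL_FILTER = [IpRule(TCP, 80), IpRule(TCP, 53), IpRule(UDP, 53, not_matched=FORWARD)]
BLOCK_MAC = [GenericRule(offset=6, length=6, mask="ffffffffffff", value="0080c810234a")]
ONE_HOST_WEB = [IpRule(TCP, 80, source_ip="192.168.1.5", not_matched=FORWARD)]  # constructed

if __name__ == "__main__":
    syn = make_frame("0080c84cea63", "192.168.1.2", "192.31.7.130", TCP, 1116, 80)
    print("web call filter:", evaluate(syn, WEB_CALL_FILTER))      # drop
    print("MAC filter:", evaluate(syn, BLOCK_MAC))                 # forward (different MAC)
```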
62. ...    My WAN Addr= 0.0.0.0
    NAT= SUA Only
    Address Mapping Set= N/A
    Metric= 2
    Private= No
    RIP Direction= Both
    Version= RIP-2B
    Press ENTER to Confirm or ESC to Cancel:
Step 1: Enter 11 from the Main Menu.
Step 2: Move the cursor to the Edit IP field, press the SPACEBAR to toggle the default No to Yes, then press ENTER to bring up Menu 11.3 - Remote Node Network Layer Options.
The following table describes the options for Network Address Translation.
Field: Network Address Translation
- Option: Full Feature. Description: When you select this option, the SMT will use Address Mapping Set 1 (Menu 15.1; see later for further discussion).
- Option: None. Description: NAT is disabled when you select this option.
- Option: SUA Only. Description: When you select this option, the SMT will use Address Mapping Set 255 (Menu 15.1; see later for further discussion). This option is basically Many-to-One Overload mapping. Select Full Feature when you require other mapping types. It is a convenient, pre-configured, read-only Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions. Note that there is also a Server type whose IGA is 0.0.0.0 in this set.
Table: Applying NAT in Menu 4 and Menu 11.3
2. Configuring NAT
To configure NAT, enter 15 from the Main Menu to bring up the following screen.
63. ...    Name= SUA (Read Only)
    Idx  Local Start IP   Local End IP      Global Start IP  Global End IP  Type
    ---  --------------   ---------------   ---------------  -------------  -----
     1.  0.0.0.0          255.255.255.255   0.0.0.0                         M-1
     2.  Server Set 1                       0.0.0.0                         Server
     3.
     4.
     5.
     6.
     7.
     8.
     9.
    10.
    Press ESC or RETURN to Exit.
The following table explains the fields in this screen. Please note that the fields in this menu are read-only. The Type, Local and Global Start/End IPs are normally configured in Menu 15.1.1.1 (described later), and the values are displayed here in this read-only menu.
- Set Name: This is the name of the set you selected in Menu 15.1, or enter the name of a new set you want to create. Example: SUA
- Idx: This is the index or rule number. Example: 1
- Local Start IP: This is the starting local IP address (ILA). Example: 0.0.0.0 for the Many-to-One type
- Local End IP: This is the ending local IP address (ILA). If the rule is for all local IPs, then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255. Example: 255.255.255.255
- Global Start IP: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP. Example: 0.0.0.0
- Global End IP: This is the ending global IP address (IGA). Example: N/A
- Type: This is the NAT mapping type. Example: Many-to-One and Server
64. ...See the VPN rule screen shot.
[Screenshot: ZyXEL web configurator, VPN Setup. Active: checked; IPSec Key Mode: IKE; Negotiation Mode: Main; Local Address Type: Subnet Address, Start Address 192.168.1.0, End Address/Subnet Mask 255.255.255.0; Remote Address Type: Range Address, Start Address 0.0.0.0, End Address 0.0.0.0; My IP Address: 172.21.1.252; Secure Gateway IP Address: 0.0.0.0; Encapsulation Mode: Tunnel; Security Protocol: ESP; Pre-shared Key: 12345678; Encryption Algorithm: DES; Authentication Algorithm: MD5]
Set the IKE Phase 1 and Phase 2 parameters.
[Screenshot: ZyXEL web configurator, VPN IKE Advanced Setup. Enable Replay Detection: No; Local Start Port 0, End 0; Remote Start Port 0, End 0. Phase 1: Negotiation Mode Main, Pre-Shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds), Key Group DH1. Phase 2: Active Protocol ESP, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Sec]
65. ...P-202H Plus v2 B. Source IP Address Start and Source IP Address End are PC 1's IP (in this example, the secure host behind P-202H Plus v2 A). Destination IP Address Start and Destination IP Address End are PC 2's IP (in this example, the secure remote host). My IP Addr is the WAN IP of P-202H Plus v2 A. Secure Gateway IP Addr is the remote secure gateway IP, that is, the WAN IP of P-202H Plus v2 B in this example.
10. Set Encapsulation Mode to Tunnel.
11. Check the ESP check box (AH cannot be used in the SUA/NAT case).
12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in P-202H Plus v2 B.
13. Enter the key string 12345678 in the Pre-shared Key text box and click Apply.
See the screen shot:
[Screenshot: ZyXEL web configurator, VPN IKE / IPSec Setup. Active: checked; Keep Alive; Name: Prestige; IPSec Key Mode: IKE; Negotiation Mode: Main. Local: Address Type Single, IP Address Start <PC1 IP>, End/Subnet Mask 0.0.0.0. Remote: Address Type Single, IP Address Start <PC2 IP>, End/Subnet Mask 0.0.0.0. Local ID Type: IP, Content 0.0.0.0; My IP Address: <A WAN IP>; Peer ID Type: IP, Content 0.0.0.0; Secure Gateway IP Address: <B WAN IP>; Encapsulation Mode: Tunnel; Security Protocol]
66. ...PDI1 dialer: Call CONNECT speed<64000> chan<1> prot<1>
    104 fe8eb8   0 POU1 ebp 4aa00 seqNum 17: PPP1 XMIT 24 len 40
      0000: ff 03 c0 21 01 12 00 24 01 04 05 f4 02 06 00 00
      0010: 00 00 08 02 0d 03 06 11 04 05 f4 13 09 03 00 a0
    105 fe3f30   0 PNET ebp 4aa30 seqNum 18: PPP1 RECV 24 len 42
      0000: ff 03 c0 21 01 30 00 26 01 04 05 f4 02 06 00 00
      0010: 00 00 03 05 c2 23 05 08 02 11 04 05 f4 13 09 03
    106 fe3f8a   0 POU1 ebp 4aa60 seqNum 19: PPP1 XMIT 24 len 42
      0000: ff 03 c0 21 02 30 00 26 01 04 05 f4 02 06 00 00
      0010: 00 00 03 05 c2 23 05 08 02 11 04 05 f4 13 09 03
    107 fe3f44   0 PNET ebp 4aa90 seqNum 1a: PPP1 RECV 24 len 40
      0000: ff 03 c0 21 02 12 00 24 01 04 05 f4 02 06 00 00
      0010: 00 00 08 02 0d 03 06 11 04 05 f4 13 09 03 00 a0
    108 fe3f44 186 PNET ppp: LCP up
    109 fe3fc6   0 PNET ebp 4aac0 seqNum 1b: PPP1 RECV 24 len 15
      0000: c2 23 01 11 00 0d 08 00 00 48 e4 00 04 fc 6c
    110 fe3fc6 190 PNET ppp: CHAP send response
    111 fe3fd0   0 POU1 ebp 4aaf0 seqNum 1c: PPP1 XMIT 24 len 28
      0000: c2 23 02 11 00 1a 10 ce f1 4c 9f fe 01 a9 85 04
      0010: bb 0b 51 e5 17 3e 5e 50 32 38 36 34
    112 fe4002   0 PNET ebp 4ab20 seqNum 1d: PPP1 RECV 24 len 13
      0000: c2 23 03 11 00 0b 57 65 6c 63 6f 6d 65
    113 fe4002 195 PNET ppp: CHAP login to remote OK
    114 fe400c   0 PNET ebp 4ab50 seqNum 1e: PPP1 RECV 24 len 8
      0000: c0 29 01 32 00 06 01 02
    115 fe400c   0 POU1 ebp 4ab80 seqN
67. 5. Using FTP to Upload Firmware and Configuration Files
In addition to uploading the firmware and configuration file via the console port and a TFTP client, you can also upload the firmware and configuration files to the P-202H Plus v2 using FTP. To use this feature, your workstation must have FTP client software. There are two examples, as shown below.
1. Using the FTP command in a terminal
Step 1: Use the FTP client on your workstation to connect to the P-202H Plus v2 by entering the IP address of the P-202H Plus v2.
Step 2: Press the Enter key to skip the username, because the P-202H Plus v2 does not check the username.
Step 3: Enter the SMT password as the FTP login password (the default is 1234).
Step 4: Enter the command "bin" to set the transfer type to binary.
Step 5: Use the "put" command to transfer the file to the P-202H Plus v2.
Note: The remote file name for the firmware is "ras" and for the configuration file is "rom-0" (rom-zero, not capital o).
Example:
    C:\temp>ftp 202.132.155.97
    Connected to 202.132.155.97.
    220 FTP version 1.0 ready at Thu Jan 1 00:02:09 1970
    User (202.132.155.97:(none)): <Enter>
    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type OK
    ftp> put p202e.bin ras
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 924512 bytes sent in 4.83Seconds 191.41Kbytes/sec.
    ftp>
Here the p202e.b
68. ...91  Invalid transit network selection
    95  Invalid message, unspecified
Protocol Error (e.g. unknown message) Class
    96  Mandatory information element is missing
    97  Message type non-existent or not implemented
    98  Message not compatible with call state, or message type non-existent or not implemented
    99  Information element non-existent or not implemented
    100 Invalid information element contents
    101 Message not compatible with call state
    102 Recovery on timer expiry
    111 Protocol error, unspecified
Interworking Class
    127 Interworking, unspecified
2. PPP Numbers
POINT-TO-POINT PROTOCOL FIELD ASSIGNMENTS
PPP DLL PROTOCOL NUMBERS
The Point-to-Point Protocol (PPP) Data Link Layer [146, 147, 175] contains a 16-bit Protocol field to identify the encapsulated protocol. The Protocol field is consistent with the ISO 3309 (HDLC) extension mechanism for Address fields. All Protocols MUST be assigned such that the least significant bit of the most significant octet equals 0 and the least significant bit of the least significant octet equals 1.
- Network Layer Numbers
    Value (in hex)  Protocol Name
    0001            Padding Protocol
    0003 to 001f    reserved (transparency inefficient)
    0021            Internet Protocol version 4
    0023            OSI Network Layer
    0025            Xer
    0027
    0029
    002b
    002d
    002f
    0031
    0033
    0035
    0037
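The CHAP exchange captured in the PPP log of item 66 can be decoded by hand from these protocol numbers. The Python below is an added example, not ZyXEL's ZPKT TOOL: it applies the assignment rule quoted above (LSB of the high octet 0, LSB of the low octet 1) to the Protocol field, strips the optional ff 03 address/control prefix, and decodes the three CHAP frames copied from that log. The CHAP code names are from RFC 1994, and the 0xc029 entry (CBCP) comes from the IANA PPP assignments rather than from this page.

```python
"""Decode PPP frames from the P-202H Plus v2 PPP log (added example)."""
import struct

# PPP DLL protocol numbers used here. 0xc029 (CBCP) is from the IANA list, not this page.
PROTOCOL_NAMES = {0x0021: "IPv4", 0x8021: "IPCP", 0xC021: "LCP",
                  0xC023: "PAP", 0xC223: "CHAP", 0xC029: "CBCP"}
CHAP_CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}   # RFC 1994


def valid_protocol_number(proto: int) -> bool:
    """Assignment rule quoted in the text: high-octet LSB must be 0, low-octet LSB must be 1."""
    return (proto >> 8) & 1 == 0 and proto & 1 == 1


def split_ppp(frame: bytes):
    """Return (protocol, information) after stripping an optional HDLC ff 03 prefix."""
    if frame[:2] == b"\xff\x03":            # address/control not compressed (seen on LCP frames)
        frame = frame[2:]
    if len(frame) < 2:
        raise ValueError("frame too short for a Protocol field")
    proto = struct.unpack_from("!H", frame)[0]
    if not valid_protocol_number(proto):
        raise ValueError(f"invalid PPP protocol number {proto:#06x}")
    return proto, frame[2:]


def decode_chap(info: bytes) -> dict:
    """Decode the CHAP Code / Identifier / Length header and the code-specific body."""
    if len(info) < 4:
        raise ValueError("CHAP packet shorter than its fixed header")
    code, ident, length = struct.unpack_from("!BBH", info)
    if length < 4 or length > len(info):
        raise ValueError("CHAP Length field does not fit the frame")
    body = info[4:length]
    out = {"code": CHAP_CODES.get(code, f"code {code}"), "id": ident, "length": length}
    if code in (1, 2):                        # Challenge / Response: Value-Size, Value, Name
        size = body[0]
        out["value"] = body[1:1 + size].hex()
        out["name"] = body[1 + size:].decode("ascii", "replace")
    else:                                     # Success / Failure: free-form Message
        out["message"] = body.decode("ascii", "replace")
    return out


def decode_frame(frame: bytes) -> dict:
    proto, info = split_ppp(frame)
    result = {"protocol": PROTOCOL_NAMES.get(proto, f"{proto:#06x}")}
    if proto == 0xC223:
        result.update(decode_chap(info))
    return result


# Hex dumps copied from the PPP log in item 66: CHAP Challenge, Response and Success.
LOG_FRAMES = [
    "c2 23 01 11 00 0d 08 00 00 48 e4 00 04 fc 6c",
    "c2 23 02 11 00 1a 10 ce f1 4c 9f fe 01 a9 85 04 bb 0b 51 e5 17 3e 5e 50 32 38 36 34",
    "c2 23 03 11 00 0b 57 65 6c 63 6f 6d 65",
]


def decode_log(lines=LOG_FRAMES) -> list:
    return [decode_frame(bytes.fromhex(line)) for line in lines]


if __name__ == "__main__":
    for entry in decode_log():
        print(entry)
```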
69. [Screenshot: Security Policy Editor, Security Policy. Authentication (Phase 1); Key Exchange (Phase 2); Use Manual Keys: unchecked; Other Connections; Enable Perfect Forward Secrecy (PFS); PFS Key Group: Diffie-Hellman Group 1; Enable Replay Detection]
10. Expand the Security Policy icon; you will see two icons, Authentication (Phase 1) and Key Exchange (Phase 2).
11. The settings shown in the following two figures for both Phases are our examples. You can choose any, but they should match whatever you enter in the P-202H Plus v2.
[Screenshot: Security Policy Editor (SafeNet), Network Security Policy > ZyWALL > Security Policy > Authentication (Phase 1) > Proposal 1. Authentication Method and Algorithms; SA Life: Seconds 3600]
[Screenshot: Security Policy Editor (SafeNet), Key Exchange (Phase 2) > Proposal 1. SA Life: Seconds 3600; Compression: None; Encapsulation Protocol (ESP); Encrypt Alg: DES; Hash Alg: MD5; Encapsulation: Tunnel]
70. ...        Port Start= 0                  End= N/A
    Remote: Addr Type= SINGLE
            IP Addr Start= 192.168.1.33    End/Subnet Mask= N/A
            Port Start=                    End= N/A
    Enable Replay Detection= No
    Key Management= IKE
    Edit Key Management Setup= No
    Press ENTER to Confirm or ESC to Cancel:
1. Edit the IKE settings by setting the Edit IKE Setup option in Menu 27.1.1 to Yes and then pressing Enter.
2. There are two phases for IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission. Note that any configuration in IKE Setup should be consistent between P-202H Plus v2 A and P-202H Plus v2 B.
    Menu 27.1.1.1 - IKE Setup
    Phase 1
      Negotiation Mode= Main
      Pre-Shared Key= 12345678
      Encryption Algorithm= DES
      Authentication Algorithm= MD5
      SA Life Time (Seconds)= 3600
      Key Group= DH1
    Phase 2
      Active Protocol= ESP
      Encryption Algorithm= DES
      Authentication Algorithm= MD5
      SA Life Time (Seconds)= 3600
      Encapsulation= Tunnel
      Perfect Forward Secrecy (PFS)= None
    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.
3. Troubleshooting
Q: How do we know the above tunnel works?
A: If the connection between PC 1 and PC 2 is OK, we know the tunnel works. Please try to ping from PC 1 to PC 2 or from PC 2 to PC 1. If PC 1 and PC 2 can ping to e
71. ...RAW DATA:
      0000: 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00
      0010: 00 2C 7F 02 40 00 ED 06 85 7D C0 1F 07 82 C0 A8
      0020: 01 02 00 50 04 4F D9 1B 18 26 00 AA 40 5F 60 12
      0030: FA F0 DC EF 00 00 02 04 05 B4
    ras>
2. Trace WAN packet
1.1 Disable capturing the LAN packet by entering: sys trcp channel enet0 none
1.2 Enable capturing the WAN packet by entering: sys trcp channel bri0 bothway
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Wait for a packet to pass through the P-202H Plus v2 over the WAN.
1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off
1.6 Display the trace briefly by entering: sys trcp brief
1.7 Display specific packets by using: sys trcp parse <from_index> <to_index>
Example:
    ras> sys trcp channel enet0 none
    ras> sys trcp channel bri0 bothway
    ras> sys trcl sw on
    ras> sys trcp sw on
    ras> sys trcl sw off
    ras> sys trcp sw off
    ras> sys trcp brief
    1181.540 BRI0-T 0011 PPP VJ Compressed IP 0x002d
    1182.840 BRI0-T 0044 TCP 163.31.239.1:10007 -> 210.67.113.145:80
    1226.450 BRI0-T 0052 TCP 163.31.239.1:10008 -> 210.67.113.145:80
    1226.480 BRI0-R 0048 TCP 210.67.113.145:80 -> 163.31.239.1:10008
    1226.480 BRI0-T 0044 IP Unknown 0x07
    1226.490 BRI0-T 04
72. ...RAW DATA:
      0000: 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00
      0010: 00 30 33 0B 40 00 80 06 3E 71 C0 A8 01 02 C0 1F
      0020: 07 82 04 5C 00 50 00 BD 15 A7 00 00 00 00 70 02
      0030: 20 00 BE C3 00 00 02 04 05 B4 01 01 04 02
    <0001> LAN Frame: ENET0-XMIT  Size: 58/58  Time: 12090.020 sec
    Frame Type: TCP 192.31.7.130:80 -> 192.168.1.2:1116
    Ethernet Header:
      Destination MAC Addr = 0080C84CEA63
      Source MAC Addr      = 00A0C5921311
      Network Type         = 0x0800 (TCP/IP)
    IP Header:
      IP Version      = 4
      Header Length   = 20
      Type of Service = 0x00 (0)
      Total Length    = 0x002C (44)
      Identification  = 0x57F3 (22515)
      Flags           = 0x02
      Fragment Offset = 0x00
      Time to Live    = 0xED (237)
      Protocol        = 0x06 (TCP)
      Header Checksum = 0xAC8C (44172)
      Source IP       = 0xC01F0782 (192.31.7.130)
      Destination IP  = 0xC0A80102 (192.168.1.2)
    TCP Header:
      Source Port      = 0x0050 (80)
      Destination Port = 0x045C (1116)
      Sequence Number  = 0x4AD1B57F (1255257471)
      Ack Number       = 0x00BD15A8 (12391848)
      Header Length    = 24
      Flags            = 0x12 (A S)
      Window Size      = 0xFAF0 (64240)
      Checksum         = 0xF877 (63607)
      Urgent Ptr       = 0x0000 (0)
      Options:
        0000: 02 04 05 B
    RAW DATA:
      0000: 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00
      0010: 00 2C 57 F3 40 00 E
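The RAW DATA block at the top of this item is the complete client SYN (192.168.1.2:1116 to 192.31.7.130:80) that frame <0001> answers. The Python below is an added example, not ZyNOS code: it parses the hex dump that "sys trcp parse" prints into the same Ethernet, IP and TCP fields the trace shows, and additionally recomputes the IP and TCP checksums, which the trace prints but does not verify. The only input is that dump, copied from the page.

```python
"""Parse a P-202H Plus v2 packet-trace RAW DATA dump and verify its checksums (added example)."""
import struct
from ipaddress import IPv4Address

# RAW DATA copied from the trace above: the client's SYN that frame <0001> acknowledges.
RAW_DATA = """
0000: 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00
0010: 00 30 33 0B 40 00 80 06 3E 71 C0 A8 01 02 C0 1F
0020: 07 82 04 5C 00 50 00 BD 15 A7 00 00 00 00 70 02
0030: 20 00 BE C3 00 00 02 04 05 B4 01 01 04 02
"""

# Flag letters in the order the trace prints them, e.g. 0x12 -> "AS".
TCP_FLAG_NAMES = [(0x20, "U"), (0x10, "A"), (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F")]


def parse_raw_data(dump: str) -> bytes:
    """Turn the 'offset: hex bytes' lines of a RAW DATA block into frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, hexbytes = line.partition(":")
        out += bytes.fromhex(hexbytes)
    return bytes(out)


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet, IPv4 and TCP headers into the fields shown in the trace output."""
    eth = {"dst_mac": frame[0:6].hex().upper(), "src_mac": frame[6:12].hex().upper(),
           "network_type": struct.unpack_from("!H", frame, 12)[0]}
    if eth["network_type"] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    ttl, proto = ip[8], ip[9]
    ip_sum = struct.unpack_from("!H", ip, 10)[0]
    src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    # The IP checksum covers the header only, with the checksum field taken as zero.
    ip_ok = checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == ip_sum
    result = {"eth": eth,
              "ip": {"version": ip[0] >> 4, "header_length": ihl, "total_length": total_len,
                     "ttl": ttl, "protocol": proto, "checksum": ip_sum, "checksum_ok": ip_ok,
                     "src": str(src), "dst": str(dst)}}
    if proto == 6:
        seg = ip[ihl:total_len]
        sport, dport, seq, ack = struct.unpack_from("!HHII", seg)
        data_offset = (seg[12] >> 4) * 4
        flags = seg[13]
        window, tcp_sum = struct.unpack_from("!HH", seg, 14)
        # The TCP checksum also covers a pseudo-header: addresses, protocol and TCP length.
        pseudo = src.packed + dst.packed + struct.pack("!BBH", 0, 6, len(seg))
        tcp_ok = checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:]) == tcp_sum
        result["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                         "header_length": data_offset,
                         "flags": "".join(n for bit, n in TCP_FLAG_NAMES if flags & bit),
                         "window": window, "checksum": tcp_sum, "checksum_ok": tcp_ok,
                         "options": seg[20:data_offset].hex()}
    return result


def frame_type(info: dict) -> str:
    """Render the one-line 'Frame Type' summary the trace prints."""
    tcp = info["tcp"]
    return f"TCP {info['ip']['src']}:{tcp['src_port']} -> {info['ip']['dst']}:{tcp['dst_port']}"


if __name__ == "__main__":
    info = parse_frame(parse_raw_data(RAW_DATA))
    print(frame_type(info))
    print("IP checksum ok:", info["ip"]["checksum_ok"], " TCP checksum ok:", info["tcp"]["checksum_ok"])
```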
73. SAs, which are secure channels for data transmission.

Please note that any configuration in IKE Setup should match the settings configured in Sentinel.

Menu 27.1.1.1 - IKE Setup
  Phase 1
    Negotiation Mode= Main
    Pre-Shared Key= 12345678
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)= 33600
    Key Group= DH1
  Phase 2
    Active Protocol= ESP
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)= 28800
    Encapsulation= Tunnel
    Perfect Forward Secrecy (PFS)= None
  Press ENTER to Confirm or ESC to Cancel:

2. Setup Sentinel
1. From the Tool Tray of the Windows system, right-click your SSH Sentinel icon and then choose Run Policy Editor.
  [Screenshot: SSH Sentinel tray menu - Start Policy Manager / Run Policy Editor]
2. Choose Key Management, select My Keys, then press the Add button.
  [Screenshot: SSH Sentinel Policy Editor, Key Management tab - Trusted Policy Servers, Trusted Certificates, Certification Authorities, Remote Hosts (checkpoint certificate); Add / Remove / Properties / View. Description: "The keys that a"]
74. Server 1 with ILA1 (192.168.1.10) to IGA1.
Rule 2: One-to-One type, to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2.
Rule 3: Many-to-One type, to map the other clients to IGA3.
Rule 4: Server type, to map a web server and a mail server with ILA3 (192.168.1.20) to IGA3. Type Server allows us to specify multiple servers of different types to other machines behind NAT on the LAN.

Step 1: In this case we need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore we must choose the Full Feature option from the NAT field in menu 4 or menu 11.3.

Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Pri Phone #= 1234
  Sec Phone #=
  My Login= ChangeMe
  My Password=
  My WAN IP Addr= 0.0.0.0
  NAT= Full Feature
    Address Mapping Set= N/A
  Telco Options:
    Transfer Type= 64K
    Multilink= Off
    Idle Timeout= 100
  Press ENTER to Confirm or ESC to Cancel:

Step 2: Go to menu 15.1 and choose 1 (not 255, SUA) this time to begin configuring this new set. Enter a Set Name, choose the Edit Action and then select 1 from the Select Rule field. Press ENTER to confirm. See the following setup for the four rules in our case.

Rule 1 Setup: Select One-to-One type to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1.

Menu 15.1.1.1 - Rule 1
  Type: One-to-One
  Local IP:
    Start= 192.168.1.10
    En
75. Shared secret and Confirm shared secret fields. Finally, press Finish.
  [Screenshot: Create Preshared Key - Type in the shared secret]
5. Press Apply in the Main menu to save the above settings for later use.
  [Screenshot: SSH Sentinel Policy Editor, Key Management tab - Trusted Policy Servers, Trusted Certificates, Certification Authorities, Remote Hosts, Directory Services, My Keys (host key, checkpoint certificate, ZyWALL); Add / Remove / Properties / View. Description: "The keys that are used for authenticating the local host"]
6. Switch to the Security Policy tab. Choose VPN Connections and then press Add.
  [Screenshot: SSH Sentinel Policy Editor, Security Policy tab - Policy: Default; Pre-IPSec Filter, VPN Connections, Secured Connections, Secured Networks, Default Response, Post-IPSec Filter (Allow all traffic); Add / Remove / Properties / Diagnostics. Descripti]
76. Some answering machines only recognize that the calling party has hung up after a period of silence. In this case, if such an answering machine is attached to the POTS port of the P-202H Plus v2, you need to configure the Hangup Silence Time (sec) in SMT menu 2.1 to determine the silence time period. By doing so, once the P-202H Plus v2 receives busy tones from the switch, it sends the silence tone to the answering machine on POTS in the meantime.

15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European firmware)?
CLIP or CLIR refers to CLID Presented or Restricted. The P-202H Plus v2 can set the CLIP/CLIR bit in the SETUP message to request the switch to include the calling party number or not when the switch sends the SETUP message to the called party. You need to subscribe to it first (see supplemental services).

16. Does the P-202H Plus v2 support MP callback to dial-in users?
No. The P-202H Plus v2 only supports single-link PPP to dial-in users.

17. Does ZyNOS support IRC, RealPlayer, CU-SeeMe and NetMeeting?
Yes. For the details of the settings, please refer to the Tested SUA Applications page.

18. What are the differences between P-202H, P-202H Plus and P-202H Plus v2?
The differences between P-202H, P-202H Plus and P-202H Plus v2 are listed in the following table.

Feature / Model:  P-202H      P-202H Plus   P-202H Plus v2
Ethernet Port:    1 10/100M   4 10/100M
77. TCP 192.31.7.130:80 -> 192.168.1.2:1108
11883.620 ENET0 T 0102 TCP 192.31.7.130:80 -> 192.168.1.2:1108
11883.630 ENET0 T 0054 TCP 192.31.7.130:80 -> 192.168.1.2:1108
11883.630 ENET0 R 0060 TCP 192.168.1.2:1108 -> 192.31.7.130:80
11883.650 ENET0 R 0060 TCP 192.168.1.2:1108 -> 192.31.7.130:80
11883.650 ENET0 R 0062 TCP 192.168.1.2:1109 -> 192.31.7.130:80
ras> sys trcp parse

<0000>
LAN Frame: ENET0 RECV  Size: 62/62  Time: 12089.790 sec
Frame Type: TCP 192.168.1.2:1116 -> 192.31.7.130:80
Ethernet Header:
  Destination MAC Addr = 00A0C5921311
  Source MAC Addr      = 0080C84CEA63
  Network Type         = 0x0800 (TCP/IP)
IP Header:
  IP Version       = 4
  Header Length    = 20
  Type of Service  = 0x00 (0)
  Total Length     = 0x0030 (48)
  Identification   = 0x330B (13067)
  Flags            = 0x02
  Fragment Offset  = 0x00
  Time to Live     = 0x80 (128)
  Protocol         = 0x06 (TCP)
  Header Checksum  = 0x3E71 (15985)
  Source IP        = 0xC0A80102 (192.168.1.2)
  Destination IP   = 0xC01F0782 (192.31.7.130)
TCP Header:
  Source Port      = 0x045C (1116)
  Destination Port = 0x0050 (80)
  Sequence Number  = 0x00BD15A7 (12391847)
  Ack Number       = 0x00000000 (0)
  Header Length    = 28
  Flags            = 0x02 (S)
  Window Size      = 0x2000 (8192)
  Checksum         = 0xBEC3 (48835)
  Urgent Ptr       = 0x0000 (0)
  Options          =
    0000  02 04 05 B4 01 01 04 02
78. There is no need to configure an additional POP3 server in menu 15. Two ports (25 & 110) must be configured in menu 15 to support both SMTP and POP3 services.
2. NetMeeting, RealPlayer, IP/TV and QuickTime are supported.

Configurations
For example, if the workstation running CU-SeeMe has the IP 192.168.1.34, then the default SUA server must be set to 192.168.1.34. The peer CU-SeeMe user can reach this workstation by using the P-202H Plus v2's WAN IP address, which can be obtained from menu 24.1.

Menu 15.2 - NAT Server Setup
  Rule   Start Port No.   End Port No.   IP Address
   1.    Default          Default
  Press ENTER to Confirm or ESC to Cancel:

3. LAN-to-LAN IP Connection
- Introduction
This configuration note explains how to set up two P-202H Plus v2 routers for a LAN-to-LAN connection. Once the connection is established, the workstations on both LANs will be able to run any TCP/IP applications (e.g. FTP, Telnet, etc.). There are three items that you need to set up: the workstations and the two P-202H Plus v2 routers.
- Configuration
  [Figure: LAN1 and LAN2, each behind a P-202H Plus v2]
- Setting up the workstations on both LANs
To set up the workstations, you will need to set the following parameters:
79. Therefore, you cannot use Dial-Up Networking for the CLID callback, since it does not support the CLID callback.

When calling back to a remote node, the outgoing user information (username and password) is configured in menu 11.1 - Remote Node Profile. When calling back to a dial-in user, the outgoing user information is configured in two fields in menu 13: O/G Login and O/G Password.

- Setup the P-202H Plus v2 for calling back to a remote node
- Setup the P-202H Plus v2 for calling back to a dial-in user

Setup the P-202H Plus v2 for calling back to a remote node

Generally, there are several settings that must be checked when using the CLID callback. They are:
- The CLID Authentication setting in menu 13 must be configured as Required or Preferred.
- The Remote CLID setting in menu 11.1 must be entered for the CLID authentication.
- The Callback setting in menu 11.1 must be toggled to Yes.
- The Outgoing user information in menu 11.1 must be entered.
- The Outgoing Phone number in menu 11.1 must be entered.

The following SMT screens only show the main settings of the CLID callback; you can refer to the user's manual or the support note for the other settings.

1. Toggle the CLID Authen option in menu 13 to Required.

Menu 13 - Default Dial-in Setup
  Telco Options:
  IP Address Supplied By:
  CLID Auth
80. Type= SINGLE
    IP Addr Start= 172.21.1.232   End= N/A
    Subnet Mask= N/A
    Port Start=   End= N/A
  Enable Replay Detection= No
  Key Management= IKE
  Edit Key Management Setup= No
  Press ENTER to Confirm or ESC to Cancel:

1. Edit the IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing Enter.
2. There are two phases in IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission.

Please note that any configuration in IKE Setup should match the settings configured in Sentinel.

Menu 27.1.1.1 - IKE Setup
  Phase 1
    Negotiation Mode= Main
    Pre-Shared Key= 12345678
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)=
    Key Group= DH1
  Phase 2
    Active Protocol= ESP
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)= 28800
    Encapsulation= Tunnel
    Perfect Forward Secrecy (PFS)= None
  Press ENTER to Confirm or ESC to Cancel:

Sentinel (Dynamic IP) to P-202H Plus v2 (Static IP) Tunneling

This page guides us through setting up a VPN connection between the Sentinel software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the Sentinel software and the P-202H Plus v2 router. As the figure shown be
81. Type, and enter the P-202H Plus v2's WAN IP address in the following field.

The detailed configuration is shown in the following figure.
  [Screenshot: Security Policy Editor (SafeNet) - Network Security Policy: My Connections / Other Connections; Connection Security: Secure / Non-secure / Block; Remote Party Identity and Addressing: ID Type= IP Address, 202.132.171.33 (WAN IP), Port: All, Protocol: All; Connect using Secure Gateway Tunnel: ZyWALL, ID Type= IP Address]

Pre-Shared Key Settings
6. Expand the P-202H Plus v2 icon; you will see My Identity.
7. Click My Identity, then click the Pre-Shared Key icon on the right side of the window.
8. In the pop-up window, enter a key that you will later also need to configure in the P-202H Plus v2. In this example we enter 12345678. See below.
  [Screenshot: Pre-Shared Key dialog - 12345678]

Security Policy Settings
9. Click the Security Policy option to choose Main Mode as the Phase 1 Negotiation Mode.
  [Screenshot: Security Policy Editor (SafeNet) - Network Security Policy: ZyWALL, My Identity, Security r]
82. VPN Protocol= ESP
    Pre-Shared Key= 12345670
    VPN Setup: Encryption Algorithm= DES, Authentication Algorithm= MD5
    [Advanced]  [Back] [Apply] [Cancel] [Delete]

If you use SMT management, the VPN configuration is as shown below.

Menu 27.1.1 - IPSec Setup
  Index #=   Name= PrestigeA
  Active= Yes   Keep Alive= No
  Local ID type= IP   Content=
  My IP Addr= 202.132.154.1
  Peer ID type= IP   Content=
  Secure Gateway Addr= 168.10.10.66
  Protocol=
  Local:  Addr Type= SINGLE
    IP Addr Start= 202.132.155.33   End= N/A
    Subnet Mask= N/A
    Port Start=   End= N/A
  Remote: Addr Type= SINGLE
    IP Addr Start= 146.130.10.33   End= N/A
    Subnet Mask= N/A
    Port Start=   End= N/A
  Enable Replay Detection= No
  Key Management= IKE
  Edit Key Management Setup= Yes
  Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle.

1. Edit the IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing Enter.
2. There are two phases in IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission.

Note that any configuration in IKE Setup must be consistent on both P-202H Plus v2 A and P-202H Plus v2 B.

Menu 27.1.1.1 - IKE S
83. Version          = 4
  Header Length    = 20
  Type of Service  = 0x00 (0)
  Total Length     = 0x002C (44)
  Identification   = 0x01D3 (467)
  Flags            = 0x02
  Fragment Offset  = 0x00
  Time to Live     = 0x38 (56)
  Protocol         = 0x06 (TCP)
  Header Checksum  = 0x6B03 (27395)
  Source IP        = 0xD2437191 (210.67.113.145)
  Destination IP   = 0xA31FEF01 (163.31.239.1)
TCP Header:
  Source Port      = 0x0050 (80)
  Destination Port = 0x2718 (10008)
  Sequence Number  = 0x7F47963C (2135397948)
  Ack Number       = 0x000D088E (854158)
  Header Length    = 24
  Flags            = 0x12 (A S)
  Window Size      = 0x4470 (17520)
  Checksum         = 0x3829 (14377)
  Urgent Ptr       = 0x0000 (0)
  Options          =
    0000  02 04 05 B
RAW DATA:
0000  FF 03 00 21 45 00 00 2C 01 D3 40 00 38 06 6B 03
0010  D2 43 71 91 A3 1F EF 01 00 50 27 18 7F 47 96 3C
0020  00 0D 08 8E 60 12 44 70 38 29 00 00 02 04 05 B4
ras>

Using TFTP to Upload/Download Firmware and Configuration Files

4. Using TFTP to upload/download ZyNOS via LAN
  o TELNET to your P-202H Plus v2 first, before running the TFTP software.
  o Type the CI command "sys stdio 0" to disable the console idle timeout in Menu 24.8, and stay in Menu 24.8.
  o Run the TFTP client software.
  o Enter the IP address of the P-202H Plus v2.
  o To upload the firmware, save it to the P-202H Plus v2 under the remote file name "ras". After the transfer is complete, the P-202H
84. [Screenshot: IP Security Policy Wizard - Completing the IP Security Policy Wizard. "You have successfully completed specifying the properties for your new IP security policy. To edit your IP security policy now, select the Edit properties check box, and then click Finish." [x] Edit properties. "To close this wizard, click Finish."]

5. A dialog window will come up for you to configure two filter rules for this policy.
  [Screenshot: W2K to ZYWALL Properties - Rules / General tabs. "Security rules for communicating with other computers." IP Security Rules: IP Filter List <Dynamic>, Filter Action: Default Response, Authentication: Kerberos, Tunnel: ... Add / Edit / Remove; [x] Use Add Wizard]

Note: The IPSec policy is created with the default IKE main mode (phase 1) on the General tab. Please check the details by clicking Advanced on this tab.
  [Screenshot: W2K to ZYWALL Tunnel Properties - Rules / General tabs. "IP security policy general properties." Name: W2K to ZYWALL Tunnel; Description; Check for policy changes every 180 minute(s); Key Exchange using these settings: Advanced]

The IPSec tunnel consists of two rules, each of which specifies a tunnel endpoint. Because there are two endpoints, we need two filter rules: one for the direction from PC 1 to PC 2 (the endpoint is the P-202H Plus v2), and the other from PC 2 to PC 1 (endpoi
85. ZyXEL
  match = m, drop = D
  Src:  Source Address
  Dst:  Destination Address
  prot: Protocol (TCP, UDP, ICMP)
  spo:  Source port
  dpo:  Destination port

Example:
Jul 19 14:44:09 192.168.1.1 ZyXEL Communications Corp.: IP[Src=202.132.154.1 Dst=192.168.1.33 UDP spo=0035 dpo=05d4]S03>R01mF
Jul 19 14:44:13 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.33 Dst=202.132.154.1 ICMP]S03>R01mF

4. PPP Log
Format:
  sdcmdSyslogSend(SYSLOG_PPPLOG, SYSLOG_NOTICE, String);
  String = ppp:Proto Starting / ppp:Proto Opening / ppp:Proto Closing / ppp:Proto Shutdown
  Proto  = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP / PAP / IPCP / IPXCP

Example:
Jul 19 11:43:25 192.168.1.1 ZyXEL Communications Corp.: ppp:LCP Starting
Jul 19 11:43:29 192.168.1.1 ZyXEL Communications Corp.: ppp:IPCP Starting
Jul 19 11:43:34 192.168.1.1 ZyXEL Communications Corp.: ppp:CCP Starting
Jul 19 11:43:38 192.168.1.1 ZyXEL Communications Corp.: ppp:BACP Starting
Jul 19 11:43:43 192.168.1.1 ZyXEL Communications Corp.: ppp:IPCP Opening
Jul 19 11:43:51 192.168.1.1 ZyXEL Communications Corp.: ppp:CCP Op
Jul 19 11:43:55 192.168.1.1 ZyXEL Communications Corp.:
Jul 19 11:44:00 192.168.1.1 ZyXEL Communications Corp.:
Jul 19 11:44:05 192.168.1.1 ZyXEL Communications Corp.:
Jul 19 11:44:09 192.168.1.1 ZyXEL Communications Corp.:
Jul 19 11:44:14 192.168.1.1 ZyXEL Communications Corp.:

5. POTS Log
Format:
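A small parser for the packet-filter log lines shown above, added here as an example (this is not ZyNOS code or a ZyXEL tool). The bracketed layout `IP[Src=... Dst=... UDP spo=.... dpo=....]S03>R01mF` is an assumption reconstructed from the flattened example in these notes, and so is reading the letters after the rule number as a code in which the notes define only m (match) and D (drop). The third sample line is constructed to show a drop; the fourth is a PPP log line the parser must ignore.

```python
# Added example (not ZyNOS code): parse ZyNOS packet-filter syslog lines and summarise
# dropped traffic per source address. The "IP[...]Sxx>Ryy<flags>" layout and the meaning
# of letters other than m (match) and D (drop) are assumptions, not taken from the notes.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

FILTER_LOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ZyXEL Communications Corp\.: "
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<prot>TCP|UDP|ICMP)"
    r"(?: spo=(?P<spo>[0-9a-fA-F]{4}) dpo=(?P<dpo>[0-9a-fA-F]{4}))?\]"
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<flags>[A-Za-z]+)$"
)


@dataclass
class FilterEvent:
    timestamp: str
    host: str
    src: str
    dst: str
    prot: str
    spo: Optional[int]      # ports are logged as 4 hex digits; None for ICMP
    dpo: Optional[int]
    filter_set: int         # the S03 part: filter set number
    rule: int               # the R01 part: rule number inside the set
    matched: bool           # 'm' in the trailing code
    dropped: bool           # 'D' in the trailing code


def parse_filter_log(line: str) -> Optional[FilterEvent]:
    """Return a FilterEvent for a packet-filter line, or None for any other syslog line (e.g. PPP log)."""
    m = FILTER_LOG.match(line.strip())
    if not m:
        return None
    return FilterEvent(
        timestamp=m["ts"], host=m["host"], src=m["src"], dst=m["dst"], prot=m["prot"],
        spo=int(m["spo"], 16) if m["spo"] else None,
        dpo=int(m["dpo"], 16) if m["dpo"] else None,
        filter_set=int(m["set"]), rule=int(m["rule"]),
        matched="m" in m["flags"], dropped="D" in m["flags"],
    )


def dropped_by_source(lines) -> Counter:
    """Count dropped packets per source IP: the quickest way to see which LAN host a filter is hitting."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_filter_log(line)
        if ev and ev.dropped:
            counts[ev.src] += 1
    return counts


# Sample lines: the first two are the example from these notes (re-punctuated as described),
# the third is constructed to show a drop, the fourth is a PPP log line that is not a filter event.
SAMPLE_LINES = [
    "Jul 19 14:44:09 192.168.1.1 ZyXEL Communications Corp.: IP[Src=202.132.154.1 Dst=192.168.1.33 UDP spo=0035 dpo=05d4]S03>R01mF",
    "Jul 19 14:44:13 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.33 Dst=202.132.154.1 ICMP]S03>R01mF",
    "Jul 19 14:44:20 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.5 Dst=202.132.154.1 TCP spo=0412 dpo=0050]S01>R01mD",
    "Jul 19 11:43:25 192.168.1.1 ZyXEL Communications Corp.: ppp:LCP Starting",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_filter_log(line))
    print(dropped_by_source(SAMPLE_LINES))
```

Ports come out as integers (0035 is DNS, 05d4 is 1492), which makes the events directly comparable with the port numbers used in SMT filter rules.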
86. Create Preshared Key: type in the shared secret.
  [Screenshot: Create Preshared Key dialog]
5. Press Apply in the Main menu to save the above settings for later use.
  [Screenshot: SSH Sentinel Policy Editor, Key Management tab - Trusted Policy Servers, Trusted Certificates, Certification Authorities, Remote Hosts, Directory Services, My Keys (host key, checkpoint certificate, ZyWALL); Add / Remove / Properties / View. Description: "The keys that are used for authenticating the local host"]
6. Switch to the Security Policy tab. Choose VPN Connections and then press Add.
  [Screenshot: SSH Sentinel Policy Editor, Security Policy tab - Policy: Default; Pre-IPSec Filter, VPN Connections, Secured Connections, Secured Networks, Default Response, Post-IPSec Filter (Allow all traffic); Add / Remove / Properties / Diagnostics. Description: "A virtual private network is created when the local host establishes an IPSec-protected connection to a remote private network through a sec"]
87. capability by:
  P-202H Plus v2> isdn fw ana on
4. Manually dial to remote node N:
  P-202H Plus v2> dev dial N
  (N is the node number in Menu 11.)
5. Wait for all progress messages and manually drop the call:
  P-202H Plus v2> dev channel drop bri0|bri1|all
  (bri0 for the B1 channel, bri1 for the B2 channel, all for all channels.)
6. Turn off the EPA by:
  P-202H Plus v2> isdn fw ana off
7. Dump the EPA by:
  P-202H Plus v2> isdn fw ana disp
The trace appears on the screen as in the following example. Please use PageUp and PageDown to browse the EPA trace.

Example:
P-202H Plus v2> isdn fw ana on
P-202H Plus v2> dev dial 1
Start dialing for node <hinet>
Hit any key to continue.
DIALING dev=2 ch=0
OUTGOING-CALL phone(4125678)
CALL CONNECT speed<64000> type<2> chan<0>
LCP opened
PAP sending user/pswd
IPCP negotiation started
CCP stopped
BACP stopped
IPCP opened
P-202H Plus v2> dev chann drop all
P-202H Plus v2> isdn fw ana off
P-202H Plus v2> isdn fw ana disp
00:00:01.18  8 bytes  LAPD  D  NT  C  SAPI=63  TEI=127  UI  P=0
  00001111  Layer management
  00000000  Reference Number (MSB)
  00000000  Reference Number (LSB)
  00000100  Message Type: Identity check request
  1000000.  Action indicator 64
  .......1  Extension bit: final octet
88. default configuration file ............................ 404
Reference ................................................ 406
  1. ISDN Disconnection Cause ............................ 406
  2. (title illegible) ................................... 408
  3. Port Numbers ........................................ 421
  4. Protocol Numbers .................................... 424
  5. (title illegible) ................................... 427

FAQ

ZyNOS FAQ

1. What is ZyNOS?
ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all P-202H Plus v2 routers that delivers network services and applications. It is designed in a modular fashion, so it is easy for developers to add new features. New ZyNOS software upgrades can be downloaded from our FTP sites as they become available.

2. How do I access the P-202H Plus v2 SMT menu?
The SMT interface is a menu-driven interface which can be accessed via an RS-232 console or a Telnet connection. To access the P-202H Plus v2 via the SMT console port, a computer equipped with communication software such as HyperTerminal must be configured with the following parameters:
  - VT100 terminal emulation
  - 9600 bps baud rate
  - N81 data format (No Parity, 8 data bits, 1 stop bit)
The default console port baud rate is 9600 bps. You can change it to 115200 bps in Menu 24.2.2 to speed up access to the SMT.

3. What data compression protocol does the P
89. - Active: Turn Active to Yes.
- Offset (in bytes): Set to 6. The source MAC address starts at the 7th octet, so we need to skip the first six octets, which hold the destination MAC address.
- Length (in bytes): Set to 6, since a MAC address has 6 octets.
- Mask (in hexadecimal): Specify the value with which the P-202H Plus v2 will logically qualify (logical AND) the data in the packet. Since the Length is set to 6 octets, the Mask must be 12 hexadecimal digits. In this case we intend to set it to ffffffffffff to mask the incoming source MAC address 00:80:c8:4c:ea:63.
- Value (in hexadecimal): Specify the MAC address (00:80:c8:4c:ea:63) that the P-202H Plus v2 should compare with the masked packet. If the result from the masked packet equals the Value, the packet is considered matched.
- Action Matched: Enter the action you want if the masked packet matches the Value. In this case we will drop it.
- Action Not Matched: Enter the action you want if the masked packet does not match the Value. In this case we will forward it.

If you want to configure more rules, select Check Next Rule to start configuring the next rule. However, please note that the Filter Type must also be Generic Filter Rule and not another type, because Generic and TCP/IP/IPX filter rules must be in different filter sets.
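The Offset/Length/Mask/Value comparison described above, re-implemented so a rule can be checked against captured frames before it is applied on the router. This is an added example, not ZyNOS code or a ZyXEL tool; the two frames are the first 16 bytes of the LAN frames shown in the trace earlier in these notes, and the OUI rule at the end is a generalization of the single-MAC rule in the text (mask only the first three octets so a whole vendor prefix matches), not something the notes themselves configure.

```python
# Added example (not ZyNOS code): re-implements the Generic Filter Rule comparison
# (Offset / Length / Mask / Value / Action Matched / Action Not Matched) so a rule can be
# checked against captured LAN frames before it is entered in the SMT.
from dataclasses import dataclass


@dataclass(frozen=True)
class GenericFilterRule:
    offset: int                  # Offset (in bytes): bytes skipped from the start of the frame
    length: int                  # Length (in bytes): number of bytes compared
    mask: str                    # Mask (in hexadecimal): Length*2 hex digits, ANDed with the frame bytes
    value: str                   # Value (in hexadecimal): Length*2 hex digits compared with the masked bytes
    action_matched: str = "drop"
    action_not_matched: str = "forward"

    def __post_init__(self):
        # The SMT expects exactly Length*2 hex digits in both fields; reject anything else early.
        for field in (self.mask, self.value):
            if len(field) != self.length * 2:
                raise ValueError("Mask and Value must be exactly Length*2 hex digits")
            int(field, 16)  # raises ValueError on a non-hex character


def apply_rule(rule: GenericFilterRule, frame: bytes) -> tuple:
    """Return (matched, action) for one frame.

    A frame too short to contain the compared bytes cannot match and takes
    Action Not Matched, so a rule never drops frames by accident on underflow.
    """
    if len(frame) < rule.offset + rule.length:
        return False, rule.action_not_matched
    window = int.from_bytes(frame[rule.offset:rule.offset + rule.length], "big")
    mask = int(rule.mask, 16)
    matched = (window & mask) == (int(rule.value, 16) & mask)
    return matched, rule.action_matched if matched else rule.action_not_matched


def filter_frames(rule: GenericFilterRule, frames) -> list:
    """Apply one rule to a capture and return the per-frame actions, in order."""
    return [apply_rule(rule, f)[1] for f in frames]


# Ethernet header layout: destination MAC (octets 0-5), source MAC (6-11), type (12-13).
# The rule from the text: Offset 6, Length 6, Mask ffffffffffff, Value 00:80:c8:4c:ea:63.
BLOCK_ONE_MAC = GenericFilterRule(offset=6, length=6, mask="ffffffffffff", value="0080c84cea63")

# Generalization (not in the text): mask only the first three octets so every station
# whose MAC begins with the prefix 00:a0:c5 matches.
BLOCK_OUI = GenericFilterRule(offset=6, length=6, mask="ffffff000000", value="00a0c5000000")

# First 16 bytes of the two LAN frames from the trace in these notes:
# destination MAC, source MAC, Ethernet type 0x0800, start of the IP header.
FRAME_FROM_CLIENT = bytes.fromhex("00a0c5921311" "0080c84cea63" "0800" "4500")  # sent by 00:80:c8:4c:ea:63
FRAME_TO_CLIENT = bytes.fromhex("0080c84cea63" "00a0c5921311" "0800" "4500")    # sent by 00:a0:c5:92:13:11

if __name__ == "__main__":
    for name, frame in (("from client", FRAME_FROM_CLIENT), ("to client", FRAME_TO_CLIENT)):
        print(f"{name}: single-MAC rule -> {apply_rule(BLOCK_ONE_MAC, frame)[1]}, "
              f"OUI rule -> {apply_rule(BLOCK_OUI, frame)[1]}")
```

Running it shows the frame sent by the client MAC is dropped by the single-MAC rule while the frame addressed to it is forwarded, which is the behaviour the text expects when the rule is applied to the Input Filter Sets of Menu 3.1.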
90. follows:
  a. Enter debug mode when powering on the P-202H Plus v2, using a terminal emulator.
  b. Enter ATURS to start the upload.
  c. Use the X-modem protocol to transfer the configuration file.
  d. Enter ATGO to restart the P-202H Plus v2.
- The procedure for uploading the configuration file using a TFTP client program via LAN is as follows:
  a. Use the TELNET client program on your PC to log in to your P-202H Plus v2.
  b. Enter the CI command "sys stdio 0" in menu 24.8 to disable the console idle timeout.
  c. Start the TFTP client program and enter the P-202H Plus v2's IP address.
  d. To upload the configuration file, put the local configuration file to the P-202H Plus v2 under the remote file name "rom-0".

Reference

1. ISDN Disconnection Cause
The source of these ISDN causes is ETS 300 102-1 Annex G. You can download the complete ETS 300 102-1 standard (the layer 3 basic call control) from www.etsi.org.

Normal Class
Code  Disconnection Cause
1     Unallocated
2     No route to specified transit network
3     No route to destination
6     Channel unacceptable
7     Call awarded and being delivered in an established channel
16    Normal call clearing
17    User busy
18    No user responding
19    No answer from user (user alerted)
21    C
91. for this access code. The second is with the phone flash commands, where you pick up the handset and press the flash key before dialing the following:

Command              Meaning
20 forward number    Activate CFB (Call Forwarding Busy)
21 forward number    Activate CFU (Call Forwarding Unconditional)
22 forward number    Activate CFNR (Call Forwarding No Reply)
20                   Deactivate CFB
21                   Deactivate CFU
22                   Deactivate CFNR

12. How do I suspend/resume a phone call (terminal portability)?
The Terminal Portability service allows you to suspend a phone call temporarily. You can then resume this call later at another location if you so wish.
To suspend an active phone call:
  - Press the flash key twice.
  - Dial 3n, where n is any number from 1 to 9.
To resume your phone call:
  - Reconnect at an ISDN telephone that is linked to the same S/T interface (Network Terminator 1, NT1) where you suspended the call.
  - Pick up the handset and press the Flash key.
  - Dial 3n, where n is any number from 1 to 9 but must be identical to the one used above.

13. What is reminder ring?
The P-202H Plus v2 sends a single short ring to your telephone every time a call has been forwarded (US switches only).

14. Why doesn't my answering machine on the POTS port stop recording?
Most answering machines stop recording when a busy tone is detected. But some may not
92. if any. Protocol field values in the 4xxx to 7xxx range are used for protocols with low-volume traffic which have no associated NCP. Protocol field values in the cxxx to exxx range identify datagrams as Control Protocols (such as LCP).

- PPP LCP AND IPCP CODES
The Point-to-Point Protocol (PPP) Link Control Protocol (LCP), the Compression Control Protocol (CCP), the Internet Protocol Control Protocol (IPCP) and other control protocols contain an 8-bit Code field which identifies the type of packet. These Codes are assigned as follows:

Code  Packet Type
0     Vendor Specific (RFC 2153)
1     Configure-Request
2     Configure-Ack
3     Configure-Nak
4     Configure-Reject
5     Terminate-Request
6     Terminate-Ack
7     Code-Reject
8     Protocol-Reject
9     Echo-Request (LCP only)
10    Echo-Reply (LCP only)
11    Discard-Request (LCP only)
12    Identification
13    Time-Remaining
14    Reset-Request (RFC 1962) (CCP only)
15    Reset-Reply (RFC 1962) (CCP only)

- PPP LCP CONFIGURATION OPTION TYPES
The Point-to-Point Protocol (PPP) Link Control Protocol (LCP) specifies a number of Configuration Options which are distinguished by an 8-bit Type field. These Types are assigned as follows:

Type  Configuration Option
0     Vendor Specific (RFC 2153)
1     Maximum-Receive-Unit
2     Async-Control-Character-Map
N
93. ip route errcnt: IP route error counters
sys filter disp: display filter statistic counters
sys filter clear: clear filter statistic counters

IP Routing problem causes
An IP packet for a LAN destination should be routed to the LAN interface (enif0) in the P-202H Plus v2, and an IP packet for a remote node destination should be sent to the WAN interface if the connection is up; otherwise the packet will trigger an outcall to that remote node (if the remote node is not set to incoming only in Call Direction). If a packet cannot be routed or cannot trigger a call to a remote node, the reason may be:
- a routing table problem
- the packet has been filtered
- the outcall cannot be triggered, or the outcall failed for one of the reasons stated in the previous chapter (incoming-only remote node, Black List, Call Budget, or PPP negotiation failed)

Steps to verify an IP routing problem:
1. Check if there is any routing error: ip route errcnt disp
2. Check if the counter of the specified route increased: ip route status
3. Check if any filter counter increased: sys filter disp
4. Check if there is any LAN or WAN problem; refer to the sections LAN or WAN connection.

<Example>
1. Clear the error counters and display them to verify all counters are 0.
P2864> ip route errcnt cl
P2864> ip route errcnt dis
94. is no way to establish a VPN connection at all.

1. Setup P-202H Plus v2
1. Log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1; the default password for the web configurator is 1234.
2. Click Advanced and click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE IKE menu, check the Active check box and give a name to this policy.
5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in NETSCREEN.
6. Source IP Address Start and Source IP Address End are PC 1's IP in this example. If a range of IPs is used, enter the start IP and the end IP, for example 192.168.1.33 to 192.168.1.35.
7. Destination IP Address Start and Destination IP Address End are PC 2's IP in this example (the secure remote host).
8. My IP Addr is the WAN IP of the P-202H Plus v2.
9. Secure Gateway IP Addr is the remote secure gateway IP, that is, the NETSCREEN WAN IP in this example.
10. Set Encapsulation Mode to Tunnel.
11. Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in NETSCREEN.
13. Enter the key string 12345678 in the Preshared Key text box and click Apply.
  [Screenshot: ZyXEL web configurator - IPSec setup screen]
95. means that you configured your P-202H Plus v2 Menu 3.2 as 192.68.135.183 but the ISP thinks you should be 204.247.1.1. The P-202H Plus v2 dropped the call for you because, even if the call is up, your network will still be unable to talk to the Internet.
TRY:
1. If you have a class C network of 204.247.1.0/24, then you should change your Menu 3.2 to use that address.
2. If you have only one IP address (204.247.1.1/32), then you should configure your P-202H Plus v2 to enable Single User Account (SUA). For more information on how to configure SUA, please refer to the application note.

ISDN protocol mismatch
Dialing chan<1> phone(last 9-digit):40201
Hit any key to continue.
Call CONNECT speed<64000> chan<1> prot<1>
You see the call connected but nothing else after that. After a while it says "Line down". This could be because of a low-level protocol mismatch. Let's say you use 64K to dial into an X.75- or V.120-only router.
TRY: Contact your ISP and make sure they use the Clear Channel ISDN protocol, or change your Telco option to X.75 or V.120 (for DSS1 or 1TR6 only).

Disconnect by far end
Dialing chan<1> phone(last 9-digit):40201
Hit any key to continue.
Call CONNECT speed<64000> chan<1> prot<1>
LCP up
CHAP send response
CHAP login to remote OK
IPCP negoti
96. packet that is triggering the call, he can design the filter rule based on this information. Otherwise, he can look at SMT Menu 24.1 to see exactly which packet triggers the outgoing call. The "LAN Packet Which Triggered Last Call" status in Menu 24.1 shows the packet that triggered the call. A display of the packet header is shown next.

LAN Packet Which Triggered Last Call: (Type: IP)
45 00 00 2E CA 0E 40 00 1F 06 D7 09 CC F7 CB B4 CC D9 00 02 04 1C 00 15 00 33 2D 5E 55 80 B5 C0 50 18 1F 9B E7 D4 00 00 50 41 53 56 0D 0A

We list the IP, UDP and TCP headers so that you know more about the format of the IP packet and IPX packet shown in Menu 24.1, for easy configuration of a filter rule.

IP Header
 0                                  15 16                                 31
| 4-bit version | 4-bit header length | 8-bit type of service (TOS) | 16-bit total length (in bytes) |
| 16-bit identification                                              | 3-bit flags | 13-bit fragment offset |
| 8-bit time to live (TTL)            | 8-bit protocol              | 16-bit header checksum         |
| 32-bit source IP address                                                                             |
| 32-bit destination IP address                                                                        |
| Options (if any)                                                                                     |
| Data                                                                                                 |

UDP Header
 0                                  15 16                                 31
| 16-bit source port number            | 16-bit destination port number     |
| 16-bit UDP length                    | 16-bit UDP checksum                |
| Data (if any)                                                             |

TCP Header
 0                                  15 16                                 31
| 16-bit source port number            | 16-bit destination port number     |
| 32-bit sequence number                                                    |
| 32-bit acknowledgment number                                              |
| 4-bit header length | reserved | U A P R S F | 16-bit window size          |
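A decoder for the Menu 24.1 packet dump using exactly the IP, UDP and TCP header layouts listed above, added here as an example (this is not ZyNOS code or a ZyXEL tool). The hex is the "LAN Packet Which Triggered Last Call" shown in these notes; the DNS query at the end is constructed only to exercise the UDP branch. Decoding the dump this way gives the protocol, addresses and ports a filter rule in Menu 21 is written against, without reading them off by hand.

```python
# Added example (not ZyNOS code): decode the "LAN Packet Which Triggered Last Call" bytes from
# Menu 24.1 with the IP / UDP / TCP header layouts given in these notes, so the trigger can be
# described in the terms a filter rule needs (protocol, addresses, ports).
import struct
from ipaddress import IPv4Address

# The packet dump from these notes (bytes.fromhex ignores the spaces).
TRIGGER_HEX = (
    "45 00 00 2E CA 0E 40 00 1F 06 D7 09 CC F7 CB B4 CC D9 00 02 "
    "04 1C 00 15 00 33 2D 5E 55 80 B5 C0 50 18 1F 9B E7 D4 00 00 "
    "50 41 53 56 0D 0A"
)
TCP_FLAG_NAMES = ("F", "S", "R", "P", "A", "U")   # FIN, SYN, RST, PSH, ACK, URG: bits 0..5


def parse_udp(seg: bytes) -> dict:
    """UDP header: 16-bit source port, destination port, length, checksum, then data."""
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum, "data": seg[8:]}


def parse_tcp(seg: bytes) -> dict:
    """TCP header: ports, 32-bit seq/ack, 4-bit header length, flag bits, window, checksum, urgent ptr."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hdr_len = (off_res >> 4) * 4                     # data offset is counted in 32-bit words
    if hdr_len < 20 or len(seg) < hdr_len:
        raise ValueError("invalid TCP header length")
    names = "".join(n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i))
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_length": hdr_len,
            "flags": flags, "flag_names": names, "window": window, "checksum": csum,
            "urgent": urg, "data": seg[hdr_len:]}


def parse_ip(packet: bytes) -> dict:
    """IPv4 header per the layout above; TCP (6) and UDP (17) payloads are decoded further."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hdr_len < 20 or len(packet) < hdr_len:
        raise ValueError("not an IPv4 packet with a complete header")
    payload = packet[hdr_len:min(total_len, len(packet))]
    hdr = {"version": version, "header_length": hdr_len, "tos": tos, "total_length": total_len,
           "identification": ident, "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
           "ttl": ttl, "protocol": proto, "checksum": csum,
           "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}
    if proto == 6:
        hdr["tcp"] = parse_tcp(payload)
    elif proto == 17:
        hdr["udp"] = parse_udp(payload)
    return hdr


def describe(packet: bytes) -> str:
    """One-line summary in the form a filter rule is written against."""
    ip = parse_ip(packet)
    if "tcp" in ip:
        t = ip["tcp"]
        return (f"TCP {ip['src']}:{t['sport']} -> {ip['dst']}:{t['dport']} "
                f"[{t['flag_names']}] {len(t['data'])} bytes data")
    if "udp" in ip:
        u = ip["udp"]
        return f"UDP {ip['src']}:{u['sport']} -> {ip['dst']}:{u['dport']} {len(u['data'])} bytes data"
    return f"IP proto {ip['protocol']} {ip['src']} -> {ip['dst']}"


TRIGGER_PACKET = bytes.fromhex(TRIGGER_HEX)
# Constructed (not from the notes): a minimal DNS query 192.168.1.2:1024 -> 192.168.1.1:53, no payload.
CONSTRUCTED_DNS_QUERY = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
    IPv4Address("192.168.1.2").packed, IPv4Address("192.168.1.1").packed,
) + struct.pack("!HHHH", 1024, 53, 8, 0)

if __name__ == "__main__":
    print(describe(TRIGGER_PACKET))
    print(describe(CONSTRUCTED_DNS_QUERY))
```

On the dump from the notes the decoder reports a TCP segment from 204.247.203.180 port 1052 to 204.217.0.2 port 21 with PSH and ACK set and a 6-byte payload, which is an FTP control command; a call filter on destination port 21 would therefore be the natural rule if that traffic should not bring the line up.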
97. ...the default password to login to the web configurator is 1234. Click Advanced and click the VPN tab on the left. On the SUMMARY menu, select a policy to edit by clicking Edit. On the CONFIGURE-IKE menu, check the Active check box and give a name to this policy. 5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in the SonicWALL. 6. Source IP Address Start and Source IP Address End are PC 1's IP in this example (the secure host behind the P-202H Plus v2). 7. Destination IP Address Start and Destination IP Address End are PC 2's IP in this example (the secure remote host). 8. My IP Addr is the WAN IP of the P-202H Plus v2. 9. Secure Gateway IP Addr is the remote secure gateway IP, that is, the SonicWALL WAN IP in this example. 10. Select Encapsulation Mode to Tunnel. 11. Check the ESP check box (AH cannot be used in the SUA/NAT case). 12. Select Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in the SonicWALL. 13. Enter the key string 12345678 in the Preshared Key text box and click Apply. See the screen shot. [Screen shot: web configurator IPSec Setup page: Active checked, Keep Alive, Name "Prestige", IPSec Key Mode IKE, Negotiation Mode Main, Local Address Type Single.] Note that DES, MD5 and the key 12345678 are only the values of this example: both sides must match, but where both gateways also offer 3DES (this device does) and SHA1, those are the stronger choice, and the pre-shared key should be long and random rather than a short digit string.
98. ...(previous ZyNOS routers supported only the SUA option). In today's routers: Many-to-Many Overload: in Many-to-Many Overload mode, the P-202H Plus v2 maps multiple ILAs (inside local addresses) to shared IGAs (inside global addresses). Many-to-Many No Overload: in Many-to-Many No Overload mode, the P-202H Plus v2 maps each ILA to a unique IGA. Server: in Server mode, the P-202H Plus v2 maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note: if you want to map each server to one unique IGA, please use the One-to-One mode. The following table summarizes these types:
    NAT Type                  IP Mapping
    One-to-One                ILA1 <-> IGA1
    Many-to-One (SUA/PAT)     ILA1 <-> IGA1, ILA2 <-> IGA1, ...
    Many-to-Many Overload     ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA1, ILA4 <-> IGA2, ...
    Many-to-Many No Overload  ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA3, ...
    Server                    Server 1 IP <-> IGA1, Server 2 IP <-> IGA1
SUA Versus NAT: SUA (Single User Account), in previous ZyNOS versions, is a NAT set with 2 rules: Many-to-One and Server. The P-202H Plus v2 now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers. With multiple global IP addresses, multiple servers of the same type (e.g. FTP servers) are allowed on the LAN for o
99. ...settings, you are ready to make a test of this connection from Menu 24.4, option 5 (Manual Call), by entering the node number.
    Menu 24.4 - System Maintenance - Diagnostic
    ISDN                              System
      1. Hang Up B1 Call                21. Reboot System
      2. Hang Up B2 Call                22. Command Mode
      3. Reset ISDN
      4. ISDN Connection Test
      5. Manual Call
    TCP/IP
      11. Internet Setup Test
      12. Ping Host
    Enter Menu Selection Number:
    Manual Call Remote Node= N/A
    Host IP Address= N/A
Configuring for Cisco Mutual Authentication. Introduction: This configuration note explains what other settings you need to pay attention to when configuring the P-202H Plus v2 to talk to a Cisco router. Due to Cisco's authentication scheme, you need to configure some additional fields in the P-202H Plus v2 when talking to a Cisco device. There are two things you must pay attention to: the first is Cisco's mutual authentication scheme, and the second is their interpretation of CHAP. Configuration: If the Cisco router requests PAP, you have to configure more settings in Menu 13 as follows:
    Menu 13 - Default Dial-in Setup
    Telco Options:                        IP Address Supplied By:
      CLID Authen= None                     Dial-in User= Yes
                                            IP Pool= No
    PPP Options:                            IP Start Addr= N/A
      Recv Authen= CHAP/PAP                 IP Count(1,4)= N/A
      Compression= Yes
      Mutual Authen= Yes                  Session Options:
      O/G Username= test                    Edit Filter Sets= No
      O/G Password=
100. ...Check the ESP check box (AH cannot be used in the SUA/NAT case). 12. Select Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in P-202H Plus v2 A. 13. Enter the key string 12345678 in the Preshared Key text box and click Apply. See the screen shot. [Screen shot: web configurator IPSec Setup page for rule PrestigeB: Active checked, IPSec Key Mode IKE, Negotiation Mode Main, Local Address Type Single Address (Start Address = PC 1's IP, End Address 0.0.0.0), Remote Address Type Single Address (Start Address = PC 2's IP, End Address 0.0.0.0), My IP Address = WAN IP of A, Secure Gateway IP Address = WAN IP of B, Encapsulation Mode Tunnel, VPN Protocol ESP, Pre-Shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm MD5.] If you use SMT management, the VPN configuration is as shown below:
    Menu 27.1.1 - IPSec Setup
    Index=               Name= PrestigeB
    Active= Yes          Keep Alive= No
    Local ID type= IP    Content=
    My IP Addr= 168.10.10.66
    Peer ID type= IP     Content=
101. ...the most extensible and complete network security solution. IPSec, which is based on modern cryptographic technologies, enables end-to-end security so that every single piece of information sent to or from a computer can be secured. It can also be deployed inside a network to form Virtual Private Networks (VPNs), where two distinct and disparate networks become one by connecting them with a tunnel secured by IPSec. Tunnel mode: IPSec in tunnel mode is normally used when the ultimate destination of the packet is different from the security termination point. We introduce two tunnel mode examples: Secure Gateway to Secure Gateway; P-202H Plus v2 to P-202H Plus v2 Tunneling (Setup P-202H Plus v2 A, Setup P-202H Plus v2 B, Troubleshooting, View Log). This page guides us to set up a VPN connection between two P-202H Plus v2 routers. Please note that in addition to P-202H Plus v2 to P-202H Plus v2, the P-202H Plus v2 can also talk to other VPN hardware. The tested VPN hardware is shown below: Cisco 1720 Router, IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES; NetScreen-5, ScreenOS 2.6.0r6; SonicWALL SOHO 2; WatchGuard Firebox II; ZyXEL VPN solutions; Avaya VPN; Netopia VPN; III VPN. As the figure shown below, the tunnel between P-202H Plus v2 1 and P-202H Plus v2 2 ensures the packets flowing between PC 1 and PC 2 are secure. Because
102. ...
    00:00:03.29   4 bytes  LAPD D TE R SAPI=0 TEI=97 RR P/F=0 NR=1
    00:00:03.59  11 bytes  LAPD D NT C SAPI=0 TEI=97 INFO P=0 NR=1 NS=1
         3 bytes  Layer 3: Dest-> CallRef=1 PD=Q.931 ALERTING
           1  00110100  INFORMATION ELEMENT: Signal
           2  00000001  IE length: 1 byte
           3  01000000  Signal Value: alerting on - pattern 0
    00:00:03.59   4 bytes  LAPD D TE R SAPI=0 TEI=97 RR P/F=0 NR=2
    00:00:03.61  23 bytes  LAPD D NT C SAPI=0 TEI=97 INFO P=0 NR=1 NS=2
        15 bytes  Layer 3: Dest-> CallRef=1 PD=Q.931 CONNECT
              00110100  INFORMATION ELEMENT: Signal
              00000001  IE length: 1 byte
              00111111  Signal Value: tones off
              01001100  INFORMATION ELEMENT: Connected Number
              00001010  IE length: 10 bytes
              ***       Unknown IE content: 0x21 0x83 0x33 0x34 0x31
                        Unknown IE content: 0x32 0x35 0x36 0x37 0x38
    00:00:03.62   4 bytes  LAPD D TE R SAPI=0 TEI=97 RR P/F=0 NR=3
    00:00:03.63   8 bytes  LAPD D TE C SAPI=0 TEI=97 INFO P=0 NR=3 NS=1
         0 bytes  Layer 3: Orig-> CallRef=1 PD=Q.931 CONNECT ACK
    00:00:03.63   4 bytes  LAPD D NT R SAPI=0 TEI=97 RR P/F=0 NR=2
    00:00:12.61  12 bytes  LAPD D TE C SAPI=0 TEI=97 INFO P=0 NR=3 NS=2
         4 bytes  Layer 3: Orig-> CallRef=1 PD=Q.931 DISCONNECT
           1  00001000  INFORMATION ELEMENT: Cause
           2  00000010  IE length: 2 bytes
           3  1-------  Extension bit: not continued
              -00-----  Coding standard: CCITT coding standard
              ---0----  Spare
              ----0000  Location: user
           4  1-------  Extension bit: not continued
              -0010000  Cause Value: normal call clearing
    00:00:12.62   4 bytes  LAPD
103. ...
    ...0855.790  ENET0  T  0141  TCP  192.31.7.130:80 -> 192.168.1.2:1102
    10855.800  ENET0  R  0060  TCP  192.168.1.2:1102 -> 192.31.7.130:80
    10855.810  ENET0  R  0062  TCP  192.168.1.2:1103 -> 192.31.7.130:80
    10855.840  ENET0  R  0062  TCP  192.168.1.2:1104 -> 192.31.7.130:80
    10856.020  ENET0  T  0054  TCP  192.31.7.130:80 -> 192.168.1.2:1102
    10856.030  ENET0  T  0058  TCP  192.31.7.130:80 -> 192.168.1.2:1103
    10856.040  ENET0  R  0060  TCP  192.168.1.2:1103 -> 192.31.7.130:80
    ras> sys trcp parse 5 5
    LAN Frame: ENET0-XMIT  Size: 58/58  Time: 10856.030 sec
    Frame Type: TCP 192.31.7.130:80 -> 192.168.1.2:1103
    Ethernet Header:
      Destination MAC Addr = 0080C84CEA63
      Source MAC Addr      = 00A0C5921311
      Network Type         = 0x0800 (TCP/IP)
    IP Header:
      IP Version      = 4
      Header Length   = 20
      Type of Service = 0x00 (0)
      Total Length    = 0x002C (44)
      Identification  = 0x7F02 (32514)
      Flags           = 0x02
      Fragment Offset = 0x00
      Time to Live    = 0xED (237)
      Protocol        = 0x06 (TCP)
      Header Checksum = 0x857D (34173)
      Source IP       = 0xC01F0782 (192.31.7.130)
      Destination IP  = 0xC0A80102 (192.168.1.2)
    TCP Header:
      Source Port      = 0x0050 (80)
      Destination Port = 0x044F (1103)
      Sequence Number  = 0xD91B1826 (3642431526)
      Ack Number       = 0x00AA405F (11157599)
      Header Length    = 24
      Flags            = 0x12 (A S)
      Window Size      = 0xFAF0 (64240)
      Checksum         = 0xDCEF (56559)
      Urgent Ptr       = 0x0000 (0)
      Options          = 0000: 02 04 05 B
104. ...4. The console port is in use. 5. Why can't I upload the firmware and configuration file using FTP over WAN? 1. When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable FTP from WAN, you must turn the firewall off (Menu 21.2) or, better, create a firewall rule that allows the FTP connection only from the host you manage from. The WAN-to-LAN ACL summary will look as shown below: Source IP: FTP host; Destination IP: P-202H Plus v2's WAN IP; Service: FTP (TCP:21, TCP:20); Action: Forward. (Keep in mind that FTP and Telnet carry the management password in cleartext, so leave such a rule in place only while you need it.) 2. You have disabled the FTP service in Menu 24.11. 3. The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol field in Menu 11.5. 6. Why can't I configure my router using Telnet over LAN? 1. You have disabled the Telnet service in Menu 24.11. 2. The Telnet service is enabled but your host IP is not the secured host entered in Menu 24.11. In this case the error message "Client IP is not allowed" appears on the Telnet screen. 3. The default filter rule 3 (Telnet_FTP_LAN) is applied in the Input Protocol field in Menu 3.1. 4. The console port is in use. 7. Why can't I upload the firmware and configuration file using FTP over LAN? 1. You have disabled the FTP service in Menu 24.11. 2. The default filter rule 3 (Telnet_FTP_LAN) is applied in the Input Protocol field in Menu 3.1. Log and alert: 1. When do
105. ...
    ...192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    snmp-server community public RO
    line con 0
     exec-timeout 0 0
     password 7 06575D7218
     login
    line aux 0
    line vty 0 4
     password 7 11584B5643
     login
    line vty 5 15
     login
    no scheduler allocate
    end
After all of the settings, if PC1 and PC2 can reach each other then the IPSec VPN has been established successfully. There is also a useful command to debug IPSec VPN: debug crypto ipsec. Note that this example configuration keeps "snmp-server community public RO" and type 7 line passwords, which are reversible; neither belongs on a production router.
P-202H Plus v2 to SonicWALL Tunneling: This page guides us to set up a VPN connection between the P-202H Plus v2 and the SonicWALL. As the figure shown below, the tunnel between PC 1 and PC 2 ensures the packets flowing between them are secure. To set up this VPN tunnel, the required settings for the P-202H Plus v2 and the SonicWALL are explained in the following sections. [Figure: LAN 1 - Prestige - IPSec Tunnel - SonicWALL - LAN 2] The IP addresses we use in this example are as shown below:
    P-202H Plus v2 (Prestige): LAN 192.168.1.1, PC 1 192.168.1.33, WAN 202.132.154.1
    SonicWALL: LAN 192.168.181.1, PC 2 192.168.181.10, WAN 168.10.10.66
Note: the following configurations assume that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case the VPN connection can only be initiated from the dynamic side to the fixed side, to update its dynamic IP to the fixed side. From this
106. ...202.132.155.99 (destination IP address); no option. Internet Control Message Protocol: Type= 8 (Echo Request), Code= 0, Checksum= 0x455C, Identifier= 768, Sequence Number= 1280, Optional Data= 32 bytes. Configurations: From the first trace above we know that a client is trying to ping the P-202H Plus v2 router, and from the second trace we know that the P-202H Plus v2 router will send a reply to the client accordingly. The following sample filter will utilize the Generic Filter Rule to block the MAC address 00:80:c8:4c:ea:63. 1. First, from the incoming LAN packet we know that the unwanted source MAC address starts at the 7th octet, i.e. at offset 6 (the first six octets are the destination MAC):
    TIME: 37c060  enet0-RECV  len:74  call:0
    0000: 00 a0 c5 01 23 45 00 80 c8 4c ea 63 08 00 45 00
    0010: 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84
    0020: 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66
    0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
    0040: 77 61 62 63 64 65 66 67 68 69
2. We are now ready to configure the Generic Filter Rule as below:
    Menu 21.1.1 - Generic Filter Rule
    Filter #: 1,1
    Filter Type= Generic Filter Rule
    Active= Yes
    Offset= 6
    Length= 6
    Mask= ffffffffffff
    Value= 0080c84cea63
    More= No          Log= None
    Action Matched= Drop
    Action Not Matched= Forward
Key Settings: Filter Type: Set the Filter Type to Generic Filter Rule. Bear in mind that such a filter only stops a station that keeps its factory address; most network cards let the user change the MAC address, so it is a convenience control rather than a security boundary.
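To check a Generic Filter Rule against a trace before applying it, here is a small Python model of the Menu 21.1.1 match (Offset, Length, Mask, Value, Action Matched / Action Not Matched). It is an added example, not code from the ZyXEL support notes: the first frame is the echo request from the trace above, the second is a constructed copy with a different source MAC, and make_mac_rule is this example's own helper.

```python
"""Model of a ZyNOS Generic Filter Rule (SMT Menu 21.1.1) applied to LAN frames.

Added example, not code from the ZyXEL support notes.  A generic rule compares
Length bytes at Offset, ANDed with Mask, against Value (ANDed with the same Mask).
"""

# Echo request copied from the page's LAN trace (enet0-RECV len:74):
# source MAC 00:80:c8:4c:ea:63 is the station to block.
FRAME_BLOCKED = bytes.fromhex(
    "00a0c5012345"                                 # Ethernet destination MAC (offset 0)
    "0080c84cea63"                                 # Ethernet source MAC (offset 6)
    "0800"                                         # EtherType IP
    "4500003ceb0c00002001e3eaca849b5dca849b63"     # IP header, 202.132.155.93 -> .99
    "0800455c03000500"                             # ICMP echo request header
) + b"abcdefghijklmnopqrstuvwabcdefghi"            # 32 bytes of ping payload

# Constructed frame (assumption): the same request from another station of the same vendor.
FRAME_OTHER = FRAME_BLOCKED[:6] + bytes.fromhex("0080c8112233") + FRAME_BLOCKED[12:]

# The rule exactly as entered in Menu 21.1.1 on the page.
RULE_BLOCK_MAC = {
    "active": True, "offset": 6, "length": 6,
    "mask": "ffffffffffff", "value": "0080c84cea63",
    "action_matched": "Drop", "action_not_matched": "Forward",
}


def rule_matches(rule, frame):
    """True when (frame[Offset:Offset+Length] & Mask) == (Value & Mask)."""
    mask = bytes.fromhex(rule["mask"])
    value = bytes.fromhex(rule["value"])
    if not (len(mask) == len(value) == rule["length"]):
        raise ValueError("Mask and Value must each be exactly Length bytes")
    window = frame[rule["offset"]:rule["offset"] + rule["length"]]
    if len(window) < rule["length"]:     # frame too short to hold the field: no match
        return False
    return all((w & m) == (v & m) for w, m, v in zip(window, mask, value))


def apply_rule(rule, frame):
    """Action the filter takes on this frame: 'Drop' or 'Forward'."""
    if not rule["active"]:
        return "Forward"
    return rule["action_matched"] if rule_matches(rule, frame) else rule["action_not_matched"]


def make_mac_rule(mac, offset=6, oui_only=False):
    """Rule dropping frames whose MAC at `offset` (6 = source, 0 = destination) equals
    `mac`; with oui_only the Mask keeps just the 3-byte vendor prefix."""
    return {"active": True, "offset": offset, "length": 6,
            "mask": "ffffff000000" if oui_only else "ffffffffffff",
            "value": mac.replace(":", "").replace("-", "").lower(),
            "action_matched": "Drop", "action_not_matched": "Forward"}


if __name__ == "__main__":
    oui_rule = make_mac_rule("00:80:c8:4c:ea:63", oui_only=True)
    for name, frame in (("blocked host", FRAME_BLOCKED), ("other host", FRAME_OTHER)):
        print("%s: exact rule -> %s, OUI rule -> %s" % (
            name, apply_rule(RULE_BLOCK_MAC, frame), apply_rule(oui_rule, frame)))
```

The Mask is what makes the rule generic: ffffff000000 matches every station of one vendor prefix, and a rule with Offset 0 tests the destination address instead of the source.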
107. ...202H Plus v2 (202.3.1.1). 9. Set Secure Gateway Addr to the IP address of headquarters (202.1.1.1). 10. Select Encapsulation Mode to Tunnel. 11. Check the ESP check box (AH cannot be used in the SUA/NAT case). 12. Select Encryption Algorithm to DES and Authentication Algorithm to SHA-1. These parameters are for the IKE phase 2 negotiation. You can set a more detailed configuration by pressing the Advanced button. 13. Enter the key string 12345678 in the Pre-shared Key text box and click Apply. [Screen shot: web configurator IPSec Setup page for rule Branch_A: Active checked, Keep Alive, IPSec Key Mode IKE, Negotiation Mode Main, Local Address Type Range 192.168.3.0 - 192.168.3.255, Remote Address Type Range 192.168.1.0 - 192.168.2.255, Local ID Type IP (Content 0.0.0.0), My IP Address 202.3.1.1, Peer ID Type IP (Content 0.0.0.0), Secure Gateway IP Address 202.1.1.1, Encapsulation Mode Tunnel, VPN Protocol ESP, Pre-Shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm SHA1; Back / Apply / Cancel / Delete.] You can set up IKE phase 1 and phase
108. ...202H Plus v2 support? The P-202H Plus v2 supports STAC compression. Please note that STAC is not enabled in the P-202H Plus v2 by default. You can enable it in the Remote Node setup, SMT Menu 11.2 (Edit PPP Option). 4. What is the default console port baud rate? Moreover, how do I change it? The default console port baud rate is 9600 bps. When configuring the SMT, please make sure that the terminal baud rate is also 9600 bps. You can change the console baud rate from 9600 bps to 57600 bps to speed up SMT access by using SMT Menu 24.2.2. 5. How do I upload the ZyNOS firmware code via console? The procedure for uploading via console is as follows: a. Enter debug mode when powering on the P-202H Plus v2, using a terminal emulator. b. Enter ATUR to start the uploading. c. Use the XMODEM protocol to transfer the ZyNOS code. d. Enter ATGO to restart the P-202H Plus v2. 6. How do I upgrade/backup the ZyNOS firmware by using a TFTP client program via LAN? The P-202H Plus v2 allows you to transfer the firmware from/to the P-202H Plus v2 by using a TFTP program via LAN. The procedure for uploading via TFTP is as follows: a. Use the TELNET client program on your PC to login to your P-202H Plus v2 and use Menu 24.8 to enter the CI command "sys stdio 0" to disable the console idle timeout (re-enable the timeout afterwards; with it disabled, an unattended session stays logged in). b. To upgrade the firmware, use the TFTP client program to put the firmware in the file "ras"
109. ...3. Click the Connection Type tab and click "All network connections", or click "LAN connections" if your Win2K does not connect to the ISP but only to the LAN. In our example we choose "All network connections". [Dialog: New Rule Properties, Connection Type tab: "This rule only applies to network traffic over connections of the selected type": All network connections / Local area network (LAN) / Remote access.] 4. Click the Filter Action tab, uncheck the "Use Add Wizard" check box and click New. [Dialog: New Rule Properties, Filter Action tab: "The selected filter action specifies whether this rule negotiates for secure network traffic and how it will secure the traffic." Filter Actions: New Filter Action.] 5. Leave "Negotiate security" checked and uncheck the "Accept unsecured communication, but always respond using IPSec" check box. You must do this to ensure secure connections. [Dialog: New Filter Action 1 Properties, Security Methods tab: Permit / Block / Negotiate security; Security Method preference order: ESP Confidential...; Add / Edit / Remove.]
110. ...[Screen shot, continued: Pre-Shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm SHA1; Advanced / Back / Apply / Cancel / Delete.] You can set up the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule in headquarters. [Screen shot: VPN - IKE Advanced Setup page: Protocol 0; Enable Replay Detection; Local Start Port 0, End 0; Remote Start Port 0, End 0; Phase 1: Negotiation Mode Main, Pre-Shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds), Key Group DH1; Phase 2: Active Protocol ESP, Encryption Algorithm DES, Authentication Algorithm SHA1, SA Life Time (Seconds), Encapsulation Tunnel, Perfect Forward Secrecy (PFS) NONE; Apply / Cancel.] 3. Setup VPN in headquarters: 1. The corresponding rule for Branch_A in headquarters: [screen shot, not legible on this page]
111. ...2H Plus v2 support? One P-202H Plus v2 supports 2 VPN connections. 3. What VPN protocols are supported by P-202H Plus v2 VPN? All P-202H Plus v2 series support the ESP protocol (protocol number 50) and the AH protocol (protocol number 51). 4. What types of encryption does P-202H Plus v2 VPN support? The P-202H Plus v2 supports 56-bit DES and 168-bit 3DES. 5. What types of authentication does P-202H Plus v2 VPN support? VPN vendors support a number of different authentication methods. P-202H Plus v2 VPN supports both SHA1 and MD5. AH provides authentication, integrity and replay protection, but not confidentiality. Its main difference from ESP is that AH also secures parts of the IP header of the packet (like the source and destination addresses), but ESP does not; this is also why AH cannot pass through SUA/NAT, which rewrites the very addresses AH has authenticated, as the configuration examples note. ESP can provide authentication, integrity, replay protection and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity; these two always go together. Confidentiality (encryption) can be used with or without authentication/integrity, although encryption-only ESP is not recommended, since it leaves the ciphertext open to undetected modification. Similarly, one could use authentication/integrity with or without confidentiality. 6. I am planning my P-202H Plus v2 to P-202H Plus v2 VPN configuration. What do I need to know? First of all, both P-202H Plus v2 must have VPN capabilities. Please check the firmware
112. ...46  PPP  VJ Compressed IP  0x002d
    ras> sys trcp parse 1 2
    <0001>
    PPP Frame: BRI0-XMIT  Size: 52/52  Time: 1226.450 sec
    Frame Type: TCP 163.31.239.1:10008 -> 210.67.113.145:80
    PPP Header:
      Protocol = 0x0021 (IP)
    IP Header:
      IP Version      = 4
      Header Length   = 20
      Type of Service = 0x00 (0)
      Total Length    = 0x0030 (48)
      Identification  = 0xFD02 (64770)
      Flags           = 0x02
      Fragment Offset = 0x00
      Time to Live    = 0x7F (127)
      Protocol        = 0x06 (TCP)
      Header Checksum = 0x28CF (10447)
      Source IP       = 0xA31FEF01 (163.31.239.1)
      Destination IP  = 0xD2437191 (210.67.113.145)
    TCP Header:
      Source Port      = 0x2718 (10008)
      Destination Port = 0x0050 (80)
      Sequence Number  = 0x000D088D (854157)
      Ack Number       = 0x00000000 (0)
      Header Length    = 28
      Flags            = 0x02 (S)
      Window Size      = 0x2000 (8192)
      Checksum         = 0x5D27 (23847)
      Urgent Ptr       = 0x0000 (0)
      Options          = 0000: 02 04 05 B4 01 01 04 02
    RAW DATA:
      0000: FF 03 00 21 45 00 00 30 FD 02 40 00 7F 06 28 CF
      0010: A3 1F EF 01 D2 43 71 91 27 18 00 50 00 0D 08 8D
      0020: 00 00 00 00 70 02 20 00 5D 27 00 00 02 04 05 B4
      0030: 01 01 04 02
    <0003>
    PPP Frame: BRI0-RECV  Size: 48/48  Time: 1226.480 sec
    Frame Type: TCP 210.67.113.145:80 -> 163.31.239.1:10008
    PPP Header:
      Protocol = 0x0021 (IP)
    IP Header:
      IP
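The IP, UDP and TCP header layouts given with Menu 24.1 (chunk 96) and the sys trcp parse output above are what you need to read a dump by hand; the following Python script, added here as an example and not taken from the ZyXEL support notes, does the same decoding from the raw bytes, verifies the IP and TCP checksums, and reports the byte offsets of the fields a filter rule would test. Its two inputs are the PPP frame <0001> and the Menu 24.1 dump copied from the page; the function names (decode_packet, field_offsets, strip_ppp) are this example's own.

```python
"""Decode IP/TCP headers from ZyNOS trace dumps and verify their checksums.

Added example, not code from the ZyXEL support notes.  Input is the hex shown by
"sys trcp parse" (RAW DATA) or by SMT Menu 24.1 "LAN Packet Which Triggered Last Call".
"""
import struct
from ipaddress import IPv4Address

# PPP frame <0001> (BRI0-XMIT) as printed in the RAW DATA section on the page.
PPP_FRAME_HEX = """
FF 03 00 21 45 00 00 30 FD 02 40 00 7F 06 28 CF
A3 1F EF 01 D2 43 71 91 27 18 00 50 00 0D 08 8D
00 00 00 00 70 02 20 00 5D 27 00 00 02 04 05 B4
01 01 04 02
"""
# Menu 24.1 dump as printed on the page; it starts at the IP header (no link layer).
# As transcribed there, its IP checksum field does not verify; the PPP frame above does.
MENU_24_1_HEX = """
45 00 00 2E CA 0E 40 00 1F 06 D7 09 CC F7 CB B4 CC D9 00 02
04 1C 00 15 00 33 2D 5E 55 80 B5 C0 50 18 1F 9B E7 D4 00 00
50 41 53 56 0D 0A
"""

TCP_FLAG_BITS = ((0x20, "U"), (0x10, "A"), (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F"))


def strip_ppp(frame):
    """Drop the HDLC address/control bytes (FF 03) and the PPP protocol field (0021 = IP)."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    proto = struct.unpack("!H", frame[:2])[0]
    if proto != 0x0021:
        raise ValueError("PPP protocol 0x%04x is not IP" % proto)
    return frame[2:]


def internet_checksum(data):
    """RFC 1071 one's-complement checksum; 0 means the embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_packet(packet):
    """Parse the IP header and, for protocol 6, the TCP header; check both checksums."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, hcs = struct.unpack(
        "!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    info = {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": hcs,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ip_checksum_ok": internet_checksum(packet[:ihl]) == 0,
    }
    if proto != 6:
        return info
    segment = packet[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, tcs, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    # The TCP checksum covers a pseudo-header (addresses, protocol, length) plus the segment.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(segment))
    info["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": data_off,
        "flags": "".join(name for bit, name in TCP_FLAG_BITS if off_flags & bit),
        "window": window, "checksum": tcs, "urgent": urg,
        "options": segment[20:data_off], "payload": segment[data_off:],
        "tcp_checksum_ok": internet_checksum(pseudo + segment) == 0,
    }
    return info


def field_offsets(packet):
    """Byte offsets, counted from the start of the IP header, of the fields a
    Generic Filter Rule would match.  Add 14 for a rule applied to an Ethernet frame."""
    ihl = (packet[0] & 0x0F) * 4
    return {"ip_protocol": 9, "ip_src": 12, "ip_dst": 16,
            "tcp_sport": ihl, "tcp_dport": ihl + 2, "tcp_flags": ihl + 13}


if __name__ == "__main__":
    samples = (("PPP frame <0001>", strip_ppp(bytes.fromhex(PPP_FRAME_HEX))),
               ("Menu 24.1", bytes.fromhex(MENU_24_1_HEX)))
    for label, raw in samples:
        d = decode_packet(raw)
        t = d.get("tcp", {})
        print("%s: %s:%s -> %s:%s flags=%s ip_csum_ok=%s tcp_csum_ok=%s payload=%r" % (
            label, d["src"], t.get("sport"), d["dst"], t.get("dport"), t.get("flags"),
            d["ip_checksum_ok"], t.get("tcp_checksum_ok"), t.get("payload")))
        print("   filter offsets:", field_offsets(raw))
```

Decoding the Menu 24.1 dump this way shows an FTP control connection (destination port 21, flags A P, payload "PASV") from 204.247.203.180, which is the information needed to write a rule that keeps that traffic from bringing the line up; the checksum check is the quick test that a dump was transcribed correctly before any rule is derived from it.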
113. ...(IP protocol name table, continued) MOBILE-IP (IP Mobility) [Perkins]; TLSP (Transport Layer Security Protocol, using Kryptonet key management) [Oberg]; SKIP [Markson]; IPv6-ICMP (ICMP for IPv6) [RFC1883]; IPv6-NoNxt (No Next Header for IPv6) [RFC1883]; IPv6-Opts (Destination Options for IPv6) [RFC1883]; any host internal protocol [IANA]; CFTP [HCF2]; any local network [IANA]; SAT-EXPAK (SATNET and Backroom EXPAK) [SHB]; KRYPTOLAN [PXL1]; RVD (MIT Remote Virtual Disk Protocol) [MBG]; IPPC (Internet Pluribus Packet Core) [SHB]; any distributed file system [IANA]; SAT-MON (SATNET Monitoring) [SHB]; VISA (VISA Protocol) [GXT1]; IPCV (Internet Packet Core Utility) [SHB]; CPNX (Computer Protocol Network Executive) [DXM2]; CPHB (Computer Protocol Heart Beat) [DXM2]; WSN (Wang Span Network) [VXD]; PVP (Packet Video Protocol) [SC3]; BR-SAT-MON (Backroom SATNET Monitoring) [SHB]; SUN-ND (SUN ND PROTOCOL, temporary) [WM3]; WB-MON (WIDEBAND Monitoring) [SHB]; WB-EXPAK (WIDEBAND EXPAK) [SHB]; ISO-IP (ISO Internet Protocol) [MTR]; VMTP [DRC3]; SECURE-VMTP [DRC3]; VINES [BXH]; TTP [JXS]; NSFNET-IGP [HWB]; DGP (Dissimilar Gateway Protocol) [DGP, ML109]; TCF [GAL5]; EIGRP [CISCO, GXS]; OSPFIGP [RFC1583, JTM4]; Sprite-RPC (Sprite RPC Protocol) [SPRITE, BXW]; LARP (Locus Address Resolution Protocol) [BXH]; MTP (Multicast Transport Protocol) [SXA]; AX.25 (AX.25 Frames) [BK29]; IP
114. ...
    Menu 22 - SNMP Configuration
    SNMP:
      Get Community= public
      Set Community= public
      Trusted Host= 192.168.1.33
      Trap:
        Community= public
        Destination= 192.168.1.33
    Press ENTER to Confirm or ESC to Cancel:
Key Settings: Get Community: Enter the correct Get Community. This Get Community must match the Get and GetNext community requested from the NMS. The default is "public". Set Community: Enter the correct Set Community. This Set Community must match the Set community requested from the NMS. The default is "public". Trusted Host: Enter the IP address of the NMS. The P-202H Plus v2 will only respond to SNMP messages coming from this IP address. If 0.0.0.0 is entered, the P-202H Plus v2 will respond to all NMS managers. Trap Community: Enter the community name sent in each trap to the NMS. This Trap Community must match what the NMS is expecting. The default is "public". Trap Destination: Enter the IP address of the NMS that you wish to send the traps to. If 0.0.0.0 is entered, the P-202H Plus v2 will not send traps to any NMS manager. In practice, change both community strings from "public" before enabling SNMP and keep Trusted Host set to the NMS address rather than 0.0.0.0: SNMPv1 communities travel in cleartext, and whoever knows the Set Community can rewrite the configuration.
13. Using Multi-NAT: What is Multi-NAT; How NAT works; NAT Mapping Types; SUA Versus NAT; SMT Menus: 1. Applying NAT in the SMT Menus; 2. Configuring NAT; 3. Address Mappi
115. ...[Screen shot: Sentinel client menu: Select VPN (ZyWALL), Start Policy Manager, Stop Policy Manager.] NOTE: Please check your P-202H Plus v2's release note; if your current firmware version doesn't support Mega Bytes as SA lifetime, you have to zero your Mega Bytes setting in the SA life time. Switch to Security Policy; the configuration page is in <Your VPN connection> Properties, Advanced tab, Settings. [Dialog: Security Association Lifetimes ("The settings affect this connection rule only"): IKE security association: Lifetime in minutes 240 min, Lifetime in megabytes 0 MB; IPSec security association: Lifetime in minutes, Lifetime in megabytes 0 MB; Defaults / OK / Cancel.] 2. Setup P-202H Plus v2 VPN: 1. Using a web browser, login to the P-202H Plus v2 by giving the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1; the default password to login to the web configurator is 1234. 2. Go to Advanced > VPN. 3. Check the Active box to enable this rule. Check Keep alive to make your VPN connection stay permanent. 4. Select Negotiation Mode to Main, as we configured in Sentinel. Local IP Address Type is Subnet Address; Start is 192.168.1.0, End/Subnet Mask is 255.255.255.0. Remo
116. ...IP Address: the IP address assigned to the workstation itself. Subnet Mask: the subnet mask used for your network; class C networks generally use a 24-bit netmask. DNS (Domain Name Server) Address: enter the IP address of the DNS server. Default Gateway: the IP address of the P-202H Plus v2; the default gateway for LAN1 is P-202H Plus v2 1 and for LAN2 is P-202H Plus v2 2. The procedure for configuring these parameters for the workstations may differ depending on the type of TCP/IP networking software you are using on your workstations. If you are unfamiliar with how to set these parameters, you can refer to the technical notes corresponding to your software. For Windows 9x, please go to Win9x > Control Panel > Network > TCP/IP Network Adapter to finish the above settings. Setting up the P-202H Plus v2 1 & P-202H Plus v2 2: Before configuring the two remote nodes for this application, you need to complete the following settings first in each P-202H Plus v2: General Setup in SMT Menu 1 (enter the system information); ISDN Setup in SMT Menu 2 (configure the ISDN parameters); Ethernet Setup in SMT Menu 3 (enter the IP address of the P-202H Plus v2 and enable the DHCP server if it is required); Remote Node Setup in SMT Menu 11. P-202H Plus v2 1 Setup: 1. Ethernet Setup in SMT Menu 3:
    Menu 3.2 - TCP/IP and DHCP Ethernet Setup
    DHCP Setup
      DHC
117. ...68.1.33, then you need to specify for port 80 (Web) the server at IP address 192.168.1.36 and for port 21 (FTP) another at IP address 192.168.1.33. [Figure: FTP Server 192.168.1.33 and Web Server 192.168.1.36 on the LAN behind the P-202H Plus v2, one global IP assigned by the ISP.] Please note that a server can support more than one service, e.g. a server can provide both FTP and Mail service while another provides only Web service. The following procedure shows how to configure a server behind NAT: Step 1: Enter 15 in the Main Menu to go to Menu 15 - NAT Setup. Step 2: Enter 2 to go to Menu 15.2 - NAT Server Setup. Step 3: Enter the service port number in the Port field and the inside IP address of the server in the IP Address field. Step 4: Press SPACEBAR at the "Press ENTER to confirm" prompt to save your configuration after you define all the servers, or press ESC at any time to cancel.
    Menu 15.2 - NAT Server Setup (Used for SUA Only)
    Rule  Start Port No.  End Port No.  IP Address
     1    Default         Default       0.0.0.0
     2    80              80            192.168.1.10
     3    21              21            192.168.1.11
     4    0               0             0.0.0.0
     5    0               0             0.0.0.0
     6    0               0             0.0.0.0
     7    0               0             0.0.0.0
     8    0               0             0.0.0.0
     9    0               0             0.0.0.0
    10    0               0             0.0.0.0
    11    0               0             0.0.0.0
    12    0               0             0.0.0.0
    Press ENTER to Confirm or ESC to Cancel:
The most
118. ...6af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034 00000001 00000001 00000028 01010001 00000020 01010000 80010001 80020001 80040001 80030001 800b0001 800c0e10
    In isadb_get_entry: nxt_pyld=1 exch=2
    New SA
    In responder: isadb_create_entry
    RESPONSOR entering soGetPeerByAddr
    <deleted>
4. View Log: To view the log for IPSec and IKE connections, please enter Menu 27.3 - View IPSec Log. The log menu is also useful for troubleshooting; please capture it for us if necessary. Please refer to the example below:
    Index  Date             Log
    001    01 Jan 00:15:11  <<<< INFO: Sending IKE Packet 15
    002    01 Jan 00:15:11  <<<< Sending IKE Packet 15
    003    01 Jan 00:15:11  <<<< INFO: Sending IKE Packet 15
    004    01 Jan 00:15:11  <<<< Sending IKE Packet 15
    005    01 Jan 00:15:16  <<<< Sending IKE Packet
    006    01 Jan 00:15:16  >>>> MM Receiving IKE Packet
    007    01 Jan 00:15:18  <<<< Sending IKE Packet
    008    01 Jan 00:15:18  >>>> MM Receiving IKE Packet 4
    009    01 Jan 00:15:19  <<<< Sending IKE Packet
    010    01 Jan 00:15:19  >>>> MM Receiving IKE Packet
    011    01 Jan 00:15:19  <<<< Sending IKE Packet
    012    01 Jan 00:15:19  >>>> QM Receiving IKE Packet 15
    013    01 Jan 00:15:19  <<<< Sending IK
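The hex words at the top of this chunk are a complete ISAKMP message: the first Main Mode packet, 0x50 = 80 bytes long, whose exchange type 2 is echoed by the "exch=2" debug line under it. The following decoder is an added example, not code from the ZyXEL support notes: it walks the header, the SA payload, its proposal and transform, and names the IKE attributes the peer proposed. One leading byte of the initiator cookie is cut off on the page, so the sample supplies 00 for it (a constructed value); the attribute names come from RFC 2409 Appendix A, and the function names are this example's own.

```python
"""Decode the ISAKMP (IKEv1) packet dumped by the P-202H Plus v2 IKE debug output.

Added example, not code from the ZyXEL support notes.  The sample is the hex dump
on the page (first message of a Main Mode exchange); the first byte of the
initiator cookie is missing on the page and is filled with 00 here (constructed).
"""
import struct

DEBUG_DUMP = """006af206 b187aae3 00000000 00000000 01100200 00000000 00000050
00000034 00000001 00000001 00000028 01010001 00000020 01010000
80010001 80020001 80040001 80030001 800b0001 800c0e10"""

EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational",
                  32: "Quick Mode"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 8: "HASH",
                 10: "NONCE", 11: "N", 13: "VID"}
# IKE SA attribute classes and the values that matter for policy (RFC 2409 Appendix A).
ATTR_CLASSES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
                11: "life_type", 12: "life_duration", 14: "key_length"}
ATTR_VALUES = {
    "encryption": {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
    "hash": {1: "MD5", 2: "SHA1", 4: "SHA2-256"},
    "auth_method": {1: "pre-shared key", 2: "DSS signature", 3: "RSA signature"},
    "dh_group": {1: "MODP-768 (DH1)", 2: "MODP-1024 (DH2)", 5: "MODP-1536 (DH5)",
                 14: "MODP-2048 (DH14)"},
    "life_type": {1: "seconds", 2: "kilobytes"},
}


def parse_attributes(data):
    """Decode the TLV attribute list of a transform (basic and variable-length forms)."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        af_type, val = struct.unpack("!HH", data[pos:pos + 4])
        cls = af_type & 0x7FFF
        if af_type & 0x8000:            # AF bit set: 2-byte value follows directly
            value, pos = val, pos + 4
        else:                           # AF bit clear: 'val' is the length of the value
            value = int.from_bytes(data[pos + 4:pos + 4 + val], "big")
            pos += 4 + val
        name = ATTR_CLASSES.get(cls, "attr_%d" % cls)
        attrs[name] = ATTR_VALUES.get(name, {}).get(value, value)
    return attrs


def parse_sa_payload(body):
    """body = SA payload after its generic header: DOI, situation, then proposals."""
    doi, situation = struct.unpack("!II", body[:8])
    proposals, pos = [], 8
    while pos < len(body):
        _n, _r, plen, pnum, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[pos:pos + 8])
        tpos, transforms = pos + 8 + spi_size, []
        for _ in range(ntrans):
            _n, _r, tlen, tnum, tid, _r2 = struct.unpack("!BBHBBH", body[tpos:tpos + 8])
            transforms.append({"number": tnum, "id": tid,
                               "attributes": parse_attributes(body[tpos + 8:tpos + tlen])})
            tpos += tlen
        proposals.append({"number": pnum, "protocol": proto, "transforms": transforms})
        pos += plen
    return {"doi": doi, "situation": situation, "proposals": proposals}


def decode_isakmp(packet):
    """Parse the 28-byte ISAKMP header and follow the next-payload chain."""
    icookie, rcookie, nxt, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", packet[:28])
    if length != len(packet):
        raise ValueError("length field %d but %d bytes of data" % (length, len(packet)))
    msg = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
           "version": "%d.%d" % (ver >> 4, ver & 0xF), "exchange": EXCHANGE_TYPES.get(exch, exch),
           "encrypted": bool(flags & 1), "message_id": msgid, "payloads": []}
    pos = 28
    while nxt != 0 and pos + 4 <= len(packet):
        nxt_next, _res, plen = struct.unpack("!BBH", packet[pos:pos + 4])
        entry = {"type": PAYLOAD_TYPES.get(nxt, nxt)}
        if nxt == 1:
            entry.update(parse_sa_payload(packet[pos + 4:pos + plen]))
        msg["payloads"].append(entry)
        nxt, pos = nxt_next, pos + plen
    return msg


def first_message_dump():
    """The page's dump as bytes (with the constructed leading cookie byte)."""
    return bytes.fromhex(DEBUG_DUMP)


if __name__ == "__main__":
    m = decode_isakmp(first_message_dump())
    print(m["exchange"], "responder cookie", m["responder_cookie"], "(zero: first packet)")
    for t in m["payloads"][0]["proposals"][0]["transforms"]:
        print("transform", t["number"], t["attributes"])
```

The proposal decoded from the page is DES-CBC, MD5, pre-shared key, DH group 1 and a 3600-second lifetime, which matches the phase 1 values the Advanced Setup page and the ConfigMaker note elsewhere in these notes configure; reading it off the wire is the direct check that both peers offer the same phase 1 parameters when the log shows Main Mode packets going out without a reply. These are also the weakest options IKEv1 defines, so where the peer supports the 3DES and SHA1 this device offers, prefer them.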
119. ...[JBP]; MUX (Multiplexing) [IEN90, JBP]; DCN-MEAS (DCN Measurement Subsystems) [DLM1]; HMP (Host Monitoring) [RFC869, RH6]; PRM (Packet Radio Measurement) [ZSU]; XNS-IDP (XEROX NS IDP) [ETHERNET, XEROX]; TRUNK-1 (Trunk-1) [BWB6]; TRUNK-2 (Trunk-2) [BWB6]; LEAF-1 (Leaf-1) [BWB6]; LEAF-2 (Leaf-2) [BWB6]; RDP (Reliable Data Protocol) [RFC908, RH6]; IRTP (Internet Reliable Transaction) [RFC938, IXM]; ISO-TP4 (ISO Transport Protocol Class 4) [RFC905, RC77]; NETBLT (Bulk Data Transfer Protocol) [RFC969, DDC1]; MFE-NSP (MFE Network Services Protocol) [MFENET, BCH2]; MERIT-INP (MERIT Internodal Protocol) [HWB]; SEP (Sequential Exchange Protocol) [JC120]; 3PC (Third Party Connect Protocol) [SAF3]; IDPR (Inter-Domain Policy Routing Protocol) [MXS1]; XTP [GXC]; DDP (Datagram Delivery Protocol) [WXC]; IDPR-CMTP (IDPR Control Message Transport Proto) [MXS1]; TP++ (TP++ Transport Protocol) [DXF]; IL (IL Transport Protocol) [Presotto]; IPv6 [Deering]; SDRP (Source Demand Routing Protocol) [DXE1]; IPv6-Route (Routing Header for IPv6) [Deering]; IPv6-Frag (Fragment Header for IPv6) [Deering]; IDRP (Inter-Domain Routing Protocol) [Sue Hares]; RSVP (Reservation Protocol) [Bob Braden]; GRE (General Routing Encapsulation) [Tony Li]; MHRP (Mobile Host Routing Protocol) [David Johnson]; BNA [Gary Salamon]; ESP (Encap Security Payload for IPv6) [RFC1827]; AH (Authentication Header for IPv6) [RFC1826]; I-NLSP (Integrated Net Layer Security TUBA) [GLENN]; SWIPE (IP with Encryption) [JI6]; NARP (NBMA Address Resolution Protocol) [RFC173
120. ...9.1
    TCP Header:
      Source Port      = 0x0050 (80)
      Destination Port = 0x2717 (10007)
      Sequence Number  = 0x7AA71C33 (2057772083)
      Ack Number       = 0x000BCB54 (772948)
      Header Length    = 24
      Flags            = 0x12 (A S)
      Window Size      = 0x4470 (17520)
      Checksum         = 0xF40E (62478)
      Urgent Ptr       = 0x0000 (0)
      Options          = 0000: 02 04 05 B4
    RAW DATA:
      0000: FF 03 00 21 45 00 00 2C B0 D4 40 00 38 06 BC 01
      0010: D2 43 71 91 A3 1F EF 01 00 50 27 17 7A A7 1C 33
      0020: 00 0B CB 54 60 12 44 70 F4 0E 00 00 02 04 05 B4
Offline Trace: 1. Trace LAN packet; 2. Trace WAN packet.
1. Trace LAN packet:
    1.1 Disable capturing of WAN packets by entering: sys trcp channel bri0 none (and bri1 none)
    1.2 Enable capturing of LAN packets by entering: sys trcp channel enet0 bothway
    1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
    1.4 Wait for packets passing through the P-202H Plus v2 over the LAN.
    1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off
    1.6 Display the trace briefly by entering: sys trcp brief
    1.7 Display specific packets by using: sys trcp parse <from_index> <to_index>
Example:
    ras> sys trcp channel bri0 none
    ras> sys trcp channel enet0 bothway
    ras> sys trcp sw on
    ras> sys trcl sw on
    ras> sys trcp sw off
    ras> sys trcl sw off
    ras> sys trcp brief
    0 1
121. [Cisco ConfigMaker network diagram screenshot] Tutorial: Using Cisco ConfigMaker. Draw your network diagram: select a device from the Devices window and click in the Network Diagram window. To connect two devices, select a connection from the Connections window, click the first device in the Network Diagram and then click the second device to complete the connection. Deliver configuration: when the device is blue, select the device and download the IOS configuration to it using the Deliver Configuration wizard. You can also configure a VPN using the VPN connection. Select VPN, then click the right mouse button and choose Connection Properties. Set up the IPSec parameters as shown below; the parameters you set here must match the settings in the P-202H Plus v2. In IKE Advanced Settings the Encryption Algorithm is 56-bit DES, the Authentication Algorithm is MD5 and the SA lifetime is 1 hr. In IPSec Transform the Encryption Algorithm is 56-bit DES, the Authentication Algorithm is MD5 and the SA lifetime is 1 hr.
122. [Network diagram: LAN segments 192.168.3.0/24, 192.168.1.0/24 and 192.168.2.0/24] 1. Setup VPN in branch office A. VPN routing enables branch offices to talk to each other via tunnels concentrated on the headquarters. In this step we configure an IPSec rule in P-202H Plus v2 Branch_A for the PCs behind branch office A to access both LAN segments of the headquarters and branch office B. Because the LAN segments of the headquarters and branch office B are contiguous, we merge them into one single rule by including both segments in the Remote section. If the two segments are not contiguous, we strongly recommend that you set up separate rules for them. 1. Click Advanced and click the VPN tab on the left. 2. On the SUMMARY menu, select a policy to edit by clicking Edit. 3. On the CONFIGURE IKE menu, check the Active check box and give this policy a name. 4. Give this VPN rule the name Branch_A. 5. Set Key Management to IKE and Negotiation Mode to Main. 6. In the Local section, set Address Type to Range Address, IP Address Start to 192.168.3.0 and End to 192.168.3.255; this covers the LAN segment of branch office A. 7. In the Remote section, set Address Type to Range Address, IP Address Start to 192.168.1.0 and End to 192.168.2.255; this covers the LAN segments of both the headquarters and branch office B. 8. My IP Addr is the WAN IP of this P
123. [SSH Sentinel Internet Key Exchange (IKE) dialog: Encryption DES (56-bit), Authentication HMAC-MD5, Diffie-Hellman Group 1 (768 bits)] 2. Setup P-202H Plus v2 VPN. 1. Using a web browser, log in to the P-202H Plus v2 by giving its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234. 2. Click Advanced and click the VPN tab on the left. 3. On the SUMMARY menu, select a policy to edit by clicking Edit. 4. On the CONFIGURE IKE menu, check the Active check box and give this policy a name. 5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as configured in SSH. 6. Source IP Address Start and Source IP Address End are the PC 2 IP in this example (the secure host behind the P-202H Plus v2). 7. Destination IP Address Start and Destination IP Address End are PC 1 in this example (the secure SSH PC). Note: you may assign a range of source/destination IP addresses for multiple VPN sessions. 8. My IP Addr is the WAN IP of the P-202H Plus v2. 9. Secure Gateway IP Addr is the remote SSH host's IP, that is PC 1 in this example. 10. Select Encapsulation Mode
124. Authentication Key. Then click OK to save. [SSH Sentinel dialog: Subnet mask; Gateway IP address 172.21.1.252; Remote network ZyWALL; Authentication key; Diagnostics] 11. In the SSH Sentinel Policy Editor you will get a new VPN connection, 172.21.1.252 (P-202H Plus v2); choose this item and then press the Properties button. [SSH Sentinel Policy Editor screenshot: Security Policy, Key Management; Pre-IPSec Filter, VPN Connections, Secured Connections, Secured Networks, Default Response, Post-IPSec Filter; Add, Remove, Properties, Diagnostics] 12. Choose the Settings button in the Remote endpoint section. Uncheck the boxes Acquire virtual IP address and Extended authentication. [Rule Properties dialog: General, Advanced; Remote endpoint: Security gateway, Remote network ZyWALL; IPSec/IKE proposal: Authentication key, Proposal template normal, Settings; a virtual IP address is an address from the internal network; Extended aut
125. [TFTP client screenshot: Block Size 512; Local File prestige.rom; Remote File rom-0; Binary; Send, Fetch, Abort] 192.168.1.1 is the IP address of the P-202H Plus v2. The local file is the source configuration file that is available on your hard disk. The remote file is the file name that will be saved in the P-202H Plus v2. Check the port number (69) and 512-octet blocks for TFTP. Check Binary mode for file transferring. Using the TFTP command on Windows NT. Before you begin: 1. TELNET to your P-202H Plus v2 before using the TFTP command. 2. Type the CI command sys stdio 0 to disable the console idle timeout in Menu 24.8, and stay in Menu 24.8.
    Upload ZyNOS via LAN: c:\tftp -i <P-202H Plus v2 IP> put <localfile> ras
    Download ZyNOS via LAN: c:\tftp -i <P-202H Plus v2 IP> get ras <localfile>
    Upload SMT configurations via LAN: c:\tftp -i <P-202H Plus v2 IP> put <localfile> rom-0
    Download SMT configurations via LAN: c:\tftp -i <P-202H Plus v2 IP> get rom-0 <localfile>
    Using the TFTP command on UNIX. Before you begin: 1. TELNET to your P-202H Plus v2 before using the TFTP command. 2. Type the CI command sys stdio 0 to disable the console idle timeout in Menu 24.8, and stay in Menu 24.8. Example:
    [copwu@faelinux copwu]$ telnet 192.168.1.1
    Trying 192.168.1.1
126. [Edit Rule Properties dialog: Add, Edit, Remove, Use Add Wizard] 6. On the Authentication Methods tab, configure the same settings as in the first rule. [Edit Rule Properties dialog: IP Filter List, Filter Action, Authentication Methods, Tunnel Setting, Connection Type. The authentication method specifies how trust is established between the computers. Offer and accept these authentication methods when negotiating security with another computer. Authentication Method preference order: Kerberos, Preshared Key] 7. Click Close. [Edit Rule Properties dialog: Authentication Method preference order: Kerberos, Preshared Key 12345678; Add, Edit, Remove, Move up, Move down; Cancel, Apply] 8. Enable both rules you created in the policy properties and click Close. Figure 5: see the finished screen shot. [WIN2K to ZyWALL Properties dialog: Rules, General; Security rules for communicating with other computers; IP Security Rules; IP Filt
127. 2. If it is OK, we know the tunnel works. Please try to ping from PC 1 to PC 2 or from PC 2 to PC 1. If PC 1 and PC 2 can ping each other, the IPSec tunnel has been established successfully. If the ping fails, there are two methods to troubleshoot IPSec in the P-202H Plus v2. Menu 27.2 SA Monitor: through menu 27.2 you can monitor every IPSec connection currently running in the P-202H Plus v2. The second column of each entry indicates the IPSec rule name, so if you cannot see the name of your IPSec rule, the SA establishment has failed; go back to Menu 27 to check your settings.
    Menu 27.2 - SA Monitor
    # Name / Encap. / IPSec ALgorithm
    1 P-202H Plus v2A ca24f1eb6616b7c4 732c211ae9b01a0f / Tunnel / ESP DES SHA1
    Select Command= Refresh
    Select Connection= N/A
    Press ENTER to Confirm or ESC to Cancel
    Using the CI command ipsec debug 1: enter ipsec debug 1 in Menu 24.8. Lots of detailed messages will be printed out to show how the negotiations take place. If the IPSec connection fails, please dump the ipsec debug 1 output for our analysis. The following shows an example of the dumped messages:
    P-202H Plus v2> ipsec debug 1
    IPSEC debug level 1
    P-202H Plus v2> catcher recv pkt numPkt<1>
    get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80>
    f7
128. [Web configurator VPN IKE Advanced Setup screenshot: Enable Replay Detection; Local Start Port/End; Remote Start Port/End; Phase 1: Negotiation Mode Main, Pre-Shared Key, Encryption Algorithm DES, Authentication Algorithm, SA Life Time (Seconds), Key Group DH1; Phase 2: Active Protocol ESP, Encryption Algorithm DES, Authentication Algorithm, SA Life Time (Seconds), Encapsulation Tunnel, Perfect Forward Secrecy (PFS) NONE] Support Tool. 1. Using the ZyXEL ISDN D-Channel Analyzer (EPA). Introduction: an ISDN call connection failure can be diagnosed by using the ISDN embedded protocol analyzer (EPA) of the P-202H Plus v2. The cause code in the EPA log can also help us to diagnose the disconnection of an ISDN call. Using the EPA Analyzer: you must connect the P-202H Plus v2 to a terminal program via the serial port to capture the EPA; the EPA will not operate over Telnet. The steps for enabling the EPA are as follows: 1. Enter SMT Menu 11 and note which node (N) you will be dialing. 2. Enter SMT Menu 24.8. 3. Enable the EPA capture
129. (tail of the previous frame's raw data) D 06 AC 8C C0 1F 07 82 C0 A8
    0020: 01 02 00 50 04 5C 4A D1 B5 7F 00 BD 15 A8 60 12
    0030: FA F0 F8 77 00 00 02 04 05 B4
    <0002> LAN Frame: ENET0-RECV Size: 60/60 Time: 12090.210 sec
    Frame Type: TCP 192.168.1.2:1116 -> 192.31.7.130:80
    Ethernet Header: Destination MAC Addr 00A0C5921311, Source MAC Addr 0080C84CEA63, Network Type 0x0800 (TCP/IP)
    IP Header: IP Version 4, Header Length 20, Type of Service 0x00 (0), Total Length 0x0028 (40), Identification 0x350B (13579), Flags 0x02, Fragment Offset 0x00, Time to Live 0x80 (128), Protocol 0x06 (TCP), Header Checksum 0x3C79 (15481), Source IP 0xC0A80102 (192.168.1.2), Destination IP 0xC01F0782 (192.31.7.130)
    TCP Header: Source Port 0x045C (1116), Destination Port 0x0050 (80), Sequence Number 0x00BD15A8 (12391848), Ack Number 0x4AD1B580 (1255257472), Header Length 20, Flags 0x10 (A), Window Size 0x2238 (8760), Checksum 0xE8ED (59629), Urgent Ptr 0x0000 (0)
    TCP Data: Length 6, Captured 6
    0000: 20 20 20 20 20 20
    RAW DATA:
    0000: 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00
    0010: 00 28 35 0B 40 00 80 06 3C 79 C0 A8 01 02 C0 1F
    0020: 07 82 04 5C 00 50 00 BD 15 A8 4A D1 B5 80 50 10
130. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission. Please note that any configuration in IKE Setup must match the settings configured in SSH.
    Menu 27.1.1.1 - IKE Setup
    Phase 1
      Negotiation Mode= Main
      Pre-Shared Key= 12345678
      Encryption Algorithm= DES
      Authentication Algorithm= MD5
      SA Life Time (Seconds)= 28800
      Key Group= DH1
    Phase 2
      Active Protocol= ESP
      Encryption Algorithm= DES
      Authentication Algorithm= MD5
      SA Life Time (Seconds)= 28800
      Encapsulation= Tunnel
      Perfect Forward Secrecy (PFS)= None
    Press ENTER to Confirm or ESC to Cancel
    4. Configure NAT for internal servers. Some tips for this application: generally, without IPSec, to configure an internal server for outside access we need to configure the server's private IP and its service port in the SUA/NAT Server Table. The NAT router then forwards incoming connections to the internal server according to the service port and private IP entered in the SUA/NAT Server Table. However, if both NAT and IPSec are enabled in the P-202H Plus v2, editing the table is necessary only if the connection is a non-secure connection. For secure connections no SUA server settings are required, since the private IP is reachable in the VPN case. Remember IPSe
131. Packet 15. Clear IPSec Log (y/n)? Note: the Log column in the current 3.50(WA.0) firmware only shows the IKE state flow. Future firmware will enhance it to show packet information such as protocol type and port number. Secure Gateway to PC (SoftPK VPN to P-202H Plus v2 Tunneling): 1. Setup SoftPK VPN; 2. Setup P-202H Plus v2 VPN. This page guides you through setting up a VPN connection between the VPN software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the VPN software and the P-202H Plus v2 router. As shown in the figure below, the tunnel between PC 1 and the P-202H Plus v2 ensures that the packets flowing between them are secure, because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for the software and the P-202H Plus v2 are explained in the following sections. [Figure: IPSec tunnel between the Prestige and SafeNet SoftPK] The IP addresses we use in this example are as shown below: LAN 202.132.171.1 and 202.132.155.33; WAN 202.132.170.1 and 202.132.171.33. 1. Setup SoftPK VPN: 1. Open the SoftPK Security Policy Editor. 2. Add a new connection named P-202H Plus v2 as shown below. 3. Set Connection Security to Secure. [SafeNet/SoftPK Security Policy Editor screenshot: File, Edit, Option
132. [Web configurator VPN IKE IPSec Setup screenshot: Active; Keep Alive; Name Prestige; IPSec Key Mode IKE; Negotiation Mode Main; Local Address Type Single, IP Address Start <PC1 IP>, Subnet Mask 0.0.0.0; Remote Address Type Single, IP Address Start <PC2 IP>, Subnet Mask 0.0.0.0; Local ID Type IP, Content 0.0.0.0; My IP Address <A WAN IP>; Peer ID Type IP, Content 0.0.0.0; Secure Gateway IP Address <B WAN IP>; Encapsulation Mode Tunnel; VPN Protocol ESP; Pre-shared Key 12345678; Encryption Algorithm DES; Authentication Algorithm MD5; Back, Apply, Cancel, Delete] 2. Setup WatchGuard: 1. In the QuickSetup Wizard select Configure in Routed Mode and click Next. 2. Enter the IP of PC2 and click OK. 3. In External Interface enter the WAN IP for the WatchGuard, and in Trusted Interface enter the LAN IP for the WatchGuard. Then click Next. 4. Enter the Default Gateway of the WatchGuard, then click Next twice. 5. Enter your passwords for Status and Configuration, then click Next.
133. 3. What are the most common VPN protocols? There are currently three major tunneling protocols for VPNs: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec). 4. What is PPTP? PPTP is a tunneling protocol defined by the PPTP Forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. PPTP is already supported in Windows NT and Windows 98; Windows 95 needs the Dial-Up Networking 1.2 upgrade. 5. What is L2TP? Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet. 6. What is IPSec? IPSec is a set of IP extensions developed by the IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv4) and also the upcoming one (IPv6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP and ICMP. IPSec provides cryptographic security services that allow for authentication, integrity, access control and confidentiality. IPSec allows the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs) or just do en
134. Filter Sets= No
    Multiple Link Options:
      Max Trans Rate(Kbps)= 128
    Callback Budget Management:
      Allocated Budget(min)=
      Period(hr)=
    Press ENTER to Confirm or ESC to Cancel
    CLID Settings: CLID Authen: toggle the CLID Authen option in menu 13 to Required. Enter the user name given by the remote user for the authentication. Password: enter the password given by the remote user for the authentication. 2. Create a dial-in user profile using the CLID callback:
    Menu 14.1 - Edit Dial-in User
      User Name= test
      Active= Yes
      Password= ********
      Callback= Mandatory
      Phone # Supplied by Caller= No
      Callback Phone #= 20000
      Rem CLID= 20000
      Idle Timeout= 300
    CLID Settings: Call Back: toggle to Mandatory to turn on the callback function. Phone #: enter the phone number of the remote user for calling back. Rem CLID: enter the remote phone number in this field; it will be used for the CLID authentication. If this number does not match the one that the switch carries, the P-202H Plus v2 will drop the line due to the CLID authentication failure. 12. Using SNMP. 1. SNMP Overview: the Simple Network Management Protocol (SNMP) is an application-layer protocol used to e
135. IPIP IP-within-IP Encapsulation Protocol (JI6); MICP Mobile Internetworking Control Pro. (JI6); SCC-SP Semaphore Communications Sec. Pro. (HXH); ETHERIP Ethernet-within-IP Encapsulation (RXH1); ENCAP Encapsulation Header (RFC1241, RXB3); any private encryption scheme (IANA); GMTP GMTP (RXB5); IFMP Ipsilon Flow Management Protocol (Hinden); 102 PNNI PNNI over IP (Callon); 103 PIM Protocol Independent Multicast (Farinacci); 104 ARIS ARIS (Feldman); 105 SCPS SCPS (Durst); 106 QNX QNX (Hunter); 107 A/N Active Networks (Braden); 108 IPPCP IP Payload Compression Protocol (Doraswamy); 109 SNP Sitara Networks Protocol (Sridhar); 110 Compaq-Peer Compaq Peer Protocol (Volpe); 111 IPX-in-IP IPX in IP (Lee); 112 VRRP Virtual Router Redundancy Protocol (Hinden); 113 PGM PGM Reliable Transport Protocol (Speakman); 114 any 0-hop protocol (IANA); 115 L2TP Layer Two Tunneling Protocol (Aboba); 116-254 Unassigned (IANA); 255 Reserved (IANA).
    5. System Error Code. The system error codes can be displayed by using the CI command sys log disp i. For example:
    ras> sys log disp i
    62 112 PPOa INTL call failed rno 5 76de0 code 3022
    Main Error Codes: 3000 remote node is connecting; 3001 configured incoming call only; 3002 outgoing call f
    (further codes listed on the page: 3003, 3004, 3005, 3006, 3007, 3020, 3022, 3023, 3024, 3025, 3026)
136. The IP addresses we use in this example are as shown below: LAN 192.168.1.1 and 172.21.1.232; WAN 172.21.1.252 and 192.168.1.33. 1. Setup WIN2K VPN. Create a custom MMC console: 1. From the Windows desktop click Start, click Run, and in the Open text box type MMC. Click OK. [Run dialog: Type the name of a program, folder, document or Internet resource and Windows will open it for you; Open; OK, Cancel, Browse] 2. On the Console window click Add/Remove Snap-in. [Console window: Console menu with New, Open, Save, Add/Remove Snap-in, Options, recent files, Exit] 3. In the Add/Remove Snap-in dialog box click Add. [Add/Remove Snap-in dialog: Standalone, Extensions; use this page to add or remove a standalone snap-in from the console; Snap-ins added to; Description; Add, Remove, About; OK, Cancel] 4. In the Add Standalone Snap-in dialog box click Computer Management and then click Add. [Add Standalone Snap-in dialog: Available Standalone Snap-ins: ActiveX Control, Certificates (Microsoft Corporati
137. [Web configurator VPN IKE IPSec Setup screenshot: Active; Keep Alive; Name to_Linux; IPSec Key Mode IKE; Negotiation Mode Main; Local Address Type Subnet, IP Address Start 192.168.0.0, Subnet Mask 255.255.255.0; Remote Address Type Subnet, IP Address Start 192.168.10.0, Subnet Mask 255.255.255.0; Local ID Type IP; My IP Address; Peer ID Type IP; Secure Gateway IP Address; Encapsulation Mode; VPN Protocol ESP; Pre-Shared Key 12345678; Encryption Algorithm 3DES; Authentication Algorithm SHA1; Back, Apply, Cancel, Delete] You can click the Advanced button to check the IPSec Phase 1 and Phase 2 parameters. Please note that Linux FreeS/WAN only supports 3DES as the encryption algorithm and DH2 or higher as the key exchange group. [Web configurator VPN IKE Advanced Setup screenshot: Enable Replay Detection; Local Start Port/End; Remote Start Port/End; Phase 1: Negotiation Mode Main, Pre-Shared Key 12345678, Encryption Algorithm 3DES, Authentication Algorithm MD5, SA Life Time (Seconds) 28800, Key Group DH; Phase 2: Active Protocol ESP, Encryption Algorithm
138. [Web configurator VPN IKE IPSec Setup screenshot: Active; Keep Alive; Name to_Branch_A; IPSec Key Mode IKE; Negotiation Mode Main; Local Address Type Range, IP Address Start 192.168.1.0, End 192.168.1.255; Remote Address Type Range, IP Address Start 192.168.3.0, End 192.168.3.255; Local ID Type IP, Content 0.0.0.0; My IP Address 202.2.1.1; Peer ID Type IP, Content 0.0.0.0; Secure Gateway IP Address 202.3.1.1; Encapsulation Mode Tunnel; VPN Protocol ESP; Pre-Shared Key; Encryption Algorithm DES; Authentication Algorithm SHA1; Advanced; Back, Apply, Cancel, Delete] [Web configurator VPN IKE Advanced Setup screenshot: Enable Replay Detection No; Local Start Port/End; Remote Start Port/End; Phase 1: Negotiation Mode Main, Pre-Shared Key, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds), Key Group DH1; Pha
139. SA Life Time (Seconds)= 3608
      Encapsulation= Tunnel
      Perfect Forward Secrecy (PFS)= None
    Press ENTER to Confirm or ESC to Cancel. Press Space Bar to Toggle.
    2. Setup P-202H Plus v2 B. P-202H Plus v2 B is configured in the same way as P-202H Plus v2 A. 1. Using a web browser, log in to the P-202H Plus v2 by giving its LAN IP address in the URL field. 2. Click Advanced and click the VPN tab on the left. 3. On the SUMMARY menu, select a policy to edit by clicking Edit. 4. On the CONFIGURE IKE menu, check the Active check box and give this policy a name. 5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as configured in P-202H Plus v2 A. 6. Source IP Address Start and Source IP Address End are the PC 2 IP in this example (the secure host behind P-202H Plus v2 B). 7. Destination IP Address Start and Destination IP Address End are the PC 1 IP in this example (the secure remote host). Note: you may assign a range of Local/Remote IP addresses for multiple VPN sessions. 8. My IP Addr is the WAN IP of P-202H Plus v2 B. 9. Secure Gateway IP Addr is the remote secure gateway IP, that is the P-202H Plus v2 A WAN IP in this example. 10. Set Encapsulation Mode to Tunnel. 11. Check the ESP check box; AH cannot be used in the SUA/NAT case. 12. Set Encryption Algorithm to DES and Authenticatio
140. Menu 15 - NAT Setup: 1. Address Mapping Sets; 2. NAT Server Sets; 3. Address Mapping Sets and NAT Server Sets. Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to LAN clients. Each remote node must specify which NAT Address Mapping Set to use. The P312 has one remote node and so allows you to configure only one NAT Address Mapping Set. You can see two NAT Address Mapping sets in Menu 15.1; you can only configure Set 1, and Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT uses Set 1; when you select SUA Only, the SMT uses Set 255. The P100IH has 8 remote nodes and so allows you to configure 8 NAT Address Mapping Sets. The NAT Server Set is a list of LAN-side servers mapped to external ports. To use this set (one set for the P312), a server rule must be set up inside the NAT Address Mapping set. Please see NAT Server Sets for further information on these menus. Enter 1 to bring up Menu 15.1 - Address Mapping Sets.
    Menu 15.1 - Address Mapping Sets
      1. 2. 3. 4. 5. 6. 7. 8. 255. SUA (Read Only)
    Enter Set Number to Edit:
    Let's first look at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers; the fields in this menu cannot be changed. Entering 255 brings up this screen:
    Menu 15.1.255 - Address Mapping Rules
    Set
141. [Edit Rule Properties dialog: Move up, Move down; Allow unsecured communication with non-IPSec-aware computer; Session key Perfect Forward Secrecy; OK, Cancel] 6. Click Add and select Custom (for expert users) if you want to define specific algorithms and session key lifetimes. Make sure the settings match what we will configure in the P-202H Plus v2 later. [New Security Method dialog: Security Method: High (ESP), data will be encrypted, authentic and unmodified; Medium (AH), data will be authentic and unmodified but will not be encrypted; Custom (for expert users), Settings; OK, Cancel, Apply] [Custom Security Method Settings dialog] 7. Click OK. On the General tab, give a name to the filter action, for example WIN2K to P-202H Plus v2, and click OK. [New Filter Action Properties dialog: WIN2K to ZyWALL] 8. Select the filter action you just created. [New Rule Properties dialog: Authentication Methods, Tunnel Setting, Connection Type, IP Filter List, Filter Action. The selected filter action specifies whether this rule negotiates for secure network traffic and how it will secure the traffic. Filter Actions
142. [Web configurator VPN IKE Advanced Setup screenshot: Local Start Port 0, End; Remote Start Port, End; Phase 1: Negotiation Mode Main, Pre-Shared Key, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds), Key Group DH1; Phase 2: Active Protocol ESP, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds), Encapsulation Tunnel, Perfect Forward Secrecy (PFS) NONE; Apply, Cancel] If you use SMT management, the VPN configurations are as shown below.
    Menu 27.1.1 - IPSec Setup
      Index #= 1
      Name= to_sentinel
      Active= Yes
      Keep Alive= Yes
      Local ID type= IP    Content=
      My IP Addr= 6.0.0.0
      Peer ID type= IP    Content=
      Secure Gateway Addr= 4.4.4.4
      Protocol=
      Local:  Addr Type= SUBNET
              IP Addr Start= 192.168.1.0    End/Subnet Mask= 255.255.255.0
              Port Start=    End= N/A
      Remote: Addr Type= N/A
              IP Addr Start= N/A    End/Subnet Mask= N/A
              Port Start= N/A    End= N/A
      Enable Replay Detection= No
      Key Management= IKE
      Edit Key Management Setup= No
    Press ENTER to Confirm or ESC to Cancel
    1. Edit the IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing Enter. 2. There are two phases in IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose
143. [Web configurator VPN IKE IPSec Setup screenshot: Active; Keep Alive; Name PrestigeA; IPSec Key Mode IKE; Negotiation Mode Main; Local Address Type Single, IP Address Start <PC1 IP>, Subnet Mask 0.0.0.0; Remote Address Type Single, IP Address Start <PC2 IP>, Subnet Mask 0.0.0.0; Local ID Type IP, Content 0.0.0.0; My IP Address <A WAN IP>; Peer ID Type IP, Content 0.0.0.0; Secure Gateway IP Address <B WAN IP>; Encapsulation Mode Tunnel; VPN Protocol ESP; Pre-Shared Key 12345678; Encryption Algorithm DES; Authentication Algorithm MD5; Advanced; Back, Apply, Cancel, Delete] If you use SMT management, the VPN configurations are as shown below.
    Menu 27.1.1 - IPSec Setup
      Index #= 1
      Name= PrestigeA
      Active= Yes
      Keep Alive= No
      Local ID type= IP    Content= 4.4.4.4
      My IP Addr= 202.132.154.1
      Peer ID type= IP    Content= 4.4.4.4
      Secure Gateway Addr= 168.16.16.66
      Protocol= 0
      Local:  Addr Type= SINGLE
              IP Addr Start= 192.168.1.33    End/Subnet Mask= N/A
              Port Start=    End= N/A
      Remote: Addr Type= SINGLE
              IP Addr Start= 192.168.2.33    End/Subnet Mask= N/A
              Port Start=    End= N/A
      Enable Replay Detection= No
      Key Management= IKE
      Edit Key Management Setup= No
    Press ENTER to Confi
144. [New Filter Action dialog: WIN2K to ZyWALL; Add, Edit, Remove; Use add wizard] 9. On the Authentication Methods tab, click Add to select the Use this string to protect the key exchange (pre-shared key) option, and enter the string 12345678 in the text box. [New Authentication Method Properties dialog: Authentication Method; the authentication method specifies how trust is established between the computers; Windows 2000 default (Kerberos V5 protocol); Use a certificate from this certificate authority (CA), Browse; Use this string to protect the key exchange (preshared key): 12345678] 10. Click OK. [Edit Rule Properties dialog: IP Filter List; Kerberos; Move down] See the finished screen shot. [WIN2K to ZyWALL Properties dialog: Dynamic, Default Response, Kerberos; Cancel] Configure a Rule for the PC 2 to PC 1 tunnel: 1. In the IPSec policy properties, click Add to create a new rule. [WIN2K to ZyWALL Tunnel Properties dialog: Rules, General; IP Security Rules: IP Filter List, Filter Action, Authentication; WIN2K to ZyWALL, Kerberos, Preshared; Dynamic, Default Response, Kerberos; Add, Edit, Remove; Use Add Wizard]
145. Protocol= None
      Client IP Pool Starting Address= N/A
      Size of Client IP Pool= N/A
      Primary DNS Server= N/A
      Secondary DNS Server= N/A
    TCP/IP Setup:
      IP Address= 202.113.5.1
      IP Subnet Mask= 255.255.255.0
      RIP Direction= Both
        Version= RIP-2B
      Edit IP Alias= No
    2. Remote Node Setup in SMT Menu 11.
    Menu 11.1 - Remote Node Profile
      Rem Node Name= LAN2                 Edit PPP Options= No
      Active= Yes                         Rem IP Addr= 203.66.113.1
      Call Direction= Outgoing            Edit IP= No
      Incoming:                           Telco Option:
        Rem Login=                          Transfer Type= 64K
        Rem Password=                       Allocated Budget(min)=
        Rem CLID= N/A                       Period(hr)=
        Call Back= N/A                      Schedules=
      Outgoing:                             Carrier Access Code=
        My Login= test                    Nailed-Up Connection= No
        My Password=                      Toll Period(sec)= 0
        Authen= CHAP/PAP                  Session Options:
        Pri Phone #= 5007025                Edit Filter Sets= No
        Sec Phone #=                        Idle Timeout(sec)= 100
    Press ENTER to Confirm or ESC to Cancel
    Key Settings: set the Active field to Yes; set the Call Direction to Outgoing; enter the correct node account in the My Login and My Password fields; enter the phone number of the remote router in the Pri Phone # field; enter the IP address of the remote router in the Rem IP Addr field; enter the idle timer in the Idle Timeout field for dropping the call if there is no data traffic between the two remote nodes. P-202H Plus v2 (2) Setup: 1. Ethern
146. P 202H Plus v2 Support Notes
2. Press OK to ignore the Username prompt ("Enter user name").
3. To upload the firmware file, we transfer the local "ras" file to overwrite the remote "ras" file. To upload the configuration file, we transfer the local "rom-0" to overwrite the remote "rom-0" file.
(Screen shot: CuteFTP 2.3 FTP session to the Prestige, showing the local "ras" and "rom-0" files and the remote "ras" and "rom-0" files with size, date and time columns, and the transfer progress.)
4. The P 202H Plus v2 reboots automatically after the uploading is finished.
CI Command List
CI has the following command syntax:
command <iface|device> subcommand param
command subcommand param
command help
command subcommand help
General user interface:
1. Shows the following commands and all major sub-commands.
2. exit: Exit subcommand.
To get the latest CI Command list: the latest CI Command list is available in the release note of every ZyXEL firmware release. Please go to the ZyXEL public web site, http://www.zyxel.com/support/download_index.php, to download the firmware package (zip); you should unzip the package to g
147. P 202H Plus v2 Support Notes
3 Authentication Protocol
4 Quality Protocol
5 Magic Number
6 DEPRECATED (Quality Protocol)
7 Protocol Field Compression
8 Address and Control Field Compression
9 FCS Alternatives (RFC1570)
10 Self-Describing Pad (RFC1570)
11 Numbered Mode (RFC1663)
12 DEPRECATED (Multi-Link Procedure)
13 Callback (RFC1570)
14 DEPRECATED (Connect Time)
15 DEPRECATED (Compound Frames)
16 DEPRECATED (Nominal Data Encapsulation)
17 Multilink MRRU (RFC1717)
18 Multilink Short Sequence Number Header (RFC1717)
19 Multilink Endpoint Discriminator (RFC1717)
20 Proprietary (KEN)
21 DCE Identifier (SCHNEIDER)
22 Multi-Link-Plus Procedure (Smith)
23 Link Discriminator for BACP (RFC2125)
24 LCP Authentication Option (Culbert)
25 Consistent Overhead Byte Stuffing (COBS) (Carlson)
26 Prefix elision (Bormann)
27 Multilink header format (Bormann)
IPV6CP CONFIGURATION OPTIONS
IPV6CP Configuration Options allow negotiation of desirable IPv6 parameters. IPV6CP uses the same Configuration Option format defined for LCP, with a separate set of Options. If a Configuration Option is not included in a Configure-Request packet, the default value for that Configuration Option is assumed.
1 Interface Token (RFC2023)
2 IPv6 Compression Protocol (RFC2023)
PPP ECP CONFIGURATION OPTION TYPES
A one-octet field is used in the Encryption Control Protocol (ECP) to indicate the configuration option type (RFC1968). ECP O
148. P Addr: 172.21.1.232; Protocol: 0
Local: IP Addr Start: 192.168.1.33; End: 192.168.1.33; Port Start: 0; End: N/A
Remote: IP Addr Start: 172.21.1.232; End: 172.21.1.232; Port Start: 0; End: N/A
Enable Replay Detection: No
Key Management: IKE; Edit IKE Setup: Yes; Edit Manual Setup: N/A
Press ENTER to Confirm or ESC to Cancel
1. Edit the IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing Enter.
2. There are two phases for IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission. Please note that any configuration in IKE Setup should match the settings configured in WIN2K.
Menu 27.1.1.1 - IKE Setup
Phase 1: Negotiation Mode: Main; Pre-Shared Key: 12345678; Encryption Algorithm: DES; Authentication Algorithm: MD5; SA Life Time (Seconds): 3600; Key Group: DH1
Phase 2: Active Protocol: ESP; Encryption Algorithm: DES; Authentication Algorithm: MD5; SA Life Time (Seconds): 3600; Encapsulation: Tunnel; Perfect Forward Secrecy (PFS): None
Press ENTER to Confirm or ESC to Cancel
Soft-PK VPN to P 202H Plus v2 Tunneling
This page guides us to set up a VPN connection between the VPN software and the P 202H Plus v2 router. There will be several devices we need to set up for t
149. Plus v2 will program the upgraded firmware into FLASH ROM and reboot itself.
o To download the firmware, please get the remote file "ras" from the P 202H Plus v2.
An example:
(Screen shot: TFTP32; Host: 192.168.1.1; Port: 69; Block Size: 512; Local File: prestige.bin; Remote File: ras; Binary mode; Send / Fetch.)
The 192.168.1.1 is the IP address of the P 202H Plus v2. The local file is the source file of the ZyNOS firmware that is available on your hard disk. The remote file is the file name that will be saved in the P 202H Plus v2. Check the port number 69 and 512-octet blocks for TFTP. Check Binary mode for file transferring.
Using TFTP to upload/download SMT configurations via LAN
o TELNET to your P 202H Plus v2 first before running the TFTP software.
o Type the CI command "sys stdio 0" to disable the console idle timeout in Menu 24.8, and stay in Menu 24.8.
o Run the TFTP client software.
o To download the SMT configuration, please get the remote file "rom-0" from the P 202H Plus v2.
o To upload the SMT configuration, please save the remote file as "rom-0" in the P 202H Plus v2.
An example:
(Screen shot: TFTP32; Host: 192.168.1.1; Port: 69; Timeout; Send timeout to Server
150. Plus v2 Support Notes
IPSec Related FAQ
IPSec FAQ
VPN Overview
1. What is VPN?
A VPN gives users a secure link to access the corporate network over the Internet or other public or private networks without the expense of leased lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
2. Why do I need VPN?
There are some reasons to use a VPN. The most common reasons are security and cost.
Security
1. Authentication: with authentication, the VPN receiver can verify the source of packets and guarantee the data integrity.
2. Encryption: with encryption, VPN guarantees the confidentiality of the original user data.
Cost
1. Cut long-distance phone charges: because users typically dial their local ISP for VPN, the long-distance phone charge is lower than that of a long direct connection to the remote office.
2. Reducing the number of access lines: many companies pay monthly charges for two types of access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines.
151. (Screen shot: Remove, Properties, Diagnostics, Description; OK, Cancel, Apply.)
15. Initiate the VPN connection from Sentinel by selecting your VPN connection from the Select VPN item.
Note:
A. When building a VPN between Sentinel and the P 202H Plus v2, the tunnel can't be initiated from the P 202H Plus v2 side. Please always initiate the tunnel from Sentinel.
B. The VPN tunnel on Sentinel can't be initiated by triggering packets such as ping, ftp, telnet, HTTP, etc. You can only initiate the VPN tunnel by choosing Select VPN from the SSH Sentinel tray.
(Screen shot: SSH Sentinel tray menu: View Statistics; Run Policy Editor; Auditing; User Key Agent; Select Active Policy; Select VPN (zywall.dyndns.org / ZyWALL); Start Policy Manager; Stop Policy Manager; Help; SSH Sentinel Online Support; About; Hide Tray.)
NOTE: Please check your P 202H Plus v2's release note if your current firmware version doesn't support Mega Bytes as SA lifetime. You have to zero your Mega Bytes setting in SA life time. Switch to Security Policy; the configuration page is in <Your VPN connection> Properties, Advanced tab, Settings, Security Association Lifetimes.
(Screen shot: Security Association Lifetimes. The settings affect this connection rule only. IKE security association: Lifetime in minutes: 240 min; Lifetime in meg
152. Rule Active: Yes; Destination IP Addr: a.b.c.d; Destination IP Mask: w.x.y.z; Action Matched: Drop; Action Not Matched: Forward
Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.
16. What is DNS proxy?
If enabled, DNS Proxy allows the P 202H Plus v2 to act as the DNS server for the local network. The P 202H Plus v2 gets the IP address of the actual DNS server from the remote site via IPCP negotiation. Note: this feature only works if the remote site supports RFC 1877.
How do I turn on DNS Proxy?
DNS Proxy is enabled only if the selection of the DHCP field under DHCP Setup in Menu 3.2 is Server and the Primary DNS Server is set to 0.0.0.0 (this is the factory default). If the DNS Proxy is enabled, the P 202H Plus v2 will assign its IP address as the Primary DNS in the responses to DHCP requests on the local network.
How do I set a DNS other than the P 202H Plus v2 IP address?
The P 202H Plus v2 assigns the values entered in the Primary DNS Server and Secondary DNS Server fields in Menu 3.2 to the responses to the DHCP requests on the local network if the DHCP Server function is enabled.
17. What is a Nailed-up Connection and when do I need to use it?
A Nailed-up Connection, when enabled, emulates a leased-line connection even though the physical line is a dial-up connection. The P 202H Plus v2 dials and holds u
153. Sec Phone: N/A; Idle Timeout (sec): 100
Press ENTER to Confirm or ESC to Cancel
o Set the Transfer Type to Leased for the ISDN leased line connection.
8. Supplemental Service
The P 202H Plus v2 supports the following supplementary phone features on both of its POTS ports:
1. Call Waiting
2. Three-Way Calling
o Call Transfer
o Call Forwarding
o Reminder Ring
o Terminal Portability (Suspend/Resume)
o MSN/subaddress
Most supplementary services are not free; please check with your telephone company for the services they offer.
How do I do call waiting / call hold / call retrieve?
o Put your current call on hold and answer the incoming call: after hearing the call waiting tone, press and immediately release the Flash button on your telephone.
o Put your current call on hold and switch to another call: press and immediately release the Flash button on your telephone.
o Hang up your current call before answering the incoming call: hang up the phone and wait, then answer the incoming call.
o Hang up the current active call and switch back to the other call: hang up and wait for the phone to ring, then pick up the phone to return to the other call.
Why doesn't call waiting work as expected?
An incoming caller will receive a busy signal if:
o You have two calls active (one active and one on hold, or both active by using
154. (Screen shot: Soft-PK Security Policy editor for "ZyWALL": My Identity; Security Policy; Authentication (Phase 1); Key Exchange (Phase 2); Compression: None; Encapsulation Protocol: ESP; Encrypt Alg; Hash Alg; SA life in Seconds; Authentication Protocol: AH; Encapsulation: Tunnel.)
2. Setup P 202H Plus v2 VPN
1. Using a web browser, log in to the P 202H Plus v2 by giving the LAN IP address of the P 202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1 and the default password to log in to the web configurator is 1234.
2. Click Advanced and click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE - IKE menu, check the Active check box and give a name to this policy.
5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in Soft-PK.
6. Source IP Address Start and Source IP Address End are PC 2's IP in this example (the secure host behind the P 202H Plus v2).
7. Destination IP Address Start and Destination IP Address End are PC 1 in this example (the secure remote host). Note: you may assign a range of Source/Destination IP addresses for multiple VPN sessions.
8. My IP Addr
155. Select Encapsulation Mode to Tunnel.
11. Check the ESP check box (AH cannot be used in the SUA/NAT case).
12. Select Encryption Algorithm to DES and Authentication Algorithm to MD5.
13. Enter the key string 12345678 in the Pre-shared Key text box and click Apply.
14. Press the Advanced button to set the IKE phase 1 and phase 2 parameters.
See the VPN rule screen shot.
(Screen shot: VPN rule: Active; Name: to_ssh; IPSec Key Mode: IKE; Negotiation Mode: Main; Local Address Type: Subnet Address, Start Address 192.168.1.0, End Address 255.255.255.0; Remote Address Type: Range Address, Start Address 0.0.0.0, End Address 0.0.0.0; My IP Address: 0.0.0.0; Secure Gateway IP Address: 0.0.0.0; Encapsulation Mode: Tunnel; Security Protocol: VPN Protocol ESP, Pre-Shared Key, Encryption Algorithm DES, Authentication Algorithm MD5; Advanced: Set IKE Phase 1 and Phase 2 parameters.)
(Screen shot: VPN - IKE Advanced Setup; VPN - IKE Protocol; Advanced Setup; Enable Replay Detection
156. Supports Aggressive Mode; Supports Subnets.
Edit the pre-shared key by selecting Pre-Shared Secret in Authentication Method. Choose Pre-Shared Secret, then press Edit Secrets, select SOHO_TEST as the peer and input the pre-shared key.
(Screen shot: Shared Secret / Shared Secrets List: SOHO_TEST; Enter secret.)
Define VPN policy
Create a new rule at or near the top of the policy. This rule should include both encryption domains as both source and destination, and the action should be Encrypt, as shown below.
(Screen shot: Check Point Policy Editor on 172.30.254.254, Security Policy rule base with Source, Destination, Service, Action, Track and Install On columns; actions Client Encrypt, Encrypt and accept; Track Long; Install On atlantica; objects VPN_Users, atlantica, SOHO_TEST, Soho_192_168_99, net_internal_16_16, eSafe, int_esafe; services IPSEC, telnet, ftp; Excha
157. (Screen shot: VPN - IKE; IPSec Setup: Active; Keep Alive; Name: Prestige; IPSec Key Mode: IKE; Negotiation Mode: Main; Local: Local Address Type Single, IP Address Start PC2 IP, End/Subnet Mask 0.0.0.0; Remote: Remote Address Type Single, IP Address Start PC1 IP, End/Subnet Mask 0.0.0.0; Local ID Type IP, Content 0.0.0.0; My IP Address: WAN IP; Peer ID Type IP, Content 0.0.0.0; Secure Gateway IP Address: WAN IP; Encapsulation Mode: Tunnel; Security Protocol: VPN Protocol ESP, Pre-Shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm MD5; Advanced; Back, Apply, Cancel, Delete.)
If you use SMT management, the VPN configurations are as shown below.
Menu 27.1.1 - IPSec Setup
Index: (blank); Name: Prestige; Active: Yes; Keep Alive: No
Local ID type: IP; Content: 0.0.0.0
My IP Addr: 202.132.170.1
Peer ID type: IP; Content: 0.0.0.0
Secure Gateway Addr: 202.132.155.33
Protocol: (blank)
Local Addr Type: RANGE; IP Addr Start: 202.132.171.33; End/Subnet Mask: 202.132.171.33; Port Start: (blank); End: N/A
Remote Addr Type: RANGE; IP Addr Start: 202.132.155.33; End/Subnet Mask: 202.132.155.33; Port Start: (blank); End: N/A
Enab
158. T Menu 11 and note which node (N) you will be dialing.
o Enter SMT Menu 24.8.
o Enable the PPP trace capability by:
P 202H Plus v2> sys trcl cl
P 202H Plus v2> sys trcl sw on
P 202H Plus v2> sys trcp sw on
o Manually dial to remote node N:
P 202H Plus v2> dev dial N
(N is the node number in Menu 11.) Example:
Prestige> dev dial 1
Start dialing for node <hinet>
Hit any key to continue
DIALING dev=2 ch=0
OUTGOING-CALL phone=4125678
CALL CONNECT speed<64000> type<2> chan<0>
LCP opened
PAP sending user/pswd
IPCP negotiation started
CCP stopped
o Wait for all progress messages and manually drop the call:
P 202H Plus v2> dev channel drop bri0|bri1
(bri0 for the B1 channel, bri1 for the B2 channel)
o Turn off the PPP trace by:
P 202H Plus v2> sys trcl sw off
P 202H Plus v2> sys trcp sw off
o Dump the PPP log by:
P 202H Plus v2> sys trcl disp
The trace appears on the screen as in the following example. Press the <Enter> key to dump the entire trace. Example:
P 202H Plus v2> dev chan drop bri0
P 202H Plus v2> sys trcl sw off
P 202H Plus v2> sys trcp sw off
P 202H Plus v2> sys trcl disp
87 258407 PP08 DIALING dev=2 ch=0
88 258407 PP08 OUTGOING-CALL phone=4125678
159. (Screen shot: web configurator Main Menu / Advanced Setup: Password, LAN, WAN, NAT, Firewall, VPN, Logout. VPN - IKE Advanced Setup; VPN - IKE Protocol: Enable Replay Detection: No; Local Start Port 0, End 0; Remote Start Port 0, End 0; Phase 1: Negotiation Mode Main, Pre-Shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds), Key Group DH1; Phase 2: Active Protocol ESP, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds), Encapsulation Tunnel, Perfect Forward Secrecy (PFS) NONE; Apply, Cancel.)
If you use SMT management, the VPN configurations are as shown below.
Menu 27.1.1 - IPSec Setup
Index: 1; Name: to_ssh; Active: Yes
My IP Addr: 172.21.1.252
Secure Gateway Addr: 172.21.1.232
Protocol: 0
Local Addr Type: SUBNET; IP Addr Start: 192.168.1.0; End: 255.255.255.0; Port Start: 0; End: N/A
Remote: IP Addr Start: 172.21.1.232; End: N/A; Port Start: 0; End: N/A
Enable Replay Detection: No
Key Management: IKE; Edit Key Management Setup: No
Press ENTER to Confirm or ESC to Cancel
1. Edit the IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing Enter.
2. There are two phases for IK
160. Tag Switching Unicast (Davie); Tag Switching Multicast (Davie); Cray Communications Control Protocol (Stage); CDPD Mobile Network Registration Protocol (Quick); Stacker LZS (Simpson); RefTek Protocol (Banfill); NCP (Layer Number); Not Used, reserved (RFC1661); Internet Protocol Control Protocol; OSI Network Layer Control Protocol; Xerox NS IDP Control Protocol; DECnet Phase IV Control Protocol; Appletalk Control Protocol; Novell IPX Control Protocol; reserved; reserved; Bridging NCP; Stream Protocol Control Protocol; Banyan Vines Control Protocol; reserved (till 1993); reserved; reserved; Multi-Link Control Protocol; NETBIOS Framing Control Protocol; Cisco Systems Control Protocol; Ascom Timeplex; Fujitsu LBLB Control Protocol; DCA Remote Lan Network Control Protocol (RLNCP); Serial Data Control Protocol (PPP-SDCP); SNA over 802.2 Control Protocol; SNA Control Protocol; IP6 Header Compression Control Protocol; KNX Bridging Control Protocol (ianp); Encryption Control Protocol (Meyer); Individual Link Encryption Control Protocol (Meyer); IPv6 Control Protocol (Hinden)
Protocol numbers (hex) from the adjacent column: 806i 8073 8071 807d 8081 8083 80c1 80cf 80fb 80fd 80ff 8207 8209 8235 8281 8283 c021 c023 c025 c02 c029 c02b c02d c081 c223 c225 c227 c229 c26f c281 c283 c481
Stampede Bridging Control Protocol; MP+ Control Protocol (Smith); Reserved (Fox); Not Used r
161. Three-Way Calling
o You are dialing a number on the B channel the incoming caller is attempting to reach but have not yet established a connection.
If no action is taken to answer the call (the call waiting indicator tone is ignored), the call waiting tones will disappear after about 20 seconds.
How do I do three-way calling?
o Press the Flash key to put the existing call on hold and receive a dial tone.
o Dial the third party's phone number.
o When you are ready to conference the calls together, press the Flash key again to establish a three-way conference call.
How do I remove a party from the three-way calling?
Simply press the Flash key. The last call that was added to the conference is dropped.
If you hang up your telephone during a three-way call and the two other callers remain on the line, the ISDN network will do an implicit transfer to directly connect the two remaining callers together.
How do I do call transfer?
Call Transfer allows you to transfer an active call to a third party. This service must be subscribed from your telephone company.
Transferring an active call to a third party:
o Once you have an active call (Caller A), press the Flash key to put Caller A on hold and receive a dial tone.
o Dial the third party's phone number (Caller B).
o When you are ready to conference the two calls together, press Flash
162. Tunnels and click Add.
14. Select the Gateway you had created and click OK.
15. Enter a name in the Name field for this Tunnel.
16. Click the Dynamic Security tab and select the Type, Authentication and Encryption for your SA. These settings must be consistent with the P 202H Plus v2 settings.
17. Enable the Key expiration. Then click OK twice.
(Screen shot: IPSec Configuration / Configure Tunnel: Identity, Dynamic Security, Gateways, Logging tabs; ESP, MD5-HMAC, DES-CBC; key expiration every N kilobytes / every N hours; OK, Cancel, Help; Move Up, Move Down, Edit, Remove.)
18. Click Add in the main menu to add a Routing Policy.
19. In Local Host enter the PC1 IP; in Remote Host enter the PC2 IP; then select "secure" in Disposition and the Tunnel you had created. Then click OK twice.
(Screen shot: IPSec Configuration / IPSec Routing Policies: Local Addresses, Remote Addresses, Tunnel; Add Routing Policy: Local Host (IP of PC1), Remote Host (IP of PC2), Disposition: secure, Tunnel; Move Up, Move Down, Add, Edit, Remove; OK, Cancel, Help.)
163. Type field, which identifies the MAC encapsulated. These Types are assigned as follows:
Type  MAC
0  Reserved
1  IEEE 802.3/Ethernet with canonical addresses
2  IEEE 802.4 with canonical addresses
3  IEEE 802.5 with non-canonical addresses
4  FDDI with non-canonical addresses
5-10  reserved
11  IEEE 802.5 with canonical addresses
12  FDDI with canonical addresses
PPP BRIDGING SPANNING TREE
The Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP) Spanning Tree Configuration Option contains an 8-bit Protocol field which identifies the Spanning tree used. These are assigned as follows:
Protocol  Spanning Tree
0  Null (no spanning tree protocol supported)
1  IEEE 802.1D spanning tree protocol
2  IEEE 802.1G extended spanning tree protocol
3  IBM source route spanning tree protocol
4  DEC LANbridge 100 spanning tree protocol
PPP INTERNETWORK PACKET EXCHANGE CONTROL PROTOCOL (IPXCP)
IPXCP CONFIGURATION OPTIONS
1  IPX Network Number (RFC1552)
2  IPX Node Number (RFC1552)
3  IPX Compression Protocol (RFC1552)
4  IPX Routing Protocol (RFC1552)
5  IPX Router Name (RFC1552)
6  IPX Configuration Complete (RFC1552)
IPX COMPRESSION PROTOCOL VALUES
Value  Protocol  Reference
2  Telebit Compressed IPX  (Fox)
235  Shiva Compressed NCP/IPX  (Fox)
IPX ROUTING PROTOCOL OPTIONS
Value  Protocol  Reference
No routing proto
164. selected rule, and then all the rules after the selected one will be advanced one rule. Save Set means to save the whole set; note that when you choose this action the Select Rule item will be disabled.
Select Rule: when you choose Edit, Insert Before or Save Set in the previous field, the cursor jumps to this field to allow you to select the rule to apply the action in question.
Note: Save Set in the Action field means to save the whole set. You must do this if you make any changes to the set, including deleting a rule. No changes to the set take place until this action is taken. Be careful when ordering your rules, as each rule is executed in turn beginning from the first rule.
Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1 - Address Mapping Rule, in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs displayed in Menu 15.1.1.
Menu 15.1.1.1 - Rule 1
Type: One-to-One
Local IP: Start: 0.0.0.0; End: N/A
Global IP: Start: 0.0.0.0; End: N/A
Server Mapping Set: N/A
Press ENTER to Confirm or ESC to Cancel
The following table describes the fields in this screen.
Field: Type. Option/Example: One-to-One, Many-to-One, Many-to-Many. Description: Press SPACEBAR to toggle through a total of 5 types. These are the mapping types discussed above plus a server type. Some examples follow to clarify these a littl
165. ZyXEL P 202H Plus v2 Support Notes
P 202H Plus v2 ISDN Internet Access Router Support Notes
Version 3.40, June 2006
ZyXEL: Unleash Networking Power
All contents copyright 2006 ZyXEL Communications Corporation
FAQ ... 6
ZyNOS FAQ ... 6
1. ZyNOS ... 6
2. How do I access the P 202H Plus v2 SMT menu? ... 6
3. What data compression protocol does the P 202H Plus v2 support? ... 6
4. What is the default console port baud rate? Moreover, how do I change it? ... 6
5. How do I upload the ZyNOS firmware code via console? ... 6
6. How do I upgrade/backup the ZyNOS firmware by using a TFTP client program via LAN? ... 7
7. How do I upload ROMFILE via console port? ... 7
8. How do I backup/restore SMT configurations by using a TFTP client program via LAN? ... 7
9. What should I do if I forget the system password? ... 8
10. What is SUA? When should I use SUA? ... 8
11. What is the difference between NAT and SUA? ... 8
12. How many network users can the SUA support? ... 9
13. How do I capture the PPP log in my P 202H Plus v2? ... 9
14. Why do we need the input filter in menu 3.1 and
166. select the device and download the configuration to it using the Deliver Configuration Wizard. You can also configure a VPN using
(Screen shot legend: Device: Needs information, Ready for delivery, Delivered; Connection: Needs information, Has required information, Ready.)
6. Connect the network components by Ethernet from the Connections window at the bottom left. Specify the WAN and LAN IP addresses for the P 202H Plus v2 and the Cisco.
See the screen shot.
(Screen shot: Untitled - Cisco ConfigMaker v2.5.1; menus: File, Edit, View, Configuration, Management, Tools, Help; toolbar: New, Open, Save, Undo, Redo, Cut, Copy, Paste, Delete, Detect, Firewall, Deliver, Ping; Devices window: Routers: Cisco 800 Series, Cisco 1000 Series, Cisco 1600 Series, Cisco 1700 Series (Cisco 1710, Cisco 1720, Cisco 1751), Cisco 2500 Series; Tutorial: Using Cisco ConfigMaker, AutoDetect Device Wizard, Draw your Network Diagram: select a device from the Devices window and click in the Network Diagram window; to connect two devices, select a connection from the Connections window, click the first device in the Network Diagram and then click the second; a Cis
167. a connection is established:
a. Enter SMT Menu 24.8, the CI command mode.
b. Enter the "sys trcl cl" command.
c. Enter the "sys trcl sw on" command.
d. Enter the "sys trcp sw on" command.
To display the PPP log after a connection is disconnected:
a. Enter the "sys trcl sw off" command.
b. Enter the "sys trcp sw off" command.
c. Enter the "sys trcl disp" command.
14. Why do we need the input filter in menu 3.1 and the call filter in menu 11.1?
Two factory default filter sets have been optimized for the Internet connection. They are configured in menu 21 and applied to menu 3.1 and menu 11.5 to prevent NETBIOS from triggering the call. You can remove them if you do not need them.
15. How can I protect against IP spoofing attacks?
The P 202H Plus v2's filter sets provide a means to protect against IP spoofing attacks. The basic scheme is as follows.
For the incoming data filter:
o Deny packets from the outside that claim to be from the inside.
o Allow everything that is not spoofing us.
Filter rule setup:
Filter Type: TCP/IP Filter Rule; Active: Yes; Source IP Addr: a.b.c.d; Source IP Mask: w.x.y.z; Action Matched: Drop; Action Not Matched: Forward
Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.
For the outgoing data filters:
o Deny bounceback packets.
o Allow packets that originate from us.
Filter rule setup:
Filter Type: TCP/IP Filter
168. (Screen shot, continued: IPSec security association: Lifetime in minutes; Lifetime in megabytes: 0 MB; Defaults, OK, Cancel.)
Intel VPN client to P 202H Plus v2 Tunneling
This page guides us to set up a VPN connection between the Intel VPN client software and the P 202H Plus v2 router. There will be several devices we need to set up for this case; they are the Intel VPN software and the P 202H Plus v2 router. As the figure below shows, the tunnel between PC 1 (with the Intel VPN client installed) and the P 202H Plus v2 ensures that the packets flowing between them are secure, because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for the Intel VPN client and the P 202H Plus v2 are explained in the following sections. As the red pipe in the following figure shows, the tunneling endpoints are the Intel VPN client and the P 202H Plus v2.
(Figure: IPSec Tunnel between the Intel VPN client and the Prestige.)
The IP addresses we use in this example are as shown below.
(Figure labels: LAN 192.168.1.1; 172.21.1.232; WAN 172.21.1.252; 192.168.1.33.)
1. Setup Intel
1. Select Tunnels, New IPSEC Tunnel to create a VPN connection.
(Screen shot: Intel NetStructure(TM) VPN Client; menus: File, View, Tunnels, Setup, Help
169. each other, it means that the IPSec tunnel has been established successfully. If the ping fails, there are two methods to troubleshoot IPSec in the P 202H Plus v2:
o Menu 27.2 SA Monitor
Through menu 27.2 you can monitor every IPSec connection currently running in the P 202H Plus v2. The second column of each entry indicates the IPSec rule name, so if you can't see the name of your IPSec rule, it means that the SA establishment failed. Please go back to Menu 27 to check your settings.
Menu 27.2 - SA Monitor
#  Name  Encap.  IPSec Algorithm
1  P 202H Plus v2A ca24fleb6616b 7c4 732c211ae9b01a0f  Tunnel  ESP DES SHA1
Select Command: Refresh; Select Connection: N/A
Press ENTER to Confirm or ESC to Cancel
o Using the CI command "ipsec debug 1"
Please enter "ipsec debug 1" in Menu 24.8. There should be lots of detailed messages printed out to show how the negotiations take place. If the IPSec connection fails, please dump "ipsec debug 1" for our analysis. The following shows an example of the dumped messages:
P 202H Plus v2> ipsec debug 1
IPSEC debug level 1
P 202H Plus v2> catcher recv pkt numPkt<1>
get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80>
f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034 00000001 00000001 00000028 01010001 00000020 01010000 80010001
170. …address 172.21.1.252. (Screen residue of the Add VPN Connection window: Gateway IP address, Remote network, Auth­entication key (checkpoint certificate), Use legacy proposal, Diagnostics, Properties, Cancel.)

9. The Network Editor window pops up. Press New, enter P 202H Plus v2 as the Network name, 192.168.1.0 in the IP address field and 255.255.255.0 in the Subnet mask field, then click OK to go back to the Add VPN Connection window. (Screenshot: Network Editor, "Give networks and subnetworks custom names. You can later use the names when creating rules." Defined networks: ZYWALL, IP address 192.168.1.0, Subnet mask 255.255.255.0; New, Remove, OK, Cancel.)

10. Choose P 202H Plus v2 as the Authentication key, then click OK to save. (Screenshot: Gateway IP address 172.21.1.252, Remote network ZyWALL, Authentication key ZyWALL / checkpoint certificate, Diagnostics.)

11. The SSH Sentinel Policy Editor now shows a new VPN connection "172.21.1.252 (P 202H Plus v2)". Select it and press Properties. (Screenshot: SSH Sentinel Policy Editor; Security Policy and Key Management tabs; Default; Pre-IPSec Filter; VPN Connections (Add); Secured Connections; Secured Networks; Default Response; Post-IPSe…
171. …ails; configured for outgoing calls only, so the incoming call fails; packet is filtered; no interface; no channel available; call request failed; remote node is waiting for call back; call dial failed; filter groups are mixed, so the call is not allowed; received unexpected event; state timeout waiting for RADIUS authentication; RADIUS call back failed.

3028 the node is not found
3029 the node is inactive
3030 dial fail
3031 no budget
3032 RADIUS authentication fail
3033 CLID is required
3034 CLID can not be found
3035 an outgoing call has already been placed for this remote node
3036 call is blocked
3037 invalid phone number
3038 remote side is busy
3039 no carrier
3040 no dial tone
3041 remote node is not active
3042 no answer received
3043 dial timeout
3045 redial stopped
3046 redial no number
3047, 3048 remote node is not L2TP enabled or supported

3000
Message: PINI ERROR netMakeChannDial err 3000 rn_p 576de0
Meaning: the remote node is connecting already. rn_p is the remote node pointer; its value may differ between firmware versions and between remote node numbers.
Solution: ask the remote node to dial in to you; if you drop the call, you can dial out, or reboot.

3001
Message: PINI ERROR netMakeChannDial err 3001 rn_p 576de0
Meaning: the remote node's call direction is configured as incoming only.
Solution: change the call direction to outgo…
172. …all history table.
173. …all rejected
22 Number changed
27 Destination out of order
28 Invalid number format (address incomplete)
29 Facility rejected
30 Response to STATUS ENQUIRY
31 Normal, unspecified

Resource Unavailable Class
34 No circuit/channel available
38 Network out of order
41 Temporary failure
42 Switching equipment congestion
43 Access information discarded
44 Requested circuit/channel not available
47 Resource unavailable, unspecified

Service or Option not Available Class
49 Quality of service not available
50 Requested facility not subscribed
57 Bearer capability not authorized
58 Bearer capability not presently available
63 Service or option not available, unspecified

Service or Option not Implemented Class
65 Bearer capability not implemented
66 Channel type not implemented
69 Requested facility not implemented
70 Only restricted digital information bearer capability is available
79 Service or option not implemented, unspecified

Invalid Message (e.g. parameter out of range) Class
81 Invalid call reference value
82 Identified channel does not exist
83 A suspended call exists, but this call identity does not
84 Call identity in use
85 No call suspended
86 Call having the requested call identity has been cleared
88 Incompatible destination
174. …anged. The logic flow of the filter is shown in Figure 1. The sequence for a packet from LAN to WAN is:
1. LAN device and protocol input filter sets
2. WAN protocol call and output filter sets
3. If SUA is enabled, SUA converts the source IP address from 192.168.1.33 to 203.205.115.6 and the port number from 1023 to 4034
4. WAN device output and call filter sets

The sequence for a packet from WAN to LAN is:
5. WAN device input filter sets
6. If SUA is enabled, SUA converts the destination IP address from 203.205.115.6 back to 192.168.1.33 and the port number from 4034 to 1023
7. WAN protocol input filter sets
8. LAN device and protocol output filter sets

(Figure 1: Packet Logic Flow in ZyNOS. Protocol and device filter sets on the LAN side and on the WAN side, with SUA between them translating 192.168.1.33:1023 to 203.205.115.6:4034.)

Note what this order implies: WAN protocol filters see the packet with its private address (before SUA on the way out, after SUA on the way in), while WAN device filters see the translated public address. A rule that is meant to match a LAN client's own address therefore belongs in a protocol filter set or on the LAN side.

Generic, TCP/IP and IPX filter rules belong in different filter sets. The SMT detects and prevents the mixing of rules of different categories within one filter set in Menu 21. In the following example you receive the error message "Protocol and device filter rules cannot be active together" if you try to activate a TCP/IP or IPX filter rule in a filter set that already has one or more active Generic filter rules. You w…
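The evaluation order above decides whether a rule ever sees the address it was written for. The simulation below is an added example (not ZyXEL code) that applies filter sets in the eight documented steps with SUA in between; the filter sets, the SUA mapping from the figure and the remote host 203.203.115.6 are constructed, and the call filter is modelled as the text describes it elsewhere on this page: it only prevents a packet from triggering a dial-up.

```python
"""Simulate the ZyNOS filter evaluation order shown in Figure 1.

Added example, not ZyXEL code. The SUA mapping (192.168.1.33:1023 to
203.205.115.6:4034), the filter sets, the remote host 203.203.115.6 and the
packets are constructed to match the figure. A rule matches when every
field it names equals the packet's value; the first matching rule decides.
"""
PROTOCOL, DEVICE = "protocol", "device"        # TCP/IP rule vs. generic rule

SUA_OUT = {("192.168.1.33", 1023): ("203.205.115.6", 4034)}
SUA_IN = {public: private for private, public in SUA_OUT.items()}

OUTBOUND = {"src": "192.168.1.33", "sport": 1023, "dst": "203.203.115.6", "dport": 80}
INBOUND = {"src": "203.203.115.6", "sport": 80, "dst": "203.205.115.6", "dport": 4034}


def rule(kind, action, **fields):
    return {"kind": kind, "action": action, "match": fields}


def filter_set(*rules):
    """Menu 21 refuses a set that mixes generic and TCP/IP rules."""
    if len({r["kind"] for r in rules}) > 1:
        raise ValueError("Protocol and device filter rules cannot be active together")
    return list(rules)


def verdict(sets, pkt):
    """Action of the first matching rule across the given sets, or None."""
    for fset in sets:
        for r in fset:
            if all(pkt.get(k) == v for k, v in r["match"].items()):
                return r["action"]
    return None


def empty_config():
    slots = ("lan_in", "wan_proto_call", "wan_proto_out", "wan_dev_out",
             "wan_dev_call", "wan_dev_in", "wan_proto_in", "lan_out")
    return {s: [] for s in slots}


def lan_to_wan(pkt, cfg, link_up=True):
    """Steps 1-4. A call filter only decides whether a packet may trigger a
    dial-up, so it is consulted only while the WAN link is down."""
    pkt = dict(pkt)
    if verdict(cfg["lan_in"], pkt) == "drop":
        return "drop", "1: LAN input", pkt
    if verdict(cfg["wan_proto_out"], pkt) == "drop":
        return "drop", "2: WAN protocol output", pkt
    if not link_up and verdict(cfg["wan_proto_call"], pkt) == "drop":
        return "no-call", "2: WAN protocol call", pkt
    key = (pkt["src"], pkt["sport"])               # step 3: SUA rewrites the source
    if key in SUA_OUT:
        pkt["src"], pkt["sport"] = SUA_OUT[key]
    if verdict(cfg["wan_dev_out"], pkt) == "drop":
        return "drop", "4: WAN device output", pkt
    if not link_up and verdict(cfg["wan_dev_call"], pkt) == "drop":
        return "no-call", "4: WAN device call", pkt
    return "forward", "sent", pkt


def wan_to_lan(pkt, cfg):
    """Steps 5-8: WAN device sets, SUA, WAN protocol sets, LAN sets."""
    pkt = dict(pkt)
    if verdict(cfg["wan_dev_in"], pkt) == "drop":
        return "drop", "5: WAN device input", pkt
    key = (pkt["dst"], pkt["dport"])               # step 6: SUA restores the destination
    if key in SUA_IN:
        pkt["dst"], pkt["dport"] = SUA_IN[key]
    if verdict(cfg["wan_proto_in"], pkt) == "drop":
        return "drop", "7: WAN protocol input", pkt
    if verdict(cfg["lan_out"], pkt) == "drop":
        return "drop", "8: LAN output", pkt
    return "forward", "delivered", pkt


def demo():
    """Where a 'block 192.168.1.33' rule takes effect depends on its slot."""
    out = {}
    cfg = empty_config()
    cfg["wan_proto_out"] = [filter_set(rule(PROTOCOL, "drop", src="192.168.1.33"))]
    out["protocol rule, private address"] = lan_to_wan(OUTBOUND, cfg)[:2]
    cfg = empty_config()                            # generic rule sees the public address
    cfg["wan_dev_out"] = [filter_set(rule(DEVICE, "drop", src="192.168.1.33"))]
    out["device rule, private address"] = lan_to_wan(OUTBOUND, cfg)[:2]
    cfg = empty_config()
    cfg["wan_dev_out"] = [filter_set(rule(DEVICE, "drop", src="203.205.115.6"))]
    out["device rule, public address"] = lan_to_wan(OUTBOUND, cfg)[:2]
    cfg = empty_config()                            # call filter: dial trigger only
    cfg["wan_proto_call"] = [filter_set(rule(PROTOCOL, "drop", src="192.168.1.33"))]
    out["call filter, link down"] = lan_to_wan(OUTBOUND, cfg, link_up=False)[:2]
    out["call filter, link up"] = lan_to_wan(OUTBOUND, cfg, link_up=True)[:2]
    cfg = empty_config()
    cfg["wan_proto_in"] = [filter_set(rule(PROTOCOL, "drop", dst="192.168.1.33"))]
    out["inbound protocol rule, private address"] = wan_to_lan(INBOUND, cfg)[:2]
    return out


def mixing_is_rejected():
    try:
        filter_set(rule(PROTOCOL, "drop", src="x"), rule(DEVICE, "drop", src="y"))
    except ValueError:
        return True
    return False
```

The second case in demo() is the trap: a generic (device) filter on the WAN side written for 192.168.1.33 never matches, because SUA has already rewritten the source to 203.205.115.6 by the time step 4 runs.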
175. …ased Line … 92
Supplemental Service … 95
9. Using NetCAPI … 98
10. Using RADIUS … 103
11. Using CLID Call Back … 105
13. Using Multi-NAT … 116
IPSec VPN … 139
1. Using IPSec VPN … 139
2. P-202H Plus v2 vs 3rd Party VPN Gateway … 159
3. P-202H Plus v2 vs 3rd Party VPN Software … 208
4. Configure NAT for Internal Servers … 346
5. VPN Routing between Branch Offices … 347
Support Tool … 362
1. Using ZyXEL ISDN D Channel Analyzer (EPA) … 362
2. Using ZyXEL PPP Analyzer … 366
3. LAN/WAN Packet Trace … 370
4. Using TFTP to upload/download ZyNOS via LAN … 381
5. Using FTP to Upload Firmware and Configuration Files … 385
CI Command List … 388
Troubleshooting … 389
1. Internet Connection … 389
2. Remote Node/Dial-in User Connection … 394
3. IP Routing … 401
4. Reset to…
176. …ast route error code 0
ioRouteFail_Disable 0
ioRouteFail_PktLen 0
ioRouteFail_Header 0
ioRouteFail_CkSum 0
ioRouteFail_OptLen 0
ioRouteFail_OptSRoute 0
ioRouteFail_OptSSRoute 0
ioRouteFail_OptRRoute 0
ioRouteFail_TTL 0
ioRouteFail_NoRoute 0
ioRouteFail_WanRoute 0
ioRouteFail_RnNull 0
ioRouteFail_DF 0
ioRouteFail_Fragment 0

2. Display the IP routing table and check the Use field of the problem route. Here we are troubleshooting the route to 100.1.1.1 and trying to find out why the call to the remote node was not triggered.

  P2864> ip route st
  Dest            FF Len Interface Gateway         Metric stat Timer Use
  204.247.203.191 00 32  enif0     204.247.203.183 1      00150      0
  204.247.203.128 00 26  enif0     204.247.203.183 1      00230      0
  100.0.0.0       00 8   wanIdle   100.1.1.1       2      00230      0
  default         00 0   wanIdle   Internet        2      00230      0

3. Ping the remote node IP address 100.1.1.1 from the P-202H Plus v2 directly (you can also do it from the LAN), then check the routing table again:

  306Z> ip ping 100.1.1.1
  Resolving 100.1.1.1... 100.1.1.1
  306Z> ip route st
  Dest            FF Len Interface Gateway         Metric stat Timer Use
  204.247.203.191 00 32  enif0     204.247.203.183 1      00150      0
  204.247.203.128 00 26  wanIdle   204.247.203.167 2      00230      0
  100.0.0.0       00 8   wanIdle   100.1.1.1       2      00230      3
  default         00 0   wanIdle   Internet        2      00230      0

The Use count increased from 0 to 3, which is correct: each ip ping command sends 3 packets. S…
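Comparing two routing-table snapshots by eye is error-prone once the table is longer than four rows. The parser below is an added example, not ZyXEL code: it reads the two tables printed above (the combined stat/Timer token is kept exactly as the page shows it), finds the route that a target address actually uses by longest-prefix match, reports the change in its Use counter, and flags routes whose interface or gateway changed between the snapshots.

```python
"""Parse two `ip route st` snapshots and check the Use counter of the route
that carries traffic to a target address.

Added example, not ZyXEL code. BEFORE and AFTER are the two tables shown
on the page with the prompt lines removed; the 'stat Timer' column is kept
as the single token the page prints.
"""
import ipaddress

BEFORE = """Dest FF Len Interface Gateway Metric stat Timer Use
204.247.203.191 00 32 enif0 204.247.203.183 1 00150 0
204.247.203.128 00 26 enif0 204.247.203.183 1 00230 0
100.0.0.0 00 8 wanIdle 100.1.1.1 2 00230 0
default 00 0 wanIdle Internet 2 00230 0
"""

AFTER = """Dest FF Len Interface Gateway Metric stat Timer Use
204.247.203.191 00 32 enif0 204.247.203.183 1 00150 0
204.247.203.128 00 26 wanIdle 204.247.203.167 2 00230 0
100.0.0.0 00 8 wanIdle 100.1.1.1 2 00230 3
default 00 0 wanIdle Internet 2 00230 0
"""


def parse_route_table(text):
    """One dict per route; 'default' becomes 0.0.0.0/0."""
    rows = []
    for line in text.strip().splitlines()[1:]:          # skip the header line
        dest, ff, plen, iface, gw, metric, stat_timer, use = line.split()
        net = "0.0.0.0/0" if dest == "default" else f"{dest}/{plen}"
        rows.append({"network": ipaddress.ip_network(net, strict=False), "ff": ff,
                     "interface": iface, "gateway": gw, "metric": int(metric),
                     "stat_timer": stat_timer, "use": int(use)})
    return rows


def route_for(rows, ip):
    """Longest-prefix match, as the router's forwarding lookup does."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in rows if addr in r["network"]]
    return max(hits, key=lambda r: r["network"].prefixlen) if hits else None


def use_delta(before, after, ip):
    """How many packets the route to ip carried between the two snapshots."""
    b, a = route_for(before, ip), route_for(after, ip)
    if a is None:
        raise LookupError(f"no route to {ip}")
    prev = b["use"] if b else 0
    return {"network": str(a["network"]), "interface": a["interface"],
            "gateway": a["gateway"], "before": prev, "after": a["use"],
            "packets_sent": a["use"] - prev}


def changed_routes(before, after):
    """(network, old interface, new interface) for routes that moved."""
    old = {str(r["network"]): r for r in before}
    changed = []
    for r in after:
        key = str(r["network"])
        if key in old and (old[key]["interface"], old[key]["gateway"]) != (r["interface"], r["gateway"]):
            changed.append((key, old[key]["interface"], r["interface"]))
    return changed


if __name__ == "__main__":
    b, a = parse_route_table(BEFORE), parse_route_table(AFTER)
    print(use_delta(b, a, "100.1.1.1"))
    print(changed_routes(b, a))
```

A Use counter that stays at 0 after the ping means the packets never reached that route (they were filtered or routed elsewhere), which is the distinction this troubleshooting step is after; changed_routes() also surfaces that 204.247.203.128/26 moved from enif0 to wanIdle between the two listings on the page.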
177. …ation Wizard. (Screen residue: "You can also configure a VPN using …"; legend: Device Needs information / Ready for delivery / Delivered; Connectors Needs information / Has required information / Ready.)

5. Lay out your network topology in the Network Diagram as shown below. You may choose network components such as hosts, Internet and Ethernet LAN from the Devices window. See the screenshot.

(Screenshot: Cisco ConfigMaker 2.5.1. Menu: File, Edit, View, Configuration, Management, Tools, Help; toolbar: New, Open, Save, Undo, Redo, Cut, Copy, Paste, Delete, Detect, Firewall, Deliver, Ping. Tutorial pane "Using Cisco ConfigMaker": Draw your Network Diagram: select a device from the Devices window and click in the Network Diagram window; to connect two devices, select a connection from the Connections window, click the first device in the Network Diagram and then click the second device to complete the connection. Deliver Configuration: when the device is blue … Devices pane: Hosts, Cisco 1500 Series, FastHub 400 Series, Switches (Cisco 1500 Series), Routers (Cisco 800, 1000, 1600, 1700 Series; Cisco 1710, 1720, 1750), Ethernet LAN, Internet, ZyWALL.)
178. …ation started; BACP stopped; IPCP up; LCP down; IPCP down; LCP stopped. The call connected and IPCP came up, but the call still dropped. The call could have been dropped by the far end for an unknown reason; verify the problem with your ISP. If the far end uses an Ascend Pipeline for your connection, it may bring IPCP up and then check the IP address; if the address is not the one configured in its Connection Profile, it drops the call and logs nothing about it.

Other unknown reason. For any other unknown reason you have to look at the packet trace to decide what went wrong. To collect the trace:
- Go to Menu 11 and note which remote node number is used for Internet access.
- Go to the CI (Menu 24.8).
- Turn on your terminal's screen capture.
- sys trcl cl to clear the trace.
- sys trcl sw on to turn on the trace log.
- sys trcp sw on to turn on the packet trace.
- dev dial <remote node number>
- After the call fails: sys trcl disp

Summary
Failure reason: Dial failed. Action: check the disconnect cause; go to SMT Menu 24.1 to verify that the channel status is not DOWN. If it is DOWN it might be an ISDN init failure; do an ISDN loopback test.
Failure reason: Authentication failed. Action: check name and password.
Failure reason: LCP negotiation failed. Action: trace the PPP packets.
Failure reason: IPCP negotiation failed. Action: check that the IP address is correct and that IP is turned on.
179. …by entering the correct username and password and the Internet IP address of the P-202H Plus v2 to log in to the NT RAS server. Set the Internet gateway to the router that connects to the ISP.

P-202H Plus v2 router setup
- Before making a VPN connection from Win9x to the WinNT server, connect the P-202H Plus v2 to your ISP first.
- Enter the IP address of the PPTP server (the WinNT server) and the port number for PPTP (TCP 1723; PPTP also needs GRE, IP protocol 47, to pass) as shown below:

  Menu 15.2 - NAT Server Setup
  (port/IP entries; Default … Default)
  Press ENTER to Confirm or ESC to Cancel

When you have finished the above settings, ping the remote Win9x client from the WinNT server. This ping demonstrates that the remote Win9x client can be reached across the Internet. If the Internet connection between the two LANs is active, you can place a VPN call from the remote Win9x client. For example:

  C:\> ping 203.66.113.2

When a dial-up connection to the ISP is established, a default gateway is assigned to route traffic through that connection; the output below therefore shows the default gateway of the Win95 client after the dial-up connection has been established. Before making a VPN connection from the Win9x client to the NT server, you need to know the exact Internet IP address that the ISP assigns to the P-…

Note that PPTP with MS-CHAP authentication is no longer considered secure; this section documents the legacy setup as the notes describe it.
180. …by the remote party. If the MSN matches the one configured in Menu 2 (ISDN Data Number), the P-202H Plus v2 answers the call as a data call. If the MSN does not match any MSN in Menu 2, the P-202H Plus v2 answers the call as a CAPI call and forwards it to the CAPI client.
Subaddress: when this option is selected, the P-202H Plus v2 checks the subaddress called by the remote party. If it matches the one configured in Menu 2 (ISDN Data Number), the call is answered as a data call; otherwise it is answered as a CAPI call and forwarded to the CAPI client.
NetCAPI: when this option is selected, the P-202H Plus v2 always answers the call as a CAPI call and forwards it to the CAPI client.
4. Access List: enter the IP range of the valid NetCAPI clients with the desired operation direction.
   Operation=Incoming permits the clients in this IP range only to answer calls.
   Operation=Outgoing permits the clients in this IP range only to place calls.
   Operation=Both permits the clients in this IP range to both place and answer calls.
   Operation=None means no calls are allowed for the clients in this IP range.
5. Start IP: the first IP address of a group of NetCAPI clients. Each group contains contiguous IP addresses.
6. End IP: the last IP address in a NetCAPI client group.
7. Operation: call control setti…
181. …c Filter. (Screen residue: Add, Remove, Properties, Diagnostics, Description.)

12. Choose the Settings button in the Remote endpoint section and uncheck the boxes Acquire virtual IP address and Extended authentication. (Screenshot: Rule Properties, General and Advanced tabs; Remote endpoint: Security gateway, Remote network ZyWALL; IPSec/IKE proposal: Authentication key, Proposal template normal, Settings; "A virtual IP address is an address from the internal network"; "The VPN gateway may require IKE XAuth, RADIUS or CHAP authentication"; Description: Change.)

13. Tune the IKE proposal to Encryption algorithm DES, Integrity function MD5, IKE mode main mode, IKE group MODP 768 (group 1), and the IPSec proposal to Encryption algorithm DES, Integrity function HMAC-MD5, PFS group none. These values match the router's Menu 27.1.1.1 IKE Setup; DES, MD5 and MODP 768 are considered weak today, so use them only to match a peer that offers nothing stronger. (Screenshot: Proposal Parameters, main mode, MODP 768 (group 1), DES, HMAC-MD5.)

14. Press Apply to save all of the settings.

2. SSH Sentinel P…
182. …c is an IP-in-IP encapsulation, the inner IP header is not translated by NAT. For example: Internal Server, P-202H Plus v2 (NAT and IPSec), ADSL Modem, Internet, Remote Network.

5. VPN Routing between Branch Offices

This page explains how to set up VPN routing between branch offices through headquarters, so that whenever branch office A wants to talk to branch office B, headquarters acts as a VPN relay. This helps when the number of branch offices is very large, because no additional VPN tunnels between branch offices are needed. In this support note we skip the detailed configuration steps for Internet access and presume that you are familiar with basic ZyNOS VPN configuration.

As the figure below shows, each branch office has a VPN tunnel to headquarters, so PCs in the branch offices can access systems at headquarters via the tunnel. Through VPN routing, the P-202H Plus v2 series now lets PCs in branch offices talk to each other through the existing VPN tunnels concentrated at headquarters. This feature is available in P 202H Plus v210, P 202H Plus v250 and P 202H Plus v2100.

(Figure: Headquarter, Branch A, Branch B.)

The IP addresses used in this example:
Headquarter: WAN 202.3.1.1, LAN 192.168.3.1
Branch A: WAN 202.1.1.1, LAN 192.168.1.1
Branch B: WAN 202.2.1.1, LAN 192.168.2.1
1…
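The relay only works if the policy selectors on all three gateways cover the branch-to-branch traffic, not just each branch's traffic to headquarters. The following added example (not ZyXEL code, and the policy lists are an assumption about how the tunnels are defined) models IPSec policy lookup on each gateway with the addresses from the text: a packet is sent through a tunnel only if a policy's local/remote selectors match it, and the receiving gateway only accepts it if it has a matching policy on that same tunnel.

```python
"""Hub-and-spoke IPSec policy lookup for the branch-office relay above.

Added example, not ZyXEL code. Addresses are the ones in the text; the
policy lists are an assumption about how the tunnels are defined, and the
point is which selectors headquarters must carry to relay A<->B traffic.
"""
import ipaddress

HQ, A, B = "202.3.1.1", "202.1.1.1", "202.2.1.1"            # WAN addresses
LANS = {"192.168.3.0/24": HQ, "192.168.1.0/24": A, "192.168.2.0/24": B}


def policy(local, remote, peer):
    """Traffic from local to remote is protected by the tunnel to peer."""
    return {"local": ipaddress.ip_network(local),
            "remote": ipaddress.ip_network(remote), "peer": peer}


GATEWAYS = {
    A: [policy("192.168.1.0/24", "192.168.3.0/24", HQ),
        policy("192.168.1.0/24", "192.168.2.0/24", HQ)],     # branch B is reached via HQ
    B: [policy("192.168.2.0/24", "192.168.3.0/24", HQ),
        policy("192.168.2.0/24", "192.168.1.0/24", HQ)],
    HQ: [policy("192.168.3.0/24", "192.168.1.0/24", A),
         policy("192.168.2.0/24", "192.168.1.0/24", A),      # relay: B's LAN on the A tunnel
         policy("192.168.3.0/24", "192.168.2.0/24", B),
         policy("192.168.1.0/24", "192.168.2.0/24", B)],     # relay: A's LAN on the B tunnel
}


def gateway_of(ip):
    addr = ipaddress.ip_address(ip)
    return next(gw for lan, gw in LANS.items() if addr in ipaddress.ip_network(lan))


def outbound_policy(gateways, gw, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((p for p in gateways[gw] if s in p["local"] and d in p["remote"]), None)


def accepts(gateways, gw, from_peer, src, dst):
    """A gateway only passes decrypted traffic that matches a policy on that tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(p["peer"] == from_peer and s in p["remote"] and d in p["local"]
               for p in gateways[gw])


def trace(src, dst, gateways=GATEWAYS):
    """Follow a packet from src's gateway to dst's gateway through the tunnels."""
    here, dest, hops = gateway_of(src), gateway_of(dst), []
    while here != dest and len(hops) < 8:
        p = outbound_policy(gateways, here, src, dst)
        if p is None:
            return {"delivered": False, "failed_at": here, "reason": "no outbound policy", "hops": hops}
        if not accepts(gateways, p["peer"], here, src, dst):
            return {"delivered": False, "failed_at": p["peer"], "reason": "no inbound policy", "hops": hops}
        hops.append((here, p["peer"]))
        here = p["peer"]
    return {"delivered": here == dest, "hops": hops}


def without_relay_policies():
    """Same topology, but headquarters only carries policies for its own LAN."""
    hq_lan = ipaddress.ip_network("192.168.3.0/24")
    g = dict(GATEWAYS)
    g[HQ] = [p for p in GATEWAYS[HQ] if p["local"] == hq_lan]
    return trace("192.168.1.5", "192.168.2.5", g)
```

The two commented HQ entries are the whole trick: on its tunnel to A, headquarters must list branch B's LAN as a local network (and the mirror image on the tunnel to B); without them the packet from A is rejected on arrival at headquarters, as without_relay_policies() shows.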
183. …call filter in menu 11? … 9
15. How can I protect against IP spoofing attacks? … 9
16. What is DNS proxy? … 10
17. What is a nailed-up connection and when do I need to use it? … 11
18. What are device filters and protocol filters? … 11
19. Why can't I configure device filters or protocol filters? … 11
20. The P-202H Plus v2 supports uploading the firmware and configuration files using FTP, but how do I prevent an outside user from FTPing to my P-202H Plus v2? … 11
Product FAQ … 12
1. How do I collect an EPA trace? Moreover, how do I read it? … 12
2. Can I prevent the dial-in user from occupying two channels? … 12
3. How does Dial Prefix to Access Outside Line in Menu 2 (European firmware) work? … 12
4. What supplemental phone services does the P-202H Plus v2 support? … 12
5. How do I do call waiting, call hold and call retrieve? … 13
6. Why doesn't call waiting work as expected? … 13
7. How do I do three-way calling? … 13
8. How do I remove a party from three-way calling? … 13
9. How do I do call transfer? … 14
10. How do I blind call transfer? …
184. …cause the negotiations never take place. Only when you want some TCP/UDP packets to bypass IPSec must you specify that traffic as bypass in the pre-IPSec filter. Otherwise, simply do not set up any bypass, discard or reject rule for the traffic you want protected by IPSec.

5. What is "Acquire virtual IP address" for? Should I check this box?
With this feature Sentinel can obtain a virtual IP address assigned by the VPN gateway. However, when connecting with a P-202H Plus v2, do not check this box: the P-202H Plus v2 does not support this feature in its current firmware.

6. What is Extended Authentication? Should I check this box?
With this feature a VPN connection from Sentinel can be authenticated against an authentication server such as RADIUS or TACACS behind the remote VPN gateway. However, when connecting with a P-202H Plus v2, do not check this box: the P-202H Plus v2 does not support this feature in its current firmware. It will be supported in the near future.

7. Does Sentinel support IP ranges?
No, only subnet and single address are supported. So when connecting with a P-202H Plus v2, do not use range as the address type.

8. Does Sentinel support 2 VPN connections at the same time?
No, Sentinel does not support it. Only one VPN connection can be active at a time.

9. What is the option "Attach the selected values to proposal only" for?
To increas…
185. … … 14
11. What is call forwarding and how do I do it? … 14
12. How do I suspend/resume a phone call (terminal portability)? … 15
13. What is reminder ring? … 15
14. Why doesn't my answering machine on the POTS port stop recording? … 15
15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European firmware)? … 15
16. Does the P-202H Plus v2 support MP callback to dial-in users? … 16
17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting? … 16
18. What are the differences between P-202H, P-202H Plus and P-202H Plus v2? … 16
Firewall FAQ … 17
General … 17
1. What is a network firewall? … 17
2. What makes the P-202H Plus v2 secure? … 17
3. What are the basic types of firewalls? … 17
4. What kind of firewall is the P-202H Plus v2? … 18
5. Why do you need a firewall when your router has packet filtering and NAT built in? … 18
6. What is…
186. …ce it never receives the TCP SYN/ACK packet. Thus the connection will always be reset by the P-202H Plus v2.

Solutions
A. Deploy your second gateway in an IP alias segment. This is the better solution: the connection stays under the control of the firewall, so there is no triangle route problem. (Figure: ISP, ISDN router, switch/hub, Prestige.)
B. Deploy your second gateway on the WAN side. (Figure: ISDN router, switch/hub, …)
C. To resolve this conflict we added an option that lets users allow or disallow such a triangle route topology, in both the CI command set and the web configurator. Issue the command sys firewall ignore triangle all on to let the firewall bypass triangle route checking. In the web GUI you find this option on the firewall setup page. Be aware, however, that if you allow triangle routes, any traffic can easily be injected into the protected network through the unprotected gateway; it is a security hole in your protected network.

Configuration
1. How do I configure the firewall?
The P-202H Plus v2 has an embedded web server, so you can use a web browser to configure it from any OS platform.

2. How do I prevent others fro…
187. …ch the remote node's CLID. INFO information log. Solution: change to the correct CLID number.

43 Message: Tracelog type 21180 level 1
Meaning: "Tracelog type xxx" gives the type of information that will be displayed; 21180 here is the L2TP trace. Bits: 0 error log trace, 1 kernel trace, 2 memory, 3 mbuffer, 4 stdio, 5 NDIS LAN packet, 6 LAN packet, 7 WAN packet, 8 IP protocol, 9 IPX protocol, 10 bridging protocol, 11 AppleTalk protocol, 12 PPP protocol, 13 application, 14 SPT, 15 connection manager, 16 event manager, 17 L2TP protocol. "level xx" gives how much information is displayed; a lower level means less content. The default is level 5.

44 Message: CheckSum Error 1
Meaning: (1) the wrong firmware was downloaded to the hardware, because the hardware does not have enough flash memory for this firmware, or (2) the download failed.
Solution: (1) use hardware with larger flash memory for this firmware; (2) download again.

45 Message: 9f PNET WARN ppp MP late arrival seq x877 M x0
Meaning: the receiver received a previous packet after it had already received a later packet.
Solution: it is not a problem.

46 Message: INFO addCallHistory Transfer rate 255 is out of defined values
Meaning: the transfer rate is not in the defined range.
Solution: report to ZyXEL support; one call history entry is missing from the call history table.
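The Tracelog bit table above and the netMakeChannDial error codes listed earlier in these notes (3000/3001 and 3028 to 3048) are easiest to use from a small decoder. The following is an added example, not ZyXEL code: the bit names and error codes are the ones on the page, the sample lines are constructed from the quoted message formats, and one assumption is made explicit: the page does not say in which base "21180" is printed, and reading it as hexadecimal (0x21180) selects exactly the WAN packet, IP, PPP and L2TP bits, which is what an L2TP trace would enable.

```python
"""Decode the log lines discussed in entries 43 and 3000/3001: the Tracelog
type bitmask and the netMakeChannDial error codes.

Added example, not ZyXEL code. The bit table and the error codes are the
ones listed on the page; the sample lines are constructed from the formats
the page quotes. The Tracelog type is assumed to be printed in hex.
"""
import re

TRACE_BITS = {0: "error log trace", 1: "kernel trace", 2: "memory", 3: "mbuffer",
              4: "stdio", 5: "NDIS LAN packet", 6: "LAN packet", 7: "WAN packet",
              8: "IP protocol", 9: "IPX protocol", 10: "bridging protocol",
              11: "AppleTalk protocol", 12: "PPP protocol", 13: "application",
              14: "SPT", 15: "connection manager", 16: "event manager", 17: "L2TP protocol"}

DIAL_ERRORS = {
    3000: "remote node is connecting already",
    3001: "remote node call direction is configured as incoming only",
    3028: "the node is not found", 3029: "the node is inactive", 3030: "dial fail",
    3031: "no budget", 3032: "RADIUS authentication fail", 3033: "CLID is required",
    3034: "CLID can not be found",
    3035: "an outgoing call has already been placed for this remote node",
    3036: "call is blocked", 3037: "invalid phone number", 3038: "remote side is busy",
    3039: "no carrier", 3040: "no dial tone", 3041: "remote node is not active",
    3042: "no answer received", 3043: "dial timeout", 3045: "redial stopped",
    3046: "redial no number",
    # the page lists 3047 and 3048 together under one description
    3047: "remote node is not L2TP enabled or supported",
    3048: "remote node is not L2TP enabled or supported",
}

TRACELOG_RE = re.compile(r"Tracelog type (?P<type>[0-9A-Fa-f]+) level (?P<level>\d+)")
DIAL_RE = re.compile(r"PINI ERROR netMakeChannDial err (?P<code>\d+) rn_p (?P<rn_p>[0-9A-Fa-f]+)")


def decode_trace_type(value):
    """Names of the trace categories enabled in a Tracelog type bitmask."""
    return [name for bit, name in sorted(TRACE_BITS.items()) if value >> bit & 1]


def encode_trace_type(names):
    """Inverse of decode_trace_type: the bitmask for a set of categories."""
    by_name = {name: bit for bit, name in TRACE_BITS.items()}
    return sum(1 << by_name[name] for name in names)


def decode_line(line):
    m = TRACELOG_RE.search(line)
    if m:
        value = int(m["type"], 16)            # assumption: printed in hex
        return {"kind": "tracelog", "type": value, "level": int(m["level"]),
                "enabled": decode_trace_type(value)}
    m = DIAL_RE.search(line)
    if m:
        code = int(m["code"])
        return {"kind": "dial error", "code": code, "rn_p": m["rn_p"],
                "meaning": DIAL_ERRORS.get(code, "unknown code")}
    return {"kind": "unknown", "line": line}


SAMPLE = [                                       # constructed from the page's formats
    "Tracelog type 21180 level 1",
    "PINI ERROR netMakeChannDial err 3000 rn_p 576de0",
    "PINI ERROR netMakeChannDial err 3031 rn_p 576de0",
    "INFO addCallHistory Transfer rate 255 is out of defined values",
]


def decode_all(lines=SAMPLE):
    return [decode_line(line) for line in lines]


if __name__ == "__main__":
    for entry in decode_all():
        print(entry)
```

If a trace on your unit prints a type value that decodes to nonsense under the hex reading, switch the base in decode_line(); the bit-to-name table is the part that the page fixes.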
188. …co 2600 Series. (Screenshot residue: Devices pane with Cisco 2600, 3600 and 4000 Series and Voice Devices; Network Diagram showing Cisco1720 (Eth, 192.168.2.1/24), ZyWALL, EthernetLAN 1, Internet; tutorial text: "Deliver Configuration: when the device is blue, select the device and download the IOS configuration to it using the Deliver Configuration wizard. You can also configure a VPN using the VPN connection wizard." Connections: ISDN, Leased Line, PPP Sync Serial, HOST 1; legend: Device Needs information / Ready for delivery / Delivered; Connection Needs information / Has required information / Ready.)

7. Select VPN from the Connections window. During this stage you have to enter the pre-shared key 12345678. See the screenshot.

(Screenshot: Untitled - Cisco ConfigMaker v2.5.1; menu File, Edit, View, Configuration, Management, Tools, Help; toolbar New, Open, Save, Undo, Redo, Cut, Copy, Paste, Delete, Detect, Firewall, Deliver; AutoDetect Device Wizard; Devices: Ethernet LAN, Host, Dial-in PCs (modem), Dial-in PCs (ISDN), Cisco Cache Engine, Hubs (Cisco 1500 Series, FastHub 400 Series), Stacks, Switches (Cisco 1500 Series), Routers (Cisco 800 Series, …); Network Diagram: Internet, Cisco1720.)
189. …col required (RFC 1552)
IPXCP router protocol options:
1 RESERVED (RFC 1552)
2 Novell RIP/SAP required (RFC 1552)
4 Novell NLSP required (RFC 1552)
5 Novell Demand RIP required (RFC 1582)
6 Novell Demand SAP required (RFC 1582)
7 Novell Triggered RIP required (Edmonstone)
8 Novell Triggered SAP required (Edmonstone)

NBFCP Configuration Options
NBFCP Configuration Options (RFC 2097) allow modifications to the standard characteristics of the network layer protocol to be negotiated. If a Configuration Option is not included in a Configure-Request packet, the default value for that Configuration Option is assumed. NBFCP uses the same Configuration Option format defined for LCP, with a separate set of Options. Current values are assigned as follows:
1 Name-Projection
2 Peer-Information
3 Multicast-Filtering
4 IEEE-MAC-Address-Required

PPP EAP Request/Response Types
A one-octet field is used in the Extensible Authentication Protocol (EAP) to indicate the function and structure of EAP Request and Response packets (RFC 2284).
Type  Description
1  Identity (RFC 2284)
2  Notification (RFC 2284)
3  Nak (Response only) (RFC 2284)
4  MD5-Challenge (RFC 2284)
5  One-Time Password (OTP) (RFC 2289)
6  Generic Token Card (RFC 2284)
7, 8  (unassigned)
9  RSA Public Key Authentication (Whelan)
10  DSS Unilateral (Nace)
11  KEA (Nace)
12  KEA-VALIDATE (Nace)
13  EAP-TLS (Aboba)
190. …connection, the source IP is obtained and then written into the field that previously held 0.0.0.0. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all.

1. Setup P-202H Plus v2
1. Log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234 (change it before the router is reachable from untrusted networks).
2. Click Advanced and then the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE-IKE menu, check the Active check box and give this policy a name.
5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as configured on the SonicWALL.
6. Source IP Address Start and Source IP Address End are the PC 1 IP in this example (the secure host behind the P-202H Plus v2).
7. Destination IP Address Start and Destination IP Address End are the PC 2 IP in this example (the secure remote host).
8. My IP Addr is the WAN IP of the P-202H Plus v2.
9. Secure Gateway IP Addr is the remote secure gateway IP, that is the SonicWALL WAN IP in this example.
10. Set Encapsulation Mode to Tunnel.
11. Check the ESP check box. AH cannot be used in the SUA/NAT case.
12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as configured on the SonicWALL.
13. Enter the key string 12345678 in the Pre-shared Key text box and clic…
191. …
  My Password=
  Session Options:
    Edit Filter Sets= Yes
    Idle Timeout(sec)= 300
  Authen= CHAP/PAP
  Pri Phone #= 4125678
  Sec Phone #=
  Press ENTER to Confirm or ESC to Cancel

  Menu 11.5 - Remote Node Filter
  Input Filter Sets:  protocol filters=   device filters=
  Output Filter Sets: protocol filters=   device filters=
  Call Filter Sets:   protocol filters=   device filters=

A filter for blocking a specific client

Introduction. If you want to forbid a specific local client from triggering a call to the ISP, configure a call filter set on the P-202H Plus v2 to block the packets from this client. After the call filter is applied, packets sent from this client no longer trigger the call to your ISP or remote node. As long as the call is triggered by another client and the Internet connection is established, this workstation is still able to access the Internet or the remote node.

Configuration
1. Create a filter set in Menu 21, e.g. set 1:

  Menu 21 - Filter Set Configuration
  Filter Set #  Comments
  1             Block a client
  2 to 12       (empty)
  Enter Filter Set Number to Configure= 0
  Edit Comments=
  Press ENTER to Confirm or ESC to Cancel

2. One rule, one for blocking all packets fr…
192. …cryption between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution.

7. What security protocols does IPSec provide?
IPSec provides two protocols: AH (Authentication Header, IP protocol number 51) and ESP (Encapsulating Security Payload, IP protocol number 50).

8. What are the differences between Transport mode and Tunnel mode?
The IPSec protocols AH and ESP can protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data it generates locally, while tunnel mode is for a security gateway to provide IPSec service to other machines that lack IPSec capability. Transport mode protects only the upper-layer protocols of the IP payload (user data); tunnel mode protects the entire original IP packet, including its IP header. There is no requirement that the IPSec hosts and the security gateway be separate machines. Both AH and ESP can operate in either transport mode or tunnel mode.

9. What is an SA?
A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use.

10. What is IKE?
IKE is short for Internet Key Exchange. Key management allows you to determin…
193. …cting the Edit IKE Setup option in Menu 27.1.1 to Yes and then pressing Enter.
2. IKE has two phases. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission.
Please note that every value in IKE Setup must match the settings configured in Sentinel.

  Menu 27.1.1.1 - IKE Setup
  Phase 1
    Negotiation Mode= Main
    Pre-Shared Key= 12345678
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)= 28800
    Key Group= DH1
  Phase 2
    Active Protocol= ESP
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)= 28800
    Encapsulation= Tunnel
    Perfect Forward Secrecy (PFS)= None
  Press ENTER to Confirm or ESC to Cancel

3. Setup in the NAT router. In this case, since the VPN connection can only be initiated from SSH Sentinel, no NAT port forwarding is needed.

Sentinel (Dynamic IP) to P-202H Plus v2 (Dynamic IP) Tunneling

This page guides you through setting up a VPN connection between the SSH Sentinel software and the P-202H Plus v2 router. Two devices need to be configured: Sentinel and the P-202H Plus v2. As the figure below shows, the tunnel between PC 1 (with Sentinel installed) and the P-202H Plus v2 protects the packets flowing betwe…
194. …d. (Screen residue: Add, Remove, Properties, View; Description: "The keys that are used for authenticating the local host …".)

3. Select Create a preshared key and press Next. (Screenshot: New Authentication Key. "This wizard guides you through the generation of a new authentication key. What kind of an authentication key would you like to create?" Options: Create an authentication key pair and a certificate; Enroll for a certificate; Create a preshared key.)

4. Give this preshared key a name, P 202H Plus v2, then enter the preshared key 12345678 in both the Shared secret and Confirm shared secret fields. Finally press Finish. (Screenshot: Create Preshared Key, "Type in the shared secret".)

5. Press Apply in the main menu to save the above settings for later use. (Screenshot: SSH Sentinel Policy Editor; Security Policy and Key Management tabs; Trusted Policy Servers; Trusted Certificates; Certification Authorities; Remote Hosts; Directory Services; My Keys: host key, checkpoint certificate, ZyWALL; Add.)
195. d N/A; Global IP Start = Enter IGA1, End = N/A; Server Mapping Set = N/A. Press ENTER to Confirm or ESC to Cancel. Rule 2 Setup: select the One-to-One type to map FTP Server 2 with ILA2 (192.168.1.11) to IGA2. Menu 15.1.1.2 Rule 2: Type = One-to-One; Local IP Start = 192.168.1.11, End = N/A; Global IP Start = Enter IGA2, End = N/A; Server Mapping Set = N/A. Press ENTER to Confirm or ESC to Cancel. Rule 3 Setup: select the Many-to-One type to map the other clients to IGA3. Menu 15.1.1.3 Rule 3: Type = Many-to-One; Local IP Start = 0.0.0.0, End = 255.255.255.255; Global IP Start = Enter IGA3, End = N/A; Server Mapping Set = N/A. Press ENTER to Confirm or ESC to Cancel. Rule 4 Setup: select the Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3. Menu 15.1.1.4 Rule 4: Type = Server; Local IP Start = N/A, End = N/A; Global IP Start = Enter IGA3, End = N/A; Server Mapping Set = 2. Press ENTER to Confirm or ESC to Cancel. When we have configured all four rules, Menu 15.1.1 should look as follows. Menu 15.1.1 Address Mapping Rules, Set Name = Examples; columns Idx / Local Start IP / Local End IP / Global Start IP / Global End IP / Type: 1: 192.168.1.10 / (blank) / IGA1 / (blank) / 1-1; 2: 192.168.1.11 / (blank) / IGA2 / (blank) / 1-1
196. d i (screenshot: Cisco configuration tool, ISDN Leased Line; status legend: Device: Needs information / Ready for delivery / Delivered; Connection: Needs information / Has required information; delivers the configuration to the device.) 10. Enter Cisco command mode from the console and check whether the Cisco can successfully ping the P-202H Plus v2. You might have to tune the configuration to accommodate your practical environment. For more detailed information please go to http://www.cisco.com. 11. In config mode, enter the command: crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac 12. After all of the settings, if PC 1 and PC 2 can reach each other, then the IPSec VPN has been established successfully. There is also a useful command to debug IPSec VPN: debug crypto ipsec. 2.2 Setup Cisco by Commands: note that in order to set up the Cisco by commands you have to connect your PC and the Cisco router with a console cable. Enter the following commands one per line: Cisco1720 config / Cisco1720 <start typing the commands below> / version 12.2 / no parser cache / no service single-slot-reload-enable / service timestamps debug uptime / service timestamps log uptime / service password-encryption / hostname Cisco1720 / logging rate-limit console 10 except errors / enab
197. d devices to asynchronously report certain events to NMSs (using traps). (Figure 1: SNMP Management Model: User Interface, Agents, Managed devices.) 2. SNMPv1 Operations: SNMP itself is a simple request/response protocol. Four SNMPv1 operations are defined as below. Get: allows the NMS to retrieve an object variable from the agent. GetNext: allows the NMS to retrieve the next object variable from a table or list within an agent; in SNMPv1, when an NMS wants to retrieve all elements of a table from an agent, it initiates a Get operation followed by a series of GetNext operations. Set: allows the NMS to set values for object variables within an agent. Trap: used by the agent to inform the NMS of some events. The SNMPv1 message contains two parts. The first part contains a version and a community name. The second part contains the actual SNMP protocol data unit (PDU), specifying the operation to be performed (Get, Set, and so on) and the object values involved in the operation. The following figure shows the SNMPv1 message format. (Figure: SNMPv1 Message: Error Status, Error Index, Object 1 / Value 1, Object 2 / Value 2, Object 3 / Value 3 (Variable Bindings).)
198. date to save the settings to the SonicWALL. 8. Click DHCP, enable DHCP and the Dynamic Ranges. 9. Click VPN, then click the Configure tab. 10. In the Security Association option, select Add New SA. 11. In the IPSec Keying Mode option, select IKE using pre-shared secret. 12. In the Name option, give a name for this SA. 13. In IPSec Gateway Address, enter the P-202H Plus v2 WAN IP. 14. In the Encryption Method option, select Encrypt and Authenticate (ESP DES HMAC MD5). 15. In the Shared Secret option, enter 12345678 as the secret key. 16. Click Add New Network. 17. In Edit VPN Destination Network, enter the remote secure host in the Network field (PC 1 in this case), also enter its subnet mask, and click Update. 18. Click Update to save the VPN settings in the VPN menu. See the screenshot. (Screenshot: SonicWALL Administration, Add/Modify IPSec Security Associations: Security Association = TEST, IPSec Keying Mode = IKE using pre-shared secret, IPSec Gateway Address = 202.132.154.1, SA Life time (secs) = 28800, Encryption Met
199. ddress in the P-202H Plus v2. In this case the VPN connection can only be initiated from the dynamic side to the fixed side, in order to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all. 8. Which VPN gateways have been tested with the P-202H Plus v2 successfully? We have tested the P-202H Plus v2 successfully with the following third-party VPN gateways: Cisco 1720 Router (IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES), NetScreen-5 (ScreenOS 2.6.0r6), SonicWALL SOHO 2, WatchGuard Firebox II, ZyXEL P-202H Plus v2, Avaya VPN, Netopia VPN, II VPN. 9. Which VPN software has been tested with the P-202H Plus v2 successfully? We have tested the P-202H Plus v2 successfully with the following third-party VPN software: SafeNet Soft-PK (3DES edition), Checkpoint Software, SSH Sentinel 1.4, SecGo IPSec for Windows, F-Secure IPSec for Windows, KAME IPSec for UNIX, Nortel IPSec for UNIX, Intel VPN v.6.90, FreeS/WAN for Linux, SSH Remote ISAKMP Testing Page (http://isakmp-test.ssh.fi/cgi-bin/nph-isakmp-test), Windows 2000 IPSec. 10. Will ZyXEL support Secure Remote Management? Yes, we will support it and we are working on it currently. 11. Does the P-202H Plus v2 VPN support NetBIOS broadcast? The current 3.40 firmware release does not support it, but it is in our wis
200. default server: a service request that does not have a server explicitly designated for it is forwarded to the default server. If the default server is not defined, the service request is simply discarded. Configuration: to make a server visible to the outside world, specify the port number of the service and the inside address of the server in Menu 15, Multiple Server Configuration. Outside users can access the local server using the P-202H Plus v2's WAN IP address, which can be obtained from menu 24.1. For example, configuring an internal Web server for outside access: Menu 15.2 NAT Server Setup, with columns Rule / Start Port No. / End Port No. / IP Address, a Default row, and the remaining rows blank. Press ENTER to Confirm or ESC to Cancel. Port numbers for some services: FTP 21, Telnet 23, SMTP 25, DNS (Domain Name Server) 53, WWW-HTTP (Web) 80. Tested SUA Applications (e.g. Cu-SeeMe, ICQ, NetMeeting): (Figure: Prestige between Cu-SeeMe Player and Cu-SeeMe Player.) Introduction: generally, SUA makes your LAN appear as a single machine to the outside world; LAN users are invisible to outside users. However, some applications such as Cu-SeeMe and ICQ need to connect to the local user behind the P-202H Plus v2. In such a case, a SUA server must be entered in menu 15 to forwa
201. device filters. Configure the second filter set, NetBIOS_LAN, by selecting Filter Set number 2. Rule 1: source port number 137, destination port number 53, with protocol number 6 (TCP). Menu 21.2.1 TCP/IP Filter Rule, Filter #2,1: Filter Type = TCP/IP Filter Rule; Active = Yes; IP Protocol = 6; IP Source Route = No; Destination: IP Addr = 0.0.0.0, IP Mask = 0.0.0.0, Port # = 53, Port # Comp = Equal; Source: IP Addr = 0.0.0.0, IP Mask = 0.0.0.0, Port # = 137, Port # Comp = Equal; TCP Estab = No; More = No; Log = None; Action Matched = Drop; Action Not Matched = Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Rule 2: source port number 137, destination port number 53, with protocol number 17 (UDP). Menu 21.2.2 TCP/IP Filter Rule, Filter #2,2: Filter Type = TCP/IP Filter Rule; Active = Yes; IP Protocol = 17; IP Source Route = No; Destination: IP Addr = 0.0.0.0, IP Mask = 0.0.0.0, Port # = 53, Port # Comp = Equal; Source: IP Addr = 0.0.0.0, IP Mask = 0.0.0.0, Port # = 137, Port # Comp = Equal; TCP Estab = N/A; More = No; Log = None; Action Matched = Drop; Action Not Matched = Forward. Press ENTER to Confirm or ESC to Cancel. After the first filter set is finished you will see the complete rules summary as below (Menu 21.2 Filter Rules Summary: #, A, Type, Filter Rules, M, m, n). Please apply this second filter set, NetBIOS_LAN, in the protocol filters
202. due to no link or a wrong number. Solution: check the Menu 2 setting and reinitialize the ISDN line. 36. Message: PP09 ERROR Inet SUA cannot get IP addr from server. Meaning: the server did not assign an IP address to you when you are using SUA. Solution: request that the server assign an IP address to you if you need to use SUA. 37. Message: PNET ERROR iproute SUA O/G No port for source A0659522 264. Meaning: the outgoing call failed since the port for the source is not in the SUA table. Solution: too many users on the LAN. 38. Message: PP09 WARN Discard unknown network protocol 0x802B. Meaning: the peer is using a different network protocol (WARN is a warning log). Solution: not a problem. 39. Message: PP0a WARN CHAP login to remote failed, please check user/pswd. Meaning: login to the remote node failed. Solution: check the login name and password. 40. Message: PP09 WARN Local IP mismatch, proposed 1.1.1.1, neg'd 209.24.163.33. Meaning: the peer wants to assign you an IP address that is different from the Menu 3.2 local IP address. Solution: use SUA to accept the peer-assigned IP address. 41. Message: WARN ppp CCP Stac seq error, recv'd 0x67, exp'd 0x81. Meaning: the received compression packet does not match the expected sequence number. Solution: it is not a problem. 42. Message: PP08 INFO CALL REJ ch<5ba788> CLID not matched. Meaning: the CLID number is not mat
203. e Mode: Initiator; Main (ID Protection) / Aggressive. (Screenshot: Phase 1 Proposal; Preshared Key; Local ID (optional); Preferred Certificate (optional): Local Cert = None, Peer CA = None, Peer Type = NONE.) 8. Click New Remote Tunnel Gateway to add the remote VPN gateway, i.e. the P-202H Plus v2. 9. Give a name to this gateway, for example P-202H Plus v2. 10. Click Static IP Address for this example. 11. Enter the WAN IP of the P-202H Plus v2 in the IP Address field. 12. Select the P-202H Plus v2 proposal that we configured above as the Phase 1 Proposal. 13. Enter 12345678 as the Preshared Key and click OK to save. See the screenshot. (Screenshot: Remote Tunnel Gateway Configuration: Gateway Name = ZyWALL; Remote Gateway = Static IP Address, Address = 202.132.154.1, Peer ID (optional); Dynamic IP Address, Peer ID; Dialup Us
204. e 21 1 P 232; Subnet mask 255.255.255.255; Destination address: My IP Address; Mirrored: also match packets with the exact opposite source and destination addresses. 5. In the Destination address, choose A specific IP Address and enter the IP address of PC 2. (Screenshot: Filter Properties: A specific IP Address.) 7. On the Protocol tab, leave the protocol type as Any, because IPSec tunnels do not support protocol-specific or port-specific filters. (Screenshot: Select a protocol type: Any; Set the IP protocol port: From any port / To any port.) 8. On the Description tab you can give a name for this filter list. The filter name is displayed in the IPSec monitor when the tunnel is active. (Screenshot: Filter Properties.) 9. Click OK and Close to close the windows. IP Filter List: build a Filter List from PC 2 to PC 1. 1. On the IP Filter List tab, click Add. (Screenshot: New Rule Properties, IP Filter List: New IP Filter List, WIN2K to ZyWALL.)
205. e (screenshot: TEST, 192.168.1.34, 192.168.1.34, ESP DES HMAC MD5; IKE, 192.168.181.1, 192.168.1.34, 192.168.1.34, 192.168.181.254, 202.132.154.1; SAs defined: 2, SAs allowed: 26; STATUS: Ready.) P-202H Plus v2 to WatchGuard Tunneling: This page guides us through setting up a VPN connection between the P-202H Plus v2 and a WatchGuard. As the figure below shows, the tunnel between PC 1 and PC 2 ensures the packets flowing between them are secure. To set up this VPN tunnel, the required settings for the P-202H Plus v2 and the WatchGuard are explained in the following sections. (Figure: LAN 1 / Prestige / IPSec Tunnel / WatchGuard / LAN 2.) The IP addresses we use in this example are as shown below: on the Prestige side, LAN 192.168.1.1, PC 192.168.1.33, WAN 202.132.154.1; on the WatchGuard side, LAN 192.168.2.1, WAN 168.10.10.66, PC 192.168.2.33. Note: the following configurations assume that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case the VPN connection can only be initiated from the dynamic side to the fixed side, to update its dynamic IP to the fixed side; from this connection the source IP is obtained and then updated into the previous 0.0.0.0 field. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all. 1. Setup P-202H Plus v2
206. e compatibility, Sentinel sends many kinds of possible proposals for its peer side (say, the P-202H Plus v2) to choose from. If you uncheck this option, Sentinel will only send out the proposal you configured. To decrease negotiation time you can uncheck this option and verify that the phase 1 and phase 2 parameters are consistent on both sides. 10. How do I initiate a VPN tunnel from Sentinel? Right-click the SSH icon in the system tray and click the VPN connection you have set up under Select VPN. Packet triggering doesn't work in this case. 11. Can the P-202H Plus v2 be the initiator of a VPN tunnel to Sentinel? No. Sentinel is supposed to be a VPN solution for remote access. Please always initiate your VPN tunnel from Sentinel, not from the P-202H Plus v2. 12. How can I verify whether the VPN connection is up in Sentinel? You can check whether your VPN connection is up by double-clicking the SSH icon in the system tray. If the connection is up you should see your VPN network in the pop-up window. 13. I am using EnterNet 300, a PPPoE dial-up software. Any concern? If using the EnterNet PPP over Ethernet client, the network access type must be set to Protocol Driver in the client's advanced connection settings: open the EnterNet 300 Profiles window > Connections > Settings > Advanced > in the Network Access section choose Protocol Driver. Application Notes: General Application No
207. e more / Overload; Many-to-Many No Overload; Server. Local IP Start: this is the starting local IP address (ILA); example value 0.0.0.0. Local IP End: this is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for the One-to-One type; example value 255.255.255.255. Global IP Start: this is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP; example value 0.0.0.0. Global IP End: this is the ending global IP address (IGA). This field is N/A for the One-to-One, Many-to-One and Server types; example value 172.16.23.55. The Local and Global IP fields are N/A for the Server type. Note: for all Local and Global IPs, the End IP address must begin after the IP Start address, i.e. you cannot have an End IP address beginning before the Start IP address. NAT Server Sets: the NAT Server Set is a list of LAN-side servers mapped to external ports, similar to the old SUA menu. If you wish, you can make inside servers for different services (e.g. Web or FTP) visible to outside users, even though NAT makes your network appear as a single machine to the outside world. A server is identified by its port number, e.g. Web service is on port 80 and FTP on port 21. As an example, see the following figure: if you have a Web server at 192.168.1.36 and a FTP server at 192.1
208. e packets flowing between them are secure. To set up this VPN tunnel, the required settings for the P-202H Plus v2 and the Cisco Router are explained in the following sections. (Figure: Prestige / IPSec Tunnel.) The IP addresses we use in this example are as shown below: on the Prestige side, LAN 192.168.1.1, PC 192.168.1.33, WAN 172.21.10.50; on the Cisco side, LAN 192.168.2.1, WAN 140.113.10.50, PC 192.168.2.4. Note: 1. When using a Cisco Router to establish a VPN, a back-to-back connection is not applicable. In other words, the WAN IPs of the P-202H Plus v2 and the Cisco router can't be in the same subnet. 2. The following configurations assume that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case the VPN connection can only be initiated from the dynamic side to the fixed side, to update its dynamic IP to the fixed side; from this connection the source IP is obtained and then updated into the previous 0.0.0.0 field. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all. If the WAN IP of the P-202H Plus v2 is also a dynamic IP, we enter 0.0.0.0 as its My IP Address; when this IP is given by the ISP, it will be updated into this field. 1. Setup P-202H Plus v2: 1. Log in to the P-202H Plus v2 by giving the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1, default
209. e to Main, as we configured in Sentinel. 5. Local IP Address Type is Subnet; Address Start is 192.168.1.0; End/Subnet Mask is 255.255.255.0. 6. Remote IP Address Type is Single; Address Start is Sentinel's IP, 172.21.1.232. 7. My IP Addr is the WAN IP of the P-202H Plus v2. 8. Secure Gateway IP Addr is also Sentinel's IP, 172.21.1.232. 9. Set Encapsulation Mode to Tunnel. 10. Check the ESP check box (AH cannot be used in the SUA/NAT case). 11. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in Sentinel. 12. Enter the key string 12345678 in the Pre-Shared Key text box and click Apply. 13. Press the Advanced button to set the IKE phase 1 and phase 2 parameters. See the VPN rule screenshot. (Screenshot: ZyXEL Web configurator, VPN IPSec Setup: Active checked; Keep Alive; Name (to SSH); IPSec Key Mode = IKE; Negotiation Mode = Main; Local Address Type = Subnet, IP Address Start = 192.168.1.0, End/Subnet Mask = 255.255.255.0; Remote Address Type = Single, IP Address Start = 172.21.1.232, End/Subnet Mask = 0.0.0.0; Local ID Type = IP, Content = 0.0.0.0; My IP Address; Peer ID Type = IP, Content = 0.0.0.0; Secure Gateway IP Address = 172.21.1.232; Encapsulation Mode = Tunnel; Security Protocol: VPN Prot
210. e whether to use IKE (ISAKMP) or manual key configuration to set up a VPN. There are two phases in every IKE negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA, and phase 2 uses that SA to negotiate SAs for IPSec. 11. What is a Pre-Shared Key? A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called pre-shared because you have to share it with the other party before you can communicate with them over a secure connection. 12. What are the differences between IKE and manual key VPN? The only difference between IKE and manual key is how the encryption keys and SPIs are determined. For IKE VPN, the keys and SPIs are negotiated from one VPN gateway to the other; afterward, the two VPN gateways use these negotiated keys and SPIs to send packets between the two networks. For manual key VPN, the encryption key, the authentication key (if needed) and the SPIs are predetermined by the administrator when configuring the security association. IKE is more secure than manual key because IKE negotiation can generate new keys and SPIs randomly for the VPN connection. P-202H Plus v2 VPN: 1. How do I configure P-202H Plus v2 VPN? You can configure the P-202H Plus v2 for VPN using SMT or the Web configurator (the P-202H Plus v2 1 supports Web only). 2. How many VPN connections does the P-20
211. eaders. It is applicable to all protocols that understand that data in the packet is intended for other layers, from the network layer up to the application layer. 2. The P-202H Plus v2's firewall performs stateful inspection. It takes into account the state of the connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked. 3. The P-202H Plus v2's firewall uses session filtering, i.e. smart rules that enhance the filtering process and control the network session rather than controlling individual packets in a session. 4. The P-202H Plus v2's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet. 5. The P-202H Plus v2's firewall provides an email service to notify you with routine reports and when alerts occur. 5. Why do you need a firewall when your router has packet filtering and NAT built in? With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filters and NAT restrict access to particular computers and networks, for other companies this security may be insufficient, because packet filters typically cannot maintain session state. Thus, for greater security, a firewall is co
212. eate a large amount of ICMP echo request packets, the resulting ICMP traffic will not only clog up the intermediary network but will also congest the network of the spoofed source IP address, known as the victim network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible. 12. What is an IP Spoofing attack? Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. 13. What are the default ACL firewall rules in the P-202H Plus v2? There are two default ACLs pre-configured in the P-202H Plus v2: one allows all connections from LAN to WAN, and the other blocks all connections from WAN to LAN except for DHCP packets. (Figure: Prestige between LAN and Internet; default ACLs: Forward LAN to WAN Connections; Block WAN to LAN Connections.) 14. Why is a static policy route blocked by the P-202H Plus v2? The P-202H Plus v2 is an ideal secure gateway for all data passing between the Inte
213. ecure, because the packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for FreeS/WAN and the P-202H Plus v2 are explained in the following sections. (Figure: FreeS/WAN Linux box / IPSec Tunnel / Prestige.) The IP addresses we use in this example are as shown below: on the Prestige side, LAN 192.168.0.254, WAN 202.132.170.1, Gateway 202.132.170.254, subnet 192.168.0.0/24; on the FreeS/WAN side, LAN 192.168.10.20, WAN 65.170.185.111, Gateway 65.170.185.65, subnet 192.168.10.0/24. 1. Setup FreeS/WAN: we presume that your Linux kernel has been compiled to support FreeS/WAN and that FreeS/WAN has been installed successfully on your system. You can refer to the following URL for more information: http://www.freeswan.org. Two files must be configured in the /etc directory. ipsec.conf: config setup / interfaces="ipsec0=eth1" / klipsdebug=none / plutodebug=none / plutoload=%search / plutostart=%search / conn %default / keyingtries=3 / conn P-202H Plus v2 / left=65.170.185.111 / leftsubnet=192.168.10.0/24 / leftnexthop=65.170.185.65 / right=202.132.170.1 / rightsubnet=192.168.0.0/24 / rightnexthop=202.132.170.254 / auto=start / pfs=no / authby=secret. ipsec.secrets: 65.170.185.111 202.132.170.1 : PSK "12345678". 2. Setup P-202H Plus v2 VPN
214. ed. PPP negotiation failed: > isdn dial 1 (or dev dial 1) / Start dialing for node <1> / Dialing chan<1> phone(last 9 digit):40201 / Hit any key to continue / Call CONNECT speed<64000> chan<1> prot<1> / LCP up / CHAP send response / CHAP login to remote OK / IPCP negotiation started / BACP negotiation started / BACP up / CHAP send response / CHAP login to remote OK. In the above case the IPCP negotiation has started, but there is no "IPCP up" message. This means that the IP negotiation failed, and even though the line is up you can't ping from one end to the other. To identify the problem you must collect the PPP negotiation trace. Following are the steps to collect PPP negotiation packets; you can use these steps to collect traces for all PPP-related problems: P128> sys trcl cl (Program Trace Switch OFF) / P128> sys trcl sw on / P128> sys trcp sw on / P128> isdn dial 1 (or dev dial 1) / Start dialing for node <1> / Dialing chan<1> phone(last 9 digit):40201 / Hit any key to continue / Call CONNECT speed<64000> chan<1> prot<1> / LCP up / CHAP send response / CHAP login to remote OK / IPCP negotiation started / BACP negotiation started / BACP up / P128> sys trcl disp / 102 fe3792 15e PDI dialer: Dialing chan<1> phone(last 9 digit):40201 / 103 fe8ea4 169
215. ed in RFC 1215. If any link of IDSL or WAN is up, the trap will be sent with the port number. The port number is its interface index under the interface group. 5. authenticationFailure (defined in RFC 1215): when receiving any SNMP get or set request with a wrong community, this trap is sent to the manager. 6. whyReboot (defined in ZYXEL-MIB): when the system is going to restart (warm start), the trap will be sent with the reason for the restart before rebooting. (i) For an intentional reboot: in some cases (downloading new files, the CI command sys reboot), the reboot is done intentionally, and traps with the message "System reboot by user" will be sent. (ii) For a fatal error: the system has to reboot on some fatal errors, and traps with the message of the fatal code will be sent. (Figure 3: ZyXEL Private MIB Tree: Products; pSysVariables Group, pDialInVariables Group, pRemoteNodeVariables Group, pRemoteUserVariables Group and further variable groups; Zyxel Traps.) Downloading ZyXEL's private MIB. 3. Configure the P-202H Plus v2 for SNMP: the SNMP related settings in the P-202H Plus v2 are configured in menu 22, SNMP Configuration. The following steps describe a simple setup procedure for configuring all SNMP settings. Menu 22 SNMP Configuration: SNMP 11
216. ed; xxxx means the connected speed; xxxxx means the Remote Call ID. C02: CLID call refused. L02: Call Terminated. C02: Call Terminated. Example: Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C01 Incoming Call 64000 4125678; Feb 14 17:07:18 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C02 Call Terminated. 2. Packet triggered log. Format: sdcmdSyslogSend(SYSLOG_PKTTRI, SYSLOG_NOTICE, String); String = Packet trigger: Protocol=xx, Data=xxxxxxxxxx; Protocol: (1) IP, (2) IPX, (3) IPXHC, (4) BPDU, (5) ATALK, (6) IPNG; Data: we will send forty-eight hex characters to the server. Example: Jul 19 11:28:39 192.168.102.2 ZyXEL Communications Corp.: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a8661 4ca849a7 7b08004a5c02000100616263646566676869; Jul 19 11:28:56 192.168.102.2 ZyXEL Communications Corp.: Packet Trigger: Protocol=1, Data=4500002c1b0140001f06b50ec0a8661 4ca849a7b0427001 7001 95b3e00000000600220008c. 3. Filter log. This message is available when Log is enabled in the filter rule setting. The message consists of the packet header and the log of the filter rules. Format: sdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD; IP[...] is the packet header, and S04>R01mD means filter set 4 (S) and rule 1 (R).
217. een the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecured network could determine a user's password. There has been some confusion in the assignment of port numbers for this protocol. The early deployment of RADIUS was done using the erroneously chosen port number 1645, which conflicts with the datametrics service. The officially assigned port number for RADIUS is 1812. So be sure which port your RADIUS server uses before configuring it in the P-202H Plus v2. Note: the P-202H Plus v2 is configured with the default port 1645; if it is changed to 1812, please reboot the P-202H Plus v2. RADIUS Server Setup: 1. Get the RADIUS application software and install it first. 2. If the callback feature is required, please add the following ZyXEL proprietary attributes to the Dictionary file, which is generally located in the RADIUS installation folder. Please note that when editing RADIUS files, some RADIUS servers do not suggest the DOS Editor or Notepad, so you can try WordPad instead. ZyXEL proprietary attributes: ATTRIBUTE Zyxel-Callback-Option 192 integer / VALUE Zyxel-Callback-Option None 0 / VALUE Zyxel-Callback-Option Optional 1 / VALUE Zyxe
218. efore answering the incoming call: hang up the phone and wait, then answer the incoming call. Hang up the current active call and switch back to the other call: hang up and wait for the phone to ring, then pick up the phone to return to the other call. 6. Why doesn't call waiting work as expected? An incoming caller will receive a busy signal if: you have two calls active (one active and one on hold, or both active by using Three-Way Calling); or you are dialing a number on the B channel the incoming caller is attempting to reach but have not yet established a connection. If no action is taken to answer the call (the call waiting indicator tone is ignored), the call waiting tones will disappear after about 20 seconds. 7. How do I do three-way calling? Press the Flash key to put the existing call on hold and receive a dial tone. Dial the third party's phone number. When you are ready to conference the calls together, press the Flash key again to establish a three-way conference call. 8. How do I remove a party from the three-way call? Simply press the Flash key. The last call that was added to the conference is dropped. If you hang up your telephone during a three-way call and the two other callers remain on the line, the ISDN network will do an implicit transfer to directly connect the two remaining callers together.
219. elect the VPN tab to define the protected domain of ZW and the encryption schemes used by the tunnel.
     (Screenshot: Workstation Properties.)
     Define the Checkpoint box as a tunnel endpoint.
     (Screenshot: Workstation Properties, General tab: IP Address 62.2.237.177; Location: Internal; Type: Gateway; Modules Installed: VPN.)
     Select the VPN tab to define the protected domain of Checkpoint and the encryption schemes used by the tunnel.
     (Screenshot: Workstation Properties, VPN tab: Domain; Encryption schemes defined: Manual IPSEC, IKE; Edit.)
     Choose IKE and press Edit to edit the Phase 1 parameters and pre-shared key.
     (Screenshot: IKE Properties, General tab: Key Negotiation Encryption Method DES / CAST / 3DES; Hash Method MD5 / SHA1; Authentication Method: Pre-Shared Secret (Edit Secrets), Public Key Signatures.)
220. emote (screenshot of the VPN rule, continued: Remote address Start / End; NAT; Phase 1: Negotiation Mode Main, Pre-Shared Key, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds), Key Group DH1; Phase 2: Active Protocol ESP, Encryption Algorithm DES, Authentication Algorithm, SA Life Time (Seconds), Encapsulation Tunnel, Perfect Forward Secrecy (PFS) NONE; Apply / Cancel.)
     2. The corresponding rule for Branch_B_2 in the headquarters:
     (Screenshot: P-202H Plus v2 web configurator, Advanced Setup > VPN > IKE / IPSec Setup: Active checked; Keep Alive; Name to_Branch_B_2; IPSec Key Mode IKE; Negotiation Mode Main; Local: Address Type Range, IP Address Start 192.168.3.0; Remote: Address Type Range, IP Address Start 192.168.2.0, End / Subnet Mask 192.168.2.255; Local ID Type IP, Content 0.0.0.0; My IP Address 0.0.0.0; Peer ID Type IP, Content 0.0.0.0; Secure Gateway IP Address 202.2.1.1; Encapsulation Mode Tunnel; Security Protocol: VPN Protocol ESP, Pre-Shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm SHA1; Advanced; Back / Apply / Cancel / Delete.)
221. en Required. Dial-in User = Yes; IP Pool = No; IP Start Addr = N/A; IP Count (1,2) = N/A. PPP Options: Recv Authen = CHAP/PAP; Compression = Yes; Mutual Authen = No; O/G Login = N/A; O/G Password = N/A. Session Options: Edit Filter Sets = No. Multiple Link Options: Max Trans Rate (Kbps) = 128. Callback Budget Management: Allocated Budget (min) = ; Period (hr) = . Press ENTER to Confirm or ESC to Cancel.
     2. Create a remote node for a LAN-to-LAN connection using CLID callback.
     Menu 11.1 - Remote Node Profile: Rem Node Name = LAN1; Active = Yes; Call Direction = Both; Incoming: Rem Login = test, Rem Password = , Rem CLID = 20000, Call Back = Yes; Outgoing: My Login = test, My Password = , Authen = CHAP/PAP, Pri Phone # = 20000, Sec Phone # = ; Edit PPP Options = No; Rem IP Addr = 192.168.2.1; Edit IP = No; Telco Option: Transfer Type = 64K, Allocated Budget (min) = , Period (hr) = , Schedules = , Nailed-Up Connection = N/A, Toll Period (sec) = 0; Session Options: Edit Filter Sets = No, Idle Timeout (sec) = 300. Press ENTER to Confirm or ESC to Cancel.
     CLID Settings (Option / Description):
     Rem CLID: enter the remote phone number in this field, which will be used for the CLID authentication. If this number does not match the one that the switch carries, the P-202H Plus v2 will drop the line due to the CLID authentication failure.
     Call Back: Togg
     Outgoing My Login:
     Outgoing My
222. en them are secure, because the packets going through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for Sentinel and the P-202H Plus v2 are explained in the following sections. As the red pipe in the following figure shows, the tunneling endpoints are Sentinel and the P-202H Plus v2.
     (Figure: Sentinel -- IPSec tunnel -- P-202H Plus v2.)
     The IP addresses we use in this example are as shown below: LAN 192.168.1.1; (Dynamic IP).
     1. Setup P-202H Plus v2
     1. Configure the P-202H Plus v2 to use DDNS for the WAN IP address update; you can refer to "Using DDNS" for how to configure it. We presume that you have got a dynamic domain name, P-202H Plus v2.ddns.org, and updated your current WAN IP successfully.
     2. Using a web browser, log in to the P-202H Plus v2 by giving the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1, and the default password to log in to the web configurator is 1234.
     3. Go to Advanced > VPN.
     4. Check the Active box to enable this rule. Check Keep alive to make your VPN connection stay permanent.
     5. Select Negotiation Mode: Main.
     6. Local IP Address Type is Subnet; Address Start is 192.168.1.0; End / Subnet Mask is 255.255.255.0.
     7. Remote IP: leave this field blank.
     8. My IP Addr: leave this field as 0.0.0.0.
     9. Secure Gateway IP Addr is Sentinel's IP; since Sentinel is using a dynamic IP address, fill this field as 0.0.0.0.
     10.
223. ening ppp BACP Opening ppp LCP Closing ppp IPCP Closing ppp CCP Closing ppp BACP Closing
     sdcmdSyslogSend(SYSLOG_POTSLOG, SYSLOG_NOTICE, String)
     String = "Call Connect/Disconnect: Dir=xx Remote Call=xxxxx Local Call=xxxxx"
     Dir: the call direction, 1 = incoming call, 2 = outgoing call. Remote Call: a string type which represents the remote call number. Local Call: a string type which represents my local call number.
     Example:
     Jul 19 12:08:25 192.168.1.1 ZyXEL Communications Corp.: Call Connect: Dir=2 Remote Call=5783942 Local Call=1
     Jul 19 12:08:29 192.168.1.1 ZyXEL Communications Corp.: Call DisConnect: Dir=2 Remote Call=2453140 Local Call=1
     7. ISDN Leased Line Setup
     Internet Access via ISDN Leased Line: this configuration illustrates Internet access over an ISDN leased line that is installed by the telco. Key settings in the P-202H Plus v2: Menu 2 ISDN Setup; Menu 4 Internet Access Setup.
     Menu 2 - ISDN Setup: Switch Type = DSS-1; B Channel Usage = Leased/Unused; Incoming Phone Numbers: ISDN Data = ; Advance Setup = No.
     B Channel Usage: set to Leased/Unused if you are using one 64K leased line; set to Leased/Leased if you are using one 128K leased line; Se
224. eps: host key; checkpoint certificate; ZyWALL. (Screenshot: SSH Sentinel Key Management, My Keys: Add / Remove / Properties / View. Description: "The keys that are used for authenticating the local host.")
     6. Switch to the Security Policy tab, choose VPN Connections and then press Add.
     (Screenshot: SSH Sentinel Policy Editor, Security Policy tab: Pre-IPSec Filter, VPN Connections, Secured Connections, Secured Networks, Default Response, Post-IPSec Filter; Add / Remove / Properties / Diagnostics. Description: "A virtual private network is created when the local host establishes an IPSec-protected connection to a remote private network through a security gateway.")
     7. The Add VPN Connection window will pop up. Enter P-202H Plus v2.dyndns.org in Gateway IP address.
     8. Press the button beside Remote network.
     (Screenshot: Add VPN Connection: Gateway name zywall.dyndns.org; Remote network; Authentication key: certificate; Use legacy proposal; Diagnostics / Properties / Cancel.)
     9. The Network Editor window will pop up. Press the New button and enter P-202H Plus v2 in Network name and 192.168.1.0 in the IP address field and 255
225. er Group = None; Mode (Initiator): Main (ID Protection) / Aggressive; Phase 1 Proposal; Local ID (optional); Preferred Certificate (optional): Local Cert None, Peer CA None, Peer Type NONE. (Screenshot residue from the NetScreen Remote Gateway configuration.)
     Create AutoKey IKE
     1. Click the VPN menu and click the AutoKey IKE tab.
     2. Click New AutoKey IKE Entry to add the entry for the local gateway, i.e. NETSCREEN.
     3. Select NETSCREEN as the Remote Gateway Tunnel Name.
     4. Select P-202H Plus v2 as the Phase 2 Proposal and click OK to save. See the screen shot.
     (Screenshot: NetScreen Administration Tools in Microsoft Internet Explorer, address http://192.168.78.1/..., AutoKey IKE Configuration.) Name NETSCREEN; Enable Replay Protectio
226. er List / Authentication / Tunnel Setting: ZyWALL to WIN2K, test, Preshared Key, 172.21.1.232; WIN2K to ZyWALL, test, Preshared Key, 172.21.1.252; <Dynamic>, Default, Kerberos, None. Add / Edit / Remove; Use Add Wizard. (Screenshot residue from the Windows 2000 IP Security Policy rule list.)
     Assign Your New IPSec Policy to Your Windows 2000
     1. In the IP Security Policies on Local Machine MMC snap-in, right-click your new policy and click Assign.
     (Screenshot: Local Security Settings: Security Settings > Account Policies, Local Policies, Public Key Policies, IP Security Policies on Local Machine; policies listed: Client (Respond Only), Secure Server (Require Security), WIN2K to ZyWALL; context menu: Assign, All Tasks, Delete, Rename, Properties, Help.)
     2. A green arrow will appear in the folder icon next to your policy. See the screen shot below.
     (Screenshot: Local Security Settings with the Policy Assigned column.)
227. es the P-202H Plus v2 generate the firewall log? The P-202H Plus v2 generates the log immediately when a packet matches, doesn't match, or both, a firewall rule. The log for the default permit (LAN to WAN, WAN to LAN) is generated automatically. To generate the log for custom rules, the Log option in the Web Configurator must be set to Not Match, Match or Both. The Reason column for the default permit shown in the log will be "default permit <1,00>" or "<2,00>". Here <1,00> means the LAN to WAN default ACL set and <2,00> means the WAN to LAN default ACL set.
     2. What does the log show us?
     The log supports up to 128 entries. There are 2 rows and 5 columns for each entry. Please see the example shown below:
     # | Time | Packet Information | Reason | Action
     127 | Mar 15 03:03:54 | From 192.168.1.34 To 202.132.155.93, ICMP type 00008 code 00000 | default permit <1,00> | forward
     Where <X,Y> stands for <Set number, Rule number>, X = 1, 2 and Y = 00..10. There are two policy sets: set 1 for rules checking connections from LAN to WAN, and set 2 for rules checking connections from WAN to LAN. So X=1 means set 1 and X=2 means set 2. Y means the rule in the set; because we can configure up to 10 rules in a set, Y can be from 1 to 10. If the rule number shows 00, it means the Default Rule.
     3. How do I view the firewall
228. eserved (RFC1661); Reserved Until 20-Oct-2000 (IANA); Reserved Until 20-Oct-2000 (IANA); NTCITS IPI Control Protocol (Ungar); Not Used, reserved (RFC1661); single link compression in multilink control (RFC1962); Compression Control Protocol (RFC1962); Not Used, reserved (RFC1661); Cisco Discovery Protocol Control (Sastry); Netcs Twin Routing (Korfmacher); Apple Client Server Protocol Control (Ridenour); Tag Switching Unicast (Davie); Tag Switching Multicast (Davie).
     LCP Layer Numbers: Link Control Protocol; Password Authentication Protocol; Link Quality Report; Shiva Password Authentication Protocol; CallBack Control Protocol (CBCP); BACP Bandwidth Allocation Control Protocol (RFC2125); BAP (RFC2125); Container Control Protocol (KEN); Challenge Handshake Authentication Protocol; RSA Authentication Protocol (Narayana); Extensible Authentication Protocol (RFC2284); Mitsubishi Security Info Exch Ptcl (SIEP) (Seno); Stampede Bridging Authorization Protocol; Proprietary Authentication Protocol (KEN); Proprietary Authentication Protocol (Tackabury); Proprietary Node ID Authentication Protocol (KEN).
     It is recommended that values in the 02xx to 1exx and xx01 to xx1f ranges not be assigned, as they are compression inefficient. Protocol field values in the 0xxx to 3xxx range identify the network layer protocol of specific datagrams, and values in the 8xxx to bxxx range identify datagrams belonging to the associated Network Control Protocol (NCP).
229. et Setup in SMT Menu 3
     Menu 3.2 - TCP/IP and DHCP Ethernet Setup: DHCP Setup: DHCP = None; Client IP Pool Starting Address = N/A; Size of Client IP Pool = N/A; Primary DNS Server = N/A; Secondary DNS Server = N/A. TCP/IP Setup: IP Address = 203.66.113.1; IP Subnet Mask = 255.255.255.0; RIP Direction = Both; Version = RIP-2B; Edit IP Alias = No.
     2. Remote Node Setup in SMT Menu 11
     Menu 11.1 - Remote Node Profile: Rem Node Name = LAN2; Active = Yes; Call Direction = Outgoing; Incoming: Rem Login = , Rem Password = , Rem CLID = N/A, Call Back = N/A; Outgoing: My Login = test, My Password = , Authen = CHAP/PAP, Pri Phone # = 5007025, Sec Phone # = ; Edit PPP Options = No; Rem IP Addr = 202.113.5.1; Edit IP = No; Telco Option: Transfer Type = 64K, Allocated Budget (min) = , Period (hr) = , Schedules = , Carrier Access Code = , Nailed-Up Connection = No, Toll Period (sec) = 0; Session Options: Edit Filter Sets = No, Idle Timeout (sec) = 100. Press ENTER to Confirm or ESC to Cancel.
     Key Settings:
     - Select the Active field to Yes.
     - Select the Call Direction to Incoming.
     - Enter the correct node account for the dial-in router in the Rem Login and Rem Password fields.
     - Enter the IP address of the remote router in the Rem IP Addr field.
     After you have finished the above
230. et the release note in PDF format.
     Troubleshooting
     1. Internet Connection
     Related SMT screens and CI commands: SMT Menu 1, 4; SMT Menu 24.1 and 24.4; isdn loop; dev dial.
     Some basic knowledge about Internet connection setup: before we start any verification or troubleshooting of the Internet setup, let us first give a brief introduction of the connection setup sequence. Any PPP call to the Internet or to another ISDN router can be divided into the following steps: Dialing; LCP negotiation; Authentication (it can be None, PAP or CHAP); NCP negotiation (NCP can be IPCP, BACP, BCP, CCP or IPXCP). The P-202H Plus v2 provides a very clear log for each step of the call setup. The following shows the messages displayed in each step; if a step fails, an error message is displayed.
     start Dialing chan<1> phone<20301>          <-- Dialing
     Call CONNECT speed<64000> type<2> chan<0>   <-- Dial OK
     After the call is up, the P-202H Plus v2 will start LCP negotiation:
     LCP opened                                  <-- LCP OK
     CHAP login to remote OK                     <-- Auth OK
     IPCP negotiation started                    <-- IPCP negotiation
     BACP negotiation started
     BCP stopped                                 <-- BCP not available
     CCP stopped                                 <-- CCP not available
     IPCP opened                                 <-- IPCP OK
     BACP opened
231. etup. Phase 1: Negotiation Mode = Main; Pre-Shared Key = 12345678; Encryption Algorithm = DES; Authentication Algorithm = MD5; SA Life Time (Seconds) = 3600; Key Group = DH1. Phase 2: Active Protocol = ESP; Encryption Algorithm = DES; Authentication Algorithm = MD5; SA Life Time (Seconds) = 3680; Encapsulation = Tunnel; Perfect Forward Secrecy (PFS) = None. Press ENTER to Confirm or ESC to Cancel.
     2. Setup P-202H Plus v2 B
     Similar to the settings for P-202H Plus v2 A, P-202H Plus v2 B is configured in the same way.
     1. Using a web browser, log in to the P-202H Plus v2 by giving the LAN IP address of the P-202H Plus v2 in the URL field.
     2. Click Advanced and click the VPN tab on the left.
     3. On the SUMMARY menu, select a policy to edit by clicking Edit.
     4. On the CONFIGURE IKE menu, check the Active check box and give a name to this policy.
     5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in P-202H Plus v2 A.
     6. Source IP Address Start and Source IP Address End are PC 2's IP in this example (the secure host behind P-202H Plus v2 B).
     7. Destination IP Address Start and Destination IP Address End are PC 1's IP in this example (the secure remote host). Note: you may assign a range of Local/Remote IP addresses for multiple VPN sessions.
     8. My IP Addr is the WAN IP of P-202H Plus v2 B.
     9. Secure Gateway IP Addr is the remote secure gateway IP, that is, P-202H Plus v2 A's WAN IP in this example.
     10. Select Encapsulation Mode to Tunnel.
     11. Check
232. g in to the P-202H Plus v2. Set the Active field to Yes.
     - Dial-in user with callback: Menu 14.1 - Edit Dial-in User: User Name = abc; Active = Yes; Passwd = *********; Callback = Mandatory; Phone # Supplied by Caller = Yes; Callback Phone # = N/A; Rem CLID = ; Idle Timeout = 100.
     - There are two options for the callback: Mandatory and Optional. If Mandatory is configured, the P-202H Plus v2 router has to call back anyway. If Optional is configured, the dial-in user will have the chance to cancel the callback.
     - The number for calling back to the dial-in user can be specified by the user during the connection, or pre-configured in the Callback Phone # field of the P-202H Plus v2.
     5. Filter
     How does the ZyXEL filter work? Conceptually, there are two categories of filter rules: device and protocol. The Generic filter rules belong to the device category; they act on the raw data from/to LAN and WAN. The IP and IPX filter rules belong to the protocol category; they act on the IP and IPX packets. In order to allow users to specify the local network IP address and port number in the filter rules with SUA connections, the TCP/IP filter function has to be executed before SUA for WAN outgoing packets and after SUA for WAN incoming IP packets. But at the same time, the Generic filter rules must be applied at the point where the P-202H Plus v2 is receiving and sending the packets, i.e. the ISDN interface. So the execution sequence has to be ch
233. gs
     (Screenshot: Security Association: IP Address 192.168.1.0, Subnet Mask 255.255.255.0, Protocol ALL, Port ALL. Security Parameters: Authentication Header (AH) None, Transport Mode; Encryption and Authentication (ESP): Authentication, Encryption DES (56-bit key), Transport Mode. Session Keys: Re-key every N minutes / Re-key every N Kbytes; Perfect forward secrecy; Always use these settings when creating a new SA.)
     4. Select Shared Secret as the Authentication Method and enter the pre-shared key 12345678. Then press Advanced to edit the Phase 1 parameters.
     (Screenshot: Tunnel Properties, Security Associations tab: "Configure these settings via the VPN Gateway"; Accept peer proposal; SA list: IP/Mask 192.168.1.0/255.255.255.0, ALL, ALL, Status Disconnected, Security ESP DES; Add / Edit / Delete. Internet Key Exchange (IKE) settings: Authentication: Certificate; Key Length 1024 (High Security); Advanced.)
     5. Specify the phase SA life time you would like to have (60 minutes, for example), Encryption as DES (56-bit key), Authentication as HMAC-MD5 and Diffie-Hellman Group as 1 (RSA 768 bits). Click OK to save.
234. h list.
     12. What is the difference between the My IP Address and the Secure Gateway IP Address in Menu 27.1.1?
     My IP Address is the Internet IP address of the local P-202H Plus v2. The Secure Gateway IP Address is the Internet IP address of the remote IPSec gateway.
     13. Is the host behind NAT allowed to use IPSec?
     NAT condition / Supported IPSec protocol:
     - VPN Gateway with embedded NAT: AH tunnel mode, ESP tunnel mode.
     - VPN client/gateway behind NAT: ESP tunnel mode (the NAT router must support IPSec pass-through).
     - NAT in Transport mode: None.
     For example, for P-202H Plus v2 SUA/NAT routers, IPSec pass-through is supported since ZyNOS 3.21. The default port and the client IP have to be specified in Menu 15, SUA Server Setup.
     14. Why does VPN throughput decrease when staying in SMT menu 24.1?
     If the P-202H Plus v2 stays in menu 24.1, 24.8 or 27.3, a certain amount of memory is allocated to generate the required statistics. So we do not suggest staying in menu 24.1, 27.3 or 24.8 when VPN is in use.
     15. How do I configure the P-202H Plus v2 with NAT for internal servers?
     Generally, without IPSec, to configure an internal server for outside access we need to configure the server's private IP and its service port in the SUA/NAT Server Table. However, if both NAT and IPSec are enabled in the P-202H Plus v2, editing the table is necessary only if the connection is a non-secure connec
235. hannDial err=3023 rn_p=576de0. Meaning: received unexpected event. Solution: do nothing; it should be information.
     3024: Message: PINI ERROR netMakeChannDial err=3024 rn_p=576de0. Meaning: state dial timeout. Solution: do nothing; it should be information.
     3025: Message: PINI ERROR netMakeChannDial err=3025 rn_p=576de0. Meaning: waiting for RADIUS authentication. Solution: do nothing; it should be information.
     3026: Message: PINI ERROR netMakeChannDial err=3026 rn_p=576de0. Meaning: RADIUS callback fail. Solution: do nothing; it should be information.
     3028: Message: PINI ERROR netMakeChannDial err=3028 rn_p=576de0. Meaning: cannot find the remote node. Solution: check the configuration.
     3029: Message: PINI ERROR netMakeChannDial err=3029 rn_p=576de0. Meaning: the node is not active. Solution: check the configuration of the remote node.
     3030: Message: PINI ERROR netMakeChannDial err=3030 rn_p=576de0. Meaning: dial fail. Solution: do nothing if it happens once in a while; check the line if you keep receiving this message.
     3031: Message: PINI ERROR netMakeChannDial err=3031 rn_p=586de0. Meaning: cannot dial due to no budget. Solution: reconfigure Menu 11 (remote node profile), Allocated Budget.
     3032: Message: PINI ERROR netMakeChannDial err=3032 rn_p=526de0. Meaning: RADIUS authentication S
236. header length | 6 bits reserved | flags (URG, ACK, PSH, RST, SYN, FIN) | 16-bit TCP checksum | 16-bit urgent pointer | options (if any) | data (if any)
     Based on the above headers, we can then interpret the "LAN Packet Which Triggered Last Call" as follows:
     LAN Packet Which Triggered Last Call: (Type: IP)
     45 00 00 2E CA 0E 40 00 1F 06 D7 09 CC F7 CB B4 CC D9 00 02 04 1C 00 15
     06 = TCP protocol; CC F7 CB B4 = 204.247.203.180, source IP; CC D9 00 02 = 204.217.0.2, destination IP; 04 1C = 1052 (dec), source port number; 00 15 = 21 (dec), destination port number (FTP port).
     IPX header in Menu 24.1:
     LAN Packet Which Triggered Last Call: (Type: IPX)
     00 28 01 01 00 00 00 00 FF FF FF FF FF FF 04 53 00 00 00 00 00 00 00 00 00 00 04 53 00 01 FF FF FF FF FF 00 00 00 00
     01 = IPX packet type; 00 00 00 00 = destination network number; FF FF FF FF FF FF = destination node number; 04 53 = destination socket number; 00 00 00 00 = source network number; 00 00 00 00 00 00 = source node number; 04 53 = source socket number.
     IPX packet type: 01 RIP, 02 echo, 03 error, 04 SAP, 05 SPX, 11 NCP, 14 NetBIOS. Socket number: 0451 NCP, 0451 SAP, 0453 RIP, 0455 NetBIOS.
     Filter Examples
     Filter example: a filter for blocking FTP connections from the WAN.
     - Introduction: the P-202H Plus v2 supports the fi
237. hentication: the VPN gateway may require IKE XAuth, RADIUS or CHAP authentication. (Screenshot residue: Settings / Description / Change.)
     13. Tune the IKE proposal to Encryption algorithm DES, Integrity function MD5, IKE mode main mode, IKE group MODP 768 (group 1), and the IPSec proposal to Encryption algorithm DES, Integrity function HMAC-MD5, PFS group none.
     (Screenshot: Proposal Parameters: main mode, MODP 768 (group 1), DES, HMAC-MD5.)
     14. Press Apply to save all of the settings.
     (Screenshot: SSH Sentinel Policy Editor, Security Policy tab: Pre-IPSec Filter; VPN Connections: 172.21.1.252 (ZyWALL); Secured Connections; Secured Networks; Default Response; Post-IPSec Filter; Add / Remove / Properties / Diagnostics.)
     15. Initiate the VPN connection from Sentinel by selecting your VPN connection from the Select VPN item.
     Note: A. When building a VPN between Sentinel and the P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side; please always initiate the tunnel from Sentinel. B. The VPN tunnel on Sentinel can't be initiated by triggered packets such as ping.
238. his case: they are the VPN software and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1 and the P-202H Plus v2 ensures that the packets flowing between them are secure, because the packets going through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for the software and the P-202H Plus v2 are explained in the following sections.
     (Figure: PC 1 (SafeNet SoftPK) -- IPSec Tunnel -- Prestige.)
     The IP addresses we use in this example are as shown below: LAN 202.132.171.1, 202.132.155.33; WAN 202.132.170.1, 202.132.171.33.
     1. Setup SoftPK VPN
     1. Open the SoftPK Security Policy Editor.
     2. Add a new connection named P-202H Plus v2 as shown below.
     3. Select Connection Security to Secure.
     (Screenshot: SafeNet SoftPK Security Policy Editor, Network Security Policy: new connection "P-202H Plus v2"; Connection Security: Secure; Remote Party Identity and Addressing: ID Type IP Address 0.0.0.0, Port all, Protocol all; Connect using Secure Gateway Tunnel, ID Type IP Address 0.0.0.0.)
     4. In the ID Type option, please choose the IP Address option and enter the IP address of the remote PC (PC 2 in this case).
     5. Check Connect using Secure Gateway Tunnel; please also select IP Address as the ID
239. hod: Encrypt and Authenticate (ESP DES HMAC MD5); Shared Secret 12345678; Destination Networks: Network 192.168.1.34, Subnet Mask 255.255.255.255; Add New Network; Advanced Settings; Logout. (Screenshot residue from the SonicWALL VPN Configure page; status: "There were no changes made".)
     (Screenshot: Edit VPN Destination Network: Network 192.168.1.34; Subnet mask 255.255.255.255; Update / Cancel.)
     If the SA is up, you can see a new button, Renegotiate, appear in the Summary screen.
     (Screenshot: SonicWALL Administration in Microsoft Internet Explorer, address http://192.168.181.1/management.html, VPN > Summary: Global IPSec Settings: Unique Firewall Identifier; Enable VPN / Disable all VPN; Windows Networking (NetBIOS) broadcast; Enable Fragmented Packet Handling. Current IPSec Security Associations: Name / Local / Remote / Encryption Method; Group VPN.)
240. ialing chan<1> phone(last 9 digits):40202
     Hit any key to continue
     Dial timeout: this means you have timed out in making a connection. Please refer to the next chapter for a more detailed discussion on this.
     Login to remote failed:
     Dialing chan<1> phone(last 9 digits):40201
     Hit any key to continue
     Call CONNECT speed<64000> type<2> chan<0>
     LCP opened
     CHAP login to remote failed
     LCP closed
     Recv'd TERM REQ
     Recv'd TERM ACK state:5
     LCP stopped
     TRY: verify the username and password with your ISP again, or retype the username and password fields again. When you retype the name and password and hit Return at "Press ENTER to Confirm or ESC to Cancel", if you don't see the "Saving to ROM" message then your original entry is the same as your retry; this means the name/password from the ISP may be incorrect. You must call your ISP and verify the name and password again.
     IP address rejected by your ISP:
     Dialing chan<1> phone(last 9 digits):40201
     Hit any key to continue
     Call CONNECT speed<64000> type<2> chan<0>
     LCP opened
     CHAP login to remote OK
     IPCP negotiation started
     IPCP opened
     Recv'd TERM ACK state:4
     LCP stopped
     sys log disp:
     PP09 WARN Local IP mismatch, proposed 192.68.135.183
     PP09 WARN neg'd 204.247.1.1
     Make sure RIP is turned on. This
241. ill receive the same error if you try to activate a Generic filter rule in a filter set that already has one or more active TCP/IP or IPX filter rules.
     Menu 21.1.1 - Generic Filter Rule: Filter # = 1,1; Filter Type = Generic Filter Rule; Active = Yes; Offset = 0; Length = 0; Mask = N/A; Value = N/A; More = No; Log = None; Action Matched = Check Next Rule; Action Not Matched = Check Next Rule.
     Menu 21.1.2 - TCP/IP Filter Rule: Filter # = 1,2; Filter Type = TCP/IP Filter Rule; Active = Yes; IP Protocol = 0; IP Source Route = No; Destination: IP Addr = 0.0.0.0, IP Mask = 0.0.0.0, Port # = 0, Port # Comp = None; Source: IP Addr = 0.0.0.0, IP Mask = 0.0.0.0, Port # = 0, Port # Comp = None; TCP Estab = N/A; More = No; Log = None; Action Matched = Check Next Rule; Action Not Matched = Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Saving to ROM. Please wait... "Protocol and device rule cannot be active together".
     To separate the device and protocol filter categories, two new menus, Menu 11.5 and Menu 13.1, have been added, as well as some changes made to Menu 3.1, Menu 11.1 and Menu 13. The new fields are shown below.
     Menu 3.1 - General Ethernet Setup: Input Filter Sets: protocol filters = ; device filte
242. in is the local file and ras is the remote file that will be saved in the P-202H Plus v2. The P-202H Plus v2 reboots automatically after the uploading is finished.
     Example: Using FTP client software
     Step 1. Rename the local firmware and configuration files to ras and rom-0, because we cannot specify the remote file name in the FTP client software.
     Step 2. Use an FTP client from your workstation to connect to the P-202H Plus v2 by entering the IP address of the P-202H Plus v2.
     Step 3. Enter the SMT password as the FTP login password; the default is 1234.
     Step 4. Press the OK key to ignore the username, because the P-202H Plus v2 does not check the username.
     1. Connect to the P-202H Plus v2 by entering the P-202H Plus v2's IP and SMT password in the FTP software. Set the transfer type to Auto-Detect or Binary.
     (Screenshot: Edit Host dialog, General tab: Site Label Prestige; Host Type Auto Detect; Host Address 202.132.155.97; User ID; Password; Initial Remote Directory; Remote Directory Filter; Initial Local Directory c:\temp; Local Directory Filter; Transfer type: ASCII / Image / Auto Detect; Login type: Normal / Anonymous / Double.)
243. in a remote node, check if SUA is needed. All others: collect PPP traces.
     2. Remote Node / Dial-in User Connection
     Related SMT screens and CI commands: SMT Menu 2; SMT Menu 24.4.12; SMT Menu 24.9; isdn dial (pre-ZyNOS) or dev dial (ZyNOS); sys log disp.
     Cannot outcall to a remote node: use the CI command "isdn dial <node>" to verify an outgoing call for a remote node. Use the CI command "system event" for an incoming call from a remote node. The following are some possible failure reasons for an outgoing call:
     - Dial failed: please refer to the previous chapter for more details.
     - ISDN protocol mismatched: please refer to the previous chapter for more details.
     - Incoming-only remote node: check Menu 11.
     Pre-ZyNOS:
     P2864> isdn dial 1
     Dial not allowed or No Channel   (call to an incoming-only remote node, or no free B channel)
     Hit any key to continue
     ZyNOS:
     Zyxel> dev dial 1
     Hit any key to continue
     hit any key
     Dial Fail null
     Zyxel> sys log disp
     Zyxel> PP09 ERROR netMakeChannDial err=3001 rn_p=575de0   (here 3001 means call out not allowed)
     Some common troubleshooting examples:
     - Phone number is in the Black List: check Menu 24.9.2.
     - Call exceeded the call budget: check Menu 24.9.3.
     - Login to remote node failed: check the name and password again.
     - PPP negotiation failed: IP address mis
244. ...in the P-202H Plus v2. c. When the data transfer is finished, the P-202H Plus v2 will program the upgraded firmware into FLASH ROM and reboot itself. d. To back up your firmware, use the TFTP client program to get the file ras from the P-202H Plus v2. 7. How do I upload ROMFILE via the console port? In some situations, such as losing the system password or needing to reset SMT to factory default, you may need to upload the ROMFILE. The procedure for uploading via the console port is as follows: a. Enter debug mode when powering on the P-202H Plus v2, using a terminal emulator. b. Enter ATURS to start the upload. c. Use the Xmodem protocol to transfer ROMFILE. d. Enter ATGO to restart the P-202H Plus v2. 8. How do I back up / restore SMT configurations using a TFTP client program via LAN? a. Use the TELNET client program on your PC to log in to your P-202H Plus v2 and use Menu 24.8 to enter the CI command sys stdio 0 to disable the console idle timeout. b. To back up the SMT configurations, use the TFTP client program to get the file rom-0 from the P-202H Plus v2. c. To restore the SMT configurations, use the TFTP client program to save your configuration in the file rom-0 in the P-202H Plus v2. 9. What should I do if I forget the system password? In case you forget the system password, you can upload ROMFILE to reset the SMT to factor...
245. ...ing no dial tone. Solution: check the phone line.
3041: Message "PINI ERROR netMakeChannDial err 3041 rn_p 576de0". Meaning: remote node is not active. Solution: activate the remote node.
3042: Message "PINI ERROR netMakeChannDial err 3042 rn_p 576de0". Meaning: no answer received. Solution: check whether the phone number is configured correctly.
3043: Message "PINI ERROR netMakeChannDial err 3043 rn_p 276de0". Meaning: dial timeout. Solution: change the timeout value.
3045: Message "PINI ERROR netMakeChannDial err 3045 rn_p 576de0". Meaning: redial stopped. Solution: do nothing; it should be information.
3046: Message "PINI ERROR netMakeChannDial err 3046 rn_p 76de0". Meaning: no number available to make a call again. Solution: do nothing; it should be information.
3047: Message "PINI ERROR netMakeChannDial err 3047 rn_p 56de0". Meaning: the first call to a peer with CLID authenticated and the peer has obtained the CLID, but PPP is not up yet, and a second call to the peer with the same CLID is coming. Solution: use a different CLID.
3048: Message "PINI ERROR netMakeChannDial err 3048 rn_p 576de0". Meaning: remote node is not L2TP enabled or supported. Solution: change the remote side configuration to enable L2TP if possible.
Other Error Codes:
35: Message "PINI ERROR LoopBack Test Fail 4". Meaning: ISDN loopback test fail...
246. ...ing or both.
3002: Message "PINI ERROR netMakeChannDial err 3002 rn_p 576de0". Meaning: remote node call direction is configured as outgoing only. Solution: change the call direction to both or incoming.
3003: Message "PINI ERROR netMakeChannDial err 3003 rn_p 576de0". Meaning: call failed, packet is filtered. Solution: clean the filter set and reboot.
3004: Message "PINI ERROR netMakeChannDial err 3004 rn_p 576de0". Meaning: call failed due to no iface. Solution: reboot or drop one line.
3005: Message "PINI ERROR netMakeChannDial err 3005 rn_p 576de0". Meaning: call failed, both channels are down or occupied. Solution: initialize the ISDN line or drop one line.
3006: Message "PINI ERROR netMakeChannDial err 3006 rn_p 576de0". Meaning: call request failed. Solution: check the configuration.
3007: Message "PINI ERROR netMakeChannDial err 3007 rn_p 576de0". Meaning: the remote node dialed to you and is waiting for you to call back. Solution: do nothing; it should be information.
3020: Message "PINI ERROR netMakeChannDial err 3020 rn_p 576de0". Meaning: call dial fail. Solution: check resource and configuration.
3022: Message "PINI ERROR netMakeChannDial err 3022 rn_p 576de0". Meaning: filter groups are mixed, so the call is not allowed. Solution: clean the filter set and reboot.
3023: Message "PINI ERROR netMakeC...
247. ...ining material for more details (RFC 1661). IP address mismatched. Pre-ZyNOS:
P128> isdn dial 4
Start dialing for node <4>
Dialing chan <1> phone (last 9 digit) 40201
Hit any key to continue
Call CONNECT speed <64000> chan <1> prot <1>
LCP up
CHAP send response
CHAP login to remote OK
IPCP negotiation started
BACP negotiation started
IPCP up
Remote subnet mismatch, cfg'd 100.0.0.0
Remote subnet mismatch, neg'd 200.0.0.0
LCP down
IPCP down
Ip route code 05 P1 00 P2 00 P3 00
Receive Terminate ACK
LCP stopped
ZyNOS:
P128> dev dial 4
Start dialing for node <4>
Dialing chan <1> phone (last 9 digit) 40201
Hit any key to continue
Call CONNECT speed <64000> type <2> chan <0>
LCP opened
CHAP login to remote OK
IPCP negotiation started
BACP negotiation started
IPCP up
LCP closed
IPCP closed
Recv'd TERM ACK state 4
LCP stopped
P128> sys log disp
18 417888 PPOa ERROR Remote subnet mismatch, cfg'd 100.1.1.1
19 417889 PPOa ERROR neg'd 200.0.0.0
20 417892 PPOa WARN ip_route code 05 P1 00 P2 00 P3 00
In this example the IP address of the remote node is 100.1.1.1, but after PPP is up the far end claims that its IP is in the 200.0.0.0 network. The P-202H Plus v2 will drop the call because of the IP address mismatch in this ca...
248. ...is added during the installation phase of the upgrade, in addition to the first dial-up adapter that provides PPP support for the analog or ISDN modem. PPTP is supported in Windows NT and Windows 98 already; for Windows 95 it needs to be upgraded by the Dial-Up Networking 1.2 upgrade. Configuration: This application note explains how to establish a PPTP connection with a remote private network in the P-202H Plus v2 SUA case. In ZyNOS, all PPTP packets can be forwarded to the internal PPTP server (a WinNT server) behind SUA. The port number of PPTP has to be entered in SMT Menu 15 for the P-202H Plus v2 to forward to the appropriate private IP address of the Windows NT server. [Figure: PPTP Client, Prestige, PPTP Server.] Example: The following example shows how to dial to an ISP via the P-202H Plus v2 and then establish a tunnel to a private network. There are three items that you need to set up for the PPTP application: the PPTP server (WinNT), the PPTP client (Win9x) and the P-202H Plus v2. PPTP server setup (WinNT): Add the VPN service from Control Panel > Network. Add a user account for the PPTP logged-on user. Enable the RAS port. Select the network protocols from RAS, such as IPX, TCP/IP, NetBEUI. Set the Internet gateway to the P-202H Plus v2. PPTP client setup (Win9x): Add one VPN connection from Dial-Up Networking...
249. ...is the WAN IP of the P-202H Plus v2. Secure Gateway IP Addr is the remote secure gateway IP, that is PC 1 in this example. 10. Select Encapsulation Mode to Tunnel. 11. Check the ESP check box (AH cannot be used in the SUA/NAT case). 12. Select Encryption Algorithm to DES and Authentication Algorithm to SHA1, as we configured in Soft-PK. 13. Enter the key string 12345678 in the Preshared Key text box and click Apply. Figure 8: See the VPN rule screen shot. [Screenshot: ZyXEL web configurator VPN rule (Active, Name Prestige, IPSec Key Mode IKE, Negotiation Mode Main, Local Address Type Single Address, Remote Address Type Single Address, My IP Address WAN IP, Secure Gateway IP Address WAN IP, Encapsulation Mode Tunnel, VPN Protocol ESP, Pre-Shared Key).] If you use SMT management, the VPN configurations are as shown below.
250. ...ished correctly. [Screenshot: NetScreen Administration Tools, Address Configuration for Local Secure Host (Address Name, IP Address / Domain Name, Location Trust / Untrust).] 3. Click OK to save it. 4. Click New Address to add the remote secure host (192.168.1.33 in this example) and give a name to this host address (Remote Secure Host in this example). See the screen shown below. Note: The Netmask field here for a single IP is 255.255.255.255. Please do not enter the wrong netmask, otherwise the VPN cannot be established correctly. [Screenshot: NetScreen Administration Tools, Address Configuration for Remote Secure Host.]
251. [Screenshot: NetScreen Administration Tools, Address Configuration: Address Name Remote Secure Host, IP Address / Domain Name 192.168.1.33, Location Untrust.] 5. Click OK to save it. Create Outgoing & Incoming VPN Policy: 1. Click the Policy menu and click the Outgoing tab. 2. Click New Policy to configure the outgoing VPN policy. 3. Give a name to the policy. 4. Select the Local Secure Host that we configured above as the Source Address. 5. Select the Remote Secure Host that we configured above as the Destination Address. 6. Select ANY as the Service. 7. For the rest of the settings, please refer to the following screen shot, and click OK to save. [Screenshot: NetScreen Administration Tools, outgoing policy configuration.]
252. ...k Apply. See the screen shot. [Screenshot: ZyXEL web configurator VPN IKE setup (Active, Keep Alive, Name PrestigeA, IPSec Key Mode IKE, Negotiation Mode Main, Local Address Type Single with PC1 IP, Remote Address Type Single with PC2 IP, Local ID Type IP, My IP Address WAN IP, Peer ID Type IP, Secure Gateway IP Address WAN IP, Encapsulation Mode Tunnel, VPN Protocol ESP, Pre-shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm MD5).] 2. Setup SonicWALL. 1. Log in to SonicWALL by giving the LAN IP address of SonicWALL (the default is 192.168.168.1). 2. Click the General menu and click the Network tab. 3. Select NAT Enabled as the Network Addressing Mode. 4. In LAN Settings, enter a LAN IP and Subnet Mask for SonicWALL. 5. In WAN Settings, enter a WAN IP, Subnet Mask and WAN Gateway for SonicWALL. 6. In DNS Settings, enter the DNS IP. 7. Click Up...
253. ...key to a Three-Way Conference call. Hang up the phone. The ISDN network does an implicit transfer to directly connect Caller A with Caller B. How do I do a blind call transfer? Once you have an active call (Caller A), press the Flash key to put the existing call on hold and receive a dial tone. Dial the third party's phone number (Caller B). Before Caller B picks up the call, you can transfer the call by pressing the Flash key. The call is automatically transferred. What is call forwarding and how do I do it? Call forwarding means the switch will ring another number at a place where you will be when someone dials your directory number. There are two methods to activate call forwarding; either method should work fine and you can use whichever one you are most comfortable with. The first is exactly the same as on an analog line, i.e. you pick up the handset and dial the access code assigned by your telephone company and the number that you want the calls forwarded to. Check with your telephone company for this access code. The second is with the phone flash commands, where you pick up the handset and press the flash key before dialing the following. Command / Meaning: 20 forward number: activate CFB (Call Forwarding Busy). 21 forward number: activate CFU (Call Forwarding Unconditional). 22 forward number: activate CFNR (Call Forwardi...
254. ...l-Callback-Option Mandatory 2
Zyxel callback phone number source:
ATTRIBUTE Zyxel-Callback-Phone-Source 193 integer
VALUE Zyxel-Callback-Phone-Source Preconfigured 0
VALUE Zyxel-Callback-Phone-Source User 1
3. Enter the RADIUS client IP and the encrypted key in the Clients file. See an example below. This file contains a list of clients which are allowed to make authentication requests and their encryption key. The first field is a valid hostname for the client. The second field, separated by blanks or tabs, is the encryption key.
Client Name / Key
portmaster1 testing123
203.66.113.187 key187
In this example the new client 203.66.113.187 is the P-202H Plus v2 router. The key key187 must be configured in SMT Menu 23.2 later. 4. Enter the user profile, including username and password, in the Users file. See an example below.
Example 1: PPP user without callback.
Username ay Password = 12345
Example 2: PPP user with callback.
Username toot Password = 1234
Zyxel-Callback-Option = Mandatory
Zyxel-Callback-Phone-Source = Preconfigured
CallBack-Number = 523444
5. Run RADIUS EXE X15 to turn on the RADIUS service. P-202H Plus v2 Setup: Menu 23.2 System Security External Server: Authentication Server Active Yes, Type RADIUS, Server Addre...
255. ...le 1: Type Many-to-Many No Overload, Local IP Start 192.168.1.10 End 192.168.1.12, Global IP Start Enter IGA1 End Enter IGA3, Server Mapping Set N/A. Press ENTER to Confirm or ESC to Cancel. The three rules configured for using the One-to-One mapping type are shown below.
Menu 15.1.1.1 Rule 1: Type One-to-One, Local IP Start 192.168.1.10 End N/A, Global IP Start Enter IGA1 End N/A, Server Mapping Set N/A. Press ENTER to Confirm or ESC to Cancel.
Menu 15.1.1.2 Rule 2: Type One-to-One, Local IP Start 192.168.1.11 End N/A, Global IP Start Enter IGA2 End N/A, Server Mapping Set N/A. Press ENTER to Confirm or ESC to Cancel.
Menu 15.1.1.3 Rule 3: Type One-to-One, Local IP Start 192.168.1.12 End N/A.
IPSec VPN. 1. Using IPSec VPN. What is IPSec? IPSec is a set of IP extensions developed by the IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv4) and also the upcoming one (IPv6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP and ICMP. IPSec is truly...
256. ...le Replay Detection No, Key Management IKE, Edit Key Management Setup Yes. Press ENTER to Confirm or ESC to Cancel. Press Space Bar to Toggle. 1. Edit the IKE settings by setting the Edit IKE Setup option in Menu 27.1.1 to Yes and then pressing Enter. 2. There are two phases for IKE. In Phase 1, two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission. Please note that any configuration in IKE Setup should match the settings in the VPN software.
Menu 27.1.1.1 IKE Setup
Phase 1: Negotiation Mode Main, Pre-Shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds) 3600, Key Group DH1.
Phase 2: Active Protocol ESP, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds) 3680, Encapsulation Tunnel, Perfect Forward Secrecy (PFS) None.
Press ENTER to Confirm or ESC to Cancel.
Linux FreeS/WAN VPN to P-202H Plus v2 Tunneling. This page guides us to set up a VPN connection between FreeS/WAN and the P-202H Plus v2 router. There are several devices we need to set up for this case: Linux FreeS/WAN and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1 and the P-202H Plus v2 ensures the packets flowing between them are s...
257. ...le password 7 1543595F50
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip domain-lookup
ip dhcp pool 1
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key 12345678 address 172.21.10.50
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 172.21.10.50
 set transform-set cm-transformset-1
 match address 100
interface Ethernet0
 description connected to Internet
 ip address 140.113.10.50 255.255.0.0
 half-duplex
 crypto map cm-cryptomap
interface FastEthernet0
 description connected to EthernetLAN_1
 ip address 192.168.2.1 255.255.255.0
 speed auto
router rip
 version 1
 passive-interface Ethernet0
 network 140.113.0.0
 network 192.168.2.0
 no auto-summary
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
access-list 100 permit ip 19...
258. ...le to Yes to turn on the callback function. Enter the user name given by the remote node. Enter the password given by the remote node. Password (Outgoing), Pri Phone: enter the phone number of the remote node for calling back. Setup of the P-202H Plus v2 for calling back to a dial-in user: Generally, there are several settings that must be checked when using CLID callback. They are: The CLID Authentication setting in Menu 13 must be configured as Required or Preferred. The Outgoing user information in Menu 13 must be entered. The Callback setting in Menu 13 must be toggled to Mandatory. The Callback Phone number setting in Menu 14.1 must be predefined in the menu. The Remote CLID setting in Menu 14.1 must be entered for the CLID authentication. The following SMT screens only show the main settings of the CLID callback; you can refer to the user's manual or the support note for the other settings. 1. Toggle the CLID Authen option to Required and enter the Outgoing user information in Menu 13.
Menu 13 Default Dial-in Setup: Telco Options: CLID Authen Required. PPP Options: Recv Authen CHAP/PAP, Compression Yes, Mutual Authen No, O/G Login test, O/G Password. IP Address Supplied By: Dial-in User Yes, IP Pool No, IP Start Addr N/A, IP Count (1,2) N/A. Session Options: Edit...
259. ...lf, a service or a computer. 12. Click OK to close the Add/Remove Snap-in dialog box. [Screenshot: MMC Console1, Console Root containing Computer Management (Local), Local Computer Policy and Certificates (Local Computer).] Create IPSec Policy: Typically a Windows 2000 gateway is not a member of a domain, so a local IPSec policy is created. If your Windows 2000 gateway is a member of a domain, there already exists a local IPSec policy; in this case you can create an Organization Unit (OU) in Active Directory, make your WIN2K a member of this OU, and assign the IPSec policy to the Group Policy Object (GPO) of this OU. For more information, please refer to the Assigning IPSec Policy section of the Windows 2000 online help. 1. From the Windows desktop, click Start, click Run, and in the Open text box type SECPOL.MSC. Click OK. [Screenshot: Run dialog with secpol.msc in the Open field.]
260. ...lk-Address, Routing-Protocol, Suppress-Broadcasts, AT-Compression-Protocol, Reserved, Server-information, Zone-information, Default-Router-Address. PPP OSINLCP Configuration Option Types: The Point-to-Point Protocol (PPP) OSI Network Layer Control Protocol (OSINLCP) specifies a number of Configuration Options (RFC 1377) which are distinguished by an 8-bit Type field. These Types are assigned as follows. Type / Configuration Option: 1 Align-NPDU. PPP Banyan Vines Configuration Option Types: The Point-to-Point Protocol (PPP) Banyan Vines Control Protocol (BVCP) specifies a number of Configuration Options (RFC 1763) which are distinguished by an 8-bit Type field. These Types are assigned as follows. Type / Configuration Option: 1 BV-NS-RTP-Link-Type, 2 BV-FRP, 3 BV-RTP, 4 BV-Suppress-Broadcast. PPP Bridging Configuration Option Types: The Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP) specifies a number of Configuration Options which are distinguished by an 8-bit Type field. These Types are assigned as follows. Type / Configuration Option: 1 Bridge-Identification, 2 Line-Identification, 3 MAC-Support, 4 Tinygram-Compression, 5 LAN-Identification, 6 MAC-Address, 7 Spanning-Tree-Protocol. PPP Bridging MAC Types: The Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP) contains an 8-bit MAC...
261. ...log. The log keeps 128 entries; new entries will overwrite the old entries when the log has over 128 entries. There are three ways to view the firewall log: 1. View the log from SMT Menu 21.3 View Firewall Log. 2. View the log using the CI command sys firewall display. 3. View the log from the Web Configurator. 4. When does the P-202H Plus v2 generate the firewall alert? The P-202H Plus v2 generates the alert when an attack is detected by the firewall and sends it via Email. So, to send the alert, you must configure the mail server and Email address using the Web Configurator. You can also specify how frequently you want to receive the alert via the Web Configurator. 5. What does the alert show to us? The alert shown in the Email is actually the events of the attack, so the Reason column shows Attack and the attack type. Please see the example shown below.
Time / Packet Information / Reason / Action
127 Mar 15 03:04:54 / From 192.168.1.1 To 192.168.1.1, ICMP type 00008 code 00000 / attack land / block
6. What is the difference between the log and the alert? A log entry is just added to the log inside the P-202H Plus v2 and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attack is detected.
262. ...low, the tunnel between PC 1 (with Sentinel installed) and the P-202H Plus v2 ensures the packets flowing between them are secure, because the packets going through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for Sentinel and the P-202H Plus v2 are explained in the following sections. As the red pipe in the following figure shows, the tunneling endpoints are Sentinel and the P-202H Plus v2. [Figure: Internet, Prestige, PC with Sentinel.] The IP addresses we use in this example are as shown below: LAN 192.168.1.1, WAN 172.21.1.252, <Dynamic>, 192.168.1.33. 1. Setup Sentinel. 1. From the Tool Tray of the Windows system, right-click on your Sentinel icon and then choose Run Policy Editor. [Screenshot: SSH Sentinel tray menu (View Statistics, Run Policy Editor, Auditing, User Key Agent, Select Active Policy, Select VPN, Start Policy Manager, Stop Policy Manager, Online Support, Hide Tray).] 2. Choose Key Management, select My Keys, then press the Add button. [Screenshot: SSH Sentinel Policy Editor, Key Management tab (Trusted Policy Servers, Trusted Certificates, Certification Authorities, Remote Hosts, checkpoint certificate; Add).]
263. [Screenshot: Sentinel VPN connection: Gateway IP address 172.21.1.252, Remote network ZyWALL, Authentication key checkpoint certificate.] 11. In the SSH Sentinel Policy Editor you will get a new VPN connection (172.21.1.252, P-202H Plus v2); choose this item and then press the Properties button. [Screenshot: SSH Sentinel Policy Editor, Security Policy tab (Pre-IPSec Filter, VPN Connections, Secured Connections, Secured Networks, Default Response, Post-IPSec Filter; Add, Remove, Properties, Diagnostics).] 12. Choose the Settings button in the Remote endpoint section. Please uncheck the boxes Acquire virtual IP address and Extended authentication. [Screenshot: Rule Properties, General tab: Remote endpoint Security gateway, Remote network ZyWALL; IPSec/IKE proposal: Authentication key, Proposal template normal; Acquire virtual IP address unchecked (a virtual IP address is an address from the internal network); Extended authentication unchecked (the VPN gateway may require IKE XAuth, RADIUS or CHAP authentication).] 13. Tune...
264. 6. Select Use Serial Cable to Assign IP Address and the Serial Port of your computer, then click Next and OK. 7. Turn the Firebox off and on again. Wait for the configuration file to be uploaded. 8. In the WatchGuard Control Center, click on the Policy Manager icon. 9. Pull down Network > Branch Office VPN > IPSec. See the figure below. [Screenshot: WatchGuard Policy Manager (C:\Program Files\WatchGuard\172.21.1.169.cfg), Network menu: Configuration, Default Gateway, Enhanced DVCP Client, Branch Office VPN, Remote User, Basic DVCP, IPSec.] 10. Click Gateway and click Add. 11. Enter a name for the remote security gateway in the Name field; enter the remote gateway IP in the Remote Gateway IP field. 12. Select isakmp (dynamic), which is IKE in the P-202H Plus v2, as the Key Negotiation Type and enter a string as the Shared Key. [Screenshot: Configure Gateways dialog: Key Negotiation Type isakmp (dynamic), Remote Gateway IP 202.132.154.1; Gateways and Tunnels tabs with Add, Edit, Remove, Move Up, Move Down.] 13. Click...
265. [Screenshot: Windows 2000 IP Security Policies list (Server (Request Security): for all IP traffic, always request security; WIN2K to ZyWALL policy).] For more information about configuring WIN2K IPSec, please refer to the following web sites: 1. http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp 2. http://support.microsoft.com/support/kb/articles/q252/7/35.asp. 2. Setup P-202H Plus v2 VPN. 1. Using a web browser, log in to the P-202H Plus v2 by giving the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1; the default password to log in to the web configurator is 1234. 2. Click Advanced and click the VPN tab on the left. 3. On the SUMMARY menu, select a policy to edit by clicking Edit. 4. On the CONFIGURE IKE menu, check the Active check box and give a name to this policy. 5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in WIN2K. 6. Source IP Address Start and Source IP Address End are the PC 2 IP in this example (the secure host behind the P-202H Plus v2). 7. Destination IP Address Start and Destination IP Address End are PC 1 in this example (the secure WIN2K PC). Note: You may assign a range of Source/Destination IP addresses for multiple VPN sessions. 8. My IP Addr is the WAN IP of the P-202H Plus v2. 9. Secure Gateway IP Addr is the remote WIN2K's IP, that is PC 1 in this example. 10. Select Encapsulation Mode to Tun...
266. ...m configuring my firewall? There are several ways to protect others from touching the settings of your firewall: 1. Change the default password, since it is required when setting up the firewall using Telnet, Console or a Web browser. 2. Limit who can Telnet to your router. You can enter the IP address of the secured LAN host in SMT Menu 24.11 to allow Telnet to your P-202H Plus v2. The default value in this field is 0.0.0.0, which means you do not care which host is trying to Telnet to your P-202H Plus v2. 3. Can I use a browser to configure my P-202H Plus v2? Yes, you can use a web browser to configure the P-202H Plus v2. 4. Why can't I configure my router using Telnet over WAN? There are three reasons that Telnet from WAN is blocked: 1. When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable Telnet from WAN, you must turn the firewall off (Menu 21.2) or create a firewall rule to allow Telnet connections from WAN. The WAN-to-LAN ACL summary will look as shown below: Source IP: Telnet host; Destination IP: router WAN IP; Service: TCP/23; Action: Forward. 2. You have disabled the Telnet service in Menu 24.11. 3. The Telnet service is enabled but your host IP is not the secured host entered in Menu 24.11. In this case the error message "Client IP is not allowed" appears on the Telnet screen. 4. The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol field in menu 1...
267. ...matched. Phone number is in Black List (check Menu 24.9.2). Pre-ZyNOS:
P2864> isdn dial 1
Start dialing for node <1>
Call failed, number is Blacklisted
Hit any key to continue
ZyNOS:
Zyxel> dev dial 1
Call is blocked
Call exceeded the call budget (check Menu 24.9.3). Pre-ZyNOS:
P2864> isdn dial 1
Start dialing for node <1>
Connect time exceeds budget
startDialing failed
Hit any key to continue
ZyNOS:
Zyxel> dev dial 1
Dial no budget
Zyxel> sys log disp
PPO9 INFO Remote node 0 budget expired
PPO9 INFO Dial no budget
Login to remote node failed (check the name and password again). Pre-ZyNOS:
P2864> isdn dial 1
Start dialing for node <1>
Dialing chan <1> phone (last 9 digit) 40201
Hit any key to continue
Call CONNECT speed <64000> chan <1> prot <1>
LCP up
CHAP send response
Login to remote failed. Check name/passwd
Receive Terminate REQ
LCP down
Line Down chan <1>
ZyNOS:
zyxel> dev dial 1
Start dialing for node <1>
Dialing chan <1> phone (last 9 digit) 40201
Hit any key to continue
Call CONNECT speed <64000> type <2> chan <0>
LCP opened
CHAP login to remote failed
LCP closed
Recv'd TERM REQ
Recv'd TERM ACK state 5
LCP stopp...
268. mmunications Corporation, ZyXEL P-202H Plus v2 Support Notes. [Screenshot: ZyXEL web configurator, VPN - IKE Advanced Setup page, showing Enable Replay Detection, Local/Remote Start and End Port, the Phase 1 parameters (Negotiation Mode, Pre-Shared Key, Encryption Algorithm, Authentication Algorithm, SA Life Time in Seconds, Key Group) and the Phase 2 parameters (Active Protocol, Encryption Algorithm, Authentication Algorithm, SA Life Time in Seconds, Encapsulation, Perfect Forward Secrecy (PFS)).] If you use SMT management, the VPN configurations are as shown below. Menu 27.1.1 IPSec Setup: Index; Name: to ssh; Active: Yes; Keep Alive: Yes; Local ID type: IP, Content: ; My IP Addr: 172.21.1.252; Peer ID type: IP, Content: ; Secure Gateway Addr: 172.21.1.232; Protocol: ; Local Addr Type: SUBNET, IP Addr Start: 192.168.1.0, End/Subnet Mask: 255.255.255.4, Port Start/End: N/A; Remote Addr Type: SINGLE, IP Addr Start: 192.168.2.33, End/Subnet Mask: N/A, Port Start/End: N/A; Enable Replay Detection: No; Key Management: IKE; Edit Key Management Setup: No. Press ENTER to Confirm or ESC to Cancel. 1. Edit IKE settings by sele
269. n [Screenshot: NetScreen AutoKey IKE entry dialog: Enable, Remote Gateway Tunnel Name, Phase 2 Proposal (List Phase 2 Proposals), VPN Monitor Enable, List Gateways, Transport Mode Enable (for L2TP over IPSec only), OK/Cancel.] 5. Click VPN menu and click AutoKey IKE tab. 6. Click New AutoKey IKE Entry to add the entry for the remote gateway, i.e. P-202H Plus v2. 7. Select P-202H Plus v2 as the Remote Gateway Tunnel Name. 8. Select P-202H Plus v2 as Phase 2 Proposal and click OK to save. See the screen shot. [Screenshot: NetScreen Administration Tools in Microsoft Internet Explorer, AutoKey IKE Configuration page: Name, Enable Replay Protection, Remote Gateway Tunnel Name (ZyWALL), Phase 2 Proposal (ZyWALL).]
270. n Algorithm to MD5 as we configured in P-202H Plus v2 A. 13. Enter the key string 12345678 in the Preshared Key text box and click Apply (see the screen shot). [Screenshot: ZyXEL web configurator, VPN - IKE IPSec Setup page: Active, Name, IPSec Key Mode, Negotiation Mode, Local/Remote Address Type with IP Address Start/End and Subnet Mask, Local ID Type/Content, My IP Address, Peer ID Type/Content, Secure Gateway IP Address, Encapsulation Mode, Security Protocol (VPN Protocol, Pre-Shared Key, Encryption Algorithm, Authentication Algorithm), Keep Alive; Back/Apply/Cancel/Delete.] If you use SMT management, the VPN configurations are as shown below. Menu 27.1.1 IPSec Setup: Index; Name: PrestigeB; Active: Yes; Keep Alive: No; Local ID type: IP, Content: 0.0.0.4; My IP Addr: 168.10.10.66; Peer ID type: IP, Content: 4.4.4.4; Secure Gateway Addr: 22.132.154.1; Protocol: ; Local Addr Type: SINGLE, IP Addr Start: 192.168.2.33, End/Subnet Mask: N/A
271. n IP filter list is composed of multiple filters. In this way multiple subnets, IP addresses and protocols can be combined into one IP filter. [Screenshot: IP Filter List dialog: Name ZyWALL to WIN2K, Description, Filters (Use Add Wizard; Add/Edit/Remove), Protocol/Source Port/Destination columns, OK/Cancel.] Configure a Rule for PC 1 to PC 2 tunnel. 1. Select the first filter list you created above from the IP Filter List, for example WIN2K to P-202H Plus v2. [Screenshot: New Rule Properties dialog, IP Filter List tab ("The selected IP filter list specifies which network traffic will be secured with this rule"), IP Filter Lists: ZyWALL to WIN2K; Add/Edit/Remove.] 2. Click the Tunnel Setting tab and enter the remote endpoint. For this filter list the remote IPSec endpoint is P-202H Plus v2. [Screenshot: New Rule Properties dialog, Tunnel Setting tab ("The tunnel endpoint is the tunneling computer closest to the IP traffic destination, as specified by the associated IP Filter List. It takes two rules to describe an IPSec Tunnel."): This rule does not specify an IPSec tunnel / The tunnel endpoint is specified by this IP Address: 172
272. ncel. Edit LAN segment of P-202H Plus v210. In this example we set up P-202H Plus v210 as DHCP server and its LAN IP address is 192.168.99.1. [Screenshot: Menu 3.2 TCP/IP and DHCP Ethernet Setup: DHCP Server Configuration (Client IP Pool Starting Address, Size of Client IP Pool, Primary DNS Server, Secondary DNS Server, DHCP Server Address N/A); TCP/IP Setup (IP Address 192.168.99.1, IP Subnet Mask, RIP Direction None, Version N/A, Multicast None, Edit IP Alias No); Press ENTER to Confirm or ESC to Cancel.] Edit Internet Access of P-202H Plus v210. [Screenshot: Menu 4 Internet Access Setup: ISP's Name, PPPoE Service Type N/A, My Login, My Password, Idle Timeout, IP Address Assignment Dynamic, IP Address N/A, IP Subnet Mask N/A, Gateway IP Address N/A, Network Address Translation SUA Only; Press ENTER to Confirm or ESC to Cancel.] In SMT menu 27 create a VPN rule like the following. [Screenshot: Menu 27.1 IPSec Summary: columns Local Addr Start / Local Addr End, Encap, IPSec Algorithm, Remote Addr Start / Remote Addr End, Secure Gw Addr; rule with local 192.168.99.0 / 255.255.255.0, Tunnel, ESP 3DES MD5.]
273. nees 34; 2. Why do I need to use Sentinel? 34; 3. Does SSH Sentinel work with the PPP over Ethernet (PPPoE) protocol which is used by the ADSL Network Adapter cards? 34; 4. How to configure Pre-IPSec filter 34; 5. What is "Acquire virtual IP address" for? Should I check this box? 34; 6. What is "Extended Authentication"? Should I check this box? 34; 7. Does Sentinel support IP range? 35; 8. Does Sentinel support 2 VPN connections at the same time? 35; 9. What is this option "Attach the selected values to proposal only"? 35; 10. How to initiate a VPN tunnel from Sentinel 35; 11. Can P-202H Plus v2 be the initiator of VPN tunnel to Sentinel? 35; 12. How can I verify if the VPN connection is up in Sentinel? 35; 13. I am using EnterNet 300, a PPPoE dial-up software. Any concern? 35; APPLICATION NOTES 35; General Application Notes 36; 1. Internet Access 36; 2. SUA Applications 38; 4. Dial-in User Setup 53; 5. [entry unreadable] 57; 6. UNIX syslog Setup 88; 7. ISDN Le
274. nel; 0 D-Channel Indicator: channel identified is not D-Channel; 01 Info Ch Selection: B1 channel. 1 01101100 INFORMATION ELEMENT: Calling Party Number; 2 00001001 IE length: 9 bytes; 3 0 Extension bit: continued; 000 Type of number: unknown; 0000 Numbering plan iden: unknown; 3a 1 Extension bit: not continued; 00 Presentation indic: presentation allowed; 000 Spare; 00 Screening indicator: user provided, not screened; Calling Number Type: 5009097. 1 01110000 INFORMATION ELEMENT: Called Party Number; 2 00001000 IE length: 8 bytes; 3 1 Extension bit: not continued; 000 Type of number: unknown; 0000 Numbering plan iden: unknown; Called Number Type: 4125678. 00 00 03 23 4 bytes LAPD D NT R SAPI 0 TEI 97 RR P/F 0 NR 1. 00 00 03 2383 11 bytes LAPD D NT C SAPI 0 TEI 97 INFO P 0 NR 1 NS 0; 3 bytes Layer 3 Dest > CallRef 1 PD Q.931 CALL_PROCE; 1 00011000 INFORMATION ELEMENT: Channel Identification; 2 00000001 IE length: 1 byte; 3 1 Extension bit: not continued; 00 Interface Id present: implicitly; 0 Interface type: basic interface; 0 Spare; Preferred/Exclusive: only the channel is acceptable; 0 D-Channel Indicator: channel identified is not D-Channel; 01 Info Ch Selection: B1 channel 0
275. nel. 11. Check the ESP check box (AH can not be used in SUA/NAT case). 12. Select Encryption Algorithm to DES and Authentication Algorithm to MD5 as we configured in WIN2K. 13. Enter the key string 12345678 in the Preshared Key text box and click Apply. Figure 8: See the VPN rule screen shot. [Screenshot: ZyXEL web configurator, VPN - IKE IPSec Setup page: Active, Name, IPSec Key Mode, Negotiation Mode, Local/Remote Address Type with IP Address Start/End and Subnet Mask, Local ID Type/Content, My IP Address, Peer ID Type/Content, Secure Gateway IP Address, Encapsulation Mode, Security Protocol (VPN Protocol, Pre-Shared Key, Encryption Algorithm, Authentication Algorithm), Keep Alive; Back/Apply/Cancel/Delete.] If you use SMT management, the VPN configurations are as shown below. Menu 27.1.1 IPSec Setup: Index: 1; Name: P-202H Plus v2; Active: Yes; My IP Addr: 172.21.1.252; Secure Gateway I
276. nel drop bri0 bri1 (bri0 for B1 channel, bri1 for B2 channel). Display the trace by isdn fw ana off, then isdn fw ana disp. 2. Can I prevent the dial-in user from occupying two channels? Yes. You can use a CI command to prevent the dial-in user from occupying two channels. Please enter menu 24.8 and type the CI command ppp lcp mpin off (or on, to allow two channels). 3. How does "Dial Prefix to Access Outside Line" in Menu 2 (European firmware) work? This prefix will be placed in front of the outgoing call phone numbers when you make an outgoing call. 4. What supplemental phone service does P-202H Plus v2 support? The P-202H Plus v2 supports the following supplementary phone features on both of its POTS ports: Call Waiting, Three-Way Calling, Call Transfer, Call Forwarding, Reminder Ring, Terminal Portability (Suspend/Resume). Most supplementary services are not free; please check with your telephone company for the services they offer. 5. How do I do call waiting, call hold and call retrieve? To put your current call on hold and answer the incoming call after hearing the call waiting tone, press and immediately release the Flash button on your telephone. To put your current call on hold and switch to another call, press and immediately release the Flash button on your telephone. To hang up your current call b
277. ng No Reply; 20 Deactive CFB; 21 Deactive CFU; 22 Deactive CFNR. How do I suspend/resume a phone call (terminal portability)? The Terminal Portability service allows you to suspend a phone call temporarily. You can then resume this call later at another location if you so wish. To suspend an active phone call: press the flash key twice; dial 3n, where n is any number from 1 to 9. To resume your phone call: reconnect at an ISDN telephone that is linked to the same S/T interface (Network Terminator 1, NT1) where you suspended the call; pick up the handset and press the Flash key; dial 3n, where n is any number from 1 to 9 but should be identical to that used above. What is reminder ring? The P-202H Plus v2 sends a single short ring to your telephone every time a call has been forwarded (US switches only). What is MSN/subaddress and how do I do it? Depending on your location, you may have Multiple Subscriber Number (MSN), where the telephone company gives you more than one number for your ISDN line. You can assign each number to a different port, e.g. the first number to data calls, the second to A/B adapter 1, and so on. Or (DSS1) the telephone company may give you only one number but allow you to assign your own subaddresses to different ports, e.g. subaddress 1 to data calls and 2 to A/B adapter 1. 9. Using NetCAPI. What is NetCAPI?
278. ng Sets and NAT Server Sets; NAT Server Sets; Examples: 1. Internet Access Only; 2. Internet Access with an Internal Server; 3. Using Multiple Global IP addresses for clients and servers; 4. Support Non-NAT-Friendly Applications. What is Multi-NAT? NAT (Network Address Translation, RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g. a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the additional benefit of firewall protection: in such case all incoming connections to your network will be filtered out by the P-202H Plus v2, thus preventing intruders from probing your network. The SUA feature that the P-202H Plus v2 supports previously operates by mapping the private IP addresses to a global IP address. It is only one subset of the NAT. The ZyNOS V2.41 for the P-202H Plus v2 1001H is enhanced to support most of the features of the NAT based on RFC 1631, and we call thi
279. nge [Screenshot: Check Point Policy Editor rule base (rules for atlantica, vitoproxy, ftp, and an Encrypt rule; Read/Write, 172.30.254.254).] Double click on the encrypt action to edit the encryption properties. Select IKE as the form of encryption, click on edit and select the Phase 2 parameters. [Screenshot: IKE Properties dialog, General tab: Transform (Encryption + Data Integrity (ESP) / Data Integrity Only (AH)), Encryption Algorithm 3DES, Data Integrity MD5, Allowed Peer Gateway, Use Perfect Forward Secrecy.] WIN2K VPN to P-202H Plus v2. This page guides us to set up a VPN connection between the WIN2K VPN software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the WIN2K VPN software and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1 and P-202H Plus v2 ensures that the packets flowing between them are secure, because the packets going through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for WIN2K and P-202H Plus v2 are explained in the following sections. As the red pipe in the following figure shows, the tunneling endpoints are WIN2K and P-202H Plus v2. [Figure: IPSec Tunnel between the Prestige and Win2K.] The
280. ngs for the NetCAPI users. CAPI: Incoming: when this option is selected, the NetCAPI users have permission to only accept incoming calls. Outgoing: when this option is selected, the NetCAPI users have permission to only place outgoing calls. Both: when this option is selected, the NetCAPI users have permission for both answering and placing calls. None: when this option is selected, no calls are allowed for the NetCAPI users. CI commands: dcp fsm sw on|off: to enable/disable the NetCAPI state machine, use the dcp fsm sw on|off command. dcp fsm disp: to display the NetCAPI state machine log, use the dcp fsm disp command. The following example shows the output of the dcp fsm disp command: ISDN_DCP FSM Log, Entries 6, Format: TimeStamp Protocol ObjectID State Event Event-Handling Function / 0 00 03 190 DCP 0 S IDLE 01 E CapREQ 00 Func DCPIgnore / 1 00 03 215 SC 0 S IDLE 01 E STARTREQ 01 Func DCPSCStartReq / 2 00 04 375 SC 1 S ACTI 02 E ENDREQ 02 Func DCPSCEndReq / 3 00 06 545 DCP 0 S IDLE 01 E CapREQ 00 Func DCPIgnore / 4 00 06 555 SC 0 S IDLE 01 E STARTREQ 01 Func DCPSCStartReq / 5 00 07 245 CC 1 S IDLE 01 E LISTENREQ 05 Func DCPListenReq. dcp fsm clear: to clear the NetCAPI state machine log, use the dcp fsm clear command. dcp trcp sw on|off: to enable/disable the NetCAPI packet log, use the dcp
281. nnel Usage: Switch/Switch. Incoming Phone Numbers: ISDN Data: 10000, Subaddress: ; A/B Adapter 1: , Subaddress: ; A/B Adapter 2: , Subaddress: . Incoming Phone Number Matching: Multiple Subscriber Number (MSN). Analog Call Routing: N/A. Global Analog Call: N/A. Edit Advanced Setup: No. Edit NetCAPI Setup: Yes. Press ENTER to Confirm or ESC to Cancel. 2. Edit NetCAPI related settings in menu 2.1. Menu 2.2 NetCAPI Setup: Active: Yes; Max Number of Registered Users: 5; Incoming Data Call Number Matching: ; NetCAPI Access List (Start IP, End IP, Operation): 192.168.1.33 to 192.168.1.36, Both; then seven entries 0.0.0.0 to 0.0.0.0, None; default: None. Press ENTER to Confirm or ESC to Cancel. Key Settings: 1. Active: set to Yes to enable the NetCAPI. 2. Max Number of Registered Users: enter the number of RVS-COM clients for registering in the P-202H Plus v2. The maximum number is 5. 3. Incoming Data Call Matching: this setting helps the P-202H Plus v2 to forward the incoming call correctly by checking the MSN or subaddress that the remote party calls. MSN: when this option is selected, the P-202H Plus v2 checks the MSN called
282. nsidered. 6. What is a Denial of Service (DoS) attack? Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information but to disable a device or network so users no longer have access to network resources. There are four types of DoS attacks: (1) those that exploit bugs in a TCP/IP implementation, such as Ping of Death and Teardrop; (2) those that exploit weaknesses in the TCP/IP specification, such as SYN Flood and LAND attacks; (3) brute-force attacks that flood a network with useless data, such as the Smurf attack; (4) IP Spoofing. 7. What is the Ping of Death attack? Ping of Death uses a PING utility to create an IP packet that exceeds the maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang or reboot. 8. What is the Teardrop attack? The Teardrop attack exploits a weakness in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang or reboot.
283. nt is WIN2K. In each rule, a source IP and destination IP for local and remote VPN clients (PC 1 or PC 2) are required. See the guides below. Build a Filter List from PC 1 to PC 2: 1. In policy properties, uncheck the "Use Add Wizard" check box and click Add to create a new rule. [Screenshot: win2k to ZyWALL Tunnel Properties dialog.] 2. On the IP Filter List tab, click Add. [Screenshot: New Rule Properties dialog, New IP Filter List.] 3. Type a name for the filter list, e.g. WIN2K to P-202H Plus v2, uncheck the "Use Add Wizard" check box and click Add. [Screenshot: IP Filter List dialog ("An IP filter list is composed of multiple filters. In this way multiple subnets, IP addresses and protocols can be combined into one IP filter."): Name WIN2K to ZyWALL, Description, Filters (Use Add Wizard), Description/Protocol/Source Port/Destination columns.] 4. In the Source address, choose "A specific IP Address" and enter the IP address of PC 1. [Screenshot: Filter Properties dialog, Addressing tab: Source address: A specific IP Address, IP Address
284. 2. Type a name for the filter list, e.g. P-202H Plus v2 to WIN2K, uncheck the "Use Add Wizard" check box and click Add. [Screenshot: IP Filter List dialog ("An IP filter list is composed of multiple filters. In this way multiple subnets, IP addresses and protocols can be combined into one IP filter."): Name ZyWALL to WIN2K, Description, Filters (Use Add Wizard), Protocol/Source Port/Destination columns.] 3. In the Source address, choose "A specific IP Address" and enter the IP address of PC 2. [Screenshot: Filter Properties dialog, Addressing tab: Source address: A specific IP Address, IP Address 192.168.1.33, Subnet mask 255.255.255.255; Destination address: Any IP Address; Mirrored: also match packets with the exact opposite source and destination addresses; OK/Cancel/Apply.] 4. In the Destination address, choose "A specific IP Address" and enter the IP address of PC 1. [Screenshot: Filter Properties dialog, Addressing tab: Source address: IP Address / Subnet mask; Destination address: A specific IP Address, IP Address / Subnet mask; Mirrored: also match packets with the exact opposi
285. number 20. Rule 2: block the inbound FTP packet (TCP, protocol 06) with port number 21. Apply the filter set in the remote node (Menu 11). Create a filter set in Menu 21. Menu 21 Filter Set Configuration: Filter Set 1: NetBIOS_WAN; 2: NetBIOS_LAN; 3: FTP_WAN; 4 to 12: (empty). Enter Filter Set Number to Configure: 3; Edit Comments: FTP_WAN; Press ENTER to Confirm or ESC to Cancel. Rule 1: block the inbound FTP packet (TCP, protocol 06) with port number 20. Menu 21.3.1 TCP/IP Filter Rule: Filter #: 3,1; Filter Type: TCP/IP Filter Rule; Active: Yes; IP Protocol: 6; IP Source Route: No; Destination: IP Addr 0.0.0.0, IP Mask 0.0.0.0, Port # 20, Port # Comp: Equal; Source: IP Addr 0.0.0.0, IP Mask 0.0.0.0, Port # , Port # Comp: None; TCP Estab: No; More: No; Log: None; Action Matched: Drop; Action Not Matched: Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Rule 2: block the inbound FTP packet (TCP, protocol 06) with port number 21. Menu 21.3.2 TCP/IP Filter Rule: Filter #: 1,2; Filter Type: TCP/IP Filter Rule; Active: Yes; IP Protocol: 6; IP Source Route: No; Destination: IP Addr 0.0.0.0, IP Mask 0.0.0.0, Port # 21, Port # Comp: Equal; Source: IP Addr 0.0.0.0, IP
286. o no problem in IP routing. 4. Check the error counters: p2864> ip route errcnt disp / last route error code: a <- a hex value, index pointing to the last error / ipRouteFail_Disable 0 index 0 / ipRouteFail_PktLen 0 index 1 / ipRouteFail_Header 0 index 2 / ipRouteFail_CkSum 0 / ipRouteFail_OptLen 0 / ipRouteFail_OptSRoute 0 / ipRouteFail_OptSSRoute 0 / ipRouteFail_OptRRoute 0 / ipRouteFail_TTL 0 / ipRouteFail_NoRoute 0 / ipRouteFail_Wan_Route 3 <- this counter is increased by 1 / ipRouteFail_RtType 0 / ipRouteFail_DF 0 / ipRouteFail_Fragment 0. The ipRouteFail_Wan_Route counter means routing cannot get a WAN resource to dial out. You can go to Menu 24.1 and verify whether both B channels are up already or whether the link is down. <Example> 1. The routing table shows the Use count is the same as before the PING (or any other traffic that you think should route and trigger the outcall), and furthermore the error counters are still 0s: P-202H Plus v2> ip route st / Dest FF Len Interface Gateway Metric stat Timer Use / 204.247.203.191 00 32 enif0 204.247.203.183 1 00150 / 204.247.203.128 00 26 wanidle 204.247.203.167 2 00230 / 0.100.0.0 0 008 wanidle 100.1.1.1 2 00230 / 3 default 000 wanidle Internet 2 00230 0. 2. You may want to verify whether you have plugged in any filters for that remote node or LAN: P-202H Plus v2> sys filter sw on
287. oNhPvl Message Format: The SNMP PDU contains the following fields: PDU type: specifies the type of PDU; Request ID: associates requests with responses; Error status: indicates an error and an error type; Error index: associates the error with a particular object variable; Variable bindings: associates particular objects with their values. 2. ZyXEL SNMP Implementation: ZyXEL currently includes SNMP support in some P-202H Plus v2 routers. It is implemented based on SNMPv1, so it will be able to communicate with SNMPv1 NMSs. Further, users can also add ZyXEL's private MIB in the NMS to monitor and control additional system variables. The ZyXEL private MIB tree is shown in figure 3. For SNMPv1 operation, ZyXEL permits one community string, so that the router can belong to only one community and allows trap messages to be sent to only one NMS manager. Some traps are sent to the SNMP manager when any one of the following events happens: 1. coldStart (defined in RFC 1215): if the machine coldstarts, the trap will be sent after booting. 2. warmStart (defined in RFC 1215): if the machine warmstarts, the trap will be sent after booting. 3. linkDown (defined in RFC 1215): if any link of IDSL or WAN is down, the trap will be sent with the port number. The port number is its interface index under the interface group. 4. linkUp (defin
288. ocol: ESP; Pre-Shared Key: 12345670; VPN Setup: DES; Authentication Algorithm: MD5; Advanced; Back/Apply/Cancel/Delete. Set IKE Phase 1 and Phase 2 parameters. [Screenshot: ZyXEL web configurator, VPN - IKE Advanced Setup page, showing Enable Replay Detection, Local/Remote Start and End Port, the Phase 1 parameters (Negotiation Mode, Pre-Shared Key, Encryption Algorithm, Authentication Algorithm, SA Life Time in Seconds, Key Group) and the Phase 2 parameters (Active Protocol, Encryption Algorithm, Authentication Algorithm, SA Life Time in Seconds, Encapsulation, Perfect Forward Secrecy (PFS)).] If you use SMT management, the VPN configurations are as shown below. Menu 27.1.1 IPSec Setup: Index; Name: to ssh; Active: Yes; Keep Alive: Yes; Local ID type: IP, Content: ; My IP Addr: 172.21.1.252; Peer ID type: IP, Content: ; Secure Gateway Addr: 172.21.1.232; Protocol: ; Local Addr Type: SUBNET, IP Addr Start: 192.168.1.0, End/Subnet Mask: 255.255.255.6, Port Start/End: N/A; Remote Addr
289. ode [RFC1963]; Maximum Frame Size [RFC1963]; Allow Odd Frames [RFC1963]; FCS Type [RFC1963]; Flow Expiration Time [RFC1963]. Note that Option Types 5-8 are specific to a single port and require port numbers in their format. Option Types 6-8 are specific to the HDLC Synchronous Transport Mode. PPP AUTHENTICATION ALGORITHMS: A one-octet field is used in the Challenge Handshake Authentication Protocol (CHAP) to indicate which algorithm is in use [RFC1994]: 0 Reserved [RFC1994]; 1 Reserved [RFC1994]; 2 Reserved [RFC1994]; 3 Reserved [RFC1994]; 4 Reserved [RFC1994]; 5 CHAP with MD5 [RFC1994]; 128 MS-CHAP [Crocker]. PPP LCP FCS ALTERNATIVES: The Point-to-Point Protocol (PPP) Link Control Protocol (LCP) FCS-Alternatives Configuration Option contains an 8-bit Options field which identifies the FCS used. These are assigned as follows (Bit: FCS): 1 Null FCS; 2 CCITT 16-Bit FCS; 4 CCITT 32-bit FCS. PPP MULTILINK ENDPOINT DISCRIMINATOR CLASS: The Point-to-Point Protocol (PPP) Link Control Protocol (LCP) Multilink Endpoint Discriminator Option includes a Class field which identifies the address class. These are assigned as follows: 0 Null Class [RFC1717]; 1 Locally Assigned [RFC1717]; 2 Internet Protocol (IPv4) [RFC1717]; 3 IEEE 802.1 global MAC address [RFC1717]; 4 PPP Magic Number Block [RFC1717]; 5 Public Switched Net
290. of NAT (SUA, or PAT for NAT, translates address into port mapping). The primary motivation for RFC 1631 is that there are not enough IP addresses to go around. In addition, a great many corporations simply did not bother to obtain legal, globally unique IP addresses for their networks and now find themselves unable to connect to the Internet. Basically, NAT is a process of translating one address to another. A NAT implementation can be as simple as substituting an IP address with another. This allows a network to rectify the illegal address problem mentioned above without going through each and every host. The aim of ZyXEL's SUA is to minimize the Internet access cost in a small office environment by using a single IP address to represent the multiple hosts inside. It does more than IP address translation; it also enables hosts on the LAN to access the Internet at the same time. 12. How many network users can the SUA support? The fixed-size translation table limits the number of simultaneous users. A reasonable number will be less than 20 users. Beyond that, the limited modem bandwidth would probably become the bottleneck, and any increase in the translation table size will not help. 13. How do I capture the PPP log in my P-202H Plus v2? The procedure to capture the PPP log in the P-202H Plus v2 is as follows. To enable the capture of the PPP log before
291. often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Service / Port Number: FTP 21; Telnet 23; SMTP 25; DNS (Domain Name Server) 53; WWW-HTTP (Web) 80; PPTP (Point-to-Point Tunneling Protocol) 1723. Examples: Internet Access Only; Internet Access with an Internal Server; Using Multiple Global IP addresses for clients and servers; Support Non-NAT-Friendly Applications. 1. Internet Access Only: In our Internet Access example, we only need one rule, where all our ILAs map to one IGA assigned by the ISP. See the following figure. [Figure: Internet Access Using NAT, Many-to-One Mapping: Client 1 (ILA), Client 2 (ILA2), Client 3 (ILA3) and Client 4 (ILA4) behind the Prestige, one IGA assigned by the ISP.] Menu 4 Internet Access Setup: ISP's Name: ChangeMe; Pri Phone #: 1234; Sec Phone #: ; My Login: ChangeMe; My Password: ; My WAN IP Addr: 0.0.0.0; NAT: SUA Only; Address Mapping Set: N/A; Telco Options: Transfer Type: 64K; Multilink: Off; Idle Timeout: 100. Press ENTER to Confirm or ESC to Cancel. From Menu 4 shown above, simply choose the SUA Only option from the NAT field. This is the Many-to-One mapping discussed earlier. The SUA (read only) option from the NAT field in menu 4 and 11.3 is specifically pre-configured to handle this case.
292. olicy Editor
[Screenshot: SSH Sentinel Policy Editor, Security Policy tab, with the VPN Connections entry 172.21.1.252 (ZyWALL) and the Add, Remove, Properties and Diagnostics buttons.]
15. Initiate the VPN connection from Sentinel by selecting your VPN connection from the Select VPN item.
Note:
A. When building a VPN between Sentinel and the P 202H Plus v2, the tunnel can't be initiated from the P 202H Plus v2 side. Please always initiate the tunnel from Sentinel.
B. The VPN tunnel on Sentinel can't be initiated by triggered packets such as ping, ftp, telnet, HTTP etc. You can only initiate the VPN tunnel by choosing Select VPN from the SSH Sentinel tray.
[Screenshot: SSH Sentinel tray menu showing Select VPN with the entry 172.21.1.252 ZyWALL, Start Policy Manager and Stop Policy Manager.]
NOTE: Please check your P 202H Plus v2's release note. If your current firmware version doesn't support Mega Bytes as SA lifetime, you have to zero your Mega Bytes setting in SA life time. Switch to Security Policy; the configuration page is in <Your VPN connection> Properties, Advanced Tab Settings.
293. olution: check the configuration in Menu 23.2.
3033 Message: PINI ERROR netMakeChannDial err 3033 rn_p 596de0. Meaning: dial failed because the remote side requires CLID or the dial-in user requires CLID. Solution: enter the correct CLID number in the remote node or in the dial-in user setup.
3034 Message: PINI ERROR netMakeChannDial err 3034 rn_p 5 72de0. Meaning: CLID can not be found. Solution: enter the correct CLID.
3035 Message: PINI ERROR netMakeChannDial err 3035 rn_p 576de0. Meaning: call conflict; a RING was received after an outgoing call had already been placed for this remote node. Solution: do nothing; it is informational.
3036 Message: PINI ERROR netMakeChannDial err 3036 rn_p 5 76de0. Meaning: the call is blocked because it is in the blacklist. Solution: remove it from the blacklist in Menu 24.9.2.
3037 Message: PINI ERROR netMakeChannDial err 3037 rn_p 376de0. Meaning: invalid phone number. Solution: check the phone number in SMT.
3038 Message: PINI ERROR netMakeChannDial err 3038 rn_p 5 76ae0. Meaning: dial failed because the remote side is busy. Solution: wait until the remote side is available.
3039 Message: PINI ERROR netMakeChannDial err 3039 rn_p 526de0. Meaning: dial failed due to no carrier. Solution: check the ISDN line or reboot.
3040 Message: PINI ERROR netMakeChannDial err 3040 rn_p 5 76de0. Mean
294. om this client.
Menu 21.1.1 TCP/IP Filter Rule (Filter #1,1)
Filter Type: TCP/IP Filter Rule
Active: Yes
IP Protocol: 0
IP Source Route: No
Destination: IP Addr 0.0.0.0; IP Mask 0.0.0.0; Port #; Port # Comp None
Source: IP Addr 192.168.1.5; IP Mask 255.255.255.255; Port #; Port # Comp None
TCP Estab: N/A
More: No
Log: None
Action Matched: Drop
Action Not Matched: Forward
Press ENTER to Confirm or ESC to Cancel
Key Settings:
• Source IP Addr: Enter the client IP in this field.
• IP Mask: here the IP mask is used to mask the bits of the IP address given in the Source IP Addr field; for one workstation it is 255.255.255.255.
• Action Matched: Set to Drop to drop all the packets from this client.
• Action Not Matched: Set to Forward to allow the packets from other clients.
3. Apply filter set number 1 in the Call Filter Set field of SMT menu 11.5 to activate it.
Menu 11.1 Remote Node Profile
Rem Node Name: Hinet; Route: IP; Active: Yes; Bridge: No; Call Direction: Outgoing; Edit PPP Options: No; Rem IP Addr: 0.0.0.0; Edit IP/IPX/Bridge: No
Incoming: Rem Login N/A; Rem Password N/A; Rem CLID N/A; Call Back N/A
Telco Option: Allocated Budget (min) 5; Period (hr) 1
Outgoing: Transfer Type 64K; My Login qwer; Nailed-Up Connection No; My Password
295.
89 258470 PP08 CALL CONNECT speed<64000> type<2> chan<0>
90 258471 PP09 ebp ea690 seqNum 5c bri0 XMIT len 23 call 4
0000 ff 03 c0 21 01 0d 00 13 01 04 05 f4 05 06 00 03
0010 f1 a6 08 02 0d 03 06
91 258748 PP09 ebp ea6c4 seqNum 5d bri0 XMIT len 23 call 4
0000 ff 03 c0 21 01 0e 00 13 01 04 05 f4 05 06 00 03
0010 f1 a6 08 02 0d 03 06
92 258750 PP09 ebp 7ea6i8 seqNum 5e bri0 RECV len 29 call 4
0000 ff 03 c0 21 01 01 00 19 01 04 05 f4 03 04 c0 23
0010 11 04 05 f4 13 09 03 00 c0 7b 72 cf 08
93 258751 PP09 ebp ea 2c seqNum 5df bri0 XMIT len 21 call 4
0000 ff 03 c0 21 04 01 00 11 11 04 05 f4 13 09 03 00
0010 c0 7b 72 cf 08
94 258751 PP09 ebp ea 60 seqNum 60 bri0 RECV len 13 call 4
0000 ff 03 c0 21 04 0e 00 09 08 02 0d 03 06
95 258751 PP09 ebp e9dd4 seqNum 61 bri0 XMIT len 18 call 4
0000 ff 03 c0 21 01 0f 00 0e 01 04 05 f4 05 06 00 03
0010 f1 a6
96 258753 PP09 ebp 7e9e08 seqNum 62 bri0 RECV len 16 call 4
0000 ff 03 c0 21 01 02 00 0c 01 04 05 f4 03 04 c0 23
97 258753 PP09 ebp 7e9e3c seqNum 63 bri0 XMIT len 16 call 4
0000 ff 03 c0 21 02 02 00 0c 01 04 05 f4 03 04 c0 23
98 258754 PP09 ebp 7e9e70 seqNum 64 bri0 RECV len 18 call 4
0000 ff 03 c0 21 02 0f 00 0e 01 04 05 f4 05 06 00 03
0010 f1 a6
99 258754 PP09 LCP opened
100 258754 PP09 PAP sending user/pswd
101 258754 PP09 ebp 7e9ea4 seqNum 65 bri0 XMIT len 25 call 4
0000 ff 03 c0 23
296. on. A virtual private network is created when the local host establishes an IPSec protected connection to a remote private network through a security gateway.
7. The Add VPN Connection window will pop out. Press the IP button beside the Gateway Name box. Enter the P 202H Plus v2's WAN IP address in Gateway IP address.
[Screenshot: Add VPN Connection dialog with Gateway IP address 172.21.1.252, Remote network, Authentication key checkpoint certificate, Use legacy proposal, Diagnostics, Properties and Cancel.]
8. Press the button beside Remote network.
[Screenshot: Add VPN Connection dialog with Gateway IP address 172.21.1.252 and the Remote network field.]
9. The Network Editor window will pop out. Press the New button and enter P 202H Plus v2 in Network name, 192.168.1.0 in the IP address field and 255.255.255.0 in the Subnet Mask field. Then click OK to go back to the Add VPN Connection window.
[Screenshot: Network Editor: Give networks and subnetworks custom names; you can later use the names when creating rules. Defined networks: IP address 192.168.1.0, Network name ZYWALL.]
10. Choose P 202H Plus v2 as
297. on
[Screenshot: Add Standalone Snap-in list (Component Services, Computer Management, Device Manager, Disk Defragmenter, Disk Management, Event Viewer, Fax Service Management, Folder; Description: Computer management and related system tools) and the Computer Management dialog: Select the computer you want this Snap-in to manage; Local computer (the computer this console is running on) or Another computer (Browse); Allow the selected computer to be changed when launching from the command line (this only applies if you save the console); Back, Cancel.]
6. In the Add Standalone Snap-in dialog box, click Group Policy and then click Add.
[Screenshot: Add Standalone Snap-in dialog, Available Standalone Snap-ins: Fax Service Management, Folder, FrontPage Server Extensions, IP Security Policy Management, Link to Web Address, Local Users and Groups, Performance Logs and Alerts, Removable Storage Management; Description: This snap-in allows you to edit Gro
298. on options to this remote node in this menu.
2. SUA Applications
Configure a PPTP server behind SUA
• Introduction: PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. In order to run the Windows 9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server. Windows Dial-Up Networking uses the Internet standard Point-to-Point Protocol (PPP) to provide a secure, optimized, multiple-protocol network connection over dial-up telephone lines. All data sent over this connection can be encrypted and compressed, and multiple network level protocols (TCP/IP, NetBEUI and IPX) can be run correctly. Windows NT Domain Login level security is preserved even across the Internet.
[Figure: a Windows 95 PPTP client with a modem connecting over the Internet to an NT RAS server.]
• Protocol Stack: PPTP appears as a new modem type (Virtual Private Networking Adapter) that can be selected when setting up a connection in the Dial-Up Networking folder. The VPN Adapter type does not appear elsewhere in the system. Since PPTP encapsulates its data stream in the PPP protocol, the VPN requires a second dial-up adapter. This second dial-up adapter for VPN
299. onds
Encapsulation: Tunnel
Perfect Forward Secrecy (PFS): NONE
[Apply] [Cancel]
If you use SMT management, the VPN configurations are as shown below.
Menu 27.1.1 IPSec Setup
Index #; Name: to ssh; Active: Yes; Keep Alive: Yes
Local ID type: IP; Content:
My IP Addr: 172.21.1.252
Peer ID type: IP; Content:
Secure Gateway Addr: 4.4.0.4
Protocol:
Local: Addr Type SUBNET; IP Addr Start 192.168.1.8; End/Subnet Mask 255.255.255.4; Port Start; End N/A
Remote: Addr Type N/A; IP Addr Start N/A; End/Subnet Mask N/A; Port Start N/A; End N/A
Enable Replay Detection: No
Key Management: IKE
Edit Key Management Setup: No
Press ENTER to Confirm or ESC to Cancel
1. Edit the IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing Enter.
2. There are two phases for IKE. In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, the two peers negotiate general purpose SAs, which are secure channels for data transmission. Please note that any configuration in IKE Setup should match the settings configured in Sentinel.
Menu 27.1.1.1 IKE Setup
Phase 1: Negotiation Mode Main; Pre-Shared Key 12345678; Encryption Algorithm DES; Authentica
300. onnection via ISDN Leased Line
[Figure: Remote Node connected over an ISDN Leased Line.]
This configuration illustrates a LAN to LAN connection over an ISDN leased line that is subscribed from the telco.
• Key Settings in P 202H Plus v2
o Menu 2 ISDN Setup
o Menu 11 Remote Node Setup
Menu 2 ISDN Setup
Switch Type: DSS-1
B Channel Usage: Leased/Unused
Incoming Phone Numbers: ISDN Data
Advance Setup: No
B Channel Usage:
o Set to Leased/Unused if you are using one 64K leased line.
o Set to Leased/Leased if you are using one 128K leased line.
o Set to Leased/Switch if you are using one 64K leased line and one switch line.
The P 202H Plus v2 does not allow two leased lines to connect two different remote nodes. Therefore, if Leased/Leased is configured in Menu 2, it allows a 128K leased connection to a remote node, or allows MP bundling to a remote node.
Menu 11.1 Remote Node Profile
Rem Node Name: LAN1; Active: Yes; Call Direction:; Edit PPP Options: No; Rem IP Addr: 140.113.1.1; Edit IP: No
Incoming: Rem Login; Rem Password; Rem CLID N/A; Call Back N/A
Outgoing: My Login test; My Password; Authen CHAP/PAP
Telco Option: Transfer Type Leased; Allocated Budget (min); Period (hr); Schedules; Carrier Access Code; Nailed-Up Connection No; Toll Period (sec) 0
Session Options: Pri Phone # N/A; Edit Filter Sets No
301.
9. Click New Policy to configure the incoming VPN policy.
10. Give a name to the policy.
11. Select the Remote Secure Host that we configured above as the Source Address.
12. Select the Local Secure Host that we configured above as the Destination Address.
13. Select ANY as the Service.
14. For the rest of the settings, please refer to the following screen shot, and click OK to save.
[Screenshot: NetScreen-5 policy page at http://192.168.78.1: Name (optional) Incoming; Source Address Remote Secure Host; Destination Address Local Secure Host; Service ANY; NAT Off; Action Tunnel; VPN Tunnel ZyWALL; L2TP None; Authentication; Logging Enable; Counting Enable; Alarm Threshold 0 Bytes/Sec, 0 Bytes/Min; Schedule None; Traffic Shaping Off; Guaranteed Bandwidth 0 kbps; Maximum Bandwidth 0 kbps; Traffic Priority Low priority; DS Codepoint Marking Enable.]
Go to the Incoming T
302. ool Tray of the Windows system, right click on your SSH Sentinel icon and then choose Run Policy Editor.
[Screenshot: SSH Sentinel tray menu: View Statistics, Run Policy Editor, Auditing, User Key Agent, Select Active Policy, Select VPN, Start Policy Manager, Stop Policy Manager, Online Support, SSH Sentinel, Hide Tray.]
2. Choose Key Management. Select My Keys, then press the Add button.
[Screenshot: SSH Sentinel Policy Editor, Key Management tab: Trusted Policy Servers, Trusted Certificates, Certification Authorities, Remote Hosts, checkpoint certificate; Add, Remove, Properties, View; Description: The keys that are used for authenticating the local host.]
3. Select Create a preshared key and press Next.
[Screenshot: New Authentication Key wizard: This wizard guides you through the generation of a new authentication key. What kind of an authentication key would you like to create? Create an authentication key pair and a certificate; Enroll for a certificate; Create a preshared key.]
4. Give this preshared key a name, P 202H Plus v2. And then enter the preshared key 12345678 in both
303.
2. Internet Access with an Internal Server
[Figure: Internet Access using NAT, Many to One plus a Server Set. Client 1 (ILA), Client 2 (ILA2), Client 3 (ILA3) and FTP Server (ILA4) behind the Prestige, with one IGA assigned by the ISP.]
In this case we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2.1, NAT Server Setup (Used for SUA Only), to specify the Internet Server behind the NAT, as shown below.
Menu 15.2 NAT Server Setup (Used for SUA Only)
Rule / Start Port No. / End Port No. / IP Address
1 Default Default 0.0.0.0
2 80 80 192.168.1.33
3 0 0 0.0.0.0
4 0 0 0.0.0.0
5 0 0 0.0.0.0
Press ENTER to Confirm or ESC to Cancel
3. Using Multiple Global IP addresses for clients and servers. One to One, Many to One and Server Set mapping types are used.
[Figure: General Server 192 168 120, Other Clients 192 168 1, FTP Server 1 192.168.1.10 and FTP Server 2 192.168.1.11 behind the Prestige, with 3 IGAs assigned by the ISP.]
In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail. In this case we want to assign the 3 IGAs in the following way, using 4 NAT rules.
Rule 1: One to One type to map the FTP
304. or
[Screenshot: SSH Sentinel tray menu: Auditing, User Key Agent, Select Active Policy, Select VPN, Start Policy Manager, Stop Policy Manager, Online Support, SSH Sentinel, Hide Tray.]
2. Choose Key Management. Select My Keys, then press the Add button.
[Screenshot: SSH Sentinel Policy Editor, Key Management tab: Trusted Policy Servers, Trusted Certificates, Certification Authorities, Remote Hosts, checkpoint certificate; Add, Remove, Properties, View; Description: The keys that are used for authenticating the local host.]
3. Select Create a preshared key and press Next.
[Screenshot: New Authentication Key wizard: This wizard guides you through the generation of a new authentication key. What kind of an authentication key would you like to create? Create an authentication key pair and a certificate; Enroll for a certificate; Create a preshared key.]
4. Give this preshared key a name, P 202H Plus v2. And then enter the preshared key 12345678 in both the Shared secret and Confirm shared secret fields. Finally press Finish.
305. ox NS IDP
DECnet Phase IV
Apple Talk
Novell IPX
Van Jacobson Compressed TCP/IP
Van Jacobson Uncompressed TCP/IP
Bridging PDU
Stream Protocol (ST-II)
Banyan Vines
reserved (until 1993)
AppleTalk EDDP
AppleTalk SmartBuffered
Multi-Link [RFC1717]
NETBIOS Framing
Cisco Systems
Ascom Timeplex
Fujitsu Link Backup and Load Balancing (LBLB)
DCA Remote Lan
Serial Data Transport Protocol (PPP-SDTP)
SNA over 802.2
SNA
IPv6 Header Compression
KNX Bridging Data [ianp]
Encryption [Meyer]
Individual Link Encryption [Meyer]
Internet Protocol version 6 [Hinden]
Stampede Bridging
Reserved [Fox]
MP Protocol [Smith]
reserved (Control Escape) [RFC1661]
reserved (compression inefficient) [RFC1662]
Reserved Until 20 Oct 2000 [IANA]
Reserved Until 20 Oct 2000 [IANA]
NTCITS IPI [Ungar]
reserved (PPP NLPID)
single link compression in multilink [RFC1962]
compressed datagram [RFC1962]
reserved (compression inefficient)
reserved (compression inefficient)
802.1d Hello Packets
IBM Source Routing BPDU
Protocol numbers as printed in the table column: 0205 0207 0209 0231 0233 0235 0281 0283 4001 4003 4021 4023 8001 801f 8021 8023 8025 8027 8029 802b 802d 802i 8031 8033 8035
DEC LANBridge100 Spanning Tree
Cisco Discovery Protocol [Sastry]
Netcs Twin Routing [Korfmacher]
Luxcom
Sigma Network Systems
Apple Client Server Protocol [Ridenour]
306. p a connection without any traffic requesting it. When you want the link to be always up, you need to use it.
18. What are Device filters and Protocol filters? In ZyNOS, the filters have been separated into two groups. One group is called the device filter group and the other is called the protocol filter group. Generic filters belong to the device filter group; TCP/IP and IPX filters belong to the protocol filter group.
19. Why can't I configure device filters or protocol filters? In ZyNOS you can not mix different filter groups in the same filter set.
20. The P 202H Plus v2 supports uploading the firmware and configuration files using FTP, but how do I prevent outside users from using FTP to my P 202H Plus v2? The P 202H Plus v2 supports uploading the firmware and configuration files using FTP connections via LAN and WAN. So this becomes insecure: anyone can make an FTP connection over the Internet to your P 202H Plus v2. To prevent outside users from connecting to your P 202H Plus v2 via FTP, you can configure a filter to block the FTP connection from WAN.
Product FAQ
1. How do I collect the EPA trace? Moreover, how do I read it?
• Enable the trace in Menu 24.8 by the following CI command: isdn fw ana on
• Make a call to the remote node or ISP by dev dial N (N is the remote node number)
• Drop the call by dev chan
307. p rpc
conference 531/tcp chat
rvd-control 531/udp MIT disk
netnews 532/tcp readnews
netwall 533/udp for emergency broadcasts
uucp 540/tcp uucpd uucp daemon
klogin 543/tcp Kerberos authenticated rlogin
kshell 544/tcp cmd and remote shell
new-rwho 550/udp new-who experimental
remotefs 556/tcp rfs_server rfs Brunhoff remote filesystem
rmonitor 560/udp rmonitord experimental
monitor 561/udp experimental
garcon 600/tcp
maitrd 601/tcp
busboy 602/tcp
acctmaster 700/udp
acctslave 701/udp
acct 702/udp
acctlogin 703/udp
acctprinter 704/udp
elcsd 704/udp errlog
acctinfo 705/udp
acctslave2 706/udp
acctdisk 707/udp
kerberos 750/tcp kdc Kerberos authentication tcp
kerberos 50/udp kdc Kerberos authentication udp
kerberos_master 751/tcp Kerberos authentication
kerberos_master 751/udp Kerberos authentication
passwd_server 752/udp Kerberos passwd server
userreg_server 753/udp Kerberos userreg server
krb_prop 754/tcp Kerberos slave propagation
erlogin 888/tcp Login and environment passing
kpop 1109/tcp Pop with Kerberos
phone 1167/udp
ingreslock 1524/tcp
maze 1666/udp
nfs 2049/udp sun nfs
knetd 2053/tcp Kerberos de-multiplexor
eklogin 2105/tcp Kerberos encrypted rlogin
rmt 5555/tcp rmtd
mtb 5556/tcp mtbd mtb backup
man 9535/tcp remote man server
w 9536/tcp
mantst 9537/tcp remote man server testing
bnews 10000/tcp
308. ption Configuration Type
0 OUI [RFC1968]
1 Deprecated (DESE) [Fox]
2 DESE [Kummert]
3 DESE-bis [Fox]
4-255 Unassigned
PPP CCP CONFIGURATION OPTION TYPES. A one-octet field is used in the Compression Control Protocol (CCP) to indicate the configuration option type [RFC 1962].
CCP Option / Configuration Type
0 OUI [RFC1962]
1 Predictor type 1 [RFC1962]
2 Predictor type 2 [RFC1962]
3 Puddle Jumper [RFC1962]
4-15 unassigned
16 Hewlett-Packard PPC [RFC1962]
17 Stac Electronics LZS [RFC1974]
18 Microsoft PPC [RFC2118]
19 Gandalf FZA [RFC1962]
20 V.42bis compression [RFC1962]
21 BSD Compress [RFC1977]
22 unassigned
23 LZS-DCP [RFC1967]
24 MVRCA (Magnalink) [RFC1975]
25 DCE [RFC1976]
26 Deflate [RFC1979]
27-254 unassigned
255 Reserved [RFC1962]
The unassigned values 4-15 are intended to be assigned to other freely available compression algorithms that have no license fees.
• PPP SDCP CONFIGURATION OPTIONS. A one-octet field is used in the Compression Control Protocol (CCP) for the PPP Serial Data Transport Protocol (SDTP) to indicate the option type [RFC1963].
SDCP Option / Configuration Element
1 Packet Format [RFC1963]
2 Header Type [RFC1963]
Length Field Present [RFC1963]
Multi-Port [RFC1963]
Transport M
309. raffic Control Configuration
[Screenshot: NetScreen-5 web configurator at http://192.168.78.1, Policy page with Incoming and Outgoing tabs and the columns ID, Source Address, Destination Address, Service, NAT, Action, Option, Configure; Copyright 1998-2001 NetScreen Technologies Inc. All rights reserved.]
Create Phase 1 Proposal. Note that all phase 1 and phase 2 settings in NETSCREEN must be consistent with the P 202H Plus v2. Click the VPN menu and click the P1 Proposal tab. Click New Phase 1 Proposal to create a phase 1 proposal. Give a Name for this proposal, for example P 202H Plus v2. Select Preshare as the Authentication Method. Select Group 1 as the DH Group. Select DES-CBC as the Encryption Algorithm. Select MD5 as the Hash Algorithm. Enter 3600 in the Lifetime field and check the Sec checkbox. See the screen shot below.
[Screenshot: NetScreen Administration Tools in Microsoft Internet Explorer at http://192.168.78.1, NetScreen-5 Sys
310. The P 202H Plus v2 (202H Plus) supports the ISDN Device Control Protocol (ISDN DCP) from RVS-COM. The ISDN DCP allows a workstation on the LAN to run some CAPI applications. These applications include FAX, Voice and File transfer. Using ISDN DCP, the P 202H Plus v2 (202H Plus) behaves as a DCP server which listens for DCP messages on TCP port number 2578 on its LAN port; we call this feature NetCAPI. When the P 202H Plus v2 receives a DCP message from a DCP client running RVS-COM software, the P 202H Plus v2 sends the confirmation message to the client and sends ISDN packets through the BRI port. When the P 202H Plus v2 receives packets on its BRI port destined for one of the DCP clients, the router formats the packet as a DCP message and sends it to the corresponding client.
• Supported applications: G3/G4 FAX transmission; Euro File Transfer (EFT) file transfer; Autoanswer host mode; Telephony.
• Supported D Channel Protocol: NetCAPI is available only for the European ISDN switch type DSS1.
• RVS-COM Setup: To use the NetCAPI function of the P 202H Plus v2 (202H Plus) for FAX transmission, file transfer and voice, you must install RVS-COM Lite 1.63 or above first.
• P 202H Plus v2 Setup: All NetCAPI related settings are configured in menu 2.1 as shown below.
1. Edit the NetCAPI settings by setting Edit NetCAPI Setup to Yes.
Menu 2 ISDN Setup: Switch Type DSS-1; B Cha
311. rd the incoming packets to the true destination behind SUA. Generally we do not need extra settings in menu 15 for an outgoing connection. But for some applications, we need to configure menu 15 to make the outgoing connection work. After the required menu 15 settings are completed, the internal server or client applications can be accessed by using the P 202H Plus v2's WAN IP address.
• SUA Supporting Table: The following are the required menu 15 settings for the various applications running in SUA mode.
ZyXEL SUA Supporting Table (Application / Outgoing connection / Incoming connection, port → client IP)
HTTP: None; 80 → client IP
FTP: None; 21 → client IP
TELNET: None; 23 → client IP (and remove the Telnet filter on the WAN port)
POP3: None; 110 → client IP
SMTP: None; 25 → client IP
mIRC: None for Chat; for DCC please set (not legible)
Windows PPTP: None; 1723 → client IP
ICQ 99a: None for Chat; Default → client IP; for DCC please set ICQ > preference > connections > firewall and set the firewall time out to 80 seconds in the firewall setting
Cornell 1.1 Cu-SeeMe: None; 7648 → client IP
White Pine 3.1.2 Cu-SeeMe: (not legible); 7648 → client IP & 24032 → client IP
White Pine 4.0 Cu-SeeMe: (not legible); 7648 → client IP & 24032 → client IP
NetMeeting 2.1 & (not legible): 1503 → client IP
Cisco IP/TV 2.0.0: None
RealPlayer G2: None
VDOLive: None
Quake 064: None; Defaul
312. re used for authenticating the local host.
3. Select Create a preshared key and press Next.
[Screenshot: New Authentication Key wizard: This wizard guides you through the generation of a new authentication key. What kind of an authentication key would you like to create? Create an authentication key pair and a certificate; Enroll for a certificate; Create a preshared key.]
4. Give this preshared key a name, P 202H Plus v2. And then enter the preshared key 12345678 in both the Shared secret and Confirm shared secret fields. Finally press Finish.
[Screenshot: Network Editor: Give networks and subnetworks custom names; you can later use the names when creating rules. Defined networks: IP address 192.168.1.0, Network name ZyWALL, IP address, Subnet mask.]
5. Press Apply in the Main menu to save the above settings for later use.
[Screenshot: SSH Sentinel Policy Editor, Key Management tab: Trusted Policy Servers, Trusted Certificates, Certification Authorities, Remote Hosts, Directory Services, My K
313.
[Screenshot: ISP Parameters for Internet Access (provided by your ISP): ISP's Name Hinet; User Name; Password; ISP's Primary Phone Number 4125678; ISP's Secondary Phone Number; ISDN Loopback Test: Do you want to perform the ISDN Loopback Test before connecting to your ISP?; DNS Server Address (provided by your ISP): Get automatically from ISP / Use this server; Please click Connect to connect to your ISP; Help, Back, Connect, Cancel.]
Key Settings:
• Pri Phone # is the phone number your P 202H Plus v2 has to dial in order to access your ISP.
• My Login and My Password are the login information provided by the ISP.
• Since you have a single user Internet account, Single User Account should be set to Yes.
• For the Local IP Address field, since the IP address will be dynamically assigned, you can either enter 0.0.0.0 or leave this field blank.
After saving this menu, you will be asked if you want to perform an Internet connection test. Select Yes to perform the test. If the test fails, please check the above settings again or refer to the User's Manual Troubleshooting section for corrective action. When you have configured and saved Menu 4, you should see that you have created a remote node in Menu 11. You can perform more advanced configurati
314. rk is protected behind the Checkpoint or not.
[Screenshot: Network Properties: IP Address 192.168.99.0, Net Mask 255.255.255.0, Comment, Location Internal/External, Broadcast Allowed/Disabled.]
Define the LAN segment of Checkpoint. Select Location as Internal.
[Screenshot: Network Properties: IP Address and Net Mask (not legible), Location Internal, Broadcast Allowed/Disabled.]
If more than one network would like to utilize the VPN tunnel, you can merge the networks into one group.
• Go to Manage > Network Objects.
• Click on New > Group.
• Fill in the properties for the group objects as shown below.
[Screenshot: Group Properties: Name VPN, Comment Local Encryption Domain; members include ASP_1030, ASP_1030_192_168_1 and Net_internal_16_16.]
Creating VPN Objects. Define the P 202H Plus v2 box as a tunnel end point.
[Screenshot: Workstation Properties, General tab: Name SOHO_TEST; IP address; Comment; Location Internal/External; Type Host/Gateway; Modules Installed: VPN-1 & FireWall-1, Version.]
315. rm or ESC to Cancel
1. Edit the IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing Enter.
2. There are two phases for IKE. In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, the two peers negotiate general purpose SAs, which are secure channels for data transmission.
Menu 27.1.1.1 IKE Setup
Phase 1: Negotiation Mode Main; Pre-Shared Key 12345678; Encryption Algorithm DES; Authentication Algorithm MD5; SA Life Time (Seconds) 3608; Key Group DH1
Phase 2: Active Protocol ESP; Encryption Algorithm DES; Authentication Algorithm MD5; SA Life Time (Seconds) 3608; Encapsulation Tunnel; Perfect Forward Secrecy (PFS) None
Press ENTER to Confirm or ESC to Cancel. Press Space Bar to Toggle.
2. Setup NETSCREEN For VPN
1. Configure NETSCREEN by using its web configurator.
2. Login to NETSCREEN by giving the LAN IP address of NETSCREEN in the URL field.
Create Local & Remote Secure Host
1. Click the Address menu and click the Trusted tab.
2. Click New Address to add the local secure host (192.168.78.5 in this example) and give a name to this host address (Local Secure Host in this example). See the screen shown below. Note: The Netmask field here for a single IP is 255.255.255.255. Please do not enter the wrong netmask, otherwise the VPN can not be establ
316. rmware and configuration file upload using FTP connections via LAN and WAN, so it is possible that anyone can make an FTP connection over the Internet to your P-202H Plus v2. To prevent outside users from connecting to your P-202H Plus v2 via FTP, you can configure a filter to block FTP connections from the WAN. Before you begin: before configuring a filter you need to know the following information. 1. The inbound packet type (protocol & port number): in this case it is the TCP (06) protocol with port 20 or 21. 2. The source IP address: in this case we block all connections from outside, so the source IP is 0.0.0.0. 3. The destination IP address: it is the P-202H Plus v2's IP address, but it is not available in the SUA case, since most WAN IP addresses are dynamically assigned by the ISP; so we can only enter 0.0.0.0 as the destination IP in the filter rule. Once 0.0.0.0 is set as the destination IP, no FTP connections are allowed to reach the P-202H Plus v2 nor the FTP server on the LAN. For the LAN-to-LAN connection you enter the P-202H Plus v2's LAN IP as the destination IP in the filter rule; after the FTP filter is applied to the remote node it only blocks the FTP connection to the P-202H Plus v2 but still permits the FTP connection to the local FTP server. Configuration: create a filter set in Menu 21 (e.g. set 3); create two filter rules in Menu 21.3.1 and Menu 21.3.2. Rule 1: block the inbound FTP packet, TCP (06) protocol with port
317. rnet and the LAN/DMZ. For some reasons (load balance or backup line) users may want traffic to be re-routed to another Internet access device while still being protected by the P-202H Plus v2. In such a case the network topology is the most important issue. Here is a common example where people mis-deploy the static route: [Figure: triangle route topology; the P-202H Plus v2 and an ISDN router sit on the same switch/hub, connected to ISP 1 and ISP 2 respectively.] The above figure shows the triangle route topology. It works fine if you turn off the firewall function on the P-202H Plus v2 box. However, if you turn on the firewall, your connection will be blocked by the firewall for the following reason. Step 1: being the default gateway of the PC, the P-202H Plus v2 receives all outgoing traffic from the PC. Step 2: because of the static route (policy routing), the P-202H Plus v2 forwards the traffic to another gateway (the ISDN router), which is in the same segment as the P-202H Plus v2's LAN. Step 3: however, the return traffic won't go back through the P-202H Plus v2; instead the other gateway (the ISDN router) sends the traffic back to the PC directly, because the gateway (say P201) and the PC are in the same segment. When the firewall is turned on, the P-202H Plus v2 checks the outgoing traffic by ACL and creates dynamic sessions to allow the return traffic to go back. To achieve anti-DoS, the P-202H Plus v2 will send RST packets to the PC and the peer sin
318. rs; Output Filter Sets: protocol filters and device filters blank. Menu 11.1 - Remote Node Profile: Rem Node Name= abc; Active= Yes; Call Direction= Outgoing; Incoming: Rem Login= N/A, Rem Password= N/A, Rem CLID= N/A, Call Back= N/A; Outgoing: My Login= wxyz, My Password= (blank), Authen= CHAP/PAP, Pri Phone #= 140812345678, Sec Phone #= 140822345678; Edit PPP Options= No; Rem IP Addr= 0.0.0.0; Edit IP= No; Telco Option: Transfer Type= 64K, Allocated Budget (min), Period (hr), Schedules and Carrier Access Code blank, Nailed-Up Connection= No, Toll Period (sec)= 0; Session Options: Edit Filter Sets= Yes, Idle Timeout (sec)= 100. Press ENTER to Confirm or ESC to Cancel. Menu 11.5 - Remote Node Filter: Input Filter Sets, Output Filter Sets and Call Filter Sets (protocol filters and device filters) all blank. Menu 13 - Default Dial-in Setup: Telco Options: CLID Authen= None; PPP Options: Recv Authen= CHAP/PAP, Compression= Yes, Mutual Authen= No, O/G Username= N/A, O/G Password= N/A; IP Address Supplied By: Dial-in User= Yes, IP Pool= Yes, IP Start Addr= 123.234.111.163, IP Count (1-4)= 4; Session Options: Edit Filter Sets= Yes; Multiple Link Options: Max Trans Rate (Kbps)= 128; Callback Budget Management: Allocated Budget (min)= 0, Period (hr)= 0. Press ENTER to Confirm or ESC to Cancel.
319. [Screenshot: Sentinel Security Association Lifetimes dialog ("The settings affect this connection rule only"); IKE security association lifetime 240 minutes; IPSec security association lifetime in minutes and megabytes.] 2. Setup P-202H Plus v2 VPN: 1. Using a web browser, login to the P-202H Plus v2 by giving the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1; the default password to login to the web configurator is 1234. 2. Go to Advanced > VPN. 3. Check the Active box to enable this rule. Check Keep alive to make your VPN connection stay permanent. Select Negotiation Mode to Main, as we configured in Sentinel. Local IP Address Type is Subnet; Address Start is 192.168.1.0; End/Subnet Mask is 255.255.255.0. Remote IP: leave it as the default setup (0.0.0.0 / 0.0.0.0). My IP Addr is the WAN IP of the P-202H Plus v2. Secure Gateway IP Addr is 0.0.0.0. Select Encapsulation Mode to Tunnel. 10. Check the ESP check box (AH can not be used in the SUA/NAT case). 11. Select Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in Sentinel. 12. Enter the key string 12345678 in the Preshared Key text box and click Apply. 13. Press the Advanced button to set the IKE phase 1 and phase 2 parameters.
320. rties > Server Types > TCP/IP Settings. Setting up the P-202H Plus v2: before configuring the P-202H Plus v2 for this application you need to first complete the following settings: General Setup in SMT menu 1 (enter the system information); ISDN Setup in SMT menu 2 (configure the ISDN number); Ethernet Setup in SMT menu 3 (enter the IP address of the P-202H Plus v2 and enable the DHCP server if it is required). To setup the P-202H Plus v2 for this application, make sure you have the following menus configured correctly: Default Dial-in Setup in SMT menu 13; Edit Dial-in User in SMT menu 14. 1. Ethernet Setup in SMT Menu 3. Menu 3.2 - TCP/IP and DHCP Ethernet Setup: DHCP Setup: DHCP= None; Client IP Pool Starting Address= N/A; Size of Client IP Pool= N/A; Primary DNS Server= N/A; Secondary DNS Server= N/A. TCP/IP Setup: IP Address= 192.68.135.1; IP Subnet Mask= 255.255.255.0; RIP Direction= Both; Version= RIP-2B; Edit IP Alias= No. 2. Default Dial-in Setup in SMT Menu 13. Menu 13 - Default Dial-in Setup: Telco Options: CLID Authen= None. PPP Options: Recv Authen= CHAP/PAP; Compression= Yes; Mutual Authen= No; O/G Username= N/A; O/G Password= N/A. IP Address Supplied By: Dial-in User= No; IP Pool= Yes; IP Start Addr= 192.68.135.10; IP Count (1-4)= 4. Session Options: Edit Filter Sets= No. Multiple Link Options: Max Trans Ra
321. rules to cover the LAN segments of branch office A and headquarter. 1. The first rule in Branch_B: this rule is for branch office B to access headquarter. [Screenshot: web configurator VPN - IKE rule Branch_B_1; Active and Keep Alive check boxes; IPSec Key Mode IKE; Negotiation Mode Main; Local Address Type Range starting at 192.168.2.0; Remote Address Type Range starting at 192.168.1.0; Secure Gateway IP Address 0.0.0.0; Encapsulation Mode Tunnel; remaining fields unreadable.] You can setup the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule in headquarter. [Screenshot: web configurator Advanced Setup menu; truncated.]
322. s feature as Multi-NAT. For more information on IP address translation please refer to RFC 1631, The IP Network Address Translator (NAT). How NAT works: if we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Addresses (IGA), see the following figure. The term "inside" refers to the set of networks that are subject to translation. NAT operates by mapping the ILA to the IGA required for communication with hosts on other networks. It replaces the original IP source address and TCP or UDP source port numbers and then forwards each packet to the Internet/ISP, thus making the packets appear as if they had come from the NAT system itself (e.g. the P-202H Plus v2 router). The P-202H Plus v2 keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. [Figure 1: Local/Global IP Addresses; ILA (Inside Local Addresses) on the Prestige LAN side, IGA (Inside Global Addresses) on the ISP side.] NAT Mapping Types: NAT supports five types of IP/port mapping. They are: 1. One-to-One: in One-to-One mode the P-202H Plus v2 maps one ILA to one IGA. 2. Many-to-One: in Many-to-One mode the P-202H Plus v2 maps multiple ILAs to one IGA. This is equivalent to SUA (i.e. PAT, port address translation), ZyXEL's Single User Account feature that
323. s Help [Screenshot: Security Policy Editor, Network Security Policy, Add a new connection; Connection Security Secure; Remote Party Identity and Addressing: ID Type IP Address 0.0.0.0, Port All, Protocol All; Connect using Secure Gateway Tunnel, IP Address 0.0.0.0.] Remote Party Identity and Addressing settings: 4. In the ID Type option choose IP Address and enter the IP address of the remote PC (PC 2 in this case). 5. Check Connect using Secure Gateway Tunnel; also select IP Address as the ID Type and enter the P-202H Plus v2's WAN IP address in the following field. The detailed configuration is shown in the following figure: [Screenshot: Security Policy Editor; Remote Party Identity and Addressing set to the IP address of PC 2, Port All, Protocol All; Connect using Secure Gateway Tunnel with ID Type IP Address and the gateway's WAN IP 202.132.171.33.] Pre-Shared Key Settings: 6. Expand the P-202H Plus v2 icon; you will see My Identity. 7. Click My Identity, then click the Pre-Shared Key icon on the right side of the window. 8. Enter a key that later you will also need to configure in the P-202H Plu
324. s example are as shown below: [Figure: two P-202H Plus v2 gateways; LAN 192.168.1.1 / WAN 202.132.154.1 with host 192.168.1.33 on one side, LAN 192.168.2.1 / WAN 168.10.10.66 with host 192.188.2.33 on the other.] Note: the following configurations assume both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, we enter 0.0.0.0 as the secure gateway IP address; in this case the VPN connection can only be initiated from the dynamic side to the fixed side, to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all. 1. Setup P-202H Plus v2 A: 1. Using a web browser, login to the P-202H Plus v2 by giving the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1; the default password to login to the web configurator is 1234. Click Advanced and click the VPN tab on the left. On the SUMMARY menu, select a policy to edit by clicking Edit. On the CONFIGURE IKE menu, check the Active check box and give a name to this policy. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in P-202H Plus v2 B. Source IP Address Start and Source IP Address End are PC 1's IP in this example (the secure host behind P-202H Plus v2 A). Destination IP Address Start and Destination IP Address End are PC 2's IP in this example (the secure remote host). My IP Addr is the WAN IP of P-202H Plus
325. s> sys trcp channel enet0 bothway; ras> sys trcp sw on. Now a client on the LAN is trying to ping the P-202H Plus v2. ras> sys trcp sw off; ras> sys trcp disp:
    TIME 37c060 enet0 RECV len 74 call 0
    0000: 00 a0 c5 01 23 45 00 80 c8 4c ea 63 08 00 45 00
    0010: 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84
    0020: 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66
    0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
    0040: 77 61 62 63 64 65 66 67 68 69
    TIME 37c060 enet0 XMIT len 74 call 0
    0000: 00 80 c8 4c ea 63 00 a0 c5 01 23 45 08 00 45 00
    0010: 00 3c 00 07 00 00 fe 01 f0 ef ca 84 9b 63 ca 84
    0020: 9b 5d 00 00 4d 5c 03 00 05 00 61 62 63 64 65 66
    0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
    0040: 77 61 62 63 64 65 66 67 68 69
    The detailed format of the Ethernet Version II frame: Ethernet Version II: Address 00 80 C8 4C EA 63 (Source MAC) > 00 A0 C5 01 23 45 (Destination MAC); Ethernet II Protocol Type: IP. Internet Protocol: Version (MSB 4 bits) 4; Header length (LSB 4 bits) 5; Service type: Precd Routine, Delay Normal, Throut Normal, Reli Normal; Total length 60 Octets; Fragment ID 60172; Flags: May be fragmented, Last fragment; Offset 0 (0x00); Time to live 32 seconds/hops; IP protocol type ICMP (0x01); Checksum 0xE3EA; IP address 202.132.155.93 (Source IP address) >
326. [Table of contents fragment; dot leaders garbled]
    (unreadable entry) 24
    (unreadable entry) 24
    1. When does the P-202H Plus v2 generate the firewall log? 24
    2. What does the log show to us? 24
    3. How do I view the firewall log? 25
    4. When does the P-202H Plus v2 generate the firewall alert? 25
    5. What does the alert show to us? 25
    6. What is the difference between the log and alert? 26
    IPSec Related FAQ 27
    IPSec FAQ (page number unreadable)
    VPN Overview 27
    1. What is VPN? 27
    2. Why do I need VPN? 27
    3. What are most common VPN protocols? 28
    4. (unreadable entry) 28
    5. What is L2TP? 28
    6. What is IPSec? 28
    8. What are the differences between Transport mode and Tunnel mode? 28
    9. What is SA? 29
    10. What is IKE? 29
    11. What is Pre-Shared Key? 29
    12. What are the differences between IKE and manual key VPN? 29
    1. How do I config
327. s v2 in the pop-out window. In this example we enter 12345678. See below: [Screenshot: Pre-Shared Key dialog with 12345678 entered.] Security Policy Settings: 9. Click the Security Policy option to choose Main Mode as the Phase 1 Negotiation Mode. [Screenshot: Security Policy Editor; Security Policy tree with Authentication (Phase 1) and Key Exchange (Phase 2); Use Manual Keys; Enable Perfect Forward Secrecy (PFS), PFS Key Group Diffie-Hellman Group 1; Enable Replay Detection.] 10. Expand the Security Policy icon; you will see two icons, Authentication (Phase 1) and Key Exchange (Phase 2). 11. The settings shown in the following two figures for both Phases are our examples. You can choose any, but they should match whatever you enter in the P-202H Plus. [Screenshots: Security Policy Editor, Authentication (Phase 1) and Key Exchange (Phase 2) settings; truncated.]
328. se Cannot answer incoming call from a Remote Node or Dial-in User: the following are some of the possible reasons for the P-202H Plus v2 not answering an incoming call: system can't answer the call; ISDN protocol mismatched; system authentication not set correctly; far-end name/password not correct; IP address mismatched. To collect the trace or to identify the problem, just use the sys event command in the CI and wait for an incoming call. If it is a PPP-related problem, then use the following steps to collect a PPP trace: sys trcl cl; sys trcl sw on; sys trcp sw on; <wait for an incoming call, or issue sys event after the call stops>; sys trcl sw off; sys trcp sw off; sys trcl disp. Cannot callback to a Dial-in User: the P-202H Plus v2 only supports Microsoft's proprietary CallBack Control Protocol (CBCP). Thus the P-202H Plus v2 will be able to do PPP callback only to those devices that also support CBCP. This means that if a dial-in user is using a different package, such as Trumpet, which doesn't support CBCP, then the P-202H Plus v2 will not callback to the user. 3. IP Routing Related SMT screens and CI commands: SMT Menu 2; ip route stat: display the ip route table and statistic counters; ip route errcnt disp: display the ip route error counters; ip route errcnt clear: clear
329. se [Screenshot: IKE Phase 2 settings; Active Protocol ESP; Encryption Algorithm DES; Authentication Algorithm and SA Life Time (Seconds) unreadable; Encapsulation Tunnel; Perfect Forward Secrecy (PFS) None; Apply / Cancel.] 2. The corresponding rule for Branch_B_1 in headquarter: [Screenshot: web configurator VPN - IPSec Setup rule to_Branch_B_1; Active and Keep Alive check boxes; IPSec Key Mode IKE; Negotiation Mode Main; Local Address Type Range starting at 192.168.1.0; Remote Address Type Range starting at 192.168.2.0; Secure Gateway IP Address 202.2.1.1; Encapsulation Mode Tunnel; VPN Protocol ESP; Encryption DES; Authentication Algorithm SHA1; remaining fields unreadable.] [Screenshot: VPN - IKE Advanced Setup page with Enable Replay Detection; truncated.]
330. ss 203.66.113.10; Port= 1645; Key= key187. Key Settings: Server Address: enter the IP address of the RADIUS server, for example 203.66.113.10. Port: the default RADIUS UDP port is 1645; reboot the P-202H Plus v2 if it is changed to 1812. Key: the key must be the same as the one configured in the Clients file. 6. Please check there is no duplicate user setting in SMT menu 14 compared to the Users file in step 4. 11. Using CLID Callback. What is CLID Callback? CLID stands for Calling Line Identification, i.e. calling party number, which can be used by the ISDN CPE to call back without answering the call. The phone number used for calling back is captured from the D-channel message, so if your local ISDN switch is able to carry the calling party number, the P-202H Plus v2 can use this phone number to call back to the remote party. There are two types of callback that the P-202H Plus v2 supports: the CLID callback and the MS CBCP callback (using Dial-Up Networking). Unlike the CLID callback, when using the MS CBCP callback the CPE must answer the first call to get the remote phone number from the PPP CBCP negotiation, and then call back to the remote party after hanging up the first call. In such a case the remote party has to pay for the first phone call, while when using the CLID callback the remote party does not have to pay for the first call, since the call is not answered.
331. sswords tab, setup the passwords for this router. See the screen shot: [Screenshot: Cisco ConfigMaker 2.5.1 window showing the Network Diagram, Devices and Connections panes, the "Using Cisco ConfigMaker" tutorial text, and the device context menu (Deliver Configuration, Read Configuration, Ping Device, Telnet, Configure a VPN, Issue Show Commands, Launch Device Home Page, Device Properties).]
332. t TCP (06) protocol with port number 80. Rule 2: block the DNS packet, TCP (06) protocol with port number 53. Rule 3: block the DNS packet, UDP (17) protocol with port number 53. Apply the filter set in the remote node (Menu 11). Create a filter set in Menu 21. Menu 21 - Filter Set Configuration: filter set 1 has Comments= Web Request; filter sets 2 to 12 are blank. Enter Filter Set Number to Configure= 1; Edit Comments= (blank). Press ENTER to Confirm or ESC to Cancel. Rule one, for an HTTP packet (TCP 06, port number 80). Menu 21.1.1 - TCP/IP Filter Rule: Filter #= 1,1; Filter Type= TCP/IP Filter Rule; Active= Yes; IP Protocol= 6; IP Source Route= No; Destination: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port #= 80, Port # Comp= Equal; Source: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port #= (blank), Port # Comp= None; TCP Estab= No; More= No; Log= None; Action Matched= Drop; Action Not Matched= Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Rule 2, for a DNS request (TCP 06, port number 53). Menu 21.1.2 - TCP/IP Filter Rule: Filter #= 1,2; Filter Type= TCP/IP Filter Rule; Active= Yes; IP Protocol= 6; IP Source Route= No; Destination: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port #= 53, Port # Comp= Equal; Source: IP Addr= 0.0.0.0, IP Mask= 0.0
333. t client IP [Table fragment: SUA-supported applications and their ports; rows for Quake II, Quake III 1.05 beta, StarCraft, QuickTime 4.0 and pcAnywhere 8.0 (ports 5631 and 5632) plus port 22, each marked "client IP" or "None"; column layout unreadable.] Since SUA enables your LAN to appear as a single computer to the Internet, it is not possible to configure similar servers on the same LAN behind SUA. Because White Pine Cu-SeeMe uses dedicated ports (port 7648 & port 24032) to transmit and receive data, only one local Cu-SeeMe is allowed within the same LAN. With SUA enabled, NetMeeting users within the same LAN will not be able to connect to the remote NetMeeting user, as remote users are not able to distinguish between local users with the same Internet IP; SUA allows one local NetMeeting user to connect to multiple Internet users at the same time. Certain Quake servers do not allow multiple users to login using the same unique IP, so only one Quake user will be allowed in this case. Moreover, when a Quake server is configured behind SUA, the P-202H Plus v2 will not be able to provide information about that server on the Internet. 5. Quake II has the same limitations as Quake I. Notes: 1. If an SMTP (port 25) server is configured in menu 15, the POP3 (port 110) packets will also be forwarded to the same SMTP server by the P-202H Plus v2 automatically.
334. t the data unit is a string along with its length and value. ASN.1 is a flexible way of defining protocols, especially for network management protocols, where nodes may support different sets of manageable variables. The set of variables that each node supports is called the Management Information Base (MIB). The MIB is made up of several parts, including the Standard MIB (specified as part of SNMP) and Enterprise-Specific MIBs, which are defined by different manufacturers for hardware-specific management. The current Internet standard MIB, MIB-II, is defined in RFC 1213 and contains 171 objects. These objects are grouped by protocol (including TCP, IP, UDP and SNMP) and other categories (including system and interface). The Internet Management Model is as shown in figure 1. Interactions between the NMS and managed devices can be any of four different types of commands: 1. Reads: Read is used to monitor the managed devices; NMSs read variables that are maintained by the devices. 2. Writes: Write is used to control the managed devices; NMSs write variables that are stored in the managed devices. 3. Traversal operations: NMSs use these operations to determine which variables a managed device supports and to sequentially gather information from variable tables (such as the IP routing table) in managed devices. 4. Traps: The manage
335. t to Leased/Switch if you are using one 64K leased line and one switched line. The P-202H Plus v2 does not allow two leased lines to connect to two different remote nodes. Therefore, if Leased/Leased is configured in Menu 2, it allows a 128K leased connection to a remote node or allows MP bundling to a remote node. Menu 4 - Internet Access Setup: ISP's Name= hinet; Pri Phone #= N/A; Sec Phone #= N/A; My Login= test; My Password= (not shown); My WAN IP Addr= 0.0.0.0; NAT= SUA Only; Address Mapping Set= N/A; Telco Option: Transfer Type= Leased, Multilink= Off, Idle Timeout= 100. Key Settings: My Login and My Password are the login information provided by the ISP. Turn on SUA if you only have a single-user Internet account. Enter the IP address assigned by the ISP for the P-202H Plus v2; enter 0.0.0.0 if the IP is dynamically assigned during the PPP connection. Set the Transfer Type to Leased for the ISDN leased line connection. After saving this menu you will be asked if you want to perform an Internet connection test. Select Yes to perform the test. If the test fails, please check the above settings again. When you have configured and saved Menu 4, you should see that you have created a remote node in Menu 11. You can perform more advanced configuration of this remote node in that menu. LAN-to-LAN C
336. te IP Address Start is Sentinel's IP, 192.168.2.33. My IP Addr is the WAN IP of the P-202H Plus v2. Secure Gateway IP Addr is the NAT router's IP. Select Encapsulation Mode to Tunnel. 10. Check the ESP check box (AH can not be used in the SUA/NAT case). 11. Select Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in Sentinel. 12. Enter the key string 12345678 in the Preshared Key text box and click Apply. 13. Press the Advanced button to set the IKE phase 1 and phase 2 parameters. See the VPN rule screen shot: [Screenshot: web configurator VPN rule; Active; Name lta_ssh; IPSec Key Mode IKE; Negotiation Mode Main; Local Address Type Subnet Address, Start Address 192.168.1.0, End Address 255.255.255.0; Remote Address Type Single Address, Start Address 192.168.2.33, End Address 0.0.0.0; My IP Address and Secure Gateway IP Address unreadable; Encapsulation Mode Tunnel; VPN Protocol ESP; Pre-Shared Key 12345678; Encryption DES; Authentication Algorithm MD5.] Set the IKE Phase 1 and Phase 2 parameters.
337. te (Kbps)= 128; Callback Budget Management: Allocated Budget (min)= 0, Period (hr)= 0. Press ENTER to Confirm or ESC to Cancel. The Recv Authen field should be set to the type of authentication protocol you want to use. Since the workstation needs to have its IP address assigned, set the IP Address Supplied By: Dial-in User field to No. Make sure that IP Pool is set to Yes. In IP Start Addr enter the IP address that you want to assign to the workstation when it dials in; in our example this would be 192.68.135.10. All the common properties in Menu 13 will be applied to all dial-in users. Note: if the remote user uses Win9x to dial in, Recv Authen must be set to PAP, because Windows 9x will not respond to any periodic CHAP challenge sent by the P-202H Plus v2, which will cause the P-202H Plus v2 to drop the call. 3. Edit Dial-in User Setup in SMT menu 14.1. Dial-in user without callback: Menu 14.1 - Edit Dial-in User: User Name= abc; Active= Yes; Passwd= ********* (masked); Callback= No; Phone # Supplied by Caller= N/A; Callback Phone #= N/A; Rem CLID= (blank); Idle Timeout= 100. The User Name and Password fields should be set to the login username and password that the workstation will provide when dialin
338. te source and destination addresses. 5. Uncheck the Mirror check box. [Screenshot: Filter Properties, Addressing tab; Source address: A specific IP Address 192.168.1.33, Subnet mask 255.255.255.255; Destination address: A specific IP Address (values unreadable); Mirrored ("Also match packets with the exact opposite source and destination addresses") check box.] 6. On the Protocol tab, leave the protocol type as Any, because IPSec tunnels do not support protocol-specific or port-specific filters. [Screenshot: Filter Properties, Protocol tab; Select a protocol type: Any; From any port / To any port.] 7. On the Description tab you can give a name to this filter list. The filter name is displayed in the IPSec monitor when the tunnel is active. [Screenshot: Filter Properties, Description tab; Description field with the filter name (text unreadable).] 8. Click OK and Close to close the windows. A
339. tem [Screenshot: NetScreen Phase 1 Proposal Configuration; Name ZyWALL; Authentication Method Preshare; DH Group Group 1; Encryption Algorithm DES-CBC; Hash Algorithm MD5; Lifetime 3600 Sec; Copyright 1998-2001 NetScreen Technologies Inc. All rights reserved.] Go to the Proposal 1 Configuration. Create Phase 2 Proposal: 1. Click the VPN menu and click the P2 Proposal tab. 2. Click New Phase 2 Proposal to create a phase 2 proposal. 3. Check the Encryption (ESP) checkbox and select DES-CBC and MD5 as the Encryption Algorithm and the Authentication Algorithm. See the screenshot: [Screenshot: NetScreen Administration Tools in Microsoft Internet Explorer, address http://192.168.78.1/ (remainder of URL unreadable).] Create VPN Gateway: 1. Click the VPN menu and click the Gateway tab. 2. Click New Remote Tunnel Gateway to add the local VPN gateway, i.e. NETSCREEN. 3. Give a name to this gateway, for example NETSCREEN. 4. Click Static IP Address, as for this example
340. tes
1. Internet Access
A typical Internet access application of the P-202H Plus v2 is shown below. For a small office there are some components you need to check before accessing the Internet.
• Before you begin
The P-202H Plus v2 is shipped with the following factory defaults:
1. IP address 192.168.1.1, subnet mask 255.255.255.0 (24 bits)
2. DHCP server enabled, with the IP pool starting from 192.168.1.33
3. Default SMT menu password 1234
• Setting up the Win95/98 workstation
1. Ethernet connection. All PCs must have an Ethernet adapter card installed.
  • If you only have one PC, connect the PC's Ethernet adapter to the P-202H Plus v2's LAN port with a crossover (red) Ethernet cable.
  • If you have more than one PC, both the PCs' Ethernet adapters and the P-202H Plus v2's LAN port must be connected to an external hub with straight Ethernet cables.
2. TCP/IP installation. You must first install TCP/IP software on each PC before you can use it for Internet access. If you have already installed TCP/IP, go to the next section to configure it; otherwise follow these steps to install it:
  • In the Control Panel > Network window, click the Add button.
  • In the Select Network Component Type window, select Protocol and click Add.
  • In the Select Network Protocol window, select Microsoft from the manufacturers, then select TCP/IP from the Network Protocols and click OK.
3. TCP/IP configuration. Follow these steps to configure Windows TCP/IP
341. tion
Menu 27.1.1 - IPSec Setup
  Index=            Name= PrestigeA
  Active= Yes       Keep Alive= No
  Local ID type= IP   Content= 4.4.0.4
  My IP Addr= 282.132.154.1
  Peer ID type= IP    Content= 4.4.4.4
  Secure Gateway Addr= 168.10.10.66
  Protocol=
  Local:  Addr Type= SINGLE
          IP Addr Start= 192.168.1.33   End/Subnet Mask= N/A
          Port Start= 4                 End= N/A
  Remote: Addr Type= SINGLE
          IP Addr Start= 192.168.2.33   End/Subnet Mask= N/A
          Port Start=                   End= N/A
  Enable Replay Detection= No
  Key Management= IKE
  Edit Key Management Setup= No
  Press ENTER to Confirm or ESC to Cancel
1. Edit the IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing Enter.
2. There are two phases for IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission. Note that any configuration in IKE Setup should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B.
Menu 27.1.1.1 - IKE Setup
  Phase 1
    Negotiation Mode= Main
    Pre-Shared Key= 12345678
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)= 3608
    Key Group= DH1
  Phase 2
    Active Protocol= ESP
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA
342. tion Algorithm= MD5
    SA Life Time (Seconds)= (illegible)
    Key Group= DH1
  Phase 2
    Active Protocol= ESP
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)= 28800
    Encapsulation= Tunnel
    Perfect Forward Secrecy (PFS)= None
  Press ENTER to Confirm or ESC to Cancel
Sentinel Behind NAT to P-202H Plus v2: Static IP Tunneling
This page guides us through setting up a VPN connection between the Sentinel software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the Sentinel software and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1 (with Sentinel installed) and the P-202H Plus v2 ensures that the packets flowing between them are secure, because packets going through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for Sentinel and the P-202H Plus v2 are explained in the following sections. As the red pipe in the following figure shows, the tunneling endpoints are Sentinel and the P-202H Plus v2.
The IP addresses we use in this example are as shown below.
[Figure: Sentinel PC behind a NAT device, red pipe to the Prestige. Addresses shown: LAN 192.168.2.1, 192.168.2.33, WAN 172.21.1.252; LAN 192.168.1.1, 192.168.1.33, WAN 172.21.1.232.]
1. Setup SSH Sentinel
1. From the tool tray of the Windows system, right-click your SSH Sentinel icon and then choose Run Policy Editor.
[Screenshot: tray menu with View Statistics and Run Policy Editor]
343. tions
For secure connections, no SUA server settings are required, since the private IP is reachable in the VPN case. For example:
[Figure: host, P-202H Plus v2 (NAT), Internet, secure host, non-secure host]
SSH Sentinel FAQ
1. What is the SSH Sentinel VPN client?
Developed by SSH (http://www.ssh.com), the Sentinel VPN client is software bundled with the P-202H Plus v2 VPN solution. It supports IPSec VPN.
2. Why do I need to use Sentinel?
SSH Sentinel(TM) is easy-to-use software for remote working based on the latest VPN technology. The software provides smooth integration with the P-202H Plus v2 VPN, which may be installed as the HQ gateway.
3. Does SSH Sentinel work with the PPP over Ethernet (PPPoE) protocol which is used by ADSL network adapter cards?
Yes, the latest release, SSH Sentinel 1.3, also supports PPPoE, but due to the wide range of PPPoE implementations and the fact that we have very limited access to PPPoE adapters in general, we are not able to fully test this functionality. As a consequence it is hard to say exactly which PPPoE drivers SSH Sentinel 1.3 is fully compatible with.
4. How to configure the Pre-IPSec filter?
In the pre-IPSec configuration, never remove the pre-IPSec filter rule that bypasses IKE traffic. If you do, all your attempts to establish any IPSec connection are bound to fail, be
344. to Tunnel.
11. Check the ESP check box. AH cannot be used in the SUA/NAT case.
12. Set the Encryption Algorithm to DES and the Authentication Algorithm to MD5, as we configured in SSH.
13. Enter the key string 12345678 in the Preshared Key text box and click Apply.
14. Press the Advanced button to set the IKE phase 1 and phase 2 parameters.
See the VPN rule screen shot:
[Screenshot: ZyXEL web configurator, Advanced Setup > VPN > IKE > IPSec Setup. Active checked; IPSec Key Mode IKE; Negotiation Mode Main; Local Address Type Subnet, Subnet Mask 255.255.255.0; Remote Address Type Single, IP Address Start 172.21.1.232; My IP Address 172.21.1.252; Peer ID Type IP, Content 0.0.0.0; Secure Gateway IP Address 172.21.1.232; Encapsulation Mode Tunnel; VPN Protocol ESP; Pre-Shared Key 12345678; Encryption Algorithm DES; Authentication Algorithm MD5.]
Set IKE Phase 1 and Phase 2 parameters
345. trcp sw on|off command.
dcp trcp disp
To display the NetCAPI packet log, use the dcp trcp disp command. The following example shows the output of the dcp trcp disp command:
  ISDN_DCP Message Log
  Entries: 12
  Format 1: Time Stamp, Object ID, MessageNum, Parameter Length, Message ID
  TIME 23043 188  Obj 00000000  MNum 0x0  Len 0000  DCP_CAPABILITY_REQ  0000
  Format 2: Time Stamp, Object ID, MessageNum, Parameter Length, Message ID
  TIME 23043 188  Obj 00000000  MNum 0x0  Len 0025  DCP_CAPABILITY_CONF  0001
  Parameter Part:
  00 01 03 01 02 03 01 00 00 00 00 01 05 5a 79 58 45 4c 01 00 0e 50 72 65 73 74 69 67 65 20 32 30
dcp trcp clear
To clear the NetCAPI packet log, use the dcp trcp clear command.
dcp status disp
To display the NetCAPI status, use the dcp status disp command.
dcp object <object_id>
To display the NetCAPI objects, use the dcp object <object_id> command.
10. Using RADIUS
• What is RADIUS?
A Network Access Server (NAS), e.g. a router, operates as a client of RADIUS. The RADIUS client is responsible for passing user information to designated RADIUS servers and then acting on the response which is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. Transactions betw
346. tual IP address and Extended authentication.
[Screenshot: SSH Sentinel Add VPN Connection, General/Advanced tabs. Remote endpoint: Security gateway; Remote network: ALL; IPSec/IKE proposal: Authentication key, Proposal template normal; Acquire virtual IP address unchecked ("A virtual IP address is an address from the internal network"); Extended authentication ("The VPN gateway may require IKE XAuth, RADIUS or CHAP authentication").]
13. Tune the IKE proposal to Encryption algorithm DES, Integrity function MD5, IKE mode main mode, IKE group MODP 768 (group 1), and the IPSec proposal to Encryption algorithm DES, Integrity function HMAC-MD5, PFS group none.
[Screenshot: Proposal Parameters: main mode, MODP 768 (group 1), DES, HMAC-MD5.]
14. Press Apply to save all of the settings.
[Screenshot: SSH Sentinel Policy Editor: Pre-IPSec Filter, VPN Connections, Secured Networks, Default Response.]
347. um 1f PPP1 XMIT 24 len 8
       0000 c0 29 02 32 00 06 01 02
116 fe402a 0 PNET ebp 4abb0 seqNum 20 PPP1 RECV 24 len 8
       0000 c0 29 03 32 00 06 01 02
117 fe4034 225 PNET ppp IPCP negotiation started
118 fe403e 0 POU1 ebp 4abe0 seqNum 21 PPP1 XMIT 24 len 18
       0000 80 21 01 12 00 10 02 06 00 2d 0f 01 03 06 cc f7
       0010 cb b7
119 fe403e 2d7 PNET ppp BACP negotiation started
120 fe4048 0 POU1 ebp 4ac10 seqNum 22 PPP1 XMIT 24 len 12
       0000 80 71 01 13 00 0a 01 06 00 00 00 01
121 fe4048 0 PNET ebp 4ac40 seqNum 23 PPP1 RECV 24 len 12
       0000 80 2b 01 16 00 0a 01 06 00 00 00 00
122 fe4048 0 POU1 ebp 4ac70 seqNum 24 PPP1 XMIT 24 len 20
       0000 ff 03 c0 21 08 13 00 10 80 2b 01 16 00 0a 01 06
       0010 00 00 00 00
123 fe4052 0 PNET ebp 4aca0 seqNum 25 PPP1 RECV 24 len 12
       0000 80 71 01 17 00 0a 01 06 ff ff ff ff
124 fe4052 0 POU1 ebp 4acd0 seqNum 26 PPP1 XMIT 24 len 12
       0000 80 71 02 17 00 0a 01 06 ff ff ff ff
125 fe405c 0 PNET ebp 4ad00 seqNum 27 PPP1 RECV 24 len 26
       0000 ff 03 c0 21 08 33 00 16 80 21 01 12 00 10 02 06
       0010 00 2d 0f 01 03 06 cc f7 cb b7
126 fe4066 0 PNET ebp 4ad30 seqNum 28 PPP1 RECV 24 len 12
       0000 80 71 02 13 00 0a 01 06 00 00 00 01
127 fe4066 2d8 PNET ppp BACP up
Program Trace Switch = OFF    Packet Trace Switch = OFF
From the packet trace above one can tell why the IPCP protocol was rejected by the far end. Please refer to PPP tra
348.
  rscs0     10000/udp
  queue     10001/tcp
  rscs1     10001/udp
  poker     10002/tcp
  rscs2     10002/udp
  gateway   10003/tcp
  rscs3     10003/udp
  remp      10004/tcp
  rscs4     10004/udp
  rscs5     10005/udp
  rscs6     10006/udp
  rscs      10007/udp
  rscs8     10008/udp
  rscs9     10009/udp
  rscsa     10010/udp
  rscsb     10011/udp
  qmaster   10012/tcp
  qmaster   10012/udp
4. Protocol Numbers
In Internet Protocol version 4 (IPv4, RFC 791) there is a field called Protocol to identify the next level protocol. This is an 8-bit field. In Internet Protocol version 6 (IPv6, RFC 1883) this field is called the Next Header field.
Assigned Internet Protocol Numbers
  Decimal  Keyword       Protocol                                                    References
  0        HOPOPT        IPv6 Hop-by-Hop Option                                      RFC1883
  1        ICMP          Internet Control Message                                    RFC792
  2        IGMP          Internet Group Management                                   RFC1112
  3        GGP           Gateway-to-Gateway                                          RFC823
  4        IP            IP in IP (encapsulation)                                    RFC2003
  5        ST            Stream                                                      RFC1190, IEN119
  6        TCP           Transmission Control                                        RFC793
  7        CBT           CBT                                                         Ballardie
  8        EGP           Exterior Gateway Protocol                                   RFC888, DLM1
  9        IGP           any private interior gateway (used by Cisco for their IGRP) IANA
  10       BBN-RCC-MON   BBN RCC Monitoring                                          SGC
  11       NVP-II        Network Voice Protocol                                      RFC741, SC3
  12       PUP           PUP                                                         PUP, XEROX
           ARGUS         ARGUS                                                       RWS4
           EMCON         EMCON                                                       BN7
           XNET          Cross Net Debugger                                          IEN158, JFH2
           CHAOS         Chaos                                                       NC3
           UDP           User Datagram                                               RFC76
349. up Policy Objects, which can be linked to a Site, Domain or Organizational Unit in the Active Directory, or stored on a computer.
7. Verify that Local Computer (the default setting) is selected in the Group Policy Object dialog box and then click Finish.
[Screenshot: Select Group Policy Object dialog. "Group Policy Objects can be stored in the Active Directory or on a local computer. Use the Browse button to select a Group Policy Object." Group Policy Object: Local Computer; "Allow the focus of the Group Policy Snap-in to be changed when launching from the command line. This only applies if you save the console." Back / Finish / Cancel.]
8. In the Add Standalone Snap-in dialog box, click Certificates and then click Add.
[Screenshot: Add Standalone Snap-in dialog listing the available snap-ins (ActiveX Control, Certificates, Component Services, Computer Management, Device Manager, Disk Defragmenter, Disk Management, Event Viewer, Fax Service Management, Folder). Description: "The Certificates snap-in allows you to browse the contents of the certificate stores for yourself, a service, or a computer."]
350. ure P-202H Plus v2 VPN  30
  2. How many VPN connections does P-202H Plus v2 support?  30
  3. What VPN protocols are supported by P-202H Plus v2 VPN?  30
  4. What types of encryption does P-202H Plus v2 VPN support?  30
  5. What types of authentication does P-202H Plus v2 VPN support?  30
  6. I am planning my P-202H Plus v2 to P-202H Plus v2 VPN configuration. What do I need to know?  30
  7. Does P-202H Plus v2 support dynamic secure gateway IP?  31
  8. What VPN gateways have been tested with P-202H Plus v2 successfully?  31
  9. What VPN software has been tested with P-202H Plus v2 successfully?  32
  10. Will ZyXEL support Secure Remote Management?  32
  11. Does P-202H Plus v2 VPN support NetBIOS broadcast?  32
  12. What are the differences between the My IP Address and Secure Gateway IP Address in Menu 27.1.1?  32
  13. Is the host behind NAT allowed to use IPSec?  32
  14. Why does VPN throughput decrease when staying in SMT menu  33
  15. How do I configure P-202H Plus v2 with NAT for internal servers?  33
SSH Sentinel  33
  1. What is SSH Sentinel VPN client
351. urity gateway
7. The Add VPN Connection window will pop up. Press the IP button beside the Gateway Name box. Enter the P-202H Plus v2's WAN IP address in Gateway IP address.
[Screenshot: Add VPN Connection. Gateway IP address 172.21.1.252; Remote network; Authentication key: checkpoint certificate; Use legacy proposal; Diagnostics / Properties / OK / Cancel.]
8. Press the button beside Remote network.
[Screenshot: Add VPN Connection, the same dialog, with the button beside Remote network highlighted.]
9. The Network Editor window will pop up. Press the New button and enter P-202H Plus v2 in the Network name field, 192.168.1.0 in the IP address field and 255.255.255.0 in the Subnet mask field. Then click OK to go back to the Add VPN Connection window.
[Screenshot: Network Editor. "Give networks and subnetworks custom names. You can later use the names when creating rules." Defined networks: ZYWALL 192.168.1.0; Network name, IP address 192.168.1.0, Subnet mask; New / Remove / OK / Cancel.]
10. Choose P-202H Plus v2 as the Authentication Key. Then click OK to save.
352. utside access. In previous ZyNOS versions that supported SUA, visible servers had to be of different types. The P-202H Plus v2 supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The P-202H Plus v2 312 supports 2 sets, since there is only one remote node. The default SUA (Read Only) set in menu 15.1 is a convenient, pre-configured, read-only Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions.
• SMT Menus
1. Applying NAT in the SMT Menus
2. Configuring NAT
3. Address Mapping Sets and NAT Server Sets
1. Applying NAT in the SMT Menus
You apply NAT via menus 4 and 11.3, as displayed next. The next figure shows how you apply NAT for Internet access in menu 4. Enter 4 from the Main Menu to go to Menu 4 - Internet Access Setup.
Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Pri Phone= 1234
  Sec Phone=
  My Login= ChangeMe
  My Password=
  My WAN IP Addr= 0.0.0.0
  NAT= SUA Only
    Address Mapping Set= N/A
  Telco Options:
    Transfer Type= 64K
    Multilink= Off
    Idle Timeout= 100
  Press ENTER to Confirm or ESC to Cancel
The following figure shows how you apply NAT to the remote node in menu 11.1.
Menu 11.3 - Remote Node Network Layer Options
  Rem IP Addr= 0.0.0.0
  Rem Subnet Mask= 0.0.0.0
353. v2 A. Secure Gateway IP Addr is the remote secure gateway IP, that is, P-202H Plus v2 B's WAN IP in this example.
10. Set the Encapsulation Mode to Tunnel.
11. Check the ESP check box. AH cannot be used in the SUA/NAT case.
12. Set the Encryption Algorithm to DES and the Authentication Algorithm to MD5, as we configured in P-202H Plus v2 B.
13. Enter the key string 12345678 in the Preshared Key text box and click Apply.
[Screenshot: ZyXEL web configurator, Advanced Setup > VPN > IKE > IPSec Setup. Active checked; Name PrestigeA; IPSec Key Mode IKE; Negotiation Mode Main; Local Address Type Single, IP Address Start (PC IP), Subnet Mask 0.0.0.0; Remote Address Type Single, IP Address Start <PC2 IP>, Subnet Mask 0.0.0.0; Local ID Type IP, Content 0.0.0.0; My IP Address <A WAN IP>; Peer ID Type IP, Content 0.0.0.0; Secure Gateway IP Address <B WAN IP>; Encapsulation Mode Tunnel; VPN Protocol ESP; Pre-Shared Key 12345678; Encryption Algorithm DES; Authentication Algorithm MD5.]
If you use SMT management, the VPN configurations are as shown below.
354.
Please note that the fields in this menu are read-only. However, the settings of server set 1 can be modified in menu 15.2.1.
Now let's look at Option 1 in Menu 15.1. Enter 1 to bring up this menu.
Menu 15.1.1 - Address Mapping Rules
  Set Name=
  Idx  Local Start IP  Local End IP  Global Start IP  Global End IP  Type
  ---  --------------  ------------  ---------------  -------------  ----
  Action= Edit     Select Rule= 0
  Press ENTER to Confirm or ESC to Cancel
We will just look at the differences from the previous menu. Note that this screen is not read-only, so we have the extra Action and Select Rule fields. Note also that the mark in the Set Name field means that this is a required field and you must enter a name for the set. The description of the other fields is as described above. The Type, Local and Global Start/End IPs are configured in Menu 15.1.1 (described later) and the values are displayed here.
Field: Set Name
  Description: Enter a name for this set of rules. This is a required field. Please note that if this field is left blank, the entire set will be deleted.
  Option: Rule1
Field: Action
  Description: There are 4 actions. The default is Edit. Edit means you want to edit a selected rule (see the following field). Insert Before means to insert a new rule before the selected rule; the rule after the selected rule will then be moved down by one rule. Delete means to delete the
  Option: Edit, Insert Before, Delete
355. version V3.50 or later has the VPN capability. If your P-202H Plus v2 is capable of VPN, you can find the VPN options in the Advanced > VPN tab. For configuring a box-to-box VPN there are some tips:
1. If there is a NAT router running in front of the P-202H Plus v2, please make sure the NAT router supports IPSec pass-through.
2. In the NAT case, whether NAT runs on the front-end router or in the P-202H Plus v2 VPN box itself, only IPSec ESP tunnel mode is supported, since NAT is incompatible with AH mode.
3. Source IP / Destination IP: please do not number the local and remote LANs using the same exact range of private IP addresses. This would make the VPN destination addresses and the local LAN addresses indistinguishable, and VPN will not work.
4. Secure Gateway IP Address: this must be a public, routable IP address; a private IP is not allowed. That means it cannot be in the 10.x.x.x subnet, the 192.168.x.x subnet, nor in the range 172.16.0.0 - 172.31.255.255; these address ranges are reserved by Internet standard for private LAN numbering behind NAT devices. It is usually a static IP, so that we can pre-configure it in the P-202H Plus v2 for making VPN connections. If it is a dynamic IP given by the ISP, you can still configure this IP address after the remote P-202H Plus v2 is on line and its WAN IP is available from the ISP.
7. Does P-202H Plus v2 support dynamic secure gateway IP?
If the remote VPN gateway uses a dynamic IP, we enter 0.0.0.0 as the Secure Gateway IP A
356. wall
[Screenshot: ZyXEL web configurator, VPN > IKE Advanced Setup. Protocol; Enable Replay Detection; Local Start Port; Remote Start Port; Phase 1: Negotiation Mode Main, Pre-Shared Key, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds), Key Group DH1; Phase 2: Active Protocol ESP, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds), Encapsulation Tunnel, Perfect Forward Secrecy (PFS) NONE.]
2. The second rule in Branch B
This rule is for branch office B to access branch office A.
[Screenshot: ZyXEL web configurator, VPN > IKE > IPSec Setup. Active checked; Name Branch_B; IPSec Key Mode IKE; Negotiation Mode Main; Local Address Type Range, starting at 192.168.2.0; Remote Address Type Range, starting at 192.168.3.0; VPN Protocol ESP.]
357. work Director Number  RFC1717
• PPP LCP CALLBACK OPERATION FIELDS
The Point-to-Point Protocol (PPP) Link Control Protocol (LCP) Callback Configuration Option contains an 8-bit Operations field which identifies the format of the Message. These are assigned as follows:
  Operation  Description
  0          Location determined by user authentication
  1          Dialing string
  2          Location identifier
  3          E.164 number
  4          X.500 distinguished name
  5          unassigned
  6          Location is determined during CBCP negotiation
• PPP IPCP CONFIGURATION OPTION TYPES
The Point-to-Point Protocol (PPP) Internet Protocol Control Protocol (IPCP) specifies a number of Configuration Options which are distinguished by an 8-bit Type field. These Types are assigned as follows:
  Type  Configuration Option             Reference
  1     IP-Addresses (deprecated)        RFC1332
  2     IP-Compression-Protocol          RFC1332
  3     IP-Address                       RFC1332
  4     Mobile-IPv4                      RFC2290
  129   Primary DNS Server Address       RFC1877
  130   Primary NBNS Server Address      RFC1877
  131   Secondary DNS Server Address     RFC1877
  132   Secondary NBNS Server Address    RFC1877
• PPP ATCP CONFIGURATION OPTION TYPES
The Point-to-Point Protocol (PPP) AppleTalk Control Protocol (ATCP) specifies a number of Configuration Options (RFC 1378) which are distinguished by an 8-bit Type field. These Types are assigned as follows:
  Type  Configuration Option
        Apple Ta
358. xchange the management information between network devices, e.g. routers. By using SNMP, network administrators can more easily manage network performance and find and solve network problems. SNMP is a member of the TCP/IP protocol suite; it uses UDP to exchange messages between a management client and an agent residing in a network node.
There are two versions of SNMP, Version 1 and Version 2. ZyXEL supports SNMPv1. Most of the changes introduced in Version 2 increase SNMP's security capabilities. SNMP encompasses three main areas:
1. A small set of management operations
2. Definitions of management variables
3. Data representation
The operations allowed are Get, GetNext, Set and Trap. These functions operate on variables that exist in network nodes. Examples of variables include statistic counters, node port status, and so on. All of the SNMP management functions are carried out through these simple operations. No action operations are available, but these can be simulated by the setting of flag variables. For example, to reset a node, a counter variable named "time to reset" could be set to a value, causing the node to reset after the time had elapsed.
SNMP variables are defined using the OSI Abstract Syntax Notation One (ASN.1). ASN.1 specifies how a variable is encoded in a transmitted data frame; it is very powerful because the encoded data is self-defining. For example, the encoding of a text string includes an indication tha
359. y default. After uploading the ROMFILE, the default system password is 1234.
10. What is SUA? When should I use SUA?
SUA (Single User Account) is a unique feature supported by the P-202H Plus v2 router which allows multiple people to access the Internet concurrently for the cost of a single user account. When the P-202H Plus v2, acting as SUA, receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet header with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool. It then recomputes the appropriate header checksums and forwards the packet to the Internet as if it originated from the P-202H Plus v2, using the IP address assigned by the ISP. When reply packets from the external Internet are received by the P-202H Plus v2, the original IP source address and TCP/UDP source port numbers are written into the destination fields of the packet (since it is now moving in the opposite direction), the checksums are recomputed, and the packet is delivered to its true destination. This is possible because SUA keeps a table of the IP addresses and port numbers of the local systems currently using it.
11. What is the difference between NAT and SUA?
NAT is a generic name defined in RFC 1631, The IP Network Address Translator (NAT). SUA (Internet Single User Account) is ZyXEL's implementation and trade name for functioning as PAT (Port Address Translation), which is a specific type
360.
2. Setup P-202H Plus v2 VPN
1. Using a web browser, log in to the P-202H Plus v2 by giving the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1; the default password to log in to the web configurator is 1234.
2. Click Advanced and click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE IKE menu, check the Active check box and give a name to this policy.
5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in Soft-PK.
6. Source IP Address Start and Source IP Address End are PC 2's IP in this example (the secure host behind the P-202H Plus v2).
7. Destination IP Address Start and Destination IP Address End are PC 1 in this example (the secure remote host). Note: you may assign a range of Source/Destination IP addresses for multiple VPN sessions.
8. My IP Addr is the WAN IP of the P-202H Plus v2.
9. Secure Gateway IP Addr is the remote secure gateway IP, that is, PC 1 in this example.
10. Set the Encapsulation Mode to Tunnel.
11. Check the ESP check box. AH cannot be used in the SUA/NAT case.
12. Set the Encryption Algorithm to DES and the Authentication Algorithm to SHA1, as we configured in Soft-PK.
13. Enter the key string 12345678 in the Preshared Key text box and click Apply.
Figure 8. See the VPN rule screen shot.
