Parental control allows you to block web sites by their URLs. You can also define time
periods and days during which the Device performs parental control on a specific user.
17.2 The Parental Control Screen
Use this screen to enable parental control and to view the parental control rules and schedules.
Click Security > Parental Control to open the following screen.
Figure 124 Security > Parental Control
The following table describes the fields in this screen.
Table 93 Security > Parental Control
LABEL: DESCRIPTION
Parental Control: Select Enable to activate parental control.
Add new PCP: Click this if you want to configure a new parental control rule.
#: This shows the index number of the rule.
Status: This indicates whether the rule is active or not. A yellow bulb signifies that this rule is active. A gray bulb signifies that this rule is not active.
PCP Name: This shows the name of the rule.
Home Network User (MAC): This shows the MAC address of the LAN user's computer to which this rule applies.
Internet Access Schedule: This shows the day(s) and time on which parental control is enabled.
Network Service: This shows whether the network service is configured. If not, None will be shown.
Website Block: This shows whether the website block is configured. If not, None will be shown.
Modify: Click the Edit icon to go to the screen where you can edit the rule. Click the Delete icon to delete an existing rule.
Apply: Click Apply to save your changes.
Cancel: Click Cancel to restore your previously saved settings.
VMG8324-B10A / VMG8324-B30A Series User's Guide 207
Chapter 17 Parental Control
17.2.1 Add/Edit a Parental Control Rule
Click Add new PCP in the Parental Control screen to add a new rule or click the Edit icon next to
an existing rule to edit it. Use this screen to configure a restricted access schedule and/or URL
filtering settings to block the users on your network from accessing certain web sites.
Figure 125 Parental Control Rule: Add/Edit
The following table describes the fields in this screen.
Table 94 Parental Control Rule: Add/Edit
LABEL: DESCRIPTION
General
Active: Select the checkbox to activate this parental control rule.
Parental Control Profile Name: Enter a descriptive name for the rule.
Home Network User: Select the LAN user that you want to apply this rule to from the drop-down list box. If you select Custom, enter the LAN user's MAC address. If you select All, the rule applies to all LAN users.
Internet Access Schedule
Day: Select check boxes for the days that you want the Device to perform parental control.
Time: Drag the time bar to define the time that the LAN user is allowed access.
Network Service
Network Service Setting: If you select Block, the Device prohibits the users from viewing the Web sites with the URLs listed below. If you select Allow, the Device blocks access to all URLs except ones listed below.
Add new service: Click this to show a screen in which you can add a new service rule. You can configure the Service Name, Protocol, and Name of the new rule.
#: This shows the index number of the rule. Select the checkbox next to the rule to activate it.
Service Name: This shows the name of the rule.
Protocol:Port: This shows the protocol and the port of the rule.
Modify: Click the Edit icon to go to the screen where you can edit the rule. Click the Delete icon to delete an existing rule.
Blocked Site/URL Keyword: Click Add to show a screen to enter the URL of a web site or a URL keyword to which the Device blocks access. Click Delete to remove it.
Apply: Click this button to save your settings back to the Device.
Cancel: Click Cancel to restore your previously saved settings.
CHAPTER 18 Scheduler Rule
18.1 Overview
You can define time periods and days during which the Device performs scheduled rules of certain
features (such as Firewall Access Control) in the Scheduler Rule screen.
18.2 The Scheduler Rule Screen
Use this screen to view, add, or edit time schedule rules.
Click Security > Scheduler Rule to open the following screen.
Figure 126 Security > Scheduler Rule
The following table describes the fields in this screen.
Table 95 Security > Scheduler Rule
LABEL: DESCRIPTION
Add new rule: Click this to create a new rule.
#: This is the index number of the entry.
Rule Name: This shows the name of the rule.
Day: This shows the day(s) on which this rule is enabled.
Time: This shows the period of time during which this rule is enabled.
Description: This shows the description of this rule.
Modify: Click the Edit icon to edit the schedule. Click the Delete icon to delete a scheduler rule.
Note: You cannot delete a scheduler rule once it is applied to a certain feature.
Chapter 18 Scheduler Rule
18.2.1 Add/Edit a Schedule
Click the Add button in the Scheduler Rule screen or click the Edit icon next to a schedule rule to
open the following screen. Use this screen to configure a restricted access schedule.
Figure 127 Scheduler Rule: Add/Edit
The following table describes the fields in this screen.
Table 96 Scheduler Rule: Add/Edit
LABEL: DESCRIPTION
Rule Name: Enter a name (up to 31 printable English keyboard characters, not including spaces) for this schedule.
Day: Select check boxes for the days that you want the Device to perform this scheduler rule.
Time of Day Range: Enter the time period of each day, in 24-hour format, during which the rule will be enforced.
Description: Enter a description for this scheduler rule.
Apply: Click Apply to save your changes.
Cancel: Click Cancel to exit this screen without saving.
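The schedule semantics shared by the Parental Control Rule screen (Day and Time, Home Network User, the Block/Allow site list) and the Scheduler Rule screen (Day, Time of Day Range in 24-hour format), written out as a small evaluator. This is an added Go example, not ZyXEL's firmware code: the type and function names are mine, the time window is treated as the period during which the rule is enforced with an exclusive end, and URL keyword entries are matched as case-insensitive substrings. The guide does not specify those details, so treat them as assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Schedule is what the Day check boxes and the Time of Day Range field express: the weekdays
// on which a rule is active and one 24-hour window per day, given as "HH:MM-HH:MM".
type Schedule struct {
	Days  map[time.Weekday]bool
	Start int // minutes after midnight, inclusive
	End   int // minutes after midnight, exclusive (assumption)
}

// ParseTimeRange parses "HH:MM-HH:MM" (24-hour format) into minutes after midnight. The
// window must end after it starts, since the guide describes it as "the time period of each day".
func ParseTimeRange(s string) (start, end int, err error) {
	var h1, m1, h2, m2 int
	if _, err = fmt.Sscanf(s, "%d:%d-%d:%d", &h1, &m1, &h2, &m2); err != nil {
		return 0, 0, fmt.Errorf("time range %q is not HH:MM-HH:MM: %w", s, err)
	}
	if h1 < 0 || h1 > 23 || m1 < 0 || m1 > 59 || h2 < 0 || h2 > 24 || m2 < 0 || m2 > 59 {
		return 0, 0, fmt.Errorf("time range %q has an hour or minute out of range", s)
	}
	start, end = h1*60+m1, h2*60+m2
	if end <= start {
		return 0, 0, fmt.Errorf("time range %q must end after it starts", s)
	}
	return start, end, nil
}

// NewSchedule builds a Schedule from the selected days and the time range string.
func NewSchedule(days []time.Weekday, timeRange string) (Schedule, error) {
	start, end, err := ParseTimeRange(timeRange)
	if err != nil {
		return Schedule{}, err
	}
	s := Schedule{Days: map[time.Weekday]bool{}, Start: start, End: end}
	for _, d := range days {
		s.Days[d] = true
	}
	return s, nil
}

// Active reports whether the schedule is in force at the given instant.
func (s Schedule) Active(at time.Time) bool {
	if !s.Days[at.Weekday()] {
		return false
	}
	now := at.Hour()*60 + at.Minute()
	return now >= s.Start && now < s.End
}

// ParentalRule models one Parental Control Profile: the LAN user it applies to, when it is
// enforced, and the Blocked Site / URL Keyword list read in Block or Allow mode.
type ParentalRule struct {
	Name     string
	UserMAC  string   // a MAC address, or "All" for every LAN user
	Schedule Schedule
	SiteMode string   // "Block": deny the listed sites; "Allow": deny everything except them
	Sites    []string // URL or keyword entries, matched as case-insensitive substrings (assumption)
}

// Blocked reports whether a request from the LAN user with MAC address mac for url at time at
// is denied by this rule.
func (r ParentalRule) Blocked(mac, url string, at time.Time) bool {
	if r.UserMAC != "All" && !strings.EqualFold(r.UserMAC, mac) {
		return false // the rule is for another user
	}
	if !r.Schedule.Active(at) {
		return false // outside the scheduled days or time window
	}
	listed := false
	for _, entry := range r.Sites {
		if strings.Contains(strings.ToLower(url), strings.ToLower(entry)) {
			listed = true
			break
		}
	}
	if r.SiteMode == "Allow" {
		return !listed // only the listed sites stay reachable
	}
	return listed // Block mode: the listed sites are denied
}

func main() {
	weekdays := []time.Weekday{time.Monday, time.Tuesday, time.Wednesday, time.Thursday, time.Friday}
	sched, err := NewSchedule(weekdays, "08:00-17:00")
	if err != nil {
		panic(err)
	}
	// Constructed sample rule: one laptop, weekdays during school hours, example.com blocked.
	rule := ParentalRule{Name: "kids-laptop", UserMAC: "00:11:22:33:44:55", Schedule: sched, SiteMode: "Block", Sites: []string{"example.com"}}
	at := time.Date(2024, time.January, 8, 9, 30, 0, 0, time.UTC) // a Monday
	fmt.Println("blocked:", rule.Blocked("00:11:22:33:44:55", "http://www.example.com/games", at))
}
```

The Allow branch is the one worth testing before relying on it: with Allow selected, every site that is not on the list is denied during the window, so an empty list blocks all web access for that user while the schedule is active.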
CHAPTER 19 Certificates
19.1 Overview
The Device can use certificates (also called digital IDs) to authenticate users. Certificates are based
on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
Certificates provide a way to exchange public keys for use in authentication.
19.1.1 What You Can Do in this Chapter
• The Local Certificates screen lets you generate certification requests and import the Device's CA-signed certificates (Section 19.4 on page 216).
• The Trusted CA screen lets you save the certificates of trusted CAs to the Device (Section 19.4 on page 216).
19.2 What You Need to Know
The following terms and concepts may help as you read through this chapter.
Certification Authority
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate
owner. There are commercial certification authorities like CyberTrust or VeriSign and government
certification authorities. The certification authority uses its private key to sign certificates. Anyone
can then use the certification authority's public key to verify the certificates. You can use the Device
to generate certification requests that contain identifying information and public keys and then send
the certification requests to a certification authority.
19.3 The Local Certificates Screen
Click Security > Certificates to open the Local Certificates screen. This is the Device's summary
list of certificates and certification requests.
Figure 128 Security > Certificates > Local Certificates
Chapter 19 Certificates
The following table describes the labels in this screen.
Table 97 Security > Certificates > Local Certificates
LABEL: DESCRIPTION
Private Key is protected by a password: Select the checkbox and enter the private key into the text box to store it on the Device. The private key should not exceed 63 ASCII characters (not including spaces).
Browse...: Click this to find the certificate file you want to upload.
Import Certificate: Click this button to save the certificate that you have enrolled from a certification authority from your computer to the Device.
Create Certificate Request: Click this button to go to the screen where you can have the Device generate a certification request.
Current File: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Modify: Click the View icon to open a screen with an in-depth list of information about the certificate (or certification request). For a certification request, click Load Signed to import the signed certificate. Click the Remove icon to delete the certificate (or certification request). You cannot delete a certificate that one or more features is configured to use.
19.3.1 Create Certificate Request
Click Security > Certificates > Local Certificates and then Create Certificate Request to
open the following screen. Use this screen to have the Device generate a certification request.
Figure 129 Create Certificate Request
The following table describes the labels in this screen.
Table 98 Create Certificate Request
LABEL: DESCRIPTION
Certificate Name: Type up to 63 ASCII characters (not including spaces) to identify this certificate.
Common Name: Select Auto to have the Device configure this field automatically. Or select Customize to enter it manually. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 63 ASCII characters. The domain name or e-mail address is for identification purposes only and can be any string.
Organization Name: Type up to 63 characters to identify the company or group to which the certificate owner belongs. You may use any character, including spaces, but the Device drops trailing spaces.
State/Province Name: Type up to 32 characters to identify the state or province where the certificate owner is located. You may use any character, including spaces, but the Device drops trailing spaces.
Country/Region Name: Select a country to identify the nation where the certificate owner is located.
Apply: Click Apply to save your changes.
Cancel: Click Cancel to exit this screen without saving.
After you click Apply, the following screen displays to notify you that you need to get the certificate
request signed by a Certificate Authority. If you already have, click Load_Signed to import the
signed certificate into the Device. Otherwise click Back to return to the Local Certificates screen.
Figure 130 Certificate Request Created
19.3.2 Load Signed Certificate
After you create a certificate request and have it signed by a Certificate Authority, in the Local
Certificates screen click the certificate request’s Load Signed icon to import the signed certificate
into the Device.
Note: You must remove any spaces from the certificate's filename before you can import it.
Figure 131 Load Signed Certificate
The following table describes the labels in this screen.
Table 99 Load Signed Certificate
LABEL: DESCRIPTION
Certificate Name: This is the name of the signed certificate.
Certificate: Copy and paste the signed certificate into the text box to store it on the Device.
Apply: Click Apply to save your changes.
Cancel: Click Cancel to exit this screen without saving.
19.4 The Trusted CA Screen
Click Security > Certificates > Trusted CA to open the following screen. This screen displays a
summary list of certificates of the certification authorities that you have set the Device to accept as
trusted. The Device accepts any valid certificate signed by a certification authority on this list as
being trustworthy; thus you do not need to import any certificate that is signed by one of these
certification authorities.
Figure 132 Security > Certificates > Trusted CA
The following table describes the fields in this screen.
Table 100 Security > Certificates > Trusted CA
LABEL: DESCRIPTION
Import Certificate: Click this button to open a screen where you can save the certificate of a certification authority that you trust to the Device.
#: This is the index number of the entry.
Name: This field displays the name used to identify this certificate.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), OU (Organizational Unit or department), Organization (O), State (ST) and Country (C). It is recommended that each certificate have unique subject information.
Type: This field displays general information about the certificate. ca means that a Certification Authority signed the certificate.
Modify: Click the View icon to open a screen with an in-depth list of information about the certificate (or certification request). Click the Remove button to delete the certificate (or certification request). You cannot delete a certificate that one or more features is configured to use.
19.4.1 View Trusted CA Certificate
Click the View icon in the Trusted CA screen to open the following screen. Use this screen to view
in-depth information about the certification authority’s certificate.
Figure 133 Trusted CA: View
The following table describes the fields in this screen.
Table 101 Trusted CA: View
LABEL: DESCRIPTION
Name: This field displays the identifying name of this certificate.
Type: This field displays general information about the certificate. ca means that a Certification Authority signed the certificate.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Certificate: This read-only text box displays the certificate in Privacy Enhanced Mail (PEM) format. PEM uses base 64 to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
Back: Click Back to return to the previous screen.
19.4.2 Import Trusted CA Certificate
Click the Import Certificate button in the Trusted CA screen to open the following screen. The
Device trusts any valid certificate signed by any of the imported trusted CA certificates.
Figure 134 Trusted CA: Import Certificate
The following table describes the fields in this screen.
Table 102 Trusted CA: Import Certificate
LABEL: DESCRIPTION
Certificate File Path: Type in the location of the certificate you want to upload in this field or click Browse... to find it.
Enable Trusted CA for 802.1x Authentication: If you select this checkbox, the trusted CA will be used for 802.1x authentication. The selected trusted CA will be displayed in the Network Setting > Broadband > 802.1x: Edit screen.
Certificate: Copy and paste the certificate into the text box to store it on the Device.
OK: Click OK to save your changes.
Cancel: Click Cancel to exit this screen without saving.
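How the three certificate screens of this chapter fit together, as an added Go example built on the standard crypto/x509 package; it is not the Device's own code. A constructed CA stands in for a certificate imported on the Trusted CA screen, RequestAndSign plays the Create Certificate Request and Load Signed steps with the Common Name, Organization, State/Province and Country fields, TrustedBy applies the rule that any valid certificate signed by an imported CA is accepted, and ValidityStatus reproduces the Not Yet Valid!, Expiring! and Expired! labels of the Local Certificates screen. The function names, the "Example Org" subject values and the 30-day Expiring! threshold are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidityStatus reproduces the Valid From / Valid To labels of the Local Certificates
// screen; the Expiring! threshold warnDays is an assumption the guide does not state.
func ValidityStatus(cert *x509.Certificate, now time.Time, warnDays int) string {
	switch {
	case now.Before(cert.NotBefore):
		return "Not Yet Valid!"
	case now.After(cert.NotAfter):
		return "Expired!"
	case cert.NotAfter.Sub(now) < time.Duration(warnDays)*24*time.Hour:
		return "Expiring!"
	}
	return "OK"
}

// NewCA makes a constructed self-signed CA, the kind of certificate imported on the Trusted CA screen.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name, Organization: []string{"Example Org"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// RequestAndSign covers Create Certificate Request, the CA's signing step and Load Signed: build a
// request with the Common Name, Organization, State/Province and Country fields, check that the
// requester holds the private key, then have the CA issue the certificate.
func RequestAndSign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn, org, state, country string,
	notBefore, notAfter time.Time) (*x509.Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: cn, Organization: []string{org}, Province: []string{state}, Country: []string{country}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, devKey)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustedBy applies the Trusted CA rule: accept a certificate only if it chains to a CA in the pool and is valid at time now.
func TrustedBy(leaf *x509.Certificate, trusted *x509.CertPool, now time.Time) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	ca, caKey, err := NewCA("Example Trusted CA")
	if err != nil {
		panic(err)
	}
	now := time.Now()
	leaf, err := RequestAndSign(ca, caKey, "vmg.example.lan", "Example Org", "Example State", "US", now.Add(-time.Hour), now.Add(20*24*time.Hour))
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println("trusted:", TrustedBy(leaf, pool, now), "status:", ValidityStatus(leaf, now, 30))
}
```

The point to take from TrustedBy is the one the Trusted CA screen relies on: the pool, not the individual leaf certificate, decides what the Device accepts, so a certificate from a CA that is not imported fails even though it is otherwise well formed, and an imported CA vouches for every certificate it has issued.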
CHAPTER 20 VPN
20.1 Overview
A virtual private network (VPN) provides secure communications over the Internet. Internet
Protocol Security (IPSec) is a standards-based VPN that provides confidentiality, data integrity, and
authentication. This chapter shows you how to configure the Device's VPN settings.
20.2 The IPSec VPN General Screen
Use this screen to view and manage your VPN tunnel policies. The following figure helps explain the
main fields in the web configurator.
Figure 135 IPSec Fields Summary
Click Security > IPSec VPN to open this screen as shown next.
Figure 136 Security > IPSec VPN
Chapter 20 VPN
This screen contains the following fields:
Table 103 Security > IPSec VPN
LABEL: DESCRIPTION
Add New Connection: Click this button to add an item to the list.
#: This displays the index number of an entry.
Status: This displays whether the VPN policy is enabled (Enable) or not (Disable).
Connection Name: The name of the VPN policy.
Remote Gateway: This is the IP address of the remote IPSec router in the IKE SA.
Local Addresses: This displays the IP address(es) on the LAN behind your Device.
Remote Addresses: This displays the IP address(es) on the LAN behind the remote IPSec router.
Delete: Click the Edit icon to modify the VPN policy. Click the Delete icon to delete the VPN policy.
20.3 The IPSec VPN Add/Edit Screen
Use these settings to add or edit VPN policies. Click the Add New Connection button in the
Security > VPN screen to open this screen as shown next.
Figure 137 Security > IPSec VPN: Add/Edit
This screen contains the following fields:
Table 104 Security > IPSec VPN: Add/Edit
LABEL: DESCRIPTION
Active: Select this to activate this VPN policy.
IPSec Connection Name: Enter the name of the VPN policy.
Remote IPSec Gateway Address: Enter the IP address of the remote IPSec router in the IKE SA.
Tunnel access from local IP addresses: Select Single Address to have only one local LAN IP address use the VPN tunnel. Select Subnet to specify local LAN IP addresses by their subnet mask.
IP Address for VPN: If Single Address is selected, enter a (static) IP address on the LAN behind your Device. If Subnet is selected, specify IP addresses on a network by their subnet mask by entering a (static) IP address on the LAN behind your Device. Then enter the subnet mask to identify the network address.
IP Subnetmask: If Subnet is selected, enter the subnet mask to identify the network address.
Tunnel access from remote IP addresses: Select Single Address to have only one remote LAN IP address use the VPN tunnel. Select Subnet to specify remote LAN IP addresses by their subnet mask.
IP Address for VPN: If Single Address is selected, enter a (static) IP address on the LAN behind the remote IPSec router. If Subnet is selected, specify IP addresses on a network by their subnet mask by entering a (static) IP address on the LAN behind the remote IPSec router. Then enter the subnet mask to identify the network address.
IP Subnetmask: If Subnet is selected, enter the subnet mask to identify the network address.
Protocol: Select which protocol you want to use in the IPSec SA. Choices are:
AH (RFC 2402) - provides integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not encryption. If you select AH, you must select an Integrity Algorithm.
ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, you must select an Encryption Algorithm and an Integrity Algorithm.
Both AH and ESP increase processing requirements and latency (delay). The Device and remote IPSec router must use the same active protocol.
Key Exchange Method: Select the key exchange method:
Auto(IKE) - Select this to use automatic IKE key management for the VPN connection policy.
Manual - Select this option to configure a VPN connection policy that uses a manual key instead of IKE key management. This may be useful if you have problems with IKE key management.
Note: Only use manual key as a temporary solution, because it is not as secure as a regular IPSec SA.
Authentication Method: Select Pre-Shared Key to use a pre-shared key for authentication, and type in your pre-shared key. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
Select Certificate (X.509) to use a certificate for authentication.
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself.
Local ID Type: Select IP to identify the Device by its IP address.
Select E-mail to identify this Device by an e-mail address.
Select DNS to identify this Device by a domain name.
Select ASN1DN (Abstract Syntax Notation one - Distinguished Name) to identify this Device by the subject field in a certificate. This is used only with certificate-based authentication.
Local ID Content: When you select IP in the Local ID Type field, type the IP address of your computer in this field. If you configure this field to 0.0.0.0 or leave it blank, the Device automatically uses the Pre-Shared Key (refer to the Pre-Shared Key field description).
It is recommended that you type an IP address other than 0.0.0.0 in this field or use the DNS or E-mail type in the following situations:
• When there is a NAT router between the two IPSec routers.
• When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses.
When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this Device in this field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
Remote ID Type: Select IP to identify the remote IPSec router by its IP address.
Select E-mail to identify the remote IPSec router by an e-mail address.
Select DNS to identify the remote IPSec router by a domain name.
Select ASN1DN to identify the remote IPSec router by the subject field in a certificate. This is used only with certificate-based authentication.
Remote ID Content: The configuration of the remote content depends on the remote ID type.
For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the Device will use the address in the Remote IPSec Gateway Address field (refer to the Remote IPSec Gateway Address field description).
For DNS or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations:
• When there is a NAT router between the two IPSec routers.
• When you want the Device to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses.
Advanced IKE Settings: Click more to display advanced settings. Click less to display basic settings only.
NAT_Traversal: Select Enable if you want to set up a VPN tunnel when there are NAT routers between the Device and the remote IPSec router. The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward UDP port 500 packets to the remote IPSec router behind the NAT router. Otherwise, select Disable.
Phase 1
Mode: Select the negotiation mode to use to negotiate the IKE SA. Choices are:
Main - this encrypts the Device's and remote IPSec router's identities but takes more time to establish the IKE SA.
Aggressive - this is faster but does not encrypt the identities.
The Device and the remote IPSec router must use the same negotiation mode.
Encryption Algorithm: Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES-128 - a 128-bit key with the AES encryption algorithm
AES-192 - a 192-bit key with the AES encryption algorithm
AES-256 - a 256-bit key with the AES encryption algorithm
The Device and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput.
Integrity Algorithm: Select which hash algorithm to use to authenticate packet data. Choices are MD5 and SHA1. SHA is generally considered stronger than MD5, but it is also slower.
Select Diffie-Hellman Group for Key Exchange: Select which Diffie-Hellman key group you want to use for encryption keys. Choices for the number of bits in the random number are: 768, 1024, 1536, 2048, 3072, 4096. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
Key Life Time: Define the length of time before an IPSec SA automatically renegotiates in this field. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Phase 2
Encryption Algorithm: Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES-128 - a 128-bit key with the AES encryption algorithm
AES-192 - a 192-bit key with the AES encryption algorithm
AES-256 - a 256-bit key with the AES encryption algorithm
Select ESP_NULL to set up a tunnel without encryption. When you select ESP_NULL, you do not enter an encryption key.
The Device and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput.
Integrity Algorithm: Select which hash algorithm to use to authenticate packet data. Choices are MD5 and SHA1. SHA is generally considered stronger than MD5, but it is also slower.
Perfect Forward Secrecy (PFS): Select whether or not you want to enable Perfect Forward Secrecy (PFS). PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. Choices are:
None - do not use any random number.
768bit(DH Group1) - use a 768-bit random number
1024bit(DH Group2) - use a 1024-bit random number
1536bit(DH Group5) - use a 1536-bit random number
2048bit(DH Group14) - use a 2048-bit random number
3072bit(DH Group15) - use a 3072-bit random number
4096bit(DH Group16) - use a 4096-bit random number
Key Life Time: Define the length of time before an IPSec SA automatically renegotiates in this field. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
The following fields are available if you select Manual in the Key Exchange Method field.
Encryption Algorithm: Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
ESP_NULL - no encryption key or algorithm
Encryption Key: This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm.
DES - type a unique key 16 hexadecimal characters long
3DES - type a unique key 48 hexadecimal characters long
Authentication Algorithm: Select which hash algorithm to use to authenticate packet data. Choices are MD5 and SHA1. SHA is generally considered stronger than MD5, but it is also slower.
Authentication Key: Enter the authentication key, which depends on the authentication algorithm.
MD5 - type a unique key 32 hexadecimal characters long
SHA1 - type a unique key 40 hexadecimal characters long
SPI: Type a unique SPI (Security Parameter Index) in hexadecimal characters. The SPI is used to identify the Device during authentication. The Device and remote IPSec router must use the same SPI.
OK: Click OK to save your changes.
Cancel: Click Cancel to restore your previously saved settings.
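The input rules that Table 104 states for the Pre-Shared Key, manual-mode Encryption Key, Authentication Key and SPI fields, as an added Go validator; it is not ZyXEL's code and the function names are mine. It applies the lengths given above (8 to 31 ASCII characters, or 0x followed by 16 to 62 hex characters with the prefix not counted; DES 16, 3DES 48, MD5 32 and SHA1 40 hex characters; no key for ESP_NULL). The 32-bit limit on the SPI comes from the AH and ESP RFCs the table cites; accepting lower-case hex digits and any printable ASCII in the pre-shared key are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// isHex reports whether s is non-empty and made only of 0-9, A-F or a-f (lower case is an assumption).
func isHex(s string) bool {
	if s == "" {
		return false
	}
	for _, c := range s {
		if !strings.ContainsRune("0123456789ABCDEFabcdef", c) {
			return false
		}
	}
	return true
}

// ValidatePreSharedKey enforces the Pre-Shared Key row: 8 to 31 ASCII characters, or "0x"
// followed by 16 to 62 hexadecimal characters, where the "0x" prefix is not counted.
func ValidatePreSharedKey(psk string) error {
	if strings.HasPrefix(psk, "0x") {
		body := psk[2:]
		if len(body) < 16 || len(body) > 62 {
			return fmt.Errorf("hexadecimal pre-shared key needs 16 to 62 hex characters after 0x, got %d", len(body))
		}
		if !isHex(body) {
			return fmt.Errorf("pre-shared key after 0x must contain only 0-9 and A-F")
		}
		return nil
	}
	if len(psk) < 8 || len(psk) > 31 {
		return fmt.Errorf("ASCII pre-shared key needs 8 to 31 characters, got %d", len(psk))
	}
	for i := 0; i < len(psk); i++ {
		if psk[i] < 0x20 || psk[i] > 0x7e { // printable ASCII only (assumption)
			return fmt.Errorf("pre-shared key byte %d is not printable ASCII", i)
		}
	}
	return nil
}

// manualKeyHexLen is the key length in hex characters required for each manual-mode algorithm.
var manualKeyHexLen = map[string]int{"DES": 16, "3DES": 48, "ESP_NULL": 0, "MD5": 32, "SHA1": 40}

// ValidateManualKey checks one manual-mode Encryption Key or Authentication Key against its algorithm.
func ValidateManualKey(algorithm, key string) error {
	want, ok := manualKeyHexLen[algorithm]
	if !ok {
		return fmt.Errorf("unknown manual-mode algorithm %q", algorithm)
	}
	if want == 0 { // ESP_NULL: no encryption key or algorithm
		if key != "" {
			return fmt.Errorf("%s takes no key", algorithm)
		}
		return nil
	}
	if len(key) != want || !isHex(key) {
		return fmt.Errorf("%s key must be exactly %d hexadecimal characters", algorithm, want)
	}
	return nil
}

// ValidateSPI checks that the SPI is hexadecimal and fits the 32-bit SPI field that
// AH (RFC 2402) and ESP (RFC 2406) carry in every packet.
func ValidateSPI(spi string) error {
	if _, err := strconv.ParseUint(spi, 16, 32); err != nil {
		return fmt.Errorf("SPI %q must be hexadecimal and fit in 32 bits: %w", spi, err)
	}
	return nil
}

// ManualSA holds the manual-key fields of the Add/Edit screen for one gateway.
type ManualSA struct {
	EncryptionAlgorithm, EncryptionKey         string
	AuthenticationAlgorithm, AuthenticationKey string
	SPI                                        string
}

// Validate checks every manual-mode field of one gateway's configuration.
func (m ManualSA) Validate() error {
	if err := ValidateManualKey(m.EncryptionAlgorithm, m.EncryptionKey); err != nil {
		return err
	}
	if err := ValidateManualKey(m.AuthenticationAlgorithm, m.AuthenticationKey); err != nil {
		return err
	}
	return ValidateSPI(m.SPI)
}

func main() {
	fmt.Println(ValidatePreSharedKey("0x0123456789ABCDEF")) // the guide's own example key
	// Constructed sample: 3DES with HMAC-SHA1 and SPI 1001 on one gateway.
	sa := ManualSA{"3DES", strings.Repeat("0123456789ABCDEF", 3), "SHA1", strings.Repeat("A", 40), "1001"}
	fmt.Println(sa.Validate())
}
```

Run the same ManualSA values through Validate on both gateways' configurations before bringing a manual tunnel up: the table's requirement that the Device and the remote IPSec router use the same SPI and algorithms is easy to miss when the two ends are configured by hand, and a mismatch shows up only as a tunnel that never passes traffic.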
20.4 The IPSec VPN Monitor Screen
Use this screen to check your VPN tunnel’s current status. You can also manually trigger a VPN
tunnel to the remote network. Click Security > IPSec VPN > Monitor to open this screen as
shown next.
Figure 138 Security > IPSec VPN > Monitor
This screen contains the following fields:
Table 105 Security > IPSec VPN > Monitor
LABEL: DESCRIPTION
Refresh Interval: Select how often you want the Device to update this screen. Select No Refresh to have the Device stop updating the screen.
Status: This displays a green line between two hosts if the VPN tunnel has been established successfully. Otherwise, it displays a red line in between.
Connection Name: This displays the name of the VPN policy.
Remote Gateway: This is the IP address of the remote IPSec router in the IKE SA.
Local Addresses: This displays the IP address(es) on the LAN behind your Device.
Remote Addresses: This displays the IP address(es) on the LAN behind the remote IPSec router.
Action: Click Trigger to establish a VPN connection with the remote network.
20.5 Technical Reference
This section provides some technical background information about the topics covered in this
chapter.
20.5.1 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 139 IPSec Architecture
IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header)
protocol (RFC 2402) describe the packet formats and the default standards for packet structure
(including implementation algorithms).
The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption
Standard) and Triple DES algorithms.
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an
authentication mechanism for the AH and ESP protocols.
Key Management
Key management allows you to determine whether to use IKE (ISAKMP) or manual key
configuration in order to set up a VPN.
20.5.2 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. At the time of
writing, the Device supports Tunnel mode only.
Figure 140 Transport and Tunnel Mode IPSec Encapsulation
Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the
original IP header and options, but before any upper layer protocols contained in the packet (such
as TCP and UDP).
With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP
header information and options are not used in the authentication process. Therefore, the
originating IP address cannot be verified for integrity against the data.
With the use of AH as the security protocol, protection is extended forward into the IP header to
verify the integrity of the entire packet by use of portions of the original IP header in the hashing
process.
Tunnel Mode
Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required
for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP
tunnel with authentication and encryption. This is the most common mode of operation. Tunnel
mode is required for gateway to gateway and host to gateway communications. Tunnel mode
communications have two sets of IP headers:
• Outside header: The outside IP header contains the destination IP address of the VPN gateway.
• Inside header: The inside IP header contains the destination IP address of the final system
behind the VPN gateway. The security protocol appears after the outer IP header and before the
inside IP header.
20.5.3 IKE Phases
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication)
and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses
that SA to negotiate SAs for IPSec.
Figure 141 Two Phases to Set Up the IPSec SA
In phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group.
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up
before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA
times out when an IPSec SA is already established, the IPSec SA stays connected.
In phase 2 you must:
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group.
• Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay
up before it times out. The Device automatically renegotiates the IPSec SA if there is traffic when
the IPSec SA lifetime period expires. If an IPSec SA times out, then the IPSec router must
renegotiate the SA the next time someone attempts to send traffic.
20.5.4 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be
established for each connection through IKE negotiations.
• Main Mode ensures the highest level of security when the communicating parties are
negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation,
Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode
features identity protection (your identity is not revealed in the negotiation).
• Aggressive Mode is quicker than Main Mode because it eliminates several steps when the
communicating parties are negotiating authentication (phase 1). However, the trade-off is that
the faster speed limits its negotiating power, and it also does not provide identity protection. It is
useful in remote access situations where the address of the initiator is not known by the responder
and both parties want to use pre-shared key authentication.
20.5.5 IPSec and NAT
Read this section if you are running IPSec on a host computer behind the Device.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using
the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash
value appended to the packet. When using AH protocol, packet contents (the data payload) are not
encrypted.
A NAT device in between the IPSec endpoints will rewrite either the source or destination address
with one of its own choosing. The VPN device at the receiving end will verify the integrity of the
incoming packet by computing its own hash value, and complain that the hash value appended to
the received packet doesn't match. The VPN device at the receiving end doesn't know about the
NAT in the middle, so it assumes that the data has been maliciously altered.
IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a
new IP packet. The new IP packet's source address is the outbound address of the sending VPN
gateway, and its destination address is the inbound address of the VPN device at the receiving end.
When using ESP protocol with authentication, the packet contents (in this case, the entire original
packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash
value appended to the packet.
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are
performed over the combination of the "original header plus original payload," which is unchanged
by a NAT device.
Transport mode ESP with authentication is not compatible with NAT.
Table 106 VPN and NAT
SECURITY PROTOCOL  MODE       NAT
AH                 Transport  N
AH                 Tunnel     N
ESP                Transport  N
ESP                Tunnel     Y
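To make the reasoning behind Table 106 concrete, here is an added example (not from the guide and not ZyXEL code): a toy Python model of what each protocol's integrity check covers and what a NAT device is able to change. The addresses, keys and the XOR "cipher" are constructed stand-ins; an HMAC-SHA256 prefix stands in for the HMAC-MD5/HMAC-SHA-1 ICV, and a SHA-256 prefix stands in for the TCP/UDP checksum, which in real packets also covers the IP addresses (the pseudo-header). The ESP transport case with NAT traversal (marked Y* in the next section) is not modelled.

```python
import hmac
import hashlib

# Constructed demonstration keys and addresses; none of these values come from the guide.
AUTH_KEY = b"constructed-authentication-key"
ENC_KEY = b"constructed-encryption-key"
HOST_A, HOST_B = "10.0.0.5", "10.0.1.7"        # end hosts behind the two gateways
GW_A, GW_B = "203.0.113.1", "198.51.100.1"     # the two IPSec routers
NAT_PUBLIC = "192.0.2.99"                      # address a NAT device substitutes

def hdr(src: str, dst: str) -> bytes:
    """Toy IP header: only the source and destination addresses are modelled."""
    return bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))

def checksum(header: bytes, payload: bytes) -> bytes:
    """Stand-in for the TCP/UDP checksum, which also covers the IP addresses
    (the pseudo-header), so changing an address invalidates it."""
    return hashlib.sha256(header + payload).digest()[:2]

def segment(header: bytes, payload: bytes) -> bytes:
    """Upper-layer segment as the host emits it: payload plus checksum."""
    return payload + checksum(header, payload)

def segment_ok(header: bytes, seg: bytes) -> bool:
    return hmac.compare_digest(seg[-2:], checksum(header, seg[:-2]))

def icv(protected: bytes) -> bytes:
    """Integrity Check Value: keyed hash over whatever the protocol protects."""
    return hmac.new(AUTH_KEY, protected, hashlib.sha256).digest()[:12]

def crypt(data: bytes) -> bytes:
    """Toy reversible cipher standing in for DES/3DES (XOR with a keystream)."""
    stream = hashlib.sha256(ENC_KEY).digest()
    stream = (stream * (len(data) // len(stream) + 1))[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

# --- Sending IPSec endpoint ---------------------------------------------------
def send_ah_transport(payload: bytes) -> dict:
    h = hdr(HOST_A, HOST_B)
    seg = segment(h, payload)
    return {"hdr": h, "body": seg, "icv": icv(h + seg)}      # ICV covers the header too

def send_ah_tunnel(payload: bytes) -> dict:
    inner, outer = hdr(HOST_A, HOST_B), hdr(GW_A, GW_B)
    body = inner + segment(inner, payload)                    # whole original packet
    return {"hdr": outer, "body": body, "icv": icv(outer + body)}

def send_esp_transport(payload: bytes) -> dict:
    h = hdr(HOST_A, HOST_B)
    esp = crypt(segment(h, payload))                          # only the segment is protected
    return {"hdr": h, "body": esp, "icv": icv(esp)}          # ICV excludes the header

def send_esp_tunnel(payload: bytes) -> dict:
    inner = hdr(HOST_A, HOST_B)
    esp = crypt(inner + segment(inner, payload))              # whole original packet
    return {"hdr": hdr(GW_A, GW_B), "body": esp, "icv": icv(esp)}

# --- NAT device between the endpoints -----------------------------------------
def nat(pkt: dict) -> dict:
    """Rewrites the outer source address; it cannot see into encrypted data
    and does not hold the authentication key, so it cannot fix anything else."""
    dst = ".".join(str(b) for b in pkt["hdr"][4:])
    return dict(pkt, hdr=hdr(NAT_PUBLIC, dst))

# --- Receiving IPSec endpoint -------------------------------------------------
def recv_ah_transport(pkt: dict) -> str:
    if not hmac.compare_digest(pkt["icv"], icv(pkt["hdr"] + pkt["body"])):
        return "dropped: AH integrity check failed"
    return "delivered" if segment_ok(pkt["hdr"], pkt["body"]) else "dropped: checksum failed"

def recv_ah_tunnel(pkt: dict) -> str:
    if not hmac.compare_digest(pkt["icv"], icv(pkt["hdr"] + pkt["body"])):
        return "dropped: AH integrity check failed"
    return "delivered" if segment_ok(pkt["body"][:8], pkt["body"][8:]) else "dropped: checksum failed"

def recv_esp_transport(pkt: dict) -> str:
    if not hmac.compare_digest(pkt["icv"], icv(pkt["body"])):
        return "dropped: ESP integrity check failed"
    # The host checks the checksum against the header it actually received.
    return "delivered" if segment_ok(pkt["hdr"], crypt(pkt["body"])) else "dropped: checksum failed"

def recv_esp_tunnel(pkt: dict) -> str:
    if not hmac.compare_digest(pkt["icv"], icv(pkt["body"])):
        return "dropped: ESP integrity check failed"
    inner = crypt(pkt["body"])                                # outer header is discarded
    return "delivered" if segment_ok(inner[:8], inner[8:]) else "dropped: checksum failed"

def nat_compatibility(payload: bytes = b"constructed application data") -> dict:
    """Pass each protocol/mode combination through a NAT device (the rows of Table 106)."""
    return {
        ("AH", "Transport"): recv_ah_transport(nat(send_ah_transport(payload))),
        ("AH", "Tunnel"): recv_ah_tunnel(nat(send_ah_tunnel(payload))),
        ("ESP", "Transport"): recv_esp_transport(nat(send_esp_transport(payload))),
        ("ESP", "Tunnel"): recv_esp_tunnel(nat(send_esp_tunnel(payload))),
    }
```

Calling nat_compatibility() returns the four results. Both AH rows fail at the integrity check, because the ICV was computed over the address the NAT device rewrote. ESP transport passes the integrity check (the header is outside the ICV) but the host then drops the segment, because the transport checksum inside the encrypted payload still reflects the original address and nothing in the path could correct it. Only ESP tunnel mode is delivered: the addresses the checksum depends on are inside the encrypted inner packet, which the NAT device never touched. Without a NAT device in the path, all four combinations are delivered.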
20.5.6 VPN, NAT, and NAT Traversal
NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using
the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash
value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or
destination address. As a result, the VPN device at the receiving end finds a mismatch between the
hash value and the data and assumes that the data has been maliciously altered.
NAT is not normally compatible with ESP in transport mode either, but the Device’s NAT Traversal
feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are
NAT routers between the two IPSec routers.
Figure 142 NAT Router Between IPSec Routers
Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because
the NAT router changes the header of the IPSec packet. NA T traversal solves the problem by adding
a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP
port 500 header unchanged. In the above figure, when IPSec router A tries to establish an IKE SA,
IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA.
For NAT traversal to work, you must:
• Use ESP security protocol (in either transport or tunnel mode).
• Use IKE keying mode.
• Enable NAT traversal on both IPSec endpoints.
• Set the NAT router to forward UDP port 500 to IPSec router A.
Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the
combination of the "original header plus original payload," which is unchanged by a NAT device. The
compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following
table.
Table 107 VPN and NAT
SECURITY PROTOCOL  MODE       NAT
AH                 Transport  N
AH                 Tunnel     N
ESP                Transport  Y*
ESP                Tunnel     Y
Y* - This is supported in the Device if you enable NAT traversal.
20.5.7 ID Type and Content
With aggressive negotiation mode (see Section 20.5.4 on page 231), the Device identifies incoming
SAs by ID type and content since this identifying information is not encrypted. This enables the
Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that
have dynamic WAN IP addresses.
Regardless of the ID type and content configuration, the Device does not allow you to save multiple
active rules with overlapping local and remote IP addresses.
With main mode (see Section 20.5.4 on page 231), the ID type and content are encrypted to
provide identity protection. In this case the Device can only distinguish between up to 12 different
incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The
Device can distinguish up to 48 incoming SAs because you can select between three encryption
algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key
groups when you configure a VPN rule (see Section 20.2 on page 221). The ID type and content act
as an extra level of identification for incoming SAs.
The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP
address, domain name, or e-mail address.
Table 108 Local ID Type and Content Fields
LOCAL ID TYPE  CONTENT
IP             Type the IP address of your computer.
DNS            Type a domain name (up to 31 characters) by which to identify this Device.
E-mail         Type an e-mail address (up to 31 characters) by which to identify this Device.
The domain name or e-mail address that you use in the Local ID Content field is used for
identification purposes only and does not need to be a real domain name or e-mail address.
20.5.7.1 ID Type and Content Examples
Two IPSec routers must have matching ID type and content configuration in order to set up a VPN
tunnel.
The two Devices in this example can complete negotiation and establish a VPN tunnel.
Table 109 Matching ID Type and Content Configuration Example
DEVICE A                                DEVICE B
Local ID type: E-mail                   Local ID type: IP
Local ID content: tom@yourcompany.com   Local ID content: 1.1.1.2
Remote ID type: IP                      Remote ID type: E-mail
Remote ID content: 1.1.1.2              Remote ID content: tom@yourcompany.com
The two Devices in this example cannot complete their negotiation because Device B’s Local ID Type
is IP, but Device A’s Remote ID Type is set to E-mail. An “ID mismatched” message displays in the
IPSEC LOG.
Table 110 Mismatching ID Type and Content Configuration Example
DEVICE A                                DEVICE B
Local ID type: IP                       Local ID type: IP
Local ID content: 1.1.1.10              Local ID content: 1.1.1.2
Remote ID type: E-mail                  Remote ID type: IP
Remote ID content: aa@yahoo.com         Remote ID content: 1.1.1.0
20.5.8 Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section
20.5.3 on page 230 for more on IKE phases). It is called “pre-shared” because you have to share it
with another party before you can communicate with them over a secure connection.
20.5.9 Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a
shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA
setup to establish session keys. Upon completion of the Diffie-Hellman exchange, the two peers
have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
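The point made in Sections 20.5.8 and 20.5.9, that the Diffie-Hellman exchange alone gives both peers a shared secret but does not authenticate the IKE SA, is shown in the following added example (not from the guide and not ZyXEL code). The group parameters are toy values, not one of the IKE DH groups (real peers use the MODP groups of RFC 2409 and RFC 3526), the peer identities and pre-shared keys are constructed, and the HMAC authentication tag is a simplified stand-in for IKE's actual SKEYID/HASH derivation.

```python
import hmac
import hashlib
import secrets

# Toy group parameters for illustration only. They are NOT one of the IKE
# Diffie-Hellman groups; real peers use the MODP groups from RFC 2409 / RFC 3526.
P = 2**127 - 1          # a prime (the Mersenne prime M127)
G = 3                   # generator for the toy group

class Peer:
    """One IPSec router taking part in a phase 1 exchange."""

    def __init__(self, identity: str, pre_shared_key: bytes):
        self.identity = identity                       # the ID content (IP, DNS or e-mail)
        self.psk = pre_shared_key
        self.private = secrets.randbelow(P - 2) + 1    # x in [1, P-2], never sent
        self.public = pow(G, self.private, P)          # g^x mod p, sent in the clear
        self.shared_secret = None

    def receive_public(self, other_public: int) -> None:
        # Both sides end up with g^(xy) mod p; an eavesdropper sees only g^x and g^y.
        self.shared_secret = pow(other_public, self.private, P)

    def auth_tag(self, other_public: int) -> bytes:
        # Proof of PSK possession bound to this exchange's public values and identity.
        # Simplified stand-in for IKE's SKEYID/HASH computation (RFC 2409).
        transcript = f"{self.identity}|{self.public}|{other_public}".encode()
        return hmac.new(self.psk, transcript, hashlib.sha256).digest()

    def verify_peer(self, peer_identity: str, peer_public: int, tag: bytes) -> bool:
        # Recompute the tag the peer should have produced and compare in constant time.
        transcript = f"{peer_identity}|{peer_public}|{self.public}".encode()
        expected = hmac.new(self.psk, transcript, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def phase1(initiator: Peer, responder: Peer) -> dict:
    """Run the unauthenticated DH exchange, then authenticate it with the PSK."""
    # Step 1: exchange DH public values (these travel unencrypted).
    responder.receive_public(initiator.public)
    initiator.receive_public(responder.public)
    # Step 2: each side proves it holds the pre-shared key for this exchange.
    tag_i = initiator.auth_tag(responder.public)
    tag_r = responder.auth_tag(initiator.public)
    return {
        "secrets_match": initiator.shared_secret == responder.shared_secret,
        "responder_authenticated_initiator":
            responder.verify_peer(initiator.identity, initiator.public, tag_i),
        "initiator_authenticated_responder":
            initiator.verify_peer(responder.identity, responder.public, tag_r),
    }
```

With the same pre-shared key on both peers, phase1() reports matching secrets and successful authentication in both directions. Run it with a peer that holds a different key and the secrets still match, because Diffie-Hellman itself asks nothing about who the other party is; only the PSK-based check fails, which is the separation the section above describes.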
CHAPTER 21
Voice
21.1 Overview
Use this chapter to:
• Connect an analog phone to the Device.
• Make phone calls over the Internet, as well as the regular phone network.
• Configure settings such as speed dial.
• Configure network settings to optimize the voice quality of your phone calls.
21.1.1 What You Can Do in this Chapter
These screens allow you to configure your Device to make phone calls over the Internet and your
regular phone line, and to set up the phones you connect to the Device.
Voice
• Use the SIP Account screen (Section 21.3 on page 236) to set up information about your SIP
account, control which SIP accounts the phones connected to the Device use and configure audio
settings such as volume levels for the phones connected to the Device.
• Use the SIP Service Provider screen (Section 21.4 on page 241) to configure the SIP server
information, QoS for VoIP calls, the numbers for certain phone functions, and dialing plan.
• Use the Phone Region screen (Section 21.5 on page 249) to change settings that depend on the
country you are in.
• Use the Call Rule screen (Section 21.6 on page 249) to set up shortcuts for dialing frequently
used (VoIP) phone numbers.
• Use the Call History Summary screen (Section 21.7 on page 250) to view the summary list of
received, dialed and missed calls.
• Use the Call History Outgoing screen (Section 21.8 on page 251) to view detailed information
for each outgoing call you made.
• Use the Call History Incoming screen (Section 21.9 on page 251) to view detailed information
for each incoming call from someone calling you.
You don’t necessarily need to use all these screens to set up your account. In fact, if your service
provider did not supply information on a particular field in a screen, it is usually best to leave it at
its default setting.
Chapter 21 Voice
21.1.2 What You Need to Know About VoIP
VoIP
VoIP stands for Voice over IP. IP is the Internet Protocol, which is the message-carrying standard
the Internet runs on. So, Voice over IP is the sending of voice signals (speech) over the Internet (or
another network that uses the Internet Protocol).
SIP
SIP stands for Session Initiation Protocol. SIP is a signalling standard that lets one network device
(like a computer or the Device) send messages to another. In VoIP, these messages are about
phone calls over the network. For example, when you dial a number on your Device, it sends a SIP
message over the network asking the other device (the number you dialed) to take part in the call.
SIP Accounts
A SIP account is a type of VoIP account. It is an arrangement with a service provider that lets you
make phone calls over the Internet. When you set the Device to use your SIP account to make
calls, the Device is able to send all the information about the phone call to your service provider on
the Internet.
Strictly speaking, you don’t need a SIP account. It is possible for one SIP device (like the Device) to
call another without involving a SIP service provider. However, the networking difficulties involved
in doing this make it tremendously impractical under normal circumstances. Your SIP account
provider removes these difficulties by taking care of the call routing and setup - figuring out how to
get your call to the right place in a way that you and the other person can talk to one another.
How to Find Out More
See Chapter 4 on page 37 for a tutorial showing how to set up these screens in an example
scenario.
See Section 21.10 on page 252 for advanced technical information on SIP.
21.2 Before You Begin
• Before you can use these screens, you need to have a VoIP account already set up. If you don’t
have one yet, you can sign up with a VoIP service provider over the Internet.
• You should have the information your VoIP service provider gave you ready, before you start to
configure the Device.
21.3 The SIP Account Screen
The Device uses a SIP account to make outgoing VoIP calls and check if an incoming call’s
destination number matches your SIP account’s SIP number. In order to make or receive a VoIP