ZyXEL X550NHV2 User Manual

PART III

Security

Firewall (153)
Content Filtering (161)
IPSec VPN (165)

151

152

CHAPTER 13

Firewall

This chapter gives some background information on firewalls and explains how to get started
with the NBG-460N’s firewall.

13.1 Introduction to ZyXEL’s Firewall

13.1.1 What is a Firewall?

Originally, the term “firewall” referred to a construction technique designed to prevent the
spread of fire from one room to another. The networking term "firewall" is a system or group
of systems that enforces an access-control policy between two networks. It may also be
defined as a mechanism used to protect a trusted network from a network that is not trusted. Of
course, firewalls cannot solve every security problem. A firewall is one of the mechanisms
used to establish a network security perimeter in support of a network security policy. It
should never be the only mechanism or method employed. For a firewall to guard effectively,
you must design and deploy it appropriately. This requires integrating the firewall into a broad
information-security policy. In addition, specific policies must be implemented within the
firewall itself.

13.1.2 Stateful Inspection Firewall

Stateful inspection firewalls restrict access by screening data packets against defined access
rules. They make access control decisions based on IP address and protocol. They also
"inspect" the session data to assure the integrity of the connection and to adapt to dynamic
protocols. These firewalls generally provide the best speed and transparency; however, they
may lack the granular application level access control or caching that some proxies support.
Firewalls, of one type or another, have become an integral part of standard security solutions
for enterprises.

13.1.3 About the NBG-460N Firewall

The NBG-460N firewall is a stateful inspection firewall and is designed to protect against
Denial of Service attacks when activated (click the General tab under Firewall and then click
the Enable Firewall check box). The NBG-460N's purpose is to allow a private Local Area
Network (LAN) to be securely connected to the Internet. The NBG-460N can be used to
prevent theft, destruction and modification of data, as well as log events, which may be
important to the security of your network.

NBG-460N User’s Guide

153

Chapter 13 Firewall

The NBG-460N is installed between the LAN and a broadband modem connecting to the
Internet. This allows it to act as a secure gateway for all data passing between the Internet and
the LAN.

The NBG-460N has one Ethernet WAN port and four Ethernet LAN ports, which are used to
physically separate the network into two areas.The WAN (Wide Area Network) port attaches
to the broadband (cable or DSL) modem to the Internet.

The LAN (Local Area Network) port attaches to a network of computers, which needs security
from the outside world. These computers will have access to Internet services such as e-mail,
FTP and the World Wide Web. However, "inbound access" is not allowed (by default) unless
the remote host is authorized to use a specific service.

13.1.4 Guidelines For Enhancing Security With Your Firewall

1 Change the default password via web configurator.
2 Think about access control before you connect to the network in any way, including

attaching a modem to the port.

3 Limit who can access your router.
4 Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled

service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.

5 For local services that are enabled, protect against misuse. Protect by configuring the

services to communicate only with specific peers, and protect by configuring rules to
block packets for the services at specific interfaces.

6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.

13.2 Triangle Routes

If an alternate gateway on the LAN has an IP address in the same subnet as the NBG-460N’s
LAN IP address, return traffic may not go through the NBG-460N. This is called an
asymmetrical or “triangle” route. This causes the NBG-460N to reset the connection, as the
connection has not been acknowledged.

You can have the NBG-460N permit the use of asymmetrical route topology on the network
(not reset the connection).

Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without
passing through the NBG-460N. A better solution is to use IP alias to put the NBG-460N and
the backup gateway on separate subnets.

13.2.1 Triangle Routes and IP Alias

You can use IP alias instead of allowing triangle routes. IP Alias allow you to partition your
network into logical sections over the same interface.

By putting your LAN and Gateway A in different subnets, all returning network traffic must
pass through the NBG-460N to your LAN. The following steps describe such a scenario.

154

NBG-460N User’s Guide

Chapter 13 Firewall

1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving

server on the WAN.

2 The NBG-460N reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the NBG-460N.
4 The NBG-460N then sends it to the computer on the LAN in Subnet 1.

Figure 96 Using IP Alias to Solve the Triangle Route Problem

13.3 General Firewall Screen

Click Security > Firewall to open the General screen. Use this screen to enable or disable the
NBG-460N’s firewall, and set up firewall logs.

Figure 97 Security > Firewall > General l

The following table describes the labels in this screen.

Table 57 Security > Firewall > General

LABEL DESCRIPTION

Enable Firewall Select this check box to activate the firewall. The NBG-460N performs access

Packet Direction This is the direction of travel of packets.

control and protects against Denial of Service (DoS) attacks when the firewall is
activated.

Firewall rules are grouped based on the direction of travel of packets to which they
apply.

NBG-460N User’s Guide

155

Chapter 13 Firewall

Table 57 Security > Firewall > General

LABEL DESCRIPTION

Log Select whether to create a log for packets that are traveling in the selected

Apply Click Apply to save the settings.
Reset Click Reset to start configuring this screen again.

direction when the packets are blocked (Log All) or forwarded (Log Forward). Or
select Not Log to not log any records.

To log packets related to firewall rules, make sure that Access Control under Log
is selected in the Logs > Log Settings screen.

13.4 Services Screen

Click Security > Firewall > Services. The screen appears as shown next.
If an outside user attempts to probe an unsupported port on your NBG-460N, an ICMP

response packet is automatically returned. This allows the outside user to know the NBG­460N exists. Use this screen to prevent the ICMP response packet from being sent. This keeps
outsiders from discovering your NBG-460N when unsupported ports are probed.

You can also use this screen to enable service blocking, enter/delete/modify the services you
want to block and the date/time you want to block them.

Figure 98 Security > Firewall > Services

The following table describes the labels in this screen.

Table 58 Security > Firewall > Services

LABEL DESCRIPTION

ICMP Internet Control Message Protocol is a message control and error-reporting

Respond to Ping onThe NBG-460N will not respond to any incoming Ping requests when Disable is

protocol between a host server and a gateway to the Internet. ICMP uses Internet
Protocol (IP) datagrams, but the messages are processed by the TCP/IP software
and directly apparent to the application user.

selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply
to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to all
incoming LAN and WAN Ping requests.

156

NBG-460N User’s Guide

Chapter 13 Firewall

Table 58 Security > Firewall > Services

LABEL DESCRIPTION

Do not respond to
requests for
unauthorized
services

Firewall Rule
# This is your firewall rule number. The ordering of your rules is important as rules

Active This icon is green when the rule is turned on. The icon is grey when the rule is

Service Name This field displays the services and port numbers to which this firewall rule applies.
IP This field displays the IP address(es) the rule applies to.
Schedule This field displays the days the firewall rule is active.
Log This field shows you whether a log will be created when packets match the rule

Modify Click the Edit icon to modify an existing rule setting in the fields under the Add

Add Click the Add button to display the screen where you can configure a new firewall

Move The Move button moves a rule to a different position. In the first text box enter the

Misc setting
Bypass Triangle

Route
Max NAT/Firewall

Session Per User
Apply Click Apply to save the sett ings.
Reset Click Reset to start configuring this screen again.

Select this option to prevent hackers from finding the NBG-460N by probing for
unused ports. If you select this option, the NBG-460N will not respond to port
request(s) for unused ports, thus leaving the unused ports and the NBG-460N
unseen. By default this option is not selected and the NBG-460N will reply with an
ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a
TCP Reset packet for a port probe on its unused TCP ports.

Note that the probing packets must first traverse the NBG-460N's firewall
mechanism before reaching this anti-probing mechanism. Therefore if the firewall
mechanism blocks a probing packet, the NBG-460N reacts based on the firewall
policy, which by default, is to send a TCP reset packet for a blocked TCP packet.
You can use the command "sys firewall tcprst rst [on|off]" to change this policy.
When the firewall mechanism blocks a UDP packet, it drops the packet without
sending a response packet.

are applied in turn. Use the Move button to rearrange the order of the rules.

turned off.

(Match) or not (No).

Firewall Rule screen.
Click the Remove icon to delete a rule. Note that subsequent firewall rules move

up by one when you take this action.

rule. Modify the number in the textbox to add the rule before a specific rule
number.

number of the rule you wish to move. In the second text box enter the number of
the rule you wish to move the first rule to and click the Move button.

Select this check box to have the NBG-460N firewall ignore the use of triangle
route topology on the network.

Type a number ranging from 1 to 2048 to limit the number of NAT/firewall sessions
that a host can create.

13.4.1 The Add Firewall Rule Screen

If you click Add or the Modify icon on an existing rule, the Add Firewall Rule screen is
displayed. Use this screen to add a firewall rule or to modify an existing one.

NBG-460N User’s Guide

157

Chapter 13 Firewall

Figure 99 Security > Firewall > Services > Adding a Rule

The following table describes the labels in this screen.

Table 59 Security > Firewall > Services > Adding a Rule

LABEL DESCRIPTION

Active Select this check box to turn the rule on.
Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of

IP Address Enter the single IP address here. This field is only available when Single IP is

Start IP Address Enter the starting IP address in a range here. This field is only available when IP

End IP Address Enter the ending IP address in a range here. This field is only available when IP

IP Pool List Add an IP address from the IP Pool List to the Selected IP List by highlighting an

Service Setup

IP addresses (for example 192.168.1.10 to 192.169.1.50), a pool of IP address or
any IP address? Select an option from the drop-down list box that includes: Any
IP, Single IP, IP Range and IP Pool.

selected as the Address Type.

Range is selected as the Address Type.

Range is selected as the Address Type.

IP address and clicking Add. To delete an IP address from the Selected IP List
highlight an IP address and click the Remove button. These fields are only
available when IP Pool is selected as the Address Type.

The IP Pool list gathers its IPs from entries in the ARP table. The ARP table
contains the IP addresses and MAC addresses of the devices that have sent
traffic to the NBG-460N.

158

NBG-460N User’s Guide

Chapter 13 Firewall

Table 59 Security > Firewall > Services > Adding a Rule

LABEL DESCRIPTION

Available
Services

Blocked Services This is a list of services (ports) that will be inaccessible to computers on your LAN

Custom Port A custom port is a service that is not available in the pre-defined Available

Type Choose the IP port (TCP or UDP) that defines your customized port from the drop

Port Number Enter the port number range that defines the service. For example, if you want to

Add Select a service from the Available Services drop-down list and then click Add to

Delete Select a service from the Blocked Services list and then click Delete to remove

Clear All Click Clear All to empty the Blocked Services.
Schedule to Block
Day to Block: Select a check box to configure which days of the week (or everyday) you want

Time of Day to
Block (24-Hour
Format)

Log
Active (Log

packets match
this rule)

Misc setting
Bypass Triangle

Route
Max NAT/Firewall

Session Per User
Apply Click Apply to save the sett ings.
Reset Click Reset to start configuring this screen again.
Cancel Click Cancel to return to the Services screen without saving any changes.

This is a list of pre-defined services (ports) you may prohibit your LAN computers
from using. Select the port you want to block using the drop-down list and click
Add to add the port to the Blocked Services field.

once you enable service blocking.

Services list and you must define using the next two fields.

down list box.

define the Gnutella service, then select TCP type and enter a port range from
6345 to 6349.

add a service to the Blocked Services

this service from the list.

service blocking to be active.
Select the time of day you want service blocking to take effect. Configure blocking

to take effect all day by selecting All Day. You can also configure specific times by
selecting From and entering the start time in the Start (hour) and Start (min)
fields and the end time in the End (hour) and End (min) fields. Enter times in 24­hour format, for example, "3:00pm" should be entered as "15:00".

Select this to log packets that match this rule. Go to the Log Settings page and
select the Access Control logs category to have the NBG-460N record these
logs.

Select this check box to have the NBG-460N firewall ignore the use of triangle
route topology on the network.

Type a number ranging from 1 to 2048 to limit the number of NAT/firewall sessions
that a host can create.

NBG-460N User’s Guide

159

Chapter 13 Firewall

160

NBG-460N User’s Guide

CHAPTER 14

Content Filtering

This chapter provides a brief overview of content filtering using the embedded web GUI.

14.1 Introduction to Content Filtering

Internet content filtering allows you to create and enforce Internet access policies tailored to
your needs. Content filtering is the ability to block certain web features or specific URL
keywords.

14.2 Restrict Web Features

The NBG-460N can block web features such as ActiveX controls, Java applets, cookies and
disable web proxies.

14.3 Days and Times

The NBG-460N also allows you to define time periods and days during which the NBG-460N
performs content filtering.

14.4 Filter Screen

Click Security > Content Filter to open the Filter screen.

NBG-460N User’s Guide

161

Chapter 14 Content Filtering

Figure 100 Security > Content Filter > Filter

The following table describes the labels in this screen.

Table 60 Security > Content Filter > Filter

LABEL DESCRIPTION

Trusted Computer
IP Address

Restrict Web
Features

ActiveX A tool for building dynamic and active Web pages and distributed object

Java A programming language and development environment for building

Cookies Used by Web servers to track usage and provide service based on ID.
Web Proxy A server that acts as an intermediary between a user and the Internet to provide

Keyword Blocking
Enable URL

Keyword Blocking

To enable this feature, type an IP address of any one of the computers in your
network that you want to have as a trusted computer. This allows the trusted
computer to have full access to all features that are configured to be blocked by
content filtering.

Leave this field blank to have no trusted computers.
Select the box(es) to restrict a feature. When you download a page containing a

restricted feature, that part of the web page will appear blank or grayed out.

applications. When you visit an ActiveX Web site, ActiveX controls are
downloaded to your browser, where they remain in case you visit the site again.

downloadable Web components or Internet and intranet business applications of
all kinds.

security, administrative control, and caching service. When a proxy server is
located on the WAN it is possible for LAN users to circumvent content filtering by
pointing to this proxy server.

The NBG-460N can block Web sites with URLs that contain certain keywords in
the domain name or IP address. For example, if the keyword "bad" was enabled,
all sites containing this keyword in the domain name or IP address will be
blocked, e.g., URL http://www.website.com/bad.html would be blocked. Select
this check box to enable this feature.

162

NBG-460N User’s Guide

Table 60 Security > Content Filter > Filter

LABEL DESCRIPTION

Keyword Type a keyword in this field. You may use any character (up to 64 characters).

Keyword List This list displays the keywords already added.
Add Click Add after you have typed a keyword.

Delete Highlight a keyword in the lower box and click Delete to remove it. The keyword

Clear All Click this button to remove all of the listed keywords.
Denied Access

Message
Apply Click Apply to save your changes.
Reset Click Reset to begin configuring this screen afresh

14.5 Schedule

Chapter 14 Content Filtering

Wildcards are not allowed. You can also enter a numerical IP address.

Repeat this procedure to add other keywords. Up to 64 keywords are allowed.
When you try to access a web page containing a keyword, you will get a

message telling you that the content filter is blocking this request.

disappears from the text box after you click Apply.

Enter a message to be displayed when a user tries to access a restricted web
site. The default message is “Please contact your network administrator!!”

Use this screen to set the day(s) and time you want the NBG-460N to use content filtering.
Click Security > Content Filter > Schedule. The following screen displays.

Figure 101 Security > Content Filter > Schedule

The following table describes the labels in this screen.

Table 61 Security > Content Filter > Schedule

LABEL DESCRIPTION

Day to Block Select check boxes for the days that you want the NBG-460N to perform

Time of Day to Block
(24-Hour Format)

content filtering. Select the Everyday check box to have content filtering
turned on all days of the week.

Time of Day to Block allows the administrator to define during which time
periods content filtering is enabled. Time of Day to Block restrictions only
apply to the keywords (see above). Restrict web server data, such as ActiveX,
Java, Cookies and Web Proxy are not affected.

Select All Day to have content filtering always active on the days selected in
Day to Block with time of day limitations not enforced.

Select From and enter the time period, in 24-hour format, during which
content filtering will be enforced.

NBG-460N User’s Guide

163

Chapter 14 Content Filtering

Table 61 Security > Content Filter > Schedule

LABEL DESCRIPTION

Apply Click Apply to save your customized settings and exit this screen.
Reset Click Reset to begin configuring this screen afresh

14.6 Customizing Keyword Blocking URL Checking

You can use commands to set how much of a website’s URL the content filter is to check for
keyword blocking. See the appendices for information on how to access and use the command
interpreter.

14.6.1 Domain Name or IP Address URL Checking

By default, the NBG-460N checks the URL’s domain name or IP address when performing
keyword blocking.

This means that the NBG-460N checks the characters that come before the first slash in the
URL.

For example, with the URL www.zyxel.com.tw/news/pressroom.php
searches for keywords within www.zyxel.com.tw

14.6.2 Full Path URL Checking

Full path URL checking has the NBG-460N check the characters that come before the last
slash in the URL.

For example, with the URL www.zyxel.com.tw/news/pressroom.php
searches for keywords within www.zyxel.com.tw/news/

Use the ip urlfilter customize actionFlags 6 [disable | enable]
command to extend (or not extend) the keyword blocking search to include the URL's full
path.

14.6.3 File Name URL Checking

Filename URL checking has the NBG-460N check all of the characters in the URL.
For example, filename URL checking searches for keywords within the URL

www.zyxel.com.tw/news/pressroom.php

Use the ip urlfilter customize actionFlags 8 [disable | enable]
command to extend (or not extend) the keyword blocking search to include the URL's
complete filename.

, content filtering only

.

, full path URL checking

.

.

164

NBG-460N User’s Guide

CHAPTER 15

IPSec VPN

15.1 IPSec VPN Overview

A virtual private network (VPN) provides secure communications between sites without the
expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption,
authentication, access control and auditing. It is used to transport traffic over the Internet or
any insecure network that uses TCP/IP for communication.

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for
secure data communications across a public network like the Internet. IPSec is built around a
number of standardized cryptographic techniques to provide confidentiality, data integrity and
authentication at the IP layer.

The following figure provides one perspective of a VPN tunnel.

Figure 102 IPSec VPN: Overview

The VPN tunnel connects the NBG-460N (X) and the remote IPSec router (Y). These routers
then connect the local network (A) and remote network (B).

15.1.1 What You Can Do in the IPSec VPN Screens

Use the General Screen (Section 15.2 on page 167) to display and manage the NBG-460N’s
VPN rules (tunnels).

Use the SA Monitor Screen (Section 15.3 on page 184) to display and manage active VPN
connections.

NBG-460N User’s Guide

165

Chapter 15 IPSec VPN

15.1.2 What You Need To Know About IPSec VPN

A VPN tunnel is usually established in two phases. Each phase establishes a security
association (SA), a contract indicating what security parameters the NBG-460N and the
remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA
between the NBG-460N and remote IPSec router. The second phase uses the IKE SA to
securely establish an IPSec SA through which the NBG-460N and remote IPSec router can
send data between computers on the local network and remote network. The following figure
illustrates this.

Figure 103 VPN: IKE SA and IPSec SA

In this example, a computer in network A is exchanging data with a computer in network B.
Inside networks A and B, the data is transmitted the same way data is normally transmitted in
the networks. Between routers X and Y, the data is protected by tunneling, encryption,
authentication, and other security features of the IPSec SA. The IPSec SA is established
securely using the IKE SA that routers X and Y established first.

15.1.3 IKE SA (IKE Phase 1) Overview

The IKE SA provides a secure connection between the NBG-460N and remote IPSec router.
It takes several steps to establish an IKE SA. The negotiation mode determines the number of

steps to use. There are two negotiation modes--main mode and aggressive mode. Main mode
provides better security, while aggressive mode is faster.

Note: Both routers must use the same negotiation mode.

These modes are discussed in more detail in Negotiation Mode on page 188. Main mode is
used in various examples in the rest of this section.

15.1.3.1 IP Addresses of the NBG-460N and Remote IPSec Router

In the NBG-460N, you have to specify the IP addresses of the NBG-460N and the remote
IPSec router to establish an IKE SA.

You can usually provide a static IP address or a domain name for the NBG-460N. Sometimes,
your NBG-460N might also offer another alternative, such as using the IP address of a port or
interface.

166

NBG-460N User’s Guide

You can usually provide a static IP address or a domain name for the remote IPSec router as
well. Sometimes, you might not know the IP address of the remote IPSec router (for example,
telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router
can initiate an IKE SA.

15.1.4 IPSec SA (IKE Phase 2) Overview

Once the NBG-460N and remote IPSec router have established the IKE SA, they can securely
negotiate an IPSec SA through which to send data between computers on the networks.

Note: The IPSec SA stays connected even if the underlying IKE SA is not available

anymore.

This section introduces the key components of an IPSec SA.

15.1.4.1 Local Network and Remote Network

In an IPSec SA, the local network consists of devices connected to the NBG-460N and may be
called the local policy. Similarly, the remote network consists of the devices connected to the
remote IPSec router and may be called the remote policy.

Chapter 15 IPSec VPN

Note: It is not recommended to set a VPN rule’s local and remote network settings

both to 0.0.0.0 (any). This causes the NBG-460N to try to forward all access
attempts (to the local network, the Internet or even the NBG-460N) to the
remote IPSec router. In this case, you can no longer manage the NBG-460N.

15.2 The General Screen

Click Security > VPN to display the Summary screen. This is a read-only menu of your VPN
rules (tunnels). Edit a VPN rule by clicking the Edit icon.

Figure 104 Security > VPN > General

NBG-460N User’s Guide

167

Chapter 15 IPSec VPN

The following table describes the fields in this screen.

Table 62 Security > VPN > General

LABEL DESCRIPTION

# This is the VPN policy index number.
Active This field displays whether the VPN policy is active or not.

Local Addr. This displays the beginning and ending (static) IP addresses or a (static) IP address

Remote Addr. This displays the beginning and ending (static) IP addresses or a (static) IP address

Encap. This field displays Tunnel or Transport mode (Tunnel is the default selection).
Algorithm This field displays the security protocol, encrypti on algorithm and authentication

Gateway This is the static WAN IP address or URL of the remote IPSec router. This field

Modify Click the Edit icon to go to the screen where you can edit the VPN rule.

Windows
Networking
(NetBIOS over
TCP/IP)

Allow NetBIOS
Traffic Through
IPSec Tunnel

Apply Click Apply to save your changes back to the NBG-460N.
Reset Click Reset to begin configuring this screen afresh.

This icon is turned on when the rule is enabled.

and a subnet mask of computer(s) on your local network behind your NBG-460N.

and a subnet mask of computer(s) on the remote network behind the remote IPSec
router.

This field displays 0.0.0.0 when the Secure Gateway Address field displays 0.0.0.0.
In this case only the remote IPSec router can initiate the VPN.

algorithm used for an SA.

displays 0.0.0.0 when you configure the Secure Gateway Address field in the Rule
Setup screen to 0.0.0.0.

Click the Remove icon to remove an existing VPN rule.
NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable

a computer to find other computers. It may sometimes be necessary to allow
NetBIOS packets to pass through VPN tunnels in order to allow local computers to
find computers on the remote network and vice versa.

Select this check box to send NetBIOS packets through the VPN connection.

15.2.1 VPN Rule Setup (Basic)

Click the Edit icon in the General screen to display the Rule Setup screen.
This figure helps explain the main fields.

168

NBG-460N User’s Guide

Figure 105 IPSec Fields Summary

Use this screen to configure a VPN rule.

Figure 106 Security > VPN > General > Rule Setup: IKE (Basic)

Chapter 15 IPSec VPN

NBG-460N User’s Guide

169

Chapter 15 IPSec VPN

The following table describes the labels in this screen.

Table 63 SECURITY > VPN > Rule Setup: IKE (Basic)

LABEL DESCRIPTION

Property
Active Select this check box to activate this VPN policy.
Keep Alive Select this check box to have the NBG-460N automatically reinitiate the SA after

NAT Traversal Select this check box to enable NAT traversal. NAT traversal allows you to set up

IPSec Keying
Mode

DNS Server (for
IPSec VPN)

Local Policy Local IP addresses must be static and correspond to the remote IPSec router's

Local Address For a single IP address, enter a (static) IP address on the LAN behind your NBG-

Local Address End
/Mask

the SA lifetime times out, even if there is no traffic. The remote IPSec router must
also have keep alive enabled in order for this feature to work.

a VPN connection when there are NAT routers between the two IPSec routers.

Note: The remote IPSec router must also have NAT traversal

enabled.

You can use NAT traversal with ESP protocol using Transport or Tunnel mode,
but not with AH protocol nor with manual key management. In order for an IPSec
router behind a NAT router to receive an initiating IPSec packet, set the NAT
router to forward UDP ports 500 and 4500 to the IPSec router behind the NAT
router.

Select IKE or Manual from the drop-down list box. IKE provides more protection
so it is generally recommended. Manual is a useful option for troubleshooting if
you have problems using IKE key management.

If there is a private DNS server that services the VPN, type its IP address here.
The NBG-460N assigns this additional DNS server to the NBG-460N's DHCP
clients that have IP addresses in this IPSec rule's range of local addresses.

A DNS server allows clients on the VPN to find other computers and servers on
the VPN by their (private) domain names.

configured remote IP addresses.
Two active SAs can have the same configured local or remote IP address, but not

both. You can configure multiple SAs between the same local and remote IP
addresses, as long as only one is active at any time.

In order to have more than one active rule with the Secure Gateway Address
field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between
rules.

If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field
and the LAN’s full IP address range as the local IP address, then you cannot
configure any other active rules with the Secure Gateway Address field set to

0.0.0.0.

460N.
For a specific range of IP addresses, enter the beginning (static) IP address, in a

range of computers on your LAN behind your NBG-460N.
To specify IP addresses on a network by their subnet mask, enter a (static) IP

address on the LAN behind your NBG-460N.
When the local IP address is a single address, type it a second time here.

When the local IP address is a range, enter the end (static) IP address, in a range
of computers on the LAN behind your NBG-460N.

When the local IP address is a subnet address, enter a subnet mask on the LAN
behind your NBG-460N.

170

NBG-460N User’s Guide

Table 63 SECURITY > VPN > Rule Setup: IKE (Basic) (continued)

LABEL DESCRIPTION

Chapter 15 IPSec VPN

Remote Policy Remote IP addresses must be static and correspond to the remote IPSec router's

Remote Address For a single IP address, enter a (static) IP address on the network behind the

Remote Address
End /Mask

Authentication
Method

My IP Address Enter the NBG-460N's static WAN IP address (if it has one) or leave the field set

Local ID Type Select IP to identify this NBG-460N by its IP address.

Local Content When you select IP in the Local ID Type field, type the IP address of your

configured local IP addresses. The remote fields do not apply when the Secure
Gateway IP Address field is configured to 0.0.0.0. In this case only the remote
IPSec router can initiate the VPN.

Two active SAs cannot have the local and remote IP address(es) both the same.
Two active SAs can have the same local or remote IP address, but not both. You
can configure multiple SAs between the same local and remote IP addresses, as
long as only one is active at any time.

remote IPSec router.
For a specific range of IP addresses, enter the beginning (static) IP address, in a

range of computers on the network behind the remote IPSec router.
To specify IP addresses on a network by their subnet mask, enter a (static) IP

address on the network behind the remote IPSec router.
When the remote IP address is a single address, type it a second time here.

When the remote IP address is a range, enter the end (static) IP address, in a
range of computers on the network behind the remote IPSec router.

When the remote IP address is a subnet address, enter a subnet mask on the
network behind the remote IPSec router.

to 0.0.0.0.
The NBG-460N uses its current WAN IP address (static or dynamic) in setting up

the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes
down, the NBG-460N uses the dial backup IP address for the VPN tunnel when
using dial backup or the LAN IP address when using traffic re dire ct.

Otherwise, you can enter one of the dynamic domain names that you have
configured (in the DDNS screen) to have the NBG-460N use that dynamic
domain name's IP address.

The VPN tunnel has to be rebuilt if My IP Address changes after setup.

Select Domain Name to identify this NBG-460N by a domain name.
Select E-mail to identify this NBG-460N by an e-mail address.

computer in the Local Content field. The NBG-460N automatically uses the IP
address in the My IP Address field (refer to the My IP Address field description)
if you configure the Local Content field to 0.0.0.0 or leave it blank.

It is recommended that you type an IP address other than 0.0.0.0 in the Local
Content field or use the Domain Name or E-mail ID type in the following
situations.

• When there is a NAT router between the two IPSec routers.

• When you want the remote IPSec router to be able to distinguish between
VPN connection requests that come in from IPSec routers with dynamic WAN
IP addresses.

When you select Domain Name or E-mail in the Local ID Type field, type a
domain name or e-mail address by which to identify this NBG-460N in the Local
Content field. Use up to 31 ASCII characters including spaces, although tra iling
spaces are truncated. The domain name or e-mail address is for identification
purposes only and can be any string.

NBG-460N User’s Guide

171

Chapter 15 IPSec VPN

Table 63 SECURITY > VPN > Rule Setup: IKE (Basic) (continued)

LABEL DESCRIPTION

Secure Gateway
Address

Type the WAN IP address or the domain name (up to 31 characters) of the IPSec
router with which you're making the VPN connection. Set this field to 0.0.0.0 if the
remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode
field must be set to IKE).

In order to have more than one active rule with the Secure Gateway Address
field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between
rules.

If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field
and the LAN’s full IP address range as the local IP address, then you cannot
configure any other active rules with the Secure Gateway Address field set to

0.0.0.0.

Note: You can also enter a remote secure gateway’s domain

name in the Secure Gateway Address field if the remote
secure gateway has a dynamic WAN IP address and is
using DDNS. The NBG-460N has to rebuild the VPN tunnel
each time the remote secure gateway’s WAN IP address
changes (there may be a delay until the DDNS servers are
updated with the remote gateway’s new WAN IP address).

Peer ID Type Select IP to identify the remote IPSec router by its IP address.

Select Domain Name to identify the remote IPSec router by a domain name.
Select E-mail to identify the remote IPSec router by an e-mail address.

Peer Content The configuration of the peer content depends on the peer ID type.

For IP, type the IP address of the computer with which you will make the VPN
connection. If you configure this field to 0.0.0.0 or leave it blank, the NBG-46 0N
will use the address in the Secure Gateway Address field (refer to the Secure
Gateway Address field description).

For Domain Name or E-mail, type a domain name or e-mail address by which to
identify the remote IPSec router. Use up to 31 ASCII characters including spaces,
although trailing spaces are truncated. The domain name or e-mail address is for
identification purposes only and can be any string.

It is recommended that you type an IP address other than 0.0.0.0 or use the
Domain Name or E-mail ID type in the following situations:

• When there is a NAT router between the two IPSec routers.

• When you want the NBG-460N to distinguish between VPN connection
requests that come in from remote IPSec routers with dynamic WAN IP
addresses.

IPSec Algorithm
Encapsulation

Mode
IPSec Protocol Select the security protocols used for an SA.

Select Tunnel mode or Transport mode from the drop-down list box.

Both AH and ESP increase processing requ irements and communications
latency (delay).

If you select ESP here, you must select options from the Encryption Algorithm
and Authentication Algorithm fields (described below).

172

NBG-460N User’s Guide

Table 63 SECURITY > VPN > Rule Setup: IKE (Basic) (continued)

LABEL DESCRIPTION

Chapter 15 IPSec VPN

Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a

Encryption
Algorithm

Authentication
Algorithm

Advanced... Click Advanced... to configure more detailed settings of your IKE key

Apply Click Apply to save your changes back to the NBG-460N.
Reset Click Reset to begin configuring this screen afresh.
Cancel Click Cancel to exit the screen without makin g any changes.

communicating party during a phase 1 IKE negotiation. It is called "pre-shared"
because you have to share it with another party before you can communicate
with them over a secure connection.

Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal
("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x” (zero
x), which is not counted as part of the 16 to 62 character range for the key. For
example, in "0x0123456789ABCDEF", “0x” denotes that the key is hexadecimal
and “0123456789ABCDEF” is the key itself.

Both ends of the VPN tunnel must use the same pre-shared key. You will receive
a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key
is not used on both ends.

Select which key size and encryption algorithm to use for data communications.
Choices are:

DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm

The NBG-460N and the remote IPSec router must use the same algorithms and
key , which can be used to encrypt and decrypt the message or to generate and
verify a message authentication code. Longer keys require more processing
power, resulting in increased latency and decreased throughput.

Select which hash algorithm to use to authenticate packet data. Choices are
SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also
slower.

management.

15.2.2 VPN Rule Setup (Advanced)

Click the Advanced... button in the Rule Setup screen to open this screen.
Use this screen to configure a VPN rule.

NBG-460N User’s Guide

173

Chapter 15 IPSec VPN

Figure 107 Security > VPN > General > Rule Setup: IKE (Advanced)

174

NBG-460N User’s Guide

Chapter 15 IPSec VPN

The following table describes the labels in this screen.

Table 64 Security > VPN > Rule Setup: IKE (Advanced)

LABEL DESCRIPTION

Property
Active Select this check box to activate this VPN policy.
Keep Alive Select this check box to have the NBG-460N automatically reinitiate the SA

NAT Traversal Select this check box to enable NAT traversal. NAT traversal allows you to set

after the SA lifetime times out, even if there is no traffic. The remote IPSec
router must also have keep alive enabled in order for this feature to work.

up a VPN connection when there are NAT routers between the two IPSec
routers.

Note: The remote IPSec router must also have NAT traversal

enabled.

You can use NAT traversal with ESP protocol using Transport or Tunnel
mode, but not with AH protocol nor with manual key management. In order for
an IPSec router behind a NAT router to receive an initiating IPSec packet, set
the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind
the NAT router.

IPSec Keying Mode Select IKE or Manual from the drop-down list box. IKE provides more

Protocol Number Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any

Enable Replay
Detection

DNS Server (for
IPSec VPN)

Local Policy Local IP addresses must be static and correspond to the remote IPSec router's

Local Address For a single IP address, enter a (static) IP address on the LAN behind your

protection so it is generally recommended. Manual is a useful option for
troubleshooting if you have problems using IKE key management.

protocol.
As a VPN setup is processing intensive, the system is vulnerable to Denial of

Service (DoS) attacks The IPSec receiver can detect and reject old or duplicate
packets to protect against replay attacks. Select Yes from the drop-down menu
to enable replay detection, or select No to disable it.

If there is a private DNS server that services the VPN, type its IP address here.
The NBG-460N assigns this additional DNS server to the NBG-460N's DHCP
clients that have IP addresses in this IPSec rule's range of local addresses.

A DNS server allows clients on the VPN to find other computers and servers on
the VPN by their (private) domain names.

configured remote IP addresses.
Two active SAs can have the same configured local or remote IP address, but

not both. You can configure multiple SAs between the same local and remote IP
addresses, as long as only one is active at any time.

In order to have more than one active rule with the Secure Gateway Address
field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between
rules.

If you configure an active rule with 0.0.0.0 in the Secure Gateway Address
field and the LAN’s full IP address range as the local IP address, then you
cannot configure any other active rules with the Secure Gateway Address field
set to 0.0.0.0.

NBG-460N.
For a specific range of IP addresses, enter the beginning (static) IP address, in

a range of computers on your LAN behind your NBG-460N.
To specify IP addresses on a network by their subnet mask, enter a (static) IP

address on the LAN behind your NBG-460N.

NBG-460N User’s Guide

175

Chapter 15 IPSec VPN

Table 64 Security > VPN > Rule Setup: IKE (Advanced) (continued)

LABEL DESCRIPTION

Local Address End /
Mask

Local Port Start 0 is the default and signifies any port. Type a port number from 0 to 65535.

Local Port End Enter a port number in this field to define a port range. This port number must

Remote Policy Remote IP addresses must be static and correspond to the remote IPSec

Remote Address For a single IP address, enter a (static) IP address on the network behind the

Remote Address
End /Mask

Remote Port Start 0 is the default and signifies any port. Type a port number from 0 to 65535.

Remote Port End Enter a port numb er in this field to define a port range. This port number must

Authentication
Method

My IP Address Enter the NBG-460N's static WAN IP address (if it has one) or leave the field

Local ID Type Select IP to identify this NBG-460N by its IP address.

When the local IP address is a single address, type it a second time here.
When the local IP address is a range, enter the end (static) IP address, in a

range of computers on the LAN behind your NBG-460N.
When the local IP address is a subnet address, enter a subnet mask on the

LAN behind your NBG-460N.

Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80,
HTTP; 25, SMTP; 110, POP3.

be greater than that specified in the previous field. If Local Port Start is left at
0, Local Port End will also remain at 0.

router's configured local IP addresses. The remote fields do not apply when the
Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the
remote IPSec router can initiate the VPN.

Two active SAs cannot have the local and remote IP address(es) both the
same. Two active SAs can have the same local or remote IP address, but not
both. You can configure multiple SAs between the same local and remote IP
addresses, as long as only one is active at any time.

remote IPSec router.
For a specific range of IP addresses, enter the beginning (static) IP address, in

a range of computers on the network behind the remote IPSec router.
To specify IP addresses on a network by their subnet mask, enter a (static) IP

address on the network behind the remote IPSec router.
When the remote IP address is a single address, type it a second time here.

When the remote IP address is a range, enter the end (static) IP address, in a
range of computers on the network behind the remote IPSec router.

When the remote IP address is a subnet address, enter a subnet mask on the
network behind the remote IPSec router.

Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80,
HTTP; 25, SMTP; 110, POP3.

be greater than that specified in the previous field. If Remote Port Start is left at
0, Remote Port End will also remain at 0.

set to 0.0.0.0.
The NBG-460N uses its current WAN IP address (static or dynamic) in setting

up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes
down, the NBG-460N uses the dial backup IP address for the VPN tunnel when
using dial backup or the LAN IP address when using traffic redirect.

Otherwise, you can enter one of the dynamic domain names that you have
configured (in the DDNS screen) to have the NBG-460N use that dynamic
domain name's IP address.

The VPN tunnel has to be rebuilt if My IP Address changes after setup.

Select Domain Name to identify this NBG-460N by a domain name.
Select E-mail to identify this NBG-460N by an e-mail address.

176

NBG-460N User’s Guide

Chapter 15 IPSec VPN

Table 64 Security > VPN > Rule Setup: IKE (Advanced) (continued)

LABEL DESCRIPTION

Local Content When you select IP in the Local ID Type field, type the IP address of your

Secure Gateway
Address

computer in the Local Content field. The NBG-460N automatically uses the IP
address in the My IP Address field (refer to the My IP Address field
description) if you configure the Local Content field to 0.0.0.0 or leave it blank.

It is recommended that you type an IP address other than 0.0.0.0 in the Local
Content field or use the Domain Name or E-mail ID type in the following
situations.

• When there is a NAT router between the two IPSec routers.

• When you want the remote IPSec router to be able to distinguish between
VPN connection requests that come in from IPSec routers with dynamic
WAN IP addresses.

When you select Domain Name or E-mail in the Local ID Type field, type a
domain name or e-mail address by which to identify this NBG-460N in the Local
Content field. Use up to 31 ASCII characters including spaces, although trailing
spaces are truncated. The domain name or e-mail address is for identification
purposes only and can be any string.

Type the WAN IP address or the domain name (up to 31 characters) of the
IPSec router with which you're making the VPN connection. Set this field to

0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the IPSec

Keying Mode field must be set to IKE).

In order to have more than one active rule with the Secure Gateway Address
field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between
rules.

If you configure an active rule with 0.0.0.0 in the Secure Gateway Address
field and the LAN’s full IP address range as the local IP address, then you
cannot configure any other active rules with the Secure Gateway Address field
set to 0.0.0.0.

Note: You can also enter a remote secure gateway’s domain

name in the Secure Gateway Address field if the remote
secure gateway has a dynamic WAN IP address and is
using DDNS. The NBG-460N has to rebuild the VPN
tunnel each time the remote secure gateway’s WAN IP
address changes (there may be a delay until the DDNS
servers are updated with the remote gateway’s new WAN
IP address).

Peer ID Type Select IP to identify the remote IPSec router by its IP address.

Select Domain Name to identify the remote IPSec router by a domain name.
Select E-mail to identify the remote IPSec router by an e-mail address.

NBG-460N User’s Guide

177

Chapter 15 IPSec VPN

Table 64 Security > VPN > Rule Setup: IKE (Advanced) (continued)

LABEL DESCRIPTION

Peer Content The configuration of the peer content depends on the peer ID type.

IKE Phase 1
Negotiation Mode Select Main or Aggressive from the drop-down list box. Multiple SAs

Encryption Algorithm Select which key size and encryption algorithm to use in the IKE SA. Choices

Authentication
Algorithm

SA Life Time
(Seconds)

Key Group Select which Diffie-Hellman key group (DHx) you want to use for encryption

Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a

IKE Phase 2
Encapsulation Mode Select Tunnel mode or Transport mode.

For IP, type the IP address of the computer with which you will make the VPN
connection. If you configure this field to 0.0.0.0 or leave it blank, the NBG-460N
will use the address in the Secure Gateway Address field (refer to the Secure
Gateway Address field description).

For Domain Name or E-mail, type a domain name or e-mail address by which
to identify the remote IPSec router. Use up to 31 ASCII characters including
spaces, although trailing spaces are truncated. The domain name or e-mail
address is for identification purposes only and can be any string.

It is recommended that you type an IP address other than 0.0.0.0 or use the
Domain Name or E-mail ID type in the following situations:

• When there is a NAT router between the two IPSec routers.

• When you want the NBG-460N to distinguish between VPN connection
requests that come in from remote IPSec routers with dynamic WAN IP
addresses.

connecting through a secure gateway must have the same negotiation mode.

are:

DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm

The NBG-460N and the remote IPSec router must use the same algorithms and
keys. Longer keys require more processing power, resulting in increased
latency and decreased throughput.

Select which hash algorithm to use to authenticate packet data in the IKE SA.
Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5,
but it is also slower.

Define the length of time before an IKE SA automatically renegotiates in this
field. It may range from 180 to 3,000,000 seconds (almost 35 days).

A short SA Life Time increases security by forcing the two VPN gateways to
update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.

keys. Choices are:

DH1 - use a 768-bit random number
DH2 - use a 1024-bit random number

communicating party during a phase 1 IKE negotiation. It is called "pre-shared"
because you have to share it with another party before you can communicate
with them over a secure connection.

Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62
hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key
with a "0x” (zero x), which is not counted as part of the 16 to 62 character range
for the key. For example, in "0x0123456789ABCDEF", “0x” denotes that the key
is hexadecimal and “0123456789ABCDEF” is the key itself.

Both ends of the VPN tunnel must use the same pre-shared key. You will
receive a “PYLD_MALFORMED” (payload malformed) packet if the same pre­shared key is not used on both ends.

178

NBG-460N User’s Guide

Chapter 15 IPSec VPN

Table 64 Security > VPN > Rule Setup: IKE (Advanced) (continued)

LABEL DESCRIPTION

IPSec Protocol Select the security protocols used for an SA.

Both AH and ESP increase processing requirements and communications
latency (delay).

If you select ESP here, you must select options from the Encryption Algorithm
and Authentication Algorithm fields (described below).

Encryption Algorithm Select which key size and encryption algorithm to use in the IKE SA. Choices

Authentication
Algorithm

SA Life Time Define the length of time before an IPSec SA automatically renegotiates in this

Perfect Forward
Secrecy (PFS)

Basic... Click Basic... to go to the previous VPN configuration screen.
Apply Click Apply to save the changes.
Reset Click Reset to begin configuring this screen afresh.
Cancel Click Cancel to exit the screen without making any changes.

are:

DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm

The NBG-460N and the remote IPSec router must use the same algorithms and
keys. Longer keys require more processing power, resulting in increased
latency and decreased throughput.

Select which hash algorithm to use to authenticate packet data in the IPSec SA.
Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5,
but it is also slower.

field. The minimum value is 180 seconds.
A short SA Life Time increases security by forcing the two VPN gateways to

update the encryption and authentication keys. However, every time the VPN
tunnel renegotiates, all users accessing remote resources are temporarily
disconnected.

Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if
you do, which Diffie-Hellman key group to use for encryption. Choices are:

None - disable PFS
DH1 - enable PFS and use a 768-bit random number
DH2 - enable PFS and use a 1024-bit random number

PFS changes the root key that is used to generate encryption keys for each
IPSec SA. It is more secure but takes more time.

15.2.3 VPN Rule Setup (Manual)

Use this screen to configure VPN rules (tunnels) that use manual keys. Manual key
management is useful if you have problems with IKE key management.

Select Manual in the IPSec Keying Mode field on the Rule Setup screen to open the screen
as shown in Figure 108 on page 181.

15.2.3.1 IPSec SA Using Manual Keys

You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel
quickly, for example, for troubleshooting. You should only do this as a temporary solution,
however, because it is not as secure as a regular IPSec SA.

NBG-460N User’s Guide

179

Chapter 15 IPSec VPN

In IPSec SAs using manual keys, the NBG-460N and remote IPSec router do not establish an
IKE SA. They only establish an IPSec SA. As a result, an IPSec SA using manual keys has
some characteristics of IKE SA and some characteristics of IPSec SA. There are also some
differences between IPSec SA using manual keys and other types of SA.

15.2.3.2 IPSec SA Proposal Using Manual Keys

In IPSec SA using manual keys, you can only specify one encryption algorithm and one
authentication algorithm. There is no DH key exchange, so you have to provide the encryption
key and the authentication key the NBG-460N and remote IPSec router use.

Note: The NBG-460N and remote IPSec router must use the same encryption key

and authentication key.

15.2.3.3 Authentication and the Security Parameter Index (SPI)

For authentication, the NBG-460N and remote IPSec router use the SPI, instead of pre-shared
keys, ID type and content. The SPI is an identification number.

Note: The NBG-460N and remote IPSec router must use the same SPI.

180

NBG-460N User’s Guide