PART III
Security
Firewall (153)
Content Filtering (161)
IPSec VPN (165)
CHAPTER 13
Firewall
This chapter gives some background information on firewalls and explains how to get started with the NBG-460N’s firewall.
13.1 Introduction to ZyXEL’s Firewall
13.1.1 What is a Firewall?
Originally, the term “firewall” referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from a network that is not trusted. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself.
13.1.2 Stateful Inspection Firewall
Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.
13.1.3 About the NBG-460N Firewall
The NBG-460N firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (click the General tab under Firewall and then click the Enable Firewall check box). The NBG-460N's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The NBG-460N can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.
153
NBG-460N User’s Guide
Chapter 13 Firewall
The NBG-460N is installed between the LAN and a broadband modem connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
The NBG-460N has one Ethernet WAN port and four Ethernet LAN ports, which are used to physically separate the network into two areas. The WAN (Wide Area Network) port attaches to the broadband (cable or DSL) modem that connects to the Internet.
The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, "inbound access" is not allowed (by default) unless the remote host is authorized to use a specific service.
13.1.4 Guidelines For Enhancing Security With Your Firewall
1. Change the default password via web configurator.
2. Think about access control before you connect to the network in any way, including attaching a modem to the port.
3. Limit who can access your router.
4. Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
5. For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
6. Protect against IP spoofing by making sure the firewall is active.
7. Keep the firewall in a secured (locked) room.
13.2 Triangle Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the NBG-460N’s LAN IP address, return traffic may not go through the NBG-460N. This is called an asymmetrical or “triangle” route. This causes the NBG-460N to reset the connection, as the connection has not been acknowledged.
You can have the NBG-460N permit the use of asymmetrical route topology on the network (not reset the connection).
Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the NBG-460N. A better solution is to use IP alias to put the NBG-460N and the backup gateway on separate subnets.
13.2.1 Triangle Routes and IP Alias
You can use IP alias instead of allowing triangle routes. IP alias allows you to partition your network into logical sections over the same interface.
By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the NBG-460N to your LAN. The following steps describe such a scenario.
1. A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2. The NBG-460N reroutes the packet to Gateway A, which is in Subnet 2.
3. The reply from the WAN goes to the NBG-460N.
4. The NBG-460N then sends it to the computer on the LAN in Subnet 1.
Figure 96 Using IP Alias to Solve the Triangle Route Problem
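The following is an added example, not ZyXEL firmware or code from this guide. It is a simplified model of the stateful-inspection behaviour described in Section 13.1.3 (inbound access is not allowed unless a LAN host initiated the session) and of the triangle route problem in Section 13.2 (the SYN passes through the device, the reply returns through Gateway A, so the device never sees the connection acknowledged and resets it, unless Bypass Triangle Route is set). All addresses, ports and packets are constructed; the real device also performs NAT and ICMP redirects, which are left out here.

```python
"""Toy model of stateful inspection and the triangle route (added example, not ZyXEL code).
Every address, port and packet below is constructed for illustration."""
from dataclasses import dataclass, field

LAN_PC = "192.168.1.33"     # constructed LAN host
SERVER = "203.0.113.10"     # constructed WAN server
WAN_HOST = "198.51.100.7"   # constructed unsolicited WAN sender


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: "S" SYN, "A" ACK, "P" PSH, "F" FIN
    direction: str   # "LAN->WAN" or "WAN->LAN"


@dataclass
class StatefulFirewall:
    """Tracks TCP sessions opened from the LAN; everything else is unsolicited."""
    bypass_triangle_route: bool = False
    sessions: dict = field(default_factory=dict)   # flow key -> "SYN_SENT" | "ESTABLISHED"

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Order the two endpoints so both directions of a flow map to one key.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        state = self.sessions.get(key)
        if p.direction == "LAN->WAN":
            if "S" in p.flags and "A" not in p.flags:
                self.sessions[key] = "SYN_SENT"        # outbound SYN opens a half-open session
                return "FORWARD"
            if state == "ESTABLISHED":
                return "FORWARD"
            if state == "SYN_SENT":
                # The LAN host continues a connection whose SYN-ACK this device never saw:
                # the reply came back through another gateway on the same subnet (triangle
                # route). Default behaviour is to reset it; Bypass Triangle Route accepts it.
                if self.bypass_triangle_route:
                    self.sessions[key] = "ESTABLISHED"
                    return "FORWARD"
                del self.sessions[key]
                return "RESET"
            return "DROP"
        # WAN->LAN
        if state == "SYN_SENT" and "S" in p.flags and "A" in p.flags:
            self.sessions[key] = "ESTABLISHED"         # handshake seen end to end
            return "FORWARD"
        if state == "ESTABLISHED":
            return "FORWARD"
        return "DROP"   # no LAN-initiated session: inbound access is not allowed by default


def normal_session(fw: StatefulFirewall) -> list:
    """Full three-way handshake passing through the firewall."""
    return [fw.handle(p) for p in (
        Packet(LAN_PC, 40000, SERVER, 80, "S", "LAN->WAN"),
        Packet(SERVER, 80, LAN_PC, 40000, "SA", "WAN->LAN"),
        Packet(LAN_PC, 40000, SERVER, 80, "A", "LAN->WAN"),
    )]


def triangle_route(fw: StatefulFirewall) -> list:
    """The SYN passes the firewall, the SYN-ACK returns via Gateway A unseen,
    so the next LAN packet on the flow arrives on a half-open session."""
    return [fw.handle(p) for p in (
        Packet(LAN_PC, 40001, SERVER, 80, "S", "LAN->WAN"),
        Packet(LAN_PC, 40001, SERVER, 80, "A", "LAN->WAN"),
    )]


def unsolicited_inbound(fw: StatefulFirewall) -> str:
    """A WAN host tries to open a connection to a LAN computer."""
    return fw.handle(Packet(WAN_HOST, 51000, LAN_PC, 445, "S", "WAN->LAN"))


if __name__ == "__main__":
    print("normal:", normal_session(StatefulFirewall()))
    print("triangle, default:", triangle_route(StatefulFirewall()))
    print("triangle, bypass:", triangle_route(StatefulFirewall(bypass_triangle_route=True)))
    print("unsolicited inbound:", unsolicited_inbound(StatefulFirewall()))
```

The model shows why the guide prefers IP alias over Bypass Triangle Route: with the bypass on, a flow is accepted without the device ever having seen the remote side answer, so the reply path is no longer under its inspection.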
13.3 General Firewall Screen
Click Security > Firewall to open the General screen. Use this screen to enable or disable the NBG-460N’s firewall, and set up firewall logs.
Figure 97 Security > Firewall > General
The following table describes the labels in this screen.
Table 57 Security > Firewall > General
LABEL | DESCRIPTION
Enable Firewall | Select this check box to activate the firewall. The NBG-460N performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Packet Direction | This is the direction of travel of packets. Firewall rules are grouped based on the direction of travel of packets to which they apply.
Log | Select whether to create a log for packets that are traveling in the selected direction when the packets are blocked (Log All) or forwarded (Log Forward). Or select Not Log to not log any records. To log packets related to firewall rules, make sure that Access Control under Log is selected in the Logs > Log Settings screen.
Apply | Click Apply to save the settings.
Reset | Click Reset to start configuring this screen again.
13.4 Services Screen
Click Security > Firewall > Services. The screen appears as shown next.
If an outside user attempts to probe an unsupported port on your NBG-460N, an ICMP response packet is automatically returned. This allows the outside user to know the NBG-460N exists. Use this screen to prevent the ICMP response packet from being sent. This keeps outsiders from discovering your NBG-460N when unsupported ports are probed.
You can also use this screen to enable service blocking, enter/delete/modify the services you want to block and the date/time you want to block them.
Figure 98 Security > Firewall > Services
The following table describes the labels in this screen.
Table 58 Security > Firewall > Services
LABEL | DESCRIPTION
ICMP | Internet Control Message Protocol is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user.
Respond to Ping on | The NBG-460N will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to all incoming LAN and WAN Ping requests.
Do not respond to requests for unauthorized services | Select this option to prevent hackers from finding the NBG-460N by probing for unused ports. If you select this option, the NBG-460N will not respond to port request(s) for unused ports, thus leaving the unused ports and the NBG-460N unseen. By default this option is not selected and the NBG-460N will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset packet for a port probe on its unused TCP ports. Note that the probing packets must first traverse the NBG-460N's firewall mechanism before reaching this anti-probing mechanism. Therefore if the firewall mechanism blocks a probing packet, the NBG-460N reacts based on the firewall policy, which by default, is to send a TCP reset packet for a blocked TCP packet. You can use the command "sys firewall tcprst rst [on|off]" to change this policy. When the firewall mechanism blocks a UDP packet, it drops the packet without sending a response packet.
Firewall Rule
# | This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Use the Move button to rearrange the order of the rules.
Active | This icon is green when the rule is turned on. The icon is grey when the rule is turned off.
Service Name | This field displays the services and port numbers to which this firewall rule applies.
IP | This field displays the IP address(es) the rule applies to.
Schedule | This field displays the days the firewall rule is active.
Log | This field shows you whether a log will be created when packets match the rule (Match) or not (No).
Modify | Click the Edit icon to modify an existing rule setting in the fields under the Add Firewall Rule screen. Click the Remove icon to delete a rule. Note that subsequent firewall rules move up by one when you take this action.
Add | Click the Add button to display the screen where you can configure a new firewall rule. Modify the number in the textbox to add the rule before a specific rule number.
Move | The Move button moves a rule to a different position. In the first text box enter the number of the rule you wish to move. In the second text box enter the number of the rule you wish to move the first rule to and click the Move button.
Misc setting
Bypass Triangle Route | Select this check box to have the NBG-460N firewall ignore the use of triangle route topology on the network.
Max NAT/Firewall Session Per User | Type a number ranging from 1 to 2048 to limit the number of NAT/firewall sessions that a host can create.
Apply | Click Apply to save the settings.
Reset | Click Reset to start configuring this screen again.
13.4.1 The Add Firewall Rule Screen
If you click Add or the Modify icon on an existing rule, the Add Firewall Rule screen is displayed. Use this screen to add a firewall rule or to modify an existing one.
Figure 99 Security > Firewall > Services > Adding a Rule
The following table describes the labels in this screen.
Table 59 Security > Firewall > Services > Adding a Rule
LABEL | DESCRIPTION
Active | Select this check box to turn the rule on.
Address Type | Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50), a pool of IP addresses or any IP address? Select an option from the drop-down list box that includes: Any IP, Single IP, IP Range and IP Pool.
IP Address | Enter the single IP address here. This field is only available when Single IP is selected as the Address Type.
Start IP Address | Enter the starting IP address in a range here. This field is only available when IP Range is selected as the Address Type.
End IP Address | Enter the ending IP address in a range here. This field is only available when IP Range is selected as the Address Type.
IP Pool List | Add an IP address from the IP Pool List to the Selected IP List by highlighting an IP address and clicking Add. To delete an IP address from the Selected IP List highlight an IP address and click the Remove button. These fields are only available when IP Pool is selected as the Address Type. The IP Pool list gathers its IPs from entries in the ARP table. The ARP table contains the IP addresses and MAC addresses of the devices that have sent traffic to the NBG-460N.
Service Setup
Available Services | This is a list of pre-defined services (ports) you may prohibit your LAN computers from using. Select the port you want to block using the drop-down list and click Add to add the port to the Blocked Services field.
Blocked Services | This is a list of services (ports) that will be inaccessible to computers on your LAN once you enable service blocking.
Custom Port | A custom port is a service that is not available in the pre-defined Available Services list and that you must define using the next two fields.
Type | Choose the IP port (TCP or UDP) that defines your customized port from the drop-down list box.
Port Number | Enter the port number range that defines the service. For example, if you want to define the Gnutella service, then select TCP type and enter a port range from 6345 to 6349.
Add | Select a service from the Available Services drop-down list and then click Add to add the service to the Blocked Services list.
Delete | Select a service from the Blocked Services list and then click Delete to remove this service from the list.
Clear All | Click Clear All to empty the Blocked Services list.
Schedule to Block
Day to Block | Select a check box to configure which days of the week (or everyday) you want service blocking to be active.
Time of Day to Block (24-Hour Format) | Select the time of day you want service blocking to take effect. Configure blocking to take effect all day by selecting All Day. You can also configure specific times by selecting From and entering the start time in the Start (hour) and Start (min) fields and the end time in the End (hour) and End (min) fields. Enter times in 24-hour format, for example, "3:00pm" should be entered as "15:00".
Log
Active (Log packets match this rule) | Select this to log packets that match this rule. Go to the Log Settings page and select the Access Control logs category to have the NBG-460N record these logs.
Misc setting
Bypass Triangle Route | Select this check box to have the NBG-460N firewall ignore the use of triangle route topology on the network.
Max NAT/Firewall Session Per User | Type a number ranging from 1 to 2048 to limit the number of NAT/firewall sessions that a host can create.
Apply | Click Apply to save the settings.
Reset | Click Reset to start configuring this screen again.
Cancel | Click Cancel to return to the Services screen without saving any changes.
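The following is an added example, not ZyXEL code, showing the rule-evaluation logic that Tables 58 and 59 describe: rules are tried in order and the first active match blocks the packet; each rule carries an Address Type (Any IP, Single IP, IP Range or IP Pool), a set of blocked services as TCP/UDP port ranges, and a Day to Block / Time of Day to Block schedule in 24-hour format. It also encodes the two responses a denied packet or a probe of an unused port receives (TCP reset or ICMP Port Unreachable versus a silent drop, depending on the tcprst policy and the "Do not respond" option). The rule names, the 192.168.1.x address range, the schedule and the timestamps are constructed; only the Gnutella ports 6345 to 6349 come from the table above.

```python
"""Ordered firewall rule evaluation with schedules (added example, not ZyXEL code).
All rule data, addresses and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address


@dataclass(frozen=True)
class Service:
    proto: str        # "TCP" or "UDP"
    first_port: int
    last_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    services: tuple                        # Blocked Services for this rule
    active: bool = True
    address_type: str = "Any IP"           # Any IP | Single IP | IP Range | IP Pool
    ip: str = ""                           # Single IP
    start_ip: str = ""                     # IP Range
    end_ip: str = ""
    pool: tuple = ()                       # IP Pool (the Selected IP List)
    days: frozenset = frozenset(range(7))  # Day to Block; 0 = Monday ... 6 = Sunday
    all_day: bool = True
    start: str = "00:00"                   # Time of Day to Block, "HH:MM" 24-hour
    end: str = "23:59"
    log: bool = False

    def matches_address(self, src: str) -> bool:
        if self.address_type == "Any IP":
            return True
        if self.address_type == "Single IP":
            return src == self.ip
        if self.address_type == "IP Range":
            return ip_address(self.start_ip) <= ip_address(src) <= ip_address(self.end_ip)
        if self.address_type == "IP Pool":
            return src in self.pool
        raise ValueError(f"unknown Address Type {self.address_type!r}")

    def matches_service(self, proto: str, port: int) -> bool:
        return any(s.proto == proto and s.first_port <= port <= s.last_port
                   for s in self.services)

    def in_schedule(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        # Zero-padded "HH:MM" strings compare correctly as text.
        return self.all_day or self.start <= when.strftime("%H:%M") <= self.end


def evaluate(rules, src: str, proto: str, dport: int, when: datetime) -> tuple:
    """Apply rules in order; the first active match blocks the packet.
    Returns (verdict, matching rule name or None, whether to log)."""
    for rule in rules:
        if (rule.active and rule.matches_address(src)
                and rule.matches_service(proto, dport) and rule.in_schedule(when)):
            return ("BLOCK", rule.name, rule.log)
    return ("FORWARD", None, False)


def response_to_blocked(proto: str, tcprst_on: bool = True) -> str:
    """Packet denied by a rule: TCP gets a reset unless the tcprst policy is off,
    UDP is dropped without a reply (Table 58)."""
    return "TCP_RST" if proto == "TCP" and tcprst_on else "SILENT_DROP"


def response_to_unused_port(proto: str, do_not_respond: bool = False) -> str:
    """Packet that passed the rules but hits a port with no service behind it."""
    if do_not_respond:
        return "SILENT_DROP"
    return "TCP_RST" if proto == "TCP" else "ICMP_PORT_UNREACHABLE"


# Constructed rule set. The Gnutella ports are the Table 59 example; the address
# range and schedule are made up for illustration.
GNUTELLA = Service("TCP", 6345, 6349)
TELNET = Service("TCP", 23, 23)
RULES = (
    Rule("gnutella-office-hours", (GNUTELLA,), address_type="IP Range",
         start_ip="192.168.1.10", end_ip="192.168.1.50",
         days=frozenset(range(5)), all_day=False, start="08:00", end="17:30", log=True),
    Rule("telnet-any", (TELNET,)),
    Rule("disabled-udp", (Service("UDP", 1, 65535),), active=False),
)

if __name__ == "__main__":
    office = datetime(2024, 6, 12, 10, 0)     # a Wednesday morning
    print(evaluate(RULES, "192.168.1.20", "TCP", 6346, office))
    print(evaluate(RULES, "192.168.1.20", "TCP", 6346, datetime(2024, 6, 15, 10, 0)))  # Saturday
    print(evaluate(RULES, "192.168.1.99", "TCP", 23, office))
    print(response_to_blocked("TCP"), response_to_unused_port("UDP"))
```

Because evaluation stops at the first match, the position chosen with the Move button decides which rule's Log setting applies to a packet that several rules would block; a rule that logs should be placed ahead of a broader one that does not.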
CHAPTER 14
Content Filtering
This chapter provides a brief overview of content filtering using the embedded web GUI.
14.1 Introduction to Content Filtering
Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords.
14.2 Restrict Web Features
The NBG-460N can block web features such as ActiveX controls, Java applets and cookies, and can disable the use of web proxies.
14.3 Days and Times
The NBG-460N also allows you to define time periods and days during which the NBG-460N performs content filtering.
14.4 Filter Screen
Click Security > Content Filter to open the Filter screen.
Chapter 14 Content Filtering
Figure 100 Security > Content Filter > Filter
The following table describes the labels in this screen.
Table 60 Security > Content Filter > Filter
LABEL | DESCRIPTION
Trusted Computer IP Address | To enable this feature, type an IP address of any one of the computers in your network that you want to have as a trusted computer. This allows the trusted computer to have full access to all features that are configured to be blocked by content filtering. Leave this field blank to have no trusted computers.
Restrict Web Features | Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
ActiveX | A tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
Java | A programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds.
Cookies | Used by Web servers to track usage and provide service based on ID.
Web Proxy | A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server.
Keyword Blocking
Enable URL Keyword Blocking | The NBG-460N can block Web sites with URLs that contain certain keywords in the domain name or IP address. For example, if the keyword "bad" was enabled, all sites containing this keyword in the domain name or IP address will be blocked, e.g., URL http://www.website.com/bad.html would be blocked. Select this check box to enable this feature.
Keyword | Type a keyword in this field. You may use any character (up to 64 characters). Wildcards are not allowed. You can also enter a numerical IP address.
Keyword List | This list displays the keywords already added.
Add | Click Add after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed. When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.
Delete | Highlight a keyword in the lower box and click Delete to remove it. The keyword disappears from the text box after you click Apply.
Clear All | Click this button to remove all of the listed keywords.
Denied Access Message | Enter a message to be displayed when a user tries to access a restricted web site. The default message is “Please contact your network administrator!!”
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.
14.5 Schedule
Use this screen to set the day(s) and time you want the NBG-460N to use content filtering. Click Security > Content Filter > Schedule. The following screen displays.
Figure 101 Security > Content Filter > Schedule
The following table describes the labels in this screen.
Table 61 Security > Content Filter > Schedule
LABEL | DESCRIPTION
Day to Block | Select check boxes for the days that you want the NBG-460N to perform content filtering. Select the Everyday check box to have content filtering turned on all days of the week.
Time of Day to Block (24-Hour Format) | Time of Day to Block allows the administrator to define during which time periods content filtering is enabled. Time of Day to Block restrictions only apply to the keywords (see above). Restrictions on web server data, such as ActiveX, Java, Cookies and Web Proxy, are not affected. Select All Day to have content filtering always active on the days selected in Day to Block with time of day limitations not enforced. Select From and enter the time period, in 24-hour format, during which content filtering will be enforced.
Apply | Click Apply to save your customized settings and exit this screen.
Reset | Click Reset to begin configuring this screen afresh.
14.6 Customizing Keyword Blocking URL Checking
You can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter.
14.6.1 Domain Name or IP Address URL Checking
By default, the NBG-460N checks the URL’s domain name or IP address when performing keyword blocking.
This means that the NBG-460N checks the characters that come before the first slash in the URL.
For example, with the URL www.zyxel.com.tw/news/pressroom.php, content filtering only searches for keywords within www.zyxel.com.tw.
14.6.2 Full Path URL Checking
Full path URL checking has the NBG-460N check the characters that come before the last slash in the URL.
For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/.
Use the ip urlfilter customize actionFlags 6 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's full path.
14.6.3 File Name URL Checking
Filename URL checking has the NBG-460N check all of the characters in the URL.
For example, filename URL checking searches for keywords within the URL www.zyxel.com.tw/news/pressroom.php.
Use the ip urlfilter customize actionFlags 8 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's complete filename.
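The following is an added example, not ZyXEL code, of the keyword-blocking checks described in Table 60 and in this section: the three URL-checking scopes (domain name or IP address only, which is the default; the full path, enabled with actionFlags 6; and the complete file name, enabled with actionFlags 8), the Trusted Computer IP Address exemption, and the Denied Access Message. The keyword list and client addresses are constructed; the example URL www.zyxel.com.tw/news/pressroom.php and the default message are taken from this chapter. Matching is done case-insensitively here, which is an assumption; the guide does not say how the device compares case.

```python
"""URL keyword blocking with the three checking scopes (added example, not ZyXEL code).
Keywords, client addresses and the case-insensitive comparison are assumptions."""

DEFAULT_DENIED_MESSAGE = "Please contact your network administrator!!"   # the guide's default
MAX_KEYWORDS = 64        # "Up to 64 keywords are allowed"
MAX_KEYWORD_LEN = 64     # "up to 64 characters"

# Scope names used by this example; on the device they correspond to the default
# behaviour, "ip urlfilter customize actionFlags 6 enable" and "... actionFlags 8 enable".
DOMAIN, FULL_PATH, FILE_NAME = "domain", "fullpath", "filename"


def strip_scheme(url: str) -> str:
    """Drop 'http://' or similar so 'http://www.website.com/bad.html' and
    'www.website.com/bad.html' are checked alike."""
    return url.split("://", 1)[1] if "://" in url else url


def checked_portion(url: str, scope: str) -> str:
    """Part of the URL the filter searches for keywords.
    domain:   characters before the first slash (default)
    fullpath: characters before the last slash (actionFlags 6)
    filename: every character in the URL (actionFlags 8)"""
    u = strip_scheme(url)
    if scope == DOMAIN:
        return u.split("/", 1)[0]
    if scope == FULL_PATH:
        return u if "/" not in u else u.rsplit("/", 1)[0] + "/"
    if scope == FILE_NAME:
        return u
    raise ValueError(f"unknown scope {scope!r}")


class KeywordFilter:
    def __init__(self, keywords, scope=DOMAIN, trusted_ip=None,
                 denied_message=DEFAULT_DENIED_MESSAGE):
        if len(keywords) > MAX_KEYWORDS:
            raise ValueError(f"up to {MAX_KEYWORDS} keywords are allowed")
        for k in keywords:
            if not k or len(k) > MAX_KEYWORD_LEN:
                raise ValueError(f"keyword {k!r} must be 1 to {MAX_KEYWORD_LEN} characters")
        # Keywords are matched as literal substrings: there is no wildcard expansion.
        self.keywords = [k.lower() for k in keywords]   # assumption: case-insensitive
        self.scope = scope
        self.trusted_ip = trusted_ip
        self.denied_message = denied_message

    def check(self, client_ip: str, url: str) -> tuple:
        """Return (allowed, matched keyword or None, message shown to the user or None)."""
        if self.trusted_ip and client_ip == self.trusted_ip:
            return (True, None, None)   # the trusted computer bypasses content filtering
        portion = checked_portion(url, self.scope).lower()
        for k in self.keywords:
            if k in portion:
                return (False, k, self.denied_message)
        return (True, None, None)


if __name__ == "__main__":
    url = "www.zyxel.com.tw/news/pressroom.php"   # the guide's example URL
    for scope in (DOMAIN, FULL_PATH, FILE_NAME):
        f = KeywordFilter(["news"], scope=scope)
        print(scope, checked_portion(url, scope), f.check("192.168.1.5", url))
```

Running it shows the effect of each scope on the same URL: the keyword "news" is not found under the default domain-only check, is found once the full path is included, and is also found with file name checking.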
CHAPTER 15
IPSec VPN
15.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.
The following figure provides one perspective of a VPN tunnel.
Figure 102 IPSec VPN: Overview
The VPN tunnel connects the NBG-460N (X) and the remote IPSec router (Y). These routers then connect the local network (A) and remote network (B).
15.1.1 What You Can Do in the IPSec VPN Screens
Use the General Screen (Section 15.2 on page 167) to display and manage the NBG-460N’s VPN rules (tunnels).
Use the SA Monitor Screen (Section 15.3 on page 184) to display and manage active VPN connections.
Chapter 15 IPSec VPN
15.1.2 What You Need To Know About IPSec VPN
A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the NBG-460N and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the NBG-460N and remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the NBG-460N and remote IPSec router can send data between computers on the local network and remote network. The following figure illustrates this.
Figure 103 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X and Y established first.
15.1.3 IKE SA (IKE Phase 1) Overview
The IKE SA provides a secure connection between the NBG-460N and remote IPSec router.
It takes several steps to establish an IKE SA. The negotiation mode determines the number of steps to use. There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
Note: Both routers must use the same negotiation mode.
These modes are discussed in more detail in Negotiation Mode on page 188. Main mode is used in various examples in the rest of this section.
15.1.3.1 IP Addresses of the NBG-460N and Remote IPSec Router
In the NBG-460N, you have to specify the IP addresses of the NBG-460N and the remote IPSec router to establish an IKE SA.
You can usually provide a static IP address or a domain name for the NBG-460N. Sometimes, your NBG-460N might also offer another alternative, such as using the IP address of a port or interface.
You can usually provide a static IP address or a domain name for the remote IPSec router as well. Sometimes, you might not know the IP address of the remote IPSec router (for example, telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router can initiate an IKE SA.
15.1.4 IPSec SA (IKE Phase 2) Overview
Once the NBG-460N and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.
Note: The IPSec SA stays connected even if the underlying IKE SA is not available anymore.
This section introduces the key components of an IPSec SA.
15.1.4.1 Local Network and Remote Network
In an IPSec SA, the local network consists of devices connected to the NBG-460N and may be called the local policy. Similarly, the remote network consists of the devices connected to the remote IPSec router and may be called the remote policy.
Note: It is not recommended to set a VPN rule’s local and remote network settings both to 0.0.0.0 (any). This causes the NBG-460N to try to forward all access attempts (to the local network, the Internet or even the NBG-460N) to the remote IPSec router. In this case, you can no longer manage the NBG-460N.
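The following is an added example, not ZyXEL code. It checks a set of VPN rules against the constraints this chapter places on local and remote policies: the note above (local and remote network must not both be 0.0.0.0), and the Local Policy and Remote Policy rules in the Rule Setup table later in this chapter (two active SAs may share a local or a remote address range but not both; active rules whose Secure Gateway Address is 0.0.0.0 may not have overlapping local ranges). Rule names, LAN ranges and the 203.0.113.x peer gateway addresses are constructed.

```python
"""Consistency checks for a set of IPSec VPN rules (added example, not ZyXEL code).
Sample rules and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0"


@dataclass(frozen=True)
class AddrRange:
    """Inclusive range of IPv4 addresses held as integers."""
    first: int
    last: int

    @classmethod
    def single(cls, ip: str) -> "AddrRange":
        a = int(ip_address(ip))
        return cls(a, a)

    @classmethod
    def span(cls, start: str, end: str) -> "AddrRange":
        return cls(int(ip_address(start)), int(ip_address(end)))

    @classmethod
    def subnet(cls, ip: str, mask: str) -> "AddrRange":
        # strict=False accepts a host address plus mask, as entered in the screen.
        net = ip_network(f"{ip}/{mask}", strict=False)
        return cls(int(net.network_address), int(net.broadcast_address))

    def overlaps(self, other: "AddrRange") -> bool:
        return self.first <= other.last and other.first <= self.last


ANY_RANGE = AddrRange(0, 2**32 - 1)   # what 0.0.0.0 (any) stands for


@dataclass(frozen=True)
class VpnRule:
    name: str
    active: bool
    local: AddrRange
    remote: AddrRange
    gateway: str   # Secure Gateway Address; 0.0.0.0 means only the remote router can initiate


def validate(rules) -> list:
    """Return human-readable problems; an empty list means the rule set is consistent."""
    problems = []
    for r in rules:
        if r.local == ANY_RANGE and r.remote == ANY_RANGE:
            problems.append(f"{r.name}: local and remote network are both 0.0.0.0 (any); "
                            "all traffic, including management access, would be sent into the tunnel")
    active = [r for r in rules if r.active]   # inactive duplicates are allowed
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if a.local == b.local and a.remote == b.remote:
                problems.append(f"{a.name}/{b.name}: two active SAs with identical local and remote addresses")
            elif a.gateway == ANY and b.gateway == ANY and a.local.overlaps(b.local):
                problems.append(f"{a.name}/{b.name}: overlapping local ranges on two active rules "
                                "whose Secure Gateway Address is 0.0.0.0")
    return problems


# Constructed rules. 203.0.113.x are documentation addresses standing in for peer gateways.
SITE_A = VpnRule("site-a", True, AddrRange.subnet("192.168.1.0", "255.255.255.0"),
                 AddrRange.subnet("10.0.0.0", "255.255.255.0"), "203.0.113.1")
SITE_B = VpnRule("site-b", True, AddrRange.subnet("192.168.1.0", "255.255.255.0"),
                 AddrRange.subnet("10.0.1.0", "255.255.255.0"), "203.0.113.2")
SITE_A_SPARE = VpnRule("site-a-spare", False, SITE_A.local, SITE_A.remote, SITE_A.gateway)
SITE_A_DUP = VpnRule("site-a-dup", True, SITE_A.local, SITE_A.remote, SITE_A.gateway)
TELEWORKERS_1 = VpnRule("teleworkers-1", True, AddrRange.span("192.168.1.10", "192.168.1.20"),
                        ANY_RANGE, ANY)
TELEWORKERS_2 = VpnRule("teleworkers-2", True, AddrRange.span("192.168.1.15", "192.168.1.30"),
                        ANY_RANGE, ANY)
CATCH_ALL = VpnRule("catch-all", True, ANY_RANGE, ANY_RANGE, "203.0.113.9")

if __name__ == "__main__":
    print(validate([SITE_A, SITE_B, SITE_A_SPARE]))   # consistent: []
    print(validate([SITE_A, SITE_A_DUP]))
    print(validate([TELEWORKERS_1, TELEWORKERS_2]))
    print(validate([CATCH_ALL]))
```

Site A and site B share the same local range with different remote ranges, which the chapter allows; the inactive spare copy of site A is also allowed, since only one SA between the same addresses may be active at a time. The two teleworker rules are the dynamic-peer case (Secure Gateway Address 0.0.0.0) whose local ranges must not overlap.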
15.2 The General Screen
Click Security > VPN to display the Summary screen. This is a read-only menu of your VPN rules (tunnels). Edit a VPN rule by clicking the Edit icon.
Figure 104 Security > VPN > General
The following table describes the fields in this screen.
Table 62 Security > VPN > General
LABEL | DESCRIPTION
# | This is the VPN policy index number.
Active | This field displays whether the VPN policy is active or not. This icon is turned on when the rule is enabled.
Local Addr. | This displays the beginning and ending (static) IP addresses or a (static) IP address and a subnet mask of computer(s) on your local network behind your NBG-460N.
Remote Addr. | This displays the beginning and ending (static) IP addresses or a (static) IP address and a subnet mask of computer(s) on the remote network behind the remote IPSec router. This field displays 0.0.0.0 when the Secure Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
Encap. | This field displays Tunnel or Transport mode (Tunnel is the default selection).
Algorithm | This field displays the security protocol, encryption algorithm and authentication algorithm used for an SA.
Gateway | This is the static WAN IP address or URL of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the Rule Setup screen to 0.0.0.0.
Modify | Click the Edit icon to go to the screen where you can edit the VPN rule. Click the Remove icon to remove an existing VPN rule.
Windows Networking (NetBIOS over TCP/IP) | NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to find other computers. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.
Allow NetBIOS Traffic Through IPSec Tunnel | Select this check box to send NetBIOS packets through the VPN connection.
Apply | Click Apply to save your changes back to the NBG-460N.
Reset | Click Reset to begin configuring this screen afresh.
15.2.1 VPN Rule Setup (Basic)
Click the Edit icon in the General screen to display the Rule Setup screen.
This figure helps explain the main fields.
Figure 105 IPSec Fields Summary
Use this screen to configure a VPN rule.
Figure 106 Security > VPN > General > Rule Setup: IKE (Basic)
The following table describes the labels in this screen.
Table 63 SECURITY > VPN > Rule Setup: IKE (Basic)
LABEL | DESCRIPTION
Property
Active | Select this check box to activate this VPN policy.
Keep Alive | Select this check box to have the NBG-460N automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.
NAT Traversal | Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. Note: The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind the NAT router.
IPSec Keying Mode | Select IKE or Manual from the drop-down list box. IKE provides more protection so it is generally recommended. Manual is a useful option for troubleshooting if you have problems using IKE key management.
DNS Server (for IPSec VPN) | If there is a private DNS server that services the VPN, type its IP address here. The NBG-460N assigns this additional DNS server to the NBG-460N's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.
Local Policy | Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN’s full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
Local Address | For a single IP address, enter a (static) IP address on the LAN behind your NBG-460N. For a specific range of IP addresses, enter the beginning (static) IP address, in a range of computers on your LAN behind your NBG-460N. To specify IP addresses on a network by their subnet mask, enter a (static) IP address on the LAN behind your NBG-460N.
Local Address End /Mask | When the local IP address is a single address, type it a second time here. When the local IP address is a range, enter the end (static) IP address, in a range of computers on the LAN behind your NBG-460N. When the local IP address is a subnet address, enter a subnet mask on the LAN behind your NBG-460N.
Remote Policy | Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Remote Address | For a single IP address, enter a (static) IP address on the network behind the
|
remote IPSec router. |
|
For a specific range of IP addresses, enter the beginning (static) IP address, in a |
|
range of computers on the network behind the remote IPSec router. |
|
To specify IP addresses on a network by their subnet mask, enter a (static) IP |
|
address on the network behind the remote IPSec router. |
|
|
Remote Address |
When the remote IP address is a single address, type it a second time here. |
End /Mask |
When the remote IP address is a range, enter the end (static) IP address, in a |
|
range of computers on the network behind the remote IPSec router. |
|
When the remote IP address is a subnet address, enter a subnet mask on the |
|
network behind the remote IPSec router. |
|
|
Authentication |
|
Method |
|
|
|
My IP Address |
Enter the NBG-460N's static WAN IP address (if it has one) or leave the field set |
|
to 0.0.0.0. |
|
The NBG-460N uses its current WAN IP address (static or dynamic) in setting up |
|
the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes |
|
down, the NBG-460N uses the dial backup IP address for the VPN tunnel when |
|
using dial backup or the LAN IP address when using traffic redirect. |
|
Otherwise, you can enter one of the dynamic domain names that you have |
|
configured (in the DDNS screen) to have the NBG-460N use that dynamic |
|
domain name's IP address. |
|
The VPN tunnel has to be rebuilt if My IP Address changes after setup. |
|
|
Local ID Type |
Select IP to identify this NBG-460N by its IP address. |
|
Select Domain Name to identify this NBG-460N by a domain name. |
|
Select E-mail to identify this NBG-460N by an e-mail address. |
|
|
Local Content |
When you select IP in the Local ID Type field, type the IP address of your |
|
computer in the Local Content field. The NBG-460N automatically uses the IP |
|
address in the My IP Address field (refer to the My IP Address field description) |
|
if you configure the Local Content field to 0.0.0.0 or leave it blank. |
|
It is recommended that you type an IP address other than 0.0.0.0 in the Local |
|
Content field or use the Domain Name or E-mail ID type in the following |
|
situations. |
|
• When there is a NAT router between the two IPSec routers. |
|
• When you want the remote IPSec router to be able to distinguish between |
|
VPN connection requests that come in from IPSec routers with dynamic WAN |
|
IP addresses. |
|
When you select Domain Name or E-mail in the Local ID Type field, type a |
|
domain name or e-mail address by which to identify this NBG-460N in the Local |
|
Content field. Use up to 31 ASCII characters including spaces, although trailing |
|
spaces are truncated. The domain name or e-mail address is for identification |
|
purposes only and can be any string. |
|
171 |
NBG-460N User’s Guide |
|
|
|
Chapter 15 IPSec VPN
Table 63 SECURITY > VPN > Rule Setup: IKE (Basic) (continued)
LABEL DESCRIPTION
Secure Gateway |
Type the WAN IP address or the domain name (up to 31 characters) of the IPSec |
Address |
router with which you're making the VPN connection. Set this field to 0.0.0.0 if the |
|
remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode |
|
field must be set to IKE). |
|
In order to have more than one active rule with the Secure Gateway Address |
|
field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between |
|
rules. |
|
If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field |
|
and the LAN’s full IP address range as the local IP address, then you cannot |
|
configure any other active rules with the Secure Gateway Address field set to |
|
0.0.0.0. |
|
Note: You can also enter a remote secure gateway’s domain |
|
name in the Secure Gateway Address field if the remote |
|
secure gateway has a dynamic WAN IP address and is |
|
using DDNS. The NBG-460N has to rebuild the VPN tunnel |
|
each time the remote secure gateway’s WAN IP address |
|
changes (there may be a delay until the DDNS servers are |
|
updated with the remote gateway’s new WAN IP address). |
|
|
Peer ID Type |
Select IP to identify the remote IPSec router by its IP address. |
|
Select Domain Name to identify the remote IPSec router by a domain name. |
|
Select E-mail to identify the remote IPSec router by an e-mail address. |
|
|
Peer Content |
The configuration of the peer content depends on the peer ID type. |
|
For IP, type the IP address of the computer with which you will make the VPN |
|
connection. If you configure this field to 0.0.0.0 or leave it blank, the NBG-460N |
|
will use the address in the Secure Gateway Address field (refer to the Secure |
|
Gateway Address field description). |
|
For Domain Name or E-mail, type a domain name or e-mail address by which to |
|
identify the remote IPSec router. Use up to 31 ASCII characters including spaces, |
|
although trailing spaces are truncated. The domain name or e-mail address is for |
|
identification purposes only and can be any string. |
|
It is recommended that you type an IP address other than 0.0.0.0 or use the |
|
Domain Name or E-mail ID type in the following situations: |
|
• When there is a NAT router between the two IPSec routers. |
|
• When you want the NBG-460N to distinguish between VPN connection |
|
requests that come in from remote IPSec routers with dynamic WAN IP |
|
addresses. |
|
|
IPSec Algorithm |
|
|
|
Encapsulation |
Select Tunnel mode or Transport mode from the drop-down list box. |
Mode |
|
|
|
IPSec Protocol |
Select the security protocols used for an SA. |
|
Both AH and ESP increase processing requirements and communications |
|
latency (delay). |
|
If you select ESP here, you must select options from the Encryption Algorithm |
|
and Authentication Algorithm fields (described below). |
172 |
|
|
NBG-460N User’s Guide |
|
|
|
|
|
|
|
Chapter 15 IPSec VPN |
|
|
Table 63 SECURITY > VPN > Rule Setup: IKE (Basic) (continued) |
||
|
LABEL |
DESCRIPTION |
|
|
|
|
|
|
Pre-Shared Key |
Type your pre-shared key in this field. A pre-shared key identifies a |
|
|
|
communicating party during a phase 1 IKE negotiation. It is called "pre-shared" |
|
|
|
because you have to share it with another party before you can communicate |
|
|
|
with them over a secure connection. |
|
|
|
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal |
|
|
|
("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x” (zero |
|
|
|
x), which is not counted as part of the 16 to 62 character range for the key. For |
|
|
|
example, in "0x0123456789ABCDEF", “0x” denotes that the key is hexadecimal |
|
|
|
and “0123456789ABCDEF” is the key itself. |
|
|
|
Both ends of the VPN tunnel must use the same pre-shared key. You will receive |
|
|
|
a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key |
|
|
|
is not used on both ends. |
|
|
|
|
|
|
Encryption |
Select which key size and encryption algorithm to use for data communications. |
|
|
Algorithm |
Choices are: |
|
|
|
DES - a 56-bit key with the DES encryption algorithm |
|
|
|
3DES - a 168-bit key with the DES encryption algorithm |
|
|
|
The NBG-460N and the remote IPSec router must use the same algorithms and |
|
|
|
key , which can be used to encrypt and decrypt the message or to generate and |
|
|
|
verify a message authentication code. Longer keys require more processing |
|
|
|
power, resulting in increased latency and decreased throughput. |
|
|
|
|
|
|
Authentication |
Select which hash algorithm to use to authenticate packet data. Choices are |
|
|
Algorithm |
SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also |
|
|
|
slower. |
|
|
|
|
|
|
Advanced... |
Click Advanced... to configure more detailed settings of your IKE key |
|
|
|
management. |
|
|
|
|
|
|
Apply |
Click Apply to save your changes back to the NBG-460N. |
|
|
|
|
|
|
Reset |
Click Reset to begin configuring this screen afresh. |
|
|
|
|
|
|
Cancel |
Click Cancel to exit the screen without making any changes. |
|
|
|
|
|
15.2.2 VPN Rule Setup (Advanced)
Click the Advanced... button in the Rule Setup screen to open this screen.
Use this screen to configure a VPN rule.
Figure 107 Security > VPN > General > Rule Setup: IKE (Advanced)
The following table describes the labels in this screen.
Table 64 Security > VPN > Rule Setup: IKE (Advanced)

Property

Active
  Select this check box to activate this VPN policy.

Keep Alive
  Select this check box to have the NBG-460N automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.

NAT Traversal
  Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
  Note: The remote IPSec router must also have NAT traversal enabled.
  You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind the NAT router.

IPSec Keying Mode
  Select IKE or Manual from the drop-down list box. IKE provides more protection so it is generally recommended. Manual is a useful option for troubleshooting if you have problems using IKE key management.

Protocol Number
  Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.

Enable Replay Detection
  As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select Yes from the drop-down menu to enable replay detection, or select No to disable it.

DNS Server (for IPSec VPN)
  If there is a private DNS server that services the VPN, type its IP address here. The NBG-460N assigns this additional DNS server to the NBG-460N's DHCP clients that have IP addresses in this IPSec rule's range of local addresses.
  A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.

Local Policy
  Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses.
  Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
  In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
  If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.

Local Address
  For a single IP address, enter a (static) IP address on the LAN behind your NBG-460N.
  For a specific range of IP addresses, enter the beginning (static) IP address in a range of computers on your LAN behind your NBG-460N.
  To specify IP addresses on a network by their subnet mask, enter a (static) IP address on the LAN behind your NBG-460N.

Local Address End / Mask
  When the local IP address is a single address, type it a second time here.
  When the local IP address is a range, enter the end (static) IP address in a range of computers on the LAN behind your NBG-460N.
  When the local IP address is a subnet address, enter a subnet mask on the LAN behind your NBG-460N.

Local Port Start
  0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

Local Port End
  Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Local Port Start is left at 0, Local Port End will also remain at 0.

Remote Policy
  Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
  Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.

Remote Address
  For a single IP address, enter a (static) IP address on the network behind the remote IPSec router.
  For a specific range of IP addresses, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router.
  To specify IP addresses on a network by their subnet mask, enter a (static) IP address on the network behind the remote IPSec router.

Remote Address End /Mask
  When the remote IP address is a single address, type it a second time here.
  When the remote IP address is a range, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router.
  When the remote IP address is a subnet address, enter a subnet mask on the network behind the remote IPSec router.

Remote Port Start
  0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.

Remote Port End
  Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Remote Port Start is left at 0, Remote Port End will also remain at 0.

Authentication Method

My IP Address
  Enter the NBG-460N's static WAN IP address (if it has one) or leave the field set to 0.0.0.0.
  The NBG-460N uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the NBG-460N uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect.
  Otherwise, you can enter one of the dynamic domain names that you have configured (in the DDNS screen) to have the NBG-460N use that dynamic domain name's IP address.
  The VPN tunnel has to be rebuilt if My IP Address changes after setup.

Local ID Type
  Select IP to identify this NBG-460N by its IP address.
  Select Domain Name to identify this NBG-460N by a domain name.
  Select E-mail to identify this NBG-460N by an e-mail address.

Local Content
  When you select IP in the Local ID Type field, type the IP address of your computer in the Local Content field. The NBG-460N automatically uses the IP address in the My IP Address field (refer to the My IP Address field description) if you configure the Local Content field to 0.0.0.0 or leave it blank.
  It is recommended that you type an IP address other than 0.0.0.0 in the Local Content field or use the Domain Name or E-mail ID type in the following situations:
  • When there is a NAT router between the two IPSec routers.
  • When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses.
  When you select Domain Name or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this NBG-460N in the Local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.

Secure Gateway Address
  Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode field must be set to IKE).
  In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
  If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
  Note: You can also enter a remote secure gateway's domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The NBG-460N has to rebuild the VPN tunnel each time the remote secure gateway's WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway's new WAN IP address).

Peer ID Type
  Select IP to identify the remote IPSec router by its IP address.
  Select Domain Name to identify the remote IPSec router by a domain name.
  Select E-mail to identify the remote IPSec router by an e-mail address.

Peer Content
  The configuration of the peer content depends on the peer ID type.
  For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the NBG-460N will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description).
  For Domain Name or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
  It is recommended that you type an IP address other than 0.0.0.0 or use the Domain Name or E-mail ID type in the following situations:
  • When there is a NAT router between the two IPSec routers.
  • When you want the NBG-460N to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses.

IKE Phase 1

Negotiation Mode
  Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.

Encryption Algorithm
  Select which key size and encryption algorithm to use in the IKE SA. Choices are:
  DES - a 56-bit key with the DES encryption algorithm
  3DES - a 168-bit key with the DES encryption algorithm
  The NBG-460N and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm
  Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

SA Life Time (Seconds)
  Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 180 to 3,000,000 seconds (almost 35 days).
  A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Key Group
  Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
  DH1 - use a 768-bit random number
  DH2 - use a 1024-bit random number

Pre-Shared Key
  Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
  Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself.
  Both ends of the VPN tunnel must use the same pre-shared key. You will receive a "PYLD_MALFORMED" (payload malformed) packet if the same pre-shared key is not used on both ends.

IKE Phase 2

Encapsulation Mode
  Select Tunnel mode or Transport mode.

IPSec Protocol
  Select the security protocols used for an SA.
  Both AH and ESP increase processing requirements and communications latency (delay).
  If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below).

Encryption Algorithm
  Select which key size and encryption algorithm to use in the IKE SA. Choices are:
  DES - a 56-bit key with the DES encryption algorithm
  3DES - a 168-bit key with the DES encryption algorithm
  The NBG-460N and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput.

Authentication Algorithm
  Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.

SA Life Time
  Define the length of time before an IPSec SA automatically renegotiates in this field. The minimum value is 180 seconds.
  A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Perfect Forward Secrecy (PFS)
  Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:
  None - disable PFS
  DH1 - enable PFS and use a 768-bit random number
  DH2 - enable PFS and use a 1024-bit random number
  PFS changes the root key that is used to generate encryption keys for each IPSec SA. It is more secure but takes more time.

Basic...
  Click Basic... to go to the previous VPN configuration screen.

Apply
  Click Apply to save the changes.

Reset
  Click Reset to begin configuring this screen afresh.

Cancel
  Click Cancel to exit the screen without making any changes.
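Several of the constraints in Tables 63 and 64 (pre-shared key format, Port Start/End, SA lifetimes, and the rule that local ranges of active rules with Secure Gateway Address 0.0.0.0 must not overlap) can be checked before a rule is entered. The following pre-flight validator is an added example, not ZyXEL's code; the rule-dictionary field names, the `kind` selector for the three local-address forms, and the treatment of a non-zero Port Start with Port End 0 as a single port are assumptions.

```python
"""Added example, not ZyXEL's code: a pre-flight validator for NBG-460N IKE VPN rules
that encodes constraints stated in Tables 63 and 64 (pre-shared key format, port ranges,
SA lifetimes, and the local-range overlap rule for active rules whose Secure Gateway
Address is 0.0.0.0). Field names and the rule-dictionary layout are assumptions."""
import ipaddress
import re

# Page rule: a hex key is "0x" plus 16 to 62 digits from 0-9 and A-F; the prefix is not counted.
HEX_KEY_RE = re.compile(r"^0x[0-9A-F]{16,62}$")
# Page rule: otherwise 8 to 31 case-sensitive ASCII characters (printable ASCII assumed).
ASCII_KEY_RE = re.compile(r"^[\x20-\x7E]{8,31}$")

def check_pre_shared_key(key: str) -> list[str]:
    """Return a list of problems; an empty list means the key is acceptable."""
    if key.startswith("0x"):
        return [] if HEX_KEY_RE.match(key) else ["hex key needs 16-62 hex digits (0-9, A-F) after 0x"]
    return [] if ASCII_KEY_RE.match(key) else ["ASCII key must be 8-31 printable characters"]

def check_port_range(start: int, end: int) -> list[str]:
    """Port Start/End rule: 0 means any port; if Start is 0, End stays 0; otherwise End must
    exceed Start. A non-zero Start with End 0 is treated as a single port (assumption)."""
    problems = []
    if not (0 <= start <= 65535 and 0 <= end <= 65535):
        problems.append("ports must be 0-65535")
    elif start == 0 and end != 0:
        problems.append("Port End must stay 0 when Port Start is 0")
    elif start != 0 and end != 0 and end <= start:
        problems.append("Port End must be greater than Port Start")
    return problems

def check_sa_lifetimes(ike_seconds: int, ipsec_seconds: int) -> list[str]:
    """IKE SA Life Time: 180 to 3,000,000 seconds; IPSec SA Life Time: at least 180 seconds."""
    problems = []
    if not 180 <= ike_seconds <= 3_000_000:
        problems.append("IKE SA Life Time must be 180-3000000 seconds")
    if ipsec_seconds < 180:
        problems.append("IPSec SA Life Time must be at least 180 seconds")
    return problems

def local_range(kind: str, address: str, end_or_mask: str):
    """Turn the Local Address / Local Address End-Mask pair into (first, last) addresses.
    kind is 'single', 'range' or 'subnet', mirroring the three cases the table lists."""
    first = ipaddress.IPv4Address(address)
    if kind == "single":
        return first, first
    if kind == "range":
        last = ipaddress.IPv4Address(end_or_mask)
        if last < first:
            raise ValueError("range end precedes range start")
        return first, last
    if kind == "subnet":
        net = ipaddress.IPv4Network(f"{address}/{end_or_mask}", strict=False)
        return net.network_address, net.broadcast_address
    raise ValueError(f"unknown address kind {kind!r}")

def check_dynamic_gateway_overlap(rules: list[dict]) -> list[str]:
    """Among active rules with Secure Gateway Address 0.0.0.0 the local ranges must not
    overlap, so a rule covering the whole LAN excludes every other such rule."""
    ranges = [(r["name"], local_range(r["kind"], r["local"], r["local_end_or_mask"]))
              for r in rules if r["active"] and r["secure_gateway"] == "0.0.0.0"]
    problems = []
    for i, (name_a, (a1, a2)) in enumerate(ranges):
        for name_b, (b1, b2) in ranges[i + 1:]:
            if a1 <= b2 and b1 <= a2:  # closed intervals intersect
                problems.append(f"local ranges of {name_a} and {name_b} overlap")
    return problems

def validate_rule(rule: dict) -> list[str]:
    problems = check_pre_shared_key(rule["psk"])
    problems += check_port_range(rule["local_port_start"], rule["local_port_end"])
    problems += check_sa_lifetimes(rule["ike_lifetime"], rule["ipsec_lifetime"])
    return problems

# Constructed sample rules (not from the guide): a whole-LAN rule for peers with
# dynamic WAN addresses, plus a second 0.0.0.0 rule that collides with it.
SAMPLE_RULES = [
    {"name": "lan-any", "active": True, "secure_gateway": "0.0.0.0",
     "kind": "subnet", "local": "192.168.1.0", "local_end_or_mask": "255.255.255.0",
     "psk": "0x0123456789ABCDEF", "local_port_start": 0, "local_port_end": 0,
     "ike_lifetime": 28800, "ipsec_lifetime": 3600},
    {"name": "host-10", "active": True, "secure_gateway": "0.0.0.0",
     "kind": "single", "local": "192.168.1.10", "local_end_or_mask": "192.168.1.10",
     "psk": "short", "local_port_start": 0, "local_port_end": 443,
     "ike_lifetime": 120, "ipsec_lifetime": 3600},
]

if __name__ == "__main__":
    print({r["name"]: validate_rule(r) or "ok" for r in SAMPLE_RULES})
    print(check_dynamic_gateway_overlap(SAMPLE_RULES))
```

The second sample rule is rejected on three counts and, because the first rule already covers the whole LAN, the pair also fails the 0.0.0.0 overlap rule.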
15.2.3 VPN Rule Setup (Manual)
Use this screen to configure VPN rules (tunnels) that use manual keys. Manual key management is useful if you have problems with IKE key management.
Select Manual in the IPSec Keying Mode field on the Rule Setup screen to open the screen as shown in Figure 108 on page 181.
15.2.3.1 IPSec SA Using Manual Keys
You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA.
In IPSec SAs using manual keys, the NBG-460N and remote IPSec router do not establish an IKE SA. They only establish an IPSec SA. As a result, an IPSec SA using manual keys has some characteristics of IKE SA and some characteristics of IPSec SA. There are also some differences between IPSec SA using manual keys and other types of SA.
15.2.3.2 IPSec SA Proposal Using Manual Keys
In IPSec SA using manual keys, you can only specify one encryption algorithm and one authentication algorithm. There is no DH key exchange, so you have to provide the encryption key and the authentication key the NBG-460N and remote IPSec router use.
Note: The NBG-460N and remote IPSec router must use the same encryption key and authentication key.
15.2.3.3 Authentication and the Security Parameter Index (SPI)
For authentication, the NBG-460N and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number.
Note: The NBG-460N and remote IPSec router must use the same SPI.