Zyxel ZYWALL USG 2000 Support Notes

ZyWALL USG 2000 Support Notes
ZyWALL USG 2000
Unified Security Gateway
Support Notes
Revision 2.10
Dec, 2008
1
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
INDEX
The comparison of ZyNOS and ZLD ............................................................................................. 8
1. Deploying VPN .......................................................................................................................... 9
1.1 Extended Intranets .......................................................................................................... 11
1.1.2 Site to Site VPN solutions (ZyWALL 1050 Ù ZyWALL USG 2000): .............. 11
1.2 Extranet Deployment ..................................................................................................... 18
1.2.1 Site to site VPN solutions (ZyWALL USG 2000 to ZyWALL70) ...................... 19
1.2.2 Interoperability – VPN with other vendors ......................................................... 23
1.2.2.1 ZyWALL with FortiGate VPN Tunneling ................................................ 23
1.2.2.2 ZyWALL with NetScreen VPN Tunneling .............................................. 30
1.2.2.3 ZyWALL with SonicWall VPN Tunneling ............................................... 38
1.3 Remote Access VPN ...................................................................................................... 45
1.3.1 IPSec VPN for Remote Access ........................................................................... 45
1.3.1.1 Steps to configure ..................................................................................... 47
1.3.2 SSL VPN Application - Reverse Proxy ............................................................... 52
1.3.2.1 Scenario topology ..................................................................................... 52
1.3.2.2 Configuration flow ................................................................................... 52
1.3.2.3 Configuration procedure .......................................................................... 52
1.3.3 SSL VPN Application – Network Extension ...................................................... 55
1.3.3.1 Scenario topology ..................................................................................... 55
1.3.3.2 Configuration flow ................................................................................... 55
1.3.3.3 Configuration procedure .......................................................................... 56
1.3.4 L2TP over IPSec Application .............................................................................. 62
1.3.4.1 Scenario topology ..................................................................................... 62
1.3.4.2 Configuration flow ................................................................................... 62
1.3.4.3 Configuration Procedure .......................................................................... 62
1.4 Large-scale VPN Deployment ....................................................................................... 73
1.4.1 Fully Meshed Topology ................................................................................... 73
1.4.2 Star Topology ................................................................................................... 74
1.4.3 Star-Mesh Mixed Topology .............................................................................. 83
1.5 Device HA ...................................................................................................................... 99
1.5.1 Device HA ......................................................................................................... 101
1.5.1.1 Configuration procedure ........................................................................ 101
1.5.2 Device High Availability (HA) Active-Passive mode ....................................... 113
1.5.2.1 Scenario Topology ................................................................................. 113
All contents copyright (c) 2008 ZyXEL Communications Corporation.
2
ZyWALL USG 2000 Support Notes
1.5.2.2 Configuration Flow ................................................................................ 113
1.5.2.3 Configuration procedure ........................................................................ 114
1.5.2.4 Steps to configure ................................................................................... 115
2. Security Policy Enforcement .................................................................................................. 125
2.1 Managing IM/P2P Applications ................................................................................... 125
2.1.1 Why bother with managing IM/P2P applications? ............................................ 125
2.1.2 What does ZyWALL USG 2000 provide for managing IM/P2P applications? 126
2.1.3 Configuration Example ..................................................................................... 126
2.2 Zone-based Anti-Virus Protection ................................................................................ 134
2.2.1 Applying Zone-Based Anti-Virus to ZyWALL USG 2000 ............................... 134
2.2.2 Enabling Black and White List ......................................................................... 141
2.2.3 Enabling Anti-Virus Statistics Report ............................................................... 142
2.2.4 Dual AV ............................................................................................................. 143
2.3 Configuring ZyWALL USG 2000 as a Wireless Router .............................................. 143
2.3.1 Configuration procedure ................................................................................... 143
2.3.2 MAC filter in WLAN ........................................................................................ 145
2.4 Mobility Internet Access .............................................................................................. 147
2.4.1 Utilize 3G Wireless for Accessing the Internet ................................................. 148
2.4.1.1 Configuration procedure ........................................................................ 149
3. Seamless Incorporation .......................................................................................................... 156
3.1 Transparent Firewall ..................................................................................................... 156
3.1.1 Bridge mode & Router (NAT) mode co-exist ................................................... 156
3.1.2 NAT & Virtual Server........................................................................................ 159
3.2 Zone-based IDP Protection .......................................................................................... 162
3.2.1 Applying Zone-Based IDP to ZyWALL USG 2000 .......................................... 163
3.3 Anti-spam on the ZyWALL USG 2000 ........................................................................ 169
3.3.1 How Anti-Spam works on ZyWALL USG ....................................................... 170
3.3.2 Using DNSBL (DNS-based blacklist) ............................................................... 170
3.3.2.1 Application scenario to apply DNSBL ................................................... 170
3.3.2.1.1 Scenario I: Email server is located in the ISP/ Internet ...................... 170
3.3.2.1.2 Scenario II: Company’s Email server located in the DMZ ................. 173
3.3.3 Using Black/White list (B/W list) ..................................................................... 176
3.3.3.1 Configuration procedure ........................................................................ 176
3.3.3.2 Scenario topology ................................................................................... 177
3.3.3.3 Steps to configure B/W list .................................................................... 177
3.4 Guaranteed Quality of Service ..................................................................................... 180
3.4.1 Priority & Bandwidth management .................................................................. 181
All contents copyright (c) 2008 ZyXEL Communications Corporation.
3
ZyWALL USG 2000 Support Notes
F AQ ............................................................................................................................................ 188
A. Device Management FAQ ............................................................................................. 188
A01. How can I connect to ZyWALL USG 2000 to perform administrator’s tasks? 188
A02. Why can’t I login into ZyWALL USG 2000? ................................................... 188
A03. What’s difference between “Admin Service Control” and “User Service
Control” configuration in GUI menu System > WWW? ........................................... 189
A04. Why ZyWALL USG 2000 redirects me to the login page when I am
performing the management tasks in GUI? ............................................................... 190
A05. Why do I lose my configuration setting after ZyWALL USG 2000 restarts? ... 190
A06. How can I do if the system is keeping at booting up stage for a long time? ..... 190
B. Registration FAQ ........................................................................................................... 192
B01. Why do I need to do the Device Registration? .................................................. 192
B02. Why do I need to activate services? .................................................................. 192
B03. Why can’t I active trial service? ........................................................................ 192
B04. Will the UTM service registration information be reset once restore
configuration in ZyWALL USG 2000 back to manufactory default? ........................ 192
C. File Manager FAQ ......................................................................................................... 193
C01. How can ZyWALL USG 2000 manage multiple configuration files? .............. 193
C02. What are the configuration files like startup-config.conf, system-default.conf
and lastgood.conf? ...................................................................................................... 193
C03. Why can’t I update firmware? ........................................................................... 193
C04. What is the Shell Scripts for in GUI menu File manager > Shell Scripts? ........ 194
C05. How to write a shell script? ............................................................................... 194
C06. Why can’t I run shell script successfully? ......................................................... 194
D. Object FAQ.................................................................................................................... 195
D01. Why does ZyWALL USG 2000 use object? ...................................................... 195
D02. What’s the difference between Trunk and the Zone Object? ............................ 196
D03. What is the difference between the default LDAP and the group LDAP? What
is the difference between the default RADIUS and the group RADIUS? ................. 196
E. Interface FAQ ................................................................................................................ 197
E01. How to setup the WAN interface with PPPoE or PPTP? ................................... 197
E02. How to add a virtual interface (IP alias)? .......................................................... 197
E03. Why can’t I get IP address via DHCP relay? ..................................................... 197
E04. Why can’t I get DNS options from ZyWALL’s DHCP server? ......................... 197
E05. Why does the PPP interface dials successfully even its base interface goes
down? ......................................................................................................................... 198
F. Routing and NAT FAQ ................................................................................................... 199
All contents copyright (c) 2008 ZyXEL Communications Corporation.
4
ZyWALL USG 2000 Support Notes
F01. How to add a policy route? ................................................................................ 199
F02. How to configure local loopback in ZyWALL USG 2000? ............................... 199
F03. How to configure a NAT? .................................................................................. 203
F04. After I installed a HTTP proxy server and set a http redirect rule, I still can’t
access web. Why? ...................................................................................................... 204
F05. How to limit some application (for example, FTP) bandwidth usage? ............. 204
F06. What’s the routing order of policy route, dynamic route, and static route and
direct connect subnet table? ....................................................................................... 204
F07. Why ZyWALL USG 2000 cannot ping the Internet host, but PC from LAN side
can browse internet WWW? ...................................................................................... 205
F08. Why can’t I ping to the, Internet, after I shutdown the prim ary WAN interface?205
F09. Why the virtual server or port trigger does not work? ....................................... 205
F10. Why port trigger does not work? ....................................................................... 205
F11. How do I use the traffic redirect feature in ZyWALL USG 2000? .................... 206
F12. Why can’t ZyWALL learn the route from RIP and/or OSPF? ........................... 206
G. VPN and Certificate ...................................................................................................... 207
G01. Why can't the VPN connections dial to a remote gateway? .............................. 207
G02. VPN connections are dialed successfully, but the traffic still cannot go through
the IPsec tunnel. ......................................................................................................... 207
G03. Why ZyWALL USG 2000 VPN tunnel had been configured correctly and the VPN connection status is connected but the traffic still can not reach the remote
VPN subnet? ............................................................................................................... 207
G04. VPN connections are dialed successfully, and the policy route is set. But the
traffic is lost or there is no response from remote site. .............................................. 208
G05. Why don’t the Inbound/Outbound traffic NAT in VPN work? ......................... 208
H. Firewall FAQ ................................................................................................................. 209
H01. Why doesn’t my LAN to WAN or WAN to LAN rule work? ........................... 209
H02. Why does the intra-zone blocking malfunction after I disable the firewall? .... 209
H03. Can I have access control rules to the device in firewall? ................................ 209
I. Application Patrol FAQ................................................................................................... 210
I01. What is Application Patrol? ................................................................................ 210
I02. What applications can the Application Patrol function inspect? ........................ 210
I03. Why does the application patrol fail to drop/reject invalid access for some
applications? ............................................................................................................... 211
I04. What is the difference between “Auto” and “Service Ports” settings in the
Application Patrol configuration page? ..................................................................... 212
I05. What is the difference between BWM (bandwidth management) in Policy Route
5
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
and App. Patrol ? ........................................................................................................ 213
I06. Do I have to purchase iCards specifically for using AppPatrol feature? ............ 214
I07. Can I configure different access level based on application for different users? 214 I08. Can I migrate AppPatrol policy and bandwidth management control from
ZLD1.0x to ZLD2.0x? ............................................................................................... 214
J. lDP FAQ ......................................................................................................................... 215
J01. Why doesn’t the IDP work? Why has the signature updating failed? ................ 215
J02. When I use a web browser to configure the IDP, sometimes it will popup
"wait data timeout". .................................................................................................... 215
J03. When I want to configure the packet inspection (signatures), the GUI becomes
very slow. ................................................................................................................... 215
J04. After I select "Auto Update" for IDP, when will it update the signatures? ........ 215
J05. If I want to use IDP service, will it is enough if I just complete the registration
and turn on IDP? ........................................................................................................ 215
J06. What are the major design differences in IDP in ZLD1.0x and latest IDP/ADP
in ZLD2.0x? ............................................................................................................... 215
J07. Does IDP subscription have anything to do with AppPatrol? ............................ 216
J08. How to get a detailed description of an IDP signature? ..................................... 217
J09. After an IDP signature updated, does it require ZyWALL to reboot to make new
signatures take effect? ................................................................................................ 217
K. Content Filtering FAQ ................................................................................................... 218
K01. Why can’t I enable external web filtering service? Why does the external web
filtering service seem not to be working? .................................................................. 218
K02. Why can’t I use MSN after I enabled content filter and allowed trusted
websites only? ............................................................................................................ 218
L. Device HA FAQ ............................................................................................................. 219
L01. What does the “Preempt” mean? ....................................................................... 219
L02. What is the password in Synchronization? ........................................................ 219
L03. What is “Link Monitor” and how to enable it? .................................................. 219
L04. Can Link Monitor of Device HA be used in backup VRRP interfaces? ............ 220
L05. Why do both the VRRP interfaces of master ZW USG 2000 and backup ZW
USG 2000 are activated at the same time? ................................................................. 220
M. User Management FAQ ................................................................................................ 221
M01. What is the difference between user and guest account?.................................. 221
M02. What is the “re-authentication time” and “lease time”? ................................... 221
M03. Why can’t I sign in to the device? .................................................................... 221
M04. Why is the TELNET/SSH/FTP session to the device disconnected? Why is the
All contents copyright (c) 2008 ZyXEL Communications Corporation.
6
ZyWALL USG 2000 Support Notes
GUI redirected to login page after I click a button/link? ........................................... 221
M05. What is AAA? ................................................................................................... 222
M06. What are ldap-users and radius-users used for? ............................................... 222
M07. What privileges will be given for ldap-users and radius-users? ....................... 222
N. Centralized Log FAQ .................................................................................................... 224
N01. Why can’t I enable e-mail server in system log settings? ................................. 224
N02. After I have the entire required field filled, why can’t I receive the log mail? . 224
O. Traffic Statistics FAQ .................................................................................................... 225
O01. When I use "Flush Data" in Report, not all the statistic data are cleared. ......... 225
O02. Why isn't the statistic data of "Report" exact? .................................................. 225
O03. Does Report collect the traffic from/to ZyWALL itself? .................................. 225
O04. Why cannot I see the connections from/to ZyWALL itself? ............................. 225
P. Anti-Virus F AQ .............................................................................................................. 226
P01. Is there any file size or amount of concurrent files limitation with ZyWALL
USG 2000 Anti-Virus engine? ................................................................................... 226
P02. Does ZyWALL USG 2000 Anti-Virus support compressed file scanning? ....... 226
P03. What is the maximum concurrent session of ZyWALL USG 2000 Anti-Virus
engine? ....................................................................................................................... 226
P04. How many type of viruses can be recognized by the ZyWALL USG 2000? .... 226
P05. How frequent the AV signature will be updated? .............................................. 226
P06. How to retrieve the virus information in detail? ................................................ 226
P07. I cannot download a file from Internet through ZyWALL USG 2000 because the Anti-Virus engine considers this file has been infected by the virus; however, I am very sure this file is not infected because the file is nothing but a plain text file.
How do I resolve this problem? ................................................................................. 226
P08. Does ZyWALL USG 2000 Anti-Virus engine support Passive FTP? ................ 227
P09. What kinds of protocol are currently supported on ZyWALL USG 2000
Anti-Virus engine? ..................................................................................................... 227
P10. If the Anti-Virus engine detects a virus, what action it may take? Can it cure the
file? ............................................................................................................................. 227
All contents copyright (c) 2008 ZyXEL Communications Corporation.
7
ZyWALL USG 2000 Support Notes
The comparison of ZyNOS and ZLD
Since ZyXEL USG 2000 adopt ZLD 2.10 as their network operating system. Additionally, ZLD 2.10 provides many new features and new design in GUI. Hence, the layout in ZyNOS might not be the same as the one in ZLD 2.10. Accordingly, we provide a comparison table for your reference.
Platform Feature/Term
NAT
VPN
ZyNOS ZLD Chapter in
Advanced > NAT > Address Mapping Advanced > NAT Port forwarding Advanced > NAT Port Trigger
Security> VPN > Gateway Policy Security> VPN > Network Policy Security> VPN > Gateway Policy & Network Policy
Network > Routing > Policy Route SNAT Network > Virtual Server Network > Routing > Policy Route Port Triggering VPN > IPSec VPN> VPN Gateway VPN > IPSec VPN> VPN Connection VPN > IPSec VPN> Concentrator
Support Note
3.1.2 NAT & Virtual Server
1.1.2 Site to site VPN solutions
1.1.2 Site to site VPN solutions
Others
(Hub & Spoke VPN network) Advanced > BW MGMT AppPatrol & Network >
Policy Route Network > LAN/DMZ/WLAN> IP alias Wireless > Wi-Fi Network > Interface >
Wireless > 3G Network > Interface >
Security > Auth Server Object > AAA Server
All contents copyright (c) 2008 ZyXEL Communications Corporation.
Network > Interface >
LAN/DMZ/VLAN/Brid
ge> V irtual Interface
WLAN
Cellular
2.4 Mobility Internet Access
8
ZyWALL USG 2000 Support Notes
1. Deploying VPN
VPN (Virtual Private Network) allows you to establish a virtual direct connection to remote locations or for the telecommuters to access the internal network in the office. VPN is a replacement for the traditional site-to-site lease lines like T1 or ISDN. Through the VPN applications, it reduces setup cost, works for various types of Internet connection devices (ISDN modem, ADSL modem and FTTX…) and is easy to troubleshoot.
VPN gives you site-to-site connection flexibility. However, with multiple VPN connections between sites, it can become more difficult to maintain. Typically, an administrator has to configure many site-to-site VPN connections to allow a truly global VPN network.
VPN connection management is made easily using the VPN concentrator. The VPN concentrator routes VPN traffic across multiple remote sites without complex setting, thus reduces the configuration overhead and the possibility of improper configuration. The VPN concentrator is also a centralized management tool for administrators because all the traffic sent between remote sites has to go through the central office first and administrators can set up different access control rules. These are based on the source address, remote address, user and schedule to enhance VPN security. To help to reduce network intrusion attacks, administrators can configure the built-in IDP engine to inspect VPN traffic. For easy
9
All contents copyright (c) 2008 ZyXEL Communications Corporation.
h
N
u
B
T
A
u
a
r
f
o
g
e
w
o
r
e
y
0
o
N
a
h
y
y
C
o
n
b
u
P
U
o
e
g
a
0
o
e
k
y
c
t
k
r
a
0
troubles
ooting and
monitorin
, the VPN
concentrat
Z
WALL
r logs and
SG 200
stores syst
Suppor
m informa
Notes
ion and
network
The VP setting
status for f
concentr
p a globa
rther easy
tor enhanc VPN net
troublesho
s the VP
ork with
ting and a
routing a
less effort
alysis.
ility and h
but stron
lps networ
er securit
administ
and man
ators in gement
possibili
For SM
ies.
customer,
ZyXEL pr
vides a tot
l VPN sol
tion from
personal
lient to a 5
0+
people fi
rewall whe
he benefit
e all of th
rom deplo
ll contents c
se devices
ment of Z
pyright (c) 2
ave the V
XEL VPN
08 ZyXEL
N connect
solutions
ommunicati
on ability.
ns Corporati
10
n.
ZyWALL USG 2000 Support Notes
Security and Reliability Improved communications Increased flexibility Lower cost
1.1 Extended Intranets
The ZyXEL VPN solutions primarily can be used to extend the intranet and deliver increased connectivity between operation sites. The branch office subnet will be considered a part of main office internet. Therefore, user behind branch office also can use the internal network resources as if he was in the main office. Because of the VPN connection, user will feel like he is using a local LAN even though he is accessing the network resources via Internet. Use of a VPN for smaller branch offices, franchise sites and remote workers provides nearly the same level of connectivity and reliability as a private network. The remote connection cost also can decrease by leveraging the Internet connections to replace expensive leased lines.
USG 2000
USG2000
1.1.2 Site to Site VPN solutions (ZyWALL 1050 Ù ZyWALL USG 2000):
Site to Site VPN is the basic VPN solution between local and remote gateway. This type of VPN connection is used to extend and join local networks of both sites into a single intranet. There are two kinds of connection interface. Static IP and dynamic DNS.
11
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
Configure ZyWALL 1050 with Static IP address: ZyWALL 1050 uses the static IP address for VPN connection. The topology is shown on the
following figure.
User needs to configure the static IP address and then apply to the VPN Gateway configuration page. The configuration steps are stated below:
1) Login ZyWALL 1050 GUI, setup the ge2 interface for internet connection and manually
assign a static IP. The configuration path in ZyWALL 1050 is Network > Interface > Ethernet >Edit > ge2
2) Switch to VPN > IPSec VPN > VPN Gateway select interface ge2 as My Address and
12
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
then in Security Gateway Address field set the remote gateway IP to 167.35.4.3. The Local ID Type and content are IP and 210.110.7.1, Peer ID Type and content are IP and
167.35.4.3.
3) User can refer to the user guide to complete the rest of the settings for VPN tunnel.
4) The ZyWALL1050 and ZyWALL USG 2000 VPN are route-based VPN. This means the
VPN tunnel can be an interface to route the VPN traffic. Thus, we need to configure a policy route for VPN traffic from the local subnet to the remote subnet after configuring the VPN gateway and connection (phase1 and phase2). The purpose of this policy route is to tell the ZyWALL1050 to send the traffic to VPN tunnel when the traffic flows from the local subnet to a destination that is in the remote subnet. Switch to ZyWALL 1050 > Network > Routing > Policy Route and add a new policy route. The source and the destination addresses are the local and remote subnets. The Next-Hop type is VPN tunnel. Then choose the corresponding VPN connection rule from the VPN tunnel drop down menu. Now, the VPN tunnel and routing is configured and user can start to test it.
13
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
5) Login ZyWALL USG 2000 GUI, setup the ge2 interface for internet connection and
manually assign a static IP. The configuration path in ZyWALL USG 2000 menu is ZyWALL > VPN > IPSec VPN >VPN Gateway > Add. Select Static site to site VPN and then create an object if you have not created any wan interface.
14
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
6) Switch to VPN > IPSec VPN > VPN Gateway > Edit select interface ge2 as My Address
and then in Security Gateway Address field set the remote gateway IP to 210.110.7.1. The Local ID Type and content are IP and 167.35.4.3, Peer ID Type and content are IP and 210.110.7.1.
15
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
7) Create VPN by selecting ZyWALL > VPN > IPSec VPN > VPN Connection > Edit. As
for more detail, user can refer to the user guide to complete the rest of the settings for VPN tunnel.
8) The ZyWALL1050 and ZyWALL USG 2000 VPN are route-based VPN. This means the
VPN tunnel can be an interface to route the VPN traffic. Thus, we need to configure a policy route for VPN traffic from the local subnet to the remote subnet after configuring the VPN gateway and connection (phase1 and phase2). The purpose of this policy route is to tell the ZyWALL1050 to send the traffic to VPN tunnel when the traffic flows from the local subnet to a destination that is in the remote subnet. Switch to ZyWALL 1050 > Network > Routing > Policy Route and add a new policy route. The source and the destination addresses are the local and remote subnets. The Next-Hop type is VPN tunnel. Then choose the corresponding VPN connection rule from the VPN tunnel drop down menu. Now, the VPN tunnel and routing is configured and user can start to test it.
Tips for application:
1. Make sure the presharekey is the same in both local and remote gateways.
2. Make sure the IKE & IPSec proposal is the same in both local and remote gateways.
16
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
3. Select the correct interface for VPN connection.
4. The Local and Peer ID type and content must the opposite and contain the same. Make sure the VPN policy route has been configured in ZyWALL1050.
17
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
1.2 Extranet Deployment
The VPN provides the access to extranets which can provide the security path over internet to improve the client service, vendor support and company communication. Different flexible business models have been developed based on the global VPN extranet architecture. For example, customers can order equipment over the VPN and also suppliers can check the orders electronically. Another result of its application is that the employees across different branches can collaborate on project documents and share the different site’s internal resource to complete the project.
USG 2000
Partner Site
The ZyWALL USG 2000 can be placed as a VPN gateway in the central site. It can communicate with other ZyXEL’s VPN-capable products as well as VPN products from other major vendors in the network device industry, e.g. Cisco PIX/IOS VPN products, Check Point VPN Pro, Juniper NetScreen 100/200 and others…
18
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
1.2.1 Site to site VPN solutions (ZyWALL USG 2000 to ZyWALL70)
The exciting ZyWALL35 or 70 in central office gateway can be replaced by ZyWALL USG 2000, and the ZyWALL35 or 70 moved to a remote office. The ZyWALL USG 2000 can provide higher VPN throughput and deal with multiple VPN tunnels at the same time. To show how to build tunnel between ZyWALL5/35/70 and ZyWALL USG 2000 we used ZyWALL 70 as an example.
Static IP address
210.110.7.1
Static IP address
167.35.4.3
Internet
CenterOffice Gateway Branch Gateway
LAN: 192.168.1.X
1) Login ZyWALL USG 2000 GUI and setup the ge2 interface for the internet connection
and manually assign a static IP. The configuration path is ZyWALL USG 2000 > Network > Interface > Edit > ge2
LAN: 192.168.2.X
2) Switch to VPN > IPSec VPN > VPN Gateway, select My Address as interface ge2 and
then in Security Gateway Address field set the remote gateway IP to 167.35.4.3. The Local ID Type and content are IP and 210.110.7.1, Peer ID Type and content are IP and
19
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
167.35.4.3.
3) Login to ZyWALL70 and go to Security > VPN > Gateway Policy, add a new gateway
policy to connect with central office’s ZyWALL USG 2000. My Address and Remote
Gateway Address are ZyWALL70 and ZyWALL USG 2000 WAN IP addresses. The Pre-Shared Key configured on both sides must exactly the same Local ID Type &
content and Peer ID Type & content are reverse to the Local ZyWALL USG 2000.
4) The IKE Proposal is very important setting when configuring the VPN tunnel. The
proposal includes Negotiation Mode, Encryption and Authentication Algorithm and…. Make sure the IKE proposal parameters are must the same on both ends.
5) Switch to Network > IPSec VPN > VPN Connection, add a new VPN connection (IPSec
phase2). Setup the Phase2 proposal and local and remote policies. The chosen phase2 proposal chosen must be the same as on the remote site’s ZyWALL70.
20
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
6) In ZyWALL70, VPN is a rule based VPN. This means that whether the traffic is going to
the tunnel or not will depend on the local and remote policies. In this example, ZyWALL70 local and remote policies are 192.168.2.0 and 192.168.1.0 and the traffic from 192.168.2.X subnet to 192.168.1.X subnet will go through the VPN tunnel to the remote site as predefined. The ZyWALL USG 2000 local and remote policies must be reverse to the ZyWALL70’s settings, otherwise the tunnel will not be built up.
7) Check whether the IPSec proposal on both sites is the same and the configuration is done
on both sites.
5
7
6
8) The ZyWALL USG 2000 VPN is a route-based VPN, this means the VPN tunnel can be an
interface to route the VPN traffic. Thus, we need to configure a policy route for VPN traffic from the local subnet to the remote subnet after configuring the VPN gateway and
21
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
the connection (phase1 and phase2). The purpose for this policy route is to tell the ZyWALL USG 2000 to send the traffic to the VPN tunnel when the traffic goes from the local subnet to the destination that is in a remote subnet. Switch to Network> Routing > Policy > Policy Route and add a new policy route, the source and destination address are the local and remote subnet and the Next-Hop type is a VPN tunnel. Then choose the corresponding VPN connection rule from the VPN tunnel drop down menu. Now, the VPN tunnel and routing is built and user can start to test it.
8
9) After configuring both sides of the VPN, click the “Dial up” icon to test the VPN
connectivity.
10) “VPN tunnel establishment successful,” message appears.
All contents copyright (c) 2008 ZyXEL Communications Corporation.
22
ZyWALL USG 2000 Support Notes
9
10
Tips for application:
1. Make sure the presharekey is the same in both the local and the remote gateways.
2. Make sure the IKE & IPSec proposal is the same in both the local and the remote
gateways.
3. Select the correct interface for the VPN connection.
4. The Local and Peer ID type and content must be the opposite and not of the same content.
5. Make sure the VPN policy route had been setup in ZyWALL USG 2000.
1.2.2 Interoperability – VPN with other vendors
1.2.2.1 ZyWALL with FortiGate VPN Tunneling
This page guides how to setup a VPN connection between the ZyWALL USG 2000 and FortiGate 200A.
As on the figure shown below, the tunnel between Central and Remote offices ensures the packet flow between them are secure, because the packets go through the IPSec tunnel are
23
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
encrypted. To setup this VPN tunnel, the required settings for ZyWALL and FortiGate are explained in the following sections.
Static IP address
210.110.7.1
Static IP address
167.35.4.3
Internet
Central Office Gateway ZyWALL
LAN: 192.168.1.X
The central office gateway ZyWALL USG 2000’s interface and VPN setting retain the same setting as in the previous example. If you jumped this section first, please refer to ‘ZyWALL
Branch Gateway FortiGate 200A
LAN: 192.168.2.X
USG 2000 to ZYWALL70 VPN tunnel setting’ on page 8. This list below is to briefly show the VPN phase1 and phase2 configuration parameters:
ZyWALL FortiGate
WAN: 210.110.7.1
LAN: 192.168.1.0/24
Phase 1
Negotiation Mode : Main
Pre-share key: 123456789
Encryption :DES
Authentication :MD5
Key Group :DH1
Phase2
Encapsulation: Tunnel
Active Protocol: ESP
Encryption: DES
WAN: 167.35.4.3
LAN: 192.168.2.0/24
Phase 1
Negotiation Mode : Main
Pre-share key: 123456789
Encryption :DES
Authentication :MD5
Key Group :DH1
Phase2
Encapsulation: Tunnel
Active Protocol: ESP
Encryption: DES
Authentication: SHA1
Perfect Forward Secrecy (PFS): None
Perfect Forward Secrecy (PFS): None
Authentication: SHA1
1) Configure the ZyWALL USG 2000 ‘s VPN gateway and VPN connection as on the list.
Also, remember to configure the policy route for the VPN traffic routing. Refer to the
24
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
previous scenario or user guide to find help on setting the ZyWALL USG 2000 VPN.
2) Login to the FortiGate GUI and switch to System > Network > Interface and set the wan1
interface to 167.35.4.3 and internal interface to 192.168.2.1/255.255.255.0.
2
Note: About the detail interface settings, refer to FortiGate user guide.
3) Switch to System > VPN > IPSEC and select the Auto Key (IKE) tab and click the Create
Phase 1 button. This will open a new page for VPN phase1 setup.
3
4) Fill-in the VPN phase1 setting according to the table listed. We don’t have to setup the ID
type and content because the FortiGate accepts any peer ID. Make sure both the pre-shares key and proposal are the same as in the ZyWALL USG 2000.
25
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
4
5) Get back to the VPN configuration page again and click the Create Phase 2 button to add
a new Phase2 policy.
5
6) Select the “ZyWALL”(configured in the step 4) policy from the Phase 1 drop down menu
and click the Advanced… button to edit the phase 2 proposal and source and destination address. Please make sure the phase 2 proposal is the same as in ZyWALL USG 2000 phase 2.
26
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
6
7) The VPN tunnel configuration is finished and the VPN IPSec page will show the VPN
phase 1 and phase 2 rules in the Auto Key (IKE) tab.
7
8) We need to setup the firewall rules for IPSec VPN traffic transmitting from ZyWALL to
FortiGate and from FortiGate to ZyWALL. Switch to Firewall > VPN >Address menu and add two new address object which stand for ZyWALL LAN subnet and FortiGate LAN subnet. Using the “Create New” button to create a new address object.
8
9) Switch to Firewall > Policy and click “Insert Policy Before” icon to add new policy for the
VPN traffic from FortiGate to ZyWALL.
All contents copyright (c) 2008 ZyXEL Communications Corporation.
9
27
ZyWALL USG 2000 Support Notes
10) We will setup the FortiGate to ZyWALL policy in the new page. The source interface is
internal and Address name is Fortinet (192.168.2.0/255.255.255.0 address object). The destination interface is wan1 and Address name is Zynet (192.168.1.0/255.255.255.0 address object). Schedule and service type are “always” and “ANY” to ensure that all kinds of traffic can pass through the VPN tunnel at any time. There are three kinds of “Action” available for user to configure, because the traf fic is send from “internal” to WAN and will be encrypted by IPSec VPN tunnel. Thus, we select “IPSEC” as action and chose allow inbound and outbound traffic in the ZyWALL tunnel.
10
11) Switch to Firewall > Policy and click “Create New” button to add new policy for the VPN
traffic from ZyWALL to FortiGate.
11
12) We setup the ZyWALL to FortiGate policy in the new page. The source interface is wan1
and Address name is Zynet (192.168.1.0/255.255.255.0 address object). The destination interface is internal and the Address name is Fortinet (192.168.2.0/255.255.255.0 address object). Schedule and service type are always and ANY to ensure that all kinds of traffic
28
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
can pass through the VPN tunnel at any time. Select “ACCEPT” as an action this time because the traffic sent from wan to internal must be decrypted first and only then can be transmitted. Don’t select the IPSec as the Action in this VPN traffic flow direction.
12
13) The overall firewall policy is shown on the following figure. The VPN tunnel between
ZyWALL and FortiGate has been successfully setup.
13
Tips for application:
1. Make sure the Pre-Shared Key is the same in both local and remo te gateways.
2. Make sure both IKE and IPSec proposal are the same in both local and remote gateways.
3. Make sure the VPN policy route has been configured in ZyWALL USG 2000.
4. Make sure the Firewall rule has been configured in FortiGate.
29
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
1.2.2.2 ZyWALL with NetScreen VPN Tunneling
This section guides how to setup a VPN connection between the ZyWALL USG 2000 and NetScreen 5GT.
As on the figure below, the tunnel between Central and Remote offices ensures the packet flows between them are secure. This is because the packets flowing through the IPSec tunnel are encrypted. The required settings to setup this VPN tunnel using ZyWALL and NetScreen are stated in the following section.
Static IP address
210.110.7.1
Static IP address
167.35.4.3
Internet
Central Office Gateway ZyWALL
LAN: 192.168.1.X
The central office gateway ZyWALL USG 2000’s interface and VPN setting retain the same settings as in the previous example. If you jumped to this section first, please refer to ‘ZyWALL USG 2000 to ZYWALL70 VPN tunnel setting’ on the page 8. This list below is to briefly show the VPN phase1 and phase2 configuration parameters:
ZyWALL NetScreen
WAN: 210.110.7.1
LAN: 192.168.1.0/24
Branch Gateway NetScreen 5GT
LAN: 192.168.2.X
WAN: 167.35.4.3
LAN: 192.168.2.0/24
Phase 1
Negotiation Mode : Main
Pre-share key: 123456789
Negotiation Mode : Main
Pre-share key: 123456789
Encryption :DES
Authentication :MD5
Authentication :MD5
Key Group :DH1
All contents copyright (c) 2008 ZyXEL Communications Corporation.
Phase 1
Encryption :DES
Key Group :DH1
30
Loading...
+ 197 hidden pages