ZyXEL Communications P-202H Plus v2 Support Notes Download Page 21 | Manualshive

Page: 21 / 434

background image

P-202H Plus v2 Support Notes

The above figure indicates the "

triangle route

" topology. It works fine if you turn

off firewall function on P-202H Plus v2 box. However, if you turn on firewall, your
connection will be blocked by firewall because of the following reason.

Step 1. Being the default gateway of PC, P-202H Plus v2 will receive all

"outgoing" traffic from PC.

Step 2. And because of

Static route/Policy Routing

, P-202H Plus v2

forwards the traffic to another gateway (ISDN/Router) which is in

the

same segment

as P-202H Plus v2's LAN.

Step 3. However the return traffic won't go back to P-202H Plus v2, in stead,

the "another gateway (ISDN/Router)" will send back the traffic to PC
directly. Because the gateway (say, P201) and the PC are in the same
segment.

When firewall is turned on, P-202H Plus v2 will check the outgoing traffic by ACL
and create dynamic sessions to allow return traffic to go back. To achieve Anti-
DoS, P-202H Plus v2 will send RST packets to the PC and the peer since it
never receives the TCP SYN/ACK packet. Thus the connection will always be
reset by P-202H Plus v2.

Solutions.

(A) Deploying your second gateway in IP alias segment is a better solution. In
this way, your connection can be always under control of firewall. And thus there
won't be Triangle Route problem.

All contents copyright © 2006 ZyXEL Communications Corporation.

21

«
...
19
20
21
22
23
...
»

Summary of Contents for P-202H Plus v2

Page 1: ...P 202H Plus v2 Support Notes P 202H Plus v2 ISDN Internet Access Router Support Notes Version3 40 June 2006 All contents copyright 2006 ZyXEL Communications Corporation 1...

Page 2: ...ailed up Connection and when do I need to use it 11 18 What are Device filters and Protocol filters 11 19 Why can t I configure device filters or protocol filters 11 20 The P 202H Plus v2 supports to...

Page 3: ...ttack 20 13 What are the default ACL firewall rules in P 202H Plus v2 20 14 Why static policy route be blocked by P 202H Plus v2 20 Configuration 22 1 How do I configure the firewall 22 2 How do I pre...

Page 4: ...lly 32 10 Will ZyXEL support Secure Remote Management 32 11 Does P 202H Plus v2 VPN support NetBIOS broadcast 32 12 What are the difference between the My IP Address and Secure Gateway IP Address in M...

Page 5: ...eway 159 3 P 202H Plus v2 vs 3rd Party VPN Software 208 4 Configure NAT for Internal Servers 346 5 VPN Routing between Branch Offices 347 Support Tool 362 1 Using ZyXEL ISDN D Channel Analyzer EPA 362...

Page 6: ...ng parameters VT100 terminal emulation 9600bps baud rate N81 data format No Parity 8 data bits 1 stop bit The default console port baud rate is 9600bps You can change it to 115200bps in Menu 24 2 2 to...

Page 7: ...H Plus v2 c When the data transfer is finished the P 202H Plus v2 will program the upgraded firmware into FLASH ROM and reboot itself d To backup your firmware use the TFTP client program to get file...

Page 8: ...using the IP address assigned by ISP When reply packets from the external Internet are received by P 202H Plus v2 the original IP source address and TCP UDP source port numbers are written into the de...

Page 9: ...ocedure to capture the PPP log in P 202H Plus v2 is as following To enable the capture of PPP log before a connection is established a Enter SMT Menu 24 8 the CI command mode b Enter sys trcl cl comma...

Page 10: ...No Matched Forward Where a b c d is an IP address on your local network and w x y z is your netmask 16 What is DNS proxy If enabled DNS Proxy allows the P 202H Plus v2 to act as the DNS server for th...

Page 11: ...into two groups One group is called device filter group and the other is called protocol filter group Generic filters belong to the device filter group TCP IP and IPX filters belong to the protocol fi...

Page 12: ...g two channels Yes You can use a CI command to prevent the dial in user from occupying two channels Please enter to menu 24 8 and type the CI command ppp lcp mpin off or on to allow two channels 3 How...

Page 13: ...ng Then pick up the phone to return to the other call 6 Why doesn t call waiting work as expected An incoming caller will receive a busy signal if You have two calls active one active and one on hold...

Page 14: ...t the existing call on hold and receive a dial tone Dial the third party s phone number Caller B Before Caller B picks up the call you can transfer the call by pressing the Flash key The call is autom...

Page 15: ...202H Plus v2 sends a single short ring to your telephone every time a call has been forwarded US switches only 14 Why doesn t my answering machine on POTS port stop recording Most answering machines s...

Page 16: ...SUA Applications page 18 What are the differences between P 202H P 202H Plus and P 202H Plus v2 The differences between P 202H P 202H Plus and P 202H Plus v2 are listed in the following table Feature...

Page 17: ...Conceptually there are three types of firewalls 1 Packet Filtering Firewall 2 Application level Firewall 3 Stateful Inspection Firewall Packet Filtering Firewalls generally make their decisions based...

Page 18: ...hashing function to search the matched session cache instead of going through every individual rule for a packet 5 The P 202H Plus v2 s firewall provides email service to notify you for routine report...

Page 19: ...le the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN ACK responses on what is known as a backlog queue SYN ACKs are moved off the queue only when an ACK c...

Page 20: ...d network To engage in IP Spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall 13 Wha...

Page 21: ...t go back to P 202H Plus v2 in stead the another gateway ISDN Router will send back the traffic to PC directly Because the gateway say P201 and the PC are in the same segment When firewall is turned o...

Page 22: ...ute checking In Web GUI you can find this option in firewall setup page But we would like to notify that if you allow Triangle Route any traffic will be easily injected into the protected network thro...

Page 23: ...firewall is turned on all connections from WAN to LAN are blocked by the default ACL rule To enable Telnet from WAN you must turn the firewall off Menu 21 2 or create a firewall rule to allow Telnet...

Page 24: ...applied in the Input Protocol field in menu 3 1 4 The console port is in use 7 Why can t I upload the firmware and configuration file using FTP over LAN 1 1 You have disabled FTP service in Menu 24 11...

Page 25: ...the old entries when the log has over 128 entries There are three ways to view the firewall log 1 View the log from SMT Menu 21 3 View Firewall Log 2 View the log using CI command sys firewall displa...

Page 26: ...rt A log entry is just added to the log inside the P 202H Plus v2 and e mailed together with all other log entries at the scheduled time as configured An alert is e mailed immediately after an attacke...

Page 27: ...ntication With authentication VPN receiver can verify the source of packets and guarantee the data integrity 2 Encryption With encryption VPN guarantees the confidentiality of the original user data C...

Page 28: ...s compatible with the existing IP standard IPv 4 and also the upcoming one IPv 6 In addition IPSec can protect any protocol that runs on top of IP for instance TCP UDP and ICMP The IPSec provides cryp...

Page 29: ...There are two phases in every IKE negotiation phase 1 Authentication and phase 2 Key Exchange Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec 11 What is Pre Shared K...

Page 30: ...02H Plus v2 VPN support VPN vendors support a number of different authentication methods P 202H Plus v2 VPN supports both SHA1 and MD5 AH provides authentication integrity and replay protection but no...

Page 31: ...8 x x subnet nor in the range 172 16 0 0 172 31 255 255 these address ranges are reserved by internet standard for private LAN numberings behind NAT devices It is usually a static IP so that we can pr...

Page 32: ...Will ZyXEL support Secure Remote Management Yes we will support it and we are working on it currently 11 Does P 202H Plus v2 VPN support NetBIOS broadcast The current 3 40 firmware release does not s...

Page 33: ...t to stay in menu 24 1 27 3 and 24 8 when VPN is in use 15 How do I configure P 202H Plus v2 with NAT for internal servers Generally without IPSec to configure an internal server for outside access we...

Page 34: ...ation never remove the pre IPSec filter rule that bypasses IKE traffic If you do all your attempts to establish any IPSec connection are bound to fail because the negotiations never take place Only wh...

Page 35: ...click SSH icon in system tray click the VPN connection you have setup in Select VPN Packets triggering doesn t work in this case 11 Can P 202H Plus v2 be the initiator of VPN tunnel to Sentinel No Sen...

Page 36: ...202H Plus v2 s LAN port with a crossover red one Ethernet cable If you have more than one PC both the PC s Ethernet adapters and the P 202H Plus v2 s LAN port must be connected to an external hub with...

Page 37: ...properties window Click OK to close the Network window You will be prompted to insert your Windows CD or disk When the drivers are updated you will be asked if you want to restart the PC Make sure yo...

Page 38: ...either enter 0 0 0 0 or you can leave this field blank After saving this menu you will be asked if you want to perform an Internet connection test Select Yes to perform the test If the test fails ple...

Page 39: ...this connection can be encrypted and compressed and multiple network level protocols TCP IP NetBEUI and IPX can be run correctly Windows NT Domain Login level security is preserved even across the In...

Page 40: ...ollowing example shows how to dial to an ISP via the P 202H Plus v2 and then establish a tunnel to a private network There will be three items that you need to set up for PPTP application these are PP...

Page 41: ...emonstrate that remote the Win9x can be reached across the Internet If the Internet connection between two LANs is achive you can place a VPN call from the remote Win9x client For example C ping 203 6...

Page 42: ...then you can always use this IP address for reaching the VPN server In the following example the IP address 140 113 1 225 is dynamically assigned by ISP You must enter this IP address in the VPN Serve...

Page 43: ...UA supports a default server A service request that does not have a server explicitly designated for it is forwarded to the default server If the default server is not defined the service request is s...

Page 44: ...entered in menu 15 to forward the incoming packets to the true destination behind SUA Generally we do not need extra settings of menu 15 for an outgoing connection But for some applications we need t...

Page 45: ...connections firewall and set the firewall time out to 80 seconds in firewall setting Default client IP Cornell 1 1 Cu SeeMe None 7648 client IP White Pine 3 1 2 Cu SeeMe 7648 client IP 24032 client I...

Page 46: ...he same unique IP so only one Quake user will be allowed in this case Moreover when a Quake server is configured behind SUA P 202H Plus v2 will not be able to provide information of that server on the...

Page 47: ...ished the workstations on both LANs will be able to perform any TCP IP applications e g FTP Telnet etc There will be three items that you need to set up These are workstation and the two P 202H Plus v...

Page 48: ...to Win9x Control Panel Network TCP IP Network Adapter for finishing the above settings Setting up the P 202H Plus v2 1 P 202H Plus v2 2 Before configuring the two remote nodes for this application you...

Page 49: ...n CHAP PAP Session Options Pri Phone 5007025 Edit Filter Sets No Sec Phone Idle Timeout sec 100 Press ENTER to Confirm or ESC to Cancel Key Settings o Select the Active field to Yes o Select the Call...

Page 50: ...Remote Node Profile Rem Node Name LAN2 Edit PPP Options No Active Yes Rem IP Addr 202 113 5 1 Call Direction Outgoing Edit IP No Incoming Telco Option Rem Login Transfer Type 64K Rem Password Allocat...

Page 51: ...ll 22 Command Mode 3 Reset ISDN 4 ISDN Connection Test 5 Manual Call TCP IP 11 Internet Setup Test 12 Ping Host Enter Menu Selection Number Manual Call Remote Node N A Host IP Address N A Configuring...

Page 52: ...s Mutual Authen Yes Session Options O G Username test Edit Filter Sets No O G Password Multiple Link Options Max Trans Rate Kbps 128 Callback Budget Management Allocated Budget min 0 Period hr 0 Press...

Page 53: ...Login to the Cisco device hostname o Set Incmoing Rem Password to be the same as Outgoing My Password o Set Outgoing My Login to the System Name value in SMT Menu 1 Note The Cisco device must be conf...

Page 54: ...ress field o DNS Domain Name Server Address the IP address of the DNS server on the remote LAN o Default Gateway the IP address of the P 202H Plus v2 Please find the last three settings in Win9x Dial...

Page 55: ...Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 2B Edit IP Alias No 2 Default Dial in Setup in SMT Menu 13 Menu 13 Default Dial in Setup Telco Options IP Address Supplied By CLID Authen None...

Page 56: ...ials in In our example this would be 192 68 135 10 All the common properties in Menu 13 will be applied to all dial in users Note If the remote user uses the Win9x to dial in the Recv Authen must be s...

Page 57: ...eld of the P 202H Plus v2 5 Filter How does ZyXEL filter work Conceptually there are two categories of filter rules device and protocol The Generic filter rules belong to the device category they act...

Page 58: ...ts 8 LAN device and protocol output filter sets Generic and TCP IP and IPX filter rules are in different filter sets The SMT will detect and prevent the mixing of different category rules within any f...

Page 59: ...0 0 Port 0 Port Comp None Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab N A More No Log None Action Matched Check Next Rule Action Not Matched Check Next Rule Press ENTER to...

Page 60: ...on Outgoing Edit IP No Incoming Telco Option Rem Login N A Transfer Type 64K Rem Password N A Allocated Budget min Rem CLID N A Period hr Call Back N A Schedules Outgoing Carrier Access Code My Login...

Page 61: ...ress Supplied By CLID Authen None Dial in User Yes IP Pool Yes PPP Options IP Start Addr 123 234 111 163 Recv Authen CHAP PAP IP Count 1 4 4 Compression Yes Mutual Authen No Session Options O G Userna...

Page 62: ...traffic to pass to the outside world and receive unwanted outside traffic The first case may incur an enormous ISDN bill the second may lead to a data security hazard In order to avoid operational pro...

Page 63: ...8 bit protocol 16 bit header checksum 32 bit source IP address 32 bit destination IP address Option if any Data UDP Header 0 15 16 31 16 bit source port number 16 bit destination port number 16 bit U...

Page 64: ...mber FTP port IPX header in Menu 24 1 LAN Packet Which Triggered Last Call Type IPX 00 28 01 01 00 00 00 00 FF FF FF FF FF FF 04 53 00 00 00 00 00 00 00 00 00 0004 53 00 01 FF FF FF FF FF 00 00 00 00...

Page 65: ...02H Plus v2 s IP address but it is not available in SUA case since most WAN IP address is dynamically assigned by the ISP So we can only enter 0 0 0 0 as the destination IP in the filter rule Once 0 0...

Page 66: ...Set Number to Configure 3 Edit Comments FTP_WAN Press ENTER to Confirm or ESC to Cancel Rule 1 block the inbound FTP packet TCP 06 protocol with port number 20 Menu 21 3 1 TCP IP Filter Rule Filter 3...

Page 67: ...0 IP Mask 0 0 0 0 Port 21 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confir...

Page 68: ...D N A Period hr Call Back N A Carrier Access Code Outgoing Nailed Up Connection No My Login masterbc Toll Period sec 0 My Password Authen CHAP PAP Session Options Pri Phone 4125678 Edit Filter Sets Ye...

Page 69: ...Web service could be as following a HTTP packet TCP 06 protocol with port number 80 b DNS packet TCP 06 protocol with port number 53 or c DNS packet UDP 17 protocol with port number 53 For all worksta...

Page 70: ...one for a http packet TCP 06 Port number 80 Menu 21 1 1 TCP IP Filter Rule Filter 1 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0...

Page 71: ...k 0 0 0 0 Port Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Rule 3 for c DNS packet UDP 17 Port number 53...

Page 72: ...A 0 0 0 0 N D N 3 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 N D F Then put the filter set number 1 in the Call Filter Set field of SMT menu 11 5 for taking active All contents copyright 2006 ZyXEL Communicatio...

Page 73: ...al client from triggering a call to ISP you can configure a call filter set in P 202H Plus v2 to block the packets from this client After the call filter is applied the packet that is sent from this c...

Page 74: ...from this client Menu 21 1 1 TCP IP Filter Rule Filter 1 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 0 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port Port Comp None So...

Page 75: ...Node Name Hinet Route IP Active Yes Bridge No Call Direction Outgoing Edit PPP Options No Incoming Rem IP Addr 0 0 0 0 Rem Login N A Edit IP IPX Bridge No Rem Password N A Telco Option Rem CLID N A Al...

Page 76: ...lowed to access the Internet or remote node any more A filter for blocking a specific MAC address This configuration example will show you how to use a Generic Filter to block a specific MAC address o...

Page 77: ...61 62 63 64 65 66 0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 0040 77 61 62 63 64 65 66 67 68 69 The detailed format of the Ethernet Version II Ethernet Version II Address 00 80 C8 4C EA 63...

Page 78: ...00 0010 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84 0020 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66 0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 0040 77 61 62 63 64 65 66 67 68 69 2...

Page 79: ...acket does not match the Value In this case we will forward it If you want to configure more rules please select Check Next Rule to start configuring the next new rule However please note that the Fil...

Page 80: ...Destination port number 137 with protocol number 6 TCP o Rule 2 Destination port number 137 with protocol number 17 UDP o Rule 3 Destination port number 138 with protocol number 6 TCP o Rule 4 Destina...

Page 81: ...g the Filter Set number 1 Rule 1 Destination port number 137 with protocol number 6 TCP Menu 21 1 1 TCP IP Filter Rule Filter 1 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Rout...

Page 82: ...n Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Rule 3 Destination port number 138 with protocol number 6 TCP Menu 21 1 3 TCP IP Filter Rule Filter 1 3 Filter...

Page 83: ...0 Port 138 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab N A More No Log None Action Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or...

Page 84: ...ilter Rule Filter 1 6 Filter Type TCP IP Filter Rule Active Yes IP Protocol 17 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 139 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0...

Page 85: ...5 for taking active You can enter to the menu 11 5 by selecting the Edit Filter Sets in menu 11 1 to Yes Menu 11 1 Remote Node Profile Rem Node Name hinet Route IP Active Yes Bridge No Call Direction...

Page 86: ...CP Menu 21 2 1 TCP IP Filter Rule Filter 2 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 53 Port Comp Equal Source IP Ad...

Page 87: ...rd Press ENTER to Confirm or ESC to Cancel After the first filter set is finished you will see the complete rules summary as below Menu 21 2 Filter Rules Summary A Type Filter Rules M m n 1 Y IP Pr 6...

Page 88: ...Active use the space bar to turn on the syslog option 2 Syslog IP Address enter the IP address of the UNIX server that you wish to send the syslog 3 Log Facility use the space bar to toggle between th...

Page 89: ...is field is set to Yes Filter log No filters are logged when this field is set to No Filters with the individual filter Log field set to Yes are logged when this field is set to Yes PPP log PPP events...

Page 90: ...PXHC 4 BPDU 5 ATALK 6 IPNG Data We will send forty eight Hex characters to the server Example Jul 19 11 28 39 192 168 102 2 ZyXEL Communications Corp Packet Trigger Protocol 1 Data 4500003c100100001f0...

Page 91: ...EL Communications Corp ppp LCP Starting Jul 19 11 43 29 192 168 1 1 ZyXEL Communications Corp ppp IPCP Starting Jul 19 11 43 34 192 168 1 1 ZyXEL Communications Corp ppp CCP Starting Jul 19 11 43 38 1...

Page 92: ...unications Corp Call Connect Dir 2 Remote Call 5783942 Local Call 1 Jul 19 12 08 29 192 168 1 1 ZyXEL Communications Corp Call DisConnect Dir 2 Remote Call 2453140 Local Call 1 7 ISDN Leased Line Setu...

Page 93: ...the Leased Leased is configured in Menu 2 it allows a 128K leased connection to a remote node or allows MP bundling to a remote node Menu 4 Internet Access Setup ISP s Name hinet Pri Phone N A Sec Pho...

Page 94: ...again When you have configured and saved Menu 4 you should see that you have created a remote node in Menu 11 You can perform more advanced configuration options to this remote node in this menu LAN...

Page 95: ...PPP Options No Active Yes Rem IP Addr 140 113 1 1 Call Direction Edit IP No Incoming Telco Option Rem Login Transfer Type Leased Rem Password Allocated Budget min Rem CLID N A Period hr Call Back N A...

Page 96: ...he phone to ring Then pick up the phone to return to the other call Why doesn t call waiting work as expected An incoming caller will receive a busy signal if You have two calls active one active and...

Page 97: ...the existing call on hold and receive a dial tone Dial the third party s phone number Caller B Before Caller B picks up the call you can transfer the call by pressing the Flash key The call is automa...

Page 98: ...d press the Flash key Dial 3n where n is any number from 1 to 9 but should be identical to that used above What is reminder ring The P 202H Plus v2 sends a single short ring to your telephone every ti...

Page 99: ...s v2 receives packets on its BRI port destined for one of the DCP clients the router formats the packet as a DCP message and sends it to the corresponding client Supported applications 1 G3 G4 FAX tra...

Page 100: ...es Max Number of Registered Users 5 Incoming Data Call Number Matching NetCAPI Access List Start IP End IP Operation 192 168 1 33 192 168 1 36 Both 0 0 0 0 0 0 0 0 None 0 0 0 0 0 0 0 0 None 0 0 0 0 0...

Page 101: ...ers the call as a CAPI call and forward it to the CAPI client 4 Access List Enter the IP range of the valid NetCAPI clients with desired operation direction Operation Incoming this permits the clients...

Page 102: ...245 CC 1 S IDLE 01 E LISTENREQ 05 Func DCPListenReq dcp fsm clear To clear the NetCAPI state machine log use the dcp fsm clear command dcp trcp sw on on off To enable disable the NetCAPI packet log us...

Page 103: ...swords are sent encrypted between the client and RADIUS server to eliminate the possibility that someone snooping on an unsecured network could determine a user s password There has been some confusio...

Page 104: ...ication requests and their encryption key The first field is a valid hostname for the client The second field separated by blanks or tabs is the encryption key Client Name Key portmaster1 testing123 2...

Page 105: ...thout answering the call The phone number used for calling back is captured from the D channel message So if your local ISDN switch is able to carry the calling party number the P 202H Plus v2 can use...

Page 106: ...ing in menu 11 1 must be entered for the CLID authentication The Callback setting in menu 11 1 must be toggled to Yes The Outgoing user information in menu 11 1 must be entered The Outgoing Phone numb...

Page 107: ...l Period sec 0 My Password Session Options Authen CHAP PAP Edit Filter Sets No Pri Phone 20000 Idle Timeout sec 300 Sec Phone Press ENTER to Confirm or ESC to Cancel CLID Settings Option Description R...

Page 108: ...ote CLID setting in menu 14 1 must be entered for the CLID authentication The following SMT only show the main settings of the CLID callback you can refer to the user s manual or the support note for...

Page 109: ...User User Name test Active Yes Password Callback Mandatory Phone Supplied by Caller No Callback Phone 20000 Rem CLID 20000 Idle Timeout 300 CLID Settings Option Description Call Back Toggle to Mandato...

Page 110: ...ations are available but these can be simulated by the setting of flag variables For example to reset a node a counter variable named time to reset could be set to a value causing the node to reset af...

Page 111: ...evices 2 Writes Write is used to control the managed devices NMSs write variables that are stored in the managed devices 3 Traversal operations NMSs use these operations to determine which variables a...

Page 112: ...he NMS to retrieve the next object variable from a table or list within an agent In SNMPv1 when a NMS wants to retrieve all elements of a table from an agent it initiates a Get operation followed by a...

Page 113: ...h a particular object variable Variable bindings Associates particular object with their value 2 ZyXEL SNMP Implementation ZyXEL currently includes SNMP support in some P 202H Plus v2 routers It is im...

Page 114: ...t number is its interface index under the interface group 5 authenticationFailure defined in RFC 1215 When receiving any SNMP get or set requirement with wrong community this trap is sent to the manag...

Page 115: ...s v2 for SNMP The SNMP related settings in P 202H Plus v2 are configured in menu 22 SNMP Configuration The following steps describe a simple setup procedure for configuring all SNMP settings Menu 22 S...

Page 116: ...lic Trusted Host Enter the IP address of the NMS The P 202H Plus v2 will only respond to SNMP messages coming from this IP address If 0 0 0 0 is entered the P 202H Plus v2 will respond to all NMS mana...

Page 117: ...ill be filtered out by the P 202H Plus v2 thus preventing intruders from probing your network The SUA feature that the P 202H Plus v2 supports previously operates by mapping the private IP addresses t...

Page 118: ...Overload mode the P 202H Plus v2 maps the multiple ILA to shared IGA 4 Many to Many No Overload In Many to Many No Overload mode the P 202H Plus v2 maps each ILA to unique IGA 5 Server In Server mode...

Page 119: ...2H Plus v2 supports NAT sets on a remote node basis They are reusable but only one set is allowed for each remote node The P 202H Plus v2 312 supports 2 sets since there is only one remote node The de...

Page 120: ...ows how you apply NAT to the remote node in menu 11 1 Menu 11 3 Remote Node Network Layer Options Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT SUA Only Address Mapping Set N A M...

Page 121: ...nu 15 1 see later for further discussion This option us basically Many to One Overload mapping Select Full Feature when you require other mapping types It is a convenient pre configured read only Many...

Page 122: ...ere are 8 remote nodes and so allows you to configure 8 NAT Address Mapping Sets The NAT Server Set is a list of LAN side servers mapped to external ports To use this set one set for the P312 a server...

Page 123: ...me of the set you selected in Menu 15 1 or enter the name of a new set you want to create SUA Idx This is the index or rule number 1 Local Start IP This is the starting local IP address ILA 0 0 0 0 fo...

Page 124: ...ield means that this is a required field and you must enter a name for the set The description of the other fields is as described above The Type Local and Global Start End IPs are configured in Menu...

Page 125: ...each rule is executed in turn beginning from the first rule Selecting Edit in the Action field and then selecting a rule brings up the following menu Menu 15 1 1 1 Address Mapping Rule in which you c...

Page 126: ...IPs the End IP address must begin after the IP Start address i e you cannot have an End IP address beginning before the Start IP address NAT Server Sets The NAT Server Set is a list of LAN side server...

Page 127: ...port number in the Port field and the inside IP address of the server in the IP Address field Step 4 Press SPACEBAR at the Press ENTER to confirm prompt to save your configuration after you define al...

Page 128: ...Name Server 53 www http Web 80 PPTP Point to Point Tunneling Protocol 1723 Examples 1 Internet Access Only 2 Internet Access with an Internal Server 3 Using Multiple Global IP addresses for clients a...

Page 129: ...tions Transfer Type 64K Multilink Off Idle Timeout 100 Press ENTER to Confirm or ESC to Cancel From Menu 4 shown above simply choose the SUA Only option from the NAT field This is the Many to One mapp...

Page 130: ...Server behind the NAT as shown in the NAT as shown below Menu 15 2 NAT Server Setup Used for SUA Only Rule Start Port No End Port No IP Address 1 Default Default 0 0 0 0 2 80 80 192 168 1 33 3 0 0 0...

Page 131: ...GA1 Rule 2 One to One type to map the FTP Server 2 with ILA2 192 168 1 11 to IGA2 Rule 3 Many to One type to map the other clients to IGA3 Rule 4 Server type to map a web server and mail server with I...

Page 132: ...ng this new set Enter a Set Name choose the Edit Action and then select 1 from Select Rule field Press ENTER to confirm See the following setup for the four rules in our case Rule 1 Setup Select One t...

Page 133: ...P Start Enter IGA2 End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel Rule 3 Setup Select Many to One type to map the other clients to IGA3 Menu 15 1 1 3 Rule 3 Type Many to One Lo...

Page 134: ...apping Set 2 Press ENTER to Confirm or ESC to Cancel When we have configured all four rules Menu 15 1 1 should look as follows Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Lo...

Page 135: ...0 0 0 5 0 0 0 0 0 0 6 0 0 0 0 0 0 7 0 0 0 0 0 0 8 0 0 0 0 0 0 9 0 0 0 0 0 0 10 0 0 0 0 0 0 11 0 0 0 0 0 0 12 0 0 0 0 0 0 Press ENTER to Confirm or ESC to Cancel 4 Support Non NAT Friendly Application...

Page 136: ...No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start Enter IGA1 End Enter IGA3 Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel The three rules configured for using...

Page 137: ...nfirm or ESC to Cancel Menu 15 1 1 2 Rule 2 Type One to One Local IP Start 192 168 1 11 End N A Global IP Start Enter IGA2 End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel All co...

Page 138: ...P 202H Plus v2 Support Notes Global IP Start Enter IGA3 End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel All contents copyright 2006 ZyXEL Communications Corporation 138...

Page 139: ...wo distincts and disparate networks become one by connecting them with a tunnel secured by IPSec Tunnel mode IPSec in tunnel mode is normally used when the ultimate destination of the packet is differ...

Page 140: ...following configurations are supposed both two VPN gateways have fixed IP addresses If one of VPN gateways uses dynamic IP we enter 0 0 0 0 as the secure gateway IP address In this case the VPN conne...

Page 141: ...n IP Address End are PC 2 IP in this example the secure remote host 8 My IP Addr is the WAN IP of P 202H Plus v2 A 9 Secure Gateway IP Addr is the remote secure gateway IP that is P 202H Plus v2 B WAN...

Page 142: ...P 202H Plus v2 Support Notes See the screen shot All contents copyright 2006 ZyXEL Communications Corporation 142...

Page 143: ...ssing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs which are secure channels for data...

Page 144: ...ion Mode to Main as we configured in P 202H Plus v2 A 6 Source IP Address Start and Source IP Address End are PC 2 IP in this example the secure host behind P 202H Plus v2 B 7 Destination IP Address S...

Page 145: ...gorithm to DES and Authentication Algorithm to MD5 as we configured in P 202H Plus v2 A 13 Enter the key string 12345678 in the Preshared Key text box and click Apply See the screen shot All contents...

Page 146: ...ssing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs which are secure channels for data...

Page 147: ...o methods to troubleshoot IPSec in P 202H Plus v2 Menu 27 2 SA Monitor Through menu 27 2 you can monitor every IPSec connections running in P 202H Plus v2 presently The second column of each entry ind...

Page 148: ...analysis The following shows an example of dumped messages P 202H Plus v2 ipsec debug 1 IPSEC debug level 1 P 202H Plus v2 catcher recv pkt numPkt 1 get_hdr nxt_payload 1 exchMode 2 m_id 0 len 80 f76a...

Page 149: ...M Receiving IKE Packet 15 013 01 Jan 00 15 19 Sending IKE Packet 15 Clear IPSec Log y n Note the Log column in the current 3 50 WA 0 firmware just shows the IKE state flow In the future firmware we wi...

Page 150: ...Plus v2 PC2 202 132 155 33 LAN 202 132 171 1 WAN 202 132 170 1 202 132 171 33 1 Setup Soft PK VPN 1 Open Soft PK Security Policy Editor 2 Add a new connection named P 202H Plus v2 as shown below 3 Se...

Page 151: ...choose IP Address option and enter the IP address of the remote PC PC 2 in this case 5 Check Connect using Secure Gateway Tunnel please also select IP Address as ID Type and enter P 202H Plus v2 s WA...

Page 152: ...lus v2 icon you may see My Identity 7 Click My Identity click the Pre Shared Key icon in the right side of the window 8 Enter a key you that later you will also need to configure in P 202H Plus v2 in...

Page 153: ...P 202H Plus v2 Support Notes Security Policy Settings All contents copyright 2006 ZyXEL Communications Corporation 153...

Page 154: ...Security Policy icon you will see two icons Authentication Phase 1 and Key Exchange Phase 2 11 The settings shown in the following two figures for both Phases are our examples You can choose any but...

Page 155: ...P 202H Plus v2 Support Notes v2 All contents copyright 2006 ZyXEL Communications Corporation 155...

Page 156: ...IP Address End are PC 2 IP in this example the secure host behind P 202H Plus v2 7 Destination IP Address Start and Destination IP Address End are PC 1 in this example the secure remote host Note You...

Page 157: ...P 202H Plus v2 Support Notes Figure 8 See the VPN rule screen shot All contents copyright 2006 ZyXEL Communications Corporation 157...

Page 158: ...dit IKE Setup option in menu27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Page 159: ...a pipe indicates a secure connection between two devices 2 P 202H Plus v2 vs 3rd Party VPN Gateway P 202H Plus v2 to P 202H Plus v2 Tunneling This page guides us to setup a VPN connection between two...

Page 160: ...N 192 168 2 1 WAN 168 10 10 66 192 168 2 33 Note The following configurations are supposed both two VPN gateways have fixed IP addresses If one of VPN gateways uses dynamic IP we enter 0 0 0 0 as the...

Page 161: ...Plus v2 A 7 Destination IP Address Start and Destination IP Address End are PC 2 IP in this example the secure remote host 8 My IP Addr is the WAN IP of P 202H Plus v2 A 9 Secure Gateway IP Addr is th...

Page 162: ...P 202H Plus v2 Support Notes See the screen shot If you use SMT management the VPN configurations are as shown below All contents copyright 2006 ZyXEL Communications Corporation 162...

Page 163: ...for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs which are secure channels for data transmission Note that any configu...

Page 164: ...ion Mode to Main as we configured in P 202H Plus v2 A 6 Source IP Address Start and Source IP Address End are PC 2 IP in this example the secure host behind P 202H Plus v2 B 7 Destination IP Address S...

Page 165: ...Algorithm to MD5 as we configured in P 202H Plus v2 A 13 Enter the key string 12345678 in the Preshared Key text box and click Apply See the screen shot If you use SMT management the VPN configuration...

Page 166: ...for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs which are secure channels for data transmission Note that any configu...

Page 167: ...re two methods to troubleshoot IPSec in P 202H Plus v2 Menu 27 2 SA Monitor Through menu 27 2 you can monitor every IPSec connections running in P 202H Plus v2 presently The second column of each entr...

Page 168: ...our analysis The following shows an example of dumped messages P 202H Plus v2 ipsec debug 1 IPSEC debug level 1 P 202H Plus v2 catcher recv pkt numPkt 1 get_hdr nxt_payload 1 exchMode 2 m_id 0 len 80...

Page 169: ...Jan 10 23 26 Send ID HASH 008 01 Jan 10 23 26 Recv ID HASH 009 01 Jan 10 23 26 Phase 1 IKE SA process done 010 01 Jan 10 23 26 Start Phase 2 Quick Mode 011 01 Jan 10 23 26 Send HASH SA NONCE ID ID 01...

Page 170: ...also dynamic IP we enter 0 0 0 0 as its My IP Address When this IP is given by ISP it will update to this field 1 Setup P 202H Plus v2 1 Login P 202H Plus v2 by giving the LAN IP address of P 202H Plu...

Page 171: ...click Apply See the screen shot 2 Setup Cisco All contents copyright 2006 ZyXEL Communications Corporation 171 There are two ways to configure Cisco VPN use commands from console or use Cisco ConfigMa...

Page 172: ...been connected to your PC If the router is detected successfully a Cisco router should appear in the Network Diagram Window 3 Click right button of the mouse choose Device Properties In Passwords tab...

Page 173: ...creen shot 5 Layout your network topology in the Network Diagram as shown below You may choose network components such as hosts Internet Ethernet LAN from the Devices window All contents copyright 200...

Page 174: ...e screen shot 6 Connect the network components by Ethernet from the Connections window in the left bottom Specify the WAN and LAN IP addresses to P 202H Plus v2 and Cisco All contents copyright 2006 Z...

Page 175: ...Plus v2 Support Notes See the screen shot 7 Select VPN from Connections window During this stage you have to enter the pre shared key 12345678 All contents copyright 2006 ZyXEL Communications Corporat...

Page 176: ...Note that the parameters you set here should match settings in P 202H Plus v2 In IKE Advanced Settings Encryption Algorithm is 56 bit DES Authentication Algorithm is MD5 and the SA lifetime is 1 hr I...

Page 177: ...P 202H Plus v2 Support Notes See the screen shot 9 Choose the Cisco router and click Deliver to save the settings All contents copyright 2006 ZyXEL Communications Corporation 177...

Page 178: ...sec transform set cm transformset 1 esp des esp md5 hmac 12 After all of the settings if PC1 and PC2 can reach each other then IPSec VPN has been established successfully There is also an useful comma...

Page 179: ...p ip dhcp pool 1 network 192 168 2 0 255 255 255 0 default router 192 168 2 1 ip audit notify log ip audit po max events 100 ip ssh time out 120 ip ssh authentication retries 3 no ip dhcp client netwo...

Page 180: ...rnetLAN_1 ip address 192 168 2 1 255 255 255 0 speed auto router rip version 1 passive interface Ethernet0 network 140 113 0 0 network 192 168 2 0 no auto summary ip classless ip route 0 0 0 0 0 0 0 0...

Page 181: ...ing sections The IP addresses we use in this example are as shown below PC 1 P 202H Plus v2 Sonicwall PC 2 192 168 1 33 LAN 192 168 1 1 WAN 202 132 154 1 LAN 192 168 181 1 WAN 168 10 10 66 192 168 181...

Page 182: ...Address Start and Source IP Address End are PC 1 IP in this example the secure host behind P 202H Plus v2 7 Destination IP Address Start and Destination IP Address End are PC 2 IP in this example the...

Page 183: ...LL default is 192 168 168 1 2 Click Gernal menu and click Network tab 3 Select NAT Enabled as the Network Addressing Mode 4 In LAN Settings enter a LAN IP and Subnet Mask for SonicWALL 5 In WAN Settin...

Page 184: ...ion give a name for this SA 13 In IPSec Gateway Address enter P 202H Plus v2 WAN IP 14 In Encryption Method option select Encrypt and Authenticate ESP DES HMAC MD5 15 In Shared Secret option enter 123...

Page 185: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 185 If the SA is up you can see a new button Renegotiate appears in the Summary screen...

Page 186: ...sses If one of VPN gateways uses dynamic IP we enter 0 0 0 0 as the secure gateway IP address In this case the VPN connection can only be initiated from dynamic side to fixed side to update its dynami...

Page 187: ...re remote host 8 My IP Addr is the WAN IP of P 202H Plus v2 9 Secure Gateway IP Addr is the remote secure gateway IP that is WatchGuard WAN IP in this example 10 Select Encapsulation Mode to Tunnel 11...

Page 188: ...IP of PC2 click OK 3 In External Interface enter the WAN IP for WatchGuard and in Trusted Interface enter the LAN IP for WatchGuard Then click Next 4 Enter the Default Gateway of WatchGuard then clic...

Page 189: ...he configuration file to be uploaded 8 In the WatchGuard Control Center click on the Policy Manager icon 9 Pull down Network Branch Office VPN IPSec See the figure below 10 Click Gateway and click Add...

Page 190: ...Click Tunnels and click Add 14 Select the Gateway you had created and click OK 15 Enter a name in Name field for this Tunnel 16 Click Dynamic Security tab select Type Authentication and Encryption for...

Page 191: ...ESP MD5 HMAC DES CBC 18 Click Add in the main menu to Add Routing Policy 19 In Local Host enter PC1 IP in Remote Host enter PC2 IP then select Secure in Disposition and Tunnel you had created Then cl...

Page 192: ...gure shown below the tunnel between PC 1 and PC 2 ensures the packets flow between them are secure To setup this VPN tunnel the required settings for P 202H Plus v2 and NETSCREEN are explained in the...

Page 193: ...Y menu Select a policy to edit by clicking Edit 4 On the CONFIGURE IKE menu check Active check box and give a name to this policy 5 Select IPSec Keying Mode to IKE and Negotiation Mode to Main as we c...

Page 194: ...P 202H Plus v2 Support Notes See the screen shot If you use SMT management the VPN configurations are as shown below All contents copyright 2006 ZyXEL Communications Corporation 194...

Page 195: ...menu27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs whic...

Page 196: ...t 1 Click Address menu and click Trusted tab 2 Click New Address to add the local secure host 192 168 78 5 in this example and give a name to this host address Local Secure Host in this example See th...

Page 197: ...s example and give a name to this host address Remote Secure Host in this example See the screen shown below Note The Netmask field here for single IP is 255 255 255 255 Please do not enter the wrong...

Page 198: ...policy 3 Give a name to the policy 4 Select the Local Secure Host that we configured above as the Source Address 5 Select the Remote Secure Host that we configured above as the Destination Address 6...

Page 199: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 199 8 Click Policy menu and click Incoming tab...

Page 200: ...mote Secure Host that we configured above as the Source Address 12 Select the Local Secure Host that we configured above as the Destination Address 13 Select ANY as the Service 14 For the rest setting...

Page 201: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 201...

Page 202: ...e as the Authentication Method 5 Select Group 1 as DH Group 6 Select DES CBC as Encryption Algorithm 7 Select MD5 as Hash Algorithm 8 Enter 3600 in Lifetime field check Sec checkbox See the sceen shot...

Page 203: ...y to add the local VPN gateway i e NETSREEN 3 Give a name to this gateway for example NETSCREEN 4 Click Static IP Address as for this example 5 Enter WAN IP of NETSCREEN in the IP Address field 6 Sele...

Page 204: ...dd the remote VPN gateway i e P 202H Plus v2 9 Give a name to this gateway for example P 202H Plus v2 10 Click Static IP Address as for this example 11 Enter WAN IP of P 202H Plus v2 in the IP Address...

Page 205: ...Click VPN menu and click AutoKey IKE tab 2 Click New AutoKey IKE Entry to add the entry for the local gateway i e NETSCREEN 3 Select NETSCREEN as the Remote Gateway Tunnel Name 4 Select P 202H Plus v...

Page 206: ...AutoKey IKE Entry to add the entry for the remote gateway i e P 202H Plus v2 7 Select P 202H Plus v2 as the Remote Gateway Tunnel Name 8 Select P 202H Plus v2 as Phase 2 Proposal and click OK to save...

Page 207: ...een finished you can start to access the remote secure PC If the VPN is established successfully you can see the traffic flow from the Traffic Log by clicking Log menu See the following screen shot Al...

Page 208: ...otes You can also see the current active user from the Active Log by clicking Log menu See the following screen shot 3 P 202H Plus v2 vs 3rd Party VPN Software All contents copyright 2006 ZyXEL Commun...

Page 209: ...them are secure Because the packets go through the IPSec tunnel are encrypted To setup this VPN tunnel the required settings for the software and P 202H Plus v2 are explained in the following The IP a...

Page 210: ...LAN segment of P 202H Plus v210 In this example we setup P 202H Plus v210 as DHCP server and it s LAN IP address is 192 168 99 1 Edit Internet Access of P 202H Plus v210 All contents copyright 2006 Zy...

Page 211: ...P 202H Plus v2 Support Notes In SMT menu 27 create a VPN rule like following All contents copyright 2006 ZyXEL Communications Corporation 211...

Page 212: ...rk objects Click on New Network define the LAN segment of P 202H Plus v2 Select Locationa as External Note Internal and external refer to whether this network is protected behind the Checkpoint or not...

Page 213: ...nal If there are more than one network would like to utilize the VPN tunnel You can merge the networks into one group Go to Manage Network Objects Click on New Group Fill in the properties for the gro...

Page 214: ...VPN Objects Define P 202H Plus v2 box as a tunnel end point Name SOHO_TEST Select VPN tab to define the protected domain of ZW and the Encryption schemes used by the tunnel All contents copyright 2006...

Page 215: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 215...

Page 216: ...nel endpoint Select VPN tab to define the protected domain of Checkpoint and the Encryption schemes used by the tunnel Choose IKE and press Edit to edit the Phase1 parameters and pre shared key All co...

Page 217: ...press Edit Secretes Select SOHO_TEST as peer and input the pre shared key Define VPN policy Create a new rule at or near the top of the policy This rule should include both encryption domains as both...

Page 218: ...s we need to setup for this case They are WIN2K VPN software and P 202H Plus v2 router All contents copyright 2006 ZyXEL Communications Corporation 218 As the figure shown below the tunnel between PC...

Page 219: ...C2 172 21 1 232 LAN 192 168 1 1 WAN 172 21 1 252 192 168 1 33 1 Setup WIN2K VPN Create a custom MMC console 1 From Windows desktop click Start click Run and in the Open textbox type MMC Click OK 2 On...

Page 220: ...P 202H Plus v2 Support Notes 3 In the Add Remove Snap In dialog box click Add All contents copyright 2006 ZyXEL Communications Corporation 220...

Page 221: ...4 In the Add Standalone Snap in dialog box click Computer Management and then click Add 5 Verify that Local Computer default setting is selected and click Finish All contents copyright 2006 ZyXEL Com...

Page 222: ...dalone Snap in dialog box click Group Policy and then click Add 7 Verify that Local Computer default setting is selected in the Group Policy Object dialog box and then click Finish All contents copyri...

Page 223: ...8 In the Add Standalone Snap in dialog box click Certifications and then click Add 9 In the Certificates snap in dialog box select Computer account and click Next All contents copyright 2006 ZyXEL Co...

Page 224: ...Support Notes 10 Verify that Local Computer default setting is selected and click Finish 11 Click Close to close the Add Standalone Snap in dialog box All contents copyright 2006 ZyXEL Communications...

Page 225: ...s an local IPSec policy In this case you can create an Organization Unit OU in Active Directory to make your WIN2K as a member of this OU by assigning the IPSec policy to the Group Policy Object GPO o...

Page 226: ...click IP Security Policies on Local Machine and then click Create IP Security Policy 3 Click Next and type a name for your policy For example WIN2K to P 202H Plus v2 Tunnel All contents copyright 2006...

Page 227: ...P 202H Plus v2 Support Notes 4 Uncheck Active the default response rule check box and click Next All contents copyright 2006 ZyXEL Communications Corporation 227...

Page 228: ...t Notes 5 Keep the Edit properties check box selected and click Finish 5 A dialog window will bring up for you to configure two filter rules for this policy All contents copyright 2006 ZyXEL Communica...

Page 229: ...ndpoints so we need two filter rules One is for the direction from PC 1 to PC 2 endpoint is P 202H Plus v2 and the other is from PC 2 to PC 1 endpoint is WIN2K In each rule a source IP and destination...

Page 230: ...P 202H Plus v2 Support Notes 2 On the IP Filter List tab click Add All contents copyright 2006 ZyXEL Communications Corporation 230...

Page 231: ...202H Plus v2 Support Notes 3 Type a name for the filter list e g WIN2K to P 202H Plus v2 uncheck Use Add Wizard check box and click Add All contents copyright 2006 ZyXEL Communications Corporation 23...

Page 232: ...P 202H Plus v2 Support Notes 4 In the Source address choose A specific IP Address and enter the IP address of PC 1 All contents copyright 2006 ZyXEL Communications Corporation 232...

Page 233: ...Plus v2 Support Notes 5 In the Destination address choose A specific IP Address and enter the IP address of PC 2 6 Uncheck Mirror check box All contents copyright 2006 ZyXEL Communications Corporatio...

Page 234: ...cause IPSec tunnels do not support protocol specific or port specific filters 8 On the Description tab you can give a name for this filter list The filter name is displayed in the IPSec monitor when t...

Page 235: ...Plus v2 Support Notes 9 Click OK and Close to close the windows Build a Filter List from PC 2 to PC 1 1 On the IP Filter List tab click Add All contents copyright 2006 ZyXEL Communications Corporatio...

Page 236: ...or the filter list e g P 202H Plus v2 to WIN2K uncheck Use Add Wizard check box and click Add 3 In the Source address choose A specific IP Address and enter the IP address of PC 2 All contents copyrig...

Page 237: ...Plus v2 Support Notes 4 In the Destination address choose A specific IP Address and enter the IP address of PC 1 5 Uncheck Mirror check box All contents copyright 2006 ZyXEL Communications Corporatio...

Page 238: ...2 Support Notes 6 On the Protocol tab leave the protocol type to Any because IPSec tunnels do not support protocol specific or port specific filters All contents copyright 2006 ZyXEL Communications Co...

Page 239: ...escription tab you can give a name for this filter list The filter name is displayed in the IPSec monitor when the tunnel is active 8 Click OK and Close to close the windows All contents copyright 200...

Page 240: ...e first filter list you created above from the IP Filter List For example WIN2K to P 202H Plus v2 2 Click Tunnel Setting tab enter the remote endpoint For this filter list the remote IPSec endpoint is...

Page 241: ...rk connections or click LAN connections if your WIN2K does not connect to ISP but LAN In our example we choose All network connections 4 Click Filter Action tab uncheck Use Add Wizard check box and cl...

Page 242: ...ng IPSec check box You must do this to ensure secure connections 6 Click Add and select Custom for expert users if you want to define specific algorithms and session key lifetimes Please make sure the...

Page 243: ...02H Plus v2 Support Notes 7 Click OK On the General tab give a name to the filter action For example WIN2K to P 202H Plus v2 and click OK All contents copyright 2006 ZyXEL Communications Corporation 2...

Page 244: ...on you just created 9 On the Authentication Methods tab click Add to select Use this string to protect the key exchange pre shared key option And enter the string 12345678 in the text box All contents...

Page 245: ...P 202H Plus v2 Support Notes 10 Click OK See the finished screen shot All contents copyright 2006 ZyXEL Communications Corporation 245...

Page 246: ...to PC 1 tunnel 1 In the IPSec policy properties click Add to create a new rule 2 Select the second filter list you created above from the IP Filter List For example P 202H Plus v2 to WIN2K All conten...

Page 247: ...filter list the remote IPSec endpoint is WIN2K 4 Click Connection Type tab click All network connections or click LAN connections if your WIN2K does not connect to ISP but LAN In our example we choos...

Page 248: ...Notes 5 Click Filter Action tab select the filter action you created 6 On the Authentication Method tab configure the same settings as done in the first rule All contents copyright 2006 ZyXEL Communic...

Page 249: ...us v2 Support Notes 7 Click Close 8 Enable both rules you created in the policy properties and click Close Figure 5 See the finished screen shot All contents copyright 2006 ZyXEL Communications Corpor...

Page 250: ...ows 2000 1 In the IP Security Policies on Local Machine MMC snap in right click your new policy and click Assign 2 A green arrow will appear in the folder icon next to your policy See the screen shot...

Page 251: ...lect IPSec Keying Mode to IKE and Negotiation Mode to Main as we configured in WIN2K 6 Source IP Address Start and Source IP Address End are PC 2 IP in this example the secure host behind P 202H Plus...

Page 252: ...es Figure 8 See the VPN rule screen shot If you use SMT management the VPN configurations are as shown below Menu 27 1 1 IPSec Setup Index 1 Name P 202H Plus v2 All contents copyright 2006 ZyXEL Commu...

Page 253: ...sing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs which are secure channels for data t...

Page 254: ...lus v2 ensures the packets flow between them are secure Because the packets go through the IPSec tunnel are encrypted To setup this VPN tunnel the required settings for the software and P 202H Plus v2...

Page 255: ...choose IP Address option and enter the IP address of the remote PC PC 2 in this case 5 Check Connect using Secure Gateway Tunnel please also select IP Address as ID Type and enter P 202H Plus v2 s WA...

Page 256: ...lus v2 icon you may see My Identity 7 Click My Identity click the Pre Shared Key icon in the right side of the window 8 Enter a key you that later you will also need to configure in P 202H Plus v2 in...

Page 257: ...P 202H Plus v2 Support Notes Security Policy Settings All contents copyright 2006 ZyXEL Communications Corporation 257...

Page 258: ...Security Policy icon you will see two icons Authentication Phase 1 and Key Exchange Phase 2 11 The settings shown in the following two figures for both Phases are our examples You can choose any but t...

Page 259: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 259...

Page 260: ...IP Address End are PC 2 IP in this example the secure host behind P 202H Plus v2 7 Destination IP Address Start and Destination IP Address End are PC 1 in this example the secure remote host Note You...

Page 261: ...P 202H Plus v2 Support Notes Figure 8 See the VPN rule screen shot All contents copyright 2006 ZyXEL Communications Corporation 261...

Page 262: ...dit IKE Setup option in menu27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Page 263: ...be several devices we need to setup for this case They are Linux FreeS WAN and P 202H Plus v2 router As the figure shown below the tunnel between PC 1 and P 202H Plus v2 ensures the packets flow betw...

Page 264: ...resume that your Linux s kernel has been compiled to support FreeS WAN and FreeS WAN has been also installed successfully in your system You can refer to the following URL for more information http ww...

Page 265: ...Keying Mode to IKE and Negotiation Mode to Main Linux FreeS WAN only supports Main mode 6 In Local section choose Subnet Address as Address Type Source IP Address Start is 192 168 0 0 and End is 255 2...

Page 266: ...Advanced button to check IPSec Phase 1 and Phase 2 parameters Please note that Linux FreeS WAN only supports 3DES as encryption algorithm and DH2 or upper as key exchange group All contents copyright...

Page 267: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 267...

Page 268: ...space bar and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate IPSec SAs which are used for dat...

Page 269: ...and P 202H Plus v2 router As the figure shown below the tunnel between PC 1 with Sentinel installed and P 202H Plus v2 ensures the packets flow between them are secure Because the packets go through...

Page 270: ...2 172 21 1 232 LAN 192 168 1 1 WAN 172 21 1 252 192 168 1 33 1 Setup Sentinel 1 From Tool Tray of Windows system right click on your SSH Sentinel icon and then choose Run Policy Editor 2 Choose Key Ma...

Page 271: ...P 202H Plus v2 Support Notes 3 Select Create a preshared key and press Next All contents copyright 2006 ZyXEL Communications Corporation 271...

Page 272: ...Give this preshared key a name P 202H Plus v2 And then enter the preshared key 12345678 in both Shared secret and Confirm shared secret fields Finally press Finish All contents copyright 2006 ZyXEL C...

Page 273: ...P 202H Plus v2 Support Notes 5 Press Apply in Main menu to save the above settings for latter use All contents copyright 2006 ZyXEL Communications Corporation 273...

Page 274: ...P 202H Plus v2 Support Notes 6 Switch to Security Policy tab Choose VPN connections and then press Add All contents copyright 2006 ZyXEL Communications Corporation 274...

Page 275: ...Connection window will pop out Press IP button besides Gateway Name box Enter P 202H Plus v210 s WAN IP address in Gateway IP address 8 Press button besides Remote network All contents copyright 2006...

Page 276: ...P 202H Plus v2 in Network name and 192 168 1 0 in IP address field and 255 255 255 0 in Subnet Mask field Then click OK to go back to Add VPN Connection window 10 Choose P 202H Plus v2 as Authenticati...

Page 277: ...nnection 172 21 1 252 P 202H Plus v2 choose this item and then press Properties button 12 Choose Settings button in Remote endpoint section Please uncheck the boxes of Acquire virtual IP address and E...

Page 278: ...on algorithm as DES Integrity function as MD5 IKE mode as main mode IKE group as MODP 768 group 1 and IPSec proposal to Encryption algorithm as DES Integrity funciton as HMAC MD5 PFS group as none All...

Page 279: ...P 202H Plus v2 Support Notes 14 Press Apply to save all of the settings All contents copyright 2006 ZyXEL Communications Corporation 279...

Page 280: ...and P 202H Plus v2 the tunnel can t be initiated from P 202H Plus v2 side Please always initiate the tunnel from Sentinel B VPN tunnel on Sentinel can t be initiated by triggered packets such as ping...

Page 281: ...rent firmware version doesn t support Mega Bytes as SA lifetime You have to Zero your Mega Bytes setting in SA life time Switch to Security Policy the configuration page is in Your VPN connection Prop...

Page 282: ...ddress Start is 192 168 1 0 End Subnet Mask is 255 255 255 0 6 Remote IP Address Type is Single Address Start is Sentinel s IP 172 21 1 232 7 My IP Addr is the WAN IP of P 202H Plus v2 8 Secure Gatewa...

Page 283: ...P 202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters All contents copyright 2006 ZyXEL Communications Corporation 283...

Page 284: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 284...

Page 285: ...it IKE Setup option in menu 27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Page 286: ...e They are Sentinel software and P 202H Plus v2 router As the figure shown below the tunnel between PC 1 with Sentinel installed and P 202H Plus v2 ensures the packets flow between them are secure Bec...

Page 287: ...2 PC2 Dynamic LAN 192 168 1 1 WAN 172 21 1 252 192 168 1 33 1 Setup Sentinel 1 From Tool Tray of Windows system right click on your Sentinel icon and then choose Run Policy Editor 2 Choose Key Managem...

Page 288: ...P 202H Plus v2 Support Notes 3 Select Create a preshared key and press Next All contents copyright 2006 ZyXEL Communications Corporation 288...

Page 289: ...Give this preshared key a name P 202H Plus v2 And then enter the preshared key 12345678 in both Shared secret and Confirm shared secret fields Finally press Finish All contents copyright 2006 ZyXEL C...

Page 290: ...P 202H Plus v2 Support Notes 5 Press Apply in Main menu to save the above settings for latter use All contents copyright 2006 ZyXEL Communications Corporation 290...

Page 291: ...P 202H Plus v2 Support Notes 6 Switch to Security Policy tab Choose VPN connections and then press Add All contents copyright 2006 ZyXEL Communications Corporation 291...

Page 292: ...Connection window will pop out Press IP button besides Gateway Name box Enter P 202H Plus v210 s WAN IP address in Gateway IP address 8 Press button besides Remote network All contents copyright 2006...

Page 293: ...P 202H Plus v2 in Network name and 192 168 1 0 in IP address field and 255 255 255 0 in Subnet Mask field Then click OK to go back to Add VPN Connection window 10 Choose P 202H Plus v2 as Authenticati...

Page 294: ...nnection 172 21 1 252 P 202H Plus v2 choose this item and then press Properties button 12 Choose Settings button in Remote endpoint section Please uncheck the boxes of Acquire virtual IP address and E...

Page 295: ...on algorithm as DES Integrity function as MD5 IKE mode as main mode IKE group as MODP 768 group 1 and IPSec proposal to Encryption algorithm as DES Integrity funciton as HMAC MD5 PFS group as none All...

Page 296: ...P 202H Plus v2 Support Notes 14 Press Apply to save all of the settings All contents copyright 2006 ZyXEL Communications Corporation 296...

Page 297: ...and P 202H Plus v2 the tunnel can t be initiated from P 202H Plus v2 side Please always initiate the tunnel from Sentinel B VPN tunnel on Sentinel can t be initiated by triggered packets such as ping...

Page 298: ...rent firmware version doesn t support Mega Bytes as SA lifetime You have to Zero your Mega Bytes setting in SA life time Switch to Security Policy the configuration page is in Your VPN connection Prop...

Page 299: ...Address Type is Subnet Address Start is 192 168 1 0 End Subnet Mask is 255 255 255 0 6 Remote IP leave it as default setup 0 0 0 0 0 0 0 0 7 My IP Addr is the WAN IP of P 202H Plus v2 8 Secure Gateway...

Page 300: ...P 202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters All contents copyright 2006 ZyXEL Communications Corporation 300...

Page 301: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 301...

Page 302: ...it IKE Setup option in menu 27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Page 303: ...e They are Sentinel software and P 202H Plus v2 router As the figure shown below the tunnel between PC 1 with Sentinel installed and P 202H Plus v2 ensures the packets flow between them are secure Bec...

Page 304: ...3 LAN 192 168 2 1 WAN 172 21 1 232 LAN 192 168 1 1 WAN 172 21 1 252 192 168 1 33 1 Setup SSH Sentinel 1 From Tool Tray of Windows system right click on your SSH Sentinel icon and then choose Run Polic...

Page 305: ...P 202H Plus v2 Support Notes 3 Select Create a preshared key and press Next All contents copyright 2006 ZyXEL Communications Corporation 305...

Page 306: ...Give this preshared key a name P 202H Plus v2 And then enter the preshared key 12345678 in both Shared secret and Confirm shared secret fields Finally press Finish All contents copyright 2006 ZyXEL C...

Page 307: ...P 202H Plus v2 Support Notes 5 Press Apply in Main menu to save the above settings for latter use All contents copyright 2006 ZyXEL Communications Corporation 307...

Page 308: ...P 202H Plus v2 Support Notes 6 Switch to Security Policy tab Choose VPN connections and then press Add All contents copyright 2006 ZyXEL Communications Corporation 308...

Page 309: ...Connection window will pop out Press IP button besides Gateway Name box Enter P 202H Plus v210 s WAN IP address in Gateway IP address 8 Press button besides Remote network All contents copyright 2006...

Page 310: ...P 202H Plus v2 in Network name and 192 168 1 0 in IP address field and 255 255 255 0 in Subnet Mask field Then click OK to go back to Add VPN Connection window 10 Choose P 202H Plus v2 as Authenticati...

Page 311: ...nnection 172 21 1 252 P 202H Plus v2 choose this item and then press Properties button 12 Choose Settings button in Remote endpoint section Please uncheck the boxes of Acquire virtual IP address and E...

Page 312: ...on algorithm as DES Integrity function as MD5 IKE mode as main mode IKE group as MODP 768 group 1 and IPSec proposal to Encryption algorithm as DES Integrity funciton as HMAC MD5 PFS group as none All...

Page 313: ...P 202H Plus v2 Support Notes 14 Press Apply to save all of the settings All contents copyright 2006 ZyXEL Communications Corporation 313...

Page 314: ...and P 202H Plus v2 the tunnel can t be initiated from P 202H Plus v2 side Please always initiate the tunnel from Sentinel B VPN tunnel on Sentinel can t be initiated by triggered packets such as ping...

Page 315: ...rent firmware version doesn t support Mega Bytes as SA lifetime You have to Zero your Mega Bytes setting in SA life time Switch to Security Policy the configuration page is in Your VPN connection Prop...

Page 316: ...Type is Subnet Address Start is 192 168 1 0 End Subnet Mask is 255 255 255 0 6 Remote IP Address Start is Sentinel s IP 192 168 2 33 7 My IP Addr is the WAN IP of P 202H Plus v2 8 Secure Gateway IP A...

Page 317: ...P 202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters All contents copyright 2006 ZyXEL Communications Corporation 317...

Page 318: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 318...

Page 319: ...it IKE Setup option in menu 27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Page 320: ...us v2 router There will be several devices we need to setup for this case They are Sentinel and P 202H Plus v2 router As the figure shown below the tunnel between PC 1 with Sentinel installed and P 20...

Page 321: ...Advanced VPN 4 Check Active box to enable this rule Check Keep alive to make your VPN connection stay permanent 5 Select Negotiation Mode to Main 6 Local IP Address Type is Subnet Address Start is 192...

Page 322: ...P 202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters All contents copyright 2006 ZyXEL Communications Corporation 322...

Page 323: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 323...

Page 324: ...it IKE Setup option in menu 27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Page 325: ...ration in IKE Setup should match the settings configured in Sentinel 2 Setup Sentinel 1 From Tool Tray of Windows system right click on your SSH Sentinel icon and then choose Run Policy Editor All con...

Page 326: ...P 202H Plus v2 Support Notes 2 Choose Key Management Select My Keys then press Add button All contents copyright 2006 ZyXEL Communications Corporation 326...

Page 327: ...P 202H Plus v2 Support Notes 3 Select Create a preshared key and press Next All contents copyright 2006 ZyXEL Communications Corporation 327...

Page 328: ...Give this preshared key a name P 202H Plus v2 And then enter the preshared key 12345678 in both Shared secret and Confirm shared secret fields Finally press Finish All contents copyright 2006 ZyXEL C...

Page 329: ...P 202H Plus v2 Support Notes 5 Press Apply in Main menu to save the above settings for latter use All contents copyright 2006 ZyXEL Communications Corporation 329...

Page 330: ...P 202H Plus v2 Support Notes 6 Switch to Security Policy tab Choose VPN connections and then press Add All contents copyright 2006 ZyXEL Communications Corporation 330...

Page 331: ...Press button besides Remote network All contents copyright 2006 ZyXEL Communications Corporation 331 9 Network Editor Window will pop out Press New button and Enter P 202H Plus v2 in Network name and...

Page 332: ...hentication Key Then click OK to save 11 In SSH Sentinel Policy Editor you will get a new VPN connection P 202H Plus v2 dyndns org P 202H Plus v2 choose this item and then press Properties button All...

Page 333: ...Support Notes 12 Choose Settings button in Remote endpoint section Please uncheck the boxes of Acquire virtual IP address and Extended authentication All contents copyright 2006 ZyXEL Communications C...

Page 334: ...on algorithm as DES Integrity function as MD5 IKE mode as main mode IKE group as MODP 768 group 1 and IPSec proposal to Encryption algorithm as DES Integrity funciton as HMAC MD5 PFS group as none All...

Page 335: ...P 202H Plus v2 Support Notes 14 Press Apply to save all of the settings All contents copyright 2006 ZyXEL Communications Corporation 335...

Page 336: ...and P 202H Plus v2 the tunnel can t be initiated from P 202H Plus v2 side Please always initiate the tunnel from Sentinel B VPN tunnel on Sentinel can t be initiated by triggered packets such as ping...

Page 337: ...rent firmware version doesn t support Mega Bytes as SA lifetime You have to Zero your Mega Bytes setting in SA life time Switch to Security Policy the configuration page is in Your VPN connection Prop...

Page 338: ...kets flow between them are secure Because the packets go through the IPSec tunnel are encrypted To setup this VPN tunnel the required settings for Intel VPN client and P 202H Plus v2 are explained in...

Page 339: ...ame P 202H Plus v2 for example Specify VPN Gateway IP Address as 172 21 1 252 Tunnel Applies to All network connections Uncheck Enable IP Address assignment and WINS DNS via VPN Gateway All contents c...

Page 340: ...Address 192 168 1 0 Subnet Mask 255 255 255 0 Protocol ALL Port ALL And Phase 2 parameters AH None Authentication HMAC MD5 Encryption DES 56 bit key uncheck Transport mode Specify the Phase 2 SA life...

Page 341: ...2 Support Notes 4 Select Shared Secret as Authentication Method and Enter the pre shared key 12345678 Then press Advanced to edit Phase 1 parameters All contents copyright 2006 ZyXEL Communications Co...

Page 342: ...se SA life time you would like to have 60 minutes for example Encryption as DES 56 bit key Authentication as HMAC MD5 and Diffie Hellman Group as 1 RSA 768 bits Click OK to save All contents copyright...

Page 343: ...to IKE and Negotiation Mode to Main as we configured in SSH 6 Source IP Address Start and Source IP Address End are PC 2 IP in this example the secure host behind P 202H Plus v2 7 Destination IP Addre...

Page 344: ...as we configured in SSH 13 Enter the key string 12345678 in the Preshared Key text box and click Apply 14 Press Advanced button to set IKE phase 1 and phase 2 parameters See the VPN rule screen shot S...

Page 345: ...enu 27 1 1 IPSec Setup Index 1 Name to_ssh Active Yes My IP Addr 172 21 1 252 Secure Gateway Addr 172 21 1 232 Protocol 0 Local Addr Type SUBNET IP Addr Start 192 168 1 0 End 255 255 255 0 Port Start...

Page 346: ...neral purpose SAs which are secure channels for data transmission Please note that any configuration in IKE Setup should match the settings configured in SSH Menu 27 1 1 1 IKE Setup Phase 1 Negotiatio...

Page 347: ...N Routing between Branch Offices This page guides us how to setup VPN routing between branch offices through headquarter So that whenever branch office A wants to talk to branch office B headquarter p...

Page 348: ...nd branch office A to access both LAN segments of headquarter and branch office B Because the LAN segments of headquarter and branch office B are continuous we merge them into one single rule by inclu...

Page 349: ...anch office B 8 My IP Addr is the WAN IP of this P 202H Plus v2 202 3 1 1 9 Set Secure Gateway Addr to the IP address of Headquarter 202 1 1 1 10 Select Encapsulation Mode to Tunnel 11 Check the ESP c...

Page 350: ...e 1 and phase 2 parameters by pressing Advanced button Please make sure that parameters you set in this menu match with all the parameters with the correspondent VPN rule in headquarter All contents c...

Page 351: ...ion However if we include these two segments in one rule the LAN segment of branch office B will be also included in this single rule which means intercommunication inside branch office B will run int...

Page 352: ...e 1 and phase 2 parameters by pressing Advanced button Please make sure that parameters you set in this menu match with all the parameters with the correspondent VPN rule in headquarter All contents c...

Page 353: ...P 202H Plus v2 Support Notes 2 The second rule in Branch_B This rule is for branch office B to access branch office A All contents copyright 2006 ZyXEL Communications Corporation 353...

Page 354: ...e 1 and phase 2 parameters by pressing Advanced button Please make sure that parameters you set in this menu match with all the parameters with the correspondent VPN rule in headquarter All contents c...

Page 355: ...P 202H Plus v2 Support Notes 3 Setup VPN in Headquarter 1 The correspondent rule for Branch_A in headquarter All contents copyright 2006 ZyXEL Communications Corporation 355...

Page 356: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 356...

Page 357: ...P 202H Plus v2 Support Notes 2 The correspondent rule for Branch_B_1 in headquarter All contents copyright 2006 ZyXEL Communications Corporation 357...

Page 358: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 358...

Page 359: ...P 202H Plus v2 Support Notes 2 The correspondent rule for Branch_B_2 in headquarter All contents copyright 2006 ZyXEL Communications Corporation 359...

Page 360: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 360...

Page 361: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 361...

Page 362: ...er to SMT Menu 11 and note which node N you will be dialing 2 Enter to SMT Menu 24 8 3 Enable the EPA capture capability by P 202H Plus v2 isdn fw ana on 4 Manually dial to remote node N P 202H Plus v...

Page 363: ...nsion bit final octet 00 00 03 18 8 bytes LAPD D TE C SAPI 63 TEI 127UI P 0 00001111 Layer management 00000001 Reference Number MSB 00000000 Reference Number LSB 256 00000001 Message Type Identity req...

Page 364: ...ering plan iden unknown 3a 1 Extension bit not continued 00 Presentation indic presentation allowed 000 Spare 00 Screeing indicator user provided not screened Calling Number Type 5009097 1 01110000 IN...

Page 365: ...bytes Unknown IE content 0x21 0x83 0x33 0x34 0x31 Unknown IE content 0x32 0x35 0x36 0x37 0x38 00 00 03 62 4 bytes LAPD D TE R SAPI 0 TEI 97 RR P F 0 NR 3 00 00 03 63 8 bytes LAPD D TE C SAPI 0 TEI 97...

Page 366: ...the trace of PPP log that we can diagnose from the trace by referring to the PPP numbers or use the ZPKTTOOL to interpret for us P 202H Plus v2 ZPKTTOOL tool is a DOS utility that interprets the dump...

Page 367: ...by P 202H Plus v2 sys trcl sw off P 202H Plus v2 sys trcp sw off Dump the PPP log by P 202H Plus v2 sys trcl disp The trace appears on the screen as in the following example Press Enter key to dump th...

Page 368: ...53 PP09 ebp 7e9e3c seqNum 63 bri0 XMIT len 16 call 4 0000 ff 03 c0 21 02 02 00 0c 01 04 05 f4 03 04 c0 23 98 258754 PP09 ebp 7e9e70 seqNum 64 bri0 RECV len 18 call 4 0000 ff 03 c0 21 02 0f 00 0e 01 04...

Page 369: ...P09 LCP closed 115 260465 PP09 FSM_DOWN state 9 116 260465 PP09 IPCP closed 117 260465 PP09 FSM_DOWN state 1 118 260465 PP09 FSM_DOWN state 1 119 260465 PP09 FSM_DOWN state 1 120 260465 PP09 FSM_DOWN...

Page 370: ...ith your ISP or if you want to know the details of a packet for configuring a filter rule The format of the display is as following Packet 0 11880 160 ENET0 R 0062 TCP 192 168 1 2 1108 192 31 7 130 80...

Page 371: ...1 2 1108 192 31 7 130 80 2 11883 330 ENET0 T 0058 TCP 192 31 7 130 80 192 168 1 2 1108 3 11883 340 ENET0 R 0060 TCP 192 168 1 2 1108 192 31 7 130 80 4 11883 340 ENET0 R 0339 TCP 192 168 1 2 1108 192 3...

Page 372: ...8192 Checksum 0xBEC3 48835 Urgent Ptr 0x0000 0 Options 0000 02 04 05 B4 01 01 04 02 RAW DATA 0000 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00 L c E 0010 00 30 33 0B 40 00 80 06 3E 71 C0 A8 01 02...

Page 373: ...02 04 05 B4 RAW DATA 0000 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00 L c E 0010 00 2C 57 F3 40 00 ED 06 AC 8C C0 1F 07 82 C0 A8 W 0020 01 02 00 50 04 5C 4A D1 B5 7F 00 BD 15 A8 60 12 P J 0030 FA...

Page 374: ...1F 5 y 0020 07 82 04 5C 00 50 00 BD 15 A8 4A D1 B5 80 50 10 P J P 0030 22 38 E8 ED 00 00 20 20 20 20 20 20 8 2 Trace WAN packet 1 1 Disable to capture the LAN packet by entering sys trcp channel enet...

Page 375: ...P IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x0030 48 Idetification 0xE702 59138 Flags 0x02 Fragment Offset 0x00 Time to Live 0x7F 127 Protocol 0x06 TCP Header Checks...

Page 376: ...06 TCP Header Checksum 0xBC01 48129 Source IP 0xD2437191 210 67 113 145 Destination IP 0xA31FEF01 163 31 239 1 TCP Header Source Port 0x0050 80 Destination Port 0x2717 10007 Sequence Number 0x7AA71C33...

Page 377: ...sys trcp channel enet0 bothway ras sys trcp sw on ras sys trcl sw on ras sys trcp sw off ras sys trcl sw off ras sys trcp brief 0 10855 790 ENET0 T 0141 TCP 192 31 7 130 80 192 168 1 2 1102 1 10855 80...

Page 378: ...Checksum 0xDCEF 56559 Urgent Ptr 0x0000 0 Options 0000 02 04 05 B4 RAW DATA 0000 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00 L c E 0010 00 2C 7F 02 40 00 ED 06 85 7D C0 1F 07 82 C0 A8 0020 01 02...

Page 379: ...BRI0 R 0048 TCP 210 67 113 145 80 163 31 239 1 10008 4 1226 480 BRI0 T 0044 IP Unknown 0x07 5 1226 490 BRI0 T 0446 PPP VJ Compressed IP 0x002d ras sys trcp parse 1 2 0002 PPP Frame BRI0 XMIT Size 52...

Page 380: ...1226 480 sec Frame Type TCP 210 67 113 145 80 163 31 239 1 10008 PPP Header Protocol 0x0021 IP IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x002C 44 Idetification 0x01...

Page 381: ...r P 202H Plus v2 first before running the TFTP software o Type the CI command sys stdio 0 to disable console idle timeout in Menu 24 8 and stay in Menu 24 8 o Run the TFTP client software o Enter the...

Page 382: ...disable console idle timeout in Menu 24 8 and stay in Menu 24 8 o Run the TFTP client software o To download the SMT configuration please get the remote file rom 0 from the P 202H Plus v2 o To upload...

Page 383: ...a LAN c tftp i P 202H Plus v2IP put localfile rom 0 Download SMT configurations via LAN c tftp i P 202H Plus v2IP get rom 0 localfile Using TFTP command on UNIX Before you begin 1 TELNET to your P 202...

Page 384: ...nformation and Console Port Speed 3 Log and Trace 4 Diagnostic 5 Backup Configuration 6 Restore Configuration 7 Software Update 8 Command Interpreter Mode 9 Call Control Copyright c 1999 ZyXEL Communi...

Page 385: ...the SMT password as the FTP login password the default is 1234 Step 4 Enter command bin to set the transfer type to binary Step 5 Use put command to transfer the file to the P 202H Plus v2 Note The r...

Page 386: ...rom your workstation to connect to the P 202H Plus v2 by entering the IP address of the P 202H Plus v2 Step 3 Enter the SMT password as the FTP login password The default is 1234 Step 4 Press OK key t...

Page 387: ...we transfer the local ras file to overwrite the remote ras file To upload the configuration file we transfer the local rom 0 to overwrite the remote rom 0 file 4 The P 202H Plus v2 reboots automatical...

Page 388: ...commands and all major sub commands 2 exit Exit Subcommand To get the latest CI Command list The latest CI Command list is available in release note of every ZyXEL firmware release Please goto ZyXEL p...

Page 389: ...can be None PAP CHAP NCP negotiation NCP can be IPCP BACP BCP CCP IPXCP The P 202H Plus v2 provides a very clear log for each step of the call setup The following shows the messages displayed in each...

Page 390: ...Call didn t connect Try again later and also verify the phone number Login to remote failed IP address been rejected by your ISP ISDN protocol mismatch Disconnect by far end Other unknown reason Cann...

Page 391: ...e failed LCP closed Recv d TERM REQ Recv d TERM ACK state 5 LCP stopped TRY Verify username and password with your ISP again or retype the username and password field again When you retype the name an...

Page 392: ...ss 204 247 1 1 32 then you should configure your P 202H Plus v2 to enable Single User Account SUA For more information on how to configure SUA please refer to application note ISDN protocol mismatch D...

Page 393: ...d give no log about it Other unknown reason For any other unknown reason you have to look at the packet trace to decide what went wrong To collect the trace Go to Menu 11 and mark down which remote nu...

Page 394: ...call to a Remote node Use CI isdn dial node to verify a outgoing call for a remote node Use CI system event an incoming call from a remote node The following are some possible failure reasons for a ou...

Page 395: ...et check Menu 24 9 3 Login to remote node failed check the name and password again PPP negotiation failed IP address mismatched Phone number is in Black List check Menu 24 9 2 Pre ZyNOS P2864 isdn dia...

Page 396: ...1 phone last 9 digit 40201 Hit any key to continue Call CONNECT speed 64000 chan 1 prot 1 LCP up CHAP send response Login to remote failed Check name passwd Receive Terminate REQ LCP down Line Down ch...

Page 397: ...t collect the PPP negotiation trace Following are the steps to collect PPP negotiation packets You can use these steps to collect traces for all PPP related problems P128 sys trcl cl Program Trace Swi...

Page 398: ...65 6c 63 6f 6d 65 113 fe4002 195 PNET ppp CHAP login to remote OK 114 fe400c 0 PNET ebp 4ab50 seqNum 1e PPP1 RECV 24 len 8 0000 c0 29 01 32 00 06 01 02 115 fe400c 0 POU1 ebp 4ab80 seqNum 1f PPP1 XMIT...

Page 399: ...for node 4 Dialing chan 1 phone last 9 digit 40201 Hit any key to continue Call CONNECT speed 64000 chan 1 prot 1 LCP up CHAP send response CHAP login to remote OK IPCP negotiation started BACP negoti...

Page 400: ...swer incoming call from a Remote node or Dial in User The following are some of the possible reasons the P 202H Plus v2 not answering an incoming call System can t answer call ISDN protocol mismatched...

Page 401: ...destination should be routed to the LAN interface enif0 in P 202H Plus v2 and IP packet for a remote node destination should be sent to the WAN interface if the connection is up or else the packet wil...

Page 402: ...nterface Gateway Metric stat Timer Use 204 247 203 191 00 32 enif0 204 247 203 183 1 0015 0 0 204 247 203 128 00 26 enif0 204 247 203 183 1 0023 0 0 100 0 0 0 00 8 wanIdle 100 1 1 1 2 0023 0 0 default...

Page 403: ...e Use is the same as before the PING Or any other traffic that you think should route and trigger the outcall Furthermore the error counters are still 0 s P 202H Plus v2 ip route st Dest FF Len Interf...

Page 404: ...he password to 1234 2 You want to reset the configurations to defaults Please note that the default configuration file for the new ZyNOS is not compatible with the one for previous ZyNOS versions So w...

Page 405: ...le console idle timeout c Start the TFTP client program and enter the P 202H Plus v2 s IP address d To upload the configuration file put the local configuration file to the P 202H Plus v2 as a remote...

Page 406: ...te to destination 6 Channel unacceptable 7 Call awarded and being delivered in an established channel 16 Nomal call clearing 17 User busy 18 No user responding 19 No answer from user user alerted 21 C...

Page 407: ...Option not Implemented Class 65 Bearer capability not implemented 66 Channel type not implemented 69 Requested facility not implemented 70 Only restricted digital information bearer capability is una...

Page 408: ...rotocol error unspecified Interworking Class 127 Interworking unspecified 2 PPP Numbers POINT TO POINT PROTOCOL FIELD ASSIGNMENTS PPP DLL PROTOCOL NUMBERS The Point to Point Protocol PPP Data Link Lay...

Page 409: ...9 Serial Data Transport Protocol PPP SDTP 004b SNA over 802 2 004d SNA 004f Pv6 Header Compression 0051 KNX Bridging Data ianp 0053 Encryption Meyer 0055 Individual Link Encryption Meyer 0057 Internet...

Page 410: ...rotocol 8029 Appletalk Control Protocol 802b Novell IPX Control Protocol 802d reserved 802f reserved 8031 Bridging NCP 8033 Stream Protocol Control Protocol 8035 Banyan Vines Control Protocol 8037 res...

Page 411: ...rotocol RFC2125 c02d BAP RFC2125 c081 Container Control Protocol KEN c223 Challenge Handshake Authentication Protocol c225 RSA Authentication Protocol Narayana c227 Extensible Authentication Protocol...

Page 412: ...onfigure Nak 4 Configure Reject 5 Terminate Request 6 Terminate Ack 7 Code Reject 8 Protocol Reject 9 Echo Request 10 Echo Reply 11 Discard Request 12 Identification 13 Time Remaining 14 Reset Request...

Page 413: ...23 Link Discriminator for BACP RFC2125 24 LCP Authentication Option Culbert 25 Consistent Overhead Byte Stuffing COBS Carlson 26 Prefix elision Bormann 27 Multilink header format Bormann IPV6CP CONFIG...

Page 414: ...ft PPC RFC2118 19 Gandalf FZA RFC1962 20 V 42bis compression RFC1962 21 BSD Compress RFC1977 22 unassigned 23 LZS DCP RFC1967 24 MVRCA Magnalink RFC1975 25 DCE RFC1976 26 Deflate RFC1979 27 254 unassi...

Page 415: ...se RFC1994 Number Name 0 Reserved RFC1994 1 Reserved RFC1994 2 Reserved RFC1994 3 Reserved RFC1994 4 Reserved RFC1994 5 CHAP with MD5 RFC1994 128 MS CHAP Crocker PPP LCP FCS ALTERNATIVES The Point to...

Page 416: ...on 1 Dialing string 2 Location identifier 3 E 164 number 4 X 500 distinguished name 5 unassigned 6 Location is determined during CBCP negotiation PPP IPCP CONFIGURATION OPTION TYPES The Point to Point...

Page 417: ...S The Point to Point Protocol PPP OSI Network Layer Control Protocol OSINLCP specifies a number of Configuration Options RFC1377 which are distinguished by an 8 bit Type field These Types are assigned...

Page 418: ...as follows Type MAC 0 Reserved 1 IEEE 802 3 Ethernet with cannonical addresses 2 IEEE 802 4 with cannonical addresses 3 IEEE 802 5 with non cannonical addresses 4 FDDI with non cannonical addresses 5...

Page 419: ...Compressed IPX Fox 235 Shiva Compressed NCP IPX Fox IPX ROUTING PROTOCOL OPTIONS Value Protocol Reference 0 No routing protocol required RFC1552 1 RESERVED RFC1552 2 Novell RIP SAP required RFC1552 4...

Page 420: ...tion 1 Identity RFC2284 2 Notification RFC2284 3 Nak Response only RFC2284 4 MD5 Challenge RFC2284 5 One Time Password OTP RFC2289 6 Generic Token Card RFC2284 7 8 9 RSA Public Key Authentication Whel...

Page 421: ...ttytst source chargen 19 udp ttytst source ftp data 20 tcp ftp 21 tcp telnet 23 tcp smtp 25 tcp mail time 37 tcp timserver time 37 udp timserver rlp 39 udp resource resource location name 42 tcp name...

Page 422: ...tpd ntp network time protocol nbname 137 udp nbdatagram 138 udp nbsession 139 tcp NeWS 144 tcp news sgmp 153 udp sgmp tcprepo 158 tcp repository PCMAIL snmp 161 udp snmp snmp trap 162 udp snmp print s...

Page 423: ...udp acctslave2 706 udp acctdisk 707 udp kerberos 750 tcp kdc Kerberos authentication tcp kerberos 750 udp kdc Kerberos authentication udp kerberos_master 751 tcp Kerberos authentication kerberos_mast...

Page 424: ...otocol version 6 IPv6 RFC1883 this field is called the Next Header field Assigned Internet Protocol Numbers Decimal Keyword Protocol References 0 HOPOPT IPv6 Hop by Hop Option RFC1883 1 ICMP Internet...

Page 425: ...ol SAF3 35 IDPR Inter Domain Policy Routing Protocol MXS1 36 XTP XTP GXC 37 DDP Datagram Delivery Protocol WXC 38 IDPR CMTP IDPR Control Message Transport Proto MXS1 39 TP TP Transport Protocol DXF 40...

Page 426: ...toring SHB 77 SUN ND SUN ND PROTOCOL Temporary WM3 78 WB MON WIDEBAND Monitoring SHB 79 WB EXPAK WIDEBAND EXPAK SHB 80 ISO IP ISO Internet Protocol MTR 81 VMTP VMTP DRC3 82 SECURE VMTP SECURE VMTP DRC...

Page 427: ...nassigned IANA 255 Reserved IANA 5 System Error Code The system error codes can be displayed by using the CI commond sys log disp i For example ras sys log disp i 62 112 PP0a INTL call failed rnp 576d...

Page 428: ...ROR netMakeChannDial err 3000 rn_p 576de0 Meaning remote node is connecting already rn_p refers remote node point it may change for different version and different remote node number Solution ask remo...

Page 429: ...e0 Meaning remote node dial to you and wait you call back Solution do nothing it should be information 3020 Message PINI ERROR netMakeChannDial err 3020 rn_p 576de0 Meaning call dial fail Solution che...

Page 430: ...tion do nothing if it happens once for a while check the line if keep receiving this message 3031 Message PINI ERROR netMakeChannDial err 3031 rn_p 586de0 Meaning can not dial due to no budget Solutio...

Page 431: ...ng dial fail due to remote side is busy Solution wait until remote side is available 3039 Message PINI ERROR netMakeChannDial err 3039 rn_p 526de0 Meaning dial failed due to no carrier Solution check...

Page 432: ...Meaning remote node is not L2TP enabled or supported Solution change remote side configuration enable L2TP if possible Other Error Codes 35 Message PINI ERROR LoopBack Test Fail 4 Meaning isdn loopbac...

Page 433: ...t is not a problem 42 Message PP08 INFO CALL REJ ch 5ba788 CLID not matched Meaning CLID number is not match the remote node CLID INFO information log Solution change to correct CLID number 43 Message...

Page 434: ...age 9f PNET WARN ppp MP late arrival seq x877 M x0 Meaning the receiver received a previous packet after it has received a late packet Solution it is not a problem 46 Message INFO addCallHistory Trans...

Reviews:

No comments

Related manuals for P-202H Plus v2

Brand: ZETR Pages: 2

Brand: CallDirect Pages: 33

Brand: Qlogic Pages: 2

Brand: Qlogic Pages: 172

IntroSpect Analyzer 2 Series

Brand: Aruba Pages: 5

Brand: XNET Pages: 17

Brand: Ruckus Wireless Pages: 2

Brand: Rosewill Pages: 10

OP-8000-EDFA-1U Series

Brand: Optostar Pages: 9

Brand: BEC Pages: 159

GSM7224v2 - Layer 2 Managed Gigabit Switch

Brand: NETGEAR Pages: 3

Brand: Lanner Pages: 38

Brand: Allied Telesis Pages: 34

Brand: Ubiquiti Pages: 28

Brand: Tripp Lite Pages: 2

Brand: CopperOptics Pages: 12

Brand: Cleerline Pages: 2

GigaSpire BLAST u4hm

Brand: Calix Pages: 45

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands