ZyXEL Communications P-202H Plus v2 Скачать руководство пользователя страница 65 | Manualshive

Страница: 65 / 434

background image

P-202H Plus v2 Support Notes

Filter Examples

Filter example

A filter for blocking the FTP connections from WAN

•

Introduction

The P-202H Plus v2 supports the firmware and configuration files upload using
FTP connections via LAN and WAN. So, it is possible that anyone can make a
FTP connection over the Internet to your P-202H Plus v2. To prevent outside
users from connecting to your P-202H Plus v2 via FTP, you can configure a filter
to block FTP connections from WAN.

•

Before you begin

Before configuring a filter, you need to know the following information:

1.

The inbound packet type

(protocol & port number):

In this case, it is

TCP(06)

protocol with port

20 or 21

.

2.

The source IP address:

In this case, we block all connections from

outside so the source IP is

0.0.0.0

.

3.

The destination IP

addres

s

:

It is the P-202H Plus v2's IP address, but it

is not available in SUA case since most WAN IP address is dynamically
assigned by the ISP. So, we can only enter

0.0.0.0

as the destination IP in

the filter rule. Once 0.0.0.0 is set as the destination IP, no FTP
connections are allowed to reach the P-202H Plus v2 nor the FTP server
on the LAN. For the LAN-to-LAN connection, you enter the P-202H Plus
v2's LAN IP as the destination IP in the filter rule. After the FTP filter is
applied to the remote node, it only blocks the FTP connection to the P-
202H Plus v2 but still permits the FTP connection to the local FTP server.

•

Configuration

o

Create a filter set in Menu 21, e.g., set 3

o

Create two filter rules in Menu 21.3.1 and Menu 21.3.2

Rule 1- block the inbound FTP packet, TCP (06) protocol
with port number 20

Rule 2- block the inbound FTP packet, TCP (06) protocol
with port number 21

o

Apply the filter set in remote node, Menu 11

•

Create a filter set in Menu 21

All contents copyright © 2006 ZyXEL Communications Corporation.

65

«
...
63
64
65
66
67
...
»

Содержание P-202H Plus v2

Страница 1: ...P 202H Plus v2 Support Notes P 202H Plus v2 ISDN Internet Access Router Support Notes Version3 40 June 2006 All contents copyright 2006 ZyXEL Communications Corporation 1...

Страница 2: ...ailed up Connection and when do I need to use it 11 18 What are Device filters and Protocol filters 11 19 Why can t I configure device filters or protocol filters 11 20 The P 202H Plus v2 supports to...

Страница 3: ...ttack 20 13 What are the default ACL firewall rules in P 202H Plus v2 20 14 Why static policy route be blocked by P 202H Plus v2 20 Configuration 22 1 How do I configure the firewall 22 2 How do I pre...

Страница 4: ...lly 32 10 Will ZyXEL support Secure Remote Management 32 11 Does P 202H Plus v2 VPN support NetBIOS broadcast 32 12 What are the difference between the My IP Address and Secure Gateway IP Address in M...

Страница 5: ...eway 159 3 P 202H Plus v2 vs 3rd Party VPN Software 208 4 Configure NAT for Internal Servers 346 5 VPN Routing between Branch Offices 347 Support Tool 362 1 Using ZyXEL ISDN D Channel Analyzer EPA 362...

Страница 6: ...ng parameters VT100 terminal emulation 9600bps baud rate N81 data format No Parity 8 data bits 1 stop bit The default console port baud rate is 9600bps You can change it to 115200bps in Menu 24 2 2 to...

Страница 7: ...H Plus v2 c When the data transfer is finished the P 202H Plus v2 will program the upgraded firmware into FLASH ROM and reboot itself d To backup your firmware use the TFTP client program to get file...

Страница 8: ...using the IP address assigned by ISP When reply packets from the external Internet are received by P 202H Plus v2 the original IP source address and TCP UDP source port numbers are written into the de...

Страница 9: ...ocedure to capture the PPP log in P 202H Plus v2 is as following To enable the capture of PPP log before a connection is established a Enter SMT Menu 24 8 the CI command mode b Enter sys trcl cl comma...

Страница 10: ...No Matched Forward Where a b c d is an IP address on your local network and w x y z is your netmask 16 What is DNS proxy If enabled DNS Proxy allows the P 202H Plus v2 to act as the DNS server for th...

Страница 11: ...into two groups One group is called device filter group and the other is called protocol filter group Generic filters belong to the device filter group TCP IP and IPX filters belong to the protocol fi...

Страница 12: ...g two channels Yes You can use a CI command to prevent the dial in user from occupying two channels Please enter to menu 24 8 and type the CI command ppp lcp mpin off or on to allow two channels 3 How...

Страница 13: ...ng Then pick up the phone to return to the other call 6 Why doesn t call waiting work as expected An incoming caller will receive a busy signal if You have two calls active one active and one on hold...

Страница 14: ...t the existing call on hold and receive a dial tone Dial the third party s phone number Caller B Before Caller B picks up the call you can transfer the call by pressing the Flash key The call is autom...

Страница 15: ...202H Plus v2 sends a single short ring to your telephone every time a call has been forwarded US switches only 14 Why doesn t my answering machine on POTS port stop recording Most answering machines s...

Страница 16: ...SUA Applications page 18 What are the differences between P 202H P 202H Plus and P 202H Plus v2 The differences between P 202H P 202H Plus and P 202H Plus v2 are listed in the following table Feature...

Страница 17: ...Conceptually there are three types of firewalls 1 Packet Filtering Firewall 2 Application level Firewall 3 Stateful Inspection Firewall Packet Filtering Firewalls generally make their decisions based...

Страница 18: ...hashing function to search the matched session cache instead of going through every individual rule for a packet 5 The P 202H Plus v2 s firewall provides email service to notify you for routine report...

Страница 19: ...le the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN ACK responses on what is known as a backlog queue SYN ACKs are moved off the queue only when an ACK c...

Страница 20: ...d network To engage in IP Spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall 13 Wha...

Страница 21: ...t go back to P 202H Plus v2 in stead the another gateway ISDN Router will send back the traffic to PC directly Because the gateway say P201 and the PC are in the same segment When firewall is turned o...

Страница 22: ...ute checking In Web GUI you can find this option in firewall setup page But we would like to notify that if you allow Triangle Route any traffic will be easily injected into the protected network thro...

Страница 23: ...firewall is turned on all connections from WAN to LAN are blocked by the default ACL rule To enable Telnet from WAN you must turn the firewall off Menu 21 2 or create a firewall rule to allow Telnet...

Страница 24: ...applied in the Input Protocol field in menu 3 1 4 The console port is in use 7 Why can t I upload the firmware and configuration file using FTP over LAN 1 1 You have disabled FTP service in Menu 24 11...

Страница 25: ...the old entries when the log has over 128 entries There are three ways to view the firewall log 1 View the log from SMT Menu 21 3 View Firewall Log 2 View the log using CI command sys firewall displa...

Страница 26: ...rt A log entry is just added to the log inside the P 202H Plus v2 and e mailed together with all other log entries at the scheduled time as configured An alert is e mailed immediately after an attacke...

Страница 27: ...ntication With authentication VPN receiver can verify the source of packets and guarantee the data integrity 2 Encryption With encryption VPN guarantees the confidentiality of the original user data C...

Страница 28: ...s compatible with the existing IP standard IPv 4 and also the upcoming one IPv 6 In addition IPSec can protect any protocol that runs on top of IP for instance TCP UDP and ICMP The IPSec provides cryp...

Страница 29: ...There are two phases in every IKE negotiation phase 1 Authentication and phase 2 Key Exchange Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec 11 What is Pre Shared K...

Страница 30: ...02H Plus v2 VPN support VPN vendors support a number of different authentication methods P 202H Plus v2 VPN supports both SHA1 and MD5 AH provides authentication integrity and replay protection but no...

Страница 31: ...8 x x subnet nor in the range 172 16 0 0 172 31 255 255 these address ranges are reserved by internet standard for private LAN numberings behind NAT devices It is usually a static IP so that we can pr...

Страница 32: ...Will ZyXEL support Secure Remote Management Yes we will support it and we are working on it currently 11 Does P 202H Plus v2 VPN support NetBIOS broadcast The current 3 40 firmware release does not s...

Страница 33: ...t to stay in menu 24 1 27 3 and 24 8 when VPN is in use 15 How do I configure P 202H Plus v2 with NAT for internal servers Generally without IPSec to configure an internal server for outside access we...

Страница 34: ...ation never remove the pre IPSec filter rule that bypasses IKE traffic If you do all your attempts to establish any IPSec connection are bound to fail because the negotiations never take place Only wh...

Страница 35: ...click SSH icon in system tray click the VPN connection you have setup in Select VPN Packets triggering doesn t work in this case 11 Can P 202H Plus v2 be the initiator of VPN tunnel to Sentinel No Sen...

Страница 36: ...202H Plus v2 s LAN port with a crossover red one Ethernet cable If you have more than one PC both the PC s Ethernet adapters and the P 202H Plus v2 s LAN port must be connected to an external hub with...

Страница 37: ...properties window Click OK to close the Network window You will be prompted to insert your Windows CD or disk When the drivers are updated you will be asked if you want to restart the PC Make sure yo...

Страница 38: ...either enter 0 0 0 0 or you can leave this field blank After saving this menu you will be asked if you want to perform an Internet connection test Select Yes to perform the test If the test fails ple...

Страница 39: ...this connection can be encrypted and compressed and multiple network level protocols TCP IP NetBEUI and IPX can be run correctly Windows NT Domain Login level security is preserved even across the In...

Страница 40: ...ollowing example shows how to dial to an ISP via the P 202H Plus v2 and then establish a tunnel to a private network There will be three items that you need to set up for PPTP application these are PP...

Страница 41: ...emonstrate that remote the Win9x can be reached across the Internet If the Internet connection between two LANs is achive you can place a VPN call from the remote Win9x client For example C ping 203 6...

Страница 42: ...then you can always use this IP address for reaching the VPN server In the following example the IP address 140 113 1 225 is dynamically assigned by ISP You must enter this IP address in the VPN Serve...

Страница 43: ...UA supports a default server A service request that does not have a server explicitly designated for it is forwarded to the default server If the default server is not defined the service request is s...

Страница 44: ...entered in menu 15 to forward the incoming packets to the true destination behind SUA Generally we do not need extra settings of menu 15 for an outgoing connection But for some applications we need t...

Страница 45: ...connections firewall and set the firewall time out to 80 seconds in firewall setting Default client IP Cornell 1 1 Cu SeeMe None 7648 client IP White Pine 3 1 2 Cu SeeMe 7648 client IP 24032 client I...

Страница 46: ...he same unique IP so only one Quake user will be allowed in this case Moreover when a Quake server is configured behind SUA P 202H Plus v2 will not be able to provide information of that server on the...

Страница 47: ...ished the workstations on both LANs will be able to perform any TCP IP applications e g FTP Telnet etc There will be three items that you need to set up These are workstation and the two P 202H Plus v...

Страница 48: ...to Win9x Control Panel Network TCP IP Network Adapter for finishing the above settings Setting up the P 202H Plus v2 1 P 202H Plus v2 2 Before configuring the two remote nodes for this application you...

Страница 49: ...n CHAP PAP Session Options Pri Phone 5007025 Edit Filter Sets No Sec Phone Idle Timeout sec 100 Press ENTER to Confirm or ESC to Cancel Key Settings o Select the Active field to Yes o Select the Call...

Страница 50: ...Remote Node Profile Rem Node Name LAN2 Edit PPP Options No Active Yes Rem IP Addr 202 113 5 1 Call Direction Outgoing Edit IP No Incoming Telco Option Rem Login Transfer Type 64K Rem Password Allocat...

Страница 51: ...ll 22 Command Mode 3 Reset ISDN 4 ISDN Connection Test 5 Manual Call TCP IP 11 Internet Setup Test 12 Ping Host Enter Menu Selection Number Manual Call Remote Node N A Host IP Address N A Configuring...

Страница 52: ...s Mutual Authen Yes Session Options O G Username test Edit Filter Sets No O G Password Multiple Link Options Max Trans Rate Kbps 128 Callback Budget Management Allocated Budget min 0 Period hr 0 Press...

Страница 53: ...Login to the Cisco device hostname o Set Incmoing Rem Password to be the same as Outgoing My Password o Set Outgoing My Login to the System Name value in SMT Menu 1 Note The Cisco device must be conf...

Страница 54: ...ress field o DNS Domain Name Server Address the IP address of the DNS server on the remote LAN o Default Gateway the IP address of the P 202H Plus v2 Please find the last three settings in Win9x Dial...

Страница 55: ...Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 2B Edit IP Alias No 2 Default Dial in Setup in SMT Menu 13 Menu 13 Default Dial in Setup Telco Options IP Address Supplied By CLID Authen None...

Страница 56: ...ials in In our example this would be 192 68 135 10 All the common properties in Menu 13 will be applied to all dial in users Note If the remote user uses the Win9x to dial in the Recv Authen must be s...

Страница 57: ...eld of the P 202H Plus v2 5 Filter How does ZyXEL filter work Conceptually there are two categories of filter rules device and protocol The Generic filter rules belong to the device category they act...

Страница 58: ...ts 8 LAN device and protocol output filter sets Generic and TCP IP and IPX filter rules are in different filter sets The SMT will detect and prevent the mixing of different category rules within any f...

Страница 59: ...0 0 Port 0 Port Comp None Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab N A More No Log None Action Matched Check Next Rule Action Not Matched Check Next Rule Press ENTER to...

Страница 60: ...on Outgoing Edit IP No Incoming Telco Option Rem Login N A Transfer Type 64K Rem Password N A Allocated Budget min Rem CLID N A Period hr Call Back N A Schedules Outgoing Carrier Access Code My Login...

Страница 61: ...ress Supplied By CLID Authen None Dial in User Yes IP Pool Yes PPP Options IP Start Addr 123 234 111 163 Recv Authen CHAP PAP IP Count 1 4 4 Compression Yes Mutual Authen No Session Options O G Userna...

Страница 62: ...traffic to pass to the outside world and receive unwanted outside traffic The first case may incur an enormous ISDN bill the second may lead to a data security hazard In order to avoid operational pro...

Страница 63: ...8 bit protocol 16 bit header checksum 32 bit source IP address 32 bit destination IP address Option if any Data UDP Header 0 15 16 31 16 bit source port number 16 bit destination port number 16 bit U...

Страница 64: ...mber FTP port IPX header in Menu 24 1 LAN Packet Which Triggered Last Call Type IPX 00 28 01 01 00 00 00 00 FF FF FF FF FF FF 04 53 00 00 00 00 00 00 00 00 00 0004 53 00 01 FF FF FF FF FF 00 00 00 00...

Страница 65: ...02H Plus v2 s IP address but it is not available in SUA case since most WAN IP address is dynamically assigned by the ISP So we can only enter 0 0 0 0 as the destination IP in the filter rule Once 0 0...

Страница 66: ...Set Number to Configure 3 Edit Comments FTP_WAN Press ENTER to Confirm or ESC to Cancel Rule 1 block the inbound FTP packet TCP 06 protocol with port number 20 Menu 21 3 1 TCP IP Filter Rule Filter 3...

Страница 67: ...0 IP Mask 0 0 0 0 Port 21 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confir...

Страница 68: ...D N A Period hr Call Back N A Carrier Access Code Outgoing Nailed Up Connection No My Login masterbc Toll Period sec 0 My Password Authen CHAP PAP Session Options Pri Phone 4125678 Edit Filter Sets Ye...

Страница 69: ...Web service could be as following a HTTP packet TCP 06 protocol with port number 80 b DNS packet TCP 06 protocol with port number 53 or c DNS packet UDP 17 protocol with port number 53 For all worksta...

Страница 70: ...one for a http packet TCP 06 Port number 80 Menu 21 1 1 TCP IP Filter Rule Filter 1 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0...

Страница 71: ...k 0 0 0 0 Port Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Rule 3 for c DNS packet UDP 17 Port number 53...

Страница 72: ...A 0 0 0 0 N D N 3 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 N D F Then put the filter set number 1 in the Call Filter Set field of SMT menu 11 5 for taking active All contents copyright 2006 ZyXEL Communicatio...

Страница 73: ...al client from triggering a call to ISP you can configure a call filter set in P 202H Plus v2 to block the packets from this client After the call filter is applied the packet that is sent from this c...

Страница 74: ...from this client Menu 21 1 1 TCP IP Filter Rule Filter 1 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 0 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port Port Comp None So...

Страница 75: ...Node Name Hinet Route IP Active Yes Bridge No Call Direction Outgoing Edit PPP Options No Incoming Rem IP Addr 0 0 0 0 Rem Login N A Edit IP IPX Bridge No Rem Password N A Telco Option Rem CLID N A Al...

Страница 76: ...lowed to access the Internet or remote node any more A filter for blocking a specific MAC address This configuration example will show you how to use a Generic Filter to block a specific MAC address o...

Страница 77: ...61 62 63 64 65 66 0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 0040 77 61 62 63 64 65 66 67 68 69 The detailed format of the Ethernet Version II Ethernet Version II Address 00 80 C8 4C EA 63...

Страница 78: ...00 0010 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84 0020 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66 0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 0040 77 61 62 63 64 65 66 67 68 69 2...

Страница 79: ...acket does not match the Value In this case we will forward it If you want to configure more rules please select Check Next Rule to start configuring the next new rule However please note that the Fil...

Страница 80: ...Destination port number 137 with protocol number 6 TCP o Rule 2 Destination port number 137 with protocol number 17 UDP o Rule 3 Destination port number 138 with protocol number 6 TCP o Rule 4 Destina...

Страница 81: ...g the Filter Set number 1 Rule 1 Destination port number 137 with protocol number 6 TCP Menu 21 1 1 TCP IP Filter Rule Filter 1 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Rout...

Страница 82: ...n Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Rule 3 Destination port number 138 with protocol number 6 TCP Menu 21 1 3 TCP IP Filter Rule Filter 1 3 Filter...

Страница 83: ...0 Port 138 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab N A More No Log None Action Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or...

Страница 84: ...ilter Rule Filter 1 6 Filter Type TCP IP Filter Rule Active Yes IP Protocol 17 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 139 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0...

Страница 85: ...5 for taking active You can enter to the menu 11 5 by selecting the Edit Filter Sets in menu 11 1 to Yes Menu 11 1 Remote Node Profile Rem Node Name hinet Route IP Active Yes Bridge No Call Direction...

Страница 86: ...CP Menu 21 2 1 TCP IP Filter Rule Filter 2 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 53 Port Comp Equal Source IP Ad...

Страница 87: ...rd Press ENTER to Confirm or ESC to Cancel After the first filter set is finished you will see the complete rules summary as below Menu 21 2 Filter Rules Summary A Type Filter Rules M m n 1 Y IP Pr 6...

Страница 88: ...Active use the space bar to turn on the syslog option 2 Syslog IP Address enter the IP address of the UNIX server that you wish to send the syslog 3 Log Facility use the space bar to toggle between th...

Страница 89: ...is field is set to Yes Filter log No filters are logged when this field is set to No Filters with the individual filter Log field set to Yes are logged when this field is set to Yes PPP log PPP events...

Страница 90: ...PXHC 4 BPDU 5 ATALK 6 IPNG Data We will send forty eight Hex characters to the server Example Jul 19 11 28 39 192 168 102 2 ZyXEL Communications Corp Packet Trigger Protocol 1 Data 4500003c100100001f0...

Страница 91: ...EL Communications Corp ppp LCP Starting Jul 19 11 43 29 192 168 1 1 ZyXEL Communications Corp ppp IPCP Starting Jul 19 11 43 34 192 168 1 1 ZyXEL Communications Corp ppp CCP Starting Jul 19 11 43 38 1...

Страница 92: ...unications Corp Call Connect Dir 2 Remote Call 5783942 Local Call 1 Jul 19 12 08 29 192 168 1 1 ZyXEL Communications Corp Call DisConnect Dir 2 Remote Call 2453140 Local Call 1 7 ISDN Leased Line Setu...

Страница 93: ...the Leased Leased is configured in Menu 2 it allows a 128K leased connection to a remote node or allows MP bundling to a remote node Menu 4 Internet Access Setup ISP s Name hinet Pri Phone N A Sec Pho...

Страница 94: ...again When you have configured and saved Menu 4 you should see that you have created a remote node in Menu 11 You can perform more advanced configuration options to this remote node in this menu LAN...

Страница 95: ...PPP Options No Active Yes Rem IP Addr 140 113 1 1 Call Direction Edit IP No Incoming Telco Option Rem Login Transfer Type Leased Rem Password Allocated Budget min Rem CLID N A Period hr Call Back N A...

Страница 96: ...he phone to ring Then pick up the phone to return to the other call Why doesn t call waiting work as expected An incoming caller will receive a busy signal if You have two calls active one active and...

Страница 97: ...the existing call on hold and receive a dial tone Dial the third party s phone number Caller B Before Caller B picks up the call you can transfer the call by pressing the Flash key The call is automa...

Страница 98: ...d press the Flash key Dial 3n where n is any number from 1 to 9 but should be identical to that used above What is reminder ring The P 202H Plus v2 sends a single short ring to your telephone every ti...

Страница 99: ...s v2 receives packets on its BRI port destined for one of the DCP clients the router formats the packet as a DCP message and sends it to the corresponding client Supported applications 1 G3 G4 FAX tra...

Страница 100: ...es Max Number of Registered Users 5 Incoming Data Call Number Matching NetCAPI Access List Start IP End IP Operation 192 168 1 33 192 168 1 36 Both 0 0 0 0 0 0 0 0 None 0 0 0 0 0 0 0 0 None 0 0 0 0 0...

Страница 101: ...ers the call as a CAPI call and forward it to the CAPI client 4 Access List Enter the IP range of the valid NetCAPI clients with desired operation direction Operation Incoming this permits the clients...

Страница 102: ...245 CC 1 S IDLE 01 E LISTENREQ 05 Func DCPListenReq dcp fsm clear To clear the NetCAPI state machine log use the dcp fsm clear command dcp trcp sw on on off To enable disable the NetCAPI packet log us...

Страница 103: ...swords are sent encrypted between the client and RADIUS server to eliminate the possibility that someone snooping on an unsecured network could determine a user s password There has been some confusio...

Страница 104: ...ication requests and their encryption key The first field is a valid hostname for the client The second field separated by blanks or tabs is the encryption key Client Name Key portmaster1 testing123 2...

Страница 105: ...thout answering the call The phone number used for calling back is captured from the D channel message So if your local ISDN switch is able to carry the calling party number the P 202H Plus v2 can use...

Страница 106: ...ing in menu 11 1 must be entered for the CLID authentication The Callback setting in menu 11 1 must be toggled to Yes The Outgoing user information in menu 11 1 must be entered The Outgoing Phone numb...

Страница 107: ...l Period sec 0 My Password Session Options Authen CHAP PAP Edit Filter Sets No Pri Phone 20000 Idle Timeout sec 300 Sec Phone Press ENTER to Confirm or ESC to Cancel CLID Settings Option Description R...

Страница 108: ...ote CLID setting in menu 14 1 must be entered for the CLID authentication The following SMT only show the main settings of the CLID callback you can refer to the user s manual or the support note for...

Страница 109: ...User User Name test Active Yes Password Callback Mandatory Phone Supplied by Caller No Callback Phone 20000 Rem CLID 20000 Idle Timeout 300 CLID Settings Option Description Call Back Toggle to Mandato...

Страница 110: ...ations are available but these can be simulated by the setting of flag variables For example to reset a node a counter variable named time to reset could be set to a value causing the node to reset af...

Страница 111: ...evices 2 Writes Write is used to control the managed devices NMSs write variables that are stored in the managed devices 3 Traversal operations NMSs use these operations to determine which variables a...

Страница 112: ...he NMS to retrieve the next object variable from a table or list within an agent In SNMPv1 when a NMS wants to retrieve all elements of a table from an agent it initiates a Get operation followed by a...

Страница 113: ...h a particular object variable Variable bindings Associates particular object with their value 2 ZyXEL SNMP Implementation ZyXEL currently includes SNMP support in some P 202H Plus v2 routers It is im...

Страница 114: ...t number is its interface index under the interface group 5 authenticationFailure defined in RFC 1215 When receiving any SNMP get or set requirement with wrong community this trap is sent to the manag...

Страница 115: ...s v2 for SNMP The SNMP related settings in P 202H Plus v2 are configured in menu 22 SNMP Configuration The following steps describe a simple setup procedure for configuring all SNMP settings Menu 22 S...

Страница 116: ...lic Trusted Host Enter the IP address of the NMS The P 202H Plus v2 will only respond to SNMP messages coming from this IP address If 0 0 0 0 is entered the P 202H Plus v2 will respond to all NMS mana...

Страница 117: ...ill be filtered out by the P 202H Plus v2 thus preventing intruders from probing your network The SUA feature that the P 202H Plus v2 supports previously operates by mapping the private IP addresses t...

Страница 118: ...Overload mode the P 202H Plus v2 maps the multiple ILA to shared IGA 4 Many to Many No Overload In Many to Many No Overload mode the P 202H Plus v2 maps each ILA to unique IGA 5 Server In Server mode...

Страница 119: ...2H Plus v2 supports NAT sets on a remote node basis They are reusable but only one set is allowed for each remote node The P 202H Plus v2 312 supports 2 sets since there is only one remote node The de...

Страница 120: ...ows how you apply NAT to the remote node in menu 11 1 Menu 11 3 Remote Node Network Layer Options Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT SUA Only Address Mapping Set N A M...

Страница 121: ...nu 15 1 see later for further discussion This option us basically Many to One Overload mapping Select Full Feature when you require other mapping types It is a convenient pre configured read only Many...

Страница 122: ...ere are 8 remote nodes and so allows you to configure 8 NAT Address Mapping Sets The NAT Server Set is a list of LAN side servers mapped to external ports To use this set one set for the P312 a server...

Страница 123: ...me of the set you selected in Menu 15 1 or enter the name of a new set you want to create SUA Idx This is the index or rule number 1 Local Start IP This is the starting local IP address ILA 0 0 0 0 fo...

Страница 124: ...ield means that this is a required field and you must enter a name for the set The description of the other fields is as described above The Type Local and Global Start End IPs are configured in Menu...

Страница 125: ...each rule is executed in turn beginning from the first rule Selecting Edit in the Action field and then selecting a rule brings up the following menu Menu 15 1 1 1 Address Mapping Rule in which you c...

Страница 126: ...IPs the End IP address must begin after the IP Start address i e you cannot have an End IP address beginning before the Start IP address NAT Server Sets The NAT Server Set is a list of LAN side server...

Страница 127: ...port number in the Port field and the inside IP address of the server in the IP Address field Step 4 Press SPACEBAR at the Press ENTER to confirm prompt to save your configuration after you define al...

Страница 128: ...Name Server 53 www http Web 80 PPTP Point to Point Tunneling Protocol 1723 Examples 1 Internet Access Only 2 Internet Access with an Internal Server 3 Using Multiple Global IP addresses for clients a...

Страница 129: ...tions Transfer Type 64K Multilink Off Idle Timeout 100 Press ENTER to Confirm or ESC to Cancel From Menu 4 shown above simply choose the SUA Only option from the NAT field This is the Many to One mapp...

Страница 130: ...Server behind the NAT as shown in the NAT as shown below Menu 15 2 NAT Server Setup Used for SUA Only Rule Start Port No End Port No IP Address 1 Default Default 0 0 0 0 2 80 80 192 168 1 33 3 0 0 0...

Страница 131: ...GA1 Rule 2 One to One type to map the FTP Server 2 with ILA2 192 168 1 11 to IGA2 Rule 3 Many to One type to map the other clients to IGA3 Rule 4 Server type to map a web server and mail server with I...

Страница 132: ...ng this new set Enter a Set Name choose the Edit Action and then select 1 from Select Rule field Press ENTER to confirm See the following setup for the four rules in our case Rule 1 Setup Select One t...

Страница 133: ...P Start Enter IGA2 End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel Rule 3 Setup Select Many to One type to map the other clients to IGA3 Menu 15 1 1 3 Rule 3 Type Many to One Lo...

Страница 134: ...apping Set 2 Press ENTER to Confirm or ESC to Cancel When we have configured all four rules Menu 15 1 1 should look as follows Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Lo...

Страница 135: ...0 0 0 5 0 0 0 0 0 0 6 0 0 0 0 0 0 7 0 0 0 0 0 0 8 0 0 0 0 0 0 9 0 0 0 0 0 0 10 0 0 0 0 0 0 11 0 0 0 0 0 0 12 0 0 0 0 0 0 Press ENTER to Confirm or ESC to Cancel 4 Support Non NAT Friendly Application...

Страница 136: ...No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start Enter IGA1 End Enter IGA3 Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel The three rules configured for using...

Страница 137: ...nfirm or ESC to Cancel Menu 15 1 1 2 Rule 2 Type One to One Local IP Start 192 168 1 11 End N A Global IP Start Enter IGA2 End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel All co...

Страница 138: ...P 202H Plus v2 Support Notes Global IP Start Enter IGA3 End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel All contents copyright 2006 ZyXEL Communications Corporation 138...

Страница 139: ...wo distincts and disparate networks become one by connecting them with a tunnel secured by IPSec Tunnel mode IPSec in tunnel mode is normally used when the ultimate destination of the packet is differ...

Страница 140: ...following configurations are supposed both two VPN gateways have fixed IP addresses If one of VPN gateways uses dynamic IP we enter 0 0 0 0 as the secure gateway IP address In this case the VPN conne...

Страница 141: ...n IP Address End are PC 2 IP in this example the secure remote host 8 My IP Addr is the WAN IP of P 202H Plus v2 A 9 Secure Gateway IP Addr is the remote secure gateway IP that is P 202H Plus v2 B WAN...

Страница 142: ...P 202H Plus v2 Support Notes See the screen shot All contents copyright 2006 ZyXEL Communications Corporation 142...

Страница 143: ...ssing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs which are secure channels for data...

Страница 144: ...ion Mode to Main as we configured in P 202H Plus v2 A 6 Source IP Address Start and Source IP Address End are PC 2 IP in this example the secure host behind P 202H Plus v2 B 7 Destination IP Address S...

Страница 145: ...gorithm to DES and Authentication Algorithm to MD5 as we configured in P 202H Plus v2 A 13 Enter the key string 12345678 in the Preshared Key text box and click Apply See the screen shot All contents...

Страница 146: ...ssing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs which are secure channels for data...

Страница 147: ...o methods to troubleshoot IPSec in P 202H Plus v2 Menu 27 2 SA Monitor Through menu 27 2 you can monitor every IPSec connections running in P 202H Plus v2 presently The second column of each entry ind...

Страница 148: ...analysis The following shows an example of dumped messages P 202H Plus v2 ipsec debug 1 IPSEC debug level 1 P 202H Plus v2 catcher recv pkt numPkt 1 get_hdr nxt_payload 1 exchMode 2 m_id 0 len 80 f76a...

Страница 149: ...M Receiving IKE Packet 15 013 01 Jan 00 15 19 Sending IKE Packet 15 Clear IPSec Log y n Note the Log column in the current 3 50 WA 0 firmware just shows the IKE state flow In the future firmware we wi...

Страница 150: ...Plus v2 PC2 202 132 155 33 LAN 202 132 171 1 WAN 202 132 170 1 202 132 171 33 1 Setup Soft PK VPN 1 Open Soft PK Security Policy Editor 2 Add a new connection named P 202H Plus v2 as shown below 3 Se...

Страница 151: ...choose IP Address option and enter the IP address of the remote PC PC 2 in this case 5 Check Connect using Secure Gateway Tunnel please also select IP Address as ID Type and enter P 202H Plus v2 s WA...

Страница 152: ...lus v2 icon you may see My Identity 7 Click My Identity click the Pre Shared Key icon in the right side of the window 8 Enter a key you that later you will also need to configure in P 202H Plus v2 in...

Страница 153: ...P 202H Plus v2 Support Notes Security Policy Settings All contents copyright 2006 ZyXEL Communications Corporation 153...

Страница 154: ...Security Policy icon you will see two icons Authentication Phase 1 and Key Exchange Phase 2 11 The settings shown in the following two figures for both Phases are our examples You can choose any but...

Страница 155: ...P 202H Plus v2 Support Notes v2 All contents copyright 2006 ZyXEL Communications Corporation 155...

Страница 156: ...IP Address End are PC 2 IP in this example the secure host behind P 202H Plus v2 7 Destination IP Address Start and Destination IP Address End are PC 1 in this example the secure remote host Note You...

Страница 157: ...P 202H Plus v2 Support Notes Figure 8 See the VPN rule screen shot All contents copyright 2006 ZyXEL Communications Corporation 157...

Страница 158: ...dit IKE Setup option in menu27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Страница 159: ...a pipe indicates a secure connection between two devices 2 P 202H Plus v2 vs 3rd Party VPN Gateway P 202H Plus v2 to P 202H Plus v2 Tunneling This page guides us to setup a VPN connection between two...

Страница 160: ...N 192 168 2 1 WAN 168 10 10 66 192 168 2 33 Note The following configurations are supposed both two VPN gateways have fixed IP addresses If one of VPN gateways uses dynamic IP we enter 0 0 0 0 as the...

Страница 161: ...Plus v2 A 7 Destination IP Address Start and Destination IP Address End are PC 2 IP in this example the secure remote host 8 My IP Addr is the WAN IP of P 202H Plus v2 A 9 Secure Gateway IP Addr is th...

Страница 162: ...P 202H Plus v2 Support Notes See the screen shot If you use SMT management the VPN configurations are as shown below All contents copyright 2006 ZyXEL Communications Corporation 162...

Страница 163: ...for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs which are secure channels for data transmission Note that any configu...

Страница 164: ...ion Mode to Main as we configured in P 202H Plus v2 A 6 Source IP Address Start and Source IP Address End are PC 2 IP in this example the secure host behind P 202H Plus v2 B 7 Destination IP Address S...

Страница 165: ...Algorithm to MD5 as we configured in P 202H Plus v2 A 13 Enter the key string 12345678 in the Preshared Key text box and click Apply See the screen shot If you use SMT management the VPN configuration...

Страница 166: ...for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs which are secure channels for data transmission Note that any configu...

Страница 167: ...re two methods to troubleshoot IPSec in P 202H Plus v2 Menu 27 2 SA Monitor Through menu 27 2 you can monitor every IPSec connections running in P 202H Plus v2 presently The second column of each entr...

Страница 168: ...our analysis The following shows an example of dumped messages P 202H Plus v2 ipsec debug 1 IPSEC debug level 1 P 202H Plus v2 catcher recv pkt numPkt 1 get_hdr nxt_payload 1 exchMode 2 m_id 0 len 80...

Страница 169: ...Jan 10 23 26 Send ID HASH 008 01 Jan 10 23 26 Recv ID HASH 009 01 Jan 10 23 26 Phase 1 IKE SA process done 010 01 Jan 10 23 26 Start Phase 2 Quick Mode 011 01 Jan 10 23 26 Send HASH SA NONCE ID ID 01...

Страница 170: ...also dynamic IP we enter 0 0 0 0 as its My IP Address When this IP is given by ISP it will update to this field 1 Setup P 202H Plus v2 1 Login P 202H Plus v2 by giving the LAN IP address of P 202H Plu...

Страница 171: ...click Apply See the screen shot 2 Setup Cisco All contents copyright 2006 ZyXEL Communications Corporation 171 There are two ways to configure Cisco VPN use commands from console or use Cisco ConfigMa...

Страница 172: ...been connected to your PC If the router is detected successfully a Cisco router should appear in the Network Diagram Window 3 Click right button of the mouse choose Device Properties In Passwords tab...

Страница 173: ...creen shot 5 Layout your network topology in the Network Diagram as shown below You may choose network components such as hosts Internet Ethernet LAN from the Devices window All contents copyright 200...

Страница 174: ...e screen shot 6 Connect the network components by Ethernet from the Connections window in the left bottom Specify the WAN and LAN IP addresses to P 202H Plus v2 and Cisco All contents copyright 2006 Z...

Страница 175: ...Plus v2 Support Notes See the screen shot 7 Select VPN from Connections window During this stage you have to enter the pre shared key 12345678 All contents copyright 2006 ZyXEL Communications Corporat...

Страница 176: ...Note that the parameters you set here should match settings in P 202H Plus v2 In IKE Advanced Settings Encryption Algorithm is 56 bit DES Authentication Algorithm is MD5 and the SA lifetime is 1 hr I...

Страница 177: ...P 202H Plus v2 Support Notes See the screen shot 9 Choose the Cisco router and click Deliver to save the settings All contents copyright 2006 ZyXEL Communications Corporation 177...

Страница 178: ...sec transform set cm transformset 1 esp des esp md5 hmac 12 After all of the settings if PC1 and PC2 can reach each other then IPSec VPN has been established successfully There is also an useful comma...

Страница 179: ...p ip dhcp pool 1 network 192 168 2 0 255 255 255 0 default router 192 168 2 1 ip audit notify log ip audit po max events 100 ip ssh time out 120 ip ssh authentication retries 3 no ip dhcp client netwo...

Страница 180: ...rnetLAN_1 ip address 192 168 2 1 255 255 255 0 speed auto router rip version 1 passive interface Ethernet0 network 140 113 0 0 network 192 168 2 0 no auto summary ip classless ip route 0 0 0 0 0 0 0 0...

Страница 181: ...ing sections The IP addresses we use in this example are as shown below PC 1 P 202H Plus v2 Sonicwall PC 2 192 168 1 33 LAN 192 168 1 1 WAN 202 132 154 1 LAN 192 168 181 1 WAN 168 10 10 66 192 168 181...

Страница 182: ...Address Start and Source IP Address End are PC 1 IP in this example the secure host behind P 202H Plus v2 7 Destination IP Address Start and Destination IP Address End are PC 2 IP in this example the...

Страница 183: ...LL default is 192 168 168 1 2 Click Gernal menu and click Network tab 3 Select NAT Enabled as the Network Addressing Mode 4 In LAN Settings enter a LAN IP and Subnet Mask for SonicWALL 5 In WAN Settin...

Страница 184: ...ion give a name for this SA 13 In IPSec Gateway Address enter P 202H Plus v2 WAN IP 14 In Encryption Method option select Encrypt and Authenticate ESP DES HMAC MD5 15 In Shared Secret option enter 123...

Страница 185: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 185 If the SA is up you can see a new button Renegotiate appears in the Summary screen...

Страница 186: ...sses If one of VPN gateways uses dynamic IP we enter 0 0 0 0 as the secure gateway IP address In this case the VPN connection can only be initiated from dynamic side to fixed side to update its dynami...

Страница 187: ...re remote host 8 My IP Addr is the WAN IP of P 202H Plus v2 9 Secure Gateway IP Addr is the remote secure gateway IP that is WatchGuard WAN IP in this example 10 Select Encapsulation Mode to Tunnel 11...

Страница 188: ...IP of PC2 click OK 3 In External Interface enter the WAN IP for WatchGuard and in Trusted Interface enter the LAN IP for WatchGuard Then click Next 4 Enter the Default Gateway of WatchGuard then clic...

Страница 189: ...he configuration file to be uploaded 8 In the WatchGuard Control Center click on the Policy Manager icon 9 Pull down Network Branch Office VPN IPSec See the figure below 10 Click Gateway and click Add...

Страница 190: ...Click Tunnels and click Add 14 Select the Gateway you had created and click OK 15 Enter a name in Name field for this Tunnel 16 Click Dynamic Security tab select Type Authentication and Encryption for...

Страница 191: ...ESP MD5 HMAC DES CBC 18 Click Add in the main menu to Add Routing Policy 19 In Local Host enter PC1 IP in Remote Host enter PC2 IP then select Secure in Disposition and Tunnel you had created Then cl...

Страница 192: ...gure shown below the tunnel between PC 1 and PC 2 ensures the packets flow between them are secure To setup this VPN tunnel the required settings for P 202H Plus v2 and NETSCREEN are explained in the...

Страница 193: ...Y menu Select a policy to edit by clicking Edit 4 On the CONFIGURE IKE menu check Active check box and give a name to this policy 5 Select IPSec Keying Mode to IKE and Negotiation Mode to Main as we c...

Страница 194: ...P 202H Plus v2 Support Notes See the screen shot If you use SMT management the VPN configurations are as shown below All contents copyright 2006 ZyXEL Communications Corporation 194...

Страница 195: ...menu27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs whic...

Страница 196: ...t 1 Click Address menu and click Trusted tab 2 Click New Address to add the local secure host 192 168 78 5 in this example and give a name to this host address Local Secure Host in this example See th...

Страница 197: ...s example and give a name to this host address Remote Secure Host in this example See the screen shown below Note The Netmask field here for single IP is 255 255 255 255 Please do not enter the wrong...

Страница 198: ...policy 3 Give a name to the policy 4 Select the Local Secure Host that we configured above as the Source Address 5 Select the Remote Secure Host that we configured above as the Destination Address 6...

Страница 199: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 199 8 Click Policy menu and click Incoming tab...

Страница 200: ...mote Secure Host that we configured above as the Source Address 12 Select the Local Secure Host that we configured above as the Destination Address 13 Select ANY as the Service 14 For the rest setting...

Страница 201: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 201...

Страница 202: ...e as the Authentication Method 5 Select Group 1 as DH Group 6 Select DES CBC as Encryption Algorithm 7 Select MD5 as Hash Algorithm 8 Enter 3600 in Lifetime field check Sec checkbox See the sceen shot...

Страница 203: ...y to add the local VPN gateway i e NETSREEN 3 Give a name to this gateway for example NETSCREEN 4 Click Static IP Address as for this example 5 Enter WAN IP of NETSCREEN in the IP Address field 6 Sele...

Страница 204: ...dd the remote VPN gateway i e P 202H Plus v2 9 Give a name to this gateway for example P 202H Plus v2 10 Click Static IP Address as for this example 11 Enter WAN IP of P 202H Plus v2 in the IP Address...

Страница 205: ...Click VPN menu and click AutoKey IKE tab 2 Click New AutoKey IKE Entry to add the entry for the local gateway i e NETSCREEN 3 Select NETSCREEN as the Remote Gateway Tunnel Name 4 Select P 202H Plus v...

Страница 206: ...AutoKey IKE Entry to add the entry for the remote gateway i e P 202H Plus v2 7 Select P 202H Plus v2 as the Remote Gateway Tunnel Name 8 Select P 202H Plus v2 as Phase 2 Proposal and click OK to save...

Страница 207: ...een finished you can start to access the remote secure PC If the VPN is established successfully you can see the traffic flow from the Traffic Log by clicking Log menu See the following screen shot Al...

Страница 208: ...otes You can also see the current active user from the Active Log by clicking Log menu See the following screen shot 3 P 202H Plus v2 vs 3rd Party VPN Software All contents copyright 2006 ZyXEL Commun...

Страница 209: ...them are secure Because the packets go through the IPSec tunnel are encrypted To setup this VPN tunnel the required settings for the software and P 202H Plus v2 are explained in the following The IP a...

Страница 210: ...LAN segment of P 202H Plus v210 In this example we setup P 202H Plus v210 as DHCP server and it s LAN IP address is 192 168 99 1 Edit Internet Access of P 202H Plus v210 All contents copyright 2006 Zy...

Страница 211: ...P 202H Plus v2 Support Notes In SMT menu 27 create a VPN rule like following All contents copyright 2006 ZyXEL Communications Corporation 211...

Страница 212: ...rk objects Click on New Network define the LAN segment of P 202H Plus v2 Select Locationa as External Note Internal and external refer to whether this network is protected behind the Checkpoint or not...

Страница 213: ...nal If there are more than one network would like to utilize the VPN tunnel You can merge the networks into one group Go to Manage Network Objects Click on New Group Fill in the properties for the gro...

Страница 214: ...VPN Objects Define P 202H Plus v2 box as a tunnel end point Name SOHO_TEST Select VPN tab to define the protected domain of ZW and the Encryption schemes used by the tunnel All contents copyright 2006...

Страница 215: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 215...

Страница 216: ...nel endpoint Select VPN tab to define the protected domain of Checkpoint and the Encryption schemes used by the tunnel Choose IKE and press Edit to edit the Phase1 parameters and pre shared key All co...

Страница 217: ...press Edit Secretes Select SOHO_TEST as peer and input the pre shared key Define VPN policy Create a new rule at or near the top of the policy This rule should include both encryption domains as both...

Страница 218: ...s we need to setup for this case They are WIN2K VPN software and P 202H Plus v2 router All contents copyright 2006 ZyXEL Communications Corporation 218 As the figure shown below the tunnel between PC...

Страница 219: ...C2 172 21 1 232 LAN 192 168 1 1 WAN 172 21 1 252 192 168 1 33 1 Setup WIN2K VPN Create a custom MMC console 1 From Windows desktop click Start click Run and in the Open textbox type MMC Click OK 2 On...

Страница 220: ...P 202H Plus v2 Support Notes 3 In the Add Remove Snap In dialog box click Add All contents copyright 2006 ZyXEL Communications Corporation 220...

Страница 221: ...4 In the Add Standalone Snap in dialog box click Computer Management and then click Add 5 Verify that Local Computer default setting is selected and click Finish All contents copyright 2006 ZyXEL Com...

Страница 222: ...dalone Snap in dialog box click Group Policy and then click Add 7 Verify that Local Computer default setting is selected in the Group Policy Object dialog box and then click Finish All contents copyri...

Страница 223: ...8 In the Add Standalone Snap in dialog box click Certifications and then click Add 9 In the Certificates snap in dialog box select Computer account and click Next All contents copyright 2006 ZyXEL Co...

Страница 224: ...Support Notes 10 Verify that Local Computer default setting is selected and click Finish 11 Click Close to close the Add Standalone Snap in dialog box All contents copyright 2006 ZyXEL Communications...

Страница 225: ...s an local IPSec policy In this case you can create an Organization Unit OU in Active Directory to make your WIN2K as a member of this OU by assigning the IPSec policy to the Group Policy Object GPO o...

Страница 226: ...click IP Security Policies on Local Machine and then click Create IP Security Policy 3 Click Next and type a name for your policy For example WIN2K to P 202H Plus v2 Tunnel All contents copyright 2006...

Страница 227: ...P 202H Plus v2 Support Notes 4 Uncheck Active the default response rule check box and click Next All contents copyright 2006 ZyXEL Communications Corporation 227...

Страница 228: ...t Notes 5 Keep the Edit properties check box selected and click Finish 5 A dialog window will bring up for you to configure two filter rules for this policy All contents copyright 2006 ZyXEL Communica...

Страница 229: ...ndpoints so we need two filter rules One is for the direction from PC 1 to PC 2 endpoint is P 202H Plus v2 and the other is from PC 2 to PC 1 endpoint is WIN2K In each rule a source IP and destination...

Страница 230: ...P 202H Plus v2 Support Notes 2 On the IP Filter List tab click Add All contents copyright 2006 ZyXEL Communications Corporation 230...

Страница 231: ...202H Plus v2 Support Notes 3 Type a name for the filter list e g WIN2K to P 202H Plus v2 uncheck Use Add Wizard check box and click Add All contents copyright 2006 ZyXEL Communications Corporation 23...

Страница 232: ...P 202H Plus v2 Support Notes 4 In the Source address choose A specific IP Address and enter the IP address of PC 1 All contents copyright 2006 ZyXEL Communications Corporation 232...

Страница 233: ...Plus v2 Support Notes 5 In the Destination address choose A specific IP Address and enter the IP address of PC 2 6 Uncheck Mirror check box All contents copyright 2006 ZyXEL Communications Corporatio...

Страница 234: ...cause IPSec tunnels do not support protocol specific or port specific filters 8 On the Description tab you can give a name for this filter list The filter name is displayed in the IPSec monitor when t...

Страница 235: ...Plus v2 Support Notes 9 Click OK and Close to close the windows Build a Filter List from PC 2 to PC 1 1 On the IP Filter List tab click Add All contents copyright 2006 ZyXEL Communications Corporatio...

Страница 236: ...or the filter list e g P 202H Plus v2 to WIN2K uncheck Use Add Wizard check box and click Add 3 In the Source address choose A specific IP Address and enter the IP address of PC 2 All contents copyrig...

Страница 237: ...Plus v2 Support Notes 4 In the Destination address choose A specific IP Address and enter the IP address of PC 1 5 Uncheck Mirror check box All contents copyright 2006 ZyXEL Communications Corporatio...

Страница 238: ...2 Support Notes 6 On the Protocol tab leave the protocol type to Any because IPSec tunnels do not support protocol specific or port specific filters All contents copyright 2006 ZyXEL Communications Co...

Страница 239: ...escription tab you can give a name for this filter list The filter name is displayed in the IPSec monitor when the tunnel is active 8 Click OK and Close to close the windows All contents copyright 200...

Страница 240: ...e first filter list you created above from the IP Filter List For example WIN2K to P 202H Plus v2 2 Click Tunnel Setting tab enter the remote endpoint For this filter list the remote IPSec endpoint is...

Страница 241: ...rk connections or click LAN connections if your WIN2K does not connect to ISP but LAN In our example we choose All network connections 4 Click Filter Action tab uncheck Use Add Wizard check box and cl...

Страница 242: ...ng IPSec check box You must do this to ensure secure connections 6 Click Add and select Custom for expert users if you want to define specific algorithms and session key lifetimes Please make sure the...

Страница 243: ...02H Plus v2 Support Notes 7 Click OK On the General tab give a name to the filter action For example WIN2K to P 202H Plus v2 and click OK All contents copyright 2006 ZyXEL Communications Corporation 2...

Страница 244: ...on you just created 9 On the Authentication Methods tab click Add to select Use this string to protect the key exchange pre shared key option And enter the string 12345678 in the text box All contents...

Страница 245: ...P 202H Plus v2 Support Notes 10 Click OK See the finished screen shot All contents copyright 2006 ZyXEL Communications Corporation 245...

Страница 246: ...to PC 1 tunnel 1 In the IPSec policy properties click Add to create a new rule 2 Select the second filter list you created above from the IP Filter List For example P 202H Plus v2 to WIN2K All conten...

Страница 247: ...filter list the remote IPSec endpoint is WIN2K 4 Click Connection Type tab click All network connections or click LAN connections if your WIN2K does not connect to ISP but LAN In our example we choos...

Страница 248: ...Notes 5 Click Filter Action tab select the filter action you created 6 On the Authentication Method tab configure the same settings as done in the first rule All contents copyright 2006 ZyXEL Communic...

Страница 249: ...us v2 Support Notes 7 Click Close 8 Enable both rules you created in the policy properties and click Close Figure 5 See the finished screen shot All contents copyright 2006 ZyXEL Communications Corpor...

Страница 250: ...ows 2000 1 In the IP Security Policies on Local Machine MMC snap in right click your new policy and click Assign 2 A green arrow will appear in the folder icon next to your policy See the screen shot...

Страница 251: ...lect IPSec Keying Mode to IKE and Negotiation Mode to Main as we configured in WIN2K 6 Source IP Address Start and Source IP Address End are PC 2 IP in this example the secure host behind P 202H Plus...

Страница 252: ...es Figure 8 See the VPN rule screen shot If you use SMT management the VPN configurations are as shown below Menu 27 1 1 IPSec Setup Index 1 Name P 202H Plus v2 All contents copyright 2006 ZyXEL Commu...

Страница 253: ...sing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate general purpose SAs which are secure channels for data t...

Страница 254: ...lus v2 ensures the packets flow between them are secure Because the packets go through the IPSec tunnel are encrypted To setup this VPN tunnel the required settings for the software and P 202H Plus v2...

Страница 255: ...choose IP Address option and enter the IP address of the remote PC PC 2 in this case 5 Check Connect using Secure Gateway Tunnel please also select IP Address as ID Type and enter P 202H Plus v2 s WA...

Страница 256: ...lus v2 icon you may see My Identity 7 Click My Identity click the Pre Shared Key icon in the right side of the window 8 Enter a key you that later you will also need to configure in P 202H Plus v2 in...

Страница 257: ...P 202H Plus v2 Support Notes Security Policy Settings All contents copyright 2006 ZyXEL Communications Corporation 257...

Страница 258: ...Security Policy icon you will see two icons Authentication Phase 1 and Key Exchange Phase 2 11 The settings shown in the following two figures for both Phases are our examples You can choose any but t...

Страница 259: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 259...

Страница 260: ...IP Address End are PC 2 IP in this example the secure host behind P 202H Plus v2 7 Destination IP Address Start and Destination IP Address End are PC 1 in this example the secure remote host Note You...

Страница 261: ...P 202H Plus v2 Support Notes Figure 8 See the VPN rule screen shot All contents copyright 2006 ZyXEL Communications Corporation 261...

Страница 262: ...dit IKE Setup option in menu27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Страница 263: ...be several devices we need to setup for this case They are Linux FreeS WAN and P 202H Plus v2 router As the figure shown below the tunnel between PC 1 and P 202H Plus v2 ensures the packets flow betw...

Страница 264: ...resume that your Linux s kernel has been compiled to support FreeS WAN and FreeS WAN has been also installed successfully in your system You can refer to the following URL for more information http ww...

Страница 265: ...Keying Mode to IKE and Negotiation Mode to Main Linux FreeS WAN only supports Main mode 6 In Local section choose Subnet Address as Address Type Source IP Address Start is 192 168 0 0 and End is 255 2...

Страница 266: ...Advanced button to check IPSec Phase 1 and Phase 2 parameters Please note that Linux FreeS WAN only supports 3DES as encryption algorithm and DH2 or upper as key exchange group All contents copyright...

Страница 267: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 267...

Страница 268: ...space bar and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate IPSec SAs which are used for dat...

Страница 269: ...and P 202H Plus v2 router As the figure shown below the tunnel between PC 1 with Sentinel installed and P 202H Plus v2 ensures the packets flow between them are secure Because the packets go through...

Страница 270: ...2 172 21 1 232 LAN 192 168 1 1 WAN 172 21 1 252 192 168 1 33 1 Setup Sentinel 1 From Tool Tray of Windows system right click on your SSH Sentinel icon and then choose Run Policy Editor 2 Choose Key Ma...

Страница 271: ...P 202H Plus v2 Support Notes 3 Select Create a preshared key and press Next All contents copyright 2006 ZyXEL Communications Corporation 271...

Страница 272: ...Give this preshared key a name P 202H Plus v2 And then enter the preshared key 12345678 in both Shared secret and Confirm shared secret fields Finally press Finish All contents copyright 2006 ZyXEL C...

Страница 273: ...P 202H Plus v2 Support Notes 5 Press Apply in Main menu to save the above settings for latter use All contents copyright 2006 ZyXEL Communications Corporation 273...

Страница 274: ...P 202H Plus v2 Support Notes 6 Switch to Security Policy tab Choose VPN connections and then press Add All contents copyright 2006 ZyXEL Communications Corporation 274...

Страница 275: ...Connection window will pop out Press IP button besides Gateway Name box Enter P 202H Plus v210 s WAN IP address in Gateway IP address 8 Press button besides Remote network All contents copyright 2006...

Страница 276: ...P 202H Plus v2 in Network name and 192 168 1 0 in IP address field and 255 255 255 0 in Subnet Mask field Then click OK to go back to Add VPN Connection window 10 Choose P 202H Plus v2 as Authenticati...

Страница 277: ...nnection 172 21 1 252 P 202H Plus v2 choose this item and then press Properties button 12 Choose Settings button in Remote endpoint section Please uncheck the boxes of Acquire virtual IP address and E...

Страница 278: ...on algorithm as DES Integrity function as MD5 IKE mode as main mode IKE group as MODP 768 group 1 and IPSec proposal to Encryption algorithm as DES Integrity funciton as HMAC MD5 PFS group as none All...

Страница 279: ...P 202H Plus v2 Support Notes 14 Press Apply to save all of the settings All contents copyright 2006 ZyXEL Communications Corporation 279...

Страница 280: ...and P 202H Plus v2 the tunnel can t be initiated from P 202H Plus v2 side Please always initiate the tunnel from Sentinel B VPN tunnel on Sentinel can t be initiated by triggered packets such as ping...

Страница 281: ...rent firmware version doesn t support Mega Bytes as SA lifetime You have to Zero your Mega Bytes setting in SA life time Switch to Security Policy the configuration page is in Your VPN connection Prop...

Страница 282: ...ddress Start is 192 168 1 0 End Subnet Mask is 255 255 255 0 6 Remote IP Address Type is Single Address Start is Sentinel s IP 172 21 1 232 7 My IP Addr is the WAN IP of P 202H Plus v2 8 Secure Gatewa...

Страница 283: ...P 202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters All contents copyright 2006 ZyXEL Communications Corporation 283...

Страница 284: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 284...

Страница 285: ...it IKE Setup option in menu 27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Страница 286: ...e They are Sentinel software and P 202H Plus v2 router As the figure shown below the tunnel between PC 1 with Sentinel installed and P 202H Plus v2 ensures the packets flow between them are secure Bec...

Страница 287: ...2 PC2 Dynamic LAN 192 168 1 1 WAN 172 21 1 252 192 168 1 33 1 Setup Sentinel 1 From Tool Tray of Windows system right click on your Sentinel icon and then choose Run Policy Editor 2 Choose Key Managem...

Страница 288: ...P 202H Plus v2 Support Notes 3 Select Create a preshared key and press Next All contents copyright 2006 ZyXEL Communications Corporation 288...

Страница 289: ...Give this preshared key a name P 202H Plus v2 And then enter the preshared key 12345678 in both Shared secret and Confirm shared secret fields Finally press Finish All contents copyright 2006 ZyXEL C...

Страница 290: ...P 202H Plus v2 Support Notes 5 Press Apply in Main menu to save the above settings for latter use All contents copyright 2006 ZyXEL Communications Corporation 290...

Страница 291: ...P 202H Plus v2 Support Notes 6 Switch to Security Policy tab Choose VPN connections and then press Add All contents copyright 2006 ZyXEL Communications Corporation 291...

Страница 292: ...Connection window will pop out Press IP button besides Gateway Name box Enter P 202H Plus v210 s WAN IP address in Gateway IP address 8 Press button besides Remote network All contents copyright 2006...

Страница 293: ...P 202H Plus v2 in Network name and 192 168 1 0 in IP address field and 255 255 255 0 in Subnet Mask field Then click OK to go back to Add VPN Connection window 10 Choose P 202H Plus v2 as Authenticati...

Страница 294: ...nnection 172 21 1 252 P 202H Plus v2 choose this item and then press Properties button 12 Choose Settings button in Remote endpoint section Please uncheck the boxes of Acquire virtual IP address and E...

Страница 295: ...on algorithm as DES Integrity function as MD5 IKE mode as main mode IKE group as MODP 768 group 1 and IPSec proposal to Encryption algorithm as DES Integrity funciton as HMAC MD5 PFS group as none All...

Страница 296: ...P 202H Plus v2 Support Notes 14 Press Apply to save all of the settings All contents copyright 2006 ZyXEL Communications Corporation 296...

Страница 297: ...and P 202H Plus v2 the tunnel can t be initiated from P 202H Plus v2 side Please always initiate the tunnel from Sentinel B VPN tunnel on Sentinel can t be initiated by triggered packets such as ping...

Страница 298: ...rent firmware version doesn t support Mega Bytes as SA lifetime You have to Zero your Mega Bytes setting in SA life time Switch to Security Policy the configuration page is in Your VPN connection Prop...

Страница 299: ...Address Type is Subnet Address Start is 192 168 1 0 End Subnet Mask is 255 255 255 0 6 Remote IP leave it as default setup 0 0 0 0 0 0 0 0 7 My IP Addr is the WAN IP of P 202H Plus v2 8 Secure Gateway...

Страница 300: ...P 202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters All contents copyright 2006 ZyXEL Communications Corporation 300...

Страница 301: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 301...

Страница 302: ...it IKE Setup option in menu 27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Страница 303: ...e They are Sentinel software and P 202H Plus v2 router As the figure shown below the tunnel between PC 1 with Sentinel installed and P 202H Plus v2 ensures the packets flow between them are secure Bec...

Страница 304: ...3 LAN 192 168 2 1 WAN 172 21 1 232 LAN 192 168 1 1 WAN 172 21 1 252 192 168 1 33 1 Setup SSH Sentinel 1 From Tool Tray of Windows system right click on your SSH Sentinel icon and then choose Run Polic...

Страница 305: ...P 202H Plus v2 Support Notes 3 Select Create a preshared key and press Next All contents copyright 2006 ZyXEL Communications Corporation 305...

Страница 306: ...Give this preshared key a name P 202H Plus v2 And then enter the preshared key 12345678 in both Shared secret and Confirm shared secret fields Finally press Finish All contents copyright 2006 ZyXEL C...

Страница 307: ...P 202H Plus v2 Support Notes 5 Press Apply in Main menu to save the above settings for latter use All contents copyright 2006 ZyXEL Communications Corporation 307...

Страница 308: ...P 202H Plus v2 Support Notes 6 Switch to Security Policy tab Choose VPN connections and then press Add All contents copyright 2006 ZyXEL Communications Corporation 308...

Страница 309: ...Connection window will pop out Press IP button besides Gateway Name box Enter P 202H Plus v210 s WAN IP address in Gateway IP address 8 Press button besides Remote network All contents copyright 2006...

Страница 310: ...P 202H Plus v2 in Network name and 192 168 1 0 in IP address field and 255 255 255 0 in Subnet Mask field Then click OK to go back to Add VPN Connection window 10 Choose P 202H Plus v2 as Authenticati...

Страница 311: ...nnection 172 21 1 252 P 202H Plus v2 choose this item and then press Properties button 12 Choose Settings button in Remote endpoint section Please uncheck the boxes of Acquire virtual IP address and E...

Страница 312: ...on algorithm as DES Integrity function as MD5 IKE mode as main mode IKE group as MODP 768 group 1 and IPSec proposal to Encryption algorithm as DES Integrity funciton as HMAC MD5 PFS group as none All...

Страница 313: ...P 202H Plus v2 Support Notes 14 Press Apply to save all of the settings All contents copyright 2006 ZyXEL Communications Corporation 313...

Страница 314: ...and P 202H Plus v2 the tunnel can t be initiated from P 202H Plus v2 side Please always initiate the tunnel from Sentinel B VPN tunnel on Sentinel can t be initiated by triggered packets such as ping...

Страница 315: ...rent firmware version doesn t support Mega Bytes as SA lifetime You have to Zero your Mega Bytes setting in SA life time Switch to Security Policy the configuration page is in Your VPN connection Prop...

Страница 316: ...Type is Subnet Address Start is 192 168 1 0 End Subnet Mask is 255 255 255 0 6 Remote IP Address Start is Sentinel s IP 192 168 2 33 7 My IP Addr is the WAN IP of P 202H Plus v2 8 Secure Gateway IP A...

Страница 317: ...P 202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters All contents copyright 2006 ZyXEL Communications Corporation 317...

Страница 318: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 318...

Страница 319: ...it IKE Setup option in menu 27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Страница 320: ...us v2 router There will be several devices we need to setup for this case They are Sentinel and P 202H Plus v2 router As the figure shown below the tunnel between PC 1 with Sentinel installed and P 20...

Страница 321: ...Advanced VPN 4 Check Active box to enable this rule Check Keep alive to make your VPN connection stay permanent 5 Select Negotiation Mode to Main 6 Local IP Address Type is Subnet Address Start is 192...

Страница 322: ...P 202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters All contents copyright 2006 ZyXEL Communications Corporation 322...

Страница 323: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 323...

Страница 324: ...it IKE Setup option in menu 27 1 1 to Yes and then pressing Enter 2 There are two phases for IKE In Phase 1 two IKE peers establish a secure channel for key exchanging In Phase 2 two peers negotiate g...

Страница 325: ...ration in IKE Setup should match the settings configured in Sentinel 2 Setup Sentinel 1 From Tool Tray of Windows system right click on your SSH Sentinel icon and then choose Run Policy Editor All con...

Страница 326: ...P 202H Plus v2 Support Notes 2 Choose Key Management Select My Keys then press Add button All contents copyright 2006 ZyXEL Communications Corporation 326...

Страница 327: ...P 202H Plus v2 Support Notes 3 Select Create a preshared key and press Next All contents copyright 2006 ZyXEL Communications Corporation 327...

Страница 328: ...Give this preshared key a name P 202H Plus v2 And then enter the preshared key 12345678 in both Shared secret and Confirm shared secret fields Finally press Finish All contents copyright 2006 ZyXEL C...

Страница 329: ...P 202H Plus v2 Support Notes 5 Press Apply in Main menu to save the above settings for latter use All contents copyright 2006 ZyXEL Communications Corporation 329...

Страница 330: ...P 202H Plus v2 Support Notes 6 Switch to Security Policy tab Choose VPN connections and then press Add All contents copyright 2006 ZyXEL Communications Corporation 330...

Страница 331: ...Press button besides Remote network All contents copyright 2006 ZyXEL Communications Corporation 331 9 Network Editor Window will pop out Press New button and Enter P 202H Plus v2 in Network name and...

Страница 332: ...hentication Key Then click OK to save 11 In SSH Sentinel Policy Editor you will get a new VPN connection P 202H Plus v2 dyndns org P 202H Plus v2 choose this item and then press Properties button All...

Страница 333: ...Support Notes 12 Choose Settings button in Remote endpoint section Please uncheck the boxes of Acquire virtual IP address and Extended authentication All contents copyright 2006 ZyXEL Communications C...

Страница 334: ...on algorithm as DES Integrity function as MD5 IKE mode as main mode IKE group as MODP 768 group 1 and IPSec proposal to Encryption algorithm as DES Integrity funciton as HMAC MD5 PFS group as none All...

Страница 335: ...P 202H Plus v2 Support Notes 14 Press Apply to save all of the settings All contents copyright 2006 ZyXEL Communications Corporation 335...

Страница 336: ...and P 202H Plus v2 the tunnel can t be initiated from P 202H Plus v2 side Please always initiate the tunnel from Sentinel B VPN tunnel on Sentinel can t be initiated by triggered packets such as ping...

Страница 337: ...rent firmware version doesn t support Mega Bytes as SA lifetime You have to Zero your Mega Bytes setting in SA life time Switch to Security Policy the configuration page is in Your VPN connection Prop...

Страница 338: ...kets flow between them are secure Because the packets go through the IPSec tunnel are encrypted To setup this VPN tunnel the required settings for Intel VPN client and P 202H Plus v2 are explained in...

Страница 339: ...ame P 202H Plus v2 for example Specify VPN Gateway IP Address as 172 21 1 252 Tunnel Applies to All network connections Uncheck Enable IP Address assignment and WINS DNS via VPN Gateway All contents c...

Страница 340: ...Address 192 168 1 0 Subnet Mask 255 255 255 0 Protocol ALL Port ALL And Phase 2 parameters AH None Authentication HMAC MD5 Encryption DES 56 bit key uncheck Transport mode Specify the Phase 2 SA life...

Страница 341: ...2 Support Notes 4 Select Shared Secret as Authentication Method and Enter the pre shared key 12345678 Then press Advanced to edit Phase 1 parameters All contents copyright 2006 ZyXEL Communications Co...

Страница 342: ...se SA life time you would like to have 60 minutes for example Encryption as DES 56 bit key Authentication as HMAC MD5 and Diffie Hellman Group as 1 RSA 768 bits Click OK to save All contents copyright...

Страница 343: ...to IKE and Negotiation Mode to Main as we configured in SSH 6 Source IP Address Start and Source IP Address End are PC 2 IP in this example the secure host behind P 202H Plus v2 7 Destination IP Addre...

Страница 344: ...as we configured in SSH 13 Enter the key string 12345678 in the Preshared Key text box and click Apply 14 Press Advanced button to set IKE phase 1 and phase 2 parameters See the VPN rule screen shot S...

Страница 345: ...enu 27 1 1 IPSec Setup Index 1 Name to_ssh Active Yes My IP Addr 172 21 1 252 Secure Gateway Addr 172 21 1 232 Protocol 0 Local Addr Type SUBNET IP Addr Start 192 168 1 0 End 255 255 255 0 Port Start...

Страница 346: ...neral purpose SAs which are secure channels for data transmission Please note that any configuration in IKE Setup should match the settings configured in SSH Menu 27 1 1 1 IKE Setup Phase 1 Negotiatio...

Страница 347: ...N Routing between Branch Offices This page guides us how to setup VPN routing between branch offices through headquarter So that whenever branch office A wants to talk to branch office B headquarter p...

Страница 348: ...nd branch office A to access both LAN segments of headquarter and branch office B Because the LAN segments of headquarter and branch office B are continuous we merge them into one single rule by inclu...

Страница 349: ...anch office B 8 My IP Addr is the WAN IP of this P 202H Plus v2 202 3 1 1 9 Set Secure Gateway Addr to the IP address of Headquarter 202 1 1 1 10 Select Encapsulation Mode to Tunnel 11 Check the ESP c...

Страница 350: ...e 1 and phase 2 parameters by pressing Advanced button Please make sure that parameters you set in this menu match with all the parameters with the correspondent VPN rule in headquarter All contents c...

Страница 351: ...ion However if we include these two segments in one rule the LAN segment of branch office B will be also included in this single rule which means intercommunication inside branch office B will run int...

Страница 352: ...e 1 and phase 2 parameters by pressing Advanced button Please make sure that parameters you set in this menu match with all the parameters with the correspondent VPN rule in headquarter All contents c...

Страница 353: ...P 202H Plus v2 Support Notes 2 The second rule in Branch_B This rule is for branch office B to access branch office A All contents copyright 2006 ZyXEL Communications Corporation 353...

Страница 354: ...e 1 and phase 2 parameters by pressing Advanced button Please make sure that parameters you set in this menu match with all the parameters with the correspondent VPN rule in headquarter All contents c...

Страница 355: ...P 202H Plus v2 Support Notes 3 Setup VPN in Headquarter 1 The correspondent rule for Branch_A in headquarter All contents copyright 2006 ZyXEL Communications Corporation 355...

Страница 356: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 356...

Страница 357: ...P 202H Plus v2 Support Notes 2 The correspondent rule for Branch_B_1 in headquarter All contents copyright 2006 ZyXEL Communications Corporation 357...

Страница 358: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 358...

Страница 359: ...P 202H Plus v2 Support Notes 2 The correspondent rule for Branch_B_2 in headquarter All contents copyright 2006 ZyXEL Communications Corporation 359...

Страница 360: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 360...

Страница 361: ...P 202H Plus v2 Support Notes All contents copyright 2006 ZyXEL Communications Corporation 361...

Страница 362: ...er to SMT Menu 11 and note which node N you will be dialing 2 Enter to SMT Menu 24 8 3 Enable the EPA capture capability by P 202H Plus v2 isdn fw ana on 4 Manually dial to remote node N P 202H Plus v...

Страница 363: ...nsion bit final octet 00 00 03 18 8 bytes LAPD D TE C SAPI 63 TEI 127UI P 0 00001111 Layer management 00000001 Reference Number MSB 00000000 Reference Number LSB 256 00000001 Message Type Identity req...

Страница 364: ...ering plan iden unknown 3a 1 Extension bit not continued 00 Presentation indic presentation allowed 000 Spare 00 Screeing indicator user provided not screened Calling Number Type 5009097 1 01110000 IN...

Страница 365: ...bytes Unknown IE content 0x21 0x83 0x33 0x34 0x31 Unknown IE content 0x32 0x35 0x36 0x37 0x38 00 00 03 62 4 bytes LAPD D TE R SAPI 0 TEI 97 RR P F 0 NR 3 00 00 03 63 8 bytes LAPD D TE C SAPI 0 TEI 97...

Страница 366: ...the trace of PPP log that we can diagnose from the trace by referring to the PPP numbers or use the ZPKTTOOL to interpret for us P 202H Plus v2 ZPKTTOOL tool is a DOS utility that interprets the dump...

Страница 367: ...by P 202H Plus v2 sys trcl sw off P 202H Plus v2 sys trcp sw off Dump the PPP log by P 202H Plus v2 sys trcl disp The trace appears on the screen as in the following example Press Enter key to dump th...

Страница 368: ...53 PP09 ebp 7e9e3c seqNum 63 bri0 XMIT len 16 call 4 0000 ff 03 c0 21 02 02 00 0c 01 04 05 f4 03 04 c0 23 98 258754 PP09 ebp 7e9e70 seqNum 64 bri0 RECV len 18 call 4 0000 ff 03 c0 21 02 0f 00 0e 01 04...

Страница 369: ...P09 LCP closed 115 260465 PP09 FSM_DOWN state 9 116 260465 PP09 IPCP closed 117 260465 PP09 FSM_DOWN state 1 118 260465 PP09 FSM_DOWN state 1 119 260465 PP09 FSM_DOWN state 1 120 260465 PP09 FSM_DOWN...

Страница 370: ...ith your ISP or if you want to know the details of a packet for configuring a filter rule The format of the display is as following Packet 0 11880 160 ENET0 R 0062 TCP 192 168 1 2 1108 192 31 7 130 80...

Страница 371: ...1 2 1108 192 31 7 130 80 2 11883 330 ENET0 T 0058 TCP 192 31 7 130 80 192 168 1 2 1108 3 11883 340 ENET0 R 0060 TCP 192 168 1 2 1108 192 31 7 130 80 4 11883 340 ENET0 R 0339 TCP 192 168 1 2 1108 192 3...

Страница 372: ...8192 Checksum 0xBEC3 48835 Urgent Ptr 0x0000 0 Options 0000 02 04 05 B4 01 01 04 02 RAW DATA 0000 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00 L c E 0010 00 30 33 0B 40 00 80 06 3E 71 C0 A8 01 02...

Страница 373: ...02 04 05 B4 RAW DATA 0000 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00 L c E 0010 00 2C 57 F3 40 00 ED 06 AC 8C C0 1F 07 82 C0 A8 W 0020 01 02 00 50 04 5C 4A D1 B5 7F 00 BD 15 A8 60 12 P J 0030 FA...

Страница 374: ...1F 5 y 0020 07 82 04 5C 00 50 00 BD 15 A8 4A D1 B5 80 50 10 P J P 0030 22 38 E8 ED 00 00 20 20 20 20 20 20 8 2 Trace WAN packet 1 1 Disable to capture the LAN packet by entering sys trcp channel enet...

Страница 375: ...P IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x0030 48 Idetification 0xE702 59138 Flags 0x02 Fragment Offset 0x00 Time to Live 0x7F 127 Protocol 0x06 TCP Header Checks...

Страница 376: ...06 TCP Header Checksum 0xBC01 48129 Source IP 0xD2437191 210 67 113 145 Destination IP 0xA31FEF01 163 31 239 1 TCP Header Source Port 0x0050 80 Destination Port 0x2717 10007 Sequence Number 0x7AA71C33...

Страница 377: ...sys trcp channel enet0 bothway ras sys trcp sw on ras sys trcl sw on ras sys trcp sw off ras sys trcl sw off ras sys trcp brief 0 10855 790 ENET0 T 0141 TCP 192 31 7 130 80 192 168 1 2 1102 1 10855 80...

Страница 378: ...Checksum 0xDCEF 56559 Urgent Ptr 0x0000 0 Options 0000 02 04 05 B4 RAW DATA 0000 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00 L c E 0010 00 2C 7F 02 40 00 ED 06 85 7D C0 1F 07 82 C0 A8 0020 01 02...

Страница 379: ...BRI0 R 0048 TCP 210 67 113 145 80 163 31 239 1 10008 4 1226 480 BRI0 T 0044 IP Unknown 0x07 5 1226 490 BRI0 T 0446 PPP VJ Compressed IP 0x002d ras sys trcp parse 1 2 0002 PPP Frame BRI0 XMIT Size 52...

Страница 380: ...1226 480 sec Frame Type TCP 210 67 113 145 80 163 31 239 1 10008 PPP Header Protocol 0x0021 IP IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x002C 44 Idetification 0x01...

Страница 381: ...r P 202H Plus v2 first before running the TFTP software o Type the CI command sys stdio 0 to disable console idle timeout in Menu 24 8 and stay in Menu 24 8 o Run the TFTP client software o Enter the...

Страница 382: ...disable console idle timeout in Menu 24 8 and stay in Menu 24 8 o Run the TFTP client software o To download the SMT configuration please get the remote file rom 0 from the P 202H Plus v2 o To upload...

Страница 383: ...a LAN c tftp i P 202H Plus v2IP put localfile rom 0 Download SMT configurations via LAN c tftp i P 202H Plus v2IP get rom 0 localfile Using TFTP command on UNIX Before you begin 1 TELNET to your P 202...

Страница 384: ...nformation and Console Port Speed 3 Log and Trace 4 Diagnostic 5 Backup Configuration 6 Restore Configuration 7 Software Update 8 Command Interpreter Mode 9 Call Control Copyright c 1999 ZyXEL Communi...

Страница 385: ...the SMT password as the FTP login password the default is 1234 Step 4 Enter command bin to set the transfer type to binary Step 5 Use put command to transfer the file to the P 202H Plus v2 Note The r...

Страница 386: ...rom your workstation to connect to the P 202H Plus v2 by entering the IP address of the P 202H Plus v2 Step 3 Enter the SMT password as the FTP login password The default is 1234 Step 4 Press OK key t...

Страница 387: ...we transfer the local ras file to overwrite the remote ras file To upload the configuration file we transfer the local rom 0 to overwrite the remote rom 0 file 4 The P 202H Plus v2 reboots automatical...

Страница 388: ...commands and all major sub commands 2 exit Exit Subcommand To get the latest CI Command list The latest CI Command list is available in release note of every ZyXEL firmware release Please goto ZyXEL p...

Страница 389: ...can be None PAP CHAP NCP negotiation NCP can be IPCP BACP BCP CCP IPXCP The P 202H Plus v2 provides a very clear log for each step of the call setup The following shows the messages displayed in each...

Страница 390: ...Call didn t connect Try again later and also verify the phone number Login to remote failed IP address been rejected by your ISP ISDN protocol mismatch Disconnect by far end Other unknown reason Cann...

Страница 391: ...e failed LCP closed Recv d TERM REQ Recv d TERM ACK state 5 LCP stopped TRY Verify username and password with your ISP again or retype the username and password field again When you retype the name an...

Страница 392: ...ss 204 247 1 1 32 then you should configure your P 202H Plus v2 to enable Single User Account SUA For more information on how to configure SUA please refer to application note ISDN protocol mismatch D...

Страница 393: ...d give no log about it Other unknown reason For any other unknown reason you have to look at the packet trace to decide what went wrong To collect the trace Go to Menu 11 and mark down which remote nu...

Страница 394: ...call to a Remote node Use CI isdn dial node to verify a outgoing call for a remote node Use CI system event an incoming call from a remote node The following are some possible failure reasons for a ou...

Страница 395: ...et check Menu 24 9 3 Login to remote node failed check the name and password again PPP negotiation failed IP address mismatched Phone number is in Black List check Menu 24 9 2 Pre ZyNOS P2864 isdn dia...

Страница 396: ...1 phone last 9 digit 40201 Hit any key to continue Call CONNECT speed 64000 chan 1 prot 1 LCP up CHAP send response Login to remote failed Check name passwd Receive Terminate REQ LCP down Line Down ch...

Страница 397: ...t collect the PPP negotiation trace Following are the steps to collect PPP negotiation packets You can use these steps to collect traces for all PPP related problems P128 sys trcl cl Program Trace Swi...

Страница 398: ...65 6c 63 6f 6d 65 113 fe4002 195 PNET ppp CHAP login to remote OK 114 fe400c 0 PNET ebp 4ab50 seqNum 1e PPP1 RECV 24 len 8 0000 c0 29 01 32 00 06 01 02 115 fe400c 0 POU1 ebp 4ab80 seqNum 1f PPP1 XMIT...

Страница 399: ...for node 4 Dialing chan 1 phone last 9 digit 40201 Hit any key to continue Call CONNECT speed 64000 chan 1 prot 1 LCP up CHAP send response CHAP login to remote OK IPCP negotiation started BACP negoti...

Страница 400: ...swer incoming call from a Remote node or Dial in User The following are some of the possible reasons the P 202H Plus v2 not answering an incoming call System can t answer call ISDN protocol mismatched...

Страница 401: ...destination should be routed to the LAN interface enif0 in P 202H Plus v2 and IP packet for a remote node destination should be sent to the WAN interface if the connection is up or else the packet wil...

Страница 402: ...nterface Gateway Metric stat Timer Use 204 247 203 191 00 32 enif0 204 247 203 183 1 0015 0 0 204 247 203 128 00 26 enif0 204 247 203 183 1 0023 0 0 100 0 0 0 00 8 wanIdle 100 1 1 1 2 0023 0 0 default...

Страница 403: ...e Use is the same as before the PING Or any other traffic that you think should route and trigger the outcall Furthermore the error counters are still 0 s P 202H Plus v2 ip route st Dest FF Len Interf...

Страница 404: ...he password to 1234 2 You want to reset the configurations to defaults Please note that the default configuration file for the new ZyNOS is not compatible with the one for previous ZyNOS versions So w...

Страница 405: ...le console idle timeout c Start the TFTP client program and enter the P 202H Plus v2 s IP address d To upload the configuration file put the local configuration file to the P 202H Plus v2 as a remote...

Страница 406: ...te to destination 6 Channel unacceptable 7 Call awarded and being delivered in an established channel 16 Nomal call clearing 17 User busy 18 No user responding 19 No answer from user user alerted 21 C...

Страница 407: ...Option not Implemented Class 65 Bearer capability not implemented 66 Channel type not implemented 69 Requested facility not implemented 70 Only restricted digital information bearer capability is una...

Страница 408: ...rotocol error unspecified Interworking Class 127 Interworking unspecified 2 PPP Numbers POINT TO POINT PROTOCOL FIELD ASSIGNMENTS PPP DLL PROTOCOL NUMBERS The Point to Point Protocol PPP Data Link Lay...

Страница 409: ...9 Serial Data Transport Protocol PPP SDTP 004b SNA over 802 2 004d SNA 004f Pv6 Header Compression 0051 KNX Bridging Data ianp 0053 Encryption Meyer 0055 Individual Link Encryption Meyer 0057 Internet...

Страница 410: ...rotocol 8029 Appletalk Control Protocol 802b Novell IPX Control Protocol 802d reserved 802f reserved 8031 Bridging NCP 8033 Stream Protocol Control Protocol 8035 Banyan Vines Control Protocol 8037 res...

Страница 411: ...rotocol RFC2125 c02d BAP RFC2125 c081 Container Control Protocol KEN c223 Challenge Handshake Authentication Protocol c225 RSA Authentication Protocol Narayana c227 Extensible Authentication Protocol...

Страница 412: ...onfigure Nak 4 Configure Reject 5 Terminate Request 6 Terminate Ack 7 Code Reject 8 Protocol Reject 9 Echo Request 10 Echo Reply 11 Discard Request 12 Identification 13 Time Remaining 14 Reset Request...

Страница 413: ...23 Link Discriminator for BACP RFC2125 24 LCP Authentication Option Culbert 25 Consistent Overhead Byte Stuffing COBS Carlson 26 Prefix elision Bormann 27 Multilink header format Bormann IPV6CP CONFIG...

Страница 414: ...ft PPC RFC2118 19 Gandalf FZA RFC1962 20 V 42bis compression RFC1962 21 BSD Compress RFC1977 22 unassigned 23 LZS DCP RFC1967 24 MVRCA Magnalink RFC1975 25 DCE RFC1976 26 Deflate RFC1979 27 254 unassi...

Страница 415: ...se RFC1994 Number Name 0 Reserved RFC1994 1 Reserved RFC1994 2 Reserved RFC1994 3 Reserved RFC1994 4 Reserved RFC1994 5 CHAP with MD5 RFC1994 128 MS CHAP Crocker PPP LCP FCS ALTERNATIVES The Point to...

Страница 416: ...on 1 Dialing string 2 Location identifier 3 E 164 number 4 X 500 distinguished name 5 unassigned 6 Location is determined during CBCP negotiation PPP IPCP CONFIGURATION OPTION TYPES The Point to Point...

Страница 417: ...S The Point to Point Protocol PPP OSI Network Layer Control Protocol OSINLCP specifies a number of Configuration Options RFC1377 which are distinguished by an 8 bit Type field These Types are assigned...

Страница 418: ...as follows Type MAC 0 Reserved 1 IEEE 802 3 Ethernet with cannonical addresses 2 IEEE 802 4 with cannonical addresses 3 IEEE 802 5 with non cannonical addresses 4 FDDI with non cannonical addresses 5...

Страница 419: ...Compressed IPX Fox 235 Shiva Compressed NCP IPX Fox IPX ROUTING PROTOCOL OPTIONS Value Protocol Reference 0 No routing protocol required RFC1552 1 RESERVED RFC1552 2 Novell RIP SAP required RFC1552 4...

Страница 420: ...tion 1 Identity RFC2284 2 Notification RFC2284 3 Nak Response only RFC2284 4 MD5 Challenge RFC2284 5 One Time Password OTP RFC2289 6 Generic Token Card RFC2284 7 8 9 RSA Public Key Authentication Whel...

Страница 421: ...ttytst source chargen 19 udp ttytst source ftp data 20 tcp ftp 21 tcp telnet 23 tcp smtp 25 tcp mail time 37 tcp timserver time 37 udp timserver rlp 39 udp resource resource location name 42 tcp name...

Страница 422: ...tpd ntp network time protocol nbname 137 udp nbdatagram 138 udp nbsession 139 tcp NeWS 144 tcp news sgmp 153 udp sgmp tcprepo 158 tcp repository PCMAIL snmp 161 udp snmp snmp trap 162 udp snmp print s...

Страница 423: ...udp acctslave2 706 udp acctdisk 707 udp kerberos 750 tcp kdc Kerberos authentication tcp kerberos 750 udp kdc Kerberos authentication udp kerberos_master 751 tcp Kerberos authentication kerberos_mast...

Страница 424: ...otocol version 6 IPv6 RFC1883 this field is called the Next Header field Assigned Internet Protocol Numbers Decimal Keyword Protocol References 0 HOPOPT IPv6 Hop by Hop Option RFC1883 1 ICMP Internet...

Страница 425: ...ol SAF3 35 IDPR Inter Domain Policy Routing Protocol MXS1 36 XTP XTP GXC 37 DDP Datagram Delivery Protocol WXC 38 IDPR CMTP IDPR Control Message Transport Proto MXS1 39 TP TP Transport Protocol DXF 40...

Страница 426: ...toring SHB 77 SUN ND SUN ND PROTOCOL Temporary WM3 78 WB MON WIDEBAND Monitoring SHB 79 WB EXPAK WIDEBAND EXPAK SHB 80 ISO IP ISO Internet Protocol MTR 81 VMTP VMTP DRC3 82 SECURE VMTP SECURE VMTP DRC...

Страница 427: ...nassigned IANA 255 Reserved IANA 5 System Error Code The system error codes can be displayed by using the CI commond sys log disp i For example ras sys log disp i 62 112 PP0a INTL call failed rnp 576d...

Страница 428: ...ROR netMakeChannDial err 3000 rn_p 576de0 Meaning remote node is connecting already rn_p refers remote node point it may change for different version and different remote node number Solution ask remo...

Страница 429: ...e0 Meaning remote node dial to you and wait you call back Solution do nothing it should be information 3020 Message PINI ERROR netMakeChannDial err 3020 rn_p 576de0 Meaning call dial fail Solution che...

Страница 430: ...tion do nothing if it happens once for a while check the line if keep receiving this message 3031 Message PINI ERROR netMakeChannDial err 3031 rn_p 586de0 Meaning can not dial due to no budget Solutio...

Страница 431: ...ng dial fail due to remote side is busy Solution wait until remote side is available 3039 Message PINI ERROR netMakeChannDial err 3039 rn_p 526de0 Meaning dial failed due to no carrier Solution check...

Страница 432: ...Meaning remote node is not L2TP enabled or supported Solution change remote side configuration enable L2TP if possible Other Error Codes 35 Message PINI ERROR LoopBack Test Fail 4 Meaning isdn loopbac...

Страница 433: ...t is not a problem 42 Message PP08 INFO CALL REJ ch 5ba788 CLID not matched Meaning CLID number is not match the remote node CLID INFO information log Solution change to correct CLID number 43 Message...

Страница 434: ...age 9f PNET WARN ppp MP late arrival seq x877 M x0 Meaning the receiver received a previous packet after it has received a late packet Solution it is not a problem 46 Message INFO addCallHistory Trans...

Отзывы:

Нет отзывов

Похожие инструкции для P-202H Plus v2

Бренд: 3Com Страницы: 48

Бренд: Ubiquiti Страницы: 40

Бренд: Patton electronics Страницы: 75

RocketLink-G 3088/I

Бренд: Patton electronics Страницы: 61

Бренд: Patton Страницы: 12

Бренд: Patton Страницы: 84

OnSite 3210 Series

Бренд: Patton Страницы: 110

Бренд: Patton electronics Страницы: 2

SMARTNODE 4110 Series

Бренд: Patton electronics Страницы: 78

Бренд: Patton electronics Страницы: 8

Бренд: Qlogic Страницы: 2

Бренд: Qlogic Страницы: 172

ADSL/ADSL2/ADSL2+ Router 660R-6xC Series

Бренд: ZyXEL Communications Страницы: 282

Бренд: Patton electronics Страницы: 12

Бренд: Lucent Technologies Страницы: 20

Бренд: Eneo Страницы: 68

Бренд: UfiSpace Страницы: 34

DL-DVI-Vision-IP Series

Бренд: G&D Страницы: 228

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды