P-660R-Tx v3 Series Support Notes
All contents copyright © 2008 ZyXEL Communications Corporation.
15. Can the P-660R-Tx v3's SUA (Simple IP) handle IPSec packets sent by the IPSec gateway?
Yes, the P-660R-Tx v3's SUA can handle IPSec ESP tunneling mode. When
packets go through SUA, SUA changes the source IP address and source port
for the host. To pass IPSec packets, SUA must understand the ESP packet with
protocol number 50 and replace the source IP address of the IPSec gateway
with the router's WAN IP address. However, SUA should not change the source
port of the UDP packets that are used for key management. Because the remote
gateway checks this source port during connections, the port must not be
changed.
16. How do I set up my P-660R-Tx v3 for routing IPSec packets over SUA?
For outgoing IPSec tunnels, no extra setting is required.
For forwarding the inbound IPSec ESP tunnel, a 'Default' server set is required.
You can configure it in the Web Configurator under Advanced Setup -> NAT -> DMZ.
Note: First we should set Number of IPs to Single for SUA use.
This is because SUA makes your LAN appear as a single machine to the outside
world; LAN users are invisible to outside users. To make an internal server
available for outside access, we must specify the service port and the LAN IP
of this server on the Web configuration page. SUA is then able to forward
incoming packets to the requested service behind SUA, and outside users access
the server using the P-660R-Tx v3's WAN IP address. So, we have to configure
the internal IPSec client as a default server (unspecified service port) when it
acts as a server gateway.
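The translation rules from questions 15 and 16 can be written out as a small model. This is an added example, not ZyXEL firmware code. The class and field names, the sample addresses, the NAT port pool, and the way return ESP traffic is matched to the remote gateway are all assumptions of the model; UDP port 500 is the standard IKE port.

```python
# Simplified model of SUA (many-to-one NAT) and IPSec; not ZyXEL firmware code.
# All addresses and the NAT port pool are constructed sample values.
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP, TCP = 50, 17, 6   # IP protocol numbers
IKE_PORT = 500              # UDP port used by IKE key management

@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # ESP carries no port fields
    dst_port: Optional[int] = None

class Sua:
    def __init__(self, wan_ip, default_server=None):
        self.wan_ip = wan_ip
        self.default_server = default_server  # LAN IP entered under NAT -> DMZ
        self.port_map = {}    # (proto, wan_port) -> (lan_ip, lan_port)
        self.esp_peers = {}   # remote gateway IP -> LAN host (model assumption)
        self.next_port = 10000

    def outbound(self, pkt):
        """Translate a LAN-to-WAN packet."""
        if pkt.proto == ESP:
            # Nothing to port-translate: only the source address is replaced.
            self.esp_peers[pkt.dst_ip] = pkt.src_ip
            return replace(pkt, src_ip=self.wan_ip)
        if pkt.proto == UDP and pkt.src_port == IKE_PORT:
            wan_port = IKE_PORT   # the remote gateway checks this port: keep it
        else:
            wan_port, self.next_port = self.next_port, self.next_port + 1
        self.port_map[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt):
        """Translate a WAN-to-LAN packet; None means SUA drops it."""
        if pkt.proto == ESP and pkt.src_ip in self.esp_peers:
            return replace(pkt, dst_ip=self.esp_peers[pkt.src_ip])
        hit = self.port_map.get((pkt.proto, pkt.dst_port))
        if hit:
            return replace(pkt, dst_ip=hit[0], dst_port=hit[1])
        if self.default_server:
            # No session and no service-port match: use the default server.
            return replace(pkt, dst_ip=self.default_server)
        return None
```

In this model the default server receives every inbound packet that matches no session or service port, not only IPSec traffic, which is what "unspecified service port" means for the host placed there.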