[. . . ]
ZyWALL 2WG
Internet Security Appliance
User's Guide
Version 4.02, 1/2007, Edition 1
www.zyxel.com
About This User's Guide
Intended Audience
This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Related Documentation
· Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
[. . . ]
This field displays one or a range of IP address(es) of the remote network behind the remote IPsec router.
14.9 Dialing the VPN Tunnel via Web Configurator
To test whether the IPSec routers can build the VPN tunnel, click the dial ( ) icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel. If you find a disconnect ( ) icon next to the rule you just created in the VPN Rules (IKE) screen, the ZyWALL automatically built the VPN tunnel. Go to the SA Monitor screen to view a list of connected VPN tunnels. See Section 14.15 on page 289 for more information.
280
ZyWALL 2WG User's Guide
Chapter 14 IPSec VPN
Figure 154 VPN Rule Configured
The following screen displays.
Figure 155 VPN Dial
This screen displays later if the IPSec routers can build the VPN tunnel.
Figure 156 VPN Tunnel Established
14.10 VPN Troubleshooting
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.
14.10.1 VPN Log
The system log can often help to identify a configuration problem. Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends, clear the log and then build the tunnel. View the log via the web configurator LOGS View Log screen or type sys log disp from SMT Menu 24.8. See Section 25.5 on page 434 for information on the log messages.
Figure 157 VPN Log Example
ras> sys log disp ike ipsec
#  |time                |source  |destination |notes |message
0  |01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3     |IKE   |Rule [ex-1] Tunnel built successfully
1  |01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3     |IKE   |The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
2  |01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3     |IKE   |Send:[HASH]
3  |01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3     |IKE   |The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
4  |01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3     |IKE   |Adjust TCP MSS to 1398
5  |01/11/2001 18:47:22 |5.1.2.3 |5.6.7.8     |IKE   |Recv:[HASH][SA][NONCE][ID][ID]
6  |01/11/2001 18:47:22 |5.1.2.3 |5.6.7.8     |IKE   |The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
7  |01/11/2001 18:47:21 |5.6.7.8 |5.1.2.3     |IKE   |IKE Packet Retransmit
8  |01/11/2001 18:47:21 |5.6.7.8 |5.1.2.3     |IKE   |The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
9  |01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3     |IKE   |Send:[HASH][SA][NONCE][ID][ID]
10 |01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3     |IKE   |The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
11 |01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3     |IKE   |Start Phase 2: Quick Mode
12 |01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3     |IKE   |The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
13 |01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3     |IKE   |Phase 1 IKE SA process done
14 |01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3     |IKE   |The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
15 |01/11/2001 18:47:17 |5.1.2.3 |5.6.7.8     |IKE   |Recv:[ID][HASH][NOTFY:INIT_CONTACT]9C3F7DCA
16 |01/11/2001 18:47:17 |5.1.2.3 |5.6.7.8     |IKE   |The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
17 |01/11/2001 18:47:15 |5.6.7.8 |5.1.2.3     |IKE   |Send:[ID][HASH][NOTFY:INIT_CONTACT]9C3F7DCA
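To read a Figure 157 style listing without walking it row by row, here is an added Python example (not code from the ZyWALL guide or from ZyXEL) that parses rows in that "|"-separated column layout, orders them oldest-first and reports which IKE stage the negotiation reached. The sample rows are constructed from the figure's values, and the row regex and the message strings it matches are assumptions taken from the figure.

```python
import re
from datetime import datetime

# Constructed sample rows in the "sys log disp ike ipsec" column layout of
# Figure 157 (#, time, source, destination, notes, message), newest first as
# the ZyWALL prints them. Addresses are the figure's example values.
SAMPLE_LOG = """\
0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE |Rule [ex-1] Tunnel built successfully
7|01/11/2001 18:47:21 |5.6.7.8 |5.1.2.3 |IKE |IKE Packet Retransmit
11|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE |Start Phase 2: Quick Mode
13|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE |Phase 1 IKE SA process done
17|01/11/2001 18:47:15 |5.6.7.8 |5.1.2.3 |IKE |Send:[ID][HASH][NOTFY:INIT_CONTACT]
"""

# Assumed row layout: index|time |source |destination |notes |message
ROW = re.compile(r"^(\d+)\|(\S+ \S+) \|(\S+) \|(\S+) \|(\w+) \|(.*)$")

def parse_log(text):
    """Parse log rows into dicts, oldest first (a lower index is a newer entry)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt line, column header or a row we cannot parse
        idx, ts, src, dst, notes, msg = m.groups()
        rows.append({"index": int(idx), "src": src, "dst": dst, "notes": notes,
                     "time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
                     "msg": msg.strip()})
    return sorted(rows, key=lambda r: r["index"], reverse=True)

def diagnose(rows):
    """Report how far IKE got, which tells you which settings to compare first."""
    msgs = [r["msg"] for r in rows]
    result = {
        "phase1_done": any(m.startswith("Phase 1 IKE SA process done") for m in msgs),
        "phase2_started": any(m.startswith("Start Phase 2") for m in msgs),
        "tunnel_built": any("Tunnel built successfully" in m for m in msgs),
        "retransmits": msgs.count("IKE Packet Retransmit"),  # peer did not answer
        "seconds": (rows[-1]["time"] - rows[0]["time"]).total_seconds() if rows else 0.0,
    }
    if result["tunnel_built"]:
        result["stage"] = "built"
    elif result["phase2_started"]:
        result["stage"] = "stalled in Phase 2 (Quick Mode)"
    elif result["phase1_done"]:
        result["stage"] = "Phase 1 done, Phase 2 never started"
    else:
        result["stage"] = "stalled in Phase 1"
    return result
```

A log that never reaches "Phase 1 IKE SA process done" points at the Phase 1 settings (pre-shared key, ID type and content, proposal) on one of the two routers; one that stalls after "Start Phase 2" points at the Phase 2 proposal and the local and remote network settings.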
14.11 IPSec Debug
If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (in the commands).
If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information. Type ipsec debug level 0 and press [ENTER] to stop it.
Figure 158 IKE/IPSec Debug Example
ras> ipsec debug
type level display
ras> ipsec debug type
<0:Disable | 1:Original on|off | 2:IKE on|off | 3: IPSec [SPI]|on|off | 4:XAUTH on|off | 5:CERT on|off | 6: All>
ras> ipsec debug level
<0:None | 1:User | 2:Low | 3:High>
ras> ipsec debug type 1 on
ras> ipsec debug type 2 on
ras> ipsec debug level 3
ras> ipsec dial 1
get_ipsec_sa_by_policyIndex(): Start dialing for tunnel <rule# 1>...
ikeStartNegotiate(): saIndex<0> peerIp<5.1.2.3> protocol: <IPSEC_ESP>(3)
peer Ip <5.1.2.3>
initiator(): type<IPSEC_ESP>, exch<Main>
initiator : protocol: IPSEC_ESP, exchange mode: Main mode
find ipsec sa
Not found
Not found
isadb_is_outstanding_req(): isakmp is outstanding req : SA not found
isadb_create_entry(): >> INITIATOR
isadb_get_entry_by_addr(): Get IKE entry by address: SA not found
find_ipsec_sa():
SA not found
ISAKMP SA created for peer <BRANCH> size<900>
ISAKMP SA built,
ISAKMP SA created for peer <BRANCH> size<900>
ikePeer.s0
ISAKMP SA built, index = 0
isadb_create_entry(): done
create IKE entry done
initiator(): find myIpAddr = 0.0.0.0, use <5.6.7.8>
r
14.12 IPSec SA Using Manual Keys
You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not establish an IKE SA. As a result, an IPSec SA using manual keys has some characteristics of IKE SA and some characteristics of IPSec SA. There are also some differences between IPSec SA using manual keys and other types of SA.
14.12.1 IPSec SA Proposal Using Manual Keys
In IPSec SA using manual keys, you can only specify one encryption algorithm and one authentication algorithm. There is no DH key exchange, so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use.
The ZyWALL and remote IPSec router must use the same encryption key and authentication key.
14.12.2 Authentication and the Security Parameter Index (SPI)
For authentication, the ZyWALL and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number.
The ZyWALL and remote IPSec router must use the same SPI.
14.13 VPN Rules (Manual)
Refer to Figure 143 on page 259 for a graphical representation of the fields in the web configurator. Click SECURITY > VPN > VPN Rules (Manual) to open the VPN Rules (Manual) screen. Use this screen to manage the ZyWALL's list of VPN rules (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management.
Figure 159 SECURITY > VPN > VPN Rules (Manual)
The following table describes the labels in this screen.
Table 87 SECURITY > VPN > VPN Rules (Manual)
LABEL          DESCRIPTION
#              This is the VPN policy index number.
Name           This field displays the identification name for this VPN policy.
Active         This field displays whether the VPN policy is active or not.
Local Network
[. . . ]
Max Age 127
Index
O
one minute high 223
one minute low 223
online services center 107
outgoing protocol filter 501
P
packet filtering 566
Pairwise Master Key (PMK) 684, 685
PAP 488, 494, 524
parity 469
password 55, 452, 470
path cost 126
Perfect Forward Secrecy. PFS 274
  Diffie-Hellman key group 274
PIN code 155
PIN number 109
PIN. see Personal Identification Number 155
ping 584
Point-to-Point Protocol over Ethernet 146
Point-to-Point Protocol over Ethernet. See PPPoE
Point-to-Point Tunneling Protocol. [. . . ]