IPSec FAQ


VPN Overview

  1. What is VPN?
  2. Why do I need VPN?
  3. What are most common VPN protocols?
  4. What is PPTP?
  5. What is L2TP?
  6. What is IPSec?
  7. What secure protocols dose IPSec support?
  8. What are the differences between 'Transport mode' and 'Tunnel mode?
  9. What is SA?
  10. What is IKE?
  11. What is Pre-Shared Key?
  12. What are the differences between IKE and manual key VPN?
  13. What is Phase 1 ID for?
  14. What is FQDN? 
  15. When should I use FQDN?

P334ww VPN

  1. Does my P334ww support IPSec VPN?
  2. How do I configure P334w VPN?
  3. How many VPN connections does P334w support?
  4. What VPN protocols are supported by P334w VPN?
  5. What types of encryption does P334w VPN support?
  6. What types of authentication does P334w VPN support?
  7. I am planning my P334w-to-ZyWALL VPN configuration. What do I need to know?
  8. Does P334w VPN support NetBIOS broadcast?
  9. Why does VPN throughput decrease when staying in SMT menu 24.1?
  10. How do I configure P334w with NAT for internal servers?
  11. I am planning my P334w behind a NAT router. What do I need to know?
  12. Where can I configure Phase 1 ID in P334w?
  13. How to configure P334w V3.60 that supports FQDN so that it can  cooperate with ZyWALL V3.50 ?
  14. If I have NAT router between two VPN gateways, and I would like to use IP type as Phase 1 ID, what should I know?
  15. How can I keep a tunnel alive?
  16. Can the whole LAN behind P334w be protected by VPN/IPSec tunnel?
  17. Can P334w support IPSec passthrough?
  18. Can P334w behave as a NAT router supporting IPSec passthrough and an IPSec gateway simultaneously?

1. What is VPN?

A VPN gives users a secure link to access corporate network over the Internet or other public or private networks without the expense of lease lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

2. Why do I need VPN?

There are some reasons to use a VPN. The most common reasons are because of security and cost.

Security

1). Authentication

With authentication, VPN receiver can verify the source of packets and guarantee the data integrity.

2). Encryption

With encryption, VPN guarantees the confidentiality of the original user data.

Cost

1). Cut long distance phone charges

Because users typically dial the their local ISP for VPN, thus, long distance phone charge is reduced than making a long direct connection to the remote office.

2).Reducing number of access lines

Many companies pay monthly charges for two types access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its  Internet access lines, thus reducing the need for some installed lines.

3. What are most common VPN protocols?

There are currently three major tunneling protocols for VPNs. They are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec).

4. What is PPTP?

PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade.

5. What is L2TP?

Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.

6. What is IPSec?

IPSec is a set of IP extensions developed by IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv.4) and also the upcoming one (IPv.6). In addition, IPSec can protect any protocol that runs  on top of IP, for instance TCP, UDP, and ICMP. The IPSec provides cryptographic security services. These services allow for authentication, integrity, access control, and confidentiality. IPSec allows for the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution.

7. What secure protocols does IPSec support?

There are two protocols provided by IPSec, they are AH (Authentication Header, protocol number 51) and ESP (Encapsulated Security Payload, protocol number 50).

8. What are the differences between 'Transport mode' and 'Tunnel mode?

The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for security gateway to provide IPSec service for other machines lacking of IPSec capability.

In this case, Transport mode only protects the upper-layer protocols of IP payload (user data). Tunneling mode protects the entire IP payload including user data.

There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode and tunnel mode.

9. What is SA?

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms they will use.

10. What is IKE?

IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN.

There are two phases in every IKE negotiation- phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.

11. What is Pre-Shared Key?

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called 'Pre-shared' because you have to share it with another party before you can communicate with them over a secure connection.

12. What are the differences between IKE and manual key VPN?

The only difference between IKE and manual key is how the encryption keys and SPIs are determined.

IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly for the VPN connection.

13. What is Phase 1 ID for?

In IKE phase 1 negotiation, IP address of remote peer is treated as an indicator to decide which VPN rule must be used to serve the incoming request. However, in some application, remote VPN box or client software is using an IP address dynamically assigned from ISP, so P334w needs additional information to make the decision. Such additional information is what we call phase 1 ID. In the IKE payload, there are local and peer ID field to achieve this.

14. What is FQDN? 

FQDN(Fully Qualified Domain Name), IKE standard takes it as one type of Phase 1 ID. 

As we mentioned, Phase 1 ID is an identification for each VPN peer. The type of  Phase 1 ID may be IP/FQDN(DNS)/Ueser FQDN(E-mail). The content of Phase 1 ID depends on the Phase 1 ID type. The following is an example for how to configure phase 1 ID.

ID type Content
------------------------------------
IP 202.132.154.1
DNS www.zyxel.com
E-mail support@zyxel.com.tw

Please note that, in P334w, if "DNS" or "E-mail" type is chosen, you can still use a random string as the content, such as "this_is_p334w". It's not necessary to follow the format exactly. 

By default, P334w takes IP as phase 1 ID type for itself and it's remote peer. But if it's remote peer is using DNS or E-mail, you have to adjust the settings to pass phase 1 ID checking.

15. When should I use FQDN?

If your VPN connection is P334w to P334w/ZyWALL, and both of them have static IP address, and there is no NAT router in between, you can ignore this option. Just leave Local/Peer ID type as IP, then skip this option.

If either side of VPN tunneling end point is using dynamic IP address, you may need to configure ID for the one with dynamic IP address. And in this case, "Aggressive mode" is recommended to be applied in phase 1 negotiation .


1. Does my P334w support IPSec VPN? 

IPSec VPN is available for P334w since ZyNOS V3.60.

2. How do I configure P334w VPN?

You can configure P334w for VPN using SMT or Web configurator.

3. How many VPN connections does P334w support ?

P334w supports 2 tunnels.

4. What VPN protocols are supported by P334w ?

P334w supports ESP (protocol number 50) and AH (protocol number 51).

5. What types of encryption does P334w VPN support?

P334w supports 56-bit DES and 168-bit 3DES.

6. What types of authentication does P334w VPN support?

VPN vendors support a number of different authentication methods. P334w VPN supports both SHA1 and MD5.

AH provides authentication, integrity, and replay protection (but not confidentiality). Its main difference with ESP is that AH also secures parts of the IP header of the packet (like the source/destination addresses), but ESP does not.

ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity (these two go always together). Confidentiality
(encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality.

7. I am planning my P334w-to-ZyWALL VPN configuration. What do I need to know?

First of all, P334w is designed for Telecommutor and it works as a client side of the VPN.

If your P334w and ZyWALL support VPN, you can find the VPN options in Advanced>VPN tab.

For configuring a 'box-to-box VPN', there are some tips:

  1. If there is a NAT router running in the front of P334w, please make sure the NAT router supports to pass through IPSec.
  2. In NAT case (either run on the frond end router, or in P334w VPN box), only IPSec ESP tunneling mode is supported since NAT against AH mode.
  3. Source IP/Destination IP-- P334w only supports SINGLE for Local Addr Type in its VPN rules. Therefore, only one PC assigned in the Local IP Addr of VPN rule can be protected via VPN/IPSec. Remote IP Addr can be a Subnet, Range or single host.
  4. Secure Gateway IP Address -- This must be a public, routable IP address, private IP is not allowed. That means it can not be in the 10.x.x.x subnet, the 192.168.x.x subnet, nor in the range 172.16.0.0 - 172.31.255.255 (these address ranges are reserved by internet standard for private LAN numberings behind NAT devices). It is usually a static IP so that we can pre-configure it in P334w for making VPN connections. If it is a dynamic IP given by ISP, you still can configure this IP address after the remote P334w/ZyWALL is on-line and its WAN IP is available from ISP.

8. Does P334w VPN support NetBIOS broadcast?

Yes, P334w supports NetBIOS broadcast over IPSec VPN tunnel. Use CI command “ipsec config netbios active <yes|no>” in SMT menu 24.8 to enable/disable this function.

9. Why does VPN throughput decrease when staying in SMT menu 24.1?

If P334w stays in menu 24.1 and 24.8 a certain of memory is allocated to generate the required statistics.  So, we do not suggest to stay in menu 24.1 and 24.8 when VPN is in use.

10. How do I configure P334w with NAT for internal servers?

Generally, without IPSec, to configure an internal server for outside access, we need to configure the server private IP and its service port in SUA/NAT Server Table. 

However, if both NAT and IPSec is enabled in P334w, the edit of the table is necessary only if the connection is a non-secure connections. For secure connections, none SUA server settings are required since private IP is reachable in the VPN case.

For example:

host----P334w(NAT)----ADSL Modem----Internet----Secure host
                                                                                     \
                                                                                       \
                                                                                        Non-secure host

11. I am planning my P334w behind a NAT router. What do I need to know?

Some tips for this:

  1. The NAT router must support to pass through IPSec protocol. Only ESP tunnel mode is possible to work in NAT case. In the NAT router is P334w NAT router supporting IPSec pass through, default port and the P334w WAN IP must be configured in SUA/NAT Server Table.
  2. WAN IP of the NAT router is the tunneling endpoint for this case, not the WAN IP of P334w.
  3. If firewall is turned on in P334w, you must forward IKE port in Internet interface.
  4. If NAT are also enabled in P334w, NAT server is required for non-secure connections, NAT server is not required for secure connections and the physical private IP is used.

For example:

host----P334w----NAT Router----Internet----Secure host
                                                                      \
                                                                       \
                                                                        Non-secure host

12. Where can I configure Phase 1 ID in P334w?

Phase 1 ID can be configured in VPN setup menu as following. Note that you can make such configuration in either web configurator or SMT menu. 

13. How to configure P334w that supports so that it can cooperate with ZyWALL V3.50 ?

ZyWALL with firmware version V3.50 in prefix can only support phase 1 ID as IP type. And ID checking mechanism is actually bypassed. So to work smoothly, please apply IP type in P334w. The following is an example for your reference.

In this example, we presume that the network environment is as following,

P334w (V3.60) is using dynamic IP address, and it have DDNS to register it's current dynamic IP address. ZyWALL (V3.50) is using static IP adderss, and since it's peer's IP address is dynamic, so the secure gateway is configured in DDNS format.

Old ZyWALL (V3.50) P334w (V3.60)
My IP=212.125.177.2
Secure gateway Addr= p334w.dyndns.org
                                    (DDNS name of P334w)
 Local ID type = IP
 My IP = 0.0.0.0
 Peer ID type = IP
 Secure gateway Addr= 212.125.177.2

Old ZyWALL will use the "p334w.dyndns.org" to find the P334w's current WAN IP address. And then use it  for phase 1 ID content.

14.  If I have NAT router between two VPN gateways, and I would like to use IP type as Phase 1 ID, what should I know?

We presume your environment may look like this,

VPN client: 10.1.33.33
NAT router WAN IP: 202.132.154.2
P334w WAN: 202.132.154.3

Since the VPN client is behind a NAT router, it must have a private IP address in most case. This may cause the VPN client to send it's private IP address as the content of it's phase 1 ID. So you have to configure P334w's secure gateway's phase 1 ID as the private IP address of the VPN client. The configuration will be like this,

15. How can I keep a tunnel alive?

To keep a tunnel alive, you can check "keep alive" option when configuring your VPN tunnel. With this option, whenever phase 2 SA lifetime is due, IKE negotiation procedure will be invoked automatically even without traffic to make the connection stay.

But to reduce the consumption of system resource, if VPN tunnels get disconnected either manually, by idle timer, or because of power cycle, packet triggering is still necessary to make the tunnel up.

16. Can the whole LAN behind P334w be protected by VPN/IPSec tunnel?

No, it can't. P334w is designed for Telecommuter. Only one PC assigned in the Local IP Addr of VPN rule can be protected via VPN/IPSec.

17. Can P334w support IPSec passthrough?

Yes, P334w can support IPSec passthrough. P334w doesn't only support IPSec/VPN gateway, it can also be a NAT router supporting IPSec passthrough.

If the VPN connection is initiated from the security gateway behind P334w, no configuration is necessary for NAT nor Firewall.

If the VPN connection is initiated from the security gateway outside of P334w, NAT port forwarding and Firewall forwarding are necessary.  

To configure NAT port forwarding, please go to WEB interface, Setup/ "SUA/NAT", put the secure gateway's IP address in default server.

To configure Firewall forwarding, please go to WEB interface, Setup/Firewall, select Packet Direction to WAN to LAN, and create a firewall rule the forwards IKE(UDP:500).

18. Can P334w behave as a NAT router supporting IPSec passthrough and an IPSec gateway simultaneously ?

No, current P334w can't support them simultaneously. You need to choose either one. If P334w is to support IPSec passthrough, you have to disable the VPN function on P334w. To disable it, you can either deactivate each VPN rule or issue a CI command, "ipsec switch off" from SMT menu 24.8. You can get into SMT menu via either telnet or console connection. P334w may support both of them in the future, please refer to the release note.