IPSec FAQ

IPSec FAQ

VPN Overview

What is VPN?
Why do I need VPN?
What are most common VPN protocols?
What is PPTP?
What is L2TP?
What is IPSec?
What secure protocols dose IPSec support?
What are the differences between 'Transport mode' and 'Tunnel mode?
What is SA?
What is IKE?
What is Pre-Shared Key?
What are the differences between IKE and manual key VPN?
What is Phase 1 ID for?
What is FQDN?
When should I use FQDN?

ZyWALL VPN

Is my ZyWALL ready for IPSec VPN?
How do I configure ZyWALL VPN?
How many VPN connections does ZyWALL support?
What VPN protocols are supported by ZyWALL VPN?
What types of encryption does ZyWALL VPN support?
What types of authentication does ZyWALL VPN support?
I am planning my ZyWALL-to-ZyWALL VPN configuration. What do I need to know?
Does ZyWALL support dynamic secure gateway IP?
What VPN gateway that has been tested with ZyWALL successfully?
What VPN software that has been tested with ZyWALL successfully?
Will ZyXEL support Secure Remote Management?
Does ZyWALL VPN support NetBIOS broadcast?
What are the difference between 'My IP Address' and 'Secure Gateway IP Address' in Menu 27.1.1?
Is the host behind NAT allowed to use IPSec?
Why does VPN throughput decrease when staying in SMT menu 24.1?
How do I configure ZyWALL with NAT for internal servers?
I am planning my ZyWALL behind a NAT router. What do I need to know?
Where can I configure Phase 1 ID in ZyWALL?
How to configure ZyWALL V3.52 that supports FQDN so that it can cooperate with ZyWALL V3.50 ?
If I have NAT router between two VPN gateways, and I would like to use IP type as Phase 1 ID, what should I know?
Since which firmware version does ZyWALL support configuration of phase 1 ID?
How can I keep a tunnel alive?
Single, Range, Subnet, which types of IP address do ZyWALL 10/10II/10W/50/100 support in VPN/IPSec?
Can ZyWALL support IPSec passthrough?
Can ZyWALL behave as a NAT router supporting IPSec passthrough and an IPSec gateway simultaneously?

A VPN gives users a secure link to access corporate network over the Internet or other public or private networks without the expense of lease lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

2. Why do I need VPN?

There are some reasons to use a VPN. The most common reasons are because of security and cost.

Security

1). Authentication

With authentication, VPN receiver can verify the source of packets and guarantee the data integrity.

2). Encryption

With encryption, VPN guarantees the confidentiality of the original user data.

Cost

1). Cut long distance phone charges

Because users typically dial the their local ISP for VPN, thus, long distance phone charge is reduced than making a long direct connection to the remote office.

2).Reducing number of access lines

Many companies pay monthly charges for two types access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines.

3. What are most common VPN protocols?

There are currently three major tunneling protocols for VPNs. They are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec).

4. What is PPTP?

PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade.

5. What is L2TP?

Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.

6. What is IPSec?

IPSec is a set of IP extensions developed by IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv.4) and also the upcoming one (IPv.6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP, and ICMP. The IPSec provides cryptographic security services. These services allow for authentication, integrity, access control, and confidentiality. IPSec allows for the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution.

7. What secure protocols does IPSec support?

There are two protocols provided by IPSec, they are AH (Authentication Header, protocol number 51) and ESP (Encapsulated Security Payload, protocol number 50).

8. What are the differences between 'Transport mode' and 'Tunnel mode?

The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for security gateway to provide IPSec service for other machines lacking of IPSec capability.

In this case, Transport mode only protects the upper-layer protocols of IP payload (user data). Tunneling mode protects the entire IP payload including user data.

There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode and tunnel mode.

9. What is SA?

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms they will use.

10. What is IKE?

IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN.

There are two phases in every IKE negotiation- phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.

11. What is Pre-Shared Key?

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called 'Pre-shared' because you have to share it with another party before you can communicate with them over a secure connection.

12. What are the differences between IKE and manual key VPN?

The only difference between IKE and manual key is how the encryption keys and SPIs are determined.

For IKE VPN, the key and SPIs are negotiated from one VPN gateway to the other. Afterward, two VPN gateways use this negotiated keys and SPIs to send packets between two networks.
For manual key VPN, the encryption key, authentication key (if needed), and SPIs are predetermined by the administrator when configuring the security association.

IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly for the VPN connection.

13. What is Phase 1 ID for?

In IKE phase 1 negotiation, IP address of remote peer is treated as an indicator to decide which VPN rule must be used to serve the incoming request. However, in some application, remote VPN box or client software is using an IP address dynamically assigned from ISP, so ZyWALL needs additional information to make the decision. Such additional information is what we call phase 1 ID. In the IKE payload, there are local and peer ID field to achieve this.

14. What is FQDN?

FQDN(Fully Qualified Domain Name), IKE standard takes it as one type of Phase 1 ID.

As we mentioned, Phase 1 ID is an identification for each VPN peer. The type of Phase 1 ID may be IP/FQDN(DNS)/Ueser FQDN(E-mail). The content of Phase 1 ID depends on the Phase 1 ID type. The following is an example for how to configure phase 1 ID.

ID type Content
------------------------------------
IP 202.132.154.1
DNS www.zyxel.com
E-mail support@zyxel.com.tw

Please note that, in ZyWALL, if "DNS" or "E-mail" type is choosen, you can still use a random string as the content, such as "this_is_zywall". It's not neccessary to follow the format exactly.

By default, ZyWALL takes IP as phase 1 ID type for itself and it's remote peer. But if it's remote peer is using DNS or E-mail, you have to ajust the settings to pass phase 1 ID checking.

15. When should I use FQDN?

If yoour VPN connection is ZyWALL to ZyWALL, and both of them have static IP address, and there is no NAT router in between, you can ignore this option. Just leave Local/Peer ID type as IP, then skip this option.

If either side of VPN tunneling end point is using dynamic IP address, you may need to configure ID for the one with dynamic IP address. And in this case, "Aggressive mode" is recommended to be applied in phase 1 negotiation .

1. Is my ZyWALL ready for IPSec VPN?

IPSec VPN is available for ZyWALL since ZyNOS V3.50. It is free upgrade, no registration is needed.

By upgrading the firmware and also configurations (romfile) to ZyNOS V3.50, the IPSec VPN capability is ready in your ZyWALL. You then can configure VPN via web configurator. Please download the firmware from our web site.

NOTE: For updating from ZyNOS V3.2x to V3.5x, please use console or TFTP update. This is because the memory allocation difference between these two versions.

2. How do I configure ZyWALL VPN?

You can configure ZyWALL for VPN using SMT or Web configurator. ZyWALL 1 supports Web only.

3. How many VPN connections does ZyWALL support?

ZyWALL 1 supports 1 VPN connection. ZyWALL 10 supports 10 VPN connections. ZyWALL 50 supports 50 tunnels. ZyWALL 100 supports 100 tunnels.

4. What VPN protocols are supported by ZyWALL?

All ZyWALL series support ESP (protocol number 50) and AH (protocol number 51).

5. What types of encryption does ZyWALL VPN support?

ZyWALL supports 56-bit DES and 168-bit 3DES.

6. What types of authentication does ZyWALL VPN support?

VPN vendors support a number of different authentication methods. ZyWALL VPN supports both SHA1 and MD5.

AH provides authentication, integrity, and replay protection (but not confidentiality). Its main difference with ESP is that AH also secures parts of the IP header of the packet (like the source/destination addresses), but ESP does not.

ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity (these two go always together). Confidentiality
(encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality.

7. I am planning my ZyWALL-to-ZyWALL VPN configuration. What do I need to know?

First of all, both ZyWALL must have VPN capabilities. Please check the firmware version, V3.50 or later has the VPN capability.

If your ZyWALL is capable of VPN, you can find the VPN options in Advanced>VPN tab.

For configuring a 'box-to-box VPN', there are some tips:

If there is a NAT router running in the front of ZyWALL, please make sure the NAT router supports to pass through IPSec.
In NAT case (either run on the frond end router, or in ZyWALL VPN box), only IPSec ESP tunneling mode is supported since NAT againsts AH mode.
Source IP/Destination IP-- Please do not number the LANs (local and remote) using the same exact range of private IP addresses. This will make VPN destination addresses and the local LAN addresses are indistinguishable, and VPN will not work.
Secure Gateway IP Address -- This must be a public, routable IP address, private IP is not allowed. That means it can not be in the 10.x.x.x subnet, the 192.168.x.x subnet, nor in the range 172.16.0.0 - 172.31.255.255 (these address ranges are reserved by internet standard for private LAN numberings behind NAT devices). It is usually a static IP so that we can pre-configure it in ZyWALL for making VPN connections. If it is a dynamic IP given by ISP, you still can configure this IP address after the remote ZyWALL is on-line and its WAN IP is available from ISP.

8. Does ZyWALL support dynamic secure gateway IP?

If the remote VPN gateways uses dynamic IP, we enter 0.0.0.0 as the Secure Gateway IP Address in ZyWALL. In this case, the VPN connection can only be initiated from dynamic side to fixed side in order to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, it is no way to establish VPN connection at all.

9. What VPN gateway that has been tested with ZyWALL successfully?

We have tested ZyWALL successfully with the following third party VPN gateways.

Cisco 1720 Router, IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES
NetScreen 5, ScreenOS 2.6.0r6
SonicWALL SOHO 2
WatchGuard Firebox II
ZyXEL ZyWALL 100
Avaya VPN
Netopia VPN
III VPN

10. What VPN software that has been tested with ZyWALL successfully?

We have tested ZyWALL successfully with the following third party VPN software.

SafeNet Soft-PK, 3DES edition
Checkpoint Software
SSH Sentinel, 1.4
SecGo IPSec for Windows
F-Secure IPSec for Windows
KAME IPSec for UNIX
Nortel IPSec for UNIX
Intel VPN, v. 6.90
FreeS/WAN for Linux
SSH Remote ISAKMP Testing Page, (http://isakmp-test.ssh.fi/cgi-bin/nph-isakmp-test)
Windows 2000, IPSec

11.Will ZyXEL support Secure Remote Management?

Yes, we will support it and we are working on it currently.

12. Does ZyWALL VPN support NetBIOS broadcast?

The current 3.50 firmware release does not support it. But it is in our wish list.

13. What are the difference between the 'My IP Address' and 'Secure Gateway IP Address' in Menu 27.1.1?

'My IP Adderss' is the Internet IP address of the local ZyWALL. The 'Secure Gateway IP Address' is the Internet IP address of the remote IPSec gateway.

14. Is the host behind NAT allowed to use IPSec?

NAT Condition	Supported IPSec Protocol
VPN Gateway embedded NAT	AH tunnel mode, ESP tunnel mode
VPN client/gateway behind NAT^*	ESP tunnel mode
NAT in Transport mode	None

* The NAT router must support IPSec pass through. For example, for ZyWALL SUA/NAT routers, IPSec pass through is supported since ZyNOS 3.21. The default port and the client IP have to be specified in menu 15-SUA Server Setup.

15. Why does VPN throughput decrease when staying in SMT menu 24.1?

If ZyWALL stays in menu 24.1, 24.8 and 27.3 a certain of memory is allocated to generate the required statistics. So, we do not suggest to stay in menu 24.1, 27.3 and 24.8 when VPN is in use.

16. How do I configure ZyWALL with NAT for internal servers?

Generally, without IPSec, to configure an internal server for outside access, we need to configure the server private IP and its service port in SUA/NAT Server Table.

However, if both NAT and IPSec is enabled in ZyWALL, the edit of the table is necessary only if the connection is a non-secure connections. For secure connections, none SUA server settings are required since private IP is reachable in the VPN case.

For example:

host----ZyWALL(NAT)----ADSL Modem----Internet----Secure host
                                                                                     \
                                                                                       \
                                                                                        Non-secure host

17. I am planning my ZyWALL behind a NAT router. What do I need to know?

Some tips for this:

The NAT router must support to pass through IPSec protocol. Only ESP tunnel mode is possible to work in NAT case. In the NAT router is ZyWALL NAT router supporting IPSec pass through, default port and the ZyWALL WAN IP must be configured in SUA/NAT Server Table.
WAN IP of the NAT router is the tunneling endpoint for this case, not the WAN IP of ZyWALL.
If firewall is turned on in ZyWALL, you must forward IKE port in Internet interface.
If NAT are also enabled in ZyWALL, NAT server is required for non-secure connections, NAT server is not required for secure connections and the phyical private IP is used.

For example:

host----ZyWALL----NAT Router----Internet----Secure host
                                                                      \
                                                                       \
                                                                        Non-secure host

18. Where can I configure Phase 1 ID in ZyWALL?

Phase 1 ID can be configured in VPN setup menu as following. Note that you can make such configuration in either web configurator or SMT menu.

19. How to configure ZyWALL V3.52 that supports so that it can cooperate with ZyWALL V3.50 ?

ZyWALL with firmware version V3.50 in prefix can only support phase 1 ID as IP type. And ID checking mechanism is actually bypassed. So to work smoothly, please apply IP type in new ZyWALL. The following is an example for your reference.

In this example, we presume that the network environment is as following,

ZyWALL (V3.52) is using dynamic IP address, and it have DDNS to register it's current dynamic IP address.ZyWALL (V3.50) is using static IP adderss, and since it's peer's IP address is dynamic, so the secure gateway is configured in DDNS format.

Old ZyWALL (V3.50)	New ZyWALL (V3.52)
My IP=212.125.177.2 Secure gateway Addr= newzw.dyndns.org (DDNS name of New ZyWALL)	Local ID type = IP My IP = 0.0.0.0 Peer ID type = IP Secure gateway Addr= 212.125.177.2

ZyWALL will use the "newzw.dyndns.org" to find the New ZyWALL's current WAN IP address. And then use it for phase 1 ID content.

20. If I have NAT router between two VPN gateways, and I would like to use IP type as Phase 1 ID, what should I know?

We presume your environment may look like this,

VPN client: 10.1.33.33
NAT router WAN IP: 202.132.154.2
ZyWALL WAN: 202.132.154.3

Since the VPN client is behind a NAT router, it must have a private IP address in most case. This may cause the VPN client to send it's private IP address as the content of it's phase 1 ID. So you have to configure ZyWALL's secure gateway's phase 1 ID as the private IP address of the VPN client.

21. Since which firmware version does ZyWALL support configuration of phase 1 ID?

ZyWALL can support configuration of phase 1 ID since V3.52.

22. How can I keep a tunnel alive?

To keep a tunnel alive, you can check "keep alive" option when configuring your VPN tunnel. With this option, whenever phase 2 SA lifetime is due, IKE negotiation procedure will be invoked automatically even without traffic to make the connection stay.

But to reduce the consumption of system resource, if VPN tunnels get disconnected either manually, by idle timer, or because of power cycle, packet triggering is still necessary to make the tunnel up.

23. Single, Range, Subnet, which types of IP address do ZyWALL 10/10II/10W/50/100 support in VPN/IPSec?

The mentioned ZyWALL series support all of the types. In other words, you can specify a single PC, a range of PCs or even a network of PCs to utilize the VPN/IPSec service.

24. Can ZyWALL support IPSec passthrough?

Yes, ZyWALL can support IPSec passthrough. ZyWALL series don't only support IPSec/VPN gateway, it can also be a NAT router supporting IPSec passthrough.

If the VPN connection is initiated from the security gateway behind ZyWALL, no configuration is necessary for NAT nor Firewall.

If the VPN connection is initiated from the security gateway outside of ZyWALL, NAT port forwarding and Firewall forwarding are necessary.

To configure NAT port forwarding, please go to WEB interface, Setup/ "SUA/NAT", put the secure gateway's IP address in default server.

To configure Firewall forwarding, please go to WEB interface, Setup/Firewall, select Packet Direction to WAN to LAN, and create a firewall rule the forwards IKE(UDP:500).

25. Can ZyWALL behave as a NAT router supporting IPSec passthrough and an IPSec gateway simultaneously?

No, ZyWALL can't support them simultaneously. You need to choose either one. If ZyWALL is to support IPSec passthrough, you have to disable the VPN function on ZyWALL. To disable it, you can either deactivate each VPN rule or issue a CI command, "ipsec switch off" from SMT menu 24.8. You can get into SMT menu via either telnet or console connection.