P-202H Plus v2 Support Notes
P-202H Plus v2 ISDN Internet Access Router Support Notes
Version 3.40, June 2006
All contents copyright © 2006 ZyXEL Communications Corporation.
FAQ
ZyNOS FAQ
1. What is ZyNOS?
2. How do I access the P-202H Plus v2 SMT menu?
15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European firmware)?
16. Does P-202H Plus v2 support MP callback to dial-in users?
17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting?
2. Why do I need VPN?
3. What are the most common VPN protocols?
4. What is PPTP?
5. What is L2TP?
6. What is IPSec?
12. How can I verify if the VPN connection is up in Sentinel?
13. I am using EnterNet 300, a PPPoE dial-up software. Any concern?
Application Notes
General Application Notes
1. Internet Access
FAQ
ZyNOS FAQ
1. What is ZyNOS?
ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all P-202H Plus v2 routers that delivers network services and applications. It is designed in a modular fashion so that it is easy for developers to add new features. New ZyNOS software upgrades can be downloaded from our FTP sites as they become available.
The procedure for uploading via console is as follows.
a. Enter debug mode when powering on the P-202H Plus v2, using a terminal emulator.
b. Enter 'ATUR' to start the upload.
c. Use the X-modem protocol to transfer the ZyNOS code.
d. Enter 'ATGO' to restart the P-202H Plus v2.
6. How do I upgrade/backup the ZyNOS firmware by using a TFTP client program via LAN?
The P-202H Plus v2 allows you to transfer the firmware from/to the P-202H Plus v2 by using a TFTP program via LAN. TFTP carries no authentication or encryption of its own, so run the transfer from a trusted LAN host only and keep the router's TFTP service unreachable from the WAN.
b. To back up the SMT configuration, use a TFTP client program to get the file 'rom-0' from the P-202H Plus v2.
c. To restore the SMT configuration, use the TFTP client program to put your configuration into the file 'rom-0' on the P-202H Plus v2.
Note that 'rom-0' is the complete SMT configuration, including the system password and the remote node and dial-in user credentials, so protect backup copies as carefully as the router itself.
9. What should I do if I forget the system password?
In case you forget the system password, you can upload ROMFILE to reset the SMT to factory default. After uploading ROMFILE, the default system password is '1234'; change it before the router is reachable from the Internet again.
allows a network to rectify the illegal address problem mentioned above without going through each and every host. The aim of ZyXEL's SUA is to minimize the Internet access cost in a small office environment by using a single IP address to represent the multiple hosts inside. It does more than IP address translation: it also enables hosts on the LAN to access the Internet at the same time.
• Deny packets from the outside that claim to be from the inside
• Allow everything that is not spoofing us
Filter rule setup:
• Filter Type = TCP/IP Filter Rule
• Active = Yes
• Source IP Addr = a.b.c.d
• Source IP Mask = w.x.y.z
• Action Matched = Drop
• Action Not Matched = Forward
Apply the set as an input protocol filter on the WAN remote node (Menu 11.5), so that it examines only traffic arriving from the outside; applied to the LAN interface it would drop your own hosts' traffic. Where a.b.c.d is an IP address on your local network and w.x.y.
How do I set a DNS server other than the P-202H Plus v2 IP address?
If the DHCP server function is enabled, the P-202H Plus v2 hands out the values entered in the Primary DNS Server and Secondary DNS Server fields of Menu 3.2 in its responses to DHCP requests on the local network.
17. What is a Nailed-up Connection and when do I need to use it?
A Nailed-up Connection, when enabled, emulates a leased line connection even though the physical line is a dial-up connection.
Product FAQ
1. How do I collect an EPA trace? Moreover, how do I read it?
• Enable the trace in Menu 24.8 with the following CI command: isdn fw ana on
• Make a call to the remote node or ISP with: dev dial N (N is the remote node number)
• Drop the call with: dev channel drop bri0|bri1 (bri0 for the B1 channel, bri1 for the B2 channel)
• Display the trace with: isdn fw ana off, followed by isdn fw ana disp
2. Can I prevent the dial-in user from occupying two channels?
Yes.
Call Transfer
Call Forwarding
Reminder Ring
Terminal Portability (Suspend/Resume)
Most supplementary services are not free; please check with your telephone company for the services they offer.
5. How do I do call waiting/call hold/call retrieve?
• Put your current call on hold and answer the incoming call: after hearing the call waiting tone, press and immediately release the Flash button on your telephone.
If you hang up your telephone during a three-way call and the two other callers remain on the line, the ISDN network will do an implicit transfer to directly connect the two remaining callers together.
9. How do I do call transfer?
Call Transfer allows you to transfer an active call to a third party. This service must be subscribed from your telephone company.
Unconditional)
*22*forward-number#   Activate CFNR (Call Forwarding No Reply)
#20#                  Deactivate CFB
#21#                  Deactivate CFU
#22#                  Deactivate CFNR
12. How do I suspend/resume a phone call (terminal portability)?
The Terminal Portability service allows you to suspend a phone call temporarily. You can then resume this call later, at another location if you so wish.
To suspend an active phone call:
• Press the flash key twice.
• Dial *3n*#, where n is any number from 1 to 9.
calling party number or not when the switch sends the SETUP message to the called party. You need to subscribe to it first (see supplementary services).
16. Does P-202H Plus v2 support MP callback to dial-in users?
No, the P-202H Plus v2 only supports single link PPP to dial-in users.
17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting?
Yes. For the details of the settings please refer to the Tested SUA Applications page.
Firewall FAQ
General
1. What is a network firewall?
A firewall is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of as two mechanisms: one to block traffic, and the other to permit traffic.
Inspection firewalls generally provide the best speed and transparency; however, they may lack the granular application-level access control or caching that some proxies support.
4. What kind of firewall is the P-202H Plus v2?
1. The P-202H Plus v2's firewall inspects packet contents as well as IP headers. It is applicable to all protocols and understands that the data in the packet is intended for higher layers, from the network layer up to the application layer.
3. Brute-force attacks that flood a network with useless data, such as the Smurf attack.
4. IP Spoofing
7. What is a Ping of Death attack?
Ping of Death uses a 'PING' utility to create an IP datagram that, once reassembled from its fragments, exceeds the maximum length of 65535 bytes allowed by the IP specification. The oversize packet is sent to an unsuspecting system. Systems may crash, hang, or reboot when they try to reassemble it.
8. What is a Teardrop attack?
A Teardrop attack exploits a weakness in the reassembly of IP packet fragments: it sends fragments whose offsets overlap, so that a careless reassembly routine miscalculates how many bytes to copy.
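The two fragment checks described above (oversize reassembly for Ping of Death, overlapping offsets for Teardrop) are the kind of test a stateful inspection firewall applies before it ever hands a datagram to the IP stack. The following is an added example, not code from the ZyXEL notes or from ZyNOS: it groups constructed fragment records by IP Identification and reports both conditions. It assumes that the payload limit is 65535 minus a minimal 20-byte IP header; the fragment records are constructed for this example.

```python
# Added example (not from the ZyXEL support notes): sanity checks on IP
# fragments of the kind a stateful inspection firewall applies to catch
# Ping of Death (oversize reassembly) and Teardrop (overlapping fragments).
# The input records below are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List

IP_MAX_TOTAL_LENGTH = 65535          # 16-bit Total Length field of the IP header
IP_MIN_HEADER_LENGTH = 20
# Assumption: payload bytes are counted after a minimal IP header, so a
# reassembled datagram is oversize when its payload exceeds this value.
IP_MAX_PAYLOAD = IP_MAX_TOTAL_LENGTH - IP_MIN_HEADER_LENGTH


@dataclass(frozen=True)
class Fragment:
    ident: int        # IP Identification field, shared by all fragments of one datagram
    offset: int       # Fragment Offset field, in units of 8 bytes
    length: int       # payload bytes carried by this fragment


def inspect_fragments(frags: List[Fragment]) -> Dict[int, List[str]]:
    """Group fragments by identification and report, per datagram, the findings
    'oversize' (Ping of Death) and/or 'overlap' (Teardrop). An empty list means
    the fragments of that datagram looked sane."""
    groups: Dict[int, List[Fragment]] = {}
    for f in frags:
        groups.setdefault(f.ident, []).append(f)

    findings: Dict[int, List[str]] = {}
    for ident, parts in groups.items():
        issues = set()
        highest_end = 0                     # end of the furthest byte seen so far
        for p in sorted(parts, key=lambda x: x.offset):
            start = p.offset * 8
            end = start + p.length
            if end > IP_MAX_PAYLOAD:
                issues.add("oversize")
            if start < highest_end:         # this fragment rewrites bytes already received
                issues.add("overlap")
            highest_end = max(highest_end, end)
        findings[ident] = sorted(issues)
    return findings


# Constructed sample traffic: one well-formed datagram (id 1), one Ping of
# Death (id 2) and one Teardrop-style pair (id 3).
SAMPLE = [
    Fragment(ident=1, offset=0,    length=1480),
    Fragment(ident=1, offset=185,  length=520),     # starts exactly at byte 1480
    Fragment(ident=2, offset=0,    length=1480),
    Fragment(ident=2, offset=8185, length=1000),    # 65480 + 1000 > 65515
    Fragment(ident=3, offset=0,    length=36),
    Fragment(ident=3, offset=3,    length=12),      # starts at byte 24, inside the first
]

if __name__ == "__main__":
    for ident, issues in inspect_fragments(SAMPLE).items():
        print(ident, issues or "ok")
```

A real implementation would also bound how long partial datagrams are kept, since an attacker can exhaust the reassembly table with fragments that never complete; the check above covers only the two malformations the FAQ names.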
hosts, this creates a large number of ICMP echo request packets; the resulting ICMP traffic will not only clog up the 'intermediary' network, but will also congest the network of the spoofed source IP address, known as the 'victim' network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.
12. What is an IP Spoofing attack?
Many DoS attacks also use IP Spoofing as part of their attack.
The above figure indicates the "triangle route" topology. It works fine if you turn off the firewall function on the P-202H Plus v2 box. However, if you turn on the firewall, your connection will be blocked by the firewall for the following reason.
Step 1. Being the default gateway of the PC, the P-202H Plus v2 receives all "outgoing" traffic from the PC.
Step 2.
(B) Deploy your second gateway on the WAN side.
(C) To resolve this conflict, we add an option for users to allow/disallow such a Triangle Route topology in both the CI command and the Web configurator. You can issue the command "sys firewall ignore triangle all on" to let the firewall bypass the triangle route check. In the Web GUI, you can find this option in the firewall setup page. Bear in mind that with the check ignored the firewall sees only one direction of those sessions and cannot inspect the return traffic, so prefer the topology changes in (A) and (B) where they are possible.
2. How do I prevent others from configuring my firewall?
There are several ways to prevent others from touching the settings of your firewall.
1. Change the default password, since it is required when setting up the firewall using Telnet, Console or Web browser. Telnet sends the password in clear text, so administer the router from the LAN side only.
2. Limit who can Telnet to your router. You can enter the IP address of the secured LAN host in SMT Menu 24.11 to allow only that host to Telnet to your P-202H Plus v2. The default value in this field is 0.0.0.0, which allows any host.
firewall off (Menu 21.2) or create a firewall rule to allow the FTP connection from the WAN. The WAN-to-LAN ACL summary will look as shown below.
Source IP= FTP host
Destination IP= P-202H Plus v2's WAN IP
Service= FTP TCP/21, TCP/20
Action=Forward
2. You have disabled the FTP service in Menu 24.11.
3. The default filter set 3 (Telnet_FTP_WAN) is applied in the Input Protocol field in Menu 11.5.
6. Why can't I configure my router using Telnet over LAN?
1.
The log supports up to 128 entries. There are 2 rows and 5 columns for each entry. Please see the example shown below.
#   Time       Packet Information                      Reason          Action
127|Mar 15    |From:192.168.1.34 To:202.132.155.93    |default permit |forward |
   |03:03:54  |ICMP type:00008 code:00000             |<1,00>         |        |
In the <X,Y> field, X=1,2 and Y=00~10.
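Reading the log by hand stops scaling at a few dozen entries, so it helps to turn the two-row layout above into records. The following is an added example, not code from the ZyXEL notes: it joins each pair of rows, splits the '|'-separated columns, and counts the entries that were not forwarded per source address. The sample log text is constructed for this example in the row layout the notes show (the second entry's "match"/"block" words are made up here; real spacing and wording may differ), so a practitioner should check the splitting against a real log before relying on it.

```python
# Added example (not from the ZyXEL support notes): parse the two-row firewall
# log layout into records and summarise the entries that were not forwarded.
# SAMPLE_LOG is constructed for this example and follows the row layout of
# the notes; the reason/action words of the second entry are made up here.
import re
from typing import Dict, List

SAMPLE_LOG = """\
127|Mar 15 |From:192.168.1.34 To:202.132.155.93 |default permit |forward |
   03:03:54|ICMP type:00008 code:00000 |<1,00> |
126|Mar 15 |From:203.0.113.7 To:192.168.1.1 |match |block |
   03:02:11|TCP src port:04567 dest port:00023 |<2,03> |
"""

_FROM_TO = re.compile(r"From:(\S+)\s+To:(\S+)")


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Join each pair of rows into one entry; fields are '|'-separated.
    Row 1: number | date | From/To | reason | action
    Row 2: time   | protocol detail | <set,rule> reference"""
    rows = [r for r in text.splitlines() if r.strip()]
    entries: List[Dict[str, str]] = []
    for first, second in zip(rows[0::2], rows[1::2]):
        f = [c.strip() for c in first.split("|")]
        s = [c.strip() for c in second.split("|")]
        m = _FROM_TO.search(f[2])
        entries.append({
            "number": f[0],
            "time": f"{f[1]} {s[0]}",
            "src": m.group(1) if m else "",
            "dst": m.group(2) if m else "",
            "detail": s[1],
            "reason": f[3],
            "action": f[4].lower(),
            "rule": s[2],            # <X,Y>: X=1,2 and Y=00~10 as the notes describe
        })
    return entries


def blocked_sources(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count non-forwarded entries per source address: the hosts a reviewer
    looks at first when reading the log."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e["action"] != "forward":
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_firewall_log(SAMPLE_LOG)
    for e in parsed:
        print(e["number"], e["time"], e["src"], "->", e["dst"], e["action"], e["rule"])
    print(blocked_sources(parsed))
```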
6. What is the difference between the log and the alert?
A log entry is just added to the log inside the P-202H Plus v2 and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attack is detected.
IPSec Related FAQ
IPSec FAQ
VPN Overview
1. What is VPN?
A VPN gives users a secure link to access the corporate network over the Internet or other public or private networks without the expense of leased lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
3. What are the most common VPN protocols?
There are currently three major tunneling protocols for VPNs. They are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec).
4. What is PPTP?
PPTP is a tunneling protocol defined by the PPTP Forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself.
for a security gateway to provide IPSec service for other machines lacking IPSec capability. In this case, transport mode only protects the upper-layer protocols of the IP payload (user data), while tunnel mode protects the entire original IP packet, its IP header included, by wrapping it in a new one. There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode or tunnel mode.
IKE is more secure than manual keying, because IKE negotiation generates fresh keys and SPIs randomly for each VPN connection, whereas a manually entered key stays in use until someone changes it.
P-202H Plus v2 VPN
1. How do I configure P-202H Plus v2 VPN?
ZyXEL routers are configured for VPN using the SMT or the Web configurator; the P-202H Plus v2 supports the Web configurator only.
2. How many VPN connections does P-202H Plus v2 support?
One P-202H Plus v2 supports 2 VPN connections.
First of all, both P-202H Plus v2 units must have VPN capabilities. Please check the firmware version: V3.50 or later has the VPN capability. If your P-202H Plus v2 is capable of VPN, you can find the VPN options in the Advanced>VPN tab. For configuring a "box-to-box VPN", there are some tips:
1. If there is a NAT router running in front of the P-202H Plus v2, please make sure the NAT router supports IPSec pass-through.
• ZyXEL P-202H Plus v2
• Avaya VPN
• Netopia VPN
• III VPN
9. What VPN software has been tested successfully with the P-202H Plus v2?
We have tested the P-202H Plus v2 successfully with the following third-party VPN software.
• SafeNet Soft-PK, 3DES edition
• Checkpoint Software
• SSH Sentinel, 1.4
• SecGo IPSec for Windows
• F-Secure IPSec for Windows
• KAME IPSec for UNIX
• Nortel IPSec for UNIX
• Intel VPN, v. 6.
NAT*   NAT in Transport mode   None
* The NAT router must support IPSec pass-through. For example, for P-202H Plus v2 SUA/NAT routers, IPSec pass-through has been supported since ZyNOS 3.21. The default port and the client IP have to be specified in Menu 15 - SUA Server Setup.
14. Why does VPN throughput decrease when staying in SMT Menu 24.1?
If the P-202H Plus v2 stays in Menu 24.1, 24.8 or 27.3, a certain amount of memory is allocated to generate the required statistics.
1. What is the SSH Sentinel VPN client?
Developed by SSH (http://www.ssh.com), the Sentinel VPN client is software bundled with the P-202H Plus v2 VPN solution. It supports IPSec/VPN.
2. Why do I need to use Sentinel?
SSH Sentinel(TM) is easy-to-use software for remote working based on the latest VPN technology. The software provides smooth integration with the P-202H Plus v2 VPN which may be installed as the HQ gateway.
7. Does Sentinel support IP range?
No, only subnet/single is supported. So when connecting with the P-202H Plus v2, please do not use range as the address type.
8. Does Sentinel support 2 VPN connections at the same time?
No, Sentinel doesn't support it. Only one VPN connection can be active at a time.
General Application Notes
1. Internet Access
A typical Internet access application of the P-202H Plus v2 is shown below. For a small office, there are some components you need to check before accessing the Internet.
• Before you begin
The P-202H Plus v2 is shipped with the following factory defaults:
1. IP address = 192.168.1.1, subnet mask = 255.255.255.0 (24 bits)
2. DHCP server enabled with IP pool starting from 192.168.1.33
• In the Control Panel/Network window, click the TCP/IP entry to select it and click the Properties button.
• In the TCP/IP Properties window, select Obtain an IP address automatically.
Note: Do not assign an arbitrary IP address and subnet mask to your PCs; otherwise, you will not be able to access the Internet.
• Click the WINS Configuration tab and select Disable WINS Resolution.
• Click the Gateway tab.
Example:
Key Settings:
• Pri Phone# is the phone number your P-202H Plus v2 has to dial in order to access your ISP.
• My Login and My Password are the login information provided by the ISP.
• Since you have a single user Internet account, Single User Account should be set to 'Yes'.
• For the Local IP Address field, since the IP address will be dynamically assigned, you can either enter '0.0.0.
Configure a PPTP server behind SUA
• Introduction
PPTP is a tunneling protocol defined by the PPTP Forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. In order to run the Windows 9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server.
PPTP is already supported in Windows NT and Windows 98. For Windows 95, it has to be added with the Dial-Up Networking 1.2 upgrade. Bear in mind that PPTP's MS-CHAP authentication and MPPE encryption are regarded as weak today; where you have the choice, prefer the IPSec VPN described in the IPSec FAQ.
• Configuration
This application note explains how to establish a PPTP connection with a remote private network in the P-202H Plus v2 SUA case. In ZyNOS, all PPTP packets can be forwarded to the internal PPTP server (WinNT server) behind SUA.
o Set the Internet gateway to the router that is connecting to the ISP.
• P-202H Plus v2 router setup
Before making a VPN connection from Win9x to the WinNT server, you need to connect the P-202H Plus v2 router to your ISP first. Enter the IP address of the PPTP server (WinNT server) and the port number for PPTP as shown below. When you have finished the above settings, you can ping the remote Win9x client from WinNT.
202H Plus v2 router in SUA mode and enter this IP address in the VPN dial-up dialog box. You can check this Internet IP address from PNC Monitor or SMT Menu 24.1. If the Internet IP address is a fixed IP address provided by the ISP in SUA mode, then you can always use this IP address for reaching the VPN server. In the following example, the IP address '140.113.1.225' is dynamically assigned by the ISP.
If you wish, you can make internal servers (e.g., Web, FTP or mail server) accessible to outside users, even though SUA makes your LAN appear as a single machine to the outside world. A service is identified by its port number. Also, since you need to specify the IP address of a server in the P-202H Plus v2, a server must have a fixed IP address and not be a DHCP client whose IP address potentially changes each time it is powered on.
Telnet 23
SMTP 25
DNS (Domain Name Server) 53
www-http (Web) 80
Tested SUA Applications (e.g., Cu-SeeMe, ICQ, NetMeeting)
• Introduction
Generally, SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. However, some applications such as Cu-SeeMe and ICQ will need to connect to the local user behind the P-202H Plus v2.
Required Settings in Menu 15 (Port/IP)
Application   | Outgoing Connection                              | Incoming Connection
HTTP          | None                                             | 80/client IP
FTP           | None                                             | 21/client IP
TELNET        | None                                             | 23/client IP (and remove the Telnet filter on the WAN port)
POP3          | None                                             | 110/client IP
SMTP          | None                                             | 25/client IP
mIRC          | None for Chat. For DCC, please set Default/Client IP. |
Windows PPTP  | None                                             | 1723/client IP
ICQ 99a       | Default/client IP                                | None for Chat.
pcAnywhere 8.0 | None | 5631/client IP, 5632/client IP, 22/client IP
1 Since SUA makes your LAN appear as a single computer to the Internet, it is not possible to configure several servers of the same kind on the same LAN behind SUA.
2 Because White Pine Cu-SeeMe uses dedicated ports (port 7648 and port 24032) to transmit and receive data, only one local Cu-SeeMe is allowed within the same LAN.
3. LAN to LAN IP Connection
• Introduction
This configuration note explains how to set up two P-202H Plus v2 routers for a LAN-to-LAN connection. Once the connection is established, the workstations on both LANs will be able to run any TCP/IP application (e.g., FTP, Telnet, etc.). There are three items that you need to set up: the workstations and the two P-202H Plus v2 routers.
IP Address - the IP address assigned to the workstation itself
Subnet Mask - the subnet mask used for your network. Class C networks generally use a 24-bit netmask
DNS (Domain Name Server) Address - enter the IP address of the DNS server
o Default Gateway - the IP address of the P-202H Plus v2; the default gateway for LAN1 is P-202H Plus v2 1 and for LAN2 is P-202H Plus v2 2.
Version= RIP-2B
Edit IP Alias= No
2. Remote Node Setup in SMT Menu 11
Menu 11.1 - Remote Node Profile
Rem Node Name= LAN2
Active= Yes
Call Direction= Outgoing
Incoming:
 Rem Login=
 Rem Password=
 Rem CLID= N/A
 Call Back= N/A
Outgoing:
 My Login= test
 My Password= ********
 Authen= CHAP/PAP
 Pri Phone #= 5007025
 Sec Phone #=
Edit PPP Options= No
Rem IP Addr= 203.66.113.
Menu 3.2 - TCP/IP and DHCP Ethernet Setup
DHCP Setup:
 DHCP= None
 Client IP Pool Starting Address= N/A
 Size of Client IP Pool= N/A
 Primary DNS Server= N/A
 Secondary DNS Server= N/A
TCP/IP Setup:
 IP Address= 203.66.113.1
 IP Subnet Mask= 255.255.255.0
 RIP Direction= Both
 Version= RIP-2B
 Edit IP Alias= No
2. Remote Node Setup in SMT Menu 11
Menu 11.
Key Settings:
o Set the 'Active' field to 'Yes'.
o Set the 'Call Direction' to 'Incoming'.
o Enter the correct node account for the dial-in router in the 'Rem Login' and 'Rem Password' fields.
o Enter the IP address of the remote router in the 'Rem IP Addr' field.
After you have finished the above settings, you are ready to test this connection from Menu 24.4.5 - 'Manual Call' by entering the node number.
Menu 24.4 - System Maintenance - Diagnostic
ISDN System
1.
• Configuration
• If the Cisco router requests PAP, you have to configure more settings in Menu 13 as follows.
Menu 11.1 - Remote Node Profile
Rem Node Name= LAN2
Active= Yes
Call Direction= Both
Edit PPP Options= No
Rem IP Addr=140.113.1.
perform any TCP/IP application (e.g., FTP, Telnet, etc.). There are two items that you need to set up for this connection: the workstation and the P-202H Plus v2 router.
o Default Dial-in Setup in SMT Menu 13
o Edit Dial-in User in SMT Menu 14
1. Ethernet Setup in SMT Menu 3
Menu 3.2 - TCP/IP and DHCP Ethernet Setup
DHCP Setup:
 DHCP= None
 Client IP Pool Starting Address= N/A
 Size of Client IP Pool= N/A
 Primary DNS Server= N/A
 Secondary DNS Server= N/A
TCP/IP Setup:
 IP Address= 192.68.135.1
 IP Subnet Mask= 255.255.255.0
 RIP Direction= Both
 Version= RIP-2B
 Edit IP Alias= No
2.
Allocated Budget(min)= 0
Period(hr)= 0
Press ENTER to Confirm or ESC to Cancel:
• The Recv Authen field should be set to the type of authentication protocol you want to use.
• Since the workstation needs to have its IP address assigned, set the IP Address Supplied By: Dial-in User field to 'No'.
• Make sure that IP Pool is set to 'Yes'.
• In IP Start Addr, enter the IP address that you want to assign to the workstation when it dials in. In our example, this would be '192.
• The User Name and Password fields should be set to the login username and password that the workstation will provide when dialing in to the P-202H Plus v2.
• Set the Active field to 'Yes'.
Dial-in user with callback
Menu 14.1 - Edit Dial-in User
User Name= abc
Active= Yes
Passwd= *********
Callback= Mandatory
Phone # Supplied by Caller= Yes
Callback Phone #= N/A
Rem CLID=
Idle Timeout= 100
• There are two options for the callback, Mandatory and Optional. Note that with Phone # Supplied by Caller= Yes the router calls back whatever number the caller provides, so the callback proves nothing about who is calling; to use callback as an access control, set this field to 'No' and enter a fixed Callback Phone #.
1. LAN device and protocol input filter sets.
2. WAN protocol call and output filter sets.
3. If SUA is enabled, SUA converts the source IP address from 192.168.1.33 to 203.205.115.6 and the port number from 1023 to 4034.
4. WAN device output and call filter sets.
The sequence of the logic flow for a packet from WAN to LAN is:
5. WAN device input filter sets.
6. If SUA is enabled, SUA converts the destination IP address from 203.205.115.6 to 192.168.1.
Filter #: 1,1
Filter Type= Generic Filter Rule
Active= Yes
Offset= 0
Length= 0
Mask= N/A
Value= N/A
More= No
Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Menu 21.1.2:
Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0
IP Source Route= No
Destination: IP Addr= 0.0.0.0
 IP Mask= 0.0.0.0
 Port #= 0
 Port # Comp= None
Source: IP Addr= 0.0.0.0
 IP Mask= 0.0.0.
Menu 3.1:
Menu 3.1 - General Ethernet Setup
Input Filter Sets:
 protocol filters=
 device filters=
Output Filter Sets:
 protocol filters=
 device filters=
Menu 11.1:
Menu 11.1 - Remote Node Profile
Rem Node Name= abc
Active= Yes
Call Direction= Outgoing
Edit PPP Options= No
Rem IP Addr= 0.0.0.
Menu 11.5 - Remote Node Filter
Input Filter Sets:
 protocol filters=
 device filters=
Output Filter Sets:
 protocol filters=
 device filters=
Call Filter Sets:
 protocol filters=
 device filters=
Menu 13:
Menu 13 - Default Dial-in Setup
Telco Options:
 CLID Authen= None
IP Address Supplied By:
 Dial-in User= Yes
 IP Pool= Yes
PPP Options:
 IP Start Addr= 123.234.111.
Menu 13.1 - Default Dial-in Filter
Input Filter Sets:
 protocol filters=
 device filters=
Output Filter Sets:
 protocol filters=
 device filters=
SMT will also prevent you from entering a protocol filter set configured in Menu 21 into the device filters field in Menu 3.1, 11.5 or 13.1, or entering a device filter set into the protocol filters field.
We list the headers of IP, UDP and TCP below so that you can read the format of the IP packet and IPX packet shown in Menu 24.1 and configure a filter rule for it more easily.
Data (if any)
Based on the above headers, we can interpret the LAN Packet Which Triggered Last Call as follows:
LAN Packet which Triggered Last Call : (Type: IP)
45 00 00 2E CA 0E 40 00 1F 06 D7 09 CC F7 CB B4 CC D9 00 02 04 1C 00 15
06 = TCP protocol
CC F7 CB B4 = 204.247.203.180 = Source IP
CC D9 00 02 = 204.217.0.2 = Destination IP
04 1C = 1052 (dec) = Source port number
00 15 = 21 (dec) = Destination port number = FTP port
IPX header in Menu 24.
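The hand decoding above follows the IP and TCP/UDP header layouts listed earlier. The following is an added example, not code from the ZyXEL notes or from ZyNOS: a small decoder that takes the hex bytes Menu 24.1 prints and returns the fields a Menu 21 TCP/IP filter rule can match on (protocol, source and destination address and port). The hex string is the one shown in the notes; the decoder and its field names are this example's own.

```python
# Added example (not from the ZyXEL support notes): decode the hex bytes that
# Menu 24.1 prints as "LAN Packet which Triggered Last Call" using the IP and
# TCP/UDP header layouts. TRIGGER_HEX is the dump shown in the notes.
from typing import Any, Dict

TRIGGER_HEX = "45 00 00 2E CA 0E 40 00 1F 06 D7 09 CC F7 CB B4 CC D9 00 02 04 1C 00 15"

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode_trigger_packet(hex_text: str) -> Dict[str, Any]:
    """Return the fields a filter rule can match on. Only the bytes present are
    decoded; Menu 24.1 prints the start of the packet, not the whole thing."""
    raw = bytes.fromhex(hex_text)                # whitespace is ignored by fromhex
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4                    # header length in bytes (IHL * 4)
    fields: Dict[str, Any] = {
        "header_length": ihl,
        "total_length": int.from_bytes(raw[2:4], "big"),
        "identification": int.from_bytes(raw[4:6], "big"),
        "dont_fragment": bool(raw[6] & 0x40),    # DF is bit 1 of the flags nibble
        "ttl": raw[8],
        "protocol": raw[9],
        "protocol_name": PROTOCOL_NAMES.get(raw[9], str(raw[9])),
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
    }
    # TCP and UDP headers both begin with 16-bit source and destination ports,
    # located right after the IP header (options included, hence ihl).
    if raw[9] in (6, 17) and len(raw) >= ihl + 4:
        fields["sport"] = int.from_bytes(raw[ihl:ihl + 2], "big")
        fields["dport"] = int.from_bytes(raw[ihl + 2:ihl + 4], "big")
    return fields


if __name__ == "__main__":
    for key, value in decode_trigger_packet(TRIGGER_HEX).items():
        print(f"{key:>15}: {value}")
```

Using the header length rather than a fixed offset of 20 matters when the packet carries IP options (the "IP Source Route= No" field of a filter rule refers to one such option): with options present the ports sit further into the packet than the hand decoding above assumes.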
Filter Examples
A filter for blocking FTP connections from the WAN
• Introduction
The P-202H Plus v2 supports uploading firmware and configuration files over FTP connections via LAN and WAN. So it is possible that anyone could make an FTP connection over the Internet to your P-202H Plus v2 and, with a default or guessed password, read or replace its configuration. To prevent outside users from connecting to your P-202H Plus v2 via FTP, you can configure a filter to block FTP connections from the WAN.
Menu 21 - Filter Set Configuration
Filter Set #  Comments          Filter Set #  Comments
1   NetBIOS_WAN                 7   _______________
2   NetBIOS_LAN                 8   _______________
3   FTP_WAN                     9   _______________
4   _______________            10   _______________
5   _______________            11   _______________
6   _______________            12   _______________
Enter Filter Set Number to Configure= 3
Edit Comments= FTP_WAN
Press ENTER to Confirm or ESC to Cancel:
• Rule 1 - block the inbound FTP packet, TCP (06
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
• Rule 2 - block the inbound FTP packet, TCP (06) protocol with port number 21
Menu 21.3.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6
IP Source Route= No
Destination: IP Addr= 0.0.0.0
 IP Mask= 0.0.0.0
 Port #= 21
 Port # Comp= Equal
Source: IP Addr= 0.0.0.0
 IP Mask= 0.0.0.
• Choose the remote node number where you want to block the inbound FTP connections and apply the filter set in Menu 11.5 by setting 'Edit Filter Sets' to 'Yes'.
Menu 11.1 - Remote Node Profile
Rem Node Name= hinet
Active= Yes
Call Direction= Outgoing
Edit PPP Options= No
Rem IP Addr= 0.0.0.
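Before applying a filter set to a remote node it is worth checking, rule by rule, what it does to the packets you care about. The following is an added example, not code from the ZyXEL notes or from ZyNOS: a small evaluator for a Menu 21 TCP/IP filter set with the SMT field names, run against the FTP_WAN set above and against the anti-spoofing rule from the ZyNOS FAQ (Source IP Addr/Mask = your LAN, Action Matched = Drop). Two things in it are assumptions rather than documented behaviour: that rule 1 of FTP_WAN matches TCP port 20 (the notes cut that rule off), and that a set which ends without a Forward or Drop verdict forwards the packet. The packets are constructed for this example.

```python
# Added example (not from the ZyXEL support notes): evaluate a Menu 21 TCP/IP
# filter set. Field names follow the SMT screens; the chaining rule (a set that
# ends without a verdict forwards) and rule 1 of FTP_WAN matching port 20 are
# this example's assumptions. Packets are constructed for this example.
from dataclasses import dataclass
from typing import List

ANY = "0.0.0.0"


def ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


@dataclass(frozen=True)
class Packet:
    protocol: int               # IP protocol number: 6 TCP, 17 UDP, 1 ICMP
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP ACK set, i.e. not a connection request


@dataclass(frozen=True)
class TcpIpRule:
    protocol: int = 0               # IP Protocol= 0 means any
    src_addr: str = ANY
    src_mask: str = ANY             # IP Mask= 0.0.0.0 matches every address
    dst_addr: str = ANY
    dst_mask: str = ANY
    src_port: int = 0
    src_port_comp: str = "None"     # Port # Comp: None/Equal/Not Equal/Less/Greater
    dst_port: int = 0
    dst_port_comp: str = "None"
    tcp_estab: bool = False         # TCP Estab= Yes: match only established TCP packets
    action_matched: str = "Check Next Rule"
    action_not_matched: str = "Check Next Rule"


def _addr_ok(addr: str, want: str, mask: str) -> bool:
    m = ip_to_int(mask)
    return (ip_to_int(addr) & m) == (ip_to_int(want) & m)


def _port_ok(port: int, want: int, comp: str) -> bool:
    return {"None": True, "Equal": port == want, "Not Equal": port != want,
            "Less": port < want, "Greater": port > want}[comp]


def rule_matches(rule: TcpIpRule, pkt: Packet) -> bool:
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if rule.tcp_estab and not (pkt.protocol == 6 and pkt.established):
        return False
    return (_addr_ok(pkt.src, rule.src_addr, rule.src_mask)
            and _addr_ok(pkt.dst, rule.dst_addr, rule.dst_mask)
            and _port_ok(pkt.sport, rule.src_port, rule.src_port_comp)
            and _port_ok(pkt.dport, rule.dst_port, rule.dst_port_comp))


def evaluate_set(rules: List[TcpIpRule], pkt: Packet) -> str:
    """Walk the set in order; the first Forward or Drop decides."""
    for rule in rules:
        action = rule.action_matched if rule_matches(rule, pkt) else rule.action_not_matched
        if action != "Check Next Rule":
            return action
    return "Forward"            # assumption: no verdict in the set means forward


# Filter set 3, FTP_WAN, as configured above (applied as a WAN input protocol filter).
FTP_WAN = [
    TcpIpRule(protocol=6, dst_port=20, dst_port_comp="Equal", action_matched="Drop"),
    TcpIpRule(protocol=6, dst_port=21, dst_port_comp="Equal", action_matched="Drop",
              action_not_matched="Forward"),
]

# The anti-spoofing rule from the ZyNOS FAQ, here for a LAN of 192.168.1.0/24.
ANTI_SPOOF = [
    TcpIpRule(src_addr="192.168.1.0", src_mask="255.255.255.0",
              action_matched="Drop", action_not_matched="Forward"),
]

if __name__ == "__main__":
    ftp = Packet(protocol=6, src="203.0.113.9", dst="203.205.115.6", sport=40001, dport=21)
    web = Packet(protocol=6, src="203.0.113.9", dst="203.205.115.6", sport=40002, dport=80)
    spoof = Packet(protocol=17, src="192.168.1.40", dst="192.168.1.1", sport=1024, dport=53)
    print(evaluate_set(FTP_WAN, ftp), evaluate_set(FTP_WAN, web))          # Drop Forward
    print(evaluate_set(ANTI_SPOOF, spoof), evaluate_set(ANTI_SPOOF, web))  # Drop Forward
```

The evaluator shows why rule 2 of FTP_WAN ends with Action Not Matched= Forward while rule 1 ends with Check Next Rule: a packet has to fall through every blocking rule before it is allowed, and the final rule supplies the verdict for everything that was not blocked.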
A filter for blocking Web connections from the LAN
• Introduction
If you want to prevent outbound Web requests from triggering a call to the remote Web server, you can configure a call filter set in the P-202H Plus v2 to block these packets. After the call filter is applied, Web packets will no longer trigger a call to your ISP or remote node.
------ ---------------------- ----------------
1   Web Request           7   _______________
2                         8   _______________
3                         9   _______________
4                        10   _______________
5                        11   _______________
6   _______________      12   _______________
Enter Filter Set Number to Configure= 1
Edit Comments=
Press ENTER to Confirm or ESC to Cancel:
• Rule 1 for (a): HTTP packet, TCP(06)/Port number 80
Menu 21.1.
• Rule 2 for (b): DNS request, TCP(06)/Port number 53
Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6
IP Source Route= No
Destination: IP Addr= 0.0.0.0
 IP Mask= 0.0.0.0
 Port #= 53
 Port # Comp= Equal
Source: IP Addr= 0.0.0.0
 IP Mask= 0.0.0.0
 Port #=
 Port # Comp= None
TCP Estab= No
More= No
Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
• Rule 3 for (c).
Port #=
Port # Comp= None
TCP Estab= No
More= No
Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:
• After the three rules are completed, you will see the rule summary in Menu 21.
Menu 21.1 - Filter Rules Summary
# A Type Filter Rules                              M m n
- - ---- ------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0,            N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0,            N D N
3 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.
My Password= ********
Authen= CHAP/PAP
Pri Phone #= 4125678
Sec Phone #=
Session Options:
 Edit Filter Sets= Yes
 Idle Timeout(sec)= 300
Press ENTER to Confirm or ESC to Cancel:
• Menu 11.
2   _______________       8   _______________
3   _______________       9   _______________
4   _______________      10   _______________
5   _______________      11   _______________
6   _______________      12   _______________
Enter Filter Set Number to Configure= 0
Edit Comments=
Press ENTER to Confirm or ESC to Cancel:
2. One rule for blocking all packets from this client
Menu 21.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0
IP Source Route= No
Destination: IP Addr= 0.0.0.0
 IP Mask= 0.0.0.
• IP Mask: the IP mask selects the bits of the address given in the 'Source IP Addr=' field that must match; for a single workstation it is 255.255.255.255.
• Action Matched: set to 'Drop' to drop all the packets from this client.
• Action Not Matched: set to 'Forward' to allow the packets from other clients.
3. Apply filter set number '1' in the 'Call Filter Sets' field of SMT Menu 11.5 to make it active.
Menu 11.
device filters=
Call Filter Sets:
 protocol filters= 1
 device filters=
4. If you want to prevent this client from reaching the Internet or the remote node at all, apply this filter set to the 'protocol filters' field of the Input Filter Sets in SMT Menu 3.1.
Menu 3.1 - General Ethernet Setup
Input Filter Sets:
 protocol filters= 1
 device filters=
Output Filter Sets:
 protocol filters=
 device filters=
After this filter set is applied to this field, the client (192.168.1.
P-202H Plus v2 Support Notes Now a client on the LAN is trying to ping P-202H Plus v2……… ras> sys trcp sw off ras> sys trcp disp TIME: 37c060 enet0-RECV len:74 call=0 0000: [00 a0 c5 01 23 45] [00 80 c8 4c ea 63] 08 00 45 00 0010: 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84 0020: 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66 0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 0040: 77 61 62 63 64 65 66 67 68 69 TIME: 37c060 enet0-XMIT len:74 call=0 0000: [00 80 c8 4c ea 63] [00 a0 c5 01 23 45] 08 0
P-202H Plus v2 Support Notes - Checksum: 0x455C - Identifier: 768 - Sequence Number: 1280 - Optional Data: (32 bytes) • Configurations From the above first trace, we know that a client is trying to ping the P-202H Plus v2 router. And from the second trace, we know that the P-202H Plus v2 router will send a reply to the client accordingly. The following sample filter will utilize the 'Generic Filter Rule' to block the MAC address [00 80 c8 4c ea 63]. 1.
• Mask (in hexadecimal): Specify the value that the P-202H Plus v2 logically ANDs with the data in the packet before the comparison. Since the Length is set to 6 octets the Mask should be 12 hexadecimal digits. In this case we set it to 'ffffffffffff' so that the whole incoming source MAC address, [00 80 c8 4c ea 63], is compared.
• Value (in hexadecimal): Specify the MAC address [00 80 c8 4c ea 63] that the P-202H Plus v2 compares with the masked packet data.
Keep in mind that a workstation's MAC address is trivially changed by its owner, so a generic filter on the source MAC address keeps a noisy or misconfigured host off the line but is not an access control against a deliberate user.
protocol filters= device filters=
A filter for blocking the NetBIOS packets
• Introduction
NetBIOS traffic is identified by its port numbers: 137 (name service), 138 (datagram service) and 139 (session service), carried over UDP or TCP. Left unfiltered, these broadcasts would trigger the call to the remote node. In addition, the NetBIOS name query a Windows host sends to a remote DNS server (source port 137, destination port 53) can also trigger the call. Therefore, the filter rules should cover all of the above packets.
• Configuration
The packets which need to be blocked are as follows.
P-202H Plus v2 Support Notes 1 2 3 4 5 6 NetBIOS_WAN NetBIOS_LAN _______________ _______________ _______________ _______________ 7 _______________ 8 _______________ 9 _______________ 10 _______________ 11 _______________ 12 _______________ Enter Filter Set Number to Configure= 1 Edit Comments= Press ENTER to Confirm or ESC to Cancel: • Configure the first filter set 'NetBIOS_WAN' by selecting the Filter Set number 1. Rule 1-Destination port number 137 with protocol number 6 (TCP) Menu 21.1.
P-202H Plus v2 Support Notes Menu 21.1.2 - TCP/IP Filter Rule Filter #: 1,2 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 17 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 137 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None TCP Estab= N/A More= No Log= None Action Matched= Drop Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Rule 3-Destination port number 138 with protocol number 6 (TCP) Menu 21.
P-202H Plus v2 Support Notes Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Rule 4-Destination port number 138 with protocol number 17 (UDP) Menu 21.1.4 - TCP/IP Filter Rule Filter #: 1,4 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 17 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 138 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.
P-202H Plus v2 Support Notes Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None TCP Estab= No More= No Log= None Action Matched= Drop Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Rule 6-Destination port number 139 with protocol number 17 (UDP) Menu 21.1.6 - TCP/IP Filter Rule Filter #: 1,6 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 17 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.
P-202H Plus v2 Support Notes Menu 21.2 - Filter Rules Summary # A Type Filter Rules Mmn - - ---- --------------------------------------------- - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137 2 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137 3 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138 4 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138 5 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139 6 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.
P-202H Plus v2 Support Notes protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= 1 device filters= • Configure the second filter set 'NetBIOS_LAN' by selecting the Filter Set number 2. Rule 1-Source port number 137, Destination port number 53 with protocol number 6 (TCP) Menu 21.2.1 - TCP/IP Filter Rule Filter #: 2,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.
P-202H Plus v2 Support Notes Menu 21.2.2 - TCP/IP Filter Rule Filter #: 2,2 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 17 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 53 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.
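To check how filter sets like NetBIOS_WAN and NetBIOS_LAN behave before applying them in Menu 3.1 or Menu 11.5, here is an added example (not ZyXEL code) that models the TCP/IP filter rule semantics used above: rules are tried in order, each rule's 'Action Matched' or 'Action Not Matched' is 'Drop', 'Forward' or 'Check Next Rule', and the mask is ANDed with the source address as in the single-client filter. It assumes that a packet reaching the end of a set without a Drop or Forward decision is forwarded, and the client address 192.168.1.40 used for the single-client set is an assumed value.

```python
"""Model of ZyNOS TCP/IP filter-set evaluation (added example, not ZyXEL code)."""
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP = 6, 17


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass
class Rule:
    protocol: int                           # IP Protocol= (0 = any)
    dst_port: Optional[int] = None          # Destination Port #= with Port # Comp= Equal
    src_port: Optional[int] = None          # Source Port #= with Port # Comp= Equal
    src_ip: str = "0.0.0.0"                 # Source IP Addr=
    src_mask: str = "0.0.0.0"               # Source IP Mask= (0.0.0.0 matches any host)
    matched: str = "Drop"                   # Action Matched=
    not_matched: str = "Check Next Rule"    # Action Not Matched=


@dataclass
class Packet:
    protocol: int
    src_ip: str
    src_port: int
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every non-wildcard field of the rule matches the packet."""
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    # The mask is ANDed with both the configured and the packet address, so
    # 255.255.255.255 pins the rule to one workstation and 0.0.0.0 matches all.
    mask = ip_to_int(rule.src_mask)
    return (ip_to_int(rule.src_ip) & mask) == (ip_to_int(pkt.src_ip) & mask)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk the set in order and return the first 'Drop' or 'Forward' decision."""
    for rule in rules:
        action = rule.matched if rule_matches(rule, pkt) else rule.not_matched
        if action in ("Drop", "Forward"):
            return action
        # 'Check Next Rule' falls through to the next rule
    return "Forward"  # assumption: an undecided packet is forwarded


# Filter set 1, NetBIOS_WAN, as listed in Menu 21.2 - Filter Rules Summary
NETBIOS_WAN = [Rule(proto, dst_port=port)
               for port in (137, 138, 139) for proto in (TCP, UDP)]
NETBIOS_WAN[-1].not_matched = "Forward"   # last rule decides the remaining traffic

# Filter set 2, NetBIOS_LAN: NetBIOS name queries sent to a remote DNS server
NETBIOS_LAN = [Rule(TCP, dst_port=53, src_port=137),
               Rule(UDP, dst_port=53, src_port=137, not_matched="Forward")]

# The single-client filter from the earlier example (client address assumed)
BLOCK_CLIENT = [Rule(0, src_ip="192.168.1.40", src_mask="255.255.255.255",
                     matched="Drop", not_matched="Forward")]


if __name__ == "__main__":
    samples = [Packet(UDP, "192.168.1.5", 137, 137),   # NetBIOS name broadcast
               Packet(UDP, "192.168.1.5", 137, 53),    # name query to remote DNS
               Packet(TCP, "192.168.1.5", 1025, 80)]   # ordinary web request
    for p in samples:
        print(p, "WAN:", evaluate(NETBIOS_WAN, p), "LAN:", evaluate(NETBIOS_LAN, p))
```

Ordering is what makes these sets work: every NetBIOS rule ends with 'Check Next Rule' so that a non-matching packet is handed on, and only the last rule's 'Action Not Matched= Forward' lets ordinary traffic through.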
protocol filters= 2 device filters= Output Filter Sets: protocol filters= device filters=
6. UNIX syslog Setup
• P-202H Plus v2 Setup
Menu 24.3.2 - System Maintenance - UNIX Syslog and Accounting UNIX Syslog: Active= Yes Syslog IP Address= 192.168.1.33 Log Facility= Local 1 Types: CDR= No Packet triggered= No Filter log= No PPP log= No POTS log= No Firewall log= No
Configuration: 1. Active, use the space bar to turn on the syslog option. 2.
2. Edit /etc/syslog.conf by adding the following line at the end of the file (on traditional syslogd implementations the two fields must be separated by a tab, not spaces):
local1.*	/var/log/zyxel.log
where /var/log/zyxel.log is the full path of the log file. The router sends syslog over UDP with no authentication, so restrict which source addresses the syslog host accepts messages from and keep the log file unwritable by ordinary users.
3. Restart syslogd.
• ZyXEL Syslog Message Format
P-202H Plus v2 sends 5 types of syslog messages to syslogd, they are: 1. 2. 3. 4. 5.
P-202H Plus v2 Support Notes C01 Incoming Call xxxx (means connected speed) xxxxx (means Remote Call ID) L02 Tunnel Connected(L2TP) C02 OutCall Connected xxxx (means connected speed) xxxxx (means Remote Call ID) C02 CLID call refused L02 Call Terminated C02 Call Terminated Example: Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C01 Incoming Call 64000 4125678 Feb 14 17:07:18 192.168.1.1 ZyXEL Communications Corp.
P-202H Plus v2 Support Notes match (m) drop (D). Src: Source Address Dst: Destination Address prot: Protocol (TCP,UDP,ICMP) spo: Source port dpo: Destination port Example: Jul 19 14:44:09 192.168.1.1 ZyXEL Communications Corp.: IP[Src=202.132.154.1 Dst=192.168.1.33 UDP spo=0035 dpo=05d4]}S03>R01mF Jul 19 14:44:13 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.33 Dst=202.132.154.1 ICMP]}S03>R01mF 4.
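As an added example (not part of the ZyXEL notes), the following parser turns filter log lines of the format above into structured records, decoding the hexadecimal port fields and the trailing set/rule/action code, so the log can be searched for dropped packets. The sample lines are constructed in the documented format (the third one is a NetBIOS packet dropped by set 1 rule 2); the meaning of letters other than 'm' in the match position is not documented here, so they are reported raw.

```python
"""Parse P-202H Plus v2 filter log lines (added example, not ZyXEL code)."""
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines in the format documented above
SAMPLE_LOG = """\
Jul 19 14:44:09 192.168.1.1 ZyXEL Communications Corp.: IP[Src=202.132.154.1 Dst=192.168.1.33 UDP spo=0035 dpo=05d4]}S03>R01mF
Jul 19 14:44:13 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.33 Dst=202.132.154.1 ICMP]}S03>R01mF
Jul 19 14:45:02 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.33 Dst=202.132.154.1 UDP spo=0089 dpo=0089]}S01>R02mD
Jul 19 14:45:05 192.168.1.1 ZyXEL Communications Corp.: Call Connect: Dir=2 Remote Call=5783942 Local Call=1
"""

# <timestamp> <router> <tag>: IP[Src=a Dst=b PROT [spo=hhhh dpo=hhhh]]}S<set>>R<rule><match><action>
FILTER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<router>\S+) .*?: "
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<prot>TCP|UDP|ICMP)"
    r"(?: spo=(?P<spo>[0-9a-fA-F]{4}) dpo=(?P<dpo>[0-9a-fA-F]{4}))?\]"
    r"\}S(?P<set>\d+)>R(?P<rule>\d+)(?P<flag>[A-Za-z])(?P<action>[FD])$"
)
ACTIONS = {"F": "Forward", "D": "Drop"}


def parse_filter_line(line: str) -> Optional[Dict]:
    """Return a record for a filter log line, or None for CDR/PPP/POTS lines."""
    m = FILTER_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": m["ts"],
        "router": m["router"],
        "src": m["src"],
        "dst": m["dst"],
        "prot": m["prot"],
        # ports are logged as four hex digits; ICMP lines carry none
        "spo": int(m["spo"], 16) if m["spo"] else None,
        "dpo": int(m["dpo"], 16) if m["dpo"] else None,
        "set": int(m["set"]),
        "rule": int(m["rule"]),
        "matched": m["flag"] == "m",   # 'm' = rule matched; other letters kept raw
        "flag": m["flag"],
        "action": ACTIONS[m["action"]],
    }


def parse_log(text: str) -> List[Dict]:
    records = [parse_filter_line(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r is not None]


def dropped(records: List[Dict]) -> List[Dict]:
    """Only the packets a filter rule dropped, the lines worth alerting on."""
    return [r for r in records if r["action"] == "Drop"]


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(f"{r['time']} set {r['set']} rule {r['rule']} {r['action']:7} "
              f"{r['prot']} {r['src']}:{r['spo']} -> {r['dst']}:{r['dpo']}")
```

Note that the first sample line is a DNS reply (source port 0x0035 = 53) that set 3 forwarded, while the third is NetBIOS (0x0089 = 137) dropped by the NetBIOS_WAN set; the parser lets you confirm from the log that the filter really is catching what it was written for.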
P-202H Plus v2 Support Notes sdcmdSyslogSend( SYSLOG_POTSLOG, SYSLOG_NOTICE, String ); String = Call Connect / Disconnect: Dir = xx Remote Call= xxxxx Local Call= xxxxx Dir = Call Direction 1: Incoming call 2: Outgoing call Remote Call = a string type which represents as the remote call number Local Call = a string type which represents as the my(local) call number Example: Jul 19 12:08:25 192.168.1.1 ZyXEL Communications Corp.: Call Connect: Dir=2 Remote Call=5783942 Local Call=1 Jul 19 12:08:29 192.168.
Advance Setup = No
B Channel Usage:
o Set to Leased/Unused if you are using one 64K leased line
o Set to Leased/Leased if you are using one 128K leased line
o Set to Leased/Switch if you are using one 64K leased line and one switched line
The P-202H Plus v2 does not allow two leased lines to connect to two different remote nodes. Therefore, if Leased/Leased is configured in Menu 2, it allows either a 128K leased connection to a remote node or MP bundling to a remote node.
o Enter the IP address assigned by the ISP for the P-202H Plus v2; enter '0.0.0.0' if the IP is dynamically assigned during the PPP connection
o Set the 'Transfer Type' to 'Leased' for the ISDN leased-line connection
o After saving this menu, you will be asked if you want to perform an Internet connection test. Select 'Yes' to perform the test. If the test fails, please check the above settings again.
B Channel Usage:
o Set to Leased/Unused if you are using one 64K leased line
o Set to Leased/Leased if you are using one 128K leased line
o Set to Leased/Switch if you are using one 64K leased line and one switched line
The P-202H Plus v2 does not allow two leased lines to connect to two different remote nodes. Therefore, if Leased/Leased is configured in Menu 2, it allows either a 128K leased connection to a remote node or MP bundling to a remote node. Menu 11.
3. Call Transfer
4. Call Forwarding
5. Reminder Ring
6. Terminal Portability (Suspend/Resume)
7. MSN/subaddress
Most supplementary services are not free; please check with your telephone company for the services they offer.
How do I do call waiting/call hold/call retrieve?
• Put your current call on hold and answer the incoming call - after hearing the call waiting tone, press and immediately release the Flash button on your telephone.
P-202H Plus v2 Support Notes If you hang up your telephone during a three-way call and the two other callers remain on the line, the ISDN network will do an implicit transfer to directly connect the two remaining callers together. How do I do call transfer? Call Transfer allows you to transfer an active call to a third party. This service must be subscribed from your telephone company.
*22*forward-number#   Activate CFNR (Call Forwarding No Reply)
#20#                  Deactivate CFB
#21#                  Deactivate CFU
#22#                  Deactivate CFNR
How do I suspend/resume a phone call (terminal portability)?
The Terminal Portability service allows you to suspend a phone call temporarily. You can then resume this call later, at another location if you so wish. To suspend an active phone call:
• Press the flash key twice.
• Dial *3n*#, where n is any number from 1 to 9.
The P-202H Plus v2 supports the ISDN Device Control Protocol (ISDN-DCP) from RVS-COM. ISDN-DCP allows a workstation on the LAN to run CAPI applications such as fax, voice and file transfer. Using ISDN-DCP, the P-202H Plus v2 behaves as a DCP server that listens for DCP messages on TCP port 2578 on its LAN port; this feature is called NetCAPI. Because this listener gives LAN hosts control of the ISDN interface (and therefore of chargeable calls), enable it only while a workstation actually uses it.
P-202H Plus v2 Support Notes Incoming Phone Numbers: ISDN Data = 10000 Subaddress= A/B Adapter 1 = Subaddress= A/B Adapter 2 = Subaddress= Incoming Phone Number Matching= Multiple Subscriber Number (MSN) Analog Call Routing= N/A Global Analog Call= N/A Edit Advanced Setup = No Edit NetCAPI Setup = Yes Press ENTER to Confirm or ESC to Cancel: 2. Edit NetCAPI related settings in menu 2.1 Menu 2.
P-202H Plus v2 Support Notes 3. Incoming Data Call Matching: This setting helps the P-202H Plus v2 to forward the incoming call correctly by checking the MSN or subaddress that the remote party calls. MSN: When this option is selected, the P-202H Plus v2 checks the MSN called by the remote party. If the MSN matches the one configured in menu 2, ISDN Data Number, the P-202H Plus v2 will answer the call as a data call.
P-202H Plus v2 Support Notes dcp fsm sw [on|off] To enable/disable the NetCAPI state machine, use the dcp fsm sw [on|off] command. dcp fsm disp To display the NetCAPI state machine log, use the dcp fsm disp command. The following example shows the output of the dcp fsm disp command: ISDN_DCP FSM Log, Entries = 6 Format # TimeStamp Protocol ObjectID State Event Event Handling Function 0:00:03.190 DCP: 0 S:IDLE(01) E:CapREQ (00) Func:DCPIgnore 1:00:03.
P-202H Plus v2 Support Notes dcp trcp clear To clear the NetCAPI packet log, use the dcp trcp clear command. dcp status disp To display the NetCAPI status, use the dcp status disp command. dcp object [object_id] To display the NetCAPI objects, use the dcp object [object_id] commands. 10. Using RADIUS • What is RADIUS? A Network Access Server (NAS, e.g., a Router) operates as a client of RADIUS.
# Zyxel proprietary attributes
ATTRIBUTE Zyxel-Callback-Option 192 integer
VALUE Zyxel-Callback-Option None 0
VALUE Zyxel-Callback-Option Optional 1
VALUE Zyxel-Callback-Option Mandatory 2
# Zyxel Callback phone number source
ATTRIBUTE Zyxel-Callback-Phone-Source 193 integer
VALUE Zyxel-Callback-Phone-Source Preconfigured 0
VALUE Zyxel-Callback-Phone-Source User 1
3. Enter the RADIUS client IP and the shared secret (the 'Key' configured later in menu 23.2) in the 'Clients' file. The file holds the secret in clear text, so protect it with file permissions. See an example below.
5. Run "RADIUS.EXE -X15" to turn on the RADIUS service.
• P-202H Plus v2 Setup
Menu 23.2 - System Security - External Server Authentication Server: Active= Yes Type= RADIUS Server Address= 203.66.113.10 Port #= 1645 Key= key187
Key Settings:
o Server Address: Enter the IP address of the RADIUS server. For example, 203.66.113.10.
o Port#: The default RADIUS/UDP port is 1645, the historic port; RFC 2865 assigns 1812. Reboot the P-202H Plus v2 if it is changed to 1812.
o Key: The shared secret; it must be identical to the entry in the server's 'Clients' file. RADIUS hides the User-Password only with MD5 of this secret, so use a long random value rather than a short word like the example 'key187'.
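The 'Key' above is the RADIUS shared secret, and its strength is the whole protection of the exchange. As an added example (not ZyXEL code), the following builds an Access-Request the way a NAS such as the P-202H Plus v2 does, hides the User-Password with the RFC 2865 MD5 scheme, and verifies the Response Authenticator on the reply so that a forged Access-Accept from someone without the secret is rejected. The secret 'key187' and NAS address 192.168.1.1 are the page's example values; attribute number 192 (Zyxel-Callback-Option) comes from the dictionary above; the username, password and request identifier are constructed.

```python
"""RADIUS Access-Request/Accept handling per RFC 2865 (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_ZYXEL_CALLBACK_OPTION = 192      # from the dictionary entries above
CALLBACK_MANDATORY = 2                # VALUE Zyxel-Callback-Option Mandatory 2


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte chunks with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(pad and padded or padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out, prev = out + c, c
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ b for x, b in zip(c, block)), c
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    """Return (packet, request_authenticator); the NAS keeps the authenticator."""
    req_auth = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def response_authenticator(secret, code, ident, attrs, request_auth) -> bytes:
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(secret, code, ident, attrs, request_auth) -> bytes:
    """What the server sends back, e.g. an Access-Accept carrying attribute 192."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(secret, code, ident, attrs, request_auth) + attrs


def verify_response(secret: bytes, packet: bytes, request_auth: bytes) -> bool:
    """NAS-side check: the reply must carry a valid Response Authenticator."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(secret, code, ident, packet[20:], request_auth)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"key187"
    request, req_auth = build_access_request(secret, 7, "test", "s3cret", "192.168.1.1")
    accept = build_response(secret, ACCESS_ACCEPT, 7,
                            attr(ATTR_ZYXEL_CALLBACK_OPTION, struct.pack("!I", CALLBACK_MANDATORY)),
                            req_auth)
    print("request bytes:", len(request), "accept verified:", verify_response(secret, accept, req_auth))
    print("forged accept verified:", verify_response(b"guess", accept, req_auth))
```

The password hiding is not encryption in any modern sense: anyone who captures the request and can guess the secret recovers the password with the same MD5 loop, which is why the secret, not the port number, deserves the attention.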
P-202H Plus v2 Support Notes When calling back to a remote node the outgoing user information (username and password) are configured in menu 11.1, Remote Node Profile. While calling back to a dial-in user, the outgoing user information are configured in two fields in menu 13, O/G Login and O/G Password.
Period(hr)= Press ENTER to Confirm or ESC to Cancel:
2. Create a remote node for a LAN-to-LAN connection using the CLID callback.
Menu 11.1 - Remote Node Profile Rem Node Name= LAN1 Active= Yes Call Direction= Both Incoming: Rem Login= test Rem Password= **** Rem CLID= 20000 Call Back= Yes Outgoing: My Login= test My Password= **** Authen= CHAP/PAP Pri Phone #= 20000 Sec Phone #= Edit PPP Options= No Rem IP Addr= 192.168.2.
Password Outgoing: Pri Phone # • Enter the phone number of the remote node for calling back.
Setup the P-202H Plus v2 for calling back to a dial-in user
Generally, several settings must be checked when using CLID callback. They are:
• The 'CLID Authentication' setting in menu 13 must be configured as 'Required' or 'Preferred'.
• The 'Outgoing user information' in menu 13 must be entered.
• The 'Callback' setting in menu 13 must be toggled to 'Mandatory'.
Note that CLID is only as trustworthy as the telephone network that delivers it; calling back to the pre-configured number, rather than to a number supplied by the caller, is what prevents a spoofed CLID from obtaining a connection.
Period(hr)= Press ENTER to Confirm or ESC to Cancel:
CLID Settings:
• CLID Authen: Toggle the 'CLID Authen' option in menu 13 to 'Required'.
• O/G Login: Enter the user name given by the remote user for the authentication.
• O/G Password: Enter the password given by the remote user for the authentication.
2. Create a dial-in user profile using the CLID callback. Menu 14.
12. Using SNMP
1. SNMP Overview
The Simple Network Management Protocol (SNMP) is an application-layer protocol used to exchange management information between network devices (e.g., routers). By using SNMP, network administrators can more easily manage network performance and find and solve network problems. SNMP is a member of the TCP/IP protocol suite; it uses UDP to exchange messages between a management client and an agent residing in a network node.
The Internet Management Model is as shown in figure 1. Interactions between the NMS and managed devices can be any of four different types of commands:
1. Reads: Read is used to monitor the managed devices; NMSs read variables that are maintained by the devices.
2. Writes: Write is used to control the managed devices; NMSs write variables that are stored in the managed devices.
3.
2. SNMPv1 Operations
SNMP itself is a simple request/response protocol. Four SNMPv1 operations are defined:
• Get: Allows the NMS to retrieve an object variable from the agent.
• GetNext: Allows the NMS to retrieve the next object variable from a table or list within an agent. In SNMPv1, when an NMS wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
An SNMPv1 message has two parts. The first part contains the version and a community name; the community name is the only credential in SNMPv1 and travels in clear text. The second part contains the actual SNMP protocol data unit (PDU), specifying the operation to be performed (Get, Set, and so on) and the object values involved in the operation. The following figure shows the SNMPv1 message format. The SNMP PDU contains the following fields:
• PDU type: Specifies the type of PDU.
• Request ID: Associates requests with responses.
1. coldStart (defined in RFC-1215): If the machine cold-starts, the trap will be sent after booting.
2. warmStart (defined in RFC-1215): If the machine warm-starts, the trap will be sent after booting.
3. linkDown (defined in RFC-1215): If any link of IDSL or WAN is down, the trap will be sent with the port number. The port number is its interface index under the interface group.
4.
• Downloading ZyXEL's private MIB
3. Configure the P-202H Plus v2 for SNMP
The SNMP related settings in P-202H Plus v2 are configured in menu 22, SNMP Configuration. The following steps describe a simple setup procedure for configuring all SNMP settings.
Menu 22 - SNMP Configuration SNMP:
Get Community= public Set Community= public Trusted Host= 192.168.1.33 Trap: Community= public Destination= 192.168.1.33 Press ENTER to Confirm or ESC to Cancel:
Key Settings:
• Get Community: Enter the correct Get Community. This Get Community must match the 'Get' and 'GetNext' community requested from the NMS. The default is 'public'.
• Set Community: Enter the correct Set Community. This Set Community must match the 'Set' community requested from the NMS.
Change both communities from the default: SNMPv1 carries them in clear text, and a Set Community of 'public' lets anyone who can reach UDP port 161 reconfigure the router. Trusted Host only restricts the accepted source address, which is not authentication.
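Because the SNMPv1 community string is the only credential, it is worth seeing exactly how it travels. The following is an added example (not ZyXEL or NMS code) that BER-encodes an SNMPv1 GetRequest the way an NMS would send it to the Menu 22 agent and parses the bytes back; it shows that the community ('public' by default) is plain text in every message and that a SetRequest differs only in the PDU tag. The request identifiers and OIDs are constructed, 1.3.6.1.4.1.890 being ZyXEL's enterprise arc.

```python
"""Minimal SNMPv1 encoder/decoder (added example, not ZyXEL or NMS code)."""
from typing import Dict, List, Tuple

INTEGER, OCTET_STRING, NULL, OBJECT_ID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_NEXT_REQUEST: "GetNextRequest",
             GET_RESPONSE: "GetResponse", SET_REQUEST: "SetRequest"}
SNMP_V1 = 0   # version field value for SNMPv1


def tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with short or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value


def encode_int(n: int) -> bytes:
    if n < 0:
        raise ValueError("this example encodes non-negative integers only")
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # keep the sign bit clear for a positive value
        body = b"\x00" + body
    return tlv(INTEGER, body)


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                               # base-128, high bit = continuation
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(OBJECT_ID, bytes(out))


def encode_request(pdu_type: int, community: str, oids: List[str], request_id: int) -> bytes:
    """Message ::= SEQUENCE { version, community, PDU { id, status, index, varbinds } }."""
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(SEQUENCE, varbinds)
    return tlv(SEQUENCE, encode_int(SNMP_V1) + tlv(OCTET_STRING, community.encode()) + tlv(pdu_type, pdu))


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, n = data[pos], data[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(data[pos:pos + k], "big")
        pos += k
    return tag, data[pos:pos + n], pos + n


def decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_message(data: bytes) -> Dict:
    """Pull version, community, PDU type, request-id and OIDs out of a message."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, req_id, pos = read_tlv(pdu, 0)
    _, status, pos = read_tlv(pdu, pos)
    _, _index, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("ascii", errors="replace"),
            "pdu_type": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(status, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    msg = encode_request(GET_REQUEST, "public", ["1.3.6.1.2.1.1.1.0"], 42)
    print(msg.hex())
    print(parse_message(msg))   # the community string is readable in the dump
```

Run against a capture, parse_message is all that is needed to pull every community string off the wire, which is the practical reason the Set Community must not stay 'public'.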
• 2. Configuring NAT
• 3. Address Mapping Sets and NAT Server Sets
• NAT Server Sets
Examples
1. Internet Access Only
2. Internet Access with an Internal Server
3. Using Multiple Global IP addresses for clients and servers
4. Support Non NAT Friendly Applications
What is Multi-NAT?
NAT (Network Address Translation, RFC 1631, since superseded by RFC 3022) is the translation of an Internet Protocol address used within one network to a different IP address known within another network.
• NAT Mapping Types
NAT supports five types of IP/port mapping. They are:
1. One to One: In One-to-One mode, the P-202H Plus v2 maps one ILA to one IGA.
2. Many to One: In Many-to-One mode, the P-202H Plus v2 maps multiple ILAs to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA Only option in today's routers).
3.
Many-to-Many Overload: ... ILA2<--->IGA2, ILA3<--->IGA1, ILA4<--->IGA2, ...
Many-to-Many No Overload: ILA1<--->IGA1, ILA2<--->IGA3, ILA3<--->IGA2, ILA4<--->IGA4, ...
Server: Server 1 IP<--->IGA1, Server 2 IP<--->IGA1
• SUA Versus NAT
SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules, Many-to-One and Server. The P-202H Plus v2 now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers.
P-202H Plus v2 Support Notes Pri Phone #= 1234 Sec Phone #= My Login= ChangeMe My Password= ******** My WAN IP Addr= 0.0.0.0 NAT= SUA Only Address Mapping Set= N/A Telco Options: Transfer Type= 64K Multilink= Off Idle Timeout= 100 Press ENTER to Confirm or ESC to Cancel: The following figure shows how you apply NAT to the remote node in menu 11.1. Menu 11.3 - Remote Node Network Layer Options Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.
default NO to Yes, then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options. The following table describes the options for Network Address Translation.
Network Address Translation options:
• Full Feature: When you select this option the SMT will use Address Mapping Set 1 (Menu 15.1; see later for further discussion).
• None: NAT is disabled when you select this option.
• SUA Only: The SMT uses the pre-configured SUA set (Set 255).
Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to LAN clients. Each remote node must specify which NAT Address Mapping Set to use. The P-202H Plus v2 has one remote node and so allows you to configure only 1 NAT Address Mapping Set. You can see two NAT Address Mapping sets in Menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT will use Set 1.
Idx  Local Start IP   Local End IP      Global Start IP   Global End IP   Type
---  ---------------  ---------------   ---------------   -------------   ------
 1.  0.0.0.0          255.255.255.255   0.0.0.0                           M-1
 2.  Server Set= 1                      0.0.0.0                           Server
 3. to 10. (unused)
Press ESC or RETURN to Exit:
The following table explains the fields in this screen. Please note that the fields in this menu are read-only.
P-202H Plus v2 Support Notes Please note that the fields in this menu are read-only. However, the settings of the server set 1 can be modified in menu 15.2.1. Now let's look at Option 1 in Menu 15.1. Enter 1 to bring up this menu. Menu 15.1.1 - Address Mapping Rules Set Name= ? Idx Local Start IP Local End IP Global Start IP Global End IP --- --------------- --------------- --------------- --------------- -----1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
(Delete:) ... the selected rule; all the rules after the selected one are then advanced one rule. Save Set means to save the whole set (when you choose this action the Select Rule item is disabled).
Select Rule: When you choose Edit, Insert Before or Delete in the previous field, the cursor jumps to this field to allow you to select the rule to apply the action to. Note: Save Set in the Action field means to save the whole set.
Type (continued): Many-to-Many No Overload, Server
Local IP Start (default 0.0.0.0): This is the starting local IP address (ILA).
Local IP End (default 255.255.255.255): This is the ending local IP address (ILA). If the rule is for all local IPs, put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One type.
Global IP Start (default 0.0.0.0): This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.
Global IP End: This is the ending global IP address (IGA).
P-202H Plus v2 Support Notes Please note that a server can support more than one service, e.g., a server can provide both FTP and Mail service, while another provides only Web service. The following procedures show how to configure a server behind NAT. Step 1. Enter 15 in the Main Menu to go to Menu 15-NAT Setup. Step 2. Enter 2 to go to Menu 15.2-NAT Server Setup. Step 3. Enter the service port number in the Port# field and the inside IP address of the server in the IP Address field. Step 4.
12. 0 0 0.0.0.0
Press ENTER to Confirm or ESC to Cancel:
The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers (RFC 1700 has since been replaced by the online IANA port number registry). Every port forwarded here is reachable from the Internet, so forward only the ports the inside server must offer.
Service                                    Port Number
FTP                                        21
Telnet                                     23
SMTP                                       25
DNS (Domain Name Server)                   53
www-http (Web)                             80
PPTP (Point-to-Point Tunneling Protocol)   1723
• Examples 1. 2. 3. 4.
P-202H Plus v2 Support Notes Menu 4 - Internet Access Setup ISP's Name= ChangeMe Pri Phone #= 1234 Sec Phone #= My Login= ChangeMe My Password= ******** My WAN IP Addr= 0.0.0.0 NAT= SUA Only Address Mapping Set= N/A Telco Options: Transfer Type= 64K Multilink= Off Idle Timeout= 100 Press ENTER to Confirm or ESC to Cancel: From Menu 4 shown above simply choose the SUA Only option from the NAT field. This is the Many-to-One mapping discussed earlier.
2. Internet Access with an Internal Server
In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2.1 - NAT Server Setup (Used for SUA Only) to specify the Internet server behind the NAT, as shown below.
Menu 15.2 - NAT Server Setup (Used for SUA Only)
Rule  Start Port No.  End Port No.  IP Address
---------------------------------------------------
1.    Default         Default       0.0.0.0
2.    80              80            192.168.1.33
3.    0               0             0.0.
3. Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One, Server Set mapping types are used)
In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail. We want to assign the 3 IGAs in the following way using 4 NAT rules.
Rule 1 (One-to-One type) to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1.
P-202H Plus v2 Support Notes My Login= ChangeMe My Password= ******** My WAN IP Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set= N/A Telco Options: Transfer Type= 64K Multilink= Off Idle Timeout= 100 Press ENTER to Confirm or ESC to Cancel: Step 2: Go to menu 15.1 and choose 1 (not 255, SUA this time) to begin configuring this new set. Enter a Set Name, choose the Edit Action and then select 1 from Select Rule field. Press [ENTER] to confirm. See the following setup for the four rules in our case.
P-202H Plus v2 Support Notes Rule 2 Setup: Selecting One-to-One type to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2. Menu 15.1.1.2 - - Rule 2 Type: One-to-One Local IP: Start= 192.168.1.11 End = N/A Global IP: Start= [Enter IGA2] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3. Menu 15.1.1.3 - - Rule 3 Type: Many-to-One Local IP: Start= 0.0.0.0 End = 255.255.255.
P-202H Plus v2 Support Notes Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3. Menu 15.1.1.4 - - Rule 4 Type: Server Local IP: Start= N/A End = N/A Global IP: Start=[Enter IGA3] End = N/A Server Mapping Set= 2 Press ENTER to Confirm or ESC to Cancel: When we have configured all four rules Menu 15.1.1 should look as follows. Menu 15.1.
Press ESC or RETURN to Exit:
Step 3: Now we configure all other incoming traffic to go to our web server and mail server (ILA3, 192.168.1.20) from Menu 15.2.2 - NAT Server Setup (not Set 1; Set 1 is used for the SUA Only case).
Menu 15.2.2 - NAT Server Setup
Rule  Start Port No.  End Port No.  IP Address
---------------------------------------------------
1.    Default         Default       0.0.0.0
2.    80              80            192.168.1.20
3.    25              25            192.168.1.20
4.    0               0             0.0.0.0
5.    0               0             0.0.0.0
6.    0               0             0.0.0.0
7.    0               0             0.0.0.0
8.
One rule configured for using the Many-to-Many No Overload mapping type is shown below.
Menu 15.1.1.1 - - Rule 1 Type: Many-to-Many No Overload Local IP: Start= 192.168.1.10 End = 192.168.1.12 Global IP: Start= [Enter IGA1] End = [Enter IGA3] Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:
The three rules configured for using the One-to-One mapping type are shown below. Menu 15.1.1.
Start= 192.168.1.10 End = N/A Global IP: Start= [Enter IGA1] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:
Menu 15.1.1.2 - - Rule 2 Type: One-to-One Local IP: Start= 192.168.1.11 End = N/A Global IP: Start= [Enter IGA2] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:
Menu 15.1.1.3 - - Rule 3 Type: One-to-One Local IP: Start= 192.168.1.12 End = N/A Global IP: Start= [Enter IGA3] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:
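To see how the four rules of the multiple-IGA example and the Many-to-Many No Overload example translate real traffic, here is an added example (not ZyXEL code) that evaluates an address mapping set the way the text describes: rules are consulted in order, One-to-One and Many-to-Many No Overload map addresses one for one, Many-to-One and Many-to-Many Overload share global addresses by rewriting ports, and a Server rule steers unsolicited inbound traffic by destination port. The values 203.0.113.1 to 203.0.113.3 stand in for the '[Enter IGAx]' placeholders and the port allocation is a simplification; both are assumptions.

```python
"""Address Mapping Set evaluator (added example, not ZyXEL code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed values for the [Enter IGA1]..[Enter IGA3] placeholders (TEST-NET-3)
IGA1, IGA2, IGA3 = "203.0.113.1", "203.0.113.2", "203.0.113.3"


def ip2int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int2ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


@dataclass
class Rule:
    type: str                                    # Type field of Menu 15.1.1.x
    local_start: str = "0.0.0.0"                 # Local IP Start (ILA)
    local_end: Optional[str] = None              # Local IP End, N/A for One-to-One
    global_start: str = "0.0.0.0"                # Global IP Start (IGA)
    global_end: Optional[str] = None             # Global IP End
    server_set: Optional[Dict[int, str]] = None  # Server Mapping Set: port -> inside IP


class AddressMappingSet:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.next_port = 1024                    # assumption: simple PAT port allocator
        self.by_local: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.by_global: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _pat(self, iga: str, ila: str, port: int) -> Tuple[str, int]:
        """Share one IGA among many ILAs by giving each session its own port."""
        key = (ila, port)
        if key not in self.by_local:
            mapped = (iga, self.next_port)
            self.next_port += 1
            self.by_local[key] = mapped
            self.by_global[mapped] = key
        return self.by_local[key]

    def outbound(self, ila: str, port: int) -> Optional[Tuple[str, int]]:
        """Translate a LAN client's source (ILA, port); None if no rule applies."""
        src = ip2int(ila)
        for r in self.rules:
            if r.type == "Server":               # Server rules only act inbound
                continue
            lo, hi = ip2int(r.local_start), ip2int(r.local_end or r.local_start)
            if not lo <= src <= hi:
                continue
            glo = ip2int(r.global_start)
            if r.type == "One-to-One":
                return r.global_start, port
            if r.type == "Many-to-One":
                return self._pat(r.global_start, ila, port)
            if r.type == "Many-to-Many No Overload":
                return int2ip(glo + (src - lo)), port
            if r.type == "Many-to-Many Overload":
                count = ip2int(r.global_end) - glo + 1
                return self._pat(int2ip(glo + (src - lo) % count), ila, port)
            raise ValueError(f"unknown mapping type {r.type}")
        return None

    def inbound(self, iga: str, port: int) -> Optional[Tuple[str, int]]:
        """Reverse-translate (IGA, port): existing session first, then the rules."""
        if (iga, port) in self.by_global:
            return self.by_global[(iga, port)]
        dst = ip2int(iga)
        for r in self.rules:
            glo, ghi = ip2int(r.global_start), ip2int(r.global_end or r.global_start)
            if not glo <= dst <= ghi:
                continue
            if r.type == "One-to-One":
                return r.local_start, port
            if r.type == "Many-to-Many No Overload":
                return int2ip(ip2int(r.local_start) + (dst - glo)), port
            if r.type == "Server" and r.server_set:
                target = r.server_set.get(port, r.server_set.get(0))  # 0 = Default row
                return (target, port) if target else None
        return None                              # unsolicited traffic is dropped


def example_set() -> AddressMappingSet:
    """The four rules of the 'Multiple Global IP addresses' example above."""
    return AddressMappingSet([
        Rule("One-to-One", "192.168.1.10", global_start=IGA1),             # FTP Server 1
        Rule("One-to-One", "192.168.1.11", global_start=IGA2),             # FTP Server 2
        Rule("Many-to-One", "0.0.0.0", "255.255.255.255", IGA3),          # other clients
        Rule("Server", global_start=IGA3,
             server_set={80: "192.168.1.20", 25: "192.168.1.20"}),       # web and mail
    ])


if __name__ == "__main__":
    nat = example_set()
    print(nat.outbound("192.168.1.10", 21), nat.outbound("192.168.1.50", 3000))
    print(nat.inbound(IGA3, 80), nat.inbound(IGA3, 22))
```

Rule order is the security-relevant part: if the Many-to-One rule with the 0.0.0.0 to 255.255.255.255 range were placed first it would swallow the two FTP servers as well, and the Server rule for IGA3 decides which unsolicited inbound ports reach anything at all (here only 80 and 25, everything else is dropped).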
IPSec VPN
1. Using IPSec VPN
What is IPSec?
IPSec is a set of IP extensions developed by the IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv4) and also the upcoming one (IPv6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP, and ICMP. Because it works at the IP layer, IPSec protects every application above it without changes to the applications, which is what makes it so widely applicable.
• Avaya VPN
• Netopia VPN
• III VPN
As shown in the figure below, the tunnel between P-202H Plus v2 A and P-202H Plus v2 B ensures that the packets flowing between PC 1 and PC 2 are secure, because packets going through the IPSec tunnel are encrypted and authenticated. To achieve this VPN tunnel, the settings required for each P-202H Plus v2 are explained in the following sections. The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 A P-202H Plus v2 B PC 2 LAN: 202.132.155.
P-202H Plus v2 Support Notes 4. On the CONFIGURE-IKE menu, check Active check box and give a name to this policy. 5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in P-202H Plus v2 B. 6. Source IP Address Start and Source IP Address End are PC 1 IP in this example. (the secure host behind P-202H Plus v2 A) 7. Destination IP Address Start and Destination IP Address End are PC 2 IP in this example. (the secure remote host) 8. My IP Addr is the WAN IP of P-202H Plus v2 A. 9.
See the screen shot:
P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below. 1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes' and then pressing 'Enter'. 2. There are two phases for IKE: In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission.
P-202H Plus v2 Support Notes 2. Setup P-202H Plus v2 B Similar to the settings for P-202H Plus v2 A, P-202H Plus v2 B is configured in the same way. 1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in URL field. 2. Click Advanced, and click VPN tab on the left. 3. On the SUMMARY menu, Select a policy to edit by clicking Edit. 4. On the CONFIGURE-IKE menu, check Active check box and give a name to this policy. 5.
12. Select Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in P-202H Plus v2 A.
13. Enter the key string 12345678 in the Preshared Key text box, and click Apply.
DES and MD5 are used here only so that the two ends of the example match; both are considered weak today, so choose the strongest algorithms both peers support (3DES or AES with SHA-1 where available) and use a long random pre-shared key rather than a short string like 12345678.
See the screen shot:
P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below. 1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes' and then pressing 'Enter'. 2. There are two phases for IKE: In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission.
3. Troubleshooting
Q: How do we know the above tunnel works?
A: If the connection between PC 1 and PC 2 is OK, we know the tunnel works. Try to ping from PC 1 to PC 2 (or PC 2 to PC 1). If PC 1 and PC 2 can ping each other, the IPSec tunnel has been established successfully. A successful ping alone only proves reachability, so also confirm in the SA Monitor that an SA exists; otherwise the traffic may be flowing in the clear. If the ping fails, there are two methods to troubleshoot IPSec in the P-202H Plus v2.
• Menu 27.2, SA Monitor Through menu 27.
2 3 4 5 6 7 8 9 10 Select Command= Refresh Select Connection= N/A Press ENTER to Confirm or ESC to Cancel:
• Using CI command 'ipsec debug 1'
Enter 'ipsec debug 1' in Menu 24.8. Detailed messages are then printed showing how the negotiations take place. If the IPSec connection fails, please dump the 'ipsec debug 1' output for our analysis. The following shows an example of the dumped messages.
4. View Log
To view the log for IPSec and IKE connections, enter menu 27.3, View IPSec Log. The log menu is also useful for troubleshooting; please capture it and send it to us if necessary. Please refer to the example below.
The IP addresses we use in this example are as shown below.

    PC 1             202.132.155.33
    P-202H Plus v2   LAN: 202.132.171.1   WAN: 202.132.170.1
    PC 2             202.132.171.33

1. Setup Soft-PK VPN

1. Open the Soft-PK Security Policy Editor.
2. Add a new connection named 'P-202H Plus v2' as shown below.
3. Set Connection Security to Secure.

Remote Party Identity and Addressing settings:

4. In the ID Type option, choose IP Address and enter the IP address of the remote PC (PC 2 in this case).
5. Check Connect using Secure Gateway Tunnel, also select IP Address as the ID Type, and enter the WAN IP address of P-202H Plus v2 in the following field.

The detailed configuration is shown in the following figure.

Pre-Shared Key Settings:

6. Expand the P-202H Plus v2 icon; you will see My Identity.
7. Click My Identity, then click the Pre-Shared Key icon on the right side of the window.
8. In the pop-up window, enter a key that you will later also configure in P-202H Plus v2. In this example we enter 12345678 (an example value only; use a long random key in production). See below.
Security Policy Settings:

9. Click the Security Policy option and choose Main Mode as the Phase 1 Negotiation Mode.
10. Expand the Security Policy icon; you will see two icons, Authentication (Phase 1) and Key Exchange (Phase 2).
11. The settings shown in the following two figures for both phases are our examples. You can choose any, but they must match whatever you enter in P-202H Plus v2.
2. Setup P-202H Plus v2 VPN

1. Using a web browser, log in to P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234 (change it before the router is reachable from any untrusted network).
2. Click Advanced, and click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE-IKE menu, check the Active check box and give a name to this policy.
5.

Figure 8: See the VPN rule screen shot
If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission.

Please note that any configuration in 'IKE Setup' must match the settings in the VPN software.

Network Diagram Key

In our network diagram figures, a dotted line indicates a logical connection (i.e., the two devices are not physically attached), a solid line indicates a physical connection (i.e., there is a physical link between the two devices and they are directly attached), and a pipe indicates a secure connection between two devices.

2.
• Avaya VPN
• Netopia VPN
• III VPN

As the figure below shows, the tunnel between P-202H Plus v2 A and P-202H Plus v2 B ensures that the packets flowing between PC 1 and PC 2 are secure, because packets that go through the IPSec tunnel are encrypted. To achieve this VPN tunnel, the settings required for each P-202H Plus v2 are explained in the following sections. The IP addresses we use in this example are as shown below.

    PC 1   P-202H Plus v2 A   P-202H Plus v2 B   PC 2
    LAN: 192.168.1.
2. Click Advanced, and click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE-IKE menu, check the Active check box and give a name to this policy.
5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as configured in P-202H Plus v2 B.
6. Source IP Address Start and Source IP Address End are the PC 1 IP in this example (the secure host behind P-202H Plus v2 A).
7.

See the screen shot:

If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission. Note that any configuration in 'IKE Setup' must be consistent between P-202H Plus v2 A and P-202H Plus v2 B.
2. Setup P-202H Plus v2 B

P-202H Plus v2 B is configured in the same way as P-202H Plus v2 A, with the source and destination sides mirrored (B's source hosts are A's destination hosts and vice versa).

1. Using a web browser, log in to P-202H Plus v2 by entering its LAN IP address in the URL field.
2. Click Advanced, and click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE-IKE menu, check the Active check box and give a name to this policy.
5.

12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as configured in P-202H Plus v2 A. (DES and MD5 are the example choices of these notes, not a recommendation; both are weak by today's standards.)
13. Enter the key string 12345678 in the Preshared Key text box, and click Apply.

See the screen shot:

If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission. Note that any configuration in 'IKE Setup' must be consistent between P-202H Plus v2 A and P-202H Plus v2 B.
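The consistency the notes ask for (identical IKE settings on both peers, and rules that mirror each other) can be checked mechanically before touching the SA Monitor. The following Python script is an added example, not ZyXEL code: it models a CONFIGURE-IKE rule with an assumed set of field names, reports every mismatch between the A and B rules, and also tells which side can bring the tunnel up when one side has entered 0.0.0.0 as the Secure Gateway IP Addr for a dynamic peer (the convention described in the NETSCREEN notes later in this document). The sample WAN and host addresses are borrowed from the notes' Cisco example; the rules themselves are constructed.

```python
"""Consistency check for a pair of IPSec VPN rules, one per gateway.

Added example, not ZyXEL code.  The field names are an assumed
representation of the CONFIGURE-IKE fields the notes walk through
(Negotiation Mode, Source/Destination IP Address Start/End, My IP Addr,
Secure Gateway IP Addr, algorithms, Preshared Key).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class VpnRule:
    name: str
    my_ip: str              # My IP Addr: this gateway's WAN address
    secure_gw: str          # Secure Gateway IP Addr: peer WAN, or 0.0.0.0 if the peer is dynamic
    src: Tuple[str, str]    # Source IP Address Start, End (local secure hosts)
    dst: Tuple[str, str]    # Destination IP Address Start, End (remote secure hosts)
    negotiation: str = "Main"
    encryption: str = "DES"
    authentication: str = "MD5"
    preshared_key: str = "12345678"


PHASE_FIELDS = ("negotiation", "encryption", "authentication", "preshared_key")


def check_pair(a: VpnRule, b: VpnRule) -> List[str]:
    """Return the mismatches between two rules; an empty list means they mirror each other."""
    problems = []
    # IKE / IPSec parameters and the pre-shared key must be identical on both peers.
    for f in PHASE_FIELDS:
        if getattr(a, f) != getattr(b, f):
            problems.append(f"{f}: {a.name}={getattr(a, f)!r} vs {b.name}={getattr(b, f)!r}")
    # Traffic selectors must be mirrored: A's source range is B's destination range.
    if a.src != b.dst:
        problems.append(f"{a.name} source {a.src} != {b.name} destination {b.dst}")
    if a.dst != b.src:
        problems.append(f"{a.name} destination {a.dst} != {b.name} source {b.src}")
    # Each side's Secure Gateway IP must be the other side's My IP, unless that
    # side entered 0.0.0.0 because the peer's address is dynamic.
    for me, peer in ((a, b), (b, a)):
        if me.secure_gw != "0.0.0.0" and me.secure_gw != peer.my_ip:
            problems.append(f"{me.name} secure gateway {me.secure_gw} != {peer.name} WAN {peer.my_ip}")
    if a.secure_gw == "0.0.0.0" and b.secure_gw == "0.0.0.0":
        problems.append("both sides use 0.0.0.0: neither side knows where to send the IKE request")
    return problems


def initiators(a: VpnRule, b: VpnRule) -> List[str]:
    """Gateways that can bring the tunnel up.  A side configured with 0.0.0.0 has
    no peer address to send to, so only the other (dynamic) side can initiate."""
    return [me.name for me, _ in ((a, b), (b, a)) if me.secure_gw != "0.0.0.0"]


# Constructed sample: A at 172.21.10.50 protects PC 1, B at 140.113.10.50 protects PC 2.
RULE_A = VpnRule("A", "172.21.10.50", "140.113.10.50",
                 ("192.168.1.33", "192.168.1.33"), ("192.168.2.2", "192.168.2.2"))
RULE_B = VpnRule("B", "140.113.10.50", "172.21.10.50",
                 ("192.168.2.2", "192.168.2.2"), ("192.168.1.33", "192.168.1.33"))

if __name__ == "__main__":
    print("mismatches:", check_pair(RULE_A, RULE_B) or "none")
    print("can initiate:", initiators(RULE_A, RULE_B))
```

Run it with the two rules you intend to enter; a non-empty list is a Phase 1 or Phase 2 proposal that will never match, or a selector that only one side knows about.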
3. Troubleshooting

Q: How do we know the above tunnel works?

A: If the connection between PC 1 and PC 2 works, the tunnel works. Try to ping from PC 1 to PC 2 (or from PC 2 to PC 1). If PC 1 and PC 2 can ping each other, the IPSec tunnel has been established successfully. If the ping fails, there are two ways to troubleshoot IPSec on the P-202H Plus v2.

• Menu 27.2, SA Monitor

Through menu 27.

(Fragment of the SA Monitor screen; only the connection index column and the command prompt survived extraction.)

    DES-SHA1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    Select Command= Refresh
    Select Connection= N/A
    Press ENTER to Confirm or ESC to Cancel:

• Using the CI command 'ipsec debug 1'

Enter 'ipsec debug 1' in Menu 24.8. Detailed messages are printed showing how the negotiations take place. If the IPSec connection fails, dump the 'ipsec debug 1' output for our analysis. (The dump describes your key exchange; treat it as sensitive and turn debugging back off once you are done.) The following shows an example of the dumped messages.

4. View Log

To view the log for IPSec and IKE connections, enter menu 27.3, View IPSec Log. The log menu is also useful for troubleshooting; capture it for us if necessary. The example shown below is a successful IPSec connection.

    Index:  Date/Time:        Log:
    ------------------------------------------------------------
    001     01 Jan 10:23:22   !! Cannot find outbound SA for rule <1>
    002     01 Jan 10:23:22   Send Main Mode request to <168.10.10.
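When you have to read many of these logs, it helps to parse them rather than eyeball them. The following Python script is an added example, not ZyXEL code: it parses the menu 27.3 log screen using the two message forms visible in the excerpt above, flags the '!!' lines, and reports per rule whether a Main Mode request followed the "Cannot find outbound SA" message (the first such message is normal: it is the packet that triggers IKE). The sample log is constructed from those two forms; the rule <2> line is hypothetical, and the peer address is the NETSCREEN WAN address used elsewhere in these notes. Any other message text is kept but left unclassified.

```python
"""Parse and summarize a P-202H Plus v2 IPSec log (SMT menu 27.3, View IPSec Log).

Added example, not ZyXEL code.  Only the two message forms shown in the notes'
excerpt are recognized; everything else is kept as an unclassified line.
SAMPLE_LOG is constructed (the rule <2> line is hypothetical).
"""
import re
from typing import Dict, List

# e.g. "001 01 Jan 10:23:22 !! Cannot find outbound SA for rule <1>"
LOG_LINE = re.compile(r"^(?P<index>\d{3})\s+(?P<time>\d{2} \w{3} \d{2}:\d{2}:\d{2})\s+(?P<msg>.+)$")
NO_SA = re.compile(r"Cannot find outbound SA for rule <(?P<rule>\d+)>")
MAIN_MODE = re.compile(r"Send Main Mode request to <(?P<peer>[0-9.]+)>")

SAMPLE_LOG = """\
Index: Date/Time: Log:
------------------------------------------------------------
001 01 Jan 10:23:22 !! Cannot find outbound SA for rule <1>
002 01 Jan 10:23:22 Send Main Mode request to <168.10.10.66>
003 01 Jan 10:24:05 !! Cannot find outbound SA for rule <2>
"""


def parse_ipsec_log(text: str) -> List[Dict]:
    """Turn the log screen into a list of entries; header and separator lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        entry = {
            "index": int(m.group("index")),
            "time": m.group("time"),
            "msg": msg,
            "warning": msg.startswith("!!"),   # the log marks abnormal events with '!!'
            "rule": None,                      # rule number from a missing-SA message
            "peer": None,                      # peer address from a Main Mode request
        }
        hit = NO_SA.search(msg)
        if hit:
            entry["rule"] = int(hit.group("rule"))
        hit = MAIN_MODE.search(msg)
        if hit:
            entry["peer"] = hit.group("peer")
        entries.append(entry)
    return entries


def summarize(entries: List[Dict]) -> Dict:
    """Per rule: how often traffic matched it without an SA, and whether the
    router then started IKE.  The excerpt in the notes logs the Main Mode
    request right after the missing-SA message, so that is what is checked.
    A rule that keeps logging missing SAs with no request following it never
    gets a negotiation started (heuristic: re-check Active and Secure Gateway IP Addr)."""
    rules: Dict[int, Dict] = {}
    for i, e in enumerate(entries):
        if e["rule"] is None:
            continue
        r = rules.setdefault(e["rule"], {"no_sa": 0, "ike_started": False})
        r["no_sa"] += 1
        if i + 1 < len(entries) and entries[i + 1]["peer"] is not None:
            r["ike_started"] = True
    return {
        "warnings": sum(1 for e in entries if e["warning"]),
        "peers_contacted": sorted({e["peer"] for e in entries if e["peer"]}),
        "rules": rules,
    }


if __name__ == "__main__":
    s = summarize(parse_ipsec_log(SAMPLE_LOG))
    for rule, info in s["rules"].items():
        state = "IKE started" if info["ike_started"] else "no IKE request seen"
        print(f"rule <{rule}>: {info['no_sa']} packet(s) without SA, {state}")
```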
The IP addresses we use in this example are as shown below.

    PC 1             192.168.1.33
    P-202H Plus v2   LAN: 192.168.1.1   WAN: 172.21.10.50
    Cisco            LAN: 192.168.2.1   WAN: 140.113.10.50
    PC 2             192.168.2.2

Note:
1. When using a Cisco router to establish the VPN, a back-to-back connection is not applicable. In other words, the WAN IP of P-202H Plus v2 and the WAN IP of the Cisco router can't be in the same subnet.
2. The following configurations assume that both VPN gateways have fixed IP addresses.

12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as configured on the Cisco router.
13. Enter the key string 12345678 in the Preshared Key text box, and click Apply.

See the screen shot:

2. Setup Cisco

There are two ways to configure the Cisco VPN: use commands from the console, or use Cisco ConfigMaker. Cisco ConfigMaker is an easy-to-use Windows 98/Me/NT/2000 application that configures Cisco routers, switches, hubs, and other devices. Configuration with ConfigMaker is described in section 2.1. If you prefer to use commands from the console, please go to section 2.2.

2.1 Setup Cisco by ConfigMaker

You can download Cisco ConfigMaker from http://www.cisco.com/warp/public/cc/pd/nemnsw/cm/index.shtml.

1. Select the AutoDetect Device Wizard in the Devices window.
2. Make sure that the console has been connected to your PC. If the router is detected successfully, a Cisco router appears in the Network Diagram window.
3.
See the screen shot:

5. Lay out your network topology in the Network Diagram as shown below. You may choose network components, such as hosts, Internet and Ethernet LAN, from the Devices window.

See the screen shot:

6. Connect the network components by Ethernet from the Connections window at the bottom left. Specify the WAN and LAN IP addresses of P-202H Plus v2 and the Cisco router.

See the screen shot:

7. Select VPN from the Connections window. During this stage you have to enter the pre-shared key, "12345678".

See the screen shot:

8. Select VPN, right-click, and choose Connection Properties.... Set up the IPSec parameters as shown below. Note that the parameters you set here must match the settings in P-202H Plus v2. In IKE Advanced Settings, Encryption Algorithm is 56-bit DES, Authentication Algorithm is MD5 and the SA lifetime is 1 hr. In IPSec Transform, Encryption Algorithm is 56-bit DES, Authentication Algorithm is MD5, and the SA lifetime is 1 hr.

See the screen shot:

9. Choose the Cisco router, and click Deliver to save the settings.

See the screen shot:

10. Enter Cisco command mode from the console and check whether the Cisco router can ping P-202H Plus v2 successfully. You might have to tune the configuration to accommodate your practical environment. For more detailed information, please go to http://www.cisco.com.
11. In config mode, enter the command "crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac".
12.
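What ConfigMaker delivers ends up in the router's running configuration (reproduced after this example), and the points that must agree with the P-202H Plus v2 rule can be checked from that text: the crypto map must name the P-202H WAN address as peer, its transform set must be the DES/MD5 one the notes configure, its ACL must select PC 2 to PC 1, and the map must actually be applied to the Internet-facing interface. The following Python script is an added example, not ZyXEL or Cisco code. Its sample configuration is constructed from the fragment in the notes (crypto map cm-cryptomap, peer 172.21.10.50, cm-transformset-1, Ethernet0 as WAN); access-list 100 is not shown in the notes and is assumed here in standard IOS syntax.

```python
"""Cross-check the Cisco side of the P-202H Plus v2 <-> Cisco tunnel from the
router's running configuration.  Added example, not ZyXEL or Cisco code.
SAMPLE_CONFIG is constructed from the fragment in the notes; access-list 100
is not shown there and is assumed (PC 2 -> PC 1, the traffic the tunnel carries)."""
from typing import Dict, List

SAMPLE_CONFIG = """\
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
!
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 172.21.10.50
 set transform-set cm-transformset-1
 match address 100
!
interface Ethernet0
 ip address 140.113.10.50 255.255.0.0
 crypto map cm-cryptomap
!
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
!
access-list 100 permit ip host 192.168.2.2 host 192.168.1.33
"""


def _ace(tokens: List[str]) -> Dict:
    """Parse the 'host A' / 'A WILDCARD' / 'any' source and destination of an ACE."""
    def take(i):
        if tokens[i] == "any":
            return ("any", "255.255.255.255"), i + 1
        if tokens[i] == "host":
            return (tokens[i + 1], "0.0.0.0"), i + 2
        return (tokens[i], tokens[i + 1]), i + 2
    src, i = take(0)
    dst, _ = take(i)
    return {"src": src, "dst": dst}


def parse_ios_crypto(config: str) -> Dict:
    """Collect transform sets, crypto maps, interfaces and crypto ACLs from IOS config text."""
    out = {"transform_sets": {}, "crypto_maps": {}, "interfaces": {}, "acls": {}}
    block = None  # (section, name) of the indented block being read
    for line in config.splitlines():
        t = line.split()
        if not t or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level statement: may open a new block
            block = None
            if t[:3] == ["crypto", "ipsec", "transform-set"]:
                out["transform_sets"][t[3]] = t[4:]
            elif t[:2] == ["crypto", "map"] and len(t) >= 5:
                block = ("crypto_maps", t[2])
                out["crypto_maps"][t[2]] = {"seq": int(t[3]), "peer": None, "transform_set": None, "acl": None}
            elif t[0] == "interface":
                block = ("interfaces", t[1])
                out["interfaces"][t[1]] = {"ip": None, "crypto_map": None}
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                out["acls"].setdefault(t[1], []).append(_ace(t[4:]))
            continue
        if block is None:
            continue
        section, name = block
        entry = out[section][name]
        if section == "crypto_maps":
            key = {"peer": "peer", "transform-set": "transform_set", "address": "acl"}.get(t[1])
            if key:
                entry[key] = t[2]
        elif section == "interfaces" and t[:2] == ["ip", "address"]:
            entry["ip"] = t[2]
        elif section == "interfaces" and t[:2] == ["crypto", "map"]:
            entry["crypto_map"] = t[2]
    return out


def check_cisco_side(cfg: Dict, zyxel_wan: str, local_host: str, remote_host: str,
                     transforms=("esp-des", "esp-md5-hmac")) -> List[str]:
    """Problems that would keep the tunnel in the notes from coming up; empty means consistent."""
    problems = []
    bound = {i["crypto_map"] for i in cfg["interfaces"].values()}
    for name, cm in cfg["crypto_maps"].items():
        if name not in bound:  # defined but never applied to the WAN interface
            problems.append(f"crypto map {name} is not applied to any interface")
        if cm["peer"] != zyxel_wan:
            problems.append(f"crypto map {name} peers with {cm['peer']}, expected {zyxel_wan}")
        ts = cfg["transform_sets"].get(cm["transform_set"])
        if ts is None or set(ts) != set(transforms):
            problems.append(f"crypto map {name} transform set {cm['transform_set']} = {ts}, expected {list(transforms)}")
        aces = cfg["acls"].get(cm["acl"], [])
        if not any(a["src"] == (local_host, "0.0.0.0") and a["dst"] == (remote_host, "0.0.0.0") for a in aces):
            problems.append(f"access-list {cm['acl']} does not select {local_host} -> {remote_host}")
    return problems


if __name__ == "__main__":
    print(check_cisco_side(parse_ios_crypto(SAMPLE_CONFIG),
                           "172.21.10.50", "192.168.2.2", "192.168.1.33") or "Cisco side consistent")
```

Feed it the output of "show running-config" and the P-202H WAN address, local host and remote host from your rule; an empty list means the four points above agree with the P-202H side.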
    !
    version 12.2
    no parser cache
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Cisco1720
    !
    logging rate-limit console 10 except errors
    enable password 7 1543595F50
    !
    memory-size iomem 15
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    !
    !
    no ip domain-lookup
    !
    ip dhcp pool 1
     network 192.168.2.0 255.255.255.0
     default-router 192.168.2.

    crypto map cm-cryptomap 1 ipsec-isakmp
     set peer 172.21.10.50
     set transform-set cm-transformset-1
     match address 100
    !
    interface Ethernet0
     description connected to Internet
     ip address 140.113.10.50 255.255.0.0
     half-duplex
     crypto map cm-cryptomap
    !
    interface FastEthernet0
     description connected to EthernetLAN_1
     ip address 192.168.2.1 255.255.255.0
     speed auto
    !
    router rip
     version 1
     passive-interface Ethernet0
     network 140.113.0.0
     network 192.168.2.

    !
    no scheduler allocate
    end

Two things are worth noting in this configuration. The "enable password 7 ..." line stores the privileged-mode password with the type 7 scheme that "service password-encryption" produces; that encoding is reversible and gives no real protection, so use "enable secret" instead. The "crypto map cm-cryptomap" line under interface Ethernet0 is what actually activates IPSec on the WAN side; a crypto map that is defined but never applied to the Internet-facing interface is a common reason a tunnel never comes up.

After all of the settings, if PC 1 and PC 2 can reach each other, the IPSec VPN has been established successfully. A useful command to debug the IPSec VPN is "debug crypto ipsec" ("debug crypto isakmp" shows the Phase 1 exchange).

P-202H Plus v2 to SonicWALL Tunneling

This page guides us through setting up a VPN connection between P-202H Plus v2 and SonicWALL. As the figure below shows, the tunnel between PC 1 and PC 2 ensures that the packets flowing between them are secure.
1. Setup P-202H Plus v2

1. Log in to P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234.
2. Click Advanced, and click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE-IKE menu, check the Active check box and give a name to this policy.
5.

See the screen shot:

2. Setup SonicWALL

1. Log in to SonicWALL by entering its LAN IP address; the default is 192.168.168.1.
2. Click the General menu, and click the Network tab.
3. Select NAT Enabled as the Network Addressing Mode.
4. In LAN Settings, enter a LAN IP and Subnet Mask for SonicWALL.
5. In WAN Settings, enter a WAN IP, Subnet Mask, and WAN Gateway for SonicWALL.
6. In DNS Settings, enter the DNS IP.
7. Click Update to save the settings to SonicWALL.
8. Click DHCP, enable DHCP, and set the Dynamic Ranges.
9. Click VPN, then click the Configure tab.
10. In the Security Association option, select Add New SA.
11. In the IPSec Keying Mode option, select IKE using pre-shared secret.
12. In the Name option, give a name for this SA.
13. In IPSec Gateway Address, enter the P-202H Plus v2 WAN IP.
14.

If the SA is up, a new button, Renegotiate, appears in the Summary screen.
P-202H Plus v2 to WatchGuard Tunneling

This page guides us through setting up a VPN connection between P-202H Plus v2 and WatchGuard. As the figure below shows, the tunnel between PC 1 and PC 2 ensures that the packets flowing between them are secure. To set up this VPN tunnel, the required settings for P-202H Plus v2 and WatchGuard are explained in the following sections. The IP addresses we use in this example are as shown below.

    PC 1   P-202H Plus v2   WatchGuard   PC 2
    LAN: 192.168.1.1   LAN: 192.

5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main.
6. Source IP Address Start and Source IP Address End are the PC 1 IP in this example (the secure host behind P-202H Plus v2).
7. Destination IP Address Start and Destination IP Address End are the PC 2 IP in this example (the secure remote host).
8. My IP Addr is the WAN IP of P-202H Plus v2.
9. Secure Gateway IP Addr is the remote secure gateway IP, that is, the WatchGuard WAN IP in this example.
10.

See the screen shot:

2. Setup WatchGuard

1. In the QuickSetup Wizard, select Configure in Routed Mode, and click Next.
2. Enter the IP of PC 2, and click OK.
3. In External Interface, enter the WAN IP for WatchGuard; in Trusted Interface, enter the LAN IP for WatchGuard. Then click Next.
4. Enter the Default Gateway of WatchGuard, then click Next twice.
5. Enter your passwords for Status and Configuration, then click Next.
6. Select Use Serial Cable to Assign IP Address and the Serial Port of your computer, then click Next and OK.
7. Turn the Firebox off and on again. Wait for the configuration file to be uploaded.
8. In the WatchGuard Control Center, click the Policy Manager icon.
9. Pull down Network -> Branch Office VPN -> IPSec. See the figure below.
10. Click Gateway, and click Add.
11.

12. Select isakmp (dynamic) (IKE in P-202H Plus v2) as the Key Negotiation Type and enter a string as the Shared Key.
13. Click Tunnels, and click Add.
14. Select the Gateway you created and click OK.
15. Enter a name in the Name field for this Tunnel.
16. Click the Dynamic Security tab and select Type, Authentication and Encryption for your SAP (ESP, MD5-HMAC, DES-CBC in this example). These settings must be consistent with the P-202H Plus v2 settings.
17. Enable Key expiration. Then click OK twice.
18. Click Add in the main menu to add a Routing Policy.
19. In Local Host, enter the PC 1 IP; in Remote Host, enter the PC 2 IP; then select Secure in Disposition and the Tunnel you created. Then click OK twice.
20. Select 'Save to Firebox' and enter the write passphrase for your WatchGuard.

P-202H Plus v2 to NETSCREEN Tunneling

This page guides us through setting up a VPN connection between P-202H Plus v2 and NETSCREEN. As the figure below shows, the tunnel between PC 1 and PC 2 ensures that the packets flowing between them are secure. To set up this VPN tunnel, the required settings for P-202H Plus v2 and NETSCREEN are explained in the following sections.

    WAN: 202.132.154.1   WAN: 168.10.10.66

Note: The following configurations assume that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, enter 0.0.0.0 as the secure gateway IP address on the fixed side. In this case the VPN connection can only be initiated from the dynamic side to the fixed side: the fixed side takes the source IP of that incoming connection and uses it in place of the 0.0.0.0 entry. Keep in mind that the fixed side then accepts an IKE request for that rule from any address, so the pre-shared key is the only thing that identifies the peer; choose it accordingly.
See the screen shot:

If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing 'Enter'.
2. There are two phases for IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission.

2. Setup NETSCREEN For VPN

1. Configure NETSCREEN by using its web configurator.
2. Log in to NETSCREEN by entering its LAN IP address in the URL field.

Create Local & Remote Secure Host:

1. Click the Address menu and click the Trusted tab.
2. Click New Address to add the local secure host (192.168.78.5 in this example) and give a name to this host address (Local Secure Host in this example). See the screen shown below.
3. Click OK to save it.
4. Click New Address to add the remote secure host (192.168.1.33 in this example) and give a name to this host address (Remote Secure Host in this example). See the screen shown below.

Note: The Netmask field for a single IP is 255.255.255.255. Do not enter the wrong netmask; otherwise the VPN cannot be established correctly.

5. Click OK to save it.

Create Outgoing & Incoming VPN Policy:

1. Click the Policy menu and click the Outgoing tab.
2. Click New Policy to configure the outgoing VPN policy.
3. Give a name to the policy.
4. Select the Local Secure Host that we configured above as the Source Address.
5. Select the Remote Secure Host that we configured above as the Destination Address.
6. Select ANY as the Service.
7. For the rest of the settings, please refer to the following screen shot, and click OK to save.
8. Click the Policy menu and click the Incoming tab.
9. Click New Policy to configure the incoming VPN policy.
10. Give a name to the policy.
11. Select the Remote Secure Host that we configured above as the Source Address.
12. Select the Local Secure Host that we configured above as the Destination Address.
13. Select ANY as the Service.
14. For the rest of the settings, please refer to the following screen shot, and click OK to save.
Create Phase 1 Proposal:

Note that all Phase 1 and Phase 2 settings in NETSCREEN must be consistent with P-202H Plus v2.

1. Click the VPN menu and click the P1 Proposal tab.
2. Click New Phase 1 Proposal to create a Phase 1 proposal.
3. Give a Name for this proposal, for example P-202H Plus v2.
4. Select Preshare as the Authentication Method.
5. Select Group 1 as the DH Group.
6. Select DES-CBC as the Encryption Algorithm.
7. Select MD5 as the Hash Algorithm.
8. Click OK to save. See the screenshot.

Create VPN Gateway:

1. Click the VPN menu and click the Gateway tab.
2. Click New Remote Tunnel Gateway to add the local VPN gateway, i.e., NETSCREEN.
3. Give a name to this gateway, for example NETSCREEN.
4. Click Static IP Address for this example.
5. Enter the WAN IP of NETSCREEN in the IP Address field.
6. Select the P-202H Plus v2 proposal that we configured above as the Phase 1 Proposal.
7. Enter 12345678 as the Preshared Key and click OK to save. See the screenshot.
8. Click New Remote Tunnel Gateway to add the remote VPN gateway, i.e., P-202H Plus v2.
9. Give a name to this gateway, for example P-202H Plus v2.
10. Click Static IP Address for this example.
11. Enter the WAN IP of P-202H Plus v2 in the IP Address field.
12. Select the P-202H Plus v2 proposal that we configured above as the Phase 1 Proposal.
13. Enter 12345678 as the Preshared Key and click OK to save. See the screenshot.

Create AutoKey IKE:

1. Click the VPN menu and click the AutoKey IKE tab.
2. Click New AutoKey IKE Entry to add the entry for the local gateway, i.e., NETSCREEN.
3. Select NETSCREEN as the Remote Gateway Tunnel Name.
4. Select P-202H Plus v2 as the Phase 2 Proposal and click OK to save. See the screen shot.
5. Click the VPN menu and click the AutoKey IKE tab.
6. Click New AutoKey IKE Entry to add the entry for the remote gateway, i.e., P-202H Plus v2.
7. Select P-202H Plus v2 as the Remote Gateway Tunnel Name.
8. Select P-202H Plus v2 as the Phase 2 Proposal and click OK to save. See the screen shot.
9. After all the above settings are finished, you can start to access the remote secure PC. If the VPN is established successfully, you can see the traffic flow in the Traffic Log by clicking the Log menu. See the following screen shot.

You can also see the current active users in the Active Log by clicking the Log menu. See the following screen shot.

3. P-202H Plus v2 vs 3rd Party VPN Software
Checkpoint VPN to P-202H Plus v2 Tunneling

This page guides us through setting up a VPN connection between Checkpoint VPN and the P-202H Plus v2 router. As the figure below shows, the tunnel between P-202H Plus v2 and Checkpoint ensures that the packets flowing between them are secure, because packets that go through the IPSec tunnel are encrypted. To set up this VPN tunnel, the required settings for the software and for P-202H Plus v2 are explained in the following.

Edit the LAN segment of P-202H Plus v2. In this example, we set up P-202H Plus v2 as the DHCP server, and its LAN IP address is 192.168.99.1.

Edit Internet Access of P-202H Plus v2.

In SMT menu 27, create a VPN rule as follows.
2. Setup Checkpoint VPN

Creating Network objects. Click New/Network and define the LAN segment of P-202H Plus v2. Select Location as External. (Note: Internal and External refer to whether this network is protected behind the Checkpoint or not.)

Define the LAN segment of Checkpoint. Select Location as Internal.

If more than one network should use the VPN tunnel, you can merge the networks into one group.
• Go to Manage/Network Objects.
• Click New/Group.
• Fill in the properties for the group object as shown below.

Creating VPN Objects

Define the P-202H Plus v2 box as a tunnel end point (Name: SOHO_TEST). Select the VPN tab to define the protected domain of the P-202H Plus v2 and the encryption schemes used by the tunnel.

Define the Checkpoint box as a tunnel endpoint. Select the VPN tab to define the protected domain of Checkpoint and the encryption schemes used by the tunnel. Choose IKE and press Edit... to edit the Phase 1 parameters and the pre-shared key.

Edit the pre-shared key by selecting Pre-Shared Secret in Authentication Method. Choose Pre-Shared Secret, then press Edit Secrets.... Select SOHO_TEST as the peer, and input the pre-shared key.

Define the VPN policy. Create a new rule at or near the top of the policy. This rule should include both encryption domains as both source and destination, and the action should be Encrypt, as shown below.

Double-click the "Encrypt" action to edit the encryption properties. Select IKE as the form of encryption, click Edit and select the Phase 2 parameters.

WIN2K VPN to P-202H Plus v2

This page guides us through setting up a VPN connection between the WIN2K VPN software and the P-202H Plus v2 router. There are two devices we need to set up for this case: the WIN2K VPN software and the P-202H Plus v2 router.
The IP addresses we use in this example are as shown below.

    PC 1             172.21.1.232
    P-202H Plus v2   LAN: 192.168.1.1   WAN: 172.21.1.252
    PC 2             192.168.1.33

1. Setup WIN2K VPN

- Create a custom MMC console

1. From the Windows desktop, click Start, click Run, and in the Open text box type MMC. Click OK.
2. In the Console window, click Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, click Add.
4. In the Add Standalone Snap-in dialog box, click Computer Management, and then click Add.
5. Verify that Local Computer (the default setting) is selected, and click Finish.
6. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add.
7. Verify that Local Computer (the default setting) is selected in the Group Policy Object dialog box, and then click Finish.
8. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
9. In the Certificates snap-in dialog box, select Computer account, and click Next.
10. Verify that Local Computer (the default setting) is selected, and click Finish.
11. Click Close to close the Add Standalone Snap-in dialog box.
12. Click OK to close the Add/Remove Snap-in dialog box.

- Create IPSec Policy

Typically the Windows 2000 gateway is not a member of a domain, so a local IPSec policy is created. If your Windows 2000 gateway is a member of a domain, an IPSec policy assigned through domain Group Policy overrides the local one. In that case, create an Organizational Unit (OU) in Active Directory, make your WIN2K gateway a member of this OU, and assign the IPSec policy to the Group Policy Object (GPO) of this OU.
2. Right-click IP Security Policies on Local Machine, and then click Create IP Security Policy.
3. Click Next, and type a name for your policy, for example WIN2K to P-202H Plus v2 Tunnel.
4. Uncheck the Activate the default response rule check box, and click Next.
5. Keep the Edit properties check box selected and click Finish.
6. A dialog window comes up for you to configure the two filter rules for this policy.

Note: The IPSec policy is created with the default IKE main mode (Phase 1) settings on the General tab. Check the details by clicking Advanced on this tab. The IPSec tunnel consists of two rules, each of which specifies a tunnel endpoint. Because there are two endpoints, we need two filter rules: one for the direction from PC 1 to PC 2 (endpoint is P-202H Plus v2), and the other from PC 2 to PC 1 (endpoint is WIN2K).
2. On the IP Filter List tab, click Add.
3. Type a name for the filter list (e.g., WIN2K to P-202H Plus v2), uncheck the Use Add Wizard check box, and click Add.
4. In Source address, choose A specific IP Address, and enter the IP address of PC 1.
5. In Destination address, choose A specific IP Address, and enter the IP address of PC 2.
6. Uncheck the Mirrored check box. (Each direction of the tunnel gets its own filter list with its own endpoint, so the mirrored option must be off.)
7. On the Protocol tab, leave the protocol type as Any, because IPSec tunnels do not support protocol-specific or port-specific filters.
8. On the Description tab, you can give a name for this filter list. The filter name is displayed in the IPSec monitor when the tunnel is active.
9. Click OK and Close to close the windows.

- Build a Filter List from PC 2 to PC 1

1. On the IP Filter List tab, click Add.
2. Type a name for the filter list (e.g., P-202H Plus v2 to WIN2K), uncheck the Use Add Wizard check box, and click Add.
3. In Source address, choose A specific IP Address, and enter the IP address of PC 2.
4. In Destination address, choose A specific IP Address, and enter the IP address of PC 1.
5. Uncheck the Mirrored check box.
6. On the Protocol tab, leave the protocol type as Any, because IPSec tunnels do not support protocol-specific or port-specific filters.
7. On the Description tab, you can give a name for this filter list. The filter name is displayed in the IPSec monitor when the tunnel is active.
8. Click OK and Close to close the windows.
- Configure a Rule for the PC 1 to PC 2 tunnel

1. Select the first filter list you created above from the IP Filter List, for example WIN2K to P-202H Plus v2.
2. Click the Tunnel Setting tab and enter the remote endpoint. For this filter list, the remote IPSec endpoint is the P-202H Plus v2.
3. Click the Connection Type tab and click All network connections (or click LAN connections if your WIN2K machine connects to the LAN rather than to an ISP). In our example, we choose All network connections.
4. Click the Filter Action tab, uncheck the Use Add Wizard check box, and click Add.
5. Leave Negotiate security checked, and uncheck the Accept unsecured communication, but always respond using IPSec check box. You must do this to ensure secure connections.
6. Click Add and select Custom (for expert users) if you want to define specific algorithms and session key lifetimes. Make sure the settings match whatever we will configure in the P-202H Plus v2 later.
7. Click OK. On the General tab, give a name to the filter action, for example WIN2K to P-202H Plus v2, and click OK.
8. Select the filter action you just created.
9. On the Authentication Methods tab, click Add and select the Use this string to protect the key exchange (pre-shared key) option. Enter the string 12345678 in the text box.
10. Click OK. See the finished screen shot.
- Configure a Rule for the PC 2 to PC 1 tunnel

1. In the IPSec policy properties, click Add to create a new rule.
2. Select the second filter list you created above from the IP Filter List, for example P-202H Plus v2 to WIN2K.
3. Click the Tunnel Setting tab and enter the remote endpoint. For this filter list, the remote IPSec endpoint is WIN2K.
4. Click the Connection Type tab and click All network connections (or click LAN connections if your WIN2K machine connects to the LAN rather than to an ISP). In our example, we choose All network connections.
5. Click the Filter Action tab and select the filter action you created.
6. On the Authentication Method tab, configure the same settings as in the first rule.
7. Click Close.
8. Enable both rules you created in the policy properties and click Close. Figure 5: See the finished screen shot.

- Assign Your New IPSec Policy to Your Windows 2000

1. In the IP Security Policies on Local Machine MMC snap-in, right-click your new policy, and click Assign.
2. A green arrow will appear in the folder icon next to your policy. See the screen shot below.
For more information about configuring WIN2K IPSec, please refer to the following web sites.

1. http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
2. http://support.microsoft.com/support/kb/articles/q252/7/35.asp

2. Setup P-202H Plus v2 VPN

1. Using a web browser, log in to the P-202H Plus v2 by entering the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1, and the default password to log in to the web configurator is 1234.
2.

Figure 8: See the VPN rule screen shot

If you use SMT management, the VPN configurations are as shown below.

    Menu 27.1.1 - IPSec Setup

        Index #= 1
        Name= P-202H Plus v2
        Active= Yes
        My IP Addr= 172.21.1.252
        Secure Gateway IP Addr= 172.21.1.232
        Protocol= 0
        Local:  IP Addr Start= 192.168.1.33   End= 192.168.1.33
                Port Start= 0   End= N/A
        Remote: IP Addr Start= 172.21.1.232   End= 172.21.1.232
                Port Start= 0   End= N/A
        Enable Replay Detection= No
        Key Management= IKE
        Edit IKE Setup= Yes
        Edit Manual Setup= N/A

        Press ENTER to Confirm or ESC to Cancel:

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.

        Perfect Forward Secrecy (PFS)= None

        Press ENTER to Confirm or ESC to Cancel

Soft-PK VPN to P-202H Plus v2 Tunneling

This page guides you through setting up a VPN connection between the Soft-PK VPN software and the P-202H Plus v2 router. Two devices need to be set up for this case: the VPN software and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1 and the P-202H Plus v2 ensures that the packets flowing between them are secure.
Remote Party Identity and Addressing settings:

4. In the ID Type option, choose IP Address, and enter the IP address of the remote PC (PC 2 in this case).
5. Check Connect using Secure Gateway Tunnel, also select IP Address as ID Type, and enter the P-202H Plus v2's WAN IP address in the following field.

The detailed configuration is shown in the following figure.

Pre-Shared Key Settings:

6. Expand the P-202H Plus v2 icon; you will see My Identity.
7. Click My Identity, then click the Pre-Shared Key icon on the right side of the window.
8. In the pop-up window, enter a key that you will later also need to configure in the P-202H Plus v2. In this example, we enter 12345678. See below.

Security Policy Settings:

9. Click the Security Policy option and choose Main Mode as the Phase 1 Negotiation Mode.
10. Expand the Security Policy icon; you will see two icons, Authentication (Phase 1) and Key Exchange (Phase 2).
11. The settings shown in the following two figures for both phases are our examples. You can choose any, but they must match whatever you enter in the P-202H Plus v2.
2. Setup P-202H Plus v2 VPN

1. Using a web browser, log in to the P-202H Plus v2 by entering the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1, and the default password to log in to the web configurator is 1234.
2. Click Advanced, and click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE-IKE menu, check the Active check box and give a name to this policy.
5.

Figure 8: See the VPN rule screen shot

If you use SMT management, the VPN configurations are as shown below.

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE: in Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission.

Please note that any configuration in 'IKE Setup' must match the settings in the VPN software.

Linux FreeS/WAN VPN to P-202H Plus v2 Tunneling

This page guides you through setting up a VPN connection between FreeS/WAN and the P-202H Plus v2 router. Two devices need to be set up for this case: the Linux FreeS/WAN box and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1 and the P-202H Plus v2 ensures that the packets flowing between them are secure.
The IP addresses we use in this example are as shown below.

    FreeS/WAN Linux box          P-202H Plus v2
    LAN: 192.168.10.20           LAN: 192.168.0.254
    WAN: 65.170.185.111          WAN: 202.132.170.1
    Gateway: 65.170.185.65       Gateway: 202.132.170.254
    LAN 1: 192.168.10.0/24       LAN 2: 192.168.0.0/24

1. Setup FreeS/WAN

We presume that your Linux kernel has been compiled to support FreeS/WAN, and that FreeS/WAN has also been installed successfully on your system.

ipsec.conf:

        leftsubnet=192.168.10.0/24
        leftnexthop=65.170.185.65
        right=202.132.170.1
        rightsubnet=192.168.0.0/24
        rightnexthop=202.132.170.254
        auto=start
        pfs=no
        authby=secret

ipsec.secrets:

        65.170.185.111 202.132.170.1 : PSK "12345678"

2. Setup P-202H Plus v2 VPN

1. Using a web browser, log in to the P-202H Plus v2 by entering the LAN IP address of the P-202H Plus v2 in the URL field. The LAN IP in this example is 192.168.0.1, and the default password to log in to the web configurator is 1234.
2.

You can click the Advanced button to check the IPSec Phase 1 and Phase 2 parameters. Please note that Linux FreeS/WAN only supports 3DES as the encryption algorithm, and DH2 or higher as the key exchange group.
If you use SMT management, the VPN configurations are as shown below.

1. Edit the IKE settings by setting the 'Edit Key Management Setup' option in menu 27.1.1 to 'Yes' by pressing the space bar and then pressing 'Enter'.
2. There are two phases for IKE: in Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate the IPSec SAs, which are used for data transmission.
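Before bringing the FreeS/WAN side up it is worth cross-checking the conn stanza against ipsec.secrets and against the PFS setting of the router rule, since a mismatch in any of these is the usual reason Phase 2 never completes. The following is an added example, not code from the ZyXEL notes or from the FreeS/WAN project; the sample files are constructed from the addresses in the FreeS/WAN section above, and the conn name "to_p202h" and the left= line are assumptions (the fragment in the notes begins at leftsubnet=).

```python
"""Consistency check for a FreeS/WAN conn stanza against ipsec.secrets.

Added example, not code from the ZyXEL notes or from FreeS/WAN. The sample
files are constructed from the addresses in the FreeS/WAN section above; the
conn name "to_p202h" and the left= line are assumptions.
"""
import ipaddress
import re

# Constructed sample: the notes' fragment plus an assumed conn header and left=.
IPSEC_CONF = """\
conn to_p202h
    left=65.170.185.111
    leftsubnet=192.168.10.0/24
    leftnexthop=65.170.185.65
    right=202.132.170.1
    rightsubnet=192.168.0.0/24
    rightnexthop=202.132.170.254
    auto=start
    pfs=no
    authby=secret
"""

# Constructed sample ipsec.secrets, using the PSK the notes use as their example.
IPSEC_SECRETS = '65.170.185.111 202.132.170.1 : PSK "12345678"\n'

SECRET_RE = re.compile(r'^(?P<hosts>[^:]*):\s*PSK\s+"(?P<psk>[^"]*)"')


def parse_conn(conf_text, name):
    """Return the key=value settings of conn <name>; {} if it is not present."""
    settings, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():          # an unindented line starts a section
            inside = line == f"conn {name}"
            continue
        if inside and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def parse_secrets(secrets_text):
    """Return [(frozenset of index hosts, psk), ...] for every PSK line."""
    entries = []
    for raw in secrets_text.splitlines():
        m = SECRET_RE.match(raw.strip())
        if m:
            entries.append((frozenset(m.group("hosts").split()), m.group("psk")))
    return entries


def check_conn(conn, secrets, router_pfs):
    """Cross-check one conn against ipsec.secrets and the P-202H rule.

    router_pfs is the PFS value shown in the router's IKE setup ("None", or a
    DH group such as "DH2"). Returns {"errors": [...], "warnings": [...]};
    an empty "errors" list means the two sides can agree on the tunnel.
    """
    errors, warnings = [], []
    for key in ("left", "right", "leftsubnet", "rightsubnet", "authby"):
        if key not in conn:
            errors.append(f"missing {key}=")
    if errors:
        return {"errors": errors, "warnings": warnings}

    # authby=secret needs a PSK line indexed by exactly these two endpoints.
    if conn["authby"] == "secret":
        wanted = frozenset((conn["left"], conn["right"]))
        matches = [psk for hosts, psk in secrets if hosts == wanted]
        if not matches:
            errors.append(f"no PSK entry for {conn['left']} {conn['right']}")
        elif matches[0] == "12345678" or len(matches[0]) < 20:
            warnings.append("PSK is the documentation example or is short; "
                            "use a long random secret")

    # The two protected subnets must be disjoint, or routing is ambiguous.
    left_net = ipaddress.ip_network(conn["leftsubnet"])
    right_net = ipaddress.ip_network(conn["rightsubnet"])
    if left_net.overlaps(right_net):
        errors.append("leftsubnet and rightsubnet overlap")

    # pfs=no on FreeS/WAN corresponds to "PFS= None" in the router's IKE setup.
    router_wants_pfs = router_pfs.strip().lower() != "none"
    conn_pfs = conn.get("pfs", "yes")          # FreeS/WAN defaults pfs to yes
    if (conn_pfs == "yes") != router_wants_pfs:
        errors.append(f"pfs={conn_pfs} but router PFS= {router_pfs}")
    elif not router_wants_pfs:
        warnings.append("PFS is disabled on both sides")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_conn(parse_conn(IPSEC_CONF, "to_p202h"),
                        parse_secrets(IPSEC_SECRETS), router_pfs="None")
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1]}: {msg}")
```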
SSH Sentinel to P-202H Plus v2 Tunneling

Sentinel (Static IP) to P-202H Plus v2 (Static IP) Tunneling

This page guides you through setting up a VPN connection between the Sentinel software and the P-202H Plus v2 router. Two devices need to be set up for this case: the Sentinel software and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1, with Sentinel installed, and the P-202H Plus v2 ensures that the packets flowing between them are secure.

The IP addresses we use in this example are as shown below.

    PC 1: 172.21.1.232
    P-202H Plus v2: LAN 192.168.1.1, WAN 172.21.1.252
    PC 2: 192.168.1.33

1. Setup Sentinel

1. From the tool tray of your Windows system, right-click the SSH Sentinel icon, and then choose Run Policy Editor.
2. Choose Key Management. Select My Keys, then press the Add... button.
3. Select Create a preshared key, and press Next.
4. Give this preshared key a name, P-202H Plus v2. Then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally, press Finish.
5. Press Apply in the main menu to save the above settings for later use.
6. Switch to the Security Policy tab. Choose VPN connections, and then press Add...
7. The Add VPN Connection window will pop up. Press the IP button beside the Gateway Name box. Enter the P-202H Plus v2's WAN IP address in Gateway IP address.
8. Press the ... button beside Remote network.
9. The Network Editor window will pop up. Press the New button, enter P-202H Plus v2 in Network name, 192.168.1.0 in the IP address field, and 255.255.255.0 in the Subnet Mask field. Then click OK to go back to the Add VPN Connection window.
10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.
11. In the SSH Sentinel Policy Editor, you will get a new VPN connection, 172.21.1.252 (P-202H Plus v2). Choose this item, and then press the Properties... button.
12. Choose the Settings button in the Remote endpoint section. Uncheck the boxes "Acquire virtual IP address" and "Extended authentication".
13. Tune the IKE proposal to Encryption algorithm DES, Integrity function MD5, IKE mode main mode, IKE group MODP 768 (group 1), and the IPSec proposal to Encryption algorithm DES, Integrity function HMAC-MD5, PFS group none.
14. Press Apply to save all of the settings.
15. Initiate the VPN connection from Sentinel by selecting your VPN connection from the Select VPN item.

Note:
A. When building a VPN between Sentinel and the P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Always initiate the tunnel from Sentinel.
B. A VPN tunnel on Sentinel can't be initiated by triggering packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing "Select VPN" from the SSH Sentinel tray.

NOTE: Check your P-202H Plus v2's release note; if your current firmware version doesn't support Mega Bytes as an SA lifetime, you have to set the Mega Bytes setting in the SA lifetime to zero. Switch to Security Policy; the configuration page is in /Properties.../Advanced Tab/Settings...
2. Setup P-202H Plus v2 VPN

1. Using a web browser, log in to the P-202H Plus v2 by entering the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1, and the default password to log in to the web configurator is 1234.
2. Go to Advanced -> VPN.
3. Check the Active box to enable this rule. Check Keep alive to make your VPN connection stay permanent.
4. Set Negotiation Mode to Main, as we configured in Sentinel.
5. Local IP: Address Type is Subnet, Address Start is 192.168.1.

See the VPN rule screen shot. Set the IKE Phase 1 and Phase 2 parameters.
If you use SMT management, the VPN configurations are as shown below.

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE: in Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission.

Please note that any configuration in 'IKE Setup' must match the settings configured in Sentinel.

Sentinel (Dynamic IP) to P-202H Plus v2 (Static IP) Tunneling

This page guides you through setting up a VPN connection between the Sentinel software and the P-202H Plus v2 router. Two devices need to be set up for this case: the Sentinel software and the P-202H Plus v2 router.
The IP addresses we use in this example are as shown below.

    PC 1: (dynamic)
    P-202H Plus v2: LAN 192.168.1.1, WAN 172.21.1.252
    PC 2: 192.168.1.33

1. Setup Sentinel

1. From the tool tray of your Windows system, right-click the Sentinel icon, and then choose Run Policy Editor.
2. Choose Key Management. Select My Keys, then press the Add... button.
3. Select Create a preshared key, and press Next.
4. Give this preshared key a name, P-202H Plus v2. Then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally, press Finish.
5. Press Apply in the main menu to save the above settings for later use.
6. Switch to the Security Policy tab. Choose VPN connections, and then press Add...
7. The Add VPN Connection window will pop up. Press the IP button beside the Gateway Name box. Enter the P-202H Plus v2's WAN IP address in Gateway IP address.
8. Press the ... button beside Remote network.
9. The Network Editor window will pop up. Press the New button, enter P-202H Plus v2 in Network name, 192.168.1.0 in the IP address field, and 255.255.255.0 in the Subnet Mask field. Then click OK to go back to the Add VPN Connection window.
10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.
11. In the SSH Sentinel Policy Editor, you will get a new VPN connection, 172.21.1.252 (P-202H Plus v2). Choose this item, and then press the Properties... button.
12. Choose the Settings button in the Remote endpoint section. Uncheck the boxes "Acquire virtual IP address" and "Extended authentication".
13. Tune the IKE proposal to Encryption algorithm DES, Integrity function MD5, IKE mode main mode, IKE group MODP 768 (group 1), and the IPSec proposal to Encryption algorithm DES, Integrity function HMAC-MD5, PFS group none.
14. Press Apply to save all of the settings.
15. Initiate the VPN connection from Sentinel by selecting your VPN connection from the Select VPN item.

Note:
A. When building a VPN between Sentinel and the P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Always initiate the tunnel from Sentinel.
B. A VPN tunnel on Sentinel can't be initiated by triggering packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing "Select VPN" from the SSH Sentinel tray.

NOTE: Check your P-202H Plus v2's release note; if your current firmware version doesn't support Mega Bytes as an SA lifetime, you have to set the Mega Bytes setting in the SA lifetime to zero. Switch to Security Policy; the configuration page is in /Properties.../Advanced Tab/Settings...
2. Setup P-202H Plus v2 VPN

1. Using a web browser, log in to the P-202H Plus v2 by entering the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1, and the default password to log in to the web configurator is 1234.
2. Go to Advanced -> VPN.
3. Check the Active box to enable this rule. Check Keep alive to make your VPN connection stay permanent.
4. Set Negotiation Mode to Main, as we configured in Sentinel.
5. Local IP: Address Type is Subnet, Address Start is 192.168.1.

See the VPN rule screen shot. Set the IKE Phase 1 and Phase 2 parameters.
If you use SMT management, the VPN configurations are as shown below.

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE: in Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission.

Please note that any configuration in 'IKE Setup' must match the settings configured in Sentinel.

Sentinel (Behind NAT) to P-202H Plus v2 (Static IP) Tunneling

This page guides you through setting up a VPN connection between the Sentinel software and the P-202H Plus v2 router. Two devices need to be set up for this case: the Sentinel software and the P-202H Plus v2 router.
The IP addresses we use in this example are as shown below.

    PC 1: 192.168.2.33
    NAT Router: LAN 192.168.2.1, WAN 172.21.1.232
    P-202H Plus v2: LAN 192.168.1.1, WAN 172.21.1.252
    PC 2: 192.168.1.33

1. Setup SSH Sentinel

1. From the tool tray of your Windows system, right-click the SSH Sentinel icon, and then choose Run Policy Editor.
2. Choose Key Management. Select My Keys, then press the Add... button.
3. Select Create a preshared key, and press Next.
4. Give this preshared key a name, P-202H Plus v2. Then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally, press Finish.
5. Press Apply in the main menu to save the above settings for later use.
6. Switch to the Security Policy tab. Choose VPN connections, and then press Add...
7. The Add VPN Connection window will pop up. Press the IP button beside the Gateway Name box. Enter the P-202H Plus v2's WAN IP address in Gateway IP address.
8. Press the ... button beside Remote network.
9. The Network Editor window will pop up. Press the New button, enter P-202H Plus v2 in Network name, 192.168.1.0 in the IP address field, and 255.255.255.0 in the Subnet Mask field. Then click OK to go back to the Add VPN Connection window.
10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.
11. In the SSH Sentinel Policy Editor, you will get a new VPN connection, 172.21.1.252 (P-202H Plus v2). Choose this item, and then press the Properties... button.
12. Choose the Settings button in the Remote endpoint section. Uncheck the boxes "Acquire virtual IP address" and "Extended authentication".
13. Tune the IKE proposal to Encryption algorithm DES, Integrity function MD5, IKE mode main mode, IKE group MODP 768 (group 1), and the IPSec proposal to Encryption algorithm DES, Integrity function HMAC-MD5, PFS group none.
14. Press Apply to save all of the settings.
15. Initiate the VPN connection from Sentinel by selecting your VPN connection from the Select VPN item.

Note:
A. When building a VPN between Sentinel and the P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Always initiate the tunnel from Sentinel.
B. A VPN tunnel on Sentinel can't be initiated by triggering packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing "Select VPN" from the SSH Sentinel tray.

NOTE: Check your P-202H Plus v2's release note; if your current firmware version doesn't support Mega Bytes as an SA lifetime, you have to set the Mega Bytes setting in the SA lifetime to zero. Switch to Security Policy; the configuration page is in /Properties.../Advanced Tab/Settings...
2. Setup P-202H Plus v2 VPN

1. Using a web browser, log in to the P-202H Plus v2 by entering the LAN IP address of the P-202H Plus v2 in the URL field. The default LAN IP is 192.168.1.1, and the default password to log in to the web configurator is 1234.
2. Go to Advanced -> VPN.
3. Check the Active box to enable this rule. Check Keep alive to make your VPN connection stay permanent.
4. Set Negotiation Mode to Main, as we configured in Sentinel.
5. Local IP: Address Type is Subnet, Address Start is 192.168.1.

See the VPN rule screen shot. Set the IKE Phase 1 and Phase 2 parameters.
If you use SMT management, the VPN configurations are as shown below.

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE: in Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission.

Please note that any configuration in 'IKE Setup' must match the settings configured in Sentinel.

3. Setup in NAT Router

In this case, since the VPN connection can only be initiated from SSH Sentinel, no NAT port forwarding is needed.

Sentinel (Dynamic IP) to P-202H Plus v2 (Dynamic IP) Tunneling

This page guides you through setting up a VPN connection between the SSH Sentinel software and the P-202H Plus v2 router. Several devices need to be set up for this case.
The IP addresses we use in this example are as shown below.

    PC 1: (dynamic)
    P-202H Plus v2: LAN 192.168.1.1, WAN (dynamic)
    PC 2: 192.168.1.33

1. Setup P-202H Plus v2

1. Configure the P-202H Plus v2 to use DDNS for WAN IP address updates. You can refer to Using DDNS for how to configure it. We presume that you have obtained a dynamic domain name, P-202H Plus v2.ddns.org, and updated your current WAN IP successfully.
2.

See the VPN rule screen shot. Set the IKE Phase 1 and Phase 2 parameters.
If you use SMT management, the VPN configurations are as shown below.

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE: in Phase 1, the two IKE peers establish a secure channel for key exchange. In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission.

Please note that any configuration in 'IKE Setup' must match the settings configured in Sentinel.

2. Setup Sentinel

1. From the tool tray of your Windows system, right-click the SSH Sentinel icon, and then choose Run Policy Editor.
2. Choose Key Management. Select My Keys, then press the Add... button.
3. Select Create a preshared key, and press Next.
4. Give this preshared key a name, P-202H Plus v2. Then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally, press Finish.
5. Press Apply in the main menu to save the above settings for later use.
6. Switch to the Security Policy tab. Choose VPN connections, and then press Add...
7. The Add VPN Connection window will pop up. Enter P-202H Plus v2.dyndns.org in Gateway IP address.
8. Press the ... button beside Remote network.
9. The Network Editor window will pop up. Press the New button, enter P-202H Plus v2 in Network name, 192.168.1.0 in the IP address field, and 255.255.255.0 in the Subnet Mask field. Then click OK to go back to the Add VPN Connection window.
10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.
11. In the SSH Sentinel Policy Editor, you will get a new VPN connection, P-202H Plus v2.dyndns.org (P-202H Plus v2). Choose this item, and then press the Properties... button.
12. Choose the Settings button in the Remote endpoint section. Uncheck the boxes "Acquire virtual IP address" and "Extended authentication".
13. Tune the IKE proposal to Encryption algorithm DES, Integrity function MD5, IKE mode main mode, IKE group MODP 768 (group 1), and the IPSec proposal to Encryption algorithm DES, Integrity function HMAC-MD5, PFS group none.
14. Press Apply to save all of the settings.
15. Initiate the VPN connection from Sentinel by selecting your VPN connection from the Select VPN item.

Note:
A. When building a VPN between Sentinel and the P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Always initiate the tunnel from Sentinel.
B. A VPN tunnel on Sentinel can't be initiated by triggering packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing "Select VPN" from the SSH Sentinel tray.

NOTE: Check your P-202H Plus v2's release note; if your current firmware version doesn't support Mega Bytes as an SA lifetime, you have to set the Mega Bytes setting in the SA lifetime to zero. Switch to Security Policy; the configuration page is in /Properties.../Advanced Tab/Settings...
Intel VPN client to P-202H Plus v2 Tunneling

This page guides you through setting up a VPN connection between the Intel VPN client software and the P-202H Plus v2 router. Two devices need to be set up for this case: the Intel VPN software and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1, with the Intel VPN client installed, and the P-202H Plus v2 ensures that the packets flowing between them are secure.

2. Give this tunnel a name, P-202H Plus v2 for example. Specify the VPN Gateway IP Address as 172.21.1.252. Set Tunnel Applies to All network connections. Uncheck Enable IP Address assignment and WINS/DNS via VPN Gateway.
3. Select the Security Associations tab. Press Add... to edit the IP address of the remote VPN network: IP Address 192.168.1.0, Subnet Mask 255.255.255.0, Protocol ALL, Port ALL. Then set the Phase 2 parameters: AH None, Authentication HMAC MD5, Encryption DES (56-bit key), and uncheck Transport mode. Specify the Phase 2 SA lifetime you would like to use. Click OK to save the settings.
4. Select Shared Secret as the Authentication Method, and enter the preshared key: 12345678. Then press Advanced... to edit the Phase 1 parameters.
5. Specify the Phase 1 SA lifetime you would like to have, 60 minutes for example. Set Encryption to DES 56-bit key, Authentication to HMAC MD5, and Diffie-Hellman Group to 1-RSA 768 bits. Click OK to save.
2. Set up the P-202H Plus v2 VPN

1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234.
2. Click Advanced, then click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE-IKE menu, check the Active check box and give this policy a name.
5.

12. Set the Encryption Algorithm to DES and the Authentication Algorithm to MD5, as configured in SSH.
13. Enter the key string 12345678 in the Preshared Key text box and click Apply.
14. Press the Advanced button to set the IKE phase 1 and phase 2 parameters. See the VPN rule screenshot.

Set IKE Phase 1 and Phase 2 parameters.
If you use SMT management, the VPN configuration is as shown below.

                        Menu 27.1.1 - IPSec Setup

          Index #= 1                     Active= Yes
          Name= to_ssh
          My IP Addr= 172.21.1.252
          Secure Gateway Addr= 172.21.1.232
          Protocol= 0
          Local:  Addr Type= SUBNET
                  IP Addr Start= 192.168.1.0      End= 255.255.255.0
                  Port Start= 0                   End= N/A
          Remote: Addr Type= SINGLE
                  IP Addr Start= 172.21.1.232     End= N/A
                  Port Start= 0                   End= N/A
          Enable Replay Detection= No
          Key Management= IKE
          Edit Key Management Setup= No

                  Press ENTER to Confirm or ESC to Cancel:

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE. In Phase 1, the two IKE peers establish a secure channel for key exchange.
Some tips for this application:

Generally, without IPSec, to configure an internal server for outside access we need to enter the server's private IP and its service port in the SUA/NAT Server Table. The NAT router then forwards incoming connections to the internal server according to the service port and private IP entered in the SUA/NAT Server Table.
The IP addresses used in this example are as shown below.

  Site          WAN          LAN           LAN segment
  Branch_A      202.3.1.1    192.168.3.1   192.168.3.0/24
  Headquarter   202.1.1.1    192.168.1.1   192.168.1.0/24
  Branch_B      202.2.1.1    192.168.2.1   192.168.2.0/24

1. Set up VPN in branch office A

Because VPN routing enables the branch offices to talk to each other via tunnels concentrated at the headquarter.
6. In the Local section, set Address Type to Range Address, IP Address Start to 192.168.3.0 and End to 192.168.3.255. This covers the LAN segment of branch office A.
7. In the Remote section, set Address Type to Range Address, IP Address Start to 192.168.1.0 and End to 192.168.2.255. This covers the LAN segments of both the headquarter and branch office B.
8. My IP Addr is the WAN IP of this P-202H Plus v2, 202.3.1.1.
9.

You can set the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Make sure that every parameter you set in this menu matches the corresponding VPN rule in the headquarter.
2. Set up VPN in branch office B

Be very careful about the remote IP address range in branch office B. Because systems behind branch office B need to reach systems behind both branch office A and the headquarter, both of those segments have to be specified in the Remote section. However, if both segments (192.168.1.0/24 and 192.168.3.0/24) are covered by one range in a single rule, the LAN segment of branch office B (192.168.2.0/24) lies between them and is included in that rule as well, which means traffic inside branch office B itself would be sent into the VPN tunnel.

You can set the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Make sure that every parameter you set in this menu matches the corresponding VPN rule in the headquarter.

2. The second rule in Branch_B

This rule is for branch office B to access branch office A.

You can set the IKE phase 1 and phase 2 parameters by pressing the Advanced button. Make sure that every parameter you set in this menu matches the corresponding VPN rule in the headquarter.
3. Set up VPN in the headquarter

1. The corresponding rule for Branch_A in the headquarter

2. The corresponding rule for Branch_B_1 in the headquarter

3. The corresponding rule for Branch_B_2 in the headquarter
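The sections above repeat two requirements for this hub-and-spoke layout: a Remote range must not swallow the router's own LAN (the branch office B pitfall), and every spoke rule must be mirrored by a headquarter rule with identical IKE/IPSec parameters. The following script is an added example, not ZyXEL's code, that checks both conditions offline before the rules are typed into Menu 27.1.1. The Branch_B and headquarter ranges, the Rule/Proposal names and the DES/MD5/DH group 1 proposal values are assumptions taken from the addressing plan and the worked examples in these notes.

```python
"""Offline consistency check for hub-and-spoke IPSec rules (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Tuple

Range = Tuple[str, str]  # "IP Addr Start", "End" as entered in the VPN rule


@dataclass(frozen=True)
class Proposal:
    """IKE phase 1 / IPSec phase 2 parameters that must match on both peers."""
    encryption: str = "DES"
    authentication: str = "MD5"
    dh_group: int = 1
    phase1_minutes: int = 60


@dataclass(frozen=True)
class Rule:
    name: str
    my_ip: str        # WAN IP of the router that holds the rule
    gateway: str      # Secure Gateway Addr: WAN IP of the peer
    local: Range
    remote: Range
    proposal: Proposal = field(default_factory=Proposal)


def as_ints(r: Range) -> Tuple[int, int]:
    start, end = int(IPv4Address(r[0])), int(IPv4Address(r[1]))
    if start > end:
        raise ValueError(f"range start {r[0]} is above end {r[1]}")
    return start, end


def overlaps(a: Range, b: Range) -> bool:
    a0, a1 = as_ints(a)
    b0, b1 = as_ints(b)
    return a0 <= b1 and b0 <= a1


def mirrors(spoke: Rule, hub: Rule) -> bool:
    """True when the hub rule is the exact counterpart of the spoke rule."""
    return (hub.gateway == spoke.my_ip and spoke.gateway == hub.my_ip
            and as_ints(hub.local) == as_ints(spoke.remote)
            and as_ints(hub.remote) == as_ints(spoke.local))


def check_rules(spokes: List[Rule], hub_rules: List[Rule]) -> List[str]:
    findings = []
    # A Remote range that spans the router's own LAN pulls intra-LAN traffic
    # into the tunnel (the branch office B pitfall described in the text).
    for rule in spokes + hub_rules:
        if overlaps(rule.local, rule.remote):
            findings.append(f"{rule.name}: remote range {rule.remote} overlaps "
                            f"own local range {rule.local}")
    # Every spoke rule needs a mirrored headquarter rule with an equal proposal.
    for spoke in spokes:
        partners = [h for h in hub_rules if mirrors(spoke, h)]
        if not partners:
            findings.append(f"{spoke.name}: no headquarter rule mirrors "
                            f"local={spoke.local} remote={spoke.remote}")
        for hub in partners:
            if hub.proposal != spoke.proposal:
                findings.append(f"{spoke.name}/{hub.name}: IKE/IPSec proposal "
                                f"mismatch {spoke.proposal} vs {hub.proposal}")
    return findings


# Addressing plan from the text; the Branch_B/headquarter ranges are assumed.
HQ_WAN, A_WAN, B_WAN = "202.1.1.1", "202.3.1.1", "202.2.1.1"
BRANCH_A = [Rule("Branch_A", A_WAN, HQ_WAN,
                 ("192.168.3.0", "192.168.3.255"), ("192.168.1.0", "192.168.2.255"))]
BRANCH_B = [Rule("Branch_B_1", B_WAN, HQ_WAN,
                 ("192.168.2.0", "192.168.2.255"), ("192.168.1.0", "192.168.1.255")),
            Rule("Branch_B_2", B_WAN, HQ_WAN,
                 ("192.168.2.0", "192.168.2.255"), ("192.168.3.0", "192.168.3.255"))]
# The single-rule variant the text warns against: 192.168.1.0-192.168.3.255
# also spans Branch_B's own 192.168.2.0/24.
BRANCH_B_SINGLE = [Rule("Branch_B_single", B_WAN, HQ_WAN,
                        ("192.168.2.0", "192.168.2.255"), ("192.168.1.0", "192.168.3.255"))]
HEADQUARTER = [Rule("HQ_for_Branch_A", HQ_WAN, A_WAN,
                    ("192.168.1.0", "192.168.2.255"), ("192.168.3.0", "192.168.3.255")),
               Rule("HQ_for_Branch_B_1", HQ_WAN, B_WAN,
                    ("192.168.1.0", "192.168.1.255"), ("192.168.2.0", "192.168.2.255")),
               Rule("HQ_for_Branch_B_2", HQ_WAN, B_WAN,
                    ("192.168.3.0", "192.168.3.255"), ("192.168.2.0", "192.168.2.255"))]

if __name__ == "__main__":
    for label, spokes in (("two rules", BRANCH_A + BRANCH_B),
                          ("single rule", BRANCH_B_SINGLE)):
        print(label, "->", check_rules(spokes, HEADQUARTER) or ["OK"])
```

Running the script reports no findings for the two-rule layout, while the single-rule variant is flagged twice: once for the overlap with its own LAN and once because no headquarter rule mirrors a 192.168.1.0-192.168.3.255 range.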
Support Tool

1. Using the ZyXEL ISDN D Channel Analyzer (EPA)

Introduction

An ISDN call connection failure can be diagnosed using the P-202H Plus v2's ISDN embedded protocol analyzer (EPA). The cause code in the EPA log can also help diagnose the disconnection of an ISDN call.

Using the EPA Analyzer

You must connect the P-202H Plus v2 to a terminal program via the serial port to capture the EPA output. The EPA does not operate over Telnet. The steps for enabling the EPA are as follows:

1.

  P-202H Plus v2> isdn fw ana on
  P-202H Plus v2> dev dial 1
  Start dialing for node ...
  ### Hit any key to continue.###
  $$$ DIALING dev=2 ch=0..........
  2 3  00000010  IE length : 2 bytes
       1-------  Extension bit : not continued
       -00-----  Coding standard : CCITT coding standard
       ---01000  Info. trans. cap. : Unrestricted Digit
  4    1-------  Extension bit : not continued
       -00-----  Transfer mode : Circuit Mode
       ---10000  Info. trans.

       ------01  Info. Ch. Selection : B1 channel
  00:00:03:29   4 bytes LAPD D TE R SAPI=0 TEI=97 RR P/F=0 NR=1
  00:00:03:59  11 bytes LAPD D NT C SAPI=0 TEI=97 INFO P=0 NR=1 NS=1
                3 bytes Layer 3 Dest-> CallRef=1 PD=Q.

  Dest-> CallRef=1 PD=Q.
• Manually dial remote node N:
    P-202H Plus v2> dev dial N
  (N is the node number in Menu 11)
  Example:
• Wait for all progress messages, then manually drop the call:
    P-202H Plus v2> dev channel drop [bri0|bri1]
  (bri0 for the B1 channel, bri1 for the B2 channel)
• Turn off the PPP trace:
    P-202H Plus v2> sys trcl sw off
    P-202H Plus v2> sys trcp sw off
• Dump the PPP log:
    P-202H Plus v2> sys trcl disp

The trace appears on the screen as in the following example.
  89  258470 PP08  CALL CONNECT speed<64000> type<2> chan<0>
  90  258471 PP09  ebp=7ea690,seqNum=5c bri0-XMIT len:23 call=4
      0000: ff 03 c0 21 01 0d 00 13 01 04 05 f4 05 06 00 03
      0010: f1 a6 08 02 0d 03 06
  91  258748 PP09  ebp=7ea6c4,seqNum=5d bri0-XMIT len:23 call=4
      0000: ff 03 c0 21 01 0e 00 13 01 04 05 f4 05 06 00 03
      0010: f1 a6 08 02 0d 03 06
  92  258750 PP09  ebp=7ea6f8,seqNum=5e bri0-RECV len:29 call=4
      0000: ff 03 c0 21 01 01 00 19 01 04 05 f4 03 04 c0 23
      0010: 11 04 05 f4 13 09 03 00

      0000: ff 03 c0 21 08 11 00 10 80 fd 01 01 00 0a 11 06
      0010: 00 01 01 03
  109 258761 PP09  ebp=7ea010,seqNum=6c bri0-RECV len:14 call=4
      0000: ff 03 80 21 03 19 00 0a 03 06 a3 1f f4 2e
  110 258761 PP09  ebp=7ea044,seqNum=6d bri0-XMIT len:20 call=4
      0000: ff 03 80 21 01 1a 00 10 02 06 00 2d 0f 00 03 06
      0010: a3 1f f4 2e
  111 258763 PP09  ebp=7ea078,seqNum=6e bri0-RECV len:20 call=4
      0000: ff 03 80 21 02 1a 00 10 02 06 00 2d 0f 00 03 06
      0010: a3 1f f4 2e
  112 258763 PP09  IPCP opened
  113 260
3. LAN/WAN Packet Trace

The P-202H Plus v2 can record a packet trace and analyze the packets passing over its LAN and WAN interfaces. It is designed for users with a technical background who are interested in the details of the packet flow on the LAN or WAN side of the P-202H Plus v2. It is also very helpful for diagnosing compatibility problems with your ISP, or when you need the details of a packet in order to configure a filter rule.

Online Trace

1. Trace LAN packet
2. Trace WAN packet

1. Trace LAN packet
1.1 Disable capture of WAN packets by entering: sys trcp channel [bri0|bri1] none
1.2 Enable capture of LAN packets by entering: sys trcp channel enet0 bothway
1.3 Enable the trace log by entering: sys trcp sw on and sys trcl sw on
1.4 Display the brief trace online by entering: sys trcd brief, or
1.
  IP Version        = 4
  Header Length     = 20
  Type of Service   = 0x00 (0)
  Total Length      = 0x0030 (48)
  Idetification     = 0x330B (13067)
  Flags             = 0x02
  Fragment Offset   = 0x00
  Time to Live      = 0x80 (128)
  Protocol          = 0x06 (TCP)
  Header Checksum   = 0x3E71 (15985)
  Source IP         = 0xC0A80102 (192.168.1.2)
  Destination IP    = 0xC01F0782 (192.31.7.

  Idetification     = 0x57F3 (22515)
  Flags             = 0x02
  Fragment Offset   = 0x00
  Time to Live      = 0xED (237)
  Protocol          = 0x06 (TCP)
  Header Checksum   = 0xAC8C (44172)
  Source IP         = 0xC01F0782 (192.31.7.130)
  Destination IP    = 0xC0A80102 (192.168.1.2)
  TCP Header:
  Source Port       = 0x0050 (80)
  Destination Port  = 0x045C (1116)
  Sequence Number   = 0x4AD1B57F (1255257471)
  Ack Number        = 0x00BD15A8 (12391848)
  Header Length     = 24
  Flags             = 0x12 (.A..S.

  Protocol          = 0x06 (TCP)
  Header Checksum   = 0x3C79 (15481)
  Source IP         = 0xC0A80102 (192.168.1.2)
  Destination IP    = 0xC01F0782 (192.31.7.130)
  TCP Header:
  Source Port       = 0x045C (1116)
  Destination Port  = 0x0050 (80)
  Sequence Number   = 0x00BD15A8 (12391848)
  Ack Number        = 0x4AD1B580 (1255257472)
  Header Length     = 20
  Flags             = 0x10 (.A....

  1 2 3 4 5 5
  902.120 BRI0-T[0023] LCP (ID=0x06) Configure-Request (1,5,8,13)
  905.120 BRI0-T[0023] LCP (ID=0x07) Configure-Request (1,5,8,13)
  905.150 BRI0-R[0029] LCP (ID=0x01) Configure-Request (1,3,17,19)
  905.150 BRI0-T[0021] LCP (ID=0x01) Configure-Reject (17,19)
  905.160 BRI0-R[0013] LCP (ID=0x07) Configure-Reject (8,13)
  905.

      0020: 00 00 00 00 70 02 20 00-9A 63 00 00 02 04 05 B4  ....p. ..c......
      0030: 01 01 04 02                                      ....
  ---<0001>---------------------------------------------------------------
  PPP Frame: BRI0-RECV  Size: 48/ 48  Time: 1147.970 sec
  Frame Type: TCP 210.67.113.145:80->163.31.239.
Offline Trace

1. Trace LAN packet
2. Trace WAN packet

1. Trace LAN packet
1.1 Disable capture of WAN packets by entering: sys trcp channel [bri0|bri1] none
1.2 Enable capture of LAN packets by entering: sys trcp channel enet0 bothway
1.3 Enable the trace log by entering: sys trcp sw on and sys trcl sw on
1.4 Wait for packets to pass through the P-202H Plus v2 over the LAN
1.5 Disable the trace log by entering: sys trcp sw off and sys trcl sw off
1.
  Network Type = 0x0800 (TCP/IP)
  IP Header:
  IP Version        = 4
  Header Length     = 20
  Type of Service   = 0x00 (0)
  Total Length      = 0x002C (44)
  Idetification     = 0x7F02 (32514)
  Flags             = 0x02
  Fragment Offset   = 0x00
  Time to Live      = 0xED (237)
  Protocol          = 0x06 (TCP)
  Header Checksum   = 0x857D (34173)
  Source IP         = 0xC01F0782 (192.31.7.130)
  Destination IP    = 0xC0A80102 (192.168.1.

1.6 Display the trace briefly by entering: sys trcp brief
1.7 Display specific packets by using: sys trcp parse

Example:
  ras> sys trcp channel enet0 none
  ras> sys trcp channel bri0 bothway
  ras> sys trcl sw on
  ras> sys trcp sw on
  ras> sys trcl sw off
  ras> sys trcp sw off
  ras> sys trcp brief
  0 1181.540 BRI0-T[0011] PPP VJ Compressed IP (0x002d)
  1 1182.840 BRI0-T[0044] TCP 163.31.239.1:10007->210.67.113.145:80
  2 1226.450 BRI0-T[0052] TCP 163.31.239.

  Sequence Number   = 0x000D088D (854157)
  Ack Number        = 0x00000000 (0)
  Header Length     = 28
  Flags             = 0x02 (....S.)
  Window Size       = 0x2000 (8192)
  Checksum          = 0x5D27 (23847)
  Urgent Ptr        = 0x0000 (0)
  Options =
      0000: 02 04 05 B4 01 01 04 02
  RAW DATA:
      0000: FF 03 00 21 45 00 00 30-FD 02 40 00 7F 06 28 CF  ...!E..0..@...(.
      0010: A3 1F EF 01 D2 43 71 91-27 18 00 50 00 0D 08 8D  .....Cq.'..P....
      0020: 00 00 00 00 70 02 20 00-5D 27 00 00 02 04 05 B4  ....p. .]'......
      0030: 01 01 04 02                                      ....
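The parsed view above is what the router prints; to check that a dump was captured intact, or to decode a RAW DATA block from a trace that was only saved in brief form, the fields can be recovered from the hex alone. The script below is an added example, not part of the ZyXEL notes: it reads the two RAW DATA dumps shown in this section (the TCP SYN from 163.31.239.1 and the SYN/ACK that answers it), decodes the PPP, IP and TCP headers, and recomputes both the IP header checksum and the TCP checksum, so a corrupted or edited dump is reported rather than silently misread. The function and field names are the author's own.

```python
"""Decode RAW DATA from 'sys trcp parse' and verify its checksums (added example)."""
import re
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Hex dumps copied from the trace output in this section (offset, 8 bytes,
# '-', 8 bytes, ASCII column), exactly as the router prints them.
SYN_DUMP = """\
0000: FF 03 00 21 45 00 00 30-FD 02 40 00 7F 06 28 CF  ...!E..0..@...(.
0010: A3 1F EF 01 D2 43 71 91-27 18 00 50 00 0D 08 8D  .....Cq.'..P....
0020: 00 00 00 00 70 02 20 00-5D 27 00 00 02 04 05 B4  ....p. .]'......
0030: 01 01 04 02                                      ....
"""
SYNACK_DUMP = """\
0000: FF 03 00 21 45 00 00 2C-01 D3 40 00 38 06 6B 03  ...!E..,..@.8.k.
0010: D2 43 71 91 A3 1F EF 01-00 50 27 18 7F 47 96 3C  .Cq......P'..G.<
0020: 00 0D 08 8E 60 12 44 70-38 29 00 00 02 04 05 B4  ....`.Dp8)......
"""
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the byte columns of a trace dump, ignoring offsets and ASCII."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*[0-9A-Fa-f]{4}:\s*(.*)", line)
        if not m:
            continue
        taken = 0
        for tok in re.split(r"[\s-]+", m.group(1).strip()):
            if taken == 16 or not HEX_PAIR.match(tok):
                break                       # at most 16 bytes, then the ASCII column
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 arithmetic over big-endian 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def verify_checksum(data: bytes) -> bool:
    """With the stored checksum included, a valid area sums to 0xFFFF."""
    return ones_complement_sum(data) == 0xFFFF


def tcp_flag_string(flags: int) -> str:
    """Render flags the way the trace does, e.g. 0x12 -> '.A..S.'."""
    return "".join(l if flags & (1 << (5 - i)) else "."
                   for i, l in enumerate("UAPRSF"))


@dataclass
class Packet:
    src: str
    dst: str
    ip_id: int
    ttl: int
    dont_fragment: bool
    ip_checksum_ok: bool
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str
    window: int
    tcp_checksum_ok: bool
    options: bytes


def decode_ppp_ip(frame: bytes) -> Packet:
    # PPP/HDLC header: address 0xFF, control 0x03, protocol 0x0021 = IPv4
    if frame[:4] != b"\xff\x03\x00\x21":
        raise ValueError("not a PPP frame carrying IPv4 (protocol 0x0021)")
    ip = frame[4:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len > len(ip):
        raise ValueError("truncated capture: Total Length exceeds captured bytes")
    ip = ip[:total_len]
    ip_id, flags_frag, ttl, proto = struct.unpack("!HHBB", ip[4:10])
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    # TCP pseudo-header (RFC 793): addresses, zero, protocol, TCP length
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return Packet(src=str(IPv4Address(src)), dst=str(IPv4Address(dst)),
                  ip_id=ip_id, ttl=ttl, dont_fragment=bool(flags_frag & 0x4000),
                  ip_checksum_ok=verify_checksum(ip[:ihl]),
                  sport=sport, dport=dport, seq=seq, ack=ack,
                  flags=tcp_flag_string(off_flags & 0x3F), window=window,
                  tcp_checksum_ok=verify_checksum(pseudo + tcp),
                  options=tcp[20:data_offset])


if __name__ == "__main__":
    for dump in (SYN_DUMP, SYNACK_DUMP):
        print(decode_ppp_ip(hexdump_to_bytes(dump)))
```

Both dumps decode to the values the router printed (source port 10008 to port 80, sequence number 0x000D088D, flags "....S." and ".A..S.") and both checksums verify; flipping any byte of the TCP segment makes tcp_checksum_ok false while the IP header still verifies, which is how a damaged capture shows up.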
  Urgent Ptr        = 0x0000 (0)
  Options =
      0000: 02 04 05 B4
  RAW DATA:
      0000: FF 03 00 21 45 00 00 2C-01 D3 40 00 38 06 6B 03  ...!E..,..@.8.k.
      0010: D2 43 71 91 A3 1F EF 01-00 50 27 18 7F 47 96 3C  .Cq......P'..G.<
      0020: 00 0D 08 8E 60 12 44 70-38 29 00 00 02 04 05 B4  ....`.Dp8)......
  ras>

4. Using TFTP to Upload/Download Firmware and Configuration Files
The 192.168.1.1 is the IP address of the P-202H Plus v2. The local file is the ZyNOS firmware source file on your hard disk. The remote file is the file name under which it will be saved on the P-202H Plus v2. Check that the port number is 69 and the block size is 512 octets for TFTP. Check 'Binary' mode for the file transfer.

Before you begin:
1. TELNET to your P-202H Plus v2 before using the TFTP command.
2. Type the CI command 'sys stdio 0' in Menu 24.8 to disable the console idle timeout, and stay in Menu 24.
                       P-202H Plus v2 Main Menu

  Getting Started
    1. General Setup
    2. ISDN Setup
    3. Ethernet Setup
    4. Internet Access Setup

  Advanced Applications
    11. Remote Node Setup
    12. Static Routing Setup
    13. Default Dial-in Setup
    14. Dial-in User Setup
    15. SUA Server Setup

  Advanced Management
    21. Filter Set Configuration
    23. System Password
    24. System Maintenance

    99. Exit

                  Enter Menu Selection Number: 24

                    Menu 24 - System Maintenance
  1. 2. 3. 4. 5. 6. 7. 8. 9.
5. Using FTP to Upload Firmware and Configuration Files

In addition to uploading the firmware and configuration file via the console port or a TFTP client, you can also upload the firmware and configuration files to the P-202H Plus v2 using FTP. To use this feature, your workstation must have FTP client software. Two examples are shown below.

1.

The P-202H Plus v2 reboots automatically after the upload is finished.

2. Using FTP client software

Step 1  Rename the local firmware and configuration files to 'ras' and 'rom-0', because the remote file name cannot be specified in the FTP client software.
Step 2  Use the FTP client on your workstation to connect to the P-202H Plus v2 by entering the IP address of the P-202H Plus v2.
Step 3  Enter the SMT password as the FTP login password. The default is '1234'.

2. Press 'OK' to ignore the 'Username' prompt.
3. To upload the firmware file, transfer the local 'ras' file to overwrite the remote 'ras' file. To upload the configuration file, transfer the local 'rom-0' file to overwrite the remote 'rom-0' file.
4. The P-202H Plus v2 reboots automatically after the upload is finished.
CI Command List

CI has the following command syntax:

  command subcommand [param]
  command subcommand [param]
  command ? | help
  command subcommand ? | help

General user interface:
  1. ?      Shows the following commands and all major (sub)commands
  2. exit   Exit subcommand

To get the latest CI Command list

The latest CI command list is available in the release note of every ZyXEL firmware release. Please go to the ZyXEL public web site http://www.zyxel.
Troubleshooting

1. Internet Connection

Related SMT screens and CI commands:
  - SMT Menu 1, 4
  - SMT Menu 24.1 and 24.4
  - isdn loop
  - dev dial

Some basic knowledge about Internet connection setup

Before we start any verification or troubleshooting of the Internet setup, let us first give a brief introduction to the connection setup sequence.

Internet connection verification steps:
  • Set up Menu 4 for Internet Access.
  • Perform a connection test (after you save Menu 4).
  • You should see the call connected, LCP up or opened, CHAP/PAP login OK and IPCP up or opened.

Internet connection test failed:
  • Set up Menu 4 for Internet Access.
  • Perform a connection test (after you save Menu 4). You could get the following errors.
  Dialing chan<1> phone(last 9-digit): 40202
  ### Hit any key to continue.###
  Dial busy

This means the far end is busy.

  Dialing chan<1> phone(last 9-digit): 40202
  ### Hit any key to continue.###
  Dial timeout

This means you have timed out in making a connection. Please refer to the next chapter for a more detailed discussion of this.

- Login to remote failed

  Dialing chan<1> phone (last 9-digit): 40201
  ### Hit any key to continue.

  CHAP login to remote OK!
  IPCP negotiation started
  IPCP opened
  Recv'd TERM-ACK state 4
  LCP stopped
  sys log disp:
  " PP09 WARN Local IP mismatch, proposed 192.68.135.183,
    PP09 WARN neg'd 204.247.1.1, make sure RIP is turned on"

This means that you configured your P-202H Plus v2 Menu 3.2 as 192.68.135.183, but the ISP thinks you should be 204.247.1.1.

  CHAP send response
  CHAP login to remote OK!
  IPCP negotiation started
  BACP stopped
  IPCP up
  LCP down
  IPCP down
  LCP stopped

The call connected and IPCP was up, but the call still dropped. The call could have been dropped by the far end for some unknown reason. You need to verify the problem with your ISP.

  LCP negotiation failed   - trace PPP packets
  IPCP negotiation failed  - check if the IP address is correct
                           - check if IP is turned on in the remote node
                           - check if SUA is needed
  All others               - collect PPP traces

2. Remote Node/Dial-in User Connection

Related SMT screens and CI commands:
  - SMT Menu 2
  - SMT Menu 24.4.12
  - SMT Menu 24.
  Zyxel> dev dial 1
  ### Hit any key to continue.###      (hit any key)
  Dial Fail ***(null)
  Zyxel> sys log disp
  Zyxel> PP09 ERROR netMakeChannDial: err=-3001 rn_p=575de0
  (here 3001 means call out not allowed)

Some common troubleshooting examples:
  • Phone number is in the Black List, check Menu 24.9.2
  • Call exceeded the call budget, check Menu 24.9.

  ***startDialing failed
  ### Hit any key to continue.###

• ZyNOS:
  Zyxel> dev dial 1
  Dial no budget
  Zyxel> sys log disp
  PP09 INFO Remote node 0 budget expired
  PP09 INFO Dial no budget

- Login to remote node failed, check the name and password again

• Pre-ZyNOS:
  P2864> isdn dial 1
  Start dialing for node<1>
  Dialing chan<1> phone(last 9-digit):40201### Hit any key to continue.###
  Call CONNECT speed<64000> chan<1> prot<1>
  LCP up
  CHAP send response
  ***Login to remote failed.

- PPP negotiation failed
  306Z> isdn dial 1   (or dev dial 1)
  Start dialing for node<1>
  Dialing chan<1> phone(last 9-digit):40201### Hit any key to continue.###
  Call CONNECT speed<64000> chan<1> prot<1>
  LCP up
  CHAP send response
  CHAP login to remote OK!
  IPCP negotiation started
  BACP negotiation started
  BACP up
  CHAP send response
  CHAP login to remote OK!

In the above case, the IPCP negotiation has started, but there is no 'IPCP up' message.
      0000: ff 03 c0 21 01 12 00 24 01 04 05 f4 02 06 00 00
      0010: 00 00 08 02 0d 03 06 11 04 05 f4 13 09 03 00 a0
  105 fe3f30   0 PNET ebp=4aa30,seqNum=18 PPP1-RECV:24 len:42
      0000: ff 03 c0 21 01 30 00 26 01 04 05 f4 02 06 00 00
      0010: 00 00 03 05 c2 23 05 08 02 11 04 05 f4 13 09 03
  106 fe3f3a   0 POU1 ebp=4aa60,seqNum=19 PPP1-XMIT:24 len:42
      0000: ff 03 c0 21 02 30 00 26 01 04 05 f4 02 06 00 00
      0010: 00 00 03 05 c2 23 05 08 02 11 04 05 f4 13 09 03
  107 fe3f44   0 PNET ebp=4aa90,seqNum=1a PPP1

      0010: 00 2d 0f 01 03 06 cc f7 cb b7
  126 fe4066   0 PNET ebp=4ad30,seqNum=28 PPP1-RECV:24 len:12
      0000: 80 71 02 13 00 0a 01 06 00 00 00 01
  127 fe4066 2d8 PNET ppp BACP up
  Program Trace Switch OFF
  Packet Trace Switch OFF

From the packet trace above, one can tell why the IPCP protocol was rejected by the far end. Please refer to the PPP training material for more details.
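Reading a 'sys trcl disp' trace, both the one in the Support Tool section and the one above, means decoding the LCP and IPCP packets by hand: protocol number, code, identifier and the option list. The decoder below is an added example, not part of the ZyXEL notes. Its sample frames are the complete frames copied from the Support Tool trace (line 90, the Protocol-Reject frame preceding line 109, and lines 109 to 111); the protocol numbers, codes and option types follow RFC 1661, RFC 1332, RFC 1570 and RFC 1990 and agree with the reference tables at the end of these notes. The frame labels and function names are the author's own.

```python
"""Decode HDLC-framed PPP control packets (LCP, IPCP) from a trace (added example)."""
import struct
from ipaddress import IPv4Address
from typing import Dict, Tuple

PROTOCOLS: Dict[int, str] = {
    0x0021: "IP", 0x002D: "VJ Compressed TCP/IP", 0x002F: "VJ Uncompressed TCP/IP",
    0x8021: "IPCP", 0x80FD: "CCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
}
CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
         4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
         7: "Code-Reject", 8: "Protocol-Reject", 9: "Echo-Request",
         10: "Echo-Reply", 11: "Discard-Request"}
LCP_OPTIONS = {1: "Maximum-Receive-Unit", 2: "Async-Control-Character-Map",
               3: "Authentication-Protocol", 5: "Magic-Number",
               7: "Protocol-Field-Compression",
               8: "Address-and-Control-Field-Compression", 13: "Callback",
               17: "Multilink-MRRU", 19: "Multilink-Endpoint-Discriminator"}
IPCP_OPTIONS = {2: "IP-Compression-Protocol", 3: "IP-Address",
                129: "Primary-DNS-Address", 131: "Secondary-DNS-Address"}
CALLBACK_OPS = {0: "auth-user", 1: "dialing-string", 2: "location-id",
                3: "E.164", 4: "X.500", 6: "CBCP"}   # RFC 1570 operations


def describe_option(protocol: int, kind: int, data: bytes) -> Tuple[str, str]:
    """Return (option name, readable value) for one LCP or IPCP option."""
    if protocol == 0xC021:
        name = LCP_OPTIONS.get(kind, f"LCP-option-{kind}")
        if kind in (1, 17) and len(data) == 2:            # MRU / MRRU in octets
            return name, str(struct.unpack("!H", data)[0])
        if kind in (2, 5) and len(data) == 4:             # ACCM / magic number
            return name, f"0x{struct.unpack('!I', data)[0]:08x}"
        if kind == 3 and len(data) >= 2:                  # PAP/CHAP (+ algorithm)
            auth = struct.unpack("!H", data[:2])[0]
            algo = f" algorithm {data[2]}" if len(data) > 2 else ""
            return name, PROTOCOLS.get(auth, f"0x{auth:04x}") + algo
        if kind == 13 and len(data) >= 1:
            return name, f"operation {data[0]} ({CALLBACK_OPS.get(data[0], 'unknown')})"
    elif protocol == 0x8021:
        name = IPCP_OPTIONS.get(kind, f"IPCP-option-{kind}")
        if kind in (3, 129, 131) and len(data) == 4:
            return name, str(IPv4Address(data))
        if kind == 2 and len(data) >= 2:                  # VJ: max-slot, comp-slot
            comp = struct.unpack("!H", data[:2])[0]
            slots = f" max-slot {data[2]} comp-slot {data[3]}" if len(data) >= 4 else ""
            return name, PROTOCOLS.get(comp, f"0x{comp:04x}") + slots
    else:
        name = f"option-{kind}"
    return name, data.hex()


def decode_control_frame(frame: bytes) -> dict:
    """Decode one FF 03 <protocol> <code> <id> <length> ... control packet."""
    if len(frame) < 8 or frame[:2] != b"\xff\x03":
        raise ValueError("expected FF 03 address/control and a 4-byte packet header")
    protocol = struct.unpack("!H", frame[2:4])[0]
    code, ident, length = struct.unpack("!BBH", frame[4:8])
    if length < 4 or length > len(frame) - 4:
        raise ValueError(f"length {length} does not fit {len(frame) - 4} captured bytes")
    payload = frame[8:4 + length]
    result = {"protocol": PROTOCOLS.get(protocol, f"0x{protocol:04x}"),
              "code": CODES.get(code, f"code-{code}"), "id": ident,
              "length": length, "options": []}
    if code == 8 and len(payload) >= 2:      # Protocol-Reject names the rejected protocol
        rejected = struct.unpack("!H", payload[:2])[0]
        result["rejected_protocol"] = PROTOCOLS.get(rejected, f"0x{rejected:04x}")
        return result
    if code in (1, 2, 3, 4):                  # Configure-*: type/length/data options
        pos = 0
        while pos < len(payload):
            if pos + 2 > len(payload) or payload[pos + 1] < 2 or pos + payload[pos + 1] > len(payload):
                raise ValueError(f"malformed option at offset {pos}")
            kind, olen = payload[pos], payload[pos + 1]
            result["options"].append(describe_option(protocol, kind, payload[pos + 2:pos + olen]))
            pos += olen
    return result


# Complete frames copied from the Support Tool trace (labels are the author's).
SAMPLE_FRAMES = {
    "lcp_conf_req":  bytes.fromhex("ff03c021010d0013010405f405060003f1a608020d0306"),
    "lcp_proto_rej": bytes.fromhex("ff03c0210811001080fd0101000a110600010103"),
    "ipcp_conf_nak": bytes.fromhex("ff0380210319000a0306a31ff42e"),
    "ipcp_conf_req": bytes.fromhex("ff038021011a00100206002d0f000306a31ff42e"),
    "ipcp_conf_ack": bytes.fromhex("ff038021021a00100206002d0f000306a31ff42e"),
}

if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES.items():
        print(label, decode_control_frame(frame))
```

The first frame decodes as an LCP Configure-Request asking for MRU 1524, a magic number, ACFC and Callback operation 6 (CBCP, the only callback variant this router supports); the Protocol-Reject frame shows the peer refusing CCP (0x80fd), and the three IPCP frames show the peer suggesting 163.31.244.46 in a Configure-Nak, the router requesting it together with VJ compression, and the peer acknowledging, which is the exchange that precedes "IPCP opened".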
  BACP negotiation started
  IPCP up
  LCP closed
  IPCP closed
  Recv'd TERM-ACK state 4
  LCP stopped
  P128> sys log disp
  18 417888 PP0a ERROR Remote subnet mismatch, cfg'd 100.1.1.1
  19 417889 PP0a ERROR neg'd 200.0.0.0
  20 417892 PP0a WARN ip_route: code=05 P1=00 P2=00 P3=00

In this example, the IP address of the remote node is configured as 100.1.1.1, but after PPP is up the far end claims that its IP is in the 200.0.0.0 network.

Cannot callback to a Dial-in User

The P-202H Plus v2 only supports Microsoft's proprietary Callback Control Protocol (CBCP). Thus, the P-202H Plus v2 can only do PPP callback to devices that also support CBCP. This means that if a dial-in user is using a different package, such as Trumpet, which does not support CBCP, the P-202H Plus v2 will not call the user back.

3.
< Example >

1. Clear the error counters and display them to verify that all counters are 0.

  P2864> ip route errcnt cl
  P2864> ip route errcnt dis
  last route error code = 0
  ipRouteFail_Disable      0
  ipRouteFail_PktLen       0
  ipRouteFail_Header       0
  ipRouteFail_CkSum        0
  ipRouteFail_OptLen       0
  ipRouteFail_OptSRoute    0
  ipRouteFail_OptSSRoute   0
  ipRouteFail_OptRRoute    0
  ipRouteFail_TTL          0
  ipRouteFail_No_Route     0
  ipRouteFail_Wan_Route    0
  ipRouteFail_RnNull       0
  ipRouteFail_DF           0
  ipRouteFail_Fragment     0

2.

  p2864> ip route errcnt disp
  last route error code = a        <-- a hex value; the index pointing to the last error
  ipRouteFail_Disable      0       (index 0)
  ipRouteFail_PktLen       0       (index 1)
  ipRouteFail_Header       0       (index 2)
  ipRouteFail_CkSum        0
  ipRouteFail_OptLen       0
  ipRouteFail_OptSRoute    0
  ipRouteFail_OptSSRoute   0
  ipRouteFail_OptRRoute    0
  ipRouteFail_TTL          0
  ipRouteFail_No_Route     0
  ipRouteFail_Wan_Route    3       <-- This counter is increased by 1
  ipRouteFail_RtType       0
  ipRouteFail_DF           0
  ipRouteFail_Fragment     0

This ipRo

  IpxMatch             0
  IpxDefaultNotMatch   0
  IpxDestNetwork       0
  IpxDestSocket        0
  IpxSourceNode        0
  IpxDefaultMatch      0
  IpxPacketType        0
  IpxDestNode          0
  IpxSourceNetwork     0
  IpxSourceSocket      0

3. Start a PING, or start traffic from the LAN side, to trigger the outgoing call, and then display the filter counters again. If the 'Drop' field shows a non-zero number, the packet was filtered out, so no outgoing call was made when the packet was sent to the P-202H Plus v2.

4.
b. Enter the CI command 'sys stdio 0' in Menu 24.8 to disable the console idle timeout.
c. Start the TFTP client program and enter the P-202H Plus v2's IP address.
d. To upload the configuration file, put the local configuration file to the P-202H Plus v2 with the remote file name 'rom-0'.
Reference

1. ISDN Disconnection Cause

The source of these ISDN cause codes is ETS 300 102-1 Annex G. You can download the complete ETS 300 102-1 standard, the layer 3 basic call control, from the site www.etsi.org.

  42  Switching equipment congestion
  43  Access information discarded
  44  Requested circuit/channel not available
  47  Resource unavailable, unspecified

Service or Option not Available Class
  49  Quality of service not available
  50  Requested facility not subscribed
  57  Bearer capability not authorized
  58  Bearer capability not presently available
  63  Service or option not available, unspecified

Service or Option not Implemented Class
  65  Bearer capability not implemented
  66

  91  Invalid transit network selection
  95  Invalid message, unspecified

Protocol Error (e.g.
  0003 to 001f  reserved (transparency inefficient)
  0021          Internet Protocol version 4
  0023          OSI Network Layer
  0025          Xerox NS IDP
  0027          DECnet Phase IV
  0029          AppleTalk
  002b          Novell IPX
  002d          Van Jacobson Compressed TCP/IP
  002f          Van Jacobson Uncompressed TCP/IP
  0031          Bridging PDU
  0033          Stream Protocol (ST-II)
  0035          Banyan Vines
  0037 0039 003b 003d 003f 0041 0043 0045 0047 0049 004b 004d 004f 0051 0053 0055 0057 006f 0071 0073 007d 007f 0081 0083 00c1 00cf 00fb 00fd 00ff 02xx-1exx 0201 0203

  0205  DEC LANBridge100 Spanning Tree
  0207  Cisco Discovery Protocol [Sastry]
  0209  Netcs Twin Routing [Korfmacher]
  0231  Luxcom
  0233  Sigma Network Systems
  0235  Apple Client Server Protocol [Ridenour]
  0281  Tag Switching - Unicast [Davie]
  0283  Tag Switching - Multicast [Davie]
  4001  Cray Communications Control Protocol [Stage]
  4003  CDPD Mobile Network Registration Protocol [Quick]
  4021  Stacker LZS [Simpson]
  4023  RefTek Protocol [Banfill]

• NCP Layer Number
  8001-801f 8021 8023 8025

  806f  Stampede Bridging Control Protocol
  8071  Reserved [Fox]
  8073  MP+ Control Protocol [Smith]
  807d  Not Used - reserved [RFC1661]
  8081  Reserved Until 20-Oct-2000 [IANA]
  8083  Reserved Until 20-Oct-2000 [IANA]
  80c1  NTCITS IPI Control Protocol [Ungar]
  80cf  Not Used - reserved [RFC1661]
  80fb  single link compression in multilink control [RFC1962]
  80fd  Compression Control
  80ff 8207 8209 8235 8281 8283

• c021 c023 c025 c027 c029 c02b c02d c081 c223 c225 c227 c229 c26f c281 c283 c481
datagrams as Control Protocols (such as LCP).

• PPP LCP AND IPCP CODES

The Point-to-Point Protocol (PPP) Link Control Protocol (LCP), the Compression Control Protocol (CCP), the Internet Protocol Control Protocol (IPCP), and other control protocols contain an 8-bit Code field which identifies the type of packet.
  3   Authentication-Protocol
  4   Quality-Protocol
  5   Magic-Number
  6   DEPRECATED (Quality-Protocol)
  7   Protocol-Field-Compression
  8   Address-and-Control-Field-Compression
  9   FCS-Alternatives [RFC1570]
  10  Self-Describing-Pad [RFC1570]
  11  Numbered-Mode [RFC1663]
  12  DEPRECATED (Multi-Link-Procedure)
  13  Callback [RFC1570]
  14  DEPRECATED (Connect-Time)
  15  DEPRECATED (Compound-Frames)
  16  DEPRECATED (Nominal-Data-Encapsulation)
  17  Multilink-MRRU [RFC1717]
  18  Multilink-
  19 20 21 22 23 24 25 26 27

  0      OUI [RFC1968]
  1      Deprecated (DESE) [Fox]
  2      DESE [Kummert]
  3      DESE-bis [Fox]
  4-255  Unassigned

PPP CCP CONFIGURATION OPTION TYPES

A one-octet field is used in the Compression Control Protocol (CCP) to indicate the configuration option type [RFC1962].

  3  Length-Field-Present [RFC1963]
  4  Multi-Port [RFC1963]
  5  Transport-Mode [RFC1963]
  6  Maximum-Frame-Size [RFC1963]
  7  Allow-Odd-Frames [RFC1963]
  8  FCS-Type [RFC1963]
  9  Flow-Expiration-Time [RFC1963]

Note that Option Types 5-8 are specific to a single port and require port numbers in their format. Option Types 6-8 are specific to the HDLC-Synchronous Transport-Mode.

  Class  Description
  -----  ------------------------------------
  0      Null Class [RFC1717]
  1      Locally Assigned [RFC1717]
  2      Internet Protocol (IPv4) [RFC1717]
  3      IEEE 802.
• PPP ATCP CONFIGURATION OPTION TYPES

The Point-to-Point Protocol (PPP) AppleTalk Control Protocol (ATCP) specifies a number of Configuration Options [RFC-1378] which are distinguished by an 8-bit Type field.

The Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP) specifies a number of Configuration Options which are distinguished by an 8-bit Type field.

  4  DEC LANbridge 100 spanning tree protocol

• PPP INTERNETWORK PACKET EXCHANGE CONTROL PROTOCOL (IPXCP)

IPXCP CONFIGURATION OPTIONS

  Option  Description                 Reference
  ------  --------------------------  ---------
  1       IPX-Network-Number          [RFC1552]
  2       IPX-Node-Number             [RFC1552]
  3       IPX-Compression-Protocol    [RFC1552]
  4       IPX-Routing-Protocol        [RFC1552]
  5       IPX-Router-Name             [RFC1552]
  6       IPX-Configuration-Complete  [RFC1552]

• IPX COMPRESSION PROTOCOL VALUES

  Value

Option is not included in a Configure-Request packet, the default value for that Configuration Option is assumed. NBFCP uses the same Configuration Option format defined for LCP, with a separate set of Options.
3. Port Numbers

The following list contains port numbers for well-known services as defined by RFC 1060 (Assigned Numbers).

Format: <service name> <port>/<protocol> [aliases...] [# comment]

  hostnames    101/tcp  hostname        # usually from sri-nic
  iso-tsap     102/tcp
  dictionary   103/tcp  webster
  x400         103/tcp                  # ISO Mail
  x400-snd     104/tcp
  csnet-ns     105/tcp
  pop          109/tcp  postoffice
  pop2         109/tcp                  # Post Office
  pop3         110/tcp  postoffice
  portmap      111/tcp
  portmap      111/udp
  sunrpc       111/tcp
  sunrpc       111/udp
  auth         113/tcp  authentication
  sftp         115/tcp
  path         117/tcp
  uucp-path    117/tcp
  nntp         119/tcp  usenet          # Network News Transfer
  ntp          123/udp  ntpd ntp        # network time protocol
  nbname       137/udp
  nbdatagram   138/udp

  courier      530/tcp  rpc
  conference   531/tcp  chat
  rvd-control  531/udp  MIT disk
  netnews      532/tcp  readnews
  netwall      533/udp                  # -for emergency broadcasts
  uucp         540/tcp  uucpd           # uucp daemon
  klogin       543/tcp                  # Kerberos authenticated rlogin
  kshell       544/tcp  cmd             # and remote shell
  new-rwho     550/udp  new-who         # experimental
  remotefs     556/tcp  rfs_server rfs  # Brunhoff remote filesystem
  rmonitor     560/udp  rmonitord       # experimental
  monitor      561/udp                  # experimental
  garcon       600/tcp
  maitrd       601/tcp
  busboy       602/tcp
  acct

  rscs0      10000/udp
  queue      10001/tcp
  rscs1      10001/udp
  poker      10002/tcp
  rscs2      10002/udp
  gateway    10003/tcp
  rscs3      10003/udp
  remp       10004/tcp
  rscs4      10004/udp
  rscs5      10005/udp
  rscs6      10006/udp
  rscs7      10007/udp
  rscs8      10008/udp
  rscs9      10009/udp
  rscsa      10010/udp
  rscsb      10011/udp
  qmaster    10012/tcp
  qmaster    10012/udp

4. Protocol Numbers

In the Internet Protocol version 4 (IPv4) [RFC791] there is a field, called "Protocol", to identify the next level protocol. This is an 8-bit field.
  Decimal  Keyword    Protocol                              References
  13       ARGUS      ARGUS                                 [RWS4]
  14       EMCON      EMCON                                 [BN7]
  15       XNET       Cross Net Debugger                    [IEN158,JFH2]
  16       CHAOS      Chaos                                 [NC3]
  17       UDP        User Datagram                         [RFC768,JBP]
  18       MUX        Multiplexing                          [IEN90,JBP]
  19       DCN-MEAS   DCN Measurement Subsystems            [DLM1]
  20       HMP        Host Monitoring                       [RFC869,RH6]
  21       PRM        Packet Radio Measurement              [ZSU]
  22       XNS-IDP    XEROX NS IDP                          [ETHERNET,XEROX]
  23       TRUNK-1    Trunk-1                               [BWB6]
  24       TRUNK-2    Trunk-2                               [BWB6]
  25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

  57       SKIP       SKIP                                  [Markson]
  58       IPv6-ICMP  ICMP for IPv6                         [RFC1883]
  59       IPv6-NoNxt No Next Header for IPv6               [RFC1883]
  60       IPv6-Opts  Destination Options for IPv6          [RFC1883]
  61                  any host internal protocol            [IANA]
  62       CFTP       CFTP                                  [CFTP,HCF2]
  63                  any local network                     [IANA]
  64       SAT-EXPAK  SATNET and Backroom EXPAK             [SHB]
  65       KRYPTOLAN  Kryptolan                             [PXL1]
  66       RVD        MIT Remote Virtual Disk Protocol      [MBG]
  67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101

  102      PNNI        PNNI over IP                         [Callon]
  103      PIM         Protocol Independent Multicast       [Farinacci]
  104      ARIS        ARIS                                 [Feldman]
  105      SCPS        SCPS                                 [Durst]
  106      QNX         QNX                                  [Hunter]
  107      A/N         Active Networks                      [Braden]
  108      IPPCP       IP Payload Compression Protocol      [Doraswamy]
  109      SNP         Sitara Networks Protocol             [Sridhar]
  110      Compaq-Peer Compaq Peer Protocol                 [Volpe]
  111      IPX-in-IP   IPX in IP                            [Lee]
  112      VRRP        Virtual Router Redundancy Protocol   [Hinden]
  113      PGM         PGM Reliable Transport Protocol      [Speakman]
  114                  any 0-hop protocol                   [
-3028   the node is not found
-3029   the node is inactive
-3030   dial fail
-3031   no budget
-3032   radius authentication fail
-3033   CLID is required
-3034   CLID can not be found
-3035   an outgoing call has already been placed for this remote node
-3036   call is blocked
-3037   invalid phone number
-3038   remote side is busy
-3039   no carrier
-3040   no dial tone
-3041   remote node is not active
-3042   no answer received
-3043   dial timeout
-3045   redial stopped
-3046   redial no number
-3047   (description not legible in this copy)
-3048   (description not legible in this copy)
Meaning: call failed, packet is filtered.
Solution: clean the filter set and reboot.

-3004
Message: PINI ERROR netMakeChannDial: err=-3004, rn_p=576de0
Meaning: call failed because no interface is available.
Solution: reboot or drop one line.

-3005
Message: PINI ERROR netMakeChannDial: err=-3005, rn_p=576de0
Meaning: call failed, both channels are down or occupied.
Solution: initialize the ISDN line or drop one line.
Meaning: waiting for RADIUS authentication.
Solution: do nothing; this message is informational.

-3026
Message: PINI ERROR netMakeChannDial: err=-3026, rn_p=576de0
Meaning: RADIUS callback failed.
Solution: do nothing; this message is informational.

-3028
Message: PINI ERROR netMakeChannDial: err=-3028, rn_p=576de0
Meaning: cannot find the remote node.
Solution: check the configuration.

-3029
Message: PINI ERROR netMakeChannDial: err=-3029, rn_p=576de0
Meaning: the node is not active.
-3035
Message: PINI ERROR netMakeChannDial: err=-3035, rn_p=576de0
Meaning: call conflict; a RING was received after an outgoing call had already been placed for this remote node.
Solution: do nothing; this message is informational.

-3036
Message: PINI ERROR netMakeChannDial: err=-3036, rn_p=576de0
Meaning: call is blocked because the number is in the blacklist.
Solution: remove it from the blacklist in Menu 24.9.2.
-3045
Message: PINI ERROR netMakeChannDial: err=-3045, rn_p=576de0
Meaning: redial stopped.
Solution: do nothing; this message is informational.

-3046
Message: PINI ERROR netMakeChannDial: err=-3046, rn_p=76de0
Meaning: no number available to make a call again.
Solution: do nothing; this message is informational.
Meaning: the peer is using a different network protocol. (WARN - warning log)
Solution: not a problem.

39. Message: PP0a WARN CHAP : login to remote failed, please check user/pswd.
Meaning: login to the remote node failed.
Solution: check the login name and password.

40. Message: PP09 WARN Local IP mismatch, proposed 1.1.1.1 neg'd 209.24.163.33
Meaning: the peer wants to assign you an IP address that differs from the local IP address configured in Menu 3.2.
Meaning: 1. The wrong firmware was downloaded to this hardware, which does not have enough flash memory for that firmware; or 2. the download failed.
Solution: 1. Use hardware with enough flash memory for this firmware. 2. Download the firmware again.

45. Message: 9f PNET WARN ppp MP late arrival seq x877 M x0
Meaning: an earlier multilink PPP fragment arrived after a later one had already been received (out-of-order arrival).
Solution: not a problem.

46. Message: INFO addCallHistory: Transfer rate 255 is out of defined values.
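The error-code entries above (and the netMakeChannDial codes listed before them) split naturally into messages the notes call informational ("do nothing") and messages that need an operator to act. The following is an added example, not code from ZyXEL or from these notes: it parses the netMakeChannDial, CHAP-failure and Local-IP-mismatch lines quoted in this section from a constructed log sample, attaches the meaning and solution the notes give for each complete entry, and flags repeated CHAP failures. The function names (triage, summarize), the sample log and the suggested check for the IP-mismatch message (whose solution is not on the page) are this example's own.

```python
"""Added example (not from the ZyXEL support notes): triage the
netMakeChannDial / CHAP / Local IP mismatch log lines described in this
section into informational messages and ones that need attention.
The log lines below are constructed samples."""
import re
from collections import Counter

# (meaning, solution, informational) for the err codes whose entries are
# complete in this section; informational=True is where the notes say
# "do nothing".
DIAL_ERRORS = {
    -3004: ("call failed, no interface available", "reboot or drop one line", False),
    -3005: ("both channels are down or occupied", "initialize the ISDN line or drop one line", False),
    -3026: ("RADIUS callback failed", "do nothing", True),
    -3028: ("cannot find the remote node", "check the configuration", False),
    -3035: ("RING received after an outgoing call was already placed for this node", "do nothing", True),
    -3036: ("call is blocked: number is in the blacklist", "remove it from the blacklist in Menu 24.9.2", False),
    -3045: ("redial stopped", "do nothing", True),
    -3046: ("no number available to make a call again", "do nothing", True),
}

DIAL_RE = re.compile(r"netMakeChannDial: err=(-?\d+), rn_p=([0-9a-fA-F]+)")
CHAP_RE = re.compile(r"WARN CHAP : login to remote failed")
IP_MISMATCH_RE = re.compile(r"WARN Local IP mismatch, proposed (\S+) neg'd (\S+)")


def triage(lines):
    """Turn raw log lines into events tagged with meaning, solution and
    whether the notes call the message informational."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = DIAL_RE.search(line)
        if m:
            code = int(m.group(1))
            meaning, solution, info = DIAL_ERRORS.get(
                code, ("unknown netMakeChannDial error code",
                       "look the code up in the error list", False))
            events.append({"kind": "dial", "code": code, "rn_p": m.group(2),
                           "meaning": meaning, "solution": solution,
                           "informational": info})
            continue
        if CHAP_RE.search(line):
            events.append({"kind": "chap_fail", "code": None,
                           "meaning": "login to the remote node failed",
                           "solution": "check the login name and password",
                           "informational": False})
            continue
        m = IP_MISMATCH_RE.search(line)
        if m:
            events.append({"kind": "ip_mismatch", "code": None,
                           "proposed": m.group(1), "negotiated": m.group(2),
                           "meaning": "peer assigns an IP address different from the Menu 3.2 local IP address",
                           # the notes give no solution for this message; this check is an assumption
                           "solution": "compare the negotiated address with the Menu 3.2 local IP address",
                           "informational": False})
            continue
        events.append({"kind": "other", "code": None, "raw": line, "informational": True})
    return events


def summarize(events, chap_threshold=3):
    """Counts for a quick health check. Repeated CHAP failures are flagged
    separately because they recur on every dial attempt until the
    credentials are corrected."""
    counts = Counter("informational" if e["informational"] else "actionable" for e in events)
    chap = sum(1 for e in events if e["kind"] == "chap_fail")
    unknown = sorted({e["code"] for e in events
                      if e["kind"] == "dial" and e["code"] not in DIAL_ERRORS})
    return {"actionable": counts["actionable"],
            "informational": counts["informational"],
            "chap_failures": chap,
            "repeated_chap_failures": chap >= chap_threshold,
            "unknown_codes": unknown}


# Constructed sample log (not captured from a real unit).
SAMPLE_LOG = """\
PINI ERROR netMakeChannDial: err=-3036, rn_p=576de0
PINI ERROR netMakeChannDial: err=-3035, rn_p=576de0
PP0a WARN CHAP : login to remote failed, please check user/pswd.
PP0a WARN CHAP : login to remote failed, please check user/pswd.
PP0a WARN CHAP : login to remote failed, please check user/pswd.
PINI ERROR netMakeChannDial: err=-3046, rn_p=576de0
PINI ERROR netMakeChannDial: err=-3999, rn_p=576de0
PP09 WARN Local IP mismatch, proposed 1.1.1.1 neg'd 209.24.163.33
"""

if __name__ == "__main__":
    evs = triage(SAMPLE_LOG.splitlines())
    for e in evs:
        if not e["informational"]:
            print(e["kind"], e.get("code"), "->", e["solution"])
    print(summarize(evs))
```

Unknown error codes are deliberately treated as actionable rather than informational: a code the table does not know is exactly the one an operator should look at, and defaulting it to "do nothing" would hide it.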