Prestige to NETSCREEN Tunneling
- Setup Prestige
- Setup NETSCREEN
Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the User's Manual on the CD-ROM included in the package.
This page explains how to set up a VPN connection between a Prestige and a NETSCREEN. As shown in the figure below, the tunnel between PC 1 and PC 2 ensures that the packets flowing between them are secure. The settings required on the Prestige and the NETSCREEN to set up this VPN tunnel are explained in the following sections.
The IP addresses we use in this example are as shown below.
PC 1 | Prestige | NETSCREEN | PC 2
192.168.1.33 | LAN: 192.168.1.1, WAN: 202.132.154.1 | LAN: 192.168.78.1, WAN: 168.10.10.66 | 192.168.78.5
Note: The following configuration assumes that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from the dynamic side to the fixed side, so that the dynamic side's current IP is made known to the fixed side: the source IP of this connection is obtained and written into the field that previously held 0.0.0.0. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all.
1. Setup Prestige
- Log in to the Prestige by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
- Click Advanced, then click the VPN tab on the left.
- On the SUMMARY menu, select a policy to edit by clicking Edit.
- On the CONFIGURE-IKE menu, check the Active check box and give a name to this policy.
- Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as configured in NETSCREEN.
- Source IP Address Start and Source IP Address End are both the PC 1 IP in this example. If a range of IP addresses is used, enter the start IP and the end IP, for example 192.168.1.33 to 192.168.1.35.
- Destination IP Address Start and Destination IP Address End are both the PC 2 IP in this example (the secure remote host).
- My IP Addr is the WAN IP of the Prestige.
- Secure Gateway IP Addr is the IP of the remote secure gateway, that is, the NETSCREEN WAN IP in this example.
- Set Encapsulation Mode to Tunnel.
- Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
- Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as configured in NETSCREEN.
- Enter the key string 12345678 in the Preshared Key text box, and click Apply.
See the screen shot:

If you use SMT management, the VPN configuration is as shown below.

1. Edit the IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing 'Enter'.
2. There are two phases for IKE:
In Phase 1, the two IKE peers establish a secure channel for key exchange.
In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission.

2. Setup NETSCREEN
For VPN
- Configure the NETSCREEN by using its web configurator.
- Log in to the NETSCREEN by entering its LAN IP address in the URL field.
Create Local & Remote Secure Host:
- Click the Address menu and click the Trusted tab.
- Click New Address to add the local secure host (192.168.78.5 in this example) and give a name to this host address (Local Secure Host in this example). See the screen shown below.
Note: The Netmask field for a single IP is 255.255.255.255. Do not enter a wrong netmask; otherwise, the VPN cannot be established correctly.

- Click OK to save it.
- Click New Address to add the remote secure host (192.168.1.33 in this example) and give a name to this host address (Remote Secure Host in this example). See the screen shown below.
Note: The Netmask field for a single IP is 255.255.255.255. Do not enter a wrong netmask; otherwise, the VPN cannot be established correctly.

- Click OK to save it.
Create Outgoing & Incoming VPN Policy:
- Click Policy menu and click Outgoing tab.
- Click New Policy to configure the outgoing VPN policy.
- Give a name to the policy.
- Select the Local Secure Host that we configured above as the Source
Address.
- Select the Remote Secure Host that we configured above as the Destination
Address.
- Select ANY as the Service.
- For the remaining settings, refer to the following screen shot, then click OK to save.


- Click Policy menu and click Incoming tab.
- Click New Policy to configure the incoming VPN policy.
- Give a name to the policy.
- Select the Remote Secure Host that we configured above as the Source
Address.
- Select the Local Secure Host that we configured above as the Destination
Address.
- Select ANY as the Service.
- For the remaining settings, refer to the following screen shot, then click OK to save.


Create Phase 1 Proposal: Note that all phase 1 and phase 2 settings in NETSCREEN must be
consistent with Prestige.
- Click VPN menu and click P1 Proposal tab.
- Click New Phase 1 Proposal to create phase 1 proposal.
- Give a Name for this proposal, for example Prestige.
- Select Preshare as the Authentication Method.
- Select Group 1 as DH Group.
- Select DES-CBC as Encryption Algorithm.
- Select MD5 as Hash Algorithm.
- Enter 3600 in the Lifetime field and check the Sec checkbox. See the screen shot below.

Create Phase 2 Proposal:
- Click VPN menu and click P2 Proposal tab.
- Click New Phase 2 Proposal to create phase 2 proposal.
- Check Encryption (ESP) checkbox and select DES-CBC and
MD5 as the Encryption Algorithm and the Authentication
Algorithm. See the screen shot.

Create VPN Gateway:
- Click VPN menu and click Gateway tab.
- Click New Remote Tunnel Gateway to add the local VPN gateway, i.e., NETSCREEN.
- Give a name to this gateway, for example NETSCREEN.
- Click Static IP Address, as used in this example.
- Enter the WAN IP of NETSCREEN in the IP Address field.
- Select Prestige, which we configured above, as the Phase 1 Proposal.
- Enter 12345678 as the Preshared Key and click OK
to save. See the screen shot.

- Click New Remote Tunnel Gateway to add the remote VPN gateway, i.e.,
Prestige.
- Give a name to this gateway, for example Prestige.
- Click Static IP Address, as used in this example.
- Enter the WAN IP of Prestige in the IP Address field.
- Select Prestige, which we configured above, as the Phase 1 Proposal.
- Enter 12345678 as the Preshared Key and click OK
to save. See the screen shot.

Create AutoKey IKE:
- Click VPN menu and click AutoKey IKE tab.
- Click New AutoKey IKE Entry to add the entry for the local gateway,
i.e., NETSCREEN.
- Select NETSCREEN as the Remote Gateway Tunnel Name.
- Select Prestige as Phase 2 Proposal and click OK
to save. See the screen shot.

- Click VPN menu and click AutoKey IKE tab.
- Click New AutoKey IKE Entry to add the entry for the remote gateway,
i.e., Prestige.
- Select Prestige as the Remote Gateway Tunnel Name.
- Select Prestige as Phase 2 Proposal and click OK
to save. See the screen shot.

After all of the above settings are complete, you can start to access the remote secure PC. If the VPN is established successfully, you can see the traffic flow in the Traffic Log by clicking the Log menu. See the following screen shot.
You can also see the current active user in the Active Log by clicking the Log menu. See the following screen shot.
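
The requirement that all phase 1 and phase 2 settings match on both gateways, together with the dynamic-IP note near the top of this page, can be checked before the tunnel is tested. The Python below is an added example, not ZyXEL or NetScreen code: it cross-checks the two sides using the values from this page, reports which side may initiate, and lists settings that use algorithms current IPsec guidance deprecates. The dictionary field names and the function names are hypothetical labels for the GUI fields.

```python
import ipaddress

# Constructed from the values on this page. Field names are hypothetical labels
# for the GUI fields, not a ZyXEL or NetScreen export format.
PRESTIGE = {"my_ip": "202.132.154.1", "secure_gw": "168.10.10.66",
            "local": "192.168.1.33/32", "remote": "192.168.78.5/32",
            "mode": "main", "encryption": "des", "authentication": "md5",
            "psk": "12345678"}
NETSCREEN = {"my_ip": "168.10.10.66", "secure_gw": "202.132.154.1",
             "local": "192.168.78.5/32", "remote": "192.168.1.33/32",
             "mode": "main", "encryption": "des", "authentication": "md5",
             "psk": "12345678", "dh_group": 1, "lifetime_s": 3600}

# Each side's field must equal the peer's opposite field.
MIRRORED = [("my_ip", "secure_gw"), ("secure_gw", "my_ip"),
            ("local", "remote"), ("remote", "local")]
ADDRESS_KEYS = {k for k, _ in MIRRORED}
ANY = "0.0.0.0"  # entered as secure gateway when the peer's IP is dynamic
# Algorithms and DH group that current IPsec guidance deprecates.
DEPRECATED = {"encryption": {"des"}, "authentication": {"md5"}, "dh_group": {1}}


def compare_peers(a, b):
    """Return (mismatches, unverified) for two gateway configurations."""
    net = lambda v: ipaddress.ip_network(v, strict=False)  # bare IP == /32
    mismatches = []
    for ka, kb in MIRRORED:
        if ANY in (a[ka], b[kb]):
            continue  # address is learned from the first incoming connection
        if net(a[ka]) != net(b[kb]):
            mismatches.append(f"{ka}={a[ka]} does not mirror peer {kb}={b[kb]}")
    for k in sorted((a.keys() & b.keys()) - ADDRESS_KEYS):
        if a[k] != b[k]:
            mismatches.append(f"{k} differs")  # values omitted: k may be the PSK
    # Settings only one side declares cannot be cross-checked from this data.
    return mismatches, sorted((a.keys() ^ b.keys()) - ADDRESS_KEYS)


def allowed_initiators(a, b):
    """A side can start IKE only if it knows its peer's address."""
    return [n for n, cfg in (("a", a), ("b", b)) if cfg["secure_gw"] != ANY]


def deprecated_params(cfg):
    """Names of settings in cfg that use a deprecated algorithm or group."""
    return sorted(k for k, bad in DEPRECATED.items() if cfg.get(k) in bad)
```

The DH group and lifetime come back as unverified because this page states them only for the NETSCREEN side.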
