Prestige to NETSCREEN Tunneling

  1. Setup Prestige
  2. Setup NETSCREEN

Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the User's Manual on the packaged CD-ROM.


This page describes how to set up a VPN connection between a Prestige and a NETSCREEN. As shown in the figure below, the tunnel between PC 1 and PC 2 secures the packets that flow between them. The settings required on the Prestige and on the NETSCREEN to set up this VPN tunnel are explained in the following sections.

 

The IP addresses we use in this example are as shown below.

  PC 1: 192.168.1.33
  Prestige: LAN 192.168.1.1, WAN 202.132.154.1
  NETSCREEN: LAN 192.168.78.1, WAN 168.10.10.66
  PC 2: 192.168.78.5

Note: The following configuration assumes that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP address, enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from the dynamic side to the fixed side, so that the fixed side learns the dynamic IP: the source IP is obtained from this connection and replaces the 0.0.0.0 entered earlier. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all.


1. Setup Prestige

  1. Log in to the Prestige by entering its LAN IP address in the browser's URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  2. Click Advanced, and click the VPN tab on the left.
  3. On the SUMMARY menu, select a policy to edit by clicking Edit.
  4. On the CONFIGURE-IKE menu, check the Active check box and give this policy a name.
  5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as configured on the NETSCREEN.
  6. Source IP Address Start and Source IP Address End are both the PC 1 IP in this example. If a range of IP addresses is used, enter the start IP and the end IP, for example 192.168.1.33 to 192.168.1.35.
  7. Destination IP Address Start and Destination IP Address End are both the PC 2 IP in this example (the secure remote host).
  8. My IP Addr is the WAN IP of the Prestige.
  9. Secure Gateway IP Addr is the remote secure gateway IP, that is, the NETSCREEN WAN IP in this example.
  10. Set Encapsulation Mode to Tunnel.
  11. Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
  12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as configured on the NETSCREEN.
  13. Enter the key string 12345678 in the Preshared Key text box, and click Apply.

See the screen shot:


If you use SMT management, the VPN configurations are as shown below.

1. Edit the IKE settings by setting the Edit IKE Setup option in menu 27.1.1 to Yes and then pressing 'Enter'.
2. There are two phases for IKE:

In Phase 1, the two IKE peers establish a secure channel for key exchange.
In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission.


2. Setup NETSCREEN For VPN

  1. Configure the NETSCREEN by using its web configurator.
  2. Log in to the NETSCREEN by entering its LAN IP address in the browser's URL field.

Create Local & Remote Secure Host:

  1. Click the Address menu and click the Trusted tab.
  2. Click New Address to add the local secure host (192.168.78.5 in this example) and give this host address a name (Local Secure Host in this example). See the screen shown below.

    Note: The Netmask field for a single IP must be 255.255.255.255. With a wrong netmask, the VPN cannot be established correctly.

  3. Click OK to save it.
  4. Click New Address to add the remote secure host (192.168.1.33 in this example) and give this host address a name (Remote Secure Host in this example). See the screen shown below.

    Note: The Netmask field for a single IP must be 255.255.255.255. With a wrong netmask, the VPN cannot be established correctly.

  5. Click OK to save it.

Create Outgoing & Incoming VPN Policy:

  1. Click the Policy menu and click the Outgoing tab.
  2. Click New Policy to configure the outgoing VPN policy.
  3. Give the policy a name.
  4. Select the Local Secure Host that we configured above as the Source Address.
  5. Select the Remote Secure Host that we configured above as the Destination Address.
  6. Select ANY as the Service.
  7. For the remaining settings, refer to the following screen shot, then click OK to save.
  8. Click the Policy menu and click the Incoming tab.
  9. Click New Policy to configure the incoming VPN policy.
  10. Give the policy a name.
  11. Select the Remote Secure Host that we configured above as the Source Address.
  12. Select the Local Secure Host that we configured above as the Destination Address.
  13. Select ANY as the Service.
  14. For the remaining settings, refer to the following screen shot, then click OK to save.

Create Phase 1 Proposal: Note that all phase 1 and phase 2 settings in NETSCREEN must be consistent with Prestige.

  1. Click the VPN menu and click the P1 Proposal tab.
  2. Click New Phase 1 Proposal to create the phase 1 proposal.
  3. Give this proposal a Name, for example Prestige.
  4. Select Preshare as the Authentication Method.
  5. Select Group 1 as the DH Group.
  6. Select DES-CBC as the Encryption Algorithm.
  7. Select MD5 as the Hash Algorithm.
  8. Enter 3600 in the Lifetime field and check the Sec checkbox. See the screen shot below.

Create Phase 2 Proposal:

  1. Click the VPN menu and click the P2 Proposal tab.
  2. Click New Phase 2 Proposal to create the phase 2 proposal.
  3. Check the Encryption (ESP) checkbox and select DES-CBC and MD5 as the Encryption Algorithm and the Authentication Algorithm. See the screen shot.

Create VPN Gateway:

  1. Click the VPN menu and click the Gateway tab.
  2. Click New Remote Tunnel Gateway to add the local VPN gateway, i.e., NETSCREEN.
  3. Give this gateway a name, for example NETSCREEN.
  4. Select Static IP Address for this example.
  5. Enter the WAN IP of the NETSCREEN in the IP Address field.
  6. Select Prestige, which we configured above, as the Phase 1 Proposal.
  7. Enter 12345678 as the Preshared Key and click OK to save. See the screen shot.
  8. Click New Remote Tunnel Gateway to add the remote VPN gateway, i.e., Prestige.
  9. Give this gateway a name, for example Prestige.
  10. Select Static IP Address for this example.
  11. Enter the WAN IP of the Prestige in the IP Address field.
  12. Select Prestige, which we configured above, as the Phase 1 Proposal.
  13. Enter 12345678 as the Preshared Key and click OK to save. See the screen shot.

Create AutoKey IKE:

  1. Click the VPN menu and click the AutoKey IKE tab.
  2. Click New AutoKey IKE Entry to add the entry for the local gateway, i.e., NETSCREEN.
  3. Select NETSCREEN as the Remote Gateway Tunnel Name.
  4. Select Prestige as the Phase 2 Proposal and click OK to save. See the screen shot.
  5. Click the VPN menu and click the AutoKey IKE tab.
  6. Click New AutoKey IKE Entry to add the entry for the remote gateway, i.e., Prestige.
  7. Select Prestige as the Remote Gateway Tunnel Name.
  8. Select Prestige as the Phase 2 Proposal and click OK to save. See the screen shot.
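
The rules this guide relies on (both gateways must agree on mode, algorithms and preshared key, each side's host entries must mirror the other's with a 255.255.255.255 netmask, and 0.0.0.0 marks a dynamic peer) can be checked on paper before either device is touched. The following Python script is an added example, not part of the original guide or of either vendor's tooling; the dictionary keys, function names and the 20-character key-length threshold are assumptions of this example. It also lists which of the settings used here (DES, MD5, DH Group 1, an 8-digit key) are obsolete by current standards.

```python
from ipaddress import ip_network

# Values transcribed from this page. Key names are invented for this example;
# "des" stands for both the Prestige's DES and NETSCREEN's DES-CBC label.
PRESTIGE = {"mode": "main", "proto": "esp", "enc": "des", "auth": "md5",
            "psk": "12345678", "my_ip": "202.132.154.1", "peer_ip": "168.10.10.66",
            "local": "192.168.1.33/255.255.255.255",
            "remote": "192.168.78.5/255.255.255.255"}
NETSCREEN = {"mode": "main", "proto": "esp", "enc": "des", "auth": "md5",
             "psk": "12345678", "my_ip": "168.10.10.66", "peer_ip": "202.132.154.1",
             "local": "192.168.78.5/255.255.255.255",
             "remote": "192.168.1.33/255.255.255.255", "dh_group": 1}
MUST_MATCH = ("mode", "proto", "enc", "auth", "psk")
MIN_PSK_LEN = 20  # threshold chosen for this example, not a vendor limit

def net(spec):
    # strict=False lets a host address with a wide mask parse as its network
    return ip_network(spec, strict=False)

def check_pair(a, b):
    """Return a list of reasons the two gateway configs cannot form a tunnel."""
    problems = [f"{k}: {a[k]!r} != {b[k]!r}" for k in MUST_MATCH if a[k] != b[k]]
    # Each side's local selector must equal the other side's remote selector.
    if net(a["local"]) != net(b["remote"]) or net(a["remote"]) != net(b["local"]):
        problems.append("traffic selectors do not mirror each other")
    # 0.0.0.0 as peer address means the peer has a dynamic IP (see the Note above).
    if a["peer_ip"] == b["peer_ip"] == "0.0.0.0":
        problems.append("both peers dynamic: neither side can initiate")
    for x, y in ((a, b), (b, a)):
        if x["peer_ip"] not in ("0.0.0.0", y["my_ip"]):
            problems.append(f"peer_ip {x['peer_ip']} is not the other side's WAN IP")
    return problems

def weak_settings(cfg):
    """Return the settings in cfg that are obsolete by current standards."""
    found = []
    if cfg["enc"] == "des":
        found.append("enc=des (56-bit key)")
    if cfg["auth"] == "md5":
        found.append("auth=md5")
    if cfg.get("dh_group") == 1:
        found.append("dh_group=1 (768-bit MODP)")
    if len(cfg["psk"]) < MIN_PSK_LEN:
        found.append("psk too short")
    return found

if __name__ == "__main__":
    print(check_pair(PRESTIGE, NETSCREEN))
    print(weak_settings(NETSCREEN))
```
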

After all of the above settings have been completed, you can start to access the remote secure PC. If the VPN is established successfully, you can see the traffic flow in the Traffic Log by clicking the Log menu. See the following screen shot.

You can also see the current active user in the Active Log by clicking the Log menu. See the following screen shot.