VPN Overview
Prestige VPN
VPN Overview
A VPN gives users a secure link to access corporate network over the Internet or other public or private networks without the expense of lease lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
There are some reasons to use a VPN. The most common reasons are because of security
and cost.
Security
1). Authentication
With authentication, VPN receiver can verify the source of packets and guarantee the data
integrity.
2). Encryption
With encryption, VPN guarantees the confidentiality of the original user data.
Cost
1). Cut long distance phone charges
Because users typically dial the their local ISP for VPN, thus, long distance phone charge
is reduced than making a long direct connection to the remote office.
2).Reducing number of access lines
Many companies pay monthly charges for two types access lines: (1) high-speed links for
their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to
carry data. A VPN may allow a company to carry the data traffic over its Internet
access lines, thus reducing the need for some installed lines.
3. What are most common VPN protocols?
There are currently three major tunneling protocols for VPNs. They are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec).
PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade.
Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.
IPSec is a set of IP extensions developed by IETF (Internet Engineering Task Force) to
provide security services compatible with the existing IP standard (IPv.4) and also the
upcoming one (IPv.6). In addition, IPSec can protect any protocol that runs on top
of IP, for instance TCP, UDP, and ICMP. The IPSec provides cryptographic security
services. These services allow for authentication, integrity, access control, and
confidentiality. IPSec allows for the information exchanged between remote sites to be
encrypted and verified. You can create encrypted tunnels (VPNs), or just do encryption
between computers. Since you have so many options, IPSec is truly the most extensible and
complete network security solution.
7.
What secure protocols does IPSec support?
There are two protocols provided by IPSec, they are AH (Authentication Header, protocol number 51) and ESP (Encapsulated Security Payload, protocol number 50).
8. What are the differences between 'Transport mode' and 'Tunnel mode?
The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for security gateway to provide IPSec service for other machines lacking of IPSec capability.
In this case, Transport mode only protects the upper-layer protocols of IP payload (user data). Tunneling mode protects the entire IP payload including user data.
There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode and tunnel mode.
A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms they will use.
IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN.
There are two phases in every IKE negotiation- phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called 'Pre-shared' because you have to share it with another party before you can communicate with them over a secure connection.
12. What are the differences between IKE and manual key VPN?
The only difference between IKE and manual key is how the encryption keys and SPIs are determined.
IKE is more secure than manual key, because IKE negotiation can generate new keys and
SPIs randomly for the VPN connection.
Prestige VPN
1. How do I configure Prestige VPN?
You can configure Prestige for VPN using SMT or Web configurator. Prestige 1 supports Web only.
2. How many VPN connections does Prestige support?
One Prestige 202H Plus supports 2 VPN connections.
3.
What VPN protocols are supported by Prestige VPN?
All Prestige series support ESP (protocol number 50) and AH (protocol number
51).
4. What types of
encryption does Prestige VPN support?
Prestige supports 56-bit DES and 168-bit 3DES.
5.
What types of authentication does Prestige VPN support?
VPN vendors support a number of different authentication methods. Prestige VPN supports both SHA1 and MD5.
AH provides authentication, integrity, and replay protection (but not confidentiality).
Its main difference with ESP is that AH also secures parts of the IP header of the packet
(like the source/destination addresses), but ESP does not.
ESP can provide authentication, integrity, replay protection, and confidentiality of the
data (it secures everything in the packet that follows the header). Replay protection
requires authentication and integrity (these two go always together). Confidentiality
(encryption) can be used with or without authentication/integrity. Similarly, one could
use authentication/integrity with or without confidentiality.
6. I am planning my Prestige-to-Prestige VPN configuration. What do I need to
know?
First of all, both Prestige must have VPN capabilities. Please check the firmware version, V3.50 or later has the VPN capability.
If your Prestige is capable of VPN, you can find the VPN options in Advanced>VPN tab.
For configuring a "box-to-box VPN", there are some tips:
7. Does Prestige support dynamic secure gateway IP?
If the remote VPN gateways uses dynamic IP, we enter 0.0.0.0 as the Secure Gateway IP Address in Prestige. In this case, the VPN connection can only be initiated from dynamic side to fixed side in order to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, it is no way to establish VPN connection at all.
8. What VPN gateway that has been tested with Prestige successfully?
We have tested Prestige successfully with the following third party VPN gateways.
9. What VPN software that has been tested with Prestige
successfully?
We have tested Prestige successfully with the following third party VPN software.
10.Will
ZyXEL support Secure Remote Management?
Yes, we will support it and we are working on it
currently.
11. Does Prestige VPN support NetBIOS broadcast?
The current 3.40 firmware release does not support it. But it is in our wish list.
12. What are the difference between the 'My IP Address' and
'Secure Gateway IP Address' in Menu 27.1.1?
'My IP Adderss' is the Internet IP address of the local Prestige. The 'Secure
Gateway IP Address' is the Internet IP address of the remote IPSec gateway.
13. Is the host behind NAT allowed to use IPSec?
NAT Condition | Supported IPSec Protocol |
VPN Gateway embedded NAT | AH tunnel mode, ESP tunnel mode |
VPN client/gateway behind NAT* | ESP tunnel mode |
NAT in Transport mode | None |
* The NAT router must support IPSec pass through. For example, for Prestige SUA/NAT routers, IPSec pass through is supported since ZyNOS 3.21. The default port and the client IP have to be specified in menu 15-SUA Server Setup.
14. Why does VPN throughput decrease when staying in SMT menu 24.1?
If Prestige stays in menu 24.1, 24.8 and 27.3 a certain of memory is allocated to generate the required statistics. So, we do not suggest to stay in menu 24.1, 27.3 and 24.8 when VPN is in use.
15. How do I configure Prestige with NAT for internal servers?
Generally, without IPSec, to configure an internal server for outside access, we need to configure the server private IP and its service port in SUA/NAT Server Table.
However, if both NAT and IPSec is enabled in Prestige, the edit of the table is necessary only if the connection is a non-secure connections. For secure connections, none SUA server settings are required since private IP is reachable in the VPN case.
For example:
host-----------Prestige(NAT)-----------------Internet----Secure host
\
\
Non-secure host