IPSec FAQ


VPN Overview

  1. What is VPN?
  2. Why do I need VPN?
  3. What are most common VPN protocols?
  4. What is PPTP?
  5. What is L2TP?
  6. What is IPSec?
  7. What secure protocols dose IPSec support?
  8. What are the differences between 'Transport mode' and 'Tunnel mode?
  9. What is SA?
  10. What is IKE?
  11. What is Pre-Shared Key?
  12. What are the differences between IKE and manual key VPN?

Prestige VPN

  1. How do I configure Prestige VPN?
  2. How many VPN connections does Prestige support?
  3. What VPN protocols are supported by Prestige VPN?
  4. What types of encryption does Prestige VPN support?
  5. What types of authentication does Prestige VPN support?
  6. I am planning my Prestige-to-Prestige VPN configuration. What do I need to know?
  7. Does Prestige support dynamic secure gateway IP?
  8. What VPN gateway that has been tested with Prestige successfully?
  9. What VPN software that has been tested with Prestige successfully?
  10. Will ZyXEL support Secure Remote Management?
  11. Does Prestige VPN support NetBIOS broadcast?
  12. What are the difference between 'My IP Address' and 'Secure Gateway IP Address' in Menu 27.1.1?
  13. Is the host behind NAT allowed to use IPSec? 
  14. Why does VPN throughput decrease when staying in SMT menu 24.1?
  15. How do I configure Prestige with NAT for internal servers?

VPN Overview

1. What is VPN?

A VPN gives users a secure link to access corporate network over the Internet or other public or private networks without the expense of lease lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

2. Why do I need VPN?

There are some reasons to use a VPN. The most common reasons are because of security and cost.

Security

1). Authentication

With authentication, VPN receiver can verify the source of packets and guarantee the data integrity.

2). Encryption

With encryption, VPN guarantees the confidentiality of the original user data.

Cost

1). Cut long distance phone charges

Because users typically dial the their local ISP for VPN, thus, long distance phone charge is reduced than making a long direct connection to the remote office.

2).Reducing number of access lines

Many companies pay monthly charges for two types access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its  Internet access lines, thus reducing the need for some installed lines.

3. What are most common VPN protocols?

There are currently three major tunneling protocols for VPNs. They are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec).

4. What is PPTP?

PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade.

5. What is L2TP?

Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.

6. What is IPSec?

IPSec is a set of IP extensions developed by IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv.4) and also the upcoming one (IPv.6). In addition, IPSec can protect any protocol that runs  on top of IP, for instance TCP, UDP, and ICMP. The IPSec provides cryptographic security services. These services allow for authentication, integrity, access control, and confidentiality. IPSec allows for the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution.

7. What secure protocols does IPSec support?

There are two protocols provided by IPSec, they are AH (Authentication Header, protocol number 51) and ESP (Encapsulated Security Payload, protocol number 50).

8. What are the differences between 'Transport mode' and 'Tunnel mode?

The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for security gateway to provide IPSec service for other machines lacking of IPSec capability.

In this case, Transport mode only protects the upper-layer protocols of IP payload (user data). Tunneling mode protects the entire IP payload including user data.

There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode and tunnel mode.

9. What is SA?

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms they will use.

10. What is IKE?

IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN.

There are two phases in every IKE negotiation- phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.

11. What is Pre-Shared Key?

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called 'Pre-shared' because you have to share it with another party before you can communicate with them over a secure connection.

12. What are the differences between IKE and manual key VPN?

The only difference between IKE and manual key is how the encryption keys and SPIs are determined.

IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly for the VPN connection.


Prestige VPN

1. How do I configure Prestige VPN?

You can configure Prestige for VPN using SMT or Web configurator. Prestige 1 supports Web only.

2. How many VPN connections does Prestige support?

One Prestige 202H Plus supports 2 VPN connections.

3. What VPN protocols are supported by Prestige VPN?

All Prestige series support ESP (protocol number 50) and AH (protocol number 51).

4. What types of encryption does Prestige VPN support?

Prestige supports 56-bit DES and 168-bit 3DES.

5. What types of authentication does Prestige VPN support?

VPN vendors support a number of different authentication methods. Prestige VPN supports both SHA1 and MD5.

AH provides authentication, integrity, and replay protection (but not confidentiality). Its main difference with ESP is that AH also secures parts of the IP header of the packet (like the source/destination addresses), but ESP does not.

ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity (these two go always together). Confidentiality
(encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality.

6. I am planning my Prestige-to-Prestige VPN configuration. What do I need to know?

First of all, both Prestige must have VPN capabilities. Please check the firmware version, V3.50 or later has the VPN capability.

If your Prestige is capable of VPN, you can find the VPN options in Advanced>VPN tab.

For configuring a "box-to-box VPN", there are some tips:

  1. If there is a NAT router running in the front of Prestige, please make sure the NAT router supports to pass through IPSec.
  2. In NAT case (either run on the frond end router, or in Prestige VPN box), only IPSec ESP tunneling mode is supported since NAT againsts AH mode.
  3. Source IP/Destination IP-- Please do not number the LANs (local and remote) using the same exact range of private IP addresses. This will make VPN destination addresses and the local LAN addresses are indistinguishable, and VPN will not work.
  4. Secure Gateway IP Address -- This must be a public, routable IP address, private IP is not allowed. That means it can not be in the 10.x.x.x subnet, the 192.168.x.x subnet, nor in the range 172.16.0.0 - 172.31.255.255 (these address ranges are reserved by internet standard for private LAN numberings behind NAT devices). It is usually a static IP so that we can pre-configure it in Prestige for making VPN connections. If it is a dynamic IP given by ISP, you still can configure this IP address after the remote Prestige is on-line and its WAN IP is available from ISP.

7. Does Prestige support dynamic secure gateway IP?

If the remote VPN gateways uses dynamic IP, we enter 0.0.0.0 as the Secure Gateway IP Address in Prestige. In this case, the VPN connection can only be initiated from dynamic side to fixed side in order to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, it is no way to establish VPN connection at all.

8. What VPN gateway that has been tested with Prestige successfully?

We have tested Prestige successfully with the following third party VPN gateways.


9. What VPN software that has been tested with Prestige successfully?   

We have tested Prestige successfully with the following third party VPN software.

10.Will ZyXEL support Secure Remote Management?

Yes, we will support it and we are working on it currently.

11. Does Prestige VPN support NetBIOS broadcast?

The current 3.40 firmware release does not support it. But it is in our wish list.

12. What are the difference between the 'My IP Address' and 'Secure Gateway IP Address' in Menu 27.1.1?

'My IP Adderss' is the Internet IP address of the local Prestige. The 'Secure Gateway IP Address' is the Internet IP address of the remote IPSec gateway.

13. Is the host behind NAT allowed to use IPSec? 

NAT Condition Supported IPSec Protocol
VPN Gateway embedded NAT AH tunnel mode, ESP tunnel mode
VPN client/gateway behind NAT* ESP tunnel mode
NAT in Transport mode None

* The NAT router must support IPSec pass through. For example, for Prestige SUA/NAT routers, IPSec pass through is supported since ZyNOS 3.21. The default port and the client IP have to be specified in menu 15-SUA Server Setup.

14. Why does VPN throughput decrease when staying in SMT menu 24.1?

If Prestige stays in menu 24.1, 24.8 and 27.3 a certain of memory is allocated to generate the required statistics.  So, we do not suggest to stay in menu 24.1, 27.3 and 24.8 when VPN is in use.

15. How do I configure Prestige with NAT for internal servers?

Generally, without IPSec, to configure an internal server for outside access, we need to configure the server private IP and its service port in SUA/NAT Server Table. 

However, if both NAT and IPSec is enabled in Prestige, the edit of the table is necessary only if the connection is a non-secure connections. For secure connections, none SUA server settings are required since private IP is reachable in the VPN case.

For example:

host-----------Prestige(NAT)-----------------Internet----Secure host
                                                                                     \
                                                                                       \
                                                                                        Non-secure host