![Zyxel ZyWALL USG 2000 [69/150] Create secure connections across the internet](/img/pdf.png)
Zyxel ZyWALL USG 2000 [69/150] Create secure connections across the internet
![Zyxel ZyWALL USG 2000 [69/150] Create secure connections across the internet](/views2/1169217/page69/bg45.png)
ZyWALL USG 20-2000 User’s Guide 69
CHAPTER 4
Create Secure Connections Across the
Internet
These sections cover using VPN to create secure connections across the Internet.
• IPSec VPN on page 69
• VPN Concentrator Example on page 71
• Hub-and-spoke IPSec VPN Without VPN Concentrator on page 73
• ZyWALL IPSec VPN Client Configuration Provisioning on page 75
• SSL VPN on page 77
• L2TP VPN with Android, iOS, and Windows on page 79
• One-Time Password Version 2 (OTPv2) on page 92
4.1 IPSec VPN
Besides using the VPN quick setup wizard to configure settings for an IPSec VPN tunnel, you can
use the Configuration > VPN > IPSec VPN screens to configure and activate or deactivate VPN
gateway and IPSec VPN connection policies. You can also connect or disconnect IPSec VPN
connections.
•Use the VPN Gateway screens to manage the ZyWALL’s VPN gateways. A VPN gateway specifies
the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You
can also activate or deactivate each VPN gateway.
•Use the VPN Connection screens to specify which IPSec VPN gateway an IPSec VPN connection
policy uses, which devices behind the IPSec routers can use the VPN tunnel, and the IPSec SA
settings (phase 2 settings). You can also activate or deactivate and connect or disconnect each
VPN connection (each IPSec SA).
4.1.1 Test the VPN Connection
After you configure the VPN gateway and VPN connection settings, set up the VPN settings on the
peer IPSec router and try to establish the VPN tunnel. To trigger the VPN, either try to connect to a
device on the peer IPSec router’s LAN or click Configuration > VPN > IPSec VPN > VPN
Connection and use the VPN connection screen’s Connect icon.
4.1.2 Configure Security Policies for the VPN Tunnel
You configure security policies based on zones. The new VPN connection was assigned to the
IPSec_VPN zone. By default, there are no security restrictions on the IPSec_VPN zone, so, next,
you should set up security policies that apply to the IPSec_VPN zone.
Содержание
- Default login details 1
- Quick start guide 1
- Unified security gateway 1
- User s guide 1
- Zywall usg series 1
- Important 2
- Keep this guide for future reference 2
- Note it is recommended you use the web configurator to configure the zywall 2
- Read carefully before use 2
- Related documentation 2
- Contents 3
- Create secure connections across the internet 9 3
- How to set up your network 9 3
- Introduction 3
- Managing traffic 5 3
- Protecting your network 3 3
- Appendix a legal information 45 4
- Maintenance 25 4
- Introduction 5
- Key applications 5
- Overview 5
- Ipv6 routing 6
- Vpn connectivity 6
- Load balancing 7
- Ssl vpn network access 7
- User aware access control 7
- Default zones interfaces and ports 8
- Management overview 9
- Web configurator 9
- Command line interface cli 10
- Vantage cnm 10
- Web configurator 10
- Web configurator access 10
- Navigation panel 12
- Title bar 12
- Web configurator screens overview 12
- Chapter 1 introduction 13
- Dashboard 13
- Folder or link tab function 13
- Monitor menu 13
- Table 4 monitor menu screens summary 13
- The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs see the web help for details on the dashboard 13
- The monitor menu screens display status and statistics information 13
- Zywall usg 20 2000 user s guide 13
- Chapter 1 introduction 14
- Configuration menu 14
- Folder or link tab function 14
- Table 5 configuration menu screens summary 14
- Use the configuration menu screens to configure the zywall s features 14
- Zywall usg 20 2000 user s guide 14
- Chapter 1 introduction 15
- Folder or link tab function 15
- Table 5 configuration menu screens summary continued 15
- Zywall usg 20 2000 user s guide 15
- Chapter 1 introduction 16
- Folder or link tab function 16
- Table 5 configuration menu screens summary continued 16
- Zywall usg 20 2000 user s guide 16
- Chapter 1 introduction 17
- Click a column heading to sort the table s entries according to that column s criteria 17
- Figure 11 sorting table entries by a column s criteria 17
- Folder or link tab function 17
- Maintenance menu 17
- Table 5 configuration menu screens summary continued 17
- Table 6 maintenance menu screens summary 17
- Tables and lists 17
- Use the maintenance menu screens to manage configuration and firmware files run diagnostics and reboot or shut down the zywall 17
- Web configurator tables and lists are flexible with several options for how to display their entries 17
- Zywall usg 20 2000 user s guide 17
- Chapter 1 introduction 19
- Figure 15 navigating pages of table entries 19
- Figure 16 common table icons 19
- Here are descriptions for the most common table icons 19
- Label description 19
- Table 7 common table icons 19
- The tables have icons for working with table entries you can often use the shift or ctrl key to select multiple entries to remove activate or deactivate 19
- When a list of available entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other in some lists you can also use the shift or ctrl key to select multiple entries and then use the arrow button to move them to the other list 19
- Working with lists 19
- Zywall usg 20 2000 user s guide 19
- Note failure to use the proper screws may damage the unit 20
- Note leave 10 cm of clearance at the sides and 20 cm in the rear 20
- Rack mounting 20
- Stopping the zywall 20
- Note make sure the screws are securely fixed to the wall and strong enough to hold the weight of the zywall with the connection cables 21
- Wall mounting 21
- Front panel 22
- Usg 1000 22
- Usg 2000 22
- Usg 20w 22
- Usg 300 22
- Wall mount the zywall horizontally the zywall s side panels with ventilation slots should not be facing up or down as this position is less safe 22
- Base t ports 23
- Dual personality interfaces 23
- Mini gbic slots 23
- Usg 100 23
- Usg 20 23
- Usg 200 23
- Usg 20w 23
- Usg 50 23
- Fiber optic cable and transceiver removal 24
- To avoid possible eye injury do not look into an operating fiber optic module s connectors or fiber optic cable 24
- Transceiver and fiber optic cable installation 24
- Front panel leds 25
- Maximizing throughput 25
- Chapter 1 introduction 26
- Led color status description 26
- Table 8 zywall usg 20 usg 1000 front panel leds continued 26
- Table 9 zywall usg 2000 front panel leds 26
- Zywall usg 20 2000 user s guide 26
- Chapter 1 introduction 27
- Led color status description 27
- Table 9 zywall usg 2000 front panel leds continued 27
- Zywall usg 20 2000 user s guide 27
- How to configure interfaces port roles and zones 29
- How to set up your network 29
- Wizard overview 29
- Configure a wan ethernet interface 30
- Configure port roles 31
- Configure zones 31
- How to configure a cellular interface 32
- Note the network selection is set to auto by default this means that the 3g usb modem may connect to another 3g network when your service provider is not in range or when necessary select home to have the 3g device connect only to your home network or local service provider this prevents you from being charged using the rate of a different isp 33
- Create the wlan interface 34
- How to set up a wireless lan 34
- Set up user accounts 34
- Wireless clients import the zywall s certificate 36
- How to configure ethernet ppp vlan bridge and policy routing 37
- Wireless clients use the wlan interface 37
- How to set up ipv6 interfaces for pure ipv6 routing 38
- Ipv6 ipv6 38
- Note instead of using router advertisement you can use dhcpv6 to pass the network settings to the computers on the lan 38
- Note your isp or uplink router should enable router advertisement 39
- Setting up the lan interface 39
- Setting up the wan ipv6 interface 39
- Apply a network prefix from your isp 40
- Prefix delegation and router advertisement settings 40
- Ipv6 ipv6 41
- Note your isp or a dhcpv6 server in the same network as the wan should assign an ipv6 ip address for the wan interface 41
- Setting up the wan ipv6 interface 41
- Note you can configure the ipv6 address prefix length field instead if the delegated prefix is never changed 42
- Setting up the lan interface 42
- How to set up an ipv6 6to4 tunnel 44
- Ipv6 ipv4 44
- What can go wrong 44
- Configuration concept 45
- Lan1 ipv6 6to4 tunnel wan1 ipv4 45
- Setting up the lan ipv6 interface 45
- Setting up the 6to4 tunnel 46
- Testing the 6to4 tunnel 47
- What can go wrong 47
- Configuration concept 48
- How to set up an ipv6 in ipv4 tunnel 48
- Ipv6 in ipv4 48
- Ipv6 ipv4 48
- Lan1 ipv6 48
- Note in the ipv6 in ipv4 tunnel application you must configure the peer gateway s wan ipv4 address as the remote gateway ip 48
- Policy route wan1 ipv4 tunnel 48
- Setting up the ipv6 in ipv4 tunnel 48
- Setting up the lan ipv6 interface 49
- Setting up the policy route 50
- Testing the ipv6 in ipv4 tunnel 51
- What can go wrong 51
- Firewall 53
- Protecting your network 53
- User aware access control 54
- What can go wrong 54
- Device and service registration 55
- Endpoint security eps 55
- What can go wrong 55
- Anti virus policy configuration 56
- Note you need to first activate your anti virus service license or trial see device and service registration on page 55 56
- What can go wrong 57
- Idp profile configuration 58
- Note if internet explorer opens a warning screen about a script making internet explorer run slowly and the computer maybe becoming unresponsive just click no to continue 58
- Note you need to first activate your idp service license or trial see device and service registration on page 55 58
- Procedure to create a new profile 58
- Adp profile configuration 59
- Procedure to create a new adp profile 59
- Note if internet explorer opens a warning screen about a script making internet explorer run slowly and the computer maybe becoming unresponsive just click no to continue 60
- Content filter profile configuration 61
- Note you need to first activate your content filter service license or trial to use commtouch or bluecoat content filtering service see device and service registration on page 55 61
- Viewing content filter reports 63
- Anti spam policy configuration 66
- Note you need to first activate your anti spam service license or trial to use the mail scan functions sender reputation mail content analysis and virus outbreak detection see device and service registration on page 55 66
- Configure security policies for the vpn tunnel 69
- Create secure connections across the internet 69
- Ipsec vpn 69
- Test the vpn connection 69
- What can go wrong 70
- Branch office a 71
- Vpn concentrator example 71
- Branch office b 72
- Headquarters 72
- Branch office a zynos based zywall 73
- Hub and spoke ipsec vpn without vpn concentrator 73
- What can go wrong 73
- Branch office b zld based zywall 74
- Headquarters zld based zywall 74
- What can go wrong 74
- Overview of what to do 75
- Zywall ipsec vpn client configuration provisioning 75
- Configuration steps 76
- Ssl vpn 77
- What can go wrong 77
- What can go wrong 78
- L2tp vpn example 79
- L2tp vpn with android ios and windows 79
- L2tp_pool 192 68 0 0 192 68 0 0 lan1_subnet 192 68 x 79
- Configuring policy routing 81
- Configuring l2tp vpn in android 83
- Configuring l2tp vpn in ios 83
- Configuring l2tp in windows 7 or windows vista 84
- Configuring l2tp vpn in windows 84
- Create a connection object 84
- Configure the connection object 85
- Connect using l2tp vpn 86
- Configuring l2tp in windows xp 87
- One time password version 2 otpv2 92
- What can go wrong 92
- What can go wrong 93
- How to configure bandwidth management 95
- Managing traffic 95
- Bandwidth allocation example 96
- Setting the interface s bandwidth 96
- Sip any to wan and wan to any bandwidth management example 96
- Sip bandwidth management 96
- Http any to wan bandwidth management example 97
- Note use app patrol service for the services classified by the zywall s idp packet inspection signatures use service object for pre defined services 97
- Ftp wan to dmz bandwidth management example 99
- Ftp lan to dmz bandwidth management example 100
- How to configure a trunk for wan load balancing 102
- Set up available bandwidth on ethernet interfaces 102
- What can go wrong 102
- Configure the wan trunk 103
- Create the public ip address range object 104
- How to use multiple static public wan ip addresses for lan to wan traffic 104
- Active passive mode and legacy mode 105
- Configure the policy route 105
- How to use device ha to backup your zywall 105
- Active passive mode device ha example 106
- Management access ip addresses 106
- Synchronization 106
- Before you start 107
- Configure device ha on the master zywall 107
- Configure the backup zywall 108
- Check your device ha setup 110
- Deploy the backup zywall 110
- How to configure dns inbound load balancing 110
- What can go wrong 111
- Configure nat 112
- How to allow public access to a web server 112
- Set up a firewall rule 113
- 192 68 6 114
- How to allow incoming h 23 peer to peer calls 114
- How to manage voice traffic 114
- Turn on the alg 114
- What can go wrong 114
- Set up a nat policy for h 23 115
- Set up a firewall rule for h 23 116
- How to use an ippbx on the dmz 117
- Turn on the alg 117
- Set up a nat policy for the ippbx 118
- Set up a wan to dmz firewall rule for sip 118
- Set up a dmz to lan firewall rule for sip 119
- What can go wrong 119
- How to limit web surfing and msn to specific people 120
- Set up web surfing policies 120
- Set up msn policies 121
- What can go wrong 124
- Check service control 125
- How to allow management service from wan 125
- Maintenance 125
- Check firewall settings 126
- How to use a radius server to authenticate user accounts based on groups 128
- Example 1 microsoft windows 129
- How to use ssh for secure telnet access 129
- Example 2 linux 130
- How to manage zywall configuration files 130
- How to manage zywall firmware 131
- What can go wrong 131
- How to download and upload a shell script 132
- What can go wrong 132
- How to change a power module 133
- What can go wrong 133
- How to save system logs to a usb storage device 135
- Note make sure the usb device s file system is supported by the zywall it should not display unknown 135
- Note system logs saved on the zywall cannot be transferred to a usb device directly connected to the zywall the zywall saves new system logs to the connected usb storage after you complete the settings shown here 135
- Note you can check the remaining memory space in the dashboard screen 135
- How to get the zywall s diagnostic file 138
- What can go wrong 138
- How to capture packets on the zywall 139
- Packet capture screen 139
- Packet capture screen 141
- Example of viewing a packet capture cap file 142
- How to use packet flow explore for troubleshooting 143
- Legal information 145
- Ppendi 145
- Appendix a legal information 146
- Ce mark warning 146
- Certifications class a for zywall usg 300 1000 and 2000 146
- Fcc warning 146
- Federal communications commission fcc interference statement 146
- Notices 146
- Open source licenses 146
- Registration 146
- Taiwanese bsmi bureau of standards metrology and inspection a warning 146
- Viewing certifications 146
- Zywall usg 20 2000 user s guide 146
- Zyxel limited warranty 146
- Appendix a legal information 147
- Declaration of conformity with regard to eu directive 1999 5 ec r tte directive 147
- European union 147
- National restrictions 147
- Regulatory information 147
- Zywall usg 20 2000 user s guide 147
- Appendix a legal information 148
- Safety warnings 148
- Zywall usg 20 2000 user s guide 148
- Appendix a legal information 149
- Your product is marked with this symbol which is known as the weee mark weee stands for waste electronics and electrical equipment it means that used electrical and electronic products should not be mixed with general waste used electrical and electronic equipment should be treated separately 149
- Zywall usg 20 2000 user s guide 149
- Zywall usg 20w antenna warning this device meets etsi and fcc certification requirements when using the included antenna s only use the included antenna s zywall usg 20 20w if you wall mount your device make sure that no electrical lines gas or water pipes will be damaged 149
Похожие устройства
- Zyxel ZyWALL USG 2000 Справочник командного интерфейса
- Zyxel ZyWALL USG 2000 Инструкция по установке
- Zyxel ZyWALL USG 2000 Рекомендации по настройке
- HP 15-r254ur, l1s18ea Инструкция по эксплуатации
- HP 15-r256ur, l1t30ea Инструкция по эксплуатации
- HP 15-r259ur, l1t33ea Инструкция по эксплуатации
- HP 15-r269ur, m1k47ea Инструкция по эксплуатации
- HP pavilion 15-p156nr, k1y29ea Инструкция по эксплуатации
- HP pavilion 15-p157nr, k1y30ea Инструкция по эксплуатации
- HP pavilion 15-p201ur, l1s74ea Инструкция по эксплуатации
- Zyxel X8004 Инструкция по эксплуатации
- HP pavilion 15-p202ur, l1s76ea Инструкция по эксплуатации
- Zyxel P-791R v2 Инструкция по эксплуатации
- Zyxel P-791R v2 Инструкция по установке
- Zyxel P-791R v2 Рекомендации по настройке
- Zyxel P-791R v2 Технические характеристики
- Zyxel P-791R v2 Сертификат
- HP pavilion 15-p203ur, l1s78ea Инструкция по эксплуатации
- HP pavilion 15-p205ur, l1s80ea Инструкция по эксплуатации
- HP pavilion 15-p206ur, l1s82ea Инструкция по эксплуатации