
ZyWALL to ZyWALL Tunneling

http://www.zyxeltech.de/snotezw5_362/app/zw_zw.htm



1. Setup ZyWALL A
2. Setup ZyWALL B
3. Troubleshooting
4. View Log

This page guides you through setting up a VPN connection between two ZyWALL routers. Please note that, in addition to ZyWALL to ZyWALL, a ZyWALL can also talk to other VPN hardware. The tested VPN hardware is listed below:

- Cisco 1720 Router, IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES
- NetScreen 5, ScreenOS 2.6.0r6
- SonicWALL SOHO 2
- WatchGuard Firebox II
- ZyXEL ZyWALL
- Avaya VPN
- Netopia VPN III VPN

As shown in the figure below, the tunnel between ZyWALL 1 and ZyWALL 2 ensures that the packets flowing between PC 1 and PC 2 are secure, because packets that go through the IPSec tunnel are encrypted. To build this VPN tunnel, the settings required on each ZyWALL are explained in the following sections.

The IP addresses used in this example are as follows:

LAN 1: 192.168.1.0/24
ZyWALL A: LAN 192.168.1.1, WAN 202.132.154.1
ZyWALL B: LAN 192.168.2.1, WAN 168.10.10.66
LAN 2: 192.168.2.0/24

Note: The following configuration assumes that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, enter 0.0.0.0 as the Secure Gateway IP address. In this case the VPN connection can only be initiated from the dynamic side to the fixed side, so that the dynamic side's current IP is updated at the fixed side. If both gateways use dynamic IP addresses, please refer to "Secure Gateway with Dynamic WAN IP Address" for how to set it up.

1. Setup ZyWALL A

1. Using a web browser, log in to the ZyWALL by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
2. Go to SECURITY -> VPN and press the Add button.
3. Check the Active check box and give this policy a name.
4. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, the same as configured on ZyWALL B.
5. Source IP Address Start and Source IP Address End are the PC 1 IP in this example (the secure host behind ZyWALL A).
6. Destination IP Address Start and Destination IP Address End are the PC 2 IP in this example (the secure remote host).
7. My IP Addr is the WAN IP of ZyWALL A.
8. Secure Gateway IP Addr is the remote secure gateway IP, that is, the ZyWALL B WAN IP in this example.
9. Set Encapsulation Mode to Tunnel.
10. Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
11. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, the same as configured on ZyWALL B.
12. Enter the key string 12345678 in the Preshared Key text box, and click Apply.


23/05/2012 9:27


See the screen shot:

2. Setup ZyWALL B

Similar to the settings for ZyWALL A, ZyWALL B is configured in the same way.


1. Using a web browser, log in to the ZyWALL by entering its LAN IP address in the URL field.
2. Go to SECURITY -> VPN and press the Add button.
3. Check the Active check box and give this policy a name.
4. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, the same as configured on ZyWALL A.
5. Source IP Address Start and Source IP Address End are the PC 2 IP in this example (the secure host behind ZyWALL B).
6. Destination IP Address Start and Destination IP Address End are the PC 1 IP in this example (the secure remote host).
   Note: You may assign a range of Local/Remote IP addresses for multiple VPN sessions.
7. My IP Addr is the WAN IP of ZyWALL B.
8. Secure Gateway IP Addr is the remote secure gateway IP, that is, the ZyWALL A WAN IP in this example.
9. Set Encapsulation Mode to Tunnel.
10. Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
11. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, the same as configured on ZyWALL A.
12. Enter the key string 12345678 in the Preshared Key text box, and click Apply.

See the screen shot:
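The two rules in sections 1 and 2 must mirror each other exactly, and a typo in any one field on either side shows up only as a failed negotiation. As an added example (not ZyXEL's code), the script below encodes both rules with assumed field names and PC addresses constructed inside the example subnets, and reports every field that does not match or mirror:

```python
# Added example (not ZyXEL's code): consistency check for the two ZyWALL IPSec
# rules from sections 1 and 2. The dict keys are assumed labels for the web
# configurator fields; the PC 1 and PC 2 addresses are constructed.

ZYWALL_A = {
    "active": True, "keying_mode": "IKE", "negotiation_mode": "Main",
    "source": ("192.168.1.33", "192.168.1.33"),       # PC 1 (constructed)
    "destination": ("192.168.2.33", "192.168.2.33"),  # PC 2 (constructed)
    "my_ip": "202.132.154.1", "secure_gateway": "168.10.10.66",
    "encapsulation": "Tunnel", "esp": True, "ah": False,
    "encryption": "DES", "authentication": "MD5", "preshared_key": "12345678",
}
ZYWALL_B = {
    "active": True, "keying_mode": "IKE", "negotiation_mode": "Main",
    "source": ("192.168.2.33", "192.168.2.33"),       # PC 2 (constructed)
    "destination": ("192.168.1.33", "192.168.1.33"),  # PC 1 (constructed)
    "my_ip": "168.10.10.66", "secure_gateway": "202.132.154.1",
    "encapsulation": "Tunnel", "esp": True, "ah": False,
    "encryption": "DES", "authentication": "MD5", "preshared_key": "12345678",
}

# Fields that must be identical on both ends, and fields that must be swapped.
SAME = ("keying_mode", "negotiation_mode", "encapsulation", "esp", "ah",
        "encryption", "authentication", "preshared_key")
MIRRORED = (("source", "destination"), ("my_ip", "secure_gateway"))


def check_pair(a, b):
    """Return a list of mismatches; an empty list means the rules agree."""
    problems = []
    for key in SAME:
        if a[key] != b[key]:
            problems.append(f"{key}: A={a[key]!r} B={b[key]!r}")
    for left, right in MIRRORED:
        if a[left] != b[right]:
            problems.append(f"A.{left} {a[left]!r} != B.{right} {b[right]!r}")
        if a[right] != b[left]:
            problems.append(f"A.{right} {a[right]!r} != B.{left} {b[left]!r}")
    for label, p in (("A", a), ("B", b)):
        if not p["active"]:
            problems.append(f"{label}: rule is not Active")
        if p["ah"]:
            problems.append(f"{label}: AH selected, which cannot pass SUA/NAT")
    return problems
```

The example keeps the page's DES/MD5 and the key 12345678 so the check matches the tutorial; a tunnel deployed today should use a stronger cipher and a long random preshared key.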


3. Troubleshooting

Q: How do we know the above tunnel works?
A: If the connection between PC 1 and PC 2 is OK, we know the tunnel works.


Please try to ping from PC 1 to PC 2 (or from PC 2 to PC 1). If PC 1 and PC 2 can ping each other, the IPSec tunnel has been established successfully. If the ping fails, there are two methods to troubleshoot IPSec on the ZyWALL.

SECURITY -> VPN -> SA Monitor

Through the SA Monitor you can see every IPSec connection currently running on the ZyWALL. The third column of each entry shows the IPSec rule name. If you cannot see the name of your IPSec rule, the SA establishment has failed. Please go to SECURITY -> VPN -> VPN Rules to check your settings.

Using the CI commands "ipsec debug type 6" and "ipsec debug level 3"

Please enter 'ipsec debug 1' in Menu 24.8. There should be lots of detailed messages printed out to show how the negotiations take place. If the IPSec connection fails, please dump 'ipsec debug 1' for our analysis. The following shows an example of the dumped messages.
ras> ipsec de type <0:Disable | 1:Original on|off | 2:IKE on|off | 3: IPSec [SPI]|on|off | 4:XAUTH on|off | 5:CERT on|off | 6: All>
ras> ipsec de type 6
ras> ipsec de level <0:None | 1:User | 2:Low | 3:High>
ras> ipsec de level 3
catcher(): recv pkt
get_hdr(): nxt_payload<HASH> exch<ISAKMP Info>(5) m_id<0x9250B88D> len<68>
isadb_get_entry(): nxt_pyld=<HASH>, exch=<ISAKMP Info>
Old SA, sa->last_pyld=<HASH>, hdr.nxt_pyld=<HASH>
sa->last_mid=0x9DDB9D5, hdr.m_id=0x9250B88D
sa->last_len=52, hdr.len=68
catcher(): header ENCR_BIT set, mid=0x9250B88D
conn_ent not exist yet
hdr.exch<ISAKMP Info>(5)
Peer starts new IPSec SA negotiation
sa->state = <QM idle>
create_conn_ent(): new conn_ent created
sa->saIndex = 32768
proxy_src<192.168.1.0> proxy_src_mask<255.255.255.0>
proxy_dst<172.22.3.83> proxy_dst_mask<172.22.3.83>
proxy_src_proto_id<0> proxy_dst_proto_id<0>
create_conn_ent(): done
decryp_pyld(): len=40 alg<DES>, decrypt OK
valid_pyld(): valid_pyld -- DEL(12) done
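To read a dump like this without scanning it by hand, here is an added example (not ZyXEL's code) that pulls the name<value> fields and the key events out of the debug text and compares the proxy IDs the peer proposed with the Source/Destination range of the local rule. The sample text is constructed from the lines above; the line layout and which proxy ID belongs to which end of the rule are assumptions.

```python
# Added example (not ZyXEL's code): extract the fields a troubleshooter looks at
# from a ZyWALL "ipsec debug" dump. SAMPLE_DUMP is constructed from the page's
# own dump lines; the line layout and field meanings are assumptions.
import ipaddress
import re

SAMPLE_DUMP = """\
get_hdr(): nxt_payload<HASH> exch<ISAKMP Info>(5) m_id<0x9250B88D> len<68>
Peer starts new IPSec SA negotiation
proxy_src<192.168.1.0> proxy_src_mask<255.255.255.0>
proxy_dst<172.22.3.83> proxy_dst_mask<172.22.3.83>
decryp_pyld(): len=40 alg<DES>, decrypt OK
valid_pyld(): valid_pyld -- DEL(12) done
"""

FIELD = re.compile(r"(\w+)<([^>]*)>")   # matches name<value> tokens


def parse_debug(text):
    """Collect name<value> fields (first occurrence wins) plus the events mentioned."""
    info = {}
    for name, value in FIELD.findall(text):
        info.setdefault(name, value)
    info["decrypt_ok"] = "decrypt OK" in text          # our PSK/cipher matched the peer's
    info["new_sa"] = "new IPSec SA negotiation" in text # peer opened Quick Mode
    info["delete_payload"] = "DEL(" in text            # peer sent an ISAKMP Delete
    return info


def proxy_network(addr, mask):
    """Build the network a proxy ID describes."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        # The mask is not a netmask (the page's dump repeats the address in
        # proxy_dst_mask); assumption: treat such an ID as a single host.
        return ipaddress.ip_network(f"{addr}/32")


def proxy_ids_match(info, expected_src, expected_dst):
    """Compare the peer's proxy IDs with the local rule's ranges, given in CIDR."""
    src = proxy_network(info["proxy_src"], info["proxy_src_mask"])
    dst = proxy_network(info["proxy_dst"], info["proxy_dst_mask"])
    return (src == ipaddress.ip_network(expected_src),
            dst == ipaddress.ip_network(expected_dst))
```

A mismatch in either position is the first thing to compare against the Source/Destination IP Address ranges of the VPN rule on both ZyWALLs.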

4. View Log

To view the log for IPSec and IKE connections, please go to Logs -> View Log and select IKE from the Display drop-down list. The log menu is also useful for troubleshooting; please capture it and send it to ZyXEL support if necessary. The example shown below is a successful IPSec connection.
