12. How many network users can the SUA support?
13. How do I capture the PPP log in my P-202H Plus v2?
14. Why do we need the input filter in menu 3.1 and call filter in menu 11.1?
15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European firmware)?
16. Does P-202H Plus v2 support MP callback to dial-in users?
17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting?
18.
13. Using Multi-NAT
IPSec VPN
1. Using IPSec VPN
2. P-202H Plus v2 vs 3rd Party VPN Gateway
3. P-202H Plus v2 vs 3rd Party VPN Software
4. Configure NAT for Internal Servers
5.
3. What data compression protocol does the P-202H Plus v2 support? The P-202H Plus v2 supports STAC compression. Please note that STAC is not enabled in the P-202H Plus v2 by default. You can enable it in Remote Node setup (SMT menu 11.2, Edit PPP Option).
P-202H Plus v2 Support Notes
The procedure for uploading via console is as follows.
a. Enter debug mode when powering on the P-202H Plus v2 using a terminal emulator
b. Enter 'ATUR' to start the uploading
c. Use X-modem protocol to transfer the ZyNOS code
d.
Internet concurrently for the cost of a single user account. When P-202H Plus v2 acting as SUA receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet header with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool.
13. How do I capture the PPP log in my P-202H Plus v2? The procedure to capture the PPP log in the P-202H Plus v2 is as follows. To enable the capture of the PPP log before a connection is established: a.
Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask. 16. What is DNS proxy? If enabled, DNS Proxy allows the P-202H Plus v2 to act as the DNS server for the local network. The P-202H Plus v2 gets the IP address of the actual DNS server from the remote site via IPCP negotiation.
17. What is a Nailed-up Connection and when do I need to use it? A Nailed-up Connection, when enabled, emulates a leased line connection even though the physical line is a dial-up connection. The P-202H Plus v2 dials and holds up a connection, without any traffic requesting it.
13. What is reminder ring? The P-202H Plus v2 sends a single short ring to your telephone every time a call has been forwarded (US switches only). 14. Why doesn't my answering machine on POTS port stop recording? Most answering machines stop recording when a busy tone is detected.
Yes. For details of the settings, please refer to the Tested SUA Applications page. 18. What are the differences between P-202H, P-202H Plus and P-202H Plus The differences between P-202H, P-202H Plus and P-202H Plus v2 are listed in the following table. Feature / Model...
One to block the traffic, and the other to permit traffic. 2. What makes P-202H Plus v2 secure? The P-202H Plus v2 is pre-configured to automatically detect and thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc.
4. The P-202H Plus v2's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet.
Internet access devices while still being protected by the P-202H Plus v2. In such a case, the network topology is the most important issue. Here is a common example of how people mis-deploy the static route.
To achieve Anti-DoS, the P-202H Plus v2 will send RST packets to the PC and the peer since it never receives the TCP SYN/ACK packet. Thus the connection will always be reset by the P-202H Plus v2.
Telnet your P-202H Plus v2. 3. Can I use a browser to configure my P-202H Plus v2? Yes, you can use a web browser to configure the P-202H Plus v2. 4. Why can't I configure my router using Telnet over WAN? There are three reasons that Telnet from WAN is blocked.
Log and alert 1. When does the P-202H Plus v2 generate the firewall log? The P-202H Plus v2 generates the log immediately when a packet matches, doesn't match (or both) a firewall rule. The log for Default Permit (LAN to WAN, WAN to LAN) is generated automatically.
4. When does the P-202H Plus v2 generate the firewall alert? The P-202H Plus v2 generates the alert when an attack is detected by the firewall and sends it via Email. So, to send the alert you must configure the mail server and Email address using Web Configurator.
6. What is the difference between the log and alert? A log entry is just added to the log inside the P-202H Plus v2 and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attack is detected.
P-202H Plus v2 VPN 1. How do I configure P-202H Plus v2 VPN? You can configure P-202H Plus v2 for VPN using SMT or Web configurator. P-202H Plus v2 1 supports Web only. 2. How many VPN connections does P-202H Plus v2 support? One P-202H Plus v2 supports 2 VPN connections.
1. If there is a NAT router running in front of the P-202H Plus v2, please make sure the NAT router supports IPSec pass-through. 2. In the NAT case (whether NAT runs on the front end router or in the P-202H Plus v2 VPN box), only IPSec ESP tunneling mode is supported since NAT is incompatible with AH mode.
12. What is the difference between the 'My IP Address' and 'Secure Gateway IP Address' in Menu 27.1.1? 'My IP Address' is the Internet IP address of the local P-202H Plus v2. The 'Secure Gateway IP Address' is the Internet IP address of the remote IPSec gateway.
14. Why does VPN throughput decrease when staying in SMT menu 24.1? If the P-202H Plus v2 stays in menu 24.1, 24.8 or 27.3, a certain amount of memory is allocated to generate the required statistics. So, we suggest not staying in menu 24.1, 27.3 or 24.8 when VPN is in use.
RADIUS, TACACS, etc. behind the remote VPN gateway. However, if connecting with the P-202H Plus v2, please do not check this box. The P-202H Plus v2 doesn't support this feature in current firmware. It will be supported in the near future.
9. What is the option "Attach the selected values to proposal only" for? To increase compatibility, Sentinel sends many kinds of possible proposals for its peer, say the P-202H Plus v2, to choose from. If you uncheck this option, Sentinel will only send out the proposal you configured. To decrease negotiation time, you can uncheck this option and verify that the phase 1/phase 2 parameters are consistent on both sides.
General Application Notes 1. Internet Access A typical Internet access application of the P-202H Plus v2 is shown below. For a small office, there are some components you need to check before accessing the Internet.
Windows CD or disk. When the drivers are updated, you will be asked if you want to restart the PC. Make sure your P-202H Plus v2 is powered on before answering Yes to the prompt. Repeat the above steps for each Windows PC on your network.
Example: Key Settings: • Pri Phone#= is the phone number your P-202H Plus v2 has to dial in order to access your ISP. • My Login and My Password are the login information provided by ISP.
• Example The following example shows how to dial to an ISP via the P-202H Plus v2 and then establish a tunnel to a private network. There will be three items that you need to set up for PPTP application, these are PPTP server (WinNT), PPTP client (Win9x) and the P-202H Plus v2.
P-202H Plus v2 router setup • Before making a VPN connection from Win9x to WinNT server, you need to connect P-202H Plus v2 router to your ISP first. • Enter the IP address of the PPTP server (WinNT server) and the port number for PPTP as shown below.
A service is identified by the port number. Also, since you need to specify the IP address of a server in the P-202H Plus v2, a server must have a fixed IP address and not be a DHCP client whose IP address potentially changes each time it is powered on.
15 to make the outgoing connection work. After the required menu 15 settings are completed the internal server or client applications can be accessed by using the P-202H Plus v2's WAN IP address. •...
Certain Quake servers do not allow multiple users to login using the same unique IP, so only one Quake user will be allowed in this case. Moreover, when a Quake server is configured behind SUA, P-202H Plus v2 will not be able to provide information of that server on the internet.
• Introduction This configuration note explains how to set up two P-202H Plus v2 routers for a LAN-to-LAN connection. Once the connection is established, the workstations on both LANs will be able to perform any TCP/IP applications (e.g., FTP, Telnet, etc.).
Server) Address-enter the IP address of the DNS server Default Gateway-the IP address of the P-202H Plus v2, the default gateway for LAN1 is P-202H Plus v2 1 and for LAN2 is P-202H Plus v2 2. The procedure for configuring these parameters for the workstations may differ depending on the type of TCP/IP networking software you are using on your workstations.
Introduction This configuration note explains what other settings you need to pay attention to when configuring the P-202H Plus v2 to talk to a Cisco router. Due to Cisco's authentication scheme, you need to configure some additional fields in the P-202H Plus v2 when talking to a Cisco device. There are two things you must pay attention to.
Introduction This configuration note explains how to set up a workstation using an ISDN TA to connect to the P-202H Plus v2 router. In this configuration, the workstation must have TCP/IP dial-up program installed such as Windows Dial-up Networking to make the call.
Ethernet Setup in SMT menu 3-enter the IP address of the P-202H Plus v2 and enable the DHCP server if it is required. To set up the P-202H Plus v2 for this application, make sure you have the following menus configured correctly.
Note: If the remote user uses the Win9x to dial in, the Recv Authen must be set to PAP because Windows 9x will not respond to any periodic CHAP challenge sent by the P-202H Plus v2 and will cause the P-202H Plus v2 to drop the call.
IP packets. But at the same time, the Generic filter rules must be applied at the point when the P-202H Plus v2 is receiving and sending the packets; i.e. the ISDN interface. So, the execution sequence has to be changed.
Please check the system log (Menu 24.3.1) before putting your device into use. Running the P-202H Plus v2 with wrong filter rules may cause it to keep the ISDN line perpetually active, and/or allow undesired traffic to pass to the outside world, and receive unwanted outside traffic.
FTP connections via LAN and WAN. So, it is possible that anyone can make an FTP connection over the Internet to your P-202H Plus v2. To prevent outside users from connecting to your P-202H Plus v2 via FTP, you can configure a filter to block FTP connections from WAN.
If you want to prevent an outbound Web request from triggering a call to the remote web server, you can configure a call filter set in the P-202H Plus v2 to block this packet. After the call filter is applied, the Web packet will not trigger the call to your ISP or remote node.
If you want to forbid a specific local client from triggering a call to ISP, you can configure a call filter set in P-202H Plus v2 to block the packets from this client. After the call filter is applied, the packet that is sent from this client would not trigger the call to your ISP or remote node.
The MAC address can be provided by the NICs. If a LAN packet passes through the P-202H Plus v2, you can identify the MAC address from the P-202H Plus v2's LAN packet trace. Please look at the following example to see the trace of the LAN packets.
Now a client on the LAN is trying to ping P-202H Plus v2………
ras> sys trcp sw off
ras> sys trcp disp
TIME: 37c060 enet0-RECV len:74 call=0
0000: [00 a0 c5 01 23 45] [00 80 c8 4c ea 63] 08 00 45 00...
From the above first trace, we know that a client is trying to ping the P-202H Plus v2 router. And from the second trace, we know that the P-202H Plus v2 router will send a reply to the client accordingly. The following sample filter will utilize the 'Generic Filter Rule' to block the MAC address [00 80 c8 4c ea 63].
Value (in hexadecimal): Specify the MAC address [00 80 c8 4c ea 63] that the P-202H Plus v2 should use to compare with the masked packet. If the result from the masked packet matches the 'Value', then the packet is considered matched.
Where /var/log/zyxel.log is the full path of the log file. 3. Restart syslogd. • ZyXEL Syslog Message Format P-202H Plus v2 sends 5 types of syslog messages to syslogd, they are: 1. CDR log 2. Packet Triggered log 3. Filter log 4.
Remote Call = a string type which represents the remote call number
Local Call = a string type which represents my (local) call number
Example:
Jul 19 12:08:25 192.168.1.1 ZyXEL Communications Corp.: Call Connect: Dir=2 Remote Call=5783942 Local Call=1
Jul 19 12:08:29 192.168.1.1 ZyXEL Communications Corp.: Call DisConnect: Dir=2 Remote Call=2453140 Local Call=1
7.
Set to Leased/Switch if you are using one 64K-leased line and one switch line The P-202H Plus v2 does not allow two leased lines to connect two different remote nodes. Therefore, if the Leased/Leased is configured in Menu 2, it allows a 128K-leased connection to a remote node or allows MP bundling to a remote node.
Enter the IP address assigned from ISP for P-202H Plus v2, enter '0.0.0.0' if the IP is dynamically assigned during the PPP connection.
Set the 'Transfer Type' to 'Leased' for the ISDN leased-line connection.
After saving this menu, you will be asked if you want to perform an Internet connection test.
Dial #3n#, where n is any number from 1 to 9, but should be identical to that used above. What is reminder ring? The P-202H Plus v2 sends a single short ring to your telephone every time a call has been forwarded (US switches only). What is MSN/subaddress and how do I do it?
ISDN packets through the BRI port. When the P-202H Plus v2 receives packets on its BRI port destined for one of the DCP clients, the router formats the packet as a DCP message and sends it to the corresponding client.
2, ISDN Data Number, the P-202H Plus v2 will answer the call as a data call. If the MSN does not match any MSN in menu 2, the P-202H Plus v2 will answer the call as a CAPI call and forward it to the CAPI client.
RADIUS is 1812. So, be sure which port your RADIUS server uses before configuring it in the P-202H Plus v2. [Note]: The P-202H Plus v2 is configured with default port 1645; please reboot the P-202H Plus v2 if it is changed to 1812.
203.66.113.187 key187 In this example, the new client 203.66.113.187 is the P-202H Plus v2 router. The key 'key187' must be configured in SMT Menu 23.2 later. 4. Enter the user profile including username and password in the 'Users' file. See an example below.
There are two types of callback that the P-202H Plus v2 supports, they are the CLID callback and MS CBCP callback using Dial-Up Networking. Unlike the CLID...
13, O/G Login and O/G Password. • Setup the P-202H Plus v2 for calling back to a remote node • Setup the P-202H Plus v2 for calling back to a dial-in user •...
Enter the remote phone number in this field which will be used for the CLID authentication. If this number does not match the Rem CLID one that the switch carries, the P-202H Plus v2 will drop the line due to the CLID authentication failure. Call Back Toggle to 'Yes' to turn on the callback function.
Enter the phone number of the remote node for calling back. Phone # • Setup the P-202H Plus v2 for calling back to a dial-in user Generally, there are several settings that must be checked when using the CLID callback. They are: The 'CLID Authentication' setting in menu 13 must be configured as 'Required' or 'Preferred'.
Associates particular object with their value. 2. ZyXEL SNMP Implementation ZyXEL currently includes SNMP support in some P-202H Plus v2 routers. It is implemented based on the SNMPv1, so it will be able to communicate with SNMPv1 NMSs. Further, users can also add ZyXEL's private MIB in the NMS to monitor and control additional system variables.
Downloading ZyXEL's private MIB 3. Configure the P-202H Plus v2 for SNMP The SNMP related settings in P-202H Plus v2 are configured in menu 22, SNMP Configuration. The following steps describe a simple setup procedure for configuring all SNMP settings.
'Set-community requested from the NMS. The default is Community 'public'. Enter the IP address of the NMS. The P-202H Plus v2 will only respond to SNMP messages coming from this IP address. If Trusted Host 0.0.0.0 is entered, the P-202H Plus v2 will respond to all NMS managers.
IP addresses to a global IP address. It is only one subset of the NAT. The ZyNOS V2.41 for the P-202H Plus v2 100IH is enhanced to support most of the features of the NAT based on RFC 1631, and we call this feature 'Multi-NAT'.
NAT supports five types of IP/port mapping. They are: 1. One to One In One-to-One mode, the P-202H Plus v2 maps one ILA to one IGA. 2. Many to One In Many-to-One mode, the P-202H Plus v2 maps multiple ILA to one IGA.
Plus v2 supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The P-202H Plus v2 312 supports 2 sets since there is only one remote node. The default SUA (Read Only) Set in menu 15.1 is a convenient, pre-configured, read only, Many-to-One mapping set,...
This page guides us to set up a VPN connection between two P-202H Plus v2 routers. Please note that, in addition to P-202H Plus v2 to P-202H Plus v2, the P-202H Plus v2 can also talk to other VPN hardware. The tested VPN hardware is shown below.
VPN connection at all. 1. Setup P-202H Plus v2 A 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
7. Destination IP Address Start and Destination IP Address End are PC 2 IP in this example (the secure remote host). 8. My IP Addr is the WAN IP of P-202H Plus v2 A. 9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-202H Plus v2 B WAN IP in this example.
2. Setup P-202H Plus v2 B Similar to the settings for P-202H Plus v2 A, P-202H Plus v2 B is configured in the same way. 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field.
12. Select Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in P-202H Plus v2 A. 13. Enter the key string 12345678 in the Preshared Key text box, and click Apply. See the screen shot:...
'ipsec debug 1' for our analysis. The following shows an example of dumped messages.
P-202H Plus v2> ipsec debug 1
IPSEC debug level 1
P-202H Plus v2> catcher(): recv pkt numPkt<1>
get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80>
f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034...
2. Setup P-202H Plus v2 VPN This page guides us to set up a VPN connection between the VPN software and the P-202H Plus v2 router. There are several devices we need to set up for this case. They are the VPN software and the P-202H Plus v2 router.
7. Click My Identity, then click the Pre-Shared Key icon on the right side of the window. 8. In the pop-up window, enter a key that you will later also need to configure in the P-202H Plus v2. In this example, we enter 12345678.
2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
If you use SMT management, the VPN configurations are as shown below.
Clear IPSec Log (y/n): P-202H Plus v2 to Cisco Tunneling This page guides us to set up a VPN connection between the P-202H Plus v2 and a Cisco router. As the figure below shows, the tunnel between the P-202H Plus v2 and the Cisco router ensures the packets flowing between them are secure. To set up this VPN tunnel, the required settings for the P-202H Plus v2 and the Cisco router are explained in the following sections.
0.0.0.0 field. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all. If the WAN IP of the P-202H Plus v2 is also a dynamic IP, we enter 0.0.0.0 as its My IP Address. When this IP is given by the ISP, it will be updated in this field.
See the screen shot: 4. From the Devices window choose a router, and add this router to the Network Diagram. Rename it as "P-202H Plus v2". Assign passwords, choose TCP/IP as its protocol, and then set the interface of WAN slot 0 as 1 Ethernet.
8. Select VPN, then click the right button of the mouse, and choose connection Properties. Set up the IPSec parameters as shown below. Note that the parameters you set here should match the settings in the P-202H Plus v2. In IKE Advanced Settings, Encryption Algorithm is 56-bit DES, Authentication Algorithm is MD5 and the SA lifetime is 1 hr.
See the screen shot: 10. Enter Cisco commands mode from console and check if Cisco can make a successful ping to P-202H Plus v2. You might have to tune the configuration to accommodate your practical environment. For more detailed information, please go to http://www.cisco.com 11.
IPSec VPN, "debug crypto ipsec". P-202H Plus v2 to SonicWALL Tunneling This page guides us to set up a VPN connection between the P-202H Plus v2 and SonicWALL. As the figure below shows, the tunnel between PC 1 and PC 2 ensures the packets flowing between them are secure. To set up this VPN tunnel, the required settings for the P-202H Plus v2 and SonicWALL are explained in the following sections.
1. Setup P-202H Plus v2 1. Log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
11. In the IPSec Keying Mode option, select IKE using pre-shared secret. 12. In the Name option, give a name for this SA. 13. In IPSec Gateway Address, enter the P-202H Plus v2 WAN IP. 14. In the Encryption Method option, select Encrypt and Authenticate (ESP DES HMAC MD5).
VPN connection at all. 1. Setup P-202H Plus v2 1. Log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
7. Destination IP Address Start and Destination IP Address End are PC 2 IP in this example. (the secure remote host) 8. My IP Addr is the WAN IP of P-202H Plus v2. 9. Secure Gateway IP Addr is the remote secure gateway IP, that is WatchGuard WAN IP in this example.
12. Select isakmp (dynamic) (IKE in P-202H Plus v2) as Key Negotiation Type and enter a string as Share Key. 13. Click Tunnels, and click Add. 14. Select the Gateway you had created and click OK.
WatchGuard. P-202H Plus v2 to NETSCREEN Tunneling This page guides us to set up a VPN connection between the P-202H Plus v2 and NETSCREEN. As the figure below shows, the tunnel between PC 1 and PC 2 ensures the packets flowing between them are secure. To set up this VPN tunnel, the required settings for the P-202H Plus v2 and NETSCREEN are explained in the following sections.
VPN connection at all. 1. Setup P-202H Plus v2 1. Log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
1. Click VPN menu and click P1 Proposal tab. 2. Click New Phase 1 Proposal to create phase 1 proposal. 3. Give a Name for this proposal, for example P-202H Plus v2. 4. Select Preshare as the Authentication Method. 5. Select Group 1 as DH Group.
2. Click New AutoKey IKE Entry to add the entry for the local gateway, i.e., NETSCREEN. 3. Select NETSCREEN as the Remote Gateway Tunnel Name. 4. Select P-202H Plus v2 as Phase 2 Proposal and click OK to save. See the screen shot.
This page guides us to set up a VPN connection between Checkpoint VPN and the P-202H Plus v2 router. As the figure below shows, the tunnel between the P-202H Plus v2 and Checkpoint ensures the packets flowing between them are secure, because the packets that go through the IPSec tunnel are encrypted.
2. Setup Checkpoint VPN Creating Network objects. Click on New/Network, define the LAN segment of the P-202H Plus v2. Select Location as External. (Note: Internal and external refer to whether this network is protected behind the Checkpoint or not.)
This page guides us to set up a VPN connection between the WIN2K VPN software and the P-202H Plus v2 router. There are several devices we need to set up for this case. They are the WIN2K VPN software and the P-202H Plus v2 router.
Because there are two endpoints, we need two filter rules. One is for the direction from PC 1 to PC 2 (endpoint is P-202H Plus v2), and the other is from PC 2 to PC 1 (endpoint is WIN2K). In each rule, a source IP and destination IP for local and remote VPN clients (PC 1 or PC 2) are required.
2. http://support.microsoft.com/support/kb/articles/q252/7/35.asp 2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
Soft-PK VPN to P-202H Plus v2 Tunneling This page guides us to set up a VPN connection between the VPN software and the P-202H Plus v2 router. There are several devices we need to set up for this case. They are the VPN software and the P-202H Plus v2 router.
7. Click My Identity, then click the Pre-Shared Key icon on the right side of the window. 8. In the pop-up window, enter a key that you will later also need to configure in the P-202H Plus v2. In this example, we enter 12345678.
2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
202H Plus v2 router. There are several devices we need to set up for this case. They are Linux FreeS/WAN and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1 and the P-202H Plus v2 ensures the packets flowing between them are secure, because the packets that go through the IPSec tunnel are encrypted.
65.170.185.111 202.132.170.1 : PSK "12345678" 2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The LAN IP in this example is 192.168.0.1, and the default password for the web configurator is 1234.
Sentinel (Static IP) to P-202H Plus v2 (Static IP) Tunneling This page guides us to set up a VPN connection between the Sentinel software and the P-202H Plus v2 router. There are several devices we need to set up for this case. They are the Sentinel software and the P-202H Plus v2 router.
11. In SSH Sentinel Policy Editor, you will get a new VPN connection, 172.21.1.252 (P-202H Plus v2). Choose this item, and then press the Properties... button. 12. Choose the Settings button in the Remote endpoint section. Please uncheck the boxes of "Acquire virtual IP address"...
Note: A. When building VPN between Sentinel and P-202H Plus v2, the tunnel can't be initiated from P-202H Plus v2 side. Please always initiate the tunnel from Sentinel. B. VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP...etc.) You can only initiate VPN tunnel by choosing...
NOTE: Please check your P-202H Plus v2's release note. If your current firmware version doesn't support Mega Bytes as SA lifetime, you have to zero your Mega Bytes setting in SA lifetime. Switch to Security Policy; the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...
2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
Sentinel (Dynamic IP) to P-202H Plus v2 (Static IP) Tunneling This page guides us to set up a VPN connection between the Sentinel software and the P-202H Plus v2 router. There are several devices we need to set up for this case. They are the Sentinel software and the P-202H Plus v2 router.
11. In SSH Sentinel Policy Editor, you will get a new VPN connection, 172.21.1.252 (P-202H Plus v2). Choose this item, and then press the Properties... button. 12. Choose the Settings button in the Remote endpoint section. Please uncheck the boxes of "Acquire virtual IP address"...
Note: A. When building VPN between Sentinel and P-202H Plus v2, the tunnel can't be initiated from P-202H Plus v2 side. Please always initiate the tunnel from Sentinel. B. VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP...etc.) You can only initiate VPN tunnel by choosing...
NOTE: Please check your P-202H Plus v2's release note. If your current firmware version doesn't support Mega Bytes as SA lifetime, you have to zero your Mega Bytes setting in SA lifetime. Switch to Security Policy; the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...
Page 299
2. Setup P-202H Plus v2 VPN
1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for logging in to the web configurator is 1234.
Page 303
Sentinel (Behind NAT) to P-202H Plus v2 (Static IP) Tunneling
This page describes how to set up a VPN connection between the Sentinel software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the Sentinel software and the P-202H Plus v2 router.
Page 311
11. In the SSH Sentinel Policy Editor, you will get a new VPN connection, 172.21.1.252 (P-202H Plus v2). Choose this item, and then press the Properties... button.
12. Choose the Settings button in the Remote endpoint section. Please uncheck the boxes of "Acquire virtual IP address"...
Page 314
Note:
A. When building a VPN between Sentinel and the P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Please always initiate the tunnel from Sentinel.
B. A VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing...
Page 315
NOTE: Please check your P-202H Plus v2's release note. If your current firmware version doesn't support Mega Bytes as the SA lifetime, you have to set the Mega Bytes value in the SA lifetime to zero. Switch to Security Policy; the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...
Page 316
2. Setup P-202H Plus v2 VPN
1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for logging in to the web configurator is 1234.
Page 320
Sentinel (Dynamic IP) to P-202H Plus v2 (Dynamic IP) Tunneling
This page describes how to set up a VPN connection between the SSH Sentinel software and the P-202H Plus v2 router. There are several devices we need to set up for this case: Sentinel and the P-202H Plus v2 router.
Page 321
P-202H Plus v2.ddns.org, and update your current WAN IP successfully.
2. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for logging in to the web configurator is 1234.
Page 332
10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.
11. In the SSH Sentinel Policy Editor, you will get a new VPN connection, P-202H Plus v2.dyndns.org (P-202H Plus v2). Choose this item, and then press Properties...
Page 336
Note:
A. When building a VPN between Sentinel and the P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Please always initiate the tunnel from Sentinel.
B. A VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing...
Page 337
NOTE: Please check your P-202H Plus v2's release note. If your current firmware version doesn't support Mega Bytes as the SA lifetime, you have to set the Mega Bytes value in the SA lifetime to zero. Switch to Security Policy; the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...
Page 338
This page describes how to set up a VPN connection between the Intel VPN client software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the Intel VPN software and the P-202H Plus v2 router.
Page 343
2. Setup P-202H Plus v2 VPN
1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for logging in to the web configurator is 1234.
IP entered in SUA/NAT Server Table. However, if both NAT and IPSec are enabled in the P-202H Plus v2, editing the table is necessary only if the connection is a non-secure connection. For secure connections, no SUA server settings are required since the private IP is reachable in the VPN case.
Page 349
Address Start to 192.168.1.0 and End to 192.168.2.255. This section covers the LAN segment of both headquarter and branch office B.
8. My IP Addr is the WAN IP of this P-202H Plus v2, 202.3.1.1.
9. Set Secure Gateway Addr to the IP address of Headquarter, 202.1.1.1.
ISDN call.
Using EPA Analyzer
You must connect the P-202H Plus v2 to a terminal program via the serial port to capture the EPA. The EPA will not operate by Telnet. The steps for enabling the EPA are as follows: 1.
Page 363
P-202H Plus v2> isdn fw ana on
P-202H Plus v2> dev dial 1
Start dialing for node <hinet>...
### Hit any key to continue.###
$$$ DIALING dev=2 ch=0..
$$$ OUTGOING-CALL phone(4125678)
$$$ CALL CONNECT speed<64000> type<2> chan<0>...
P-202H Plus v2's PPP protocol analyzer.
Using PPP Protocol Analyzer
You must connect the P-202H Plus v2 to a terminal program via the serial port to capture the PPP log. The PPP log will not operate by Telnet. The steps for capturing the PPP log are as follows: •...
Page 367
• Manually dial to remote node N
P-202H Plus v2>dev dial N (N is the node number in Menu 11)
Example:
• Wait for all progress messages, and manually drop the call:
P-202H Plus v2>dev channel drop [bri0|bri1] (bri0 for B1 channel, bri1 for B2 channel)
•...
3. LAN/WAN Packet Trace
The P-202H Plus v2 records packet trace and analyzes packets running on LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on LAN or WAN end of the P-202H Plus v2.
Page 377
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Wait for packets to pass through the P-202H Plus v2 over the LAN
1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off
1.6 Display the trace briefly by entering: sys trcp brief...
Page 378
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Wait for packets to pass through the P-202H Plus v2 over the WAN
1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off...
Enter the IP address of the P-202H Plus v2
To upload the firmware, please save the remote file as 'ras' to the P-202H Plus v2. After the transfer is complete, the P-202H Plus v2 will program the upgraded firmware into FLASH ROM and reboot itself.
Page 382
ZyNOS firmware that is available in your hard disk. The remote file is the file name that will be saved in the P-202H Plus v2. Check the port number 69 and 512-Octet blocks for TFTP. Check 'Binary' mode for file transferring.
Page 383
Before you begin:
1. TELNET to your P-202H Plus v2 first before using the TFTP command
2. Type the CI command 'sys stdio 0' to disable the console idle timeout in Menu 24.8 and stay in Menu 24.8...
To use this feature, your workstation must have FTP client software. There are two examples as shown below.
1. Using FTP command in terminal
Step 1: Use the FTP client from your workstation to connect to the P-202H Plus v2 by entering the IP address of the P-202H Plus v2.
- NCP negotiation (NCP can be IPCP, BACP, BCP, CCP, IPXCP)
The P-202H Plus v2 provides a very clear log for each step of the call setup. The following shows the messages displayed in each step. If a step fails, an error message is displayed.
Page 392
" PP09 WARN Local IP mismatch, proposed 192.68.135.183, PP09 WARN neg'd 204.247.1.1, make sure RIP is turned on" This means that you configured your P-202H Plus v2 Menu 3.2 as 192.68.135.183, but the ISP thinks you should be 204.247.1.1. The P-202H Plus...
Page 400
In this example, the IP address of the remote node is 100.1.1.1, but after PPP is up, the far end claims that its IP is in the 200.0.0.0 network. The P-202H Plus v2 will drop the call because of the IP address mismatch in this case.
An IP packet for a LAN destination should be routed to the LAN interface (enif0 in the P-202H Plus v2), and an IP packet for a remote node destination should be sent to the WAN interface if the connection is up, or else the packet will trigger an outcall to that remote node (if the remote node is not set for 'incoming' only in Call Direction).
Page 403
00 0 wanIdle Internet 0023 0
2. You may want to verify if you have plugged in any filters for that remote node or LAN.
P-202H Plus v2> sys filter sw on
P-202H Plus v2> sys filter disp
Drop Forward SetNotConfig...
• The procedure for uploading the configuration file via the console port is as follows.
a. Enter debug mode when powering on the P-202H Plus v2 using a terminal emulator
b. Enter 'ATUR3' to start the uploading.
c. Use X-modem protocol to transfer the configuration file.