ZyXEL Communications P-202H Plus v2 Support Notes

ISDN Internet Access Router

P-202H Plus v2 Support Notes
P-202H Plus v2
ISDN Internet Access Router
Support Notes
Version 3.40
June 2006
All contents copyright © 2006 ZyXEL Communications Corporation.


Summary of Contents for ZyXEL Communications P-202H Plus v2

  • Page 1 P-202H Plus v2 Support Notes P-202H Plus v2 ISDN Internet Access Router Support Notes Version 3.40 June 2006
  • Page 2: Table Of Contents

    12. How many network users can the SUA support? 13. How do I capture the PPP log in my P-202H Plus v2? 14. Why do we need the input filter in menu 3.1 and call filter in menu 11.1?
  • Page 3 15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European firmware)? 16. Does P-202H Plus v2 support MP callback to dial-in users? 17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting? 18.
  • Page 4 9. What is this option, “Attach the selected values to proposal only” for? 10. How to initiate a VPN tunnel from Sentinel? 11. Can P-202H Plus v2 be the initiator of VPN tunnel to Sentinel?
  • Page 5 13. Using Multi-NAT IPSec VPN 1. Using IPSec VPN 2. P-202H Plus v2 vs 3rd Party VPN Gateway 3. P-202H Plus v2 vs 3rd Party VPN Software 4. Configure NAT for Internal Servers 5.
  • Page 6: Faq

    3. What data compression protocol does the P-202H Plus v2 support? The P-202H Plus v2 supports STAC compression. Please note that STAC is not enabled in the P-202H Plus v2 by default. You can enable it in Remote Node setup (SMT menu 11.2, Edit PPP Option).
  • Page 7: How Do I Upgrade/Backup The Zynos Firmware By Using Tftp Client Program Via Lan

    The procedure for uploading via console is as follows. a. Enter debug mode when powering on the P-202H Plus v2 using a terminal emulator b. Enter 'ATUR' to start the uploading c. Use X-modem protocol to transfer the ZyNOS code d.
  • Page 8: What Should I Do If I Forget The System Password

    Internet concurrently for the cost of a single user account. When P-202H Plus v2 acting as SUA receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet header with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool.
  • Page 9: How Many Network Users Can The Sua Support

    13. How do I capture the PPP log in my P-202H Plus v2? The procedure to capture the PPP log in P-202H Plus v2 is as follows. To enable the capture of PPP log before a connection is established: a.
  • Page 10: What Is Dns Proxy

    Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask. 16. What is DNS proxy? If enabled, DNS Proxy allows the P-202H Plus v2 to act as the DNS server for the local network. The P-202H Plus v2 gets the IP address of the actual DNS server from the remote site via IPCP negotiation.
  • Page 11: What Is A Nailed-Up Connection And When Do I Need To Use It

    17. What is a Nailed-up Connection and when do I need to use it? A Nailed-up Connection, when enabled, emulates a leased line connection even though the physical line is a dial-up connection. The P-202H Plus v2 dials and holds up a connection, without any traffic requesting it.
  • Page 12: Product Faq

    This prefix will be placed in front of the outgoing call phone numbers when you make an outgoing call. 4. What supplemental phone service does P-202H Plus v2 support? The P-202H Plus v2 supports the following supplementary phone features on both of its POTS ports. Call Waiting Three Way Calling
  • Page 13: How Do I Do Call Waiting/Call Hold/Call Retrieve

    8. How do I remove a party from the three-way calling? Simply press the Flash key. The last call that was added to the conference is dropped.
  • Page 14: How Do I Do Call Transfer

    The second is with the 'phone flash' commands where you pick up the handset and press the flash key before dialing the following: Command Meaning *20*forward-number# Active CFB (Call Forwarding Busy) *21*forward-number# Active CFU (Call Forwarding
  • Page 15: How Do I Suspend/Resume A Phone Call (Terminal Portability)

    13. What is reminder ring? The P-202H Plus v2 sends a single short ring to your telephone every time a call has been forwarded (US switches only). 14. Why doesn't my answering machine on POTS port stop recording? Most answering machines stop recording when a busy tone is detected.
  • Page 16: Does P-202H Plus V2 Support Mp Callback To Dial-In Users

    Yes. For the details of the settings please refer to the Tested SUA Applications page. 18. What are the differences between P-202H, P-202H Plus and P-202H Plus v2? The differences between P-202H, P-202H Plus and P-202H Plus v2 are listed in the following table. Feature / Model...
  • Page 17: Firewall Faq

    One to block the traffic, and the other to permit traffic. 2. What makes P-202H Plus v2 secure? The P-202H Plus v2 is pre-configured to automatically detect and thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc.
  • Page 18: What Kind Of Firewall Is The P-202H Plus V2

    4. The P-202H Plus v2's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet.
  • Page 19: What Is Ping Of Death Attack

    A Smurf hacker flood a destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous
  • Page 20: What Is Ip Spoofing Attack

    Internet access devices while still being protected by P-202H Plus v2. In such a case, the network topology is the most important issue. Here is a common example in which people mis-deploy the static route.
  • Page 21 To achieve Anti-DoS, P-202H Plus v2 will send RST packets to the PC and the peer since it never receives the TCP SYN/ACK packet. Thus the connection will always be reset by P-202H Plus v2.
  • Page 22: Configuration

    In fact, it's a security hole in protected your network. Configuration 1. How do I configure the firewall? P-202H Plus v2 supports an embedded web server so that you can use a web browser to configure it from any OS platform.
  • Page 23: How Do I Prevent Others From Configuring My Firewall

    Telnet your P-202H Plus v2. 3. Can I use a browser to configure my P-202H Plus v2? Yes, you can use a web browser to configure the P-202H Plus v2. 4. Why can't I configure my router using Telnet over WAN? There are three reasons that Telnet from WAN is blocked.
  • Page 24: Why Can't I Configure My Router Using Telnet Over Lan

    Log and alert 1. When does the P-202H Plus v2 generate the firewall log? The P-202H Plus v2 generates the log immediately when a packet matches, doesn't match (or both) a firewall rule. The log for Default Permit (LAN to WAN, WAN to LAN) is generated automatically.
  • Page 25: How Do I View The Firewall Log

    4. When does the P-202H Plus v2 generate the firewall alert? The P-202H Plus v2 generates the alert when an attack is detected by the firewall and sends it via Email. So, to send the alert you must configure the mail server and Email address using Web Configurator.
  • Page 26: What Is The Difference Between The Log And Alert

    6. What is the difference between the log and alert? A log entry is just added to the log inside the P-202H Plus v2 and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attack is detected.
  • Page 27: Ipsec Related Faq

    Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines.
  • Page 28: What Are Most Common Vpn Protocols

    The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is
  • Page 29: What Is Sa

    Afterward, two VPN gateways use these negotiated keys and SPIs to send packets between two networks. • For manual key VPN, the encryption key, authentication key (if needed), and SPIs are predetermined by the administrator when configuring the security association.
  • Page 30: How Do I Configure P-202H Plus V2 Vpn

    P-202H Plus v2 VPN 1. How do I configure P-202H Plus v2 VPN? You can configure P-202H Plus v2 for VPN using SMT or Web configurator. P-202H Plus v2 1 supports Web only. 2. How many VPN connections does P-202H Plus v2 support? One P-202H Plus v2 202H Plus supports 2 VPN connections.
  • Page 31: Does P-202H Plus V2 Support Dynamic Secure Gateway Ip

    1. If there is a NAT router running in front of P-202H Plus v2, please make sure the NAT router supports IPSec pass-through. 2. In the NAT case (either run on the front-end router, or in P-202H Plus v2 VPN box), only IPSec ESP tunneling mode is supported since NAT conflicts with AH mode.
  • Page 32: What Vpn Software That Has Been Tested With P-202H Plus V2

    12. What is the difference between the 'My IP Address' and 'Secure Gateway IP Address' in Menu 27.1.1? 'My IP Address' is the Internet IP address of the local P-202H Plus v2. The 'Secure Gateway IP Address' is the Internet IP address of the remote IPSec gateway.
  • Page 33: Why Does Vpn Throughput Decrease When Staying In Smt Menu 24.1

    14. Why does VPN throughput decrease when staying in SMT menu 24.1? If P-202H Plus v2 stays in menu 24.1, 24.8 and 27.3, a certain amount of memory is allocated to generate the required statistics. So, we do not recommend staying in menu 24.1, 27.3 and 24.8 when VPN is in use.
  • Page 34: What Is Ssh Sentinel Vpn Client

    RADIUS, TACACS, etc. behind remote VPN gateway. However, if connecting with P-202H Plus v2, please do not check this box. P-202H Plus v2 doesn’t support this feature in current firmware. It will be supported in the near future.
  • Page 35: Does Sentinel Support Ip Range

    9. What is this option, “Attach the selected values to proposal only” for? To increase compatibility, Sentinel sends many kinds of possible proposals for its peer side, say P-202H Plus v2, to choose from. If you uncheck this option, Sentinel will only send out the proposal you configured. To decrease negotiation time, you can uncheck this option, and verify phase1/phase2 parameters are consistent on both sides.
  • Page 36: General Application Notes

    General Application Notes 1. Internet Access A typical Internet access application of the P-202H Plus v2 is shown below. For a small office, there are some components you need to check before accessing the Internet.
  • Page 37 Windows CD or disk. When the drivers are updated, you will be asked if you want to restart the PC. Make sure your P-202H Plus v2 is powered on before answering Yes to the prompt. Repeat the above steps for each Windows PC on your network.
  • Page 38: Sua Applications

    Example: Key Settings: • Pri Phone#= is the phone number your P-202H Plus v2 has to dial in order to access your ISP. • My Login and My Password are the login information provided by ISP.
  • Page 39 This second dial-up adapter for VPN is added during the installation phase of the Upgrade in addition to the first dial-up adapter that provides PPP support for the analog or ISDN modem.
  • Page 40 • Example The following example shows how to dial to an ISP via the P-202H Plus v2 and then establish a tunnel to a private network. There will be three items that you need to set up for PPTP application, these are PPTP server (WinNT), PPTP client (Win9x) and the P-202H Plus v2.
  • Page 41 P-202H Plus v2 router setup • Before making a VPN connection from Win9x to WinNT server, you need to connect P-202H Plus v2 router to your ISP first. • Enter the IP address of the PPTP server (WinNT server) and the port number for PPTP as shown below.
  • Page 42 PPTP server. After the VPN link is established, you can start the network protocol application such as IP, IPX and NetBEUI. Configure an Internal Server Behind SUA • Introduction
  • Page 43 A service is identified by the port number. Also, since you need to specify the IP address of a server in the P-202H Plus v2, a server must have a fixed IP address and not be a DHCP client whose IP address potentially changes each time it is powered on.
  • Page 44 15 to make the outgoing connection work. After the required menu 15 settings are completed the internal server or client applications can be accessed by using the P-202H Plus v2's WAN IP address. •...
  • Page 45 1720/client IP 2.11 1503/client IP Cisco IP/TV 2.0.0 None RealPlayer G2 None VDOLive None Quake1.06 None Default/client IP QuakeII2.30 None Default/client IP QuakeIII1.05 beta None StartCraft. 6112/client IP Quick Time 4.0 None
  • Page 46 Certain Quake servers do not allow multiple users to login using the same unique IP, so only one Quake user will be allowed in this case. Moreover, when a Quake server is configured behind SUA, P-202H Plus v2 will not be able to provide information of that server on the internet.
  • Page 47 • Introduction This configuration note explains how to set up two P-202H Plus v2 routers for a LAN-to-LAN connection. Once the connection is established, the workstations on both LANs will be able to perform any TCP/IP applications (e.g., FTP, Telnet, etc.).
  • Page 48 Server) Address-enter the IP address of the DNS server Default Gateway-the IP address of the P-202H Plus v2, the default gateway for LAN1 is P-202H Plus v2 1 and for LAN2 is P-202H Plus v2 2. The procedure for configuring these parameters for the workstations may differ depending on the type of TCP/IP networking software you are using on your workstations.
  • Page 49 Enter the idle timer in the 'Idle Timeout' field for dropping the call if there is no data traffic between the two remote nodes • P-202H Plus v2 2 Setup 1. Ethernet Setup in SMT Menu 3
  • Page 50 My Password= ******** Toll Period(sec)= 0 Authen= CHAP/PAP Session Options: Pri Phone #= 5007025 Edit Filter Sets= No Sec Phone #= Idle Timeout(sec)= 100 Press ENTER to Confirm or ESC to Cancel:
  • Page 51 Introduction This configuration note explains what other settings you need to pay attention to when configuring the P-202H Plus v2 to talk to a Cisco router. Due to Cisco's authentication scheme, you need to configure some additional fields in P-202H Plus v2 when talking to a Cisco device. There are two things you must pay attention to.
  • Page 52 Set 'PAP Login' to the appropriate login name Set 'PAP Password' to the appropriate login password • If the Cisco router requests CHAP, you have to configure more settings in Menu 11 as follows.
  • Page 53: Dial-In User Setup

    Introduction This configuration note explains how to set up a workstation using an ISDN TA to connect to the P-202H Plus v2 router. In this configuration, the workstation must have a TCP/IP dial-up program installed, such as Windows Dial-up Networking, to make the call.
  • Page 54 Ethernet Setup in SMT menu 3-enter the IP address of the P-202H Plus v2 and enable the DHCP server if it is required. To set up the P-202H Plus v2 for this application, make sure you have the following menus configured correctly.
  • Page 55 Recv Authen= CHAP/PAP IP Count(1,4)= 4 Compression= Yes Mutual Authen= NO Session Options: O/G Username= N/A Edit Filter Sets= No O/G Password= N/A Multiple Link Options: Max Trans Rate(Kbps)= 128 Callback Budget Management:
  • Page 56 Note: If the remote user uses Win9x to dial in, the Recv Authen must be set to PAP because Windows 9x will not respond to any periodic CHAP challenge sent by the P-202H Plus v2 and will cause the P-202H Plus v2 to drop the call.
  • Page 57: Filter

    IP packets. But at the same time, the Generic filter rules must be applied at the point when the P-202H Plus v2 is receiving and sending the packets; i.e. the ISDN interface. So, the execution sequence has to be changed.
  • Page 58 Generic filter rules. You will receive the same error if you try to activate a Generic filter rule in a filter set that has already had one or more active TCP/IP (or IPX) filter rules. Menu 21.1.1: Menu 21.1.1 - Generic Filter Rule
  • Page 59 To separate the device and protocol filter categories, two new menus, Menu 11.5 and Menu 13.1, have been added, as well as some changes made to the Menu 3.1, Menu 11.1, and Menu 13. The new fields are shown below.
  • Page 60 Toll Period(sec)= 0 Authen= CHAP/PAP Session Options: Pri Phone #= 140812345678 Edit Filter Sets= Yes Sec Phone #= 140822345678 Idle Timeout(sec)= 100 Press ENTER to Confirm or ESC to Cancel: Menu 11.5:
  • Page 61 Edit Filter Sets= Yes O/G Password= N/A Multiple Link Options: Max Trans Rate(Kbps)= 128 Callback Budget Management: Allocated Budget(min)= 0 Period(hr)= 0 Press ENTER to Confirm or ESC to Cancel: Menu 13.1:
  • Page 62 Please check the system log (Menu 24.3.1) before putting your device into use. Running the P-202H Plus v2 with wrong filter rules may cause it to keep the ISDN line perpetually active, and/or allow undesired traffic to pass to the outside world, and receive unwanted outside traffic.
  • Page 63 16-bit source port number 16-bit destination port number 32-bit sequence number 32-bit acknowledgment number 4-bit Reserved 16-bit window size header (6 bits) length 16-bit TCP checksum 16-bit urgent pointer Option (if any)
  • Page 64 Source network number 00 00 00 00 00 00 Source node number 04 53 Source socket number IPX packet type: 01=RIP 02=echo 03=error 04=SAP 05=SPX 11=NCP 14=NetBIOS Socket number: 0451=NCP 0451=SAP 0453=RIP 0455=NetBIOS
  • Page 65 FTP connections via LAN and WAN. So, it is possible that anyone can make an FTP connection over the Internet to your P-202H Plus v2. To prevent outside users from connecting to your P-202H Plus v2 via FTP, you can configure a filter to block FTP connections from WAN.
  • Page 66 IP Mask= 0.0.0.0 Port #= 20 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= Port # Comp= None TCP Estab= No More= No Log= None Action Matched= Drop
  • Page 67 Filter Rules M m n - - ---- ------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=20 N D N 2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21 N D F
  • Page 68 11.5 for activating the FTP_WAN filter. Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= 3 device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters=
  • Page 69 If you want to prevent an outbound Web request from triggering a call to the remote web server, you can configure a call filter set in P-202H Plus v2 to block this packet. After the call filter is applied, the Web packet will not trigger the call to your ISP or remote node.
  • Page 70 IP Mask= 0.0.0.0 Port #= Port # Comp= None TCP Estab= No More= No Log= None Action Matched= Drop Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel:
  • Page 71 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 17 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 53 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0
  • Page 72 Rem Login= N/A Edit IP/IPX/Bridge= No Rem Password= N/A Telco Option: Rem CLID= N/A Allocated Budget(min)= 5 Call Back= N/A Period(hr)= 1 Outgoing: Transfer Type= 64K My Login= qwer Nailed-Up Connection= No
  • Page 73 If you want to forbid a specific local client from triggering a call to ISP, you can configure a call filter set in P-202H Plus v2 to block the packets from this client. After the call filter is applied, the packet that is sent from this client would not trigger the call to your ISP or remote node.
  • Page 74 TCP Estab= N/A More= No Log= None Action Matched= Drop Action Not Matched= Forward Press ENTER to Confirm or ESC to Cancel: Key Settings: • Source IP addr....Enter the client IP in this field
  • Page 75 Idle Timeout(sec)= 300 Sec Phone #= Press ENTER to Confirm or ESC to Cancel: Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters=
  • Page 76 The MAC address can be provided by the NICs. If there is the LAN packet passing through the P-202H Plus v2 you can identify the MAC address from the P-202H Plus v2's LAN packet trace. Please look at the following example to know the trace of the LAN packets.
  • Page 77 Now a client on the LAN is trying to ping P-202H Plus v2……… ras> sys trcp sw off ras> sys trcp disp TIME: 37c060 enet0-RECV len:74 call=0 0000: [00 a0 c5 01 23 45] [00 80 c8 4c ea 63] 08 00 45 00...
  • Page 78 From the above first trace, we know that a client is trying to ping the P-202H Plus v2 router. And from the second trace, we know that the P-202H Plus v2 router will send a reply to the client accordingly. The following sample filter will utilize the 'Generic Filter Rule' to block the MAC address [00 80 c8 4c ea 63].
  • Page 79 Value (in hexadecimal): Specify the MAC address [00 80 c8 4c ea 63] that the P-202H Plus v2 should use to compare with the masked packet. If the result from the masked packet matches the 'Value', then the packet is considered matched.
  • Page 80 Before starting to set the filter rules, please enter a name for each filter set in the 'Comments' field first. Menu 21 - Filter Set Configuration Filter Filter Set # Comments Set # Comments ------ ----------------- ------ -----------------
  • Page 81 TCP Estab= No More= No Log= None Action Matched= Drop Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Rule 2-Destination port number 137 with protocol number 17 (UDP)
  • Page 82 IP Mask= 0.0.0.0 Port #= 138 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None TCP Estab= No More= No Log= None Action Matched= Drop
  • Page 83 Menu 21.1.5 - TCP/IP Filter Rule Filter #: 1,5 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 139 Port # Comp= Equal
  • Page 84 Log= None Action Matched= Drop Action Not Matched= Forward Press ENTER to Confirm or ESC to Cancel: After the first filter set is finished, you will see the complete rules summary as below.
  • Page 85 Nailed-Up Connection= No My Password= ******** Session Options: Authen= CHAP/PAP Edit Filter Sets= Yes Pri Phone #= 4125678 Idle Timeout(sec)= 300 Sec Phone #= Menu 11.5 - Remote Node Filter Input Filter Sets:
  • Page 86 Log= None Action Matched= Drop Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Rule 2-Source port number 137, Destination port number 53 with protocol number 17 (UDP)
  • Page 87 Please apply this second filter set 'NetBIOS_LAN' in the 'protocol filters=' of the 'Input Filter Sets:' in the Menu 3 for blocking the packets from LAN. Menu 3.1 - General Ethernet Setup Input Filter Sets:
  • Page 88: Unix Syslog Setup

    1. Make sure that your syslogd starts with the -r argument. -r, this option will enable the facility to receive messages from the network using an Internet domain socket with the syslog services. The default setting is not enabled.
  • Page 89 Where /var/log/zyxel.log is the full path of the log file. 3. Restart syslogd. • ZyXEL Syslog Message Format P-202H Plus v2 sends 5 types of syslog messages to syslogd, they are: 1. CDR log 2. Packet Triggered log 3. Filter log 4.
  • Page 90 L02 Call Terminated C02 Call Terminated Example: Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C01 Incoming Call 64000 4125678 Feb 14 17:07:18 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C02 Call Terminated 2.
  • Page 91 Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP/ PAP / IPCP /IPXCP Example: Jul 19 11:43:25 192.168.1.1 ZyXEL Communications Corp.: ppp:LCP Starting Jul 19 11:43:29 192.168.1.1 ZyXEL Communications Corp.: ppp:IPCP Starting Jul 19 11:43:34 192.168.1.1 ZyXEL Communications Corp.: ppp:CCP Starting Jul 19 11:43:38 192.168.1.1 ZyXEL Communications Corp.: ppp:BACP Starting...
  • Page 92: Isdn Leased Line Setup

    Remote Call = a string which represents the remote call number Local Call = a string which represents the local (my) call number Example: Jul 19 12:08:25 192.168.1.1 ZyXEL Communications Corp.: Call Connect: Dir=2 Remote Call=5783942 Local Call=1 Jul 19 12:08:29 192.168.1.1 ZyXEL Communications Corp.: Call DisConnect: Dir=2 Remote Call=2453140 Local Call=1 7.
  • Page 93 Set to Leased/Switch if you are using one 64K-leased line and one switch line The P-202H Plus v2 does not allow two leased lines to connect two different remote nodes. Therefore, if the Leased/Leased is configured in Menu 2, it allows a 128K-leased connection to a remote node or allows MP bundling to a remote node.
  • Page 94 Enter the IP address assigned from ISP for P-202H Plus v2, enter '0.0.0.0' if the IP is dynamically assigned during the PPP connection Set the 'Transfer Type' to 'Leased' for the ISDN leased-line connection After saving this menu, you will be asked if you want to perform an Internet connection test.
  • Page 95: Supplemental Service

    Set to Leased/Switch if you are using one 64K-leased line and one switch line The P-202H Plus v2 does not allow two leased lines to connect two different remote nodes. Therefore, if the Leased/Leased is configured in Menu 2, it allows a 128K-leased connection to a remote node or allows MP bundling to a remote node.
  • Page 96 How do I remove a party from the three-way calling? Simply press the Flash key. The last call that was added to the conference is dropped.
  • Page 97 The second is with the 'phone flash' commands where you pick up the handset and press the flash key before dialing the following: Command Meaning *20*forward-number# Active CFB (Call Forwarding Busy) *21*forward-number# Active CFU (Call Forwarding
  • Page 98: Using Netcapi

    Dial #3n#, where n is any number from 1 to 9, but should be identical to that used above. What is reminder ring? The P-202H Plus v2 sends a single short ring to your telephone every time a call has been forwarded (US switches only). What is MSN/subaddress and how do I do it?
  • Page 99 ISDN packets through the BRI port. When the P-202H Plus v2 receives packets on its BRI port destined for one of the DCP clients, the router formats the packet as a DCP message and sends it to the corresponding client.
  • Page 100 1. Active: Set to 'Yes' to enable the NetCAPI. 2. Max. Number of Registered Users: Enter the number of RVS-COM clients for registering in the P-202H Plus v2. The maximum number is 5.
  • Page 101 2, ISDN Data Number, the P-202H Plus v2 will answer the call as a data call. If the MSN does not match any MSN in menu 2, the P-202H Plus v2 will answer the call as a CAPI call and forward it to the CAPI client.
  • Page 102 00 01 03 01 02 03 01 00 00 00 00 01 05 5a 79 58 45 4c 01 00 0e 50 72 65 73 74 69 67 65 20 32 30
  • Page 103: Using Radius

    RADIUS is 1812. So, be sure which port your RADIUS server uses before configuring it in the P-202H Plus v2. [Note]: The P-202H Plus v2 is configured with default port 1645; please reboot the P-202H Plus v2 if it is changed to 1812.
  • Page 104 203.66.113.187 key187 In this example, the new client 203.66.113.187 is the P-202H Plus v2 router. The key 'key187' must be configured in SMT Menu 23.2 later. 4. Enter the user profile including username and password in the 'Users' file. See an example below.
  • Page 105: Using Clid Callback

    There are two types of callback that the P-202H Plus v2 supports, they are the CLID callback and MS CBCP callback using Dial-Up Networking. Unlike the CLID...
  • Page 106 13, O/G Login and O/G Password. • Setup the P-202H Plus v2 for calling back to a remote node • Setup the P-202H Plus v2 for calling back to a dial-in user •...
  • Page 107 Enter the remote phone number in this field which will be used for the CLID authentication. If this number does not match the Rem CLID one that the switch carries, the P-202H Plus v2 will drop the line due to the CLID authentication failure. Call Back Toggle to 'Yes' to turn on the callback function.
  • Page 108 Enter the phone number of the remote node for calling back. Phone # • Setup the P-202H Plus v2 for calling back to a dial-in user Generally, there are several settings that must be checked when using the CLID callback. They are: The 'CLID Authentication' setting in menu 13 must be configured as 'Required' or 'Preferred'.
  • Page 109 CLID authentication. If this number does not match the one that the switch carries, the P-202H Plus v2 will drop the line due to the CLID authentication failure. (Field: Rem CLID)
  • Page 110 The current Internet-standard MIB, MIB-II, is defined in RFC 1213 and contains 171 objects. These objects are grouped by protocol (including TCP, IP, UDP, SNMP) and other categories, including 'system' and 'interface'.
  • Page 111 (such as IP routing table) in managed devices. 4. Traps Managed devices use traps to asynchronously report certain events to NMSs.
  • Page 112 Get operation, followed by a series of GetNext operations. • Allows the NMS to set values for object variables within an agent. • Trap Used by the agent to inform the NMS of some events.
  • Page 113 Associates particular object with their value. 2. ZyXEL SNMP Implementation ZyXEL currently includes SNMP support in some P-202H Plus v2 routers. It is implemented based on the SNMPv1, so it will be able to communicate with SNMPv1 NMSs. Further, users can also add ZyXEL's private MIB in the NMS to monitor and control additional system variables.
  • Page 114 And traps with the message "System reboot by user !" will be sent. (ii) For fatal error : System has to reboot for some fatal errors. And traps with the message of the fatal code will be sent.
  • Page 115 Downloading ZyXEL's private MIB 3. Configure the P-202H Plus v2 for SNMP The SNMP related settings in P-202H Plus v2 are configured in menu 22, SNMP Configuration. The following steps describe a simple setup procedure for configuring all SNMP settings.
  • Page 116: Using Multi-Nat

    'Set-community requested from the NMS. The default is Community 'public'. Trusted Host: Enter the IP address of the NMS. The P-202H Plus v2 will only respond to SNMP messages coming from this IP address. If 0.0.0.0 is entered, the P-202H Plus v2 will respond to all NMS managers.
  • Page 117 IP addresses to a global IP address. It is only one subset of the NAT. The ZyNOS V2.41 for the P-202H Plus v2 100IH is enhanced to support most of the features of NAT based on RFC 1631, and we call this feature 'Multi-NAT'.
  • Page 118 NAT supports five types of IP/port mapping. They are: 1. One to One In One-to-One mode, the P-202H Plus v2 maps one ILA to one IGA. 2. Many to One In Many-to-One mode, the P-202H Plus v2 maps multiple ILA to one IGA.
  • Page 119 Plus v2 supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The P-202H Plus v2 312 supports 2 sets since there is only one remote node. The default SUA (Read Only) Set in menu 15.1 is a convenient, pre-configured, read only, Many-to-One mapping set,...
  • Page 120 Press ENTER to Confirm or ESC to Cancel: Step 1. Enter 11 from the Main Menu. Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the
  • Page 121 To configure NAT, enter 15 from the Main Menu to bring up the following screen. Menu 15 - NAT Setup 1. Address Mapping Sets 2. NAT Server Sets 3. Address Mapping Sets and NAT Server Sets
  • Page 122 Let's first look at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers. The fields in this menu cannot be changed. Entering 255 brings up this screen. Menu 15.1.255 - Address Mapping Rules Set Name= SUA (Read Only)
  • Page 123 IP, enter 0.0.0.0 as the Global Start IP (example: 0.0.0.0). Global End IP: This is the ending global IP address (IGA). Type: This is the NAT mapping type (examples: Many-to-One and Server).
  • Page 124 Before means to insert a new rule before the rule Delete selected. The rule after the selected rule will then be Save Set moved down by one rule. Delete means to delete the
  • Page 125 Type: Press [SPACEBAR] to toggle through a total of 5 types. These are the mapping types discussed above plus a server type. Some examples follow to clarify these a little more. (Options shown: One-to-One, Many-to-One, Many-to-Many Overload)
  • Page 126 192.168.1.36 and a FTP server at 192.168.1.33, then you need to specify for port 80 (Web) the server at IP address 192.168.1.36 and for port 21 (FTP) another at IP address 192.168.1.33.
  • Page 127 Menu 15.2 - NAT Server Setup (Used for SUA Only) Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 192.168.1.10 192.168.1.11 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
  • Page 128 4. Support Non NAT Friendly Applications 1. Internet Access Only In our Internet Access example, we only need one rule where all our ILAs map to one IGA assigned by the ISP. See the following figure.
  • Page 129 From Menu 4 shown above simply choose the SUA Only option from the NAT field. This is the Many-to-One mapping discussed earlier. The SUA read only option from the NAT field in menu 4 and 11.3 is specifically pre-configured to handle this case.
  • Page 130 Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel:
  • Page 131 Address Mapping Sets. Therefore we must choose the Full Feature option from the NAT field in menu 4 or menu 11.3. Menu 4 - Internet Access Setup ISP's Name= ChangeMe Pri Phone #= 1234 Sec Phone #=
  • Page 132 Menu 15.1.1.1 - - Rule 1 Type: One-to-One Local IP: Start= 192.168.1.10 End = N/A Global IP: Start= [Enter IGA1] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:
  • Page 133 Menu 15.1.1.3 - - Rule 3 Type: Many-to-One Local IP: Start= 0.0.0.0 End = 255.255.255.255 Global IP: Start= [Enter IGA3] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:
  • Page 134 Idx Local Start IP Local End IP Global Start IP Global End IP Type --- --------------- --------------- --------------- --------------- ------ 1. 192.168.1.10 [IGA1] 2. 192.168.1.11 [IGA2] 3. 0.0.0.0 255.255.255.255 [IGA3] 4. Server Set= 2 [IGA3] Server
  • Page 135 IP address. In this case it is better to use Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address. The following figure illustrates this.
  • Page 136 Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: The three rules configured for using One-to-One mapping type are shown below. Menu 15.1.1.1 - - Rule 1 Type: One-to-One Local IP:
  • Page 137 Start= [Enter IGA2] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: Menu 15.1.1.3 - - Rule 3 Type: One-to-One Local IP: Start= 192.168.1.12 End = N/A
  • Page 138 Global IP: Start= [Enter IGA3] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:
  • Page 139: Ipsec Vpn

    This page guides us to set up a VPN connection between two P-202H Plus v2 routers. Please note that, in addition to P-202H Plus v2 to P-202H Plus v2, P-202H Plus v2 can also talk to other VPN hardware. The tested VPN hardware is shown below.
  • Page 140 VPN connection at all. 1. Setup P-202H Plus v2 A 1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.
  • Page 141 7. Destination IP Address Start and Destination IP Address End are PC 2 IP in this example. (the secure remote host) 8. My IP Addr is the WAN IP of P-202H Plus v2 A. 9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-202H Plus v2 B WAN IP in this example.
  • Page 142 See the screen shot:
  • Page 143 In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B.
  • Page 144 2. Setup P-202H Plus v2 B Similar to the settings for P-202H Plus v2 A, P-202H Plus v2 B is configured in the same way. 1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in URL field.
  • Page 145 12. Select Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in P-202H Plus v2 A. 13. Enter the key string 12345678 in the Preshared Key text box, and click Apply. See the screen shot:...
  • Page 146 In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B.
  • Page 147 Please go back to Menu 27 to check your settings. Menu 27.2 - SA Monitor Name Encap. IPSec ALgorithm -- -------------------------------------------------- ---------- ------------------------- 1 P-202H Plus v2A ca24f1eb6616b7c4 732c211ae9b01a0f Tunnel ESP DES-SHA1
  • Page 148 'ipsec debug 1' for our analysis. The following shows an example of dumped messages. P-202H Plus v2> ipsec debug 1 IPSEC debug level 1 P-202H Plus v2> catcher(): recv pkt numPkt<1> get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80> f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034...
  • Page 149 2. Setup P-202H Plus v2 VPN This page guides us to setup a VPN connection between the VPN software and P-202H Plus v2 router. There will be several devices we need to setup for this case. They are VPN software and P-202H Plus v2 router.
  • Page 150 202.132.155.33 202.132.171.33 WAN: 202.132.170.1 1. Setup Soft-PK VPN 1. Open Soft-PK Security Policy Editor 2. Add a new connection named 'P-202H Plus v2' as shown below. 3. Select Connection Security to Secure
  • Page 151 PC (PC 2 in this case). 5. Check Connect using Secure Gateway Tunnel, please also select IP Address as ID Type, and enter P-202H Plus v2's WAN IP address in the following field.
  • Page 152 7. Click My Identity, click the Pre-Shared Key icon in the right side of the window. 8. In the pop-up window, enter a key that you will later also need to configure in P-202H Plus v2. In this example, we enter 12345678.
  • Page 153 Security Policy Settings:
  • Page 154 1) and Key Exchange (Phase 2). 11. The settings shown in the following two figures for both Phases are our examples. You can choose any, but they should match whatever you enter in P-202H Plus
  • Page 156 2. Setup P-202H Plus v2 VPN 1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.
  • Page 157 Figure 8: See the VPN rule screen shot
  • Page 158 2. There are two phases for IKE: In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission.
  • Page 159: P-202H Plus V2 Vs 3Rd Party Vpn Gateway

    This page guides us to set up a VPN connection between two P-202H Plus v2 routers. Please note that, in addition to P-202H Plus v2 to P-202H Plus v2, P-202H Plus v2 can also talk to other VPN hardware. The tested VPN hardware is shown below.
  • Page 160 VPN connection at all. 1. Setup P-202H Plus v2 A 1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.
  • Page 161 7. Destination IP Address Start and Destination IP Address End are PC 2 IP in this example. (the secure remote host) 8. My IP Addr is the WAN IP of P-202H Plus v2 A. 9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-202H Plus v2 B WAN IP in this example.
  • Page 162 See the screen shot: If you use SMT management, the VPN configurations are as shown below.
  • Page 163 In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B.
  • Page 164 2. Setup P-202H Plus v2 B Similar to the settings for P-202H Plus v2 A, P-202H Plus v2 B is configured in the same way. 1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in URL field.
  • Page 165 12. Select Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in P-202H Plus v2 A. 13. Enter the key string 12345678 in the Preshared Key text box, and click Apply. See the screen shot: If you use SMT management, the VPN configurations are as shown below.
  • Page 166 In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B.
  • Page 167 Please go back to Menu 27 to check your settings. Menu 27.2 - SA Monitor Name Encap. IPSec ALgorithm -- -------------------------------------------------- ---------- ------------------------- 1 P-202H Plus v2A ca24f1eb6616b7c4 732c211ae9b01a0f Tunnel ESP
  • Page 168 'ipsec debug 1' for our analysis. The following shows an example of dumped messages. P-202H Plus v2> ipsec debug 1 IPSEC debug level 1 P-202H Plus v2> catcher(): recv pkt numPkt<1> get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80> f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034...
  • Page 169 Clear IPSec Log (y/n): P-202H Plus v2 to Cisco Tunneling This page guides us to set up a VPN connection between P-202H Plus v2 and Cisco router. As shown in the figure below, the tunnel between P-202H Plus v2 and Cisco Router ensures that the packets flowing between them are secure. To set up this VPN tunnel, the required settings for P-202H Plus v2 and Cisco Router are explained in the following sections.
  • Page 170 0.0.0.0 field. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all. If the WAN IP of P-202H Plus v2 is also dynamic IP, we enter 0.0.0.0 as its My IP Address. When this IP is given by ISP, it will update to this field.
  • Page 171 There are two ways to configure Cisco VPN, use commands from console or use Cisco ConfigMaker. Cisco ConfigMaker is an easy-to-use Windows 98/Me/NT/2000 application that configures Cisco routers, switches, hubs, and other devices. We will guide you how to setup IPSec by using Cisco ConfigMaker
  • Page 172 See the screen shot: 4. From Devices window choose a router, and add this router in Network Diagram. Rename it as "P-202H Plus v2". Assign passwords, choose TCP/IP as its protocol, and then set the interface of WAN slot 0 as 1 Ethernet.
  • Page 173 See the screen shot: 5. Layout your network topology in the Network Diagram as shown below. You may choose network components, such as hosts, Internet, Ethernet LAN from the Devices window.
  • Page 174 See the screen shot: 6. Connect the network components by Ethernet from the Connections window in the left bottom. Specify the WAN and LAN IP addresses to P-202H Plus v2 and Cisco.
  • Page 175 See the screen shot: 7. Select VPN from Connections window. During this stage, you have to enter the pre-shared key, "12345678".
  • Page 176 8. Select VPN, then click the right button of the mouse, and choose connection Properties. Setup IPSec parameters as shown below. Note that the parameters you set here should match settings in P-202H Plus v2. In IKE Advanced Settings, Encryption Algorithm is 56-bit DES, Authentication Algorithm is MD5 and the SA lifetime is 1 hr.
  • Page 177 See the screen shot: 9. Choose the Cisco router, and click Deliver to save the settings.
  • Page 178 See the screen shot: 10. Enter Cisco commands mode from console and check if Cisco can make a successful ping to P-202H Plus v2. You might have to tune the configuration to accommodate your practical environment. For more detailed information, please go to http://www.cisco.com 11.
  • Page 179 12345678 address 172.21.10.50 crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac crypto mib ipsec flowmib history tunnel size 200 crypto mib ipsec flowmib history failure size 200 crypto map cm-cryptomap local-address Ethernet0
  • Page 180 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 snmp-server community public RO line con 0 exec-timeout 0 0 password 7 06575D7218 login line aux 0 line vty 0 4 password 7 11584B5643 login line vty 5 15 login
  • Page 181 IPSec VPN, "debug crypto ipsec". P-202H Plus v2 to SonicWALL Tunneling This page guides us to set up a VPN connection between P-202H Plus v2 and SonicWALL. As shown in the figure below, the tunnel between PC 1 and PC 2 ensures that the packets flowing between them are secure. To set up this VPN tunnel, the required settings for P-202H Plus v2 and SonicWALL are explained in the following sections.
  • Page 182 1. Setup P-202H Plus v2 1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.
  • Page 183 3. Select NAT Enabled as the Network Addressing Mode. 4. In LAN Settings, enter a LAN IP and Subnet Mask for SonicWALL. 5. In WAN Settings, enter a WAN IP, Subnet Mask, and WAN Gateway for SonicWALL.
  • Page 184 11. In IPSec Keying Mode option, select IKE using pre-shared secret. 12. In Name option, give a name for this SA. 13. In IPSec Gateway Address, enter P-202H Plus v2 WAN IP 14. In Encryption Method option, select Encrypt and Authenticate (ESP DES HMAC MD5).
  • Page 185 If the SA is up, you can see that a new button, Renegotiate, appears in the Summary screen.
  • Page 186 VPN connection at all. 1. Setup P-202H Plus v2 1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.
  • Page 187 7. Destination IP Address Start and Destination IP Address End are PC 2 IP in this example. (the secure remote host) 8. My IP Addr is the WAN IP of P-202H Plus v2. 9. Secure Gateway IP Addr is the remote secure gateway IP, that is WatchGuard WAN IP in this example.
  • Page 188 Interface, enter the LAN IP for WatchGuard. Then click Next. 4. Enter the Default Gateway of WatchGuard then click Next twice. 5. Enter your passwords for Status and Configuration then click Next.
  • Page 189 9. Pull down Network -> Branch Office VPN -> IPSec. See the figure below. 10. Click Gateway, and click Add. 11. Enter a name for remote security gateway in Name field, enter the remote gateway IP in Remote Gateway IP field.
  • Page 190 12. Select isakmp (dynamic) (IKE in P-202H Plus v2) as Key Negotiation Type and enter a string as Share Key. 13. Click Tunnels, and click Add. 14. Select the Gateway you had created and click OK.
  • Page 191 18. Click Add in the main menu to Add Routing Policy. 19. In Local Host, enter PC1 IP; in Remote Host, enter PC2 IP, then select Secure in Disposition and Tunnel you had created. Then click OK twice.
  • Page 192 WatchGuard. P-202H Plus v2 to NETSCREEN Tunneling This page guides us to set up a VPN connection between P-202H Plus v2 and NETSCREEN. As shown in the figure below, the tunnel between PC 1 and PC 2 ensures that the packets flowing between them are secure. To set up this VPN tunnel, the required settings for P-202H Plus v2 and NETSCREEN are explained in the following sections.
  • Page 193 VPN connection at all. 1. Setup P-202H Plus v2 1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.
  • Page 194 See the screen shot: If you use SMT management, the VPN configurations are as shown below.
  • Page 195 2. There are two phases for IKE: In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels
  • Page 196 (Local Secure Host in this example). See the screen shown below. Note: The Netmask field here for single IP is 255.255.255.255. Please do not enter the wrong netmask, otherwise, VPN can not be established correctly.
  • Page 197 (Remote Secure Host in this example). See the screen shown below. Note: The Netmask field here for single IP is 255.255.255.255. Please do not enter the wrong netmask, otherwise, VPN can not be established correctly.
  • Page 198 5. Select the Remote Secure Host that we configured above as the Destination Address. 6. Select ANY as the Service. 7. For the rest of the settings, please refer to the following screen shot, and click OK to save.
  • Page 199 8. Click Policy menu and click Incoming tab.
  • Page 200 12. Select the Local Secure Host that we configured above as the Destination Address. 13. Select ANY as the Service. 14. For the rest of the settings, please refer to the following screen shot, and click OK to save.
  • Page 202 1. Click VPN menu and click P1 Proposal tab. 2. Click New Phase 1 Proposal to create phase 1 proposal. 3. Give a Name for this proposal, for example P-202H Plus v2. 4. Select Preshare as the Authentication Method. 5. Select Group 1 as DH Group.
  • Page 203 4. Click Static IP Address as for this example. 5. Enter WAN IP of NETSCREEN in the IP Address field. 6. Select P-202H Plus v2 that we configure above as the Phase 1 Proposal.
  • Page 204 10. Click Static IP Address as for this example. 11. Enter WAN IP of P-202H Plus v2 in the IP Address field. 12. Select P-202H Plus v2 that we configure above as the Phase 1 Proposal.
  • Page 205 2. Click New AutoKey IKE Entry to add the entry for the local gateway, i.e., NETSCREEN. 3. Select NETSCREEN as the Remote Gateway Tunnel Name. 4. Select P-202H Plus v2 as Phase 2 Proposal and click OK to save. See the screen shot.
  • Page 206 P-202H Plus v2. 7. Select P-202H Plus v2 as the Remote Gateway Tunnel Name. 8. Select P-202H Plus v2 as Phase 2 Proposal and click OK to save. See the screen shot.
  • Page 207 9. After all above settings have been finished, you can start to access the remote secure PC. If the VPN is established successfully, you can see the traffic flow from the Traffic Log by clicking Log menu. See the following screen shot.
  • Page 208: P-202H Plus V2 Vs 3Rd Party Vpn Software

    You can also see the current active user from the Active Log by clicking Log menu. See the following screen shot. 3. P-202H Plus v2 vs 3rd Party VPN Software
  • Page 209 This page guides us to set up a VPN connection between Checkpoint VPN and P-202H Plus v2 router. As shown in the figure below, the tunnel between P-202H Plus v2 and Checkpoint ensures that the packets flowing between them are secure, because the packets that go through the IPSec tunnel are encrypted.
  • Page 210 Edit LAN segment of P-202H Plus v210. In this example, we setup P-202H Plus v210 as DHCP server, and its LAN IP address is 192.168.99.1. Edit Internet Access of P-202H Plus v210.
  • Page 211 In SMT menu 27, create a VPN rule like following.
  • Page 212 2. Setup Checkpoint VPN Creating Network objects. Click on New/Network, define the LAN segment of P-202H Plus v2. Select Location as External. (Note: Internal and external refer to whether this network is protected behind the Checkpoint or not.)
  • Page 213 If more than one network would like to utilize the VPN tunnel, you can merge the networks into one group. • Go to Manage/Network Objects. • Click on New/Group • Fill in the properties for the group objects as shown below.
  • Page 214 Creating VPN Objects Define P-202H Plus v2 box as a tunnel end point. (Name: SOHO_TEST) Select VPN tab to define the protected domain of ZW, and the Encryption schemes used by the tunnel.
  • Page 216 Define checkpoint box as a tunnel endpoint. Select VPN tab to define the protected domain of Checkpoint, and the Encryption schemes used by the tunnel. Choose IKE and press Edit… to edit the Phase1 parameters and pre-shared key.
  • Page 217 Create a new rule at or near the top of the policy. This rule should include both encryption domains as both source and destination and the action should be encrypt as shown below.
  • Page 218 This page guides us to setup a VPN connection between the WIN2K VPN software and P-202H Plus v2 router. There will be several devices we need to setup for this case. They are WIN2K VPN software and P-202H Plus v2 router.
  • Page 219 1. Setup WIN2K VPN - Create a custom MMC console 1. From Windows desktop, click Start, click Run, and in the Open textbox type MMC. Click OK. 2. On the Console window, click Add/Remove Snap-In.
  • Page 220 3. In the Add/Remove Snap-In dialog box, click Add.
  • Page 221 4. In the Add Standalone Snap-in dialog box, click Computer Management, and then click Add. 5. Verify that Local Computer (default setting) is selected, and click Finish.
  • Page 222 6. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add. 7. Verify that Local Computer (default setting) is selected in the Group Policy Object dialog box, and then click Finish.
  • Page 223 8. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add. 9. In the Certificates snap-in dialog box, select Computer account, and click Next.
  • Page 224 10. Verify that Local Computer (default setting) is selected, and click Finish. 11. Click Close to close the Add Standalone Snap-in dialog box.
  • Page 225 Assigning IPSec Policy section of Windows 2000 online help. 1. From Windows desktop, click Start, click Run, and in the Open textbox type SECPOL.MSC. Click OK.
  • Page 226 2. Right click IP Security Policies on Local Machine, and then click Create IP Security Policy. 3. Click Next, and type a name for your policy. For example, WIN2K to P-202H Plus v2 Tunnel.
  • Page 227 4. Uncheck the Activate the default response rule check box, and click Next.
  • Page 228 5. Keep the Edit properties check box selected and click Finish. 5. A dialog window will come up for you to configure two filter rules for this policy.
  • Page 229 Because there are two endpoints, we need two filter rules. One is for the direction from PC 1 to PC 2 (endpoint is P-202H Plus v2), and the other is from PC 2 to PC 1 (endpoint is WIN2K). In each rule, a source IP and destination IP for local and remote VPN clients (PC 1 or PC 2) are required.
  • Page 230 2. On the IP Filter List tab, click Add.
  • Page 231 3. Type a name for the filter list (e.g., WIN2K to P-202H Plus v2), uncheck the Use Add Wizard check box, and click Add.
  • Page 232 4. In the Source address, choose A specific IP Address, and enter the IP address of PC 1
  • Page 233 5. In the Destination address, choose A specific IP Address, and enter the IP address of PC 2 6. Uncheck the Mirror check box.
  • Page 234 8. On the Description tab, you can give a name for this filter list. The filter name is displayed in the IPSec monitor when the tunnel is active.
  • Page 235 9. Click OK and Close to close the windows. - Build a Filter List from PC 2 to PC 1 1. On the IP Filter List tab, click Add.
  • Page 236 2. Type a name for the filter list (e.g., P-202H Plus v2 to WIN2K), uncheck the Use Add Wizard check box, and click Add. 3. In the Source address, choose A specific IP Address, and enter the IP address of PC 2
  • Page 237 4. In the Destination address, choose A specific IP Address, and enter the IP address of PC 1 5. Uncheck the Mirror check box.
  • Page 238 6. On the Protocol tab, leave the protocol type as Any, because IPSec tunnels do not support protocol-specific or port-specific filters.
  • Page 239 7. On the Description tab, you can give a name for this filter list. The filter name is displayed in the IPSec monitor when the tunnel is active. 8. Click OK and Close to close the windows.
  • Page 240 1. Select the first filter list you created above from the IP Filter List. For example, WIN2K to P-202H Plus v2. 2. Click the Tunnel Setting tab, and enter the remote endpoint. For this filter list, the remote IPSec endpoint is P-202H Plus v2.
  • Page 241 WIN2K does not connect to ISP but LAN). In our example, we choose All network connections. 4. Click the Filter Action tab, uncheck the Use Add Wizard check box, and click Add.
  • Page 242 6. Click Add and select Custom (for expert users) if you want to define specific algorithms and session key lifetimes. Please make sure the settings match whatever we will configure in P-202H Plus v2 later.
  • Page 243 7. Click OK. On the General tab, give a name to the filter action. For example, WIN2K to P-202H Plus v2, and click OK.
  • Page 244 8. Select the filter action you just created. 9. On the Authentication Methods tab, click Add to select the Use this string to protect the key exchange (pre-shared key) option, and enter the string 12345678 in the text box.
  • Page 245 10. Click OK. See the finished screen shot.
  • Page 246 1. In the IPSec policy properties, click Add to create a new rule. 2. Select the second filter list you created above from the IP Filter List. For example, P-202H Plus v2 to WIN2K.
  • Page 247 IPSec endpoint is WIN2K. 4. Click the Connection Type tab, and click All network connections (or click LAN connections if your WIN2K does not connect to ISP but LAN). In our example, we choose All network connections.
  • Page 248 5. Click the Filter Action tab, and select the filter action you created. 6. On the Authentication Method tab, configure the same settings as done in the first rule.
  • Page 249 7. Click Close. 8. Enable both rules you created in the policy properties and click Close. Figure 5: See the finished screen shot
  • Page 250 1. In the IP Security Policies on Local Machine MMC snap-in, right click your new policy, and click Assign. 2. A green arrow will appear in the folder icon next to your policy. See the screen shot below.
  • Page 251 2. http://support.microsoft.com/support/kb/articles/q252/7/35.asp 2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  • Page 252 Figure 8: See the VPN rule screen shot If you use SMT management, the VPN configurations are as shown below. Menu 27.1.1 - IPSec Setup Index #= 1 Name= P-202H Plus v2
  • Page 253 Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 3600 Key Group= DH1 Phase 2 Active Protocol= ESP Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 3600 Encapsulation= Tunnel
  • Page 254 Soft-PK VPN to P-202H Plus v2 Tunneling This page guides us through setting up a VPN connection between the VPN software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the VPN software and the P-202H Plus v2 router.
  • Page 255 PC (PC 2 in this case). 5. Check Connect using Secure Gateway Tunnel, also select IP Address as ID Type, and enter P-202H Plus v2's WAN IP address in the following field.
  • Page 256 7. Click My Identity, then click the Pre-Shared Key icon on the right side of the window. 8. In the pop-up window, enter a key that you will later also need to configure in P-202H Plus v2. In this example, we enter 12345678.
  • Page 257 Security Policy Settings:
  • Page 258 1) and Key Exchange (Phase 2). 11. The settings shown in the following two figures for both Phases are our examples. You can choose any, but they should match whatever you enter in P-202H Plus v2.
  • Page 260 2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  • Page 261 Figure 8: See the VPN rule screen shot
  • Page 262 2. There are two phases for IKE: In Phase 1, two IKE peers establish a secure channel for key exchange. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission.
  • Page 263 202H Plus v2 router. There are several devices we need to set up for this case: Linux FreeS/WAN and the P-202H Plus v2 router. As the figure below shows, the tunnel between PC 1 and P-202H Plus v2 ensures that the packets flowing between them are secure, because packets going through the IPSec tunnel are encrypted.
  • Page 264 URL for more information, http://www.FreeS/WAN.org/. Two files must be configured in /etc directory. ipsec.conf: config setup interfaces="ipsec0=eth1" klipsdebug=none plutodebug=none plutoload=%search plutostart=%search conn %default keyingtries=3 conn P-202H Plus v2 left=65.170.185.111
  • Page 265 65.170.185.111 202.132.170.1 : PSK "12345678" 2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The LAN IP in this example is 192.168.0.1, and the default password for the web configurator is 1234.
  • Page 266 You can click the Advanced button to check the IPSec Phase 1 and Phase 2 parameters. Please note that Linux FreeS/WAN only supports 3DES as encryption algorithm, and DH2 or higher as key exchange group.
  • Page 268 In Phase 2, two peers negotiate IPSec SAs which are used for data transmission. Please note that Linux FreeS/WAN only supports 3DES as encryption algorithm, and DH2 or higher as key exchange group.
  • Page 269 Sentinel (Static IP) to P-202H Plus v2(Static IP) Tunneling This page guides us through setting up a VPN connection between the Sentinel software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the Sentinel software and the P-202H Plus v2 router.
  • Page 270 1. Setup Sentinel 1. From the Tool Tray of the Windows system, right click on your SSH/Sentinel icon, and then choose Run Policy Editor. 2. Choose Key Management. Select My Keys, then press the Add... button.
  • Page 271 3. Select Create a preshared key, and press Next.
  • Page 272 4. Give this preshared key a name, P-202H Plus v2. Then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally press Finish.
  • Page 273 5. Press Apply in the Main menu to save the above settings for later use.
  • Page 274 6. Switch to the Security Policy tab. Choose VPN connections, and then press Add...
  • Page 275 7. The Add VPN Connection window will pop up. Press the IP button beside the Gateway Name box. Enter P-202H Plus v2's WAN IP address in Gateway IP address. 8. Press the ... button beside Remote network.
  • Page 276 202H Plus v2 in Network name, and 192.168.1.0 in IP address field, and 255.255.255.0 in Subnet Mask field. Then click OK to go back to the Add VPN Connection window. 10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.
  • Page 277 11. In SSH Sentinel Policy Editor, you will get a new VPN connection, 172.21.1.252(P-202H Plus v2). Choose this item, and then press the Properties... button. 12. Choose the Settings button in the Remote endpoint section. Please uncheck the boxes of "Acquire virtual IP address"...
  • Page 278 13. Set the IKE proposal to Encryption algorithm as DES, Integrity function as MD5, IKE mode as main mode, IKE group as MODP 768 (group 1), and the IPSec proposal to Encryption algorithm as DES, Integrity function as HMAC-MD5, PFS group as none.
  • Page 279 14. Press Apply to save all of the settings.
  • Page 280 Note: A. When building a VPN between Sentinel and P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Please always initiate the tunnel from Sentinel. B. A VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing...
  • Page 281 NOTE: Please check your P-202H Plus v2's release note; if your current firmware version doesn't support Mega Bytes as SA lifetime, you have to zero your Mega Bytes setting in SA life time. Switch to Security Policy, the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...
  • Page 282 2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  • Page 283 See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters.
  • Page 285 2. There are two phases for IKE: In Phase 1, two IKE peers establish a secure channel for key exchange. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission.
  • Page 286 Sentinel (Dynamic IP) to P-202H Plus v2(Static IP) Tunneling This page guides us through setting up a VPN connection between the Sentinel software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the Sentinel software and the P-202H Plus v2 router.
  • Page 287 1. Setup Sentinel 1. From the Tool Tray of the Windows system, right click on your Sentinel icon, and then choose Run Policy Editor. 2. Choose Key Management. Select My Keys, then press the Add... button.
  • Page 288 3. Select Create a preshared key, and press Next.
  • Page 289 4. Give this preshared key a name, P-202H Plus v2. Then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally press Finish.
  • Page 290 5. Press Apply in the Main menu to save the above settings for later use.
  • Page 291 6. Switch to the Security Policy tab. Choose VPN connections, and then press Add...
  • Page 292 7. The Add VPN Connection window will pop up. Press the IP button beside the Gateway Name box. Enter P-202H Plus v2's WAN IP address in Gateway IP address. 8. Press the ... button beside Remote network.
  • Page 293 202H Plus v2 in Network name, and 192.168.1.0 in IP address field, and 255.255.255.0 in Subnet Mask field. Then click OK to go back to the Add VPN Connection window. 10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.
  • Page 294 11. In SSH Sentinel Policy Editor, you will get a new VPN connection, 172.21.1.252(P-202H Plus v2). Choose this item, and then press the Properties... button. 12. Choose the Settings button in the Remote endpoint section. Please uncheck the boxes of "Acquire virtual IP address"...
  • Page 295 13. Set the IKE proposal to Encryption algorithm as DES, Integrity function as MD5, IKE mode as main mode, IKE group as MODP 768 (group 1), and the IPSec proposal to Encryption algorithm as DES, Integrity function as HMAC-MD5, PFS group as none.
  • Page 296 14. Press Apply to save all of the settings.
  • Page 297 Note: A. When building a VPN between Sentinel and P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Please always initiate the tunnel from Sentinel. B. A VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing...
  • Page 298 NOTE: Please check your P-202H Plus v2's release note; if your current firmware version doesn't support Mega Bytes as SA lifetime, you have to zero your Mega Bytes setting in SA life time. Switch to Security Policy, the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...
  • Page 299 2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  • Page 300 See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters.
  • Page 302 2. There are two phases for IKE: In Phase 1, two IKE peers establish a secure channel for key exchange. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission.
  • Page 303 Sentinel (Behind NAT) to P-202H Plus v2(Static IP) Tunneling This page guides us through setting up a VPN connection between the Sentinel software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the Sentinel software and the P-202H Plus v2 router.
  • Page 304 1. Setup SSH Sentinel 1. From the Tool Tray of the Windows system, right click on your SSH/Sentinel icon, and then choose Run Policy Editor. 2. Choose Key Management. Select My Keys, then press the Add... button.
  • Page 305 3. Select Create a preshared key, and press Next.
  • Page 306 4. Give this preshared key a name, P-202H Plus v2. Then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally press Finish.
  • Page 307 5. Press Apply in the Main menu to save the above settings for later use.
  • Page 308 6. Switch to the Security Policy tab. Choose VPN connections, and then press Add...
  • Page 309 7. The Add VPN Connection window will pop up. Press the IP button beside the Gateway Name box. Enter P-202H Plus v2's WAN IP address in Gateway IP address. 8. Press the ... button beside Remote network.
  • Page 310 202H Plus v2 in Network name, and 192.168.1.0 in IP address field, and 255.255.255.0 in Subnet Mask field. Then click OK to go back to the Add VPN Connection window. 10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.
  • Page 311 11. In SSH Sentinel Policy Editor, you will get a new VPN connection, 172.21.1.252(P-202H Plus v2). Choose this item, and then press the Properties... button. 12. Choose the Settings button in the Remote endpoint section. Please uncheck the boxes of "Acquire virtual IP address"...
  • Page 312 13. Set the IKE proposal to Encryption algorithm as DES, Integrity function as MD5, IKE mode as main mode, IKE group as MODP 768 (group 1), and the IPSec proposal to Encryption algorithm as DES, Integrity function as HMAC-MD5, PFS group as none.
  • Page 313 14. Press Apply to save all of the settings.
  • Page 314 Note: A. When building a VPN between Sentinel and P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Please always initiate the tunnel from Sentinel. B. A VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing...
  • Page 315 NOTE: Please check your P-202H Plus v2's release note; if your current firmware version doesn't support Mega Bytes as SA lifetime, you have to zero your Mega Bytes setting in SA life time. Switch to Security Policy, the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...
  • Page 316 2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  • Page 317 See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters.
  • Page 319 2. There are two phases for IKE: In Phase 1, two IKE peers establish a secure channel for key exchange. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission.
  • Page 320 Sentinel (Dynamic IP) to P-202H Plus v2(Dynamic IP) Tunneling This page guides us through setting up a VPN connection between the SSH Sentinel software and the P-202H Plus v2 router. There are several devices we need to set up for this case: Sentinel and the P-202H Plus v2 router.
  • Page 321 P-202H Plus v2.ddns.org, and update your current WAN IP successfully. 2. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  • Page 322 See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters.
  • Page 324 2. There are two phases for IKE: In Phase 1, two IKE peers establish a secure channel for key exchange. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission.
  • Page 325 Please note that any configuration in 'IKE Setup' should match the settings configured in Sentinel 2. Setup Sentinel 1. From the Tool Tray of the Windows system, right click on your SSH/Sentinel icon, and then choose Run Policy Editor.
  • Page 326 2. Choose Key Management. Select My Keys, then press the Add... button.
  • Page 327 3. Select Create a preshared key, and press Next.
  • Page 328 4. Give this preshared key a name, P-202H Plus v2. Then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally press Finish.
  • Page 329 5. Press Apply in the Main menu to save the above settings for later use.
  • Page 330 6. Switch to the Security Policy tab. Choose VPN connections, and then press Add...
  • Page 331 9. The Network Editor window will pop up. Press the New button, and enter P-202H Plus v2 in Network name, and 192.168.1.0 in IP address field, and 255.255.255.0 in Subnet Mask field. Then click OK to go back to the Add VPN Connection window.
  • Page 332 10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save. 11. In SSH Sentinel Policy Editor, you will get a new VPN connection, P-202H Plus v2.dyndns.org (P-202H Plus v2). Choose this item, and then press Properties...
  • Page 333 12. Choose the Settings button in the Remote endpoint section. Please uncheck the boxes of "Acquire virtual IP address" and "Extended authentication".
  • Page 334 13. Set the IKE proposal to Encryption algorithm as DES, Integrity function as MD5, IKE mode as main mode, IKE group as MODP 768 (group 1), and the IPSec proposal to Encryption algorithm as DES, Integrity function as HMAC-MD5, PFS group as none.
  • Page 335 14. Press Apply to save all of the settings.
  • Page 336 Note: A. When building a VPN between Sentinel and P-202H Plus v2, the tunnel can't be initiated from the P-202H Plus v2 side. Please always initiate the tunnel from Sentinel. B. A VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing...
  • Page 337 NOTE: Please check your P-202H Plus v2's release note; if your current firmware version doesn't support Mega Bytes as SA lifetime, you have to zero your Mega Bytes setting in SA life time. Switch to Security Policy, the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...
  • Page 338 This page guides us through setting up a VPN connection between the Intel VPN client software and the P-202H Plus v2 router. There are several devices we need to set up for this case: the Intel VPN software and the P-202H Plus v2 router.
  • Page 339 2. Give this Tunnel a name, P-202H Plus v2, for example. Specify VPN Gateway IP Address as 172.21.1.252. Tunnel Applies to All network connections. Uncheck Enable IP Address assignment and WINS/DNS via VPN Gateway.
  • Page 340 255.255.255.0, Protocol ALL, Port ALL. And Phase 2 parameters. AH None, Authentication HMAC MD5, Encryption DES (56-bit key), uncheck Transport mode. Specify the Phase 2 SA life time you would like to use. Click OK to save the settings.
  • Page 341 4. Select Shared Secret as Authentication Method, and enter the pre-shared key: 12345678. Then press Advanced... to edit Phase 1 parameters.
  • Page 342 5. Specify phase SA life time you would like to have, 60 minutes for example. Encryption as DES 56-bit key, Authentication as HMAC MD5, and Diffie-Hellman Group as 1-RSA 768 bits. Click OK to save.
  • Page 343 2. Setup P-202H Plus v2 VPN 1. Using a web browser, log in to the P-202H Plus v2 by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  • Page 344 13. Enter the key string 12345678 in the Preshared Key text box, and click Apply. 14. Press the Advanced button to set IKE phase 1 and phase 2 parameters. See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters.
  • Page 345 Name= to_ssh Active= Yes My IP Addr= 172.21.1.252 Secure Gateway Addr= 172.21.1.232 Protocol= 0 Local: Addr Type= SUBNET IP Addr Start= 192.168.1.0 End= 255.255.255.0 Port Start= 0 End= N/A Remote: Addr Type= SINGLE
  • Page 346: Configure NAT for Internal Servers

    Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 28800 Encapsulation= Tunnel Perfect Forward Secrecy (PFS)= None Press ENTER to Confirm or ESC to Cancel: 4. Configure NAT for Internal Servers
  • Page 347: VPN Routing Between Branch Offices

    IP entered in SUA/NAT Server Table. However, if both NAT and IPSec are enabled in P-202H Plus v2, editing the table is necessary only for non-secure connections. For secure connections, no SUA server settings are required, since the private IP is reachable in the VPN case.
  • Page 348 3. On the CONFIGURE-IKE menu, check the Active check box and give a name to this policy. 4. Give this VPN rule a name, Branch_A. 5. Select Key Management to IKE and Negotiation Mode to Main.
  • Page 349 Address Start to 192.168.1.0 and End to 192.168.2.255. This section covers the LAN segment of both headquarters and branch office B. 8. My IP Addr is the WAN IP of this P-202H Plus v2, 202.3.1.1. 9. Set Secure Gateway Addr to the IP address of Headquarters, 202.1.1.1.
  • Page 350 You can set up IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule at headquarters.
  • Page 351 LAN segment of branch office A and headquarters. 1. The first rule in Branch_B. This rule is for branch office B to access headquarters.
  • Page 352 You can set up IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule at headquarters.
  • Page 353 2. The second rule in Branch_B This rule is for branch office B to access branch office A.
  • Page 354 You can set up IKE phase 1 and phase 2 parameters by pressing the Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule at headquarters.
  • Page 355 3. Setup VPN in Headquarters 1. The corresponding rule for Branch_A at headquarters
  • Page 357 2. The corresponding rule for Branch_B_1 at headquarters
  • Page 359 2. The corresponding rule for Branch_B_2 at headquarters
  • Page 362: Support Tool

    ISDN call. Using EPA Analyzer You must connect the P-202H Plus v2 to a terminal program via the serial port to capture the EPA. The EPA will not operate by Telnet. The steps for enabling the EPA are as follows: 1.
  • Page 363 P-202H Plus v2> isdn fw ana on P-202H Plus v2> dev dial 1 Start dialing for node <hinet>... ### Hit any key to continue.### $$$ DIALING dev=2 ch=0..$$$ OUTGOING-CALL phone(4125678) $$$ CALL CONNECT speed<64000> type<2> chan<0>...
  • Page 364 -0------ Interface Id present: implicitly --0----- Interface type : basic interface ---0---- Spare ----1--- Preferred/Exclusive : only the channel is acceptable -----0-- D Channel Indicator : channel identified is not D Channel
  • Page 365 : normal call clearing 00:00:12:62 4 bytes LAPD D NT R SAPI=0 TEI=97 RR P/F=0 NR=3 00:00:12:75 12 bytes LAPD D NT C SAPI=0 TEI=97 INFO P=0 NR=3 NS=3 4 bytes Layer 3
  • Page 366: Using Zyxel Ppp Analyzer

    P-202H Plus v2's PPP protocol analyzer. Using PPP Protocol Analyzer You must connect the P-202H Plus v2 to a terminal program via the serial port to capture the PPP log. The PPP log will not operate by Telnet. The steps for capturing the PPP log are as follows: •...
  • Page 367 • Manually dial to remote node N P-202H Plus v2>dev dial N (N is the node number in Menu 11) Example: • Wait for all progress messages, and manually drop the call: P-202H Plus v2>dev channel drop [bri0|bri1] (bri0 for B1 channel, bri1 for B2 channel) •...
  • Page 368 0010: a8 5f 43 2b 258760 PP09 ebp=7e9fa8,seqNum=6a bri0-RECV len:14 call=4 0000: ff 03 80 fd 01 01 00 0a 11 06 00 01 01 03 258760 PP09 ebp=7e9fdc,seqNum=6b bri0-XMIT len:20 call=4
  • Page 369 Copy and paste the trace to an editor and save it as a text file • Run the ZPKTTOOL program to interpret the PPP log. To understand the detailed trace, please refer to the PPP numbers.
  • Page 370: Lan/Wan Packet Trace

    3. LAN/WAN Packet Trace The P-202H Plus v2 records packet trace and analyzes packets running on LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on LAN or WAN end of the P-202H Plus v2.
  • Page 371 LAN Frame: ENET0-RECV Size: 62/ 62 Time: 12089.790 sec Frame Type: TCP 192.168.1.2:1116->192.31.7.130:80 Ethernet Header: Destination MAC Addr = 00A0C5921311 Source MAC Addr = 0080C84CEA63 Network Type = 0x0800 (TCP/IP) IP Header:
  • Page 372 Destination MAC Addr = 0080C84CEA63 Source MAC Addr = 00A0C5921311 Network Type = 0x0800 (TCP/IP) IP Header: IP Version Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x002C (44)
  • Page 373 Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x0028 (40) Idetification = 0x350B (13579) Flags = 0x02 Fragment Offset = 0x00 Time to Live = 0x80 (128)
  • Page 374 899.160 BRI0-T[0023] LCP (ID=0x05) Configure-Request (1,5,8,13)
  • Page 375 0000: FF 03 00 21 45 00 00 30-E7 02 40 00 7F 06 3E CF ...!E..0..@...>. 0010: A3 1F EF 01 D2 43 71 91-27 17 00 50 00 0B CB 53 ..Cq.'..P...S
  • Page 376 0010: D2 43 71 91 A3 1F EF 01-00 50 27 17 7A A7 1C 33 .Cq..P'.z..3 0020: 00 0B CB 54 60 12 44 70-F4 0E 00 00 02 04 05 B4 ...T`.Dp..
  • Page 377 1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on 1.4 Wait for packet passing through P-202H Plus v2 over LAN 1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off 1.6 Display the trace briefly by entering: sys trcp brief...
  • Page 378 1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on 1.4 Wait for packet passing through P-202H Plus v2 over WAN 1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off...
  • Page 379 = 0x7F (127) Protocol = 0x06 (TCP) Header Checksum = 0x28CF (10447) Source IP = 0xA31FEF01 (163.31.239.1) Destination IP = 0xD2437191 (210.67.113.145) TCP Header: Source Port = 0x2718 (10008) Destination Port = 0x0050 (80)
  • Page 380 Destination Port = 0x2718 (10008) Sequence Number = 0x7F47963C (2135397948) Ack Number = 0x000D088E (854158) Header Length = 24 Flags = 0x12 (.A..S.) Window Size = 0x4470 (17520) Checksum = 0x3829 (14377)
  • Page 381: Using Tftp To Upload/Download Zynos Via Lan

    Enter the IP address of the P-202H Plus v2. To upload the firmware, please save the remote file as 'ras' to the P-202H Plus v2. After the transfer is complete, the P-202H Plus v2 will program the upgraded firmware into FLASH ROM and reboot itself.
  • Page 382 ZyNOS firmware that is available in your hard disk. The remote file is the file name that will be saved in P-202H Plus v2. Check the port number 69 and 512-Octet blocks for TFTP. Check 'Binary' mode for file transferring.
  • Page 383 Before you begin: 1. TELNET to your P-202H Plus v2 first before using TFTP command 2. Type the CI command 'sys stdio 0' to disable console idle timeout in Menu 24.8 and stay in Menu 24.8...
  • Page 384 5. Backup Configuration 6. Restore Configuration 7. Software Update 8. Command Interpreter Mode 9. Call Control Copyright (c) 1999 ZyXEL Communications Corp.n Number: 8 ras> sys stdio 0 ras> (press Ctrl+] to escape to Telnet prompt) telnet> z [1]+ Stopped telnet 192.168.1.1...
  • Page 385: Using Ftp To Upload Firmware And Configuration Files

    To use this feature, your workstation must have FTP client software. There are two examples as shown below. 1. Using FTP command in terminal Step 1: Use the FTP client on your workstation to connect to the P-202H Plus v2 by entering the IP address of the P-202H Plus v2.
  • Page 386 Example: 1. Connect to the P-202H Plus v2 by entering the P-202H Plus v2's IP and SMT password in the FTP software. Set the transfer type to 'Auto-Detect' or 'Binary'.
  • Page 387 3. To upload the firmware file, we transfer the local 'ras' file to overwrite the remote 'ras' file. To upload the configuration file, we transfer the local 'rom-0' to overwrite the remote 'rom-0' file. 4. The P-202H Plus v2 reboots automatically after the uploading is finished.
  • Page 388: Ci Command List

    The latest CI Command list is available in the release note of every ZyXEL firmware release. Please go to the ZyXEL public web site http://www.zyxel.com/support/download_index.php to download the firmware package (*.zip), then unzip the package to get the release note in PDF format.
  • Page 389: Troubleshooting

    - NCP negotiation (NCP can be IPCP, BACP, BCP, CCP, IPXCP) The P-202H Plus v2 provides a very clear log for each step of the call setup. The following shows the messages displayed in each step. If a step fails, an error message is displayed.
  • Page 390 - Call didn't connect - Try again later and also verify the phone number. Dialing chan<1> phone(last 9-digit): 40202 ### Hit any key to continue.### Dial no answer This means the far-end is not answering.
  • Page 391 - IP address been rejected by your ISP Dialing chan<1> phone (last 9-digit): 40201 ### Hit any key to continue.### Call CONNECT speed<64000> type<2> chan<0> LCP opened
  • Page 392 " PP09 WARN Local IP mismatch, proposed 192.68.135.183, PP09 WARN neg'd 204.247.1.1, make sure RIP is turned on" This means that you configured your P-202H Plus v2 Menu 3.2 as 192.68.135.183, but the ISP thinks you should be 204.247.1.1. The P-202H Plus...
  • Page 393 - go to SMT menu 24.1 to verify that channel status is not DOWN. If DOWN, it might be ISDN Init failure. - Do ISDN loopback test Authentication failed - check name and password
  • Page 394: Remote Node/Dial-In User Connection

    P2864> isdn dial 1 * Dial not allowed, or No Channel ( Call to a incoming only remote node, or no free B chan ) ### Hit any key to continue.### • ZyNOS:
  • Page 395 ZyNOS: Zyxel> dev dial 1 $$$ Call is blocked - Call exceeded the Call budget, check Menu 24.9.3 • Pre-ZyNOS: P2864> isdn dial 1 Start dialing for node<1> ***Connect time exceeds budget
  • Page 396 Start dialing for node<1> Dialing chan<1> phone(last 9-digit):40201### Hit any key to continue.### Call CONNECT speed<64000> type<2> chan<0> LCP opened CHAP login to remote failed LCP closed Recv'd TERM-REQ Recv'd TERM-ACK state 5 LCP stopped
  • Page 397 BACP up P128> sys trcl disp 102 fe3792 15e PDI1 dialer Dialing chan<1> phone(last 9-digit):40201 103 fe3ea4 169 PDI1 dialer Call CONNECT speed<64000> chan<1> prot<1> 104 fe3eb8 0 POU1 ebp=4aa00,seqNum=17 PPP1-XMIT:24 len:40
  • Page 398 0000: 80 71 02 17 00 0a 01 06 ff ff ff ff 125 fe405c 0 PNET ebp=4ad00,seqNum=27 PPP1-RECV:24 len:26 0000: ff 03 c0 21 08 33 00 16 80 21 01 12 00 10 02 06
  • Page 399 P128> dev dial 4 Start dialing for node<4> Dialing chan<1> phone(last 9-digit):40201### Hit any key to continue.### Call CONNECT speed<64000> type<2> chan<0> LCP opened CHAP login to remote OK! IPCP negotiation started
  • Page 400 In this example, the IP address of the remote node is 100.1.1.1, but after PPP is up, the far-end claims that their IP is in 200.0.0.0 network. P-202H Plus v2 will drop the call, because of the IP address mismatch in this case.
  • Page 401: Ip Routing

    An IP packet for the LAN destination should be routed to the LAN interface ( enif0 in P-202H Plus v2 ), and IP packet for a remote node destination should be sent to the WAN interface if the connection is up, or else the packet will trigger an outcall to that remote node ( if the remote node is not set for 'incoming' only in Call Direction.
  • Page 402 We can see the 'Use' increased from 0 to 3. This is correct, since each 'ip ping' command will try to send 3 packets. So no problem in IP routing. 4. Check the Error counters
  • Page 403 00 0 wanIdle Internet 0023 0 2. You may want to verify if you have plugged in any filters for that remote node or LAN. P-202H Plus v2> sys filter sw on P-202H Plus v2> sys filter disp Drop Forward SetNotConfig...
  • Page 404: Reset To Default Configuration File

    • The procedure for uploading the configuration file via the console port is as follows. a. Enter debug mode when powering on the P-202H Plus v2 using a terminal emulator b. Enter 'ATUR3' to start the uploading. c. Use X-modem protocol to transfer the configuration file.
  • Page 405 Enter CI command 'sys stdio 0' in menu 24.8 to disable console idle timeout. c. Start the TFTP client program and enter the P-202H Plus v2's IP address. d. To upload the configuration file, put the local configuration file to the P-202H Plus v2 as a remote file name 'rom-0
  • Page 406: Reference

    Call rejected Number changed Destination out of order Invalid format (address incomplete) Facility rejected Response to status enquiry Normal, unspecified Resource Unavailable Class No circuit/channel available Network out of order Temporary failure
  • Page 407 Invalid call reference value Identified channel does not exist A suspended call exist, but this call identify Call identity in use No call suspended Call having the requested call identity has been cleared Incompatible destination
  • Page 408: Ppp Numbers

    All Protocols MUST be assigned such that the least significant bit of the most significant octet equals "0", and the least significant bit of the least significant octet equals "1". • Network Layer Numbers Value (in hex) Protocol Name --------------------------------------------------------------------- 0001 Padding Protocol
  • Page 409 NTCITS IPI [Ungar] 00cf reserved (PPP NLPID) 00fb single link compression in multilink [RFC1962] 00fd compressed datagram [RFC1962] 00ff reserved (compression inefficient) 02xx-1exx (compression inefficient) 0201 802.1d Hello Packets 0203 IBM Source Routing BPDU
  • Page 410 SNA Control Protocol 804f IP6 Header Compression Control Protocol 8051 KNX Bridging Control Protocol [ianp] 8053 Encryption Control Protocol [Meyer] 8055 Individual Link Encryption Control Protocol [Meyer] 8057 IPv6 Control Protocol [Hinden]
  • Page 411 Network Control Protocol (NCP), if any. Protocol field values in the "4xxx" to "7xxx" range are used for protocols with low volume traffic which have no associated NCP. Protocol field values in the "cxxx" to "exxx" range identify
  • Page 412 The Point-to-Point Protocol (PPP) Link Control Protocol (LCP) specifies a number of Configuration Options which are distinguished by an 8 bit Type field. These Types are assigned as follows: Type Configuration Option -------------------------------------------------------------- Vendor Specific [RFC2153] Maximum-Receive-Unit Async-Control-Character-Map
  • Page 413 2 IPv6-Compression-Protocol [RFC2023] • PPP ECP CONFIGURATION OPTION TYPES A one octet field is used in the Encryption Control Protocol (ECP) to indicate the configuration option type [RFC1968]. ECP Option Configuration Type -----------------------------------------------------------
  • Page 414 A one octet field is used in the Compression Control Protocol (CCP) PPP Serial Data Transport Protocol (SDTP) to indicate the option type [RFC1963]. SDCP Option Configuration Element ---------------------------------------------------------------------------------- Packet-Format [RFC1963] Header-Type [RFC1963]
  • Page 415 • PPP MULTILINK ENDPOINT DISCRIMINATOR CLASS The Point-to-Point Protocol (PPP) Link Control Protocol (LCP) Multilink Endpoint Discriminator Option includes a Class field which identifies the address class. These are assigned as follows:
  • Page 416 Configuration Option --------------------------------------------------------------------------------- IP-Addresses (deprecated) [RFC1332] IP-Compression-Protocol [RFC1332] IP-Address [RFC1332] Mobile-IPv4 [RFC2290] Primary DNS Server Address [RFC1877] Primary NBNS Server Address [RFC1877] Secondary DNS Server Address [RFC1877] Secondary NBNS Server Address [RFC1877]
  • Page 417 Configuration Options [RFC1763] which are distinguished by an 8 bit Type field. These Types are assigned as follows: Type Configuration Option ------------------------------------------------------------ BV-NS-RTP-Link-Type BV-FRP BV-RTP BV-Suppress-Broadcast • PPP BRIDGING CONFIGURATION OPTION TYPES
  • Page 418 These are assigned as follows: Protocol Spanning Tree ------------------------------------------------------------------------------------ Null - no spanning tree protocol supported IEEE 802.1D spanning tree protocol IEEE 802.1G extended spanning tree protocol IBM source route spanning tree protocol
  • Page 419 Novell Triggered RIP required [Edmonstone] Novell Triggered SAP required [Edmonstone] • NBFCP Configuration Options NBFCP Configuration Options [RFC 2097] allow modifications to the standard characteristics of the network-layer protocol to be negotiated. If a Configuration
  • Page 420 Organisationally Unique Identifier (OUI), namely the first three octets of a Vendor's Ethernet address assigned by IEEE 802 [RFC1968, RFC2153]. These are listed in the "ethernet-numbers" file (see http://www.iana.org/in-notes/iana/assignments/ethernet-numbers).
  • Page 421: Port Numbers

    53/udp nameserver nameserver 53/tcp domain # name-domain server nameserver 53/udp domain 57/tcp # deprecated bootp 67/udp # boot program server tftp 69/udp 77/tcp netrjs finger 79/tcp link 87/tcp ttylink supdup 95/tcp
  • Page 422 514/tcp # no passwords used syslog 514/udp printer 515/tcp spooler # line printer spooler talk 517/udp ntalk 518/udp 520/tcp # for LucasFilm route 520/udp router routed timed 525/udp timeserver tempo 526/tcp newdate
  • Page 423 2053/tcp # Kerberos de-multiplexor eklogin 2105/tcp # Kerberos encrypted rlogin 5555/tcp rmtd 5556/tcp mtbd # mtb backup 9535/tcp # remote man server 9536/tcp mantst 9537/tcp # remote man server, testing bnews 10000/tcp
  • Page 424: Protocol Numbers

    Stream [RFC1190,IEN119] Transmission Control [RFC793] [Ballardie] Exterior Gateway Protocol [RFC888,DLM1] any private interior gateway [IANA] (used by Cisco for their IGRP) BBN-RCC-MON BBN RCC Monitoring [SGC] NVP-II Network Voice Protocol [RFC741,SC3] [PUP,XEROX]
  • Page 425 I-NLSP Integrated Net Layer Security TUBA [GLENN] SWIPE IP with Encryption [JI6] NARP NBMA Address Resolution Protocol [RFC1735] MOBILE IP Mobility [Perkins] TLSP Transport Layer Security Protocol [Oberg] using Kryptonet key management
  • Page 426 Mobile Internetworking Control Pro. [JI6] SCC-SP Semaphore Communications Sec. Pro. [HXH] ETHERIP Ethernet-within-IP Encapsulation [RXH1] ENCAP Encapsulation Header [RFC1241,RXB3] any private encryption scheme [IANA] GMTP GMTP [RXB5] IFMP Ipsilon Flow Management Protocol [Hinden]
  • Page 427: System Error Code

    -3020 call dial fail -3022 filter groups are mixed, so call is not allowed -3023 received unexpected event -3024 state timeout -3025 waiting RADIUS authentication -3026 RADIUS call back fail
  • Page 428 Message: PINI ERROR netMakeChannDial: err=-3002, rn_p=576de0 Meaning: remote node call direction is configured as outgoing only. Solution: change the call direction to both or incoming. -3003 Message: PINI ERROR netMakeChannDial: err=-3003, rn_p=576de0
  • Page 429 Solution: do nothing, it should be information. -3024 Message: PINI ERROR netMakeChannDial: err=-3024, rn_p=576de0 Meaning: state dial timeout. Solution: do nothing, it should be information. -3025 Message: PINI ERROR netMakeChannDial: err=-3025, rn_p=576de0
  • Page 430 CLID=required. Solution: enter correct CLID number in remote node or in dial-in user setup. -3034 Message: PINI ERROR netMakeChannDial: err=-3034, rn_p=572de0 Meaning: CLID can not be found Solution: enter the correct CLID.
  • Page 431 Message: PINI ERROR netMakeChannDial: err=-3042, rn_p=576de0 Meaning: no answer received. Solution: check whether the phone number configured correctly. -3043 Message: PINI ERROR netMakeChannDial: err=-3043, rn_p=276de0 Meaning: dial timeout. Solution: change the timeout value.
  • Page 432 Meaning: outgoing call failed since the port for the source is not in the SUA table. Solution: too many users on the LAN. 38. Message: PP09 WARN Discard unknown network protocol 0x802B.
  • Page 433 15 - connection manager bit 16 - event manager bit 17 - L2TP protocol level xx: refers the information contents will be displayed, lower level - less contents. Default is level 5. 44. Message: CheckSum Error 1
  • Page 434 46. Message: INFO addCallHistory: Transfer rate 255 is out of defined values. Meaning: transfer rate is not in the defined range. Solution: report to ZyXEL support. (one call history is missed in the call history table).
