ZyXEL Communications ZyWALL Series Support Note

2013
ZyWALL Series
Support Note
V1
4/1/2013

Summary of Contents for ZyXEL Communications ZyWALL Series

  • Page 1 2013 ZyWALL Series Support Note 4/1/2013...
  • Page 2: Application Scenario

    Scenario 1 - Restricting Bandwidth Management Priority for Traffic 1.1 Application Scenario In an enterprise network, there are various types of traffic. However, most companies' Internet bandwidth is limited. All traffic will contend for it and may result in some important traffic, for example.
  • Page 3: Configuration Guide

    1.2 Configuration Guide Network conditions: - WAN download bandwidth: 2M - WAN upload bandwidth: 1M Goals to achieve: Restrict FTP download/upload bandwidth to 1000/500 kbps and set priority of FTP traffic to 4 for all users. ZyWALL configuration: Step 1: Configuration > BWM > check “Enable BWM” Step 2: Configuration >...
  • Page 5 Scenario 2 - Assign IPv6 to your LAN to access remote IPv6 network 2.1 Application Scenario Nowadays, more and more Internet service providers provide an IPv6 environment. With the IPv6 feature enabled, a ZyWALL can assign IPv6 addresses to the clients behind it and pass IPv6 traffic through an IPv4 environment to access a remote IPv6 network.
  • Page 6 ZyWALL Configuration: Step 1: Configuration > System > IPv6 > Click Enable IPv6 Step 2: Setting the static IP on WAN1...
  • Page 7 Step 3: Setting IPv6 IP address on LAN1 (1) Go to Configuration > Interface > Ethernet > double click LAN1 interface in IPv6 configuration. (2) Convert WAN1 IP address to hexadecimal Check Enable Stateless Address Auto-configuration (SLAAC) box and enter 2002:3b7c:a39b::/64 in the prefix table.
  • Page 8 Step 4: Enable the 6to4 tunnel. (1) Go to Configuration > Interface > Tunnel > Click Add button (2) Select 6to4 as the Tunnel Mode (3) Check the Prefix in the 6to4 tunnel Parameter (4) Select the WAN1 interface as the gateway in the Gateway Setting After these configuration steps, connect your computer to the device and check that your computer received an IPv6 address from the tunnel.
  • Page 9 Scenario 3 – Dialing up L2TP VPN connection to ZyWALL by using iOS/Android mobile device 3.1 Application Scenario Smartphones are becoming increasingly popular with consumers. They bring much more convenience, but also security concerns. A ZyWALL can establish L2TP VPN connections with iOS/Android mobile devices, providing secure and private mobile data transfer even when the mobile device is behind NAT.
  • Page 10 3.2 Configuration Guide Network conditions: ZyWALL: - WAN1 IP: 59.124.163.150 - Local subnet: 192.168.1.0/24 - L2TP pool: 192.168.100.0/24 - Intranet website: http://info.zyxel.com iOS/Android mobile device: - IP: 116.59.252.188 (3G mobile network) - IP: 10.59.3.103 (Behind NAT device) IPSec VPN conditions: Phase 1: - Authentication: 12345678 Phase 2: - Encapsulation Mode: Transport mode...
  • Page 11 Step 3: Fill in the needed VPN gateway configuration.
  • Page 12 Step 4: Click Configuration > VPN > IPSec VPN > VPN Connection to visit the configuration screen to set phase 2 rule Step 5: Click the “Add” button to add a VPN connection rule. Step 6: Fill in the needed VPN connection configuration.
  • Page 14 Step 7: Click Configuration > VPN > L2TP VPN to visit the L2TP VPN configuration screen Step 8: Create an address object for L2TP users Step 9: Fill in the needed L2TP VPN connection configuration.
  • Page 15 iOS mobile client configuration Step 1: Settings > General > Network > Step 2: Choose the VPN and turn on VPN > Add configuration and insert needed L2TP VPN settings. Secret is the pre-shared key 12345678. Step 3. Go to Monitor > VPN Monitor > L2TP over IPSec to check the L2TP session.
  • Page 16 Android mobile client configuration Step 1: Settings > Wireless & networks > Step 2: Add VPN network...
  • Page 17 Step 3: Select L2TP/IPSec PSK as the type Step 4: Fill in the Pre-shared key 12345678, fill in the server address, and click “Save”.
  • Page 18 Step 5: Click on “ZyWALL” to connect to the L2TP VPN. Fill in the L2TP password and click “Connect”. Step 6: The device will show connected when the dial-up succeeds. Step 7. Go to Monitor > VPN Monitor > L2TP over IPSec to check the L2TP session.
  • Page 19 Scenario 4 – One click Setup VPN connection to headquarter 4.1 Application Scenario In an enterprise, employees often travel on business around the world. They might need to access resources inside headquarters during a trip, which raises security concerns.
  • Page 20 4.2 Configuration Guide Network conditions: ZyWALL: - WAN 1 IP: 59.124.163.147 - Local subnet: 192.168.1.0/24 IPSec VPN conditions: Phase 1: - Authentication: 12345678 - Local/Peer IP: WAN1/0.0.0.0 - Negotiation: Main mode - Encryption algorithm: DES - Authentication algorithm: MD5 - Key group: DH1 Outside user: - IP: 114.16.87.56 Phase 2:...
  • Page 21 Goals to achieve: Provide an easy way for outside users to build an IPSec VPN tunnel by using the ZyWALL IPSec VPN Client to access internal resources. ZyWALL configuration Step 1: Click Configuration > Quick setup > VPN Setup Step 2: Select “VPN settings for Configuration Provisioning”...
  • Page 22 Step 3: Select “Express” (or select “Advance” to define detailed settings manually) Step 4: Change Rule Name if needed...
  • Page 23 Step 5: Fill in Pre-shared key and Local policy Step 6: Check that the IPSec VPN configuration is correct and save the settings...
  • Page 24 Step 7: Click Configuration > VPN > IPSec VPN > Configuration Provisioning and enable Configuration Provisioning Step 8: Create a provisioning rule for any user...
  • Page 25 ZyWALL IPSec VPN Client software configuration Step 1: Execute ZyWALL IPSec VPN Client Step 2: Click Configuration > Get from Server...
  • Page 26 Step 3: Fill in authentication information and click “Next” Step 4: The VPN profile will be downloaded from the USG if authentication is successful...
  • Page 27 Step 5: Double left click on the phase 2 profile to dial up IPSec VPN tunnel Step 6: You can reach the internal server...
  • Page 29 Scenario 5 – Dynamic users communicate with HQ and all branch offices by using auto created VPN routes 5.1 Application Scenario For world-wide enterprises, network communication between each branch and the headquarter office is very important. A VPN concentrator combines several IPSec VPN connections into one secure network for site-to-site VPN and reduces the number of VPN connections that need to be set up and maintained in the network.
  • Page 31 5.2 Configuration Guide Network conditions: ZyWALL: Site WAN IP VPN Tunnel VPN Policy(Local-Remote) 10.59.3.201 HQ-Branch 1 172.28.0.0/20 - 172.28.1.0/24 HQ-Branch 2 172.28.0.0/20 - 172.28.2.0/24 Branch 1 10.59.3.200 Branch 1-HQ 172.28.1.0/24 - 172.28.0.0/20 Outbound Traffic (SNAT) Source: 192.168.1.0/24 Destination:172.28.0.0/20 SNAT:172.28.1.0/24 Inbound Traffic(DNAT) Original IP: 172.28.1.0/24 Mapped IP: 192.168.1.0/24 Branch 2...
  • Page 32 ZyWALL configuration: Task 1. Establish IPSec VPN between HQ and Branch 1. HQ configuration Step 1. Configuration > VPN > IPSec VPN > VPN Gateway > Edit...
  • Page 33 Step 2. Configuration > VPN > IPSec VPN > VPN Connection > Edit Branch 1 configuration Step 1. Configuration > VPN > IPSec VPN > VPN Gateway > Edit...
  • Page 34 Step 2. Configuration > VPN > IPSec VPN > VPN Connection > Edit...
  • Page 35 Step 3. Set up an SNAT rule in the VPN tunnel. Source: 192.168.1.0/24 Destination: 172.28.0.0/20 SNAT: 172.28.1.0/24...
  • Page 36 Step 4. Configuration > Network > Routing > Policy Route, Add a policy route Source: any Destination: 172.28.0.0/20 Next-hop: VPN tunnel...
  • Page 37 Task 2. Establish IPSec VPN between HQ and Branch 2 HQ configuration Step 1. Configuration > VPN > IPSec VPN > VPN Gateway > Edit Step 2. Configuration > VPN > IPSec VPN > VPN Connection > Edit...
  • Page 38 Branch 2 configuration Step 1. Configuration > VPN > IPSec VPN > VPN Gateway > Edit Step 2. Configuration > VPN > IPSec VPN > VPN Connection > Edit...
  • Page 39 Step 3. Set up an SNAT rule in the VPN tunnel. Source: 192.168.2.0/24 Destination: 172.28.0.0/20 SNAT: 172.28.2.0/24...
  • Page 40 Step 4. Configuration > Network > Routing > Policy Route, Add a policy route Source: any Destination: 172.28.0.0/20 Next-hop: VPN tunnel...
  • Page 41 Task 3. Establish Dynamic VPN for mobile users HQ configuration Step 1. Configuration > VPN > IPSec VPN > VPN Gateway > Edit Step 2. Configuration > VPN > IPSec VPN > VPN Connection > Edit...
  • Page 42 Step 3. IPSec VPN client setting Step 4. In Phase 2, assign one IP for IPSec VPN Client manually.
  • Page 43 Step 5. Disable “Use Policy Route to control dynamic IPSec rules” on HQ device. Configuration > VPN > IPSec VPN > VPN Connection > Global Setting HQ Routing Packet Flow Maintenance > Packet Flow Explore > Routing Status Verification...
  • Page 44 IPSec VPN client can ping HQ, branch 1 and branch 2 successfully at the same time.