P202H Plus v2 - Router ZYXEL - Free user manual and instructions

★ ★ ★ ★ ★ 9.0/10 📄 410 pages EN 💬 AI Question

USER MANUAL P202H Plus v2 ZYXEL

Version3.40 June. 2006

3. What data compression protocol does the P-202H Plus v2 support? 6

4. What is the default console port baud rate? Moreover, how do I

6. How do I upgrade/backup the ZyNOS firmware by using TFTP client

8. How do I backup/restore SMT configurations by using TFTP client

program via LAN?.................................................................................................. 7

9. What should I do if I forget the system password? ................................. 8

10. What is SUA? When should I use SUA?................................................... 8

11. What is the difference between NAT and SUA?..................................... 8

14. Why do we need the input filter in menu 3.1 and call filter in menu

11.1? .......................................................................................................................... 9

15. How can I protect against IP spoofing attacks?..................................... 9

16. What is DNS proxy?...................................................................................... 10

17. What is a Nailed-up Connection and when do I need to use it?....... 11

18. What are Device filters and Protocol filters?......................................... 11

19. Why can't I configure device filters or protocol filters?.................... 11

20. The P-202H Plus v2 supports to upload the firmware and

configuration files using FTP, but how do I prevent the outside user from 'FTP' my P-202H Plus v2?........................................................................ 11 Product FAQ.............................................................................................................. 12

1. How do I collect EPA trace? Moreover, how do I read it?.................... 12

2. Can I prevent the dial-in user from occupying two channels?........... 12

3. How does 'Dial Prefix to Access Outside Line' in Menu 2 (European

firmware) work?.................................................................................................... 12

4. What supplemental phone service does P-202H Plus v2 support..... 12

5. How do I do call waiting/call hold/call retrieve?...................................... 13

6. Why doesn't call waiting work as expected?........................................... 13

7. How do I do three way calling?.................................................................... 13

8. How do I remove a party from the three-way calling?........................... 13

11. What is call forwarding and how do I do it?........................................... 14

14. Why doesn't my answering machine on POTS port stop recording?

All contents copyright © 2006 ZyXEL Communications Corporation. 2P-202H Plus v2 Support Notes

15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European

firmware)?.............................................................................................................. 15

16. Does P-202H Plus v2 support MP callback to dial-in users? ............ 16

17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting?

18. What are the differences between P-202H, P-202H Plus and P-202H

5. Why do you need a firewall when your router has packet filtering and

14. Why static/policy route be blocked by P-202H Plus v2?.................... 20

5. Why can't I upload the firmware and configuration file using FTP

over WAN?............................................................................................................. 23

6. Why can't I configure my router using Telnet over LAN? .................... 24

7. Why can't I upload the firmware and configuration file using FTP

6. What is the difference between the log and alert?................................. 26

All contents copyright © 2006 ZyXEL Communications Corporation. 3P-202H Plus v2 Support Notes

8. What are the differences between 'Transport mode' and 'Tunnel

12. What are the differences between IKE and manual key VPN?.......... 29

1. How do I configure P-202H Plus v2 VPN?................................................. 30

2. How many VPN connections does P-202H Plus v2 support? ............. 30

3. What VPN protocols are supported by P-202H Plus v2 VPN? ............ 30

4. What types of encryption does P-202H Plus v2 VPN support? .......... 30

5. What types of authentication does P-202H Plus v2 VPN support? ... 30

8. What VPN gateway that has been tested with P-202H Plus v2

successfully?........................................................................................................ 31

9. What VPN software that has been tested with P-202H Plus v2

12. What are the difference between the 'My IP Address' and 'Secure

14. Why does VPN throughput decrease when staying in SMT menu

24.1? ........................................................................................................................ 33

15. How do I configure P-202H Plus v2 with NAT for internal servers? 33

3. Does SSH Sentinel work with the PPP over Ethernet (PPPoE)

protocol, which is used by the ADSL Network Adapter cards?.............. 34

4. How to configure Pre-IPSec filter? ............................................................. 34

5. What is "Acquire virtual IP address" for? Should I check this box? 34

6. What is "Extended Authentication"? Should I check this box?......... 34

7. Does Sentinel support IP range? ................................................................ 35

8. Does Sentinel support 2 VPN connections at the same time? ........... 35

9. What is this option, “Attach the selected values to proposal only” for?

10. How to initiate a VPN tunnel from Sentinel?

All contents copyright © 2006 ZyXEL Communications Corporation. 4P-202H Plus v2 Support Notes

ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all P-202H Plus v2 routers that delivers network services and applications. It is designed in a modular fashion so it is easy for developers to add new features. New ZyNOS software upgrades can be easily downloaded from our FTP sites as they become available.

2. How do I access the P-202H Plus v2 SMT menu?

The SMT interface is a menu driven interface, which can be accessed via a RS232 console or a Telnet connection. To access the P-202H Plus v2 via SMT console port, a computer equipped with communication software such as HyperTerminal must be configured to the following parameters.

• N81 data format (No Parity, 8 data bits, 1 stop bit) The default console port baud rate is 9600bps. You can change it to 115200bps in Menu 24.2.2 to speed up access of the SMT.

3. What data compression protocol does the P-202H Plus v2 support?

The P-202H Plus v2 supports STAC compression. Please note that STAC is not enabled in the P-202H Plus v2 by default. You can enable it in Remote Node setup (SMT menu 11.2, Edit PPP Option).

4. What is the default console port baud rate? Moreover, how do I change it?

The default console port baud rate is 9600bps. When configuring the SMT, please make sure that terminal baud rate is also 9600bps. You can change the console baud rate from 9600bps to 57600 to speed up SMT access, by using SMT menu 24.2.2.

5. How do I upload the ZyNOS firmware code via console?

All contents copyright © 2006 ZyXEL Communications Corporation. 6P-202H Plus v2 Support Notes The procedure for uploading via console is as follows. a. Enter debug mode when powering on the P-202H Plus v2 using a terminal emulator b. Enter 'ATUR' to start the uploading c. Use X-modem protocol to transfer the ZyNOS code d. Enter 'ATGO' to restart the P-202H Plus v2

6. How do I upgrade/backup the ZyNOS firmware by using TFTP client

program via LAN? The P-202H Plus v2 allows you to transfer the firmware from/to P-202H Plus v2 by using TFTP program via LAN. The procedure for uploading via TFTP is as follows. a. Use the TELNET client program in your PC to login to your P-202H Plus v2, and use Menu 24.8 to enter CI command 'sys stdio 0' to disable console idle timeout. b. To upgrade firmware, use TFTP client program to put firmware in file 'ras' in the P-202H Plus v2. c. When the data transfer is finished, the P-202H Plus v2 will program the upgraded firmware into FLASH ROM and reboot itself. d. To backup your firmware, use the TFTP client program to get file 'ras' from the P-202H Plus v2.

7. How do I upload ROMFILE via console port?

In some situations, such as losing the system password or the need of resetting SMT to factory default you may need to upload the ROMFILE. The procedure for uploading via the console port is as follows. a. Enter debug mode when powering on the P-202H Plus v2 using a terminal emulator b. Enter 'ATUR3' to start the uploading c. Use X-modem protocol to transfer ROMFILE d. Enter 'ATGO' to restart the P-202H Plus v2

8. How do I backup/restore SMT configurations by using TFTP client

program via LAN? a. Use the TELNET client program in your PC to login to your P-202H Plus v2, and use Menu 24.8 to enter CI command 'sys stdio 0' to disable console idle timeout All contents copyright © 2006 ZyXEL Communications Corporation. 7P-202H Plus v2 Support Notes b. To backup the SMT configurations, use TFTP client program to get file 'rom-0' from the P-202H Plus v2. c. To restore the SMT configurations, use the TFTP client program to save your configuration in file 'rom-0' in the P-202H Plus v2.

9. What should I do if I forget the system password?

In case you forget the system password, you can upload ROMFILE to reset the SMT to factory default. After uploading ROMFILE, the default system password is '1234'.

10. What is SUA? When should I use SUA?

SUA (Single User Account) is a unique feature supported by P-202H Plus v2 router which allows multiple people to access Internet concurrently for the cost of a single user account. When P-202H Plus v2 acting as SUA receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet header with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool. It then recomputes the appropriate header checksums and forwards the packet to the Internet as if it is originated from P-202H Plus v2 using the IP address assigned by ISP. When reply packets from the external Internet are received by P-202H Plus v2, the original IP source address and TCP/UDP source port numbers are written into the destination fields of the packet (since it is now moving in the opposite direction), the checksums are recomputed, and the packet is delivered to its true destination. This is because SUA keeps a table of the IP addresses and port numbers of the local systems currently using it.

11. What is the difference between NAT and SUA?

NAT is a generic name defined in RFC 1631 'The IP Network Address Translator (NAT)'. SUA (Internet Single User Account) is ZyXEL's implementation and trade name for functioning PAT (Port Address Translation) which is a specific type of NAT. SUA( or PAT for NAT) translates address into port mapping. The primary motivation for RFC 1631 is that there is not enough IP address to go around. In addition, great many corporations simply did not bother to obtain legal (globally unique) IP addresses for their networks and now finding themselves unable to connect to the Internet. Basically, NAT is a process of translating one address to another. A NAT implementation can be as simple as substituting an IP address with another. This All contents copyright © 2006 ZyXEL Communications Corporation. 8P-202H Plus v2 Support Notes allows a network to rectify the illegal address problem mentioned above without going through each and every host. The aim of ZyXEL's SUA is to minimize the Internet access cost in a small office environment by using a single IP address to represent the multiple hosts inside. It does more than IP address translation, it also enables hosts on the LAN can access the Internet at the same time.

12. How many network users can the SUA support?

The fixed-size translation table limits the number of simultaneous. A reasonable number will be less than 20 users. Beyond that, the limited modem bandwidth would probably become the bottleneck and any increase in the translation table size will not help.

13. How do I capture the PPP log in my P-202H Plus v2?

The procedure to capture the PPP log in P-202H Plus v2 is as following. To enable the capture of PPP log before a connection is established: a. Enter SMT Menu 24.8, the CI command mode b. Enter 'sys trcl cl' command c. Enter 'sys trcl sw on' command d. Enter 'sys trcp sw on' command To display the PPP log after a connection is disconnected: a. Enter 'sys trcl sw off' command b. Enter 'sys trcp sw off' command c. Enter 'sys trcl disp' command

14. Why do we need the input filter in menu 3.1 and call filter in menu 11.1?

Two factory default filter sets have been optimized for Internet connection. They are configured in menu 21 and applied to menu 3.1 and menu 11.5 to prevent NETBIOS triggering the call. You can remove it if you do not need it.

15. How can I protect against IP spoofing attacks?

The P-202H Plus v2's filter sets provide a means to protect against IP spoofing attacks. The basic scheme is as follows: For the incoming data filter: All contents copyright © 2006 ZyXEL Communications Corporation. 9P-202H Plus v2 Support Notes

• Deny packets from the outside that claim to be from the inside

• Allow everything that is not spoofing us Filter rule setup:

• Action Matched =Drop

• Action Not Matched =Forward Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask: For the outgoing data filters:

• Deny bounceback packet

• Allow packets that originate from us Filter rule setup:

• Action Matched =Drop

• Action No Matched =Forward Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.

16. What is DNS proxy?

If enabled, DNS Proxy allows the P-202H Plus v2 to act as the DNS server for the local network. The P-202H Plus v2 gets the IP address of the actual DNS server from the remote site via IPCP negotiation. Note this feature only works if the remote site supports RFC 1877. How do I turn on DNS Proxy? DNS Proxy is enabled only if the selection of the DHCP field under DHCP Setup in Menu 3.2 is Server and the Primary DNS Server is set to 0.0.0.0. (this is the factory default). If the DNS Proxy is enabled, the P-202H Plus v2 will assign its IP address as the Primary DNS in the responses to DHCP requests on the local network. All contents copyright © 2006 ZyXEL Communications Corporation. 10P-202H Plus v2 Support Notes How do I set DNS other than P-202H Plus v2 IP address? The P-202H Plus v2 assigns the values entered in Primary DNS server and Secondary DNS server fields in Menu 3.2 to the responses to the DHCP requests on the local network if the DHCP Server function is enabled.

17. What is a Nailed-up Connection and when do I need to use it?

A Nailed-up Connection, when enabled, emulates a leased line connection even though the physical line is a dial-up connection. The P-202H Plus v2 dials and holds up a connection, without any traffic requesting it. When you want the link to be always up, you need to use it.

18. What are Device filters and Protocol filters?

In ZyNOS, the filters have been separated into two groups. One group is called 'device filter group', and the other is called 'protocol filter group'. Generic filters belong to the 'device filter group', TCP/IP and IPX filters belong to the 'protocol filter group'.

19. Why can't I configure device filters or protocol filters?

In ZyNOS, you can not mix different filter groups in the same filter set.

20. The P-202H Plus v2 supports to upload the firmware and configuration

files using FTP, but how do I prevent the outside user from 'FTP' my P-202H Plus v2? The P-202H Plus v2 supports to upload the firmware and configuration files using FTP connections via LAN and WAN. So, this becomes unsecure that anyone can make a FTP connection over the Internet to your P-202H Plus v2. To prevent from outside users connecting to your P-202H Plus v2 via FTP, you can configure a filter to block the FTP connection from WAN.

All contents copyright © 2006 ZyXEL Communications Corporation. 11P-202H Plus v2 Support Notes

1. How do I collect EPA trace? Moreover, how do I read it?

• Enable the trace in Menu 24.8 by the following CI command: isdn fw ana on

• Make a call to remote node or ISP by: dev dial N (N is the remote node number)

• Drop the call by: dev channel drop bri0|bri1 (bri0 for B1 channel, bri1 for B2 channel)

• Display the trace by: isdn fw ana off isdn fw ana disp

2. Can I prevent the dial-in user from occupying two channels?

Yes. You can use a CI command to prevent the dial-in user from occupying two channels. Please enter to menu 24.8 and type the CI command: ppp lcp mpin off (or on to allow two channels)

3. How does 'Dial Prefix to Access Outside Line' in Menu 2 (European

firmware) work? This prefix will be placed in front of the outgoing call phone numbers when you make an outgoing call.

4. What supplemental phone service does P-202H Plus v2 support

The P-202H Plus v2 supports the following supplementary phone features on both of its POTS ports. Call Waiting Three Way Calling All contents copyright © 2006 ZyXEL Communications Corporation. 12P-202H Plus v2 Support Notes Call Transfer Call Forwarding Reminder Ring Terminal Portability(Suspend/Resume) Most supplementary services are not free, please check with your telephone company for the services they offer.

5. How do I do call waiting/call hold/call retrieve?

• Put your current call on hold and answer the incoming call - after hearing the call waiting tone, press and immediately release the Flash button on your telephone.

• Put your current call on hold and switch to another call - press and immediately release the Flash button on your telephone.

• Hang up your current call before answering the incoming call - hang up the phone and wait for answering the incoming call.

• Hang up the current active call and switch back to the other call - hang up and wait for the phone to ring. Then pick up the phone to return to the other call.

6. Why doesn't call waiting work as expected?

An incoming caller will receive a busy signal if:

• You have two calls active (one active and one on hold; or both active by using Three-Way Calling).

• You are dialing a number on the B channel the incoming caller is attempting to reach, but have not yet established a connection. If no action is taken to answer the call (call waiting indicator tone is ignored), the call waiting tones will disappear after about 20 seconds.

7. How do I do three way calling?

• Press the Flash key to put the existing call on hold and receive a dial tone.

• Dial the third party's phone number.

• When you are ready to conference the call together, press the Flash key again to establish a three way conference call.

8. How do I remove a party from the three-way calling?

Simply press the Flash key. The last call that was added to the conference is dropped. All contents copyright © 2006 ZyXEL Communications Corporation. 13P-202H Plus v2 Support Notes If you hang up your telephone during a three-way call and the two other callers remain on the line, the ISDN network will do an implicit transfer to directly connect the two remaining callers together.

9. How do I do call transfer?

Call Transfer allows you to transfer an active call to a third party. This service must be subscribed from your telephone company. Transferring an active call to a third party:

• Once you have an active call (Caller A), press Flash key to put Caller A on hold and receive a dial tone.

• Dial the third party's phone number (Caller B).

• When you are ready to conference the two calls together, press Flash key to a Three-Way Conference call.

• Hang up the phone. The ISDN network does an implicit transfer to directly connect Caller A with Caller B.

10. How do I blind call transfer?

• Once you have an active call (Caller A), press Flash key to put the existing call on hold and receive a dial tone.

• Dial the third party's phone number (Caller B).

• Before Caller B picks up the call, you can transfer the call by pressing the Flash key. The call is automatically transferred.

11. What is call forwarding and how do I do it?

The call forwarding means the switch will ring another number at a place where you will be when sometime dials your directory number. There are two methods to active call forwarding, either method should work fine and you can use whichever one you are most comfortable. The first is exactly the same as on an analog line, i.e., you pick up the handset and dial the access code assign by your telephone company and the number that you want the calls forwarded. Check with your telephone company for this access code. The second is with the 'phone flash' commands where you pick up the handset and press the flash key before dialing the following: Command Meaning *20*forward-number# Active CFB (Call Forwarding Busy) *21*forward-number# Active CFU (Call Forwarding All contents copyright © 2006 ZyXEL Communications Corporation. 14P-202H Plus v2 Support Notes Unconditional) *22*forward-number# Active CFNR (Call Forwarding No Reply #20# Deactive CFB #21# Deactive CFU #22# Deactive CFNR

12. How do I suspend/resume a phone call (terminal portability)?

The Terminal Portability service allows you to suspend a phone call temporarily. You can then resume this call later, at another location if you so wish. To suspend an active phone call:

• Press the flash key twice.

• Dial *3n*#, where n is any number from 1 to 9. To resume your phone call:

• Reconnect at a (n) (ISDN) telephone that is linked to the same S/T interface (Network Terminator-1, NT1) where you suspended the call.

• Pick up the handset and press the Flash key

• Dial #3n#, where n is any number from 1 to 9, but should be identical to that used above.

13. What is reminder ring?

The P-202H Plus v2 sends a single short ring to your telephone every time a call has been forwarded(US switches only).

14. Why doesn't my answering machine on POTS port stop recording?

Most answering machines stop recording when a busy tone is detected. But some may not. Some answering machine only recongnize that a calling party has hung up after a period of silence. In this case, if such an answering machine is attched to the POTS port of P-202H Plus v2 you need to configure the 'Hangup Silence Time(sec)=' in SMT menu 2.1 to determine the silence time period. By doing so, once P-202H Plus v2 receives busy tones from the switch it sends the silence tone to the answering machine on POTS meanwhile.

15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European

firmware)? CLIP or CLIR refers to CLID Presented or Restricted. The P-202H Plus v2 can set the CLIP/CLIR bit at SETUP message to request the Switch, to include the All contents copyright © 2006 ZyXEL Communications Corporation. 15P-202H Plus v2 Support Notes calling party number or not when the switch sends the SETUP message to the called party. You need subscribe to it first (see supplemental services)

16. Does P-202H Plus v2 support MP callback to dial-in users?

No, P-202H Plus v2 only supports single link PPP to dial-in users.

17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting?

Yes. For the detail of the settings please refer to the Tested SUA Applications page.

18. What are the differences between P-202H, P-202H Plus and P-202H Plus

v2? The differences between P-202H, P-202H Plus and P-202H Plus v2 are listed in the following table. Feature / Model P-202H P-202H Plus P-202H Plus v2 Ethernet Port 1 10/100M 4 10/100M 4 10/100M a/b adapter 2 - - Remote Access Server (Dial-in user suppport) Y Y Y

1. What is a network firewall?

A firewall is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of two mechanisms. One to block the traffic, and the other to permit traffic.

2. What makes P-202H Plus v2 secure?

The P-202H Plus v2 is pre-configured to automatically detect and thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The P-202H Plus v2supports Network Address Translation (NAT), which translates the private local addresses to one or multiple public addresses. This adds a level of security since the clients on the private LAN are invisible to the Internet.

3. What are the basic types of firewalls?

Conceptually, there are three types of firewalls:

3. Stateful Inspection Firewall

Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. These header information include the source, destination addresses and ports of the packets. Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of general operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by mean of a proxy. A key drawback of this device is performance. All contents copyright © 2006 ZyXEL Communications Corporation.

Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also 'inspect' the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of StatefulP-202H Plus v2 Support Notes Inspection firewalls generally provides the best speed and transparency, however, they may lack the granular application level access control or caching that some proxies support.

4. What kind of firewall is the P-202H Plus v2?

1. The P-202H Plus v2's firewall inspects packets contents and IP headers. It

is applicable to all protocols, that understands data in the packet is intended for other layers, from network layer up to the application layer.

2. The P-202H Plus v2's firewall performs stateful inspection. It takes into

account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.

3. The P-202H Plus v2's firewall uses session filtering, i.e., smart rules, that

enhance the filtering process and control the network session rather than control individual packets in a session.

4. The P-202H Plus v2's firewall is fast. It uses a hashing function to search

the matched session cache instead of going through every individual rule for a packet.

5. The P-202H Plus v2's firewall provides email service to notify you for

routine reports and when alerts occur.

5. Why do you need a firewall when your router has packet filtering and

NAT built-in? With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filter and NAT restrict access to particular computers and networks, however, for the other companies this security may be insufficient, because packets filters typically cannot maintain session state. Thus, for greater security, a firewall is considered.

6. What is Denials of Service (DoS)attack?

Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. There are four types of DoS attacks:

1. Those that exploits bugs in a TCP/IP implementation such as Ping of

2. Those that exploits weaknesses in the TCP/IP specification such as SYN

Flood and LAND Attacks. All contents copyright © 2006 ZyXEL Communications Corporation. 18P-202H Plus v2 Support Notes

3. Brute-force attacks that flood a network with useless data such as Smurf

7. What is Ping of Death attack?

Ping of Death uses a 'PING' utility to create an IP packet that exceeds the maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot.

8. What is Teardrop attack?

Teardrop attack exploits weakness in the reassemble of the IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

9. What is SYN Flood attack?

SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response, While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set a relatively long intervals) terminates the TCP three-way handshake. Once the queue is full , the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

10. What is LAND attack?

In a LAN attack, hackers flood SYN packets to the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 11 What is Brute-force attack? A Brute-force attack, such as 'Smurf' attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker flood a destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous All contents copyright © 2006 ZyXEL Communications Corporation. 19P-202H Plus v2 Support Notes hosts, this will create a large amount of ICMP echo request packet, the resulting ICMP traffic will not only clog up the 'intermediary' network, but will also congest the network of the spoofed source IP address, known as the 'victim' network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

12. What is IP Spoofing attack?

Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall.

13. What are the default ACL firewall rules in P-202H Plus v2?

There are two default ACLs pre-configured in the P-202H Plus v2, one allows all connections from LAN to WAN and the other blocks all connections from WAN to LAN except of the DHCP packets.

14. Why static/policy route be blocked by P-202H Plus v2?

P-202H Plus v2 is an ideal secure gateway for all data passing between the Internet and the LAN/DMZ. For some reasons (load balance or backup line), users may want traffic to be re-routed to another Internet access devices while still be protected by P-202H Plus v2. In such case, the network topology is the most important issue. Here is a common example that people mis-deploy the static route. All contents copyright © 2006 ZyXEL Communications Corporation. 20P-202H Plus v2 Support Notes The above figure indicates the "triangle route" topology. It works fine if you turn off firewall function on P-202H Plus v2 box. However, if you turn on firewall, your connection will be blocked by firewall because of the following reason. Step 1. Being the default gateway of PC, P-202H Plus v2 will receive all "outgoing" traffic from PC. Step 2. And because of Static route/Policy Routing, P-202H Plus v2 forwards the traffic to another gateway (ISDN/Router) which is in the same segment as P-202H Plus v2's LAN. Step 3. However the return traffic won't go back to P-202H Plus v2, in stead, the "another gateway (ISDN/Router)" will send back the traffic to PC directly. Because the gateway (say, P201) and the PC are in the same segment. When firewall is turned on, P-202H Plus v2 will check the outgoing traffic by ACL and create dynamic sessions to allow return traffic to go back. To achieve Anti- DoS, P-202H Plus v2 will send RST packets to the PC and the peer since it never receives the TCP SYN/ACK packet. Thus the connection will always be reset by P-202H Plus v2. Solutions. (A) Deploying your second gateway in IP alias segment is a better solution. In this way, your connection can be always under control of firewall. And thus there won't be Triangle Route problem. All contents copyright © 2006 ZyXEL Communications Corporation. 21P-202H Plus v2 Support Notes (B) Deploying your second gateway on WAN side. (C) To resolve this conflict, we add an option for users to allow/disallow such Triangle Route topology in both CI command and Web configurator . You can issue this command, "sys firewall ignore triangle all on" , to allow firewall bypass triangle route checking. In Web GUI, you can find this option in firewall setup page. But we would like to notify that if you allow Triangle Route, any traffic will be easily injected into the protected network through the unprotected gateway. In fact, it's a security hole in protected your network. Configuration

1. How do I configure the firewall?

P-202H Plus v2 supports a embedded web server so that you can use the web brower to configure it from any OS platform. All contents copyright © 2006 ZyXEL Communications Corporation. 22P-202H Plus v2 Support Notes

2. How do I prevent others from configuring my firewall?

There are several ways to protect others from touching the settings of your firewall.

1. Change the default password since it is required when setting up the

firewall using Telnet, Console or Web browser.

2. Limit who can Telnet to your router. You can enter the IP address of the

secured LAN host in SMT Menu 24.11 to allow Telnet to your P-202H Plus v2. The default value in this field is 0.0.0.0, which means you do not care which host is trying to Telnet your P-202H Plus v2.

3. Can I use a browser to configure my P-202H Plus v2?

Yes, you can use a web browser to configure the P-202H Plus v2.

4. Why can't I configure my router using Telnet over WAN?

There are three reasons that Telnet from WAN is blocked.

1. When the firewall is turned on, all connections from WAN to LAN are

blocked by the default ACL rule. To enable Telnet from WAN, you must turn the firewall off (Menu 21.2) or create a firewall rule to allow Telnet connection from WAN. The WAN-to-LAN ACL summary will look like as shown below. Source IP= Telnet host Destination IP= router' WAN IP Service= TCP/23 Action=Forward

2. You have disabled Telnet service in Menu 24.11.

3. Telnet service is enabled but your host IP is not the secured host entered

in Menu 24.11. In this case, the error message 'Client IP is not allowed!' is appeared on the Telnet screen.

4. The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol

5. The console port is in use.

5. Why can't I upload the firmware and configuration file using FTP over

1. When the firewall is turned on, all connections from WAN to LAN are

blocked by the default ACL rule. To enable FTP from WAN, you must turn the All contents copyright © 2006 ZyXEL Communications Corporation. 23P-202H Plus v2 Support Notes firewall off (Menu 21.2) or create a firewall rule to allow FTP connection from WAN. The WAN-to-LAN ACL summary will look like as shown below. Source IP= FTP host Destination IP= P-202H Plus v2's WAN IP Service= FTP TCP/21, TCP/20 Action=Forward

2. You have disabled FTP service in Menu 24.11.

3. The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol

6. Why can't I configure my router using Telnet over LAN?

1. You have disabled Telnet service in Menu 24.11.

2. Telnet service is enabled but your host IP is not the secured host entered

in Menu 24.11. In this case, the error message 'Client IP is not allowed!' is appeared on the Telnet screen.

3. The default filter rule 3 (Telnet_FTP_LAN) is applied in the Input Protocol

4. The console port is in use.

7. Why can't I upload the firmware and configuration file using FTP over

1. 1. You have disabled FTP service in Menu 24.11.

2. The default filter rule 3 (Telnet_FTP_LAN) is applied in the Input Protocol

field in menu 3.1. Log and alert

1. When does the P-202H Plus v2 generate the firewall log?

The P-202H Plus v2 generates the log immediately when the packet match, doesn't match (or both) a firewall rule. The log for Default Permit (LAN to WAN, WAN to LAN) is generated automatically. To generate the log for custom rules, the Log option in Web Configurator must be set to Not Match, Match, or Both. The Reason column for the default permit shown in the log will be 'default permit, <1, 00> or <2, 00>'. Here <1, 00> means the LAN-to-WAN default ACL set, <2, 00> means the WAN-to-LAN default ACL set.

2. What does the log show to us?

All contents copyright © 2006 ZyXEL Communications Corporation. 24P-202H Plus v2 Support Notes The log supports up to 128 entries. There are 2 rows and 5 columns for each entry. Please see the example shown below. # Time Packet Information Reason Action 127|Mar 15 0 |From:192.168.1.34 To:202.132.155.93 |default permit |forward | 03:03:54|ICMP type:00008 code:00000 |<1,00> | Where <X,Y> stands for <Set number, Rule number>. X=1,2 ; Y=00~10. There are two policy sets, set 1 for rules checking connections from LAN to WAN and set 2 for rules checking connections from WAN to LAN. So, X=1 means set 1 and X=2 means set 2. Y means the rule in the set. Because we can configure up to 10 rules in a set, so Y can be from 1 to 10. If the rule number shows 00, it means the Default Rule.

3. How do I view the firewall log?

The log keeps 128 entries, the new entries will overwrite the old entries when the log has over 128 entries. There are three ways to view the firewall log:

1. View the log from SMT Menu 21.3-View Firewall Log

The P-202H Plus v2 generates the alert when an attack is detected by the firewall and sends it via Email. So, to send the alert you must configure the mail server and Email address using Web Configurator. You can also specify how frequently you want to receive the alert via Web Configurator.

5. What does the alert show to us?

The alert shown in the Email is actually the evens of the attack. So, the Reason column shows Attack and the attack type. Please see the example shown below. # Time Packet Information Reason Action 127|Mar 15 0 |From:192.168.1.1 To:192.168.1.1 |attack |block | 03:04:54|ICMP type:00008 code:00000 |land | All contents copyright © 2006 ZyXEL Communications Corporation. 25P-202H Plus v2 Support Notes

6. What is the difference between the log and alert?

A log entry is just added to the log inside the P-202H Plus v2 and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attacked is detected.

A VPN gives users a secure link to access corporate network over the Internet or other public or private networks without the expense of lease lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

2. Why do I need VPN?

There are some reasons to use a VPN. The most common reasons are because of security and cost. Security 1). Authentication With authentication, VPN receiver can verify the source of packets and guarantee the data integrity. 2). Encryption With encryption, VPN guarantees the confidentiality of the original user data. Cost 1). Cut long distance phone charges Because users typically dial the their local ISP for VPN, thus, long distance phone charge is reduced than making a long direct connection to the remote office. 2).Reducing number of access lines Many companies pay monthly charges for two types access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines. All contents copyright © 2006 ZyXEL Communications Corporation. 27P-202H Plus v2 Support Notes

3. What are most common VPN protocols?

There are currently three major tunneling protocols for VPNs. They are Point-to- Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec).

PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial- Up Networking 1.2 upgrade.

Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.

IPSec is a set of IP extensions developed by IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv.4) and also the upcoming one (IPv.6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP, and ICMP. The IPSec provides cryptographic security services. These services allow for authentication, integrity, access control, and confidentiality. IPSec allows for the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution.

7. What secure protocols does IPSec support?

There are two protocols provided by IPSec, they are AH (Authentication Header, protocol number 51) and ESP (Encapsulated Security Payload, protocol number 50).

8. What are the differences between 'Transport mode' and 'Tunnel mode?

The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is All contents copyright © 2006 ZyXEL Communications Corporation. 28P-202H Plus v2 Support Notes for security gateway to provide IPSec service for other machines lacking of IPSec capability. In this case, Transport mode only protects the upper-layer protocols of IP payload (user data). Tunneling mode protects the entire IP payload including user data. There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode and tunnel mode.

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms they will use.

IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN. There are two phases in every IKE negotiation- phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.

11. What is Pre-Shared Key?

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called 'Pre-shared' because you have to share it with another party before you can communicate with them over a secure connection.

12. What are the differences between IKE and manual key VPN?

The only difference between IKE and manual key is how the encryption keys and SPIs are determined.

• For IKE VPN, the key and SPIs are negotiated from one VPN gateway to the other. Afterward, two VPN gateways use this negotiated keys and SPIs to send packets between two networks.

• For manual key VPN, the encryption key, authentication key (if needed), and SPIs are predetermined by the administrator when configuring the security association. All contents copyright © 2006 ZyXEL Communications Corporation. 29P-202H Plus v2 Support Notes IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly for the VPN connection. P-202H Plus v2 VPN

2. How many VPN connections does P-202H Plus v2 support?

One P-202H Plus v2 202H Plus supports 2 VPN connections.

3. What VPN protocols are supported by P-202H Plus v2 VPN?

All P-202H Plus v2 series support ESP (protocol number 50) and AH (protocol number 51).

4. What types of encryption does P-202H Plus v2 VPN support?

P-202H Plus v2 supports 56-bit DES and 168-bit 3DES.

5. What types of authentication does P-202H Plus v2 VPN support?

VPN vendors support a number of different authentication methods. P-202H Plus v2 VPN supports both SHA1 and MD5. AH provides authentication, integrity, and replay protection (but not confidentiality). Its main difference with ESP is that AH also secures parts of the IP header of the packet (like the source/destination addresses), but ESP does not. ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity (these two go always together). Confidentiality (encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality.

6. I am planning my P-202H Plus v2-to-P-202H Plus v2 VPN configuration.

What do I need to know? All contents copyright © 2006 ZyXEL Communications Corporation. 30P-202H Plus v2 Support Notes First of all, both P-202H Plus v2 must have VPN capabilities. Please check the firmware version, V3.50 or later has the VPN capability. If your P-202H Plus v2 is capable of VPN, you can find the VPN options in Advanced>VPN tab. For configuring a "box-to-box VPN", there are some tips:

1. If there is a NAT router running in the front of P-202H Plus v2, please

make sure the NAT router supports to pass through IPSec.

2. In NAT case (either run on the frond end router, or in P-202H Plus v2 VPN

box), only IPSec ESP tunneling mode is supported since NAT againsts AH mode.

3. Source IP/Destination IP-- Please do not number the LANs (local and

remote) using the same exact range of private IP addresses. This will make VPN destination addresses and the local LAN addresses are indistinguishable, and VPN will not work.

4. Secure Gateway IP Address -- This must be a public, routable IP

address, private IP is not allowed. That means it can not be in the 10.x.x.x subnet, the 192.168.x.x subnet, nor in the range 172.16.0.0 -

172.31.255.255 (these address ranges are reserved by internet standard

for private LAN numberings behind NAT devices). It is usually a static IP so that we can pre-configure it in P-202H Plus v2 for making VPN connections. If it is a dynamic IP given by ISP, you still can configure this IP address after the remote P-202H Plus v2 is on-line and its WAN IP is available from ISP.

7. Does P-202H Plus v2 support dynamic secure gateway IP?

If the remote VPN gateways uses dynamic IP, we enter 0.0.0.0 as the Secure Gateway IP Address in P-202H Plus v2. In this case, the VPN connection can only be initiated from dynamic side to fixed side in order to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, it is no way to establish VPN connection at all.

8. What VPN gateway that has been tested with P-202H Plus v2

successfully? We have tested P-202H Plus v2 successfully with the following third party VPN gateways.

• WatchGuard Firebox II All contents copyright © 2006 ZyXEL Communications Corporation. 31P-202H Plus v2 Support Notes

9. What VPN software that has been tested with P-202H Plus v2

successfully? We have tested P-202H Plus v2 successfully with the following third party VPN software.

• Windows 2000, IPSec 10.Will ZyXEL support Secure Remote Management? Yes, we will support it and we are working on it currently.

11. Does P-202H Plus v2 VPN support NetBIOS broadcast?

The current 3.40 firmware release does not support it. But it is in our wish list.

12. What are the difference between the 'My IP Address' and 'Secure

Gateway IP Address' in Menu 27.1.1? 'My IP Adderss' is the Internet IP address of the local P-202H Plus v2. The 'Secure Gateway IP Address' is the Internet IP address of the remote IPSec gateway.

13. Is the host behind NAT allowed to use IPSec?

All contents copyright © 2006 ZyXEL Communications Corporation.

NAT Condition Supported IPSec Protocol VPN Gateway embedded NAT AH tunnel mode, ESP tunnel mode VPN client/gateway behind ESP tunnel modeP-202H Plus v2 Support Notes NAT

NAT in Transport mode None

• The NAT router must support IPSec pass through. For example, for P-202H Plus v2 SUA/NAT routers, IPSec pass through is supported since ZyNOS 3.21. The default port and the client IP have to be specified in menu 15-SUA Server Setup.

14. Why does VPN throughput decrease when staying in SMT menu 24.1?

If P-202H Plus v2 stays in menu 24.1, 24.8 and 27.3 a certain of memory is allocated to generate the required statistics. So, we do not suggest to stay in menu 24.1, 27.3 and 24.8 when VPN is in use.

15. How do I configure P-202H Plus v2 with NAT for internal servers?

Generally, without IPSec, to configure an internal server for outside access, we need to configure the server private IP and its service port in SUA/NAT Server Table. However, if both NAT and IPSec is enabled in P-202H Plus v2, the edit of the table is necessary only if the connection is a non-secure connections. For secure connections, none SUA server settings are required since private IP is reachable in the VPN case. For example: host-----------P-202H Plus v2(NAT)-----------------Internet----Secure host

SSH Sentinel FAQ All contents copyright © 2006 ZyXEL Communications Corporation. 33P-202H Plus v2 Support Notes

1. What is SSH Sentinel VPN client?

Developed by SSH (http://www.ssh.com) Sentinel VPN client is a bundled software with P-202H Plus v2 VPN solution. It supports IPSec/VPN.

2. Why do I need to use Sentinel?

SSH Sentinel(TM) is an easy-to-use software for remote working based on the latest VPN technology. The software provides smooth integration with P-202H Plus v2 VPN which may be installed in HQ gateway.

3. Does SSH Sentinel work with the PPP over Ethernet (PPPoE) protocol,

which is used by the ADSL Network Adapter cards? Yes, the latest release SSH Sentinel 1.3, also supports PPPoE, but due to the wide range of PPPoE implementations and the fact, that we have a very limited access to PPPoE adapters in general, we are not able to fully test this functionality. As a consequence, it is hard to say with exactly which PPPoE drivers SSH Sentinel 1.3 is fully compatible.

4. How to configure Pre-IPSec filter?

In pre-ipsec configuration, never, remove the pre-IPSec filter rule that bypasses IKE traffic. If you do, all your attempts to establish any IPSec connection are bound to fail, because the negotiations never take place. Only when you would like to have some TCP/UDP packets bypass IPSec, must you specify the traffic as bypass in pre-ipsec filter. Otherwise, just not setup any bypass/discard/reject on the traffic you would like to be protected by IPSec.

5. What is "Acquire virtual IP address" for? Should I check this box?

With this feature, Sentinel can obtain a virtual IP address assigned from VPN gateway. However, if connecting with P-202H Plus v2, please not check this box. P-202H Plus v2 doesn’t support this feature in current firmware.

6. What is "Extended Authentication"? Should I check this box?

With this feature, VPN connection from Sentinel can be authenticated to authentication server, such as, RADIUS, TACAS, …etc. behind remote VPN gateway. However, if connecting with P-202H Plus v2, please not check this box. P-202H Plus v2 doesn’t support this feature in current firmware. It will support in the near future. All contents copyright © 2006 ZyXEL Communications Corporation. 34P-202H Plus v2 Support Notes

7. Does Sentinel support IP range?

No, only subnet/single is supported. So when connecting with P-202H Plus v2, please not use range as address type.

8. Does Sentinel support 2 VPN connections at the same time?

No, Sentinel doesn’t support it. Only one VPN connection can be activated at the same time.

9. What is this option, “Attach the selected values to proposal only” for?

To increase compatibility, Sentinel sends many kinds of possible proposal for it’s peer side, say P-202H Plus v2 to choose. If you uncheck this option, Sentinel will only send out the proposal you configured. To decrease negotiation time, you can uncheck this option, and verify phase1/phase2 parameters are consistent on both sides.

10. How to initiate a VPN tunnel from Sentinel?

Right click SSH icon in system tray, click the VPN connection you have setup in Select VPN. Packets triggering doesn't work in this case.

11. Can P-202H Plus v2 be the initiator of VPN tunnel to Sentinel?

No. Sentinel is supposed to be a VPN solution for remote access. Please always initiate your VPN tunnel from Sentinel but not from P-202H Plus v2.

12. How can I verify if the VPN connection is up in Sentinel?

You can check if your VPN connection is up by double clicking SSH icon in system tray. If the connection is up, you should see your VPN network in the popped out window.

13. I am using EnterNet 300, a PPPoE dial up software. Any concern?

If using EnterNet PPP over Ethernet client, the network access type must be set from the client’s advanced connection settings to protocol driver. Open Enternet 300 Profiles window -> Connections -> Settings -> Advanced -> In Network Access section choose Protocol Driver. Application Notes All contents copyright © 2006 ZyXEL Communications Corporation. 35P-202H Plus v2 Support Notes General Application Notes

A typical Internet access application of the P-202H Plus v2 is shown below. For a small office, there are some components you need to check before accessing the Internet.

• Before you begin The P-202H Plus v2 is shipped with the following factory default:

1. IP address = 192.168.1.1, subnet mask = 255.255.255.0 (24 bits)

2. DHCP server enabled with IP pool starting from 192.168.1.33

3. Default SMT menu password = 1234

• Setting up the Win95/98 Workstation

1. Ethernet connection

All PCs must have an Ethernet adapter card installed.

• If you only have one PC, connect the PC's Ethernet adapter to the P-202H Plus v2's LAN port with a crossover (red one) Ethernet cable.

• If you have more than one PC, both the PC's Ethernet adapters and the P- 202H Plus v2's LAN port must be connected to an external hub with straight Ethernet cable.

2. TCP/IP Installation

You must first install TCP/IP software on each PC before you can use it for Internet access. If you have already installed TCP/IP, go to the next section to configure it; otherwise, follow these steps to install:

• In the Select Network Protocol windows, select Microsoft from the manufacturers, then select TCP/IP from the Network Protocols and click OK.

3. TCP/IP Configuration

Follow these steps to configure Windows TCP/IP: All contents copyright © 2006 ZyXEL Communications Corporation. 36P-202H Plus v2 Support Notes

• In the Control Panel/Network window, click the TCP/IP entry to select it and click Properties button.

• In the TCP/IP Properties window, select Obtain an IP address automatically. Note: Do not assign arbitrary IP address and subnet mask to your PCs, otherwise, you will not be able to access the Internet.

• Click the WINS configuration tab and select Disable WINS Resolution.

• Click the Gateway tab. Highlight any installed gateways and click the Remove button until there are none listed.

• Click the DNS Configuration tab and select Disable DNS.

• Click OK to save and close the TCP/IP properties window

• Click OK to close the Network window. You will be prompted to insert your Windows CD or disk. When the drivers are updated, you will be asked if you want to restart the PC. Make sure your P-202H Plus v2 is powered on before answering Yes to the prompt. Repeat the above steps for each Windows PC on your network.

• Setting up the P-202H Plus v2 router The following procedure is for the most typical usage of the P-202H Plus v2 where you have a single-user account (SUA). The PNC (P-202H Plus v2 Network Commander) is a Windows-based tool that helps you to easily configure your P-202H Plus v2 for Internet access. It is included in the P-202H Plus v2 package. Please install the PNC first before configuring your P-202H Plus v2. All contents copyright © 2006 ZyXEL Communications Corporation. 37P-202H Plus v2 Support Notes Example:

• Pri Phone#= is the phone number your P-202H Plus v2 has to dial in order to access your ISP.

• My Login and My Password are the login information provided by ISP.

• Since you have a single user Internet account, Single User Account should be set to 'Yes'.

• For the Local IP Address field, since the IP address will be dynamically assigned, you can either enter '0.0.0.0' or you can leave this field blank After saving this menu, you will be asked if you want to perform an Internet connection test. Select 'Yes' to perform the test. If the test fails, please check again the above settings or refer to the User's Manual Troubleshooting section for correction action. When you have configured and saved Menu 4, you should see that you have created a remote node in Menu 11. You can perform more advanced configuration options to this remote node in this menu.

• Introduction PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. In order to run the Windows9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server. Windows Dial-Up Networking uses the Internet standard Point-to-Point (PPP) to provide a secure,optimized multiple-protocol network connection over dial-up telephone lines. All data sent over this connection can be encrypted and compressed, and multiple network level protocols (TCP/IP, NetBEUI and IPX) can be run correctly. Windows NT Domain Login level security is preserved even across the Internet. Window95 PPTP Client / Internet / NT RAS Server Protocol Stack All contents copyright © 2006 ZyXEL Communications Corporation.

PPTP appears as new modem type (Virtual Private Networking Adapter) that can be selected when setting up a connection in the Dial-Up Networking folder. The VPN Adapter type does not appear elsewhere in the system. Since PPTP encapsulates its data stream in the PPP protocol, the VPN requires a second dial-up adapter. This second dial-up adapter for VPN is added during the installation phase of the Upgrade in addition to the first dial-up adapter that provides PPP support for the analog or ISDN modem.P-202H Plus v2 Support Notes The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade.

• Configuration This application note explains how to establish a PPTP connection with a remote private network in the P-202H Plus v2 SUA case. In ZyNOS, all PPTP packets can be forwarded to the internal PPTP Server (WinNT server) behind SUA. The port number of the PPTP has to be entered in the SMT Menu 15 for P-202H Plus v2 to forward to the appropriate private IP address of Windows NT server.

• Example The following example shows how to dial to an ISP via the P-202H Plus v2 and then establish a tunnel to a private network. There will be three items that you need to set up for PPTP application, these are PPTP server (WinNT), PPTP client (Win9x) and the P-202H Plus v2. o PPTP server setup (WinNT) Add the VPN service from Control Panel>Network Add an user account for PPTP logged on user Enable RAS port Select the network protocols from RAS such as IPX, TCP/IP NetBEUI Set the Internet gateway to P-202H Plus v2 o PPTP client setup (Win9x) Add one VPN connection from Dial-Up Networking by entering the correct username & password and the IP address of the P-202H Plus v2's Internet IP address for logging to NT RAS server. All contents copyright © 2006 ZyXEL Communications Corporation. 40P-202H Plus v2 Support Notes Set the Internet gateway to the router that is connecting to ISP o P-202H Plus v2 router setup

• Before making a VPN connection from Win9x to WinNT server, you need to connect P-202H Plus v2 router to your ISP first.

• Enter the IP address of the PPTP server (WinNT server) and the port number for PPTP as shown below. When you have finished the above settings, you can ping to the remote Win9x client from WinNT. This ping command is used to demonstrate that remote the Win9x can be reached across the Internet. If the Internet connection between two LANs is achive, you can place a VPN call from the remote Win9x client. For example: C:\ping 203.66.113.2 When a dial-up connection to ISP is established, a default gateway is assigned to the router traffic through that connection. Therefore, the output below shows the default gateway of the Win95 client after the dial- up connection has been established. Before making a VPN connection from the Win9x client to the NT server, you need to know the exact Internet IP address that the ISP assigns to P- All contents copyright © 2006 ZyXEL Communications Corporation. 41P-202H Plus v2 Support Notes 202H Plus v2 router in SUA mode and enter this IP address in the VPN dial-up dialog box. You can check this Internet IP address from PNC Monitor or SMT Menu 24.1. If the Internet IP address is a fixed IP address provided by ISP in SUA mode, then you can always use this IP address for reaching the VPN server. In the following example, the IP address '140.113.1.225' is dynamically assigned by ISP. You must enter this IP address in the 'VPN Server' dialog box for reaching the PPTP server. After the VPN link is established, you can start the network protocol application such as IP, IPX and NetBEUI. Configure an Internal Server Behind SUA

All contents copyright © 2006 ZyXEL Communications Corporation.

• IntroductionP-202H Plus v2 Support Notes If you wish, you can make internal servers (e.g., Web, ftp or mail server) accessible for outside users, even though SUA makes your LAN appear as a single machine to the outside world. A service is identified by the port number. Also, since you need to specify the IP address of a server in the P-202H Plus v2, a server must have a fixed IP address and not be a DHCP client whose IP address potentially changes each time it is powered on. In addition to the servers for specific services, SUA supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default server is not defined, the service request is simply discarded.

• Configuration To make a server visible to the outside world, specify the port number of the service and the inside address of the server in 'Menu 15', Multiple Server Configuration. The outside users can access the local server using the P-202H Plus v2's WAN IP address which can be obtained from menu 24.1.

• For example (Configuring an internal Web server for outside access) :

• Port numbers for some services All contents copyright © 2006 ZyXEL Communications Corporation.

• Introduction Generally, SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. However, some applications such as Cu-SeeMe, and ICQ will need to connect to the local user behind the P-202H Plus v2. In such case, a SUA server must be entered in menu 15 to forward the incoming packets to the true destination behind SUA. Generally, we do not need extra settings of menu 15 for an outgoing connection. But for some applications we need to configure the menu 15 to make the outgoing connection work. After the required menu 15 settings are completed the internal server or client applications can be accessed by using the P-202H Plus v2's WAN IP address.

All contents copyright © 2006 ZyXEL Communications Corporation. 44P-202H Plus v2 Support Notes Required Settings in Menu 15 Port/IP Application Outgoing Connection Incoming Connection HTTP None 80/client IP FTP None 21/client IP TELNET None 23/client IP (and remove Telnet filter in WAN port) POP3 None 110/clinet IP SMTP None 25/client IP mIRC None for Chat. For DCC, please set Default/Client IP

Windows PPTP None 1723/client IP ICQ 99a None for Chat. For DCC, please set: ICQ -> preference -> connections -> firewall and set the firewall time out to 80 seconds in firewall setting. Default/client IP Cornell 1.1 Cu-SeeMe None 7648/client IP White Pine 3.1.2 Cu-SeeMe 7648/client IP & 24032/client IP Default/client IP White Pine 4.0 Cu-SeeMe 7648/client IP & 24032/client IP Default/client IP Microsoft NetMeeting 2.1 &

None Default/client IP QuakeII2.30

None Default/client IP QuakeIII1.05 beta None . StartCraft. 6112/client IP . Quick Time 4.0 None . All contents copyright © 2006 ZyXEL Communications Corporation. 45P-202H Plus v2 Support Notes pcAnywhere 8.0 None 5631/client IP 5632/client IP 22/client IP

Since SUA enables your LAN to appear as a single computer to the Internet, it is not possible to configure similar servers on the same LAN behind SUA.

Because White Pine Cu-SeeMe uses dedicate ports (port 7648 & port 24032) to transmit and receive data, therefore only one local Cu-SeeMe is allowed within the same LAN.

With SUA enabled, NetMeeting users within the same LAN will not be able to connect to the remote NetMeeting user, and as remote users are not able to distinguish between local users with the same internet IP and SUA allows one local NetMeeting user to connect to multiple Internet users at the same time.

Certain Quake servers do not allow multiple users to login using the same unique IP, so only one Quake user will be allowed in this case. Moreover, when a Quake server is configured behind SUA, P-202H Plus v2 will not be able to provide information of that server on the internet.

Quake II has the same limitations as that of Quake I. Notes

1. If a SMTP (port 25) server is configured in menu 15 the POP3 ( port 110)

packets will also be forwarded to the same SMTP server by the P-202H Plus v2 automatically. There is no need to configure additional POP3 server in menu 15. Two ports (25 & 110) must be configured in menu 15 to support both SMTP and POP3 services.

2. NetMeeting, RealPlayer, IP/TV and Quick Time are supported.

Configurations For example, if the workstation operating Cu-SeeMe has an IP of 192.168.1.34, then the default SUA server must be set to 192.168.1.34. The peer Cu-SeeMe user can reach this workstation by using P-202H Plus v2's WAN IP address which can be obtained from menu 24.1. All contents copyright © 2006 ZyXEL Communications Corporation. 46P-202H Plus v2 Support Notes

• Introduction This configuration note explains how to set up two P-202H Plus v2 routers for a LAN-to-LAN connection. Once the connection is established, the workstations on both LANs will be able to perform any TCP/IP applications (e.g., FTP, Telnet, etc.). There will be three items that you need to set up. These are workstation and the two P-202H Plus v2 routers.

• Setting up the workstation on both LANs All contents copyright © 2006 ZyXEL Communications Corporation.

To set up the workstations, you will need to set the following parameters:P-202H Plus v2 Support Notes o IP Address-the IP address assigned to the workstation itself o Subnet Mask-the subnet mask used for your network. Class C networks generally use a 24-bit netmask DNS (Domain Name Server) Address-enter the IP address of the DNS server o Default Gateway-the IP address of the P-202H Plus v2, the default gateway for LAN1 is P-202H Plus v2 1 and for LAN2 is P-202H Plus v2 2. The procedure for configuring these parameters for the workstations may differ depending on the type of TCP/IP networking software you are using on your workstations. If you are unfamiliar with how to set these parameters, you can refer to the technical notes corresponding to your software. For Windows 9x, please go to 'Win9x>Control Panel>Network>TCP/IP-Network Adapter' for finishing the above settings.

• Setting up the P-202H Plus v2 1 & P-202H Plus v2 2 Before configuring the two remote nodes for this application, you need to complete the following settings first in each P-202H Plus v2. o General Setup in SMT Menu 1-enter the system information. o ISDN Setup in SMT Menu 2- configure the ISDN parameters. o Ethernet Setup in SMT Menu 3-enter the IP address of the P-202H Plus v2 and enable the DHCP server if it is required. o Remote Node Setup in SMT Menu 11

Menu 11.1 - Remote Node Profile Rem Node Name= LAN2 Edit PPP Options= No Active= Yes Rem IP Addr= 203.66.113.1 Call Direction= Outgoing Edit IP= No Incoming: Telco Option: Rem Login= Transfer Type= 64K Rem Password= Allocated Budget(min)= Rem CLID= N/A Period(hr)= Call Back= N/A Schedules= Outgoing: Carrier Access Code= My Login= test Nailed-Up Connection= No My Password= ******** Toll Period(sec)= 0 Authen= CHAP/PAP Session Options: Pri Phone #= 5007025 Edit Filter Sets= No Sec Phone #= Idle Timeout(sec)= 100 Press ENTER to Confirm or ESC to Cancel: Key Settings: o Select the 'Active' field to 'Yes' o Select the 'Call Direction' to 'Outgoing' o Enter the correct node account in 'My Login' and 'My Password' fields o Enter the phone number of the remote router in the 'Pri Phone #' field o Enter the IP address of the remote router in 'Rem IP Addr' field o Enter the idle timer in the 'Idle Timeout' field for dropping the call if there is no data traffic between the two remote nodes

All contents copyright © 2006 ZyXEL Communications Corporation. 50P-202H Plus v2 Support Notes Key Settings: o Select the 'Active' field to 'Yes' o Select the 'Call Direction' to 'Incoming' o Enter the correct node account for the dial-in router in 'Rem Login' and 'Rem Password' fields o Enter the IP address of the remote router in 'Rem IP Addr' field. After you have finished the above settings, you are ready to make a test for this connection from Menu 24.4.5- 'Manual Call' by entering the node number.

Enter Menu Selection Number: Manual Call Remote Node= N/A Host IP Address= N/A Configuring for Cisco Mutual Authentication

• Introduction All contents copyright © 2006 ZyXEL Communications Corporation.

This configuration note explains what other settings you need to pay attention to when configuring the P-202H Plus v2 talk to a Cisco router. Due to Cisco's authentication scheme, you need to configure some additional fields in P-202H Plus v2 when talking to a Cisco device. There are two things you must pay attention to. The first is Cisco's mutual authentication scheme, and the second is their interpretation of CHAP.P-202H Plus v2 Support Notes

• If the Cisco router requests PAP, you have to configure more settings in Menu 13 as follows. Menu 13 - Default Dial-in Setup Telco Options: IP Address Supplied By: CLID Authen= None Dial-in User= Yes IP Pool= No PPP Options: IP Start Addr= N/A Recv Authen= CHAP/PAP IP Count(1,4)= N/A Compression= Yes Mutual Authen= Yes Session Options: O/G Username= test Edit Filter Sets= No O/G Password= ******** Multiple Link Options: Max Trans Rate(Kbps)= 128 Callback Budget Management: Allocated Budget(min)= 0 Period(hr)= 0 Press ENTER to Confirm or ESC to Cancel: Key Settings: o Set 'Mutual Authen' to 'Yes' o Set 'PAP Login' to the appropriate login name o Set 'PAP Password' to the appropriate login password

[Note]! The Cisco device must be configured as a remote node but NOT as a remote user in this case

4. Dial-in User Setup

Using an ISDN TA and Win9x Dial-Up Networking you can dial into P-202H Plus v2 router with callback and without callback

• Introduction This configuration note explains how to set up a workstation using an ISDN TA to connect to the P-202H Plus v2 router. In this configuration, the workstation must have TCP/IP dial-up program installed such as Windows Dial-up Networking to make the call. Once the connection is established, the workstation will be able to All contents copyright © 2006 ZyXEL Communications Corporation. 53P-202H Plus v2 Support Notes perform any TCP/IP applications (e.g., FTP, Telnet, etc.). There will be two items that you need to set up for this connection. They are the workstation and the P- 202H Plus v2 router.

• Setting up the Win9x Dial-Up Networking(DUN) To set up the DUN for this connection, you will need to set the following parameters: o Phone number- the phone number of the P-202H Plus v2 router o Internet account-Username and Password o IP Address-the IP address in this case will be dynamically assigned by the P-202H Plus v2. Generally, you should simply enter 0.0.0.0 into the IP address field. o DNS (Domain Name Server) Address- the IP address of the DNS server on the remote LAN. o Default Gateway-the IP address of the P-202H Plus v2. Please find the last three settings in Win9x>Dial-Up Networking>Properties>Server Types>TCP/IP Settings.

• Setting up the P-202H Plus v2 Before configuring the P-202H Plus v2 for this application, you need to first complete the following settings. o General Setup in SMT menu 1-enter the system information. o ISDN Setup in SMT menu 2-Configure the ISDN number o Ethernet Setup in SMT menu 3-enter the IP address of the P-202H Plus v2 and enable the DHCP server if it is required. To setup the P-202H Plus v2 for this application, make sure you have the following menus configured correctly. All contents copyright © 2006 ZyXEL Communications Corporation. 54P-202H Plus v2 Support Notes o Default Dial-in Setup in SMT menu 13 o Edit Dial-in User in SMT menu 14

Menu 13 - Default Dial-in Setup Telco Options: IP Address Supplied By: CLID Authen= None Dial-in User= No IP Pool= Yes PPP Options: IP Start Addr= 192.68.135.10 Recv Authen= CHAP/PAP IP Count(1,4)= 4 Compression= Yes Mutual Authen= NO Session Options: O/G Username= N/A Edit Filter Sets= No O/G Password= N/A Multiple Link Options: Max Trans Rate(Kbps)= 128 Callback Budget Management: All contents copyright © 2006 ZyXEL Communications Corporation. 55P-202H Plus v2 Support Notes Allocated Budget(min)= 0 Period(hr)= 0 Press ENTER to Confirm or ESC to Cancel:

• The Recv Authen field should be set to the type of authentication protocol you want to use.

• Since the workstation needs to have its IP address assigned, set the IP Address Supplied By: Dial-in User field to 'No'.

• Make sure that IP Pool is set to 'Yes'.

• In IP Start Addr, enter the IP address that you want to assign to the workstation when it dials in. In our example, this would be '192.68.135.10'.

• All the common properties in Menu 13 will be applied to all dial-in users. Note: If the remote user uses the Win9x to dial in, the Recv Authen must be set to PAP because Windows 9x will not respond to any periodic CHAP challenge sent by the P-202H Plus v2 and will cause the P-202H Plus v2 to drop the call.

3. Edit Dial-in User Setup in SMT menu 14.1

• Dial-in user without callback Menu 14.1 - Edit Dial-in User User Name= abc Active= Yes Passwd= ********* Callback= No Phone # Supplied by Caller= N/A Callback Phone #= N/A Rem CLID= Idle Timeout= 100 All contents copyright © 2006 ZyXEL Communications Corporation. 56P-202H Plus v2 Support Notes

• The User Name and Password fields should be set to the login username and password that the workstation will provide when dialing in to the P- 202H Plus v2. Set the Active field to 'Yes'.

• Dial-in user with callback Menu 14.1 - Edit Dial-in User User Name= abc Active= Yes Passwd= ********* Callback= Mandatory Phone # Supplied by Caller= Yes Callback Phone #= N/A Rem CLID= Idle Timeout= 100

• There are two options for the callback, Mandatory and Optional. If the Mandatory is configured, the P-202H Plus v2 router has to callback anyway. If the Optional is configured, the dial-in user will have the chance to cancel the callback.

• The number for calling back to the dial-in user can be specified by the user during the connection or pre-configured in the Callback Phone # field of the P-202H Plus v2.

How does ZyXEL filter work? Conceptually, there are two categories of filter rules: device and protocol. The Generic filter rules belong to the device category; they act on the raw data from/to LAN and WAN. The IP and IPX filter rules belong to the protocol category; they act on the IP and IPX packets. In order to allow users to specify the local network IP address and port number in the filter rules with SUA connections, the TCP/IP filter function has to be executed before SUA for WAN outgoing packets and after the SUA for WAN incoming IP packets. But at the same time, the Generic filter rules must be applied at the point when the P-202H Plus v2 is receiving and sending the packets; i.e. the ISDN interface. So, the execution sequence has to be changed. The logic flow of the filter is shown in Figure 1 and the sequence of the logic flow for the packet from LAN to WAN is: All contents copyright © 2006 ZyXEL Communications Corporation. 57P-202H Plus v2 Support Notes

1. LAN device and protocol input filter sets.

2. WAN protocol call and output filter sets.

3. If SUA is enabled, SUA converts the source IP address from 192.168.1.33

to 203.205.115.6 and port number from 1023 to 4034.

4. WAN device output and call filter sets.

The sequence of the logic flow for the packet from WAN to LAN is:

5. WAN device input filter sets.

6. If SUA is enabled, SUA converts the destination IP address from

203.205.115.6 to 92.168.1.33 and port number from 4034 to 1023.

7. WAN protocol input filter sets.

8. LAN device and protocol output filter sets.

Generic and TCP/IP (and IPX) filter rules are in different filter sets. The SMT will detect and prevent the mixing of different category rules within any filter set in Menu 21. In the following example, you will receive an error message 'Protocol and device filter rules cannot be active together' if you try to activate a TCP/IP (or IPX) filter rule in a filter set that has already had one or more active Generic filter rules. You will receive the same error if you try to activate a Generic filter rule in a filter set that has already had one or more active TCP/IP (or IPX) filter rules. Menu 21.1.1: Menu 21.1.1 - Generic Filter Rule All contents copyright © 2006 ZyXEL Communications Corporation. 58P-202H Plus v2 Support Notes Filter #: 1,1 Filter Type= Generic Filter Rule Active= Yes Offset= 0 Length= 0 Mask= N/A Value= N/A More= No Log= None Action Matched= Check Next Rule Action Not Matched= Check Next Rule Menu 21.1.2: Menu 21.1.2 - TCP/IP Filter Rule Filter #: 1,2 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None TCP Estab= N/A More= No Log= None Action Matched= Check Next Rule Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Saving to ROM. Please wait... Protocol and device rule cannot be active together To separate the device and protocol filter categories; two new menus, Menu 11.5 and Menu 13.1, have been added, as well as some changes made to the Menu 3.1, Menu 11.1, and Menu 13. The new fields are shown below. All contents copyright © 2006 ZyXEL Communications Corporation. 59P-202H Plus v2 Support Notes Menu 3.1: Menu 3.1 - General Ethernet Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Menu 11.1: Menu 11.1 - Remote Node Profile Rem Node Name= abc Edit PPP Options= No Active= Yes Rem IP Addr= 0.0.0.0 Call Direction= Outgoing Edit IP= No Incoming: Telco Option: Rem Login= N/A Transfer Type= 64K Rem Password= N/A Allocated Budget(min)= Rem CLID= N/A Period(hr)= Call Back= N/A Schedules= Outgoing: Carrier Access Code= My Login= wxyz Nailed-Up Connection= No My Password= ******** Toll Period(sec)= 0 Authen= CHAP/PAP Session Options: Pri Phone #= 140812345678 Edit Filter Sets= Yes Sec Phone #= 140822345678 Idle Timeout(sec)= 100 Press ENTER to Confirm or ESC to Cancel: Menu 11.5: All contents copyright © 2006 ZyXEL Communications Corporation. 60P-202H Plus v2 Support Notes Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Menu 13: Menu 13 - Default Dial-in Setup Telco Options: IP Address Supplied By: CLID Authen= None Dial-in User= Yes IP Pool= Yes PPP Options: IP Start Addr= 123.234.111.163 Recv Authen= CHAP/PAP IP Count(1,4)= 4 Compression= Yes Mutual Authen= No Session Options: O/G Username= N/A Edit Filter Sets= Yes O/G Password= N/A Multiple Link Options: Max Trans Rate(Kbps)= 128 Callback Budget Management: Allocated Budget(min)= 0 Period(hr)= 0 Press ENTER to Confirm or ESC to Cancel: Menu 13.1: All contents copyright © 2006 ZyXEL Communications Corporation. 61P-202H Plus v2 Support Notes Menu 13.1 - Default Dial-in Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= SMT will also prevent you from entering a protocol filter set configured in Menu 21 to the device filters field in Menu 3.1, 11.5, or 13.1, or entering a device filter set to the protocol filters field. Even though SMT will prevent the inconsistency from being entered in ZyNOS, it is unable to resolve the intermixing problems existing in the filter sets that were configured before. Instead, when ZyNOS translates the old configuration into the new format, it will verify the filter rules and log the inconsistencies. Please check the system log (Menu 24.3.1) before putting your device into use. Running the P-202H Plus v2 with wrong filter rules may cause it to keep the ISDN line perpetually active, and/or allow undesired traffic to pass to the outside world, and receive unwanted outside traffic. The first case may incur an enormous ISDN bill; the second may lead to a data security hazard. In order to avoid operational problems later, the P-202H Plus v2 will disable its routing/bridging functions if there is an inconsistency among its filter rules. How do I know what packet is triggering the call? If the user already knows the protocol type, the source port and the IP address of the packet that is triggering the call, he can design the filter rule based on these information. Otherwise, he can take a look at the SMT Menu 24.1 to see what is the exact packet that triggers the outgoing call. The 'LAN Packet Which Triggered Last Call' status in Menu 24.1 will show you the packet which triggers the call. A display of the header of the packets is shown next. LAN Packet which Triggered Last Call: (Type: IP) 45 00 00 2E CA 0E 40 00 1F 06 D7 09 CC F7 CB B4 CC D9 00 02 04 1C 00 15 00 33 2D 5E 55 80 B5 C0 50 18 1F 9B E7 D4 00 00 50 41 53 56 0D 0A All contents copyright © 2006 ZyXEL Communications Corporation. 62P-202H Plus v2 Support Notes We list the header of the IP, UDP and TCP in order to make you know more about the format of the IP packet and IPX packet in Menu 24.1 for easy configuration of a filter rule. IP Header

4-bit version 4-bit length 8-bit type of service (TOS) 16-bit total length (in bytes) 16-bit identification 3-bit flag 13-bit fragment offset 8-bit time to live(TTL) 8-bit protocol 16-bit header checksum 32-bit source IP address 32-bit destination IP address Option (if any) Data UDP Header

16-bit source port number 16-bit destination port number 32-bit sequence number 32-bit acknowledgment number 4-bit header length Reserved (6 bits)

16-bit window size 16-bit TCP checksum 16-bit urgent pointer Option (if any) All contents copyright © 2006 ZyXEL Communications Corporation. 63P-202H Plus v2 Support Notes Data (if any) Based on the above headers, we can then interpret the LAN Packet Which Triggered Last Call as following: LAN Packet which Triggered Last Call : (Type: IP) 45 00 00 2E CA 0E 40 00 1F 06 D7 09 CC F7 CB B4 CC D9 00 02 04 1C 00 15 06 = TCP Protocol CC F7 CB B4= 204.247.203.180 = Source IP CC D9 00 02= 204.217.0.2 = Destination IP 04 1C=1052(dec)= Source port number 00 15= 21(dec)=Destination port number = FTP port IPX header in Menu 24.1: LAN Packet Which Triggered Last Call: (Type: IPX) 00 28 01 01 00 00 00 00 FF FF FF FF FF FF 04 53 00 00 00 00 00 00 00 00 00 0004 53 00 01 FF FF FF FF FF 00 00 00 00 01 IPX packet type 00 00 00 00 Destination network number FF FF FF FF FF FF Destination node number 04 53 Destination socket number 00 00 00 00 Source network number 00 00 00 00 00 00 Source node number 04 53 Source socket number IPX packet type: 01=RIP 02=echo 03=error 04=SAP 05=SPX 11=NCP 14=NetBIOS Socket number: All contents copyright © 2006 ZyXEL Communications Corporation.

• Introduction The P-202H Plus v2 supports the firmware and configuration files upload using FTP connections via LAN and WAN. So, it is possible that anyone can make a FTP connection over the Internet to your P-202H Plus v2. To prevent outside users from connecting to your P-202H Plus v2 via FTP, you can configure a filter to block FTP connections from WAN.

• Before you begin Before configuring a filter, you need to know the following information:

1. The inbound packet type (protocol & port number): In this case, it is

TCP(06) protocol with port 20 or 21.

2. The source IP address: In this case, we block all connections from

outside so the source IP is 0.0.0.0.

3. The destination IP address: It is the P-202H Plus v2's IP address, but it

is not available in SUA case since most WAN IP address is dynamically assigned by the ISP. So, we can only enter 0.0.0.0 as the destination IP in the filter rule. Once 0.0.0.0 is set as the destination IP, no FTP connections are allowed to reach the P-202H Plus v2 nor the FTP server on the LAN. For the LAN-to-LAN connection, you enter the P-202H Plus v2's LAN IP as the destination IP in the filter rule. After the FTP filter is applied to the remote node, it only blocks the FTP connection to the P- 202H Plus v2 but still permits the FTP connection to the local FTP server.

• Configuration o Create a filter set in Menu 21, e.g., set 3 o Create two filter rules in Menu 21.3.1 and Menu 21.3.2 Rule 1- block the inbound FTP packet, TCP (06) protocol with port number 20 Rule 2- block the inbound FTP packet, TCP (06) protocol with port number 21 o Apply the filter set in remote node, Menu 11

• Create a filter set in Menu 21

• Rule 2- block the inbound FTP packet, TCP (06) protocol with port number

• When two rules are completed, you can see the rule summary in Menu

• Put the filter set number '3' to the 'Input Protocol Filter Set' in menu

11.5 for activating the FTP_WAN filter.

Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= 3 device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters=

All contents copyright © 2006 ZyXEL Communications Corporation. 68P-202H Plus v2 Support Notes A filter for blocking the web connections from LAN

• Introduction If you want to avoid the outbound Web request to trigger a call to the remote web server, you can configure a call filter set in P-202H Plus v2 to block this packet. After the call filter is applied, the Web packet will not triggered the call to your ISP or remote node. However, when the call is trigger by the other packets and the Internet connection is established, the workstations then are able to access the Web page.

• Configuration Before configuring a filter, you need to know the following information:

1. The outbound packet type (protocol & port number)

2. The source IP address

Generally, the outbound packets for Web service could be as following: a. HTTP packet, TCP (06) protocol with port number 80 b. DNS packet, TCP (06) protocol with port number 53 or c. DNS packet, UDP (17) protocol with port number 53 For all workstation on the LAN, the source IP address will be 0.0.0.0. Otherwise, you have to enter an IP Address for the workstation you want to block. See the procedure for configuring this filter below. o Create a filter set in Menu 21, e.g., set 1 o Create three filter rules in Menu 21.1.1, Menu 21.1.2, Menu 21.1.3 Rule 1- block the HTTP packet, TCP (06) protocol with port number 80 Rule 2- block the DNS packet, TCP (06) protocol with port number 53 Rule 3- block the DNS packet, UDP (17) protocol with port number 53 o Apply the filter set in remote node, Menu 11

• Create a filter set in Menu 21 Menu 21 - Filter Set Configuration Filter Filter Set # Comments Set # Comments All contents copyright © 2006 ZyXEL Communications Corporation. 69P-202H Plus v2 Support Notes

Enter Filter Set Number to Configure= 1 Edit Comments= Press ENTER to Confirm or ESC to Cancel:

All contents copyright © 2006 ZyXEL Communications Corporation. 70P-202H Plus v2 Support Notes

• After the three rules are completed, you will see the rule summary in Menu

• Then put the filter set number '1' in the 'Call Filter Set' field of SMT menu

11.5 for taking active.

All contents copyright © 2006 ZyXEL Communications Corporation.

Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= 1 device filters= A filter for blocking a specific client

• Introduction If you want to forbid a specific local client from triggering a call to ISP, you can configure a call filter set in P-202H Plus v2 to block the packets from this client. After the call filter is applied, the packet that is sent from this client would not trigger the call to your ISP or remote node. As long as the call is triggered by the other clients and the Internet connection is established, this workstation will be able to access the Internet or remote node.

1. Create a filter set in Menu 21, e.g., set 1

All contents copyright © 2006 ZyXEL Communications Corporation.

Enter Filter Set Number to Configure= 0 Edit Comments= Press ENTER to Confirm or ESC to Cancel:

2. One rule one for blocking all packets from this client

Menu 21.1.1 - TCP/IP Filter Rule Filter #: 1,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= Port # Comp= None Source: IP Addr= 192.168.1.5 IP Mask= 255.255.255.255 Port #= Port # Comp= None TCP Estab= N/A More= No Log= None Action Matched= Drop Action Not Matched= Forward Press ENTER to Confirm or ESC to Cancel: Key Settings:

• Source IP addr................Enter the client IP in this field All contents copyright © 2006 ZyXEL Communications Corporation. 74P-202H Plus v2 Support Notes

• IP Mask..........................here the IP mask is used to mask the bits of the IP address given in the 'Source IP Addr=' field, for one workstation it is

• Action Matched................Set to 'Drop' to drop all the packets from this client

• Action Not Matched.........Set to 'Forward' to allow the packets from other clients

3. Apply the filter set number '1' in the 'Call Filter Set' field of SMT menu 11.5 for

Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= All contents copyright © 2006 ZyXEL Communications Corporation. 75P-202H Plus v2 Support Notes device filters= Call Filter Sets: protocol filters= 1 device filters=

4. If you want to prevent this client accessing the Internet or remote node, you

can apply this filter set to SMT Menu 3.1, the 'protocol filter' in the Input Filter Sets Menu 3.1 - General Ethernet Setup Input Filter Sets: protocol filters= 1 device filters= Output Filter Sets: protocol filters= device filters=

After this filter set is applied to this field, the client (192.168.1.5) will not be allowed to access the Internet or remote node any more. A filter for blocking a specific MAC address This configuration example will show you how to use a Generic Filter to block a specific MAC address on the LAN. Before you Begin Before you configure the filter you need to know the MAC address of the client. The MAC address can be provided by the NICs. If there is the LAN packet passing through the P-202H Plus v2 you can identify the MAC address from the P-202H Plus v2's LAN packet trace. Please look at the following example to know the trace of the LAN packets. ras> sys trcp channel enet0 bothway ras> sys trcp sw on All contents copyright © 2006 ZyXEL Communications Corporation. 76P-202H Plus v2 Support Notes Now a client on the LAN is trying to ping P-202H Plus v2……… ras> sys trcp sw off ras> sys trcp disp TIME: 37c060 enet0-RECV len:74 call=0 0000: [00 a0 c5 01 23 45] [00 80 c8 4c ea 63] 08 00 45 00 0010: 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84 0020: 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66 0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 0040: 77 61 62 63 64 65 66 67 68 69 TIME: 37c060 enet0-XMIT len:74 call=0 0000: [00 80 c8 4c ea 63] [00 a0 c5 01 23 45] 08 00 45 00 0010: 00 3c 00 07 00 00 fe 01 f0 ef ca 84 9b 63 ca 84 0020: 9b 5d 00 00 4d 5c 03 00 05 00 61 62 63 64 65 66 0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 0040: 77 61 62 63 64 65 66 67 68 69 The detailed format of the Ethernet Version II: + Ethernet Version II - Address: 00-80-C8-4C-EA-63 (Source MAC) ----> 00-A0-C5-23-45 (Destination MAC) - Ethernet II Protocol Type: IP + Internet Protocol - Version (MSB 4 bits): 4 - Header length (LSB 4 bits): 5 - Service type: Precd=Routine, Delay=Normal, Thrput=Normal, Reli=Normal - Total length: 60 (Octets) - Fragment ID: 60172 - Flags: May be fragmented, Last fragment, Offset=0 (0x00) - Time to live: 32 seconds/hops - IP protocol type: ICMP (0x01) - Checksum: 0xE3EA - IP address 202.132.155.93 (Source IP address) ---->

202.132.155.99(Destination IP address)

- No option + Internet Control Message Protocol - Type: 8 - Echo Request - Code: 0 All contents copyright © 2006 ZyXEL Communications Corporation. 77P-202H Plus v2 Support Notes - Checksum: 0x455C - Identifier: 768 - Sequence Number: 1280 - Optional Data: (32 bytes)

• Configurations From the above first trace, we know that a client is trying to ping the P-202H Plus v2 router. And from the second trace, we know that the P-202H Plus v2 router will send a reply to the client accordingly. The following sample filter will utilize the 'Generic Filter Rule' to block the MAC address [00 80 c8 4c ea 63].

1. First, from the incoming LAN packet we know that the unwanted source MAC

address starts at the 7th Octet TIME: 37c060 enet0-RECV len:74 call=0 0000: [00 a0 c5 01 23 45] [00 80 c8 4c ea 63] 08 00 45 00 0010: 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84 0020: 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66 0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 0040: 77 61 62 63 64 65 66 67 68 69

2. We are now ready to configure the 'Generic Filter Rule' as below.

• Active: Turn 'Active' to 'Yes'

• Offset (in bytes): Set to '6' since the source MAC address starts at 7th octets we need to skip the first octets of the destination MAC address. All contents copyright © 2006 ZyXEL Communications Corporation.

• Length (in bytes): Set to '6' since MAC address has 6 octets.P-202H Plus v2 Support Notes

• Mask (in hexadecimal): Specify the value that the P-202H Plus v2 will logically qualify (logical AND) the data in the packet. Since the Length is set to 6 octets the Mask for it should be 12 hexadecimal numbers. In this case, we intent to set to 'ffffffffffff' to mask the incoming source MAC address, [00 80 c8 4c ea 63].

• Value (in hexadecimal): Specify the MAC address [00 80 c8 4c ea 63] that the P-202H Plus v2 should use to compare with the masked packet. If the result from the masked packet matches the 'Value', then the packet is considered matched.

• Action Matched= : Enter the action you want if the masked packet matches the 'Value'. In this case, we will drop it.

• Action Not Matched= : Enter the action you want if the masked packet does not match the 'Value'. In this case, we will forward it. If you want to configure more rules please select 'Check Next Rule' to start configuring the next new rule. However, please note that the 'Filter Type' must be also 'Generic Filter Rule' but not others. Because the Generic and TCP/IP (IPX) filter rules must be in different filter sets. Menu 21.1.2 - Generic Filter Rule Filter #: 1,2 Filter Type= Generic Filter Rule Active= Yes Offset= 6 Length= 6 Mask= ffffffffffff Value= 0080c810234a More= No Log= None Action Matched= Drop Action Not Matched= Forward You can now apply it to the 'General Ethernet Setup' in Menu 3.1. Please note that the 'Generic Filter' can only be applied to the 'Device Filter' but not the 'Protocol Filter' that is used for configuring the TCPIP and IPX filters. Menu 3.1 - General Ethernet Setup Input Filter Sets: protocol filters= device filters= 1 Output Filter Sets: All contents copyright © 2006 ZyXEL Communications Corporation. 79P-202H Plus v2 Support Notes protocol filters= device filters= A filter for blocking the NetBIOS packets

• Introduction The NETBIOS packets contain port numbers and need to be blocked in this case. They are port number 137, 138 and 139 with UDP or TCP protocol. In addition, the NETBIOS packet used to look for a remote DNS server can also trigger the call. Therefore, the filter rules should cover the above packets.

• Configuration The packets which need to be blocked are as following. Please configure two filter sets with 4 and 2 rules respectively based on the following packets in SMT menu 21. Filter Set 1: o Rule 1-Destination port number 137 with protocol number 6 (TCP) o Rule 2-Destination port number 137 with protocol number 17 (UDP) o Rule 3-Destination port number 138 with protocol number 6 (TCP) o Rule 4-Destination port number 138 with protocol number 17 (UDP) o Rule 5-Destination port number 139 with protocol number 6 (TCP) o Rule 6-Destination port number 139 with protocol number 17 (UDP) Filter Set 2: o Rule 1-Source port number 137, Destination port number 53 with protocol number 6 (TCP) o Rule 2-Source port number 137, Destination port number 53 with protocol number 17 (UDP) Before starting to set the filter rules, please enter a name for each filter set in the 'Comments' field first. Menu 21 - Filter Set Configuration Filter Filter Set # Comments Set # Comments

Enter Filter Set Number to Configure= 1 Edit Comments= Press ENTER to Confirm or ESC to Cancel:

All contents copyright © 2006 ZyXEL Communications Corporation.

After the first filter set is finished, you will see the complete rules summary as below. Menu 21.2 - Filter Rules Summary # A Type Filter Rules M m n - - ---- --------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53 N D N 2 Y IP Pr=17, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53 N D F Please apply this second filter set 'NetBIOS_LAN' in the 'protocol filters=' of the 'Input Filter Sets:' in the Menu 3 for blocking the packets from LAN. All contents copyright © 2006 ZyXEL Communications Corporation.

1. Active, use the space bar to turn on the syslog option.

2. Syslog IP Address, enter the IP address of the UNIX server that you wish to

3. Log Facility, use the space bar to toggle between the 7 different local options.

4. Types, use the space bar to toggle the logs we are going to record.

1. Make sure that your syslogd starts with -r argument.

-r, this option will enable the facility to receive message from the network using an Internet domain socket with the syslog services. The default setting is not enabled. All contents copyright © 2006 ZyXEL Communications Corporation. 88P-202H Plus v2 Support Notes

2. Edit the file /etc/syslog.conf by adding the following line at the end of the

• ZyXEL Syslog Message Format P-202H Plus v2 sends 5 types of syslog messages to syslogd, they are:

2. Packet Triggered log

CDR Call Detail Record (CDR) logs all data phone line activity if set to Yes. Packet triggered The first 48 bytes or octets and protocol type of the triggering packet is sent to the UNIX syslog server when this field is set to Yes. Filter log No filters are logged when this field is set to No. Filters with the individual filter Log field set to Yes are logged when this field is set to Yes. PPP log PPP events are logged when this field is set to Yes. POTS log Voice calls are logged when this field is set to Yes.

1. CDR log(call messages)

Format: sdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board channel = channel ID within the WAN call = the call reference number which starts from 1 and increments by 1 for each new call str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.) C01 Incoming Call xxxxBps xxxxx (L2TP,xxxxx means Remote Call ID) All contents copyright © 2006 ZyXEL Communications Corporation. 89P-202H Plus v2 Support Notes C01 Incoming Call xxxx (means connected speed) xxxxx (means Remote Call ID) L02 Tunnel Connected(L2TP) C02 OutCall Connected xxxx (means connected speed) xxxxx (means Remote Call ID) C02 CLID call refused L02 Call Terminated C02 Call Terminated Example: Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C01 Incoming Call 64000 4125678 Feb 14 17:07:18 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C02 Call Terminated

2. Packet triggered log

This message is available when the 'Log' is enabled in the filter rule setting. The message consists of the packet header and the log of the filter rules. Format: All contents copyright © 2006 ZyXEL Communications Corporation.

Format: All contents copyright © 2006 ZyXEL Communications Corporation. 91P-202H Plus v2 Support Notes sdcmdSyslogSend( SYSLOG_POTSLOG, SYSLOG_NOTICE, String ); String = Call Connect / Disconnect: Dir = xx Remote Call= xxxxx Local Call= xxxxx Dir = Call Direction 1: Incoming call 2: Outgoing call Remote Call = a string type which represents as the remote call number Local Call = a string type which represents as the my(local) call number Example: Jul 19 12:08:25 192.168.1.1 ZyXEL Communications Corp.: Call Connect: Dir=2 Remote Call=5783942 Local Call=1 Jul 19 12:08:29 192.168.1.1 ZyXEL Communications Corp.: Call DisConnect: Dir=2 Remote Call=2453140 Local Call=1

7. ISDN Leased Line Setup

Internet Access via ISDN Leased Line

This configuration illustrates an Internet Access over an ISDN leased line that is installed by the telco. Key Settings in P-202H Plus v2 o Menu 2 - ISDN Setup o Menu 4 - Internet Access Setup Menu 2 - ISDN Setup Switch Type: DSS-1 B Channel Usage= Leased/Unused Incoming Phone Numbers: ISDN Data =

All contents copyright © 2006 ZyXEL Communications Corporation. 92P-202H Plus v2 Support Notes Advance Setup = No B Channel Usage: o Set to Leased/Unused if you are using one 64K-leased line o Set to Leased/Leased if you are using one 128K-leased lines o Set to Leased/Switch if you are using one 64K-leased line and one switch line The P-202H Plus v2 does not allow two leased lines to connect two different remote nodes. Therefore, if the Leased/Leased is configured in Menu 2, it allows a 128K-leased connection to a remote node or allows MP bundling to a remote node. Menu 4 - Internet Access Setup ISP's Name= hinet Pri Phone #= N/A Sec Phone #= N/A My Login= test My Password= ******** My WAN IP Addr= 0.0.0.0 NAT= SUA Only Address Mapping Set= N/A Telco Option: Transfer Type= Leased Multilink= Off Idle Timeout= 100 Key Settings: o My Login and My Password are the login information provided by ISP. o Turn on SUA if you only have a single user Internet account. All contents copyright © 2006 ZyXEL Communications Corporation. 93P-202H Plus v2 Support Notes o Enter the IP address assigned from ISP for P-202H Plus v2, enter '0.0.0.0' if the IP is dynamically assigned during the PPP connection o Set the 'Transfer Type' to 'Leased' for the ISDN leased-line connection After saving this menu, you will be asked if you want to perform an Internet connection test. Select 'Yes' to perform the test. If the test fails, please check again the above settings again. When you have configured and saved Menu 4, you should see that you have created a remote node in Menu 11. You can perform more advanced configuration options to this remote node in this menu. LAN-to-LAN Connection via ISDN Leased Line

This configuration illustrates a LAN-to-LAN connection over an ISDN leased line that is subscribed from the telco.

• Key Settings in P-202H Plus v2 o Menu 2 - ISDN Setup o Menu 11 - Remote Node Setup Menu 2 - ISDN Setup Switch Type: DSS-1 B Channel Usage= Leased/Unused Incoming Phone Numbers: ISDN Data = Advance Setup = No All contents copyright © 2006 ZyXEL Communications Corporation. 94P-202H Plus v2 Support Notes B Channel Usage: o Set to Leased/Unused if you are using one 64K-leased line o Set to Leased/Leased if you are using one 128K-leased lines o Set to Leased/Switch if you are using one 64K-leased line and one switch line The P-202H Plus v2 does not allow two leased lines to connect two different remote nodes. Therefore, if the Leased/Leased is configured in Menu 2, it allows a 128K-leased connection to a remote node or allows MP bundling to a remote node. Menu 11.1 - Remote Node Profile Rem Node Name= LAN1 Edit PPP Options= No Active= Yes Rem IP Addr= 140.113.1.1 Call Direction= ******** Edit IP= No Incoming: Telco Option: Rem Login= Transfer Type= Leased Rem Password= Allocated Budget(min)= Rem CLID= N/A Period(hr)= Call Back= N/A Schedules= Outgoing: Carrier Access Code= My Login= test Nailed-Up Connection= No My Password= ******** Toll Period(sec)= 0 Authen= CHAP/PAP Session Options: Pri Phone #= N/A Edit Filter Sets= No Sec Phone #= N/A Idle Timeout(sec)= 100 Press ENTER to Confirm or ESC to Cancel:

• Set the 'Transfer Type' to 'Leased' for the ISDN leased-line connection

8. Supplemental Service

The P-202H Plus v2 supports the following supplementary phone features on both of its POTS ports.

All contents copyright © 2006 ZyXEL Communications Corporation.

6. Terminal Portability(Suspend/Resume)

Most supplementary services are not free, please check with your telephone company for the services they offer. How do I do call waiting/call hold/call retrieve?

• Put your current call on hold and answer the incoming call - after hearing the call waiting tone, press and immediately release the Flash button on your telephone.

• Put your current call on hold and switch to another call - press and immediately release the Flash button on your telephone.

• Hang up your current call before answering the incoming call - hang up the phone and wait for answering the incoming call.

• Hang up the current active call and switch back to the other call - hang up and wait for the phone to ring. Then pick up the phone to return to the other call. Why doesn't call waiting work as expected? An incoming caller will receive a busy signal if:

• You have two calls active (one active and one on hold; or both active by using Three-Way Calling).

• You are dialing a number on the B channel the incoming caller is attempting to reach, but have not yet established a connection. If no action is taken to answer the call (call waiting indicator tone is ignored), the call waiting tones will disappear after about 20 seconds. How do I do three way calling?

• Press the Flash key to put the existing call on hold and receive a dial tone.

• Dial the third party's phone number.

• When you are ready to conference the call together, press the Flash key again to establish a three way conference call. How do I remove a party from the three-way calling? Simply press the Flash key. The last call that was added to the conference is dropped. All contents copyright © 2006 ZyXEL Communications Corporation. 96P-202H Plus v2 Support Notes If you hang up your telephone during a three-way call and the two other callers remain on the line, the ISDN network will do an implicit transfer to directly connect the two remaining callers together. How do I do call transfer? Call Transfer allows you to transfer an active call to a third party. This service must be subscribed from your telephone company. Transferring an active call to a third party:

• Once you have an active call (Caller A), press Flash key to put Caller A on hold and receive a dial tone.

• Dial the third party's phone number (Caller B).

• When you are ready to conference the two calls together, press Flash key to a Three-Way Conference call.

• Hang up the phone. The ISDN network does an implicit transfer to directly connect Caller A with Caller B. How do I blind call transfer?

• Once you have an active call (Caller A), press Flash key to put the existing call on hold and receive a dial tone.

• Dial the third party's phone number (Caller B).

• Before Caller B picks up the call, you can transfer the call by pressing the Flash key. The call is automatically transferred. What is call forwarding and how do I do it? The call forwarding means the switch will ring another number at a place where you will be when sometime dials your directory number. There are two methods to active call forwarding, either method should work fine and you can use whichever one you are most comfortable. The first is exactly the same as on an analog line, i.e., you pick up the handset and dial the access code assign by your telephone company and the number that you want the calls forwarded. Check with your telephone company for this access code. The second is with the 'phone flash' commands where you pick up the handset and press the flash key before dialing the following: Command Meaning *20*forward-number# Active CFB (Call Forwarding Busy) *21*forward-number# Active CFU (Call Forwarding All contents copyright © 2006 ZyXEL Communications Corporation. 97P-202H Plus v2 Support Notes Unconditional) *22*forward-number# Active CFNR (Call Forwarding No Reply #20# Deactive CFB #21# Deactive CFU #22# Deactive CFNR How do I suspend/resume a phone call (terminal portability)? The Terminal Portability service allows you to suspend a phone call temporarily. You can then resume this call later, at another location if you so wish. To suspend an active phone call:

• Press the flash key twice.

• Dial *3n*#, where n is any number from 1 to 9. To resume your phone call:

• Reconnect at a (n) (ISDN) telephone that is linked to the same S/T interface (Network Terminator-1, NT1) where you suspended the call.

• Pick up the handset and press the Flash key

• Dial #3n#, where n is any number from 1 to 9, but should be identical to that used above. What is reminder ring? The P-202H Plus v2 sends a single short ring to your telephone every time a call has been forwarded(US switches only). What is MSN/subaddress and how do I do it? Depending on your location, you may have Multiple Subscriber Number (MSN) where the telephone company gives you more than one number for your ISDN line. You can assign each number to a different port, e.g., the first number to data calls, the second to A/B adapter 1 and so on. Or (DSS1) the telephone company may give you only one number, but allow you to assign your own subaddresses to different ports, e.g., subaddress 1 to data calls and 2 to A/B adapter 1.

• What is NetCAPI ? All contents copyright © 2006 ZyXEL Communications Corporation. 98P-202H Plus v2 Support Notes The P-202H Plus v2 202H Plus supports the ISDN Device Control Protocol (ISDN-DCP) from RVS-COM. The ISDN-DCP allows a workstation on the LAN to run some CAPI applications. These applications include FAX, Voice, File transfer. Using ISDN-DCP, the P-202H Plus v2 202H Plus behaves as a DCP server which listens for DCP messages on TCP port number 2578 on its LAN port and we call this feature as NetCAPI. When the P-202H Plus v2 receives a DCP message from a DCP client (running RVS-COM software), the P-202H Plus v2 sends the confirmation message to the client and sends ISDN packets through the BRI port. When the P-202H Plus v2 receives packets on its BRI port destined for one of the DCP clients, the router formats the packet as a DCP message and sends it to the corresponding client.

• Supported applications

4. Autoanswer host mode

• Supported D-Channel Protocol NetCAPI is available only for the European ISDN switch type DSS1.

• RVS-COM Setup To use the NetCAPI function of the P-202H Plus v2 202H Plus for FAX transmission, file transfer and voice, you must install RVS-COM Lite 1.63 or above first.

• P-202H Plus v2 Setup All NetCAPI related settings are configured in menu 2.1 as shown below.

1. Edit the NetCAPI settings by setting the 'Edit NetCAPI Setup' to 'Yes'.

Switch Type: DSS-1 B Channel Usage= Switch/Switch All contents copyright © 2006 ZyXEL Communications Corporation. 99P-202H Plus v2 Support Notes Incoming Phone Numbers: ISDN Data = 10000 Subaddress= A/B Adapter 1 = Subaddress= A/B Adapter 2 = Subaddress= Incoming Phone Number Matching= Multiple Subscriber Number (MSN) Analog Call Routing= N/A Global Analog Call= N/A Edit Advanced Setup = No Edit NetCAPI Setup = Yes Press ENTER to Confirm or ESC to Cancel:

2. Edit NetCAPI related settings in menu 2.1

1. Active: Set to 'Yes' to enable the NetCAPI.

2. Max. Number of Registered Users: Enter the number of RVS-COM

clients for registering in the P-202H Plus v2. The maximum number is 5. All contents copyright © 2006 ZyXEL Communications Corporation. 100P-202H Plus v2 Support Notes

3. Incoming Data Call Matching: This setting helps the P-202H Plus v2 to

forward the incoming call correctly by checking the MSN or subaddress that the remote party calls. MSN: When this option is selected, the P-202H Plus v2 checks the MSN called by the remote party. If the MSN matches the one configured in menu 2, ISDN Data Number, the P-202H Plus v2 will answer the call as a data call. If the MSN does not match any MSN in menu 2, the P-202H Plus v2 will answer the call as a CAPI call and forward it to the CAPI client. Subaddress: When this option is selected, the P-202H Plus v2 checks the subaddress called by the remote party. If the subaddress matches the one configured in menu 2, ISDN Data Number, the P-202H Plus v2 will answer the call as a data call. If the subaddress does not match any subaddress in menu 2, the P- 202H Plus v2 will answer the call as a CAPI call and forward it to the CAPI client. NetCAPI: When this option is selected, the P-202H Plus v2 always answers the call as a CAPI call and forward it to the CAPI client.

4. Access List: Enter the IP range of the valid NetCAPI clients with desired

operation direction. Operation=Incoming: this permits the clients in this IP range to only answer calls. Operation=Outgoing: this permits the clients in this IP range to only place calls. Operation=Both: this permits the clients in this IP range to both place and answer calls. Operation=None: this means no calls for the clients in this IP range are allowed.

5. Start IP: Refers to the first IP address of a group of NetCAPI clients. Each

group contains contigunous IP addresses.

6. End IP: Refers to the last IP address in a NetCAPI client group.

7. Operation: Call control settings for the NetCAPI users

Incoming: When this option is selected, the NetCAPI users have permission to only accecpt incoming calls. Outgoing: When this option is selected, the NetCAPI users have permission to only place outgoing calls. Both: When this option is selected, the NetCAPI users have permission for both answering and placing calls. None: When this option is selected, no calls are allowed for the NetCAPI users.

• What is RADIUS? A Network Access Server (NAS, e.g., a Router) operates as a client of RADIUS. The RADIUS client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecured network could determine a user's password. There has been some confusion in the assignment of port numbers for this protocol. The early deployment of RADIUS was done using the erroneously chosen port number 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS is 1812. So, be sure which port your RADIUS server uses before configuring it in the P-202H Plus v2. [Note]: The P-202H Plus v2 is configured with default port 1645, please reboot the P-202H Plus v2 it is changed to 1812.

1. Get Radius application S/W and install it first.

2. If the callback feature is required, please add the following ZyXEL

proprietary attributes in the 'Dictionary' file which generally locates in the Radius installation folder. Please note, when editing RADIUS files some RADIUS servers do not suggest DOS Editor or Notepad. So, you can try Wordpad instead.

3. Enter the RADIUS client IP and the encrypted key in the 'Clients' file. See an

example below. # This file contains a list of clients which are allowed to make # authentication requests and their encryption key. # The first field is a valid hostname for the client. # The second field (separated by blanks or tabs) is the encryption key.

In this example, the new client 203.66.113.187 is the P-202H Plus v2 router. The key 'key187' must be configured in SMT Menu 23.2 later..

4. Enter the user profile including username and password in the 'Users' file. See

an example below. # Example 1: PPP user without callback.

# Example 2: PPP user with Callback.

5. Run "RADIUS.EXE -X15" to turn on the RADIUS service.

• P-202H Plus v2 Setup Menu 23.2 - System Security - External Server Authentication Server: Active= Yes Type= RADIUS Server Address= 203.66.113.10 Port #= 1645 Key= key187 Key Settings: o Server Address--------Enter the IP address of the RADIUS server. For example, 203.66.113.10. o Port#------------------The default RADIUS/UDP port is 1645. Reboot the P-202H Plus v2, if it is changed to 1812. o Key-------------------The key must be the same with the one configured in the 'Clients' file.

6. Please check there is no duplicate user setting in SMT menu 14 compared to

the 'Users' file in step 4.

11. Using CLID Callback

• What is CLID Callback? CLID stands for Calling Line Identification (i.e., calling parting number) which can be used by the ISDN CPE to call back without answering the call. The phone number used for calling back is captured from the D channel message. So, if your local ISDN switch is able to carry the calling party number, the P-202H Plus v2 can use this phone number to call back to the remote party. All contents copyright © 2006 ZyXEL Communications Corporation.

There are two types of callback that the P-202H Plus v2 supports, they are the CLID callback and MS CBCP callback using Dial-Up Networking. Unlike the CLID callback, when using the MS CBCP callback the CPE must answer the first call to get the remote phone number from PPP CBCP negotiation and then call back to the remote party after hanging up the first call. In such a case, the remote party has to pay for the first phone call. While using the CLID callback, the remote party does not have to pay for the first call since the call is not answered. Therefore, you can not use Dial-Up Networking for the CLID callback since it does not support the CLID callback.P-202H Plus v2 Support Notes When calling back to a remote node the outgoing user information (username and password) are configured in menu 11.1, Remote Node Profile. While calling back to a dial-in user, the outgoing user information are configured in two fields in menu 13, O/G Login and O/G Password.

• Setup the P-202H Plus v2 for calling back to a remote node

• Setup the P-202H Plus v2 for calling back to a dial-in user

• Setup the P-202H Plus v2 for calling back to a remote node Generally, there are several settings must be checked when using the CLID callback. They are: The 'CLID Authentication' setting in menu 13 must be configured as 'Required' or 'Preferred'. The 'Remote CLID' setting in menu 11.1 must be entered for the CLID authentication. The 'Callback' setting in menu 11.1 must be toggled to 'Yes'. The 'Outgoing user information' in menu 11.1 must be entered. The 'Outgoing Phone number' in menu 11.1 must be entered. The following SMT only show the main settings of the CLID callback, you can refer to the user's manual or the support note for the other settings.

1. Toggle the 'CLID Authen' option in menu 13 to 'Required'.

Menu 13 - Default Dial-in Setup Telco Options: IP Address Supplied By: CLID Authen= Required Dial-in User= Yes IP Pool= No PPP Options: IP Start Addr= N/A Recv Authen= CHAP/PAP IP Count(1,2)= N/A Compression= Yes Mutual Authen= No O/G Login= N/A Session Options: O/G Password= N/A Edit Filter Sets= No Multiple Link Options: Max Trans Rate(Kbps)= 128 Callback Budget Management: Allocated Budget(min)= All contents copyright © 2006 ZyXEL Communications Corporation. 106P-202H Plus v2 Support Notes Period(hr)= Press ENTER to Confirm or ESC to Cancel:

2. Create a remote node for a LAN-to-LAN connnection using the CLID

callback. Menu 11.1 - Remote Node Profile Rem Node Name= LAN1 Edit PPP Options= No Active= Yes Rem IP Addr= 192.168.2.1 Call Direction= Both Edit IP= No Incoming: Telco Option: Rem Login= test Transfer Type= 64K Rem Password= **** Allocated Budget(min)= Rem CLID= 20000 Period(hr)= Call Back= Yes Schedules= Outgoing: Nailed-Up Connection= N/A My Login= test Toll Period(sec)= 0 My Password= **** Session Options: Authen= CHAP/PAP Edit Filter Sets= No Pri Phone #= 20000 Idle Timeout(sec)= 300 Sec Phone #= Press ENTER to Confirm or ESC to Cancel: CLID Settings: Option Description Rem CLID Enter the remote phone number in this field which will be used for the CLID authentication. If this number does not match the one that the switch carries, the P-202H Plus v2 will drop the line due to the CLID authentication failure. Call Back Toggle to 'Yes' to turn on the callback function. Outgoing: My Login Enter the user name given by the remote node. Outgoing: My Enter the password given by the remote node. All contents copyright © 2006 ZyXEL Communications Corporation. 107P-202H Plus v2 Support Notes Password Outgoing: Pri Phone # Enter the phone number of the remote node for calling back.

• Setup the P-202H Plus v2 for calling back to a dial-in user Generally, there are several settings must be checked when using the CLID callback. They are: The 'CLID Authentication' setting in menu 13 must be configured as 'Required' or 'Preferred'. The 'Outgoing user information' in menu 13 must be entered. The 'Callback' setting in menu 13 must be toggled to 'Mandatory'. The 'Callback Phone number' setting in menu 14.1 must be predefined in menu. The 'Remote CLID' setting in menu 14.1 must be entered for the CLID authentication. The following SMT only show the main settings of the CLID callback, you can refer to the user's manual or the support note for the other settings.

1. Toggle the 'CLID Authen' option to 'Required' and enter the 'Outgoing user

information' in menu 13.. Menu 13 - Default Dial-in Setup Telco Options: IP Address Supplied By: CLID Authen= Required Dial-in User= Yes IP Pool= No PPP Options: IP Start Addr= N/A Recv Authen= CHAP/PAP IP Count(1,2)= N/A Compression= Yes Mutual Authen= No O/G Login= test Session Options: O/G Password= **** Edit Filter Sets= No Multiple Link Options: Max Trans Rate(Kbps)= 128 Callback Budget Management: Allocated Budget(min)= All contents copyright © 2006 ZyXEL Communications Corporation. 108P-202H Plus v2 Support Notes Period(hr)= Press ENTER to Confirm or ESC to Cancel: CLID Settings: Option Description CLID Authen Toggle the 'CLID Authen' option in menu 13 to 'Required'. O/G Login Enter the user name given by the remote user for the authentication. O/G Password Enter the password given by the remote user for the authentication.

2. Create a dial-in user profile using the CLID callback.

Enter the phone number of the remote user for calling back. Rem CLID Enter the remote phone number in this field which will be used for the CLID authentication. If this number does not match the one that the switch carries, the P-202H Plus v2 will drop the line due to the CLID authentication failure. All contents copyright © 2006 ZyXEL Communications Corporation. 109P-202H Plus v2 Support Notes

The Simple Network Management Protocol (SNMP) is an applications-layer protocol used to exchange the management information between network devices (e.g., routers). By using SNMP, network administrators can more easily manage network performance, find and solve network problems. The SNMP is a member of the TCP/IP protocol suite, it uses the UDP to exchange messages between a management Client and an Agent, residing in a network node. There are two versions of SNMP: Version 1 and Version 2. ZyXEL supports SNMPv1. Most of the changes introduced in Version 2 increase SNMP's security capabilities. SNMP encompasses three main areas:

1. A small set of management operations.

2. Definitions of management variables.

3. Data representation.

The operations allowed are: Get, GetNext, Set, and Trap. These functions operates on variables that exist in network nodes. Examples of variables include statistic counters, node port status, and so on. All of the SNMP management functions are carried out through these simple operations. No action operations are available, but these can be simulated by the setting of flag variables. For example, to reset a node, a counter variable named 'time to reset' could be set to a value, causing the node to reset after the time had elapsed. SNMP variables are defined using the OSI Abstract Syntax Notation One (ASN.1). ASN.1 specifies how a variable is encoded in a transmitted data frame; it is very powerful because the encoded data is self-defining. For example, the encoding of a text string includes an indication that the data unit is a string, along with its length and value. ASN.1 is a flexible way of defining protocols, especially for network management protocols where nodes may support different sets of manageable variables. The net of variables that each node supports is called the Management Information Base (MIB). The MIB is made up of several parts, including the Standard MIB, specified as part of SNMP, and Enterprise Specific MIB, which are defined by different manufacturer for hardware specific management. The current Internet-standard MIB, MIB-II, is defined in RFC 1213 and contains 171 objects. These objects are grouped by protocol (including TCP, IP, UDP, SNMP, and other categories, including 'system' and 'interface.' All contents copyright © 2006 ZyXEL Communications Corporation. 110P-202H Plus v2 Support Notes The Internet Management Model is as shown in figure 1. Interactions between the NMS and managed devices can be any of four different types of commands:

Read is used to monitor the managed devices, NMSs read variables that are maintained by the devices.

Write is used to control the managed devices, NMSs write variables that are stored in the managed devices.

3. Traversal operations

NMSs use these operations to determine which variables a managed device supports and to sequentially gather information from variable tables (such as IP routing table) in managed devices.

The managed devices to asynchronously report certain events to NMSs use trap. All contents copyright © 2006 ZyXEL Communications Corporation. 111P-202H Plus v2 Support Notes

SNMP itself is a simple request/response protocol. 4 SNMPv1 operations are defined as below.

• Get Allows the NMS to retrieve an object variable from the agent.

• GetNext Allows the NMS to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a NMS wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.

• Set Allows the NMS to set values for object variables within an agent.

• Trap Used by the agent to inform the NMS of some events. All contents copyright © 2006 ZyXEL Communications Corporation. 112P-202H Plus v2 Support Notes The SNMPv1 messages contains two part. The first part contains a version and a community name. The second part contains the actual SNMP protocol data unit (PDU) specifying the operation to be performed (Get, Set, and so on) and the object values involved in the operation. The following figure shows the SNMPv1 message format. The SNMP PDU contains the following fields:

• PDU type Specifies the type of PDU.

• Request ID Associates requests with responses.

• Variable-bindings Associates particular object with their value.

2. ZyXEL SNMP Implementation

ZyXEL currently includes SNMP support in some P-202H Plus v2 routers. It is implemented based on the SNMPv1, so it will be able to communicate with SNMPv1 NMSs. Further, users can also add ZyXEL's private MIB in the NMS to monitor and control additional system variables. The ZyXEL's private MIB tree is shown in figure 3. For SNMPv1 operation, ZyXEL permits one community string so that the router can belong to only one community and allows trap messages to be sent to only one NMS manager. Some traps are sent to the SNMP manager when anyone of the following events happens: All contents copyright © 2006 ZyXEL Communications Corporation. 113P-202H Plus v2 Support Notes

1. coldStart (defined in RFC-1215) :

If the machine coldstarts, the trap will be sent after booting.

2. warmStart (defined in RFC-1215) :

If the machine warmstarts, the trap will be sent after booting.

3. linkDown (defined in RFC-1215) :

If any link of IDSL or WAN is down, the trap will be sent with the port number . The port number is its interface index under the interface group.

4. linkUp (defined in RFC-1215) :

If any link of IDSL or WAN is up, the trap will be sent with the port number . The port number is its interface index under the interface group.

5. authenticationFailure (defined in RFC-1215) :

When receiving any SNMP get or set requirement with wrong community, this trap is sent to the manager.

6. whyReboot (defined in ZYXEL-MIB) :

When the system is going to restart (warmstart), the trap will be sent with the reason of restart before rebooting. (i) For intentional reboot : In some cases (download new files, CI command "sys reboot", ...), reboot is done intentionally. And traps with the message "System reboot by user !" will be sent. (ii) For fatal error : System has to reboot for some fatal errors. And traps with the message of the fatal code will be sent. All contents copyright © 2006 ZyXEL Communications Corporation. 114P-202H Plus v2 Support Notes

• Downloading ZyXEL's private MIB

3. Configure the P-202H Plus v2 for SNMP

The SNMP related settings in P-202H Plus v2 are configured in menu 22, SNMP Configuration. The following steps describe a simple setup procedure for configuring all SNMP settings. Menu 22 - SNMP Configuration SNMP: All contents copyright © 2006 ZyXEL Communications Corporation. 115P-202H Plus v2 Support Notes Get Community= public Set Community= public Trusted Host= 192.168.1.33 Trap: Community= public Destination= 192.168.1.33 Press ENTER to Confirm or ESC to Cancel: Key Settings: Option Descriptions Get Community Enter the correct Get Community. This Get Community must match the 'Get-' and 'GetNext' community requested from the NMS. The default is 'public'. Set Community Enter the correct Set Community. This Set Community must match the 'Set-community requested from the NMS. The default is 'public'. Trusted Host Enter the IP address of the NMS. The P-202H Plus v2 will only respond to SNMP messages coming from this IP address. If

0.0.0.0 is entered, the P-202H Plus v2 will respond to all NMS

managers. Trap Community Enter the community name in each sent trap to the NMS. This Trap Community must match what the NMS is expecting. The default is 'public'. Trap Destination Enter the IP address of the NMS that you wish to send the traps to. If 0.0.0.0 is entered, the P-202H Plus v2 will not send trap any NMS manager.

1. Applying NAT in the SMT Menus

All contents copyright © 2006 ZyXEL Communications Corporation. 116P-202H Plus v2 Support Notes

3. Address Mapping Sets and NAT Server Sets

2. Internet Access with an Internal Server

3. Using Multiple Global IP addresses for clients and servers

4. Support Non NAT Friendly Applications

• What is Multi-NAT? NAT (Network Address Translation-NAT RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and "unmaps" the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g., a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the additional benefit of firewall protection. In such case, all incoming connections to your network will be filtered out by the P-202H Plus v2, thus preventing intruders from probing your network. The SUA feature that the P-202H Plus v2 supports previously operates by mapping the private IP addresses to a global IP address. It is only one subset of the NAT. The ZyNOS V2.41 for the P-202H Plus v2 100IH is enhanced to support the most of the features of the NAT based on RFC 1631, and we call this feature as 'Multi-NAT'. For more information on IP address translation, please refer to RFC 1631, The IP Network Address Translator (NAT).

• How NAT works If we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Address (IGA), see the following figure. The term "inside' refers to the set of networks that are subject to translation. NAT operates by mapping the ILA to the IGA required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers) and then forwards each packet to the Internet ISP, thus making them appear as if they had come from the NAT system itself (e.g., the P- 202H Plus v2 router). The P-202H Plus v2 keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. All contents copyright © 2006 ZyXEL Communications Corporation. 117P-202H Plus v2 Support Notes

• NAT Mapping Types NAT supports five types of IP/port mapping. They are:

In One-to-One mode, the P-202H Plus v2 maps one ILA to one IGA.

In Many-to-One mode, the P-202H Plus v2 maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA only option in today's routers).

3. Many to Many Overload

In Many-to-Many Overload mode, the P-202H Plus v2 maps the multiple ILA to shared IGA.

4. Many to Many No Overload

In Many-to-Many No Overload mode, the P-202H Plus v2 maps each ILA to unique IGA.

In Server mode, the P-202H Plus v2 maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note, if you want to map each server to one unique IGA please use the One-to-One mode. The following table summarizes these types. NAT Type IP Mapping One-to-One ILA1<--->IGA1 Many-to-One (SUA/PAT)

• SUA Versus NAT SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules, Many-to-One and Server. The P-202H Plus v2 now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers. With multiple global IP addresses, multiple severs of the same type (e.g., FTP servers) are allowed on the LAN for outside access. In previous ZyNOS versions (that supported SUA 'visible' servers had to be of different types. The P-202H Plus v2 supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The P-202H Plus v2 312 supports 2 sets since there is only one remote node. The default SUA (Read Only) Set in menu 15.1 is a convenient, pre-configured, read only, Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions.

1. Applying NAT in the SMT Menus

3. Address Mapping Sets and NAT Server Sets

1. Applying NAT in the SMT Menus

The following figure shows how you apply NAT to the remote node in menu

Menu 11.3 - Remote Node Network Layer Options Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= SUA Only Address Mapping Set= N/A Metric= 2 Private= No RIP Direction= Both Version= RIP-2B Press ENTER to Confirm or ESC to Cancel: Step 1. Enter 11 from the Main Menu. Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the All contents copyright © 2006 ZyXEL Communications Corporation. 120P-202H Plus v2 Support Notes default NO to Yes, then press [ENTER] to bring up Menu 11.3-Remote Node Network Layer Options. The following table describes the options for Network Address Translation. Field Options Description Full Feature When you select this option the SMT will use Address Mapping Set 1 (Menu 15.1- see later for further discussion). None NAT is disabled when you select this option. Network Address Translation SUA Only When you select this option the SMT will use Address Mapping Set 255 (Menu 15.1-see later for further discussion). This option us basically Many-to-One Overload mapping. Select Full Feature when you require other mapping types. It is a convenient, pre-configured, read only, Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions. Note that there is also a Server type whose IGA is 0.0.0.0 in this set. Table: Applying NAT in Menu 4 and Menu 11.3

To configure NAT, enter 15 from the Main Menu to bring up the following screen. Menu 15 - NAT Setup

3. Address Mapping Sets and NAT Server Sets

All contents copyright © 2006 ZyXEL Communications Corporation. 121P-202H Plus v2 Support Notes Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to LAN clients. Each remote node must specify which NAT Address Mapping Set to use. The P312 has one remote node and so allows you to configure only 1 NAT Address Mapping Set. You can see two NAT Address Mapping sets in Menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT will use Set1. When you select SUA Only, the SMT will use Set 255. For the P100IH, there are 8 remote nodes and so allows you to configure 8 NAT Address Mapping Sets. The NAT Server Set is a list of LAN side servers mapped to external ports. To use this set (one set for the P312), a server rule must be set up inside the NAT Address Mapping set. Please see NAT Server Sets for further information on these menus. Enter 1 to bring up Menu 15.1-Address Mapping Sets Menu 15.1 - Address Mapping Sets

Enter Set Number to Edit:

Let's first look at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers. The fields in this menu cannot be changed. Entering 255 brings up this screen. All contents copyright © 2006 ZyXEL Communications Corporation.

Press ESC or RETURN to Exit: The following table explains the fields in this screen. Please note that the fields in this menu are read-only. The Type, Local and Global Start/End IPs are normally (not for this read-only menu) configured in Menu 15.1.1.1 (described later) and the values are displayed here. Field Description Option/Example Set Name This is the name of the set you selected in Menu

15.1 or enter the name of a new set you want to

create. SUA Idx This is the index or rule number. 1 Local Start

This is the starting local IP address (ILA).

This is the starting local IP address (ILA). If the rule is for all local IPs, then the Start IP is

0.0.0.0 and the End IP is 255.255.255.255.

Global Start IP This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.

Global End IP This is the ending global IP address (IGA). N/A Type This is the NAT mapping types. Many-to-One and Server All contents copyright © 2006 ZyXEL Communications Corporation. 123P-202H Plus v2 Support Notes Please note that the fields in this menu are read-only. However, the settings of the server set 1 can be modified in menu 15.2.1. Now let's look at Option 1 in Menu 15.1. Enter 1 to bring up this menu. Menu 15.1.1 - Address Mapping Rules Set Name= ? Idx Local Start IP Local End IP Global Start IP Global End IP Type --- --------------- --------------- --------------- --------------- ------

Action= Edit , Select Rule= 0 Press ENTER to Confirm or ESC to Cancel: We will just look at the differences from the previous menu. Note that, this screen is not read only, so we have extra Action and Select Rule fields. Not also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set. The description of the other fields is as described above. The Type, Local and Global Start/End IPs are configured in Menu 15.1.1 (described later) and the values are displayed here. Field Description Option Set Name Enter a name for this set of rules. This is a required field. Please note that if this field is left blank, the entire set will be deleted. Rule1 Action They are 4 actions. The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a new rule before the rule selected. The rule after the selected rule will then be moved down by one rule. Delete means to delete the Edit Insert Before Delete Save Set All contents copyright © 2006 ZyXEL Communications Corporation. 124P-202H Plus v2 Support Notes selected rule and then all the rules after the selected one will be advanced one rule. Save Set means to save the whole set (note when you choose this action the Select Rule item will be disabled). Select Rule When you choose Edit, Insert Before or Save Set in the previous field the cursor jumps to this field to allow you to select the rule to apply the action in question.

Note: Save Set in the Action field means to save the whole set. You must do this if you make any changes to the set-including deleting a rule. No changes to the set take place until this action is taken. Be careful when ordering your rules as each rule is executed in turn beginning from the first rule. Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1-Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs displayed in Menu 15.1.1. Menu 15.1.1.1 - - Rule 1 Type: One-to-One Local IP: Start= 0.0.0.0 End = N/A Global IP: Start= 0.0.0.0 End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen. Field Description Option/Example Type Press [SPACEBAR] to toggle through a total of 5 types. These are the mapping types discussed above plus a server type. Some examples follow to clarify these a little more. One-to-One Many-to-One Many-to-Many Overload All contents copyright © 2006 ZyXEL Communications Corporation. 125P-202H Plus v2 Support Notes Many-to-Many No Overload Server Start This is the starting local IP address (ILA) 0.0.0.0 Local

End This is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as

0.0.0.0 and the End IP as 255.255.255.255.

This field is N/A for One-to-One type.

Start This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.

End This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server types.

Local and Global IP fields are N/A for the Server Type. Note: For all Local and Global IPs, the End IP address must begin after the IP Start address, i.e., you cannot have an End IP address beginning before the Start IP address.

• NAT Server Sets The NAT Server Set is a list of LAN side servers mapped to external ports (similar to the old SUA menu of before). If you wish, you can make inside servers for different services, e.g., Web or FTP, visible to the outside users, even though NAT makes your network appears as a single machine to the outside world. A server is identified by the port number, e.g., Web service is on port 80 and FTP on port 21. As an example (see the following figure), if you have a Web server at

192.168.1.36 and a FTP server at 192.168.1.33, then you need to specify for port

80 (Web) the server at IP address 192.168.1.36 and for port 21 (FTP) another at IP address 192.168.1.33. All contents copyright © 2006 ZyXEL Communications Corporation. 126P-202H Plus v2 Support Notes Please note that a server can support more than one service, e.g., a server can provide both FTP and Mail service, while another provides only Web service. The following procedures show how to configure a server behind NAT. Step 1. Enter 15 in the Main Menu to go to Menu 15-NAT Setup. Step 2. Enter 2 to go to Menu 15.2-NAT Server Setup. Step 3. Enter the service port number in the Port# field and the inside IP address of the server in the IP Address field. Step 4. Press [SPACEBAR] at the 'Press ENTER to confirm...' prompt to save your configuration after you define all the servers or press ESC at any time to cancel. Menu 15.2 - NAT Server Setup (Used for SUA Only)

Rule Start Port No. End Port No. IP Address

All contents copyright © 2006 ZyXEL Communications Corporation. 127P-202H Plus v2 Support Notes

Press ENTER to Confirm or ESC to Cancel:

The most often used port numbers are shown in the following table. Please refer RFC 1700 for further information about port numbers. Service Port Number FTP 21 Telnet 23 SMTP 25 DNS (Domain Name Server) 53 www-http (Web) 80 PPTP (Point-to-Point Tunneling Protocol)

2. Internet Access with an Internal Server

3. Using Multiple Global IP addresses for clients and servers

4. Support Non NAT Friendly Applications

1. Internet Access Only

In our Internet Access example, we only need one rule where all our ILAs map to one IGA assigned by the ISP. See the following figure. All contents copyright © 2006 ZyXEL Communications Corporation. 128P-202H Plus v2 Support Notes

Menu 4 - Internet Access Setup ISP's Name= ChangeMe Pri Phone #= 1234 Sec Phone #= My Login= ChangeMe My Password= ******** My WAN IP Addr= 0.0.0.0 NAT= SUA Only Address Mapping Set= N/A Telco Options: Transfer Type= 64K Multilink= Off Idle Timeout= 100 Press ENTER to Confirm or ESC to Cancel: From Menu 4 shown above simply choose the SUA Only option from the NAT field. This is the Many-to-One mapping discussed earlier. The SUA read only option from the NAT field in menu 4 and 11.3 is specifically pre-configured to handle this case.

All contents copyright © 2006 ZyXEL Communications Corporation. 129P-202H Plus v2 Support Notes

2. Internet Access with an Internal Server

In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2.1-NAT Server Setup (Used for SUA Only) to specify the Internet Server behind the NAT as shown in the NAT as shown below. Menu 15.2 - NAT Server Setup (Used for SUA Only)

Rule Start Port No. End Port No. IP Address

Press ENTER to Confirm or ESC to Cancel: All contents copyright © 2006 ZyXEL Communications Corporation. 130P-202H Plus v2 Support Notes

3. Using Multiple Global IP addresses for clients and servers (One-to-One,

Many-to-One, Server Set mapping types are used) In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail. In this case, we want to assign the 3 IGAs by the following way using 4 NAT rules. Rule 1 (One-to-One type) to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1. Rule 2 (One-to-One type) to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2. Rule 3 (Many-to-One type) to map the other clients to IGA3. Rule 4 (Server type) to map a web server and mail server with ILA3 (192.168.1.20) to IGA3. Type Server allows us to specify multiple servers, of different types, to other machines behind NAT on the LAN. Step 1: In this case, we need to configure Address Mapping Set 1 from Menu 15.1- Address Mapping Sets. Therefore we must choose the Full Feature option from the NAT field in menu 4 or menu 11.3. Menu 4 - Internet Access Setup ISP's Name= ChangeMe Pri Phone #= 1234 Sec Phone #= All contents copyright © 2006 ZyXEL Communications Corporation. 131P-202H Plus v2 Support Notes My Login= ChangeMe My Password= ******** My WAN IP Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set= N/A Telco Options: Transfer Type= 64K Multilink= Off Idle Timeout= 100 Press ENTER to Confirm or ESC to Cancel: Step 2: Go to menu 15.1 and choose 1 (not 255, SUA this time) to begin configuring this new set. Enter a Set Name, choose the Edit Action and then select 1 from Select Rule field. Press [ENTER] to confirm. See the following setup for the four rules in our case. Rule 1 Setup: Select One-to-One type to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1. Menu 15.1.1.1 - - Rule 1 Type: One-to-One Local IP: Start= 192.168.1.10 End = N/A Global IP: Start= [Enter IGA1] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: All contents copyright © 2006 ZyXEL Communications Corporation. 132P-202H Plus v2 Support Notes Rule 2 Setup: Selecting One-to-One type to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2. Menu 15.1.1.2 - - Rule 2 Type: One-to-One Local IP: Start= 192.168.1.11 End = N/A Global IP: Start= [Enter IGA2] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3. Menu 15.1.1.3 - - Rule 3 Type: Many-to-One Local IP: Start= 0.0.0.0 End = 255.255.255.255 Global IP: Start= [Enter IGA3] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

All contents copyright © 2006 ZyXEL Communications Corporation. 133P-202H Plus v2 Support Notes Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3. Menu 15.1.1.4 - - Rule 4 Type: Server Local IP: Start= N/A End = N/A Global IP: Start=[Enter IGA3] End = N/A Server Mapping Set= 2 Press ENTER to Confirm or ESC to Cancel: When we have configured all four rules Menu 15.1.1 should look as follows. Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type --- --------------- --------------- --------------- --------------- ------

All contents copyright © 2006 ZyXEL Communications Corporation. 134P-202H Plus v2 Support Notes Press ESC or RETURN to Exit:

Rule Start Port No. End Port No. IP Address

Press ENTER to Confirm or ESC to Cancel:

4. Support Non NAT Friendly Applications

Some servers providing Internet applications such as some mIRC servers do not allow users to login using the same IP address. In this case it is better to use Many-to-Many No Overload or One-to-One NAT mapping types, thus each user login to the server using a unique global IP address. The following figure illustrates this. All contents copyright © 2006 ZyXEL Communications Corporation. 135P-202H Plus v2 Support Notes One rule configured for using Many-to-Many No Overload mapping type is shown below. Menu 15.1.1.1 - - Rule 1 Type: Many-to-Many No Overload Local IP: Start= 192.168.1.10 End = 192.168.1.12 Global IP: Start= [Enter IGA1] End = [Enter IGA3] Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: The three rules configured for using One-to-One mapping type is shown below. Menu 15.1.1.1 - - Rule 1 Type: One-to-One Local IP: All contents copyright © 2006 ZyXEL Communications Corporation. 136P-202H Plus v2 Support Notes Start= 192.168.1.10 End = N/A Global IP: Start= [Enter IGA1] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

Menu 15.1.1.2 - - Rule 2 Type: One-to-One Local IP: Start= 192.168.1.11 End = N/A Global IP: Start= [Enter IGA2] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

All contents copyright © 2006 ZyXEL Communications Corporation.

Menu 15.1.1.3 - - Rule 3 Type: One-to-One Local IP: Start= 192.168.1.12 End = N/AP-202H Plus v2 Support Notes Global IP: Start= [Enter IGA3] End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

What is IPSec? IPSec is a set of IP extensions developed by IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv.4) and also the upcoming one(IPv.6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP, and ICMP. IPSec is truly the most extensible and complete network security solution. IPSec which is based on modern cryptographic technologies enables end-to-end security so that every single piece of information sent to or from a computer can be secured. It can also be deployed inside a network to form Virtual Private Networks (VPNs) where two distincts and disparate networks become one by connecting them with a tunnel secured by IPSec. Tunnel mode IPSec in tunnel mode is normally used when the ultimate destination of the packet is different from the security termination point. We introduce two tunnel mode examples:

View Log This page guides us to setup a VPN connection between two P-202H Plus v2 routers. Please note that, in addition to P-202H Plus v2 to P-202H Plus v2, P- 202H Plus v2 can also talk to other VPN hardwards. The tested VPN hardware are shown below.

• ZyXEL VPN solutions All contents copyright © 2006 ZyXEL Communications Corporation. 139P-202H Plus v2 Support Notes

• III VPN As the figure shown below, the tunnel between P-202H Plus v2 1 and P-202H Plus v2 2 ensures the packets flow between PC 1 and PC 2 are secure. Because the packets go through the IPSec tunnel are encrypted. To achieve this VPN tunnel, the settings required for each P-202H Plus v2 are explained in the following sections.

The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 A P-202H Plus v2 B PC 2

Note: The following configurations are supposed both two VPN gateways have fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from dynamic side to fixed side to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, it is no way to establish VPN connection at all.

1. Setup P-202H Plus v2 A

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

All contents copyright © 2006 ZyXEL Communications Corporation. 140P-202H Plus v2 Support Notes

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in P-202H Plus v2 B.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. (the secure host behind P-202H Plus v2 A)

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2 A.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in P-202H Plus v2 B.

13. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. All contents copyright © 2006 ZyXEL Communications Corporation. 141P-202H Plus v2 Support Notes See the screen shot:

All contents copyright © 2006 ZyXEL Communications Corporation. 142P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B. All contents copyright © 2006 ZyXEL Communications Corporation. 143P-202H Plus v2 Support Notes

Similar to the settings for P-202H Plus v2 A, P-202H Plus v2 B is configured in the same way.

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in P-202H Plus v2 A.

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2 B)

7. Destination IP Address Start and Destination IP Address End are PC

1 IP in this example. (the secure remote host) Note: You may assign a range of Local/Remote IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2 B.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

All contents copyright © 2006 ZyXEL Communications Corporation. 144P-202H Plus v2 Support Notes

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in P-202H Plus v2 A.

13. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. See the screen shot:

All contents copyright © 2006 ZyXEL Communications Corporation. 145P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B. All contents copyright © 2006 ZyXEL Communications Corporation. 146P-202H Plus v2 Support Notes

Q: How do we know the above tunnel works? A: If the connection between PC 1 and PC 2 is ok, we know the tunnel works. Please try to ping from PC 1 to PC 2 (or PC 2 to PC 1). If PC 1 and PC 2 can ping to each other, it means that the IPSec tunnel has been established successfully. If the ping fail, there are two methods to troubleshoot IPSec in P- 202H Plus v2.

• Menu 27.2, SA Monitor Through menu 27.2, you can monitor every IPSec connections running in P- 202H Plus v2 presently. The second column of each entry indicates the IPSec rule name. So, if you can't see the name of your IPSec rule, it means that the SA establishment fails. Please go back Menu 27 to check your settings. Menu 27.2 - SA Monitor # Name Encap. IPSec ALgorithm -- -------------------------------------------------- ---------- ------------------------- 1 P-202H Plus v2A ca24f1eb6616b7c4 732c211ae9b01a0f Tunnel ESP DES-SHA1 All contents copyright © 2006 ZyXEL Communications Corporation. 147P-202H Plus v2 Support Notes

Select Command= Refresh Select Connection= N/A Press ENTER to Confirm or ESC to Cancel:

All contents copyright © 2006 ZyXEL Communications Corporation. 148P-202H Plus v2 Support Notes

To view the log for IPSec and IKE connections, please enter menu 27.3, View IPSec Log. The log menu is also useful for troubleshooting please capture to us if necessary. Please refer to the example below. Index: Date: Log:

001 01 Jan 00:15:11 <<<<INFO Sending IKE Packet == 15 002 01 Jan 00:15:11 <<<<Sending IKE Packet == 15 003 01 Jan 00:15:11 <<<<INFO Sending IKE Packet == 15 004 01 Jan 00:15:11 <<<<Sending IKE Packet == 15 005 01 Jan 00:15:16 <<<<Sending IKE Packet == 0 006 01 Jan 00:15:16 >>>>MM Receiving IKE Packet == 2 007 01 Jan 00:15:18 <<<<Sending IKE Packet == 3 008 01 Jan 00:15:18 >>>>MM Receiving IKE Packet == 4 009 01 Jan 00:15:19 <<<<Sending IKE Packet == 5 010 01 Jan 00:15:19 >>>>MM Receiving IKE Packet == 6 011 01 Jan 00:15:19 <<<<Sending IKE Packet == 6 012 01 Jan 00:15:19 >>>>QM Receiving IKE Packet == 15 013 01 Jan 00:15:19 <<<<Sending IKE Packet == 15 Clear IPSec Log (y/n): Note, the 'Log' column in the current 3.50(WA.0) firmware just shows the IKE state flow. In the future firmware, we will enhance it to show packet information (such as protocol type, port number).

This page guides us to setup a VPN connection between the VPN software and P-202H Plus v2 router. There will be several devices we need to setup for this case. They are VPN software and P-202H Plus v2 router. As the figure shown below, the tunnel between PC 1 and P-202H Plus v2 ensures the packets flow between them are secure. Because the packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required settings for the software and P-202H Plus v2 are explained in the following sections. All contents copyright © 2006 ZyXEL Communications Corporation. 149P-202H Plus v2 Support Notes The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 PC2

2. Add a new connection named 'P-202H Plus v2' as shown below.

3. Select Connection Security to Secure

All contents copyright © 2006 ZyXEL Communications Corporation. 150P-202H Plus v2 Support Notes

Remote Party Identity and Addressing settings:

4. In ID Type option, please choose IP Address option, and enter the IP address

of the remote PC (PC 2 in this case).

5. Check Connect using Secure Gateway Tunnel, please also select IP

Address as ID Type, and enter P-202H Plus v2's WAN IP address in the following field. All contents copyright © 2006 ZyXEL Communications Corporation. 151P-202H Plus v2 Support Notes The detailed configuration is shown in the following figure. Pre-Share Key Settings:

6. Extend P-202H Plus v2 icon, you may see My Identity.

7. Click My Identity, click the Pre-Shared Key icon in the right side of the

8. Enter a key you that later you will also need to configure in P-202H Plus v2 in

the pop out windows. In this example, we enter 12345678. See below. All contents copyright © 2006 ZyXEL Communications Corporation. 152P-202H Plus v2 Support Notes Security Policy Settings: All contents copyright © 2006 ZyXEL Communications Corporation. 153P-202H Plus v2 Support Notes

9. Click Security Policy option to choose Main Mode as Phase 1 Negotiation

10. Extend Security Policy icon, you will see two icons, Authentication (Phase

1) and Key Exchange (Phase 2).

11. The settings shown in the following two figures for both Phases are our

examples. You can choose any, but they should match whatever you enter in P-202H Plus All contents copyright © 2006 ZyXEL Communications Corporation. 154P-202H Plus v2 Support Notes v2.

All contents copyright © 2006 ZyXEL Communications Corporation. 155P-202H Plus v2 Support Notes

2. Setup P-202H Plus v2 VPN

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in Soft-PK.

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

1 in this example. (the secure remote host) Note: You may assign a range of Source/Destination IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is PC 1 in

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

SHA1, as we configured in Soft-PK.

13. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. All contents copyright © 2006 ZyXEL Communications Corporation. 156P-202H Plus v2 Support Notes Figure 8: See the VPN rule screen shot

All contents copyright © 2006 ZyXEL Communications Corporation. 157P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. All contents copyright © 2006 ZyXEL Communications Corporation. 158P-202H Plus v2 Support Notes Please note that any configuration in 'IKE Setup' should match the settings in VPN software.

Network Diagram Key In our network diagram figures, a dotted line indicates a logical connection (i.e., the two devices are not physically attached), a solid line indicates a physical connection (i.e., there is a physical link between the two devices and they are directly attached), and a pipe indicates a secure connection between two devices.

2. P-202H Plus v2 vs 3rd Party VPN Gateway

P-202H Plus v2 to P-202H Plus v2 Tunneling . This page guides us to setup a VPN connection between two P-202H Plus v2 routers. Please note that, in addition to P-202H Plus v2 to P-202H Plus v2, P- 202H Plus v2 can also talk to other VPN hardwards. The tested VPN hardware are shown below.

• ZyXEL VPN solution All contents copyright © 2006 ZyXEL Communications Corporation. 159P-202H Plus v2 Support Notes

• III VPN As the figure shown below, the tunnel between P-202H Plus v2 1 and P-202H Plus v2 2 ensures the packets flow between PC 1 and PC 2 are secure. Because the packets go through the IPSec tunnel are encrypted. To achieve this VPN tunnel, the settings required for each P-202H Plus v2 are explained in the following sections.

The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 A P-202H Plus v2 B PC 2

Note: The following configurations are supposed both two VPN gateways have fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from dynamic side to fixed side to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, it is no way to establish VPN connection at all.

1. Setup P-202H Plus v2 A

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234. All contents copyright © 2006 ZyXEL Communications Corporation. 160P-202H Plus v2 Support Notes

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in P-202H Plus v2 B.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. (the secure host behind P-202H Plus v2 A)

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2 A.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in P-202H Plus v2 B.

13. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. All contents copyright © 2006 ZyXEL Communications Corporation. 161P-202H Plus v2 Support Notes See the screen shot:

If you use SMT management, the VPN configurations are as shown below. All contents copyright © 2006 ZyXEL Communications Corporation. 162P-202H Plus v2 Support Notes

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B. All contents copyright © 2006 ZyXEL Communications Corporation. 163P-202H Plus v2 Support Notes

Similar to the settings for P-202H Plus v2 A, P-202H Plus v2 B is configured in the same way.

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in P-202H Plus v2 A.

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2 B)

7. Destination IP Address Start and Destination IP Address End are PC

1 IP in this example. (the secure remote host) Note: You may assign a range of Local/Remote IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2 B.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

All contents copyright © 2006 ZyXEL Communications Corporation. 164P-202H Plus v2 Support Notes

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in P-202H Plus v2 A.

13. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. See the screen shot:

If you use SMT management, the VPN configurations are as shown below. All contents copyright © 2006 ZyXEL Communications Corporation. 165P-202H Plus v2 Support Notes

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu 27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B. All contents copyright © 2006 ZyXEL Communications Corporation. 166P-202H Plus v2 Support Notes

Q: How do we know the above tunnel works? A: If the connection between PC 1 and PC 2 is ok, we know the tunnel works. Please try to ping from PC 1 to PC 2 (or PC 2 to PC 1). If PC 1 and PC 2 can ping to each other, it means that the IPSec tunnel has been established successfully. If the ping fail, there are two methods to troubleshoot IPSec in P- 202H Plus v2.

• Menu 27.2, SA Monitor Through menu 27.2, you can monitor every IPSec connections running in P- 202H Plus v2 presently. The second column of each entry indicates the IPSec rule name. So, if you can't see the name of your IPSec rule, it means that the SA establishment fails. Please go back Menu 27 to check your settings. All contents copyright © 2006 ZyXEL Communications Corporation.

Select Command= Refresh Select Connection= N/A Press ENTER to Confirm or ESC to Cancel:

All contents copyright © 2006 ZyXEL Communications Corporation. 168P-202H Plus v2 Support Notes

To view the log for IPSec and IKE connections, please enter menu 27.3, View IPSec Log. The log menu is also useful for troubleshooting please capture to us if necessary. The example shown below is a successful IPSec connection. Index: Date/Time: Log:

All contents copyright © 2006 ZyXEL Communications Corporation. 169P-202H Plus v2 Support Notes The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 Cisco PC 2

1. When using Cisco Router to establish VPN, back-to-back connection is not

applicable. In other words, the WAN IP of P-202H Plus v2 and Cisco router can't be in the same subnet.

2. The following configurations are supposed both two VPN gateways have fixed

IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from dynamic side to fixed side to update its dynamic IP to the fixed side. From this connection, the source IP is obtained and then update to the previous

0.0.0.0 field. However, if both gateways use dynamic IP addresses, it is no way

to establish VPN connection at all. If the WAN IP of P-202H Plus v2 is also dynamic IP, we enter 0.0.0.0 as its My IP Address. When this IP is given by ISP, it will update to this field.

1. Setup P-202H Plus v2

1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in

URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in Sonicwall.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is

Sonicwall WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

All contents copyright © 2006 ZyXEL Communications Corporation.

ESP check box. (AH can not be used in SUA/NAT case)P-202H Plus v2 Support Notes

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in Sonicwall.

13. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. See the screen shot:

2 Setup Cisco All contents copyright © 2006 ZyXEL Communications Corporation.

There are two ways to configure Cisco VPN, use commands from console or use Cisco ConfigMaker. Cisco ConfigMaker is an easy-to-use Windows 98/Me/NT/2000 application that configures Cisco routers, switches, hubs, and other devices. We will guide you how to setup IPSec by using Cisco ConfigMakerP-202H Plus v2 Support Notes in section 2.1. If you prefer to use commands from console, please go to section

2.1 Setup Ciscro by ConfigMaker

You can download Cisco ConfigMaker from http://www.cisco.com/warp/public/cc/pd/nemnsw/cm/index.shtml.

1. Select AutoDetect device Wizard in Devices window.

2. Make sure that the console has been connected to your PC. If the router is

detected successfully, a Cisco router should appear in the Network Diagram Window.

3. Click right button of the mouse, choose Device Properties.... In

Passwords tab, setup the passwords for this router. See the screen shot:

4. From Devices window choose a router, and add this router in Network

Diagram. Rename it as "P-202H Plus v2". Assign passwords, choose TCP/IP as it's protocol, and then set the interface of WAN slot 0 as 1 Ethernet. All contents copyright © 2006 ZyXEL Communications Corporation. 172P-202H Plus v2 Support Notes See the screen shot:

5. Layout your network topology in the Network Diagram as shown below.

You may choose network components, such as hosts, Internet, Ethernet LAN from the Devices window. All contents copyright © 2006 ZyXEL Communications Corporation. 173P-202H Plus v2 Support Notes See the screen shot:

6. Connect the network components by Ethernet from the Connections

window in the left bottom. Specify the WAN and LAN IP addresses to P- 202H Plus v2 and Cisco. All contents copyright © 2006 ZyXEL Communications Corporation. 174P-202H Plus v2 Support Notes See the screen shot:

7. Select VPN from Connections window. During this stage, you have to

enter the pre-shared key, "12345678". All contents copyright © 2006 ZyXEL Communications Corporation. 175P-202H Plus v2 Support Notes See the screen shot:

8. Select VPN, then click the right button of the mouse, and choose

connection Properties.... Setup IPSec parameters as shown below. Note that the parameters you set here should match settings in P-202H Plus v2. In IKE Advanced Settings, Encryption Algorithm is 56-bit DES, Authentication Algorithm is MD5 and the SA lifetime is 1 hr. In IPSec Transform, Encryption Algorithm is 56-bit DES, Authentication Algorithm is MD5, and SA lifetime is 1 hr. All contents copyright © 2006 ZyXEL Communications Corporation. 176P-202H Plus v2 Support Notes See the screen shot:

9. Choose the Cisco router, and click Deliver to save the settings.

All contents copyright © 2006 ZyXEL Communications Corporation. 177P-202H Plus v2 Support Notes See the screen shot:

10. Enter Cisco commands mode from console and check if Cisco can make

a successful ping to P-202H Plus v2. You might have to tune the configuration to accommodate your practical environment. For more detailed information, please go to http://www.cisco.com

12. After all of the settings, if PC1 and PC2 can reach each other, then IPSec

VPN has been established successfully. There is also an useful command to debug IPSec VPN, "debug crypto ipsec".

2.2 Setup Cisco by Commands

Note that, in order to setup Cisco by commands, you have to connect your PC and Cisco route by a console cable. Enter the following commands one per line. All contents copyright © 2006 ZyXEL Communications Corporation.

version 12.2 no parser cache no service single-slot-reload-enable service timestamps debug uptime service timestamps log uptime service password-encryption

ip audit notify log ip audit po max-events 100 ip ssh time-out 120 ip ssh authentication-retries 3 no ip dhcp-client network-discovery

interface FastEthernet0 description connected to EthernetLAN_1 ip address 192.168.2.1 255.255.255.0 speed auto

no scheduler allocate end After all of the settings, if PC1 and PC2 can reach each other, then IPSec VPN has been established successfully. There is also a useful command to debug IPSec VPN, "debug crypto ipsec". P-202H Plus v2 to SonicWALL Tunneling This page guides us to setup a VPN connection between P-202H Plus v2 and SonicWALL. As the figure shown below, the tunnel between PC 1 and PC 2 ensures the packets flow between them are secure. To setup this VPN tunnel, the required settings for P-202H Plus v2 and SonicWALL are explained in the following sections.

The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 Sonicwall PC 2

Note: The following configurations are supposed both two VPN gateways have fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from dynamic side to fixed side to update its dynamic IP to the fixed side. From this connection, the source IP is obtained and then update to the previous

0.0.0.0 field. However, if both gateways use dynamic IP addresses, it is no way

to establish VPN connection at all.

All contents copyright © 2006 ZyXEL Communications Corporation. 181P-202H Plus v2 Support Notes

1. Setup P-202H Plus v2

1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in

URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in Sonicwall.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is

Sonicwall WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in Sonicwall.

13. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. All contents copyright © 2006 ZyXEL Communications Corporation. 182P-202H Plus v2 Support Notes See the screen shot:

1. Login SonicWALL by giving the LAN IP address of SonicWALL, default is

3. Select NAT Enabled as the Network Addressing Mode.

4. In LAN Settings, enter a LAN IP and Subnet Mask for SonicWALL.

5. In WAN Settings, enter a WAN IP, Subnet Mask, and WAN Gateway for

SonicWALL. All contents copyright © 2006 ZyXEL Communications Corporation. 183P-202H Plus v2 Support Notes

6. In DNS Settings, enter the DNS IP.

7. Click Update to save the settings to SonicWALL.

12. In Name option, give a name for this SA.

13. In IPSec Gateway Address, enter P-202H Plus v2 WAN IP

14. In Encryption Method option, select Encrypt and Authenticate (ESP

15. In Shared Secret option, enter 12345678 as the secret key.

16. Click Add New Network.

17. In Edit VPN Destination Network, enter remote secure host in Network

field, PC 1 in the case. And also enter its subnet mask and click Update.

All contents copyright © 2006 ZyXEL Communications Corporation. 184P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation.

If the SA is up, you can see a new button, Renegotiate appears in the Summary screen.P-202H Plus v2 Support Notes P-202H Plus v2 to WatchGuard Tunneling This page guides us to setup a VPN connection between P-202H Plus v2 and WatchGuard. As the figure shown below, the tunnel between PC 1 and PC 2 ensures the packets flow between them are secure. To setup this VPN tunnel, the required settings for P-202H Plus v2 and WatchGuard are explained in the following sections. The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 WatchGuard PC 2

Note: The following configurations are supposed both two VPN gateways have fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from dynamic side to fixed side to update its dynamic IP to the fixed side. From this connection, the source IP is obtained and then update to the previous

0.0.0.0 field. However, if both gateways use dynamic IP addresses, it is no way

to establish VPN connection at all.

1. Setup P-202H Plus v2

1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in

URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

All contents copyright © 2006 ZyXEL Communications Corporation.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is

WatchGuard WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in WatchGuard.

13. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. All contents copyright © 2006 ZyXEL Communications Corporation. 187P-202H Plus v2 Support Notes See the screen shot:

3. In External Interface, enter the WAN IP for WatchGuard; and in Trusted

Interface, enter the LAN IP for WatchGuard. Then click Next.

4. Enter the Default Gateway of WatchGuard then click Next twice.

5. Enter your passwords for Status and Configuration then click Next.

All contents copyright © 2006 ZyXEL Communications Corporation. 188P-202H Plus v2 Support Notes

6. Select Use Serial Cable to Assign IP Address and Serial Port of your

computer then click Next and OK.

7. Turn the Firebox off and on again. Wait for the configuration file to be

9. Pull down Network -> Branch Office VPN -> IPSec. See the figure below.

10. Click Gateway, and click Add.

11. Enter a name for remote security gateway in Name field, enter the remote

gateway IP in Remote Gateway IP field. All contents copyright © 2006 ZyXEL Communications Corporation. 189P-202H Plus v2 Support Notes

12. Select isakmp (dynamic) (IKE in P-202H Plus v2) as Key Negotiation

Type and enter a string as Share Key.I

13. Click Tunnels, and click Add.

14. Select the Gateway you had created and click OK.

15. Enter a name in Name field for this Tunnel.

16. Click Dynamic Security tab, select Type, Authentication and

Encryption for your SAP. These settings must be consistant with P-202H Plus v2 settings. All contents copyright © 2006 ZyXEL Communications Corporation. 190P-202H Plus v2 Support Notes

17. Enable the Key expiration. Then click OK twice. (ESP, MD5-HMAC,

18. Click Add in the main menu to Add Routing Policy.

19. In Local Host, enter PC1 IP; in Remote Host, enter PC2 IP, then select

Secure in Disposition and Tunnel you had created. Then click OK twice.

All contents copyright © 2006 ZyXEL Communications Corporation. 191P-202H Plus v2 Support Notes

20. Select 'Save to Firebox' and enter the write pass phrase for your

WatchGuard. P-202H Plus v2 to NETSCREEN Tunneling This page guides us to setup a VPN connection between P-202H Plus v2 and NETSCREEN. As the figure shown below, the tunnel between PC 1 and PC 2 ensures the packets flow between them are secure. To setup this VPN tunnel, the required settings for P-202H Plus v2 and NETSCREEN are explained in the following sections.

The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 NETSCREEN PC 2

192.168.1.33 LAN: 192.168.1.1 LAN: 192.168.78.1 192.168.78.5

All contents copyright © 2006 ZyXEL Communications Corporation. 192P-202H Plus v2 Support Notes WAN: 202.132.154.1 WAN: 168.10.10.66 Note: The following configurations are supposed both two VPN gateways have fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from dynamic side to fixed side to update its dynamic IP to the fixed side. From this connection, the source IP is obtained and then update to the previous

0.0.0.0 field. However, if both gateways use dynamic IP addresses, it is no way

to establish VPN connection at all.

1. Setup P-202H Plus v2

1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in

URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in NETSCREEN.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. If a range of IP is used, please enter the start IP and the end IP. For example, 192.168.1.33 to 192.168.1.35.

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is

NETSCREEN WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in NETSCREEN.

13. Enter the key string

12345678 in the Preshared Key text box, and click Apply. All contents copyright © 2006 ZyXEL Communications Corporation. 193P-202H Plus v2 Support Notes See the screen shot:

If you use SMT management, the VPN configurations are as shown below. All contents copyright © 2006 ZyXEL Communications Corporation. 194P-202H Plus v2 Support Notes

1. Edit IKE settings by selecting Edit IKE Setup option in menu27.1.1 to Yes and

then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels All contents copyright © 2006 ZyXEL Communications Corporation. 195P-202H Plus v2 Support Notes for data transmission.

1. Configure NETSCREEN by using its web configurator.

2. Login NETSCREEN by giving the LAN IP address of NETSCREEN in URL

field Create Local & Remote Secure Host:

1. Click Address menu and click Trusted tab.

2. Click New Address to add the local secure host (192.168.78.5 in this

example) and give a name to this host address (Local Secure Host in this example). See the screen shown below. Note: The Netmask field here for single IP is 255.255.255.255. Please do not enter the wrong netmask, otherwise, VPN can not be established correctly. All contents copyright © 2006 ZyXEL Communications Corporation. 196P-202H Plus v2 Support Notes

3. Click OK to save it.

4. Click New Address to add the remote secure host (192.168.1.33 in this

example) and give a name to this host address (Remote Secure Host in this example). See the screen shown below. Note: The Netmask field here for single IP is 255.255.255.255. Please do not enter the wrong netmask, otherwise, VPN can not be established correctly. All contents copyright © 2006 ZyXEL Communications Corporation. 197P-202H Plus v2 Support Notes

5. Click OK to save it.

Create Outgoing & Incoming VPN Policy:

1. Click Policy menu and click Outgoing tab.

2. Click New Policy to configure the outgoing VPN policy.

3. Give a name to the policy.

4. Select the Local Secure Host that we configured above as the Source

5. Select the Remote Secure Host that we configured above as the

Destination Address.

6. Select ANY as the Service.

7. For the rest settings please refer to the following screen shot. And click

OK to save. All contents copyright © 2006 ZyXEL Communications Corporation. 198P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation.

9. Click New Policy to configure the incoming VPN policy.

10. Give a name to the policy.

11. Select the Remote Secure Host that we configured above as the Source

12. Select the Local Secure Host that we configured above as the

Destination Address.

13. Select ANY as the Service.

14. For the rest settings please refer to the following screen shot. And click

OK to save. All contents copyright © 2006 ZyXEL Communications Corporation. 200P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 201P-202H Plus v2 Support Notes Create Phase 1 Proposal: Note that all phase 1 and phase 2 settings in NETSCREEN must be consistent with P-202H Plus v2.

1. Click VPN menu and click P1 Proposal tab.

2. Click New Phase 1 Proposal to create phase 1 proposal.

3. Give a Name for this proposal, for example P-202H Plus v2.

4. Select Preshare as the Authentication Method.

5. Select Group 1 as DH Group.

6. Select DES-CBC as Encryption Algorithm.

7. Select MD5 as Hash Algorithm.

8. Enter 3600 in Lifetime field, check Sec checkbox. See the sceen shot

below. Create Phase 2 Proposal:

3. Check Encryption (ESP) checkbox and select DES-CBC and MD5 as the

Encryption Algorithm and the Authentication Algorithm. See the All contents copyright © 2006 ZyXEL Communications Corporation. 202P-202H Plus v2 Support Notes screenshot. Create VPN Gateway:

1. Click VPN menu and click Gateway tab.

2. Click New Remote Tunnel Gateway to add the local VPN gateway, i.e.,

3. Give a name to this gateway, for example NETSCREEN.

4. Click Static IP Address as for this example.

5. Enter WAN IP of NETSCREEN in the IP Address field.

6. Select P-202H Plus v2 that we configure above as the Phase 1 Proposal.

All contents copyright © 2006 ZyXEL Communications Corporation. 203P-202H Plus v2 Support Notes

7. Enter 12345678 as the Preshared Key and click OK to save. See the

8. Click New Remote Tunnel Gateway to add the remote VPN gateway, i.e.,

9. Give a name to this gateway, for example P-202H Plus v2.

10. Click Static IP Address as for this example.

11. Enter WAN IP of P-202H Plus v2 in the IP Address field.

12. Select P-202H Plus v2 that we configure above as the Phase 1 Proposal.

All contents copyright © 2006 ZyXEL Communications Corporation. 204P-202H Plus v2 Support Notes

13. Enter 12345678 as the Preshared Key and click OK to save. See the

2. Click New AutoKey IKE Entry to add the entry for the local gateway, i.e.,

3. Select NETSCREEN as the Remote Gateway Tunnel Name.

4. Select P-202H Plus v2 as Phase 2 Proposal and click OK to save. See

the screen shot. All contents copyright © 2006 ZyXEL Communications Corporation. 205P-202H Plus v2 Support Notes

5. Click VPN menu and click AutoKey IKE tab.

6. Click New AutoKey IKE Entry to add the entry for the remote gateway,

i.e., P-202H Plus v2.

7. Select P-202H Plus v2 as the Remote Gateway Tunnel Name.

8. Select P-202H Plus v2 as Phase 2 Proposal and click OK to save. See

the screen shot. All contents copyright © 2006 ZyXEL Communications Corporation. 206P-202H Plus v2 Support Notes

9. After all above settings have been finished, you can start to access the remote

secure PC. If the VPN is established successfully, you can see the traffic flow from the Traffic Log by clicking Log menu. See the following screen shot. All contents copyright © 2006 ZyXEL Communications Corporation. 207P-202H Plus v2 Support Notes

You can also see the current active user from the Active Log by clicking Log menu. See the following screen shot.

3. P-202H Plus v2 vs 3rd Party VPN Software

All contents copyright © 2006 ZyXEL Communications Corporation. 208P-202H Plus v2 Support Notes Checkpoint VPN to P-202H Plus v2 Tunneling This page guides us to setup a VPN connection between Checkpoint VPN and P- 202H Plus v2 router. As the figure shown below, the tunnel between P-202H Plus v2 and Checkpoint ensures the packets flow between them are secure. Because the packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required settings for the software and P-202H Plus v2 are explained in the following. The IP addresses we use in this example are as shown below. LAN 1 Checkpoint P-202H Plus

Remove default fliter rule from Menu 3.1 All contents copyright © 2006 ZyXEL Communications Corporation. 209P-202H Plus v2 Support Notes Edit LAN segment of P-202H Plus v210. In this example, we setup P-202H Plus v210 as DHCP server, and it’s LAN IP address is 192.168.99.1. Edit Internet Access of P-202H Plus v210. All contents copyright © 2006 ZyXEL Communications Corporation. 210P-202H Plus v2 Support Notes In SMT menu 27, create a VPN rule like following.

All contents copyright © 2006 ZyXEL Communications Corporation. 211P-202H Plus v2 Support Notes

Creating Network objects. Click on New/Network, define the LAN segment of P-202H Plus v2. Select Locationa as External. (Note-Internal and external refer to whether this network is protected behind the Checkpoint or not.) All contents copyright © 2006 ZyXEL Communications Corporation. 212P-202H Plus v2 Support Notes Define the LAN segment of Checkpoint. Select Location as Internal. If there are more than one network would like to utilize the VPN tunnel. You can merge the networks into one group.

• Go to Manage/Network Objects.

• Fill in the properties for the group objects as shown below. All contents copyright © 2006 ZyXEL Communications Corporation. 213P-202H Plus v2 Support Notes Creating VPN Objects Define P-202H Plus v2 box as a tunnel end point. (Name: SOHO_TEST) Select VPN tab to define the protected domain of ZW, and the Encryption schemes used by the tunnel. All contents copyright © 2006 ZyXEL Communications Corporation. 214P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 215P-202H Plus v2 Support Notes Define checkpoint box as a tunnel endpoint. Select VPN tab to define the protected domain of Checkpoint, and the Encryption schemes used by the tunnel. Choose IKE and press Edit… to edit the Phase1 parameters and pre-shared key. All contents copyright © 2006 ZyXEL Communications Corporation. 216P-202H Plus v2 Support Notes Edit pre-shared key by selecting Pre-Shared Secret in Authentication Method. Choose Pre-Shared Secret then press Edit-Secretes… Select SOHO_TEST as peer, and input the pre-shared key. Define VPN policy. Create a new rule at or near the top of the policy. This rule should include both encryption domains as both source and destination and the action should be encrypt as shown below. All contents copyright © 2006 ZyXEL Communications Corporation. 217P-202H Plus v2 Support Notes Double click on the "encrypt" action to edit the encryption properties. Select IKE as the form of encryption, and click on edit and select the Phase 2 parameters. WIN2K VPN to P-202H Plus v2 This page guides us to setup a VPN connection between the WIN2K VPN software and P-202H Plus v2 router. There will be several devices we need to setup for this case. They are WIN2K VPN software and P-202H Plus v2 router. All contents copyright © 2006 ZyXEL Communications Corporation.

As the figure shown below, the tunnel between PC 1 and P-202H Plus v2 ensures the packets flow between them are secure. Because the packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required settings for WIN2K and P-202H Plus v2 are explained in the following sections. As the red pipe shown in the following figure, the tunneling endpoints are WIN2K and P-202H Plus v2.P-202H Plus v2 Support Notes The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 PC2

1. From Windows desktop, click Start, click Run, and in the Open textbox

All contents copyright © 2006 ZyXEL Communications Corporation. 219P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 220P-202H Plus v2 Support Notes

4. In the Add Standalone Snap-in dialog box, click Computer

Management, and then click Add.

5. Verify that Local Computer (default setting) is selected, and click Finish.

All contents copyright © 2006 ZyXEL Communications Corporation. 221P-202H Plus v2 Support Notes

6. In the Add Standalone Snap-in dialog box, click Group Policy, and then

7. Verify that Local Computer (default setting) is selected in the Group

Policy Object dialog box, and then click Finish.

All contents copyright © 2006 ZyXEL Communications Corporation. 222P-202H Plus v2 Support Notes

8. In the Add Standalone Snap-in dialog box, click Certifications, and then

9. In the Certificates snap-in dialog box, select Computer account, and

click Next. All contents copyright © 2006 ZyXEL Communications Corporation. 223P-202H Plus v2 Support Notes

10. Verify that Local Computer (default setting) is selected, and click Finish.

12. Click OK to close the Add/Remove Snap-in dialog box.

- Create IPSec Policy Typically, Windows 2000 gateway is not a member of a domain, so a local IPSec policy is created. If your Windows 2000 gateway is a member of a domain that already exists an local IPSec policy. In this case, you can create an Organization Unit (OU) in Active Directory to make your WIN2K as a member of this OU by assigning the IPSec policy to the Group Policy Object (GPO) of this OU. For more information, please refer to the Assigning IPSec Policy section of Windows 2000 online help.

1. From Windows desktop, click Start, click Run, and in the Open textbox

type SECPOL.MSC. Click OK. All contents copyright © 2006 ZyXEL Communications Corporation. 225P-202H Plus v2 Support Notes

2. Right click IP Security Policies on Local Machine, and then click Create

3. Click Next, and type a name for your policy. For example, WIN2K to P-

All contents copyright © 2006 ZyXEL Communications Corporation. 227P-202H Plus v2 Support Notes

5. Keep the Edit properties check box selected and click Finish.

5. A dialog window will bring up for you to configure two filter rules for this

policy. All contents copyright © 2006 ZyXEL Communications Corporation.

228P-202H Plus v2 Support Notes Note: The IPSec policy is created with default IKE main mode (phase 1) on the General tab. Please check details by clicking the Advanced on this tab. The IPSec tunnel consists of two rules, each of which specifies a tunnel endpoint. Because there are two endpoints so we need two filter rules. One is for the direction from PC 1 to PC 2 (endpoint is P-202H Plus v2), and the other is from PC 2 to PC 1 (endpoint is WIN2K). In each rule, a source IP and destination IP for local and remote VPN clients (PC 1 or PC 2) are required. See the guides below. - Build a Filter List from PC 1 to PC 2

1. In policy properties, uncheck Use Add Wizard check box, and click Add

to create a new rule. All contents copyright © 2006 ZyXEL Communications Corporation. 229P-202H Plus v2 Support Notes

2. On the IP Filter List tab, click Add.

All contents copyright © 2006 ZyXEL Communications Corporation. 230P-202H Plus v2 Support Notes

3. Type a name for the filter list (e.g., WIN2K to P-202H Plus v2), uncheck

Use Add Wizard check box, and click Add. All contents copyright © 2006 ZyXEL Communications Corporation. 231P-202H Plus v2 Support Notes

4. In the Source address, choose A specific IP Address, and enter the IP

All contents copyright © 2006 ZyXEL Communications Corporation. 232P-202H Plus v2 Support Notes

5. In the Destination address, choose A specific IP Address, and enter

the IP address of PC 2

All contents copyright © 2006 ZyXEL Communications Corporation. 233P-202H Plus v2 Support Notes

7. On the Protocol tab, leave the protocol type to Any, because IPSec

tunnels do not support protocol-specific or port specific filters.

8. On the Description tab, you can give a name for this filter list. The filter

name is displayed in the IPSec monitor when the tunnel is active.

All contents copyright © 2006 ZyXEL Communications Corporation. 234P-202H Plus v2 Support Notes

9. Click OK and Close to close the windows.

- Build a Filter List from PC 2 to PC 1

All contents copyright © 2006 ZyXEL Communications Corporation. 235P-202H Plus v2 Support Notes

2. Type a name for the filter list (e.g., P-202H Plus v2 to WIN2K), uncheck

Use Add Wizard check box, and click Add.

3. In the Source address, choose A specific IP Address, and enter the IP

All contents copyright © 2006 ZyXEL Communications Corporation. 236P-202H Plus v2 Support Notes

4. In the Destination address, choose A specific IP Address, and enter

the IP address of PC 1

5. Uncheck Mirror check box.

All contents copyright © 2006 ZyXEL Communications Corporation. 237P-202H Plus v2 Support Notes

6. On the Protocol tab, leave the protocol type to Any, because IPSec

tunnels do not support protocol-specific or port specific filters.

All contents copyright © 2006 ZyXEL Communications Corporation. 238P-202H Plus v2 Support Notes

7. On the Description tab, you can give a name for this filter list. The filter

name is displayed in the IPSec monitor when the tunnel is active.

8. Click OK and Close to close the windows.

All contents copyright © 2006 ZyXEL Communications Corporation. 239P-202H Plus v2 Support Notes - Configure a Rule for PC 1 to PC 2 tunnel

1. Select the first filter list you created above from the IP Filter List. For

example, WIN2K to P-202H Plus v2.

2. Click Tunnel Setting tab, enter the remote endpoint. For this filter list, the

remote IPSec endpoint is P-202H Plus v2. All contents copyright © 2006 ZyXEL Communications Corporation.

3. Click Connection Type tab, click All network connections (or click LAN

connections if your WIN2K does not connect to ISP but LAN). In our example, we choose All network connections.

All contents copyright © 2006 ZyXEL Communications Corporation. 241P-202H Plus v2 Support Notes

5. Leave Negotiate security as checked, and uncheck Accept unsecured

communication, but always respond using IPSec check box. You must do this to ensure secure connections.

6. Click Add and select Custom (for expert users) if you want to define

specific algorithms and session key lifetimes). Please make sure the settings match whatever we will configure in P-202H Plus v2 later.

All contents copyright © 2006 ZyXEL Communications Corporation. 242P-202H Plus v2 Support Notes

7. Click OK. On the General tab, give a name to the filter action. For

example, WIN2K to P-202H Plus v2, and click OK.

All contents copyright © 2006 ZyXEL Communications Corporation. 243P-202H Plus v2 Support Notes

8. Select the filter action you just created.

9. On the Authentication Methods tab, click Add to select Use this string

to protect the key exchange (pre-shared key) option. And enter the string 12345678 in the text box.

See the finished screen shot.

All contents copyright © 2006 ZyXEL Communications Corporation. 245P-202H Plus v2 Support Notes - Configure a Rule for PC 2 to PC 1 tunnel

1. In the IPSec policy properties, click Add to create a new rule.

2. Select the second filter list you created above from the IP Filter List. For

All contents copyright © 2006 ZyXEL Communications Corporation. 246P-202H Plus v2 Support Notes

3. Click Tunnel Setting tab, enter the remote endpoint. For this filter list, the

remote IPSec endpoint is WIN2K.

4. Click Connection Type tab, click All network connections (or click LAN

connections if your WIN2K does not connect to ISP but LAN). In our example, we choose All network connections. All contents copyright © 2006 ZyXEL Communications Corporation. 247P-202H Plus v2 Support Notes

5. Click Filter Action tab, select the filter action you created.

6. On the Authentication Method tab, configure the same settings as done

All contents copyright © 2006 ZyXEL Communications Corporation. 248P-202H Plus v2 Support Notes

8. Enable both rules you created in the policy properties and click Close.

Figure 5: See the finished screen shot

1. In the IP Security Policies on Local Machine MMC snap-in, right click your

new policy, and click Assign.

2. A green arrow will appear in the folder icon next to your policy. See the

All contents copyright © 2006 ZyXEL Communications Corporation. 250P-202H Plus v2 Support Notes For more information about configure WIN2K IPSec, please refer to the following web site.

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in WIN2K.

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

1 in this example. (the secure WIN2K PC) Note: You may assign a range of Source/Destination IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote WIN2K's IP, that is PC 1 in this

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in WIN2K.

13. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. All contents copyright © 2006 ZyXEL Communications Corporation. 251P-202H Plus v2 Support Notes Figure 8: See the VPN rule screen shot

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu 27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. Please note that any configuration in 'IKE Setup' should match the settings configured in WIN2K Menu 27.1.1.1 - IKE Setup Phase 1 Negotiation Mode= Main Pre-Shared Key= 12345678 Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 3600 Key Group= DH1 Phase 2 Active Protocol= ESP Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 3600 Encapsulation= Tunnel All contents copyright © 2006 ZyXEL Communications Corporation. 253P-202H Plus v2 Support Notes Perfect Forward Secrecy (PFS)= None Press ENTER to Confirm or ESC to Cancel Soft-PK VPN to P-202H Plus v2 Tunneling This page guides us to setup a VPN connection between the VPN software and P-202H Plus v2 router. There will be several devices we need to setup for this case. They are VPN software and P-202H Plus v2 router. As the figure shown below, the tunnel between PC 1 and P-202H Plus v2 ensures the packets flow between them are secure. Because the packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required settings for the software and P-202H Plus v2 are explained in the following sections. The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 PC2

2. Add a new connection named 'P-202H Plus v2' as shown below.

3. Select Connection Security to Secure

Remote Party Identity and Addressing settings:

4. In ID Type option, please choose IP Address option, and enter the IP address

of the remote PC (PC 2 in this case).

5. Check Connect using Secure Gateway Tunnel, please also select IP

Address as ID Type, and enter P-202H Plus v2's WAN IP address in the following field. All contents copyright © 2006 ZyXEL Communications Corporation. 255P-202H Plus v2 Support Notes The detailed configuration is shown in the following figure. Pre-Share Key Settings:

6. Extend P-202H Plus v2 icon, you may see My Identity.

7. Click My Identity, click the Pre-Shared Key icon in the right side of the

8. Enter a key you that later you will also need to configure in P-202H Plus v2 in

the pop out windows. In this example, we enter 12345678. See below. All contents copyright © 2006 ZyXEL Communications Corporation. 256P-202H Plus v2 Support Notes Security Policy Settings: All contents copyright © 2006 ZyXEL Communications Corporation. 257P-202H Plus v2 Support Notes

9. Click Security Policy option to choose Main Mode as Phase 1 Negotiation

10. Extend Security Policy icon, you will see two icons, Authentication (Phase

1) and Key Exchange (Phase 2).

11. The settings shown in the following two figures for both Phases are our

examples. You can choose any, but they should match whatever you enter in P- 202H Plus v2. All contents copyright © 2006 ZyXEL Communications Corporation. 258P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 259P-202H Plus v2 Support Notes

2. Setup P-202H Plus v2 VPN

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in Soft-PK.

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

1 in this example. (the secure remote host) Note: You may assign a range of Source/Destination IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is PC 1 in

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

SHA1, as we configured in Soft-PK.

13. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. All contents copyright © 2006 ZyXEL Communications Corporation. 260P-202H Plus v2 Support Notes Figure 8: See the VPN rule screen shot

All contents copyright © 2006 ZyXEL Communications Corporation. 261P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. All contents copyright © 2006 ZyXEL Communications Corporation. 262P-202H Plus v2 Support Notes Please note that any configuration in 'IKE Setup' should match the settings in VPN software. Linux FreeS/WAN VPN to P-202H Plus v2 Tunneling This page guides us to setup a VPN connection between FreeS/WAN and P- 202H Plus v2 router. There will be several devices we need to setup for this case. They are Linux FreeS/WAN and P-202H Plus v2 router. As the figure shown below, the tunnel between PC 1 and P-202H Plus v2 ensures the packets flow between them are secure. Because the packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required settings for FreeS/WAN and P-202H Plus v2 are explained in the following sections. All contents copyright © 2006 ZyXEL Communications Corporation. 263P-202H Plus v2 Support Notes The IP addresses we use in this example are as shown below. LAN 1 FreeS/WAN Linux box P-202H Plus

We presume that your Linux's kernel has been compiled to support FreeS/WAN, and FreeS/WAN has been also installed successfully in your system. You can refer to the following URL for more information, http://www.FreeS/WAN.org/. Two files must be configured in /etc directory. ipsec.conf: All contents copyright © 2006 ZyXEL Communications Corporation.

65.170.185.111 202.132.170.1 : PSK "12345678"

2. Setup P-202H Plus v2 VPN

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. The LAN IP in tihs example is 192.168.0.1, default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, Linux

FreeS/WAN only supports Main mode.

6. In Local section, choose Subnet Address as Address Type. Source IP

Address Start is 192.168.0.0 and End is 255.255.255.0 in this example. (the secure network behind P-202H Plus v2)

7. In Remote section, choose Subnet Address as Address Type. Source IP

Address Start is 192.168.10.0 and End is 255.255.255.0. (the secure network behind Linux)

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is Linx

box in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to 3DES and Authentication Algorithm to

Apply. All contents copyright © 2006 ZyXEL Communications Corporation. 265P-202H Plus v2 Support Notes You can click Advanced button to check IPSec Phase 1 and Phase 2 parameters. Please note that Linux FreeS/WAN only supports 3DES as encryption algorithm, and DH2 or upper as key exchange group. All contents copyright © 2006 ZyXEL Communications Corporation. 266P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 267P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit Key Management Setup' option in

menu27.1.1 to 'Yes' by pressing space bar and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate IPSec SAs which are used for data transmission. Please note that Linux FreeS/WAN only supports 3DES as encryption algorithm, and DH2 or upper as key exchange group. All contents copyright © 2006 ZyXEL Communications Corporation. 268P-202H Plus v2 Support Notes

SSH Sentinel to P-202H Plus v2 Tunneling Sentinel (Static IP) to P-202H Plus v2(Static IP) Tunneling This page guides us to setup a VPN connection between the Sentinel software and P-202H Plus v2 router. There will be several devices we need to setup for this case. They are Sentinel software and P-202H Plus v2 router. As the figure shown below, the tunnel between PC 1, with Sentinel installed, and P-202H Plus v2 ensures the packets flow between them are secure. Because the packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required settings for Sentinel and P-202H Plus v2 are explained in the following sections. As the red pipe shown in the following figure, the tunneling endpoints are Sentinel and P-202H Plus v2.

All contents copyright © 2006 ZyXEL Communications Corporation. 269P-202H Plus v2 Support Notes The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 PC2

1. From Tool Tray of Windows system, right click on your SSH/Sentinel icon,

and then choose Run Policy Editor.

2. Choose Key Management. Select My Keys, then press Add... button.

All contents copyright © 2006 ZyXEL Communications Corporation. 270P-202H Plus v2 Support Notes

3. Select Create a preshared key, and press Next.

All contents copyright © 2006 ZyXEL Communications Corporation. 271P-202H Plus v2 Support Notes

4. Give this preshared key a name, P-202H Plus v2. And then enter the

preshared key "12345678" in both Shared secret and Confirm shared secret fields. Finally press Finish. All contents copyright © 2006 ZyXEL Communications Corporation. 272P-202H Plus v2 Support Notes

5. Press Apply in Main menu to save the above settings for latter use.

All contents copyright © 2006 ZyXEL Communications Corporation. 273P-202H Plus v2 Support Notes

7. Add VPN Connection window will pop out. Press IP button besides

Gateway Name box. Enter P-202H Plus v210's WAN IP address in Gateway IP address.

8. Press ... button besides Remote network.

All contents copyright © 2006 ZyXEL Communications Corporation. 275P-202H Plus v2 Support Notes

9. Network Editor Window will pop out. Press New button, and Enter P-

202H Plus v2 in Network name, and 192.168.1.0 in IP address field, and

255.255.255.0 in Subnet Mask field. Then click OK to go back to Add

VPN Connection window.

10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.

All contents copyright © 2006 ZyXEL Communications Corporation. 276P-202H Plus v2 Support Notes

11. In SSH Sentinel Policy Editor, you will get a new VPN connection,

12. Choose Settings button in Remote endpoint section. Please uncheck the

boxes of "Acquire virtual IP address" and "Extended authentication". All contents copyright © 2006 ZyXEL Communications Corporation. 277P-202H Plus v2 Support Notes

13. Tune IKE proposal to Encryption algorithm as DES, Integrity function as

MD5, IKE mode as main mode, IKE group as MODP 768 (group 1), and IPSec proposal to Encryption algorithm as DES, Integrity funciton as HMAC-MD5, PFS group as none. All contents copyright © 2006 ZyXEL Communications Corporation. 278P-202H Plus v2 Support Notes

14. Press Apply to save all of the settings.

All contents copyright © 2006 ZyXEL Communications Corporation. 279P-202H Plus v2 Support Notes

15. Initiate VPN connection from Sentinel by selecting your VPN connection

from Select VPN item. Note: A. When building VPN between Sentinel and P-202H Plus v2, the tunnel can't be initiated from P-202H Plus v2 side. Please always initiate the tunnel from Sentinel. B. VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP...etc.) You can only initiate VPN tunnel by choosing "Select VPN" from SSH/Sentinel tray. All contents copyright © 2006 ZyXEL Communications Corporation. 280P-202H Plus v2 Support Notes NOTE: Please check your P-202H Plus v2's release note, if your current firmware version doesn't support Mega Bytes as SA lifetime. You have to Zero your Mega Bytes setting in SA life time. Switch to Security Policy, the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings... All contents copyright © 2006 ZyXEL Communications Corporation. 281P-202H Plus v2 Support Notes

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Go to Advanced -> VPN

3. Check Active box to enable this rule. Check Keep alive to make your

VPN connection stay permanent.

4. Select Negotiation Mode to Main, as we configured in Sentinel.

5. Local IP, Address Type is Subnet, Address Start is 192.168.1.0,

End/Subnet Mask is 255.255.255.0.

6. Remote IP, Address Type is Single, Address Start is Sentinel's IP,

7. My IP Addr is the WAN IP of P-202H Plus v2.

8. Secure Gateway IP Addr is also Sentinel's IP, 172.21.1.232

9. Select Encapsulation Mode to Tunnel.

10. Check the ESP check box. (AH can not be used in SUA/NAT case)

11. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in Sentinel.

12. Enter the key string 12345678 in the Preshared Key text box, and click

Apply. All contents copyright © 2006 ZyXEL Communications Corporation.

See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters. All contents copyright © 2006 ZyXEL Communications Corporation. 283P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 284P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu 27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. All contents copyright © 2006 ZyXEL Communications Corporation. 285P-202H Plus v2 Support Notes Please note that any configuration in 'IKE Setup' should match the settings configured in Sentinel Sentinel (Dynamic IP) to P-202H Plus v2(Static IP) Tunneling This page guides us to setup a VPN connection between the Sentinel software and P-202H Plus v2 router. There will be several devices we need to setup for this case. They are Sentinel software and P-202H Plus v2 router. As the figure shown below, the tunnel between PC 1, with Sentinel installed, and P-202H Plus v2 ensures the packets flow between them are secure. Because the packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required settings for Sentinel and P-202H Plus v2 are explained in the following sections. As the red pipe shown in the following figure, the tunneling endpoints are Sentinel and P-202H Plus v2.

All contents copyright © 2006 ZyXEL Communications Corporation. 286P-202H Plus v2 Support Notes The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 PC2 <Dynamic> LAN: 192.168.1.1 WAN: 172.21.1.252

1. From Tool Tray of Windows system, right click on your Sentinel icon, and

All contents copyright © 2006 ZyXEL Communications Corporation. 287P-202H Plus v2 Support Notes

3. Select Create a preshared key, and press Next.

All contents copyright © 2006 ZyXEL Communications Corporation. 288P-202H Plus v2 Support Notes

4. Give this preshared key a name, P-202H Plus v2. And then enter the

preshared key "12345678" in both Shared secret and Confirm shared secret fields. Finally press Finish. All contents copyright © 2006 ZyXEL Communications Corporation. 289P-202H Plus v2 Support Notes

5. Press Apply in Main menu to save the above settings for latter use.

All contents copyright © 2006 ZyXEL Communications Corporation. 290P-202H Plus v2 Support Notes

6. Switch to Security Policy tab. Choose VPN connections, and then press

Add... All contents copyright © 2006 ZyXEL Communications Corporation. 291P-202H Plus v2 Support Notes

7. Add VPN Connection window will pop out. Press IP button besides

Gateway Name box. Enter P-202H Plus v210's WAN IP address in Gateway IP address.

8. Press ... button besides Remote network.

All contents copyright © 2006 ZyXEL Communications Corporation. 292P-202H Plus v2 Support Notes

9. Network Editor Window will pop out. Press New button, and Enter P-

202H Plus v2 in Network name, and 192.168.1.0 in IP address field, and

255.255.255.0 in Subnet Mask field. Then click OK to go back to Add

VPN Connection window.

10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.

All contents copyright © 2006 ZyXEL Communications Corporation. 293P-202H Plus v2 Support Notes

11. In SSH Sentinel Policy Editor, you will get a new VPN connection,

12. Choose Settings button in Remote endpoint section. Please uncheck the

boxes of "Acquire virtual IP address" and "Extended authentication". All contents copyright © 2006 ZyXEL Communications Corporation. 294P-202H Plus v2 Support Notes

13. Tune IKE proposal to Encryption algorithm as DES, Integrity function as

MD5, IKE mode as main mode, IKE group as MODP 768 (group 1), and IPSec proposal to Encryption algorithm as DES, Integrity funciton as HMAC-MD5, PFS group as none. All contents copyright © 2006 ZyXEL Communications Corporation. 295P-202H Plus v2 Support Notes

14. Press Apply to save all of the settings.

All contents copyright © 2006 ZyXEL Communications Corporation. 296P-202H Plus v2 Support Notes

15. Initiate VPN connection from Sentinel by selecting your VPN connection

from Select VPN item. Note: A. When building VPN between Sentinel and P-202H Plus v2, the tunnel can't be initiated from P-202H Plus v2 side. Please always initiate the tunnel from Sentinel. B. VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP...etc.) You can only initiate VPN tunnel by choosing "Select VPN" from SSH/Sentinel tray. All contents copyright © 2006 ZyXEL Communications Corporation. 297P-202H Plus v2 Support Notes NOTE: Please check your P-202H Plus v2's release note, if your current firmware version doesn't support Mega Bytes as SA lifetime. You have to Zero your Mega Bytes setting in SA life time. Switch to Security Policy, the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings... All contents copyright © 2006 ZyXEL Communications Corporation. 298P-202H Plus v2 Support Notes

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Go to Advanced -> VPN

3. Check Active box to enable this rule. Check Keep alive to make your

VPN connection stay permanent.

4. Select Negotiation Mode to Main, as we configured in Sentinel.

5. Local IP, Address Type is Subnet, Address Start is 192.168.1.0,

End/Subnet Mask is 255.255.255.0.

6. Remote IP, leave it as default setup. 0.0.0.0/0.0.0.0

7. My IP Addr is the WAN IP of P-202H Plus v2.

10. Check the ESP check box. (AH can not be used in SUA/NAT case)

11. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in Sentinel.

All contents copyright © 2006 ZyXEL Communications Corporation. 299P-202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters. All contents copyright © 2006 ZyXEL Communications Corporation. 300P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 301P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu 27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. All contents copyright © 2006 ZyXEL Communications Corporation. 302P-202H Plus v2 Support Notes Please note that any configuration in 'IKE Setup' should match the settings configured in Sentinel Sentinel (Behind NAT) to P-202H Plus v2(Static IP) Tunneling This page guides us to setup a VPN connection between the Sentinel software and P-202H Plus v2 router. There will be several devices we need to setup for this case. They are Sentinel software and P-202H Plus v2 router. As the figure shown below, the tunnel between PC 1, with Sentinel installed, and P-202H Plus v2 ensures the packets flow between them are secure. Because the packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required settings for Sentinel and P-202H Plus v2 are explained in the following sections. As the red pipe shown in the following figure, the tunneling endpoints are Sentinel and P-202H Plus v2.

All contents copyright © 2006 ZyXEL Communications Corporation. 303P-202H Plus v2 Support Notes The IP addresses we use in this example are as shown below. PC 1 NAT Router P-202H Plus v2 PC2

1. From Tool Tray of Windows system, right click on your SSH/Sentinel icon,

and then choose Run Policy Editor.

All contents copyright © 2006 ZyXEL Communications Corporation.

3. Select Create a preshared key, and press Next.

All contents copyright © 2006 ZyXEL Communications Corporation. 305P-202H Plus v2 Support Notes

4. Give this preshared key a name, P-202H Plus v2. And then enter the

preshared key "12345678" in both Shared secret and Confirm shared secret fields. Finally press Finish. All contents copyright © 2006 ZyXEL Communications Corporation. 306P-202H Plus v2 Support Notes

5. Press Apply in Main menu to save the above settings for latter use.

All contents copyright © 2006 ZyXEL Communications Corporation. 307P-202H Plus v2 Support Notes

6. Switch to Security Policy tab. Choose VPN connections, and then press

Add... All contents copyright © 2006 ZyXEL Communications Corporation. 308P-202H Plus v2 Support Notes

7. Add VPN Connection window will pop out. Press IP button besides

Gateway Name box. Enter P-202H Plus v210's WAN IP address in Gateway IP address.

8. Press ... button besides Remote network.

All contents copyright © 2006 ZyXEL Communications Corporation. 309P-202H Plus v2 Support Notes

9. Network Editor Window will pop out. Press New button, and Enter P-

202H Plus v2 in Network name, and 192.168.1.0 in IP address field, and

255.255.255.0 in Subnet Mask field. Then click OK to go back to Add

VPN Connection window.

10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.

All contents copyright © 2006 ZyXEL Communications Corporation. 310P-202H Plus v2 Support Notes

11. In SSH Sentinel Policy Editor, you will get a new VPN connection,

12. Choose Settings button in Remote endpoint section. Please uncheck the

boxes of "Acquire virtual IP address" and "Extended authentication". All contents copyright © 2006 ZyXEL Communications Corporation. 311P-202H Plus v2 Support Notes

13. Tune IKE proposal to Encryption algorithm as DES, Integrity function as

MD5, IKE mode as main mode, IKE group as MODP 768 (group 1), and IPSec proposal to Encryption algorithm as DES, Integrity funciton as HMAC-MD5, PFS group as none. All contents copyright © 2006 ZyXEL Communications Corporation. 312P-202H Plus v2 Support Notes

14. Press Apply to save all of the settings.

All contents copyright © 2006 ZyXEL Communications Corporation. 313P-202H Plus v2 Support Notes

15. Initiate VPN connection from Sentinel by selecting your VPN connection

from Select VPN item. Note: A. When building VPN between Sentinel and P-202H Plus v2, the tunnel can't be initiated from P-202H Plus v2 side. Please always initiate the tunnel from Sentinel. B. VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP...etc.) You can only initiate VPN tunnel by choosing "Select VPN" from SSH/Sentinel tray. All contents copyright © 2006 ZyXEL Communications Corporation. 314P-202H Plus v2 Support Notes NOTE: Please check your P-202H Plus v2's release note, if your current firmware version doesn't support Mega Bytes as SA lifetime. You have to Zero your Mega Bytes setting in SA life time. Switch to Security Policy, the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings... All contents copyright © 2006 ZyXEL Communications Corporation. 315P-202H Plus v2 Support Notes

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Go to Advanced -> VPN

3. Check Active box to enable this rule. Check Keep alive to make your

VPN connection stay permanent.

4. Select Negotiation Mode to Main, as we configured in Sentinel.

5. Local IP, Address Type is Subnet, Address Start is 192.168.1.0,

End/Subnet Mask is 255.255.255.0.

6. Remote IP Address Start is Sentinel's IP, 192.168.2.33.

7. My IP Addr is the WAN IP of P-202H Plus v2.

8. Secure Gateway IP Addr is the NAT Router's IP.

9. Select Encapsulation Mode to Tunnel.

10. Check the ESP check box. (AH can not be used in SUA/NAT case)

11. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in Sentinel.

All contents copyright © 2006 ZyXEL Communications Corporation. 316P-202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters. All contents copyright © 2006 ZyXEL Communications Corporation. 317P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 318P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu 27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. All contents copyright © 2006 ZyXEL Communications Corporation. 319P-202H Plus v2 Support Notes Please note that any configuration in 'IKE Setup' should match the settings configured in Sentinel

3. Setup in NAT Router

In this case, since VPN connection can only be initiated from SSH Sentinel, no NAT port forwarding is needed. Sentinel (Dynamic IP) to P-202H Plus v2(Dynamic IP) Tunneling This page guides us to setup a VPN connection between the SSH Sentinel software and P-202H Plus v2 router. There will be several devices we need to setup for this case. They are Sentinel and P-202H Plus v2 router. As the figure shown below, the tunnel between PC 1, with Sentinel installed, and P-202H Plus v2 ensures the packets flow between them are secure. Because the packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required settings for Sentinel and P-202H Plus v2 are explained in the following sections. As the red pipe shown in the following figure, the tunneling endpoints are Sentinel and P-202H Plus v2.

All contents copyright © 2006 ZyXEL Communications Corporation. 320P-202H Plus v2 Support Notes The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 PC2 <Dynamic IP> LAN: 192.168.1.1 WAN: <Dynamic IP>

can refer to Using DDNS for how to configure it. We presume that you have got a dynamic domain name, P-202H Plus v2.ddns.org, and update your current WAN IP successfully.

2. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

3. Go to Advanced -> VPN

4. Check Active box to enable this rule. Check Keep alive to make your

VPN connection stay permanent.

5. Select Negotiation Mode to Main..

6. Local IP, Address Type is Subnet, Address Start is 192.168.1.0,

End/Subnet Mask is 255.255.255.0.

7. Remote IP, leave this field as blank.

8. My IP Addr, leave this field as 0.0.0.0.

9. Secure Gateway IP Addr is Sentinel's IP, since Sentinel is using dynamic

IP address, fill this field as 0.0.0.0.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

All contents copyright © 2006 ZyXEL Communications Corporation. 321P-202H Plus v2 Support Notes See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters. All contents copyright © 2006 ZyXEL Communications Corporation. 322P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 323P-202H Plus v2 Support Notes If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu 27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. All contents copyright © 2006 ZyXEL Communications Corporation. 324P-202H Plus v2 Support Notes Please note that any configuration in 'IKE Setup' should match the settings configured in Sentinel

1. From Tool Tray of Windows system, right click on your SSH/Sentinel icon,

and then choose Run Policy Editor. All contents copyright © 2006 ZyXEL Communications Corporation. 325P-202H Plus v2 Support Notes

2. Choose Key Management. Select My Keys, then press Add... button.

All contents copyright © 2006 ZyXEL Communications Corporation. 326P-202H Plus v2 Support Notes

3. Select Create a preshared key, and press Next.

All contents copyright © 2006 ZyXEL Communications Corporation. 327P-202H Plus v2 Support Notes

4. Give this preshared key a name, P-202H Plus v2. And then enter the

preshared key "12345678" in both Shared secret and Confirm shared secret fields. Finally press Finish. All contents copyright © 2006 ZyXEL Communications Corporation. 328P-202H Plus v2 Support Notes

5. Press Apply in Main menu to save the above settings for latter use.

All contents copyright © 2006 ZyXEL Communications Corporation. 329P-202H Plus v2 Support Notes

6. Switch to Security Policy tab. Choose VPN connections, and then press

Add... All contents copyright © 2006 ZyXEL Communications Corporation. 330P-202H Plus v2 Support Notes

7. Add VPN Connection window will pop out. Enter P-202H Plus

v2.dyndns.org in Gateway IP address.

8. Press ... button besides Remote network.

All contents copyright © 2006 ZyXEL Communications Corporation.

9. Network Editor Window will pop out. Press New button, and Enter P-

202H Plus v2 in Network name, and 192.168.1.0 in IP address field, and

255.255.255.0 in Subnet Mask field. Then click OK to go back to Add

VPN Connection window.P-202H Plus v2 Support Notes

10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.

11. In SSH Sentinel Policy Editor, you will get a new VPN connection, P-

202H Plus v2.dyndns.org (P-202H Plus v2), choose this item, and then press Properties... button. All contents copyright © 2006 ZyXEL Communications Corporation. 332P-202H Plus v2 Support Notes

12. Choose Settings button in Remote endpoint section. Please uncheck the

boxes of "Acquire virtual IP address" and "Extended authentication". All contents copyright © 2006 ZyXEL Communications Corporation. 333P-202H Plus v2 Support Notes

13. Tune IKE proposal to Encryption algorithm as DES, Integrity function as

MD5, IKE mode as main mode, IKE group as MODP 768 (group 1), and IPSec proposal to Encryption algorithm as DES, Integrity funciton as HMAC-MD5, PFS group as none. All contents copyright © 2006 ZyXEL Communications Corporation. 334P-202H Plus v2 Support Notes

14. Press Apply to save all of the settings.

All contents copyright © 2006 ZyXEL Communications Corporation. 335P-202H Plus v2 Support Notes

15. Initiate VPN connection from Sentinel by selecting your VPN connection

from Select VPN item. Note: A. When building VPN between Sentinel and P-202H Plus v2, the tunnel can't be initiated from P-202H Plus v2 side. Please always initiate the tunnel from Sentinel. B. VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, ftp, telnet, HTTP...etc.) You can only initiate VPN tunnel by choosing "Select VPN" from SSH/Sentinel tray. All contents copyright © 2006 ZyXEL Communications Corporation. 336P-202H Plus v2 Support Notes NOTE: Please check your P-202H Plus v2's release note, if your current firmware version doesn't support Mega Bytes as SA lifetime. You have to Zero your Mega Bytes setting in SA life time. Switch to Security Policy, the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...

All contents copyright © 2006 ZyXEL Communications Corporation. 337P-202H Plus v2 Support Notes Intel VPN client to P-202H Plus v2 Tunneling This page guides us to setup a VPN connection between the Intel VPN client software and P-202H Plus v2 router. There will be several devices we need to setup for this case. They are Intel VPN software and P-202H Plus v2 router. As the figure shown below, the tunnel between PC 1, with Intel VPN client installed, and P-202H Plus v2 ensures the packets flow between them are secure. Because the packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required settings for Intel VPN client and P-202H Plus v2 are explained in the following sections. As the red pipe shown in the following figure, the tunneling endpoints are Intel VPN client and P-202H Plus v2.

The IP addresses we use in this example are as shown below. PC 1 P-202H Plus v2 PC2

1. Select Tunnels/New.../IPSEC Tunnel to create a VPN connection.

All contents copyright © 2006 ZyXEL Communications Corporation. 338P-202H Plus v2 Support Notes

2. Give this Tunnel a name, P-202H Plus v2, for example. Specify VPN

Gateway IP Address as 172.21.1.252. Tunnel Applies to All network connections. Uncheck Enable IP Address assignment and WINS/DNS via VPN Gateway. All contents copyright © 2006 ZyXEL Communications Corporation. 339P-202H Plus v2 Support Notes

3. Select Security Associations tab. Press Add... to edit the IP address of

None, Authentication HMAC MD5, Encryption DES (56-bit key), uncheck Transport mode. Specify the Phase 2 SA life time you would like to use. Click OK to save the settings. All contents copyright © 2006 ZyXEL Communications Corporation. 340P-202H Plus v2 Support Notes

4. Select Shared Secret as Authentication Method, and Enter the pre-

shared key: 12345678. Then press Advanced... to edit Phase 1 parameters. All contents copyright © 2006 ZyXEL Communications Corporation. 341P-202H Plus v2 Support Notes

5. Specify phase SA life time you would like to have, 60 minutes for

example. Encryption as DES 56-bit key, Authentication as HMAC MD5, and Diffie-Hellman Group as 1-RSA 768 bits. Click OK to save. All contents copyright © 2006 ZyXEL Communications Corporation. 342P-202H Plus v2 Support Notes

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

1 in this example. (the secure SSH PC) Note: You may assign a range of Source/Destination IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote SSH's IP, that is PC 1 in this

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

All contents copyright © 2006 ZyXEL Communications Corporation. 343P-202H Plus v2 Support Notes

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in SSH.

See the VPN rule screen shot Set IKE Phase 1 and Phase 2 parameters. All contents copyright © 2006 ZyXEL Communications Corporation. 344P-202H Plus v2 Support Notes

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu 27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging. In Phase 2, two peers negotiate general purpose SAs which are secure channels for data transmission. Please note that any configuration in 'IKE Setup' should match the settings configured in SSH Menu 27.1.1.1 - IKE Setup Phase 1 Negotiation Mode= Main Pre-Shared Key= 12345678 Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 28800 Key Group= DH1 Phase 2 Active Protocol= ESP Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 28800 Encapsulation= Tunnel Perfect Forward Secrecy (PFS)= None Press ENTER to Confirm or ESC to Cancel:

All contents copyright © 2006 ZyXEL Communications Corporation. 346P-202H Plus v2 Support Notes Some tips for this application: Generally, without IPSec, to configure an internal server for outside access, we need to configure the server private IP and its service port in SUA/NAT Server Table. The NAT router then will forward the incoming connections to the internal server according to the service port and private IP entered in SUA/NAT Server Table. However, if both NAT and IPSec is enabled in P-202H Plus v2, the edit of the table is necessary only if the connection is a non-secure connections. For secure connections, none SUA server settings are required since private IP is reachable in the VPN case. Remember, IPSec is an IP-in-IP encapsulation, the internal IP header is not translated by NAT. For example: Internal Server----P-202H Plus v2(NAT+IPSec)-----ADSL Modem----Internet---- Remote Network

5. VPN Routing between Branch Offices

This page guides us how to setup VPN routing between branch offices through headquarter. So that whenever branch office A wants to talk to branch office B, headquarter plays as a VPN relay. Users can gain benefit from such application when the scale of branch offices is very large, because no additional VPN tunnels between branch offices are needed. In this support note, we skip the detailed configuration steps for Internet access and presume that you are familiar with basic ZyNOS VPN configuration. As the figure shown below, each branch office have a VPN tunnel to headquarter, thus PCs in branch offices can access systems in headquarter via the tunnel. Through VPN routing, P-202H Plus v2 series now provide you a solution to let PCs in branch offices talk to each other through the existing VPN tunnels concentrated on the headquarter. This feature is available in P-202H Plus v210, P-202H Plus v250 and P-202H Plus v2100. All contents copyright © 2006 ZyXEL Communications Corporation. 347P-202H Plus v2 Support Notes The IP addresses we use in this example are as shown below. Branch_A Headquarter Branch_B WAN:202.3.1.1 LAN:192.168.3.1 WAN:202.1.1.1 LAN:192.168.1.1 WAN:202.2.1.1 LAN:192.168.2.1 LAN of Branch_A LAN of Headquarter LAN of Branch_B

192.168.3.0/24 192.168.1.0/24 192.168.2.0/24

1. Setup VPN in branch office A

Because VPN routing enables branch offices to talk to each other via tunnels concentrated on headquarter. In this step, we configure an IPSec rule in P-202H Plus v2 (Branch_A) for PCs behind branch office A to access both LAN segments of headquarter and branch office B. Because the LAN segments of headquarter and branch office B are continuous, we merge them into one single rule by including these two segments in Remote section. If by any chance, the two segments are not continuous, we strongly recommend you to setup different rules for these segments.

1. Click Advanced, and click VPN tab on the left.

2. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. Give this VPN rule a name, Branch_A.

5. Select Key Management to IKE and Negotiation Mode to Main.

All contents copyright © 2006 ZyXEL Communications Corporation. 348P-202H Plus v2 Support Notes

6. In Local section, select Address Type to Range Address, set IP

Address Start to 192.168.3.0, and End to 192.168.3.255. This section covers the LAN segment of branch office A.

7. In Remote section, select Address Type to Range Address, set IP

Address Start to 192.168.1.0 and End to 192.168.2.255. This section covers the LAN segment of both headquarter and branch office B.

8. My IP Addr is the WAN IP of this P-202H Plus v2, 202.3.1.1.

9. Set Secure Gateway Addr to the IP address of Headquarter, 202.1.1.1.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

SHA-1. These parameters are for IKE phase 2 negotiation. You can set more detailed configuration by pressing Advanced button.

13. Enter the key string 12345678 in the Pre-shared Key text box, and click

Apply. All contents copyright © 2006 ZyXEL Communications Corporation. 349P-202H Plus v2 Support Notes You can setup IKE phase 1 and phase 2 parameters by pressing Advanced button. Please make sure that parameters you set in this menu match with all the parameters with the correspondent VPN rule in headquarter. All contents copyright © 2006 ZyXEL Communications Corporation. 350P-202H Plus v2 Support Notes

2. Setup VPN in branch office B

Be very careful about the remote IP address in branch office B, because for systems behind branch office B want to systems behind branch office A and headquarter, we have to specify these two segments in Remote section. However if we include these two segments in one rule, the LAN segment of branch office B will be also included in this single rule, which means intercommunication inside branch office B will run into VPN tunnel. To avoid such situation, we need two separate rules to cover the LAN segment of branch office A and headquarter.

1. The first rule in Branch_ B.

This rule is for branch office B to access headquarter. All contents copyright © 2006 ZyXEL Communications Corporation. 351P-202H Plus v2 Support Notes You can setup IKE phase 1 and phase 2 parameters by pressing Advanced button. Please make sure that parameters you set in this menu match with all the parameters with the correspondent VPN rule in headquarter. All contents copyright © 2006 ZyXEL Communications Corporation. 352P-202H Plus v2 Support Notes

2. The second rule in Branch_B

This rule is for branch office B to access branch office A. All contents copyright © 2006 ZyXEL Communications Corporation. 353P-202H Plus v2 Support Notes You can setup IKE phase 1 and phase 2 parameters by pressing Advanced button. Please make sure that parameters you set in this menu match with all the parameters with the correspondent VPN rule in headquarter. All contents copyright © 2006 ZyXEL Communications Corporation. 354P-202H Plus v2 Support Notes

3. Setup VPN in Headquarter

1. The correspondent rule for Branch_A in headquarter

All contents copyright © 2006 ZyXEL Communications Corporation. 355P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 356P-202H Plus v2 Support Notes

2. The correspondent rule for Branch_B_1 in headquarter

All contents copyright © 2006 ZyXEL Communications Corporation. 357P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 358P-202H Plus v2 Support Notes

2. The correspondent rule for Branch_B_2 in headquarter

All contents copyright © 2006 ZyXEL Communications Corporation. 359P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 360P-202H Plus v2 Support Notes

All contents copyright © 2006 ZyXEL Communications Corporation. 361P-202H Plus v2 Support Notes Support Tool

1. Using ZyXEL ISDN D Channel Analyzer, EPA

Introduction An ISDN call connection failure can be diagnosed by using P-202H Plus v2's ISDN embedded protocol analyzer (EPA). The cause code in the EPA log can also help us to diagnose the disconnection of an ISDN call. Using EPA Analyzer You must connect the P-202H Plus v2 to a terminal program via the serial port to capture the EPA. The EPA will not operate by Telnet. The steps for enabling the EPA are as follows:

1. Enter to SMT Menu 11 and note which node N you will be dialing

2. Enter to SMT Menu 24.8

3. Enable the EPA capture capability by:

P-202H Plus v2>isdn fw ana on

4. Manually dial to remote node N

P-202H Plus v2>dev dial N (N is the node number in Menu 11)

5. Wait for all progress messages, and manually drop the call:

P-202H Plus v2>dev channel drop [bri0|bri1|all] (bri0 for B1 channel, bri1 for B2 channel, all for all channels)

6. Turn off the EPA by:

Introduction The P-202H Plus v2 supports the trace of PPP log, that we can diagnose from the trace by referring to the PPP numbers or use the ZPKTTOOL to interpret for us. P-202H Plus v2 ZPKTTOOL tool is a DOS utility that interprets the dump of the PPP log in P-202H Plus v2. A PPP call connection failure can be diagnosed by using P-202H Plus v2's PPP protocol analyzer. Using PPP Protocol Analyzer You must connect the P-202H Plus v2 to a terminal program via the serial port to capture the PPP log. The PPP log will not operate by Telnet. The steps for capturing the PPP log are as follows:

• Enter to SMT Menu 11 and note which node N you will be dialing

All contents copyright © 2006 ZyXEL Communications Corporation. 366P-202H Plus v2 Support Notes

• Manually dial to remote node N P-202H Plus v2>dev dial N (N is the node number in Menu 11) Example:

• Wait for all progress messages, and manually drop the call: P-202H Plus v2>dev channel drop [bri0|bri1] (bri0 for B1 channel, bri1 for B2 channel)

• Turn off the PPP trace by: P-202H Plus v2>sys trcl sw off P-202H Plus v2>sys trcp sw off

• Dump the PPP log by: P-202H Plus v2>sys trcl disp The trace appears on the screen as in the following example. Press <Enter> key to dump the entire trace. Example: All contents copyright © 2006 ZyXEL Communications Corporation.

• Copy and paste the trace to an editor and save it as a text file

• Run the ZPKTTOOL program to interpret the PPP log, to know the detailed trace, please refer to the ppp numbers. All contents copyright © 2006 ZyXEL Communications Corporation. 369P-202H Plus v2 Support Notes

3. LAN/WAN Packet Trace

The P-202H Plus v2 records packet trace and analyzes packets running on LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on LAN or WAN end of the P-202H Plus v2. It is also very helpful for diagnostics if you have compatibility problems with your ISP or if you want to know the details of a packet for configuring a filter rule. The format of the display is as following: Packet:

0 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80

[index] [timer/second][channel-receive/transmit][length] [protocol] [sourceIP/port] [destIP/port] There are two ways to dump the trace:

1. Online Trace--display the trace real time on screen

2. Offline Trace--capture the trace first and display later

The details for capturing the trace in SMT menu 24.8 are as follows. All contents copyright © 2006 ZyXEL Communications Corporation. 370P-202H Plus v2 Support Notes Online Trace

1.1 Disable to capture the WAN packet by entering: sys trcp channel [bri0|bri1]

1.2 Enable to capture the LAN packet by entering: sys trcp channel enet0

1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on

1.4 Display the brief trace online by entering: sys trcd brief

1.5 Display the detailed trace online by entering: sys trcd parse

1.1 Disable to capture the LAN packet by entering: sys trcp channel enet0

1.2 Enable to capture the WAN packet by entering: sys trcp channel [bri0|bri1]

1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on

1.4 Display the brief trace online by entering: sys trcd brief

1.5 Display the detailed trace online by entering: sys trcd parse

All contents copyright © 2006 ZyXEL Communications Corporation. 376P-202H Plus v2 Support Notes Offline Trace

1.1 Disable to capture the WAN packet by entering: sys trcp channel [bri0|bri1]

1.2 Enable to capture the LAN packet by entering: sys trcp channel enet0

1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on

1.4 Wait for packet passing through P-202H Plus v2 over LAN

1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off

1.6 Display the trace briefly by entering: sys trcp brief

1.7 Display specific packets by using: sys trcp parse <from_index>

1.1 Disable to capture the LAN packet by entering: sys trcp channel enet0

1.2 Enable to capture the WAN packet by entering: sys trcp channel [bri0|bri1]

1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on

1.4 Wait for packet passing through P-202H Plus v2 over WAN

1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off

All contents copyright © 2006 ZyXEL Communications Corporation. 378P-202H Plus v2 Support Notes

1.6 Display the trace briefly by entering: sys trcp brief

1.7 Display specific packets by using: sys trcp parse <from_index>

4. Using TFTP to upload/download ZyNOS via LAN

o TELNET to your P-202H Plus v2 first before running the TFTP software o Type the CI command 'sys stdio 0' to disable console idle timeout in Menu 24.8 and stay in Menu 24.8 o Run the TFTP client software o Enter the IP address of the P-202H Plus v2 o To upload the firmware, please save the remote file as 'ras' to P- 202H Plus v2. After the transfer is complete, the P-202H Plus v2 will program the upgraded firmware into FLASH ROM and reboot itself. o To download the firmware, please get the remote file 'ras' from the P-202H Plus v2. An example:

All contents copyright © 2006 ZyXEL Communications Corporation. 381P-202H Plus v2 Support Notes The 192.168.1.1 is the IP address of the P-202H Plus v2. The local file is the source file of the ZyNOS firmware that is available in your hard disk. The remote file is the file name that will be saved in P-202H Plus v2. Check the port number 69 and 512-Octet blocks for TFTP. Check 'Binary' mode for file transfering. Using TFTP to upload/download SMT configurations via LAN o TELNET to your P-202H Plus v2 first before running the TFTP software o Type the CI command 'sys stdio 0' to disable console idle timeout in Menu 24.8 and stay in Menu 24.8 o Run the TFTP client software o To download the SMT configuration, please get the remote file 'rom-0' from the P-202H Plus v2. o To upload the SMT configuration, please save the remote file as 'rom-0' in the P-202H Plus v2. An Example: The 192.168.1.1 is the IP address of the P-202H Plus v2. The local file is the source file of your configuration file that is available in your hard disk. The remote file is the file name that will be saved in P-202H Plus v2. Check the port number 69 and 512-Octet blocks for TFTP. Check 'Binary' mode for file transfering.

• Using TFTP command on Windows NT All contents copyright © 2006 ZyXEL Communications Corporation. 382P-202H Plus v2 Support Notes Before you begin:

1. TELNET to your P-202H Plus v2 first before using TFTP command

2. Type the CI command 'sys stdio 0' to disable console idle timeout in

1. TELNET to your P-202H Plus v2 first before using TFTP command

2. Type the CI command 'sys stdio 0' to disable console idle timeout in

Menu 24.8 and stay in Menu 24.8 Example: [cppwu@faelinux cppwu]$ telnet 192.168.1.1 Trying 192.168.1.1... Connected to 192.168.1.1. Escape character is '^]'. Password: **** Copyright (c) 1999 ZyXEL Communications Corp. All contents copyright © 2006 ZyXEL Communications Corporation. 383P-202H Plus v2 Support Notes P-202H Plus v2 Main Menu Getting Started Advanced Management

5. Using FTP to Upload Firmware and Configuration Files

In addition to upload the firmware and configuration file via the console port and TFTP client, you can also upload the firmware and configuration files to the P- 202H Plus v2 202 using FTP. To use this feature, your workstation must have a FTP client software. There are two examples as shown below.

1. Using FTP command in terminal

Step 1 Use FTP client from your workstation to connect to the P-202H Plus v2 by entering the IP address of the P-202H Plus v2. Step

Press 'Enter' key to ignore the username, because the P-202H Plus v2 does not check the username. Step 3 Enter the SMT password as the FTP login password, the default is '1234'. Step 4 Enter command 'bin' to set the transfer type to binary. Step 5 Use 'put' command to transfer the file to the P-202H Plus v2. Note: The remote file name for the firmware is 'ras' and for the configuration file is 'rom-0' (rom-zero, not capital o). Example: C:\temp>ftp 202.132.155.97 Connected to 202.132.155.97. 220 FTP version 1.0 ready at Thu Jan 1 00:02:09 1970 User (202.132.155.97:(none)): <Enter> 331 Enter PASS command Password:**** 230 Logged in ftp> bin 200 Type I OK ftp> put p202e.bin ras 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 924512 bytes sent in 4.83Seconds 191.41Kbytes/sec. ftp> Here, the 'p202e.bin' is the local file and 'ras' is the remote file that will be saved in the P-202H Plus v2. All contents copyright © 2006 ZyXEL Communications Corporation. 385P-202H Plus v2 Support Notes The P-202H Plus v2 reboots automatically after the uploading is finished.

Rename the local firmware and configuration files to 'ras' and 'rom-0', because we can not specify the remote file name in the FTP client software. Step

Use FTP client from your workstation to connect to the P-202H Plus v2 by entering the IP address of the P-202H Plus v2. Step

Enter the SMT password as the FTP login password. The default is '1234'. Step

Press 'OK' key to ignore the username, because the P-202H Plus v2 does not check the username. Example:

1. Connect to the P-202H Plus v2 by entering the P-202H Plus v2's IP and SMT

password in the FTP software. Set the transfer type to 'Auto-Detect' or 'Binary'.

All contents copyright © 2006 ZyXEL Communications Corporation. 386P-202H Plus v2 Support Notes

2. Press 'OK' to ignore the 'Username' prompt.

3. To upload the firmware file, we transfer the local 'ras' file to overwrite the

remote 'ras' file. To upload the configuration file, we transfer the local 'rom-0' to overwrite the remote 'rom-0' file.

4.The P-202H Plus v2 reboots automatically after the uploading is finished.

All contents copyright © 2006 ZyXEL Communications Corporation. 387P-202H Plus v2 Support Notes CI Command List CI has the following command syntax: command <iface | device > subcommand [param] command subcommand [param] command ? | help command subcommand ? | help General user interface:

Shows the following commands and all major (sub)commands

Exit Subcommand To get the latest CI Command list The latest CI Command list is available in release note of every ZyXEL firmware release. Please goto ZyXEL public WEB site http://www.zyxel.com/support/download_index.php to download firmware package (*.zip), you should unzip the package to get the release note in PDF format.

All contents copyright © 2006 ZyXEL Communications Corporation. 388P-202H Plus v2 Support Notes Troubleshooting

1. Internet Connection

Related SMT screens and CI commands: - SMT Menu 1, 4 - SMT Menu 24.1 and 24.4 -isdn loop -dev dial Some basic knowledge about Internet Connection Setup Before we start any verification or troubleshooting of Internet setup, let us first give a brief introduction of the connection setup sequence. Any PPP call to Internet or other (ISDN) router can be divided into the following steps: - Dialing - LCP negotiation - Authentication ( it can be None/PAP/CHAP) - NCP negotiation ( NCP can be IPCP, BACP, BCP, CCP, IPXCP) The P-202H Plus v2 provides a very clear log for each step of the call setup. The following shows the messages displayed in each steps. If a step fails, an error message is displayed. Start Dialing chan<1> phone<20301> <------------- Dialing Call CONNECT speed<64000> type<2> chan<0> <------- Dial OK ( After call is up, P-202H Plus v2 will start LCP negotiation ) LCP opened <----------------------------------- Lcp OK CHAP login to remote OK! <------------------------- Auth OK IPCP negotiation started <------------------------- Ipcp negotiation BACP negotiation started ***BCP stopped <------------------------- Bcp Not available CCP stopped <----------------------------------- Ccp Not available IPCP opened <----------------------------------- IPCP OK BACP opened <----------------------------------- Bacp OK All contents copyright © 2006 ZyXEL Communications Corporation. 389P-202H Plus v2 Support Notes Internet connection verification steps:

• Setup Menu 4 for Internet Access.

• Perform a connection test (after you save Menu 4 ).

• You should see the call connected, LCP up or opened, CHAP/PAP login OK and IPCP up or opened. Internet connection test failed:

• Setup Menu 4 for Internet Access,

• Perform a connection test (after you save Menu 4 ). You could get the following errors. Some common problem troubleshooting examples

• Call didn't connect - Try again later and also verify the phone number.

• Login to remote failed

• IP address been rejected by your ISP

• ISDN protocol mismatch

• Disconnect by far-end

• Other unknown reason - Cannot make outcall Dial no number This could mean that your ISDN line is not up. Dial Fail *** LINK IS NOT AVAILABLE This could mean that your two channels are connected to other sites (or A/B adapter in use). - Call didn't connect - Try again later and also verify the phone number. Dialing chan<1> phone(last 9-digit): 40202 ### Hit any key to continue.### Dial no answer All contents copyright © 2006 ZyXEL Communications Corporation.

This means the far-end is not answering.P-202H Plus v2 Support Notes Dialing chan<1> phone(last 9-digit): 40202 ### Hit any key to continue.### Dial busy This means the far-end is busy. Dialing chan<1> phone(last 9-digit): 40202 ### Hit any key to continue.### Dial timeout This means you have been timeed out in making a connection. Please refer to next chapter for more detailed discussion on this. - Login to remote failed Dialing chan<1> phone (last 9-digit): 40201 ### Hit any key to continue.### Call CONNECT speed<64000> type<2> chan<0> LCP opened CHAP login to remote failed LCP closed Recv'd TERM-REQ Recv'd TERM-ACK state 5 LCP stopped TRY: Verify username and password with your ISP again or retype the username and password field again. When you retype the name and password and hit return at 'Press Enter to confirm or Esc to Cancel', if you don't see 'Saving to ROM' message, then your original entry is the same as your retry, this means maybe the name/pw from the ISP is incorrect. You must call your ISP and verify the name and password again. - IP address been rejected by your ISP Dialing chan<1> phone (last 9-digit): 40201 ### Hit any key to continue.### Call CONNECT speed<64000> type<2> chan<0> LCP opened All contents copyright © 2006 ZyXEL Communications Corporation. 391P-202H Plus v2 Support Notes CHAP login to remote OK! IPCP negotiation started IPCP opened Recv'd TERM-ACK state 4 LCP stopped sys log disp: " PP09 WARN Local IP mismatch, proposed 192.68.135.183, PP09 WARN neg'd 204.247.1.1, make sure RIP is turned on" This means that you configured your P-202H Plus v2 Menu 3.2 as

192.68.135.183, but the ISP thinks you should be 204.247.1.1. The P-202H Plus

v2 dropped the call for you, because even if the call is up, your network will still be unable to talk to the Internet! TRY: 1. If you have a class C network of 204.247.1.0/24, then you should change your Menu 3.2 to use that address. 2. If you have only one IP address

204.247.1.1/32, then you should configure your P-202H Plus v2 to enable Single

User Account (SUA) ( For more information on how to configure SUA, please refer to application note. ) - ISDN protocol mismatch Dialing chan<1> phone (last 9-digit): 40201 ### Hit any key to continue.### Call CONNECT speed<64000> chan<1> prot<1> You see the call connected, but nothing else after that . After a while it says Line down. This could be because of the low level protocol mismatch. Let's say you use 64K to dial into a X.75 or V.120 only router. TRY: Contact your ISP and make sure they use 'Clear Channel' ISDN protocol, or change your Telco option to X.75 or V.120 ( for DSS1 or 1TR6 only). - Disconnect by far-end All contents copyright © 2006 ZyXEL Communications Corporation.

Dialing chan<1> phone (last 9-digit): 40201 ### Hit any key to continue.### Call CONNECT speed<64000> chan<1> prot<1> LCP upP-202H Plus v2 Support Notes CHAP send response CHAP login to remote OK! IPCP negotiation started BACP stopped IPCP up LCP down IPCP down LCP stopped The call connected, IPCP was up, but still the call dropped. The call could have been dropped by the far-end for some unknown reason. You need to verify the problem with your ISP. Sometimes if the far-end is using Ascend Pipeline for your connection, they will let IPCP up and check the IP address, if IP address is not the same as what's configured in their 'Connection Profile', they would drop the call and give no log about it! - Other unknown reason For any other unknown reason, you have to look at the packet trace to decide what went wrong. To collect the trace,

• Go to Menu 11, and mark down which remote number # is for Internet access.

• Go to CI (Menu 24.8)

• Turn on the screen capture/log capability

• sys trcl cl ( to clear the trace )

• sys trcl sw on ( to turn on the trace log )

• sys trcp sw on ( to turn on the packet trace )

• After the call failed

• sys trcl disp Summary: Failure reasons Actions Dial failed - check disconnect cause - go to SMT memu 24.1 to verify that channel status is not DOWN. If DOWN, it might be ISDN Init failure. - Do ISDN loopback test Authentication failed - check name and password All contents copyright © 2006 ZyXEL Communications Corporation. 393P-202H Plus v2 Support Notes Lcp negotiation failed - trace PPP packets Ipcp negotiation failed - check if IP address is correct - check if IP is turned on in a remote node. - check if SUA is needed All others - collect PPP traces

2. Remote Node/Dial-in User Connection

Related SMT screens and CI commands: - SMT Menu 2 - SMT Menu 24.4.12 - SMT Menu 24.9 - isdn dial # (pre-ZyNOS) or dev dial # (ZyNOS) - sys log disp Cannot outcall to a Remote node Use CI "isdn dial <node#>" to verify a outgoing call for a remote node. Use CI 'system event' an incoming call from a remote node. The following are some possible failure reasons for a outgoing call: - Dial failed ( please refer to previous chapter for more details. ) - ISDN protocol mismatched ( please refer to previous chapter for more details. ) - Incoming only remote node, check Menu 11

• Pre-ZyNOS: P2864> isdn dial 1

• Dial not allowed, or No Channel ( Call to a incoming only remote node, or no free B chan ) ### Hit any key to continue.### All contents copyright © 2006 ZyXEL Communications Corporation.

Some common troubleshooting examples:

• Phone number is in Black List, check Menu 24.9.2

• Call exceeded the Call budget, check Menu 24.9.3

• Login to remote node failed, check the name and password again

• PPP negotiation failed

• IP address mismatched

- Phone number is in Black List, check Menu 24.9.2

• Pre-ZyNOS: P2864> isdn dial 1 Start dialing for node<1> ***Call failed, number is Blacklisted ### Hit any key to continue.###

• ZyNOS: Zyxel> dev dial 1 $$$ Call is blocked

- Login to remote node failed, check the name and password again

• Pre-ZyNOS: P2864> isdn dial 1 Start dialing for node<1> Dialing chan<1> phone(last 9-digit):40201### Hit any key to continue.### Call CONNECT speed<64000> chan<1> prot<1> LCP up CHAP send response ***Login to remote failed. Check name/passwd. Receive Terminate REQ LCP down Line Down chan<1>

• ZyNOS: zyxel> dev dial 1 Start dialing for node<1> Dialing chan<1> phone(last 9-digit):40201### Hit any key to continue.### Call CONNECT speed<64000> type<2> chan<0> LCP opened CHAP login to remote failed LCP closed Recv'd TERM-REQ Recv'd TERM-ACK state 5 LCP stopped

- IP address mismatched

• Pre-ZyNOS: P128> isdn dial 4 Start dialing for node<4> Dialing chan<1> phone(last 9-digit):40201### Hit any key to continue.### Call CONNECT speed<64000> chan<1> prot<1> LCP up CHAP send response CHAP login to remote OK! IPCP negotiation started BACP negotiation started IPCP up ***Remote subnet mismatch, cfg'd 100.0.0.0 ***Remote subnet mismatch, neg'd 200.0.0.0 LCP down IPCP down ***Ip route: code=05 P1=00 P2=00 P3=00 Receive Terminate ACK LCP stopped

• ZyNOS: P128> dev dial 4 Start dialing for node<4> Dialing chan<1> phone(last 9-digit):40201### Hit any key to continue.### Call CONNECT speed<64000> type<2> chan<0> LCP opened CHAP login to remote OK! IPCP negotiation started All contents copyright © 2006 ZyXEL Communications Corporation. 399P-202H Plus v2 Support Notes BACP negotiation started IPCP up LCP closed IPCP closed Recv'd TERM-ACK state 4 LCP stopped P128> sys log disp 18 417888 PP0a ERROR Remote subnet mismatch, cfg'd 100.1.1.1 19 417889 PP0a ERROR neg'd 200.0.0.0 20 417892 PP0a WARN ip_route: code=05 P1=00 P2=00 P3=00 In this example, the IP address of the remote node is 100.1.1.1, but after PPP is up, the far-end claims that their IP is in 200.0.0.0 network. P-202H Plus v2 will drop the call, becuase of the IP address mismatch in this case.

Cannot answer incoming call from a Remote node or Dial-in User The following are some of the possible reasons the P-202H Plus v2 not answering an incoming call: - System can't answer call - ISDN protocol mismatched - System authentication not set correctly - Far-end name/password not correct - IP address mismatched To collect the trace or to identify the problem, just use 'sys event' command in CI and wait for an incoming call. If it is a PPP related problem, then use the following steps to collect PPP trace:

4. <Wait for an incoming call ( or issue 'sys event' ), after the call stops

All contents copyright © 2006 ZyXEL Communications Corporation. 400P-202H Plus v2 Support Notes Cannot callback to a Dial-in User The P-202H Plus v2 only supports Microsoft's proprietary CallBack Control Protocol (CBCP). Thus, the P-202H Plus v2 will be able to do PPP callback to only to those devices that also support CBCP. This means that if a dial-in user is using a different package such as Trumpet which doesn't support CBCP, then the P-202H Plus v2 will not callback to the user.

Related SMT screens and CI commands: - SMT Menu 2 - ip route stat /* display ip route table and statistic counters */ - ip route errcnt disp /* display ip route error counters */ - ip route errcnt clear /* clear ip route error counters */ - sys filter disp /* display filter statistic counters */ - sys filter clear /* clear filter statistic counters */ IP Routing problem causes An IP packet for the LAN destination should be routed to the LAN interface ( enif0 in P-202H Plus v2 ), and IP packet for a remote node destination should be sent to the WAN interface if the connection is up, or else the packet will trigger an outcall to that remote node ( if the remote node is not set for 'incoming' only in Call Direction. ) If a packet cannot be routed or cannot trigger a call to remote node, the reason may be due to:

• routing table problem

• the packet has been filtered

• cannot trigger the outcall or the outcall failed due to the reason stated in previous chapter ( Incoming only remote node, Black List, Call Budget, or PPP negotiation failed. ) Steps to verify IP routing problem (1) check if there is any routing error ('ip route errcnt disp'). (2) check if the counter of the specified route increased ('ip route status'). (3) check if any filter counter increased ('sys filter disp'). (4) check if there is any LAN or WAN problem ( refer to sessions: LAN or WAN connection) All contents copyright © 2006 ZyXEL Communications Corporation. 401P-202H Plus v2 Support Notes < Example >

1. Clear the error counter and display it to verify all counters are 0.

P2864> ip route errcnt cl P2864> ip route errcnt dis last route error code = 0 ipRouteFail_Disable 0 ipRouteFail_PktLen 0 ipRouteFail_Header 0 ipRouteFail_CkSum 0 ipRouteFail_OptLen 0 ipRouteFail_OptSRoute 0 ipRouteFail_OptSSRoute 0 ipRouteFail_OptRRoute 0 ipRouteFail_TTL 0 ipRouteFail_No_Route 0 ipRouteFail_Wan_Route 0 ipRouteFail_RnNull 0 ipRouteFail_DF 0 ipRouteFail_Fragment 0

2. Display the IP routing table, and check the 'Use' field for the 'problem' route.

We assume that we are troubleshooting the route to 100.1.1.1 and trying to figure out why the call was not triggered to the remote node. P2864> P2864> ip route st Dest FF Len Interface Gateway Metric stat Timer Use

3. Do a PING to that remote node (IP address 100.1.1.1) from the P-202H Plus

default 00 0 wanIdle Internet 2 0023 0 0 We can see the 'Use' increased from 0 to 3. This is correct, since each 'ip ping' command will try to send 3 packets. So no problem in IP routing. All contents copyright © 2006 ZyXEL Communications Corporation.

| This counter is increased by 1 This ipRouteFail_Wan_Route means routing cannot get a WAN resource to dial out. You can go to Menu 24.1 and verify if both B channels are up already or if the Link is 'Down'. < Example >

1. If the routing table show the 'Use' is the same as before the PING. ( Or any

other traffic that you think should route and trigger the outcall. ) Furthermore, the error counters are still 0's. P-202H Plus v2> ip route st Dest FF Len Interface Gateway Metric stat Timer Use

2. You may want to verify if you have plugged in any filters for that remote node

or LAN. P-202H Plus v2> sys filter sw on P-202H Plus v2> sys filter disp Drop 0 Forward 0 SetNotConfig 0 SetNotActive 0 NonRuleMatch 0 InvalidSet 0 GenMatch 0 GenNotMatch 0 IpMatch 0 IpDefaultMatch 0 IpDefaultNotMatch 0 IpSourceAddr 0 IpDestAddr 0 IpSourceRoute 0 IpTcpConn 0 IpSourcePort 0 IpDestPort 0 IpProtocol 0 All contents copyright © 2006 ZyXEL Communications Corporation. 403P-202H Plus v2 Support Notes IpxMatch 0 IpxDefaultMatch 0 IpxDefaultNotMatch 0 IpxPacketType 0 IpxDestNetwork 0 IpxDestNode 0 IpxDestSocket 0 IpxSourceNetwork 0 IpxSourceNode 0 IpxSourceSocket 0

3. Start a PING or start the traffic from the LAN side to trigger the outcall, and

then display the filter counters again. If the 'Drop' field show some numbers there, then it means that the packet has been filter out, so no outcall was made when the packet was sent to the P- 202H Plus v2.

4. Reset to default configuration file

There are two cases you need to upload the default configuration file to the P- 202H Plus v2, they are:

1. You forget the SMT password and want to reset the password to 1234.

2. You want to reset the configurations to defaults.

Please note that the default configuration file for the new ZyNOS is not compatible with the one for previous ZyNOS versions. So when upgrading your Pretige from the previous ZyNOS to please also update the default configuration file for the new ZyNOS.

• The procedure for uploading the configuration file via the console port is as follows. a. Enter debug mode when powering on the P-202H Plus v2 using a terminal emulator b. Enter 'ATUR3' to start the uploading. c. Use X-modem protocol to transfer the configuration file. d. Enter 'ATGO' to restart the P-202H Plus v2.

• The procedure for uploading the configuration file using TFTP client program via LAN is as follows. a. Use the TELNET client program in your PC to login to your P-202H Plus v2. All contents copyright © 2006 ZyXEL Communications Corporation. 404P-202H Plus v2 Support Notes b. Enter CI command 'sys stdio 0' in menu 24.8 to disable console idle timeout. c. Start the TFTP client program and enter the P-202H Plus v2's IP address. d. To upload the configuration file, put the local configuration file to the P- 202H Plus v2 as a remote file name 'rom-0

All contents copyright © 2006 ZyXEL Communications Corporation. 405P-202H Plus v2 Support Notes Reference

1. ISDN Disconnection Cause

This source of this ISDN cause is from ETS 300 102-1 Annex G. You can download the complete ETS 300 102-1 standard, the layer 3 basic call control, from the site www.etsi.org. Normal Class Code Disconnection Cause 1 Unallocated 2 No route to specified transit network 3 No route to destination 6 Channel unacceptable

Call awarded and being delivered in an established channel 16 Nomal call clearing 17 User busy 18 No user responding 19 No answer from user (user alerted) 21 Call rejected 22 Number changed 27 Destination out of order 28 Invalid formate (address incomplete) 29 Facility rejected 30 Response to status enquiry 31 Normal, unspecified Resource Unavailable Class 34 No circuit/channel available 38 Network out of order 41 Temporary failure All contents copyright © 2006 ZyXEL Communications Corporation. 406P-202H Plus v2 Support Notes 42 Switching equipment congestion 43 Access information discarded 44 Request circuit/channel not available 47 Resource unavailable, unspecified Service or Option not Available Class 49 Quality of service not available 50 Requested facility not subscribed 57 Bearer capability not authorized 58 Bearer capability not presently available 63 Serice or option not available, unspecified Service or Option not Implemented Class 65 Bearer capability not implemented 66 Channel type not implemented 69 Requested facility not implemented

Only restricted digital information bearer capability is unavailable 79 Service option not implemented, unspecified Invalid Message (e.g., parameter out of range) Class 81 Invalid call reference value 82 Identified channel does not exist 83 A suspended call exist, but this call identify 84 Call identity in use 85 No call suspended 86 Call having the requested call identity has been cleared 88 Incompatible destination All contents copyright © 2006 ZyXEL Communications Corporation. 407P-202H Plus v2 Support Notes 91 Invalid transit network selection 95 Invalid message, unspecified Protocol Error (e.g., unknown message) Class 96 Mandatory information element is missing 97 Message type non-existent or not implemented

The Point-to-Point Protocol (PPP) Data Link Layer [146,147,175] contains a 16 bit Protocol field to identify the encapsulated protocol. The Protocol field is consistent with the ISO 3309 (HDLC) extension mechanism for Address fields. All Protocols MUST be assigned such that the least significant bit of the most significant octet equals "0", and the least significant bit of the least significant octet equals "1".