P202H Plus v2 - Routeur ZYXEL - Free user manual and instructions

Find the device manual for free P202H Plus v2 ZYXEL in PDF.

View the manual :

Manual assistant

Waiting for your message

Product information

Brand : ZYXEL

Model : P202H Plus v2

Category : Routeur

Download the PDF manual Print

Download the instructions for your Routeur in PDF format for free! Find your manual P202H Plus v2 - ZYXEL and take your electronic device back in hand. On this page are published all the documents necessary for the use of your device. P202H Plus v2 by ZYXEL.

USER MANUAL P202H Plus v2 ZYXEL

Version3.40 June. 2006

2. How do I access the P-202H Plus v2 SMT menu? 6

3. What data compression protocol does the P-202H Plus v2 support? 6

4. What is the default console port baud rate? Moreover, how do I

5. How do I upload the ZyNOS firmware code via console? 6

6. How do I upgrade/backup the ZyNOS firmware by using TFTP client

7. How do I upload ROMFILE via console port? 7

8. How do I backup/restore SMT configurations by using TFTP client

9. What should I do if I forget the system password? 8

10. What is SUA? When should I use SUA? 8

11. What is the difference between NAT and SUA? 8

12. How many network users can the SUA support? 9

13. How do I capture the PPP log in my P-202H Plus v2? 9

14. Why do we need the input filter in menu 3.1 and call filter in menu

15. How can I protect against IP spoofing attacks? 9

16. What is DNS proxy? 10

17. What is a Nailed-up Connection and when do I need to use it? 11

18. What are Device filters and Protocol filters? 11

19. Why can't I configure device filters or protocol filters? 11

20. The P-202H Plus v2 supports to upload the firmware and

configuration files using FTP, but how do I prevent the outside user

from 'FTP' my P-202H Plus v2? 11

1. How do I collect EPA trace? Moreover, how do I read it? 12

2. Can I prevent the dial-in user from occupying two channels? 12

3. How does 'Dial Prefix to Access Outside Line' in Menu 2 (European

4. What supplemental phone service does P-202H Plus v2 support 12

5. How do I do call waiting/call hold/call retrieve? 13

6. Why doesn't call waiting work as expected? 13

7. How do I do three way calling? 13

8. How do I remove a party from the three-way calling? 13

9. How do I do call transfer? 14

10. How do I blind call transfer? 14

11. What is call forwarding and how do I do it? 14

12. How do I suspend/resume a phone call (terminal portability)? 15

13. What is reminder ring? 15

14. Why doesn't my answering machine on POTS port stop recording?

2P-202H Plus v2 Support Notes

15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European

16. Does P-202H Plus v2 support MP callback to dial-in users? 16

17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting?

18. What are the differences between P-202H, P-202H Plus and P-202H Plus v2? 16

1. What is a network firewall? 17

2. What makes P-202H Plus v2 secure? 17

3. What are the basic types of firewalls? 17

4. What kind of firewall is the P-202H Plus v2? 18

5. Why do you need a firewall when your router has packet filtering and

6. What is Denials of Service (DoS)attack? 18

7. What is Ping of Death attack? 19

8. What is Teardrop attack? 19

9. What is SYN Flood attack? 19

10. What is LAND attack? 19

11 What is Brute-force attack? 19

12. What is IP Spoofing attack? 20

13. What are the default ACL firewall rules in P-202H Plus v2? 20

14. Why static/policy route be blocked by P-202H Plus v2? 20

1. How do I configure the firewall? 22

2. How do I prevent others from configuring my firewall? 23

3. Can I use a browser to configure my P-202H Plus v2? 23

4. Why can't I configure my router using Telnet over WAN? 23

5. Why can't I upload the firmware and configuration file using FTP

6. Why can't I configure my router using Telnet over LAN? 24

7. Why can't I upload the firmware and configuration file using FTP

1. When does the P-202H Plus v2 generate the firewall log? 24

2. What does the log show to us? 24

3. How do I view the firewall log? 25

4. When does the P-202H Plus v2 generate the firewall alert? 25

5. What does the alert show to us? 25

6. What is the difference between the log and alert? 26

IPSec Related FAQ 27

3P-202H Plus v2 Support Notes

2. Why do I need VPN? 27

3. What are most common VPN protocols? 28

6. What is IPSec? 28

8. What are the differences between 'Transport mode' and 'Tunnel

10. What is IKE? 29

11. What is Pre-Shared Key? 29

12. What are the differences between IKE and manual key VPN? 29

1. How do I configure P-202H Plus v2 VPN? 30

2. How many VPN connections does P-202H Plus v2 support? 30

3. What VPN protocols are supported by P-202H Plus v2 VPN? 30

4. What types of encryption does P-202H Plus v2 VPN support? 30

5. What types of authentication does P-202H Plus v2 VPN support? ... 30

6. I am planning my P-202H Plus v2-to-P-202H Plus v2 VPN

configuration. What do I need to know? 30

7. Does P-202H Plus v2 support dynamic secure gateway IP? 31

8. What VPN gateway that has been tested with P-202H Plus v2

9. What VPN software that has been tested with P-202H Plus v2

10.Will ZyXEL support Secure Remote Management? 32

11. Does P-202H Plus v2 VPN support NetBIOS broadcast? 32

12. What are the difference between the 'My IP Address' and 'Secure

Gateway IP Address' in Menu 27.1.1? 32

13. Is the host behind NAT allowed to use IPSec? 32

14. Why does VPN throughput decrease when staying in SMT menu

15. How do I configure P-202H Plus v2 with NAT for internal servers? 33

1. What is SSH Sentinel VPN client? 34

2. Why do I need to use Sentinel? 34

3. Does SSH Sentinel work with the PPP over Ethernet (PPPoE)

protocol, which is used by the ADSL Network Adapter cards? 34

4. How to configure Pre-IPSec filter? 34

5. What is "Acquire virtual IP address" for? Should I check this box? 34

6. What is "Extended Authentication"? Should I check this box? 34

7. Does Sentinel support IP range? 35

8. Does Sentinel support 2 VPN connections at the same time? 35

9. What is this option, “Attach the selected values to proposal only” for?

10. How to initiate a VPN tunnel from Sentinel?

11. Can P-202H Plus v2 be the initiator of VPN tunnel to Sentinel? 35

4P-202H Plus v2 Support Notes

12. How can I verify if the VPN connection is up in Sentinel? 35

8. Supplemental Service 95

1. Using IPSec VPN 139

2. P-202H Plus v2 vs 3rd Party VPN Gateway 159

3. P-202H Plus v2 vs 3rd Party VPN Software 208

4. Configure NAT for Internal Servers 346

5. VPN Routing between Branch Offices 347

3. LAN/WAN Packet Trace 370

4. Using TFTP to upload/download ZyNOS via LAN 381

5. Using FTP to Upload Firmware and Configuration Files 385

ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all

P-202H Plus v2 routers that delivers network services and applications. It is

designed in a modular fashion so it is easy for developers to add new features.

New ZyNOS software upgrades can be easily downloaded from our FTP sites as

they become available.

2. How do I access the P-202H Plus v2 SMT menu?

The SMT interface is a menu driven interface, which can be accessed via a

RS232 console or a Telnet connection. To access the P-202H Plus v2 via SMT

console port, a computer equipped with communication software such as

HyperTerminal must be configured to the following parameters.

• VT100 terminal emulation

• N81 data format (No Parity, 8 data bits, 1 stop bit)

The default console port baud rate is 9600bps. You can change it to 115200bps

in Menu 24.2.2 to speed up access of the SMT.

3. What data compression protocol does the P-202H Plus v2 support?

The P-202H Plus v2 supports STAC compression. Please note that STAC is not

enabled in the P-202H Plus v2 by default. You can enable it in Remote Node

setup (SMT menu 11.2, Edit PPP Option).

4. What is the default console port baud rate? Moreover, how do I change it?

The default console port baud rate is 9600bps. When configuring the SMT,

please make sure that terminal baud rate is also 9600bps. You can change the

console baud rate from 9600bps to 57600 to speed up SMT access, by using

5. How do I upload the ZyNOS firmware code via console?

The procedure for uploading via console is as follows.

a. Enter debug mode when powering on the P-202H Plus v2 using a terminal

b. Enter 'ATUR' to start the uploading

c. Use X-modem protocol to transfer the ZyNOS code

d. Enter 'ATGO' to restart the P-202H Plus v2

6. How do I upgrade/backup the ZyNOS firmware by using TFTP client

The P-202H Plus v2 allows you to transfer the firmware from/to P-202H Plus v2

by using TFTP program via LAN. The procedure for uploading via TFTP is as

a. Use the TELNET client program in your PC to login to your P-202H Plus

v2, and use Menu 24.8 to enter CI command 'sys stdio 0' to disable

console idle timeout.

b. To upgrade firmware, use TFTP client program to put firmware in file 'ras'

in the P-202H Plus v2.

c. When the data transfer is finished, the P-202H Plus v2 will program the

upgraded firmware into FLASH ROM and reboot itself.

d. To backup your firmware, use the TFTP client program to get file 'ras'

from the P-202H Plus v2.

7. How do I upload ROMFILE via console port?

In some situations, such as losing the system password or the need of resetting

SMT to factory default you may need to upload the ROMFILE.

The procedure for uploading via the console port is as follows.

a. Enter debug mode when powering on the P-202H Plus v2 using a terminal

b. Enter 'ATUR3' to start the uploading

c. Use X-modem protocol to transfer ROMFILE

d. Enter 'ATGO' to restart the P-202H Plus v2

8. How do I backup/restore SMT configurations by using TFTP client

a. Use the TELNET client program in your PC to login to your P-202H Plus

v2, and use Menu 24.8 to enter CI command 'sys stdio 0' to disable

console idle timeout

7P-202H Plus v2 Support Notes

b. To backup the SMT configurations, use TFTP client program to get file

'rom-0' from the P-202H Plus v2.

c. To restore the SMT configurations, use the TFTP client program to save

your configuration in file 'rom-0' in the P-202H Plus v2.

9. What should I do if I forget the system password?

In case you forget the system password, you can upload ROMFILE to reset the

SMT to factory default. After uploading ROMFILE, the default system password

10. What is SUA? When should I use SUA?

SUA (Single User Account) is a unique feature supported by P-202H Plus v2

router which allows multiple people to access Internet concurrently for the cost of

a single user account.

When P-202H Plus v2 acting as SUA receives a packet from a local client

destined for the outside Internet, it replaces the source address in the IP packet

header with its own address and the source port in the TCP or UDP header with

another value chosen out of a local pool. It then recomputes the appropriate

header checksums and forwards the packet to the Internet as if it is originated

from P-202H Plus v2 using the IP address assigned by ISP. When reply packets

from the external Internet are received by P-202H Plus v2, the original IP source

address and TCP/UDP source port numbers are written into the destination fields

of the packet (since it is now moving in the opposite direction), the checksums

are recomputed, and the packet is delivered to its true destination. This is

because SUA keeps a table of the IP addresses and port numbers of the local

systems currently using it.

11. What is the difference between NAT and SUA?

NAT is a generic name defined in RFC 1631 'The IP Network Address Translator

SUA (Internet Single User Account) is ZyXEL's implementation and trade name

for functioning PAT (Port Address Translation) which is a specific type of NAT.

SUA( or PAT for NAT) translates address into port mapping.

The primary motivation for RFC 1631 is that there is not enough IP address to go

around. In addition, great many corporations simply did not bother to obtain legal

(globally unique) IP addresses for their networks and now finding themselves

unable to connect to the Internet.

Basically, NAT is a process of translating one address to another. A NAT

implementation can be as simple as substituting an IP address with another. This

8P-202H Plus v2 Support Notes

allows a network to rectify the illegal address problem mentioned above without

going through each and every host.

The aim of ZyXEL's SUA is to minimize the Internet access cost in a small office

environment by using a single IP address to represent the multiple hosts inside. It

does more than IP address translation, it also enables hosts on the LAN can

access the Internet at the same time.

12. How many network users can the SUA support?

The fixed-size translation table limits the number of simultaneous. A reasonable

number will be less than 20 users. Beyond that, the limited modem bandwidth

would probably become the bottleneck and any increase in the translation table

13. How do I capture the PPP log in my P-202H Plus v2?

The procedure to capture the PPP log in P-202H Plus v2 is as following.

To enable the capture of PPP log before a connection is established:

a. Enter SMT Menu 24.8, the CI command mode

To display the PPP log after a connection is disconnected:

b. Enter 'sys trcp sw off' command

c. Enter 'sys trcl disp' command

14. Why do we need the input filter in menu 3.1 and call filter in menu 11.1?

Two factory default filter sets have been optimized for Internet connection. They

are configured in menu 21 and applied to menu 3.1 and menu 11.5 to prevent

NETBIOS triggering the call. You can remove it if you do not need it.

15. How can I protect against IP spoofing attacks?

The P-202H Plus v2's filter sets provide a means to protect against IP spoofing

attacks. The basic scheme is as follows:

For the incoming data filter:

9P-202H Plus v2 Support Notes

• Deny packets from the outside that claim to be from the inside

• Allow everything that is not spoofing us

• Source IP Mask =w.x.y.z

• Action Matched =Drop

• Action Not Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask:

For the outgoing data filters:

• Deny bounceback packet

• Allow packets that originate from us

• Destination IP Mask =w.x.y.z

• Action Matched =Drop

• Action No Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.

16. What is DNS proxy?

If enabled, DNS Proxy allows the P-202H Plus v2 to act as the DNS server for

the local network. The P-202H Plus v2 gets the IP address of the actual DNS

server from the remote site via IPCP negotiation. Note this feature only works if

the remote site supports RFC 1877.

How do I turn on DNS Proxy?

DNS Proxy is enabled only if the selection of the DHCP field under DHCP Setup

in Menu 3.2 is Server and the Primary DNS Server is set to 0.0.0.0. (this is the

factory default). If the DNS Proxy is enabled, the P-202H Plus v2 will assign its IP

address as the Primary DNS in the responses to DHCP requests on the local

10P-202H Plus v2 Support Notes

How do I set DNS other than P-202H Plus v2 IP address?

The P-202H Plus v2 assigns the values entered in Primary DNS server and

Secondary DNS server fields in Menu 3.2 to the responses to the DHCP

requests on the local network if the DHCP Server function is enabled.

17. What is a Nailed-up Connection and when do I need to use it?

A Nailed-up Connection, when enabled, emulates a leased line connection even

though the physical line is a dial-up connection. The P-202H Plus v2 dials and

holds up a connection, without any traffic requesting it.

When you want the link to be always up, you need to use it.

18. What are Device filters and Protocol filters?

In ZyNOS, the filters have been separated into two groups. One group is called

'device filter group', and the other is called 'protocol filter group'. Generic filters

belong to the 'device filter group', TCP/IP and IPX filters belong to the 'protocol

19. Why can't I configure device filters or protocol filters?

In ZyNOS, you can not mix different filter groups in the same filter set.

20. The P-202H Plus v2 supports to upload the firmware and configuration

files using FTP, but how do I prevent the outside user from 'FTP' my P-202H Plus v2?

The P-202H Plus v2 supports to upload the firmware and configuration files using

FTP connections via LAN and WAN. So, this becomes unsecure that anyone can

make a FTP connection over the Internet to your P-202H Plus v2. To prevent

from outside users connecting to your P-202H Plus v2 via FTP, you can

configure a filter to block the FTP connection from WAN.

11P-202H Plus v2 Support Notes

1. How do I collect EPA trace? Moreover, how do I read it?

• Enable the trace in Menu 24.8 by the following CI command:

• Make a call to remote node or ISP by:

dev dial N (N is the remote node number)

dev channel drop bri0|bri1 (bri0 for B1 channel, bri1 for B2 channel)

• Display the trace by:

2. Can I prevent the dial-in user from occupying two channels?

Yes. You can use a CI command to prevent the dial-in user from occupying two

Please enter to menu 24.8 and type the CI command:

ppp lcp mpin off (or on to allow two channels)

3. How does 'Dial Prefix to Access Outside Line' in Menu 2 (European

This prefix will be placed in front of the outgoing call phone numbers when you

make an outgoing call.

4. What supplemental phone service does P-202H Plus v2 support

The P-202H Plus v2 supports the following supplementary phone features on

both of its POTS ports.

 Terminal Portability(Suspend/Resume)

Most supplementary services are not free, please check with your telephone

company for the services they offer.

5. How do I do call waiting/call hold/call retrieve?

• Put your current call on hold and answer the incoming call - after hearing

the call waiting tone, press and immediately release the Flash button on

• Put your current call on hold and switch to another call - press and

immediately release the Flash button on your telephone.

• Hang up your current call before answering the incoming call - hang up

the phone and wait for answering the incoming call.

• Hang up the current active call and switch back to the other call - hang up

and wait for the phone to ring. Then pick up the phone to return to the

6. Why doesn't call waiting work as expected?

An incoming caller will receive a busy signal if:

• You have two calls active (one active and one on hold; or both active by

using Three-Way Calling).

• You are dialing a number on the B channel the incoming caller is

attempting to reach, but have not yet established a connection.

If no action is taken to answer the call (call waiting indicator tone is ignored), the

call waiting tones will disappear after about 20 seconds.

7. How do I do three way calling?

• Press the Flash key to put the existing call on hold and receive a dial tone.

• Dial the third party's phone number.

• When you are ready to conference the call together, press the Flash key

again to establish a three way conference call.

8. How do I remove a party from the three-way calling?

Simply press the Flash key. The last call that was added to the conference is

13P-202H Plus v2 Support Notes

If you hang up your telephone during a three-way call and the two other callers

remain on the line, the ISDN network will do an implicit transfer to directly

connect the two remaining callers together.

9. How do I do call transfer?

Call Transfer allows you to transfer an active call to a third party. This service

must be subscribed from your telephone company.

Transferring an active call to a third party:

• Once you have an active call (Caller A), press Flash key to put Caller A

on hold and receive a dial tone.

• Dial the third party's phone number (Caller B).

• When you are ready to conference the two calls together, press Flash key

to a Three-Way Conference call.

• Hang up the phone. The ISDN network does an implicit transfer to directly

connect Caller A with Caller B.

10. How do I blind call transfer?

• Once you have an active call (Caller A), press Flash key to put the

existing call on hold and receive a dial tone.

• Dial the third party's phone number (Caller B).

• Before Caller B picks up the call, you can transfer the call by pressing the

Flash key. The call is automatically transferred.

11. What is call forwarding and how do I do it?

The call forwarding means the switch will ring another number at a place where

you will be when sometime dials your directory number. There are two methods

to active call forwarding, either method should work fine and you can use

whichever one you are most comfortable.

 The first is exactly the same as on an analog line, i.e., you pick up the

handset and dial the access code assign by your telephone company and

the number that you want the calls forwarded. Check with your telephone

company for this access code.

 The second is with the 'phone flash' commands where you pick up the

handset and press the flash key before dialing the following:

*20*forward-number# Active CFB (Call Forwarding Busy)

*21*forward-number# Active CFU (Call Forwarding

14P-202H Plus v2 Support Notes

*22*forward-number# Active CFNR (Call Forwarding No Reply

12. How do I suspend/resume a phone call (terminal portability)?

The Terminal Portability service allows you to suspend a phone call temporarily.

You can then resume this call later, at another location if you so wish.

To suspend an active phone call:

• Press the flash key twice.

• Dial *3n*#, where n is any number from 1 to 9.

To resume your phone call:

• Reconnect at a (n) (ISDN) telephone that is linked to the same S/T

interface (Network Terminator-1, NT1) where you suspended the call.

• Pick up the handset and press the Flash key

• Dial #3n#, where n is any number from 1 to 9, but should be identical to

13. What is reminder ring?

The P-202H Plus v2 sends a single short ring to your telephone every time a call

has been forwarded(US switches only).

14. Why doesn't my answering machine on POTS port stop recording?

Most answering machines stop recording when a busy tone is detected. But

some may not. Some answering machine only recongnize that a calling party has

hung up after a period of silence. In this case, if such an answering machine is

attched to the POTS port of P-202H Plus v2 you need to configure the 'Hangup

Silence Time(sec)=' in SMT menu 2.1 to determine the silence time period. By

doing so, once P-202H Plus v2 receives busy tones from the switch it sends the

silence tone to the answering machine on POTS meanwhile.

15. What are CLIP and CLIR in Advanced Setup of Menu 2 (European

CLIP or CLIR refers to CLID Presented or Restricted. The P-202H Plus v2 can

set the CLIP/CLIR bit at SETUP message to request the Switch, to include the

15P-202H Plus v2 Support Notes

calling party number or not when the switch sends the SETUP message to the

called party. You need subscribe to it first (see supplemental services)

16. Does P-202H Plus v2 support MP callback to dial-in users?

No, P-202H Plus v2 only supports single link PPP to dial-in users.

17. Does ZyNOS support IRC, Real Player, CU-SeeMe and NetMeeting?

Yes. For the detail of the settings please refer to the Tested SUA Applications

18. What are the differences between P-202H, P-202H Plus and P-202H Plus

The differences between P-202H, P-202H Plus and P-202H Plus v2 are listed in

the following table.

Feature / Model P-202H P-202H Plus P-202H Plus v2

Ethernet Port 1 10/100M 4 10/100M 4 10/100M

Server (Dial-in user

Y Y Y RADIUS Y Y Y LAN-to-LAN Connection

Firewall FAQ General

1. What is a network firewall?

A firewall is a system or group of systems that enforces an access-control policy

between two networks. It may also be defined as a mechanism used to protect a

trusted network from an untrusted network. The firewall can be thought of two

mechanisms. One to block the traffic, and the other to permit traffic.

2. What makes P-202H Plus v2 secure?

The P-202H Plus v2 is pre-configured to automatically detect and thwart Denial

of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound

connection is allowed through the firewall to the private LAN. The P-202H Plus

v2supports Network Address Translation (NAT), which translates the private local

addresses to one or multiple public addresses. This adds a level of security since

the clients on the private LAN are invisible to the Internet.

3. What are the basic types of firewalls?

Conceptually, there are three types of firewalls:

1. Packet Filtering Firewall

2. Application-level Firewall

3. Stateful Inspection Firewall

Packet Filtering Firewalls generally make their decisions based on the header

information in individual packets. These header information include the source,

destination addresses and ports of the packets.

Application-level Firewalls generally are hosts running proxy servers, which

permit no traffic directly between networks, and which perform logging and

auditing of traffic passing through them. A proxy server is an application gateway

or circuit-level gateway that runs on top of general operating system such as

UNIX or Windows NT. It hides valuable data by requiring users to communicate

with secure systems by mean of a proxy. A key drawback of this device is

Stateful Inspection Firewalls restrict access by screening data packets against

defined access rules. They make access control decisions based on IP address

and protocol. They also 'inspect' the session data to assure the integrity of the

connection and to adapt to dynamic protocols. The flexible nature of StatefulP-202H Plus v2 Support Notes

Inspection firewalls generally provides the best speed and transparency,

however, they may lack the granular application level access control or caching

that some proxies support.

4. What kind of firewall is the P-202H Plus v2?

1. The P-202H Plus v2's firewall inspects packets contents and IP headers. It

is applicable to all protocols, that understands data in the packet is

intended for other layers, from network layer up to the application layer.

2. The P-202H Plus v2's firewall performs stateful inspection. It takes into

account the state of connections it handles so that, for example, a

legitimate incoming packet can be matched with the outbound request for

that packet and allowed in. Conversely, an incoming packet masquerading

as a response to a nonexistent outbound request can be blocked.

3. The P-202H Plus v2's firewall uses session filtering, i.e., smart rules, that

enhance the filtering process and control the network session rather than

control individual packets in a session.

4. The P-202H Plus v2's firewall is fast. It uses a hashing function to search

the matched session cache instead of going through every individual rule

5. The P-202H Plus v2's firewall provides email service to notify you for

routine reports and when alerts occur.

5. Why do you need a firewall when your router has packet filtering and

With the spectacular growth of the Internet and online access, companies that do

business on the Internet face greater security threats. Although packet filter and

NAT restrict access to particular computers and networks, however, for the other

companies this security may be insufficient, because packets filters typically

cannot maintain session state. Thus, for greater security, a firewall is considered.

6. What is Denials of Service (DoS)attack?

Denial of Service (DoS) attacks are aimed at devices and networks with a

connection to the Internet. Their goal is not to steal information, but to disable a

device or network so users no longer have access to network resources.

There are four types of DoS attacks:

1. Those that exploits bugs in a TCP/IP implementation such as Ping of

2. Those that exploits weaknesses in the TCP/IP specification such as SYN Flood and LAND Attacks.

18P-202H Plus v2 Support Notes

3. Brute-force attacks that flood a network with useless data such as Smurf

7. What is Ping of Death attack?

Ping of Death uses a 'PING' utility to create an IP packet that exceeds the

maximum 65535 bytes of data allowed by the IP specification. The oversize

packet is then sent to an unsuspecting system. Systems may crash, hang, or

8. What is Teardrop attack?

Teardrop attack exploits weakness in the reassemble of the IP packet fragments.

As data is transmitted through a network, IP packets are often broken up into

smaller chunks. Each fragment looks like the original packet except that it

contains an offset field. The Teardrop program creates a series of IP fragments

with overlapping offset fields. When these fragments are reassembled at the

destination, some systems will crash, hang, or reboot.

9. What is SYN Flood attack?

SYN attack floods a targeted system with a series of SYN packets. Each packet

causes the targeted system to issue a SYN-ACK response, While the targeted

system waits for the ACK that follows the SYN-ACK, it queues up all outstanding

SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are

moved off the queue only when an ACK comes back or when an internal timer

(which is set a relatively long intervals) terminates the TCP three-way handshake.

Once the queue is full , the system will ignore all incoming SYN requests, making

the system unavailable for legitimate users.

10. What is LAND attack?

In a LAN attack, hackers flood SYN packets to the network with a spoofed source

IP address of the targeted system. This makes it appear as if the host computer

sent the packets to itself, making the system unavailable while the target system

tries to respond to itself.

11 What is Brute-force attack?

A Brute-force attack, such as 'Smurf' attack, targets a feature in the IP

specification known as directed or subnet broadcasting, to quickly flood the target

network with useless data. A Smurf hacker flood a destination IP address of each

packet is the broadcast address of the network, the router will broadcast the

ICMP echo request packet to all hosts on the network. If there are numerous

19P-202H Plus v2 Support Notes

hosts, this will create a large amount of ICMP echo request packet, the resulting

ICMP traffic will not only clog up the 'intermediary' network, but will also congest

the network of the spoofed source IP address, known as the 'victim' network.

This flood of broadcast traffic consumes all available bandwidth, making

communications impossible.

12. What is IP Spoofing attack?

Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing may

be used to break into systems, to hide the hacker's identity, or to magnify the

effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized

access to computers by tricking a router or firewall into thinking that the

communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the

packets originate from a trusted host and should be allowed through the router or

13. What are the default ACL firewall rules in P-202H Plus v2?

There are two default ACLs pre-configured in the P-202H Plus v2, one allows all

connections from LAN to WAN and the other blocks all connections from WAN to

LAN except of the DHCP packets.

14. Why static/policy route be blocked by P-202H Plus v2?

P-202H Plus v2 is an ideal secure gateway for all data passing between the

Internet and the LAN/DMZ. For some reasons (load balance or backup line),

users may want traffic to be re-routed to another Internet access devices while

still be protected by P-202H Plus v2. In such case, the network topology is the

most important issue. Here is a common example that people mis-deploy the

20P-202H Plus v2 Support Notes

The above figure indicates the "triangle route" topology. It works fine if you turn

off firewall function on P-202H Plus v2 box. However, if you turn on firewall, your

connection will be blocked by firewall because of the following reason.

Step 1. Being the default gateway of PC, P-202H Plus v2 will receive all

"outgoing" traffic from PC.

Step 2. And because of Static route/Policy Routing, P-202H Plus v2

forwards the traffic to another gateway (ISDN/Router) which is in the

same segment as P-202H Plus v2's LAN.

Step 3. However the return traffic won't go back to P-202H Plus v2, in stead,

the "another gateway (ISDN/Router)" will send back the traffic to PC

directly. Because the gateway (say, P201) and the PC are in the same

When firewall is turned on, P-202H Plus v2 will check the outgoing traffic by ACL

and create dynamic sessions to allow return traffic to go back. To achieve Anti-

DoS, P-202H Plus v2 will send RST packets to the PC and the peer since it

never receives the TCP SYN/ACK packet. Thus the connection will always be

reset by P-202H Plus v2.

(A) Deploying your second gateway in IP alias segment is a better solution. In

this way, your connection can be always under control of firewall. And thus there

won't be Triangle Route problem.

21P-202H Plus v2 Support Notes

(B) Deploying your second gateway on WAN side.

Triangle Route topology in both CI command and Web configurator . You can

issue this command, "sys firewall ignore triangle all on" , to allow firewall

bypass triangle route checking. In Web GUI, you can find this option in firewall

But we would like to notify that if you allow Triangle Route, any traffic will

be easily injected into the protected network through the unprotected

gateway. In fact, it's a security hole in protected your network.

1. How do I configure the firewall?

P-202H Plus v2 supports a embedded web server so that you can use the web

brower to configure it from any OS platform.

22P-202H Plus v2 Support Notes

2. How do I prevent others from configuring my firewall?

There are several ways to protect others from touching the settings of your

1. Change the default password since it is required when setting up the

firewall using Telnet, Console or Web browser.

2. Limit who can Telnet to your router. You can enter the IP address of the

secured LAN host in SMT Menu 24.11 to allow Telnet to your P-202H Plus

v2. The default value in this field is 0.0.0.0, which means you do not care

which host is trying to Telnet your P-202H Plus v2.

3. Can I use a browser to configure my P-202H Plus v2?

Yes, you can use a web browser to configure the P-202H Plus v2.

4. Why can't I configure my router using Telnet over WAN?

There are three reasons that Telnet from WAN is blocked.

1. When the firewall is turned on, all connections from WAN to LAN are

blocked by the default ACL rule. To enable Telnet from WAN, you must

turn the firewall off (Menu 21.2) or create a firewall rule to allow Telnet

connection from WAN. The WAN-to-LAN ACL summary will look like as

Source IP= Telnet host

Destination IP= router' WAN IP Service= TCP/23

2. You have disabled Telnet service in Menu 24.11.

3. Telnet service is enabled but your host IP is not the secured host entered

in Menu 24.11. In this case, the error message 'Client IP is not allowed!'

is appeared on the Telnet screen.

4. The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol

5. The console port is in use.

5. Why can't I upload the firmware and configuration file using FTP over

1. When the firewall is turned on, all connections from WAN to LAN are

blocked by the default ACL rule. To enable FTP from WAN, you must turn the

23P-202H Plus v2 Support Notes

firewall off (Menu 21.2) or create a firewall rule to allow FTP connection from

WAN. The WAN-to-LAN ACL summary will look like as shown below.

Destination IP= P-202H Plus v2's WAN IP Service= FTP TCP/21, TCP/20

2. You have disabled FTP service in Menu 24.11.

3. The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol

6. Why can't I configure my router using Telnet over LAN?

1. You have disabled Telnet service in Menu 24.11.

2. Telnet service is enabled but your host IP is not the secured host entered

in Menu 24.11. In this case, the error message 'Client IP is not allowed!'

is appeared on the Telnet screen.

3. The default filter rule 3 (Telnet_FTP_LAN) is applied in the Input Protocol

4. The console port is in use.

7. Why can't I upload the firmware and configuration file using FTP over

1. 1. You have disabled FTP service in Menu 24.11.

2. The default filter rule 3 (Telnet_FTP_LAN) is applied in the Input Protocol

1. When does the P-202H Plus v2 generate the firewall log?

The P-202H Plus v2 generates the log immediately when the packet match,

doesn't match (or both) a firewall rule. The log for Default Permit (LAN to WAN,

WAN to LAN) is generated automatically. To generate the log for custom rules,

the Log option in Web Configurator must be set to Not Match, Match, or Both.

The Reason column for the default permit shown in the log will be 'default

permit, <1, 00> or <2, 00>'. Here <1, 00> means the LAN-to-WAN default ACL

set, <2, 00> means the WAN-to-LAN default ACL set.

2. What does the log show to us?

24P-202H Plus v2 Support Notes

The log supports up to 128 entries. There are 2 rows and 5 columns for each

entry. Please see the example shown below.

# Time Packet Information Reason Action

Where <X,Y> stands for <Set number, Rule number>. X=1,2 ; Y=00~10. There

are two policy sets, set 1 for rules checking connections from LAN to WAN and

set 2 for rules checking connections from WAN to LAN. So, X=1 means set 1 and

Y means the rule in the set. Because we can configure up to 10 rules in a set, so

Y can be from 1 to 10. If the rule number shows 00, it means the Default Rule.

3. How do I view the firewall log?

The log keeps 128 entries, the new entries will overwrite the old entries when the

log has over 128 entries.

There are three ways to view the firewall log:

1. View the log from SMT Menu 21.3-View Firewall Log

2. View the log using CI command-sys firewall display

3. View the log from Web Configurator

4. When does the P-202H Plus v2 generate the firewall alert?

The P-202H Plus v2 generates the alert when an attack is detected by the

firewall and sends it via Email. So, to send the alert you must configure the mail

server and Email address using Web Configurator. You can also specify how

frequently you want to receive the alert via Web Configurator.

5. What does the alert show to us?

The alert shown in the Email is actually the evens of the attack. So, the Reason

column shows Attack and the attack type. Please see the example shown

# Time Packet Information Reason Action

127|Mar 15 0 |From:192.168.1.1 To:192.168.1.1 |attack |block

| 03:04:54|ICMP type:00008 code:00000 |land |

25P-202H Plus v2 Support Notes

6. What is the difference between the log and alert?

A log entry is just added to the log inside the P-202H Plus v2 and e-mailed

together with all other log entries at the scheduled time as configured. An alert is

e-mailed immediately after an attacked is detected.

26P-202H Plus v2 Support Notes

IPSec Related FAQ IPSec FAQ VPN Overview

A VPN gives users a secure link to access corporate network over the Internet or

other public or private networks without the expense of lease lines. A secure

VPN is a combination of tunneling, encryption, authentication, access control and

auditing technologies/services used to transport traffic over the Internet or any

insecure network that uses the TCP/IP protocol suite for communication.

2. Why do I need VPN?

There are some reasons to use a VPN. The most common reasons are because

of security and cost.

With authentication, VPN receiver can verify the source of packets and

guarantee the data integrity.

With encryption, VPN guarantees the confidentiality of the original user data.

1). Cut long distance phone charges

Because users typically dial the their local ISP for VPN, thus, long distance

phone charge is reduced than making a long direct connection to the remote

2).Reducing number of access lines

Many companies pay monthly charges for two types access lines: (1) high-speed

links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or

T1 lines to carry data. A VPN may allow a company to carry the data traffic over

its Internet access lines, thus reducing the need for some installed lines.

3. What are most common VPN protocols?

There are currently three major tunneling protocols for VPNs. They are Point-to-

Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet

Protocol Security (IPSec).

PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets

to be encapsulated within Internet Protocol (IP) packets and forwarded over any

IP network, including the Internet itself. The PPTP is supported in Windows NT

and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-

Up Networking 1.2 upgrade.

Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point

Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable

the operation of a virtual private network (VPN) over the Internet.

IPSec is a set of IP extensions developed by IETF (Internet Engineering Task

Force) to provide security services compatible with the existing IP standard

(IPv.4) and also the upcoming one (IPv.6). In addition, IPSec can protect any

protocol that runs on top of IP, for instance TCP, UDP, and ICMP. The IPSec

provides cryptographic security services. These services allow for authentication,

integrity, access control, and confidentiality. IPSec allows for the information

exchanged between remote sites to be encrypted and verified. You can create

encrypted tunnels (VPNs), or just do encryption between computers. Since you

have so many options, IPSec is truly the most extensible and complete network

7. What secure protocols does IPSec support?

There are two protocols provided by IPSec, they are AH (Authentication Header,

protocol number 51) and ESP (Encapsulated Security Payload, protocol number

8. What are the differences between 'Transport mode' and 'Tunnel mode?

The IPSec protocols (AH and ESP) can be used to protect either an entire IP

payload or only the upper-layer protocols of an IP payload. Transport mode is

mainly for an IP host to protect the data generated locally, while tunnel mode is

28P-202H Plus v2 Support Notes

for security gateway to provide IPSec service for other machines lacking of IPSec

In this case, Transport mode only protects the upper-layer protocols of IP

payload (user data). Tunneling mode protects the entire IP payload including

There is no restriction that the IPSec hosts and the security gateway must be

separate machines. Both IPSec protocols, AH and ESP, can operate in either

transport mode and tunnel mode.

A Security Association (SA) is a contract between two parties indicating what

security parameters, such as keys and algorithms they will use.

IKE is short for Internet Key Exchange. Key Management allows you to

determine whether to use IKE (ISAKMP) or manual key configuration to set up a

There are two phases in every IKE negotiation- phase 1 (Authentication) and

phase 2 (Key Exchange). Phase 1 establishes an IKE SA and phase 2 uses that

SA to negotiate SAs for IPSec.

11. What is Pre-Shared Key?

A pre-shared key identifies a communicating party during a phase 1 IKE

negotiation. It is called 'Pre-shared' because you have to share it with another

party before you can communicate with them over a secure connection.

12. What are the differences between IKE and manual key VPN?

The only difference between IKE and manual key is how the encryption keys and

SPIs are determined.

• For IKE VPN, the key and SPIs are negotiated from one VPN gateway to

the other. Afterward, two VPN gateways use this negotiated keys and

SPIs to send packets between two networks.

• For manual key VPN, the encryption key, authentication key (if needed),

and SPIs are predetermined by the administrator when configuring the

security association.

29P-202H Plus v2 Support Notes

IKE is more secure than manual key, because IKE negotiation can generate new

keys and SPIs randomly for the VPN connection.

1. How do I configure P-202H Plus v2 VPN?

You can configure P-202H Plus v2 for VPN using SMT or Web configurator. P-

202H Plus v2 1 supports Web only.

2. How many VPN connections does P-202H Plus v2 support?

One P-202H Plus v2 202H Plus supports 2 VPN connections.

3. What VPN protocols are supported by P-202H Plus v2 VPN?

All P-202H Plus v2 series support ESP (protocol number 50) and AH (protocol

4. What types of encryption does P-202H Plus v2 VPN support?

P-202H Plus v2 supports 56-bit DES and 168-bit 3DES.

5. What types of authentication does P-202H Plus v2 VPN support?

VPN vendors support a number of different authentication methods. P-202H Plus

v2 VPN supports both SHA1 and MD5.

AH provides authentication, integrity, and replay protection (but not

confidentiality). Its main difference with ESP is that AH also secures parts of the

IP header of the packet (like the source/destination addresses), but ESP does

ESP can provide authentication, integrity, replay protection, and confidentiality of

the data (it secures everything in the packet that follows the header). Replay

protection requires authentication and integrity (these two go always together).

(encryption) can be used with or without authentication/integrity. Similarly, one

could use authentication/integrity with or without confidentiality.

6. I am planning my P-202H Plus v2-to-P-202H Plus v2 VPN configuration.

What do I need to know?

30P-202H Plus v2 Support Notes

First of all, both P-202H Plus v2 must have VPN capabilities. Please check the

firmware version, V3.50 or later has the VPN capability.

If your P-202H Plus v2 is capable of VPN, you can find the VPN options in

For configuring a "box-to-box VPN", there are some tips:

1. If there is a NAT router running in the front of P-202H Plus v2, please

make sure the NAT router supports to pass through IPSec.

2. In NAT case (either run on the frond end router, or in P-202H Plus v2 VPN

box), only IPSec ESP tunneling mode is supported since NAT againsts AH

3. Source IP/Destination IP-- Please do not number the LANs (local and

remote) using the same exact range of private IP addresses. This will

make VPN destination addresses and the local LAN addresses are

indistinguishable, and VPN will not work.

4. Secure Gateway IP Address -- This must be a public, routable IP

address, private IP is not allowed. That means it can not be in the 10.x.x.x

subnet, the 192.168.x.x subnet, nor in the range 172.16.0.0 -

172.31.255.255 (these address ranges are reserved by internet standard

for private LAN numberings behind NAT devices). It is usually a static IP

so that we can pre-configure it in P-202H Plus v2 for making VPN

connections. If it is a dynamic IP given by ISP, you still can configure this

IP address after the remote P-202H Plus v2 is on-line and its WAN IP is

7. Does P-202H Plus v2 support dynamic secure gateway IP?

If the remote VPN gateways uses dynamic IP, we enter 0.0.0.0 as the Secure

Gateway IP Address in P-202H Plus v2. In this case, the VPN connection can

only be initiated from dynamic side to fixed side in order to update its dynamic IP

to the fixed side. However, if both gateways use dynamic IP addresses, it is no

way to establish VPN connection at all.

8. What VPN gateway that has been tested with P-202H Plus v2

We have tested P-202H Plus v2 successfully with the following third party VPN

9. What VPN software that has been tested with P-202H Plus v2

We have tested P-202H Plus v2 successfully with the following third party VPN

• Intel VPN, v. 6.90

• Windows 2000, IPSec

10.Will ZyXEL support Secure Remote Management?

Yes, we will support it and we are working on it currently.

11. Does P-202H Plus v2 VPN support NetBIOS broadcast?

The current 3.40 firmware release does not support it. But it is in our wish list.

12. What are the difference between the 'My IP Address' and 'Secure

Gateway IP Address' in Menu 27.1.1?

'My IP Adderss' is the Internet IP address of the local P-202H Plus v2. The

'Secure Gateway IP Address' is the Internet IP address of the remote IPSec

13. Is the host behind NAT allowed to use IPSec?

NAT Condition Supported IPSec Protocol

VPN Gateway embedded

NAT AH tunnel mode, ESP tunnel

NAT in Transport mode None

* The NAT router must support IPSec pass through. For example, for P-202H Plus v2 SUA/NAT routers, IPSec pass through is supported since ZyNOS 3.21.

The default port and the client IP have to be specified in menu 15-SUA Server

14. Why does VPN throughput decrease when staying in SMT menu 24.1?

If P-202H Plus v2 stays in menu 24.1, 24.8 and 27.3 a certain of memory is

allocated to generate the required statistics. So, we do not suggest to stay in

menu 24.1, 27.3 and 24.8 when VPN is in use.

15. How do I configure P-202H Plus v2 with NAT for internal servers?

Generally, without IPSec, to configure an internal server for outside access, we

need to configure the server private IP and its service port in SUA/NAT Server

However, if both NAT and IPSec is enabled in P-202H Plus v2, the edit of the

table is necessary only if the connection is a non-secure connections. For secure

connections, none SUA server settings are required since private IP is reachable

33P-202H Plus v2 Support Notes

1. What is SSH Sentinel VPN client?

Developed by SSH (http://www.ssh.com) Sentinel VPN client is a bundled

software with P-202H Plus v2 VPN solution. It supports IPSec/VPN.

2. Why do I need to use Sentinel?

SSH Sentinel(TM) is an easy-to-use software for remote working based on the

latest VPN technology. The software provides smooth integration with P-202H Plus v2 VPN which may be installed in HQ gateway.

3. Does SSH Sentinel work with the PPP over Ethernet (PPPoE) protocol,

which is used by the ADSL Network Adapter cards?

Yes, the latest release SSH Sentinel 1.3, also supports PPPoE, but due to the

wide range of PPPoE implementations and the fact, that we have a very limited

access to PPPoE adapters in general, we are not able to fully test this

As a consequence, it is hard to say with exactly which PPPoE drivers SSH Sentinel 1.3 is fully compatible.

4. How to configure Pre-IPSec filter?

In pre-ipsec configuration, never, remove the pre-IPSec filter rule that bypasses

IKE traffic. If you do, all your attempts to establish any IPSec connection are

bound to fail, because the negotiations never take place. Only when you would

like to have some TCP/UDP packets bypass IPSec, must you specify the traffic

as bypass in pre-ipsec filter. Otherwise, just not setup any bypass/discard/reject

on the traffic you would like to be protected by IPSec.

5. What is "Acquire virtual IP address" for? Should I check this box?

With this feature, Sentinel can obtain a virtual IP address assigned from VPN

gateway. However, if connecting with P-202H Plus v2, please not check this box.

P-202H Plus v2 doesn’t support this feature in current firmware.

6. What is "Extended Authentication"? Should I check this box?

With this feature, VPN connection from Sentinel can be authenticated to

authentication server, such as, RADIUS, TACAS, …etc. behind remote VPN

gateway. However, if connecting with P-202H Plus v2, please not check this box.

P-202H Plus v2 doesn’t support this feature in current firmware. It will support in

34P-202H Plus v2 Support Notes

7. Does Sentinel support IP range?

No, only subnet/single is supported. So when connecting with P-202H Plus v2,

please not use range as address type.

8. Does Sentinel support 2 VPN connections at the same time?

No, Sentinel doesn’t support it. Only one VPN connection can be activated at the

9. What is this option, “Attach the selected values to proposal only” for?

To increase compatibility, Sentinel sends many kinds of possible proposal for it’s

peer side, say P-202H Plus v2 to choose. If you uncheck this option, Sentinel will

only send out the proposal you configured. To decrease negotiation time, you

can uncheck this option, and verify phase1/phase2 parameters are consistent on

10. How to initiate a VPN tunnel from Sentinel?

Right click SSH icon in system tray, click the VPN connection you have setup in

Select VPN. Packets triggering doesn't work in this case.

11. Can P-202H Plus v2 be the initiator of VPN tunnel to Sentinel?

No. Sentinel is supposed to be a VPN solution for remote access. Please always

initiate your VPN tunnel from Sentinel but not from P-202H Plus v2.

12. How can I verify if the VPN connection is up in Sentinel?

You can check if your VPN connection is up by double clicking SSH icon in

system tray. If the connection is up, you should see your VPN network in the

13. I am using EnterNet 300, a PPPoE dial up software. Any concern?

If using EnterNet PPP over Ethernet client, the network access type must be set

from the client’s advanced connection settings to protocol driver. Open Enternet

300 Profiles window -> Connections -> Settings -> Advanced -> In Network

Access section choose Protocol Driver.

General Application Notes

A typical Internet access application of the P-202H Plus v2 is shown below. For a

small office, there are some components you need to check before accessing the

The P-202H Plus v2 is shipped with the following factory default:

1. IP address = 192.168.1.1, subnet mask = 255.255.255.0 (24 bits)

2. DHCP server enabled with IP pool starting from 192.168.1.33

3. Default SMT menu password = 1234

• Setting up the Win95/98 Workstation

1. Ethernet connection

All PCs must have an Ethernet adapter card installed.

• If you only have one PC, connect the PC's Ethernet adapter to the P-202H Plus v2's LAN port with a crossover (red one) Ethernet cable.

• If you have more than one PC, both the PC's Ethernet adapters and the P-

202H Plus v2's LAN port must be connected to an external hub with

straight Ethernet cable.

2. TCP/IP Installation

You must first install TCP/IP software on each PC before you can use it for

Internet access. If you have already installed TCP/IP, go to the next section to

configure it; otherwise, follow these steps to install:

manufacturers, then select TCP/IP from the Network Protocols and click

3. TCP/IP Configuration

Follow these steps to configure Windows TCP/IP:

36P-202H Plus v2 Support Notes

• In the Control Panel/Network window, click the TCP/IP entry to select it

and click Properties button.

• In the TCP/IP Properties window, select Obtain an IP address

Note: Do not assign arbitrary IP address and subnet mask to your PCs,

otherwise, you will not be able to access the Internet.

• Click the WINS configuration tab and select Disable WINS Resolution.

• Click the Gateway tab. Highlight any installed gateways and click the

Remove button until there are none listed.

• Click the DNS Configuration tab and select Disable DNS.

• Click OK to save and close the TCP/IP properties window

• Click OK to close the Network window. You will be prompted to insert your

Windows CD or disk. When the drivers are updated, you will be asked if

you want to restart the PC. Make sure your P-202H Plus v2 is powered on

before answering Yes to the prompt. Repeat the above steps for each

Windows PC on your network.

• Setting up the P-202H Plus v2 router

The following procedure is for the most typical usage of the P-202H Plus v2

where you have a single-user account (SUA). The PNC (P-202H Plus v2

Network Commander) is a Windows-based tool that helps you to easily configure

your P-202H Plus v2 for Internet access. It is included in the P-202H Plus v2

package. Please install the PNC first before configuring your P-202H Plus v2.

37P-202H Plus v2 Support Notes

• Pri Phone#= is the phone number your P-202H Plus v2 has to dial in order

• My Login and My Password are the login information provided by ISP.

• Since you have a single user Internet account, Single User Account

should be set to 'Yes'.

• For the Local IP Address field, since the IP address will be dynamically

assigned, you can either enter '0.0.0.0' or you can leave this field blank

After saving this menu, you will be asked if you want to perform an Internet

connection test. Select 'Yes' to perform the test. If the test fails, please check

again the above settings or refer to the User's Manual Troubleshooting section

for correction action.

When you have configured and saved Menu 4, you should see that you have

created a remote node in Menu 11. You can perform more advanced

configuration options to this remote node in this menu.

Configure a PPTP server behind SUA

PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets

to be encapsulated within Internet Protocol (IP) packets and forwarded over any

IP network, including the Internet itself.

In order to run the Windows9x PPTP client, you must be able to establish an IP

connection with a tunnel server such as the Windows NT Server 4.0 Remote

Windows Dial-Up Networking uses the Internet standard Point-to-Point (PPP) to

provide a secure,optimized multiple-protocol network connection over dial-up

telephone lines. All data sent over this connection can be encrypted and

compressed, and multiple network level protocols (TCP/IP, NetBEUI and IPX)

can be run correctly. Windows NT Domain Login level security is preserved even

across the Internet.

Window95 PPTP Client / Internet / NT RAS Server Protocol Stack

PPTP appears as new modem type (Virtual Private Networking Adapter) that

can be selected when setting up a connection in the Dial-Up Networking folder.

The VPN Adapter type does not appear elsewhere in the system. Since PPTP

encapsulates its data stream in the PPP protocol, the VPN requires a second

dial-up adapter. This second dial-up adapter for VPN is added during the

installation phase of the Upgrade in addition to the first dial-up adapter that

provides PPP support for the analog or ISDN modem.P-202H Plus v2 Support Notes

The PPTP is supported in Windows NT and Windows 98 already. For Windows

95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade.

This application note explains how to establish a PPTP connection with a remote

private network in the P-202H Plus v2 SUA case. In ZyNOS, all PPTP packets

can be forwarded to the internal PPTP Server (WinNT server) behind SUA. The

port number of the PPTP has to be entered in the SMT Menu 15 for P-202H Plus

v2 to forward to the appropriate private IP address of Windows NT server.

The following example shows how to dial to an ISP via the P-202H Plus v2 and

then establish a tunnel to a private network. There will be three items that you

need to set up for PPTP application, these are PPTP server (WinNT), PPTP

client (Win9x) and the P-202H Plus v2.

o PPTP server setup (WinNT)

 Add the VPN service from Control Panel>Network

 Add an user account for PPTP logged on user

 Select the network protocols from RAS such as IPX, TCP/IP NetBEUI

 Set the Internet gateway to P-202H Plus v2

o PPTP client setup (Win9x)

 Add one VPN connection from Dial-Up Networking by

entering the correct username & password and the IP

address of the P-202H Plus v2's Internet IP address for

logging to NT RAS server.

40P-202H Plus v2 Support Notes

 Set the Internet gateway to the router that is connecting to

o P-202H Plus v2 router setup

• Before making a VPN connection from Win9x to WinNT server, you need

to connect P-202H Plus v2 router to your ISP first.

• Enter the IP address of the PPTP server (WinNT server) and the port

number for PPTP as shown below.

When you have finished the above settings, you can ping to the remote

Win9x client from WinNT. This ping command is used to demonstrate that

remote the Win9x can be reached across the Internet. If the Internet

connection between two LANs is achive, you can place a VPN call from

the remote Win9x client.

C:\ping 203.66.113.2

When a dial-up connection to ISP is established, a default gateway is

assigned to the router traffic through that connection. Therefore, the

output below shows the default gateway of the Win95 client after the dial-

up connection has been established.

Before making a VPN connection from the Win9x client to the NT server,

you need to know the exact Internet IP address that the ISP assigns to P-

41P-202H Plus v2 Support Notes

202H Plus v2 router in SUA mode and enter this IP address in the VPN

dial-up dialog box. You can check this Internet IP address from PNC Monitor or SMT Menu 24.1. If the Internet IP address is a fixed IP address

provided by ISP in SUA mode, then you can always use this IP address

for reaching the VPN server.

In the following example, the IP address '140.113.1.225' is dynamically

assigned by ISP. You must enter this IP address in the 'VPN Server'

dialog box for reaching the PPTP server. After the VPN link is established,

you can start the network protocol application such as IP, IPX and

• IntroductionP-202H Plus v2 Support Notes

If you wish, you can make internal servers (e.g., Web, ftp or mail server)

accessible for outside users, even though SUA makes your LAN appear as a

single machine to the outside world. A service is identified by the port number.

Also, since you need to specify the IP address of a server in the P-202H Plus v2,

a server must have a fixed IP address and not be a DHCP client whose IP

address potentially changes each time it is powered on.

In addition to the servers for specific services, SUA supports a default server. A

service request that does not have a server explicitly designated for it is

forwarded to the default server. If the default server is not defined, the service

request is simply discarded.

To make a server visible to the outside world, specify the port number of the

service and the inside address of the server in 'Menu 15', Multiple Server

Configuration. The outside users can access the local server using the P-202H Plus v2's WAN IP address which can be obtained from menu 24.1.

• For example (Configuring an internal Web server for outside access) :

• Port numbers for some services

Generally, SUA makes your LAN appear as a single machine to the outside

world. LAN users are invisible to outside users. However, some applications such

as Cu-SeeMe, and ICQ will need to connect to the local user behind the P-202H Plus v2. In such case, a SUA server must be entered in menu 15 to forward the

incoming packets to the true destination behind SUA. Generally, we do not need

extra settings of menu 15 for an outgoing connection. But for some applications

we need to configure the menu 15 to make the outgoing connection work. After

the required menu 15 settings are completed the internal server or client

applications can be accessed by using the P-202H Plus v2's WAN IP address.

• SUA Supporting Table

The following are the required menu 15 settings for the various applications

ZyXEL SUA Supporting Table

44P-202H Plus v2 Support Notes

Required Settings in Menu 15

HTTP None 80/client IP FTP None 21/client IP TELNET None 23/client IP

For DCC, please set:

ICQ -> preference ->

connections -> firewall and

set the firewall time out to

80 seconds in firewall

1503/client IP Cisco IP/TV 2.0.0 None .

None Default/client IP QuakeII2.30

None Default/client IP QuakeIII1.05 beta None .

StartCraft. 6112/client IP .

Quick Time 4.0 None .

Since SUA enables your LAN to appear as a single computer to the Internet, it

is not possible to configure similar servers on the same LAN behind SUA.

Because White Pine Cu-SeeMe uses dedicate ports (port 7648 & port 24032) to

transmit and receive data, therefore only one local Cu-SeeMe is allowed within

With SUA enabled, NetMeeting users within the same LAN will not be able to

connect to the remote NetMeeting user, and as remote users are not able to

distinguish between local users with the same internet IP and SUA allows one

local NetMeeting user to connect to multiple Internet users at the same time.

Certain Quake servers do not allow multiple users to login using the same

unique IP, so only one Quake user will be allowed in this case. Moreover, when a

Quake server is configured behind SUA, P-202H Plus v2 will not be able to

provide information of that server on the internet.

Quake II has the same limitations as that of Quake I.

1. If a SMTP (port 25) server is configured in menu 15 the POP3 ( port 110)

packets will also be forwarded to the same SMTP server by the P-202H Plus v2 automatically. There is no need to configure additional POP3

server in menu 15. Two ports (25 & 110) must be configured in menu 15

to support both SMTP and POP3 services.

2. NetMeeting, RealPlayer, IP/TV and Quick Time are supported.

For example, if the workstation operating Cu-SeeMe has an IP of 192.168.1.34,

then the default SUA server must be set to 192.168.1.34. The peer Cu-SeeMe

user can reach this workstation by using P-202H Plus v2's WAN IP address

which can be obtained from menu 24.1.

46P-202H Plus v2 Support Notes

3. LAN to LAN IP Connection

This configuration note explains how to set up two P-202H Plus v2 routers for a

LAN-to-LAN connection. Once the connection is established, the workstations on

both LANs will be able to perform any TCP/IP applications (e.g., FTP, Telnet,

etc.). There will be three items that you need to set up. These are workstation

and the two P-202H Plus v2 routers.

• Setting up the workstation on both LANs

To set up the workstations, you will need to set the following parameters:P-202H Plus v2 Support Notes

o IP Address-the IP address assigned to the workstation itself

o Subnet Mask-the subnet mask used for your network. Class C

networks generally use a 24-bit netmask DNS (Domain Name

Server) Address-enter the IP address of the DNS server

o Default Gateway-the IP address of the P-202H Plus v2, the default

gateway for LAN1 is P-202H Plus v2 1 and for LAN2 is P-202H Plus v2 2.

The procedure for configuring these parameters for the workstations may differ

depending on the type of TCP/IP networking software you are using on your

workstations. If you are unfamiliar with how to set these parameters, you can

refer to the technical notes corresponding to your software.

For Windows 9x, please go to 'Win9x>Control Panel>Network>TCP/IP-Network

Adapter' for finishing the above settings.

• Setting up the P-202H Plus v2 1 & P-202H Plus v2 2

Before configuring the two remote nodes for this application, you need to

complete the following settings first in each P-202H Plus v2.

o General Setup in SMT Menu 1-enter the system information.

o ISDN Setup in SMT Menu 2- configure the ISDN parameters.

o Ethernet Setup in SMT Menu 3-enter the IP address of the P-202H Plus v2 and enable the DHCP server if it is required.

Client IP Pool Starting Address= N/A Size of Client IP Pool= N/A Primary DNS Server= N/A Secondary DNS Server= N/A TCP/IP Setup:

IP Subnet Mask= 255.255.255.0

Active= Yes Rem IP Addr= 203.66.113.1

Call Direction= Outgoing Edit IP= No

Incoming: Telco Option:

Rem Login= Transfer Type= 64K Rem Password= Allocated Budget(min)=

Rem CLID= N/A Period(hr)=

Call Back= N/A Schedules=

Press ENTER to Confirm or ESC to Cancel:

o Select the 'Active' field to 'Yes'

o Select the 'Call Direction' to 'Outgoing'

o Enter the correct node account in 'My Login' and 'My Password'

o Enter the phone number of the remote router in the 'Pri Phone #'

o Enter the IP address of the remote router in 'Rem IP Addr' field

o Enter the idle timer in the 'Idle Timeout' field for dropping the call if

there is no data traffic between the two remote nodes

• P-202H Plus v2 2 Setup

1. Ethernet Setup in SMT Menu 3

Client IP Pool Starting Address= N/A Size of Client IP Pool= N/A Primary DNS Server= N/A Secondary DNS Server= N/A TCP/IP Setup:

Active= Yes Rem IP Addr=202.113.5.1

Call Direction= Outgoing Edit IP= No

Incoming: Telco Option:

Rem Login= Transfer Type= 64K Rem Password= Allocated Budget(min)=

Rem CLID= N/A Period(hr)=

Call Back= N/A Schedules=

Sec Phone #= Idle Timeout(sec)= 100

Press ENTER to Confirm or ESC to Cancel:

50P-202H Plus v2 Support Notes

o Select the 'Active' field to 'Yes'

o Select the 'Call Direction' to 'Incoming'

o Enter the correct node account for the dial-in router in 'Rem Login'

and 'Rem Password' fields

o Enter the IP address of the remote router in 'Rem IP Addr' field.

After you have finished the above settings, you are ready to make a test for this

connection from Menu 24.4.5- 'Manual Call' by entering the node number.

Menu 24.4 - System Maintenance - Diagnostic

Manual Call Remote Node= N/A Host IP Address= N/A Configuring for Cisco Mutual Authentication

This configuration note explains what other settings you need to pay attention to

when configuring the P-202H Plus v2 talk to a Cisco router. Due to Cisco's

authentication scheme, you need to configure some additional fields in P-202H Plus v2 when talking to a Cisco device. There are two things you must pay

attention to. The first is Cisco's mutual authentication scheme, and the second is

their interpretation of CHAP.P-202H Plus v2 Support Notes

• If the Cisco router requests PAP, you have to configure more settings in

Menu 13 - Default Dial-in Setup

Telco Options: IP Address Supplied By:

CLID Authen= None Dial-in User= Yes

PPP Options: IP Start Addr= N/A Recv Authen= CHAP/PAP IP Count(1,4)= N/A Compression= Yes

Mutual Authen= Yes Session Options:

O/G Username= test Edit Filter Sets= No

O/G Password= ********

Multiple Link Options:

Max Trans Rate(Kbps)= 128

Callback Budget Management:

Allocated Budget(min)= 0

Press ENTER to Confirm or ESC to Cancel:

o Set 'Mutual Authen' to 'Yes'

o Set 'PAP Login' to the appropriate login name

o Set 'PAP Password' to the appropriate login password

• If the Cisco route requests CHAP, you have to configure more settings in

Incoming: Telco Option:

Rem Login= [cisco_hostname] Transfer Type= 64K Rem Password= **** Allocated Budget(min)=

Rem CLID= N/A Period(hr)=

Call Back= N/A Schedules=

Press ENTER to Confirm or ESC to Cancel:

o Set 'Incoming: Rem Login' to the 'Cisco device hostname'

o Set 'Incmoing: Rem Password' to be the same as 'Outgoing: My

o Set 'Outgoing: My Login' to the 'System Name' value in SMT Menu

[Note]! The Cisco device must be configured as a remote node but

NOT as a remote user in this case

4. Dial-in User Setup

Using an ISDN TA and Win9x Dial-Up Networking you can dial into P-202H Plus

v2 router with callback and without callback

This configuration note explains how to set up a workstation using an ISDN TA to

connect to the P-202H Plus v2 router. In this configuration, the workstation must

have TCP/IP dial-up program installed such as Windows Dial-up Networking to

make the call. Once the connection is established, the workstation will be able to

53P-202H Plus v2 Support Notes

perform any TCP/IP applications (e.g., FTP, Telnet, etc.). There will be two items

that you need to set up for this connection. They are the workstation and the P-

202H Plus v2 router.

• Setting up the Win9x Dial-Up Networking(DUN)

To set up the DUN for this connection, you will need to set the following

o Phone number- the phone number of the P-202H Plus v2 router

o Internet account-Username and Password

o IP Address-the IP address in this case will be dynamically assigned

by the P-202H Plus v2. Generally, you should simply enter 0.0.0.0

into the IP address field.

o DNS (Domain Name Server) Address- the IP address of the DNS

server on the remote LAN.

o Default Gateway-the IP address of the P-202H Plus v2.

Please find the last three settings in Win9x>Dial-Up

Networking>Properties>Server Types>TCP/IP Settings.

• Setting up the P-202H Plus v2

Before configuring the P-202H Plus v2 for this application, you need to first

complete the following settings.

o General Setup in SMT menu 1-enter the system information.

o ISDN Setup in SMT menu 2-Configure the ISDN number

o Ethernet Setup in SMT menu 3-enter the IP address of the P-202H Plus v2 and enable the DHCP server if it is required.

To setup the P-202H Plus v2 for this application, make sure you have the

following menus configured correctly.

54P-202H Plus v2 Support Notes

o Default Dial-in Setup in SMT menu 13

o Edit Dial-in User in SMT menu 14

Client IP Pool Starting Address= N/A Size of Client IP Pool= N/A Primary DNS Server= N/A Secondary DNS Server= N/A TCP/IP Setup:

IP Address= 192.68.135.1

IP Subnet Mask= 255.255.255.0

Menu 13 - Default Dial-in Setup

Telco Options: IP Address Supplied By:

CLID Authen= None Dial-in User= No

Mutual Authen= NO Session Options:

O/G Username= N/A Edit Filter Sets= No

O/G Password= N/A Multiple Link Options:

Max Trans Rate(Kbps)= 128

Callback Budget Management:

55P-202H Plus v2 Support Notes

Allocated Budget(min)= 0

Press ENTER to Confirm or ESC to Cancel:

• The Recv Authen field should be set to the type of authentication protocol

• Since the workstation needs to have its IP address assigned, set the IP Address Supplied By: Dial-in User field to 'No'.

• Make sure that IP Pool is set to 'Yes'.

• In IP Start Addr, enter the IP address that you want to assign to the

workstation when it dials in. In our example, this would be '192.68.135.10'.

• All the common properties in Menu 13 will be applied to all dial-in users.

Note: If the remote user uses the Win9x to dial in, the Recv Authen must

be set to PAP because Windows 9x will not respond to any periodic CHAP

challenge sent by the P-202H Plus v2 and will cause the P-202H Plus v2

3. Edit Dial-in User Setup in SMT menu 14.1

• Dial-in user without callback

Phone # Supplied by Caller= N/A Callback Phone #= N/A Rem CLID=

56P-202H Plus v2 Support Notes

• The User Name and Password fields should be set to the login username

and password that the workstation will provide when dialing in to the P-

202H Plus v2. Set the Active field to 'Yes'.

• Dial-in user with callback

Menu 14.1 - Edit Dial-in User

Phone # Supplied by Caller= Yes

Callback Phone #= N/A Rem CLID=

• There are two options for the callback, Mandatory and Optional. If the

Mandatory is configured, the P-202H Plus v2 router has to callback

anyway. If the Optional is configured, the dial-in user will have the chance

to cancel the callback.

• The number for calling back to the dial-in user can be specified by the

user during the connection or pre-configured in the Callback Phone #

field of the P-202H Plus v2.

How does ZyXEL filter work?

Conceptually, there are two categories of filter rules: device and protocol. The

Generic filter rules belong to the device category; they act on the raw data

from/to LAN and WAN. The IP and IPX filter rules belong to the protocol category;

they act on the IP and IPX packets.

In order to allow users to specify the local network IP address and port number in

the filter rules with SUA connections, the TCP/IP filter function has to be

executed before SUA for WAN outgoing packets and after the SUA for WAN

incoming IP packets. But at the same time, the Generic filter rules must be

applied at the point when the P-202H Plus v2 is receiving and sending the

packets; i.e. the ISDN interface. So, the execution sequence has to be changed.

The logic flow of the filter is shown in Figure 1 and the sequence of the logic flow

for the packet from LAN to WAN is:

57P-202H Plus v2 Support Notes

1. LAN device and protocol input filter sets.

2. WAN protocol call and output filter sets.

3. If SUA is enabled, SUA converts the source IP address from 192.168.1.33

to 203.205.115.6 and port number from 1023 to 4034.

4. WAN device output and call filter sets.

The sequence of the logic flow for the packet from WAN to LAN is:

5. WAN device input filter sets.

6. If SUA is enabled, SUA converts the destination IP address from

203.205.115.6 to 92.168.1.33 and port number from 4034 to 1023.

7. WAN protocol input filter sets.

8. LAN device and protocol output filter sets.

Generic and TCP/IP (and IPX) filter rules are in different filter sets. The SMT will

detect and prevent the mixing of different category rules within any filter set in

Menu 21. In the following example, you will receive an error message 'Protocol

and device filter rules cannot be active together' if you try to activate a

TCP/IP (or IPX) filter rule in a filter set that has already had one or more active

Generic filter rules. You will receive the same error if you try to activate a Generic

filter rule in a filter set that has already had one or more active TCP/IP (or IPX)

Mask= N/A Value= N/A More= No Log= None

Action Matched= Check Next Rule

Action Not Matched= Check Next Rule

Source: IP Addr= 0.0.0.0

TCP Estab= N/A More= No Log= None

Action Matched= Check Next Rule

Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

Saving to ROM. Please wait...

Protocol and device rule cannot be active together

To separate the device and protocol filter categories; two new menus, Menu 11.5

and Menu 13.1, have been added, as well as some changes made to the Menu

3.1, Menu 11.1, and Menu 13. The new fields are shown below.

59P-202H Plus v2 Support Notes

Active= Yes Rem IP Addr= 0.0.0.0

Call Direction= Outgoing Edit IP= No

Incoming: Telco Option:

Rem Login= N/A Transfer Type= 64K Rem Password= N/A Allocated Budget(min)=

Rem CLID= N/A Period(hr)=

Call Back= N/A Schedules=

Press ENTER to Confirm or ESC to Cancel:

Menu 13 - Default Dial-in Setup

Telco Options: IP Address Supplied By:

CLID Authen= None Dial-in User= Yes

Mutual Authen= No Session Options:

O/G Username= N/A Edit Filter Sets= Yes

O/G Password= N/A Multiple Link Options:

Max Trans Rate(Kbps)= 128

Callback Budget Management:

Allocated Budget(min)= 0

Press ENTER to Confirm or ESC to Cancel:

SMT will also prevent you from entering a protocol filter set configured in Menu

21 to the device filters field in Menu 3.1, 11.5, or 13.1, or entering a device filter

set to the protocol filters field. Even though SMT will prevent the inconsistency

from being entered in ZyNOS, it is unable to resolve the intermixing problems

existing in the filter sets that were configured before. Instead, when ZyNOS

translates the old configuration into the new format, it will verify the filter rules

and log the inconsistencies. Please check the system log (Menu 24.3.1) before

putting your device into use.

Running the P-202H Plus v2 with wrong filter rules may cause it to keep the

ISDN line perpetually active, and/or allow undesired traffic to pass to the outside

world, and receive unwanted outside traffic. The first case may incur an

enormous ISDN bill; the second may lead to a data security hazard.

In order to avoid operational problems later, the P-202H Plus v2 will disable

its routing/bridging functions if there is an inconsistency among its filter

How do I know what packet is triggering the call?

If the user already knows the protocol type, the source port and the IP address of

the packet that is triggering the call, he can design the filter rule based on these

information. Otherwise, he can take a look at the SMT Menu 24.1 to see what is

the exact packet that triggers the outgoing call. The 'LAN Packet Which

Triggered Last Call' status in Menu 24.1 will show you the packet which triggers

the call. A display of the header of the packets is shown next.

LAN Packet which Triggered Last Call: (Type: IP)

45 00 00 2E CA 0E 40 00 1F 06 D7 09 CC F7 CB B4 CC D9 00 02 04 1C 00 15

62P-202H Plus v2 Support Notes

We list the header of the IP, UDP and TCP in order to make you know more

about the format of the IP packet and IPX packet in Menu 24.1 for easy

configuration of a filter rule.

8-bit type of service

16-bit total length (in bytes)

16-bit identification 3-bit

13-bit fragment offset

8-bit time to live(TTL) 8-bit protocol 16-bit header checksum

32-bit source IP address

32-bit destination IP address

16-bit source port number 16-bit destination port number

32-bit sequence number

32-bit acknowledgment number

U R G A C K P S H R S T S Y N F I N

16-bit TCP checksum 16-bit urgent pointer

63P-202H Plus v2 Support Notes

Based on the above headers, we can then interpret the LAN Packet Which

Triggered Last Call as following:

LAN Packet which Triggered Last Call : (Type: IP)

45 00 00 2E CA 0E 40 00 1F 06 D7 09 CC F7 CB B4 CC D9 00 02 04 1C 00 15

IPX header in Menu 24.1:

LAN Packet Which Triggered Last Call: (Type: IPX)

00 28 01 01 00 00 00 00 FF FF FF FF FF FF 04 53 00 00 00 00 00 00 00 00 00

0004 53 00 01 FF FF FF FF FF 00 00 00 00

00 00 00 00 Destination network number

FF FF FF FF FF FF Destination node number

04 53 Destination socket number

00 00 00 00 Source network number

00 00 00 00 00 00 Source node number

04 53 Source socket number

A filter for blocking the FTP connections from WAN

The P-202H Plus v2 supports the firmware and configuration files upload using

FTP connections via LAN and WAN. So, it is possible that anyone can make a

FTP connection over the Internet to your P-202H Plus v2. To prevent outside

users from connecting to your P-202H Plus v2 via FTP, you can configure a filter

to block FTP connections from WAN.

Before configuring a filter, you need to know the following information:

1. The inbound packet type (protocol & port number): In this case, it is

TCP(06) protocol with port 20 or 21.

2. The source IP address: In this case, we block all connections from

outside so the source IP is 0.0.0.0.

3. The destination IP address: It is the P-202H Plus v2's IP address, but it

is not available in SUA case since most WAN IP address is dynamically

assigned by the ISP. So, we can only enter 0.0.0.0 as the destination IP in

the filter rule. Once 0.0.0.0 is set as the destination IP, no FTP

connections are allowed to reach the P-202H Plus v2 nor the FTP server

on the LAN. For the LAN-to-LAN connection, you enter the P-202H Plus

v2's LAN IP as the destination IP in the filter rule. After the FTP filter is

applied to the remote node, it only blocks the FTP connection to the P-

202H Plus v2 but still permits the FTP connection to the local FTP server.

o Create a filter set in Menu 21, e.g., set 3

o Create two filter rules in Menu 21.3.1 and Menu 21.3.2

 Rule 1- block the inbound FTP packet, TCP (06) protocol

o Apply the filter set in remote node, Menu 11

• Create a filter set in Menu 21

65P-202H Plus v2 Support Notes

Menu 21 - Filter Set Configuration

Set # Comments Set # Comments

• Rule 1- block the inbound FTP packet, TCP (06) protocol with port

Source: IP Addr= 0.0.0.0

Action Matched= Drop

66P-202H Plus v2 Support Notes

Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

• Rule 2- block the inbound FTP packet, TCP (06) protocol with port number

Source: IP Addr= 0.0.0.0

Action Matched= Drop

Action Not Matched= Forward

Press ENTER to Confirm or ESC to Cancel:

• When two rules are completed, you can see the rule summary in Menu

67P-202H Plus v2 Support Notes

• Choose the remote node number where you want to block the inbound

FTP connections and apply the filter set in menu 11.5 by selecting the

'Edit Filter Sets' to 'Yes'.

Menu 11.1 - Remote Node Profile

Rem Node Name= hinet Edit PPP Options= No

Active= Yes Rem IP Addr= 0.0.0.0

Call Direction= Outgoing Edit IP= No

Incoming: Telco Option:

Rem Login= N/A Transfer Type= 64K Rem Password= N/A Allocated Budget(min)=

Rem CLID= N/A Period(hr)=

Outgoing: Nailed-Up Connection= No

Sec Phone #= Idle Timeout(sec)= 300

Press ENTER to Confirm or ESC to Cancel:

• Put the filter set number '3' to the 'Input Protocol Filter Set' in menu

11.5 for activating the FTP_WAN filter.

68P-202H Plus v2 Support Notes

A filter for blocking the web connections from LAN

If you want to avoid the outbound Web request to trigger a call to the remote web

server, you can configure a call filter set in P-202H Plus v2 to block this packet.

After the call filter is applied, the Web packet will not triggered the call to your ISP

or remote node. However, when the call is trigger by the other packets and the

Internet connection is established, the workstations then are able to access the

Before configuring a filter, you need to know the following information:

1. The outbound packet type (protocol & port number)

2. The source IP address

Generally, the outbound packets for Web service could be as following:

a. HTTP packet, TCP (06) protocol with port number 80

b. DNS packet, TCP (06) protocol with port number 53 or

c. DNS packet, UDP (17) protocol with port number 53

For all workstation on the LAN, the source IP address will be 0.0.0.0. Otherwise,

you have to enter an IP Address for the workstation you want to block. See the

procedure for configuring this filter below.

o Create a filter set in Menu 21, e.g., set 1

o Create three filter rules in Menu 21.1.1, Menu 21.1.2, Menu 21.1.3

 Rule 1- block the HTTP packet, TCP (06) protocol with port

 Rule 2- block the DNS packet, TCP (06) protocol with port

 Rule 3- block the DNS packet, UDP (17) protocol with port

o Apply the filter set in remote node, Menu 11

• Create a filter set in Menu 21

Menu 21 - Filter Set Configuration

Set # Comments Set # Comments

69P-202H Plus v2 Support Notes

Press ENTER to Confirm or ESC to Cancel:

Source: IP Addr= 0.0.0.0

Action Matched= Drop

Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

70P-202H Plus v2 Support Notes

Source: IP Addr= 0.0.0.0

Action Matched= Drop

Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

• Rule 3 for (c). DNS packet UDP(17)/Port number 53

Menu 21.1.2 - TCP/IP Filter Rule

Source: IP Addr= 0.0.0.0

Action Matched= Drop

Action Not Matched= Forward

Press ENTER to Confirm or ESC to Cancel:

• After the three rules are completed, you will see the rule summary in Menu

3 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, N D F

• Then put the filter set number '1' in the 'Call Filter Set' field of SMT menu

11.5 for taking active.

Rem CLID= N/A Allocated Budget(min)= 5

Press ENTER to Confirm or ESC to Cancel:

A filter for blocking a specific client

If you want to forbid a specific local client from triggering a call to ISP, you can

configure a call filter set in P-202H Plus v2 to block the packets from this client.

After the call filter is applied, the packet that is sent from this client would not

trigger the call to your ISP or remote node. As long as the call is triggered by the

other clients and the Internet connection is established, this workstation will be

able to access the Internet or remote node.

1. Create a filter set in Menu 21, e.g., set 1

Menu 21 - Filter Set Configuration

Set # Comments Set # Comments

Press ENTER to Confirm or ESC to Cancel:

2. One rule one for blocking all packets from this client

Menu 21.1.1 - TCP/IP Filter Rule

Source: IP Addr= 192.168.1.5

TCP Estab= N/A More= No Log= None

Action Matched= Drop

Action Not Matched= Forward

Press ENTER to Confirm or ESC to Cancel:

• Source IP addrEnter the client IP in this field

74P-202H Plus v2 Support Notes

• IP Maskhere the IP mask is used to mask the bits of the

IP address given in the 'Source IP Addr=' field, for one workstation it is

• Action MatchedSet to 'Drop' to drop all the packets from this

• Action Not MatchedSet to 'Forward' to allow the packets from other

3. Apply the filter set number '1' in the 'Call Filter Set' field of SMT menu 11.5 for

Rem CLID= N/A Allocated Budget(min)= 5

Press ENTER to Confirm or ESC to Cancel:

4. If you want to prevent this client accessing the Internet or remote node, you

can apply this filter set to SMT Menu 3.1, the 'protocol filter' in the Input Filter

After this filter set is applied to this field, the client (192.168.1.5) will not be

the Internet or remote node any more.

A filter for blocking a specific MAC address

This configuration example will show you how to use a Generic Filter to block a

specific MAC address on the LAN.

Before you configure the filter you need to know the MAC address of the client.

The MAC address can be provided by the NICs. If there is the LAN packet

passing through the P-202H Plus v2 you can identify the MAC address from the

P-202H Plus v2's LAN packet trace. Please look at the following example to

know the trace of the LAN packets.

ras> sys trcp channel enet0 bothway

76P-202H Plus v2 Support Notes

Now a client on the LAN is trying to ping P-202H Plus v2………

- Total length: 60 (Octets)

- Fragment ID: 60172

- Flags: May be fragmented, Last fragment, Offset=0 (0x00)

- Time to live: 32 seconds/hops

- IP protocol type: ICMP (0x01)

- IP address 202.132.155.93 (Source IP address) ---->

202.132.155.99(Destination IP address)

From the above first trace, we know that a client is trying to ping the P-202H Plus

v2 router. And from the second trace, we know that the P-202H Plus v2 router

will send a reply to the client accordingly. The following sample filter will utilize

the 'Generic Filter Rule' to block the MAC address [00 80 c8 4c ea 63].

1. First, from the incoming LAN packet we know that the unwanted source MAC

address starts at the 7th Octet

TIME: 37c060 enet0-RECV len:74 call=0

2. We are now ready to configure the 'Generic Filter Rule' as below.

Action Matched= Drop

Action Not Matched= Forward

• Filter Type: Set the 'Filter Type' to 'Generic Filter Rule'.

• Active: Turn 'Active' to 'Yes'

• Offset (in bytes): Set to '6' since the source MAC address starts at 7th

octets we need to skip the first octets of the destination MAC address.

• Length (in bytes): Set to '6' since MAC address has 6 octets.P-202H Plus v2 Support Notes

• Mask (in hexadecimal): Specify the value that the P-202H Plus v2 will

logically qualify (logical AND) the data in the packet. Since the Length is

set to 6 octets the Mask for it should be 12 hexadecimal numbers. In this

case, we intent to set to 'ffffffffffff' to mask the incoming source MAC

address, [00 80 c8 4c ea 63].

• Value (in hexadecimal): Specify the MAC address [00 80 c8 4c ea 63]

that the P-202H Plus v2 should use to compare with the masked packet. If

the result from the masked packet matches the 'Value', then the packet is

• Action Matched= : Enter the action you want if the masked packet

matches the 'Value'. In this case, we will drop it.

• Action Not Matched= : Enter the action you want if the masked packet

does not match the 'Value'. In this case, we will forward it. If you want to

configure more rules please select 'Check Next Rule' to start configuring

the next new rule. However, please note that the 'Filter Type' must be also

'Generic Filter Rule' but not others. Because the Generic and TCP/IP (IPX)

filter rules must be in different filter sets.

Menu 21.1.2 - Generic Filter Rule

Action Matched= Drop

Action Not Matched= Forward

You can now apply it to the 'General Ethernet Setup' in Menu 3.1. Please note

that the 'Generic Filter' can only be applied to the 'Device Filter' but not the

'Protocol Filter' that is used for configuring the TCPIP and IPX filters.

Menu 3.1 - General Ethernet Setup

A filter for blocking the NetBIOS packets

The NETBIOS packets contain port numbers and need to be blocked in this case.

They are port number 137, 138 and 139 with UDP or TCP protocol. In addition,

the NETBIOS packet used to look for a remote DNS server can also trigger the

call. Therefore, the filter rules should cover the above packets.

The packets which need to be blocked are as following. Please configure two

filter sets with 4 and 2 rules respectively based on the following packets in SMT

o Rule 5-Destination port number 139 with protocol number 6 (TCP)

o Rule 6-Destination port number 139 with protocol number 17 (UDP)

o Rule 1-Source port number 137, Destination port number 53 with

protocol number 6 (TCP)

o Rule 2-Source port number 137, Destination port number 53 with

protocol number 17 (UDP)

Before starting to set the filter rules, please enter a name for each filter set in the

'Comments' field first.

Menu 21 - Filter Set Configuration

Set # Comments Set # Comments

------ ----------------- ------ -----------------

Press ENTER to Confirm or ESC to Cancel:

• Configure the first filter set 'NetBIOS_WAN' by selecting the Filter Set

Source: IP Addr= 0.0.0.0

Action Matched= Drop

Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

Rule 2-Destination port number 137 with protocol number 17 (UDP)

Source: IP Addr= 0.0.0.0

TCP Estab= N/A More= No Log= None

Action Matched= Drop

Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

Rule 3-Destination port number 138 with protocol number 6 (TCP)

Source: IP Addr= 0.0.0.0

Action Matched= Drop

82P-202H Plus v2 Support Notes

Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

Rule 4-Destination port number 138 with protocol number 17 (UDP)

Menu 21.1.4 - TCP/IP Filter Rule

Source: IP Addr= 0.0.0.0

TCP Estab= N/A More= No Log= None

Action Matched= Drop

Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

Rule 5-Destination port number 139 with protocol number 6 (TCP)

Menu 21.1.5 - TCP/IP Filter Rule

83P-202H Plus v2 Support Notes

Source: IP Addr= 0.0.0.0

Action Matched= Drop

Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

Rule 6-Destination port number 139 with protocol number 17 (UDP)

Menu 21.1.6 - TCP/IP Filter Rule

Source: IP Addr= 0.0.0.0

TCP Estab= N/A More= No Log= None

Action Matched= Drop

Action Not Matched= Forward

Press ENTER to Confirm or ESC to Cancel:

After the first filter set is finished, you will see the complete rules summary as

6 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139 N D F Apply the filter set 'NetBIOS_WAN' to the 'Protocol Filter' of the 'Call Filter Sets='

in the remote node setup 11.5 for taking active. You can enter to the menu 11.5

by selecting the 'Edit Filter Sets=' in menu 11.1 to 'Yes'.

Menu 11.1 - Remote Node Profile

Rem CLID= N/A Allocated Budget(min)= 0

• Configure the second filter set 'NetBIOS_LAN' by selecting the Filter Set

Rule 1-Source port number 137, Destination port number 53 with protocol

Source: IP Addr= 0.0.0.0

Action Matched= Drop

Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

Rule 2-Source port number 137, Destination port number 53 with protocol

Source: IP Addr= 0.0.0.0

TCP Estab= N/A More= No Log= None

Action Matched= Drop

Action Not Matched= Forward

Press ENTER to Confirm or ESC to Cancel:

After the first filter set is finished, you will see the complete rules summary as

2 Y IP Pr=17, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53 N D F Please apply this second filter set 'NetBIOS_LAN' in the 'protocol filters=' of the

'Input Filter Sets:' in the Menu 3 for blocking the packets from LAN.

Log Facility= Local 1

1. Active, use the space bar to turn on the syslog option.

2. Syslog IP Address, enter the IP address of the UNIX server that you wish to

3. Log Facility, use the space bar to toggle between the 7 different local options.

4. Types, use the space bar to toggle the logs we are going to record.

1. Make sure that your syslogd starts with -r argument.

-r, this option will enable the facility to receive message from the network using

an Internet domain socket with the syslog services. The default setting is not

88P-202H Plus v2 Support Notes

2. Edit the file /etc/syslog.conf by adding the following line at the end of the

/etc/syslog.conf file.

local1.* /var/log/zyxel.log

Where /var/log/zyxel.log is the full path of the log file.

• ZyXEL Syslog Message Format

P-202H Plus v2 sends 5 types of syslog messages to syslogd, they are:

2. Packet Triggered log

CDR Call Detail Record (CDR) logs all data phone line activity if set to

The first 48 bytes or octets and protocol type of the triggering

packet is sent to the UNIX syslog server when this field is set to

No filters are logged when this field is set to No. Filters with the

individual filter Log field set to Yes are logged when this field is

PPP log PPP events are logged when this field is set to Yes.

POTS log Voice calls are logged when this field is set to Yes.

1. CDR log(call messages)

sdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );

String = board xx line xx channel xx, call xx, str

board = the hardware board ID

line = the WAN ID in a board

channel = channel ID within the WAN

call = the call reference number which starts from 1 and increments by 1 for each

str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.)

89P-202H Plus v2 Support Notes

C01 Incoming Call xxxx (means connected speed) xxxxx (means Remote Call

L02 Tunnel Connected(L2TP)

C02 OutCall Connected xxxx (means connected speed) xxxxx (means Remote

C02 CLID call refused

Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0

channel 0, call 18, C01 Incoming Call 64000 4125678

Feb 14 17:07:18 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0

channel 0, call 18, C02 Call Terminated

2. Packet triggered log

Data: We will send forty-eight Hex characters to the server

This message is available when the 'Log' is enabled in the filter rule setting. The

message consists of the packet header and the log of the filter rules.

sdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String );

dpo=xxxx]S04>R01mD IP[...] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R),P-202H Plus v2 Support Notes

Dst=202.132.154.1 ICMP]}S03>R01mF

91P-202H Plus v2 Support Notes

sdcmdSyslogSend( SYSLOG_POTSLOG, SYSLOG_NOTICE, String );

String = Call Connect / Disconnect: Dir = xx Remote Call= xxxxx Local Call=

Dir = Call Direction 1: Incoming call 2: Outgoing call

Remote Call = a string type which represents as the remote call number

Local Call = a string type which represents as the my(local) call number

Jul 19 12:08:25 192.168.1.1 ZyXEL Communications Corp.: Call Connect: Dir=2

Remote Call=5783942 Local Call=1

Jul 19 12:08:29 192.168.1.1 ZyXEL Communications Corp.: Call DisConnect:

Dir=2 Remote Call=2453140 Local Call=1

7. ISDN Leased Line Setup

Internet Access via ISDN Leased Line

This configuration illustrates an Internet Access over an ISDN leased line that is

installed by the telco.

Key Settings in P-202H Plus v2

Incoming Phone Numbers:

o Set to Leased/Unused if you are using one 64K-leased line

o Set to Leased/Leased if you are using one 128K-leased lines

o Set to Leased/Switch if you are using one 64K-leased line and one

The P-202H Plus v2 does not allow two leased lines to connect two different

remote nodes. Therefore, if the Leased/Leased is configured in Menu 2, it allows

a 128K-leased connection to a remote node or allows MP bundling to a remote

Address Mapping Set= N/A Telco Option:

Transfer Type= Leased

o My Login and My Password are the login information provided by

o Turn on SUA if you only have a single user Internet account.

93P-202H Plus v2 Support Notes

o Enter the IP address assigned from ISP for P-202H Plus v2, enter

'0.0.0.0' if the IP is dynamically assigned during the PPP

o Set the 'Transfer Type' to 'Leased' for the ISDN leased-line

After saving this menu, you will be asked if you want to perform an Internet

connection test. Select 'Yes' to perform the test. If the test fails, please check

again the above settings again.

When you have configured and saved Menu 4, you should see that you have

created a remote node in Menu 11. You can perform more advanced

configuration options to this remote node in this menu.

LAN-to-LAN Connection via ISDN Leased Line

This configuration illustrates a LAN-to-LAN connection over an ISDN leased line

that is subscribed from the telco.

• Key Settings in P-202H Plus v2

Incoming Phone Numbers:

94P-202H Plus v2 Support Notes

o Set to Leased/Unused if you are using one 64K-leased line

o Set to Leased/Leased if you are using one 128K-leased lines

o Set to Leased/Switch if you are using one 64K-leased line and one

The P-202H Plus v2 does not allow two leased lines to connect two different

remote nodes. Therefore,

if the Leased/Leased is configured in Menu 2, it allows a 128K-leased connection

to a remote node or allows MP bundling to a remote node.

Menu 11.1 - Remote Node Profile

Incoming: Telco Option:

Rem Login= Transfer Type= Leased

Rem Password= Allocated Budget(min)=

Rem CLID= N/A Period(hr)=

Call Back= N/A Schedules=

Sec Phone #= N/A Idle Timeout(sec)= 100

Press ENTER to Confirm or ESC to Cancel:

• Set the 'Transfer Type' to 'Leased' for the ISDN leased-line connection

8. Supplemental Service

The P-202H Plus v2 supports the following supplementary phone features on

both of its POTS ports.

6. Terminal Portability(Suspend/Resume)

Most supplementary services are not free, please check with your telephone

company for the services they offer.

How do I do call waiting/call hold/call retrieve?

• Put your current call on hold and answer the incoming call - after hearing

the call waiting tone, press and immediately release the Flash button on

• Put your current call on hold and switch to another call - press and

immediately release the Flash button on your telephone.

• Hang up your current call before answering the incoming call - hang up

the phone and wait for answering the incoming call.

• Hang up the current active call and switch back to the other call - hang up

and wait for the phone to ring. Then pick up the phone to return to the

Why doesn't call waiting work as expected?

An incoming caller will receive a busy signal if:

• You have two calls active (one active and one on hold; or both active by

using Three-Way Calling).

• You are dialing a number on the B channel the incoming caller is

attempting to reach, but have not yet established a connection.

If no action is taken to answer the call (call waiting indicator tone is ignored), the

call waiting tones will disappear after about 20 seconds.

How do I do three way calling?

• Press the Flash key to put the existing call on hold and receive a dial tone.

• Dial the third party's phone number.

• When you are ready to conference the call together, press the Flash key

again to establish a three way conference call.

How do I remove a party from the three-way calling?

Simply press the Flash key. The last call that was added to the conference is

96P-202H Plus v2 Support Notes

If you hang up your telephone during a three-way call and the two other callers

remain on the line, the ISDN network will do an implicit transfer to directly

connect the two remaining callers together.

How do I do call transfer?

Call Transfer allows you to transfer an active call to a third party. This service

must be subscribed from your telephone company.

Transferring an active call to a third party:

• Once you have an active call (Caller A), press Flash key to put Caller A

on hold and receive a dial tone.

• Dial the third party's phone number (Caller B).

• When you are ready to conference the two calls together, press Flash key

to a Three-Way Conference call.

• Hang up the phone. The ISDN network does an implicit transfer to directly

connect Caller A with Caller B.

How do I blind call transfer?

• Once you have an active call (Caller A), press Flash key to put the

existing call on hold and receive a dial tone.

• Dial the third party's phone number (Caller B).

• Before Caller B picks up the call, you can transfer the call by pressing the

Flash key. The call is automatically transferred.

What is call forwarding and how do I do it?

The call forwarding means the switch will ring another number at a place where

you will be when sometime dials your directory number. There are two methods

to active call forwarding, either method should work fine and you can use

whichever one you are most comfortable.

 The first is exactly the same as on an analog line, i.e., you pick up the

handset and dial the access code assign by your telephone company and

the number that you want the calls forwarded. Check with your telephone

company for this access code.

 The second is with the 'phone flash' commands where you pick up the

handset and press the flash key before dialing the following:

*20*forward-number# Active CFB (Call Forwarding Busy)

*21*forward-number# Active CFU (Call Forwarding

97P-202H Plus v2 Support Notes

*22*forward-number# Active CFNR (Call Forwarding No Reply

#22# Deactive CFNR How do I suspend/resume a phone call (terminal portability)?

The Terminal Portability service allows you to suspend a phone call temporarily.

You can then resume this call later, at another location if you so wish.

To suspend an active phone call:

• Press the flash key twice.

• Dial *3n*#, where n is any number from 1 to 9.

To resume your phone call:

• Reconnect at a (n) (ISDN) telephone that is linked to the same S/T

interface (Network Terminator-1, NT1) where you suspended the call.

• Pick up the handset and press the Flash key

• Dial #3n#, where n is any number from 1 to 9, but should be identical to

What is reminder ring?

The P-202H Plus v2 sends a single short ring to your telephone every time a call

has been forwarded(US switches only).

What is MSN/subaddress and how do I do it?

Depending on your location, you may have Multiple Subscriber Number (MSN)

where the telephone company gives you more than one number for your ISDN

line. You can assign each number to a different port, e.g., the first number to data

calls, the second to A/B adapter 1 and so on.

Or (DSS1) the telephone company may give you only one number, but allow you

to assign your own subaddresses to different ports, e.g., subaddress 1 to data

calls and 2 to A/B adapter 1.

98P-202H Plus v2 Support Notes

The P-202H Plus v2 202H Plus supports the ISDN Device Control Protocol

(ISDN-DCP) from RVS-COM. The ISDN-DCP allows a workstation on the LAN to

run some CAPI applications. These applications include FAX, Voice, File transfer.

Using ISDN-DCP, the P-202H Plus v2 202H Plus behaves as a DCP server

which listens for DCP messages on TCP port number 2578 on its LAN port and

we call this feature as NetCAPI.

When the P-202H Plus v2 receives a DCP message from a DCP client (running

RVS-COM software), the P-202H Plus v2 sends the confirmation message to the

client and sends ISDN packets through the BRI port.

When the P-202H Plus v2 receives packets on its BRI port destined for one of

the DCP clients, the router formats the packet as a DCP message and sends it to

the corresponding client.

• Supported applications

1. G3/G4 FAX transmission

2. Euro File Transfer (EFT)

4. Autoanswer host mode

• Supported D-Channel Protocol

NetCAPI is available only for the European ISDN switch type DSS1.

To use the NetCAPI function of the P-202H Plus v2 202H Plus for FAX

transmission, file transfer and voice, you must install RVS-COM Lite 1.63 or

• P-202H Plus v2 Setup

All NetCAPI related settings are configured in menu 2.1 as shown below.

1. Edit the NetCAPI settings by setting the 'Edit NetCAPI Setup' to 'Yes'.

99P-202H Plus v2 Support Notes

Incoming Phone Numbers:

ISDN Data = 10000 Subaddress=

A/B Adapter 1 = Subaddress=

A/B Adapter 2 = Subaddress=

Incoming Phone Number Matching= Multiple Subscriber Number (MSN)

Analog Call Routing= N/A Global Analog Call= N/A Edit Advanced Setup = No

Edit NetCAPI Setup = Yes

Press ENTER to Confirm or ESC to Cancel:

2. Edit NetCAPI related settings in menu 2.1

Menu 2.2 - NetCAPI Setup

Max Number of Registered Users= 5

Incoming Data Call Number Matching= NetCAPI Access List:

Start IP End IP Operation

Press ENTER to Confirm or ESC to Cancel:

1. Active: Set to 'Yes' to enable the NetCAPI.

2. Max. Number of Registered Users: Enter the number of RVS-COM

clients for registering in the P-202H Plus v2. The maximum number is 5.

100P-202H Plus v2 Support Notes

3. Incoming Data Call Matching: This setting helps the P-202H Plus v2 to

forward the incoming call correctly by checking the MSN or subaddress

that the remote party calls.

 MSN: When this option is selected, the P-202H Plus v2 checks the

MSN called by the remote party. If the MSN matches the one

configured in menu 2, ISDN Data Number, the P-202H Plus v2 will

answer the call as a data call. If the MSN does not match any MSN

in menu 2, the P-202H Plus v2 will answer the call as a CAPI call

and forward it to the CAPI client.

 Subaddress: When this option is selected, the P-202H Plus v2

checks the subaddress called by the remote party. If the

subaddress matches the one configured in menu 2, ISDN Data

Number, the P-202H Plus v2 will answer the call as a data call. If

the subaddress does not match any subaddress in menu 2, the P-

202H Plus v2 will answer the call as a CAPI call and forward it to

 NetCAPI: When this option is selected, the P-202H Plus v2 always

answers the call as a CAPI call and forward it to the CAPI client.

4. Access List: Enter the IP range of the valid NetCAPI clients with desired

operation direction.

 Operation=Incoming: this permits the clients in this IP range to

 Operation=Outgoing: this permits the clients in this IP range to

 Operation=Both: this permits the clients in this IP range to both

place and answer calls.

 Operation=None: this means no calls for the clients in this IP

5. Start IP: Refers to the first IP address of a group of NetCAPI clients. Each

group contains contigunous IP addresses.

6. End IP: Refers to the last IP address in a NetCAPI client group.

7. Operation: Call control settings for the NetCAPI users

 Incoming: When this option is selected, the NetCAPI users have

permission to only accecpt incoming calls.

 Outgoing: When this option is selected, the NetCAPI users have

permission to only place outgoing calls.

 Both: When this option is selected, the NetCAPI users have

permission for both answering and placing calls.

 None: When this option is selected, no calls are allowed for the

To display the NetCAPI state machine log, use the dcp fsm disp command.

The following example shows the output of the dcp fsm disp command:

ISDN_DCP FSM Log, Entries = 6

To clear the NetCAPI state machine log, use the dcp fsm clear command.

dcp trcp sw on [on|off]

To enable/disable the NetCAPI packet log, use the dcp trcp sw on [on|off]

To display the NetCAPI packet log, use the dcp trcp disp command.

The following example shows the output of the dcp trcp disp command:

ISDN_DCP Message Log, Entries = 12

102P-202H Plus v2 Support Notes

To clear the NetCAPI packet log, use the dcp trcp clear command.

To display the NetCAPI status, use the dcp status disp command.

dcp object [object_id]

To display the NetCAPI objects, use the dcp object [object_id] commands.

A Network Access Server (NAS, e.g., a Router) operates as a client of RADIUS.

The RADIUS client is responsible for passing user information to designated

RADIUS servers, and then acting on the response which is returned. RADIUS

servers are responsible for receiving user connection requests, authenticating

the user, and then returning all configuration information necessary for the client

to deliver service to the user.

Transactions between the client and RADIUS server are authenticated through

the use of a shared secret, which is never sent over the network. In addition, any

user passwords are sent encrypted between the client and RADIUS server, to

eliminate the possibility that someone snooping on an unsecured network could

determine a user's password.

There has been some confusion in the assignment of port numbers for this

protocol. The early deployment of RADIUS was done using the erroneously

chosen port number 1645, which conflicts with the "datametrics" service. The

officially assigned port number for RADIUS is 1812. So, be sure which port your

RADIUS server uses before configuring it in the P-202H Plus v2.

[Note]: The P-202H Plus v2 is configured with default port 1645, please reboot

the P-202H Plus v2 it is changed to 1812.

• RADIUS Server Setup

1. Get Radius application S/W and install it first.

2. If the callback feature is required, please add the following ZyXEL

proprietary attributes in the 'Dictionary' file which generally locates in the

Radius installation folder. Please note, when editing RADIUS files some

RADIUS servers do not suggest DOS Editor or Notepad. So, you can try

3. Enter the RADIUS client IP and the encrypted key in the 'Clients' file. See an

# This file contains a list of clients which are allowed to make

# authentication requests and their encryption key.

# The first field is a valid hostname for the client.

# The second field (separated by blanks or tabs) is the encryption key.

203.66.113.187 key187

In this example, the new client 203.66.113.187 is the P-202H Plus v2 router. The

key 'key187' must be configured in SMT Menu 23.2 later..

4. Enter the user profile including username and password in the 'Users' file. See

# Example 1: PPP user without callback.

# Username Password= " "

#----------------------------------------------------------

ray Password = "12345"

# Example 2: PPP user with Callback.

# Username Password= " "

#----------------------------------------------------------

test Password = "1234"

Zyxel-Callback-Option = Mandatory,

Zyxel-Callback-Phone-Source = Preconfigured

CallBack-Number = "523444"

104P-202H Plus v2 Support Notes

5. Run "RADIUS.EXE -X15" to turn on the RADIUS service.

o Server Address--------Enter the IP address of the RADIUS server.

For example, 203.66.113.10.

o Port#------------------The default RADIUS/UDP port is 1645. Reboot

the P-202H Plus v2, if it is changed to 1812.

o Key-------------------The key must be the same with the one

configured in the 'Clients' file.

6. Please check there is no duplicate user setting in SMT menu 14 compared to

the 'Users' file in step 4.

11. Using CLID Callback

• What is CLID Callback?

CLID stands for Calling Line Identification (i.e., calling parting number) which can

be used by the ISDN CPE to call back without answering the call. The phone

number used for calling back is captured from the D channel message. So, if

your local ISDN switch is able to carry the calling party number, the P-202H Plus

v2 can use this phone number to call back to the remote party.

There are two types of callback that the P-202H Plus v2 supports, they are the

CLID callback and MS CBCP callback using Dial-Up Networking. Unlike the CLID

callback, when using the MS CBCP callback the CPE must answer the first call

to get the remote phone number from PPP CBCP negotiation and then call back

to the remote party after hanging up the first call. In such a case, the remote

party has to pay for the first phone call. While using the CLID callback, the

remote party does not have to pay for the first call since the call is not answered.

Therefore, you can not use Dial-Up Networking for the CLID callback since it

does not support the CLID callback.P-202H Plus v2 Support Notes

When calling back to a remote node the outgoing user information (username

and password) are configured in menu 11.1, Remote Node Profile. While calling

back to a dial-in user, the outgoing user information are configured in two fields in

menu 13, O/G Login and O/G Password.

• Setup the P-202H Plus v2 for calling back to a remote node

• Setup the P-202H Plus v2 for calling back to a dial-in user

• Setup the P-202H Plus v2 for calling back to a remote node

Generally, there are several settings must be checked when using the CLID

 The 'CLID Authentication' setting in menu 13 must be configured as

'Required' or 'Preferred'.

 The 'Remote CLID' setting in menu 11.1 must be entered for the CLID

 The 'Callback' setting in menu 11.1 must be toggled to 'Yes'.

 The 'Outgoing user information' in menu 11.1 must be entered.

 The 'Outgoing Phone number' in menu 11.1 must be entered.

The following SMT only show the main settings of the CLID callback, you can

refer to the user's manual or the support note for the other settings.

1. Toggle the 'CLID Authen' option in menu 13 to 'Required'.

Menu 13 - Default Dial-in Setup

Telco Options: IP Address Supplied By:

CLID Authen= Required Dial-in User= Yes

PPP Options: IP Start Addr= N/A Recv Authen= CHAP/PAP IP Count(1,2)= N/A Compression= Yes

O/G Login= N/A Session Options:

Multiple Link Options:

Max Trans Rate(Kbps)= 128

Callback Budget Management:

Allocated Budget(min)=

106P-202H Plus v2 Support Notes

Press ENTER to Confirm or ESC to Cancel:

2. Create a remote node for a LAN-to-LAN connnection using the CLID

Incoming: Telco Option:

Press ENTER to Confirm or ESC to Cancel:

Rem CLID Enter the remote phone number in this field which will be used

for the CLID authentication. If this number does not match the

one that the switch carries, the P-202H Plus v2 will drop the line

due to the CLID authentication failure.

Call Back Toggle to 'Yes' to turn on the callback function.

Enter the user name given by the remote node.

Outgoing: My Enter the password given by the remote node.

107P-202H Plus v2 Support Notes

Enter the phone number of the remote node for calling back.

• Setup the P-202H Plus v2 for calling back to a dial-in user

Generally, there are several settings must be checked when using the CLID

 The 'CLID Authentication' setting in menu 13 must be configured as

'Required' or 'Preferred'.

 The 'Outgoing user information' in menu 13 must be entered.

 The 'Callback' setting in menu 13 must be toggled to 'Mandatory'.

 The 'Callback Phone number' setting in menu 14.1 must be predefined in

 The 'Remote CLID' setting in menu 14.1 must be entered for the CLID

The following SMT only show the main settings of the CLID callback, you can

refer to the user's manual or the support note for the other settings.

1. Toggle the 'CLID Authen' option to 'Required' and enter the 'Outgoing user

information' in menu 13..

Menu 13 - Default Dial-in Setup

Telco Options: IP Address Supplied By:

CLID Authen= Required Dial-in User= Yes

PPP Options: IP Start Addr= N/A Recv Authen= CHAP/PAP IP Count(1,2)= N/A Compression= Yes

O/G Login= test Session Options:

Multiple Link Options:

Max Trans Rate(Kbps)= 128

Callback Budget Management:

Allocated Budget(min)=

108P-202H Plus v2 Support Notes

Press ENTER to Confirm or ESC to Cancel:

CLID Authen Toggle the 'CLID Authen' option in menu 13 to 'Required'.

Enter the user name given by the remote user for the

Enter the password given by the remote user for

2. Create a dial-in user profile using the CLID callback.

Phone # Supplied by Caller= No

Call Back Toggle to 'Mandatory' to turn on the callback function.

Enter the phone number of the remote user for calling back.

Rem CLID Enter the remote phone number in this field which will be used

for the CLID authentication. If this number does not match the

one that the switch carries, the P-202H Plus v2 will drop the line

due to the CLID authentication failure.

109P-202H Plus v2 Support Notes

The Simple Network Management Protocol (SNMP) is an applications-layer

protocol used to exchange the management information between network

devices (e.g., routers). By using SNMP, network administrators can more easily

manage network performance, find and solve network problems. The SNMP is a

member of the TCP/IP protocol suite, it uses the UDP to exchange messages

between a management Client and an Agent, residing in a network node.

There are two versions of SNMP: Version 1 and Version 2. ZyXEL supports

SNMPv1. Most of the changes introduced in Version 2 increase SNMP's security

capabilities. SNMP encompasses three main areas:

1. A small set of management operations.

2. Definitions of management variables.

3. Data representation.

The operations allowed are: Get, GetNext, Set, and Trap. These functions

operates on variables that exist in network nodes. Examples of variables include

statistic counters, node port status, and so on. All of the SNMP management

functions are carried out through these simple operations. No action operations

are available, but these can be simulated by the setting of flag variables. For

example, to reset a node, a counter variable named 'time to reset' could be set to

a value, causing the node to reset after the time had elapsed.

SNMP variables are defined using the OSI Abstract Syntax Notation One

(ASN.1). ASN.1 specifies how a variable is encoded in a transmitted data frame;

it is very powerful because the encoded data is self-defining. For example, the

encoding of a text string includes an indication that the data unit is a string, along

with its length and value. ASN.1 is a flexible way of defining protocols, especially

for network management protocols where nodes may support different sets of

manageable variables.

The net of variables that each node supports is called the Management

Information Base (MIB). The MIB is made up of several parts, including the

Standard MIB, specified as part of SNMP, and Enterprise Specific MIB, which are

defined by different manufacturer for hardware specific management.

The current Internet-standard MIB, MIB-II, is defined in RFC 1213 and contains

171 objects. These objects are grouped by protocol (including TCP, IP, UDP,

SNMP, and other categories, including 'system' and 'interface.'

110P-202H Plus v2 Support Notes

The Internet Management Model is as shown in figure 1. Interactions between

the NMS and managed devices can be any of four different types of commands:

Read is used to monitor the managed devices, NMSs read variables that

are maintained by the devices.

Write is used to control the managed devices, NMSs write variables that

are stored in the managed devices.

3. Traversal operations

NMSs use these operations to determine which variables a managed

device supports and to sequentially gather information from variable tables

(such as IP routing table) in managed devices.

The managed devices to asynchronously report certain events to NMSs

111P-202H Plus v2 Support Notes

2. SNMPv1 Operations

SNMP itself is a simple request/response protocol. 4 SNMPv1 operations are

Allows the NMS to retrieve an object variable from the agent.

Allows the NMS to retrieve the next object variable from a table or list

within an agent. In SNMPv1, when a NMS wants to retrieve all elements of

a table from an agent, it initiates a Get operation, followed by a series of

Allows the NMS to set values for object variables within an agent.

Used by the agent to inform the NMS of some events.

112P-202H Plus v2 Support Notes

The SNMPv1 messages contains two part. The first part contains a version and a

community name. The second part contains the actual SNMP protocol data unit

(PDU) specifying the operation to be performed (Get, Set, and so on) and the

object values involved in the operation. The following figure shows the SNMPv1

The SNMP PDU contains the following fields:

• PDU type Specifies the type of PDU.

• Request ID Associates requests with responses.

• Error status Indicates an error and an error type.

• Error index Associates the error with a particular object variable.

• Variable-bindings Associates particular object with their value.

2. ZyXEL SNMP Implementation

ZyXEL currently includes SNMP support in some P-202H Plus v2 routers. It is

implemented based on the SNMPv1, so it will be able to communicate with

SNMPv1 NMSs. Further, users can also add ZyXEL's private MIB in the NMS to

monitor and control additional system variables. The ZyXEL's private MIB tree is

shown in figure 3. For SNMPv1 operation, ZyXEL permits one community string

so that the router can belong to only one community and allows trap messages to

be sent to only one NMS manager.

Some traps are sent to the SNMP manager when anyone of the following events

113P-202H Plus v2 Support Notes

1. coldStart (defined in RFC-1215) :

If the machine coldstarts, the trap will be sent after booting.

2. warmStart (defined in RFC-1215) :

If the machine warmstarts, the trap will be sent after booting.

3. linkDown (defined in RFC-1215) :

If any link of IDSL or WAN is down, the trap will be sent with the port

number . The port number is its interface index under the interface group.

4. linkUp (defined in RFC-1215) :

If any link of IDSL or WAN is up, the trap will be sent with the port number .

The port number is its interface index under the interface group.

5. authenticationFailure (defined in RFC-1215) :

When receiving any SNMP get or set requirement with wrong community, this

trap is sent to the manager.

6. whyReboot (defined in ZYXEL-MIB) :

When the system is going to restart (warmstart), the trap will be sent with the

reason of restart before rebooting.

(i) For intentional reboot :

In some cases (download new files, CI command "sys reboot", ...), reboot is done

intentionally. And traps with the message "System reboot by user !" will be sent.

(ii) For fatal error :

System has to reboot for some fatal errors. And traps with the message of the

fatal code will be sent.

114P-202H Plus v2 Support Notes

• Downloading ZyXEL's private MIB

3. Configure the P-202H Plus v2 for SNMP The SNMP related settings in P-202H Plus v2 are configured in menu 22, SNMP Configuration. The following steps describe a simple setup procedure for

configuring all SNMP settings.

Menu 22 - SNMP Configuration

115P-202H Plus v2 Support Notes

Get Community= public

Set Community= public

Trusted Host= 192.168.1.33

Press ENTER to Confirm or ESC to Cancel:

Enter the correct Get Community. This Get Community must

match the 'Get-' and 'GetNext' community requested from the

NMS. The default is 'public'.

Enter the correct Set Community. This Set Community must

match the 'Set-community requested from the NMS. The default is

Enter the IP address of the NMS. The P-202H Plus v2 will only

respond to SNMP messages coming from this IP address. If

0.0.0.0 is entered, the P-202H Plus v2 will respond to all NMS

Enter the community name in each sent trap to the NMS. This

Trap Community must match what the NMS is expecting. The

default is 'public'.

Enter the IP address of the NMS that you wish to send the traps

• What is Multi-NAT?

1. Applying NAT in the SMT Menus

116P-202H Plus v2 Support Notes

3. Address Mapping Sets and NAT Server Sets

1. Internet Access Only

2. Internet Access with an Internal Server

3. Using Multiple Global IP addresses for clients and servers

4. Support Non NAT Friendly Applications

• What is Multi-NAT?

NAT (Network Address Translation-NAT RFC 1631) is the translation of an

Internet Protocol address used within one network to a different IP address

known within another network. One network is designated the inside network and

the other is the outside. Typically, a company maps its local inside network

addresses to one or more global outside IP addresses and "unmaps" the global

IP addresses on incoming packets back into local IP addresses. The IP

addresses for the NAT can be either fixed or dynamically assigned by the ISP. In

addition, you can designate servers, e.g., a web server and a telnet server, on

your local network and make them accessible to the outside world. If you do not

define any servers, NAT offers the additional benefit of firewall protection. In such

case, all incoming connections to your network will be filtered out by the P-202H Plus v2, thus preventing intruders from probing your network.

The SUA feature that the P-202H Plus v2 supports previously operates by

mapping the private IP addresses to a global IP address. It is only one subset of

the NAT. The ZyNOS V2.41 for the P-202H Plus v2 100IH is enhanced to

support the most of the features of the NAT based on RFC 1631, and we call this

feature as 'Multi-NAT'. For more information on IP address translation, please

refer to RFC 1631, The IP Network Address Translator (NAT).

If we define the local IP addresses as the Internal Local Addresses (ILA) and the

global IP addresses as the Inside Global Address (IGA), see the following figure.

The term "inside' refers to the set of networks that are subject to translation. NAT

operates by mapping the ILA to the IGA required for communication with hosts

on other networks. It replaces the original IP source address (and TCP or UDP

source port numbers) and then forwards each packet to the Internet ISP, thus

making them appear as if they had come from the NAT system itself (e.g., the P-

202H Plus v2 router). The P-202H Plus v2 keeps track of the original addresses

and port numbers so incoming reply packets can have their original values

117P-202H Plus v2 Support Notes

NAT supports five types of IP/port mapping. They are:

In One-to-One mode, the P-202H Plus v2 maps one ILA to one IGA.

In Many-to-One mode, the P-202H Plus v2 maps multiple ILA to one IGA.

This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's

Single User Account feature that previous ZyNOS routers supported (the

SUA only option in today's routers).

3. Many to Many Overload

In Many-to-Many Overload mode, the P-202H Plus v2 maps the multiple

4. Many to Many No Overload

global IP address. This allows us to specify multiple servers of different

types behind the NAT for outside access. Note, if you want to map each

server to one unique IGA please use the One-to-One mode.

The following table summarizes these types.

One-to-One ILA1<--->IGA1

Many-to-Many ILA1<--->IGA1

118P-202H Plus v2 Support Notes

Server 2 IP<--->IGA1

• SUA Versus NAT SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules,

Many-to-One and Server. The P-202H Plus v2 now has Full Feature NAT

support to map global IP addresses to local IP addresses of clients or servers.

With multiple global IP addresses, multiple severs of the same type (e.g., FTP

servers) are allowed on the LAN for outside access. In previous ZyNOS versions

(that supported SUA 'visible' servers had to be of different types. The P-202H Plus v2 supports NAT sets on a remote node basis. They are reusable, but only

one set is allowed for each remote node. The P-202H Plus v2 312 supports 2

sets since there is only one remote node. The default SUA (Read Only) Set in

menu 15.1 is a convenient, pre-configured, read only, Many-to-One mapping set,

sufficient for most purposes and helpful to people already familiar with SUA in

previous ZyNOS versions.

1. Applying NAT in the SMT Menus

3. Address Mapping Sets and NAT Server Sets

1. Applying NAT in the SMT Menus

You apply NAT via menus 4 and 11.3 as displayed next. The next figure how you

apply NAT for Internet access in menu 4. Enter 4 from the Main Menu to go to

Menu 4-Internet Access Setup.

Menu 4 - Internet Access Setup

Address Mapping Set= N/A Telco Options:

Transfer Type= 64K Multilink= Off

Press ENTER to Confirm or ESC to Cancel:

The following figure shows how you apply NAT to the remote node in menu

Address Mapping Set= N/A Metric= 2

Step 1. Enter 11 from the Main Menu.

Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the

120P-202H Plus v2 Support Notes

default NO to Yes, then press [ENTER] to bring up Menu 11.3-Remote Node

Network Layer Options.

The following table describes the options for Network Address Translation.

Field Options Description

When you select this option the SMT will

use Address Mapping Set 1 (Menu 15.1-

see later for further discussion).

NAT is disabled when you select this

When you select this option the SMT will

use Address Mapping Set 255 (Menu

15.1-see later for further discussion). This

option us basically Many-to-One Overload

mapping. Select Full Feature when you

require other mapping types. It is a

convenient, pre-configured, read only,

Many-to-One mapping set, sufficient for

most purposes and helpful to people

already familiar with SUA in previous

ZyNOS versions. Note that there is also a

Server type whose IGA is 0.0.0.0 in this

Table: Applying NAT in Menu 4 and Menu 11.3

2. Configuring NAT To configure NAT, enter 15 from the Main Menu to bring up the following

3. Address Mapping Sets and NAT Server Sets

121P-202H Plus v2 Support Notes

Use the Address Mapping Sets menus and submenus to create the mapping

table used to assign global addresses to LAN clients. Each remote node must

specify which NAT Address Mapping Set to use. The P312 has one remote node

and so allows you to configure only 1 NAT Address Mapping Set. You can see

two NAT Address Mapping sets in Menu 15.1. You can only configure Set 1. Set

255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT

will use Set1. When you select SUA Only, the SMT will use Set 255. For the

P100IH, there are 8 remote nodes and so allows you to configure 8 NAT Address

The NAT Server Set is a list of LAN side servers mapped to external ports. To

use this set (one set for the P312), a server rule must be set up inside the NAT Address Mapping set. Please see NAT Server Sets for further information on

Enter 1 to bring up Menu 15.1-Address Mapping Sets

Menu 15.1 - Address Mapping Sets

255. SUA (Read Only)

Enter Set Number to Edit:

Let's first look at Option 255. Option 255 is equivalent to SUA in previous ZyXEL

routers. The fields in this menu cannot be changed. Entering 255 brings up this

Menu 15.1.255 - Address Mapping Rules

Idx Local Start IP Local End IP Global Start IP Global End IP Type

Press ESC or RETURN to Exit:

The following table explains the fields in this screen. Please note that the fields in

this menu are read-only. The Type, Local and Global Start/End IPs are normally

(not for this read-only menu) configured in Menu 15.1.1.1 (described later) and

the values are displayed here.

Field Description Option/Example

This is the name of the set you selected in Menu

15.1 or enter the name of a new set you want to

SUA Idx This is the index or rule number. 1

IP This is the starting local IP address (ILA).

IP This is the starting local IP address (ILA). If the

rule is for all local IPs, then the Start IP is

0.0.0.0 and the End IP is 255.255.255.255.

Start IP This is the starting global IP address (IGA). If

you have a dynamic IP, enter 0.0.0.0 as the

End IP This is the ending global IP address (IGA). N/A Type This is the NAT mapping types.

123P-202H Plus v2 Support Notes

Please note that the fields in this menu are read-only. However, the settings of

the server set 1 can be modified in menu 15.2.1.

Now let's look at Option 1 in Menu 15.1. Enter 1 to bring up this menu.

Menu 15.1.1 - Address Mapping Rules

Idx Local Start IP Local End IP Global Start IP Global End IP Type

Action= Edit , Select Rule= 0

Press ENTER to Confirm or ESC to Cancel:

We will just look at the differences from the previous menu. Note that, this screen

is not read only, so we have extra Action and Select Rule fields. Not also that the

[?] in the Set Name field means that this is a required field and you must enter a

name for the set. The description of the other fields is as described above. The

Type, Local and Global Start/End IPs are configured in Menu 15.1.1 (described

later) and the values are displayed here.

Field Description Option

Enter a name for this set of rules. This is a required field.

Please note that if this field is left blank, the entire

set will be deleted.

They are 4 actions. The default is Edit. Edit means you

want to edit a selected rule (see following field). Insert

Before means to insert a new rule before the rule

selected. The rule after the selected rule will then be

moved down by one rule. Delete means to delete the

124P-202H Plus v2 Support Notes

selected rule and then all the rules after the selected

one will be advanced one rule. Save Set means to save

the whole set (note when you choose this action the

Select Rule item will be disabled).

When you choose Edit, Insert Before or Save Set in

the previous field the cursor jumps to this field to allow

you to select the rule to apply the action in question.

Note: Save Set in the Action field means to save the whole set. You must do this

if you make any changes to the set-including deleting a rule. No changes to the

set take place until this action is taken. Be careful when ordering your rules as

each rule is executed in turn beginning from the first rule.

Selecting Edit in the Action field and then selecting a rule brings up the following

menu, Menu 15.1.1.1-Address Mapping Rule in which you can edit an

individual rule and configure the Type, Local and Global Start/End IPs displayed

End = N/A Global IP:

End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Field Description Option/Example

Press [SPACEBAR] to toggle through a total of

5 types. These are the mapping types discussed

above plus a server type. Some examples follow

to clarify these a little more.

Start This is the starting local IP address (ILA) 0.0.0.0

This is the ending local IP address (ILA). If the

rule is for all local IPs, then put the Start IP as

0.0.0.0 and the End IP as 255.255.255.255.

This field is N/A for One-to-One type.

This is the starting global IP address (IGA). If

you have a dynamic IP, enter 0.0.0.0 as the

This is the ending global IP address (IGA). This

field is N/A for One-to-One, Many-to-One and

Local and Global IP fields are N/A for the Server Type.

Note: For all Local and Global IPs, the End IP address must begin after the IP Start address, i.e., you cannot have an End IP address beginning before the

The NAT Server Set is a list of LAN side servers mapped to external ports

(similar to the old SUA menu of before). If you wish, you can make inside servers

for different services, e.g., Web or FTP, visible to the outside users, even though

NAT makes your network appears as a single machine to the outside world. A

server is identified by the port number, e.g., Web service is on port 80 and FTP

As an example (see the following figure), if you have a Web server at

192.168.1.36 and a FTP server at 192.168.1.33, then you need to specify for port

80 (Web) the server at IP address 192.168.1.36 and for port 21 (FTP) another at

IP address 192.168.1.33.

126P-202H Plus v2 Support Notes

Please note that a server can support more than one service, e.g., a server can

provide both FTP and Mail service, while another provides only Web service.

The following procedures show how to configure a server behind NAT.

Step 1. Enter 15 in the Main Menu to go to Menu 15-NAT Setup.

Step 2. Enter 2 to go to Menu 15.2-NAT Server Setup.

Step 3. Enter the service port number in the Port# field and the inside IP address

of the server in the IP Address field.

Step 4. Press [SPACEBAR] at the 'Press ENTER to confirm...' prompt to save

your configuration after you define all the servers or press ESC at any time to

Menu 15.2 - NAT Server Setup (Used for SUA Only)

Rule Start Port No. End Port No. IP Address

127P-202H Plus v2 Support Notes

Press ENTER to Confirm or ESC to Cancel:

The most often used port numbers are shown in the following table. Please refer

RFC 1700 for further information about port numbers.

PPTP (Point-to-Point Tunneling

1. Internet Access Only

2. Internet Access with an Internal Server

3. Using Multiple Global IP addresses for clients and servers

4. Support Non NAT Friendly Applications

1. Internet Access Only

In our Internet Access example, we only need one rule where all our ILAs map to

one IGA assigned by the ISP. See the following figure.

128P-202H Plus v2 Support Notes

Address Mapping Set= N/A Telco Options:

Transfer Type= 64K Multilink= Off

Press ENTER to Confirm or ESC to Cancel:

From Menu 4 shown above simply choose the SUA Only option from the NAT

field. This is the Many-to-One mapping discussed earlier. The SUA read only

option from the NAT field in menu 4 and 11.3 is specifically pre-configured to

129P-202H Plus v2 Support Notes

2. Internet Access with an Internal Server

In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2.1-NAT Server Setup (Used for SUA Only)

to specify the Internet Server behind the NAT as shown in the NAT as shown

Menu 15.2 - NAT Server Setup (Used for SUA Only)

Rule Start Port No. End Port No. IP Address

Press ENTER to Confirm or ESC to Cancel:

130P-202H Plus v2 Support Notes

3. Using Multiple Global IP addresses for clients and servers (One-to-One,

Many-to-One, Server Set mapping types are used)

In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two

very busy internal FTP servers and also an internal general server for the web

and mail. In this case, we want to assign the 3 IGAs by the following way using 4

 Rule 1 (One-to-One type) to map the FTP Server 1 with ILA1

(192.168.1.10) to IGA1.

 Rule 2 (One-to-One type) to map the FTP Server 2 with ILA2

(192.168.1.11) to IGA2.

 Rule 3 (Many-to-One type) to map the other clients to IGA3.

 Rule 4 (Server type) to map a web server and mail server with ILA3

(192.168.1.20) to IGA3. Type Server allows us to specify multiple servers,

of different types, to other machines behind NAT on the LAN.

In this case, we need to configure Address Mapping Set 1 from Menu 15.1-

Address Mapping Sets. Therefore we must choose the Full Feature option

from the NAT field in menu 4 or menu 11.3.

Menu 4 - Internet Access Setup

Address Mapping Set= N/A Telco Options:

Transfer Type= 64K Multilink= Off

Press ENTER to Confirm or ESC to Cancel:

Go to menu 15.1 and choose 1 (not 255, SUA this time) to begin configuring this

new set. Enter a Set Name, choose the Edit Action and then select 1 from

Select Rule field. Press [ENTER] to confirm. See the following setup for the four

Rule 1 Setup: Select One-to-One type to map the FTP Server 1 with ILA1

End = N/A Global IP:

End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

132P-202H Plus v2 Support Notes

Rule 2 Setup: Selecting One-to-One type to map the FTP Server 2 with ILA2

(192.168.1.11) to IGA2.

Menu 15.1.1.2 - - Rule 2

End = N/A Global IP:

End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3.

Menu 15.1.1.3 - - Rule 3

End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

133P-202H Plus v2 Support Notes

Rule 4 Setup: Select Server type to map our web server and mail server with

Start= N/A End = N/A Global IP:

End = N/A Server Mapping Set= 2

Press ENTER to Confirm or ESC to Cancel:

When we have configured all four rules Menu 15.1.1 should look as follows.

Menu 15.1.1 - Address Mapping Rules

Idx Local Start IP Local End IP Global Start IP Global End IP Type

134P-202H Plus v2 Support Notes

Press ESC or RETURN to Exit:

Now we configure all other incoming traffic to go to our web server aand mail

server from Menu 15.2.2 - NAT Server Setup (not Set 1, Set 1 is used for SUA Only case).

Menu 15.2 - NAT Server Setup (Used for SUA Only)

Rule Start Port No. End Port No. IP Address

Press ENTER to Confirm or ESC to Cancel:

4. Support Non NAT Friendly Applications

Some servers providing Internet applications such as some mIRC servers do not

allow users to login using the same IP address. In this case it is better to use

Many-to-Many No Overload or One-to-One NAT mapping types, thus each user

135P-202H Plus v2 Support Notes

One rule configured for using Many-to-Many No Overload mapping type is

Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

The three rules configured for using One-to-One mapping type is shown below.

Menu 15.1.1.1 - - Rule 1

136P-202H Plus v2 Support Notes

End = N/A Global IP:

End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

End = N/A Global IP:

End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

End = N/AP-202H Plus v2 Support Notes

End = N/A Server Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel:

138P-202H Plus v2 Support Notes

1. Using IPSec VPN What is IPSec?

IPSec is a set of IP extensions developed by IETF (Internet Engineering Task

Force) to provide security services compatible with the existing IP standard

(IPv.4) and also the upcoming one(IPv.6). In addition, IPSec can protect any

protocol that runs on top of IP, for instance TCP, UDP, and ICMP. IPSec is truly

the most extensible and complete network security solution.

IPSec which is based on modern cryptographic technologies enables end-to-end

security so that every single piece of information sent to or from a computer can

be secured. It can also be deployed inside a network to form Virtual Private

Networks (VPNs) where two distincts and disparate networks become one by

connecting them with a tunnel secured by IPSec.

IPSec in tunnel mode is normally used when the ultimate destination of the

packet is different from the security termination point. We introduce two tunnel

This page guides us to setup a VPN connection between two P-202H Plus v2

routers. Please note that, in addition to P-202H Plus v2 to P-202H Plus v2, P-

202H Plus v2 can also talk to other VPN hardwards. The tested VPN hardware

• III VPN As the figure shown below, the tunnel between P-202H Plus v2 1 and P-202H Plus v2 2 ensures the packets flow between PC 1 and PC 2 are secure. Because

the packets go through the IPSec tunnel are encrypted. To achieve this VPN

tunnel, the settings required for each P-202H Plus v2 are explained in the

The IP addresses we use in this example are as shown below.

Note: The following configurations are supposed both two VPN gateways have

fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as

the secure gateway IP address. In this case, the VPN connection can only be

initiated from dynamic side to fixed side to update its dynamic IP to the fixed side.

However, if both gateways use dynamic IP addresses, it is no way to establish

VPN connection at all.

1. Setup P-202H Plus v2 A

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default

password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

140P-202H Plus v2 Support Notes

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in P-202H Plus v2 B.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. (the secure host behind P-202H Plus v2 A)

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2 A.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-

202H Plus v2 B WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in P-202H Plus v2 B.

13. Enter the key string 12345678 in the Preshared Key text box, and click

141P-202H Plus v2 Support Notes

See the screen shot:

142P-202H Plus v2 Support Notes

If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging.

In Phase 2, two peers negotiate general purpose SAs which are secure channels

for data transmission.

Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B.

143P-202H Plus v2 Support Notes

2. Setup P-202H Plus v2 B Similar to the settings for P-202H Plus v2 A, P-202H Plus v2 B is configured in

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in P-202H Plus v2 A.

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2 B)

7. Destination IP Address Start and Destination IP Address End are PC

1 IP in this example. (the secure remote host) Note: You may assign a

range of Local/Remote IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2 B.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-

202H Plus v2 A WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

144P-202H Plus v2 Support Notes

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in P-202H Plus v2 A.

13. Enter the key string 12345678 in the Preshared Key text box, and click

145P-202H Plus v2 Support Notes

If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging.

In Phase 2, two peers negotiate general purpose SAs which are secure channels

for data transmission.

Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B.

146P-202H Plus v2 Support Notes

Q: How do we know the above tunnel works?

A: If the connection between PC 1 and PC 2 is ok, we know the tunnel works.

Please try to ping from PC 1 to PC 2 (or PC 2 to PC 1). If PC 1 and PC 2 can

ping to each other, it means that the IPSec tunnel has been established

successfully. If the ping fail, there are two methods to troubleshoot IPSec in P-

• Menu 27.2, SA Monitor

Through menu 27.2, you can monitor every IPSec connections running in P-

202H Plus v2 presently. The second column of each entry indicates the IPSec

rule name. So, if you can't see the name of your IPSec rule, it means that the SA

establishment fails. Please go back Menu 27 to check your settings.

Menu 27.2 - SA Monitor

Select Command= Refresh

Select Connection= N/A Press ENTER to Confirm or ESC to Cancel:

• Using CI command 'ipsec debug 1'

Please enter 'ipsec debug 1' in Menu 24.8. There should be lots of detailed

messages printed out to show how negotiations are taken place. If IPSec

connection fails, please dump 'ipsec debug 1' for our analysis. The following

shows an example of dumped messages.

P-202H Plus v2> ipsec debug 1

148P-202H Plus v2 Support Notes

To view the log for IPSec and IKE connections, please enter menu 27.3, View

IPSec Log. The log menu is also useful for troubleshooting please capture to us if

necessary. Please refer to the example below.

006 01 Jan 00:15:16 >>>>MM Receiving IKE Packet == 2

007 01 Jan 00:15:18 <<<<Sending IKE Packet == 3

008 01 Jan 00:15:18 >>>>MM Receiving IKE Packet == 4

009 01 Jan 00:15:19 <<<<Sending IKE Packet == 5

010 01 Jan 00:15:19 >>>>MM Receiving IKE Packet == 6

011 01 Jan 00:15:19 <<<<Sending IKE Packet == 6

012 01 Jan 00:15:19 >>>>QM Receiving IKE Packet == 15

013 01 Jan 00:15:19 <<<<Sending IKE Packet == 15

Clear IPSec Log (y/n):

Note, the 'Log' column in the current 3.50(WA.0) firmware just shows the IKE

state flow. In the future firmware, we will enhance it to show packet information

(such as protocol type, port number).

• Secure Gateway to PC Soft-PK VPN to P-202H Plus v2 Tunneling

1. Setup Soft-PK VPN

2. Setup P-202H Plus v2 VPN This page guides us to setup a VPN connection between the VPN software and

P-202H Plus v2 router. There will be several devices we need to setup for this

case. They are VPN software and P-202H Plus v2 router.

As the figure shown below, the tunnel between PC 1 and P-202H Plus v2

ensures the packets flow between them are secure. Because the packets go

through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required

settings for the software and P-202H Plus v2 are explained in the following

149P-202H Plus v2 Support Notes

The IP addresses we use in this example are as shown below.

1. Open Soft-PK Security Policy Editor

2. Add a new connection named 'P-202H Plus v2' as shown below.

3. Select Connection Security to Secure

150P-202H Plus v2 Support Notes

Remote Party Identity and Addressing settings:

4. In ID Type option, please choose IP Address option, and enter the IP address

of the remote PC (PC 2 in this case).

5. Check Connect using Secure Gateway Tunnel, please also select IP Address as ID Type, and enter P-202H Plus v2's WAN IP address in the following field.

151P-202H Plus v2 Support Notes

The detailed configuration is shown in the following figure.

Pre-Share Key Settings:

6. Extend P-202H Plus v2 icon, you may see My Identity.

7. Click My Identity, click the Pre-Shared Key icon in the right side of the

8. Enter a key you that later you will also need to configure in P-202H Plus v2 in

the pop out windows. In this example, we enter

12345678. See below.

152P-202H Plus v2 Support Notes

Security Policy Settings:

153P-202H Plus v2 Support Notes

9. Click Security Policy option to choose Main Mode as Phase 1 Negotiation

10. Extend Security Policy icon, you will see two icons, Authentication (Phase

1) and Key Exchange (Phase 2).

11. The settings shown in the following two figures for both Phases are our

examples. You can choose any, but they should match whatever you enter in

154P-202H Plus v2 Support Notes

155P-202H Plus v2 Support Notes

2. Setup P-202H Plus v2 VPN

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default

password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in Soft-PK.

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

1 in this example. (the secure remote host) Note: You may assign a range

of Source/Destination IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is PC 1 in

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

SHA1, as we configured in Soft-PK.

13. Enter the key string 12345678 in the Preshared Key text box, and click

156P-202H Plus v2 Support Notes

Figure 8: See the VPN rule screen shot

157P-202H Plus v2 Support Notes

If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging.

In Phase 2, two peers negotiate general purpose SAs which are secure channels

for data transmission.

158P-202H Plus v2 Support Notes

Please note that any configuration in 'IKE Setup' should match the settings in

In our network diagram figures, a dotted line indicates a logical connection (i.e.,

the two devices are not physically attached), a solid line indicates a physical

connection (i.e., there is a physical link between the two devices and they are

directly attached), and a pipe indicates a secure connection between two devices.

2. P-202H Plus v2 vs 3rd Party VPN Gateway

P-202H Plus v2 to P-202H Plus v2 Tunneling .

This page guides us to setup a VPN connection between two P-202H Plus v2

routers. Please note that, in addition to P-202H Plus v2 to P-202H Plus v2, P-

202H Plus v2 can also talk to other VPN hardwards. The tested VPN hardware

• III VPN As the figure shown below, the tunnel between P-202H Plus v2 1 and P-202H Plus v2 2 ensures the packets flow between PC 1 and PC 2 are secure. Because

the packets go through the IPSec tunnel are encrypted. To achieve this VPN

tunnel, the settings required for each P-202H Plus v2 are explained in the

The IP addresses we use in this example are as shown below.

Note: The following configurations are supposed both two VPN gateways have

fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as

the secure gateway IP address. In this case, the VPN connection can only be

initiated from dynamic side to fixed side to update its dynamic IP to the fixed side.

However, if both gateways use dynamic IP addresses, it is no way to establish

VPN connection at all.

1. Setup P-202H Plus v2 A

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default

password to login web configurator is 1234.

160P-202H Plus v2 Support Notes

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in P-202H Plus v2 B.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. (the secure host behind P-202H Plus v2 A)

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2 A.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-

202H Plus v2 B WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in P-202H Plus v2 B.

13. Enter the key string 12345678 in the Preshared Key text box, and click

161P-202H Plus v2 Support Notes

See the screen shot:

If you use SMT management, the VPN configurations are as shown below.

162P-202H Plus v2 Support Notes

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging.

In Phase 2, two peers negotiate general purpose SAs which are secure channels

for data transmission.

Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B.

163P-202H Plus v2 Support Notes

2. Setup P-202H Plus v2 B Similar to the settings for P-202H Plus v2 A, P-202H Plus v2 B is configured in

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in P-202H Plus v2 A.

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2 B)

7. Destination IP Address Start and Destination IP Address End are PC

1 IP in this example. (the secure remote host) Note: You may assign a

range of Local/Remote IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2 B.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-

202H Plus v2 A WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

164P-202H Plus v2 Support Notes

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in P-202H Plus v2 A.

13. Enter the key string 12345678 in the Preshared Key text box, and click

See the screen shot:

If you use SMT management, the VPN configurations are as shown below.

165P-202H Plus v2 Support Notes

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu 27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging.

In Phase 2, two peers negotiate general purpose SAs which are secure channels

for data transmission.

Note that any configuration in 'IKE Setup' should be consistent in both P-202H Plus v2 A and P-202H Plus v2 B.

166P-202H Plus v2 Support Notes

Q: How do we know the above tunnel works?

A: If the connection between PC 1 and PC 2 is ok, we know the tunnel works.

Please try to ping from PC 1 to PC 2 (or PC 2 to PC 1). If PC 1 and PC 2 can

ping to each other, it means that the IPSec tunnel has been established

successfully. If the ping fail, there are two methods to troubleshoot IPSec in P-

• Menu 27.2, SA Monitor

Through menu 27.2, you can monitor every IPSec connections running in P-

202H Plus v2 presently. The second column of each entry indicates the IPSec

rule name. So, if you can't see the name of your IPSec rule, it means that the SA

establishment fails. Please go back Menu 27 to check your settings.

Select Command= Refresh

Select Connection= N/A Press ENTER to Confirm or ESC to Cancel:

• Using CI command 'ipsec debug 1'

Please enter 'ipsec debug 1' in Menu 24.8. There should be lots of detailed

messages printed out to show how negotiations are taken place. If IPSec

connection fails, please dump 'ipsec debug 1' for our analysis. The following

shows an example of dumped messages.

P-202H Plus v2> ipsec debug 1

168P-202H Plus v2 Support Notes

To view the log for IPSec and IKE connections, please enter menu 27.3, View

IPSec Log. The log menu is also useful for troubleshooting please capture to us if

necessary. The example shown below is a successful IPSec connection.

Index: Date/Time: Log:

Clear IPSec Log (y/n):

P-202H Plus v2 to Cisco Tunneling

This page guides us to setup a VPN connection between P-202H Plus v2 and

Cisco router. As the figure shown below, the tunnel between P-202H Plus v2 and

Cisco Router ensures the packets flow between them are secure. To setup this

VPN tunnel, the required settings for P-202H Plus v2 and Cisco Router are

explained in the following sections.

169P-202H Plus v2 Support Notes

The IP addresses we use in this example are as shown below.

1. When using Cisco Router to establish VPN, back-to-back connection is not

applicable. In other words, the WAN IP of P-202H Plus v2 and Cisco router can't

be in the same subnet.

2. The following configurations are supposed both two VPN gateways have fixed

IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as the

secure gateway IP address. In this case, the VPN connection can only be

initiated from dynamic side to fixed side to update its dynamic IP to the fixed side.

From this connection, the source IP is obtained and then update to the previous

0.0.0.0 field. However, if both gateways use dynamic IP addresses, it is no way

to establish VPN connection at all.

If the WAN IP of P-202H Plus v2 is also dynamic IP, we enter 0.0.0.0 as its My IP Address. When this IP is given by ISP, it will update to this field.

1. Setup P-202H Plus v2

1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in

URL field. Default LAN IP is 192.168.1.1, default password to login web

configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in Sonicwall.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is

Sonicwall WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

ESP check box. (AH can not be used in SUA/NAT case)P-202H Plus v2 Support Notes

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in Sonicwall.

13. Enter the key string 12345678 in the Preshared Key text box, and click

There are two ways to configure Cisco VPN, use commands from console or use

Cisco ConfigMaker. Cisco ConfigMaker is an easy-to-use Windows

98/Me/NT/2000 application that configures Cisco routers, switches, hubs, and

other devices. We will guide you how to setup IPSec by using Cisco ConfigMakerP-202H Plus v2 Support Notes

in section 2.1. If you prefer to use commands from console, please go to

2.1 Setup Ciscro by ConfigMaker

You can download Cisco ConfigMaker from

http://www.cisco.com/warp/public/cc/pd/nemnsw/cm/index.shtml.

1. Select AutoDetect device Wizard in Devices window.

2. Make sure that the console has been connected to your PC. If the router is

detected successfully, a Cisco router should appear in the Network

3. Click right button of the mouse, choose Device Properties.... In

Passwords tab, setup the passwords for this router.

See the screen shot:

4. From Devices window choose a router, and add this router in Network

Diagram. Rename it as "P-202H Plus v2". Assign passwords, choose

TCP/IP as it's protocol, and then set the interface of WAN slot 0 as 1

172P-202H Plus v2 Support Notes

See the screen shot:

5. Layout your network topology in the Network Diagram as shown below.

You may choose network components, such as hosts, Internet, Ethernet

LAN from the Devices window.

173P-202H Plus v2 Support Notes

See the screen shot:

6. Connect the network components by Ethernet from the Connections

window in the left bottom. Specify the WAN and LAN IP addresses to P-

202H Plus v2 and Cisco.

174P-202H Plus v2 Support Notes

See the screen shot:

7. Select VPN from Connections window. During this stage, you have to

enter the pre-shared key, "12345678".

175P-202H Plus v2 Support Notes

See the screen shot:

8. Select VPN, then click the right button of the mouse, and choose

connection Properties.... Setup IPSec parameters as shown below. Note

that the parameters you set here should match settings in P-202H Plus v2.

In IKE Advanced Settings, Encryption Algorithm is 56-bit DES,

Authentication Algorithm is MD5 and the SA lifetime is 1 hr. In IPSec

Transform, Encryption Algorithm is 56-bit DES, Authentication

Algorithm is MD5, and SA lifetime is 1 hr.

176P-202H Plus v2 Support Notes

See the screen shot:

9. Choose the Cisco router, and click Deliver to save the settings.

177P-202H Plus v2 Support Notes

See the screen shot:

10. Enter Cisco commands mode from console and check if Cisco can make

a successful ping to P-202H Plus v2. You might have to tune the

configuration to accommodate your practical environment. For more

detailed information, please go to

http://www.cisco.com

11. In config mode, enter a command "crypto ipsec transform-set cm-

transformset-1 esp-des esp-md5-hmac".

12. After all of the settings, if PC1 and PC2 can reach each other, then IPSec

VPN has been established successfully. There is also an useful command

to debug IPSec VPN, "debug crypto ipsec".

2.2 Setup Cisco by Commands

Note that, in order to setup Cisco by commands, you have to connect your PC

and Cisco route by a console cable. Enter the following commands one per line.

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

service password-encryption

logging rate-limit console 10 except errors

no ip dhcp-client network-discovery

crypto isakmp policy 1

authentication pre-share

crypto map cm-cryptomap 1 ipsec-isakmp

set transform-set cm-transformset-1

description connected to Internet

interface FastEthernet0

description connected to EthernetLAN_1

ip address 192.168.2.1 255.255.255.0

After all of the settings, if PC1 and PC2 can reach each other, then IPSec VPN

has been established successfully. There is also a useful command to debug

IPSec VPN, "debug crypto ipsec".

P-202H Plus v2 to SonicWALL Tunneling

This page guides us to setup a VPN connection between P-202H Plus v2 and

SonicWALL. As the figure shown below, the tunnel between PC 1 and PC 2

ensures the packets flow between them are secure. To setup this VPN tunnel,

the required settings for P-202H Plus v2 and SonicWALL are explained in the

The IP addresses we use in this example are as shown below.

Note: The following configurations are supposed both two VPN gateways have

fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as

the secure gateway IP address. In this case, the VPN connection can only be

initiated from dynamic side to fixed side to update its dynamic IP to the fixed side.

From this connection, the source IP is obtained and then update to the previous

0.0.0.0 field. However, if both gateways use dynamic IP addresses, it is no way

to establish VPN connection at all.

181P-202H Plus v2 Support Notes

1. Setup P-202H Plus v2

1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in

URL field. Default LAN IP is 192.168.1.1, default password to login web

configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in Sonicwall.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is

Sonicwall WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in Sonicwall.

13. Enter the key string 12345678 in the Preshared Key text box, and click

See the screen shot:

1. Login SonicWALL by giving the LAN IP address of SonicWALL, default is

2. Click Gernal menu, and click Network tab.

3. Select NAT Enabled as the Network Addressing Mode.

4. In LAN Settings, enter a LAN IP and Subnet Mask for SonicWALL.

5. In WAN Settings, enter a WAN IP, Subnet Mask, and WAN Gateway for

183P-202H Plus v2 Support Notes

6. In DNS Settings, enter the DNS IP.

7. Click Update to save the settings to SonicWALL.

8. Click DHCP, enable DHCP, and the Dynamic Ranges.

12. In Name option, give a name for this SA.

13. In IPSec Gateway Address, enter P-202H Plus v2 WAN IP

14. In Encryption Method option, select Encrypt and Authenticate (ESP DES HMAC MD5).

15. In Shared Secret option, enter 12345678 as the secret key.

16. Click Add New Network.

17. In Edit VPN Destination Network, enter remote secure host in Network

field, PC 1 in the case. And also enter its subnet mask and click Update.

18. Click Update to save VPN settings in VPN menu.

See the screen shot:

184P-202H Plus v2 Support Notes

If the SA is up, you can see a new button, Renegotiate appears in the Summary

screen.P-202H Plus v2 Support Notes

P-202H Plus v2 to WatchGuard Tunneling

This page guides us to setup a VPN connection between P-202H Plus v2 and

WatchGuard. As the figure shown below, the tunnel between PC 1 and PC 2

ensures the packets flow between them are secure. To setup this VPN tunnel,

the required settings for P-202H Plus v2 and WatchGuard are explained in the

The IP addresses we use in this example are as shown below.

Note: The following configurations are supposed both two VPN gateways have

fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as

the secure gateway IP address. In this case, the VPN connection can only be

initiated from dynamic side to fixed side to update its dynamic IP to the fixed side.

From this connection, the source IP is obtained and then update to the previous

0.0.0.0 field. However, if both gateways use dynamic IP addresses, it is no way

to establish VPN connection at all.

1. Setup P-202H Plus v2

1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in

URL field. Default LAN IP is 192.168.1.1, default password to login web

configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

to this policy.P-202H Plus v2 Support Notes

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is

WatchGuard WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in WatchGuard.

13. Enter the key string 12345678 in the Preshared Key text box, and click

2. Enter IP of PC2, click OK.

3. In External Interface, enter the WAN IP for WatchGuard; and in Trusted

Interface, enter the LAN IP for WatchGuard. Then click Next.

4. Enter the Default Gateway of WatchGuard then click Next twice.

5. Enter your passwords for Status and Configuration then click Next.

188P-202H Plus v2 Support Notes

6. Select Use Serial Cable to Assign IP Address and Serial Port of your

computer then click Next and OK.

7. Turn the Firebox off and on again. Wait for the configuration file to be

8. In the 'WatchGuard Control Center' click on the Policy Manager icon.

9. Pull down Network -> Branch Office VPN -> IPSec. See the figure below.

10. Click Gateway, and click Add.

11. Enter a name for remote security gateway in Name field, enter the remote

gateway IP in Remote Gateway IP field.

189P-202H Plus v2 Support Notes

12. Select isakmp (dynamic) (IKE in P-202H Plus v2) as Key Negotiation

Type and enter a string as Share Key.I

13. Click Tunnels, and click Add.

14. Select the Gateway you had created and click OK.

15. Enter a name in Name field for this Tunnel.

16. Click Dynamic Security tab, select Type, Authentication and

Encryption for your SAP. These settings must be consistant with P-202H Plus v2 settings.

190P-202H Plus v2 Support Notes

17. Enable the Key expiration. Then click OK twice. (ESP, MD5-HMAC,

18. Click Add in the main menu to Add Routing Policy.

19. In Local Host, enter PC1 IP; in Remote Host, enter PC2 IP, then select

Secure in Disposition and Tunnel you had created. Then click OK

191P-202H Plus v2 Support Notes

20. Select 'Save to Firebox' and enter the write pass phrase for your

P-202H Plus v2 to NETSCREEN Tunneling

This page guides us to setup a VPN connection between P-202H Plus v2 and

NETSCREEN. As the figure shown below, the tunnel between PC 1 and PC 2

ensures the packets flow between them are secure. To setup this VPN tunnel,

the required settings for P-202H Plus v2 and NETSCREEN are explained in the

The IP addresses we use in this example are as shown below.

PC 1 P-202H Plus v2 NETSCREEN PC 2

192.168.1.33 LAN: 192.168.1.1 LAN: 192.168.78.1 192.168.78.5

192P-202H Plus v2 Support Notes

WAN: 202.132.154.1 WAN: 168.10.10.66

Note: The following configurations are supposed both two VPN gateways have

fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as

the secure gateway IP address. In this case, the VPN connection can only be

initiated from dynamic side to fixed side to update its dynamic IP to the fixed side.

From this connection, the source IP is obtained and then update to the previous

0.0.0.0 field. However, if both gateways use dynamic IP addresses, it is no way

to establish VPN connection at all.

1. Setup P-202H Plus v2

1. Login P-202H Plus v2 by giving the LAN IP address of P-202H Plus v2 in

URL field. Default LAN IP is 192.168.1.1, default password to login web

configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in NETSCREEN.

6. Source IP Address Start and Source IP Address End are PC 1 IP in

this example. If a range of IP is used, please enter the start IP and the end

IP. For example, 192.168.1.33 to 192.168.1.35.

7. Destination IP Address Start and Destination IP Address End are PC

2 IP in this example. (the secure remote host)

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is

NETSCREEN WAN IP in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in NETSCREEN.

13. Enter the key string

12345678 in the Preshared Key text box, and click

193P-202H Plus v2 Support Notes

See the screen shot:

If you use SMT management, the VPN configurations are as shown below.

194P-202H Plus v2 Support Notes

1. Edit IKE settings by selecting Edit IKE Setup option in menu27.1.1 to Yes and

then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging.

In Phase 2, two peers negotiate general purpose SAs which are secure channels

195P-202H Plus v2 Support Notes

for data transmission.

2. Setup NETSCREEN For VPN

1. Configure NETSCREEN by using its web configurator.

2. Login NETSCREEN by giving the LAN IP address of NETSCREEN in URL

Create Local & Remote Secure Host:

1. Click Address menu and click Trusted tab.

2. Click New Address to add the local secure host (192.168.78.5 in this

example) and give a name to this host address (Local Secure Host in this

example). See the screen shown below.

Note: The Netmask field here for single IP is 255.255.255.255. Please do

not enter the wrong netmask, otherwise, VPN can not be established

196P-202H Plus v2 Support Notes

3. Click OK to save it.

4. Click New Address to add the remote secure host (192.168.1.33 in this

example) and give a name to this host address (Remote Secure Host in

this example). See the screen shown below.

Note: The Netmask field here for single IP is 255.255.255.255. Please do

not enter the wrong netmask, otherwise, VPN can not be established

197P-202H Plus v2 Support Notes

5. Click OK to save it.

Create Outgoing & Incoming VPN Policy:

1. Click Policy menu and click Outgoing tab.

2. Click New Policy to configure the outgoing VPN policy.

3. Give a name to the policy.

4. Select the Local Secure Host that we configured above as the Source

5. Select the Remote Secure Host that we configured above as the

Destination Address.

6. Select ANY as the Service.

7. For the rest settings please refer to the following screen shot. And click

198P-202H Plus v2 Support Notes

8. Click Policy menu and click Incoming tab.P-202H Plus v2 Support Notes

9. Click New Policy to configure the incoming VPN policy.

10. Give a name to the policy.

11. Select the Remote Secure Host that we configured above as the Source

12. Select the Local Secure Host that we configured above as the

Destination Address.

13. Select ANY as the Service.

14. For the rest settings please refer to the following screen shot. And click

200P-202H Plus v2 Support Notes

201P-202H Plus v2 Support Notes

Create Phase 1 Proposal: Note that all phase 1 and phase 2 settings in

NETSCREEN must be consistent with P-202H Plus v2.

1. Click VPN menu and click P1 Proposal tab.

2. Click New Phase 1 Proposal to create phase 1 proposal.

3. Give a Name for this proposal, for example P-202H Plus v2.

4. Select Preshare as the Authentication Method.

5. Select Group 1 as DH Group.

6. Select DES-CBC as Encryption Algorithm.

7. Select MD5 as Hash Algorithm.

8. Enter 3600 in Lifetime field, check Sec checkbox. See the sceen shot

Create Phase 2 Proposal:

1. Click VPN menu and click P2 Proposal tab.

2. Click New Phase 2 Proposal to create phase 2 proposal.

3. Check Encryption (ESP) checkbox and select DES-CBC and MD5 as the

Encryption Algorithm and the Authentication Algorithm. See the

202P-202H Plus v2 Support Notes

2. Click New Remote Tunnel Gateway to add the local VPN gateway, i.e.,

3. Give a name to this gateway, for example NETSCREEN.

4. Click Static IP Address as for this example.

5. Enter WAN IP of NETSCREEN in the IP Address field.

6. Select P-202H Plus v2 that we configure above as the Phase 1 Proposal.

203P-202H Plus v2 Support Notes

7. Enter 12345678 as the Preshared Key and click OK to save. See the

8. Click New Remote Tunnel Gateway to add the remote VPN gateway, i.e.,

9. Give a name to this gateway, for example P-202H Plus v2.

10. Click Static IP Address as for this example.

11. Enter WAN IP of P-202H Plus v2 in the IP Address field.

12. Select P-202H Plus v2 that we configure above as the Phase 1 Proposal.

204P-202H Plus v2 Support Notes

13. Enter 12345678 as the Preshared Key and click OK to save. See the

2. Click New AutoKey IKE Entry to add the entry for the local gateway, i.e.,

3. Select NETSCREEN as the Remote Gateway Tunnel Name.

4. Select P-202H Plus v2 as Phase 2 Proposal and click OK to save. See

205P-202H Plus v2 Support Notes

5. Click VPN menu and click AutoKey IKE tab.

6. Click New AutoKey IKE Entry to add the entry for the remote gateway,

i.e., P-202H Plus v2.

7. Select P-202H Plus v2 as the Remote Gateway Tunnel Name.

8. Select P-202H Plus v2 as Phase 2 Proposal and click OK to save. See

206P-202H Plus v2 Support Notes

9. After all above settings have been finished, you can start to access the remote

secure PC. If the VPN is established successfully, you can see the traffic flow

from the Traffic Log by clicking Log menu. See the following screen

207P-202H Plus v2 Support Notes

You can also see the current active user from the Active Log by clicking Log

menu. See the following screen shot.

3. P-202H Plus v2 vs 3rd Party VPN Software

208P-202H Plus v2 Support Notes

Checkpoint VPN to P-202H Plus v2 Tunneling

This page guides us to setup a VPN connection between Checkpoint VPN and P-

202H Plus v2 router.

As the figure shown below, the tunnel between P-202H Plus v2 and Checkpoint

ensures the packets flow between them are secure. Because the packets go

through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required

settings for the software and P-202H Plus v2 are explained in the following.

The IP addresses we use in this example are as shown below.

209P-202H Plus v2 Support Notes

Edit LAN segment of P-202H Plus v210. In this example, we setup P-202H Plus

v210 as DHCP server, and it’s LAN IP address is 192.168.99.1.

Edit Internet Access of P-202H Plus v210.

210P-202H Plus v2 Support Notes

In SMT menu 27, create a VPN rule like following.

211P-202H Plus v2 Support Notes

2. Setup Checkpoint VPN Creating Network objects.

Click on New/Network, define the LAN segment of P-202H Plus v2. Select

Locationa as External.

(Note-Internal and external refer to whether this network is protected behind the

212P-202H Plus v2 Support Notes

Define the LAN segment of Checkpoint. Select Location as Internal.

If there are more than one network would like to utilize the VPN tunnel. You can

merge the networks into one group.

• Go to Manage/Network Objects.

• Click on New/Group

• Fill in the properties for the group objects as shown below.

213P-202H Plus v2 Support Notes

Creating VPN Objects

Define P-202H Plus v2 box as a tunnel end point. (Name: SOHO_TEST)

Select VPN tab to define the protected domain of ZW, and the Encryption

schemes used by the tunnel.

214P-202H Plus v2 Support Notes

215P-202H Plus v2 Support Notes

Define checkpoint box as a tunnel endpoint.

Select VPN tab to define the protected domain of Checkpoint, and the

Encryption schemes used by the tunnel.

Choose IKE and press Edit… to edit the Phase1 parameters and pre-shared key.

216P-202H Plus v2 Support Notes

Edit pre-shared key by selecting Pre-Shared Secret in Authentication Method.

Choose Pre-Shared Secret then press Edit-Secretes…

Select SOHO_TEST as peer, and input the pre-shared key.

Create a new rule at or near the top of the policy. This rule should include both

encryption domains as both source and destination and the action should be

encrypt as shown below.

217P-202H Plus v2 Support Notes

Double click on the "encrypt" action to edit the encryption properties. Select IKE

as the form of encryption, and click on edit and select the Phase 2 parameters.

WIN2K VPN to P-202H Plus v2

This page guides us to setup a VPN connection between the WIN2K VPN

software and P-202H Plus v2 router. There will be several devices we need to

setup for this case. They are WIN2K VPN software and P-202H Plus v2 router.

As the figure shown below, the tunnel between PC 1 and P-202H Plus v2

ensures the packets flow between them are secure. Because the packets go

through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required

settings for WIN2K and P-202H Plus v2 are explained in the following

sections. As the red pipe shown in the following figure, the tunneling endpoints

are WIN2K and P-202H Plus v2.P-202H Plus v2 Support Notes

The IP addresses we use in this example are as shown below.

PC 1 P-202H Plus v2 PC2

1. From Windows desktop, click Start, click Run, and in the Open textbox

2. On the Console window, click Add/Remove Snap-In.

219P-202H Plus v2 Support Notes

3. In the Add/Remove Snap-In dialog box, click Add.

220P-202H Plus v2 Support Notes

4. In the Add Standalone Snap-in dialog box, click Computer

Management, and then click Add.

5. Verify that Local Computer (default setting) is selected, and click Finish.

221P-202H Plus v2 Support Notes

6. In the Add Standalone Snap-in dialog box, click Group Policy, and then

7. Verify that Local Computer (default setting) is selected in the Group

Policy Object dialog box, and then click Finish.

222P-202H Plus v2 Support Notes

8. In the Add Standalone Snap-in dialog box, click Certifications, and then

9. In the Certificates snap-in dialog box, select Computer account, and

223P-202H Plus v2 Support Notes

10. Verify that Local Computer (default setting) is selected, and click Finish.

11. Click Close to close the Add Standalone Snap-in dialog box.

224P-202H Plus v2 Support Notes

12. Click OK to close the Add/Remove Snap-in dialog box.

- Create IPSec Policy

Typically, Windows 2000 gateway is not a member of a domain, so a local IPSec

policy is created. If your Windows 2000 gateway is a member of a domain that

already exists an local IPSec policy. In this case, you can create an Organization

Unit (OU) in Active Directory to make your WIN2K as a member of this OU by

assigning the IPSec policy to the Group Policy Object (GPO) of this OU. For

more information, please refer to the Assigning IPSec Policy section of Windows

1. From Windows desktop, click Start, click Run, and in the Open textbox

type SECPOL.MSC. Click OK.

225P-202H Plus v2 Support Notes

2. Right click IP Security Policies on Local Machine, and then click Create

3. Click Next, and type a name for your policy. For example, WIN2K to P-

202H Plus v2 Tunnel.

226P-202H Plus v2 Support Notes

4. Uncheck Active the default response rule check box, and click Next.

227P-202H Plus v2 Support Notes

5. Keep the Edit properties check box selected and click Finish.

5. A dialog window will bring up for you to configure two filter rules for this

228P-202H Plus v2 Support Notes

Note: The IPSec policy is created with default IKE main mode (phase 1) on the

General tab. Please check details by clicking the Advanced on this tab.

The IPSec tunnel consists of two rules, each of which specifies a tunnel endpoint.

Because there are two endpoints so we need two filter rules. One is for the

direction from PC 1 to PC 2 (endpoint is P-202H Plus v2), and the other is from

PC 2 to PC 1 (endpoint is WIN2K). In each rule, a source IP and destination IP

for local and remote VPN clients (PC 1 or PC 2) are required. See the guides

- Build a Filter List from PC 1 to PC 2

1. In policy properties, uncheck Use Add Wizard check box, and click Add

to create a new rule.

229P-202H Plus v2 Support Notes

2. On the IP Filter List tab, click Add.

230P-202H Plus v2 Support Notes

3. Type a name for the filter list (e.g., WIN2K to P-202H Plus v2), uncheck

Use Add Wizard check box, and click Add.

231P-202H Plus v2 Support Notes

4. In the Source address, choose A specific IP Address, and enter the IP

232P-202H Plus v2 Support Notes

5. In the Destination address, choose A specific IP Address, and enter

the IP address of PC 2

6. Uncheck Mirror check box.

233P-202H Plus v2 Support Notes

7. On the Protocol tab, leave the protocol type to Any, because IPSec

tunnels do not support protocol-specific or port specific filters.

8. On the Description tab, you can give a name for this filter list. The filter

name is displayed in the IPSec monitor when the tunnel is active.

234P-202H Plus v2 Support Notes

9. Click OK and Close to close the windows.

- Build a Filter List from PC 2 to PC 1

1. On the IP Filter List tab, click Add.

235P-202H Plus v2 Support Notes

2. Type a name for the filter list (e.g., P-202H Plus v2 to WIN2K), uncheck

Use Add Wizard check box, and click Add.

3. In the Source address, choose A specific IP Address, and enter the IP

236P-202H Plus v2 Support Notes

4. In the Destination address, choose A specific IP Address, and enter

the IP address of PC 1

5. Uncheck Mirror check box.

237P-202H Plus v2 Support Notes

6. On the Protocol tab, leave the protocol type to Any, because IPSec

tunnels do not support protocol-specific or port specific filters.

238P-202H Plus v2 Support Notes

7. On the Description tab, you can give a name for this filter list. The filter

name is displayed in the IPSec monitor when the tunnel is active.

8. Click OK and Close to close the windows.

239P-202H Plus v2 Support Notes

- Configure a Rule for PC 1 to PC 2 tunnel

1. Select the first filter list you created above from the IP Filter List. For

example, WIN2K to P-202H Plus v2.

2. Click Tunnel Setting tab, enter the remote endpoint. For this filter list, the

remote IPSec endpoint is P-202H Plus v2.

240P-202H Plus v2 Support Notes

3. Click Connection Type tab, click All network connections (or click LAN

connections if your WIN2K does not connect to ISP but LAN). In our

example, we choose All network connections.

4. Click Filter Action tab, uncheck Use Add Wizard check box, and click

241P-202H Plus v2 Support Notes

5. Leave Negotiate security as checked, and uncheck Accept unsecured

communication, but always respond using IPSec check box. You must

do this to ensure secure connections.

6. Click Add and select Custom (for expert users) if you want to define

specific algorithms and session key lifetimes). Please make sure the

settings match whatever we will configure in P-202H Plus v2 later.

242P-202H Plus v2 Support Notes

7. Click OK. On the General tab, give a name to the filter action. For

example, WIN2K to P-202H Plus v2, and click OK.

243P-202H Plus v2 Support Notes

8. Select the filter action you just created.

9. On the Authentication Methods tab, click Add to select Use this string

to protect the key exchange (pre-shared key) option. And enter the

string 12345678 in the text box.

244P-202H Plus v2 Support Notes

See the finished screen shot.

245P-202H Plus v2 Support Notes

- Configure a Rule for PC 2 to PC 1 tunnel

1. In the IPSec policy properties, click Add to create a new rule.

2. Select the second filter list you created above from the IP Filter List. For

example, P-202H Plus v2 to WIN2K.

246P-202H Plus v2 Support Notes

3. Click Tunnel Setting tab, enter the remote endpoint. For this filter list, the

remote IPSec endpoint is WIN2K.

4. Click Connection Type tab, click All network connections (or click LAN

connections if your WIN2K does not connect to ISP but LAN). In our

example, we choose All network connections.

247P-202H Plus v2 Support Notes

5. Click Filter Action tab, select the filter action you created.

6. On the Authentication Method tab, configure the same settings as done

248P-202H Plus v2 Support Notes

8. Enable both rules you created in the policy properties and click Close.

Figure 5: See the finished screen shot

249P-202H Plus v2 Support Notes

- Assign Your New IPSec Policy to Your Windows 2000

1. In the IP Security Policies on Local Machine MMC snap-in, right click your

new policy, and click Assign.

2. A green arrow will appear in the folder icon next to your policy. See the

250P-202H Plus v2 Support Notes

For more information about configure WIN2K IPSec, please refer to the following

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default

password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in WIN2K.

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

1 in this example. (the secure WIN2K PC) Note: You may assign a range

of Source/Destination IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote WIN2K's IP, that is PC 1 in this

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in WIN2K.

13. Enter the key string 12345678 in the Preshared Key text box, and click

251P-202H Plus v2 Support Notes

Figure 8: See the VPN rule screen shot

If you use SMT management, the VPN configurations are as shown below.

Menu 27.1.1 - IPSec Setup

Port Start= 0 End= N/A Enable Replay Detection= No

Key Management= IKE Edit IKE Setup= Yes

Edit Manual Setup= N/A Press ENTER to Confirm or ESC to Cancel:

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu 27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging.

In Phase 2, two peers negotiate general purpose SAs which are secure channels

for data transmission.

Please note that any configuration in 'IKE Setup' should match the settings

configured in WIN2K Menu 27.1.1.1 - IKE Setup

Negotiation Mode= Main

Pre-Shared Key= 12345678

Encryption Algorithm= DES Authentication Algorithm= MD5

SA Life Time (Seconds)= 3600

Encapsulation= Tunnel

253P-202H Plus v2 Support Notes

Perfect Forward Secrecy (PFS)= None

Press ENTER to Confirm or ESC to Cancel

Soft-PK VPN to P-202H Plus v2 Tunneling

This page guides us to setup a VPN connection between the VPN software and

P-202H Plus v2 router. There will be several devices we need to setup for this

case. They are VPN software and P-202H Plus v2 router.

As the figure shown below, the tunnel between PC 1 and P-202H Plus v2

ensures the packets flow between them are secure. Because the packets go

through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required

settings for the software and P-202H Plus v2 are explained in the following

The IP addresses we use in this example are as shown below.

1. Open Soft-PK Security Policy Editor

2. Add a new connection named 'P-202H Plus v2' as shown below.

3. Select Connection Security to Secure

254P-202H Plus v2 Support Notes

Remote Party Identity and Addressing settings:

4. In ID Type option, please choose IP Address option, and enter the IP address

of the remote PC (PC 2 in this case).

5. Check Connect using Secure Gateway Tunnel, please also select IP Address as ID Type, and enter P-202H Plus v2's WAN IP address in the following field.

255P-202H Plus v2 Support Notes

The detailed configuration is shown in the following figure.

Pre-Share Key Settings:

6. Extend P-202H Plus v2 icon, you may see My Identity.

7. Click My Identity, click the Pre-Shared Key icon in the right side of the

8. Enter a key you that later you will also need to configure in P-202H Plus v2 in

the pop out windows. In this example, we enter

12345678. See below.

256P-202H Plus v2 Support Notes

Security Policy Settings:

257P-202H Plus v2 Support Notes

9. Click Security Policy option to choose Main Mode as Phase 1 Negotiation

10. Extend Security Policy icon, you will see two icons, Authentication (Phase

1) and Key Exchange (Phase 2).

11. The settings shown in the following two figures for both Phases are our

examples. You can choose any, but they should match whatever you enter in P-

258P-202H Plus v2 Support Notes

259P-202H Plus v2 Support Notes

2. Setup P-202H Plus v2 VPN

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default

password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we

configured in Soft-PK.

6. Source IP Address Start and Source IP Address End are PC 2 IP in

this example. (the secure host behind P-202H Plus v2)

7. Destination IP Address Start and Destination IP Address End are PC

1 in this example. (the secure remote host) Note: You may assign a range

of Source/Destination IP addresses for multiple VPN sessions.

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is PC 1 in

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to DES and Authentication Algorithm to

SHA1, as we configured in Soft-PK.

13. Enter the key string 12345678 in the Preshared Key text box, and click

260P-202H Plus v2 Support Notes

Figure 8: See the VPN rule screen shot

261P-202H Plus v2 Support Notes

If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging.

In Phase 2, two peers negotiate general purpose SAs which are secure channels

for data transmission.

262P-202H Plus v2 Support Notes

Please note that any configuration in 'IKE Setup' should match the settings in

Linux FreeS/WAN VPN to P-202H Plus v2 Tunneling

This page guides us to setup a VPN connection between FreeS/WAN and P-

202H Plus v2 router. There will be several devices we need to setup for this case.

They are Linux FreeS/WAN and P-202H Plus v2 router.

As the figure shown below, the tunnel between PC 1 and P-202H Plus v2

ensures the packets flow between them are secure. Because the packets go

through the IPSec tunnel are encrypted. To setup this VPN tunnel, the required

settings for FreeS/WAN and P-202H Plus v2 are explained in the following

263P-202H Plus v2 Support Notes

The IP addresses we use in this example are as shown below.

1. Setup FreeS/WAN We presume that your Linux's kernel has been compiled to support FreeS/WAN,

and FreeS/WAN has been also installed successfully in your system. You can

refer to the following URL for more information,

http://www.FreeS/WAN.org/.

Two files must be configured in /etc directory.

leftnexthop=65.170.185.65

65.170.185.111 202.132.170.1 : PSK "12345678"

2. Setup P-202H Plus v2 VPN

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. The LAN IP in tihs example is 192.168.0.1,

default password to login web configurator is 1234.

2. Click Advanced, and click VPN tab on the left.

3. On the SUMMARY menu, Select a policy to edit by clicking Edit.

4. On the CONFIGURE-IKE menu, check Active check box and give a name

5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, Linux

FreeS/WAN only supports Main mode.

6. In Local section, choose Subnet Address as Address Type. Source IP Address Start is 192.168.0.0 and End is 255.255.255.0 in this example.

(the secure network behind P-202H Plus v2)

7. In Remote section, choose Subnet Address as Address Type. Source IP Address Start is 192.168.10.0 and End is 255.255.255.0. (the secure

network behind Linux)

8. My IP Addr is the WAN IP of P-202H Plus v2.

9. Secure Gateway IP Addr is the remote secure gateway IP, that is Linx

box in this example.

10. Select Encapsulation Mode to Tunnel.

11. Check the ESP check box. (AH can not be used in SUA/NAT case)

12. Select Encryption Algorithm to 3DES and Authentication Algorithm to

13. Enter the key string 12345678 in the Preshared Key text box, and click

265P-202H Plus v2 Support Notes

You can click Advanced button to check IPSec Phase 1 and Phase 2

parameters. Please note that Linux FreeS/WAN only supports 3DES as

encryption algorithm, and DH2 or upper as key exchange group.

266P-202H Plus v2 Support Notes

267P-202H Plus v2 Support Notes

If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit Key Management Setup' option in

menu27.1.1 to 'Yes' by pressing space bar and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging.

In Phase 2, two peers negotiate IPSec SAs which are used for data transmission.

Please note that Linux FreeS/WAN only supports 3DES as encryption algorithm,

and DH2 or upper as key exchange group.

268P-202H Plus v2 Support Notes

SSH Sentinel to P-202H Plus v2 Tunneling

Sentinel (Static IP) to P-202H Plus v2(Static IP) Tunneling

This page guides us to setup a VPN connection between the Sentinel software

and P-202H Plus v2 router. There will be several devices we need to setup for

this case. They are Sentinel software and P-202H Plus v2 router.

As the figure shown below, the tunnel between PC 1, with Sentinel installed, and

P-202H Plus v2 ensures the packets flow between them are secure. Because the

packets go through the IPSec tunnel are encrypted. To setup this VPN tunnel,

the required settings for Sentinel and P-202H Plus v2 are explained in the

following sections. As the red pipe shown in the following figure, the tunneling

endpoints are Sentinel and P-202H Plus v2.

269P-202H Plus v2 Support Notes

The IP addresses we use in this example are as shown below.

1. From Tool Tray of Windows system, right click on your SSH/Sentinel icon,

and then choose Run Policy Editor.

2. Choose Key Management. Select My Keys, then press Add... button.

270P-202H Plus v2 Support Notes

3. Select Create a preshared key, and press Next.

271P-202H Plus v2 Support Notes

4. Give this preshared key a name, P-202H Plus v2. And then enter the

preshared key "12345678" in both Shared secret and Confirm shared

secret fields. Finally press Finish.

272P-202H Plus v2 Support Notes

5. Press Apply in Main menu to save the above settings for latter use.

273P-202H Plus v2 Support Notes

6. Switch to Security Policy tab. Choose VPN connections, and then press

274P-202H Plus v2 Support Notes

7. Add VPN Connection window will pop out. Press IP button besides

Gateway Name box. Enter P-202H Plus v210's WAN IP address in

8. Press ... button besides Remote network.

275P-202H Plus v2 Support Notes

9. Network Editor Window will pop out. Press New button, and Enter P-

202H Plus v2 in Network name, and 192.168.1.0 in IP address field, and

255.255.255.0 in Subnet Mask field. Then click OK to go back to Add

VPN Connection window.

10. Choose P-202H Plus v2 as Authentication Key. Then click OK to save.

276P-202H Plus v2 Support Notes

11. In SSH Sentinel Policy Editor, you will get a new VPN connection,

172.21.1.252(P-202H Plus v2), choose this item, and then press

Properties... button.

12. Choose Settings button in Remote endpoint section. Please uncheck the

boxes of "Acquire virtual IP address" and "Extended authentication".

277P-202H Plus v2 Support Notes

13. Tune IKE proposal to Encryption algorithm as DES, Integrity function as

MD5, IKE mode as main mode, IKE group as MODP 768 (group 1),

and IPSec proposal to Encryption algorithm as DES, Integrity funciton as

HMAC-MD5, PFS group as none.

278P-202H Plus v2 Support Notes

14. Press Apply to save all of the settings.

279P-202H Plus v2 Support Notes

15. Initiate VPN connection from Sentinel by selecting your VPN connection

from Select VPN item.

A. When building VPN between Sentinel and P-202H Plus v2, the tunnel

can't be initiated from P-202H Plus v2 side. Please always initiate the tunnel

B. VPN tunnel on Sentinel can't be initiated by triggered packets (such as

ping, ftp, telnet, HTTP...etc.) You can only initiate VPN tunnel by choosing

"Select VPN" from SSH/Sentinel tray.

280P-202H Plus v2 Support Notes

Please check your P-202H Plus v2's release note, if your current firmware

version doesn't support Mega Bytes as SA lifetime. You have to Zero your Mega

Bytes setting in SA life time. Switch to Security Policy, the configuration page is

in <Your VPN connection>/Properties.../Advanced Tab/Settings...

281P-202H Plus v2 Support Notes

2. Setup P-202H Plus v2 VPN

1. Using a web browser, login P-202H Plus v2 by giving the LAN IP address

of P-202H Plus v2 in URL field. Default LAN IP is 192.168.1.1, default

password to login web configurator is 1234.

2. Go to Advanced -> VPN

3. Check Active box to enable this rule. Check Keep alive to make your

VPN connection stay permanent.

4. Select Negotiation Mode to Main, as we configured in Sentinel.

5. Local IP, Address Type is Subnet, Address Start is 192.168.1.0,

End/Subnet Mask is 255.255.255.0.

6. Remote IP, Address Type is Single, Address Start is Sentinel's IP,

7. My IP Addr is the WAN IP of P-202H Plus v2.

8. Secure Gateway IP Addr is also Sentinel's IP, 172.21.1.232

9. Select Encapsulation Mode to Tunnel.

10. Check the ESP check box. (AH can not be used in SUA/NAT case)

11. Select Encryption Algorithm to DES and Authentication Algorithm to

MD5, as we configured in Sentinel.

12. Enter the key string 12345678 in the Preshared Key text box, and click

13. Press Advanced button to set IKE phase 1 and phase 2 parameters.P-202H Plus v2 Support Notes

See the VPN rule screen shot

Set IKE Phase 1 and Phase 2 parameters.

283P-202H Plus v2 Support Notes

284P-202H Plus v2 Support Notes

If you use SMT management, the VPN configurations are as shown below.

1. Edit IKE settings by selecting 'Edit IKE Setup' option in menu 27.1.1 to 'Yes'

and then pressing 'Enter'.

2. There are two phases for IKE:

In Phase 1, two IKE peers establish a secure channel for key exchanging.

In Phase 2, two peers negotiate general purpose SAs which are secure channels

for data transmission.

285P-202H Plus v2 Support Notes

Please note that any configuration in 'IKE Setup' should match the settings

configured in Sentinel

Sentinel (Dynamic IP) to P-202H Plus v2(Static IP) Tunneling