ISG50 Application Note Version 1.0 June, 2011
Scenario 1 - ISG50 is placed behind an existing ZyWALL

1.1 Application Scenario
For companies with existing network infrastructures and demanding VoIP requirements, you can connect the ISG50 to the LAN or DMZ of the ZyWALL. The USG provides the security services and the ISG50 acts as a pure IP PBX that provides the VoIP services.

Goal to Achieve
IP phones on the Internet can register to the ISG50 through the USG's WAN IP and can talk to another IP phone connected under the ISG50's LAN zone.
1.2 Configuration Guide
Network Conditions
USG 20W:
- WAN IP: 59.124.163.156
- SIP server IP (ISG50): 172.16.1.10
ISG50:
- WAN IP: 172.16.1.10

USG 20W:
Step 1. Click CONFIGURATION > Network > Interface > Ethernet to assign the USG 20W a WAN IP.
Step 2. Assume the ISG50's WAN port is connected to LAN2 (port 4) of the USG 20W. Configure an IP for this interface.
Step 3. For the NAT setting, the user needs to configure the following:
- Rule's name.
- Set the type to Virtual Server so the USG 20W forwards the packets.
- Fill in the Original IP (WAN IP) address.
- Fill in the Mapped IP (ISG50's IP) address.
- Configure the Original Port and the Mapped Port; here we set the SIP signaling port 5060 and the RTP port range 10000-20000. Make sure these port settings are the same as those set in the ISG50.
Step 4. The user can create an address object for the ISG50 for later configuration use. Click Create new object for this function.
Step 5. Click CONFIGURATION > Network > Firewall to open the firewall configuration screen. Click the Add button to create a firewall rule that allows the VoIP service to pass from WAN to LAN2.
Step 6. Disable SIP ALG.
ISG50:
Step 1. Set the WAN IP of the USG 20W in the Fake IP field.
Step 2. Make sure the SIP signaling port and the RTP port range are the same as those you configured in the port forwarding on the USG 20W.
Step 3. Disable the firewall on the ISG50 since the USG 20W acts as the firewall.
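The steps above spread one requirement over two boxes: the USG's NAT and firewall rules must agree with the ISG50's SIP port, RTP range and Fake IP. The following script is an added example, not ZyXEL code; it models both configurations with the guide's values (record and field names are assumptions that mirror the GUI labels) and reports every mismatch that would stop Internet phones from registering or exchanging media.

```python
"""Consistency check for Scenario 1: ISG50 behind a USG 20W (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)


@dataclass
class NatRule:
    name: str
    original_ip: str          # address Internet phones send to (USG WAN IP)
    mapped_ip: str            # address the USG forwards to (ISG50 WAN IP)
    original_port: PortRange
    mapped_port: PortRange
    protocol: str = "udp"


@dataclass
class FirewallRule:
    from_zone: str
    to_zone: str
    protocol: str
    ports: PortRange
    action: str = "allow"


@dataclass
class UsgConfig:
    wan_ip: str
    nat_rules: List[NatRule]
    firewall_rules: List[FirewallRule]
    sip_alg_enabled: bool


@dataclass
class IsgConfig:
    wan_ip: str
    fake_ip: str              # public address the ISG50 writes into SIP/SDP
    sip_port: int
    rtp_range: PortRange
    firewall_enabled: bool


def covers(outer: PortRange, inner: PortRange) -> bool:
    """True when every port of `inner` lies inside `outer`."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def check_deployment(usg: UsgConfig, isg: IsgConfig) -> List[str]:
    """Return findings; an empty list means the USG and ISG50 settings agree."""
    findings: List[str] = []
    needed = [("SIP signaling", (isg.sip_port, isg.sip_port)), ("RTP media", isg.rtp_range)]
    for label, ports in needed:
        rule = next((r for r in usg.nat_rules if covers(r.mapped_port, ports)), None)
        if rule is None:
            findings.append(f"{label}: no NAT rule forwards ports {ports}")
            continue
        if rule.original_ip != usg.wan_ip:
            findings.append(f"{rule.name}: Original IP {rule.original_ip} is not the USG WAN IP {usg.wan_ip}")
        if rule.mapped_ip != isg.wan_ip:
            findings.append(f"{rule.name}: Mapped IP {rule.mapped_ip} is not the ISG50 IP {isg.wan_ip}")
        if rule.original_port != rule.mapped_port:
            # The ISG50 advertises its own ports in SIP/SDP, so a translated
            # port on the USG would not match what the phone is told to use.
            findings.append(f"{rule.name}: Original Port {rule.original_port} differs from Mapped Port {rule.mapped_port}")
        if not any(f.from_zone == "WAN" and f.to_zone == "LAN2" and f.action == "allow"
                   and f.protocol == rule.protocol and covers(f.ports, ports)
                   for f in usg.firewall_rules):
            findings.append(f"{label}: no WAN-to-LAN2 firewall rule allows {rule.protocol} ports {ports}")
    if isg.fake_ip != usg.wan_ip:
        findings.append(f"ISG50 Fake IP {isg.fake_ip} must equal the USG WAN IP {usg.wan_ip}")
    if usg.sip_alg_enabled:
        # Fake IP already puts the public address into SIP headers; a second
        # rewrite by the USG's SIP ALG is what the guide's Step 6 avoids.
        findings.append("SIP ALG is enabled on the USG; the guide disables it")
    if isg.firewall_enabled:
        findings.append("ISG50 firewall is enabled; the guide disables it because the USG 20W is the firewall")
    return findings


# Constructed records holding the values from the guide.
GUIDE_USG = UsgConfig(
    wan_ip="59.124.163.156",
    nat_rules=[
        NatRule("sip_to_isg50", "59.124.163.156", "172.16.1.10", (5060, 5060), (5060, 5060)),
        NatRule("rtp_to_isg50", "59.124.163.156", "172.16.1.10", (10000, 20000), (10000, 20000)),
    ],
    firewall_rules=[FirewallRule("WAN", "LAN2", "udp", (5060, 5060)),
                    FirewallRule("WAN", "LAN2", "udp", (10000, 20000))],
    sip_alg_enabled=False,
)
GUIDE_ISG = IsgConfig(wan_ip="172.16.1.10", fake_ip="59.124.163.156",
                      sip_port=5060, rtp_range=(10000, 20000), firewall_enabled=False)

if __name__ == "__main__":
    for line in check_deployment(GUIDE_USG, GUIDE_ISG) or ["OK: USG and ISG50 settings agree"]:
        print(line)
```

Run it after changing either box; a non-empty list names the exact field that drifted, which is far quicker than watching phones fail to register.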
Scenario 2 - Secure site-to-site connections using IPSec VPN / Secure client-to-site connections using IPSec VPN

2.1 Application Scenario
The ISG50 can provide secure site-to-site access between remote locations and corporate resources through the Internet. Using IPSec VPN, companies can secure connections to branch offices, partners and headquarters. In addition, road warriors and telecommuters can access the company's network by installing the ZyXEL IPSec VPN client software.

Goal to Achieve
1. Build an IPSec VPN tunnel between the ISG50 and the USG 20W.
2. Build an IPSec VPN tunnel for a PC/laptop user's dynamic access to the ISG50.
2.2 Configuration Guide
2.2.1 Secure site-to-site connections using IPSec VPN
Network Conditions
ISG50:
- WAN IP: 59.124.163.156
- Local subnet: 10.5.5.0/24
USG 20W:
- WAN IP: 59.124.163.151
- Local subnet: 192.168.2.0/24
IPSec VPN Conditions
Phase 1:
- Authentication: 1234567890
- Negotiation mode: Main
- Encryption Algorithm: 3DES
- Authentication Algorithm: MD5
- Key Group: DH1
Phase 2:
- Active Protocol: ESP
- Encapsulation Mode: Tunnel
- Encryption Algorithm: DES
- Authentication Algorithm: SHA1
- Perfect Forward Secrecy (PFS): None
ISG50:
Step 1. Click the Add button to add a VPN gateway rule.
Step 2. To configure the VPN gateway rule, the user needs to fill in the following:
- VPN gateway name.
- Gateway address: My Address (ISG50's IP) and Peer Gateway Address (USG's IP).
- Authentication setting: Shared Key and ID Type setting (Local and Peer side).
- Phase-1 setting: Negotiation mode, Encryption algorithm, Authentication algorithm, Key Group.
Step 3. Click CONFIGURATION > VPN > IPSec VPN > VPN Connection to configure the phase-2 rule.
Step 4. To configure the phase-2 rule, the user needs to fill in the following:
- VPN connection name.
- VPN gateway selection.
- Policy: Local network side and Remote network side.
- Phase 2 Settings: Active protocol, Encapsulation mode, Encryption algorithm, Authentication algorithm, Perfect Forward Secrecy.
Step 5. Click the Connect button to establish the VPN link. Once the tunnel is established, a connected icon is displayed in front of the rule.
USG 20W:
Step 1. Add a VPN gateway rule.
Step 2. To configure the VPN gateway rule, the user needs to fill in:
- VPN gateway name.
- Gateway address: My Address (USG's IP) and Peer Gateway Address (ISG50's IP).
- Authentication setting: Shared Key and ID Type setting (Local and Peer side).
- Phase-1 setting: Negotiation mode, Encryption algorithm, Authentication algorithm, Key Group.
Step 3. Configure the phase-2 rule.
Step 4. To configure the phase-2 rule, the user needs to fill in:
- VPN connection name.
- VPN gateway selection.
- Policy: Local network side and Remote network side.
- Phase 2 Settings: Active protocol, Encapsulation mode, Encryption algorithm, Authentication algorithm, Perfect Forward Secrecy.
Before configuring the Remote Policy in Step 4, the user can create a specific address object for the VPN subnet.
Step 5. Click the Connect button to establish the VPN link. Once the tunnel is established, a connected icon is displayed in front of the rule.

Result: When the VPN tunnel is established, the user can find the SA information under MONITOR > VPN MONITOR > IPSec.
ISG50:
USG:
2.2.2 Secure client-to-site connections using IPSec VPN
ISG50:
- WAN IP: 59.124.163.156
- Local subnet: 192.168.1.0/24
IPSec VPN Conditions
Phase 1:
- Authentication: 111111111
- Negotiation mode: Main
- Encryption Algorithm: DES
- Authentication Algorithm: MD5
- Key Group: DH1
Phase 2:
- Active Protocol: ESP
- Encapsulation Mode: Tunnel
- Encryption Algorithm: DES
- Authentication Algorithm: SHA1
- Perfect Forward Secrecy (PFS): None
Step 1. Click CONFIGURATION > VPN > IPSec VPN > VPN Gateway to open the configuration screen. Click the Add button to add a VPN gateway rule.
Step 2. To configure the VPN gateway rule, the user needs to fill in the following:
- VPN gateway name.
- Gateway address: My Address (ISG50) and Peer Gateway Address (Dynamic Address).
- Authentication setting: Shared Key.
- Phase 1 Setting.
Step 3. Click CONFIGURATION > VPN > IPSec VPN > VPN Connection to configure the phase-2 rule.
Step 4. To configure the phase-2 rule, the user needs to fill in the following:
- VPN connection name.
- VPN gateway selection.
- Policy.
- Phase-2 setting.
Step 5. Start the ZyXEL IPSec VPN Client and fill in the Phase 1 configuration.
Step 6. Configure the phase-2 parameters. Since it is a dynamic rule, the user MUST enable it from the VPN client: click Open Tunnel to enable it. The icon turns green if the VPN connection is established successfully.
Step 7. When the VPN tunnel is established, the user can find the SA information under MONITOR > VPN MONITOR > IPSec.
Result: The user at IP 10.59.1.71 can ping the ISG50's LAN1 IP 192.168.1.1.