
IPSec VPN

User Guide

Version 1.0

ZTE CORPORATION
ZTE Plaza, Keji Road South,
Hi-Tech Industrial Park,
Nanshan District, Shenzhen,
P. R. China
518057
Tel: (86) 755 26771900 800-9830-9830
Fax: (86) 755 26772236
URL: http://support.zte.com.cn
E-mail: doc@zte.com.cn
LEGAL INFORMATION

Copyright © 2006 ZTE CORPORATION.

The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.

All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.

This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.

ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.

ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.

Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.

The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History

Date          Revision No.   Serial No.      Reason for Issue
May 20, 2008  R1.0           Sjzl20081976    First edition
ZTE CORPORATION Values Your Comments & Suggestions!

Your opinion is of great value and will help us improve the quality of our product
documentation and offer better services to our customers.
Please fax to (86) 755-26772236 or mail to Documentation R&D Department, ZTE
CORPORATION, ZTE Plaza, A Wing, Keji Road South, Hi-Tech Industrial Park,
Shenzhen, P. R. China 518057.
Thank you for your cooperation!

Document Name: IPSec VPN User Guide
Product Version: V1.0          Document Revision Number: R1.0
Equipment Installation Date: ____________
Serial No.: sjzly20081976

Your evaluation of this documentation
  Presentation (Introductions, Procedures, Illustrations, Completeness, Level of Detail,
  Organization, Appearance):
    [ ] Good  [ ] Fair  [ ] Average  [ ] Poor  [ ] Bad  [ ] N/A
  Accessibility (Contents, Index, Headings, Numbering, Glossary):
    [ ] Good  [ ] Fair  [ ] Average  [ ] Poor  [ ] Bad  [ ] N/A
  Intelligibility (Language, Vocabulary, Readability & Clarity, Technical Accuracy, Content):
    [ ] Good  [ ] Fair  [ ] Average  [ ] Poor  [ ] Bad  [ ] N/A

Your suggestions for improvement of this documentation
Please check the suggestions which you feel can improve this documentation:
  [ ] Improve the overview/introduction     [ ] Make it more concise/brief
  [ ] Improve the Contents                  [ ] Add more step-by-step procedures/tutorials
  [ ] Improve the organization              [ ] Add more troubleshooting information
  [ ] Include more figures                  [ ] Make it less technical
  [ ] Add more examples                     [ ] Add more/better quick reference aids
  [ ] Add more detail                       [ ] Improve the index
  [ ] Other suggestions:
  __________________________________________________________________________
  __________________________________________________________________________
  (Please feel free to write any comments on an attached sheet.)

If you wish to be contacted regarding your comments, please complete the following:
Name: ____________        Company: ____________
Postcode: ____________    Address: ____________
Telephone: ____________   E-mail: ____________
Contents

Contents ..........................................................................5

About This Manual............................................................i


Purpose .................................................................................i
Intended Audience ..................................................................i
What Is in This Manual.............................................................i
Conventions ......................................................................... iii
How to Get in Touch .............................................................. iv

Chapter 1......................................................................1
System Overview ............................................................1
Overview...............................................................................1
About ZXSEC US IPSec VPNs............................................. 1
Using the web-based manager and CLI to configure IPSec VPNs...2
About this document ........................................................ 3
Document conventions............................................................4
Typographic conventions .........................................................5

Chapter 2......................................................................7
Configuring IPSec VPNs ..................................................7
Overview...............................................................................7
IPSec VPN overview ......................................................... 7
Planning your VPN ........................................................... 8
Network topologies.................................................................8
Choosing policy-based or route-based VPNs ........................ 9
General preparation steps ............................................... 10
How to use this guide to configure an IPSec VPN ............... 10

Chapter 3....................................................................13
Gateway-to-gateway configurations ............................13
Overview ............................................................................ 13
Configuration overview ................................................... 13
Gateway-to-gateway infrastructure requirements .................... 15
General configuration steps............................................. 15
Configure the VPN peers ................................................. 16
Configuration example.................................................... 19
Define the phase 1 parameters on ZXSEC US_1 ...................... 19
Define the phase 2 parameters on ZXSEC US_1 ...................... 20
Define the firewall policy on ZXSEC US_1 ............................... 21
Configure ZXSEC US_2 ......................................................... 23

Chapter 4....................................................................27
Hub-and-spoke configurations ......................................27
Overview ............................................................................ 27
Configuration overview ................................................... 27
Hub-and-spoke infrastructure requirements ............................ 28
General configuration steps............................................. 28
Configure the hub .......................................................... 30
Define the spoke VPN configurations ...................................... 30
Configuring communication between spokes (policy-based VPN) 32
Configuring communication between spokes (route-based VPN) 32
Using a zone as a concentrator.............................................. 33
Using a zone with a policy as a concentrator ........................... 33
Using firewall policies as a concentrator.................................. 34
Configure the spokes...................................................... 34
Configuring firewall policies for hub-to-spoke communication .... 35
Configuring firewall policies for spoke-to-spoke communication . 36

Basic configuration example ............................................ 37
Define the phase 1 parameters on ZXSEC US_1 ...................... 38
Define the phase 2 parameters on ZXSEC US_1 ...................... 39
Define the IPSec firewall policies on ZXSEC US_1 .................... 40
Define the VPN concentrator on ZXSEC US_1 .......................... 42
Configure Spoke_1 .............................................................. 42
Configure Spoke_2 .............................................................. 45
US Desktop in hub-and-spoke VPN example ...................... 47
Configuring ZXSEC US_1 ...................................................... 49
Define the phase 1 parameters .............................................. 50
Define the phase 2 parameters .............................................. 51
Define the IPSec firewall policies ............................................ 52
Define the VPN concentrator .................................................. 55
Configuring Spoke_1 ............................................................ 55
Configuring Spoke_2 ............................................................ 58
Configuring the US Desktop software ...................................... 61

Chapter 5....................................................................63
Dynamic DNS configurations ........................................63
Overview............................................................................. 63
Configuration overview ................................................... 63
Dynamic DNS infrastructure requirements ............................... 65
General configuration steps............................................. 65
Configure the dynamically-addressed VPN peer ................. 66
Configure the fixed-address VPN peer .............................. 68

Chapter 6....................................................................71
US Desktop dialup-client ...............................................71
Overview............................................................................. 71
Configuration overview ................................................... 71
Peer identification................................................................. 72
Automatic configuration of US Desktop dialup clients ................ 73
How the ZXSEC US unit determines which settings to apply....... 73
Using virtual IP addresses ..................................................... 74
US Desktop dialup-client infrastructure requirements................ 76
US Desktop-to-ZXSEC US VPN configuration steps ............. 76
Configure the ZXSEC US unit........................................... 77
Configuring ZXSEC US unit VPN settings ................................. 78
Configuring the ZXSEC US unit as a VPN policy server .............. 80
Configuring DHCP service on the ZXSEC US unit ...................... 81
Configure the US Desktop Host Security application ........... 83
Configuring US Desktop to work with VPN policy distribution...... 83
Configuring US Desktop manually........................................... 83

US Desktop dialup-client configuration example................. 85
Configuring ZXSEC US_1....................................................... 85
Define the phase 1 parameters.............................................. 86
Define the phase 2 parameters.............................................. 87
Define the IPSec firewall policy.............................................. 87
Configure ZXSEC US_1 to assign VIPs .................................... 88
Configuring the US Desktop Host Security application......... 89

Chapter 7....................................................................91
ZXSEC US dialup-client..................................................91
Overview ............................................................ 91
Configuration overview ................................... 91
ZXSEC US dialup-client infrastructure requirements ................. 94
ZXSEC US dialup-client configuration steps ....................... 95
Configure the dialup server to accept ZXSEC US dialup-client connections ........... 96
Configure the ZXSEC US dialup client ............................... 98

Chapter 8..................................................................101
Internet-browsing configuration.................................101
Overview ...........................................................................101
Configuration overview ................................................. 101
Creating an Internet browsing firewall policy ................... 103
Routing all remote traffic through the VPN tunnel ............ 104
Configuring a ZXSEC US remote peer to support Internet browsing ..................104
Configuring a US Desktop application to support Internet browsing ...............105

Chapter 9..................................................................107
Redundant VPN configurations ...................................107
Overview ...........................................................................107
Configuration overview ................................................. 107
Redundant infrastructure requirements .................................108
General configuration steps - route-based VPN ................ 109
Configure the VPN peers - route-based VPN .................... 109
Redundant route-based VPN configuration example.......... 111
Configuring ZXSEC US_1 .....................................................112
Configuring ZXSEC US_2..................................................... 117
General configuration steps - policy-based VPN ............... 123
Configure the VPN peers - policy-based VPN.................... 123
Policy-based redundant tunnel configuration example....... 125
Configuring ZXSEC US_1..................................................... 126
Define the phase 1 parameters ............................................ 127
Define the phase 2 parameters ............................................ 128
Define the IPSec firewall policies .......................................... 129
Configuring the ping servers ................................................ 131
Configuring ZXSEC US_2..................................................... 131

Partially redundant tunnel configuration example............. 135
Configuring ZXSEC US_1..................................................... 136
Define the phase 1 parameters ............................................ 137
Define the phase 2 parameters ............................................ 138
Define the IPSec firewall policies .......................................... 138
Configuring the ping servers ................................................ 140
Configuring ZXSEC US_2..................................................... 141

Chapter 10.............................................................145
Transparent VPN configurations.................................145
Overview........................................................................... 145
Configuration overview ................................................. 145
Transparent VPN infrastructure requirements......................... 148
Before you begin ................................................................ 149
Configure the VPN peers ............................................... 149

Chapter 11.............................................................153
Manual-key configurations..........................................153
Overview........................................................................... 153
Configuration overview ................................................. 153
Specify the manual keys for creating a tunnel ................. 154

Chapter 12.............................................................157
Auto Key phase 1 parameters.....................................157
Overview........................................................................... 157
Defining the tunnel ends............................................... 158
Choosing main mode or aggressive mode ....................... 159
Authenticating the ZXSEC US unit.................................. 159
Authenticating the ZXSEC US unit with digital certificates ........160
Authenticating the ZXSEC US unit with a pre-shared key .........161
Authenticating remote peers and clients ......................... 163
Enabling VPN access for specific certificate holders .................163
Before you begin ................................................................164
Enabling VPN access by peer identifier...................................166
Enabling VPN access using user accounts and pre-shared keys .167
Defining IKE negotiation parameters .............................. 169
Generating keys to authenticate an exchange ........................170
Defining IKE negotiation parameters .....................................171
Defining the remaining phase 1 options .......................... 172
NAT traversal .....................................................................173
NAT keepalive frequency .....................................................173
Dead peer detection ............................................................173
Using XAuth authentication ........................................... 174
Using the ZXSEC US unit as an XAUTH server ........................174
Authenticating the ZXSEC US unit as a client with XAUTH ........175

Chapter 13.............................................................177
Phase 2 parameters ....................................................177
Overview ...........................................................177
Basic phase 2 settings .................................. 177
Exchanging keys to implement security associations ........ 178
Defining the remaining tunnel creation options ................ 178
Replay detection .................................................................179
Perfect forward secrecy .......................................................179
Autokey Keep Alive .............................................................179
DHCP-IPsec........................................................................179
Quick mode identities..........................................................180
Configure the phase 2 parameters ................................. 180
Specifying the phase 2 parameters .......................................181

Chapter 14.............................................................185
Defining firewall policies.............................................185
Overview........................................................................... 185
Defining firewall addresses............................................ 185
Defining firewall policies ............................................... 186
Defining an IPSec firewall policy for a policy-based VPN .......... 187
Before you begin ................................................................ 188
Defining multiple IPSec policies for the same tunnel ............... 189
Defining firewall policies for a route-based VPN ...................... 190

Chapter 15.............................................................193
Monitoring and testing VPNs ......................................193
Overview........................................................................... 193
Monitoring VPN connections .......................................... 193
Monitoring connections to remote peers ................................ 193
Monitoring dialup IPSec connections ..................................... 194
Monitoring IKE sessions ................................................ 195
Testing VPN connections ............................................... 196
Logging VPN events ..................................................... 196
VPN troubleshooting tips............................................... 199
A word about NAT devices ................................................... 200

Tables ..........................................................................201

Figures.........................................................................203

Index ...........................................................................205
About This Manual

Purpose
This manual is the ZXSEC US IPSec VPN User Guide. It is written for
the ZXSEC US IPSec VPN system and is intended for system users and
the management personnel responsible for the system.

Intended Audience
This manual is intended for users and technicians who perform
operation activities on the ZXSEC US IPSec VPN.

What Is in This Manual


This manual contains the following chapters:

Table 1 Chapter Summary

Chapter 1, System Overview
  Introduces the overall information of the IPSec VPN system.
Chapter 2, Configuring IPSec VPNs
  Provides a brief overview of IPSec technology and includes general
  information about how to configure IPSec VPNs using this guide.
Chapter 3, Gateway-to-gateway configurations
  Explains how to set up a basic gateway-to-gateway (site-to-site) IPSec VPN.
Chapter 4, Hub-and-spoke configurations
  Describes how to set up hub-and-spoke IPSec VPNs consisting of VPN peers
  and/or US Desktop dialup clients.
Chapter 5, Dynamic DNS configurations
  Describes how to configure a site-to-site VPN, in which one ZXSEC US unit
  has a static IP address and the other ZXSEC US unit has a static domain
  name and a dynamic IP address.
Chapter 6, US Desktop dialup-client configurations
  The US Desktop Host Security application is a VPN client with antivirus,
  antispam and firewall capabilities. This chapter explains how to configure
  dialup VPN connections between a ZXSEC US unit and one or more US Desktop
  Host Security applications.
Chapter 7, ZXSEC US dialup-client configuration
  Explains how to set up a ZXSEC US dialup-client IPSec VPN. In a ZXSEC US
  dialup-client configuration, a ZXSEC US unit with a static IP address acts
  as a dialup server and a ZXSEC US unit having a dynamic IP address
  initiates a VPN tunnel with the ZXSEC US dialup server.
Chapter 8, Internet-browsing configuration
  Explains how to support secure web browsing performed by dialup VPN
  clients, and/or hosts behind a remote VPN peer. Remote users can access
  the private network behind the local ZXSEC US unit and browse the Internet
  securely. All traffic generated remotely is subject to the firewall policy
  that controls traffic on the private network behind the local ZXSEC US
  unit.
Chapter 9, Redundant VPN configurations
  Discusses the options for supporting redundant and partially redundant
  IPSec VPNs. Both policy-based and route-based approaches are shown.
Chapter 10, Transparent VPN configurations
  Describes transparent VPN configurations, in which two ZXSEC US units
  create a VPN tunnel between two separate private networks transparently.
Chapter 11, Manual-key configurations
  Explains how to manually define cryptographic keys to establish an IPSec
  VPN, either policy-based or route-based.
Chapter 12, Auto Key phase 1 parameters
  Provides detailed step-by-step procedures for configuring a ZXSEC US unit
  to accept a connection from a remote peer or dialup client. The phase 1
  parameters identify the remote peer or clients and support authentication
  through preshared keys or digital certificates. You can increase access
  security further using peer identifiers, certificate distinguished names,
  group names, or the ZXSEC US extended authentication (XAuth) option for
  authentication purposes.
Chapter 13, Phase 2 parameters
  Describes the phase 2 parameters that are required to establish
  communication through a VPN.
Chapter 14, Defining firewall policies
  Explains how to specify the source and destination IP addresses of traffic
  transmitted through an IPSec VPN, and how to define appropriate firewall
  policies.
Chapter 15, Monitoring and testing VPNs
  Provides some general maintenance and monitoring procedures for VPNs.

Confidential and Proprietary Information of ZTE CORPORATION i

Conventions

Typographical Conventions
ZTE documents employ the following typographical conventions.

Table 2 Typographical Conventions

Typeface        Meaning
Italics         References to other manuals and documents.
“Quotes”        Links on screens.
Bold            Menus, menu options, function names, input fields, radio
                button names, check boxes, drop-down lists, dialog box names,
                window names.
CAPS            Keys on the keyboard and buttons on screens, and company name.
Constant width  Text that you type, program code, file and directory names,
                and function names.
[ ]             Optional parameters.
{ }             Mandatory parameters.
|               Select one of the parameters that are delimited by it.
Note:           Provides additional information about a certain topic.

Mouse Operation Conventions

Table 3 Mouse Operation Conventions

Operation     Meaning
Click         Refers to clicking the primary mouse button (usually the left
              mouse button) once.
Double-click  Refers to quickly clicking the primary mouse button (usually
              the left mouse button) twice.
Right-click   Refers to clicking the secondary mouse button (usually the
              right mouse button) once.
Drag          Refers to pressing and holding a mouse button and moving the
              mouse.



How to Get in Touch

The following sections provide information on how to obtain
support for the documentation and the software.

Customer Support
If you have problems, questions, comments, or suggestions
regarding your product, contact us by e-mail at
support@zte.com.cn. You can also call our customer support
center at (86) 755 26771900 and (86) 800-9830-9830.

Documentation Support
ZTE welcomes your comments and suggestions on the quality
and usefulness of this document. For further questions,
comments, or suggestions on the documentation, you can
contact us by e-mail at doc@zte.com.cn; or you can fax your
comments and suggestions to (86) 755 26772236. You can also
browse our website at http://support.zte.com.cn, which contains
various interesting subjects like documentation, knowledge base,
forum and service request.



Chapter 1

System Overview

Overview
This chapter introduces you to ZXSEC US VPNs and the following
topics:
• About ZXSEC US IPSec VPNs
• About this document
• ZTE documentation
• Customer service and technical support

About ZXSEC US IPSec VPNs
A virtual private network (VPN) is a way to use a public network,
such as the Internet, to provide remote offices or individual
users with secure access to private networks. For example, a
company that has two offices in different cities, each with its
own private network, can use a VPN to create a secure tunnel
between the offices. Similarly, telecommuters can use VPN
clients to access private data resources securely from a remote
location.
With the ZXSEC US unit’s built-in VPN capabilities, small home
offices, medium-sized businesses, enterprises, and service
providers can ensure the confidentiality and integrity of data
transmitted over the Internet. The ZXSEC US unit provides
enhanced authentication, strong encryption, and restricted
access to company network resources and services.
ZXSEC US units support Internet Protocol Security (IPSec), a
framework for the secure exchange of packets at the IP layer, to
authenticate and encrypt traffic. ZXSEC US units implement the
Encapsulating Security Payload (ESP) protocol in tunnel mode.




The encrypted packets look like ordinary packets that can be
routed through any IP network. Internet Key Exchange (IKE) is
performed automatically based on preshared keys or X.509
digital certificates. As an option, you can specify manual keys.
Because ZXSEC US units support industry standard IPSec VPN
technologies, you can configure an IPSec VPN between a ZXSEC
US unit and most third-party IPSec VPN devices. For more
information about ZXSEC US VPN interoperability, contact ZTE™
Technical Support.
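The two statements above, that the unit uses ESP in tunnel mode and that the resulting packets route like any other IP packet, are easiest to understand from the bytes on the wire. The following Python script is an added illustration written for this edition; it is not ZXSEC US code and does not come from the original guide. It lays out an outer IPv4 header and the ESP header and integrity check value (ICV) as RFC 4303 defines them, using HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm, then parses the packet back the way an on-path router or sniffer would and verifies the ICV the way the receiving gateway would. The encrypted payload is supplied as an opaque constructed byte string standing in for the output of the negotiated cipher (the cipher itself is not implemented); the key, SPI, sequence number and addresses are constructed sample values.

```python
"""ESP tunnel-mode framing: what the gateway emits and what the path sees.

Added illustration, not ZXSEC US code. Builds the outer IPv4 header and
the ESP header/ICV per RFC 4303, using HMAC-SHA-256-128 (RFC 4868) for the
ICV. The encrypted payload is an opaque stand-in for the cipher output.
"""
import hashlib
import hmac
import socket
import struct

ESP_PROTOCOL = 50            # IP protocol number in the outer IPv4 header
ICV_LEN = 16                 # HMAC-SHA-256 truncated to 128 bits
IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; evaluates to 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int) -> bytes:
    """Outer header: version/IHL 0x45, DF set, TTL 64, checksum filled in."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def esp_encapsulate(spi: int, seq: int, ciphertext: bytes, auth_key: bytes,
                    outer_src: str, outer_dst: str) -> bytes:
    """Tunnel mode: outer IP | SPI | Seq | ciphertext | ICV.

    The ciphertext hides the entire inner IP packet plus the ESP trailer
    (padding, pad length, next header = 4 for IPv4), so inner addresses and
    ports are never visible. The ICV covers the ESP header and ciphertext
    only, never the outer IP header, which routers and NAT may rewrite.
    """
    esp_header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_header + ciphertext + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTOCOL, len(esp)) + esp


def esp_observe(packet: bytes) -> dict:
    """Everything a router or sniffer between the two gateways can read."""
    ver_ihl, _, total_len, _, _, ttl, protocol, _, src, dst = struct.unpack(
        IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    if protocol != ESP_PROTOCOL:
        raise ValueError("not ESP (protocol %d)" % protocol)
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return {
        "outer_src": socket.inet_ntoa(src),
        "outer_dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "protocol": protocol,
        "spi": spi,
        "seq": seq,
        "opaque_bytes": total_len - ihl - 8,   # ciphertext + ICV, no structure visible
    }


def esp_verify(packet: bytes, auth_key: bytes):
    """Receiver side: check the ICV before touching the payload.

    Returns (spi, seq, ciphertext) on success, None on mismatch; a gateway
    drops such packets and logs the failure rather than decrypting them.
    """
    ihl = (packet[0] & 0x0F) * 4
    esp = packet[ihl:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]


# Constructed sample values; not taken from any real tunnel.
AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SPI, SEQ = 0x0000ABCD, 7
CIPHERTEXT = bytes(range(0x40, 0x80))   # 64 opaque bytes standing in for cipher output
SAMPLE_PACKET = esp_encapsulate(SPI, SEQ, CIPHERTEXT, AUTH_KEY,
                                "203.0.113.1", "198.51.100.1")

if __name__ == "__main__":
    print("on-path view:", esp_observe(SAMPLE_PACKET))
    print("receiver ICV ok:", esp_verify(SAMPLE_PACKET, AUTH_KEY) is not None)
```

Run the script directly to print the on-path view. Note what is and is not visible: the outer addresses, protocol number 50, the SPI and the sequence number are in the clear (the SPI is how a receiver, or a sniffer, tells tunnels apart), while the inner addresses, ports and next-header byte sit inside the ciphertext. The ICV deliberately excludes the outer IP header, so a NAT that only rewrites addresses does not break integrity; what a port-translating NAT lacks is any port field in ESP to work with, which is the case the NAT traversal option listed under Chapter 12 exists for.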

Using the web-based manager and CLI to configure IPSec VPNs
The ZXSEC US unit provides two user interfaces to configure
operating parameters: the web-based manager, and the CLI.
In the web-based manager, IPSec VPN operating parameters are located
on the following tabs:
• VPN > IPSEC > Auto Key
• VPN > IPSEC > Manual Key
• VPN > IPSEC > Concentrator
• VPN > Certificates
In the CLI, the following commands are available to configure
comparable VPN settings:
• config vpn ipsec phase1
• config vpn ipsec phase1-interface
• config vpn ipsec phase2
• config vpn ipsec phase2-interface
• config vpn ipsec manualkey
• config vpn ipsec manualkey-interface
• config vpn ipsec concentrator
• config vpn ipsec US Desktop
• execute vpn certificate
For detailed information about these CLI commands, refer to the
“vpn” and “execute” chapters of the ZXSEC US CLI Reference.




About this document
This document explains how to configure VPNs using the web-
based manager. To define comparable parameters through
the CLI, see the ZXSEC US CLI Reference.
This document contains the following chapters:
• Configuring IPSec VPNs provides a brief overview of IPSec
  technology and includes general information about how to
  configure IPSec VPNs using this guide.
• Gateway-to-gateway configurations explains how to set up
  a basic gateway-to-gateway (site-to-site) IPSec VPN. In a
  gateway-to-gateway configuration, two ZXSEC US units
  create a VPN tunnel between two separate private
  networks.
• Hub-and-spoke configurations describes how to set up
  hub-and-spoke IPSec VPNs consisting of VPN peers and/or
  US Desktop™ dialup clients. In a hub-and-spoke
  configuration, connections to a number of remote peers
  and/or clients radiate from a single, central ZXSEC US hub.
• Dynamic DNS configurations describes how to configure a
  site-to-site VPN, in which one ZXSEC US unit has a static
  IP address and the other ZXSEC US unit has a static
  domain name and a dynamic IP address.
• US Desktop dialup-client configurations guides you
  through configuring a US Desktop dialup-client IPSec VPN.
  In a US Desktop dialup-client configuration, the ZXSEC US
  unit acts as a dialup server and VPN client functionality is
  provided by the US Desktop Host Security application
  installed on a remote host.
• ZXSEC US dialup-client configurations explains how to set
  up a ZXSEC US dialup-client IPSec VPN. In a ZXSEC US
  dialup-client configuration, a ZXSEC US unit with a static
  IP address acts as a dialup server and a ZXSEC US unit
  having a dynamic IP address initiates a VPN tunnel with
  the ZXSEC US dialup server.
• Internet-browsing configuration explains how to support
  secure web browsing performed by dialup VPN clients,
  and/or hosts behind a remote VPN peer. Remote users can
  access the private network behind the local ZXSEC US unit
  and browse the Internet securely. All traffic generated
  remotely is subject to the firewall policy that controls
  traffic on the private network behind the local ZXSEC US
  unit.
• Redundant VPN configurations discusses the options for
  supporting redundant and partially redundant tunnels in an
  IPSec VPN configuration. A ZXSEC US unit can be
  configured to support redundant tunnels to the same
  remote peer if the ZXSEC US unit has more than one
  interface to the Internet.

• Transparent VPN configurations describes transparent VPN
configurations, in which two ZXSEC US units create a VPN
tunnel between two separate private networks
transparently. In Transparent mode, all interfaces of the
ZXSEC US unit except the management interface are
invisible at the network layer.
• Manual-key configurations explains how to manually define
cryptographic keys to establish an IPSec VPN tunnel. If
one VPN peer uses specific authentication and encryption
keys to establish a tunnel, both VPN peers must be
configured to use the same encryption and authentication
algorithms and keys.
• Auto Key phase 1 parameters provides detailed step-by-step
procedures for configuring a ZXSEC US unit to accept
a connection from a remote peer or dialup client. The basic
phase 1 parameters identify the remote peer or clients and
support authentication through preshared keys or digital
certificates. You can increase VPN connection security
further using peer identifiers, certificate distinguished
names, group names, or the ZXSEC US extended
authentication (XAuth) option for authentication purposes.
• Phase 2 parameters provides detailed step-by-step
procedures for configuring an IPSec VPN tunnel. During
phase 2, the specific IPSec security associations needed to
implement security services are selected and a tunnel is
established.
• Defining firewall policies explains how to specify the source
and destination IP addresses of traffic transmitted through
an IPSec VPN tunnel, and how to define a firewall
encryption policy. Firewall policies control all IP traffic
passing between a source address and a destination
address.
• Monitoring and testing VPNs provides some general
monitoring and testing procedures for VPNs.

Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both
private and public IP addresses.
• Notes and Cautions are used to provide important
information:

Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have
unexpected or undesirable results including loss of data or damage to
equipment.

Typographic conventions
ZXSEC US documentation uses the following typographical
conventions:

TABLE 4 TYPOGRAPHICAL CONVENTIONS

Convention          Example
------------------  ------------------------------------------------------------
Keyboard input      In the Gateway Name field, type a name for the remote VPN
                    peer or client (for example, Central_Office_1).
Code examples       config vpn ipsec phase2
                        edit US1toDialupClients
                            set single-source enable
                    end
CLI command syntax  config vpn ipsec phase2
                        edit <tunnel_name>
                            set single-source enable
                    end
Document names      ZXSEC US Administration Guide
File content        <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                    <BODY><H4>You must authenticate to use this
                    service.</H4>
Menu commands       Go to VPN > IPSEC > Auto Key and select Create Phase 1.
Program output      Initiator: tunnel 172.16.20.143, transform=ESP_3DES, HMAC_SHA1
Variables           <tunnel_name>



Chapter 2

Configuring IPSec VPNs

Overview
This section provides a brief overview of IPSec technology and
includes general information about how to configure IPSec
VPNs using this guide.
The following topics are included in this section:

• IPSec VPN overview
• Planning your VPN
• General preparation steps
• How to use this guide to configure an IPSec VPN

IPSec VPN overview
IPSec can be used to tunnel network-layer (layer 3) traffic
between two VPN peers (or a VPN server and its client). When
an IPSec VPN tunnel is established between a ZXSEC US unit
and a remote VPN peer or client, packets are transmitted using
ESP security in tunnel mode.
Cleartext packets that originate from behind the ZXSEC US
unit are protected as follows:
• The original IP packet is carried, unaltered, as the payload
of a new ESP packet; these ESP packets form the secure
tunnel.
• The outer IP header of the new packet refers to the end
points of the VPN tunnel, not to the original source and
destination hosts, so the protected addresses are not
visible on the public network.
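The encapsulation described above, as an added example that is not part of this guide or of ZTE's software: a minimal ESP tunnel-mode encapsulation and decapsulation in Python, standard library only. It uses NULL encryption with HMAC-SHA1-96 integrity so that the framing (outer header, SPI, sequence number, padding, trailer, ICV) can be inspected; a real tunnel encrypts the payload with the negotiated cipher before the ICV is computed. The tunnel endpoint and private network addresses are those of the gateway-to-gateway example later in this guide (Figure 4); the SPI, sequence number, authentication key and payload bytes are constructed.

```python
"""Added example: ESP tunnel-mode framing (RFC 4303) with NULL encryption and
HMAC-SHA1-96 integrity (RFC 2404). Not ZTE code; addresses follow Figure 4."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_ESP = 50      # outer IP header protocol number for ESP
PROTO_IPV4 = 4      # ESP "next header": the payload is a whole IPv4 packet (tunnel mode)
ICV_LEN = 12        # HMAC-SHA1-96 keeps the first 96 bits of the 160-bit digest

AUTH_KEY = b"constructed-example-auth-key"   # constructed; a real key comes from IKE phase 2
SPI = 0x00001000                             # constructed SPI


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


def esp_encapsulate(inner_packet, spi, seq, auth_key, tunnel_src, tunnel_dst):
    """Wrap an unaltered inner IP packet in ESP and address the outer header to the
    tunnel endpoints. Layout: SPI | seq | payload | padding | pad len | next hdr | ICV."""
    pad_len = (-(len(inner_packet) + 2)) % 4          # trailer must end 4-byte aligned
    padding = bytes(range(1, pad_len + 1))            # default monotonic padding bytes
    body = (struct.pack("!II", spi, seq) + inner_packet + padding
            + struct.pack("!BB", pad_len, PROTO_IPV4))
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    esp = body + icv
    return ipv4_header(tunnel_src, tunnel_dst, PROTO_ESP, len(esp)) + esp


def esp_decapsulate(packet, auth_key, expected_spi, last_seq):
    """Verify the ICV before touching anything else, then the SPI and a simplified
    anti-replay rule (sequence must increase). Returns (inner_packet, seq) or raises
    ValueError so the caller drops the packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_ESP:
        raise ValueError("not an ESP packet")
    body, icv = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified in transit or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != expected_spi:
        raise ValueError("unknown SPI")
    if seq <= last_seq:
        raise ValueError("replayed or out-of-order sequence number")
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != PROTO_IPV4:
        raise ValueError("unexpected next header")
    return body[8:len(body) - 2 - pad_len], seq


def demo():
    """Constructed exchange: 192.168.12.10 (behind ZXSEC US_1) sends to 192.168.22.20
    (behind ZXSEC US_2) through the 172.16.20.1 -> 172.16.30.1 tunnel of Figure 4.
    The 8 payload bytes are a placeholder, not a real UDP datagram."""
    inner = ipv4_header("192.168.12.10", "192.168.22.20", 17, 8) + b"UDP-data"
    outer = esp_encapsulate(inner, SPI, 1, AUTH_KEY, "172.16.20.1", "172.16.30.1")
    recovered, seq = esp_decapsulate(outer, AUTH_KEY, SPI, last_seq=0)
    return inner, outer, recovered, seq


if __name__ == "__main__":
    inner, outer, recovered, seq = demo()
    print("outer proto", outer[9], "src", ipaddress.IPv4Address(outer[12:16]),
          "dst", ipaddress.IPv4Address(outer[16:20]))
    print("inner packet unaltered:", recovered == inner, "seq", seq)
```

The receiving side checks the ICV first and rejects on mismatch, which is why a modified packet or a peer with the wrong key is dropped before its contents are looked at; the sequence check is the hook where a real implementation keeps a replay window.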

When a ZXSEC US unit receives a connection request from a
remote peer, it uses phase 1 parameters to establish a secure
connection and authenticate the VPN peer. Then, if the firewall
policy permits the connection, the ZXSEC US unit establishes
the VPN tunnel using phase 2 parameters and applies the
IPSec firewall policy. Key management, authentication, and
security services are negotiated dynamically through the IKE
protocol.

Planning your VPN
To save time later and be ready to configure a VPN correctly, it
is a good idea to plan the VPN configuration ahead of time. All
VPN configurations comprise a number of required and
optional parameters. Before you begin, you have to determine:
• where the IP traffic originates, and where it needs to be
delivered
• which hosts, servers, or networks to include in the VPN
• which VPN devices to include in the configuration
• through which interfaces the VPN devices will communicate
with each other
• through which interfaces private networks will have access
to the VPN gateways
Once you have this information, you can select a VPN topology
that meets the requirements of your situation (refer to
“Network topologies”).

Network topologies
The topology of your network will determine how remote peers
and clients connect
to the VPN and how VPN traffic is routed. You can read about
various network topologies and find the high-level procedures
needed to configure IPSec VPNs in one of these sections:
1. Gateway-to-gateway configurations
2. Hub-and-spoke configurations
3. Dynamic DNS configurations
4. US Desktop dialup-client configurations
5. ZXSEC US dialup-client configurations
6. Internet-browsing configuration
7. Redundant VPN configurations
8. Transparent VPN configurations
9. Manual-key configurations

These sections contain high-level configuration guidelines with
cross-references to detailed configuration procedures. If you
need more detail to complete a step, select the cross-reference
in the step to drill down to more detail. Return to
the original procedure to complete the procedure. For a
general overview of how to configure a VPN, refer to “General
preparation steps” below.

Choosing policy-based or route-based VPNs

TABLE 5 COMPARISON OF POLICY-BASED AND ROUTE-BASED VPNS

Policy-based                                   Route-based
---------------------------------------------  ---------------------------------------------
Available in NAT/Route or Transparent mode.    Available only in NAT/Route mode.
Requires a firewall policy with IPSEC action   Requires only a simple firewall policy with
that specifies the VPN tunnel. One policy      ACCEPT action. A separate policy is required
controls connections in both directions.       for connections in each direction.

You select whether a VPN is policy-based or route-based when
you define its phase 1 parameters. IPSec Interface Mode is an
advanced phase 1 option, enabled by default.
When you select Interface Mode in a phase 1 configuration, you
create a virtual IPSec interface as a subinterface of a local ZXSEC
US interface. You can view these virtual IPSec interfaces on the
System > Network > Interface page, displayed under their
associated physical interface names in the Name column.
You can also associate an IPSec interface with an aggregate or
VLAN interface. For more information about the Interface page,
see the System Network chapter of the ZXSEC US Administration
Guide.
You create a route-based VPN by defining a firewall policy to
permit traffic to flow between a virtual IPSec interface and
another interface.
You create a policy-based VPN by defining an IPSec firewall policy
between two interfaces associated with a VPN tunnel that is not
in interface mode.

General preparation steps
A VPN configuration defines relationships between the VPN
devices and the private hosts, servers, or networks making up
the VPN. Configuring a VPN involves gathering and recording
the following information. You will need this information to
configure the VPN.
• Identify the private IP address(es) of traffic generated by
participating hosts, servers, and/or networks. These IP
addresses represent the source addresses of traffic that is
permitted to pass through the VPN. An IP source address can
be an individual IP address, an address range, or a subnet
address.
• Identify the public IP addresses of the VPN end-point
interfaces. The VPN devices establish tunnels with each
other through these interfaces.
• Identify the private IP address(es) associated with the
VPN-device interfaces to the private networks. Computers
on the private network(s) behind the VPN gateways will
connect to their VPN gateways through these interfaces.

How to use this guide to configure an IPSec VPN
This guide uses a task-based approach to provide all of the
procedures needed to create different types of VPN
configurations. Follow the step-by-step configuration
procedures in this guide to set up the VPN.
The following configuration procedures are common to all
IPSec VPNs:
1. Define the phase 1 parameters that the ZXSEC US unit
needs to authenticate remote peers or clients and establish
a secure connection. See “Auto Key phase 1 parameters”.
2. Define the phase 2 parameters that the ZXSEC US unit
needs to create a VPN tunnel with a remote peer or dialup
client. See “Phase 2 parameters”.
3. Specify the source and destination addresses of IP packets
that are to be transported through the VPN tunnel. See
“Defining firewall addresses”.
4. Create an IPSec firewall policy to define the scope of
permitted services between the IP source and destination
addresses. See “Defining firewall policies”.

Note: The steps given above assume that you will
perform Steps 1 and 2 to have the ZXSEC US unit generate
unique IPSec encryption and authentication keys automatically.
In situations where a remote VPN peer or client requires a
specific IPSec encryption and/or authentication key, you must
configure the ZXSEC US unit to use manual keys instead of
performing Steps 1 and 2. For more information, see
“Manual-key configurations”.



Chapter 3

Gateway-to-gateway
configurations

Overview
This section explains how to set up a basic gateway-to-
gateway (site-to-site) IPSec VPN.
The following topics are included in this section:
• Configuration overview
• General configuration steps
• Configure the VPN peers
• Configuration example

Configuration overview
In a gateway-to-gateway configuration, two ZXSEC US units
create a VPN tunnel between two separate private networks.
All traffic between the two networks is encrypted and
protected by ZXSEC US firewall policies.

FIGURE 1 EXAMPLE GATEWAY-TO-GATEWAY CONFIGURATION

Note: In some cases, computers on the private network
behind one VPN peer may (by coincidence) have IP addresses
that are already used by computers on the network behind the
other VPN peer. In this type of situation (ambiguous routing),
conflicts may occur in one or both of the ZXSEC US routing
tables and traffic destined for the remote network through the
tunnel may not be sent.
In other cases, computers on the private network behind one
VPN peer may obtain IP addresses from a local DHCP server.
However, unless the local and remote networks use different
private network address spaces, unintended ambiguous
routing and/or IP-address overlap issues may arise. For a
discussion of the related issues, see “ZXSEC US dialup client
configurations”.
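A pre-flight check for the overlap problem this note describes, as an added example that is not part of the guide or of ZTE's software: given the private prefixes behind each site, it reports every pair of prefixes at different sites that overlap, which is exactly the case the gateways cannot route unambiguously. Python standard library only. Both plans are constructed: the first uses the Figure 4 addresses, the second shows two sites whose DHCP servers both default to 192.168.1.0/24 and a branch prefix nested inside a head-office prefix.

```python
"""Added example: detect overlapping private address space between VPN sites
before the tunnel is built. Not ZTE code; plans below are constructed."""
import ipaddress
from itertools import combinations


def find_overlaps(sites):
    """sites maps a site name to the list of prefixes behind it. Returns one tuple
    (site_a, prefix_a, site_b, prefix_b) per pair of prefixes at different sites that
    overlap (identical, nested, or otherwise intersecting)."""
    parsed = {name: [ipaddress.ip_network(p, strict=False) for p in prefixes]
              for name, prefixes in sites.items()}
    found = []
    for (a, nets_a), (b, nets_b) in combinations(parsed.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.version == nb.version and na.overlaps(nb):
                    found.append((a, str(na), b, str(nb)))
    return found


def plan_is_routable(sites):
    """True when no two sites share address space."""
    return not find_overlaps(sites)


# Constructed plan matching the Figure 4 example: distinct /24s, no conflict.
FIGURE_4_PLAN = {
    "ZXSEC US_1": ["192.168.12.0/24"],
    "ZXSEC US_2": ["192.168.22.0/24"],
}

# Constructed plan with the failure modes the note describes: two sites whose local
# DHCP servers both hand out 192.168.1.0/24, and a branch /24 that sits inside a
# head-office /16, so the head office can never tell branch traffic from its own.
CONFLICTING_PLAN = {
    "ZXSEC US_1": ["192.168.1.0/24", "10.10.0.0/16"],
    "ZXSEC US_2": ["192.168.1.0/24"],
    "Branch_3": ["10.10.5.0/24"],
}

if __name__ == "__main__":
    for label, plan in (("figure 4", FIGURE_4_PLAN), ("conflicting", CONFLICTING_PLAN)):
        print(label, "routable:", plan_is_routable(plan))
        for a, na, b, nb in find_overlaps(plan):
            print(f"  {a} {na} overlaps {b} {nb}")
```

Run it against the address plan before configuring phase 2 selectors and firewall addresses; any reported pair has to be renumbered (or NAT'd) at one side, because no ordering of routes or policies fixes it.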
You can set up a fully meshed or partially meshed configuration
(refer to Figure 2 and Figure 3).

FIGURE 2 FULLY MESHED CONFIGURATION

In a fully meshed network, all VPN peers are connected to
each other, with one hop between peers. This topology is the
most fault-tolerant: if one peer goes down, the rest of the
network is not affected. This topology is difficult to scale
because it requires connections between all peers. In addition,
unnecessary communication can occur between peers. We
recommend a hub-and-spoke configuration instead (see
“Hub-and-spoke configurations”).

FIGURE 3 PARTIALLY MESHED CONFIGURATION

A partially meshed network is similar to a fully meshed
network, but instead of having tunnels between all peers,
tunnels are only configured between peers that communicate
with each other regularly.

Gateway-to-gateway infrastructure
requirements
• The ZXSEC US units at both ends of the tunnel must be
operating in NAT/Route mode and have static public IP
addresses.

General configuration steps
When a ZXSEC US unit receives a connection request from a
remote VPN peer, it uses IPSec phase 1 parameters to
establish a secure connection and authenticate the VPN peer.
Then, if the firewall policy permits the connection, the ZXSEC
US unit establishes the tunnel using IPSec phase 2 parameters
and applies the IPSec firewall policy. Key management,
authentication, and security services are negotiated
dynamically through the IKE protocol.
To support these functions, the following general configuration
steps must be performed at both ZXSEC US units:
• Define the phase 1 parameters that the ZXSEC US unit
needs to authenticate the remote peer and establish a
secure connection.
• Define the phase 2 parameters that the ZXSEC US unit
needs to create a VPN tunnel with the remote peer.
• Create firewall policies to control the permitted services
and permitted direction of traffic between the IP source
and destination addresses.
For more information, refer to “Configure the VPN peers”
below.

Configure the VPN peers
Configure the VPN peers as follows:
1. At the local ZXSEC US unit, define the phase 1
configuration needed to establish a secure connection with
the remote peer. Refer to “Auto Key phase 1 parameters”.
Enter these settings in particular:
Name
Enter a name to identify the VPN tunnel. This name appears in
phase 2 configurations, firewall policies and the VPN monitor.
Remote Gateway
Select Static IP Address.
IP Address
Type the IP address of the remote peer public interface.
Local Interface
Select the ZXSEC US unit’s public interface.
Enable IPSec Interface Mode
You must select Advanced to see this setting. If IPSec
Interface Mode is enabled, the ZXSEC US unit creates a
virtual IPSec interface for a route-based VPN. Disable this
option if you want to create a policy-based VPN. For more
information, refer to “Choosing policy-based or route-based
VPNs”. After you select OK to create the phase 1 configuration,
you cannot change this setting.
2. Define the phase 2 parameters needed to create a VPN
tunnel with the remote peer. Refer to “Phase 2 parameters”.
Enter these settings in particular:
Name
Enter a name to identify this phase 2 configuration.
Phase 1
Select the name of the phase 1 configuration that you
defined.
3. Define names for the addresses or address ranges of the
private networks that the VPN links. These addresses are
used in the firewall policies that permit communication
between the networks. For more information, refer to
“Defining firewall addresses”.
Enter these settings in particular:
• Define an address name for the IP address and
netmask of the private network behind the local ZXSEC
US unit.
• Define an address name for the IP address and netmask
of the private network behind the remote peer.

4. Define firewall policies to permit communication between the
private networks through the VPN tunnel. Route-based and
policy-based VPNs require different firewall policies. For
detailed information about creating firewall policies, refer to
“Defining firewall policies”.
Policy-based VPN firewall policy
Define an IPSec firewall policy to permit communications
between the source and destination addresses. Enter these
settings in particular:
Source Interface/Zone
Select the interface that connects to the private network
behind this ZXSEC US unit.
Source Address Name
Select the address name that you defined in Step 3 for the
private network behind this ZXSEC US unit.
Destination Interface/Zone
Select the ZXSEC US unit’s public interface.
Destination Address Name
Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Action
Select IPSEC.
VPN Tunnel
Select the name of the phase 1 configuration that you created
in Step 1.
Select Allow inbound to enable traffic from the remote
network to initiate the tunnel.
Select Allow outbound to enable traffic from the local network
to initiate the tunnel.
Route-based VPN firewall policies
Define an ACCEPT firewall policy to permit communications
between the source and destination addresses. Enter these
settings in particular:

Source Interface/Zone
Select the interface that connects to the private network
behind this ZXSEC US unit.
Source Address Name
Select the address name that you defined in Step 3 for the
private network behind this ZXSEC US unit.
Destination Interface/Zone
Select the VPN Tunnel (IPSec Interface) you configured in Step
1.
Destination Address Name
Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Action
Select ACCEPT.
NAT
Disable.
To permit the remote network to initiate communication, you
need to define a firewall policy for communication in that
direction. Enter these settings in particular:
Source Interface/Zone
Select the VPN Tunnel (IPSec Interface) you configured in Step
1.
Source Address Name
Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Destination Interface/Zone
Select the interface that connects to the private network
behind this ZXSEC US unit.
Destination Address Name
Select the address name that you defined in Step 3 for the
private network behind this ZXSEC US unit.
Action
Select ACCEPT.
NAT
Disable.
5. Place VPN policies in the policy list above any other policies
having similar source and destination addresses. Policies are
matched from the top of the list, so if a more general policy
matches first, the VPN policy is never applied and the traffic is
forwarded by that general policy instead.
6. Repeat this procedure at the remote ZXSEC US unit.
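The ordering rule in step 5, as an added example that is not part of the guide or of the ZXSEC US software: a first-match shadowing check over a constructed policy list, plus the reorder that step 5 asks for. It assumes policies are evaluated top-down with the first match winning, that each address name has already been resolved to an IPv4 prefix (an "all" address is 0.0.0.0/0), and that a service of ANY covers every other service; the interface and address names follow the Figure 4 example.

```python
"""Added example: find policy-based VPN policies that an earlier, broader policy
shadows, and reorder so that IPSEC policies come first. Not ZTE code; IPv4 only."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    src: str          # address name already resolved to a prefix; "all" = 0.0.0.0/0
    dst: str
    action: str       # "IPSEC", "ACCEPT" or "DENY"
    service: str = "ANY"


def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec.lower() == "all" else spec, strict=False)


def covers(earlier, later):
    """True if every packet that matches `later` would already have matched `earlier`:
    same interface pair, and earlier's source, destination and service are supersets."""
    return (earlier.src_intf == later.src_intf
            and earlier.dst_intf == later.dst_intf
            and _net(later.src).subnet_of(_net(earlier.src))
            and _net(later.dst).subnet_of(_net(earlier.dst))
            and earlier.service in ("ANY", later.service))


def shadowed_policies(policies):
    """Walk the list in evaluation order and return (policy, shadowing policy) name
    pairs for every policy that an earlier one fully covers; such a policy is never
    reached. Only the first shadower of each policy is reported."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def vpn_policies_first(policies):
    """Stable reorder that moves IPSEC-action policies above the rest, as step 5 asks."""
    vpn = [p for p in policies if p.action == "IPSEC"]
    rest = [p for p in policies if p.action != "IPSEC"]
    return vpn + rest


# Constructed list in the order an administrator might have created it: a general
# Port 1 -> Port 2 Internet policy first, and the Figure 4 VPN policy below it. With
# this order Finance-to-HR traffic hits the ACCEPT policy and leaves in the clear.
AS_CREATED = [
    Policy("internet_out", "Port 1", "Port 2", "all", "all", "ACCEPT"),
    Policy("vpn_to_HR", "Port 1", "Port 2", "192.168.12.0/24", "192.168.22.0/24", "IPSEC"),
]

if __name__ == "__main__":
    print("as created:", shadowed_policies(AS_CREATED))
    print("reordered: ", shadowed_policies(vpn_policies_first(AS_CREATED)))
```

The check is deliberately strict about the interface pair: a policy on a different pair can never shadow, and a partial overlap (the earlier policy covers only some of the VPN's addresses) is not reported here although it still leaks that part of the traffic, so treat any overlap the check does not flag as something to review by hand.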

Configuration example
The following example demonstrates how to set up a basic
gateway-to-gateway IPSec VPN that uses preshared keys to
authenticate the two VPN peers.

FIGURE 4 EXAMPLE GATEWAY-TO-GATEWAY CONFIGURATION

In this example, the network devices are assigned IP addresses
as shown in Figure 4.

Define the phase 1 parameters on ZXSEC US_1
The phase 1 configuration defines the parameters that ZXSEC
US_1 will use to authenticate ZXSEC US_2 and establish a
secure connection. For the purposes of this example, a preshared
key will be used to authenticate ZXSEC US_2. The same
preshared key must be specified at both ZXSEC US units.
Before you define the phase 1 parameters, you need to:
• Reserve a name for the remote gateway.
• Obtain the IP address of the public interface of the
remote peer.
• Reserve a unique value for the preshared key.
The key must contain at least 6 printable characters and should
be known only to network administrators. For optimum
protection against currently known attacks, the key should
consist of a minimum of 16 randomly chosen alphanumeric
characters. Generate it with a random generator rather than
choosing a word or phrase: with preshared-key authentication,
anyone who knows the key can authenticate as a peer.
To define the phase 1 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information, and
select OK:
Name
Type a name to identify the VPN tunnel (for example,
US1toUS2_Tunnel).
Remote Gateway
Static IP Address
IP Address
172.16.30.1
Local Interface
Port 2
Mode
Main
Authentication Method
Preshared Key
Pre-shared Key
Enter the preshared key.
Peer Options
Accept any peer ID
Advanced
Enable IPSec Interface Mode
Enable to create a route-based VPN. Disable to create a
policy-based VPN. This example shows both policy-based and
route-based VPNs.

Define the phase 2 parameters on ZXSEC US_1
The basic phase 2 settings associate IPSec phase 2 parameters
with the phase 1 configuration and specify the remote end point
of the VPN tunnel. Before you define the phase 2 parameters,
you need to reserve a name for the tunnel.
To define the phase 2 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2, enter the following information and
select OK:
Name
Enter a name for the phase 2 configuration (for example,
US1toUS2_phase2).
Phase 1
Select the Phase 1 configuration that you defined previously
(for example, US1toUS2_Tunnel).

Define the firewall policy on ZXSEC US_1
Firewall policies control all IP traffic passing between a source
address and a destination address.
An IPSec firewall policy is needed to allow the transmission of
encrypted packets, specify the permitted direction of VPN traffic,
and select the VPN tunnel that will be subject to the policy. For a
policy-based VPN, a single policy controls both inbound and
outbound IP traffic through the tunnel; a route-based VPN needs
one ACCEPT policy for each direction.
Before you define firewall policies, you must first specify the IP
source and destination addresses. In a gateway-to-gateway
configuration:
• The IP source address corresponds to the private network
behind the local ZXSEC US unit.
• The IP destination address refers to the private network
behind the remote VPN peer.
To define the IP address of the network behind ZXSEC
US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
Finance_Network).
Subnet/IP Range Enter the IP address of the private
network behind ZXSEC US_1 (for example, 192.168.12.0/24).
To specify the address of the network behind ZXSEC US_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
HR_Network).
Subnet/IP Range Enter the IP address of the private
network behind ZXSEC US_2 (for example, 192.168.22.0/24).
To define the firewall policy for a policy-based VPN
1. Go to Firewall > Policy.

2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone Port 1
Source Address Name Finance_Network
Destination Interface/Zone Port 2
Destination Address Name HR_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US1toUS2_Tunnel
Allow Inbound Enable
Allow Outbound Enable
Inbound NAT Disable
3. Place the policy in the policy list above any other policies
having similar source and destination addresses.
To define firewall policies for a route-based VPN
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone Port 1
Source Address Name Finance_Network
Destination Interface/Zone US1toUS2_Tunnel
Destination Address Name HR_Network
Schedule As required.
Service As required.
Action ACCEPT
NAT Disable
3. Select Create New, enter the following information, and select
OK:
Source Interface/Zone US1toUS2_Tunnel
Source Address Name HR_Network
Destination Interface/Zone Port 1
Destination Address Name Finance_Network
Schedule As required.
Service As required.
Action ACCEPT
NAT Disable


4. Place the policies in the policy list above any other policies
having similar source and destination addresses.

Configure ZXSEC US_2
The configuration of ZXSEC US_2 is similar to that of ZXSEC
US_1. You must:
• Define the phase 1 parameters that ZXSEC US_2 needs to
authenticate ZXSEC US_1 and establish a secure
connection.
• Define the phase 2 parameters that ZXSEC US_2 needs to
create a VPN tunnel with ZXSEC US_1.
• Create the firewall policy and define the scope of
permitted services between the IP source and destination
addresses.
To define the phase 1 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information, and
select OK:
Name Type a name for the VPN tunnel (for example,
US2toUS1_Tunnel).
Remote Gateway Static IP Address
IP Address 172.16.20.1
Local Interface Port 2
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. The value must be
identical to the preshared key that you specified previously in
the ZXSEC US_1 configuration.
Peer Options Accept any peer ID
Advanced
Enable IPSec Interface Mode Enable to create a route-based VPN.
Disable to create a policy-based VPN. This example shows both
policy-based and route-based VPNs.
To define the phase 2 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2, enter the following information and
select OK:
Name Enter a name for the phase 2 configuration (for
example, US2toUS1_phase2).

Phase 1 Select the gateway that you defined previously
(for example, US2toUS1_Tunnel).
To define the IP address of the network behind ZXSEC
US_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
HR_Network).
Subnet/IP Range 192.168.22.0/24
This is the IP address of the private network behind ZXSEC US_2.
To define the IP address of the network behind ZXSEC
US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
Finance_Network).
Subnet/IP Range Enter the IP address of the private network behind
ZXSEC US_1 (for example, 192.168.12.0/24).

To define the firewall policy for a policy-based VPN
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone Port 2
Source Address Name HR_Network
Destination Interface/Zone Port 1
Destination Address Name Finance_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US2toUS1_Tunnel
Allow Inbound Enable
Allow Outbound Enable
Inbound NAT Disable
3. Place the policy in the policy list above any other policies
having similar source and destination addresses.
To define the firewall policies for a route-based VPN
1. Go to Firewall > Policy.

2. Select Create New, enter the following information to create
an outbound policy, and then select OK:
Source Interface/Zone Port 2
Source Address Name HR_Network
Destination Interface/Zone US2toUS1_Tunnel
Destination Address Name Finance_Network
Schedule As required.
Service As required
Action ACCEPT
NAT Disable
3. Select Create New, enter the following information to create
an inbound policy, and then select OK:
Source Interface/Zone US2toUS1_Tunnel
Source Address Name Finance_Network
Destination Interface/Zone Port 2
Destination Address Name HR_Network
Schedule As required.
Service As required.
Action ACCEPT
NAT Disable
4. Place the policy in the policy list above any other policies
having similar source and destination addresses.



Chapter 4

Hub-and-spoke
configurations

Overview
This section describes how to set up hub-and-spoke IPSec VPNs
consisting of VPN peers and/or US Desktop dialup clients.
The following topics are included in this section:
• Configuration overview
• General configuration steps
• Configure the hub
• Configure the spokes
• Basic configuration example
• US Desktop in hub-and-spoke VPN example

Configuration overview
In a hub-and-spoke configuration, connections to a number of
remote peers and/or clients radiate from a single, central ZXSEC
US unit. Site-to-site connections between the remote peers
and/or clients do not exist; however, VPN tunnels between the
remote peers and/or clients can be established through the
ZXSEC US unit “ hub”.
In a hub-and-spoke network, all VPN tunnels terminate at the
hub. The peers and/or clients that connect to the hub are known
as “spokes”. The hub functions as a concentrator on the network,
managing all VPN connections between the spokes. VPN traffic
passes from one tunnel to the other through the hub.

FIGURE 5 EXAMPLE HUB-AND-SPOKE CONFIGURATION

The examples in this chapter show statically addressed spokes
only.

Hub-and-spoke infrastructure
requirements
• The ZXSEC US hub must be operating in NAT/Route mode
and have a static public IP address.
• Spokes may have static IP addresses, dynamic IP
addresses (refer to “US Desktop dialup-client
configurations” and/or “ZXSEC US dialup-client
configurations”), or static domain names and dynamic IP
addresses (refer to “Dynamic DNS configurations”).

General configuration steps
When a ZXSEC US unit receives a connection request from a
remote VPN peer or client, it uses IPSec phase 1 parameters to
establish a secure connection and authenticate the VPN peer or
client. Then, if the firewall policy permits the connection, the
ZXSEC US unit establishes the tunnel using IPSec phase 2
parameters and applies the IPSec firewall policy. Key
management, authentication, and security services are
negotiated dynamically through the IKE protocol.
To support these functions, the following general configuration
steps must be performed at the hub:
• Define the phase 1 parameters that the hub needs to
authenticate the spokes and establish secure connections.
• Define the phase 2 parameters that the hub needs to
create VPN tunnels with the spokes.
• Create firewall policies for each spoke and define the
scope of permitted services between the hub and each
spoke.
• Define the permitted communications between spokes.
For a policy-based VPN, define the VPN concentrator. For
a route-based VPN, define appropriate firewall policies.
For more information, refer to “Configure the hub”.
You must configure each remote peer and/or client that will function as a spoke. When the spokes have static IP addresses, the following configuration steps must be performed at each spoke:
• Define phase 1 authentication parameters to initiate a connection with the hub.
• Define phase 2 tunnel creation parameters to establish a VPN tunnel with the hub.
• Specify a source address that represents the network behind the spoke.
• Specify a destination address that represents the network behind the hub.
• Create several destination addresses to represent the networks behind each of the other spokes.
• Define the firewall policy to enable communications between the spoke and the hub.
• Define additional firewall policies to enable communications between the spoke and each of the other spokes.
For more information, refer to “Configure the spokes”.

Note: To avoid creating a large number of destination addresses and firewall policies at each spoke, you can define a destination address group at each spoke to represent the networks behind the other spokes. You could then define a single firewall policy to enable communications between the spoke and the group of network addresses associated with the other spokes. For information about how to create an address group, refer to the “Firewall Address” chapter of the ZXSEC US Administration Guide.


Configure the hub


At the ZXSEC US unit that acts as the hub, you need to
• configure the VPN to each spoke
• configure communication between spokes
You configure communication between spokes differently for a policy-based VPN than for a route-based VPN. For a policy-based VPN, you configure a VPN concentrator. For a route-based VPN, you must either define firewall policies or group the IPSec interfaces into a zone.

Define the spoke VPN configurations


Perform these steps at the ZXSEC US unit that will act as the hub. The following procedure assumes that the spokes have static IP addresses. If you want to include the US Desktop Host Security application as a spoke, refer to “US Desktop in hub-and-spoke VPN example”.
To configure the VPN hub
1. At the hub, define the phase 1 configuration for each spoke. Refer to “Auto Key phase 1 parameters”. Enter these settings in particular:
Name: Enter a name to identify the VPN tunnel. This name appears in phase 2 configurations, firewall policies and the VPN monitor.
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the public interface to the spoke.
Local Interface: Select the ZXSEC US unit’s public interface.
Enable IPSec Interface Mode: You must select Advanced to see this setting. If IPSec Interface Mode is enabled, the ZXSEC US unit creates a virtual IPSec interface for a route-based VPN. Disable this option if you want to create a policy-based VPN. For more information, refer to “Choosing policy-based or route-based VPNs”. After you select OK to create the phase 1 configuration, you cannot change this setting.
2. Define the phase 2 parameters needed to create a VPN tunnel with each spoke. Refer to “Phase 2 parameters”. Enter these settings in particular:
Name: Enter a name to identify this spoke phase 2 configuration.

Phase 1: Select the name of the phase 1 configuration that you defined for this spoke.
3. Define a name for the address of the private network behind the hub. For more information, refer to “Defining firewall addresses”.
4. Define names for the addresses or address ranges of the private networks behind each spoke. For more information, refer to “Defining firewall addresses”.
5. Define the VPN concentrator. Refer to “To define the VPN concentrator” on page 33.
6. Define firewall policies to permit communication between the hub and the spokes. For more information, refer to “Defining firewall policies” on page 162.
Policy-based VPN firewall policy
Define an IPSec firewall policy to permit communications between the hub and the spoke. Enter these settings in particular:
Source Interface/Zone: Select the hub’s interface to the internal (private) network.
Source Address Name: Select the source address that you defined in Step 3.
Destination Interface/Zone: Select the hub’s public network interface.
Destination Address Name: Select the address name you defined in Step 4 for the private network behind the spoke ZXSEC US unit.
Action: IPSEC
VPN Tunnel: Select the name of the phase 1 configuration that you created for the spoke in Step 1. Select Allow inbound to enable traffic from the remote network to initiate the tunnel. Select Allow outbound to enable traffic from the local network to initiate the tunnel.
Route-based VPN firewall policies
Define ACCEPT firewall policies to permit communications between the hub and the spoke. You need one policy for each direction. Enter these settings in particular:
Spoke-to-hub policy:
Source Interface/Zone: Select the VPN Tunnel (IPSec Interface) you configured in Step 1.
Source Address Name: Select the address name you defined in Step 4 for the private network behind the spoke ZXSEC US unit.
Destination Interface/Zone: Select the hub’s interface to the internal (private) network.
Destination Address Name: Select the source address that you defined in Step 3.
Action: Select ACCEPT.
NAT: Enable.
Hub-to-spoke policy:
Source Interface/Zone: Select the hub’s interface to the internal (private) network.
Source Address Name: Select the source address that you defined in Step 3.
Destination Interface/Zone: Select the VPN Tunnel (IPSec Interface) you configured in Step 1.
Destination Address Name: Select the address name you defined in Step 4 for the private network behind the spoke ZXSEC US unit.
Action: Select ACCEPT.
NAT: Enable.
7. In the policy list, arrange the policies in the following order:
• IPSec policies that control traffic between the hub and the spokes first
• the default firewall policy last

Configuring communication between spokes (policy-based VPN)

For a policy-based hub-and-spoke VPN, you define a concentrator to enable communication between the spokes.
To define the VPN concentrator
1. At the hub, go to VPN > IPSEC > Concentrator and select Create New.
2. In the Concentrator Name field, type a name to identify the concentrator.
3. From the Available Tunnels list, select a VPN tunnel and then select the right-pointing arrow.

Note: To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left-pointing arrow.

4. Repeat Step 3 until all of the tunnels associated with the spokes are included in the concentrator.
5. Select OK.

Configuring communication between spokes (route-based VPN)

For a route-based hub-and-spoke VPN, there are several ways you can enable communication between the spokes:
• put all of the IPSec interfaces into a zone and enable intra-zone traffic. This eliminates the need for any firewall policy for the VPN, but you cannot apply a protection profile to scan the traffic for security threats.
• put all of the IPSec interfaces into a zone and create a single zone-to-zone firewall policy
• create a firewall policy for each pair of spokes that are allowed to communicate with each other. The number of policies required increases rapidly as the number of spokes increases.
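To make the trade-off between the three approaches concrete, the following added Python example (not part of the ZTE guide) counts and generates the hub-side policies each approach needs for a constructed set of spokes; the spoke names, the hub-side IPSec interface names and the address names are assumptions, and it generalizes the per-pair approach to an explicit allow-list of spoke pairs.

```python
"""Hub-side policy planning for spoke-to-spoke traffic in a route-based
hub-and-spoke VPN. Added example, not ZTE code; all names are constructed."""
from itertools import permutations

# Constructed inventory: spoke -> (hub-side IPSec interface, address name of the
# private network behind the spoke). Spoke_3 is a hypothetical third spoke.
SPOKES = {
    "Spoke_1": ("US1toSP1_Tunnel", "Site_1"),
    "Spoke_2": ("US1toSP2_Tunnel", "Site_2"),
    "Spoke_3": ("US1toSP3_Tunnel", "Site_3"),
}


def per_pair_policies(spokes, allowed=None, protection_profile=None):
    """One ACCEPT policy per ordered pair of spokes (one policy per direction).

    `allowed` optionally restricts generation to the unordered pairs that are
    permitted to talk; None means every spoke may reach every other spoke.
    """
    policies = []
    for src, dst in permutations(spokes, 2):
        if allowed is not None and frozenset((src, dst)) not in allowed:
            continue
        policies.append({
            "src_intf": spokes[src][0],
            "src_addr": spokes[src][1],
            "dst_intf": spokes[dst][0],
            "dst_addr": spokes[dst][1],
            "action": "ACCEPT",
            "nat": True,
            "protection_profile": protection_profile,
        })
    return policies


def zone_policies(zone="Our_VPN_zone", block_intra_zone=True, protection_profile=None):
    """Zone approaches: no policy at all when intra-zone traffic is allowed (but
    then no protection profile can be applied), else one zone-to-zone policy."""
    if not block_intra_zone:
        if protection_profile is not None:
            raise ValueError("a protection profile needs a policy; set block_intra_zone=True")
        return []
    return [{
        "src_intf": zone, "src_addr": "All",
        "dst_intf": zone, "dst_addr": "All",
        "action": "ACCEPT", "nat": True,
        "protection_profile": protection_profile,
    }]


def policy_count(n_spokes, approach):
    """Number of hub policies as a function of the spoke count for each approach."""
    if approach == "intra_zone":
        return 0
    if approach == "zone_policy":
        return 1
    if approach == "per_pair":
        return n_spokes * (n_spokes - 1)  # grows quadratically with the spoke count
    raise ValueError(f"unknown approach {approach!r}")


if __name__ == "__main__":
    for n in (2, 5, 10, 50):
        print(n, "spokes:", {a: policy_count(n, a) for a in ("intra_zone", "zone_policy", "per_pair")})
    only_1_and_2 = {frozenset(("Spoke_1", "Spoke_2"))}
    for p in per_pair_policies(SPOKES, allowed=only_1_and_2):
        print(p["src_intf"], "->", p["dst_intf"])
```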

Using a zone as a concentrator


A simple way to provide communication among all of the spokes
is to create a zone and allow intra-zone communication. You
cannot apply a protection profile using this method.
1. Go to System > Network > Zone.
2. In the Zone Name field, enter a name, such as
Our_VPN_zone.
3. Clear Block intra-zone traffic.
4. In the Interface Members list, select the IPSec interfaces that
are part of your VPN.
5. Select OK.

Using a zone with a policy as a concentrator

If you put all of the hub IPSec interfaces involved in the VPN into a zone, you can enable communication among all of the spokes and apply a protection profile with just one firewall policy.
To create a zone for the VPN
1. Go to System > Network > Zone.
2. In the Zone Name field, enter a name, such as Our_VPN_zone.
3. Select Block intra-zone traffic.
4. In the Interface Members list, select the IPSec interfaces that are part of your VPN.
5. Select OK.
To create a firewall policy for the zone
1. Go to Firewall > Policy. Select Create New and enter these settings:
Source Interface/Zone: Select the zone you created for your VPN.
Source Address Name: Select All.
Destination Interface/Zone: Select the zone you created for your VPN.
Destination Address Name: Select All.
Action: Select ACCEPT.
NAT: Enable.
Protection profile: If you want to apply a protection profile to this traffic, select the appropriate profile.
2. Select OK.

Using firewall policies as a concentrator

To enable communication between two spokes, you need to define an ACCEPT firewall policy for them. To allow either spoke to initiate communication, you must create a policy for each direction. This procedure describes a firewall policy for communication from Spoke 1 to Spoke 2. Others are similar.
1. Define names for the addresses or address ranges of the private networks behind each spoke. For more information, refer to “Defining firewall addresses”.
2. Go to Firewall > Policy. Select Create New and enter these settings in particular:
Source Interface/Zone: Select the IPSec interface that connects to Spoke 1.
Source Address Name: Select the address of the private network behind Spoke 1.
Destination Interface/Zone: Select the IPSec interface that connects to Spoke 2.
Destination Address Name: Select the address of the private network behind Spoke 2.
Action: Select ACCEPT.
NAT: Enable.
Protection profile: If you want to apply a protection profile to this traffic, select the appropriate profile.
3. Select OK.

Configure the spokes


The following procedure assumes that the spokes are ZXSEC US units that have static IP addresses. If you want to include the US Desktop Host Security application as a spoke, refer to “US Desktop in hub-and-spoke VPN example”. Perform these steps at each ZXSEC US unit that will act as a spoke.


To create the phase 1 configuration

1. At the spoke, define the phase 1 parameters that the spoke will use to establish a secure connection with the hub. Refer to “Auto Key phase 1 parameters”. Enter these settings in particular:
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the public interface to the hub.
Enable IPSec Interface Mode: Enable if you are creating a route-based VPN. Clear if you are creating a policy-based VPN.
2. Create the phase 2 tunnel definition. Refer to “Phase 2 parameters”. Enter these settings in particular:
Remote Gateway: Select the set of phase 1 parameters that you defined for the hub. You can select the name of the hub from the Static IP Address part of the list.

Configuring firewall policies for hub-to-spoke communication

1. Create an address for this spoke. Refer to “Defining firewall addresses”. Enter the IP address and netmask of the private network behind the spoke.
2. Create an address to represent the hub. Refer to “Defining firewall addresses”. Enter the IP address and netmask of the private network behind the hub.
3. Define the firewall policy to enable communication with the hub.
Policy-based VPN firewall policy
Define an IPSec firewall policy to permit communications with the hub. Refer to “Defining firewall policies”. Enter these settings in particular:
Source Interface/Zone: Select the spoke’s interface to the internal (private) network.
Source Address Name: Select the spoke address you defined in Step 1.
Destination Interface/Zone: Select the spoke’s interface to the external (public) network.
Destination Address Name: Select the hub address you defined in Step 2.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 configuration you defined. Select Allow inbound to enable traffic from the remote network to initiate the tunnel. Select Allow outbound to enable traffic from the local network to initiate the tunnel.
Route-based VPN firewall policy
Define two firewall policies to permit communications to and from the hub. Enter these settings in particular:
Hub-to-spoke policy:
Source Interface/Zone: Select the virtual IPSec interface you created.
Source Address Name: Select the hub address you defined in Step 2.
Destination Interface/Zone: Select the spoke’s interface to the internal (private) network.
Destination Address Name: Select the spoke address you defined in Step 1.
Action: Select ACCEPT.
NAT: Enable.
Spoke-to-hub policy:
Source Interface/Zone: Select the spoke’s interface to the internal (private) network.
Source Address Name: Select the spoke address you defined in Step 1.
Destination Interface/Zone: Select the virtual IPSec interface you created.
Destination Address Name: Select the hub address you defined in Step 2.
Action: Select ACCEPT.
NAT: Enable.

Configuring firewall policies for spoke-to-spoke communication

Each spoke requires firewall policies to enable communication with the other spokes. Instead of creating separate firewall policies for each spoke, you can create an address group that contains the addresses of the networks behind the other spokes. The firewall policy then applies to all of the spokes in the group.
1. Define destination addresses to represent the networks behind each of the other spokes. Add these addresses to an address group. For more information, refer to the “Configuring Address Groups” section in the “Firewall Address” chapter of the ZXSEC US Administration Guide.
2. Define the firewall policy to enable communication between this spoke and the spokes in the address group you created.
Policy-based VPN firewall policy
Define an IPSec firewall policy to permit communications with the other spokes. Refer to “Defining firewall policies”. Enter these settings in particular:
Source Interface/Zone: Select this spoke’s internal (private) network interface.
Source Address Name: Select this spoke’s source address.
Destination Interface/Zone: Select the spoke’s interface to the external (public) network.
Destination Address Name: Select the spoke address group you defined in Step 1.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 configuration you defined. Select Allow inbound to enable traffic from the remote network to initiate the tunnel. Select Allow outbound to enable traffic from the local network to initiate the tunnel.
Route-based VPN firewall policy
Define two firewall policies to permit communications to and from the other spokes. Enter these settings in particular:
Inbound policy (other spokes to this spoke):
Source Interface/Zone: Select the virtual IPSec interface you created.
Source Address Name: Select the spoke address group you defined in Step 1.
Destination Interface/Zone: Select the spoke’s interface to the internal (private) network.
Destination Address Name: Select this spoke’s address name.
Action: Select ACCEPT.
NAT: Enable.
Outbound policy (this spoke to the other spokes):
Source Interface/Zone: Select the spoke’s interface to the internal (private) network.
Source Address Name: Select this spoke’s address name.
Destination Interface/Zone: Select the virtual IPSec interface you created.
Destination Address Name: Select the spoke address group you defined in Step 1.
Action: Select ACCEPT.
NAT: Enable.
3. Place this policy or policies in the policy list above any other policies having similar source and destination addresses.

Basic configuration example


This example demonstrates how to set up a basic hub-and-spoke
IPSec VPN that uses preshared keys to authenticate VPN peers.

Figure 6 Example hub-and-spoke configuration

In the example configuration, the network devices are assigned IP addresses as shown in Figure 6. The steps for setting up the example hub-and-spoke configuration create a VPN among Site 1, Site 2, and the HR Network. The Finance network is not included in the VPN.

Define the phase 1 parameters on ZXSEC US_1

The phase 1 configuration defines the parameters that ZXSEC US_1 will use to authenticate spokes and establish secure connections. For the purposes of this example, preshared keys will be used to authenticate the spokes.
Before you define the phase 1 parameters, you need to:
• Reserve a name for each spoke.
• Obtain the IP address of the public interface to each spoke.
• Reserve a unique preshared key for each tunnel.
You need one preshared key to authenticate Spoke_1 and a different preshared key to authenticate Spoke_2. Each key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, each key should consist of a minimum of 16 randomly chosen alphanumeric characters.
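The following added Python example (not part of the ZTE guide) turns the preshared-key rules just stated into a check that can be run over the keys planned for each tunnel: the 6-character minimum, the 16-character alphanumeric recommendation, and one distinct key per tunnel; it also generates a key that meets the recommendation from the operating system's CSPRNG. The tunnel names are those of the example; the sample keys are constructed.

```python
"""Preshared-key checks for the hub-and-spoke example. Added example, not
ZTE code; the thresholds come from the guide, the sample keys are constructed."""
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits
MIN_LEN = 6           # hard requirement stated in the guide
RECOMMENDED_LEN = 16  # recommendation stated in the guide


def check_preshared_key(key):
    """Return a list of findings; an empty list means the key meets the recommendation."""
    findings = []
    if any(not ch.isprintable() for ch in key):
        findings.append("contains non-printable characters")
    if len(key) < MIN_LEN:
        findings.append(f"shorter than the {MIN_LEN}-character minimum")
    elif len(key) < RECOMMENDED_LEN:
        findings.append(f"shorter than the recommended {RECOMMENDED_LEN} characters")
    # Randomness cannot be verified after the fact, but a key built from a tiny
    # alphabet or a repeated character is clearly not a random choice.
    if len(set(key)) < 4:
        findings.append("uses too few distinct characters")
    return findings


def generate_preshared_key(length=RECOMMENDED_LEN):
    """Draw `length` alphanumeric characters from the OS CSPRNG."""
    if length < MIN_LEN:
        raise ValueError(f"length must be at least {MIN_LEN}")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def check_tunnel_keys(keys_by_tunnel):
    """Check every tunnel's key and flag a key reused across tunnels.

    `keys_by_tunnel` maps a phase 1 name (for example US1toSP1_Tunnel) to its
    key. Returns {tunnel: [findings]} containing only tunnels with findings.
    """
    report = {}
    seen = {}  # key -> first tunnel that used it
    for tunnel, key in keys_by_tunnel.items():
        findings = check_preshared_key(key)
        if key in seen:
            findings.append(f"same key as {seen[key]}; each tunnel needs its own key")
        else:
            seen[key] = tunnel
        if findings:
            report[tunnel] = findings
    return report


if __name__ == "__main__":
    # Constructed sample: a weak key reused on two tunnels, plus a generated one.
    keys = {
        "US1toSP1_Tunnel": "abc123",
        "US1toSP2_Tunnel": "abc123",
        "US1toSP3_Tunnel": generate_preshared_key(),  # hypothetical third spoke
    }
    for tunnel, findings in check_tunnel_keys(keys).items():
        print(tunnel, "->", "; ".join(findings))
```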
To define the phase 1 parameters
1. At ZXSEC US_1, go to VPN > IPSEC > Auto Key.


2. Define the phase 1 parameters that the hub will use to establish a secure connection to Spoke_1. Select Create Phase 1, enter the following information, and select OK:
Name: Type a name for the spoke (for example, US1toSP1_Tunnel).
Remote Gateway: Static IP Address
IP Address: 172.16.20.1
Local Interface: Internal
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
3. Define the phase 1 parameters that the hub will use to establish a secure connection to Spoke_2. Select Create Phase 1, enter the following information, and select OK:
Name: Type a name for the spoke (for example, US1toSP2_Tunnel).
Remote Gateway: Static IP Address
IP Address: 172.16.30.1
Local Interface: Internal
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID

Define the phase 2 parameters on ZXSEC US_1

The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1 configuration and specify the remote end points of the VPN tunnels. Before you define the phase 2 parameters, you need to reserve a name for each tunnel.
To define the phase 2 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Create a phase 2 tunnel definition for Spoke_1. Select Create Phase 2, enter the following information, and select OK:
Name: Enter a name for the phase 2 definition (for example, US1toSP1_ph2).
Phase 1: Select the Phase 1 configuration that you defined previously for Spoke_1 (for example, US1toSP1_Tunnel).

3. Create a phase 2 tunnel definition for Spoke_2. Select Create Phase 2, enter the following information, and select OK:
Name: Enter a name for the phase 2 definition (for example, US1toSP2_ph2).
Phase 1: Select the Phase 1 configuration that you defined previously for Spoke_2 (for example, US1toSP2_Tunnel).

Define the IPSec firewall policies on ZXSEC US_1

Firewall policies control all IP traffic passing between a source address and a destination address. An IPSec firewall policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. A single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel.
Before you define the policy, you must first specify the IP source and destination addresses. In the example hub-and-spoke configuration:
• The source IP address corresponds to the HR network behind ZXSEC US_1.
• The destination IP addresses refer to the private networks behind Spoke_1 and Spoke_2.
To define the IP source address of the HR network behind ZXSEC US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, HR_Network).
Subnet/IP Range: Enter the IP address of the HR network behind ZXSEC US_1 (for example, 192.168.22.0/24).

To specify the destination address of IP packets delivered to Spoke_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Site_1).
Subnet/IP Range: Enter the IP address of the private network behind Spoke_1 (for example, 192.168.33.0/24).
To specify the destination address of IP packets delivered to Spoke_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Site_2).
Subnet/IP Range: Enter the IP address of the private network behind Spoke_2 (for example, 192.168.44.0/24).

To define the IPSec firewall policy for hub-to-Spoke_1 traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select OK:
Source Interface/Zone: Select the interface to the HR network.
Source Address Name: HR_Network
Destination Interface/Zone: Select the interface to the external (public) network.
Destination Address Name: Site_1
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: US1toSP1_Tunnel

3. Place the policy in the policy list above any other policies having similar source and destination addresses.
To define the IPSec firewall policy for hub-to-Spoke_2 traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select OK:
Source Interface/Zone: Select the interface to the HR network.
Source Address Name: HR_Network
Destination Interface/Zone: Select the interface to the external (public) network.
Destination Address Name: Site_2
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: US1toSP2_Tunnel

3. In the policy list, arrange the policies in the following order:
• IPSec policies that control traffic between the hub and the spokes first
• the default firewall policy last
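Because policies are matched top-down, an IPSec policy placed below a broader policy with overlapping interfaces and addresses never sees its traffic. The following added Python example (not part of the ZTE guide) checks a hub policy list for that condition and re-orders it as the step above requires; the address objects are the example's, while the policy names, the interface names "internal" and "external", and the mis-ordered list are constructed.

```python
"""First-match ordering check for the hub's policy list in the basic example.
Added example, not ZTE code; the policy list and interface names are constructed."""
import ipaddress

# Address objects from the example, plus "All" as the catch-all used by a default policy.
ADDRESSES = {
    "HR_Network": "192.168.22.0/24",
    "Site_1": "192.168.33.0/24",
    "Site_2": "192.168.44.0/24",
    "All": "0.0.0.0/0",
}


def _net(name):
    return ipaddress.ip_network(ADDRESSES[name])


def _covers(earlier, later):
    """True if `earlier` would match (some of) the traffic `later` is meant for."""
    return (earlier["src_intf"] == later["src_intf"]
            and earlier["dst_intf"] == later["dst_intf"]
            and _net(earlier["src"]).overlaps(_net(later["src"]))
            and _net(earlier["dst"]).overlaps(_net(later["dst"])))


def shadowed_ipsec_policies(policies):
    """Return (ipsec_policy, shadowing_policy) name pairs for every IPSEC policy
    that sits below an earlier policy matching the same interfaces and addresses."""
    problems = []
    for i, p in enumerate(policies):
        if p["action"] != "IPSEC":
            continue
        for q in policies[:i]:
            if _covers(q, p):
                problems.append((p["name"], q["name"]))
    return problems


def ordered_for_hub(policies):
    """Stable re-ordering: IPSEC policies first, other policies next, the default last."""
    ipsec = [p for p in policies if p["action"] == "IPSEC"]
    others = [p for p in policies if p["action"] != "IPSEC" and not p.get("default")]
    default = [p for p in policies if p.get("default")]
    return ipsec + others + default


def _policy(name, src, dst, action, default=False):
    # "internal" and "external" are assumed interface names for the hub's private and public sides.
    return {"name": name, "src_intf": "internal", "src": src,
            "dst_intf": "external", "dst": dst, "action": action, "default": default}


# Constructed hub policy list with the default policy wrongly placed first.
HUB_POLICIES_BAD = [
    _policy("default", "All", "All", "ACCEPT", default=True),
    _policy("hub_to_spoke1", "HR_Network", "Site_1", "IPSEC"),
    _policy("hub_to_spoke2", "HR_Network", "Site_2", "IPSEC"),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_ipsec_policies(HUB_POLICIES_BAD))
    fixed = ordered_for_hub(HUB_POLICIES_BAD)
    print("order:", [p["name"] for p in fixed], "shadowed:", shadowed_ipsec_policies(fixed))
```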

Define the VPN concentrator on ZXSEC US_1

The concentrator specifies which spokes to include in the hub-and-spoke configuration.
To define the VPN concentrator
1. Go to VPN > IPSec > Concentrator and select Create New.
2. In the Concentrator Name field, type a name to identify the concentrator (for example, Hub_1).
3. From the Available Tunnels list, select US1toSP1_Tunnel and select the right-pointing arrow.
4. From the Available Tunnels list, select US1toSP2_Tunnel and select the right-pointing arrow.
5. Select OK.

Configure Spoke_1
The Spoke_1 configuration requires the following settings:
• phase 1 authentication parameters to initiate a connection with the hub
• phase 2 tunnel creation parameters to establish a VPN tunnel with the hub
• a source address that represents the network behind Spoke_1
• a destination address that represents the HR network behind the hub
• an IPSec firewall policy to enable communications between Spoke_1 and the hub
• a destination address that represents the network behind Spoke_2
• an IPSec firewall policy to enable communications between Spoke_1 and Spoke_2
To define the phase 1 parameters
1. At Spoke_1, go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information, and select OK:
Name: Type a name for the hub (for example, ZXSEC US_1).


Remote Gateway: Static IP Address
IP Address: 172.16.10.1
Local Interface: Internal
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. The value must be identical to the preshared key that you specified previously in the ZXSEC US_1 configuration.
Peer Options: Accept any peer ID
To define the phase 2 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2, enter the following information, and select OK:
Name: Enter a name for the tunnel (for example, SP1toUS1_Tunnel).
Phase 1: Select the name that you defined previously for the hub (for example, ZXSEC US_1).

To define the IP source address of the network behind Spoke_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Site_1).
Subnet/IP Range: Enter the IP address of the private network behind Spoke_1 (for example, 192.168.33.0/24).
To specify the destination address of IP packets delivered to ZXSEC US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, HR_Network).
Subnet/IP Range: Enter the IP address of the HR network behind ZXSEC US_1 (for example, 192.168.22.0/24).

To define the IPSec firewall policy to enable communications with the hub
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select OK:
Source Interface/Zone: Select the interface to the internal (private) network.
Source Address Name: Site_1
Destination Interface/Zone: Select the interface to the external (public) network.
Destination Address Name: HR_Network
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: SP1toUS1_Tunnel

3. Place the policy in the policy list above any other policies having similar source and destination addresses.
To specify the IP address of the network behind Spoke_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Site_2).
Subnet/IP Range: Enter the IP address of the network behind Spoke_2 (for example, 192.168.44.0/24).

To define the IPSec firewall policy for Spoke_1-to-Spoke_2 traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select OK:
Source Interface/Zone: Select the interface to the internal (private) network.
Source Address Name: Site_1
Destination Interface/Zone: Select the interface to the external (public) network.
Destination Address Name: Site_2
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: SP1toUS1_Tunnel

3. Place the policy in the policy list above any other policies having similar source and destination addresses.


Configure Spoke_2
The Spoke_2 configuration requires the following settings:
• phase 1 authentication parameters to initiate a connection with the hub
• phase 2 tunnel creation parameters to establish a VPN tunnel with the hub
• a source address that represents the network behind Spoke_2
• a destination address that represents the HR network behind the hub
• an IPSec firewall policy to enable communications between Spoke_2 and the hub
• a destination address that represents the network behind Spoke_1
• an IPSec firewall policy to enable communications between Spoke_2 and Spoke_1
To define the phase 1 parameters
1. At Spoke_2, go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information, and select OK:
Name: Type a name for the hub (for example, ZXSEC US_1).
Remote Gateway: Static IP Address
IP Address: 172.16.10.1
Local Interface: Internal
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. The value must be identical to the preshared key that you specified previously in the ZXSEC US_1 configuration.
Peer Options: Accept any peer ID

To define the phase 2 parameters

1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2, enter the following information, and select OK:
Name: Enter a name for the tunnel (for example, SP2toUS1_Tunnel).
Phase 1: Select the name that you defined previously for the hub (for example, ZXSEC US_1).


To define the IP source address of the network behind Spoke_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Site_2).
Subnet/IP Range: Enter the IP address of the private network behind Spoke_2 (for example, 192.168.44.0/24).

To specify the destination address of IP packets delivered to ZXSEC US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, HR_Network).
Subnet/IP Range: Enter the IP address of the HR network behind ZXSEC US_1 (for example, 192.168.22.0/24).

To define the IPSec firewall policy to enable communications with the hub
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select OK:
Source Interface/Zone: Select the interface to the internal (private) network.
Source Address Name: Site_2
Destination Interface/Zone: Select the interface to the external (public) network.
Destination Address Name: HR_Network
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: SP2toUS1_Tunnel

3. Place the policy in the policy list above any other policies having similar source and destination addresses.
To specify the IP address of the network behind Spoke_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Site_1).
Subnet/IP Range: Enter the IP address of the network behind Spoke_1 (for example, 192.168.33.0/24).
To define the IPSec firewall policy for Spoke_2-to-Spoke_1 traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select OK:
Source Interface/Zone: Select the interface to the internal (private) network.
Source Address Name: Site_2
Destination Interface/Zone: Select the interface to the external (public) network.
Destination Address Name: Site_1
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: SP2toUS1_Tunnel

3. Place the policy in the policy list above any other policies having similar source and destination addresses.

US Desktop in hub-and-spoke VPN example
This example demonstrates how to include US Desktop dialup clients in a basic hub-and-spoke IPSec VPN. The VPN peers and clients use preshared keys for authentication purposes.

Figure 7 Example hub-and-spoke configuration with US Desktop dialup clients

In the example, the network devices are assigned IP addresses as shown in Figure 7. The US Desktop Host Security application is assigned a Virtual IP (VIP) address manually. For more information, refer to “US Desktop dialup-client configurations”. The steps for setting up the example hub-and-spoke configuration create a VPN among Site 1, Site 2, the HR Network, and the dialup clients (US Desktop_1 and US Desktop_2). The Finance network is not included in the VPN.
All ZXSEC US units in the example configuration operate in NAT/Route mode and have static public IP addresses.

Note: A ZXSEC US spoke may have a dynamic IP address, or a static domain name and dynamic IP address. For more information, contact ZTE Technical Support.
The remote hosts on which the US Desktop Host Security
application is installed obtain dynamic IP addresses from an ISP
when they connect to the Internet. By default, the US Desktop
Host Security application encrypts IP traffic and addresses the
encrypted packets to the public interface of the ZXSEC US hub.
Encrypted packets from the ZXSEC US hub are addressed either
to the public IP address of the remote US Desktop host, or if the
host computer is behind a NAT device, the IP address of the NAT
device.

Note: For encrypted traffic to pass through the NAT device,
the device must be NAT-T compatible. For more information,
refer to “NAT traversal”.
When the remote host is located behind a NAT device,
unintended IP-address overlap issues may arise between the
remote private network and the private network behind the
ZXSEC US unit (for details, refer to “US Desktop dialup-client
configurations”). To prevent IP-address overlap, a VIP
configuration is recommended. A VIP configuration enables you
to assign uncommonly used IP addresses (for example,
10.254.254.1 and 10.254.254.2) to US Desktop dialup clients.

Note: More than one dialup client can connect to the same
VPN tunnel. When you need to configure access for a group of
dialup clients, assign a VIP address to each dialup client from a
subnet comprising VIP addresses (for example,
10.254.254.0/24). As an alternative, you may configure a VIP
address range (for example, 10.254.254.[100-110]).
In the example, VIP addresses are assigned to the dialup clients
manually. When a VIP address is assigned, the US Desktop Host
Security application and the ZXSEC US unit both use the VIP
address as the IP address of the US Desktop dialup client for the
duration of the connection. As a result, when the ZXSEC US unit
receives a packet from a US Desktop dialup client that has a VIP
address, the source address in the encrypted packet IP header
will be the VIP address used by the US Desktop Host Security
application.
Assigning VIP addresses manually enables you to create an IPSec
firewall policy that allows connections from a specific VIP address,
a VIP address range, or a subnet address comprising VIP
addresses.
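The overlap check and VIP assignment described above, worked through in code. This is an added example, not part of the ZTE guide or the US Desktop software: it uses the example's own address objects, a constructed list of typical private LANs found behind home and hotel NAT devices, and Python's standard ipaddress module, so the VIP pool can be checked offline before it is committed to the configuration. The range notation 10.254.254.[100-110] is the one the guide mentions.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Address objects from the example configuration.
VPN_NETWORKS = {
    "HR_Network": ipaddress.ip_network("192.168.22.0/24"),
    "Site_1": ipaddress.ip_network("192.168.33.0/24"),
    "Site_2": ipaddress.ip_network("192.168.44.0/24"),
}

# Constructed sample (not from the guide): private LANs that a dialup
# client is often NATed behind at home or in a hotel.
COMMON_REMOTE_LANS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]


def overlapping(candidate: str, networks: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Return the networks that share any address with the candidate VIP pool."""
    pool = ipaddress.ip_network(candidate)
    return [str(n) for n in networks if pool.overlaps(n)]


def check_vip_pool(candidate: str) -> Dict[str, List[str]]:
    """Overlap report for a proposed VIP pool; empty lists mean the pool is usable."""
    return {
        "vpn_overlap": overlapping(candidate, VPN_NETWORKS.values()),
        "remote_lan_overlap": overlapping(candidate, COMMON_REMOTE_LANS),
    }


def parse_vip_range(spec: str) -> List[str]:
    """Expand the guide's range notation, e.g. '10.254.254.[100-110]', into host addresses."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]", spec)
    if not m:
        raise ValueError(f"unsupported VIP range: {spec}")
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    if lo > hi:
        raise ValueError(f"empty host range in {spec}")
    # ip_address() validates every octet, so 10.254.254.[100-300] is rejected.
    return [str(ipaddress.ip_address(f"{prefix}.{i}")) for i in range(lo, hi + 1)]


def assign_vips(pool: str, clients: List[str]) -> Dict[str, str]:
    """Give each dialup client a distinct host address from the VIP pool, in order."""
    hosts = ipaddress.ip_network(pool).hosts()
    assigned: Dict[str, str] = {}
    for client in clients:
        try:
            assigned[client] = str(next(hosts))
        except StopIteration:
            raise ValueError(f"VIP pool {pool} exhausted before {client}") from None
    return assigned


if __name__ == "__main__":
    print(check_vip_pool("10.254.254.0/24"))   # usable: no overlaps
    print(check_vip_pool("192.168.1.0/24"))    # collides with a typical home LAN
    print(assign_vips("10.254.254.0/24", ["US Desktop_1", "US Desktop_2"]))
    print(parse_vip_range("10.254.254.[100-110]"))
```

The list of remote LANs is the part to extend for a real deployment: whatever address ranges the dialup users' home routers hand out belong there, because the overlap that matters is between the VIP pool (and the protected networks) and the network the client is sitting on.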

Configuring ZXSEC US_1
When a ZXSEC US unit receives a connection request from a
remote VPN peer or client, it uses IPSec phase 1 parameters to
establish a secure connection and authenticate the VPN peer or
client. Then, if the firewall policy permits the connection, the
ZXSEC US unit establishes the tunnel using IPSec phase 2
parameters and applies the IPSec firewall policy. Key
management, authentication, and security services are
negotiated dynamically through the IKE protocol.
To support these functions, the following general configuration
steps must be performed at ZXSEC US_1:
 Define the phase 1 parameters that the ZXSEC US unit needs
to authenticate the spokes and establish secure connections.
Refer to “Define the phase 1 parameters”.

 Define the phase 2 parameters that the ZXSEC US unit needs
to create VPN tunnels with the spokes. Refer to “Define the
phase 2 parameters”.
 Create one IPSec firewall policy for each tunnel and define
the scope of permitted services between the hub and each
spoke. Refer to “Define the IPSec firewall policies”.
 Define the VPN concentrator, which determines the spokes to
include in the configuration. Refer to “Define the VPN
concentrator”.

Define the phase 1 parameters
The phase 1 configuration defines the parameters that ZXSEC
US_1 will use to authenticate spokes and establish secure
connections. For the purposes of this example, preshared keys
are used to authenticate the spokes.
Before you define the phase 1 parameters, you need to:
 Reserve a name for each phase 1 configuration. A phase 1
configuration is needed for each ZXSEC US spoke. A single
phase 1 configuration is needed for the US Desktop dialup
clients.
 Obtain the IP address of the public interface to each ZXSEC
US spoke.
 Decide which VIP addresses to use for US Desktop dialup
clients. To prevent IP- address overlap, choose VIP addresses
from a network that is not commonly used (for example,
10.254.254.0/24).
 Reserve a unique preshared key for each tunnel.

You need one preshared key to authenticate Spoke_1, a second
different preshared key to authenticate Spoke_2, and a third
unique preshared key to authenticate the US Desktop dialup
clients. Each key must contain at least 6 printable characters and
should only be known by network administrators. For optimum
protection against currently known attacks, each key should
consist of a minimum of 16 randomly chosen alphanumeric
characters. Because one key is shared by all US Desktop dialup
clients, a key recovered from any single client host lets its holder
authenticate as a dialup client; treat that key as the most
sensitive of the three and change it whenever a client host is lost
or decommissioned.
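An added example (not from the guide) of generating preshared keys that meet the requirements above and of checking a set of keys before they are entered at the hub. It uses Python's secrets module as the random source, the 62-character alphanumeric alphabet the guide recommends, and a per-tunnel uniqueness check. The entropy figure is a character-class upper bound: it rejects short or single-class keys but cannot recognise a dictionary word or a keyboard pattern, so generate keys rather than invent them. The tunnel names in the usage block are the example's; the sample weak keys are constructed.

```python
import itertools
import math
import secrets
import string
from typing import Dict, List, Tuple

ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols, as the guide recommends
MIN_PRINTABLE = 6                                      # hard requirement in the guide
RECOMMENDED_LENGTH = 16                                # "minimum of 16 randomly chosen" characters
RECOMMENDED_BITS = RECOMMENDED_LENGTH * math.log2(len(ALPHANUMERIC))   # about 95 bits


def generate_psk(length: int = RECOMMENDED_LENGTH) -> str:
    """Draw a preshared key from the OS CSPRNG, one alphanumeric character at a time."""
    if length < RECOMMENDED_LENGTH:
        raise ValueError(f"use at least {RECOMMENDED_LENGTH} characters")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def entropy_bits(key: str) -> float:
    """Upper bound on a key's entropy: length x log2(size of the alphabet it uses).
    Assumes every character was chosen uniformly, so a dictionary word still scores
    well; this catches short or single-class keys, not bad habits."""
    classes = [
        (any(c.islower() for c in key), 26),
        (any(c.isupper() for c in key), 26),
        (any(c.isdigit() for c in key), 10),
        (any(c in string.punctuation for c in key), len(string.punctuation)),
    ]
    alphabet = sum(size for present, size in classes if present)
    return len(key) * math.log2(alphabet) if alphabet else 0.0


def check_psk(key: str) -> List[str]:
    """Return the guide's requirements that the key fails; an empty list means acceptable."""
    problems = []
    printable = sum(1 for c in key if c.isprintable() and not c.isspace())
    if printable < MIN_PRINTABLE or printable != len(key):
        problems.append("must contain at least 6 printable characters")
    if len(key) < RECOMMENDED_LENGTH:
        problems.append("should have at least 16 characters")
    if entropy_bits(key) < RECOMMENDED_BITS:
        problems.append("should be random: fewer than 95 bits of entropy")
    return problems


def reused_keys(keys: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of tunnels that share one preshared key (the guide wants a unique key per tunnel)."""
    by_key: Dict[str, List[str]] = {}
    for tunnel, key in keys.items():
        by_key.setdefault(key, []).append(tunnel)
    pairs: List[Tuple[str, str]] = []
    for tunnels in by_key.values():
        pairs.extend(itertools.combinations(sorted(tunnels), 2))
    return pairs


if __name__ == "__main__":
    keys = {name: generate_psk() for name in ("Spoke_1", "Spoke_2", "Dialup_clients")}
    for name, key in keys.items():
        print(name, key, round(entropy_bits(key), 1), "bits", check_psk(key))
    # Constructed mistake: the same key pasted into two tunnels.
    keys["Spoke_2"] = keys["Spoke_1"]
    print("reused:", reused_keys(keys))
```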
To define the phase 1 parameters
1. At ZXSEC US_1, go to VPN > IPSEC > Auto Key.
2. Define the phase 1 parameters that the hub will use to
establish a secure connection to Spoke_1. Select Create
Phase 1, enter the following information, and select OK:
Name Type a name for the spoke (for example, Spoke_1).
Remote Gateway Static IP Address
IP Address 172.16.20.1

Local Interface Select the interface that connects to the public
network (for example, External).
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID

3. Define the phase 1 parameters that the hub will use to
establish a secure connection to Spoke_2. Select Create
Phase 1, enter the following information, and select OK:
Name Type a name for the spoke (for example, Spoke_2).
Remote Gateway Static IP Address
IP Address 172.16.30.1
Local Interface Select the interface that connects to the public
network (for example, External).
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
4. Define the phase 1 parameters that the hub will use to
establish a secure connection with the US Desktop dialup
clients. Select Create Phase 1, enter the following information,
and select OK:
Name Type a name for the remote gateway (for example,
Dialup_clients).
Remote Gateway Dialup User
Local Interface Select the interface that connects to the public
network (for example, External).
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID

Define the phase 2 parameters
The basic phase 2 settings associate IPSec phase 2 parameters
with the phase 1 configuration and specify the remote end points
of the VPN tunnels. Before you define the phase 2 parameters,
you need to reserve a name for each tunnel.
To define the phase 2 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Create a phase 2 tunnel definition for Spoke_1. Select Create
Phase 2, enter the following information, and select OK:

Name Enter a name for the tunnel (for example,
US1toSP1_Tunnel).
Phase 1 Select the Phase 1 configuration that you defined
previously for Spoke_1 (for example, Spoke_1).

3. Create a phase 2 tunnel definition for Spoke_2. Select Create
Phase 2, enter the following information, and select OK:
Name Enter a name for the tunnel (for example,
US1toSP2_Tunnel).
Phase 1 Select the Phase 1 configuration that you defined
previously for Spoke_2 (for example, Spoke_2).

4. Create a phase 2 tunnel definition for the US Desktop
dialup clients. Select Create Phase 2, enter the following
information, and select OK:
Name Enter a name for the tunnel (for example,
US1toDialupClients).
Phase 1 Select the Phase 1 configuration that you defined previously (for
example, Dialup_clients).

Define the IPSec firewall policies
Firewall policies control all IP traffic passing between a source
address and a destination address. An IPSec firewall policy is
needed to allow the transmission of encrypted packets, specify
the permitted direction of VPN traffic, and select the VPN tunnel
that will be subject to the policy. A single policy is needed to
control both inbound and outbound IP traffic through a VPN
tunnel.
Before you define the policy, you must first specify the IP source
and destination addresses. In the example hub-and-spoke
configuration:
 The IP source address corresponds to the HR network behind
ZXSEC US_1.
 The IP destination addresses refer to the private networks
behind Spoke_1 and Spoke_2, and the VIP addresses
associated with US Desktop dialup clients.
To define the IP source address of the HR network behind
ZXSEC US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
HR_Network).
Subnet/IP Range Enter the IP address of the HR network behind
ZXSEC US_1 (for example, 192.168.22.0/24).

To specify the destination address of IP packets delivered
to Spoke_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example, Site_1).
Subnet/IP Range Enter the IP address of the private network
behind Spoke_1 (for example, 192.168.33.0/24).

To specify the destination address of IP packets delivered
to Spoke_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example, Site_2).
Subnet/IP Range Enter the IP address of the private network behind
Spoke_2 (for example, 192.168.44.0/24).

To specify the VIP destination addresses assigned to US
Desktop dialup clients
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
VIP_addresses).
Subnet/IP Range Enter the IP address of the designated VIP network (for
example, 10.254.254.0/24).

To define the IPSec firewall policy for hub-to-Spoke_1
traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the interface to the HR network.
Address Name
HR_Network
Destination Interface/Zone
Select the interface to the external (public) network.
Address Name
Site_1
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US1toSP1_Tunnel

To define the IPSec firewall policy for hub-to-Spoke_2
traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the interface to the HR network.
Address Name
HR_Network
Destination Interface/Zone
Select the interface to the external (public) network.
Address Name
Site_2
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US1toSP2_Tunnel

To define the IPSec firewall policy for hub-to-US Desktop traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the interface to the HR network.
Address Name
HR_Network
Destination Interface/Zone
Select the interface to the external (public) network.
Address Name
VIP_addresses
Schedule As required
Service As required
Action IPSEC
VPN Tunnel US1toDialupClients

3. In the policy list, arrange the policies in the following order:
 IPSec policies that control traffic between the hub and the
spokes first
 the default firewall policy last
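To see why the ordering in step 3 matters, the following added example (not from the guide) models the hub's policy table in Python and performs first-match lookup over the three IPSec policies plus an assumed default internal-to-external ACCEPT policy for ordinary Internet access. The interface names internal and external, the HTTP service and the default policy are assumptions; the address objects and tunnel names are the example's. With the IPSec policies on top, HR-to-Site_1 traffic selects US1toSP1_Tunnel and the reverse flow arriving from Site_1 matches the same policy. With the default policy on top, the same packets match it first and would leave the external interface as ordinary NATed traffic, unencrypted; shadowed_tunnels() reports every tunnel that a broader earlier policy hides in this way.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Address objects as named in the example; "all" is the implicit any-address object.
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "HR_Network": ipaddress.ip_network("192.168.22.0/24"),
    "Site_1": ipaddress.ip_network("192.168.33.0/24"),
    "Site_2": ipaddress.ip_network("192.168.44.0/24"),
    "VIP_addresses": ipaddress.ip_network("10.254.254.0/24"),
}


@dataclass(frozen=True)
class Policy:
    src_if: str
    src_addr: str
    dst_if: str
    dst_addr: str
    service: str              # "ANY" or one named service
    action: str               # "IPSEC" or "ACCEPT"
    tunnel: Optional[str] = None


def _covers(p: Policy, src_if: str, src_ip, dst_if: str, dst_ip, service: str) -> bool:
    return (p.src_if == src_if and p.dst_if == dst_if
            and src_ip in ADDRESSES[p.src_addr]
            and dst_ip in ADDRESSES[p.dst_addr]
            and p.service in ("ANY", service))


def lookup(policies: List[Policy], src_if: str, src_ip: str, dst_if: str, dst_ip: str,
           service: str = "HTTP") -> Optional[Policy]:
    """First-match policy lookup, top of the list first. An IPSEC policy also matches
    the reverse flow (traffic arriving through its tunnel), since one IPSec policy
    controls both directions."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if _covers(p, src_if, s, dst_if, d, service):
            return p
        if p.action == "IPSEC" and _covers(p, dst_if, d, src_if, s, service):
            return p
    return None


def shadowed_tunnels(policies: List[Policy]) -> List[str]:
    """Tunnels whose IPSEC policy can never match because a non-IPSEC policy placed
    above it already covers the same interfaces, addresses and services."""
    shadowed = []
    for i, p in enumerate(policies):
        if p.action != "IPSEC":
            continue
        for q in policies[:i]:
            if (q.action != "IPSEC" and q.src_if == p.src_if and q.dst_if == p.dst_if
                    and ADDRESSES[p.src_addr].subnet_of(ADDRESSES[q.src_addr])
                    and ADDRESSES[p.dst_addr].subnet_of(ADDRESSES[q.dst_addr])
                    and q.service in ("ANY", p.service)):
                shadowed.append(p.tunnel)
                break
    return shadowed


def hub_policies(default_first: bool = False) -> List[Policy]:
    """The hub's policy list. default_first=True models the mistake the guide warns
    against: the general internal-to-external policy placed above the IPSec policies."""
    ipsec = [
        Policy("internal", "HR_Network", "external", "Site_1", "ANY", "IPSEC", "US1toSP1_Tunnel"),
        Policy("internal", "HR_Network", "external", "Site_2", "ANY", "IPSEC", "US1toSP2_Tunnel"),
        Policy("internal", "HR_Network", "external", "VIP_addresses", "ANY", "IPSEC", "US1toDialupClients"),
    ]
    # Assumed default policy (not in the guide): NATed Internet access for the HR network.
    default = [Policy("internal", "all", "external", "all", "ANY", "ACCEPT")]
    return default + ipsec if default_first else ipsec + default


if __name__ == "__main__":
    for order in (False, True):
        table = hub_policies(default_first=order)
        hit = lookup(table, "internal", "192.168.22.10", "external", "192.168.33.5")
        print("default first" if order else "IPSec first", "->", hit.action, hit.tunnel,
              "shadowed:", shadowed_tunnels(table))
```

The same check applies to each spoke's list: every Site_1-to-Site_2, Site_1-to-hub and Site_1-to-VIP policy sits above the spoke's default outbound policy, or the traffic for those destinations is NATed to the Internet instead of entering SP1toUS1_Tunnel.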

Define the VPN concentrator
The concentrator specifies which spokes to include in the hub-
and-spoke configuration.
To define the VPN concentrator
1. Go to VPN > IPSec > Concentrator and select Create New.
2. In the Concentrator Name field, type a name to identify the
concentrator (for example, Hub_1).
3. From the Available Tunnels list, select US1toSP1_Tunnel and
select the right-pointing arrow.
4. From the Available Tunnels list, select US1toSP2_Tunnel and
select the right-pointing arrow.
5. From the Available Tunnels list, select US1toDialupClients
and select the right-pointing arrow.
6. Select OK.

Configuring Spoke_1
The Spoke_1 configuration requires the following settings:
 phase 1 authentication parameters to initiate a connection
with the hub
 phase 2 tunnel creation parameters to establish a VPN tunnel
with the hub
 a source address that represents the network behind
Spoke_1
 a destination address that represents the HR network behind
the hub
 an IPSec firewall policy to enable communications between
Spoke_1 and the hub
 a destination address that represents the network behind
Spoke_2
 an IPSec firewall policy to enable communications between
Spoke_1 and Spoke_2
 a destination address that represents the VIP addresses
assigned to US Desktop dialup clients
 an IPSec firewall policy to enable communications between
Spoke_1 and the US Desktop dialup clients
To define the phase 1 parameters
1. At Spoke_1, go to VPN > IPSEC > Auto Key.

2. Select Create Phase 1, enter the following information, and
select OK:
Name Type a name for the hub (for example, ZXSEC US_1).
Remote Gateway Static IP Address
IP Address 172.16.10.1
Local Interface Select the interface that connects to the public
network (for example, External).
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. The value must be
identical to the preshared key that you specified previously in the
ZXSEC US_1 configuration.
Peer Options Accept any peer ID
To define the phase 2 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2, enter the following information, and
select OK:
Name Enter a name for the tunnel (for example,
SP1toUS1_Tunnel).
Phase 1 Select the name that you defined previously for the hub
(for example, ZXSEC US_1).

To define the IP source address of the network behind
Spoke_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example, Site_1).
Subnet/IP Range Enter the IP address of the private network
behind Spoke_1 (for example, 192.168.33.0/24).

To specify the destination address of IP packets delivered
to ZXSEC US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
HR_Network).
Subnet/IP Range Enter the IP address of the HR network
behind ZXSEC US_1 (for example, 192.168.22.0/24).
To define the IPSec firewall policy to enable
communications with the hub
1. Go to Firewall > Policy.

2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the interface to the internal (private) network.
Address Name
Site_1
Destination Interface/Zone
Select the interface to the external (public) network.
Address Name
HR_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel SP1toUS1_Tunnel

To specify the IP address of the network behind Spoke_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example, Site_2).
Subnet/IP Range Enter the IP address of the network behind Spoke_2
(for example, 192.168.44.0/24).

To define the IPSec firewall policy for Spoke_1-to-Spoke_2
traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the interface to the internal (private) network.
Address Name
Site_1
Destination Interface/Zone
Select the interface to the external (public) network.
Address Name
Site_2
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel SP1toUS1_Tunnel

To specify the VIP destination addresses assigned to US
Desktop dialup clients
1. Go to Firewall > Address.

2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
VIP_addresses).
Subnet/IP Range Enter the IP address of the designated VIP network (for
example, 10.254.254.0/24).

To define the IPSec firewall policy for Spoke_1-to-US
Desktop traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the interface to the internal (private) network.
Address Name
Site_1
Destination Interface/Zone
Select the interface to the external (public) network.
Address Name
VIP_addresses
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel SP1toUS1_Tunnel

3. In the policy list, arrange the policies in the following order:
 IPSec policies that control traffic between Spoke_1 and
the hub first
 the default firewall policy last

Configuring Spoke_2
The Spoke_2 configuration requires the following settings:
 phase 1 authentication parameters to initiate a connection
with the hub
 phase 2 tunnel creation parameters to establish a VPN
tunnel with the hub
 a source address that represents the network behind
Spoke_2
 a destination address that represents the HR network
behind the hub
 an IPSec firewall policy to enable communications
between Spoke_2 and the hub

 a destination address that represents the network behind
Spoke_1
 an IPSec firewall policy to enable communications
between Spoke_2 and Spoke_1
 the destination address that represents the VIP addresses
assigned to US Desktop dialup clients
 an IPSec firewall policy to enable communications
between Spoke_2 and the US Desktop dialup clients
Define the phase 1 and phase 2 parameters at Spoke_2 in the
same way as for Spoke_1 (remote gateway 172.16.10.1, the
preshared key that the hub uses for Spoke_2, and a tunnel name
such as SP2toUS1_Tunnel), and define the Site_2
(192.168.44.0/24) and HR_Network (192.168.22.0/24) addresses.
Then define the firewall policies.
To define the IPSec firewall policy to enable
communications with the hub
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the interface to the internal (private) network.
Address Name
Site_2
Destination Interface/Zone
Select the interface to the external (public) network.
Address Name
HR_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel SP2toUS1_Tunnel

To specify the IP address of the network behind Spoke_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example, Site_1).
Subnet/IP Range Enter the IP address of the network behind Spoke_1
(for example, 192.168.33.0/24).

To define the IPSec firewall policy for Spoke_2-to-Spoke_1
traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the interface to the internal (private) network.
Address Name
Site_2

Destination Interface/Zone
Select the interface to the external (public) network.
Address Name
Site_1
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel SP2toUS1_Tunnel

To specify the VIP destination addresses assigned to US
Desktop dialup clients
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
VIP_addresses).
Subnet/IP Range Enter the IP address of the designated VIP
network (for example, 10.254.254.0/24).

To define the IPSec firewall policy for Spoke_2-to-US
Desktop traffic
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the interface to the internal (private) network.
Address Name
Site_2
Destination Interface/Zone
Select the interface to the external (public) network.
Address Name
VIP_addresses
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel SP2toUS1_Tunnel

3. In the policy list, arrange the policies in the following order:
 IPSec policies that control traffic between Spoke_2 and
the hub first
 the default firewall policy last

Configuring the US Desktop software
The following procedure explains how to configure the US
Desktop Host Security application to connect to ZXSEC US_1.
Each US Desktop dialup client uses its manually assigned VIP
address as its IP source address for the duration of the
connection.
To configure US Desktop
At the remote host, start US Desktop.
1. Go to VPN > Connections and select Add.
2. In the Connection Name field, type a descriptive name for the
connection (for example, ZXSEC US_1).
3. In the Remote Gateway field, type the public static IP address
of the ZXSEC US hub (for example, 172.16.10.1).
4. In the Remote Network fields, type the private IP address
and netmask of the HR network behind the ZXSEC US unit
(for example, 192.168.22.0/255.255.255.0).
5. From the Authentication Method list, select Preshared Key.
6. In the Preshared Key field, type the preshared key. The value
must be identical to the preshared key that you specified
previously for US Desktop dialup clients in the ZXSEC US_1
configuration.
7. Select Advanced.
8. In the Advanced Settings dialog box, select Acquire virtual IP
address.
9. Select Manually Set.
10. In the IP and Subnet Mask fields, enter the VIP address and
netmask that the US Desktop Host Security application will use
as its source address for transmitting IP packets through the
tunnel (for example, 10.254.254.1/255.255.255.0).

Note: US Desktop settings determine which DNS server and
Windows Internet Name Service (WINS) server the client can
access after the tunnel has been established. For more
information, refer to US Desktop online Help.
11. Select OK.
12. Retain the default advanced settings unless changes are
needed to make the IKE and IPSec proposals match the
phase 1 and 2 settings on the ZXSEC US hub.
13. In the Remote Network group, select Add.

14. In the IP and Subnet Mask fields, type the IP address of the
private network behind Spoke_1 (for example,
192.168.33.0/255.255.255.0) and select OK.
15. In the Remote Network group, select Add.
16. In the IP and Subnet Mask fields, type the IP address of the
private network behind Spoke_2 (for example,
192.168.44.0/255.255.255.0) and select OK.
17. Select OK twice to close the dialog boxes.
18. Exit US Desktop and repeat this procedure at all other remote
US Desktop hosts. When you assign a VIP address to the next
remote US Desktop host in Step 10, ensure that you use a
different VIP address from the designated VIP network.



Chapter 5

Dynamic DNS configurations

Overview
This section describes how to configure a site-to-site VPN, in
which one ZXSEC US unit has a static IP address and the other
ZXSEC US unit has a static domain name and a dynamic IP
address.
The following topics are included in this section:
 Configuration overview
 General configuration steps
 Configure the dynamically-addressed VPN peer
 Configure the fixed-address VPN peer

Configuration overview
In this type of scenario, one of the ZXSEC US units in a gateway-
to-gateway configuration has a static domain name (for example,
example.com) and a dynamic IP address. Refer to ZXSEC US_2
in Figure 8. Whenever that ZXSEC US unit connects to the
Internet (and possibly also at predefined intervals set by the ISP),
the ISP may assign a different IP address to the ZXSEC US unit.
Therefore, remote peers have to locate the ZXSEC US unit
through DNS lookup.

Figure 8 Example dynamic DNS configuration

In Figure 8, ZXSEC US_1 requests a DNS lookup before initiating
a connection to ZXSEC US_2. ZXSEC US_2 pushes its dynamic IP
address to a dynamic DNS server whenever its address changes
to ensure that all DNS servers are updated.
When a remote peer (such as ZXSEC US_1 in Figure 8) initiates
a connection to the domain name, a DNS server looks up and
returns the IP address that matches the domain name. The
remote peer uses the retrieved IP address to establish a
connection with the ZXSEC US unit.
To ensure that DNS servers are able to discover the current IP
address associated with a ZXSEC US domain name, the ZXSEC
US unit with the domain name subscribes to a dynamic DNS
service. A dynamic DNS service ensures that any changes to IP
addresses are propagated to all Internet DNS servers.
Whenever the ZXSEC US unit detects that its IP address has
changed, it notifies the dynamic DNS server and provides the
new IP address to the server. The dynamic DNS server makes
the updated IP address available to all DNS servers and the new
IP address remains in effect until the ZXSEC US unit detects that
its IP address has changed again. Caching DNS servers keep
returning the old address until the record's time-to-live (TTL)
expires, which is why dynamic DNS records are published with
a short TTL.
A ZXSEC US unit that has a static domain name and a dynamic IP
address can initiate VPN connections anytime—the remote peer
replies to the ZXSEC US unit using the source IP address that
was sent in the packet header. However, changes to a dynamic
IP address must be resolved before a remote peer can establish a
VPN connection to the domain name—the remote peer must
request a DNS lookup for the matching IP address before
initiating the connection.
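The timing consequence of the lookup described above, as an added example that is not part of the guide: a constructed stand-in for the dynamic DNS service and a Python model of the fixed-address peer's Dynamic DNS remote-gateway entry. The FakeDns class, the documentation-range addresses 198.51.100.10 and 198.51.100.20, and the reuse/renegotiate decisions are assumptions made for the illustration. The scenario shows that after the dynamic peer's address changes, the initiator keeps using the cached address until the record's TTL expires, so the time during which the VPN cannot be re-established is bounded by the TTL that the dynamic DNS service publishes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Tuple[str, int]]   # name -> (address, TTL in seconds)


class FakeDns:
    """Constructed stand-in for the dynamic DNS service plus caching resolvers.
    Not a real resolver: a ZXSEC US unit queries the DNS server it is configured with."""

    def __init__(self) -> None:
        self.records: Dict[str, Tuple[str, int]] = {}

    def publish(self, name: str, addr: str, ttl: int) -> None:
        """What the dynamic DNS client on the dynamically-addressed peer does after a change."""
        self.records[name] = (addr, ttl)

    def resolve(self, name: str) -> Tuple[str, int]:
        return self.records[name]


@dataclass
class DynamicDnsGateway:
    """Remote-gateway entry of type Dynamic DNS on the fixed-address peer."""
    name: str
    resolver: Resolver
    cached_addr: Optional[str] = None
    cache_expires: float = 0.0
    tunnel_peer: Optional[str] = None   # address the current phase 1 SA was negotiated with

    def address(self, now: float) -> str:
        """Return the peer address, re-resolving the name once the cached record has expired."""
        if self.cached_addr is None or now >= self.cache_expires:
            self.cached_addr, ttl = self.resolver(self.name)
            self.cache_expires = now + ttl
        return self.cached_addr

    def initiate(self, now: float) -> Tuple[str, str]:
        """What the initiator does before sending IKE: reuse the tunnel if the address is
        unchanged, otherwise (re)negotiate against the address DNS now returns."""
        addr = self.address(now)
        if self.tunnel_peer == addr:
            return ("reuse", addr)
        action = "renegotiate" if self.tunnel_peer else "establish"
        self.tunnel_peer = addr
        return (action, addr)


def scenario(ttl: int = 60) -> List[Tuple[float, str, str]]:
    """Timeline: the dynamic peer's address changes shortly before t=45; the initiator
    only notices once its cached record expires, so a long TTL lengthens the outage."""
    dns = FakeDns()
    dns.publish("example.com", "198.51.100.10", ttl)     # constructed documentation address
    gw = DynamicDnsGateway("example.com", dns.resolve)
    events: List[Tuple[float, str, str]] = []
    for t in (0, 30, 45, 70):
        if t == 45:
            dns.publish("example.com", "198.51.100.20", ttl)   # ISP reassigned the address
        events.append((t,) + gw.initiate(t))
    return events


if __name__ == "__main__":
    print("TTL 60:", scenario(60))   # stale address at t=45, recovered only at t=70
    print("TTL 5: ", scenario(5))    # re-resolved immediately, renegotiated at t=45
```

Two practical points follow from the model. The cached address on the fixed-address peer is only as fresh as the TTL, so a unit that detects a dead peer should re-resolve rather than retry the old address. And the DNS answer itself is not authenticated: a spoofed record can send IKE traffic to the wrong host, but that host cannot complete phase 1 without the preshared key, which is why the key, not the peer ID or the address, is what authenticates the peer.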

Dynamic DNS infrastructure requirements
 A basic gateway-to-gateway configuration must be in
place (refer to “Gateway-to-gateway configurations”),
except that one of the ZXSEC US units has a static domain
name and a dynamic IP address instead of a static IP
address.
 A DNS server must be available to VPN peers that initiate
connections to the domain name. For instructions about
how to configure ZXSEC US units to look up the IP
address of a domain name, refer to the “System Network
DNS” section of the ZXSEC US Administration Guide.
 The ZXSEC US unit with the domain name must subscribe
to one of the supported dynamic DNS services. Contact
one of the services to set up an account. For more
information and instructions about how to configure the
ZXSEC US unit to push its dynamic IP address to a
dynamic DNS server, refer to the “System Network
Interface” section of the ZXSEC US Administration Guide.

General configuration steps
When a ZXSEC US unit receives a connection request from a
remote VPN peer, it uses IPSec phase 1 parameters to establish
a secure connection and authenticate the VPN peer. Then, if the
firewall policy permits the connection, the ZXSEC US unit
establishes the tunnel using IPSec phase 2 parameters and
applies the firewall policy. Key management, authentication, and
security services are negotiated dynamically through the IKE
protocol.
To support these functions, the following general
configuration steps must be performed:
 Configure the ZXSEC US unit that has a domain name
with a dynamic IP address. This unit uses a Local ID
string to identify itself to the remote peer. Refer to
“Configure the dynamically-addressed VPN peer”.
 Configure the fixed-address VPN peer. To initiate a VPN
tunnel with the dynamically-addressed peer, this unit
must retrieve the IP address for the domain from the
dynamic DNS service. Refer to “ Configure the fixed-
address VPN peer” .

Configure the dynamically-addressed VPN peer
Configure the ZXSEC US unit that has a domain name as follows:
1. Define the phase 1 parameters needed to establish a secure
connection with the remote peer. Refer to “Auto Key phase 1
parameters”. Select Advanced and enter these settings in
particular:
Name Enter a name to identify the VPN tunnel. This name
appears in phase 2 configurations, firewall policies and the
VPN monitor.
Remote Gateway Select Static IP Address.
IP Address Type the IP address of the public interface to the
remote peer.
Mode Select Aggressive.
Local ID Type a character string that the local ZXSEC US
unit can use to identify itself to the remote peer (for example,
you could type the fully qualified domain name of the ZXSEC
US unit, example.com). This value must be identical to the
value in the Accept this peer ID field of the phase 1 remote
gateway configuration on the remote peer.

Note: Aggressive mode is used because the remote peer cannot
select a preshared key by this unit's changing IP address and
must receive the Local ID in the first exchange. In aggressive
mode the identity travels in the clear and the preshared-key
authentication hash can be captured for offline dictionary
attack, so the preshared key for this tunnel must be long and
randomly generated.
2. Define the phase 2 parameters needed to create a VPN tunnel
with the remote peer. Refer to “Phase 2 parameters” . Enter
these settings in particular:
Name Enter a name to identify this phase 2
configuration.
Phase 1 Select the name of the phase 1 configuration that you
defined.
3. Define names for the addresses or address ranges of the
private networks that the VPN links. These addresses are
used in the firewall policies that permit communication
between the networks. For more information, refer to
“Defining firewall addresses”
.
Enter these settings in particular:
 Define an address name for the IP address and netmask of
the private network behind the local ZXSEC US unit.
 Define an address name for the IP address and netmask of
the private network behind the remote peer.
4. Define firewall policies to permit communications between the
private networks through the VPN tunnel. Route-based and
policy-based VPNs require different firewall policies. For
detailed information about creating firewall policies, refer to
“Defining firewall policies”.

Policy-based VPN firewall policies
Define an IPSec policy to permit communication between the
private networks. Enter these settings in particular, and then
select OK:
Source Interface/Zone Select the interface that connects to the
private network behind this ZXSEC US unit.
Source Address Name Select the address name that you
defined in Step 3 for the private network behind this ZXSEC US unit.
Destination Interface/Zone Select the ZXSEC US unit’s public
interface.
Destination Address Name Select the address name that
you defined in Step 3 for the private network behind the remote peer.
Action Select IPSEC.
VPN Tunnel Select the name of the phase 1
configuration that you created in Step 1.
Select Allow inbound to enable traffic from the remote
network to initiate the tunnel.
Select Allow outbound to enable traffic from the local network
to initiate the tunnel.

Route-based VPN firewall policies
Define ACCEPT firewall policies to permit communication between
the private networks. To define a policy to permit the local
ZXSEC US unit to initiate communication, enter these settings in
particular:
Source Interface/Zone Select the interface that connects to
the private network behind this ZXSEC US unit.
Source Address Name Select the address name that you
defined in Step 3 for the private network behind this ZXSEC
US unit.
Destination Interface/Zone Select the VPN Tunnel (IPSec
Interface) you configured in Step 1.
Destination Address Name Select the address name that
you defined in Step 3 for the private network behind the
remote peer.
Action Select ACCEPT.
NAT Disable.
To permit the remote peer to initiate communication, you
need to define a firewall
policy for communication in that direction. Enter these settings in
particular:
Source Interface/Zone Select the VPN Tunnel (IPSec
Interface) you configured in Step 1.

Source Address Name Select the address name that you
defined in Step 3 for the private network behind the remote
peer.
Destination Interface/Zone Select the interface that
connects to the private network behind this ZXSEC US unit.
Destination Address Name Select the address name that
you defined in Step 3 for the private network behind this
ZXSEC US unit.
Action Select ACCEPT.
NAT Disable.
5. Place these policies in the policy list above any other policies
having similar source and destination addresses.

Configure the fixed-address


VPN peer
The fixed-address VPN peer needs to retrieve the IP address
from the dynamic DNS service to initiate communication with the
dynamically-addressed peer that has a domain name. Configure
the fixed-address peer as follows:
1. Define the phase 1 parameters needed to establish a secure
connection with the remote peer. For more information, refer
to “Auto Key phase 1 parameters”. Enter these settings in
particular, and then select OK:
Name Enter a name to identify the VPN tunnel. This
name appears in phase 2 configurations, firewall policies and
the VPN monitor.
Remote Gateway Select Dynamic DNS.
Dynamic DNS Type the fully qualified domain name of the
remote peer (for example, example.com).
Mode Select Aggressive.
Peer Options Select Accept this peer ID, and type the
identifier of the dynamically-addressed ZXSEC US unit. This is
the value you entered in the Local ID field of the other unit’s
phase 1 remote gateway configuration.
2. Define the phase 2 parameters needed to create a VPN
tunnel with the remote peer. Refer to “Phase 2 parameters”.
Enter these settings in particular:
Name Enter a name to identify this phase 2 configuration.
Phase 1 Select the name of the phase 1 configuration that
you defined for the remote peer. You can select the name of
the remote gateway from the Dynamic DNS part of the list.

3. Define names for the addresses or address ranges of the
private networks that the VPN links. Refer to “Defining
firewall addresses” on page 161. Enter these settings in
particular:
• Define an address name for the IP address and netmask of
the private network behind the local ZXSEC US unit.
• Define an address name for the IP address and netmask of
the private network behind the remote peer.
4. Define the firewall policies to permit communications between
the source and destination addresses. Refer to “Defining
firewall policies”. Enter these settings in particular and then
select OK:
Source Interface/Zone Select the interface that connects to
the private network behind this ZXSEC US unit.
Source Address Name Select the address name that you
defined in Step 3 for the private network behind this ZXSEC
US unit.
Destination Interface/Zone Select the ZXSEC US unit’s
public interface.
Destination Address Name Select the address name that
you defined in Step 3 for the private network behind the
remote peer.
Action Select IPSEC.
VPN Tunnel Select the name of the phase 1
configuration that you created in Step 1.
Select Allow inbound to enable traffic from the remote
network to initiate the tunnel.
Select Allow outbound to enable traffic from the local network
to initiate the tunnel.
Route-based VPN firewall policies
Define an ACCEPT firewall policy to permit communications
between the source and destination addresses. Enter these
settings in particular:
Source Interface/Zone Select the interface that connects to
the private network behind this ZXSEC US unit.
Source Address Name Select the address name that you
defined in Step 3 for the private network behind this ZXSEC
US unit.
Destination Interface/Zone Select the VPN Tunnel (IPSec
Interface) you configured in Step 1.
Destination Address Name Select the address name that
you defined in Step 3 for the private network behind the
remote peer.
Action Select ACCEPT.
NAT Disable.

To permit the remote client to initiate communication, you need
to define a firewall policy for communication in that direction.
Enter these settings in particular:
Source Interface/Zone Select the VPN Tunnel (IPSec
Interface) you configured in Step 1.
Source Address Name Select the address name that you
defined in Step 3 for the private network behind the remote
peer.
Destination Interface/Zone Select the interface that
connects to the private network behind this ZXSEC US unit.
Destination Address Name Select the address name that
you defined in Step 3 for the private network behind this
ZXSEC US unit.
Action Select ACCEPT.
NAT Disable.
5. Place these policies in the policy list above any other policies
having similar source and destination addresses.

Chapter 6
US Desktop dialup-client configurations

Overview
The US Desktop Host Security application is a VPN client with
antivirus, antispam and firewall capabilities. This section explains
how to configure dialup VPN connections between a ZXSEC US
unit and one or more US Desktop Host Security applications.
US Desktop users are usually mobile or remote users who need
to connect to a private network behind a ZXSEC US unit. For
example, the users might be employees who connect to the
office network while traveling or from their homes.
For greatest ease of use, the US Desktop application can
download the VPN settings from the ZXSEC US unit to configure
itself automatically. This section covers both automatic and
manual configuration.

The following topics are included in this section:
• Configuration overview
• US Desktop-to-ZXSEC US VPN configuration steps
• Configure the ZXSEC US unit
• Configure the US Desktop Host Security application
• US Desktop dialup-client configuration example

Configuration overview
Dialup users typically obtain dynamic IP addresses from an ISP
through Dynamic Host Configuration Protocol (DHCP) or
Point-to-Point Protocol over Ethernet (PPPoE). Then, the US
Desktop Host Security application initiates a connection to a
ZXSEC US dialup server.

Figure 9 Example US Desktop dialup-client configuration

By default the US Desktop dialup client has the same IP address
as the host PC on which it runs. If the host connects directly to
the Internet, this is a public IP address. If the host is behind a
NAT device, such as a router, the IP address is a private IP
address. The NAT device must be NAT-T compatible to pass
encrypted packets (refer to “NAT traversal”). The US Desktop
application also can be configured to use a virtual IP address
(VIP). For the duration of the connection, the US Desktop
application and the ZXSEC US unit both use the VIP address as
the IP address of the US Desktop dialup client.
The US Desktop application sends its encrypted packets to the
VPN remote gateway, which is usually the public interface of the
ZXSEC US unit. It also uses this address to download VPN
settings from the ZXSEC US unit. Refer to “Automatic
configuration of US Desktop dialup clients”.

Peer identification
The US Desktop application can establish an IPSec tunnel with a
ZXSEC US unit configured to act as a dialup server. When the
ZXSEC US unit acts as a dialup server, it does not identify the
client using the phase 1 remote gateway address. The IPSec
tunnel is established if authentication is successful and the IPSec
firewall policy associated with the tunnel permits access. There
are several different ways to authenticate dialup clients and
restrict access to private networks based on client credentials.
For more information, refer to “Authenticating remote peers and
clients”.

Automatic configuration of US
Desktop dialup clients
The US Desktop application can obtain its VPN settings from the
ZXSEC US VPN server. US Desktop users need to know only the
ZXSEC US VPN server IP address and their user name and
password on the ZXSEC US unit.
The ZXSEC US unit listens for VPN policy requests from clients on
TCP port 8900. When the dialup client connects:
• The client initiates a Secure Sockets Layer (SSL)
connection to the ZXSEC US unit.
• The ZXSEC US unit requests a user name and password
from the US Desktop user. Using these credentials, it
authenticates the client and determines which VPN policy
applies to the client.
• Provided that authentication is successful, the ZXSEC US
unit downloads a VPN policy to the client over the SSL
connection. The information includes IPSec phase 1 and
phase 2 settings, and the IP addresses of the private
networks that the client is authorized to access.
• The client uses the VPN policy settings to establish an
IPSec phase 1 connection and phase 2 tunnel with the
ZXSEC US unit.

How the ZXSEC US unit determines which settings to apply
The ZXSEC US unit checks the virtual domain associated with the
connection to determine which VPN policies have been configured
in that domain. Each VPN policy specifies a user group and an
IPSec tunnel.
Next, the ZXSEC US unit selects the VPN policy that matches the
dialup client’s user group and determines which tunnel is
specified in the VPN policy. The ZXSEC US unit searches all IPSec
firewall policies to determine which policies specify the tunnel.
Finally, the ZXSEC US unit searches the implicated IPSec firewall
policies to determine which private network(s) the dialup clients
may access. The rest of the VPN policy information is retrieved
from the existing IPSec phase 1 and phase 2 parameters in the
dialup-client configuration.
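The three-step lookup just described, modelled in Python as an added example (not the unit's own code): the record types and field names are assumptions that mirror the CLI fields shown later in this chapter (phase2_name, usergroupname, status), and the sample configuration is constructed from the addresses and tunnel names used in this guide's example.

```python
"""Model of how the dialup server picks the VPN policy to download.
Added example with constructed data; the record types are assumptions
and are not the ZXSEC US unit's code."""
from dataclasses import dataclass


@dataclass
class VpnPolicy:
    """One VPN policy: a user group bound to a tunnel by its phase 2 name."""
    name: str
    usergroupname: str
    phase2_name: str
    status: str = "enable"


@dataclass
class Phase2:
    name: str
    phase1: str            # the phase 1 (tunnel) configuration it belongs to


@dataclass
class IpsecFirewallPolicy:
    """Policy-based VPN firewall policy with Action IPSEC."""
    srcaddr: str           # private network behind the unit (what clients reach)
    dstaddr: str           # VIP subnet, or "all"
    vpntunnel: str         # phase 1 name selected under VPN Tunnel
    inbound: bool = True   # Allow inbound


@dataclass
class Vdom:
    vpn_policies: list
    phase2s: list
    firewall_policies: list
    groups: dict           # group name -> set of user names


def resolve_vpn_policy(vdom, user):
    """Return what would be pushed to `user`, or raise LookupError.

    Step 1: VPN policies of the connection's VDOM, filtered by user group.
    Step 2: the tunnel named by the matching policy (phase 2 -> phase 1).
    Step 3: IPSec firewall policies that reference that phase 1; their
            source addresses are the private networks the client may access.
    """
    user_groups = {g for g, members in vdom.groups.items() if user in members}
    matches = [p for p in vdom.vpn_policies
               if p.status == "enable" and p.usergroupname in user_groups]
    if not matches:
        raise LookupError(f"no enabled VPN policy for user {user!r}")
    policy = matches[0]    # first match wins: keep one policy per group
    phase2 = next((p for p in vdom.phase2s if p.name == policy.phase2_name), None)
    if phase2 is None:
        raise LookupError(f"VPN policy {policy.name} names unknown phase 2 "
                          f"{policy.phase2_name}")
    networks = sorted({fp.srcaddr for fp in vdom.firewall_policies
                       if fp.vpntunnel == phase2.phase1 and fp.inbound})
    if not networks:
        raise LookupError(f"no IPSec firewall policy allows inbound traffic "
                          f"on tunnel {phase2.phase1}")
    return {"policy": policy.name, "phase1": phase2.phase1,
            "phase2": phase2.name, "networks": networks}


# Constructed sample configuration (names and subnets from this guide's example).
SAMPLE_VDOM = Vdom(
    vpn_policies=[
        VpnPolicy("sales_vpn", "sales", "US1toDialupP2"),
        VpnPolicy("old_vpn", "contractors", "US1toDialupP2", status="disable"),
    ],
    phase2s=[Phase2("US1toDialupP2", "US1toDialupClients")],
    firewall_policies=[
        IpsecFirewallPolicy("192.168.12.0/24", "10.254.254.0/24", "US1toDialupClients"),
        IpsecFirewallPolicy("10.10.10.0/24", "all", "OtherTunnel"),
    ],
    groups={"sales": {"alice"}, "contractors": {"bob"}},
)

if __name__ == "__main__":
    print(resolve_vpn_policy(SAMPLE_VDOM, "alice"))
```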

Using virtual IP addresses


When the US Desktop host PC is located behind a NAT device,
unintended IP address overlap issues may arise between the
private networks at the two ends of the tunnel. For example, the
client’s host might receive a private IP address from a DHCP
server on its network that by coincidence is the same as a
private IP address on the network behind the ZXSEC US unit. A
conflict will occur in the host’s routing table and the US Desktop
Host Security application will be unable to send traffic through
the tunnel. Configuring virtual IP (VIP) addresses for US Desktop
applications prevents this problem.
Using VIPs ensures that client IP addresses are in a predictable
range. You can then define firewall policies that allow access only
to that source address range. If you do not use VIP, the firewall
policies must allow all source addresses because you cannot
predict the IP address for a remote mobile user.
The US Desktop application must not have the same IP address
as any host on the private network behind the ZXSEC US unit or
any other connected US Desktop application. You can ensure this
by reserving a range of IP addresses on the private network for
US Desktop users. Or, you can assign US Desktop VIPs from an
uncommonly used subnet such as 10.254.254.0/24 or
192.168.254.0/24.
You can reserve a VIP address for a particular client according to
its device MAC address and type of connection. The DHCP server
then always assigns the reserved VIP address to the client. For
more information about this feature, refer to the “dhcp
reserved-address” section in the “system” chapter of the ZXSEC
US CLI Reference.

Note:
To determine the VIP address that the US Desktop Host Security
application is using, type ipconfig /all at the Windows
Command Prompt on the US Desktop host. The output will also
show the IP address that has been assigned to the host Network
Interface Card (NIC).
It is best to assign VIPs using DHCP over IPSec. The ZXSEC US
dialup server can act as a DHCP server or relay requests to an
external DHCP server. You can also configure VIPs manually on
US Desktop applications, but it is more difficult to ensure that all
clients use unique addresses.

Note:
If you assign a VIP on the private network behind the ZXSEC US
unit and enable DHCP-IPsec (a phase 2 advanced option), the
ZXSEC US unit acts as a proxy on the local private network for
the US Desktop dialup client. Whenever a host on the network

behind the dialup server issues an ARP request for the device
MAC address of the US Desktop host, the ZXSEC US unit
answers the ARP request on behalf of the US Desktop host and
forwards the associated traffic to the US Desktop host through
the tunnel. For more information, refer to “DHCP-IPsec”.

Note: ZXSEC US units fully support RFC 3456, Dynamic
Host Configuration Protocol (DHCPv4) Configuration of IPsec
Tunnel Mode. The ZXSEC US DHCP over IPSec feature can be
enabled to allocate VIP addresses to US Desktop dialup clients
using a ZXSEC US DHCP server if a policy-based VPN is
configured. DHCP over IPSec is not compatible with ZXSEC US
route-based VPNs.
Figure 10 shows an example of a US Desktop-to-ZXSEC US VPN
where the US Desktop application is assigned a VIP on an
uncommonly used subnet. The diagram also shows that while the
destination for the information in the encrypted packets is the
private network behind the ZXSEC US unit, the destination of the
IPSec packets themselves is the public interface of the ZXSEC US
unit that acts as the end of the VPN tunnel.

Figure 10 IP address assignments in a US Desktop dialup-client configuration

US Desktop dialup-client
infrastructure requirements
• To support policy-based VPNs, the ZXSEC US dialup
server may operate in either NAT/Route mode or
Transparent mode. NAT/Route mode is required if you
want to create a route-based VPN.
• If the US Desktop dialup clients will be configured to
obtain VIP addresses through ZXSEC US DHCP relay, a
DHCP server must be available on the network behind the
ZXSEC US unit and the DHCP server must have a direct
route to the ZXSEC US unit.
• If the ZXSEC US interface to the private network is not
the default gateway, the private network behind the
ZXSEC US unit must be configured to route IP traffic
destined for dialup clients back (through an appropriate
gateway) to the ZXSEC US interface to the private
network. As an alternative, you can configure the IPSec
firewall policy on the ZXSEC US unit to perform inbound
NAT on IP packets. Inbound NAT translates the source
addresses of inbound decrypted packets into the IP
address of the ZXSEC US interface to the local private
network.

US Desktop-to-ZXSEC US
VPN configuration steps
Configuring dialup client capability for US Desktop dialup clients
involves the following general configuration steps:
• If you will be using VIP addresses to identify dialup clients,
determine which VIP addresses to use. As a precaution,
consider using VIP addresses that are not commonly used.
• Configure the ZXSEC US unit to act as a dialup server.
Refer to “Configure the ZXSEC US unit”.
• If the dialup clients will be configured to obtain VIP
addresses through DHCP over IPSec, configure the ZXSEC
US unit to act as a DHCP server or to relay DHCP requests
to an external DHCP server.
• Configure the dialup clients. Refer to “Configure the US
Desktop Host Security application”.

Note:
When a ZXSEC US unit has been configured to accept
connections from US Desktop dialup-clients, you can optionally
arrange to have an IPSec VPN configuration downloaded to
ZXSEC US dialup clients automatically. For more information,
refer to “Configuring the ZXSEC US unit as a VPN policy server”.

Configure the ZXSEC US unit
Configuring the ZXSEC US unit to establish VPN connections with
US Desktop Host Security users involves the following steps:
• configure the VPN settings
• if the dialup clients use automatic configuration, configure
the ZXSEC US unit as a VPN policy server
• if the dialup clients obtain virtual IP addresses by DHCP
over IPSec, configure an IPSec DHCP server or relay
(policy-based VPN only)
The procedures in this section cover basic setup of policy-based
and route-based VPNs compatible with US Desktop Host Security.
A route-based VPN is simpler to configure, but it does not
support DHCP over IPSec assignment of virtual addresses to US
Desktop users.
Only common preshared key and certificate authentication is
shown here. For information about other types of authentication,
refer to the Authenticating US Desktop Dialup Clients Technical
Note.
The default ZXSEC US phase 1 and 2 VPN settings match the
default US Desktop VPN settings if you have registered (licensed)
your US Desktop application.

Note:
To accept connections from US Desktop evaluation version
applications, you must select DES for encryption and MD5 for
authentication.

Configuring ZXSEC US unit VPN settings
To configure ZXSEC US unit VPN settings to support US Desktop
users, you need to:
• configure the ZXSEC US Phase 1 VPN settings
• configure the ZXSEC US Phase 2 VPN settings
• add the firewall policy
1. At the local ZXSEC US unit, define the phase 1 configuration
needed to establish a secure connection with the US Desktop
peer. Refer to “ Auto Key phase 1 parameters” . Enter these
settings in particular:
Name Enter a name to identify the VPN tunnel. This name
appears in phase 2 configurations, firewall policies and the
VPN monitor.
Remote Gateway Select Dialup User.
Local Interface Select the interface through which clients
connect to the ZXSEC US unit.
Mode Select Main (ID Protection).
Authentication Method Select Pre-shared Key.
Pre-shared Key Enter the pre-shared key. This must be the
same preshared key provided to the US Desktop users.
Peer option Select Accept any peer ID.
Enable IPSec Interface Mode You must select Advanced to
see this setting. If IPSec Interface Mode is enabled, the
ZXSEC US unit creates a virtual IPSec interface for a route-
based VPN. Disable this option if you want to create a policy-
based VPN. After you select OK to create the phase 1
configuration, you cannot change this setting.

2. Define the phase 2 parameters needed to create a VPN
tunnel with the US Desktop peer. Refer to “Phase 2
parameters”. Enter these settings in particular:
Name Enter a name to identify this phase 2 configuration.
Phase 1 Select the name of the phase 1 configuration that
you defined.
Advanced Select to configure the following optional setting.
DHCP-IPsec Select if you provide virtual IP addresses to
clients using DHCP.
3. Define names for the addresses or address ranges of the
private networks that the VPN links. These addresses are
used in the firewall policies that permit communication
between the networks. For more information, refer to
“Defining firewall addresses”.
Enter these settings in particular:
• Define an address name for the individual address or the
subnet address that the dialup users access through the
VPN.
• If US Desktop users are assigned virtual IP addresses,
define an address name for the subnet to which these
VIPs belong.
4. Define firewall policies to permit communication between the
private networks through the VPN tunnel. Route-based and
policy-based VPNs require different firewall policies. For
detailed information about creating firewall policies, refer to
“Defining firewall policies”.
Policy-based VPN firewall policy
Define an IPSec firewall policy to permit communications between
the source and destination addresses. Enter these settings in
particular:
Source Interface/Zone Select the interface that connects to the
private network behind this ZXSEC US unit.
Source Address Name Select the address name that you
defined in Step 3 for the private network behind this ZXSEC US unit.
Destination Interface/Zone Select the ZXSEC US unit’s
public interface.
Destination Address Name If US Desktop users are
assigned VIPs, select the address name that you defined in Step 3 for
the VIP subnet. Otherwise, select All.
Action Select IPSEC.
VPN Tunnel Select the name of the phase 1 configuration that you
created in Step 1.
Select Allow inbound to enable traffic from the remote network to
initiate the tunnel.
Select Allow Outbound if you want to allow hosts on the private
network to initiate communications with the US Desktop users after
the tunnel is established.
Route-based VPN firewall policies
Define an ACCEPT firewall policy to permit communications
between the source and destination addresses. Enter these
settings in particular:
Source Interface/Zone Select the VPN Tunnel (IPSec Interface)
you configured in Step 1.
Source Address Name Select All.
Destination Interface/Zone Select the interface that
connects to the private network behind this ZXSEC US unit.
Destination Address Name Select All.
Action Select ACCEPT.

NAT Disable.
If you want to allow hosts on the private network to initiate
communications with the US Desktop users after the tunnel is
established, you need to define a firewall policy for
communication in that direction. Enter these settings in particular:
Source Interface/Zone Select the interface that connects to
the private network behind this ZXSEC US unit.
Source Address Name Select All.
Destination Interface/Zone Select the VPN Tunnel (IPSec
Interface) you configured in Step 1.
Destination Address Name Select All.
Action Select ACCEPT.
NAT Disable.
5. Place VPN policies in the policy list above any other policies
having similar source and destination addresses.

Configuring the ZXSEC US unit as a VPN policy server
When a US Desktop application set to automatic configuration
connects to the ZXSEC US unit, the ZXSEC US unit requests a
user name and password. If the user supplies valid credentials,
the ZXSEC US unit downloads the VPN settings to the US
Desktop application.
You must do the following to configure the ZXSEC US unit to
work as a VPN policy server for US Desktop automatic
configuration:
1. Create user accounts for US Desktop users.
2. Create a user group for US Desktop users and the user
accounts that you created in step 1.
For more information about user accounts and user groups,
refer to the ZXSEC US User Authentication Guide or to the
User chapter of the ZXSEC US Administration Guide.
3. Connect to the ZXSEC US unit CLI and configure VPN policy
distribution as follows:
config vpn ipsec US Desktop
edit <policy_name>
set phase2_name <tunnel_name>
set usergroupname <group_name>
set status enable
end

<tunnel_name> must be the Name you specified in step 2 of
“Configure the ZXSEC US unit”. <group_name> must be the name
of the user group you created for US Desktop users.

Configuring DHCP service on the ZXSEC US unit
If the US Desktop dialup clients are configured to obtain a VIP
address using DHCP, configure the ZXSEC US dialup server to
either:
• relay DHCP requests to a DHCP server behind the ZXSEC
US unit (refer to “To configure DHCP relay on the ZXSEC
US unit” below).
• act as a DHCP server (refer to “To configure a DHCP
server on the ZXSEC US unit”).
To configure DHCP relay on the ZXSEC US unit
1. Go to System > DHCP > Service.
2. Expand the row that corresponds to the interface to the
Internet (for example, external or wan1).
3. In the Relay row beneath the interface name, select the Edit
icon.
4. Select DHCP Relay Agent Enable.
5. For Type select IPSEC.
6. In the DHCP Server IP field, type the IP address of the DHCP
server.
7. Select OK.
8. If a router is installed between the ZXSEC US unit and the
DHCP server, define a static route to the DHCP server. Refer
to the “Router Static” chapter of the ZXSEC US Administration
Guide.
To configure a DHCP server on the ZXSEC US unit
1. Go to System > DHCP > Service.
2. Expand the row that corresponds to the interface to the
Internet (for example, external or wan1).
3. In the Servers row beneath the interface name, select the
Add DHCP Server icon (+).
4. In the Name field, type a name for the ZXSEC US DHCP
server configuration.
5. Select IPSec, enter the following information and select OK:
IP Range Enter the range of VIP addresses that the DHCP server
can dynamically assign to dialup clients when they connect. As a
precaution, do not assign VIP addresses that match the private

network behind the ZXSEC US unit (for example, if the dialup clients
need to access a host on local subnet 192.168.12.0/24, you could
configure the DHCP server to assign any VIP address in the
10.254.254.100 to 10.254.254.125 range). If you need to exclude
specific IP addresses from the range, you can define an exclusion
range (refer to Advanced below).
Network Mask Enter the network mask of the IP addresses that
you specified in the IP Range fields (for example, 255.255.255.0 for
a class C network).
Default Gateway Enter the IP address of the default gateway that
the DHCP server assigns to DHCP clients.
Domain If you want the ZXSEC US unit to assign a domain name
to dialup clients when they connect, enter the registered domain
name.
Lease Time Specify a lease time:

• Select Unlimited to allow the dialup client to use the
assigned IP address for an unlimited amount of time (that
is, until the client disconnects).
• Enter the amount of time (in days, hours, and minutes)
that the dialup client may use the assigned IP address,
after which the dialup client must request new settings
from the DHCP server. The range is from 5 minutes to
100 days.
Advanced Set these Advanced options as applicable:
• In the DNS Server 1 field, type the IP address of the DNS
server that dialup clients can access after the tunnel has
been established. You can specify up to three DNS
servers.
• In the WINS Server 1 field, type the IP address of the
Windows Internet Service (WINS) server that dialup
clients can access after the tunnel has been established.
You can specify a second WINS server if required.
• If you want to send DHCP options to the dialup client,
type the option code in the Code field, and if applicable,
type any associated data in the Option field (for more
information, refer to RFC 2132, DHCP Options and BOOTP
Vendor Extensions).
• To specify any VIP addresses that must be excluded from
the VIP address range, select Add, and then type the
starting and ending IP addresses. You can add more than
one range to exclude.
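An added Python check (not part of the ZXSEC US product) for a VIP pool before it is entered in the DHCP server settings above: it confirms that the IP Range lies in one subnet for the given Network Mask, that the VIP subnet does not overlap the private network behind the unit or a known client LAN (the routing-table conflict described under “Using virtual IP addresses”), that exclusion ranges sit inside the range, and that the lease is within 5 minutes to 100 days. The values are this guide's 192.168.12.0/24 and 10.254.254.100 to 10.254.254.125; the client LAN 192.168.1.0/24 is constructed.

```python
"""Pre-flight checks for a DHCP-over-IPSec VIP pool. Added example, not
ZXSEC US code. Addresses: the guide's 192.168.12.0/24 private network and
10.254.254.100-10.254.254.125 VIP range; 192.168.1.0/24 is a constructed
example of a remote user's home LAN."""
import ipaddress

LEASE_MIN_MINUTES = 5                 # lease limits stated in the guide
LEASE_MAX_MINUTES = 100 * 24 * 60     # 100 days


def pool_network(first, last, netmask):
    """Subnet the IP Range lives in; both ends must fall in the same subnet."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("IP Range start is after its end")
    net_lo = ipaddress.IPv4Network(f"{first}/{netmask}", strict=False)
    net_hi = ipaddress.IPv4Network(f"{last}/{netmask}", strict=False)
    if net_lo != net_hi:
        raise ValueError("IP Range spans more than one subnet for the Network Mask")
    return net_lo


def check_vip_pool(first, last, netmask, lease_minutes, protected, exclusions=()):
    """Return a list of problems; an empty list means the pool is usable.

    protected:  subnets the VIPs must never collide with (the private network
                behind the unit and any client LANs you know about).
    exclusions: (start, end) pairs excluded from the range; each must lie
                inside the range (the Advanced exclusion-range setting).
    """
    try:
        pool = pool_network(first, last, netmask)
    except ValueError as err:
        return [str(err)]
    problems = []
    for cidr in protected:
        net = ipaddress.IPv4Network(cidr)
        if pool.overlaps(net):   # the address-overlap conflict the guide warns about
            problems.append(f"VIP subnet {pool} overlaps {net}")
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    for start, end in exclusions:
        a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if not lo <= a <= b <= hi:
            problems.append(f"exclusion {start}-{end} is not inside {first}-{last}")
    if not LEASE_MIN_MINUTES <= lease_minutes <= LEASE_MAX_MINUTES:
        problems.append(f"lease of {lease_minutes} minutes outside 5 minutes..100 days")
    return problems


def usable_vips(first, last, exclusions=()):
    """VIPs the DHCP server can actually hand out after exclusions."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    excluded = set()
    for start, end in exclusions:
        a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        excluded.update(range(a, b + 1))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)
            if i not in excluded]


if __name__ == "__main__":
    # Pool from the guide, checked against the private network and a home LAN.
    print(check_vip_pool("10.254.254.100", "10.254.254.125", "255.255.255.0", 480,
                         ["192.168.12.0/24", "192.168.1.0/24"],
                         [("10.254.254.110", "10.254.254.112")]))
    # A pool carved out of the private network itself: reported as an overlap.
    print(check_vip_pool("192.168.12.200", "192.168.12.220", "255.255.255.0", 480,
                         ["192.168.12.0/24"]))
```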

Configure the US Desktop Host Security application
The following procedure explains how to configure the US
Desktop Host Security application to communicate with a remote
ZXSEC US dialup server using the VIP address that you specify
manually.

Configuring US Desktop to work with VPN policy distribution
If the remote ZXSEC US gateway is configured as a VPN policy
server, you can configure the US Desktop software to download
the VPN settings from the ZXSEC US gateway.

Note: For VPNs with automatic configuration, only
preshared keys are supported. Certificates are not supported.
To add a VPN with automatic configuration on the US Desktop PC
1. Go to VPN > Connections.
2. Select Advanced and then select Add.
3. In the New Connection dialog box, enter a connection name.
4. For Configuration, select Automatic.
5. For Policy Server, enter the IP address or FQDN of the ZXSEC
US gateway.
6. Select OK.

Configuring US Desktop manually


This procedure explains how to configure the US Desktop
application manually using the default IKE and IPSec settings.
For more information, refer to the US Desktop Host Security User
Guide.
This procedure includes instructions for configuring a virtual IP
for the US Desktop application, either manually or using DHCP
over IPSec.
To create a US Desktop VPN configuration
1. Go to VPN > Connections.
2. Select Advanced and then select Add.
3. Enter the following information:

Connection Name Enter a descriptive name for the
connection.
Configuration Select Manual.
Remote Gateway Enter the IP address or the fully qualified
domain name (FQDN) of the remote gateway.
Remote Network Enter the IP address and netmask of the
network behind the ZXSEC US unit.
Authentication Method Select Pre-shared Key.
Pre-shared Key Enter the pre-shared key.
4. Follow the remaining steps only if you want to configure a VIP.
Otherwise, select OK.
5. Select Advanced.
6. Enable Acquire a virtual IP address and then select the
adjacent Config button.
7. Enter the following information and select OK.
Options Select one of these options:
DHCP Obtain virtual IP address from the ZXSEC US unit
using DHCP over IPSec.
Manually Set Assign the virtual IP address manually
using the settings in the Manual VIP section.
Manual VIP These settings are available only if you
select Manually Set in the Options section.
IP Enter the IP address that the US Desktop dialup client
uses.
This address must not conflict with any IP address at either
end of the VPN tunnel.
Subnet Mask Enter the subnet for the private network.
DNS Server/WINS Server Optionally, enter the
addresses of the DNS and WINS servers that the US Desktop
user can access through the VPN.
8. Select OK twice to close the dialog boxes.
9. Repeat this procedure for each US Desktop dialup client.

US Desktop dialup-client
configuration example
This example demonstrates how to set up a US Desktop
dialup-client IPSec VPN that uses preshared keys for authentication
purposes. In the example configuration, the DHCP over IPSec
feature is enabled in the US Desktop Host Security application so
that the US Desktop Host Security application can acquire a VIP
address through ZXSEC US DHCP relay.

Figure 11 Example US Desktop dialup-client configuration

In the example configuration:
• VIP addresses that are not commonly used (in this case,
10.254.254.0/24) are assigned to the US Desktop dialup
clients using a DHCP server.
• The dialup clients are provided access to Server_1 at IP
address 192.168.12.1 behind ZXSEC US_1.
• The other network devices are assigned IP addresses as
shown in Figure 11.
• NAT is enabled in the firewall policy to translate the source
IP addresses of the decrypted inbound packets to the IP
address of the ZXSEC US interface to the private network.

Configuring ZXSEC US_1


When a ZXSEC US unit receives a connection request from a
dialup client, it uses IPSec phase 1 parameters to establish a
secure connection and authenticate the client. Then, if the
firewall policy permits the connection, the ZXSEC US unit
establishes the tunnel using IPSec phase 2 parameters and
applies the IPSec firewall policy. Key management,
authentication, and security services are negotiated dynamically
through the IKE protocol.

To support these functions, the following general configuration
steps must be performed at the ZXSEC US unit:
• Define the phase 1 parameters that the ZXSEC US unit
needs to authenticate the dialup clients and establish a
secure connection. Refer to “Define the phase 1
parameters”.
• Define the phase 2 parameters that the ZXSEC US unit
needs to create a VPN tunnel and enable all dialup clients
having VIP addresses on the 10.254.254.0/24 network to
connect using the same tunnel definition. Refer to “Define
the phase 2 parameters”.
• Create an IPSec firewall policy to control the permitted
services and permitted direction of traffic between the IP
source address and the dialup clients. A single policy
controls both inbound and outbound IP traffic through the
VPN tunnel. Refer to “Define the IPSec firewall policy”.
• Configure the ZXSEC US unit to relay DHCP requests from
dialup clients to the DHCP server. Refer to “Configure
ZXSEC US_1 to assign VIPs”.

Define the phase 1 parameters


The phase 1 configuration defines the parameters that ZXSEC US_1 will use to authenticate dialup clients and establish a secure connection. For the purposes of this example, a preshared key will be used to authenticate dialup clients. The same preshared key must be specified when you configure the US Desktop Host Security application on each remote host.
Before you define the phase 1 parameters, you need to:
 Reserve a name for the phase 1 configuration.
 Reserve a unique value for the preshared key.
The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. Because the phase 1 configuration in this example uses Main mode with Accept any peer ID, the ZXSEC US unit cannot tell one dialup client from another before the key is used: every remote host shares this one key, so treat it as a group secret and change it on all hosts if any one remote host is lost or compromised.
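The key rules above (a 6-character minimum, 16 randomly chosen alphanumeric characters recommended) can be turned into a small generator and checker. The following Python is an added example written for this guide; it is not ZTE code and not part of the ZXSEC US product. The entropy threshold, the offline guess rate and the sample keys are assumptions that the guide does not specify.

```python
import math
import secrets
import string

# Values taken from the guide: at least 6 printable characters, with 16 randomly
# chosen alphanumeric characters recommended.
MIN_LENGTH = 6
RECOMMENDED_LENGTH = 16
ALPHANUMERIC = string.ascii_letters + string.digits

# Assumptions, not from the guide: the least entropy we accept for a key that every
# dialup client shares, and the guess rate of an attacker who captured an
# Aggressive-mode exchange and is testing candidate keys offline.
MIN_ENTROPY_BITS = 80
OFFLINE_GUESSES_PER_SECOND = 1e9


def generate_psk(length: int = RECOMMENDED_LENGTH) -> str:
    """Return `length` alphanumeric characters drawn from the OS CSPRNG (secrets)."""
    if length < MIN_LENGTH:
        raise ValueError(f"preshared key must be at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def entropy_bits(psk: str) -> float:
    """Upper bound on the key's entropy: length * log2(alphabet size), where the
    alphabet is the union of the character classes actually present. A key chosen
    by a person (a word, a date) has far less than this bound."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(ch in cls for ch in psk))
    return len(psk) * math.log2(alphabet) if alphabet else 0.0


def years_to_enumerate(psk: str, guesses_per_second: float = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Years an offline attacker needs to try every key of this length and alphabet."""
    return 2 ** entropy_bits(psk) / guesses_per_second / (365.25 * 24 * 3600)


def check_psk(psk: str) -> list:
    """Return policy findings for a candidate key; an empty list means it passes."""
    findings = []
    if len(psk) < MIN_LENGTH:
        findings.append(f"shorter than the {MIN_LENGTH}-character minimum")
    if not psk.isprintable():
        findings.append("contains non-printable characters")
    if len(psk) < RECOMMENDED_LENGTH:
        findings.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if entropy_bits(psk) < MIN_ENTROPY_BITS:
        findings.append(f"at most {entropy_bits(psk):.0f} bits of entropy (want {MIN_ENTROPY_BITS})")
    return findings


if __name__ == "__main__":
    key = generate_psk()
    print(key, check_psk(key), f"{years_to_enumerate(key):.3g} years to enumerate")
    print("password", check_psk("password"), f"{years_to_enumerate('password'):.3g} years to enumerate")
```

Run it to print a fresh key together with its findings. The enumeration-time estimate matters most for the Aggressive-mode configurations in the next chapter, where the preshared-key authentication hash can be captured and guessed against offline: a 16-character random alphanumeric key gives roughly 95 bits, while a word such as "password" gives under 40.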
To define the phase 1 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information, and select OK:
Name: Enter a name to identify the VPN tunnel (for example, US1toDialupClients).
Remote Gateway: Dialup User
Local Interface: Port 1
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced: Select to view the following option.
Enable IPSec Interface Mode: Disable

Define the phase 2 parameters


The basic phase 2 settings associate IPSec phase 2 parameters
with the phase 1 configuration and specify the remote end point
of the VPN tunnel. Before you define the phase 2 parameters,
you need to reserve a name for the tunnel.
To define the phase 2 parameters
1. Go to VPN > IPSEC > Auto Key and select Create Phase 2.
2. Select Advanced, enter the following information, and select OK:
Name: Enter a name for the phase 2 configuration (for example, US1toDialupP2).
Phase 1: Select the gateway that you defined previously (for example, US1toDialupClients).
Advanced: Select DHCP-IPsec Enable.

Define the IPSec firewall policy


Firewall policies control all IP traffic passing between a source
address and a destination address. An IPSec firewall policy is
needed to allow the transmission of encrypted packets, specify
the permitted direction of VPN traffic, and select the VPN tunnel
that will be subject to the policy. A single policy is needed to
control both inbound and outbound IP traffic through a VPN
tunnel.
Before you define the policy, you must first specify the IP source address. The IP source address corresponds to the private IP address of Server_1 behind the ZXSEC US unit (for example, 192.168.12.1/32).
Because VIP addresses are assigned dynamically by the ZXSEC US DHCP server (or through ZXSEC US DHCP relay), you do not need to define a specific destination address. Instead, you will select the predefined destination address “all” in the IPSec firewall policy to refer to the dialup clients.

To define the private IP address of Server_1 behind ZXSEC US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Server_1).
Subnet/IP Range: Enter the private IP address of the server (for example, 192.168.12.1/32).

To define the firewall policy


1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select OK:
Source Interface/Zone: Port 2
Source Address Name: Server_1
Destination Interface/Zone: Port 1
Destination Address Name: all
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: US1toDialupClients
Allow Inbound: Enable
Allow Outbound: Enable if you want to allow hosts on the private network behind the ZXSEC US unit to initiate communications with the US Desktop users after the tunnel is established.
Inbound NAT: Enable
3. Place the policy in the policy list above any other policies having similar source and destination addresses. Policies are matched from the top down, so if a broader ACCEPT policy from Port 2 to Port 1 were listed first, traffic from Server_1 to the dialup clients would match it and leave Port 1 unencrypted instead of entering the tunnel.
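The ordering instruction in step 3 matters because the first matching policy decides whether traffic is encrypted. The following Python is an added example, not ZXSEC US code and not the unit's actual lookup logic: it models top-down first-match evaluation for traffic originating on Port 2 and flags an IPSEC policy that an earlier, broader policy shadows. The policy names and the lan_to_internet policy are constructed for the example; the decrypted inbound direction, which the same IPSEC policy also governs, is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    src_addr: str          # CIDR, or the predefined address "all"
    dst_addr: str          # CIDR, or "all"
    action: str            # "IPSEC", "ACCEPT" or "DENY"
    vpn_tunnel: str = ""   # phase 1 name; only used when action == "IPSEC"


def _covers(spec: str, ip: str) -> bool:
    """Does an address specification match one IP address?"""
    return spec == "all" or ip_address(ip) in ip_network(spec, strict=False)


def _spec_covers_spec(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "all":
        return True
    if inner == "all":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def first_match(policies, src_intf, dst_intf, src_ip, dst_ip):
    """Top-down lookup: the first policy whose interfaces and addresses match wins."""
    for p in policies:
        if ((p.src_intf, p.dst_intf) == (src_intf, dst_intf)
                and _covers(p.src_addr, src_ip) and _covers(p.dst_addr, dst_ip)):
            return p
    return None


def disposition(policies, src_intf, dst_intf, src_ip, dst_ip) -> str:
    """What happens to a packet leaving the private network: encrypted, sent in the clear, or dropped."""
    p = first_match(policies, src_intf, dst_intf, src_ip, dst_ip)
    if p is None:
        return "DROP (no matching policy)"
    if p.action == "IPSEC":
        return f"ENCRYPT via {p.vpn_tunnel}"
    if p.action == "ACCEPT":
        return "CLEARTEXT"
    return "DROP"


def shadowed_ipsec_policies(policies) -> list:
    """Names of IPSEC policies that can never match because an earlier policy on the
    same interface pair covers all of their source and destination addresses."""
    shadowed = []
    for i, p in enumerate(policies):
        if p.action != "IPSEC":
            continue
        for q in policies[:i]:
            if ((q.src_intf, q.dst_intf) == (p.src_intf, p.dst_intf)
                    and _spec_covers_spec(q.src_addr, p.src_addr)
                    and _spec_covers_spec(q.dst_addr, p.dst_addr)):
                shadowed.append(p.name)
                break
    return shadowed


# Constructed policies modelled on the example: the IPSEC policy from the guide and an
# ordinary Internet-access policy (an assumption) for the whole 192.168.12.0/24 network.
VPN_POLICY = Policy("vpn_to_dialup", "Port 2", "Port 1", "192.168.12.1/32", "all", "IPSEC", "US1toDialupClients")
INTERNET_POLICY = Policy("lan_to_internet", "Port 2", "Port 1", "192.168.12.0/24", "all", "ACCEPT")
GOOD_ORDER = [VPN_POLICY, INTERNET_POLICY]   # as step 3 instructs
BAD_ORDER = [INTERNET_POLICY, VPN_POLICY]    # IPSEC policy placed below a broader ACCEPT policy

if __name__ == "__main__":
    for label, plist in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, disposition(plist, "Port 2", "Port 1", "192.168.12.1", "10.254.254.5"),
              "shadowed:", shadowed_ipsec_policies(plist))
```

Note that in the good order a packet from another host, say 192.168.12.50, to a dialup client still matches the Internet policy and goes out in the clear, because only Server_1 is in the IPSec policy's source address; that is the page's intended scope, but it is worth confirming rather than assuming.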

Configure ZXSEC US_1 to assign VIPs


In the example configuration, dialup clients obtain VIP addresses through a ZXSEC US DHCP server.

Note: You may optionally configure the ZXSEC US unit to act as a DHCP relay instead. Refer to “To configure DHCP relay on the ZXSEC US unit”.

To configure a DHCP server on the ZXSEC US unit


1. Go to System > DHCP > Service.
2. Expand the row that corresponds to Port 1.
3. In the Servers row beneath the interface name, select the Add DHCP Server icon.
4. Select IPSec, enter the following information and select OK:
Name: Enter a name for the DHCP server (for example, ClientVIPs).
Enable: Select
Type: Select IPSEC
IP Range: 10.254.254.1 - 10.254.254.100
Network Mask: 255.255.255.0
Default Gateway: Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

Configuring the US Desktop Host Security application


The following procedure explains how to configure the US Desktop Host Security application to connect to ZXSEC US_1 and broadcast a DHCP request. The dialup client uses the VIP address acquired through the ZXSEC US DHCP server (or DHCP relay) as its IP source address for the duration of the connection.
To configure US Desktop
1. At the remote host, start US Desktop.
2. Go to VPN > Connections and select Add.
3. In the Connection Name field, type a descriptive name for the
connection.
4. In the Remote Gateway field, type the public static IP address
of the ZXSEC US unit.
5. In the Remote Network fields, type the private IP address
and netmask of the server that US Desktop needs to access
behind the ZXSEC US unit (for example,
192.168.12.1/255.255.255.255).
6. From the Authentication Method list, select Preshared Key.
7. In the Preshared Key field, type the preshared key. The value
must be identical to the preshared key that you specified
previously in the ZXSEC US_1 configuration.
8. Select Advanced.
9. In the Advanced Settings dialog box, select Acquire virtual IP
address and then select Config.
10. Verify that the Dynamic Host Configuration Protocol (DHCP)
over IPSec option is selected, and then select OK.
11. Select OK twice to close the dialog boxes.
12. Exit US Desktop and repeat this procedure at all other remote hosts.

Chapter 7

ZXSEC US dialup-client

configuration

Overview
This section explains how to set up a ZXSEC US dialup-client
IPSec VPN. In a ZXSEC US dialup-client configuration, a ZXSEC
US unit with a static IP address acts as a dialup server and a
ZXSEC US unit having a dynamic IP address initiates a VPN
tunnel with the ZXSEC US dialup server.
The following topics are included in this section:
 Configuration overview
 ZXSEC US dialup-client configuration steps
 Configure the dialup server to accept ZXSEC US dialup-client
connections
 Configure the ZXSEC US dialup client

Configuration overview
A dialup client can be a ZXSEC US unit—the ZXSEC US dialup
client typically obtains a dynamic IP address from an ISP through
the Dynamic Host Configuration Protocol (DHCP) or Point-to-Point
Protocol over Ethernet (PPPoE) before initiating a connection to a
ZXSEC US dialup server.

Figure 12 Example ZXSEC US dialup-client configuration

In a dialup-client configuration, the ZXSEC US dialup server does not rely on a phase 1 remote gateway address to establish an IPSec VPN connection with dialup clients. As long as authentication is successful and the IPSec firewall policy associated with the tunnel permits access, the tunnel is established.
Several different ways to authenticate dialup clients and restrict
access to private networks based on client credentials are
available. To authenticate ZXSEC US dialup clients and help to
distinguish them from US Desktop dialup clients when multiple
clients will be connecting to the VPN through the same tunnel,
we recommend that you assign a unique identifier (local ID) to
each ZXSEC US dialup client. For more information, refer to
“Authenticating remote peers and clients”.

Note: Whenever you add a unique identifier (local ID) to a ZXSEC US dialup client for identification purposes, you must select Aggressive mode on the ZXSEC US dialup server and also specify the identifier as a peer ID on the ZXSEC US dialup server. Be aware that in Aggressive mode the identifier is sent unencrypted and the preshared-key authentication hash is exposed to offline guessing by anyone who can capture the exchange, so use a long, randomly generated preshared key. For more information, refer to “Enabling VPN access using user accounts and pre-shared keys”.
Users behind the ZXSEC US dialup server cannot initiate the
tunnel because the ZXSEC US dialup client does not have a static
IP address. After the tunnel is initiated by users behind the
ZXSEC US dialup client, traffic from the private network behind
the ZXSEC US dialup server can be sent to the private network
behind the ZXSEC US dialup client.
Encrypted packets from the ZXSEC US dialup client are
addressed to the public interface of the dialup server. Encrypted
packets from the dialup server are addressed either to the public
IP address of the ZXSEC US dialup client (if the dialup client
connects to the Internet directly), or if the ZXSEC US dialup
client is behind a NAT device, encrypted packets from the dialup
server are addressed to the public IP address of the NAT device.

Note: If a router with NAT capabilities is in front of the ZXSEC US dialup client, the router must be NAT-T compatible for encrypted traffic to pass through the NAT device. For more information, refer to “NAT traversal”.
When the ZXSEC US dialup server decrypts a packet from the ZXSEC US dialup client, the source address in the inner IP header is whatever the dialup client placed there before encrypting the packet. A NAT device between the two units rewrites only the outer IP header of the ESP or NAT-T packet and cannot alter the encrypted inner header. The source address therefore depends on the configuration of the ZXSEC US dialup client:
 If the dialup client forwards the traffic of its local hosts unchanged, the source address will be the private IP address of a host or server on the network behind the ZXSEC US dialup client.
 If the dialup client translates the source addresses of its local hosts before encryption, the source address will be the address of the dialup client’s own interface.
In some cases, computers on the private network behind the ZXSEC US dialup client may, by coincidence, have IP addresses that are already used by computers on the network behind the ZXSEC US dialup server. In this situation (ambiguous routing), conflicts may occur in one or both ZXSEC US routing tables and traffic destined for the remote network through the tunnel may not be sent.
In most cases, computers on the private network behind the ZXSEC US dialup client obtain IP addresses from a local DHCP server behind the ZXSEC US dialup client. Unless the local and remote networks use different private address spaces, ambiguous routing and IP-address overlap issues may arise.
To avoid these issues, you can configure ZXSEC US DHCP relay
on the dialup client instead of using a DHCP server on the
network behind the dialup client. The ZXSEC US dialup client can
be configured to relay DHCP requests from the local private
network to a DHCP server that resides on the network behind the
ZXSEC US dialup server (refer to Figure 13). You configure the
ZXSEC US dialup client to pass traffic from the local private
network to the remote network by enabling ZXSEC US DHCP
relay on the ZXSEC US dialup client interface that is connected to
the local private network.

Figure 13 Preventing network overlap in a ZXSEC US dialup-client configuration

Afterward, when a computer on the network behind the dialup client broadcasts a DHCP request, the dialup client relays the message through the tunnel to the remote DHCP server. The remote DHCP server responds with a private IP address for the computer. To avoid ambiguous routing and network overlap issues, the IP addresses assigned to computers behind the dialup client cannot match the network address space used by the private network behind the ZXSEC US dialup server.
When the DHCP server resides on the private network behind the
ZXSEC US dialup server as shown in Figure 13, the IP destination
address specified in the IPSec firewall policy on the ZXSEC US
dialup client must refer to that network.

Note: If the DHCP server is not directly connected to the private network behind the ZXSEC US dialup server (that is, its IP address does not match the IP address of the private network), you must add (to the ZXSEC US dialup client’s routing table) a static route to the DHCP server, and the IP destination address specified in the IPSec firewall policy on the ZXSEC US dialup client must refer to the DHCP server address. In this case, the DHCP server must be configured to assign IP addresses that do not belong to the network on which the DHCP server resides. In addition, the IP addresses cannot match the network address space used by the private network behind the ZXSEC US dialup server.

ZXSEC US dialup-client
infrastructure requirements
 To support a policy-based VPN, the ZXSEC US dialup server may operate in either NAT/Route mode or Transparent mode. NAT/Route mode is required if you want to create a route-based VPN.
 The ZXSEC US dialup server has a static public IP address.
 Computers on the private network behind the ZXSEC US dialup client can obtain IP addresses either from a DHCP server behind the ZXSEC US dialup client, or a DHCP server behind the ZXSEC US dialup server.
 If the DHCP server resides on the network behind the dialup client, the DHCP server must be configured to assign IP addresses that do not match the private network behind the ZXSEC US dialup server.
 If the DHCP server resides on the network behind the ZXSEC US dialup server, the DHCP server must be configured to assign IP addresses that do not match the private network behind the ZXSEC US dialup client. In addition, the ZXSEC US dialup client routing table must contain a static route to the DHCP server (refer to the “Router Static” chapter of the ZXSEC US Administration Guide).
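The address-plan rules above (no overlap between the addresses handed to client-side hosts and the networks behind the dialup server, plus the static-route and separate-range requirements when the DHCP server sits off the server-side network) can be checked before any tunnel is built. The following Python is an added example, not part of this guide or of the ZXSEC US product; it uses the standard ipaddress module. Only 192.168.12.0/24 comes from the example network in this guide; the DHCP ranges and DHCP server addresses in the constructed cases are assumptions.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, summarize_address_range


def pool_networks(first: str, last: str) -> list:
    """Express a DHCP address range as the minimal list of CIDR blocks."""
    return list(summarize_address_range(IPv4Address(first), IPv4Address(last)))


def check_dialup_addressing(server_side_nets, pool_first, pool_last, dhcp_server=None) -> list:
    """Check the address plan for the hosts behind a ZXSEC US dialup client.

    server_side_nets: networks behind the dialup server, as CIDR strings.
    pool_first/pool_last: the range the DHCP server hands to hosts behind the dialup client.
    dhcp_server: "ip/prefix" of the DHCP server when it is reached through the tunnel
                 (the DHCP-relay layout), or None when it sits behind the dialup client.
    Returns a list of findings; an empty list means the plan follows the guide's rules.
    """
    nets = [IPv4Network(n) for n in server_side_nets]
    pool = pool_networks(pool_first, pool_last)
    findings = []

    # Rule from the guide: client-side addresses must not overlap the networks behind the
    # dialup server, or both units end up with ambiguous routes for the same destinations.
    for net in nets:
        hits = [str(block) for block in pool if block.overlaps(net)]
        if hits:
            findings.append(f"pool blocks {hits} overlap server-side network {net} (ambiguous routing)")

    if dhcp_server is not None:
        srv = IPv4Interface(dhcp_server)
        if not any(srv.ip in net for net in nets):
            # The DHCP server is reached via some other network: the dialup client needs a
            # static route to it and the IPSec policy destination must name the server itself.
            findings.append(f"DHCP server {srv.ip} is not on a server-side network: "
                            "add a static route to it on the dialup client and use it as the policy destination")
            if any(block.overlaps(srv.network) for block in pool):
                findings.append(f"pool overlaps the DHCP server's own network {srv.network}: "
                                "leases must come from a different range")
    return findings


# Constructed cases: Server_1's network from the guide on the dialup-server side; the
# client-side ranges and the DHCP server addresses are assumptions.
SERVER_SIDE = ["192.168.12.0/24"]

if __name__ == "__main__":
    print(check_dialup_addressing(SERVER_SIDE, "10.10.20.50", "10.10.20.99", "192.168.12.10/24"))
    print(check_dialup_addressing(SERVER_SIDE, "192.168.12.200", "192.168.12.250", "192.168.12.10/24"))
    print(check_dialup_addressing(SERVER_SIDE, "172.16.5.50", "172.16.5.60", "172.16.5.10/24"))
```

The first call is a clean plan, the second reproduces the ambiguous-routing case, and the third shows the off-network DHCP server from the note above, which needs both a static route and a lease range outside its own subnet.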

ZXSEC US dialup-client
configuration steps
The procedures in this section assume that computers on the
private network behind the ZXSEC US dialup client obtain IP
addresses from a local DHCP server. The assigned IP addresses
do not match the private network behind the ZXSEC US dialup
server.

Note: In situations where IP-address overlap between the local and remote private networks is likely to occur, ZXSEC US DHCP relay can be configured on the ZXSEC US dialup client to relay DHCP requests to a DHCP server behind the ZXSEC US dialup server. For more information, refer to “To configure DHCP relay on the ZXSEC US unit”.
Configuring dialup client capability for ZXSEC US dialup clients involves the following general configuration steps:
 Determine which IP addresses to assign to the private network behind the ZXSEC US dialup client, and add the IP addresses to the DHCP server behind the ZXSEC US dialup client. Refer to the software supplier’s documentation to configure the DHCP server.
 Configure the ZXSEC US dialup server. Refer to “Configure the dialup server to accept ZXSEC US dialup-client connections”.
 Configure the ZXSEC US dialup client. Refer to “Configure the ZXSEC US dialup client”.

Configure the dialup server to accept ZXSEC US dialup-client connections


Before you begin, optionally reserve a unique identifier (peer ID)
for the ZXSEC US dialup client. The dialup client will supply this
value to the ZXSEC US dialup server for authentication purposes
during the IPSec phase 1 exchange. In addition, the value will
enable you to distinguish ZXSEC US dialup-client connections
from US Desktop dialup-client connections. The same value must
be specified on the dialup server and on the dialup client.
1. At the ZXSEC US dialup server, define the phase 1 parameters needed to authenticate the ZXSEC US dialup client and establish a secure connection. Refer to “Auto Key phase 1 parameters”. Enter these settings in particular:
Name: Enter a name to identify the VPN tunnel. This name appears in phase 2 configurations, firewall policies and the VPN monitor.
Remote Gateway: Select Dialup User.
Local Interface: Select the interface through which clients connect to the ZXSEC US unit.
Mode: If you will be assigning an ID to the ZXSEC US dialup client, select Aggressive.
Peer Options: If you will be assigning an ID to the ZXSEC US dialup client, select Accept this peer ID and type the identifier that you reserved for the ZXSEC US dialup client into the adjacent field.
Enable IPSec Interface Mode: You must select Advanced to see this setting. If IPSec Interface Mode is enabled, the ZXSEC US unit creates a virtual IPSec interface for a route-based VPN. Disable this option if you want to create a policy-based VPN. After you select OK to create the phase 1 configuration, you cannot change this setting.
2. Define the phase 2 parameters needed to create a VPN tunnel with the ZXSEC US dialup client. Refer to “Phase 2 parameters”. Enter these settings in particular:
Name: Enter a name to identify this phase 2 configuration.
Phase 1: Select the name of the phase 1 configuration that you defined.
3. Define names for the addresses or address ranges of the private networks that the VPN links. Refer to “Defining firewall addresses”. Enter these settings in particular:

 Define an address name for the server, host, or network behind the ZXSEC US dialup server.
 Define an address name for the private network behind the ZXSEC US dialup client.
4. Define the firewall policies to permit communications between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different firewall policies. For detailed information about creating firewall policies, refer to “Defining firewall policies”.
Policy-based VPN firewall policy
Define an IPSec firewall policy. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network behind this ZXSEC US unit.
Source Address Name: Select the address name that you defined in Step 3 for the private network behind this ZXSEC US unit.
Destination Interface/Zone: Select the ZXSEC US unit’s public interface.
Destination Address Name: Select the address name that you defined in Step 3 for the private network behind the ZXSEC US dialup client.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 configuration that you created in Step 1.
Allow Inbound: Select to enable traffic from the remote network to initiate the tunnel.
Allow Outbound: Clear to prevent traffic from the local network from initiating the tunnel after the tunnel has been established.
Route-based VPN firewall policy
Define an ACCEPT firewall policy to permit communications between hosts on the private network behind the ZXSEC US dialup client and the private network behind this ZXSEC US dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy. Enter these settings in particular:
Source Interface/Zone: Select the VPN tunnel (IPSec interface) created in Step 1.
Source Address Name: Select All.
Destination Interface/Zone: Select the interface that connects to the private network behind this ZXSEC US unit.
Destination Address Name: Select All.
Action: Select ACCEPT.
NAT: Disable
5. Place the policy in the policy list above any other policies having similar source and destination addresses.

Configure the ZXSEC US dialup client


Configure the ZXSEC US dialup client as follows:
1. At the ZXSEC US dialup client, define the phase 1 parameters needed to authenticate the dialup server and establish a secure connection. Refer to “Auto Key phase 1 parameters”. Enter these settings in particular:
Name: Enter a name to identify the VPN tunnel. This name appears in phase 2 configurations, firewall policies and the VPN monitor.
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the dialup server’s public interface.
Local Interface: Select the interface that connects to the public network.
Mode: Because the ZXSEC US dialup client has a dynamic IP address, select Aggressive.
Advanced: Select to view the following options.
Local ID: If you defined a peer ID for the dialup client in the ZXSEC US dialup server configuration, enter the identifier of the dialup client. The value must be identical to the peer ID that you specified previously in the ZXSEC US dialup server configuration.
Enable IPSec Interface Mode: If IPSec Interface Mode is enabled, the ZXSEC US unit creates a virtual IPSec interface for a route-based VPN. Disable this option if you want to create a policy-based VPN. After you select OK to create the phase 1 configuration, you cannot change this setting.
2. Define the phase 2 parameters needed to create a VPN tunnel with the dialup server. Refer to “Phase 2 parameters”. Enter these settings in particular:
Name: Enter a name to identify this phase 2 configuration.
Phase 1: Select the set of phase 1 parameters that you defined in step 1.
3. Define names for the addresses or address ranges of the private networks that the VPN links. Refer to “Defining firewall addresses”. Enter these settings in particular:
 Define an address name for the server, host, or network behind the ZXSEC US dialup server.
 Define an address name for the private network behind the ZXSEC US dialup client.

4. Define firewall policies to permit communication between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different firewall policies. For detailed information about creating firewall policies, refer to “Defining firewall policies”.
Policy-based VPN firewall policy
Define an IPSec firewall policy to permit communications between the source and destination addresses. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network behind this ZXSEC US unit.
Source Address Name: Select the address name that you defined in Step 3 for the private network behind this ZXSEC US unit.
Destination Interface/Zone: Select the ZXSEC US unit’s public interface.
Destination Address Name: Select the address name that you defined in Step 3 for the private network behind the dialup server.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 configuration that you created in Step 1.
Allow Inbound: Clear to prevent traffic from the remote network from initiating the tunnel after the tunnel has been established.
Allow Outbound: Select to enable traffic from the local network to initiate the tunnel.
Route-based VPN firewall policy
Define an ACCEPT firewall policy to permit communications between hosts on the private network behind this ZXSEC US dialup client and the private network behind the ZXSEC US dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the private network behind this ZXSEC US unit.
Source Address Name: Select All.
Destination Interface/Zone: Select the VPN tunnel (IPSec interface) created in Step 1.
Destination Address Name: Select All.
Action: Select ACCEPT.
NAT: Disable

5. Place the policy in the policy list above any other policies having similar source and destination addresses.


Chapter 8

Internet-browsing
configuration

Overview
This section explains how to support secure web browsing
performed by dialup VPN clients, and/or hosts behind a remote
VPN peer. Remote users can access the private network behind
the local ZXSEC US unit and browse the Internet securely. All
traffic generated remotely is subject to the firewall policy that
controls traffic on the private network behind the local ZXSEC US
unit.
The following topics are included in this section:
 Configuration overview
 Creating an Internet browsing firewall policy
 Routing all remote traffic through the VPN tunnel

Configuration overview
A VPN provides secure access to a private network behind the
ZXSEC US unit. You can also enable VPN clients to access the
Internet securely. The ZXSEC US unit inspects and processes all
traffic between the VPN clients and hosts on the Internet
according to the Internet browsing policy. This is accomplished
even though the same ZXSEC US interface is used for both
encrypted VPN client traffic and unencrypted Internet traffic.
In Figure 14, ZXSEC US_1 enables secure Internet browsing for
US Desktop Host Security users such as Dialup_1 and users on
the Site_2 network behind ZXSEC US_2, which could be a VPN
peer or a dialup client.

Figure 14 Example Internet-browsing configuration

You can adapt any of the following configurations to provide secure Internet browsing:
 a gateway-to-gateway configuration (refer to “Gateway-to-gateway configurations”)
 a US Desktop dialup-client configuration (refer to “US Desktop dialup-client configurations”)
 a ZXSEC US dialup-client configuration (refer to “ZXSEC US dialup-client configurations”)
The procedures in this section assume that one of these configurations is in place, and that it is operating properly.
To create an Internet-browsing configuration based on an existing gateway-to-gateway configuration, you must edit the gateway-to-gateway configuration as follows:
 On the ZXSEC US unit that will provide Internet access, create an Internet browsing firewall policy. Refer to “Creating an Internet browsing firewall policy”, below.
 Configure the remote peer or client to route all traffic through the VPN tunnel. You can do this on a ZXSEC US unit or on a US Desktop Host Security application. Refer to “Routing all remote traffic through the VPN tunnel”.

Creating an Internet
browsing firewall policy
On the ZXSEC US unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing firewall policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.
To create an Internet browsing policy - policy-based VPN
1. Go to Firewall > Policy.
2. Select Create New, enter the following information and then select OK:
Source Interface: The interface to which the VPN tunnel is bound.
Source Address Name: The address of the remote ZXSEC US gateway.
Destination Interface: The interface to which the VPN tunnel is bound (the same as Source Interface).
Destination Address Name: All
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: Select the tunnel that provides access to the private network behind the ZXSEC US unit.
Protection Profile: Select the protection profile that you want to apply to Internet access.
Allow Inbound: Enable
Allow Outbound: Enable
Inbound NAT: Enable
Configure other settings as needed.
To create an Internet browsing policy - route-based VPN
1. Go to Firewall > Policy.
2. Select Create New, enter the following information and then select OK:
Source Interface: The IPSec VPN interface.
Source Address Name: All
Destination Interface: The interface that connects to the Internet. The virtual IPSec interface is configured on this physical interface.
Destination Address Name: All
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Enable
Protection Profile: Select the protection profile that you want to apply to Internet access.

Configure other settings as needed.

The VPN clients must be configured to route all Internet traffic through the VPN tunnel.

Routing all remote traffic through the VPN tunnel


To make use of the Internet browsing configuration on the VPN
server, the VPN peer or client must route all traffic through the
VPN tunnel. Usually, only the traffic destined for the private
network behind the ZXSEC US VPN server is sent through the
tunnel.
The remote end of the VPN can be a ZXSEC US unit that acts as
a peer in a gateway-to-gateway configuration or a US Desktop
Host Security application that protects an individual client such
as a notebook PC.
 To configure a remote peer ZXSEC US unit for Internet browsing via VPN, refer to “Configuring a ZXSEC US remote peer to support Internet browsing”.
 To configure a US Desktop Host Security application for Internet browsing via VPN, refer to “Configuring a US Desktop application to support Internet browsing”.
These procedures assume that your VPN connection to the protected private network is working and that you have configured the ZXSEC US VPN server for Internet browsing as described in “Creating an Internet browsing firewall policy”.

Configuring a ZXSEC US remote peer to support Internet browsing


The configuration changes to send all traffic through the VPN differ for policy-based and route-based VPNs.

To route all traffic through a policy-based VPN
1. At the remote ZXSEC US unit (the VPN peer or dialup client), go to Firewall > Policy.
2. Select the Edit icon in the row that corresponds to the IPSec firewall policy.
3. From the Address Name list under Destination, select all.
4. Select OK.
All packets are routed through the VPN tunnel, not just packets destined for the protected private network.

To route all traffic through a route-based VPN
1. At the remote ZXSEC US unit (the VPN peer or dialup client), go to Router > Static.
2. Select the Edit icon for the default route (destination IP 0.0.0.0). If there is no default route, select Create New. Enter the following information and select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: Select the IPSec virtual interface.
Gateway: Enter the remote gateway IP address for the VPN.
Distance: Leave at default.
All packets are routed through the VPN tunnel, not just packets destined for the protected private network. Check that the VPN server’s public IP address remains reachable over the physical Internet interface (for example, through a more specific static route via the ISP gateway): if the encrypted IKE and ESP packets themselves were sent into the tunnel, the tunnel could never be established.

Configuring a US Desktop
application to support Internet
browsing
By default, the US Desktop application configures the PC so that
traffic destined for the remote protected network passes through
the VPN tunnel but all other traffic is sent to the default gateway.
You need to modify the US Desktop settings so that it configures
the PC to route all outbound traffic through the VPN.
To route all traffic through VPN - US Desktop application
1. At the remote host, start US Desktop.
2. Go to VPN > Connections.
3. Select the definition that connects US Desktop to the ZXSEC
US dialup server.
4. Select Advanced and then select Edit.
5. In the Edit Connection dialog box, select Advanced.
6. In the Remote Network group, select Add.
7. In the IP and Subnet Mask fields, type 0.0.0.0/0.0.0.0 and
select OK. The address is added to the Remote Network list.
The first destination IP address in the list establishes a VPN
tunnel. The second destination address (0.0.0.0/0.0.0.0 in
this case) forces all other traffic through the VPN tunnel.
8. Select OK twice to close the dialog boxes.
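Both procedures above (moving the default route onto the IPSec interface on a ZXSEC US peer, and adding 0.0.0.0/0.0.0.0 to the US Desktop Remote Network list) work because the most specific matching route or remote network wins. The following Python is an added example, not ZXSEC US or US Desktop code: a minimal longest-prefix-match table that contrasts split tunnelling with full tunnelling and checks that the VPN server's own public address is still reached over the ISP path. The server address 203.0.113.1 and the egress names are assumptions; 192.168.12.0/24 is the protected network from this guide.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the protected network comes from the guide; the VPN server's public
# address (an RFC 5737 documentation address) and the egress names are assumptions.
PROTECTED_NET = "192.168.12.0/24"
VPN_SERVER_PUBLIC_IP = "203.0.113.1"
ISP_EGRESS = "ISP gateway via physical interface"
TUNNEL_EGRESS = "IPSec virtual interface"


class RouteTable:
    """Minimal longest-prefix-match table. Adding a prefix that already exists replaces
    it, which mirrors editing the existing 0.0.0.0/0 entry under Router > Static."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix: str, egress: str):
        self.routes[ip_network(prefix, strict=False)] = egress

    def lookup(self, dst: str):
        """Return the egress for a destination, or None when no route matches."""
        dst = ip_address(dst)
        matches = [net for net in self.routes if dst in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def build_table(full_tunnel: bool, pin_vpn_server: bool = True) -> RouteTable:
    """Split tunnel: only the protected network is sent through the tunnel.
    Full tunnel: the default route is moved onto the IPSec interface, as in the guide;
    the /32 for the VPN server keeps the encrypted packets themselves on the ISP path."""
    table = RouteTable()
    table.add("0.0.0.0/0", ISP_EGRESS)
    table.add(PROTECTED_NET, TUNNEL_EGRESS)
    if full_tunnel:
        table.add("0.0.0.0/0", TUNNEL_EGRESS)
        if pin_vpn_server:
            table.add(VPN_SERVER_PUBLIC_IP + "/32", ISP_EGRESS)
    return table


def vpn_server_reachable(table: RouteTable) -> bool:
    """The outer IKE/ESP packets must not be routed into the tunnel they carry."""
    return table.lookup(VPN_SERVER_PUBLIC_IP) == ISP_EGRESS


if __name__ == "__main__":
    cases = (("split", build_table(False)),
             ("full", build_table(True)),
             ("full, server not pinned", build_table(True, pin_vpn_server=False)))
    for name, table in cases:
        print(f"{name}: internet host -> {table.lookup('198.51.100.7')}; "
              f"Server_1 -> {table.lookup('192.168.12.1')}; "
              f"VPN server reachable: {vpn_server_reachable(table)}")
```

The build_table(True, pin_vpn_server=False) case is the misconfiguration to avoid: with no more specific route for the VPN server, the new default route would swallow the encrypted packets themselves.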



Chapter 9 Redundant VPN configurations

Overview
This section discusses the options for supporting redundant and
partially redundant IPSec VPNs. Both policy-based and route-
based approaches are shown.
The following topics are included in this section:
• Configuration overview
• General configuration steps - route-based VPN
• Configure the VPN peers - route-based VPN
• Redundant route-based VPN configuration example
• General configuration steps - policy-based VPN
• Configure the VPN peers - policy-based VPN
• Policy-based redundant tunnel configuration example
• Partially redundant tunnel configuration example

Configuration overview
A ZXSEC US unit can be configured to support redundant VPNs to
the same remote peer if the ZXSEC US unit has more than one
interface to the Internet. In a fully redundant configuration, the
remote peer must have the same number of Internet
connections.
When more than one public ZXSEC US interface is available, you
can configure more than one VPN to ensure that a remote peer
can access the ZXSEC US unit should the primary connection fail.
If the primary connection fails, the ZXSEC US unit can establish a
VPN using the redundant connection.

Note: You can set up a partially redundant IPSec VPN between a
local ZXSEC US unit and a remote VPN peer that receives a
dynamic IP address from an ISP before it connects to the ZXSEC
US unit. In this case, the VPN peer has only one connection to
the Internet. The VPN is said to be partially redundant because
the local ZXSEC US unit supports a redundant connection, but
the remote VPN peer does not. For more information, refer to
“Partially redundant tunnel configuration example”.
In Figure 15, two separate interfaces to the Internet are available
on both VPN peers.

Figure 15: Example redundant-tunnel configuration

Note: A VPN that is created using manual keys (refer to
“Manual-key configurations”) cannot be included in a
redundant-tunnel configuration.

Redundant infrastructure requirements
• Both VPN peers must have at least two public interfaces
and have static IP addresses for each public interface.
• Both VPN peers must be operating in NAT/Route mode.

General configuration steps - route-based VPN
A redundant configuration at each VPN peer includes:
• one phase 1 configuration (virtual IPSec interface) for
each path between the two peers. In a fully-meshed
redundant configuration, each network interface on one
peer can communicate with each network interface on the
remote peer. If both peers have two public interfaces, this
means that each peer has four paths, for example.
• one phase 2 definition for each phase 1 configuration
• one static route for each IPSec interface, with different
distance values to prioritize the routes
• two Accept firewall policies per IPSec interface, one for
each direction of traffic
• dead peer detection enabled in each phase 1 definition
The procedures in this section assume that two separate
interfaces to the Internet are available on each VPN peer.

Configure the VPN peers - route-based VPN
Configure each VPN peer as follows:
1. Ensure that the interfaces used in the VPN have static IP
addresses.
2. Create a phase 1 configuration for each of the paths between
the peers. Enable IPSec Interface mode so that this creates a
virtual IPSec interface. Enable dead peer detection so that
one of the other paths is activated if this path fails.
Enter these settings in particular:
Path 1
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the primary interface of the
remote peer.
Local Interface: Select the primary public interface of this peer.
Enable IPSec Interface Mode: Enable
Dead Peer Detection: Enable
Other settings as required by VPN.
Path 2
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the secondary interface of the
remote peer.
Local Interface: Select the primary public interface of this peer.
Enable IPSec Interface Mode: Enable
Dead Peer Detection: Enable
Other settings as required by VPN.
Path 3
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the primary interface of the
remote peer.
Local Interface: Select the secondary public interface of this
peer.
Enable IPSec Interface Mode: Enable
Dead Peer Detection: Enable
Other settings as required by VPN.
Path 4
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the secondary interface of the
remote peer.
Local Interface: Select the secondary public interface of this
peer.
Enable IPSec Interface Mode: Enable
Dead Peer Detection: Enable
Other settings as required by VPN.
For more information, refer to “Auto Key phase 1 parameters”.
3. Create a phase 2 definition for each path. Refer to “Phase 2
parameters”. Enter these settings in particular:
Phase 1: Select the phase 1 configuration (virtual IPSec
interface) that you defined for this path. You can select the
name from the Static IP Address part of the list.
4. Create a route for each path to the other peer. If there are
two ports on each peer, there are four possible paths between
the peer devices.
Destination IP/Mask: The IP address and netmask of the
private network behind the remote peer.
Device: One of the virtual IPSec interfaces on the local peer.
Distance: For each path, enter a different value to prioritize the
paths.
5. Define the firewall policy for the local primary interface. Refer
to “Defining firewall policies”. You need to create two policies
for each path to enable communication in both directions.
Enter these settings in particular:
Source Interface/Zone: Select the local interface to the internal
(private) network.
Source Address Name: All
Destination Interface/Zone: Select one of the virtual IPSec
interfaces you created in Step 2.
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
Source Interface/Zone: Select one of the virtual IPSec interfaces
you created in Step 2.
Source Address Name: All
Destination Interface/Zone: Select the local interface to the
internal (private) network.
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
6. Place the policy in the policy list above any other policies
having similar source and destination addresses.
7. Repeat this procedure at the remote ZXSEC US unit.

Redundant route-based VPN configuration example
This example demonstrates a fully redundant site-to-site VPN
configuration using route-based VPNs. At each site, the ZXSEC
US unit has two interfaces connected to the Internet through
different ISPs. This means that there are four possible paths for
communication between the two units. In this example, these
paths, listed in descending priority, are:
• ZXSEC US_1 WAN 1 to ZXSEC US_2 WAN 1
• ZXSEC US_1 WAN 1 to ZXSEC US_2 WAN 2
• ZXSEC US_1 WAN 2 to ZXSEC US_2 WAN 1
• ZXSEC US_1 WAN 2 to ZXSEC US_2 WAN 2

Figure 16: Example redundant route-based VPN configuration

For each path, VPN configuration, firewall policies and routing are
defined. By specifying a different routing distance for each path,
the paths are prioritized. A VPN tunnel is established on each
path, but only the highest priority one is used.
If the highest priority path goes down, the traffic is automatically
routed over the next highest priority path. You could use dynamic
routing, but to keep this example simple, static routing is used.

Configuring ZXSEC US_1
You must
• configure the interfaces involved in the VPN
• define the phase 1 configuration for each of the four
possible paths, creating a virtual IPSec interface for each
one
• define the phase 2 configuration for each of the four
possible paths
• configure routes for the four IPSec interfaces, assigning
the appropriate priorities
• configure incoming and outgoing firewall policies between
the internal interface and each of the virtual IPSec
interfaces

To configure the network interfaces
1. Go to System > Network > Interface.
2. Select the Edit icon for the Internal interface, enter the
following information and then select OK:
Addressing mode: Manual
IP/Netmask: 192.168.12.0/255.255.255.0
3. Select the Edit icon for the WAN1 interface, enter the
following information and then select OK:
Addressing mode: Manual
IP/Netmask: 10.10.10.2/255.255.255.0
4. Select the Edit icon for the WAN2 interface, enter the
following information and then select OK:
Addressing mode: Manual
IP/Netmask: 172.16.20.2/255.255.255.0

To configure the IPSec interfaces (phase 1 configurations)
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information, and
select OK:
Name: Site_1_A
Remote Gateway: Static IP Address
IP Address: 10.10.20.2
Local Interface: WAN1
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced:
Enable IPSec Interface Mode: Select
Dead Peer Detection: Select

3. Select Create Phase 1, enter the following information, and
select OK:
Name: Site_1_B
Remote Gateway: Static IP Address
IP Address: 172.16.30.2
Local Interface: WAN1
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced:
Enable IPSec Interface Mode: Select
Dead Peer Detection: Select
4. Select Create Phase 1, enter the following information, and
select OK:
Name: Site_1_C
Remote Gateway: Static IP Address
IP Address: 10.10.20.2
Local Interface: WAN2
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced:
Enable IPSec Interface Mode: Select
Dead Peer Detection: Select
5. Select Create Phase 1, enter the following information, and
select OK:
Name: Site_1_D
Remote Gateway: Static IP Address
IP Address: 172.16.30.2
Local Interface: WAN2
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced:
Enable IPSec Interface Mode: Select
Dead Peer Detection: Select
To define the phase 2 configurations for the four VPNs
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2, enter the following information and
select OK:
Name: Route_A
Phase 1: Site_1_A
3. Select Create Phase 2, enter the following information and
select OK:
Name: Route_B
Phase 1: Site_1_B
4. Select Create Phase 2, enter the following information and
select OK:
Name: Route_C
Phase 1: Site_1_C
5. Select Create Phase 2, enter the following information and
select OK:
Name: Route_D
Phase 1: Site_1_D
To configure routes
1. Go to Router > Static.
2. Select Create New, enter the following default gateway
information and then select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: WAN1
Gateway: 10.10.10.1
Distance: 10
3. Select Create New, enter the following information and then
select OK:
Destination IP/Mask: 192.168.22.0/255.255.255.0
Device: Site_1_A
Distance: 1
4. Select Create New, enter the following information and then
select OK:
Destination IP/Mask: 192.168.22.0/255.255.255.0
Device: Site_1_B
Distance: 2
5. Select Create New, enter the following information and then
select OK:
Destination IP/Mask: 192.168.22.0/255.255.255.0
Device: Site_1_C
Distance: 3
6. Select Create New, enter the following information and then
select OK:
Destination IP/Mask: 192.168.22.0/255.255.255.0
Device: Site_1_D
Distance: 4
To configure firewall policies
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Internal
Source Address Name: All
Destination Interface/Zone: Site_1_A
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
3. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Site_1_A
Source Address Name: All
Destination Interface/Zone: Internal
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
4. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Internal
Source Address Name: All
Destination Interface/Zone: Site_1_B
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
5. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Site_1_B
Source Address Name: All
Destination Interface/Zone: Internal
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
6. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Internal
Source Address Name: All
Destination Interface/Zone: Site_1_C
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
7. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Site_1_C
Source Address Name: All
Destination Interface/Zone: Internal
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
8. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Internal
Source Address Name: All
Destination Interface/Zone: Site_1_D
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
9. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Site_1_D
Source Address Name: All
Destination Interface/Zone: Internal
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
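The checklist in “General configuration steps - route-based VPN” (one phase 1 with interface mode and DPD per path, one phase 2 per phase 1, one uniquely prioritized static route per IPSec interface, an ACCEPT policy in each direction) can be verified mechanically before the configuration goes live. The script below is an added example, not ZTE code; it loads the ZXSEC US_1 values from this chapter, reports anything missing, and shows which path carries traffic as DPD marks interfaces down.

```python
from dataclasses import dataclass

# Sample data below is the ZXSEC US_1 configuration from this chapter's
# route-based example; the checker itself is an added illustration, not ZTE code.


@dataclass(frozen=True)
class Phase1:
    name: str              # virtual IPSec interface name, e.g. Site_1_A
    local_interface: str   # WAN1 or WAN2
    remote_ip: str         # public IP address of the remote peer's interface
    interface_mode: bool   # "Enable IPSec Interface Mode"
    dpd: bool              # "Dead Peer Detection"


@dataclass(frozen=True)
class StaticRoute:
    destination: str       # "network/netmask"
    device: str            # outgoing interface (WAN1 or a virtual IPSec interface)
    distance: int          # lower distance wins


@dataclass(frozen=True)
class Policy:
    src_if: str
    dst_if: str
    action: str


@dataclass
class PeerConfig:
    internal_if: str
    phase1: list           # list of Phase1
    phase2: dict           # phase 2 name -> phase 1 name
    routes: list           # list of StaticRoute
    policies: list         # list of Policy, in policy-list order


def validate_route_based(cfg: PeerConfig) -> list:
    """Return human-readable problems; an empty list means every path has a
    phase 1 (interface mode + DPD), a phase 2, a uniquely prioritized static
    route and an ACCEPT policy in each direction."""
    problems = []
    names = {p.name for p in cfg.phase1}
    paths = {}  # (local interface, remote IP) -> phase 1 name; each path once
    for p in cfg.phase1:
        path = (p.local_interface, p.remote_ip)
        if path in paths:
            problems.append(f"{p.name} duplicates path {path} already used by {paths[path]}")
        paths[path] = p.name
        if not p.interface_mode:
            problems.append(f"{p.name}: IPSec Interface Mode not enabled")
        if not p.dpd:
            problems.append(f"{p.name}: Dead Peer Detection not enabled")
    bound = set(cfg.phase2.values())
    problems += [f"{n}: no phase 2 definition" for n in sorted(names - bound)]
    problems += [f"{p2}: refers to unknown phase 1 {p1}"
                 for p2, p1 in cfg.phase2.items() if p1 not in names]
    tunnel_routes = [r for r in cfg.routes if r.device in names]
    routed = {r.device for r in tunnel_routes}
    problems += [f"{n}: no static route over this IPSec interface" for n in sorted(names - routed)]
    distances = [r.distance for r in tunnel_routes]
    if len(set(distances)) != len(distances):
        problems.append("tunnel routes do not have distinct distances, so no failover order")
    for n in sorted(names):
        directions = {(cfg.internal_if, n): "outbound", (n, cfg.internal_if): "inbound"}
        for (s, d), label in directions.items():
            if not any(p.src_if == s and p.dst_if == d and p.action == "ACCEPT"
                       for p in cfg.policies):
                problems.append(f"{n}: missing {label} ACCEPT policy")
    return problems


def active_path(cfg: PeerConfig, down: set) -> str:
    """Name of the IPSec interface traffic currently uses: the lowest-distance
    tunnel route whose interface DPD has not marked down (None if all are down)."""
    names = {p.name for p in cfg.phase1}
    live = [r for r in cfg.routes if r.device in names and r.device not in down]
    return min(live, key=lambda r: r.distance).device if live else None


REMOTE_LAN = "192.168.22.0/255.255.255.0"
SITE_1 = PeerConfig(
    internal_if="Internal",
    phase1=[
        Phase1("Site_1_A", "WAN1", "10.10.20.2", True, True),
        Phase1("Site_1_B", "WAN1", "172.16.30.2", True, True),
        Phase1("Site_1_C", "WAN2", "10.10.20.2", True, True),
        Phase1("Site_1_D", "WAN2", "172.16.30.2", True, True),
    ],
    phase2={"Route_A": "Site_1_A", "Route_B": "Site_1_B",
            "Route_C": "Site_1_C", "Route_D": "Site_1_D"},
    routes=[
        StaticRoute("0.0.0.0/0.0.0.0", "WAN1", 10),
        StaticRoute(REMOTE_LAN, "Site_1_A", 1),
        StaticRoute(REMOTE_LAN, "Site_1_B", 2),
        StaticRoute(REMOTE_LAN, "Site_1_C", 3),
        StaticRoute(REMOTE_LAN, "Site_1_D", 4),
    ],
    policies=[Policy(s, d, "ACCEPT")
              for n in ("Site_1_A", "Site_1_B", "Site_1_C", "Site_1_D")
              for s, d in (("Internal", n), (n, "Internal"))],
)

if __name__ == "__main__":
    print("problems:", validate_route_based(SITE_1))
    print("active path, all tunnels up:", active_path(SITE_1, set()))
    print("active path after WAN1 fails:", active_path(SITE_1, {"Site_1_A", "Site_1_B"}))
```

Because Site_1_A and Site_1_B both leave through WAN1, a WAN1 outage takes both down and traffic moves to Site_1_C, which is exactly the priority order the example describes.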

Configuring ZXSEC US_2
The configuration for ZXSEC US_2 is very similar to that of ZXSEC
US_1. You must
• configure the interfaces involved in the VPN
• define the phase 1 configuration for each of the four
possible paths, creating a virtual IPSec interface for each
one
• define the phase 2 configuration for each of the four
possible paths
• configure routes for the four IPSec interfaces, assigning
the appropriate priorities
• configure incoming and outgoing firewall policies between
the internal interface and each of the virtual IPSec
interfaces
To configure the network interfaces
1. Go to System > Network > Interface.
2. Select the Edit icon for the Internal interface, enter the
following information and then select OK:
Addressing mode: Manual
IP/Netmask: 192.168.22.0/255.255.255.0
3. Select the Edit icon for the WAN1 interface, enter the
following information and then select OK:
Addressing mode: Manual
IP/Netmask: 10.10.20.2/255.255.255.0
4. Select the Edit icon for the WAN2 interface, enter the
following information and then select OK:
Addressing mode: Manual
IP/Netmask: 172.16.30.2/255.255.255.0

To configure the IPSec interfaces (phase 1 configurations)
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information, and
select OK:
Name: Site_2_A
Remote Gateway: Static IP Address
IP Address: 10.10.10.2
Local Interface: WAN1
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced:
Enable IPSec Interface Mode: Select
Dead Peer Detection: Select
3. Select Create Phase 1, enter the following information, and
select OK:
Name: Site_2_B
Remote Gateway: Static IP Address
IP Address: 172.16.20.2
Local Interface: WAN1
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced:
Enable IPSec Interface Mode: Select
Dead Peer Detection: Select
4. Select Create Phase 1, enter the following information, and
select OK:
Name: Site_2_C
Remote Gateway: Static IP Address
IP Address: 10.10.10.2
Local Interface: WAN2
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced:
Enable IPSec Interface Mode: Select
Dead Peer Detection: Select
5. Select Create Phase 1, enter the following information, and
select OK:
Name: Site_2_D
Remote Gateway: Static IP Address
IP Address: 172.16.20.2
Local Interface: WAN1
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced:
Enable IPSec Interface Mode: Select
Dead Peer Detection: Select
To define the phase 2 configurations for the four VPNs
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2, enter the following information and
select OK:
Name: Route_A
Phase 1: Site_2_A
3. Select Create Phase 2, enter the following information and
select OK:
Name: Route_B
Phase 1: Site_2_B
4. Select Create Phase 2, enter the following information and
select OK:
Name: Route_C
Phase 1: Site_2_C
5. Select Create Phase 2, enter the following information and
select OK:
Name: Route_D
Phase 1: Site_2_D

To configure routes
1. Go to Router > Static.
2. Select Create New, enter the following default gateway
information and then select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: WAN1
Gateway: 10.10.10.1
Distance: 10
3. Select Create New, enter the following information and then
select OK:
Destination IP/Mask: 192.168.12.0/255.255.255.0
Device: Site_2_A
Distance: 1
4. Select Create New, enter the following information and then
select OK:
Destination IP/Mask: 192.168.12.0/255.255.255.0
Device: Site_2_B
Distance: 2
5. Select Create New, enter the following information and then
select OK:
Destination IP/Mask: 192.168.12.0/255.255.255.0
Device: Site_2_C
Distance: 3
6. Select Create New, enter the following information and then
select OK:
Destination IP/Mask: 192.168.12.0/255.255.255.0
Device: Site_2_D
Distance: 4

To configure firewall policies
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Internal
Source Address Name: All
Destination Interface/Zone: Site_2_A
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
3. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Site_2_A
Source Address Name: All
Destination Interface/Zone: Internal
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
4. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Internal
Source Address Name: All
Destination Interface/Zone: Site_2_B
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
5. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Site_2_B
Source Address Name: All
Destination Interface/Zone: Internal
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
6. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Internal
Source Address Name: All
Destination Interface/Zone: Site_2_C
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
7. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Site_2_C
Source Address Name: All
Destination Interface/Zone: Internal
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
8. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Internal
Source Address Name: All
Destination Interface/Zone: Site_2_D
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT
9. Select Create New, enter the following information, and select
OK:
Source Interface/Zone: Site_2_D
Source Address Name: All
Destination Interface/Zone: Internal
Destination Address Name: All
Schedule: Always
Service: Any
Action: ACCEPT

General configuration steps - policy-based VPN
A redundant configuration at each VPN peer includes:
• one set of phase 1 parameters for the primary remote
interface, and another set for the redundant remote
interface
• one phase 2 definition for the primary tunnel and another
for the redundant tunnel
• one IPSec firewall policy per local interface: a single
IPSec policy per interface controls both inbound and
outbound IP traffic through the VPN tunnel
• a ping server configured on each local interface
The procedures in this section assume that two separate
interfaces to the Internet are available on each VPN peer. The
source addresses specified in both IPSec firewall policies on the
same VPN peer must be identical. Similarly, the destination
addresses specified in both IPSec firewall policies on the same
VPN peer must be identical.

Configure the VPN peers - policy-based VPN
Configure the VPN peers as follows:
1. At the local ZXSEC US unit, configure phase 1 parameters for
the primary interface of the remote peer. Refer to “Auto Key
phase 1 parameters”. Enter these settings in particular:
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the primary interface of the
remote peer.
Local Interface: The interface that connects to the primary
interface of the remote peer.
2. Repeat Step 1 for the redundant interface of the remote peer.
3. Create a phase 2 definition for the primary tunnel. Refer to
“Phase 2 parameters”. Enter these settings in particular:
Phase 1: Select the phase 1 configuration that you defined for
the primary interface of the remote peer. You can select the
name of the gateway from the Static IP Address part of the list.

4. Repeat Steps 3 and 4 for the redundant tunnel.
5. Define the source and destination addresses of the IP packets
that are to be transported through the primary and redundant
tunnels. Refer to “Defining firewall addresses”. Enter these
settings in particular:
• For the originating address (source address), enter the IP
address and netmask of the private network behind the
local ZXSEC US unit.
• For the remote address (destination address), enter the IP
address and netmask of the private network behind the
remote peer.
6. Define the IPSec firewall policy for the local primary interface.
Refer to “Defining firewall policies”. Enter these settings in
particular:
Source Interface/Zone: Select the local interface to the internal
(private) network.
Address Name: Select the source address that you defined in
Step 6.
Destination Interface/Zone: Select the local primary interface to
the Internet.
Address Name: Select the destination address that you defined
in Step 6.
Action: IPSEC
VPN Tunnel: Select the name of the phase 2 tunnel configuration
that you created in Step 3.
Select Allow inbound to enable traffic from the remote network to
initiate the tunnel.
Select Allow outbound to enable traffic from the local network to
initiate the tunnel.
7. Place the policy in the policy list above any other policies
having similar source and destination addresses.
8. Define an IPSec firewall policy for the local redundant
interface. Refer to “Defining firewall policies”. Enter these
settings in particular:
Source Interface/Zone: Select the local interface to the internal
(private) network.
Address Name: Select the source address that you defined in
Step 6.
Destination Interface/Zone: Select the local redundant interface
to the Internet.
Address Name: Select the destination address that you defined
in Step 6.
Action: IPSEC
VPN Tunnel: Select the name of the phase 2 configuration that
you created in Step 5.
Select Allow inbound to enable traffic from the remote network to
initiate the tunnel.
Select Allow outbound to enable traffic from the local network to
initiate the tunnel.
9. Place the policy in the policy list directly beneath the policy
for the primary interface.
10. Configure ping servers on the local primary and redundant
interfaces. Refer to “To add a ping server to an interface” in
the “System Network” chapter of the ZXSEC US
Administration Guide.
11. Repeat this procedure at the remote ZXSEC US unit.

Policy-based redundant tunnel configuration example
This example demonstrates how to set up a redundant-tunnel
IPSec VPN that uses preshared keys for authentication purposes.
In the example configuration (refer to Figure 17):
• Two separate interfaces to the Internet are available on
both VPN peers.
• Both VPN peers have static IP addresses for each public
interface.
• Both VPN peers operate in NAT/Route mode.

Figure 17: Example redundant-tunnel configuration

Configuring ZXSEC US_1
When a ZXSEC US unit receives a connection request from a
remote VPN peer, it uses IPSec phase 1 parameters to establish
a secure connection and authenticate the VPN peer. Then, if the
firewall policy permits the connection, the ZXSEC US unit
establishes the tunnel using IPSec phase 2 parameters and
applies the IPSec firewall policy. Key management,
authentication, and security services are negotiated dynamically
through the IKE protocol.
To support these functions, the following general configuration
steps must be performed at the ZXSEC US unit:
• Define the phase 1 parameters that the ZXSEC US unit
needs to authenticate the remote peer and establish a
secure connection. Refer to “Define the phase 1
parameters”.
• Define the phase 2 parameters that the ZXSEC US unit
needs to create a VPN tunnel with the remote peer. Refer
to “Define the phase 2 parameters”.
• Create IPSec firewall policies to control the permitted
services and permitted direction of traffic between the IP
source address and the IP destination address. Refer to
“Define the IPSec firewall policies”.

• Configure ping servers on the local interfaces to enable
the ZXSEC US unit to determine whether the remote
interfaces are accessible. If one of the tunnels fails, a
response will not be received and the ZXSEC US unit will
fail over to the other tunnel. Refer to “Configuring the
ping servers”.
The redundant-tunnel configuration on ZXSEC US_1 must
include:
• one set of phase 1 parameters for the primary remote
interface, and another set for the redundant remote
interface
• one phase 2 definition for the primary tunnel and another
for the redundant tunnel
• one IPSec firewall policy per local interface: a single
IPSec policy per interface controls both inbound and
outbound IP traffic through the VPN tunnel
• a ping server configured on each local interface.

Define the phase 1 parameters
The phase 1 configuration defines the parameters that ZXSEC
US_1 will use to authenticate ZXSEC US_2 and establish a
secure connection. For the purposes of this example, a preshared
key will be used to authenticate ZXSEC US_2. The same
preshared key must be specified at both ZXSEC US units.
Before you define the phase 1 parameters, you need to:
• Reserve a name for the primary remote interface.
• Reserve a name for the redundant remote interface.
• Obtain the IP addresses of the two remote interfaces.
• Reserve a unique value for the preshared key.
The key must contain at least 6 printable characters and should
only be known by network administrators. For optimum
protection against currently known attacks, the key should
consist of a minimum of 16 randomly chosen alphanumeric
characters.
To define the phase 1 parameters for the primary remote
interface
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information for the
primary interface of the remote peer, and select OK:
Name: Type a name for the primary remote interface (for
example, ZXSEC US_2_primary).
Remote Gateway: Static IP Address
IP Address: 10.10.20.1
Local Interface: Internal
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Accept any peer ID
Advanced: Select Dead Peer Detection.

To define the phase 1 parameters for the redundant remote
interface
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information for the
redundant interface of the remote peer, and select OK:
Name: Type a name for the redundant remote interface (for
example, ZXSEC US_2_redundant).
Remote Gateway: Static IP Address
IP Address: 172.16.30.1
Local Interface: Internal
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. The value must be
identical to the preshared key that you specified previously for
the primary remote interface.
Peer Options: Accept any peer ID
Advanced: Select Dead Peer Detection.

Define the phase 2 parameters
The basic phase 2 settings associate IPSec phase 2 parameters
with the phase 1 configuration and specify the remote end point
of the VPN tunnel. Before you define the phase 2 parameters,
you need to reserve a name for each tunnel. One phase 2
definition is needed for the primary tunnel, and another is
needed for the redundant tunnel.
To define the phase 2 parameters for the primary tunnel
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2 and enter the following information:
Name: Enter a name for the primary tunnel (for example,
US1toUS2_PTunnel).
Phase 1: Select the primary remote interface that you defined
previously (for example, ZXSEC US_2_primary).
3. Select OK.

To define the phase 2 parameters for the redundant tunnel
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2 and enter the following information:
Name: Enter a name for the redundant tunnel (for example,
US1toUS2_RTunnel).
Phase 1: Select the redundant remote interface that you defined
previously (for example, ZXSEC US_2_redundant).
3. Select OK.

Define the IPSec firewall policies
Firewall policies control all IP traffic passing between a source
address and a destination address. An IPSec firewall policy is
needed for each interface in the redundant-tunnel configuration
to allow the transmission of encrypted packets, specify the
permitted direction of VPN traffic, and select the VPN tunnel that
will be subject to the policy. A single policy per interface is
needed to control both inbound and outbound IP traffic through
the VPN tunnel.
Before you define the policies, you must first specify the
associated IP source and destination addresses. The source
addresses specified in both IPSec firewall policies must be
identical. Similarly, the destination addresses specified in both
IPSec firewall policies must be identical. In both cases:
• The source IP address corresponds to the private network
behind the local ZXSEC US unit.
• The destination IP address refers to the private network
behind the remote VPN peer.
To define the IP source address of the network behind
ZXSEC US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name: Enter an address name (for example,
Finance_Network).
Subnet/IP Range: Enter the IP address of the private network
behind ZXSEC US_1 (for example, 192.168.12.0/24).

To specify the destination address of IP packets delivered
to ZXSEC US_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:


Address Name Enter an address name (for example,
HR_Network).
Subnet/IP Range Enter the IP address of the private network
behind ZXSEC US_2 (for example, 192.168.22.0/24).
To define the IPSec firewall policy for the local primary interface
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the local interface to the internal (private) network.
Address Name
Finance_Network
Destination Interface/Zone
Select the local primary interface to the Internet.
Address Name
HR_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US1toUS2_PTunnel

3. Place the policy in the policy list above any other policies
having similar source and destination addresses.
To define the IPSec firewall policy for the local redundant
interface
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the local interface to the internal (private) network.
Address Name
Finance_Network
Destination Interface/Zone
Select the local redundant interface to the Internet.
Address Name
HR_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US1toUS2_RTunnel


3. Place the policy in the policy list directly beneath the policy
that you created for the primary interface.
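The ordering rule in step 3 of both policy procedures above (the IPSec policy above any other policy with similar source and destination addresses, the redundant policy directly beneath the primary one) can be checked mechanically: policies are evaluated top to bottom, so a broader policy placed above the IPSec policy would match the Finance_Network to HR_Network traffic first and the IPSEC action would never be applied. The following Python model is an added example, not part of this guide or of the unit's software; it uses the guide's address and tunnel names, while the interface names internal, wan1 and wan2 and the pre-existing general ACCEPT policy are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """One row of the Firewall > Policy list, reduced to the fields that
    decide whether a packet matches and what happens to it."""
    name: str
    src_intf: str
    src_addr: str                     # CIDR as entered under Firewall > Address
    dst_intf: str
    dst_addr: str
    action: str                       # "IPSEC", "ACCEPT" or "DENY"
    vpn_tunnel: Optional[str] = None  # phase 2 tunnel for IPSEC policies

    def covers(self, other: "Policy") -> bool:
        """True if every packet matching `other` also matches this policy."""
        return (self.src_intf == other.src_intf
                and self.dst_intf == other.dst_intf
                and ip_network(other.src_addr).subnet_of(ip_network(self.src_addr))
                and ip_network(other.dst_addr).subnet_of(ip_network(self.dst_addr)))

    def matches(self, src_intf: str, src_ip: str, dst_intf: str, dst_ip: str) -> bool:
        return (self.src_intf == src_intf and self.dst_intf == dst_intf
                and ip_address(src_ip) in ip_network(self.src_addr)
                and ip_address(dst_ip) in ip_network(self.dst_addr))


def first_match(policies, src_intf, src_ip, dst_intf, dst_ip) -> Optional[Policy]:
    """Top-to-bottom, first-match evaluation; None means implicit deny."""
    for policy in policies:
        if policy.matches(src_intf, src_ip, dst_intf, dst_ip):
            return policy
    return None


def shadowed_ipsec_policies(policies) -> List[str]:
    """Names of IPSEC policies that can never be hit because a policy above
    them covers the same interface pair and address pair. This is the
    situation the guide's 'place the policy above any other policies having
    similar source and destination addresses' rule prevents."""
    shadowed = []
    for i, policy in enumerate(policies):
        if policy.action != "IPSEC":
            continue
        if any(earlier.covers(policy) for earlier in policies[:i]):
            shadowed.append(policy.name)
    return shadowed


# Constructed sample: the guide's ZXSEC US_1 policies plus an assumed general
# ACCEPT policy for internal-to-Internet traffic on the primary interface.
FINANCE = "192.168.12.0/24"     # Finance_Network, behind ZXSEC US_1
HR = "192.168.22.0/24"          # HR_Network, behind ZXSEC US_2
PRIMARY_POLICY = Policy("Finance_to_HR_primary", "internal", FINANCE, "wan1", HR,
                        "IPSEC", "US1toUS2_PTunnel")
REDUNDANT_POLICY = Policy("Finance_to_HR_redundant", "internal", FINANCE, "wan2", HR,
                          "IPSEC", "US1toUS2_RTunnel")
GENERAL_ACCEPT = Policy("Internal_to_Internet", "internal", "0.0.0.0/0", "wan1",
                        "0.0.0.0/0", "ACCEPT")

# Wrong order: the general ACCEPT policy sits above the IPSEC policy.
WRONG_ORDER = [GENERAL_ACCEPT, PRIMARY_POLICY, REDUNDANT_POLICY]
# Order the guide prescribes: IPSEC policies first, redundant directly
# beneath primary, the general policy after both.
GUIDE_ORDER = [PRIMARY_POLICY, REDUNDANT_POLICY, GENERAL_ACCEPT]


def tunnel_for(policies, src_ip="192.168.12.10", dst_ip="192.168.22.10",
               egress_intf="wan1") -> Optional[str]:
    """Tunnel (if any) applied to a Finance->HR packet leaving via egress_intf."""
    hit = first_match(policies, "internal", src_ip, egress_intf, dst_ip)
    return hit.vpn_tunnel if hit and hit.action == "IPSEC" else None


if __name__ == "__main__":
    print("wrong order -> tunnel:", tunnel_for(WRONG_ORDER))            # None
    print("wrong order shadowed :", shadowed_ipsec_policies(WRONG_ORDER))
    print("guide order -> tunnel:", tunnel_for(GUIDE_ORDER))            # US1toUS2_PTunnel
    print("guide order via wan2 :", tunnel_for(GUIDE_ORDER, egress_intf="wan2"))
```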

Configuring the ping servers
When you enable ping servers on the local interfaces, ping
commands are sent periodically to the remote interfaces that you
specify. If a response is not received, the ZXSEC US unit switches
over to the redundant tunnel automatically.
The procedure below configures ZXSEC US_1 to ping the public
interfaces of ZXSEC US_2. This configuration ensures that the
entire path between ZXSEC US_1 and ZXSEC US_2 is tested.

Note: If required for your situation, you may ping an ISP
gateway or another major gateway instead. When you specify an
ISP gateway or another major gateway, the tunnel fails over
when the specified gateway fails to respond.
To add a ping server to the local primary interface
1. Go to System > Network > Interface.
2. In the row that corresponds to the primary interface, select
the Edit button.
3. In the Ping Server field, type the IP address of the primary
remote interface on ZXSEC US_2.
4. Select Enable.
5. In the Administrative Access group, ensure that PING is
selected.
6. Select OK.

Configuring ZXSEC US_2
The configuration of ZXSEC US_2 is similar to that of ZXSEC
US_1. You must:
 Define the phase 1 parameters that ZXSEC US_2 needs to
authenticate ZXSEC US_1 and establish a secure
connection.
 Define the phase 2 parameters that ZXSEC US_2 needs to
create a VPN tunnel with ZXSEC US_1.
 Create an IPSec firewall policy for each interface in the
redundant-tunnel configuration and define the scope of
permitted services between the IP source and destination
addresses.

 Configure ping servers on the local interfaces to enable
ZXSEC US_2 to determine whether the ZXSEC US_1
interfaces are accessible.
To define the phase 1 parameters for the primary remote
interface
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information for the
primary interface of the remote peer, and select OK:
Name Type a name for the primary remote interface (for
example, ZXSEC US_1_primary).
Remote Gateway Static IP Address
IP Address 10.10.10.1
Local Interface Internal
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. The value must be
identical to the preshared key that you specified previously in the
ZXSEC US_1 configuration.
Peer Options Accept any peer ID
Advanced Select Dead Peer Detection.
To define the phase 1 parameters for the redundant
remote interface
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information for the
redundant interface of the remote peer, and select OK:
Name Type a name for the redundant remote interface
(for example, ZXSEC US_1_redundant).
Remote Gateway Static IP Address
IP Address 172.16.20.1
Local Interface Internal
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. The value must be
identical to the preshared key that you specified previously in
the ZXSEC US_1 configuration.
Peer Options Accept any peer ID
Advanced Select Dead Peer Detection.
To define the phase 2 parameters for the primary tunnel
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2 and enter the following information:

Name Enter a name for the primary tunnel (for example,
US2toUS1_PTunnel).
Remote Gateway Select the primary remote interface that
you defined previously (for example, ZXSEC US_1_primary).
3. Select OK.
To define the phase 2 parameters for the redundant tunnel
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2 and enter the following information:
Name Enter a name for the redundant tunnel (for example,
US2toUS1_RTunnel).
Phase 1 Select the redundant remote interface that you
defined previously (for example, ZXSEC US_1_redundant).
3. Select OK.
To define the IP source address of the network behind
ZXSEC US_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
HR_Network).
Subnet/IP Range Enter the IP address of the private
network behind ZXSEC US_2 (for example, 192.168.22.0/24).
To specify the destination address of IP packets delivered to
ZXSEC US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
Finance_Network).
Subnet/IP Range Enter the IP address of the private network
behind ZXSEC US_1 (for example, 192.168.12.0/24).
To define the IPSec firewall policy for the local primary interface
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the local interface to the internal (private) network.
Address Name
HR_Network
Destination Interface/Zone

Select the local primary interface to the Internet.
Address Name
Finance_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US2toUS1_PTunnel

3. Place the policy in the policy list above any other policies
having similar source and destination addresses.
To define the IPSec firewall policy for the local redundant
interface
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the local interface to the internal (private) network.
Address Name
HR_Network
Destination Interface/Zone
Select the local redundant interface to the Internet.
Address Name Finance_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US2toUS1_RTunnel

3. Place the policy in the policy list directly beneath the policy
that you created for the primary interface.
To add a ping server to the local primary interface
1. Go to System > Network > Interface.
2. In the row that corresponds to the primary interface, select
the Edit button.
3. In the Ping Server field, type the IP address of the primary
remote interface on ZXSEC US_1.
4. Select Enable.
5. In the Administrative Access group, ensure that PING is
selected.
6. Select OK.


Partially redundant tunnel configuration example
This example demonstrates how to set up a partially redundant
IPSec VPN tunnel between a local ZXSEC US unit and a remote
VPN peer that receives a dynamic IP address from an ISP before
it connects to the ZXSEC US unit. For more information about
ZXSEC US dialup-client configurations, refer to “ZXSEC US
dialup-client configurations”.
In the example configuration (refer to Figure 18), both ZXSEC
US units use preshared keys for authentication purposes, and the
ZXSEC US dialup client (ZXSEC US_2) identifies itself using a
unique identifier (peer ID).
In this case, ZXSEC US_2 has only one connection to the
Internet. If the link to the ISP were to go down, the connection
to ZXSEC US_1 would be lost, and the tunnel would be taken
down. The tunnel is said to be partially redundant because
ZXSEC US_2 does not support a redundant connection.
When a ZXSEC US unit has more than one interface to the
Internet (refer to ZXSEC US_1 in Figure 18), you can configure
redundant tunnels—if the primary connection fails, the ZXSEC US
unit can establish a tunnel using the redundant connection.

Figure 18: Example partially redundant tunnel configuration


In the configuration example:
 Both ZXSEC US units operate in NAT/Route mode.
 Two separate interfaces to the Internet (10.10.10.1 and
172.16.20.2) are available on ZXSEC US_1. Each interface
has a static public IP address.
 ZXSEC US_2 has a single connection to the Internet and
obtains a dynamic public IP address (for example,
172.16.30.1) when it connects to the Internet.
 ZXSEC US_2 forwards IP packets from the SOHO network
(192.168.22.0/24) to the corporate network
(192.168.12.0/24) behind ZXSEC US_1 through a
partially redundant IPSec VPN tunnel. Encrypted packets
from ZXSEC US_2 are addressed to the public interface of
ZXSEC US_1. Encrypted packets from ZXSEC US_1 are
addressed to the public IP address of ZXSEC US_2.

Configuring ZXSEC US_1
When a ZXSEC US dialup server receives a connection request
from a ZXSEC US dialup client, it uses IPSec phase 1 parameters
to establish a secure connection and authenticate the dialup
client. Then, if the firewall policy permits the connection, the
ZXSEC US dialup server establishes the tunnel using IPSec phase
2 parameters and applies the IPSec firewall policy. Key
management, authentication, and security services are
negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration
steps must be performed at ZXSEC US_1:
 Define the phase 1 parameters that the dialup server
needs to authenticate the dialup client and establish a
secure connection. Refer to “Define the phase 1
parameters”.
 Define the phase 2 parameters that the dialup server
needs to create a VPN tunnel with the dialup client. Refer
to “Define the phase 2 parameters”.
 Create IPSec firewall policies to control the permitted
services and permitted direction of traffic between the IP
source address and the IP destination address. A single
IPSec policy per interface controls both inbound and
outbound IP traffic through the VPN tunnel. Refer to
“Define the IPSec firewall policies”.
 Configure a ping server on each local interface. Refer to
“Configuring the ping servers”.


Define the phase 1 parameters
The phase 1 configuration defines the parameters that ZXSEC
US_1 will use to authenticate ZXSEC US_2 and establish a
secure connection. For the purposes of this example, a preshared
key will be used to authenticate ZXSEC US_2. The same
preshared key must be specified at both ZXSEC US units.
In addition, a peer ID for ZXSEC US_2 is added to the ZXSEC
US_1 configuration to provide additional VPN connection security:
the tunnel can be initiated only by ZXSEC US_2, which presents
that ID when it attempts to connect to ZXSEC US_1.
Before you define the phase 1 parameters, you need to:
 Reserve a name for the phase 1 configuration.
 Reserve a unique value for the preshared key. The key
must contain at least 6 printable characters and should
only be known by network administrators. For optimum
protection against currently known attacks, the key
should consist of a minimum of 16 randomly chosen
alphanumeric characters.
 Reserve a unique identifier for ZXSEC US_2 to identify
itself to ZXSEC US_1. You will record the value in the
ZXSEC US_1 configuration as described below and will
need to assign the value to ZXSEC US_2 when you
configure ZXSEC US_2 (refer to “Configuring ZXSEC
US_2”).
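A check for the preshared-key requirements in the list above (at least 6 printable characters; at least 16 randomly chosen alphanumeric characters for optimum protection), written in Python as an added example that is not part of this guide or of the unit's software. The entropy figure is only meaningful if the key really was chosen at random; the check cannot tell a dictionary word from random characters, which is why the generator draws from the operating system's CSPRNG rather than letting an administrator invent a key.

```python
import math
import secrets
import string
from dataclasses import dataclass

ALPHANUMERIC = string.ascii_letters + string.digits    # 62 symbols
MIN_LENGTH = 6           # guide: at least 6 printable characters
RECOMMENDED_LENGTH = 16  # guide: at least 16 randomly chosen alphanumerics
# Guessing work of 16 random alphanumerics, the bar the recommendation sets.
RECOMMENDED_BITS = RECOMMENDED_LENGTH * math.log2(len(ALPHANUMERIC))  # ~95.3


@dataclass(frozen=True)
class KeyReport:
    acceptable: bool      # meets the 6-character minimum
    recommended: bool     # at least as hard to guess as 16 random alphanumerics
    alphabet_size: int    # symbols a random key of this shape is drawn from
    entropy_bits: float   # len(key) * log2(alphabet_size); valid only if random
    reason: str


def alphabet_size(key: str) -> int:
    """Union of the character classes present in the key: an all-lowercase
    key is scored against 26 symbols, a mixed alphanumeric one against 62."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, len(string.punctuation))]
    return sum(size for members, size in classes if any(c in members for c in key))


def check_preshared_key(key: str) -> KeyReport:
    """Apply the guide's two thresholds and estimate the key's entropy."""
    if not key or not all(c.isprintable() for c in key):
        return KeyReport(False, False, 0, 0.0, "empty or contains non-printable characters")
    size = alphabet_size(key)
    if size == 0:  # whitespace only: printable, but no usable character class
        return KeyReport(False, False, 0, 0.0, "contains no letters, digits or punctuation")
    bits = len(key) * math.log2(size)
    if len(key) < MIN_LENGTH:
        return KeyReport(False, False, size, bits,
                         f"shorter than the {MIN_LENGTH}-character minimum")
    if len(key) < RECOMMENDED_LENGTH or bits < RECOMMENDED_BITS:
        return KeyReport(True, False, size, bits,
                         f"meets the minimum; {RECOMMENDED_LENGTH} random alphanumerics recommended")
    return KeyReport(True, True, size, bits, "meets the recommendation")


def generate_preshared_key(length: int = RECOMMENDED_LENGTH) -> str:
    """Random alphanumeric key from the OS CSPRNG (never random.random), drawn
    until all three alphanumeric classes appear so it scores against 62 symbols."""
    if length < RECOMMENDED_LENGTH:
        raise ValueError(f"use at least {RECOMMENDED_LENGTH} characters")
    while True:
        key = "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))
        if alphabet_size(key) == len(ALPHANUMERIC):
            return key


if __name__ == "__main__":
    for candidate in ["abc", "secret1", "abcdefghijklmnop", generate_preshared_key()]:
        report = check_preshared_key(candidate)
        print(f"{candidate!r}: acceptable={report.acceptable} recommended={report.recommended} "
              f"entropy={report.entropy_bits:.1f} bits ({report.reason})")
```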
To define the phase 1 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information, and
select OK:
Name Type a name for the remote gateway (for example,
ZXSEC US_2GW).
Remote Gateway Dialup User
Local Interface Internal
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Select Accept this peer ID and type the
identifier that you reserved for ZXSEC US_2 (for example, ZXSEC
US_2).
Advanced Select Dead Peer Detection.


Define the phase 2 parameters
The basic phase 2 settings associate IPSec phase 2 parameters
with the phase 1 configuration and specify the remote end point
of the VPN tunnel. Before you define the phase 2 parameters,
you need to reserve a name for the tunnel.
To define the phase 2 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2, enter the following information and
select OK:
Name Enter a name for the tunnel (for example,
US1toUS2_Tunnel).
Phase 1 Select the gateway that you defined previously (for
example, ZXSEC US_2GW).

Define the IPSec firewall policies
Firewall policies control all IP traffic passing between a source
address and a destination address. An IPSec firewall policy is
needed for each interface in the redundant-tunnel configuration
to allow the transmission of encrypted packets, specify the
permitted direction of VPN traffic, and select the VPN tunnel that
will be subject to the policy. A single IPSec policy per interface is
needed to control both inbound and outbound IP traffic through
the VPN tunnel.
Before you define the policies, you must first specify the
associated IP source and destination addresses. The source
addresses specified in both IPSec firewall policies must be
identical. Similarly, the destination addresses specified in both
firewall policies must be identical. In both cases:
 The source IP address corresponds to the corporate
network behind ZXSEC US_1 (for example,
192.168.12.0/24).
 The destination IP address refers to the SOHO network
behind ZXSEC US_2 (for example, 192.168.22.0/24).
To define the IP source address of the network behind
ZXSEC US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
Corporate_Network).

Subnet/IP Range Enter the IP address of the private network
behind ZXSEC US_1 (for example, 192.168.12.0/24).
To specify the destination address of IP packets delivered
to ZXSEC US_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
SOHO_Network).
Subnet/IP Range Enter the IP address of the private network
behind ZXSEC US_2 (for example, 192.168.22.0/24).
To define the IPSec firewall policy for the local primary
interface
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the local interface to the internal (private) network.
Address Name
Corporate_Network
Destination Interface/Zone
Select the local primary interface to the Internet.
Address Name
SOHO_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US1toUS2_Tunnel
Select Allow inbound to enable traffic from the remote network to
initiate the tunnel.
Clear Allow outbound to prevent traffic from the local network from
initiating the tunnel after the tunnel has been established.
3. Place the policy in the policy list above any other policies
having similar source and destination addresses.
To define the IPSec firewall policy for the local redundant
interface
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the local interface to the internal (private) network.

Address Name
Corporate_Network
Destination Interface/Zone
Select the local redundant interface to the Internet.
Address Name
SOHO_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US1toUS2_Tunnel
Select Allow inbound to enable traffic from the remote network to
initiate the tunnel.
Clear Allow outbound to prevent traffic from the local network from
initiating the tunnel after the tunnel has been established.
3. Place the policy in the policy list directly beneath the policy
that you created for the primary interface.

Configuring the ping servers
When you enable a ping server on a local interface, ICMP Echo
messages are sent to the IP address that you specify to
determine if a remote host is active.
Optimally, ZXSEC US_1 would be configured to ping ZXSEC US_2
to ensure that the entire path between ZXSEC US_1 and ZXSEC
US_2 is tested. However, because the public IP address of ZXSEC
US_2 is assigned dynamically when ZXSEC US_2 establishes a
connection to the Internet (that is, the IP address is not known
ahead of time), you cannot configure ZXSEC US_1 to ping
ZXSEC US_2 directly. Instead, you may configure ZXSEC US_1
to ping an ISP gateway between ZXSEC US_1 and ZXSEC US_2.
When you specify an ISP gateway, the tunnel fails over when the
specified gateway fails to respond.
To add a ping server to the local primary interface
1. Go to System > Network > Interface.
2. In the row that corresponds to the primary interface, select
the Edit button.
3. In the Ping Server field, type the public IP address of the ISP
gateway.
4. Select Enable.
5. In the Administrative Access group, ensure that PING is
selected.
6. Select OK.


To add a ping server to the local redundant interface
1. Go to System > Network > Interface.
2. In the row that corresponds to the redundant interface, select
the Edit button.
3. In the Ping Server field, type the public IP address of the
same gateway that you specified for the primary interface.
4. Select Enable.
5. In the Administrative Access group, ensure that PING is
selected.
6. Select OK.
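The failover rule described in this “Configuring the ping servers” section and in the one for the fully redundant example (a local interface whose ping server gets no reply is treated as down, and traffic moves to the redundant path) is modelled here in Python as an added example that is not part of this guide or of the unit's software. It also shows the consequence of pointing both interfaces at the same ISP gateway, as the procedure above prescribes: a failure of the primary link still fails over, but if the gateway itself stops answering, both paths are judged down at once. The interface names wan1/wan2, the single-miss threshold and the RFC 5737 addresses standing in for the ZXSEC US_2 interfaces and the ISP gateway are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class PingServer:
    """The Ping Server setting of one local interface (System > Network >
    Interface): probes go to `target`; a missing reply marks the path down."""
    interface: str
    target: str            # IP address typed into the Ping Server field
    missed: int = 0        # consecutive probes with no ICMP Echo reply


@dataclass
class FailoverMonitor:
    """Picks the interface that should carry the VPN: the first one, in
    primary-then-redundant order, whose ping server is still answering."""
    servers: List[PingServer]
    failover_after: int = 1    # assumed: fail over as soon as one reply is missed
    history: List[Optional[str]] = field(default_factory=list)

    def observe(self, replies: Dict[str, bool]) -> Optional[str]:
        """Apply one round of probe results ({interface: got_reply}) and
        return the interface now used for the tunnel (None = all paths down)."""
        for s in self.servers:
            s.missed = 0 if replies.get(s.interface, False) else s.missed + 1
        active = self.active_interface()
        self.history.append(active)
        return active

    def active_interface(self) -> Optional[str]:
        for s in self.servers:
            if s.missed < self.failover_after:
                return s.interface
        return None


def probe_round(servers: Iterable[PingServer], down_interfaces: Iterable[str] = (),
                unreachable_targets: Iterable[str] = ()) -> Dict[str, bool]:
    """Constructed probe results for one round: a probe is answered unless its
    own interface is down or the address it pings is unreachable."""
    down, unreachable = set(down_interfaces), set(unreachable_targets)
    return {s.interface: s.interface not in down and s.target not in unreachable
            for s in servers}


def run(monitor: FailoverMonitor, rounds: List[Dict[str, bool]]) -> List[Optional[str]]:
    return [monitor.observe(r) for r in rounds]


# Constructed stand-ins (RFC 5737 documentation ranges) for addresses the guide
# leaves to the reader: the public interfaces of ZXSEC US_2 and the ISP gateway.
US2_PRIMARY, US2_REDUNDANT, ISP_GATEWAY = "192.0.2.2", "198.51.100.2", "203.0.113.1"


def fully_redundant() -> List[Optional[str]]:
    """Fully redundant example: ZXSEC US_1 pings each public interface of
    ZXSEC US_2, so the primary and redundant paths are tested independently."""
    servers = [PingServer("wan1", US2_PRIMARY), PingServer("wan2", US2_REDUNDANT)]
    rounds = [
        probe_round(servers),                                     # both paths answer
        probe_round(servers, down_interfaces={"wan1"}),           # local primary link down
        probe_round(servers, unreachable_targets={US2_PRIMARY}),  # remote primary silent
        probe_round(servers),                                     # primary path recovers
    ]
    return run(FailoverMonitor(servers), rounds)


def partially_redundant() -> List[Optional[str]]:
    """Partially redundant example: both local interfaces ping the same ISP
    gateway. A link failure on one interface still fails over, but the gateway
    itself going silent leaves no path that the unit considers usable."""
    servers = [PingServer("wan1", ISP_GATEWAY), PingServer("wan2", ISP_GATEWAY)]
    rounds = [
        probe_round(servers),                                     # gateway answers
        probe_round(servers, down_interfaces={"wan1"}),           # primary link down
        probe_round(servers, unreachable_targets={ISP_GATEWAY}),  # gateway itself down
        probe_round(servers),                                     # everything back
    ]
    return run(FailoverMonitor(servers), rounds)


if __name__ == "__main__":
    print("fully redundant    :", fully_redundant())      # ['wan1', 'wan2', 'wan2', 'wan1']
    print("partially redundant:", partially_redundant())  # ['wan1', 'wan2', None, 'wan1']
```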

Configuring ZXSEC US_2
The configuration of ZXSEC US_2 is similar to that of ZXSEC
US_1. You must:
 Define the phase 1 parameters that ZXSEC US_2 needs to
authenticate ZXSEC US_1 and establish a secure
connection. You need one set of phase 1 parameters for
the primary ZXSEC US_1 gateway, and another set for the
redundant ZXSEC US_1 gateway.
 Define the phase 2 parameters that ZXSEC US_2 needs to
create a VPN tunnel with ZXSEC US_1. You need one
phase 2 definition that specifies both the primary and
redundant ZXSEC US_1 gateways.
 Create an IPSec firewall policy to define the scope of
permitted services between the IP source and destination
addresses. A single policy is needed to control both
inbound and outbound IP traffic through the VPN tunnel.
To define the phase 1 parameters for the primary ZXSEC
US_1 gateway
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information, and
select OK:
Name Type a name for the primary ZXSEC US_1 gateway (for
example, ZXSEC US_1_primary).
Remote Gateway Static IP Address
IP Address 10.10.10.1
Local Interface Internal
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. The value must be
identical to the preshared key that you specified previously in the
ZXSEC US_1 configuration.

Peer Options Accept any peer ID
Advanced Set these Advanced options:
 In the Local ID field, type the identifier that you reserved
for ZXSEC US_2 (for example, ZXSEC US_2). The value
must be identical to the peer ID that you specified
previously in the ZXSEC US_1 configuration.
 Select Dead Peer Detection.
To define the phase 1 parameters for the redundant ZXSEC
US_1 gateway
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1, enter the following information, and
select OK:
Name Type a name for the redundant ZXSEC US_1 gateway
(for example, ZXSEC US_1_redundant).
Remote Gateway Static IP Address
IP Address 172.16.20.2
Local Interface Internal
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. The value must be
identical to the preshared key that you specified previously in the
ZXSEC US_1 configuration.
Peer Options Accept any peer ID
Advanced Set these Advanced options:
 In the Local ID field, type the identifier that you reserved
for ZXSEC US_2 (for example, ZXSEC US_2). The value
must be identical to the peer ID that you specified
previously in the ZXSEC US_1 configuration.
 Select Dead Peer Detection.

To define the phase 2 parameters
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 2 and enter the following information:
Name Enter a name for the tunnel (for example,
US2toUS1_Tunnel).
Phase 1 Select the primary remote gateway that you defined
previously (for example, ZXSEC US_1_primary).

3. Select the add button beside the Remote Gateway list.
4. From the second list, select the redundant remote gateway
(for example, ZXSEC US_1_redundant).
5. Select OK.

To define the IP source address of the network behind
ZXSEC US_2
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
SOHO_Network).
Subnet/IP Range Enter the IP address of the private network
behind ZXSEC US_2 (for example, 192.168.22.0/24).
To specify the destination address of IP packets delivered
to ZXSEC US_1
1. Go to Firewall > Address.
2. Select Create New, enter the following information, and select
OK:
Address Name Enter an address name (for example,
Corporate_Network).
Subnet/IP Range Enter the IP address of the private network
behind ZXSEC US_1 (for example, 192.168.12.0/24).
To define the IPSec firewall policy
1. Go to Firewall > Policy.
2. Select Create New, enter the following information, and select
OK:
Source Interface/Zone
Select the local interface to the internal (private) network.

Address Name SOHO_Network
Destination Interface/Zone
Select the local interface to the Internet.
Address Name Corporate_Network
Schedule As required.
Service As required.
Action IPSEC
VPN Tunnel US2toUS1_Tunnel
Clear Allow inbound to prevent traffic from the remote network from
initiating the tunnel after the tunnel has been established.
Select Allow outbound to enable traffic from the local network to
initiate the tunnel.
3. Place the policy in the policy list above any other policies
having similar source and destination addresses.

Chapter 10

Transparent VPN
configurations

Overview
This section describes transparent VPN configurations, in which
two ZXSEC US units create a VPN tunnel between two separate
private networks transparently.
The following topics are included in this section:
 Configuration overview
 Configure the VPN peers

Configuration overview
In Transparent mode, all interfaces of the ZXSEC US unit except
the management interface (which by default is assigned IP
address 10.10.10.1/255.255.255.0) are invisible at the network
layer. Typically, when a ZXSEC US unit runs in Transparent mode,
different network segments are connected to the ZXSEC US
interfaces.
Figure 19 shows the management station on the same subnet.
The management station can connect to the ZXSEC US unit
directly through the web-based manager.

Figure 19: Management station on internal network

An edge router typically provides a public connection to the
Internet and one interface of the ZXSEC US unit is connected to
the router. If the ZXSEC US unit is managed from an external
address (refer to Figure 20), the router must translate (NAT) a
routable address to direct management traffic to the ZXSEC US
management interface.

Figure 20: Management station on external network

In a transparent VPN configuration, two ZXSEC US units create a
VPN tunnel between two separate private networks transparently.
All traffic between the two networks is encrypted and protected
by ZXSEC US firewall policies.
Both ZXSEC US units may be running in Transparent mode, or
one could be running in Transparent mode and the other running
in NAT/Route mode. If the remote peer is running in NAT/Route
mode, it must have a static public IP address.

Note: VPNs between two ZXSEC US units running in
Transparent mode do not support inbound/outbound NAT
(supported through CLI commands) within the tunnel. In
addition, a ZXSEC US unit running in Transparent mode cannot
be used in a hub-and-spoke configuration.


Encrypted packets from the remote VPN peer are addressed to
the management interface of the local ZXSEC US unit. If the
local ZXSEC US unit can reach the VPN peer locally, a static route
to the VPN peer must be added to the routing table on the local
ZXSEC US unit. If the VPN peer connects through the Internet,
encrypted packets from the local ZXSEC US unit must be routed
to the edge router instead.
For information about how to add a static route to the ZXSEC US
routing table, refer to the “Router Static” chapter of the ZXSEC
US Administration Guide.
In the example configuration shown in Figure 20, Network
Address Translation (NAT) is enabled on the router. When an
encrypted packet from the remote VPN peer arrives at the router
through the Internet, the router performs inbound NAT and
forwards the packet to the ZXSEC US unit. Refer to the software
supplier’s documentation to configure the router.
If you want to configure a VPN between two ZXSEC US units
running in Transparent mode, each unit must have an
independent connection to a router that acts as a gateway to the
Internet, and both units must be on separate networks that have
a different address space. When the two networks linked by the
VPN tunnel have different address spaces (refer to Figure 21), at
least one router must separate the two ZXSEC US units, unless
the packets can be redirected using ICMP (refer to Figure 22).

Figure 21: Link between two ZXSEC US units running in Transparent mode

In Figure 22, interface C behind the router is the default gateway
for both ZXSEC US units. Packets that cannot be delivered on
Network_1 are routed to interface C by default. Similarly,
packets that cannot be delivered on Network_2 are routed to
interface C. In this case, the router must be configured to
redirect packets destined for Network_1 to interface A and
redirect packets destined for Network_2 to interface B.


Figure 22: ICMP redirecting packets to two ZXSEC US units running in Transparent mode

If there are additional routers behind the ZXSEC US unit (refer to
Figure 23) and the destination IP address of an inbound packet is
on a network behind one of those routers, the ZXSEC US routing
table must include routes to those networks. For example, in
Figure 23, the ZXSEC US unit must be configured with static
routes to interfaces A and B in order to forward packets to
Network_1 and Network_2 respectively.

Figure 23: Destinations on remote networks behind internal routers

Transparent VPN infrastructure requirements
 The local ZXSEC US unit must be operating in Transparent
mode.
 The management IP address of the local ZXSEC US unit
specifies the local VPN gateway. The management IP
address is considered a static IP address for the local VPN
peer.


 If the local ZXSEC US unit is managed through the
Internet, or if the VPN peer connects through the Internet,
the edge router must be configured to perform inbound
NAT and forward management traffic and/or encrypted
packets to the ZXSEC US unit.
 If the remote peer is operating in NAT/Route mode, it
must have a static public IP address.
A ZXSEC US unit operating in Transparent mode requires the
following basic configuration to operate as a node on the IP
network:
 The unit must have sufficient routing information to reach
the management station.
 For any traffic to reach external destinations, a default
static route to the edge router must be present in the
ZXSEC US routing table. The router forwards packets to
the Internet.
 When all of the destinations are located on the external
network, the ZXSEC US unit may route packets using a
single default static route. If the network topology is
more complex, one or more static routes in addition to
the default static route may be required in the ZXSEC US
routing table.

Before you begin
An IPSec VPN definition links a gateway with a tunnel and an
IPSec policy. If your network topology includes more than one
virtual domain, you must choose components that were created
in the same virtual domain. Therefore, before you define a
transparent VPN configuration, choose an appropriate virtual
domain in which to create the required interfaces, firewall
policies, and VPN components.
For more information, refer to the “Using virtual domains”
chapter of the ZXSEC US Administration Guide.

Configure the VPN peers
The following procedure assumes that the local VPN peer
operates in Transparent mode. The remote VPN peer may
operate in NAT/Route mode or Transparent mode.
1. At the local ZXSEC US unit, define the phase 1 parameters
needed to establish a secure connection with the remote peer.
Refer to “Auto Key phase 1 parameters”. Select Advanced
and enter these settings in particular:
Remote Gateway Select Static IP Address.


IP Address Type the IP address of the public interface to the
remote peer. If the remote peer is a ZXSEC US unit running in
Transparent mode, type the IP address of the remote management
interface.
Advanced Select Nat-traversal, and type a value into the
Keepalive Frequency field. These settings protect the headers of
encrypted packets from being altered by external NAT devices and
ensure that NAT address mappings do not change while the VPN
tunnel is open. For more information, refer to “NAT traversal” and
“NAT keepalive frequency”.
2. Define the phase 2 parameters needed to create a VPN tunnel
with the remote peer. Refer to “Phase 2 parameters”. Enter
these settings in particular:
Phase 1 Select the set of phase 1 parameters that you defined
for the remote peer. The name of the remote peer can be selected
from the Static IP Address list.

3. Define the source and destination addresses of the IP packets
that are to be transported through the VPN tunnel. Refer to
“Defining firewall addresses”. Enter these settings in
particular:
 For the originating address (source address), enter the IP
address of the local management interface (for example,
10.10.10.1/32).
 For the remote address (destination address), enter the IP
address and netmask of the private network behind the
remote peer (for example, 192.168.10.0/24). If the
remote peer is a ZXSEC US unit running in Transparent
mode, enter the IP address of the remote management
interface instead.
4. Define an IPSec firewall policy to permit communications
between the source and destination addresses. Refer to
“Defining firewall policies”. Enter these settings in particular:
Source Interface/Zone Select the local interface to the internal
(private) network.
Source Address Name Select the source address that you
defined in Step 3.
Destination Interface/Zone Select the interface to the edge
router. When you configure the IPSec firewall policy on a remote
peer that operates in NAT/Route mode, you select the public
interface to the external (public) network instead.
Destination Address Name Select the destination address that
you defined in Step 3.
Action IPSEC
VPN Tunnel Select the name of the phase 2 tunnel configuration that
you created in Step 2.
Select Allow inbound to enable traffic from the remote network to
initiate the tunnel.
Select Allow outbound to enable traffic from the local network to
initiate the tunnel.

5. Place the policy in the policy list above any other policies
having similar source and destination addresses.
6. Repeat this procedure at the remote ZXSEC US unit.
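The following Python script is an added illustration of the first-match policy semantics behind step 5; it is not ZXSEC US code, and the policy names, interface names and the tunnel name site_b_p2 are constructed placeholders. It models the policy list as an ordered list and shows that when a broader ACCEPT policy for the same interfaces sits above the IPSec policy, traffic from the management address 10.10.10.1 to 192.168.10.0/24 is matched by the broader policy and never enters the tunnel. It also reports such shadowed policies so the ordering can be checked before traffic is sent.

```python
# Added example: first-match policy ordering for an IPSec policy (not ZXSEC US code).
# Policy names, interface names and the tunnel name are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    src_if: str       # Source Interface/Zone
    dst_if: str       # Destination Interface/Zone
    src: str          # Source Address (CIDR)
    dst: str          # Destination Address (CIDR)
    action: str       # "IPSEC" or "ACCEPT"
    tunnel: Optional[str] = None   # VPN Tunnel (phase 2 name) for IPSEC policies


def first_match(policies: List[Policy], src_if: str, dst_if: str,
                src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Return the first policy in list order that matches the flow, the way
    a top-down policy list is evaluated."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if (p.src_if, p.dst_if) != (src_if, dst_if):
            continue
        if s in ip_network(p.src) and d in ip_network(p.dst):
            return p
    return None


def tunnel_for(policies: List[Policy], src_if: str, dst_if: str,
               src_ip: str, dst_ip: str) -> Optional[str]:
    """Name of the tunnel the flow enters, or None if it is handled in clear."""
    p = first_match(policies, src_if, dst_if, src_ip, dst_ip)
    return p.tunnel if p is not None and p.action == "IPSEC" else None


def shadowed_policies(policies: List[Policy]) -> List[Tuple[str, str]]:
    """(shadowed, shadowing) pairs: a later policy whose source and destination
    networks both lie inside an earlier policy on the same interfaces can never
    be reached."""
    result = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            same_ifs = (earlier.src_if, earlier.dst_if) == (later.src_if, later.dst_if)
            if (same_ifs
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))):
                result.append((later.name, earlier.name))
                break
    return result


# Constructed policies: the IPsec policy from steps 3-4 (management address
# 10.10.10.1/32 to the remote private network 192.168.10.0/24) and a broad
# policy that permits everything from the internal interface to the edge router.
IPSEC_POLICY = Policy("to_remote_site", "internal", "wan1",
                      "10.10.10.1/32", "192.168.10.0/24", "IPSEC", "site_b_p2")
BROAD_POLICY = Policy("internet_out", "internal", "wan1",
                      "0.0.0.0/0", "0.0.0.0/0", "ACCEPT")


def ordered_correctly() -> List[Policy]:
    return [IPSEC_POLICY, BROAD_POLICY]     # IPsec policy above, as step 5 requires


def ordered_wrongly() -> List[Policy]:
    return [BROAD_POLICY, IPSEC_POLICY]     # broad policy shadows the tunnel


if __name__ == "__main__":
    flow = ("internal", "wan1", "10.10.10.1", "192.168.10.5")
    print("correct order ->", tunnel_for(ordered_correctly(), *flow))
    print("wrong order   ->", tunnel_for(ordered_wrongly(), *flow))
    print("shadowed:", shadowed_policies(ordered_wrongly()))
```

Running shadowed_policies over the list after every policy change is a cheap way to catch the ordering mistake step 5 warns about before it silently sends traffic in clear.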



Chapter 11

Manual-key configurations

Overview
This section explains how to manually define cryptographic keys
to establish an IPSec VPN, either policy-based or route-based.
The following topics are included in this section:
 Configuration overview
 Specify the manual keys for creating a tunnel

Configuration overview
If required, you can manually define cryptographic keys for the
ZXSEC US unit to establish an IPSec VPN. You define manual
keys where:
 Prior knowledge of the encryption and/or authentication
key is required (that is, one of the VPN peers requires a
specific IPSec encryption and/or authentication key).
 Encryption and authentication needs to be disabled.
In both cases, you do not specify IPSec phase 1 and phase 2
parameters; you define manual keys on the VPN > IPSEC >
Manual Key tab instead.
If one VPN peer uses specific authentication and encryption keys
to establish a tunnel, both VPN peers must be configured to use
the same encryption and authentication algorithms and keys.

Note: It may not be safe or practical to define manual keys
because network administrators must be trusted to keep the
keys confidential, and propagating changes to remote VPN peers
in a secure manner may be difficult.

It is essential that both VPN peers be configured with matching
encryption and authentication algorithms, matching
authentication and encryption keys, and complementary Security
Parameter Index (SPI) settings.
Each SPI identifies a Security Association (SA). The value is
placed in ESP datagrams to link the datagrams to the SA. When
an ESP datagram is received, the recipient refers to the SPI to
determine which SA applies to the datagram. An SPI must be
specified manually for each SA. Because an SA applies to
communication in one direction only, you must specify two SPIs
per configuration (a local SPI and a remote SPI) to cover
bidirectional communications between two VPN peers.

Caution: If you are not familiar with the security policies,
SAs, selectors, and SA databases for your particular installation,
do not attempt the following procedure without qualified
assistance.

Specify the manual keys for creating a tunnel
Specify the manual keys for creating a tunnel as follows:
1. Go to VPN > IPSEC > Manual Key and select Create New.
2. Include appropriate entries as follows:
VPN Tunnel Name Type a name for the VPN tunnel.
Local SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f)
that represents the SA that handles outbound traffic on the local
ZXSEC US unit. The valid range is from 0x100 to 0xffffffff. This
value must match the Remote SPI value in the manual key
configuration at the remote peer.
Remote SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f)
that represents the SA that handles inbound traffic on the local
ZXSEC US unit. The valid range is from 0x100 to 0xffffffff. This
value must match the Local SPI value in the manual key
configuration at the remote peer.
Remote Gateway Type the IP address of the public interface to
the remote peer. The address identifies the recipient of ESP
datagrams.
Local Interface Select the name of the physical, aggregate, or
VLAN interface to which the IPSec tunnel will be bound. The ZXSEC
US unit obtains the IP address of the interface from System >
Network > Interface settings. This is available in NAT/Route mode
only.
Encryption Algorithm Select one of the following symmetric-key
encryption algorithms:
 DES-Data Encryption Standard, a 64-bit block algorithm
that uses a 56-bit key.
 3DES-Triple-DES, in which plain text is encrypted three
times by three keys.
 AES128-A 128-bit block algorithm that uses a 128-bit key.
 AES192-A 128-bit block algorithm that uses a 192-bit key.
 AES256-A 128-bit block algorithm that uses a 256-bit key.
Authentication Algorithm Select one of the following message digests:
 MD5-Message Digest 5 algorithm, which produces a 128-
bit message digest.
 SHA1-Secure Hash Algorithm 1, which produces a 160-bit
message digest.
Authentication Key If you selected:
 MD5, type a 32-character hexadecimal number (0-9, a-f)
separated into two segments of 16 characters.
 SHA1, type a 40-character hexadecimal number (0-9, a-f)
separated into one segment of 16 characters and a
second segment of 24 characters.
IPSec Interface Mode Select to create a route-based VPN.
A virtual IPSec interface is created on the Local Interface that
you selected. This option is available only in NAT/Route mode.
3. Select OK.
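The following Python script is an added example, not ZXSEC US code, that cross-checks the manual-key entries of two peers before they are committed: SPIs must be 1 to 8 hexadecimal digits in the range 0x100 to 0xffffffff, each peer's Local SPI must equal the other peer's Remote SPI, both peers must select the same algorithms and the same authentication key, and the key must have the length the selected digest requires (32 hex characters for MD5, 40 for SHA1). The peer names, gateway addresses (TEST-NET-3), SPIs and key are constructed sample values; a '-' between key segments is accepted as a convenience of this example.

```python
# Added example: cross-checking two peers' manual-key settings (not ZXSEC US code).
# Peer names, addresses, SPIs and keys are constructed sample values.
import re
from dataclasses import dataclass
from typing import List, Optional

ENCRYPTION_ALGS = {"des", "3des", "aes128", "aes192", "aes256"}
AUTH_KEY_HEX_LEN = {"md5": 32, "sha1": 40}      # 128-bit / 160-bit keys as hex
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class ManualKeyConfig:
    name: str
    local_spi: str        # hex, up to 8 characters
    remote_spi: str
    remote_gateway: str
    encryption: str       # DES, 3DES, AES128, AES192 or AES256
    authentication: str   # MD5 or SHA1
    auth_key: str         # hex; segments may be written with '-' between them


def spi_value(spi: str) -> Optional[int]:
    """Parse an SPI field; None if it is not 1-8 hex digits in 0x100..0xffffffff."""
    s = spi.lower()
    if s.startswith("0x"):
        s = s[2:]
    if not HEX_RE.match(s) or len(s) > 8:
        return None
    value = int(s, 16)
    return value if SPI_MIN <= value <= SPI_MAX else None


def normalised_key(key: str) -> str:
    return key.replace("-", "").lower()


def validate_one(cfg: ManualKeyConfig) -> List[str]:
    """Field-level checks on a single peer's form entries."""
    errors = []
    for label, spi in (("Local SPI", cfg.local_spi), ("Remote SPI", cfg.remote_spi)):
        if spi_value(spi) is None:
            errors.append(f"{cfg.name}: {label} {spi!r} must be 1-8 hex digits "
                          f"between 0x100 and 0xffffffff")
    if cfg.encryption.lower() not in ENCRYPTION_ALGS:
        errors.append(f"{cfg.name}: unknown encryption algorithm {cfg.encryption!r}")
    alg = cfg.authentication.lower()
    if alg not in AUTH_KEY_HEX_LEN:
        errors.append(f"{cfg.name}: unknown authentication algorithm {cfg.authentication!r}")
    else:
        key = normalised_key(cfg.auth_key)
        want = AUTH_KEY_HEX_LEN[alg]
        if not HEX_RE.match(key) or len(key) != want:
            errors.append(f"{cfg.name}: {alg} authentication key must be {want} hex "
                          f"characters, got {len(key)}")
    return errors


def validate_pair(a: ManualKeyConfig, b: ManualKeyConfig) -> List[str]:
    """Both peers must use matching algorithms and keys, and each peer's Local
    SPI must equal the other peer's Remote SPI (one SA per direction)."""
    errors = validate_one(a) + validate_one(b)
    if a.encryption.lower() != b.encryption.lower():
        errors.append("encryption algorithms differ between peers")
    if a.authentication.lower() != b.authentication.lower():
        errors.append("authentication algorithms differ between peers")
    elif normalised_key(a.auth_key) != normalised_key(b.auth_key):
        errors.append("authentication keys differ between peers")
    for out_peer, in_peer in ((a, b), (b, a)):
        out_spi, in_spi = spi_value(out_peer.local_spi), spi_value(in_peer.remote_spi)
        if out_spi is not None and in_spi is not None and out_spi != in_spi:
            errors.append(f"{out_peer.name} Local SPI must equal {in_peer.name} Remote SPI")
    return errors


# Constructed sample: a 40-hex-digit SHA1 key written as a 16 + 24 character pair.
SHA1_KEY = "0123456789abcdef-0123456789abcdef01234567"
PEER_A = ManualKeyConfig("site_a", "1a2b3c4d", "4d3c2b1a", "203.0.113.2",
                         "AES256", "SHA1", SHA1_KEY)
PEER_B = ManualKeyConfig("site_b", "4d3c2b1a", "1a2b3c4d", "203.0.113.1",
                         "AES256", "SHA1", SHA1_KEY)

if __name__ == "__main__":
    print("consistent pair:", validate_pair(PEER_A, PEER_B) or "no errors")
```

Because an SA covers one direction only, the check is deliberately asymmetric: it compares A's outbound (Local) SPI with B's inbound (Remote) SPI and vice versa, which is exactly the pairing the two forms must agree on.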


Chapter 12

Auto Key phase 1 parameters

Overview
This section provides detailed step-by-step procedures for
configuring a ZXSEC US unit to accept a connection from a
remote peer or dialup client. The phase 1 parameters identify the
remote peer or clients and support authentication through
preshared keys or digital certificates. You can increase access
security further using peer identifiers, certificate distinguished
names, group names, or the ZXSEC US extended authentication
(XAuth) option for authentication purposes.

Note: The information and procedures in this section do not
apply to VPN peers that perform negotiations using manual keys.
Refer to “Manual-key configurations” instead.
The following topics are included in this section:
 Overview
 Defining the tunnel ends
 Choosing main mode or aggressive mode
 Authenticating the ZXSEC US unit
 Authenticating remote peers and clients
 Defining IKE negotiation parameters
 Defining the remaining phase 1 options
 Using XAuth authentication
IPSec phase 1 settings define:
 the ends of the IPSec tunnel, remote and local
 whether the various phase 1 parameters are exchanged in
multiple rounds with encrypted authentication information
(main mode) or in a single message with authentication
information that is not encrypted (aggressive mode)
 whether a preshared key or digital certificates will be used
to authenticate the ZXSEC US unit to the VPN peer or
dialup client
 whether the VPN peer or dialup client is required to
authenticate to the ZXSEC US unit. A remote peer or
dialup client can authenticate by peer ID or, if the ZXSEC
US unit authenticates by certificate, it can authenticate by
peer certificate.
 the IKE negotiation proposals for encryption and
authentication
 optional XAUTH authentication, which requires the remote
user to enter a user name and password. A ZXSEC US VPN
server can act as an XAUTH server to authenticate dialup
users. A ZXSEC US unit that is a dialup client can also be
configured as an XAUTH client to authenticate itself to the
VPN server.

Defining the tunnel ends


To begin defining the phase 1 configuration, you go to VPN >
IPSEC > Auto Key and select Create Phase 1. Enter a
descriptive name for the VPN tunnel. This is particularly
important if you will create several tunnels.
The phase 1 configuration mainly defines the ends of the IPSec
tunnel. The remote end is the remote gateway with which the
ZXSEC US unit exchanges IPSec packets. The local end is the ZXSEC
US interface that sends and receives IPSec packets.
The remote gateway can be any of the following:
 a static IP address
 a domain name with a dynamic IP address
 a dialup client
A statically addressed remote gateway is the simplest to
configure. You specify the IP address. Unless restricted in the
firewall policy, either the remote peer or a peer on the network
behind the ZXSEC US unit can bring up the tunnel.
If the remote peer has a domain name and subscribes to a
dynamic DNS service, you need to specify only the domain name.
The ZXSEC US unit performs a DNS query to determine the
appropriate IP address. Unless restricted in the firewall policy,
either the remote peer or a peer on the network behind the
ZXSEC US unit can bring up the tunnel.
If the remote peer is a dialup client, only the dialup client can
bring up the tunnel. The IP address of the client is not known
until it connects to the ZXSEC US unit.

This configuration is a typical way to provide a VPN for client PCs
running VPN client software such as the US Desktop Host Security
application.
The local end of the VPN tunnel, the Local Interface, is the ZXSEC
US interface that sends and receives the IPSec packets. This is
usually the public interface of the ZXSEC US unit that is
connected to the Internet. Packets from this interface pass to the
private network through a firewall policy. If you are configuring
an interface mode VPN, in the Advanced phase 1 settings you
can optionally specify a unique address for the ZXSEC US end of
the tunnel. By default, the ZXSEC US unit uses the IP address of
the selected Local Interface taken from the System > Network >
Interface settings.

Choosing main mode or aggressive mode
The ZXSEC US unit and the remote peer or dialup client
exchange phase 1 parameters in either Main mode or Aggressive
mode.
 In Main mode, the phase 1 parameters are exchanged in
multiple rounds with encrypted authentication information.
 In Aggressive mode, the phase 1 parameters are
exchanged in a single message with authentication
information that is not encrypted.
Main mode is more secure, but you must select Aggressive mode
if there is more than one dialup phase 1 configuration for the
interface IP address and the remote VPN peer or client is
authenticated using an identifier (local ID). Descriptions of the
peer options in this guide indicate if either Main or Aggressive
mode is required.

Authenticating the ZXSEC US unit
The ZXSEC US unit can authenticate itself to remote peers or
dialup clients using either a pre-shared key or an RSA Signature
(certificate).

Authenticating the ZXSEC US unit with digital certificates
To authenticate the ZXSEC US unit using digital certificates, you
must have the required certificates installed on the remote peer
and on the ZXSEC US unit. The signed server certificate on one
peer is validated by the presence of the root certificate installed
on the other peer. If you use certificates to authenticate the
ZXSEC US unit, you can also require the remote peers or dialup
clients to authenticate using certificates.
For more information about obtaining and installing certificates,
refer to the ZXSEC US Certificate Management User Guide.
To authenticate the ZXSEC US unit using digital certificates
1. Go to VPN > IPSEC > Auto Key.
2. Select Create Phase 1 to add a new phase 1 configuration or
select the Edit button beside an existing Phase 1
configuration.
3. Include appropriate entries as follows:
Name Enter a name that reflects the origination of the remote
connection.
Remote Gateway Select the nature of the remote connection:
 Static IP Address.
 Dialup User.
 Dynamic DNS.
For more information, refer to “Defining the tunnel ends”.
Local Interface Select the interface that is the local end of the
IPSec tunnel. For more information, refer to “Defining the tunnel
ends”.
Mode Select Main or Aggressive mode.
 In Main mode, the phase 1 parameters are exchanged in
multiple rounds with encrypted authentication information.
 In Aggressive mode, the phase 1 parameters are
exchanged in a single message with authentication
information that is not encrypted.
When the remote VPN peer or client has a dynamic IP address, or the
remote VPN peer or client will be authenticated using an identifier (local
ID), you must select Aggressive mode if there is more than one dialup
phase 1 configuration for the interface IP address.
For more information, refer to “Choosing main mode or aggressive
mode”.
Authentication Method Select RSA Signature.
Certificate Name Select the name of the server certificate that
the ZXSEC US unit will use to authenticate itself to the remote peer or
dialup client during phase 1 negotiations. To obtain and load the
required server certificate, refer to the ZXSEC US Certificate
Management User Guide.
Peer Options Peer options define the authentication
requirements for remote peers or dialup clients, not for the
ZXSEC US unit itself.
For more information, refer to “Authenticating remote peers and
clients”.
Advanced You can retain the default settings unless changes
are needed to meet your specific requirements. Refer to
“Defining IKE negotiation parameters”.
4. If you are configuring authentication parameters for a dialup
user group, optionally define extended authentication (XAuth)
parameters. Refer to “Using the ZXSEC US unit as an XAUTH
server”.
5. Select OK.

Authenticating the ZXSEC US unit with a pre-shared key
The simplest way to authenticate a ZXSEC US unit to its remote
peers or dialup clients is by means of a pre-shared key. This is
less secure than using certificates, especially if it is used alone,
without requiring peer IDs or extended authentication
(XAuth). Also, you need to have a secure way to distribute the
pre-shared key to the peers.
If you use pre-shared key authentication alone, all remote peers
and dialup clients must be configured with the same pre-shared
key. Optionally, you can configure remote peers and dialup
clients with unique pre-shared keys. On the ZXSEC US
unit, these are configured in user accounts, not in the phase 1
settings. For more information, refer to “Enabling VPN access
using user accounts and pre-shared keys”.
The pre-shared key must contain at least 6 printable characters
and should be known only to network administrators. For
optimum protection against currently known attacks, the key
should consist of a minimum of 16 randomly chosen
alphanumeric characters.
If you authenticate the ZXSEC US unit using a pre-shared key,
you can require remote peers or dialup clients to authenticate
using peer IDs, but not client certificates.
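The following Python checker is an added example, not ZXSEC US code. It applies the limits stated above (at least 6 printable characters, 16 randomly chosen alphanumeric characters recommended), estimates how much entropy a key of a given length can carry on the assumption that every character was drawn uniformly, and generates a compliant key with the operating system's CSPRNG rather than a word an administrator might guess. The single-character-class check is this example's own heuristic for spotting hand-picked keys, not a rule from the guide.

```python
# Added example: checking a pre-shared key against the guidance above and
# generating one that meets it (not ZXSEC US code). The character-class check
# is an extra heuristic of this example, not a rule from the guide.
import math
import secrets
import string
from typing import List

MIN_LEN = 6              # minimum accepted: 6 printable characters
RECOMMENDED_LEN = 16     # recommended: 16 randomly chosen alphanumeric characters
ALPHABET = string.ascii_letters + string.digits


def psk_findings(psk: str) -> List[str]:
    """Empty list means the key meets the guidance; otherwise the reasons."""
    findings = []
    if len(psk) < MIN_LEN:
        findings.append(f"shorter than the {MIN_LEN}-character minimum")
    if not psk.isprintable():
        findings.append("contains non-printable characters")
    if len(psk) < RECOMMENDED_LEN:
        findings.append(f"shorter than the recommended {RECOMMENDED_LEN} characters")
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in psk))
    if classes < 2:
        findings.append("uses a single character class (heuristic)")
    return findings


def estimated_entropy_bits(psk: str) -> float:
    """Upper bound, assuming every character was drawn uniformly from ALPHABET."""
    return len(psk) * math.log2(len(ALPHABET))


def generate_psk(length: int = RECOMMENDED_LEN) -> str:
    """Draw characters with the OS CSPRNG; retry until the checks pass."""
    if length < RECOMMENDED_LEN:
        raise ValueError(f"length must be at least {RECOMMENDED_LEN}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not psk_findings(candidate):
            return candidate


if __name__ == "__main__":
    for key in ("abc", "secret", generate_psk()):
        print(f"{key!r}: {estimated_entropy_bits(key):.1f} bits, {psk_findings(key) or 'ok'}")
```

A 16-character alphanumeric key drawn this way carries roughly 95 bits, which is what the recommendation above buys; a 6-character key of the same alphabet carries under 36 bits and passes only the minimum.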
To authenticate the ZXSEC US unit with a pre-shared key
1. Go to VPN > IPSEC > Auto Key.

2. Select Create Phase 1 to add a new phase 1 configuration or
select the Edit button beside an existing configuration.
3. Include appropriate entries as follows:
Name Enter a name that reflects the origination of the remote
connection.
Remote Gateway Select the nature of the remote connection:
 Static IP Address.
 Dialup User.
 Dynamic DNS.
For more information, refer to “Defining the tunnel ends”.
Local Interface Select the interface that is the local end of the
IPSec tunnel. For more information, refer to “ Defining the tunnel
ends”.
Mode Select Main or Aggressive mode.
 In Main mode, the phase 1 parameters are exchanged in
multiple rounds with encrypted authentication information.
 In Aggressive mode, the phase 1 parameters are
exchanged in a single message with authentication
information that is not encrypted.
When the remote VPN peer or client has a dynamic IP address,
or the remote VPN peer or client will be authenticated using
an identifier (local ID), you must select Aggressive mode if
there is more than one dialup phase 1 configuration for the
interface IP address.
For more information, refer to “Choosing main mode or
aggressive mode” on page 140.
Authentication Method Select Pre-shared Key.
Pre-shared Key Enter the preshared key that the ZXSEC US
unit will use to authenticate itself to the remote peer or dialup
client during phase 1 negotiations. You must define the same
value at the remote peer or client. The key must contain at
least 6 printable characters and should only be known by
network administrators. For optimum protection against
currently known attacks, the key should consist of a minimum
of 16 randomly chosen alphanumeric characters.
Peer options Peer options define the authentication
requirements for remote peers or dialup clients, not for the
ZXSEC US unit itself. You can require the use of peer IDs, but
not client certificates. For more information, refer to
“Authenticating remote peers and clients”.
Advanced You can retain the default settings unless changes
are needed to meet your specific requirements. Refer to
“Defining IKE negotiation parameters”.
4. If you are configuring authentication parameters for a dialup
user group, optionally define extended authentication (XAuth)
parameters. Refer to “Using the ZXSEC US unit as an XAUTH
server”.
5. Select OK.

Authenticating remote peers and clients
Certificates or pre-shared keys restrict who can access the VPN
tunnel, but they do not identify or authenticate the remote peers
or dialup clients. You have the following options for
authentication:
 You can permit access only for remote peers or clients
who use certificates that you recognize. This is available
only if the ZXSEC US unit authenticates using certificates.
Refer to “Enabling VPN access for specific certificate
holders”.
 You can permit access only for remote peers or clients
that have a certain peer identifier (local ID) value
configured. This is available with both certificate and
preshared key authentication. Refer to “Enabling VPN
access by peer identifier”.
 You can permit access to remote peers or dialup clients
who each have a unique preshared key. Each peer or
client must have a user account on the ZXSEC US unit.
Refer to “Enabling VPN access using user accounts and
pre-shared keys”.
 You can permit access to remote peers or dialup clients
who each have a unique peer ID and a unique preshared
key. Each peer or client must have a user account on the
ZXSEC US unit. Refer to “Enabling VPN access using user
accounts and pre-shared keys”.
For authentication of users of the remote peer or dialup client
device, refer to “Using XAuth authentication”.

Enabling VPN access for specific certificate holders
When a VPN peer or dialup client is configured to authenticate
using digital certificates, it sends the DN of its certificate to the
ZXSEC US unit. This DN can be used to allow VPN access for the
certificate holder. That is, a ZXSEC US unit can
be configured to deny connections to all remote peers and dialup
clients except the one having the specified DN.

Before you begin


The following procedures assume that you already have an
existing phase 1 configuration (refer to “Authenticating the
ZXSEC US unit with digital certificates”). Follow the procedures
below to add certificate-based authentication parameters to the
existing configuration.
Before you begin, you must obtain the certificate DN of the
remote peer or dialup client. If you are using the US Desktop
Host Security application as a dialup client, refer to US Desktop
online Help for information about how to view the certificate DN.
To view the certificate DN of a ZXSEC US unit, refer to “To view
server certificate information and obtain the local DN”.
Afterward, use the config user peer CLI command to load the DN
value into the ZXSEC US configuration. For example, if a remote
VPN peer uses server certificates issued by your own
organization, you would enter information similar to the following:
config user peer
    edit DN_US1000
        set cn 192.168.2.160
        set cn-type ipv4
end
The value that you specify to identify the entry (for example,
DN_US1000) is displayed in the Accept this peer certificate only
list in the IPSec phase 1 configuration when you return to the
web-based manager.
If the remote VPN peer has a CA-issued certificate to support a
higher level of credibility, you would enter information similar to
the following:
config user peer
    edit CA_US1000
        set ca CA_Cert_1
        set subject US1000_at_site1
end
The value that you specify to identify the entry (for example,
CA_US1000) is displayed in the Accept this peer certificate only
list in the IPSec phase 1 configuration when you return to the
web-based manager. For more information about these CLI
commands, refer to the “user” chapter of the ZXSEC US CLI
Reference.
A group of certificate holders can be created based on existing
user accounts for dialup clients. To create the user accounts for
dialup clients, refer to the “User” chapter of the ZXSEC US
Administration Guide. To create the certificate group afterward,
use the config user peergrp CLI command. Refer to the “user”
chapter of the ZXSEC US CLI Reference.

To view server certificate information and obtain the local DN
1. Go to VPN > Certificates > Local Certificates.

FIGURE 24 LOCAL CERTIFICATES

2. Note the CN value in the Subject field (for example, CN =
172.16.10.125, CN = info@ZTE.com, or CN =
www.example.com).
To view CA root certificate information and obtain the CA
certificate name
1. Go to VPN > Certificates > CA Certificates.

FIGURE 25 CA CERTIFICATES

2. Note the value in the Name column (for example, CA_Cert_1).


To enable access for a specific certificate holder or a
group of certificate holders
1. At the ZXSEC US VPN server, go to VPN > IPSEC > Auto Key.
2. In the list of defined configurations, select the Edit button to
edit the existing phase 1 configuration.
3. From the Authentication Method list, select RSA Signature.
4. Under Peer Options, select one of these options:
 To accept a specific certificate holder, select Accept this
peer certificate only and select the name of the certificate
that belongs to the remote peer or dialup client. The
certificate DN must be added to the ZXSEC US
configuration through CLI commands before it can be
selected here. Refer to “Before you begin”.
 To accept dialup clients who are members of a certificate
group, select Accept this peer certificate group only and
select the name of the group. The group must be added
to the ZXSEC US configuration through CLI commands
before it can be selected here. Refer to “Before you
begin”.
5. If you want the ZXSEC US VPN server to supply the DN of a
local server certificate for authentication purposes, select
Advanced and then from the Local ID list, select the DN of the
certificate that the ZXSEC US VPN server is to use.
6. Select OK.

Enabling VPN access by peer identifier
Whether you use certificates or pre-shared keys to authenticate
the ZXSEC US unit, you can require that remote peers or clients
have a particular peer ID. This adds another piece of information
that is required to gain access to the VPN. More than one ZXSEC
US/US Desktop dialup client may connect through the same VPN
tunnel when the dialup clients share a preshared key and
assume the same identifier.
You cannot require a peer ID for a remote peer or client that
uses a pre-shared key and has a static IP address.
To authenticate remote peers or dialup clients using one
peer ID
1. At the ZXSEC US VPN server, go to VPN > IPSEC > Auto
Key (IKE).
2. In the list, select the Edit icon of a phase 1 configuration to
edit its parameters.
3. Select Aggressive mode in any of the following cases:
 the ZXSEC US VPN server authenticates a ZXSEC US
dialup client that uses a dedicated tunnel
 a ZXSEC US unit has a dynamic IP address and subscribes
to a dynamic DNS service
 ZXSEC US/US Desktop dialup clients sharing the same
preshared key and local ID connect through the same
VPN tunnel
4. Select Accept this peer ID and type the identifier into the
corresponding field.
5. Select OK.
To assign an identifier (local ID) to a ZXSEC US unit
Use this procedure to assign a peer ID to a ZXSEC US unit that
acts as a remote peer or dialup client.
1. Go to VPN > IPSEC > Auto Key (IKE).
2. In the list, select the Edit icon of a phase 1 configuration to
edit its parameters.
3. Select Advanced.
4. In the Local ID field, type the identifier that the ZXSEC US
unit will use to identify itself.
5. Set Mode to Aggressive if any of the following conditions
apply:
 The ZXSEC US unit is a dialup client that will use a unique
ID to connect to a ZXSEC US dialup server through a
dedicated tunnel.

 The ZXSEC US unit has a dynamic IP address, subscribes
to a dynamic DNS service, and will use a unique ID to
connect to the remote VPN peer through a dedicated
tunnel.
 The ZXSEC US unit is a dialup client that shares the
specified ID with multiple dialup clients to connect to a
ZXSEC US dialup server through the same tunnel.
6. Select OK.
To configure the US Desktop Host Security application
Follow this procedure to add a peer ID to an existing US Desktop
configuration:
1. Start the US Desktop Host Security application.
2. Go to VPN > Connections, select the existing configuration,
and then select Advanced > Edit.
3. Select Advanced.
4. Under Policy, select Config.
5. In the Local ID field, type the identifier that will be shared by
all dialup clients. This value must match the Accept this peer
ID value that you specified previously in the phase 1 gateway
configuration on the ZXSEC US unit.
6. Select OK to close all dialog boxes.
7. Configure all dialup clients the same way using the same
preshared key and local ID.

Enabling VPN access using user accounts and pre-shared keys
You can permit access only to remote peers or dialup clients that
have pre-shared keys and/or peer IDs configured in user
accounts on the ZXSEC US unit.
If you want two VPN peers (or a ZXSEC US unit and a dialup
client) to accept reciprocal connections based on peer IDs, you
must enable the exchange of their identifiers when you define
the phase 1 parameters.
The following procedures assume that you already have an
existing phase 1 configuration (refer to “Authenticating the
ZXSEC US unit with digital certificates”). Follow the procedures
below to add ID checking to the existing configuration.
Before you begin, you must obtain the identifier (local ID) of the
remote peer or dialup client. If you are using the US Desktop
Host Security application as a dialup client, refer to the
Authenticating US Desktop Dialup Clients Technical Note to view
or assign an identifier. To assign an identifier to a ZXSEC US
dialup client or a ZXSEC US unit that has a dynamic IP address
and subscribes to a dynamic DNS service, refer to “To assign an
identifier (local ID) to a ZXSEC US unit”.
If required, a dialup user group can be created from existing user
accounts for dialup clients. To create the user accounts and user
groups, refer to the “User” chapter of the ZXSEC US
Administration Guide.
To authenticate dialup clients using unique preshared
keys and/or peer IDs
The following procedure supports ZXSEC US/US Desktop dialup
clients that use unique preshared keys and/or peer IDs. The
client must have an account on the ZXSEC US unit and be a
member of the dialup user group.
The dialup user group must be added to the ZXSEC US
configuration before it can be selected (refer to the “User”
chapter of the ZXSEC US Administration Guide).
The ZXSEC US dialup server compares the local ID that you
specify at each dialup client to the ZXSEC US user-account user
name. The dialup-client preshared key is compared to a ZXSEC
US user-account password.
1. At the ZXSEC US VPN server, go to VPN > IPSEC > Auto
Key (IKE).
2. In the list, select the Edit icon of a phase 1 configuration to
edit its parameters.
3. If the clients have unique peer IDs, set Mode to Aggressive.
4. Clear the Pre-shared Key field (the field should be empty).
5. Select Accept peer ID in dialup group and then select the
group name from the list of user groups.
6. Select OK.
To configure US Desktop dialup clients - pre-shared key
and peer ID
Follow this procedure to add a unique pre-shared key and unique
peer ID to an existing US Desktop configuration:
1. Start the US Desktop Host Security application.
2. Go to VPN > Connections, select the existing configuration,
and then select Advanced > Edit.
3. In the Preshared Key field, type the ZXSEC US password that
belongs to the dialup client (for example, 1234546).
4. Select Advanced.
5. Under Policy, select Config.
6. In the Local ID field, type the ZXSEC US user name that you
assigned previously to the dialup client (for example,
USClient1).

7. Select OK to close all dialog boxes.
Configure all US Desktop dialup clients this way using unique
preshared keys and local IDs.
To configure US Desktop dialup clients - preshared key
only
Follow this procedure to add a unique pre-shared key to an
existing US Desktop configuration:
1. Start the US Desktop Host Security application.
2. Go to VPN > Connections, select the existing configuration,
and then select Advanced > Edit.
3. In the Preshared Key field, type the user name, followed by a
“+” sign, followed by the password that you specified
previously in the user account settings on the ZXSEC US unit
(for example, FC2+1US6LK).
4. Select OK to close all dialog boxes.
Configure all the US Desktop dialup clients this way using their
unique peer ID and pre-shared key values.

Defining IKE negotiation parameters
In phase 1, the two peers exchange keys to establish a secure
communication channel between them. As part of the phase 1
process, the two peers authenticate each other (refer to
“Authenticating remote peers and clients” ) and negotiate a way
to encrypt further communications for the duration of the session.
The P1 Proposal parameters select the encryption and
authentication algorithms that are used to generate keys for
protecting negotiations.
The IKE negotiation parameters determine:
 which encryption algorithms may be applied for
converting messages into a form that only the intended
recipient can read
 which authentication hash may be used for creating a
keyed hash from a preshared or private key
 which Diffie-Hellman group will be used to generate a
secret session key
Phase 1 negotiations (in main mode or aggressive mode) begin
as soon as a remote VPN peer or client attempts to establish a
connection with the ZXSEC US unit. Initially, the remote peer or
dialup client sends the ZXSEC US unit a list of potential
cryptographic parameters along with a session ID. The ZXSEC US
unit compares those parameters to its own list of advanced
phase 1 parameters and responds with its choice of matching
parameters to use for authenticating and encrypting packets.
The two peers handle the exchange of encryption keys between
them, and authenticate the exchange through a preshared key
or a digital signature.

Generating keys to authenticate an exchange
The ZXSEC US unit supports the generation of secret session
keys automatically using a Diffie-Hellman algorithm. The Keylife
setting in the P1 Proposal area determines the amount of time
before the phase 1 key expires. Phase 1 negotiations are
rekeyed automatically when there is an active security
association. Refer to “Dead peer detection”.

Note: You can enable or disable automatic rekeying
between IKE peers through the phase1-rekey attribute of the
config system global CLI command. For more information,
refer to the “system” chapter of the ZXSEC US CLI Reference.
When you use a preshared key (shared secret) to set up two-
party authentication, the remote VPN peer or client and the
ZXSEC US unit must both be configured with the same preshared
key. Each party uses a session key derived from the Diffie-
Hellman exchange to create an authentication key, which is used
to sign a known combination of inputs using an authentication
algorithm (such as HMAC-MD5 or HMAC-SHA-1). Each party
signs a different combination of inputs and the other party
verifies that the same result can be computed.

Note: When you use preshared keys to authenticate VPN
peers or clients, you must distribute matching information to all
VPN peers and/or clients whenever the preshared key changes.
As an alternative, the remote peer or dialup client and ZXSEC US
unit can exchange digital signatures to validate each other’s
identity with respect to their public keys. In this case, the
required digital certificates (refer to the ZXSEC US Certificate
Management User Guide) must be installed on the remote peer
and on the ZXSEC US unit. By exchanging certificate DNs, the
signed server certificate on one peer is validated by the presence
of the root certificate installed on the other peer.
The following procedure assumes that you already have a phase
1 definition that describes how remote VPN peers and clients will
be authenticated when they attempt to connect to a local ZXSEC
US unit. For information about the Local ID and XAuth options,
refer to “Enabling VPN access using user accounts and pre-shared
keys” and “Using the ZXSEC US unit as an XAUTH server”.
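The preshared-key authentication described above, as an added Python illustration that is not code from this guide or from the ZXSEC US unit: both peers complete a Diffie-Hellman exchange (RFC 2409 group 2), derive an authentication key from the DH result and the preshared key, and each signs a different combination of inputs with HMAC-SHA-1 that the other side recomputes and compares. The peer identities, the exact inputs that are signed and the key-derivation steps are simplified assumptions made for the illustration; they do not reproduce the unit's IKE message layout.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Diffie-Hellman group 2 (1024-bit MODP), generator 2.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
DH_G = 2
DH_LEN = 128  # bytes in a group-2 public value


class IkePeer:
    """One side of a phase 1 exchange authenticated with a preshared key (simplified model)."""

    def __init__(self, identity, preshared_key):
        self.identity = identity          # plays the role of the Local ID (assumed form)
        self.psk = preshared_key          # the secret configured on both sides
        self.private = secrets.randbelow(DH_GROUP2_P - 2) + 1
        self.public = pow(DH_G, self.private, DH_GROUP2_P)
        self.auth_key = None

    def public_bytes(self):
        return self.public.to_bytes(DH_LEN, "big")

    def derive_auth_key(self, peer_public):
        # Session key from the DH exchange; the authentication key binds it to the PSK.
        session_key = pow(peer_public, self.private, DH_GROUP2_P).to_bytes(DH_LEN, "big")
        self.auth_key = hmac.new(self.psk, session_key, hashlib.sha1).digest()

    def sign(self, inputs):
        return hmac.new(self.auth_key, inputs, hashlib.sha1).digest()

    def verify(self, inputs, tag):
        return hmac.compare_digest(self.sign(inputs), tag)


def authenticate(initiator, responder):
    """Simulate both sides in-process; True only when each side verifies the other."""
    initiator.derive_auth_key(responder.public)
    responder.derive_auth_key(initiator.public)
    gi, gr = initiator.public_bytes(), responder.public_bytes()
    # Each side signs a different combination of inputs (cf. RFC 2409 HASH_I / HASH_R).
    hash_i_inputs = gi + gr + initiator.identity.encode()
    hash_r_inputs = gr + gi + responder.identity.encode()
    hash_i = initiator.sign(hash_i_inputs)
    hash_r = responder.sign(hash_r_inputs)
    return responder.verify(hash_i_inputs, hash_i) and initiator.verify(hash_r_inputs, hash_r)


if __name__ == "__main__":
    # Constructed sample identities and secrets, not real credentials.
    print(authenticate(IkePeer("gw-a.example", b"same-secret"),
                       IkePeer("gw-b.example", b"same-secret")))
    print(authenticate(IkePeer("gw-a.example", b"same-secret"),
                       IkePeer("client-1", b"stale-secret")))
```

A peer configured with a different preshared key derives a different authentication key, so its signature fails verification even though the DH exchange itself completes; this is why matching information has to be redistributed to every peer and client whenever the key changes.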

Follow this procedure to add IKE negotiation parameters to the
existing definition.

Defining IKE negotiation parameters

1. Go to VPN > IPSEC > Auto Key (IKE).
2. In the list, select the Edit button to edit the phase 1
parameters for a particular remote gateway.
3. Select Advanced and include appropriate entries as follows:
P1 Proposal Select the encryption and authentication
algorithms that will be used to generate keys for protecting
negotiations.
Add or delete encryption and authentication algorithms as required.
Select a minimum of one and a maximum of three combinations. The
remote peer must be configured to use at least one of the proposals
that you define.
You can select any of the following symmetric-key algorithms:
 DES-Data Encryption Standard, a 64-bit block algorithm
that uses a 56-bit key.
 3DES-Triple-DES, in which plain text is encrypted three
times by three keys.
 AES128-A 128-bit block algorithm that uses a 128-bit key.
 AES192-A 128-bit block algorithm that uses a 192-bit key.
 AES256-A 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to
check the authenticity of messages during phase 1
negotiations:
 MD5-Message Digest 5, the hash algorithm developed by
RSA Data Security.
 SHA1-Secure Hash Algorithm 1, which produces a 160-bit
message digest.
To specify a third combination, use the add button beside the fields for
the second combination.
DH Group Select one or more Diffie-Hellman groups from DH group
1, 2, and 5. When using aggressive mode, DH groups cannot be
negotiated.

 If both VPN peers (or a VPN server and its client) have
static IP addresses and use aggressive mode, select a
single DH group. The setting on the ZXSEC US unit must
be identical to the setting on the remote peer or dialup
client.
 When the remote VPN peer or client has a dynamic IP
address and uses aggressive mode, select up to three DH
groups on the ZXSEC US unit and one DH group on the
remote peer or dialup client. The setting on the remote
peer or dialup client must be identical to one of the
selections on the ZXSEC US unit.
 If the VPN peer or client employs main mode, you can
select multiple DH groups. At least one of the settings on
the remote peer or dialup client must be identical to the
selections on the ZXSEC US unit.
Keylife Type the amount of time (in seconds) that will be
allowed to pass before the IKE encryption key expires. When the key
expires, a new key is generated without interrupting service. The
keylife can be from 120 to 172800 seconds.
Nat-traversal Enable this option if a NAT device exists
between the local ZXSEC US unit and the VPN peer or client. The
local ZXSEC US unit and the VPN peer or client must have the same
NAT traversal setting (both selected or both cleared).
Keepalive Frequency If you enabled NAT traversal, enter a
keepalive frequency setting. The value represents an interval from 0
to 900 seconds.
Dead Peer Detection Enable this option to reestablish VPN
tunnels on idle connections and clean up dead IKE peers if required.
4. Select OK.
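The following is an added Python example, not code from this guide or from the ZXSEC US unit, that applies the limits stated in the procedure above (one to three proposals, the listed algorithms, DH groups 1, 2 and 5, a keylife of 120 to 172800 seconds, a keepalive of 0 to 900 seconds) and then plays the responder's part: it picks the first proposal offered by the remote peer that it also supports and settles the DH group according to the mode. The Phase1Config field names and the rule that an aggressive-mode initiator offers exactly one DH group are assumptions made for the illustration.

```python
from dataclasses import dataclass

ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"MD5", "SHA1"}
DH_GROUPS = {1, 2, 5}


@dataclass
class Phase1Config:
    """Assumed model of the advanced phase 1 settings described above."""
    proposals: list           # (encryption, authentication) pairs, 1 to 3 of them
    dh_groups: list           # chosen from DH groups 1, 2 and 5
    mode: str                 # "main" or "aggressive"
    keylife: int              # seconds, 120 to 172800
    nat_traversal: bool = False
    keepalive: int = 10       # seconds, 0 to 900; only meaningful with NAT traversal


def validate_phase1(cfg):
    """Return the list of limit violations; an empty list means the config is acceptable."""
    errors = []
    if not 1 <= len(cfg.proposals) <= 3:
        errors.append("select between one and three proposals")
    for enc, auth in cfg.proposals:
        if enc not in ENCRYPTION or auth not in AUTHENTICATION:
            errors.append(f"unsupported proposal {enc}/{auth}")
    if not cfg.dh_groups or not set(cfg.dh_groups) <= DH_GROUPS:
        errors.append("DH groups must be chosen from 1, 2 and 5")
    if cfg.mode not in ("main", "aggressive"):
        errors.append("mode must be main or aggressive")
    if not 120 <= cfg.keylife <= 172800:
        errors.append("keylife must be 120 to 172800 seconds")
    if cfg.nat_traversal and not 0 <= cfg.keepalive <= 900:
        errors.append("keepalive frequency must be 0 to 900 seconds")
    return errors


def negotiate_phase1(local, remote):
    """Responder-side choice: the first remote proposal accepted locally, plus a DH group.

    Returns (encryption, authentication, dh_group), or None when nothing matches."""
    problems = validate_phase1(local) + validate_phase1(remote)
    if problems:
        raise ValueError("; ".join(problems))
    # Both sides must agree on the exchange mode and on the NAT traversal setting.
    if local.mode != remote.mode or local.nat_traversal != remote.nat_traversal:
        return None
    chosen = next((p for p in remote.proposals if p in local.proposals), None)
    if chosen is None:
        return None
    if remote.mode == "aggressive":
        # DH groups cannot be negotiated in aggressive mode: the initiator's single
        # group must be one of the groups configured locally.
        if len(remote.dh_groups) != 1 or remote.dh_groups[0] not in local.dh_groups:
            return None
        group = remote.dh_groups[0]
    else:
        common = [g for g in remote.dh_groups if g in local.dh_groups]
        if not common:
            return None
        group = common[0]
    return chosen + (group,)
```

Run against a main-mode peer whose first proposal is not accepted locally, the function returns the second proposal with the common group; run against an aggressive-mode dialup client that offers a group the unit has not selected, it returns None, which is the mismatch the text warns about.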

Defining the remaining phase 1 options
Additional advanced phase 1 settings are available to ensure the
smooth operation of phase 1 negotiations:
 Nat-traversal—If outbound encrypted packets will be
subjected to NAT, this option determines whether the
packet will be wrapped in a UDP IP header to protect the
encrypted packet from modification. Refer to “NAT
traversal” below.
 Keepalive Frequency—If outbound encrypted packets will
be subjected to NAT, this option determines how
frequently empty UDP packets will be sent through the
NAT device to prevent NAT address mapping from
changing before the lifetime of a session expires. Refer to
“NAT keepalive frequency” below.
 Dead Peer Detection—This option determines whether the
ZXSEC US unit will detect dead IKE peers and terminate a
session between the time when a VPN connection
becomes idle and the phase 1 encryption key expires.
Refer to “Dead peer detection”.

NAT traversal
Network Address Translation (NAT) is a way to convert private
IP addresses to publicly routable Internet addresses and vice
versa. When an IP packet passes through a NAT device, the
source or destination address in the IP header is modified.
ZXSEC US units support NAT version 1 (encapsulate on port 500
with non-IKE marker), version 3 (encapsulate on port 4500 with
non-ESP marker), and compatible versions.
NAT cannot be performed on IPSec packets in ESP tunnel mode
because the packets do not contain a port number. As a result,
the packets cannot be demultiplexed. To work around this
problem, the ZXSEC US unit provides a way to protect IPSec
packet headers from NAT modifications. When the Nat-traversal
option is enabled, outbound encrypted packets are wrapped
inside a UDP IP header that contains a port number. This extra
encapsulation allows NAT devices to change the port number
without modifying the IPsec packet directly.
To provide the extra layer of encapsulation on IPSec packets,
the Nat-traversal option must be enabled whenever a NAT
device exists between two ZXSEC US VPN peers or a ZXSEC US
unit and a dialup client such as US Desktop. On the receiving
end, the ZXSEC US unit or US Desktop removes the extra layer
of encapsulation before decrypting the packet.

NAT keepalive frequency
When a NAT device performs network address translation on a
flow of packets, the NAT device determines how long the new
address will remain valid if the flow of traffic stops (for example,
the connected VPN peer may be idle). The device may reclaim
and reuse a NAT address when a connection remains idle for too
long. To work around this problem, when you enable NAT
traversal, you can specify how often the ZXSEC US unit should
send periodic keepalive packets through the NAT device in order
to ensure that the NAT address mapping does not change during
the lifetime of a session. The keepalive interval should be smaller
than the session lifetime value used by the NAT device.
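To make the extra encapsulation and the keepalive concrete, here is an added Python example (not code from this guide or from the ZXSEC US unit) that builds and demultiplexes datagrams for the port 4500 variant described under “NAT traversal”, following RFC 3948: an ESP packet travels as-is (its SPI is never zero), an IKE message is prefixed with a four-byte zero Non-ESP marker, and a NAT keepalive is a single 0xFF byte. The keepalive_due() helper applies the rule from “NAT keepalive frequency” that keepalives are only needed while the tunnel is quiet. The sample SPI, sequence number and payload bytes are constructed for the example.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: precedes IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-octet keepalive datagram
UDP_ENCAP_PORT = 4500


def build_esp(spi, seq, body):
    """Constructed sample ESP packet: SPI, sequence number, opaque ciphertext body."""
    return struct.pack("!II", spi, seq) + body


def encapsulate_esp(esp_packet):
    """Wrap an ESP packet for UDP 4500: the UDP payload is the ESP packet itself."""
    if len(esp_packet) < 8:
        raise ValueError("ESP packet shorter than SPI + sequence number")
    if esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("SPI 0 is reserved; it would collide with the Non-ESP marker")
    return esp_packet


def encapsulate_ike(ike_message):
    """Wrap an IKE message for UDP 4500 by prefixing the Non-ESP marker."""
    return NON_ESP_MARKER + ike_message


def demultiplex(udp_payload):
    """Classify one datagram received on UDP 4500 before any decryption is attempted."""
    if udp_payload == NAT_KEEPALIVE:
        return {"type": "keepalive"}
    if len(udp_payload) < 4:
        return {"type": "invalid", "reason": "short datagram"}
    if udp_payload[:4] == NON_ESP_MARKER:
        return {"type": "ike", "message": udp_payload[4:]}
    if len(udp_payload) < 8:
        return {"type": "invalid", "reason": "truncated ESP header"}
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"type": "esp", "spi": spi, "seq": seq, "packet": udp_payload}


def keepalive_due(now, last_sent, last_traffic, interval):
    """Send a keepalive only once the tunnel has been quiet for a full interval.

    interval is the Keepalive Frequency setting in seconds (0 to 900; 0 disables it).
    Any real traffic refreshes the NAT mapping, so it resets the timer too."""
    if interval == 0:
        return False
    return now - max(last_sent, last_traffic) >= interval
```

The receiving side removes the encapsulation by inspecting the first four bytes only: a zero marker means IKE, anything else is the SPI of an ESP packet. The keepalive interval passed to keepalive_due() should be shorter than the idle timeout of the NAT device in the path, as the text above requires.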

Dead peer detection
Sometimes, due to routing problems or other difficulties, the
communication link between a ZXSEC US unit and a VPN peer or
client may go down—packets could be lost if the connection is left
to time out on its own. The ZXSEC US unit provides a mechanism
called Dead Peer Detection (DPD) to prevent this situation and
reestablish IKE negotiations automatically before a connection
times out: the active phase 1 security associations are caught
and renegotiated (rekeyed) before the phase 1 encryption key
expires. By default, DPD sends probe messages every five seconds
(refer to dpd-retryinterval in the ZXSEC US CLI Reference).
In the web-based manager, the Dead Peer Detection option can
be enabled when you define advanced phase 1 options. The
config vpn ipsec phase1 CLI command supports additional
options for specifying a long and short idle time, a retry count,
and a retry interval. For more information about these CLI
commands, refer to the ZXSEC US CLI Reference.
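DPD as a small state machine, added here in Python as an illustration that is not the ZXSEC US implementation: probes go out only once the tunnel has been idle, are repeated at the retry interval, and when the retry count is exhausted the peer is declared dead so the security associations can be torn down and phase 1 renegotiated. The timer names, the idle time and retry count used as defaults (only the five-second probe interval comes from the text above) and the simulated peer are assumptions.

```python
class DeadPeerDetector:
    """Liveness tracking for one IKE peer, driven by a simulated clock in seconds."""

    def __init__(self, idle_time=10, retry_interval=5, retry_count=3):
        self.idle_time = idle_time            # quiet time before the first probe
        self.retry_interval = retry_interval  # guide default: probe every five seconds
        self.retry_count = retry_count        # unanswered probes tolerated before "dead"
        self.last_traffic = 0.0
        self.last_probe = None
        self.unanswered = 0
        self.sequence = 0
        self.peer_dead = False

    def traffic_received(self, now):
        """Any authenticated traffic from the peer proves it is alive."""
        self.last_traffic = now
        self.last_probe = None
        self.unanswered = 0

    def ack_received(self, now, sequence):
        # Only an acknowledgement of the outstanding probe counts as proof of life.
        if sequence == self.sequence:
            self.traffic_received(now)

    def tick(self, now):
        """Returns None (nothing to do), ("probe", seq) or "dead"."""
        if self.peer_dead:
            return "dead"
        if now - self.last_traffic < self.idle_time:
            return None                        # tunnel busy: no probe needed
        if self.last_probe is not None and now - self.last_probe < self.retry_interval:
            return None                        # wait out the retry interval
        if self.unanswered >= self.retry_count:
            self.peer_dead = True              # caller deletes the SAs and renegotiates phase 1
            return "dead"
        self.sequence += 1
        self.unanswered += 1
        self.last_probe = now
        return ("probe", self.sequence)


def simulate(peer_responds, duration=31):
    """One-second ticks against a simulated peer.

    Returns (times at which probes were sent, time the peer was declared dead or None)."""
    dpd = DeadPeerDetector()
    probes, dead_at = [], None
    for now in range(duration):
        action = dpd.tick(now)
        if action == "dead":
            dead_at = now
            break
        if action is not None:
            probes.append(now)
            if peer_responds:
                dpd.ack_received(now, action[1])   # the live peer answers immediately
    return probes, dead_at
```

With the defaults, a responsive peer is probed once per idle period and never declared dead, while a silent peer is probed three times five seconds apart and declared dead at the next retry interval, well before a typical phase 1 keylife expires.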

Using XAuth authentication
Extended authentication (XAuth) increases security by requiring
authentication of the user of the remote dialup client in a
separate exchange at the end of phase 1. XAuth draws on
existing ZXSEC US user group definitions and uses established
authentication mechanisms such as PAP, CHAP, RADIUS and
LDAP to authenticate dialup clients. You can configure a ZXSEC
US unit to function either as an XAuth server or an XAuth client.

Using the ZXSEC US unit as an XAUTH server
A ZXSEC US unit can act as an XAUTH server for dialup clients.
When the phase 1 negotiation completes, the ZXSEC US unit
challenges the user for a user name and password. It then
forwards the user’s credentials to an external RADIUS or LDAP
server for verification.
The authentication protocol to use for XAUTH depends on the
capabilities of the authentication server and the XAuth client:
 Select PAP whenever possible. Select CHAP instead if
applicable.
 You must select PAP for all implementations of LDAP and
some implementations of Microsoft RADIUS.
 Select MIXED when the authentication server supports
CHAP but the XAuth client does not. The ZXSEC US unit
will use PAP to communicate with the XAuth client and
CHAP to communicate with the authentication server.
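As an added Python illustration (not the unit's code), the following shows why the server type matters: with PAP the client sends the password and the server can simply try it against the backend, whereas with CHAP the client returns MD5(identifier || secret || challenge) as defined in RFC 1994, so whoever verifies it must hold the cleartext secret. A directory that only answers bind requests cannot do that, which is the reason the text requires PAP for LDAP. The user table, the bind-only backend and the choose_server_type() rule are assumptions built from the guidance above.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class PasswordBackend:
    """Authentication server holding cleartext secrets; can verify PAP and CHAP."""

    def __init__(self, users):
        self.users = users   # {user name: secret bytes}; constructed sample data

    def verify_pap(self, user, password):
        secret = self.users.get(user)
        return secret is not None and hmac.compare_digest(secret, password)

    def verify_chap(self, user, identifier, challenge, response):
        secret = self.users.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class BindOnlyBackend:
    """Models a directory such as LDAP: it answers "does this password bind?" but never
    reveals the secret, so a CHAP digest cannot be recomputed against it."""

    def __init__(self, users):
        self._users = users

    def bind(self, user, password):
        secret = self._users.get(user)
        return secret is not None and hmac.compare_digest(secret, password)

    def verify_pap(self, user, password):
        return self.bind(user, password)

    def verify_chap(self, user, identifier, challenge, response):
        raise TypeError("CHAP needs the cleartext secret; select PAP for LDAP backends")


def choose_server_type(client_supports_chap, backend):
    """Server Type selection following the guidance above (assumed decision rule)."""
    if not isinstance(backend, PasswordBackend):
        return "PAP"          # LDAP and some RADIUS implementations need PAP
    if client_supports_chap:
        return "CHAP"
    return "MIXED"            # PAP to the client, CHAP to the authentication server


def xauth_exchange(server_type, backend, user, password):
    """Run one XAuth credential check; the client leg is simulated in-process."""
    if server_type == "PAP":
        return backend.verify_pap(user, password)   # the client sent the password itself
    # CHAP: the client computes the response. MIXED: the unit received the password over
    # PAP and answers the backend's challenge itself. Either way the backend must hold
    # the cleartext secret to check the digest.
    identifier, challenge = 1, os.urandom(16)
    response = chap_response(identifier, password, challenge)
    return backend.verify_chap(user, identifier, challenge, response)
```

Note that CHAP protects the password on the wire between the client and the unit, but the trade-off is that the authentication server has to store secrets in a recoverable form; PAP inside the already-encrypted phase 1 channel avoids that requirement.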
To authenticate a dialup user group using XAuth settings
Before you begin, create user accounts and user groups to
identify the dialup clients that need to access the network behind
the ZXSEC US dialup server. If password protection will be
provided through an external RADIUS or LDAP server, you must
configure the ZXSEC US dialup server to forward authentication
requests to the authentication server. For information about
these topics, refer to the “User” chapter of the ZXSEC US
Administration Guide.
1. At the ZXSEC US dialup server, go to VPN > IPSEC > Auto
Key (IKE).
2. In the list, select the Edit icon of a phase 1 configuration to
edit its parameters for a particular remote gateway.
3. Select Advanced.
4. Under XAuth, select Enable as Server.
5. The Server Type setting determines the type of encryption
method to use between the XAuth client, the ZXSEC US unit
and the authentication server. Select one of the following
options:
 PAP—Password Authentication Protocol.
 CHAP—Challenge-Handshake Authentication Protocol.
 MIXED—Use PAP between the XAuth client and the ZXSEC
US unit, and CHAP between the ZXSEC US unit and the
authentication server.
6. From the User Group list, select the user group that needs to
access the private network behind the ZXSEC US unit. The
group must be added to the ZXSEC US configuration before it
can be selected here.
7. Select OK.

Authenticating the ZXSEC US unit as a client with XAUTH
If the ZXSEC US unit acts as a dialup client, the remote peer,
acting as an XAUTH server, might require a user name and
password. You can configure the ZXSEC US unit as an XAuth
client, with its own user name and password, which it provides
when challenged.
To configure the ZXSEC US dialup client as an XAuth client
1. At the ZXSEC US dialup client, go to VPN > IPSEC > Auto
Key (IKE).
2. In the list, select the Edit icon of a phase 1 configuration to
edit its parameters for a particular remote gateway.
3. Select Advanced.
4. Under XAuth, select Enable as Client.
5. In the Username field, type the ZXSEC US PAP, CHAP,
RADIUS, or LDAP user name that the ZXSEC US XAuth server
will compare to its records when the ZXSEC US XAuth client
attempts to connect.
6. In the Password field, type the password to associate with
the user name.
7. Select OK.

Chapter 13

Phase 2 parameters

Overview
This section describes the phase 2 parameters that are required
to establish communication through a VPN.
The following topics are included in this section:
 Basic phase 2 settings
 Exchanging keys to implement security associations
 Defining the remaining tunnel creation options
 Configure the phase 2 parameters

Basic phase 2 settings
After phase 1 negotiations complete successfully, phase 2 begins.
The phase 2 parameters define the algorithms that the ZXSEC
US unit may use to encrypt and transfer data for the remainder
of the session.
The basic phase 2 settings associate IPSec phase 2 parameters
with a phase 1 configuration.
When you define phase 2 parameters, you can choose any set of
phase 1 parameters to set up a secure connection and
authenticate the remote peer.

Figure 26 Basic phase 2 settings (VPN > IPSEC > Auto Key (IKE) > Create Phase 2)

The information and procedures in this section do not apply to
VPN peers that perform negotiations using manual keys. Refer to
“Manual-key configurations” instead.

Exchanging keys to implement security associations
In phase 2, the ZXSEC US unit and the VPN peer or client
exchange keys again to establish a secure communication
channel between them. The P2 Proposal parameters select the
encryption and authentication algorithms needed to generate
keys for protecting the implementation details of Security
Associations (SAs). The keys are generated automatically using a
Diffie-Hellman algorithm.
 The Keylife setting sets a limit on the length of time that a
phase 2 key can be used. Alternatively, you can set a limit
on the number of kilobytes (KB) of processed data, or
both. If you select both, the key expires when either the
time has passed or the number of KB have been
processed. When the phase 2 key expires, a new key is
generated without interrupting service.
 The Autokey Keep Alive setting is used to rekey phase 2
SA negotiations when the key life expires so that the
tunnel will not shut down. Enable the option to ensure
that the tunnel remains active when no data is being
processed.

Defining the remaining tunnel creation options
The following additional advanced phase 2 settings are available
to enhance the operation of the tunnel:
 Enable replay detection
 Enable perfect forward secrecy (PFS)
 Quick Mode Identities

Figure 27 Advanced phase 2 settings

Replay detection
IPSec tunnels can be vulnerable to replay attacks. Replay
detection enables the ZXSEC US unit to check all IPSec packets
to determine whether they have been received before.
If any encrypted packets arrive out of order, the ZXSEC US unit
discards them.
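The keylife rules from “Exchanging keys to implement security associations” and the replay check above, combined in one added Python example that is not the ZXSEC US implementation: a phase 2 SA expires when its time limit, its kilobyte limit, or with both set whichever limit is reached first, and an RFC 4303-style sliding window rejects duplicates and packets older than the window. The window size and the method names are assumptions. One caveat a practitioner should know: a window of this kind accepts packets that arrive out of order as long as they fall inside the window and have not been seen before; only duplicates and packets that have fallen behind the window are discarded.

```python
class Phase2SA:
    """Inbound phase 2 security association with lifetime limits and anti-replay."""

    def __init__(self, keylife_seconds=None, keylife_kbytes=None, window=64,
                 replay_detection=True, created=0.0):
        if keylife_seconds is None and keylife_kbytes is None:
            raise ValueError("choose a keylife in seconds, kilobytes, or both")
        if keylife_seconds is not None and not 120 <= keylife_seconds <= 172800:
            raise ValueError("keylife must be 120 to 172800 seconds")
        if keylife_kbytes is not None and not 5120 <= keylife_kbytes <= 2147483648:
            raise ValueError("keylife must be 5120 to 2147483648 KB")
        self.keylife_seconds = keylife_seconds
        self.keylife_bytes = None if keylife_kbytes is None else keylife_kbytes * 1024
        self.created = created
        self.bytes_processed = 0
        self.replay_detection = replay_detection
        self.window = window
        self.highest_seq = 0          # right edge of the window
        self.bitmap = 0               # bit i set: packet (highest_seq - i) was received

    def expired(self, now):
        """With both limits set, the key expires when either one is reached."""
        by_time = self.keylife_seconds is not None and now - self.created >= self.keylife_seconds
        by_volume = self.keylife_bytes is not None and self.bytes_processed >= self.keylife_bytes
        return by_time or by_volume

    def _check_replay(self, seq):
        """Sliding-window check (cf. RFC 4303 appendix A); True when seq is new and in range."""
        if seq == 0:
            return False                          # sequence number 0 is never valid
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.bitmap = (self.bitmap << shift) if shift < self.window else 0
            self.bitmap = (self.bitmap | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window:
            return False                          # older than the window: treated as replay
        if self.bitmap & (1 << offset):
            return False                          # already received
        self.bitmap |= 1 << offset
        return True

    def process(self, seq, length, now):
        """Return 'expired', 'replayed' or 'accepted' for one inbound ESP packet."""
        if self.expired(now):
            return "expired"                      # rekey before accepting more traffic
        if self.replay_detection and not self._check_replay(seq):
            return "replayed"
        self.bytes_processed += length
        return "accepted"
```

The replay check runs before the packet is counted toward the volume limit, so a flood of replayed packets cannot force an early rekey; an attacker replaying captured traffic would only see every copy dropped.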

Perfect forward secrecy
By default, phase 2 keys are derived from the session key
created in phase 1. Perfect forward secrecy forces a new Diffie-
Hellman exchange when the tunnel starts and whenever the
phase 2 keylife expires, causing a new key to be generated each
time. This exchange ensures that the keys created in phase 2 are
unrelated to the phase 1 keys or any other keys generated
automatically in phase 2.
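An added Python illustration, not the unit's implementation, of what PFS changes: without PFS the phase 2 key is derived from phase 1 keying material plus values visible on the wire; with PFS a fresh Diffie-Hellman result is mixed in as well. The function attacker_recovers_phase2_key() asks whether a party that later obtains the phase 1 keying material together with a packet capture can recompute the phase 2 key. The key-derivation formulas are simplified from RFC 2409 section 5.5 and are assumptions; RFC 2409 group 2 is used for the DH exchange.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Diffie-Hellman group 2 (1024-bit MODP), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_exchange():
    """A complete ephemeral Diffie-Hellman exchange simulated locally; returns g^xy."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)
    shared = pow(gy, x, P)
    assert shared == pow(gx, y, P)      # both sides compute the same secret
    return shared.to_bytes(128, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_key(psk, nonce_i, nonce_r, phase1_dh):
    """Simplified stand-in for SKEYID_d, the phase 1 material that phase 2 builds on."""
    return prf(prf(psk, nonce_i + nonce_r), phase1_dh)


def phase2_keymat(skeyid_d, spi, nonce_i, nonce_r, pfs_shared=None):
    """Phase 2 key: phase 1 material plus public values, and with PFS a fresh g^xy too."""
    return prf(skeyid_d, (pfs_shared or b"") + spi + nonce_i + nonce_r)


def attacker_recovers_phase2_key(pfs):
    """True if holding the phase 1 key and a capture is enough to rebuild the phase 2 key."""
    psk = b"constructed-psk"
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    skeyid_d = phase1_key(psk, ni, nr, dh_exchange())
    # Values visible on the wire during the quick mode exchange (constructed samples).
    spi, ni2, nr2 = b"\x00\x00\x10\x01", secrets.token_bytes(16), secrets.token_bytes(16)
    pfs_shared = dh_exchange() if pfs else None
    real_key = phase2_keymat(skeyid_d, spi, ni2, nr2, pfs_shared)
    # The attacker has skeyid_d and the capture, but neither ephemeral DH private value.
    attacker_key = phase2_keymat(skeyid_d, spi, ni2, nr2, None)
    return hmac.compare_digest(real_key, attacker_key)


def rekey_sequence(count, pfs):
    """Keys produced by successive keylife expiries; with PFS each one needs a new DH run."""
    skeyid_d = phase1_key(b"constructed-psk", b"n" * 16, b"r" * 16, dh_exchange())
    keys = []
    for index in range(count):
        spi = index.to_bytes(4, "big")
        pfs_shared = dh_exchange() if pfs else None
        keys.append(phase2_keymat(skeyid_d, spi, secrets.token_bytes(16),
                                  secrets.token_bytes(16), pfs_shared))
    return keys
```

Without PFS the phase 2 key is a deterministic function of the phase 1 key and public values, so compromise of the phase 1 material exposes every phase 2 key derived from it; with PFS each rekey costs an additional DH exchange, which is the trade-off behind enabling it.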

Autokey Keep Alive
Enable the option if you want the tunnel to remain active when
no data is being processed.

DHCP-IPsec
Select this option if the ZXSEC US unit assigns VIP addresses to
US Desktop dialup clients through a DHCP server or relay. This
option is available only if the Remote Gateway in the phase 1
configuration is set to Dialup User, and it works only on
policy-based VPNs.
The DHCP-IPSec option causes the ZXSEC US dialup server to
act as a proxy on the local private network for US Desktop dialup
clients that have VIP addresses on the subnet of the private
network behind the ZXSEC US unit. When a host on the network
behind the dialup server issues an ARP request that corresponds
to the device MAC address of the US Desktop host, the ZXSEC US
unit answers the ARP request on behalf of the US Desktop host
and forwards the associated traffic to the US Desktop host
through the tunnel.

Quick mode identities
The Quick Mode Identities setting determines the method that
will be used to choose selectors for IKE negotiations. You can:
 Choose a selector from a firewall encryption policy. In this
case, the VPN tunnel specified in the firewall encryption
policy is referenced.
 Disable selector negotiation for a tunnel to avoid
negotiation errors. For example, invalid ID information
may result when the set of policies between the peers is
not symmetric.
 Specify the firewall encryption policy source and
destination IP addresses, ports, and IP protocol to use for
selector negotiations. When this option is set, VPN clients
cannot propose selectors.

Configure the phase 2 parameters
Follow this procedure to create an IPSec phase 2 definition.

Note: If you are creating a hub-and-spoke configuration or
an Internet-browsing configuration, you may have already
started defining some of the required phase 2 parameters. If so,
edit the existing definition to complete the configuration.

Specifying the phase 2 parameters
1. Go to VPN > IPSEC > Auto Key (IKE).
2. Select Create Phase 2 to add a new phase 2 configuration or
select the Edit button beside an existing phase 2
configuration.
3. Include appropriate entries as follows:
Name Enter a name to identify the phase 2 configuration.
Phase 1 Select the phase 1 configuration that describes how remote
peers or dialup clients will be authenticated on this tunnel, and how the
connection to the remote peer or dialup client will be secured.
4. Select Advanced.
5. Include appropriate entries as follows:
P2 Proposal Select the encryption and authentication
algorithms that will be used to encrypt and authenticate the data
sent through the tunnel.
Add or delete encryption and authentication algorithms as required.
Select a minimum of one and a maximum of three combinations. The
remote peer must be configured to use at least one of the proposals
that you define.
You can select any of the following symmetric-key algorithms:
 NULL-Do not use an encryption algorithm.
 DES-Data Encryption Standard, a 64-bit block algorithm
that uses a 56-bit key.
 3DES-Triple-DES, in which plain text is encrypted three
times by three keys.
 AES128-A 128-bit block algorithm that uses a 128-bit key.
 AES192-A 128-bit block algorithm that uses a 192-bit key.
 AES256-A 128-bit block algorithm that uses a 256-bit key.

You can select either of the following message digests to check the
authenticity of messages during an encrypted session:
 NULL-Do not use a message digest.
 MD5-Message Digest 5, the hash algorithm developed by
RSA Data Security.
 SHA1-Secure Hash Algorithm 1, which produces a 160-bit
message digest.
To specify one combination only, set the Encryption and
Authentication options of the second combination to NULL. To
specify a third combination, use the Add button beside the fields
for the second combination.
Enable replay detection Optionally enable or disable replay
detection. Replay attacks occur when an unauthorized party
intercepts a series of IPSec packets and replays them back
into the tunnel.
Enable perfect forward secrecy (PFS) Enable or disable
PFS. Perfect forward secrecy (PFS) improves security by
forcing a new Diffie-Hellman exchange whenever keylife
expires.
DH Group Select one Diffie-Hellman group (1, 2, or 5). The
remote peer or dialup client must be configured to use the
same group.
Keylife Select the method for determining when the phase
2 key expires: Seconds, KBytes, or Both. If you select both,
the key expires when either the time has passed or the
number of KB have been processed. The range is from 120 to
172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep Alive Enable the option if you want the
tunnel to remain active when no data is being processed.
DHCP-IPSec Select Enable if the ZXSEC US unit acts as a
dialup server and ZXSEC US DHCP server or relay will be used
to assign VIP addresses to US Desktop dialup clients. The
DHCP server or relay parameters must be configured
separately.
If the ZXSEC US unit acts as a dialup server and the US
Desktop dialup client VIP addresses match the network behind
the dialup server, select Enable to cause the ZXSEC US unit to
act as a proxy for the dialup clients.
This is available only for phase 2 configurations associated with a dialup phase
1 configuration. It works only on policy-based VPNs.

Quick Mode Selector Optionally specify the source and destination IP addresses to
be used as selectors for IKE negotiations. If the ZXSEC US
unit is a dialup server, the default value 0.0.0.0/0 should be
kept unless you need to circumvent problems caused by
ambiguous IP addresses between one or more of the private
networks making up the VPN. You can specify a single host IP
address, an IP address range, or a network address. You may
optionally specify source and destination port numbers and/or
a protocol number.
If you are editing an existing phase 2 configuration, the
Source address and Destination address fields are unavailable
if the tunnel has been configured to use firewall addresses as
selectors. This option exists only in the CLI. Refer to the
dst-addr-type, dst-name, src-addr-type and src-name
keywords for the vpn ipsec phase2 command in the ZXSEC
US CLI Reference.
Source address If the ZXSEC US unit is a dialup server,
type the source IP address that corresponds to the local
sender(s) or network behind the local VPN peer (for example,
172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or
172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or
host, or 192.168.10.[80-100] or
192.168.10.80-192.168.10.100 for an address range). A value
of 0.0.0.0/0 means all IP addresses behind the local VPN peer.
If the ZXSEC US unit is a dialup client, source address must
refer to the private network behind the ZXSEC US dialup client.
Source port Type the port number that the local VPN
peer uses to transport traffic related to the specified service
(protocol number). The range is 0 to 65535.
To specify all ports, type 0.
Destination address Type the destination IP address that
corresponds to the recipient(s) or network behind the remote
VPN peer (for example, 192.168.20.0/24 for a subnet, or
172.16.5.1/32 for a server or host, or 192.168.10.[80-100]
for an address range). A value of 0.0.0.0/0 means all IP
addresses behind the remote VPN peer.
Destination port Type the port number that the remote VPN
peer uses to transport traffic related to the specified service
(protocol number). The range is 0 to 65535. To specify all
ports, type 0.
Protocol Type the IP protocol number of the service. The
range is 1 to 255. To specify all services, type 0.
6. Select OK.


Chapter 14

Defining firewall policies

Overview
This section explains how to specify the source and destination
IP addresses of traffic transmitted through an IPSec VPN, and
how to define appropriate firewall policies.
The following topics are included in this section:
 Defining firewall addresses
 Defining firewall policies

Defining firewall addresses
A VPN tunnel has two end points. These end points may be VPN
peers such as two ZXSEC US gateways. Encrypted packets are
transmitted between the end points. At each end of the VPN
tunnel, a VPN peer intercepts encrypted packets, decrypts the
packets, and forwards the decrypted IP packets to the intended
destination.
You need to define firewall addresses for the private networks
behind each peer. You will use these addresses as the source or
destination address depending on the firewall policy.
In general:
 In a gateway-to-gateway, hub-and-spoke, dynamic DNS,
redundant-tunnel, or transparent configuration, you need
to define a firewall address for the private IP address of
the network behind the remote VPN peer (for example,
192.168.10.0/255.255.255.0 or 192.168.10.0/24).
 In a peer-to-peer configuration, you need to define a
firewall address for the private IP address of a server or
host behind the remote VPN peer (for example,
172.16.5.1/255.255.255.255 or 172.16.5.1/32 or
172.16.5.1).
 For a ZXSEC US dialup server in a dialup-client or
Internet-browsing configuration:
 If you are not using VIP addresses, or if the ZXSEC US
dialup server assigns VIP addresses to US Desktop dialup
clients through ZXSEC US DHCP relay, select the
predefined destination address “all”in the firewall policy
to refer to the dialup clients.
 If you assign VIP addresses to US Desktop dialup clients
manually, you need to define a firewall address for the VIP
address assigned to the dialup client (for example,
10.254.254.1/32), or a subnet address from which the
VIP addresses are assigned (for example,
10.254.254.0/24 or 10.254.254.0/255.255.255.0).
 For a ZXSEC US dialup client in a dialup-client or Internet-
browsing configuration, you need to define a firewall
address for the private IP address of a host, server, or
network behind the ZXSEC US dialup server.
To define an IP address
1. Go to Firewall > Address and select Create New.
2. In the Address Name field, type a descriptive name that
represents the network, server(s), or host(s).
3. In the Subnet/IP Range field, type the corresponding IP
address and subnet mask (for example, 172.16.5.0/24 or
172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32
for a server or host) or IP address range (for example,
192.168.10.[80-100] or 192.168.10.80-192.168.10.100).
4. Select OK.
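The address notations accepted in step 3 above are the same ones the Quick Mode Selector fields of the phase 2 procedure use (a subnet with a prefix length or dotted mask, a single host, a bracketed or dashed range, and 0.0.0.0/0 for everything), so one parser serves both. The following added Python example, which is not code from this guide or from the ZXSEC US unit, parses every form into a first/last address pair and then applies a selector with the port and protocol rule that 0 means any. The class and function names are assumptions.

```python
import ipaddress
import re

RANGE_BRACKET = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_address(text):
    """Return (first, last) IPv4Address objects for any notation listed in the guide."""
    text = text.strip()
    m = RANGE_BRACKET.match(text)
    if m:
        base, low, high = m.group(1), m.group(2), m.group(3)
        first = ipaddress.IPv4Address(f"{base}.{low}")
        last = ipaddress.IPv4Address(f"{base}.{high}")
    elif "-" in text:
        start, end = text.split("-", 1)
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    else:
        # Covers 172.16.5.0/24, 172.16.5.0/255.255.255.0, a bare host, and 0.0.0.0/0.
        network = ipaddress.IPv4Network(text, strict=False)
        first, last = network.network_address, network.broadcast_address
    if first > last:
        raise ValueError(f"range is reversed: {text}")
    return first, last


def address_span(text):
    """String form of the parsed span, convenient for display."""
    first, last = parse_address(text)
    return str(first), str(last)


class QuickModeSelector:
    """Traffic selector: source/destination spans, ports and protocol (0 means any)."""

    def __init__(self, src, dst, src_port=0, dst_port=0, protocol=0):
        for value, limit in ((src_port, 65535), (dst_port, 65535), (protocol, 255)):
            if not 0 <= value <= limit:
                raise ValueError("port or protocol out of range")
        self.src = parse_address(src)
        self.dst = parse_address(dst)
        self.src_port, self.dst_port, self.protocol = src_port, dst_port, protocol

    @staticmethod
    def _in_span(span, address):
        return span[0] <= ipaddress.IPv4Address(address) <= span[1]

    def matches(self, src_ip, dst_ip, src_port, dst_port, protocol):
        """True when a flow falls inside the selector; a 0 setting accepts any value."""
        return (self._in_span(self.src, src_ip)
                and self._in_span(self.dst, dst_ip)
                and self.src_port in (0, src_port)
                and self.dst_port in (0, dst_port)
                and self.protocol in (0, protocol))
```

A selector built from 0.0.0.0/0 on both sides matches every flow, which is the dialup-server default the phase 2 procedure recommends keeping unless overlapping private networks force narrower selectors.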

Defining firewall policies
Firewall policies allow IP traffic to pass between interfaces on a
ZXSEC US unit.
You can limit communication to particular traffic by specifying
source address and destination addresses.
Policy-based and route-based VPNs require different firewall
policies.
 A policy-based VPN requires an IPSec firewall policy. You
specify the interface to the private network, the interface
to the remote peer and the VPN tunnel. A single policy
can enable traffic inbound, outbound, or in both directions.
 A route-based VPN requires an Accept firewall policy for
each direction. As source and destination interfaces, you
specify the interface to the private network and the
virtual IPSec interface (phase 1 configuration) of the VPN.
The IPSec interface is the destination interface for the outbound
policy and the source interface for the inbound policy.
There are examples of firewall policies for both policy-based and
route-based VPNs throughout this guide.

Defining an IPSec firewall policy for a policy-based VPN
An IPSec firewall policy enables the transmission and reception
of encrypted packets, specifies the permitted direction of VPN
traffic, and selects the VPN tunnel. In most cases, a single policy
is needed to control both inbound and outbound IP traffic
through a VPN tunnel.
In addition to these operations, firewall policies specify which IP
addresses can initiate a tunnel. Traffic from computers on the
local private network initiates the tunnel when the Allow
outbound option is selected. Traffic from a dialup client or
computers on the remote network initiates the tunnel when the
Allow inbound option is selected.
When a ZXSEC US unit runs in NAT/Route mode, you can also
enable inbound or outbound NAT. Outbound NAT may be
performed on outbound encrypted packets, or on IP packets
before they are sent through the tunnel. Inbound NAT is
performed on IP packets emerging from the tunnel. These
options are not selected by default in firewall policies.
When used in conjunction with the natip CLI attribute (refer to
the “config firewall” chapter of the ZXSEC US CLI Reference),
outbound NAT enables you to change the source addresses of IP
packets before they go into the tunnel. This feature is often used
to resolve ambiguous routing when two or more of the private
networks making up a VPN have the same or overlapping IP
addresses. For examples of how to use these two features
together, refer to the ZXSEC US Outbound NAT for IPSec VIP
Technical Note and the ZXSEC US IPSec VPN Subnet-address
Translation Technical Note.
When inbound NAT is enabled, inbound encrypted packets are
intercepted and decrypted, and the source IP addresses of the
decrypted packets are translated into the IP address of the
ZXSEC US interface to the local private network before they are
routed to the private network. If the computers on the local
private network can communicate only with devices on the local
private network (that is, the ZXSEC US interface to the private
network is not the default gateway) and the remote client (or
remote private network) does not have an IP address in the
same network address space as the local private network, enable
inbound NAT.
Most firewall policies control outbound IP traffic. An outbound
policy usually has a source address originating on the private
network behind the local ZXSEC US unit, and a destination
address belonging to a dialup VPN client or a network behind the
remote VPN peer. The source address that you choose for the
firewall policy identifies from where outbound cleartext IP
packets may originate, and also defines the local IP address or
addresses that a remote server or client will be allowed to access
through the VPN tunnel. The destination address that you choose
for the firewall policy identifies where IP packets must be
forwarded after they are decrypted at the far end of the tunnel,
and determines the IP address or addresses that the local
network will be able to access at the far end of the tunnel.
You can fine-tune a policy for services such as HTTP, FTP, and
POP3; enable logging, traffic shaping, antivirus protection, web
filtering, email filtering, file transfer, and email services
throughout the VPN; and optionally allow connections according
to a predefined schedule. For more information, refer to the
“Firewall Policy”chapter of the ZXSEC US Administration Guide.

Note: As an option, differentiated services can be enabled in
the firewall policy through CLI commands. For more information,
refer to the “firewall” chapter of the ZXSEC US CLI Reference.
When a remote server or client attempts to connect to the
private network behind a ZXSEC US gateway, the firewall policy
intercepts the connection attempt and starts the VPN tunnel. The
ZXSEC US unit uses the remote gateway specified in its phase 1
tunnel configuration to reply to the remote peer. When the
remote peer receives a reply, it checks its own firewall policy,
including the tunnel configuration, to determine which
communications are permitted. As long as one or more services
are allowed through the VPN tunnel, the two peers begin to
negotiate the tunnel.

Before you begin

Before you define the IPSec policy, you must:
 Define the IP source and destination addresses. Refer to
“Defining firewall addresses”.
 Specify the phase 1 authentication parameters. Refer to
“Auto Key phase 1 parameters”.
 Specify the phase 2 parameters. Refer to “Phase 2
parameters”.
To define an IPSec firewall policy
1. Go to Firewall > Policy and select Create New.
2. Include appropriate entries as follows:
Source Interface/Zone: Select the local interface to the internal
(private) network.
Source Address Name: Select the name that corresponds to the
local network, server(s), or host(s) from which IP packets may
originate.
Destination Interface/Zone: Select the local interface to the
external (public) network.
Destination Address Name: Select the name that corresponds
to the remote network, server(s), or host(s) to which IP packets
may be delivered.
Schedule: Keep the default setting (always) unless changes are
needed to meet specific requirements.
Service: Keep the default setting (ANY) unless changes are
needed to meet your specific requirements.
Action: Select IPSEC.
VPN Tunnel: Select the name of the phase 1 tunnel configuration
to which this policy will apply.
Allow Inbound: Select if traffic from the remote network will be
allowed to initiate the tunnel.
Allow Outbound: Select if traffic from the local network will be
allowed to initiate the tunnel.
Inbound NAT: Select if you want to translate the source IP
addresses of inbound decrypted packets into the IP address of the
ZXSEC US interface to the local private network.
Outbound NAT: Select if you want to translate the source IP
addresses of outbound cleartext packets into the IP address that
you specify.
Outbound NAT should not be selected unless you specify a natip
value through the CLI. Outbound NAT, when used in combination
with the natip value, translates the source addresses of IP packets
sent through the tunnel into the substitution address that you
provide through the natip value. To specify a natip value, refer to
the “config firewall” chapter of the ZXSEC US CLI Reference.
3. You may enable a protection profile, and/or event logging, or
select advanced settings to authenticate a user group, or
shape traffic. For more information, refer to the “Firewall
Policy” chapter of the ZXSEC US Administration Guide.
4. Select OK.
5. Place the policy in the policy list above any other policies
having similar source and destination addresses.

Defining multiple IPSec policies for the same tunnel
You must define at least one IPSec policy for each VPN tunnel. If the same
remote server or client requires access to more than one network
behind a local ZXSEC US unit, the ZXSEC US unit must be
configured with an IPSec policy for each network. Multiple policies
may be required to configure redundant connections to a remote
destination or control access to different services at different
times.
To ensure a secure connection, the ZXSEC US unit must evaluate
IPSEC policies before ACCEPT and DENY firewall policies. Because
the ZXSEC US unit reads policies starting at the top of the list,
you must move all IPSec policies to the top of the list. When you
define multiple IPSec policies for the same tunnel, you must
reorder the IPSec policies that apply to the tunnel so that specific
constraints can be evaluated before general constraints.

Note: Adding multiple IPSec policies for the same VPN
tunnel can cause conflicts if the policies specify similar source
and destination addresses but have different settings for the
same service. When policies overlap in this manner, the system
may apply the wrong IPSec policy or the tunnel may fail.
For example, if you create two equivalent IPSec policies for two
different tunnels, it does not matter which one comes first in the
list of IPSec policies—the system will select the correct policy
based on the specified source and destination addresses. If you
create two different IPSec policies for the same tunnel (that is,
the two policies treat traffic differently depending on the nature
of the connection request), you might have to reorder the IPSec
policies to ensure that the system selects the correct IPSec policy.
Reordering is especially important when the source and
destination addresses in both policies are similar (for example, if
one policy specifies a subset of the IP addresses in another
policy). In this case, place the IPSec policy having the most
specific constraints at the top of the list so that it can be
evaluated first.
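The ordering rules in this section and in the policy procedure above (IPSec policies above ACCEPT and DENY policies, and the most specific policy first when policies overlap) can be checked on paper before they are committed on the unit. The following is an added example written for this guide, not ZXSEC US code: it models the top-down first-match evaluation of the policy list described here and reports orderings that would shadow an IPSec policy. The interface names, tunnel names and addresses are constructed for the example.

```python
"""First-match evaluation of an ordered firewall policy list.

Added example; this is not ZXSEC US code. It models the policy-list
semantics this chapter describes (top-down first match, IPSEC policies
ahead of ACCEPT/DENY, most specific constraints first) so an ordering
mistake can be seen before it is committed on the unit. Interface
names, tunnel names and addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    src: IPv4Network
    dst_intf: str
    dst: IPv4Network
    action: str                        # "IPSEC", "ACCEPT" or "DENY"
    service: str = "ANY"               # "ANY" or one service name
    vpn_tunnel: Optional[str] = None   # phase 1 name; IPSEC action only

    def matches(self, src_intf: str, src_ip: IPv4Address,
                dst_intf: str, dst_ip: IPv4Address, service: str) -> bool:
        return (self.src_intf == src_intf and src_ip in self.src
                and self.dst_intf == dst_intf and dst_ip in self.dst
                and self.service in ("ANY", service))


def first_match(policies: List[Policy], src_intf: str, src_ip: IPv4Address,
                dst_intf: str, dst_ip: IPv4Address, service: str) -> Optional[Policy]:
    """Walk the list from the top; the first matching policy decides.
    None means no policy matched (implicit deny)."""
    for policy in policies:
        if policy.matches(src_intf, src_ip, dst_intf, dst_ip, service):
            return policy
    return None


def ordering_problems(policies: List[Policy]) -> List[str]:
    """Report the two list orders this chapter warns against: an
    ACCEPT/DENY policy placed above an IPSEC policy it shadows, and a
    broad IPSEC policy placed above a more specific one."""
    problems = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.src_intf, earlier.dst_intf) != (later.src_intf, later.dst_intf):
                continue
            shadows = (later.src.subnet_of(earlier.src)
                       and later.dst.subnet_of(earlier.dst)
                       and earlier.service in ("ANY", later.service))
            if not shadows or later.action != "IPSEC":
                continue
            if earlier.action != "IPSEC":
                problems.append(f"{earlier.name} ({earlier.action}) is above IPSEC "
                                f"policy {later.name}: move IPSEC policies to the top")
            elif (earlier.src, earlier.dst) != (later.src, later.dst):
                problems.append(f"{earlier.name} is more general than {later.name}: "
                                f"place the more specific policy first")
    return problems


INTERNAL, EXTERNAL = "internal", "external"


def example_policies() -> Tuple[List[Policy], List[Policy]]:
    """Constructed policies: an Internet-access ACCEPT policy, a
    site-to-site IPSEC policy for the whole 10.1.0.0/16, and a second
    IPSEC policy that sends one subnet through a dedicated tunnel."""
    internet = Policy("internet_out", INTERNAL, IPv4Network("0.0.0.0/0"),
                      EXTERNAL, IPv4Network("0.0.0.0/0"), "ACCEPT")
    to_branch = Policy("to_branch", INTERNAL, IPv4Network("10.1.0.0/16"),
                       EXTERNAL, IPv4Network("192.168.20.0/24"), "IPSEC",
                       vpn_tunnel="branch_site")
    finance = Policy("finance_to_branch", INTERNAL, IPv4Network("10.1.5.0/24"),
                     EXTERNAL, IPv4Network("192.168.20.0/24"), "IPSEC",
                     vpn_tunnel="branch_finance")
    bad_order = [internet, to_branch, finance]    # IPSEC policies at the bottom
    good_order = [finance, to_branch, internet]   # IPSEC on top, most specific first
    return bad_order, good_order


def chosen(policies: List[Policy], src_ip: str, dst_ip: str,
           service: str = "HTTPS") -> Optional[Tuple[str, str, Optional[str]]]:
    """Which policy, action and tunnel a packet from the private network gets."""
    policy = first_match(policies, INTERNAL, IPv4Address(src_ip),
                         EXTERNAL, IPv4Address(dst_ip), service)
    return None if policy is None else (policy.name, policy.action, policy.vpn_tunnel)


if __name__ == "__main__":
    bad, good = example_policies()
    # With the ACCEPT policy on top, finance traffic to the branch leaves
    # in cleartext: the IPSEC policies below it are never evaluated.
    print("bad order :", chosen(bad, "10.1.5.7", "192.168.20.10"))
    print("good order:", chosen(good, "10.1.5.7", "192.168.20.10"))
    for problem in ordering_problems(bad):
        print("warning:", problem)
```

The consequence of the bad order is the one that matters for security: traffic meant for the tunnel matches the general ACCEPT policy and is forwarded in cleartext, with nothing in the tunnel monitor to show it.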

Defining firewall policies for a route-based VPN
When you define a route-based VPN, you create a virtual IPSec
interface on the physical interface that connects to the remote
peer. You create ordinary ACCEPT firewall policies to enable traffic
between the IPSec interface and the interface that connects to
the private network. This makes configuration simpler than for
policy-based VPNs, which require IPSec firewall policies.
To define firewall policies for a route-based VPN
Define an ACCEPT firewall policy to permit communications
between the local private network and the private network
behind the remote peer. Enter these settings in particular:
Source Interface/Zone: Select the interface that connects to the
private network behind this ZXSEC US unit.
Source Address Name: Select the address name that you
defined for the private network behind this ZXSEC US unit.
Destination Interface/Zone: Select the IPSec interface you
configured.
Destination Address Name: Select the address name that
you defined for the private network behind the remote peer.
Action: Select ACCEPT.
NAT: Disable.
To permit the remote client to initiate communication, you need
to define a firewall policy for communication in that direction.
Enter these settings in particular:
Source Interface/Zone: Select the IPSec interface you
configured.
Source Address Name: Select the address name that you
defined for the private network behind the remote peer.
Destination Interface/Zone: Select the interface that
connects to the private network behind this ZXSEC US unit.
Destination Address Name: Select the address name that
you defined for the private network behind this ZXSEC US unit.
Action: Select ACCEPT.
NAT: Disable.

Chapter 15

Monitoring and testing VPNs

Overview
This section provides some general maintenance and monitoring
procedures for VPNs.
The following topics are included in this section:
 Monitoring VPN connections
 Monitoring IKE sessions
 Testing VPN connections
 Logging VPN events
 VPN troubleshooting tips

Monitoring VPN connections

You can use the monitor to view activity on IPSec VPN tunnels
and start or stop those tunnels. The display provides a list of
addresses, proxy IDs, and timeout information for all active
tunnels.

Monitoring connections to remote peers
The list of tunnels provides information about VPN connections to
remote peers that have static IP addresses or domain names.
You can use this list to view status and IP addressing information
for each tunnel configuration. You can also start and stop
individual tunnels from the list.

To view the list of static-IP and dynamic-DNS tunnels
1. Go to VPN > IPSEC > Monitor.

Figure 28 List of static-IP and dynamic-DNS tunnels

To establish or take down a VPN tunnel
1. Go to VPN > IPSEC > Monitor.
2. In the list of tunnels, select the Bring down tunnel or Bring
up tunnel button in the row that corresponds to the tunnel
that you want to bring down or up.

Monitoring dialup IPSec connections

The list of dialup tunnels provides information about the status of
tunnels that have been established for dialup clients. The list
displays the IP addresses of dialup clients and the names of all
active tunnels. The number of tunnels shown in the list can
change as dialup clients connect and disconnect.
To view the list of dialup tunnels
1. Go to VPN > IPSEC > Monitor.

Figure 29 List of dialup tunnels

Note: If you take down an active tunnel while a dialup client
such as US Desktop is still connected, US Desktop will continue
to show the tunnel connected and idle. The dialup client must
disconnect before another tunnel can be initiated.
The list of dialup tunnels displays the following statistics:
 The Name column displays the name of the tunnel.
 The meaning of the value in the Remote gateway column
changes, depending on the configuration of the network
at the far end:
 When a US Desktop dialup client establishes a tunnel, the
Remote gateway column displays the public IP address
and UDP port of the remote host device (on which the US
Desktop Host Security application is installed), or, if a NAT
device exists in front of the remote host, the public IP
address and UDP port of that NAT device.
 When a ZXSEC US dialup client establishes a tunnel, the
Remote gateway column displays the public IP address
and UDP port of the ZXSEC US dialup client.
 The Username column displays the peer ID, certificate
name, or XAuth user name of the dialup client (if a peer
ID, certificate name, or XAuth user name was assigned to
the dialup client for authentication purposes).
 The Timeout column displays the time before the next key
exchange. The time is calculated by subtracting the time
elapsed since the last key exchange from the keylife.
 The Proxy ID Source column displays the IP addresses of
the hosts, servers, or private networks behind the ZXSEC
US unit. A network range may be displayed if the source
address in the firewall encryption policy was expressed as
a range of IP addresses.
 The meaning of the value in the Proxy ID Destination
column changes, depending on the configuration of the
network at the far end:
 When a US Desktop dialup client establishes a tunnel:
If VIP addresses are not used and the remote host
connects to the Internet directly, the Proxy ID Destination
field displays the public IP address of the Network
Interface Card (NIC) in the remote host.
If VIP addresses are not used and the remote host is
behind a NAT device, the Proxy ID Destination field
displays the private IP address of the NIC in the remote
host.
If VIP addresses were configured (manually or through
ZXSEC US DHCP relay), the Proxy ID Destination field
displays either the VIP address belonging to a US Desktop
dialup client, or a subnet address from which VIP
addresses were assigned.
 When a ZXSEC US dialup client establishes a tunnel, the
Proxy ID Destination field displays the IP address of the
remote private network.

Monitoring IKE sessions

You can display a list of all active sessions and view activity by
port number. By default, the following UDP ports are used for
IPSec VPN-related communications:
 port 500 for IKE negotiation
 port 4500 for IKE negotiation and for UDP-encapsulated ESP
when NAT traversal is in use
If required, active sessions can be stopped from this view. For
more information, refer to the “System Status” chapter of the
ZXSEC US Administration Guide.

To view the list of active sessions
1. Go to System > Status.
2. In the Statistics section, select Details on the Sessions line.

Figure 30 Session list

Testing VPN connections

To confirm whether a VPN has been configured correctly, issue a
ping command on the network behind the ZXSEC US unit to test
the connection to a computer on the remote network. A VPN
tunnel will be established automatically when the first data
packet destined for the remote network is intercepted by the
ZXSEC US unit.
To confirm that a VPN between a local network and a dialup client
has been configured correctly, at the dialup client, issue a ping
command to test the connection to the local network. The VPN
tunnel initializes when the dialup client attempts to connect.

Logging VPN events

You can configure the ZXSEC US unit to log VPN events. For IPSec VPNs,
phase 1 and phase 2 authentication and encryption events are logged. For
information about how to interpret log messages, refer to the ZXSEC US
Log Message Reference.
To log VPN events
1. Go to Log&Report > Log Config > Log Setting.
2. Enable the storage of log messages to one or more of the
following locations:
 a USLog unit
 the ZXSEC US system memory
 a remote computer running a syslog server

Note: If available on your ZXSEC US unit, you can enable
the storage of log messages to a system hard disk. In addition,
as an alternative to the options listed above, you may choose to
forward log messages to a remote computer running a
WebTrends firewall reporting server. For more information about
enabling either of these options through CLI commands, refer to
the “log” chapter of the ZXSEC US CLI Reference.

3. If the options are concealed, select the blue arrow beside
each option to reveal and configure associated settings.
4. If logs will be written to system memory, from the Log Level
list, select Information. For more information, refer to the
“ Log&Report”chapter of the ZXSEC US Administration Guide.
5. Select Apply.
To filter VPN events
1. Go to Log&Report > Log Config > Event Log.
2. Verify that the IPSec negotiation event option is selected.
3. Select Apply.
To view event logs
1. Go to Log&Report > Log Access > Event.
2. If the option is available from the Type list, select the log file
from disk or memory. Entries similar to the following indicate
that a tunnel has been established.
2005-03-31 15:38:29 log_id=0101023004 type=event
subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10
loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=asdf
cookies=151c3a5c6dd93c54/0000000000000000
action=negotiate init=local mode=main stage=1
dir=outbound status=success msg="Initiator: sent
172.16.62.11 main mode message #1 (OK)"
2005-03-31 15:38:29 log_id=0101023004 type=event
subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10
loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=asdf
cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate init=local mode=main stage=2
dir=outbound status=success msg="Initiator: sent
172.16.62.11 main mode message #2 (OK)"
2005-03-31 15:38:29 log_id=0101023004 type=event
subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10
loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=asdf
cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate init=local mode=main stage=3
dir=outbound status=success msg="Initiator: sent
172.16.62.11 main mode message #3 (OK)"
2005-03-31 15:38:29 log_id=0101023004 type=event
subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10
loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=asdf
cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate init=local mode=main stage=3
dir=inbound status=success msg="Initiator: parsed
172.16.62.11 main mode message #3 (DONE)"
2005-03-31 15:38:29 log_id=0101023004 type=event
subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10
loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=asdf
cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate init=local mode=quick stage=1
dir=outbound status=success msg="Initiator: sent
172.16.62.11 quick mode message #1 (OK)"
2005-03-31 15:38:29 log_id=0101023006 type=event
subtype=ipsec pri=notice vd=root
loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11
rem_port=500 out_if=port2 vpn_tunnel=asdf
cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=install_sa in_spi=66867f2b out_spi=e22de275
msg="Initiator: tunnel 172.16.62.10/172.16.62.11 install
ipsec sa"
2005-03-31 15:38:29 log_id=0101023004 type=event
subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10
loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=asdf
cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate init=local mode=quick stage=2
dir=outbound status=success msg="Initiator: sent
172.16.62.11 quick mode message #2 (DONE)"
2005-03-31 15:38:29 log_id=0101023002 type=event
subtype=ipsec pri=notice vd=root loc_ip=172.16.62.10
loc_port=500 rem_ip=172.16.62.11 rem_port=500
out_if=port2 vpn_tunnel=asdf
cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c
action=negotiate status=success msg="Initiator: tunnel
172.16.62.11, transform=ESP_3DES, HMAC_SHA1"
Entries similar to the following indicate that phase 1
negotiations broke down because the preshared keys
belonging to the VPN peers were not identical. A
tunnel was not established.
2005-03-31 16:06:39 log_id=0101023003 type=event
subtype=ipsec pri=error vd=root loc_ip=192.168.70.2
loc_port=500 rem_ip=192.168.80.2 rem_port=500
out_if=port2 vpn_tunnel=s
cookies=3896343ae575f210/0a7ba199149e31e9
action=negotiate status=negotiate_error msg="Negotiate
SA Error: probable pre-shared secret mismatch"
For more information about how to interpret error log
messages, refer to the ZXSEC US Log Message Reference.
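Entries in this format can be checked by a script rather than by eye, which matters once a unit carries more than a handful of tunnels. The following added example is not part of the ZXSEC US product or its Log Message Reference: it parses the key=value format shown above, groups entries by vpn_tunnel, and reports whether each tunnel was established (an install_sa entry) or failed (status=negotiate_error). The sample entries are the guide's own examples reflowed onto one line each; the check for legacy algorithms in the negotiated transform is this example's addition.

```python
"""Parse ZXSEC US IPSec event-log entries and summarize tunnel state.

Added example; it is not part of the ZXSEC US product or its Log
Message Reference. SAMPLE_LOG holds the guide's own example entries
reflowed onto one line each; the result field names and the
legacy-algorithm check are this example's own choices.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_LOG = [
    '2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice vd=root '
    'loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2 '
    'vpn_tunnel=asdf cookies=151c3a5c6dd93c54/0000000000000000 action=negotiate '
    'init=local mode=main stage=1 dir=outbound status=success '
    'msg="Initiator: sent 172.16.62.11 main mode message #1 (OK)"',
    '2005-03-31 15:38:29 log_id=0101023004 type=event subtype=ipsec pri=notice vd=root '
    'loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2 '
    'vpn_tunnel=asdf cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=negotiate '
    'init=local mode=main stage=3 dir=inbound status=success '
    'msg="Initiator: parsed 172.16.62.11 main mode message #3 (DONE)"',
    '2005-03-31 15:38:29 log_id=0101023006 type=event subtype=ipsec pri=notice vd=root '
    'loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2 '
    'vpn_tunnel=asdf cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=install_sa '
    'in_spi=66867f2b out_spi=e22de275 '
    'msg="Initiator: tunnel 172.16.62.10/172.16.62.11 install ipsec sa"',
    '2005-03-31 15:38:29 log_id=0101023002 type=event subtype=ipsec pri=notice vd=root '
    'loc_ip=172.16.62.10 loc_port=500 rem_ip=172.16.62.11 rem_port=500 out_if=port2 '
    'vpn_tunnel=asdf cookies=151c3a5c6dd93c54/5ed26a81fb7a2d0c action=negotiate '
    'status=success msg="Initiator: tunnel 172.16.62.11, transform=ESP_3DES, HMAC_SHA1"',
    '2005-03-31 16:06:39 log_id=0101023003 type=event subtype=ipsec pri=error vd=root '
    'loc_ip=192.168.70.2 loc_port=500 rem_ip=192.168.80.2 rem_port=500 out_if=port2 '
    'vpn_tunnel=s cookies=3896343ae575f210/0a7ba199149e31e9 action=negotiate '
    'status=negotiate_error msg="Negotiate SA Error: probable pre-shared secret mismatch"',
]

ENTRY_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
# A value is either a double-quoted string (msg=...) or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one entry into a dict; quoted values keep their spaces."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["timestamp"] = m.group(1)
    return fields


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per vpn_tunnel: peers, phase 1 completion, SA installation, SPIs,
    negotiated transform and any negotiation errors."""
    tunnels: Dict[str, dict] = defaultdict(lambda: {
        "peers": None, "phase1_done": False, "sa_installed": False,
        "spi": None, "transform": None, "errors": []})
    for line in lines:
        e = parse_entry(line)
        if not e or e.get("subtype") != "ipsec" or "vpn_tunnel" not in e:
            continue
        t = tunnels[e["vpn_tunnel"]]
        t["peers"] = (e.get("loc_ip"), e.get("rem_ip"))
        action, status, msg = e.get("action"), e.get("status"), e.get("msg", "")
        if action == "negotiate" and status == "negotiate_error":
            t["errors"].append(msg)
        elif action == "negotiate" and e.get("mode") == "main" and msg.endswith("(DONE)"):
            t["phase1_done"] = True            # last main mode message parsed
        elif action == "install_sa":
            t["sa_installed"] = True
            t["spi"] = (e.get("in_spi"), e.get("out_spi"))
        elif action == "negotiate" and status == "success" and "transform=" in msg:
            t["transform"] = msg.split("transform=", 1)[1]
    return dict(tunnels)


def tunnel_state(summary: dict) -> str:
    if summary["errors"]:
        return "failed"
    return "established" if summary["sa_installed"] else "negotiating"


def legacy_algorithms(transform: Optional[str]) -> List[str]:
    """Flag DES/3DES and MD5 in a negotiated transform; both are legacy
    algorithms that a current deployment should not accept."""
    if not transform:
        return []
    return [a for a in transform.split(", ") if "DES" in a.upper() or "MD5" in a.upper()]


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        print(name, info["peers"], tunnel_state(info), info["transform"],
              "errors:", info["errors"], "legacy:", legacy_algorithms(info["transform"]))
```

The pre-shared secret mismatch shown in the guide's error entry is the single most common failure; grouping by vpn_tunnel and keeping the last error per tunnel makes it visible without reading every negotiate line.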

VPN troubleshooting tips

Most connection failures are due to a configuration mismatch
between the ZXSEC US unit and the remote peer. In general,
begin troubleshooting an IPSec VPN connection failure as follows:
1. Ping the remote network or client to verify whether the
connection is up. Refer to “Testing VPN connections”.
2. Verify the configuration of the ZXSEC US unit and the remote
peer. The following IPSec parameters must agree:
 The mode setting for ID protection (main or aggressive)
on both VPN peers must be identical.
 The authentication method (preshared keys or certificates)
used by the client must be supported on the ZXSEC US
unit and configured properly.
 If preshared keys are being used for authentication
purposes, both VPN peers must have identical preshared
keys.
 The remote client must have at least one set of phase 1
encryption, authentication, and Diffie-Hellman settings
that match corresponding settings on the ZXSEC US unit.
 Both VPN peers must have the same NAT traversal setting
(enabled or disabled).
 The remote client must have at least one set of phase 2
encryption and authentication algorithm settings that
match the corresponding settings on the ZXSEC US unit.
 If you are using manual keys to establish a tunnel, the
Remote SPI setting on the ZXSEC US unit must be
identical to the Local SPI setting on the remote peer, and
vice versa.
3. Refer to Table 6 to correct the problem.

Table 6 VPN trouble-shooting tips

Configuration problem: Mode settings do not match.
Correction: Select complementary mode settings. Refer to
“Choosing main mode or aggressive mode”.

Configuration problem: Peer ID or certificate name of the remote
peer or dialup client is not recognized by the ZXSEC US VPN
server.
Correction: Go to VPN > Phase 1. Depending on the Remote
Gateway and Authentication Method settings, you have a choice of
options to authenticate ZXSEC US dialup clients or VPN peers by
ID or certificate name (refer to “Authenticating remote peers and
clients”). If you are configuring authentication parameters for US
Desktop dialup clients, refer to the Authenticating US Desktop
Dialup Clients Technical Note.

Configuration problem: Preshared keys do not match.
Correction: Reenter the preshared key. Refer to “Authenticating
remote peers and clients”.

Configuration problem: Phase 1 or phase 2 key exchange
proposals are mismatched.
Correction: Make sure that both VPN peers have at least one set
of proposals in common for each phase. Refer to “Defining IKE
negotiation parameters” and “Configure the phase 2 parameters”.

Configuration problem: NAT traversal settings are mismatched.
Correction: Select or clear both options as required. Refer to
“NAT traversal” and “NAT keepalive frequency”.

Configuration problem: SPI settings for manual key tunnels are
mismatched.
Correction: Enter complementary SPI settings. Refer to
“Manual-key configurations”.
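The checklist in step 2 above and Table 6 can be applied mechanically once both peers' settings have been written down from each device. The following added example, not ZXSEC US code and not its CLI, encodes those agreement rules as a function that returns the Table 6 problem labels that apply to a pair of peer settings. The field names and sample values are this example's own, and it compares only what the checklist names: for manual-key tunnels the crossed SPIs and the phase 2 algorithms, not the key material itself.

```python
"""Compare two IPSec peers' settings against the troubleshooting checklist.

Added example; not ZXSEC US code. It encodes the agreement rules of the
checklist and Table 6 above as a function, so both ends' settings
(collected by hand from each device) can be compared before reading
negotiation logs. Field names and sample values are this example's own.
"""
import hmac
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Phase1Proposal = Tuple[str, str, int]   # (encryption, authentication, DH group)
Phase2Proposal = Tuple[str, str]        # (encryption, authentication)


@dataclass(frozen=True)
class PeerSettings:
    mode: str                               # "main" or "aggressive"
    auth_method: str                        # "psk" or "certificate"
    preshared_key: Optional[str]
    phase1: FrozenSet[Phase1Proposal]
    nat_traversal: bool
    phase2: FrozenSet[Phase2Proposal]
    manual_key: bool = False
    local_spi: Optional[str] = None
    remote_spi: Optional[str] = None


def find_mismatches(local: PeerSettings, remote: PeerSettings) -> List[str]:
    """Return the Table 6 problem labels that apply to this pair."""
    problems: List[str] = []
    if local.manual_key or remote.manual_key:
        # Manual-key tunnels do not run IKE: the SPIs must be crossed and
        # the phase 2 algorithms must agree. (Key material is not compared.)
        if not (local.manual_key and remote.manual_key):
            problems.append("One peer uses manual keys and the other uses IKE.")
        elif not (local.remote_spi == remote.local_spi
                  and local.local_spi == remote.remote_spi):
            problems.append("SPI settings for manual key tunnels are mismatched.")
        if not local.phase2 & remote.phase2:
            problems.append("Phase 2 key exchange proposals are mismatched.")
        return problems
    if local.mode != remote.mode:
        problems.append("Mode settings do not match.")
    if local.auth_method != remote.auth_method:
        problems.append("Authentication methods do not match.")
    elif local.auth_method == "psk":
        # compare_digest keeps the comparison time independent of where
        # the two strings first differ; a trailing space is a common cause.
        keys_equal = (bool(local.preshared_key) and bool(remote.preshared_key)
                      and hmac.compare_digest(local.preshared_key.encode(),
                                              remote.preshared_key.encode()))
        if not keys_equal:
            problems.append("Preshared keys do not match.")
    if not local.phase1 & remote.phase1:
        problems.append("Phase 1 key exchange proposals are mismatched.")
    if local.nat_traversal != remote.nat_traversal:
        problems.append("NAT traversal settings are mismatched.")
    if not local.phase2 & remote.phase2:
        problems.append("Phase 2 key exchange proposals are mismatched.")
    return problems


def example_peers() -> Tuple[PeerSettings, PeerSettings, PeerSettings]:
    """Constructed settings: a local unit, a remote that agrees, and a
    remote with a pre-shared key typed with a trailing space, a phase 1
    proposal that shares no DH group, and NAT traversal turned off."""
    local = PeerSettings("main", "psk", "k7Qv9-branch-2006",
                         frozenset({("aes256", "sha256", 14), ("aes128", "sha1", 5)}),
                         True, frozenset({("aes256", "sha256")}))
    good_remote = PeerSettings("main", "psk", "k7Qv9-branch-2006",
                               frozenset({("aes256", "sha256", 14)}), True,
                               frozenset({("aes256", "sha256"), ("aes128", "sha1")}))
    bad_remote = PeerSettings("main", "psk", "k7Qv9-branch-2006 ",
                              frozenset({("aes128", "sha1", 2)}), False,
                              frozenset({("aes256", "sha256")}))
    return local, good_remote, bad_remote


def manual_key_example(swapped: bool = False) -> Tuple[PeerSettings, PeerSettings]:
    """Manual-key pair. Correct when the local Remote SPI equals the remote
    Local SPI and vice versa; swapped=True reverses the remote's values."""
    local = PeerSettings("main", "psk", None, frozenset(), False,
                         frozenset({("aes256", "sha256")}), manual_key=True,
                         local_spi="0x1001", remote_spi="0x2002")
    r_local, r_remote = ("0x1001", "0x2002") if swapped else ("0x2002", "0x1001")
    remote = PeerSettings("main", "psk", None, frozenset(), False,
                          frozenset({("aes256", "sha256")}), manual_key=True,
                          local_spi=r_local, remote_spi=r_remote)
    return local, remote


if __name__ == "__main__":
    local, good, bad = example_peers()
    print("agreeing peers:", find_mismatches(local, good))
    print("mismatched peers:", find_mismatches(local, bad))
    print("manual key, SPIs reversed:", find_mismatches(*manual_key_example(swapped=True)))
```

Each label maps onto a row of Table 6, so the output points straight at the correction to apply. The phase 1 check is an intersection of whole proposals (encryption, authentication and DH group together), which is what IKE actually requires; two peers that share an encryption algorithm but no DH group still fail.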

A word about NAT devices

When a device with NAT capabilities is located between two VPN
peers or between a VPN peer and a dialup client, both VPN peers
must support NAT traversal (NAT-T), and the NAT device must pass
UDP port 4500, for encrypted traffic to cross the NAT device. For
more information, refer to “NAT traversal”.

Tables

Table 1 Chapter Summary
Table 2 Typographical Conventions
Table 3 Mouse Operation Conventions
Table 4 Typographical conventions
Table 5 Comparison of policy-based and route-based VPNs
Table 6 VPN trouble-shooting tips


Figures

Figure 1 Example gateway-to-gateway configuration ............ 13


Figure 2 Fully meshed configuration ................................... 14
Figure 3 Partially meshed configuration............................... 15
Figure 4 Example gateway-to-gateway configuration ............ 19
Figure 5 Example hub-and-spoke configuration .................... 28
Figure 6 Example hub-and-spoke configuration .................... 38
Figure 8 Example hub-and-spoke configuration with US Desktop
dialup clients .................................................................... 48
Figure 9 Example dynamic DNS configuration ...................... 64
Figure 10 Example US Desktop dialup-client configuration ..... 72
Figure 11 IP address assignments in a US Desktop dialup-client
configuration .................................................................... 75
Figure 12 Example US Desktop dialup-client configuration ..... 85
Figure 13 Example ZXSEC US dialup-client configuration ....... 92
Figure 14 Preventing network overlap in a ZXSEC US dialup-
client configuration ............................................................ 94
Figure 15 Example Internet-browsing configuration ............ 102
Figure 16 Example redundant-tunnel configuration ............. 108
Figure 17 Example redundant route-based VPN configuration
..................................................................................... 112
Figure 18 Example redundant-tunnel configuration ............. 126
Figure 19 Example partially redundant tunnel configuration . 135
Figure 20 Management station on internal network............. 146
Figure 21 Management station on external network............ 146
Figure 22 Link between two ZXSEC US units running in
Transparent mode ........................................................... 147
Figure 23 ICMP redirecting packets to two ZXSEC US units
running in Transparent mode ............................................ 148
Figure 24 Destinations on remote networks behind internal
routers........................................................................... 148
Figure 25 Local Certificates.............................................. 165
Figure 26 CA Certificates ................................................. 165


Figure 27 Basic Phase 2 settings (VPN > IPSEC > Auto Key (IKE)
> Create Phase 2) ............................................ 177
Figure 28 Advanced phase 2 settings ................................ 179
Figure 29 List of static-IP and dynamic-DNS tunnels .......... 194
Figure 30 List of dialup tunnels ........................................ 194
Figure 31 Session list...................................................... 196



Index

Symbols
(XAuth)

A
Accept peer ID in dialup group
Accept this peer certificate group only
Accept this peer certificate only
Accept this peer ID
Address, IP address example
Allow inbound, encryption policy
Allow outbound, encryption policy
ambiguous routing
resolving in ZXSEC US dialup-client configuration
authenticating
based on peer IDs
IPSec VPN peers and clients
through IPSec certificate
through XAuth settings
authenticating ZXSEC US unit with pre-shared key
Authentication Algorithm, Manual Key
Authentication Key, Manual Key
authentication server, external for XAuth
Autokey Keep Alive
IPSec interface mode
Autokey Keep Alive, Phase 2

C
Certificate Name, Phase 1
certificate, IPSec group
Local ID setting
using DN to establish access
viewing local DN


CLI
using instead of web-based manager
comments, documentation
concentrator, defining
configuring
dynamic DNS VPN
US Desktop dialup-client VPN
US Desktop in dialup-client VPN
ZXSEC US dialup-client VPN
ZXSEC US in dialup-client IPSec VPN
gateway-to-gateway IPSec VPN
hub-and-spoke IPSec VPN
IPSec VPNs
manual key IPSec VPN
transparent IPSec VPN
customer service

D
DDNS services, subscribing to
Dead Peer Detection, Phase 1
DH Group
IPSec interface mode
DH Group, Phase 1
DH Group, Phase 2
DHCP relay
in US Desktop dialup-client configuration
in ZXSEC US dialup-client configuration
DHCP server
in US Desktop dialup-client configuration
DHCP-IPSec
IPSec interface mode
DHCP-IPSec, Phase 2
dialup-client IPSec configuration
configuration steps for ZXSEC US dialup clients
DHCP relay for US Desktop VIP
DHCP server for US Desktop VIP
dialup server for US Desktop dialup clients
dialup server for ZXSEC US dialup clients


ZXSEC US client configuration


infrastructure requirements for US Desktop access
infrastructure requirements for ZXSEC US client access
Diffie-Hellman algorithm
DNS server, dynamic DNS configuration
documentation
commenting on
ZTE
domain name, dynamic DNS configuration
dynamic DNS configuration
configuration steps
domain name configuration
infrastructure requirements
overview
remote VPN peer configuration
supported DDNS services
dynamic IP address for remote host
ZXSEC US DDNS peer
ZXSEC US dialup client

E
Enable perfect forward secrecy (PFS) IPSec interface mode
Enable perfect forward secrecy (PFS), Phase 2
Enable replay detection
IPSec interface mode
Enable replay detection, Phase 2
Encryption Algorithm, Manual Key
Encryption Key, Manual Key
encryption policy
allow outbound and inbound
defining IP addresses
defining IPSec
defining multiple for same IPSec tunnel
enabling specific services
evaluating multiple
outbound and inbound NAT
traffic direction
examples


basic hub-and-spoke VPN


US Desktop in hub-and-spoke VPN
ZXSEC US dialup in partially redundant configuration
gateway-to-gateway VPN
redundant-tunnel VPN

F
firewall IP addresses
defining IPSec
firewall policy
defining for policy-based VPN
defining for route-based VPN
US Desktop dialup-client configuration
configuration steps
US Desktop configuration
overview
US Desktop dialup-client IPSec configuration
VIP address assignment
ZXSEC US dialup-client IPSec configuration
ZXSEC US acting as client
using DHCP relay in
ZXSEC US documentation commenting on
ZTE customer service
ZTE documentation
ZTE Knowledge Center

G
gateway-to-gateway IPSec configuration
configuration example
configuration steps
infrastructure requirements
overview
generating
IPSec phase 1 keys
IPSec phase 2 keys

H
hub-and-spoke IPSec configuration
basic configuration example
concentrator, defining
configuration steps
US Desktop in hub-and-spoke VPN example


hub configuration
infrastructure requirements
overview


spoke configuration

I
IKE negotiation parameters
Inbound NAT, encryption policy
Internet-browsing
configuring US Desktop
Internet-browsing firewall policy
VPN server
Internet-browsing IPSec configuration
US Desktop dialup-client configuration
gateway-to-gateway configuration
infrastructure requirements
overview
introduction
ZXSEC US IPSec VPNs
ZTE documentation
IPSec VPN Guide
IPSec VPN
authentication methods
authentication options
certificates
extended authentication (XAuth)
firewall IP addresses, defining
firewall IPSec policy
ZXSEC US implementation
keeping tunnel open
overview
peer identification
phase 1 parameters
phase 2 parameters
role of encryption policy

K
Keepalive Frequency, Phase 1
Keylife
IPSec interface mode


Keylife, Phase 1
Keylife, Phase 2

L
LDAP server, external for XAuth
Local ID
for certificates
for peer IDs
to identify ZXSEC US dialup clients
Local SPI, Manual Key

M
manual key IPSec configuration
configuration steps
overview
meshed VPN
Mode, Phase 1

N
NAT
keepalive frequency
traversal
Nat-traversal, Phase 1
negotiating
IPSec phase 1 parameters
IPSec phase 2 parameters
network topology
dynamic DNS
US Desktop dialup-client
ZXSEC US dialup-client
fully meshed network
gateway-to-gateway
hub-and-spoke
Internet-browsing
manual key
partially meshed network
redundant-tunnel
supported IPSec VPNs
transparent VPN

O
Outbound NAT, encryption policy
overlap
resolving IP address
resolving through ZXSEC US DHCP relay

P
P1 Proposal, Phase 1
P2 Proposal
Phase 2 IPSec interface mode
P2 Proposal, Phase 2
partially meshed VPN
partially redundant tunnel configuration
example configuration
peer ID
assigning to ZXSEC US unit
enabling
Local ID setting
perfect forward secrecy, enabling
phase 1 parameters
authentication method
authentication options
defining
negotiating
overview
phase 2 parameters
configuring
defining
negotiating
planning VPN configuration
pre-shared key
authenticating ZXSEC US unit with
Pre-shared Key, Phase 1

Q
Quick mode identities, Phase 2
Quick Mode Selector
IPSec interface mode

R
RADIUS server, external for XAuth
redundant IPSec VPN configuration
partially-redundant configuration
redundant VPNs
policy-based configuration
route-based configuration
redundant-tunnel IPSec configuration
example configuration
infrastructure requirements 96
overview
remote client
authenticating with certificates
ZXSEC US dialup-client
in Internet-browsing IPSec configuration
Remote Gateway, Phase 1
remote peer
authenticating with certificates
dynamic DNS configuration
gateway-to-gateway IPSec configuration
manual key IPSec configuration
transparent IPSec VPN configuration
Remote SPI, Manual Key
replay detection, enabling
route-based VPN
firewall policy
routing, transparent VPN IPSec configuration

S
source IP address example
subscribing to DDNS service

T
technical support
Transparent mode
transparent VPN IPSec configuration
configuration steps
infrastructure requirements
overview
prerequisites to configuration

V
VIP address, US Desktop dialup clients
virtual domain, transparent VPN IPSec configuration
VPN basic settings
general steps for configuring IPSec
interoperability
VPNs
planning configurations
preparation steps

W
web-based manager

X
XAUTH
ZXSEC US unit as client
ZXSEC US unit as server
XAuth (extended authentication)
authenticating users with
XAuth client, ZXSEC US unit as
XAuth Enable as Client, Phase 1
XAuth Enable as Server, Phase 1
XAuth server, ZXSEC US unit as