Zywall Ipsec Vpn Client Serial Number

Pamula Harrison

Jun 7, 2024, 2:57:44 AM
to frusdochandli

We are going through a network transition and have several VPN software clients that used to connect to a Cisco PIX firewall. We are replacing these with multiple ZyXEL ZyWALLs which will now handle the IPSEC VPN termination for gateway-to-gateway VPNs, however some Cisco software clients are still in operation.


Is it possible to configure the Cisco VPN client to connect with the ZyWALL? I personally am not familiar with the Cisco client although I have dealt with other IPSEC VPN clients. The ZyWALL obviously has as part of its simple stage 1 IKE setup: -

Generally, Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

However, the Cisco bods at the other end seem to be having difficulties connecting, although we can connect with a standard IPSEC client such as Greenbow or the Safenet client. This is why I wanted some example screenshots of the configuration pages.

The guys that are trying to connect using the Cisco client are using version 4.0.2 (A), as can be seen in the attachment. This still means nothing to me and I can't help them configure the client, although they are saying that there are minimal configuration options.

Looking at the main board inside the 110, shown below, you can see the case could be made smaller, as the main board only fills just over half of the case bottom. Underneath the large heatsink is a Cavium CN6230 quad-core 1GHz CPU, supported by 512 MB Flash and 1 GB RAM. The Ethernet component is a Realtek RTL8370M Gigabit Ethernet chip.

The ZyWALL 110 GUI provides four main tabs on the left for a dashboard, monitor options, configurations, and maintenance. Below is a screen shot of the main dashboard that displays device info, system status, system resource, interface status, firewall rules, logs and USB status.

There are seven 10/100/1000 Ethernet ports on the ZyWALL 110. Two of the ports are labeled and dedicated as WAN ports. One of the ports is labeled OPT. This port can be configured as an external, i.e. WAN, port, or as an internal port with any of the internal interface types, i.e. LAN1, LAN2, WLAN, or DMZ. The other four ports are internal ports and can be configured with any of the internal interface types. There is a different firewall zone for each of the port types and a different subnet for each of the internal port types.

There are two dedicated WAN ports on the ZyWALL 110. Failover between WAN ports worked automatically. With both WAN ports enabled, I ran a continuous ping to google.com and deactivated one of the WAN ports. The router dropped one ping packet before it failed over to the backup WAN port and resumed connectivity. Re-activating the down WAN port was seamless and a traceroute confirmed traffic resumed using the primary interface.

There are two USB ports on the front of the device. They can be used to connect a 3G USB card as WWAN interface, which is a great idea for further network redundancy. ZyXEL lists 27 supported 3G USB cards on the 3G Card Support section of this page, most of which are made by Huawei, with a few Sierra cards thrown in.

The USB ports can also be used to connect a storage device to save system logs or device diagnostic information. The USB ports cannot be used for network file sharing. I connected several USB thumb drives and all were detected and available to save log files, an example shown below.

As you can see from the options in the criteria section above, more advanced bandwidth policies can be created. Policies can be created to control bandwidth by user, schedule, interface, source or destination address, DSCP value, and/or service type.

The ZyWALL 110 supports IPsec site-to-site VPN tunnels and IPsec, L2TP, and SSL remote VPN tunnels. Up to 100 concurrent IPsec tunnels and 25 concurrent SSL tunnels are supported. L2TP tunnels, which use IPsec encryption, count as part of the 100 concurrent IPsec tunnel limit.

I found configuring a VPN solution on the ZyWALL 110 was a multi-step process for all VPN types. There are Quick Setup menus (aka configuration wizards) for WAN Interfaces and VPNs. I used the regular menu instead of the Quick Setup for my configurations so I could explore all the options.

One of the challenging aspects of IPsec VPN configuration is getting all the parameters to match on both sides of a tunnel. Although IPsec is a standard technology, vendors use different terms referencing IPsec configurations. On the ZyWALL 110, you first configure a VPN Gateway, which is also referred to as Phase 1 or IKE on other VPN routers.

Second, you configure a VPN Connection, which is also referred to as Phase 2 or IPsec on other VPN routers. Once I applied my configurations, the VPN tunnel between the ZyWALL and Cisco came right up.

With site to site and remote IPsec successfully tested, I tested L2TP. The neat thing about L2TP VPNs is client software is included in many devices, including smart phones, tablets, Windows and Apple PCs. I successfully tested L2TP connections to the ZyWALL 110 from an iPhone 4 and a Windows 8 PC.

I struggled a bit with the ZyWALL manual on how to configure L2TP, so I poked around on the web and found this forum entry that helped me out. Essentially, you configure user names, establish an L2TP address pool for remote clients, create VPN Gateway and VPN Connection settings, then enable the L2TP server on the ZyWALL and create appropriate Firewall rules. Below are screenshots of my ZyWALL L2TP Gateway, Connection, and L2TP server configuration pages.

L2TP is a good solution for remote access, but I prefer SSL VPN connections for PCs. With SSL VPNs, remote clients use a browser to establish a remote VPN connection. Software and configurations are applied to the PC automatically once the end user authenticates through the browser.

I found configuring SSL access on the ZyWALL 110 easier than IPsec and L2TP. SSL VPN configurations only require creating user names, setting up an SSL VPN address pool for remote clients, establishing an SSL VPN access policy, and entering Firewall rules. Below are screenshots of my ZyWALL SSL address pool and access policy.

The ZyWALL is a VPN and a firewall device, with the focus on passing desired traffic at high speed. Configuring the firewall for filtering traffic is also a key feature. I found the ZyWALL firewall to have a good bit of capability and to be quite simple to configure. There is a basic checkbox to enable and disable the stateful packet inspection (SPI) firewall, which comes in handy for troubleshooting.

Firewall rules can be configured using zones, schedule objects, users, source and destination addresses or objects and service objects. I like this object-oriented approach to configuration; I find it more flexible. Each rule, once created, can be individually activated or deactivated.

I set up a simple rule to filter iperf traffic through any interface on the ZyWALL, as shown below. With the rule inactive, I had no problem running iperf tests. Once I activated this rule, I could no longer pass iperf traffic, validating the effectiveness of my rule.

In addition to creating firewall rules to filter traffic, the ZyWALL 110 has a session control mechanism that allows you to create a rule to limit the number of sessions a user or specific IP address can generate. This tool provides a form of end-user network control.

Routing performance for the ZyWALL 110 loaded with V3.10(AAAA.2) firmware and using our standard test method is summarized below. The maximum simultaneous connections result is at the limit of our test process, indicating the ZyWALL can certainly support plenty of user sessions.

Throughput results for unidirectional download and upload speeds are shown in the composite IxChariot plot below. The download speed result looks pretty consistent, but there is quite a bit more variation in the upload speed result.
