
Netopia IPsec Compatibility

NIR_078

Making IPsec connections work with Netopia Routers

Please Note: VPN services to or from routers with non-routable WAN addresses are not supported by Netopia Technical Support. The private, non-routable address ranges (defined in RFC 1918) are the following:
  • 10.x.x.x (10.0.0.0/8)
  • 172.16.x.x-172.31.x.x (172.16.0.0/12)
  • 192.168.x.x (192.168.0.0/16)
Even though experimentation may get a VPN working behind a non-routable WAN address, Netopia Technical Support cannot troubleshoot these configurations. To use VPN services with Netopia and Cayman routers, contact your Internet Service Provider to obtain an account that assigns a real, routable IP address to the WAN interface of the router.

Caution: If a firewall of any type, hardware or software, sits in the path of the IPsec tunnel, its rules must allow UDP port 500 (IKE/ISAKMP) and IP protocols 50 (ESP) and 51 (AH) in both directions so that the key exchange and the encrypted data can pass. Note that 50 and 51 are IP protocol numbers, not TCP or UDP port numbers; a rule that opens "port 50" does nothing for ESP.
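
As an added example (not Netopia's code), the following Python script models a default-deny packet filter in the tunnel's path and checks whether the three kinds of IPsec traffic get through it. The rule and packet representation is this example's own; the point it demonstrates is the failure mode of treating 50 and 51 as UDP ports, where IKE succeeds and the tunnel reports "up" but no encrypted data ever passes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers and the IKE port from the caution above. ESP and AH are
# carried directly in IP; they have no port numbers at all.
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None  # destination port, meaningful for UDP/TCP only


@dataclass(frozen=True)
class Rule:
    """An allow rule: an IP protocol plus an optional destination port."""
    proto: int
    dport: Optional[int] = None  # None matches any port (or a port-less protocol)

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def allowed(rules: List[Rule], pkt: Packet) -> bool:
    """Default-deny filter: a packet passes only if some allow rule matches it."""
    return any(rule.matches(pkt) for rule in rules)


# The three kinds of traffic an IKE-negotiated IPsec tunnel puts on the wire,
# in the order they appear: IKE first, then the protected data.
IPSEC_TRAFFIC: Dict[str, Packet] = {
    "IKE (UDP/500)": Packet(IP_PROTO_UDP, IKE_PORT),
    "ESP (protocol 50)": Packet(IP_PROTO_ESP),
    "AH (protocol 51)": Packet(IP_PROTO_AH),
}


def check_ruleset(rules: List[Rule]) -> Dict[str, bool]:
    """Report, per traffic type, whether the ruleset lets it through."""
    return {name: allowed(rules, pkt) for name, pkt in IPSEC_TRAFFIC.items()}


# Constructed rulesets (example data). WRONG_RULES is the classic mistake of
# entering 50 and 51 as UDP ports: IKE completes and the tunnel reports "up",
# but every ESP packet is dropped, so pings through the tunnel never answer.
WRONG_RULES = [Rule(IP_PROTO_UDP, IKE_PORT), Rule(IP_PROTO_UDP, 50), Rule(IP_PROTO_UDP, 51)]

# CORRECT_RULES is what the caution asks for: UDP port 500 plus the ESP and
# AH protocols themselves.
CORRECT_RULES = [Rule(IP_PROTO_UDP, IKE_PORT), Rule(IP_PROTO_ESP), Rule(IP_PROTO_AH)]

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_RULES), ("correct", CORRECT_RULES)):
        print(f"{label:8s}", check_ruleset(rules))
```

On a Linux packet filter the correct set corresponds to iptables rules of the form `-p udp --dport 500`, `-p esp` and `-p ah` (protocol names, not ports), applied to traffic in both directions between the two tunnel endpoints.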

Situation

The Netopia router can act as an IPsec client or gateway device. When operating in this manner, the Netopia manages the IPsec connections directly. This technote discusses connections created between the Netopia and another IPsec device. If you want IPsec traffic to pass through the Netopia to a device on your LAN, this technote does not apply; refer instead to the Netopia IPsec & NAT Passthrough Issues Technote. If you are trying to connect an IPsec client or device to a Netopia R-series router, refer to the following documentation.

Due to the increasing popularity of IPsec as a VPN option, Netopia has been testing IPsec connections between Netopia Routers and other popular devices.

This information is offered as an added service; Netopia cannot be responsible for the configuration of non-Netopia products.

Two of the major requirements for IPsec compatibility with the Netopia are:

  1. The Netopia operates in "Tunnel" mode only; "Transport" mode connections are not supported.
  2. The Netopia stores the SPIs for its manual keys in decimal (0-9) format. Most other vendors store their manual-key SPIs in hexadecimal (0-F) format, so the SPIs in use will usually have to be converted to ensure that the values match. For example, if the remote VPN gateway uses an SPI of 256 in hexadecimal (0x256), the SPI entered in the Netopia must be 598 in decimal. The Windows Calculator utility in 'Scientific' mode can convert hexadecimal values to decimal and vice versa.

All latest firmware releases support IKE. To check on new releases, please refer to our firmware page.

When using IKE, the Netopia defaults to Diffie-Hellman group 2 (1024-bit MODP). Some vendors may require this to be changed to group 1 (768-bit MODP); group 1 is the weaker of the two, so change it only when the peer cannot negotiate group 2.

When using IKE to authenticate a tunnel where either side has a dynamic IP address, Aggressive Mode should be used instead of Main Mode, because Main Mode with a pre-shared key identifies the peer by its IP address. Aggressive Mode sends the identity and the pre-shared-key hash without encryption, so choose a long, random pre-shared key.
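
As an added example (not Netopia's code, and not a Netopia configuration format), the following Python script carries out the SPI conversion from the requirements list above and applies the tunnel-mode, Diffie-Hellman group and Aggressive Mode rules from the paragraphs that follow it, producing the settings to enter on the Netopia side from a description of the remote peer. The peer-description keys and the 32-bit and reserved-range SPI checks (RFC 4302/4303 reserve SPI values 0-255) are this example's own additions.

```python
import re
from typing import Dict, List, Tuple


def spi_hex_to_decimal(spi_hex: str) -> int:
    """Convert a peer's hexadecimal SPI into the decimal form the Netopia stores.

    Accepts "256", "0x256" or "0X0256". Rejects anything wider than 32 bits and
    the values 0-255, which RFC 4302/4303 reserve (0 for local use, 1-255 for
    IANA), so a typo such as "ff" is caught instead of producing a dead SA.
    """
    text = spi_hex.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if not re.fullmatch(r"[0-9a-f]{1,8}", text):
        raise ValueError(f"not a hexadecimal SPI: {spi_hex!r}")
    value = int(text, 16)
    if value <= 0xFF:
        raise ValueError(f"SPI {value} lies in the reserved range 0-255")
    return value


def spi_decimal_to_hex(spi_dec: int) -> str:
    """The reverse conversion, for telling a hex-based peer what the Netopia uses."""
    if not 0x100 <= spi_dec <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi_dec} is outside the usable 32-bit range")
    return format(spi_dec, "x")


def netopia_settings(peer: Dict) -> Tuple[Dict, List[str]]:
    """Derive the Netopia-side settings from a description of the remote peer.

    The peer dictionary and its keys (mode, keying, spi_in, spi_out, dh_group,
    ike_mode, dynamic_endpoint) are this example's own convention. Returns
    (settings, issues): settings is what to enter on the Netopia; issues lists
    the changes that must be made before the tunnel will come up.
    """
    settings: Dict = {"mode": "tunnel"}  # the Netopia has no other choice
    issues: List[str] = []

    if peer["mode"].lower() != "tunnel":
        issues.append("peer is in transport mode; the Netopia supports tunnel mode only, "
                      "so the peer must be reconfigured")

    if peer["keying"] == "manual":
        # Manual keys: one SPI per direction, each converted from the peer's hex.
        settings["spi_in"] = spi_hex_to_decimal(peer["spi_in"])
        settings["spi_out"] = spi_hex_to_decimal(peer["spi_out"])
    elif peer["keying"] == "ike":
        group = peer.get("dh_group", 2)  # Netopia default is group 2
        if group not in (1, 2, 5):
            issues.append(f"DH group {group} is not one the technote lists (1, 2 or 5)")
        settings["dh_group"] = group
        ike_mode = peer.get("ike_mode", "main").lower()
        if peer.get("dynamic_endpoint", False) and ike_mode == "main":
            issues.append("an endpoint has a dynamic address; switch both sides from "
                          "main mode to aggressive mode")
            ike_mode = "aggressive"
        settings["ike_mode"] = ike_mode
    else:
        raise ValueError(f"unknown keying method {peer['keying']!r}")

    return settings, issues


# Constructed peer descriptions (example data) for the two cases discussed above.
MANUAL_PEER = {"mode": "transport", "keying": "manual", "spi_in": "256", "spi_out": "0x1a2b"}
IKE_PEER = {"mode": "tunnel", "keying": "ike", "dh_group": 1, "ike_mode": "main",
            "dynamic_endpoint": True}

if __name__ == "__main__":
    for peer in (MANUAL_PEER, IKE_PEER):
        settings, issues = netopia_settings(peer)
        print(settings, issues)
```

Running the script on MANUAL_PEER yields the technote's own conversion (hex 256 becomes decimal 598) together with an issue for the peer's transport mode; running it on IKE_PEER keeps DH group 1 as the peer demands and reports that Main Mode must give way to Aggressive Mode on both sides.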

To change an IKE profile after it has been created, go to:
Wan Configuration --> IPsec Configuration

Devices that are Tested for IPsec Compatibility on a Regular Basis

Compatible Devices with Netopia Routers running IPsec with IKE as of 2001

Notes: The results were generated during in-house testing in Netopia's QA lab and at the International IPsec Compatibility bakeoff in Helsinki, Finland. Results filed from beta sites are also included in some cases. Testing usually included both main and aggressive mode, with the Netopia as both initiator and responder, and typically included re-keying at least once or twice. MD5 and SHA1 were used in different cases; 3DES, DH group 2 and ESP were used in all cases, and group 5 was tested in a few. AH, manual keys and DES were not tested (there has recently been discussion in favour of removing manual keys and DES from the IPsec standard). All tests involved pinging through the VPN, although other services (ftp, etc.) were also tested in certain cases.

(These devices were all tested in March of 2001 and were determined to be compatible. However, not all of these devices have been retested with each firmware revision.)
  • Netscreen 10
  • Netscreen 5
  • Cisco 5000 series: This was formerly Compatible Systems
  • Checkpoint Firewall-1 with VPN v4.1: Please refer to our Application note, IPsec Connection to a Check Point Firewall Using IKE
  • Sonicwall Tele-2: All the SonicWall devices should be similar, and should work
  • WatchGuard Firebox II: It seems that not all the WatchGuard products work the same
  • BSD/FreeBSD: The same package will probably work on other Unix/Linux platforms
  • F-Secure VPN+ V.5.2
  • Compaq SSH Toolkit V.5.1b
  • Samsung Secui V.1.1
  • Ericsson AX1 54e client/server: The R9100 initiating to the AX1 worked, but the AX1 initiating to the R9100 failed. It failed with the firmware release we were running because that release only accepted incoming IKE connections on port 500, whereas Ericsson initiates from random ports to allow for NAT. We will fix this in our firmware to accept initiation from random incoming ports.
  • Zyxel: A SOHO gateway box.
  • SSH: unix based client or server application.
  • PGP Desktop Security client : available for Mac or PC
  • Kame: This is the code base that Netopia built its implementation on
  • NetCelo: An implementation that is based on FreeBSD and FreeS/WAN code.
  • Trilogy: A developer's toolkit.
  • Ashley-Laurent: Mac & PC clients.
  • Avaya (formerly VPNet): A secure gateway.
  • Trustworks: A client application.
  • Cosine: VPN concentrator.

If you encounter compatibility problems with any of the above products on current firmware releases, please contact Netopia Tech Support.

For other related information, please check our Notice on Configuring VPN Tunnels with Netopia Routers

This document will be updated regularly as Netopia adds new IPsec capabilities, so you may wish to bookmark this technote and check it periodically.


© 2009 Netopia, Inc., a Motorola Company. All rights reserved.