This Quick Guide covers the configuration of an IPSec profile using the Manual Key protocol for a Netopia Internet Gateway. This configuration will also cover a Netopia connecting to most other IPSec security gateway products. While this Quick Guide does not cover all possible configuration options, the configuration detailed should work well in most situations.
Please Note: This document is based on two Netopia Internet Gateway routers with connections to the Internet using NAT (Network Address Translation). This configuration will also cover a Netopia connecting to most other IPSec security gateway products. Please refer to the documentation provided for other products as regards their configuration. Netopia technical support does not provide troubleshooting or configuration support on third party vendor products.
Note: IPSec tunneling supports IP routing only. IPX, AppleTalk or any protocol other than IP will not be routed across an IPSec tunnel.
Please Note: If your router is currently running Netopia Residential Firmware with a web "GUI" configuration menu, this technote is not applicable to you. Most 3300 Series Netopia Gateways can be upgraded to Enterprise level firmware. Click Here! to purchase the upgrade key.
Firmware References:
- v8.2 R1 (and up) - 3300 Enterprise Series
- v5.3.4 (and up) - 4000 Series
- v4.8.2 (and up) - R-Series
Telnet into the Netopia router's Main Menu at 192.168.1.1 (if using the default IP setting). If your network has a different IP addressing scheme, modify this accordingly. Click Here! for instructions on using telnet and Hyperterminal (serial connection).
Login with the user name and password. The Superuser login is required to save changes. If you are unsure of this, contact your network administrator.
Don't forget to press the Enter key to save any entries. Hitting the back space, delete or tab without first hitting enter will undo any changes.
The Esc key will take you back towards the main menu screen.
Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.

The Netopia Main Menu Interface
PLEASE NOTE: The IP Addressing used in this technote is for illustrative purposes only. The IP's given in the configuration examples are non-routable and are not supported for VPN connectivity and routing. They are used here as examples, and your ISP will provide you with routable IP's for your internet connectivity.
Please substitute your own IP information when configuring your routers. In any case, both routers must be configured for different Ethernet IP subnets, as the example configuration illustrates.
| Router A | | Router B | |
|---|---|---|---|
| Ethernet IP Address: | 192.168.2.1 | Ethernet IP Address: | 192.168.1.254 |
| Ethernet Subnet Mask: | 255.255.255.0 | Ethernet Subnet Mask: | 255.255.255.0 |
| Local WAN IP Address: | 172.20.10.216 | Local WAN IP Address: | 172.20.30.216 |
- From the Main Menu of router console screens, go to Quick Menus, and select Add Connection Profile.
- Under Profile Name, type Router B (or a name of your choice).
- In a router running firmware version 4.8.2 up to version 4.10, change Data Link Encapsulation to IPSec and select Data Link Options.
NOTE: A section outlining Manual Key configuration instructions for firmware version 4.10 and higher immediately follows this segment. If your router has 4.10 firmware, please proceed to that segment.
- Verify that Encryption Transform is set to DES.
- For Encryption Key type in a 16-character hexadecimal string, e.g., 1234567890ABCDEF. This string MUST be EXACTLY the same as the key entered in configuration step 5 for Router B below.
- Set Authentication Type to ESP.
- Set Authentication Transform to HMAC-MD5-96.
- For Authentication Key type in a 32-character hexadecimal string, e.g., 1234567890ABCDEF1234567890ABCDEF. This string MUST be EXACTLY the same as the key entered in configuration step 8 for Router B below.
- Hit enter on COMMIT, then select IP Profile Parameters.
- For SPI (Security Parameters Index) type in a value between 1 and 4294967295. This value MUST be EXACTLY the same as the value entered in configuration step 10 for Router B below.
- Remote Tunnel Endpoint Address is the Local WAN Address of the remote router. E.g., when configuring router A as per the example, this value will be 172.20.30.216.
- Remote Members Network is the Ethernet Network Address of the remote router. E.g., when configuring router A as per the example, this value will be 192.168.1.0.
- Remote Members Mask is the Ethernet Subnet Mask of the remote router. E.g., when configuring router A as per the example, this value will be 255.255.255.0.
- Set Address Translation Enabled to No. (Note: Use the tab key to toggle this option between Yes and No. Hit enter to save your changes).
- Do not select a Filter Set. If one is active, hit enter on Remove Filter Set to deactivate it. (Note: You can filter over an IPSec connection, however, none of the pre-set filters are suitable for this purpose. If you wish to filter traffic on your IPSec tunnel, please read technote NIR 052: Netopia Router Firewall Features and Configuration.)
- Leave Advanced IP Profile Options alone, and hit enter on COMMIT.
- You will be moved back one screen in the menu hierarchy. Hit enter on COMMIT to finish adding the profile.
- Restart the Netopia after completing the configuration.

Figure 1: Firmware v4.8.2
This concludes the setup for Router A. Go to Configuration for Router B.
From above, beginning at step #3:
- Change Encapsulation Type to IPSec and then select Encapsulation Options. See Figure 2 below.
- Set Key Management to Manual.
- Set ESP Encryption Transform to DES.
- Set ESP Authentication Transform to HMAC-MD5-96.
- Select IPSec Manual Keys and hit enter.
- Type in the 16 digit Encryption Key. Remember, this will have to match EXACTLY the same value in router B. Hit the enter key.
- Type in the 32 digit MD5 ESP Auth. Key. Again, this will have to match exactly the same value as in router B. Hit the enter key.
- Hit esc once and then select COMMIT and hit enter.
- Select IP Profile Parameters and enter.
- Remote Tunnel Endpoint is the Local WAN Address of the remote router. E.g., when configuring router A as per the example, this value will be 172.20.30.216.
- Remote Member Address is the Ethernet Network Address of the remote router. E.g., when configuring router A as per the example, this value will be 192.168.1.0.
- Remote Members Mask is the Ethernet Subnet Mask of the remote router. E.g., when configuring router A as per the example, this value will be 255.255.255.0.
- Local Member Address is the Ethernet Network Address of the local router. E.g., when configuring router A as per the example, this value will be 192.168.2.0.
- Remote Members Mask is the Ethernet Subnet Mask of the remote router. E.g., when configuring router A as per the example, this value will be 255.255.255.0.
- For SPI (Security Parameters Index) type in a value between 1 and 4294967295. This value MUST be EXACTLY the same as the value entered in configuration step 17 for Router B below.
- Set Address Translation Enabled to No. (Note: Use the tab key to toggle this option between Yes and No. Hit enter to save your changes).
- Do not select a Filter Set. If one is active, hit enter on Remove Filter Set to deactivate it. (Note: You can filter over an IPSec connection, however, none of the pre-set filters are suitable for this purpose. If you wish to filter traffic on your IPSec tunnel, please read technote NIR 052: Netopia Router Firewall Features and Configuration.)
- Leave Advanced IP Profile Options alone. In a router running firmware version 4.10 and higher, your config screen should resemble Figure 3. Hit enter on COMMIT.
- You will be moved back one screen in the menu hierarchy. Leave the Interface Group set to Any Port. Select COMMIT and hit enter.
- You will be moved back one screen in the menu hierarchy. Hit enter on COMMIT to finish adding the profile.
- Restart the Netopia after completing the configuration.

Figure 2: Firmware v4.10 and v5.3.4

Figure 3: Firmware v.4.10
This concludes the setup for Router A for firmware version 4.10 (and higher).
Go to Configuration for Router B.
- From the Main Menu of router console screens, go to Quick Menus, and select Add Connection Profile.
- Under Profile Name, type Router A (or a name of your choice).
- In a router running firmware version 4.8.2 up to version 4.10, change Data Link Encapsulation to IPSec and select Data Link Options.
NOTE: A section outlining Manual Key configuration instructions for firmware version 4.10 and higher immediately follows this segment. If your router has 4.10 firmware, please proceed to that segment.
- Verify that Encryption Transform is set to DES.
- For Encryption Key type in a 16-character hexadecimal string, e.g., 1234567890ABCDEF. This string MUST be EXACTLY the same as the key entered in configuration step 5 for Router A above.
- Set Authentication Type to ESP.
- Set Authentication Transform to HMAC-MD5-96.
- For Authentication Key type in a 32-character hexadecimal string, e.g., 1234567890ABCDEF1234567890ABCDEF. This string MUST be EXACTLY the same as the key entered in configuration step 8 for Router A above.
- Hit enter on COMMIT, then select IP Profile Parameters.
- For SPI (Security Parameters Index) type in a value between 1 and 4294967295. This value MUST be EXACTLY the same as the value entered in configuration step 10 for Router A above.
- Remote Tunnel Endpoint Address is the Local WAN Address of the remote router. E.g., when configuring router B as per the example, this value will be 172.20.10.216.
- Remote Members Network is the Ethernet Network Address of the remote router. E.g., when configuring router B as per the example, this value will be 192.168.2.0.
- Remote Members Mask is the Ethernet Subnet Mask of the remote router. E.g., when configuring router B as per the example, this value will be 255.255.255.0.
- Set Address Translation Enabled to No. (Note: Use the tab key to toggle this option between Yes and No. Hit enter to save your changes).
- Do not select a Filter Set. If one is active, hit enter on Remove Filter Set to deactivate it. (Note: You can filter over an IPSec connection, however, none of the pre-set filters are suitable for this purpose. If you wish to filter traffic on your IPSec tunnel, please read technote NIR 052: Netopia Router Firewall Features and Configuration.)
- Leave Advanced IP Profile Options alone, and hit enter on COMMIT.
- You will be moved back one screen in the menu hierarchy. Hit enter on COMMIT to finish adding the profile.
- Restart the Netopia after completing the configuration.
This concludes the setup for Router B.
See the Conclusion below.
- Change Encapsulation Type to IPSec and then select Encapsulation Options.
- Set Key Management to Manual.
- Set ESP Encryption Transform to DES.
- Set ESP Authentication Transform to HMAC-MD5-96.
- Select IPSec Manual Keys and hit enter.
- Type in the 16 digit Encryption Key. Remember, this will have to match EXACTLY the same value in router A. Hit the enter key.
- Type in the 32 digit MD5 ESP Auth. Key. Again, this will have to match exactly the same value as in router A. Hit the enter key.
- Hit esc once and then select COMMIT and hit enter.
- Select IP Profile Parameters and hit enter.
- Remote Tunnel Endpoint is the Local WAN Address of the remote router. E.g., when configuring router B as per the example, this value will be 172.20.10.216.
- Remote Member Address is the Ethernet Network Address of the remote router. E.g., when configuring router B as per the example, this value will be 192.168.2.0.
- Remote Members Mask is the Ethernet Subnet Mask of the remote router. E.g., when configuring router B as per the example, this value will be 255.255.255.0.
- Local Member Address is the Ethernet IP Address of the local router. E.g., when configuring router B as per the example, this value will be 192.168.1.0.
- Remote Members Mask is the Ethernet Subnet Mask of the remote router. E.g., when configuring router B as per the example, this value will be 255.255.255.0.
- For SPI (Security Parameters Index) type in a value between 1 and 4294967295. This value MUST be EXACTLY the same as the value entered in configuration step 17 for Router A above.
- Set Address Translation Enabled to No. (Note: Use the tab key to toggle this option between Yes and No. Hit enter to save your changes).
- Do not select a Filter Set. If one is active, hit enter on Remove Filter Set to deactivate it. (Note: You can filter over an IPSec connection, however, none of the pre-set filters are suitable for this purpose. If you wish to filter traffic on your IPSec tunnel, please read technote NIR 052: Netopia Router Firewall Features and Configuration.)
- Leave Advanced IP Profile Options alone. In a router running firmware version 4.10 and higher, your config screen should resemble Figure 4. Hit enter on COMMIT.
- You will be moved back one screen in the menu hierarchy. Leave the Interface Group set to Any Port. Select COMMIT and hit enter.
- You will be moved back one screen in the menu hierarchy. Hit enter on COMMIT to finish adding the profile.
- Restart the Netopia after completing the configuration.

Figure 4: Firmware v4.10 and v5.3.4
This concludes the setup for Router B for firmware version 4.10 (and higher) for the R-Series, and version 5.3.4 (and higher) for the 4000-Series.
Once both routers are configured, an IPSec connection can be established to allow IP routing through the tunnel between the two LAN's.
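A manual-key tunnel only comes up when both profiles agree, so it helps to check the planned values before typing them into the menus. The following is an added example, not part of the original technote or Netopia's software: the dictionary field names and the SPI value 1000 are hypothetical, and the addresses are the ones from the example table above.

```python
import ipaddress
import re
import secrets

def new_manual_keys():
    """Random keys of the lengths the guide asks for: 16 and 32 hex characters."""
    return secrets.token_hex(8).upper(), secrets.token_hex(16).upper()

def lan_net(p):
    return ipaddress.ip_network(f"{p['lan_ip']}/{p['lan_mask']}", strict=False)

def check_pair(a, b):
    """Return a list of problems found in two manual-key profiles; empty means consistent."""
    problems = []
    for name, p in (("A", a), ("B", b)):
        if not re.fullmatch(r"[0-9A-Fa-f]{16}", p["enc_key"]):
            problems.append(f"{name}: Encryption Key is not 16 hex characters")
        if not re.fullmatch(r"[0-9A-Fa-f]{32}", p["auth_key"]):
            problems.append(f"{name}: Authentication Key is not 32 hex characters")
        if not 1 <= p["spi"] <= 4294967295:
            problems.append(f"{name}: SPI is outside 1..4294967295")
    for field in ("enc_key", "auth_key", "spi"):  # must be identical on both routers
        if a[field] != b[field]:
            problems.append(f"{field} differs between the routers")
    for name, local, peer in (("A", a, b), ("B", b, a)):  # each side must mirror its peer
        if local["remote_endpoint"] != peer["wan_ip"]:
            problems.append(f"{name}: Remote Tunnel Endpoint is not the peer's WAN address")
        net = lan_net(peer)
        if (local["remote_net"], local["remote_mask"]) != (str(net.network_address), str(net.netmask)):
            problems.append(f"{name}: Remote Members Network/Mask is not the peer's LAN")
    if lan_net(a).overlaps(lan_net(b)):
        problems.append("both routers use the same Ethernet IP subnet")
    return problems

# Constructed sample using the addresses from the guide's example table.
ENC_KEY, AUTH_KEY = new_manual_keys()
SHARED = {"enc_key": ENC_KEY, "auth_key": AUTH_KEY, "spi": 1000,
          "lan_mask": "255.255.255.0", "remote_mask": "255.255.255.0"}
ROUTER_A = dict(SHARED, lan_ip="192.168.2.1", wan_ip="172.20.10.216",
                remote_endpoint="172.20.30.216", remote_net="192.168.1.0")
ROUTER_B = dict(SHARED, lan_ip="192.168.1.254", wan_ip="172.20.30.216",
                remote_endpoint="172.20.10.216", remote_net="192.168.2.0")

if __name__ == "__main__":
    for line in check_pair(ROUTER_A, ROUTER_B) or ["profiles are consistent"]:
        print(line)
```

Generating the keys with `new_manual_keys()` avoids reusing the guide's sample strings as real keys.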
