Netopia Technical Support provides this document to you as an added service. The configurations described below have proven successful in many instances and have been tested in the Netopia labs. However, Netopia support cannot be responsible for issues with the installation and configuration of non-Netopia products. If the following suggestions do not provide the results you desire, please contact SafeNet, Inc. directly for technical support.
Please Note: If your router is currently running Netopia Residential Firmware with a web "GUI" configuration menu, this technote is not applicable to you. Most 3300 Series Netopia Gateways can be upgraded to Enterprise level firmware. Click Here! to purchase the upgrade key.
Firmware References:
- v8.2 R1 (and up) - 3300 Enterprise Series
- v5.3.7 (and up) - 4000 Series
- v4.8.2 (and up) - R-Series
Telnet into the Netopia router's Main Menu at 192.168.1.1 (if using the default IP setting). If your network has a different IP addressing scheme, modify this accordingly. Click Here! for instructions on using telnet and Hyperterminal (serial connection).
Login with the user name and password. The Superuser login is required to save changes. If you are unsure of this, contact your network administrator.
Don't forget to press the Enter key to save any entries. Pressing Backspace, Delete or Tab without first pressing Enter will undo any changes.
The Esc key will take you back towards the main menu screen.
Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.

The Netopia Main Menu Interface
PLEASE NOTE: The IP addresses used in the following scenarios are examples only.
Substitute the appropriate values of your network and internet addresses.
| Local WAN IP Address: | 172.20.0.1 |
| Default IP Gateway: | 172.20.0.254 |
| Ethernet IP Address: | 192.168.1.1 |
| Ethernet IP Subnet Mask: | 255.255.255.0 |
- From the Main Menu, go to Quick Menus.
- Select Add Connection Profile.
- Give the IPSec Profile a descriptive name such as "SafeNet Client".
- Set the Encapsulation Type to IPSec.
- Go to Encapsulation Options.
- Set Key Management to IKE.
- Select IKE Phase 1 Profile, ADD PH1 PROFILE.
- Supply a descriptive name for the IKE profile.
- Set Mode to Aggressive Mode.
- Leave Local Identity Type at IPv4 Address.
- Set the Local Identity Value to the WAN IP of the Netopia.
- Set the Remote Identity Type to Email Address.
- Enter an Email Address as the Remote Identity Value.
- Leave Authentication Method at Shared Secret.
- Set the Shared Secret to an agreed upon password - this can be any alphanumeric string, '12345678' for example. (Note: The SafeNet client requires at least eight characters).
- Select either des or 3des for the Encryption Algorithm. Note: it is strongly recommended that you have the optional VPN accelerator card if you intend to use 3des. We will choose des for this technote example.
- Select either md5 or sha1 for the Hash Algorithm.
- Diffie-Hellman Group defaults to Group 2; to interoperate with other vendors' equipment, you may sometimes need to specify Group 1.
- Leave the Advanced IKE Phase 1 Options alone.
- Select ADD IKE PHASE 1 PROFILE. Hit ENTER.

- Make sure that IKE Phase 1 Profile... lists the IKE profile you just created.
- Leave Encapsulation set to ESP.
- Set ESP Encryption Transform to either DES or 3DES. Note that it is strongly recommended that you have installed the optional VPN Accelerator card if you intend to use 3DES. Null is not recommended; it offers no data security.
- Set ESP Authentication Transform to either HMAC-MD5-96 or HMAC-SHA1-96.
- If you have the VPN accelerator card, you will have an option for Compression Type; if your remote system supports LZS compression, you can specify LZS compression here. Otherwise, set compression to None.
- Leave the Advanced IKE Options alone.
- Arrow down and hit ENTER on COMMIT.
- Arrow down to IP Profile Parameters and hit ENTER.
- Set Remote Tunnel Endpoint to the WAN Interface address of the remote system if known. For this technote we will assume this is a commuter profile so we make the Remote Tunnel Endpoint 0.0.0.0.
- Leave Remote Member Format at Subnet. You can use Host instead; both will work properly for our example.
- Set Remote Member Address to the LAN interface network address of the remote system. For the SafeNet client this will be what is defined in the Virtual Adapter Settings (1.1.1.1 in the example).
- Set Remote Member Mask to the subnet mask used on the LAN interface of the remote system (255.255.255.255 in the example since this is a single address).
- Leave Local Member Format as Subnet.
- Set Local Member Address to the network address associated with the Ethernet IP of the Netopia (192.168.1.0 in the example).
- Set the Local Member Mask to the Ethernet IP Subnet Mask of the Netopia (255.255.255.0 in the example).
- Leave Address Translation Enabled set to No.
- Leave Filter Set set to None, and leave the Advanced IP Profile Options alone.
- Arrow down to COMMIT and hit ENTER.
- In the Add Connection Profile screen, arrow down to COMMIT and hit ENTER.
- Restart the Netopia after completing the configuration.
This completes the Netopia portion of the configuration.
- Open the SafeNet Client's Security Policy Editor for SafeNet SoftRemote.
- Create a new connection by going to Edit, Add, then Connection and give it a descriptive name. For this example we will use "To Netopia Router".
- Connection Security = Secure.
- In the Remote Party Identity and Addressing section, ID Type = IP Subnet; Subnet = 192.168.1.0; Mask = 255.255.255.0 (in the example this is the Ethernet IP Address and Ethernet IP Subnet Mask of the Netopia. Supply your own router's IP addresses here if different); Protocol = All.
- Check Connect Using Secure Gateway Tunnel and set the IP Address to the Local WAN Address of the Netopia (172.20.0.1 in the example.)

- Click on the My Identity section under "To Netopia Router".
- Select Certificate = None; ID Type = E-mail Address and enter an E-mail address in the space below to match the value entered in the Netopia.
- Click on Pre-Shared Key, and then Enter Key. Set this to the Shared Secret agreed upon in the Netopia configuration. This can be any alphanumeric string; '12345678' for example. (Note: The SafeNet client requires at least eight characters).
- Now go to the top tool bar and choose Options, then Global Policy Settings.
- Check Allow to Specify Internal Network Address, then hit OK.
- Set Virtual Adapter to Required.
- After completing step 4, step 5 and step 6, you should now see a Virtual Adapter IP Address.
- Set an Internal Network IP Address. Set this to 1.1.1.1 which matches the Remote Members field you set in the Netopia.
- Internet Interface = PPP Adapter if this is a Dial-Up connection, otherwise use your Ethernet Adapter (3Com EtherLink XL 10/100 in this example).

- Click on Security Policy.
- Under the Security Policy section, select Aggressive Mode.
- Check Enable Perfect Forward Secrecy, then choose Diffie-Hellman Group 2.
- Leave Enable Replay Detection checked.

- Click on Authentication (Phase 1) then Proposal 1.
- For Authentication Method, choose Pre-Shared Key.
- Under Encryption and Data Integrity Algorithms choose the Encrypt Alg as DES.
- Under Encryption and Data Integrity Algorithms choose the Data Alg as MD5.
- Leave SA Life at Unspecified.
- Choose Key Group as Diffie-Hellman Group 2.

- Click on Key Exchange (Phase 2) and choose Proposal 1.
- Leave the SA Life as Unspecified.
- Leave Compression at None.
- Leave Encapsulation Protocol (ESP) checked.
- Leave Encrypt Alg at DES.
- Set Hash Alg to MD5.
- Leave Encapsulation as Tunnel.
- Leave Authentication Protocol (AH) as unchecked.
- When finished, for your settings to take effect in the SafeNet client software, go to File then Save Changes.

At this point, you are ready to test the configuration. Try pinging from the SafeNet client side to the Netopia's Ethernet interface (192.168.1.1 for this example). Bear in mind that the tunnel can take upwards of 120 seconds to authenticate, so if you are testing using ping, send at least 120 packets (at one-second intervals).
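
IKE negotiation only completes when both ends agree on the values entered above, so it is worth comparing the two sides before testing. The following is an added example, not Netopia or SafeNet code: it checks the technote's example settings against each other and flags the weaker algorithm choices. The dict layout, key names and the e-mail identity are assumptions made for the sketch.

```python
import ipaddress

# Example values transcribed from this technote; the dict layout and key names
# are assumptions of this sketch, not an export format of either product.
# The e-mail identity is a constructed placeholder.
NETOPIA = {"mode": "aggressive", "id_type": "email", "id": "user@example.com",
           "psk": "12345678", "p1": ("des", "md5", 2), "p2": ("des", "md5"),
           "wan_ip": "172.20.0.1",
           "local_member": "192.168.1.0/255.255.255.0",
           "remote_member": "1.1.1.1/255.255.255.255"}
SAFENET = {"mode": "aggressive", "id_type": "email", "id": "user@example.com",
           "psk": "12345678", "p1": ("des", "md5", 2), "p2": ("des", "md5"),
           "gateway": "172.20.0.1",
           "remote_subnet": "192.168.1.0/255.255.255.0",
           "internal_ip": "1.1.1.1"}

WEAK = {"des": "56-bit key", "md5": "deprecated hash"}

def audit(router, client):
    """Return (mismatches, warnings) for the two ends of the tunnel."""
    mismatches, warnings = [], []
    # Settings that must be identical on both ends for IKE to complete.
    for key in ("mode", "id_type", "id", "psk", "p1", "p2"):
        if router[key] != client[key]:
            mismatches.append(f"{key}: router={router[key]!r} client={client[key]!r}")
    if router["wan_ip"] != client["gateway"]:
        mismatches.append("client gateway is not the router WAN address")
    # Traffic selectors: each side's "remote" must be the other side's "local".
    try:
        lan = ipaddress.ip_network(router["local_member"])
        member = ipaddress.ip_network(router["remote_member"])
        if lan != ipaddress.ip_network(client["remote_subnet"]):
            mismatches.append("client remote subnet differs from router local member")
        if ipaddress.ip_address(client["internal_ip"]) not in member:
            mismatches.append("client internal address outside router remote member")
    except ValueError as exc:  # e.g. a host address entered where a network is expected
        mismatches.append(f"bad address or mask: {exc}")
    if len(client["psk"]) < 8:
        warnings.append("shared secret is under the SafeNet 8-character minimum")
    for alg in sorted(set(router["p1"][:2] + router["p2"]) & set(WEAK)):
        warnings.append(f"{alg} is weak ({WEAK[alg]})")
    if router["p1"][2] <= 2:
        warnings.append(f"Diffie-Hellman group {router['p1'][2]} is a short MODP group")
    return mismatches, warnings

if __name__ == "__main__":
    for kind, items in zip(("MISMATCH", "WARNING"), audit(NETOPIA, SAFENET)):
        for item in items:
            print(f"{kind}: {item}")
```

With the technote's values the two sides agree, and the warnings point at des, md5 and Diffie-Hellman Group 2; where the hardware allows it, the 3des and sha1 options the menus also offer are the stronger choices.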
