
IPSec with IKE (Internet Key Exchange)

NQG_055

This Technote is based on two Netopia Internet Gateway routers connected to the Internet with NAT (Network Address Translation) enabled on their connection profiles; NAT does not have to be enabled on your internet connection profile for this to work. On one side is an ENT (or 4000 or R-Series) router, and on the other side a Netopia 3300/3500 Series Internet Gateway. While this document does not cover every configuration option, the same settings apply when a Netopia connects to most other IPSec security gateway products; refer to the documentation for those products for their configuration.
Netopia technical support does not provide troubleshooting or configuration support on third party vendor products.

This document assumes that your 3300/3500 Series Netopia has the SafeHarbor VPN IPSec Tunnel option installed on the router. The option is a separately purchased feature upgrade.
Please Note: Feature upgrades are non-refundable.

Note: IPSec tunneling supports IP routing only. IPX, AppleTalk or any protocol other than IP will not be routed across an IPSec tunnel.

Firmware References:
  • v6.3.0 R7 (and up) - 3500 Series
  • v7.2.0 R1 (and up) - 3300 Residential Series
  • v8.2 R1 (and up) - 3300 Enterprise Series
  • v5.3.7 (and up) - 4000 Series
  • v4.8.2 (and up) - R-Series

Before You Start

Read the Notice on Configuring VPN Tunnels with Netopia Routers before you begin.

On the Netopia Enterprise, 4000 Series and R-Series:

Telnet into the Netopia router's Main Menu at 192.168.1.1 (the default IP setting). If your network uses a different IP addressing scheme, adjust accordingly. Separate instructions cover telnet and HyperTerminal (serial console) access.

Login with the user name and password. The Superuser login is required to save changes. If you are unsure of this, contact your network administrator.

Press the Enter key to save each entry. Pressing Backspace, Delete or Tab before pressing Enter discards the entry.

The Esc key will take you back towards the main menu screen.

Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.

On the Netopia 3300 Series and 3500 Series:

Browse into the Netopia router's web interface at http://192.168.1.254 (if using the default IP setting). If your network has a different IP addressing scheme, modify this accordingly.

Login with the admin user name and password. Admin login is required to save changes. If you are unsure of this, contact your network administrator.

Click the Submit button to save each entry. Using the browser's Back button without clicking Submit discards the entry.

Once you have completed your configuration, click the Save symbol in the upper right-hand corner to validate the changes, then click Save and Restart.

[Figure: The Netopia Main Menu Interface (Telnet or Console)]

[Figure: The Netopia Main Menu Interface (Web GUI)]

Network Example

PLEASE NOTE: The IP addressing used in this technote is for illustrative purposes only. The addresses in the configuration examples are non-routable (private) addresses and will not work for VPN connectivity across the Internet; your ISP will provide you with routable addresses for your internet connection. Substitute your own IP information when configuring your routers. In every case, the two routers must be configured with different Ethernet IP subnets, as the example configuration illustrates.

                        Local Router Network        Remote Router Network
                        (ENT/4000/R-Series)         (3300/3500 Series)
WAN IP Address          172.20.10.216               172.20.30.216
WAN Subnet Mask         255.255.255.0               255.255.255.0
Ethernet IP Address     192.168.2.1                 192.168.1.254
Ethernet Subnet Mask    255.255.255.0               255.255.255.0

Note that this makes the Network Address of the Netopia's (Local) Ethernet interface 192.168.2.0 and the Network Address of the LAN interface of 3300/3500 Series (Remote) 192.168.1.0. These addresses will be used throughout the creation of the tunnel.

ENT, 4000 and R-Series Configuration (Telnet Interface)

In this Netopia, all connections are managed in a connection profile that contains all the pertinent information and options for that connection. To change an existing IPSec profile, go to WAN Configuration -> Change Connection Profile, and select the appropriate profile.

To change an IKE profile that has already been created, go to WAN Configuration -> IPSec configuration.

Do not change settings that are not referenced in this configuration guide. Unlike other connection types, there is no need to establish an IPSec connection manually; once the profile is configured, the tunnel is automatically and transparently active. However, depending on hardware configuration, encryption options and so on, it can take up to two minutes for the tunnel to complete authentication and begin relaying traffic; bear this in mind when testing connectivity with ping and other diagnostic tools. This configuration assumes that both sides of the VPN have static, valid Internet IP addresses on their WAN interfaces, and that NAT is not applied to the traffic inside the VPN tunnel, though it may be used on the Internet connection.

  1. From the Main Menu, go to Quick Menus, Add Connection Profile.
  2. Supply a descriptive Profile Name and set the Encapsulation Type to IPSec.
  3. Select Encapsulation Options.
    1. Set Key Management to IKE.
    2. Select IKE Phase 1 Profile, ADD PH1 PROFILE.
    3. Supply a descriptive name for the IKE profile.
    4. Leave Mode at Main Mode.
    5. Leave Authentication Method at Shared Secret.
    6. Set the Shared Secret to an agreed-upon password; this can be any alphanumeric string (testing123 in this example). Both routers must use exactly the same secret. Use a long, random secret on a production tunnel: with the Shared Secret authentication method, the tunnel is only as strong as this string.
    7. Select either DES or 3DES for the Encryption Algorithm.
      Note: the optional VPN accelerator card is strongly recommended
      if you intend to use 3DES. DES uses a 56-bit key and is the
      weaker choice; use it only when the peer cannot do 3DES.
    8. Select MD5 for the Hash Algorithm.
    9. Diffie-Hellman Group defaults to Group 2; this may need to be changed to interoperate with other vendors' equipment, and it must match the group configured on the peer.
    10. Leave the Advanced IKE Phase 1 Options alone.
    11. Select ADD IKE PHASE 1 PROFILE.



  4. In the IPSec Tunnel Options screen:

    1. Make Sure that IKE Phase 1 Profile lists the IKE profile you just created.
      (Phase-1-IKE in our example).
    2. Leave Encapsulation set to ESP.
    3. Set ESP Encryption Transform to DES (DES is used here to match the 3300/3500 side of this example; choose 3DES if both peers support it, and note that the optional VPN Accelerator card is strongly recommended for 3DES). Null offers no confidentiality and is not recommended.
    4. Set ESP Authentication Transform to HMAC-MD5-96.
    5. If you have the VPN accelerator card, you will have an option for Compression Type; if your remote system supports LZS compression, you can specify LZS compression here. Otherwise, set compression to None.
    6. Leave the Advanced IKE Options alone.
    7. ENTER on COMMIT.



  5. Arrow down to IP Profile Parameters and hit ENTER.
    1. Set Remote Tunnel Endpoint to the WAN Interface address of the remote system. (This is 172.20.30.216 in our example).
    2. Leave Remote Member Format at Subnet.
    3. Set Remote Member Address to the LAN interface network address of the remote system. (192.168.1.0 in the example).
    4. Set Remote Member Mask to the subnet mask used on the LAN interface of the remote 3300/3500 Series (Cayman) router. (255.255.255.0 in the example).
    5. Leave Local Member Format as Subnet.
    6. Set Local Member Address to the network address associated with the Ethernet IP of the Netopia. (192.168.2.0 in the example).
    7. Set the Local Member Mask to the Ethernet IP Subnet Mask of the Netopia. (255.255.255.0 in the example).
    8. Leave Address Translation Enabled set to No.
    9. Leave Filter Set set to None, and leave the Advanced IP Profile Options alone.
    10. Arrow down to COMMIT and hit ENTER.



  6. Now, on the Add Connection Profile screen, arrow down to COMMIT and hit ENTER.

  7. Restart the Netopia after completing the configuration.

This completes the configuration of the Netopia side of the IPSec tunnel.

3300/3500 Series Web Interface

  1. Browse with a web browser into the router at http://192.168.1.254.
  2. At the Main screen click on the Security option.
  3. Then click on the IPSec option.
  4. Use the default values on the following screen unless instructed to make changes.
  5. Check the Enable SafeHarbour IPSec box so that it shows a check mark, then click Submit.
  6. You will now see a box titled SafeHarbour IPSec Tunnel Entry.
  7. Type in a name; for this example we will use IPSec to Netopia.

  8. Enter the WAN IP address of the opposite router, 172.20.10.216, in the Local Wan IP Address field.
  9. Encryption Protocol is ESP.
  10. Authentication Protocol is ESP.
  11. Key Management is IKE.
  12. Click Add. You will now be at a screen which reads Tunnel Details.
    1. Enter the Peer Internal Network as 192.168.2.0.
    2. Enter the Peer Internal Netmask as 255.255.255.0.
    3. Negotiation Method is Main.
    4. Pre-Shared Key Type ASCII.
    5. Type in the Pre-Shared Key that matches the Pre-Shared Key in the Netopia. (This is testing123 in our example).
    6. DH Group 2.
    7. PFS DH Group 2.
    8. SA Encrypt Type DES.
    9. SA Hash Type MD-5.
    10. Leave all other fields as default.
    11. Click on Update.
  13. Now click on the Save in the upper right hand corner.
  14. Click Save and Restart. This will restart the gateway with the new IPSec configuration.
  15. You can now initiate traffic from a host behind either router to the LAN side of the opposite router: for example, ping 192.168.1.254 from a workstation behind the ENT, or telnet from a workstation behind the 3300/3500 to the Ethernet interface of the ENT at 192.168.2.1.
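Because the two procedures above are configured on different user interfaces, the most common cause of a tunnel that never authenticates is a parameter that does not mirror the other side. The script below is an added example, not Netopia firmware or Netopia-supplied code: it models both routers' settings as plain dictionaries (the keys wan_ip, lan_net, remote_member and so on are this example's own names for the menu fields, and check() is this example's own API), using the values from the Network Example table and the two procedures, and verifies that each side's remote member and tunnel endpoint are the other side's LAN and WAN address, that the LAN subnets do not overlap, and that the Phase 1 and Phase 2 parameters match. It also flags the illustrative non-routable WAN addresses and the weak DES/MD5/short-secret choices used in this example, since those work but are not what a production tunnel should use.

```python
"""Pre-flight consistency check for the site-to-site tunnel described above.

Added example, not Netopia firmware or Netopia-supplied code. The two sides
are modelled as plain dictionaries whose keys (wan_ip, lan_net, psk, ...) are
this example's own names for the menu fields in the procedures above; the
values are the ones used in the technote. check() is also this example's API.
"""
import ipaddress

# Constructed from the Network Example table and the two procedures above.
LOCAL = {  # ENT / 4000 / R-Series side (telnet interface)
    "name": "ENT",
    "wan_ip": "172.20.10.216",
    "lan_net": "192.168.2.0/24",
    "remote_endpoint": "172.20.30.216",   # Remote Tunnel Endpoint
    "remote_member": "192.168.1.0/24",    # Remote Member Address / Mask
    "psk": "testing123",
    "ike_mode": "main",
    "ike_enc": "DES",
    "ike_hash": "MD5",
    "dh_group": 2,
    "esp_enc": "DES",
    "esp_auth": "HMAC-MD5-96",
}
REMOTE = {  # 3300/3500 Series side (web interface)
    "name": "3300",
    "wan_ip": "172.20.30.216",
    "lan_net": "192.168.1.0/24",
    "remote_endpoint": "172.20.10.216",   # WAN address of the opposite router
    "remote_member": "192.168.2.0/24",    # Peer Internal Network / Netmask
    "psk": "testing123",
    "ike_mode": "main",
    "ike_enc": "DES",
    "ike_hash": "MD5",
    "dh_group": 2,
    "esp_enc": "DES",
    "esp_auth": "HMAC-MD5-96",
}

# Parameters that must be identical on both peers or Phase 1 / Phase 2 fails.
MUST_MATCH = ("ike_mode", "ike_enc", "ike_hash", "dh_group", "esp_enc", "esp_auth")
WEAK_ENC = {"DES", "NULL"}    # 56-bit key, or no confidentiality at all
MIN_PSK_LEN = 20              # assumption for this example, not a Netopia limit


def check(a, b):
    """Return (errors, warnings). Errors will stop the tunnel from coming up;
    warnings are settings that work but are weak or illustrative only."""
    errors, warnings = [], []
    a_lan = ipaddress.ip_network(a["lan_net"])
    b_lan = ipaddress.ip_network(b["lan_net"])

    # Both LANs must be distinct, non-overlapping subnets, or the routers
    # cannot tell local traffic from traffic that belongs in the tunnel.
    if a_lan.overlaps(b_lan):
        errors.append(f"LAN subnets overlap: {a_lan} and {b_lan}")

    for x, y in ((a, b), (b, a)):
        # Each side's remote member must be exactly the other side's LAN.
        if ipaddress.ip_network(x["remote_member"]) != ipaddress.ip_network(y["lan_net"]):
            errors.append(f"{x['name']}: remote member {x['remote_member']} "
                          f"is not {y['name']}'s LAN {y['lan_net']}")
        # Each side's tunnel endpoint must be the other side's WAN address.
        if ipaddress.ip_address(x["remote_endpoint"]) != ipaddress.ip_address(y["wan_ip"]):
            errors.append(f"{x['name']}: remote endpoint {x['remote_endpoint']} "
                          f"is not {y['name']}'s WAN address {y['wan_ip']}")
        # The technote's WAN addresses are RFC 1918; a real tunnel needs routable ones.
        if ipaddress.ip_address(x["wan_ip"]).is_private:
            warnings.append(f"{x['name']}: WAN address {x['wan_ip']} is non-routable")

    for key in MUST_MATCH:
        if a[key] != b[key]:
            errors.append(f"{key} mismatch: {a[key]!r} on {a['name']}, {b[key]!r} on {b['name']}")
    # Never echo the secret itself into a log; only report that it differs.
    if a["psk"] != b["psk"]:
        errors.append("pre-shared key differs between the two sides")
    elif len(a["psk"]) < MIN_PSK_LEN:
        warnings.append("pre-shared key is short; use a long random string in production")

    if a["ike_enc"] in WEAK_ENC or a["esp_enc"] in WEAK_ENC:
        warnings.append("DES/NULL encryption selected; prefer 3DES where both peers support it")
    if "MD5" in a["ike_hash"] or "MD5" in a["esp_auth"]:
        warnings.append("MD5-based integrity selected; prefer a stronger hash where available")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check(LOCAL, REMOTE)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
    print("tunnel parameters are consistent" if not errs else "fix the errors before rebooting")
```

Run it before you Save and Restart either router: with the technote's values it reports no errors and only the expected warnings (non-routable WAN addresses, DES, MD5, short secret). Changing one side's LAN to the other's subnet, or its DH group, produces an error line naming the side, which is quicker to read than waiting two minutes for a tunnel that will never authenticate.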

Conclusion

At this point you are ready to test the configuration. Bear in mind that the tunnel can take up to 120 seconds to authenticate, so if you are testing with ping, send at least 120 packets (for example, ping -c 120 on Unix or ping -n 120 on Windows) rather than concluding from the first few timeouts that the tunnel has failed.


© 2008 Netopia, Inc., a Motorola Company. All rights reserved.