Netopia VPN IPSec with IKE with the Linksys Router

NQG_056

This Quick Guide covers the configuration of an IPSec profile using the Internet Key Exchange (IKE) protocol for a Netopia Internet Gateway connecting to a Linksys router. On one side is an ENT (or 4000 or R-Series) router, and the other side is a Linksys Router running Firmware 1.40.4 and later.
Netopia technical support does not provide troubleshooting or configuration support on third party vendor products.

Please Note: If your router is currently running Netopia Residential Firmware with a web "GUI" configuration menu, this technote is not applicable to you. Most 3300 Series Netopia Gateways can be upgraded to Enterprise level firmware. Click Here! to purchase the upgrade key.

Note: IPSec tunneling supports IP routing only. IPX, AppleTalk or any protocol other than IP will not be routed across an IPSec tunnel.

Firmware References:
  • v8.2 R1 (and up) - 3300 Enterprise Series
  • v5.3.7   (and up) - 4000 Series 
  • v4.8.2   (and up) - R-Series
  • v1.40.4 (and up) - Linksys Router

Before You Start

PLEASE READ our Notice on Configuring VPN Tunnels with Netopia Routers.

On the Netopia Enterprise, 4000 Series and R-Series:

Telnet into the Netopia router's Main Menu at 192.168.1.1 (if using the default IP setting).
If your network has a different IP addressing scheme, modify this accordingly.
Click Here! for instructions on using telnet and Hyperterminal (serial connection).

Login with the user name and password. The Superuser login is required to save changes.
If you are unsure of this, contact your network administrator.

Don't forget to press the Enter key to save any entries. Hitting the back space, delete or tab without first hitting enter will undo any changes.

The Esc key will take you back towards the main menu screen.

Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.


The Netopia Main Menu Interface (Telnet or Console)

Network Example

PLEASE NOTE: The IP addressing used in this technote is for illustrative purposes only. The IPs given in the configuration examples are non-routable and are not supported for VPN connectivity and routing. They are used here as examples, and your ISP will provide you with routable IPs for your Internet connectivity. Please substitute your own IP information when configuring your routers. In any case, both routers must be configured for different Ethernet IP subnets, as the example configuration illustrates.

Netopia Router Network
  • WAN IP Address: 110.10.10.1
  • WAN Subnet Mask: 255.255.255.0
  • Ethernet IP Address: 192.168.2.1
  • Ethernet Subnet Mask: 255.255.255.0

Linksys Router Network
  • WAN IP Address: 172.16.0.50
  • WAN Subnet Mask: 255.255.255.0
  • Ethernet IP Address: 192.168.1.1
  • Ethernet Subnet Mask: 255.255.255.0

Note that this makes the Network Address of the Netopia's Ethernet interface 192.168.2.0 and the Network Address of the LAN interface of Linksys 192.168.1.0. These addresses will be used throughout the creation of the tunnel.

Netopia Configuration

In this Netopia, all connections are managed in a connection profile that contains all the pertinent information and options for that connection. To change an existing IPSec profile, go to
WAN Configuration -> Change Connection Profile, and select the appropriate profile.
To change an IKE profile that has already been created, go to
WAN Configuration -> IPSec configuration.
Do not make changes to settings unless referenced in this configuration guide. Unlike other connection types, there is no need to establish an IPSec connection; once the profile is configured, the tunnel is automatically and transparently active. However, depending on hardware configuration, encryption options, etc., it can take up to two minutes for the tunnel to complete authentication and begin relaying traffic. Please bear this in mind when testing the tunnel connectivity with ping and other diagnostic tools. This configuration assumes that both sides of the VPN have static, valid Internet IP addresses on their WAN interfaces, and that NAT is not used in the VPN tunnel itself, though it may be used on the Internet connection.

  1. From the Main Menu, go to Quick Menus, Add Connection Profile.
  2. Supply a descriptive Profile Name and set the Encapsulation Type to IPSec.
  3. Select Encapsulation Options.
    1. Set Key Management to IKE.
    2. Select IKE Phase 1 Profile, ADD PH1 PROFILE.
    3. Supply a descriptive name for the IKE profile.
    4. Leave Mode at Main Mode.
    5. Leave Authentication Method at Shared Secret.
    6. Set the Shared Secret to an agreed upon password - this can be any alphanumeric string; test for example.
    7. Select either DES or 3DES for the Encryption Algorithm.
      Note: it is strongly recommended that you have the optional VPN accelerator card if you intend to use 3DES or have a 4000 series XL model router (4652-XL for example).
    8. Select MD5 for the Hash Algorithm.
    9. Diffie-Hellman Group defaults to Group 2; this may need to be changed to interoperate with other vendors' equipment. (Note: the Linksys is Group 1 by default, so the Linksys will be changed to Group 2 (1024-bit) to match the Netopia.)
    10. Leave the Advanced IKE Phase 1 Options alone.
    11. Select ADD IKE PHASE 1 PROFILE.

  4. In the IPSec Tunnel Options screen:

    1. Make sure that IKE Phase 1 Profile lists the IKE profile you just created.
      (IKE-2-Linksys in our example).
    2. Leave Encapsulation set to ESP.
    3. Set ESP Encryption Transform to DES. Note that it is strongly recommended that you have installed the optional VPN Accelerator card if you intend to use 3DES (or as stated above use a 4000 series XL model router). Null is not recommended; it offers no data security.
    4. Set ESP Authentication Transform to HMAC-MD5-96.
    5. If you have the VPN accelerator card, you will have an option for Compression Type; if your remote system supports LZS compression, you can specify LZS compression here. Otherwise, set compression to None.
    6. Go to Advanced IKE Options.
    7. Tab Perfect Forward Secrecy (PFS) to NO and hit Enter. Hit ESC.
    8. ENTER on COMMIT.

  5. Arrow down to IP Profile Parameters and hit ENTER.

    1. Set Remote Tunnel Endpoint to the WAN Interface address of the Linksys router.
      (This is 172.16.0.50 in our example).
    2. Leave Remote Member Format at Subnet.
    3. Set Remote Member Address to the LAN interface network address of the remote system.
      (192.168.1.0 in the example).
    4. Set Remote Member Mask to the subnet mask used on the LAN interface of the Linksys router.
      (255.255.255.0 in the example).
    5. Leave Local Member Format as Subnet.
    6. Set Local Member Address to the network address associated with the Ethernet IP of the Netopia.
      (192.168.2.0 in the example).
    7. Set the Local Member Mask to the Ethernet IP Subnet Mask of the Netopia.
      (255.255.255.0 in the example).
    8. Leave Address Translation Enabled set to No.
    9. Leave Filter Set set to None, and leave the Advanced IP Profile Options alone.
    10. Arrow down to COMMIT and hit ENTER.
  6. Now, on the Add Connection Profile screen, arrow down to COMMIT and hit ENTER.
  7. Restart the Netopia after completing the configuration.

This completes the configuration of the Netopia side of the IPSec tunnel.

Linksys Configuration

  1. Browse (with Internet Explorer, or Netscape) into the Linksys at 192.168.1.1.
  2. At the Main screen click on WAN Connection Type and choose Static IP.

  3. In the Specify WAN IP Address section, the WAN IP Address is 172.16.0.50 and the Subnet Mask is 255.255.255.0 for this technote. The Default Gateway is 172.16.0.1. Please note that these values are for this guide only. Your IP address will be whatever you are using as a public IP address on your network; the IP addresses used in this tech guide are for the lab test only. DNS is not used in this technote, but in a real-world setting you would enter the DNS of your ISP in this field.
  4. At the top of the Linksys web interface you will click on VPN. This brings up the VPN Configuration screen.
  5. Next to This Tunnel click the enable field.
  6. Under Tunnel Name enter a descriptive name for the VPN tunnel. For this guide the tunnel is called Linksys to Ntpa.
  7. Next to Local Secure Group leave the option as Subnet. Enter the Network IP address of the local Ethernet subnet of the Linksys, 192.168.1.0 with a subnet of 255.255.255.0 (for this example).
  8. Next to Remote Secure Group leave the option as Subnet and enter the Network IP address of the LAN side of the Netopia. For this technote the Netopia Ethernet subnet is 192.168.2.0 with a subnet mask of 255.255.255.0.
  9. Next to Remote Security Gateway leave the option set to IP Addr. Enter the local WAN address of the Netopia router. For this technote the Netopia WAN is 10.10.10.1.
  10. Encryption will remain DES.
  11. Authentication will remain MD5.
  12. Key Management is Auto (IKE).
  13. PFS will remain UNCHECKED.
  14. Next to Pre-shared Key enter the word test.
  15. Make the Key Lifetime 28800.
  16. Click on the button.
  17. You should now be in the Advanced Settings for Selected IPSec Tunnel screen.
  18. Under Phase 1 Operation Mode choose Main Mode.
  19. Under Phase 1 Proposal 1 make or leave the Encryption DES.
  20. Under Phase 1 Proposal 1 make or leave the Authentication MD5.
  21. Under Phase 1 Proposal 1 make the Group 1024-bit. (This is the Diffie-Hellman Group.)
  22. Under Phase 1 Proposal 1 make the Key Lifetime 28800 seconds. (This matches the Netopia default Phase 1 SA lifetime)
  23. Under Phase 2 Proposal make the Group 1024-bit.
  24. Under Phase 2 Proposal make the Key Lifetime 28800 seconds.
  25. Check the Keep Alive box.
  26. Click on Apply to save your changes.
  27. You should be told that your Settings are Successful and be able to click Continue.
  28. You should now be able to close the browser window for the Advanced features and you should be able to browse back to the VPN configuration screen.
  29. The Linksys supports a View Log feature on the VPN configuration screen at the bottom that you can click on to see the Status of the Tunnel as it connects.
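
Both ends must agree on the IKE and ESP settings and carry mirrored member subnets before the tunnel will come up. The sketch below is an added example, not Netopia or Linksys code: it records the values from the steps above in dictionaries (the key names and the tunnel_mismatches function are this example's own) and lists what would fail to match, including a constructed case where the Linksys is left at its default Group 1 (768-bit).

```python
import ipaddress

# Netopia names the Diffie-Hellman group by number, the Linksys by modulus size.
DH_GROUP_BY_BITS = {768: 1, 1024: 2}

def net(addr, mask):
    """Build a network object from the address/mask pairs the menus ask for."""
    return ipaddress.ip_network(f"{addr}/{mask}")

# Values transcribed from the steps in this guide; key names are this example's own.
NETOPIA = {
    "mode": "main", "p1_enc": "des", "p1_hash": "md5", "dh_group": 2,
    "esp_enc": "des", "esp_auth": "md5",  # Netopia menu label: HMAC-MD5-96
    "pfs": False, "psk": "test",
    "local": net("192.168.2.0", "255.255.255.0"),
    "remote": net("192.168.1.0", "255.255.255.0"),
}
LINKSYS = {
    "mode": "main", "p1_enc": "des", "p1_hash": "md5",
    "dh_group": DH_GROUP_BY_BITS[1024],
    "esp_enc": "des", "esp_auth": "md5",
    "pfs": False, "psk": "test",
    "local": net("192.168.1.0", "255.255.255.0"),
    "remote": net("192.168.2.0", "255.255.255.0"),
}

MUST_MATCH = ("mode", "p1_enc", "p1_hash", "dh_group", "esp_enc", "esp_auth", "pfs")

def tunnel_mismatches(a, b):
    """Return the reasons the two ends would fail to agree (empty list if none)."""
    problems = [f"{k}: {a[k]!r} != {b[k]!r}" for k in MUST_MATCH if a[k] != b[k]]
    if a["psk"] != b["psk"]:
        problems.append("psk: shared secrets differ")  # never echo the secret itself
    # Each side's local member must be exactly the other side's remote member.
    for x, y, who in ((a, b, "first"), (b, a, "second")):
        if x["local"] != y["remote"]:
            problems.append(f"{who} side local {x['local']} is not the peer's remote {y['remote']}")
    # The guide requires the two Ethernet LANs to be different subnets.
    if a["local"].overlaps(b["local"]):
        problems.append(f"LAN subnets overlap: {a['local']} and {b['local']}")
    return problems

if __name__ == "__main__":
    print(tunnel_mismatches(NETOPIA, LINKSYS))  # settings as given in the guide
    # Constructed failure case: Linksys left at its default Group 1 (768-bit).
    print(tunnel_mismatches(NETOPIA, dict(LINKSYS, dh_group=DH_GROUP_BY_BITS[768])))
```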

Conclusion

At this point, you are ready to test the configuration. Bear in mind that the tunnel can take upwards of 120 seconds to authenticate, so if you are testing using ping, send at least 120 packets.

Now you should be able to initiate traffic to the LAN (192.168.2.x) subnet on the Netopia. Do a ping from a workstation behind the Linksys router to the Ethernet interface of the Netopia (192.168.2.1 in this example). If you use the VPN log in the Linksys you should see the IPSec exchanges taking place. The diagram above shows a successful View Log in the Linksys router.

You can also view the successful IPSec negotiation in the Netopia WAN Event History log.
From the Main Menu, go to:

Utilities & Diagnostics...
---> WAN Event History...
...and view the following log.


© 2009 Netopia, Inc., a Motorola Company. All rights reserved.