IPSec with IKE (Internet Key Exchange); Router-to-Router IEQG_053
This technote covers the configuration of an IPSec tunnel profile using the Internet Key Exchange (IKE) protocol for two Netopia 3300 Series routers connecting to each other over the Internet. It details the creation of the phase 1 (IKE) profile and the phase 2 (IPSec) profile in each Netopia router.
PLEASE NOTE: Using the IPSec feature of your Netopia gateway requires the purchase of a feature key to unlock this functionality (see Other Related Documents below).
PLEASE NOTE: If your router is running Netopia Enterprise Firmware version 8.0.10 or later, see NQG_053: IPSec with IKE instead.
Firmware Reference v7.2 (and later) -- Netopia 3300 Series

Before You Start

Notice
Caution: The IPSec Security screen has an option to Enable IPSec Passthrough. Do not enable it. If that box is checked, the router-to-router tunnel described in this technote will not work.

Please Note: The IP addressing used in this technote is for illustrative purposes only. The addresses in the configuration examples are private (RFC 1918) addresses that are not routable on the Internet and are not supported for VPN connectivity and routing. They are used here only as examples; your ISP will provide you with routable addresses for your Internet connectivity.
Substitute your own IP information when configuring your routers. In every case, the two routers must be configured for different Ethernet IP subnets, as the example configuration illustrates; if both LANs use the same subnet, neither router can tell which traffic belongs in the tunnel.

Do not change any settings other than those referenced in this configuration guide. An IPSec tunnel is initiated when a host on the LAN side of one Netopia router tries to send traffic to the LAN behind the other router. Depending on hardware, encryption options and other factors, it can take some time for the tunnel to complete IKE authentication and begin relaying traffic; bear this in mind when testing connectivity with ping and other diagnostic tools. This configuration assumes that both routers have static, valid Internet IP addresses on their WAN interfaces, and that NAT is not applied to traffic inside the VPN tunnel itself, though NAT may be used on the Internet connection.

Network
The following example configuration is based on two Netopia routers with connections to the Internet using NAT (Network Address Translation). It is not necessary to have NAT enabled on your Internet connection profile for this to work. The WAN IP addresses used in the configuration are only an example. While this Quick Guide does not cover every possible configuration option, the configuration detailed here should work well in most situations.

                        Netopia Router A Network    Netopia Router B Network

WAN IP Address:         172.20.10.216               172.20.30.216
WAN Subnet Mask:        255.255.255.0               255.255.255.0
Ethernet IP Address:    192.168.2.254               192.168.1.254
Ethernet Subnet Mask:   255.255.255.0               255.255.255.0

Configuration
Netopia Router A Configuration:

  1. Using a web browser, browse to Netopia router A at 192.168.2.254.
  2. At the Main screen, click the Security option.
  3. Then click the IPSec option.
  4. On the following screen, leave the default values unless instructed to change them.
  5. Check the Enable SafeHarbour IPSec box so that it shows a check mark, then click Submit.

  6. Type in a name; for this example we will use IPSec to Netopia B.

  7. For the Local WAN IP Address, enter the WAN IP address of the remote router, Netopia router B, which is 172.20.30.216. (Despite the field's name, this is the peer's address, not router A's own WAN address.)
  8. Encryption Protocol is ESP.
  9. Authentication Protocol is ESP.
  10. Key Management is IKE.
  11. Click Add. You will now be at a screen which reads Tunnel Details.



    1. Enter the Peer Internal Network as 192.168.1.0.
    2. Enter the Peer Internal Netmask as 255.255.255.0.
    3. Negotiation Method is Main.
    4. Pre-Shared Key Type ASCII.
    5. Type in a Pre-Shared Key value that will be used in both Netopia routers. For this example we will use testing123. For a real deployment use a long, random value; the pre-shared key is the only thing that authenticates the peer in this configuration.
    6. DH Group 2.
    7. PFS DH Group 2 (6.x firmware).
      (7.x firmware will have only an "enable" checkbox here; enable it.)
    8. SA Encrypt Type DES.
    9. SA Hash Type MD-5.
      (DES is a 56-bit cipher and MD-5 is deprecated. These are the values this technote was written against; if the firmware you are running offers 3DES or AES and SHA-1, select them instead, using the same values on both routers.)
    10. Leave all other fields as default.
    11. Hit Update.





  12. Click on the icon in the upper right-hand corner of the page.
  13. Click Save and Restart. This will restart the Netopia with the new IPSec configuration.
Netopia Router B Configuration:

  1. Using a web browser, browse to Netopia router B at 192.168.1.254.
  2. At the Main screen, click the Security option.
  3. Then click the IPSec option.
  4. On the following screen, leave the default values unless instructed to change them.
  5. Check the Enable SafeHarbour IPSec box so that it shows a check mark, then click Submit.

  6. Type in a name; for this example we will use IPSec to Netopia A.

  7. For the Local WAN IP Address, enter the WAN IP address of the remote router, Netopia router A, which is 172.20.10.216.
  8. Encryption Protocol is ESP.
  9. Authentication Protocol is ESP.
  10. Key Management is IKE.
  11. Click Add. You will now be at a screen which reads Tunnel Details.



    1. Enter the Peer Internal Network as 192.168.2.0.
    2. Enter the Peer Internal Netmask as 255.255.255.0.
    3. Negotiation Method is Main.
    4. Pre-Shared Key Type ASCII.
    5. Type in the Pre-Shared Key that matches the Pre-Shared Key entered in the Netopia router A configuration above; in this example it is testing123.
    6. DH Group 2.
    7. PFS DH Group 2 (6.x firmware).
      (Again, 7.x firmware will have only an "enable" checkbox here; enable it.)
    8. SA Encrypt Type DES.
    9. SA Hash Type MD-5. (If you selected stronger algorithms on router A, select exactly the same ones here; phase 1 and phase 2 parameters must match on both routers or negotiation fails.)
    10. Leave all other fields as default.
    11. Hit Update.

  12. Click on the icon in the upper right-hand corner of the page.
  13. Click Save and Restart. This will restart the Netopia with the new IPSec configuration.
  14. You can now initiate traffic from a host behind Netopia B to the LAN side of the opposite router (for example, ping 192.168.2.254 from a workstation on this LAN, or telnet from that workstation to the Ethernet interface of the remote Netopia at 192.168.2.254).
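The address plan in the Network section and the two tunnel definitions above have to be exact mirror images of each other, and a typo in either router is the usual reason a tunnel never comes up. The following is an added example (my own Python, not Netopia code and not part of this technote) that models the values entered on each router and checks them against each other before you Save and Restart: peer WAN addresses and Peer Internal Networks swapped correctly, LAN subnets distinct and non-overlapping, IKE/IPSec parameters and pre-shared key identical, and IPSec Passthrough left off. The RouterTunnel class and function names are my own; the values are the technote's example addresses, which it notes are private and unroutable.

```python
"""Cross-check two Netopia-style IPSec/IKE tunnel profiles before Save and Restart.

Added example, not part of the Netopia technote and not Netopia code: it models
the values the technote has you type into each router and verifies the two
sides mirror each other. Field and function names are my own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RouterTunnel:
    name: str                   # tunnel name typed into the router UI
    wan_ip: str                 # this router's own WAN address
    lan_network: str            # this router's Ethernet subnet, "addr/netmask"
    peer_wan_ip: str            # remote router's WAN address entered in the profile
    peer_internal_network: str  # Peer Internal Network/Netmask from Tunnel Details
    pre_shared_key: str
    negotiation: str = "Main"
    dh_group: int = 2
    pfs: bool = True
    sa_encrypt: str = "DES"
    sa_hash: str = "MD-5"
    ipsec_passthrough: bool = False  # the technote's caution: must stay off


# Phase 1 / phase 2 settings that must be identical on both routers.
SHARED_FIELDS = ("pre_shared_key", "negotiation", "dh_group", "pfs", "sa_encrypt", "sa_hash")


def _net(text: str) -> ipaddress.IPv4Network:
    """Accept either '192.168.1.0/24' or the UI's '192.168.1.0/255.255.255.0' form."""
    return ipaddress.ip_network(text, strict=False)


def check_pair(a: RouterTunnel, b: RouterTunnel) -> List[str]:
    """Return the list of mismatches; an empty list means the profiles mirror each other."""
    problems = []
    a_lan, b_lan = _net(a.lan_network), _net(b.lan_network)

    # Each side's peer fields must point at the OTHER router's WAN address and LAN.
    for me, other, other_lan in ((a, b, b_lan), (b, a, a_lan)):
        if ipaddress.ip_address(me.peer_wan_ip) != ipaddress.ip_address(other.wan_ip):
            problems.append(f"{me.name}: peer WAN {me.peer_wan_ip} is not {other.name}'s WAN {other.wan_ip}")
        if _net(me.peer_internal_network) != other_lan:
            problems.append(f"{me.name}: Peer Internal Network {me.peer_internal_network} "
                            f"is not {other.name}'s LAN {other.lan_network}")
        if me.ipsec_passthrough:
            problems.append(f"{me.name}: IPSec Passthrough is enabled; it must be off")

    # The two Ethernet subnets must differ and must not overlap at all, or the
    # routers cannot decide which traffic belongs in the tunnel.
    if a_lan.overlaps(b_lan):
        problems.append(f"LAN subnets overlap: {a_lan} and {b_lan}")

    for field in SHARED_FIELDS:
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} differs: {a.name}={getattr(a, field)!r}, "
                            f"{b.name}={getattr(b, field)!r}")
    return problems


def advisories(a: RouterTunnel, b: RouterTunnel) -> List[str]:
    """Non-fatal warnings: addresses that will not route, and settings weak by today's standards."""
    warns = []
    for r in (a, b):
        if ipaddress.ip_address(r.wan_ip).is_private:
            warns.append(f"{r.name}: WAN {r.wan_ip} is RFC 1918 space and will not route across the Internet")
    if a.sa_encrypt.upper() == "DES":
        warns.append("SA Encrypt Type DES is a 56-bit cipher; prefer 3DES or AES if the firmware offers it")
    if a.sa_hash.upper().replace("-", "") == "MD5":
        warns.append("SA Hash Type MD-5 is deprecated; prefer SHA-1 or better if the firmware offers it")
    if len(a.pre_shared_key) < 20:
        warns.append("pre-shared key is short; use a long random value, identical on both routers")
    return warns


# The technote's own example values (constructed here from its table and steps).
ROUTER_A = RouterTunnel(
    name="IPSec to Netopia B", wan_ip="172.20.10.216",
    lan_network="192.168.2.0/255.255.255.0", peer_wan_ip="172.20.30.216",
    peer_internal_network="192.168.1.0/255.255.255.0", pre_shared_key="testing123")
ROUTER_B = RouterTunnel(
    name="IPSec to Netopia A", wan_ip="172.20.30.216",
    lan_network="192.168.1.0/255.255.255.0", peer_wan_ip="172.20.10.216",
    peer_internal_network="192.168.2.0/255.255.255.0", pre_shared_key="testing123")

if __name__ == "__main__":
    for line in check_pair(ROUTER_A, ROUTER_B) or ["profiles mirror each other"]:
        print("CHECK:", line)
    for line in advisories(ROUTER_A, ROUTER_B):
        print("ADVISORY:", line)
```

Run it as a script to see the report for the example values: the profiles pass the mirror check, and the advisories flag the example's RFC 1918 WAN addresses, the short pre-shared key, and DES/MD-5, which are the values this technote was written against and should be upgraded wherever the firmware allows.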

Conclusion
At this point, you are ready to test the configuration. Remember that the tunnel can take up to 120 seconds to authenticate, so if you are testing with ping, send at least 120 packets (about two minutes at one ping per second) before concluding that the tunnel is not working.
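As an added example (my own Python, not from the technote), the following probe keeps pinging the remote LAN for up to the 120 seconds the tunnel may need and reports how long the first reply took, which is more informative than eyeballing a long ping run. The ping flags assume Linux iputils ping (adjust them on macOS or Windows); the probe, clock and sleep functions are injectable so the loop itself can be exercised without a network.

```python
"""Probe the remote LAN until the IPSec tunnel comes up, or a deadline passes.

Added example, not from the Netopia technote. The probe is pluggable so the
same loop can drive a real ping (the default) or a stand-in during testing.
"""
import subprocess
import time
from typing import Callable, Tuple


def ping_once(host: str) -> bool:
    """One ICMP echo request with a 1 s reply timeout (Linux iputils 'ping' flags)."""
    result = subprocess.run(["ping", "-c", "1", "-W", "1", host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def wait_for_tunnel(host: str, timeout_s: float = 120.0, interval_s: float = 1.0,
                    probe: Callable[[str], bool] = ping_once,
                    clock: Callable[[], float] = time.monotonic,
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, float, int]:
    """Return (reached, seconds until first reply or until the deadline, probes sent).

    The first probe is sent immediately; later probes are spaced interval_s apart
    until either one succeeds or timeout_s has elapsed since the start.
    """
    start = clock()
    attempts = 0
    while True:
        attempts += 1
        if probe(host):
            return True, clock() - start, attempts
        elapsed = clock() - start
        if elapsed >= timeout_s:
            return False, elapsed, attempts
        sleep(interval_s)


if __name__ == "__main__":
    # From a workstation behind Netopia B, probe router A's Ethernet address.
    reached, seconds, sent = wait_for_tunnel("192.168.2.254")
    if reached:
        print(f"tunnel up: first reply after {seconds:.0f} s ({sent} probes)")
    else:
        print(f"no reply within {seconds:.0f} s ({sent} probes); check both tunnel profiles")
```

Run it from a workstation on the Netopia B LAN while the tunnel is idle; the time to first reply is roughly the tunnel's IKE negotiation time, and a result that exceeds the deadline usually means a mismatch between the two routers' profiles rather than a slow negotiation.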

Other Related Documents
Purchase a Feature Key Upgrade.
Installing a Feature Key for the 3300 Series
Configuring TCP/IP Properties

Copyright © 2003-2005 Netopia, Inc. All rights reserved.