Netopia - VPN to VPN Tunnel Using IPSec
Configuration of Router A (beginning Firmware
v4.8.2)
1. From the Main Menu of router console screens, go to Quick Menus,
and select Add Connection Profile.
2. Under Profile Name, type Router B (or a name of your
choice).
3. In a router running firmware version 4.8.2 up to version 4.10,
change Data Link Encapsulation to IPSec and select Data
Link Options.
NOTE: A section outlining Manual Key
configuration instructions for firmware version 4.10 and higher
immediately follows this segment.
If your router has 4.10 firmware, please
proceed to that segment.

Figure 1: Firmware v4.8.2
4. Verify that Encryption Transform is set to DES.
5. For Encryption Key type in a 16-character hexadecimal string,
e.g., 1234567890ABCDEF. This string MUST
be EXACTLY the same as the key entered in
configuration step 5 for Router B below.
6. Set Authentication Type to ESP.
7. Set Authentication Transform to HMAC-MD5-96.
8. For Authentication Key type in a 32-character hexadecimal string,
e.g., 1234567890ABCDEF1234567890ABCDEF. This string MUST be EXACTLY
the same as the key entered in configuration step 8 for Router B
below.
9. Hit enter on COMMIT, then select IP Profile Parameters.
10. For SPI (Security Parameters Index) type in a value between 1
and 4294967295. This value MUST be
EXACTLY the same as the value entered in
configuration step 10 for Router B below.
11. Remote Tunnel Endpoint Address is the Local WAN Address of
the remote router. E.g., when configuring router A as per the
example, this value will be 172.20.30.216.
12. Remote Members Network is the Ethernet Network Address of
the remote router. E.g., when configuring router A as per the
example, this value will be 192.168.1.0.
13. Remote Members Mask is the Ethernet Subnet Mask of the
remote router. E.g., when configuring router A as per the example, this
value will be 255.255.255.0.
14. Set Address Translation Enabled to No. (Note:
Use the tab key to toggle this option between Yes and No. Hit enter
to save your changes).
15. Do not select a Filter Set. If one is active, hit enter on
Remove Filter Set to deactivate it. (Note: You can
filter over an IPSec connection; however, none of the pre-set filters are
suitable for this purpose. If you wish to filter traffic on your IPSec
tunnel, please read technote NIR 052: Netopia Router Firewall Features
and Configuration.)
16. Leave Advanced IP Profile Options alone, and hit enter on
COMMIT.
17. You will be moved back one screen in the menu hierarchy. Hit enter
on COMMIT to finish adding the profile.
18. Restart the Netopia after completing the configuration.
This concludes the setup for Router A. Go to
Configuration for Router B.
Configuration of Router A (beginning Firmware v4.10
and v5.3.4)
From above, beginning at step #3:
3. Change Encapsulation Type to IPSec and then select
Encapsulation Options. See Figure 2 below.

Figure 2: Firmware v4.10 and v5.3.4
4. Set Key Management to Manual.
5. Set ESP Encryption Transform to DES.
6. Set ESP Authentication Transform to HMAC-MD5-96.
7. Select IPSec Manual Keys and hit enter.
8. Type in the 16-digit Encryption Key. Remember, this will have to
match EXACTLY the same value in router B. Hit the enter key.
9. Type in the 32-digit MD5 ESP Auth. Key. Again, this will have to
match exactly the same value as in router B. Hit the enter key.
10. Hit esc once and then select COMMIT and hit enter.
11. Select IP Profile Parameters and hit enter.
12. Remote Tunnel Endpoint is the Local WAN Address of the
remote router. E.g., when configuring router A as per the example, this
value will be 172.20.30.216.
13. Remote Member Address is the Ethernet Network Address of
the remote router. E.g., when configuring router A as per the
example, this value will be 192.168.1.0.
14. Remote Members Mask is the Ethernet Subnet Mask of the
remote router. E.g., when configuring router A as per the example, this
value will be 255.255.255.0.
15. Local Member Address is the Ethernet Network Address of
the local router. E.g., when configuring router A as per the example,
this value will be 192.168.2.0.
16. Remote Members Mask is the Ethernet Subnet Mask of the
remote router. E.g., when configuring router A as per the example, this
value will be 255.255.255.0.
17. For SPI (Security Parameters Index) type in a value between 1
and 4294967295. This value MUST be
EXACTLY the same as the value entered in
configuration step 17 for Router B below.
18. Set Address Translation Enabled to No. (Note:
Use the tab key to toggle this option between Yes and No. Hit enter
to save your changes).
19. Do not select a Filter Set. If one is active, hit enter on
Remove Filter Set to deactivate it. (Note: You can
filter over an IPSec connection; however, none of the pre-set filters are
suitable for this purpose. If you wish to filter traffic on your IPSec
tunnel, please read technote NIR 052: Netopia Router Firewall Features
and Configuration.)
20. Leave Advanced IP Profile Options alone. In a router running
firmware version 4.10 and higher, your config screen should resemble
Figure 3. Hit enter on COMMIT.

Figure 3: Firmware v4.10
21. You will be moved back one screen in the menu hierarchy. Leave the
Interface Group set to Any Port. Select COMMIT and hit
enter.
22. You will be moved back one screen in the menu hierarchy. Hit enter
on COMMIT to finish adding the profile.
23. Restart the Netopia after completing the configuration.
This concludes the setup for Router A for firmware version 4.10
(and higher).
Go to
Configuration for Router B.
Configuration of Router B (beginning Firmware
v4.8.2)
1. From the Main Menu of router console screens, go to Quick Menus,
and select Add Connection Profile.
2. Under Profile Name, type Router A (or a name of your
choice).
3. In a router running firmware version 4.8.2 up to version 4.10,
change Data Link Encapsulation to IPSec and select Data
Link Options.
NOTE: A section outlining Manual Key
configuration instructions for firmware version 4.10 and higher
immediately follows this segment.
If your router has 4.10 firmware, please
proceed to that segment.
4. Verify that Encryption Transform is set to DES.
5. For Encryption Key type in a 16-character hexadecimal string,
e.g., 1234567890ABCDEF. This string MUST
be EXACTLY the same as the key entered in
configuration step 5 for Router A above.
6. Set Authentication Type to ESP.
7. Set Authentication Transform to HMAC-MD5-96.
8. For Authentication Key type in a 32-character hexadecimal string,
e.g., 1234567890ABCDEF1234567890ABCDEF. This string
MUST be EXACTLY the
same as the key entered in configuration step 8 for Router A above.
9. Hit enter on COMMIT, then select IP Profile Parameters.
10. For SPI (Security Parameters Index) type in a value between 1
and 4294967295. This value MUST be
EXACTLY the same as the value entered in
configuration step 10 for Router A above.
11. Remote Tunnel Endpoint Address is the Local WAN Address of
the remote router. E.g., when configuring router B as per the
example, this value will be 172.20.10.216.
12. Remote Members Network is the Ethernet Network Address of
the remote router. E.g., when configuring router B as per the
example, this value will be 192.168.2.0.
13. Remote Members Mask is the Ethernet Subnet Mask of the
remote router. E.g., when configuring router B as per the example, this
value will be 255.255.255.0.
14. Set Address Translation Enabled to No. (Note:
Use the tab key to toggle this option between Yes and No. Hit enter
to save your changes).
15. Do not select a Filter Set. If one is active, hit enter on
Remove Filter Set to deactivate it. (Note: You can
filter over an IPSec connection; however, none of the pre-set filters are
suitable for this purpose. If you wish to filter traffic on your IPSec
tunnel, please read technote NIR 052: Netopia Router Firewall Features
and Configuration.)
16. Leave Advanced IP Profile Options alone, and hit enter on
COMMIT.
17. You will be moved back one screen in the menu hierarchy. Hit enter
on COMMIT to finish adding the profile.
18. Restart the Netopia after completing the configuration.
This concludes the setup for Router B.
See the
Conclusion below.
Configuration of Router B (beginning Firmware v4.10
and v5.3.4)
From above, beginning at step #3:
3. Change Encapsulation Type to IPSec and then select
Encapsulation Options.
4. Set Key Management to Manual.
5. Set ESP Encryption Transform to DES.
6. Set ESP Authentication Transform to HMAC-MD5-96.
7. Select IPSec Manual Keys and hit enter.
8. Type in the 16-digit Encryption Key. Remember, this will have to
match EXACTLY the same value in router A. Hit the enter key.
9. Type in the 32-digit MD5 ESP Auth. Key. Again, this will have to
match exactly the same value as in router A. Hit the enter key.
10. Hit esc once and then select COMMIT and hit enter.
11. Select IP Profile Parameters and hit enter.
12. Remote Tunnel Endpoint is the Local WAN Address of the
remote router. E.g., when configuring router B as per the example, this
value will be 172.20.10.216.
13. Remote Member Address is the Ethernet Network Address of
the remote router. E.g., when configuring router B as per the
example, this value will be 192.168.2.0.
14. Remote Members Mask is the Ethernet Subnet Mask of the
remote router. E.g., when configuring router B as per the example, this
value will be 255.255.255.0.
15. Local Member Address is the Ethernet IP Address of the
local router. E.g., when configuring router B as per the example, this
value will be 192.168.1.0.
16. Remote Members Mask is the Ethernet Subnet Mask of the
remote router. E.g., when configuring router B as per the example, this
value will be 255.255.255.0.
17. For SPI (Security Parameters Index) type in a value between 1
and 4294967295. This value MUST be
EXACTLY the same as the value entered in
configuration step 17 for Router A above.
18. Set Address Translation Enabled to No. (Note:
Use the tab key to toggle this option between Yes and No. Hit enter
to save your changes).
19. Do not select a Filter Set. If one is active, hit enter on
Remove Filter Set to deactivate it. (Note: You can
filter over an IPSec connection; however, none of the pre-set filters are
suitable for this purpose. If you wish to filter traffic on your IPSec
tunnel, please read technote NIR 052: Netopia Router Firewall Features
and Configuration.)
20. Leave Advanced IP Profile Options alone. In a router running
firmware version 4.10 and higher, your config screen should resemble
Figure 4. Hit enter on COMMIT.

Figure 4: Firmware v4.10 and v5.3.4
21. You will be moved back one screen in the menu hierarchy. Leave the
Interface Group set to Any Port. Select COMMIT and hit
enter.
22. You will be moved back one screen in the menu hierarchy. Hit enter
on COMMIT to finish adding the profile.
23. Restart the Netopia after completing the configuration.
This concludes the setup for Router B for firmware version 4.10
(and higher) for the R-Series, and version 5.3.4 (and higher) for the
4000-Series.
Conclusion
Once both routers are configured, an IPSec connection can be established to
allow IP routing through the tunnel between the two LANs.
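
The cross-checks the steps above call for (identical keys and SPI on both routers, mirrored endpoint and member addresses, address translation off), as an added Python example that is not part of the original technote. The dictionary field names are hypothetical, the keys and SPI are constructed sample values, and the addresses are the page's example values.

```python
import ipaddress
import re

# Sample keys printed in the technote; a deployed tunnel needs its own random keys.
DOC_SAMPLE_KEYS = {"1234567890ABCDEF", "1234567890ABCDEF1234567890ABCDEF"}

def check_pair(a, b):
    """Return the problems found in two mirrored manual-key IPSec profiles."""
    problems = []
    for name, p in (("A", a), ("B", b)):
        if not re.fullmatch(r"[0-9A-Fa-f]{16}", p["enc_key"]):
            problems.append(f"{name}: DES key must be 16 hex characters")
        if not re.fullmatch(r"[0-9A-Fa-f]{32}", p["auth_key"]):
            problems.append(f"{name}: HMAC-MD5-96 key must be 32 hex characters")
        if {p["enc_key"].upper(), p["auth_key"].upper()} & DOC_SAMPLE_KEYS:
            problems.append(f"{name}: key is the documentation sample value")
        if not 1 <= p["spi"] <= 4294967295:
            problems.append(f"{name}: SPI outside 1..4294967295")
        if p["nat"]:
            problems.append(f"{name}: Address Translation Enabled must be No")
    for field in ("enc_key", "auth_key", "spi"):
        if str(a[field]).upper() != str(b[field]).upper():
            problems.append(f"{field} differs between routers")
    for x, y, xn, yn in ((a, b, "A", "B"), (b, a, "B", "A")):
        if x["remote_endpoint"] != y["wan"]:
            problems.append(f"{xn}: remote endpoint is not {yn}'s WAN address")
        # Compare network/mask pairs as networks, so the mask is checked too.
        remote = ipaddress.ip_network(f"{x['remote_net']}/{x['remote_mask']}")
        if remote != ipaddress.ip_network(f"{y['lan_net']}/{y['lan_mask']}"):
            problems.append(f"{xn}: remote members do not match {yn}'s LAN")
    return problems

# Constructed profiles using the page's example addresses; keys and SPI are made up.
SHARED = dict(enc_key="3F9A6C21D07B5E84", spi=4096, nat=False,
              auth_key="7C1E94B2A6D3508F2B6E0D91C4A735F8")
ROUTER_A = dict(SHARED, wan="172.20.10.216", lan_net="192.168.2.0",
                lan_mask="255.255.255.0", remote_endpoint="172.20.30.216",
                remote_net="192.168.1.0", remote_mask="255.255.255.0")
ROUTER_B = dict(SHARED, wan="172.20.30.216", lan_net="192.168.1.0",
                lan_mask="255.255.255.0", remote_endpoint="172.20.10.216",
                remote_net="192.168.2.0", remote_mask="255.255.255.0")

if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B))  # matching pair
    print(check_pair(ROUTER_A, dict(ROUTER_B, enc_key="1234567890ABCDEF", spi=0)))
```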