
IPSec with IKE (Internet Key Exchange); Router-to-Router

CQG_053

This technote covers the configuration of an IPSec tunnel profile using the Internet Key Exchange (IKE) protocol for two Netopia 3000 Series routers connecting to each other over the Internet. It details the creation of the Phase 1 (IKE) profile and the Phase 2 (IPSec) profile in the Netopia routers.

PLEASE NOTE: If your router is currently running Netopia Enterprise Firmware version 8.0.10 and later, please see NQG_053: IPSec with IKE.

Firmware Reference

  • v7.2 and later -- Netopia 3300 Series
  • v6.3.0 R7 and later -- Netopia 3500 Series
  • v6.3.0 R9 and later -- Netopia 3341
  • v6.3.0 R2 through R7 -- Cayman 3220 / 2E

Before You Start

PLEASE READ our Notice on Configuring VPN Tunnels with Netopia Gateways and Routers.

Browse into the Netopia's web interface at http://192.168.1.254 (if using the default IP setting). If your network has a different IP addressing scheme, modify this accordingly.

Log in with the admin user name and password. Admin login is required to save changes. If you are unsure of this, contact your network administrator.

Once logged in, click on the Expert Mode link in the left-hand side menu (if that link is visible). In the Expert Mode Confirmation screen click on Ok to continue. This menu bar will be visible at the top of your screen if you are in Expert Mode.

Menu

Remember to click the Submit button to save any entries. Hitting the back button without clicking Submit will undo any changes.

Once you have completed your configuration, click on the Save symbol in your upper right hand corner to validate the changes. Then click on Save and Restart.

Netopia Web GUI Home Page
The Netopia Web GUI Home Page in Expert Mode (Firmware v6.3 and later)

Notice

Caution: In the IPSec Security screen, there is an option to Enable IPSec Passthrough. Do Not enable this function. If there is a checkmark in the box to enable passthrough, the feature outlined in this technote will not work.

Please Note: The IP addressing used in this technote is for illustrative purposes only. The IPs given in the configuration examples are non-routable and are not supported for VPN connectivity and routing. They are used here as examples; your ISP will provide you with routable IPs for your Internet connectivity.

Please substitute your own IP information when configuring your routers. In any case, both routers must be configured for different Ethernet IP subnets, as the example configuration illustrates.

Do not make changes to settings unless referenced in this configuration guide. IPSec tunnels are initiated when a host on one side of a Netopia router tries to send traffic to the network behind the remote router. However, depending on hardware configuration, encryption options, etc., it can take some time for the tunnel to complete authentication and begin relaying traffic. Please bear this in mind when testing the tunnel connectivity with ping and other diagnostic tools. This configuration assumes that both sides of the VPN have static, valid Internet IP addresses on their WAN interfaces, and that NAT is not used in the VPN tunnel itself, though it may be used on the Internet connection.

Network

The following example configuration is based on two Netopia routers with connections to the Internet using NAT (Network Address Translation). It is not necessary for you to have NAT enabled on your Internet connection profile for this to work. The Local WAN IP addresses used in the configuration are only an example. While this Quick Guide does not cover all possible configuration options, the configuration detailed should work well in most situations.

Netopia Router A Network                 Netopia Router B Network
WAN IP Address: 172.20.10.216            WAN IP Address: 172.20.30.216
WAN Subnet Mask: 255.255.255.0           WAN Subnet Mask: 255.255.255.0
Ethernet IP Address: 192.168.2.254       Ethernet IP Address: 192.168.1.254
Ethernet Subnet Mask: 255.255.255.0      Ethernet Subnet Mask: 255.255.255.0

Configuration

Netopia Router A Configuration:
  1. Browse (with Internet Explorer, or Netscape) to the Netopia router at 192.168.2.254.
  2. At the Main screen click on Security option.
  3. Then click on the IPSec option.
  4. Use the default values on the following screen unless instructed to make changes. Make sure the Enable SafeHarbour IPSec is checked.
  5. Click On so there is a check mark in this box, then click Submit.

    Safe Harbour IPSec

  6. Type in a name; for this example we will use IPSec to Netopia B.

    SafeHarbour IPSec Tunnel Entry

  7. Put in the Local WAN IP Address of Netopia router B, which is 172.20.30.216.
  8. Encryption Protocol is ESP.
  9. Authentication Protocol is ESP.
  10. Key Management is IKE.
  11. Click Add. You will now be at a screen which reads Tunnel Details.
    Tunnel Details

    1. Enter the Peer Internal Network as 192.168.1.0.
    2. Enter the Peer Internal Netmask as 255.255.255.0.
    3. Negotiation Method is Main.
    4. Pre-Shared Key Type is ASCII.
    5. Type in a Pre-Shared Key value that will be used in both Netopia routers. For this example we will use testing123.
    6. DH Group 2.
    7. PFS DH Group 2 (6.x firmware).
      (7.x firmware will have only an "enable" checkbox here).
    8. SA Encrypt Type DES.
    9. SA Hash Type MD-5.
    10. Leave all other fields as default.
    11. Hit Update.
  12. Click on the Save symbol in the upper right-hand corner.
  13. Click Save and Restart. This will restart the Netopia with the new IPSec configuration.
Netopia Router B Configuration:
  1. Browse (with Internet Explorer, or Netscape) into the Netopia router at 192.168.1.254.
  2. At the Main screen click on Security option.
  3. Then click on the IPSec option.
  4. Use the default values on the following screen unless instructed to make changes. Make sure the Enable SafeHarbour IPSec is checked.
  5. Click On so there is a check mark in this box, then click Submit.

    Safe Harbour IPSec

  6. Type in a name; for this example we will use IPSec to Netopia A.

    Safe Harbour IPSec Tunnel Entry

  7. Put in the Local WAN IP Address of Netopia router A, which is 172.20.10.216.
  8. Encryption Protocol is ESP.
  9. Authentication Protocol is ESP.
  10. Key Management is IKE.
  11. Click Add. You will now be at a screen which reads Tunnel Details.
    Tunnel Details
    1. Enter the Peer Internal Network as 192.168.2.0.
    2. Enter the Peer Internal Netmask as 255.255.255.0.
    3. Negotiation Method is Main.
    4. Pre-Shared Key Type is ASCII.
    5. Type in the Pre-Shared Key that matches the Pre-Shared Key in the above Netopia configuration; in this example it is testing123.
    6. DH Group 2.
    7. PFS DH Group 2 (6.x firmware).
      (Again, 7.x firmware will have only an "enable" checkbox here).
    8. SA Encrypt Type DES.
    9. SA Hash Type MD-5.
    10. Leave all other fields as default.
    11. Hit Update.

  12. Click on the Save symbol in the upper right-hand corner.
  13. Click Save and Restart. This will restart the Netopia with the new IPSec configuration.
  14. You can now initiate traffic from a host machine behind Netopia B to the LAN side of the opposite router (i.e. ping 192.168.2.254 from a workstation on this LAN, or telnet from a workstation behind the Netopia to the Ethernet interface of the remote Netopia, 192.168.2.254).
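As an added example (Python, not part of this technote or of the Netopia firmware) of what the Pre-Shared Key, the exchanged nonces and the MD-5 hash type are used for once a tunnel is initiated, the following models the RFC 2409 Phase 1 key derivation and initiator hash with a matching and a mismatched key. All exchange values are constructed placeholders and the DH group 2 computation is omitted, with g^xy supplied as an input.

```python
import hmac
import hashlib

# Added example of the IKEv1 main-mode pre-shared-key authentication the two
# routers perform in Phase 1 (RFC 2409 section 5.4). HMAC-MD5 is the prf
# because the technote selects SA Hash Type MD-5 (MD5 and DES are weak by
# today's standards; they are kept here only to match the technote).

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` over the negotiated hash (MD5)."""
    return hmac.new(key, data, hashlib.md5).digest()

def skeyid_psk(psk: str, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b). An ASCII-type key is assumed
    to be used byte for byte; the key never crosses the wire, only the nonces."""
    return prf(psk.encode("ascii"), ni_b + nr_b)

def derive_keys(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d (seeds the Phase 2 IPSec keys), SKEYID_a (authenticates Phase 1
    messages) and SKEYID_e (encrypts the identity/hash messages 5 and 6)."""
    d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + g_xy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + g_xy + cky_i + cky_r + b"\x02")
    return d, a, e

def hash_i(psk: str, x: dict) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b): the
    initiator sends it in message 5 to prove it holds the same PSK."""
    skeyid = skeyid_psk(psk, x["ni_b"], x["nr_b"])
    return prf(skeyid, x["g_xi"] + x["g_xr"] + x["cky_i"] + x["cky_r"]
               + x["sai_b"] + x["idii_b"])

# Constructed stand-ins for what Router A (initiator) and Router B (responder)
# exchanged in messages 1-4; not real captures. DH group 2 is not modelled, so
# g^xi, g^xr and the shared secret g^xy are fixed placeholder byte strings.
EXCHANGE = {
    "ni_b": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "nr_b": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
    "cky_i": b"\x01" * 8, "cky_r": b"\x02" * 8,
    "g_xi": b"\x03" * 128, "g_xr": b"\x04" * 128, "g_xy": b"\x05" * 128,
    "sai_b": b"\x00\x00\x00\x01",                       # SA proposal body
    "idii_b": b"\x01\x00\x00\x00" + bytes([172, 20, 10, 216]),  # ID_IPV4_ADDR
}

def responder_accepts(initiator_psk: str, responder_psk: str, x=EXCHANGE) -> bool:
    """Router B recomputes HASH_I with its own key and compares it with the
    value Router A sent; Phase 1 completes only when both keys are identical."""
    return hmac.compare_digest(hash_i(initiator_psk, x), hash_i(responder_psk, x))
```

Because the responder's comparison fails on any byte difference, a key that differs only in case (testing123 versus Testing123) leaves the tunnel stuck in Phase 1, which is the usual cause of a tunnel that never passes the first ping.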

Conclusion

At this point, you are ready to test the configuration. Don't forget, the tunnel can take upwards of 120 seconds to authenticate, so if you are testing using ping, send at least 120 packets.


© 2009 Netopia, Inc., a Motorola Company. All rights reserved.