This technote covers the configuration of an IPSec Tunnel profile using the Internet Key Exchange (IKE) protocol for a Netopia 3000 Series gateway with a tunnel from the SafeNet SoftRemote 8.1 VPN Client. Netopia Technical Support provides this document to you as an added service. The configurations described below have proven successful in many instances and have been tested in the Netopia labs. However, Netopia support cannot be responsible for issues with the installation and configuration of non-Netopia products. If the following suggestions do not provide the results you desire, please contact SafeNet, Inc. directly for technical support.
PLEASE NOTE: If your router is currently running Netopia Enterprise Firmware version 8.0.10 and later, please see NQG_054: IPSec from a SafeNet SoftRemote 8.1 VPN Client.
Firmware Reference
- v7.2 and later -- Netopia 3347-W
- v6.3.0 R7 and later -- Netopia 3500 Series
- v6.3.0 R9 and later -- Netopia 3341/3346
- v6.3.0 R2 through R7 -- Cayman 3220 / 2E
PLEASE READ our Notice on Configuring VPN Tunnels with Netopia Gateways and Routers.
Browse into the Netopia's web interface at http://192.168.1.254 (if using the default IP setting). If your network has a different IP addressing scheme, modify this accordingly.
Login with the admin user name and password. Admin login is required to save changes. If you are unsure of this, contact your network administrator.
Once logged in, click on the Expert Mode link in the left-hand side menu (if that link is visible). In the Expert Mode Confirmation screen click on Ok to continue. This menu bar will be visible at the top of your screen if you are in Expert Mode.
Remember to click the button to save any entries. Hitting the back button without clicking it will undo any changes.
Once you have completed your configuration, click on the symbol in your upper right hand corner to validate the changes. Then click on Save and Restart.

The Netopia Web GUI Home Page in Expert Mode (Firmware v6.3 and later)
Caution: In the IPSec Security screen, there is an option to Enable IPSec Passthrough. Do Not enable this function. If there is a checkmark in the box to enable passthrough, the feature outlined in this technote will not work.
Please Note: The IP addressing used in this technote is for illustrative purposes only. The IPs given in the configuration examples are non-routable and are not supported for VPN connectivity and routing. They are used here as examples, and your ISP will provide you with routable IPs for your internet connectivity.
Please substitute your own IP information when configuring your routers. In any case, both routers must be configured for different Ethernet IP subnets, as the example configuration illustrates.
Do not make changes to settings unless referenced in this configuration guide. IPSec tunnels are initiated when a host on one side of the Netopia router tries to send traffic to the remote side of the other router. However, depending on hardware configuration, encryption options, etc., it can take some time for the tunnel to complete authentication and begin relaying traffic. Please bear this in mind when testing tunnel connectivity with ping and other diagnostic tools. This configuration assumes that both sides of the VPN have static, valid Internet IP addresses on their WAN interfaces, and that NAT is not used in the VPN tunnel itself, though it may be used on the Internet connection.
Please Note: The Local WAN IP addresses used in the configuration are only an example. While this technote does not cover all possible configuration options, the configuration detailed should work well in most situations.
| Local WAN IP Address: | 172.20.0.1 |
| Default IP Gateway: | 172.20.0.254 |
| Ethernet IP Address: | 192.168.1.254 |
| Ethernet IP Subnet Mask: | 255.255.255.0 |

- At the Netopia Main screen click on the Security option.
- Click on the IPSec option.
- Use the default values on the following screens unless instructed to make changes. Make sure the Enable SafeHarbour IPSec is checked.
- Click On so there is a check mark in this box, then click Submit.
- You will now see a box titled SafeHarbour IPSec Tunnel Entry.

- Type in a Name; for this example we will use IPSec to SafeNet.
- The example configuration here uses the above values for reference. When configuring your router and client, substitute the values in your router for these numbers wherever appropriate.
- Enter the Peer External IP Address of the Client, which is 172.16.0.1. (This would be the address of your Ethernet card on the SafeNet client side or the address of your PPP/PPPoE adapter). PLEASE NOTE: This must be a known value. The Netopia router cannot terminate an IPSec connection from a client or gateway with a dynamic public IP address represented as 0.0.0.0.
- Encryption Protocol is ESP.
- Authentication Protocol is ESP.
- Key Management is IKE.
- Click Add.
- You will now be at a screen which reads Tunnel Details.

- Enter the Peer Internal Network as 1.1.1.1; This is the virtual adapter of the SafeNet Client.
- Enter the Peer Internal Netmask as 255.255.255.255. This is the virtual adapter of the SafeNet Client.
- Negotiation Method is Main.
- Pre-Shared Key Type ASCII.
- Type in the Pre-Shared Key that matches the Pre-Shared Key in the SafeNet client. (This is testing123 in our example). Please note the SafeNet client requires at least 8 characters.
- DH Group 2.
- PFS DH Group 2.
- SA Encrypt Type DES.
- SA Hash Type MD-5.
- Leave all other fields as default.
- Click on Update.
- Then click on the symbol in the upper right hand corner.
- Click Save and Restart. This will restart the Netopia with the new IPSec configuration.
This completes the Netopia portion of the configuration.
- Open the SafeNet Client's Security Policy Editor for SafeNet SoftRemote.
- Create a new connection by going to Edit, Add, then Connection and give it a descriptive name; for this example we will use "To Netopia Router" since this is a Netopia router.
- Connection Security = Secure.
- In the Remote Party Identity and Addressing section, ID Type = IP Subnet; Subnet = 192.168.1.0; Mask = 255.255.255.0 (in the example this is the Ethernet IP Address and Ethernet IP Subnet Mask of the Netopia. Supply your own router's IP addresses here if different); Protocol = All.
- Check Connect Using Secure Gateway Tunnel and set the IP Address to the Local WAN Address of the Netopia (172.20.0.1 in the example.)
- Click on the My Identity section under "To Netopia Router".
- Select Certificate = None; ID Type = IP Address.
- Click on Pre-Shared Key, and then Enter Key. Set this to the Shared Secret agreed upon in the Netopia configuration. This can be any alphanumeric string; '12345678' for example. (Note: The SafeNet client requires at least eight characters).
- Now go to the top tool bar and choose Options, then Global Policy Settings.
- Check Allow to Specify Internal Network Address, then hit OK.
- Set Virtual Adapter to Required.
- After completing step 4, step 5 and step 6, you should now see a Virtual Adapter IP Address.
- Set an Internal Network IP Address. Set this to 1.1.1.1 which matches the Remote Members field you set in the Netopia.
- Internet Interface = PPP Adapter if this is a Dial-Up connection, otherwise use your Ethernet Adapter (3Com EtherLink XL 10/100) in this example.
- Click on Security Policy.
- Under the Security Policy section, select Main Mode.
- Check Enable Perfect Forward Secrecy, then choose Diffie-Hellman Group 2.
- Leave Enable Replay Detection checked.
- Click on Authentication (Phase 1) then Proposal 1.
- For Authentication Method, choose Pre-Shared Key.
- Under Encryption and Data Integrity Algorithms choose the Encrypt Alg as DES.
- Under Encryption and Data Integrity Algorithms choose the Data Alg as MD5.
- Leave SA Life to Unspecified.
- Choose Key Group as Diffie-Hellman Group 2.
- Click on Key Exchange (Phase 2) and choose Proposal 1.
- Leave the SA Life as Unspecified.
- Leave Compression to None.
- Leave Encapsulation Protocol (ESP) checked.
- Leave Encrypt Alg to DES.
- Make Hash Alg be MD5.
- Leave Encapsulation as Tunnel.
- Leave Authentication Protocol (AH) as unchecked.
- When finished, for your settings to take effect in the SafeNet client software, go to File then Save Changes.




This completes the setup of an IPSec tunnel between the Netopia router and a PC equipped with the SafeNet VPN client software. You should now have secure access from the client PC to the network behind the Netopia.
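A pre-flight check for the two procedures above, as an added example (not Netopia or SafeNet code): it compares the settings entered on the gateway with those entered in the client, which must agree for the tunnel to negotiate, and flags the choices in this example that are weak by current standards. The dictionary keys and function names are assumptions made for this example; the values are the technote's own example values, typed in by hand.

```python
import ipaddress

# Constructed sample input: the example values from this technote, typed in by hand.
GATEWAY = {"wan_ip": "172.20.0.1", "lan_ip": "192.168.1.254", "lan_mask": "255.255.255.0",
           "peer_internal_net": "1.1.1.1", "peer_internal_mask": "255.255.255.255",
           "mode": "Main", "psk": "testing123", "dh_group": 2, "pfs_group": 2,
           "encrypt": "DES", "hash": "MD-5"}
CLIENT = {"gateway_ip": "172.20.0.1", "remote_subnet": "192.168.1.0",
          "remote_mask": "255.255.255.0", "internal_ip": "1.1.1.1",
          "mode": "Main Mode", "psk": "testing123", "dh_group": 2, "pfs_group": 2,
          "p1": ("DES", "MD5"), "p2": ("DES", "MD5")}
DOC_EXAMPLE_KEYS = {"testing123", "12345678"}   # keys printed in the technote
WEAK = {"DES": "DES (56-bit key)", "MD5": "MD5 (deprecated hash)",
        "2": "DH group 2 (1024-bit MODP)"}

def norm(name):
    # Normalise spellings such as 'MD-5' and 'md5' so both GUIs compare equal.
    return str(name).upper().replace("-", "").strip()

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def mismatches(gw, cl):
    """Names of settings that differ between gateway and client."""
    gw_algs = (norm(gw["encrypt"]), norm(gw["hash"]))
    checks = {
        "secure gateway address": gw["wan_ip"] == cl["gateway_ip"],
        "protected LAN subnet": net(gw["lan_ip"], gw["lan_mask"])
                                == net(cl["remote_subnet"], cl["remote_mask"]),
        "client internal address": net(gw["peer_internal_net"], gw["peer_internal_mask"])
                                   == net(cl["internal_ip"], "255.255.255.255"),
        "negotiation mode": gw["mode"].split()[0].lower() == cl["mode"].split()[0].lower(),
        "pre-shared key": gw["psk"] == cl["psk"],   # compared, never printed
        "DH group": gw["dh_group"] == cl["dh_group"],
        "PFS group": gw["pfs_group"] == cl["pfs_group"],
        "phase 1 algorithms": gw_algs == tuple(map(norm, cl["p1"])),
        "phase 2 algorithms": gw_algs == tuple(map(norm, cl["p2"])),
    }
    return [name for name, ok in checks.items() if not ok]

def weak_settings(gw):
    """Weak algorithm choices, plus reuse of a key published in the technote."""
    chosen = map(norm, (gw["encrypt"], gw["hash"], gw["dh_group"]))
    found = [WEAK[v] for v in chosen if v in WEAK]
    if gw["psk"] in DOC_EXAMPLE_KEYS or len(gw["psk"]) < 8:
        found.append("pre-shared key is a published example or under 8 characters")
    return found

if __name__ == "__main__":
    print(mismatches(GATEWAY, CLIENT) or "no mismatches", weak_settings(GATEWAY))
```

Run it with your own values substituted before testing the tunnel; an empty mismatch list means both ends were given the same parameters.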
At this point, you are ready to test the configuration. Try pinging from the SafeNet client side to the Netopia's Ethernet interface (192.168.1.254 for this example). Bear in mind that the tunnel can take upwards of 120 seconds to authenticate, so if you are testing using ping, send at least 120 packets (at one second intervals).
