This Quick Guide covers the configuration of an IPSec profile using the Internet Key Exchange (IKE) protocol for a Netopia router. While this Quick Guide does not cover all possible configuration options, the configuration detailed should work well in most situations.
This document outlines the creation of the phase 1 (IKE) profile and the phase 2 (IPSec) profile in the Netopia. In the Netopia, all connections are managed in a connection profile that contains all the pertinent information and options for that connection. To change an IPSec profile that has already been created, go to WAN Configuration -> Change Connection Profile, and select the appropriate profile. To change an IKE profile that has already been created, go to WAN Configuration -> IPSec configuration. Do not make changes to settings unless referenced in this configuration guide. Unlike other connection types, there is no need to manually establish an IPSec connection; once the profile is configured, the tunnel is automatically and transparently active. However, depending on hardware configuration, encryption options, etc., it can take up to two minutes for the tunnel to complete authentication and begin relaying traffic. Please bear this in mind when testing tunnel connectivity with ping and other diagnostic tools. This configuration assumes that both sides of the VPN have static, valid Internet IP addresses on their WAN interfaces, and that NAT is not used in the VPN tunnel itself, though it may be used on the Internet connection.
Please Note: This document is based on two Netopia Internet Gateway routers with connections to the Internet using NAT (Network Address Translation). This configuration will also cover a Netopia connecting to most other IPSec security gateway products. Please refer to the documentation provided for other products as regards their configuration.
Netopia technical support does not provide troubleshooting or configuration support on third party vendor products.
Note: IPSec tunneling supports IP routing only. IPX, AppleTalk or any protocol other than IP will not be routed across an IPSec tunnel.
Please Note: If your router is currently running Netopia Residential Firmware with a web "GUI" configuration menu, this technote is not applicable to you. Most 3300 Series Netopia Gateways can be upgraded to Enterprise level firmware by purchasing an upgrade key.
Firmware References:
- v8.2 R1 (and up) - 3300 Enterprise Series
- v5.3.7 (and up) - 4000 Series
- v4.10 (and up) - R-Series
PLEASE READ our Notice on Configuring VPN Tunnels with Netopia Routers.
Telnet into the Netopia router's Main Menu at 192.168.1.1 (if using the default IP setting). If your network has a different IP addressing scheme, modify this accordingly. Separate instructions are available for using telnet and HyperTerminal (serial connection).
Log in with the user name and password. The Superuser login is required to save changes. If you are unsure of this, contact your network administrator.
Don't forget to press the Enter key to save any entries. Pressing Backspace, Delete or Tab without first pressing Enter will discard any changes.
The Esc key will take you back towards the main menu screen.
Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.

The Netopia Main Menu Interface
PLEASE NOTE: The IP addressing used in this technote is for illustrative purposes only. The IPs given in the configuration examples are non-routable and are not supported for VPN connectivity and routing. They are used here as examples, and your ISP will provide you with routable IPs for your Internet connectivity. Please substitute your own IP information when configuring your routers. In any case, both routers must be configured for different Ethernet IP subnets, as the example configuration illustrates.
| Local Router Network | | Remote Router Network | |
|---|---|---|---|
| WAN IP Address: | 172.16.0.2 | WAN IP Address: | 172.16.0.1 |
| WAN Subnet Mask: | 255.255.0.0 | WAN Subnet Mask: | 255.255.0.0 |
| Ethernet IP Address: | 192.168.2.1 | Ethernet IP Address: | 192.168.1.254 |
| Ethernet Subnet Mask: | 255.255.255.0 | Ethernet Subnet Mask: | 255.255.255.0 |
- From the Main Menu of router console screens, go to Quick Menus, and select Add Connection Profile.
- Supply a descriptive Profile Name and set the Encapsulation Type to IPSec.
- Select Encapsulation Options.
- Set Key Management to IKE.
- Select IKE Phase 1 Profile, ADD PH1 PROFILE.
- Supply a descriptive name for the IKE profile.
- Leave Mode at Main Mode.
- Leave Authentication Method at Shared Secret.
- Set the Shared Secret to an agreed upon password - this can be any alphanumeric string, 'Netopia1234' for example.
- Select either DES or 3DES for the Encryption Algorithm. Note: it is strongly recommended that you have the optional VPN accelerator card if you intend to use 3DES.
- Select either MD5 or SHA1 for the Hash Algorithm.
- Diffie-Hellman Group defaults to Group 2; to interoperate with other vendors' equipment, you may sometimes need to specify Group 1.
- Leave the Advanced IKE Phase 1 Options alone.
- Select ADD IKE PHASE 1 PROFILE.
- Make sure that IKE Phase 1 Profile lists the IKE profile you just created.
- Leave Encapsulation set to ESP.
- Set ESP Encryption Transform to either DES or 3DES. Note that it is strongly recommended that you have installed the optional VPN Accelerator card if you intend to use 3DES. Null is not recommended; it offers no data security.
- Set ESP Authentication Transform to either HMAC-MD5-96 or HMAC-SHA1-96.
- If you have the VPN accelerator card, you will have an option for Compression Type; if your remote system supports LZS compression, you can specify LZS compression here. Otherwise, set compression to None.
- Leave the Advanced IKE Options alone.
- Hit Enter on COMMIT.
- Arrow down to IP Profile Parameters and hit Enter.
- Set Remote Tunnel Endpoint to the WAN Interface address of the remote system (172.16.0.1 in the example).
- Leave Remote Member Format at Subnet.
- Set Remote Member Address to the LAN interface network address of the remote system (192.168.1.0 in the example).
- Set Remote Member Mask to the subnet mask used on the LAN interface of the remote system (255.255.255.0 in the example).
- Leave Local Member Format as Subnet.
- Set Local Member Address to the network address associated with the Ethernet IP of the Netopia (192.168.2.0 in the example).
- Set the Local Member Mask to the Ethernet IP Subnet Mask of the Netopia (255.255.255.0 in the example).
- Leave Address Translation Enabled set to No.
- Leave Filter Set set to None, and leave the Advanced IP Profile Options alone.
- Arrow down to COMMIT and hit Enter. Repeat this for the Add Connection Profile screen.
This completes the Netopia portion of the configuration. If your remote system is another Netopia router, simply repeat the above procedure, reversing all the IP addresses for the various fields.
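Before committing the two profiles, it helps to check on paper that the phase 1/phase 2 settings match on both ends, that the member subnets are real network addresses and do not overlap, and that the remote profile is an exact mirror of the local one. The following Python script is an added example written for this guide (not Netopia code and not something the router runs): it models a connection profile with the fields named in the steps above, validates it against the menu choices the guide describes, and derives the remote router's profile by reversing the IP fields. The field names and sample addresses are assumptions taken from the example table.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

# Menu choices described in this guide, keyed by profile field.
ALLOWED = {"encryption": {"DES", "3DES"}, "hash_alg": {"MD5", "SHA1"},
           "dh_group": {1, 2}, "esp_auth": {"HMAC-MD5-96", "HMAC-SHA1-96"}}

def member_network(address, mask):
    """Member subnet; strict=True rejects a host address (e.g. 192.168.1.254) typed where the network address belongs."""
    return IPv4Network(f"{address}/{mask}", strict=True)

@dataclass(frozen=True)
class TunnelProfile:
    name: str
    shared_secret: str
    encryption: str      # IKE phase 1 cipher and ESP encryption transform
    hash_alg: str
    dh_group: int
    esp_auth: str
    local_wan: IPv4Address
    local_member: IPv4Network
    remote_endpoint: IPv4Address
    remote_member: IPv4Network
def check_profile(p):
    """Problems to fix before COMMIT; an empty list means the profile is consistent."""
    problems = [f"{f} {getattr(p, f)!r} is not one of {sorted(map(str, ok))}"
                for f, ok in ALLOWED.items() if getattr(p, f) not in ok]
    if p.local_member.overlaps(p.remote_member):
        problems.append("local and remote member subnets overlap; each router needs its own Ethernet subnet")
    if p.remote_endpoint in p.local_member or p.local_wan in p.remote_member:
        problems.append("a tunnel endpoint lies inside a member subnet; endpoints are WAN addresses")
    return problems
def mirror_profile(p, name):
    """Remote Netopia's profile: the same IKE/ESP settings with the IP fields reversed."""
    return replace(p, name=name, local_wan=p.remote_endpoint, remote_endpoint=p.local_wan,
                   local_member=p.remote_member, remote_member=p.local_member)
def peer_mismatches(a, b):
    """Fields that must agree on both ends for phase 1 and phase 2 to negotiate."""
    bad = [f for f in ("shared_secret", *ALLOWED) if getattr(a, f) != getattr(b, f)]
    if a.remote_endpoint != b.local_wan or b.remote_endpoint != a.local_wan:
        bad.append("tunnel endpoints")
    if a.remote_member != b.local_member or b.remote_member != a.local_member:
        bad.append("member subnets")
    return bad

# Constructed sample using the non-routable addresses from the table in this guide.
LOCAL = TunnelProfile("ToRemote", "Netopia1234", "3DES", "SHA1", 2, "HMAC-SHA1-96",
                      IPv4Address("172.16.0.2"), member_network("192.168.2.0", "255.255.255.0"),
                      IPv4Address("172.16.0.1"), member_network("192.168.1.0", "255.255.255.0"))
REMOTE = mirror_profile(LOCAL, "ToLocal")
```

`check_profile(LOCAL)` and `peer_mismatches(LOCAL, REMOTE)` both return empty lists for the sample; entering the router's own Ethernet IP instead of the network address makes `member_network` raise a ValueError, which is the mistake the Remote/Local Member Address steps most often hide.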
At this point, you are ready to test the configuration. Bear in mind that the tunnel can take upwards of 120 seconds to authenticate, so if you are testing using ping, send at least 120 packets.
