Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the User's Manual on the packaged CD-ROM.
This page describes how to set up a VPN connection between the SSH Sentinel software and a Prestige router. Two devices need to be configured: Sentinel and the Prestige router.
As shown in the figure below, the tunnel between PC 1, which has Sentinel installed, and the Prestige secures the packets that flow between them, because packets that go through the IPSec tunnel are encrypted. The required settings for Sentinel and Prestige are explained in the following sections. As the red pipe in the figure shows, the tunnel endpoints are Sentinel and Prestige.
The IP addresses used in this example are shown below.
PC 1 | Prestige | PC2
<Dynamic IP> | LAN: 192.168.1.1, WAN: <Dynamic IP> | 192.168.1.33
See the VPN rule screen shot
Set IKE Phase 1 and Phase 2 parameters.
If you use SMT management, the VPN configurations are as shown below.
    Menu 27.1.1 - IPSec Setup
    Index #= 1                    Name= to_sentinel
    Active= Yes                   Keep Alive= Yes
    Local ID type= IP             Content= 0.0.0.0
    My IP Addr= 0.0.0.0
    Peer ID type= IP              Content= 0.0.0.0
    Secure Gateway Addr= 0.0.0.0
    Protocol= 0
    Local:  Addr Type= SUBNET
            IP Addr Start= 192.168.1.0    End/Subnet Mask= 255.255.255.0
            Port Start= 0                 End= N/A
    Remote: Addr Type= N/A
            IP Addr Start= N/A            End/Subnet Mask= N/A
            Port Start= N/A               End= N/A
    Enable Replay Detection= No
    Key Management= IKE
    Edit Key Management Setup= No
    Press ENTER to Confirm or ESC to Cancel:
1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE:
   In Phase 1, two IKE peers establish a secure channel for key exchange.
   In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission.
Please note that any configuration in 'IKE Setup' should match the settings configured in Sentinel.
    Menu 27.1.1.1 - IKE Setup
    Phase 1
      Negotiation Mode= Main
      Pre-Shared Key= 12345678
      Encryption Algorithm= DES
      Authentication Algorithm= MD5
      SA Life Time (Seconds)= 33600
      Key Group= DH1
    Phase 2
      Active Protocol= ESP
      Encryption Algorithm= DES
      Authentication Algorithm= MD5
      SA Life Time (Seconds)= 28800
      Encapsulation= Tunnel
      Perfect Forward Secrecy (PFS)= None
    Press ENTER to Confirm or ESC to Cancel:
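Because every value in 'IKE Setup' has to match the Sentinel side, the following added example (not ZyXEL's or SSH's code) parses the menu 27.1.1.1 values from this page, reports fields that differ from a peer's settings, and lists values that are weak by current standards (DES, MD5, DH1, no PFS). The function names, the `WEAK` table and the Sentinel-side values are assumptions made for illustration.

```python
# Added example: parse a Prestige SMT "IKE Setup" screen and audit it.
# MENU holds the menu 27.1.1.1 values from this page, one field per line.
MENU = """\
Menu 27.1.1.1 - IKE Setup
Phase 1
  Negotiation Mode= Main
  Pre-Shared Key= 12345678
  Encryption Algorithm= DES
  Authentication Algorithm= MD5
  SA Life Time (Seconds)= 33600
  Key Group= DH1
Phase 2
  Active Protocol= ESP
  Encryption Algorithm= DES
  Authentication Algorithm= MD5
  SA Life Time (Seconds)= 28800
  Encapsulation= Tunnel
  Perfect Forward Secrecy (PFS)= None
"""

# Values considered weak or disabled today (general guidance, not from the page).
WEAK = {"Encryption Algorithm": {"DES"}, "Authentication Algorithm": {"MD5"},
        "Key Group": {"DH1"}, "Perfect Forward Secrecy (PFS)": {"None"}}

def parse_ike_menu(text):
    """Return {(phase, field): value}; phase disambiguates repeated field names."""
    settings, phase = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Phase "):
            phase = line
        elif "=" in line and phase:
            field, value = line.split("=", 1)
            settings[(phase, field.strip())] = value.strip()
    return settings

def mismatches(local, peer):
    """Fields whose value differs from the peer's (the page requires a match)."""
    return sorted(k for k in peer if k in local and local[k] != peer[k])

def weak_settings(settings):
    """Fields set to a value listed in WEAK."""
    return sorted(k for k, v in settings.items() if v in WEAK.get(k[1], ()))

if __name__ == "__main__":
    prestige = parse_ike_menu(MENU)
    # Constructed Sentinel-side values (hypothetical), with one deliberate mismatch.
    sentinel = {("Phase 1", "Encryption Algorithm"): "DES",
                ("Phase 1", "Key Group"): "DH2",
                ("Phase 2", "Authentication Algorithm"): "MD5"}
    print("mismatch:", mismatches(prestige, sentinel))
    print("weak:", weak_settings(prestige))
```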
Note:
A. When building a VPN between Sentinel and Prestige, the tunnel can't be initiated from the Prestige side. Always initiate the tunnel from Sentinel.
B. The VPN tunnel on Sentinel can't be initiated by triggered packets (such as ping, FTP, Telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing "Select VPN" from the SSH/Sentinel tray.
NOTE:
Check your Prestige's release notes. If your current firmware version doesn't support megabytes as an SA lifetime unit, you have to set the megabytes value in the SA lifetime to zero. Switch to Security Policy; the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...
All contents copyright (c) 2005 ZyXEL Communications Corporation.