Using VPN over Wireless LAN

  1. Setup Sentinel
  2. Setup Prestige VPN

You can use IPsec to add confidentiality to your wireless connections. This document explains how it works and how to configure VPN rules on both the Prestige and your wireless station. The diagram below depicts the scenario: the tunnel protects the wireless hop between the laptop and the Prestige, so all traffic between your Wireless LAN station and the AP is encrypted and cannot be read by an eavesdropper on the Wireless LAN. The IPsec rule in this example only encrypts the traffic; for station authentication, use 802.1x, which the Prestige wireless solutions also provide.


The IP addresses used in this example are as follows:

  PC1 (wireless station):  192.168.1.33
  Prestige LAN:            192.168.1.1
  Prestige WAN:            172.21.1.252

Before you continue, note that this document assumes you have already deployed your Wireless LAN, including the configuration of both your WLAN station and the Prestige WLAN. If you have not completed that yet, first see the application note on configuring WLAN in Infrastructure Mode.


1. Setup Sentinel

  1. From the tool tray of your Windows system, right-click the SSH Sentinel icon and choose Run Policy Editor.

  2. Choose Key Management. Select My Keys, then press the Add... button.

  3. Select Create a preshared key and press Next.

  4. Name this preshared key Prestige, then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally press Finish. The same key is entered on the Prestige in section 2; "12345678" is only a placeholder for this walkthrough, so use a long random secret in a real deployment, since the preshared key is what authenticates the peer in main mode.

  5. Press Apply in the main menu to save the above settings for later use.

  6. Switch to the Security Policy tab. Choose VPN connections, then press Add...

  7. The Add VPN Connection window pops up. Press the IP button beside the Gateway Name box and enter the Prestige's LAN IP address (192.168.1.1) as the Gateway IP address.

  8. Press the ... button beside Remote network.

  9. The Network Editor window pops up. Press New, enter Prestige as the Network name, 192.168.1.0 in the IP address field and 0.0.0.0 in the Subnet Mask field, then click OK to return to the Add VPN Connection window. (The 0.0.0.0 mask matches the 0.0.0.0 Local IP range configured on the Prestige in section 2.)

  10. Choose Prestige as the Authentication Key, then click OK to save.

  11. The SSH Sentinel Policy Editor now lists a new VPN connection, 192.168.1.1 (Prestige). Select it and press the Properties... button.

  12. Press the Settings button in the Remote endpoint section and uncheck both "Acquire virtual IP address" and "Extended authentication".

  13. Set the IKE proposal to Encryption algorithm DES, Integrity function MD5, IKE mode main mode and IKE group MODP 768 (group 1), and the IPSec proposal to Encryption algorithm DES, Integrity function HMAC-MD5 and PFS group none. These are the weakest choices IKE offers (single DES, MD5 and a 768-bit group) and are used here only because they match the Prestige rule in section 2; if both your Prestige firmware and Sentinel offer stronger options (for example 3DES or AES, SHA-1 and a larger DH group), choose them, and keep the two sides identical or phase 1 will not complete.

  14. Press Apply to save all of the settings.

  15. Initiate the VPN connection from Sentinel by choosing your VPN connection from the Select VPN item.

Note:

A. When building a VPN between Sentinel and the Prestige, the tunnel cannot be initiated from the Prestige side. Always initiate the tunnel from Sentinel.

B. The VPN tunnel on Sentinel cannot be brought up by triggering packets (ping, ftp, telnet, HTTP, etc.). You can only initiate the tunnel by choosing "Select VPN" from the SSH Sentinel tray icon.

NOTE:

Check your Prestige's release notes: if your current firmware version does not support megabytes as an SA lifetime unit, you have to set the Mega Bytes value in the SA lifetime to zero. In the Security Policy tab, the setting is under <Your VPN connection>/Properties.../Advanced Tab/Settings...


2. Setup Prestige VPN

  1. Using a web browser, log in to the Prestige by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default web configurator password is 1234; change the default password before relying on the device.
  2. Go to Advanced -> VPN.
  3. Set Negotiation Mode to Main, as configured in Sentinel.
  4. Local IP: Address Type is Subnet, Address Start is 0.0.0.0 and End/Subnet Mask is 0.0.0.0.
  5. Remote IP: leave the fields at their defaults.
  6. My IP Addr is the LAN IP of the Prestige (192.168.1.1).
  7. Secure Gateway IP Addr is 0.0.0.0 (the remote peer's address is not fixed; the peer is authenticated by the preshared key).
  8. Set Encapsulation Mode to Tunnel.
  9. Check the ESP check box. (AH cannot be used in the SUA/NAT case, because AH authenticates the IP header fields that NAT rewrites.)
  10. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as configured in Sentinel.
  11. Enter the key string 12345678 in the Preshared Key text box and click Apply.
  12. Press the Advanced button to set the IKE phase 1 and phase 2 parameters; they must match the Sentinel proposals from section 1 (main mode, DES, MD5, MODP 768, no PFS).
  13. Telnet or console-connect to the Prestige SMT menu 24.8 and issue the command "ipsec route lan on". Note that a command issued only in Menu 24.8 is lost after a reboot. To make it permanent, store it in autoexec.net with the following CI commands in Menu 24.8:

    a. type "sys edit autoexec.net"
    b. press "i", then type "ipsec route lan on"
    c. press "x" to save the configuration.

(Screenshot: the VPN rule screen)

(Screenshot: IKE Phase 1 and Phase 2 parameters)
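Both procedures above come down to one requirement: the phase 1 proposal Sentinel sends must match the Prestige rule, or the tunnel never comes up. The following Python is an added example, not code from ZyXEL or SSH Sentinel. It decodes an IKEv1 ISAKMP SA payload (field layouts from RFC 2408 and RFC 2409), checks the offered exchange type and transform against the rule this note configures (main mode, DES, MD5, preshared key, MODP 768), flags a lifetime offered in kilobytes (the Mega Bytes setting discussed in the NOTE above), and names the algorithms that are weak by today's standards. The two packets at the bottom are constructed for the example rather than captured from Sentinel, and the helper names (parse_phase1, check_proposal, build_phase1_packet) are the example's own. It parses a single proposal, which is all this note configures.

```python
"""Decode an IKEv1 phase 1 proposal and check it against the Prestige rule in this
note (main mode, DES, MD5, preshared key, MODP 768).  Field layouts follow RFC 2408
(ISAKMP) and RFC 2409 (IKE).  The packets at the bottom are constructed for the
example, not captures from Sentinel."""
import struct

EXCHANGE_TYPES = {2: "main mode", 4: "aggressive mode"}
PAYLOAD_SA, PAYLOAD_TRANSFORM = 1, 3
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE = 1, 2, 3, 4, 11
NAMES = {  # attribute type -> {value: name}, from the IKE phase 1 attribute registry
    ATTR_ENC: {1: "DES", 5: "3DES", 7: "AES"},
    ATTR_HASH: {1: "MD5", 2: "SHA1"},
    ATTR_AUTH: {1: "preshared key", 3: "RSA signature"},
    ATTR_GROUP: {1: "MODP 768", 2: "MODP 1024", 5: "MODP 1536", 14: "MODP 2048"},
}
WEAK = {"DES", "MD5", "MODP 768", "MODP 1024"}  # far below current minimums
# What the Prestige rule configured in section 2 accepts for phase 1.
EXPECTED = {ATTR_ENC: 1, ATTR_HASH: 1, ATTR_AUTH: 1, ATTR_GROUP: 1}


def parse_attributes(data):
    """Decode SA attributes: TV form (bit 15 set, 2-byte value) or TLV form."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        atype, second = struct.unpack_from("!HH", data, pos)
        if atype & 0x8000:                      # TV: 'second' is the value
            value, pos = second, pos + 4
        else:                                   # TLV: 'second' is the length
            value = int.from_bytes(data[pos + 4:pos + 4 + second], "big")
            pos += 4 + second
        attrs[atype & 0x7FFF] = value
    return attrs


def parse_phase1(packet):
    """Return (exchange name, [{attr type: value} per transform]) from the SA payload."""
    if len(packet) < 40:
        raise ValueError("too short for an ISAKMP header plus SA payload")
    _ic, _rc, nxt, version, exchange, _flags, _msgid, length = struct.unpack_from("!8s8sBBBBII", packet, 0)
    if version >> 4 != 1 or length != len(packet) or nxt != PAYLOAD_SA:
        raise ValueError("not an IKEv1 packet that starts with an SA payload")
    _n, _r, _salen, doi, _sit = struct.unpack_from("!BBHII", packet, 28)
    if doi != 1:
        raise ValueError("DOI is not IPsec")
    pos = 40                                    # first proposal payload
    _n, _r, _plen, _pnum, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", packet, pos)
    if proto != 1:
        raise ValueError("proposal protocol is not ISAKMP")
    pos += 8 + spi_size
    transforms = []
    for _ in range(ntrans):
        _n, _r, tlen, _tnum, _tid, _ = struct.unpack_from("!BBHBBH", packet, pos)
        transforms.append(parse_attributes(packet[pos + 8:pos + tlen]))
        pos += tlen
    return EXCHANGE_TYPES.get(exchange, f"exchange type {exchange}"), transforms


def describe(transform):
    """Algorithm names for one transform, in enc/hash/auth/group order."""
    return [NAMES[t].get(transform.get(t), f"attr{t}={transform.get(t)}")
            for t in (ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP)]


def weak_algorithms(transform):
    return [name for name in describe(transform) if name in WEAK]


def check_proposal(packet, expected=EXPECTED, want_exchange="main mode"):
    """Findings that would stop the Prestige rule from matching; [] means it should negotiate."""
    exchange, transforms = parse_phase1(packet)
    findings = []
    if exchange != want_exchange:
        findings.append(f"negotiation mode is {exchange}, rule is set to {want_exchange}")
    if not any(all(t.get(k) == v for k, v in expected.items()) for t in transforms):
        findings.append("no transform matches the rule's encryption/authentication/DH group")
    if any(t.get(ATTR_LIFE_TYPE) == 2 for t in transforms):  # life type 2 = kilobytes
        findings.append("lifetime offered in kilobytes; zero Sentinel's Mega Bytes lifetime if the firmware lacks it")
    return findings


def build_phase1_packet(exchange, transforms, icookie=b"\x11" * 8):
    """Constructed sample: ISAKMP header + one SA payload, one proposal, N transforms."""
    tdata = b""
    for i, attrs in enumerate(transforms, 1):
        body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)
        nxt = PAYLOAD_TRANSFORM if i < len(transforms) else 0
        tdata += struct.pack("!BBHBBH", nxt, 0, 8 + len(body), i, 1, 0) + body  # transform id 1 = KEY_IKE
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(tdata), 1, 1, 0, len(transforms)) + tdata
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal   # DOI 1 = IPsec, SIT_IDENTITY_ONLY
    return struct.pack("!8s8sBBBBII", icookie, bytes(8), PAYLOAD_SA, 0x10, exchange, 0, 0, 28 + len(sa)) + sa


# Constructed samples: what Sentinel offers after step 13 of section 1, and a mismatched client.
SENTINEL_OK = build_phase1_packet(2, [[(ATTR_ENC, 1), (ATTR_HASH, 1), (ATTR_AUTH, 1), (ATTR_GROUP, 1), (ATTR_LIFE_TYPE, 1)]])
SENTINEL_BAD = build_phase1_packet(4, [[(ATTR_ENC, 5), (ATTR_HASH, 2), (ATTR_AUTH, 1), (ATTR_GROUP, 2)]])

if __name__ == "__main__":
    for name, pkt in (("ok", SENTINEL_OK), ("mismatch", SENTINEL_BAD)):
        exchange, transforms = parse_phase1(pkt)
        print(name, exchange, describe(transforms[0]), "weak:", weak_algorithms(transforms[0]))
        print("  findings:", check_proposal(pkt) or "none")
```

To use it against the real client, capture the first UDP/500 datagram from the wireless station on the Prestige LAN side and pass its UDP payload bytes to check_proposal(); an empty result means the offer matches the rule from section 2, and weak_algorithms() on the decoded transform shows why the DES/MD5/MODP 768 choice should be upgraded on both sides whenever the firmware allows.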


All contents copyright (c) 2005 ZyXEL Communications Corporation.