Issue:
How to configure a VPN using IKE pre-shared keys.
Solution:
Assuming that the Local router and the Remote router are already communicating over the network, regardless of the communication method (e.g., Frame-Relay, Leased PPP, ISDN, PPPoE), add the following VPN IKE configuration for security. Both routers require current VPN firmware.
Starting with the Local router configuration, from the main menu, select the following menus and options. Leave all other settings at their defaults.
1. Configuration menu
4. Packet Services menu
3. IP Security Set-up menu
1. IP Security [enabled]
6. Interfaces menu
1. IPSec interface [WAN]
Press the TAB key to return to the IP Security Set-up menu
3. IKE Peer Set-up menu
1. Edit IKE peer menu
For the "peer id or alias", enter a name to represent this IKE peer setup (e.g., IKEPEER1).
For the "template id or alias", enter "none".
2. Peer IP address [enter the remote router's LAN or WAN IP address]
Note: if this router is configured for a numbered link, use the WAN IP address. If configured for an unnumbered link, use the LAN IP address.
3. Peer Pre-shared key menu
1. Pre shared [enter a key value; the remote router's Pre-shared key must be set to this same value]
Press the TAB key.
5. IKE phase 1 negotiation menu
For the proposal id, enter "1".
1. Authentication method [Pre-Shared]
2. Integrity algorithm [HMAC-MD5]
3. Encryption algorithm [DES]
4. DH group [Group1]
5. Lifetime [none]
6. Proposal [Active] * Important: activate this proposal before continuing.
Press the TAB key 3 times to return to IP Security Setup menu.
4. Protection Set-up menu
1. Edit Protection suite menu
For the "protection id or alias", enter the same name that is specified for the Protection suite in the IPsec SA Proposal of the Policy item (e.g., PS1).
2. SA mode [tunnel]
3. Lifetime [none]
4. Lifetime data [none]
5. Transform-1 [DES] [MD5]
6. Transform-2 [disabled]
7. Transform-3 [disabled]
Press the TAB key 2 times to return to the IP Security Set-up menu.
5. Policy Set-up menu
7. Local IP address [enter this Local router's LAN or WAN IP address]
Note: if this router is configured for a numbered link, use the WAN IP address. If configured for an unnumbered link, use the LAN IP address.
1. Edit Item menu
For the "policy item id or alias", enter a name to represent this policy item (e.g., POLICY1).
5. Action [apply-IPsec]
6. SA Creation [IKE]
7. IKE ESP SA menu
1. Peer IP address [enter the remote router's LAN or WAN IP address]
Note: if configured for a numbered link, use the WAN IP address. If configured for an unnumbered link, use the LAN IP address.
2. IKE Phase 2 PFS [none]
3. IPsec SA Proposals menu
1. Protection Suite 1 [enter the same name specified for the Protection suite, e.g., PS1]
Press the TAB key twice.
8. Selection Rules menu
1. Src IP [enter Local router's LAN network address or narrow the range to a specific device address]
2. Dest IP [enter remote router's LAN network address or narrow the range to a specific device address]
3. Src port [any]
4. Dest port [any]
Press the TAB key to return to the Policy item menu.
Select option 3. Activate. This will activate the policy item. The Status option will change to [Active].
Press the = key to return to the main menu.
5. Save configuration
3. Diagnostics
1. Soft reset
You are done configuring the Local router. Next, repeat the above IKE configuration for the Remote router.
Note: IKE negotiation will not begin until data is sent from a device that is covered by the Src IP and Dest IP selection rules.
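Because the same steps are repeated on the Remote router, a mismatch between the two ends (pre-shared key, proposal values, swapped addresses) is the usual reason the tunnel never comes up. The following check is an added example, not part of the original article or the router's software: the dictionary keys mirror the menu labels above, the addresses and key are constructed, and the WEAK table is this example's own assessment that DES, HMAC-MD5 and DH Group1 are weak by current standards.

```python
import hmac

# Constructed sample values; keys mirror the menu labels, not a router export.
LOCAL = {
    "local_ip": "192.0.2.1", "peer_ip": "198.51.100.1", "psk": "example-key",
    "auth": "Pre-Shared", "integrity": "HMAC-MD5", "encryption": "DES",
    "dh_group": "Group1", "sa_mode": "tunnel", "transform_1": "DES/MD5",
    "src_ip": "192.168.1.0", "dest_ip": "192.168.2.0",
}
# The remote side repeats the settings with addresses and rules swapped.
REMOTE = dict(LOCAL, local_ip="198.51.100.1", peer_ip="192.0.2.1",
              src_ip="192.168.2.0", dest_ip="192.168.1.0")

# Assessment added by this example (not from the page): weak by current standards.
WEAK = {"integrity": {"HMAC-MD5"}, "encryption": {"DES"}, "dh_group": {"Group1"}}
MUST_MATCH = ("auth", "integrity", "encryption", "dh_group", "sa_mode", "transform_1")

def check_pair(local, remote):
    """Return a list of findings for the two routers' IKE settings."""
    findings = []
    # Each side's peer address must be the other side's local address.
    if local["peer_ip"] != remote["local_ip"]:
        findings.append("local peer_ip does not match remote local_ip")
    if remote["peer_ip"] != local["local_ip"]:
        findings.append("remote peer_ip does not match local local_ip")
    # The pre-shared key must be identical on both ends.
    if not hmac.compare_digest(local["psk"].encode(), remote["psk"].encode()):
        findings.append("pre-shared keys differ")
    # Phase 1 proposal and protection suite values must agree.
    for field in MUST_MATCH:
        if local[field] != remote[field]:
            findings.append(f"{field} differs: {local[field]} vs {remote[field]}")
    # Selection rules are mirrored: local Src is remote Dest and vice versa.
    if (local["src_ip"], local["dest_ip"]) != (remote["dest_ip"], remote["src_ip"]):
        findings.append("selection rules are not mirrored")
    # Flag algorithm choices listed in WEAK.
    for field, bad in WEAK.items():
        if local[field] in bad:
            findings.append(f"weak {field}: {local[field]}")
    return findings

if __name__ == "__main__":
    for line in check_pair(LOCAL, REMOTE):
        print(line)
```

With the values this article selects, the pair is consistent and only the three algorithm findings are reported; whether stronger options exist depends on the router's firmware, which the article does not list.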