Quick Note. Configure an IPSec VPN tunnel between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

Similar documents
Quick Note. Configure an IPSec VPN tunnel in Aggressive mode between a TransPort LR router and a Cisco router. Digi Technical Support 7 October 2016

Quick Note 65. Configure an IPSec VPN tunnel between a TransPort WR router and an Accelerated SR router. Digi Technical Support 7 June 2018

Digi Application Guide Configure VPN Tunnel with Certificates on Digi Connect WAN 3G

Quick Note 05. Configuring Port Forwarding to access an IP camera user interface on a TransPort LR54. 7 November 2017

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

Quick Note 13. Configuring a main mode IPsec VPN between a Digi TransPort and a Netgear DG834G. UK Support

Configuration Guide. How to connect to an IPSec VPN using an iphone in ios. Overview

Configuration of an IPSec VPN Server on RV130 and RV130W

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

VPNC Scenario for IPsec Interoperability

Application Note 11. Main mode IPSec between a Windows 2000 / XP (responder) and a Digi Transport Router (initiator)

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the SonicWall Firewall.

HOW TO CONFIGURE AN IPSEC VPN

Configuring VPNs in the EN-1000

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

Quick Note 060. Configure a TransPort router as an EZVPN Client (XAUTH and MODECFG) to a Cisco Router running IOS 15.x

Case 1: VPN direction from Vigor2130 to Vigor2820

Configuring LAN-to-LAN IPsec VPNs

Integration Guide. Oracle Bare Metal BOVPN

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

FAQ about Communication

Service Managed Gateway TM. How to Configure and Debug Generic Routing Encapsulation (GRE)

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

Efficient SpeedStream 5861

Virtual Tunnel Interface

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems

Virtual Private Networks

The EN-4000 in Virtual Private Networks

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Configuring a Hub & Spoke VPN in AOS

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

LAN-to-LAN IPsec VPNs

Configuring IPSec tunnels on Vocality units

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

S2S VPN with Azure Route Based

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

Quick Note 20. Configuring a GRE tunnel over an IPSec tunnel and using BGP to propagate routing information (GRE over IPSec with BGP)

Table of Contents 1 IKE 1-1

Configuring Remote Access IPSec VPNs

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Google Cloud VPN Interop Guide

Connecting DataCenters with OverLapping Private IP Addresses & Hiding Real Server IP For Security.

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

How to configure IPSec VPN between a CradlePoint router and a Fortinet router

Use the IPSec VPN Wizard for Client and Gateway Configurations

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

Chapter 6 Virtual Private Networking

Application Note 37 GRE over IPSEC with a Cisco Router UK Support November 2015

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Virtual Private Network. Network User Guide. Issue 05 Date

Proxy Protocol Support for Sophos UTM on AWS. Sophos XG Firewall How to Configure VPN Connections for Azure

Site-to-Site VPN with SonicWall Firewalls 6300-CX

VPN Overview. VPN Types

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

Abstract. Avaya Solution & Interoperability Test Lab

Internet Key Exchange

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

Firepower Threat Defense Site-to-site VPNs

VPN Setup for CNet s CWR g Wireless Router

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

Virtual Private Cloud. User Guide. Issue 03 Date

BiGuard C01 BiGuard VPN Client Quick Installation Guide (BiGuard series VPN enabled devices) Secure access to Company Network

Sample excerpt. Virtual Private Networks. Contents

LP-1521 Wideband Router 123 Manual L VPN Configuration between two LP-1521`s with Dynamic IP.

DFL-210, DFL-800, DFL-1600 How to setup IPSec VPN connection with DI-80xHV

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

VPN Configuration Guide. NETGEAR FVS318v3

Google Cloud VPN Interop Guide

WLAN Handset 2212 Installation and Configuration for VPN

How to Configure an IKEv1 IPsec Site-to-Site VPN to the Static Microsoft Azure VPN Gateway

VNS3 to Windows RRAS Instructions. Windows 2012 R2 RRAS Configuration Guide

M!DGE/MG102i VPN Configuration

OpenVPN protocol. Restrictions in Conel routers. Modified on: Thu, 14 Aug, 2014 at 2:29 AM

Appendix B NETGEAR VPN Configuration

NetVanta Series Quick Start Guide L2-13B May Network Diagram. Unpacking and Inspecting the System. Unit.

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

T.D.T. R-Router Series

Presenter John Baker

Cisco Exam Questions & Answers

Release Notes ( ) Digi TransPort WR/LR Product Family

Greenbow VPN Client Example

VPN Ports and LAN-to-LAN Tunnels

User Manual/Web Interface

How to configure IPSec VPN between a Cradlepoint router and a SRX or J Series Juniper router

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

Cisco Unified Operating System Administration Web Interface

Quick Note 026. Using the firewall of a Digi TransPort to redirect HTTP Traffic to a proxy server. Digi International Technical Support

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2

Cisco Unified Operating System Administration Web Interface for Cisco Emergency Responder

IPSec Site-to-Site VPN (SVTI)

Site-to-Site VPN. VPN Basics

Transcription:

Quick Note Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

Contents 1 Introduction... 3 1.1 Outline... 3 1.2 Assumptions... 3 1.3 Corrections... 4 2 Version... 4 3 Connect WAN Configuration (Responder)... 5 3.1 Tunnel Configuration... 5 3.1.1 Tunnel Settings... 5 3.1.2 Phase 1, Phase 2 & Pre-shared key settings... 7 4 TransPort LR54 Configuration... 9 4.1 Configure Phase 1 settings... 9 4.2 Configure Phase 2 settings... 10 4.2.1 Authentication and encryption settings... 10 4.2.2 Local and Remote traffic selector settings... 11 4.3 Configure Peer address... 12 4.4 Turn IPSec on... 12 5 Testing... 13

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway 1 INTRODUCTION 1.1 Outline This document will describe how to configure an IPSec VPN between a TransPort LR54 as the Initiator and a Connect WAN 3G as the Responder. The document will assume that WAN connectivity is configured and available on both units. IPSec VPN Tunnel 10.10.10.0/24 Internet Digi Connect WAN 3G 192.168.1.0/24 TransPort LR 54 1.2 Assumptions This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product and of the requirements for their specific application. It also assumes a basic ability to access and navigate a Digi TransPort router and configure it with basic routing functions This application note applies to: Model: DIGI TransPort LR54 and Connect WAN 3G Firmware versions: LR54: 1.1.0.6 and later DCWAN: 2.17.6.1 Configuration: This document assumes that the devices are set to their factory default configurations. Most configuration commands are shown only if they differ from the factory default. Please note: This application note has been specifically rewritten for the specified firmware versions and later but will work on earlier versions of firmware. Please contact tech.support@digi.com if your require assistance in upgrading the firmware of the TransPort or Connect WAN router. Page 3

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway 1.3 Corrections Requests for corrections or amendments to this application note are welcome and should be addressed to: tech.support@digi.com Requests for new application notes can be sent to the same address. 2 VERSION Version Number Status 1.0 published Page 4

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway 3 CONNECT WAN CONFIGURATION (RESPONDER) 3.1 Tunnel Configuration Open a web browser to the IP address of the Connect WAN router. Navigate to: Configuration Network > Virtual Private Network (VPN) Settings > VPN Policy Settings Click Add 3.1.1 Tunnel Settings Configure the VPN mode for incoming and set the remaining settings as required or like in the below example: Page 5

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway Parameter Setting Description Description LR54 Tun This is the description of the Tunnel VPN Tunnel ISAKMP Tunnel mode used. IPSec with IKE and Preshared key Local Endpoint Lan to Lan type VPN connecting 2 Local endpoint is a subnet Type subnets. VPN Mode Accept connections from any VPN device Responder mode Network Interface Mobile0 Interface used to build the IPSec VPN Tunnel Use the following as the identity dcwan3g Local ID Local Endpoint IP Local subnet IP Address on the 192.168.1.0 Address Connect WAN side Local Endpoint Local subnet Mask on the Connect 255.255.255.0 Subnet Mask WAN side Remote Endpoint Remote subnet IP Address on the 10.10.10.0 IP Address TransPort LR side Remote Enpoint Subnet Mask 255.255.255.0 Remote subnet Mask on the TransPort LR side Page 6

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway 3.1.2 Phase 1, Phase 2 & Pre-shared key settings Page 7

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway Parameter Setting Description Remote VPN ID lr54 Remote VPN ID used on the TransPort LR54 Pre-shared key digitestvpn123 Pre-shared key used for the Connection Mode Main Use Main mode as the connection mode. NAT Traversal Checked Enable NAT Traversal ISAKMP Phase 1 policies Authentication Pre-Shared Key PSK Authentication Encyprtion AES (256-bit) Encryption Type Integrity SHA1 Integrity algorithm SA Lifetime 86400 secs Security Association lifetime Diffie Hellman Group 14 DH Group ISAKMP Phase 2 Settings Diffie-Hellman Group 14 DH Group ISAKMP Phase 2 Policies Encryption AES (256-bit) Encryption Type Authentication SHA1 Authentication algorithm SA Lifetime 28200 Security Association lifetime Click Apply to save and apply the changes. Page 8

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway 4 TRANSPORT LR54 CONFIGURATION Please Note: At the time of this document, the configuration of the TransPort LR54 is exclusively done via CLI (Command Line Interface) All IKE and IPSec configuration is done within the ipsec command. The following command will show all available options: ipsec 1? 4.1 Configure Phase 1 settings Configure the IKE Phase 1 settings to match the settings of the Connect WAN Router. IKE version 1 SHA 1 Group 5 AES 256 4800 lifetime MAIN mode Enter the parameters as follow: digi.router> ipsec 1 ike 1 digi.router> ipsec 1 ike-authentication sha1 digi.router> ipsec 1 ike-diffie-hellman group5 digi.router> ipsec 1 ike-encryption aes256 digi.router> ipsec 1 ike-lifetime 4800 digi.router> ipsec 1 ike-mode main Type the following to verify the IKE Phase 1 settings: ipsec 1 ik? digi.router> ipsec 1 ik? Configures an IPsec Syntax: ipsec 1 <parameter> <value> Available Parameters: Parameter Current Value Description ----------------------------------------------------------------------------- --- ike 1 IKE version to use for this IPsec ike-authentication sha1 IKE authentication type for IPsec ike-diffie-hellman group5 IKE Diffie-Hellman group for IPsec ike-encryption aes256 IKE encryption type ike-lifetime 4800 Key lifetime in seconds Page 9

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway ike-mode main IKEv1 mode to use for this IPsec ike-tries 3 Number of attempts to negotiate 4.2 Configure Phase 2 settings 4.2.1 Authentication and encryption settings Configure the Phase 2 authentication and encryption settings to match the settings of the Connect WAN Router. Pre-shared key SHA 1 Group 5 AES 128 3600 lifetime psk Enter the parameters as follow: digi.router> ipsec 1 auth-by psk digi.router> ipsec 1 esp-authentication sha1 digi.router> ipsec 1 esp-diffie-hellman group5 digi.router> ipsec 1 esp-encryption aes128 digi.router> ipsec 1 lifetime 3600 digi.router> ipsec 1 psk digitestvpn123 Type the following to verify the Phase 2 authentication and encryption settings: digi.router> ipsec 1 es? Configures an IPsec Syntax: ipsec 1 <parameter> <value> Available Parameters: Parameter Current Value Description ----------------------------------------------------------------------------- --- esp-authentication sha1 ESP authentication type for IPsec esp-diffie-hellman group5 ESP Diffie-Hellman group for IPsec esp-encryption aes128 ESP encryption type for IPsec Page 10

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway 4.2.2 Local and Remote traffic selector settings Configure the Phase 2 local and remote traffic selector settings to match the settings of the Connect WAN Router. Local ID Remote ID Local network : 10.10.10.0 Local mask : 255.255.255.0 Remote network: 192.168.1.0 Remote mask : 255.255.255.0 Enter the parameters as follow: digi.router> ipsec 1 local-id lr54 digi.router> ipsec 1 remote-id dcwan3g digi.router> ipsec 1 local-mask 255.255.255.0 digi.router> ipsec 1 local-network 10.10.10.0 digi.router> ipsec 1 remote-mask 255.255.255.0 digi.router> ipsec 1 remote-network 192.168.1.0 Type the following to verify the Phase 2 local and remote traffic selector settings: digi.router> ipsec 1 loc? Configures an IPsec Syntax: ipsec 1 <parameter> <value> Available Parameters: Parameter Current Value Description ----------------------------------------------------------------------------- --- local-id lr54 Local ID used for this IPsec local-mask 255.255.255.0 Local network mask for this IPsec local-network 10.10.10.0 Local network for this IPsec digi.router> ipsec 1 rem? Configures an IPsec Syntax: ipsec 1 <parameter> <value> Available Parameters: Parameter Current Value Description ----------------------------------------------------------------------------- --- Page 11

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway remote-id dcwan3g Remote ID used for this IPsec remote-mask 255.255.255.0 Remote network mask for this remote-network 192.168.1.0 Remote network for this IPsec 4.3 Configure Peer address To configure the Peer address, in this example, the IP address of the Mobile interface of the Connect WAN router do the following: digi.router> ipsec 1 peer x.x.x.x x.x.x.x being an IP address reachable via the WAN interface of the LR54. 4.4 Turn IPSec on To enable the configured IPSec VPN, do the following: digi.router> ipsec 1 state on The configuration is complete and the should now be built. To verify if the is up, do the following: digi.router> show ipsec # Status Peer Local Remote Uptime --------------------------------------------------------------------------- 1 Up 90.122.0.189 10.10.10.0/24 192.168.1.0/24 10 seconds Page 12

Configure an IPSec VPN between a Digi TransPort LR router and a Digi Connect gateway 5 TESTING Verify that data is going through the by issueing a ping from the Connect WAN router to the local Ethernet interface of the LR54. From the web interface, this can be done from Administration > System Information > Diagnostic PING 10.10.10.1: 64 data bytes 64 bytes from 10.10.10.1: icmp_seq=0 time=41 ms 64 bytes from 10.10.10.1: icmp_seq=1 time=65 ms 64 bytes from 10.10.10.1: icmp_seq=2 time=87 ms --- 10.10.10.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss To test the VPN from the LR54 command line, it is needed to add a firewall rule in order to bypass the MASQUERADE (NAT) rules in place. Add the following rule: firewall -t nat -I POSTROUTING 1 -s 10.10.0.0/16 -d 192.168.1.0/24 -j ACCEPT To check the firewall and view the rule: firewall -t nat -L -v Ping should now be going through: digi.router> ping 192.168.1.50 PING 192.168.1.50 (192.168.1.50) 56(84) bytes of data. 64 bytes from 192.168.1.50: icmp_seq=1 ttl=255 time=3.86 ms 64 bytes from 192.168.1.50: icmp_seq=2 ttl=255 time=0.483 ms 64 bytes from 192.168.1.50: icmp_seq=3 ttl=255 time=0.492 ms 64 bytes from 192.168.1.50: icmp_seq=4 ttl=255 time=0.522 ms 64 bytes from 192.168.1.50: icmp_seq=5 ttl=255 time=0.518 ms --- 192.168.1.50 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4006ms rtt min/avg/max/mdev = 0.483/1.176/3.865/1.344 ms Page 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback