TheGreenBow IPSec VPN Client Configuration Guide Vigor 2910

Similar documents
Linksys BEFVP41. TheGreenBow IPSec VPN Client. Configuration Guide.

BIPAC 7500G. TheGreenBow IPSec VPN Client. Configuration Guide.

Contact:

Linksys RV042. TheGreenBow IPSec VPN Client Configuration Guide.

T.D.T. R-Router Series

Zywall 5. TheGreenBow IPSec VPN Client Configuration Guide.

Configuration Guide written by: Writer: TheGreenBow Engineering Team Company:

TheGreenBow IPsec VPN Client. Configuration Guide CISCO RV042. Website: Contact:

Billion BiGuard S10. TheGreenBow IPSec VPN Client. Configuration Guide.

Configuration Guide WatchGuard XTM 33

Netscreen NS-5GT. TheGreenBow IPSec VPN Client. Configuration Guide.

Configuration Guide Barracuda NG Firewall. TheGreenBow IPsec VPN Client. Written by: TheGreenBow TechSupport Team Company:

TheGreenBow IPsec VPN Client. Configuration Guide Palo Alto. Website: Contact:

Linksys WRVS4400N. TheGreenBow IPSec VPN Client. Configuration Guide.

First Choice Internet

T.D.T. M-/G- Series. TheGreenBow IPSec VPN Client. Configuration Guide.

Vyatta Router. TheGreenBow IPSec VPN Client. Configuration Guide. with Certificate.

TheGreenBow IPsec VPN Client. Configuration Guide STORMSHIELD. Website: Contact:

Efficient SpeedStream 5861

Case 1: VPN direction from Vigor2130 to Vigor2820

BiGuard C01 BiGuard VPN Client Quick Installation Guide (BiGuard series VPN enabled devices) Secure access to Company Network

Configuration of an IPSec VPN Server on RV130 and RV130W

Example - Configuring a Site-to-Site IPsec VPN Tunnel

Quick Note. Configure an IPSec VPN tunnel between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

VPNC Scenario for IPsec Interoperability

Firepower Threat Defense Site-to-site VPNs

FAQ about Communication

Use the IPSec VPN Wizard for Client and Gateway Configurations

How to create the IPSec VPN between 2 x RS-1200?

Service Managed Gateway TM. How to Configure and Debug Generic Routing Encapsulation (GRE)

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

Virtual Tunnel Interface

Quick Note 65. Configure an IPSec VPN tunnel between a TransPort WR router and an Accelerated SR router. Digi Technical Support 7 June 2018

LP-1521 Wideband Router 123 Manual L VPN Configuration between two LP-1521`s with Dynamic IP.

Table of Contents 1 IKE 1-1

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Greenbow VPN Client Example

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Google Cloud VPN Interop Guide

How to Configure IPSec Tunneling in Windows 2000

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

DFL-210, DFL-800, DFL-1600 How to setup IPSec VPN connection with DI-80xHV

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

Service Managed Gateway TM. Configuring IPSec VPN

Proxicast IPSec VPN Client Example

A specific IP with specific Ports and Protocols uses a dedicated WAN (Load Balance Policy).

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

Configuration Guide. How to connect to an IPSec VPN using an iphone in ios. Overview

SonicWALL VPN with Win2K using IKE Prepared by SonicWALL, Inc. 05/01/2001

Integration Guide. Oracle Bare Metal BOVPN

KB How to Configure IPSec Tunneling in Windows 2000

Configure Cisco Router For Remote Access Ipsec Vpn Connections

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Sample excerpt. Virtual Private Networks. Contents

Connecting the DI-804V Broadband Router to your network

Appendix B NETGEAR VPN Configuration

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the SonicWall Firewall.

FortiGate IPSec VPN Subnet-address Translation Technical Note

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Configuring VPNs in the EN-1000

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

HOW TO CONFIGURE AN IPSEC VPN

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems

VPN Ports and LAN-to-LAN Tunnels

Configuring an IPSec Tunnel Between a Cisco VPN 3000 Concentrator and a Checkpoint NG Firewall

Virtual Private Networks

VPN Tracker for Mac OS X

Digi Application Guide Configure VPN Tunnel with Certificates on Digi Connect WAN 3G

Chapter 8: Lab B: Configuring a Remote Access VPN Server and Client

Setting IPSec VPN connection between two SMC BR21VPN

Configuration Summary

The EN-4000 in Virtual Private Networks

Fortinet NSE7 Exam. Volume: 30 Questions

Configuring a Hub & Spoke VPN in AOS

Dynamic Multipoint VPN between CradlePoint and Cisco Router Example

CCNA Security PT Practice SBA

VPN Tracker for Mac OS X

es T tpassport Q&A * K I J G T 3 W C N K V [ $ G V V G T 5 G T X K E G =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX *VVR YYY VGUVRCUURQTV EQO

Site-to-Site VPN with SonicWall Firewalls 6300-CX

Chapter 5 Virtual Private Networking

VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example

VPN Connection through Zone based Firewall Router Configuration Example

Application Note 11. Main mode IPSec between a Windows 2000 / XP (responder) and a Digi Transport Router (initiator)

Configuring an IPSec Tunnel Between a Cisco SA500 and the Cisco VPN Client

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Application Note. Applies to MultiMax

Configuring the VPN Client

VPN Tracker for Mac OS X

WLAN Handset 2212 Installation and Configuration for VPN

HowTo IPSec Roadwarrior using PSK

S2S VPN with Azure Route Based

K15344: Troubleshooting the IPsec tunnel between two BIG-IP AFM systems

Transcription:

TheGreenBow IPSec VPN Client Configuration Guide Vigor 2910

Table of contents 1 Introduction 1.1 Goal of this document 1.2 VPN network topology 2 IPSec Main Mode Configuration 2.1 Vigor 2910 Configuration 2.2 TheGreenBow IPSec VPN Client Configuration 2.2.1 VPN Client Phase 1(IKE) Configuration 2.2.2 VPN Client Phase 2(IPSec) Configuration 2.2.3 Open the IPSec VPN tunnels 3 IPSec Aggressive Mode Configuration 3.1 Vigor 2910 Configuration 3.2 TheGreenBow IPSec VPN Client Configuration 3.2.1 VPN Client Phase 1(IKE) Configuration 3.2.2 VPN Client Phase 2(IPSec) Configuration 3.2.3 Open the IPSec VPN tunnels 4 VPN IPSec Troubleshooting 4.1 «PAYLOAD MALFORMED» error 4.2 «INVALID COOKIE» error 4.3 «no keystate» error 4.4 «received remote ID other than expected» error 4.5 «NO PROPOSAL CHOSEN» error 4.6 «INVALID ID INFORMATION» error 4.7 I clicked on Open tunnel, but nothing happens. 4.8 The VPN tunnel is up but I can t ping! 5 Contacts

1 Introduction 1.1 Goal of this document This VPN configuration guide describes how to configure TheGreenBow IPSec VPN Client with a Vigor 2910 router. 1.2 Network topology In our example, we will connect TheGreenBow VPN client to the LAN behind the Vigor 2910 Router. The VPN Client is connected to the Internet by a dialup/dsl connection from an ISP. The client will have a virtual IP address in the remote LAN. All the addresses in this document are given for example purpose.

2 IPSec Main Mode Configuration 2.1 Vigor 2910 Configuration This section describes how to build an IPSec VPN configuration(main mode) with your Vigor 2910 VPN router. Refer to http://www.draytek.com/support/index.php for more information. Vigor VPN configuration can be achieved with a web browser, so once connected to your VPN gateway, use the following setup links to configure the VPN. VPN and Remote Access Setup 1. Click on Remote Dial-in User link. Then click one index number to open an individual setup page for a dial-in user account, as shown below. a. Check the item Enable this account to activate the individual dial-in user account. b. Enter a number for Idle Timeout. Set it to 0 means no idle timeout. c. Make sure IPSec Tunnel is selected. d. Enable Specify Remote Node and type the IP address of the VPN client. e. Afterward, you should fill a Pre-Shared Key for this specific node. Press the IKE Pre-Shared Key button and enter the key in the pop-up window.

f. Select appropriate encryption algorithms in the IPSec Security Method field. This setup is for phase 2. Note: By default Vigor accepts all the attributes proposed by the VPN client. Note: If you Enable Specify Remote Node in step d, this profile is specified to one fixed remote user. If you want to create a profile which can be applied to many users, especially those who use dynamic IP addresses, don t check this box. In this case, you can t enter the Pre-Shared key as the way described in step e. You must setup the Pre-shared key in VPN and Remote Access Setup > IPSec General Setup

2.2 TheGreenBow IPSec VPN Client Configuration 2.2.1 VPN Client Phase 1(IKE) Configuration a. In the "Interface" field, you can select a star ("*"), if the VPN Client host receives a dynamic IP Address from an ISP for example. b. "Remote Gateway" field value is the Vigor 2910 router public IP address or DNS address. c. "Preshared Key" field value must be identical with the pre-shared key set in Vigor 2910 router. d. In the "IKE" field, Vigor router supports the following parameters. Encryption: DES/3DES Authentication: MD5/SHA Key Group: DH768/DH1024 Phase 1 configuration

2.2.2 VPN Client Phase 2(IPSec) Configuration a. In the "VPN Client address" field, you may define a static virtual IP address here. You can type any IP address here, even 0.0.0.0. It does not prevent you from establishing a VPN tunnel. b. Select Subnet address as "Address type", and enter the IP address (and subnet mask) of the remote LAN. c. In the "IKE" field, Vigor router supports the following parameters. Encryption: DES/3DES/AES128 Authentication: MD5/SHA Mode: Tunnel PFS Group: DH768/DH1024 Phase 2 configuration

2.2.3 Open the IPSec VPN tunnels Once both Vigor 2910 router and TheGreenBow IPSec VPN Client have been configured accordingly, you are ready to open VPN tunnels. First make sure you enable your firewall with IPSec traffic. 1. Click on "Apply Rules" to take into account all modifications we've made on your VPN Client configuration 2. Click on "Open Tunnel", or generate traffic that will automatically open a secure IPSec VPN Tunnel (e.g. ping, IE browser) 3. Select "Connections" to see opened VPN Tunnels 4. Select "Console" if you want to access to the IPSec VPN logs and adjust filters to display less IPSec messaging.

3 IPSec Aggressive Mode Configuration 3.1 Vigor 2910 Configuration This section describes how to build an IPSec VPN configuration(aggressive mode) with your Vigor 2910 VPN router. Refer to http://www.draytek.com/support/index.php for more information. Vigor VPN configuration can be achieved with a web browser, so once connected to your VPN gateway, use the following setup links to configure the VPN. Advanced Setup > VPN and Remote Access Setup 1. Click on Remote User Profile Setup (Teleworker) link. Then click one index number to open an individual setup page for a dial-in user account, as shown below. a. Check the item Enable this account to activate the individual dial-in user account. b. Enter a number for Idle Timeout. Set it to 0 means no idle timeout. c. Make sure IPSec Tunnel is selected. d. Enable Specify Remote Node and type the Peer ID of the VPN client. The corresponding value set in TheGreenBow is Local ID. e. Afterward, you should fill a Pre-Shared Key for this specific node. Press the IKE Pre-Shared Key button and enter the key in the pop-up window.

f. Select appropriate encryption algorithms in the IPSec Security Method field. This setup is for phase 2. Note: By default Vigor accepts all the attributes proposed by the VPN client. Note: The Local ID field is optional. If it is enabled, you must setup the Remote ID in TheGreenBow.

3.2 TheGreenBow IPSec VPN Client Configuration 3.2.1 VPN Client Phase 1(IKE) Configuration a. In the "Interface" field, you can select a star ("*"), if the VPN Client host receives a dynamic IP Address from an ISP for example. b. "Remote Gateway" field value is the Vigor 2910 router public IP address or DNS address. c. "Preshared Key" field value must be identical with the pre-shared key set in Vigor 2910 router. d. In the "IKE" field, Vigor router supports the following parameters. Encryption: DES/3DES Authentication: MD5/SHA Key Group: DH768/DH1024 Phase 1 configuration e. Click the Advance button. In the pop-up window please enable Aggressive Mode. Then you must setup the Local ID field. The Value must be identical with the one set in Vigor 2910 router(step d). Vigor only support DNS and Email types. Note: If you setup the Local ID field in Vigor 2910 router, the Remote ID field in TheGreenBow must be configured also.

3.2.2 VPN Client Phase 2(IPSec) Configuration a. In the "VPN Client address" field, you may define a static virtual IP address here. You can type any IP address here, even 0.0.0.0. It does not prevent you from establishing a VPN tunnel. b. Select Subnet address as "Address type", and enter the IP address (and subnet mask) of the remote LAN. c. In the "IKE" field, Vigor router supports the following parameters. Encryption: DES/3DES/AES128 Authentication: MD5/SHA Mode: Tunnel PFS Group: DH768/DH1024 Phase 2 configuration

3.2.3 Open the IPSec VPN tunnels Once both Vigor 2910 router and TheGreenBow IPSec VPN Client have been configured accordingly, you are ready to open VPN tunnels. First make sure you enable your firewall with IPSec traffic. 1. Click on "Apply Rules" to take into account all modifications we've made on your VPN Client configuration 2. Click on "Open Tunnel", or generate traffic that will automatically open a secure IPSec VPN Tunnel (e.g. ping, IE browser) 3. Select "Connections" to see opened VPN Tunnels 4. Select "Console" if you want to access to the IPSec VPN logs and adjust filters to display less IPSec messaging.

4 VPN IPSec Troubleshooting 4.1 «PAYLOAD MALFORMED» error 114920 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [SA][VID] 114920 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [NOTIFY] 114920 Default exchange_run: exchange_validate failed 114920 Default dropped message from 195.100.205.114 port 500 due to notification type PAYLOAD_MALFORMED 114920 Default SEND Informational [NOTIFY] with PAYLOAD_MALFORMED error If you have an «PAYLOAD MALFORMED» error you might have a wrong Phase 1 [SA], check if the encryption algorithms are the same on each side of the VPN tunnel. 4.2 «INVALID COOKIE» error 115933 Default message_recv: invalid cookie(s) 5918ca0c2634288f 7364e3e486e49105 115933 Default dropped message from 195.100.205.114 port 500 due to notification type INVALID_COOKIE 115933 Default SEND Informational [NOTIFY] with INVALID_COOKIE error If you have an «INVALID COOKIE» error, it means that one of the endpoint is using a SA that is no more in use. Reset the VPN connection on each side. 4.3 «no keystate» error 115315 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [SA][VID] 115317 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [SA][VID] 115317 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [KEY][NONCE] 115319 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [KEY][NONCE] 115319 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY] 115319 Default ipsec_get_keystate: no keystate in ISAKMP SA 00B57C50 Check if the preshared key is correct or if the local ID is correct (see «Advanced» button). You should have more information in the remote endpoint logs. 4.4 «received remote ID other than expected» error 120348 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [SA][VID] 120349 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [SA][VID] 120349 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [KEY][NONCE] 120351 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [KEY][NONCE] 120351 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY] 120351 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY] 120351 Default ike_phase_1_recv_id: received remote ID other than expected support@thegreenbow.fr The «Remote ID» value (see «Advanced» Button) does not match what the remote endpoint is expected.

4.5 «NO PROPOSAL CHOSEN» error 115911 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [SA][VID] 115913 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [SA][VID] 115913 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [KEY][NONCE] 115915 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [KEY][NONCE] 115915 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY] 115915 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY] 115915 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114 115915 Default (SA BEFVP41-BEFVP41-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE] 115915 Default RECV Informational [HASH][NOTIFY] with NO_PROPOSAL_CHOSEN error 115915 Default RECV Informational [HASH][DEL] 115915 Default BEFVP41-P1 deleted If you have an «NO PROPOSAL CHOSEN» error, check that the «Phase 2» encryption algorithms are the same on each side of the VPN Tunnel. Check «Phase 1» algorithms if you have this: 115911 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [SA][VID] 115911 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error 4.6 «INVALID ID INFORMATION» error 122623 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [SA][VID] 122625 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [SA][VID] 122625 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [KEY][NONCE] 122626 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [KEY][NONCE] 122626 Default (SA BEFVP41-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY] 122626 Default (SA BEFVP41-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY] 122626 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114 122626 Default (SA BEFVP41-BEFVP41-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE] 122626 Default RECV Informational [HASH][NOTIFY] with INVALID_ID_INFORMATION error 122626 Default RECV Informational [HASH][DEL] 122626 Default BEFVP41-P1 deleted If you have an «INVALID ID INFORMATION» error, check if «Phase 2» ID (local address and network address) is correct and match what is expected by the remote endpoint. Check also ID type ( Subnet address and Single address ). If network mask is not check, you are using a IPV4_ADDR type (and not a IPV4_SUBNET type). 4.7 I clicked on Open tunnel, but nothing happens. Read logs of each VPN tunnel endpoint. IKE requests can be dropped by firewalls. An IPSec Client uses UDP port 500 and protocol ESP (protocol 50). 4.8 The VPN tunnel is up but I can t ping! If the VPN tunnel is up, but you still cannot ping the remote LAN, here are a few guidelines: Check Phase 2 settings: VPN Client address and Remote LAN address. Usually, VPN Client IP address should not belong to the remote LAN subnet Once VPN tunnel is up, packets are sent with ESP protocol. This protocol can be blocked by firewall. Check that every device between the client and the VPN server does accept ESP Check your VPN server logs. Packets can be dropped by one of its firewall rules. Check your ISP support ESP If you still cannot ping, follow ICMP traffic on VPN server LAN interface and on LAN computer interface (with Ethereal for example). You will have an indication that encryption works.

Check the default gateway value in VPN Server LAN. A target on your remote LAN can receive pings but does not answer because there is a no Default gateway setting. You cannot access to the computers in the LAN by their name. You must specify their IP address inside the LAN. We recommend you to install ethereal (http://www.ethereal.com) on one of your target computer. You can check that your pings arrive inside the LAN.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback