Linux FreeS/WAN VPN to Prestige Tunneling

  1. Setup FreeS/WAN VPN
  2. Setup Prestige VPN

Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the User's Manual on the packaged CD-ROM.


This page shows how to set up a VPN connection between FreeS/WAN and a Prestige router. Two devices need to be configured for this case: the Linux FreeS/WAN box and the Prestige router.

As shown in the figure below, the tunnel between PC 1 and the Prestige secures the packets flowing between them, because packets that go through the IPSec tunnel are encrypted. The settings required on FreeS/WAN and on the Prestige to set up this VPN tunnel are explained in the following sections.

The IP addresses we use in this example are as shown below.

LAN 1             FreeS/WAN Linux box        Prestige                   LAN 2
192.168.10.0/24   LAN: 192.168.10.20         LAN: 192.168.0.254         192.168.0.0/24
                  WAN: 65.170.185.111        WAN: 202.132.170.1
                  Gateway: 65.170.185.65     Gateway: 202.132.170.254


1. Setup FreeS/WAN

We presume that your Linux kernel has been compiled with FreeS/WAN support and that FreeS/WAN has been installed successfully on your system. For more information, see http://www.freeswan.org/.

Two files must be configured in the /etc directory.

ipsec.conf:

config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
conn %default
        keyingtries=3
conn Prestige
        left=65.170.185.111
        leftsubnet=192.168.10.0/24
        leftnexthop=65.170.185.65
        right=202.132.170.1
        rightsubnet=192.168.0.0/24
        rightnexthop=202.132.170.254
        auto=start
        pfs=no
        authby=secret

ipsec.secrets:

65.170.185.111  202.132.170.1 : PSK  "12345678"

 


2. Setup Prestige VPN

  1. Using a web browser, log in to the Prestige by entering its LAN IP address in the URL field. The LAN IP in this example is 192.168.0.1; the default password for the web configurator is 1234.
  2. Click Advanced, then click the VPN tab on the left.
  3. On the SUMMARY menu, select a policy to edit by clicking Edit.
  4. On the CONFIGURE-IKE menu, check the Active check box and give this policy a name.
  5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main. Linux FreeS/WAN only supports Main mode.
  6. In the Local section, choose Subnet Address as the Address Type. Source IP Address Start is 192.168.0.0 and End is 255.255.255.0 in this example (the secure network behind the Prestige).
  7. In the Remote section, choose Subnet Address as the Address Type. Source IP Address Start is 192.168.10.0 and End is 255.255.255.0 (the secure network behind the Linux box).
  8. My IP Addr is the WAN IP of the Prestige.
  9. Secure Gateway IP Addr is the IP of the remote secure gateway, which is the Linux box in this example.
  10. Set Encapsulation Mode to Tunnel.
  11. Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
  12. Set Encryption Algorithm to 3DES and Authentication Algorithm to SHA1.
  13. Enter the key string 12345678 in the Preshared Key text box, and click Apply.

You can click the Advanced button to check the IPSec Phase 1 and Phase 2 parameters. Please note that Linux FreeS/WAN only supports 3DES as the encryption algorithm, and DH2 or higher as the key exchange group.
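
The Prestige values in steps 6 to 9 must mirror the conn section of ipsec.conf. The following Python sketch is an added example, not part of the original guide or of FreeS/WAN: it derives the Prestige values from the conn section and checks the ipsec.secrets entry. The function names and the 16-character minimum key length are assumptions made for this illustration.

```python
import ipaddress, re
# Constructed sample input: the conn section and secrets line shown on this page.
IPSEC_CONF = """conn Prestige
        left=65.170.185.111
        leftsubnet=192.168.10.0/24
        right=202.132.170.1
        rightsubnet=192.168.0.0/24
"""
IPSEC_SECRETS = '65.170.185.111  202.132.170.1 : PSK  "12345678"\n'
MIN_PSK_LEN = 16  # assumed local policy, not a FreeS/WAN or Prestige limit

def parse_conn(text, name):
    """Return the key=value parameters of one 'conn <name>' section."""
    params, inside = {}, False
    for line in text.splitlines():
        if line and not line[0].isspace():   # an unindented line starts a section
            inside = line.split() == ["conn", name]
        elif inside and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key] = value.strip()
    return params

def prestige_settings(conn):
    """Mirror the conn for the Prestige: 'right' is the Prestige, 'left' is Linux."""
    local = ipaddress.ip_network(conn["rightsubnet"])
    remote = ipaddress.ip_network(conn["leftsubnet"])
    return {
        "Local Start/End": (str(local.network_address), str(local.netmask)),
        "Remote Start/End": (str(remote.network_address), str(remote.netmask)),
        "My IP Addr": conn["right"],
        "Secure Gateway IP Addr": conn["left"],
    }

def check(conn, secrets):
    """Return problems that would stop the tunnel or weaken its authentication."""
    problems = []
    m = re.search(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', secrets, re.M)
    if not m or {m.group(1), m.group(2)} != {conn["left"], conn["right"]}:
        problems.append("no PSK entry for this gateway pair")
    elif len(m.group(3)) < MIN_PSK_LEN or m.group(3).isdigit():
        problems.append("weak PSK")
    nets = [ipaddress.ip_network(conn[k]) for k in ("leftsubnet", "rightsubnet")]
    if nets[0].overlaps(nets[1]):
        problems.append("left and right subnets overlap")
    return problems

if __name__ == "__main__":
    conn = parse_conn(IPSEC_CONF, "Prestige")
    print(prestige_settings(conn), check(conn, IPSEC_SECRETS))
```
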


If you use SMT management, the VPN configuration is as shown below.

1. Edit the IKE settings by setting the 'Edit Key Management Setup' option in menu 27.1.1 to 'Yes': press the space bar, then press 'Enter'.
2. There are two phases for IKE:

In Phase 1, the two IKE peers establish a secure channel for key exchange.
In Phase 2, the two peers negotiate the IPSec SAs that are used for data transmission.

Please note that Linux FreeS/WAN only supports 3DES as the encryption algorithm, and DH2 or higher as the key exchange group.