Prestige to Prestige Tunneling
Note: Not all ZyXEL Prestige provide VPN functionality. Please check the User's Manual from the packaged CD-ROM.
This page guides you through setting up a VPN connection between two Prestige routers. Note that, in addition to Prestige to Prestige, a Prestige can also talk to other VPN hardware. The tested VPN hardware are shown below.
As the figure below shows, the tunnel between Prestige 1 and Prestige 2 ensures that the packets flowing between PC 1 and PC 2 are secure, because packets that go through the IPSec tunnel are encrypted. To build this VPN tunnel, the settings required for each Prestige are explained in the following sections.
The IP addresses we use in this example are as shown below.
PC 1         | Prestige A                           | Prestige B                           | PC 2
192.168.1.33 | LAN: 192.168.1.1  WAN: 202.132.154.1 | LAN: 192.168.2.1  WAN: 168.10.10.66  | 192.168.2.33
Note: The following configurations assume that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from the dynamic side to the fixed side, so that the dynamic side's current IP is updated on the fixed side. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all.
See the screen shot:
If you use SMT management, the VPN configurations are as shown below.
1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE:
In Phase 1, the two IKE peers establish a secure channel for key exchange.
In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission.
Note that any configuration in 'IKE Setup' must be consistent between Prestige A and Prestige B.
Prestige B is configured in the same way as Prestige A.
See the screen shot:
Q: How do we know the above tunnel works?
A: If the connection between PC 1 and PC 2 is OK, we know the tunnel works.
Try to ping from PC 1 to PC 2 (or from PC 2 to PC 1). If PC 1 and PC 2 can ping each other, the IPSec tunnel has been established successfully. If the ping fails, there are two methods to troubleshoot IPSec in the Prestige.
Through menu 27.2, you can monitor every IPSec connection currently running in the Prestige. The second column of each entry shows the IPSec rule name. If you cannot see the name of your IPSec rule there, the SA establishment has failed; go back to Menu 27 and check your settings.
Menu 27.2 - SA Monitor
 #  Name                 Encap.   IPSec ALgorithm
Select Command= Refresh
Press ENTER to Confirm or ESC to Cancel:
Enter 'ipsec debug 1' in Menu 24.8. Detailed messages will then be printed out, showing how the negotiations take place. If the IPSec connection fails, please capture the 'ipsec debug 1' output and send it to us for analysis. The following shows an example of the dumped messages.
Prestige> ipsec debug 1
IPSEC debug level 1
Prestige>
catcher(): recv pkt numPkt<1>
get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80>
f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 80010001 80020001
80040001 80030001 800b0001 800c0e10
In isadb_get_entry, nxt_pyld=1, exch=2
New SA
In responder
isadb_create_entry(): RESPONSOR:
##entering spGetPeerByAddr...
<deleted>
4. View Log
To view the log for IPSec and IKE connections, enter menu 27.3, View IPSec Log. The log menu is also useful for troubleshooting; please capture it and send it to us if necessary. The example shown below is a successful IPSec connection.
Index: Date/Time:       Log:
------------------------------------------------------------
001 01 Jan 10:23:22 !! Cannot find outbound SA for rule <1>
002 01 Jan 10:23:22 Send Main Mode request to <168.10.10.66>
003 01 Jan 10:23:22 Send:<SA>
004 01 Jan 10:23:22 Recv:<SA>
005 01 Jan 10:23:24 Send:<KE><NONCE>
006 01 Jan 10:23:24 Recv:<KE><NONCE>
007 01 Jan 10:23:26 Send:<ID><HASH>
008 01 Jan 10:23:26 Recv:<ID><HASH>
009 01 Jan 10:23:26 Phase 1 IKE SA process done
010 01 Jan 10:23:26 Start Phase 2: Quick Mode
011 01 Jan 10:23:26 Send:<HASH><SA><NONCE><ID><ID>
012 01 Jan 10:23:26 Recv:<HASH><SA><NONCE><ID><ID>
013 01 Jan 10:23:26 Send:<HASH>
Clear IPSec Log (y/n):
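As an added example (not part of the ZyXEL page or firmware), the following script reads a captured Menu 27.3 log in the format above and reports how far the IKE negotiation got, so a failed tunnel can be localised to Main Mode (Phase 1) or Quick Mode (Phase 2). The sample log is constructed from the successful exchange shown above; the expected message order is taken from that same exchange.

```python
import re
# Constructed sample, modelled on the Menu 27.3 "View IPSec Log" entries above
SAMPLE_LOG = """\
001 01 Jan 10:23:22 !! Cannot find outbound SA for rule <1>
002 01 Jan 10:23:22 Send Main Mode request to <168.10.10.66>
003 01 Jan 10:23:22 Send:<SA>
004 01 Jan 10:23:22 Recv:<SA>
005 01 Jan 10:23:24 Send:<KE><NONCE>
006 01 Jan 10:23:24 Recv:<KE><NONCE>
007 01 Jan 10:23:26 Send:<ID><HASH>
008 01 Jan 10:23:26 Recv:<ID><HASH>
009 01 Jan 10:23:26 Phase 1 IKE SA process done
010 01 Jan 10:23:26 Start Phase 2: Quick Mode
011 01 Jan 10:23:26 Send:<HASH><SA><NONCE><ID><ID>
012 01 Jan 10:23:26 Recv:<HASH><SA><NONCE><ID><ID>
013 01 Jan 10:23:26 Send:<HASH>
"""
LINE_RE = re.compile(r"^\d{3} \d{2} \w{3} \d{2}:\d{2}:\d{2} (.*)$")
PEER_RE = re.compile(r"Send Main Mode request to <([^>]+)>")
# Message order of a healthy negotiation, as in the log above: Main Mode
# (Phase 1) is three Send/Recv pairs, Quick Mode (Phase 2) ends with a HASH.
MAIN_MODE = ["Send:<SA>", "Recv:<SA>", "Send:<KE><NONCE>", "Recv:<KE><NONCE>",
             "Send:<ID><HASH>", "Recv:<ID><HASH>"]
QUICK_MODE = ["Send:<HASH><SA><NONCE><ID><ID>",
              "Recv:<HASH><SA><NONCE><ID><ID>", "Send:<HASH>"]

def parse_log(text):  # message text of each well-formed entry, in log order
    return [m.group(1) for m in map(LINE_RE.match, text.splitlines()) if m]

def first_missing(expected, msgs):
    """First expected message not found in sequence, or None if all present."""
    pos = 0
    for want in expected:
        if want not in msgs[pos:]:
            return want
        pos = msgs.index(want, pos) + 1
    return None

def analyze(text):
    """Summarise how far the IKE negotiation in a Menu 27.3 log got."""
    msgs = parse_log(text)
    peers = [PEER_RE.search(m).group(1) for m in msgs if PEER_RE.search(m)]
    return {
        "peer": peers[0] if peers else None,
        # "Cannot find outbound SA" is normal: it is what triggers negotiation
        "triggered": any(m.startswith("!! Cannot find outbound SA") for m in msgs),
        "phase1_done": "Phase 1 IKE SA process done" in msgs,
        "phase2_done": first_missing(QUICK_MODE, msgs) is None,
        "stalled_at": first_missing(MAIN_MODE + QUICK_MODE, msgs),
    }
```

For a failed tunnel, "stalled_at" names the first expected message that never appeared, which tells you whether the peer stopped answering during Phase 1 (usually a proposal or pre-shared key mismatch in menu 27.1.1) or during Phase 2.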