Sentinel (Dynamic IP) to Prestige (Dynamic IP) Tunneling
- Setup Prestige
- Setup Sentinel
Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the User's Manual on the packaged CD-ROM.
This page explains how to set up a VPN connection between the SSH Sentinel software and a Prestige router. Two devices need to be configured in this case: Sentinel and the Prestige router.
As the figure below shows, the tunnel between PC 1, with Sentinel installed, and the Prestige secures the packets flowing between them, because packets that go through the IPSec tunnel are encrypted. The settings required on Sentinel and the Prestige to set up this VPN tunnel are explained in the following sections. As the red pipe in the figure shows, the tunneling endpoints are Sentinel and the Prestige.
The IP addresses we use in this example are as shown below.
PC 1 | Prestige | PC 2
<Dynamic IP> | LAN: 192.168.1.1, WAN: <Dynamic IP> | 192.168.1.33
1. Setup Prestige
- Configure the Prestige to use DDNS for WAN IP address updates. You can refer to Using DDNS for how to configure it. We presume that you have obtained a dynamic domain name, Prestige.ddns.org, and have updated your current WAN IP successfully.
- Using a web browser, log in to the Prestige by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
- Go to Advanced -> VPN.
- Check the Active box to enable this rule. Check Keep alive to make your VPN connection permanent.
- Set Negotiation Mode to Main.
- Local IP: Address Type is Subnet, Address Start is 192.168.1.0, End/Subnet Mask is 255.255.255.0.
- Remote IP: leave this field blank.
- My IP Addr: leave this field as 0.0.0.0.
- Secure Gateway IP Addr is Sentinel's IP. Since Sentinel is using a dynamic IP address, fill in this field as 0.0.0.0.
- Set Encapsulation Mode to Tunnel.
- Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
- Set Encryption Algorithm to DES and Authentication Algorithm to MD5.
- Enter the key string 12345678 in the Preshared Key text box, and click Apply.
- Press the Advanced button to set the IKE phase 1 and phase 2 parameters.
See the VPN rule screen shot

Set IKE Phase 1 and Phase 2 parameters.

If you use SMT management, the VPN configurations are as shown below.

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE:
In Phase 1, two IKE peers establish a secure channel for key exchange.
In Phase 2, two peers negotiate general-purpose SAs, which are secure channels for data transmission.
Please note that any configuration in 'IKE Setup' should match the settings configured in Sentinel.

2. Setup Sentinel
- From the Windows system tray, right-click your SSH/Sentinel icon, and then choose Run Policy Editor.
- Choose Key Management. Select My Keys, then press the Add... button.

- Select Create a preshared key, and press Next.

- Give this preshared key a name, Prestige, and then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally, press Finish.

- Press Apply in the main menu to save the above settings for later use.

- Switch to Security Policy tab. Choose VPN connections, and
then press Add...

- The Add VPN Connection window will pop up. Enter Prestige.dyndns.org in Gateway IP address.
- Press the ... button beside Remote network.

- The Network Editor window will pop up. Press the New button, then enter Prestige in Network name, 192.168.1.0 in the IP address field, and 255.255.255.0 in the Subnet Mask field. Then click OK to go back to the Add VPN Connection window.

- Choose Prestige as Authentication Key. Then click OK
to save.

- In the SSH Sentinel Policy Editor, you will get a new VPN connection, Prestige.dyndns.org (Prestige). Choose this item, and then press the Properties... button.

- Choose the Settings button in the Remote endpoint section. Uncheck the boxes for "Acquire virtual IP address" and "Extended authentication".

- Set the IKE proposal to Encryption algorithm DES, Integrity function MD5, IKE mode main mode, and IKE group MODP 768 (group 1). Set the IPSec proposal to Encryption algorithm DES, Integrity function HMAC-MD5, and PFS group none.

- Press Apply to save all of the settings.

- Initiate the VPN connection from Sentinel by selecting your VPN connection from the Select VPN item.
Note:
A. When building a VPN between Sentinel and the Prestige, the tunnel can't be initiated from the Prestige side. Always initiate the tunnel from Sentinel.
B. The VPN tunnel on Sentinel can't be initiated by triggering packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing "Select VPN" from the SSH/Sentinel tray.

NOTE:
Please check your Prestige's release notes. If your current firmware version doesn't support Mega Bytes as an SA lifetime, you have to set the Mega Bytes setting in SA lifetime to zero. Switch to Security Policy; the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...
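
Because every IKE setting on the Prestige has to match Sentinel, comparing the two sides field by field catches a mismatch before the tunnel fails to negotiate, and the same pass can list which proposal fields still use DES, MD5 or the 768-bit group. The following is an added example, not part of the original ZyXEL note: the field names (p1_enc, pfs and so on) and the Prestige label "DH1" are assumptions, and the Prestige phase 1 values are assumed to mirror Sentinel's.

```python
import ipaddress

# Prestige values come from section 1 of the page; its IKE phase 1 fields are
# ASSUMED to mirror Sentinel's, because the page shows them only in a screenshot.
PRESTIGE = {
    "ike_mode": "Main", "p1_enc": "DES", "p1_auth": "MD5", "p1_group": "DH1",
    "p2_enc": "DES", "p2_auth": "MD5", "pfs": "None", "psk": "12345678",
    "protected_net": ("192.168.1.0", "255.255.255.0"),
}
# Sentinel values come from section 2 of the page.
SENTINEL = {
    "ike_mode": "main mode", "p1_enc": "DES", "p1_auth": "MD5",
    "p1_group": "MODP 768 (group 1)", "p2_enc": "DES", "p2_auth": "HMAC-MD5",
    "pfs": "none", "psk": "12345678",
    "protected_net": ("192.168.1.0", "255.255.255.0"),
}
# The two products label the same setting differently; map to one spelling.
ALIASES = {"main mode": "main", "hmac-md5": "md5", "modp 768 (group 1)": "dh1"}
LEGACY = {"des", "md5", "dh1"}  # 56-bit DES, MD5, 768-bit MODP group


def norm(key, value):
    """Normalize one field so equivalent settings compare equal."""
    if key == "protected_net":  # (address, mask) -> network; rejects host bits
        return ipaddress.ip_network("/".join(value), strict=True)
    if key == "psk":  # the shared secret must match character for character
        return value
    text = str(value).strip().lower()
    return ALIASES.get(text, text)


def mismatches(a, b):
    """Fields that are missing on one side or differ after normalization."""
    return sorted(k for k in a.keys() | b.keys()
                  if k not in a or k not in b or norm(k, a[k]) != norm(k, b[k]))


def legacy_items(cfg):
    """Proposal fields still set to an algorithm listed in LEGACY."""
    return sorted(k for k, v in cfg.items()
                  if k not in ("psk", "protected_net") and norm(k, v) in LEGACY)


if __name__ == "__main__":
    print("mismatched fields:", mismatches(PRESTIGE, SENTINEL))
    print("legacy settings on Sentinel:", legacy_items(SENTINEL))
```
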

All contents copyright (c) 2002 ZyXEL Communications Corporation.