WIN2K VPN to Prestige Tunneling

  1. Setup WIN2K VPN
  2. Setup Prestige VPN

Note: Not all ZyXEL Prestige provide VPN functionality. Please check the User's Manual from the packaged CD-ROM.


This page describes how to set up a VPN tunnel between the WIN2K IPSec (VPN) software and a Prestige router. Two devices need to be configured for this case: the WIN2K PC and the Prestige router.

As the figure below shows, the tunnel between PC 1 and the Prestige ensures that packets flowing between them are protected, because packets passing through the IPSec tunnel are encrypted. The settings required on WIN2K and on the Prestige to set up this tunnel are explained in the following sections. As the red pipe in the figure shows, the tunnel endpoints are WIN2K and the Prestige.

The IP addresses we use in this example are as shown below.

  PC 1 (WIN2K):   172.21.1.232
  Prestige:       WAN: 172.21.1.252    LAN: 192.168.1.1
  PC 2:           192.168.1.33


1. Setup WIN2K VPN

- Create a custom MMC console

  1. From Windows desktop, click Start, click Run, and in the Open textbox type MMC. Click OK.

  2. On the Console window, click Add/Remove Snap-In.

  3. In the Add/Remove Snap-In dialog box, click Add.

  4. In the Add Standalone Snap-in dialog box, click Computer Management, and then click Add.

  5. Verify that Local Computer (default setting) is selected, and click Finish.

  6. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add.

  7. Verify that Local Computer (default setting) is selected in the Group Policy Object dialog box, and then click Finish.

  8. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

  9. In the Certificates snap-in dialog box, select Computer account, and click Next.

  10. Verify that Local Computer (default setting) is selected, and click Finish.

  11. Click Close to close the Add Standalone Snap-in dialog box.

  12. Click OK to close the Add/Remove Snap-in dialog box.

[Screenshot: mmc.gif]


- Create IPSec Policy

Typically, a Windows 2000 gateway is not a member of a domain, so a local IPSec policy is created. If your Windows 2000 gateway is a member of a domain that already has an IPSec policy assigned, you can instead create an Organizational Unit (OU) in Active Directory, make your WIN2K a member of this OU, and assign the IPSec policy to the Group Policy Object (GPO) of this OU. For more information, please refer to the Assigning IPSec Policy section of Windows 2000 online help.

  1. From Windows desktop, click Start, click Run, and in the Open textbox type SECPOL.MSC. Click OK.

  2. Right click IP Security Policies on Local Machine, and then click Create IP Security Policy.

  3. Click Next, and type a name for your policy. For example, WIN2K to Prestige Tunnel.

  4. Uncheck the Activate the default response rule check box, and click Next.

  5. Keep the Edit properties check box selected and click Finish.

  6. A dialog window will appear for you to configure the two filter rules for this policy.

[Screenshot: policy.gif]

Note: The IPSec policy is created with the default IKE main mode (phase 1) settings on the General tab. Please check the details by clicking Advanced on this tab.


The IPSec tunnel consists of two rules, each of which specifies a tunnel endpoint. Because there are two endpoints, two filter rules are needed: one for the direction from PC 1 to PC 2 (the endpoint is the Prestige), and the other for the direction from PC 2 to PC 1 (the endpoint is WIN2K). Each rule requires a source IP and a destination IP for the local and remote VPN hosts (PC 1 or PC 2). See the guides below.

- Build a Filter List from PC 1 to PC 2

  1. In policy properties, uncheck the Use Add Wizard check box, and click Add to create a new rule.

  2. On the IP Filter List tab, click Add.

  3. Type a name for the filter list (e.g., WIN2K to Prestige), uncheck the Use Add Wizard check box, and click Add.

  4. In the Source address, choose A specific IP Address, and enter the IP address of PC 1.

  5. In the Destination address, choose A specific IP Address, and enter the IP address of PC 2.

  6. Uncheck the Mirror check box.

  7. On the Protocol tab, leave the protocol type as Any, because IPSec tunnels do not support protocol-specific or port-specific filters.

  8. On the Description tab, you can give a name to this filter list. The filter name is displayed in the IPSec monitor when the tunnel is active.

  9. Click OK and Close to close the windows.

- Build a Filter List from PC 2 to PC 1

  1. On the IP Filter List tab, click Add.

  2. Type a name for the filter list (e.g., Prestige to WIN2K), uncheck the Use Add Wizard check box, and click Add.

  3. In the Source address, choose A specific IP Address, and enter the IP address of PC 2.

  4. In the Destination address, choose A specific IP Address, and enter the IP address of PC 1.

  5. Uncheck the Mirror check box.

  6. On the Protocol tab, leave the protocol type as Any, because IPSec tunnels do not support protocol-specific or port-specific filters.

  7. On the Description tab, you can give a name to this filter list. The filter name is displayed in the IPSec monitor when the tunnel is active.

  8. Click OK and Close to close the windows.


- Configure a Rule for PC 1 to PC 2 tunnel

  1. Select the first filter list you created above from the IP Filter List. For example, WIN2K to Prestige.

  2. Click the Tunnel Setting tab and enter the remote endpoint. For this filter list, the remote IPSec endpoint is the Prestige.

  3. Click the Connection Type tab, and click All network connections (or click LAN connections if your WIN2K is connected to a LAN rather than an ISP). In our example, we choose All network connections.

  4. Click the Filter Action tab, uncheck the Use Add Wizard check box, and click Add.

  5. Leave Negotiate security checked, and uncheck the Accept unsecured communication, but always respond using IPSec check box. You must do this to ensure secure connections.

  6. Click Add and select Custom (for expert users) if you want to define specific algorithms and session key lifetimes. Please make sure the settings match whatever we will configure in the Prestige later.

  7. Click OK. On the General tab, give a name to the filter action. For example, WIN2K to Prestige, and click OK.

  8. Select the filter action you just created.

  9. On the Authentication Methods tab, click Add and select the Use this string to protect the key exchange (pre-shared key) option, then enter the string 12345678 in the text box.

  10. Click OK.

See the finished screen shot.
[Screenshot: rule.gif]

- Configure a Rule for PC 2 to PC 1 tunnel

  1. In the IPSec policy properties, click Add to create a new rule.

  2. Select the second filter list you created above from the IP Filter List. For example, Prestige to WIN2K.

  3. Click the Tunnel Setting tab and enter the remote endpoint. For this filter list, the remote IPSec endpoint is WIN2K.

  4. Click the Connection Type tab, and click All network connections (or click LAN connections if your WIN2K is connected to a LAN rather than an ISP). In our example, we choose All network connections.

  5. Click the Filter Action tab, and select the filter action you created.

  6. On the Authentication Methods tab, configure the same settings as in the first rule.

  7. Click Close.

  8. Enable both rules you created in the policy properties and click Close.

Figure 5: See the finished screen shot
[Screenshot: tworules.gif]


- Assign Your New IPSec Policy to Your Windows 2000

  1. In the IP Security Policies on Local Machine MMC snap-in, right click your new policy, and click Assign.

[Screenshot: assign.gif]

  2. A green arrow will appear in the folder icon next to your policy. See the screen shot below.

[Screenshot: last.gif]

For more information about configuring WIN2K IPSec, please refer to the following web sites.

1. http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
2. http://support.microsoft.com/support/kb/articles/q252/7/35.asp
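The two non-mirrored tunnel rules above are easy to get backwards, so here is an added example (not part of the ZyXEL page) that models them in Python: each rule is a one-way filter plus the tunnel endpoint from its Tunnel Setting tab, and the helper picks the rule and endpoint for a given packet. It uses the page's example addresses; the class, function and rule names are this example's own. A second helper shows what a single mirrored rule would do instead, and a third cross-checks the WIN2K endpoints against the Prestige policy's My IP Addr and Secure Gateway IP Addr. The filters are written as networks, so the same code also covers the "A specific IP Subnet" choice the page does not use.

```python
"""Model of the two Windows 2000 IPSec tunnel rules (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelRule:
    name: str
    source: ipaddress.IPv4Network          # filter source ("A specific IP Address" is a /32)
    destination: ipaddress.IPv4Network     # filter destination
    tunnel_endpoint: ipaddress.IPv4Address  # remote IPSec endpoint (Tunnel Setting tab)
    mirrored: bool = False                 # Mirror check box; stays unchecked for tunnel rules

    def matches(self, src, dst):
        """A non-mirrored filter matches one direction only; a mirrored one matches both."""
        forward = src in self.source and dst in self.destination
        reverse = self.mirrored and src in self.destination and dst in self.source
        return forward or reverse


# Addresses from the page's example network.
PC1 = ipaddress.IPv4Address("172.21.1.232")          # WIN2K
PC2 = ipaddress.IPv4Address("192.168.1.33")          # secure host behind the Prestige
PRESTIGE_WAN = ipaddress.IPv4Address("172.21.1.252")

# The two rules exactly as the page builds them.
POLICY = [
    TunnelRule("WIN2K to Prestige",
               ipaddress.IPv4Network("172.21.1.232/32"),
               ipaddress.IPv4Network("192.168.1.33/32"),
               PRESTIGE_WAN),
    TunnelRule("Prestige to WIN2K",
               ipaddress.IPv4Network("192.168.1.33/32"),
               ipaddress.IPv4Network("172.21.1.232/32"),
               PC1),
]


def select_rule(policy, src, dst):
    """Return (rule name, tunnel endpoint) for a packet, or None if nothing matches."""
    src = ipaddress.IPv4Address(str(src))
    dst = ipaddress.IPv4Address(str(dst))
    for rule in policy:
        if rule.matches(src, dst):
            return rule.name, str(rule.tunnel_endpoint)
    return None


def mirrored_single_rule():
    """Hypothetical mistake: one rule with Mirror checked. The PC 2 -> PC 1 return
    direction then also points at the Prestige WAN, which is the wrong endpoint for
    traffic arriving at WIN2K; that is why the page unchecks Mirror and adds a second rule."""
    one_rule = [TunnelRule("mirrored",
                           ipaddress.IPv4Network("172.21.1.232/32"),
                           ipaddress.IPv4Network("192.168.1.33/32"),
                           PRESTIGE_WAN, mirrored=True)]
    return select_rule(one_rule, PC2, PC1)


def endpoints_consistent(policy, prestige_my_ip, prestige_secure_gateway):
    """The WIN2K tunnel endpoints must be exactly the Prestige policy's
    'My IP Addr' and 'Secure Gateway IP Addr' (Menu 27.1.1)."""
    win2k_endpoints = {str(r.tunnel_endpoint) for r in policy}
    return win2k_endpoints == {prestige_my_ip, prestige_secure_gateway}


if __name__ == "__main__":
    print(select_rule(POLICY, PC1, PC2))
    print(select_rule(POLICY, PC2, PC1))
    print(mirrored_single_rule())
    print(endpoints_consistent(POLICY, "172.21.1.252", "172.21.1.232"))
```

Traffic from PC 1 to the Prestige's own LAN address (192.168.1.1) matches neither rule, which is the expected result: the page's filters cover only PC 1 and PC 2, so anything else leaves WIN2K in the clear.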


2. Setup Prestige VPN

  1. Using a web browser, log in to the Prestige by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  2. Click Advanced, and click VPN tab on the left.
  3. On the SUMMARY menu, select a policy to edit by clicking Edit.
  4. On the CONFIGURE-IKE menu, check Active check box and give a name to this policy.
  5. Select IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in WIN2K.
  6. Source IP Address Start and Source IP Address End are the PC 2 IP in this example (the secure host behind the Prestige).
  7. Destination IP Address Start and Destination IP Address End are the PC 1 IP in this example (the secure WIN2K PC). Note: You may assign a range of Source/Destination IP addresses for multiple VPN sessions.
  8. My IP Addr is the WAN IP of Prestige.
  9. Secure Gateway IP Addr is the remote WIN2K's IP, that is PC 1 in this example.
  10. Select Encapsulation Mode to Tunnel.
  11. Check the ESP check box. (AH cannot be used when SUA/NAT is in use.)
  12. Select Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in WIN2K.
  13. Enter the key string 12345678 in the Preshared Key text box, and click Apply.

Figure 8: See the VPN rule screen shot


If you use SMT management, the VPN configurations are as shown below.

                            Menu 27.1.1 - IPSec Setup

          Index #= 1
          Name= Prestige
          Active= Yes

          My IP Addr= 172.21.1.252
          Secure Gateway IP Addr= 172.21.1.232
          Protocol= 0
          Local:  IP Addr Start= 192.168.1.33        End= 192.168.1.33
                     Port Start= 0                   End= N/A
          Remote: IP Addr Start= 172.21.1.232        End= 172.21.1.232
                     Port Start= 0                   End= N/A
          Enable Replay Detection= No
          Key Management= IKE
          Edit IKE Setup= Yes
          Edit Manual Setup= N/A

                    Press ENTER to Confirm or ESC to Cancel:
 

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases in IKE:

In Phase 1, the two IKE peers establish a secure channel for key exchange.
In Phase 2, the two peers negotiate general purpose SAs, which are the secure channels used for data transmission.

Please note that every setting in 'IKE Setup' must match the settings configured in WIN2K.

                             Menu 27.1.1.1 - IKE Setup

                    Phase 1
                      Negotiation Mode= Main
                      Pre-Shared Key= 12345678
                      Encryption Algorithm= DES
                      Authentication Algorithm= MD5
                      SA Life Time (Seconds)= 3600
                      Key Group= DH1

                    Phase 2
                      Active Protocol= ESP
                      Encryption Algorithm= DES
                      Authentication Algorithm= MD5
                      SA Life Time (Seconds)= 3600
                      Encapsulation= Tunnel
                      Perfect Forward Secrecy (PFS)= None

                    Press ENTER to Confirm or ESC to Cancel
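Because a single mismatch in the IKE proposals is the usual reason this tunnel fails to come up, here is an added example (not part of the ZyXEL page) that parses the Menu 27.1.1.1 screen shown above and compares it, field by field, with the WIN2K custom security method and key exchange settings. The menu text is copied from the page; the WIN2K dictionary is constructed for the example in the Prestige's vocabulary (its "DH1" corresponds to the Windows "Low (1)" Diffie-Hellman group), and all function names are this example's own. It also lists which of the negotiated algorithms are weak by current standards, which is worth knowing even though this is what the two products agree on in the page.

```python
"""Consistency check between Prestige IKE Setup and the WIN2K policy (added example)."""
import re

# Copied from the page's SMT screen.
PRESTIGE_IKE_SETUP = """\
                             Menu 27.1.1.1 - IKE Setup

                    Phase 1
                      Negotiation Mode= Main
                      Pre-Shared Key= 12345678
                      Encryption Algorithm= DES
                      Authentication Algorithm= MD5
                      SA Life Time (Seconds)= 3600
                      Key Group= DH1

                    Phase 2
                      Active Protocol= ESP
                      Encryption Algorithm= DES
                      Authentication Algorithm= MD5
                      SA Life Time (Seconds)= 3600
                      Encapsulation= Tunnel
                      Perfect Forward Secrecy (PFS)= None
"""

# WIN2K side, constructed for this example, written with the Prestige field values.
WIN2K_POLICY = {
    "phase1": {"mode": "Main", "preshared_key": "12345678",
               "encryption": "DES", "integrity": "MD5", "dh_group": "DH1"},
    "phase2": {"protocol": "ESP", "encryption": "DES", "integrity": "MD5",
               "encapsulation": "Tunnel", "pfs": "None"},
}

_FIELD = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_ike_setup(text):
    """Turn the SMT screen into {'Phase 1': {field: value}, 'Phase 2': {...}}."""
    phases, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Phase 1", "Phase 2"):
            current = phases.setdefault(stripped, {})
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            current[m["key"]] = m["value"]
    return phases


def compare_with_win2k(prestige, win2k):
    """Return a list of mismatches; an empty list means both proposals agree."""
    checks = [
        ("Phase 1", "Negotiation Mode", win2k["phase1"]["mode"]),
        ("Phase 1", "Pre-Shared Key", win2k["phase1"]["preshared_key"]),
        ("Phase 1", "Encryption Algorithm", win2k["phase1"]["encryption"]),
        ("Phase 1", "Authentication Algorithm", win2k["phase1"]["integrity"]),
        ("Phase 1", "Key Group", win2k["phase1"]["dh_group"]),
        ("Phase 2", "Active Protocol", win2k["phase2"]["protocol"]),
        ("Phase 2", "Encryption Algorithm", win2k["phase2"]["encryption"]),
        ("Phase 2", "Authentication Algorithm", win2k["phase2"]["integrity"]),
        ("Phase 2", "Encapsulation", win2k["phase2"]["encapsulation"]),
        ("Phase 2", "Perfect Forward Secrecy (PFS)", win2k["phase2"]["pfs"]),
    ]
    problems = []
    for phase, field, expected in checks:
        actual = prestige.get(phase, {}).get(field)
        if actual is None or actual.lower() != str(expected).lower():
            problems.append(f"{phase} {field}: Prestige={actual!r}, WIN2K={expected!r}")
    return problems


# Algorithms the page negotiates that are considered weak today (fact, not from the page).
WEAK = {"DES", "MD5", "DH1"}


def weak_settings(prestige):
    """Sorted list of weak algorithm choices found anywhere in the parsed setup."""
    return sorted({v for phase in prestige.values() for v in phase.values() if v in WEAK})


def mismatch_demo():
    """Hypothetical misconfiguration: WIN2K offers 3DES in phase 2 while the Prestige wants DES."""
    win2k = {"phase1": dict(WIN2K_POLICY["phase1"]),
             "phase2": dict(WIN2K_POLICY["phase2"], encryption="3DES")}
    return compare_with_win2k(parse_ike_setup(PRESTIGE_IKE_SETUP), win2k)


if __name__ == "__main__":
    setup = parse_ike_setup(PRESTIGE_IKE_SETUP)
    print("mismatches:", compare_with_win2k(setup, WIN2K_POLICY))
    print("weak:", weak_settings(setup))
    print("demo:", mismatch_demo())
```

When the tunnel will not establish, running this kind of comparison before staring at IKE logs narrows the problem to one field; the pre-shared key and the Diffie-Hellman group are the two values most often typed differently on the two sides.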