Sentinel (Behind NAT) to Prestige (Static IP) Tunneling

  1. Setup SSH Sentinel
  2. Setup Prestige VPN
  3. Setup NAT Router

Note: Not all ZyXEL Prestige provide VPN functionality. Please check the User's Manual from the packaged CD-ROM.


This page describes how to set up a VPN connection between the SSH Sentinel software and a Prestige router. Two devices need to be configured for this case: the Sentinel software and the Prestige router.

As the figure below shows, the tunnel between PC 1 (with Sentinel installed) and the Prestige ensures that packets flowing between them are secure, because packets going through the IPSec tunnel are encrypted. The settings required on Sentinel and on the Prestige to set up this VPN tunnel are explained in the following sections. As the red pipe in the figure indicates, the tunnel endpoints are Sentinel and the Prestige.

The IP addresses we use in this example are as follows.

  Device       Addresses
  -----------  --------------------------------------
  PC 1         192.168.2.33
  NAT Router   LAN: 192.168.2.1    WAN: 172.21.1.232
  Prestige     LAN: 192.168.1.1    WAN: 172.21.1.252
  PC 2         192.168.1.33


1. Setup SSH Sentinel

  1. From the Tool Tray of the Windows system, right-click the SSH Sentinel icon and choose Run Policy Editor.

  2. Choose Key Management. Select My Keys, then press the Add... button.

  3. Select Create a preshared key, and press Next.

  4. Give this preshared key the name Prestige. Then enter the preshared key "12345678" in both the Shared secret and Confirm shared secret fields. Finally press Finish.

  5. Press Apply in the main menu to save the above settings for later use.

  6. Switch to the Security Policy tab. Choose VPN connections, and then press Add...

  7. The Add VPN Connection window will pop up. Press the IP button beside the Gateway Name box. Enter the Prestige's WAN IP address in Gateway IP address.

  8. Press the ... button beside Remote network.

  9. The Network Editor window will pop up. Press the New button, enter Prestige in Network name, 192.168.1.0 in the IP address field, and 255.255.255.0 in the Subnet Mask field. Then click OK to return to the Add VPN Connection window.

  10. Choose Prestige as the Authentication Key. Then click OK to save.

  11. In the SSH Sentinel Policy Editor you will now see a new VPN connection, 172.21.1.252(Prestige). Select this item and press the Properties... button.

  12. Press the Settings button in the Remote endpoint section. Uncheck the "Acquire virtual IP address" and "Extended authentication" boxes.

  13. Set the IKE proposal to Encryption algorithm DES, Integrity function MD5, IKE mode main mode, IKE group MODP 768 (group 1), and the IPSec proposal to Encryption algorithm DES, Integrity function HMAC-MD5, PFS group none.

  14. Press Apply to save all of the settings.

  15. Initiate the VPN connection from Sentinel by selecting your VPN connection from the Select VPN item.

Note:

A. When building a VPN between Sentinel and the Prestige, the tunnel cannot be initiated from the Prestige side. Always initiate the tunnel from Sentinel.

B. The VPN tunnel on Sentinel cannot be initiated by triggering packets (such as ping, ftp, telnet, HTTP, etc.). You can only initiate the VPN tunnel by choosing "Select VPN" from the SSH Sentinel tray.

NOTE:

Check your Prestige's release notes: if your current firmware version does not support Mega Bytes as an SA lifetime, you have to set the Mega Bytes value of the SA lifetime to zero. Switch to Security Policy; the configuration page is in <Your VPN connection>/Properties.../Advanced Tab/Settings...


2. Setup Prestige VPN

  1. Using a web browser, log in to the Prestige by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  2. Go to Advanced -> VPN.
  3. Check the Active box to enable this rule. Check Keep alive to make your VPN connection stay up permanently.
  4. Set Negotiation Mode to Main, as configured in Sentinel.
  5. Local IP: Address Type is Subnet, Address Start is 192.168.1.0, End/Subnet Mask is 255.255.255.0.
  6. Remote IP Address Start is Sentinel's IP, 192.168.2.33.
  7. My IP Addr is the WAN IP of the Prestige.
  8. Secure Gateway IP Addr is the NAT Router's IP.
  9. Set Encapsulation Mode to Tunnel.
  10. Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
  11. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as configured in Sentinel.
  12. Enter the key string 12345678 in the Preshared Key text box, and click Apply.
  13. Press the Advanced button to set the IKE phase 1 and phase 2 parameters.

See the VPN rule screen shot

Set IKE Phase 1 and Phase 2 parameters.


If you use SMT management, the VPN configuration is as shown below.

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases in IKE:

   In Phase 1, the two IKE peers establish a secure channel for key exchange.
   In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission.

Please note that every setting in 'IKE Setup' must match the settings configured in Sentinel.
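Because IKE phase 1 and phase 2 only succeed when both proposals and both traffic selectors agree, it helps to write the two sides down and compare them field by field before initiating the tunnel. The following Python script is an added example and is not part of this page or of the ZyXEL product; it transcribes the Sentinel and Prestige values given above into two constructed dictionaries and reports every mismatch, including the two NAT-specific caveats the page gives (AH cannot be used behind SUA/NAT, and the Mega Bytes SA lifetime must be zero on firmware that lacks it). The layout of the Prestige "ike" entry (the Advanced page, which this page does not show) and the `firmware_supports_mb_lifetime` flag are assumptions.

```python
"""Consistency check for the Sentinel <-> Prestige IPSec tunnel on this page.

Constructed example: SENTINEL and PRESTIGE transcribe the values the page tells
the reader to enter on each side. check_tunnel() lists every parameter that
would make IKE phase 1 or phase 2 negotiation fail.
"""
import ipaddress

PC1_IP = "192.168.2.33"        # Sentinel host, behind the NAT router
NAT_WAN_IP = "172.21.1.232"    # NAT router WAN address

# Sentinel (PC 1) side, as entered in the Policy Editor.
SENTINEL = {
    "gateway_ip": "172.21.1.252",         # Prestige WAN IP
    "remote_network": "192.168.1.0/24",   # Network Editor entry "Prestige"
    "preshared_key": "12345678",
    "ike":   {"mode": "main", "encryption": "DES", "integrity": "MD5", "group": "MODP768"},
    "ipsec": {"encryption": "DES", "integrity": "HMAC-MD5", "pfs": "none"},
    "sa_lifetime_mb": 0,    # must be 0 if the Prestige firmware has no MB lifetime
}

# Prestige side, as entered in Advanced -> VPN. The "ike" entry is the assumed
# layout of the Advanced page; the firmware flag is likewise an assumption.
PRESTIGE = {
    "my_ip": "172.21.1.252",
    "secure_gateway_ip": NAT_WAN_IP,      # the peer seen on the WAN is the NAT router
    "local_network": "192.168.1.0/24",
    "remote_host": PC1_IP,
    "preshared_key": "12345678",
    "ike":   {"mode": "main", "encryption": "DES", "integrity": "MD5", "group": "MODP768"},
    "ipsec": {"encapsulation": "tunnel", "protocol": "ESP",
              "encryption": "DES", "integrity": "MD5", "pfs": "none"},
    "firmware_supports_mb_lifetime": False,
}


def _norm(alg):
    """Normalise algorithm spelling so 'HMAC-MD5' and 'MD5' compare equal."""
    return alg.upper().replace("HMAC-", "").replace(" ", "")


def check_tunnel(sentinel, prestige):
    """Return a list of mismatches; an empty list means both sides agree."""
    problems = []

    # Addressing: Sentinel targets the Prestige WAN IP, while the Prestige sees
    # the NAT router's WAN address as the IKE peer, not PC 1's private address.
    if sentinel["gateway_ip"] != prestige["my_ip"]:
        problems.append("Sentinel gateway IP != Prestige My IP Addr")
    if prestige["secure_gateway_ip"] != NAT_WAN_IP:
        problems.append("Prestige Secure Gateway IP must be the NAT router's WAN IP")

    # Phase 2 traffic selectors.
    if ipaddress.ip_network(sentinel["remote_network"]) != ipaddress.ip_network(prestige["local_network"]):
        problems.append("Sentinel remote network != Prestige local subnet")
    if ipaddress.ip_address(prestige["remote_host"]) != ipaddress.ip_address(PC1_IP):
        problems.append("Prestige remote IP must be PC 1's private address")

    # Phase 1 (IKE SA).
    if sentinel["preshared_key"] != prestige["preshared_key"]:
        problems.append("preshared keys differ")
    for field in ("mode", "encryption", "integrity", "group"):
        if _norm(sentinel["ike"][field]) != _norm(prestige["ike"][field]):
            problems.append(f"IKE phase 1 {field} differs")

    # Phase 2 (IPSec SA).
    p2 = prestige["ipsec"]
    if p2["protocol"].upper() != "ESP":
        problems.append("only ESP works through SUA/NAT; AH cannot be used")
    if p2["encapsulation"].lower() != "tunnel":
        problems.append("Prestige encapsulation must be Tunnel")
    for field in ("encryption", "integrity", "pfs"):
        if _norm(sentinel["ipsec"][field]) != _norm(p2[field]):
            problems.append(f"IPSec phase 2 {field} differs")

    # Firmware caveat from the page's note on SA lifetime.
    if not prestige["firmware_supports_mb_lifetime"] and sentinel["sa_lifetime_mb"] != 0:
        problems.append("zero the Mega Bytes SA lifetime on Sentinel for this firmware")
    return problems


def misconfigured_prestige():
    """A copy of PRESTIGE with two errors the page warns about (AH behind NAT,
    mismatched phase 2 encryption), for exercising the checker."""
    bad = {k: (dict(v) if isinstance(v, dict) else v) for k, v in PRESTIGE.items()}
    bad["ipsec"]["protocol"] = "AH"
    bad["ipsec"]["encryption"] = "3DES"
    return bad


if __name__ == "__main__":
    for name, cfg in (("page values", PRESTIGE), ("misconfigured", misconfigured_prestige())):
        print(name, "->", check_tunnel(SENTINEL, cfg) or "OK")
```

With the page's values the checker returns no mismatches; the deliberately misconfigured copy produces two findings, one for AH behind NAT and one for the phase 2 encryption mismatch. The same comparison applies when the Prestige is configured through SMT menu 27.1.1 instead of the web configurator.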


3. Setup NAT Router

In this case, since the VPN connection can only be initiated from SSH Sentinel, no port forwarding on the NAT router is needed.


All contents copyright (c) 2002 ZyXEL Communications Corporation.