Prestige to Prestige Tunneling
Note: Not all ZyXEL Prestige provide VPN functionality. Please check the User's Manual from the packaged CD-ROM.
This page guides us to setup a VPN connection between two Prestige routers. Please note that, in addition to Prestige to Prestige, Prestige can also talk to other VPN hardwards. The tested VPN hardware are shown below.
As the figure shown below, the tunnel between Prestige 1 and Prestige 2 ensures the packets flow between PC 1 and PC 2 are secure. Because the packets go through the IPSec tunnel are encrypted. To achieve this VPN tunnel, the settings required for each Prestige are explained in the following sections.
The IP addresses we use in this example are as shown below.
PC 1 |
Prestige A | Prestige B | PC 2 |
202.132.155.33 | LAN: 202.132.155.1 WAN: 202.132.154.1 |
LAN: 140.130.10.1 WAN: 168.10.10.66 |
140.130.10.33 |
Note: The following configurations are supposed both two VPN gateways have fixed IP addresses. If one of VPN gateways uses dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from dynamic side to fixed side to update its dynamic IP to the fixed side. However, if both gateways use dynamic IP addresses, it is no way to establish VPN connection at all.
See the screen shot:
If you use SMT management, the VPN configurations are as shown below.
1. Edit IKE settings by selecting 'Edit IKE Setup' option
in menu27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE:
In Phase 1, two IKE peers establish a secure channel for
key exchanging.
In Phase 2, two peers negotiate general purpose SAs which are secure channels for data
transmission.
Note that any configuration in 'IKE Setup' should be
consistent in both Prestige A and Prestige B.
Similar to the settings for Prestige A, Prestige B is configured in the same way.
See the screen shot:
If you use SMT management, the VPN configurations are as shown below.
1.
Edit IKE settings by selecting 'Edit IKE Setup' option in menu27.1.1 to 'Yes' and then
pressing 'Enter'.
2. There are two phases for IKE:
In Phase 1, two IKE peers establish a secure channel for
key exchanging.
In Phase 2, two peers negotiate general purpose SAs which are secure channels for data
transmission.
Note that any configuration in 'IKE Setup' should be
consistent in both Prestige A and Prestige B.
Q: How do we know the above tunnel works?
A: If the connection between PC 1 and PC 2 is ok, we know the tunnel works.
Please try to ping from PC 1 to PC 2 (or PC 2 to PC 1). If PC 1 and PC 2 can ping to each other, it means that the IPSec tunnel has been established successfully. If the ping fail, there are two methods to troubleshoot IPSec in Prestige.
Through menu 27.2, you can monitor every IPSec connections running in Prestige presently. The second column of each entry indicates the IPSec rule name. So, if you can't see the name of your IPSec rule, it means that the SA establishment fails. Please go back Menu 27 to check your settings.
Menu 27.2 - SA Monitor #
Name
Encap. IPSec ALgorithm
Select Command= Refresh
Press ENTER to Confirm or ESC to Cancel: |
Please enter 'ipsec debug 1' in Menu 24.8. There should be lots of detailed messages printed out to show how negotiations are taken place. If IPSec connection fails, please dump 'ipsec debug 1' for our analysis. The following shows an example of dumped messages.
Prestige> ipsec debug 1 IPSEC debug level 1 Prestige> catcher(): recv pkt numPkt<1> get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80> f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034 00000001 00000001 00000028 01010001 00000020 01010000 80010001 80020001 80040001 80030001 800b0001 800c0e10 In isadb_get_entry, nxt_pyld=1, exch=2 New SA In responder isadb_create_entry(): RESPONSOR: ##entering spGetPeerByAddr... <deleted> |
To view the log for IPSec and IKE connections, please enter menu 27.3, View IPSec Log. The log menu is also useful for troubleshooting please capture to us if necessary. Please refer to the example below.
Index: Date: Log: --------------------------------------------------------- 001 01 Jan 00:15:11 <<<<INFO Sending IKE Packet == 15 002 01 Jan 00:15:11 <<<<Sending IKE Packet == 15 003 01 Jan 00:15:11 <<<<INFO Sending IKE Packet == 15 004 01 Jan 00:15:11 <<<<Sending IKE Packet == 15 005 01 Jan 00:15:16 <<<<Sending IKE Packet == 0 006 01 Jan 00:15:16 >>>>MM Receiving IKE Packet == 2 007 01 Jan 00:15:18 <<<<Sending IKE Packet == 3 008 01 Jan 00:15:18 >>>>MM Receiving IKE Packet == 4 009 01 Jan 00:15:19 <<<<Sending IKE Packet == 5 010 01 Jan 00:15:19 >>>>MM Receiving IKE Packet == 6 011 01 Jan 00:15:19 <<<<Sending IKE Packet == 6 012 01 Jan 00:15:19 >>>>QM Receiving IKE Packet == 15 013 01 Jan 00:15:19 <<<<Sending IKE Packet == 15 Clear IPSec Log (y/n): |
Note, the 'Log' column in the current 3.50(WA.0) firmware just shows the IKE state flow. In the future firmware, we will enhance it to show packet information (such as protocol type, port number).