Prestige to Prestige Tunneling

  1. Setup Prestige A
  2. Setup Prestige B
  3. Troubleshooting
  4. View Log

Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the User's Manual on the packaged CD-ROM.


This page guides you through setting up a VPN connection between two Prestige routers. Please note that, in addition to Prestige to Prestige, a Prestige can also talk to other VPN hardware. The tested VPN hardware is shown below.

As shown in the figure below, the tunnel between Prestige 1 and Prestige 2 ensures that the packets flowing between PC 1 and PC 2 are secure, because packets passing through the IPSec tunnel are encrypted. The settings required on each Prestige to build this VPN tunnel are explained in the following sections.

[Figure: topology1.gif - VPN tunnel topology between PC 1, Prestige 1, Prestige 2 and PC 2]

The IP addresses we use in this example are as shown below.

  PC 1             Prestige A                Prestige B                PC 2
  202.132.155.33   LAN: 202.132.155.1        LAN: 140.130.10.1         140.130.10.33
                   WAN: 202.132.154.1        WAN: 168.10.10.66

Note: The following configurations assume that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, enter 0.0.0.0 as the secure gateway IP address. In this case the VPN connection can only be initiated from the dynamic side to the fixed side, so that the dynamic side's current IP is made known to the fixed side. If both gateways use dynamic IP addresses, there is no way to establish the VPN connection at all.

1. Setup Prestige A

  1. Using a web browser, log in to the Prestige by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  2. Click Advanced, then click the VPN tab on the left.
  3. On the SUMMARY menu, select a policy to edit by clicking Edit.
  4. On the CONFIGURE-IKE menu, check the Active check box and give this policy a name.
  5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, matching the settings on Prestige B.
  6. Source IP Address Start and Source IP Address End are both the PC 1 IP in this example (the secure host behind Prestige A).
  7. Destination IP Address Start and Destination IP Address End are both the PC 2 IP in this example (the secure remote host).
  8. My IP Addr is the WAN IP of Prestige A.
  9. Secure Gateway IP Addr is the remote secure gateway IP, that is, the WAN IP of Prestige B in this example.
  10. Set Encapsulation Mode to Tunnel.
  11. Check the ESP check box. (AH cannot be used when SUA/NAT is in use.)
  12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, matching the settings on Prestige B.
  13. Enter the key string 12345678 in the Preshared Key text box, and click Apply.

See the screen shot:


If you use SMT management, the VPN configurations are as shown below.

                Menu 27.1.1 - IPSec Setup 

          Index #= 1          Name= PrestigeA
          Active= Yes         Keep Alive= No
          Local ID type= IP           Content= 0.0.0.0
          My IP Addr= 202.132.154.1
          Peer ID type= IP            Content= 0.0.0.0
          Secure Gateway Addr= 168.10.10.66 

          Local:  Addr Type= SINGLE 
              IP Addr Start= 202.132.155.33      End/Subnet Mask= N/A
                 Port Start= 0                   End= N/A
          Remote: Addr Type= SINGLE
              IP Addr Start= 140.130.10.33       End/Subnet Mask= N/A
                 Port Start= 0                   End= N/A 

          Enable Replay Detection= No 
          Key Management= IKE 
          Edit IKE Setup= No 

                   Press ENTER to Confirm or ESC to Cancel: 

 

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases in IKE:

In Phase 1, the two IKE peers establish a secure channel for key exchange.
In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission.

Note that every setting in 'IKE Setup' must be identical on Prestige A and Prestige B.


                     Menu 27.1.1.1 - IKE Setup 

                    Phase 1 
                      Negotiation Mode= Main 
                      Pre-Shared Key= 12345678 
                      Encryption Algorithm= DES 
                      Authentication Algorithm= MD5 
                      SA Life Time (Seconds)= 3600 
                      Key Group= DH1 

                    Phase 2 
                      Active Protocol= ESP 
                      Encryption Algorithm= DES 
                      Authentication Algorithm= MD5 
                      SA Life Time (Seconds)= 3600 
                      Encapsulation= Tunnel 
                      Perfect Forward Secrecy (PFS)= None 

                    Press ENTER to Confirm or ESC to Cancel: 

 


2. Setup Prestige B

Prestige B is configured in the same way as Prestige A, with the local and remote addresses exchanged.

  1. Using a web browser, log in to the Prestige by entering its LAN IP address in the URL field.
  2. Click Advanced, then click the VPN tab on the left.
  3. On the SUMMARY menu, select a policy to edit by clicking Edit.
  4. On the CONFIGURE-IKE menu, check the Active check box and give this policy a name.
  5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, matching the settings on Prestige A.
  6. Source IP Address Start and Source IP Address End are both the PC 2 IP in this example (the secure host behind Prestige B).
  7. Destination IP Address Start and Destination IP Address End are both the PC 1 IP in this example (the secure remote host). Note: You may assign a range of Local/Remote IP addresses for multiple VPN sessions.
  8. My IP Addr is the WAN IP of Prestige B.
  9. Secure Gateway IP Addr is the remote secure gateway IP, that is, the WAN IP of Prestige A in this example.
  10. Set Encapsulation Mode to Tunnel.
  11. Check the ESP check box. (AH cannot be used when SUA/NAT is in use.)
  12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, matching the settings on Prestige A.
  13. Enter the key string 12345678 in the Preshared Key text box, and click Apply.

See the screen shot:


If you use SMT management, the VPN configurations are as shown below.

                            Menu 27.1.1 - IPSec Setup 

          Index #= 1          Name= PrestigeB
          Active= Yes         Keep Alive= No
          Local ID type= IP           Content= 0.0.0.0
          My IP Addr= 168.10.10.66
          Peer ID type= IP            Content= 0.0.0.0
          Secure Gateway Addr= 202.132.154.1 

          Local:  Addr Type= SINGLE 
              IP Addr Start= 140.130.10.33      End/Subnet Mask= N/A
                 Port Start= 0                   End= N/A
          Remote: Addr Type= SINGLE
              IP Addr Start= 202.132.155.33     End/Subnet Mask= N/A
                 Port Start= 0                   End= N/A 
          Enable Replay Detection= No 
          Key Management= IKE 
          Edit IKE Setup= Yes 
 
                    Press ENTER to Confirm or ESC to Cancel: 
 

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases in IKE:

In Phase 1, the two IKE peers establish a secure channel for key exchange.
In Phase 2, the two peers negotiate general-purpose SAs, which are the secure channels for data transmission.

Note that every setting in 'IKE Setup' must be identical on Prestige A and Prestige B.

                              Menu 27.1.1.1 - IKE Setup

                    Phase 1
                      Negotiation Mode= Main
                      Pre-Shared Key= 12345678
                      Encryption Algorithm= DES
                      Authentication Algorithm= MD5
                      SA Life Time (Seconds)= 3600
                      Key Group= DH1

                    Phase 2
                      Active Protocol= ESP
                      Encryption Algorithm= DES
                      Authentication Algorithm= MD5
                      SA Life Time (Seconds)= 3600
                      Encapsulation= Tunnel
                      Perfect Forward Secrecy (PFS)= None

                    Press ENTER to Confirm or ESC to Cancel:
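Because the two policies have to mirror each other exactly (Local on one side is Remote on the other, My IP Addr on one side is Secure Gateway Addr on the other, and every 'IKE Setup' value must be identical), it is worth checking them against each other before trying to bring the tunnel up. The script below is an added example and not ZyXEL code: the two dictionaries carry the values from the Menu 27.1.1 and 27.1.1.1 screens of Prestige A and Prestige B above, the dictionary keys are this example's own shorthand for the menu labels, and the checks encode the rules stated in both setup sections (including the 0.0.0.0 dynamic-peer case from the note at the top of the page and the "AH cannot be used with SUA/NAT" caveat).

```python
"""Cross-check two Prestige IPSec policies for mirror consistency.

Added example, not ZyXEL code. Values are taken from the page's Menu
27.1.1 / 27.1.1.1 screens; the dictionary keys are this example's own
shorthand for the SMT menu labels.
"""
import copy

PRESTIGE_A = {
    "name": "PrestigeA", "active": True, "key_management": "IKE",
    "my_ip": "202.132.154.1", "secure_gateway": "168.10.10.66",
    "local": "202.132.155.33", "remote": "140.130.10.33",
    "phase1": {"mode": "Main", "psk": "12345678", "enc": "DES",
               "auth": "MD5", "life": 3600, "group": "DH1"},
    "phase2": {"protocol": "ESP", "enc": "DES", "auth": "MD5",
               "life": 3600, "encap": "Tunnel", "pfs": "None"},
}

PRESTIGE_B = {
    "name": "PrestigeB", "active": True, "key_management": "IKE",
    "my_ip": "168.10.10.66", "secure_gateway": "202.132.154.1",
    "local": "140.130.10.33", "remote": "202.132.155.33",
    "phase1": {"mode": "Main", "psk": "12345678", "enc": "DES",
               "auth": "MD5", "life": 3600, "group": "DH1"},
    "phase2": {"protocol": "ESP", "enc": "DES", "auth": "MD5",
               "life": 3600, "encap": "Tunnel", "pfs": "None"},
}


def check_pair(a, b, nat_in_path=True):
    """Return a list of (severity, message); an empty list means consistent."""
    findings = []
    # Both sides dynamic: the page says no tunnel can be established at all.
    if a["secure_gateway"] == "0.0.0.0" and b["secure_gateway"] == "0.0.0.0":
        findings.append(("error", "both gateways use dynamic IPs; "
                         "the tunnel cannot be established"))
    for side, peer, me, them in ((a, b, "A", "B"), (b, a, "B", "A")):
        if not side["active"]:
            findings.append(("error", f"{me}: policy is not Active"))
        if side["key_management"] != "IKE":
            findings.append(("error", f"{me}: Key Management must be IKE"))
        if side["secure_gateway"] == "0.0.0.0":
            # Allowed, but only the dynamic side can initiate the tunnel.
            findings.append(("warn", f"{me}: peer has a dynamic IP; the "
                             f"tunnel can only be initiated from {them}"))
        elif side["secure_gateway"] != peer["my_ip"]:
            findings.append(("error", f"{me}: Secure Gateway Addr "
                             f"{side['secure_gateway']} is not {them}'s "
                             f"My IP Addr {peer['my_ip']}"))
        if side["local"] != peer["remote"]:
            findings.append(("error", f"{me}: Local {side['local']} does "
                             f"not match {them}'s Remote {peer['remote']}"))
    # Every IKE Setup value must be identical on both ends.
    for phase in ("phase1", "phase2"):
        for key, value in a[phase].items():
            if value != b[phase].get(key):
                # Never echo the pre-shared key itself in a report.
                shown = "" if key == "psk" else \
                    f" (A={value}, B={b[phase].get(key)})"
                findings.append(("error", f"{phase} {key} differs{shown}"))
    if nat_in_path and "AH" in (a["phase2"]["protocol"],
                                b["phase2"]["protocol"]):
        findings.append(("error", "AH cannot be used with SUA/NAT; use ESP"))
    return findings


def errors(findings):
    """Only the messages that would stop the tunnel from coming up."""
    return [msg for sev, msg in findings if sev == "error"]


def altered(policy, path, value):
    """Deep copy of a policy with one field changed, for what-if checks."""
    changed = copy.deepcopy(policy)
    target = changed
    for key in path[:-1]:
        target = target[key]
    target[path[-1]] = value
    return changed


if __name__ == "__main__":
    result = check_pair(PRESTIGE_A, PRESTIGE_B)
    for sev, msg in result or [("ok", "policies are consistent")]:
        print(f"[{sev}] {msg}")
```

Run it before touching the routers; a non-empty error list points at the exact field to fix in Menu 27, which is the same check the Troubleshooting section asks you to do by hand when the rule name never appears in Menu 27.2.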
 

 


3. Troubleshooting

Q: How do we know the above tunnel works?

A: If the connection between PC 1 and PC 2 is ok, we know the tunnel works.

Please try to ping from PC 1 to PC 2 (or from PC 2 to PC 1). If PC 1 and PC 2 can ping each other, the IPSec tunnel has been established successfully. If the ping fails, there are two ways to troubleshoot IPSec on the Prestige.

Through menu 27.2 you can monitor every IPSec connection currently running on the Prestige. The second column of each entry shows the IPSec rule name, so if the name of your IPSec rule is not listed, the SA establishment has failed. Go back to Menu 27 and check your settings.

                                       Menu 27.2 - SA Monitor

 #                   Name                             Encap.  IPSec ALgorithm
 -- -------------------------------------------------- ---------- -------------------------
 1  PrestigeA      ca24f1eb6616b7c4 732c211ae9b01a0f   Tunnel   ESP DES-SHA1
 2
 3
 4
 5
 6
 7
 8
 9
 10

                    Select Command= Refresh
                    Select Connection= N/A

                    Press ENTER to Confirm or ESC to Cancel:
 

 

Enter 'ipsec debug 1' in Menu 24.8. Many detailed messages will be printed showing how the negotiation takes place. If the IPSec connection fails, please capture the 'ipsec debug 1' output for our analysis. The following is an example of the dumped messages.

Prestige> ipsec debug 1
IPSEC debug level 1
Prestige> catcher(): recv pkt numPkt<1>
get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80>
f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 80010001 80020001
80040001 80030001 800b0001 800c0e10
In isadb_get_entry, nxt_pyld=1, exch=2
New SA
In responder
isadb_create_entry(): RESPONSOR:
##entering spGetPeerByAddr...
<deleted>
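The hex words in the dump above are the raw first IKE packet, and the 'get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80>' line is the Prestige's own decoding of its header. Decoding the rest of the packet shows exactly which Phase 1 proposal the peer sent, which is the quickest way to tell whether a failing negotiation is a settings mismatch. The script below is an added example and not ZyXEL code: it parses the 80 bytes copied from the dump above using the ISAKMP header and SA/Proposal/Transform payload layout (RFC 2408) and the IKE Phase 1 attribute numbering (RFC 2409), and reports the proposal in the same terms as Menu 27.1.1.1. The attribute name tables are this example's own, limited to the values the page's configuration uses plus the common alternatives.

```python
"""Decode the first IKE packet from a Prestige 'ipsec debug 1' dump.

Added example, not ZyXEL code. Layout follows RFC 2408 (ISAKMP header,
SA/Proposal/Transform payloads) and RFC 2409 appendix A (Phase 1
attribute numbers). The hex dump is copied from the page.
"""
import struct

# Hex words copied from the page's 'ipsec debug 1' output (one 80-byte packet).
DEBUG_DUMP = """
f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034
00000001 00000001 00000028 01010001 00000020 01010000 80010001 80020001
80040001 80030001 800b0001 800c0e10
"""

EXCHANGE_TYPES = {2: "Main", 4: "Aggressive", 5: "Informational", 32: "Quick"}

# RFC 2409 Phase 1 attribute classes and the values this example knows.
ATTR_NAMES = {1: "Encryption Algorithm", 2: "Hash Algorithm",
              3: "Authentication Method", 4: "Group Description",
              11: "Life Type", 12: "Life Duration"}
ATTR_VALUES = {
    1: {1: "DES", 5: "3DES"},
    2: {1: "MD5", 2: "SHA1"},
    3: {1: "Pre-Shared Key", 3: "RSA Signature"},
    4: {1: "DH1", 2: "DH2"},
    11: {1: "Seconds", 2: "Kilobytes"},
}


def hex_words_to_bytes(dump):
    """Join the whitespace-separated 32-bit hex words into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_isakmp_header(pkt):
    """Decode the fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    if len(pkt) < 28:
        raise ValueError("packet shorter than an ISAKMP header")
    icookie, rcookie, nxt, ver, exch, flags, mid, length = struct.unpack(
        "!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError(f"header says {length} bytes, dump has {len(pkt)}")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),   # all zero in the first packet
        "next_payload": nxt,                 # 1 = SA payload
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange_mode": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "flags": flags,
        "message_id": mid,                   # 0 for Phase 1
        "length": length,
    }


def parse_phase1_proposal(pkt):
    """Walk SA -> Proposal -> Transform and decode the Phase 1 attributes."""
    hdr = parse_isakmp_header(pkt)
    if hdr["next_payload"] != 1:
        raise ValueError("first payload is not an SA payload")
    sa_off = 28
    _, _, sa_len = struct.unpack("!BBH", pkt[sa_off:sa_off + 4])
    doi, situation = struct.unpack("!II", pkt[sa_off + 4:sa_off + 12])
    p_off = sa_off + 12
    _, _, p_len, prop_no, proto_id, spi_size, n_trans = struct.unpack(
        "!BBHBBBB", pkt[p_off:p_off + 8])
    t_off = p_off + 8 + spi_size           # SPI is empty for ISAKMP proposals
    _, _, t_len, t_no, t_id, _ = struct.unpack("!BBHBBH", pkt[t_off:t_off + 8])
    if t_off + t_len > sa_off + sa_len:
        raise ValueError("transform runs past the SA payload")
    attrs = {}
    a_off, end = t_off + 8, t_off + t_len
    while a_off < end:
        atype, avalue = struct.unpack("!HH", pkt[a_off:a_off + 4])
        a_off += 4
        if atype & 0x8000:                  # basic attribute: value inline
            atype &= 0x7FFF
        else:                               # variable-length: avalue is a length
            raw = pkt[a_off:a_off + avalue]
            a_off += avalue
            avalue = int.from_bytes(raw, "big")
        name = ATTR_NAMES.get(atype, f"attr{atype}")
        attrs[name] = ATTR_VALUES.get(atype, {}).get(avalue, avalue)
    return {"doi": doi, "situation": situation, "proposal": prop_no,
            "protocol_id": proto_id, "transforms": n_trans,
            "transform_id": t_id, **attrs}


if __name__ == "__main__":
    packet = hex_words_to_bytes(DEBUG_DUMP)
    for k, v in parse_isakmp_header(packet).items():
        print(f"{k:>18}: {v}")
    for k, v in parse_phase1_proposal(packet).items():
        print(f"{k:>24}: {v}")
```

For the dump on the page the decoder reproduces the Prestige's own header line (next payload 1, exchange 2 = Main, message id 0, length 80) and a single proposal of DES / MD5 / DH1 / pre-shared key with a 3600-second lifetime, which is exactly the Phase 1 block of Menu 27.1.1.1 above. When a tunnel fails, run the same decode on the packet the peer sent and compare each attribute with the local IKE Setup; any attribute that differs is the setting to fix.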

 


4. View Log

To view the log of IPSec and IKE connections, enter menu 27.3, View IPSec Log. The log is also useful for troubleshooting; please capture it and send it to us if necessary. An example is shown below.

Index: Date: Log:
---------------------------------------------------------
001 01 Jan 00:15:11 <<<<INFO Sending IKE Packet == 15
002 01 Jan 00:15:11 <<<<Sending IKE Packet == 15
003 01 Jan 00:15:11 <<<<INFO Sending IKE Packet == 15
004 01 Jan 00:15:11 <<<<Sending IKE Packet == 15
005 01 Jan 00:15:16 <<<<Sending IKE Packet == 0
006 01 Jan 00:15:16 >>>>MM Receiving IKE Packet == 2
007 01 Jan 00:15:18 <<<<Sending IKE Packet == 3
008 01 Jan 00:15:18 >>>>MM Receiving IKE Packet == 4
009 01 Jan 00:15:19 <<<<Sending IKE Packet == 5
010 01 Jan 00:15:19 >>>>MM Receiving IKE Packet == 6
011 01 Jan 00:15:19 <<<<Sending IKE Packet == 6
012 01 Jan 00:15:19 >>>>QM Receiving IKE Packet == 15
013 01 Jan 00:15:19 <<<<Sending IKE Packet == 15
Clear IPSec Log (y/n):
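The log above records each IKE packet sent ('<<<<') or received ('>>>>') with a MM or QM tag on the received side, and reading it tells you how far a negotiation got before it stalled. The script below is an added example and not ZyXEL code: it parses the 13 log lines copied from the page into structured records and reports the last IKE phase that received a reply. It assumes, as in standard IKE terminology, that MM marks Phase 1 Main Mode and QM marks Phase 2 Quick Mode, and it deliberately does not interpret the numeric packet values, which the page does not explain.

```python
"""Parse the Prestige Menu 27.3 'View IPSec Log' output and report how far
the IKE negotiation progressed.

Added example, not ZyXEL code. The log lines are copied from the page.
Assumption: MM = Phase 1 Main Mode, QM = Phase 2 Quick Mode.
"""
import re
from collections import Counter

# Copied from the page's Menu 27.3 example.
IPSEC_LOG = """\
001 01 Jan 00:15:11 <<<<INFO Sending IKE Packet == 15
002 01 Jan 00:15:11 <<<<Sending IKE Packet == 15
003 01 Jan 00:15:11 <<<<INFO Sending IKE Packet == 15
004 01 Jan 00:15:11 <<<<Sending IKE Packet == 15
005 01 Jan 00:15:16 <<<<Sending IKE Packet == 0
006 01 Jan 00:15:16 >>>>MM Receiving IKE Packet == 2
007 01 Jan 00:15:18 <<<<Sending IKE Packet == 3
008 01 Jan 00:15:18 >>>>MM Receiving IKE Packet == 4
009 01 Jan 00:15:19 <<<<Sending IKE Packet == 5
010 01 Jan 00:15:19 >>>>MM Receiving IKE Packet == 6
011 01 Jan 00:15:19 <<<<Sending IKE Packet == 6
012 01 Jan 00:15:19 >>>>QM Receiving IKE Packet == 15
013 01 Jan 00:15:19 <<<<Sending IKE Packet == 15
"""

LOG_RE = re.compile(
    r"^(?P<index>\d{3}) (?P<time>\d{2} \w{3} \d{2}:\d{2}:\d{2}) "
    r"(?P<dir><<<<|>>>>)(?P<tag>INFO|MM|QM)?\s*(?P<text>.*?) == (?P<num>\d+)$")


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "index": int(d["index"]),
            "time": d["time"],
            "direction": "sent" if d["dir"] == "<<<<" else "received",
            "tag": d["tag"] or "",
            "text": d["text"],
            "num": int(d["num"]),
        })
    return entries


def phase_reached(entries):
    """0 = no reply from the peer, 1 = Main Mode replies only, 2 = Quick Mode reached."""
    tags = {e["tag"] for e in entries if e["direction"] == "received"}
    if "QM" in tags:
        return 2
    if "MM" in tags:
        return 1
    return 0


def summarize(entries):
    """Counts a support engineer would look at first when a tunnel fails."""
    by_dir = Counter(e["direction"] for e in entries)
    received_tags = Counter(e["tag"] for e in entries
                            if e["direction"] == "received")
    return {
        "entries": len(entries),
        "sent": by_dir["sent"],
        "received": by_dir["received"],
        "mm_received": received_tags["MM"],
        "qm_received": received_tags["QM"],
        "phase_reached": phase_reached(entries),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_log(IPSEC_LOG)).items():
        print(f"{k:>14}: {v}")
```

A log that shows only sent packets and no '>>>>' lines means the peer never answered (check the Secure Gateway Addr and the path between the WAN interfaces); MM replies without a QM reply point at a Phase 2 mismatch in Menu 27.1.1.1 or in the Local/Remote address ranges of Menu 27.1.1.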