Intel VPN client to Prestige Tunneling

  1. Setup Intel VPN client 
  2. Setup Prestige VPN

Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the User's Manual on the packaged CD-ROM.


This page explains how to set up a VPN connection between the Intel VPN client software and a Prestige router. Two devices need to be configured: the Intel VPN client software and the Prestige router.

As shown in the figure below, the tunnel between PC 1, which has the Intel VPN client installed, and the Prestige secures the packets flowing between them, because packets that go through the IPSec tunnel are encrypted. The settings required on the Intel VPN client and the Prestige to set up this VPN tunnel are explained in the following sections. As the red pipe in the figure shows, the tunnel endpoints are the Intel VPN client and the Prestige.

 

The IP addresses we use in this example are as shown below.

PC 1        172.21.1.232
Prestige    LAN: 192.168.1.1
            WAN: 172.21.1.252
PC 2        192.168.1.33


1. Setup Intel VPN client

  1. Select Tunnels/New.../IPSEC Tunnel to create a VPN connection.

  2. Give this tunnel a name, Prestige for example. Specify the VPN Gateway IP Address as 172.21.1.252. Set Tunnel Applies to to All network connections. Uncheck Enable IP Address assignment and WINS/DNS via VPN Gateway.

  3. Select the Security Associations tab. Press Add... to enter the IP address of the remote VPN network: IP Address 192.168.1.0, Subnet Mask 255.255.255.0, Protocol ALL, Port ALL. Then set the Phase 2 parameters: AH None, Authentication HMAC MD5, Encryption DES (56-bit key), and uncheck Transport mode. Specify the Phase 2 SA life time you would like to use. Click OK to save the settings.

  4. Select Shared Secret as the Authentication Method, and enter the pre-shared key: 12345678. Then press Advanced... to edit the Phase 1 parameters.

  5. Specify the Phase 1 SA life time you would like to have, 60 minutes for example. Set Encryption to DES 56-bit key, Authentication to HMAC MD5, and Diffie-Hellman Group to 1-RSA 768 bits. Click OK to save.


2. Setup Prestige VPN

  1. Using a web browser, log in to the Prestige by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  2. Click Advanced, then click the VPN tab on the left.
  3. On the SUMMARY menu, select a policy to edit by clicking Edit.
  4. On the CONFIGURE-IKE menu, check the Active check box and give this policy a name.
  5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in SSH.
  6. Source IP Address Start and Source IP Address End are the PC 2 IP in this example (the secure host behind the Prestige).
  7. Destination IP Address Start and Destination IP Address End are PC 1 in this example (the secure SSH PC). Note: You may assign a range of Source/Destination IP addresses for multiple VPN sessions.
  8. My IP Addr is the WAN IP of the Prestige.
  9. Secure Gateway IP Addr is the remote SSH's IP, that is, PC 1 in this example.
  10. Set Encapsulation Mode to Tunnel.
  11. Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
  12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in SSH.
  13. Enter the key string 12345678 in the Preshared Key text box, and click Apply.
  14. Press the Advanced button to set the IKE phase 1 and phase 2 parameters.

See the VPN rule screen shot

Set IKE Phase 1 and Phase 2 parameters.


If you use SMT management, the VPN configurations are as shown below.

                            
                            Menu 27.1.1 - IPSec Setup

          Index #= 1        Name= to_ssh
           Active= Yes       Keep Alive= No
          Local ID type= IP         Content= 0.0.0.0
          My IP Addr= 172.21.1.252
          Peer ID type= IP          Content= 0.0.0.0       
          Secure Gateway Addr= 172.21.1.232
          Protocol= 0
          Local:  Addr Type= SUBNET
              IP Addr Start= 192.168.1.0          End= 255.255.255.0
                 Port Start= 0                    End= N/A
          Remote: Addr Type= SINGLE
              IP Addr Start= 172.21.1.232         End= N/A
                 Port Start= 0                    End= N/A
          Enable Replay Detection= No
          Key Management= IKE
          Edit Key Management Setup= No

                    Press ENTER to Confirm or ESC to Cancel:
 

1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1 to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE:

In Phase 1, the two IKE peers establish a secure channel for key exchange.
In Phase 2, the two peers negotiate general-purpose SAs, which are secure channels for data transmission.

Please note that any configuration in 'IKE Setup' should match the settings configured in SSH.

                            
                            Menu 27.1.1.1 - IKE Setup

                    Phase 1
                      Negotiation Mode= Main
                      Pre-Shared Key= 12345678
                      Encryption Algorithm= DES
                      Authentication Algorithm= MD5
                      SA Life Time (Seconds)= 28800
                      Key Group= DH1

                    Phase 2
                      Active Protocol= ESP
                      Encryption Algorithm= DES
                      Authentication Algorithm= MD5
                      SA Life Time (Seconds)= 28800
                      Encapsulation= Tunnel
                      Perfect Forward Secrecy (PFS)= None

                    Press ENTER to Confirm or ESC to Cancel:
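
The requirement that the 'IKE Setup' values match the peer can be checked mechanically. The following is an added example, not part of the original page or any ZyXEL or Intel tool: it parses a Menu 27.1.1.1 screen dump and compares it with the client values from section 1. The function names and the mapping of client fields onto SMT field names are assumptions of this example. Run on the page's own values, it reports the Phase 1 SA life time, where section 1 suggests 60 minutes and the menu shows 28800 seconds.

```python
# Router side: the Menu 27.1.1.1 values from this page, as a screen dump.
SMT_IKE_SETUP = """
Phase 1
  Negotiation Mode= Main
  Pre-Shared Key= 12345678
  Encryption Algorithm= DES
  Authentication Algorithm= MD5
  SA Life Time (Seconds)= 28800
  Key Group= DH1
Phase 2
  Active Protocol= ESP
  Encryption Algorithm= DES
  Authentication Algorithm= MD5
  SA Life Time (Seconds)= 28800
  Encapsulation= Tunnel
  Perfect Forward Secrecy (PFS)= None
"""

# Client side: the section 1 values, re-keyed to the SMT field names.
# The mapping is an assumption of this example (e.g. "AH None" -> ESP).
INTEL_CLIENT = {
    "Phase 1": {"Pre-Shared Key": "12345678", "Encryption Algorithm": "DES",
                "Authentication Algorithm": "MD5", "Key Group": "DH1",
                "SA Life Time (Seconds)": "3600"},  # "60 minutes for example"
    "Phase 2": {"Active Protocol": "ESP", "Encryption Algorithm": "DES",
                "Authentication Algorithm": "MD5", "Encapsulation": "Tunnel"},
}

def parse_smt(text):
    """Return {phase: {field: value}} from an SMT IKE Setup screen dump."""
    phases, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Phase ") and "=" not in line:
            current = phases.setdefault(line, {})
        elif "=" in line and current is not None:
            field, _, value = line.partition("=")
            current[field.strip()] = value.strip()
    return phases

def mismatches(router, client):
    """List (phase, field, router_value, client_value) where the peers differ."""
    return [(phase, field, router.get(phase, {}).get(field), want)
            for phase, fields in client.items()
            for field, want in fields.items()
            if router.get(phase, {}).get(field) != want]

if __name__ == "__main__":
    for row in mismatches(parse_smt(SMT_IKE_SETUP), INTEL_CLIENT):
        print("MISMATCH %s / %s: router=%r client=%r" % row)
```

Fields that are present only on the router side, such as Perfect Forward Secrecy, are parsed but not compared, because section 1 gives no client value for them.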