WIN2K VPN to Prestige Tunneling
- Setup WIN2K VPN
- Setup Prestige VPN
Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the
User's Manual on the packaged CD-ROM.
This page guides you through setting up a VPN connection between the WIN2K VPN
software and a Prestige router. Two devices need to be set up for this case:
the WIN2K VPN software and the Prestige router.
As the figure below shows, the tunnel between PC 1 and the Prestige ensures that
the packets flowing between them are secure, because packets going through the
IPSec tunnel are encrypted. The settings required on WIN2K and on the Prestige to
set up this tunnel are explained in the following sections. As the red pipe in
the figure shows, the tunneling endpoints are WIN2K and the Prestige.
The IP addresses used in this example are as shown below.
PC 1: 172.21.1.232
Prestige: LAN 192.168.1.1 / WAN 172.21.1.252
PC 2: 192.168.1.33
1. Setup WIN2K VPN
- Create a custom MMC console
- From Windows desktop, click Start, click
Run, and in the Open textbox type
MMC. Click OK.

- On the Console window, click Add/Remove Snap-In.

- In the Add/Remove Snap-In dialog box, click
Add.

- In the Add Standalone Snap-in dialog box, click
Computer Management, and then click Add.

- Verify that Local Computer (default setting) is selected,
and click Finish.

- In the Add Standalone Snap-in dialog box, click
Group Policy, and then click Add.

- Verify that Local Computer (default setting) is selected
in the Group Policy Object dialog box, and then click
Finish.

- In the Add Standalone Snap-in dialog box, click
Certificates, and then click Add.

- In the Certificates snap-in dialog box, select
Computer account, and click Next.

- Verify that Local Computer (default setting) is selected,
and click Finish.

- Click Close to close the Add Standalone
Snap-in dialog box.

- Click OK to close the Add/Remove
Snap-in dialog box.

- Create IPSec Policy
Typically, a Windows 2000 gateway is not a member of a domain, so a local IPSec
policy is created. If your Windows 2000 gateway is a member of a domain that
already has an IPSec policy assigned, that domain policy takes precedence over the
local one. In this case, you can create an Organizational Unit (OU) in Active
Directory, make your WIN2K a member of this OU, and assign the IPSec policy to the
Group Policy Object (GPO) of this OU. For more information, refer to the Assigning
IPSec Policy section of Windows 2000 online help.
- From Windows desktop, click Start, click
Run, and in the Open textbox type
SECPOL.MSC. Click OK.

- Right click IP Security Policies on Local Machine, and
then click Create IP Security Policy.

- Click Next, and type a name for your policy. For example,
WIN2K to Prestige Tunnel.

- Clear the Activate the default response rule check box, and
click Next.

- Keep the Edit properties check box
selected and click Finish.

- A dialog window appears for you to configure two filter rules for
this policy.

Note: The IPSec policy is created with the default IKE main mode (phase 1)
settings on the General tab. Check the details by clicking Advanced on
this tab.
The IPSec tunnel consists of two rules, each of which specifies a tunnel
endpoint. Because there are two endpoints, we need two filter rules: one for
the direction from PC 1 to PC 2 (endpoint is Prestige), and the other from
PC 2 to PC 1 (endpoint is WIN2K). In each rule, a source IP and a destination IP
for the local and remote VPN clients (PC 1 or PC 2) are required. See the guides
below.
- Build a Filter List from PC 1 to PC 2
- In policy properties, uncheck Use Add Wizard check box,
and click Add to create a new rule.

- On the IP Filter List tab, click Add.

- Type a name for the filter list (e.g., WIN2K to Prestige), uncheck
Use Add Wizard check box, and click Add.

- In the Source address, choose A specific IP
Address, and enter the IP address of PC 1

- In the Destination address, choose A specific IP
Address, and enter the IP address of PC 2

- Uncheck Mirror check box.

- On the Protocol tab, leave the protocol type as Any,
because IPSec tunnels do not support protocol-specific or port-specific
filters.

- On the Description tab, you can give a name for this
filter list. The filter name is displayed in the IPSec monitor when the tunnel
is active.

- Click OK and Close to close the windows.

- Build a Filter List from PC 2 to PC 1
- On the IP Filter List tab, click Add.

- Type a name for the filter list (e.g., Prestige to WIN2K), uncheck
Use Add Wizard check box, and click Add.

- In the Source address, choose A specific IP
Address, and enter the IP address of PC 2

- In the Destination address, choose A specific IP
Address, and enter the IP address of PC 1

- Uncheck Mirror check box.

- On the Protocol tab, leave the protocol type as Any,
because IPSec tunnels do not support protocol-specific or port-specific
filters.

- On the Description tab, you can give a name for this
filter list. The filter name is displayed in the IPSec monitor when the tunnel
is active.

- Click OK and Close to close the windows.

- Configure a Rule for PC 1 to PC 2 tunnel
- Select the first filter list you created above from the IP Filter
List. For example, WIN2K to Prestige.

- Click Tunnel Setting tab, enter the remote endpoint. For
this filter list, the remote IPSec endpoint is Prestige.

- Click the Connection Type tab, and click All network
connections (or click LAN connections if your WIN2K connects only to the
LAN and not to an ISP). In our example, we choose All network
connections.

- Click Filter Action tab, uncheck Use Add
Wizard check box, and click Add.

- Leave Negotiate security checked, and uncheck the
Accept unsecured communication, but always respond using
IPSec check box. You must do this to ensure secure connections.

- Click Add and select Custom (for expert
users) if you want to define specific algorithms and session key lifetimes.
Make sure these settings match what we will configure on the Prestige later.


- Click OK. On the General tab, give a
name to the filter action, for example WIN2K to Prestige, and click
OK.

- Select the filter action you just created.

- On the Authentication Methods tab, click
Add and select the Use this string to protect the key
exchange (pre-shared key) option. Enter the string
12345678 in the text box.

- Click OK.

See the finished screen shot.

- Configure a Rule for PC 2 to PC 1 tunnel
- In the IPSec policy properties, click Add to create a new rule.

- Select the second filter list you created above from the IP Filter
List. For example, Prestige to WIN2K.

- Click Tunnel Setting tab, enter the remote endpoint. For
this filter list, the remote IPSec endpoint is WIN2K.

- Click the Connection Type tab, and click All network
connections (or click LAN connections if your WIN2K connects only to the
LAN and not to an ISP). In our example, we choose All network
connections.

- Click Filter Action tab, select the filter action you
created.

- On the Authentication Method tab, configure the same
settings as done in the first rule.

- Click Close.

- Enable both rules you created in the policy properties and click
Close.
Figure 5: See the finished screen shot

- Assign Your New IPSec Policy to Your Windows 2000
- In the IP Security Policies on Local Machine MMC snap-in, right click your
new policy, and click Assign.
- A green arrow will appear in the folder icon next to your policy. See the
screen shot below.

For more information about configuring WIN2K IPSec, refer to the
following web sites.
1. http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
2. http://support.microsoft.com/support/kb/articles/q252/7/35.asp
2. Setup Prestige VPN
- Using a web browser, log in to the Prestige by entering its LAN IP address
in the URL field. The default LAN IP is 192.168.1.1, and the default password
for the web configurator is 1234.
- Click Advanced, and click the VPN tab on the
left.
- On the SUMMARY menu, select a policy to edit by clicking
Edit.
- On the CONFIGURE-IKE menu, check the Active
check box and give a name to this policy.
- Set IPSec Keying Mode to IKE and
Negotiation Mode to Main, as configured
in WIN2K.
- Source IP Address Start and Source IP Address
End are the PC 2 IP in this example (the secure host
behind the Prestige).
- Destination IP Address Start and Destination IP
Address End are the PC 1 IP in this example (the secure
WIN2K PC). Note: You may assign a range of Source/Destination IP addresses for
multiple VPN sessions.
- My IP Addr is the WAN IP of the Prestige.
- Secure Gateway IP Addr is the remote WIN2K's
IP, that is, PC 1 in this example.
- Set Encapsulation Mode to Tunnel.
- Check the ESP check box. (AH cannot be used in the SUA/NAT
case.)
- Set Encryption Algorithm to DES and
Authentication Algorithm to MD5, as
configured in WIN2K.
- Enter the key string 12345678 in the Preshared
Key text box, and click Apply.
Figure 8: See the VPN rule screen shot

If you use SMT management, the VPN configuration is as shown below.

Menu 27.1.1 - IPSec Setup

  Index #= 1                      Name= Prestige
  Active= Yes                     Keep Alive= No
  Local ID type= IP               Content= 0.0.0.0
  My IP Addr= 172.21.1.252
  Peer ID type= IP                Content= 0.0.0.0
  Secure Gateway Addr= 172.21.1.232
  Protocol= 0
  Local:  Addr Type= SINGLE
          IP Addr Start= 192.168.1.33     End/Subnet Mask= N/A
          Port Start= 0                   End= N/A
  Remote: Addr Type= SINGLE
          IP Addr Start= 172.21.1.232     End/Subnet Mask= N/A
          Port Start= 0                   End= N/A
  Enable Replay Detection= No
  Key Management= IKE
  Edit IKE Setup= Yes
  Edit Manual Setup= N/A

  Press ENTER to Confirm or ESC to Cancel:
1. Edit the IKE settings by setting the 'Edit IKE Setup' option in menu 27.1.1
to 'Yes' and then pressing 'Enter'.
2. There are two phases for IKE:
In Phase 1, the two IKE peers establish a secure channel for key exchange.
In Phase 2, the two peers negotiate general-purpose SAs, which are the secure
channels for data transmission.
Please note that every setting in 'IKE Setup' must match the settings configured
in WIN2K.
Menu 27.1.1.1 - IKE Setup

  Phase 1
    Negotiation Mode= Main
    Pre-Shared Key= 12345678
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)= 3600
    Key Group= DH1

  Phase 2
    Active Protocol= ESP
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)= 3600
    Encapsulation= Tunnel
    Perfect Forward Secrecy (PFS)= None

  Press ENTER to Confirm or ESC to Cancel:
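As an added example (not ZyXEL's or Microsoft's code), the Python below parses a constructed copy of the Menu 27.1.1.1 screen and checks it field by field against the values this guide has you enter in the WIN2K custom filter action and authentication method, since a mismatch in any of these is the usual reason the tunnel never negotiates. The WIN2K_RULE table is an assumption: it restates the WIN2K settings using the Prestige field names so the two sides can be compared directly.

```python
# Constructed copy of the "Menu 27.1.1.1 - IKE Setup" screen shown on this page.
PRESTIGE_IKE_SETUP = """\
Menu 27.1.1.1 - IKE Setup
Phase 1
  Negotiation Mode= Main
  Pre-Shared Key= 12345678
  Encryption Algorithm= DES
  Authentication Algorithm= MD5
  SA Life Time (Seconds)= 3600
  Key Group= DH1
Phase 2
  Active Protocol= ESP
  Encryption Algorithm= DES
  Authentication Algorithm= MD5
  SA Life Time (Seconds)= 3600
  Encapsulation= Tunnel
  Perfect Forward Secrecy (PFS)= None
"""
# Assumed: the values this guide has you enter in the WIN2K filter action and
# authentication method, keyed (phase, field) with the Prestige field names.
WIN2K_RULE = {
    ("Phase 1", "Negotiation Mode"): "Main",
    ("Phase 1", "Pre-Shared Key"): "12345678",
    ("Phase 1", "Encryption Algorithm"): "DES",
    ("Phase 1", "Authentication Algorithm"): "MD5",
    ("Phase 1", "Key Group"): "DH1",
    ("Phase 2", "Active Protocol"): "ESP",
    ("Phase 2", "Encryption Algorithm"): "DES",
    ("Phase 2", "Authentication Algorithm"): "MD5",
    ("Phase 2", "Encapsulation"): "Tunnel",
    ("Phase 2", "Perfect Forward Secrecy (PFS)"): "None",
}

def parse_smt_ike(text):
    """Turn an SMT 'Field= Value' dump into {(phase, field): value}."""
    settings, phase = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Phase 1", "Phase 2"):
            phase = line                      # lines before a phase header are ignored
        elif phase and "=" in line:
            field, value = line.split("=", 1)
            settings[(phase, field.strip())] = value.strip()
    return settings

def mismatches(prestige_text, win2k_rule):
    """Return (phase, field, prestige_value, win2k_value) tuples where the peers disagree."""
    prestige = parse_smt_ike(prestige_text)   # any entry returned will make IKE phase 1 or 2 fail
    return [(p, f, prestige.get((p, f)), v)
            for (p, f), v in win2k_rule.items() if prestige.get((p, f)) != v]
```

An empty result means the two proposals agree; a non-empty one names the phase and field to correct before looking anywhere else.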