Charlie 20030401 Appendix B Win 2000/XP IPSEC Setting guide Example: Win XP/2000 VPN Router (Configuration on WIN 2000 is similar to XP) 1. On Win 2000/XP, click [Start] button, select [Run], type secpol.msc in the field, then click [Run] Goto **Local Security Policy Settings** page 2.
Double-click [Administrative Tools]
Local Security Policy Settings Double-click [Local Security Policy]
Right-click [IP Security Policies on Local Computer], and click [Create IP Security Policy]. Click the [Next] button, enter your policy’s name (Here it is to_vpn_router). Then, click [Next]. Introduction Dis-select the [Activate the default response rule] check box, and click [Next] button. Click [Finish] button, make sure [Edit] check box is checked.
Build 2 Filter Lists: “xp->router” and “router->xp” Filter List 1: xp-> router In the “new policy’s properties” screen, disselect [Use Add Wizard] check box, and then click [Add] button to create a new rule.
click [Add] button
Enter a name, for example: xp->router and dis-select [Use Add Wizard] check box. Click [Add] button. In the Source address field, select [A specific IP Address]. and fill in IP Address: 192.168.1.1 In the Destination address field, select [A specific IP Subnet], fill in IP Address: 192.168.123.0 and Subnet mask: 255.255.255.0. If you want to select a protocol for your filter, click [Protocol] page.
Click [OK] button. Then click [OK] button on the “IP Filter List” page.
select [Filter Action], select [Require Security], then click [Edit] button.
select [Negotiate security], Select [Session key Perfect Forward Secrecy (PFS)] click [Edit] button.
select [Custom] button
Select [Data integrity and encryption (ESP)] Configure “Integrity algorithm”: [MD5] Configure “Encryption algorithm”: [DES] Configure “Generate a new key every [10000] seconds” Click [OK] button select [Authentication Methods] page, click [Add] button.
select [Use this string to protect the key exchange (preshared key)], and enter your preshared key string, such as mypresharedkey. Click [OK] button. Click [OK] button on [Authentication Methods] page.
configure [The tunnel endpoint is specified by this IP address]: 192.168.1.
select [All network connections] Tunnel 2: router->xp In the “new policy’s properties” page, dis-select [Use Add Wizard] check box, and then click [Add] button to create a new rule.
click [Add] button
Enter a name, such as router->xp and dis-select [Use Add Wizard] check box. Click [Add] button. In the Source address field, select [A specific IP Subnet]. fill in IP Address: 192.168.123.0 and Subnet mask: 255.255.255.0. In the Destination address field, select [A specific IP Address], and fill in IP Address: 192.168.1.1 If you want to select a protocol for your filter, click [Protocol] page.
Click [OK] button. Then click [OK] button on [IP Filter List] window.
select [Filter Action tab], select [Require Security], then click [Edit] button.
select [Negotiate security], Select [Session key Perfect Forward Secrecy (PFS)] click [Edit] button.
select [Custom] button
Select [Data integrity and encryption (ESP)] Configure “Integrity algorithm”: [MD5] Configure “Encryption algorithm”: [DES] Configure “Generate a new key every [10000] seconds” Click [OK] button select [Authentication Methods] page, click [Add] button.
select [Use this string to protect the key exchange (preshared key)], and enter the preshared key string, such as mypresharedkey. Click [OK] button. Click [OK] button on [Authentication Methods] page.
Configure [The tunnel endpoint is specified by this IP address]: 192.168.1.
select [All network connections]
Configure IKE properties Select [General] Click [Advanced…]
enable “Master key perfect forward security (PFS)” configure “Authenticate and generate a new key after every [10000] seconds” click [Methods…] click [Add] button Configure “Integrity algorithm”: [SHA1] Configure “Encryption algorithm”: [3DES] Configure “Diffie-Helman group”: [Medium (2)]
Settings on VPN router VPN Router: Wan IP address:192.168.1.254 Lan IP address:192.168.123.254 PC: 192.168.123.123 VPN Settings: VPN: Enable Max.
VPN Settings - Tunnel 1 – IKE Tunnel:1 Local Subnet:192.168.123.0 Local Netmask:255.255.255.0 Remote Subnet:192.168.1.1 Remote Netmask:255.255.255.255 Remote Gateway:192.168.1.
VPN Settings - Tunnel 1 - Set IKE Proposal ID: 1 Proposal Name: 1 DH Group: Group2 Encrypt. Algorithm: 3DES Auth. Algorithm: SHA1 Life Time: 10000 Life Time Unit: Sec.
VPN Settings - Tunnel 1 - Set IPSec Proposal ID: 1 Proposal Name: proposal1 DH Group: Group2 Encap. Protocol: ESP Encrypt. Algorithm: DES Auth. Algorithm:MD5 Life Time: 10000 Life Time Unit: Sec.
User can view VPN connection process in “System Log” page, and correct their settings. Phase1 is related to IKE settings, Phase2 is related to IPSEC settings.
Appendix C Console Mode (optional) When you forget the system password or the IP address of this product, you need enter console mode to reset them. Before invoking the console program, be sure to find a null modem cable and use it to connect from this product’s COM port to your computer’s COM port. Then, execute a terminal program, such as the Hyper Terminal of MS Windows 95. The connection parameters should be set to 19200 8-N-1. And, reboot this product.
