APPLICATION NOTES – CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Release date: 11/12/2003

1 Introduction

This application note details the steps for creating an IKE IPSec VPN tunnel between an ASUS Internet Security Router and a PC running Microsoft Windows 2000 or XP.
[Figure 2.2. Configure the IP address of the Windows 2000/XP PC]

2.1.1 Verify the Routing Table in Windows 2000/XP

After the IP address and default gateway have been properly configured for your PC, enter the “route print” command in the Command Prompt window to verify the routing table.

[Figure 2.3. (callout: Default route entry)]
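The check described in 2.1.1 can be automated once the “route print” output is captured to a text file. The following is an added example, not part of the original application note: it parses the Active Routes table, confirms that a default route (0.0.0.0/0.0.0.0) exists with the expected gateway, and performs the same longest-prefix lookup the host does to confirm that traffic to the remote tunnel endpoint (192.168.18.146, the router's WAN address from the note) would leave through that gateway. The sample output and the gateway address 192.168.19.1 are constructed for the example; the PC address 192.168.19.166 is the one the note uses.

```python
import ipaddress
import re

# Constructed sample of Windows XP `route print` output. The PC address 192.168.19.166 comes
# from the application note; the gateway 192.168.19.1 and interface names are placeholders.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 3a 1b 2c ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.19.1   192.168.19.166       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
     192.168.19.0    255.255.255.0   192.168.19.166   192.168.19.166       20
   192.168.19.166  255.255.255.255        127.0.0.1       127.0.0.1       20
Default Gateway:      192.168.19.1
===========================================================================
Persistent Routes:
  None
"""

# A route line is exactly five columns: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return the Active Routes table as a list of dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            gateway = ipaddress.ip_address(gw)
            interface = ipaddress.ip_address(iface)
        except ValueError:
            continue  # header text or interface-list lines that happened to have five columns
        routes.append({"network": network, "gateway": gateway,
                       "interface": interface, "metric": int(metric)})
    return routes


def default_gateway(routes):
    """Gateway of the 0.0.0.0/0 entry, or None when the default route is missing."""
    for r in routes:
        if r["network"].prefixlen == 0:
            return r["gateway"]
    return None


def lookup(routes, destination):
    """Longest-prefix match, lowest metric on ties: the route the host would actually use."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def check_path_to_peer(text, expected_gateway, peer):
    """True when the default route uses the expected gateway and the remote tunnel
    endpoint is reached through that gateway (and not through some stray static route)."""
    routes = parse_routes(text)
    gw = default_gateway(routes)
    if gw is None or str(gw) != expected_gateway:
        return False
    chosen = lookup(routes, peer)
    return chosen is not None and chosen["gateway"] == gw


if __name__ == "__main__":
    ok = check_path_to_peer(SAMPLE_ROUTE_PRINT, "192.168.19.1", "192.168.18.146")
    print("default route and path to tunnel endpoint OK" if ok else "routing problem")
```

On a real PC, run `route print > routes.txt` and feed the file contents to `check_path_to_peer` with the gateway you configured in Figure 2.2; a False result means the default route is missing, points elsewhere, or is shadowed by a more specific route for the router's WAN address.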
2.2 Configure the IP Address of the Internet Security Router

You need to log in as admin in order to configure the settings for the Internet Security Router.

2.2.1 Configure the WAN Port

Click on the “WAN” menu and then click on the “WAN” submenu to access the WAN Configuration page. Make sure the settings for IP address, subnet mask and the gateway address are set exactly as shown in Figure 2.4.
[Figure 2.6. Routing Table in the Internet Security Router (callout: Default route)]

3 Configure IKE IPSec VPN Settings on Windows 2000/XP Using Automatic Keying

Note that the Microsoft Windows OS does not support manual key mode for IKE IPSec VPN. Only automatic keying using a preshared key is demonstrated in this document.
3. In the Add/Remove Snap-in dialog box, click on the “Add” button to continue.

4. In the Add Standalone Snap-in dialog box, select “IP Security Policy Management” (you may need to scroll down the list to see this item) and then click on the “Add” button to continue.

Copyright 2003, ASUSTeK Computer, Inc.
[Figure callout: Select “IP Security Policy Management”]

5. Select “Local computer” as the computer that will be managed by this IP security policy and click the “Finish” button.

[Figure callout: Select “Local computer”]

6. Click the “Close” button.
7. You can see that “IP Security Policies on Local Machine” has been added. Click the “OK” button to return to the MMC console window.
3.2 Configure VPN Policies in Windows 2000/XP

3.2.1 Configure an Outbound VPN Policy in Windows 2000/XP

1. In the MMC console window, right-click on “IP Security Policies on Local Machine” (in the left-hand pane of the MMC console window) and then select “Create IPSec Security Policy” from the context menu as shown in the following figure.

2. The “IP Security Policy Wizard” dialog box is displayed.
4. Clear the “Activate the default response rule” check box, and then click the “Next” button to continue.

[Figure callout: Make sure this check box is cleared.]

5. Make sure the “Edit Properties” check box is checked (it is by default), and then click the “Finish” button.
[Figure callout: Make sure this check box is checked.]

6. In the “SL1000_Policy Properties” dialog box, make sure that the “Use Add Wizard” check box in the lower-right corner is checked, and then click the “Add” button to start the Security Rule Wizard.

[Figure callout: Make sure this check box is checked.]

7. Click the “Next” button to continue.
8. Select “The tunnel endpoint is specified by this IP address:”, enter “192.168.18.146” as the tunnel endpoint for this rule and then click the “Next” button to continue.

9. Select “All network connections” as the network type and then click the “Next” button to continue.
10. Select “Use this string to protect the key exchange (preshared key):” as the authentication method and enter “1234” as the preshared key. Make sure that this preshared key matches what is configured for the Internet Security Router. To make it more secure, you may choose a longer string. Note that you must not use a blank string for the preshared key. Click the “Next” button to continue.

11.
12. Name your filter “WIN_SL1000” and click the “Add” button to continue.

13. Select “My IP Address” as the Source address, select “A specific IP Subnet” and enter “192.168.1.0/255.255.255.0” as the Destination address. Clear the “Mirrored” check box and then click the “OK” button to continue.
[Figure callout: Make sure the “Mirrored” check box is cleared.]

14. Click the “Close” button to close the IP Filter List dialog box.

15. In the Security Rule Wizard dialog box, select the newly created IP filter, “WIN_SL1000”, and click the “Next” button to configure the Filter Action.
[Figure callout: Select this item.]

16. In the Filter Action dialog box, check the “Use Add Wizard” check box and then click the “Add” button to continue.

[Figure callout: Make sure this box is checked.]

17. Click the “Next” button to continue.
18. Name this filter action “Action1” and click the “Next” button to continue.

19. In the Filter Action General Options dialog box, select “Negotiate security”, and then click the “Next” button to continue.
20. Select “Do not communicate with computers that do not support IPSec” on the “Filter Action Wizard” page, and then click the “Next” button to continue.

21. Select “High {Encapsulated Secure Payload}” from the list of security methods, and click the “Next” button to continue.
22. Make sure the “Edit Properties” check box is cleared (this is the default setting), and then click the “Finish” button to close the “Filter Action Wizard” dialog box.

[Figure callout: Make sure this box is cleared.]

23. In the “Filter Action” dialog box, select “Action1” for this security rule and then click the “Next” button to close the Filter Action dialog box.
24. Make sure the “Edit Properties” check box is cleared (this is the default setting), and then click the “Finish” button to close the Security Rule Wizard.

[Figure callout: Make sure this box is cleared.]

3.2.2 Configure an Inbound VPN Policy in Windows 2000/XP

1. Check the “Use Add Wizard” option and then click the “Add” button to create another IP Security Rule.
[Figure callout: Make sure this box is checked.]

2. Click the “Next” button to continue.

3. Select “The tunnel endpoint is specified by this IP address:”, enter “192.168.19.166” as the tunnel endpoint for this rule and then click the “Next” button to continue.
4. Select “All network connections” as the network type and then click the “Next” button to continue.

5. Select “Use this string to protect the key exchange (preshared key):” as the authentication method and enter “1234” as the preshared key. Make sure that this preshared key matches what is configured for the Internet Security Router. To make it more secure, you may choose a longer string.
6. In the “IP Filter List” dialog box, click the “Add” button. A list of IP filters is displayed.

7. Name your filter “SL1000_WIN” and click the “Add” button to continue.
8. Select “A specific IP Subnet” from the “Source address:” drop-down list, enter “192.168.1.0/255.255.255.0” as the Source address and select “My IP Address” as the Destination address. Clear the “Mirrored” check box and then click the “OK” button to continue.

[Figure callout: Make sure the “Mirrored” check box is cleared.]

9. Click the “Close” button to close the “IP Filter List” dialog box.
10. In the “Security Rule Wizard” dialog box, select the newly created IP filter, “SL1000_WIN”, and click the “Next” button to configure the Filter Action.

[Figure callout: Select this item.]

11. Select “Action1” as the filter action and then click the “Next” button to continue.
[Figure callout: Select “Action1” as the filter action.]

12. Click the “Finish” button to close the “Security Rule Wizard”.

13. Click the “Close” button to complete the IPSec configuration task.
14. Right-click “SL1000_Policy” and select “Assign” from the context menu.

15. You can see that a green dot appears in the lower-right corner of the icon. It indicates that “SL1000_Policy” has been assigned as an active IPSec policy. The status in the “Policy Assigned” column should change from “No” to “Yes”.
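Sections 3.2.1 and 3.2.2 build two one-directional rules whose filters must not be mirrored, and the reason is easy to lose among the wizard screens: the outbound rule's tunnel endpoint is the router's WAN address (192.168.18.146) while the inbound rule's tunnel endpoint is the PC itself (192.168.19.166), so a mirrored filter would make each rule also claim the other direction with the wrong endpoint. The following added example (not part of the application note, and a simplified model rather than Windows' own policy engine) represents the two rules with the note's addresses, shows which rule and tunnel endpoint a given flow is matched to, shows that traffic outside 192.168.1.0/24 is passed in the clear because the default response rule was cleared in 3.2.1 step 4, and demonstrates the endpoint conflict that appears as soon as “Mirrored” is checked. The sample flows and the host 192.168.1.10 are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the application note: the Windows PC ("My IP Address"), the router's WAN
# address (outbound tunnel endpoint) and the router's LAN behind the tunnel.
MY_IP = ipaddress.ip_address("192.168.19.166")
ROUTER_WAN = ipaddress.ip_address("192.168.18.146")
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")


def _addr_in(addr, spec):
    """spec is either the string "me" (the wizard's "My IP Address") or an ip_network."""
    if isinstance(spec, str):
        return spec == "me" and addr == MY_IP
    return addr in spec


@dataclass(frozen=True)
class Filter:
    src: object
    dst: object

    def matches(self, src, dst):
        return _addr_in(src, self.src) and _addr_in(dst, self.dst)


def make_filters(src, dst, mirrored):
    """Model the "Mirrored" check box: a mirrored filter also matches the reverse direction."""
    filters = [Filter(src, dst)]
    if mirrored:
        filters.append(Filter(dst, src))
    return filters


@dataclass(frozen=True)
class Rule:
    name: str
    filters: tuple
    action: str             # "negotiate" = filter action "Action1" (Negotiate security)
    tunnel_endpoint: object  # address the ESP packets for this rule are sent to / expected from


def page_policy(mirrored=False):
    """The two rules of SL1000_Policy as configured in 3.2.1 (WIN_SL1000) and 3.2.2 (SL1000_WIN)."""
    outbound = Rule("WIN_SL1000", tuple(make_filters("me", REMOTE_LAN, mirrored)),
                    "negotiate", ROUTER_WAN)
    inbound = Rule("SL1000_WIN", tuple(make_filters(REMOTE_LAN, "me", mirrored)),
                   "negotiate", MY_IP)
    return [outbound, inbound]


def matching_rules(policy, src, dst):
    return [r for r in policy if any(f.matches(src, dst) for f in r.filters)]


def decide(policy, src, dst):
    """(action, tunnel endpoint) for one flow. With no matching rule and no default
    response rule the policy does not touch the packet: it is sent or accepted in the clear."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = matching_rules(policy, src, dst)
    if not rules:
        return ("clear", None)
    return (rules[0].action, str(rules[0].tunnel_endpoint))


# Constructed sample flows: PC -> LAN host and LAN host -> PC.
SAMPLE_FLOWS = [("192.168.19.166", "192.168.1.10"), ("192.168.1.10", "192.168.19.166")]


def conflicts(policy, flows=SAMPLE_FLOWS):
    """Flows that match rules with different tunnel endpoints: the error mirrored filters cause."""
    found = []
    for src, dst in flows:
        rules = matching_rules(policy, ipaddress.ip_address(src), ipaddress.ip_address(dst))
        endpoints = {str(r.tunnel_endpoint) for r in rules}
        if len(endpoints) > 1:
            found.append((src, dst, sorted(endpoints)))
    return found


if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS + [("192.168.19.166", "10.0.0.1")]:
        print(src, "->", dst, decide(page_policy(), src, dst))
    print("conflicts, Mirrored cleared:", conflicts(page_policy()))
    print("conflicts, Mirrored checked:", conflicts(page_policy(mirrored=True)))
```

The third flow above is the practical caveat of step 4 in 3.2.1: with the default response rule cleared, anything not covered by the two filters leaves the PC unprotected, which is intended here but worth remembering when the filter subnet is typed wrongly, since the symptom is ordinary cleartext traffic rather than an error.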
[Figure callouts: Green dot; Changed from “No” to “Yes”]

3.3 Configure the Internet Security Router

You need to log in as admin to the Internet Security Router in order to configure it. The procedure involves VPN policy setup and firewall outbound and inbound ACL rules.

3.3.
[Figure 3.1. VPN Policy Configuration Settings]

After the new VPN policy is created, you can see it displayed in the “Site to Site Access List Rules” as shown in Figure 3.2.

[Figure 3.2. Verify the New VPN Policy (callout: New VPN policy)]

3.3.2 Configure an Outbound ACL Rule for the VPN Policy

This step is needed only when the firewall is enabled.
menu and then click the “Outbound ACL” submenu to access the Outbound ACL configuration page. Enter the outbound ACL settings in the firewall Outbound ACL configuration page as shown in Figure 3.3. Click the “Add” button to create the new rule when done with the configuration. The newly created ACL rule will be displayed in the Outbound Access Control List table as shown in Figure 3.4.
[Figure 3.5. The Inbound ACL Rule Settings for the VPN Policy (callout: Make sure “Enable” is selected for VPN.)]

[Figure 3.6. Inbound ACL Summary (callout: New inbound ACL)]

4 Verify the IPSec VPN Connection

There are several ways to check whether the VPN connection is good or bad. You may start with the simplest tool (i.e.
[Figure 4.1. Ping Example for Verifying IPSec VPN Connection (callouts: Ping response during negotiation of the VPN tunnel; Successful Ping response)]

4.2 Monitor IPSec VPN Traffic on the Internet Security Router

The Internet Security Router comes with a monitoring tool for the IPSec VPN traffic.
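Figure 4.1 shows the two phases a first ping through a fresh tunnel goes through on Windows 2000/XP: the “Negotiating IP Security.” lines while IKE sets up the SAs, then normal replies. The following added example (not part of the application note) classifies captured ping output into those phases and turns the counts into a troubleshooting verdict; the verdict wording and the mapping from symptom to likely cause are this example's own interpretation, and the sample output is constructed.

```python
import re

# Constructed sample of Windows 2000/XP ping output for the first pings through the tunnel,
# written to show the same two phases as Figure 4.1: negotiation, then successful replies.
SAMPLE_PING = """\
Pinging 192.168.1.1 with 32 bytes of data:

Negotiating IP Security.
Negotiating IP Security.
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
"""

REPLY_RE = re.compile(r"^Reply from (\S+): bytes=\d+ time[=<]\d+ms TTL=\d+")


def classify_lines(text):
    """Count the per-probe result lines of a ping run."""
    counts = {"negotiating": 0, "reply": 0, "timeout": 0, "unreachable": 0}
    for line in text.splitlines():
        line = line.strip()
        if line == "Negotiating IP Security.":
            counts["negotiating"] += 1
        elif REPLY_RE.match(line):
            counts["reply"] += 1
        elif line == "Request timed out.":
            counts["timeout"] += 1
        elif "unreachable" in line.lower():
            counts["unreachable"] += 1
    return counts


def verdict(counts):
    """Map the observed phases to the part of the setup worth checking first (this mapping
    is the example's own, not the application note's)."""
    if counts["reply"] and counts["negotiating"]:
        return "tunnel established: IKE negotiation completed and echo replies arrived"
    if counts["reply"]:
        return ("replies without negotiation: either an SA already existed, or the traffic "
                "is not matched by SL1000_Policy (check that it is assigned and the filter subnet)")
    if counts["negotiating"]:
        return ("negotiation never completed: check that the preshared key, tunnel endpoints "
                "and the router's VPN policy match")
    if counts["unreachable"]:
        return "no route to the destination: verify the default gateway with route print"
    return "no response at all: check the firewall outbound/inbound ACL rules and WAN connectivity"


def assess_ping(text):
    """Return (counts, verdict) for a captured ping run."""
    counts = classify_lines(text)
    return counts, verdict(counts)


if __name__ == "__main__":
    print(assess_ping(SAMPLE_PING))
```

Capture the output with `ping 192.168.1.1 > ping.txt` on the PC and pass the file contents to `assess_ping`; a run that shows only timeouts after a previous run negotiated successfully points at the router side (ACL rules or SA lifetime) rather than at the Windows policy.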
[Figure 4.2. VPN Statistics on the Internet Security Router (callout: Click this icon to display details on the IPSec SA.)]
[Figure 4.3. IPSec SA Example]

4.3 ipsecmon

4.3.1 Windows 2000

Windows 2000 includes a program called ipsecmon for monitoring the IPSec VPN traffic. If you cannot find it on your computer, you may download it from the Microsoft website. This program provides details about your IPSec VPN traffic, such as IPSec/IKE statistics, information about the connecting parties, and so on.
[Figure 4.4. IP Security Monitor Example]

4.3.2 Windows XP

For Windows XP, ipsecmon is integrated into the MMC console. Follow the instructions below to install and use ipsecmon.

1. Start the MMC console: From the Windows desktop, click on “Start”, and then click on “Run”. Enter “mmc” in the pop-up “Run” dialog window (as shown in the figure below) and then click on the “OK” button to continue.

2.
3. In the Add/Remove Snap-in dialog box, click on the “Add” button to continue.

4. In the Add Standalone Snap-in dialog box, select “IP Security Monitor” (you may need to scroll down the list to see this item) and then click on the “Add” button to continue.
[Figure callout: Select “IP Security Monitor”]

5. Click the “Close” button.

6. You can see that “IP Security Monitor” has been added. Click the “OK” button to return to the MMC console window.
7. The MMC console is displayed. Click on the “+” symbol to expand the available options for “IP Security Monitor”.

[Figure callout: Click “+” to expand available options.]

8. The following figure shows all the available options for IP Security Monitor. You may click any of the options to find out detailed information regarding your IPSec VPN connection.
[Figure callouts: Name of your computer; Available options]