Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
Virtual Private Networking
8-19
201-10301-02, May 2005
VPNC Scenario 1: Gateway to Gateway with Preshared Secrets
The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
Figure 8-10: VPN Consortium Scenario 1
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet)
interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used
for testing IPsec but is not needed for configuring Gateway A.
The IKE Phase 1 parameters used in Scenario 1 are:
• Main mode
• TripleDES
• SHA-1
• MODP group 2 (1024 bits)
• pre-shared secret of "hr5xb84l6aa9r6"
• SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 2 (1024 bits)
• Perfect forward secrecy for rekeying
• SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
• Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
[Figure 8-10 diagram: LAN 10.5.6.0/24, Gateway A (LAN 10.5.6.1, WAN 14.15.16.17), Internet, Gateway B (WAN 22.23.24.25, LAN 172.23.9.1), LAN 172.23.9.0/24]
Scenario 1: FWG114P v2 to FWG114P v2 with Preshared Secrets
Note: This scenario assumes all ports are open on the FWG114P v2. You can verify this by
reviewing the security settings as seen in the “Rules menu” on page 6-5.
Figure 8-11: LAN to LAN VPN access from an FWG114P v2 to an FWG114P v2
Use this scenario illustration and configuration screens as a model to build your configuration.
1. Log in to the FWG114P v2 labeled Gateway A as in the illustration.
   Log in at the default address of with the default user name of admin and
   default password of password, or using whatever password and LAN address you have
   chosen.
2. Configure the WAN (Internet) and LAN IP addresses of the FWG114P v2.
   a. From the main menu Setup section, click on the Basic Setup link.
      Figure 8-12: FWG114P v2 Internet IP Address menu
   b. Configure the WAN Internet Address according to the settings above and click Apply to
      save your settings. For more information on configuring the WAN IP settings in the Basic
      Setup topics, please see “Manually Configuring Your Internet Connection” on page 3-18.
   c. From the main menu Advanced section, click on the LAN IP Setup link.
      Figure 8-13: LAN IP configuration menu
   d. Configure the LAN IP address according to the settings above and click Apply to save
      your settings. For more information on LAN TCP/IP setup topics, please see “Using the
      LAN IP Setup Options” on page 10-5.
      Note: After you click Apply to change the LAN IP address settings, your workstation will
      be disconnected from the FWG114P v2. You will have to log on with
      which is now the address you use to connect to the built-in web-based configuration
      manager of the FWG114P v2.
3. Set up the IKE Policy illustrated below on the FWG114P v2.
   a. From the main menu VPN section, click on the IKE Policies link, and then click the Add
      button to display the screen below.
      Figure 8-14: Scenario 1 IKE Policy
   b. Configure the IKE Policy according to the settings in the illustration above and click
      Apply to save your settings. For more information on IKE Policy topics, please see “IKE
      Policies’ Automatic Key and Authentication Management” on page 8-3.
4. Set up the FWG114P v2 VPN - Auto Policy illustrated below.
   a. From the main menu VPN section, click on the VPN Policies link, and then click on the
      Add Auto Policy button.
      Figure 8-15: Scenario 1 VPN - Auto Policy
   b. Configure the IKE Policy according to the settings in the illustration above and click
      Apply to save your settings. For more information on IKE Policy topics, please see “IKE
      Policies’ Automatic Key and Authentication Management” on page 8-3.
      Note: Selecting ANY for the Traffic Selectors means all traffic goes through the IPSec
      tunnel and prevents access to the Internet.
5. After applying these changes, all traffic from the range of LAN IP addresses specified on
   FWG114P v2 A and FWG114P v2 B will flow over a secure VPN tunnel.
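The following Python sketch is an added example, not part of the NETGEAR manual: it records the Scenario 1 values as data, lists settings that differ between the two gateways, and shows how the traffic selectors decide which packets enter the tunnel, including the ANY case from the note in step 4. The dictionary keys, function names and the host addresses 10.5.6.20, 172.23.9.40 and 198.51.100.7 are assumptions of this example.

```python
import ipaddress

# Scenario 1 values from the manual; the dictionary keys are this example's own.
PHASE1 = {"mode": "main", "enc": "3des", "hash": "sha1", "dh_group": 2, "lifetime_s": 28800}
PHASE2 = {"encap": "esp-tunnel", "enc": "3des", "hash": "sha1", "pfs_group": 2, "lifetime_s": 3600}
PSK = "hr5xb84l6aa9r6"

def gateway(wan, peer, local, remote, psk=PSK, phase1=PHASE1, phase2=PHASE2):
    """Describe one end of the tunnel as seen from that gateway."""
    return {"wan": wan, "peer": peer, "psk": psk,
            "local": ipaddress.ip_network(local),
            "remote": ipaddress.ip_network(remote),
            "phase1": dict(phase1), "phase2": dict(phase2)}

def mismatches(a, b):
    """List settings that differ between the two ends and need reconciling."""
    problems = []
    if a["peer"] != b["wan"] or b["peer"] != a["wan"]:
        problems.append("peer address is not the other gateway's WAN address")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared secrets differ")
    for phase in ("phase1", "phase2"):
        for key, value in a[phase].items():
            if b[phase].get(key) != value:
                problems.append(f"{phase} {key}: {value} != {b[phase].get(key)}")
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("traffic selectors are not mirror images")
    return problems

def tunneled(gw, src, dst):
    """True if a packet from src to dst matches this gateway's selectors."""
    return (ipaddress.ip_address(src) in gw["local"]
            and ipaddress.ip_address(dst) in gw["remote"])

GATEWAY_A = gateway("14.15.16.17", "22.23.24.25", "10.5.6.0/24", "172.23.9.0/24")
GATEWAY_B = gateway("22.23.24.25", "14.15.16.17", "172.23.9.0/24", "10.5.6.0/24")
# Constructed variant: remote selector set to ANY (0.0.0.0/0), as in the step 4 note.
GATEWAY_A_ANY = gateway("14.15.16.17", "22.23.24.25", "10.5.6.0/24", "0.0.0.0/0")

if __name__ == "__main__":
    print("A vs B:", mismatches(GATEWAY_A, GATEWAY_B) or "consistent")
    for gw, name in ((GATEWAY_A, "subnet selectors"), (GATEWAY_A_ANY, "ANY selector")):
        for dst in ("172.23.9.40", "198.51.100.7"):  # constructed hosts
            print(name, "10.5.6.20 ->", dst, "tunneled:", tunneled(gw, "10.5.6.20", dst))
```

With the subnet selectors only traffic for 172.23.9.0/24 matches the tunnel; with the ANY selector the Internet-bound packet matches as well, which is the behaviour the note in step 4 describes.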