Embed Size (px)
Citation preview
1
VPN IPSec Application
Installation Guide
2
Configuring a IPSec LAN-to-LAN VPN Connection
Table 3: Network Configuration and Security Plan
Branch Office Head Office Local Network ID 192.168.0.0/24 192.168.1.0/24 Local Router IP 69.121.1.30 69.121.1.3
Remote Network ID 192.168.1.0/24 192.168.0.0/24 Remote Router IP 69.121.1.3 69.121.1.30
IKE Pre-shared Key 12345678 12345678 VPN Connection Type Tunnel mode Tunnel mode
Security Algorithm ESP:MD5 with 3DES ESP:MD5 with 3DES
Functions of IKE Pre-shared Key, VPN Connection Type and Security Algorithm MUST BE identically set up on both sides.
Attention
3
Configuring IPSec VPN in the Head Office
Item Function Description
1 Connection Name IPSec_HeadOffice Given a name of IPSec connection Subnet Check Subnet radio button IP Address 192.168.1.0 2 Netmask 255.255.255.0
Head office network
3 Secure Gateway Address (or Hostname) 69.121.1.30 IP address of the head office router (in
WAN side) Subnet Check Subnet radio button IP Address 192.168.0.0 4 Netmask 255.255.255.0
Branch office network
ESP Check ESP radio button Authentication MD5 Encryption 3DES Prefer Forward Security None
5
Pre-shared Key 12345678
Security plan
4
1
2
3
5
4
Configuring IPSec VPN in the Branch Office
Item Function Description 1 Connection Name IPSec_BranchOffice Given a name of IPSec connection
Subnet Check Subnet radio button IP Address 192.168.0.0 2 Netmask 255.255.255.0
Branch office network
3 Secure Gateway Address (or Hostname) 69.121.1.3 IP address of the head office router
(in WAN side) Subnet Check Subnet radio button IP Address 192.168.1.0 4 Netmask 255.255.255.0
Head office network
ESP Check ESP radio button Authentication MD5 Encryption 3DES Prefer Forward Security None
5
Pre-shared Key 12345678
Security plan
4
1
2
3
5
5
Configuring a IPSec Host-to-LAN VPN Connection
6
Configuring IPSec VPN in the Office
Item Function Description
1 Connection Name IPSec Given a name of IPSec connection Subnet Check Subnet radio button IP Address 192.168.1.0 2 Netmask 255.255.255.0
Head office network
3 Secure Gateway Address (or Hostname) 69.121.1.30 IP address of the head office router (in
WAN side) Single Address Check Single Address radio button 4 IP Address 69.121.1.30 Remote worker’s IP address ESP Check ESP radio button Authentication MD5 Encryption 3DES Prefer Forward Security None
5
Pre-shared Key 12345678
Security plan
4
1
2
3
5
7
Configuring IPSec VPN Tunnel thru Microsoft Windows in Remote Host Step 1 Click “Start” => “Run…” and type “secpol.msc” in the field. Click OK to the next step.
Step 2 Right-Click “IP Security Policies on Local Computer”. Click “Create IP Security Policy…” to the next step.
Step 3 Click Next > to the next step.
Step 4 Give a name to the IP Security Policy. Here we make it called “IPSec Test”. Click Next > to the next step.
8
Step 5 Check “Activate the default response rule.” box. If it is not checked. Click Next > to the next step.
Step 6 Click Next > to continue.
Step 7 Check “Edit Properties” box if it is not checked. Click Finish to the next step.
9
Step 8 Un-check “<Dynamic>” box if it is checked. Click Add… to the next step.
Step 9 Click Next > to the next step.
Step 10 Check “The tunnel endpoint is specified by this IP address:” radio button and enter the public IP of Remote Worker. Click Next > to the next step.
10
Step 11 Check “All network connections” radio button. Click Next > to the next step.
Step 12 Check “Use this string to protect the key exchange [preshared key]:” radio button and input the key. This pre-share key should be identical as the set up in the Router. Click Next > to the next step.
Step 13 Click Add… to the next step.
11
Step 14 Give a name and description to this IP Filter. Click Add… to configure an IP traffic filter that comes from Office LAN to Remote Worker.
Step 15 Click Next > to the next step.
Step 16 Select “Source address:” to “A specific IP Subnet” and enter both IP address and mask of Office LAN. Click Next > to the next step.
12
Step 17 Select “Destination address:” to “My IP Address”. Click Next > to the next step.
Step 18 Select protocol type, “Any”. Click Next > to the next step.
Step 19 Check “Edit properties” box if it is not checked. Click Finish to the next step.
13
Step 20 Un-check “Mirrored. Also match packets with the exact opposite source and destination addresses.” box if it is checked. Click OK to the next step.
Step 21 Traffic in filter is created and listed in the Filter field. It is necessary to create another filter for the opposite direction. Click OK to the next step.
Step 22 Check “Traffic in” radio button. Click Next > to the next step.
14
Step 23 A security plan must be create between Office LAN and Remote Worker. Note: This information should be identical on both Office LAN and Remote Worker. Click Add… to the next step.
Step 24 Click Next > to the next step.
Step 25 Give a name to this Filter Action. Click Next > to the next step.
15
Step 26 Check “Negotiate security” radio button. Click Next > to the next step.
Step 27 Check “Do not communicate with computers that do not support IPSec.” radio button. Click Next > to the next step.
Step 28 Check “Custom” radio button. Click Settings… to the next step.
16
Step 29 ESP mode (MD5 authentication and 3DES encryption method ) must be identical on both sites, the Office LAN and Remote Worker. Click OK to the next step.
Step 30 Click Next > to the next step.
Step 31 Un-check “Edit properties” box if it is checked. Click Finish to the next step.
17
Step 32 Check “Security Plan” radio button. Click Next > to the next step.
Step 33 Un-check “Edit properties” if it is checked. Click Finish to the next step.
Step 34 A rule called “Traffic in” in the IP Filter List. It is necessary to create another rule for Traffic out. Click Add… to the next step.
18
Step 35 Click Next > to the next step.
Step 36 Check “The tunnel endpoint is specified by this IP address:” radio button and enter the public IP of Office LAN. Click Next > to the next step.
Step 37 Check “All network connections” radio button. Click Next > to the next step.
19
Step 38 Check “Use this string to protect the key exchange [preshared key]:” radio button and enter the key. Note: This pre-share key must be identical as the set up in the router. Click Next > to the next step.
Step 39 Click Add… to the next step.
Step 40 Give a name and description to this IP Filter. Click Add… to configure an IP traffic filter that comes from Remote Worker to Office LAN.
20
Step 41 Click Next > to the next step.
Step 42 Select “Source address:” to “My IP Address”. Click Next > to the next step.
Step 43 Select “Destination address:” to “A specific IP Subnet” and enter both IP address and mask of Office LAN. Click Next > to the next step.
21
Step 44 Select protocol types, “Any”. Click Next > to the next step.
Step 45 Check “Edit properties” box if it is not checked . Click Finish to the next step.
Step 46 Un-check “Mirrored. Also match packets with the exact opposite source and destination addresses.” box if it is checked. Click OK to next step.
22
Step 47 Traffic out filter is created and listed in the Filter field. Both incoming and outgoing traffic rule, Traffic in and Traffic out are completed! Click OK to the next step.
Step 48 Check “Traffic out” radio button. Click Next > to the next step.
Step 49 Check “Security Plan” radio button. For both Traffic in and Traffic out, we should use the same security plan. Click Next > to the next step.
23
Step 50 Un-check “Edit properties” if it is checked. Click Finish to the next step.
Step 51 Click OK to apply your settings.
Step 52 Right click “IPSec Test”. Click “Assign” to enable IPSec setting on this machine.
Step 53 Congratulation! ! You have completed the setting.
Completed!
24
Configuring a IPSec LAN-to-LAN VPN Connection
25
Configuring IPSec VPN in the Head Office
Item Function Description
1 Connection Name IPSec_HeadOffice Given a name of IPSec connection Subnet Check Subnet radio button IP Address 192.168.1.0 2 Netmask 255.255.255.0
Head office network
3 Secure Gateway Address (or Hostname) 69.121.1.30 IP address of the head office router (in
WAN side) Subnet Check Subnet radio button IP Address 192.168.0.0 4 Netmask 255.255.255.0
Branch office network
ESP Check ESP radio button Authentication MD5 Encryption 3DES Prefer Forward Security None
5
Pre-shared Key 12345678
Security plan
4
1
2
3
5
26
Configuring IPSec VPN thru Microsoft Windows in Branch Office Step 1 Click “Start” => “Run…” and type “secpol.msc” in the field. Click OK to the next step.
Step 2 Right-Click “IP Security Policies on Local Computer”. Click “Create IP Security Policy…” to the next step.
Step 3 Click Next > to the next step.
Step 4 Give a name to the IP Security Policy. Here we make it called “IPSec Test”. Click Next > to the next step.
27
Step 5 Check “Activate the default response rule.” box. If it is not checked. Click Next > to the next step.
Step 6 Click Next > to the continue.
Step 7 Check “Edit Properties” box if it is not checked. Click Finish to the next step.
28
Step 8 Un-check “<Dynamic>” box if it is checked. Click Add… to the next step.
Step 9 Click Next > to the next step.
Step 10 Check “The tunnel endpoint is specified by this IP address:” radio button and enter the public IP of Branch Office. Click Next > to the next step.
29
Step 11 Check “All network connections” radio button. Click Next > to the next step.
Step 12 Check “Use this string to protect the key exchange [preshared key]:” radio button and input the key. This pre-share key should be identical as the set up in the Router. Click Next > to the next step.
Step 13 Click Add… to the next step.
30
Step 14 Give a name and description to this IP Filter. Click Add… to configure an IP traffic filter that comes from Head Office to Branch Office.
Step 15 Click Next > to the next step.
Step 16 Select “Source address:” to “A specific IP Subnet” and enter both IP address and mask of Office LAN. Click Next > to the next step.
31
Step 17 Select “Destination address:” to “A specific IP Subnet” and enter both IP address and mask of Branch Office LAN. Click Next > to the next step.
Step 18 Select protocol types, “Any”. Click Next > to the next step.
Step 19 Check “Edit properties” box if it is not checked. Click Finish to next step.
32
Step 20 Un-check “Mirrored. Also match packets with the exact opposite source and destination addresses.” box if it is checked. Click OK to next step.
Step 21 Traffic in filter is created and listed in the Filter field. It is necessary to create another filter for the opposite direction. Click OK to the next step.
Step 22 Check “Traffic in” radio button. Click Next > to the next step.
33
Step 23 A security plan must be create between Head and Branch office. Note: This information should be identical on both Head and Branch office. Click Add… to the next step.
Step 24 Click Next > to the next step.
Step 25 Give a name to this Filter Action. Click Next > to the next step.
34
Step 26 Check “Negotiate security” radio button. Click Next > to the next step.
Step 27 Check “Do not communicate with computers that do not support IPSec.” radio button. Click Next > to the next step.
Step 28 Check “Custom” radio button. Click Settings… to the next step.
35
Step 29 ESP mode (MD5 authentication and 3DES encryption method ) must be identical on both sites, the Branch office and Head office. Click OK to the next step.
Step 30 Click Next > to the next step.
Step 31 Un-check “Edit properties” box if it is checked. Click Finish to the next step.
36
Step 32 Check “Security Plan” radio button. Click Next > to the next step.
Step 33 Un-check “Edit properties” if it is checked. Click Finish to the next step.
Step 34 A rule called “Traffic in” in the IP Filter List. It is necessary to create another rule for Traffic out. Click Add… to the next step.
37
Step 35 Click Next > to the next step.
Step 36 Check “The tunnel endpoint is specified by this IP address:” radio button and enter the public IP of Head Office. Click Next > to next step.
Step 37 Check “All network connections” radio button. Click Next > to the next step.
38
Step 38 Check “Use this string to protect the key exchange [preshared key]:” radio button and enter the key. Note: This pre-share key must be identical as the set up in the router. Click Next > to the next step.
Step 39 Click Add… to the next step.
Step 40 Given a name and description of this IP Filter. Click Add… to configure an IP traffic filter that comes from Branch Office to Head Office.
39
Step 41 Click Next > to the next step.
Step 42 Select “Source address:” to “A specific IP Subnet” and enter both IP address and mask of Branch Office LAN. Click Next > to the next step.
Step 43 Select “Destination address:” to “A specific IP Subnet” and enter both IP address and mask of Head Office LAN. Click Next > to the next step.
40
Step 44 Select protocol type, “Any”. Click Next > to the next step.
Step 45 Check “Edit properties” box if it is not checked . Click Finish to the next step.
Step 46 Un-check “Mirrored. Also match packets with the exact opposite source and destination addresses.” box if it is checked. Click OK to the next step.
41
Step 47 Traffic out filter is created and listed in the Filter field. Both incoming and outgoing traffic rule, Traffic in and Traffic out are completed! Click OK to the next step.
Step 48 Check “Traffic out” radio button. Click Next > to the next step.
Step 49 Check “Security Plan” radio button. For both Traffic in and Traffic out, we should use the same security plan. Click Next > to the next step.
42
Step 50 Un-check “Edit properties” if it is checked. Click Finish to the next step.
Step 51 Click OK to apply your settings.
Step 52 Right click “IPSec Test”. Click “Assign” to enable IPSec setting on this machine.
43
Step 53 Congratulation! ! You have completed the setting.
Completed!
