How To: Industrial Networking
Prepared by: Matt Crites
Date: April 2014
Product: Any RAM or SN 6xxx series router, legacy firmware 3.14/4.14 or lower

Subject: This document provides a step-by-step procedure for building an IPsec VPN tunnel between an SN/RAM device and Windows 7. Windows 7 has a firewall built into its OS. This firewall includes an IPsec VPN that is compatible with the SN VPN daemon for machine-to-machine communication over a cellular link. Windows Firewall must be enabled on the client PC for this setup to work correctly.

Pre-requisites:
- SN/RAM-6xxx
- Local Ethernet connection
- PC running Windows 7
- Windows 7 Firewall enabled

Part 1: Setting up PC to Configure SN

Click on the Windows Start button icon on the bottom right of the screen and browse to the Control Panel menu item on the right side of the Start menu. The Control Panel window will pop up on the screen.
Click on the link to access network and Internet settings. In Windows 7, it will be labeled Network and Internet. The display should be similar to the following.

Access Network Connection Settings

Click on the link labeled Network and Sharing Center to access the network connection settings. The Network and Sharing Center window will come up.
Click on the link on the left side of the screen labeled Change adapter settings to access the local area connection.

Choose the correct adapter to access the Local Area Connection. Unless it was manually changed, the adapter should be labeled Local Area Connection. Right-click the correct adapter and click Properties (Windows 7 may display a pop-up window asking you to confirm the operation).

Click on the Internet Protocol item to highlight it. In Windows 7, it will be labeled Internet Protocol Version 4 (TCP/IPv4).
Click on the Properties button. Select Use the following IP address and fill in the blank fields with the information below:
- IP address: 192.168.0.2
- Subnet mask: 255.255.255.0
- Default gateway: 192.168.0.1
- Preferred DNS: 192.168.0.1
Click OK. The previous screen will appear; click OK.

Verify that you are connected to the Sixnet router: open a Command Prompt window on your laptop and ping the IP address of the Ethernet port you are connected to.

Part 2: Getting Connected To SN

Open a web browser and enter the following in the address bar: http://192.168.0.1:10000

A login pop-up screen should appear.
- User Name: admin (lowercase letters)
- Password: the six-digit serial number of the router (lowercase letters)
Part 3: Server VPN Configuration

The VPN Configuration page can be found under Networking > Tunnel (VPN) Settings > IPSEC. Click on the Configuration menu item and the following window will appear. Click on the pull-down menu at the Enable IPSEC? field.
Click on the Add button and the following pop-up window will appear.
- Tunnel Name: Enter some descriptive text in this field as an aid to identifying it. The value must not contain spaces.
- Enable Tunnel?: Click on the pull-down menu at the Enable Tunnel field and click Yes to reveal the IPSEC tunnel configuration fields.
- Tunnel Type: Choose Server from the drop-down menu.
- Tunnel Negotiation Mode?: Choose Main from the drop-down menu.
The following settings are used as an example. Adjust the settings to match whichever methods you like. Note: These settings must match on both sides of the VPN tunnel.
- Phase 1 Encryption: Choose AES128 from the drop-down menu.
- Phase 1 Authentication: Choose SHA1 from the drop-down menu.
- Phase 1 DH Group: Choose Group 2 1024 bits from the drop-down menu.
- Phase 1 ISAKMP Time (minutes): Set the time to 60 minutes.
- Pre-Shared Key: Choose the alphanumeric string that will be shared between the two endpoints.
- Phase 2 Auth Type: Choose ESP from the drop-down menu.
- Phase 2 Encryption: Choose 3DES from the drop-down menu.
- Phase 2 Authentication: Choose SHA1 from the drop-down menu.
- Phase 2 ISAKMP Time (minutes): Set the time to 480 minutes.
- Use Perfect Forward Secrecy?: Set this to No.
- Dead Peer Detection Action: Set to Restart. Note: The two DPD fields can be left at their defaults of 30 and 60 seconds.
- Local Private Subnet(s): Set the subnet for the local side of the tunnel. This is the subnet that is connected directly to the SN device. For this example, we are using the single address 192.168.0.2/32.
- Remote Public IP Address: Leave the field blank for %any, or enter the outside IP of your network.
- Remote Private Subnet(s): Set the subnet for the remote side of the tunnel. This is the subnet that is connected to the Windows 7 PC on the opposite side of the tunnel. For this example, we are using the single address 192.168.31.195/32, but you can enter a subnet in its place.

When complete, click OK to exit back to the IPsec tunnel screen. Click Apply to save the settings. Click on the OK button to acknowledge.
Part 4: Configuring Windows Firewall as an IPsec VPN Client

Click on Start and browse to the Control Panel menu item. Click System and Security, then click Windows Firewall. The Windows Firewall page will load. Click Advanced Settings on the left menu bar.

Note: Please ensure Windows Firewall is turned on before proceeding further.
Right-click Connection Security Rules on the left side menu bar and select New Rule. Under Rule Type, choose Tunnel.

On the Tunnel Type screen, choose Custom Configuration. Under Requirements, choose Require authentication for inbound and outbound connections.
In the Tunnel Endpoints screen, click Add to add the local endpoint of the tunnel. Select the This IP address or subnet radio button and enter the local IP and subnet on the client (Windows 7) side of the tunnel. In this example, we are using the single IP 192.168.31.195/32. Click OK to return to the previous screen.
In the What is the local tunnel endpoint (closest to computers in Endpoint 1)? field, type Any for both IPv4 and IPv6. In the What is the remote tunnel endpoint (closest to computers in Endpoint 2)? field, type the WAN IP of the SN router. Click the Add button to enter the IP and subnet that will be on the Server (SN) side of the tunnel. When finished, click Next. In the Authentication Method screen, select the Advanced radio button, then click Customize.
Click Add under the First Authentication heading. Click the Preshared key radio button and enter the same alphanumeric preshared key that was entered into the SN. Click OK.

Click Next. In the Profile menu, leave the defaults and click Next. On the Name page, type the name you would like to give the new VPN connection and add a description if needed. Click Finish when complete.
Part 5: Configuring Windows Global Firewall Rule

On the Windows Firewall Advanced Settings screen, right-click Windows Firewall with Advanced Security on the left menu bar and click Properties. Click the IPsec Settings tab. Under IPsec defaults, click Customize.
Under Key exchange (Main Mode), click the Advanced radio button, then click Customize. Under Key Lifetimes, type the number of minutes that was configured on the SN. Put a check in the Use Diffie-Hellman for enhanced security check box under Key exchange options. Click Add under the Security methods heading.
Under each drop-down menu, select the Phase 1 settings that match the SN configuration. Click OK when finished, then click OK to return to the Customize IPsec Settings page. Under Data Protection (Quick Mode), click the Advanced radio button, then click Customize. Place a check in the Require encryption for all connection security rules that use these settings check box. Click Add under the Data integrity and encryption heading.
Select the Phase 2 settings that match the SN configuration and click OK. Under Authentication Method, select the Advanced radio button and click Customize. Click the Preshared key radio button and type the preshared key into the field. Click OK when finished, then click OK again.
Part 6: Testing Connection

Open a command prompt on the client (Windows) machine and ping the IP configured on the other side of the tunnel. If the tunnel was successfully created, you should receive 4 successful replies. Note: It may take several ping attempts before successful replies are returned while the tunnel is negotiating and building.

Open a command prompt on the remote (SN) machine and ping the IP configured on the other side of the tunnel. If neither side can ping successfully, Windows Firewall might be blocking the ping replies. A firewall rule will need to be added to Windows Firewall to allow inbound ping traffic.
Part 7: Adding Ping Rule to Firewall

Open the Windows Advanced Firewall Settings page. Right-click Inbound Rules on the left side menu bar and click New Rule. Under Rule Type, click the Custom radio button, then click Next.

Under Program, select the All Programs radio button, then click Next. On the Protocol and Ports page, select ICMPv4 under the Protocol type drop-down, then click Next.

On the Scope page, select the Any IP addresses radio button under Which local IP addresses does this rule apply to? Select the These IP addresses radio button under Which remote IP addresses does this rule apply to? Click Add, select the This IP address or subnet radio button and enter the IP of the host on the server side of the tunnel. Click OK.

On the Action page, select the Allow the connection radio button and click Next. On the Profile page, leave the three check boxes marked and click Next.

On the Name page, give the new rule a name and, if necessary, a description. Click Finish when complete. The new firewall rule will now appear under the Inbound Rules heading.
Reattempt the ping request to the remote host. Pings should now be successful. If they are still timing out, check the syslog on the SN router under Status > Syslog for tunnel establishment.
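As an added example that is not part of the original document, the script below performs the Windows-side steps of Parts 4, 5 and 7 with netsh advfirewall (the command-line form of the GUI steps above, in the syntax Windows 7 ships with) using the addresses and cipher settings from this document. The SN router's WAN address and the pre-shared key are placeholders you must replace.

```powershell
# Added example: netsh equivalent of the Windows Firewall GUI steps in Parts 4, 5 and 7.
# Run from an elevated prompt on the Windows 7 client (Endpoint 1 = 192.168.31.195/32).
$SnWanIp = "203.0.113.10"          # placeholder: WAN IP of the SN router (remote tunnel endpoint)
$Psk     = "ReplaceWithSharedKey"  # placeholder: must match the Pre-Shared Key entered in Part 3

# Part 5: global main-mode (Phase 1) defaults: 60 min key lifetime, DH group 2, AES128, SHA1,
# and "Use Diffie-Hellman for enhanced security". These mirror the document's example values,
# which are legacy choices; if you select stronger ones, change them on the SN side as well.
netsh advfirewall set global mainmode mmkeylifetime=60min,0sess mmsecmethods=dhgroup2:aes128-sha1 mmforcedh=yes

# Part 4: tunnel-mode connection security rule. Endpoint 1 is the client host,
# Endpoint 2 the host behind the SN (192.168.0.2/32). Quick mode (Phase 2) is ESP with
# SHA1 integrity and 3DES encryption, 480 min lifetime, no PFS, authenticated by the PSK.
netsh advfirewall consec add rule name=SN-IPsec-Tunnel mode=tunnel `
    endpoint1=192.168.31.195/32 endpoint2=192.168.0.2/32 `
    localtunnelendpoint=any remotetunnelendpoint=$SnWanIp `
    action=requireinrequireout auth1=computerpsk auth1psk=$Psk `
    qmpfs=none qmsecmethods=esp:sha1-3des+480min

# Part 7: allow inbound ICMPv4 echo requests (type 8) only from the host on the SN side
# of the tunnel, rather than from any address.
netsh advfirewall firewall add rule name=Allow-Ping-From-SN-Host dir=in action=allow `
    protocol=icmpv4:8,any remoteip=192.168.0.2

# Parts 6 and 7: confirm the rule exists, then ping through the tunnel; the first
# attempts may time out while the tunnel is still negotiating.
netsh advfirewall consec show rule name=SN-IPsec-Tunnel
ping 192.168.0.2
```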