IPSec Pass Through via Gateway to Gateway VPN Connection

1. Connection

In the diagram below, the left-side router represents the SME200/SME100/SME50 in HQ, and the right side represents the PC with VPN client software installed at home, which sits behind a home router with IPSec pass through.

SME200/SME100/SME50 in HQ (left side)
  IP = A.A.A.A (fixed IP)
  Local Secure Subnet = 192.168.5.0; Subnet Mask = 255.255.255.0
  Security Type = IP only

SME200/SME100/SME50 or home gateway/router at home (right side)
  IP = Dynamic IP (PPPoE)
  IPSec pass through enabled

PC with SafeNet client software at home (right side)
  IP = Dynamic IP or fixed IP (it does not matter)
  Security Type = Dynamic IP + E-mail Addr. (USER FQDN) Authentication
(192.168.5.0/24)-- --(A.A.A.A)------(internet)------(Dynamic IP)-- --(192.168.1.41)
2. Settings for SME200/SME100/SME50 in HQ

2.1 Basic Settings
1. The tunnel number is generated automatically; enter a tunnel name. Here we use "Left" as the tunnel name.
2. Select WAN1 if the VPN tunnel is being created via WAN1.
3. The Enable check-box lets users choose whether this tunnel is enabled (working) or disabled (not working).

2.2 Local Group Settings
Note: All the types selected here must be the same as the Remote Party settings of the PC with SafeNet installed at home (right side).
1. Select the Local Security Gateway Type as IP Only; the IP address is shown automatically (the SME200/SME100/SME50 detects its own IP address).
2. Select the Local Security Group Type. There are three types of local security group: IP, Subnet and IP Range. Select Subnet and enter the IP address and subnet mask.

2.3 Remote Group Settings
Note: All the types selected here must be the same as the My Identity settings of the PC with SafeNet installed at home (right side).
1. Because the home router with IPSec pass through has a dynamic IP, select Dynamic IP + E-mail Addr. (USER FQDN) Authentication as the Remote Security Gateway Type.
2. Enter the e-mail address (USER FQDN), for example charles@vpn_player.com.
3. There are three types of remote security group: IP, Subnet and IP Range. Select IP and enter the IP address of the PC with SafeNet installed at home (right side).

2.4 IPSec Settings
Note: All the parameters set here must be the same as the settings of the PC with SafeNet at home (right side). In this example we use:
  IKE with Pre-shared Key
  Phase 1/2 DH Group = Group 1
  Phase 1/2 Encryption = DES
  Phase 1/2 Authentication = MD5
  Phase 1 SA Life Time = 28800 seconds
  Phase 2 SA Life Time = 3600 seconds
  Pre-shared Key = secretkey
To increase the security level, enable PFS (Perfect Forward Secrecy). When the PFS box is checked, the SME200/SME100/SME50 periodically regenerates the Gold Key based on the pre-shared key (every 3600 seconds, the Phase 2 SA Life Time).
3. Settings for PC installed with SafeNet at Home (Right-side)

3.1 Remote Party Identity and Addressing
Note: All the settings here must be the same as the Local Group Settings of the left-side (HQ) SME200/SME100/SME50.
1. There are six ID Types for the Remote Party: IP, Domain Name, E-mail Address, IP Subnet, IP Address Range and Distinguished Name. Select IP Subnet and enter the subnet and mask that match the Local Security Group settings of the HQ SME200/SME100/SME50.
2. Select All Protocols and check the box Connect using Secure Gateway Tunnel.
3. Select ID Type as IP Address and enter the IP address of the HQ SME200/SME100/SME50 (left side).
3.2 My Identity
1. Enter the Pre-Shared Key; it must be the same as the pre-shared key of the HQ SME200/SME100/SME50.
2. Select None in the Certificate drop-down menu.
3. Enter the ID Type of the PC with SafeNet installed at home. There are three ID Types: IP, Domain Name and E-mail Address, but if Main Mode is selected, the Domain Name and E-mail Address options are not available. Select Aggressive Mode, select ID Type as E-mail Address, and enter the e-mail address that matches the Remote Group Settings of the HQ SME200/SME100/SME50 (left side).

3.3 Security Policy
Note: All the settings here must be the same as the IPSec Settings of the left-side (HQ) SME200/SME100/SME50.

3.3.1 Select the Phase 1 Negotiation Mode and PFS
1. Select the Phase 1 Negotiation Mode. There are three modes: Main Mode, Aggressive Mode and Manual Keys. In this scenario, select Aggressive Mode; it must be the same as the mode in the VPN advanced settings of the HQ SME200/SME100/SME50.
2. Check the Enable PFS box; it must be the same as the PFS setting in the IPSec Settings of the HQ SME200/SME100/SME50.
3. Select the PFS Key Group; it must be the same as in the IPSec Settings of the HQ SME200/SME100/SME50. Once PFS is enabled, users have to set the PFS Key Group for Phase 2.

3.3.2 Setting for Authentication (Phase 1)
1. Select the Authentication Method as Pre-shared Key.
2. Select the Encryption and Data Integrity Algorithms, enter the SA Life Time and select the Key Group. All settings here must be the same as the Phase 1 settings in the IPSec Settings of the HQ SME200/SME100/SME50.
3.3.3 Setting for Key Exchange (Phase 2)
Enter the SA Life Time and select the Encapsulation Protocol; all settings must be the same as the Phase 2 settings of the HQ SME200/SME100/SME50.
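A consistency check for the two sides configured in sections 2 and 3, as an added example that is not part of this manual or of the SME/SafeNet products: it encodes the "must be the same" notes from 2.2 through 3.3.3 together with the two SafeNet constraints from 3.2 and 3.3.1 (E-mail ID only in Aggressive Mode; PFS needs a key group). The field names are assumptions; the values are the document's example values.

```python
# Added example: checks that the HQ router tunnel and the SafeNet client
# policy agree, following the "must be the same" notes in the manual.
# Field names are assumptions; values are the document's example values.

HQ = {                                  # SME200/SME100/SME50 side (section 2)
    "mode": "aggressive",               # VPN advanced setting
    "psk": "secretkey",
    "pfs": True, "pfs_group": "group1",
    "phase1": {"enc": "DES", "auth": "MD5", "dh": "group1", "life": 28800},
    "phase2": {"enc": "DES", "auth": "MD5", "life": 3600},
    "local_subnet": "192.168.5.0/255.255.255.0",   # 2.2 Local Security Group
    "remote_id_type": "email",                      # 2.3 USER FQDN
    "remote_id": "charles@vpn_player.com",
}

CLIENT = {                              # SafeNet side (section 3)
    "mode": "aggressive",               # 3.3.1 Phase 1 Negotiation Mode
    "psk": "secretkey",
    "pfs": True, "pfs_group": "group1",
    "phase1": {"enc": "DES", "auth": "MD5", "dh": "group1", "life": 28800},
    "phase2": {"enc": "DES", "auth": "MD5", "life": 3600},
    "remote_party_subnet": "192.168.5.0/255.255.255.0",  # 3.1 IP Subnet
    "my_id_type": "email",                                # 3.2 My Identity
    "my_id": "charles@vpn_player.com",
}

# (HQ field, client field) pairs the manual says must agree
PAIRS = [("mode", "mode"), ("psk", "psk"), ("pfs", "pfs"),
         ("pfs_group", "pfs_group"), ("local_subnet", "remote_party_subnet"),
         ("remote_id_type", "my_id_type"), ("remote_id", "my_id")]


def check_consistency(hq, client):
    """Return a list of problems; an empty list means the tunnel should negotiate."""
    problems = []
    for h, c in PAIRS:
        if hq[h] != client[c]:
            problems.append(f"{h}={hq[h]!r} on HQ but {c}={client[c]!r} on client")
    for phase in ("phase1", "phase2"):
        for key, hq_val in hq[phase].items():
            if client[phase].get(key) != hq_val:
                problems.append(f"{phase} {key}: HQ {hq_val!r} vs client {client[phase].get(key)!r}")
    # 3.2: SafeNet offers Domain Name / E-mail ID types only in Aggressive Mode
    if client["mode"] == "main" and client["my_id_type"] in ("domain", "email"):
        problems.append("client: E-mail/Domain Name ID requires Aggressive Mode")
    # 3.3.1: once PFS is enabled the Phase 2 key group must be chosen
    if client["pfs"] and not client["pfs_group"]:
        problems.append("client: PFS enabled but no PFS Key Group selected")
    return problems
```

Run `check_consistency(HQ, CLIENT)` before bringing the tunnel up; any string it returns names the parameter to fix on the client side before looking at the Log Viewer.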
3.4 Log Viewer
You can check the log information for Phase 1 and Phase 2, and see the SPI value in the Log Viewer, to make sure the tunnel has been created successfully.