DI-804HV with Windows 2000/XP IPsec VPN Client Configuration Guide

This guide shows how to configure a Windows 2000/XP machine to make an IPsec VPN tunnel connection to a DI-804HV. Below is the example network that this document is based on.

Technical Requirement: Customers are required to understand their network and Windows 2000/XP well for this configuration. Please consult a Microsoft certified professional if unsure. The information provided here is for your reference only. D-Link will not be held responsible for any consequences arising from it.

[Network diagram: Internet; DSL-300G+; DI-804HV (WAN IP: 10.0.0.1, LAN: 192.168.0.0/24); Windows 2000 Professional Workstation, VPN Client (IP: 10.0.0.2)]

DI-804HV Configuration

1. Type in the IP address of the DI-804HV in the address bar of the browser. Log in using the default username and password.
2. Click on VPN on the left-hand side menu. Make sure that VPN is checked and enter 5 for maximum number of tunnels. Click on Apply and then Restart to save the settings. Log in again and then click on Home > VPN > Dynamic VPN Settings.
3. Enter the following details for the Dynamic VPN connection. Enter the Tunnel name (client). Enter the Local Subnet/Netmask (192.168.0.0/255.255.255.0). Enter the pre-share key. Click on Apply and then Restart to save the settings. Log in again and come back to this screen. Now click on Select IKE Proposal.
4. Under ID #1, enter the name 3DES-MD5, DH Group = Group2, Encrypt algorithm = 3DES, Auth algorithm = MD5, Life Time = 28800, Life Time Unit = Sec. Set the Proposal ID at the bottom to #1 and then click on the Add to button. Click on Apply and then Restart.
5. Click on Home > VPN, click on Dynamic VPN Settings, and then click on Select IPsec Proposal. Under ID #1, enter the Proposal Name = 3DES-MD5, DH Group = Group2, Encap Protocol = ESP, Encrypt algorithm = 3DES, Auth algorithm = MD5, Life Time = 3600, Life Time Unit = Sec. Set the Proposal ID at the bottom to #1 and then click on the Add to button. Click on Apply and then Restart.

Windows 2000/XP Configuration

1. Go to Start > Run and then type in MMC to bring up the Console.
2. Click on Console and then click on Add/Remove Snap-in. In Windows XP, click on File > Add/Remove Snap-in.
3. Click on the Add button.
4. Select IP Security Policy Management and then click on Add.
5. Select Local computer and then click on Finish.
6. Click on Close on the Add Standalone Snap-in window.
7. Click on OK in the Add/Remove Snap-in.
8. Right-click on IP Security Policies on Local Machine. Select Create IP Security Policy.
9. The wizard should then come up. Click Next to continue.
10. Enter the name for the Policy as well as the description. Click Next.
11. Uncheck Activate the default response rule. Click Next.
12. Click on Finish.
13. The Properties window for the newly created policy should then come up. Click on Add.
14. Click on Add under IP Filter List.
15. Enter the name and the description for the New IP Filter List. Uncheck the Use Add Wizard. Click on Add.
16. Select A specific IP subnet for the Source address and enter the Internal LAN range on the DI-804HV side. Select My IP Address for the Destination address. Uncheck the Mirrored option at the bottom of the screen. Click OK.
17. Click Close.
18. Select the newly created IP Filter.
19. Click on the Filter Action tab. Select Require Security. Click on Edit.
20. Move the 3DES/MD5 security method to the top. Check the Session key Perfect Forward Secrecy. Click OK.
21. Click on the Connection Type tab. Select All network connections.
22. Click on the Tunnel Setting tab. Specify the tunnel endpoint as the W2K Pro/XP client IP address (10.0.0.2 in this example).
23. Click on the Authentication Methods tab. Click on Kerberos and then click on Edit.
24. Select Use this string to protect the key exchange (preshared key). Type in the Preshared key. Click OK.
25. Click Close.
26. Select the newly created rule. Click on Add.
27. Click on Add under IP Filter List.
28. Enter the name and the description for the New IP Filter List. Uncheck the Use Add Wizard. Click on Add.
29. Select My IP Address for the Source address. Uncheck the Mirrored option at the bottom of the screen. Select A specific IP subnet for the Destination address and enter the Internal LAN range on the DI-804HV side. Click OK.
30. Click on Close.
31. Select the newly created IP Filter, Right (Single User) to Left (DI-804HV).
32. Click on the Filter Action tab. Select Require Security. You don't need to click on Edit.
33. Click on the Connection Type tab. Select All network connections.
34. Click on the Tunnel Setting tab. Specify the tunnel endpoint as the WAN IP address of the DI-804HV.
35. Click on the Authentication Methods tab. Click on Kerberos and then click on Edit.
36. Select Use this string to protect the key exchange (preshared key). Type in the Preshared key. Click OK.
37. Click Close.
38. Select the newly created rule Right (Single User).. Click Close.
39. Click on the General tab and then the Advanced button.
40. Check the Master key Perfect Forward Secrecy. Click on the Methods button.
41. Move the IKE/3DES/MD5 to the top. Click OK.
42. Click OK.
43. Click Close.
44. Right-click on the new policy and select Assign to activate the policy.
45. You can then ping an Internal LAN IP address on the DI-804HV side (i.e. 192.168.0.4 in this example) in the DOS prompt. It will then start Negotiating IP security and eventually you will get a reply.
46. Please note that if you make any changes to the IPsec policy, you will need to restart the IPsec Policy Agent in order for the changes to take effect. You can do this by going into Start > Settings > Control Panel > Administrative Tools > Services.
47. In Windows 2000 Professional, you can monitor the IPsec tunnels that you have by running IPSECMON.EXE in Start > Run. In Windows XP, you can add a snap-in in the MMC called IP Security Monitor.
48. In Windows XP, you can monitor the IPsec tunnel by adding the IP Security Monitor snap-in. You can do this by going into File > Add/Remove Snap-In, clicking Add, and selecting IP Security Monitor. You can check under IP Security Monitor > Quick Mode > Security Association for any active tunnels.
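
The two rules built in steps 14-37 are one-directional and easy to cross: the LAN-to-client rule ends at the client (10.0.0.2) and the client-to-LAN rule ends at the DI-804HV WAN address (10.0.0.1). The Python check below is an added example, not part of D-Link's guide; it compares a policy written down as plain data with the router settings used here. The dictionary layout, the function names and the preshared key value are assumptions made for the illustration.

```python
import ipaddress

# Router side, using the values from the guide's example network.
# The preshared key is a constructed placeholder.
ROUTER = {"wan_ip": "10.0.0.1", "lan": "192.168.0.0/24", "psk": "EXAMPLE-KEY",
          "ike": ("3DES", "MD5"), "ipsec": ("3DES", "MD5")}
CLIENT_IP = "10.0.0.2"
ME = "My IP Address"

def make_rule(src, dst, endpoint, psk="EXAMPLE-KEY", mirrored=False):
    """One rule of the Windows policy, reduced to the fields the guide sets."""
    return {"src": src, "dst": dst, "endpoint": endpoint,
            "psk": psk, "mirrored": mirrored}

def check_policy(router, client_ip, rules, top_ike, top_ipsec):
    """Return a list of mismatches between the Windows policy and the router."""
    lan = ipaddress.ip_network(router["lan"])
    problems, seen = [], set()
    if top_ike != router["ike"]:
        problems.append("IKE method %s/%s is not the router's proposal" % top_ike)
    if top_ipsec != router["ipsec"]:
        problems.append("IPsec method %s/%s is not the router's proposal" % top_ipsec)
    for r in rules:
        if r["src"] == ME and r["dst"] != ME and ipaddress.ip_network(r["dst"]) == lan:
            direction, expected = "client-to-LAN", router["wan_ip"]
        elif r["dst"] == ME and r["src"] != ME and ipaddress.ip_network(r["src"]) == lan:
            direction, expected = "LAN-to-client", client_ip
        else:
            problems.append("filter %s -> %s does not pair My IP Address with %s"
                            % (r["src"], r["dst"], lan))
            continue
        seen.add(direction)
        if r["endpoint"] != expected:
            problems.append("%s rule: tunnel endpoint is %s, expected %s"
                            % (direction, r["endpoint"], expected))
        if r["mirrored"]:
            problems.append("%s rule: filter must not be mirrored" % direction)
        if r["psk"] != router["psk"]:
            problems.append("%s rule: preshared key differs from the router" % direction)
    for direction in ("LAN-to-client", "client-to-LAN"):
        if direction not in seen:
            problems.append("missing %s rule" % direction)
    return problems

GOOD = [make_rule("192.168.0.0/24", ME, "10.0.0.2"),   # steps 14-25
        make_rule(ME, "192.168.0.0/24", "10.0.0.1")]   # steps 26-37
# Constructed mistake: the two tunnel endpoints swapped.
SWAPPED = [make_rule("192.168.0.0/24", ME, "10.0.0.1"),
           make_rule(ME, "192.168.0.0/24", "10.0.0.2")]
```

Calling `check_policy(ROUTER, CLIENT_IP, SWAPPED, ("3DES", "MD5"), ("3DES", "MD5"))` reports both crossed endpoints, a mistake that otherwise shows up only as a ping in step 45 that never gets past Negotiating IP security.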