Application Note
Executive Summary
This application note shows you how to set up a Virtual Private Network (VPN) between two
Q-Series Q2200 T1 QoS Access Routers.
A VPN between Routers addresses the need to connect remote employees and offices in a safe,
relatively inexpensive way. VPNs use public wide area networks (WANs)—most notably, the Internet—
to negotiate a secure, encrypted stream of traffic. In this way, organizations can extend their
networks without leasing more lines, a practice that becomes prohibitively expensive as the number
of remote offices and users and the geographical distance between them grows.
Overview
While several technologies are available for VPN implementation, the Internet Protocol Security
(IPSec) protocol has become the most widely deployed. IPSec offers outstanding authentication
and encryption, plus the advantage of operating at the network layer where its functions are
independent of the applications that are using it.
The Kentrox Q-Series Router (“the Router”) uses a robust IPSec implementation for its VPN feature,
including use of the Internet Key Exchange (IKE) to establish a secure communications channel over
which to negotiate an IPSec security association.
[Figure 1 diagram: the Portland Office Q2200 (LAN IP 192.168.2.1, WAN IP 192.168.3.1; subnets 192.168.10.0/24 and 192.168.2.0/24; static-IP host 192.168.2.4) and the Seattle Office Q2200 (LAN IP 168.14.5.1, WAN IP 168.14.1.1; subnet 168.14.5.0/24; static-IP host 168.14.5.10; server 168.14.5.8) joined by a VPN tunnel across the WAN. A 192.168.8.0/24 subnet also appears in the diagram.]
Figure 1: The Router’s VPN enables secure site-to-site traffic flow over public networks.
A typical setup shows a Q-Series Q2200 Router at a remote office securely communicating with the
Router at another remote office. This paper describes how to configure these two Q-Series Routers
as remote peers.
How to Set Up a Peer-to-Peer VPN Between Two Q-Series Routers
Procedure
This paper assumes that you have installed and configured the Q-Series Routers for Internet access at
both of the locations from which you want to set up a VPN.
In this example, each Router is a VPN peer gateway with the following IP addresses:
Use the default values unless you are familiar with the QoS features of the Q-Series Routers and your WAN traffic, and you wish to modify the QoS behavior of all IPSec packets.
Egress DF Bit Action: copy (at both sites)
Figure 2 is a composite of the pages you complete at each site to configure the VPN.
[Figure 2: screenshots of the configuration pages, labeled Step 1, Step 2 and Step 3.]
Figure 2: Never forget an important IPSec parameter with the easy-to-use GUI.
6
How to Set Up a Peer-to-Peer VPN Between Two Q-Series Routers
When a tunnel is enabled, ACL Firewall policies are automatically created to permit traffic through
the tunnel using the tunnel source and destination addresses and “any” for the application. These
policies remain enabled as long as the tunnel is enabled.
Note that a slightly different scheme is used if you are configuring a VPN with a remote
client instead of a peer. For more information, see the paper “How to set up a client-to-peer
VPN with a Q-Series Router” on the Kentrox web site.
Add new policies to override the automatically created ones if there is any traffic you want to limit
through the tunnel. For example, you may want to add inbound and outbound policies to prohibit
users on the LANs behind either Router from communicating using Internet Relay Chat (IRC).
The Rank for automatically-created VPN policies is 32768, a number reserved solely for this type of
policy. Because the rank gives the policy a relatively low priority, you can easily configure new policies
to override the auto-created ones, and rank them at the highest priority of 0.
This sample procedure uses the GUI to create an ACL Firewall outbound policy that prohibits IRC traffic
from traversing the firewall from the Portland Office 192.168.10.0/24 LAN subnet in Figure 1 to the
LAN at the Seattle office.
1. Browse to Configure > Firewall > Outbound Policies > Add Outbound Policy.
2. Name the policy. Policy names must be unique, and can be up to 16 alphanumeric characters, but
must start with a letter.
6. For the Destination Address enter the subnet address 168.14.5.0/24. You can create an IP
Address list for this address if you plan on using it frequently.
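A constructed model of the rank-ordered policy evaluation just described, added here as an example; it is not code from the application note or from Kentrox. It assumes that policies are evaluated in ascending rank order with the first match winning, that the “any” application is modelled as a missing port, and that IRC is matched on its conventional TCP port 6667 (none of which the note states):

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the Router's rank-ordered ACL Firewall (not Kentrox code).
# Assumption: policies are evaluated in ascending rank order (0 = highest priority,
# 32768 = the auto-created VPN policies) and the first match decides.
AUTO_VPN_RANK = 32768
IRC_PORT = 6667  # assumption: IRC's conventional TCP port, not stated in the note

@dataclass
class Policy:
    name: str
    rank: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                  # "permit" or "deny"
    dport: Optional[int] = None  # None models the "any" application

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.dport is None or self.dport == dport))

def auto_vpn_policies(local_subnet, remote_subnet):
    """The permit-any outbound policy created when the tunnel is enabled."""
    return [Policy("vpn-auto", AUTO_VPN_RANK, ipaddress.ip_network(local_subnet),
                   ipaddress.ip_network(remote_subnet), "permit")]

def evaluate(policies, src_ip, dst_ip, dport):
    """First matching policy in rank order, or an implicit deny if none matches."""
    for pol in sorted(policies, key=lambda p: p.rank):
        if pol.matches(src_ip, dst_ip, dport):
            return pol.name, pol.action
    return "implicit", "deny"

def portland_outbound():
    """Portland's outbound set: the auto VPN policy plus the rank-0 IRC block."""
    policies = auto_vpn_policies("192.168.10.0/24", "168.14.5.0/24")
    policies.append(Policy("blockIRC", 0, ipaddress.ip_network("192.168.10.0/24"),
                           ipaddress.ip_network("168.14.5.0/24"), "deny", IRC_PORT))
    return policies

if __name__ == "__main__":
    pols = portland_outbound()
    print(evaluate(pols, "192.168.10.25", "168.14.5.10", IRC_PORT))  # ('blockIRC', 'deny')
    print(evaluate(pols, "192.168.10.25", "168.14.5.10", 80))        # ('vpn-auto', 'permit')
```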
For example, from the Seattle Office host with the IP address 168.14.5.10, you could issue the
command:
ping 192.168.2.4
You can also use the VPN (IKE) Log to verify that Tunnel configuration is successful and complete. The
log shows the exchange of parameters for each phase of negotiation.
Figure 3 shows sample output in the VPN Log where Phase 2 negotiation has failed. To determine the
cause, examine each parameter as displayed in the log to confirm that the correct values were used to
configure the gateway and tunnel. Negotiation may also fail when the remote peer cannot be reached.
Figure 3: VPN negotiation messages can be viewed from the GUI, CLI, or Syslog.
Set the severity level for the VPN Log on the Configure > System > Logs page, and view log contents
on the Monitor > Logs > VPN Log page. If you are using the CLI, set the VPN log (ikeLog) level to
verbose to make it easy to pinpoint any breakdown in IKE negotiations.
Syslog is also a good choice for viewing detailed information about IKE negotiations from a host on
which the GUI is not available. For more information on Syslog, consult your User’s Guide.
Note that this VPN implementation does not apply NAT to IP address headers for traffic that
traverses the VPN tunnels. Therefore, the local-to-remote address mapping must be unique.
In other words, you cannot use the same address scheme for subnets at opposite ends of
the tunnel, or traffic will never exit the local LAN.
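An added pre-flight check, written as example code rather than taken from the application note or from Kentrox, for the two conditions covered above: the parameter mismatches that the log section says to look for when Phase 2 fails, and the requirement that the subnets at opposite ends of the tunnel not share an address scheme. It assumes each site's tunnel is summarised by the fields shown, with an assumed “proposal” string standing in for the Phase 2 parameters both gateways must agree on; the addresses are those of Figure 1:

```python
import ipaddress

# Constructed pre-flight check for a pair of Q-Series VPN peers (not Kentrox code).
# Site values are the Figure 1 addresses; "proposal" is an assumed stand-in for the
# Phase 2 parameters both gateways must agree on.
PORTLAND = {"site": "Portland", "wan_ip": "192.168.3.1", "peer_ip": "168.14.1.1",
            "local_subnet": "192.168.2.0/24", "remote_subnet": "168.14.5.0/24",
            "proposal": "esp-proposal-A"}
SEATTLE = {"site": "Seattle", "wan_ip": "168.14.1.1", "peer_ip": "192.168.3.1",
           "local_subnet": "168.14.5.0/24", "remote_subnet": "192.168.2.0/24",
           "proposal": "esp-proposal-A"}

def _one_way(a, b):
    """Mismatches between site a's view of the tunnel and site b's own settings."""
    problems = []
    if a["peer_ip"] != b["wan_ip"]:
        problems.append(f"{a['site']}: peer {a['peer_ip']} is not the {b['site']} WAN IP {b['wan_ip']}")
    local = ipaddress.ip_network(a["local_subnet"])
    remote = ipaddress.ip_network(a["remote_subnet"])
    if remote != ipaddress.ip_network(b["local_subnet"]):
        problems.append(f"{a['site']}: remote subnet {remote} is not the {b['site']} LAN {b['local_subnet']}")
    # No NAT is applied inside the tunnel, so the two ends need distinct address space.
    if local.overlaps(remote):
        problems.append(f"{a['site']}: local {local} overlaps remote {remote}; traffic never leaves the LAN")
    return problems

def check_peers(a, b):
    """All mismatches in both directions; an empty list means the pair is consistent."""
    problems = _one_way(a, b) + _one_way(b, a)
    if a["proposal"] != b["proposal"]:
        problems.append(f"Phase 2 proposal differs: {a['proposal']} vs {b['proposal']}")
    return problems

if __name__ == "__main__":
    print(check_peers(PORTLAND, SEATTLE))  # []
    # Seattle mistakenly given the same LAN as Portland (constructed misconfiguration)
    bad = dict(SEATTLE, local_subnet="192.168.2.0/24")
    for p in check_peers(PORTLAND, bad):
        print(p)
```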
Conclusion
A well-designed VPN can greatly benefit a company. For example, it will:
• Improve security
• Improve productivity
The Router’s GUI makes VPN configuration easier than most VPN appliances. However, if you do want
to set up a VPN between a Q-Series Router and another vendor’s VPN appliance, visit the Kentrox
website for more examples.
Also, if you need or prefer to use the CLI instead of the GUI, the commands for the example presented
in this application note appear in the following section.
Portland
ipsec set vpn localID ipwan state enable
ipsec set vpn ingressTosAction copy
ipsec set vpn egressTosAction copy
ipsec set vpn dfBitAction copy
ipsec set vpn strictEncryption enable
ipsec set vpn ikeLog enable ikeLogLevel verbose
04-15-002 5/04 Copyright © 2004 by Kentrox, LLC. All Rights Reserved. Kentrox is a registered trademark and Q-Series is a
trademark of Kentrox, LLC. Information published here is current as of the date of publication.
Kentrox, LLC
20010 NW Tanasbourne Drive
Hillsboro, OR 97124
Phone 503-643-1681
Toll Free 800-733-5511