
How to Set Up a Peer-to-Peer VPN

Between Two Q-Series™ Routers

Application Note

Executive Summary
This application note shows you how to set up a Virtual Private Network (VPN) between two
Q-Series Q2200 T1 QoS Access Routers.

A VPN between Routers addresses the need to connect remote employees and offices in a safe,
relatively inexpensive way. VPNs use public wide area networks (WANs)—most notably, the Internet—
to negotiate a secure, encrypted stream of traffic. In this way, organizations can extend their
networks without leasing more lines, a practice that becomes prohibitively expensive as the number
of remote offices and users and the geographical distance between them grows.

Overview
While several technologies are available for VPN implementation, the Internet Protocol Security
(IPSec) protocol has become the most widely deployed. IPSec offers outstanding authentication
and encryption, plus the advantage of operating at the network layer where its functions are
independent of the applications that are using it.

The Kentrox Q-Series Router (“the Router”) uses a robust IPSec implementation for its VPN feature,
including use of the Internet Key Exchange (IKE) to establish a secure communications channel over
which to negotiate an IPSec security association.

[Figure 1 diagram, left to right: Portland Office Q2200 (LAN IP 192.168.2.1, WAN IP 192.168.3.1)
serving LAN 192.168.2.0/24, which contains the host 192.168.2.4 (Static IP), with a second LAN
192.168.10.0/24; a VPN Tunnel across the WAN; Seattle Office Q2200 (LAN IP 168.14.5.1, WAN IP
168.14.1.1) serving LAN 168.14.5.0/24, which contains the host 168.14.5.10 (Static IP) and the
Server 168.14.5.8. A further LAN, 192.168.8.0/24, also appears in the diagram.]
Figure 1: The Router’s VPN enables secure site-to-site traffic flow over public networks.

A typical setup shows a Q-Series Q2200 Router at a remote office securely communicating with the
Router at another remote office. This paper describes how to configure these two Q-Series Routers
as remote peers.

Procedure
This paper assumes that you have installed and configured the Q-Series Routers for Internet access at
both of the locations from which you want to set up a VPN.

In this example, each Router is a VPN peer gateway with the following IP addresses:

Seattle Office Router
  LAN IP address: 168.14.5.1
  WAN IP address: 168.14.1.1

Portland Office Router
  LAN IP address: 192.168.2.1
  WAN IP address: 192.168.3.1

Step 1. Configure VPN Global Settings


On each Router, browse to Configure > VPN > Global settings and edit these fields. Click OK
when you are finished.

Parameter                 Seattle    Portland
Local ID                  ipwan      ipwan
  For each Router, this must be set to its own WAN-side IP address. You can use
  the IP Address list ipwan, which is created when you configure the T1 WAN
  interface; ipwan is updated automatically if you change the Router's WAN IP
  address.
Egress ToS Action         copy       copy
Ingress ToS Action        copy       copy
  Use the default values unless you are familiar with the QoS features of the
  Q-Series Routers and your WAN traffic, and you wish to modify the QoS behavior
  of all IPSec packets.
Egress DF Bit Action      copy       copy
  Use the default value for this field.
Enable Strict Encryption  enabled    enabled
  Use the default value for this field.


Step 2. Configure the Peer Gateway


Each Router will add the other as a remote peer gateway. Browse to Configure > VPN > Gateways >
Add Peer Gateways and edit these fields. Click Create when you are finished.

Parameter                                    Seattle        Portland
Gateway Name                                 Portland1      Seattle1
  This is an arbitrary name for the gateway and does not need to match at both
  endpoints. The name can be up to sixteen alphanumeric characters in length,
  including hyphens and underscores, and must start with a letter. The name
  should be unique among the other names configured for use in the Router.
Remote ID Type and Remote Address            192.168.3.1    168.14.1.1
  Select ipAddress and enter the Local ID (as configured in Step 1) of the
  remote peer in the Remote Address text box. Note that this is the remote
  peer's WAN-side IP address, not its LAN-side address.
Initiator Negotiation Mode                   automatic      automatic
  In this example, main mode can only be used if there is no NAT device between
  the Routers. A NAT device between edge routers like the ones shown in this
  configuration is very atypical; if you are uncertain, contact your service
  provider.
Authentication Type and Pre-Share Password   <password>     <password>
  Currently, you can only use a pre-shared key (password) for authentication.
  The password can be up to 63 ASCII characters and the same password must be
  entered at both sites. Because this key is the only thing that authenticates
  the peer, use a long, randomly generated value rather than a word or phrase,
  and exchange it out of band.
Diffie-Hellman Group                         DH5            DH5
  DH1, DH2, and DH5 are available. DH5 (1536-bit MODP) offers the most security
  but is the most processing-intensive; DH1 (768-bit MODP) is too weak for use
  across a public network. This selection must match at both sites.
Phase 1 Encryption/Hash                      3des-sha       3des-sha
  Select from all permutations of encryption (AES, DES, 3DES) and hashing
  algorithms (SHA-1, MD5). 3DES uses a longer key than DES, but its effective
  strength (112 bits) is below that of AES, and AES costs far less processing
  per packet, so prefer AES when both peers support it. SHA-1 provides stronger
  authentication than MD5. Single DES and MD5 should not be used for new
  deployments. Your selection must match at both sites.
Lifetime Format and Lifetime                 28800 seconds  28800 seconds
  This needs to match at both sites.
Enable Gateway                               enable         enable
Enable NAT Traversal                         enable         enable
  This applies to NAT-T for the Router as the proposal initiator. NAT-T is
  always enabled for the Router as the responder.
Enable UDP Checksum                          disable        disable
  This must match at both sites.
Keep-Alive Interval                          10             10
  If a NAT device is located between the two Routers, the keep-alive interval
  must be less than the NAT device's session timeout. Only the Router behind the
  NAT device transmits the NAT-T keep-alive packets.

Step 3. Configure the Tunnel


Browse to Configure > VPN > Gateways and click Add Tunnel for the gateway to which you want
to add a tunnel.

Parameter                     Seattle          Portland
Tunnel Name                   SeaPort_1        PortSea_1
  This is an arbitrary name for the tunnel and does not need to match at both
  endpoints. The name must start with a letter, and can be up to sixteen
  alphanumeric characters, including hyphens and underscores. The name should
  be unique among the other names and lists used in the Router(s).
Local Address                 168.14.5.0/24    192.168.2.0/24
  Local host address, subnet address, or IP Address list for tunnel traffic.
Remote Address                192.168.2.0/24   168.14.5.0/24
  Remote host address, subnet address, or IP Address list. Each Router's Remote
  Address is the other Router's Local Address.
Enable Tunnel                 enable           enable
Transform                     ESP              ESP
  Select ESP or AH, but not both. If you choose ESP, you need to specify both
  the authentication and encryption algorithms. AH requires authentication
  (hash) algorithms only; it authenticates packets but does not encrypt them,
  so use ESP for traffic that crosses the Internet. This selection must match
  at both sites.
Authentication                sha              sha
  MD5, SHA-1, or none (null). SHA-1 provides stronger authentication. Do not
  select null: ESP without authentication leaves the tunnel open to packet
  tampering. This selection must match at both sites.
Encryption                    3des             3des
  AES, DES, or 3DES. 3DES uses a longer key than DES, but AES is both stronger
  and much faster, and single DES should not be used. This selection must match
  at both sites.
Perfect Forward Secrecy       noPfs            noPfs
  To generate new keying material for the tunnel, specify a Diffie-Hellman
  group. This is more secure, because a later compromise of the gateway
  (Phase 1) keys can then no longer be used to recover the tunnel keys, but it
  increases processing time. This selection must match at both sites.
Lifetime Format and Lifetime  28800 seconds    28800 seconds
  This needs to match at both tunnel endpoints, but does not need to match the
  gateway lifetime.


Figure 2 is a composite of the pages you complete at each site to configure the VPN.

[Figure 2 image: the Step 1, Step 2 and Step 3 configuration pages]

Figure 2: Never forget an important IPSec parameter with the easy-to-use GUI.


Step 4. Configure ACL Policies (optional)


When a gateway is enabled, ACL Firewall policies are automatically created to permit IKE traffic for
gateway negotiation. These policies use the gateway source and destination addresses (in other
words, the Router host addresses), and “ike” for the application. These policies remain enabled as
long as the gateway is enabled.

When a tunnel is enabled, ACL Firewall policies are automatically created to permit traffic through
the tunnel using the tunnel source and destination addresses and “any” for the application. These
policies remain enabled as long as the tunnel is enabled.

Note that a slightly different scheme is used if you are configuring a VPN with a remote
client instead of a peer. For more information, see the paper "How to set up a client-to-peer
VPN with a Q-Series Router" on the Kentrox web site.

Add new policies to override the automatically created ones if there is any traffic you want to limit
through the tunnel. For example, you may want to add inbound and outbound policies to prohibit
users on the LANs behind either Router from communicating using Internet Relay Chat (IRC).

The Rank for automatically-created VPN policies is 32768, a number reserved solely for this type of
policy. Because the rank gives the policy a relatively low priority, you can easily configure new policies
to override the auto-created ones, and rank them at the highest priority of 0.

This sample procedure uses the GUI to create an ACL Firewall outbound policy to prohibit IRC traffic
from traversing the firewall from the Portland Office 192.168.10.0/24 LAN subnet in Figure 1, to the
LAN at the Seattle office.

1. Browse to Configure > Firewall > Outbound Policies > Add Outbound Policy.

2. Name the policy. Policy names must be unique, and can be up to 16 alphanumeric characters, but
must start with a letter.

3. Enter 0 for the policy Rank.

4. Select deny for the Action.

5. For the Source Address, enter the subnet address 192.168.10.0/24.

6. For the Destination Address enter the subnet address 168.14.5.0/24. You can create an IP
Address list for this address if you plan on using it frequently.

7. Select irc from the Application drop-down list.

8. Select the Enable Policy check box.


Step 5. Verification and Troubleshooting


From a host behind either Router, ping a host on the opposite LAN through the VPN. The ping
should be successful.

For example, from the Seattle Office host with the IP address 168.14.5.10, you could issue the
command:

ping 192.168.2.4

You can also use the VPN (IKE) Log to verify that Tunnel configuration is successful and complete. The
log shows the exchange of parameters for each phase of negotiation.

Figure 3 shows sample output in the VPN Log where Phase 2 negotiation has failed. To determine the
cause, examine each parameter as displayed in the log to confirm that the correct values were used to
configure the gateway and tunnel. Negotiation may also fail when the remote peer cannot be reached.

Figure 3: VPN negotiation messages can be viewed from the GUI, CLI, or Syslog.

Set the severity level for the VPN Log on the Configure > System > Logs page, and view log contents
on the Monitor > Logs > VPN Log page. If you are using the CLI, set the VPN log (ikeLog) level to
verbose to make it easy to pinpoint any breakdown in IKE negotiations.
Syslog is also a good choice for viewing detailed information about IKE negotiations from a host on
which the GUI is not available. For more information on Syslog, consult your User's Guide.

Note that this VPN implementation does not apply NAT to the IP headers of traffic that
traverses the VPN tunnels. Therefore, the local and remote address ranges must not overlap.
In other words, you cannot use the same address scheme for the subnets at opposite ends of
the tunnel; if you do, traffic for the remote subnet is treated as local and never exits the
local LAN.
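As an added example (not Kentrox code), the check below encodes every rule this note states about the two peers: the parameters Steps 2 and 3 mark "must match at both sites", the Step 2 rule that each Router's Remote Address is the other's Local ID (its WAN-side IP), the Step 3 rule that the tunnel's Local and Remote Addresses are mirror images, the keep-alive versus NAT session timeout rule, and the note above that the two LAN subnets must not overlap. Running it against the two configurations before enabling the gateways catches most of the mismatches that otherwise show up as a Phase 2 failure in the VPN Log. The dictionary keys are this example's own names, not Router CLI keywords, and the NAT session timeout is a hypothetical input.

```python
# Added example (not Kentrox code): cross-check the two peers' settings before enabling them.
import ipaddress

# Gateway (Step 2) and tunnel (Step 3) parameters that must be identical on both peers.
GATEWAY_MATCH = ("dh_group", "phase1_proposal", "gateway_lifetime", "udp_checksum")
TUNNEL_MATCH = ("transform", "auth", "enc", "pfs", "tunnel_lifetime")


def check_peers(a, b, nat_session_timeout=None):
    """Return a list of problem strings; an empty list means the two configs agree."""
    problems = []

    # 1. Parameters the note marks "must match at both sites".
    for key in GATEWAY_MATCH + TUNNEL_MATCH:
        if a[key] != b[key]:
            problems.append(
                f"{key} differs: {a['name']}={a[key]!r}, {b['name']}={b[key]!r}")

    # 2. Step 2: each Router's Remote Address is the other Router's Local ID (its WAN IP).
    for x, y in ((a, b), (b, a)):
        if x["remote_address"] != y["local_id"]:
            problems.append(
                f"{x['name']} remote_address {x['remote_address']} is not "
                f"{y['name']} local_id {y['local_id']}")

    # 3. Step 3: tunnel selectors must be mirror images, not copies.
    if a["local_subnet"] != b["remote_subnet"] or b["local_subnet"] != a["remote_subnet"]:
        problems.append("tunnel local/remote subnets are not mirror images of each other")

    # 4. Step 5 note: no NAT inside the tunnel, so the two LANs must not overlap.
    lan_a = ipaddress.ip_network(a["local_subnet"])
    lan_b = ipaddress.ip_network(b["local_subnet"])
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets overlap: {lan_a} and {lan_b}")

    # 5. Step 2: with a NAT device in the path, keep-alive must be below its session timeout
    #    (the timeout value is a hypothetical input supplied by the operator).
    if nat_session_timeout is not None:
        for x in (a, b):
            if x["keepalive"] >= nat_session_timeout:
                problems.append(
                    f"{x['name']} keep-alive {x['keepalive']}s is not below "
                    f"the NAT session timeout of {nat_session_timeout}s")

    return problems


# The two Routers exactly as configured in Steps 1 to 3 of this note.
SEATTLE = {
    "name": "Seattle", "local_id": "168.14.1.1", "remote_address": "192.168.3.1",
    "dh_group": "DH5", "phase1_proposal": "3des-sha", "gateway_lifetime": 28800,
    "udp_checksum": "disable", "keepalive": 10,
    "local_subnet": "168.14.5.0/24", "remote_subnet": "192.168.2.0/24",
    "transform": "ESP", "auth": "sha", "enc": "3des", "pfs": "noPfs",
    "tunnel_lifetime": 28800,
}
PORTLAND = dict(SEATTLE, name="Portland", local_id="192.168.3.1",
                remote_address="168.14.1.1",
                local_subnet="192.168.2.0/24", remote_subnet="168.14.5.0/24")

if __name__ == "__main__":
    print("as documented:", check_peers(SEATTLE, PORTLAND) or "no problems")
    # A common mistake: copying the Seattle tunnel page onto Portland instead of mirroring it.
    copied = dict(PORTLAND, local_subnet="168.14.5.0/24", remote_subnet="192.168.2.0/24")
    for problem in check_peers(SEATTLE, copied, nat_session_timeout=10):
        print("-", problem)
```

The "copied" case deliberately triggers two faults at once (selectors not mirrored, and identical LANs on both ends) plus the keep-alive rule, which is what a misconfigured site typically looks like in practice.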


Conclusion
A well-designed VPN can greatly benefit a company. For example, it will:

• Extend geographic connectivity

• Improve security

• Reduce operational costs versus traditional WAN

• Reduce transit time and transportation costs for remote users

• Improve productivity

• Simplify network topology

• Provide global networking opportunities

• Provide telecommuter support

• Provide broadband networking compatibility

• Provide faster ROI (return on investment) than a traditional WAN

The Router’s GUI makes VPN configuration easier than most VPN appliances. However, if you do want
to set up a VPN between a Q-Series Router and another vendor’s VPN appliance, visit the Kentrox
website for more examples.

Also, if you need or prefer to use the CLI instead of the GUI, the commands for the example presented
in this application note appear in the following section.

CLI command summary


Seattle
ipsec set vpn localID ipwan
ipsec set vpn ingressTosAction copy
ipsec set vpn egressTosAction copy
ipsec set vpn dfBitAction copy
ipsec set vpn strictEncryption enable
ipsec set vpn ikeLog enable ikeLogLevel verbose

ipsec add remotePeer Portland1 peerId-address 192.168.3.1 preshareKey fm6520wrt DH5 3des-sha
ipsec set remotePeer Portland1 lifetime 28800
ipsec set remotePeer Portland1 natTraversal enabled
ipsec set remotePeer Portland1 natTraversal keepAliveInterval 10
ipsec set remotePeer Portland1 natTraversal udpChecksum disabled
ipsec set remotePeer Portland1 state enabled
ipsec connect remotePeer Portland1

ipsec remotePeer Portland1 add tunnel SeaPort_1 noPfs-ESP-3des-sha
ipsec remotePeer Portland1 set tunnel SeaPort_1 match 168.14.5.0/24 192.168.2.0/24
ipsec remotePeer Portland1 set tunnel SeaPort_1 lifetime 28800
ipsec remotePeer Portland1 set tunnel SeaPort_1 state enabled
ipsec remotePeer Portland1 connect SeaPort_1

Portland
ipsec set vpn localID ipwan state enable
ipsec set vpn ingressTosAction copy
ipsec set vpn egressTosAction copy
ipsec set vpn dfBitAction copy
ipsec set vpn strictEncryption enable
ipsec set vpn ikeLog enable ikeLogLevel verbose

ipsec add remotePeer Seattle1 peerId-address 168.14.1.1 preshareKey fm6520wrt DH5 3des-sha
ipsec set remotePeer Seattle1 lifetime 28800
ipsec set remotePeer Seattle1 diffie-hellman DH5
ipsec set remotePeer Seattle1 natTraversal enabled
ipsec set remotePeer Seattle1 natTraversal keepAliveInterval 10
ipsec set remotePeer Seattle1 natTraversal udpChecksum disabled
ipsec set remotePeer Seattle1 state enabled
ipsec connect remotePeer Seattle1

ipsec remotePeer Seattle1 add tunnel PortSea_1 noPfs-ESP-3des-sha
ipsec remotePeer Seattle1 set tunnel PortSea_1 match 192.168.2.0/24 168.14.5.0/24
ipsec remotePeer Seattle1 set tunnel PortSea_1 lifetime 28800
ipsec remotePeer Seattle1 set tunnel PortSea_1 state enabled
ipsec remotePeer Seattle1 connect PortSea_1

policy enable acl
policy add acl lan-wan IRC_Traffic 0 outbound deny
policy set acl lan-wan IRC_Traffic match 192.168.10.0/24 ipwan irc
policy set acl lan-wan IRC_Traffic state enable

04-15-002 5/04 Copyright © 2004 by Kentrox, LLC. All Rights Reserved. Kentrox is a registered trademark and Q-Series is a
trademark of Kentrox, LLC. Information published here is current as of the date of publication.

Kentrox, LLC
20010 NW Tanasbourne Drive
Hillsboro, OR 97124
Phone 503-643-1681
Toll Free 800-733-5511
