DOC

VPN Setup for Routers - Getting it to work with an IPSec Client

By Katie James,2014-11-13 17:48
9 views 0
VPN Setup for Routers - Getting it to work with an IPSec Client

    VPN Setup for Routers - Getting it to work with an IPSec Client

     Technical Summary: This article will show how to setup a Broadband Router that has IPSec VPN capabilities for secure remote access to your home network from anywhere on the Internet. Detailed configuration will be shown for multiple brands of routers. The VPN IPSec client will be SSH-Sentinel since it is free for non-commercial use.

     How many times have you been at a friend’s house or at work and said 'Gosh, I wish I could get

    at that file on my hard drive at home'. With a broadband Internet connection and a shiny new 'VPN Router', you can connect to your home network over the Internet from anywhere on the planet SECURELY. This article will show you how.

     Our goal will be to establish an IPSec VPN connection from somewhere on the Internet to your home network. In addition, the remote computer will be able to mount network file shares (and printers too!) located on the home network.

     Possible Uses

    You can connect to your home hard drive:

    ; From work

    ; From a friends house

    ; From your laptop while on the road

    You could also allow your friends and relatives access to your network over the internet. That makes file sharing especially!

     Equipment Needed

     1 Solid Broadband Connection to your home

     (Preferably with a static IP address)

     1 VPN Broadband Router (about $150-$300)

     1 Copy of SSH-Sentinel (free for non-commercial use!)

     Most of the consumer level VPN routers operate just about the same way because they all licensed the same IPSec code. The only differences are the number of simultaneous 'VPN Tunnels' they support and how many different 'VPN Profiles' they support at once. They also have the same performance levels - 500kbps to 700kbps max IPSec throughput.

     A 'VPN Tunnel' is simply an IPSec VPN connection in this case. Each remote computer connecting to your home network is one VPN Tunnel.

     A 'VPN Profile' is a set of parameters that define how your router will connect to other VPN end points. Some routers support multiple profiles making it easy to use for connecting to your work Intranet 'and' using it to dial into from the road.

     Configuration Overview

    In this example, we will be working with two computers and a VPN Router. Throughout the screen shots and the rest of the article, I will refer to the following IP address. Please write them down or print them for reference, it will help you understand the rest of the article.

     Home WAN IP: 24.60.60.100 (from your ISP)

    Home LAN Router IP: 192.168.100.1

    Home LAN IP Network: 192.168.100.0: Subnet 255.255.255.0

    Computer on Home LAN: 192.168.100.2

    Remote (friends) computer on the Internet: 24.60.60.200

     Notes about IP Your Configuration

    It is wise to change the IP Schema of your home network from the default your router configures. This will aid you in connecting multiple networks together - especially two VPN routers of the same brand. Often the IP Schema is 192.168.1.0/255.255.255.0. All you need to do is change the second from the last number (octet) to something higher than 2 and less than 255. In this example, I made my LAN 192.160.100.0/255.255.255.0. This step is not totally necessary but it could save you some routing headaches later.

     It is also wise to convert your computers over to STATIC IP address instead of dynamic IP address. If your computers have dynamic IP address, you will not know what the IP address is of the computer you want to connect to from the road. One day it might be .2 the next day it might be .5. Again this is not necessary, but it will save you headaches later.

     Static IP Schema Example Example

    LAN Computer 1

     IP Address: 192.168.100.51

     subnet: 255.255.255.0

     Gateway: 192.168.100.1 (router address)

     DNS: 192,168.100.1 (router address again)

    LAN Computer 2

     IP Address: 192.168.100.52

     subnet: 255.255.255.0

     Gateway: 192.168.100.1 (router address)

     DNS: 192,168.100.1 (router address again)

    etc...

    VPN Router Tutorial - Getting it to work with an IPSec Client

     Part 4: Routing Traffic across the VPN

     We are ALOMST finished with the

    configutation process. The last thing we need

    to do is tell the client computer to route the correct traffic through the VPN Connection.

     IP Schema Review

    Home WAN IP: 24.60.60.100 (from your ISP)

    Home LAN Router IP: 192.168.100.1

    Home LAN IP Network: 192.168.100.0: Subnet 255.255.255.0

    Computer on Home LAN: 192.168.100.2

    Remote (friends) computer on the Internet: 24.60.60.200

     Lets Get To it

    Version 1.3 users will need to activate the VPN connection by right clicking the SSH Sentinel taskbar icon, sleecting Select VPN and then selecting the VPN connection you created. 1.3 users will get an error message if the connection fails.

     Version 1.2 users will activate the VPN network with a PING once we set up the routing.

     Routing

    From a command prompt (dos shell) type (with a home LAN computer IP address) PING 192.168.100.2

    You should see 'Desitination unreachable' message

     This is because the REMOTE computer does not know how to get to the private network: 192.168.100.0. Type ROUTE PRINT to see the current routing table.

     To add the home network to the routing table type in the following

    route add 192.168.100.0 mask 255.255.255.0 24.60.60.100

    The first number is the home lan network IP schema, the second is the network mask, and the third number is the Internet WAN IP address of the VPN router. This route will go away after the computer is rebooted and will need to be typed in again.

     Under Windows 2000 and XP, a parameter can be added that will make the route permanent. route -p add 192.168.100.0 mask 255.255.255.0 24.60.60.100

     I suggest putting this command in a BATCH file so it is easly accessible.

     Testing the connection

    From a command prompt (dos shell) type (with a home LAN computer IP address) PING 192.168.100.2

     For version 1.2 users, it mght take a couple of tries to get this command to work. When this PING is first run, the VPN connection is established. This can take up to 60 seconds or so.

     If you get a response, your VPN works!!!

     Mounting a network Drive across the VPN

     Our next set is to mount a shared network drive across the VPN. From the remote computer's file explorer, select "mount network drive' from the menu.

     Next type in the home LAN computer address and the name of the share this way. In this case, the computer I want to reach is at 192.168.10.2 and the share name I set up was 'c'

     Your VPN is now running!

    VPN Router Tutorial - Getting it to work with an IPSec Client

     Part 2a: Linksys BEFVP41 VPN Router Config

     From the VPN Screen of your Linksys BEFVP41 router, configure a VPN tunnel as shown in the picture below. You can name this tunnel anything you want - the name will not appear anywhere else - it is unimportant.

     Be sure to set the Local Secure Group to the LAN network as show. This will give the IPSec tunnel access to all of your LAN computers.

     The Pre-Shared key is VERY important. This key is the 'password' for your whole network. It will be given to anyone that needs VPN connectivity. A single word from the dictionary should never be used since hackers use dictionaries to break in. The key should be at least 8 characters long. The key shown (1234) is a VERY BAD key. I am using it only for diagnostics.

Down by the View Log button, there is a 'more' link. Press it and make sure it looks like the

picture below.

     Your router is now ready to receive incoming VPN Connections! The picture below shows a Linksys LOG of a successful incoming VPN connection. Please note: you will not be able to see a log like this till you try connecting.

     VPN Router Tutorial - Getting it to work with an IPSec Client

     Part 3a: IPSec Client Config: SSH Sentinel v1.2

    Click here if you are using v1.3

IPSec Client Software

    SSH Sentinel is my IPSec client of choice - primarily because it is free for non-commercial use. This beats the heck out of paying $150 per license for some of the other clients out there. SSH Sentinel however is not the most intuitive client on the market. Come to think of it, all IPSec client software programs are a little hard to set up for beginners.

     Version 1.2 or 1.3?

    When this tutorial was written, SSH Sentinel 1.3 was in BETA. I had a few problems with it retaining its settings so this tutorial was written with version 1.2. If you have version 1.3, click here

    for v1.3 instructions .

     Click here to download SSH Sentinel

     Where does it go?

    SSH Sentinel should be loaded on the REMOTE computers - the computers on the Internet that you want to have access to your LAN. SSH Sentinel is a free download for non-commercial use and can be found here.

     The Install

     When you see the following screen, select 'administrator email' and type in your email address

     Next, select 'self-signed certificate'

     Key Configuration

    Once installed, you will need to enter the 'POLICY EDITOR'. It can be reached from the start menu or by right clicking the blue SSH Sentinel icon in your task bar.

     From the SSH Sentinel Policy Editor, Select the Key Management tab and add a new key.

     Select create a preshared key when you see 'Mr. Buff'

     Create a name for the key and type in the exact key you typed into your router. Again, this key should be at least 8 characters long and should not be a single word from a dictionary

     You have now created a shared key. Now to create the VPN Connection.

     VPN Tunnel Config

     Now, from the Security Policy screen, add a new VPN Connecion. Note: The picture below shows one that was already added. You should only have the add button. The folder layout will look a little different in v 1.2 but that's ok.

     Type in the VPN Routers WAN address. You will need to click the 'IP' button to the right if you are typing a static IP address. Next, select the shared authentication key you just created and check the 'use legacy proposal' button. Last, type in the IP schema of the LAN network that is BEHIND the VPN router. and click OK.

These are the PROPERTIES of the new VPN connection we created. Be sure yours looks like

this.

Report this document

For any questions or suggestions please email
cust-service@docsford.com