Example of a working VPN between a client laptop and a domain network


Client used:
ZyWall IPSec VPN Client version 2.4.204.61.003
Security appliance used:
Zyxel 35 firewall

On the client side:

Client Configuration Phase 1 settings:

Name: ANYNAME
Interface ANY
Remote Gateway: 99.99.99.99 (use the external IP address of the gateway device, firewall or router)
Pre-shared Key: abcd1234
IKE section
Encryption DES
Authentication: MD5
Key Group: DH2
Click on Advanced Settings
In the Local and Remote ID section select:
Local ID: EMAIL
set the value for the ID as: 123@yahoo.com (or your email address if you prefer)
Remote ID: EMAIL
set the value for the ID as: 123@yahoo.com (or your email address if you prefer)

PHASE 2 (IPSec Configuration)
Name: ANYNAME TUNNEL
VPN Client Address: automatically entered by the software (always the IP address of the client machine)
Address Type: SUBNET ADDRESS
Remote LAN address: 192.168.1.0
Subnet Mask: 255.255.255.0
(here you enter the network IP of your network, so it could be 10.0.1.0 255.255.255.0, or 172.16.1.0 – 255.255.255.0, or any other subnet you are using; NOTE: the last octet of the network is ALWAYS 0 to define the subnet, not 1)

ESP section:
Encryption DES
Authentication: MD5
Mode: Tunnel
PFS check box: UNCHECKED
Save and apply the changes

On the Gateway side (Your firewall Zyxel 35 or router)

Gateway Policy Settings:

Property Section:

Name: ANYNAME
Gateway Policy Information section
My address: 99.99.99.99 (this is the external IP address of your security appliance – firewall or router)
Primary remote gateway: 0.0.0.0

Authentication Key Section

Pre-Shared Key: abcd1234 (make sure this key matches the key used in the client)
Local ID type: E-MAIL
content: 123@yahoo.com
Peer ID Type: E-MAIL
content: 123@yahoo.com

Extended Authentication section

Enable Extended authentication box: UNCHECKED
Client mode radio button is selected by default; leave the username and password fields blank

IKE Proposal section

Negotiation mode: Main
Encryption Algorithm: DES
Authentication Algorithm: MD5
SA Life Time 28800
Key Group: DH2
click Apply to save the new gateway rule

NETWORK Policy settings:

Property Section:

Active check box: CHECKED
NAME: ANYNAME
Protocol: 0
All 3 checkboxes unchecked (nailed-up, allow netbios, and check ipsec)
Gateway Policy Information
autofilled (normally the same name as the gateway policy name)

Local Network section:

Address type: SUBNET ADDRESS
Starting IP Address: 192.168.1.0
Ending IP Address / Subnet Mask: 255.255.255.0
Local Port: Start: 0 End: 0
Remote Network
Address Type: SINGLE ADDRESS
Starting 0.0.0.0
Ending (dimmed field)
Remote Port: Start: 0 End: 0

IPSec Proposal Section

Encapsulation Mode: TUNNEL
Active Protocol: ESP
Encryption Algorithm: DES
Authentication Algorithm: MD5
SA Life Time (Seconds) 28800
Perfect Forward Secrecy (PFS) NONE
Enable Replay Detection box: UNCHECKED
Enable Multiple Proposals box: UNCHECKED

On the Client side, go to the Phase 2 GUI screen and click on OPEN TUNNEL; the tunnel should open without errors.

If you try to connect the tunnel from the Zyxel 35 GUI screen by clicking on the CONNECT button (arrow pointing up) and you get the error message “Cannot Dial a Dynamic Rule”, DON’T worry. The firewall is trying to tell you that you cannot establish a VPN connection to a dynamic IP because the firewall DOES NOT KNOW what the IP of the client really is; that is WHY you need to establish the connection from the client side (the client ALWAYS knows what its own IP is)!

Keep in mind the following private address ranges:
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
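As an added example (not part of the original post or the Zyxel software), here is a small Python check that compares the client-side and gateway-side settings from this walkthrough the way you would before clicking OPEN TUNNEL: the pre-shared key and proposals must match, the IDs cross over between the two sides, and the Remote LAN must be a true network address (the last-octet-0 note above) inside one of the private ranges just listed. The dictionaries and their field names are constructed for this example.

```python
import ipaddress

# Constructed sample settings transcribed from the two sides of the walkthrough.
# The key is the post's example value, not a real secret.
CLIENT = {
    "psk": "abcd1234", "local_id": "123@yahoo.com", "remote_id": "123@yahoo.com",
    "ike_enc": "DES", "ike_auth": "MD5", "dh_group": "DH2",
    "esp_enc": "DES", "esp_auth": "MD5", "mode": "TUNNEL", "pfs": "NONE",
    "remote_lan": "192.168.1.0", "remote_mask": "255.255.255.0",
}
GATEWAY = {
    "psk": "abcd1234", "local_id": "123@yahoo.com", "peer_id": "123@yahoo.com",
    "ike_enc": "DES", "ike_auth": "MD5", "dh_group": "DH2",
    "esp_enc": "DES", "esp_auth": "MD5", "mode": "TUNNEL", "pfs": "NONE",
    "local_net": "192.168.1.0", "local_mask": "255.255.255.0",
}

# The three private ranges listed at the end of the post
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_pair(client, gateway):
    """Return a list of mismatches between the client and gateway settings (empty if consistent)."""
    problems = []
    # The pre-shared key is case-sensitive and must be identical on both ends
    if client["psk"] != gateway["psk"]:
        problems.append("pre-shared key mismatch")
    # Phase 1 and Phase 2 proposals must agree (GUI labels differ in case, so compare upper-cased)
    for key in ("ike_enc", "ike_auth", "dh_group", "esp_enc", "esp_auth", "mode", "pfs"):
        if client[key].upper() != gateway[key].upper():
            problems.append(f"{key} mismatch: client={client[key]!r} gateway={gateway[key]!r}")
    # The IDs cross over: the client's Remote ID is the gateway's Local ID, and vice versa
    if client["remote_id"].lower() != gateway["local_id"].lower():
        problems.append("client Remote ID does not match gateway Local ID")
    if client["local_id"].lower() != gateway["peer_id"].lower():
        problems.append("client Local ID does not match gateway Peer ID")
    # Remote LAN must be a network address: strict=True rejects host bits (e.g. .1 with a /24 mask)
    try:
        remote = ipaddress.ip_network(f"{client['remote_lan']}/{client['remote_mask']}", strict=True)
    except ValueError:
        problems.append(f"{client['remote_lan']} is a host address, not a network address")
        return problems
    # It must also be the gateway's Local Network and fall inside one of the private ranges
    if remote != ipaddress.ip_network(f"{gateway['local_net']}/{gateway['local_mask']}", strict=False):
        problems.append("client Remote LAN differs from gateway Local Network")
    if not any(remote.subnet_of(p) for p in PRIVATE):
        problems.append(f"{remote} is not within a private address range")
    return problems
```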
