Configuration of a VPN-IPSec tunnel between the Bintec Secure IPSec Client and the Bintec X2302 with Preshared Keys
This FAQ describes the VPN IPSec configuration of a Bintec X2302 (revision 7.1.15 patch 4) in combination with the Bintec Secure IPSec Client (version 1.11 Build 90).


1. Conditions
  • The internet access at the Bintec X2302 is already working.
  • The router has to be online so that it can be reached via its official IP address or its DynDNS name.
  • The local network of the router has been configured as 192.168.10.0 with netmask 255.255.255.0. The router IP address is 192.168.10.1.

2. IPSec configuration of the router
The configuration is done in the Setup Tool. When you open the IPSec menu for the first time, the IPSec Wizard starts and leads you through some automatic configuration steps. The wizard must be run when configuring the first peer.

X2302 Setup Tool                                    Bintec Access Networks GmbH
[IPSEC]: IPsec Configuration - Main Menu                                  x2302
_______________________________________________________________________________

 

          There are still some prerequisite configuration steps to do.
          Do you want to use the wizard?

                              Yes                 No

 
_______________________________________________________________________________
After starting the wizard, confirm the authentication method "current: PSK" (Pre Shared Keys).

X2302 Setup Tool                                    Bintec Access Networks GmbH
[IPSEC][WIZARD]: IPsec Configuration - Wizard Menu                        x2302
_______________________________________________________________________________

   IPsec 1st step configurations wizard

   Configuration History:
      - for ESP:  NULL Rijndael Twofish Blowfish CAST DES DES3               ^
                   MD5 SHA1 NOMAC                                            |
      - for AH:   SHA1 MD5                                                   |
   + Check default IKE profile ...                                           |
     already configured                                                      |
   + Check default IPSec profile ...                                         |
     already configured (default settings)                                   |
   + Check IPSEC Default Authentication Method ...                           |
     Currently set to "Pre Shared Keys"                                      =

   Use which Default IPSEC Authentication Method ?     current: PSK          
                                                       (<Space>  to choose)
                                                       (<Return> to select)
                                      Exit
_______________________________________________________________________________
In the next step the wizard asks for the Local ID of this router. Enter, for example, the official IP address or the DynDNS name of the router. Continue with the option "Configure Peer".

The following parameters have to be configured:

Description = name of the VPN connection
Peer IDs = ID of the remote site (e.g. email address of the user)
Pre Shared Key = shared secret that authenticates the two tunnel endpoints
Virtual Interface: yes  (to generate a route or an interface for this tunnel)

X2302 Setup Tool                                    Bintec Access Networks GmbH
[WIZARD][PEER]: IPsec Wizard - Configure Peer                             x2302
_______________________________________________________________________________


     Description:       VPN-Client                                  
     Admin Status:      up        Oper Status:   dormant

     Peer Address:                                                  
     Peer IDs:          benutzer@domain.de                          
     Pre Shared Key:    *************


     Virtual Interface: yes


                          SAVE                          CANCEL
_______________________________________________________________________________
After saving, proceed with the option "Configure Virtual Interface" to configure the routing. In the menu "Basic IP-Settings" the IP addresses of the router and of the IPSec Client are configured.

Local IP Address = local IP address of the router
Remote IP Address = IP address of the IPSec Client

X2302 Setup Tool                                    Bintec Access Networks GmbH
[WIZARD][PEER][PEER][IP][BASIC]: IP-Settings (VPN-Client)                 x2302
_______________________________________________________________________________


  IP Transit Network                    no                 


  Local IP Address                      192.168.10.1

  Default Route                         no                 

  Remote IP Address                     100.100.100.100  
  Remote Netmask                        255.255.255.255    


                    SAVE                               CANCEL
_______________________________________________________________________________
Once the IPSec Wizard has finished, the Phase 1 (IKE) and Phase 2 (IPSec) parameters for the IPSec tunnel have to be configured.

X2302 Setup Tool                                    Bintec Access Networks GmbH
[IPSEC]: IPsec Configuration - Main Menu                                  x2302
_______________________________________________________________________________

  Enable IPSec     : yes

  Pre IPSec Rules >
  Configure Peers >
  Post IPSec Rules >

  IKE (Phase 1) Defaults   *autogenerated*        edit >
  IPsec (Phase 2) Defaults *autogenerated*        edit >
  Certificate and Key Management >

  Advanced Settings >
  Wizard >

  Monitoring >

                         SAVE                          CANCEL
_______________________________________________________________________________
To do so, adjust the "*autogenerated*" profiles for the IKE and the IPSec phase in the submenu "edit" according to the following specifications.

IKE-Phase 1 settings:

X2302 Setup Tool                                    Bintec Access Networks GmbH
[EDIT]                                                                    x2302
_______________________________________________________________________________

   Description (Idx 1) :    settings-phase1          
   Proposal              :  19 (Rijndael/MD5)        
   Lifetime              :  use default              
   Group                 :  2 (1024 bit MODP)        
   Authentication Method :  Pre Shared Keys          
   Mode                  :  aggressive               
   Heartbeats            :  none                     
   Block Time            :  30  
   Local ID              :  localid                  
   Local Certificate     :  none                     
   CA Certificates       :                           
   Nat-Traversal         :  enabled

   View Proposals >
   Edit Lifetimes >

                         SAVE                          CANCEL
_______________________________________________________________________________
IPSec-Phase 2 settings:

X2302 Setup Tool                                    Bintec Access Networks GmbH
[EDIT]                                                                    x2302
_______________________________________________________________________________

   Description (Idx 1) :    settings-phase2          

   Proposal              :  23 (ESP(Rijndael/MD5))   
   Lifetime              :  use default              
   Use PFS               :  group 2 (1024 bit MODP)
   Heartbeats            :  none
   Propagate PMTU        :  yes

   View Proposals >
   Edit Lifetimes >

                         SAVE                          CANCEL
_______________________________________________________________________________
3. Configuration of the Bintec Secure IPSec Client
After the installation you can start the Bintec Secure IPSec Client via Start -> Programs -> Bintec Secure IPSec Client -> "Secure Client Monitor". Each IPSec tunnel to a remote site, such as this connection to the X2302, is created and configured as a "Profile".

To configure a new VPN IPSec tunnel, choose the button "New Entry" in Configuration -> Profile Settings -> Configure, "Link to Corporate Network using IPSec". Enter a name for the profile, e.g. "Central X2302", and choose the medium for this connection (e.g. "xDSL (PPPoE)").


Depending on the connection type you may be asked to enter your internet account data (username, password or dial-in number, depending on the medium). The Bintec Secure IPSec Client then controls the internet connection itself according to the status of the corresponding IPSec tunnel.


In the window "VPN gateway parameters" the static official IP address or the DynDNS name of the remote site has to be entered (e.g. gateway.dyndns.org).


The next window contains some basic IPSec settings. Choose "Aggressive Mode" as the "Exchange Mode", because both the Bintec X2302 router and the Bintec Secure IPSec Client have dynamic IP addresses assigned by the provider.

In our example the "PFS group" is set to "DH-Group 2 (1024 Bit)". We do not use the option "Use IP compression".


For the next step you have to enter the Pre Shared Key twice. It has to match the Pre Shared Key of the peer on the router (e.g. supersecretgeheimkey).

We recommend using the option "Fully Qualified Username" in the field "Type".

   Type                          ID
   Fully Qualified Username      Email address
   Fully Qualified Domain Name   Domain name
   IP Address                    IP address

The "ID" must match the "Peer ID" of the IPSec peer in the router (benutzer@domain.de).


"Manual IP address" should be chosen for the option "IP address assignment". The address must match the "Remote IP Address" of the IPSec peer in the router; in this example it is 100.100.100.100. Set the netmask to 255.255.255.0. Do not use an address from the router's local network (192.168.10.0/24).

If you do not enter explicit IP addresses for the DNS and WINS servers, the client uses the settings of the internet interface.


In the last step, the firewall of the Bintec Secure IPSec Client is configured. If the client is directly connected to the internet, the firewall should be activated. With the firewall activated you can define whether traffic outside the IPSec tunnel is permitted or not.


For a successful IPSec connection, the Phase 1 (IKE) and Phase 2 (IPSec) parameters have to match on both sides. On the client side this is done in the menu Configuration -> Profile Settings -> Configure IPSec General Settings -> Policy Editor. Add a new entry with the following settings for the IKE and IPSec policy. Afterwards, the policies for IKE (settings-phase1) and IPSec (settings-phase2) have to be selected in the profile.



By default, the client would now send all packets into the tunnel. To avoid this, enter the actual private network of the head office (192.168.10.0/24) in Configuration -> Profile Settings -> Configure -> Remote Networks.
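As an added cross-check that is not part of this FAQ: the matching rules of sections 2 and 3 (ID type and value, Pre Shared Key, Phase 1 and Phase 2 policies, client address, Remote Networks) encoded as a small Python pre-flight test. The two dictionaries hold the values shown on this page; the key names and the check function are my own.

```python
import ipaddress

# The client's "Type" field decides which ID format the router will see (table in section 3).
ID_FORMAT = {
    "Fully Qualified Username": lambda v: "@" in v and "." in v.rsplit("@", 1)[1],
    "Fully Qualified Domain Name": lambda v: "@" not in v and "." in v,
    "IP Address": lambda v: v.count(".") == 3 and all(p.isdigit() and int(p) < 256 for p in v.split(".")),
}

# Router side, taken from the screens in section 2 (the PSK is the page's example value).
ROUTER = {
    "peer_id": "benutzer@domain.de", "psk": "supersecretgeheimkey",
    "local_net": "192.168.10.0/24", "remote_ip": "100.100.100.100",
    "phase1": {"mode": "aggressive", "proposal": "Rijndael/MD5", "group": 2, "nat_t": True},
    "phase2": {"proposal": "ESP(Rijndael/MD5)", "pfs_group": 2},
}
# Client profile, taken from section 3.
CLIENT = {
    "id_type": "Fully Qualified Username", "id": "benutzer@domain.de",
    "psk": "supersecretgeheimkey", "assigned_ip": "100.100.100.100",
    "phase1": {"mode": "aggressive", "proposal": "Rijndael/MD5", "group": 2, "nat_t": True},
    "phase2": {"proposal": "ESP(Rijndael/MD5)", "pfs_group": 2},
    "remote_networks": ["192.168.10.0/24"],
}

def check_profiles(router, client):
    """List every mismatch that would keep the tunnel from coming up or from routing the LAN."""
    problems = []
    if not ID_FORMAT[client["id_type"]](client["id"]):
        problems.append(f'ID {client["id"]!r} is not a valid {client["id_type"]}')
    if client["id"] != router["peer_id"]:
        problems.append("client ID differs from the router's Peer ID")
    if client["psk"] != router["psk"]:
        problems.append("pre-shared keys differ")
    for phase in ("phase1", "phase2"):  # both policies must be identical on both ends
        for key, value in router[phase].items():
            if client[phase].get(key) != value:
                problems.append(f"{phase} {key}: router {value!r}, client {client[phase].get(key)!r}")
    lan = ipaddress.ip_network(router["local_net"])
    client_ip = ipaddress.ip_address(client["assigned_ip"])
    if client_ip != ipaddress.ip_address(router["remote_ip"]):
        problems.append("client address differs from the router's Remote IP Address")
    if client_ip in lan:
        problems.append("client address must not be taken from the router's local network")
    if not any(lan.subnet_of(ipaddress.ip_network(n)) for n in client["remote_networks"]):
        problems.append("Remote Networks on the client do not cover the head office LAN")
    return problems
```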


4. Messages during dial-up
Debug messages of the router:

x2302:> debug all&
03:39:23 DEBUG/IPSEC: P1: peer 0 () sa 5 (R): new ip 84.149.198.151 <- ip 212.14.95.34
03:39:23 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 212.14.95.34:58363 (No Id) is 'da8e937880010000'
03:39:23 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 212.14.95.34:58363 (No Id) is 'draft-ietf-ipsra-isakmp-xauth-06'
03:39:23 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 212.14.95.34:58363 (No Id) is 'draft-ietf-ipsec-nat-t-ike-03'
03:39:23 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 212.14.95.34:58363 (No Id) is 'draft-ietf-ipsec-nat-t-ike-02'
03:39:23 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 212.14.95.34:58363 (No Id) is 'draft-ietf-ipsec-nat-t-ike-00'
03:39:23 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 212.14.95.34:58363 (No Id) is '4a131c81070358455c5728f20e95452f'
03:39:23 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 212.14.95.34:58363 (No Id) is 'draft-ietf-ipsec-dpd-00.txt'
03:39:23 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 212.14.95.34:58363 (No Id) is 'cb1ed48b6d68269bb411b61a07bce24a'
03:39:23 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 212.14.95.34:58363 (No Id) is '12f5f28c457168a9702d9fe274cc0100'
03:39:23 DEBUG/IPSEC: P1: peer 1 (VPN-Client) sa 5 (R): identified ip 84.149.198.151 <- ip 212.14.95.34
03:39:24 DEBUG/IPSEC: P1: peer 1 (VPN-Client) sa 5 (R): notify id fqdn(any:0,[0..6]=localid) <- id usr@fqdn(any:0,[0..17]=benutzer@domain.de): Initial contact notification proto 1 spi(16) = [e53b1e90 88378399 : 4b9be543 a7774c4a]
03:39:24 DEBUG/IPSEC: P1: peer 1 (VPN-Client) sa 5 (R): [Aggr] NAT-T: port change: local: 84.149.198.151:500->84.149.198.151:4500, remote: 212.14.95.34:58363->212.14.95.34:58380
03:39:24 INFO/IPSEC: P1: peer 1 (VPN-Client) sa 5 (R): done id fqdn(any:0,[0..6]=localid) <- id usr@fqdn(any:0,[0..17]=benutzer@domain.de) AG[e53b1e90 88378399 : 4b9be543 a7774c4a]
03:39:24 INFO/IPSEC: P1: peer 1 (VPN-Client) sa 4 (R): delete ip 84.149.198.151 <- ip 212.14.95.34: Initial Contact
03:39:24 INFO/IPSEC: P2: peer 1 (VPN-Client) traf 0 bundle 3 (R): created 192.168.10.0/24:0 < any > 100.100.100.100/32:0 rekeyed 0
03:39:24 DEBUG/IPSEC: P2: peer 1 (VPN-Client) traf 0 bundle 3 (R): SA 5 established ESP[50cda695] in[0] Mode tunnel enc rijndael-cbc(16) auth md5(16)
03:39:24 DEBUG/IPSEC: P2: peer 1 (VPN-Client) traf 0 bundle 3 (R): SA 6 established ESP[06ce6dbc] out[0] Mode tunnel enc rijndael-cbc(16) auth md5(16)
03:39:24 INFO/IPSEC: Activate Bundle 3 (Peer 1 Traffic -1)
03:39:24 INFO/IPSEC: P2: peer 1 (VPN-Client) traf 0 bundle 3 (R): established  (84.149.198.151<->212.14.95.34) with 2 SAs life 28800 Sec/0 Kb rekey 25920 Sec/0 Kb Hb none


Debug messages of the IPSec client:

12.05.2005 13:06:34  IPSDIALCHAN::start building connection
12.05.2005 13:06:34  IPSDIAL::DNSREQ: resolving dnserver over lan: gateway.dyndns.org
12.05.2005 13:06:34  IPSDIAL->DNSREQ: resolved ipadr: 084.149.198.151
12.05.2005 13:06:34  NCPIKE-phase1:name(Bintec X2302) - outgoing connect request - aggressive mode.
12.05.2005 13:06:34  XMIT_MSG1_AGGRESSIVE - Bintec X2302
12.05.2005 13:06:35  RECV_MSG2_AGGRESSIVE - Bintec X2302
12.05.2005 13:06:35  IKE phase I: Setting LifeTime to 28800 seconds
12.05.2005 13:06:35  Bintec X2302 ->Support for NAT-T version - 3
12.05.2005 13:06:35  Turning on NATD mode - Bintec X2302 - 1
12.05.2005 13:06:35  IPSDIAL->FINAL_TUNNEL_ENDPOINT:084.149.198.151
12.05.2005 13:06:35  XMIT_MSG3_AGGRESSIVE - Bintec X2302
12.05.2005 13:06:35  NCPIKE-phase1:name(Bintec X2302) - connected
12.05.2005 13:06:35  XMIT_MSG1_QUICK - Bintec X2302
12.05.2005 13:06:35  RECV_MSG2_QUICK - Bintec X2302
12.05.2005 13:06:35  XMIT_MSG3_QUICK - Bintec X2302
12.05.2005 13:06:35  NCPIKE-phase2:name(Bintec X2302) - connected
12.05.2005 13:06:35  IPSDIAL  - verbunden mit Bintec X2302 auf Kanal 1.
12.05.2005 13:06:35  IPCP  - verbunden mit Bintec X2302 mit IP Adresse: 100.100.100.100. : 100.100.100.101.
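As an added example that is not part of this FAQ: a Python parser that reduces the router's debug output above to the negotiated tunnel parameters and compares them with the peer and the settings-phase1/settings-phase2 profiles from section 2. The regular expressions are written only against the message formats visible in this log; reading the "AG[...]" tag as aggressive mode follows the "[Aggr]" marker on the NAT-T line and is my assumption.

```python
import re

# Router debug output, copied from the dial-up log shown in section 4 of this page.
ROUTER_LOG = """\
03:39:24 DEBUG/IPSEC: P1: peer 1 (VPN-Client) sa 5 (R): [Aggr] NAT-T: port change: local: 84.149.198.151:500->84.149.198.151:4500, remote: 212.14.95.34:58363->212.14.95.34:58380
03:39:24 INFO/IPSEC: P1: peer 1 (VPN-Client) sa 5 (R): done id fqdn(any:0,[0..6]=localid) <- id usr@fqdn(any:0,[0..17]=benutzer@domain.de) AG[e53b1e90 88378399 : 4b9be543 a7774c4a]
03:39:24 INFO/IPSEC: P2: peer 1 (VPN-Client) traf 0 bundle 3 (R): created 192.168.10.0/24:0 < any > 100.100.100.100/32:0 rekeyed 0
03:39:24 DEBUG/IPSEC: P2: peer 1 (VPN-Client) traf 0 bundle 3 (R): SA 5 established ESP[50cda695] in[0] Mode tunnel enc rijndael-cbc(16) auth md5(16)
03:39:24 DEBUG/IPSEC: P2: peer 1 (VPN-Client) traf 0 bundle 3 (R): SA 6 established ESP[06ce6dbc] out[0] Mode tunnel enc rijndael-cbc(16) auth md5(16)
03:39:24 INFO/IPSEC: P2: peer 1 (VPN-Client) traf 0 bundle 3 (R): established  (84.149.198.151<->212.14.95.34) with 2 SAs life 28800 Sec/0 Kb rekey 25920 Sec/0 Kb Hb none
"""

P1_DONE = re.compile(r"P1: peer \d+ \((?P<peer>[^)]*)\).*: done id \w+\([^=]*=(?P<local_id>[^)]*)\)"
                     r" <- id [\w@]+\([^=]*=(?P<remote_id>[^)]*)\) (?P<mode>\w\w)\[")
NAT_T = re.compile(r"NAT-T: port change: local: [\d.]+:\d+->[\d.]+:(?P<port>\d+)")
SELECTOR = re.compile(r"created (?P<local_net>[\d./]+):\d+ < \w+ > (?P<remote_net>[\d./]+):\d+")
CHILD_SA = re.compile(r"SA (?P<sa>\d+) established ESP\[(?P<spi>[0-9a-f]+)\] (?P<dir>in|out)\[\d+\]"
                      r" Mode (?P<mode>\w+) enc (?P<enc>[\w-]+)\(\d+\) auth (?P<auth>\w+)\(\d+\)")
BUNDLE = re.compile(r"established\s+\((?P<gw>[\d.]+)<->(?P<client>[\d.]+)\) with (?P<count>\d+) SAs"
                    r" life (?P<life>\d+) Sec/\d+ Kb rekey (?P<rekey>\d+) Sec")

def parse_router_log(text):
    """Reduce the debug stream to one dict describing the negotiated tunnel."""
    info = {"nat_t": False, "child_sas": []}
    for line in text.splitlines():
        if m := P1_DONE.search(line):
            info.update(peer=m["peer"], local_id=m["local_id"], remote_id=m["remote_id"],
                        exchange="aggressive" if m["mode"] == "AG" else m["mode"])  # assumption, see [Aggr]
        elif m := NAT_T.search(line):
            info["nat_t"] = m["port"] == "4500"  # IKE moved to UDP 4500: NAT-T encapsulation in use
        elif m := SELECTOR.search(line):
            info.update(local_net=m["local_net"], remote_net=m["remote_net"])
        elif m := CHILD_SA.search(line):
            info["child_sas"].append({k: m[k] for k in ("sa", "spi", "dir", "mode", "enc", "auth")})
        elif m := BUNDLE.search(line):
            info.update(gateway=m["gw"], client=m["client"], sa_count=int(m["count"]),
                        life_sec=int(m["life"]), rekey_sec=int(m["rekey"]))
    return info
# What the peer "VPN-Client" with settings-phase1/settings-phase2 from this page should negotiate.
EXPECTED = {"peer": "VPN-Client", "local_id": "localid", "remote_id": "benutzer@domain.de",
            "exchange": "aggressive", "nat_t": True, "local_net": "192.168.10.0/24",
            "remote_net": "100.100.100.100/32", "sa_count": 2}
def check_tunnel(info, expected=EXPECTED):
    """Return the deviations between the log and the expected profile (empty list = as configured)."""
    problems = [f"{k}: got {info.get(k)!r}, expected {v!r}" for k, v in expected.items() if info.get(k) != v]
    for sa in info["child_sas"]:  # every child SA must use the phase-2 proposal ESP(Rijndael/MD5)
        if (sa["mode"], sa["enc"], sa["auth"]) != ("tunnel", "rijndael-cbc", "md5"):
            problems.append(f"SA {sa['sa']} ({sa['dir']}): unexpected {sa['mode']}/{sa['enc']}/{sa['auth']}")
    return problems
```

A non-empty result, for example an unexpected authentication algorithm on a child SA, means the client's Policy Editor entry does not match settings-phase2 on the router.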


© 2013 bintec elmeg GmbH