This Tech Tip is mostly obsolete: we've since written a replacement Tech Tip that shows the superior IKE/shared secrets method of configuration, and it replaces the manual key method described here. But we'll leave this one here for posterity.
This tech note reflects our experience creating an IPSec VPN between a Netopia R9100 router and the Sonicwall Pro (and Pro-VX) internet firewall appliance. We hope it will save you the time that we have put in on this.
• Tech Tip: Dynamic Netopia-to-Sonicwall IPSec VPN with IKE
We have long used Netopia and Sonicwall products at our own and at customer networks, and as such have learned them moderately well.
Netopia R9100 Ethernet-to-Ethernet Router - This is a low-cost unit (around $400 street price) that has an Ethernet port on one side and an eight-port hub on the other side. There are quite a few units in the R series, but this one is our preference because the Ethernet port on the 'outside' provides more flexibility than those with (say) DSL interfaces.
They support IPSec and a great deal more flexibility in configuring the finer points of NAT, and we have used them as VPN boxes as well as on DSL and cable modem circuits. Though these are more expensive than cheaper units from (say) Linksys, we have found Netopia support to be so good that we're more than willing to pay for a product with real engineering behind it.
Vendor product information can be found here.
Sonicwall Pro Security Appliance - These are mid-range firewalls that perform stateful inspection and have a very good web-based configuration system. In addition to the obvious 'inside' and 'outside' Ethernet ports, there is a third 'DMZ' port that is used for parking public web and mail servers in a way that minimizes the exposure should one of them be compromised. These units support IPSec VPNs and come with varying numbers of supported clients. They recently introduced failover support, where a pair of Sonicwalls can work in parallel, with a backup unit taking over should the primary fail. A customer has done this and it seems to work pretty well.
The Sonicwall Pro-VX is a high-performance version of the Pro, and it has a street price of around $3500. Vendor product information can be found here.
All configurations are with the Netopia R9100 (with 4.8.2 firmware) on a home DSL circuit making outbound connections to Sonicwall units (w/ 6.0.0 firmware) at customer locations. We know this also works with Netopia 4.8.3 firmware, and suspect it works with pretty much any R-series router. At no time does the Sonicwall initiate a connection to the Netopia.
Our main configuration uses NAT through the IPSec tunnel, so that we can reach the customer's systems easily but reverse traffic is not allowed. We have lots of customers and cannot permit intermixing of their packets. Sorry. Running NAT also simplifies the remote routing because responses back to the Netopia side need only know about a single IP address.
We must be clear that these instructions all assume that both routers are already working correctly in their 'normal' firewall modes, and that these instructions are only for the VPN setup. We don't care to describe out-of-the-box configuration. We also presume that you know about networks in general.
There are three IP addresses or networks involved in a VPN, and we'll describe our examples here.
- Target Network
- This is the full network that we're ultimately trying to get to, and it's usually a private address range such as 10.x.x.x. The remote network is behind the Sonicwall on the other end, and we cannot ever get to this network directly. We wish to be on this network as if we were directly attached, and for our example we will use 10.1.0.0/16. This is a class B-sized block with 64k hosts.
- Gateway Address
- This is the 'public' IP address of the IPSec interface, and it's the address of the Sonicwall itself. We don't really have very many good ideas for an example, so for no good reason we'll pick 22.214.171.124.
- Local Network
- This is the IP address of the local workstation that is behind the R9100. A reasonable custom for networks behind a Netopia is to also use one of the private addresses, so for our example we will use 192.168.1.0/24, with the Netopia's inside address being 192.168.1.1.
Create a new connection profile for this VPN tunnel. Select 'WAN Configuration', then 'Add Connection Profile', and you'll be given a screen that looks like this. Our changes are shown in bold with commentary in italics.
The Data Link Options item brings up the next screen, which allows for entering of the encryption and authorization keys. It appears that Netopia only supports manual keying mode, not the shared secret mode that's also supported by the Sonicwall and others. This seems really inconvenient, though we've not done it any other way to have firsthand experience with it.
Note: Only Netopia units with the optional VPN accelerator card will show 3DES as an option, but we don't have one of those yet so can only do 56-bit DES. Those with experience are encouraged to let us know.
The two encryption keys are both long strings of hex digits, and these will be entered here and again later in the Sonicwall. We have observed that the Sonicwall permits longer strings than does the Netopia -- perhaps due to the 3DES support -- but it seems happy to take the 16 and 32-digit strings we enter here.
We typically enter passwords and keys like this into the excellent and free program Password Safe from Counterpane Labs, and use the Windows cut/paste operations. This is especially helpful with long strings of hex digits, though it requires special steps to work with the Netopia. Normally one telnets to the inside interface of the router, but pasting large strings simply doesn't work properly (Netopia has been notified). Instead, telnet to the outside IP address and it should behave correctly.
Enter these changes with COMMIT to return to the main connection-profile screen, then select the 'IP Profile Parameters...' menu. This sets up all the options related to the IP address, and we have hammered out the details only by doing this a lot.
The SPI (Security Parameters Index) is a number that seems to select this entire set of parameters for IPSec, and we believe it's needed because it's possible to have more than one tunnel described between any given pair of networks (different encryption, etc.), and the SPI selects the list of parameters that you actually want. It's actually possible to set a different SPI for the incoming and outgoing connections, but we don't need that.
The SPI must be unique across the entire VPN base, and this means that a consultant talking to multiple unrelated customers has to plan carefully. We believe that we can't use SPI (say) 1234 for one customer and then the same SPI for a different connection to a different customer. But we're not sure. The SPI entered in the Netopia is in decimal, and SPIs from 1-255 are supposed to be reserved for other purposes. The Sonicwall takes the SPI in hex but doesn't make this obvious, so keep this in mind.
The 'Remote Tunnel Endpoint Address' is the outside LAN IP address of the remote SonicWall, and this is always the public, routable IP address.
The 'Remote Members Network' and '... Netmask' reflect the INSIDE address of the Sonicwall LAN, and it's the 10.1.0.0/16 network that is protected by the firewall.
We typically enable 'Address Translation' because it permits a one-way connection to the remote network, and this makes for much easier routing on the other end. If we are routing a full network (anything more than one IP address), then the Sonicwall must be told about it. By using a single IP, routing is a non-issue.
We'll touch on the 'NAT Map List' and 'NAT Server List' shortly, but the 'PAT IP Address' must be the Netopia's inside IP address. This is in contrast to the default value of 0.0.0.0, which is the outside address of the Netopia, and this default causes no end of trouble. We very much wish we had found this much earlier in the process.
Strictly speaking, setting up of NAT is supposed to be part of the basic Netopia configuration, but the value of Easy-PAT is normally created by the router by default, and it essentially hides the entire inside network behind a single external IP address. Adding a 'NAT Server List' allows for very limited reverse traffic from the remote network back to the local, such as a web server or secure shell. We don't normally enable this.
Setting this up on the Sonicwall is much easier. First use a web browser and login to the firewall as the administrator. This presents a set of menus with the tabs on the left. Click the VPN button on the left, which brings up a multi-tabbed set of panels. Click on the Configure tab at the top, then configure this screen per this image:
We'll note a few items:
| Field | Setting |
|---|---|
| Security Association | -Add New SA- -- this allows addition of a new security association as opposed to modifying the old one. |
| IPSec Keying Mode | Manual Key -- this sets the manual key mode with long hex strings, as opposed to the 'pre-shared secret' mode. |
| Name | This is a printable name for the connection. |
| Disable This SA | This box may be checked to temporarily disable this Security Association (as opposed to deleting it entirely). Don't check this box. |
| IPSec Remote Gateway | Leave this blank. This field is only used when the Sonicwall is making an outbound VPN connection, but in our configuration it'll only be accepting inbound connections. |
| Enable Windows Networking | We generally leave this unchecked, but we suspect that for connections that will heavily use Windows broadcast for NETBIOS name resolution it must be checked. Experiment as required, but it most likely doesn't affect base TCP/IP connectivity. |
| Incoming SPI | This is the same value as the SPI programmed into the Netopia, and it must be in hexadecimal. It's regrettable that there is no obvious indication of this requirement, as it caused us to burn a lot of time. |
| Outgoing SPI | We typically make this the same as the Incoming SPI, but since the Sonicwall is not making outbound connections, it's probably not needed. |
| Encryption Method | This must match the Netopia configuration, which is Encrypt and Authenticate (ESP DES HMAC MD5). |
| Encryption Key | This must be the same 16-character hex value programmed into the Netopia. The default value is an apparently random 48-character value that is appropriate for 3DES, but we replace it with our value. |
| Authentication Key | This is the same 32-character hex value as entered into the Netopia for the same purpose. |
| Destination Networks | Since the source of this VPN -- the Netopia -- is using a single IP address via NAT, we need not enter any local network information. But if NAT is not used, the entire local network (on the Netopia side) must be described here. |
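As an added example (not code from the Tech Tip, Netopia or Sonicwall), here is a small Python helper that checks the manual-keying values from the table above and the SPI discussion before they are typed into either box: key lengths, the reserved SPI range, the decimal-to-hex SPI conversion, and SPI uniqueness across customers. The DES weak-key list is standard DES, not something the article mentions, and the `plan_tunnels` record layout is our own invention.

```python
import re
import secrets

# Added example (not the Tech Tip's or either vendor's code): sanity-check the
# manual-keying values typed into both boxes. Sizes follow the article: 16 hex
# digits for the DES key, 32 for the HMAC-MD5 key; the SPI is decimal on the
# Netopia, hex on the Sonicwall, and SPI values 1-255 are reserved.
HEX_RE = re.compile(r"^[0-9a-f]+$")
DES_KEY_HEX_LEN = 16         # 8 bytes: 56 key bits plus 8 parity bits
HMAC_MD5_KEY_HEX_LEN = 32    # 16 bytes
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF
DES_WEAK_KEYS = {"0101010101010101", "fefefefefefefefe",   # the four DES weak keys:
                 "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e"}   # encrypting twice undoes itself

def check_key(hexkey: str, expected_len: int) -> str:
    """Return the key lowercased, or raise ValueError if it is unusable."""
    k = hexkey.strip().lower()
    if len(k) != expected_len or not HEX_RE.match(k):
        raise ValueError(f"key must be {expected_len} hex digits: {hexkey!r}")
    if expected_len == DES_KEY_HEX_LEN and k in DES_WEAK_KEYS:
        raise ValueError("DES weak key; generate another one")
    return k

def spi_for_sonicwall(spi_decimal: int) -> str:
    """Decimal SPI as entered on the Netopia -> hex string for the Sonicwall."""
    if not SPI_MIN <= spi_decimal <= SPI_MAX:
        raise ValueError(f"SPI {spi_decimal} outside usable range")
    return f"{spi_decimal:x}"

def new_keys() -> dict:
    """Fresh random keys sized for ESP DES HMAC MD5 (store them in Password Safe)."""
    enc = secrets.token_hex(8)
    while enc in DES_WEAK_KEYS:   # vanishingly unlikely, but cheap to check
        enc = secrets.token_hex(8)
    return {"enc": enc, "auth": secrets.token_hex(16)}

def plan_tunnels(tunnels: list) -> list:
    """Validate {customer, spi, enc, auth} records; SPIs are treated as unique
    across all customers (the conservative reading of the article)."""
    owner, plan = {}, []
    for t in tunnels:
        if t["spi"] in owner:
            raise ValueError(f"SPI {t['spi']} reused by {owner[t['spi']]} and {t['customer']}")
        owner[t["spi"]] = t["customer"]
        plan.append({"customer": t["customer"], "netopia_spi": str(t["spi"]),
                     "sonicwall_spi": spi_for_sonicwall(t["spi"]),
                     "enc": check_key(t["enc"], DES_KEY_HEX_LEN),
                     "auth": check_key(t["auth"], HMAC_MD5_KEY_HEX_LEN)})
    return plan
```

The `sonicwall_spi` field is what goes into the Incoming SPI box, and `netopia_spi` is the same number as typed into the Netopia.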
Once this information is entered, click Update to make this information take effect. This should not require a reboot of the Sonicwall, and back on the Netopia side, simply try to connect with a machine on the remote network. This should bring up the VPN after a few seconds and start the connection.
In practice, we usually set up the Sonicwall first, because the random keys that get filled in by default seem random enough to us. We typically trim the 48-character encryption key down to 16 characters, then cut from the browser and paste into Password Safe. This makes it easier to be sure that we've not misrecorded the hex keys. Once the Sonicwall is set up, we start with the Netopia and use our saved keys.
more to be filled in here