AN-001-WUK

HOW TO CONFIGURE AN
IPSEC VPN
LAN to LAN connectivity over a VPN between a MRD-455
4G router and a central ADSL-350 broadband router with
fixed IP address

AN-001-WUK
 Introduction

What is an IPSec VPN?

IPSec VPN’s create a secure Virtual Private Network between two or more private LAN networks,
over the internet.

The internet is generally accepted as a world wide insecure network, but using IPSec VPN’s can
make data transfer over the internet much more secure.

IPSec (Internet Protocol Security), utilises a selection of encryption and authentication algorithms
which are grouped together under a common banner. Different combinations of these protocols
can be used simultaneously to create a secure tunnel between two routers. Despite the fact that
business critical data may be traversing over a wireless connection via the internet to your central
office, the data itself is both encrypted and encapsulated with secure authentication up to a military
grade level of data protection.

It is quite possible to use IPSEC to secure communications between multiple different sites, the
diagram below shows three remote sites connecting back to a central location where a number of
devices can communicate to the various outstation units.

NB: IPSEC will only provide security for the links BETWEEN the routers. You must not consider the routers
themselves to actually be secure once a VPN is in place. Further security can be afforded through proper
username management and implementation of a firewall

AN-001-WUK
 Overview
The following pages show how to implement an IPSEC VPN between a pair of Westermo routers.
The MRD-455 4G router will be the initiator because this will most likely be given a dynamic and
NAT:ed IP address from the provider.

The ADSL-350 will be the responder because the ADSL IP address is known and is fixed.
In nearly all cases, the responder router will be a DSL router which is located at a central location,
such as company headquarters. In all cases the RESPONDER router will need to have a fixed,
publicly accessible IP address.

Thanks to Aggressive mode IPSec with the addition of a feature known as NAT-Traversal, the
initiating router does not require a fixed, publicly accessible IP address.

Phase 1: IKE
Internet Key Exchange (IKE) protocol defines what parameters are used to negotiate the initial
stage of the VPN connection, and provide security which is used in negotiating the second stage of
the VPN. This involves the creation of “IKE SA’s”.

Phase 2: IPsec
The IPSec transform defines the negotiation for the second stage of the VPN. This includes exactly
what authentication and encryption will be used in the VPN tunnel, along with IP addressing
information that allows data to flow from router to router. This involves the creation of “IPSec SA’s”.

Assummptions
This application note applies to; MRD-455 4G router an ADSL-350 DSL router and assumes both
are starting from a factory default configuration.

Corrections
Requests for corrections or amendments to this application note are welcome and should be
addressed to [email protected]

Requests for new application notes can be sent to the same address.

AN-001-WUK
 MRD-455 4G Router Configuration
LAN IP Address
Browse to Network  LAN

IP Address: 172.30.1.2
Netmask: 255.255.255.0

AN-001-WUK
 MRD-455 4G Router Configuration
4G Link
Browse to WIRELESS  PACKET MODE

Click Add new profile.

Enter the APN (Access Point Name) provided by your network SIM provider.
NB: Standard 4G/3G tariffs do not often require authentication

AN-001-WUK
 MRD-455 4G Router Configuration
Browse to WIRELESS  PACKET MODE continued.

Connection Mode: Always connect

SIM 1 profile: 1
NB: In this example the SIM card in slot 1 will use profile 1. You can set up multiple profiles and
assign them to either SIM slot 1 or 2 depending on the provider of the SIM card.

Refer to application note AN-004-WUK Dual SIM Failover.

AN-001-WUK
 MRD-455 4G Router Configuration
IPSec VPN Tunnel Configuration (Initiator)

Browse to VPN  IPSec

Click Add new tunnel group.

AN-001-WUK
 MRD-455 4G Router Configuration
IPSec VPN Tunnel Configuration (Initiator)

Group label: Free Text – tunnel description only

Enable: Enable
Operating mode: Tunnel (default)
Functional Mode: Connect immediately (i.e. tunnel initiator)

Local Interface: WLS (i.e. the 4G wireless interface)

Remote Host: The static broadband IP address of your ADSL-350

AN-001-WUK
 MRD-455 4G Router Configuration
IPSec VPN Tunnel Configuration (Initiator)
Phase 1 (IKE)

Authentication Method: Preshared Keys

Negotiation Mode: Aggressive Mode
NB: Aggressive Mode is for when the intitiator has a dynamic WAN IP address.

Pre-Shared Key: “top secret”

NB: Pre-shared key can be any alphanumeric string but must be identical on both routers (case sensitive).

Remote ID: @adsl350

Local ID: @mrd455
NB: The ID’s can be any string but the @ prefix is mandatory. ID’s must match on both routers.

IKE proposal: AES(128)-SHA1-DH Group 2 (1024)

IKE Lifetime (mins): 60

AN-001-WUK
 MRD-455 4G Router Configuration
IPSec VPN Tunnel Configuration (Initiator)
Phase 2 (IPSec)

Authentication Method: None

ESP proposal: AES(128)-SHA1

Perfect forward secrecy & group: P DH Grp 2 (1024)

Key Lifetime (mins): 480

AN-001-WUK
 MRD-455 4G Router Configuration
IPSec VPN Tunnel Configuration (Initiator)
Tunnel Options

Clear route when tunnel down: Uncheck (applies to responder only)

Leave the rest at default
Tunnel Networks

Local: Lan Subnet

Remote  Specify a subnet: 192.168.2.0./24

AN-001-WUK
 MRD-455 4G Router Configuration
IPSec VPN Tunnel Configuration (Initiator)

General IPSec Configuration.

Enabled: P

General IPSec Configuration.

Enable: Enable

AN-001-WUK
 ADSL-350 Broadband Router Configuration
LAN IP Address
Browse to Network  LAN

IP Address: 192.168.2.200
Netmask: 255.255.255.0

AN-001-WUK
 ADSL-350 Broadband Router Configuration
ADSL Link
Browse to ADSL  CONNECTION

Click Add new profile.

Default settings for a UK BT Broadband line.

AN-001-WUK
 ADSL-350 Broadband Router Configuration
ADSL Link
Browse to ADSL  CONNECTION continued..

Default settings for a UK BT Broadband line.

User: Your broadband username

Password: Your broadband password
NB: These details are issued by your broadband provider.

AN-001-WUK
 ADSL-350 Broadband Router Configuration
ADSL Link
Browse to ADSL  CONNECTION continued..

Broadband settings complete

NB: These are standard BT ADSL broadband settings. Contact your broadband provider for
details.

AN-001-WUK
 ADSL-350 Broadband Router Configuration
IPSec VPN Tunnel Configuration (Responder)

Browse to VPN  IPSec

Click Add new tunnel group.

AN-001-WUK
 ADSL-350 Broadband Router Configuration
IPSec VPN Tunnel Configuration (Responder)

Group label: Free Text – tunnel description only

Operating mode: Tunnel (default)
Functional Mode: Responder or Connect on demand

Local Interface: DSL-1 (i.e. the broadband interface)

Remote host has fixed address: Uncheck.
NB: Allows connection from dynamic IP

AN-001-WUK
 ADSL-350 Broadband Router Configuration
IPSec VPN Tunnel Configuration (Responder)
Phase 1 (IKE)

Authentication Method: Preshared Keys

Negotiation Mode: Aggressive Mode
NB: Aggressive Mode is for when the intitiator has a dynamic WAN IP address.

Pre-Shared Key: “top secret”

NB: Pre-shared key can be any alphanumeric string but must be identical on both routers (case sensitive).

Remote ID: @mrd455

Local ID: @adsl350
NB: The ID’s can be any string but the @ prefix is mandatory. ID’s must match on both routers.

IKE proposal: AES(128)-SHA1-DH Group 2 (1024)

IKE Lifetime (mins): 60

AN-001-WUK
 ADSL-350 Broadband Router Configuration
IPSec VPN Tunnel Configuration (Responder)

Phase 2 (IPSec)

Authentication Method: None

ESP proposal: AES(128)-SHA1

Perfect forward secrecy & group: P DH Grp 2 (1024)

Key Lifetime (mins): 480

AN-001-WUK
 ADSL-350 Broadband Router Configuration
IPSec VPN Tunnel Configuration (Responder)
Tunnel Options

Clear route when tunnel down: P

Tunnel Networks

Local: Lan Subnet

Remote  Specify a subnet: 172.30.1.0./24

AN-001-WUK
 ADSL-350 Broadband Router Configuration
IPSec VPN Tunnel Configuration (Responder)

General IPSec Configuration.

Enabled: P

General IPSec Configuration.

Enable: P

AN-001-WUK
 ADSL-350 Broadband Router Configuration
Firewall
By default, all incoming traffic to the router is blocked in the firewall. Therefore IPSec VPN
traffic needs to be allowes in to the DSL interface.

Browse to Firewall  Access Control

In the DSL-1 tick IPSec VPN to allow inbound VPN traffic.

AN-001-WUK
 VPN STATUS
MRD-455
Browse to Status  Alarms
Check that the VPN status is set to No Fault.

Double check that the VPN is connected by

browsing to Status  VPN

AN-001-WUK
 VPN STATUS
ADSL-350
Browse to Status  Alarms
Check that the VPN status is set to No Fault.

Double check that the VPN is connected by

browsing to Status  VPN

AN-001-WUK
 TESTING
NB: The following assumes that the router settings have been applied exactly
as set out in this application note.

MRD-455
Connect an ethernet cable from a PC or Laptop to LAN port 1 on the MRD-455.
Set your PC’s TCP/IP settings as follows;

IP address: 172.30.1.3
Subnet Mask: 255.255.255.0
Default Gateway: 172.30.1.2
Preferred DNS Server: 172.30.1.2

ADSL-350
Connect an ethernet cable from a PC or Laptop to LAN port 1 on the ADSL-350.
Set your PC’s TCP/IP settings as follows;

IP address: 192.168.2.2
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.2.200
Preferred DNS Server: 192.168.2.200

AN-001-WUK
 TESTING
NB: The following assumes that the router settings have been applied exactly
as set out in this application note.

MRD-455
From the PC (172.30.1.3) connected to the MRD-455, ping the PC (192.168.2.2)
connected to ADSL-350. You should get replies.

C:\Windows\System32>ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Reply from 192.168.2.2: bytes=32 time=625ms TTL=126
Reply from 192.168.2.2: bytes=32 time=585ms TTL=126
Reply from 192.168.2.2: bytes=32 time=471ms TTL=126
Reply from 192.168.2.2: bytes=32 time=534ms TTL=126

Ping statistics for 192.168.2.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 471ms, Maximum = 625ms, Average = 553ms

ADSL-350
From the PC (192.168.2.2) connected to the ADSL-350, ping the PC (172.30.1.3)
connected to MRD-455. You should get replies.

C:\Windows\System32>ping 172.30.1.3

Pinging 172.30.1.3 with 32 bytes of data:

Reply from 172.30.1.3: bytes=32 time=579ms TTL=126
Reply from 172.30.1.3: bytes=32 time=419ms TTL=126
Reply from 172.30.1.3: bytes=32 time=442ms TTL=126
Reply from 172.30.1.3: bytes=32 time=526ms TTL=126

Ping statistics for 172.30.1.3:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 419ms, Maximum = 579ms, Average = 491ms

AN-001-WUK
 TROUBLESHOOTING
If you are having problems making a connection to the PC at the other
end of the VPN tunnel. See the following checklist.

VPN Status
On both routers browse to the Status  Alarms and Status  VPN pages and check the
VPN is connected.

PC Settings
On both PC’s check that the Default Gateway is set to the IP address of your local router.

PC – Disable all other connections.

To ensure your traffic is going via your Westermo routers and not over another network
interface, disable all other connections on both PC’s – particularly make sure WiFi is
turned off and any other VPN’s configured on your PC are disabled.

AN-001-WUK
 Revision history for version 1.0
Revision Rev by Revision note Date
00
01 JM Minor changes to wording and amend mistakes to DH groups 27/10/16
02 WN Changes to “clear route when tunnel is down” for responder only . 22/01/18
03
04
05
06
07

AN-001-WUK
AN-001-WUK