Certicom Security Builder IPSec Configuration
Version 1.0
August 4, 2006

Scenario 1: Client-to-gateway with preshared secrets

The following is a typical client-to-gateway VPN that uses a preshared secret for authentication.

                                                    172.23.9.0/24
                                                          |
                                                          |--
   +---------+     /-^-^-^-^--\     +---------+           |
   | Client  |=====| Internet |=====| Gateway |-----------|
   +---------+AW   \--v-v-v-v-/   BW+---------+BL         |
   14.15.16.17                    22.23.24.25  172.23.9.1 |--
                                                          |

Client is connected to the Internet. Client's interface has the address 14.15.16.17.

Gateway connects the internal LAN 172.23.9.0/24 to the Internet. Gateway's WAN (Internet) interface has the address 22.23.24.25. Gateway's LAN interface address, 172.23.9.1, can be used for testing IPSec but is not needed for configuring Client.

The IKE Phase 1 parameters used in Scenario 1 are:

   * Main mode
   * TripleDES
   * SHA-1
   * MODP group 2 (1024 bits)
   * pre-shared secret of "hr5xb84l6aa9r6"
   * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:

   * TripleDES
   * SHA-1
   * ESP tunnel mode
   * MODP group 2 (1024 bits)
   * Perfect forward secrecy for rekeying
   * SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
   * Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets

To set up Client for this scenario, use the following steps:

Step 1: Run the CLI tool. You will see the following output:

   Creating IKE context
   [Inf] Creating test context
   [Inf] SBIPSEC version 2.9.0
   cli>

Step 2: At the prompt, type "load scenario1". You will see the following output:

   Loading policy from file "policies/scenario1"
   Set IKE logging to 0x00000000
   Set IPSEC logging to 0x00000000

Step 3: At the prompt, type "show".
You will see the following output:

   set gwtype ikev1mm
   set gwip 22.23.24.25
   set localauth psk
   set localidtype ipv4
   set localpsk hr5xb84l6aa9r6
   set gwauth default
   set dns 0.0.0.0,0.0.0.0
   set wins 0.0.0.0,0.0.0.0
   set pfsflag 1
   set dnsflag 0
   set tpmflag 0
   set logoutdelsaflag 0
   set nifflag 0
   set nocontactflag 0
   set ipcompxform off
   set subnet 172.23.9.0,255.255.255.0
   set ikelt 28800
   set ike dh2,3des,sha1,hmac
   set ipseclt 3600
   set protocol 0
   set ipsec dh2,3des,sha1
   set retries 2
   set timeout 5
   set starent 0

Note that "show" prints the preshared secret in cleartext, so treat the policy file and any saved CLI transcript as sensitive.

Step 4: At the prompt, type "login". This will initiate the IKE exchange with the Gateway. When successful, you will see the following output:

   [Inf] Login successful!

Step 5: At the prompt, type "ping 172.23.9.1". This will send a ping to the Gateway's LAN interface and wait for a reply. When successful, you will see the following output:

   Ping 172.23.9.1 successful!

Step 6: At the prompt, type "logout". This will delete the tunnel with the Gateway. When successful, you will see the following output:

   [Inf] Logout successful!

Step 7: At the prompt, type "exit". This will exit the CLI tool.

For diagnostics and debugging:

   For a list of other CLI commands, at the prompt, type "help".
   To enable IKE logging, at the prompt, type "logging ike all".
   To enable IPSec logging, at the prompt, type "logging ipsec all".

Security Builder IPSec is a software toolkit that implements IKE and IPSec. The steps above describe how to configure the CLI (command-line interface) tool for this scenario. The CLI tool is developed using Security Builder IPSec.
The scenario1 policy loaded in Step 2 (and displayed in Step 3) populates the ike_Policy2 structure in Security Builder IPSec as follows:

   tag = IKE_POLICY_TAG_V2
   gwType = IKE_POLICY_GATEWAY_IKEV1MM
   gwIP = 22.23.24.25
   localAuthInfo.type = IKE_POLICY_AUTHTYPE_PSK
   localAuthInfo.id.type = IKE_POLICY_AUTHIDTYPE_IPV4_ADDR
   localAuthInfo.psk.data = hr5xb84l6aa9r6
   localAuthInfo.psk.dataLen = 14
   flags = IKE_POLICY_FLAG_PFS
   subnets.num = 1
   subnets[0].ip = 172.23.9.0
   subnets[0].mask = 255.255.255.0
   ikeLifetime.seconds = 28800
   ikeProposals.num = 1
   ikeProposals.proposals[0].ikeGroup = IKE_POLICY_IKEGROUP_2
   ikeProposals.proposals[0].ikeCipher = IKE_POLICY_IKECIPHER_3DES
   ikeProposals.proposals[0].ikeHash = IKE_POLICY_IKEHASH_SHA
   ikeProposals.proposals[0].ikePrf = IKE_POLICY_IKEPRF_HMAC
   ipsecLifetime.seconds = 3600
   ipsecProposals.num = 1
   ipsecProposals.proposals[0].ipsecGroup = IKE_POLICY_IPSECGROUP_2
   ipsecProposals.proposals[0].ipsecCipher = IKE_POLICY_IPSECCIPHER_3DES
   ipsecProposals.proposals[0].ipsecHash = IKE_POLICY_IPSECHASH_SHA
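The correspondence between the Step 3 "show" listing and the ike_Policy2 fields above can be checked mechanically. The following is an added example and is not part of the Certicom document or of the Security Builder IPSec toolkit: a small Python parser that reads the scenario1 listing (a constructed copy of the Step 3 output) and produces the field values listed above. The constant names are the ones the document gives; the tables that tie each CLI keyword to a constant are an assumption inferred from this single listing, so any keyword value outside scenario1 is rejected rather than guessed, and the PSK length is computed from the secret rather than copied.

```python
import ipaddress

# Constructed copy of the scenario1 "show" listing from the document.
SCENARIO1_SHOW = """\
set gwtype ikev1mm
set gwip 22.23.24.25
set localauth psk
set localidtype ipv4
set localpsk hr5xb84l6aa9r6
set gwauth default
set dns 0.0.0.0,0.0.0.0
set wins 0.0.0.0,0.0.0.0
set pfsflag 1
set dnsflag 0
set tpmflag 0
set logoutdelsaflag 0
set nifflag 0
set nocontactflag 0
set ipcompxform off
set subnet 172.23.9.0,255.255.255.0
set ikelt 28800
set ike dh2,3des,sha1,hmac
set ipseclt 3600
set protocol 0
set ipsec dh2,3des,sha1
set retries 2
set timeout 5
set starent 0
"""

# Assumed keyword -> constant tables (constant names from the document;
# the keyword side is inferred from this one listing, nothing else is accepted).
CONST = {
    "gwtype": {"ikev1mm": "IKE_POLICY_GATEWAY_IKEV1MM"},
    "localauth": {"psk": "IKE_POLICY_AUTHTYPE_PSK"},
    "localidtype": {"ipv4": "IKE_POLICY_AUTHIDTYPE_IPV4_ADDR"},
    "ikeGroup": {"dh2": "IKE_POLICY_IKEGROUP_2"},
    "ikeCipher": {"3des": "IKE_POLICY_IKECIPHER_3DES"},
    "ikeHash": {"sha1": "IKE_POLICY_IKEHASH_SHA"},
    "ikePrf": {"hmac": "IKE_POLICY_IKEPRF_HMAC"},
    "ipsecGroup": {"dh2": "IKE_POLICY_IPSECGROUP_2"},
    "ipsecCipher": {"3des": "IKE_POLICY_IPSECCIPHER_3DES"},
    "ipsecHash": {"sha1": "IKE_POLICY_IPSECHASH_SHA"},
}


def const(kind, value):
    """Translate one CLI keyword into its ike_Policy2 constant; unknown values raise."""
    try:
        return CONST[kind][value]
    except KeyError:
        raise ValueError(f"unsupported {kind} value {value!r}") from None


def parse_set_lines(text):
    """Return {key: value} from 'set <key> <value>' lines; reject anything else."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] != "set":
            raise ValueError(f"line {lineno}: not a 'set <key> <value>' line: {raw!r}")
        if parts[1] in settings:
            raise ValueError(f"line {lineno}: duplicate key {parts[1]!r}")
        settings[parts[1]] = parts[2]
    return settings


def build_ike_policy2(settings):
    """Map parsed settings onto the ike_Policy2 field names from the document."""
    ike_group, ike_cipher, ike_hash, ike_prf = settings["ike"].split(",")
    ipsec_group, ipsec_cipher, ipsec_hash = settings["ipsec"].split(",")
    # strict=True rejects a subnet whose host bits are set (e.g. 172.23.9.1/24).
    subnet = ipaddress.ip_network(settings["subnet"].replace(",", "/"), strict=True)
    psk = settings["localpsk"].encode("ascii")  # dataLen is the byte length
    flags = ["IKE_POLICY_FLAG_PFS"] if settings.get("pfsflag") == "1" else []
    return {
        "tag": "IKE_POLICY_TAG_V2",
        "gwType": const("gwtype", settings["gwtype"]),
        "gwIP": str(ipaddress.IPv4Address(settings["gwip"])),
        "localAuthInfo.type": const("localauth", settings["localauth"]),
        "localAuthInfo.id.type": const("localidtype", settings["localidtype"]),
        "localAuthInfo.psk.data": psk.decode("ascii"),
        "localAuthInfo.psk.dataLen": len(psk),
        "flags": flags,
        "subnets.num": 1,
        "subnets[0].ip": str(subnet.network_address),
        "subnets[0].mask": str(subnet.netmask),
        "ikeLifetime.seconds": int(settings["ikelt"]),
        "ikeProposals.num": 1,
        "ikeProposals.proposals[0].ikeGroup": const("ikeGroup", ike_group),
        "ikeProposals.proposals[0].ikeCipher": const("ikeCipher", ike_cipher),
        "ikeProposals.proposals[0].ikeHash": const("ikeHash", ike_hash),
        "ikeProposals.proposals[0].ikePrf": const("ikePrf", ike_prf),
        "ipsecLifetime.seconds": int(settings["ipseclt"]),
        "ipsecProposals.num": 1,
        "ipsecProposals.proposals[0].ipsecGroup": const("ipsecGroup", ipsec_group),
        "ipsecProposals.proposals[0].ipsecCipher": const("ipsecCipher", ipsec_cipher),
        "ipsecProposals.proposals[0].ipsecHash": const("ipsecHash", ipsec_hash),
    }
```

Running build_ike_policy2(parse_set_lines(SCENARIO1_SHOW)) yields exactly the 22 field values listed above, including dataLen = 14 derived from the secret; editing the listing to an IKE group or cipher the tables do not know raises a ValueError instead of producing a policy the document does not describe.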