Mocana Guide for VPNC IPsec Interoperability
Last update Feb. 25, 2007
Scenario 1: Gateway-to-gateway with preshared secrets
The following is a typical gateway-to-gateway VPN that uses a
preshared secret for authentication.
     10.5.6.0/24                                           172.23.9.0/24
          |                                                      |
        --|                                                      |--
          |  +-----------+      /-^-^-^-^--\      +-----------+  |
          |--| Gateway A |======| Internet |======| Gateway B |--|
          |AL+-----------+AW    \--v-v-v-v-/    BW+-----------+BL|
        --| 10.5.6.1  14.15.16.17         22.23.24.25 172.23.9.1 |--
          |                                                      |
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet.
Gateway A's LAN interface has the address 10.5.6.1, and its WAN
(Internet) interface has the address 14.15.16.17.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet.
Gateway B's WAN (Internet) interface has the address 22.23.24.25.
Gateway B's LAN interface address, 172.23.9.1, can be used for testing
IPsec but is not needed for configuring Gateway A.
The IKE Phase 1 parameters used in Scenario 1 are:
- Main mode
- TripleDES
- SHA-1
- MODP group 2 (1024 bits)
- pre-shared secret of "hr5xb84l6aa9r6"
- SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
- TripleDES
- SHA-1
- ESP tunnel mode
- MODP group 2 (1024 bits)
- Perfect forward secrecy for rekeying
- SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
- Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
To set up Gateway A for this scenario, use the following steps:
Windows XP Instructions
Note: Mocana Embedded IPsec/IKE is a source-code product that is platform independent. The following instructions apply after the binaries have been built for the Windows platform.
- Install the Passthru driver
  - Go to Network Properties and click Install > Service.
  - Click Have Disk, select %mocanadir%/Driver/netsf.inf and click OK.
  - Click Continue until the driver is installed.
  Note: If a Passthru driver is already installed, uninstall it first.
- Disable Windows IPsec
  - Go to Control Panel > Administrative Tools > Services.
  - Double-click IPsec Services and click Stop.
  - Change Startup type to Disabled so that Windows does not start its own IPsec service automatically.
- Decrease the MTU size
  - Go to Start > Run > regedit to open the Registry Editor.
  - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[Adapter ID]
  - Double-click MTU and set it to 1430 (decimal) if the current value is larger than 1430.
  Note: The Mocana driver does not currently handle fragmentation. If the Mocana driver is the server, its outbound packets may be dropped when the packet size exceeds the MTU.
- Enable TCP/IP routing
  - Go to Start > Run > regedit to open the Registry Editor.
  - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
  - Double-click IPEnableRouter and set it to 1.
  - Reboot Windows.
- Make sure the default route 0.0.0.0 uses the Gateway A address
  - Open a Command Prompt and run route print.
  - Make sure there is only one default route 0.0.0.0, and that it uses the Gateway A address, e.g.:
    Network Destination 0.0.0.0  Netmask 0.0.0.0  Gateway 14.15.16.17
  - If other 0.0.0.0 routes exist besides the one via 14.15.16.17, delete them, e.g.:
    route delete 0.0.0.0 10.5.6.1
- Run the Mocana IKE server
  - Open a Command Prompt and go to the %mocanadir% folder.
  - Run: ike.exe 14.15.16.17
  Note: Press Ctrl+C to stop ike.
- Configure the IPsec policy using TestIOCTL
  - Open a Command Prompt and go to the %mocanadir% folder.
  - Run: TestIOCTL /add t1.conf
  Note: t1.conf contains the IPsec policy. See the TestIOCTL Utility section for more information.
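The default-route step above is easy to get wrong on a dual-homed host, so the following added example (not part of the Mocana guide) parses the output of "route print" and reports whether exactly one 0.0.0.0 route exists and points at Gateway A's WAN address, 14.15.16.17. The route table text is a constructed sample in the layout Windows XP prints; everything else uses only the addresses from the scenario.

```python
"""Check a Windows "route print" listing for the single default route the
guide requires before ike.exe is started.

Added example, not Mocana's code.  SAMPLE_ROUTE_PRINT is a constructed
sample that reproduces the problem case from the guide: a second default
route through the LAN address 10.5.6.1 that has to be deleted.
"""
import re

GATEWAY_A_WAN = "14.15.16.17"   # Gateway A's WAN address from Scenario 1

# Constructed sample of "route print" output with two default routes.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      14.15.16.17    14.15.16.17      20
          0.0.0.0          0.0.0.0         10.5.6.1       10.5.6.1      30
         10.5.6.0    255.255.255.0         10.5.6.1       10.5.6.1      20
         10.5.6.1  255.255.255.255        127.0.0.1      127.0.0.1      20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
Default Gateway:       14.15.16.17
===========================================================================
"""

# One route line: destination, netmask, gateway, interface, metric.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples for
    every route line; headers, separators and "Default Gateway:" are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes


def default_routes(routes):
    """Only the 0.0.0.0/0.0.0.0 entries."""
    return [r for r in routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]


def check_default_route(text, wan_addr=GATEWAY_A_WAN):
    """Return (ok, fix_commands).

    ok is True only when the one and only default route uses wan_addr.
    fix_commands lists the "route delete" command the guide's step calls for,
    one per extra default route, so the operator can review them before running."""
    defaults = default_routes(parse_routes(text))
    extra = [r for r in defaults if r[2] != wan_addr]
    has_wan = any(r[2] == wan_addr for r in defaults)
    fixes = ["route delete 0.0.0.0 %s" % r[2] for r in extra]
    return (has_wan and not extra, fixes)


if __name__ == "__main__":
    ok, fixes = check_default_route(SAMPLE_ROUTE_PRINT)
    print("default route OK" if ok else "fix with:\n  " + "\n  ".join(fixes))
```

On a real host, feed the function the captured output of "route print" instead of the sample; it only proposes the delete commands, it does not run them.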
TestIOCTL Utility
# To Add policy, use:
TestIOCTL /add t1.conf
# To display SA information, use:
TestIOCTL /dump
# To display SPD, use:
TestIOCTL /dump spd
# To flush SPD, use:
TestIOCTL /flush spd
# To flush SA, use:
TestIOCTL /flush
t1.conf contains the actual policy:
{ laddr 10.5.6.0/24 raddr 172.23.9.0/24 } ipsec { encr_algs 3des encr_auth_algs sha1 tladdr 14.15.16.17 traddr 22.23.24.25 }
# encr_algs : 3des, aes, blowfish, arcfour, des, any
# encr_auth_algs: sha1, md5, any
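The t1.conf line above packs the Phase 2 selectors and transform into one record, so a mistyped algorithm name or subnet is easy to miss until the SA fails to come up. The following added example (not Mocana's code) parses a line in that format, checks the algorithm names against the values listed in the comments, and confirms that the entry carries the Scenario 1 values. The grammar is inferred from the single line the guide shows: a selector block, the word ipsec, then a transform block of key/value pairs; anything beyond those keys is an assumption. It also estimates the ESP tunnel-mode overhead for the chosen algorithms using the standard ESP field sizes (RFC 4303; 12-byte ICV for HMAC-SHA1-96 and HMAC-MD5-96), which is background for the guide's MTU reduction rather than a figure taken from the guide.

```python
"""Parse and sanity-check a Mocana TestIOCTL policy line (t1.conf format) and
estimate the ESP tunnel-mode overhead for its algorithms.

Added example, not Mocana's code.  The policy grammar is inferred from the
guide's one example line; the overhead sizes are the standard ESP field
sizes, not values from the guide.
"""
import ipaddress
import re

# Allowed values exactly as the guide's comments list them.
ENCR_ALGS = {"3des", "aes", "blowfish", "arcfour", "des", "any"}
AUTH_ALGS = {"sha1", "md5", "any"}

# Copy of the guide's t1.conf line, used as sample input.
T1_CONF = ("{ laddr 10.5.6.0/24 raddr 172.23.9.0/24 } ipsec "
           "{ encr_algs 3des encr_auth_algs sha1 tladdr 14.15.16.17 traddr 22.23.24.25 }")

# "{ selector } ipsec { transform }" with the two brace bodies captured.
POLICY_RE = re.compile(r"^\s*\{(.*?)\}\s*ipsec\s*\{(.*?)\}\s*$")


def _kv_block(text):
    """Turn 'laddr x raddr y' into {'laddr': 'x', 'raddr': 'y'}."""
    toks = text.split()
    if len(toks) % 2:
        raise ValueError("odd number of tokens in block: %r" % text)
    return dict(zip(toks[0::2], toks[1::2]))


def parse_policy(line):
    """Return {'selector': {...}, 'ipsec': {...}} or raise ValueError."""
    m = POLICY_RE.match(line)
    if not m:
        raise ValueError("not a '{ selector } ipsec { transform }' line")
    return {"selector": _kv_block(m.group(1)), "ipsec": _kv_block(m.group(2))}


def validate(policy):
    """Return a list of problems; empty when the policy is well formed."""
    problems = []
    sel, ips = policy["selector"], policy["ipsec"]
    for key in ("laddr", "raddr"):
        try:
            ipaddress.IPv4Network(sel.get(key, ""), strict=True)
        except ValueError:
            problems.append("%s must be an IPv4 subnet, got %r" % (key, sel.get(key)))
    for key in ("tladdr", "traddr"):
        try:
            ipaddress.IPv4Address(ips.get(key, ""))
        except ValueError:
            problems.append("%s must be an IPv4 tunnel endpoint, got %r" % (key, ips.get(key)))
    if ips.get("encr_algs") not in ENCR_ALGS:
        problems.append("encr_algs must be one of %s" % sorted(ENCR_ALGS))
    if ips.get("encr_auth_algs") not in AUTH_ALGS:
        problems.append("encr_auth_algs must be one of %s" % sorted(AUTH_ALGS))
    return problems


def matches_scenario_1(policy):
    """True when the policy carries the VPNC Scenario 1 Phase 2 values."""
    sel, ips = policy["selector"], policy["ipsec"]
    return (sel.get("laddr") == "10.5.6.0/24" and sel.get("raddr") == "172.23.9.0/24"
            and ips.get("encr_algs") == "3des" and ips.get("encr_auth_algs") == "sha1"
            and ips.get("tladdr") == "14.15.16.17" and ips.get("traddr") == "22.23.24.25")


# Standard ESP sizes: (IV bytes, cipher block size) and truncated HMAC ICV bytes.
_CIPHER = {"3des": (8, 8), "des": (8, 8), "aes": (16, 16), "blowfish": (8, 8)}
_ICV = {"sha1": 12, "md5": 12}


def esp_tunnel_overhead(encr, auth, inner_len):
    """Bytes ESP tunnel mode adds to an inner_len-byte IPv4 packet: outer IPv4
    header, SPI, sequence number, IV, padding to the cipher block size, the
    pad-length and next-header bytes, and the ICV."""
    if encr not in _CIPHER or auth not in _ICV:
        raise ValueError("no size table for %s/%s" % (encr, auth))
    iv, block = _CIPHER[encr]
    pad = (-(inner_len + 2)) % block   # inner + padlen + nexthdr -> block multiple
    return 20 + 4 + 4 + iv + pad + 2 + _ICV[auth]


def max_inner_packet(encr, auth, link_mtu=1500):
    """Largest inner packet that still fits link_mtu after encapsulation."""
    size = link_mtu
    while size + esp_tunnel_overhead(encr, auth, size) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    pol = parse_policy(T1_CONF)
    print(pol, validate(pol), matches_scenario_1(pol))
    print("3des/sha1 tunnel: inner packet must be <=", max_inner_packet("3des", "sha1"))
```

For 3DES with HMAC-SHA1-96 the worst-case tunnel overhead is 50 bytes plus up to 7 bytes of block padding, so an inner packet of at most 1446 bytes still fits a 1500-byte link; the guide's 1430-byte MTU sits safely below that, which matters because the driver note above says outbound packets larger than the MTU are dropped rather than fragmented.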
Mocana Corporation.
350 Sansome Street, Suite 210,
San Francisco, CA 94104.
+1.415.617.0055