Mocana Guide for VPNC IPsec Interoperability

Last update Feb. 25, 2007

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

10.5.6.0/24                                            172.23.9.0/24
    |                                                          |
  --|                                                          |--
    |     +-----------+     /-^-^-^-^--\     +-----------+     |
    |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
    |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
  --| 10.5.6.1   14.15.16.17           22.23.24.25  172.23.9.1 |--
    |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

The IKE Phase 2 parameters used in Scenario 1 are:

To set up Gateway A for this scenario, use the following steps:

Windows XP Instructions

Note: Mocana Embedded IPsec/IKE is a source-code product that is platform independent. The following instructions apply once the binaries have been built for the Windows platform.
  1. Install Passthru Driver
    - Go to Network Properties, click on Install > Service
    - Click on Have Disk and select %mocanadir%/Driver/netsf.inf and click OK
    - Click Continue until Driver is installed.

    Note: Uninstall any existing Passthru Driver first.

  2. Disable Windows IPsec
    - Go to Control Panel > Administrative Tools > Services
    - Double-click on IPsec Services, and click on Stop.
    - Change Startup type to Disabled so that Windows will not automatically start the Windows IPsec service.

  3. Decrease MTU Size
    - Go to Start > Run > regedit to go to Registry Editor
    - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[Adapter ID]
    - Double-click on MTU and set it to 1430 (decimal) if the default is larger than 1430

    Note: The Mocana driver does not yet handle fragmentation. If the Mocana driver is the server, its outbound packets may be dropped when their size exceeds the MTU.

  4. Enable TCP/IP Routing
    - Go to Start > Run > regedit to go to Registry Editor
    - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    - Double-click on IPEnableRouter and set it to 1
    - Reboot Windows

  5. Make sure the default route 0.0.0.0 uses the Gateway A address
    - Open Command Prompt and run route print
    - Make sure there is only one default route 0.0.0.0 to the Gateway A address, i.e. Network destination 0.0.0.0, Netmask 0.0.0.0, Gateway 14.15.16.17
    - If other 0.0.0.0 routes exist besides the one using 14.15.16.17, delete the rest, e.g. route delete 0.0.0.0 10.5.6.1

  6. Run Mocana IKE server
    - Open Command Prompt and go to %mocanadir% folder
    - Run: ike.exe 14.15.16.17

    Note: Ctrl+C to kill ike.

  7. Configure IPsec policy using TestIOCTL
    - Open Command Prompt and go to the %mocanadir% folder
    - Run: TestIOCTL /add t1.conf

    Note: t1.conf contains the IPsec policy. See the TestIOCTL Utility section for more information.

TestIOCTL Utility

# To Add policy, use:
TestIOCTL /add t1.conf

# To display SA information, use:
TestIOCTL /dump 

# To display SPD, use:
TestIOCTL /dump spd

# To flush SPD, use:
TestIOCTL /flush spd

# To flush SA, use:
TestIOCTL /flush

  • t1.conf contains the actual policy:
     { laddr 10.5.6.0/24 raddr 172.23.9.0/24 } ipsec { encr_algs 3des encr_auth_algs sha1 tladdr 14.15.16.17 traddr 22.23.24.25 }

    # encr_algs     : 3des, aes, blowfish, arcfour, des, any
    # encr_auth_algs: sha1, md5, any
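As an added example (not part of the Mocana guide or the TestIOCTL tool), a small Python checker for the t1.conf policy line loaded in step 7: it parses the selector and ipsec blocks, checks that laddr/raddr are CIDR prefixes and tladdr/traddr are host addresses, and reports algorithm values outside the list documented above. The FLAGGED set is this checker's own review rule, an assumption, not anything Mocana specifies.

```python
import ipaddress
import re

# Allowed values, taken from the t1.conf comments in this guide
ENCR_ALGS = {"3des", "aes", "blowfish", "arcfour", "des", "any"}
AUTH_ALGS = {"sha1", "md5", "any"}
# Assumption (a reviewer's policy, not Mocana's): deprecated algorithms, plus "any",
# which leaves the choice to negotiation instead of pinning it in the policy
FLAGGED = {"des", "arcfour", "md5", "any"}

# Sample input: the Scenario 1 policy line shown in the guide
SAMPLE = ("{ laddr 10.5.6.0/24 raddr 172.23.9.0/24 } ipsec "
          "{ encr_algs 3des encr_auth_algs sha1 tladdr 14.15.16.17 traddr 22.23.24.25 }")

# Shape of one policy line: '{ selector pairs } ipsec { ipsec pairs }'
LINE = re.compile(r"^\s*\{([^{}]*)\}\s*ipsec\s*\{([^{}]*)\}\s*$")

def _pairs(body):
    """Turn 'key value key value ...' into a dict, refusing a dangling key."""
    words = body.split()
    if len(words) % 2:
        raise ValueError("key without value in: %r" % body)
    return dict(zip(words[::2], words[1::2]))

def parse_policy(text):
    """Parse one t1.conf policy line into (selector, ipsec) dicts."""
    match = LINE.match(text)
    if not match:
        raise ValueError("not of the form '{ ... } ipsec { ... }'")
    return _pairs(match.group(1)), _pairs(match.group(2))

def check_policy(selector, ipsec):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Traffic selectors must be CIDR prefixes, tunnel endpoints single host addresses
    for key, conv in (("laddr", ipaddress.ip_network), ("raddr", ipaddress.ip_network),
                      ("tladdr", ipaddress.ip_address), ("traddr", ipaddress.ip_address)):
        block = selector if key in ("laddr", "raddr") else ipsec
        try:
            conv(block.get(key, ""))  # ip_network is strict: host bits must be zero
        except ValueError:
            findings.append("%s missing or malformed" % key)
    for key, allowed in (("encr_algs", ENCR_ALGS), ("encr_auth_algs", AUTH_ALGS)):
        value = ipsec.get(key)
        if value not in allowed:
            findings.append("%s %r is not a documented value" % (key, value))
        elif value in FLAGGED:
            findings.append("%s %s should be reviewed before deployment" % (key, value))
    return findings
```

Running check_policy(*parse_policy(SAMPLE)) on the Scenario 1 line returns no findings; swapping 3des/sha1 for des/md5 produces one finding per algorithm.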
    

    Mocana Corporation. 350 Sansome Street, Suite 210, San Francisco, CA 94104. +1.415.617.0055