Posted: Thu Dec 10, 2009 14:40 Post subject: need to configure ipsec VPN tunnel with policy NAT
Help! Just got the following info today and need to have it working by tomorrow or have our Linksys WRT54G, running DD-WRT v24-sp1 replaced with a high-dollar, externally managed Cisco device. Any help you can give as far as how to configure would be much appreciated!!!
Peer address 75.32.90.130
Encryption Method: 3DES
Hash Method: SHA 1
DH group 2
Authentication is pre-share and your key is: xxxxx
Your only host address will be 10.0.0.47/32
Aggressive Mode: No
Subnet key negotiation: Disabled
Perfect Forward Secrecy: Disabled
Security Association (SA) Timers:
Renegotiate IKE SA every 86,400 seconds
Renegotiate IPSec SA every 28,800 seconds
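As an added example (not from the original post, and not DD-WRT's own configuration), here is the parameter list above written as a strongSwan ipsec.conf connection on a Linux gateway; the remote subnet and the local LAN range are not given in the thread, so both are placeholders.

```ini
# Added example: strongSwan ipsec.conf translation of the peer's IKEv1
# site-to-site parameters. REMOTE_SUBNET is a placeholder; the thread
# never states which subnet sits behind the peer.
conn branch-to-peer
    keyexchange=ikev1
    aggressive=no              # Aggressive Mode: No, so IKE main mode
    authby=secret              # pre-shared key, stored in ipsec.secrets
    left=%defaultroute         # our public-facing interface
    leftsubnet=10.0.0.47/32    # the only host address the peer will accept
    right=75.32.90.130         # peer address
    rightsubnet=REMOTE_SUBNET/24   # placeholder: not given in the thread
    # Phase 1: 3DES / SHA-1 / DH group 2 (modp1024). These are legacy
    # algorithms, kept here only because the peer mandates them.
    ike=3des-sha1-modp1024!
    # Phase 2 without a DH group: Perfect Forward Secrecy disabled.
    esp=3des-sha1!
    ikelifetime=86400s         # renegotiate IKE SA every 86,400 seconds
    lifetime=28800s            # renegotiate IPsec SA every 28,800 seconds
    auto=start
```

Because the peer only sees 10.0.0.47, the "policy NAT" part is a source NAT applied to LAN traffic bound for the remote subnet before it is encapsulated, for example `iptables -t nat -A POSTROUTING -s LAN_RANGE -d REMOTE_SUBNET/24 -m policy --dir out --pol ipsec -j SNAT --to-source 10.0.0.47` (LAN_RANGE is a placeholder). The pre-shared key goes in ipsec.secrets as `%any 75.32.90.130 : PSK "xxxxx"`.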
You didn't specify what kind of VPN though, CLIENT or SITE to SITE.
Site to Site will require something on the other end that can talk to OpenVPN for it to work (i.e. WatchGuard/NetScreen), and for a client you will need the OpenVPN client software on every machine that will come in on the IKE_VPN tunnel.
And when you say that it supports NAT, I have to ask why?
Normally you'd just terminate the VPN connections to your LAN or a 2nd interface and route that to your LAN; throwing NAT into the VPN becomes messy and normally would only be used if you needed to host services at the other end of the VPN using a 1-to-1 NAT>VPN setup.
Posted: Thu Dec 10, 2009 15:20 Post subject: Re: need to configure ipsec VPN tunnel with policy NAT
LeeR wrote:
Help! Just got the following info today and need to have it working by tomorrow or have our Linksys WRT54G, running DD-WRT v24-sp1 replaced with a high-dollar, externally managed Cisco device.
I would go for the high-dollar Cisco device; your chance of getting the WRT54G running tomorrow if you have not set up an IPsec VPN tunnel on it before is quite slim.
WRT54G comes in many versions, some of them with a very limited amount of program memory.
The first thing you should check is if there is a DD-WRT version with VPN that fits in your router.
You are also running an ancient and buggy version of DD-WRT now, so you will have to upgrade to a more recent build.
If he wants a painless VPN solution, WatchGuard is the way to go; he can get a Core/Peak and an Edge, and setting up a site-to-site VPN will take less than 30 seconds after the routers are up and running.
And the price would be 1/3 of that of a Cisco ASA type device.
It is site to site. From our side, we will be the one accessing services available at the other end. Not sure why they need policy based NAT, but they say it is a requirement.
But since there are services you need to access at the other side, before continuing, you should let us know what they are.
There are some services that will NOT work over a NAT-based IKE VPN, such as services that rely on layer-2 broadcasts. VoIP services such as conference calls and LAMP notifications for voicemail are one example.
What is the device at the other end? We know that your side is a DD-WRT router (running VPN, I hope). Remember I said that the other side needs to be able to talk to OpenVPN for this to work.