This is TikiWiki v1.9.9 -Sirius- © 2002–2007 by the Tiki community Mon 06 of Sep, 2010 [15:01 UTC]

VPN Community



Create a VPN Community object to be used with the SOHO VPN Routers


Step 1
Select New Community, Star to create a new VPN Community. Name the new community OpenWRT.

[Image: openwrt-general.gif]
Figure 1: OpenWRT VPN Community, General


Step 2
Select Center Gateways from the left menu. Add the Location-A gateway.

[Image: openwrt-center-gw2.gif]
Figure 2: OpenWRT VPN Community, Center Gateways


Step 3
Select Satellite Gateways from the left menu. Add all of the SOHO VPN Router Interoperable Device objects to the list. (Normally Interoperable Device objects are added as they are created.)


[Image: openwrt-satellite2-gw.gif]
Figure 3: OpenWRT VPN Community, Satellite Gateways


Step 4
Select VPN Properties from the left menu. Select 3DES and MD5 for Phase 1. Select AES-128 and MD5 for Phase 2. (Other combinations of encryption and integrity algorithms may work as well, and some may provide better throughput and/or stronger encryption. Obviously, the Check Point settings must match the Openswan settings.)

[Image: openwrt-vpn_properties.gif]
Figure 4: OpenWRT VPN Community, VPN Properties


Performance Testing
The WRT54GL with a Broadcom 5352 200MHz CPU is fast enough to encrypt traffic at 2.97Mbits/second. This is just a little slower than the 3Mbps you would need for a full duplex T1 line. 2.97Mbps was best case during testing. Sustained throughput of 2.7Mbps is probably closer to what you should expect. Linksys and Asus each have a router with a faster Broadcom 4704 266MHz CPU. I tested the VPN performance of the WRTSL54GS router. The performance was between 4.16Mbps and 4.23Mbps. This is slightly higher than the 3.95Mbps predicted. The WRTSL54GS router’s processor is more than enough to handle a full T1 line.

CPU Bottleneck Work-around
The motivation behind this project was to create a VPN for VoIP phones like the Cisco 7960. If you want a pair of WRT54GLs to run a VPN and QoS on a 10Mbps Metro Ethernet connection, I have an idea. Set up two VLANs between the VPN router and the QoS router. VLAN1 is a small subnet inside the encryption domain. VLAN2 is another subnet outside the encryption domain. VLAN1 is only used to connect VoIP phones and is given priority in QoS. VLAN2 is Internet only. You are connected to your corporate network with a software VPN client running on your laptop on VLAN2. The advantage is that the WRT54GL CPU is no longer a bottleneck. The disadvantage is that you cannot perform QoS on traffic from the laptop. Since getting QoS working for VoIP is the primary goal, not running QoS on traffic from the laptop might not be an issue.


Step 5
Select Tunnel Management from the left menu. Accept the default settings.


[Image: openwrt-advanced-tunnel-mgm.gif]
Figure 5: OpenWRT VPN Community, Tunnel Management


Step 6
Select Advanced Settings from the left menu.


[Image: openwrt-advanced.gif]
Figure 6: OpenWRT VPN Community, Advanced Settings


Step 7
Select VPN Routing from the left menu. Select the "To Center and to other satellites through center" radio button.


[Image: openwrt-advanced-vpn_routin.gif]
Figure 7: OpenWRT VPN Community, Advanced Settings, VPN Routing


Step 8
Select Advanced VPN Properties from the left menu. Select the IKE Phase 1 settings. Select Use Diffie-Hellman Group 2 (1024 bit). Select renegotiate IKE Security Associations every 1440 minutes. Never check Aggressive Mode. Select the IPSec Phase 2 settings. Never check Perfect Forward Secrecy. Select renegotiate IPSec security associations every 3600 seconds. Select the NAT settings. Check Disable NAT inside the VPN community.


[Image: openwrt-advanced-vpn.gif]
Figure 8: OpenWRT VPN Community, Advanced Settings, Advanced VPN Properties
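Steps 4 and 8 spell out the IKE Phase 1 and IPsec Phase 2 parameters of the community, and the Openswan side of each tunnel has to agree with them exactly or the negotiation fails. The script below is an added example (not from the original page or from the Openswan project) that parses an ipsec.conf, expresses the community settings in Openswan keywords, and reports every conn stanza that deviates. The ipsec.conf text is constructed for the example, and the keyword mapping (ike=3des-md5-modp1024 for 3DES/MD5/DH group 2, esp=aes128-md5, ikelifetime, keylife, pfs, aggrmode) is an assumption based on Openswan's conn syntax; check it against the manual for the Openswan version on the router.

```python
"""Compare Openswan conn stanzas with the Check Point VPN Community settings
from Steps 4 and 8: 3DES/MD5 + DH group 2 for IKE Phase 1, AES-128/MD5 for
IPsec Phase 2, IKE SA every 1440 minutes, IPsec SA every 3600 seconds, no
PFS, no aggressive mode.  Added example, not part of the original page."""
import re

# The community settings from the page, written in Openswan's keyword
# vocabulary.  The keyword names and value syntax are an assumption.
EXPECTED = {
    "ike": "3des-md5-modp1024",   # Phase 1: 3DES, MD5, Diffie-Hellman group 2 (1024 bit)
    "esp": "aes128-md5",          # Phase 2: AES-128, MD5
    "ikelifetime": 1440 * 60,     # renegotiate IKE SA every 1440 minutes (seconds here)
    "keylife": 3600,              # renegotiate IPsec SA every 3600 seconds
    "pfs": "no",                  # Perfect Forward Secrecy never checked
    "aggrmode": "no",             # Aggressive Mode never checked
}

# Constructed sample ipsec.conf: one conn that matches the community and one
# with deliberate mismatches (SHA1 integrity, 8h IKE lifetime, PFS enabled).
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn checkpoint-ok
    ike=3des-md5-modp1024
    esp=aes128-md5
    ikelifetime=24h
    keylife=1h
    pfs=no
    aggrmode=no
    auto=start

conn checkpoint-bad
    ike=3des-md5-modp1024
    esp=aes128-sha1      # integrity algorithm differs from the community
    ikelifetime=8h       # shorter than the 1440 minutes configured on Check Point
    keylife=1h
    pfs=yes              # PFS is never checked in Step 8
    aggrmode=no
    auto=start
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert an Openswan time value to seconds: '24h' -> 86400, '1440' -> 1440."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        if not line[0].isspace():              # section header: 'conn NAME' or 'config setup'
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def mismatches(conn):
    """List (key, expected, actual) for each setting that differs from the community.
    A key missing from the stanza is reported with actual=None rather than assuming
    an Openswan default, since the whole point is to set these explicitly."""
    out = []
    for key, want in EXPECTED.items():
        have = conn.get(key)
        if have is not None:
            have = parse_duration(have) if key in ("ikelifetime", "keylife") else have.lower()
        if have != want:
            out.append((key, want, have))
    return out


def check_conf(text):
    """Map every conn name in the config to its list of mismatches (empty = OK)."""
    return {name: mismatches(conn) for name, conn in parse_conns(text).items()}


if __name__ == "__main__":
    for name, problems in check_conf(SAMPLE_CONF).items():
        print("%s: %s" % (name, "OK" if not problems else "MISMATCH"))
        for key, want, have in problems:
            print("  %s: Check Point expects %r, conn has %r" % (key, want, have))
```

Run it against the real /etc/ipsec.conf on the router by replacing SAMPLE_CONF with the file contents. The algorithm choices encoded in EXPECTED are the page's 2007 settings for a 200 MHz CPU; a current deployment would normally pick AES with SHA-2 integrity and a larger Diffie-Hellman group on both sides, and the checker only needs the EXPECTED table updated to follow.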


Step 9
Configure the VPN - IKE (Phase 1) settings in Global Properties, Remote Access. Select Policy, Global Properties, Remote Access, VPN - IKE (Phase 1). According to the DAIP note in Figure 8, it looks like I should have 3DES selected for the encryption algorithm and MD5 selected for data integrity in Figure 9. The settings in Figures 9 and 10 work. Maybe when I get done with the documentation, I'll try to figure out why the settings in Figures 9 and 10 work when you take into account the DAIP warning in Figure 8.


[Image: global-props-vpn-phase1.gif]
Figure 9: Global Properties, Remote Access, VPN - IKE (Phase 1)


Step 10
Configure the VPN - IPSec (Phase 2) settings in Global Properties, Remote Access. Select Policy, Global Properties, Remote Access, VPN - IPSec(Phase 2).


[Image: global-props-vpn-phase2.gif]
Figure 10: Global Properties, Remote Access, VPN - IPSec (Phase 2)


Created by: system last modification: Monday 07 of May, 2007 [22:05:35 UTC] by kpalmer

