Implementing a VPN on a Linksys WRV54G VPN Broadband Router




The Linksys WRV54G is an access point/router combination that Linksys designed for the small office or home user who wants a higher level of security than WEP or WPA can provide. The WRV54G offers all of the security features of other access points, but also provides the capability of setting up an IPSec VPN tunnel. A VPN tunnel allows two points to establish an encrypted session using a selected protocol. Other protocols can then be transmitted through this tunnel. A basic example of this is a Secure Shell (SSH) tunnel. A firewall can be configured to allow only SSH traffic (port 22) inbound. The client can then tunnel other traffic, such as HTTP (port 80), through the established SSH tunnel. This both encrypts the HTTP traffic and removes the requirement to allow port 80 traffic through the firewall. Additionally, because some form of authentication (passphrase, key exchange, or both) is required to establish the initial SSH tunnel, additional user-level access controls are in place.

This section describes the process of setting up an IPSec tunnel to utilize the VPN features on the WRV54G. First, we discuss the steps that must be taken on Windows 2000 or XP clients to prepare for VPN access. Then, the configuration steps that are required on the WRV54G are detailed.

Preparing Windows 2000 or XP Computers for Use with the WRV54G

There are four steps that you need to take to configure your Windows 2000 or XP computer to establish a VPN tunnel with the WRV54G.

  1. Create an IPSec policy.

  2. Build two filter lists.

  3. Establish the tunnel rules.

  4. Assign the IPSec policy to the computer.

Creating an IPSec Policy

Click Start | Run and type secpol.msc in the Open textbox to open the Local Security Settings screen, as seen in Figure 11.28.

Figure 11.28: Local Security Settings

Right-click IP Security Policies on Local Computer and select Create IP Security Policy to open the IP Security Policy Wizard. Click Next on the IP Security Policy Wizard window.

Enter a name for your security policy in the Name textbox (as shown in Figure 11.29) and click Next.

Figure 11.29: Naming the Local Security Policy

Clear the checkbox next to Activate the default response rule, as shown in Figure 11.30, and click Next.

Figure 11.30: Deactivate the Default Response Rule

Finally, make sure that the Edit properties checkbox is selected, as shown in Figure 11.31, and click Finish.

Figure 11.31: Completing the Local Policy Creation

Building Filter Lists

Selecting the Edit properties checkbox before finishing the IP Security Policy Wizard opens the Properties window for your new security policy (Figure 11.32).

Figure 11.32: The Policy Properties

Deselect the Use Add Wizard checkbox and click Add to open the New Rule Properties window. By default, this window opens on the IP Filter List tab. Click Add again to open the IP Filter List window. Enter a name for the filter, as shown in Figure 11.33. Deselect the Use Add Wizard checkbox and click Add.

Figure 11.33: The IP Filter List Window

The Filter Properties window opens on the Addressing tab. Choose My IP Address in the Source Address field and A specific IP Subnet in the Destination Address field. In the IP Address field enter 192.168.1.0. This represents all addresses in the range 192.168.1.1–192.168.1.255. If you are using a different range, make sure to adjust this accordingly. Enter the Subnet Mask for your network in the Subnet Mask field (see Figure 11.34). By default, this is 255.255.255.0. Click the OK button to close this window.

Figure 11.34: The IP Filter Settings

Next, click OK in Windows XP or Close in Windows 2000. This filter is used for communication from your computer to the router.

You will then need to create a filter for communication from the router to your computer. In the New Rule Properties window, highlight the rule you just created, as shown in Figure 11.35, and click Add.

Figure 11.35: Creating the Second Filter

This opens the IP Filter List window. Enter a name for the new filter in the Name textbox and click Add. On the Addressing tab, choose A specific IP Subnet in the Source Address field. In the IP Address field, enter 192.168.1.0. This represents all addresses in the range 192.168.1.1–192.168.1.255. If you are using a different range, you will need to adjust this accordingly. Enter the subnet mask for your network in the Subnet Mask field. By default, this is 255.255.255.0. Choose My IP Address in the Destination Address field (Figure 11.36).

Figure 11.36: The Filter Properties Window

Click the OK button to close this window. Next, click OK in Windows XP or Close in Windows 2000. This filter is used for communication from the router to your computer.

Establishing the Tunnel Rules

The rules that are employed by the tunnels must be set up in order to properly filter traffic through the VPN tunnel. First, select the tunnel you created for communication from your computer to the router and then click the Filter Action tab. Next, select the Require Security radio button and click Edit to open the Require Security Properties window, as shown in Figure 11.37.

Figure 11.37: The Require Security Properties Window

Ensure that the Negotiate security radio button is selected. Then, deselect Accept unsecured communication, but always respond using IPSec and select Session key perfect forward security (PFS), as shown in Figure 11.38.

Figure 11.38: The Security Methods Options

Click OK to return to the New Rule Properties window. Select the Authentication Methods tab and click Edit to open the Edit Authentication Method Properties window. Choose the Use this string (preshared key) radio button and enter the pre-shared key in the textbox (Figure 11.39). This can be a combination of up to 24 letters and numbers, but special characters are not allowed. Make sure that you remember this key as it will be used later when the router is configured.

Figure 11.39: Entering the Pre-Shared Key

Next, click the OK button in Windows XP or the Close button in Windows 2000.

Select the Tunnel Setting tab on the New Rule Properties window. Select The tunnel endpoint is specified by this IP address and enter the external IP address of the WRV54G, as shown in Figure 11.40. This is the IP address your router uses to communicate with the Internet.

Figure 11.40: The Tunnel Setting Tab

Next, click the Connection Type tab (as shown in Figure 11.41). Select All network connections if you want this rule to apply to both Internet and local area network (LAN) connections. Choose Local area network (LAN) if you want this tunnel to apply only to connections made from the local network. Choose Remote access if you want this rule to apply only to connections made from the Internet.

Figure 11.41: Select the Connection Type

After you have selected the type of network connections that the rule applies to, click Close.

Another filter rule must be created to allow communication from the router to your computer. To create this rule, repeat the steps outlined in this section, but enter the IP address of your computer as the Tunnel Endpoint instead of the IP address of the router.

Assigning the Security Policy

Finally, you must assign your new security policy to the local computer. In the Local Security Settings window, right-click the new policy that you have just created and select Assign, as shown in Figure 11.42.

Figure 11.42: Assigning the Security Policy

Your computer is now configured to communicate over a VPN tunnel.

Enabling the VPN on the Linksys WRV54G

Now that your computer is configured to communicate over an IPSec VPN tunnel, you must configure the WRV54G to communicate with your computer. Using your web browser, type the IP Address of the WRV54G into your address bar. This is 192.168.1.1, by default. You will be prompted for your username and password.

From the setup screen, select Security | VPN to display the VPN settings, as seen in Figure 11.43.

Figure 11.43: The WRV54G VPN Settings

Select the Enabled radio button for VPN Tunnel. Choose a name for this tunnel and enter it in the Tunnel Name textbox. Next, enter the IP address and netmask of the local network in the IP Address and Mask fields for the Local Secure Group. Use 192.168.1.0 to allow all IP addresses between 192.168.1.1–192.168.1.255.

Enter the IP address and netmask of the computer you just configured in the IP Address and Mask fields for the Remote Secure Group. Next, choose 3DES from the Encryption drop-down box. This requires the use of Triple Data Encryption Standard encryption. Choose SHA1 from the Authentication drop-down box.

Choose Auto(IKE) as the Key Exchange Method and select the Enabled radio button for PFS. This enables the use of Internet Key Exchange (IKE) and Perfect Forward Secrecy (PFS).

Finally, select the radio button next to Pre-Shared Key and enter the same pre-shared key you entered on your computer while setting it up.

Once you have entered these settings, your VPN setup screen should look similar to Figure 11.44.

Figure 11.44: The Completed VPN Settings

Click Save Settings to save your settings and establish a VPN tunnel between the WRV54G and your computer.
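The tunnel only comes up when the values typed on the computer and on the router agree, so the following added example (not from the book, and not a Linksys or Microsoft tool) generates a pre-shared key within the stated limit of 24 letters and numbers and cross-checks the two ends. The dictionary keys and the sample addresses are hypothetical; the values are entered by hand and nothing is read from Windows or the router.

```python
import ipaddress
import math
import secrets
import string

PSK_ALPHABET = string.ascii_letters + string.digits  # letters and numbers only
PSK_MAX_LEN = 24                                     # longest key the text allows

def generate_psk(length=PSK_MAX_LEN):
    """Random pre-shared key from a CSPRNG, within the limits stated in the text."""
    if not 1 <= length <= PSK_MAX_LEN:
        raise ValueError("length must be between 1 and 24")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))

def psk_entropy_bits(length):
    """Entropy of a uniformly random key of this length over the 62 symbols."""
    return length * math.log2(len(PSK_ALPHABET))

def check_tunnel(client, router):
    """List mismatches between the Windows IPSec policy and the router's VPN page."""
    problems, psk = [], client["psk"]
    if not (psk.isascii() and psk.isalnum() and len(psk) <= PSK_MAX_LEN):
        problems.append("pre-shared key breaks the 24 letters-and-numbers limit")
    if psk != router["psk"]:
        problems.append("pre-shared key differs between computer and router")
    if client["pfs"] != router["pfs"]:
        problems.append("PFS is enabled on one side only")
    if client["filter_out"] != client["filter_in"][::-1]:  # (source, destination)
        problems.append("the two filter lists are not mirror images")
    dest = ipaddress.ip_network(client["filter_out"][1], strict=False)
    if dest != ipaddress.ip_network(router["local_group"], strict=False):
        problems.append("outbound filter subnet is not the Local Secure Group")
    if ipaddress.ip_address(client["ip"]) not in ipaddress.ip_network(router["remote_group"], strict=False):
        problems.append("Remote Secure Group does not cover the computer")
    if client["endpoint_out"] != router["wan_ip"]:
        problems.append("outbound rule endpoint is not the router's external address")
    if client["endpoint_in"] != client["ip"]:
        problems.append("inbound rule endpoint is not the computer's address")
    return problems

# Constructed sample values (documentation address ranges), not taken from the book.
KEY = generate_psk()
CLIENT = {"ip": "203.0.113.25", "psk": KEY, "pfs": True,
          "filter_out": ("203.0.113.25", "192.168.1.0/255.255.255.0"),
          "filter_in": ("192.168.1.0/255.255.255.0", "203.0.113.25"),
          "endpoint_out": "198.51.100.10", "endpoint_in": "203.0.113.25"}
ROUTER = {"wan_ip": "198.51.100.10", "psk": KEY, "pfs": True,
          "local_group": "192.168.1.0/255.255.255.0",
          "remote_group": "203.0.113.25/255.255.255.255"}
```

An empty list from `check_tunnel(CLIENT, ROUTER)` means the entered values are consistent; a random 24-character key over this alphabet carries about 143 bits of entropy.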






WarDriving: Drive, Detect, Defend: A Guide to Wireless Security