WIN2K VPN to ZyWALL Tunneling

  1. Setup WIN2K VPN
  2. Setup ZyWALL VPN

This page shows how to set up a VPN connection between the WIN2K VPN software and a ZyWALL router. Two devices need to be configured for this case: the WIN2K VPN software and the ZyWALL router.

As shown in the figure below, the tunnel between PC 2 and ZyWALL ensures that the packets flowing between them are secure, because packets that go through the IPSec tunnel are encrypted. The settings required on WIN2K and ZyWALL to set up this VPN tunnel are explained in the following sections. As the red pipe in the figure shows, the tunnel endpoints are WIN2K and ZyWALL.

The IP addresses we use in this example are as shown below.

[Figure: network topology]
  PC 1 (WIN2K): 172.21.1.232
  ZyWALL:       WAN 172.21.1.252, LAN 192.168.1.1
  PC 2:         192.168.1.33


1. Setup WIN2K VPN

- Create a custom MMC console

  1. From Windows desktop, click Start, click Run, and in the Open textbox type MMC. Click OK.

  2. On the Console window, click Add/Remove Snap-In.

  3. In the Add/Remove Snap-In dialog box, click Add.

  4. In the Add Standalone Snap-in dialog box, click Computer Management, and then click Add.

  5. Verify that Local Computer (default setting) is selected, and click Finish.

  6. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add.

  7. Verify that Local Computer (default setting) is selected in the Group Policy Object dialog box, and then click Finish.

  8. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

  9. In the Certificates snap-in dialog box, select Computer account, and click Next.

  10. Verify that Local Computer (default setting) is selected, and click Finish.

  11. Click Close to close the Add Standalone Snap-in dialog box.

  12. Click OK to close the Add/Remove Snap-in dialog box.

[Screenshot: mmc.gif]


- Create IPSec Policy

Typically, a Windows 2000 gateway is not a member of a domain, so a local IPSec policy is created. If your Windows 2000 gateway is a member of a domain that already has an IPSec policy, you can instead create an Organizational Unit (OU) in Active Directory, make your WIN2K a member of this OU, and assign the IPSec policy to the Group Policy Object (GPO) of this OU. For more information, please refer to the Assigning IPSec Policy section of Windows 2000 online help.

  1. From Windows desktop, click Start, click Run, and in the Open textbox type SECPOL.MSC. Click OK.

  2. Right-click IP Security Policies on Local Machine, and then click Create IP Security Policy.

  3. Click Next, and type a name for your policy, for example WIN2K to ZyWALL Tunnel.

  4. Uncheck the Activate the default response rule check box, and click Next.

  5. Keep the Edit properties check box selected and click Finish.

  6. A dialog window will pop up for you to configure the two filter rules for this policy.

[Screenshot: policy.gif]

Note: The IPSec policy is created with the default IKE main mode (phase 1) settings on the General tab. Click Advanced on this tab to review them.


The IPSec tunnel consists of two rules, each of which specifies a tunnel endpoint. Because there are two endpoints, we need two filter rules: one for the direction from PC 1 to PC 2 (the endpoint is ZyWALL), and the other for the direction from PC 2 to PC 1 (the endpoint is WIN2K). Each rule requires a source IP and a destination IP for the local and remote VPN hosts (PC 1 or PC 2). See the guides below.

- Build a Filter List from PC 1 to PC 2

  1. In the policy properties, uncheck the Use Add Wizard check box, and click Add to create a new rule.

  2. On the IP Filter List tab, click Add.

  3. Type a name for the filter list (e.g., WIN2K to ZyWALL), uncheck the Use Add Wizard check box, and click Add.

  4. In Source address, choose A specific IP Address, and enter the IP address of PC 1.

  5. In Destination address, choose A specific IP Address, and enter the IP address of PC 2.

  6. Uncheck the Mirrored check box.

  7. On the Protocol tab, leave the protocol type as Any, because IPSec tunnels do not support protocol-specific or port-specific filters.

  8. On the Description tab, you can give a name to this filter list. The filter name is displayed in the IPSec monitor when the tunnel is active.

  9. Click OK and Close to close the windows.

- Build a Filter List from PC 2 to PC 1

  1. On the IP Filter List tab, click Add.

  2. Type a name for the filter list (e.g., ZyWALL to WIN2K), uncheck the Use Add Wizard check box, and click Add.

  3. In Source address, choose A specific IP Address, and enter the IP address of PC 2.

  4. In Destination address, choose A specific IP Address, and enter the IP address of PC 1.

  5. Uncheck the Mirrored check box.

  6. On the Protocol tab, leave the protocol type as Any, because IPSec tunnels do not support protocol-specific or port-specific filters.

  7. On the Description tab, you can give a name to this filter list. The filter name is displayed in the IPSec monitor when the tunnel is active.

  8. Click OK and Close to close the windows.


- Configure a Rule for PC 1 to PC 2 tunnel

  1. Select the first filter list you created above from the IP Filter List, for example WIN2K to ZyWALL.

  2. Click the Tunnel Setting tab and enter the remote endpoint. For this filter list, the remote IPSec endpoint is ZyWALL.

  3. Click the Connection Type tab and click All network connections (or click LAN connections if your WIN2K is connected to the LAN rather than to an ISP). In our example, we choose All network connections.

  4. Click the Filter Action tab, uncheck the Use Add Wizard check box, and click Add.

  5. Leave Negotiate security checked, and uncheck the Accept unsecured communication, but always respond using IPSec check box. You must do this to ensure secure connections.

  6. Click Add and select Custom (for expert users) if you want to define specific algorithms and session key lifetimes. Please make sure the settings match what we will configure in ZyWALL later.

  7. Click OK. On the General tab, give a name to the filter action, for example WIN2K to ZyWALL, and click OK.

  8. Select the filter action you just created.

  9. On the Authentication Methods tab, click Add, select the Use this string to protect the key exchange (pre-shared key) option, and enter the string 12345678 in the text box.

  10. Click OK.

See the finished screen shot.
[Screenshot: rule.gif]

- Configure a Rule for PC 2 to PC 1 tunnel

  1. In the IPSec policy properties, click Add to create a new rule.

  2. Select the second filter list you created above from the IP Filter List, for example ZyWALL to WIN2K.

  3. Click the Tunnel Setting tab and enter the remote endpoint. For this filter list, the remote IPSec endpoint is WIN2K.

  4. Click the Connection Type tab and click All network connections (or click LAN connections if your WIN2K is connected to the LAN rather than to an ISP). In our example, we choose All network connections.

  5. Click the Filter Action tab and select the filter action you created.

  6. On the Authentication Methods tab, configure the same settings as in the first rule.

  7. Click Close.

  8. Enable both rules you created in the policy properties and click Close.

Figure 5: See the finished screen shot.
[Screenshot: tworules.gif]


- Assign Your New IPSec Policy to Your Windows 2000

  1. In the IP Security Policies on Local Machine MMC snap-in, right-click your new policy, and click Assign.

[Screenshot: assign.gif]

  2. A green arrow will appear in the folder icon next to your policy. See the screen shot below.

[Screenshot: last.gif]

For more information about configuring WIN2K IPSec, please refer to the following web sites.

1. http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
2. http://support.microsoft.com/support/kb/articles/q252/7/35.asp


2. Setup ZyWALL VPN

  1. Using a web browser, log in to ZyWALL by entering the LAN IP address of ZyWALL in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  2. Go to SECURITY->VPN and press the Add button.
  3. Check the Active check box and give a name to this policy.
  4. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as configured in WIN2K.
  5. Source IP Address Start and Source IP Address End are the PC 2 IP in this example (the secure host behind ZyWALL).
  6. Destination IP Address Start and Destination IP Address End are the PC 1 IP in this example (the secure WIN2K PC). Note: You may assign a range of Source/Destination IP addresses for multiple VPN sessions.
  7. My IP Addr is the WAN IP of ZyWALL.
  8. Secure Gateway IP Addr is the remote WIN2K's IP, that is, PC 1 in this example.
  9. Set Encapsulation Mode to Tunnel.
  10. Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
  11. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as configured in WIN2K.
  12. Enter the key string 12345678 in the Preshared Key text box, and click Apply.

See the VPN rule screen shot.

You can further adjust the IKE Phase 1/Phase 2 parameters by pressing the Advanced button.
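Most failed tunnels between these two products come from the two sides disagreeing on one of the values above (addresses, endpoints, mode, algorithms or pre-shared key), so it helps to check them against each other before testing. The following Python script is an added example written for this page, not ZyXEL's or Microsoft's own tooling: it models the WIN2K policy from section 1 and the ZyWALL rule from section 2 with the values used in this guide and reports every mismatch; the dictionary field names are this example's own assumptions, not Windows or ZyWALL identifiers.

```python
from ipaddress import ip_address
# Windows 2000 side: the two tunnel rules built in section 1 (field names are this example's own).
WIN2K_POLICY = {
    "ike_mode": "Main", "psk": "12345678", "encryption": "DES", "integrity": "MD5",
    "rules": [
        {"name": "WIN2K to ZyWALL", "src": "172.21.1.232", "dst": "192.168.1.33",
         "tunnel_endpoint": "172.21.1.252", "mirrored": False},
        {"name": "ZyWALL to WIN2K", "src": "192.168.1.33", "dst": "172.21.1.232",
         "tunnel_endpoint": "172.21.1.232", "mirrored": False},
    ],
}

# ZyWALL side: the single VPN rule from section 2.
ZYWALL_RULE = {
    "active": True, "keying": "IKE", "negotiation": "Main",
    "encapsulation": "Tunnel", "protocol": "ESP",
    "encryption": "DES", "authentication": "MD5", "psk": "12345678",
    "my_ip": "172.21.1.252", "secure_gateway": "172.21.1.232",
    "src_start": "192.168.1.33", "src_end": "192.168.1.33",
    "dst_start": "172.21.1.232", "dst_end": "172.21.1.232",
}

def in_range(addr, start, end):
    return ip_address(start) <= ip_address(addr) <= ip_address(end)
def check_tunnel(win, zy):
    """Return the list of mismatches between the two sides; [] means they agree."""
    problems = []
    if not zy["active"]:
        problems.append("ZyWALL rule is not active")
    if zy["keying"] != "IKE" or win["ike_mode"] != zy["negotiation"]:
        problems.append("IKE keying or negotiation mode differs")
    if zy["encapsulation"] != "Tunnel" or zy["protocol"] != "ESP":
        problems.append("ZyWALL must use ESP in Tunnel mode (AH cannot cross SUA/NAT)")
    if (win["encryption"], win["integrity"]) != (zy["encryption"], zy["authentication"]):
        problems.append("encryption or authentication algorithm differs")
    if win["psk"] != zy["psk"]:
        problems.append("pre-shared keys differ")
    # WIN2K needs one un-mirrored rule per endpoint: ZyWALL's WAN IP and WIN2K itself.
    by_endpoint = {r["tunnel_endpoint"]: r for r in win["rules"]}
    out, back = by_endpoint.get(zy["my_ip"]), by_endpoint.get(zy["secure_gateway"])
    if out is None or back is None:
        return problems + ["WIN2K needs one rule per tunnel endpoint"]
    problems += [f"rule '{r['name']}' must not be mirrored" for r in (out, back) if r["mirrored"]]
    if not (in_range(out["dst"], zy["src_start"], zy["src_end"])
            and in_range(out["src"], zy["dst_start"], zy["dst_end"])):
        problems.append("WIN2K filter addresses are outside ZyWALL's source/destination range")
    if (back["src"], back["dst"]) != (out["dst"], out["src"]):
        problems.append("return rule is not the reverse of the outbound rule")
    return problems
```

Running `check_tunnel(WIN2K_POLICY, ZYWALL_RULE)` on the guide's values returns an empty list; edit either dictionary to match your own deployment and any reported item points at the setting to correct first.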