VPN IPSec Pass Through, 357 | Motorola 7000, 3352N, 3342, 2200

VPN IPSec Pass Through

This Motorola Netopia® service supports your independent VPN client software in a transparent manner. Motorola Netopia® has implemented an Application Layer Gateway (ALG) to support multiple PCs running IP Security protocols.

This feature has three elements:

1.On power up or reset, the address mapping function (NAT) of the Gateway’s WAN con- ﬁguration is turned on by default.

2.When you use your third-party VPN application, the Gateway recognizes the trafﬁc from your client and your unit. It allows the packets to pass through the NAT “protection layer” via the encrypted IPSec tunnel.

3.The encrypted IPSec tunnel is established “through” the Gateway.

A typical VPN IPSec Tunnel pass through is diagrammed below:

Motorola Netopia®

Gateway

☛NOTE:

Typically, no special conﬁguration is necessary to use the IPSec pass through feature.

In the diagram, VPN PC clients are shown behind the Motorola Netopia® Gateway and the secure server is at Corporate Headquarters across the WAN. You cannot have your secure server behind the Motorola Netopia® Gateway.

When multiple PCs are starting IPSec sessions, they must be started one at a time to allow the associations to be created and mapped.

VPN IPSec Tunnel Termination

This Motorola Netopia® service supports termination of VPN IPsec tunnels at the Gateway. This permits tunnelling from the Gateway without the use of third-party VPN client software on your client PCs.

357

Image 357

Motorola 7000, 3352N, 3342, 2200 manual VPN IPSec Pass Through, VPN IPSec Tunnel Termination, 357

Contents

Administrator’s Handbook Copyright Administrator’s HandbookPage Administrator’s Handbook Table of Contents Breadcrumb Trail Security Basic Troubleshooting Command Line Interface 223 Administrator’s Handbook Glossary Overview of Major Capabilities What’s New Introduction Administrator’s Handbook Intended Audience About Motorola Netopia DocumentationDocumentation Conventions General Internal Web Interface Command Line Interface Word About Example Screens Organization Administrator’s Handbook Basic Mode Setup Power Supply Installation Important Safety Instructions Wichtige Sicherheitshinweise AchtungBewahren Sie diese Anweisungen auf Microsoft Windows Setting up the Motorola Netopia GatewayPage Macintosh MacOS 8 or higher or Mac OS MiAVo Vdsl and Ethernet WAN models Quickstart Conﬁguring the Motorola Netopia Gateway You can skip to Home Page Basic Mode on PPPoE Quickstart Set up the Motorola Netopia Pocket Gateway Page Motorola Netopia Gateway Status Indicator Lights Home Page Basic Mode Down Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Open the Web Connection Accessing the Expert Web Interface Administrator’s Handbook Home Page Information Home Page Expert ModeSummary Information Field Status and/or Description NAT VoIP Toolbar Navigating the Web InterfaceLink Breadcrumb Trail Button Restart Restart Link Alert Symbol Button Help Help Conﬁgure Button ConﬁgureLink Quickstart Administrator’s Handbook Link LAN Administrator’s Handbook Page Administrator’s Handbook Wireless supported models Privacy Page Advanced About Closed System Mode Administrator’s Handbook Multiple SSIDs ExamplesWPA Version Allowed Administrator’s Handbook Page WiFi Multimedia Wireless MAC Authorization Administrator’s Handbook Use Radius Server Advanced Network Conﬁguration page appears PPP over Ethernet interface Link WAN DHCP/PPPoE/PPPoA Autosensing RIP-1 compatibility, or RIP-2 with MD5 Advanced Ethernet WAN interface Page Advanced IP GatewayOther WAN Options WAN Ethernet and Vdsl Gateways Adsl GatewaysAvailable Encapsulation types Administrator’s Handbook Page Sustained Cell Rate SCR Transmit Priority Comments Class Link Advanced IP Static Route Entry page appears Link IP Static Routes Changes link Link IP Static ARP Link Pinholes Tips for making Pinhole Entries Gateway Pinhole Conﬁguration Procedure. Use the following steps Page Administrator’s Handbook FAQs for the IPMaps Feature Conﬁgure the IPMaps Feature Motorola Netopia Gateway WAN Interface LAN Interface IPMaps Block Diagram192.168.1.1 192.168.1.2 Link Default Server Internet Gateway Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link DNS Link Dhcp Server Link Radius Server Link Snmp Page Link Igmp Internet Group Management Protocol Igmp Version 3 supports100 101 102 Link UPnP 103 Link LAN Management 104 Link Ethernet Bridge 105 Conﬁguring for Bridge Mode 106 107 Overview 108 Ethernet Switching/Policy Setup 109 Vlan Model Combining Bridging and Routing 110 111 Vlan Port Conﬁguration screen appears 112 113 114 115 116 Example 117 118 119 Click the Save and Restart link 120 Supported models only 121 SIP Line Entry 122 Call Features Settings 123 124 Link System 125 Link Syslog Parameters Log Event Messages Administration Related Log MessagesSystem Log Messages DSL Log Messages most common 127 Access-related Log Messages 128 129 Link Internal Servers 130 Link Software Hosting 131 List of Supported Games and Software 132 Rename a UserPC Check the Enable Backup Gateway checkbox Manual options133 134 Automatic options 135 136 Link Ethernet MAC Override 137 Link Clear Options 138 Link Time Zone Security Button Security139 140 Link Passwords 141 Link Firewall Conﬁguring for a BreakWater SettingUse a Motorola Netopia Firewall 142 Tips for making your BreakWater Basic Firewall Selection Basic Firewall Background143 144 BreakWater Setting ClearSailing SilentRunning LANdLocked 145 146 Link IPSec 147 SafeHarbour IPSec VPN 148 Conﬁguring a SafeHarbour VPN Parameter Motorola Netopia Peer Gateway 149 150 Be sure that you have SafeHarbour VPN enabled Parameter Descriptions Field Description151 Address/Value 152 153 Stateful Inspection Firewall installation procedure Link Stateful Inspection154 155 Exposed Addresses 156 Stateful Inspection Options Open Ports in Default Stateful Inspection InstallationPort Protocol Description LAN Private WAN Public Interface 157 General ﬁrewall terms Firewall TutorialBasic IP packet components Basic protocol types Firewall design rules Example TCP/UDP Ports TCP Port ServiceFirewall Logic 159 Implied rules Example ﬁlter set160 Example ﬁlters Filter basicsWhat it means Example network 162 Link Packet Filter What’s a ﬁlter and what’s a ﬁlter set?163 How ﬁlter sets work Filter priority164 ﬁltering rule How individual ﬁlters workParts of a ﬁlter Port numbers Port number comparisons Other ﬁlter attributes166 Putting the parts together Filtering example #1167 168 Design guidelines Filtering example #2169 170 An approach to using ﬁlters Working with IP Filters and Filter Sets Adding a ﬁlter set171 172 Adding ﬁlters to a ﬁlter set 173 174 Enter the Source Mask for the source IP address 175 Deleting a ﬁlter set 176 Associating a Filter Set with an Interface Policy-based Routing using Filtersets TOS ﬁeld matching177 178 Using the Security Monitoring Log Link Security Log179 TCP 180 181 Timestamp Background Install Button Install182 Required Files Link Install SoftwareBackground 183 Motorola Netopia ﬁrmware Image File Install the Motorola Netopia ﬁrmware ImageConﬁrm Motorola Netopia Firmware Image Files 184 185 Verify the Motorola Netopia Firmware Release 186 Use Motorola Netopia Software Feature Keys Link Install KeyObtaining Software Feature Keys Procedure Install a New Feature Key File 188 189 To check your installed features 190 Link Install Certiﬁcate 191 Administrator’s Handbook 192 193 Basic Troubleshooting Action Status Indicator LightsEthernet 194 195 Model 2241N only 196 Ethernet 1, 2, 3 197 Wireless 198 199 Special patterns 200 LAN 1, 2, 3 201 Wireless Link DSL 1 & 2 ADSL2+ Models only Ethernet 1, 2, 3202 203 204 LED Function Summary Matrix Active Wireless UnlitTrafﬁc Link Factory Reset Switch 207 Advanced Troubleshooting 208 Home Device Gateway 209 Expert Mode Button Troubleshoot210 211 Link System Status 212 Link Ports Ethernet 213 Link Ports DSL 214 Link IP Interfaces 215 Link DSL Circuit Conﬁguration 216 Link System Log Entire 217 Link Diagnostics 218 Link Network Tools 219 220 If Ping is not successful, possible causes are 221 Administrator’s Handbook 222 223 Command Line Interface 224 Overview Command Verbs Status and/or Description Keywords225 Saving Settings Using the CLI Help FacilityStarting and Ending a CLI Session Logging Shell Command Shortcuts About Shell CommandsShell Prompt 227 Common Commands Shell Commands License key Loglevel level229 Netstat -r NetstatQuit 230 Reset atm Reset arpReset cdmode Reset crash Reset wan-users all ip-address Reset security-logReset wan Reset wepkeys Show dhcp agent Show crashShow dhcp server leases Show diffserv Show etheroam ah Show featuresShow group-mgmt Show ip arp Show ip lan-discovery Show ip ﬁrewallShow ip routes Show ip state-insp Show summary Show statusShow vlan 236 237 Show wireless clients MACaddress Show wireless allUpload serveraddress ﬁlename conﬁrm View conﬁg WAN Commands Config Mode Prompt About Config CommandsNavigating the Config Hierarchy Show ppp stats lcp ipcp Guidelines Config Commands Entering Commands in Config ModeSet ip ethernet a ipaddress 241 Step Mode a CLI Conﬁguration Technique Displaying Current Gateway SettingsValidating Your Conﬁguration 242 Remote ATA Conﬁguration Commands Config Commands Set ata proﬁle 0.. ata-static-wan-gateway ipaddr Set ata proﬁle 0.. ata-user-password stringSet ata proﬁle 0.. ata-proxy-server ipaddr Set ata proﬁle 0.. ata-proxy-port port DSL Commands Set atm vcc n vpi 0 Bridging SettingsSet atm vcc n vci 0 Set atm vccn pppoe-sessions 1 Set bridge sys-bridge on off Set bridge table-timeout 30Set bridge concurrent-bridging-routing on off Set bridge dhcp-ﬁlterset string Dhcp Settings Set dhcp range 2.. end-address ipaddress Set dhcp range 2.. start-address ipaddressSet dhcp gen-option name name Set dhcp gen-option option 1 250 Option Data Format Data Size Can Bytes Conﬁgure Set dhcp gen-option data-type ascii hex dotted-decimal Set dhcp gen-option data data251 Set dhcp ﬁlterset name string rule n dhcp-option 0 Set dhcp ﬁlterset name string rule n match-str matchstring252 Set dhcp ﬁlterset name string rule n absent-pool ipaddress Set dhcp ﬁlterset name string rule n match-pool ipaddressSet dhcp assigned-ﬁlterset string 253 DMT Settings Domain Name System Settings 256 257 Igmp Settings Set igmp robustness value Set igmp snooping off onSet igmp query-intvl value Set igmp query-response-intvl value IP Settings Set ip dsl vccn netmask netmask Set ip dsl vccn restrictions admin-disabled noneSet ip dsl vccn addr-mapping on off Set ip dsl vccn auto-sensing off dhcp/pppoe pppoe/pppoa Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5 Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5Set ip ethernet a option on off Set ip ethernet a address ipaddress Set ip ethernet a netmask netmask Set ip ethernet a restrictions none admin-disabledSet ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5 Set ip ethernet a subnet n netmask netmask Set ip ethernet a subnet n address ipaddressSet ip gateway option on off Set ip gateway interface ip-address ppp-vccn Set ip ip-ppp vccn peer-address ipaddress Set ip ip-ppp vccn restrictions admin-disabled noneSet ip ip-ppp vccn addr-mapping on off Set ip ip-ppp vccn auto-sensing off dhcp/pppoe pppoe/pppoa Set ip ip-ppp vccn igmp-null-source-addr on off Set ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5Set ip ip-ppp vccn mcast-fwd on off Set ip ip-ppp vccn unnumbered on off Set ip igmp-forwarding off on Set ip static-arp ip-addressipaddressSet ip ipsec-passthrough off on Set ip prioritize off on Set diffserv option off on Set diffserv lohi-ratio 60 100 percent267 268 Qos off assure expedite network-control 269 Set diffserv qos dscp-map default custom 270 271 Queue Conﬁguration 272 273 Set queue name wfq weight-type bps 274 Set queue name priorityqueuename default-inputqueuename 275 Rate-limiting weighted fair queue to 100Kbps Set ip ethernet B rtsp-passthrough off on Set ip sip-passthrough on offSet ip static-routes destination-networknetaddress 276 Delete ip static-routes destination-network netaddress IPMaps SettingsSet ip-maps name name internal-ip ip address Set ip-maps name name external-ip ip address Network Address Translation NAT Pinhole Settings Network Address Translation NAT Default Settings PPPoE /PPPoA Settings Set ppp module vccn magic-number on off Set ppp module vccn restart-timer integerSet ppp module vccn protocol-compression on off Set ppp module vccn lcp-echo-requests on off Set ppp module vccn port-authentication password password Set ppp module vccn port-authentication username usernameSet ppp module vccn connection-type instant-on always-on Set ppp module vccn time-out integer Set wan-over-ether pppoe on off PPPoE with IPoE SettingsSet wan-over-ether pppoe-with-ipoe on off Set wan-over-ether ipoe-sessions 1 Set atm vcc n encap pppoe-llc Ethernet Port SettingsSet ip ip-ppp vcc1 mcast-fwd on off Set ip ip-ppp vcc1 igmp-null-source-addr off on 802.3ah Ethernet OAM Settings Set preference verbose on off Command Line Interface Preference SettingsSet preference more lines 285 Set servers web-http 1 Port Renumbering SettingsSet servers telnet-tcp 1 286 Set security ipsec tunnels name 123 tun-enable on on off Security SettingsSet security ipsec option off on off Set security ipsec tunnels name 288 Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 Set security ipsec tunnels name 123 xauth password password Set security ipsec tunnels name 123 xauth enable off onSet security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 xauth username username Set security ipsec tunnels name 123 local-id idvalue Set security ipsec tunnels name 123 remote-id idvalue290 291 Set security state-insp udp-timeout 30 Set security state-insp tcp-timeout 30Set security state-insp dos-detect off on 292 293 Set security state-insp xposed-addr exposed-address# n 294 Packet Filtering Settings 295 Operator 296 Snmp Settings System Settings Set system name name298 Set system username administrator name user name Set system idle-timeout telnet 1...120 http 1Set system password admin user Set system ftp-server option off on Sleep Contact-email string@domainname location string Set system zerotouch option on off300 Syslog 302 Default syslog installation procedure Wireless Settings supported models 304 Set wireless no-bridging off on Set wireless tx-power full medium fair low minimal305 306 Set wireless wmm option off on 307 Set wireless network-id privacy pre-shared-key string Set wireless network-id privacy default-keyid308 Set wireless mac-auth option on off Example 40bit key 02468ACE02309 Set radius radius-secret sharedsecret Set radius radius-name servernamestringSet radius alt-radius-name servernamestring Set radius alt-radius-secret sharedsecret Vlan Settings Set vlan name name ports port port-pbits 0 Set vlan name name ip-interface ipinterface312 313 Assign an IP interface Set vlan name PPPoE11 id 314 Set vlan name Video31 ports eth1 tag on 315 VoIP settings Set voip phone 0 1 sip-user-display-name name Set voip phone 0 1 sip-user-password passwordSet voip phone 0 1 sip-user-name username Set voip phone 0 1 auth-id string 318 Set voip phone 0 1 codec G72640 priority 1 2 3 4 5 6 7 none 319 320 DSL Forum settings UPnP settings 322 TR-069 Backup IP Gateway Settings 324 Set ip backup-gateway default ipaddress 325 Vdsl Settings 326 327 Vdsl Parameters Accepted Values 328 Parameter 329 Accepted Values 330 331 Glossary 332 333 334 Ethernet crossover cable. See crossover cable 335 336 337 338 339 340 341 Administrator’s Handbook 342 343 Description Manufacturer’s Declaration of Conformance Agency approvalsNorth America International 345 Declaration for Canadian users Australian Safety Information Important Safety InstructionsTelecommunication installation cautions 346 347 CFR Part 68 Information Electrical Safety Advisory Copyright Acknowledgments348 349 350 Wide Area Network Termination PPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATM351 Instant-On PPP Simpliﬁed Local Area Network SetupDhcp Dynamic Host Conﬁguration Protocol Server 352 Management DiagnosticsDNS Proxy Embedded Web Server Password Protection Remote Access ControlNetwork Address Translation NAT 354 Motorola Netopia Gateway Motorola Netopia Advanced Features for NATInternal Servers 355 Pinholes Default ServerCombination NAT Bypass Conﬁguration IP-Passthrough VPN IPSec Pass Through VPN IPSec Tunnel Termination357 SSL Certiﬁcate Support Stateful Inspection FirewallVLANs 358 359 Index 360 Config 361 362 NAT 264, 278 363 PPP 364 Shell 365 VPN 366 367 Administrator’s Handbook 368