Linksys RVL200 as IPSec VPN gateway to Wyless example

The following steps describe how to configure a Linksys model RVL200 to provide a persistent IPSec VPN connection to Wyless over an IPSec router. Any additional provisioning that may be required for NAT-Traversal is beyond the scope of this document.

Note: Please note the following:

The following main steps are performed:

Log into configuration page

Use an Ethernet cable connected from your PC to any of the four adjacent ports on the side of the Linksys RVL200 router. Open a web browser and navigate to the following IP address:

http://192.168.1.1/default

You should be prompted for login name and password (if not, check that your PC has a 192.168.1.nnn static IP address, the Ethernet cable is a crossover type, and the router is set to its default configuration).

The factory default login credentials for this Linksys model are “admin” for user name and “admin” for the password. After you log in, you need to configure the device IP address to an address within the subnet agreed upon with Wyless.

Configure device IP address

From the Linksys router’s configuration menu, navigate to Setup > Network to review the current LAN settings.

Figure A.4. Linksys RVL200 Setup, Network menu

If the default IP address, 192.168.1.1, is not on the subnet agreed upon with Wyless in their VPN form, the device’s IP address will need to be changed to an IP on that subnet.

Suppose the “internal IP subnet” is to be 10.111.90.0/24. The default configuration is then changed to look as shown in Figure A.5 below.

Figure A.5. LAN Setting default re-configured to be on internal IP subnet

Note that in this case the subnet mask is left unchanged only because the default mask is already a 24-bit mask, which matches the internal subnet.

The VPN parameters may not explicitly state an IP address to use as the IPSec router’s IP address. In that case, you can choose any available IP address.

After changing the Linksys router’s Device IP Address, save the change by clicking the “Save Settings” link on the bottom right of the page.

Note: This new IP address takes effect immediately after saving. Therefore, it is necessary to navigate to this new IP address in your web browser and log in again.

Create and configure the IPSec tunnel

After logging in to the Linksys RVL200 router from a browser, navigate to the IPSec VPN > Gateway to Gateway page. Choose “Add a new Tunnel”, as shown in Figure A.6 below.

Figure A.6. IPSec VPN menu item Add a new Tunnel (Linksys RVL200)

Note: The Linksys RVL200 does not support multiple tunnels. If a tunnel has already been created, you may edit its parameters, or else delete it (and then add a new tunnel).

Figure A.7. Example IPSec VPN Tunnel definition in Linksys RVL200 router

Note that the customer’s termination address for the VPN (the customer VPN’s global IP) is obscured in this example. However, the IP address for the “Local Security Gateway IP” should be set to the actual value. The local network’s IP address and subnet mask should be set to the internal IP subnet.

Similarly, the “Remote Security Gateway IP” should be set to the Service Provider’s (Wyless) VPN termination IP address (also obscured in this example). The remote network IP address and subnet should be set to the mobile device subnet, in this case given by 10.120.82.0/24.

Other sections on this page are configured using the parameters previously agreed upon, including:

Security Infrastructure Parameters

Includes those in the “VPN Parameters” section of the Wyless VPN provisioning form, such as:

  • The protocol used for key exchange. This example uses IKE with a pre-shared key. Other protocols are possible, if agreed upon beforehand.

  • The Diffie-Hellman (DH) group was recommended (and accepted) to be 2.

  • The encryption method, hashing method, and session lifetime parameters were recommended to be 3DES, MD5, and 86400, respectively. These parameters were used in both Phase 1 and Phase 2.

    The “Phase 2 SA Life Time” parameter has a maximum value of 28800 seconds, so this value was used instead of 86400.

Additional Parameters

Other parameter guidelines on this IPSec VPN page are as follows:

  • “Keep-Alive” should be checked. This specifies the creation of a static connection.

  • A “Tunnel Name” should be entered, but it has no actual effect on the connection.

Final State

Apart from the changes to default configuration mentioned previously, no additional changes are necessary to create the VPN connection.
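
Before typing the agreed values into the Gateway to Gateway page, they can be checked against the constraints described above. The following is an added example, not part of the original document or of any Linksys or Wyless tooling: the field names, the `check_tunnel` helper, the sample device IP, and the list of proposals flagged as legacy are assumptions made for illustration.

```python
import ipaddress

RVL200_PHASE2_MAX = 28800  # seconds; the Phase 2 SA Life Time limit stated above
# Assumption (not from the page): values treated here as legacy, flagged for review.
LEGACY = {"encryption": {"DES", "3DES"}, "hash": {"MD5"}, "dh_group": {1, 2}}

def check_tunnel(cfg):
    """Return (effective_cfg, findings); findings are (severity, message) pairs."""
    eff, findings = dict(cfg), []
    local = ipaddress.ip_network(cfg["local_subnet"])    # raises if host bits are set
    remote = ipaddress.ip_network(cfg["remote_subnet"])
    device = ipaddress.ip_address(cfg["device_ip"])
    if device not in local:
        findings.append(("error", f"device IP {device} is outside local subnet {local}"))
    elif device in (local.network_address, local.broadcast_address):
        findings.append(("error", f"device IP {device} is not a usable host address"))
    if local.overlaps(remote):
        findings.append(("error", f"local {local} overlaps remote {remote}"))
    if cfg["phase2_lifetime"] > RVL200_PHASE2_MAX:
        eff["phase2_lifetime"] = RVL200_PHASE2_MAX
        findings.append(("info", f"Phase 2 lifetime {cfg['phase2_lifetime']} exceeds "
                                 f"the router maximum; using {RVL200_PHASE2_MAX}"))
    for field, legacy in LEGACY.items():
        if cfg[field] in legacy:
            findings.append(("review", f"{field}={cfg[field]} is a legacy choice; "
                                       "confirm it matches the provisioning form"))
    if not cfg.get("keep_alive"):
        findings.append(("error", "Keep-Alive is unchecked; tunnel will not be static"))
    return eff, findings

# Constructed sample: subnets and proposals from this page; device_ip is an
# assumed host address on the internal subnet (the page does not give one).
SAMPLE = {
    "device_ip": "10.111.90.1",
    "local_subnet": "10.111.90.0/24",
    "remote_subnet": "10.120.82.0/24",
    "encryption": "3DES", "hash": "MD5", "dh_group": 2,
    "phase1_lifetime": 86400, "phase2_lifetime": 86400,
    "keep_alive": True,
}

if __name__ == "__main__":
    effective, notes = check_tunnel(SAMPLE)
    for severity, message in notes:
        print(f"[{severity}] {message}")
    print("Phase 2 SA Life Time to enter:", effective["phase2_lifetime"])
```

Both gateways must use the same proposals, so a “review” finding is something to raise with the other party rather than a value to change on one side only.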