Configuring VPN with Xincom Router (603) for Office Network
May 9, 2008
After setting up a small office, I needed to access the computers at the office while I am at home. The easiest way this can be accomplished is by implementing a VPN.
As I was already using a Xincom 603 Twin WAN Router (with VPN endpoint capabilities), I aimed to make use of the VPN functionality of the Xincom 603 for this purpose. For the client side, I used The Greenbow VPN client.
Setting up a VPN is a complicated task. There are many parameters that you need to get right. There are two phases of negotiation for an IPsec VPN, and you need to make sure that the client and the router are configured with the same parameters for each phase.
The Xincom documentation for VPN setup is very minimal, so I was having a tough time setting it up. What came to my rescue was the documentation for similar hardware from Syswan. This documentation does a very good job of describing the various steps involved in setting up the Xincom 603 router. As the underlying hardware of Xincom and Syswan is essentially the same, you will have no problem getting your VPN configured with this guide.
VPN configuration on Xincom consists of two pages - IKE Global Setup and IPSec Policy Setup. Do not get overwhelmed by the many options. Spend some time playing with these pages and the VPN client and you will figure out the essentials.
As for the configuration of the client, the Syswan documentation comes to your aid too. It so happened that the VPN client that I chose - The Greenbow VPN client - is essentially the same as the client that Syswan provides to its users. So if you follow the Syswan guide for the client, it is very easy to get your VPN up and running in no time.
Xincom has the "distinguished ID" in the IPsec Policy Setup page for Remote Security Gateway. This is what you need to use if you do not have a public static IP address for your client side. The corresponding entry for the distinguished ID is "Local ID" -> Email on the P1 Advanced page of The Greenbow client. You also need to make sure that "Aggressive Mode" under "Advanced Features" is checked.
However, I had some issues with the VPN client running from my LAN at home. The problems were caused by the Xincom box that I used at home - Xincom 602. Though I was able to establish a tunnel through the Greenbow client, I was not able to ping the remote endpoint or any computers in the remote network.
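Because both peers have to agree on every parameter of both phases, and because the dynamic-IP client additionally needs aggressive mode with a non-IP identity, it helps to have a checklist you can run before touching the router. The script below is an added example, not the Xincom or Greenbow configuration format: the `Peer` dataclass and its field names are this example's own convention, and the sample profiles (addresses from the documentation range, an email-style ID) are constructed. It compares the Phase 1 and Phase 2 parameters of a client and a gateway, checks that the IDs each side sends are the IDs the other expects, and flags a PSK client without a static address that is not using aggressive mode with an email-style ID. One practitioner's caveat about that setting: aggressive mode sends the identity in the clear and exposes a hash derived from the pre-shared key to offline guessing, so the pre-shared key should be long and random.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Parameters negotiated in each IKE phase. Every one of them must be equal on
# both peers, or the negotiation stops at that phase. (Field names are this
# example's convention, not the router's or client's terminology.)
PHASE1_KEYS = ("encryption", "hash", "dh_group", "auth_method", "mode", "lifetime_s")
PHASE2_KEYS = ("esp_encryption", "esp_auth", "pfs_group", "lifetime_s")


@dataclass
class Peer:
    name: str
    phase1: Dict[str, object]
    phase2: Dict[str, object]
    local_id: str      # identity this peer presents (IP address or email-style ID)
    remote_id: str     # identity it expects from the other peer
    static_ip: bool    # True when this peer has a fixed public address


def _compare(keys: Tuple[str, ...], a: Peer, b: Peer, attr: str) -> List[str]:
    """List every key whose value differs between a.<attr> and b.<attr>."""
    out = []
    for key in keys:
        va, vb = getattr(a, attr).get(key), getattr(b, attr).get(key)
        if va != vb:
            out.append(f"{attr} {key}: {a.name}={va!r} {b.name}={vb!r}")
    return out


def check_pair(client: Peer, gateway: Peer) -> List[str]:
    """Return human-readable mismatches; an empty list means consistent."""
    problems = _compare(PHASE1_KEYS, client, gateway, "phase1")
    problems += _compare(PHASE2_KEYS, client, gateway, "phase2")

    # The identity each side sends must be the identity the other side expects.
    if client.local_id != gateway.remote_id:
        problems.append(f"gateway expects remote ID {gateway.remote_id!r} "
                        f"but client sends {client.local_id!r}")
    if gateway.local_id != client.remote_id:
        problems.append(f"client expects remote ID {client.remote_id!r} "
                        f"but gateway sends {gateway.local_id!r}")

    # With a pre-shared key, main mode selects the key by the peer's IP address
    # before any identity is exchanged, so a client without a static address
    # must use aggressive mode and identify itself by something other than an
    # IP address (an email-style ID here, as in "Local ID -> Email").
    if not client.static_ip and client.phase1.get("auth_method") == "psk":
        if client.phase1.get("mode") != "aggressive":
            problems.append("client has a dynamic IP with PSK: phase 1 must use aggressive mode")
        if "@" not in client.local_id:
            problems.append("client has a dynamic IP: local ID must be an email-style "
                            "identifier, not an IP address")
    return problems


def example_profiles() -> Tuple[Peer, Peer]:
    """Constructed sample: a road-warrior client behind a home router and an
    office gateway, configured to agree on both phases."""
    p1 = {"encryption": "3des", "hash": "sha1", "dh_group": 2,
          "auth_method": "psk", "mode": "aggressive", "lifetime_s": 28800}
    p2 = {"esp_encryption": "3des", "esp_auth": "sha1", "pfs_group": 2, "lifetime_s": 3600}
    client = Peer("client", dict(p1), dict(p2), local_id="user@example.invalid",
                  remote_id="203.0.113.10", static_ip=False)
    gateway = Peer("gateway", dict(p1), dict(p2), local_id="203.0.113.10",
                   remote_id="user@example.invalid", static_ip=True)
    return client, gateway


if __name__ == "__main__":
    client, gateway = example_profiles()
    print(check_pair(client, gateway) or "consistent")
    gateway.phase1["dh_group"] = 5   # one side changed: phase 1 now fails
    for problem in check_pair(client, gateway):
        print("-", problem)
```

Run it as-is to see a consistent pair, then a single changed Diffie-Hellman group on the gateway, which is the kind of one-field mismatch that makes Phase 1 fail with very little diagnostic output on a small router.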
Xincom 602 supports VPN passthrough. However, its firewall has some strict rules and it detects the packets from the VPN router as "port scan" and drops them. So you need to configure some Firewall Exception rules in order to make the client work through Xincom 602.
I was able to get some guides by contacting Xincom support. These guides tell you to add Sysfilter exceptions for UDP ports 192 and 500 and for the ESP and GRE protocols. For the ESP and GRE protocols, give the port range as 0-0. You also need to do protocol binding for these UDP ports and the ESP and GRE protocols. I also added UDP port 4500 to the list. You can find these guides from Xincom here - see "Advanced Configuration Guides" towards the bottom of the page.
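When a home router's firewall mislabels tunnel traffic as a port scan, the quickest way to confirm it is to look at which drops come from the office gateway and which protocol or port each one hits. The script below is an added example, not part of the original post and not the Xincom 602's log format (the page does not show one): the `key=value` log lines are constructed, and the classification table covers the standard IPsec components (IKE on UDP 500, IKE/ESP NAT traversal on UDP 4500, ESP as IP protocol 50) plus GRE (IP protocol 47) as listed in the post. UDP port 192 from the Xincom guide is not part of the IPsec standard and is deliberately left out of the table. Drops from the VPN gateway that match the table are reported as missing passthrough exceptions; everything else stays under "other", so a genuine scan from a different source is not mistaken for a VPN problem.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Traffic that a "VPN passthrough" firewall must allow from the remote
# gateway. Keys are (protocol, UDP destination port); non-UDP protocols
# carry no port, hence None.
VPN_SIGNATURES = {
    ("UDP", 500): "IKE (UDP 500)",
    ("UDP", 4500): "IKE NAT-T (UDP 4500)",
    ("ESP", None): "ESP (IP protocol 50)",
    ("GRE", None): "GRE (IP protocol 47)",
}

# Constructed log lines in a simple key=value layout (not the Xincom format).
# 203.0.113.10 plays the office VPN gateway; 198.51.100.7 is an unrelated host.
SAMPLE_LOG = """\
2008-05-09 03:35:01 DROP proto=UDP src=203.0.113.10 sport=500 dst=192.168.1.20 dport=500 reason=port-scan
2008-05-09 03:35:01 DROP proto=UDP src=203.0.113.10 sport=4500 dst=192.168.1.20 dport=4500 reason=port-scan
2008-05-09 03:35:02 DROP proto=ESP src=203.0.113.10 dst=192.168.1.20 reason=port-scan
2008-05-09 03:35:02 DROP proto=ESP src=203.0.113.10 dst=192.168.1.20 reason=port-scan
2008-05-09 03:35:05 DROP proto=TCP src=198.51.100.7 sport=40001 dst=192.168.1.20 dport=23 reason=port-scan
2008-05-09 03:35:05 DROP proto=TCP src=198.51.100.7 sport=40002 dst=192.168.1.20 dport=445 reason=port-scan
2008-05-09 03:35:06 ACCEPT proto=UDP src=203.0.113.10 sport=53 dst=192.168.1.20 dport=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|ACCEPT) proto=(?P<proto>\w+) src=(?P<src>\S+)"
    r"(?: sport=(?P<sport>\d+))? dst=(?P<dst>\S+)(?: dport=(?P<dport>\d+))?"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def classify_drops(log_text: str, vpn_peer: str) -> Dict[str, List[str]]:
    """Group DROP records by the VPN component they block.

    Only drops whose source is `vpn_peer` (the remote VPN gateway) count as
    passthrough problems and are keyed by component label; every other drop
    is kept verbatim under "other" so real scan activity stays visible.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "DROP":
            continue
        key = (rec["proto"], rec["dport"] if rec["proto"] == "UDP" else None)
        label = VPN_SIGNATURES.get(key)
        if label and rec["src"] == vpn_peer:
            groups[label].append(str(rec["ts"]))
        else:
            groups["other"].append(line)
    return dict(groups)


def required_exceptions(log_text: str, vpn_peer: str) -> List[str]:
    """Sorted list of the passthrough exceptions the log shows are missing."""
    return sorted(k for k in classify_drops(log_text, vpn_peer) if k != "other")


if __name__ == "__main__":
    for label, hits in classify_drops(SAMPLE_LOG, "203.0.113.10").items():
        print(f"{label}: {len(hits)} drop(s)")
    print("exceptions needed:", required_exceptions(SAMPLE_LOG, "203.0.113.10"))
```

Scoping the exception rules to the office gateway's address, as the `vpn_peer` argument does here, is the safer way to carry this over to the router: it lets the tunnel through without opening IKE, ESP or GRE to every source on the Internet.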
The Greenbow VPN client costs money. So if you want a free VPN client, you may want to consider Shrew Soft VPN client. I have not tried the Shrew Soft VPN client but it looks promising.
Posted by liveit at May 9, 2008 3:35 AM
