Configuring IPSec 3Com 5232 Router

kerneldead
Jun 19, 2008
Has anyone configured IPSec on a 3Com 5000 series? I need to configure IPSec on my gateway router so that I can set up a VPN connection under Microsoft Windows on a remote laptop and, while on the road, connect to the router via a VPN. I have seen several how-tos on IPSec tunnels from router to router, but not a setup like this.

Thanks,
 
From 3Com's KB.
This is for the old firmware 1.x, not the newer 2.x, so some commands may be different.

Solution ID:
3KB14927

Router 5000 - How to terminate an L2TP tunnel on a Router 301x
Problem: Create a tunnel from a Windows XP to a router across the Internet via L2TP
Problem: How to terminate an L2TP tunnel on a Router 301x
Fact: L2TP
Fact: Microsoft Windows XP
Fact: Router 3013
Fact: ISDN
Fact: Dialup
Fact: Router 5680
Fact: Router 5640
Fact: Router 5231
Fact: Internet
Fact: IPSec
Cause:

NB. The IP addresses, usernames and passwords are only examples and should not be used across the Internet.

When a packet for an unknown address is received on the router's Ethernet port, the destination address is looked up in the routing table. If no route matches, the router passes the packet to its default gateway (if configured); if no default gateway has been configured, the router drops the packet.

If the router has matched the destination address, it will use that interface to send the packet (data); in our case it will dial the Internet. The connection will be created and data and Internet connectivity will be established.

When the Windows XP user dials into the Internet, the user should be able to ping the WAN address of the router (1.1.1.1). If this can be achieved, start the L2TP VPN client software, make the appropriate changes to use PAP, and set the IP protocol of the dial-up client to "Obtain an IP address automatically". Point the host name or IP address at 1.1.1.1 for the terminator of the tunnel (destination), and enter the username of tunnel with a password of tunnel.

Once connected, the router sees the incoming packet and matches it to the NAT Server Global rule, and the tunnel is terminated at this interface. The router will then check the authentication (username and password) and assign this tunnel an IP address of 9.9.9.x. You should be able to ping any device on the local router Ethernet side of 192.168.1.x, and the PCs/servers should be able to ping the 9.9.9.x address of the VPN client.
Fix:

Windows XP users must disable IPSEC on the dial-up connection, as Windows XP will only support PPTP or L2TP/IPSEC VPNs.

To turn off IPSEC to use only L2TP, please check the Microsoft knowledge web site for your current release of software.

Windows XP users for SP2 can use this link.
3Com are not responsible for any modifications or the support of Microsoft products.
Cause:

If the Router has a static IP address and is running NAT, it dials the Internet; Windows XP users require an L2TP tunnel from their PC and wish to terminate the tunnel on the Router.

The configuration below is for dialing the Internet connection with a static IP address using NAT; only L2TP incoming connections are accepted and terminated on the Router.

The Router must have the extended code version for release 1.x, please apply for this code at and enter your 3C number of the router and register for this software.
Fix:

3Com Router Software Extended_V1.30
local-user tunnel service-type ppp password simple tunnel
l2tp enable
dialer-rule 1 ip permit
ip pool 1 9.9.9.1 9.9.9.10
info-center console
firewall enable
aaa-enable
aaa accounting-scheme optional
!
acl 2000 match-order auto
rule normal permit source any
!
acl 3000 match-order auto
rule normal permit tcp source any destination 192.168.1.1 255.255.255.255
!
interface Aux0
async mode flow
flow-control none
link-protocol ppp
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
!
interface Serial0
link-protocol ppp
!
interface Bri0
link-protocol ppp
isdn service data
isdn service speech
undo dialer enable-circular
dialer bundle-member 1
!
interface Dialer1
link-protocol ppp
ppp pap local-user test password simple test
ip address 1.1.1.1 255.255.255.0
dialer bundle 1
dialer-group 1
dialer number 384000
nat outbound 2000 interface
nat server global 1.1.1.1 1701 inside 1.1.1.1 1701 tcp
nat server global 1.1.1.1 1701 inside 1.1.1.1 1701 udp
!
interface Virtual-Template1
link-protocol ppp
mtu 1500
ppp authentication-mode pap
remote address pool 1
ip address unnumbered Ethernet0
!
l2tp-group 1
allow l2tp virtual-template 1 remote 9929DG8-T30
mandatory-lcp
undo tunnel authentication
!
l2tp-group 2
!
quit
ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60
ip route-static 9.9.9.0 255.255.255.0 Virtual-Template 1 preference 60
!
return

[Router]
 
I used that KB as a guide and was able to set up a 3036 running the newer code, and it worked for me.
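The KB configuration above deliberately trades protection for interoperability: cleartext (simple) passwords, PAP for both the dial-up and the VPN peers, L2TP tunnel authentication switched off, and UDP/TCP 1701 published on the WAN address. As an added example, not from the thread or from 3Com, here is a small Python audit that scans a Comware-style config for exactly those settings so they can be reviewed before the router goes live; the sample config embedded below is a constructed excerpt of the one quoted in the KB.

```python
import re

# Excerpt of the 3Com Router 5000 (firmware 1.x) config quoted in the KB
# above, embedded here as constructed sample input for the audit.
SAMPLE_CONFIG = """\
local-user tunnel service-type ppp password simple tunnel
l2tp enable
ip pool 1 9.9.9.1 9.9.9.10
interface Dialer1
ppp pap local-user test password simple test
nat outbound 2000 interface
nat server global 1.1.1.1 1701 inside 1.1.1.1 1701 tcp
nat server global 1.1.1.1 1701 inside 1.1.1.1 1701 udp
interface Virtual-Template1
ppp authentication-mode pap
l2tp-group 1
undo tunnel authentication
"""

# Each check pairs a Comware-style command pattern with the finding to
# report; the findings are the trade-offs the KB text itself describes.
CHECKS = [
    (r"^\s*local-user\s+\S+\s+.*\bpassword\s+simple\b",
     "cleartext (simple) password for a local user"),
    (r"^\s*ppp\s+pap\s+local-user\s+\S+\s+password\s+simple\b",
     "PAP dial-up credentials stored in cleartext"),
    (r"^\s*ppp\s+authentication-mode\s+pap\b",
     "VPN peers authenticated with PAP (password crosses the link unencrypted)"),
    (r"^\s*undo\s+tunnel\s+authentication\b",
     "L2TP tunnel authentication disabled"),
    (r"^\s*nat\s+server\s+global\s+\S+\s+1701\s+",
     "L2TP port 1701 published on the WAN address"),
]

def audit_config(text):
    """Return (line_no, line, finding) for every config line that matches a check."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern, finding in CHECKS:
            if re.match(pattern, line):
                findings.append((line_no, line.strip(), finding))
    return findings

def weak_credentials(text):
    """Return (user, password) pairs whose password equals the username."""
    pairs = re.findall(r"local-user\s+(\S+)\s+.*?password\s+simple\s+(\S+)", text)
    return [(user, pw) for user, pw in pairs if user == pw]
```

Run `audit_config(open("router.cfg").read())` against a saved `display current-configuration` to get one finding per offending line; `weak_credentials` separately catches the KB's username-equals-password accounts (tunnel/tunnel, test/test).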
 
engjohn:

I ended up using the article to turn off IPSEC and use only L2TP in Windows XP Pro, and that did the trick. I will continue to keep an eye on this forum and provide any help that I can. For years I have only used Cisco products until I came across this router, so it has been a bit of a learning experience.

Thanks,
 
Great! Glad you were able to make it work.
Pass along the knowledge and we all get smarter. :)
 