17 December 2013

We spent the last couple years using the ZyXEL ZyWALL 2WG after encountering major compatibility and configuration challenges with a Cisco RV220W. Although Cisco is very slow to update its firmware and clients (sometimes giving the impression of being abandonware), two years was enough time for there to be some changes. The QuickVPN client now works on Windows 7 64-bit (that was a known issue), and firmware has been updated. Given the changes, we decided to try out the CISCO SYSTEMS RV180W-A-K9-NA Wireless N VPN Router.

Why the RV180W?

The ZyWALL needed to be replaced. Although it "generally worked," wireless connections would be dropped regularly and require a reconnect, multiple users could not VPN from a single remote location, and one of our staff had frequent VPN connection problems. Inconsistent issues are some of the hardest to troubleshoot, and having three of them simply meant that the router was no longer an ideal solution for our office.

Because all SMB VPN routers are cheap, and this one appeared to have a 50/50 chance of working. Amazon reviews showed it at 2.5 stars when we purchased (the non-wireless version is rated higher). Netgear's small business line is also stuck at 3 stars, and even the low-end SonicWALLs get panned. In my research, it appeared that anything under $500 is really hit-or-miss, and the ratings were only high on products when there were not many reviews (i.e., the misses had not been reported yet). That might be cynical, but it did not seem like there was any amazing solution in the SMB space. If there were, one of the giants would probably gobble it up, repackage it, and charge more. So I went into this configuration knowing that half of the people who did the same thing wanted to throw the router away afterwards. Fortunately, the specs look pretty good and should theoretically support our small office (datasheet).

The Challenges

As with the previous VPN installations, there were some bumps in the road.

  1. Pre-firmware upgrade problems: Before upgrading the firmware, problems included an inability to access the remote network after a successful QuickVPN connection, a "certificate cannot be found" error with QuickVPN, and an inability to get standard IPSEC tunnels to connect using third-party client software.
  2. Firmware upgrade problem: Upgrading the firmware with a configuration in place broke the interface. Eventually, with some grumbling, I reset it to factory settings and manually configured it. The interface was fine after the settings were reentered.
  3. QuickVPN tweaks: Upgrading the firmware and manually entering the configuration from scratch resolved the challenges I had with QuickVPN, so I would strongly encourage you to go that route.
  4. Existing Shrew Soft tutorial failed: This tutorial was designed for the SA 500, and the differences (or the updates to Shrew Soft) made it inadequate for configuring the RV180W. However, the configuration described below came from a merger of this tutorial with our current ZyWALL configuration.

Rejecting QuickVPN

QuickVPN connected easily with the updated router firmware. However, it is a black box solution with no configuration options. It was able to access the remote network except for one key system that had two network cards (to provide connectivity fail-over). Due to the way that QuickVPN handled the client IP address (it appeared to pass through the remote LAN's IP address), our dual-network device was unable to route packets back to the client. Because of the importance of that network resource and the lack of access to QuickVPN configuration, we quickly turned to a more direct IPSEC VPN option, which is outlined below.

ShrewSoft Configuration

The following is the (redacted) .vpn configuration file we used. Note that there are several settings that need to be changed for your environment: the domain name, the manual IP address, the pre-shared key (from the "Authentication > Credentials" tab), and the remote network topology (from the "Policy" tab).

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase1-keylen:128
n:phase2-keylen:128
s:network-host:vpn.example.com
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:10.2.1.13
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:remote.com
s:ident-server-data:local.com
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:0
s:policy-level:auto
s:policy-list-include:10.1.0.0 / 255.255.0.0

Cisco RV180W Configuration

The router obviously needs to have a matching configuration. Go through a Basic VPN Setup, and then you can edit the settings to match the ShrewSoft configuration above.

IKE Policy Configuration

  1. Direction: Responder
  2. Exchange Mode: Aggressive
  3. Local
    1. Identifier Type: FQDN
    2. Identifier: local.com
  4. Remote
    1. Identifier Type: FQDN
    2. Identifier: remote.com
  5. IKE SA Parameters
    1. Encryption Algorithm: AES-128
    2. Authentication Algorithm: SHA-1
    3. Authentication Method: Pre-Shared Key
    4. Pre-Shared Key: **** (match whatever you use in ShrewSoft)
    5. Diffie-Hellman (DH) Group: Group2 (1024 bit)
    6. SA-Lifetime Seconds: 28800
    7. Dead Peer Detection: Enable
    8. Detection Period: 10
    9. Reconnect after Failure Count: 3
  6. Extended Authentication
    1. XAUTH Type: Edge Device
    2. Authentication Type: User Database

VPN Policy Configuration

  1. Policy Type: Auto Policy
  2. Remote Endpoint: FQDN, remote.com
  3. Local Traffic Selection (may be different for your environment)
    1. Local IP: Subnet
    2. Start Address: 10.1.1.0
    3. Subnet Mask: 255.0.0.0
  4. Remote Traffic Selection
    1. Remote IP: Any
  5. Split DNS: Disable
  6. Auto Policy Parameters
    1. SA-Lifetime: 28800 seconds
    2. Encryption Algorithm: AES-128
    3. Integrity Algorithm: SHA-1
    4. PFS Key Group: Enable, DH-Group2 (1024 bit)
    5. Select IKE Policy: **** (name of IKE policy you just configured)

VPN Users

The above configuration references using the User Database. To configure the user database, click on the "VPN Users" link in the left navigation. When adding a user, assign them to the XAUTH protocol and enable them.

Final Steps

Adjust the .vpn file for each user so that they get their own IP address. The .vpn file can contain your Pre-Shared Key and all other information except for the user name and password. You can write a simple script to auto-generate the per-user .vpn files to manage the IP assignment, or you can adjust the instructions above to use DHCP. In either case, the client setup is quick and easy once you align the settings between the RV180W and the ShrewSoft VPN Client.
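The "simple script" mentioned above, written out as an added example; it is not the post's own script. It reads a template in the prefix:key:value line format of the .vpn file shown earlier (n for numeric entries, s for strings), hands each user a copy that differs only in client-ip-addr, refuses addresses outside the virtual-adapter subnet or duplicate users, and checks that the client subnet stays disjoint from the remote network in policy-list-include, as the post's 10.2.1.0/24 versus 10.1.0.0/16 layout does. The user names, the address range, and the cut-down template are constructed for the demo. Because the template carries the pre-shared key and the identities, every generated copy carries them too, so the output files warrant the same handling as the template.

```python
"""
Generate per-user Shrew Soft .vpn files from one shared template.

Added example (not the post's own script). Assumptions: the template uses the
prefix:key:value line format shown in the post, the user names and address
range are constructed for the demo, and each user's copy differs from the
template only in client-ip-addr.
"""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (prefix, key, value); prefix "n" numeric, "s" string

# Constructed template: the post's redacted file, cut down to the entries this
# script reads or rewrites. A real template carries all of the post's lines.
TEMPLATE = """\
n:version:4
s:network-host:vpn.example.com
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:10.2.1.13
s:client-ip-mask:255.255.255.0
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-client-data:remote.com
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
s:policy-list-include:10.1.0.0 / 255.255.0.0
"""


def parse_vpn(text: str) -> List[Entry]:
    """Split prefix:key:value lines into triples, preserving file order."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # a value may keep its own ':' characters
        if len(parts) != 3 or parts[0] not in ("n", "s"):
            raise ValueError(f"line {lineno}: expected prefix:key:value, got {raw!r}")
        prefix, key, value = parts
        if prefix == "n" and not value.lstrip("-").isdigit():
            raise ValueError(f"line {lineno}: numeric entry {key} has value {value!r}")
        entries.append((prefix, key, value))
    return entries


def serialize_vpn(entries: List[Entry]) -> str:
    """Inverse of parse_vpn: one prefix:key:value line per entry."""
    return "".join(f"{p}:{k}:{v}\n" for p, k, v in entries)


def get_value(entries: List[Entry], key: str) -> str:
    for _, k, v in entries:
        if k == key:
            return v
    raise KeyError(key)


def with_value(entries: List[Entry], key: str, value: str) -> List[Entry]:
    """Copy of entries with one existing key's value replaced."""
    get_value(entries, key)  # raises KeyError if the key is absent
    return [(p, k, value if k == key else v) for p, k, v in entries]


def generate_per_user_files(template_text: str, users: List[str], first_ip: str) -> Dict[str, str]:
    """Return {user: file text}, handing out client addresses in sequence.

    Every address must be a usable host address inside the template's
    virtual-adapter subnet (client-ip-addr / client-ip-mask). The client subnet
    must also be disjoint from the remote network in policy-list-include, which
    keeps the clients off the office LAN as the post's layout does.
    """
    base = parse_vpn(template_text)
    client_net = ipaddress.ip_network(
        f"{get_value(base, 'client-ip-addr')}/{get_value(base, 'client-ip-mask')}", strict=False)
    net, mask = (part.strip() for part in get_value(base, "policy-list-include").split("/"))
    remote_net = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if client_net.overlaps(remote_net):
        raise ValueError(f"client subnet {client_net} overlaps remote network {remote_net}")

    files: Dict[str, str] = {}
    addr = ipaddress.ip_address(first_ip)
    for user in users:
        if user in files:
            raise ValueError(f"duplicate user {user!r}")
        if addr not in client_net or addr in (client_net.network_address, client_net.broadcast_address):
            raise ValueError(f"no usable address left in {client_net} for {user!r}")
        files[user] = serialize_vpn(with_value(base, "client-ip-addr", str(addr)))
        addr += 1
    return files


if __name__ == "__main__":
    for name, text in generate_per_user_files(TEMPLATE, ["alice", "bob"], "10.2.1.10").items():
        print(f"--- {name}.vpn ---")
        print(text, end="")
```

Run it against the full redacted file from the ShrewSoft section instead of the cut-down template and write each returned string to `<user>.vpn`; the user name and password are still entered in the client, as the paragraph above describes.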
