I am trying to set up an IPSec tunnel to a service provider using a SnapGear SG560 (the product identifier below doesn't list the SG560, so I've selected the SG565, but it really is a 560, not sure if they're similar enough products or too different). The other end of the tunnel is some type of Cisco device (the service provider is being really vague about this). After much trying, I have been able to get the IPSEC tunnel running from the SnapGear. Now I'm having trouble getting the networks on both sides talking, and here's where it gets interesting. I was given the following instruction (in their entirety) from the service provider: 1. client will need to make ACL from 172.28.7.10 to host 192.168.50.83 and 192.168.50.86 2. client will need to NAT interesting traffic to 172.28.7.0 255.255.255.0 I believe I've accomplished the first part through a pair of Source NAT rules. Here's teh configuration I've got for those: Outgoing Interface: Any Source Address: Any Destination Address: 192.168.50.83 Services: Any Translate Packet Fields To Source Address: 172.28.7.10 To Source Ports: Any Outgoing Interface: Any Source Address: Any Destination Address: 192.168.50.83 Services: Any Translate Packet Fields To Source Address: 172.28.7.10 To Source Ports: Any I'm not exactly clear on what the second piece is wanting. And that's my problem in terms of understanding what else I should do to configure the device. Ultimately, I think what they want is for all traffic from our site to the two nodes on their network to appear to be coming from the 172.28.7.10 address. Realistically, since there's only one machine that will be actually contacting those two nodes, I could almost limit it to say that it's coming from the one machine and then appear to come from the 172.28.7.10 address. If anyone could help shed some light on this, I'd appreciate it. The service provider is unwilling (and realistically unable) to provide support on this device as they're not familiar with it, and it would be unreasonable to ask them to blindly support all routers that are available out there. But since I'm having trouble understanding what they're asking for, I'm not sure what else to configure on my SG560, or if what I have configured thus far is even correct. Thanks in advance for any and all assistance!!

show ipsec stats
this command was introduced in code 7.0
it will show the active tunnels, the previous tunnels and several other stats of inbound and outbound packets.....
for example:- IPsec Global Statistics ----------------------- Active tunnels: 2 Previous tunnels: 9 Inbound Bytes: 4933013 Decompressed bytes: 4933013 Packets: 80348 Dropped packets: 0 Replay failures: 0 Authentications: 80348 Authentication failures: 0 Decryptions: 80348 Decryption failures: 0 Decapsulated fragments needing reassembly: 0 Outbound Bytes: 4441740 Uncompressed bytes: 4441740 Packets: 74029 Dropped packets: 0 Authentications: 74029 Authentication failures: 0 Encryptions: 74029 Encryption failures: 0 Fragmentation successes: 3 Pre-fragmentation successes:2 Post-fragmentation successes: 1 Fragmentation failures: 2 Pre-fragmentation failures:1 Post-fragmentation failures: 1 Fragments created: 10 PMTUs sent: 1 PMTUs recvd: 2 Protocol failures: 0 Missing SA failures: 0 System capacity failures: 0

Cisco VPN
Upgrade your router to the latest firmware. You can download firmware at http://www.dlink.com.au/tech/ .
Disable all Firewall Software (ZoneAlarm, Windows XP Firewall, etc.).
Configuring PC running VPN Client Software:
Step 1 Disable all Firewall Software (ZoneAlarm, Windows XP Firewall, etc.).
Step 2 Change IP Address to be outside of the routers DHCP Pool (i.e. 192.168.0.99). By default the DHCP pool is 192.168.0.100 - 192.168.0.199.
Step 3 Configure Cisco VPN Client - Connection Properties.
Step 4 Check Enable Transparent Tunneling.
Step 5 Allow IPSec over UDP ( NAT/PAT).
Configuring Router using the Web-based configuration:
Step 1 Open the Web Configuration Page by entering 192.168.0.1 into your web browser. Enter username (admin) and your password (blank by default).
Step 2 Check the Status tab and make sure that you are running the latest version of firmware. If not, upgrade firmware before proceeding.
Step 3 Click on the Miscellaneous button on the Tools tab. Enable both PPTP and IPSec.
Step 4 Click Apply.
Step 5 Click on the Virtual Servers button on the Advanced tab.
Step 6 Enable IPSec from the list and configure as follows:
Private IP: IP Address of the PC running Cisco VPN Client
Protocol: UDP
Private Port: 500
Public Port: 500
Schedule: Always.
Step 7 Click Apply and then Continue.
Step 8 Enable PPTP from the list and configure as follows:
Private IP: IP Address of the PC running Cisco VPN Client
Protocol: TCP
Private Port: 1723
Public Port: 1723
Schedule: Always.
Step 9 Click Apply and then Continue.


http://www.dlink.com.au/tech/default.asp?model=DI-524UP

Hi, Since this box just uses Checkpoint, There wont be much of complication in that. In box level you can take the help of CLI Help. For your ref. im giving the link of Manual.

http://www.allyourprices.com/product-specifications/10126220/Celestix-One-FV940-Security-Appliance.html

According to specs, it does support IPSEC. You'll have to go through the device's web config (usually 192.168.0.1 or 192.168.1.1) to change the settings.

04810481

the following is from a nice guide i found on the net, see if it works for you: First thing to check is whether your router has any settings for PPTP or IPsec "pass through". These are commonly found in Linksys routers but you may have to hunt around for them on other makes. All you need to do is enable the setting for the VPN protocol that you're using, reboot your router and, if you're lucky, the VPN connection will come right up. Note: Not all routers have these enables and the lack of them doesn't necessarily mean that you can't get VPN working. Open up that Firewall Still no connection? The next step is to try opening some ports in your router's firewall to get your VPN connection made. In each case, you'll need to open the specific ports (and protocol) to the IP address of the computer that you're running the VPN client on. NOTE that port mappings work with only one computer at a time. If you have multiple VPN clients that you need to connect, your router will have to support the VPN protocol that you're using without requiring ports opened. If you're using Microsoft's PPTP protocol, TCP port 1723 is the port you'll need to forward to allow PPTP control traffic to pass. Figure 2 shows the Forwarding screen on a Linksys BEFSR41 set to forward this port to a client with IP address 192.168.5.100. PPTP also needs IP protocol 47 (Generic Routing Encapsulation) for the VPN data traffic itself, but note that this is a required protocol, not a port. The ability to handle this protocol must be built into the router's NAT "engine"?which is true of most present-generation routers. IPsec-based VPN's need UDP port 500 opened for ISAKMP key negotiations, IP protocol 51 for Authentication Header traffic (not always used), and IP protocol 50 for the "encapsulated data itself. Again, the only "forwardable" item here is UDP port 500, which is also shown programmed in Figure 2 to the same LAN client machine?protocols 50 and 51 must be built into your router. Tip: Not all routers are created equal! Some allow only one VPN tunnel to be opened and used by a single client. Others support multiple tunnels, but with one client per tunnel. Unfortunately, most vendors don't make the VPN pass through capabilities of their products clear in their documentation, nor do they have support staff properly trained to provide this information either. In most cases, your only option is to try a router in your specific application, and make sure you can return it and get your money back if you can't get it working. Still not Working? Getting many IPsec-based VPN setups working can be a black art due to the wide variation in techniques used by various vendors. Although IPsec products have become more uniform as the technology matures, your company may use older, more proprietary products that may not be configured with NAT in mind, or require additional ports to be opened in your firewall.

Windows XP or Windows 2000 IP Address: 140.111.1.2 ? User ISP provide IP Address, this is only a sample Subnet Mask: 255.255.255.0 BEFVP41 WAN IP Address: 140.111.1.1 ? User ISP provide IP Address, this is only a sample Subnet Mask: 255.255.255.0 LAN IP Address: 192.168.1.1 Subnet Mask: 255.255.255.0 Step-by-Step [Windows 2000/XP] Create IPSec Policy 1. Click the Start button, select Run, and type secpol.msc. in the open field. 2. Right-click IP Security Policies on Local Computer and click Create IP Security Policy. 3. Click the Next button, and then type a name for your policy (for example, ?to_befvp41?). Then, click Next. 4. Deselect the Activate the default response rule check box and then click the Next button. 5. Click the Finish button, making sure the Edit check box is checked. Build 2 Filter Lists: ?WinXP? BEFVP41? and ?BEFVP41? WinXP?. Note: The references in this section to ?WinXP? can easily be exchanged for ?Win2000?, if running Windows 2000. Filter List 1: WinXP? BEFVP41 1. In the new policy properties, deselect the Use Add Wizard check box and then click the Add button to create a new rule. 2. From the IP Filter List tab, click the Add button. 3. Type an appropriate name ?WinXP? BEFVP41? for the filter list, deselect the Use Add Wizard check box, and click the Add button. 4. In the Source address field, select My IP Address. 5. In the Destination address field, select A specific IP Subnet, and fill in the IP Address 192.168.1.0 and Subnet mask 255.255.255.0. 6. If you want to type a description for your filter, click the Description tab. 7. Click the OK button. Then click the OK (for WinXP) or Close (for WIN2000) button on the IP Filter List window. Filter List 2: BEFVP41? WinXP 8. On the IP Filter List tab, click the Add button. 9. Type an appropriate name ?BEFVP41? WinXP? for the filter list, deselect the Use Add Wizard check box, and click the Add button. 10. In the Source address field, select A specific IP Subnet, and fill in the IP Address 192.168.1.0 and Subnet mask 255.255.255.0. 11. In the Destination address field, select My IP Address. 12. If you want to type a description for your filter, click the Description tab. 13. Click the OK button and click the OK (for WinXP) or Close (for Win2000) button on IP Filter List window. Configure Individual Rule of 2 Tunnels Tunnel 1: WinXP? BEFVP41 1. From the IP Filter List tab, click the filter list WinXP? BEFVP41. 2. From the Filter Action tab, click the filter action ?Require Security?, and click the Edit button. 3. verify that the Negotiate security option is enabled, and deselect the Accept unsecured communication, but always respond using IPSec check box. 4. Select the Session key perfect forward secrecy (PFS) and remember to check the PFS option on the BEFVP41, and click the OK button. 5. From the Authentication Methods tab, click the Edit button. 6. Change the authentication method to Use this string (preshared key), enter the string ?XYZ12345?, and click the OK button. This new Preshared key will be displayed. Click the OK button to continue. 7. From the Tunnel Setting tab, click The tunnel endpoint is specified by this IP Address radio button and type the WAN IP Address 140.111.1.1 of the BEFVP41. 8. From the Connection Type tab, Select All network connections and click the OK button to finish this rule. Tunnel 2: BEFVP41? WinXP 9. In the new policy properties, deselect the Use Add Wizard check box and click the Add button to create the second IP Filter. 10. From the IP Filter List tab, click the filter list BEFVP41? WinXP. 11. From the Filter Action tab, select the filter action Require Security. 12. From the Authentication Methods tab, click the Edit button. 13. Change the authentication method to Use this string (preshared key), enter the string ?XYZ12345?, and then click the OK button. This new Preshared key will be displayed. Click the OK button to continue. 14. From the Tunnel Setting tab, click the radio button for The tunnel endpoint is specified by this IP Address and type the Windows 2000/XP IP Address 140.111.1.2. 15. From the Connection Type tab, select All network connections. Then, click the OK (for WInXP) or Close (for Win2000) button to finish . 16. From the Rules tab, click the OK button to go back to the secpol screen. Assign New IPSec Policy 1. In the IP Security Policies on Local Computer MMC snap-in, right-click the policy named to_befvp41, and click Assign. A green arrow appears in the folder icon. [BEFVP41] Setup Screen 1. Open your web browser and enter 192.168.1.1 in the Address field and press the Enter key. 2. When the User name and Password field appears, skip the user name and enter the default password admin and press the

This example will demonstrate how to create a Virtual private Network (VPN) between two remote locations through the Internet. The VPN policy will use 3DES IPSec to securely send/receive encrypted data over the Internet. When the VPN tunnel is enabled, the two offices will virtually appear to be on the same local network. This example will consist of two DI-804V VPN Routers with a simple setup. The two remote offices in this example will be known as Office A and Office B. Both VPN Routers must already be set up and able to access each other. This is only an example, your setup will vary using the WAN IP address provided by your ISP. Please note the differences in the IP addresses for each office. We will begin by configuring the DI-804V at Office A. Start by going into VPN Settings under the Basic Setup menu. Step 1. In the Connection Name field, type in OfficeA. Click ADD. Step 2. A properties screen will appear for the new connection you have made. Fill in the appropriate information for Office A: Connection Name: OfficeA Local IPSEC Identifier: Local Remote IPSEC Identifier: Remote Remote IP Network: 192.168.1.0 Remote IP Netmask: 255.255.255.0 Remote Gateway IP: 192.170.0.2 Network Interface: WAN ETHERNET Secure Association: IKE Perfect Forward Secure: Enabled PreShared Key: 123456 Key Life: 28800 IKE Life Time: 3600 Step 3 Click SAVE. There should now be a VPN policy created for Office A. Now you will want to Save & Restart the DI-804V. Note: 123456 is an example of a preshared key, please fill in any secret preshared key you desire. Keep in mind that both sites require the same preshared key. Office A setup is now complete, we will now configure Office B with the other DI-804V, Follow the same steps previously with Ofice A to create a VPN policy. Step 1 Please change the appropriate information. Connection Name: OfficeB Local IPSEC Identifier: Local Remote IPSEC Identifier: Remote Remote IP Network: 192.168.0.0 Remote IP Netmask: 255.255.255.0 Remote Gateway IP: 192.170.0.1 Network Interface: WAN ETHERNET Secure Association: IKE Perfect Forward Secure: Enabled PreShared Key: 123456 Key Life: 28800 IKE Life Time: 3600 Step 2 Click SAVE. There should now be a VPN policy created for Office B. Now you will want to Save & Restart the DI-804V. After the VPN policies have been created for the two Offices, the two remote locations should authenticate and connect. To view the status of the VPN connection, go to the Device Status menu. On the bottom-left side of the menu, click on the VPN Status icon. A VPN Status pop-up screen will appear showing VPN connection status. If a VPN tunnel is active, the State should indicate Q-Estab. Go to a DOS prompt and ping the internal IP address of the remote network.

Step 1: Log into the web based configuration of the router by typing in the IP address of the router (default: 192.168.0.1) in your web browser. By default the username is admin and there is no password. Step 2: Click the VPN button on the left column, select the checkbox to Enable the VPN, and then in the box next to Max. number of tunnels , enter the maximum numbers of VPN tunnels that you would like to have connected. Step 3: In the space provided, enter the Tunnel Name for ID number 1, select IKE, and then click More. Step 4: In the Local Subnet and Local Netmask fields enter the network identifier for the local DI-804HV´s LAN and the corresponding subnet mask. Step 5: In the Remote Subnet and Remote Netmask fields enter the network identifier for the remote DI-804HV´s LAN and the corresponding subnet mask. Step 6: In the Remote Gateway field enter the WAN IP address of the remote DI-804HV and in the Preshared Key field, enter a key which must be exactly the same as the Preshared Key that is configured on the remote DI-804HV. Step 7: Click Apply and then click on Select IKE Proposal... Step 8: Enter a name for proposal ID number 1 and select Group 1, 2, or 5 from the DH Group dropdown menu. Step 9: Select DES or 3DES as the Encryption Algorithm and either SHA-1 or MD5 as the Authentication Algorithm. Step 10: Enter a Lifetime value and then either select Sec. or KByte as the unit for the lifetime value. Step 11: Select 1 out of the Proposal ID dropdown menu and click Add To, which will add the proposal that was just configured to the IKE Proposal Index. Click Apply and then click Back. Step 12: Click on Select IPSec Proposal... Step 13: Enter a name for proposal ID number 1 and select Group 1, 2, 5, or None from the DH Group dropdown menu. Step 14: Select ESP or AH as the Encapsulation Protocol. Step 15: Select DES or 3DES as the Encryption Algorithm and either SHA-1, MD5, or None as the Authentication Algorithm. Step 16: Enter a Lifetime value and then either select Sec. or KB as the unit for the lifetime value. Step 17: Select 1 out of the Proposal ID dropdown menu and click Add To, which will add the proposal that was just configured to the IPSec Proposal Index. Click Apply and then click Restart. Step 18: Follow these instructions to configure your Other DI-804HV using the exact same settings for the IKE Proposal and the IPSec Proposal. Also make sure that Step 4 is configured to reflect the LAN settings for what is now the Local DI-804HV and that Steps 5 & 6 are configured to reflect the Subnet and WAN IP of what is now the Remote DI-804HV Step 19: To establish the connection, open a command prompt and ping an IP address of a computer on the remote LAN. Once you receive replies the tunnel has been established.