IPSec gateway and other features of ASUS SL1200
Encrypted tunnels are widely used. Most often, in our opinion, they are used to connect remote company offices securely over untrusted networks (site-to-site). Another common use is an employee's remote access to internal company network resources (remote access). In both cases IPSec is one of the first options to consider. In this article, using two ASUS SL1200 routers as an example, we would like to look at a rarer use of IPSec tunnels: the case where all traffic of an office or branch is sent through the VPN. A reasonable question arises: why would we need this at all, and when can such a scheme be used? Examples are easy to find: the internet traffic of a large number of branches is checked for viruses more efficiently centrally, by a powerful antivirus server installed at the headquarters. This scheme has been dubbed "hub and spoke".
Internet access via an alternative gateway located in some provider's network is another example of the scheme at hand. Suppose your friend has two connections to different providers, while you are connected to only one of them. To reach the internet via the second provider, you will have to establish a VPN connection between a node of your friend's network and yours. In short, we are sure that anyone who wants to will find a use for what we describe below. Let us begin by noting that we deliberately did not study schemes with proxy servers and VPN concentrators, but implement the whole thing on two routers of the same type.
If ASUS SL1200 routers are used as the tunnel endpoints, we strongly recommend updating the router firmware at least to version 1.15. In this version some of the restrictions on subnets present in earlier versions have been removed. We describe how to work around these restrictions with earlier firmware versions at the end of the article. It is also worth noting that there is no point trying to use AES: the router does not support it, even though DES, 3DES and AES support is stated on the SL1200 package.
For the local network with one provider connection, let us agree to use addresses from the 192.168.0.0/24 range. The subnet 192.168.1.0/24 has been chosen for the local segment with connections to two providers. 192.168.0.1 and 192.168.1.1 are the IP addresses of the corresponding router LAN interfaces. In the second segment 192.168.1.2 has been chosen for the second router; consequently, the appropriate default route pointing to this address shall be configured on the first router. The scheme of the example under consideration is shown below.
We consider the configuration of the routers for their specific providers uninteresting and leave it out. Let us go straight to configuring the tunnel on the left router, in the way shown below. Here it is important to note that All is chosen as the Remote Secure Group, i.e. all traffic may be encrypted by this tunnel. However, the actual selection of traffic to encrypt is made by the firewall rules, which we discuss below.
Configuration for the other end of the tunnel should be symmetrical.
Now we have to configure outbound and inbound firewall rules so that they select the traffic intended for the tunnel. In general, inbound and outbound rules should be symmetrical, and the right router's configuration must be a mirror image of the settings on the left one, so we only show how the left router is configured.
The only thing left to set up is routing on the right router. For the simple example at hand we only have to add, at the right end of the tunnel, a route to the 0.0.0.0/0 network via the device with IP address 192.168.1.2.
Now, to reach the internet, all data from the left subnet has to be carried through the tunnel to the right subnet. This completes the typical configuration.
However, not all of the actions described above can be performed successfully. For instance, in firmware versions earlier than 1.15 there is a web-interface bug that prevents administrators from using certain subnet masks when configuring the Local Secure Group and Remote Secure Group. For example, the 255.254.0.0 mask cannot be used. If an administrator needs this particular mask, he can either edit the tunnel settings file manually or update the firmware. Each of these options has its pitfalls, which we describe below.
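To make the selector logic and the mask problem concrete, here is an added Python example (written for this review, not ASUS firmware code and not from the original article). It models the Local Secure Group / Remote Secure Group decision from the scheme above, the symmetry requirement between the two tunnel ends, and a subnet-mask check that correctly accepts 255.254.0.0 as /15 while rejecting non-contiguous masks. The addresses are the article's; the function names, the mirror check and the sample packets are assumptions of this example.

```python
import ipaddress

# Added example, not ASUS code: models the traffic-selector decision an IPSec
# gateway makes from its Local/Remote Secure Group pair, plus a correct
# subnet-mask check (255.254.0.0 is a legitimate /15 and must be accepted,
# while a non-contiguous mask such as 255.0.255.0 must be rejected).


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted IPv4 mask to a prefix length, rejecting non-contiguous masks."""
    value = int(ipaddress.IPv4Address(mask))
    prefix = bin(value).count("1")
    # A valid mask is `prefix` one-bits followed by zero-bits; rebuild it and compare.
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if expected != value:
        raise ValueError(f"non-contiguous subnet mask {mask}")
    return prefix


def secure_group(address: str, mask: str) -> ipaddress.IPv4Network:
    """Build a selector from the address/mask pair the web form asks for.

    "All" in the web interface corresponds to 0.0.0.0 with mask 0.0.0.0.
    """
    return ipaddress.IPv4Network(f"{address}/{mask_to_prefix(mask)}", strict=False)


def classify(src: str, dst: str, local: ipaddress.IPv4Network,
             remote: ipaddress.IPv4Network) -> str:
    """Outbound decision for one packet: 'encrypt' if it matches the selector, else 'bypass'.

    Traffic between two hosts of the same LAN is switched locally and never
    reaches the gateway, so the 0.0.0.0/0 remote group does not catch it.
    """
    if ipaddress.IPv4Address(src) in local and ipaddress.IPv4Address(dst) in remote:
        return "encrypt"
    return "bypass"


def is_mirror(left: tuple, right: tuple) -> bool:
    """True when the right router's (local, remote) pair mirrors the left router's.

    The two tunnel ends must be symmetrical: each side's Remote Secure Group
    equals the other side's Local Secure Group.
    """
    return left[0] == right[1] and left[1] == right[0]


# Left (spoke) router from the article: its LAN goes into the tunnel, everything else is remote.
LEFT = (secure_group("192.168.0.0", "255.255.255.0"), secure_group("0.0.0.0", "0.0.0.0"))
# Right (hub) router: the mirror image.
RIGHT = (secure_group("0.0.0.0", "0.0.0.0"), secure_group("192.168.0.0", "255.255.255.0"))


if __name__ == "__main__":
    # Constructed sample packets as seen on the left router's LAN interface.
    for src, dst in [("192.168.0.10", "8.8.8.8"),        # internet via the hub
                     ("192.168.0.10", "192.168.1.50"),   # hub LAN
                     ("10.0.0.1", "8.8.8.8")]:           # not from the secure group
        print(f"{src} -> {dst}: {classify(src, dst, *LEFT)}")
    print("configurations mirror each other:", is_mirror(LEFT, RIGHT))
    for mask in ("255.254.0.0", "255.0.255.0"):
        try:
            print(f"{mask} -> /{mask_to_prefix(mask)}")
        except ValueError as exc:
            print(f"{mask} -> rejected: {exc}")
```

The mask check is the one the web interface should have performed: a mask is valid when its one-bits are contiguous, and 255.254.0.0 passes that test, so rejecting it is a bug of the form, not a property of IPSec.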
The manual correction consists of several simple steps. First, create the tunnel with one of the allowed masks, then connect to the SL1200 via telnet. After entering the login and password (which may still be admin/admin), enable privileged commands with enable, and then enter the OS command shell with shell. Then change to the /configs/acc2/ipsec directory, which contains the tunnel.conf file.

    login: admin
    Password:
    SL1200> en
    SL1200# sh
    SL1200# Command Not Found:
    SL1200# sh
    <-- Error: Ambiguous command
    SL1200# she
    prompt> pwd
    /
    prompt> ls
    backup  boot     core  etc   lib  proc   sbin  usr  voip
    bin     configs  dev   http  mnt  ramfs  tmp   var  wireless
    prompt> cd configs/
    prompt> ls
    CVS         acl_tr.db      log.conf       resolv.conf    sysinfo.db   url_filter_msg.htm
    TZ          dhcpd.conf     log.db         rip.db         sysinfo.db~  usr.local.etc
    acc2        firmwaretm.db  messages.buf   ripd.conf      syssetup.db  usr.local.share.snmp
    acl.db      fixed_dhcp.db  proxyarp.db    routetable.db  syssrv.db    var
    acl.xml     if.db          resolv-eth0.0  shadow         timeout.db   zebra.conf
    acl_srv.db  lblink.conf    resolv-eth0.1  snmp.db        timerange.db
    prompt> cd acc2/
    prompt> ls
    dhcpd_status.conf   global.mess.conf     networking.net.conf  syslogd.conf
    global.daemon.conf  ipsec                snmp.conf            system_srv_status.conf
    global.main.conf    networking.dev.conf  sntp_status.conf
    prompt> cd ipsec/
    prompt> ls
    dynamic.conf.test  status.conf  tunnel.conf
    prompt>
For convenient editing, let us upload this file to an FTP server.

    prompt> ftp
    ftp> open 192.168.0.2
    Connected to 192.168.0.2.
    220 ftpsrv Microsoft FTP Service (Version 5.0).
    Name (192.168.0.2:root): user
    331 Password required for user.
    Password:
    230 User user logged in.
    Remote system type is Windows_NT.
    ftp> binary
    200 Type set to I.
    ftp> passive
    Passive mode on.
    ftp> put tunnel.conf
    local: tunnel.conf remote: tunnel.conf
    227 Entering Passive Mode (192,168,0,2,14,146).
    125 Data connection already open; Transfer starting.
    226 Transfer complete.
    904 bytes sent in 0 secs (904 Kbytes/sec)
    ftp> bye
    221
    prompt>
The file can be edited (the subnet masks in it changed) in any text editor, after which it is downloaded in the same way from the FTP server back to the SL1200 (with the get command); then exit the built-in FTP client, leave the command shell, save the settings and restart the router.

    ftp> get tunnel.conf
    local: tunnel.conf remote: tunnel.conf
    227 Entering Passive Mode (192,168,0,2,15,254).
    125 Data connection already open; Transfer starting.
    226 Transfer complete.
    907 bytes received in 0 secs (907 Kbytes/sec)
    ftp> bye
    221
    prompt> exit
    SL1200# sa
    Wait for save to finish...
    Saving Configuration
    SL1200# relo
    Proceed with reloading the system ? [y/n]:
After the restart, the web interface shows the correct settings of the tunnel just created; however, when you try to change them, the message "Invalid Local Subnet Mask" appears. This means the restriction is enforced only when tunnel parameters are edited via the web interface.
The second way is to update the firmware at least to version 1.15. This way is simpler; however, it also has potential problems. Changing the SL1200 access password via the web interface does not change it for telnet access. Consequently, even if a complex password is used for the web interface, admin/admin remains valid for telnet. This means the password for telnet sessions has to be changed as well. Certainly, access to TCP port 23 can simply be closed in the Firewall - Advanced - Self Access menu; but in our view a better way is to change this administrative password with the passwd command in the embedded operating system console. Besides, this utility warns you if you enter a password that is too simple.

    login: admin
    Password:
    SL1200> ena
    SL1200# she
    prompt> passwd
    Changing password for root
    Enter the new password (minimum of 5, maximum of 8 characters)
    Please use a combination of upper and lower case letters and numbers.
    Enter new password:
    Bad password: too simple.
    Warning: weak password (continuing).
    Re-enter new password:
    Password changed.
    prompt> exit
    SL1200#
The telnet password must be changed as a matter of principle, but keep in mind that a firmware update restores the standard admin/admin pair, so the password has to be changed after every update. We hope there is no need to explain to the reader what can be done via telnet. The most interesting thing available from the console is the SL1200 web-interface password: if it has been changed, the /configs directory contains a webuser.db file that exposes the web-interface password (as the listing shows, it is stored as plain text). Oh yes, password protection is truly up to the mark here!..

    prompt> pwd
    /configs
    prompt> ls
    CVS         acl_tr.db      log.conf       resolv.conf    sysinfo.db    url_filter_msg.htm
    TZ          dhcpd.conf     log.db         rip.db         sysinfo.db~   usr.local.etc
    acc2        firmwaretm.db  messages.buf   ripd.conf      syssetup.db   usr.local.share.snmp
    acl.db      fixed_dhcp.db  proxyarp.db    routetable.db  syssrv.db     var
    acl.xml     if.db          resolv-eth0.0  shadow         timeout.db    webuser.db
    acl_srv.db  lblink.conf    resolv-eth0.1  snmp.db        timerange.db  zebra.conf
    prompt> cat webuser.db
    admin passwd newpass
    guest passwd guest
    prompt>
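As an added defensive check (example code written for this review, not ASUS software): a small audit that reads a credential record in the webuser.db layout shown in the listing above together with a constructed telnet record, and reports factory-default passwords, passwords that break the rules the passwd utility quotes (5 to 8 characters, upper and lower case letters and digits), and the case the text warns about, where the web password was changed but the telnet one was not. The webuser.db layout is the one in the listing; the telnet record format, the function names and the sample data are assumptions of this example.

```python
import re

# Added example, not ASUS code. Audits router credential records for the two
# problems the article describes: the factory admin/admin pair coming back
# after a firmware update, and weak passwords. The '<user> passwd <password>'
# layout is the one shown in the article's webuser.db listing; the telnet
# record below is a constructed sample, not the router's real storage format.

FACTORY_DEFAULTS = {("admin", "admin"), ("guest", "guest")}

# Rules quoted by the router's passwd utility.
MIN_LEN, MAX_LEN = 5, 8
CHARACTER_CLASSES = {
    "no lower-case letter": re.compile(r"[a-z]"),
    "no upper-case letter": re.compile(r"[A-Z]"),
    "no digit": re.compile(r"[0-9]"),
}


def parse_webuser_db(text: str) -> dict:
    """Parse '<user> passwd <password>' lines into {user: password}; skip anything else."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1] == "passwd":
            records[fields[0]] = fields[2]
    return records


def password_problems(password: str) -> list:
    """Return the policy rules a password breaks (an empty list means it passes)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length not between {MIN_LEN} and {MAX_LEN}")
    for label, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            problems.append(label)
    return problems


def audit_service(service: str, records: dict) -> list:
    """Findings for one service (web or telnet), as human-readable strings."""
    findings = []
    for user, password in records.items():
        if (user, password) in FACTORY_DEFAULTS:
            findings.append(f"{service}: {user} still has the factory default password")
        for problem in password_problems(password):
            findings.append(f"{service}: {user}: {problem}")
    return findings


def audit_router(web_db_text: str, telnet_records: dict) -> list:
    """Audit both services and flag a web password change that left telnet untouched."""
    web = parse_webuser_db(web_db_text)
    findings = audit_service("web", web) + audit_service("telnet", telnet_records)
    if ("admin", web.get("admin")) not in FACTORY_DEFAULTS \
            and ("admin", telnet_records.get("admin")) in FACTORY_DEFAULTS:
        findings.append("telnet: admin password was not updated along with the web password")
    return findings


# Constructed sample data for this example (the web record mirrors the article's listing).
SAMPLE_WEBUSER_DB = "admin passwd newpass\nguest passwd guest\n"
SAMPLE_TELNET = {"admin": "admin"}

if __name__ == "__main__":
    for finding in audit_router(SAMPLE_WEBUSER_DB, SAMPLE_TELNET):
        print(finding)
```

Run after every firmware update, such a check catches exactly the regression the text describes: the web account looks fine while the telnet account has silently gone back to the factory default.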
Here we conclude our brief review of useful features of the ASUS SL1200 and hope that the material presented will help users of this device to better understand the full range of functions of this router series.