An Open Access Peon

04 September 2008

DG834/DG834G to OpenSwan VPN

The Netgear DG834 ADSL routers support IPsec-based Virtual Private Networks (VPN). The DG834 uses the open source Openswan software (http://www.openswan.org/). This post gives the configuration I used to connect the intranet LAN behind a DG834 to a Ubuntu-based Linux server on another LAN across the Internet.

Here's my setup:

NAS - [192.168.0.1] DG834G [starsky] - {inet}

{inet} - [hutch] ADSL ROUTER [192.168.1.1] - Backup

Where:
  • The NAS is a Western Digital network drive.
  • The Backup is a normal PC running Ubuntu with RAID 5 SATA storage.
  • Both ADSL connections have static IPs.
  • starsky's public IP is 10.1.1.1
  • hutch's public IP is 10.2.2.2
  • Backup is set as the DMZ server in ADSL ROUTER.
The goal was to copy data from the NAS to the Backup and to provide Windows share access to the Backup from the 192.168.0.0/24 subnet.

The DG834G is running firmware version V2.10.22. I used the VPN Wizard to set up the VPN endpoint initially and then revised it in the VPN policy editor. The Policy Name can be anything (e.g. "Bob"). As I want this connection to be up all the time I enabled "IKE Keep Alive" and set the connection to "Initiator and Responder". The Address Data is the host name of ADSL ROUTER (hutch). The Pre-shared Key is the only thing authenticating the two ends, so it should be long and random rather than a memorable phrase.



On Backup I installed Openswan, accepting the defaults during installation:

$ sudo apt-get install openswan

I added to /etc/ipsec.conf:


conn Bob
    type=tunnel
    # this (left) end: Backup, reached through hutch's public IP
    leftid=10.2.2.2
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    # the other (right) end: the DG834G, starsky's public IP
    right=10.1.1.1
    rightsubnet=192.168.0.0/24
    keyexchange=ike
    # bring the tunnel up as soon as Openswan starts
    auto=start
    auth=esp
    # authenticate with the pre-shared key from /etc/ipsec.secrets
    authby=secret
    # no fresh Diffie-Hellman exchange in Quick Mode (no Perfect Forward Secrecy)
    pfs=no
    # Backup will not request renegotiation when the SAs expire, though it still
    # answers rekeys that the DG834G initiates
    rekey=no
    # algorithms must match the DG834G's VPN policy; 3DES/SHA1 with a 1024-bit
    # DH group is weak by today's standards, so keep the pre-shared key strong
    ike=3des-sha1-modp1024
    esp=3des-sha1


And to /etc/ipsec.secrets (the pre-shared key must be the same as the one entered into the DG834; the file holds the key in clear text, so keep it readable by root only):

# secrets for "Bob"
# hutch starsky
10.2.2.2 10.1.1.1: PSK "pre-shared key"


I then restarted Openswan:

sudo /etc/init.d/ipsec restart

Once the VPN has established (look in /var/log/auth.log) I can access Backup by browsing to its IP address: //192.168.1.100/SHARENAME.
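To check the Backup side without eyeballing auth.log, here is an added example: shell functions written for this write-up, not code from the post or from Openswan. It generates a random pre-shared key, writes ipsec.secrets with owner-only permissions, tells a completed negotiation (Pluto's "IPsec SA established" line) apart from a stalled one, and checks IP forwarding, which Backup needs before any other 192.168.1.0/24 host can use the tunnel (those hosts also need a route for 192.168.0.0/24 via Backup). The log excerpts inside make_sample_logs are constructed to follow Pluto's message format and the SPIs in them are made up; the functions take file paths so they can be run against a scratch directory rather than /etc.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the Backup
# (Openswan) side of the tunnel.  File paths are parameters so the
# functions can be exercised in a scratch directory instead of /etc.
set -eu

# A pre-shared key that is hard to guess: 32 random bytes, base64 encoded
# (44 characters), rather than a passphrase someone might type.
make_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write ipsec.secrets for the Backup (left) <-> starsky (right) pair.
# The key is stored in clear text, so the file is created mode 0600.
# Usage: write_secrets DIR LEFT_IP RIGHT_IP PSK
write_secrets() {
    dir=$1; left=$2; right=$3; psk=$4
    ( umask 077
      printf '# secrets for "Bob"\n%s %s: PSK "%s"\n' "$left" "$right" "$psk" \
          > "$dir/ipsec.secrets" )
}

# True if FILE is readable and writable by its owner only (mode 0600).
secrets_perms_ok() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# True if Pluto's log shows conn NAME reaching Quick Mode state I2/R2, i.e.
# "IPsec SA established".  Phase 1 alone ("ISAKMP SA established") is not
# enough: no traffic flows until the IPsec SA exists.
# Usage: tunnel_established NAME LOGFILE
tunnel_established() {
    grep -q "\"$1\" #[0-9]*: STATE_QUICK_[IR]2: .*IPsec SA established" "$2"
}

# Hosts on 192.168.1.0/24 other than Backup can only reach 192.168.0.0/24
# if Backup forwards packets (and they route 192.168.0.0/24 via Backup).
# Usage: ip_forward_enabled [FILE]   (FILE defaults to the live proc entry)
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Constructed log excerpts (not from a real system): one successful
# negotiation and one where the peer never answered our first IKE message.
# Usage: make_sample_logs DIR   -> DIR/ok.log, DIR/fail.log
make_sample_logs() {
    cat > "$1/ok.log" <<'EOF'
Sep  4 21:03:11 backup pluto[2714]: "Bob" #1: initiating Main Mode
Sep  4 21:03:12 backup pluto[2714]: "Bob" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Sep  4 21:03:12 backup pluto[2714]: "Bob" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Sep  4 21:03:13 backup pluto[2714]: "Bob" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x3f8a1c02 <0x9b4e7d11 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
EOF
    cat > "$1/fail.log" <<'EOF'
Sep  4 21:10:01 backup pluto[2714]: "Bob" #3: initiating Main Mode
Sep  4 21:10:41 backup pluto[2714]: "Bob" #3: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
EOF
}

# Demonstration against a scratch directory.
demo() {
    d=$(mktemp -d)
    write_secrets "$d" 10.2.2.2 10.1.1.1 "$(make_psk)"
    secrets_perms_ok "$d/ipsec.secrets" && echo "ipsec.secrets is mode 0600"
    make_sample_logs "$d"
    tunnel_established Bob "$d/ok.log"   && echo "ok.log: tunnel up"
    tunnel_established Bob "$d/fail.log" || echo "fail.log: tunnel not up"
    rm -rf "$d"
}

demo
```

On the live box, `tunnel_established Bob /var/log/auth.log` answers the same question as scanning the log by hand, and `ipsec auto --status` shows Openswan's current view of each conn.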

I'm not sure with the above configuration you can access the 192.168.1 subnet from the 192.168.0 subnet. Answers on a postcard ...


ADSL ROUTER is actually a DG834Gv4, but the firmware seems to be buggy. In the default firmware it won't allow Windows shares to be accessed across it, and in the latest firmware (V5.01.09) the VPN connection is unreliable and won't re-establish unless the router is rebooted.

The above "works for me", but I'm by no means an IPSEC or Openswan expert so welcome any feedback/corrections.

1 Comment:

  • Thank you for posting this. I just followed your guide and set up an Amazon EC2 micro instance which is now on my home LAN. Worked first time. Cheers!

    By Anonymous, at 1:10 am
