2015. 3. 15. 23:23

Configuring Cisco’s Small Business RV120W Wireless-N VPN Firewall

Cisco RV120W Wireless-N VPN Firewall is a wireless router designed to give home and small business users a reasonably-priced option for setting up remote VPN access. This document describes how to set up Cisco's router in a network topology that consists of two subnets, an outer one for daily use and an inner one for development, shown in Figure 1:

Figure 1: The design of a network consisting of two subnets with VPN access to the inner subnet.

Despite the term "QuickVPN" that Cisco uses to describe this device, neither their official documentation nor the information available online paint a full picture of exactly how to get the VPN up and running. The steps in this document were arrived at through quite a bit of trial and error and will hopefully be of use to others trying to configure a similar setup. First, know that the device supports two VPN protocols: Cisco's QuickVPN protocol and the Point-to-Point Tunneling Protocol (PPTP). Each option comes with limitations:

  • QuickVPN: Using this protocol requires installing Cisco's QuickVPN client software on every client device. Be aware that the client application only runs on Windows. Mac and Linux clients will not be able to connect to the VPN unless it is configured with the next option, PPTP.
  • PPTP: The advantage of this protocol is that it is natively supported by both Windows and Mac clients and does not require the installation of any additional software. A slight disadvantage is Cisco's decision to limit the device to a maximum of five simultaneous PPTP connections. A much more significant disadvantage is the following:

PPTP is (as of Oct 2012) considered cryptographically broken and its use is no longer recommended by Microsoft.
- Wikipedia

This device can work fine if all of the clients are running Windows, but the options for Mac and Linux users aren't great. Below are instructions for configuring a VPN that supports both protocols. However, the use of PPTP is not recommended unless wrapped in an additional layer of encryption for security.

Router configuration

  1. Router configuration was done from a Windows 7 computer connecting via Ethernet with the network interface set to obtain its IP address dynamically using DHCP. Start by opening a browser and pointing it to 192.168.1.1.

Figure 2

  2. Log in with username admin and password admin.
  3. Cancel the setup wizard.

Figure 3

  4. Change the administrator password to something else.

Figure 4

  5. Download the latest router firmware from Cisco and update at Administration > Firmware Upgrade. The latest firmware as of this writing is 1.0.3.10.

Figure 5

  6. Get the IP addresses of the DNS servers provided by the DHCP server.
  7. Go to Networking > WAN (Internet) > IPv4 WAN (Internet) and make the following changes:
    • Internet connection type: Static IP
    • IP address: 10.1.1.2
    • Subnet mask: 255.255.255.0
    • Default gateway: 10.1.1.1
    • Primary DNS: [Primary DNS IP]
    • Secondary DNS: [Secondary DNS IP]

Figure 6

  8. Go to Networking > LAN (Local Network) > IPv4 LAN (Local Network) and make the following changes:
    • Host name: Zeus
    • IP address: 10.11.11.1
    • Subnet mask: 255.255.255.0
    • DHCP mode: DHCP server
    • Domain name: Zeus
    • Starting IP address: 10.11.11.50
    • Ending IP address: 10.11.11.99
    • Primary DNS: [Primary DNS IP]
    • Secondary DNS: [Secondary DNS IP]

Figure 7

  9. Wait for the router to reboot and connect to it over Ethernet at 10.11.11.1.
  10. Go to Wireless > Basic settings, select the first entry, click Edit to change the SSID name and click Save.

Figure 8

  11. Select the first entry again, click Edit Security Mode and make the following changes:
    • Security: WPA2 Personal
    • Encryption: AES
    • Key: [Make up a key]

Figure 9

  12. Go to Firewall > Attack prevention and make the following changes:
    • Respond to ping on WAN: Enable
    • Block fragmented packets: Disable

Figure 10

  13. Go to Security > SSL certificate, click Generate Certificate and make the following changes:
    • Name: Zeus
    • Subject: Zeus

Figure 11

  14. Click Export for Client... and save the file as Zeus.pem. This file is needed by the QuickVPN client.
  15. Click on Administration > Management interface > Web Access and make the following changes:
    • Remote management: Enable
    • Port number: 60433

Figure 12

  16. Click on VPN > IPSec > Basic VPN Setup and make the following changes:
    • Type: VPN client
    • New connection name: Zeus
    • Preshared key: [Make up a preshared key]
    • Local LAN IP address: 10.11.11.1
    • Local LAN subnet mask: 255.255.255.0

Figure 13

  17. Do the following to allow users to connect using PPTP:
    1. Click on VPN > IPSec > VPN Users and make the following changes:
      • PPTP Server: Enable
      • Starting IP address: 10.11.11.100
      • Ending IP address: 10.11.11.105

Figure 14

    2. Click Save.
    3. Click Add and make the following changes:
      • Username: [Your username]
      • Password: [Your password]
      • Protocol: PPTP
      • Enabled: Yes

Figure 15

    4. Click Save.
  18. Do the following to allow users to connect using QuickVPN:
    1. Click on VPN > IPSec > VPN Users.
    2. Click Add and make the following changes:

Figure 16
Note that the PPTP server doesn’t have to be enabled for QuickVPN but the two protocols can be supported simultaneously.

    3. Click Save.

Client configuration

QuickVPN client on Windows 7

  1. Unzip and install the QuickVPN client from Cisco.
  2. Copy the Zeus.pem that was downloaded from the VPN router to the following location on the client computer:
    C:\Program Files (x86)\Cisco Small Business\QuickVPN Client\
  3. Run the QuickVPN client with the following settings:
    • Profile name: Zeus
    • Server address: 10.1.1.2
    • Port for QuickVPN: 60443
    • Use remote DNS server: Yes

Figure 31

  4. You can save the profile so you don’t have to enter it again.
  5. The QuickVPN client window changes once a connection has been established:

Figure 32

  6. Note that the connection won’t show up in Windows networking, nor will you be assigned an IP address on the remote network. You can check the connection by pinging a machine on the remote network.

PPTP on Windows 7

  1. Open the Network and Sharing Center and click on Set up a new connection or network:

Figure 17

  2. Select Connect to a workplace:

Figure 18

  3. Select Use my Internet connection (VPN):

Figure 19

  4. Enter the IP address of the server and give the VPN connection a name:

Figure 20

  5. Enter the username and password of a VPN user:

Figure 21

  6. Click Connect and wait for the connection to establish. The process may hang for a bit at the SSTP step:

Figure 22

  7. Connection established:

Figure 23

  8. Now the new VPN network shows up. Note the client has been assigned an IP address in the 10.11.11.101-105 range:

Figure 24

PPTP on Mac OS

  1. Open system preferences and click on Network.

Figure 25

  2. Click on the plus sign to add a new network service.

Figure 26

  3. Make the following changes:
    • Interface: VPN
    • VPN Type: PPTP
    • Service name: Zeus

Figure 27

  4. Click Create.
  5. Enter the IP address of the server and your username and click Apply.

Figure 28

  6. Click Connect and enter the name and password of a VPN user.

Figure 29

  7. You are now connected to the VPN and have been assigned an address in the PPTP block.

Figure 30

QuickVPN password restrictions

Cisco's QuickVPN client software contains a bug where the use of special characters in a user's password causes the client to fail with a very generic error:

Figure 33

Unfortunately the actual source of the problem isn’t on the list: the QuickVPN client is shelling out to wget to start the remote connection but does not encode the password properly:

C:\Program Files (x86)\Cisco Small Business\QuickVPN Client>wget https://wcrane2:gppL#nM0@10.1.1.2:60443/StartConnection.htm?version=1?IP=10.1.1.102?PASSWD=gppL#nM0?USER=wcrane2

The above URL is invalid and results in a slightly cryptic response that the QuickVPN client interprets as failure:

https://wcrane2:gppL#nM0@10.1.1.2:60443/StartConnection.htm?version=1?IP=10.1.1.102?PASSWD=gppL#nM0?USER=wcrane2: Bad port number.

Changing the password to remove the offending "#" character changes the command to something valid:

C:\Program Files (x86)\Cisco Small Business\QuickVPN Client>wget https://wcrane2:gppLnM0@10.1.1.2:60443/StartConnection.htm?version=1?IP=10.1.1.102?PASSWD=gppLnM0?USER=wcrane2

The client now receives a successful response and ultimately establishes a connection to the server:

--18:04:44-- https://wcrane2:*password*@10.1.1.2:60443/StartConnection.htm?version=1?IP=10.1.1.102?PASSWD=*password*?USER=wcrane2
=> `StartConnection.htm@version=1%3FIP=10.1.1.102%3FPASSWD=%2Apassword%2A%3FUSER=wcrane2'
Connecting to 10.1.1.2:60443... connected.
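The "Bad port number" error follows directly from URL syntax: "#" begins a fragment, so everything from the "#" onward is discarded by the URL parser and the authority wget is left with is "wcrane2:gppL", which makes "gppL" the port. The following Python is an added illustration (not part of the original post and not Cisco's code) that reproduces that parse, shows what the same request looks like with the values percent-encoded, and gives an administrator a quick check for whether a chosen QuickVPN password contains characters the unencoded client command cannot carry. The "?"-separated query layout and the example values are copied from the wget command above; the function names are my own, and the password check is inferred from the "#" failure on this page rather than from any documented Cisco rule.

```python
from urllib.parse import quote, unquote, urlsplit


def naive_start_url(user, password, server, port, client_ip):
    # Builds the URL the way the QuickVPN client's wget command shows it:
    # credentials and query values pasted in verbatim, nothing encoded.
    return (f"https://{user}:{password}@{server}:{port}/StartConnection.htm"
            f"?version=1?IP={client_ip}?PASSWD={password}?USER={user}")


def encoded_start_url(user, password, server, port, client_ip):
    # Same layout as above (kept as the page shows it; not Cisco's code), but
    # every user-supplied value is percent-encoded with no characters exempted,
    # so '#', '@', '?', ':' and '/' can no longer be mistaken for delimiters.
    u, p, ip = (quote(v, safe="") for v in (user, password, client_ip))
    return (f"https://{u}:{p}@{server}:{port}/StartConnection.htm"
            f"?version=1?IP={ip}?PASSWD={p}?USER={u}")


def parsed_authority(url):
    # Mimics what any RFC 3986 parser (wget included) sees: text after the
    # first '#' is a fragment and never reaches the host/port logic.
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        port = None  # non-numeric port text, i.e. wget's "Bad port number"
    return parts.hostname, port, unquote(parts.password or "")


def quickvpn_safe_password(password):
    # True when the password survives percent-encoding unchanged, i.e. it uses
    # only RFC 3986 unreserved characters and cannot break the client's
    # unencoded URL. Assumption based on the '#' failure shown on this page.
    return quote(password, safe="") == password


if __name__ == "__main__":
    args = ("wcrane2", "gppL#nM0", "10.1.1.2", 60443, "10.1.1.102")
    print("naive:  ", parsed_authority(naive_start_url(*args)))
    print("encoded:", parsed_authority(encoded_start_url(*args)))
    print("safe?   ", quickvpn_safe_password(args[1]))
```

Note that even with correct encoding the client still places the password in the URL itself, which is why the wget output on this page has to mask it as *password*; the encoding fix only addresses the parse failure, not that design.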