Full Text Searchable PDF User Manual
VPN Setup for CNet’s CWR-854 802.11g Wireless Router
The instructions below are for getting an IPSec client to connect CNet’s wireless
broadband router CWR-854(F) with VPN capability. The VPN feature can be used for
secure remote access to a home or work network from anywhere on the Internet.
VPN Client Software
used for this test is SSH-Sentinel v1.4 which is free for non-
Connect securely to home/work computers over the Internet. You could be at work, at a
friend’s house or on the road.
A solid broadband connection to the Internet at home or work where CWR-854 is
used. CWR-854 needs to be configured for IPSec VPN capability
A client system with a VPN client software. We used SSH-Sentinel VPN client
software ( a trial version is available on the Internet)
In the first scenario we will be working with two computers and a CWR-854 VPN router.
The assumption is that we are away from home and need to access a computer on the
home network connected to CWR-854. The computer we’re working from is connected
to the Internet through a Cable/DSL modem or we are dialing up using a modem.
In the second scenario, the client system is also behind a NAT route. In this case the
computer we’re working on is connected to a router and through a Cable/DSL modem to
To configure VPN both on the client system as well as the router, we need to know about
the IP address schema used on the home network. By default the LAN IP of CWR-854 is
192.168.1.254. Computers that are be accessed from the Internet are better to have a
fixed IP address assigned to them. Below are what we need to know:
Home WAN IP address (this is the WAN IP of the VPN router CWR-854 used at home
or work) for example: 126.96.36.199
Home LAN IP address: (Default LAN IP of CWR-854 is 192.168.1.254)
Home LAN IP Network : (Default is 192.168.1.0, Subnet 255.255.255.0)
Computer to be accessed on the home network: 192.168.1.100
VPN Client (remote) computer on the Internet for example: 188.8.131.52
Router’s VPN Configuration:
Please use the routers’s default IP address 192.168.1.254 to access its configuration.
As shown above, CWR-854 can store 10 different VPN profiles. We need to enable
IPSec VPN and then click on edit to configure the first profile.
Use any name for the connection.
Authentication will be through the Pre-Shared Key (PSK). Basically anyone who
wants to have VPN connectivity to the router needs to have this key. We will
later on use this same key in the client configuration.
The next step is to enter the IP information for Local and remote sites. For local
site choose “Subnet Address” to allow access to the whole LAN network. For
remote site, choose “Any Address” so that the router accepts VPN requests from
any IP address.
Both local and remote systems are identified by IP.
Key management is auto (IKE). Click the advance key to see the settings for
phase 1 and 2 negotiations. In phase 1 peers are authenticated to each other and a
secure encrypted link is established to start phase 2 which is the actual negotiation
of security services for the IPSec-compliant VPN channel. As you can see in the
next image, 3DES and MD5 are the chosen encryption and authentication
methods and for additional security PFS (Perfect Forward Secrecy) is also
The last step to finalize VPN configuration is to enter the PSK (Pre-Shared Key) and
save settings. The router is now ready to accept incoming VPN connections.
In this scenario the remote system is behind a NAT router for example another CWR-
854. The connection is from VPN client >> NAT router>> Cable/DSL modem >>
Internet >>Cable/DSL modem >>VPN router.
The only difference in the configuration with scenario one is to configure the VPN
router’s remote site to be “NAT-T any address” as below picture shows:
VPN Client Configuration
The client software used for this test is SSH-Sentinel v1.4.
The SSH Sentinel software is configured in two steps. The first one involves the
creation of a key management and the second one is the actual VPN security policy.
After the software is installed, right click on the Sentinel icon in the task bar and
select “Run Policy Editor”.
Configuring SSH Sentinel Key Management
From the SSH Sentinel policy editor, click on “Key Management” tab. Then select
the add button under “My Keys” folder.
From the “New Authentication Key” window, select the “create a pre-shared key”
radio button and click next.
In the next window, type a name and the same exact key you have entered in the
router’s VPN configuration and click “Finish”.
Configuring SSH Sentinel Security Policy
From the Security Policy window, click on the “Security Policy” tab, select VPN
connections and click on “Add” button.
In the “Add VPN Connection” window, enter an IP address or a Domain Name
associated with the WAN IP of the CNet router. For remote network, click the “…”
micro button and enter the remote network information. The default LAN network
address of CWR-854 is 192.168.1.0 with 255.255.255.0 for subnet mask.
Click OK to save the changes and return to the “Rule Properties” window.
Click on the IPSec/IKE proposal settings button to view proposal parameters.
Click OK to go back to “Rule Properties” window. Click on the Advanced tab to
view Security association lifetimes as well as Audit and some other advanced
If the VPN client system is sitting behind a NAT device, you’ll need to check the box
next to “Pass NAT device” using NAT-T.
At this stage we’ve completed SSH Sentinel configuration and we are ready to
perform a diagnostic test. Click OK to go back to the SSH Sentinel Policy Editor
window and click “Apply” to update security policy changes we’ve made.
Now click on “Diagnostics” to start probing the connection to the VPN server. If
Diagnostics complete successfully, it means that you can establish an IPSec protected
connection to the VPN server.
We can now use the SSH Sentinel icon in the task bar, select the VPN server and
establish the VPN tunnel.
Testing VPN Connection
To test the VPN connection, bring up a DOS window and try a ping to the IP address
of one of the computers at home. If ping is successful then the connection is
established and you should be able to see and map network drives to systems behind
the VPN router.