  • Application Note

    GRE over IPsec + OSPF

    between RobustOS and Cisco

    Version: v.1.0.0

    Date: 2017-08-25

    Status: Confidential

    Doc ID: GRE over IPsec + OSPF between RobustOS and Cisco_v1.0.0

    Author: Vivian Chen

    www.robustel.com

  • GRE over IPsec + OSPF with Cisco Router for RobustOS

    1

    Contents

    Chapter 1 Introduction................................................................................................................................... 2

    1.1 Overview ....................................................................................................................................... 2

    1.2 Assumptions .................................................................................................................................. 2

    1.3 Rectifications ................................................................................................................................. 3

    1.4 Version .......................................................................................................................................... 3

    Chapter 2 Application Topology...................................................................................................................... 4

    Chapter 3 Configuration ................................................................................................................................. 5

    3.1 Cisco Configuration ........................................................................................................................ 5

    3.2 R2000_ROS Configuration .............................................................................................................. 7

    3.2.1 Configure Link Manager ................................................................................................................... 7

    3.2.2 Configure Cellular WAN .................................................................................................................... 8

    3.2.3 Configure LAN IP Address ............................................................................................................... 11

    3.2.4 IPsec Configuration ........................................................................................................................ 12

    3.2.5 GRE Configuration .......................................................................................................................... 16

    3.2.6 Configure OSPF dynamic route ....................................................................................................... 16

    Chapter 4 Testing ......................................................................................................................................... 18

    4.1 Network Status ............................................................................................................................ 18

    4.2 VPN Status and Communication of ROS ....................................................................................... 18

    4.3 VPN Status and Communication of Cisco ...................................................................................... 21

    4.4 Event/Log .................................................................................................................................... 22


    Chapter 1 Introduction

    1.1 Overview

    RobustOS (hereafter ROS) is the operating system for Robustel's IoT gateways, released in 2015. It is a modular, open software platform that supports third-party development through an SDK/API, and it supports a range of routing and VPN protocols for different application scenarios. The configuration web interface of ROS differs slightly from the older platform of the existing R3000 series.

    VPN (Virtual Private Network) is a technology that establishes a private network tunnel over a public network. GRE over IPsec is a LAN-to-LAN or remote-access VPN technique that combines GRE and IPsec, so that traffic crossing the public network receives end-to-end encryption and authentication.

    This application note is written for customers who have a good understanding of Robustel products and experience with VPNs. It shows how to configure and test a GRE over IPsec VPN between ROS and a Cisco router across the cellular network.

    1.2 Assumptions

    The features of GRE over IPsec VPN have been fully tested, and this Application Note is written by a technically competent engineer who is familiar with Robustel products and the application requirements.

    This Application Note is based on:

    Product Model: Robustel GoRugged R2000 industrial cellular VPN router.

    Firmware Version: R2000_ROS_V3.0.0.

    Configuration: This Application Note assumes the Robustel products are set to factory defaults. Most configuration steps are only shown where they differ from the factory default settings.


    A public IP address, either dynamic or static, must be assigned to the WAN interface of the R2000 router. If the R2000 works with a dynamic public IP address, a dynamic DNS service must be used to map the changing public IP address to a static domain name.

    1.3 Rectifications

    Corrections and rectifications to this Application Note are appreciated; requests for new Application Notes should also be sent to the email address [email protected].

    1.4 Version

    Updates between document versions are cumulative; therefore, the latest document version contains all updates made to previous versions.

    Release Date    Firmware Version    Change Description
    2017-8-25       v.1.0.0             Initial Release


    Chapter 2 Application Topology

    1. The Cisco router runs as the central router and has either a static public IP address or a dynamic public IP address with a domain name.

    2. The R2000 works with a static public IP address.

    3. A GRE over IPsec VPN is established between the central Cisco router and the R2000; internal traffic from ROS (192.168.1.0/24) to the Cisco router (172.16.10.0/24) is encrypted, and vice versa.

    Note: Both peer devices should have a fixed public IP address, because each must specify the peer's public IP when establishing the GRE tunnel, and the tunnel packets must be able to traverse the public network between them.


    Chapter 3 Configuration

    3.1 Cisco Configuration

    Enter configuration mode and check the IOS version of the Cisco router. The router must be in Enable mode before you enter configuration mode (e.g. type "configure terminal").

    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption

    The entries below set the host name of the Cisco router.

    hostname cisco2811
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$ROMx$RGJMeV3dfHuOQu0z7Ffjh.

    The entries below define the Internet Security Association and Key Management Protocol (ISAKMP) policy, which corresponds to the IKE configuration on ROS. They show that Cisco uses 3DES as the encryption algorithm, MD5 as the hash algorithm, pre-shared keys as the authentication method, and Diffie-Hellman group 2.

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2

    The following entry defines the pre-shared key and the remote peer (12.1.1.1) it applies to.

    crypto isakmp key 0 cisco address 12.1.1.1

    The following entries define an IPsec transform set called "TRA", which contains the settings required for the IPsec VPN: ESP with 3DES for encryption and ESP with MD5-HMAC for authentication, in transport mode.

    crypto ipsec transform-set TRA esp-3des esp-md5-hmac
     mode transport

    The entries below set up the GRE VPN of the Cisco router. Explanatory lines start with "!" (the IOS comment character).

    ! Create the IPsec profile
    crypto ipsec profile IPSPRO
     ! Apply the transform set to the IPsec profile
     set transform-set TRA
    !
    interface Tunnel1
     ! Virtual IP address for the GRE VPN
     ip address 123.1.1.2 255.255.255.0
     ! Ignore the MTU mismatch so that the OSPF neighbor can be built
     ip ospf mtu-ignore
     tunnel source 58.1.1.1
     tunnel destination 12.1.1.1
     tunnel key 123456
     ! Apply the IPsec profile to the tunnel
     tunnel protection ipsec profile IPSPRO

    The Cisco router is connected to the Internet on FastEthernet0/0 and its LAN is connected to FastEthernet0/1. The crypto profile must be applied to the WAN interface.

    interface FastEthernet0/0
     ip address 58.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 172.16.10.1 255.255.255.0
     duplex auto
     speed auto
    !

    The following entries configure OSPF on the Cisco router.

    router ospf 1
     router-id 1.1.1.1
     network 172.16.10.0 0.0.0.255 area 0
     network 123.1.1.0 0.0.0.255 area 0

    Save the configuration of the Cisco router.

    copy running-config startup-config
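    Before deploying this configuration it is worth checking the algorithm choices it contains: 3DES, MD5, Diffie-Hellman group 2 and a short plaintext pre-shared key are what the note's IOS 12.4 router was tested with, but none of them is considered adequate today. The following Python script is an added example, not code from the application note, Robustel or Cisco: it walks the crypto-related lines of the configuration above (copied inline as a constructed sample) and reports which settings a reviewer would flag. The severity labels, the set of "weak" names and the 16-character key threshold are this example's own choices.

```python
"""Audit the crypto-related lines of a Cisco IOS configuration for weak choices.

Added example; not code from the application note, Robustel or Cisco.
The sample below is copied from the note's Cisco section. The classification
of 3DES, MD5 and DH group 2 (1024-bit MODP) as weak follows current guidance;
the severity labels and the key-length threshold are this script's own.
"""

# Constructed sample: the relevant lines of the application note's Cisco config.
SAMPLE_CONFIG = """\
no service password-encryption
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 cisco address 12.1.1.1
crypto ipsec transform-set TRA esp-3des esp-md5-hmac
 mode transport
"""

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac", "sha", "esp-sha-hmac"}   # "sha" in IOS means SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}                              # 768/1024/1536-bit MODP
MIN_PSK_LEN = 16                                              # this example's threshold


def audit_crypto_config(config_text):
    """Return a list of (severity, message) findings for the given IOS config text."""
    findings = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        line = " ".join(tokens)
        arg = tokens[1] if len(tokens) > 1 else ""
        if line == "no service password-encryption":
            findings.append(("medium", "password obfuscation disabled; secrets appear in clear in the config"))
        elif tokens[0] == "encr" and arg in WEAK_ENCRYPTION:
            findings.append(("high", f"IKE encryption {arg} is deprecated; prefer AES"))
        elif tokens[0] == "hash" and arg in WEAK_HASH:
            findings.append(("high", f"IKE hash {arg} is deprecated; prefer SHA-2"))
        elif tokens[0] == "group" and arg in WEAK_DH_GROUPS:
            findings.append(("high", f"DH group {arg} is too small; prefer group 14 or stronger"))
        elif tokens[:3] == ["crypto", "isakmp", "key"] and len(tokens) >= 7:
            # form: crypto isakmp key <type> <key> address <peer>
            key_type, key, peer = tokens[3], tokens[4], tokens[6]
            if key_type == "0" and len(key) < MIN_PSK_LEN:
                findings.append(("high", f"pre-shared key for peer {peer} is a short plaintext key ({len(key)} chars)"))
        elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            for transform in tokens[4:]:
                if transform in WEAK_ENCRYPTION or transform in WEAK_HASH:
                    findings.append(("high", f"transform-set {tokens[3]} uses deprecated {transform}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_crypto_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

    Run against the sample it reports six high findings and one medium one; a policy using AES, SHA-2 and DH group 14 produces none.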


    3.2 R2000_ROS Configuration

    3.2.1 Configure Link Manager

    1. Install the antenna, insert the SIM card in the R2000, power on the R2000 and log in to the R2000's Web GUI page.

    Note: Factory settings when logging in to the Web GUI

    Item           Description
    Username       Admin
    Password       Admin
    ETH0           192.168.0.1/255.255.255.0, LAN Mode
    ETH1           192.168.0.1/255.255.255.0, LAN Mode
    DHCP Server    Enabled

    2. Browse to Interface > Link Management.

    Click the drop-down box of Primary Link and select WWAN1.

    Click Submit.

    Click Save & Apply.


    3.2.2 Configure Cellular WAN

    1. Browse to Interface > Link Management > Link Settings.

    Click the modification box of WWAN1.

    Enter the related parameters in WWAN Settings.

    Enter the related parameters in Ping Detection Settings.

    Click Submit.

    Click Save & Apply.

    Item            Description                                                            Setting
    Primary Link    Select "WWAN1", "WWAN2" or "WAN" as the primary connection interface   WWAN1


    ● When "Automatic APN Selection" is enabled, the window is displayed as in the following screenshot.

    Item              Description                                                                              Setting
    Dialup Number     Dialup number for the cellular dial-up connection, provided by the local ISP             *99***1#
    Data Allowance    Set the monthly data traffic limit                                                       0
    Billing Day       The day of the month on which billing occurs; the data traffic statistics are            1
                      recalculated from this day


    ● When "Automatic APN Selection" is disabled, the window is displayed as in the following screenshot.

    Item        Description                                                                        Setting
    APN         Access Point Name for the cellular dial-up connection, provided by the local ISP   Internet
    Username    User name for the cellular dial-up connection, provided by the local ISP           Null
    Password    Password for the cellular dial-up connection, provided by the local ISP            Null

    Item                Description                                                                         Setting
    Primary Server      The router pings this primary address/domain name to check whether the current      8.8.8.8
                        connectivity is active
    Secondary Server    The router pings this secondary address/domain name to check whether the current    NULL
                        connectivity is active
    Interval            Set the ping interval                                                               10
    Retry Interval      Set the ping retry interval                                                         3
    Timeout             Set the ping timeout                                                                1
    Max Ping Tries      Switch to another link or take emergency action when the number of consecutive      1
                        failed ping tries reaches this value


    3.2.3 Configure LAN IP Address

    1. Browse to Interface > LAN > LAN.

    Click the modification box of LAN0.

    Set the IP address, netmask and DHCP settings of LAN0 accordingly.

    Click Submit.

    Click Save & Apply.

    Item          Description                   Setting
    IP Address    Set the IP address of LAN0    Enter accordingly
    NetMask       Set the netmask of LAN0       Enter accordingly
    MTU           Set the MTU of LAN0           1500


    2. Browse to Interface > Ethernet > Ports.

    Click the modification box of eth1.

    Assign the eth1 port to lan0.

    Click Submit.

    Click Save & Apply.

    3.2.4 IPsec Configuration

    The following sections cover the IPsec VPN parameters.

    1. Browse to VPN > IPsec > General and enable the NAT traversal feature.

    Tick the checkbox of Enable NAT Traversal.

    Enter the value of Keepalive Interval (s).

    Tick the checkbox of Debug Enable.

    Click Submit.

    Click Save & Apply.

    Item                   Description                                                                        Setting
    Enable NAT Traversal   Tick to enable NAT Traversal for IPsec. This item must be enabled when the         Enable
                           router is in a NAT environment.
    Keepalive Interval     The interval at which the router sends keepalive packets to the NAT box so         60
                           that the NAT mapping is not removed.
    Debug Enable           When enabled, IPsec information is output to the debug port.                      OFF

    2. Browse to VPN > IPsec > Tunnel.

    Click the Add button to enter the IPsec Tunnel settings.

    Set the IPsec gateway address and mode accordingly.

    Item             Description                                                 Setting
    Gateway          Enter the address of the remote IPsec VPN server.           Enter accordingly
    Mode             Select "Tunnel" or "Transport".                             Select accordingly
                     Tunnel: uses tunnel mode.
                     Transport: uses transport mode.
    Protocol         Select the security protocol, "ESP" or "AH".                Select accordingly
                     ESP: uses the ESP protocol.
                     AH: uses the AH protocol.
    Local Subnet     Enter the address of the IPsec local protected subnet.      Enter accordingly
    Remote Subnet    Enter the address of the IPsec remote protected subnet.     Enter accordingly


    Configure IKE Settings

    The selections here must match the ISAKMP policy and transform set configured on the Cisco router in section 3.1.

    Item                   Description                                                                      Setting
    Negotiation Mode       Select "Main" or "Aggressive" as the IKE negotiation mode.                       Select accordingly
    Encryption Algorithm   Select "DES", "3DES", "AES128", "AES192" or "AES256" for IKE negotiation.        Select accordingly
    IKE DH Group           Select "MODP768_1", "MODP1024_2" or "MODP1536_5" for key negotiation.           Select accordingly
    Authentication Type    Select "PSK", "CA", "XAUTH Init PSK" or "XAUTH Init CA" for IKE negotiation.    Select accordingly
    PSK Secret             Enter the pre-shared key.                                                        Enter accordingly
    IKE Lifetime           Set the lifetime of the IKE negotiation.                                         3600

    Configure SA Settings

    Item                       Description                                                                  Setting
    Encrypt Algorithm          Select "3DES", "AES128" or "AES256".                                         Select accordingly
    Authentication Algorithm   Select "MD5" or "SHA1" for SA negotiation.                                   Select accordingly
    PFS Group                  Select "PFS_NULL", "MODP768_1", "MODP1024_2" or "MODP1536_5".                Select accordingly
    SA Lifetime                Set the IPsec SA lifetime.                                                   28800
    DPD Interval               Set the interval after which DPD is triggered if no IPsec-protected           60
                               packets are received from the peer.
    DPD Failures               Set the timeout of DPD packets.                                              180

    Configure Advanced Settings

    Expert Options: leftprotoport=47/0;rightprotoport=47/0
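    The Expert Options above restrict the IPsec policy to IP protocol 47, which is GRE; the Cisco side pairs this with "mode transport" and a "tunnel key" (section 3.1). The following Python script is an added example, not code from the application note, Robustel or Cisco: it builds and parses a keyed GRE header as RFC 2890 defines it, and evaluates for a few constructed packets whether the transport-mode selector "leftprotoport=47/0;rightprotoport=47/0" would protect them. The packet dictionaries, the helper names and the simplification that both sides name the same protocol are this example's own assumptions.

```python
"""Keyed GRE header handling and the transport-mode IPsec selector from the
Expert Options (added example; not Robustel or Cisco code).

The selector leftprotoport=47/0;rightprotoport=47/0 means: protect only IP
protocol 47 (GRE) between the two router addresses, any port. Other traffic
between the peers, and LAN traffic that has not first been routed into the
GRE tunnel, is not covered by this IPsec policy. The packets below are
constructed for illustration; the addresses are the ones used in the note.
"""
import struct

GRE_PROTO = 47             # IP protocol number of GRE
ETHERTYPE_IPV4 = 0x0800    # GRE protocol-type field for an inner IPv4 packet
GRE_FLAG_KEY = 0x2000      # K bit (RFC 2890): a 4-byte key follows the base header


def build_gre_header(key=None, proto=ETHERTYPE_IPV4):
    """Return the GRE header: 4 bytes without a key, 8 bytes with one."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)       # e.g. the Cisco 'tunnel key 123456'
    return hdr


def parse_gre_header(data):
    """Return (proto, key or None, header length) for a GRE payload."""
    flags, proto = struct.unpack("!HH", data[:4])
    if flags & GRE_FLAG_KEY:
        return proto, struct.unpack("!I", data[4:8])[0], 8
    return proto, None, 4


def gre_key_matches(data, expected_key):
    """An endpoint configured with a key drops GRE packets whose key differs or is absent."""
    _, key, _ = parse_gre_header(data)
    return key == expected_key


def parse_protoport(spec):
    """Parse a 'proto/port' selector such as '47/0'; port 0 means any port."""
    proto, port = spec.split("/")
    return int(proto), int(port)


def ipsec_policy_covers(packet, local_ip, remote_ip,
                        expert_options="leftprotoport=47/0;rightprotoport=47/0"):
    """True if the transport-mode policy protects this packet.

    packet: dict with 'src', 'dst', 'proto' (and 'sport'/'dport' for TCP/UDP).
    Transport mode has no subnet selectors, so only traffic between the two
    router addresses themselves can match, and then only the listed protocol.
    Assumption of this example: both sides name the same protocol, as here.
    """
    opts = dict(item.split("=", 1) for item in expert_options.split(";"))
    lproto, lport = parse_protoport(opts["leftprotoport"])
    rproto, rport = parse_protoport(opts["rightprotoport"])
    if (packet["src"], packet["dst"]) not in {(local_ip, remote_ip), (remote_ip, local_ip)}:
        return False
    if packet["proto"] != lproto or packet["proto"] != rproto:
        return False
    ports = {packet.get("sport", 0), packet.get("dport", 0)}
    return (lport == 0 or lport in ports) and (rport == 0 or rport in ports)


def classify_sample_traffic():
    """Constructed packets as seen at the R2000 WAN (12.1.1.1); the Cisco WAN is 58.1.1.1."""
    samples = {
        "gre_to_cisco": {"src": "12.1.1.1", "dst": "58.1.1.1", "proto": GRE_PROTO},
        "icmp_to_cisco_wan": {"src": "12.1.1.1", "dst": "58.1.1.1", "proto": 1},
        "lan_host_direct": {"src": "192.168.1.10", "dst": "172.16.10.5", "proto": 1},
    }
    return {name: ipsec_policy_covers(pkt, "12.1.1.1", "58.1.1.1")
            for name, pkt in samples.items()}


if __name__ == "__main__":
    hdr = build_gre_header(key=123456)
    print("GRE header:", hdr.hex(), "->", parse_gre_header(hdr))
    for name, covered in classify_sample_traffic().items():
        print(f"{name}: {'protected by IPsec' if covered else 'NOT covered by this policy'}")
```

    Only the GRE packet between the two router addresses is protected; a plain ICMP packet between the WAN addresses, or a LAN packet that bypasses the tunnel interface, is sent in the clear. That is why the LAN-to-LAN test in chapter 4 depends on the OSPF route pointing into the tunnel.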


    3.2.5 GRE Configuration

    1. Browse to VPN > GRE, add and enable the GRE tunnel.

    2. Configure the GRE parameters, then click Submit and Save & Apply.

    GRE

    Item                    Description                                                                      Default
    Index                   Shows the index of the tunnel.                                                   1
    Enable                  Enable the GRE tunnel. GRE (Generic Routing Encapsulation) is a protocol that    ON
                            encapsulates packets in order to route other protocols over IP networks.
    Description             Enter a short description of the GRE tunnel.                                     Null
    Remote IP Address       Set the remote IP address of the GRE tunnel.                                     Null
    Local Virtual IP        Set the local IP address of the virtual GRE tunnel.                              Null
    Remote Virtual IP       Set the remote IP address of the virtual GRE tunnel.                             Null
    Enable Default Route    All traffic of the R2000 router will go through the GRE VPN.                     OFF
    Enable NAT              Tick to enable NAT for GRE. The source IP address of hosts behind the R2000      Disable
                            is masqueraded before accessing the remote GRE server.
    Secrets                 Set the tunnel key of GRE.                                                       Null

    3.2.6 Configure OSPF dynamic route

    1. Browse to Network > Dynamic Route.

    Click the OSPF button.

    Set the Router ID, Interface and Network accordingly.

    Click Submit.

    Click Save & Apply.
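    The two OSPF "network" statements in section 3.1 enable OSPF only on interfaces whose addresses fall inside those wildcard ranges, and "ip ospf mtu-ignore" on Tunnel1 is there because OSPF neighbors compare interface MTUs and the tunnel MTU, once GRE and ESP overhead is subtracted, is smaller than the MTU the peer may advertise. The following Python script is an added example, not code from the application note, Robustel or Cisco: it expands the wildcard masks to networks, reports which of the Cisco interface addresses on this page would run OSPF (the public FastEthernet0/0 should not be among them), and computes the largest inner packet that fits through the tunnel with the 8-byte keyed GRE header and transport-mode esp-3des/esp-md5-hmac. The per-field ESP overhead values and the helper names are this example's assumptions.

```python
"""OSPF network-statement coverage and GRE over IPsec tunnel MTU (added example;
not Robustel or Cisco code). Addresses are those used in the application note;
the ESP overhead figures assume esp-3des/esp-md5-hmac in transport mode:
8-byte SPI+sequence, 8-byte IV, padding to an 8-byte block, 2 trailer bytes,
12-byte ICV (MD5-96).
"""
import ipaddress
import re

NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\S+)")

# Constructed copy of the note's OSPF block.
CISCO_OSPF = """\
router ospf 1
 router-id 1.1.1.1
 network 172.16.10.0 0.0.0.255 area 0
 network 123.1.1.0 0.0.0.255 area 0
"""

# Interface addresses from the note's Cisco configuration.
CISCO_INTERFACES = {
    "FastEthernet0/0": "58.1.1.1",     # public WAN
    "FastEthernet0/1": "172.16.10.1",  # LAN
    "Tunnel1": "123.1.1.2",            # GRE tunnel
}


def wildcard_to_network(addr, wildcard):
    """A Cisco wildcard mask is an inverted netmask: 0.0.0.255 -> /24.
    Non-contiguous wildcards raise ValueError, since ipaddress cannot express them."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network(f"{ipaddress.IPv4Address(net)}/{ipaddress.IPv4Address(mask)}")


def ospf_enabled_interfaces(ospf_config, interfaces):
    """Map interface name -> OSPF area, or None when no network statement matches.
    IOS uses the first matching statement, so statement order is preserved."""
    statements = []
    for line in ospf_config.splitlines():
        m = NETWORK_RE.match(line)
        if m:
            statements.append((wildcard_to_network(m.group(1), m.group(2)), m.group(3)))
    result = {}
    for name, ip in interfaces.items():
        ip_obj = ipaddress.IPv4Address(ip)
        result[name] = next((area for net, area in statements if ip_obj in net), None)
    return result


def tunnel_payload_mtu(outer_mtu=1500, gre_key=True, iv_len=8, icv_len=12, block=8):
    """Largest inner IP packet that fits in one outer packet when GRE is wrapped in
    transport-mode ESP: outer IP (20) | SPI+seq (8) | IV | GRE | inner | pad | 2 | ICV."""
    gre_len = 8 if gre_key else 4
    inner = outer_mtu - 20 - (8 + iv_len + icv_len) - gre_len - 2
    inner -= (gre_len + inner + 2) % block   # GRE + inner + trailer must end on a cipher block
    return inner


if __name__ == "__main__":
    for name, area in ospf_enabled_interfaces(CISCO_OSPF, CISCO_INTERFACES).items():
        print(f"{name}: {'OSPF area ' + area if area else 'no OSPF (expected for the public side)'}")
    print("largest inner packet through the tunnel:", tunnel_payload_mtu(), "bytes")
```

    With the values from this note the LAN and tunnel interfaces land in area 0 while the WAN interface stays out of OSPF, and the tunnel carries inner packets of at most 1438 bytes; a peer whose tunnel interface still reports 1500 will not reach the FULL state without "ip ospf mtu-ignore" or a matching MTU.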


    Chapter 4 Testing

    4.1 Network Status

    1. Browse to Status.

    2. Check whether ROS has obtained the assigned static IP address.

    4.2 VPN Status and Communication of ROS

    1. Browse to VPN > IPsec > Status.

    Check whether ROS has established the IPsec VPN with the Cisco router.


    2. Browse to VPN > GRE > Status.

    ● Check whether ROS has established the GRE VPN with the Cisco router.

    3. Browse to Network > Dynamic Route > Status.

    Check the virtual tunnel in the route table.


    4. Browse to System > Tools > Ping.

    Ping from 192.168.1.1 to 172.16.10.1 and get an ICMP reply from the Cisco router; LAN-to-LAN communication is then working correctly. Also ping the virtual IP of the GRE VPN.


    4.3 VPN Status and Communication of Cisco

    1. Run the CLI and type the "show ip route" command to check the route table of the Cisco router.

    2. Ping the virtual IP of the GRE over IPsec VPN and the LAN IP address behind the R2000, and get an ICMP reply from the remote end.


    4.4 Event/Log

    Event/Log shows the running process and the status of the R2000. Only the information related to the configuration above is explained below.

