Jul 14, 2020

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1

www.westermo.com
LAN to LAN IPsec MRD-310 to MRD-330

Application Note

LAN to LAN IPsec VPN Between MRD-3xx 3G routers

AN-0003-03 Page 1
Proudly Distributed by Gross Automation | (877) 268-3700 www.westermosales.com | [email protected]

Page 2

IPsec VPN

A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunnelling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure. Phone companies have provided private shared resources for voice messages for over a decade. A virtual private network makes it possible to have the same protected sharing of public resources for data.

IPsec is a suite of protocols that provides peer authentication without transmitting the actual keys, confidentiality through encryption, and integrity, ensuring that the received data can only come from the authenticated peer and has not been altered in any way.

IPsec Encapsulating Security Payload (ESP) tunnels are also transparent to all nodes and applications using IP: only the VPN gateways need to be configured to securely connect geographically separated networks.

Firstly we will describe and determine all the parameters necessary for this configuration. These values will be written into the "IPsec Network setup table".

The numbers and parameter values from the "IPsec Network setup table" will be used throughout this guide while first configuring the responder and secondly the initiator.


Page 3

Network setup description

This application note describes how to implement a LAN to LAN IPsec VPN tunnel between two Westermo MRD-3xx 3G Routers.

It is important to decide which of the two routers will be the initiator and which will be the responder. In nearly all cases, the responder will be a VPN gateway located at a central site, such as company headquarters. In all cases the responder must have a publicly accessible IP address so that the initiator can reach it across the Internet.

In this example the MRD-310 has a 3G subscription that dynamically assigns a private IP address and is hidden behind a Network Address Translation (NAT) device. As such it can only be the initiator.

The MRD-330 has a 3G subscription with a fixed public IP address. The MRD-330 3G Router will be the responder.

For authentication we will be using a Pre-Shared Key (PSK). This is simple and practical for initial and small-scale VPN configurations, but it is very susceptible to social engineering. Large-scale or long-term deployments should use certificates for authentication.

This IPsec configuration uses Internet Key Exchange version 1 (IKEv1). If the IP addresses of both gateways are fixed, or certificates are used, it is recommended to use IKE main mode, which takes longer to establish the connection but provides a higher level of security than aggressive mode (aggressive mode exchanges the peer identities and the PSK-based authentication hash before the exchange is encrypted, so the PSK should be long and random). In this example the combination of a dynamic IP address and a pre-shared key requires us to use IKE aggressive mode.

IKE supports many different types of identifiers (ID); for this example we have chosen type 2, FQDN. Please review RFC 2407 for further details.

Encapsulating Security Payload (ESP) is the final encrypted tunnel joining the two LANs together. An ESP tunnel is unidirectional, so two tunnels are used for full duplex communication. Advanced Encryption Standard (AES) is the recommended encryption standard to use since it is more secure and more efficient than the older 3DES encryption.

This configuration is valid for: Westermo MRD-3xx firmware version 1.33


Page 4

IPsec Network setup table

                                   Initiator                Responder
General
  External Address IP or FQDN     (1)  any                  (2)  217.174.89.203
  Internal IP address             (3)  192.168.20.0         (4)  192.168.33.0
  Internal subnet mask            (5)  255.255.255.0        (6)  255.255.255.0
  ID type (RFC 2407)              (7)  2                    (8)  2
  ID value                        (9)  mrd310.initiator     (10) mrd330.responder
  PSK                             (11) secret
  Certificate                     (12)                      (13)
  NAT Traversal                   (14) YES
  NAT-T keepalive                 (15) 45s
  Dead Peer Detection             (16) YES
  DPD delay & timeout             (17) 60/120
  MTU                             (18)                      (19)
IKE phase 1
  Mode                            (20) Aggressive
  Encryption                      (21) AES (128)
  Authentication                  (22) SHA1
  Diffie Hellman Group            (23) 2
  IKE SA Lifetime                 (24) 28800s
IKE phase 2
  ESP encryption                  (25) AES (128)
  ESP authentication              (26) SHA1
  SA Lifetime                     (27) 28800s
  Perfect Forward Secrecy         (28) 2

[Figure: network diagram. Initiator (LAN 192.168.20.0/24, address 192.168.20.200) and Responder (LAN 192.168.33.0/24, address 192.168.33.200) each connect through a 3G APN to the Internet, with the LAN to LAN IPsec tunnel running between them; the diagram also shows the address 217.174.88.165.]


Page 5

MRD-330 Responder VPN configuration

Make sure you have configured your MRD-3xx 3G router as described in the User Guide. Access the router's web interface and select VPN in the top menu followed by "IPsec VPN" in the sub menu.

Press the button shown in the screenshot to start configuring a new VPN tunnel. The responder should not "Initiate tunnel".

The Local interface should be WLS for the wireless 3G/GPRS interface. Leaving Remote host unchecked allows the initiator to have any address.

[Screenshot: new tunnel settings on the responder; callout 1 refers to the IPsec Network setup table.]

Press the button shown in the screenshot.


Page 6

Configure the authentication for Internet Key Exchange (IKE) and Dead Peer Detection. The ID must be preceded with an @ sign to indicate a type 2 or 3 ID (RFC 2407) string.

[Screenshot: IKE authentication and DPD settings on the responder; callouts 21, 22, 23, 11, 9, 20, 24 and 10 refer to the IPsec Network setup table.]

Press the button shown in the screenshot.

Next configure the Phase 1 and Phase 2 encryption and proposal for the tunnel.

[Screenshot: Phase 1 and Phase 2 proposal settings on the responder; callouts 25, 28, 26, 27, 17 and 16 refer to the IPsec Network setup table.]

Press the button shown in the screenshot.


Page 7

LAN to LAN IPsec must know which IP packets to protect, so these must be specified in the tunnel networks as a subnet address/subnet mask. LAN subnet will apply the subnet and mask configured on the Ethernet ports of the MRD-330.

[Screenshot: tunnel network settings on the responder; callouts 4 and 3 refer to the IPsec Network setup table.]

Press the button shown in the screenshot.

Finally we set NAT traversal, since our MRD-310 has a private IP address dynamically assigned by the 3G provider. Set Enabled to start the IPsec VPN connection.

[Screenshot: NAT traversal settings on the responder; callouts 15, 14 and 19 refer to the IPsec Network setup table.]

Press the button shown in the screenshot.


Page 8

Firewall configuration

The default firewall policy for the wireless interface is deny all. The responder must open the IKE server port in order for the IKE exchange to start. Go to the Firewall > Access Control web page and select the IPsec VPN allow box for the WLS interface. This allows traffic towards UDP ports 500 and 4500 as well as IP protocol 50 for ESP packets. There is no need to change anything on the initiator firewall.

[Screenshot: Firewall > Access Control. The firewall must be opened to allow IKE (port 500 and 4500) and ESP (protocol 50) to access the Responder.]


Page 9

MRD-310 Initiator VPN configuration

Make sure you have configured your MRD-3xx 3G router as described in the User Guide. Access the router's web interface and select VPN in the top menu followed by "IPsec VPN" in the sub menu.

Press the button shown in the screenshot to start configuring a new VPN tunnel.

[Screenshot: new tunnel settings on the initiator; callout 2 refers to the IPsec Network setup table.]

The local interface should be WLS for the wireless 3G/GPRS interface.

Press the button shown in the screenshot.


Page 10

Configure the authentication for Internet Key Exchange (IKE) and Dead Peer Detection. The ID must be preceded with an @ sign to indicate a type 2 or 3 ID (RFC 2407) string.

[Screenshot: IKE authentication and DPD settings on the initiator; callouts 21, 10, 22, 11, 9, 20, 23 and 24 refer to the IPsec Network setup table.]

Press the button shown in the screenshot.

Next configure the Phase 1 and Phase 2 encryption and proposal for the tunnel.

[Screenshot: Phase 1 and Phase 2 proposal settings on the initiator; callouts 25, 27, 26, 28, 17 and 16 refer to the IPsec Network setup table.]

Press the button shown in the screenshot.


Page 11

LAN to LAN IPsec must know which IP packets to protect, so these must be specified in the tunnel networks as a subnet address/subnet mask. LAN subnet will apply the subnet and mask configured on the Ethernet port of the MRD-310.

[Screenshot: tunnel network settings on the initiator; callouts 4 and 3 refer to the IPsec Network setup table.]

Press the button shown in the screenshot.

Finally we set NAT traversal, since our MRD-310 has a private IP address dynamically assigned by the 3G provider. Set Enabled to start the IPsec VPN connection.

[Screenshot: NAT traversal settings on the initiator; callouts 14, 15 and 18 refer to the IPsec Network setup table.]

Press the button shown in the screenshot.


Page 12

Diagnostics

System log from Initiator

<84>Oct 7 15:14:43 pluto[609]: added connection description "SecondSite"
<84>Oct 7 15:14:43 pluto[609]: listening for IKE messages
<84>Oct 7 15:14:43 pluto[609]: adding interface ipsec0/hso0 85.117.198.33:500
<84>Oct 7 15:14:43 pluto[609]: loading secrets from "/etc/config/ipsec.secrets"
<84>Oct 7 15:14:43 pluto[609]: "SecondSite" #1: initiating Aggressive Mode #1, connection "SecondSite"
<84>Oct 7 15:15:15 pluto[609]: "SecondSite" #1: received Vendor ID payload [Dead Peer Detection]
<84>Oct 7 15:15:15 pluto[609]: "SecondSite" #1: Aggressive mode peer ID is ID_FQDN: '@mrd330.responder'
<84>Oct 7 15:15:15 pluto[609]: "SecondSite" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
<84>Oct 7 15:15:15 pluto[609]: "SecondSite" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
<84>Oct 7 15:15:15 pluto[609]: "SecondSite" #1: Dead Peer Detection (RFC 3706): enabled
<84>Oct 7 15:15:15 pluto[609]: "SecondSite" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE {using isakmp#1}
<84>Oct 7 15:15:16 pluto[609]: "SecondSite" #2: Dead Peer Detection (RFC 3706): enabled
<84>Oct 7 15:15:16 pluto[609]: "SecondSite" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
<84>Oct 7 15:15:16 pluto[609]: "SecondSite" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0437a6cc <0xefe713ab xfrm=AES_128-HMAC_SHA1 NATD=none DPD=enabled}

System log from Responder

<84>Oct 7 15:15:12 pluto[634]: added connection description "SecondSite"
<84>Oct 7 15:15:12 pluto[634]: listening for IKE messages
<84>Oct 7 15:15:12 pluto[634]: adding interface ipsec0/hso0 217.174.89.203:500
<84>Oct 7 15:15:12 pluto[634]: adding interface ipsec0/hso0 217.174.89.203:4500
<84>Oct 7 15:15:12 pluto[634]: loading secrets from "/etc/config/ipsec.secrets"
<84>Oct 7 15:15:15 pluto[634]: packet from 85.117.198.33:500: received Vendor ID payload [Dead Peer Detection]
<84>Oct 7 15:15:15 pluto[634]: "SecondSite"[1] 85.117.198.33 #1: Aggressive mode peer ID is ID_FQDN: '@mrd310.initiator'
<84>Oct 7 15:15:15 pluto[634]: "SecondSite"[1] 85.117.198.33 #1: responding to Aggressive Mode, state #1, connection "SecondSite" from 85.117.198.33
<84>Oct 7 15:15:15 pluto[634]: "SecondSite"[1] 85.117.198.33 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
<84>Oct 7 15:15:15 pluto[634]: "SecondSite"[1] 85.117.198.33 #1: STATE_AGGR_R1: sent AR1, expecting AI2
<84>Oct 7 15:15:15 pluto[634]: "SecondSite"[1] 85.117.198.33 #1: Aggressive mode peer ID is ID_FQDN: '@mrd310.initiator'
<84>Oct 7 15:15:15 pluto[634]: "SecondSite"[1] 85.117.198.33 #1: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
<84>Oct 7 15:15:15 pluto[634]: "SecondSite"[1] 85.117.198.33 #1: STATE_AGGR_R2: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
<84>Oct 7 15:15:15 pluto[634]: "SecondSite"[1] 85.117.198.33 #1: Dead Peer Detection (RFC 3706): enabled
<84>Oct 7 15:15:16 pluto[634]: "SecondSite"[1] 85.117.198.33 #2: responding to Quick Mode {msgid:ec8474a0}
<84>Oct 7 15:15:16 pluto[634]: "SecondSite"[1] 85.117.198.33 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
<84>Oct 7 15:15:16 pluto[634]: "SecondSite"[1] 85.117.198.33 #2: STATE_QUICK_R1: sent QR1, inbound Ipsec SA installed, expecting QI2
<84>Oct 7 15:15:16 pluto[634]: "SecondSite"[1] 85.117.198.33 #2: Dead Peer Detection (RFC 3706): enabled
<84>Oct 7 15:15:16 pluto[634]: "SecondSite"[1] 85.117.198.33 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
<84>Oct 7 15:15:16 pluto[634]: "SecondSite"[1] 85.117.198.33 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xefe713ab <0x0437a6cc xfrm=AES_128-HMAC_SHA1 NATD=none DPD=enabled}


Page 13

After a few seconds the negotiation should be completed, Status > VPN should indicate Connected, and you can try to ping the subnet on the far side of the tunnel (the right-most subnet in the diagram). If the connection is not successful, review your configuration on both initiator and responder as well as the System Log on both units.
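As an added example (not part of the application note), a small Python script that reads pluto system log lines like those on the previous page and checks that both SAs came up with the algorithms and peer identity from the IPsec Network setup table, so a mismatch between the table and what was actually negotiated is reported instead of overlooked. The sample log lines are constructed from the initiator log in this note; the pluto token names in EXPECTED are assumptions.

```python
import re

# Constructed sample in the format of the MRD-3xx pluto system log shown in this note;
# the three lines are taken from the note's initiator log (peer ID, ISAKMP SA, IPsec SA).
SAMPLE_LOG = """\
<84>Oct 7 15:15:15 pluto[609]: "SecondSite" #1: Aggressive mode peer ID is ID_FQDN: '@mrd330.responder'
<84>Oct 7 15:15:15 pluto[609]: "SecondSite" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
<84>Oct 7 15:15:16 pluto[609]: "SecondSite" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0437a6cc <0xefe713ab xfrm=AES_128-HMAC_SHA1 NATD=none DPD=enabled}
"""

# Values the IPsec Network setup table says the initiator should negotiate
# (rows 10, 16, 21, 22, 23, 25 and 26); the pluto token names are assumptions.
EXPECTED = {
    "peer_id": "@mrd330.responder",  # row 10, @ prefix marks a type 2 (FQDN) ID
    "auth": "OAKLEY_PRESHARED_KEY",  # PSK authentication
    "cipher": "aes_128",             # row 21
    "prf": "oakley_sha",             # row 22 (SHA1)
    "group": "modp1024",             # row 23, Diffie-Hellman group 2
    "xfrm": "AES_128-HMAC_SHA1",     # rows 25 and 26
    "DPD": "enabled",                # row 16
}

KV_RE = re.compile(r"(\w+)=([^\s{}]+)")
PEER_RE = re.compile(r"peer ID is ID_FQDN: '([^']+)'")


def parse_pluto_log(text):
    """Collect the peer ID and the {key=value} summary pluto prints for each established SA."""
    found = {"phase1": False, "phase2": False}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            found["peer_id"] = m.group(1)
        if "SA established" in line and "{" in line:
            found.update(KV_RE.findall(line[line.index("{"):]))
            found["phase1"] |= "ISAKMP SA established" in line
            found["phase2"] |= "IPsec SA established" in line
    return found


def check_tunnel(text, expected=EXPECTED):
    """Return a list of problems; an empty list means the tunnel came up as configured."""
    found = parse_pluto_log(text)
    problems = []
    if not found["phase1"]:
        problems.append("no ISAKMP SA established: check IKE settings and UDP 500/4500 on the responder firewall")
    if not found["phase2"]:
        problems.append("no IPsec SA established: check the phase 2 proposal and tunnel networks")
    for key, want in expected.items():
        got = found.get(key)
        if got is not None and got != want:
            problems.append(f"{key}: negotiated {got!r}, setup table says {want!r}")
    return problems
```

Run it against the System Log copied from the router; the responder log works the same way with EXPECTED["peer_id"] set to "@mrd310.initiator".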


Page 14

IPsec Network setup table (blank worksheet)

                                   Initiator      Responder
General
  External Address IP or FQDN     (1)            (2)
  Internal IP address             (3)            (4)
  Internal subnet mask            (5)            (6)
  ID type (RFC 2407)              (7)            (8)
  ID value                        (9)            (10)
  PSK                             (11)
  Certificate                     (12)           (13)
  NAT Traversal                   (14)
  NAT-T keepalive                 (15)
  Dead Peer Detection             (16)
  DPD delay & timeout             (17)
  MTU                             (18)           (19)
IKE phase 1
  Mode                            (20)
  Encryption                      (21)
  Authentication                  (22)
  Diffie Hellman Group            (23)
  IKE SA Lifetime                 (24)
IKE phase 2
  ESP encryption                  (25)
  ESP authentication              (26)
  SA Lifetime                     (27)
  Perfect Forward Secrecy         (28)

[Figure: blank network diagram. Initiator and Responder each connect through an APN to the Internet, with the LAN to LAN IPsec tunnel running between them.]


Page 15

Technical Support

If you require assistance with any of the instructions in this application note you can contact Westermo as follows:

Sweden: [email protected], Tel: +46 (0)16 42 80 00, Fax: +46 (0)16 42 80 01
France: [email protected], Tel: +33 1 69 10 21 00, Fax: +33 1 69 10 21 01
United Kingdom: Web: [email protected], Tel: +44 (0)1489 580585, Fax: +44 (0)1489 580586
Singapore: [email protected], Tel: +65 6743 9801, Fax: +65 6745 0670
Germany: [email protected], Tel: +49(0)7254 95400-0, Fax: +49(0)7254-95400-9
