www.westermo.com LAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com Application Note LAN to LAN IPsec VPN Between MRD-3xx 3G routers AN-0003-03 Page 1 Proudly Distributed by Gross Automation | (877) 268-3700 www.westermosales.com | [email protected]
15
Embed
LAN to LAN IPsec VPN...tunnelling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
Application Note
IPsec VPNA virtual private network (VPN) is a private data network that makes use of thepublic telecommunication infrastructure, maintaining privacy through the use of atunnelling protocol and security procedures. A virtual private network can becontrasted with a system of owned or leased lines that can only be used by onecompany. The main purpose of a VPN is to give the company the samecapabilities as private leased lines at much lower cost by using the shared publicinfrastructure. Phone companies have provided private shared resources for voicemessages for over a decade. A virtual private network makes it possible to havethe same protected sharing of public resources for data.
IPsec is a suite of protocols for providing peer authentication without transmittingthe actual keys. Confidentiality using encryption and integrity ensuring that thereceived data can only come from the authenticated peer and has not beenaltered in any way.
IPsec Encrypting Security Payload tunnels also provide transparency for all nodesand applications using IP and only the VPN gateways needs to be configured tosecurely connect geographically separated networks.
Firstly we will describe and determine all the parameters necessary for thisconfiguration. These values will be written into the “IPsec Network setup table”
The numbers and parameter values from the “IPsec Network setup table” will beused throughout this guide while first configuring the responder and secondly theinitiator.
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
Application Note
Network setup description
This application note describes how to implement a LAN to LAN IPsec VPN tunnelbetween two Westermo MRD-3xx 3G Routers.
It is important to decide which of the two routers will be the initiator and which will bethe responder. In nearly all cases, the responder will be a VPN gateway, which islocated at a central location, such as company headquarters. In all cases theresponder must have a publicly accessible IP address to connect across internet.
In this example the MRD-310 has a 3G subscription that dynamically assigns aprivate IP address and is hidden behind a Network Address Translation (NAT)device. As such it can only be the initiator.
The MRD-330 has a 3G subscription with a fixed public IP address. The MRD-3303G Router will be the responder.
For authentication we will be using Pre-Shared Key (PSK). Simple and practical forinitial and small-scale VPN configurations it is however very susceptible to socialengineering. Large scale or long-term deployment should use certificates forauthentication.This IPsec configuration uses Internet Key Exchange (IKEv1). If the IP addresses ofboth gateways are fixed or certificates are used it is recommended to use IKE mainmode which takes longer to establish connection but provides a higher level ofsecurity than aggressive mode.In this example the combination of dynamic IP address and preshared key requiresus to use IKE aggressive mode.
IKE supports many different types of identifiers (ID) for this example we have chosentype 2 FQDN.Please review RFC 2407 for further details.
Encapsulated Security Payload (ESP) is the final encrypted tunnel joining the twoLAN together. A ESP tunnel is unidirectional so two tunnels are used for full duplexcommunication. Advanced Encryption Standard (AES) is the recommendedencryption standard to use since it is more secure and more efficient than the older3DES encryption.
This configuration is valid for:Westermo MRD-3xx firmware version 1.33
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
Application Note
1
MRD-330 Responder VPN configurationMake sure you have configured your MRD-3xx 3G router as described in the User Guide.Access the routers web interface and select VPN in the top menu followed by ”IPsec VPN” in the sub menu.
to start configuring a new VPN tunnel. Responder should not ”Initiate tunnel”.Press
Press
The Local interface should be WLS for the wireless 3G/GPRS interface. Remote host unchecked allows theinitiator to have any address.
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
Application Note
Configure the authentication for Internet Key Exchange (IKE) and Dead Peer Detection.The ID must be preceeded with a @ sign to indicate a type 2 or 3 ID (RFC2407) string.
21 22 23
119
20
24
10
Press
Next configure Phase 1 and Phase 2 encryption and proposal for the tunnel.
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
Application Note
LAN to LAN IPsec must know which IP packets to protect so these must be specified in tunnel networksaddress with subnet address/subnet mask. LAN subnet will apply the subnet and mask configured on theEthernet ports of the MRD-330
Press
4
3
151419
Finally we set NAT traversal since our MRD-310 has a private IP address dynamically assigned from the3G provider.Set Enabled, to start the IPsec VPN connection.Press
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
Application Note
Firewall configuration
The default firewall policy for the wireless interface is deny all.The responder must open the IKE server port in order for the IKE exchange to start.Goto Firewall > Access Control webpage and select IPsec VPN allow box for the WLS interface.This allows traffic towards UDP ports 500 and 4500 as well as IP protocol 50 for ESP packets.There is no need change anything on the initiator firewall.
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
Application Note
MRD-310 Initiator VPN configurationMake sure you have configured your MRD-3xx 3G router as described in the User Guide.Access the routers web interface and select VPN in the top menu followed by ”IPsec VPN” in the sub menu.
to start configuring a new VPN tunnel.Press
2
The local interface should be WLS for the wireless 3G/GPRS interface.
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
Application Note
Press
Press
21
10
22
11
9
20
23
24
Configure the authentication for Internet Key Exchange (IKE) and Dead Peer Detection.The ID must be preceeded with a @ sign to indicate a type 2 or 3 ID (RFC2407) string.
Next configure Phase 1 and Phase 2 encryption and proposal for the tunnel.
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
Application Note
LAN to LAN IPsec must know which IP packets to protect so these must be specified in tunnel networksaddress with subnet address/subnet mask. LAN subnet will apply the subnet and mask configured on theEthernet port of the MRD-310
Finally we set NAT traversal since our MRD-310 has a private IP address dynamically assigned fromthe 3G provider.Set Enabled, to start the IPsec VPN connection.
PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE {using isakmp#1}<84>Oct 7 15:15:16 pluto[609]: "SecondSite" #2: Dead Peer Detection (RFC 3706): enabled<84>Oct 7 15:15:16 pluto[609]: "SecondSite" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2<84>Oct 7 15:15:16 pluto[609]: "SecondSite" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
www.westermo.comLAN to LAN IPsec MRD-310 to MRD-330 www.westermo.com
Application Note
After a few seconds the negotiation should be completed and the Status > VPN should indicate Connectedand you can try to ping the right most subnet.If the connection is not successful review your configuration on both initiator and responder as well as theSystem Log on both units.