8/6/2019 IPsec User Guide
1/32
IPSec User Guide
2120028 Rev 2.2
Rev 2.2 Aug.08 i
Important Notice

Due to the nature of wireless communications, transmission and reception of data can never be guaranteed. Data may be delayed, corrupted (i.e., have errors) or be totally lost. Although significant delays or losses of data are rare when wireless devices such as the Sierra Wireless AirLink Product Name are used in a normal manner with a well constructed network, the Sierra Wireless AirLink Product Name should not be used in situations where failure to transmit or receive data could result in damage of any kind to the user or any other party, including but not limited to personal injury, death, or loss of property. Sierra Wireless accepts no responsibility for damages of any kind resulting from delays or errors in data transmitted or received using the Sierra Wireless AirLink Product Name, or for failure of the Sierra Wireless AirLink Product Name to transmit or receive such data.
Safety and Hazards

Do not operate the Sierra Wireless AirLink Product Name in areas where blasting is in progress, where explosive atmospheres may be present, near medical equipment, near life support equipment, or any equipment which may be susceptible to any form of radio interference. In such areas, the Sierra Wireless AirLink Product Name MUST BE POWERED OFF. The Sierra Wireless AirLink Product Name can transmit signals that could interfere with this equipment.

Do not operate the Sierra Wireless AirLink Product Name in any aircraft, whether the aircraft is on the ground or in flight. In aircraft, the Sierra Wireless AirLink Product Name MUST BE POWERED OFF. When operating, the Sierra Wireless AirLink Product Name can transmit signals that could interfere with various onboard systems.

Note: Some airlines may permit the use of cellular phones while the aircraft is on the ground and the door is open. Sierra Wireless AirLink Product Name may be used at this time.

The driver or operator of any vehicle should not operate the Sierra Wireless AirLink Product Name while in control of a vehicle. Doing so will detract from the driver or operator's control and operation of that vehicle. In some states and provinces, operating such communications devices while in control of a vehicle is an offence.
Limitation of Liability

The information in this manual is subject to change without notice and does not represent a commitment on the part of Sierra Wireless. SIERRA WIRELESS AND ITS AFFILIATES SPECIFICALLY DISCLAIM LIABILITY FOR ANY AND ALL DIRECT, INDIRECT, SPECIAL, GENERAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS OR REVENUE OR ANTICIPATED PROFITS OR REVENUE ARISING OUT OF THE USE OR INABILITY TO USE ANY SIERRA WIRELESS PRODUCT, EVEN IF SIERRA WIRELESS AND/OR ITS AFFILIATES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR THEY ARE FORESEEABLE OR FOR CLAIMS BY ANY THIRD PARTY.

Notwithstanding the foregoing, in no event shall Sierra Wireless and/or its affiliates' aggregate liability arising under or in connection with the Sierra Wireless product, regardless of the number of events, occurrences, or claims giving rise to liability, be in excess of the price paid by the purchaser for the Sierra Wireless product.
Patents

Portions of this product may be covered by some or all of the following US patents: 5,515,013 5,629,960 5,845,216 5,847,553 5,878,234 5,890,057 5,929,815 6,169,884 6,191,741 6,199,168 6,339,405 6,359,591 6,400,336 6,516,204 6,561,851 6,643,501 6,653,979 6,697,030 6,785,830 6,845,249 6,847,830 6,876,697 6,879,585 6,886,049 6,968,171 6,985,757 7,023,878 7,053,843 7,106,569 7,145,267 7,200,512 D442,170 D459,303 and other patents pending.

Copyright

2008 Sierra Wireless. All rights reserved.

Trademarks

AirCard and Heart of the Wireless Machine are registered trademarks of Sierra Wireless. Watcher is a trademark of Sierra Wireless, registered in the European Community. AirLink and AceWare are trademarks of Sierra Wireless. Sierra Wireless, the Sierra Wireless logo, the red wave design, and the red tipped antenna are trademarks of Sierra Wireless.

Windows is a registered trademark of Microsoft Corporation.

Other trademarks are the property of the respective owners.
Contact Information

Consult our website for up to date product descriptions, documentation, application notes, firmware upgrades, troubleshooting tips, and press releases:
www.sierrawireless.com

Support Desk: Phone: 1-877-231-1144
Hours: 5:00 AM to 5:00 PM Pacific Time, Monday to Friday, except US Holidays
E-mail: [email protected]

Sales Desk: Phone: 1-510-624-4200 / 1-604-232-1488
Hours: 8:00 AM to 5:00 PM Pacific Time
E-mail: [email protected]

Post: Sierra Wireless America, 39677 Eureka Drive, Newark, CA, USA 94560
Sierra Wireless, 13811 Wireless Way, Richmond, BC, Canada V6V 3A4
Fax: 1-510-624-4299 / 1-604-231-1109
Web: www.sierrawireless.com

Revision History

Revision number | Release date | Changes
1.x | Q2: 2008 | IPSec User Guide documentation created.
2.x | Q2: 2008 | IPSec User Guide documentation revised and updated.
Contents

Introducing IPSec . . . . 1
  Overview . . . . 1
    Key Features of IPSec VPN . . . . 2
  Scenarios . . . . 3
    Remote Access Scenarios . . . . 3
Installation and Configuration . . . . 6
  Set-Up . . . . 7
    Modem Configuration Requirements . . . . 7
  Installation . . . . 8
    AT*RESETCFG . . . . 8
  Configuration Settings . . . . 8
    HTTP Server . . . . 12
    Application Server . . . . 13
    Network behind the modem . . . . 15
Sample Configuration File . . . . 18
  VPN Configuration file . . . . 18
    Static IP . . . . 18
    Dynamic IP . . . . 21
IPsec Architecture . . . . 24
  Standards of the M2M IPSec Support . . . . 24
  Security Algorithms . . . . 24
Reference Material . . . . 25
1: Introducing IPSec

The IP protocol that drives the Internet is inherently insecure. Internet Protocol Security (IPSec), which is a standards based protocol, secures communications of IP packets over public networks.

Organizations are striving to protect their communication channels from unauthorized viewing and to enforce authentication of the entities at the other side of the channel.

Unauthorized access to sensitive data can be avoided by using IPSec. By applying security at the IP layer in the OSI model, communications can be protected. In this manner the upper layers in the OSI model can leverage the security services provided at the IP layer.

Sierra Wireless AirLink has added IPSec, as the latest addition to the list of features, in all the ALEOS powered AirLink X and XT platforms of devices.
Overview

IPSec is a common network layer security control and is used to create a virtual private network (VPN).

The advantages of the IPSec feature include:

Data Protection: Data Content Confidentiality allows users to protect their data from any unauthorized view, because the data is encrypted (encryption algorithms are used).

Access Control: Access Control implies a security service that prevents unauthorized use of a Security Gateway, a network behind a gateway or bandwidth on that network.

Data Origin Authentication: Data Origin Authentication verifies the actual sender, thus eliminating the possibility of forging the actual sender's identification by a third party.

Data Integrity: Data Integrity Authentication allows both ends of the communication channel to confirm that the original data sent has been received as transmitted, without being tampered with in transit. This is achieved by using authentication algorithms and their outputs.

The IPSec architecture model includes the Sierra Wireless AirLink modem as a remote gateway at one end communicating, through a VPN tunnel, with a VPN gateway at the other end. The remote gateway is connected to a Remote network and the VPN is connected to the Local network. The communication of data is secure through the IPSec protocols.

Figure 1-1: IPSec Architecture
Key Features of IPSec VPN

• IPsec is compatible with a wide range of applications
• Provides enhanced data security for all applications connected through a compatible AirLink gateway
• No additional installation required
• Simple wizard based setup
• Remote management, control and configuration via AceWare tools and utilities
• Secure two way communication channel with data encryption
• Can be downloaded, configured and installed over the air for currently deployed AirLink Raven X, PinPoint X and Raven XT devices

Sections in this document, that provide further information about IPSec, are:
1. User scenarios with graphic illustration of the IPSec feature.
2. VPN configuration settings and VPN parameters.
3. IPsec configuration settings. It is assumed that the audience has knowledge of AceManager.
4. Testing and basic troubleshooting.
Scenarios

Sierra Wireless AirLink modems with IPSec are designed to support the gateway to gateway security model.

IPsec is the most general security model, in that it allows either side to initiate a VPN session. Some user scenarios are discussed in this section.

In these examples, the term VPN tunnel is used to indicate a secure IPSec connection.

Remote Access Scenarios

1. This scenario shows three remote access activities:
  a. AVL Application Server (one way transmission of secure data): The AirLink modem has GPS capability (PinPoint model). The modem has set up a VPN tunnel with a corporate VPN box and is configured to send GPS location data to the corporate network.

Figure 1-2: AVL Application Server scenario

  b. Corporate Email Server (two way transmission of secure data): The AirLink modem is connected to a laptop. The modem setup has a VPN tunnel with the corporate VPN box. Through the modem, the laptop can securely access the corporate email server.
Figure 1-3: Corporate Email Server scenario
  c. Google (two way transmission of insecure data): The laptop user wants to access Google. The Google access can be performed while the corporate VPN tunnel is active.
Figure 1-4: Web Server scenario
  d. Pass through (two way transmission of secure data): The AirLink modem has a regular data connection with the laptop (VPN Client) and the VPN gateway.
Figure 1-5: Pass through mode
The next chapter walks you through the installation and configuration steps of establishing an IPSec setup on your modem to connect to the test servers at Sierra Wireless. You can follow the same process for connecting to your own VPN gateway.
2: Installation and Configuration

This chapter covers installation and configuration steps (Sierra Wireless test setup), to use the IPSec feature.

Note: Factory default settings allow you to connect to Sierra Wireless test equipment.

The illustration below shows the user being connected to the Sierra Wireless test environment setup. The user laptop, connected to an AirLink modem, communicates with the web server over the internet and through the Sierra Wireless VPN Gateway (Cisco and Netgear).

Figure 2-1: User set up

Once the tunnel is established and you are connected to the web server, the web browser displays connectivity to the Sierra Wireless IPSec test server.

Figure 2-2: Connection to the web browser
Set-Up

IPSec has a wide variety of user configuration options. When IPSec is enabled, it must be done for the purpose of creating a VPN tunnel with a corporate VPN box. In order for the Sierra Wireless AirLink modem to communicate with the VPN box, the modem must be configured to support at least one of the security policies of the VPN box. Hence, the VPN box security configuration must be available as a reference before configuring the AirLink modem for IPSec.

The installation steps are as follows:
1. For Static IP: Using your modem's static IP, configure your Cisco VPN to allow a tunnel to be established with your modem's IP address.
2. For Dynamic IP: Configure your Cisco VPN to allow a tunnel to be established dynamically with your modem's current IP address.
3. Connect your PC to the modem, and launch AceManager. Navigate to the IPSec configuration screen. Select the parameters that correspond to your Cisco configuration, and press the Write button on the top. Close AceManager.
4. Open a browser or other application and attempt to communicate with your enterprise network.

Modem Configuration Requirements

The modem should be provisioned and capable of passing traffic over the carrier network. If the modem is not provisioned, you will need to activate it in order to configure the account parameters. The Quick Start Guide for your modem will lead you through the steps to activate or configure your modem. You can access the Quick Start Guides on the support page for your modem. For 1x or EVDO modems, you will also need a Setup Wizard, which is available on the support page as well.

The modem can have a static or dynamic IP address, which can be obtained from AceManager. The IP address is listed as the first displayed entry on the Status page.

The modem firmware version should be 3.3 or higher. If the modem firmware is 3.2 or lower, you will need to upgrade the modem firmware. Please contact your Sierra Wireless sales engineer for the appropriate firmware update utility.
Installation

Please uninstall any previous versions of AceManager that had been installed on your PC, prior to installing the latest version of AceManager.

AceManager is available for free from Sierra Wireless AirLink and can be downloaded from http://www.sierrawireless.com/support/AirLink/Wireless_Ace.aspx.

Once this new version of AceManager and the new firmware is installed on your PC, please perform a factory default reset of the modem using an AT command:

AT*RESETCFG

This command will reset the modem with factory defaults and once the modem comes back up, please connect the modem with AceManager.

Configuration Settings

Once the AceManager application is installed, you can run it from your Start menu or from the icon on the desktop.

1. Start AceManager
Start > All Programs > AirLink Communications > AceManager
Figure 2-3: IPSec Pane in AceManager
2. Click on IPSec
The desired group tab will show respective parameters and details on the right side of the pane. Clicking on IPSec will display a list of parameters with default values and user configurable input fields (New Value).
Table 2-1: Configuration Parameters in AceManager

Name | Default Value | Description
IPSec Interface | 0 | Select 1-Modem-OTA. Choose 0 for disabling IPSec. Choose 1 for enabling IPSec. Choose 4 when you use ethernet for testing IPSec.
IPSec Status | Disconnected | Shows the status of IPSec.
IPSec Gateway | 64.163.70.30 | Fill in the IP of the VPN concentrator.
Pre-shared Key 1 | SierraWireless | 8 to 31 case sensitive ASCII characters.
Negotiation Mode | 1 | The choices in the drop down options are main or aggressive.
IKE Encryption Algorithm | 7 | You can choose other options like Blowfish, 3DES, Cast 128 and AES. 3DES or AES can be used for stronger encryption.
IKE Authentication Algorithm | 2 | Three different authentication algorithms are among the drop-down choices. 1-MD5 is for minimal security and 2-SHA-1 is higher security. 5-SHA-256 is also an option.
IKE Key Group | 2 | Different Key Groups are 1-DH1, 2-DH2 and 3-DH3.
IKE SA Life Time | 7200 (seconds) | Enter the lifetime of the VPN, i.e. how long it is valid. 0 reflects no expiry.
Local Address Type | 1 | Choose from the drop-down menu. 1 indicates Modem Public IP. It is the IP of the device behind the modem, when the modem is in public mode. 2 indicates Host Private Subnet of the device behind the modem on the same subnet, when the modem is in private mode. 5 indicates Single Address. 17 indicates Subnet Address.
Local Address | 0.0.0.0 | Local Address of the device connected to the modem.
Local Address - end or mask | 0.0.0.0 | Subnet address with the Subnet Mask.
Remote Address Type | 17 | Network behind the Concentrator.
Remote Address | 10.11.12.0 | Address of the remote device. Choose from two options: 5-Single Address and 17-Subnet Address.
Remote Address - end or mask | 255.255.255.0 | Subnet address with the Subnet Mask.
IPSec Encryption Algorithm | 3 | You can choose other options like Blowfish, 3DES, Cast 128 and AES. The option 0 indicates that IPSec encryption may not be used. 3DES or AES can be used for stronger encryption.
IPSec Authentication Algorithm | 2 | Three different authentication algorithms are among the drop-down choices. 1-MD5 is for minimal security and 2-SHA-1 is higher security. 5-SHA-256 is also an option. 0 is also an option for not applying an IPSec authentication algorithm.
IPSec Key Group | 2 | Different Key Groups are 1-DH1, 2-DH2 and 5-DH5. DH5 denotes highest security.
IPSec SA Life Time | 7200 (seconds) | This indicates how often the modem renegotiates the IKE SA. While the renegotiation happens the VPN tunnel gets disconnected temporarily.
Incoming Out of Band | 0 | Enable (1) or Disable (0) access to the modem remotely from machines that are not part of the IPSec network.
Outgoing Aleos Out of Band | 1 | Enable (1) or Disable (0) sending of ALEOS traffic over the IPSec tunnel to a remote location. This option allows ALEOS generated data (e.g. RAP) to be sent outside the IPSec tunnel.
Outgoing Host Out of Band | 0 | Enable (1) or Disable (0) access to resources outside the IPSec network (e.g. enable access to sites like www.google.com over a non IPSec channel).
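The parameters in Table 2-1 can be checked mechanically before a configuration is written to the modem. The following Python is an added example, not AceManager or Sierra Wireless code: the IPSecParams dataclass mirrors the table's parameter names and default values, the only numeric codes it recognises are the ones the table documents (authentication 0/1/2/5, IKE key groups 1/2/3, IPSec key groups 1/2/5, encryption 0 meaning none), and the judgements it makes (factory-default key, MD5, DH1, lifetime 0, encryption 0, out-of-band flags) are this example's own review policy rather than anything the guide prescribes.

```python
from __future__ import annotations
from dataclasses import dataclass

# Code values Table 2-1 spells out; other numeric codes are not documented on the page.
AUTH_ALGS = {0: "none", 1: "MD5", 2: "SHA-1", 5: "SHA-256"}
IKE_KEY_GROUPS = {1: "DH1", 2: "DH2", 3: "DH3"}
IPSEC_KEY_GROUPS = {1: "DH1", 2: "DH2", 5: "DH5"}
ENC_NONE = 0                    # "option 0 indicates that IPSec encryption may not be used"
DEFAULT_PSK = "SierraWireless"  # factory default Pre-shared Key 1 from the table


@dataclass
class IPSecParams:
    """The Table 2-1 parameters that affect security, with the table's defaults."""
    ipsec_interface: int = 0
    ipsec_gateway: str = "64.163.70.30"
    pre_shared_key: str = DEFAULT_PSK
    ike_auth_alg: int = 2
    ike_key_group: int = 2
    ike_sa_lifetime: int = 7200
    ipsec_enc_alg: int = 3
    ipsec_auth_alg: int = 2
    ipsec_key_group: int = 2
    ipsec_sa_lifetime: int = 7200
    incoming_oob: int = 0
    outgoing_host_oob: int = 0


def audit(p: IPSecParams) -> list[str]:
    """Return the findings for one parameter set; an empty list means it passes."""
    findings: list[str] = []
    if p.ipsec_interface == 0:
        findings.append("IPSec Interface = 0: IPSec is disabled, traffic leaves unprotected")
    psk = p.pre_shared_key
    if not (8 <= len(psk) <= 31) or not psk.isascii():  # table: 8 to 31 ASCII characters
        findings.append("Pre-shared Key 1 is outside the 8-31 ASCII character range")
    if psk == DEFAULT_PSK:
        findings.append("Pre-shared Key 1 is still the factory default printed in the guide")
    for label, code in (("IKE", p.ike_auth_alg), ("IPSec", p.ipsec_auth_alg)):
        if code not in AUTH_ALGS:
            findings.append(f"{label} Authentication Algorithm code {code} is not documented")
        elif code == 0:
            findings.append(f"{label} authentication off: packets carry no integrity check")
        elif code == 1:
            findings.append(f"{label} Authentication Algorithm is MD5, the minimal-security choice")
    for label, code, groups in (("IKE", p.ike_key_group, IKE_KEY_GROUPS),
                                ("IPSec", p.ipsec_key_group, IPSEC_KEY_GROUPS)):
        if code not in groups:
            findings.append(f"{label} Key Group {code} is not a documented choice")
        elif code == 1:
            findings.append(f"{label} Key Group is DH1 (MODP 768), the weakest listed group")
    if p.ipsec_enc_alg == ENC_NONE:
        findings.append("IPSec Encryption Algorithm = 0: payload is sent in the clear")
    for label, secs in (("IKE", p.ike_sa_lifetime), ("IPSec", p.ipsec_sa_lifetime)):
        if secs == 0:
            findings.append(f"{label} SA Life Time = 0: no expiry, keys are never renegotiated")
    if p.incoming_oob == 1:
        findings.append("Incoming Out of Band = 1: modem reachable from hosts outside the IPSec network")
    if p.outgoing_host_oob == 1:
        findings.append("Outgoing Host Out of Band = 1: host traffic may bypass the tunnel")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the PSK below is an illustration, not a real key.
    hardened = IPSecParams(ipsec_interface=1, pre_shared_key="c0nstructed-example-psk",
                           ike_auth_alg=5, ipsec_auth_alg=5, ipsec_key_group=5)
    for name, params in (("factory defaults", IPSecParams()), ("hardened", hardened)):
        print(name, audit(params) or ["no findings"])
```

Running it against the factory defaults reports exactly two items (IPSec disabled and the default key), which matches the guide's own note that the defaults are meant only for reaching the Sierra Wireless test equipment; the hardened set reports nothing.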
To confirm a successful connection, the following tests can be run:
• Connect a PC to the modem and attempt to ping the IP address 10.11.12.13. The tunnel might take some time to be established. However, once the tunnel is established you will receive responses to your ping.
• Once the ability to ping the private address has been established, please try opening a browser and pointing it to http://10.11.12.13.

Once these two tests pass, a baseline for the IPSec configuration in the modem has been established. You can now begin to make the IPSec configuration changes to get the modem connecting to your own IPSec gateway.

Different scenario use cases and their configuration steps in AceManager, to establish the IPSec tunnel, are addressed in the following sections.
HTTP Server

A PC connected to a Sierra Wireless AirLink Modem uses a web browser to view an HTTP server behind the IPsec Gateway.

The Configuration steps are:
1. In AceManager, click on the IPSec tab. Please refer to Figure 2-3.
2. Configure the IPSec Interface parameter as 1, to enable IPSec. Once IPSec is enabled, the factory default settings should be restored. Table 2-1 lists all the IPSec parameter default values. The required fields for IPSec to be established are:
  a. IPSec Gateway
  b. Pre-shared Key 1
  c. IKE Encryption Algorithm
  d. IKE Authentication Algorithm
  e. IKE Key Group
  f. IKE SA Life Time
  g. Remote Address
  h. IPSec Encryption Algorithm
  i. IPSec Authentication Algorithm
  j. IPSec Key Group
  k. IPSec SA Life Time
  l. Incoming Out of Band: If you want mobile termination
  m. Outgoing Host Out of Band: To access the internet by bypassing the IPSec tunnel, you can set this parameter as 1.

Note: In Chapter 1, the Remote Access Scenarios section includes the Google web server scenario, where Outgoing Host Out of Band can be set to 1 to access the internet outside the IPSec tunnel.

3. Click on Write, in the top bar.
4. Click on Reset, to reset the modem.
5. IPSec status displays as Connected.

Once the tunnel comes up, ping the web server. The web browser should be able to reach the server. An example of a web browser screenshot, after the tunnel establishes, is provided.

Figure 2-4: Web Browser
Application Server

A Sierra Wireless AirLink Modem sends AVL Application Server data through the tunnel for the Report Server that is behind the IPsec Gateway.

The Configuration steps are:
1. In AceManager, click on the PinPoint tab and ensure values that correspond to Figure 2-5.

Figure 2-5: PinPoint Configuration

2. Provide the Server IP Address on the right hand side pane.
3. Enter the Report Interval time.
4. Configure the IPSec Interface parameter as 1, to enable IPSec. Once IPSec is enabled, the factory default settings should be restored. Table 2-1 lists all the IPSec parameter default values. The required fields for IPSec to be established are:
  a. IPSec Gateway
  b. Pre-shared Key 1
  c. IKE Encryption Algorithm
  d. IKE Authentication Algorithm
  e. IKE Key Group
  f. IKE SA Life Time
  g. Remote Address
  h. IPSec Encryption Algorithm
  i. IPSec Authentication Algorithm
  j. IPSec Key Group
  k. IPSec SA Life Time
  l. Incoming Out of Band: If you want mobile termination
  m. Outgoing Host Out of Band: To access the internet outside the tunnel, from the modem.
5. Click on Write.
6. Click on Reset, to reset the modem.
An AVL Application server modem report notification image is provided as an example.

Figure 2-6: Application Server Tunnel

7. Once the tunnel comes up, check the AVL Application server for the update.

An example of a log of the modem, sending data through the tunnel, is provided.

Figure 2-7: Log sending data

Network behind the modem

You can have multiple machines (for example, PC1 and PC2) behind the modem on the same LAN.

The Configuration steps are:
1. In AceManager, click on the IPSec option.
2. Go to Local address type and set it to 2 (Host Private Subnet).
Figure 2-8: Host Private Subnet
3. Click on PPP ethernet. Set the modem to private mode.
Figure 2-9: PPP Ethernet configuration
4. Configure the IPSec Interface parameter as 1, to enable IPSec. Once IPSec is enabled, the factory default settings should be restored. Table 2-1 lists all the IPSec parameter default values. The required fields for IPSec to be established are:
  a. IPSec Gateway
  b. Pre-shared Key 1
  c. IKE Encryption Algorithm
  d. IKE Authentication Algorithm
  e. IKE Key Group
  f. IKE SA Life Time
  g. Remote Address
  h. IPSec Encryption Algorithm
  i. IPSec Authentication Algorithm
  j. IPSec Key Group
  k. IPSec SA Life Time
  l. Incoming Out of Band: If you want mobile termination
  m. Outgoing Host Out of Band: To access the internet outside the tunnel, from the modem.
5. Make sure the static IP address of PC2 is on the same subnet as the modem's host private IP. PC1 picks up the dynamic IP address and PC2 should be set to a static IP address.
6. Click on Reset, to reset the modem. The IPSec tunnel is set up.

Now you should be able to reach the other side of the server from PC1 and/or PC2. Both the machines (PC1 and PC2) can be communicated with, from the server through the IPSec tunnel. The modem should be reachable from the remote server as well.
A: Sample Configuration File

VPN Configuration file

Two examples, of Static IP and Dynamic IP, are provided in the following sections, respectively.
Static IP

Example IPSec Configuration for Cisco 1841 Router

1841_ppx2#show run
Building configuration...

Current configuration : 2202 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841_ppx2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
username progent privilege 15 password 0 progent
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp key 6 key4567890123477 address 166.213.198.10
crypto isakmp key test address 70.2.190.17
!
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map IPSEC 30 ipsec-isakmp
 set peer 166.213.198.10
 set security-association lifetime seconds 28000
 set transform-set 3DES-SHA
 set pfs group2
 match address 101
crypto map IPSEC 40 ipsec-isakmp
 set peer 70.2.190.17
 set security-association lifetime seconds 28000
 set transform-set 3DES-SHA
 set pfs group2
 match address 102
!
!
!
interface FastEthernet0/0
 ip address 64.163.70.102 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed 10
 crypto map IPSEC
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.163.70.1
ip route 192.168.3.0 255.255.255.0 70.2.190.17
ip route 192.168.13.0 255.255.255.0 166.213.198.10
!
no ip http server
no ip http secure-server
ip nat pool nat 64.163.70.102 64.163.70.102 netmask 255.255.255.252
ip nat inside source list 110 pool nat overload
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 166.213.198.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 192.168.13.100
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 host 166.213.198.10
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input all
!
end
Dynamic IP

1841b_dynamic#
1841b_dynamic#sh run
Building configuration...

Current configuration : 1479 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841b_dynamic
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
username sw privilege 15 password 0 sw
!
!
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp key 6 key4567890123477 address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map MODEM-DYN-MAP 1000
 set security-association lifetime seconds 28000
 set transform-set 3DES-SHA
 set pfs group2
 match address 101
!
!
crypto map IPSEC 65535 ipsec-isakmp dynamic MODEM-DYN-MAP
!
!
!
interface FastEthernet0/0
 ip address 64.163.70.104 255.255.255.0
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map IPSEC
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.163.70.1
!
ip http server
no ip http secure-server
ip nat pool nat 64.163.70.104 64.163.70.104 netmask 255.255.255.252
ip nat inside source list 110 pool nat overload
!
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip any 192.168.4.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end
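The Set-Up section says the VPN box's security configuration must be in hand before the modem is configured, and the two running-configs above are that reference. The following Python is an added example, not Cisco or Sierra Wireless code: it reads constructed, trimmed copies of the Static IP and Dynamic IP configs (same addresses, keys and ACL numbers as above, unrelated lines left out) and reports the gateway-side conditions a reviewer would check before touching the modem: a pre-shared key stored in clear text or shorter than the 8 characters the modem's Pre-shared Key 1 field accepts, a wildcard 0.0.0.0 key that any source may use, a crypto map peer with no key, tunnel traffic that the NAT list still translates, a NAT list that is referenced but never defined, and ip http server left enabled. The IOS semantics it relies on (first-match ACLs ending in an implicit deny, a type 6 key being the encrypted form) are assumptions stated in the comments, not something the guide documents.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed, trimmed copies of the two router configs above (same addresses,
# keys and ACL numbers; lines the checks do not look at are left out).
STATIC_CFG = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 key4567890123477 address 166.213.198.10
crypto isakmp key test address 70.2.190.17
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map IPSEC 30 ipsec-isakmp
 set peer 166.213.198.10
 set transform-set 3DES-SHA
 set pfs group2
 match address 101
no ip http server
ip nat inside source list 110 pool nat overload
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 166.213.198.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 192.168.13.100
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 host 166.213.198.10
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
"""
DYNAMIC_CFG = """\
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 key4567890123477 address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map MODEM-DYN-MAP 1000
 set transform-set 3DES-SHA
 set pfs group2
 match address 101
crypto map IPSEC 65535 ipsec-isakmp dynamic MODEM-DYN-MAP
ip http server
ip nat inside source list 110 pool nat overload
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip any 192.168.4.0 0.0.0.255
"""


def _net(tokens: list[str]):
    """Read one ACL address spec ('any', 'host X', 'X wildcard'); return (network, rest).
    ipaddress accepts IOS wildcard masks directly as host masks."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(cfg: str) -> dict[str, list[tuple]]:
    """{ACL number: [(action, src_net, dst_net), ...]} in configured order."""
    acls: dict[str, list[tuple]] = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny) ip (.+)$", cfg, re.M):
        src, rest = _net(m.group(3).split())
        dst, _ = _net(rest)
        acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls


def _nat_decision(nat_acl, src, dst) -> str:
    """First-match evaluation of the NAT ACL for one tunnel flow (assumption:
    IOS ACLs are first-match and end in an implicit deny)."""
    for action, s, d in nat_acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def review(cfg: str) -> list[str]:
    """Return gateway-side findings for one running-config; empty means nothing flagged."""
    findings: list[str] = []
    acls = parse_acls(cfg)
    keys: dict[str, str] = {}
    for m in re.finditer(r"^crypto isakmp key (?:([06]) )?(\S+) address (\S+)(?: (\S+))?", cfg, re.M):
        ktype, key, peer, mask = m.groups()
        keys[peer] = key
        if ktype != "6":  # assumption: only type 6 keys are stored encrypted in 'show run'
            findings.append(f"pre-shared key for {peer} is stored in clear text")
        if len(key) < 8:  # Table 2-1: the modem holds only 8-31 characters
            findings.append(f"pre-shared key for {peer} is {len(key)} characters, the modem needs 8-31")
        if peer == "0.0.0.0" and mask == "0.0.0.0":
            findings.append("wildcard pre-shared key: any source holding the key can negotiate")
    nat = re.search(r"^ip nat inside source list (\d+)", cfg, re.M)
    nat_acl = acls.get(nat.group(1)) if nat else None
    if nat and nat_acl is None:
        findings.append(f"NAT references access-list {nat.group(1)}, which is not defined")
    for m in re.finditer(r"^crypto (?:map|dynamic-map) \S+ \d+.*\n((?: .*\n)+)", cfg, re.M):
        body = m.group(1)
        peer = re.search(r"set peer (\S+)", body)
        if peer and peer.group(1) not in keys and "0.0.0.0" not in keys:
            findings.append(f"crypto map peer {peer.group(1)} has no isakmp key")
        match = re.search(r"match address (\d+)", body)
        for action, src, dst in (acls.get(match.group(1), []) if match else []):
            if action == "permit" and nat_acl and _nat_decision(nat_acl, src, dst) == "permit":
                findings.append(f"tunnel traffic {src} -> {dst} is still NATed by list {nat.group(1)}")
    if re.search(r"^ip http server", cfg, re.M):
        findings.append("ip http server is enabled on the gateway")
    return findings


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_CFG), ("dynamic", DYNAMIC_CFG)):
        print(name, review(cfg) or ["no findings"])
```

On the static sample the only findings concern the second key (the four-character "test" key for 70.2.190.17, which is both readable in the config and too short for the modem to hold); the NAT exemptions for both crypto ACL flows are present. The dynamic sample flags the wildcard key, the undefined NAT list 110 and the enabled HTTP server, which is exactly what a reader of that config should weigh before letting any modem that knows the key negotiate against it.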
B: IPsec Architecture

Standards of the M2M IPSec Support

Sierra Wireless M2M IPSec supports the following standards:
• RFC 1829 The ESP DES-CBC Transform
• RFC 2401 Security Architecture for the Internet Protocol
• RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
• RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
• RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV
• RFC 2406 IP Encapsulating Security Payload (ESP)
• RFC 2410 The NULL Encryption Algorithm and Its Use With IPSec
• RFC 2451 The ESP CBC-Mode Cipher Algorithms
• RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPSec (future enhancement)

Security Algorithms:

1. Internet Key Exchange (IKE)
  a. Authentication for IKE Messages (Hashing Algorithms)
    • MD5
    • SHA1
  b. Exchange Modes Supported in Phase 1 and Phase 2 of IKE
    • Main Mode
    • Aggressive Mode
    • Quick Mode
    • Informational Mode
  c. Authentication Methods (used in Phase 1)
    • Authentication using pre-shared keys
    • Authentication using RSA signatures
  d. Oakley Groups: used during Phase 1 to calculate keys for the IKE Security Association
    • First Oakley Group (MODP 768)
    • Second Oakley Group (MODP 1024)
    • Fifth Oakley Group (MODP 1536)
    • MODP 2048 (available, but not currently supported)
    • MODP 3072 (available, but not currently supported)
    • MODP 4096 (available, but not currently supported)
    • MODP 6144 (available, but not currently supported)
    • MODP 8192 (available, but not currently supported)
2. IP Security (IPSec)
  a. IPSec Protocols
    • Encapsulating Security Protocol (ESP)
  b. Operational Modes
    • Tunnel Mode
  c. Cipher or Encryption Algorithms
    • DES
    • CAST 128
    • Blowfish
    • AES (future)
    • NULL encryption algorithm
  d. Usage Options: the modem can support unencrypted traffic, and one option below for encryption:
    • No authentication or encryption
    • Authentication only
    • Encryption only
    • Authentication and Encryption
Reference Material

National Institute of Standards and Technology. Guide to IPsec VPNs. Retrieved January 7, 2008, from http://csrc.nist.gov/publications/nistpubs/80077/sp80077.pdf (IPsec white paper resource).

5 Articles on IPsec by Cisco: http://www.ciscopress.com/authors/bio.asp?a=523e23133b154e8eb051c71d7fd6528d&rl=1

IPsec setup on Linux (includes useful examples): http://lartc.org/howto/lartc.ipsec.html