ipsec user guide

Upload: godhelpingme

Post on 07-Apr-2018


8/6/2019 IPsec User Guide 1/32

IPSec User Guide

2120028 Rev 2.2

Rev 2.2 Aug.08 i

Important Notice: Due to the nature of wireless communications, transmission and reception of data can never be guaranteed. Data may be delayed, corrupted (i.e., have errors) or be totally lost. Although significant delays or losses of data are rare when wireless devices such as the Sierra Wireless AirLink Product Name are used in a normal manner with a well constructed network, the Sierra Wireless AirLink Product Name should not be used in situations where failure to transmit or receive data could result in damage of any kind to the user or any other party, including but not limited to personal injury, death, or loss of property. Sierra Wireless accepts no responsibility for damages of any kind resulting from delays or errors in data transmitted or received using the Sierra Wireless AirLink Product Name, or for failure of the Sierra Wireless AirLink Product Name to transmit or receive such data.

Safety and Hazards: Do not operate the Sierra Wireless AirLink Product Name in areas where blasting is in progress, where explosive atmospheres may be present, near medical equipment, near life support equipment, or any equipment which may be susceptible to any form of radio interference. In such areas, the Sierra Wireless AirLink Product Name MUST BE POWERED OFF. The Sierra Wireless AirLink Product Name can transmit signals that could interfere with this equipment.

Do not operate the Sierra Wireless AirLink Product Name in any aircraft, whether the aircraft is on the ground or in flight. In aircraft, the Sierra Wireless AirLink Product Name MUST BE POWERED OFF. When operating, the Sierra Wireless AirLink Product Name can transmit signals that could interfere with various onboard systems.

Note: Some airlines may permit the use of cellular phones while the aircraft is on the ground and the door is open. The Sierra Wireless AirLink Product Name may be used at this time.

The driver or operator of any vehicle should not operate the Sierra Wireless AirLink Product Name while in control of a vehicle. Doing so will detract from the driver or operator's control and operation of that vehicle. In some states and provinces, operating such communications devices while in control of a vehicle is an offence.

Limitation of Liability: The information in this manual is subject to change without notice and does not represent a commitment on the part of Sierra Wireless. SIERRA WIRELESS AND ITS AFFILIATES SPECIFICALLY DISCLAIM LIABILITY FOR ANY AND ALL DIRECT, INDIRECT, SPECIAL, GENERAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS OR REVENUE OR ANTICIPATED PROFITS OR REVENUE ARISING OUT OF THE USE OR INABILITY TO USE ANY SIERRA WIRELESS PRODUCT, EVEN IF SIERRA WIRELESS AND/OR ITS AFFILIATES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR THEY ARE FORESEEABLE OR FOR CLAIMS BY ANY THIRD PARTY.

Notwithstanding the foregoing, in no event shall Sierra Wireless and/or its affiliates' aggregate liability arising under or in connection with the Sierra Wireless product, regardless of the number of events, occurrences, or claims giving rise to liability, be in excess of the price paid by the purchaser for the Sierra Wireless product.

Patents: Portions of this product may be covered by some or all of the following US patents: 5,515,013 5,629,960 5,845,216 5,847,553 5,878,234 5,890,057 5,929,815 6,169,884 6,191,741 6,199,168 6,339,405 6,359,591 6,400,336 6,516,204 6,561,851 6,643,501 6,653,979 6,697,030 6,785,830 6,845,249 6,847,830 6,876,697 6,879,585 6,886,049 6,968,171 6,985,757 7,023,878 7,053,843 7,106,569 7,145,267 7,200,512 D442,170 D459,303 and other patents pending.

Copyright: 2008 Sierra Wireless. All rights reserved.

Trademarks: AirCard and Heart of the Wireless Machine are registered trademarks of Sierra Wireless. Watcher is a trademark of Sierra Wireless, registered in the European Community. AirLink and AceWare are trademarks of Sierra Wireless. Sierra Wireless, the Sierra Wireless logo, the red wave design, and the red tipped antenna are trademarks of Sierra Wireless.

Windows is a registered trademark of Microsoft Corporation.

Other trademarks are the property of the respective owners.

Contact Information

Consult our website for up to date product descriptions, documentation, application notes, firmware upgrades, troubleshooting tips, and press releases: www.sierrawireless.com

Support Desk: Phone: 1-877-231-1144. Hours: 5:00 AM to 5:00 PM Pacific Time, Monday to Friday, except US Holidays. E-mail: [email protected]

Sales Desk: Phone: 1-510-624-4200 or 1-604-232-1488. Hours: 8:00 AM to 5:00 PM Pacific Time. E-mail: [email protected]

Post: Sierra Wireless America, 39677 Eureka Drive, Newark, CA, USA 94560
Sierra Wireless, 13811 Wireless Way, Richmond, BC, Canada V6V 3A4
Fax: 1-510-624-4299 or 1-604-231-1109
Web: www.sierrawireless.com

Revision History

Revision number | Release date | Changes
1.x | Q2: 2008 | IPSec User Guide documentation created.
2.x | Q2: 2008 | IPSec User Guide documentation revised and updated.
Contents

Introducing IPSec ... 1
  Overview ... 1
    Key Features of IPSec VPN ... 2
  Scenarios ... 3
    Remote Access Scenarios ... 3
Installation and Configuration ... 6
  Set-Up ... 7
    Modem Configuration Requirements ... 7
  Installation ... 8
    AT*RESETCFG ... 8
  Configuration Settings ... 8
    HTTP Server ... 12
    Application Server ... 13
    Network behind the modem ... 15
Sample Configuration File ... 18
  VPN Configuration file ... 18
    Static IP ... 18
    Dynamic IP ... 21
IPsec Architecture ... 24
  Standards of the M2M IPSec Support ... 24
  Security Algorithms ... 24
Reference Material ... 25

1: Introducing IPSec

The IP protocol that drives the Internet is inherently insecure. Internet Protocol Security (IPSec), which is a standards based protocol, secures communications of IP packets over public networks.

Organizations are striving to protect their communication channels from unauthorized viewing and to enforce authentication of the entities at the other side of the channel.

Unauthorized access to sensitive data can be avoided by using IPSec. By applying security at the IP layer of the OSI model, communications can be protected; in this manner the upper layers of the OSI model can leverage the security services provided at the IP layer without any change to the applications themselves.

Sierra Wireless AirLink has added IPSec, as the latest addition to the list of features, in all the ALEOS powered AirLink X and XT platforms of devices.

Overview

IPSec is a common network layer security control and is used to create a virtual private network (VPN).

The advantages of the IPSec feature include:

Data Protection: Data content confidentiality allows users to protect their data from any unauthorized view, because the data is encrypted (encryption algorithms are used).

Access Control: Access control implies a security service that prevents unauthorized use of a security gateway, a network behind a gateway, or bandwidth on that network.

Data Origin Authentication: Data origin authentication verifies the actual sender, so that a third party cannot forge the actual sender's identification.

Data Integrity: Data integrity authentication allows both ends of the communication channel to confirm that the original data sent has been received as transmitted, without being tampered with in transit. This is achieved by using authentication algorithms and their outputs.

The IPSec architecture model includes the Sierra Wireless AirLink modem as a remote gateway at one end communicating, through a VPN tunnel, with a VPN gateway at the other end. The remote gateway is connected to a remote network and the VPN gateway is connected to the local network. The communication of data is secured through the IPSec protocols.

Figure 1-1: IPSec Architecture

Key Features of IPSec VPN

• IPsec is compatible with a wide range of applications
• Provides enhanced data security for all applications connected through a compatible AirLink gateway
• No additional installation required
• Simple wizard based setup
• Remote management, control and configuration via AceWare tools and utilities
• Secure two way communication channel with data encryption
• Can be downloaded, configured and installed over the air for currently deployed AirLink Raven X, PinPoint X and Raven XT devices

Sections in this document that provide further information about IPSec are:

1. User scenarios with graphic illustration of the IPSec feature.
2. VPN configuration settings and VPN parameters.
3. IPsec configuration settings. It is assumed that the audience has knowledge of AceManager.
4. Testing and basic troubleshooting.

Scenarios

Sierra Wireless AirLink modems with IPSec are designed to support the gateway to gateway security model.

IPsec is the most general security model, in that it allows either side to initiate a VPN session. Some user scenarios are discussed in this section.

In these examples, the term VPN tunnel is used to indicate a secure IPSec connection.

Remote Access Scenarios

1. This scenario shows the following remote access activities:

a. AVL Application Server (one way transmission of secure data): The AirLink modem has GPS capability (PinPoint model). The modem has set up a VPN tunnel with a corporate VPN box and is configured to send GPS location data to the corporate network.

Figure 1-2: AVL Application Server scenario

b. Corporate Email Server (two way transmission of secure data): The AirLink modem is connected to a laptop. The modem has set up a VPN tunnel with the corporate VPN box. Through the modem, the laptop can securely access the corporate email server.

Figure 1-3: Corporate Email Server scenario

c. Google (two way transmission of insecure data): The laptop user wants to access Google. The Google access can be performed while the corporate VPN tunnel is active (the Outgoing Host Out of Band parameter in Table 2-1 controls this). This traffic bypasses the tunnel and is not protected by it.

Figure 1-4: Web Server scenario

d. Pass through (two way transmission of secure data): The AirLink modem has a regular data connection with the laptop (VPN client) and the VPN gateway; the laptop runs the VPN client and the modem passes its traffic through.

Figure 1-5: Pass through mode

The next chapter walks you through the installation and configuration steps of establishing an IPSec set-up on your modem to connect to the test servers at Sierra Wireless. You can follow the same process for connecting to your own VPN gateway.

2: Installation and Configuration

This chapter covers installation and configuration steps (Sierra Wireless test set-up) to use the IPSec feature.

Note: Factory default settings allow you to connect to Sierra Wireless test equipment.

The illustration below shows the user being connected to the Sierra Wireless test environment set-up. The user laptop, connected to an AirLink modem, communicates with the web server over the internet and through the Sierra Wireless VPN Gateway (Cisco and Netgear).

Figure 2-1: User set up

Once the tunnel is established and you are connected to the web server, the web browser displays connectivity to the Sierra Wireless IPSec test server.

Figure 2-2: Connection to the web browser

Set-Up

IPSec has a wide variety of user configuration options. When IPSec is enabled, it must be done for the purpose of creating a VPN tunnel with a corporate VPN box. In order for the Sierra Wireless AirLink modem to communicate with the VPN box, the modem must be configured to support at least one of the security policies of the VPN box. Hence, the VPN box security configuration must be available as a reference before configuring the AirLink modem for IPSec.

The factory defaults (IPSec Gateway 64.163.70.30 and Pre-shared Key 1 "SierraWireless", see Table 2-1) point at Sierra Wireless test equipment and are published in this guide. Use them only to establish the baseline described under Configuration Settings, and replace both the gateway address and the key with your own before the modem carries production traffic.

The installation steps are as follows:

1. For Static IP: Using your modem's static IP, configure your Cisco VPN to allow a tunnel to be established with your modem's IP address.

2. For Dynamic IP: Configure your Cisco VPN to allow a tunnel to be established dynamically with your modem's current IP address.

3. Connect your PC to the modem, and launch AceManager. Navigate to the IPSec configuration screen. Select the parameters that correspond to your Cisco configuration, and press the Write button on the top. Close AceManager.

4. Open a browser or other application and attempt to communicate with your enterprise network.

Modem Configuration Requirements

The modem should be provisioned and capable of passing traffic over the carrier network. If the modem is not provisioned, you will need to activate it in order to configure the account parameters. The Quick Start Guide for your modem will lead you through the steps to activate or configure your modem. You can access the Quick Start Guides on the support page for your modem. For 1x or EVDO modems, you will also need a Setup Wizard, which is available on the support page as well.

The modem can have a static or dynamic IP address, which can be obtained from AceManager. The IP address is listed as the first displayed entry on the Status page.

The modem firmware version should be 3.3 or higher. If the modem firmware is 3.2 or lower, you will need to upgrade the modem firmware. Please contact your Sierra Wireless sales engineer for the appropriate firmware update utility.

Installation

Please uninstall any previous versions of AceManager that had been installed on your PC, prior to installing the latest version of AceManager.

AceManager is available for free from Sierra Wireless AirLink and can be downloaded from http://www.sierrawireless.com/support/AirLink/Wireless_Ace.aspx.

Once this new version of AceManager and the new firmware are installed, please perform a factory default reset of the modem using the AT command:

AT*RESETCFG

This command resets the modem to factory defaults. Once the modem comes back up, please connect to the modem with AceManager.

Configuration Settings

Once the AceManager application is installed, you can run it from your Start menu or from the icon on the desktop.

1. Start AceManager: Start > All Programs > AirLink Communications > AceManager

Figure 2-3: IPSec Pane in AceManager

2. Click on IPSec

The desired group tab will show the respective parameters and details on the right side of the pane. Clicking on IPSec will display the list of parameters with default values and user configurable input fields (New Value).

Table 2-1: Configuration Parameters in AceManager (Name, Default Value, Description)

IPSec Interface (default 0): Select 1-Modem-OTA. Choose 0 to disable IPSec, 1 to enable IPSec, and 4 when you use ethernet for testing IPSec.

IPSec Status (default Disconnected): Shows the status of IPSec.

IPSec Gateway (default 64.163.70.30): Fill in the IP address of the VPN concentrator.

Pre-shared Key 1 (default SierraWireless): 8 to 31 case sensitive ASCII characters. The default is a published test key and must be replaced before deployment.

Negotiation Mode (default 1): The drop-down choices are main or aggressive. Prefer main mode where the gateway supports it: aggressive mode with a pre-shared key sends the identities in the clear and exposes a hash of the key to offline guessing.

IKE Encryption Algorithm (default 7): You can choose other options like Blowfish, 3DES, CAST 128 and AES. 3DES or AES can be used for stronger encryption.

IKE Authentication Algorithm (default 2): Three authentication algorithms are among the drop-down choices: 1-MD5 is for minimal security, 2-SHA-1 is higher security, and 5-SHA-256 is also an option.

IKE Key Group (default 2): The Diffie-Hellman groups are 1-DH1, 2-DH2 and 5-DH5 (the Oakley groups listed in Appendix B). Group 1 (768-bit MODP) should be avoided.

IKE SA Life Time (default 7200 seconds): Enter how long the IKE SA is valid. 0 means no expiry; avoid it, since the IKE keys are then never refreshed.

Local Address Type (default 1): Choose from the drop-down menu. 1 indicates Modem Public IP: the IP of the device behind the modem, when the modem is in public mode. 2 indicates Host Private Subnet: the subnet of the devices behind the modem, on the same subnet, when the modem is in private mode. 5 indicates Single Address. 17 indicates Subnet Address.

Local Address (default 0.0.0.0): Local address of the device connected to the modem.

Local Address - end or mask (default 0.0.0.0): Subnet address with the subnet mask.

Remote Address Type (default 17): Network behind the concentrator. Choose from two options: 5-Single Address and 17-Subnet Address.

Remote Address (default 10.11.12.0): Address of the remote device or network.

Remote Address - end or mask (default 255.255.255.0): Subnet address with the subnet mask.

IPSec Encryption Algorithm (default 3): You can choose other options like Blowfish, 3DES, CAST 128 and AES. The option 0 indicates that IPSec encryption is not used (ESP with NULL encryption): traffic then leaves the modem authenticated but readable. 3DES or AES can be used for stronger encryption.

IPSec Authentication Algorithm (default 2): Three authentication algorithms are among the drop-down choices: 1-MD5 is for minimal security, 2-SHA-1 is higher security, and 5-SHA-256 is also an option. 0 is also an option for not applying an IPSec authentication algorithm; packets are then not integrity protected, and with both this and the encryption algorithm set to 0 the tunnel protects nothing.

IPSec Key Group (default 2): The Diffie-Hellman groups are 1-DH1, 2-DH2 and 5-DH5. DH5 denotes the highest security. This is the Phase 2 (PFS) group and must agree with the gateway's PFS setting (for example "set pfs group2" in the Cisco samples of Appendix A).

IPSec SA Life Time (default 7200 seconds): This indicates how often the modem renegotiates the IPSec SA (Phase 2; the IKE SA has its own lifetime above). While the renegotiation happens the VPN tunnel gets disconnected temporarily.

Incoming Out of Band (default 0): Enable (1) or Disable (0) access to the modem remotely from machines that are not part of the IPSec network. Leave this at 0 unless remote management outside the tunnel is required, since 1 exposes the modem's management interfaces on its carrier-facing address.

Outgoing ALEOS Out of Band (default 1): Enable (1) or Disable (0) sending ALEOS-generated traffic (e.g. RAP) outside the IPSec tunnel. With the default of 1 that traffic bypasses the tunnel and is not protected by it.

Outgoing Host Out of Band (default 0): Enable (1) or Disable (0) access to resources outside the IPSec network (e.g. enable access to sites like www.google.com over a non IPSec channel). This is a split-tunnel setting: with 1, host traffic to destinations outside the remote network leaves in the clear.
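Step 3 of the Set-Up procedure requires the modem to match at least one of the gateway's security policies, and Table 2-1 gives the modem-side parameter names. The following is an added example, not Sierra Wireless or Cisco code: it parses the crypto section of a Cisco IOS `show run` (the constructed excerpt is copied from the Static IP sample in Appendix A) and checks a set of Table 2-1 values against it, reporting the Phase 1 and Phase 2 outcome and flagging weak choices. Assumptions: the table does not name the cipher codes 7 and 3, so 3DES is assumed for both; the IOS ISAKMP policy defaults (DES, SHA, group 1, 86400 s) are the standard ones; the function and constant names are the example's own.

```python
"""Check AirLink IPSec settings (Table 2-1 names) against a Cisco IOS peer.

Added example, not Sierra Wireless or Cisco code. It reads the ISAKMP policy,
ESP transform sets and crypto-map entries out of an IOS 'show run' excerpt and
reports whether the modem's IKE (Phase 1) and IPSec (Phase 2) proposals can be
accepted by that peer, flagging settings a security reviewer would reject.
"""
import re

# Constructed input: the crypto lines of the Static IP sample (1841_ppx2).
IOS_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp key 6 key4567890123477 address 166.213.198.10
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map IPSEC 30 ipsec-isakmp
 set peer 166.213.198.10
 set security-association lifetime seconds 28000
 set transform-set 3DES-SHA
 set pfs group2
 match address 101
"""

# Assumed modem values: Table 2-1 defaults give SHA-1 and DH2; the table does
# not name cipher codes 7 and 3, so 3DES (the sample's transform set) is assumed.
MODEM_DEFAULTS = {
    "Negotiation Mode": "main",
    "IKE Encryption Algorithm": "3DES",
    "IKE Authentication Algorithm": "SHA-1",
    "IKE Key Group": "DH2",
    "IKE SA Life Time": 7200,
    "IPSec Encryption Algorithm": "3DES",
    "IPSec Authentication Algorithm": "SHA-1",
    "IPSec Key Group": "DH2",
    "IPSec SA Life Time": 7200,
}

# IOS keywords -> Table 2-1 names; an ISAKMP policy defaults to DES/SHA/group 1.
IKE_CIPHERS = {"des": "DES", "3des": "3DES", "aes": "AES"}
IKE_HASHES = {"md5": "MD5", "sha": "SHA-1", "sha256": "SHA-256"}
ESP_CIPHERS = {"esp-des": "DES", "esp-3des": "3DES", "esp-aes": "AES", "esp-null": "NULL"}
ESP_HASHES = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA-1"}
POLICY_DEFAULTS = {"encr": "DES", "hash": "SHA-1", "group": "DH1", "lifetime": 86400}
WEAK = {"DES", "NULL", "MD5", "DH1"}


def parse_ios(config):
    """Collect ISAKMP policies, ESP transform sets and crypto-map entries."""
    policies, transform_sets, map_entries = [], {}, []
    current = None  # policy or map entry that owns the indented lines below it
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = dict(POLICY_DEFAULTS, priority=int(m.group(1)))
            policies.append(current)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", line):
            name, cipher, hmac = m.groups()
            transform_sets[name] = (ESP_CIPHERS[cipher], ESP_HASHES[hmac])
            current = None
        elif m := re.match(r"crypto (?:dynamic-)?map \S+ (\d+)", line):
            current = {"seq": int(m.group(1)), "transform_sets": [], "pfs": None, "lifetime": 3600}
            map_entries.append(current)
        elif current is None or not raw.startswith(" "):
            current = None  # any other top-level line ends the sub-mode
        else:
            words = line.split()
            if words[0] == "encr":
                current["encr"] = IKE_CIPHERS[words[1]]
            elif words[0] == "hash":
                current["hash"] = IKE_HASHES[words[1]]
            elif words[0] == "group":
                current["group"] = "DH" + words[1]
            elif words[0] == "lifetime":
                current["lifetime"] = int(words[1])
            elif words[:2] == ["set", "transform-set"]:
                current["transform_sets"] = words[2:]
            elif words[:2] == ["set", "pfs"]:
                current["pfs"] = "DH" + words[2].replace("group", "")
            elif words[:3] == ["set", "security-association", "lifetime"]:
                current["lifetime"] = int(words[-1])
    return {"policies": policies, "transform_sets": transform_sets, "map_entries": map_entries}


def check(modem, peer):
    """Return (ok, findings): can the modem's proposals be accepted by the peer?"""
    findings, ok = [], True
    # Phase 1: IKEv1 needs one ISAKMP policy whose cipher, hash and DH group all
    # equal the modem's proposal; lifetimes need not match (the shorter wins).
    want = (modem["IKE Encryption Algorithm"], modem["IKE Authentication Algorithm"], modem["IKE Key Group"])
    hits = [p["priority"] for p in peer["policies"] if (p["encr"], p["hash"], p["group"]) == want]
    ok &= bool(hits)
    findings.append(f"IKE: accepted by isakmp policy {hits[0]}" if hits else f"IKE: no isakmp policy offers {want}")
    # Phase 2: ESP cipher+HMAC must equal a transform set named by a crypto-map
    # entry, and the PFS group must equal that entry's when it sets one.
    want = (modem["IPSec Encryption Algorithm"], modem["IPSec Authentication Algorithm"])
    hits = [(e["seq"], n) for e in peer["map_entries"] for n in e["transform_sets"]
            if peer["transform_sets"].get(n) == want and e["pfs"] in (None, modem["IPSec Key Group"])]
    ok &= bool(hits)
    findings.append(f"IPSec: accepted by crypto map entry {hits[0][0]} ({hits[0][1]})" if hits
                    else f"IPSec: no crypto map entry offers {want} with PFS {modem['IPSec Key Group']}")
    # Reviewer flags: these do not stop the tunnel but should not ship.
    for name, value in modem.items():
        if value in WEAK:
            findings.append(f"WEAK: {name} = {value}")
        elif name.endswith("Life Time") and value == 0:
            findings.append(f"WEAK: {name} = 0 disables rekeying")
    if modem["Negotiation Mode"] == "aggressive":
        findings.append("WEAK: aggressive mode with a pre-shared key exposes a crackable PSK hash")
    return ok, findings


if __name__ == "__main__":
    result, notes = check(MODEM_DEFAULTS, parse_ios(IOS_CONFIG))
    print("OK" if result else "MISMATCH")
    for note in notes:
        print(" -", note)
```

Run it as-is and the sample policy 2 and crypto map entry 30 accept the assumed defaults; change "IKE Key Group" to "DH5" or the IPSec authentication algorithm to "MD5" and the corresponding phase is reported as unmatched, which is the failure mode the Set-Up text warns about. Only the exact (cipher, hash, group) triple counts in Phase 1: IKEv1 does not negotiate partial matches, so a modem default that differs from the gateway in any one field produces a tunnel that never comes up.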

To confirm a successful connection, the following tests can be run:

Connect a PC to the modem and attempt to ping the IP address 10.11.12.13. The tunnel might take some time to be established. However, once the tunnel is established you will receive responses to your ping. Once the ability to ping the private address has been established, please try opening a browser and pointing it to http://10.11.12.13.

Once these two tests pass, a baseline for the IPSec configuration in the modem has been established.

You can now begin to make the IPSec configuration changes to get the modem connecting to your own IPSec gateway.

Different scenario use cases and their configuration steps in AceManager, to establish the IPSec tunnel, are addressed in the following sections.

HTTP Server

A PC connected to a Sierra Wireless AirLink modem uses a web browser to view an HTTP server behind the IPsec gateway.

The configuration steps are:

1. In AceManager, click on the IPSec tab. Please refer to Figure 2-3.

2. Configure the IPSec Interface parameter as 1, to enable IPSec. Once IPSec is enabled, the factory default settings should be restored; Table 2-1 lists all the IPSec parameter default values. The required fields for IPSec to be established are:

a. IPSec Gateway
b. Pre-shared Key 1
c. IKE Encryption Algorithm
d. IKE Authentication Algorithm
e. IKE Key Group
f. IKE SA Life Time
g. Remote Address
h. IPSec Encryption Algorithm
i. IPSec Authentication Algorithm
j. IPSec Key Group
k. IPSec SA Life Time
l. Incoming Out of Band: set to 1 only if you want mobile termination (inbound access to the modem from outside the tunnel)
m. Outgoing Host Out of Band: to access the internet by bypassing the IPSec tunnel, you can set this parameter to 1.

Note: In Chapter 1, the Remote Access Scenarios section includes the Google web server scenario, where Outgoing Host Out of Band can be set to 1 to access the internet outside the IPSec tunnel.

3. Click on Write, in the top bar.

4. Click on Reset, to reset the modem.

5. Confirm that IPSec Status displays Connected.

Once the tunnel comes up, ping the web server. The web browser should then be able to reach the server. An example of a web browser screenshot, after the tunnel establishes, is provided.

Figure 2-4: Web Browser

Application Server

A Sierra Wireless AirLink modem sends AVL Application Server data through the tunnel to the Report Server that is behind the IPsec gateway.

The configuration steps are:

1. In AceManager, click on the PinPoint tab and ensure the values correspond to Figure 2-5.

Figure 2-5: PinPoint Configuration

2. Provide the Server IP Address on the right hand side pane.

3. Enter the Report Interval time.

4. Configure the IPSec Interface parameter as 1, to enable IPSec. Once IPSec is enabled, the factory default settings should be restored; Table 2-1 lists all the IPSec parameter default values. The required fields for IPSec to be established are the same as for the HTTP Server scenario: IPSec Gateway, Pre-shared Key 1, IKE Encryption Algorithm, IKE Authentication Algorithm, IKE Key Group, IKE SA Life Time, Remote Address, IPSec Encryption Algorithm, IPSec Authentication Algorithm, IPSec Key Group, IPSec SA Life Time, Incoming Out of Band (set to 1 only if you want mobile termination) and Outgoing Host Out of Band (set to 1 to access the internet outside the tunnel from the modem).

5. Click on Write.

6. Click on Reset, to reset the modem.

An AVL Application Server modem report notification image is provided as an example.

Figure 2-6: Application Server Tunnel

7. Once the tunnel comes up, check the AVL Application Server for the update.

An example of a log of the modem sending data through the tunnel is provided.

Figure 2-7: Log sending data

Network behind the modem

You can have multiple machines (for example, PC1 and PC2) behind the modem on the same LAN.

The configuration steps are:

1. In AceManager, click on the IPSec option.

2. Go to Local Address Type and set it to 2 (Host Private Subnet).

Figure 2-8: Host Private Subnet

3. Click on PPP/Ethernet. Set the modem to private mode.

Figure 2-9: PPP Ethernet configuration

4. Configure the IPSec Interface parameter as 1, to enable IPSec. Once IPSec is enabled, the factory default settings should be restored; Table 2-1 lists all the IPSec parameter default values. The required fields for IPSec to be established are the same as for the HTTP Server scenario: IPSec Gateway, Pre-shared Key 1, IKE Encryption Algorithm, IKE Authentication Algorithm, IKE Key Group, IKE SA Life Time, Remote Address, IPSec Encryption Algorithm, IPSec Authentication Algorithm, IPSec Key Group, IPSec SA Life Time, Incoming Out of Band (set to 1 only if you want mobile termination) and Outgoing Host Out of Band (set to 1 to access the internet outside the tunnel from the modem).

5. Make sure the static IP address of PC2 is on the same subnet as the modem's host private IP. PC1 picks up a dynamic IP address, and PC2 should be set to a static IP address.

6. Click on Reset, to reset the modem. The IPSec tunnel is set up.

Now you should be able to reach the server on the other side of the tunnel from PC1 and/or PC2. Both machines (PC1 and PC2) can be communicated with from the server through the IPSec tunnel. The modem should be reachable from the remote server as well.

A: Sample Configuration File

VPN Configuration file

Two examples, Static IP and Dynamic IP, are provided in the following sections, respectively.

Both are lab configurations captured from test routers and should not be copied into production as they stand. Note in particular: "no service password-encryption" together with "username ... password 0 ..." stores the login credentials in clear text in the running configuration; "transport input all" on the vty lines allows Telnet as well as SSH; the pre-shared key "test" for peer 70.2.190.17 is trivially guessable; the dynamic example enables the plain HTTP management server ("ip http server"); and the dynamic example's NAT statement references access-list 110, which is not defined in the excerpt shown, nor are its interfaces marked "ip nat inside" / "ip nat outside".

Static IP

Example IPSec Configuration for Cisco 1841 Router

1841_ppx2#show run
Building configuration...

Current configuration : 2202 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841_ppx2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
username progent privilege 15 password 0 progent
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp key 6 key4567890123477 address 166.213.198.10
crypto isakmp key test address 70.2.190.17
!
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map IPSEC 30 ipsec-isakmp
 set peer 166.213.198.10
 set security-association lifetime seconds 28000
 set transform-set 3DES-SHA
 set pfs group2
 match address 101
crypto map IPSEC 40 ipsec-isakmp
 set peer 70.2.190.17
 set security-association lifetime seconds 28000
 set transform-set 3DES-SHA
 set pfs group2
 match address 102
!
!
!
interface FastEthernet0/0
 ip address 64.163.70.102 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed 10
 crypto map IPSEC
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.163.70.1
ip route 192.168.3.0 255.255.255.0 70.2.190.17
ip route 192.168.13.0 255.255.255.0 166.213.198.10
!
no ip http server
no ip http secure-server
ip nat pool nat 64.163.70.102 64.163.70.102 netmask 255.255.255.252
ip nat inside source list 110 pool nat overload
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 166.213.198.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 192.168.13.100
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 host 166.213.198.10
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input all
!
end
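The access-lists in the static sample above do two jobs at once: lists 101 and 102 tell crypto map entries 30 and 40 which flows to encrypt, and the deny lines of list 110 exempt exactly those flows from NAT. That pairing matters because on IOS an inside-to-outside packet is translated before the crypto map is evaluated, so a flow that is interesting to a crypto ACL but not exempted from NAT is rewritten to the pool address, no longer matches, and leaves in the clear. The following is an added example, not Sierra Wireless or Cisco code, that models IOS wildcard-mask matching and that order of operations over a constructed copy of the three lists; the peer addresses, NAT pool and crypto map sequence numbers are taken from the sample, and the sample flows are constructed.

```python
"""Classify flows through the Static IP sample's crypto map and NAT lists.

Added example, not Sierra Wireless or Cisco code. It implements IOS
wildcard-mask matching for the 'access-list N permit|deny ip SRC DST' form
and applies the inside-to-outside order of operations: NAT (list 110) runs
before the crypto map is evaluated (lists 101 and 102), so a flow that is
interesting to a crypto map entry but not exempted from NAT is translated
first, no longer matches the crypto ACL, and leaves in the clear.
"""
import ipaddress
import re

# Constructed input: the access-lists of the Static IP sample (1841_ppx2).
ACLS = """\
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 166.213.198.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 192.168.13.100
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 host 166.213.198.10
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
"""

# From the same sample: crypto map IPSEC sequence -> (peer, match address),
# and the single-address pool used by 'ip nat inside source list 110'.
CRYPTO_MAP = {30: ("166.213.198.10", 101), 40: ("70.2.190.17", 102)}
NAT_LIST = 110
NAT_POOL = "64.163.70.102"


def _addr_spec(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A wildcard is the bitwise inverse of a netmask (0.0.0.255 -> /24); this
    # assumes a contiguous wildcard, which is all the sample uses.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acls(text):
    """Return {number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) ip (.+)$", line.strip())
        if not m:
            continue
        src, rest = _addr_spec(m.group(3).split())
        dst, _ = _addr_spec(rest)
        acls.setdefault(int(m.group(1)), []).append((m.group(2), src, dst))
    return acls


def acl_permits(entries, src, dst):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def classify(acls, src, dst):
    """Describe what the router does with an inside->outside flow src -> dst."""
    natted = acl_permits(acls[NAT_LIST], src, dst)
    wire_src = NAT_POOL if natted else src  # NAT has already run at this point
    for seq in sorted(CRYPTO_MAP):
        peer, acl = CRYPTO_MAP[seq]
        if acl_permits(acls[acl], wire_src, dst):
            return f"encrypted to {peer} (seq {seq})"
        if natted and acl_permits(acls[acl], src, dst):
            return f"sent in clear: seq {seq} would select it, but NAT rewrote {src} to {wire_src}"
    return f"clear via NAT as {wire_src}" if natted else "clear, untranslated"


if __name__ == "__main__":
    lists = parse_acls(ACLS)
    for flow in [("192.168.2.10", "192.168.3.7"), ("192.168.2.10", "192.168.13.100"),
                 ("192.168.2.10", "192.168.13.50"), ("192.168.2.10", "8.8.8.8")]:
        print(*flow, "->", classify(lists, *flow))
```

Two results are worth noticing when you run it against the sample. A flow to 192.168.13.50 is exempted from NAT by list 110 but is not selected by list 101 (which only names host 192.168.13.100), so it is forwarded along the static route with its private source address in the clear. And deleting the first deny line of list 110 reproduces the classic split-tunnel misconfiguration: traffic to 192.168.3.0/24 is NATed to 64.163.70.102, stops matching list 102, and leaves unencrypted even though crypto map entry 40 looks correct.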

Dynamic IP

1841b_dynamic#sh run
Building configuration...

Current configuration : 1479 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841b_dynamic
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
username sw privilege 15 password 0 sw
!
!
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp key 6 key4567890123477 address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map MODEM-DYN-MAP 1000
 set security-association lifetime seconds 28000
 set transform-set 3DES-SHA
 set pfs group2
 match address 101
!
!
crypto map IPSEC 65535 ipsec-isakmp dynamic MODEM-DYN-MAP
!
!
!
interface FastEthernet0/0
 ip address 64.163.70.104 255.255.255.0
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map IPSEC
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.163.70.1
!
ip http server
no ip http secure-server
ip nat pool nat 64.163.70.104 64.163.70.104 netmask 255.255.255.252
ip nat inside source list 110 pool nat overload
!
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip any 192.168.4.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

B: IPsec Architecture

Standards of the M2M IPSec Support

Sierra Wireless M2M IPSec supports the following standards:

• RFC 1829 The ESP DES-CBC Transform
• RFC 2401 Security Architecture for the Internet Protocol
• RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
• RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
• RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV
• RFC 2406 IP Encapsulating Security Payload (ESP)
• RFC 2410 The NULL Encryption Algorithm and Its Use With IPsec
• RFC 2451 The ESP CBC-Mode Cipher Algorithms
• RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec (future enhancement)

Note: RFC 2401 and RFC 2406 have since been obsoleted by RFC 4301 and RFC 4303, and single DES (RFC 1829, RFC 2405) is no longer considered adequate; use 3DES or AES wherever the gateway supports it.

Security Algorithms:

1. Internet Key Exchange (IKE)

a. Authentication for IKE Messages (Hashing Algorithms): MD5, SHA-1

b. Exchange Modes Supported in Phase 1 and Phase 2 of IKE: Main Mode, Aggressive Mode, Quick Mode, Informational Mode

c. Authentication Methods (used in Phase 1): Authentication using pre-shared keys; Authentication using RSA signatures

d. Oakley Groups, used during Phase 1 to calculate keys for the IKE Security Association: First Oakley Group (MODP 768); Second Oakley Group (MODP 1024); Fifth Oakley Group (MODP 1536); MODP 2048, MODP 3072, MODP 4096, MODP 6144 and MODP 8192 (available, but not currently supported)

2. IP Security (IPSec)

a. IPSec Protocols: Encapsulating Security Payload (ESP)

b. Operational Modes: Tunnel Mode

c. Cipher or Encryption Algorithms: DES, CAST-128, Blowfish, AES (future), NULL encryption algorithm

d. Usage Options. The modem can support unencrypted traffic, and one of the options below: No authentication or encryption; Authentication only; Encryption only; Authentication and Encryption

Reference Material

National Institute of Standards and Technology. Guide to IPsec VPNs (SP 800-77). Retrieved January 7, 2008, from http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf (IPsec white paper resource).

5 articles on IPsec by Cisco: http://www.ciscopress.com/authors/bio.asp?a=523e23133b154e8eb051c71d7fd6528d&rl=1

IPsec set-up on Linux (includes useful examples): http://lartc.org/howto/lartc.ipsec.html
