Application Note
IPsec VPN Between Robustel Routers
Document Name: Application Note
Version: v.1.0.0
Date: 2014-06-30
Status: Confidential
DocID: RT_AN008_R3000 S_IPsec VPN Between Robustel Routers
www.robustel.com
IPsec with between Robustel Routers for R3000
1
Contents
Chapter 1. Introduction ...................................................................................................................................... 2
1.1 Overview........................................................................................................................................... 2
1.2 Assumptions ..................................................................................................................................... 2
1.3 Rectifications .................................................................................................................................... 2
1.4 File Version ....................................................................................................................................... 3
Chapter 2. Application Topology ........................................................................................................................ 4
Chapter 3. Configuration .................................................................................................................................... 5
3.1 R3000 Configuration ......................................................................................................................... 5
3.1.1 Configure Link Management ............................................................................................................. 5
3.1.2 Configure Ethernet WAN .................................................................................................................. 6
3.1.3 Configure LAN IP address .................................................................................................................. 6
3.1.4 Configure IPsec VPN.......................................................................................................................... 7
3.2 R3000 Lite Configuration ................................................................................................................ 10
3.2.1 Configure Cellular WAN .................................................................................................................. 10
3.2.2 Configure LAN IP address ................................................................................................................ 11
3.2.3 Configure IPsec VPN........................................................................................................................ 12
Chapter 4. Testing............................................................................................................................................. 15
4.1 Current WAN Status ........................................................................................................................ 15
4.2 VPN Status and Communication ..................................................................................................... 15
4.3 Event/Log ........................................................................................................................................ 17
Chapter 5. Appendix ......................................................................................................................................... 21
5.1 Firmware Version ............................................................................................................................ 21
Chapter 1. Introduction
1.1 Overview
A VPN (Virtual Private Network) is a technology that establishes a private network tunnel over a public network. An IPsec VPN is a LAN-to-LAN or remote-access VPN built on the IPsec protocol suite, providing end-to-end encryption and authentication between the public and private networks.
This application note is written for customers who have a good understanding of Robustel products and experience with VPNs. It shows how to configure an IPsec VPN between two local area networks using Robustel GoRugged R3000 routers at both sides.
1.2 Assumptions
The IPsec VPN feature has been fully tested, and this Application Note was written by a technically competent engineer who is familiar with Robustel products and the application requirements.
This Application Note is based on:
Product Model: Robustel GoRugged R3000 industrial cellular VPN router.
Robustel GoRugged R3000 Lite industrial cellular VPN router.
Firmware Version: R3000_S_V1.01.01.fs.
R3000_L_V1.01.01.fs.
Configuration: This Application Note assumes the Robustel products are set to factory default. Most configuration steps are only shown if they differ from the factory default settings.
The R3000 works on a wired network (static public IP address) and the R3000 Lite connects to the cellular network (i.e. GPRS, EDGE, UMTS, HSDPA or HSUPA). An R3000 Lite connecting to a cellular network is usually allocated a dynamic private IP address; in this case the R3000 Lite needs to be assigned a public IP address by the ISP/carrier, because the IPsec initiator always needs to know where to connect, and the R3000/R3000 Lite only supports specifying the remote IPsec Gateway in the IPsec common part.
Both the IPsec initiator and the IPsec responder router must have a public IP address on their WAN interface. This address can be dynamic or static. If the R3000/R3000 Lite works with a dynamic public IP address, a dynamic DNS service must be used to map the dynamic public IP address to a static domain name.
1.3 Rectifications
Corrections and rectifications to this Application Note are appreciated; requests for new Application Notes can also be sent to the email address: [email protected] .
1.4 File Version
Updates between document versions are cumulative. Therefore, the latest document version contains all updates
made to previous versions.
Release Date | Firmware Version | Details
2014-06-11 | V1.01.01 | First Release
Chapter 2. Application Topology
1. The R3000 runs as the central router and has either a static public IP address or a dynamic public IP address with a domain name.
2. The R3000 Lite works on the cellular network with any kind of IP address that can access the Internet and reach the central R3000.
3. An IPsec VPN is established between the central R3000 and the R3000 Lite; the interesting traffic from the R3000 side (192.168.1.0/24) to the R3000 Lite side (192.168.0.0/24) is encrypted, and vice versa.
Chapter 3. Configuration
3.1 R3000 Configuration
3.1.1 Configure Link Management
1. Power on the R3000 and log in to the R3000's Web GUI page.
Note: Factory settings when logging in to the Web GUI
Item | Description
Username | admin
Password | admin
Eth0 | 192.168.0.1/255.255.255.0, LAN mode
Eth1 | 192.168.0.1/255.255.255.0, LAN mode
DHCP Server | Enabled
2. Browse to “Configuration” -> “Link Management”.
Click the drop-down box of “Primary Interface” and select “Eth0”.
Click “Apply”.
Item | Description | Setting
Primary Interface | Select “Cellular”, “Eth0” or “WiFi” as the primary connection interface. | Eth0
3.1.2 Configure Ethernet WAN
1. Browse to “Configuration” -> “Ethernet” -> “Eth0”.
Click “Add” to enter the APN (Access Point Name) and Dialup No. for each ISP.
Item | Description | Setting
IP Address, Netmask and Gateway | Set the IP address, netmask and gateway of Eth0. | Enter accordingly
MTU, Media Type | Set the MTU and media type of Eth0. | Enter accordingly
DNS server | Set the primary and secondary DNS server of Eth0. | Enter accordingly
Multiple IP Address | Assign multiple IP addresses to Eth0. | Enter accordingly
3.1.3 Configure LAN IP address
1. Browse to “Configuration” -> “Ethernet” -> “Eth1”.
Set the IP address and netmask of Eth1 accordingly.
Click “Apply”.
Note: Eth0 works in bridge mode with Eth1 by default. Eth0 and Eth1 share Eth1's IP address in bridge mode.
Item | Description | Setting
IP Address | Set the IP address of Eth1 | Enter accordingly
NetMask | Set the netmask of Eth1 | Enter accordingly
MTU | Set the MTU of Eth1 | 1500
Media Type | Set the media type of Eth1 | Auto-negotiation
3.1.4 Configure IPsec VPN
The following sections relate to the IPsec VPN parameters.
1. Browse to “Configuration” -> “IPsec” -> “IPsec Basic” and enable the NAT Traversal feature.
Tick the checkbox “Enable NAT Traversal”.
Enter the value for Keepalive Interval (s).
Click “Apply”.
Note: this item must be enabled when the router is behind NAT.
Item | Description | Setting
Enable NAT Traversal | Tick to enable NAT Traversal for IPsec. This item must be enabled when the router is behind NAT. | Enable
Keepalive Interval | The interval at which the router sends keepalive packets to the NAT box so that the NAT mapping is kept active. | 30
2. IPsec Common: browse to “Configuration” -> “IPsec” -> “IPsec Tunnel”.
Click “Add” to enter the IPsec Tunnel settings.
Set the IPsec Gateway address and the subnets accordingly.
Item | Description | Setting
IPsec Gateway Address | Enter the address of the remote-side IPsec VPN server. | Enter accordingly
IPsec Mode | Select from “Tunnel” and “Transport”. Tunnel: uses tunnel mode. Transport: uses transport mode. | Select accordingly
IPsec Protocol | Select the security protocol from “ESP” and “AH”. ESP: uses the ESP protocol. AH: uses the AH protocol. | Select accordingly
Local Subnet | Enter the IPsec local protected subnet's address. | Enter accordingly
Local Subnet Mask | Enter the IPsec local protected subnet's mask. | Enter accordingly
Local ID Type | Select from “IP Address”, “FQDN” and “User FQDN” for IKE negotiation. “Default” stands for “IP Address”. | Enter accordingly
Remote Subnet | Enter the IPsec remote protected subnet's address. | Enter accordingly
Remote Subnet Mask | Enter the IPsec remote protected subnet's mask. | Enter accordingly
Remote ID Type | Select from “IP Address”, “FQDN” and “User FQDN” for IKE negotiation. | Select accordingly
3. Enable Phase 1 – IKE configuration.
IKE (Internet Key Exchange) is the first phase in establishing a secure link between two peers. The following entries relate to the configuration of IKE on the R3000.
The encryption and authentication algorithms in phase 1 should be set to 3DES & MD5 to match the settings on the peer side. The IKE Diffie-Hellman group should be set to MODP1024_2, with a pre-shared key for authentication.
Item | Description | Setting
Negotiation Mode | Select from “Main” and “Aggressive” for the IKE negotiation mode in phase 1. | Select accordingly
Encryption Algorithm | Select from “DES”, “3DES”, “AES128”, “AES192” and “AES256” to be used in IKE negotiation. | Select accordingly
DH Group | Select from “MODP768_1”, “MODP1024_2” and “MODP1536_5” to be used in key negotiation phase 1. | Select accordingly
Authentication | Select from “PSK”, “CA”, “XAUTH Init PSK” and “XAUTH Init CA” to be used in IKE negotiation. | Select accordingly
Secrets | Enter the pre-shared key. | Enter accordingly
Life Time @ IKE Parameter | Set the lifetime in IKE negotiation. | 3600
4. Phase 2 – IPsec SA configuration.
This determines what traffic is routed to the remote network over the encrypted VPN tunnel.
The SA Algorithm should be set to 3DES_MD5_96 to match the settings on the peer side.
Item | Description | Setting
SA Algorithm | The encryption and authentication algorithm to use. | Select accordingly
PFS Group | Select from “PFS_NULL”, “MODP768_1”, “MODP1024_2” and “MODP1536_5”. | Select accordingly
Life Time @ SA Parameter | Set the IPsec SA lifetime. | 28800
DPD Time Interval | Set the interval after which DPD is triggered if no IPsec-protected packets are received from the peer. | 60
DPD Timeout | Set the timeout of DPD packets. | 180
5. Click “Apply” -> “Save” -> “Reboot”.
3.2 R3000 Lite Configuration
1. Install the antenna, insert the SIM card into the R3000 Lite, power on the R3000 Lite and log in to the R3000 Lite's Web GUI page.
Note: Factory settings when logging in to the Web GUI
Item | Description
Username | admin
Password | admin
Eth0 | 192.168.0.1/255.255.255.0
DHCP Server | Enabled
3.2.1 Configure Cellular WAN
1. Browse to “Configuration” -> “Cellular WAN” -> “ISP Profile”.
Click “Add” to enter the APN (Access Point Name) and Dialup No. for each ISP.
If required, enter the Username and Password in the appropriate fields.
Click “Apply”.
Note: Usually the APN, Username, Password and Dialup No. are provided by the ISP.
Item | Description | Setting
ISP | Enter the relevant ISP network name | Enter accordingly
APN | Enter the correct APN for the network | Enter accordingly
Username | Enter the correct username for the network | Enter accordingly
Password | Enter the correct password for the network | Enter accordingly
Dialup No. | Enter the correct dialup number for the network | Enter accordingly
2. Browse to “Configuration” -> “Cellular WAN” -> “Basic”.
In the “Cellular Settings” region, click the drop-down box “Network Provider Type” of the SIM card and select the correct “ISP” that you configured in “Configuration” -> “Cellular WAN” -> “ISP Profile”.
If required, enter the PIN number for the SIM in “PIN Type”.
In the “Connection Mode” region, click the drop-down box “Connection Mode” to select the connection mode accordingly. “Always Online” mode is selected in this Application Note.
Click “Apply”.
Item | Description | Setting
Network Provider Type | Select from “Auto”, “Custom” or the ISP name you preset in “Configuration” -> “Cellular WAN” -> “ISP Profile”. | Enter accordingly
Connection Mode | Select the connection mode used when the router dials up to get access to the Internet. | Always Online
3.2.2 Configure LAN IP address
1. Browse to “Configuration” -> “Ethernet” -> “Eth0”.
Set the IP address and netmask of Eth0 accordingly.
Click “Apply”.
Note: Eth0 works in bridge mode with Eth1 by default. Eth0 and Eth1 share Eth1's IP address in bridge mode.
Item | Description | Setting
IP Address | Set the IP address of Eth0 | Enter accordingly
NetMask | Set the netmask of Eth0 | Enter accordingly
MTU | Set the MTU of Eth0 | 1500
Media Type | Set the media type of Eth0 | Auto-negotiation
3.2.3 Configure IPsec VPN
The following sections relate to the IPsec VPN parameters.
1. Browse to “Configuration” -> “IPsec” -> “IPsec Basic” and enable the NAT Traversal feature.
Tick the checkbox “Enable NAT Traversal”.
Enter the value for Keepalive Interval (s).
Click “Apply”.
Note: this item must be enabled when the router is behind NAT.
Item | Description | Setting
Enable NAT Traversal | Tick to enable NAT Traversal for IPsec. This item must be enabled when the router is behind NAT. | Enable
Keepalive Interval | The interval at which the router sends keepalive packets to the NAT box so that the NAT mapping is kept active. | 30
2. IPsec Common: browse to “Configuration” -> “IPsec” -> “IPsec Tunnel”.
Click “Add” to enter the IPsec Tunnel settings.
Set the IPsec Gateway address and the subnets accordingly.
Item | Description | Setting
IPsec Gateway Address | Enter the address of the remote-side IPsec VPN server. | Enter accordingly
IPsec Mode | Select from “Tunnel” and “Transport”. Tunnel: uses tunnel mode. Transport: uses transport mode. | Select accordingly
IPsec Protocol | Select the security protocol from “ESP” and “AH”. ESP: uses the ESP protocol. AH: uses the AH protocol. | Select accordingly
Local Subnet | Enter the IPsec local protected subnet's address. | Enter accordingly
Local Subnet Mask | Enter the IPsec local protected subnet's mask. | Enter accordingly
Local ID Type | Select from “IP Address”, “FQDN” and “User FQDN” for IKE negotiation. “Default” stands for “IP Address”. | Enter accordingly
Remote Subnet | Enter the IPsec remote protected subnet's address. | Enter accordingly
Remote Subnet Mask | Enter the IPsec remote protected subnet's mask. | Enter accordingly
Remote ID Type | Select from “IP Address”, “FQDN” and “User FQDN” for IKE negotiation. | Select accordingly
3. Enable Phase 1 – IKE configuration.
IKE (Internet Key Exchange) is the first phase in establishing a secure link between two peers. The following entries relate to the configuration of IKE on the R3000 Lite.
The encryption and authentication algorithms in phase 1 should be set to 3DES & MD5 to match the settings on the peer side. The IKE Diffie-Hellman group should be set to MODP1024_2, with a pre-shared key for authentication.
Item | Description | Setting
Negotiation Mode | Select from “Main” and “Aggressive” for the IKE negotiation mode in phase 1. | Select accordingly
Encryption Algorithm | Select from “DES”, “3DES”, “AES128”, “AES192” and “AES256” to be used in IKE negotiation. | Select accordingly
DH Group | Select from “MODP768_1”, “MODP1024_2” and “MODP1536_5” to be used in key negotiation phase 1. | Select accordingly
Authentication | Select from “PSK”, “CA”, “XAUTH Init PSK” and “XAUTH Init CA” to be used in IKE negotiation. | Select accordingly
Secrets | Enter the pre-shared key. | Enter accordingly
Life Time @ IKE Parameter | Set the lifetime in IKE negotiation. | 3600
4. Phase 2 – IPsec SA configuration.
This determines what traffic is routed to the remote network over the encrypted VPN tunnel.
The SA Algorithm should be set to 3DES_MD5_96 to match the settings on the peer side.
Item | Description | Setting
SA Algorithm | The encryption and authentication algorithm to use. | Select accordingly
PFS Group | Select from “PFS_NULL”, “MODP768_1”, “MODP1024_2” and “MODP1536_5”. | Select accordingly
Life Time @ SA Parameter | Set the IPsec SA lifetime. | 28800
DPD Time Interval | Set the interval after which DPD is triggered if no IPsec-protected packets are received from the peer. | 60
DPD Timeout | Set the timeout of DPD packets. | 180
5. Click “Apply” -> “Save” -> “Reboot”.
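The settings entered in 3.1.4 and 3.2.3 only work as a pair: each router's Local Subnet is the other's Remote Subnet, each IPsec Gateway Address is the other's WAN address, and the phase 1 and phase 2 proposals must be identical on both sides. The Python script below is an added example, not Robustel software and not the R3000's configuration schema; it models both routers' tunnel entries as dictionaries (the key names are this example's own), checks that the pair mirrors correctly, and also lists the choices this note makes that a security reviewer would flag (3DES, MD5, MODP1024_2, PFS_NULL). The WAN addresses 202.96.1.102 and 77.211.24.126 are taken from the Event/Log in Chapter 4.3; the pre-shared key is a placeholder.

```python
import ipaddress

# Fields that must be identical on both peers for the IKE and IPsec proposals to match.
MUST_MATCH = ("ipsec_mode", "ipsec_protocol", "negotiation_mode", "encryption",
              "dh_group", "authentication", "secret", "sa_algorithm", "pfs_group")

# Constructed from the note's tables and topology; key names are this example's own.
R3000 = {
    "wan_ip": "202.96.1.102",        # central router, static public IP (from the Event/Log)
    "gateway": "77.211.24.126",      # IPsec Gateway Address = the R3000 Lite's WAN address
    "ipsec_mode": "Tunnel", "ipsec_protocol": "ESP",
    "local_subnet": "192.168.1.0", "local_mask": "255.255.255.0",
    "remote_subnet": "192.168.0.0", "remote_mask": "255.255.255.0",
    "negotiation_mode": "Main", "encryption": "3DES", "dh_group": "MODP1024_2",
    "authentication": "PSK", "secret": "PLACEHOLDER-psk-not-from-the-note",
    "ike_lifetime": 3600,
    "sa_algorithm": "3DES_MD5_96", "pfs_group": "PFS_NULL", "sa_lifetime": 28800,
    "dpd_interval": 60, "dpd_timeout": 180,
}
# The R3000 Lite mirrors the R3000: swapped addresses and swapped subnets, same proposals.
R3000_LITE = dict(R3000, wan_ip="77.211.24.126", gateway="202.96.1.102",
                  local_subnet="192.168.0.0", remote_subnet="192.168.1.0")


def subnet(addr, mask):
    """Combine the 'Subnet' and 'Subnet Mask' fields into one network object."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)


def review_peer(name, cfg):
    """Settings that negotiate fine but that a reviewer should flag on one router."""
    warnings = []
    if cfg["encryption"] in ("DES", "3DES"):
        warnings.append(("warn", f"{name}: phase 1 encryption {cfg['encryption']} is a legacy cipher; AES is offered"))
    if cfg["dh_group"] in ("MODP768_1", "MODP1024_2"):
        warnings.append(("warn", f"{name}: DH group {cfg['dh_group']} is below 2048 bits"))
    if any(tag in cfg["sa_algorithm"] for tag in ("DES", "MD5")):
        warnings.append(("warn", f"{name}: SA algorithm {cfg['sa_algorithm']} uses a legacy transform"))
    if cfg["pfs_group"] == "PFS_NULL":
        warnings.append(("warn", f"{name}: PFS disabled; IPsec keys derive from the IKE SA alone"))
    if cfg["negotiation_mode"].lower() == "aggressive" and cfg["authentication"] == "PSK":
        warnings.append(("warn", f"{name}: aggressive mode with PSK sends the identity hash in the clear"))
    return warnings


def check_tunnel(a_name, a, b_name, b):
    """Return (severity, message) findings; 'error' means the tunnel will not come up as configured."""
    findings = []
    for key in MUST_MATCH:
        if a[key] != b[key]:
            # Never echo the pre-shared key into a report.
            shown = "(values withheld)" if key == "secret" else f"{a[key]!r} vs {b[key]!r}"
            findings.append(("error", f"{key} differs between {a_name} and {b_name}: {shown}"))
    a_local, a_remote = subnet(a["local_subnet"], a["local_mask"]), subnet(a["remote_subnet"], a["remote_mask"])
    b_local, b_remote = subnet(b["local_subnet"], b["local_mask"]), subnet(b["remote_subnet"], b["remote_mask"])
    # Traffic selectors must mirror: my local is your remote, and vice versa.
    if a_local != b_remote:
        findings.append(("error", f"{a_name} local {a_local} is not {b_name} remote {b_remote}"))
    if a_remote != b_local:
        findings.append(("error", f"{a_name} remote {a_remote} is not {b_name} local {b_local}"))
    if a_local.overlaps(b_local):
        findings.append(("error", f"LAN subnets {a_local} and {b_local} overlap; routing is ambiguous"))
    # Each side's IPsec Gateway Address must be the other side's WAN address.
    if a["gateway"] != b["wan_ip"]:
        findings.append(("error", f"{a_name} gateway {a['gateway']} is not {b_name} WAN {b['wan_ip']}"))
    if b["gateway"] != a["wan_ip"]:
        findings.append(("error", f"{b_name} gateway {b['gateway']} is not {a_name} WAN {a['wan_ip']}"))
    findings += review_peer(a_name, a) + review_peer(b_name, b)
    return findings


if __name__ == "__main__":
    for severity, message in check_tunnel("R3000", R3000, "R3000 Lite", R3000_LITE):
        print(f"[{severity}] {message}")
```

Run as written, the pair from this note produces no errors and eight warnings (four per router); changing one router's Local Subnet or Secrets produces a single error, which is the quickest way to localise a tunnel that stays in Main Mode without ever reaching Quick Mode.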
Chapter 4. Testing
4.1 Current WAN Status
1. Browse to “Status” -> “System” -> “Current WAN Link”.
Check that the R3000 has a static public IP address.
2. Browse to “Status” -> “System” -> “Current WAN Link” and “Cellular Information”.
Check that the R3000 Lite has dialed up, obtained an IP address and has access to the Internet.
4.2 VPN Status and Communication
1. Browse to “Status” -> “VPN” and “IPsec”.
Check that the R3000 has established the IPsec VPN with the R3000 Lite.
2. Browse to “Status” -> “VPN” and “IPsec”.
Check that the R3000 Lite has established the IPsec VPN with the R3000.
Test on the R3000: browse to “Administration” -> “Tools” and “Ping”.
Ping from 192.168.0.11 to 192.168.1.11 and get an ICMP reply from the R3000 Lite. LAN-to-LAN communication is working correctly.
Test on the R3000 Lite: browse to “Administration” -> “Tools” and “Ping”.
Ping from 192.168.0.11 to 192.168.1.11 and get an ICMP reply from the R3000. LAN-to-LAN communication is working correctly.
4.3 Event/Log
The Event/Log shows the running processes and status of the R3000.
Note: You can usually check the Event/Log file in “Status” -> “Event/Log”.
……
14-06-12 21:32:11 <0> router: system service starting...
14-06-12 21:32:15 <3> ipsec: WARNING: 1DES is enabled
14-06-12 21:32:15 <3> ipsec: LEAK_DETECTIVE support [enabled]
14-06-12 21:32:15 <3> ipsec: OCF support for IKE [disabled]
14-06-12 21:32:15 <3> ipsec: SAref support [disabled]: Protocol not available
14-06-12 21:32:15 <3> ipsec: SAbind support [disabled]: Protocol not available
14-06-12 21:32:15 <3> ipsec: NSS support [disabled]
14-06-12 21:32:15 <3> ipsec: HAVE_STATSD notification support not compiled in
14-06-12 21:32:15 <3> ipsec: Setting NAT-Traversal port-4500 floating to on
14-06-12 21:32:15 <3> ipsec: port floating activation criteria nat_t=1/port_float=1
14-06-12 21:32:15 <3> ipsec: NAT-Traversal support [enabled]
14-06-12 21:32:15 <3> ipsec: using /dev/urandom as source of random entropy
14-06-12 21:32:15 <3> ipsec: starting up 1 cryptographic helpers
14-06-12 21:32:15 <3> ipsec: started helper pid=601 (fd:3)
14-06-12 21:32:15 <3> ipsec: Using Linux 2.6 IPsec interface code on 2.6.39 (experimental code)
14-06-12 21:32:15 <3> ipsec: using /dev/urandom as source of random entropy
14-06-12 21:32:16 <3> ipsec: added connection description "IPsec_Tunnel_1"
14-06-12 21:32:16 <3> ipsec: listening for IKE messages
14-06-12 21:32:16 <3> ipsec: adding interface eth0/eth0 202.96.1.102:500
14-06-12 21:32:16 <3> ipsec: adding interface eth0/eth0 202.96.1.102:4500
14-06-12 21:32:16 <3> ipsec: loading secrets from "/etc/ipsec.secrets"
14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [Dead Peer Detection]
14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [RFC 3947] method set to=115
14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
14-06-12 21:32:21 <3> ipsec: "IPsec_Tunnel_1" #1: responding to Main Mode
14-06-12 21:32:21 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
14-06-12 21:32:21 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_R1: sent MR1, expecting MI2
14-06-12 21:32:22 <3> ipsec: "IPsec_Tunnel_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
14-06-12 21:32:23 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
14-06-12 21:32:23 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_R2: sent MR2, expecting MI3
14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: Main mode peer ID is ID_IPV4_ADDR: '77.211.24.126'
14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: Dead Peer Detection (RFC 3706): enabled
14-06-12 21:32:26 <3> ipsec: "IPsec_Tunnel_1" #1: the peer proposed: 192.168.1.0/24:0/0 -> 192.168.0.0/24:0/0
14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #2: responding to Quick Mode proposal {msgid:6e079759}
14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #2: us: 192.168.1.0/24===202.96.1.102<202.96.1.102>---202.96.1.100
14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #2: them: 77.211.24.126<77.211.24.126>===192.168.0.0/24
14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1 msgid:cdbde09c proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
14-06-12 21:32:30 <3> ipsec: "IPsec_Tunnel_1" #2: 1 IPSec connections are currently being managed
14-06-12 21:32:30 <3> ipsec: "IPsec_Tunnel_1" #2: Dead Peer Detection (RFC 3706): enabled
14-06-12 21:32:30 <3> ipsec: "IPsec_Tunnel_1" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
14-06-12 21:32:30 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x17a1c8b3 <0x9e3940c9 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
14-06-12 21:32:31 <3> ipsec: "IPsec_Tunnel_1" #3: Dead Peer Detection (RFC 3706): enabled
14-06-12 21:32:31 <3> ipsec: "IPsec_Tunnel_1" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
14-06-12 21:32:31 <3> ipsec: "IPsec_Tunnel_1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x259c9d6d <0xe4087afd xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
……
The Event/Log shows the running processes and status of the R3000 Lite.
Note: You can usually check the Event/Log file in “Status” -> “Event/Log”.
……
14-06-12 21:28:04 <0> router: system service starting...
14-06-12 21:28:08 <3> ipsec: WARNING: 1DES is enabled
14-06-12 21:28:08 <3> ipsec: LEAK_DETECTIVE support [enabled]
14-06-12 21:28:08 <3> ipsec: OCF support for IKE [disabled]
14-06-12 21:28:08 <3> ipsec: SAref support [disabled]: Protocol not available
14-06-12 21:28:08 <3> ipsec: SAbind support [disabled]: Protocol not available
14-06-12 21:28:08 <3> ipsec: NSS support [disabled]
14-06-12 21:28:08 <3> ipsec: HAVE_STATSD notification support not compiled in
14-06-12 21:28:08 <3> ipsec: Setting NAT-Traversal port-4500 floating to on
14-06-12 21:28:08 <3> ipsec: port floating activation criteria nat_t=1/port_float=1
14-06-12 21:28:08 <3> ipsec: NAT-Traversal support [enabled]
14-06-12 21:28:08 <3> ipsec: using /dev/urandom as source of random entropy
14-06-12 21:28:08 <3> ipsec: starting up 1 cryptographic helpers
14-06-12 21:28:08 <3> ipsec: started helper pid=600 (fd:3)
14-06-12 21:28:08 <3> ipsec: Using Linux 2.6 IPsec interface code on 2.6.39 (experimental code)
14-06-12 21:28:08 <3> ipsec: using /dev/urandom as source of random entropy
14-06-12 21:28:09 <3> ipsec: added connection description "IPsec_Tunnel_1"
14-06-12 21:28:09 <3> ipsec: listening for IKE messages
14-06-12 21:28:09 <3> ipsec: adding interface eth2/eth2 77.211.24.126:500
14-06-12 21:28:09 <3> ipsec: adding interface eth2/eth2 77.211.24.126:4500
14-06-12 21:28:09 <3> ipsec: loading secrets from "/etc/ipsec.secrets"
14-06-12 21:28:19 <3> ipsec: "IPsec_Tunnel_1" #1: initiating Main Mode
14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [Openswan (this version) 2.6.38 ]
14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [Dead Peer Detection]
14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [RFC 3947] method set to=115
14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
14-06-12 21:28:23 <3> ipsec: "IPsec_Tunnel_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
14-06-12 21:28:23 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
14-06-12 21:28:23 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
14-06-12 21:28:24 <3> ipsec: "IPsec_Tunnel_1" #1: Main mode peer ID is ID_IPV4_ADDR: '202.96.1.102'
14-06-12 21:28:24 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
14-06-12 21:28:24 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
14-06-12 21:28:24 <3> ipsec: "IPsec_Tunnel_1" #1: Dead Peer Detection (RFC 3706): enabled
14-06-12 21:28:24 <3> ipsec: "IPsec_Tunnel_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1 msgid:c106dc2c proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
14-06-12 21:28:28 <3> ipsec: "IPsec_Tunnel_1" #2: 1 IPSec connections are currently being managed
14-06-12 21:28:28 <3> ipsec: "IPsec_Tunnel_1" #2: Dead Peer Detection (RFC 3706): enabled
14-06-12 21:28:28 <3> ipsec: "IPsec_Tunnel_1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
14-06-12 21:28:28 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb8edb626 <0x8980ac45 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
14-06-12 21:28:37 <3> router: modem monitor failed 1/3 to test AT command ATE0
……
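The two Event/Logs above record everything that was actually negotiated, not just what was configured: the role of each router (responding to versus initiating Main Mode), the peer identity accepted in phase 1, the ISAKMP SA line with its auth/cipher/prf/group, the traffic selectors the peer proposed, and each IPsec SA with its SPIs and transform. The Python script below is an added example, not Robustel's code; it parses an excerpt of the R3000 log above (embedded as constructed sample input, with wrapped lines rejoined) into a summary that can be compared against the intended configuration, and flags the legacy algorithms this note uses (3DES, MD5, modp1024) together with the daemon's own "1DES is enabled" startup warning. The summary's field names are this example's own.

```python
import re

# One Event/Log line: "YY-MM-DD HH:MM:SS <level> process: message"
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"<(?P<level>\d)> (?P<proc>[\w-]+): (?P<msg>.*)$")
# Messages tied to a connection and its state object: '"name" #n: text'
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
ISAKMP_RE = re.compile(
    r"ISAKMP SA established \{auth=(?P<auth>\S+) cipher=(?P<cipher>\S+) "
    r"prf=(?P<prf>\S+) group=(?P<group>\S+)\}")
IPSEC_RE = re.compile(
    r"IPsec SA established tunnel mode \{ESP=>(?P<spi_out>0x[0-9a-f]+) "
    r"<(?P<spi_in>0x[0-9a-f]+) xfrm=(?P<xfrm>\S+) NATOA=(?P<natoa>\S+) "
    r"NATD=(?P<natd>\S+) DPD=(?P<dpd>\S+)\}")
PEER_RE = re.compile(r"Main mode peer ID is (?P<idtype>\S+): '(?P<peer>[^']+)'")
PROPOSED_RE = re.compile(r"the peer proposed: (?P<left>[\d./]+):0/0 -> (?P<right>[\d./]+):0/0")

# Substrings of algorithm names that identify a legacy choice.
LEGACY_TOKENS = ("des", "md5", "modp768", "modp1024")

# Constructed sample input: an excerpt of the R3000 (responder) log above.
SAMPLE_LOG = """\
14-06-12 21:32:11 <0> router: system service starting...
14-06-12 21:32:15 <3> ipsec: WARNING: 1DES is enabled
14-06-12 21:32:15 <3> ipsec: NAT-Traversal support [enabled]
14-06-12 21:32:16 <3> ipsec: added connection description "IPsec_Tunnel_1"
14-06-12 21:32:21 <3> ipsec: "IPsec_Tunnel_1" #1: responding to Main Mode
14-06-12 21:32:22 <3> ipsec: "IPsec_Tunnel_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: Main mode peer ID is ID_IPV4_ADDR: '77.211.24.126'
14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
14-06-12 21:32:26 <3> ipsec: "IPsec_Tunnel_1" #1: the peer proposed: 192.168.1.0/24:0/0 -> 192.168.0.0/24:0/0
14-06-12 21:32:30 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x17a1c8b3 <0x9e3940c9 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
14-06-12 21:32:31 <3> ipsec: "IPsec_Tunnel_1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x259c9d6d <0xe4087afd xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
"""


def summarize(log_text):
    """Reduce an Event/Log excerpt to the facts worth checking once a tunnel is up."""
    summary = {"role": None, "peer": None, "nat_detected": None, "selectors": None,
               "isakmp": [], "ipsec": [], "warnings": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["proc"] != "ipsec":
            continue
        msg = m["msg"]
        if "1DES is enabled" in msg:
            summary["warnings"].append("daemon still accepts single DES (startup warning)")
        c = CONN_RE.match(msg)
        if not c:
            continue
        sa_no, text = int(c["sa"]), c["text"]
        if text.startswith("responding to Main Mode"):
            summary["role"] = "responder"
        elif text.startswith("initiating Main Mode"):
            summary["role"] = "initiator"
        if "NAT-Traversal: Result" in text:
            # Assumption: any result other than "no NAT detected" means a NAT was found.
            summary["nat_detected"] = "no NAT detected" not in text
        if p := PEER_RE.search(text):
            summary["peer"] = p["peer"]
        if p := PROPOSED_RE.search(text):
            summary["selectors"] = (p["left"], p["right"])
        if s := ISAKMP_RE.search(text):
            sa = {"sa": sa_no, **s.groupdict()}
            summary["isakmp"].append(sa)
            for field in ("cipher", "prf", "group"):
                if any(t in sa[field].lower() for t in LEGACY_TOKENS):
                    summary["warnings"].append(f"IKE SA #{sa_no}: {field}={sa[field]} is a legacy algorithm")
        if s := IPSEC_RE.search(text):
            sa = {"sa": sa_no, **s.groupdict()}
            summary["ipsec"].append(sa)
            if any(t in sa["xfrm"].lower() for t in LEGACY_TOKENS):
                summary["warnings"].append(f"IPsec SA #{sa_no}: xfrm={sa['xfrm']} is a legacy transform")
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on a router, replace SAMPLE_LOG with the text copied from “Status” -> “Event/Log”. The peer identity and selectors in the summary are what to compare against the IPsec Tunnel page of the other router: a wrong peer ID or a selector pair that is not the mirror of the local configuration explains a tunnel that reaches STATE_MAIN_R3 but never installs an IPsec SA.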
Chapter 5. Appendix
5.1 Firmware Version
The configuration above was tested on R3000 with firmware version R3000_S_V1.01.01.fs.
The configuration above was tested on R3000 Lite with firmware version R3000_L_V1.01.01.fs.