IPsec VPN Between Robustel Routers - M2M Nordic ApS

Application Note

IPsec VPN Between Robustel Routers

Document Name: Application Note

Version: v.1.0.0

Date: 2014-06-30

Status: Confidential

DocID: RT_AN008_R3000 S_IPsec VPN Between Robustel Routers

www.robustel.com

IPsec VPN between Robustel Routers for R3000

Contents

Chapter 1. Introduction
1.1 Overview
1.2 Assumptions
1.3 Rectifications
1.4 File Version
Chapter 2. Application Topology
Chapter 3. Configuration
3.1 R3000 Configuration
3.1.1 Configure Link Management
3.1.2 Configure Ethernet WAN
3.1.3 Configure LAN IP address
3.1.4 Configure IPsec VPN
3.2 R3000 Lite Configuration
3.2.1 Configure Cellular WAN
3.2.2 Configure LAN IP address
3.2.3 Configure IPsec VPN
Chapter 4. Testing
4.1 Current WAN Status
4.2 VPN Status and Communication
4.3 Event/Log
Chapter 5. Appendix
5.1 Firmware Version


Chapter 1. Introduction

1.1 Overview

A VPN (Virtual Private Network) establishes a private network tunnel over a public network. An IPsec VPN is a LAN-to-LAN or remote-access VPN built on the IPsec protocol suite, which provides end-to-end encryption and authentication for traffic crossing the public network between the two private networks.

This application note is written for customers who have a good understanding of Robustel products and experience with VPNs. It shows how to configure an IPsec VPN between two local area networks using Robustel GoRugged R3000-series routers at both sides.

1.2 Assumptions

The IPsec VPN feature has been fully tested, and this Application Note is written by a technically competent engineer who is familiar with Robustel products and the application requirements.

This Application Note is based on:

Product Model: Robustel GoRugged R3000 industrial cellular VPN router.

Robustel GoRugged R3000 Lite industrial cellular VPN router.

Firmware Version: R3000_S_V1.01.01.fs.

R3000_L_V1.01.01.fs.

Configuration: This Application Note assumes the Robustel products are set to factory defaults, including the Web GUI login admin/admin, which should be changed after the first login on both routers. Most configuration steps are only shown if they differ from the factory default settings.

The R3000 works on a wired network with a static public IP address, while the R3000 Lite connects to the cellular network (GPRS, EDGE, UMTS, HSDPA or HSUPA). A router on a cellular network is usually allocated a dynamic private IP address; in that case the R3000 Lite must be assigned a public IP address by the carrier, because the IPsec initiator always needs to know where to connect, and the R3000/R3000 Lite firmware only supports specifying the remote IPsec gateway explicitly in the IPsec Tunnel (common) settings.

Both the IPsec initiator and the IPsec responder must therefore have a public IP address on their WAN interfaces. The address can be static or dynamic; if an R3000/R3000 Lite works with a dynamic public IP address, a dynamic DNS service must be used to map the changing address to a fixed domain name, which is then entered as the remote IPsec gateway on the peer.

1.3 Rectifications

Corrections and rectifications to this Application Note are appreciated. Requests for new Application Notes may also be sent to the email address [email protected] .


1.4 File Version

Updates between document versions are cumulative. Therefore, the latest document version contains all updates

made to previous versions.

Release Date | Firmware Version | Details
2014-06-11 | V1.01.01 | First Release


Chapter 2. Application Topology

1. The R3000 runs as the central router. It has a static public IP address, or a dynamic public IP address with a domain name.

2. The R3000 Lite works on the cellular network with a public IP address (static, or dynamic with a domain name, as described in section 1.2) from which it can reach the Internet and communicate with the central R3000.

3. The IPsec VPN is established between the central R3000 and the R3000 Lite. Interesting traffic from the R3000 side (192.168.1.0/24) to the R3000 Lite side (192.168.0.0/24) is encrypted, and vice versa.


Chapter 3. Configuration

3.1 R3000 Configuration

3.1.1 Configure Link Management

1. Power on the R3000 and log in to the R3000’s Web GUI.

Note: factory settings for the Web GUI login and the Ethernet ports

Item | Description
Username | admin
Password | admin
Eth0 | 192.168.0.1/255.255.255.0, LAN mode
Eth1 | 192.168.0.1/255.255.255.0, LAN mode
DHCP Server | Enabled

2. Browse to “Configuration”-> “Link Management”.

Click the drop-down box of “Primary Interface” and select “Eth0”.

Click “Apply”.

Item | Description | Setting
Primary Interface | Select “Cellular”, “Eth0” or “WiFi” as the primary connection interface. | Eth0


3.1.2 Configure Ethernet WAN

1. Browse to “Configuration” -> “Ethernet” -> “Eth0”.

Enter the static public IP address, netmask, gateway and DNS servers provided by the ISP for the Eth0 WAN connection, then click “Apply”.

Item | Description | Setting
IP Address, Netmask and Gateway | Set the IP address, netmask and gateway of Eth0. | Enter accordingly
MTU, Media Type | Set the MTU and media type of Eth0. | Enter accordingly
DNS server | Set the primary and secondary DNS servers of Eth0. | Enter accordingly
Multiple IP Address | Assign multiple IP addresses to Eth0. | Enter accordingly

3.1.3 Configure LAN IP address

1. Browse to “Configuration”-> “Ethernet”-> “Eth1”.


Set the IP address and netmask of Eth1 accordingly (an address in 192.168.1.0/24 for the topology in Chapter 2).

Click “Apply”.

Note: with factory default settings Eth0 is bridged with Eth1 and the two ports share Eth1’s IP address. Once Eth0 has been selected as the primary (WAN) interface in section 3.1.1, Eth1 carries the LAN address on its own.

Item | Description | Setting
IP Address | Set the IP address of Eth1. | Enter accordingly
NetMask | Set the netmask of Eth1. | Enter accordingly
MTU | Set the MTU of Eth1. | 1500
Media Type | Set the media type of Eth1. | Auto-negotiation

3.1.4 Configure IPsec VPN

The following sections cover the IPsec VPN parameters.

1. Browse to “Configuration” -> “IPsec” -> “IPsec Basic” and enable the NAT Traversal feature.

Tick the “Enable NAT Traversal” checkbox.

Enter the Keepalive Interval in seconds.

Click “Apply”.

Note: NAT Traversal must be enabled when the router sits behind NAT. The keepalives keep the NAT device’s UDP 4500 mapping alive between IKE exchanges; whether NAT is actually present is detected during the negotiation (the Event/Log in section 4.3 reports “no NAT detected” for the tested setup).

Item | Description | Setting
Enable NAT Traversal | Tick to enable NAT Traversal for IPsec. This item must be enabled when the router is behind NAT. | Enable
Keepalive Interval | The interval, in seconds, at which the router sends keepalive packets to the NAT device so that it does not drop the active NAT mapping. | 30


2. IPsec Common: browse to “Configuration” -> “IPsec” -> “IPsec Tunnel”.

Click “Add” to enter the IPsec Tunnel settings.

Set the IPsec Gateway address and the subnets accordingly: for the topology in Chapter 2 the R3000’s Local Subnet is 192.168.1.0/24 and its Remote Subnet is 192.168.0.0/24. The local and remote subnets must be the mirror image of the peer’s settings, otherwise Quick Mode cannot agree on the traffic selectors and no IPsec SA is established.

Item | Description | Setting
IPsec Gateway Address | Enter the address (or domain name) of the remote IPsec VPN gateway. | Enter accordingly
IPsec Mode | Select “Tunnel” or “Transport”. Tunnel mode protects whole IP packets between the two gateways and is what a LAN-to-LAN VPN needs; Transport mode protects only the payload between the two endpoints themselves. | Select accordingly (Tunnel in this note)
IPsec Protocol | Select “ESP” or “AH”. ESP provides encryption and authentication; AH provides authentication only, with no confidentiality. | Select accordingly (ESP in this note)
Local Subnet | Enter the address of the local protected subnet. | Enter accordingly
Local Subnet Mask | Enter the mask of the local protected subnet. | Enter accordingly
Local ID Type | Select “IP Address”, “FQDN” or “User FQDN” as the local identity for IKE negotiation. “Default” stands for “IP Address”. | Select accordingly
Remote Subnet | Enter the address of the remote protected subnet. | Enter accordingly
Remote Subnet Mask | Enter the mask of the remote protected subnet. | Enter accordingly
Remote ID Type | Select “IP Address”, “FQDN” or “User FQDN” as the expected remote identity for IKE negotiation. | Select accordingly

3. Phase 1 – IKE configuration.

IKE (Internet Key Exchange) is the first phase in establishing a secure link between two peers: it authenticates them and sets up the ISAKMP SA that protects the Phase 2 negotiation. The following entries relate to the configuration of IKE on the R3000.

In this note the Phase 1 encryption and authentication are set to 3DES and MD5, the IKE Diffie-Hellman group to MODP1024_2, and a pre-shared key is used for authentication; whatever is chosen must match the peer exactly. 3DES, MD5 and the 1024-bit MODP group are legacy choices kept here for interoperability. Where both routers offer them, prefer AES (AES128/AES192/AES256 are listed below) and the largest DH group available (MODP1536_5), and keep Main mode rather than aggressive mode: aggressive mode with a pre-shared key sends the identity and the PSK-derived hash unencrypted, where they can be captured for offline guessing of the PSK.

Item | Description | Setting
Negotiation Mode | Select “Main” or “aggressive” as the IKE negotiation mode in Phase 1. | Select accordingly (Main in this note)
Encryption Algorithm | Select “DES”, “3DES”, “AES128”, “AES192” or “AES256” to be used in IKE negotiation. | Select accordingly
DH Group | Select “MODP768_1”, “MODP1024_2” or “MODP1536_5” as the key-negotiation group for Phase 1. | Select accordingly
Authentication | Select “PSK”, “CA”, “XAUTH Init PSK” or “XAUTH Init CA” to be used in IKE negotiation. | Select accordingly
Secrets | Enter the pre-shared key. Use a long random value; with PSK authentication it is the only secret protecting the tunnel. | Enter accordingly
Life Time @ IKE Parameter | Set the lifetime of the IKE SA, in seconds. | 3600

4. Phase 2 – IPsec SA configuration.

This determines how the traffic routed to the remote network is protected inside the VPN tunnel.

In this note the SA Algorithm is set to 3DES_MD5_96 to match the peer. As for Phase 1, prefer an AES-based SA algorithm if the firmware on both routers offers one. Set the PFS Group to a DH group rather than PFS_NULL where possible: with PFS_NULL (logged as “pfsgroup=no-pfs” in section 4.3) the Phase 2 keys are derived from the Phase 1 secret alone, so a compromise of that secret exposes all of the tunnel’s traffic. The PFS Group must be identical on both routers, otherwise Quick Mode fails.

Item | Description | Setting
SA Algorithm | The encryption and authentication algorithms to use for the IPsec SA. | Select accordingly
PFS Group | Select “PFS_NULL”, “MODP768_1”, “MODP1024_2” or “MODP1536_5”. | Select accordingly
Life Time @ SA Parameter | Set the IPsec SA lifetime, in seconds. | 28800
DPD Time Interval | Set the interval, in seconds, after which DPD is triggered if no IPsec-protected packets have been received from the peer. | 60
DPD Timeout | Set the timeout, in seconds, after which the peer is declared dead if DPD messages go unanswered. | 180


5. Click “Apply”->”Save”->”Reboot”.

3.2 R3000 Lite Configuration

1. Install the antenna, insert the SIM card into the R3000 Lite, power it on and log in to the R3000 Lite’s Web GUI.

Note: factory settings for the Web GUI login and the Ethernet port

Item | Description
Username | admin
Password | admin
Eth0 | 192.168.0.1/255.255.255.0
DHCP Server | Enabled

3.2.1 Configure Cellular WAN

1. Browse to “Configuration” -> “Cellular WAN” -> “ISP Profile”.

Click “Add” and enter the APN (Access Point Name) and Dialup No. for each ISP.

If required, enter the Username and Password in the appropriate fields.

Click “Apply”.

Note: the APN, Username, Password and Dialup No. are normally provided by the ISP.

Item | Description | Setting
ISP | Enter the name of the ISP network. | Enter accordingly
APN | Enter the correct APN for the network. | Enter accordingly
Username | Enter the correct username for the network. | Enter accordingly
Password | Enter the correct password for the network. | Enter accordingly
Dialup No. | Enter the correct dialup number for the network. | Enter accordingly

2. Browse to “Configuration” -> “Cellular WAN” -> “Basic”.

In the “Cellular Settings” region, open the “Network Provider Type” drop-down box for the SIM card and select the ISP that you configured under “Configuration” -> “Cellular WAN” -> “ISP Profile”.

If required, enter the PIN for the SIM under “PIN Type”.

In the “Connection Mode” region, open the “Connection Mode” drop-down box and select the connection mode. “Always Online” is used in this Application Note.

Click “Apply”.

Item | Description | Setting
Network Provider Type | Select “Auto”, “Custom” or the ISP name you preset under “Configuration” -> “Cellular WAN” -> “ISP Profile”. | Enter accordingly
Connection Mode | Select the connection mode used when the R3000 Lite dials up to access the Internet. | Always Online

3.2.2 Configure LAN IP address

1. Browse to “Configuration” -> “Ethernet” -> “Eth0”.

Set the IP address and netmask of Eth0 accordingly (an address in 192.168.0.0/24 for the topology in Chapter 2).

Click “Apply”.

Note: the factory-settings table above lists a single Ethernet port (Eth0) on the R3000 Lite, so no bridge setting is involved here: Eth0 is the LAN interface and the cellular connection is the WAN interface (it appears as eth2 in the Event/Log of section 4.3).

Item | Description | Setting
IP Address | Set the IP address of Eth0. | Enter accordingly
NetMask | Set the netmask of Eth0. | Enter accordingly
MTU | Set the MTU of Eth0. | 1500
Media Type | Set the media type of Eth0. | Auto-negotiation

3.2.3 Configure IPsec VPN

The following sections cover the IPsec VPN parameters on the R3000 Lite; they mirror the R3000 settings of section 3.1.4.

1. Browse to “Configuration” -> “IPsec” -> “IPsec Basic” and enable the NAT Traversal feature.

Tick the “Enable NAT Traversal” checkbox.

Enter the Keepalive Interval in seconds.

Click “Apply”.

Note: NAT Traversal must be enabled when the router sits behind NAT, which is the usual case for a cellular connection.

Item | Description | Setting
Enable NAT Traversal | Tick to enable NAT Traversal for IPsec. This item must be enabled when the router is behind NAT. | Enable
Keepalive Interval | The interval, in seconds, at which the router sends keepalive packets to the NAT device so that it does not drop the active NAT mapping. | 30

2. IPsec Common: browse to “Configuration” -> “IPsec” -> “IPsec Tunnel”.

Click “Add” to enter the IPsec Tunnel settings.

Set the IPsec Gateway address to the R3000’s public IP address or domain name, and the subnets as the mirror image of the R3000’s: for the topology in Chapter 2 the Local Subnet is 192.168.0.0/24 and the Remote Subnet is 192.168.1.0/24.


Item | Description | Setting
IPsec Gateway Address | Enter the address (or domain name) of the remote IPsec VPN gateway. | Enter accordingly
IPsec Mode | Select “Tunnel” or “Transport”. Tunnel mode protects whole IP packets between the two gateways and is what a LAN-to-LAN VPN needs; Transport mode protects only the payload between the two endpoints themselves. | Select accordingly (Tunnel in this note)
IPsec Protocol | Select “ESP” or “AH”. ESP provides encryption and authentication; AH provides authentication only, with no confidentiality. | Select accordingly (ESP in this note)
Local Subnet | Enter the address of the local protected subnet. | Enter accordingly
Local Subnet Mask | Enter the mask of the local protected subnet. | Enter accordingly
Local ID Type | Select “IP Address”, “FQDN” or “User FQDN” as the local identity for IKE negotiation. “Default” stands for “IP Address”. | Select accordingly
Remote Subnet | Enter the address of the remote protected subnet. | Enter accordingly
Remote Subnet Mask | Enter the mask of the remote protected subnet. | Enter accordingly
Remote ID Type | Select “IP Address”, “FQDN” or “User FQDN” as the expected remote identity for IKE negotiation. | Select accordingly

3. Phase 1 – IKE configuration.

IKE (Internet Key Exchange) is the first phase in establishing a secure link between two peers. The following entries relate to the configuration of IKE on the R3000 Lite and must match the R3000 exactly.

In this note the Phase 1 encryption and authentication are set to 3DES and MD5, the IKE Diffie-Hellman group to MODP1024_2, and a pre-shared key is used for authentication. These are legacy choices kept for interoperability; prefer AES and MODP1536_5 where both routers support them, and keep Main mode, since aggressive mode with a pre-shared key exposes the PSK-derived hash to offline guessing.

Item | Description | Setting
Negotiation Mode | Select “Main” or “aggressive” as the IKE negotiation mode in Phase 1. | Select accordingly (Main in this note)
Encryption Algorithm | Select “DES”, “3DES”, “AES128”, “AES192” or “AES256” to be used in IKE negotiation. | Select accordingly
DH Group | Select “MODP768_1”, “MODP1024_2” or “MODP1536_5” as the key-negotiation group for Phase 1. | Select accordingly
Authentication | Select “PSK”, “CA”, “XAUTH Init PSK” or “XAUTH Init CA” to be used in IKE negotiation. | Select accordingly
Secrets | Enter the same pre-shared key as on the R3000. | Enter accordingly
Life Time @ IKE Parameter | Set the lifetime of the IKE SA, in seconds. | 3600

4. Phase 2 – IPsec SA configuration.

This determines how the traffic routed to the remote network is protected inside the VPN tunnel.

In this note the SA Algorithm is set to 3DES_MD5_96 to match the R3000. Set the PFS Group identically on both routers; PFS_NULL disables perfect forward secrecy, so choose a DH group here where possible.

Item | Description | Setting
SA Algorithm | The encryption and authentication algorithms to use for the IPsec SA. | Select accordingly
PFS Group | Select “PFS_NULL”, “MODP768_1”, “MODP1024_2” or “MODP1536_5”. | Select accordingly
Life Time @ SA Parameter | Set the IPsec SA lifetime, in seconds. | 28800
DPD Time Interval | Set the interval, in seconds, after which DPD is triggered if no IPsec-protected packets have been received from the peer. | 60
DPD Timeout | Set the timeout, in seconds, after which the peer is declared dead if DPD messages go unanswered. | 180

5. Click “Apply”->”Save”->”Reboot”.
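The two tunnel definitions in sections 3.1.4 and 3.2.3 only bring up a tunnel if they are mirror images of each other: each router’s IPsec Gateway must be the other’s WAN address, the local and remote subnets must be swapped, and the Phase 1 and Phase 2 proposals and the pre-shared key must be identical. The following Python script is an added example, not part of this Application Note or of Robustel’s firmware. It models the GUI fields as dictionaries with the addresses used in this note (202.96.1.102 and 77.211.24.126 as the WAN addresses, 192.168.1.0/24 and 192.168.0.0/24 as the protected subnets) and reports every field on which the two routers would disagree. The field names and the placeholder pre-shared key are this example’s own.

```python
"""Mirror-consistency check for two Robustel IPsec Tunnel definitions.

Added example, not code from the Robustel application note. The dicts model
the GUI fields of sections 3.1.4 and 3.2.3; field names and the placeholder
PSK are this example's own, and the addresses are the ones seen in the note.
"""
import copy
import ipaddress

# Central R3000 (section 3.1.4). WAN 202.96.1.102 and peer 77.211.24.126 are
# the addresses that appear in the Event/Log of section 4.3.
R3000 = {
    "wan_address": "202.96.1.102",
    "nat_traversal": True,
    "gateway": "77.211.24.126",          # IPsec Gateway Address = the R3000 Lite
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.0.0/24",
    "mode": "Tunnel",
    "protocol": "ESP",
    "ike": {"negotiation": "Main", "encryption": "3DES", "dh_group": "MODP1024_2",
            "auth": "PSK", "lifetime": 3600},
    "sa": {"algorithm": "3DES_MD5_96", "pfs_group": "PFS_NULL", "lifetime": 28800,
           "dpd_interval": 60, "dpd_timeout": 180},
    "psk": "placeholder-psk-replace-with-a-long-random-value",
}


def mirror_of(cfg, wan_address):
    """Derive the peer's definition: same proposals and PSK, subnets swapped,
    gateway pointing back at cfg's WAN address."""
    peer = copy.deepcopy(cfg)
    peer["wan_address"] = wan_address
    peer["gateway"] = cfg["wan_address"]
    peer["local_subnet"] = cfg["remote_subnet"]
    peer["remote_subnet"] = cfg["local_subnet"]
    return peer


# R3000 Lite (section 3.2.3), derived so that it cannot drift from the R3000.
R3000_LITE = mirror_of(R3000, wan_address="77.211.24.126")


def variant(cfg, phase, key, value):
    """Copy of cfg with one Phase 1 ('ike') or Phase 2 ('sa') field changed,
    to show what a configuration mistake looks like to the checker."""
    changed = copy.deepcopy(cfg)
    changed[phase][key] = value
    return changed


def mismatches(a, b):
    """List the reasons a and b would not bring up a tunnel with each other.
    An empty list means the two definitions are consistent mirror images."""
    problems = []
    if a["gateway"] != b["wan_address"]:
        problems.append(f"gateway {a['gateway']} on A is not B's WAN address {b['wan_address']}")
    if b["gateway"] != a["wan_address"]:
        problems.append(f"gateway {b['gateway']} on B is not A's WAN address {a['wan_address']}")
    # Quick Mode only succeeds if each side's local selector is the other's remote selector.
    if a["local_subnet"] != b["remote_subnet"] or a["remote_subnet"] != b["local_subnet"]:
        problems.append("protected subnets are not mirror images; Quick Mode traffic selectors will not match")
    local = ipaddress.ip_network(a["local_subnet"])
    remote = ipaddress.ip_network(a["remote_subnet"])
    if local.overlaps(remote):
        problems.append(f"local {local} and remote {remote} overlap; routing across the tunnel is ambiguous")
    for key in ("mode", "protocol"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")          # never print the values themselves
    if not (a["nat_traversal"] and b["nat_traversal"]):
        problems.append("NAT Traversal is disabled on a side; required if either router is behind NAT")
    # Phase 1 and Phase 2 proposals: flag every field that differs, lifetimes and
    # DPD timers included, since the note sets identical values on both routers.
    for phase in ("ike", "sa"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase}.{key} differs: {a[phase].get(key)!r} vs {b[phase].get(key)!r}")
    return problems


if __name__ == "__main__":
    print("R3000 vs R3000 Lite:", mismatches(R3000, R3000_LITE) or "consistent")
    broken = variant(R3000_LITE, "sa", "pfs_group", "MODP1536_5")   # PFS on one side only
    for problem in mismatches(R3000, broken):
        print("mismatch:", problem)
```

Run it as-is to see the consistent pair and the one-sided PFS mismatch that would make Quick Mode fail; to check a real deployment, fill the two dictionaries from the GUI pages of both routers before clicking “Save” and “Reboot”.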


Chapter 4. Testing

4.1 Current WAN Status

1. Browse to “Status” -> “System” -> “Current WAN Link”.

Check that the R3000 has its static public IP address.

2. Browse to “Status” -> “System” -> “Current WAN Link” and “Cellular Information”.

Check that the R3000 Lite has dialled up, obtained an IP address and can reach the Internet.

4.2 VPN Status and Communication

1. Browse to “Status” -> “VPN” -> “IPsec”.

Check that the R3000 has established the IPsec VPN with the R3000 Lite.


2. Browse to “Status” -> “VPN” -> “IPsec”.

Check that the R3000 Lite has established the IPsec VPN with the R3000.

Test on the R3000: browse to “Administration” -> “Tools” -> “Ping”.

Ping from 192.168.1.11 (R3000 LAN) to 192.168.0.11 (R3000 Lite LAN). An ICMP reply from the R3000 Lite side shows that LAN-to-LAN communication through the tunnel is working correctly.

Test on the R3000 Lite: browse to “Administration” -> “Tools” -> “Ping”.

Ping from 192.168.0.11 (R3000 Lite LAN) to 192.168.1.11 (R3000 LAN). An ICMP reply from the R3000 side shows that LAN-to-LAN communication through the tunnel is working correctly.


4.3 Event/Log

The Event/Log shows the running processes and status of the R3000. The lines to look for are “ISAKMP SA established” (Phase 1) and “IPsec SA established tunnel mode” (Phase 2); the values in braces on those lines are what was actually negotiated and should be compared with the intended configuration.

Note: the Event/Log can be viewed under “Status” -> “Event/Log”.

……

14-06-12 21:32:11 <0> router: system service starting...

14-06-12 21:32:15 <3> ipsec: WARNING: 1DES is enabled

14-06-12 21:32:15 <3> ipsec: LEAK_DETECTIVE support [enabled]

14-06-12 21:32:15 <3> ipsec: OCF support for IKE [disabled]

14-06-12 21:32:15 <3> ipsec: SAref support [disabled]: Protocol not available

14-06-12 21:32:15 <3> ipsec: SAbind support [disabled]: Protocol not available

14-06-12 21:32:15 <3> ipsec: NSS support [disabled]

14-06-12 21:32:15 <3> ipsec: HAVE_STATSD notification support not compiled in

14-06-12 21:32:15 <3> ipsec: Setting NAT-Traversal port-4500 floating to on

14-06-12 21:32:15 <3> ipsec: port floating activation criteria nat_t=1/port_float=1

14-06-12 21:32:15 <3> ipsec: NAT-Traversal support [enabled]

14-06-12 21:32:15 <3> ipsec: using /dev/urandom as source of random entropy

14-06-12 21:32:15 <3> ipsec: starting up 1 cryptographic helpers

14-06-12 21:32:15 <3> ipsec: started helper pid=601 (fd:3)

14-06-12 21:32:15 <3> ipsec: Using Linux 2.6 IPsec interface code on 2.6.39 (experimental code)

14-06-12 21:32:15 <3> ipsec: using /dev/urandom as source of random entropy

14-06-12 21:32:16 <3> ipsec: added connection description "IPsec_Tunnel_1"

14-06-12 21:32:16 <3> ipsec: listening for IKE messages

14-06-12 21:32:16 <3> ipsec: adding interface eth0/eth0 202.96.1.102:500

14-06-12 21:32:16 <3> ipsec: adding interface eth0/eth0 202.96.1.102:4500

14-06-12 21:32:16 <3> ipsec: loading secrets from "/etc/ipsec.secrets"

14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]

14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [Dead Peer Detection]

14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [RFC 3947] method set to=115

14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115

14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115

14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115

14-06-12 21:32:21 <3> ipsec: packet from 77.211.24.126:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

14-06-12 21:32:21 <3> ipsec: "IPsec_Tunnel_1" #1: responding to Main Mode

14-06-12 21:32:21 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

14-06-12 21:32:21 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_R1: sent MR1, expecting MI2

14-06-12 21:32:22 <3> ipsec: "IPsec_Tunnel_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected

14-06-12 21:32:23 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

14-06-12 21:32:23 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_R2: sent MR2, expecting MI3

14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: Main mode peer ID is ID_IPV4_ADDR: '77.211.24.126'

14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established

{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}

14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: Dead Peer Detection (RFC 3706): enabled

14-06-12 21:32:26 <3> ipsec: "IPsec_Tunnel_1" #1: the peer proposed: 192.168.1.0/24:0/0 -> 192.168.0.0/24:0/0

14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #2: responding to Quick Mode proposal {msgid:6e079759}

14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #2: us: 192.168.1.0/24===202.96.1.102<202.96.1.102>---202.96.1.100

14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #2: them: 77.211.24.126<77.211.24.126>===192.168.0.0/24

14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1

14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1 msgid:cdbde09c proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}

14-06-12 21:32:30 <3> ipsec: "IPsec_Tunnel_1" #2: 1 IPSec connections are currently being managed

14-06-12 21:32:30 <3> ipsec: "IPsec_Tunnel_1" #2: Dead Peer Detection (RFC 3706): enabled

14-06-12 21:32:30 <3> ipsec: "IPsec_Tunnel_1" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2

14-06-12 21:32:30 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x17a1c8b3 <0x9e3940c9 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}

14-06-12 21:32:31 <3> ipsec: "IPsec_Tunnel_1" #3: Dead Peer Detection (RFC 3706): enabled

14-06-12 21:32:31 <3> ipsec: "IPsec_Tunnel_1" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2

14-06-12 21:32:31 <3> ipsec: "IPsec_Tunnel_1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x259c9d6d <0xe4087afd xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}

……

The Event/Log shows the running processes and status of the R3000 Lite. Here the R3000 Lite is the initiator (“initiating Main Mode”), and the same “ISAKMP SA established” and “IPsec SA established tunnel mode” lines report the negotiated parameters.

Note: the Event/Log can be viewed under “Status” -> “Event/Log”.

……

14-06-12 21:28:04 <0> router: system service starting...

14-06-12 21:28:08 <3> ipsec: WARNING: 1DES is enabled

14-06-12 21:28:08 <3> ipsec: LEAK_DETECTIVE support [enabled]

14-06-12 21:28:08 <3> ipsec: OCF support for IKE [disabled]

14-06-12 21:28:08 <3> ipsec: SAref support [disabled]: Protocol not available

14-06-12 21:28:08 <3> ipsec: SAbind support [disabled]: Protocol not available

14-06-12 21:28:08 <3> ipsec: NSS support [disabled]

14-06-12 21:28:08 <3> ipsec: HAVE_STATSD notification support not compiled in

14-06-12 21:28:08 <3> ipsec: Setting NAT-Traversal port-4500 floating to on

14-06-12 21:28:08 <3> ipsec: port floating activation criteria nat_t=1/port_float=1

14-06-12 21:28:08 <3> ipsec: NAT-Traversal support [enabled]

14-06-12 21:28:08 <3> ipsec: using /dev/urandom as source of random entropy

14-06-12 21:28:08 <3> ipsec: starting up 1 cryptographic helpers

14-06-12 21:28:08 <3> ipsec: started helper pid=600 (fd:3)

14-06-12 21:28:08 <3> ipsec: Using Linux 2.6 IPsec interface code on 2.6.39 (experimental code)

14-06-12 21:28:08 <3> ipsec: using /dev/urandom as source of random entropy

14-06-12 21:28:09 <3> ipsec: added connection description "IPsec_Tunnel_1"

14-06-12 21:28:09 <3> ipsec: listening for IKE messages

14-06-12 21:28:09 <3> ipsec: adding interface eth2/eth2 :500 77.211.24.126

14-06-12 21:28:09 <3> ipsec: adding interface eth2/eth2 :4500 77.211.24.126

14-06-12 21:28:09 <3> ipsec: loading secrets from "/etc/ipsec.secrets"

14-06-12 21:28:19 <3> ipsec: "IPsec_Tunnel_1" #1: initiating Main Mode

14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [Openswan (this version) 2.6.38 ]

14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [Dead Peer Detection]

14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [RFC 3947] method set to=115

14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)

14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2

14-06-12 21:28:21 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I2: sent MI2, expecting MR2

14-06-12 21:28:23 <3> ipsec: "IPsec_Tunnel_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected

14-06-12 21:28:23 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3

14-06-12 21:28:23 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I3: sent MI3, expecting MR3

14-06-12 21:28:24 <3> ipsec: "IPsec_Tunnel_1" #1: Main mode peer ID is ID_IPV4_ADDR: '202.96.1.102'

14-06-12 21:28:24 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4

14-06-12 21:28:24 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I4: ISAKMP SA established

{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}

14-06-12 21:28:24 <3> ipsec: "IPsec_Tunnel_1" #1: Dead Peer Detection (RFC 3706): enabled

14-06-12 21:28:24 <3> ipsec: "IPsec_Tunnel_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1 msgid:c106dc2c proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}

14-06-12 21:28:28 <3> ipsec: "IPsec_Tunnel_1" #2: 1 IPSec connections are currently being managed

14-06-12 21:28:28 <3> ipsec: "IPsec_Tunnel_1" #2: Dead Peer Detection (RFC 3706): enabled


14-06-12 21:28:28 <3> ipsec: "IPsec_Tunnel_1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2

14-06-12 21:28:28 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb8edb626 <0x8980ac45 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}

14-06-12 21:28:37 <3> router: modem monitor failed 1/3 to test AT command ATE0

……
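The two logs above record what the routers actually negotiated, which is what should be checked against the intended configuration: “ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}” for Phase 1, “pfsgroup=no-pfs” and “xfrm=3DES_0-HMAC_MD5” for Phase 2, “no NAT detected” for NAT Traversal, and the start-up line “WARNING: 1DES is enabled”, which means single DES is available to the IKE daemon even though it was not selected. The following Python script is an added example, not part of this Application Note or of Robustel’s firmware. It parses Event/Log lines in the format shown above (SAMPLE_LOG is constructed here from that format, with the long lines unwrapped) and flags the legacy choices. The finding codes are this example’s own.

```python
"""Extract the negotiated IKE/IPsec parameters from Openswan-style Event/Log
lines and flag legacy choices.

Added example, not part of the Robustel application note or its firmware.
SAMPLE_LOG is constructed in the format of the Event/Log in section 4.3,
with the wrapped lines joined; finding codes are this example's own names.
"""
import re

SAMPLE_LOG = """\
14-06-12 21:32:15 <3> ipsec: WARNING: 1DES is enabled
14-06-12 21:32:21 <3> ipsec: "IPsec_Tunnel_1" #1: responding to Main Mode
14-06-12 21:32:22 <3> ipsec: "IPsec_Tunnel_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
14-06-12 21:32:25 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
14-06-12 21:32:27 <3> ipsec: "IPsec_Tunnel_1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1 msgid:cdbde09c proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
14-06-12 21:32:30 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x17a1c8b3 <0x9e3940c9 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
"""

# One pattern per fact we want out of the log (pluto's message formats).
RE_IKE_MODE = re.compile(r"(?:responding to|initiating) (Main|Aggressive) Mode")
RE_ISAKMP = re.compile(r"ISAKMP SA established \{auth=(\S+) cipher=(\S+) prf=(\S+) group=(\S+)\}")
RE_NAT = re.compile(r"NAT-Traversal: Result using [^:]+: (.+)$")
RE_PFS = re.compile(r"pfsgroup=(\S+)\}")
RE_ESP = re.compile(r"IPsec SA established (\w+) mode \{ESP=>(\S+) <(\S+) xfrm=(\S+) NATOA=\S+ NATD=\S+ DPD=(\w+)\}")


def parse_negotiation(log_text):
    """Return a dict of what the peer actually negotiated, as far as the log shows."""
    neg = {"des_available": False}
    for line in log_text.splitlines():
        if "WARNING: 1DES is enabled" in line:
            neg["des_available"] = True          # single DES compiled into the IKE daemon
        if m := RE_IKE_MODE.search(line):
            neg["ike_mode"] = m.group(1)
        if m := RE_ISAKMP.search(line):
            neg.update(ike_auth=m.group(1), ike_cipher=m.group(2), ike_prf=m.group(3), ike_group=m.group(4))
        if m := RE_NAT.search(line):
            neg["nat"] = m.group(1).strip()
        if m := RE_PFS.search(line):
            neg["pfs"] = m.group(1)
        if m := RE_ESP.search(line):
            neg.update(ipsec_mode=m.group(1), spi_out=m.group(2), spi_in=m.group(3),
                       esp_transform=m.group(4), dpd=m.group(5))
    return neg


def lint(neg):
    """Return (code, message) findings for legacy or risky negotiated parameters."""
    findings = []
    if neg.get("des_available"):
        findings.append(("1DES_ENABLED", "single DES is available to the IKE daemon; never select DES in the GUI"))
    cipher = neg.get("ike_cipher", "").lower()
    if "3des" in cipher:
        findings.append(("WEAK_IKE_CIPHER", f"Phase 1 cipher {cipher} is legacy 3DES; prefer AES"))
    elif "des" in cipher:
        findings.append(("WEAK_IKE_CIPHER", f"Phase 1 cipher {cipher} is single DES, which is broken"))
    if "md5" in neg.get("ike_prf", "").lower():
        findings.append(("WEAK_IKE_PRF", "Phase 1 PRF/hash is MD5; prefer a SHA-based hash"))
    if neg.get("ike_group") in ("modp768", "modp1024"):
        findings.append(("WEAK_DH_GROUP", f"DH group {neg['ike_group']} is below 2048 bits; use the largest group both peers offer"))
    if neg.get("pfs") == "no-pfs":
        findings.append(("NO_PFS", "Phase 2 has no PFS; a recovered Phase 1 secret exposes all tunnel traffic"))
    xfrm = neg.get("esp_transform", "").upper()
    if "3DES" in xfrm or "MD5" in xfrm:
        findings.append(("WEAK_ESP_TRANSFORM", f"ESP transform {xfrm} uses 3DES and/or HMAC-MD5"))
    if neg.get("ike_mode") == "Aggressive" and "PRESHARED" in neg.get("ike_auth", ""):
        findings.append(("AGGRESSIVE_PSK", "aggressive mode with PSK exposes the PSK-derived hash to offline guessing"))
    return findings


if __name__ == "__main__":
    negotiated = parse_negotiation(SAMPLE_LOG)
    for key, value in sorted(negotiated.items()):
        print(f"{key:14} {value}")
    for code, message in lint(negotiated):
        print(f"[{code}] {message}")
```

Paste the Event/Log of either router into SAMPLE_LOG (or read it from a file) after the tunnel comes up; for the configuration in this note the checker reports 3DES, MD5, MODP1024 and missing PFS on both routers, which is the expected result of the settings chosen in Chapter 3 and the reason for preferring AES, a larger DH group and a PFS group where both routers support them.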


Chapter 5. Appendix

5.1 Firmware Version

The configuration above was tested on R3000 with firmware version R3000_S_V1.01.01.fs.

The configuration above was tested on R3000 Lite with firmware version R3000_L_V1.01.01.fs.