www.westermo.com | LAN to LAN IPsec MRD-310 to DR-250
Application Note
LAN to LAN IPsec VPN: Connecting the MRD-3xx 3G router to the DR-250 router with IPsec
AN-0004-03 Page 1 | Proudly Distributed by Gross Automation | (877) 268-3700 | www.westermosales.com | [email protected]
IPsec VPN
A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunnelling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure. Phone companies have provided private shared resources for voice messages for over a decade. A virtual private network makes it possible to have the same protected sharing of public resources for data.

IPsec is a suite of protocols that provides peer authentication without transmitting the actual keys, confidentiality through encryption, and integrity, ensuring that the received data can only come from the authenticated peer and has not been altered in any way.

IPsec Encapsulating Security Payload (ESP) tunnels are transparent to all nodes and applications using IP; only the VPN gateways need to be configured to securely connect geographically separated networks.

Firstly we will describe and determine all the parameters necessary for this configuration. These values are written into the "IPsec Network setup table".

The numbers and parameter values from the "IPsec Network setup table" are used throughout this guide, first while configuring the responder and then the initiator.
Network setup description
This application note describes how to implement a LAN to LAN IPsec VPN tunnel between a Westermo MRD-310 3G Router and a Westermo DR-250 ADSL2+ Router.

It is important to decide which of the two routers will be the initiator and which will be the responder. In nearly all cases the responder will be a VPN gateway located at a central location, such as company headquarters. In all cases the responder must have a publicly accessible IP address, or a DNS name that resolves to one, so that the initiator can reach it across the Internet.

In this example the MRD-310 has a 3G subscription that dynamically assigns a private IP address and is hidden behind a Network Address Translation (NAT) device. As such it can only be the initiator.

The DR-250 uses its ADSL WAN interface. The IP address assigned by the ISP is public but not fixed. In order to know the IP address of the DR-250 Router we use the dynamic DNS service of www.dyndns.org to translate the Fully Qualified Domain Name (FQDN) weslab.home.dyndns.org to a routable IP address. The DR-250 Router will be the responder.
For authentication we will be using a Pre-Shared Key (PSK). This is simple and practical for initial and small-scale VPN configurations, but it is very susceptible to social engineering and, with aggressive mode, to offline guessing of a weak key. Large-scale or long-term deployments should use certificates for authentication.

This IPsec configuration uses Internet Key Exchange version 1 (IKEv1). If the IP addresses of both gateways are fixed, or certificates are used, it is recommended to use IKE main mode. Main mode takes an extra round trip to establish the connection but provides a higher level of security than aggressive mode: the peer identities are exchanged encrypted, and the authentication hash derived from the pre-shared key is never sent in clear. In this example the combination of a dynamic initiator address and a pre-shared key forces us to use IKE aggressive mode, because with IKEv1 main mode the responder would have to select the PSK by the initiator's IP address before the initiator's identity is received. Choose a long random PSK; the value 123456 used in this example is for illustration only.

IKE supports many different types of identifiers (ID). For this example we have chosen type 2, FQDN. Please review RFC 2407 for further details.
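To make the main mode versus aggressive mode difference concrete, the following added example (not code from the application note, and not Westermo's) parses IKEv1/ISAKMP datagrams and reports which identities can be read from the wire. It builds two constructed messages inline: an aggressive-mode message 1 carrying an ID_FQDN of "mrd310" in clear, and a main-mode message 5 whose ID payload is encrypted. The SA, KE and nonce bodies are filler bytes of plausible size; header and payload layouts follow RFC 2408, the ID types RFC 2407. All function names are this example's own.

```python
"""Parse IKEv1/ISAKMP (RFC 2408) messages and report identities sent in
the clear.  Added example, not code from the Westermo application note;
the messages below are constructed here, not captured from a router."""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # cookies, next payload, version, exchange, flags, msg id, length
GENERIC_HDR = struct.Struct("!BBH")         # next payload, reserved, payload length
FLAG_ENCRYPTION = 0x01                      # RFC 2408 section 3.1, E bit
EXCHANGE_NAMES = {2: "Identity Protection (main mode)", 4: "Aggressive"}
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN"}  # RFC 2407 section 4.6.2.1


def _payload(next_type, body):
    """Generic payload header followed by the body; next_type names the payload that follows."""
    return GENERIC_HDR.pack(next_type, 0, GENERIC_HDR.size + len(body)) + body


def _header(first_payload, exchange, flags, body_len, rcookie=b"\x00" * 8):
    """ISAKMP header: version 1.0, message ID 0 (phase 1), total length filled in."""
    return ISAKMP_HDR.pack(b"\x01" * 8, rcookie, first_payload, 0x10, exchange,
                           flags, 0, ISAKMP_HDR.size + body_len)


def build_aggressive_message1(fqdn):
    """Constructed aggressive-mode message 1: HDR, SA, KE, Ni, IDii.
    SA/KE/nonce bodies are filler of plausible size; the ID payload is real."""
    id_body = struct.pack("!BBH", 2, 17, 500) + fqdn.encode()  # ID_FQDN, UDP, port 500
    body = (_payload(PAYLOAD_KE, b"\x00" * 20)          # SA body; next = KE
            + _payload(PAYLOAD_NONCE, b"\x11" * 128)    # KE body; next = nonce
            + _payload(PAYLOAD_ID, b"\x22" * 16)        # nonce body; next = ID
            + _payload(0, id_body))                     # ID body; last payload
    return _header(PAYLOAD_SA, 4, 0, len(body)) + body


def build_main_mode_message5():
    """Constructed main-mode message 5 (IDii, HASH_I) sent after the DH exchange:
    the encryption flag is set and the payload chain is ciphertext (filler here)."""
    body = b"\x33" * 64
    return _header(PAYLOAD_ID, 2, FLAG_ENCRYPTION, len(body), rcookie=b"\x02" * 8) + body


def parse_isakmp(msg):
    """Return exchange name, encryption flag and the ID payloads readable
    without any key, as (id type name, raw bytes)."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _, _, next_type, version, exchange, flags, _, length = ISAKMP_HDR.unpack_from(msg)
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    if length != len(msg):
        raise ValueError("length field does not match datagram size")
    result = {"exchange": EXCHANGE_NAMES.get(exchange, str(exchange)),
              "encrypted": bool(flags & FLAG_ENCRYPTION), "ids": []}
    if result["encrypted"]:
        return result              # payload chain is ciphertext, nothing to walk
    offset = ISAKMP_HDR.size
    while next_type != 0:
        if offset + GENERIC_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        following, _, plen = GENERIC_HDR.unpack_from(msg, offset)
        if plen < GENERIC_HDR.size or offset + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[offset + GENERIC_HDR.size:offset + plen]
        if next_type == PAYLOAD_ID and len(body) >= 4:
            id_type = body[0]      # then protocol ID, port, identification data
            result["ids"].append((ID_TYPE_NAMES.get(id_type, str(id_type)), body[4:]))
        offset += plen
        next_type = following
    return result


def cleartext_identities(msg):
    """Identities an observer on the path can read from this datagram."""
    return [(name, raw.decode("ascii", "replace")) for name, raw in parse_isakmp(msg)["ids"]]


if __name__ == "__main__":
    for m in (build_aggressive_message1("mrd310"), build_main_mode_message5()):
        info = parse_isakmp(m)
        print(info["exchange"], "encrypted" if info["encrypted"] else "clear", cleartext_identities(m))
```

Run against a real capture of UDP port 500 traffic, the same parser shows the initiator's FQDN ID in the first aggressive-mode packet and nothing usable in main-mode messages 5 and 6, which is why the choice of mode, not only the PSK, decides how much an eavesdropper learns.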
Encapsulating Security Payload (ESP) is the final encrypted tunnel joining the two LANs together. An ESP security association is unidirectional, so a pair of them is used for full-duplex communication. Advanced Encryption Standard (AES) is the recommended encryption algorithm since it is more secure and more efficient than the older 3DES.

This configuration is valid for:
Westermo MRD-310/330 firmware version 1.33
Westermo DR/MR-250 firmware version 5073
IPsec Network setup table
[Network diagram: the MRD-310 (initiator, LAN 192.168.20.0/24, example host 192.168.20.200) reaches the Internet through the 3G APN; the DR-250 (responder, weslab.home.dyndns.org, LAN 192.168.0.0/24, example host 192.168.0.99) is on ADSL. A LAN to LAN IPsec tunnel joins the two LANs.]

The number after each field is the reference used in the configuration screenshots that follow: odd numbers are initiator (MRD-310) values, even numbers are responder (DR-250) values. Single-numbered rows apply to both sides.

General                      Initiator (MRD-310)           Responder (DR-250)
External address IP or FQDN   1  any                        2  weslab.home.dyndns.org
Internal IP address           3  192.168.20.0               4  192.168.0.0
Internal subnet mask          5  255.255.255.0              6  255.255.255.0
ID type (RFC 2407)            7  2 (FQDN)                   8  2 (FQDN)
ID value                      9  mrd310                    10  dr250
PSK                          11  123456 (same on both sides; example value only)
Certificate                  12  (not used)                13  (not used)
NAT Traversal                14  YES
NAT-T keepalive              15  45 s
Dead Peer Detection          16  YES
DPD delay & timeout          17  60 s / 120 s
MTU                          18  (default)                 19  (default)

IKE phase 1
Mode                         20  Aggressive
Encryption                   21  AES (128)
Authentication               22  SHA1
Diffie Hellman group         23  2
IKE SA lifetime              24  28800 s

IKE phase 2
ESP encryption               25  AES (128)
ESP authentication           26  SHA1
SA lifetime                  27  28800 s
Perfect Forward Secrecy      28  (not set)
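Before the values are typed into two separate web interfaces it is worth checking that the two columns agree and that the choices are sane. The following added example (this editor's code, not part of the application note) holds the table above in two dicts and cross-checks them: proposal fields must match, the LAN subnets must be disjoint, the responder needs a reachable address, and it flags the settings a reviewer would question (aggressive mode with PSK, a short all-digit PSK, the 1024-bit Diffie-Hellman group). The field names, finding codes and thresholds are this example's own conventions; the subnet notation uses the table's dotted masks.

```python
"""Cross-check the initiator and responder columns of the IPsec network
setup table before the values are typed into the two routers.

Added example, not part of the application note.  The two dicts carry
the values from the table above; field names, finding codes and the
weakness rules are this example's own conventions."""
import ipaddress
import secrets

INITIATOR = {                                   # MRD-310, odd-numbered table entries
    "external": "any",                          # 1: dynamic private address behind NAT
    "subnet": "192.168.20.0/255.255.255.0",     # 3 and 5
    "id_type": 2, "id": "mrd310",               # 7 and 9
    "psk": "123456",                            # 11 (example value from the table)
    "nat_t": True, "nat_t_keepalive": 45, "dpd": (60, 120),             # 14 to 17
    "ike_mode": "aggressive", "ike_enc": "aes128", "ike_auth": "sha1",  # 20 to 22
    "dh_group": 2, "ike_lifetime": 28800,                               # 23 and 24
    "esp_enc": "aes128", "esp_auth": "sha1", "esp_lifetime": 28800,     # 25 to 27
    "pfs": None,                                # 28
}
RESPONDER = dict(INITIATOR,                     # DR-250, even-numbered entries
                 external="weslab.home.dyndns.org",
                 subnet="192.168.0.0/255.255.255.0", id="dr250")

# Fields that make up the IKE proposals: any difference means phase 1 or 2 never agrees.
MUST_MATCH = ("id_type", "nat_t", "dpd", "ike_mode", "ike_enc", "ike_auth",
              "dh_group", "ike_lifetime", "esp_enc", "esp_auth", "esp_lifetime", "pfs")


def parse_subnet(text):
    """'192.168.20.0/255.255.255.0' -> IPv4Network; strict=True rejects a
    network address with host bits set, a common typo in these tables."""
    return ipaddress.IPv4Network(text, strict=True)


def check_pair(init, resp):
    """Return findings as (severity, code, message).  An empty list means
    the two columns are consistent and nothing weak was spotted."""
    findings = []

    def add(severity, code, message):
        findings.append((severity, code, message))

    for key in MUST_MATCH:
        if init[key] != resp[key]:
            add("error", "mismatch", f"{key}: initiator={init[key]!r} responder={resp[key]!r}")
    if resp["external"] in ("", "any"):
        add("error", "responder-address", "responder needs a fixed public IP or a DNS name")
    local, remote = parse_subnet(init["subnet"]), parse_subnet(resp["subnet"])
    if local.overlaps(remote):
        add("error", "subnet-overlap", f"{local} and {remote} overlap; LAN to LAN selectors must be disjoint")
    if init["id"] == resp["id"]:
        add("error", "same-id", "both peers use the same ID value")
    if init["psk"] != resp["psk"]:
        add("error", "psk-mismatch", "PSK differs between the two sides")
    if init["external"] == "any" and init["ike_mode"] != "aggressive":
        add("error", "needs-aggressive", "IKEv1 main mode with PSK needs a fixed initiator address")
    if init["ike_mode"] == "aggressive":
        add("warn", "aggressive-psk", "aggressive mode sends the IDs in clear and exposes the PSK "
                                      "authentication hash to offline guessing; use a long random PSK")
    if len(init["psk"]) < 20 or init["psk"].isdigit():
        add("warn", "weak-psk", f"PSK {init['psk']!r} is short or all digits")
    if init["dh_group"] <= 2:
        add("info", "dh-1024", "DH group 2 is 1024-bit MODP; pick a larger group if both routers offer one")
    return findings


def with_random_psk(init, resp, nbytes=32):
    """Return copies of both columns sharing one fresh random PSK (43 URL-safe characters)."""
    psk = secrets.token_urlsafe(nbytes)
    return dict(init, psk=psk), dict(resp, psk=psk)


if __name__ == "__main__":
    for severity, code, message in check_pair(INITIATOR, RESPONDER):
        print(f"{severity:5} {code:18} {message}")
```

For the table as printed the check reports no errors but three findings: aggressive mode with PSK, the weak example PSK, and the 1024-bit DH group. Replacing the PSK with `with_random_psk` clears the second; the other two are properties of the IKEv1 design the page adopts and of what the two firmware versions offer.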
DR-250 VPN Configuration

Make sure you have configured the DR-250 router as described in the User Guide. Access the router's web interface. In the left side menu select: Configure > "VPN Configuration" > "IKE Responder". Make sure that NAT traversal is enabled.
[Screenshot: IKE Responder page; the numbered fields take table entries 14 (NAT traversal), 21 (encryption), 22 (authentication) and 24 (IKE SA lifetime).]
Remember to save to flash when done making changes.

To enter the pre-shared key for the connection we must create a user whose name and password are linked to an eroute. Select: Users > User 14. The user number has no impact on the VPN configuration, but the Name and Password must match the peer ID value (table entry 9, mrd310) and the PSK (table entry 11) respectively.
[Screenshot: User 14 page with the Name (9) and Password (11) fields.]
DR-250 eroute configuration
Select: Configure > VPN Configuration > IPSEC Eroute 0. For the correct ID type to be used, set "Send our ID as FQDN" to Yes. Leave Peer IP/hostname blank to indicate any address. Enter the values from the network table.
[Screenshot: Eroute 0 page; the numbered fields take table entries 1 (peer IP/hostname, left blank for "any"), 3 and 5 (peer internal address and mask), 4 and 6 (our internal address and mask), 8 (ID type), 9 (peer ID), 10 (our ID), 25 (ESP encryption), 26 (ESP authentication) and 27 (SA lifetime).]
Remember to save to flash when done making changes.
DR-250 WAN interface configuration
In this example the ADSL WAN interface uses bridged Ethernet and the WAN interface becomes Ethernet 4. Select: Configure > ADSL Interface > ETH 4 Bridged. Set the IPSec parameter to "ON-Remove SA when link down".

DR-250 firewall configuration
When the IPsec VPN has been configured correctly we should only allow IPsec connections on the WAN interface. Add the entries below to open the IKE UDP ports 500 and 4500, IP protocol 50 (ESP) and finally all configured eroutes. There is an explicit end rule that blocks everything else, so the order matters: the IKE, NAT-T, ESP and eroute entries must all come before it.
[Screenshot: firewall entries]
Once completed, activate the firewall on the WAN interface (ETH 4). Save the configuration and reboot the router. Afterwards, verify from the Internet side that only UDP 500 and 4500 answer on the WAN address and that nothing else does.
MRD-310 Initiator VPN configuration
Make sure you have configured your MRD-3xx 3G router as described in the User Guide. Access the router's web interface and select VPN in the top menu, followed by "IPsec VPN" in the sub menu. Press the button to add a new VPN tunnel.
[Screenshot: IPsec VPN page]

The Local interface should be WLS for the wireless 3G/GPRS interface. The remote peer is table entry 2, weslab.home.dyndns.org.
[Screenshot: tunnel settings page with the remote address field (2)]
Configure the authentication for Internet Key Exchange (IKE) and Dead Peer Detection. The ID must be preceded with a @ sign to indicate a type 2 or 3 (RFC 2407) string ID, so the local ID is entered as @mrd310 and the peer ID as @dr250.
[Screenshot: authentication page; the numbered fields take table entries 20 (IKE mode), 11 (PSK), 10 (peer ID), 9 (local ID), 16 (Dead Peer Detection) and 17 (DPD delay and timeout).]

Next configure the Phase 1 and Phase 2 encryption and proposal for the tunnel.
[Screenshot: Phase 1 encryption (21), authentication (22), Diffie Hellman group (23) and IKE SA lifetime (24); Phase 2 ESP encryption (25), ESP authentication (26), SA lifetime (27) and Perfect Forward Secrecy (28).]
Finally we set NAT traversal, since our MRD-310 has a private IP address dynamically assigned by the 3G provider. Set Enabled to start the IPsec VPN connection.
[Screenshot: NAT traversal (14), NAT-T keepalive (15) and MTU (18) fields.]

LAN to LAN IPsec must know which IP packets to protect, so these must be specified under tunnel networks as subnet address/subnet mask. "LAN subnet" applies the subnet and mask configured on the Ethernet port of the MRD-310 as the local network (table entry 3); the remote network is the responder's LAN (table entry 4).
[Screenshot: tunnel networks page with the local (3) and remote (4) network fields.]
Diagnostics
In the DR-250 you can configure a high level of debug detail for troubleshooting. Select: FULL MENU > Configure > Analyser. Turn the Analyser on and select IKE debug. The debug output can be viewed by selecting: FULL MENU > Status > Analyser Trace. Turn the Analyser off again once the tunnel is working.

In the MRD-310 select: Status > VPN for details about the VPN status. Further information is available in the System Log.
IPsec Network setup table (blank copy for your own deployment)

[Network diagram: Initiator (behind the APN) to Responder across the Internet, joined by a LAN to LAN IPsec tunnel.]

General                      Initiator                     Responder
External address IP or FQDN   1  ________________          2  ________________
Internal IP address           3  ________________          4  ________________
Internal subnet mask          5  ________________          6  ________________
ID type (RFC 2407)            7  ________________          8  ________________
ID value                      9  ________________         10  ________________
PSK                          11  ________________
Certificate                  12  ________________         13  ________________
NAT Traversal                14  ________________
NAT-T keepalive              15  ________________
Dead Peer Detection          16  ________________
DPD delay & timeout          17  ________________
MTU                          18  ________________         19  ________________

IKE phase 1
Mode                         20  ________________
Encryption                   21  ________________
Authentication               22  ________________
Diffie Hellman group         23  ________________
IKE SA lifetime              24  ________________

IKE phase 2
ESP encryption               25  ________________
ESP authentication           26  ________________
SA lifetime                  27  ________________
Perfect Forward Secrecy      28  ________________
Technical Support
If you require assistance with any of the instructions in this application note you can contact Westermo as follows:

Sweden: E-mail [email protected], Tel: +46 (0)16 42 80 00, Fax: +46 (0)16 42 80 01
France: E-mail [email protected], Tel: +33 1 69 10 21 00, Fax: +33 1 69 10 21 01
United Kingdom: E-mail [email protected], Tel: +44 (0)1489 580585, Fax: +44 (0)1489 580586
Singapore: E-mail [email protected], Tel: +65 6743 9801, Fax: +65 6745 0670
Germany: E-mail [email protected], Tel: +49 (0)7254 95400-0, Fax: +49 (0)7254 95400-9