
Questionnaire for IPsec VPN Deployment with CTM200

Model: CTM-200    Revision: 1.0

Cypress Solutions
3066 Beta Avenue, Burnaby, B.C. V5G 4K4
Phone: 604.294.4465  Fax: 604.294.4471  support@cypress.bc.ca


1 Overview
A VPN provides a secure, routable connection between a remote wireless device (modem) with a static IP on the public Internet and a remote server. Data transmitted and received by the modem is protected inside the VPN tunnel. Internet Protocol Security (IPsec) is a protocol suite that secures communication at the Internet Protocol (IP), or network, layer. IPsec provides security in the following ways:
- Data confidentiality: data sent across the tunnel is encrypted, so it cannot be read if intercepted
- Origin authentication: the identity of each peer in the tunnel is validated, preventing impersonation of devices
- Integrity validation: data sent across the tunnel is checked on receipt, so tampering is detected
The Cypress Chameleon series of industrial wireless data routers/modems supports IPsec VPN communications.

2 Purpose of this Document


This document guides the user in validating their IPsec VPN router setup and in troubleshooting the CTM-200's IPsec interoperability with that VPN router.

3 CTM-200 features
3.1 IPsec protocols
The CTM-200 supports site-to-site VPN tunnels with equipment that supports the IPsec protocol suite, specifically the Encapsulating Security Payload (ESP) protocol in tunnel mode (AH and transport mode are not supported).

3.2 IPsec device role

The CTM-200 supports both the IPsec initiator (client) and the responder (server) roles.

3.3 IPsec supported VPN equipment

The CTM-200 interoperates with IPsec equipment using the above protocols, including but not limited to the following hardware:
- Checkpoint VPN-1
- Cisco PIX firewalls, VPN concentrators and routers running IOS
- Enterasys routers with VPN capabilities
- IBM/ISS Proventia UTM
- Intoto
- Juniper E-series and Netscreen series
- Nokia
- Nortel VPN Routers
- SonicWALL Firewall/VPN Appliances

2012 Cypress Solutions Questionnaire for IPsec VPN Deployment with CTM200


4 Questionnaire
4.1 Are you familiar with IPsec VPN terminology and equipment?
If so, continue to the next steps. If not, you will first require a basic understanding of what a virtual private network (VPN) is, what Internet Protocol Security (IPsec) is, and how IPsec is used to build VPN tunnels. Please refer to online resources for details. We suggest the following pages:
- IPsec on Wikipedia
- An Illustrated Guide to IPsec (note: the CTM-200 only supports the IPsec ESP (Encapsulating Security Payload) protocol in tunnel mode)
- IPsec Simplified
Also refer to your VPN router's documentation on configuring a site-to-site IPsec VPN for details.

4.2 Do you have a network diagram of the desired IPsec topology?

Please create a network diagram that completely specifies your IPsec topology and clearly includes the following elements, at a minimum:
- Corporate IPsec VPN router
  - WAN IP address
  - Local subnet(s)
  - Intermediate local switches/routers
  - End devices/hosts
- CTM-200
  - WAN IP address
  - Local subnet(s)
  - Intermediate local switches/routers
  - End devices/hosts
- Test host behind the VPN router and its LAN IP address
- Test host behind the CTM-200 and its LAN IP address
This IPsec topology will assist you with CTM-200 configuration, VPN functionality validation and verification, and troubleshooting.

4.3 What is your IPsec application?

Determine how you will be using the CTM-200 and its IPsec VPN functionality.

VPN between CTM-200 and corporate VPN router
- The local network connected to the CTM-200 (e.g. local site) is securely connected to the local network connected to the corporate VPN router (e.g. remote site)
- Most common VPN application
- Builds upon an organization's existing IT infrastructure


VPN between CTM-200 devices
- The local network connected to one CTM-200 (e.g. local site) is securely connected to the local network connected to another CTM-200 (e.g. remote site)
- Low-cost VPN solution (another CTM-200 device is required instead of a corporate VPN router)
- Increased latency on the VPN tunnel link, depending on the type of wireless connection at each end
Please use the IPsec topology diagram to confirm your IPsec application.

4.4 Do you have access to the proper IT resources?

During the support cycle, you should have access to resources (IT personnel) responsible for your IPsec VPN router (Cisco, Juniper, etc.) for validating data routing. IT personnel should have the ability to configure the VPN router with the WAN IP address (static IP configuration) and the LAN subnet of the CTM-200 (e.g. LAN0: 192.168.1.0/24 or LAN1: 192.168.2.0/24).

4.5 Have you verified that the IPsec VPN configuration on your VPN router is valid and already working?

Before testing IPsec VPN interoperability with the CTM-200, verify that the IPsec VPN configuration on your VPN router is valid and already working. Typically, verification involves configuring an alternate platform/device (e.g. another VPN router, or a laptop running IPsec VPN client software) as an IPsec VPN initiator and confirming that a valid VPN tunnel session can be established with your VPN router. If an alternate platform/device is not available, review the VPN router configuration and consult the router's documentation to validate it.

4.6 Do you know the IPsec parameters already configured on the VPN router?

Gather configuration details about the current corporate/office IPsec VPN router. These settings will need to be matched on the CTM-200. Where both ends support it, prefer aes/aes256 with sha1; des, 3des and md5 are listed only for interoperability with older equipment.

IPsec parameters to record:
  General
    NAT-Traversal (NAT-T)
    NAT-T keep-alive interval, in seconds
    Role of the current VPN router (Initiator or Responder)
    Split tunneling or full tunneling
  IKE (Phase 1)
    IKE exchange mode (Main or Aggressive)
    VPN router's WAN IP address
    Remote ID type (none, IP address, USER_FQDN, FQDN, KEY_ID)
    Remote ID
    Verify Remote ID (Off or On)
    Proposal check (obey, strict, claim, exact)
    IKE encryption (3des, aes256, aes, des)
    IKE HMAC (sha1 or md5)
    IKE Diffie-Hellman group
    IKE lifetime, in seconds
    IKE rekeying (On or Off)
    Dead Peer Detection
    DPD delay, in seconds
    DPD retry
    DPD maxfail
  IPsec (Phase 2)
    IPsec encryption (3des, aes256, aes, des, blowfish)
    IPsec HMAC (hmac_sha1 or hmac_md5)
    IPsec Perfect Forward Secrecy
    IPsec lifetime, in seconds
  Tunnel networks
    Protected remote subnet(s) (IP address and netmask) behind the VPN router

4.7 Do you know the IPsec parameters to be configured on the CTM-200 unit(s)?

Gather configuration details about the CTM-200 unit(s). Typically, these are assigned to you by your IT personnel.

  CTM-200 LAN IP
    Local tunnel subnet (LAN0 or LAN1)
    LAN IP address of the local tunnel subnet (e.g. 192.168.1.1)
    Local tunnel network IP and subnet (e.g. 192.168.1.0/24)
  CTM-200 IPsec role
    If Initiator: Initial Contact: On, Passive: Off
    If Responder: Initial Contact: Off, Passive: On
  CTM-200 IPsec watchdog parameters (used if the CTM-200 is the initiator and the VPN tunnel must be brought up automatically)
    Remote subnet target LAN IP address
    Remote target ping interval, in seconds
  CTM-200 IKE Phase 1
    Local ID type (none, IP address, USER_FQDN, FQDN, KEY_ID)
    Local ID
    Pre-Shared Key (authenticates IKE Phase 1; please protect this information and do not include it in log captures or support requests)

4.8 Can basic communication occur between the CTM-200 and the VPN router?

Follow the basic troubleshooting steps below to ensure basic communication (i.e. communication without the IPsec VPN tunnel) between the CTM-200 and the VPN router.

4.8.1 Verify RF signal strength

Determine whether the RF signal strength (RSSI) is sufficient for reliable communication:
- In the Web interface, on the Status | Details page, check the Primary and Secondary fields under System Info
- In the command-line interface, check the Primary and Secondary fields in the output of cmd showstate
A consistent RSSI below -95 dBm (e.g. -100 dBm) will result in unreliable communication (e.g. intermittent lost packets). Try reorienting the RF antenna to improve signal conditions, or consider using a different RF antenna.

4.8.2 Basic ping test

1. Connect a laptop to the CTM-200 Ethernet port selected by the Local Tunnel Subnet setting
2. Find the IP address of a host behind the customer's IPsec VPN router that accepts ICMP pings (the ping target)
3. From a Windows Command Prompt on the laptop, continuously ping the target (e.g. 1.2.3.4):
     ping -t 1.2.3.4
4. The first few pings may return "Request timed out", followed by successful replies such as:
     Reply from 1.2.3.4: bytes=32 time=267ms TTL=49

4.8.3 Verify the CTM-200 has a valid IP address

From the Web interface, verify on the Status | Info page that Cell is "up" and the IP is not 0.0.0.0. From the command-line interface, verify that cmd ipadr returns an IP address other than 0.0.0.0.

If the IP address is 0.0.0.0:
- Contact your wireless network provider and verify that the cell device's account has been activated
- Verify that the cell device has been properly configured in the CTM-200. See "How to Activate a CTM-200" for details.

4.8.4 Verify the Ethernet device is connected to the correct LAN port
Verify that the Ethernet device (e.g. PC, laptop, etc.) is connected to the LAN port configured via cmd ipsec localnet (e.g. if cmd ipsec localnet 1 then the laptop should be connected to the Ethernet port marked "LAN1" or "LAN")

4.8.5 Validate Data Routing from CTM-200 to VPN router when VPN tunnel is disabled
From a PC connected to one of the CTM-200's Ethernet ports, ping the IPsec VPN router's outside/WAN IP address and see whether pings succeed. If pings fail, pings between the CTM-200 and router may be disabled on the network side. In this case, access another known service on the VPN router (e.g. HTTP web server, FTP server, etc.).

4.8.6 Validate Data Routing from VPN router to CTM-200 when VPN tunnel is disabled
From the IPsec VPN router or a PC connected to the router, ping the CTM-200 at its WAN IP address and see whether pings succeed. If pings fail, pings between the CTM-200 and router may be disabled on the network side. In this case, access another known service on the CTM-200 (e.g. Web configuration, Telnet/SSH access, etc.).

4.9 Are the CTM-200's IPsec settings valid?

Mismatched or invalid IPsec settings, specifically the Phase 1 and Phase 2 encryption settings and lifetime values, are the most common causes of errors in initial IPsec deployments.

4.9.1 Verify the CTM-200's IPsec settings match the VPN router's settings

Verify that the correct VPN router WAN IP address is configured:
  cmd ipsec ikepeerid address
  cmd ipsec remgw
  cat /var/config/racoon/psk.txt    # the pre-shared key entry must be keyed on the same IP as cmd ipsec remgw
Note that psk.txt holds the pre-shared key in clear text: view it on the unit, but do not copy it into log captures or support requests.

Verify that the correct subnets behind the VPN router are configured (check the network IP address and netmask):
  cmd ipsec remnet

For Phase 1 errors, verify that the CTM-200 IKE Phase 1 settings match the VPN router's settings:
  cmd ipsec ikeauth
  cmd ipsec ikedhgroup
  cmd ipsec ikeenc
  cmd ipsec ikeexchange
  cmd ipsec ikehash
  cmd ipsec ikelifetime

For Phase 2 errors, verify that the CTM-200 IPsec Phase 2 settings match the VPN router's settings:
  cmd ipsec natt
  cmd ipsec saauth
  cmd ipsec saenc
  cmd ipsec salifetime
  cmd ipsec sapfsgroup

4.9.2 Ensure the IPsec LAN IP subnet is not contained in a configured IPsec remote subnet

Ensure that the LAN IP subnet used for IPsec is not contained in a configured IPsec remote subnet. For example, the following configuration is an invalid IPsec topology:
  cmd lanip 1 172.16.211.1 255.255.255.0
  cmd ipsec localnet 1
  cmd ipsec remnet 1 172.16.0.0 16
This is invalid because the LAN1 subnet 172.16.211.0/24 lies inside the remote subnet 172.16.0.0/16: the IPsec policies that protect traffic to and from 172.16.0.0/16 then also match traffic between a laptop on LAN1 and the CTM-200's own LAN1 address, and that traffic is expected to arrive through the tunnel rather than in the clear. The typical symptom is that you cannot ping or Telnet to the CTM-200 itself from a laptop connected to its IPsec LAN IP subnet.
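The containment rule above can be checked mechanically for every LAN/remote-subnet pair before a unit ships. The following POSIX sh script is an added example written for this page, not Cypress Solutions' own tooling: it takes the values you would give to cmd lanip and cmd ipsec remnet as arguments (it does not read the CTM-200 configuration itself) and goes slightly beyond the text by flagging any overlap between the local and remote subnets, not only the case where the local subnet lies inside the remote one. It uses only shell arithmetic, so it runs on a BusyBox shell as well as on a laptop.

```shell
#!/bin/sh
# Added example for section 4.9.2 (not Cypress Solutions' code).
# Checks that the CTM-200's IPsec LAN subnet does not overlap a configured
# remote subnet. Pure POSIX sh arithmetic; no external commands needed.

# Dotted-quad IPv4 address -> unsigned 32-bit integer.
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Unsigned 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0-32) -> network mask as an integer.
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# Dotted netmask as given to `cmd lanip` (e.g. 255.255.255.0) -> prefix length.
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# cidr_contains OUTER INNER: true (0) if every address of INNER is in OUTER.
cidr_contains() {
    o_net=${1%/*}; o_len=${1#*/}
    i_net=${2%/*}; i_len=${2#*/}
    [ "$i_len" -ge "$o_len" ] || return 1
    o_mask=$(prefix_to_mask "$o_len")
    [ $(( $(ip_to_int "$i_net") & o_mask )) -eq $(( $(ip_to_int "$o_net") & o_mask )) ]
}

# cidr_overlap A B: true if the two subnets share any address.
cidr_overlap() {
    cidr_contains "$1" "$2" || cidr_contains "$2" "$1"
}

# check_ipsec_localnet LAN_IP LAN_MASK REMOTE_NET REMOTE_PREFIX
#   LAN_IP/LAN_MASK       as passed to `cmd lanip <n> ...`
#   REMOTE_NET/PREFIX     as passed to `cmd ipsec remnet <n> ...`
# Prints a verdict; returns 0 for a usable topology, 1 for an invalid one.
check_ipsec_localnet() {
    lan_len=$(mask_to_prefix "$2")
    lan_net=$(int_to_ip $(( $(ip_to_int "$1") & $(prefix_to_mask "$lan_len") )))
    local_cidr=$lan_net/$lan_len
    remote_cidr=$3/$4
    if cidr_contains "$remote_cidr" "$local_cidr"; then
        echo "INVALID: local subnet $local_cidr is inside remote subnet $remote_cidr"
        return 1
    elif cidr_overlap "$remote_cidr" "$local_cidr"; then
        echo "INVALID: local subnet $local_cidr overlaps remote subnet $remote_cidr"
        return 1
    fi
    echo "OK: local subnet $local_cidr does not overlap remote subnet $remote_cidr"
}

# The invalid topology from section 4.9.2, followed by a valid one.
check_ipsec_localnet 172.16.211.1 255.255.255.0 172.16.0.0 16 || :
check_ipsec_localnet 192.168.1.1 255.255.255.0 172.16.0.0 16 || :
```

With several remote subnets configured (cmd ipsec remnet 1, 2, ...), run check_ipsec_localnet once per remote subnet against the same LAN address; any INVALID line means the laptop on that LAN will lose contact with the CTM-200 as soon as the policies are installed.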

4.10 Which IPsec negotiation phase is failing (IKE Phase 1 or IPsec Phase 2) and why?
4.10.1 Check the CTM-200's syslog
Check the CTM-200's syslog to determine which of the IPsec negotiation phases is failing and the reason for the failure:
1. From the Web interface, go to the Log | Syslog page and view the text under the Syslog Messages section
2. From the command-line interface, enter cmd syslog

Sample IKE Phase 1 syslog error messages:

  racoon: ERROR: couldn't find the pskey for xxx.xxx.xxx.xxx
  racoon: ERROR: phase1 negotiation failed.
Reason for failure: pre-shared key not set on the initiator for the configured remote gateway

  racoon: ERROR: phase1 negotiation failed due to time up.
Reasons for failure: incorrect remote gateway configured at the responder, OR a mismatch in one or more IKE Phase 1 settings

Sample IPsec Phase 2 syslog error messages:

  racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Reason for failure: remote subnet configured on the initiator does not match the actual remote subnet behind the responder

  racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
  OR
  racoon: ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
Reason for failure: mismatch in one or more IPsec Phase 2 settings (the spelling "messsage" is racoon's own and appears verbatim in the log)
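The messages above can be triaged automatically when a syslog capture is long or is collected from several units. The following POSIX sh script is an added example for this page, not part of the CTM-200 firmware: it maps each racoon ERROR line from cmd syslog to the phase and cause listed in 4.10.1 and then reports which phase to fix first (Phase 1 always takes precedence, since Phase 2 cannot be negotiated until Phase 1 succeeds). The sample syslog embedded in it is constructed for the example; the ERROR text is as quoted above, while the timestamps, hostname and INFO lines are assumed.

```shell
#!/bin/sh
# Added example for section 4.10.1 (not Cypress Solutions' code).
# Maps racoon ERROR lines from `cmd syslog` to the IPsec negotiation phase
# and likely cause, then gives a verdict on which phase to fix first.

# classify_racoon_line LINE
# Prints "PHASEn cause: hint" and returns 0 for a known racoon error;
# prints nothing and returns 1 for any other line.
classify_racoon_line() {
    line=$1
    case $line in
        *"couldn't find the pskey for"*)
            gw=${line##*pskey for }; gw=${gw%.}
            echo "PHASE1 psk-missing: no pre-shared key for remote gateway $gw (check cmd ipsec remgw and psk.txt)" ;;
        *"phase1 negotiation failed due to time up"*)
            echo "PHASE1 timeout: wrong remote gateway at the responder, or an IKE Phase 1 mismatch (ikeenc/ikehash/ikedhgroup/ikeexchange/ikelifetime)" ;;
        *"phase1 negotiation failed"*)
            echo "PHASE1 failed: see the racoon ERROR line just before this one for the cause" ;;
        *"give up to get IPsec-SA due to time up"*)
            echo "PHASE2 timeout: cmd ipsec remnet on the initiator does not match the subnet behind the responder" ;;
        *"NO-PROPOSAL-CHOSEN"*)
            echo "PHASE2 proposal-mismatch: an IPsec Phase 2 setting differs (saenc/saauth/salifetime/sapfsgroup/natt)" ;;
        *)
            return 1 ;;
    esac
}

# triage_syslog < syslog-text
# Prints one hint per recognised line, then a single VERDICT line.
triage_syslog() {
    p1=0; p2=0
    while IFS= read -r l; do
        if hint=$(classify_racoon_line "$l"); then
            echo "$hint"
            case $hint in
                PHASE1*) p1=1 ;;
                PHASE2*) p2=1 ;;
            esac
        fi
    done
    if [ "$p1" -eq 1 ]; then
        echo "VERDICT: IKE Phase 1 is failing; fix Phase 1 settings before looking at Phase 2"
    elif [ "$p2" -eq 1 ]; then
        echo "VERDICT: IKE Phase 1 completed; IPsec Phase 2 is failing"
    else
        echo "VERDICT: no known racoon errors found"
    fi
}

# triage_verdict < syslog-text: only the final VERDICT line, for scripting.
triage_verdict() {
    triage_syslog | tail -n 1
}

# Constructed sample syslog for a Phase 2 failure. The ERROR line is the text
# quoted in 4.10.1; timestamps, hostname and INFO lines are assumed.
SAMPLE_SYSLOG='May 22 17:00:58 CTM200 racoon: INFO: initiate new phase 1 negotiation: 173.181.245.148[500]<=>69.90.37.170[500]
May 22 17:00:59 CTM200 racoon: INFO: ISAKMP-SA established 173.181.245.148[500]-69.90.37.170[500]
May 22 17:00:59 CTM200 racoon: INFO: initiate new phase 2 negotiation: 173.181.245.148[500]<=>69.90.37.170[500]
May 22 17:01:29 CTM200 racoon: ERROR: 69.90.37.170 give up to get IPsec-SA due to time up to wait.
May 22 17:01:30 CTM200 kernel: eth0: link up'

printf '%s\n' "$SAMPLE_SYSLOG" | triage_syslog
```

On the unit itself, or on a laptop with a saved capture, feed the real log in the same way: cmd syslog | triage_syslog, or triage_syslog < ctm200.log.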

4.10.2 Check the logs on the VPN router


Check the VPN router's logs to determine which of the IPsec negotiation phases is failing and the reason for the failure. Consult your IT personnel or the VPN router's documentation for details on obtaining the logs.

4.10.3 Verify IPsec settings and retest


Based on the error messages in the CTM-200's syslog and the VPN router's logs, verify the IPsec settings on both the CTM-200 and the VPN router, then retest.


5 Information Required for Support


After going through this questionnaire, you may in some cases need to contact Cypress Solutions for troubleshooting assistance. So that Cypress Solutions support staff can properly diagnose the problem, please gather the details listed below.

5.1.1 Provide a Detailed Topology Diagram


Refer to section 4.2 for the elements the topology diagram must include.

5.1.2 Enable detailed IPsec VPN debugging on the CTM-200

Enable detailed IPsec debugging. In the Web interface, under the IPsec | General page, set the Log Level field to debug. In the command-line interface, enter the following commands:
  cmd ipsec loglevel debug
  cmd save
  cmd pwr mode 2

5.1.3 Capture basic diagnostic logs

In the Web interface, copy the following and paste them into a text file (Notepad, WordPad, Word, etc.):
- Status | Details (System Info)
- Status | ShowConfig
- Log | Syslog (Syslog Messages)
- Log | Events (Event Log)
- Status | RFstats
From the Windows Command Prompt, start a Telnet session that logs to a file in the current working directory with telnet -f <log file name> <LAN IP address>, e.g.:
  telnet -f ctm200.log 192.168.1.1
In the command-line interface, enter the following commands:
  cmd showstate
  cmd showconfig
  cmd syslog
  cmd event dump
  cmd rfstats
Review the capture for the pre-shared key before sending it and redact it if present (see 4.7).

5.1.4 Check that the IPsec VPN tunnel is up

Capture the output of the following command:
  setkey -DP
Note that setkey -DP dumps the security policy database (the SPD entries installed from the CTM-200's IPsec configuration), whereas the security associations actually negotiated by IKE are listed by setkey -D. Policies can be present while no tunnel is established, so capture both.

Sample output of a working tunnel:
  / # setkey -DP
  172.16.7.0/24[any] 192.168.0.0/16[any] 255
          out prio def ipsec
          esp/tunnel/173.181.245.148-69.90.37.170/unique#16815
          created: May 22 17:01:24 2012  lastused:
          lifetime: 0(s) validtime: 0(s)
          spid=5225 seq=1 pid=20041
          refcnt=1
  192.168.0.0/16[any] 172.16.7.0/24[any] 255
          fwd prio def ipsec
          esp/tunnel/69.90.37.170-173.181.245.148/require
          created: May 22 17:01:24 2012  lastused:
          lifetime: 0(s) validtime: 0(s)
          spid=5218 seq=2 pid=20041
          refcnt=1
  192.168.0.0/16[any] 172.16.7.0/24[any] 255
          in prio def ipsec
          esp/tunnel/69.90.37.170-173.181.245.148/unique#16814
          created: May 22 17:01:24 2012  lastused:
          lifetime: 0(s) validtime: 0(s)
          spid=5208 seq=3 pid=20041
          refcnt=1

5.1.5 Capture the routing table on the CTM-200

Use ip route list instead of, or in addition to, route: it also shows the source address selected for each route (the src 172.16.7.1 in this case), and traffic the CTM-200 originates itself only matches the tunnel policy if that source address lies inside the local tunnel subnet:
  root@CTM200:~# ip route list
  10.64.64.64 dev ppp0  proto kernel  scope link  src 173.181.245.148
  69.90.37.170 via 10.64.64.64 dev ppp0
  ...
  192.168.0.0/16 via 10.64.64.64 dev ppp0  src 172.16.7.1
  default via 10.64.64.64 dev ppp0

5.1.6 Capture the firewall rules for the defined IPsec tunnels

Use iptables -t nat -L to verify that the PREROUTING/POSTROUTING rules for the tunnels are defined. The ACCEPT entries for each remote subnet must come before the MASQUERADE rule in POSTROUTING; otherwise packets bound for the remote subnet would be source-NATed to the WAN address before the IPsec policy is consulted and would no longer match the tunnel selector.
  root@CTM200:~# iptables -t nat -L
  Chain PREROUTING (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     all  --  192.168.0.0/16       anywhere
  ...
  ACCEPT     all  --  192.9.0.0/16         anywhere
  ACCEPT     all  --  10.183.0.0/16        anywhere

  Chain POSTROUTING (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             192.168.0.0/16
  ...
  ACCEPT     all  --  anywhere             192.9.0.0/16
  ACCEPT     all  --  anywhere             10.183.0.0/16
  ACCEPT     esp  --  anywhere             anywhere
  MASQUERADE all  --  anywhere             anywhere
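The rule-ordering check above can be scripted so that it is run against the live NAT table rather than read by eye. The following POSIX sh script is an added example for this page, not Cypress Solutions' tooling: it parses the text of iptables -t nat -L and confirms that each remote subnet from cmd ipsec remnet has an ACCEPT in PREROUTING and an ACCEPT in POSTROUTING that precedes any MASQUERADE (or SNAT, which is an assumed generalization beyond the sample). The NAT dumps embedded in it are constructed for the example: one modelled on the 5.1.6 sample with the elided rows dropped, and a deliberately broken variant with MASQUERADE placed first.

```shell
#!/bin/sh
# Added example for section 5.1.6 (not Cypress Solutions' code).
# Parses `iptables -t nat -L` output and checks that every IPsec remote
# subnet is exempted from NAT before the MASQUERADE rule can rewrite it.

# nat_accept_before_masq CHAIN src|dst SUBNET  < iptables-nat-dump
# Returns 0 if CHAIN has an ACCEPT rule whose source (src) or destination
# (dst) column equals SUBNET and that rule precedes any MASQUERADE/SNAT in
# the same chain; returns 1 otherwise.
nat_accept_before_masq() {
    want_chain=$1; column=$2; subnet=$3
    chain=""; nat_seen=0; found=1
    while read -r target proto opt src dst rest; do
        case $target in
            Chain) chain=$proto; nat_seen=0; continue ;;   # "Chain POSTROUTING (policy ACCEPT)"
            target|"") continue ;;                         # column header or blank line
        esac
        [ "$chain" = "$want_chain" ] || continue
        case $target in
            MASQUERADE|SNAT) nat_seen=1 ;;
            ACCEPT)
                if [ "$column" = src ]; then v=$src; else v=$dst; fi
                if [ "$v" = "$subnet" ] && [ "$nat_seen" -eq 0 ]; then found=0; fi ;;
        esac
    done
    return $found
}

# check_tunnel_nat_rules NAT_DUMP SUBNET...
# NAT_DUMP is the text of `iptables -t nat -L`; SUBNETs are the remote
# networks from `cmd ipsec remnet`. Prints one line per subnet and returns 1
# if any subnet is not exempted in both chains.
check_tunnel_nat_rules() {
    dump=$1; shift; rc=0
    for net in "$@"; do
        if printf '%s\n' "$dump" | nat_accept_before_masq PREROUTING src "$net" &&
           printf '%s\n' "$dump" | nat_accept_before_masq POSTROUTING dst "$net"; then
            echo "OK: $net is exempted from NAT in PREROUTING and POSTROUTING"
        else
            echo "MISSING: $net has no ACCEPT ahead of MASQUERADE; traffic to it would be NATed to the WAN address and miss the tunnel selector"
            rc=1
        fi
    done
    return $rc
}

# Constructed dump modelled on the 5.1.6 sample (elided rows omitted).
NAT_DUMP_GOOD='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     all  --  192.9.0.0/16         anywhere
ACCEPT     all  --  10.183.0.0/16        anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.0.0/16
ACCEPT     all  --  anywhere             192.9.0.0/16
ACCEPT     all  --  anywhere             10.183.0.0/16
ACCEPT     esp  --  anywhere             anywhere
MASQUERADE all  --  anywhere             anywhere'

# Constructed broken variant: MASQUERADE first, so the ACCEPT never matches.
NAT_DUMP_BAD='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/16       anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.0.0/16'

check_tunnel_nat_rules "$NAT_DUMP_GOOD" 192.168.0.0/16 192.9.0.0/16 10.183.0.0/16
check_tunnel_nat_rules "$NAT_DUMP_BAD" 192.168.0.0/16 || :
```

On the unit, run it against the live table with check_tunnel_nat_rules "$(iptables -t nat -L)" followed by each subnet from cmd ipsec remnet. A MISSING line for a subnet that the setkey -DP policies cover explains a tunnel that negotiates successfully but carries no traffic.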


6 Technical Support
Cypress Solutions Service Support Group
Phone: 1.877.985.2878 or 604.294.4465, 9:00am to 5:00pm PST
E-mail: support@cypress.bc.ca
