Model: CTM-200
Revision: 1.0
3066 Beta Avenue, Burnaby, B.C. V5G 4K4
Phone: 604.294.4465  Fax: 604.294.4471  support@cypress.bc.ca
1 Overview
A VPN can be used to provide a secure, routable connection between a remote wireless device (modem) on the public Internet with a static IP and a remote server. The data being transmitted and received by the modem is secure within a protected VPN tunnel.

Internet Protocol Security (IPsec) is a protocol suite that enables devices to secure communication at the Internet Protocol (IP), or network, layer. IPsec provides security in the following ways:

- Data confidentiality: Data communicated across the tunnel is encrypted to prevent the deciphering of data if intercepted.
- Origin authentication: The identity of each peer in the tunnel is validated to prevent the impersonation of devices.
- Integrity validation: Data communicated across the tunnel is validated to prevent data tampering.

The Cypress Chameleon series of industrial wireless data routers/modems support IPsec VPN communications.
3 CTM-200 features
3.1 IPsec protocols
The CTM-200 supports site-to-site VPN tunnels with equipment that supports the IPsec protocol suite, specifically the ESP (Encapsulating Security Payload) protocol in Tunnel mode.
3.2
The CTM-200 supports both the IPsec initiator (client) and the responder (server) roles.
3.3
The CTM-200 interoperates with IPsec equipment using the above protocols, including but not limited to the following hardware:

- Checkpoint VPN-1
- Cisco PIX firewalls, VPN concentrators and routers running IOS
- Enterasys routers with VPN capabilities
- IBM/ISS Proventia UTM
- Intoto
- Juniper E-series and Netscreen series
- Nokia
- Nortel VPN Routers
- SonicWALL Firewall/VPN Appliances
2012 Cypress Solutions Questionnaire for IPsec VPN Deployment with CTM200
4 Questionnaire
4.1 Are you familiar with IPsec VPN terminology and equipment?
If so, continue to the next steps. If not, you will first require a basic understanding of what a virtual private network (VPN) is, what Internet Protocol Security (IPsec) is, and how IPsec is used to establish VPN tunnels. Please refer to online resources for details. We suggest the following pages:

- IPsec on Wikipedia
- An Illustrated Guide to IPsec (Note: the CTM-200 only supports the IPsec ESP (Encapsulating Security Payload) protocol in Tunnel mode)
- IPsec Simplified

Also, please refer to your VPN router's documentation on configuring a site-to-site IPsec VPN for details.
4.2
Please create a network diagram that completely specifies your IPsec topology and clearly includes the following elements, at a minimum:

- Corporate IPsec VPN router
  o WAN IP address
  o Local subnet(s)
  o Intermediate local switches/routers
  o End devices/hosts
- CTM-200
  o WAN IP address
  o Local subnet(s)
  o Intermediate local switches/routers
  o End devices/hosts
- Test host behind the VPN router and its LAN IP address
- Test host behind the CTM-200 and its LAN IP address

This IPsec topology will assist you with CTM-200 configuration, VPN functionality validation and verification, and troubleshooting.
4.3
Determine how you will be using the CTM-200 and its IPsec VPN functionality.
4.4
During the support cycle, you should have access to resources (IT personnel) behind your IPsec VPN router (Cisco, Juniper, etc.) for validating data routing. IT personnel should be able to configure the VPN router with the WAN IP address (static IP configuration) and the LAN subnet of the CTM-200 (e.g. LAN0: 192.168.1.0/24 or LAN1: 192.168.2.0/24).
4.5
Have you verified that IPsec VPN configuration on your VPN router is valid and already working?
Before testing IPsec VPN interoperability with the CTM-200, please verify that the IPsec VPN configuration on your VPN router is valid and already working. Typically, verification involves configuring an alternate platform/device (e.g. another VPN router, a laptop running IPsec VPN client software, etc.) as an IPsec VPN initiator and confirming that a valid VPN tunnel session can be established with your VPN router. If an alternate platform/device is not available, please review the VPN router configuration and consult the router's documentation to validate your router configuration.
4.6
Do you know the IPsec parameters already configured on the VPN router?
Gather configuration details about the current corporate/office IPsec VPN router. These settings will need to be matched on the CTM-200.

IPsec parameters (general):
- NAT-Traversal (NAT-T)
- NAT-T keep-alive interval, in seconds
- Role of current VPN router (Initiator or Responder)
- Split tunneling or full tunneling

IKE (Phase 1):
- IKE exchange mode (Main or Aggressive)
- VPN router's WAN IP address
- Remote ID type (none, IP address, USER_FQDN, FQDN, KEY_ID)
- Remote ID
- Verify Remote ID (Off or On)
- Proposal check (obey, strict, claim, exact)
- IKE encryption (3des, aes256, aes, des)
- IKE HMAC (sha1 or md5)
- IKE Diffie-Hellman group
- IKE lifetime, in seconds
- IKE rekeying (On or Off)
- Dead Peer Detection (DPD)
- DPD delay, in seconds
- DPD retry
- DPD maxfail

IKE (Phase 2):
- IPsec encryption (3des, aes256, aes, des, blowfish)
- IPsec HMAC (hmac_sha1 or hmac_md5)
- IPsec Perfect Forward Secrecy
- IPsec lifetime, in seconds

Tunnel networks:
- Protected remote subnets (IP address and netmask) behind the VPN router
4.7
Gather configuration details about the CTM-200 unit(s). Typically, these will be assigned to you by your IT personnel.

CTM-200 LAN IP:
- Local tunnel subnet (LAN0 or LAN1)
- LAN IP address of the local tunnel subnet (e.g. 192.168.1.1)
- Local tunnel network IP and subnet (e.g. 192.168.1.0/24)

CTM-200 IPsec role:
- If Initiator: Initial Contact: On; Passive: Off
- If Responder: Initial Contact: Off; Passive: On

CTM-200 IPsec watchdog parameters (used if the CTM-200 is the initiator and the VPN tunnel must be brought up automatically):
- Remote subnet target LAN IP address
- Remote target ping interval, in seconds

CTM-200 IKE Phase 1:
- Local ID type (none, IP address, USER_FQDN, FQDN, KEY_ID)
- Local ID

CTM-200 IKE Phase 2:
- Pre-Shared Key (please protect this information)
4.8
Can basic communication occur between the CTM-200 and the VPN router?
Please follow the basic troubleshooting steps below to ensure basic communication (i.e. communication without the IPsec VPN tunnel) between the CTM-200 and the VPN router.
If the IP address is 0.0.0.0:
- Contact your wireless network provider and verify that the cell device's account has been activated.
- Verify that the cell device has been properly configured in the CTM-200. See "How to Activate a CTM-200" for details.
4.8.4 Verify the Ethernet device is connected to the correct LAN port
Verify that the Ethernet device (e.g. PC, laptop, etc.) is connected to the LAN port configured via cmd ipsec localnet (e.g. if cmd ipsec localnet 1 is set, the laptop should be connected to the Ethernet port marked "LAN1" or "LAN").
4.8.5 Validate Data Routing from CTM-200 to VPN router when VPN tunnel is disabled
From a PC connected to one of the CTM-200's Ethernet ports, ping the IPsec VPN router's outside/WAN IP address and see whether pings succeed. If pings fail, pings between the CTM-200 and router may be disabled on the network side. In this case, access another known service on the VPN router (e.g. HTTP web server, FTP server, etc.).
4.8.6 Validate Data Routing from VPN router to CTM-200 when VPN tunnel is disabled
From the IPsec VPN router or a PC connected to the router, ping the CTM-200 at its WAN IP address and see whether pings succeed. If pings fail, pings between the CTM-200 and router may be disabled on the network side. In this case, access another known service on the CTM-200 (e.g. Web configuration, Telnet/SSH access, etc.).
4.9
Mismatching IPsec settings and configuring invalid settings, specifically Phase 1 and Phase 2 encryption settings and lifetime values, are common causes of errors for initial IPsec deployments.
For Phase 1 errors, verify the CTM-200 IKE Phase 1 settings match the VPN router's settings:
  cmd ipsec ikeauth
  cmd ipsec ikedhgroup
  cmd ipsec ikeenc
  cmd ipsec ikeexchange
  cmd ipsec ikehash
  cmd ipsec ikelifetime

For Phase 2 errors, verify the CTM-200 IPsec Phase 2 settings match the VPN router's settings:
  cmd ipsec natt
  cmd ipsec saauth
  cmd ipsec saenc
  cmd ipsec salifetime
  cmd ipsec sapfsgroup
4.9.2 Ensure IPsec LAN IP is not contained in a configured IPsec remote subnet
Ensure that the LAN IP subnet used for IPsec is not contained in a configured IPsec remote subnet. For example, the following configuration is an invalid IPsec topology:
  cmd lanip 1 172.16.211.1 255.255.255.0
  cmd ipsec localnet 1
  cmd ipsec remnet 1 172.16.0.0 16
This is invalid because the LAN1 subnet 172.16.211.0/24 cannot be contained within the remote subnet 172.16.0.0/16. The typical symptom is that you cannot ping or Telnet to the CTM-200 itself from a laptop connected to its IPsec LAN IP subnet.
4.10 Which IPsec negotiation phase is failing (IKE Phase 1 or IPsec Phase 2) and why?
4.10.1 Check the CTM-200's syslog
Check the CTM-200's syslog to determine which of the IPsec negotiation phases is failing and the reason for the failure:
1. From the web interface, go to the Log | Syslog web page and view the text under the Syslog Messages section.
2. From the command-line interface, enter cmd syslog.

Sample IKE Phase 1 syslog error messages:
racoon: ERROR: couldn't find the pskey for xxx.xxx.xxx.xxx
racoon: ERROR: phase1 negotiation failed.
Reason for failure: Pre-shared key not set on initiator for configured remote gateway
racoon: ERROR: phase1 negotiation failed due to time up.
Reasons for failure: Incorrect remote gateway configured at responder, OR mismatch in one or more IKE Phase 1 settings

Sample IPsec Phase 2 syslog error messages:
racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Reason for failure: Remote subnet configured on initiator does not match actual remote subnet behind responder
racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
OR
racoon: ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
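The triage in 4.10.1 can be scripted over a saved copy of cmd syslog output. The following is an added example, not Cypress code: it matches the racoon messages quoted above, assigns each to IKE Phase 1 or IPsec Phase 2 with the document's stated reason, and extracts the peer address where the message carries one. The syslog excerpt, host name and peer address 203.0.113.10 are constructed for the example; the NO-PROPOSAL-CHOSEN diagnosis is standard IKE semantics rather than text from this document.

```python
import re

# Constructed syslog excerpt: the racoon messages are those quoted in 4.10.1; the
# timestamp, host name and peer address 203.0.113.10 are made up for this example.
SAMPLE_SYSLOG = """\
May 22 17:00:31 ctm200 racoon: ERROR: couldn't find the pskey for 203.0.113.10
May 22 17:00:31 ctm200 racoon: ERROR: phase1 negotiation failed.
May 22 17:01:24 ctm200 racoon: ERROR: 203.0.113.10 give up to get IPsec-SA due to time up to wait.
"""

# (pattern, negotiation phase, diagnosis). The first three diagnoses are the document's.
# NO-PROPOSAL-CHOSEN is the IKE notify for "no offered proposal was acceptable"; the
# message alone does not say which phase rejected it, hence phase None.
RULES = [
    (re.compile(r"couldn't find the pskey for (?P<peer>\S+)"), 1,
     "pre-shared key not set on initiator for configured remote gateway"),
    (re.compile(r"phase1 negotiation failed due to time up"), 1,
     "incorrect remote gateway configured at responder, or mismatch in IKE Phase 1 settings"),
    (re.compile(r"(?P<peer>\S+) give up to get IPsec-SA due to time up to wait"), 2,
     "remote subnet configured on initiator does not match remote subnet behind responder"),
    (re.compile(r"NO-PROPOSAL-CHOSEN"), None,
     "peer rejected every offered proposal; compare encryption, hash, DH group and PFS settings"),
]


def triage_syslog(text):
    """Map each racoon ERROR line to a finding; lines with no matching rule are ignored."""
    findings = []
    for line in text.splitlines():
        if "racoon:" not in line or "ERROR:" not in line:
            continue
        for pattern, phase, reason in RULES:
            match = pattern.search(line)
            if match:
                findings.append({"phase": phase, "peer": match.groupdict().get("peer"),
                                 "reason": reason, "line": line})
                break
    return findings


def first_failing_phase(text):
    """Return the earliest negotiation phase (1 or 2) with a diagnosed failure, else None."""
    phases = [f["phase"] for f in triage_syslog(text) if f["phase"] is not None]
    return min(phases) if phases else None


if __name__ == "__main__":
    for finding in triage_syslog(SAMPLE_SYSLOG):
        print(f"phase {finding['phase']} peer {finding['peer']}: {finding['reason']}")
    print("first failing phase:", first_failing_phase(SAMPLE_SYSLOG))
```

Because Phase 2 cannot start until Phase 1 has completed, fix the lowest reported phase first and re-run the script on a fresh syslog capture.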
172.16.7.0/24[any] 192.168.0.0/16[any] 255 out prio def ipsec
        esp/tunnel/173.181.245.148-69.90.37.170/unique#16815
        created: May 22 17:01:24 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5225 seq=1 pid=20041 refcnt=1
192.168.0.0/16[any] 172.16.7.0/24[any] 255 fwd prio def ipsec
        esp/tunnel/69.90.37.170-173.181.245.148/require
        created: May 22 17:01:24 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5218 seq=2 pid=20041 refcnt=1
192.168.0.0/16[any] 172.16.7.0/24[any] 255 in prio def ipsec
        esp/tunnel/69.90.37.170-173.181.245.148/unique#16814
        created: May 22 17:01:24 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5208 seq=3 pid=20041 refcnt=1
6 Technical Support
Cypress Solutions Service Support Group
1.877.985.2878 or 604.294.4465
9.00am to 5.00pm PST
support@cypress.bc.ca