IPSec User Guide 2120028 Rev 2.
Important Notice
Safety and Hazards
Due to the nature of wireless communications, transmission and reception of data can never be guaranteed. Data may be delayed, corrupted (i.e., have errors) or be totally lost.
DIRECT, INDIRECT, SPECIAL, GENERAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS OR REVENUE OR ANTICIPATED PROFITS OR REVENUE ARISING OUT OF THE USE OR INABILITY TO USE ANY SIERRA WIRELESS PRODUCT, EVEN IF SIERRA WIRELESS AND/OR ITS AFFILIATES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR THEY ARE FORESEEABLE OR FOR CLAIMS BY ANY THIRD PARTY.
Post: Sierra Wireless America, 39677 Eureka Drive, Newark, CA, USA 94560
Sierra Wireless, 13811 Wireless Way, Richmond, BC, Canada V6V 3A4
Fax: 1-510-624-4299 / 1-604-231-1109
Web: www.sierrawireless.com
Consult our website for up-to-date product descriptions, documentation, application notes, firmware upgrades, troubleshooting tips, and press releases: www.sierrawireless.com
Revision History
Revision number / Release date / Changes
1.x / Q2: 2008 / IPSec User Guide documentation created.
2.
Contents
Introducing IPSec
  Overview
  Key Features of IPSec VPN
  Scenarios
1: Introducing IPSec
• Overview
• Scenarios
The IP protocol that drives the Internet is inherently insecure. Internet Protocol Security (IPSec), a standards-based protocol, secures the communication of IP packets over public networks. Organizations strive to protect their communication channels from unauthorized viewing and to enforce authentication of the entities at the other side of the channel. Unauthorized access to sensitive data can be prevented by using IPSec.
other end. The remote gateway is connected to a Remote network and the VPN is connected to the Local network. The communication of data is secured by the IPSec protocols.
Scenarios
Sierra Wireless AirLink modems with IPSec are designed to support the gateway-to-gateway security model. IPSec is the most general security model, in that it allows either side to initiate a VPN session. Some user scenarios are discussed in this section. In these examples, the term “VPN tunnel” is used to indicate a secure IPSec connection.
Remote Access Scenarios
1. This scenario shows three remote access activities:
a.
Figure 1-3: Corporate Email Server scenario
c. Google (two-way transmission of insecure data): The laptop user wants to access Google. Google can be accessed while the corporate VPN tunnel is active.
Figure 1-4: Web Server scenario
d. Pass-through (two-way transmission of secure data): The AirLink modem has a regular data connection with the laptop (VPN Client) and the VPN gateway.
Figure 1-5: Pass through mode
The next chapter walks you through the installation and configuration steps for establishing an IPSec set-up on your modem to connect to the test servers at Sierra Wireless. You can follow the same process to connect to your own VPN gateway.
Rev 2.2 Jun.
2: Installation and Configuration
• Set-Up
• Installation
• Configuration Settings
Note: Factory default settings allow you to connect to Sierra Wireless test equipment.
This chapter covers the installation and configuration steps (Sierra Wireless test set-up) needed to use the IPSec feature. The illustration below shows the user connected to the Sierra Wireless test environment.
Set-Up
IPSec has a wide variety of user configuration options. When IPSec is enabled, it must be for the purpose of creating a VPN tunnel with a corporate VPN box. For the Sierra Wireless AirLink modem to communicate with the VPN box, the modem must be configured to support at least one of the security policies of the VPN box. Hence, the VPN box security configuration must be available as a reference before configuring the AirLink modem for IPSec.
Installation
Uninstall any previous version of AceManager installed on your PC before installing the latest version. AceManager is available free of charge from Sierra Wireless AirLink and can be downloaded from http://www.sierrawireless.com/support/AirLink/Wireless_Ace.aspx.
Figure 2-3: IPSec Pane in AceManager
2. Click on IPSec. The selected group tab shows its parameters and details on the right side of the pane. Clicking on IPSec displays the list of parameters with their default values and user-configurable input fields (New Value).
Table 2-1: Configuration Parameters in AceManager
Name (Default Value): Description
IPSec Interface (0): Select 1-Modem-OTA. Choose “0” for disabling IPSec. Choose “1” for enabling IPSec.
Table 2-1: Configuration Parameters in AceManager (continued)
IPSec Gateway (64.163.70.30): Fill in the IP address of the VPN concentrator.
Pre-shared Key 1 (SierraWireless): 8 to 31 case-sensitive ASCII characters.
Negotiation Mode (1): The choices in the drop-down are main or aggressive.
IKE Encryption Algorithm (7): You can choose other options such as Blowfish, 3DES, CAST128 and AES. 3DES or AES can be used for stronger encryption.
Table 2-1: Configuration Parameters in AceManager (continued)
Remote Address (10.11.12.0): Address of the remote device. Choose from two options: 5-Single Address and 17-Subnet Address.
Remote Address - end or mask (255.255.255.0): Subnet address with the subnet mask.
IPSec Encryption Algorithm (3): You can choose other options such as Blowfish, 3DES, CAST128 and AES. The option “0” indicates that IPSec encryption is not used.
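As an added example (not Sierra Wireless code), the following Python function checks a parameter set against the constraints Table 2-1 states before the values are written to the modem: the 8 to 31 ASCII character key rule, the 5-Single / 17-Subnet remote address types with their mask, the “0” encryption option, and whether the factory-default test key is still in place. The dictionary keys are the table's parameter names; the “Remote Address Type” key and the main/aggressive labels for Negotiation Mode are assumptions, since the guide gives those only as drop-down choices and not as codes.

```python
import ipaddress

# Default values from Table 2-1.  Negotiation Mode and Remote Address Type are
# written here as labels rather than the AceManager numeric codes (an assumption).
TABLE_2_1_DEFAULTS = {
    "IPSec Interface": 0,
    "IPSec Gateway": "64.163.70.30",
    "Pre-shared Key 1": "SierraWireless",
    "Negotiation Mode": "main",
    "Remote Address Type": 17,
    "Remote Address": "10.11.12.0",
    "Remote Address - end or mask": "255.255.255.0",
    "IPSec Encryption Algorithm": 3,
}

def check_ipsec_params(p):
    """Return the list of problems found in parameter set p; empty means it passes."""
    problems = []
    if p.get("IPSec Interface") != 1:
        problems.append("IPSec Interface must be 1 to enable IPSec")
    try:
        ipaddress.IPv4Address(p.get("IPSec Gateway", ""))
    except ValueError:
        problems.append("IPSec Gateway is not a valid IPv4 address")
    psk = p.get("Pre-shared Key 1", "")
    if not (8 <= len(psk) <= 31 and psk.isascii() and psk.isprintable()):
        problems.append("Pre-shared Key 1 must be 8 to 31 ASCII characters")
    if psk == TABLE_2_1_DEFAULTS["Pre-shared Key 1"]:
        problems.append("Pre-shared Key 1 is the factory default for the test gateway")
    if str(p.get("Negotiation Mode", "")).lower() == "aggressive":
        problems.append("aggressive mode sends the identity in clear; prefer main mode")
    if p.get("IPSec Encryption Algorithm") == 0:
        problems.append("IPSec Encryption Algorithm 0 leaves ESP payloads unencrypted")
    kind = p.get("Remote Address Type")
    addr = p.get("Remote Address", "")
    mask = p.get("Remote Address - end or mask", "")
    try:
        if kind == 17:   # 17-Subnet Address: address must be the network address for the mask
            ipaddress.IPv4Network((addr, mask), strict=True)
        elif kind == 5:  # 5-Single Address: one host, the mask field is not used
            ipaddress.IPv4Address(addr)
        else:
            problems.append("Remote Address type must be 5 (single) or 17 (subnet)")
    except ValueError:
        problems.append(f"Remote Address {addr} / {mask} is not a valid entry")
    return problems
```

Run against the factory defaults it reports the disabled interface and the default key; a set that passes with an empty list is ready to be written from the New Value column.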
To confirm a successful connection, the following tests can be run:
• Connect a PC to the modem and attempt to ping the IP address 10.11.12.13. The tunnel might take some time to be established; once it is, you will receive responses to your ping.
• Once you can ping the private address, try opening a browser and pointing it to http://10.11.12.13.
m. Outgoing Host Out of Band: To access the Internet by bypassing the IPSec tunnel, set this parameter to “1”.
Note: The Remote Access Scenarios section in Chapter 1 includes the Google web server scenario, where Outgoing Host Out of Band can be set to 1 to access the Internet outside the IPSec tunnel.
3. Click on Write, in the top bar.
4. Click on Reset, to reset the modem.
5. IPSec status displays as “Connected”. Once the tunnel comes up, ping the web browser.
Figure 2-5: PinPoint Configuration
2. Provide the Server IP Address in the right-hand pane.
3. Enter the Report Interval time.
4. Configure the IPSec Interface parameter as “1”, to enable IPSec. Once IPSec is enabled, the factory default settings should be restored. Table 2-1 lists all the IPSec parameter default values. The required fields for IPSec to be established are:
a. IPSec Gateway
b. Pre-shared Key 1
c. IKE Encryption Algorithm
d. IKE Authorization Algorithm
e.
An AVL Application server modem report notification image is provided as an example.
Figure 2-6: Application Server Tunnel
7. Once the tunnel comes up, check the AVL Application server for the update. An example log of the modem sending data through the tunnel is provided.
Figure 2-7: Log sending data
Network behind the modem
You can have multiple machines (for example, PC1 and PC2) behind the modem on the same LAN. The configuration steps are:
1.
Figure 2-8: Host Private Subnet
3. Click on PPP ethernet. Set the modem to private mode.
Figure 2-9: PPP Ethernet configuration
4. Configure the IPSec Interface parameter as “1”, to enable IPSec. Once IPSec is enabled, the factory default settings should be restored. Table 2-1 lists all the IPSec parameter default values. The required fields for IPSec to be established are:
a. IPSec Gateway
b. Pre-shared Key 1
c. IKE Encryption Algorithm
d. IKE Authorization Algorithm
e. IKE Key Group
f. IKE SA Life Time
g. Remote Address
h. IPSec Encryption Algorithm
i. IPSec Authentication Algorithm
j.
A: Sample Configuration File
VPN Configuration file
Two examples, Static IP and Dynamic IP, are provided in the following sections.
Static IP Example
IPSec Configuration for Cisco 1841 Router
1841_ppx2#show run
Building configuration...
Current configuration : 2202 bytes
!
version 12.
username progent privilege 15 password 0 progent
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp key 6 key4567890123477 address 166.213.198.10
crypto isakmp key test address 70.2.190.17
!
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map IPSEC 30 ipsec-isakmp
 set peer 166.213.198.
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.163.70.1
ip route 192.168.3.0 255.255.255.0 70.2.190.17
ip route 192.168.13.0 255.255.255.0 166.213.198.10
!
no ip http server
no ip http secure-server
ip nat pool nat 64.163.70.102 64.163.70.102 netmask 255.255.255.252
ip nat inside source list 110 pool nat overload
!
access-list 101 permit ip 192.168.2.0 0.0.0.
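The Set-Up section requires the modem to support at least one of the VPN box's security policies. The following added example (not Sierra Wireless or Cisco code) parses the IKE policies and ESP transform sets out of the static-IP show run excerpt above and checks a modem proposal against them. The modem-side values are given as IOS keywords (3des, group 2, esp-sha-hmac) rather than the AceManager numeric codes for IKE Encryption Algorithm, IKE Key Group, IKE SA Life Time and the IPSec algorithms; that mapping is an assumption made for illustration.

```python
import re

# Excerpt of the Appendix A static-IP "show run" output, embedded so this runs offline.
CISCO_RUN = """
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp key 6 key4567890123477 address 166.213.198.10
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
"""

def parse_isakmp_policies(text):
    """Return {policy number: {encr, authentication, group, lifetime}}."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"\s+(encr|authentication|group|lifetime) (\S+)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        elif not line.startswith(" "):
            current = None   # any other top-level line closes the policy block
    return policies

def parse_transform_sets(text):
    """Return {name: set of ESP transforms} for every transform-set line."""
    return {m.group(1): set(m.group(2).split())
            for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", text)}

def matching_policy(policies, proposal):
    """Return the lowest-numbered IKE policy the modem proposal fits, else None.
    proposal uses IOS keywords for encr/group and a lifetime in seconds; the
    modem lifetime must not exceed the gateway's (IOS default 86400)."""
    for num, pol in sorted(policies.items()):
        if (pol.get("encr") == proposal["encr"]               # IKE Encryption Algorithm
                and pol.get("authentication") == "pre-share"  # Pre-shared Key 1
                and pol.get("group") == proposal["group"]     # IKE Key Group
                and proposal["lifetime"] <= int(pol.get("lifetime", 86400))):
            return num
    return None

def matching_transform_set(sets, esp_encr, esp_auth):
    """Return the transform set offering exactly this ESP cipher/authenticator pair."""
    return next((n for n, t in sets.items() if t == {esp_encr, esp_auth}), None)
```

With this excerpt a 3DES / group 2 / 28000 s proposal lands on policy 2 and either transform set is usable, while an AES IKE proposal finds no policy because the router only offers AES for ESP.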
Dynamic IP
1841b_dynamic#
1841b_dynamic#sh run
Building configuration...
Current configuration : 1479 bytes
!
version 12.
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp key 6 key4567890123477 address 0.0.0.0 0.0.0.0 noxauth
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map MODEM-DYN-MAP 1000
 set security-association lifetime seconds 28000
 set transform-set 3DES-SHA
 set pfs group2
 match address 101
!
!
crypto map IPSEC 65535 ipsec-isakmp dynamic MODEM-DYN-MAP
!
!
!
interface FastEthernet0/0
 ip address 64.163.70.
ip route 0.0.0.0 0.0.0.0 64.163.70.1
!
ip http server
no ip http secure-server
ip nat pool nat 64.163.70.104 64.163.70.104 netmask 255.255.255.252
ip nat inside source list 110 pool nat overload
!
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip any 192.168.4.0 0.0.0.
B: IPsec Architecture
Standards of the M2M IPSec Support
Sierra Wireless M2M IPSec supports the following standards:
• RFC 1829 – “The ESP DES-CBC Transform”
• RFC 2401 – “Security Architecture for the Internet Protocol”
• RFC 2403 – “The Use of HMAC-MD5-96 within ESP and AH”
• RFC 2404 – “The Use of HMAC-SHA-1-96 within ESP and AH”
• RFC 2405 – “The ESP DES-CBC Cipher Algorithm With Explicit IV”
• RFC 2406 – “IP Encapsulating Security Payload (ESP)”
• RFC 2410 – “The NULL Encryption Algori
· MODP 4096 (available, but not currently supported)
· MODP 6144 (available, but not currently supported)
· MODP 8192 (available, but not currently supported)
2. IP Security (IPSec)
a. IPSec Protocols
· Encapsulating Security Protocol (ESP)
b. Operational Modes
· Tunnel Mode
c. Cipher or Encryption Algorithms
· DES
· CAST128
· Blowfish
· AES (future)
· NULL encryption algorithm
d.