FEC Onlineservices
 
IPSec LAN to LAN connection with interface peers
This instruction shows the step-by-step IPSec configuration of a Bintec router to establish a secure connection between a branch office and the head office (example with image 7.1.12p1 IPSec). Pre-shared keys are used for authentication.

1. Scenario

In this example the X4000 has a static IP address and is connected to the internet via the en1 interface. The official IP address of the X4000 is 62.62.62.6 (Gateway=62.62.62.1). The branch office has a T-DSL internet connection and the X1200 II receives a dynamic official IP address from the provider via the WAN interface.

Conditions

Both the X4000 and the X1200 II require a valid IPSec license and a current IPSec boot image as of version 7.1.1.

2. Configuration X4000: Routing
Configure the IP addresses of the interfaces en1 (62.62.62.6) and en4-0 (192.168.0.1). Configure the default route on the en1 interface via gateway 62.62.62.1. This can be verified with the command "netstat -r".

x4000:> netstat -r
Typ Destination      Netmask          Gateway          Metric  Interface  Proto
LOC 62.62.62.0       255.255.255.248  62.62.62.6       0       en1        local
DEF default                           62.62.62.1       1       en1        local
LOC 192.168.0.0      255.255.255.0    192.168.0.1      0       en4-0      local
x4000:>
3. Configuration X4000: IPSec basic configuration
When the IPSec menu is started for the first time, the IPSec Wizard starts before the actual IPSec configuration menu.

The IPSec Wizard performs the automatic configuration of some mandatory IPSec basic settings and the basic configuration of one IPSec peer. All further configuration (additional IPSec peers and detail settings) has to be done in the actual IPSec menu.

4. Configuration X4000: IPSec configuration in the main menu

BINTEC-X4000 Setup Tool                                Bintec Communications AG
[IPSEC]: IPsec Configuration - Main Menu                                  X4000
_______________________________________________________________________________
  Enable IPSec     : yes

  Pre IPSec Rules >
  Configure Peers >
  Post IPSec Rules >

  IKE (Phase 1) Defaults   *autogenerated*        edit >
  IPsec (Phase 2) Defaults *autogenerated*        edit >
  Certificate and Key Management >

  Advanced Settings >
  Wizard >

  Monitoring >

                         SAVE                          CANCEL
_______________________________________________________________________________
At first the profile for phase 1 will be configured.

X4100 Setup Tool                                       BinTec Communications AG
[IPSEC][PHASE1][EDIT]                                                     X4000
_______________________________________________________________________________

   Description (Idx 1) :    *autogenerated*
   Proposal              :  2 (DES3/MD5)
   Lifetime              :  use default
   Group                 :  2 (1024 bit MODP)
   Authentication Method :  Pre Shared Keys
   Mode                  :  aggressive
   Heartbeats            :  both
   Block Time            :  0
   Local ID              :  X4000
   Local Certificate     :  none
   CA Certificates       :
   Nat-Traversal         :  disabled

   View Proposals >
   Edit Lifetimes >

                         SAVE                          CANCEL
_______________________________________________________________________________
In the next step the profile for phase 2 will be configured.

X4100 Setup Tool                                       BinTec Communications AG
[IPSEC][PHASE2][EDIT]                                                     X4000
_______________________________________________________________________________

   Description (Idx 1) :    *autogenerated*

   Proposal              :  2 (ESP(DES3/MD5) no Comp)
   Lifetime              :  900 Sec/11000 Kb (1)
   Use PFS               :  group 2 (1024 bit MODP)
   Heartbeats            :  both
   Propagate PMTU        :  yes


   View Proposals >
   Edit Lifetimes >  

                         SAVE                          CANCEL
_______________________________________________________________________________
5. Configuration X4000: IPSec peer configuration

BINTEC-X4000 Setup Tool                                BinTec Communications AG
[IPSEC][PEERS][EDIT]: Configure Peer                                      X4000
_______________________________________________________________________________

     Description:       X1200II
     Admin Status:      up        Oper Status:   dormant

     Peer Address:     
     Peer IDs:          X1200II
     Pre Shared Key:    *

     IPSec Callback >
     Peer specific Settings >

     Virtual Interface: yes
     Interface IP Settings >

                          SAVE                          CANCEL
_______________________________________________________________________________
When Aggressive Mode is chosen, the parameters "PeerId", "LocalId" and "PreSharedKey" are important because they are used for the authentication of the peer. Further information regarding these parameters can be found in the MIB Reference for IPSec. The route to the branch office is configured in Interface IP Settings -> Basic IP-Settings.

BINTEC-X4000 Setup Tool                                Bintec Communications AG
[IPSEC][PEERS][EDIT][IP][BASIC]: IP-Settings                              X4000
_______________________________________________________________________________

    IP Transit Network                    no
    Local IP Address                      192.168.0.1

    Default Route                         no

    Remote IP Address                     192.168.200.0
    Remote Netmask                        255.255.255.0

                    SAVE                               CANCEL
_______________________________________________________________________________
Now the peer is configured with the Virtual Interface concept.

6. Configuration X1200 II: Routing

Configure IP address for interface en1. A default route via the WAN interface T-DSL has to be configured.

x1200II:> netstat -r
Typ Destination      Netmask          Gateway          Metric  Interface  Proto
LOC 192.168.200.0    255.255.255.0    192.168.200.1    0       en1        local
DEF default                           0.0.0.0          1       T-DSL      local
LOC 212.185.251.109  255.255.255.255  212.185.228.147  0       T-DSL      other
x1200II:>
7. Configuration X1200 II: IPSec basic and peer configuration
The IPSec basic configuration is done analogously to the X4000. The settings for phase 1 and phase 2 have to be identical on both routers, except for the Local ID. The peer configuration is done as follows.

X1200 II Setup Tool                                 BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT]: Configure Peer                                    X1200II
_______________________________________________________________________________

     Description:       X4000                                       
     Admin Status:      up        Oper Status:   dormant

     Peer Address:      62.62.62.6                                  
     Peer IDs:          X4000                                       
     Pre Shared Key:    *                                                

     IPSec Callback >
     Peer specific Settings >
    
     Virtual Interface: yes
     Interface IP Settings >

                          SAVE                          CANCEL
_______________________________________________________________________________
The route to the LAN of the head office is configured in Interface IP Settings -> Basic IP-Settings.

X1200 II Setup Tool                                 BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][IP][BASIC]: IP-Settings (X4000)                    X1200II
_______________________________________________________________________________

  IP Transit Network                    no 

  Local IP Address                      192.168.200.1

  Default Route                         no

  Remote IP Address                     192.168.0.0
  Remote Netmask                        255.255.255.0

                    SAVE                               CANCEL
_______________________________________________________________________________
Now the peer is configured with the Virtual Interface concept.
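As an added cross-check (example code, not part of the original instruction and not Bintec software), the following script models the two peer configurations from the Setup Tool screens above and verifies the conditions the text relies on: with Aggressive Mode and pre-shared keys each side's Peer ID must equal the other side's Local ID and the key must match, the phase 1 and phase 2 profiles must be identical, only the dynamically addressed branch may leave the Peer Address empty, and the Remote IP Address/Netmask of each side must be the other side's LAN. The PSK value is a placeholder, since the screens only show "*".

```python
from ipaddress import ip_network

# Constructed from the Setup Tool screens above; the PSK is a placeholder value.
X4000 = {
    "name": "X4000", "local_id": "X4000", "own_address": "62.62.62.6",
    "peer_address": None,  # the branch office address is dynamic, so left empty
    "peer_id": "X1200II", "psk": "example-psk",
    "phase1": {"proposal": "DES3/MD5", "group": 2, "mode": "aggressive", "auth": "psk"},
    "phase2": {"proposal": "ESP(DES3/MD5)", "pfs_group": 2, "lifetime": "900 Sec/11000 Kb"},
    "local_lan": "192.168.0.0/24", "remote_lan": "192.168.200.0/24",
}
X1200II = {
    "name": "X1200II", "local_id": "X1200II", "own_address": None,  # dynamic
    "peer_address": "62.62.62.6", "peer_id": "X4000", "psk": "example-psk",
    "phase1": {"proposal": "DES3/MD5", "group": 2, "mode": "aggressive", "auth": "psk"},
    "phase2": {"proposal": "ESP(DES3/MD5)", "pfs_group": 2, "lifetime": "900 Sec/11000 Kb"},
    "local_lan": "192.168.200.0/24", "remote_lan": "192.168.0.0/24",
}

def check_pair(a, b):
    """Return a list of mismatches between two peers; an empty list means they agree."""
    problems = []
    # Aggressive Mode with pre-shared keys: the responder selects the peer entry by the
    # ID the initiator sends, so each Peer ID must equal the other side's Local ID.
    for src, dst in ((a, b), (b, a)):
        if src["peer_id"] != dst["local_id"]:
            problems.append(f"{src['name']}: Peer ID {src['peer_id']!r} != "
                            f"{dst['name']} Local ID {dst['local_id']!r}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    # Phase 1 and phase 2 profiles must be identical on both routers (except the Local ID).
    for phase in ("phase1", "phase2"):
        for key in set(a[phase]) | set(b[phase]):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase} {key}: {a[phase].get(key)!r} vs {b[phase].get(key)!r}")
    # The side with a dynamic address leaves Peer Address empty; the other side must
    # point at the static official address, and at least one side must know the other.
    for src, dst in ((a, b), (b, a)):
        if src["peer_address"] is not None and src["peer_address"] != dst["own_address"]:
            problems.append(f"{src['name']}: Peer Address {src['peer_address']} is not "
                            f"{dst['name']}'s address {dst['own_address']}")
    if a["peer_address"] is None and b["peer_address"] is None:
        problems.append("neither side has a Peer Address; one static address is required")
    # Interface IP Settings: Remote IP Address/Netmask must be the other side's LAN.
    for src, dst in ((a, b), (b, a)):
        if ip_network(src["remote_lan"]) != ip_network(dst["local_lan"]):
            problems.append(f"{src['name']}: remote network {src['remote_lan']} is not "
                            f"{dst['name']}'s LAN {dst['local_lan']}")
    return problems
```

Running `check_pair(X4000, X1200II)` on the values from the screens returns an empty list; a typo in one Local ID or a different netmask on one side shows up as a named mismatch instead of a tunnel that silently stays dormant.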

Notes:
The parameter "ipsecGlobMaxSysLogLevel" should be changed to debug. The IPSec messages are then displayed in more detail after entering the command "debug all&". These messages are helpful during troubleshooting.

jk

© 2013 bintec elmeg GmbH