FEC Onlineservices
 
IPSec backup with ISDN direct dial in to the remote site as of revision 7.1.1
This guide shows the step-by-step configuration of an IPSec backup that uses a direct ISDN dial-up to the IPSec remote site. In this example a VPN 25 dials up to an X1200 II. Both devices run revision 7.1.12.



1. Scenario


The interface concept makes it easier to configure an IPSec backup, because the behaviour can be controlled through the routing entries.


2. Configuration VPN Access 25: Configure ISDN WAN-Partner to the X1200 II

Add a WAN partner on the VPN 25 that establishes the ISDN connection to the head office.

VPN Access 25 Setup Tool                Funkwerk Enterprise Communications GmbH
[WAN][EDIT]: Configure WAN Partner                                   vpn25_test
_______________________________________________________________________________

  Partner Name                     Backup_X1200

  Encapsulation                    PPP
  Encryption                       none
  Compression                      none
  Calling Line Identification      no

  PPP >
  Advanced Settings >
  WAN Numbers >

  IP >
  Bridge >

                         SAVE                          CANCEL
_______________________________________________________________________________
VPN Access 25 Setup Tool                Funkwerk Enterprise Communications GmbH
[WAN][EDIT][PPP]: PPP Settings (Backup_X1200)                        vpn25_test
_______________________________________________________________________________
  
     Authentication                CHAP + PAP
     Partner PPP ID                x1200
     Local PPP ID                  vpn25
     PPP Password                  test

     Keepalives                    off
     Link Quality Monitoring       off

 
                         OK                            CANCEL
_______________________________________________________________________________
VPN Access 25 Setup Tool                Funkwerk Enterprise Communications GmbH
[WAN][EDIT][ADVANCED]: Advanced Settings (Backup_X1200)              vpn25_test
_______________________________________________________________________________

  Callback                               no
  Static Short Hold (sec)                300
  Idle for Dynamic Short Hold (%)        0
  Delay after Connection Failure (sec)   10
  Layer 1 Protocol                       ISDN 64 kbps

  Channel-Bundling                       no

  Extended Interface Settings (optional) >

  Special Interface Types                none

                    OK                                 CANCEL
_______________________________________________________________________________

Enter the number of the remote site:

VPN Access 25 Setup Tool                Funkwerk Enterprise Communications GmbH
[WAN][EDIT][WAN NUMBERS]: WAN Numbers (Backup_X1200)                 vpn25_test
_______________________________________________________________________________

     WAN Numbers for this partner:

       WAN Number            Direction
       0911123456789          outgoing


     ADD                 DELETE              EXIT
_______________________________________________________________________________

Configure the route to the LAN of the X1200 II:

VPN Access 25 Setup Tool                Funkwerk Enterprise Communications GmbH
[WAN][EDIT][IP][BASIC]: IP-Settings (Backup_X1200)                   vpn25_test
_______________________________________________________________________________

  IP Transit Network                        no

  Local IP Address                       192.168.200.1

  Default Route                               no

  Remote IP Address                      192.168.100.0
  Remote Netmask                         255.255.255.0

                    SAVE                               CANCEL
_______________________________________________________________________________

3. Configuration VPN Access 25: Adjust metric of the backup-route

Change the metric of the backup WAN-Partner to 5 within the routing:

VPN Access 25 Setup Tool                Funkwerk Enterprise Communications GmbH
[WAN][EDIT][IP][ROUTING]: IP Routing (Backup_X1200)                  vpn25_test
_______________________________________________________________________________

  The flags are:  U (Up), D (Dormant), B (Blocked),
                  G (Gateway Route), I (Interface Route),
                  S (Subnet Route), H (Host Route), E (Extended Route)

Destination     Gateway        Mask             Flags  Met.   Interface    Pro
192.168.100.0   192.168.200.1  255.255.255.0    DG     5     Backup_X1200  loc

 
     ADD                 ADDEXT              DELETE              EXIT
_______________________________________________________________________________

4. Configuration VPN Access 25: Configure the Block Time

Please set the Block Time to 120 seconds within the Phase 1 profile:

VPN Access 25 Setup Tool                Funkwerk Enterprise Communications GmbH
[IPSEC][PEERS][EDIT][SPECIAL][PHASE1][EDIT]                          vpn25_test
_______________________________________________________________________________

   Description (Idx 1) :    *autogenerated*
   Proposal              :  1 (Blowfish/MD5)
   Lifetime              :  use default
   Group                 :  2 (1024 bit MODP)
   Authentication Method :  Pre Shared Keys
   Mode                  :  aggressive
   Heartbeats            :  both
   Block Time            :  120
   Local ID              :  vpn25_test
   Local Certificate     :  none
   CA Certificates       :
   Nat-Traversal         :  disabled

   View Proposals >
   Edit Lifetimes >

                         SAVE                          CANCEL
_______________________________________________________________________________

5. Configuration X1200 II: Configure ISDN WAN-Partner to the VPN Access 25

Add a WAN partner on the X1200 II that accepts the ISDN connection from the VPN 25.

X1200 II Setup Tool                                 BinTec Access Networks GmbH
[WAN][EDIT]: Configure WAN Partner                                X1200 II_test
_______________________________________________________________________________

  Partner Name                    Backup_VPN25

  Encapsulation                   PPP
  Encryption                      none
  Compression                     none
  Calling Line Identification     no

  PPP >
  Advanced Settings >
  WAN Numbers >

  IP >
  Bridge >

                         SAVE                          CANCEL
_______________________________________________________________________________
X1200 II Setup Tool                                 BinTec Access Networks GmbH
[WAN][EDIT][PPP]: PPP Settings (Backup_VPN25)                     X1200 II_test
_______________________________________________________________________________

     Authentication               CHAP + PAP
     Partner PPP ID               vpn25
     Local PPP ID                 x1200
     PPP Password                 test

     Keepalives                   off
     Link Quality Monitoring      off

 
                         OK                            CANCEL
_______________________________________________________________________________

Configure the route to the LAN of the VPN Access 25:

X1200 II Setup Tool                                 BinTec Access Networks GmbH
[WAN][EDIT][IP][BASIC]: IP-Settings (Backup_VPN25)                X1200 II_test
_______________________________________________________________________________

  IP Transit Network                    no

  Local IP Address                      192.168.100.0

  Default Route                         no

  Remote IP Address                     192.168.200.0
  Remote Netmask                        255.255.255.0

                    SAVE                               CANCEL
_______________________________________________________________________________

6. Configuration X1200 II: Adjust metric of the backup-route

Change the metric of the backup WAN-Partner to 5 within the routing:

X1200 II Setup Tool                                 BinTec Access Networks GmbH
[WAN][EDIT][IP][ROUTING]: IP Routing (Backup_VPN25)               X1200 II_test
_______________________________________________________________________________

  The flags are:  U (Up), D (Dormant), B (Blocked),
                  G (Gateway Route), I (Interface Route),
                  S (Subnet Route), H (Host Route), E (Extended Route)

  Destination     Gateway         Mask            Flags Met.  Interface     Pro
  192.168.200.0   192.168.100.0   255.255.255.0   DG    5     Backup_VPN25  loc

     ADD                 ADDEXT              DELETE              EXIT
_______________________________________________________________________________

7. Configuration X1200 II: Configure ISDN call acceptance

Enter the device's own phone number on the ISDN interface:

X1200 II Setup Tool                                 BinTec Access Networks GmbH
[WAN][INCOMING]: Incoming Call Answering                          X1200 II_test
_______________________________________________________________________________

  Item                   Number          Mode
  PPP (routing)          123456789       right to left

     ADD                 DELETE              EXIT
_______________________________________________________________________________

8. Configuration X1200 II: Configure the Block Time

Please set the Block Time to 120 seconds within the Phase 1 profile:

X1200 II Setup Tool                                 BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][SPECIAL][PHASE1][EDIT]                       X1200 II_test
_______________________________________________________________________________

   Description (Idx 1) :    *autogenerated*
   Proposal              :  1 (Blowfish/MD5)
   Lifetime              :  use default
   Group                 :  2 (1024 bit MODP)
   Authentication Method :  Pre Shared Keys
   Mode                  :  aggressive
   Heartbeats            :  both
   Block Time            :  120
   Local ID              :  X1200 II_test
   Local Certificate     :  none
   CA Certificates       :
   Nat-Traversal         :  disabled

   View Proposals >
   Edit Lifetimes >

                         SAVE                          CANCEL
_______________________________________________________________________________

9. Test

If one of the DSL connections fails, the IPSec tunnel is torn down and the VPN 25 establishes a direct ISDN dial-up to the X1200 II.

Debug output on the VPN Access 25 during a DSL outage at the X1200 II site:

vpn25-test:> debug all&
00:49:24 WARNING/IPSEC: Hearbeat lost - Peer 1 Traffic -1 Bundle  (4)
00:49:24 INFO/IPSEC: P2: peer 1 (X1200 II_test) traf 0 bundle -4 (I): deleted (Heartbeat lost), Pkts: 27/34 Hb: 1/0 Bytes: 2212(3616)/2856(4624) rekeyed by 0
00:49:24 DEBUG/IPSEC: P2: peer 1 (X1200 II_test) traf 0 bundle -4 (I): SA 10 deleted errors 0/0/0
00:49:24 DEBUG/IPSEC: P2: peer 1 (X1200 II_test) traf 0 bundle -4 (I): SA 9 deleted errors 0/0/0
00:49:24 INFO/IPSEC: Destroy Bundle -4 (Peer 1 Traffic -1)
00:49:24 INFO/INET: dialup if 100001 prot 1 192.168.200.1:2048->192.168.100.1:41237
00:49:24 DEBUG/INET: NAT: new outgoing session on ifc 10002 prot 17 84.149.235.62:1056/84.149.235.62:32804 -> 217.237.148.1:53
00:49:24 DEBUG/IPSEC: P1: peer 1 (X1200 II_test) sa 11 (I): identified ip 84.149.235.62 -> ip 213.6.125.207
00:49:39 INFO/IPSEC: P1: peer 1 (X1200 II_test) sa 11 (I): failed id fqdn(any:0,[0..9]=vpn25_test) -> ip 213.6.125.207 (Timeout)
00:49:39 INFO/IPSEC: P1: peer 1 (X1200 II_test) sa 0 (-): blocked for 120 seconds
00:49:39 INFO/IPSEC: P1: peer 1 (X1200 II_test) sa 11 (I): delete ip 84.149.235.62 -> ip 213.6.125.207: Blocked
00:49:39 INFO/INET: dialup if 10003 prot 1 192.168.200.1:2048->192.168.100.1:41215
00:49:39 DEBUG/PPP: Backup_X1200: dial number <0911123456789>
00:49:40 DEBUG/ISDN: stack 0: activate
00:49:40 DEBUG/PPP: Layer 1 protocol hdlc, 64000 bit/sec
00:49:40 DEBUG/PPP: Backup_X1200: set ifSpeed, number of active connections: 0/0/0
00:49:40 DEBUG/PPP: Backup_X1200: set ifSpeed, number of active connections: 1/1/1
00:49:40 DEBUG/PPP: Backup_X1200: outgoing connection established
vpn25-test:>

Corresponding debug output on the X1200 II:

X1200 II_test:>
04:30:21 DEBUG/INET: NAT: delete session on ifc 10001 prot 17 213.6.125.207:500/213.6.125.207:500 <-> 84.149.235.62:1023
04:30:21 INFO/IPSEC: P2: peer 1 (vpn25_test) traf 0 bundle 4 (R): deleted (Interface down), Pkts: 26/27 Hb: 0/1 Bytes: 2184(3536)/2212(3616) rekeyed by 0
04:30:21 DEBUG/IPSEC: P2: peer 1 (vpn25_test) traf 0 bundle 4 (R): SA 10 deleted errors 0/0/0
04:30:21 DEBUG/IPSEC: P2: peer 1 (vpn25_test) traf 0 bundle 4 (R): SA 9 deleted errors 0/0/0
04:30:21 INFO/IPSEC: Destroy Bundle 4 (Peer 1 Traffic -1)
04:30:21 DEBUG/PPP: DSL ISP: set ifSpeed, number of active connections: 0/0/0
04:30:21 INFO/PPP: DSL ISP: outgoing connection closed, duration 230 sec, 17357 bytes received, 11943 bytes sent, 0 charging units, 0 charging amounts
04:30:45 DEBUG/PPP: dialin from <91196730> to local number <123456789> (7/0)
04:30:45 DEBUG/PPP: ?: call accepted, call not identified by number
04:30:45 DEBUG/PPP: Layer 1 protocol hdlc, 64000 bit/sec
04:30:45 DEBUG/PPP: ?: set ifSpeed, number of active connections: 0/0/0
04:30:45 DEBUG/PPP: 10002 authenticated via CHAP_MD5
04:30:45 DEBUG/PPP: Backup_VPN25: call identified for <vpn25>
04:30:45 DEBUG/PPP: Backup_VPN25: set ifSpeed, number of active connections: 1/1/1
04:30:45 DEBUG/PPP: Backup_VPN25: incoming connection established
X1200 II_test:>
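
The failover sequence in the two traces above can be extracted mechanically, for example to alert when site-to-site traffic has moved from the IPSec tunnel to the ISDN backup link. The following Python is an added example, not part of the original instruction or of the vendor's software; the event names and the `parse` and `failover_summary` helpers are assumptions, and the patterns follow only the message texts visible in the debug output above.

```python
import re

# Lines copied from the VPN Access 25 debug output on this page (abridged).
SAMPLE = """\
00:49:24 INFO/IPSEC: P2: peer 1 (X1200 II_test) traf 0 bundle -4 (I): deleted (Heartbeat lost), Pkts: 27/34 Hb: 1/0 Bytes: 2212(3616)/2856(4624) rekeyed by 0
00:49:39 INFO/IPSEC: P1: peer 1 (X1200 II_test) sa 11 (I): failed id fqdn(any:0,[0..9]=vpn25_test) -> ip 213.6.125.207 (Timeout)
00:49:39 INFO/IPSEC: P1: peer 1 (X1200 II_test) sa 0 (-): blocked for 120 seconds
00:49:39 DEBUG/PPP: Backup_X1200: dial number <0911123456789>
00:49:40 DEBUG/PPP: Backup_X1200: outgoing connection established
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) \w+/\w+: (.*)$")
# Patterns follow the message texts shown above; the event names are made up here.
EVENTS = [
    ("tunnel_lost", re.compile(r"^P2: peer \d+ \((.+?)\) .*: deleted \((.+?)\)")),
    ("p1_failed", re.compile(r"^P1: peer \d+ \((.+?)\) .*: failed .*\((\w+)\)$")),
    ("peer_blocked", re.compile(r"^P1: peer \d+ \((.+?)\) .*: blocked for (\d+) seconds")),
    ("backup_dial", re.compile(r"^(\S+): dial number <(\d+)>")),
    ("backup_up", re.compile(r"^(\S+): (?:outgoing|incoming) connection established")),
]

def parse(text):
    """Return (uptime_seconds, event, captured_groups) for each recognised line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # shell prompts and blank lines
        h, mi, s, msg = m.groups()
        for name, rx in EVENTS:
            hit = rx.search(msg)
            if hit:
                events.append((int(h) * 3600 + int(mi) * 60 + int(s), name, hit.groups()))
                break
    return events

def failover_summary(text):
    """Summarise one IPSec-to-ISDN failover, or None if no complete one is seen."""
    first = {}
    for t, name, groups in parse(text):
        first.setdefault(name, (t, groups))  # keep the first occurrence of each event
    if "tunnel_lost" not in first or "backup_up" not in first:
        return None
    lost_t, (peer, reason) = first["tunnel_lost"]
    up_t, (partner,) = first["backup_up"]
    blocked = first.get("peer_blocked")
    return {"peer": peer, "reason": reason, "backup_partner": partner,
            "block_time_s": int(blocked[1][1]) if blocked else None,
            "seconds_to_backup": up_t - lost_t}
```

`failover_summary(SAMPLE)` reports the peer, the reason the Phase 2 SA was deleted, the Block Time that was applied and the seconds between tunnel loss and the ISDN link coming up. The same function works on the X1200 II trace, where the reason is `Interface down` and no block event appears.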
sm

2013 bintec elmeg GmbH