IPSec connection with the FCI at an R232bw and the Setup Tool at an R1200
This FAQ describes the IPSec connection between an R232bw running FCI software 7.4.4 patch 2 and an R1200 running software version 7.4.3 patch 5. Both sites have dynamic IP addresses. The configuration is done with the graphical Funkwerk Configuration Interface (FCI) on the R232bw and with the Setup Tool on the R1200.

Scenario: R232bw (local network 10.10.1.0/24, dynamic public IP address with DynDNS) <-> Internet <-> R1200 (local network 10.10.0.0/24, dynamic public IP address with DynDNS)

Conditions:
- The R232bw is running FCI software version 7.4.4 or newer.
- Both routers have an active Internet connection.
- A DynDNS account is configured and up to date on both sites.
- The two routers use different local IP networks.

1. IPSec Configuration on R232bw with FCI:
1.1 Phase 1:
Choose the VPN menu in the navigation bar and click on “IPSec”. Click the “Phase-1 Profile” tab and then “new” to add a new profile, or edit the existing profile. In this window you can edit the phase 1 (IKE) parameters. Besides the main proposal (Blowfish/MD5 in this example), two alternative IKE proposals can be chosen. DH Group and Lifetime are set to 2 (1024 bit) and 900 sec/0 KBytes in this example. Because both sites use dynamic public IP addresses, the mode has to be set to “Aggressive”. The Local ID has to match the Peer ID configured on the remote site. It can be set to one of the following values:

ID Type                              ID
Fully Qualified Domain Name (FQDN)   Domain name (e.g. R232bw)
Fully Qualified User Name            Email address (e.g. R232bw@test.de)
IPV4 Address                         IP address
ASN.1 Distinguished Name             Certificate

In the Advanced Settings menu the Alive Check, Block Time and NAT Traversal can be selected.


1.2 Phase 2:
To add or edit the IPSec phase 2 parameters, click on the “Phase-2 Profile” tab. As in the phase 1 configuration, two alternative proposals can also be set. Use PFS Group is activated, and the Lifetime is set to 900 sec and 0 KByte. In the Advanced Settings menu the Alive Check is set to Heartbeats (send & expect) and Propagate MTU is enabled.


1.3 Peer Configuration:
After the Phase 1 and Phase 2 settings are finished, you can configure the IPSec peer. The Administrative Status has to be up to activate the peer. Enter a name for the connection in the Description field. In the Peer Address field the address of the remote site has to be entered (here the DynDNS name of the R1200). The Peer ID has to match the Local ID of the remote site:

ID Type                              ID
Fully Qualified Domain Name (FQDN)   Domain name (e.g. R232bw)
Fully Qualified User Name            Email address (e.g. R232bw@test.de)
IPV4 Address                         IP address
ASN.1 Distinguished Name             Certificate
 
A password for the encrypted connection has to be set in the Pre Shared Key field (e.g. “test”)*. Under Interface Routes the IP settings have to be entered. Local IP is the IP address of the local interface of the router, and Remote IP Address/Netmask defines the destination network. If there are more destination networks that should be routed via this IPSec tunnel, click “add” at Router Entries. In the Advanced Settings menu you can choose the Phase-1 and Phase-2 Profile you have edited/added before. Advanced IP Options and IPSec Callback are not used in this example.

* ideally 25 - 50 characters


2. IPSec Configuration on R1200 with Setup Tool:
The IPSec configuration of the R1200 is done via the Setup Tool. When the IPSec menu is selected for the first time, you will be asked whether you want to start the wizard. Confirm with “yes” and start the wizard. In the next step you will be asked which default IPSec authentication method you want to use. Choose “current: PSK” and enter your “local ID” (R1200 in this example). Then “Exit” the wizard.

2.1 Phase 1:
To edit the Phase 1 settings, choose “edit >” in the “IKE (Phase 1) Defaults”. In this menu you can edit an existing profile (autogenerated in this example) or add a new one. The settings have to correspond to the phase 1 settings of the R232bw: the Proposal, Lifetime Policy, Group, etc. have to match the settings of the remote site. The only difference is the Local ID, which is R1200 on this site. When the profile configuration is finished, choose “SAVE” and then “Exit” to get back to the IPSec main menu.

R1200 Setup Tool                      Funkwerk Enterprise Communications GmbH
[PHASE1][EDIT]                                                          r1200
_______________________________________________________________________________

   Description (Idx 1) :    *autogenerated*            
   Proposal              :  1 (Blowfish/MD5)
   Lifetime Policy       :  Propose this lifetime, accept and use all proposals
                            Seconds: 900         KBytes: 0
   Group                 :  2 (1024 bit MODP)
   Authentication Method :  Pre Shared Keys
   Mode                  :  aggressive
   Alive Check           :  Dead-Peer-Detection (DPD), Idle Mode
   Block Time            :  10
   Local ID              :  R1200
   Local Certificate     :  none
   CA Certificates       :
   Nat-Traversal         :  enabled

   View Proposals >

                         SAVE                          CANCEL
_______________________________________________________________________________

2.2 Phase 2:

To edit the Phase 2 settings, choose “edit >” in the “IPsec (Phase 2) Defaults”. As with the phase 1 profile, you can edit an existing profile (autogenerated in this example) or add a new one. The settings have to be equal to the phase 2 settings of the R232bw. Afterwards choose “SAVE” and then “Exit” to get back to the IPSec main menu.

R1200 Setup Tool                      Funkwerk Enterprise Communications GmbH
[PHASE2][EDIT]                                                          r1200
_______________________________________________________________________________

   Description (Idx 1) :    *autogenerated*            

   Proposal              :  1 (ESP(Blowfish/MD5) no Comp
   Lifetime Policy       :  Propose this lifetime, accept and use all proposals
                            Seconds: 900         KBytes: 0
   Use PFS               :  group 2 (1024 bit MODP)
   Alive Check           :  Heartbeats (send and expect)
   Propagate PMTU        :  yes

   View Proposals >

 

 


                         SAVE                          CANCEL
_______________________________________________________________________________
2.3 Peer Configuration:
After finishing the Phase 1 and Phase 2 settings, you can configure the IPSec peer. Choose “Configure Peers >” and add a new IPSec peer with “APPEND”. Enter a name for the connection in the Description field. The DynDNS name of the remote R232bw has to be entered in the Peer Address field. The Peer ID has to match the Local ID of the remote site (here: R232bw). The ID naming convention is the same as explained in the FCI peer configuration. A password for the encrypted connection has to be set in the Pre Shared Key field (e.g. “test”). IPSec Callback is not used in this scenario. The phase 1 and phase 2 profiles can be selected within the Peer specific Settings submenu (see 2.3.1). To use the Virtual Interface Concept (recommended), choose “yes” at Virtual Interface. The IP settings have to be entered within the Interface IP Settings submenu.

R1200 Setup Tool                      Funkwerk Enterprise Communications GmbH
[IPSEC][PEERS][EDIT]: Configure Peer                                    r1200
_______________________________________________________________________________


     Description:       IPSec Test                                  
     Admin Status:      up

     Peer Address:      test.dyndns.org
     Peer IDs:          R232bw
     Pre Shared Key:    *

     IPSec Callback >
     Peer specific Settings >

     Virtual Interface: yes
     Interface IP Settings >

 

                          SAVE                          CANCEL
_______________________________________________________________________________

2.3.1 Peer specific Settings:

In this menu you can choose the IKE Phase 1 and the IPsec Phase 2 Profile you have edited/added before.

R1200 Setup Tool                      Funkwerk Enterprise Communications GmbH
[IPSEC][PEERS][EDIT][SPECIAL]: Special Settings (IPSec Test)            r1200
_______________________________________________________________________________


     Special settings for p1     IPSec Test

 

     IKE (Phase 1) Profile:   *autogenerated*        edit >

     IPsec (Phase 2) Profile: *autogenerated*        edit >

     Special Peer Type:       None
     Start Mode:              On Demand

 


                          SAVE                          CANCEL

_______________________________________________________________________________

2.3.2 Interface IP Settings:
After choosing “Basic IP-Settings” the IP address of the local interface of the router can be entered in the Local IP Address field. The Remote IP Address/Remote Netmask defines the destination network.

R1200 Setup Tool                      Funkwerk Enterprise Communications GmbH
[IPSEC][PEERS][EDIT][IP][BASIC]: IP-Settings (IPSec Test)               r1200
_______________________________________________________________________________


  IP Transit Network                    no                 

 


  Local IP Address                      10.10.0.1

 

  Default Route                         no

  Remote IP Address                     10.10.1.0
  Remote Netmask                        255.255.255.0



                    SAVE                               CANCEL
_______________________________________________________________________________
If there are more destination networks, which should be routed via this IPSec tunnel, you can add further routing entries in the “More Routing” submenu.

3. Test:
Start “debug all” on the R1200 shell. After choosing Maintenance and then Diagnostics in the navigation bar of the FCI, you can perform a Ping Test to the local IP address of the R1200. The debug output should show phase 1 completing in aggressive mode with the expected IDs, followed by two ESP SAs (inbound and outbound) and the established bundle:


r1200:> debug all&
01:15:46 DEBUG/INET: NAT: new incoming session on ifc 10001 prot 17 84.149.198.196:500/84.149.198.196:500 <- 88.65.214.63:1023
01:15:46 DEBUG/IPSEC: P1: peer 0 () sa 5 (R): new ip 84.149.198.196 <- ip 88.65.214.63
01:15:47 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 88.65.214.63:1023 (No Id) is 'BINTEC'
01:15:47 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 88.65.214.63:1023 (No Id) is 'RFC XXXX'
01:15:47 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 88.65.214.63:1023 (No Id) is 'draft-ietf-ipsec-nat-t-ike-03'
01:15:47 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 88.65.214.63:1023 (No Id) is 'draft-ietf-ipsec-nat-t-ike-02'
01:15:47 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 88.65.214.63:1023 (No Id) is 'draft-ietf-ipsec-nat-t-ike-02'
01:15:47 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 88.65.214.63:1023 (No Id) is 'draft-ietf-ipsec-nat-t-ike-00'
01:15:47 INFO/IPSEC: P1: peer 0 () sa 5 (R): Vendor ID: 88.65.214.63:1023 (No Id) is 'Dead Peer Detection (DPD, RFC 3706)'
01:15:47 DEBUG/IPSEC: P1: peer 1 (IPSec Test) sa 5 (R): identified ip 84.149.198.196 <- ip 88.65.214.63
01:15:47 DEBUG/INET: NAT: new incoming session on ifc 10001 prot 17 84.149.198.196:4500/84.149.198.196:4500 <- 88.65.214.63:32779
01:15:47 DEBUG/IPSEC: P1: peer 1 (IPSec Test) sa 5 (R): notify id fqdn(any:0,[0..4]=R1200) <- id fqdn(any:0,[0..5]=R232bw) (unencrypted): Initial contact notification proto 1 spi(16) = [dc5149df 6581dc53 : 3bcf9789 1aa9372f]
01:15:47 DEBUG/IPSEC: P1: peer 1 (IPSec Test) sa 5 (R): [Aggr] NAT-T: port change: local: 84.149.198.196:500->84.149.198.196:4500, remote: 88.65.214.63:1023->88.65.214.63:32779
01:15:47 INFO/IPSEC: P1: peer 1 (IPSec Test) sa 5 (R): done id fqdn(any:0,[0..4]=R1200) <- id fqdn(any:0,[0..5]=R232bw) AG[dc5149df 6581dc53 : 3bcf9789 1aa9372f]
01:15:47 INFO/IPSEC: P2: peer 1 (IPSec Test) traf 0 bundle 4 (R): created 10.10.0.0/24:0 < any > 10.10.1.1/32:0 rekeyed 0
01:15:47 DEBUG/IPSEC: P2: peer 1 (IPSec Test) traf 0 bundle 4 (R): SA 7 established ESP[633ce918] in[0] Mode tunnel enc blowfish-cbc (128 bit) auth md5 (128 bit)
01:15:47 DEBUG/IPSEC: P2: peer 1 (IPSec Test) traf 0 bundle 4 (R): SA 8 established ESP[101370a7] out[0] Mode tunnel enc blowfish-cbc (128 bit) auth md5 (128 bit)
01:15:47 INFO/IPSEC: Activate Bundle 4 (Peer 1 Traffic -1)
01:15:47 INFO/IPSEC: P2: peer 1 (IPSec Test) traf 0 bundle 4 (R): established  (84.149.198.196<->88.65.214.63) with 2 SAs life 900 Sec/0 Kb rekey 810 Sec/0 Kb Hb both PMTU
r1200:>
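As an added check that is not part of the original FAQ, the following Python script parses the debug output above and compares what was actually negotiated with the settings configured in sections 1 and 2 (aggressive mode, NAT Traversal, Blowfish/MD5 in tunnel mode, 900 sec/0 KB lifetime, IDs R1200 and R232bw). The regular expressions and field names are assumptions derived from the log lines shown here, not a documented bintec log format.

```python
import re
# Sample input for this example: the relevant lines quoted from the R1200
# "debug all" output above (the "created" line carries nothing checked here).
SAMPLE_LOG = """\
01:15:47 DEBUG/IPSEC: P1: peer 1 (IPSec Test) sa 5 (R): [Aggr] NAT-T: port change: local: 84.149.198.196:500->84.149.198.196:4500, remote: 88.65.214.63:1023->88.65.214.63:32779
01:15:47 INFO/IPSEC: P1: peer 1 (IPSec Test) sa 5 (R): done id fqdn(any:0,[0..4]=R1200) <- id fqdn(any:0,[0..5]=R232bw) AG[dc5149df 6581dc53 : 3bcf9789 1aa9372f]
01:15:47 DEBUG/IPSEC: P2: peer 1 (IPSec Test) traf 0 bundle 4 (R): SA 7 established ESP[633ce918] in[0] Mode tunnel enc blowfish-cbc (128 bit) auth md5 (128 bit)
01:15:47 DEBUG/IPSEC: P2: peer 1 (IPSec Test) traf 0 bundle 4 (R): SA 8 established ESP[101370a7] out[0] Mode tunnel enc blowfish-cbc (128 bit) auth md5 (128 bit)
01:15:47 INFO/IPSEC: P2: peer 1 (IPSec Test) traf 0 bundle 4 (R): established  (84.149.198.196<->88.65.214.63) with 2 SAs life 900 Sec/0 Kb rekey 810 Sec/0 Kb Hb both PMTU
"""
# Patterns are assumptions derived from the lines above, not a documented log format.
P1_DONE = re.compile(r"P1: .*\(R\): done id fqdn\([^=]*=(\w+)\) <- id fqdn\([^=]*=(\w+)\)")
SA_EST = re.compile(r"SA \d+ established ESP\[([0-9a-f]+)\] (in|out)\[\d+\] Mode (\w+) "
                    r"enc ([\w-]+) \(\d+ bit\) auth (\w+) \(\d+ bit\)")
BUNDLE = re.compile(r"established\s+\(([\d.]+)<->([\d.]+)\) with (\d+) SAs "
                    r"life (\d+) Sec/(\d+) Kb rekey (\d+) Sec")

def parse_ipsec_log(text):
    """Pull the negotiated IKE/IPSec parameters out of a debug-all capture."""
    s = {"local_id": None, "peer_id": None, "mode": None, "nat_t": False, "sas": [], "bundle": None}
    for line in text.splitlines():
        if "[Aggr]" in line:              # phase 1 ran in aggressive mode
            s["mode"] = "aggressive"
        if "NAT-T: port change" in line:  # IKE moved from UDP 500 to 4500 on both sides
            s["nat_t"] = True
        if m := P1_DONE.search(line):     # local and peer ID as the responder saw them
            s["local_id"], s["peer_id"] = m[1], m[2]
        if m := SA_EST.search(line):      # one entry per ESP SA (inbound and outbound)
            s["sas"].append({"spi": m[1], "dir": m[2], "tunnel": m[3] == "tunnel",
                             "enc": m[4], "auth": m[5]})
        if m := BUNDLE.search(line):      # phase 2 bundle: endpoints and lifetimes
            s["bundle"] = {"local": m[1], "remote": m[2], "sa_count": int(m[3]),
                           "life_sec": int(m[4]), "life_kb": int(m[5]), "rekey_sec": int(m[6])}
    return s
def check_tunnel(summary, expected):
    """Return deviations from the expected configuration; an empty list means OK."""
    problems = [f"{k}: got {summary[k]!r}, expected {expected[k]!r}"
                for k in ("local_id", "peer_id", "mode") if summary[k] != expected[k]]
    if expected["nat_t"] and not summary["nat_t"]:
        problems.append("no NAT-T port change seen; check NAT Traversal on both sites")
    if {sa["dir"] for sa in summary["sas"]} != {"in", "out"}:
        problems.append("expected one inbound and one outbound ESP SA")
    problems += [f"SA {sa['spi']}: {sa['enc']}/{sa['auth']} tunnel={sa['tunnel']}"
                 for sa in summary["sas"] if not sa["tunnel"]
                 or (sa["enc"], sa["auth"]) != (expected["enc"], expected["auth"])]
    b = summary["bundle"]
    if not b or (b["life_sec"], b["life_kb"]) != (expected["life_sec"], expected["life_kb"]):
        problems.append(f"bundle missing or lifetime differs from expected: {b}")
    return problems
```

Running check_tunnel(parse_ipsec_log(SAMPLE_LOG), expected) with the values from sections 1 and 2 returns an empty list; a mismatched Peer ID or a different proposal on one site shows up as a listed deviation instead of a silent failure in the ping test.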



© 2013 bintec elmeg GmbH