Application Note
GRE over IPsec + OSPF
between RobustOS and Cisco
Version: v.1.0.0
Date: 2017-08-25
Status: Confidential
Doc ID: GRE over IPsec + OSPF between RobustOS and Cisco_v1.0.0
Author: Vivian Chen
www.robustel.com
GRE over IPsec + OSPF with Cisco Router for RobustOS
Contents
Chapter 1 Introduction, p. 2
1.1 Overview, p. 2
1.2 Assumptions, p. 2
1.3 Rectifications, p. 3
1.4 Version, p. 3
Chapter 2 Application Topology, p. 4
Chapter 3 Configuration, p. 5
3.1 Cisco Configuration, p. 5
3.2 R2000_ROS Configuration, p. 7
3.2.1 Configure Link Manager, p. 7
3.2.2 Configure Cellular WAN, p. 8
3.2.3 Configure LAN IP Address, p. 11
3.2.4 IPsec Configuration, p. 12
3.2.5 GRE Configuration, p. 16
3.2.6 Configure OSPF dynamic route, p. 16
Chapter 4 Testing, p. 18
4.1 Network Status, p. 18
4.2 VPN Status and Communication of ROS, p. 18
4.3 VPN Status and Communication of Cisco, p. 21
4.4 Event/Log, p. 22
Chapter 1 Introduction
1.1 Overview
RobustOS (hereafter ROS) is the operating system for Robustel's IoT gateways released in 2015. It is a modular, open
software platform that supports third-party development through its SDK/API, and it supports different routing and
VPN protocols for different application scenarios. The configuration web interface of ROS differs slightly from the
existing R3000 series' older platform.
VPN (Virtual Private Network) is a technology that establishes a private network tunnel over a public network. GRE
over IPsec VPN is a LAN-to-LAN or remote-access VPN technology that combines GRE and IPsec to offer end-to-end
encryption and authentication across the public and private networks.
This application note is written for customers who have a good understanding of Robustel products and experience with
VPNs. It shows how to configure and test a GRE over IPsec VPN between ROS and a Cisco router over the cellular
network.
1.2 Assumptions
The GRE over IPsec VPN feature has been fully tested, and this Application Note was written by a technically
competent engineer who is familiar with Robustel products and the application requirements.
This Application Note is based on:
Product Model: Robustel GoRugged R2000 industrial cellular VPN router.
Firmware Version: R2000_ROS_V3.0.0.
Configuration: This Application Note assumes the Robustel products are set to factory default. Most configuration
steps are only shown if they differ from the factory default settings.
A public IP address, either dynamic or static, must be assigned to the R2000 router on its WAN interface. If the R2000
router works with a dynamic public IP address, a DNS service must be used to map the dynamic public IP address to a
static domain name.
1.3 Rectifications
Corrections and rectifications to this Application Note are appreciated; requests for new Application Notes may
also be sent to the email address [email protected].
1.4 Version
Updates between document versions are cumulative. Therefore, the latest document version contains all updates
made to previous versions.
Release Date | Firmware Version | Change Description
2017-8-25 | v.1.0.0 | Initial Release
Chapter 2 Application Topology
1. The Cisco router runs as the central router and has either a static public IP address or a dynamic public IP
address with a domain name.
2. The R2000 works with a static public IP address.
3. A GRE over IPsec VPN is established between the central Cisco router and the R2000; the internal traffic from ROS
(192.168.1.0/24) to the Cisco router (172.16.10.0/24) is encrypted, and vice versa.
Note: Both peer devices should have a fixed public IP address, because each must specify the peer's public IP when
establishing the GRE tunnel; also make sure the data packets can be transmitted across the public network.
Chapter 3 Configuration
3.1 Cisco Configuration
Enter configuration mode and check the IOS version of the Cisco router. Put the router into Enable mode and then
enter configuration mode (e.g. type "configure terminal").
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
The entries below set the host name of the Cisco router.
hostname cisco2811
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ROMx$RGJMeV3dfHuOQu0z7Ffjh.
The entries below configure the Internet Security Association and Key Management Protocol (ISAKMP) policy, which
corresponds to the IKE configuration on ROS. They show that Cisco uses 3DES as the encryption algorithm, MD5 as the
hash algorithm, pre-shared keys as the authentication method, and Diffie-Hellman group 2.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
The following entry defines the pre-shared key together with the peer address that identifies the remote connection.
crypto isakmp key 0 cisco address 12.1.1.1
The following entries define an IPsec transform set called "TRA". This transform set contains the settings required for
the IPsec VPN: ESP with 3DES for encryption and ESP with MD5-HMAC for authentication, in transport mode.
crypto ipsec transform-set TRA esp-3des esp-md5-hmac
mode transport
The entries below set up the GRE tunnel of the Cisco router.
crypto ipsec profile IPSPRO //Create the IPsec profile
set transform-set TRA //Apply IPsec profile to IPsec transform
interface Tunnel1
ip address 123.1.1.2 255.255.255.0 //Virtual IP address for GRE VPN
ip ospf mtu-ignore //Ignore mtu to build OSPF neighbor
tunnel source 58.1.1.1
tunnel destination 12.1.1.1
tunnel key 123456
tunnel protection ipsec profile IPSPRO //Apply Ipsec profile to tunnel
The Cisco router's FastEthernet0/0 is connected to the Internet and its LAN is connected to FastEthernet0/1. The
crypto profile must be applied to the WAN interface.
interface FastEthernet0/0
ip address 58.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.10.1 255.255.255.0
duplex auto
speed auto
!
The following entries configure OSPF on the Cisco router.
router ospf 1
router-id 1.1.1.1
network 172.16.10.0 0.0.0.255 area 0
network 123.1.1.0 0.0.0.255 area 0
Save the configuration of the Cisco router.
copy running-config startup-config
3.2 R2000_ROS Configuration
3.2.1 Configure Link Manager
1. Install the antenna, insert the SIM card into the R2000, power on the R2000 and log in to the R2000's Web GUI page.
Note: Factory settings when logging in to the Web GUI
Item | Description
Username | Admin
Password | Admin
ETH0 | 192.168.0.1/255.255.255.0, LAN Mode
ETH1 | 192.168.0.1/255.255.255.0, LAN Mode
DHCP Server | Enabled
2. Browse to Interface > Link Management.
Click the drop-down box of Primary Link and select WWAN1.
Click Submit
Click Save & Apply
3.2.2 Configure Cellular WAN
1. Browse to Interface > Link Management > Link Settings.
Click the modification box of WWAN1.
Enter the related parameters in WWAN Settings.
Enter the related parameters in Ping Detection Settings.
Click Submit.
Click Save & Apply.
Item | Description | Setting
Primary Link | Select "WWAN1", "WWAN2" or "WAN" as the primary connection interface. | WWAN1
● When "Automatic APN Selection" is enabled, the window is displayed as in the following screenshot.
Item | Description | Setting
Dialup Number | Dial-up number for the cellular dial-up connection, provided by the local ISP. | *99***1#
Data Allowance | Set the monthly data traffic limit. | 0
Billing Day | This option specifies the day of the month for billing; the data traffic statistics are recalculated from this day. | 1
● When "Automatic APN Selection" is disabled, the window is displayed as in the following screenshot.
Item | Description | Setting
APN | Access Point Name for the cellular dial-up connection, provided by the local ISP. | Internet
Username | User name for the cellular dial-up connection, provided by the local ISP. | Null
Password | Password for the cellular dial-up connection, provided by the local ISP. | Null
Ping Detection Settings
Item | Description | Setting
Primary Server | The router pings this primary address/domain name to check whether the current connectivity is active. | 8.8.8.8
Secondary Server | The router pings this secondary address/domain name to check whether the current connectivity is active. | NULL
Interval | Set the ping interval. | 10
Retry Interval | Set the ping retry interval. | 3
Timeout | Set the ping timeout. | 1
Max Ping Tries | Switch to another link or take emergency action if the maximum number of consecutive failed ping tries is reached. | 1
3.2.3 Configure LAN IP Address
1. Browse to Interface > LAN > LAN.
Click the modification box of LAN0.
Set the IP address, netmask and DHCP settings of LAN0 accordingly.
Click Submit
Click Save & Apply
Item | Description | Setting
IP Address | Set the IP address of LAN0. | Enter accordingly
NetMask | Set the netmask of LAN0. | Enter accordingly
MTU | Set the MTU of LAN0. | 1500
2. Browse to Interface > Ethernet > Ports.
Click the modification box of eth1.
The eth1 port is assigned to lan0.
Click Submit
Click Save & Apply
3.2.4 IPsec Configuration
The following sections describe the IPsec VPN parameters.
1. Browse to VPN > IPsec > General and enable the NAT traversal feature.
Tick the checkbox Enable NAT Traversal.
Enter the value of Keepalive Interval(s).
Tick the checkbox Debug Enable.
Click Submit
Click Save & Apply
Item | Description | Setting
Enable NAT Traversal | Tick to enable NAT Traversal for IPsec. This item must be enabled when the router is in a NAT environment. | Enable
Keepalive Interval | The interval at which the router sends keepalive packets to the NAT box so that the NAT mapping is not removed. | 60
Debug Enable | When this function is enabled, IPsec information is output to the debug port. | OFF
2. Browse to VPN > IPsec > Tunnel.
Click the Add button to enter the IPsec Tunnel settings.
Set the IPsec gateway address and mode accordingly.
Item | Description | Setting
Gateway | Enter the address of the remote IPsec VPN server. | Enter accordingly
Mode | Select from "Tunnel" and "Transport". Tunnel: uses IPsec tunnel mode. Transport: uses IPsec transport mode. | Select accordingly
Protocol | Select the security protocol from "ESP" and "AH". ESP: uses the ESP protocol. AH: uses the AH protocol. | Select accordingly
Local Subnet | Enter the address of the IPsec local protected subnet. | Enter accordingly
Remote Subnet | Enter the address of the IPsec remote protected subnet. | Enter accordingly
Configure IKE Settings
Item | Description | Setting
Negotiation Mode | Select from "Main" and "Aggressive" for the IKE negotiation mode. | Select accordingly
Encryption Algorithm | Select from "DES", "3DES", "AES128", "AES192" and "AES256" to be used in IKE negotiation. | Select accordingly
IKE DH Group | Select from "MODP768_1", "MODP1024_2" and "MODP1536_5" to be used in key negotiation. | Select accordingly
Authentication Type | Select from "PSK", "CA", "XAUTH Init PSK" and "XAUTH Init CA" to be used in IKE negotiation. | Select accordingly
PSK Secret | Enter the pre-shared key. | Enter accordingly
IKE Lifetime | Set the lifetime of the IKE negotiation. | 3600
Configure SA Settings
Item | Description | Setting
Encrypt Algorithm | Select from "3DES", "AES128" and "AES256". | Select accordingly
Authentication Algorithm | Select from "MD5" and "SHA1" to be used in SA negotiation. | Select accordingly
PFS Group | Select from "PFS_NULL", "MODP768_1", "MODP1024_2" and "MODP1536_5". | Select accordingly
SA Lifetime | Set the IPsec SA lifetime. | 28800
DPD Interval | Set the interval after which DPD is triggered if no IPsec-protected packets are received from the peer. | 60
DPD Failures | Set the timeout of DPD packets. | 180
Configure Advanced Settings
Expert Options: leftprotoport=47/0;rightprotoport=47/0
3.2.5 GRE Configuration
1. Browse to VPN > GRE, add and enable the GRE tunnel.
2. Configure the parameters of GRE, then click Submit and Save & Apply.
GRE
Item | Description | Default
Index | Shows the index of the tunnel. | 1
Enable | Enable the GRE tunnel. GRE (Generic Routing Encapsulation) is a protocol that encapsulates packets in order to route other protocols over IP networks. | ON
Description | Enter a short description of the GRE tunnel. | Null
Remote IP Address | Set the remote IP address of the virtual GRE tunnel. | Null
Local Virtual IP | Set the local IP address of the virtual GRE tunnel. | Null
Remote Virtual IP | Set the remote IP address of the virtual GRE tunnel. | Null
Enable Default Route | All traffic of the R2000 router will go through the GRE VPN. | OFF
Enable NAT | Tick to enable NAT for GRE. The source IP address of hosts behind the R2000 will be masqueraded before accessing the remote GRE server. | Disable
Secrets | Set the tunnel key of GRE. | Null
3.2.6 Configure OSPF dynamic route
1. Browse to Network > Dynamic Route.
Click the OSPF button.
Set Route ID, Interface and Network accordingly.
Click Submit
Click Save & Apply
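As an added example (not from this application note, Robustel or Cisco), the Python below translates the Cisco entries of section 3.1 into the values to enter on the ROS IPsec and GRE pages of sections 3.2.4 and 3.2.5 and cross-checks them before the tunnel is brought up: the peer address in the ISAKMP key and in the tunnel destination must equal the R2000 WAN IP, the expert option leftprotoport=47/0 restricts the transport-mode SA to GRE (IP protocol 47), and the 3DES/MD5/DH group 2 choices used in this note are flagged as legacy algorithms. The configuration text, the keyword-to-GUI-name mappings and the function names are constructed for this example.

```python
import re
# Constructed from the crypto and Tunnel1 entries in section 3.1 (not a full running-config).
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 cisco address 12.1.1.1
crypto ipsec transform-set TRA esp-3des esp-md5-hmac
 mode transport
interface Tunnel1
 ip address 123.1.1.2 255.255.255.0
 tunnel source 58.1.1.1
 tunnel destination 12.1.1.1
 tunnel key 123456
"""
# Cisco keyword -> option name in the ROS IPsec/GRE web pages (sections 3.2.4 and 3.2.5).
IKE_ENC = {"des": "DES", "3des": "3DES", "aes": "AES128", "aes 192": "AES192", "aes 256": "AES256"}
DH_GROUP = {"1": "MODP768_1", "2": "MODP1024_2", "5": "MODP1536_5"}
ESP_ENC = {"esp-3des": "3DES", "esp-aes": "AES128", "esp-aes 256": "AES256"}
ESP_AUTH = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1"}
LEGACY = {"DES", "3DES", "MD5", "MODP768_1", "MODP1024_2"}  # weak choices worth flagging

def _grab(pattern, text):
    m = re.search(pattern, text, re.M)  # first capture group of a line-anchored match, else None
    return m.group(1).strip() if m else None

def ros_settings_from_cisco(cfg):
    """Translate the Cisco lines into the values to enter on the ROS IPsec and GRE pages."""
    tokens = _grab(r"^crypto ipsec transform-set \S+ (.+)$", cfg).split()
    esp_enc = tokens[0] + (" " + tokens[1] if tokens[1].isdigit() else "")  # e.g. "esp-aes 256"
    return {
        "Gateway": _grab(r"^[ \t]*tunnel source (\S+)", cfg),  # Cisco WAN IP, also the GRE Remote IP Address
        "Mode": "Transport" if _grab(r"^[ \t]*mode (\S+)", cfg) == "transport" else "Tunnel",
        "Encryption Algorithm": IKE_ENC[_grab(r"^[ \t]*encr (.+)$", cfg)],
        "IKE DH Group": DH_GROUP[_grab(r"^[ \t]*group (\S+)", cfg)],
        "PSK Secret": _grab(r"^crypto isakmp key \d+ (\S+) address", cfg),
        "SA Encrypt Algorithm": ESP_ENC[esp_enc],
        "SA Authentication Algorithm": ESP_AUTH[tokens[-1]],
        "Expert Options": "leftprotoport=47/0;rightprotoport=47/0",  # only GRE (proto 47) inside the SA
        "GRE Remote Virtual IP": _grab(r"^[ \t]*ip address (\S+) ", cfg),
        "GRE Secrets": _grab(r"^[ \t]*tunnel key (\S+)", cfg),
    }

def check_peer(cfg, ros_wan_ip):
    """List Cisco peer addresses that differ from the ROS WAN IP, plus legacy-algorithm warnings."""
    s, problems = ros_settings_from_cisco(cfg), []
    for pat in (r"^crypto isakmp key \d+ \S+ address (\S+)", r"^[ \t]*tunnel destination (\S+)"):
        if _grab(pat, cfg) != ros_wan_ip:
            problems.append("Cisco peer %s != ROS WAN IP %s" % (_grab(pat, cfg), ros_wan_ip))
    for name in ("Encryption Algorithm", "IKE DH Group", "SA Encrypt Algorithm", "SA Authentication Algorithm"):
        if s[name] in LEGACY:
            problems.append("%s=%s is legacy; prefer AES/SHA1 and MODP1536_5 on both peers" % (name, s[name]))
    return problems
```

Run check_peer(CISCO_CONFIG, "12.1.1.1") before bringing the tunnel up; an empty peer-mismatch result with only legacy-algorithm warnings means the two sides agree as in this note, and every warning should be cleared on both routers at the same time so IKE still negotiates.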
Chapter 4 Testing
4.1 Network Status
1. Browse to Status.
2. Check whether ROS has obtained the assigned static IP address.
4.2 VPN Status and Communication of ROS
1. Browse to VPN > IPsec > Status.
Check whether ROS has established the IPsec VPN with the Cisco router.
2. Browse to VPN > GRE > Status.
● Check whether ROS has established the GRE VPN with the Cisco router.
3. Browse to Network > Dynamic Route > Status.
Check the virtual tunnel in the route table.
4. Browse to System > Tools > Ping.
Ping from 192.168.1.1 to 172.16.10.1 and get an ICMP reply from the Cisco router; this shows that LAN to LAN
communication is working correctly. Also ping the virtual IP of the GRE VPN.
4.3 VPN Status and Communication of Cisco
1. Run the CLI and type the "show ip route" command to check the route table of the Cisco router.
2. Ping the virtual IP of the GRE over IPsec VPN and the LAN IP address behind the R2000, and get an ICMP reply from
the remote end.
4.4 Event/Log
Event/Log shows the running process and the status of the R2000. Only the information related to the configuration
above is explained below.