MAIPU 1800 Case study for Roaming/Mobility

Requirement: Here Company require immediate solution to setup a roaming office for promotional events with all major services as in branch office.Many time we come across with this kind of requirement and limitation of physical wired uplink immediately.  The innovation of the 3G technology provides the good chances for enterprise networking and 3G-based applications, becomes one ideal choice for the enterprise network.

Compared with the fixed  wired line access it provides us more benefits-

Reduce access cost per user

Improve mobility and flexibility, enable mobile/roaming service and transaction Simplify and fasten deployment and maintaining.

Here you can see a live tested scenario for one company for same requirement.

Topology : 

Included Function

3G interface as the uplink.                                     

  --3G USB will be connected to router.

    Compatible models: HUAWEI EC1260 /1261 (dated May- 2011)

  --USB 3G interface will act as WAN and all LAN network devices can access the internet.

IPSEC tunnel

  --MP1800 is using certificate from HQ VPN gateway.

  -- IPSEC tunnel is established between MP1800 and HQ VPN gateway.

  --VOIP calls/data is going form VPN tunnel.

VOIP communication

  -- VOIP call , both way communication from MP1800 fxs to HQ fxs.

 

WIFI

  --PC/Laptop is using wireless network to access the internet resource via the MP1800 router.

  --PC/Laptop and wireless printer are in the same LAN network, so Laptop can print by that printer without any wired connection.

Configuration Template

3G wan link configuration template 

ip access-list standard 1

 10 permit any

 exit

dialer-list 1 protocol ip permit

chat-script g3dia ATDT

chat-script g3cdma2000connection AT^PPPCFG="9323863248","9323863248"

interface cellular0

 encapsulation ppp

 ppp pap sent-username 9323863248 password 9323863248

 ip address negotiated

 bandwidth 384

 load-interval 30

 dialer in-band

 dialer idle-timeout 0            ### interface should not time out ###

 dialer-group 1

 dialer string #777

 script connection g3cdma2000connection

 script dialer g3dia

 ip nat outside

 exit

ip route 0.0.0.0 0.0.0.0 cellular0  ### this routes must be configured, otherwise the 3G interface will not dial-up ###

For dialing – ping to some IP

Router# ping 4.2.2.2 –t

IPSEC certification template

Get the certification from HQ VPN gateway certification server:

crypto ca identity XXXX

 enrollment url 221.10.X.X

 exit  ###define the identity profile XXXX which is the IP address: 221.10.x.x ###

crypto ca authenticate xxxx  ### after this command you will get the root certification by following###

    % The Root CA Certificate has the following attributes:

  Serial Number: C1661E12562D1DBFBE41

  Subject: CN=maipu, OU=maipu communication, O=maipu, ST=sichuan, L=chengdu, C=china

  Issuer : CN=maipu, OU=maipu communication, O=maipu, ST=sichuan, L=chengdu, C=china

  Validity

    Start date: 2004-12-14 10:23:25

    End   date: 2014-12-13 10:23:25

  Usage: Sign

  Fingerprint(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

% Do you accept this certificate(Yes|No)?Y

% PKI: Get CA certificate success.

crypto ca enroll maipu 512 partner_ind_test   ### Certification request from remote server###

   

% Please input request password:****      ### Input password xxxx ####

    % The Certificate DN will be: CN= partner_ind_test

    % Waiting,Generate private key now,Key length 512!

    % Generating .. Done.

% PKI: Certificate enroll success.

IPSEC tunnel+ NAT template

ip access-list extended 1001

 10 deny ip 192.168.91.0 0.0.0.255 192.168.0.0 0.0.255.255

 20 permit ip any any

 exit

interface fastethernet0

 ip address 192.168.91.86 255.255.255.248

 ip nat inside

 exit

## LAN Network###

ip nat inside source list 1001 interface cellular0 overload

crypto tunnel delhi

 local interface cellular0

 peer address x.x.x.x

 set authentication rsa-sig

 set sec-level basic

 set auto-up

 exit

crypto policy p1

 flow 192.168.91.80 255.255.255.248 192.168.91.80 255.255.255.248 ip permit

 exit

### this flow will permit 192.168.91.80 local network communicate with each other ###

crypto policy p2

 flow 192.168.91.80 255.255.255.248 x.x.x.x 255.255.255.0 ip tunnel delhi

 exit

##In Maipu we define Flow and map the interesting traffic to crypto tunnel ###

## this flow is permit from LAN 192.168.91.80 to HQ core network ##

VOIP Configuration Template

callrouting-conf  ### type this command in Global configuration to enter in VOIP config mode ##

 dial-peer 1 pots

  destination-pattern 00911081

  port 1/0

  exit

 dial-peer 2 voip

  destination-pattern xx.

  session-target  sip-server

  exit      

 exit       

 fxs-card 1 

  channel 0 0 payload 4

  channel 0 0 enable

 exit       

voicesrv-conf

 black-white-list

  exit      

 code-mode mode1

 h323 start slow

 h323 send-dtmf h245-string

 h323 call-diversion default

 h323 h245Tunnel off

 h323 bearer-cap 3100hz

 h323 fill-send-complete enable

 h323 grq_interval 40

 h323 call-thrust-ttl 10

 call-transfer disable

 call-transfer consultation

 user-config enable

 exit

interface loopback0

 exit

interface fastethernet0

 sip-gateway voip interface

 sip-gateway voip proxy x.x.x.x

 sip-gateway voip registrar x.x.x.x

 sip-gateway voip password 123456

 exit

 sip-gateway

WIFI Configuration template:

ssid-security-profile wpa2

 secpol wpa2

 authpol psk ascii password

 ciphpol aes

exit

interface dot11radio0

 antenna rx left

 antenna tx right

 beacon period 100

 channel auto

 ssid MAIPU_MP1800_CPE_ROUTER

  security wpa2

  clientlimit 3

  fragment 2000

  vlan 1

  exit      

 exit

interface dot11radio0.1

 ip address 192.168.91.86 255.255.255.248

 encapsulation dot1q 1

 exit

ip dhcp pool wlan

 range 192.168.91.81 192.168.91.83 255.255.255.248

 dns-server 61.139.2.69 4.2.2.2 202.56.215.54

 default-router 192.168.91.86

 exit

Show Outputs :

Show int cellular 0   ### After generating the traffic, Cellular interface got IP ###

cellular0:

     line protocol is up

     Flags: (0xc0080f1) POINT-TO-POINT MULTICAST RUNNING

     Type: PPP

     Internet address: 115.240.57.192/32

     Destination Internet address: 220.224.141.129

     Metric: 0, MTU: 1500, BW: 384 Kbps, DLY: 100000 usec, VRF: global

     Reliability 255/255, Txload 30/255, Rxload 30/255

     Last clearing of "show interface" counters never

     30 seconds input rate 46000 bits/sec, 50 packets/sec

     30 seconds output rate 46000 bits/sec, 50 packets/sec

     17645 packets received; 18108 packets sent

     0 multicast packets received

     0 multicast packets sent

     0 input errors; 0 output errors

     0 collisions; 1 dropped

      LCP:OPENED

      IPCP:OPENED   NDSPCP:STOPPED

      encap-type: simply PPP

      Rx chars: 2043875, Tx chars 2002050

      Rx overrun 0, Tx underrun 0

### IPSEC status ###

#sh crypto ike sa   

localaddr                 peeraddr                 peer-identity         negotiation-state                          sa-id

115.240.57.192    221.10.5.195      CN=zongbu.maipu.com        STATE_QUICK_I2            10

115.240.57.192    221.10.5.195      CN=zongbu.maipu.com        STATE_MAIN_I4             9

#sh crypto ipsec sa

policy name : p2

  f (src, dst, protocol, src port, dst port) :  192.168.91.80/29  192.168.0.0/22  ip  any  any

  local tunnel endpoint : 115.240.57.192 remote tunnel endpoint : 221.10.5.195

  the pairs of ESP ipsec sa : id : 10, algorithm : DES HMAC-SHA1-96

    inbound esp ipsec sa :  spi : 0Xd3380201(3543663105)

                current input 16326 packets, 1173 kbytes

                encapsulation mode : Tunnel

                replay protection : ON

                remaining lifetime (seconds/kbytes) : 27533/4606826

                uptime is 0 hour 21 minute 7 second

    outbound esp ipsec sa :  spi : 0Xeae10ed0(3940617936)

                current output 16719 packets, 1057 kbytes

                encapsulation mode : Tunnel

                replay protection : ON

                remaining lifetime (seconds/kbytes) : 27533/4606942

                uptime is 0 hour 21 minute 7 second

VOIP:

#sh sip call detail

   sid       aid   cid    did    callingNum        calledNum        state            connTime

   c         34    17     18     8888888888        0289756          ST_CONNECT       00:00:05   

   Total active sip call: 1, connected: 1

IOS Details :

show ver

               MyPower (R) Operating System Software

MP1800 system image file (flash0: /flash/rp10-i-6.2.8.pck), version 6.2.8(integrity), Compiled on Ju

n 12 2010, 15:59:42

Copyright (C) 2010 Maipu Communication Technology Co., Ltd. All Rights Reserved.

MP1800 Version Information

                System ID           : 00017ab5dc4c

                Hardware Model                    : RM1800-31W with 256 MBytes SDRAM, 32 MBytes flash

                Hardware Version    : 002(Hotswap Unsupported)

                MPU CPLD Version    : 003

                Monitor Version     : 1.17

                Software Version    : 6.2.8(integrity)

                Software Image File : flash0: /flash/rp10-i-6.2.8.pck

                Compiled                  : Jun 12 2010, 15:59:42

System Uptime is 1 hour 51 minutes 21 seconds

This document is explained about the configuration of above solution using Maipu MP1800 router.

Plz provide your feedback on same…