

Monday, May 14, 2012

Maipu - IPSec Template



Hi all, many times we come across a requirement for IPSec configuration, and every Maipu router supports IPSec. In this post I will share an IPSec configuration template; it will help you understand the Maipu IPSec configuration steps.

Maipu IPSec configuration uses a different command-line syntax from other vendors.

Before looking at the details of the IPSec template, let's take an overview of how IPSec works.


IPSec working process –

IPSec works using the IKE protocol (Internet Key Exchange).

IKE: when two devices communicate across the network to form a secure tunnel, both routers/devices negotiate the set of protocols they are going to use for security: encryption, authentication and protection (integrity).

Only if both devices propose the same set of protocols will the secure tunnel form and data communication start through it; otherwise the secure tunnel will not be established.

In the discussion above I used the term secure tunnel; the secure tunnel is the IPSec tunnel.

IPSec stands for IP Security: the protection of IP packets.

IPSec has two modes of communication on the network: Transport mode and Tunnel mode.

Some well-known types of VPN are Site-to-Site VPN, Easy VPN and Point-to-Multipoint VPN.

VPN stands for Virtual Private Network; a VPN tunnel is a private tunnel created across a public network. IPSec protocols are used to secure the VPN tunnel, so data is transferred securely through the IPSec VPN.

IPSec VPN Establishment process –
  • The router receives traffic considered "interesting traffic" from the LAN network towards the WAN, which triggers establishment of the VPN connection.
  • IKE Phase 1 is negotiated and its Security Association (SA) established.
  • IKE Phase 2 is negotiated and its Security Association (SA) established.
  • Data is transmitted through the IPSec tunnel.
  • Once transmission is complete, the IPSec tunnel is torn down.


Configuration Steps for Maipu Router IPSec Configurations –
  • Set up the IKE proposal [for IKE Phase I]
  • Set up the IPSec proposal [for IKE Phase II]
  • Define the interesting traffic (flow)
  • Set up the crypto tunnel, including the local WAN interface
  • Map the flow to the crypto tunnel


Maipu IPSec Configuration Template –

### Define crypto key (pre-shared key for peer x.x.x.x) ####
crypto ike key pplhkhqtodel address x.x.x.x

### Define Crypto IKE Phase 1 proposal ###
crypto ike proposal 1
 encryption 3des
 group group2
 integrity sha1
 lifetime 28800
 exit

### Define Crypto IKE Phase 2 proposal ###
crypto ipsec proposal 1
 esp 3des
 ah sha1
 lifetime 28800
 exit

### Create IPSec tunnel interface ###
crypto tunnel t1
 local interface f0
 peer any
 set authentication preshared
 set ike proposal 1
 set ipsec proposal 1
 set auto-up
 exit

### Create interesting-traffic rules, like an ACL: match source and destination networks. Text in brackets is a note, not part of the command. ####
crypto policy p1
 flow x.x.x.x x.x.x.x (local lan ip) x.x.x.x x.x.x.x (remote lan) ip tunnel t1
crypto policy p2
 flow x.x.x.x x.x.x.x (local lan ip) x.x.x.x x.x.x.x (remote lan) ip tunnel t1
 exit

Example:
crypto policy p1
 flow 10.1.1.0 255.255.255.0 (local lan ip) 172.16.1.0 255.255.255.0 (remote lan) ip tunnel t1
crypto policy p2
 flow 10.1.1.0 255.255.255.0 (local lan ip) 192.168.1.0 255.255.255.0 (remote lan) ip tunnel t1
 exit
crypto policy p3
 flow 10.1.1.0 255.255.255.0 (local lan ip) 10.1.1.0 255.255.255.0 (local lan ip) ip permit
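To check a template like the one above before it goes onto a router, here is an added example in Python (my own code, not Maipu's and not a Maipu tool). It parses the proposal, tunnel and policy blocks in the layout used above, flags references to proposals or tunnels that are not defined and algorithms that are weak by current standards (3DES, SHA-1, group2), and mimics the IKE negotiation described earlier in the post by matching our proposals against a constructed peer template: Phase 1 succeeds only where a peer proposal matches exactly, Phase 2 likewise. The block layout, the weak-algorithm list and the negotiation rule (exact parameter match, lifetime ignored) are assumptions of the example; the "(local lan ip)" notes are dropped because they are not CLI syntax, and the key and peer address are placeholders.

```python
"""Audit a Maipu-style IPSec template and check that its proposals would
negotiate with a peer's.  Added example, not Maipu code: it assumes the block
layout used in the post (crypto ike proposal N / crypto ipsec proposal N /
crypto tunnel NAME / crypto policy NAME, indented sub-commands, optional exit)."""
import re

# Algorithms a reviewer would flag today (DES/3DES, MD5/SHA-1, MODP-768/1024);
# the list is this example's choice, not a vendor recommendation.
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2"}
HEADER = re.compile(r"^crypto (ike proposal|ipsec proposal|tunnel|policy) (\S+)$")

# Constructed from the post's template; policy p2 deliberately names a missing tunnel.
LOCAL_TEMPLATE = """\
crypto ike proposal 1
 encryption 3des
 group group2
 integrity sha1
 lifetime 28800
 exit
crypto ipsec proposal 1
 esp 3des
 ah sha1
 exit
crypto tunnel t1
 peer any
 set authentication preshared
 set ike proposal 1
 set ipsec proposal 1
 exit
crypto policy p1
 flow 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 ip tunnel t1
crypto policy p2
 flow 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 ip tunnel t2
"""

# Constructed peer: its second IKE proposal matches ours, its IPSec proposal does not.
PEER_TEMPLATE = """\
crypto ike proposal 1
 encryption aes
 group group14
 integrity sha256
crypto ike proposal 2
 encryption 3des
 group group2
 integrity sha1
crypto ipsec proposal 1
 esp aes
 ah sha256
"""

def parse(text):
    """Return {kind: {name: [sub-command tokens, ...]}} for the four block kinds."""
    cfg = {"ike proposal": {}, "ipsec proposal": {}, "tunnel": {}, "policy": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if m:
            current = cfg[m.group(1)].setdefault(m.group(2), [])
        elif line == "exit":
            current = None
        elif current is not None:
            current.append(line.split())
    return cfg

def audit(cfg):
    """Findings: weak algorithms, plus tunnel/policy references to undefined objects."""
    findings = []
    for kind in ("ike proposal", "ipsec proposal"):
        for name, block in cfg[kind].items():
            findings += [f"{kind} {name}: weak algorithm {t}" for w in block for t in w[1:] if t in WEAK]
    for name, block in cfg["tunnel"].items():
        for w in block:  # "set ike proposal 1" / "set ipsec proposal 1"
            if w[0] == "set" and w[1] in ("ike", "ipsec") and w[3] not in cfg[f"{w[1]} proposal"]:
                findings.append(f"tunnel {name}: {w[1]} proposal {w[3]} not defined")
    for name, block in cfg["policy"].items():
        for w in block:  # "flow <src> <mask> <dst> <mask> ip tunnel <name>"
            if w[0] == "flow" and "tunnel" in w and w[w.index("tunnel") + 1] not in cfg["tunnel"]:
                findings.append(f"policy {name}: tunnel {w[w.index('tunnel') + 1]} not defined")
    return findings

def params(block):
    """Negotiable parameters, e.g. {'encryption': '3des', 'group': 'group2'}; lifetime is
    left out of the comparison (IKE peers commonly accept the shorter one)."""
    return {w[0]: w[1] for w in block if len(w) > 1 and w[0] != "lifetime"}

def negotiate(local, peer, kind):
    """Mimic proposal selection: our proposals in number order, first exact parameter
    match wins; None means that phase ('ike proposal' = 1, 'ipsec proposal' = 2) fails."""
    for lname, lblock in sorted(local[kind].items(), key=lambda kv: int(kv[0])):
        for pname, pblock in peer[kind].items():
            if params(pblock) == params(lblock):
                return (lname, pname)
    return None
```

Running audit(parse(LOCAL_TEMPLATE)) lists the 3des/group2/sha1 choices of both proposals and the dangling tunnel t2 of policy p2; negotiate(...) returns ('1', '2') for the IKE proposals and None for the IPSec proposals, which is exactly the "Phase 1 up, Phase 2 fails" situation you see on a router when only one side's IPSec proposal was changed.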


Hope this template helps you with IPSec configuration on Maipu routers.
Thanks for reading…

For feedback, please comment with your name and mail ID.

Tuesday, April 12, 2011

MAIPU 1800 Case study for Roaming/Mobility

Requirement: the company needs an immediate solution to set up a roaming office for promotional events, with all the major services of a branch office. We often come across this kind of requirement together with the limitation that a physical wired uplink cannot be provided immediately. 3G technology offers good opportunities for enterprise networking, and 3G-based access has become an ideal choice for the enterprise network.
Compared with fixed wired-line access it provides more benefits:
  • Reduced access cost per user
  • Improved mobility and flexibility, enabling mobile/roaming services and transactions
  • Simpler and faster deployment and maintenance
Below is a live-tested scenario for one company with this same requirement.

Topology: (network diagram not reproduced here)

Included functions
3G interface as the uplink
  -- A 3G USB modem is connected to the router.
     Compatible models: HUAWEI EC1260 / 1261 (as of May 2011)
  -- The USB 3G interface acts as the WAN, and all devices on the LAN can access the internet.
IPSEC tunnel
  -- The MP1800 uses a certificate issued by the HQ VPN gateway.
  -- An IPSEC tunnel is established between the MP1800 and the HQ VPN gateway.
  -- VOIP calls/data go through the VPN tunnel.
VOIP communication
  -- VOIP calls, both-way communication from the MP1800 FXS port to the HQ FXS port.

WIFI
  -- PCs/laptops use the wireless network to access internet resources via the MP1800 router.
  -- The PC/laptop and a wireless printer are in the same LAN, so the laptop can print on that printer without any wired connection.

Configuration Template

3G WAN link configuration template
ip access-list standard 1
 10 permit any
 exit

dialer-list 1 protocol ip permit

chat-script g3dia ATDT
chat-script g3cdma2000connection AT^PPPCFG="9323863248","9323863248"

interface cellular0
 encapsulation ppp
 ppp pap sent-username 9323863248 password 9323863248
 ip address negotiated
 bandwidth 384
 load-interval 30
 dialer in-band
 dialer idle-timeout 0            ### interface should not time out ###
 dialer-group 1
 dialer string #777
 script connection g3cdma2000connection
 script dialer g3dia
 ip nat outside
 exit


ip route 0.0.0.0 0.0.0.0 cellular0  ### this route must be configured, otherwise the 3G interface will not dial up ###
To trigger dialing, ping some IP address:
Router# ping 4.2.2.2 -t

IPSEC certificate template

Get the certificate from the HQ VPN gateway's certificate server:
crypto ca identity XXXX
 enrollment url 221.10.X.X
 exit  ### define the identity profile XXXX; 221.10.x.x is the IP address of the enrollment server ###
crypto ca authenticate xxxx  ### after this command the router shows the root CA certificate as below; check its fingerprint against the value obtained from HQ before accepting it ###

% The Root CA Certificate has the following attributes:
  Serial Number: C1661E12562D1DBFBE41
  Subject: CN=maipu, OU=maipu communication, O=maipu, ST=sichuan, L=chengdu, C=china
  Issuer : CN=maipu, OU=maipu communication, O=maipu, ST=sichuan, L=chengdu, C=china
  Validity
    Start date: 2004-12-14 10:23:25
    End   date: 2014-12-13 10:23:25
  Usage: Sign

  Fingerprint(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

% Do you accept this certificate(Yes|No)?Y
% PKI: Get CA certificate success.


crypto ca enroll maipu 512 partner_ind_test   ### certificate request to the remote CA server; 512 is the RSA key length in bits, which is far too short by current standards, so use a longer key where the CA accepts one ###

% Please input request password:****      ### input the password xxxx ####
% The Certificate DN will be: CN= partner_ind_test
% Waiting,Generate private key now,Key length 512!
% Generating .. Done.
% PKI: Certificate enroll success.

IPSEC tunnel + NAT template

### NAT ACL: the deny line keeps LAN-to-HQ traffic (which must go through the tunnel) out of NAT; everything else is translated ###
ip access-list extended 1001
 10 deny ip 192.168.91.0 0.0.0.255 192.168.0.0 0.0.255.255
 20 permit ip any any
 exit

### LAN network ###
interface fastethernet0
 ip address 192.168.91.86 255.255.255.248
 ip nat inside
 exit

ip nat inside source list 1001 interface cellular0 overload

crypto tunnel delhi
 local interface cellular0
 peer address x.x.x.x
 set authentication rsa-sig
 set sec-level basic
 set auto-up
 exit

crypto policy p1
 flow 192.168.91.80 255.255.255.248 192.168.91.80 255.255.255.248 ip permit
 exit
### this flow lets hosts in the 192.168.91.80 local network communicate with each other ###

crypto policy p2
 flow 192.168.91.80 255.255.255.248 x.x.x.x 255.255.255.0 ip tunnel delhi
 exit
### In Maipu we define a flow and map the interesting traffic to the crypto tunnel ###
### this flow sends traffic from LAN 192.168.91.80 to the HQ core network through tunnel delhi ###
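The two crypto policies and NAT ACL 1001 above work together: p2 sends LAN-to-HQ traffic into tunnel delhi, and the deny line in ACL 1001 keeps that same traffic out of NAT. The following added example (my own Python, not Maipu code) models both rule sets with first-match evaluation, so you can see how a given packet is handled and what would happen to tunnelled traffic if the NAT-exempt deny were missing. It also covers the flow-to-tunnel mapping of the first post, since the policy syntax is the same. The HQ network 192.168.0.0/22 is taken from the sh crypto ipsec sa output shown later in this post; first-match order and the NAT-before-crypto ordering behind the warning are assumptions.

```python
"""Model how a LAN packet is handled by the crypto policies and by NAT ACL 1001
from the post.  Added example, not Maipu code: first-match evaluation of both
rule sets and the HQ network 192.168.0.0/22 (from the sh crypto ipsec sa
output) are this example's assumptions."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def net(addr, mask):
    """Address plus either a netmask (255.255.255.248) or an ACL wildcard
    (0.0.0.255); ipaddress accepts both forms, strict=False tolerates host bits."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

# crypto policy p1 / p2 from the post
CRYPTO_POLICIES = [
    {"name": "p1", "src": net("192.168.91.80", "255.255.255.248"),
     "dst": net("192.168.91.80", "255.255.255.248"), "action": "permit", "tunnel": None},
    {"name": "p2", "src": net("192.168.91.80", "255.255.255.248"),
     "dst": net("192.168.0.0", "255.255.252.0"), "action": "tunnel", "tunnel": "delhi"},
]

# ip access-list extended 1001: the deny line exempts LAN-to-HQ traffic from NAT
NAT_ACL_1001 = [
    {"action": "deny", "src": net("192.168.91.0", "0.0.0.255"), "dst": net("192.168.0.0", "0.0.255.255")},
    {"action": "permit", "src": ANY, "dst": ANY},
]

def first_match(rules, src, dst):
    """First rule whose source and destination networks both contain the packet."""
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"]:
            return rule
    return None

def forward(src, dst, nat_acl=NAT_ACL_1001):
    """Classify a packet: which crypto policy handles it, and whether the NAT
    ACL would translate it on the way out of cellular0."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    policy = first_match(CRYPTO_POLICIES, s, d)
    acl = first_match(nat_acl, s, d)
    nat = acl is not None and acl["action"] == "permit"   # no match = implicit deny
    result = {
        "policy": policy["name"] if policy else None,
        "action": policy["action"] if policy else "clear",  # no policy: plain routed traffic
        "tunnel": policy["tunnel"] if policy else None,
        "nat": nat,
        "warning": None,
    }
    if result["action"] == "tunnel" and nat:
        # If translation happened before the crypto check (the usual order on many
        # platforms; the post does not say for Maipu) the translated source would
        # no longer match flow p2.  ACL 1001's deny line avoids this.
        result["warning"] = "tunnelled traffic would be NATed; add a NAT-exempt deny for it"
    return result

if __name__ == "__main__":
    for dst in ("192.168.0.10", "192.168.91.82", "4.2.2.2"):
        print(dst, forward("192.168.91.86", dst))
    # Same LAN-to-HQ packet with the deny line removed: shows why it is there.
    print(forward("192.168.91.86", "192.168.0.10", nat_acl=NAT_ACL_1001[1:]))
```

The last call, with the deny line stripped from the ACL, is the misconfiguration to watch for when copying this template: the tunnel negotiates, but traffic that should have been encrypted is translated and goes out in the clear or never matches the flow.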

VOIP Configuration Template
callrouting-conf  ### type this command in global configuration mode to enter VOIP configuration mode ###
 dial-peer 1 pots
  destination-pattern 00911081
  port 1/0
  exit

 dial-peer 2 voip
  destination-pattern xx.
  session-target  sip-server
  exit      
 exit       

 fxs-card 1 
  channel 0 0 payload 4
  channel 0 0 enable
 exit       

voicesrv-conf
 black-white-list
  exit      
 code-mode mode1
 h323 start slow
 h323 send-dtmf h245-string
 h323 call-diversion default
 h323 h245Tunnel off
 h323 bearer-cap 3100hz
 h323 fill-send-complete enable
 h323 grq_interval 40
 h323 call-thrust-ttl 10
 call-transfer disable
 call-transfer consultation
 user-config enable
 exit

interface loopback0
 exit

interface fastethernet0
 sip-gateway voip interface
 sip-gateway voip proxy x.x.x.x
 sip-gateway voip registrar x.x.x.x
 sip-gateway voip password 123456
 exit
 sip-gateway


WIFI Configuration template:

ssid-security-profile wpa2
 secpol wpa2
 authpol psk ascii password
 ciphpol aes
 exit

interface dot11radio0
 antenna rx left
 antenna tx right
 beacon period 100
 channel auto
 ssid MAIPU_MP1800_CPE_ROUTER
  security wpa2
  clientlimit 3
  fragment 2000
  vlan 1
  exit      
 exit

interface dot11radio0.1
 ip address 192.168.91.86 255.255.255.248
 encapsulation dot1q 1
 exit

ip dhcp pool wlan
 range 192.168.91.81 192.168.91.83 255.255.255.248
 dns-server 61.139.2.69 4.2.2.2 202.56.215.54
 default-router 192.168.91.86
 exit



Show outputs:

Show int cellular 0   ### after generating traffic, the cellular interface got an IP address ###
cellular0:
     line protocol is up
     Flags: (0xc0080f1) POINT-TO-POINT MULTICAST RUNNING
     Type: PPP
     Internet address: 115.240.57.192/32
     Destination Internet address: 220.224.141.129
     Metric: 0, MTU: 1500, BW: 384 Kbps, DLY: 100000 usec, VRF: global
     Reliability 255/255, Txload 30/255, Rxload 30/255
     Last clearing of "show interface" counters never
     30 seconds input rate 46000 bits/sec, 50 packets/sec
     30 seconds output rate 46000 bits/sec, 50 packets/sec
     17645 packets received; 18108 packets sent
     0 multicast packets received
     0 multicast packets sent
     0 input errors; 0 output errors
     0 collisions; 1 dropped
      LCP:OPENED
      IPCP:OPENED   NDSPCP:STOPPED
      encap-type: simply PPP
      Rx chars: 2043875, Tx chars 2002050
      Rx overrun 0, Tx underrun 0


### IPSEC status ###
#sh crypto ike sa   
localaddr                 peeraddr                 peer-identity         negotiation-state                          sa-id
115.240.57.192    221.10.5.195      CN=zongbu.maipu.com        STATE_QUICK_I2            10
115.240.57.192    221.10.5.195      CN=zongbu.maipu.com        STATE_MAIN_I4             9


#sh crypto ipsec sa
policy name : p2
  f (src, dst, protocol, src port, dst port) :  192.168.91.80/29  192.168.0.0/22  ip  any  any
  local tunnel endpoint : 115.240.57.192 remote tunnel endpoint : 221.10.5.195
  the pairs of ESP ipsec sa : id : 10, algorithm : DES HMAC-SHA1-96
    inbound esp ipsec sa :  spi : 0Xd3380201(3543663105)
                current input 16326 packets, 1173 kbytes
                encapsulation mode : Tunnel
                replay protection : ON
                remaining lifetime (seconds/kbytes) : 27533/4606826
                uptime is 0 hour 21 minute 7 second
    outbound esp ipsec sa :  spi : 0Xeae10ed0(3940617936)
                current output 16719 packets, 1057 kbytes
                encapsulation mode : Tunnel
                replay protection : ON
                remaining lifetime (seconds/kbytes) : 27533/4606942
                uptime is 0 hour 21 minute 7 second
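To turn the two show outputs above into something that can be checked automatically (for monitoring, or as a verification step after a change), here is an added example in Python, my own code and not a Maipu tool. It parses the sample output copied from the post and reports whether Phase 1 and Phase 2 are up for the tunnel peer, whether replay protection is on, whether both SA directions carry traffic, and how much lifetime remains. The meaning given to the STATE_* names (the IKEv1 state names, MAIN_I4/MAIN_R3 for a completed Phase 1 and QUICK_I2/QUICK_R2 for a completed Phase 2) and the 300-second lifetime threshold are assumptions of the example.

```python
"""Parse `sh crypto ike sa` / `sh crypto ipsec sa` output (sample copied from
the post) into a tunnel health check.  Added example, not Maipu code; the
reading of the STATE_* names as IKEv1 states (MAIN_I4/MAIN_R3 = Phase 1 done,
QUICK_I2/QUICK_R2 = Phase 2 done) is this example's assumption."""
import re

IKE_SA_OUTPUT = """\
localaddr   peeraddr   peer-identity   negotiation-state   sa-id
115.240.57.192    221.10.5.195      CN=zongbu.maipu.com        STATE_QUICK_I2            10
115.240.57.192    221.10.5.195      CN=zongbu.maipu.com        STATE_MAIN_I4             9
"""

IPSEC_SA_OUTPUT = """\
policy name : p2
  f (src, dst, protocol, src port, dst port) :  192.168.91.80/29  192.168.0.0/22  ip  any  any
  local tunnel endpoint : 115.240.57.192 remote tunnel endpoint : 221.10.5.195
  the pairs of ESP ipsec sa : id : 10, algorithm : DES HMAC-SHA1-96
    inbound esp ipsec sa :  spi : 0Xd3380201(3543663105)
                current input 16326 packets, 1173 kbytes
                encapsulation mode : Tunnel
                replay protection : ON
                remaining lifetime (seconds/kbytes) : 27533/4606826
                uptime is 0 hour 21 minute 7 second
    outbound esp ipsec sa :  spi : 0Xeae10ed0(3940617936)
                current output 16719 packets, 1057 kbytes
                encapsulation mode : Tunnel
                replay protection : ON
                remaining lifetime (seconds/kbytes) : 27533/4606942
                uptime is 0 hour 21 minute 7 second
"""

PHASE1_DONE = {"STATE_MAIN_I4", "STATE_MAIN_R3"}
PHASE2_DONE = {"STATE_QUICK_I2", "STATE_QUICK_R2"}
IKE_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(STATE_\S+)\s+(\d+)$")

def parse_ike_sa(text):
    """{peer address: {'identity': CN, 'states': {STATE_...}}}; the header row is skipped."""
    peers = {}
    for line in text.splitlines():
        m = IKE_ROW.match(line.strip())
        if m:
            _local, peer, ident, state, _sa_id = m.groups()
            peers.setdefault(peer, {"identity": ident, "states": set()})["states"].add(state)
    return peers

def parse_ipsec_sa(text):
    """{policy: {'peer', 'algorithm', 'inbound': {...}, 'outbound': {...}}}"""
    policies, pol, sa = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"policy name : (\S+)", s):
            pol, sa = policies.setdefault(m.group(1), {}), None
        elif pol is None:
            continue
        elif m := re.search(r"remote tunnel endpoint : (\S+)", s):
            pol["peer"] = m.group(1)
        elif m := re.search(r"algorithm : (.+)$", s):
            pol["algorithm"] = m.group(1).strip()
        elif m := re.match(r"(inbound|outbound) esp ipsec sa :\s+spi : (\S+)", s):
            sa = pol.setdefault(m.group(1), {"spi": m.group(2)})
        elif sa is None:
            continue
        elif m := re.match(r"current (?:input|output) (\d+) packets, (\d+) kbytes", s):
            sa["packets"], sa["kbytes"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"replay protection : (\S+)", s):
            sa["replay"] = m.group(1) == "ON"
        elif m := re.search(r"remaining lifetime .*: (\d+)/(\d+)", s):
            sa["lifetime_s"], sa["lifetime_kb"] = int(m.group(1)), int(m.group(2))
    return policies

def health(peers, policies, min_lifetime_s=300):
    """Problems found; an empty list means every policy has Phase 1 and Phase 2 up,
    both SA directions replay-protected and carrying packets, and lifetime to spare."""
    problems = []
    for name, pol in policies.items():
        states = peers.get(pol.get("peer"), {}).get("states", set())
        if not states & PHASE1_DONE:
            problems.append(f"{name}: IKE Phase 1 not established with {pol.get('peer')}")
        if not states & PHASE2_DONE:
            problems.append(f"{name}: IKE Phase 2 not established with {pol.get('peer')}")
        alg = pol.get("algorithm", "")
        if alg.startswith(("DES ", "3DES ")):
            problems.append(f"{name}: weak cipher {alg}")
        for direction in ("inbound", "outbound"):
            sa = pol.get(direction)
            if sa is None:
                problems.append(f"{name}: no {direction} SA")
                continue
            if not sa.get("replay"):
                problems.append(f"{name} {direction} {sa['spi']}: replay protection off")
            if sa.get("packets", 0) == 0:
                problems.append(f"{name} {direction} {sa['spi']}: no packets yet (one-way traffic?)")
            if sa.get("lifetime_s", 0) < min_lifetime_s:
                problems.append(f"{name} {direction} {sa['spi']}: expires in {sa.get('lifetime_s')} s")
    return problems

if __name__ == "__main__":
    for p in health(parse_ike_sa(IKE_SA_OUTPUT), parse_ipsec_sa(IPSEC_SA_OUTPUT)):
        print("problem:", p)  # for the post's output only the DES cipher is reported
```

For the output shown in the post the only finding is the DES cipher negotiated under `set sec-level basic`; with the IKE SA table empty (peer rebooted, Phase 1 timed out) the same check reports both phases as not established, which is the first thing to look at when a tunnel that was up stops passing traffic.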





VOIP:

#sh sip call detail
   sid       aid   cid    did    callingNum        calledNum        state            connTime
   c         34    17     18     8888888888        0289756          ST_CONNECT       00:00:05   
   Total active sip call: 1, connected: 1

IOS details:


show ver
               MyPower (R) Operating System Software
MP1800 system image file (flash0: /flash/rp10-i-6.2.8.pck), version 6.2.8(integrity), Compiled on Jun 12 2010, 15:59:42
Copyright (C) 2010 Maipu Communication Technology Co., Ltd. All Rights Reserved.

MP1800 Version Information
                System ID           : 00017ab5dc4c
                Hardware Model      : RM1800-31W with 256 MBytes SDRAM, 32 MBytes flash
                Hardware Version    : 002(Hotswap Unsupported)
                MPU CPLD Version    : 003
                Monitor Version     : 1.17
                Software Version    : 6.2.8(integrity)
                Software Image File : flash0: /flash/rp10-i-6.2.8.pck
                Compiled            : Jun 12 2010, 15:59:42

System Uptime is 1 hour 51 minutes 21 seconds


This document explained the configuration of the above solution using the Maipu MP1800 router.

Please provide your feedback on the same…

