CTM-200 IPsec VPN Questionnaire


Uploaded by mohammedakbar88, posted 12-Apr-2015


Page 1: CTM-200 IPsec VPN Questionnaire

Questionnaire for IPsec VPN Deployment with CTM200
Model CTM-200
Revision 1.0

3066 Beta Avenue, Burnaby, B.C. V5G 4K4
Phone: 604.294.4465
Fax: 604.294.4471
[email protected]

© 2012 Cypress Solutions Questionnaire for IPsec VPN Deployment with CTM200

1 Overview

A VPN can be used to provide a secure, routable connection between a remote wireless device (modem) with a static IP address on the public Internet and a remote server. The data being transmitted and received by the modem is secure within a protected VPN tunnel. Internet Protocol Security (IPsec) is a protocol suite that enables devices to secure communication at the Internet Protocol (IP), or network, layer. IPsec provides security in the following ways:

- Data confidentiality: Data communicated across the tunnel is encrypted to prevent the deciphering of data if intercepted
- Origin authentication: The identity of each peer in the tunnel is validated to prevent the impersonation of devices
- Integrity validation: Data communicated across the tunnel is validated to prevent data tampering

The Cypress Chameleon series of industrial wireless data routers/modems support IPsec VPN communications.

2 Purpose of this Document

This document attempts to guide the user in validating their IPsec VPN router setup and to troubleshoot the CTM-200’s IPsec interoperability with their VPN router.

3 CTM-200 features

3.1 IPsec protocols

The CTM-200 supports site-to-site VPN tunnels with equipment that supports the IPsec protocol suite, specifically, ESP (Encapsulating security payload) protocol in Tunnel mode.

3.2 IPsec device role

The CTM-200 supports both the IPsec initiator (client) and the responder (server) roles.

3.3 IPsec supported VPN Equipment

The CTM-200 interoperates with IPsec equipment using the above protocols including but not limited to the following hardware:

- Checkpoint VPN-1
- Cisco PIX firewalls, VPN concentrators and routers running IOS
- Enterasys routers with VPN capabilities
- IBM/ISS Proventia UTM
- Intoto
- Juniper E-series and Netscreen series
- Nokia
- Nortel VPN Routers
- SonicWALL Firewall/VPN Appliances


4 Questionnaire

4.1 Are you familiar with IPsec VPN terminology and equipment?

If so, continue to the next steps. If not, you will first require a basic understanding of what a virtual private network (VPN) is, what Internet Protocol Security (IPsec) is, and how IPsec is used to achieve VPN tunnels. Please refer to some online resources for details. We suggest the following pages:

- IPsec on Wikipedia
- An Illustrated Guide to IPsec (Note: the CTM-200 only supports the IPsec ESP (Encapsulating security payload) protocol in Tunnel mode)
- IPsec Simplified

Also, please refer to your VPN router's documentation on configuring a site-to-site IPsec VPN for details.

4.2 Do you have a network diagram of the desired IPsec topology?

Please create a network diagram that completely specifies your IPsec topology and clearly includes the following elements, at a minimum:

- Corporate IPsec VPN router
    o WAN IP address
    o Local Subnet(s)
    o Intermediate local switches/routers
    o End devices/hosts
- CTM-200
    o WAN IP address
    o Local Subnet(s)
    o Intermediate local switches/routers
    o End devices/hosts
- Test Host behind VPN router and its LAN IP address
- Test Host behind CTM-200 and its LAN IP address

This IPsec topology will assist you with CTM-200 configuration, VPN functionality validation and verification, and troubleshooting.

4.3 What is your IPsec application?

Determine how you will be using the CTM-200 and its IPsec VPN functionality.

VPN between CTM-200 and Corporate VPN Router

Local network connected to CTM-200 (e.g. local site) is securely connected to the local network connected to the corporate VPN router (e.g. remote site).

- Most common VPN application
- Builds upon an organization's existing IT infrastructure


VPN between CTM-200 Devices

Local network connected to CTM-200 (e.g. local site) is securely connected to the local network connected to another CTM-200 (e.g. remote site).

- Low-cost VPN solution (i.e. another CTM-200 device instead of a corporate VPN router is required)
- Increased latency in VPN tunnel link, depending on type of wireless connection

Please use the IPsec topology diagram to confirm your IPsec application.

4.4 Do you have access to the proper IT Resources?

During the support cycle, you should have access to resources (IT personnel) behind your IPsec VPN router equipment (Cisco, Juniper, etc.) for validating data routing. IT personnel should have the ability to configure the VPN router equipment with the WAN IP address (static IP configurations) and LAN subnet of the CTM-200 (e.g. LAN0: 192.168.1.0/24 or LAN1: 192.168.2.0/24).

4.5 Have you verified that IPsec VPN configuration on your VPN router is valid and already working?

Before testing IPsec VPN interoperability with the CTM-200, please verify that the IPsec VPN configuration on your VPN router is valid and already working. Typically, verification involves configuring an alternate platform/ device (e.g. another VPN router, a laptop running IPsec VPN client software, etc.) as an IPsec VPN initiator and confirming that a valid VPN tunnel session can be established with your VPN router. If an alternate platform/device is not available, please review the VPN router configuration and consult the router’s documentation to validate your router configuration.

4.6 Do you know the IPsec parameters already configured on the VPN router?

Gather configuration details about the current corporate/office IPsec VPN router. These settings will need to be matched on the CTM-200.

IPsec Parameter

- NAT-Traversal (NAT-T)
- NAT-T Keep alive interval, in seconds
- Role of Current VPN router (Initiator or Responder)
- Split Tunneling or Full Tunneling

IKE (Phase 1)

- IKE Exchange Mode (Main or Aggressive)
- VPN Router's WAN IP address
- Remote ID type (none, IP address, USER_FQDN, FQDN, KEY_ID)
- Remote ID
- Verify Remote ID (Off or On)
- Proposal Check (obey, strict, claim, exact)
- IKE Encryption (3des, aes256, aes, des)
- IKE HMAC (sha1 or md5)
- IKE Diffie-Hellman Group
- IKE Lifetime, in seconds
- IKE Rekeying (On or Off)

Dead Peer Detection

- DPD Delay, in seconds
- DPD Retry
- DPD Maxfail

IKE (Phase 2)

- IPsec Encryption (3des, aes256, aes, des, blowfish)
- IPsec HMAC (hmac_sha1 or hmac_md5)
- IPsec Perfect Forward Secrecy
- IPsec Lifetime, in seconds

Tunnel Networks

- Protected remote subnets (IP address and netmask) behind VPN router

4.7 Do you know the IPsec parameters to be configured on the CTM-200 unit(s)?

Gather configuration details about the CTM-200 unit(s). Typically, this will be assigned to you by your IT personnel.

CTM-200 LAN IP

- Local Tunnel Subnet (LAN0 or LAN1)
- LAN IP address of local tunnel subnet (e.g. 192.168.1.1)
- Local Tunnel network IP and subnet (e.g. 192.168.1.0/24)

CTM-200 IPsec role

- If Initiator:
    o Initial Contact: On
    o Passive: Off
- If Responder:
    o Initial Contact: Off
    o Passive: On

CTM-200 IPsec Watchdog Parameters (used if CTM-200 is initiator and VPN tunnel must be up automatically)

- Remote Subnet Target LAN IP address
- Remote Target Ping Interval, in seconds

CTM-200 IKE Phase 1

- Local ID type (none, IP address, USER_FQDN, FQDN, KEY_ID)
- Local ID

CTM-200 IKE Phase 2

- Pre-Shared Key (please protect this information)

4.8 Can basic communication occur between the CTM-200 and the VPN router?

Please follow the basic troubleshooting steps below to ensure basic communication (i.e. communication without the IPsec VPN tunnel) between the CTM-200 and the VPN router.

4.8.1 Verify RF signal strength

Determine if the RF signal strength (i.e. RSSI) is sufficient for reliable communication:

- In the Web interface on the Status | Details page, check the Primary and Secondary fields under System Info
- In the command-line interface, check the Primary and Secondary fields in cmd showstate

Consistent RSSI below -95 dBm (e.g. -100 dBm) will result in unreliable communication (e.g. intermittent lost packets). Please try to reorient your RF antenna to improve signal conditions. Consider using a different RF antenna to improve RF signal conditions.

4.8.2 Basic Ping Test

1. Connect a laptop to the CTM-200 Ethernet port configured by the setting Local Tunnel Subnet
2. Find out the IP address of a host behind the customer's IPsec VPN router that accepts ICMP pings (e.g. ping target)
3. From a Windows Command Prompt on the laptop, continuously ping the target (e.g. 1.2.3.4):

    ping -t 1.2.3.4

4. The first few pings should return Request timed out followed by several successful pings:

    Reply from 1.2.3.4: bytes=32 time=267ms TTL=49

4.8.3 Verify the CTM-200 has a valid IP address

From the web interface, verify on the Status | Info page that Cell: up and IP does not equal 0.0.0.0. From the command-line interface, verify that cmd ipadr returns an IP that does not equal 0.0.0.0


If the IP address is 0.0.0.0:

- Contact your wireless network provider and verify that the cell device's account has been activated
- Verify that the cell device has been properly configured in the CTM-200. See How to Activate a CTM-200 for details.

4.8.4 Verify the Ethernet device is connected to the correct LAN port

Verify that the Ethernet device (e.g. PC, laptop, etc.) is connected to the LAN port configured via cmd ipsec localnet (e.g. if cmd ipsec localnet 1 then the laptop should be connected to the Ethernet port marked "LAN1" or "LAN")

4.8.5 Validate Data Routing from CTM-200 to VPN router when VPN tunnel is disabled

From a PC connected to one of the CTM-200's Ethernet ports, ping the IPsec VPN router's outside/WAN IP address and see whether pings succeed. If pings fail, pings between the CTM-200 and router may be disabled on the network side. In this case, access another known service on the VPN router (e.g. HTTP web server, FTP server, etc.).

4.8.6 Validate Data Routing from VPN router to CTM-200 when VPN tunnel is disabled

From the IPsec VPN router or a PC connected to the router, ping the CTM-200 at its WAN IP address and see whether pings succeed. If pings fail, pings between the CTM-200 and router may be disabled on the network side. In this case, access another known service on the CTM-200 (e.g. Web configuration, Telnet/SSH access, etc.).

4.9 Are the CTM-200’s IPsec settings valid?

Mismatched IPsec settings and invalid settings, specifically Phase 1 and Phase 2 encryption settings and lifetime values, are common causes of errors in initial IPsec deployments.

4.9.1 Verify IPsec settings match VPN router’s settings

Verify the correct VPN router WAN IP address is configured:

    cmd ipsec ikepeerid address
    cmd ipsec remgw
    cat /var/config/racoon/psk.txt    # Preshared key is set to match IP in cmd ipsec remgw

Verify the correct subnets behind the VPN router are configured (check network IP address and netmask):

    cmd ipsec remnet


For Phase 1 errors, verify the CTM-200 IKE Phase 1 settings match the VPN router's settings:

    cmd ipsec ikeauth
    cmd ipsec ikedhgroup
    cmd ipsec ikeenc
    cmd ipsec ikeexchange
    cmd ipsec ikehash
    cmd ipsec ikelifetime

For Phase 2 errors, verify the CTM-200 IPsec Phase 2 settings match the VPN router's settings:

    cmd ipsec natt
    cmd ipsec saauth
    cmd ipsec saenc
    cmd ipsec salifetime
    cmd ipsec sapfsgroup

4.9.2 Ensure IPsec LAN IP is not contained in a configured IPsec remote subnet

Ensure that the LAN IP subnet used for IPsec is not contained in a configured IPsec remote subnet. For example, the following configuration is an invalid IPsec topology:

    cmd lanip 1 172.16.211.1 255.255.255.0
    cmd ipsec localnet 1
    cmd ipsec remnet 1 172.16.0.0 16

This is invalid because the LAN1 subnet 172.16.211.0/24 cannot be contained within the remote subnet 172.16.0.0/16. The typical symptom is that you cannot ping or Telnet to the CTM-200 itself from a laptop connected to its IPsec LAN IP subnet.
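The containment check described above, as an added example that is not part of the Cypress document: it takes the cmd lanip and cmd ipsec remnet values, reproduces the invalid topology quoted in this section, and also flags the reverse case and partial overlaps (the function and variable names are assumptions).

```python
# Added example, not part of the Cypress document: checks a CTM-200 local
# tunnel subnet against the configured remote subnets for the containment
# problem described in section 4.9.2 (and also flags partial overlaps).
import ipaddress

def local_subnet(lan_ip, netmask):
    """Network of the LAN interface from the 'cmd lanip <n> <ip> <mask>' values."""
    return ipaddress.ip_network(f"{lan_ip}/{netmask}", strict=False)

def check_topology(lan_ip, netmask, remnets):
    """remnets: list of (network_ip, prefix_len) as given to 'cmd ipsec remnet'.
    Returns a list of problem strings; an empty list means the topology is valid."""
    local = local_subnet(lan_ip, netmask)
    problems = []
    for net_ip, prefix in remnets:
        remote = ipaddress.ip_network(f"{net_ip}/{prefix}", strict=False)
        if local.subnet_of(remote):
            problems.append(f"local {local} is contained in remote {remote}")
        elif remote.subnet_of(local):
            problems.append(f"remote {remote} is contained in local {local}")
        elif local.overlaps(remote):
            problems.append(f"local {local} overlaps remote {remote}")
    return problems

# Constructed inputs. INVALID reproduces the configuration quoted in 4.9.2:
#   cmd lanip 1 172.16.211.1 255.255.255.0 / cmd ipsec localnet 1 / cmd ipsec remnet 1 172.16.0.0 16
INVALID = check_topology("172.16.211.1", "255.255.255.0", [("172.16.0.0", 16)])
# VALID moves LAN1 to 192.168.2.0/24 (a subnet the document uses as an example)
VALID = check_topology("192.168.2.1", "255.255.255.0", [("172.16.0.0", 16)])

if __name__ == "__main__":
    for label, result in (("invalid", INVALID), ("valid", VALID)):
        print(label, "->", result or "OK")
```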

4.10 Which IPsec negotiation phase is failing (IKE Phase 1 or IPsec Phase 2) and why?

4.10.1 Check the CTM-200’s Syslog

Check the CTM-200’s syslog to determine which of the IPsec negotiation phases are failing and the reason for the failure:

1. From the Web Interface, go to the Log | Syslog web page and view the text under the Syslog Messages section
2. From the command-line interface, enter cmd syslog

Sample IKE Phase 1 syslog error messages:

    racoon: ERROR: couldn't find the pskey for xxx.xxx.xxx.xxx
    racoon: ERROR: phase1 negotiation failed.

Reason for failure: Pre-shared key not set on initiator for configured remote gateway

    racoon: ERROR: phase1 negotiation failed due to time up.

Reasons for failure: Incorrect remote gateway configured at responder, OR mismatch in one or more IKE Phase 1 settings

Sample IPsec Phase 2 syslog error messages:

    racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.

Reason for failure: Remote subnet configured on initiator does not match actual remote subnet behind responder

    racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.

OR

    racoon: ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.

Reason for failure: Mismatch in one or more IPsec Phase 2 settings
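The mapping from racoon error message to failing phase and likely cause listed above, as an added example that is not part of the Cypress document: it runs the mapping over a captured syslog and reports each finding in order. The syslog timestamp/host prefix, the peer address 203.0.113.10 and all names are assumptions.

```python
# Added example, not from the Cypress document: classifies racoon errors in a
# captured CTM-200 syslog into the failing phase and the likely cause, using the
# sample messages and reasons listed in section 4.10.1.
import re

# Most specific patterns first; the generic "phase1 negotiation failed" is last.
RULES = [
    (r"couldn't find the pskey for (\S+)", "IKE Phase 1",
     "Pre-shared key not set on initiator for configured remote gateway"),
    (r"phase1 negotiation failed due to time up", "IKE Phase 1",
     "Incorrect remote gateway configured at responder, or mismatch in IKE Phase 1 settings"),
    (r"(\S+) give up to get IPsec-SA due to time up to wait", "IPsec Phase 2",
     "Remote subnet configured on initiator does not match remote subnet behind responder"),
    (r"NO-PROPOSAL-CHOSEN", "IPsec Phase 2",
     "Mismatch in one or more IPsec Phase 2 settings"),
    (r"phase1 negotiation failed", "IKE Phase 1",
     "Phase 1 failed; see the preceding racoon error for the cause"),
]

def classify_line(line):
    """Return a finding dict for a 'racoon: ERROR:' line, or None for other lines."""
    if "racoon: ERROR:" not in line:
        return None
    for pattern, phase, reason in RULES:
        m = re.search(pattern, line)
        if m:
            peer = m.group(1) if m.groups() else None
            return {"phase": phase, "reason": reason, "peer": peer}
    # Unknown racoon error: keep the raw message so it is not silently dropped
    return {"phase": "unknown", "reason": line.split("ERROR:", 1)[1].strip(), "peer": None}

def triage(syslog_text):
    """Findings for every racoon error line in the captured syslog, in order."""
    return [f for f in map(classify_line, syslog_text.splitlines()) if f]

# Constructed syslog excerpt (timestamps and host prefix are assumed; the racoon
# messages are the ones quoted in section 4.10.1, with a placeholder peer address).
SAMPLE_SYSLOG = """\
May 22 17:00:01 CTM200 racoon: INFO: initiate new phase 1 negotiation
May 22 17:00:31 CTM200 racoon: ERROR: phase1 negotiation failed due to time up.
May 22 17:02:05 CTM200 racoon: ERROR: couldn't find the pskey for 203.0.113.10
May 22 17:02:05 CTM200 racoon: ERROR: phase1 negotiation failed.
May 22 17:05:10 CTM200 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_SYSLOG):
        print(f"{f['phase']}: {f['reason']}" + (f" (peer {f['peer']})" if f["peer"] else ""))
```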

4.10.2 Check the logs on the VPN router

Check the VPN router’s logs to determine which of the IPsec negotiation phases are failing and the reason for the failure. Please consult your IT personnel or VPN router’s documentation for details on obtaining logs.

4.10.3 Verify IPsec settings and retest

Based on the error messages in the CTM-200’s syslog and VPN router’s logs, verify the IPsec settings on both the CTM-200 and VPN router devices and retest.


5 Information Required for Support

After going through this questionnaire, you may in some cases need to contact Cypress Solutions for troubleshooting assistance. So that Cypress Solutions support staff can properly diagnose problems, please gather the following details.

5.1.1 Provide a Detailed Topology Diagram

Refer to section 4.2 for instructions on how the topology diagram should look.

5.1.2 Enable Detailed IPsec VPN debugging on the CTM-200

Enable detailed IPsec debugging.

- In the Web interface under the IPsec | General page, set the Log Level field to debug.
- In the command-line interface, enter the following commands:

    cmd ipsec loglevel debug
    cmd save
    cmd pwr mode 2

5.1.3 Capture Basic Diagnostic Logs

In the Web interface, copy the following details and paste them into a text file via Notepad, Wordpad, Word, etc.:

- Status | Details (System Info)
- Status | ShowConfig
- Log | Syslog (Syslog Messages)
- Log | Events (Event Log)
- Status | RFstats

From the Windows Command Prompt, start a Telnet session with logging in the current working directory using telnet <LAN IP address> -f <log file name>, e.g. telnet 192.168.1.1 -f ctm200.log. In the command-line interface, enter the following commands:

    cmd showstate
    cmd showconfig
    cmd syslog
    cmd event dump
    cmd rfstats

5.1.4 Check that the IPsec VPN tunnel is up

Capture the output of the following command: setkey -DP

Sample output of a working tunnel:

    / # setkey -DP
    172.16.7.0/24[any] 192.168.0.0/16[any] 255
        out prio def ipsec
        esp/tunnel/173.181.245.148-69.90.37.170/unique#16815
        created: May 22 17:01:24 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5225 seq=1 pid=20041
        refcnt=1
    192.168.0.0/16[any] 172.16.7.0/24[any] 255
        fwd prio def ipsec
        esp/tunnel/69.90.37.170-173.181.245.148/require
        created: May 22 17:01:24 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5218 seq=2 pid=20041
        refcnt=1
    192.168.0.0/16[any] 172.16.7.0/24[any] 255
        in prio def ipsec
        esp/tunnel/69.90.37.170-173.181.245.148/unique#16814
        created: May 22 17:01:24 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5208 seq=3 pid=20041
        refcnt=1
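A parser for the setkey -DP output shown above, as an added example that is not part of the Cypress document: it extracts each security policy and confirms that the out, in and fwd ESP tunnel policies exist for the expected subnet pair and gateway addresses, reporting any direction that is missing. Function names are assumptions; the embedded sample is the page's working-tunnel output trimmed to the lines the parser reads.

```python
# Added example, not from the Cypress document: parses 'setkey -DP' output (section
# 5.1.4) and checks the out/in/fwd ESP tunnel policies for a site-to-site tunnel.
import re

POLICY_HDR = re.compile(r"^(\S+)\[any\] (\S+)\[any\] \d+$")
DIR_LINE = re.compile(r"^(in|out|fwd) prio \S+ ipsec$")
ESP_LINE = re.compile(r"^esp/tunnel/([\d.]+)-([\d.]+)/(\S+)$")

def parse_spd(text):
    """List of policies {src, dst, dir, tun_src, tun_dst, level} from setkey -DP output."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_HDR.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            policies.append(cur)
        elif cur is not None:
            d = DIR_LINE.match(line)
            e = ESP_LINE.match(line)
            if d:
                cur["dir"] = d.group(1)
            elif e:
                cur["tun_src"], cur["tun_dst"], cur["level"] = e.groups()
    return policies

def tunnel_policies_present(text, local_net, remote_net, local_gw, remote_gw):
    """Return (ok, missing_directions) for the expected site-to-site ESP tunnel."""
    want = {  # direction -> (src net, dst net, tunnel src gw, tunnel dst gw)
        "out": (local_net, remote_net, local_gw, remote_gw),
        "in": (remote_net, local_net, remote_gw, local_gw),
        "fwd": (remote_net, local_net, remote_gw, local_gw),
    }
    seen = set()
    for p in parse_spd(text):
        key = (p["src"], p["dst"], p.get("tun_src"), p.get("tun_dst"))
        if want.get(p.get("dir")) == key:
            seen.add(p["dir"])
    missing = sorted(d for d in want if d not in seen)
    return (not missing, missing)

# Constructed sample: the working-tunnel output from 5.1.4, trimmed to the lines
# the parser uses (created/lifetime/spid/refcnt lines are ignored anyway).
SAMPLE_SPD = """\
172.16.7.0/24[any] 192.168.0.0/16[any] 255
\tout prio def ipsec
\tesp/tunnel/173.181.245.148-69.90.37.170/unique#16815
192.168.0.0/16[any] 172.16.7.0/24[any] 255
\tfwd prio def ipsec
\tesp/tunnel/69.90.37.170-173.181.245.148/require
192.168.0.0/16[any] 172.16.7.0/24[any] 255
\tin prio def ipsec
\tesp/tunnel/69.90.37.170-173.181.245.148/unique#16814
"""
```

Calling tunnel_policies_present(SAMPLE_SPD, "172.16.7.0/24", "192.168.0.0/16", "173.181.245.148", "69.90.37.170") returns (True, []); a capture with no inbound policy would return (False, ["in"]).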

5.1.5 Capture routing table on CTM-200

Use ip route list instead of, or in addition to, route; it provides more information on source routing (i.e. the src 172.16.7.1 entry in this case):

    root@CTM200:~# ip route list
    10.64.64.64 dev ppp0  proto kernel  scope link  src 173.181.245.148
    69.90.37.170 via 10.64.64.64 dev ppp0
    ...
    192.168.0.0/16 via 10.64.64.64 dev ppp0  src 172.16.7.1
    default via 10.64.64.64 dev ppp0

5.1.6 Capture firewall rules for the IPsec tunnels defined

Use iptables -t nat -L to verify that the prerouting/postrouting rules for the tunnels are defined.

    root@CTM200:~# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  192.168.0.0/16       anywhere
    ...
    ACCEPT     all  --  192.9.0.0/16         anywhere
    ACCEPT     all  --  10.183.0.0/16        anywhere

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             192.168.0.0/16
    ...
    ACCEPT     all  --  anywhere             192.9.0.0/16
    ACCEPT     all  --  anywhere             10.183.0.0/16
    ACCEPT     esp  --  anywhere             anywhere
    MASQUERADE all  --  anywhere             anywhere


6 Technical Support

Cypress Solutions Service Support Group
1.877.985.2878 or 604.294.4465
9.00am to 5.00pm PST
[email protected]