
Application Note

IPsec VPN with Cisco Router for R3000

Document Name: Application Note


Version: v.1.0.0
Date: 2014-05-20
Status: Confidential
DocID: RT_AN002_R3000 S_IPsec VPN with Cisco Router for R3000

www.robustel.com
IPsec with Cisco router for R3000

Contents
Chapter 1. Introduction
1.1 Overview
1.2 Assumptions
1.3 Rectifications
1.4 File Version
Chapter 2. Application Topology
Chapter 3. Configuration
3.1 Cisco Configuration
3.2 R3000 Configuration
3.2.1 Configure Link Management
3.2.2 Configure Cellular WAN
3.2.3 Configure LAN IP address
3.2.4 IPsec Configuration
Chapter 4. Testing
4.1 Cellular Status
4.2 VPN Status and Communication
4.3 Event/Log
Chapter 5. Appendix
5.1 Firmware Version


Chapter 1. Introduction

1.1 Overview

A VPN (Virtual Private Network) is a technology that establishes a private network tunnel over a public network. IPsec
VPN is a LAN-to-LAN or remote-access VPN technology based on the IPsec protocol suite, which provides end-to-end
encryption and authentication across public and private networks.

This application note is written for customers who have a good understanding of Robustel products and experience with
VPNs. It shows how to configure and test an IPsec VPN between the R3000 and a Cisco router over the cellular
network.

1.2 Assumptions

The IPsec VPN feature has been fully tested, and this Application Note was written by a technically competent engineer
who is familiar with Robustel products and the application requirements.
This Application Note is based on:
- Product Model: Robustel GoRugged R3000 industrial cellular VPN router.
- Firmware Version: R3000_S_V1.01.01.fs.
- Configuration: This Application Note assumes the Robustel products are set to factory defaults. Most configuration
steps are only shown if they differ from the factory default settings.

The R3000’s cellular WAN address can be dynamic or static, and public or “private with NAT”. The configuration
remains valid in each case, but this depends on the capabilities and the IOS version of the Cisco router. An R3000
with a dynamic private IP address can still run IPsec VPN, but the central Cisco router must support NAT traversal;
the R3000 fully supports NAT traversal with its default settings.

The central Cisco router must have a public IP address on its WAN interface. This address can be dynamic or
static. If the central Cisco router uses a dynamic public IP address, a dynamic DNS service must be used to map the
dynamic public IP address to a static domain name.

- Note about Cisco NAT Traversal:

NAT Traversal is a feature that is auto-detected by VPN devices. There are no configuration steps for a router
running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto-detected and
auto-negotiated.

1.3 Rectifications

Corrections and rectifications to this Application Note are appreciated; requests for new Application Notes can
also be sent to the email address support@robustel.com.

1.4 File Version

Updates between document versions are cumulative. Therefore, the latest document version contains all updates
made to previous versions.

Release Date | Firmware Version | Details
2014-05-20 | 1.01.01 | First Release


Chapter 2. Application Topology

1. The Cisco router acts as the central router and has either a static public IP address or a dynamic public IP address
with a domain name.
2. The R3000 works on the cellular network with any kind of IP address that can access the Internet and reach the Cisco
router.
3. An IPsec VPN is established between the central Cisco router and the R3000; the interesting traffic from the R3000 side
(192.168.1.0/24) to the Cisco router side (172.16.10.0/24) is encrypted, and vice versa.


Chapter 3. Configuration

3.1 Cisco Configuration

Enter configuration mode and check the IOS version of the Cisco router. You must first be in Enable mode and then
enter configuration mode (e.g. by typing “configure terminal”).
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

The entries below set the host name of the Cisco router.
hostname cisco2811
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ROMx$RGJMeV3dfHuOQu0z7Ffjh.

The entries below configure the Internet Security Association and Key Management Protocol (ISAKMP) policy, which
corresponds to the IKE configuration on the R3000. They show the Cisco router using 3DES as the encryption algorithm,
MD5 as the hash algorithm, pre-shared keys as the authentication method, and Diffie-Hellman group 2.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

The following entry configures NAT-T keepalives.
crypto isakmp nat keepalive 60

The following entry defines the pre-shared key used to authenticate the remote peer. Because the remote R3000 may
connect from any (dynamic) address, the wildcard address 0.0.0.0 0.0.0.0 is used.
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

The following entry defines an IPsec transform set called “TRA”. This transform set contains the settings required for
the IPsec VPN: ESP with 3DES for encryption and ESP with MD5-HMAC for authentication.
crypto ipsec transform-set TRA esp-3des esp-md5-hmac

The following entries are required so that a remote peer with a dynamic IP address can establish an IPsec session with
the Cisco router. Any such peer must match the IPsec transform set TRA, and the IPsec VPN will only route packets into
the tunnel that match access-list 101.


crypto dynamic-map DYN 10
set transform-set TRA
match address 101

The following crypto map binds the dynamic map DYN to the static crypto map SMAP.
crypto map SMAP 10 ipsec-isakmp dynamic DYN

The following entry defines access-list 101.
access-list 101 permit ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255

The Cisco router is connected to the Internet through FastEthernet0/0, and its LAN is connected to FastEthernet0/1. The
crypto map must be applied to the WAN interface, and the NAT feature is enabled on both Ethernet interfaces.
interface FastEthernet0/0
ip address 58.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SMAP
!
interface FastEthernet0/1
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
access-list 100 permit ip 172.16.10.0 0.0.0.255 any
!
ip nat inside source list 100 interface FastEthernet0/0 overload

The following entry configures the default gateway of the Cisco router.
ip route 0.0.0.0 0.0.0.0 58.1.1.100

Save the configuration on the Cisco router.
copy running-config startup-config

3.2 R3000 Configuration

3.2.1 Configure Link Management

1. Install the antenna and insert the SIM card into the R3000, then power on the R3000 and log in to its Web GUI page.


Note: Factory settings when logging in to the Web GUI

Item | Description
Username | admin
Password | admin
Eth0 | 192.168.0.1/255.255.255.0, LAN mode
Eth1 | 192.168.0.1/255.255.255.0, LAN mode
DHCP Server | Enabled

2. Browse to “Configuration”-> “Link Management”.
- Click the drop-down box of “Primary Interface” and select “Cellular”.
- Click “Apply”.

Item | Description | Setting
Primary Interface | Select “Cellular”, “Eth0” or “WiFi” as the primary connection interface. | Cellular

3.2.2 Configure Cellular WAN

1. Browse to “Configuration”-> “Cellular WAN”-> “ISP Profile”.
- Click “Add” to enter the APN (Access Point Name) and Dialup No. for each ISP.
- If required, enter the Username and Password in the appropriate fields.
- Click “Apply”.
Note: The APN, Username, Password and Dialup No. are usually provided by the ISP.


Item | Description | Setting
ISP | Enter the relevant ISP network name | Enter accordingly
APN | Enter the correct APN for the network | Enter accordingly
Username | Enter the correct Username for the network | Enter accordingly
Password | Enter the correct Password for the network | Enter accordingly
Dialup No. | Enter the correct Dialup No. for the network | Enter accordingly

2. Browse to “Configuration”-> “Cellular WAN”-> “Basic”.
- In the “Cellular Settings” region, click the drop-down box of “Network Provider Type” for both SIM cards and select
the “ISP” that you configured in “Configuration”-> “Cellular WAN”-> “ISP Profile”.
- If required, enter the PIN number for SIM1 and SIM2 in “PIN Type”.
- In the “Connection Mode” region, click the drop-down box of “Connection Mode” and select the connection mode
accordingly. “Always Online” mode is selected in this Application Note.
- Click “Apply”.

Item | Description | Setting
Network Provider Type | Select from “Auto”, “Custom” or the ISP name you preset in “Configuration”->”Cellular WAN”->”ISP Profile”. | Enter accordingly
Connection Mode | Select the connection mode used when the R3000 dials up to get access to the Internet. | Always Online


3.2.3 Configure LAN IP address

1. Browse to “Configuration”-> “Ethernet”-> “Eth1”.
- Set the IP address and netmask of Eth1 accordingly.
- Click “Apply”.
Note: Eth0 works in bridge mode with Eth1 by default. Eth0 and Eth1 share Eth1’s IP address in bridge mode.

Item | Description | Setting
IP Address | Set the IP address of Eth1 | Enter accordingly
NetMask | Set the netmask of Eth1 | Enter accordingly
MTU | Set the MTU of Eth1 | 1500
Media Type | Set the media type of Eth1 | Auto-negotiation

3.2.4 IPsec Configuration

The following sections relate to the IPsec VPN parameters.

1. Browse to “Configuration”-> “IPsec”-> “IPsec Basic” and enable the NAT traversal feature.
- Tick the checkbox “Enable NAT Traversal”.
- Enter the value of Keepalive Interval(s).
- Click “Apply”.
Note: This item must be enabled when the router is behind NAT.

Item | Description | Setting
Enable NAT Traversal | Tick to enable NAT Traversal for IPsec. This item must be enabled when the router is behind NAT. | Enable
Keepalive Interval | The interval at which the router sends keepalive packets to the NAT device so that it does not remove the active NAT mapping. | 30


2. IPsec Common: browse to “Configuration”-> “IPsec”-> “IPsec Tunnel”.
- Click “Add” to enter the IPsec Tunnel settings.
- Set the IPsec Gateway address and the subnets accordingly.

Item | Description | Setting
IPsec Gateway Address | Enter the address of the remote IPsec VPN server. | Enter accordingly
IPsec Mode | Select from “Tunnel” and “Transport”. Tunnel: uses tunnel mode. Transport: uses transport mode. | Select accordingly
IPsec Protocol | Select the security protocol from “ESP” and “AH”. ESP: uses the ESP protocol. AH: uses the AH protocol. | Select accordingly
Local Subnet | Enter the address of the local protected subnet. | Enter accordingly
Local Subnet Mask | Enter the mask of the local protected subnet. | Enter accordingly
Local ID Type | Select from “IP Address”, “FQDN” and “User FQDN” for IKE negotiation. “Default” stands for “IP Address”. | Enter accordingly
Remote Subnet | Enter the address of the remote protected subnet. | Enter accordingly
Remote Subnet Mask | Enter the mask of the remote protected subnet. | Enter accordingly
Remote ID Type | Select from “IP Address”, “FQDN” and “User FQDN” for IKE negotiation. | Select accordingly

3. Enable Phase 1 – IKE configuration.
- The Encryption and Authentication in phase 1 should be set to 3DES and MD5 to match the settings on the Cisco router.


Item | Description | Setting
Negotiation Mode | Select from “Main” and “aggressive” for the IKE negotiation mode in phase 1. | Select accordingly
Encryption Algorithm | Select from “DES”, “3DES”, “AES128”, “AES192” and “AES256” to be used in IKE negotiation. | Select accordingly
DH Group | Select from “MODP768_1”, “MODP1024_2” and “MODP1536_5” to be used in key negotiation phase 1. | Select accordingly
Authentication | Select from “PSK”, “CA”, “XAUTH Init PSK” and “XAUTH Init CA” to be used in IKE negotiation. | Select accordingly
Secrets | Enter the pre-shared key. | Enter accordingly
Life Time @ IKE Parameter | Set the lifetime of the IKE negotiation. | 3600

4. Phase 2 – IPsec SA configuration.
- The SA Algorithm should be set to 3DES_MD5_96 to match the settings on the Cisco router.

Item | Description | Setting
SA Algorithm | The encryption and authentication algorithms to use. | Select accordingly
PFS Group | Select from “PFS_NULL”, “MODP768_1”, “MODP1024_2” and “MODP1536_5”. | Select accordingly
Life Time @ SA Parameter | Set the IPsec SA lifetime. | 28800
DPD Time Interval | Set the interval after which DPD is triggered if no IPsec protected packets are received from the peer. | 180
DPD Timeout | Set the timeout of DPD packets. | 60


5. IPsec Advanced configuration.
- ICMP detection over IPsec can ping an IP device behind the peer router, but there is no need to enable this
feature in this scenario.
- Click “Apply”->”Save”->”Reboot”.

Item | Description | Setting
Enable Compress | Tick to enable compression of the inner headers of IP packets. | Disable
Enable ICMP Detection | Click to enable ICMP detection. | Disable
ICMP Detection Server | Enter the IP address or domain name of the remote server. The router will ping this address/domain name to check whether the current connectivity is active. | Null
ICMP Detection Local IP | Set the local IP address. | Null
ICMP Detection Interval | Set the ping interval time. | 30
ICMP Detection Timeout | Set the ping timeout. | 5
ICMP Detection Retries | If the router's pings to the preset address/domain name time out continuously for the Max Retries count, it will try to re-establish the VPN tunnel. | 3
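The Phase 1 and Phase 2 values entered in steps 3 and 4 must mirror the Cisco policy from section 3.1. The Python script below is an added example (not part of this note or of the R3000 firmware) that reads a constructed copy of that Cisco configuration excerpt, derives the matching R3000 GUI settings, and also reports when NAT access-list 100 overlaps crypto access-list 101, which is worth reviewing because IOS applies inside-to-outside NAT before it evaluates the crypto map; the function names and the mapping tables are the example's own assumptions.

```python
import ipaddress
import re

# Constructed copy of the Cisco configuration excerpt from section 3.1 (not read from a live router).
CISCO_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp nat keepalive 60
crypto ipsec transform-set TRA esp-3des esp-md5-hmac
access-list 101 permit ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.10.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
"""

# Cisco keywords mapped onto the R3000 GUI choices listed in section 3.2.4.
DH_GROUP = {"1": "MODP768_1", "2": "MODP1024_2", "5": "MODP1536_5"}
ESP_AUTH = {"esp-md5-hmac": "MD5_96"}  # only the suite this note uses; other GUI names are not shown


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair (e.g. 172.16.10.0 0.0.0.255) into an IPv4Network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def parse_acl(config, number):
    """Return (source, destination) networks of 'access-list N permit ip ...'; 'any' becomes 0.0.0.0/0."""
    m = re.search(rf"^access-list {number} permit ip (\S+) (\S+) (\S+)(?: (\S+))?", config, re.M)
    src = wildcard_to_network(m.group(1), m.group(2))
    if m.group(3) == "any":
        return src, ipaddress.IPv4Network("0.0.0.0/0")
    return src, wildcard_to_network(m.group(3), m.group(4))


def expected_r3000_settings(config):
    """Derive the R3000 Phase 1, Phase 2 and subnet settings that mirror the Cisco side."""
    encr = re.search(r"^\s*encr (\S+)", config, re.M).group(1).upper()
    hash_alg = re.search(r"^\s*hash (\S+)", config, re.M).group(1).upper()
    group = re.search(r"^\s*group (\d+)", config, re.M).group(1)
    auth = re.search(r"^\s*authentication (\S+)", config, re.M).group(1)
    ts = re.search(r"crypto ipsec transform-set \S+ esp-(\S+) (esp-\S+-hmac)", config)
    cisco_lan, r3000_lan = parse_acl(config, 101)  # the crypto ACL is written from the Cisco side
    return {
        "ike_encryption": encr,                  # 3DES
        "ike_hash": hash_alg,                    # MD5
        "ike_dh_group": DH_GROUP[group],         # MODP1024_2
        "ike_authentication": "PSK" if auth == "pre-share" else auth,
        "sa_algorithm": f"{ts.group(1).upper()}_{ESP_AUTH[ts.group(2)]}",  # 3DES_MD5_96
        "local_subnet": str(r3000_lan),          # "local" from the R3000's point of view
        "remote_subnet": str(cisco_lan),
    }


def nat_acl_overlaps_crypto_acl(config):
    """True when the NAT ACL (100) also matches the traffic the crypto ACL (101) is meant to protect."""
    nat_src, nat_dst = parse_acl(config, 100)
    vpn_src, vpn_dst = parse_acl(config, 101)
    return vpn_src.subnet_of(nat_src) and vpn_dst.subnet_of(nat_dst)


if __name__ == "__main__":
    print(expected_r3000_settings(CISCO_CONFIG))
    print("NAT list 100 also matches VPN traffic:", nat_acl_overlaps_crypto_acl(CISCO_CONFIG))
```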


Chapter 4. Testing

4.1 Cellular Status

1. Browse to “Status”-> “System”->“Current WAN Link” and “Cellular Information”.
- Check that the R3000 has dialed up, obtained an IP address and has access to the Internet.

4.2 VPN Status and Communication

1. Browse to “Status”-> “VPN” and “IPsec”.
- Check that the R3000 has established the IPsec VPN with the Cisco router.

- Browse to “Administration”-> “Tools” and “Ping”.

Ping from 192.168.1.1 to 172.16.10.111 and receive ICMP replies from the Cisco router side. LAN-to-LAN communication is
working correctly.


4.3 Event/Log

The Event/Log shows the running processes and status of the R3000.

Note: You can usually check the Event/Log file in “Status”-> “Event/Log”.
...
14-05-21 20:18:31 <2> router: change network (Null)->(Cellular - up)
14-05-21 20:18:31 <0> router: system service starting...
14-05-21 20:18:34 <3> ipsec: WARNING: 1DES is enabled
14-05-21 20:18:34 <3> ipsec: LEAK_DETECTIVE support [enabled]
14-05-21 20:18:34 <3> ipsec: OCF support for IKE [disabled]
14-05-21 20:18:34 <3> ipsec: SAref support [disabled]: Protocol not available
14-05-21 20:18:34 <3> ipsec: SAbind support [disabled]: Protocol not available
14-05-21 20:18:34 <3> ipsec: NSS support [disabled]
14-05-21 20:18:34 <3> ipsec: HAVE_STATSD notification support not compiled in
14-05-21 20:18:34 <3> ipsec: Setting NAT-Traversal port-4500 floating to on
14-05-21 20:18:34 <3> ipsec: port floating activation criteria nat_t=1/port_float=1
14-05-21 20:18:34 <3> ipsec: NAT-Traversal support [enabled]
14-05-21 20:18:34 <3> ipsec: using /dev/urandom as source of random entropy
14-05-21 20:18:34 <3> ipsec: starting up 1 cryptographic helpers
14-05-21 20:18:34 <3> ipsec: started helper pid=651 (fd:3)
14-05-21 20:18:34 <3> ipsec: Using Linux 2.6 IPsec interface code on 2.6.39 (experimental code)
14-05-21 20:18:34 <3> ipsec: using /dev/urandom as source of random entropy
14-05-21 20:18:36 <3> ipsec: added connection description "IPsec_Tunnel_1"
14-05-21 20:18:36 <3> ipsec: listening for IKE messages
14-05-21 20:18:36 <3> ipsec: adding interface eth2/eth2 10.176.190.244:500
14-05-21 20:18:36 <3> ipsec: adding interface eth2/eth2 10.176.190.244:4500
14-05-21 20:18:36 <3> ipsec: loading secrets from "/etc/ipsec.secrets"
14-05-21 20:18:40 <0> router: sent:AT+COPS?

14-05-21 20:18:40 <0> router: rcvd:
+COPS: 0,2,"46001",2

OK
14-05-21 20:18:46 <3> ipsec: "IPsec_Tunnel_1" #1: initiating Main Mode
14-05-21 20:18:48 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
14-05-21 20:18:48 <3> ipsec: "IPsec_Tunnel_1" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
14-05-21 20:18:48 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
14-05-21 20:18:48 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [Cisco-Unity]
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [Dead Peer Detection]
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: ignoring unknown Vendor ID payload [7ac012584790d658f76789c2c9a96743]
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [XAUTH]
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: Main mode peer ID is ID_IPV4_ADDR: '58.1.1.1'
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: Dead Peer Detection (RFC 3706): enabled
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1 msgid:177b58b3 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
14-05-21 20:18:53 <3> ipsec: "IPsec_Tunnel_1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=177b58b3
14-05-21 20:18:54 <3> ipsec: "IPsec_Tunnel_1" #2: 1 IPSec connections are currently being managed
14-05-21 20:18:54 <3> ipsec: "IPsec_Tunnel_1" #2: Dead Peer Detection (RFC 3706): enabled
14-05-21 20:18:54 <3> ipsec: "IPsec_Tunnel_1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
14-05-21 20:18:54 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc032ca9b <0xd076da6d xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
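To make an Event/Log like the one above easier to audit, the Python script below is an added example (not part of this note or of the R3000 firmware) that parses lines in this format, extracts the NAT-T detection result, the peer ID and the negotiated ISAKMP and IPsec SA parameters, and compares them with the 3DES/MD5/group 2 policy both routers are configured for in this note, reporting those algorithms as legacy, which is the check a reviewer would add today. The sample lines are a constructed copy of the excerpt, and the function names are the example's own.

```python
import re

# Constructed sample in the R3000 Event/Log format, modelled on the excerpt above (not a live capture).
SAMPLE_LOG = """\
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: Main mode peer ID is ID_IPV4_ADDR: '58.1.1.1'
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: Dead Peer Detection (RFC 3706): enabled
14-05-21 20:18:54 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc032ca9b <0xd076da6d xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
14-05-21 20:18:40 <0> router: sent:AT+COPS?
"""

# What both routers are configured for in this note (ISAKMP policy 10 / transform set TRA).
EXPECTED_PHASE1 = {"auth": "OAKLEY_PRESHARED_KEY", "cipher": "oakley_3des_cbc_192",
                   "prf": "oakley_md5", "group": "modp1024"}
EXPECTED_XFRM = "3DES_0-HMAC_MD5"
# Algorithms that were acceptable in 2014 but are legacy today; reported rather than silently accepted.
LEGACY = ("3des", "md5", "modp768", "modp1024")

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) <(?P<lvl>\d)> ipsec: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ipsec_log(text):
    """Collect, per tunnel name, what the pluto-style log says was negotiated."""
    tunnels = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons (router:, AT command echo) carry no IPsec state
        st = tunnels.setdefault(m["conn"], {"nated": None, "peer_id": None, "dpd": False})
        msg = m["msg"]
        if "NAT-Traversal: Result" in msg:
            st["nated"] = msg.endswith("i am NATed")
        elif "peer ID is" in msg:
            st["peer_id"] = msg.rsplit("'", 2)[1]
        elif "ISAKMP SA established" in msg:
            st["phase1"] = dict(KV_RE.findall(msg[msg.index("{"):].strip("{}")))
        elif "IPsec SA established" in msg:
            st["phase2"] = dict(KV_RE.findall(msg[msg.index("{"):].strip("{}")))
        elif "Dead Peer Detection" in msg and msg.endswith("enabled"):
            st["dpd"] = True
    return tunnels


def audit_tunnel(state, expected_phase1=EXPECTED_PHASE1, expected_xfrm=EXPECTED_XFRM):
    """Compare the negotiated SAs with the intended policy and return a list of findings."""
    p1, p2 = state.get("phase1"), state.get("phase2")
    if p1 is None or p2 is None:
        return ["tunnel did not reach both the ISAKMP SA and the IPsec SA established state"]
    findings = [f"phase1 {k}={p1.get(k)} (expected {v})" for k, v in expected_phase1.items() if p1.get(k) != v]
    if p2.get("xfrm") != expected_xfrm:
        findings.append(f"phase2 xfrm={p2.get('xfrm')} (expected {expected_xfrm})")
    if not state["dpd"]:
        findings.append("Dead Peer Detection not enabled")
    negotiated = " ".join([p1.get("cipher", ""), p1.get("prf", ""), p1.get("group", ""), p2.get("xfrm", "")]).lower()
    findings.extend(f"legacy algorithm negotiated: {a}" for a in LEGACY if a in negotiated)
    return findings


if __name__ == "__main__":
    for name, state in parse_ipsec_log(SAMPLE_LOG).items():
        print(name, "NATed" if state["nated"] else "not NATed", "peer", state["peer_id"])
        for finding in audit_tunnel(state):
            print("  -", finding)
```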


Chapter 5. Appendix

5.1 Firmware Version

The configuration above was tested on R3000 with firmware version R3000_S_V1.01.01.fs.
