RT - AN002 - R3000 S - IPsec VPN With Cisco Router For R3000
www.robustel.com
IPsec with Cisco router for R3000
Contents
Chapter 1. Introduction
1.1 Overview
1.2 Assumptions
1.3 Rectifications
1.4 File Version
Chapter 2. Application Topology
Chapter 3. Configuration
3.1 Cisco Configuration
3.2 R3000 Configuration
3.2.1 Configure Link Management
3.2.2 Configure Cellular WAN
3.2.3 Configure LAN IP address
3.2.4 IPsec Configuration
Chapter 4. Testing
4.1 Cellular Status
4.2 VPN Status and Communication
4.3 Event/Log
Chapter 5. Appendix
5.1 Firmware Version
Chapter 1. Introduction
1.1 Overview
A VPN (Virtual Private Network) establishes a private tunnel across a public network. An IPsec VPN is a LAN-to-LAN or remote-access VPN built on the IPsec protocol suite; it provides end-to-end encryption and authentication for private traffic carried over the public network.
This application note is written for customers who have a good understanding of Robustel products and are experienced with VPNs. It shows how to configure and test an IPsec VPN between the R3000 and a Cisco router over the cellular network.
1.2 Assumptions
The IPsec VPN feature has been fully tested, and this Application Note was written by a technically competent engineer who is familiar with Robustel products and the application requirements.
This Application Note is based on:
Product Model: Robustel GoRugged R3000 industrial cellular VPN router.
Firmware Version: R3000_S_V1.01.01.fs.
Configuration: This Application Note assumes the Robustel products are set to factory defaults. Most configuration steps are only shown where they differ from the factory default settings.
The R3000's cellular WAN address may be dynamic or static, and public or private (behind carrier NAT). The configuration remains valid in each case, but depends on the capabilities and IOS version of the Cisco router. An R3000 with a dynamic private IP address can still establish the IPsec VPN, but the central Cisco router must support NAT traversal (NAT-T); the R3000 supports NAT traversal with its default settings.
The central Cisco router must have a public IP address on its WAN interface, either static or dynamic. If the Cisco router has a dynamic public address, a dynamic DNS service must be used so that a fixed domain name always resolves to its current address, and the R3000 is then configured with that name as the remote gateway.
1.3 Rectifications
Corrections and rectifications to this Application Note are appreciated. Please send them, and any requests for new Application Notes, to support@robustel.com.
1.4 File Version
Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous versions.

Release Date   Firmware Version   Details
2014-05-20     1.01.01            First Release
Chapter 2. Application Topology
1. The Cisco router acts as the central router and has either a static public IP address or a dynamic public IP address with a domain name.
2. The R3000 is on the cellular network with any kind of IP address that gives it Internet access and lets it reach the Cisco router.
3. An IPsec VPN is established between the central Cisco router and the R3000. The interesting traffic from the R3000 side (192.168.1.0/24) to the Cisco router side (172.16.10.0/24) is encrypted, and vice versa.
Chapter 3. Configuration
3.1 Cisco Configuration
On the Cisco router, enter Enable mode and then global configuration mode (for example, type "configure terminal") before entering the commands below. The configuration was taken from a router running IOS 12.4; the version line is the first line of the running configuration.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
The entry below sets the host name of the Cisco router.
hostname cisco2811
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ROMx$RGJMeV3dfHuOQu0z7Ffjh.
The entries below define the Internet Security Association and Key Management Protocol (ISAKMP) policy, which must match the IKE configuration on the R3000. Here the Cisco router uses 3DES for encryption, MD5 for the hash algorithm, pre-shared keys for authentication and Diffie-Hellman group 2 (1024-bit MODP). These are the algorithms the R3000 log in Chapter 4 shows being negotiated; where both peers support them, AES with SHA-2 and DH group 14 or higher should be preferred, since 3DES, MD5 and 1024-bit DH are deprecated for new deployments.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
The following entry defines the pre-shared key. The wildcard address 0.0.0.0 0.0.0.0 means the key is accepted from any remote peer address, which is what allows the R3000's changing cellular address to connect. Because this one key is shared with every possible peer, use a long random value rather than a dictionary word such as "cisco" shown here.
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
The following entry defines an IPsec transform set called "TRA". It contains the settings required for the IPsec SA: ESP with 3DES for encryption and ESP with HMAC-MD5 for authentication.
crypto ipsec transform-set TRA esp-3des esp-md5-hmac
A crypto dynamic-map (named "DYN" below) is required so that a remote peer with a dynamic IP address can establish an IPsec session with the Cisco router. Any such peer must match the transform set TRA, and only packets matching access-list 101 are sent into the tunnel.
The following crypto map entry states that the dynamic map DYN is invoked from the static crypto map SMAP.
crypto map SMAP 10 ipsec-isakmp dynamic DYN
The Cisco router's FastEthernet0/0 is connected to the Internet and its LAN is on FastEthernet0/1. The crypto map must be applied to the WAN interface, and NAT is enabled on both Ethernet interfaces (outside on FastEthernet0/0, inside on FastEthernet0/1). Note that IOS performs inside-to-outside NAT before it evaluates the crypto map, so traffic from 172.16.10.0/24 to 192.168.1.0/24 must be excluded from the NAT access-list with a deny entry ahead of the permit; otherwise it is translated to 58.1.1.1 and no longer matches the crypto access-list.
interface FastEthernet0/0
ip address 58.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SMAP
!
interface FastEthernet0/1
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
access-list 100 permit ip 172.16.10.0 0.0.0.255 any
!
ip nat inside source list 100 interface FastEthernet0/0 overload
The following entry configures the default route for the Cisco router.
ip route 0.0.0.0 0.0.0.0 58.1.1.100
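As an added example (not part of the original application note), the complete Cisco-side crypto and NAT configuration as the editor reconstructs it from the fragments above. It supplies the crypto dynamic-map and the crypto access-list that the text refers to but does not show, and it excludes the VPN traffic from NAT. The dynamic-map sequence number 10 and the deny entry in access-list 100 are the editor's additions; the map names, transform set, interfaces and addresses are the ones used on this page.

```cisco
! Phase 1 (ISAKMP) policy, as on the page. Weak by today's standards:
! prefer AES, SHA-2 and DH group 14+ where the R3000 firmware supports them.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Wildcard pre-shared key: any peer address presenting this key may negotiate.
! Replace "cisco" with a long random key before deployment.
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
! Phase 2 transform set, as on the page.
crypto ipsec transform-set TRA esp-3des esp-md5-hmac
!
! Dynamic crypto map for peers with unknown (cellular, NATed) addresses.
! Sequence number 10 is assumed; the page only names the map DYN.
crypto dynamic-map DYN 10
 set transform-set TRA
 match address 101
!
! Static crypto map that invokes the dynamic map.
crypto map SMAP 10 ipsec-isakmp dynamic DYN
!
! Crypto ACL: the "interesting traffic" from the topology chapter.
access-list 101 permit ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT ACL: deny the VPN traffic first. IOS applies inside-to-outside NAT before
! the crypto map, so without this line the traffic is translated to 58.1.1.1
! and never matches access-list 101.
access-list 100 deny   ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.10.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 ip address 58.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map SMAP
!
interface FastEthernet0/1
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 58.1.1.100
```

After the tunnel comes up, "show crypto isakmp sa" and "show crypto ipsec sa" on the Cisco router show the ISAKMP SA state and the ESP packet counters for the peer; non-zero encaps/decaps counters confirm that LAN traffic is actually entering the tunnel rather than being translated by NAT.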
3.2 R3000 Configuration
1. Install the antenna, insert the SIM card into the R3000, power on the R3000 and log in to its Web GUI.
Chapter 4. Testing
4.3 Event/Log
The R3000 event log below shows the IKE exchange with the Cisco router: main mode (messages MI1 to MI4) establishes the ISAKMP SA, and quick mode establishes the IPsec SA. The "ISAKMP SA established" line confirms the negotiated algorithms (pre-shared key, 3DES, MD5, DH group modp1024, matching the Cisco policy in 3.1), the "NAT-Traversal" line shows the R3000 detected that it is behind carrier NAT and is using NAT-T, and "pfsgroup=no-pfs" shows that Perfect Forward Secrecy was not negotiated for the IPsec SA.
14-05-21 20:18:46 <3> ipsec: "IPsec_Tunnel_1" #1: initiating Main Mode
14-05-21 20:18:48 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
14-05-21 20:18:48 <3> ipsec: "IPsec_Tunnel_1" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
14-05-21 20:18:48 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
14-05-21 20:18:48 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [Cisco-Unity]
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [Dead Peer Detection]
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: ignoring unknown Vendor ID payload [7ac012584790d658f76789c2c9a96743]
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: received Vendor ID payload [XAUTH]
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: Main mode peer ID is ID_IPV4_ADDR: '58.1.1.1'
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: Dead Peer Detection (RFC 3706): enabled
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1 msgid:177b58b3 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
14-05-21 20:18:53 <3> ipsec: "IPsec_Tunnel_1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=177b58b3
14-05-21 20:18:54 <3> ipsec: "IPsec_Tunnel_1" #2: 1 IPSec connections are currently being managed
14-05-21 20:18:54 <3> ipsec: "IPsec_Tunnel_1" #2: Dead Peer Detection (RFC 3706): enabled
14-05-21 20:18:54 <3> ipsec: "IPsec_Tunnel_1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
14-05-21 20:18:54 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc032ca9b <0xd076da6d xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
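As an added example (editor's code, not part of the original application note or of Robustel's firmware), the following script reads a pluto-style R3000 event log like the one above, extracts the peer identity, the NAT-T result and the negotiated ISAKMP and IPsec SA parameters, and checks them against a minimum policy (no DES/3DES, no MD5, DH group of at least 2048 bits, PFS enabled). The first sample is copied from the log above with the wrapped lines re-joined; the second sample, showing a tunnel that passes the policy, is constructed for this example and did not come from an R3000. Field names and the policy thresholds are the editor's choices.

```python
import re

# Lines copied from the R3000 event log above (wrapped lines re-joined); only the
# lines this check reads are kept.
R3000_LOG = """\
14-05-21 20:18:46 <3> ipsec: "IPsec_Tunnel_1" #1: initiating Main Mode
14-05-21 20:18:50 <3> ipsec: "IPsec_Tunnel_1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: Main mode peer ID is ID_IPV4_ADDR: '58.1.1.1'
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
14-05-21 20:18:51 <3> ipsec: "IPsec_Tunnel_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1 msgid:177b58b3 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
14-05-21 20:18:54 <3> ipsec: "IPsec_Tunnel_1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc032ca9b <0xd076da6d xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
"""

# Constructed sample (not a real R3000 log) in the same format, for a tunnel
# negotiated with AES-256, SHA-256, DH group 14 (modp2048) and PFS.
STRONG_LOG = """\
14-05-21 21:00:01 <3> ipsec: "IPsec_Tunnel_1" #3: Main mode peer ID is ID_IPV4_ADDR: '58.1.1.1'
14-05-21 21:00:01 <3> ipsec: "IPsec_Tunnel_1" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha2_256 group=modp2048}
14-05-21 21:00:01 <3> ipsec: "IPsec_Tunnel_1" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3 msgid:0a1b2c3d proposal=AES(12)_256-SHA2_256(5)_256 pfsgroup=OAKLEY_GROUP_MODP2048}
14-05-21 21:00:02 <3> ipsec: "IPsec_Tunnel_1" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x01020304 <0x05060708 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=enabled}
"""

PEER_RE = re.compile(r"peer ID is (?P<idtype>\S+): '(?P<peer>[^']+)'")
NAT_RE = re.compile(r"NAT-Traversal: Result using (?P<method>\S+): (?P<result>.+)$")
ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<attrs>[^}]*)\}")
QUICK_RE = re.compile(r"initiating Quick Mode .*?\{(?P<attrs>[^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established (?P<mode>tunnel|transport) mode \{(?P<attrs>[^}]*)\}")

WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}   # DH groups 1, 2 and 5


def _attrs(text):
    """Turn 'auth=X cipher=Y ...' into a dict; tokens without '=' are dropped."""
    out = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            out[key] = val
    return out


def parse_tunnel_log(log):
    """Extract peer identity, NAT-T result and negotiated SA parameters from a
    pluto-style IPsec log (the format the R3000 writes)."""
    sa = {"peer": None, "nat_t": None, "isakmp": {}, "quick": {}, "ipsec": {}}
    for line in log.splitlines():
        if m := PEER_RE.search(line):
            sa["peer"] = m.group("peer")
        elif m := NAT_RE.search(line):
            sa["nat_t"] = m.group("result").strip()
        elif m := ISAKMP_RE.search(line):
            sa["isakmp"] = _attrs(m.group("attrs"))
        elif m := QUICK_RE.search(line):
            sa["quick"] = _attrs(m.group("attrs"))
        elif m := IPSEC_RE.search(line):
            sa["ipsec"] = _attrs(m.group("attrs"))
            sa["ipsec"]["mode"] = m.group("mode")
    return sa


def audit(sa):
    """Return the policy findings for a parsed SA. An empty list means the
    negotiated algorithms meet the minimum: no DES/3DES, no MD5, DH >= 2048 bits, PFS on."""
    findings = []
    isakmp, quick, ipsec = sa["isakmp"], sa["quick"], sa["ipsec"]
    if not isakmp:
        return ["no ISAKMP SA established"]
    if "des" in isakmp.get("cipher", "").lower():          # matches des and 3des
        findings.append(f"weak IKE cipher {isakmp['cipher']}")
    if "md5" in isakmp.get("prf", "").lower():
        findings.append(f"weak IKE hash {isakmp['prf']}")
    if isakmp.get("group") in WEAK_DH_GROUPS:
        findings.append(f"weak IKE DH group {isakmp['group']}")
    if not ipsec:
        findings.append("no IPsec SA established")
        return findings
    if quick.get("pfsgroup", "no-pfs") == "no-pfs":
        findings.append("no PFS on IPsec SA")
    xfrm = ipsec.get("xfrm", "").upper()
    if "DES" in xfrm:
        findings.append(f"weak ESP encryption in {ipsec['xfrm']}")
    if "MD5" in xfrm:
        findings.append(f"weak ESP integrity in {ipsec['xfrm']}")
    return findings


if __name__ == "__main__":
    for name, log in (("page log", R3000_LOG), ("constructed strong log", STRONG_LOG)):
        sa = parse_tunnel_log(log)
        print(f"{name}: peer={sa['peer']} nat_t={sa['nat_t']!r}")
        for finding in audit(sa) or ["policy OK"]:
            print("  -", finding)
```

Run against the page's log, the audit reports six findings (3DES and MD5 in both phases, DH group modp1024 and no PFS), which is exactly what the Cisco policy in 3.1 asks for; the constructed strong log produces none. The same parser can be pointed at a syslog export from a fleet of R3000s to find tunnels still negotiating the legacy parameters after the Cisco policy has been tightened.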
Chapter 5. Appendix
5.1 Firmware Version
The configuration above was tested on the R3000 with firmware version R3000_S_V1.01.01.fs.