Application Note 10. IPSec Over Cellular using Digi Transport Routers Pre-shared keys. UK Support February 2010

Transcription

1 Application Note 10 IPSec Over Cellular using Digi Transport Routers Pre-shared keys UK Support February 2010

2 Contents 1 Introduction Outline Assumptions Corrections Version Digi WR41 VPN INItiator Configuration Inside Ethernet Interface Outside Cellular PPP Interface WR41 Wireless WAN (W-WAN) Module WR41 Phase 1 IKE WR41 Phase 2 IPSec WR41 Initiator Pre-shared Key WR41 Configure Packet Analyser for Debugging DR6410 VPN Responder Configuration Inside LAN Ethernet Interface Outside ADSL PPP Interface DR6410 Phase 1 IKE DR6410 Phase 2 IPSEC DR6410 Initiator Pre-shared Key TESTING Successful connection from the initiator point of view: Eventlog IPSEC Security Associations Debugging Debug Failed Connection: Phase 2 - No Matching Eroute Debug Failed Connection: Phase 1 - Aggressive mode off Debug Failed Connection: Phase 1 - Preshared Key Incorrect Debug Failed Connection: Phase 1 - Algorithm unsupported... 25

3 5.5 IPSec Debug for Successful Connection Configuration Files Sarian DR6410 Responder Configuration Sarian WR41 Initiator Configuration Sarian Firmware Versions Figures Figure 1-1: Overview Diagram... 4 Figure 2-1: WR41 Ethernet 0 configuration... 6 Figure 2-2: WR41 PPP 1 Configuration... 7 Figure 2-3: WR41 W-WAN Module configuration... 8 Figure 2-4: WR41 Phase 1 IKE... 9 Figure 2-5: WR41 Phase 2 IPSec Figure 2-6: WR41 Initiator Pre-shared Key Figure 2-7: WR41 Packet Analyser for Debugging Figure 3-1: DR6410 Ethernet 0 configuration Figure 3-2: DR6410 ADSL Interface Figure 3-3: DR6410 Phase 1 IKE Figure 3-4: DR6410 Phase 2 IPSEC Figure 3-5: DR6410 Pre-Shared Key Figure 3-6: WR41 Packet Analyser for Debugging Figure 4-1: WR41 Eventlog Figure 4-2: DR6410 IPSec SA s Figure 4-3: WR41 IPSec SA s... 21

4 1 INTRODUCTION 1.1 Outline This application note aims to enable the reader to easily configure an IPSec VPN tunnel between two local area networks using a Sarian at both ends of the tunnel. The diagram below details the IP number scheme and architecture of this example configuration. Figure 1-1: Overview Diagram Page 4

5 1.2 Assumptions This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product, and of the requirements for their specific application. Configuration: This application note assumes that the WR41 will be connecting to a cellular network (i.e. GPRS, EDGE, 3G, HSDPA or HSUPA). Routers connecting to cellular networks are usually allocated a private IP address which would translate to a routable internet external IP at the border of the mobile internet network. In this case, the mode of IPSec needs to be aggressive mode with NAT-Traversal. The IPSec responders IP address needs to be in the public address range and is either fixed or dynamic. In the case of the latter, a type of dynamic DNS hostname will be required because the IPSec initiator always needs to know where to connect. This application note applies to; Models shown: Digi Transport WR41 and DR6410 Mk2 Other Compatible Models: Digi Transport VC7400 VPN Concentrator, WR, SR or DR. Firmware versions: All Versions Configuration: This Application Note assumes the devices are set to their factory default configurations. Most configuration commands are only shown if they differ from the factory default. For the purpose of this application note the following applies: The IPSec responder router s IP address must be in the public address range and fully routable. 1.3 Corrections Requests for corrections or amendments to this application note are welcome and should be addressed to: uksupport@digi.com Requests for new application notes can be sent to the same address. 1.4 Version Version Number: 3.0 Status: Published Page 5

6 2 DIGI WR41 VPN INITIATOR CONFIGURATION As with all Digi Transport routers you have the option of configuring the IPSec parameters either via the web interface or by writing a new configuration file. We will show the web configuration in this application note. Only the parts of the configuration files that specifically relate to the configuration of this example will be explained in detail. (The configuration files used for this application note can be found in their entirety at the end of this document). 2.1 Inside Ethernet Interface CONFIGURATION INTERFACES ETHERNET ETH 0 CONFIGURE First, configure the Ethernet interface with an IP and set up monitoring: Parameter Setting Description IP analysis: On Turn on analysis for this interface so we can troubleshoot if there are problems with the setup IP address: Enter the IP address of the LAN interface for the router Figure 2-1: WR41 Ethernet 0 configuration 2.2 Outside Cellular PPP Interface CONFIGURATION INTERFACES PPP PPP 0-4 PPP 1 STANDARD Page 6

7 IPSec is enabled on the outgoing interface; in this example the outgoing interface is the cellular interface PPP 1. IP analysis is also enabled on this interface for use during the testing phase. Parameter Setting Description IP analysis: On Turn on analysis for this interface so we can troubleshoot if there are problems with the setup IPSec: On-Remove SAs when link down Turn on IPSec on the interface Figure 2-2: WR41 PPP 1 Configuration 2.3 WR41 Wireless WAN (W-WAN) Module CONFIGURATION INTERFACES MOBILE W-WAN MODULE SIM n Parameter Setting Description APN Your APN Enter the APN of your mobile provider PIN/Confirm PIN Your PIN code Enter the SIM PIN if required Page 7

8 Figure 2-3: WR41 W-WAN Module configuration 2.4 WR41 Phase 1 IKE IKE is the first stage in establishing a secure link between two endpoints and has to be configured to match the settings on the VPN host Sarian. In this example 3Des and MD5 are used to encrypt and authenticate. Aggressive mode is enabled. MODP group 2 is used, meaning we use a 1024 bit key for the IKE Diffie-Hellman exchange. Set the IKE SAs to be removed when the IPSec SAs are removed. Set debug to very high as this will help to see that everything has completed correctly when the two units build the VPN tunnel. CONFIGURATION VPN IPSEC IKE IKE 0 Parameter Setting Description Encryption algorithm: 3DES The encryption algorithm to be used for IKE exchanges over the IP connection Authentication algorithm: MD5 The algorithm used to authenticate the IKE session Aggressive mode: ON Aggressive mode is used in this example IKE MODP group: 2(1024) The key length used in the IKE Diffie-Hellman exchange SA removal mode: Choose option Remove IKE SA when last IPSEC SA removed Debug Level: Very High This will allow for detailed debugging and can be turned off once you are happy that this is working Page 8

9 2.5 WR41 Phase 2 IPSec Figure 2-4: WR41 Phase 1 IKE Next configure the eroute (encrypted route). This will determine what traffic is routed to the remote network over the VPN. Most of the phase two IPSec configuration is done within this area. NB: In Aggressive mode the Peer ID and the Our ID can be any alpha-numeric value as long as they correspond with the remote VPN router. They are also case sensitive. CONFIGURATION VPN IPSEC IPSEC EROUTES EROUTE 0 Parameter Setting Description Peer IP/hostname: IP address of the vpn host machine Peer ID: Hostsarian The ID of the VPN responder router (remote router) Our ID: Clientsarian The ID of the VPN initiator router (this router) Local subnet IP address: Packets will be directed through this tunnel if the source and destination IP matches Local subnet mask: Subnet mask for the network Remote subnet IP Packets will be directed through this tunnel if the address: source and destination IP matches: Remote subnet mask: Subnet mask for the network ESP authentication MD5 The IPSEC ESP authentication algorithm is MD5: Page 9

10 algorithm: ESP encryption algorithm: 3DES Duration (kb): 0 The IPSEC encryption algorithm to use is 3DES This can be used to exchange keys more quickly if a certain amount of data is exchanged No SA action: Use IKE We want to route matching packets over the VPN Create SAs Yes, route with The router will try to setup the VPN automatically automatically: matching interface Authentication Preshared Keys Preshared keys will be used for authentication method: Display IKE lookup This will provide Error message detail in the Yes debug info: analyser trace for debug and testing Page 10

11 Figure 2-5: WR41 Phase 2 IPSec Page 11

12 2.6 WR41 Initiator Pre-shared Key CONFIGURATION SECURITY USERS USERS User 10 In this section the preshared key is set up. The preshared key is enabled by creating a username with the name of the remote peer (Peer ID from the eroute) and the password is the preshared key. Parameter Setting Description Name: responder Name should match the Peer ID: value from Eroute 0 Password: Test Enter the password in a production environment you will want to choose a more secure shared key than this Confirm Password: Test Re-enter the password in a production environment you will want to choose a more secure shared key than this Access Level: None This user will not be granted any admin access as only used as a preshared key Figure 2-6: WR41 Initiator Pre-shared Key Page 12

13 2.7 WR41 Configure Packet Analyser for Debugging This is just to double check that the analyser is setup correctly. Remove any settings that do not match here. DIAGNOSTICS ANALYSER SETTINGS Parameter Setting Description Analyser ON Enable logging to the analyser trace IKE: IKE Debug When this is ticked we will see IKE debug in the analyser trace I-PAK: Max I-PAK size: 1500 We will then be able to collect most full sized packets IP Source: ETH 0 Enable logging for this interface IP source: PPP 1 Enable logging for this interface IP filters: Ports: ~500,4500 Restrict the ports logged to only show IKE and IPSec Figure 2-7: WR41 Packet Analyser for Debugging Page 13

14 3 DR6410 VPN RESPONDER CONFIGURATION 3.1 Inside LAN Ethernet Interface First, configure the Ethernet interface with an IP and set up monitoring: CONFIGURATION INTERFACES ETHERNET ETH 0 CONFIGURE Parameter Setting Description IP Analysis: On Turn on analysis for this interface so we can troubleshoot if there are problems with the setup IP Address Enter Interface IP Enter the IP address of the Lan interface for the router 3.2 Outside ADSL PPP Interface Figure 3-1: DR6410 Ethernet 0 configuration In this example a DSL link is used, this link provided a static IP for the host Sarian. IPSec is enabled on this interface. CONFIGURATION INTERFACES PPP PPP 0 4 PPP 1 STANDARD Parameter Setting Description IP Analysis: On Turn on analysis for this interface so we can troubleshoot if there are problems with the setup Username: Username ADSL access username Password (Assigned): Password ADSL access password Confirm Password Password Confirm ADSL access password. IPSec On-Keep SA s when link down Enable IPSec on the ADSL interface Page 14

15 Figure 3-2: DR6410 ADSL Interface 3.3 DR6410 Phase 1 IKE CONFIGURATION VPN IPSEC IKE RESPONDER Next configure the debug level and also check that the IKE 0 initiators config. I.e. By default the responder IKE values are not restricted and should cover the values assigned in the initiators IKE 0 config. Parameter Setting Description Debug Level: Very High This will allow for detailed debugging and can be turned off once you are happy that this is working Figure 3-3: DR6410 Phase 1 IKE Page 15

16 3.4 DR6410 Phase 2 IPSEC As this is the responder unit and the client doesn t have a static IP due to connecting over a Cellular network we do not initiate the IPSec tunnel from this end so there are 3 less items to configure here than on the initiator Sarian. CONFIGURATION IPSEC IPSEC EROUTES EROUTE 0 9 EROUTE 0 Parameter Setting Description Peer ID: Initiator Id of the VPN Client machine Our ID: responder ID of our machine Local subnet IP address: Local network address Packets will be directed through this tunnel if the source and destination IP matches Local subnet mask: Local subnet address Subnet mask for the network Remote subnet IP address: Remote network address Packets will be directed through this tunnel if the source and destination IP matches: Remote subnet Remote subnet mask: address Subnet mask for the network ESP authentication The IPSEC ESP authentication algorithm is MD5: MD5 algorithm: ESP encryption algorithm: 3DES The IPSEC encryption algorithm to use is 3DES Duration (kb): 0 This can be used to exchange keys more quickly if a certain amount of data is exchanged Authentication method: Preshared Keys Preshared keys will be used Display IKE lookup This will provide Error message detail in the Yes debug info: analyser trace for debug and testing Page 16

17 Figure 3-4: DR6410 Phase 2 IPSEC Page 17

18 3.5 DR6410 Initiator Pre-shared Key In this section the preshared key is set up, the preshared key is set up by creating a username with the name of the remote peer (responder) vpn id and the password is the preshared key. CONFIGURATION SECURITY USERS USER USER 10 Parameter Setting Description Name: initiator Name should match the Peer ID: value from Eroute 0 Password: Test Enter the password in a production environment you will want to choose a more secure shared key than this Re-enter the password in a production Confirm Password: Test environment you will want to choose a more secure shared key than this Access Level: None This user will not be granted any admin access as only used as a preshared key Figure 3-5: DR6410 Pre-Shared Key Page 18

19 Configure Analyser This is just to double check that the analyser is setup correctly. Remove any settings that do not match here. Parameter Setting Description Analyser ON Enable logging to the analyser trace IKE: IKE Debug When this is ticked we will see IKE debug in the analyser trace I-PAK: Max I-PAK We will then be able to collect most full sized 1500 size: packets IP Source: ETH 0 Enable logging for this interface IP source: PPP 1 Enable logging for this interface IP filters: Ports: ~4500,500 Restrict the ports logged to only show IKE and IPSec Figure 3-6: WR41 Packet Analyser for Debugging Page 19

20 4 TESTING 4.1 Successful connection from the initiator point of view: Eventlog The eventlog shows the events occuring within the operating system. Here you can see the cellular interface (PPP 1) establishing followed by the VPN. DIAGNOSTICS EVENTLOG Figure 4-1: WR41 Eventlog Page 20

21 4.1.2 IPSEC Security Associations On successful connection you will see the IPSec SAs in both the Initiator and the Responder IPSec SAs list. Here you can see the peer IP the remote and local networks, the authentication algorithm and time left until keys are again exchanged. DR6410: DIAGNOSTICS STATUS IPSEC IPSEC SAs EROUTE 0 9 EROUTE 0 WR41: Figure 4-2: DR6410 IPSec SA s DIAGNOSTICS STATUS IPSEC IPSEC SAs Figure 4-3: WR41 IPSec SA s Page 21

22 If the event log and the IPSec output show as above then you should be able to ping the LAN interface or a node on the remote network: C:\Documents and Settings\XP>ping t Pinging with 32 bytes of data: Reply from : bytes=32 time=2170ms TTL=249 Reply from : bytes=32 time=159ms TTL=249 Reply from : bytes=32 time=162ms TTL=249 Reply from : bytes=32 time=156ms TTL=249 Reply from : bytes=32 time=165ms TTL=249 Reply from : bytes=32 time=164ms TTL=249 Reply from : bytes=32 time=152ms TTL=249 Reply from : bytes=32 time=149ms TTL=249 Reply from : bytes=32 time=158ms TTL=249 Reply from : bytes=32 time=157ms TTL=249 Reply from : bytes=32 time=159ms TTL=249 Reply from : bytes=32 time=159ms TTL=249 Reply from : bytes=32 time=158ms TTL=249 Ping statistics for : Packets: Sent = 13, Received = 13, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 149ms, Maximum = 2170ms, Average = 312ms The first ping may result in a longer turn around time if you need to bring up the vpn when the first packet arrives. Page 22

23 5 DEBUGGING 5.1 Debug Failed Connection: Phase 2 - No Matching Eroute When the Sarian attempts to bring up the eroute there can be a number of reasons for failure. Below you will see the IPSec debug for a successful connection here. We have changed the config given in this example with the following change on the initiator: eroute 0 locip " " The corresponding line from the responder is: eroute 0 remip " " When the connection fails the following error will be seen in the event log of both ends of the connection: 08:14:03, 22 Apr 2008,IKE SA Removed. Peer: responder,rx Delete Notification 08:14:03, 22 Apr 2008,IKE SA Removed. Peer: responder,rx Delete Notification 08:14:03, 22 Apr 2008,IKE Notification: No Proposal Chosen,RX 08:14:03, 22 Apr 2008,IKE Notification: Responder Lifetime,RX 08:14:03, 22 Apr 2008,New Phase 2 IKE Session ,Initiator 08:14:02, 22 Apr 2008,IKE Keys Negotiated. Peer: responder 08:14:02, 22 Apr 2008,New Phase 1 IKE Session ,Initiator 08:14:02, 22 Apr 2008,IKE Request Received From Eroute 0 Above is the connection from the initiators end and below is the event log from the responder: 08:14:10, 22 Apr 2008,IKE SA Removed. Peer: initiator,successful Negotiation 08:14:10, 22 Apr 2008,IKE Notification: No Proposal Chosen,TX 08:14:10, 22 Apr 2008,IKE Notification: Initial Contact,RX 08:14:10, 22 Apr 2008,New Phase 2 IKE Session ,Responder 08:14:09, 22 Apr 2008,IKE Keys Negotiated. Peer: initiator 08:14:09, 22 Apr 2008,New Phase 1 IKE Session ,Responder Note that in both you will see the message No Proposal Chosen, RX to indicate received and TX to indicate sent. In other words if you only see this line: 08:14:10, 22 Apr 2008,IKE Notification: No Proposal Chosen,TX It will be clear that you are looking at the responder. To find out why the responder rejected this communication the analyser trace needs to be set up. If you have followed the instructions above you will have the analyser trace already configured. Please note that the communication, in this example, fails at phase 2, the keys are clearly indicated as having been negotiated and this message can be seen in both event logs: Page 23

24 08:14:10, 22 Apr 2008,New Phase 2 IKE Session ,Initiator 08:14:03, 22 Apr 2008,New Phase 2 IKE Session ,Responder To find out why phase 2 is failing we will need to look at the analyser logs search for the line that includes the error code :ER <number>:. In this example we have the error: :14: IKE DEBUG (21016):ER 0: remote IP outside traffic selector range The line below this provides a better explanation of the error: :14: IKE DEBUG (21016):Unable to locate eroute matching this negotiation As can be seen from the config change there is now an eroute mismatch at the initiator and responder routers and the IPSec tunnel will not succeed until this is changed. Please note that the number in brackets after IKE DEBUG in this case (21016) will be found against all the logging entries for that particular event within the analyser trace, When there is more than one IPSec tunnel trying to start being able to isolate the conversation using this sequence number is very handy indeed. The relevant excerpt from the log is below showing the responder trying to match the eroute and then failing to do so: :14: IKE DEBUG (21016):Locating eroute matching this negotiation :14: IKE DEBUG (21016):ER 0: remote IP outside traffic selector range :14: IKE DEBUG (21016):Unable to locate eroute matching this negotiation :14: IKE DEBUG (21016):No proposal chosen :14: IKE DEBUG (21016):Sending IKE phase 2 notification :14: IKE DEBUG (21016):Notification type (14) No Proposal Chosen Page 24

25 5.2 Debug Failed Connection: Phase 1 - Aggressive mode off Because the responder cannot in this example initiate a tunnel due to the network limitations of the GPRS network being natted behind an internet gateway and thus preventing us from initiating communication to the initiator we have to use aggressive mode. When aggressive mode is off you will see an error as per below on the initiator: 08:56:06, 22 Apr 2008,IKE SA Removed. Peer:,Negotiation Failure 08:56:06, 22 Apr 2008,IKE Negotiation Failed. Peer:,No Password Available 08:56:06, 22 Apr 2008,IKE Request Received From Eroute Debug Failed Connection: Phase 1 - Preshared Key Incorrect Below is the event log from the initiator showing the response when the shared secret is wrong on one end: 09:11:42, 22 Apr 2008,IKE SA Removed. Peer: responder,negotiation Failure 09:11:42, 22 Apr 2008,IKE Negotiation Failed. Peer: responder,authorisation Failed 09:11:42, 22 Apr 2008,IKE Negotiation Failed. Peer:,Bad Packet 09:11:42, 22 Apr 2008,New Phase 1 IKE Session ,Initiator 09:11:42, 22 Apr 2008,IKE Request Received From Eroute 0 To rectify this problem ensure that the password is the same on both ends the responder needs a password for the initiators id in our example this is set up on user Debug Failed Connection: Phase 1 - Algorithm unsupported If any settings are removed from CONFIGURATION VPN IPSEC IKE RESPONDER then the initiator will need to use the right IKE encryption & authentication algorithm and IKE MODP group. For the purpose of this test the following change was made on the responder s config: ike 0 rencalgs "AES,DES" As the initiator is configured to use 3DES then the following will be seen in the initiator debug: 09:26:50, 22 Apr 2008,IKE Negotiation Failed. Peer:,Bad Packet 09:26:49, 22 Apr 2008,IKE Request Received From Eroute 0 In the responder analyser trace you will see the following after the initial IKE packet has been received: :28: IKE DEBUG (21842): Checking attribute 1: Encryption algorithm Enc Alg: 1: 3DES Requested Alg. not supported Page 25

26 To resolve this at the initiator end change the Ike encryption algorithm or at the responder end add the encryption algorithm. Please note that the settings in the responder CONFIGURATION VPN IPSEC IKE RESPONDER and the initiator CONFIGURATION VPN IPSEC IKE IKE 0 should match. If they do not you will see errors on Phase 1 negotiation as above. 5.5 IPSec Debug for Successful Connection Below is a successful negotiation between the two test Sarians. This log is taken from the responder. Key elements are outlined below in bold to make it easier to see the steps in the communication. IKE DEBUG: Handling IKE packet IKE DEBUG: Locating IKE context IKE DEBUG: Packet for new phase 1 session IKE DEBUG: Preparing for new Phase 1 negotiation IKE DEBUG (504):IKE context located. Local session ID: 0x504 IKE DEBUG (504):Checking packet IKE DEBUG (504):Validating payloads IKE DEBUG (504):Checking payload (1) SA IKE DEBUG (504):Checking payload (4) Key Ex IKE DEBUG (504):Checking payload (10) Nonce IKE DEBUG (504):Checking payload (5) ID IKE DEBUG (504):Checking payload (13) Vendor ID Page 26

27 IKE DEBUG (504):Checking payload (13) Vendor ID IKE DEBUG (504):Checking payload (13) Vendor ID IKE DEBUG (504):Checking payload (13) Vendor ID IKE DEBUG (504):Packet payloads check out OK IKE DEBUG (504):Packet type (4) Agressive mode IKE DEBUG (504):IKE role Responder IKE DEBUG (504):Handling aggressive mode packet and SA state is (0) IDLE IKE DEBUG (504):Processing SA message IKE DEBUG (504):Processing Vendor ID payloads af ca d a1 f1 c9 6b fc Peer supports our version of DPD IKE DEBUG (504): 7d a ca 6f 2c 17 9d d 56 Peer supports our version of NAT traversal IKE DEBUG (504): 90 cb e bb 69 6e b5 ec 42 7b 1f Peer supports our version of NAT traversal IKE DEBUG (504): 12 f5 f2 8c a9 70 2d 9f e2 74 cc IKE DEBUG (504):DH g_x length: 128 IKE DEBUG (504):Processing ID payload IKE DEBUG: Decoding ID type 11 Key ID IKE DEBUG: Decoded ID is initiator Page 27

28 IKE DEBUG (504):Checking next SA payload IKE DEBUG (504):Checking SA proposals IKE DEBUG (504):Checking proposal number 1 IKE DEBUG (504):Checking transform payloads. Expecting 1 transforms IKE DEBUG (504):Transforms payloads OK IKE DEBUG (504):Proposal payload OK IKE DEBUG (504):SA payload valid IKE DEBUG (504): Transform attributes Attribute 1: Encryption algorithm Enc Alg: 5: 3DES Attribute 2: Hash algorithm HASH alg: 1: MD5 Attribute 3: Authentication method Auth Method: 1: PRESHARED Attribute 4: DH group description Maths group: 2: DH group 2 Attribute 11: Life type Life type (1) secs. Expecting life duration attribute next Attribute 12: Life duration Life duration value 1260 IKE DEBUG (504):Selecting transform from proposal 1 Checking transform attributes IKE DEBUG (504): Checking attribute 1: Encryption algorithm Enc Alg: 5: 3DES Alg. is supported IKE DEBUG (504): Checking attribute 2: Hash algorithm HASH alg: 1: MD5 Alg. is supported Page 28

29 IKE DEBUG (504): Checking attribute 3: Authentication method Auth Method: 1: PRESHARED Method is supported IKE DEBUG (504): Checking attribute 4: DH group description Maths group: 2: DH group 2 Group is supported IKE DEBUG (504): Checking attribute 11: Life type Life type (1) secs. Expecting life duration attribute next IKE DEBUG (504): Checking attribute 12: Life duration Life duration value 1260 IKE DEBUG (504):Transform 1 has all required attributes IKE DEBUG (504):Selected transform IKE DEBUG (504):Retrieving password IKE DEBUG: Decoding ID type 11 Key ID IKE DEBUG: Decoded ID is initiator IKE DEBUG (504):Password retrieved for ID initiator IKE DEBUG (504):Requesting DH KE data from DH task IKE DEBUG (504):Waiting on data from DH task IKE DEBUG (504):IKE aggressive mode result 1 IKE DEBUG: IKE got data from DH task IKE DEBUG (504):DH data for IKE ctx 0 in state IDLE Page 29

30 IKE DEBUG (504):Requesting DH shared secret from DH task IKE DEBUG (504):Changing IKE SA state from IDLE to Awaiting DH data :51: IKE DEBUG: IKE got data from DH task :51: IKE DEBUG (504):DH data for IKE ctx 0 in state Awaiting DH data :51: IKE DEBUG (504):Generating SKEYID :51: IKE DEBUG (504):Generating SKEYID_d :51: IKE DEBUG (504):Generating SKEYID_a :51: IKE DEBUG (504):Generating SKEYID_e :51: IKE DEBUG (504):Generating key material :51: IKE DEBUG (504):IKE key material generated :51: IKE DEBUG (504):Sending aggressive mode SA message :51: IKE DEBUG: Adding proposal nb: 1, protocol ID: 1, spi size: 0, nb_transforms: :51: IKE DEBUG (504): Transform attributes Attribute 1: Encryption algorithm Enc Alg: 5: 3DES Attribute 2: Hash algorithm HASH alg: 1: MD5 Attribute 3: Authentication method Auth Method: 1: PRESHARED Attribute 4: DH group description Maths group: 2: DH group 2 Attribute 11: Life type Life type (1) secs. Expecting life duration attribute next Attribute 12: Life duration Life duration value :51: Page 30

31 IKE DEBUG: Adding SA payload header doi: 1, situation :51: IKE DEBUG (504):ID generated :51: IKE DEBUG (504):Create HASH using password :51: IKE DEBUG: Adding Vendor ID payloads for use with DPD :51: IKE DEBUG: Adding Vendor ID payloads for use with NAT traversal :51: IKE DEBUG (504):Adding NATD payloads :51: IKE DEBUG: Adding CISCO UNITY Vendor ID payload :51: IKE DEBUG (504):Transmit IKE packet :51: IKE DEBUG (504):Transmit to peer :51: A1 01 D FA D7 F6 E...Õ...2.X. ö D4 B F4 A D 77 F8 DA 9B D0 78 Ô. B.ô..wøÚ Ðx EF 42 F6 85 F0 2F F2 B4 A6 23 F6 1F Bö..ò..ö B C 04 EC 0A BE 3B F 66 9A 29 3C E4 84 E9 3B 8C BB 31.. Ofš..ä é.œ.1 DB CA 7D F F 68 FE 3A Û..S7..ñ1.u5.hþ. AC A 8C 40 D B5 94 FD BF. F.Œ..QFµ ý.b. 8A CA 8F D6 CF E D 73 EB 35 Š.H.T.ÖÏé. msë5 C0 A8 3A 5E 79 FD 84 DE 14 F8 B5 0C EF 75 CA 54...yý Þ.øµ..u.T DE D8 C4 D1 A1 41 C EB 7B CD ÞØ.Ñ.A.s3uë.tR F 77 D9 BB 6E 8A B3 50 E4 9E 60 1F EC E5 A5 p.wù.nš³päž...å 19 DA BA B 5F C6 BB A D8 64.Ú....Æ...QØd B CA 4B F2 D4 DD KòÔÝ B2 C B F ôresp 6F 6E D D B A6 38 D0 onder... k.8ð 5B C F9 C7 F4 DF 05 0D AF CA D7..g.ù.ôß A1 F1 C9 6B FC D h.ñ.k üww D A CA 6F 2C 17 9D D....S..o...R CB E BB 69 6E V......in.c B5 EC 42 7B 1F DB F7 B DA 92 µ.b...û ±h.ú 2B F8 CC 88 7C FD D9 4F 15 0D DD D3.ø.ˆ.ýÙO... ÝÓ 6F 09 D1 32 8C 57 DB 16 CB C9 FD FA D o.ñ2œwû...ý.ó F5 F2 8C A9 70 2D 9F E2 74 CC 01...òŒEqh.p..ât Page 31

32 IP (Final) From LOC TO REM IFACE: PPP 1 45 IP Ver: 4 Hdr Len: TOS: Routine Delay: Normal Throughput: Normal Reliability: Normal 01 A1 Length: D5 ID: Frag Offset: 0 Congestion: Normal May Fragment Last Fragment FA TTL: Proto: UDP Checksum: D7 F6 Src IP: D4 B Dst IP: UDP: 01 F4 SRC Port: IKE (500) A8 89 DST Port:??? (43145) 01 8D Length: F8 Checksum: IKE: DA 9B D0 78 EF 42 F6 85 I_CKY F0 2F F2 B4 A6 23 F6 1F R_CKY 01 Next Payload: SA (1) 10 Ver: Type: 4 00 Flags: ID: Len: Next Header: Key Ex (4) 0A Next Header: Nonce (10) 05 Next Header: ID (5) 08 Next Header: Hash (8) 0D Next Header: Vendor ID (13) 0D Next Header: Vendor ID (13) 0D Next Header: Vendor ID (13) 82 Next Header: NATD (130) 82 Next Header: NATD (130) 0D Next Header: Vendor ID (13) 00 Next Header: None (0) :51: IKE DEBUG (504):Changing IKE SA state from Awaiting DH data to PH1 sent KE C 00 D E D4 B E...Ð..è.FPÔ. B D7 F6 A X. ö.p..h... DA 9B D0 78 EF 42 F6 85 F0 2F F2 B4 A6 23 F6 1F Ú Ðx.Bö..ò..ö C C7 A8 A1 CC... D6 C4 CA E0 56 F0 1C 39 A C8 21 3D 6C 36 Ö..àV l6 Page 32

33 1A E5 A E CE BE B3 48 1B A FB A0 F9 1A 6D FA 16 C7 D3 CB 34 AA 60 2B 89 B6 3F F8 C5 6C 6E A4 27.å..pt.ãg.Î..p³H... û.ù.m...ó.4....ø.ln.. IP (In) From REM TO LOC IFACE: PPP 1 45 IP Ver: 4 Hdr Len: TOS: Routine Delay: Normal Throughput: Normal Reliability: Normal 00 7C Length: D0 ID: Frag Offset: 0 Congestion: Normal May Fragment Last Fragment E8 TTL: Proto: UDP Checksum: D4 B Src IP: D7 F6 Dst IP: UDP: A9 50 SRC Port:??? (43344) DST Port: IKE FLOAT (4500) Length: Checksum: 0 IKE DEBUG: Handling IKE packet IKE DEBUG: Locating IKE context IKE DEBUG: Packet for existing negotiation IKE DEBUG (504):Located SA for existing phase 1 negotiation IKE DEBUG (504):IKE context located. Local session ID: 0x504 IKE DEBUG (504):Checking packet IKE DEBUG (504):IKE decrypting packet IKE DEBUG (504):Validating payloads IKE DEBUG (504):Checking payload (8) Hash Page 33

34 IKE DEBUG (504):Checking payload (130) NATD IKE DEBUG (504):Checking payload (130) NATD IKE DEBUG (504):Packet payloads check out OK IKE DEBUG (504):Packet type (4) Agressive mode IKE DEBUG (504):IKE role Responder IKE DEBUG (504):Handling aggressive mode packet and SA state is (3) PH1 sent KE IKE DEBUG (504):Processing agressive mode HASH message IKE DEBUG (504):Processing NATD payloads IKE DEBUG (504):HASH's same, we are not behind a NAT box IKE DEBUG (504):Remote is behind a NAT box IKE DEBUG (504):Verifying phase 1 HASH payload IKE DEBUG (504):Phase 1 agressive mode negotiation completed successfully IKE DEBUG (504):Changing IKE SA state from PH1 sent KE to PH1 complete IKE DEBUG (504):Saving completed phase 1 negotiation local ID: 0x1f8 IKE DEBUG (504):Send IKE lifetime (1200) notification to peer IKE DEBUG (504):IKE aggressive mode result 0 IKE DEBUG (504):Resetting IKE context 0 Page 34

35 IKE DEBUG (504):Retaining completed phase 1 SA local ID: 0x1f8 IKE DEBUG: IKE request to send LIFETIME notification IKE DEBUG (504):Prepare for new Phase 2 negotiation IKE DEBUG (505):New phase 2 session IKE DEBUG: Got new phase 2 session ID: 0xb IKE DEBUG (505):Changing IKE SA state from PH1 complete to PH2 Initial IKE DEBUG (505):Encrypting IKE packet :51: IKE DEBUG: send LIFETIME notification lifetime :51: IKE DEBUG (505):Transmit IKE packet :51: IKE DEBUG (505):Transmit to peer :51: D FA D7 F6 E..t.Ö...3RX. ö D4 B A Ô. B..P... DA 9B D0 78 EF 42 F6 85 F0 2F F2 B4 A6 23 F6 1F Ú Ðx.Bö..ò..ö B C9 3F 4C 5B......T..L CE 00 C BA C Î..ppiSA...e 55 2E AA 17 A7 73 EC A6 E3 05 5D 97 B9 7E C7 E3 U...s..ã.....ã 1C 74 F B BF 7E F D 1B 2B 9A 1B.tóD.k...G...š. A F IP (Final) From LOC TO REM IFACE: PPP 1 45 IP Ver: 4 Hdr Len: TOS: Routine Delay: Normal Throughput: Normal Reliability: Normal Length: D6 ID: Frag Offset: 0 Congestion: FA TTL: Proto: UDP Normal May Fragment Last Fragment Page 35

36 33 52 Checksum: D7 F6 Src IP: D4 B Dst IP: UDP: SRC Port: IKE FLOAT (4500) A9 50 DST Port:??? (43344) Length: Checksum: :51: IKE DEBUG (505):Resetting IKE context :51: IKE DEBUG (505):Removing IKE SA :51: D4 00 D E F7 D4 B E..Ô.Ñ..è.E Ô. B D7 F6 A C X. ö.p.... DA 9B D0 78 EF 42 F6 85 F0 2F F2 B4 A6 23 F6 1F Ú Ðx.Bö..ò..ö EE 6C B4 FF 41 AC 5B...îl....A.. BA A 60 D0 E3 E9 4D F9 F2 53 B8 D6. IP.š.ÐãéMùòS.Ö 71 A3 F3 A D5 CA 7B 74 6B 4E DE CF D3 C5 q.ó..dõ..tknþïó. 9D BF B6 6F F1 48 5B FB 9A DA. oñh.ûš.tsú 4B 8D 09 A2 20 D0 DD EB 1C E7 1C AE K...ÐÝ6..dë.ç.. 2B D8 B1 E5 EB E9 DD 6F 6C DA BA 0E AD AE.3iرåëéÝolÚ B8 F5 B AC FE F6 C µ.2.t.þö.GI8 9C A6 28 B4 40 2F F B1 16 AC 51 8C E8 46 œ.....7±..qœèf A3 7E 98 0A B9 C0 AE 2E 0F 1F 86 8A E3 36 yq..... Šã6 54 F4 82 EF EE 16 F0 42 E B CC Tô..î..Bå..±sS9. C5 EB 65 1C.ëe. IP (In) From REM TO LOC IFACE: PPP 1 45 IP Ver: 4 Hdr Len: TOS: Routine Delay: Normal Throughput: Normal Reliability: Normal 00 D4 Length: D1 ID: Frag Offset: 0 Congestion: Normal May Fragment Last Fragment E8 TTL: Proto: UDP 45 F7 Checksum: D4 B Src IP: D7 F6 Dst IP: UDP: A9 50 SRC Port:??? (43344) DST Port: IKE FLOAT (4500) 00 C0 Length: Checksum: 0 Page 36

37 :51: IKE DEBUG: Handling IKE packet :51: IKE DEBUG: Locating IKE context :51: IKE DEBUG: Packet for existing negotiation :51: IKE DEBUG: Packet for unknown phase 2 negotiation :51: IKE DEBUG: Packet for new phase 2 negotiation :51: IKE DEBUG (504):Prepare for new Phase 2 negotiation :51: IKE DEBUG (506):New phase 2 session :51: IKE DEBUG (506):Changing IKE SA state from PH1 complete to PH2 Initial :51: IKE DEBUG (506):IKE context located. Local session ID: 0x :51: IKE DEBUG (506):Checking packet :51: IKE DEBUG (506):IKE decrypting packet IKE DEBUG (506):Validating payloads IKE DEBUG (506):Checking payload (8) Hash IKE DEBUG (506):Checking payload (1) SA IKE DEBUG (506):Checking payload (10) Nonce IKE DEBUG (506):Checking payload (5) ID IKE DEBUG (506):Checking payload (5) ID IKE DEBUG (506):Checking payload (11) Notify Page 37

38 IKE DEBUG (506):Packet payloads check out OK IKE DEBUG (506):Packet type (32) Quick mode IKE DEBUG (506):IKE role Responder IKE DEBUG (506):Handling quick mode packet and SA state is (6) PH2 Initial IKE DEBUG (506):Process phase 2 SA message IKE DEBUG (506):Checking phase 2 HASH payload IKE DEBUG (506):HASH payload valid IKE DEBUG (506):Handling NOTIFY payload with message type IKE DEBUG (506):Checking next SA payload IKE DEBUG (506):Checking SA proposals IKE DEBUG (506):Checking proposal number 1 IKE DEBUG (506):Checking transform payloads. Expecting 1 transforms IKE DEBUG (506):Transforms payloads OK IKE DEBUG (506):Proposal payload OK IKE DEBUG (506):SA payload valid IKE DEBUG (506): Phase 2 proposal 1 Proposal has 1 transforms IPSec Protocol ID 3: ESP ESP Alg: 3: 3DES Attribute (4) Mode Mode: 61443:??? Page 38

39 Attribute (5) Authentication Algorithm Auth Alg: 1 MD5 Attribute (1) Life type Life type (1) secs. Expecting life duration attribute next Attribute (2) Life duration Life duration value 1200 IKE DEBUG (506):Selecting transform from proposal 1 Select from 1 tranforms IKE DEBUG (506):IPSec Protocol ID 3: ESP ESP Alg: 3: 3DES Alg. is supported IKE DEBUG (506):Checking attribute (4) Mode Mode: 61443: UDP Tunnel IKE DEBUG (506):Checking attribute (5) Authentication Algorithm Auth Alg: 1 MD5 Alg. is supported IKE DEBUG (506):Checking attribute (1) Life type Life type (1) secs. Expecting life duration attribute next IKE DEBUG (506):Checking attribute (2) Life duration Life duration value 1200 IKE DEBUG (506):Transform 1 has all required transform attributes IKE DEBUG (506):Getting remote subnet details ID type 4 len 8 Subnet mask is Subnet IP is IKE DEBUG (506):Getting local subnet details ID type 4 len 8 Subnet mask is Subnet IP is IKE DEBUG (506):Locating eroute matching this negotiation IKE DEBUG (506):Located eroute 0 our ID: responder Page 39

40 IKE DEBUG (506):Sending phase 2 SA reply IKE DEBUG: Got IPSec spi 0xcd IKE DEBUG: Adding proposal nb: 1, protocol ID: 3, spi size: 4, nb_transforms: 1 IKE DEBUG (506): Phase 2 proposal 1 Proposal has 1 transforms IPSec Protocol ID 3: ESP ESP Alg: 3: 3DES Attribute (4) Mode Mode: 61443:??? Attribute (5) Authentication Algorithm Auth Alg: 1 MD5 Attribute (1) Life type Life type (1) secs. Expecting life duration attribute next Attribute (2) Life duration Life duration value 1200 IKE DEBUG (506):Sending phase 2 SA message IKE DEBUG: Adding SA payload header doi: 1, situation 1 IKE DEBUG (506):Not doing PFS. KE payload not required IKE DEBUG (506):Adding remote subnet details IKE DEBUG (506):Adding subnet ID IP: MASK: IKE DEBUG (506):Adding local subnet details IKE DEBUG (506):Adding subnet ID IP: MASK: IKE DEBUG (506):Encrypting IKE packet :51: IKE DEBUG (506):Transmit IKE packet :51: IKE DEBUG (506):Transmit to peer Page 40

41 :51: D4 01 D FA F D7 F6 E..Ô....2ñX. ö D4 B A C Ô. B..P... DA 9B D0 78 EF 42 F6 85 F0 2F F2 B4 A6 23 F6 1F Ú Ðx.Bö..ò..ö EE 6C B îl... 8He9 5C C 4E B3 D0 FF 77 9F F 13.YQLNI.³Ð.w.r... C1 33 C B 6B AD E4 57 BB 0C 8C CD.3.qƒ.k.äW..Œ... B F FC C8 7D E5 2A D4 AB 32 9.Oü...2. å.ô.2 F1 89 EB 1F B B9 07 E5 ñ ë å 4E A BA A8 56 A3 29 AB 7C 94 DA N. XŠ..V... Ú. D1 8C 62 0F 42 E4 6E 3B 5F 7F C 6B EF ÑŒb.Bän...C.k. F2 A C0 B1 5C 79 4E C9 0B 48 ò....±.yn Au..H 9F 2C 65 CC 17 5C 36 F B2 26 F5 67..e...6ñAVˆ...g AA C0 25 D7 97 1C B6 5E F9 E0 3C 8E C6 B1 13 9E.....ùà.ŽÆ±.ž 6C 31 0A F4 l1.ô IP (Final) From LOC TO REM IFACE: PPP 1 45 IP Ver: 4 Hdr Len: TOS: Routine Delay: Normal Throughput: Normal Reliability: Normal 00 D4 Length: D7 ID: Frag Offset: 0 Congestion: Normal May Fragment Last Fragment FA TTL: Proto: UDP 32 F1 Checksum: D7 F6 Src IP: D4 B Dst IP: UDP: SRC Port: IKE FLOAT (4500) A9 50 DST Port:??? (43344) 00 C0 Length: Checksum: :51: IKE DEBUG (506):Changing IKE SA state from PH2 Initial to PH2 sent SA :51: IKE DEBUG (506):IKE quick mode result :51: D E D4 B E..T.Ò..è.FvÔ. B D7 F6 A X. ö.p.... DA 9B D0 78 EF 42 F6 85 F0 2F F2 B4 A6 23 F6 1F Ú Ðx.Bö..ò..ö EE 6C A 5B 2B A5...îl...4j.. E7 F A4 06 8D D D9 31 FA BC ç. 4...Ù C 94 A4 U.. Page 41

42 IP (In) From REM TO LOC IFACE: PPP 1 45 IP Ver: 4 Hdr Len: TOS: Routine Delay: Normal Throughput: Normal Reliability: Normal Length: D2 ID: Frag Offset: 0 Congestion: Normal May Fragment Last Fragment E8 TTL: Proto: UDP Checksum: D4 B Src IP: D7 F6 Dst IP: UDP: A9 50 SRC Port:??? (43344) DST Port: IKE FLOAT (4500) Length: Checksum: :51: IKE DEBUG: Handling IKE packet :51: IKE DEBUG: Locating IKE context :51: IKE DEBUG: Packet for existing negotiation :51: IKE DEBUG (506):Located SA for existing phase 2 negotiation :51: IKE DEBUG (506):IKE context located. Local session ID: 0x :51: IKE DEBUG (506):Checking packet :51: IKE DEBUG (506):IKE decrypting packet :51: IKE DEBUG (506):Validating payloads :51: IKE DEBUG (506):Checking payload (8) Hash :51: IKE DEBUG (506):Packet payloads check out OK Page 42

43 :51: IKE DEBUG (506):Packet type (32) Quick mode :51: IKE DEBUG (506):IKE role Responder :51: IKE DEBUG (506):Handling quick mode packet and SA state is (7) PH2 sent SA :51: IKE DEBUG (506):Processing HASH reply message :51: IKE DEBUG (506):Phase 2 negotiation completed successfully :51: IKE DEBUG (506):Preparing to create IPSec SA's :51: IKE DEBUG (506):Generating IPSec key material :51: IKE DEBUG (506):40 bytes of key material required :51: IKE DEBUG (506):Changing IKE SA state from PH2 sent SA to PH2 complete :51: IKE DEBUG (506):IKE quick mode result :51: IKE DEBUG (506):IKE SA timed out :51: IKE DEBUG: Resetting IKE context :51: IKE DEBUG (506):Removing IKE SA Page 43

44 6 CONFIGURATION FILES 6.1 Sarian DR6410 Responder Configuration This is the configuration file from VPN Responder DR6410: eth 0 IPaddr " " eth 0 bridge ON eth 0 ipanon ON lapb 0 ans OFF lapb 0 tinact 120 lapb 1 tinact 120 lapb 3 dtemode 0 lapb 4 dtemode 0 lapb 5 dtemode 0 lapb 6 dtemode 0 def_route 0 ll_ent "ppp" def_route 0 ll_add 1 def_route 1 ll_ent "PPP" def_route 1 ll_add 3 def_route 2 ll_ent "PPP" def_route 2 ll_add 4 eroute 0 peerid "initiator" eroute 0 ourid "responder" eroute 0 locip " " eroute 0 locmsk " " eroute 0 remip " " eroute 0 remmsk " " eroute 0 ESPauth "MD5" eroute 0 ESPenc "3DES" eroute 0 lkbytes 0 eroute 0 authmeth "PRESHARED" eroute 0 debug ON dhcp 0 IPmin " " dhcp 0 mask " " dhcp 0 gateway " " dhcp 0 DNS " " dhcp 0 wifionly ON ppp 0 timeout 300 ppp 1 IPaddr " " ppp 1 username "your ADSL username" ppp 1 epassword "PTJ5WU1NRFM=" ppp 1 timeout 0 ppp 1 aodion 1 ppp 1 immoos ON ppp 1 autoassert 1 ppp 1 ipsec 2 ppp 1 echo 10 ppp 1 echodropcnt 5 ppp 1 l1iface "AAL" ppp 1 ipanon ON ppp 3 l_pap OFF ppp 3 l_chap OFF Page 44

45 ppp 3 l_addr ON ppp 3 r_chap OFF ppp 3 r_addr OFF ppp 3 IPaddr " " ppp 3 username "ENTER WWAN Username" ppp 3 epassword "KD5lSVJDVVg=" ppp 3 phonenum "*98*1#" ppp 3 timeout 0 ppp 3 use_modem 1 ppp 3 aodion 1 ppp 3 immoos ON ppp 3 autoassert 1 ppp 3 defpak 16 ppp 4 l_acfc ON ppp 4 l_pfc ON ppp 4 IPaddr " " ppp 4 IPmin " " ppp 4 username "Enter PSTN Username" ppp 4 timeout 60 ppp 4 use_modem 3 ppp 4 defpak 16 ike 0 deblevel 4 modemcc 0 info_asy_add 9 modemcc 0 init_str "+CGQREQ=1" modemcc 0 init_str1 "+CGQMIN=1" modemcc 0 apn "Your.APN.Goes.Here" modemcc 0 link_retries 10 modemcc 0 stat_retries 30 modemcc 0 sms_interval 1 modemcc 0 init_str_2 "+CGQREQ=1" modemcc 0 init_str1_2 "+CGQMIN=1" modemcc 0 apn_2 "Your.APN.Goes.Here" modemcc 0 link_retries_2 10 modemcc 0 stat_retries_2 30 modemcc 0 sms_interval_2 1 ana 0 anon ON ana 0 l1on ON ana 0 lapdon 0 ana 0 asyon 1 ana 0 ipfilt "~500,4500" ana 0 ikeon ON ana 0 maxdata 1500 ana 0 logsize 45 cmd 0 unitid "ss%s>" cmd 0 cmdnua "99" cmd 0 hostname "sarian.router" cmd 0 tremto 1200 cmd 0 web_suffix ".wb2" user 1 name "jules" user 1 epassword "Mip6CVY=" user 1 access 0 user 2 access 0 user 3 access 0 user 4 access 0 Page 45

46 user 5 access 0 user 6 access 0 user 7 access 0 user 8 access 0 user 9 access 0 user 10 name "initiator" user 10 epassword "LDplTg==" user 10 access 4 local 0 transaccess 2 sslsvr 0 certfile "cert01.pem" sslsvr 0 keyfile "privrsa.pem" ssh 0 hostkey1 "privssh.pem" ssh 0 nb_listen 5 ssh 0 v1 OFF wifi 0 enabled OFF wifi 0 ssid "sarian.router.sn:%s" wifi 1 enabled OFF 6.2 Sarian WR41 Initiator Configuration This is the configuration file from VPN Client HR4110: eth 0 IPaddr " " eth 0 ipanon ON lapb 0 ans OFF lapb 0 tinact 120 lapb 1 tinact 120 lapb 3 dtemode 0 lapb 4 dtemode 0 lapb 5 dtemode 0 lapb 6 dtemode 0 def_route 0 ll_ent "ppp" def_route 0 ll_add 1 eroute 0 peerip " " eroute 0 peerid "responder" eroute 0 ourid "initiator" eroute 0 locip " " eroute 0 locmsk " " eroute 0 remip " " eroute 0 remmsk " " eroute 0 ESPauth "MD5" eroute 0 ESPenc "3DES" eroute 0 lkbytes 0 eroute 0 authmeth "PRESHARED" eroute 0 nosa "TRY" eroute 0 autosa 1 eroute 0 debug ON dhcp 0 IPmin " " dhcp 0 mask " " dhcp 0 gateway " " dhcp 0 DNS " " dhcp 0 respdelms 500 ppp 0 timeout 300 ppp 1 r_chap OFF Page 46

47 ppp 1 IPaddr " " ppp 1 phonenum "*98*1#" ppp 1 timeout 0 ppp 1 use_modem 1 ppp 1 aodion 1 ppp 1 autoassert 1 ppp 1 ipsec 1 ppp 1 ipanon ON ppp 3 defpak 16 ppp 4 defpak 16 ike 0 encalg "3DES" ike 0 aggressive ON ike 0 ikegroup 2 ike 0 deblevel 4 ike 0 delmode 1 modemcc 0 info_asy_add 7 modemcc 0 init_str "+CGQREQ=1" modemcc 0 init_str1 "+CGQMIN=1" modemcc 0 apn "internet" modemcc 0 link_retries 10 modemcc 0 stat_retries 30 modemcc 0 sms_interval 1 modemcc 0 sms_access 1 modemcc 0 sms_concat 0 modemcc 0 init_str_2 "+CGQREQ=1" modemcc 0 init_str1_2 "+CGQMIN=1" modemcc 0 apn_2 "Your.APN.goes.here" modemcc 0 link_retries_2 10 modemcc 0 stat_retries_2 30 ana 0 anon ON ana 0 l1on ON ana 0 lapdon 0 ana 0 asyon 1 ana 0 ipfilt "~500,4500" ana 0 ikeon ON ana 0 maxdata 1500 ana 0 logsize 45 cmd 0 unitid "ss%s>" cmd 0 cmdnua "99" cmd 0 hostname "digi.router" cmd 0 asyled_mode 2 cmd 0 tremto 1200 cmd 0 web_suffix ".wb2" user 0 access 0 user 1 name "username" user 1 epassword "KD5lSVJDVVg=" user 1 access 0 user 2 access 0 user 3 access 0 user 4 access 0 user 5 access 0 user 6 access 0 user 7 access 0 user 8 access 0 Page 47

48 user 9 access 0 user 10 name "responder" user 10 epassword "LDplTg==" user 10 access 4 local 0 transaccess 2 sslsvr 0 certfile "cert01.pem" sslsvr 0 keyfile "privrsa.pem" ssh 0 hostkey1 "privssh.pem" ssh 0 nb_listen 5 ssh 0 v1 OFF 6.3 Sarian Firmware Versions This is the firmware \ hardware information from VPN Host DR6410: Sarian Systems. Sarian DR6410-HPA Mk.II DSL2/2+ Router Ser#:92903 HW Revision: 7502a Software Build Ver5076. Oct :59:48 9W ARM Sarian Bios Ver 5.70 v35 197MHz B128-M128-F300-O100001,0 MAC:00042d016ae7 Power Up Profile: 0 Async Driver Revision: 1.19 Int clk Ethernet Hub Driver Revision: 1.11 Firewall Revision: 1.0 EventEdit Revision: 1.0 Timer Module Revision: 1.1 AAL Revision: 1.0 ADSL Revision: 1.0 (B)USBHOST Revision: 1.0 L2TP Revision: 1.10 PPTP Revision: 1.00 TACPLUS Revision: 1.00 MySQL Revision: 0.01 LAPB Revision: 1.12 X25 Layer Revision: 1.19 MACRO Revision: 1.0 PAD Revision: 1.4 X25 Switch Revision: 1.7 V120 Revision: 1.16 TPAD Interface Revision: 1.12 SCRIBATSK Revision: 1.0 BASTSK Revision: 1.0 ARM Sync Driver Revision: 1.18 TCP (HASH mode) Revision: 1.14 TCP Utils Revision: 1.13 PPP Revision: 1.19 WEB Revision: 1.5 SMTP Revision: 1.1 FTP Client Revision: 1.5 FTP Revision: 1.4 IKE Revision: 1.0 PollANS Revision: 1.2 PPPOE Revision: 1.0 BRIDGE Revision: 1.1 MODEM CC (Option 3G) Revision: 1.4 Page 48