GPRS / 3G Services: VPN solutions supported

Transcription

1 GPRS / 3G Services: VPN solutions supported GPRS / 3G VPN soluti An O2 White Paper An O2 White Paper

2 Contents Page No Chapter No. 1. Executive summary 2. O2 Bearer Service 2.1. Introduction 2.2. Datalink 2.3. Resilient Datalink 2.4. VPN support 3. O2 Mobile Web service 3.1. Introduction 3.2. VPN support IPSec based VPN solutions PPTP and SSL based VPN solutions 3.3. IP addresses allocated to Mobile Web users 4. O2 Mobile Web VPN service 4.1. Introduction 4.2. VPN support Introduction IPSec, PPTP and SSL Based VPN Solutions 4.3. IP addresses allocated to Mobile Web VPN users 5. Service comparison 6. Glossary of terms

3 1. Executive summary Virtual Private Network (VPN) technology has emerged as one of the most effective and popular ways of allowing remote users to securely access corporate and Intranet resources. Many organisations already access their corporate network via fixed line technologies (e.g. PSTN, ISDN or a broadband connection) and are looking to capitalise on their existing investment in a VPN infrastructure. A VPN solution used in conjunction with O2 s GPRS/3G services allows people to connect to the LAN environment in a secure and simple manner whilst away from the office or home environment. Currently, O2 s GPRS/3G portfolio consists of three service offerings: O2 Bearer Service: O2 provides private circuit(s) to connect the customer network to O2 s network. The customer can select between 2 bearer service products: DataLink consists of a single leased line and a router installed on the Customer Premises Resilient DataLink resilience is provided via the use of two leased lines and two routers. O2 Mobile Web service: full Internet access is provided and VPN solutions can be used in conjunction with this service. O2 Mobile Web VPN service: this service was specifically introduced to allow customers to access their LAN environment via VPN technology. This paper provides a brief description of the O2 GPRS/3G services and considers how VPN solutions can be used in conjunction with each of these services. 3

4 2. O2 Bearer Service 2.1. Introduction O2 s Bearer Service offers business customers a high quality private mobile data connection to their own private domain. O2 s Bearer Service can be used to support both GPRS and 3G data traffic (e.g. the same infrastructure supports both 3G and GPRS users). Dynamic or static mobile device IP allocation. Private or Public IP Addresses for the mobile devices. This service is designed for customers that require a private connection to their company LAN, which will offer them the highest quality of service and most consistent data communications performance. The key aspects of O2 s Bearer Service are as follows: Each connection is defined by a unique, private Access Point Name (APN). Connectivity is provided via a physical leased line that connects the O2 network with the customer s LAN. Customers can define which Subscriber Identification Module (SIM) cards are able to access their APN. The service can be configured to precisely match a customer s requirements in terms of security for instance. The service does not provide any direct access to the Internet. All private Bearer Services connect to resilient GPRS Gateway Support Nodes (GGSN s) in the O2 network. The installation of this service offers customers the opportunity to design the mobile data connectivity service of their choice. Almost every aspect of the service can be configured to the customer s requirements as this is a private service that connects customers to the O2 GPRS and 3G networks directly, using physical leased line infrastructure. O2 s Bearer Service is delivered and managed end-toend by O2 to ensure the smoothest service delivery and shortest problem resolution timescales. O2 proactively monitor the status of the service and produce detailed usage reports to ensure suitable service levels are maintained at all times. The leased line infrastructure offers the highest level of availability via two basic types of physical connection: DataLink (refer to section 2.2) and Resilient DataLink (refer to section 2.3). Customers wishing to order O2 Bearer Services should discuss their options with their O2 Account Manager in the first instance. A detailed, Application For Service, form is used to capture customer requirements and service can be provided in 43 working days after this form has been processed. Customer configuration choices include: APN name (normally the same as their Internet registered Domain Name). Private (restricted) or Public (open) APN access. O2 or customer hosted RADIUS authentication. 4

5 2.2. DataLink Connectivity for Bearer Service customers is via a single or multiple leased lines (128 kbit/s, 256 kbit/s, 512 kbit/s, 2 Mbit/s, 4 Mbit/s etc.), terminating on a single router that is installed, at the customer s premises. Once installed, the router presents an Ethernet connection to the customers LAN. Figure 1 details, at a top level, a typical GPRS/3G Bearer Service connection. Each DataLink can support multiple APNs, each with it s own Bearer Service definition. This is useful where customers wish to provide separacy of service to different internal departments, external customers or application user bases. Radius Server DHCP Server GRE Tunnel O2 Data Network Leased Line Firewall Corporate Network Remote User Figure 1: Top Level Overview of a typical GPRS/3G Bearer Service connection. 5

6 2.3. Resilient DataLink 2.4. VPN support For those customers requiring the very highest levels of availability, O2 offers a Resilient DataLink leased line option to Bearer Service customers. Two links and routers are provided as part of this solution. The two links and routers can be terminated at the same site. However, it is strongly recommended that they are deployed in different computer rooms which are served by different exchanges and duct routes. O2 does not impose any restrictions on the type of data or ports that can be used for data transfer between the mobile devices and the corporate network. Consequently, it is straightforward to use any type of VPN solution with O2 s bearer service. LAN connectivity is required between the two O2 routers and Hot Standby Routing Protocol (HSRP) provides resilience against router failure by allowing two or more routers to share the same virtual IP address (and MAC address) on the same Ethernet LAN segment. 6

7 3. O2 Mobile Web service 3.1. Introduction O2 s Mobile Web service allows customers to get onto the Internet via GPRS and/or 3G (refer to Figure 2). In this instance customers do not have their own APN. The key aspects of the service are detailed below: Users can surf the Internet, access FTP servers, access and generally utilise Internet resources. This is a public service and can be used by any O2 pay monthly customer. The APN associated with the service is mobile.o2.co.uk If customers have an Internet facing VPN gateway then they might already support remote access via the Internet. If this is the case they should be able to use the Mobile Web service to allow people to access their network via GPRS. By default Mobile Web users enjoy an optimised experience when accessing Internet content at no extra cost. This network hosted optimisation can speed up the delivery of Web pages by optimising graphic images and compressing text content. It can however degrade the image quality in Web pages and interfere with some other Internet applications. If this is experienced, the optimisation platform can be bypassed by changing the user name in the Mobile Web settings of the handset/device, as follows: Default settings includes optimisation: User name: o2web Password: password No optimisation required: User name: bypass Password: password The Mobile Web APN is associated with all new O2 pay monthly SIM cards. If customers do not wish this APN to be available to users they should specify this requirement prior to SIMs being provisioned. The O2 Mobile Web service uses private IP addressing and Port Address Translation (PAT) when users access Internet resources. PAT was defined by the Internet Engineering Task Force (IETF) as a way to convert private IP addresses to public routable Internet addresses and enables organisations to minimise the number of Internet IP addresses they require e.g. by using PAT, companies can connect thousands of systems/users to the Internet via a few IP addresses. The use of PAT has major implications as although PAT provides many benefits, some applications, including IPSec VPNs, can experience issues when PAT is being used. The issues surround trying to ensure packet integrity when a packet passes through a PAT device, in this instance the O2 firewall that is used in the Mobile Web environment, the original IP address is modified. This is not allowed when using IPSec VPN solutions, because any modification of the packet will result in a failed integrity check and will prevent the VPN tunnel from being created. As a consequence IPSec and PAT can function together only when PAT occurs before the packet is encrypted. Whilst this will normally work fine in gateway-to-gateway communications, remote access solutions are problematic because the IPSec VPN client on a remote laptop will encrypt the packet before it travels to the PAT device, subsequently breaking the IPSec VPN connection. To enable IPSec VPNs to work with Network Address Translation (NAT) or PAT devices, a solution called NAT Traversal was developed it should be noted that this is sometimes also known as UDP encapsulation. The main technology behind this solution is UDP (User Data Protocol) encapsulation, wherein the IPSec packet is encapsulated inside a UDP/IP header, allowing NAT or PAT devices to change IP or port addresses without modifying the IPSec packet. In order for NAT Traversal to work properly the VPN solution (e.g. client and server) must be configured for NAT traversal working. 7

8 O2 Data Network O2 Mobile Web Service Firewall Remote User Radius Server (allocates Private IP Addresses) Internet Figure 2: Top Level Overview of O2 s Mobile Web Service. 8

9 3.2. VPN support IPSec based VPN solutions Unless customers wish to support split tunnelling they are recommended to use O2 s Mobile Web VPN service in conjunction with their IPSec based VPN solution (refer to section 4 for more information on O2 s Mobile Web VPN solution) PPTP and SSL based VPN solutions Customers can use Point-to-Point Tunnelling Protocol (PPTP) and SSL based VPN solutions in conjunction with O2 s Mobile Web Service. Split tunnelling is the process of allowing a remote VPN user to access the Internet at the same time that the user is allowed to access resources on the corporate LAN via the VPN solution. This method of network access enables the user to access remote resources, such as , at the same time as accessing the public network. An advantage of using split tunnelling is that it alleviates bottlenecks and conserves bandwidth as Internet traffic does not have to pass through the VPN server. A disadvantage of this method is that the corporate LAN IP policy is not imposed on the user as they access the Internet directly. If IPSec VPN solutions are to be used in conjunction with O2 s Mobile Web service NAT Traversal, sometimes known as UDP encapsulation, must be utilised. NAT Traversal allows IPSec based VPN solutions to be used in situations where NAT and PAT are being utilised. However, it is not without its issues for example, private address space can overlap and create routing issues, and NAT Traversal is not supported with AH (Authenticated Header) IPSec connections. If customers are not sure whether their IPSec based VPN solution supports NAT Traversal they should consult with their VPN vendor or Systems Integrator. 9

10 3.3. IP addresses allocated to Mobile Web users Users are allocated a dynamic, private unregistered IP address when a data session is initiated. However, it should be noted that users of O2 s Mobile Web service will be allocated a public IP address, via an O2 Internet facing firewall, when they access Internet resources. The public IP addresses will be allocated from the following ranges: to to to

11 4. O2 Mobile Web VPN service 4.1. Introduction O2 s Mobile Web VPN service was specifically developed to allow customers to use their VPN solutions with GPRS and 3G assuming the customers VPN solution can be utilised via people connected to the Internet (refer to Figure 3). The key aspects of the service are as follows: Customers do not have their own APN. This is a public service and can be used by any O2 pay monthly customer. The APN associated with the service is vpn.o2.co.uk and a user name of user and password of password should be used. Users are allocated a public IP address and are on the Internet. Users cannot directly surf the Internet, access FTP servers, access or utilise Internet resources: At the request of customers the service was set-up so only VPN protocols can be used when users first establish their GPRS or 3G connection e.g. the firewall associated with the service will block all other traffic. Once the VPN session is in place, users will be able to browse the Intranet/Internet and access other corporate resources assuming the corporate security policy allows such transactions to take place. Split tunnelling will not work as users are not able to access Internet resources directly. It is possible to confirm connectivity exists between the VPN client and server via the ping command. O2 Data Network O2 Mobile Web VPN Service Firewall Remote User Radius Server (allocates Public IP addresses) VPN Server Internet VPN Tunnel Corporate Network Figure 3: A VPN Tunnel Established between a Remote User and the Corporate LAN. 11

12 The O2 Mobile Web VPN service does not include any optimisation capability, delivers public registered IP addresses to mobile devices and allows access only to VPN applications. The service offers businesses the ability to provide secure LAN access to their users via the Internet and control their usage through the application of their internal IT policy. Access to Mobile Web VPN can be requested via O2 Customer Services and is usually provisioned within 24 hours. 12

13 4.2. VPN support Introduction Unless customers wish to support split tunnelling (refer to section for a description of what is meant by the term split tunnelling) they are recommended to use O2 s Mobile Web VPN service in conjunction with their VPN solution IPSec, PPTP and SSL Based VPN Solutions As detailed in the following text IPSec, PPTP and SSL based VPN solutions will work in conjunction with O2 s Mobile Web VPN service. The protocols supported by the Mobile Web VPN service are as follows: Ping (allows people to confirm that connectivity exists between their device, a laptop for instance, and the VPN server). Protocol 50 (ESP). Protocol 51 (AH). Protocol 47 (GRE) (required to support PPTP) Layer 2 Tunnel Protocol (L2TP). The Mobile Web VPN service allows the ports detailed below to be used: UDP port 500 (IKE). TCP port 1723 (required to support PPTP). UDP port 4500 (required for NAT-T). UDP port 1701 (required to support: L2TP/IPSec). TCP port 259 (required to support: FW1_MEP Checkpoint NG FP3 MEP determines closest entry point only used if using NG FP3 Clients and more than one entry point into the network) TCP port 264 (required to support: FW1_topo Check Point VPN-1 SecuRemote Topology Requests.). UDP port 2746 (required to support: VPN1_IPSEC_ encapsulation Check Point VPN-1 SecuRemote IPSEC Transport Encapsulation Protocol). UDP port 50000: required for Barron McCann X-Kryptor VPN solution. TCP port 50000: required for Barron McCann X-Kryptor VPN solution. UDP port 10000: many VPN solutions use this port when NAT traversal is being used. TCP port 10000: this is the default port used by Cisco VPN solutions when the IPSec over TCP option is selected. UDP 2233: used by the Shiva VPN solution. UDP 10025: used by the Shiva VPN solution. UDP 10026: used by the Shiva VPN solution. UDP 10027: used by the Shiva VPN solution. TCP 10027: used by the Shiva VPN solution. TCP 10028: used by the Shiva VPN solution. TCP port 389: used by AT&T s VPN service. TCP port 709: used by AT&T s VPN service. TCP port 5080: used by AT&T s VPN service. TCP port 443 (SSL). UDP port 443 (some VPN solutions require that a UDP port be used this port has been opened up for this purpose). UDP port 12000: used by Good Technology Mobile Messaging solution. TCP port 15000: used by Good Technology Mobile Messaging solution. O2 s Mobile Web VPN Solution can be used in conjunction with AT&T s Global VPN Solution. 13

14 4.3. IP addresses allocated to Mobile Web VPN users Users will be allocated a public IP address from the range to

15 5. Service comparison Table 1 summarises the differences between the O2 GPRS/3G services. Service Comparison Matrix Metric Bearer Service Mobile Web Mobile Web VPN APN Customers Choice mobile.o2.co.uk vpn.o2.co.uk Access Type Public or Private Public Public Number of devices supported Direct Internet Connectivity Unlimited Unlimited Unlimited Internet Connectivity via corporate LAN subject to IT policy Mobile IP Addresses Customers Choice Private (PAT) 1 Public IP Address Allocation Customers Choice Dynamic Dynamic Supported Protocols All Most Internet VPN Only Bearer Optimisation Customers Choice Optional No Content Optimisation Customers Choice Optional No TCP Inactivity Timeout UDP Inactivity Timeout Customers Choice Customers Choice Yes 60 minutes (normal operation) 10 minutes (load conditions) 10 minutes (normal operation) 15 seconds (load conditions) Internet Connectivity via corporate LAN subject to IT policy 60 minute 15 minute Access Lead Time 43 working days Immediate <24 hours Service Reach End to End Gateway only Gateway only Service Performance 2 Table 1: Service Comparison Matrix. O2 pro-actively monitors the status of the Bearer Service Best endeavours Best endeavours 1. Users are allocated a dynamic, private unregistered IP address. However, it should be noted that users of O2 s Mobile Web service will be allocated a public IP address, via an Internet facing firewall, when they access Internet resources. The public IP addresses will be allocated from the following ranges: to to to Although O2 endeavour to provide the highest level of service on all its GPRS/3G Services if problems are experienced with the public services (i.e. Mobile Web or Mobile Web VPN services) it is far more difficult to ascertain what is happening and where the problem lies for instance a number of ISPs may lie between O2 and the customer. Hence, the term, best endeavours is used in the table. 15

16 6. Glossary of terms APN DHCP FTP GPRS GSM IETF IP ISDN LAN L2TP NAT PAT PPTP PSTN SIM SSL TCP UDP URL VPN WAN Access Point Name Dynamic Host Configuration Protocol File Transfer Protocol General Packet Radio Service Global System for Mobile Communications Internet Engineering Task Force Internet Protocol Integrated Service Digital Network Local Area Network Layer 2 Tunnel Protocol Network Address Translation Port Address Translation Point-to-Point Tunnelling Protocol Public Switched Telephone Network Subscriber Identity Module Secure Sockets Layer Transmission Control Protocol User Datagram Protocol Uniform Resource Locator Virtual Private Network Wide Area Network All Rights Reserved. No part of this document may be copied, photocopied, reproduced, translated or reduced to any electronic or machine readable form without the prior permission of Telefonica UK Limited. 16