Category: VPN-IPSec
IPSec backup with direct ISDN dial-in to the remote peer as of 7.1.1
This guide shows step by step how to configure an IPSec backup over a direct ISDN connection to the IPSec peer. In this case a VPN Access 25 dials in to an X1200 II. Both devices run software release 7.1.12.
1. Scenario
2. Configuration VPN Access 25: configure the ISDN WAN partner to the X1200 II
3. Configuration VPN Access 25: adjust the metric of the backup route
4. Configuration VPN Access 25: configure the Block Time
5. Configuration X1200 II: configure the ISDN WAN partner to the VPN Access 25
6. Configuration X1200 II: adjust the metric of the backup route
7. Configuration X1200 II: configure ISDN call answering
8. Configuration X1200 II: configure the Block Time
9. Test
1. Scenario

This guide builds on the FAQ "IPSec with dynamic IP addresses and DynDNS on both sides". The interface concept makes it easy to set up an IPSec backup, because the failover behaviour is controlled entirely through the routing entries: the IPSec route is preferred while the tunnel is up, and the ISDN WAN partner's route with its higher metric takes over when it is not.
2. Configuration VPN Access 25: configure the ISDN WAN partner to the X1200 II
On the VPN Access 25, create a WAN partner that establishes the ISDN connection to the head office:
VPN Access 25 Setup Tool Funkwerk Enterprise Communications GmbH
[WAN][EDIT]: Configure WAN Partner vpn25_test
_______________________________________________________________________________
Partner Name Backup_X1200
Encapsulation PPP
Encryption none
Compression none
Calling Line Identification no
PPP >
Advanced Settings >
WAN Numbers >
IP >
Bridge >
SAVE CANCEL
_______________________________________________________________________________
VPN Access 25 Setup Tool Funkwerk Enterprise Communications GmbH
[WAN][EDIT][PPP]: PPP Settings (Backup_X1200) vpn25_test
_______________________________________________________________________________
Authentication CHAP + PAP
Partner PPP ID x1200
Local PPP ID vpn25
PPP Password test
Keepalives off
Link Quality Monitoring off
OK CANCEL
_______________________________________________________________________________
VPN Access 25 Setup Tool Funkwerk Enterprise Communications GmbH
[WAN][EDIT][ADVANCED]: Advanced Settings (Backup_X1200) vpn25_test
_______________________________________________________________________________
Callback no
Static Short Hold (sec) 300
Idle for Dynamic Short Hold (%) 0
Delay after Connection Failure (sec) 10
Layer 1 Protocol ISDN 64 kbps
Channel-Bundling no
Extended Interface Settings (optional) >
Special Interface Types none
OK CANCEL
_______________________________________________________________________________
Enter the number of the remote peer:
VPN Access 25 Setup Tool Funkwerk Enterprise Communications GmbH
[WAN][EDIT][WAN NUMBERS]: WAN Numbers (Backup_X1200) vpn25_test
_______________________________________________________________________________
WAN Numbers for this partner:
WAN Number Direction
0911123456789 outgoing
ADD DELETE EXIT
_______________________________________________________________________________
Configure the route to the LAN of the X1200 II:
VPN Access 25 Setup Tool Funkwerk Enterprise Communications GmbH
[WAN][EDIT][IP][BASIC]: IP-Settings (Backup_X1200) vpn25_test
_______________________________________________________________________________
IP Transit Network no
Local IP Address 192.168.200.1
Default Route no
Remote IP Address 192.168.100.0
Remote Netmask 255.255.255.0
SAVE CANCEL
_______________________________________________________________________________
3. Configuration VPN Access 25: adjust the metric of the backup route
In the routing of the backup WAN partner, change the metric to 5 so that this route is only used when the IPSec route is down:
VPN Access 25 Setup Tool Funkwerk Enterprise Communications GmbH
[WAN][EDIT][IP][ROUTING]: IP Routing (Backup_X1200) vpn25_test
_______________________________________________________________________________
The flags are: U (Up), D (Dormant), B (Blocked),
G (Gateway Route), I (Interface Route),
S (Subnet Route), H (Host Route), E (Extended Route)
Destination Gateway Mask Flags Met. Interface Pro
192.168.100.0 192.168.200.1 255.255.255.0 DG 5 Backup_X1200 loc
ADD ADDEXT DELETE EXIT
_______________________________________________________________________________
4. Configuration VPN Access 25: configure the Block Time
In the Phase 1 profile, change the Block Time to 120 seconds:
VPN Access 25 Setup Tool Funkwerk Enterprise Communications GmbH
[IPSEC][PEERS][EDIT][SPECIAL][PHASE1][EDIT] vpn25_test
_______________________________________________________________________________
Description (Idx 1) : *autogenerated*
Proposal : 1 (Blowfish/MD5)
Lifetime : use default
Group : 2 (1024 bit MODP)
Authentication Method : Pre Shared Keys
Mode : aggressive
Heartbeats : both
Block Time : 120
Local ID : vpn25_test
Local Certificate : none
CA Certificates :
Nat-Traversal : disabled
View Proposals >
Edit Lifetimes >
SAVE CANCEL
_______________________________________________________________________________
5. Configuration X1200 II: configure the ISDN WAN partner to the VPN Access 25
On the X1200 II, create a WAN partner that accepts the ISDN connection from the VPN Access 25:
X1200 II Setup Tool BinTec Access Networks GmbH
[WAN][EDIT]: Configure WAN Partner X1200 II_test
_______________________________________________________________________________
Partner Name Backup_VPN25
Encapsulation PPP
Encryption none
Compression none
Calling Line Identification no
PPP >
Advanced Settings >
WAN Numbers >
IP >
Bridge >
SAVE CANCEL
_______________________________________________________________________________
X1200 II Setup Tool BinTec Access Networks GmbH
[WAN][EDIT][PPP]: PPP Settings (Backup_VPN25) X1200 II_test
_______________________________________________________________________________
Authentication CHAP + PAP
Partner PPP ID vpn25
Local PPP ID x1200
PPP Password test
Keepalives off
Link Quality Monitoring off
OK CANCEL
_______________________________________________________________________________
Configure the route to the LAN of the VPN Access 25:
X1200 II Setup Tool BinTec Access Networks GmbH
[WAN][EDIT][IP][BASIC]: IP-Settings (Backup_VPN25) X1200 II_test
_______________________________________________________________________________
IP Transit Network no
Local IP Address 192.168.100.0
Default Route no
Remote IP Address 192.168.200.0
Remote Netmask 255.255.255.0
SAVE CANCEL
_______________________________________________________________________________
6. Configuration X1200 II: adjust the metric of the backup route
In the routing of the backup WAN partner, change the metric to 5:
X1200 II Setup Tool BinTec Access Networks GmbH
[WAN][EDIT][IP][ROUTING]: IP Routing (Backup_VPN25) X1200 II_test
_______________________________________________________________________________
The flags are: U (Up), D (Dormant), B (Blocked),
G (Gateway Route), I (Interface Route),
S (Subnet Route), H (Host Route), E (Extended Route)
Destination Gateway Mask Flags Met. Interface Pro
192.168.200.0 192.168.100.0 255.255.255.0 DG 5 Backup_VPN25 loc
ADD ADDEXT DELETE EXIT
_______________________________________________________________________________
7. Configuration X1200 II: configure ISDN call answering
Enter the router's own number on the ISDN interface so that incoming PPP (routing) calls to it are answered:
X1200 II Setup Tool BinTec Access Networks GmbH
[WAN][INCOMING]: Incoming Call Answering X1200 II_test
_______________________________________________________________________________
Item Number Mode
PPP (routing) 123456789 right to left
ADD DELETE EXIT
_______________________________________________________________________________
8. Configuration X1200 II: configure the Block Time
In the Phase 1 profile, change the Block Time to 120 seconds:
X1200 II Setup Tool BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][SPECIAL][PHASE1][EDIT] X1200 II_test
_______________________________________________________________________________
Description (Idx 1) : *autogenerated*
Proposal : 1 (Blowfish/MD5)
Lifetime : use default
Group : 2 (1024 bit MODP)
Authentication Method : Pre Shared Keys
Mode : aggressive
Heartbeats : both
Block Time : 120
Local ID : X1200 II_test
Local Certificate : none
CA Certificates :
Nat-Traversal : disabled
View Proposals >
Edit Lifetimes >
SAVE CANCEL
_______________________________________________________________________________
9. Test
If DSL now fails on either side, the tunnel is torn down (heartbeat lost), the Phase 1 peer is blocked for the configured 120 seconds, and the VPN Access 25 establishes a direct ISDN connection to the X1200 II. Note that while the backup is active, traffic between the two LANs travels over the plain PPP link (Encryption none) rather than through the IPSec tunnel, and the incoming call is identified by the CHAP login alone because Calling Line Identification is set to no.
Debug output on the VPN Access 25 during a DSL outage at the X1200 II:
vpn25-test:> debug all&
00:49:24 WARNING/IPSEC: Hearbeat lost - Peer 1 Traffic -1 Bundle (4)
00:49:24 INFO/IPSEC: P2: peer 1 (X1200 II_test) traf 0 bundle -4 (I): deleted (Heartbeat lost), Pkts: 27/34 Hb: 1/0 Bytes: 2212(3616)/2856(4624) rekeyed by 0
00:49:24 DEBUG/IPSEC: P2: peer 1 (X1200 II_test) traf 0 bundle -4 (I): SA 10 deleted errors 0/0/0
00:49:24 DEBUG/IPSEC: P2: peer 1 (X1200 II_test) traf 0 bundle -4 (I): SA 9 deleted errors 0/0/0
00:49:24 INFO/IPSEC: Destroy Bundle -4 (Peer 1 Traffic -1)
00:49:24 INFO/INET: dialup if 100001 prot 1 192.168.200.1:2048->192.168.100.1:41237
00:49:24 DEBUG/INET: NAT: new outgoing session on ifc 10002 prot 17 84.149.235.62:1056/84.149.235.62:32804 -> 217.237.148.1:53
00:49:24 DEBUG/IPSEC: P1: peer 1 (X1200 II_test) sa 11 (I): identified ip 84.149.235.62 -> ip 213.6.125.207
00:49:39 INFO/IPSEC: P1: peer 1 (X1200 II_test) sa 11 (I): failed id fqdn(any:0,[0..9]=vpn25_test) -> ip 213.6.125.207 (Timeout)
00:49:39 INFO/IPSEC: P1: peer 1 (X1200 II_test) sa 0 (-): blocked for 120 seconds
00:49:39 INFO/IPSEC: P1: peer 1 (X1200 II_test) sa 11 (I): delete ip 84.149.235.62 -> ip 213.6.125.207: Blocked
00:49:39 INFO/INET: dialup if 10003 prot 1 192.168.200.1:2048->192.168.100.1:41215
00:49:39 DEBUG/PPP: Backup_X1200: dial number <0911123456789>
00:49:40 DEBUG/ISDN: stack 0: activate
00:49:40 DEBUG/PPP: Layer 1 protocol hdlc, 64000 bit/sec
00:49:40 DEBUG/PPP: Backup_X1200: set ifSpeed, number of active connections: 0/0/0
00:49:40 DEBUG/PPP: Backup_X1200: set ifSpeed, number of active connections: 1/1/1
00:49:40 DEBUG/PPP: Backup_X1200: outgoing connection established
vpn25-test:>
Corresponding debug output on the X1200 II:
X1200 II_test:>
04:30:21 DEBUG/INET: NAT: delete session on ifc 10001 prot 17 213.6.125.207:500/213.6.125.207:500 <-> 84.149.235.62:1023
04:30:21 INFO/IPSEC: P2: peer 1 (vpn25_test) traf 0 bundle 4 (R): deleted (Interface down), Pkts: 26/27 Hb: 0/1 Bytes: 2184(3536)/2212(3616) rekeyed by 0
04:30:21 DEBUG/IPSEC: P2: peer 1 (vpn25_test) traf 0 bundle 4 (R): SA 10 deleted errors 0/0/0
04:30:21 DEBUG/IPSEC: P2: peer 1 (vpn25_test) traf 0 bundle 4 (R): SA 9 deleted errors 0/0/0
04:30:21 INFO/IPSEC: Destroy Bundle 4 (Peer 1 Traffic -1)
04:30:21 DEBUG/PPP: DSL ISP: set ifSpeed, number of active connections: 0/0/0
04:30:21 INFO/PPP: DSL ISP: outgoing connection closed, duration 230 sec, 17357 bytes received, 11943 bytes sent, 0 charging units, 0 charging amounts
04:30:45 DEBUG/PPP: dialin from <91196730> to local number <123456789> (7/0)
04:30:45 DEBUG/PPP: ?: call accepted, call not identified by number
04:30:45 DEBUG/PPP: Layer 1 protocol hdlc, 64000 bit/sec
04:30:45 DEBUG/PPP: ?: set ifSpeed, number of active connections: 0/0/0
04:30:45 DEBUG/PPP: 10002 authenticated via CHAP_MD5
04:30:45 DEBUG/PPP: Backup_VPN25: call identified for <vpn25>
04:30:45 DEBUG/PPP: Backup_VPN25: set ifSpeed, number of active connections: 1/1/1
04:30:45 DEBUG/PPP: Backup_VPN25: incoming connection established
X1200 II_test:>
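As an added example (not part of the original FAQ or Funkwerk's software), the following Python check walks debug output in the format shown above for the VPN Access 25 and confirms the failover sequence: heartbeat loss, the Block Time reported by the router against the configured value, the dialed number, and the time until the ISDN backup came up. The sample log lines are constructed after the page's format, and the partner name Backup_X1200 is taken from the configuration above.

```python
import re

# Constructed sample modelled on the VPN Access 25 debug output in section 9
# (not a verbatim capture; times and numbers mirror the page).
SAMPLE_LOG = """\
00:49:24 WARNING/IPSEC: Hearbeat lost - Peer 1 Traffic -1 Bundle (4)
00:49:24 INFO/IPSEC: Destroy Bundle -4 (Peer 1 Traffic -1)
00:49:39 INFO/IPSEC: P1: peer 1 (X1200 II_test) sa 11 (I): failed id fqdn(any:0,[0..9]=vpn25_test) -> ip 213.6.125.207 (Timeout)
00:49:39 INFO/IPSEC: P1: peer 1 (X1200 II_test) sa 0 (-): blocked for 120 seconds
00:49:39 DEBUG/PPP: Backup_X1200: dial number <0911123456789>
00:49:40 DEBUG/ISDN: stack 0: activate
00:49:40 DEBUG/PPP: Backup_X1200: outgoing connection established
"""

# Every debug line looks like "HH:MM:SS LEVEL/SUBSYSTEM: message"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\w+)/(\w+): (.*)$")

def parse_line(line):
    """Split one debug line into its fields; None for prompts and other noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, level, subsystem, msg = m.groups()
    return {"time": ts, "level": level, "subsystem": subsystem, "msg": msg}

def _secs(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s

def analyse_failover(log_text, expected_block=120, partner="Backup_X1200"):
    """Extract the failover milestones and check them against the configuration."""
    r = {"heartbeat_lost": None, "block_seconds": None, "dialed": None,
         "backup_up": None, "failover_seconds": None, "warnings": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        # the firmware spells it "Hearbeat" in the WARNING line, so allow both spellings
        if rec["subsystem"] == "IPSEC" and re.search(r"Heart?beat lost", msg) \
                and r["heartbeat_lost"] is None:
            r["heartbeat_lost"] = rec["time"]
        m = re.search(r"blocked for (\d+) seconds", msg)
        if m:
            r["block_seconds"] = int(m.group(1))
        m = re.match(rf"{re.escape(partner)}: dial number <(\d+)>", msg)
        if m:
            r["dialed"] = m.group(1)
        if msg == f"{partner}: outgoing connection established":
            r["backup_up"] = rec["time"]
    if r["block_seconds"] is not None and r["block_seconds"] != expected_block:
        r["warnings"].append(f"block time {r['block_seconds']}s differs from configured {expected_block}s")
    if r["heartbeat_lost"] and r["backup_up"] is None:
        r["warnings"].append("tunnel lost but ISDN backup never came up")
    if r["heartbeat_lost"] and r["backup_up"]:
        # modulo one day so a failover across midnight still yields a positive value
        r["failover_seconds"] = (_secs(r["backup_up"]) - _secs(r["heartbeat_lost"])) % 86400
    return r
```

Run analyse_failover over a captured "debug all" session to get the milestones as a dict; an empty warnings list means the block time matched and the backup link came up after the tunnel was lost.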