54
MDS Orbit MCR-4G Technical Manual
MDS 05-6628A01, Rev. B
        }
        actions {
            action accept;
        }
    }
    rule 2 {
        match {
            ipsec {
                direction out;
                tunnel-src-address <CELL INTERFACE IP ADDRESS>/32;
                tunnel-dst-address <VPN SERVER IP ADDRESS>/32;
            }
        }
        actions {
            action accept;
        }
    }
    rule 10 {
        match {
            protocol all;
        }
        actions {
            action drop;
        }
    }
}
VPN configuration involves the following high-level steps:
1. Configure an IKE policy specifying an authentication method, the cipher suites to be included in the
proposal during IKE phase-1, and the credentials to be used for authentication, e.g. certificates or
preshared-keys.
2. Configure an IKE peer specifying the peer endpoint address and the IKE policy to be used for IKE phase-1
negotiation. The “role” specifies whether the MCR initiates the connection (initiator) or waits for the
connection from the peer (responder). This should usually be set to “initiator”.
3. Configure an IPsec policy specifying the ESP cipher suites to be included in the proposal during IKE
phase-2.
4. Configure an IPsec connection specifying the IKE peer, the IPsec policy, and the local and remote private IP subnets.
NOTE:
The above configuration parameters should match the corresponding parameters set in the
peer. Otherwise, the IPsec VPN connection will not succeed. Typical configuration mistakes
include incorrect security credentials (psk or certificates/keys), mismatched cipher suite
configuration, and mismatched local and remote subnet configuration.
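The three mismatch classes named in the note above can be caught before the tunnel is brought up by comparing the two sides' settings side by side. The following pre-flight checker is an added example, not code from the MDS Orbit manual or the MCR firmware; the VpnSide fields, the cipher-suite labels and the sample subnets are constructed for illustration and are not MCR CLI syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class VpnSide:
    """One endpoint's view of the tunnel (the MCR or the VPN server)."""
    auth_method: str      # "certificate" or "preshared-key"
    ike_proposals: set    # IKE phase-1 cipher suites offered
    esp_proposals: set    # IKE phase-2 (ESP) cipher suites offered
    local_subnets: set    # private subnets behind this side
    remote_subnets: set   # private subnets expected behind the peer
    role: str             # "initiator" or "responder"

def _networks(subnets):
    # Normalise so "10.1.1.5/24" and "10.1.1.0/24" compare as the same network.
    return {ip_network(s, strict=False) for s in subnets}

def check_peers(mcr: VpnSide, peer: VpnSide) -> list:
    """Return mismatch descriptions; an empty list means the parameters mirror."""
    problems = []
    if mcr.auth_method != peer.auth_method:
        problems.append(f"auth method: MCR={mcr.auth_method} peer={peer.auth_method}")
    # Phase 1 and phase 2 each need at least one proposal both sides accept.
    if not mcr.ike_proposals & peer.ike_proposals:
        problems.append("no common IKE phase-1 cipher suite")
    if not mcr.esp_proposals & peer.esp_proposals:
        problems.append("no common ESP (phase-2) cipher suite")
    # The MCR's local subnets must be the peer's remote subnets, and vice versa.
    if _networks(mcr.local_subnets) != _networks(peer.remote_subnets):
        problems.append("MCR local subnets != peer remote subnets")
    if _networks(mcr.remote_subnets) != _networks(peer.local_subnets):
        problems.append("MCR remote subnets != peer local subnets")
    # Exactly one side initiates; two initiators or two responders never connect.
    if {mcr.role, peer.role} != {"initiator", "responder"}:
        problems.append(f"roles: MCR={mcr.role} peer={peer.role}")
    return problems

# Constructed sample (suite names are illustrative labels, not MCR CLI values):
# the server offers an ESP suite the MCR does not, and its remote subnet mask
# was typed as /25 instead of /24.
MCR = VpnSide("certificate", {"aes256-sha256-dh14"}, {"aes256-sha256", "aes128-sha1"},
              {"10.1.1.0/24"}, {"192.168.10.0/24"}, "initiator")
PEER = VpnSide("certificate", {"aes256-sha256-dh14"}, {"3des-sha1"},
               {"192.168.10.0/24"}, {"10.1.1.0/25"}, "responder")

if __name__ == "__main__":
    for line in check_peers(MCR, PEER) or ["OK: parameters mirror each other"]:
        print(line)
```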
The following example describes the step-by-step VPN configuration for the example network shown in
the figure above. We’ll assume that certificates are being used as security credentials and have already been
loaded in the MCR either manually or via SCEP.
1. Ensure that the cellular interface has been configured.
2. Ensure that the device has been configured with certificates/keys.
3. Ensure that the device has been configured to obtain time via NTP.
NOTE:
The VPN connection will fail unless the time is synchronized on the device, because certificate
validation will fail otherwise.
4. Enable the VPN service.