Sierra Wireless ACM Installation And Operation Manual Download Page 47

Page: 47 / 53

Troubleshooting

Rev 3 Nov 17

4119855

IPsec IP Pool Status

To view IPsec security associations:

admin@ACM: show vpn ipsec ip-pool

Leases in pool '192.168.114.0/24', usage: 3/254, 0 online

192.168.114.2 offline 'TestNCP2'

192.168.114.1 offline 'peapuser'

192.168.114.3 offline 'C=CA, ST=BC, O=InMotion, OU=eng,

CN=Ttest1'

Leases in pool '10.101.1.0/24', usage: 0/254, 0 online

no matching leases found

Debug Information

To view more detailed information when you are troubleshooting, use the

show

vpn debug

command (for all debug information) or the

show vpn debug peer

<PeerID>

command (to debug a specific peer):

admin@ACM: show vpn debug

Status of IKE charon daemon (strongSwan 5.3.2, Linux

3.0.23-1-586-vyatta, i686):

uptime: 3 days, since Nov 27 15:26:05 2015

malloc: sbrk 409600, mmap 0, used 273032, free 136568

worker threads: 11 of 16 idle, 5/0/0/0 working, job

queue: 0/0/0/0, scheduled: 0

loaded plugins: charon ldap aes rc2 sha1 sha2 md5 random

nonce x509 revocation constraints pubkey pkcs1

pkcs7 pkcs8 pkcs12 sshkey pem openssl fips-prf

agent xcbc cmac hmac ctr ccm gcm curl attr kernel-

netlink resolve socket-default stroke updown eap-

identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-

radius eap-tls eap-ttls eap-tnc xauth-generic

xauth-eap tnc-tnccs error-notify certexpire

addrblock

Virtual IP pools (size/online/offline):

172.18.114.0/24: 254/1/1

Listening IP addresses:

10.1.65.114

192.168.114.1

10.1.97.114

Connections:

peer-any-tunnel-1: 10.1.65.114...%any IKEv2

peer-any-tunnel-1: local: [10.1.65.114] uses pre-

shared key authentication

Summary of Contents for ACM

Page 1: ...Installation and Operations Guide AirLink Connection Manager 4119855 Rev 3 ...

Page 2: ...NTAL CONSEQUENTIAL PUNITIVE OR EXEMPLARY DAMAGES INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS OR REVENUE OR ANTICIPATED PROFITS OR REVENUE ARISING OUT OF THE USE OR INABILITY TO USE ANY SIERRA WIRELESS PRODUCT EVEN IF SIERRA WIRELESS AND OR ITS AFFILIATES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR THEY ARE FORESEEABLE OR FOR CLAIMS BY ANY THIRD PARTY Notwithstanding the foregoing in no...

Page 3: ...nd returns Web sierrawireless com company contact us Global toll free number 1 877 687 7795 6 00 am to 5 00 pm PST Corporate and product information Web sierrawireless com Revision number Release date Changes 1 September 2016 Document created 2 May 2017 Added FIPS content 3 November 2017 Added important notice to change password ...

Page 4: ...ts 9 Connecting the ACM to Your Network 9 Ethernet Connections 10 Connecting to the ACM from an Inside Device 10 Configuration Overview 12 Logging In and Out 12 Change to Configuration Mode 12 Configuration Tree 13 Manage Configuration Attributes 13 Add or Modify Attributes 14 Delete Attributes 15 Show Uncommitted Attribute Changes 15 Discard Uncommitted Attribute Changes 16 Apply Configuration 17...

Page 5: ...d Revocation 29 Configuring for NCP Client for Windows 30 Assigning a Virtual IP Address from the Pool 30 EAP Authentication 31 ACM Server Protocols 32 Virtual Router Redundancy Protocol VRRP 32 AirLink oMG MG90 Router Support 37 oMG MG90 IKE ESP Negotiation Parameters 37 AirLink Gateway Router Support LS ES GX MP Series 38 ACM AirLink LS ES GX MP Series Setup Requirements 39 Single Address Type f...

Page 6: ...sec Security Associations 46 IPsec IP Pool Status 47 Debug Information 47 View VRRP Configuration Details 48 Dead Peer Detection is not Working 50 vpn ipsec lifetime Command is Not Available 50 VPN Tunnel Establishes with Mismatched IKE Group 50 NCP Certificate Authentication Failed No trusted RSA public key 51 Basic Configuration Requirements 52 RADIUS Server Settings 53 ...

Page 7: ...ices and applications in the router gateway s vehicle area network Figure 1 1 shows how the ACM fits into a standard enterprise deployment Figure 1 1 The ACM fits between firewalls in an enterprise deployment The ACM eliminates session interruptions when secure IP traffic is switched from one wireless network to another because it is based on IKEv2 Mobile Internet Key Exchange MOBIKE standards MOB...

Page 8: ...eral Information Processing Standard 140 2 security level 1 http csrc nist gov groups STM cmvp documents 140 1 140sp 140sp2164 pdf NCP Client for Windows ACM 1 6 and above support connections from systems using NCP Client for Windows Refer to the AirLink Connection Manager Configuration Guide for NCP Client for details Supported AirLink Gateways and Routers This document applies to the device vers...

Page 9: ...s recommends that the ACM be installed behind the enterprise firewall so that policies and procedures relating to enterprise security are not significantly affected by the introduction of the ACM When used in this mode the ACM security footprint is limited to AirLink devices must be able to access the ACM from the WAN Typically this requires that the ACM be assigned a public IP address If the IP a...

Page 10: ...45 connectors not supplied to connect the ACM Ethernet ports to the network infrastructure Connect Port 1 GB1 the outside interface to the network connected to the enterprise firewall Connect Port 2 GB2 the inside interface to the internal network Note Any additional ports that may be present are unused Figure 2 1 Rear panel of ACM Connecting to the ACM from an Inside Device The ACM may be pre con...

Page 11: ...Note Sierra Wireless can only provide remote technical support for the ACM if access to Port 2222 is enabled on the public or private interface If only private interface access is available an independent VPN access method must be provided ...

Page 12: ...om admin ACM Important Sierra Wireless strongly recommends that you immediately change the Admin password from the default value inmotion to prevent unauthorized use of the system See Admin Password on page 19 for details To log out of the ACM use the exit command admin ACM exit Change to Configuration Mode By default the system will be in operational mode after logging in to the ACM as indicated ...

Page 13: ...e Configuration Attributes When the ACM server boots its boot configuration is loaded into its running configuration While the server is running configuration attributes are managed using the commands shown in Table 3 1 Table 3 1 Configuration Attribute Management Commands Command Purpose Details set Add or modify an attribute See Add or Modify Attributes on page 14 delete Delete an attribute See ...

Page 14: ...atement use the set command The following example demonstrates the set command being used to make the following changes and a snippet from the show command which displays the and symbols change the hash method for an esp group s proposal 1 from sha1 to md5 add a new proposal 2 to the esp group add the encryption method for the new proposal 2 user ACM1 Pro duction set vpn ipsec esp group espgroup1 ...

Page 15: ...osal 1 hash user ACM1 Production show esp group espgroup1 compression enable mode tunnel pfs enable proposal 1 encryption aes256 hash md5 Show Uncommitted Attribute Changes To view pending attribute changes use the show command When the command is used the plus symbol appears next to new attributes the greater than symbol appears next to modified attributes the minus symbol appears next to deleted...

Page 16: ...ation use the discard command After discarding the configuration changes the configuration reverts to the state it was in prior to the changes and the symbol s or located beside the changed attribute statement s disappear The following example shows the discard command being used and a snippet from the show command which displays the original attribute values for proposal 1 no proposal 2 it is no ...

Page 17: ...the boot config uration as described in Save Configuration on page 17 The following example shows the commit command being used when there pending changes and a snippet from the show command which shows that all changes have been applied there are no or symbols admin ACM commit user ACM1 Production show esp group espgroup1 compression enable mode tunnel pfs enable proposal 1 encryption aes256 chan...

Page 18: ...s process COMPLETELY replaces the ACM s current configuration so should be used only when absolutely necessary DO NOT perform this via a remote login session if you do you will lose your connection to the ACM when the configuration including the outside IP address is replaced admin ACM load opt vyatta etc config boot default admin ACM commit Commits changes to running configuration admin ACM save ...

Page 19: ...and is no longer available in plain text Host Name To change the ACM s default hostname use the following commands admin ACM set system host name HOST NAME admin ACM commit Domain Name To change the ACM s domain name use the following commands admin ACM set system domain name DOMAIN NAME admin ACM commit OUTSIDE Interface IP Address To change the IP address of the OUTSIDE interface use the followi...

Page 20: ... set interfaces ethernet eth1 address LAN IP ADDRESS SUBNET BITMASK admin ACM commit INSIDE Routing Information IP Address To specify how VPN traffic will be routed from the ACM to the enterprise network application servers only if intermediate routers exist use the following commands admin ACM set protocols static route ENTERPRISE NETWORK MASK next hop NEXT HOP IP ADDRESS DNS Server To change the...

Page 21: ...the VPN refer to the device s Software Configuration Guide IPsec VPN The ACM uses the strongSwan internet protocol security IPsec implementation for securing communications by authenticating and encrypting each IP packet of a communication session IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic key...

Page 22: ...28ccm16 aes128gcm16 aes256ccm16 or aes256gcm16 encryption is used hash must be none aes128gcm16 Ya aes256 Y Y Y Y aes256ccm16 Ya aes256gcm16 Ya 3des Y Y Hash sha1 Y Y sha2_256 Y Y Y Y sha2_512 Y Y Y Y md5 Y Y none Ya DH Group 1 2 Y Y 5 Y Y 14 Y Y Y Y 15 Y Y Y Y 16 Y Y Y Y 17 Y Y 18 Y Y 19 Y Y 20 Y Y 21 Y Y none Yb b DH group none is not recommended For greater security choose a supported ESP DH gr...

Page 23: ...e delivery of secure and extremely high performance mobile communications To enable this switching feature both the ACM and the peer supported device must Enable IKEv2 as the Key Exchange Mechanism Enable MOBIKE Use the set vpn ipsec ike group command to configure the IKE group parameters as described below Note The attribute values used in the commands below are examples only use values that are ...

Page 24: ...up_type set vpn ipsec ike group IKE GRP NAME proposal 10 encryption Encrypt_type set vpn ipsec ike group IKE GRP NAME proposal 10 hash Hash_type Configure IKE Groups with IKEv1 Note oMG2000 500 MG90 and NCP Client for Windows should be configured for IKEv2 see Configure IKE Groups with MOBIKE IKEv2 on page 23 The following AirLink gateways support the IKEv1 protocol IKEv2 is not supported LS ES GX...

Page 25: ...page 22 for supported parameter values set vpn ipsec ike group IKE GRP NAME proposal 10 dh group Dh_group_type set vpn ipsec ike group IKE GRP NAME proposal 10 encryption Encrypt_type set vpn ipsec ike group IKE GRP NAME proposal 10 hash Hash_type ESP Group Use the set vpn ipsec esp group command to configure the ESP group parameters as described below Note The attribute values used in the command...

Page 26: ...s To configure a VPN peer ID on the ACM Use the following command set vpn ipsec site to site peer PeerID where PeerID is one of the supported types described in Table 5 2 on page 27 or any If the PeerID is A supported Peer ID Type from Table 5 2 The ACM creates connections for each peer using different PSKs This is the preferred method for oMG MG90 routers and other AirLink gateways routers as it ...

Page 27: ...eries VPN VPN Field Peer Identity Type Recommended type FQDN Free format string User must ensure this is a unique string Format FQDN Alternate types User FQDN Free format string User must ensure string is unique Format USER_FQDN IP Router s IP address Format IP Note If FQDN or User FQDN is used read Main Aggressive Mode Configuration on page 41 for additional instructions NCP Client for Windows Pr...

Page 28: ...subnet behind the ACM In general this is the enterprise LAN set vpn ipsec site to site peer PeerID tunnel 1 local subnet LAN SUBNET SUBNET BITMASK Use the AirLink gateway router s LAN subnet as the remote subnet set vpn ipsec site to site peer PeerID tunnel 1 remote subnet oMG LAN SUBNET SUBNET BITMASK VPN ID When the ACM is located within a DMZ behind an external firewall the VPN connection is se...

Page 29: ...erver scp P 2222 ACM_key_file_name admin ACM IP config auth 2 Provision the CA certificates set vpn ipsec x509 ca ca_cert_name ca cert file config auth ca_cert_file_name set vpn ipsec x509 ca ca_cert_name ca cert type RSA ECDSA 3 Provision the host certificate set vpn ipsec x509 host host_cert_name cert file config auth ACM_cert_file_name set vpn ipsec x509 host host_cert_name cert type RSA ECDSA ...

Page 30: ...e RSA set vpn ipsec x509 host ACM_host cert_name cert file config auth ACM_host_cert pem set vpn ipsec x509 host ACM_host cert_name cert type RSA set vpn ipsec x509 host ACM_host cert_name key file config auth ACM_host_cert pem set vpn ipsec x509 host ACM_host cert_name key type RSA Pre shared keys Use the following commands Note Pre shared keys are not recommended for NCP Client because all clien...

Page 31: ... 1 remote source ip the IP pool EAP Authentication Important IPSec VPN IKEv2 EAP authentication is supported only for NCP Client for Windows connecting with non FIPS ACMs It is NOT supported on AirLink gateways routers If using a non FIPS ACM EAP authentication can optionally be used for NCP Client for Windows ACM 1 6 and above support using EAP for IKEv2 to authenticate the client to the server w...

Page 32: ...re clustered together with a master server providing all services and the other appliances available to take the master s place if it fails High Availability Configuration For very large customers many client devices each client device oMG MG90 router is assigned to a random ACM server from a pool of servers load balancing If a server fails the client devices that are connected to that server requ...

Page 33: ...gure 5 1 Figure 5 1 A master ACM is the ACM with the highest priority In the event that this master goes down the ACM with the next highest priority will be elected as the new master and all ACMs are notified as shown in Figure 5 2 on page 34 If two ACMs have the same priority the device with the higher IP address will be elected as the master note that during startup this conflict is resolved by ...

Page 34: ...n in Figure 5 3 Figure 5 3 Pre emption allows a new higher priority ACM to take over as the master Outside Interface Virtual IP 10 10 12 13 Outside Subnet Master ACM VRRP Group 99 Priority 7 Master ACM VRRP Group 99 Priority 5 Failed New Master elected Internet Virtual IP 10 11 11 19 Inside Subnet Enterprise Inside Interface Inside Interface Outside Interface Sierra Wireless AirLink gateway router...

Page 35: ...he ACMs to protect them Configuring the Master and Backup ACMs To configure the master ACM and each backup ACM do the following for each ACM 1 Create the VRRP configuration node for eth0 to enable VRRP on that interface and assign the VRRP group Note All of the ACMs must use the same group set interfaces ethernet eth0 vrrp vrrp group VRRP GROUP 2 Specify the virtual IP address of the VRRP group se...

Page 36: ... group do the following for each ACM 1 Add the sync group configuration to the existing configuration for a VRRP group on eth0 set interfaces ethernet eth0 vrrp vrrp group VRRP GROUP sync group SYNC GROUP NAME 2 Display the VRRP configuration on eth0 optional show interfaces ethernet eth0 vrrp 3 Create the VRRP configuration node for eth1 on the ACM to enable VRRP on that interface assign the VRRP...

Page 37: ...ters see AirLink Gateway Router Support LS ES GX MP Series on page 38 oMG MG90 IKE ESP Negotiation Parameters When using oMG MG90 peers with the ACM some limitations apply Some ACM features are not supported by oMG MG90 Some oMG MG90 features are not supported by ACM The following table describes these limitations and the restrictions these place on ACM configuration and oMG MG90 configuration Tab...

Page 38: ...Y Y Y Y 4 1 xc 14 Y Y Y Y Y Y 4 1 xc Y Y 15 Y Y Y Y Y Y 4 1 xc Y Y 16 Y Y Y Y Y Y 4 1 xc Y Y 17 Y Y Y Y 4 1 xc 18 Y Y Y 4 1 xc 19 Y Y Y Y Y 20 Y Y Y Y 21 Y Y Y Y none Yd Yd Y Y Yd a Pending release Q3 2017 b When aes128ccm16 aes128gcm16 aes256ccm16 or aes256gcm16 encryption is used hash must be none c ESP DH group support is available in 4 1 x In versions 4 1 the DH group for ESP is inherited from...

Page 39: ...and the restrictions these place on ACM configuration and AirLink configuration using ACEmanager Table 5 4 AirLink IKE ESP Parameter Support ACM 1 6 AirLink Type IKE ESP IKE ESP Setup Requirements Encryption aes128 Y Y Y Y On the AirLink device Use only AES128 AES256 or 3DES the ACM does not support DES or None aes128ccm16 aes128gcm16 aes256 Y Y Y Y aes256ccm16 aes256gcm16 3des Y Y Y Y des none Y ...

Page 40: ...nd update if necessary the IP address that will be used USB IP address i In ACEmanager select LAN USB ii In USB Device Mode make sure USBNET is selected DH Group 1 Y Y On the AirLink device Configure the device to use only DH2 or DH5 On the ACM Configure the peer to use only DH2 or DH5 Make sure the dh group is configured in esp group proposals 2 Y Y Y Y 5 Y Y Y Y 14 Y Y 15 Y Y 16 Y Y 17 Y Y 18 Y ...

Page 41: ... drop down list c In Local Address enter the IP address USB or Ethernet set in step 1 d Click Apply e Click Reboot Main Aggressive Mode Configuration AirLink gateways routers support IKEv1 in main mode and aggressive mode When determining whether to configure an AirLink device for aggressive mode consider the following use cases For each device configured to use aggressive mode configure the ACM u...

Page 42: ...upported by ACM The following table describes these limitations and the restrictions these place on ACM configuration and NCP configuration Table 5 7 NCP Client IKE ESP Parameter Support Type ACM 1 6 NCP Client Setup Requirements non FIPS FIPS non FIPS FIPS IKE ESP IKE ESP IKE ESP IKE ESP Encryption aes128 Y Y Y Y Y Y Y Y On the NCP Client Use only AES128 AES256 or 3DES the ACM does not support DE...

Page 43: ...ements Feature Support limitation Setup Requirement PFS ACM always uses PFS On the NCP Client enable PFS Authentication For certificate authentication ACM supports only the NCP ID type ASN1 Distinguished Name On the NCP Client configure the ID type as ASN1 Distinguished Name Certificates NCP may not support RSA 3072 Onthe NCP Client configure to use RSA 2048 If RSA 3072 is attempted and fails chan...

Page 44: ...tion of the imagefile name e g 1 6 0 rc3 20160719 1 or an alternate name of your choice and press Enter to continue Note The name must contain only letters digits and special characters _ Example bolded text represents your input admin ACM add system image ACM 1 6 0 20160719 1 iso Checking MD5 checksums of files on the ISO image OK What would you like to name this image 1 6 0 20160719 1 View VPN C...

Page 45: ... Time up aes256 sha1 5 no n a 0 Peer ID IP Local ID IP 192 100 1 2 192 168 4 22 State Encrypt Hash D H Grp NAT T A Time L Time up aes256 sha1 5 yes 15942 28800 IPsec Process Status To view the status of the IPsec process admin ACM show vpn ipsec status Charon Process Running PID 14981 1 Active IPsec Tunnels IPsec Interfaces eth0 192 168 4 10 eth1 no IP on interface statically configured as local i...

Page 46: ...68 4 22 Tunnel State Bytes Out In Encrypt Hash NAT T A Time L Time Proto 7 down n a n a n a no n a 0 all Peer ID IP Local ID IP CN omg_valid1 192 168 4 22 Tunnel State Bytes Out In Encrypt Hash NAT T A Time L Time Proto 1 up 71 4K 71 8K aes128 sha1 no n a 0 all Peer ID IP Local ID IP 192 100 1 2 192 168 4 22 Tunnel State Bytes Out In Encrypt Hash NAT T A Time L Time Proto 2 up 233 6K 232 0K aes128...

Page 47: ...an 5 3 2 Linux 3 0 23 1 586 vyatta i686 uptime 3 days since Nov 27 15 26 05 2015 malloc sbrk 409600 mmap 0 used 273032 free 136568 worker threads 11 of 16 idle 5 0 0 0 working job queue 0 0 0 0 scheduled 0 loaded plugins charon ldap aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl fips prf agent xcbc cmac hmac ctr ccm gcm curl attr k...

Page 48: ... 8 pkts 2s ago rekeying disabled peer any tunnel 1 30 192 168 114 0 24 172 18 114 2 32 View VRRP Configuration Details To view VRRP configuration details on the master ACM or backup ACM use the show vrrp command with appropriate parameters as shown below On the master admin ACM show vrrp interface eth0 Physical interface eth0 Source Address 192 168 3 112 Interface state up Group 99 State master Pr...

Page 49: ...erface state up Group 99 State backup Priority 200 Advertisement interval 1 Authentication type none Preempt true VIP count 1 VIP 192 168 3 33 24 Master router 192 168 3 112 Master Priority 250 Sync group ACM Last transition 1w2d2h41m34s admin ACM show vrrp interface eth1 Physical interface eth1 Source Address 192 168 9 106 Interface state up Group 101 State backup Priority 200 Advertisement inter...

Page 50: ...either IKEv1 or IKEv2 and has been removed VPN Tunnel Establishes with Mismatched IKE Group Note This issue applies to IKEv1 and IKEv2 If the ACM is configured with multiple IKE groups e g group_1 group_2 and has configured a peer with one of those groups e g group_1 a VPN tunnel will be established if the peer uses any of the configured IKE groups For example On the ACM ACM configured with IKE gr...

Page 51: ...19855 NCP Certificate Authentication Failed No trusted RSA public key For NCP certification authentication to work with ACM NCP must be configured to use ID Type ASN1 Distinguished Name Figure 6 1 NCP Certificate Authentication ID Type ...

Page 52: ...he enterprise address space must be specified for your particular situation Table 1 1 Required ACM Configuration Items Item Note Example Outside IP address and netmask This address must be accessible from the mobile network In most cases this is a globally routable IP address Outside default gateway Needed in most cases To be discussed prior to shipping if this is not desired Public DNS server Def...

Page 53: ... NEW m udp dport 1812 j ACCEPT 4 Edit etcraddbclients conf and add the ACM as a client with the secret password 5 Edit etcraddbusers and add the EAP identities eapuser and peapuser 6 Add a server certificate server private key and CA certificate to etcraddbcerts 7 Edit etcraddbeap conf Modify the tls section to point to the three files from the previous step Comment out the following line since th...

Search results

Summary of Contents for ACM

Reviews:

Related manuals for ACM

Brands by name

Popular brands

Sierra Wireless ACM, Installation And Operation Manual

Search results

Summary of Contents for ACM

Reviews:

Related manuals for ACM

Brands by name

Popular brands