Contivity 251 ABOT Deployment
Version 1.0
April 26, 2004
1.4 Why ABOT?
The C251 supports both Asymmetric Branch Office Tunnel (ABOT) and Peer-to-Peer BOT.
Peer-to-Peer BOT uses main mode for the IKE phase 1 exchange, and main mode can only be
used if both VPN switches have fixed public IP addresses. Since the C251's public interface
IP address is normally assigned dynamically by the ISP's DHCP server, Peer-to-Peer branch
tunnels are not applicable.
ABOT is suitable for a BOT that has a fixed IP address on one end and a dynamically assigned
IP address on the other. For an ABOT connection to work, the end with the dynamic IP address
must be configured as the initiator and the end with the fixed IP address as the responder.
In our case, the C251 must be configured in “Aggressive” mode to behave as the “initiator”,
and the Contivity Gateway in the CO must be configured as the “responder”. In an ABOT
tunnel, only the initiator (the C251) can bring up the tunnel.
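The following added example (not part of the original manual) models why the responder needs a fixed peer address in main mode but not in aggressive mode. It assumes pre-shared-key authentication as defined in RFC 2409, which this page does not state; all addresses, IDs, keys and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed responder tables; every address, ID and key is made up.
PSK_BY_ADDRESS = {"192.0.2.10": b"key-fixed-peer"}    # peers with fixed IPs
PSK_BY_ID = {"c251-branch": b"key-dynamic-peer"}      # peers named by IKE ID

def skeyid(psk, ni, nr):
    # RFC 2409, pre-shared keys: SKEYID = prf(psk, Ni_b | Nr_b).
    # HMAC-SHA1 stands in for the negotiated prf (assumption of this example).
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def responder_psk(mode, src_ip, cleartext_id):
    """PSK the responder can select before it has derived any keys."""
    if mode == "main":
        # The initiator ID arrives in message 5, encrypted under keys derived
        # from SKEYID, so only the source address can index the key table.
        return PSK_BY_ADDRESS.get(src_ip)
    if mode == "aggressive":
        # The initiator ID is sent unencrypted in message 1.
        return PSK_BY_ID.get(cleartext_id)
    raise ValueError("unknown mode: " + mode)

def phase1(mode, src_ip, peer_id, peer_psk, ni=b"Ni-sample", nr=b"Nr-sample"):
    """Model one phase 1 attempt; returns 'no-key', 'auth-failed' or 'up'."""
    # In main mode the responder cannot read peer_id at key-selection time.
    visible_id = peer_id if mode == "aggressive" else None
    psk = responder_psk(mode, src_ip, visible_id)
    if psk is None:
        return "no-key"
    # Comparing SKEYID values is a stand-in for the HASH_I/HASH_R check.
    same = hmac.compare_digest(skeyid(psk, ni, nr), skeyid(peer_psk, ni, nr))
    return "up" if same else "auth-failed"

if __name__ == "__main__":
    # Same branch, ISP-assigned address (constructed), tried in both modes.
    for mode in ("main", "aggressive"):
        print(mode, phase1(mode, "198.51.100.77", "c251-branch",
                           b"key-dynamic-peer"))
```
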
1.5 C200 Client Emulation
The Contivity 200 series has a unique feature called “Client Emulation”. Since this feature
allows a C200 to act as a user to establish a VPN tunnel to a remote Contivity Gateway, it is
also called “Hard Client”. Hard Client uses the IPSec protocol and supports a simple VPN rule.
It is easy to configure and can be set up by non-technical end users. CO technical personnel
can then use the client tunnel connection to gain remote control and perform further
configuration on the C200, e.g. ABOT, firewall, NAT, etc.
By default, Client Emulation is configured as a “Manual Tunnel” and requires user intervention
to “Connect” the tunnel. As of release V2.1, Client Emulation supports “on demand” tunneling as
well. In “on demand” mode, the client tunnel is created automatically whenever traffic demands a
tunnel connection, and user intervention is not required. Both modes are initiated only on the
C200 side.
To enable “On-Demand” mode, go to VPN menu, select a client rule, then select “Advance” to
open the window below, and check the “On Demand Client Tunnel”.
The C200 allows only one active Contivity Client at a time. That is, when the Client tunnel is
activated, all other VPN connections must be deactivated.
In the “Client Emulation” configuration, there is a many-to-one NAT filter from the C200 private
LAN to the remote private LAN behind the CO Contivity gateway. Many-to-One mode maps multiple
private IP addresses on the C200 LAN to the IP address assigned by the CO Contivity gateway. This is