Nortel C251, Contivity 251 ABOT Configuration Manual

Contivity 251 ABOT Deployment Version 1.0 April 26, 2004
Technical Configuration Guide
Contivity 251 ABOT
Deployment using Web GUI
Version 1.0
Abstract
This document details a methodology for using Web GUI to effectively and economically deploy Contivity 251 ABOT connections to their central office.
Revision Control
No  Date       Version  Revised by  Remarks
1   4/1/2004   draft    Shangli Lu  Initial Draft
2   4/26/2004  V1.0     Shangli Lu  Reflected comments from reviewing
Copyright © 2004 Nortel Networks
All rights reserved. January 2004
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license.
Trademarks
Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and Contivity are trademarks of Nortel Networks.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.
Table of Contents
1. INTRODUCTION
1.1 C200-CONTIVITY GATEWAY ABOT TOPOLOGY
1.2 TARGET AUDIENCES
1.3 CONTIVITY 251 BRIEF
1.4 WHY ABOT?
1.5 C200 CLIENT EMULATION
1.6 ADSL BRIEF
2. DEPLOYMENT METHOD
2.1 PLANNING YOUR VPN NETWORK
2.2 SELECT CONTIVITY SWITCHES
2.2.1 Select Contivity Secure IP Services Gateway
2.2.2 Select C251 model
2.2.3 In areas where ADSL service is not available
2.3 GATHERING INFORMATION FROM ISP
2.3.1 VPI & VCI
2.3.2 Static IP address for Contivity Gateway in CO
2.4 DEFINE A SCHEME FOR PRE-SHARED KEYS
2.5 DEFINE A SCHEME FOR ABOT INITIATOR ID
2.6 DEFINE A SCHEME FOR BO IP ADDRESSES
2.7 MINIMUM SOFTWARE REQUIREMENT
2.8 MINIMUM LAB REQUIREMENT
2.9 CONFIGURING CONTIVITY GATEWAY IN CO
2.10 PREPARE C251 CONFIGURATION FILES IN CO LAB
2.11 C251 FACTORY DEFAULTS AND MINIMUM CHANGES
2.11.1 Reset to factory default
2.11.2 Using the Reset Button
2.11.3 Uploading a Configuration File via Console Port
2.12 PROVIDE END-USERS WITH INSTRUCTIONS
2.13 DOWNLOADING CONFIGURATION FILES FROM CO LAB TO REMOTE C251
3. CONTIVITY C251 DEPLOYMENT EXAMPLE
3.1 ABC VPN DEPLOYMENT TASKS
3.2 NETWORK PLANNING
3.3 ABC VPN TOPOLOGY
3.4 ORDER EQUIPMENT AND SERVICES
3.5 SETUP CO LAB
3.6 CONFIGURE CONTIVITY GATEWAY 1100
3.6.1 Configure IP address & DHCP for C1100:
3.6.2 Configure User Group for C1100
3.6.3 Configure Branch Office Group for C1100
3.7 PRE-BUILD CONFIGURATION FILE FOR BO C251_OFFICE_6
3.7.1 Startup with “Wizard Setup”
3.7.2 Changing VPI & VCI
3.7.3 Changing LAN IP addresses and DHCP server IP.
3.7.4 Power OFF and Power On C251
3.7.5 Test ATM and Internet connection
3.7.6 Configure VPN Client Tunnel
3.7.7 Check VPN Client Tunnel status
3.7.8 Test VPN Client Tunnel
3.7.9 Configure VPN ABOT
3.7.10 Activate VPN ABOT Tunnel
3.7.11 Test VPN ABOT Tunnel
3.7.12 Event Log on C251
3.7.13 VPN-SA Monitor
3.7.14 ABOT Session status on C1100
3.7.15 Event Log on C1100
3.7.16 Ping BO-6 LAN from C1100 LAN
3.8 SAVE CONFIGURATION FILE AND RENAME IT
3.9 REPEAT THE PROCEDURE TO THE REST OF BO
3.10 PREPARE CONFIGURATION FILES FOR BO USING DIFFERENT VPI/VCI
3.10.1 Change VPI & VCI number before saving
3.10.2 How to change VPI & VCI number
3.11 START DEPLOYMENT
3.11.1 BO Office-6 deployment, setup User Client
3.11.2 Download the configuration file to BO Office-6
3.11.3 Repeat the procedure to the rest BOs
4. REFERENCE DOCUMENTATION:
5. APPENDIX A: TERMINOLOGY
List of Figures
Figure 1: C200 series ABOT Deployment Scenario
Figure 2 C251 Front View
Figure 3 C251 Rear View
Figure 4: ABC VPN Topology
Figure 5: ABC Company CO LAB
Figure 6: Configure C1100 from Factory Default
1. Introduction
This document proposes a method for using the Web GUI to effectively and economically deploy large quantities of Asymmetric Branch Office Tunnels (ABOT) between Contivity 251 (C251) switches located in various branch offices and a Contivity gateway in a Central Office (CO). See Figure 1 for the topology.
The method takes advantage of the unique “Client Emulation” feature of the C200 series to allow non-technical end users to create IPSec VPN user tunnels between the C251 and the Contivity gateway in the CO. The user tunnels are then used by technical personnel in the CO to gain control of the remote C251 and download prepared configuration files that complete the complex ABOT configuration.
For simplicity, the terms “Contivity” and “Contivity Secure IP Services Gateway” are used interchangeably in this document.
1.1 C200-Contivity Gateway ABOT Topology
[Diagram labels: CO NOC, Contivity Gateway, Internet, C251 Home Office, C251 Remote office, C251 SOHO, C221 SOHO, C221 Remote office]
Figure 1: C200 series ABOT Deployment Scenario
1.2 Target Audiences
The target audiences are network designers, network deployment engineers, installation engineers, sales engineers for Enterprises or Carriers, network planners, and those who are interested in using the Web GUI to configure or deploy ABOT for Contivity 200 series units.
1.3 Contivity 251 brief
Contivity 251 (C251) is the ideal VPN over high-speed Internet access solution for SOHO and small branch offices. It is capable of terminating IPSec at the CO Contivity and is ideal for provider provisioned networks or large enterprise deployments.
C251 supports up to five VPN Branch Office Tunnel (BOT) connections simultaneously, and integrates four high-speed 10/100Mbps LAN ports and one high-speed ADSL port into a single package. The ADSL port supports downstream transmission rates up to 8Mbps and upstream transmission rates up to 832Kbps.
C251 supports two types of VPN connection: Branch Office Tunnel (BOT) and Contivity Client tunnel. The BOT supports full VPN rules, while the Contivity Client supports a simple VPN rule. The C251 VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
For a full feature description, refer to NTP “Contivity 251 VPN Switch User’s Guide” from Nortel Customer Support Web
Figure 2 C251 Front View
Figure 3 C251 Rear View
1.4 Why ABOT?
C251 supports both Asymmetric Branch Office Tunnel (ABOT) and Peer-to-Peer BOT. Peer-to-Peer BOT uses main mode for the IKE phase 1 exchange, and main mode can only be used if both VPN switches have fixed public IP addresses. Since the C251’s public interface IP address is normally dynamically assigned by the ISP DHCP server, Peer-to-Peer branch tunnels are not applicable.
ABOT is suitable for a BOT with a fixed IP address on one end and a dynamically assigned IP address on the other end. To make an ABOT connection work, the end with a dynamic IP address must be configured as the initiator and the other end, with the fixed IP address, configured as the responder. In our case, the C251 must be configured in “Aggressive” mode to behave as an “initiator”, and the Contivity Gateway in the CO must be configured as the “responder”. In an ABOT tunnel, only the Initiator (C251) can bring up the tunnel.
1.5 C200 Client Emulation
The Contivity 200 series has a unique feature called “Client Emulation”. Since this feature allows a C200 to act as a user to establish a VPN tunnel to a remote Contivity Gateway, it is also called “Hard Client”. Hard Client uses the IPSec protocol and supports a simple VPN rule. It provides easy configuration, and can be set up by non-technical end users. CO technical personnel can then use the client tunnel connection to gain remote control and perform further configuration on the C200, e.g. ABOT, firewall, NAT, etc.
By default, Client Emulation is configured as a “Manual Tunnel” and requires user intervention to “Connect” the tunnel. In release V2.1, Client Emulation supports “on demand” tunneling as well. In “on demand” mode, the client tunnel is automatically created whenever traffic demands a tunnel connection, and user intervention is not required. Both modes are initiated only on the C200 side.
To enable “On-Demand” mode, go to the VPN menu, select a client rule, then select “Advance” to open the window below, and check “On Demand Client Tunnel”.
C200 allows only one active Contivity Client at a time. That is, when the Client tunnel is activated, all other VPN connections must be deactivated.
In the “Client Emulation” configuration, there is a many-to-one NAT filter from the C200 private LAN to the remote private LAN behind the CO Contivity gateway. Many-to-One mode maps multiple private IP addresses on the C200 LAN to the IP address assigned by the CO Contivity gateway. This is equivalent to the 251's Single User Account feature (SUA). Therefore, traffic sent from the Contivity Gateway private network to the C200 private network does not make it further than the C200 assigned address.
In the Client Emulation configuration, the CO site is able to manage the C200 but is not able to manage the C200’s private LAN, since M:1 NAT inbound traffic cannot establish connections without port forwarding enabled. For full VPN capabilities, users should set up Branch Office Tunnels, either ABOT or static BOT.
1.6 ADSL brief
ADSL (Asymmetric Digital Subscriber Line) is a proven technology that takes advantage of standard copper-loop telephone lines to provide high-speed, “always on” Internet access. ADSL has higher downstream capacity than upstream capacity. E.g. Contivity 251 ADSL supports downstream rates up to 8Mbps and upstream rates up to 832Kbps.
ADSL uses signal frequencies above those used by voice or fax, so the data signal does not interfere with the telephone signal.
At the SOHO site, data traffic and voice traffic are separated by splitters. At the CO site, they are separated by a Digital Subscriber Line Access Multiplexer (DSLAM) switch. Voice traffic is then sent to the PSTN, while data traffic is sent to the ATM backbone connecting to the ISP and the Internet. The diagram below illustrates the key elements of ADSL.
[Diagram labels: SOHO, PC, phone, fax, Contivity 251 or ADSL Modem, splitter, phone wire, 0.8M, 8M, CO, splitter, DSLAM, PSTN, ATM or FR, ISP, Internet]
Figure 4 ADSL Major Components
2. Deployment Method
ABOT supports the full set of VPN features, but configuring ABOT requires technical experience and resources. The proposed deployment method uses the Client Emulation feature as a first stepping stone to establish a VPN connection between a C251 in a branch office and a gateway in the CO. ABOT configuration files are prepared in the CO by technicians and then downloaded to the C251 in the remote branch office over the Client Emulation VPN connection.
Configuring “Client Emulation” is simple and can be done by non-technical staff without requiring on-site technical support. Therefore, C200 series units can be shipped directly from the manufacturer to end users with the factory default configuration, without requiring special staging services.
This deployment method is covered in the following steps:
- Planning your VPN network
- Selecting Contivity hardware
- Obtaining network data from the ISP
- Preparing C251 ABOT configuration files (rom-0) for all sites
- Providing remote end users with simple instructions to set up and start the C251 Client tunnel
- Downloading the prepared configuration file from the CO to the remote C251 over the client tunnel. The C251 will auto-reboot to activate the ABOT configuration.
- Testing the ABOT tunnel using PING
This method assumes that CO technical resources have taken training classes on Nortel Contivity products.
2.1 Planning your VPN Network
Before deployment, the VPN network should be planned. Network planning includes various tasks such as determining network topology, network size, branch office locations, CO location, Contivity VPN device models, bandwidth requirement, encryption type, NAT, etc.
The following questions should be answered when planning the deployment of ABOT connections:
- How many remote branch office (BO) sites are planned?
- What type of Internet access service is available in the remote BO?
- What type of Contivity Gateway in the CO is required to support the current VPN requirement, e.g. number of tunnels, bandwidth, interface, etc.?
- Do you consider future growth (will more BOs join in the near future)?
- What types of C200 are selected, C251 or C221? (Consider the types of service available in a BO area, e.g. ADSL? Cable Modem? Satellite Internet access?)
- What type of IP address scheme will be used for your VPN?
- What type of “initiator ID” scheme will be used for your VPN?
Draw a network topology prior to the deployment.
2.2 Select Contivity Switches
2.2.1 Select Contivity Secure IP Services Gateway
The following Contivity products can be used as Gateways in the CO.
- Contivity 1000 series (1010, 1050, 1100): Up to 30 VPN tunnels
- Contivity 600: Up to 50 VPN tunnels
- Contivity 1700 series (1700 and 1740): Up to 500 VPN tunnels
- Contivity 2700: Up to 2000 VPN tunnels
- Contivity 5000: Up to 5000 VPN tunnels
If a Contivity 200 series unit is planned to be used in the CO, this method is not applicable, since the C200 Hard Client cannot connect to a C200 gateway. Manual configuration is then required.
2.2.2 Select C251 model
Refer to the following information to select suitable C251 models for locations where ADSL services are available.
CA251: Annex A
- ADSL over analog phone service
- Tone 6~31 (25 ~ 138 KHz)
- Multi-mode, G.DMT, ANSI T1.413, G.Lite
- Used throughout North, South and Central America, Asia and portions of Europe.
CB251: Annex B
- ADSL over ISDN
- Tone 29~63 (125 ~ 270KHz)
- Multi-mode, G.DMT, ETSI
- Used mostly in Europe
CU251: U-R2
- ADSL over ISDN
- Tone 29~63 (125 ~ 270KHz)
- Multi-mode, G.DMT, ETSI
- Used in Germany with Deutsche Telekom
2.2.3 In areas where ADSL service is not available
In areas where ADSL service is not available, consider using C221 over satellite-based Internet service or over Broadband High speed internet access service. E.g. DIRECWAY provides satellite-based Internet service anywhere in the continental U.S.
2.3 Gathering Information from ISP
2.3.1 VPI & VCI
The Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) for the ISP ATM backbone are the most important information to enter to get a C251 ADSL connection working. Each ADSL service provider uses a set of these two numbers.
Below is a list of ADSL service providers and their corresponding VPI/VCI numbers for configuring ADSL modems to work on their networks. Users should always contact their service providers for updated information.
DSL Extreme 0/35
BellSouth 8/35
Earthlink 0/35
Covad 0/35
Ameritech 0/35
WorldCom 0/35
New Edge 0/38
SouthWestern Bell 0/35
Pac Bell 0/35
Verizon 0/35
Sprint 8/35
US West/Qwest 0/32
2.3.2 Static IP address for Contivity Gateway in CO
A static IP is a fixed IP that your ISP guarantees you. A dynamic IP is not fixed; it is dynamically assigned by your ISP each time you log in.
A fixed IP address should be purchased from your ISP for the Contivity Gateway public interface. Since this public interface IP address will be configured in all C200 units, a dynamically assigned IP address is not suitable.
2.4 Define a Scheme for Pre-shared keys
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. Both the ABOT connection and the Client tunnel connection require pre-shared keys. Plan your “key” scheme, and generate keys for each branch office.
2.5 Define a Scheme for ABOT Initiator ID
With aggressive negotiation mode, the C251 uses the “Initiator ID” to establish the ABOT to the remote gateway. The “Initiator ID” on the C251 is configured in the “content” field as a DNS domain name or E-mail address. The DNS domain name or E-mail address in the “Local ID Type” field is used only for identification purposes and does not need to be a real domain name or e-mail address.
If you select “IP” as your “Local ID Type”, you must create an Initiator ID that conforms to the rigid IP format in order to be accepted by the C251. The IP address is used only as an ID and need not be a real address.
Since the C251 allows its DNS domain name or E-mail address to have up to 31 characters, it gives network designers the flexibility to compose various identifications. When using special characters, make sure they are accepted by both CO and BO. This ID will be used in the event log by the CO gateway during communication, so it is important to plan a scheme and make the ID meaningful for future troubleshooting, logging, and accounting.
Each C251 must have a unique ID. A duplicated ID will be rejected by the gateway.
2.6 Define a Scheme for BO IP addresses
Determine the private IP network addresses for the LAN on each site. Private IP addresses can be selected from:
- 10.x.x.x
- 172.16.x.x - 172.31.x.x
- 192.168.x.x
Ensure each BO LAN is assigned a unique IP address to simplify the configuration task.
Reserve 192.168.1.0/24 for use only by the C221 factory-default configuration to avoid potential address conflicts. The private LAN address behind the CO gateway should not use the reserved 192.168.1.0/24.
Define the subnet size for each site. An 8-bit subnet with a mask of 255.255.255.0 is commonly used; it is easy to configure and allows up to 254 hosts.
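The following Python script is an added example, not part of the original Nortel guide. It checks a deployment plan against the rules of sections 2.4 to 2.6 (Initiator ID length and uniqueness, private and non-overlapping BO LANs, the reserved 192.168.1.0/24) and generates one random pre-shared key per branch office. The function names, the key length and alphabet, and the sample plan are assumptions made for illustration, and the key-reuse check goes beyond what the guide states.

```python
import ipaddress
import secrets
import string

MAX_ID_LEN = 31  # section 2.5: DNS/E-mail type IDs may have up to 31 characters
FACTORY_LAN = ipaddress.ip_network("192.168.1.0/24")  # section 2.6: reserved
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def make_initiator_id(office, area_code, phone):
    """Build an ID in the office#-areacode-phone# form of section 3.2."""
    return f"office{office}-{area_code}-{phone}"


def generate_psk(length=24):
    """Random alphanumeric pre-shared key from the OS CSPRNG.

    Length and alphabet are assumptions; confirm what both the C251 and
    the CO gateway accept before adopting them.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validate_plan(sites, co_lan):
    """Return a list of problems in a deployment plan (empty list = clean).

    sites  -- list of dicts with keys: name, initiator_id, lan, psk
    co_lan -- private LAN behind the CO gateway, as a CIDR string
    """
    problems = []
    co_net = ipaddress.ip_network(co_lan)
    if co_net.overlaps(FACTORY_LAN):
        problems.append(f"CO: LAN {co_net} overlaps reserved {FACTORY_LAN}")
    nets = [("CO", co_net)]
    ids, psks = {}, {}
    for site in sites:
        name, iid, psk = site["name"], site["initiator_id"], site["psk"]
        net = ipaddress.ip_network(site["lan"])

        # Section 2.5: length limit and uniqueness of the Initiator ID.
        if len(iid) > MAX_ID_LEN:
            problems.append(f"{name}: initiator ID longer than {MAX_ID_LEN}")
        if iid in ids:
            problems.append(f"{name}: initiator ID duplicates {ids[iid]}")
        ids.setdefault(iid, name)

        # Section 2.6: private range, not the factory LAN, unique per site.
        if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
            problems.append(f"{name}: LAN {net} is not private address space")
        if net.overlaps(FACTORY_LAN):
            problems.append(f"{name}: LAN {net} overlaps reserved {FACTORY_LAN}")
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{name}: LAN {net} overlaps {other_name}")
        nets.append((name, net))

        # Added check, not stated in the guide: one key per branch office.
        if psk in psks:
            problems.append(f"{name}: pre-shared key reused from {psks[psk]}")
        psks.setdefault(psk, name)
    return problems


def build_site(office, area_code, phone, third_octet):
    """One plan entry using the 192.168.x.0/24 addressing of section 3.2."""
    return {
        "name": f"C251_Office_{office}",
        "initiator_id": make_initiator_id(office, area_code, phone),
        "lan": f"192.168.{third_octet}.0/24",
        "psk": generate_psk(),
    }


if __name__ == "__main__":
    # Constructed sample plan; phone numbers and octets are placeholders.
    plan = [build_site(n, "555", f"010-{n:04d}", 10 + n) for n in range(2, 7)]
    # A deliberately faulty seventh site: duplicate ID, factory LAN, reused key.
    plan.append({"name": "C251_Office_7",
                 "initiator_id": plan[0]["initiator_id"],
                 "lan": "192.168.1.0/24", "psk": plan[0]["psk"]})
    for problem in validate_plan(plan, co_lan="192.168.3.0/24"):
        print(problem)
```

Run it before building the per-site configuration files; an empty result means the plan satisfies the checks above.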
2.7 Minimum software requirement
To use this method, the minimum software requirement for the C251 is V2.1. If you are currently running V2.0, upgrade it to V2.1.
2.8 Minimum LAB requirement
The minimum requirements for successful deployments are:
- CO gateway is able to access the Internet and has a fixed IP assigned by the ISP
- PCs with Microsoft Windows and Internet Explorer
- C251 is able to access the Internet via an ADSL connection
- CO technical personnel are trained and have knowledge of Nortel Contivity products
If your budget allows, you may want to build a controlled lab environment to simulate an ADSL ISP. To do so, you may need to purchase a DSLAM switch and routers with ATM interfaces.
2.9 Configuring Contivity Gateway in CO
The minimum requirements for configuring the CO Contivity Gateway are:
- Upgrade Contivity Gateway software to 4.80 or above
- Configure the private and public interfaces of the Contivity Gateway.
- Configure at least one user group for C251 Client connection
- Configure Branch Office groups, with one connection per remote C251. Organize groups and connections and name them to suit your organization's needs.
- Configure IP address pools for C251 Hard Client address assignment.
- Configure Contivity for Internet access, and test the connection by surfing the Internet.
2.10 Prepare C251 configuration files in CO Lab
1. Make sure that the C251 is reset to factory default.
2. Change the C251 VPI/VCI to the number provided by the ISP, and test the DSL connection.
3. Change the C251 LAN to the planned IP address and subnet.
4. Configure the C251 with:
   - One client tunnel (inactive).
   - One BO tunnel (active).
5. Test the configuration to ensure that both ABOT and Client tunnels can be established.
6. Save the configuration file to local computer disk with a unique file name. It is suggested that the file name be tied to the BO location.
7. Repeat the above procedure for each C251 and remote site.
2.11 C251 Factory Defaults and minimum changes
The C251 is shipped with a default factory configuration, and the default parameters work with the majority of ADSL ISP installations, but they may require minimum changes for working with some ISPs.
With the default configuration, the C251’s DHCP server on its private interface is enabled and the address ranges from 192.168.1.3 to 192.168.1.254/24. The C251 has a default management interface address of 192.168.1.1/24 with a default password of “setup”. PCs connecting to the C251 private interface will be assigned an IP address in the same subnet if they have dynamic addressing configured.
The factory default configuration has the DHCP client enabled on the public interface. When connecting to an ISP, a dynamic public IP address will be assigned by the ISP. This default configuration allows end users to access the Internet in a plug and play fashion.
The C251 hard client is designed as a 3DES client, and uses 3DES/SHA to connect to the CO Contivity user group. This method is the most secure algorithm of SA offered in this release.
The C251 has the following default WAN setting. The default WAN setting works with most ADSL ISP providers. The VPI/VCI number may differ slightly between providers.
- Routing mode
- LLC multiplex
- ENET ENCAP encapsulation
- VPI/VCI as 8/35
Routing mode
Routing mode is the default setting, and should always be used for building a VPN network regardless of who your ISP is. Selecting “bridge mode” may allow you to access the Internet, but will not allow you to establish a VPN connection to the Contivity gateway.
ENET ENCAP Encapsulation
Be sure to use the encapsulation method compatible with your ISP.
The C251 supports various encapsulation methods, and the default mode of “ENET ENCAP” will work with almost all ISP providers. The “ENET ENCAP” method is the MAC Encapsulated Routing Link Protocol implemented with the IP network protocol. IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment. For instance, it encapsulates routed Ethernet frames into bridged ATM cells. ENET ENCAP requires that you specify a gateway IP address in the Ethernet Encapsulation Gateway field.
LLC-based Multiplexing
LLC-based multiplexing is the default factory setting and carries multiple protocols over one VC. It is used by most ISPs.
VPI and VCI
The default factory setting of VPI/VCI is 0/35. Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you.
2.11.1 Reset to factory default
It is important to make sure that your C251 is in the factory default setting before starting configuration, since the method is based on the assumption that your C251 is configured with the default factory setting. If you are not sure, use the following ways to reset it.
2.11.2 Using the Reset Button
- Make sure the SYS LED is on (not blinking).
- Press the RESET button for about five seconds, and then release it. The SYS LED begins to blink, and the unit then reboots.
The default factory setting is restored when the Contivity 251 boots up.
2.11.3 Uploading a Configuration File via Console Port
- Download the default configuration file from http://www.nortelnetworks.com/index.html, unzip it and save it in a folder.
- Turn off the Contivity 251, begin a terminal emulation software session and turn on the Contivity 251 again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
- Enter "atlc" after the "Enter Debug Mode" message.
- Wait for the "Starting XMODEM upload" message before activating Xmodem upload on your terminal. This is an example Xmodem configuration upload using HyperTerminal.
- Click Transfer, then Send File to display the following screen.
2.12 Provide End-Users with Instructions
Provide the remote end users with very simple instructions for establishing the initial connection, and distribute the instructions by FAX, phone, or mail.
The instructions for setting up the C251 Client should contain the following minimum information:
- ISP VPI/VCI numbers and how to configure them
- How to configure Client Emulation
- Username (configured in gateway user-group)
- Password (pre-shared key)
- CO gateway IP address
- Press “Connect” button to start Client connection
- How to use PING command for validation test.
Add additional information for scheduling and contact numbers. The end users should have the Contivity 251 Quick Start Guide shipped to them for reference.
2.13 Downloading Configuration Files from CO lab to remote C251
When the C251 hard client connection is established, CO technicians download the pre-built configuration file to the remote C251 using the GUI “maintenance->Restore” tool or using the FTP command.
When the download is completed, the remote C251 will activate the new configuration file and reboot automatically. After rebooting, a ping from the C251 to the Contivity gateway will bring up the ABOT tunnel. Verify the connection with bi-directional pings.
Repeat the same procedure for each site.
3. Contivity C251 Deployment Example
Company ABC in NA has one small corporate central office and five remote branch offices. They plan to build a VPN (ABC VPN) using ISP Internet services and Nortel Contivity Gateways. The ABC VPN will allow remote branch offices to access the private servers in the headquarters CO with low maintenance cost and high security.
Note: the configurations documented in this example were successfully tested in a live network.
3.1 ABC VPN Deployment Tasks
- Network planning
- Draw the network topology
- Order equipment and services and obtain information from the ISP
- Set up CO LAB
- Configure Contivity gateway C1100
- Pre-build five BO config files in the CO
- Send “startup” instructions to each BO
- Deploy ABOT, coordinating with each BO
- Download config files from CO to BO
3.2 Network planning
- Network topology: hub-spoke, 1x C1100 gateway, 6x C251 Annex-A
- Connectivity C251: configure one active ABOT and one inactive Client tunnel per C251
- BO IP address: 192.168.x.0/24 for private LAN and 192.168.x.1 for C251 management
- Initiator ID structure: office#-areacode-phone#
- Static IP from ISP: 24.1.61.69 for Contivity public interface, and default gateway: 24.1.48.1
- IP-pool: 172.16.55.1-172.16.55.10 for C251 hard client access
- Software level: C1100 V04_80.124; C251 VE251_2.1.0.0.007 (V2.1)
3.3 ABC VPN Topology
ABC VPN Topology
- CO NOC: C1100 gateway, V04_80.124; 192.168.3.1 priv-if; 192.168.3.2 mgt; DHCP server; 192.168.3.0/24; ABOT responder; IP pool: 172.16.55.1-10; Public interface IP: 24.1.61.69/20; Gw: 24.1.48.1
- BO-2: Name: C251_Office_2; KEY: Contivity; IP addr: 192.168.12.0/24; Initial ID: office2-214-123-2222
- BO-3: Name: C251_Office_3; KEY: Contivity; IP addr: 192.168.13.0/24; Initial ID: office3-972-123-3333
- BO-4: Name: C251_Office_4; KEY: Contivity; IP addr: 192.168.14.0/24; Initial ID: office4-813-123-4444
- BO-5: Name: C251_Office_5; KEY: Contivity; IP addr: 192.168.15.0/24; Initial ID: office5-972-123-5555
- BO-6: Name: C251_Office_6; KEY: Contivity; IP addr: 192.168.16.0/24; Initial ID: office1-972-123-6666
- Other diagram labels: LEGEND, Server, Dynamic IP, ABOT, Internet
Figure 5: ABC VPN Topology
3.4 Order equipment and services
ABC purchased 6 Contivity 251 units and one Contivity 1100 Gateway from Nortel. The Contivity units were shipped directly to the remote locations with default factory configurations.
ABC ordered ADSL internet access for each branch office including the CO, and ordered broadband high speed internet access for the CO Gateway.
Summary:
- Order 6x C251 Annex-A with V2.1 SW, one for each BO, and one for CO
- Order 1x 1100 with V4.8 SW for CO
- Order ADSL services for each BO
- Order ADSL services for CO
- Order Broadband Internet service for CO, and static IP 24.1.61.69/20
- Obtain VPI/VCI number for each location. Office-6 and CO have 0/35, and the rest are 8/35