Nortel C251, Contivity 251 ABOT Configuration Manual

Contivity 251 ABOT Deployment, Version 1.0, April 26, 2004

Technical Configuration Guide
Contivity 251 ABOT
Deployment using Web GUI
Version 1.0
Abstract
This document details a methodology for using the Web GUI to deploy Contivity 251 ABOT connections to a central office effectively and economically.
Revision Control

No  Date       Version  Revised by  Remarks
1   4/1/2004   draft    Shangli Lu  Initial draft
2   4/26/2004  V1.0     Shangli Lu  Reflected review comments
Copyright © 2004 Nortel Networks
All rights reserved. January 2004. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license.
Trademarks
Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and Contivity are trademarks of Nortel Networks.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.
Table of Contents

1. Introduction ... 5
1.1 C200-Contivity Gateway ABOT Topology ... 5
1.2 Target Audiences ... 6
1.3 Contivity 251 Brief ... 6
1.4 Why ABOT? ... 7
1.5 C200 Client Emulation ... 7
1.6 ADSL Brief ... 8
2. Deployment Method ... 9
2.1 Planning Your VPN Network ... 9
2.2 Select Contivity Switches ... 9
2.2.1 Select Contivity Secure IP Services Gateway ... 9
2.2.2 Select C251 Model ... 10
2.2.3 In Areas Where ADSL Service Is Not Available ... 10
2.3 Gathering Information from ISP ... 10
2.3.1 VPI & VCI ... 10
2.3.2 Static IP Address for Contivity Gateway in CO ... 11
2.4 Define a Scheme for Pre-shared Keys ... 11
2.5 Define a Scheme for ABOT Initiator ID ... 11
2.6 Define a Scheme for BO IP Addresses ... 12
2.7 Minimum Software Requirement ... 12
2.8 Minimum Lab Requirement ... 12
2.9 Configuring Contivity Gateway in CO ... 12
2.10 Prepare C251 Configuration Files in CO Lab ... 12
2.11 C251 Factory Defaults and Minimum Changes ... 13
2.11.1 Reset to Factory Default ... 14
2.11.2 Using the Reset Button ... 14
2.11.3 Uploading a Configuration File via Console Port ... 14
2.12 Provide End-Users with Instructions ... 14
2.13 Downloading Configuration Files from CO Lab to Remote C251 ... 15
3. Contivity C251 Deployment Example ... 16
3.1 ABC VPN Deployment Tasks ... 16
3.2 Network Planning ... 16
3.3 ABC VPN Topology ... 17
3.4 Order Equipment and Services ... 17
3.5 Setup CO Lab ... 18
3.6 Configure Contivity Gateway 1100 ... 19
3.6.1 Configure IP Address & DHCP for C1100 ... 19
3.6.2 Configure User Group for C1100 ... 20
3.6.3 Configure Branch Office Group for C1100 ... 23
3.7 Pre-build Configuration File for BO C251_Office_6 ... 25
3.7.1 Startup with "Wizard Setup" ... 26
3.7.2 Changing VPI & VCI ... 27
3.7.3 Changing LAN IP Addresses and DHCP Server IP ... 29
3.7.4 Power Off and Power On C251 ... 30
3.7.5 Test ATM and Internet Connection ... 31
3.7.6 Configure VPN Client Tunnel ... 32
3.7.7 Check VPN Client Tunnel Status ... 35
3.7.8 Test VPN Client Tunnel ... 39
3.7.9 Configure VPN ABOT ... 41
3.7.10 Activate VPN ABOT Tunnel ... 43
3.7.11 Test VPN ABOT Tunnel ... 44
3.7.12 Event Log on C251 ... 44
3.7.13 VPN-SA Monitor ... 45
3.7.14 ABOT Session Status on C1100 ... 45
3.7.15 Event Log on C1100 ... 46
3.7.16 Ping BO-6 LAN from C1100 LAN ... 47
3.8 Save Configuration File and Rename It ... 49
3.9 Repeat the Procedure for the Rest of the BOs ... 49
3.10 Prepare Configuration Files for BOs Using Different VPI/VCI ... 49
3.10.1 Change VPI & VCI Number Before Saving ... 49
3.10.2 How to Change VPI & VCI Number ... 50
3.11 Start Deployment ... 50
3.11.1 BO Office-6 Deployment, Setup User Client ... 51
3.11.2 Download the Configuration File to BO Office-6 ... 51
3.11.3 Repeat the Procedure for the Rest of the BOs ... 52
4. Reference Documentation ... 53
5. Appendix A: Terminology ... 54

List of Figures
Figure 1: C200 Series ABOT Deployment Scenario ... 5
Figure 2: C251 Front View ... 6
Figure 3: C251 Rear View ... 6
Figure 4: ABC VPN Topology ... 17
Figure 5: ABC Company CO Lab ... 18
Figure 6: Configure C1100 from Factory Default ... 19
1. Introduction
This document proposes a method for using the Web GUI to effectively and economically deploy large quantities of Asymmetric Branch Office Tunnels (ABOT) between Contivity 251 (C251) switches located in various branch offices and a Contivity gateway in a Central Office (CO). See Figure 1 for the topology.
The method takes advantage of the "Client Emulation" feature unique to the C200 series, which allows non-technical end users to create IPSec VPN user tunnels between a C251 and the Contivity gateway in the CO. Technical personnel in the CO then use those user tunnels to gain control of the remote C251 and download prepared configuration files, completing the more complex ABOT configuration. For simplicity, the terms "Contivity" and "Contivity Secure IP Services Gateway" are used interchangeably in this document.
1.1 C200-Contivity Gateway ABOT Topology
Figure 1: C200 series ABOT Deployment Scenario (diagram: C251 and C221 units at home office, SOHO and remote office sites connect across the Internet to the Contivity Gateway in the CO NOC)
1.2 Target Audiences
The target audiences are network designers, network deployment engineers, installation engineers, sales engineers for enterprises or carriers, network planners, and anyone interested in using the Web GUI to configure or deploy ABOT for Contivity 200 series units.
1.3 Contivity 251 Brief
The Contivity 251 (C251) is a VPN-over-high-speed-Internet solution for SOHO and small branch offices. It terminates IPSec at the CO Contivity and is suited to provider-provisioned networks and large enterprise deployments. The C251 supports up to five VPN Branch Office Tunnel (BOT) connections simultaneously and integrates four 10/100 Mbps LAN ports and one ADSL port in a single package. The ADSL port supports downstream rates up to 8 Mbps and upstream rates up to 832 Kbps.
The C251 supports two types of VPN connection: Branch Office Tunnel (BOT) and Contivity Client tunnel. A BOT supports the full set of VPN rules, while the Contivity Client supports a single simple VPN rule. C251 VPN is based on the IPSec standard and interoperates with other IPSec-based VPN products. For a full feature description, refer to the NTP "Contivity 251 VPN Switch User's Guide" on the Nortel Customer Support web site.
Figure 2: C251 Front View
Figure 3: C251 Rear View
1.4 Why ABOT?
The C251 supports both Asymmetric Branch Office Tunnels (ABOT) and Peer-to-Peer BOTs. A Peer-to-Peer BOT uses main mode for the IKE phase 1 exchange, and main mode with pre-shared keys requires both VPN switches to have fixed public IP addresses, because the responder must select the key by the peer's address before identities are exchanged. Since the C251's public interface address is normally assigned dynamically by the ISP's DHCP server, Peer-to-Peer branch tunnels are not applicable.
ABOT suits a BOT with a fixed IP address on one end and a dynamically assigned address on the other. For an ABOT connection to work, the end with the dynamic address must be configured as the initiator and the end with the fixed address as the responder. In our case the C251 is configured for "Aggressive" mode to act as the initiator, and the Contivity Gateway in the CO is configured as the responder. In an ABOT tunnel only the initiator (the C251) can bring up the tunnel.
1.5 C200 Client Emulation
The Contivity 200 series has a unique feature called "Client Emulation". Because it lets a C200 act as a user and establish a VPN tunnel to a remote Contivity Gateway, it is also called "Hard Client". The Hard Client uses IPSec and supports one simple VPN rule. It is easy to configure and can be set up by non-technical end users. CO technical personnel can then use the client tunnel to gain remote control of the C200 and perform further configuration, e.g. ABOT, firewall, NAT and so on.
By default, Client Emulation is configured as a "Manual Tunnel" and requires the user to press "Connect" to bring the tunnel up. As of release V2.1, Client Emulation also supports "on demand" tunneling: the client tunnel is created automatically whenever traffic requires it, without user intervention. In both modes the tunnel is initiated only from the C200 side. To enable On-Demand mode, go to the VPN menu, select a client rule, select "Advanced", and check "On Demand Client Tunnel".
The C200 allows only one active Contivity Client at a time; when a Client tunnel is activated, all other VPN connections must be deactivated.
In the Client Emulation configuration there is a many-to-one NAT from the C200 private LAN to the remote private LAN behind the CO Contivity gateway. Many-to-one mode maps the multiple private IP addresses on the C200 LAN to the single IP address assigned by the CO Contivity gateway; this is equivalent to the C251's Single User Account (SUA) feature. Consequently, traffic sent from the Contivity Gateway's private network to the C200's private network gets no further than the address assigned to the C200. In the Client Emulation configuration the CO site can manage the C200 itself, but it cannot manage the C200's private LAN, because inbound traffic through M:1 NAT cannot establish connections unless port forwarding is enabled. For full VPN capabilities, set up Branch Office Tunnels, either ABOT or static BOT.
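The following added example (not code from the Nortel guide or the C200 firmware) models the many-to-one NAT on the client tunnel so the behaviour described above can be traced packet by packet: a LAN host can open connections outward and receive the replies, the CO can reach the C200's own management services on the tunnel-assigned address, but an unsolicited connection from the CO to a LAN host is dropped unless a port-forward rule exists. All addresses and ports are constructed for the illustration and are not taken from the guide's lab.

```python
"""Model of the many-to-one (SUA) NAT on a C200 client tunnel.

Added example, not code from the Nortel guide or the C200 firmware. It shows
why the CO can manage the C200 over the client tunnel but cannot reach hosts
on the C200's private LAN unless a port-forward rule exists. Addresses below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Packet = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)

# Constructed addresses (assumptions, not taken from the guide's lab)
TUNNEL_ADDR = "172.16.55.3"   # address the CO gateway assigned to the C200 hard client
LAN_HOST = "192.168.16.10"    # a PC on the C200's private LAN
CO_SERVER = "10.1.1.20"       # a server behind the CO gateway


@dataclass
class ManyToOneNat:
    public_addr: str                               # the single tunnel-assigned address
    local_ports: Set[Tuple[str, int]]              # C200's own services on that address
    next_port: int = 40000                         # first translated source port
    table: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> tunnel: rewrite the source to the tunnel address, remember the mapping."""
        proto, src_ip, src_port, dst_ip, dst_port = pkt
        public_port = self.next_port
        self.next_port += 1
        self.table[(proto, public_port)] = (src_ip, src_port)
        return (proto, self.public_addr, public_port, dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Tunnel -> C200: returns ('lan', pkt), ('c200', pkt) or ('drop', None)."""
        proto, src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_addr:
            return ("drop", None)
        key = (proto, dst_port)
        if key in self.table:            # reply to a flow a LAN host opened
            lan_ip, lan_port = self.table[key]
            return ("lan", (proto, src_ip, src_port, lan_ip, lan_port))
        if key in self.forwards:         # explicit port-forward rule
            lan_ip, lan_port = self.forwards[key]
            return ("lan", (proto, src_ip, src_port, lan_ip, lan_port))
        if key in self.local_ports:      # C200 management (web GUI, FTP) terminates here
            return ("c200", pkt)
        return ("drop", None)            # unsolicited: no state, no forward


def demo() -> dict:
    """Walk through the cases the text describes and return the outcome of each."""
    nat = ManyToOneNat(TUNNEL_ADDR, local_ports={("tcp", 80), ("tcp", 21)})
    results = {}
    # 1. A LAN host opens a connection to the CO server: translated and remembered.
    out = nat.outbound(("tcp", LAN_HOST, 51000, CO_SERVER, 80))
    results["outbound"] = out
    # 2. The reply lands on the mapped port and is handed back to the LAN host.
    results["reply"] = nat.inbound(("tcp", CO_SERVER, 80, out[1], out[2]))
    # 3. The CO technician connects to the C200's web GUI on the tunnel address.
    results["manage_c200"] = nat.inbound(("tcp", CO_SERVER, 40123, TUNNEL_ADDR, 80))
    # 4. The CO tries to reach a LAN host directly: dropped, no mapping exists.
    results["reach_lan"] = nat.inbound(("tcp", CO_SERVER, 40124, TUNNEL_ADDR, 3389))
    # 5. With a port-forward rule the same packet is delivered to the LAN host.
    nat.forwards[("tcp", 3389)] = (LAN_HOST, 3389)
    results["reach_lan_forwarded"] = nat.inbound(("tcp", CO_SERVER, 40124, TUNNEL_ADDR, 3389))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} -> {outcome}")
```

Case 4 is the reason the client tunnel is only a stepping stone: the CO can restore a configuration file to the C200 (case 3) but cannot administer PCs behind it until the ABOT is in place or a port forward is opened.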
1.6 ADSL Brief
ADSL (Asymmetric Digital Subscriber Line) is a proven technology that uses standard copper telephone loops to provide high-speed, "always on" Internet access. ADSL downstream capacity is higher than its upstream capacity; for example, the Contivity 251 ADSL port supports downstream rates up to 8 Mbps and upstream rates up to 832 Kbps. ADSL uses signal frequencies above those used by voice or fax, so the data signal does not interfere with the telephone signal.
At the SOHO site, data and voice traffic are separated by a splitter. At the CO, they are separated by a Digital Subscriber Line Access Multiplexer (DSLAM). Voice traffic is then sent to the PSTN, while data traffic is sent to the ATM backbone connecting to the ISP and the Internet. The diagram below illustrates the key elements of ADSL.
Figure 4: ADSL Major Components (diagram: at the SOHO site a PC, phone and fax connect through a splitter to the Contivity 251 or an ADSL modem; the phone wire carries about 8 Mbps downstream and 0.8 Mbps upstream to a splitter and DSLAM at the CO, which hands voice to the PSTN and data over ATM or Frame Relay to the ISP and the Internet)
2. Deployment Method
ABOT supports the full set of VPN features, but configuring it requires technical experience and resources. The proposed deployment method uses the Client Emulation feature as a stepping stone to establish a VPN connection between a C251 in a branch office and the gateway in the CO. ABOT configuration files are prepared in the CO by technicians and then downloaded to the remote C251 over the Client Emulation VPN connection. Configuring Client Emulation is simple and can be done by non-technical staff without on-site technical support, so C200 series units can be shipped directly from the manufacturer to end users in the factory-default configuration without special staging services. The method consists of the following steps:
- Planning your VPN network
- Selecting Contivity hardware
- Obtaining network data from the ISP
- Preparing C251 ABOT configuration files (rom-0) for all sites
- Providing remote end users with simple instructions to set up and start the C251 Client tunnel
- Downloading the prepared configuration file from the CO to the remote C251 over the client tunnel; the C251 reboots automatically to activate the ABOT configuration
- Testing the ABOT tunnel using PING
This method assumes that CO technical staff have attended training classes on Nortel Contivity products.
2.1 Planning Your VPN Network
Plan the VPN network before deployment. Planning includes tasks such as determining the network topology, network size, branch office locations, CO location, Contivity VPN device models, bandwidth requirements, encryption type, NAT, and so on. Answer the following questions when planning the ABOT deployment:
- How many remote branch office (BO) sites are planned?
- What type of Internet access service is available at each remote BO?
- What type of Contivity Gateway is required in the CO to support the current VPN requirements, e.g. number of tunnels, bandwidth, interfaces?
- Is future growth expected (will more BOs join in the near future)?
- Which C200 models are selected, C251 or C221? (Consider the services available in each BO area, e.g. ADSL, cable modem, satellite Internet access.)
- What IP address scheme will be used for your VPN?
- What "initiator ID" scheme will be used for your VPN?
Draw the network topology prior to deployment.
2.2 Select Contivity Switches
2.2.1 Select Contivity Secure IP Services Gateway
The following Contivity products can be used as gateways in the CO:
- Contivity 1000 series (1010, 1050, 1100): up to 30 VPN tunnels
- Contivity 600: up to 50 VPN tunnels
- Contivity 1700 series (1700 and 1740): up to 500 VPN tunnels
- Contivity 2700: up to 2000 VPN tunnels
- Contivity 5000: up to 5000 VPN tunnels
If a Contivity 200 series unit is planned for the CO, this method does not apply, since a C200 Hard Client cannot connect to a C200 gateway; each unit must then be configured manually.
2.2.2 Select C251 Model
Refer to the following information to select suitable C251 models for locations where ADSL service is available.

CA251 (Annex A): ADSL over analog phone service; tones 6 to 31 (25 to 138 kHz); multi-mode, G.DMT, ANSI T1.413, G.Lite. Used throughout North, South and Central America, Asia and portions of Europe.
CB251 (Annex B): ADSL over ISDN; tones 29 to 63 (125 to 270 kHz); multi-mode, G.DMT, ETSI. Used mostly in Europe.
CU251 (U-R2): ADSL over ISDN; tones 29 to 63 (125 to 270 kHz); multi-mode, G.DMT, ETSI. Used in Germany with Deutsche Telekom.
2.2.3 In Areas Where ADSL Service Is Not Available
Where ADSL service is not available, consider using a C221 over satellite-based Internet service or another broadband high-speed Internet access service. For example, DIRECWAY provides satellite-based Internet service anywhere in the continental U.S.
2.3 Gathering Information from ISP
2.3.1 VPI & VCI
The Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) of the ISP's ATM backbone are the most important values to enter to get a C251 ADSL connection working. Each ADSL service provider uses its own pair of numbers. The following list gives ADSL service providers and the VPI/VCI values used to configure ADSL modems on their networks; always check with your service provider for current information.

Provider            VPI/VCI
DSL Extreme         0/35
BellSouth           8/35
Earthlink           0/35
Covad               0/35
Ameritech           0/35
WorldCom            0/35
New Edge            0/38
SouthWestern Bell   0/35
Pac Bell            0/35
Verizon             0/35
Sprint              8/35
US West/Qwest       0/32
2.3.2 Static IP Address for Contivity Gateway in CO
A static IP address is a fixed address guaranteed by your ISP. A dynamic IP address is not fixed; it is assigned by your ISP each time you connect.
Purchase a fixed IP address from your ISP for the Contivity Gateway's public interface. Because this address is configured into every C200, a dynamically assigned address is not suitable.
2.4 Define a Scheme for Pre-shared Keys
A pre-shared key authenticates a communicating party during the phase 1 IKE negotiation. Both ABOT connections and Client tunnel connections require pre-shared keys. Plan your key scheme and generate a separate key for each branch office. Because ABOT uses aggressive mode, an eavesdropper who captures the phase 1 exchange can attempt an offline dictionary attack against the pre-shared key, so generate long random keys rather than words or site names, and treat each key as a per-site credential to be revoked when that unit is lost or retired.
2.5 Define a Scheme for ABOT Initiator ID
In aggressive negotiation mode, the C251 uses an "Initiator ID" to establish the ABOT to the remote gateway. The Initiator ID on the C251 is entered in the "Content" field as a DNS domain name or e-mail address, as selected by the "Local ID Type" field. The name or address is used only for identification and need not be a real domain name or e-mail address. If you select "IP" as the Local ID Type, the Initiator ID must conform to the strict IP address format to be accepted by the C251; again it is used only as an ID and need not be a real address.
Since the C251 allows a DNS domain name or e-mail address ID of up to 31 characters, network designers have flexibility in composing identifiers. When using special characters, make sure they are accepted by both the CO and the BO. The ID appears in the CO gateway's event log during communication, so it is important to plan a scheme that makes the ID meaningful for future troubleshooting, logging, and accounting. Note that in aggressive mode the ID is sent unencrypted in the first IKE message, so do not put anything sensitive in it.
Each C251 must have a unique ID; the gateway rejects a connection whose ID duplicates another.
2.6 Define a Scheme for BO IP Addresses
Determine the private IP network address for the LAN at each site. Private IP addresses can be selected from:
- 10.x.x.x
- 172.16.x.x to 172.31.x.x
- 192.168.x.x
Assign each BO LAN a unique network address to simplify configuration. Reserve 192.168.1.0/24 for the C200 series factory-default configuration (the C251 ships with 192.168.1.1/24 on its LAN) to avoid address conflicts; the private LAN behind the CO gateway should not use 192.168.1.0/24 either.
Define the subnet size for each site. An 8-bit host part with a mask of 255.255.255.0 is commonly used; it is easy to configure and allows up to 254 hosts.
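The three schemes in sections 2.4, 2.5 and 2.6 are easy to get wrong by hand across many sites (a duplicated ID, an overlapping subnet, a key reused from the lab). The added example below, which is not code from the Nortel guide or the Contivity products, builds a per-site plan and rejects the mistakes the text warns about: IDs over 31 characters or with unsafe characters, duplicate IDs, subnets that overlap the reserved 192.168.1.0/24, the CO LAN, or another branch office, and addresses that are not valid network addresses. The sample sites follow the ABC example's office#-areacode-phone# scheme but are constructed; the 24-character alphanumeric key, the rom-0 file-name convention and the CO LAN are assumptions of this example.

```python
"""Per-site plan generator for the pre-shared key, initiator ID and LAN schemes
in sections 2.4 to 2.6.

Added example, not code from the Nortel guide or the Contivity products. The
31-character ID limit and the 192.168.1.0/24 reservation come from the guide;
the key length, key alphabet, file-name convention and the sample sites are
assumptions made for this example.
"""
import ipaddress
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_ID_LEN = 31                                      # C251 limit for DNS/e-mail style IDs
KEY_ALPHABET = string.ascii_letters + string.digits  # assumption: accepted by both CO and BO
KEY_LEN = 24                                         # assumption: resists offline guessing
RESERVED = [ipaddress.ip_network("192.168.1.0/24")]  # C200 factory-default LAN, never assigned


@dataclass(frozen=True)
class Site:
    office: int
    area_code: str
    phone: str
    lan: str  # planned private LAN, e.g. "192.168.16.0/24"


# Constructed sample sites following the ABC example (office#-areacode-phone#).
EXAMPLE_SITES: List[Site] = [
    Site(4, "813", "123-4444", "192.168.14.0/24"),
    Site(5, "972", "123-5555", "192.168.15.0/24"),
    Site(6, "972", "123-6666", "192.168.16.0/24"),
]


def initiator_id(site: Site) -> str:
    """Build the guide's office#-areacode-phone# ID and check the C251 constraints."""
    ident = f"office{site.office}-{site.area_code}-{site.phone}"
    if len(ident) > MAX_ID_LEN:
        raise ValueError(f"initiator ID {ident!r} exceeds {MAX_ID_LEN} characters")
    if not all(ch.isalnum() or ch == "-" for ch in ident):
        raise ValueError(f"initiator ID {ident!r} uses characters that may not be accepted")
    return ident


def generate_psk(length: int = KEY_LEN) -> str:
    """Random pre-shared key from the OS CSPRNG; one per branch office."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def validate_plan(sites: List[Site], co_lan: Optional[str] = None) -> Dict[str, dict]:
    """Return {initiator_id: {lan, c251_lan_ip, psk, config_file}} or raise ValueError.

    Checks: unique IDs, valid network addresses, and no overlap with the reserved
    factory-default subnet, the CO LAN, or any other branch office.
    """
    taken = []
    if co_lan is not None:
        co_net = ipaddress.ip_network(co_lan, strict=True)
        if any(co_net.overlaps(r) for r in RESERVED):
            raise ValueError("CO LAN must not use the reserved 192.168.1.0/24")
        taken.append(co_net)
    plan: Dict[str, dict] = {}
    for site in sites:
        ident = initiator_id(site)
        if ident in plan:
            raise ValueError(f"duplicate initiator ID {ident}; the gateway rejects duplicates")
        net = ipaddress.ip_network(site.lan, strict=True)  # rejects host bits set
        if any(net.overlaps(other) for other in RESERVED + taken):
            raise ValueError(f"{site.lan} overlaps a reserved or already assigned subnet")
        taken.append(net)
        plan[ident] = {
            "lan": str(net),
            "c251_lan_ip": str(net.network_address + 1),  # guide uses 192.168.x.1 for management
            "psk": generate_psk(),
            "config_file": f"rom-0_office{site.office}",     # assumption: name bound to BO location
        }
    return plan


if __name__ == "__main__":
    for ident, entry in validate_plan(EXAMPLE_SITES, co_lan="10.10.0.0/24").items():
        print(ident, entry["lan"], entry["c251_lan_ip"], entry["config_file"], entry["psk"])
```

The generated plan is the input for sections 2.10 and 2.12: the ID and LAN go into the pre-built configuration file, and the key is what the end user types as the Client password, so keep the plan file under the same access control as the saved rom-0 files.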
2.7 Minimum Software Requirement
To use this method, the C251 must run at least software V2.1. If you are currently running V2.0, upgrade to V2.1.
2.8 Minimum Lab Requirement
The minimum requirements for a successful deployment are:
- The CO gateway has Internet access and a fixed IP address assigned by the ISP
- PCs with Microsoft Windows and Internet Explorer
- The C251 has Internet access via an ADSL connection
- CO technical personnel have been trained on Nortel Contivity products
If your budget allows, you may want to build a controlled lab environment that simulates an ADSL ISP. This requires a DSLAM and routers with ATM interfaces.
2.9 Configuring Contivity Gateway in CO
The minimum requirements for configuring the CO Contivity Gateway are:
- Upgrade the Contivity Gateway software to 4.80 or later
- Configure the private and public interfaces of the Contivity Gateway
- Configure at least one user group for C251 Client connections
- Configure Branch Office groups, one connection per remote C251; organize and name groups and connections to suit your organization
- Configure IP address pools for C251 Hard Client address assignment
- Configure the Contivity for Internet access, and test the connection by browsing the Internet
2.10 Prepare C251 Configuration Files in CO Lab
1. Make sure the C251 is reset to factory default.
2. Change the C251 VPI/VCI to the numbers provided by the ISP, and test the DSL connection.
3. Change the C251 LAN to the planned IP address and subnet.
4. Configure the C251 with one client tunnel (inactive) and one BO tunnel (active).
5. Test the configuration to ensure that both the ABOT and the Client tunnel can be established.
6. Save the configuration file to the local computer with a unique file name; bind the file name to the BO location. The saved file contains that site's pre-shared keys and passwords, so store it where only deployment staff can read it.
7. Repeat the above procedure for each C251 and remote site.
2.11 C251 Factory Defaults and Minimum Changes
The C251 ships with a factory-default configuration whose parameters work with most ADSL ISP installations, though some ISPs require minimal changes.
In the default configuration, the DHCP server on the C251 private interface is enabled with an address range of 192.168.1.3 to 192.168.1.254/24. The default management interface address is 192.168.1.1/24 and the default password is "setup". PCs connected to the private interface with dynamic addressing are assigned an address in that subnet. Change the default password during the pre-build, since the factory default is publicly documented.
The factory default has the DHCP client enabled on the public interface, so a dynamic public IP address is assigned by the ISP on connection. This default configuration lets end users reach the Internet in a plug-and-play fashion.
The C251 hard client is designed as a 3DES client and uses 3DES/SHA to connect to the CO Contivity user group; this is the strongest SA algorithm set offered in this release.
The C251 has the following default WAN settings, which work with most ADSL providers; the VPI/VCI numbers may differ between providers:
- Routing mode
- LLC multiplexing
- ENET ENCAP encapsulation
- VPI/VCI 8/35

Routing mode
Routing mode is the default and should always be used when building a VPN network, regardless of ISP. Bridge mode may still allow Internet access, but it does not allow a VPN connection to the Contivity gateway.

ENET ENCAP encapsulation
Use the encapsulation method compatible with your ISP. The C251 supports several encapsulation methods, and the default "ENET ENCAP" works with almost all ISPs. ENET ENCAP is the MAC Encapsulated Routing Link Protocol implemented over IP: IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment, i.e. routed Ethernet frames are encapsulated in bridged ATM cells. ENET ENCAP requires a gateway IP address in the "Ethernet Encapsulation Gateway" field.
LLC-based multiplexing
LLC-based multiplexing is the factory default; it carries multiple protocols over one VC and is used by most ISPs.

VPI and VCI
The factory setting of VPI/VCI is given as 0/35 here and as 8/35 in the default WAN settings above; in either case, do not rely on the factory value and be sure to use the Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you by your ISP.
2.11.1 Reset to Factory Default
Make sure your C251 is at its factory-default settings before starting configuration, since this method assumes a factory-default C251. If you are not sure, reset it using one of the following methods.
2.11.2 Using the Reset Button
Make sure the SYS LED is on (not blinking). Press the RESET button for about five seconds and then release it. The SYS LED begins to blink and the unit reboots. The factory-default settings are restored when the Contivity 251 boots up.
2.11.3 Uploading a Configuration File via Console Port
Download the default configuration file from http://www.nortelnetworks.com/index.html, unzip it and save it in a folder.
Turn off the Contivity 251, start a terminal-emulation session, and turn the Contivity 251 on again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
Enter "atlc" after the "Enter Debug Mode" message.
Wait for the "Starting XMODEM upload" message before starting the Xmodem upload on your terminal. In HyperTerminal, for example, click Transfer, then Send File, and send the configuration file using the Xmodem protocol.
2.12 Provide End-Users with Instructions
Provide the remote end users with very simple instructions for establishing the initial connection, distributed by fax, phone, or mail. The instructions for setting up the C251 Client should contain at least:
- ISP VPI/VCI numbers and how to configure them
- How to configure Client Emulation
- Username (configured in the gateway user group)
- Password (pre-shared key)
- CO gateway IP address
- Press the "Connect" button to start the Client connection
- How to use the PING command to validate the connection
Since the password is the tunnel's pre-shared key, send it by a different channel from the rest of the instructions (for example the steps and gateway address by mail, the key by phone), and never reuse one key across sites. Add scheduling information and contact numbers. End users should have the Contivity 251 Quick Start Guide shipped to them for reference.
2.13 Downloading Configuration Files from CO Lab to Remote C251
Once the C251 hard client connection is established, CO technicians download the pre-built configuration file to the remote C251 using the GUI "Maintenance -> Restore" tool or an FTP command, in either case over the client tunnel rather than the open Internet. When the download completes, the remote C251 activates the new configuration file and reboots automatically. After the reboot, a ping from the C251 to the Contivity gateway brings up the ABOT tunnel. Verify the connection with pings in both directions.
Repeat the same procedure for each site.
3. Contivity C251 Deployment Example
Company ABC in North America has one small corporate central office and five remote branch offices. They plan to build a VPN (ABC VPN) using ISP Internet services and Nortel Contivity gateways. The ABC VPN will allow the remote branch offices to access the private servers in the headquarters CO with low maintenance cost and high security.
Note: the configurations documented in this example were successfully tested in a live network.
3.1 ABC VPN Deployment Tasks
- Network planning
- Draw the network topology
- Order equipment and services and obtain information from the ISP
- Set up the CO lab
- Configure the Contivity gateway C1100
- Pre-build the five BO configuration files in the CO
- Send "startup" instructions to each BO
- Deploy ABOT, coordinating with each BO
- Download the configuration files from the CO to the BOs
3.2 Network planning
- Network topology: hub-spoke, 1x C1100 gateway, 6xC251 Annex-A
- Connectivity C251: configure one acti ve ABOT and one i nactive Client tunnel per C251
- BO IP address: 192.168.x.0/24, for pri vate LAN and 192.168.x.1 for C251 management
- Initiator ID structure: office#-areacode-phone#
- static IP from ISP: 24.1.61.69 for Contivity public Interface, and default gateway: 24.1.48.1
- IP-pool: 172.16.55.1-172.16.55.10 for C251 hard client access
- Software level : C1100 V04_80.124; C251 VE251_2.1.0.0.007 (V2.1)
3.3 ABC VPN Topology
Figure 5: ABC VPN Topology (diagram not reproduced; the legend data is listed here)
CO NOC: C1100 gateway, software V04_80.124; private interface 192.168.3.1, management address 192.168.3.2, DHCP server for 192.168.3.0/24; ABOT responder; IP pool 172.16.55.1-10; public interface 24.1.61.69/20, default gateway 24.1.48.1; server with dynamic IP
BO-2: Name C251_Office_2, Key Contivity, IP addr 192.168.12.0/24, Initiator ID office2-214-123-2222
BO-3: Name C251_Office_3, Key Contivity, IP addr 192.168.13.0/24, Initiator ID office3-972-123-3333
BO-4: Name C251_Office_4, Key Contivity, IP addr 192.168.14.0/24, Initiator ID office4-813-123-4444
BO-5: Name C251_Office_5, Key Contivity, IP addr 192.168.15.0/24, Initiator ID office5-972-123-5555
BO-6: Name C251_Office_6, Key Contivity, IP addr 192.168.16.0/24, Initiator ID office6-972-123-6666
All branch offices reach the CO over the Internet through ABOT tunnels terminated on the C1100.
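The address plan above is easy to get wrong by hand, and an overlapping BO LAN or a duplicated initiator ID only shows up later as a tunnel that authenticates but routes nowhere. The following script is an added example, not part of the original guide: it transcribes the BO service data from section 3.2 and Figure 5 and checks that the BO LANs, the CO LAN and the hard-client IP pool are disjoint, that every initiator ID follows the office#-areacode-phone# structure, names the same office as the device and is unique, and that VPI/VCI values are in range. The record layout, the range check (VCIs 0-31 are reserved on an ATM UNI) and the "first host is the management address" rule are the example's own assumptions about the plan, not anything the C251 or C1100 enforces.

```python
import ipaddress
import re

# Planning data transcribed from section 3.2 and Figure 5 of this guide.
CO_LAN = ipaddress.ip_network("192.168.3.0/24")
CLIENT_POOL = ("172.16.55.1", "172.16.55.10")        # C1100 IP pool for C251 hard clients
ID_PATTERN = re.compile(r"^office(\d+)-\d{3}-\d{3}-\d{4}$")  # office#-areacode-phone#

BRANCH_OFFICES = [
    {"name": "C251_Office_2", "lan": "192.168.12.0/24", "initiator_id": "office2-214-123-2222", "vpi_vci": (8, 35)},
    {"name": "C251_Office_3", "lan": "192.168.13.0/24", "initiator_id": "office3-972-123-3333", "vpi_vci": (8, 35)},
    {"name": "C251_Office_4", "lan": "192.168.14.0/24", "initiator_id": "office4-813-123-4444", "vpi_vci": (8, 35)},
    {"name": "C251_Office_5", "lan": "192.168.15.0/24", "initiator_id": "office5-972-123-5555", "vpi_vci": (8, 35)},
    {"name": "C251_Office_6", "lan": "192.168.16.0/24", "initiator_id": "office6-972-123-6666", "vpi_vci": (0, 35)},
]


def pool_networks(pool):
    """Express an address range such as 172.16.55.1-172.16.55.10 as CIDR blocks."""
    low, high = (ipaddress.ip_address(a) for a in pool)
    return list(ipaddress.summarize_address_range(low, high))


def management_address(lan):
    """Assumed convention from the guide: the first host of each BO LAN (192.168.x.1) manages the C251."""
    return str(next(ipaddress.ip_network(lan).hosts()))


def plan_problems(offices, co_lan=CO_LAN, pool=CLIENT_POOL):
    """Return a list of problems found in the address plan; an empty list means it is consistent."""
    problems = []
    # Every BO LAN must be disjoint from the CO LAN, from the client pool and from every other BO LAN,
    # otherwise the static routes the C1100 installs per ABOT (section 3.7.15) cannot all be right.
    claimed = [("CO LAN", co_lan)] + [("client IP pool", n) for n in pool_networks(pool)]
    seen_ids = {}
    for office in offices:
        name, ident = office["name"], office["initiator_id"]
        try:
            net = ipaddress.ip_network(office["lan"], strict=True)   # rejects host bits in a "network"
        except ValueError as exc:
            problems.append(f"{name}: bad LAN {office['lan']!r} ({exc})")
            continue
        for label, other in claimed:
            if net.overlaps(other):
                problems.append(f"{name}: LAN {net} overlaps {label} {other}")
        claimed.append((name, net))
        # The initiator ID is what the C1100 matches the incoming aggressive-mode proposal against,
        # so it must be well formed and unique, and it should name the same office as the device name.
        m = ID_PATTERN.match(ident)
        if not m:
            problems.append(f"{name}: initiator ID {ident!r} does not follow office#-areacode-phone#")
        elif not name.endswith("_" + m.group(1)):
            problems.append(f"{name}: initiator ID {ident!r} names a different office")
        if ident in seen_ids:
            problems.append(f"{name}: initiator ID {ident!r} already used by {seen_ids[ident]}")
        seen_ids.setdefault(ident, name)
        vpi, vci = office["vpi_vci"]
        if not (0 <= vpi <= 255 and 32 <= vci <= 65535):   # UNI VPI range; VCIs 0-31 are reserved
            problems.append(f"{name}: VPI/VCI {vpi}/{vci} out of range")
    return problems


if __name__ == "__main__":
    for office in BRANCH_OFFICES:
        print(office["name"], management_address(office["lan"]), office["initiator_id"])
    print("problems:", plan_problems(BRANCH_OFFICES) or "none")
```

Run it once before the BO configuration files are pre-built (section 3.7) and again whenever a site is added; a non-empty result means the planning sheet, not the device, needs fixing.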
3.4 Order Equipment and Services
ABC purchased six Contivity 251 units and one Contivity 1100 gateway from Nortel. The Contivity 251 units shipped directly to the remote locations with factory default configurations. ABC ordered ADSL Internet access for each branch office and for the CO, and ordered broadband high-speed Internet access for the CO gateway.
Summary:
- order 6 x C251 Annex-A with V2.1 software, one for each BO and one for the CO
- order 1 x C1100 with V4.8 software for the CO
- order ADSL service for each BO
- order ADSL service for the CO
- order broadband Internet service for the CO, with static IP 24.1.61.69/20
- obtain the VPI/VCI numbers for each location: Office-6 and the CO have 0/35, the rest have 8/35
3.5 Set Up CO Lab
The CO lab is set up as shown in the diagram below. The C1100 serves as the ABC company gateway and as the staging equipment as well.
The C251 is configured to simulate Office-6 with VPI/VCI = 0/35, a private LAN of 192.168.16.0/24, and a management IP address of 192.168.16.1.
The PC in the CO is named "S3", and the PC in BO Office-6 is named "S4"; both run Microsoft Windows XP and are configured with dynamic IP addresses.
Figure 6: ABC Company CO Lab, C251-C1100 tunneling over the live Internet (diagram not reproduced; the legend data is listed here)
C1100 V4.80 (ABOT responder): public interface 24.1.61.69/20 with default gateway 24.1.48.1, reached through a cable modem on Comcast broadband high-speed access; private interface 192.168.3.1, DHCP server 192.168.3.3-254; IP pool 172.16.55.1-10
PC-S3: Windows XP, 192.168.3.9 (dynamic), on the C1100 private LAN
C251 Annex-A F/W V2.1 (ABOT initiator): ADSL over a Verizon PSTN phone line (DSL-Verizon.net), VPI/VCI = 0/35; default private interface 192.168.16.1, DHCP server 192.168.16.3-254
PC-S4: Windows XP, 192.168.16.3 (dynamic), on the C251 private LAN
3.6 Configure Contivity Gateway 1100
Figure 7: Configure C1100 from Factory Default (diagram not reproduced). It shows the CO NOC with the C1100 gateway (V04_80.124): private interface 192.168.3.1, management address 192.168.3.2, DHCP server for 192.168.3.0/24, ABOT responder, IP pool 172.16.55.1-10, and PC S3 at 192.168.3.9 (dynamic IP).
3.6.1 Configure IP Address & DHCP for C1100
1: Reset the C1100 to factory default (V04_80.124)
Connect PC S3 to the C1100 (both Ethernet and serial port) and open a HyperTerminal session. In the "Main Menu", select "R" to reset the C1100 to factory default.
2: Configure the IP addresses for the management and private interface (address and mask were determined during the network planning phase)
Slot 0, Port 1, Private LAN: Management IP Address = 192.168.3.2 (Subnet Mask = 255.255.255.0)
Interface IP Address = 192.168.3.1, Subnet Mask = 255.255.255.0
3: Configure the public interface (the IP address and mask must be obtained from the ISP)
Slot 1, Port 1, Public LAN: IP Address = 24.1.61.69, Subnet Mask = 255.255.240.0, Speed/Duplex = AutoNegotiate
4: Configure the public default gateway (the gateway address must be obtained from the ISP)
Default Public Route Menu
0) Gateway IP Address = 24.1.48.1 Cost = 10
A) Add New Gateway R) Return to the Main Menu
5: Configure the DHCP server for the private LAN as defined
Return to the main menu and select "L" to go to the Command Line Interface. Enable privileged commands, then type the following commands to configure and enable a DHCP server for 192.168.3.0/24:
config t
ip dhcp server pool network 192.168.3.0 mask 255.255.255.0 included-address 192.168.3.3 192.168.3.30
exit
service dhcp enable
exit
6: Renew the PC IP address
On the PC, open a command window (Start -> Run, then type "cmd"), then issue the following commands to release and renew the IP address:
ipconfig /release
ipconfig /renew
In this example, PC S3 receives the new IP address 192.168.3.9.
Open the Web GUI to connect to the C1100 using http://192.168.3.2
3.6.2 Configure User Group for C1100
Go to Profile -> User Group.
1: Add User Group "c251client"
2: Add IP Pool "c251client"
3: Set IPSec connectivity with IP pool "c251client", and keep the rest at default.
4: Set IPSec parameters for interworking with C251 Client Emulation
To interwork with the C251 client, keep the IPSec parameters at factory default. The only change is to enable "Triple DES with Group 2", since the C251 client emulation is designed as a 3DES client in the current release.
5: Add a user to group "c251client" with user ID "251" and password "Contivity" (this user group is for VPN connections from C251 hard clients).
3.6.3 Configure Branch Office Group for C1100
1: Add Branch Office group "c251abot" (for C251 ABOT connections), and add connection "office6-972-123-6666" under group "c251abot".
Define the connection type as "responder", and add one connection per site.
2: Configure the Initiator ID, the pre-shared key "Contivity", and the local and remote networks.
3: Configure ABOT group parameters
To interwork with the C251 ABOT, keep all the parameters under IPSec and Connectivity at factory default (V04_80.124), as shown below.
3.7 Pre-build Configuration File for BO C251_Office_6
Tasks:
- Build one Client tunnel, and test it
- Build one ABOT tunnel, and test it
- Save the configuration file rom-0 to the PC disk and rename the file "office6-972-123-6666rom-0"
Before configuration, make sure that the C251 is reset to factory default and that the software is at least VE251_2.1.0.0.007.
Office-6 has the following service data:
Name: C251_Office_6
KEY: Contivity
IP addr: 192.168.16.0/24, 192.168.16.1 for management
Initiator ID: office6-972-123-6666
VPI/VCI: 0/35
3.7.1 Start Up with "Wizard Setup"
Power on the C251, connect the PC to the Contivity 251 private LAN, and connect the phone line to the "DSL" port. Use the front-panel LEDs to check connectivity.
The C251 has the default IP address 192.168.1.1, the default DHCP range is 192.168.1.3-254/24, and the default password is "setup".
Make sure the PC is configured with a dynamic IP address. Start IE on the PC and open the Web GUI of the C251 at its default address http://192.168.1.1; log in with the default "admin/setup". Click "Wizard Setup" to start.
3.7.2 Changing VPI & VCI
To gain access to the Internet, the VPI & VCI numbers must be configured to match the numbers provided by your local ADSL ISP. In this case, both the CO and Office_6 have VPI/VCI 0/35. The window below shows the default setting of the C251; the VPI value should be changed to 0, and the remaining fields should be kept at default.
The screen below shows the changed VPI; click "Next" to continue.
Keep all fields in this window at default as shown below. Click "Next" to continue.
3.7.3 Changing LAN IP Addresses and DHCP Server IP
Change the default IP of the LAN and DHCP from 192.168.1.0/24 to 192.168.16.0/24 for C251_Office_6. Click "Change LAN Configuration" to continue. Do not click the "Save Setting" button at this point.
Fill in the IP address of the LAN and DHCP for C251_Office_6 (see the screen shot below). Click "Finish".
3.7.4 Power Off and Power On C251
When you click the "Finish" button, the IP address and DHCP server on the C251 are updated, and you lose the connection between the PC and the C251 for a while.
Wait a couple of minutes to give the C251 time to save the new configuration. Then power the C251 off and on using the power button on its rear panel. After rebooting, the C251 assigns the PC a new IP address of 192.168.16.x and the connection between the PC and the C251 resumes. To continue the configuration, open the Web GUI at the C251's new IP address:
http://192.168.16.1
3.7.5 Test ATM and Internet Connection
At this stage, a PC on the C251 private LAN should be able to connect to the Internet. Test it by browsing to www.google.com.
If you have trouble accessing the Internet, check the C251 front panel to make sure that the DSL LED is solid green. To diagnose the ATM connection, use the following steps.
Go to: Main -> Maintenance -> Diagnostic -> DSL Line, and click "ATM Loopback Test".
If your VPI & VCI are configured correctly, and if your phone line has been provisioned with ADSL service by your ISP, the ATM test should pass with the message "ATM Loopback Test Success". See below.
3.7.6 Configure VPN Client Tunnel
Go to VPN -> Setup.
Click No. "1" to build a VPN Client.
In the pull-down menu, select "Contivity Client".
Fill in the information as shown, check "Active", then click "Apply". Note: the user name, password and gateway address should be taken from your network planning sheet.
When the VPN is configured, it is not yet active. To start the Client tunnel, click the "Connect" button.
3.7.7 Check VPN Client Tunnel Status
To check the connection status, click "Back", then select "Monitor".
3.7.7.1 Check C251 VPN Client Tunnel Status Using VPN-SA Monitor
For a successful connection, the VPN-SA Monitor should show status fields similar to those below. An empty field indicates failure.
3.7.7.2 Check C251 VPN Client Tunnel Status Using System Log
For a successful connection, the System Log should record connection events similar to those below. (By default, logging is off. You must configure logging before any events are recorded.)
3.7.7.3 Check VPN Client Tunnel Status on Gateway C1100
Go to Status -> Sessions: the user "251 minnow" is currently connected, and the assigned IP address is 172.16.55.10.
Click "Details" for more information about the connection:
ISAKMP security association established with 251 (4.14.165.142)
Local address: 24.1.61.69
Local Udp Port:500 Remote port:500
Initiator cookie: 34405DC001583BD7
Responder cookie: 60DCF56217C6C5CF
IKE encryption: Triple DES with Diffie-Hellman group 2 (MODP 1024-bit prime)
IKE Keepalive: Contivity Client keepalive
IPSec tunnel mode security associations established:
ESP 56-bit DES-CBC-HMAC-MD5 outbound SPI 0x5C32CF37 software session
14 packets sent
ESP 56-bit DES-CBC-HMAC-MD5 inbound SPI 0xC9F66 software session
14 packets successfully received
0 packets truncated
0 packets failed replay check
0 packets failed authentication
0 packets with invalid pad length (decryption failure)
Expires on MON APR 19 11:39:31 2004
3.7.7.4 Gateway Event Log
04/19/2004 03:39:26 0 Security [11] Session: IPSEC[251] attempting login
04/19/2004 03:39:26 0 Security [01] Session: IPSEC[251] has no active sessions
04/19/2004 03:39:26 0 Security [01] Session: IPSEC[251] 251 minnow has no active accounts
04/19/2004 03:39:26 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from 251 (4.14.165.142)
04/19/2004 03:39:28 0 ISAKMP [02] Initial Contact Payload Received
04/19/2004 03:39:28 0 ISAKMP [02] Group settings set to ignore Initial Contact Payload.
04/19/2004 03:39:28 0 Security [01] Session: IPSEC[251]:3 SHARED-SECRET authenticate attempt...
04/19/2004 03:39:28 0 Security [01] Session: IPSEC[251]:3 attempting authentication using LOCAL
04/19/2004 03:39:28 0 Security [11] Session: IPSEC[251]:3 authenticated using LOCAL
04/19/2004 03:39:28 0 Security [11] Session: IPSEC[251]:3 bound to group /Base/c251clent/251 minnow
04/19/2004 03:39:28 0 Security [01] Session: IPSEC[251]:3 Incoming client version (V02_50 or V02_51), minimum version (V02_50 or V02_51) push action (none), action not needed
04/19/2004 03:39:28 0 Security [01] Session: IPSEC[251]:3 Building group filter permit all
04/19/2004 03:39:28 0 Security [01] Session: IPSEC[251]:3 Applying group filter permit all
04/19/2004 03:39:28 0 Security [13] Session: IPSEC[No Access Network]:Access Network Passed - 4.14.165.142
04/19/2004 03:39:28 0 Security [11] Session: IPSEC[251]:3 authorized
04/19/2004 03:39:28 0 Security [12] Session: IPSEC[251]:3 physical addresses: remote 4.14.165.142 local 24.1.61.69
04/19/2004 03:39:28 0 Security [12] Session: IPSEC[251]:3 assigned IP address 172.16.55.10, mask 255.255.255.0
04/19/2004 03:39:28 0 L3if [02] L3ifCls::ResetDpdInUse: rem[ALL]@[4.14.165.142] loc[ALL]@24.1.61.69 failed - not found
04/19/2004 03:39:28 0 ISAKMP [02] ISAKMP SA established with 251 (4.14.165.142)
04/19/2004 03:39:28 0 Security [12] Session: IPSEC[251]:3 physical addresses: remote 4.14.165.142 local 24.1.61.69
04/19/2004 03:39:31 0 Security [12] Session: IPSEC[251]:3 physical addresses: remote 4.14.165.142 local 24.1.61.69
04/19/2004 03:39:31 0 Outbound ESP from 24.1.61.69 to 4.14.165.142 SPI 0x5c32cf37 [03] ESP encap session SPI 0x37cf325c bound to cpu 0
04/19/2004 03:39:31 0 Inbound ESP from 4.14.165.142 to 24.1.61.69 SPI 0x000c9f66 [03] ESP decap session SPI 0x669f0c00 bound to cpu 0
04/19/2004 03:39:31 0 IPvfy.06eaa1b0{Tun} [01] SetExpectedSrcAddress: 0x0a3710ac, Bcast 0x00000000
04/19/2004 03:39:31 0 ISAKMP [03] Established IPsec SAs with 251 (4.14.165.142):
04/19/2004 03:39:31 0 ISAKMP [03] ESP 56-bit DES-CBC-HMAC-MD5 outbound SPI 0x5c32cf37
04/19/2004 03:39:31 0 ISAKMP [03] ESP 56-bit DES-CBC-HMAC-MD5 inbound SPI 0xc9f66
3.7.8 Test VPN Client Tunnel
For a successful VPN Client tunnel connection:
- PC S4 (behind the C251) should be able to ping PC S3 (behind the C1100)
- PC S3 should be able to ping the address (172.16.55.10) assigned to the C251, but nothing further on the LAN behind the C251 (the Client tunnel carries only the C251's own assigned address; the BO LAN becomes reachable only through the ABOT, see 3.7.11)
- PC S3 should be able to remotely manage the C251 with FTP, Telnet and HTTP using the assigned IP address 172.16.55.10
Ping from PC S4 to PC S3:
C:\>ping -t 192.168.3.9
Pinging 192.168.3.9 with 32 bytes of data:
Reply from 192.168.3.9: bytes=32 time=31ms TTL=126
Reply from 192.168.3.9: bytes=32 time=29ms TTL=126
Reply from 192.168.3.9: bytes=32 time=29ms TTL=126
Reply from 192.168.3.9: bytes=32 time=30ms TTL=126
Reply from 192.168.3.9: bytes=32 time=30ms TTL=126
Reply from 192.168.3.9: bytes=32 time=32ms TTL=126
Reply from 192.168.3.9: bytes=32 time=29ms TTL=126
Reply from 192.168.3.9: bytes=32 time=29ms TTL=126
Reply from 192.168.3.9: bytes=32 time=28ms TTL=126
Reply from 192.168.3.9: bytes=32 time=29ms TTL=126
Reply from 192.168.3.9: bytes=32 time=28ms TTL=126
Ping statistics for 192.168.3.9:
Packets: Sent = 11, Received = 11, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 28ms, Maximum = 32ms, Average = 29ms
Control-C
^C
C:\>
Ping from PC S3 to 172.16.55.10 (C251 assigned address):
C:\Documents and Settings\Administrator>ping 172.16.55.10
Pinging 172.16.55.10 with 32 bytes of data:
Reply from 172.16.55.10: bytes=32 time=30ms TTL=253
Reply from 172.16.55.10: bytes=32 time=20ms TTL=253
Reply from 172.16.55.10: bytes=32 time=30ms TTL=253
Reply from 172.16.55.10: bytes=32 time=20ms TTL=253
Ping statistics for 172.16.55.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 30ms, Average = 25ms
FTP, Telnet, and HTTP
The C251 can be remotely managed from PC S3 (the host behind the C1100) using:
ftp 172.16.55.10
telnet 172.16.55.10
http://172.16.55.10
3.7.9 Configure VPN ABOT
Go to Main Menu -> VPN, then select #2 and fill in the following service data for C251_Office_6:
Aggressive mode
DNS = office6-972-123-6666
My IP = 0.0.0.0
Pre-shared key = Contivity
Gateway = 24.1.61.69
Note: The C251 does not allow the ABOT to be active while the Client Emulation tunnel is active. To activate the BO tunnel, you must deactivate the Client Emulation tunnel first.
3.7.9.1 Configure Static Routing
Build the ABOT tunnel using static routing.
Click "Apply" to activate the configuration.
Two tunnels are now built on the C251 for branch office 6: the ABOT is active while the Client tunnel is inactive.
3.7.10 Activate VPN ABOT Tunnel
Unlike the Client tunnel, there is no "Connect" button for activating the ABOT tunnel. To start the connection, simply send ping packets from the BO to the CO LAN behind the C1100.
On PC S4, issue the ping command as shown below:
C:\>ping -t 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.3.1: bytes=32 time=32ms TTL=63
Reply from 192.168.3.1: bytes=32 time=27ms TTL=63
Reply from 192.168.3.1: bytes=32 time=28ms TTL=63
Reply from 192.168.3.1: bytes=32 time=29ms TTL=63
Reply from 192.168.3.1: bytes=32 time=28ms TTL=63
Reply from 192.168.3.1: bytes=32 time=29ms TTL=63
Reply from 192.168.3.1: bytes=32 time=28ms TTL=63
Reply from 192.168.3.1: bytes=32 time=28ms TTL=63
Reply from 192.168.3.1: bytes=32 time=30ms TTL=63
3.7.11 Test VPN ABOT Tunnel
For a successful VPN ABOT tunnel connection:
- PC S4 (behind the C251) should be able to ping PC S3 (behind the C1100)
- PC S3 should be able to ping PC S4 (behind the C251)
- PC S3 should be able to manage the C251 with FTP, Telnet and HTTP using the C251 management IP address
3.7.12 Event Log on C251
To log events, you have to configure the C251 and select the log types. By default, the C251 does not collect any log. Below is the log recorded during ABOT establishment (newest entry first):
1 01/01/2000 01:01:37 WEB Login Successfully 192.168.16.3 User:admin
2 01/01/2000 00:48:20 Start Phase 2: Quick Mode 24.1.61.69 4.14.165.142 IKE
3 01/01/2000 00:48:20 Send:[HASH] 4.14.165.142 24.1.61.69 IKE
4 01/01/2000 00:48:20 Adjust TCP MSS to 0 4.14.165.142 24.1.61.69 IKE
5 01/01/2000 00:48:19 Recv:[HASH][SA][NONCE][KE][ID][ID] 24.1.61.69 4.14.165.142 IKE
6 01/01/2000 00:48:19 !! IKE Packet Retransmit 4.14.165.142 24.1.61.69 IKE
7 01/01/2000 00:48:18 !! IKE Negotiation is in process 4.14.165.142 24.1.61.69 IKE
8 01/01/2000 00:48:15 Start Phase 2: Quick Mode 4.14.165.142 24.1.61.69 IKE
9 01/01/2000 00:48:15 Send:[HASH][SA][NONCE][KE][ID][ID] 4.14.165.142 24.1.61.69 IKE
10 01/01/2000 00:48:14 Start Phase 2: Quick Mode 4.14.165.142 24.1.61.69 IKE
11 01/01/2000 00:48:14 Send:[HASH][NOTFY:INIT_CONTACT] 4.14.165.142 24.1.61.69 IKE
12 01/01/2000 00:48:14 Recv:[SA][KE][NONCE][ID][HASH] 24.1.61.69 4.14.165.142 IKE
13 01/01/2000 00:48:13 Send:[SA][KE][NONCE][ID][VID] 4.14.165.142 24.1.61.69 IKE
14 01/01/2000 00:48:13 Send Aggressive Mode request to [24.1.61.69] 4.14.165.142 24.1.61.69 IKE
3.7.13 VPN-SA Monitor
When the ABOT tunnel is up and active, you should be able to see the tunnel connection status, the negotiated algorithms, and the private LAN information. See the screen shot below.
3.7.14 ABOT Session Status on C1100
Session Details
ISAKMP security association established with office6-972-123-6666 (4.14.165.142)
Local address: 24.1.61.69
Local Udp Port:500 Remote port:500
Initiator cookie: 220754DE4FE39F68
Responder cookie: 031DBFCB4285851C
IKE encryption: 56-bit DES with Diffie-Hellman group 1 (MODP 768-bit prime)
IKE Keepalive: Disabled.
IPSec tunnel mode security associations established:
Local subnet 192.168.3.0 mask 255.255.255.0
Remote subnet 192.168.16.0 mask 255.255.255.0
ESP 56-bit DES-CBC-HMAC-MD5 outbound SPI 0x8DB22D20 software session
98 packets sent
ESP 56-bit DES-CBC-HMAC-MD5 inbound SPI 0x16D8B9 software session
98 packets successfully received
0 packets truncated
0 packets failed replay check
0 packets failed authentication
0 packets with invalid pad length (decryption failure)
Expires on MON APR 19 12:09:29 2004
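The two Session Details blocks (3.7.7.3 for the Client tunnel, and the ABOT session just above) are the quickest place to confirm what was actually negotiated rather than what the profile was meant to allow. Note that with the factory-default ABOT profile the gateway accepted 56-bit DES with Diffie-Hellman group 1 for the IKE SA and 56-bit DES-CBC for ESP in both tunnels; single DES and a 768-bit MODP group are below any current minimum, so a deployment following this guide should raise the group profile rather than accept the defaults. The script below is an added example, not part of the original guide: it parses constructed, abridged copies of the two blocks and reports deviations from a minimum policy (3DES or better, DH group 2 or higher, the planned remote subnet, and zero integrity/replay/padding failures). The policy thresholds and the field names are the example's own assumptions.

```python
import ipaddress
import re

# Constructed, abridged copies of the two "Session Details" blocks shown in 3.7.7.3 and 3.7.14.
CLIENT_SESSION = """\
ISAKMP security association established with 251 (4.14.165.142)
Local address: 24.1.61.69
IKE encryption: Triple DES with Diffie-Hellman group 2 (MODP 1024-bit prime)
IKE Keepalive: Contivity Client keepalive
IPSec tunnel mode security associations established:
ESP 56-bit DES-CBC-HMAC-MD5 outbound SPI 0x5C32CF37 software session
14 packets sent
ESP 56-bit DES-CBC-HMAC-MD5 inbound SPI 0xC9F66 software session
14 packets successfully received
0 packets truncated
0 packets failed replay check
0 packets failed authentication
0 packets with invalid pad length (decryption failure)
Expires on MON APR 19 11:39:31 2004
"""

ABOT_SESSION = """\
ISAKMP security association established with office6-972-123-6666 (4.14.165.142)
Local address: 24.1.61.69
IKE encryption: 56-bit DES with Diffie-Hellman group 1 (MODP 768-bit prime)
IKE Keepalive: Disabled.
IPSec tunnel mode security associations established:
Local subnet 192.168.3.0 mask 255.255.255.0
Remote subnet 192.168.16.0 mask 255.255.255.0
ESP 56-bit DES-CBC-HMAC-MD5 outbound SPI 0x8DB22D20 software session
98 packets sent
ESP 56-bit DES-CBC-HMAC-MD5 inbound SPI 0x16D8B9 software session
98 packets successfully received
0 packets truncated
0 packets failed replay check
0 packets failed authentication
0 packets with invalid pad length (decryption failure)
Expires on MON APR 19 12:09:29 2004
"""

WEAK_CIPHERS = ("56-bit DES", "40-bit DES")   # assumed policy: single DES is never acceptable


def parse_session(text):
    """Pull peer, IKE/ESP algorithms, tunnel subnets and error counters out of a Session Details block."""
    info = {"peer": None, "peer_ip": None, "ike_cipher": None, "dh_group": None,
            "keepalive": None, "subnets": {}, "esp": {}, "counters": {}}
    m = re.search(r"established with (\S+) \(([\d.]+)\)", text)
    if m:
        info["peer"], info["peer_ip"] = m.group(1), m.group(2)
    m = re.search(r"IKE encryption: (.+?) with Diffie-Hellman group (\d+)", text)
    if m:
        info["ike_cipher"], info["dh_group"] = m.group(1), int(m.group(2))
    m = re.search(r"IKE Keepalive: (.+)", text)
    if m:
        info["keepalive"] = m.group(1).strip().rstrip(".")
    for m in re.finditer(r"(Local|Remote) subnet ([\d.]+) mask ([\d.]+)", text):
        info["subnets"][m.group(1).lower()] = str(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
    for m in re.finditer(r"ESP (.+?) (outbound|inbound) SPI (0x[0-9A-Fa-f]+)", text):
        info["esp"][m.group(2)] = {"cipher": m.group(1), "spi": int(m.group(3), 16)}
    for m in re.finditer(r"(\d+) packets (truncated|failed replay check|failed authentication|with invalid pad length)", text):
        info["counters"][m.group(2)] = int(m.group(1))
    return info


def policy_findings(info, expected_remote=None, min_dh_group=2):
    """Compare a parsed session with a minimum policy and return the deviations as strings."""
    findings = []
    if info["ike_cipher"] in WEAK_CIPHERS:
        findings.append(f"IKE SA uses {info['ike_cipher']}; require Triple DES or stronger")
    if info["dh_group"] is not None and info["dh_group"] < min_dh_group:
        findings.append(f"IKE SA uses Diffie-Hellman group {info['dh_group']}; require group {min_dh_group} or higher")
    for direction, sa in sorted(info["esp"].items()):
        if sa["cipher"].startswith(WEAK_CIPHERS):
            findings.append(f"{direction} ESP SA uses {sa['cipher']}")
    if expected_remote and info["subnets"].get("remote") != expected_remote:
        findings.append(f"remote subnet {info['subnets'].get('remote')} does not match planned {expected_remote}")
    for name, count in info["counters"].items():
        if count:   # any non-zero integrity, replay or padding failure deserves a look
            findings.append(f"{count} packets {name}")
    return findings


if __name__ == "__main__":
    for label, block in (("client", CLIENT_SESSION), ("abot", ABOT_SESSION)):
        session = parse_session(block)
        print(label, session["peer"], session["ike_cipher"], "group", session["dh_group"])
        for finding in policy_findings(session, expected_remote="192.168.16.0/24" if label == "abot" else None):
            print("  -", finding)
```

Paste the Details text of a live session into the same parser to compare a deployed site with its planning sheet; the remote-subnet check is the one that catches a BO whose C251 was restored from the wrong office's rom-0.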
3.7.15 Event Log on C1100
04/19/2004 04:09:24 0 Security [11] Session: IPSEC[office6-972-123-6666] attempting login
04/19/2004 04:09:24 0 Security [01] Session: IPSEC[office6-972-123-6666] has no active sessions
04/19/2004 04:09:24 0 Security [01] Session: IPSEC[office6-972-123-6666] office6-972-123-6666 has no active accounts
04/19/2004 04:09:24 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from office6-972-123-6666 (4.14.165.142)
04/19/2004 04:09:25 0 ISAKMP [02] Initial Contact Payload Received
04/19/2004 04:09:25 0 ISAKMP [02] Group settings set to ignore Initial Contact Payload.
04/19/2004 04:09:25 0 Security [01] Session: IPSEC[office6-972-123-6666]:5 SHARED-SECRET authenticate attempt...
04/19/2004 04:09:25 0 Security [01] Session: IPSEC[office6-972-123-6666]:5 attempting authentication using LOCAL
04/19/2004 04:09:25 0 Security [11] Session: IPSEC[office6-972-123-6666]:5 authenticated using LOCAL
04/19/2004 04:09:25 0 Security [11] Session: IPSEC[office6-972-123-6666]:5 bound to group /Base/c251abot/office6-972-123-6666
04/19/2004 04:09:25 0 Security [01] Session: IPSEC[office6-972-123-6666]:5 Building group filter permit all
04/19/2004 04:09:25 0 Security [01] Session: IPSEC[office6-972-123-6666]:5 Applying group filter permit all
04/19/2004 04:09:25 0 Security [11] Session: IPSEC[office6-972-123-6666]:5 authorized
04/19/2004 04:09:25 0 Branch Office [01] Setting up branch office gateway [4.14.165.142] uid:[office6-972-123-6666]
04/19/2004 04:09:26 0 Branch Office [01] InstallBOSession: IPSEC[4.14.165.142] routing [STATIC]
04/19/2004 04:09:26 0 RTM [10] netWrite RTM_RouteDef: N 192.168.16.0 M 255.255.255.0 NumNH 1 NH 4.14.165.142 CM 0x7350b18
04/19/2004 04:09:26 0 RTM [00] writeNewEntry: adding new: 192.168.16.0 to 192.168.16.255
04/19/2004 04:09:26 0 RTM [00] NextHop:newEntry NextHop: 4.14.165.142 NHI 24.1.61.69 C 66 CM 0x7350b18 PR (67d52dc) 24.1.61.69
04/19/2004 04:09:26 0 Branch Office [01] 7352c08 BranchOfficeCtxtCls::InstallRoute: Route installed for rem[192.168.16.0-255.255.255.0]@4.14.165.142
04/19/2004 04:09:26 0 McRelay [00] Received circuit up for circuit num = 66. local 192.168.16.0
04/19/2004 04:09:26 0 McRelay [00] MC circuit enabled. circuit num = 66, ifp 184cb94
04/19/2004 04:09:26 0 RTM [00] Best::nextRoute fini for 0x40
04/19/2004 04:09:26 0 ISAKMP [02] ISAKMP SA established with office6-972-123-6666 (4.14.165.142)
04/19/2004 04:09:26 0 BaseCmsClient [00] RipCmsClient::New() : handling new circuit event for circuit 66 [0x4cc62a0].
04/19/2004 04:09:26 0 RTM [00] Best::nextRoute fini for 0x1
04/19/2004 04:09:26 0 DHCP Relay Table [00] Circuit config node for interface 192.168.16.0 inserted
04/19/2004 04:09:29 0 Security [11] Session: network IPSEC[192.168.16.0-255.255.255.0] attempting login
04/19/2004 04:09:29 0 Security [11] Session: network IPSEC[192.168.16.0-255.255.255.0] logged in from gateway [4.14.165.142]
04/19/2004 04:09:29 0 Security [12] Session: IPSEC[office6-972-123-6666]:5 physical addresses: remote 4.14.165.142 local 24.1.61.69
04/19/2004 04:09:29 0 Security [12] Session: IPSEC[-]:8 physical addresses: remote 4.14.165.142 local 24.1.61.69
04/19/2004 04:09:30 0 Outbound ESP from 24.1.61.69 to 4.14.165.142 SPI 0x8db22d20 [03] ESP encap session SPI 0x202db28d bound to cpu 0
04/19/2004 04:09:30 0 Inbound ESP from 4.14.165.142 to 24.1.61.69 SPI 0x0016d8b9 [03] ESP decap session SPI 0xb9d81600 bound to cpu 0
04/19/2004 04:09:30 0 Branch Office [00] 7352c08 BranchOfficeCtxtCls::RegisterTunnel: rem[192.168.16.0-255.255.255.0]@[4.14.165.142] loc[192.168.3.0-255.255.255.0] overwriting tunnel context [0] with [6eaa1b0]
04/19/2004 04:09:30 0 ISAKMP [03] Established IPsec SAs with office6-972-123-6666 (4.14.165.142):
04/19/2004 04:09:30 0 ISAKMP [03] ESP 56-bit DES-CBC-HMAC-MD5 outbound SPI 0x8db22d20
04/19/2004 04:09:30 0 ISAKMP [03] ESP 56-bit DES-CBC-HMAC-MD5 inbound SPI 0x16d8b9
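The C1100 event logs in 3.7.7.4 and 3.7.15 record, for each peer, the decisions that matter operationally: which authentication method succeeded, which group the connection was bound to (a BO that lands in the hard-client group "c251client" instead of "c251abot" has the wrong credentials), which route the gateway installed for the remote LAN, and which ESP SAs came up. The script below is an added example, not part of the original guide or of Nortel's tooling: it rebuilds that per-peer picture from a constructed, abridged copy of the 3.7.15 log and audits it against the planning data. The finding about aggressive mode is a general IKEv1 property (the pre-shared-key identity hash is sent before encryption starts, so the key's strength is what protects it from offline guessing) and is raised as a reminder, not as a fault in the log. Plan keys and field names are the example's own assumptions.

```python
import ipaddress
import re

# Constructed, abridged copy of the C1100 event log shown in 3.7.15 (the ABOT login of office6).
GATEWAY_LOG = """\
04/19/2004 04:09:24 0 Security [11] Session: IPSEC[office6-972-123-6666] attempting login
04/19/2004 04:09:24 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from office6-972-123-6666 (4.14.165.142)
04/19/2004 04:09:25 0 Security [01] Session: IPSEC[office6-972-123-6666]:5 SHARED-SECRET authenticate attempt...
04/19/2004 04:09:25 0 Security [11] Session: IPSEC[office6-972-123-6666]:5 authenticated using LOCAL
04/19/2004 04:09:25 0 Security [11] Session: IPSEC[office6-972-123-6666]:5 bound to group /Base/c251abot/office6-972-123-6666
04/19/2004 04:09:25 0 Security [11] Session: IPSEC[office6-972-123-6666]:5 authorized
04/19/2004 04:09:26 0 RTM [10] netWrite RTM_RouteDef: N 192.168.16.0 M 255.255.255.0 NumNH 1 NH 4.14.165.142 CM 0x7350b18
04/19/2004 04:09:26 0 ISAKMP [02] ISAKMP SA established with office6-972-123-6666 (4.14.165.142)
04/19/2004 04:09:30 0 ISAKMP [03] Established IPsec SAs with office6-972-123-6666 (4.14.165.142):
04/19/2004 04:09:30 0 ISAKMP [03] ESP 56-bit DES-CBC-HMAC-MD5 outbound SPI 0x8db22d20
04/19/2004 04:09:30 0 ISAKMP [03] ESP 56-bit DES-CBC-HMAC-MD5 inbound SPI 0x16d8b9
"""

LINE_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d \d+ (.+?) \[\d\d\] (.*)$")
SESSION_RE = re.compile(r"Session: IPSEC\[([^\]]+)\](?::\d+)? (.*)")
PEER_RE = re.compile(r"(?:proposal accepted from|IPsec SAs with) (\S+) \(([\d.]+)\)")
ROUTE_RE = re.compile(r"RTM_RouteDef: N ([\d.]+) M ([\d.]+) NumNH \d+ NH ([\d.]+)")
ESP_RE = re.compile(r"ESP (.+?) (outbound|inbound) SPI (0x[0-9a-fA-F]+)")


def summarize(log_text):
    """Rebuild, per peer, what the gateway decided: auth method, group, routes and ESP SAs."""
    peers, by_ip, current = {}, {}, None

    def peer(name):
        return peers.setdefault(name, {"ip": None, "auth": None, "group": None, "authorized": False,
                                       "aggressive": False, "routes": [], "esp": []})

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(2)
        s = SESSION_RE.match(msg)
        if s:
            p, rest = peer(s.group(1)), s.group(2)
            if rest.startswith("authenticated using "):
                p["auth"] = rest.split()[-1]
            elif rest.startswith("bound to group "):
                p["group"] = rest.split("/")[2]          # /Base/<group>/<connection>
            elif rest == "authorized":
                p["authorized"] = True
            continue
        pm = PEER_RE.search(msg)
        if pm:
            current = peer(pm.group(1))
            current["ip"] = pm.group(2)
            by_ip[pm.group(2)] = current
            if "Aggressive Mode" in msg:
                current["aggressive"] = True
            continue
        rm = ROUTE_RE.search(msg)
        if rm and rm.group(3) in by_ip:                   # attribute the route by its next hop
            by_ip[rm.group(3)]["routes"].append(str(ipaddress.ip_network(f"{rm.group(1)}/{rm.group(2)}")))
            continue
        em = ESP_RE.search(msg)
        if em and current is not None:
            current["esp"].append({"direction": em.group(2), "cipher": em.group(1), "spi": int(em.group(3), 16)})
    return peers


def audit(peers, plan):
    """plan maps initiator ID -> {"group": expected BO group, "lan": planned remote LAN}."""
    findings = []
    for name, expect in plan.items():
        p = peers.get(name)
        if p is None:
            findings.append(f"{name}: no login attempt seen")
            continue
        if not p["authorized"]:
            findings.append(f"{name}: never authorized (auth method {p['auth']})")
        if p["group"] != expect["group"]:
            findings.append(f"{name}: bound to group {p['group']!r}, expected {expect['group']!r}")
        if expect["lan"] not in p["routes"]:
            findings.append(f"{name}: no route installed for {expect['lan']} (got {p['routes']})")
        if p["aggressive"]:
            findings.append(f"{name}: IKE aggressive mode with a pre-shared key; the identity hash is sent unencrypted, so use a long random key")
    for name in sorted(peers.keys() - plan.keys()):
        findings.append(f"{name}: peer is not in the plan")
    return findings


if __name__ == "__main__":
    plan = {"office6-972-123-6666": {"group": "c251abot", "lan": "192.168.16.0/24"}}
    for finding in audit(summarize(GATEWAY_LOG), plan):
        print(finding)
```

A peer that reaches "SHARED-SECRET authenticate attempt" but never "authorized" is a wrong pre-shared key or initiator ID at the BO; a peer that is authorized but has no route is a local/remote network mismatch in the Branch Office connection (3.6.3, step 2).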
3.7.16 Ping BO-6 LAN from C1100 LAN
C:\Documents and Settings\Administrator>ping 192.168.16.3
Pinging 192.168.16.3 with 32 bytes of data:
Reply from 192.168.16.3: bytes=32 time=30ms TTL=126
Reply from 192.168.16.3: bytes=32 time=20ms TTL=126
Reply from 192.168.16.3: bytes=32 time=20ms TTL=126
Reply from 192.168.16.3: bytes=32 time=20ms TTL=126
Ping statistics for 192.168.16.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 30ms, Average = 22ms
C:\Documents and Settings\Administrator>ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.3.9
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
C:\Documents and Settings\Administrator>
3.8 Save Configuration File and Rename It
Once lab verification passes, save the configuration file to the local disk. The saved file is named office6-972-123-6666rom-0.
To back up a configuration file, you can use either FTP or the GUI. Below is the GUI window for saving the current configuration file to your computer:
Maintenance -> Configuration -> Backup
3.9 Repeat the Procedure for the Rest of the BOs
Use the same procedure to build the rest of the C251 configuration files. There is one exception: if a BO uses a VPI & VCI other than 0/35, you have to change them to the correct values before saving the configuration file.
3.10 Prepare Configuration Files for BOs Using a Different VPI/VCI
Since ABC CO and Office-6 have the same VPI & VCI (0/35) and the rest of the branch offices have VPI & VCI 8/35, one more step must be taken before saving the configuration file.
3.10.1 Change V PI & VCI Number Before Saving
Change the VPI/VCI to 8/35 before saving.
Save the configuration files and rename them as:
office2-214-123-2222rom-0
office3-972-123-3333rom-0
office4-813-123-4444rom-0
office5-972-123-5555rom-0
3.10.2 How to Change the VPI & VCI Number
Main -> Advanced Setup -> WAN -> WAN Setup. Change the VPI and VCI to match the service data for that BO, and leave the remaining fields unchanged. Click the "Apply" button to save the change.
3.11 Start Deployment
What information do you need to provide to your non-technical BO customer for setting up the Client tunnel?
- how to change the VPI/VCI if their ISP uses numbers other than 8/35
- how to set up the Client tunnel and how to start it
- the service data
3.11.1 BO Office-6 Deployment: Set Up User Client
The BO Office-6 end user receives the C251 and the technical documents, including the "C251 Quick Start User Guide", instructions for changing the VPI/VCI using Wizard Setup (in the Quick Start), and instructions for setting up the Client tunnel. The Client tunnel is set up using the Office-6 service data shown in the following window. Then click "Connect" to start the connection. Note: the end user does not need to change the LAN IP address.
3.11.2 Download the Configuration File to BO Office-6
When the connection is up, the technician in the CO downloads the prepared configuration file to Office-6 using FTP.
The configuration file is stored at C:\office6-972-123-6666rom-0. During FTP, turn on binary mode, and use rom-0 as the remote file name.
The C251 automatically reboots with the configuration from office6-972-123-6666rom-0. After rebooting, Office-6 has a new management IP address, a new DHCP server, two tunnels built, and an active ABOT. Test the connectivity by initiating a ping from the BO. The FTP procedure is as follows:
C:\>ftp 172.16.55.10
Connected to 172.16.55.10.
220 FTP version 1.0 ready at Sat Jan 1 00:14:20 2000
User (172.16.55.10:(none)): admin
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> put office6-972-123-6666rom-0 rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
ftp: 106496 bytes sent in 16.60Seconds 6.42Kbytes/sec.
ftp> quit
251 Goodbye for writing flash
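When the same push has to be repeated for every branch office, the manual session above is worth scripting so that the two details that matter (binary mode, and the remote name being exactly rom-0) cannot be forgotten, and so that a file is never written to the wrong box. The script below is an added example, not part of the original guide: it replays the transcript with Python's ftplib, refuses to flash an empty file, checks for the "226" completion reply, tolerates the control connection dropping when the C251 reboots, and only accepts a target address from the hard-client pool of section 3.2, because that is the only address a freshly connected, still-default C251 can have. The pool check, the file naming helper and the injectable connection factory are the example's own design; the FTP credentials are the C251 admin account, which the guide leaves at its factory default "setup" and which should be changed in the pre-built configuration before it is pushed.

```python
import ftplib
import io
import ipaddress

# Addresses the C1100 hands to C251 hard clients (section 3.2); a push should only ever go there.
CLIENT_POOL = list(ipaddress.summarize_address_range(ipaddress.ip_address("172.16.55.1"),
                                                     ipaddress.ip_address("172.16.55.10")))


def config_filename(initiator_id):
    """Naming convention from section 3.8: <initiator ID>rom-0."""
    return f"{initiator_id}rom-0"


def in_client_pool(host):
    """True if host is one of the pool addresses a connected C251 hard client can hold."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in CLIENT_POOL)


def push_config(ftp, config_bytes, remote_name="rom-0"):
    """Replay the manual FTP session: binary mode, STOR as rom-0, then quit.
    `ftp` is a connected, logged-in ftplib.FTP (or any object with the same methods)."""
    if not config_bytes:
        raise ValueError("refusing to write an empty configuration to flash")
    # storbinary() sends TYPE I itself (the "bin" step of the transcript) before the STOR.
    reply = ftp.storbinary(f"STOR {remote_name}", io.BytesIO(config_bytes))
    if not reply.startswith("226"):
        raise RuntimeError(f"upload not confirmed: {reply}")
    try:
        ftp.quit()        # the C251 answers "251 Goodbye for writing flash" and reboots
    except ftplib.all_errors:
        pass              # the reboot may drop the control connection first
    return reply


def deploy(host, password, initiator_id, config_dir=".", user="admin", connect=ftplib.FTP):
    """Open the session the technician would, then push <config_dir>/<initiator_id>rom-0."""
    if not in_client_pool(host):
        raise ValueError(f"{host} is not a hard-client pool address; wrong tunnel or wrong device")
    with open(f"{config_dir}/{config_filename(initiator_id)}", "rb") as fh:
        config_bytes = fh.read()
    ftp = connect()
    ftp.connect(host, 21, 30)
    ftp.login(user, password)
    return push_config(ftp, config_bytes)


if __name__ == "__main__":
    # Usage against a live site, from the CO host behind the C1100:
    #   deploy("172.16.55.10", "<admin password>", "office6-972-123-6666", config_dir="C:\\")
    print(config_filename("office6-972-123-6666"), in_client_pool("172.16.55.10"))
```

Confirm with a ping from the BO (3.7.10) after the reboot; the pool address used for the push is gone once the C251 comes back with the ABOT active, so the next management session goes to the BO management address over the ABOT instead.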
3.11.3 Repeat the Procedure for the Rest of the BOs
Use the same procedure to deploy the rest of the BOs.
4. Reference Documentation
The following Technical Publications can be found at http://www.nortelnetworks.com
Document Title | Publication Number | Description
Contivity 221 ABOT Technical Configuration Guide for Deployments using Web GUI | Engineering | Technical Publication
Contivity 251 VPN Switch User's Guide | 317516 | Technical Publication
Contivity 251 Annex A ADSL VPN Switch Release Notes | 317519 | Release Notes
Contivity 251 VPN Switch Quick Start Guide | 317515 | Technical Publication
5. Appendix A: Terminology
ABOT: Asymmetric Branch Office Tunnel
ADSL: Asymmetric Digital Subscriber Line
ATM: Asynchronous Transfer Mode
BO: Branch Office
BOQS: Branch Office Quick Start
BOT: Branch Office Tunnel
C1100: Contivity 1100
C221: Contivity 221
C251: Contivity 251
Client Emulation: C200 hardware client simulating VPN client software
CO: Central Office
Contivity Legacy Gateway: Legacy Contivity devices (excluding 100, 200, 400)
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name System
DSL: Digital Subscriber Line
DSLAM: Digital Subscriber Line Access Multiplexer
ISDN: Integrated Synchronous Digital System
ISP: Internet Service Provider
NOC: Network Operation Center
NTP: Nortel Technical Publication
POTS: Plain Old Telephone System
Private Interface: Intranet connection to a LAN
Public Interface: Internet connection to the outside world
SOHO: Small Office or Home Office
VCI: Virtual Channel Identifier
VPI: Virtual Path Identifier
Contact Us:
For product support and sales information, visit the Nortel Networks website at:
http://www.nortelnetworks.com
In North America, dial toll-free 1-800-4Nortel; outside North America, dial 987-288-3700.
Copyright © 2004 Nortel Networks
All rights reserved. January 2004. The information in this document is subject to change without notice. The statements,
configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take
full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license.
Trademarks
Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and Contivity are trademarks of Nortel Networks.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.