All rights reserved. January 2004
The information in this document is subject to change without notice. The statements,
configurations, technical data, and recommendations in this document are believed to be
accurate and reliable, but are presented without express or implied warranty. Users must take
full responsibility for their applications of any products specified in this document. The
information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be
used only in accordance with the terms of that license.
Trademarks
Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and Contivity are
trademarks of Nortel Networks.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
All other product names, company names, marks, logos, and symbols are trademarks of their
respective owners.
Conti vity 251 ABOT D eployment Version 1.0 April 26, 2004
Figure 4: ABC VPN Topology
Figure 5: ABC Company CO LAB
Figure 6: Configure C1100 from Factory Default
1. Introduction
This document proposes a method for using the Web GUI to effectively and economically deploy
large quantities of Asymmetric Branch Office Tunnels (ABOT) between Contivity 251 (C251)
switches located in various branch offices and a Contivity gateway in a Central Office (CO). See
Figure 1 for the topology.
The method takes advantage of the unique “Client Emulation” feature of the C200 series, which
allows non-technical end users to create IPSec VPN user tunnels between the C251 and the Contivity
gateway in the CO. Technical personnel in the CO then use those user tunnels to gain control of the
remote C251 and download prepared configuration files, which completes the more complex
ABOT configuration.
For simplicity, the terms “Contivity” and “Contivity Secure IP Services Gateway” are used
interchangeably in this document.
1.2 C200-Contivity Gateway ABOT Topology
[Figure 1 (diagram): a CO with a NOC and Contivity Gateway connected over the Internet to C251 units at remote offices and a home office, and C221 units at SOHO sites.]
Figure 1: C200 series ABOT Deployment Scenario
1.2 Target Audiences
The target audiences are network designers, network deployment engineers, installation
engineers, sales engineers for Enterprises or Carriers, network planners, and those who are
interested in using the Web GUI to configure or deploy ABOT for Contivity 200 series units.
1.3 Contivity 251 brief
Contivity 251 (C251) is the ideal VPN over high-speed Internet access solution for SOHO and
small branch offices. It is capable of terminating IPSec at a CO Contivity and is ideal for provider
provisioned networks or large enterprise deployments.
C251 supports up to five VPN Branch Office Tunnel (BOT) connections simultaneously, and
integrates four high-speed 10/100Mbps LAN ports and one high-speed ADSL port into a single
package. The ADSL port supports downstream transmission rates up to 8Mbps and upstream
transmission rates up to 832Kbps.
C251 supports two types of VPN connection: Branch Office Tunnel (BOT) and Contivity Client
tunnel. The BOT supports full VPN rules, while Contivity Client supports a simple VPN rule.
C251 VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN
products.
For a full feature description, refer to the NTP “Contivity 251 VPN Switch User’s Guide” on the Nortel
Customer Support Web site.
Figure 2: C251 Front View
Figure 3: C251 Rear View
1.4 Why ABOT?
C251 supports both Asymmetric Branch Office Tunnel (ABOT) and Peer-to-Peer BOT. Peer-to-Peer
BOT uses main mode for the IKE phase 1 exchange, and main mode can only be used if both
VPN switches have fixed public IP addresses. Since the C251’s public interface IP address is
normally dynamically assigned by the ISP DHCP server, Peer-to-Peer branch tunnels are not
applicable.
ABOT is suitable for a BOT with a fixed IP address on one end and a dynamically assigned IP
address on the other end. To make an ABOT connection work, the end with the dynamic IP address
must be configured as the initiator and the end with the fixed IP address as the responder. In our
case, the C251 must be configured in “Aggressive” mode to behave as the “initiator”, and the
Contivity Gateway in the CO must be configured as the “responder”. In an ABOT tunnel, only the
initiator (C251) can bring up the tunnel.
1.5 C200 Client Emulation
The Contivity 200 series has a unique feature called “Client Emulation”. Since this feature
allows a C200 to act as a user to establish a VPN tunnel to a remote Contivity Gateway, it is also
called “Hard Client”. Hard Client uses the IPSec protocol and supports a simple VPN rule. It
provides easy configuration, and can be set up by non-technical end users. CO technical
personnel can then use the client tunnel connection to gain remote control and perform further
configuration on the C200, e.g. ABOT, firewall, NAT, etc.
By default, Client Emulation is configured as a “Manual Tunnel” and requires user intervention
to “Connect” the tunnel. As of release V2.1, Client Emulation supports “on demand” tunneling as
well. In “on demand” mode, the client tunnel is automatically created whenever traffic demands a
tunnel connection, and no user intervention is required. Both modes are initiated only on the
C200 side.
To enable “On-Demand” mode, go to the VPN menu, select a client rule, then select “Advance” to
open the advanced settings window, and check “On Demand Client Tunnel”.
C200 allows only one active Contivity Client at a time. That is, when the Client tunnel is activated, all
other VPN connections must be deactivated.
In the “Client Emulation” configuration, there is a many-to-one NAT filter from the C200 private
LAN to the remote private LAN behind the CO Contivity gateway. Many-to-One mode maps multiple
private IP addresses on the C200 LAN to the single IP address assigned by the CO Contivity gateway.
This is equivalent to the C251’s Single User Account (SUA) feature. Therefore, traffic sent from the
Contivity Gateway private network to the C200 private network does not make it further than the
C200’s assigned address.
In the Client Emulation configuration, the CO site is able to manage the C200 but is not able to manage
the C200’s private LAN, since inbound traffic through M:1 NAT cannot establish connections without port
forwarding enabled. For full VPN capabilities, users should set up Branch Office Tunnels, either
ABOT or static BOT.
1.6 ADSL brief
ADSL (Asymmetric Digital Subscriber Line) is a proven technology that takes advantage of
standard copper loop telephone lines to provide high-speed, “always on” Internet access. ADSL
has a higher downstream capacity than upstream capacity. E.g. Contivity 251 ADSL supports
downstream rates up to 8Mbps and upstream rates up to 832Kbps.
ADSL uses signal frequencies above those used by voice or fax, so the data signal does not
interfere with the telephone signal.
At the SOHO site, data traffic and voice traffic are separated by splitters. At the CO site, they are
separated by a Digital Subscriber Line Access Multiplexer (DSLAM) switch. Voice traffic is then
sent to the PSTN, while data traffic is sent to the ATM backbone connecting to the ISP and the Internet.
The diagram below illustrates the key elements of ADSL.
[Figure 4 (diagram): SOHO PC, phone and fax behind a splitter and a Contivity 251 or ADSL modem; phone wire (8M downstream / 0.8M upstream) to the CO splitter and DSLAM; voice to the PSTN, data over ATM or FR to the ISP and the Internet.]
Figure 4: ADSL Major Components
2. Deployment Method
ABOT supports the full set of VPN features, but configuring ABOT requires technical experience and
resources. The proposed deployment method uses the Client Emulation feature as a first stepping stone
to establish a VPN connection between a C251 in a branch office and a gateway in the CO. ABOT
configuration files are prepared in the CO by technicians and then downloaded to the C251 in the remote
branch office over the Client Emulation VPN connection.
Configuring “Client Emulation” is simple and can be done by non-technical personnel without
requiring on-site technical support. Therefore, C200 series units can be shipped directly from the
manufacturer to end users with the factory default configuration, without requiring special staging
services.
This deployment method is covered in the following steps:
• Planning your VPN network
• Selecting Contivity hardware
• Obtaining network data from the ISP
• Preparing C251 ABOT configuration files (rom-0) for all sites
• Providing remote end users with simple instructions to set up and start the C251 Client tunnel
• Downloading the prepared configuration file from the CO to the remote C251 over the client tunnel. The
C251 will auto-reboot to activate the ABOT configuration.
• Testing the ABOT tunnel using PING
This method assumes that CO technical staff have taken training classes on Nortel
Contivity products.
2.1 Planning your VPN Network
Before deployment, the VPN network should be planned first. Network planning includes various
tasks such as determining the network topology, network size, branch office locations, CO location,
Contivity VPN device models, bandwidth requirements, encryption type, NAT, etc.
The following questions should be answered when planning the deployment of ABOT connections:
• How many remote branch office (BO) sites are planned?
• What type of Internet access service is available in each remote BO?
• What type of Contivity Gateway in the CO is required to support the current VPN
requirements, e.g. number of tunnels, bandwidth, interfaces, etc.?
• Have you considered future growth (will more BOs join in the near future)?
• What types of C200 are selected, C251 or C221? (Consider the types of service available
in a BO area, e.g. ADSL, cable modem, satellite Internet access.)
• What IP address scheme will be used for your VPN?
• What “initiator ID” scheme will be used for your VPN?
• Draw a network topology prior to the deployment.
2.2 Select Contivity Switches
2.2.1 Select Contivity Secure IP Services Gateway
The following Contivity products can be used as Gateways in the CO.
• Contivity 1000 series (1010, 1050, 1100): Up to 30 VPN tunnels
• Contivity 600: Up to 50 VPN tunnels
• Contivity 1700 series (1700 and 1740): Up to 500 VPN tunnels
• Contivity 2700: Up to 2000 VPN tunnels
• Contivity 5000: Up to 5000 VPN tunnels
If a Contivity 200 series unit is planned to be used in the CO, this method is not applicable, since the C200
Hard Client cannot connect to a C200 gateway. In that case, manual configuration is required.
2.2.2 Select C251 model
Refer to the following information to select suitable C251 models for locations where ADSL
services are available.
CA251: Annex A
• ADSL over analog phone service
• Tones 6~31 (25~138 KHz)
• Multi-mode, G.DMT, ANSI T1.413, G.Lite
• Used throughout North, South and Central America, Asia and portions of
Europe.
CB251: Annex B
• ADSL over ISDN
• Tones 29~63 (125~270 KHz)
• Multi-mode, G.DMT, ETSI
• Used mostly in Europe
CU251: U-R2
• ADSL over ISDN
• Tones 29~63 (125~270 KHz)
• Multi-mode, G.DMT, ETSI
• Used in Germany with Deutsche Telekom
2.2.3 In areas where ADSL service is not available
In areas where ADSL service is not available, consider using the C221 over a satellite-based
Internet service or over a broadband high-speed Internet access service. E.g. DIRECWAY provides
satellite-based Internet service anywhere in the continental U.S.
2.3 Gathering Information from ISP
2.3.1 VPI & VCI
The Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) for the ISP ATM backbone are the
most important information to enter to get a C251 ADSL connection working. Each ADSL service provider
uses its own pair of these two numbers.
Below is a list of ADSL service providers and their corresponding VPI/VCI numbers for
configuring ADSL modems to work on their networks. Users should always contact their
service providers for updated information.
• DSL Extreme 0/35
• BellSouth 8/35
• Earthlink 0/35
• Covad 0/35
• Ameritech 0/35
• WorldCom 0/35
• New Edge 0/38
• SouthWestern Bell 0/35
• Pac Bell 0/35
• Verizon 0/35
• Sprint 8/35
• US West/Qwest 0/32
2.3.2 Static IP address for Contivity Gateway in CO
A static IP is a fixed IP that your ISP guarantees you. A dynamic IP is not fixed, and it is
dynamically assigned by your ISP each time you log in.
A fixed IP address should be purchased from your ISP for the Contivity Gateway public interface.
Since this public interface IP address will be configured in every C200, a dynamically assigned IP
address is not suitable.
2.4 Define a Scheme for Pre-shared keys
A pre-shared key identifies a communicating party during the phase 1 IKE negotiation. Both ABOT
connections and Client tunnel connections require pre-shared keys. Plan your “key” scheme, and
generate keys for each branch office.
2.5 Define a Scheme for ABOT Initiator ID
With aggressive negotiation mode, the C251 uses an “Initiator ID” to establish the ABOT to the remote
gateway. The “Initiator ID” on the C251 is configured in the “content” field as a DNS domain name
or E-mail address. The DNS domain name or E-mail address in the “Local ID Type” field is used
only for identification purposes and does not need to be a real domain name or e-mail address.
If you select “IP” as your “Local ID Type”, you must create an Initiator ID that conforms to the rigid
IP address format in order to be accepted by the C251. The IP address is used only as an ID and does not
need to be a real address.
Since the C251 allows its DNS domain name or E-mail address ID to have up to 31 characters, it
gives network designers the flexibility to compose various identifications. When using special
characters, make sure they are accepted by both the CO and the BO. This ID will be recorded in the event
log by the CO gateway during communication, so it is important to plan a scheme and make the
ID meaningful for future troubleshooting, logging, and accounting.
Each C251 must have a unique ID. A duplicate ID will be rejected by the gateway and the connection refused.
2.6 Define a Scheme for BO IP addresses
Determine the private IP network addresses for the LAN on each site. Private IP addresses can
be selected from:
• 10.x.x.x
• 172.16.x.x - 172.31.x.x
• 192.168.x.x
Ensure each BO LAN is assigned a unique IP network address to simplify the configuration task.
Reserve 192.168.1.0/24 for use only by the C221 factory-default configuration, to avoid potential
address conflicts.
The private LAN behind the CO gateway should not use the reserved 192.168.1.0/24 either.
Define the subnet size for each site. A /24 subnet (8 host bits, mask 255.255.255.0) is commonly used;
it is easy to configure and allows up to 254 hosts.
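As an added worked example (not part of the Nortel document or its tooling), the following Python script checks a site plan against the scheme rules of sections 2.4 to 2.6: one randomly generated pre-shared key per branch office, unique initiator IDs in DNS, e-mail or IP form within the 31-character limit, and unique RFC 1918 LAN subnets that avoid the reserved 192.168.1.0/24. The site names, initiator IDs, subnets and the CO LAN are constructed sample values.

```python
"""Added example (not Nortel's tooling): check an ABOT site plan against the
scheme rules of sections 2.4 to 2.6. Site data below is constructed."""
import ipaddress
import re
import secrets

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Reserved for the C221/C251 factory-default LAN; no site or the CO may use it.
FACTORY_DEFAULT_LAN = ipaddress.ip_network("192.168.1.0/24")
MAX_ID_LEN = 31  # C251 limit for DNS-name or e-mail style initiator IDs

DNS_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")
EMAIL_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def classify_initiator_id(iid):
    """Return 'IP', 'EMAIL', 'DNS' or None. The ID only identifies the C251
    during IKE aggressive mode; it need not resolve or exist."""
    try:
        ipaddress.ip_address(iid)
        return "IP"
    except ValueError:
        pass
    if EMAIL_RE.match(iid):
        return "EMAIL"
    if DNS_RE.match(iid):
        return "DNS"
    return None


def generate_psk(nbytes=16):
    """Random hex pre-shared key; generated per branch office, never reused."""
    return secrets.token_hex(nbytes)


def check_plan(sites, co_lan):
    """sites: list of (name, initiator_id, lan_cidr). Returns a list of
    problems; an empty list means the plan follows the scheme rules."""
    problems = []
    seen_ids = set()
    for name, iid, _ in sites:
        kind = classify_initiator_id(iid)
        if kind is None:
            problems.append(f"{name}: ID {iid!r} is not DNS, e-mail or IP form")
        elif kind != "IP" and len(iid) > MAX_ID_LEN:
            problems.append(f"{name}: ID {iid!r} exceeds {MAX_ID_LEN} characters")
        if iid in seen_ids:  # duplicates are rejected by the CO gateway
            problems.append(f"{name}: duplicate initiator ID {iid!r}")
        seen_ids.add(iid)
    lans = [(n, ipaddress.ip_network(cidr)) for n, _, cidr in sites]
    lans.append(("CO", ipaddress.ip_network(co_lan)))
    for i, (name, lan) in enumerate(lans):
        if not any(lan.subnet_of(p) for p in PRIVATE_RANGES):
            problems.append(f"{name}: {lan} is not an RFC 1918 private range")
        if lan.overlaps(FACTORY_DEFAULT_LAN):
            problems.append(f"{name}: {lan} overlaps factory default LAN")
        for other_name, other in lans[:i]:
            if lan.overlaps(other):
                problems.append(f"{name}: {lan} overlaps {other_name} {other}")
    return problems


def build_plan(sites, co_lan):
    """Return {site: {initiator_id, lan, psk}} or raise if the plan is flawed."""
    problems = check_plan(sites, co_lan)
    if problems:
        raise ValueError("; ".join(problems))
    return {name: {"initiator_id": iid, "lan": lan, "psk": generate_psk()}
            for name, iid, lan in sites}


# Constructed sample plan in the style of the ABC example in section 3.
SAMPLE_SITES = [
    ("C251_Office_2", "office2-214-123-2222", "192.168.12.0/24"),
    ("C251_Office_3", "office3-972-123-3333", "192.168.13.0/24"),
]
```

Calling `build_plan(SAMPLE_SITES, "192.168.100.0/24")` returns the per-site record (ID, LAN, fresh key) that a technician would transcribe into each prepared rom-0 configuration and into the matching branch office connection on the CO gateway.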
2.7 Minimum software requirement
To use this method, the minimum software requirement for the C251 is V2.1. If you are currently
running V2.0, upgrade it to V2.1.
2.8 Minimum LAB requirement
The minimum requirements for successful deployments are:
• The CO gateway is able to access the Internet and has a fixed IP assigned by the ISP
• PCs with Microsoft Windows and Internet Explorer
• The C251 is able to access the Internet via the ADSL connection
• CO technical personnel were trained and have knowledge of Nortel Contivity products
If your budget allows, you may want to build a controlled lab environment to simulate the ADSL ISP.
To do so, you may need to purchase a DSLAM switch and routers with ATM interfaces.
2.9 Configuring Contivity Gateway in CO
The minimum requirements for configuring the CO Contivity Gateway are:
• Upgrade the Contivity Gateway software to 4.80 or above
• Configure the private and public interfaces of the Contivity Gateway
• Configure at least one user group for the C251 Client connection
• Configure Branch Office groups: one connection per remote C251. Organize groups and
connections and name them to suit your organization’s needs.
• Configure IP address pools for C251 Hard Client address assignment
• Configure the Contivity for Internet access, and test the connection by surfing the Internet
2.10 Prepare C251 configuration files in CO Lab
1. Make sure that the C251 is reset to factory default.
2. Change the C251 VPI/VCI to the numbers provided by the ISP, and test the DSL connection.
3. Change the C251 LAN to the planned IP address and subnet.
4. Configure the C251 with:
One client tunnel (inactive).
One BO tunnel (active).
5. Test the configuration to ensure that both the ABOT and the Client tunnel can be
established.
6. Save the configuration file to the local computer disk with a unique file name. It is suggested that
the file name is bound to the BO location.
7. Repeat the above procedure for each C251 and remote site.
2.11 C251 Factory Defaults and minimum changes
The C251 is shipped with a default factory configuration, and the default parameters work with
the majority of ADSL ISP installations, but they may require minimal changes to work with
some ISPs.
With the default configuration, the C251’s DHCP server on its private interface is enabled and the
address range is 192.168.1.3 to 192.168.1.254/24. The C251 has a default management
interface address of 192.168.1.1/24 with a default password of “setup”. PCs connecting to the
C251 private interface will be assigned an IP address in the same subnet if they have dynamic
addressing configured.
The factory default configuration has the DHCP client enabled on the public interface. When
connecting to an ISP, a dynamic public IP address will be assigned by the ISP. This default
configuration allows end users to access the Internet in a plug-and-play fashion.
The C251 hard client is designed as a 3DES client, and uses 3DES/SHA to connect to the CO
Contivity user group. This is the most secure SA algorithm offered in this release.
The C251 has the following default WAN settings. The WAN default settings work with most
ADSL ISP providers. The VPI/VCI numbers may differ slightly between providers.
• Routing mode
• LLC multiplex
• ENET ENCAP encapsulation
• VPI/VCI as 8/35
Routing mode
Routing mode is the default setting, and should always be used for building a VPN network
regardless of who your ISP is. Selecting “bridge mode” may allow you to access the Internet, but will not
allow you to establish a VPN connection to the Contivity gateway.
ENET ENCAP Encapsulation
Be sure to use the encapsulation method compatible with your ISP.
The C251 supports various encapsulation methods, and the default mode of “ENET ENCAP” will
work with almost all ISP providers. The “ENET ENCAP” method is the MAC Encapsulated Routing
Link Protocol implemented with the IP network protocol. IP packets are routed between the
Ethernet interface and the WAN interface and then formatted so that they can be understood in a
bridged environment. For instance, it encapsulates routed Ethernet frames into bridged ATM
cells. ENET ENCAP requires that you specify a gateway IP address in the Ethernet
Encapsulation Gateway field.
LLC-based Multiplexing
LLC-based multiplexing is the default factory setting; it carries multiple protocols over one VC
and is used by most ISPs.
VPI and VCI
The default factory setting of VPI/VCI is 0/35. Be sure to use the correct Virtual Path Identifier
(VPI) and Virtual Channel Identifier (VCI) numbers assigned to you.
2.11.1 Reset to factory default
It is important to make sure that your C251 is in the factory default setting before starting
configuration, since the method is based on the assumption that your C251 is configured with
the factory default setting. If you are not sure, use one of the following ways to reset it.
2.11.2 Using the Reset Button
• Make sure the SYS LED is on (not blinking).
• Press the RESET button for about five seconds, and then release it. The SYS LED
begins to blink, and the unit then reboots. The factory default settings are restored when the
Contivity 251 boots up.
2.11.3 Uploading a Configuration File via Console Port
Download the default configuration file from http://www.nortelnetworks.com/index.html, unzip it
and save it in a folder.
• Turn off the Contivity 251, begin a terminal emulation software session and turn on the
Contivity 251 again. When you see the message "Press Any key to enter Debug Mode
within 3 seconds", press any key to enter debug mode.
• Enter "atlc" after the "Enter Debug Mode" message.
• Wait for the "Starting XMODEM upload" message before activating the Xmodem upload on your
terminal. This is an example Xmodem configuration upload using HyperTerminal.
• Click Transfer, then Send File to display the file transfer screen.
2.12 Provide End-Users with Instructions
Provide the remote end users with very simple instructions on how to establish the initial
connection, and distribute the instructions by FAX, phone, or mail.
The instructions for setting up the C251 Client should contain the following minimum information:
• ISP VPI/VCI numbers and how to configure them
• How to configure Client Emulation
• Username (configured in the gateway user group)
• Password (pre-shared key)
• CO gateway IP address
• Press the “Connect” button to start the Client connection
• How to use the PING command for the validation test
Add additional information for scheduling and contact numbers. The end users should have
the Contivity 251 Quick Start Guide shipped to them for reference.
2.13 Downloading Configuration Files from CO lab to remote C251
When the C251 hard client connection is established, CO technicians download the pre-built
configuration file to the remote C251 using the GUI “Maintenance->Restore” tool or
using the FTP command.
When the download is completed, the remote C251 will activate the new configuration file and
reboot automatically. After rebooting, a ping from the C251 to the Contivity gateway will bring up
the ABOT tunnel. Verify the connection with bi-directional pings.
Repeat the same procedure for each site.
3. Contivity C251 Deployment Example
Company ABC in NA has one small corporate central office and five remote branch offices. They
plan to build a VPN (ABC VPN) using ISP Internet services and Nortel Contivity Gateways. The
ABC VPN will allow the remote branch offices to access the private servers in the headquarters CO with
low maintenance cost and high security.
Note: the configurations documented in this example were successfully tested in a live network.
3.1 ABC VPN Deployment Tasks
• Network planning
• Network topology drawing
• Order equipment and services and obtain information from the ISP
[Figure 5 (diagram, partially recovered): branch offices connected over the Internet to the CO. One BO: IP addr 192.168.12.0/24, Initiator ID office2-214-123-2222. BO-3: Name C251_Office_3, KEY Contivity, IP addr 192.168.13.0/24, Initiator ID office3-972-123-3333.]
Figure 5: ABC VPN Topology
3.4 Order equipment and services
ABC purchased 6 Contivity 251 units and one Contivity 1100 Gateway from Nortel. The Contivity
units shipped directly to the remote locations with the default factory configuration.
ABC ordered ADSL Internet access for each branch office including the CO, and ordered broadband
high-speed Internet access for the CO Gateway.
Summary:
• order 6 x C251 Annex-A with V2.1 SW, one for each BO, and one for the CO
• order 1 x 1100 with V4.8 SW for the CO
• order ADSL services for each BO
• order ADSL services for the CO
• order broadband Internet service for the CO, and static IP 24.1.61.69/20
• obtain VPI/VCI numbers for each location. Office-6 and the CO have 0/35, and the rest have
8/35