Nortel C251 Configuration Manual

C200 series deployment using web gui
Contivity 251 ABOT Deployment
Version 1.0
April 26, 2004
Technical Configuration Guide
Contivity 251 ABOT
Deployment using Web GUI
Version 1.0

Summary of Contents for Nortel C251

  • Page 1 Contivity 251 ABOT Deployment Version 1.0 April 26, 2004 Technical Configuration Guide Contivity 251 ABOT Deployment using Web GUI Version 1.0...
  • Page 2 The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. Trademarks Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and Contivity are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
  • Page 3: Table Of Contents

    Changing VPI & VCI (27); 3.7.3 Changing LAN IP addresses and DHCP server IP (29); 3.7.4 Power OFF and Power On C251 (30); 3.7.5 Test ATM and Internet connection (31); 3.7.6 Configure VPN Client Tunnel ...
  • Page 4 APPENDIX A: TERMINOLOGY (54). List of Figures: Figure 1: C200 series ABOT Deployment Scenario (5); Figure 2: C251 Front View (6); Figure 3: C251 Rear View (6); Figure 4: ABC VPN Topology ...
  • Page 5: Introduction

    The method takes advantage of the unique “Client Emulation” feature of the C200 series to allow non-technical end users to create IPSec VPN user tunnels between the C251 and the Contivity gateway in the CO. Technical personnel in the CO then use these user tunnels to gain control of the remote C251 and download prepared configuration files to it, completing the complex ABOT configuration.
  • Page 6: Target Audiences

    Web GUI to configure or deploy ABOT for Contivity 200 series units. 1.3 Contivity 251 brief Contivity 251 (C251) is the ideal VPN over high-speed Internet access solution for SOHO and small branch offices. It is capable of terminating IPSec at the CO Contivity and is ideal for provider...
  • Page 7: Why Abot

    IP address configured as the responder. In our case, the C251 must be configured in “Aggressive” mode to behave as an “initiator”, and the Contivity Gateway in the CO must be configured as the “responder”. In an ABOT tunnel, only the Initiator (C251) can bring up the tunnel.
  • Page 8: Adsl Brief

    equivalent to 251's Single User Account feature (SUA). Therefore, traffic sent from the Contivity Gateway private network to the C200 private network does not make it further than the C200 assigned address.
  • Page 9: Deployment Method

    The proposed deployment method uses the Client Emulation feature as a stepping stone to establish a VPN connection between a C251 in a branch office and a gateway in the CO. ABOT configuration files are prepared in the CO by technicians, then downloaded to the C251 in the remote branch office over the Client Emulation VPN connection.
  • Page 10: Select C251 Model

    2.3.1 VPI & VCI The Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI) for ISP ATM backbone are the most important information to enter to get a C251 ADSL working. Each ADSL service provider uses a set of these two numbers.
  • Page 11: Static Ip Address For Contivity Gateway In Co

    If you select “IP” as your “Local ID Type”, you must create an Initiator ID that conforms to the rigid IP format in order to be accepted by the C251. The IP address is used only as an ID and need not be a real address.
  • Page 12: Define A Scheme For Bo Ip Addresses

    254 hosts. 2.7 Minimum software requirement To use this method, the minimum requirement of software for C251 is V2.1. If you are currently running V2.0, upgrade it to V2.1. 2.8 Minimum LAB requirement...
  • Page 13: C251 Factory Defaults And Minimum Changes

    Internet in a plug and play fashion. The C251 hard client is designed as a 3DES client, and uses 3DES/SHA to connect to the CO Contivity user group. This method is the most secure algorithm of SA offered in this release.
  • Page 14: Reset To Factory Default

    (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you. 2.11.1 Reset to factory default It is important to make sure that your C251 is in its factory default setting before starting configuration, since the method is based on the assumption that your C251 is configured with the factory default settings.
  • Page 15: Downloading Configuration Files From Co Lab To Remote C251

    When the download is completed, the remote C251 will activate the new configuration file and reboot automatically. After rebooting, a ping from the C251 to the Contivity gateway will bring up the ABOT tunnel. Verify the connection with pings in both directions.
  • Page 16: Contivity C251 Deployment Example

    Company ABC in NA has one small corporate central office and five remote branch offices. They plan to build a VPN (ABC VPN) using ISP Internet services and Nortel Contivity Gateways. The ABC VPN will allow remote branch offices to access the private servers in the headquarters CO with low maintenance cost and high security.
  • Page 17: Abc Vpn Topology

    Figure 5: ABC VPN Topology 3.4 Order equipment and services ABC purchased 6 Contivity 251 units and one Contivity 1100 Gateway from Nortel. The Contivity units shipped directly to the remote locations with default factory configurations. ABC ordered ADSL internet access for each branch office including CO, and ordered broadband high speed internet access for CO Gateway.
  • Page 18: Setup Co Lab

    The CO LAB will be set up as shown in the diagram below. The C1100 will serve as the ABC company gateway and as the staging equipment as well. The C251 will be configured to simulate Office-6 with VPI/VCI = 0/35, a private LAN of 192.168.16.0/24, and a management IP address of 192.168.16.1. The PC in CO is named “S3”, and the PC in BO Office-6 is named “S4”, and they both...
  • Page 19: Configure Contivity Gateway 1100

    3.6 Configure Contivity Gateway 1100 V04_80.124 C1100 gateway 192.168.3.1 priv-if 192.168.3.2 mgt DHCP server 192.168.3.0/24 ABOT responder Ip-pool: 172.16.55.1-10 192.168.3.9 Dynamic IP Figure 7: Configure C1100 from Factory Default 3.6.1 Configure IP address &...
  • Page 20: Configure User Group For C1100

    4: Configure public default gateway (must obtain gateway address from ISP) Default Public Route Menu 0) Gateway IP Address = 24.1.48.1 Cost = 10 A) Add New Gateway R) Return to the Main Menu 5: Configure DHCP server for private LAN as defined Return to main Menu, and select “L”...
  • Page 21 3: set IPSec connectivity with ip-pool “c251client”, and keep the rest as default...
  • Page 22 4: set IPSec parameter for interworking with C251 Client Emulation To interwork with the C251 client, keep IPSec parameters as factory default. The only change is to enable “triple DES with group 2”,...
  • Page 23: Configure Branch Office Group For C1100

    5: Add a user to group “c251client”, the password is “Contivity”, userID is “251” (the user group is for VPN connection by C251 hard clients) 3.6.3 Configure Branch Office Group for C1100 1: add Branch Office “c251abot” (for C251 ABOT connections) add connection “office6-972-123-6666”...
  • Page 24 2: Configure “Initiator ID”, pre-shared Key “Contivity”, local and remote network...
  • Page 25: Re Build Configuration File For Bo C251_O Ffice

    Build one ABOT tunnel, and test • Save the configuration file rom-0 to the PC disk and rename the file as “office6-972-123-6666rom-0”. Before configuration, make sure that the C251 is reset to Factory default. And the software is at least of VE251_2.1.0.0.007...
  • Page 26: Startup With "Wizard Setup

    C251 has default IP address of 192.168.1.1, the default DHCP IP range is 192.168.1.3-254/24, and the default Password is: "setup". Make sure the PC is configured with dynamic IP. Start IE on PC, and launch Web GUI of C251 using its default address of http://192.168.1.1...
  • Page 27: Changing Vpi & Vci

    ADSL ISP. In this case, both the CO office and Office_6 use VPI & VCI 0/35. The window below shows the default settings of the C251; change the VPI value to 0 and keep the remaining fields at their defaults.
  • Page 28 The screen below shows the changed VPI, click “next” to continue. Keep all fields in this window as default shown below. Click “next” to continue...
  • Page 29: Changing Lan Ip Addresses And Dhcp Server Ip

    3.7.3 Changing LAN IP addresses and DHCP server IP. Change default IP of LAN and DHCP from 192.168.1.0/24 to 192.168.16.0/24 for C251_Office_6. Click “change LAN configuration” to continue. Don’t click “Save Setting” button at this point.
  • Page 30: Power Off And Power On C251

    Fill in the IP address of LAN and DHCP for C251_Office_6. See the screenshot below. Click “Finish” 3.7.4 Power OFF and Power On C251 When you click the “Finish” button, the IP address and DHCP server on the C251 will be updated, and you will lose the connection between the PC and the C251 for a while.
  • Page 31: Test Atm And Internet Connection

    3.7.5 Test ATM and Internet connection At this stage, a PC on the C251 private LAN should be able to connect to the Internet. Test it by browsing to www.google.com. If you have trouble accessing the Internet, check the C251 front panel to make sure that the DSL LED is solid green.
  • Page 32: Configure Vpn Client Tunnel

    3.7.6 Configure VPN Client Tunnel Go to VPN -> Setup...
  • Page 33 Click No “1” to build a VPN Client In pull down menu, select “Contivity Client”...
  • Page 34 Fill in the information as shown, check “Active”, then click “Apply”. Note: the user name, password and gateway address should be found in your network planning sheet. When the VPN is configured, it is not active. To start the Client tunnel, click the “Connect” button.
  • Page 35: Check Vpn Client Tunnel Status

    3.7.7 Check VPN Client Tunnel status To check connection status, click “Back”, then select “Monitor” 3.7.7.1 Check C251 VPN Client tunnel status using VPN-SA Monitor For a successful connection, VPN-SA Monitor should show status fields similar to those below. An empty field indicates failure.
  • Page 36 3.7.7.2 Check C251 VPN Client tunnel status using System Log For a successful connection, the System Log should record connection events similar to those below. (By default, logging is off. You must set it up to receive logs.)
  • Page 37 3.7.7.3 Check VPN Client tunnel status on Gateway C1100 Go to Status Session, the user of 251 minnow is currently connected, and the assigned IP is 172.16.55.10 Click “Details” for more information about the connection ISAKMP security association established with 251 (4.14.165.142) Local address: 24.1.61.69 Local Udp Port:500...
  • Page 38 3.7.7.4 Gateway Event Log
    04/19/2004 03:39:26 0 Security [11] Session: IPSEC[251] attempting login
    04/19/2004 03:39:26 0 Security [01] Session: IPSEC[251] has no active sessions
    04/19/2004 03:39:26 0 Security [01] Session: IPSEC[251] 251 minnow has no active accounts
    04/19/2004 03:39:26 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from 251 (4.14.165.142)
    04/19/2004 03:39:28 0 ISAKMP [02] Initial Contact Payload Received...
  • Page 39: Test Vpn Client Tunnel

    • PC S4 (behind C251) should be able to ping PC S3 (behind C1100)
    • PC S3 should be able to ping the address (172.16.55.10) assigned to C251, but not further to the LAN behind C1100.
    • PC S3 should be able to remotely manage C251 with FTP, Telnet, HTTP using the assigned IP address of 172.16.55.10.
  • Page 40 Approximate round trip times in milli-seconds: Minimum = 20ms, Maximum = 30ms, Average = 25ms
    FTP, Telnet, and HTTP: The C251 can be remotely managed from PC S3 (the host behind C1100) using:
    • FTP 172.16.55.10
    • Telnet 172.16.55.10
    •...
  • Page 41: Configure Vpn Abot

    3.7.9 Configure VPN ABOT Go to Main Menu -> VPN, then select #2, and fill in the following service data for C251_Office_6:
    • Aggressive mode
    • DNS = office6-972-123-6666
    • My IP = 0.0.0.0
    •...
  • Page 42 Note: The C251 does not allow ABOT to be active when the Client Emulation tunnel is activated. To activate BO, you must first deactivate the Client Emulation tunnel. 3.7.9.1 Configure Static routing Build an ABOT tunnel using static routing.
  • Page 43: Activate Vpn Abot Tunnel

    Two tunnels were built for C251_office_6. Now, you have two tunnels built on the C251 for branch office-6. ABOT is active while Client is inactive. 3.7.10 Activate VPN ABOT Tunnel Unlike the Client tunnel, there is no “Connect” button for activating the ABOT tunnel. To start the connection, simply send ping packets from the BO to the CO LAN behind C1100.
  • Page 44: Test Vpn Abot Tunnel

    PC S3 should be able to manage C251 with FTP, Telnet, HTTP using the assigned IP address. 3.7.12 Event Log on C251 To log events, you have to configure C251 and select the LOG types. By default, C251 does not collect any log. Below is a log during ABOT construction. 01/01/2000 01:01:37 WEB Login Successfully 192.168.16.3...
  • Page 45: VPN-SA Monitor

    3.7.13 VPN-SA Monitor When the ABOT tunnel is up and active, you should be able to see the tunnel connection status, algorithm, and private LAN information. See the screenshot below. 3.7.14 ABOT Session status on C1100...
  • Page 46: Event Log On C1100

    Session Details ISAKMP security association established with office6-972-123-6666 (4.14.165.142) Local address: 24.1.61.69 Local Udp Port:500 Remote port:500 Initiator cookie: 220754DE4FE39F68 Responder cookie: 031DBFCB4285851C IKE encryption: 56-bit DES with Diffie-Hellman group 1 (MODP 768-bit prime) IKE Keepalive: Disabled.
  • Page 47: Ping Bo-6 Lan From C1100 Lan

    04/19/2004 04:09:25 0 Security [11] Session: IPSEC[office6-972-123-6666]:5 authorized
    04/19/2004 04:09:25 0 Branch Office [01] Setting up branch office gateway [4.14.165.142] uid:[office6-972-123-6666]
    04/19/2004 04:09:26 0 Branch Office [01] InstallBOSession: IPSEC[4.14.165.142] routing [STATIC]
    04/19/2004 04:09:26 0 RTM [10] netWrite RTM_RouteDef: N 192.168.16.0 M 255.255.255.0 NumNH 1 NH 4.14.165.142 CM 0x7350b18...
  • Page 48 Reply from 192.168.16.3: bytes=32 time=20ms TTL=126
    Reply from 192.168.16.3: bytes=32 time=20ms TTL=126
    Ping statistics for 192.168.16.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 30ms, Average = 22ms...
  • Page 49: Save Configuration File And Rename It

    3.9 Repeat the procedure to the rest of BO Use the same procedure to build the rest of the C251 configuration files. The one exception is that if a BO uses a VPI & VCI other than 0/35, you have to change them to the correct values before saving the configuration file.
  • Page 50: How To Change Vpi & Vci Number

    3.10.2 How to change VPI & VCI number Main -> Advanced Setup -> WAN -> WAN setup Change VPI and VCI to match the service data for that BO, and leave the rest of the fields unchanged. Click “apply”...
  • Page 51: Bo Office-6 Deployment, Setup User Client

    3.11.1 BO Office-6 deployment, setup User Client The BO office-6 end user received the C251 and technical documents including the “C251 Quick Start User Guide”, and instructions on how to change VPI/VCI by using Wizard setup (in Quick Start), and how to set up the Client tunnel.
  • Page 52: Repeat The Procedure To The Rest Bos

    ftp> bin
    200 Type I OK
    ftp> put office6-972-123-6666rom-0 rom-0
    200 Port command okay
    150 Opening data connection for STOR rom-0
    226 File received OK
    ftp: 106496 bytes sent in 16.60Seconds 6.42Kbytes/sec.
  • Page 53: Reference Documentation

    4. Reference Documentation: The following Technical Publications can be found at http://www.nortelnetworks.com Document Title Publication Description Number Contivity 221 ABOT Engineering Technical Publication Technical Configuration Guide for Deployments using Web GUI Contivity 251 VPN Switch 317516...
  • Page 54: Appendix A: Terminology

    • ISDN: Integrated Synchronous Digital System
    • ISP: Internet Service Provider
    • NOC: Network Operation Center
    • NTP: Nortel Technical Publication
    • POTS: Plain Old Telephone System
    • Private Interface: Intranet connection to a LAN
    • Public Interface: Internet connection to the outside world
    •...
  • Page 55 Contact Us: For product support and sales information, visit the Nortel Networks web site at: http://www.nortelnetworks.com In North America, dial toll-free 1-800-4Nortel, outside North America, dial 987-288-3700. Copyright © 2004 Nortel Networks All rights reserved.
