Sierra Wireless AirLink Connection Manager Installation And Operation Manual

Installation and Operations Guide
AirLink Connection Manager
4119855 Rev 3


Summary of Contents for Sierra Wireless AirLink Connection Manager

  • Page 1 Installation and Operations Guide AirLink Connection Manager 4119855 Rev 3...
  • Page 2 Notice totally lost. Although significant delays or losses of data are rare when wireless devices such as the Sierra Wireless modem are used in a normal manner with a well-constructed network, the Sierra Wireless modem should not be used in...
  • Page 3: Contact Information

    Preface
    Contact Information
    Sales information and technical support, including warranty and returns: Web: sierrawireless.com/company/contact-us/; Global toll-free number: 1-877-687-7795, 6:00 am to 5:00 pm PST
    Corporate and product information: Web: sierrawireless.com
    Revision History (Revision number / Release date / Changes): • September 2016 Document created •...
  • Page 4: Table of Contents

    Who Should Read This Guide ..........7 What is the AirLink Connection Manager (ACM)? ......7 FIPS-Compliant ACM .
  • Page 5 Contents Host Name ............19 Domain Name .
  • Page 6 ACM Installation and Operations Guide View VPN Configuration Details ......... 44 IKE Process Status .
  • Page 7: Introduction

    (ACM)? The ACM is a Virtual Private Network (VPN) server available in both an appliance format (supplied by Sierra Wireless in a Dell 1U form factor), and as a virtual machine running in VMware vSphere Hypervisor (ESXi) 6.0 or above.
  • Page 8: FIPS-Compliant ACM

    NCP Client for Windows ACM 1.6 and above support connections from systems using NCP Client for Windows. Refer to the AirLink Connection Manager Configuration Guide for NCP Client for details. Supported AirLink Gateways and Routers This document applies to the device versions in the following table.
  • Page 9: Installation

    It is not to be used as a replacement or substitute for a general-purpose enterprise firewall/router. Sierra Wireless recommends that the ACM be installed behind the enterprise firewall so that policies and procedures relating to enterprise security are not significantly affected by the introduction of the ACM.
  • Page 10: Ethernet Connections

    ACM Installation and Operations Guide
    2. At a minimum, enable the following protocols and ports for the translated address:
    · IP Protocol ESP
    · TCP/IP Port 2222
    · UDP/IP 500
    · UDP/IP 4500
    If required by a customer security policy, the VPN between the AirLink gateway/router and the ACM can be specified to route ALL traffic through the secure connection.
  • Page 11 Installation Note: Sierra Wireless can only provide remote technical support for the ACM if access to Port 2222 is enabled on the public or private interface. If only private interface access is available, an independent VPN access method must be provided.
  • Page 12: Configuration Overview

    Last login: Fri Apr 20 11:29:35 2016 from xyz.com
    admin@ACM:~$
    Important: Sierra Wireless strongly recommends that you immediately change the Admin password from the default value (“inmotion”) to prevent unauthorized use of the system. See Admin Password on page 19 for details.
  • Page 13: Configuration Tree

    Configuration Overview
    Configuration Tree
    The ACM configuration is stored in attributes and nodes: • Attribute—Includes a name and a data value. • Node—A container for one or more attributes. A node can also contain sub-nodes to form a hierarchy of nodes. Attributes and nodes are referred to as ‘statements’...
  • Page 14: Add or Modify Attributes

    ACM Installation and Operations Guide Note: Attribute changes (adding, modifying, deleting, loading defaults) do not take effect on the ACM until they are first committed to the running configuration. After committing the changes, they stay in effect until the server reboots. To keep them in effect across reboots, they must be saved before the server reboots.
  • Page 15: Delete Attributes

    Configuration Overview
    Delete Attributes
    To delete an attribute statement, use the delete command. The following example demonstrates the delete command being used to make the following change, and a snippet from the show command that displays the ‘-’ symbol:
    · delete the hash method for an esp group’s “proposal 1”
    user@ACM1-Production# delete vpn ipsec esp-group espgroup1 proposal 1 hash
    user@ACM1-Production# show...
  • Page 16: Discard Uncommitted Attribute Changes

    ACM Installation and Operations Guide
    user@ACM1-Production# show
    esp-group espgroup1 {
        compression enable
        mode tunnel
        pfs enable
        proposal 1 {
    >       encryption aes256
            hash md5
        proposal 2 {
            encryption aes256
    ..
    Discard Uncommitted Attribute Changes
    To remove pending attribute changes so they cannot be committed to the running configuration, use the discard command.
  • Page 17: Apply Configuration

    Configuration Overview
    Apply Configuration
    To apply changes to the ACM configuration, use the commit command. After applying the configuration changes, the symbol(s) (+, -, or >) located beside the changed attribute statement(s) disappear as shown in the example below. Note: Committing applies the changes only to the currently running configuration. For the committed changes to remain active after rebooting, they must be saved to the boot configuration as described in Save Configuration...
  • Page 18: Restore Default Configuration

    ACM Installation and Operations Guide Restore Default Configuration You can restore the ACM to its default configuration using the load, commit, and save commands in configuration mode, as shown below. Warning: This process COMPLETELY replaces the ACM’s current configuration, so should be used only when absolutely necessary.
  • Page 19: Basic Configuration

    4: Basic Configuration
    Admin Password
    Important: Sierra Wireless strongly recommends that you immediately change the Admin password from the default value to prevent unauthorized use of the system. To change the default password of the admin account, use the following commands:
    admin@ACM:~# set system login user admin authentication plaintext-password <PASSWORD>...
  • Page 20: INSIDE Interface IP Address

    ACM Installation and Operations Guide
    INSIDE Interface IP Address
    To change the IP address of the INSIDE interface, use the following commands. Note: The default IP address must also be deleted as shown below.
    admin@ACM:~# delete interfaces ethernet eth1 address 10.99.0.1/24
    admin@ACM:~# set interfaces ethernet eth1 address <LAN-IP-ADDRESS/SUBNET-BITMASK>...
  • Page 21: ACM VPN Configuration

    5: ACM VPN Configuration VPN Overview A virtual private network (VPN) is a computer network that uses a public or private telecommunication infrastructure to provide mobile systems, such as AirLink gateways/routers, with secure access to the enterprise network. An ACM provides the VPN server function to several AirLink device clients. This is accomplished using TCP/IP standards and therefore routing plays a key role.
  • Page 22 ACM Installation and Operations Guide Table 5-1: ACM IKE / ESP Parameter Support ACM 1.6 (non-FIPS) ACM 1.6-FIPS Type Encryption aes128 aes128ccm16 aes128gcm16 aes256 aes256ccm16 aes256gcm16 3des Hash sha1 sha2_256 sha2_512 none DH Group none a. When aes128ccm16, aes128gcm16, aes256ccm16, or aes256gcm16 encryption is used, hash must be none.
  • Page 23: IKE Group Configuration

    ACM VPN Configuration IKE Group Configuration The procedure for configuring IKE groups varies depending on the IKE version being used. To configure IKE groups for: • oMG/MG90 routers, and NCP Client for Windows—See Configure IKE Groups with MOBIKE (IKEv2) on page 23. •...
  • Page 24 ACM Installation and Operations Guide b. After enabling DPD on the IKE group(s), set the global DPD parameters (these apply to DPD for all groups)—If not specified, default values are used (30 second timeout, 3 retries): set vpn ipsec ikev2-retransmit-timeout 15 set vpn ipsec ikev2-retransmit-tries 1 Note: Do not use the IKEv1 DPD configuration options “dead-peer-detection interval”...
  • Page 25: ESP Group

    ACM VPN Configuration
    Important: Always enable DPD, and always use “action clear”—do NOT use “action hold” or “action restart”.
    b. Set the DPD parameters (these must be set for each group):
    set vpn ipsec ike-group <IKE-GRP-NAME> dead-peer-detection interval <Interval_seconds>
    set vpn ipsec ike-group <IKE-GRP-NAME>...
  • Page 26: VPN Peers

    ACM Installation and Operations Guide
    · ESP transform set proposals (Note: There can be more than one proposal.) See Table 5-1 on page 22 for supported parameter values:
    set vpn ipsec esp-group <ESP-GRP-NAME> proposal 10 encryption <Encrypt_type>
    set vpn ipsec esp-group <ESP-GRP-NAME> proposal 10 hash <Hash_type>...
  • Page 27 ACM VPN Configuration Table 5-2: VPN Peer ID Types (columns: Peer, Location in Software, Peer ID Types) Note: Make sure to use the described formats to enter peer IDs in the peer’s software interface, and use the same formats when entering the IDs on the ACM in the “set vpn ipsec site-to-site peer” command. oMG/MG90 router WAN >...
  • Page 28 ACM Installation and Operations Guide Configure VPN Peer Attributes For each VPN peer, configure the following attributes: Note: In these commands, replace <PeerID> with the peer ID type used by the ACM (described in Configure VPN Peer IDs on page 26). ·...
  • Page 29: Certificate Management And Revocation

    ACM VPN Configuration
    Certificate Management and Revocation
    The ACM can use a system of public keys and certificates to allow or deny access to client devices. For a client device to connect to the ACM, its certificate must be signed by the same certificate authority (CA) and the device must have the same cacert.pem certificate file that the ACM has.
  • Page 30: Configuring for NCP Client for Windows

    The following subsections describe the server-side settings and configuration changes necessary to allow connections from NCP Client for Windows. For client-side configuration details, refer to the AirLink Connection Manager Configuration Guide for NCP Client. Assigning a Virtual IP Address from the Pool...
  • Page 31: EAP Authentication

    Note: The ACM always authenticates itself to the NCP Client using a pre-shared key or certificate. The following describes the server-side steps to configure EAP authentication. For client-side configuration, refer to the AirLink Connection Manager Configuration Guide for NCP Client. Rev 3 Nov 17...
  • Page 32: ACM Server Protocols

    ACM server from a pool of servers (load balancing). If a server fails, the client devices that are connected to that server request assignment to another server from the pool (server redundancy). For configuration details, refer to the AirLink Connection Manager High Availability Setup Guide. Virtual Router Redundancy Protocol (VRRP) Overview of VRRP The ACM technology utilizes virtual router redundancy protocol (VRRP) to ensure that services are available in the event that an ACM goes down.
  • Page 33 [Figure 5-1: A master ACM is the ACM with the highest priority. Diagram labels: Master ACM, VRRP Group: 99, Priority: 7; second ACM, VRRP Group: 99, Priority: 5; Virtual IPs 10.10.12.13 and 10.11.11.19 on the Inside and Outside Interfaces facing the Enterprise and the Internet; Sierra Wireless AirLink gateway/router]...
  • Page 34 [Figure 5-2: The next highest priority ACM will become the master upon a failure. Diagram labels: Master ACM, VRRP Group: 99, Priority: 7; Master ACM, VRRP Group: 99, Priority: 5 ("New Master elected"); Virtual IPs 10.11.11.19 and 10.10.12.13 on the Inside and Outside Interfaces facing the Enterprise and the Internet; Sierra Wireless AirLink gateway/router] VRRP has a feature called "pre-emption"...
  • Page 35 [Figure 5-4: A Sync Group elects a new master ACM upon the failure of an inside interface. Diagram labels: (Former Master) ACM, VRRP Group: 101, Priority: 7; (New) Master ACM, VRRP Group: 101, Priority: 5 ("New Master ACM elected"); Sync Group; Virtual IPs 10.10.12.13 and 10.11.11.19 on the Inside and Outside Interfaces facing the Enterprise and the Internet; Sierra Wireless AirLink gateway/router] Note: If VRRP is enabled with the RFC compliant option, ensure a firewall is positioned on the outside of the ACMs to protect them.
  • Page 36 ACM Installation and Operations Guide
    3. Enable pre-emption:
    set interfaces ethernet eth0 vrrp vrrp-group <VRRP GROUP #> preempt true
    4. Set the priority of this ACM:
    set interfaces ethernet eth0 vrrp vrrp-group <VRRP GROUP #> priority <PRIORITY #>
    Important: Make sure to set a higher priority for the master ACM than the priorities for all backup ACMs.
  • Page 37: AirLink oMG/MG90 Router Support

    ACM VPN Configuration
    Important: Make sure to set a higher priority for the master ACM than the priorities for all backup ACMs.
    7. Add the VRRP group on eth1 to the sync group:
    set interfaces ethernet eth1 vrrp vrrp-group <VRRP GROUP #> sync-group <SYNC GROUP NAME>
    8.
  • Page 38: AirLink Gateway/Router Support - LS, ES, GX, MP Series

    ACM Installation and Operations Guide Table 5-3: oMG / MG90 IKE / ESP Parameter Support (Continued) ACM 1.6 MG90 non-FIPS FIPS non-FIPS FIPS non-FIPS FIPS Setup Type Requirements Hash sha1 sha2_256 sha2_512 none DH Group 4.1.x On the ACM: • Do not 4.1.x configure oMG...
  • Page 39: ACM/AirLink (LS, ES, GX, MP Series) Setup Requirements

    ACM VPN Configuration ACM/AirLink (LS, ES, GX, MP Series) Setup Requirements When using AirLink gateways/routers (other than oMG and MG90) with the ACM, some limitations apply: • Some ACM features are not supported by AirLink devices. • Some AirLink features are not supported by ACM. The following tables describe these limitations and the restrictions these place on ACM configuration and AirLink configuration (using ACEmanager).
  • Page 40: 'Single Address' Type for Host2Lan Connection

    ACM Installation and Operations Guide Table 5-4: AirLink IKE / ESP Parameter Support (Continued) ACM 1.6 AirLink Type Setup Requirements DH Group On the AirLink device: • Configure the device to use only DH2 or DH5. On the ACM: • Configure the peer to use only DH2 or DH5.
  • Page 41: Main/Aggressive Mode Configuration

    ACM VPN Configuration iii. In Device USB IP, enter the AirLink device’s IP address. The default address is 192.168.14.31. If the gateway is part of a fleet, each gateway must be configured with a unique address—modify the third octet for each device (e.g. 192.168.14.31 for the first gateway, 192.168.15.31 for the second, etc.) iv.
  • Page 42: NCP Client for Windows

    ACM Installation and Operations Guide NCP Client for Windows ACM supports VPN connections from mobile devices using NCP Client for Windows. For NCP Client product support, refer to https://www.ncp-e.com. NCP Client/ACM Setup Requirements When using NCP Client peers with the ACM, some limitations apply: •...
  • Page 43 ACM VPN Configuration Table 5-7: NCP Client IKE / ESP Parameter Support (Continued) ACM 1.6 NCP Client non-FIPS FIPS non-FIPS FIPS Type Setup Requirements DH Group On the NCP Client: • Configure the device to use any supported group except DH1. none Table 5-8: Additional ACM / NCP Client Setup Requirements Feature...
  • Page 44: Troubleshooting

    6: Troubleshooting
    Upgrading to ACM 1.6
    When upgrading to ACM 1.6, you must enter a name to store the image file. To upgrade to ACM 1.6 from an earlier version:
    1. Enter the following command: add system image <imagefile> (where <imagefile> is the pathname of an ISO file (such as “ACM-1.6.0-20160719.1.iso”) on the ACM or a URL to a remote file)
    2.
  • Page 45: IKE Security Associations

    Troubleshooting
    IKE Security Associations
    To view IKE security associations:
    admin@ACM: show vpn ike sa
    Peer ID / IP    Local ID / IP
    ------------    -------------
    CN=omg_valid1   192.168.4.22
    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
           aes256   sha1...
  • Page 46: IPsec Security Associations

    ACM Installation and Operations Guide
    IPsec Security Associations
    To view IPsec security associations:
    admin@ACM: show vpn ipsec sa
    Peer ID / IP    Local ID / IP
    ------------    -------------
    Peer ID / IP    Local ID / IP
    ------------    -------------
    CN=omg_revoked1 192.168.4.22
    Tunnel  State  Bytes Out/In  Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  ------------  -------  ----  -----  ------  -...
  • Page 47: IPsec IP Pool Status

    Troubleshooting
    IPsec IP Pool Status
    To view IPsec IP pool status:
    admin@ACM: show vpn ipsec ip-pool
    Leases in pool '192.168.114.0/24', usage: 3/254, 0 online
      192.168.114.2   offline   'TestNCP2'
      192.168.114.1   offline   'peapuser'
      192.168.114.3   offline   'C=CA, ST=BC, O=InMotion, OU=eng, CN=Ttest1'
    Leases in pool '10.101.1.0/24', usage: 0/254, 0 online
      no matching leases found
    Debug Information
    To view more detailed information when you are troubleshooting, use the show...
  • Page 48: View VRRP Configuration Details

    ACM Installation and Operations Guide
    peer-any-tunnel-1:  remote: uses EAP_RADIUS authentication with EAP identity '%any'
    peer-any-tunnel-1:  child:  192.168.114.0/24 === dynamic TUNNEL
    Security Associations (1 up, 0 connecting):
    peer-any-tunnel-1[19]: ESTABLISHED 72 seconds ago, 10.1.65.114[10.1.65.114]...10.1.65.66[]
    peer-any-tunnel-1[19]: IKEv2 SPIs: 89f07750b7bb0459_i 6cd14c493a517903_r*, rekeying disabled
    peer-any-tunnel-1[19]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    peer-any-tunnel-1{30}:  INSTALLED, TUNNEL, reqid 5, ESP...
  • Page 49 Troubleshooting
    Last transition: 1w2d2h39m29s
    admin@ACM:~$
    admin@ACM:~$ show vrrp summary
    Interface  VRRP Group  Addr Type  Address          Interface State  VRRP State
    ---------  ----------  ---------  ---------------  ---------------  ----------
    eth0                              192.168.3.33/24  up               master
    eth1                              192.168.9.33/24  up               master
    admin@ACM:~$
    On the backup ACM:
    admin@ACM:~$ show vrrp interface eth0
    Physical interface: eth0, Source Address 192.168.2.95
    Interface state: up, Group 99, State: backup
    Priority: 200, Advertisement interval: 1,...
  • Page 50: Dead Peer Detection Is Not Working

    ACM Installation and Operations Guide
    Dead Peer Detection is not Working
    If dead peer detection (DPD) is not functioning properly:
    • Make sure the correct “set vpn ipsec” DPD options are used:
    · When enabling DPD, use “action clear”—do not use “action hold” or “action reset”.
  • Page 51: NCP Certificate Authentication Failed - "No Trusted RSA Public Key"

    Troubleshooting
    NCP Certificate Authentication Failed— “No trusted RSA public key”
    For NCP certificate authentication to work with ACM, NCP must be configured to use ID Type “ASN1 Distinguished Name”. Figure 6-1: NCP Certificate Authentication ID Type...
  • Page 52: Basic Configuration Requirements

    A: Basic Configuration Requirements This information is required for the initial configuration of the ACM so that it can be installed inside a customer network, boot successfully, and be accessible for further configuration. The following items must be configured before the ACM can accept connections. Table 1-1: Required ACM Configuration Items Item Note...
  • Page 53: RADIUS Server Settings

    B: RADIUS Server Settings
    Perform the following steps to configure the RADIUS Server:
    1. Install the FreeRADIUS package (see http://freeradius.org for more information).
    2. Add radiusd to the init script using the following command:
    chkconfig --level 2345 radiusd on
    3. Add a firewall rule for UDP port 1812 using the following command:
    iptables -I INPUT -p udp -m state --state NEW -m udp --dport 1812 -j ACCEPT
    4.
