
Building secure IPSEC VPN tunnel on the GE Orbit





Network Setup

              Site A               Site B
  Name:       VPN-SITEA-83         VPN-SITEB-81
  LAN:        172.1.1.1/24         172.1.2.1/24
  WAN:        166.155.25.83        166.155.25.81
  PSK:        VPNorbitdemo         VPNorbitdemo

This guide will walk you through the secure setup of the Orbit device and creating a single P2P IKE/IPSEC Tunnel. The above diagram shows two remote tunnels and using this guide you should be able to easily duplicate a second tunnel or more if necessary.


*When implementing a live tunnel, I do not recommend you use the 172.x.x.x addressing referenced in this guide.



This guide was written by Phillip A. Yancey of BCI Technologies.

If you have any issues or need support, call me at 407.847.8848 X 204



GLOSSARY


Secure Orbit Setup

Change admin password

Disable non-admin accounts

Set device name

Set device login banner

Device name and login banner example

Disable DHCP

Change default device IP address.


Cellular Interface Setup

Check SIM status

Set manual APN

Set IPV4 enabled

Set IPV4 DHCP enabled

Set IPV4 Point-to-Point enabled

Set filter policy in_untrusted / out_untrusted

Remove NAT filters

Verify device WAN IPV4

Verify internet access https://wanip


Firewall Setup

Firewall policy review using BCI script

Comparison of default vs BCI In_trusted policy

Comparison of default vs BCI in_untrusted policy

Comparison of default vs BCI out_trusted policy

Comparison of default vs BCI out_untrusted policy

CELL-IP address set details

DROP_LIST address set details

LOCAL-NETS address set details


Site to Site VPN Setup

Setup IKE Policy

Setup IKE Peer

Setup IPsec Policy

Setup IPsec Conn.

Remote LAN access

Review of Encrypted Traffic

Review of IKE/IPSEC Exchange

Troubleshooting

Adding another Tunnel

BCI Firewall CLI Scripts





Secure Orbit Setup


System/User Authentication/Actions/Change Password

GE MDS Orbit IPSEC VPN Tunnel setup and guide on securing, configurating, and troubleshooting your VPN cellular link
Example of Device Password Change

When setting up a cellular device it is important to change the default password.

In this example the device will be using a public static IP address, and once the cellular link is active the default firewall allows HTTPS access from the WAN, so the default credentials would be reachable from the Internet.



*Make sure you type everything correctly and do not forget your password. There are no back doors, and if you forget your password the unit must go back to GE for re-flashing.



System/User Authentication/Basic Config/General

Setup of Additional Password Settings

Consider decreasing login attempts and lockout time for added security.

Expand Password Options to further tighten password requirements.





*By default, non-admin users are already disabled.



System/General/Basic Config/Registration

Example of Device Name Setup

Set up a device name that helps identify your device, for example Site A with a WAN IP ending in 83 (VPN-SITEA-83).


Disable the Run First Time Web Wizard option to keep the wizard from popping up when logging in.


Set up a pre-login banner to show warnings or identification indicators on the login page.





Example of Login Banner and Device Name



Example of Login Banner.


Example of previously entered Device “name” field.





Services/DHCP Server/Basic Config/General

Example of DHCP Disable and Removal

Make sure to disable DHCP by unchecking the Enable box (if DHCP is not being used).




You may want to also delete the default DHCP policy to remove unnecessary configurations and avoid confusion later.







System/Time/Basic Config/Timezone

Example of Timezone Location Setup

Having accurate time is important for accurate alarm and events logging. While the device will update from the cellular network it’s also wise to set a Timezone Location just in case.







Interfaces/Bridge/Basic Config/IPV4

Example of Bridge IPV4 Setup

The bridge is a layer-2 (MAC, media access control) construct linking its member interfaces together. By default, all interfaces inside the bridge are trusted and connected locally at the MAC layer. Cell interfaces are never inside the bridge and are therefore not trusted by default.


When outside the bridge an interface becomes a layer3 routed interface.


In this example we have changed the default Orbit IP address of 192.168.1.1/24 to our SITE_A address of 172.1.1.1/24.




*Remember that when changing the device IP we must also change our local machine's IP. In this case our computer is using 172.1.1.100/24.






Cellular Interface Setup




*SIM cards should only be inserted into the Orbit when it is powered off.


Interfaces/Cell/Status/Cellular

Example of Cellular Status

Once the device is set up, configured and secured, let's move on to the Cellular Interface.


Check the Cellular status to see if your device and SIM are provisioning on the network properly.

  • Look at MDN or Mobile Device Number

*If an MDN doesn't appear, you need to call provider support.

  • Look for APN or Access Point Name


*If the APN doesn't show, you may need to wait longer, check the antenna signal, or configure it manually.

*The link may work even so, but if the IP address shown doesn't match your static assignment, then the address is being assigned dynamically and may keep changing.



Interfaces/Cell/Basic Config/Cellular/Connection Profile

Example of Cell APN Setup

Verizon uses the following APNs per region:

  • ne01.vzwstatic (North East)

  • nw01.vzwstatic (North West)

  • so01.vzwstatic (South)

  • mw01.vzwstatic (Midwest)

  • we01.vzwstatic (West)

AT&T uses the following APNs (APN, type and usage):

  • phone: Smartphones

  • broadband: Laptops and tablets

  • nxtgenphone: Voice over LTE

  • m2m.com.attz: IoT devices

  • wap.cingular: Legacy APN

  • i2gold: Mobility, uses static IP addresses


IPsec tunnels are great for small or test cellular applications, but we recommend you consider a Private APN when scaling cellular networks. A Private APN is an enclosed, encrypted network that is not routed over the Internet.

Example: This unit is not pulling the correct APN, so we have manually configured it to ensure it obtains the correct static IP address.

Interfaces/Cell/Basic Config/IPV4/

Example of IPV4 DHCP Enable Setup

Older Orbit firmware may not automatically enable certain cellular settings. Verify the following settings and make sure they are configured:


Example:

  • Enable IPV4 On Cellular Interface

  • Enable DHCP On Cellular Interface

  • Enable Point to Point Connection on Cellular Interface

IPV4 allows the Cellular interface to be configured with an IPv4 address.

DHCP ensures that a static or dynamic address is assigned by the carrier.

Point to Point Connection changes how the device routes traffic and must be disabled or unchecked.




Interfaces/Cell/Basic Config/Filter/

Example of Cell Filter Setup

Make sure the IN_UNTRUSTED and OUT_UNTRUSTED firewall filter policies (the GE default) are applied to the Cellular interface, so that traffic arriving from the cellular side is not trusted.


The IN_UNTRUSTED/OUT_UNTRUSTED policies allow DNS, HTTPS, and NAT masquerade ("MASQ") for immediate Internet access.


*Changing the default password is important, but also consider disabling the Cellular interface while it is not being used during testing.

Interfaces/Cell/Basic Config/NAT

Example of Cellular NAT Configuration

NAT is not used on the Cellular Interface when adding tunnels. Remove MASQ if showing under NAT Source.




REMOVE by deleting and committing changes.




*If MASQ is still enabled once the tunnel is in operation, you won't be able to access remote LAN devices. MASQ is useful when local addresses should be hidden behind the WAN address for Internet access. In the case of a tunnel, this breaks our IKE/IPsec endpoint exchanges, which rely on the WAN addressing.




Interfaces/Cell/Status/IPV4/

Example of Static & Dynamic IP assignment

In this example, we compare dynamically assigned IP addressing versus static IP addressing.


Since our device did not automatically receive the correct static APN, the device received a dynamic IP of 10.128.158.194.


Once our APN was manually configured, we received the correct IP of 166.155.25.81.


In this example we should be able to access https://166.155.25.81 (use your own static address here) via the Internet.



*Your ISP should provide any static or static range assignments in advance.


*The goal here is to make sure we can reach our correct WAN address. Verify your unit is online by using your phone or a separate Internet-accessible device to access its WAN IP.





Firewall Setup


Easy CLI Import


Example of CLI Script Import

Using the CLI button on the device manager menu opens the Orbit router CLI (command line interface). This isn't necessary for setting up the firewall.

The CLI is useful for entering scripted configurations, which allow speedy deployment of complex configurations.

  • Type Config <hit enter>

  • Paste Script <hit enter>

  • Type Commit <hit enter>


Let's review a BCI firewall policy and compare it with the default GE firewall policies. The BCI firewall CLI script used in this document can be found at the bottom of the guide.




Services/Firewall/Filter (Access Control list)


Here is a policy comparison of the default firewall versus BCI's alternative firewall.

*The Reference field indicates which interface the filter is active on.

Example of IN_TRUSTED BCI Filter


IN_TRUSTED - BCI Policy:


  1. DROP all if source or destination is a DROP_LIST address.

  2. ACCEPT ICMP if source is a LOCAL-NETS address.

  3. ACCEPT TCP from all sources if port range is 502-503.

  4. ACCEPT TCP from LOCAL-NETS for services HTTPS & SSH.

  5. DROP ALL from ALL.

* Ports 502-503 are the Modbus protocol ports; if you are using a different protocol you will want to modify or remove this rule. Note that this rule accepts Modbus from all sources, not just LOCAL-NETS.


Example of IN_TRUSTED GE Default Filter

IN_TRUSTED – GE Default Policy:


  1. ACCEPT all from all.


*Comparison only.
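To make the ordering of the IN_TRUSTED rules concrete, here is an added Python model (not Orbit code and not part of the BCI script) of first-match filter evaluation. It encodes the five BCI rules above and the single GE default rule, then runs the same constructed sample packets through both. The membership of the DROP_LIST and LOCAL-NETS address sets is not listed on this page, so the DROP_LIST network (198.51.100.0/24) is a constructed placeholder and LOCAL-NETS is assumed to be the two site LANs from the network setup; the standard ports 443 and 22 are assumed for HTTPS and SSH. The run shows that a DROP_LIST host is dropped even on the Modbus ports (rule 1 precedes rule 3), that Modbus is accepted from a non-local source (the caveat under rule 3), that HTTPS/SSH management is accepted only from LOCAL-NETS, and that the GE default accepts everything.

```python
"""Added example: first-match evaluation of the IN_TRUSTED filter policies."""
import ipaddress
from dataclasses import dataclass
from typing import Collection, Optional

# Address sets. Their members are not shown on this page: DROP_LIST is a
# constructed placeholder network; LOCAL-NETS is assumed to be the two site LANs.
ADDRESS_SETS = {
    "DROP_LIST": [ipaddress.ip_network("198.51.100.0/24")],   # constructed
    "LOCAL-NETS": [ipaddress.ip_network("172.1.1.0/24"),       # Site A LAN
                   ipaddress.ip_network("172.1.2.0/24")],      # Site B LAN
}

SERVICE_PORTS = {"HTTPS": 443, "SSH": 22}   # standard ports assumed for the named services


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                                 # "ACCEPT" or "DROP"
    proto: str = "any"
    src_set: Optional[str] = None               # source must be in this address set
    either_set: Optional[str] = None            # source OR destination in this set
    dports: Optional[Collection[int]] = None    # destination ports that match


def in_set(addr: str, set_name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADDRESS_SETS[set_name])


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.either_set and not (in_set(pkt.src, rule.either_set)
                                or in_set(pkt.dst, rule.either_set)):
        return False
    if rule.src_set and not in_set(pkt.src, rule.src_set):
        return False
    if rule.dports is not None and (pkt.dport is None or pkt.dport not in rule.dports):
        return False
    return True


def evaluate(policy, pkt: Packet):
    """First matching rule wins; returns (action, 1-based rule number).
    A policy with no matching rule falls through to DROP with rule number 0."""
    for number, rule in enumerate(policy, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return "DROP", 0


# IN_TRUSTED as listed in the BCI policy (rules 1-5, in order).
BCI_IN_TRUSTED = [
    Rule("DROP", either_set="DROP_LIST"),
    Rule("ACCEPT", proto="icmp", src_set="LOCAL-NETS"),
    Rule("ACCEPT", proto="tcp", dports=range(502, 504)),          # Modbus, any source
    Rule("ACCEPT", proto="tcp", src_set="LOCAL-NETS",
         dports={SERVICE_PORTS["HTTPS"], SERVICE_PORTS["SSH"]}),
    Rule("DROP"),
]

# IN_TRUSTED as shipped in the GE default policy: ACCEPT all from all.
GE_DEFAULT_IN_TRUSTED = [Rule("ACCEPT")]


def compare(pkt: Packet) -> dict:
    """Evaluate one packet under both policies."""
    return {"bci": evaluate(BCI_IN_TRUSTED, pkt),
            "ge_default": evaluate(GE_DEFAULT_IN_TRUSTED, pkt)}


# Constructed sample traffic; 10.0.0.9 and 198.51.100.7 are placeholder non-local hosts.
SAMPLES = {
    "lan_https":       Packet("172.1.1.100", "172.1.1.1", "tcp", 443),   # management from Site A LAN
    "foreign_ssh":     Packet("10.0.0.9", "172.1.1.1", "tcp", 22),       # SSH from a non-local source
    "lan_ping":        Packet("172.1.1.100", "172.1.1.1", "icmp"),
    "droplist_modbus": Packet("198.51.100.7", "172.1.1.50", "tcp", 502), # DROP_LIST host on Modbus port
    "foreign_modbus":  Packet("10.0.0.9", "172.1.1.50", "tcp", 503),     # Modbus from a non-local source
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        result = compare(pkt)
        print(f"{name:16} BCI={result['bci']}  GE default={result['ge_default']}")
```

Each result is a pair of (action, rule number), so you can see which rule decided the packet. Dropping on the DROP_LIST before any ACCEPT is what makes that list effective; moving rule 1 below rule 3 would let a listed host reach Modbus.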