Building secure IPSEC VPN tunnel on the GE Orbit

Network Setup Name: VPN-SITEA-83 Name: VPN-SITEB-81 LAN: 172.1.1.1/24 LAN: 172.1.2.1/24 WAN: 166.155.25.83 WAN: 166.155.25.81 PSK: VPNorbitdemo PSK: VPNorbitdemo
This guide will walk you through the secure setup of the Orbit device and creating a single P2P IKE/IPSEC Tunnel. The above diagram shows two remote tunnels and using this guide you should be able to easily duplicate a second tunnel or more if necessary.
*When implementing a live tunnel, I do not recommend you use the 172.x.x.x addressing referenced in this guide.
This guide was written by Phillip A. Yancey of BCI Technologies.
If you have any issues or need support, call me at 407.847.8848 X 204
GLOSSARY
Device name and login banner example
Change default device IP address.
Set IPV4 Point-to-Point enabled
Set filter policy in_untrusted / out_untrusted
Verify internet access https://wanip
Firewall policy review using BCI script
Comparison of default vs BCI In_trusted policy
Comparison of default vs BCI in_untrusted policy
Comparison of default vs BCI out_trusted policy
Comparison of default vs BCI out_untrusted policy
LOCAL-NETS address set details
Setup IPsec Conn.
Secure Orbit Setup
System/User Authentication/Actions/Change Password

When setting up a cellular device it’s important to change the default password.
Since in this example our device will be using a public static IP address once active the default firewall allows https access.
*Make sure you type everything correctly and don’t forget your password. There are no back doors and if you forget your password the unit must go back to GE for re-flashing.
System/User Authentication/Basic Config/General

Consider decreasing login attempts and lockout time for added security.
Expand Password Options to further tighten password requirements.
*By default, non-admin users are already disabled.
System/General/Basic Config/Registration

Setup a device name that helps identify your device better. Site A and WAN IP ending in 83.
Disable the Run First time web wizard to keep it from popping up when logging in.
Setup a pre-login banner to show warnings or identification indicators when on the login page.

Example of Login banner and Device name.
Example of Login Banner.
Example of previously entered Device “name” field.
Services/DHCP Server/Basic Config/General

Make sure to disable DHCP by unchecking the enable box. (If not being used)
You may want to also delete the default DHCP policy to remove unnecessary configurations and avoid confusion later.
System/Time/Basic Config/Timezone

Having accurate time is important for accurate alarm and events logging. While the device will update from the cellular network it’s also wise to set a Timezone Location just in case.
Interfaces/Bridge/Basic Config/IPV4

The bridge is a layer2 MAC (media access control) linking other bridge devices together. By default, all interfaces inside Bridge are trusted and connected via MAC locally. Cell interfaces are never inside the bridge and therefore not trusted by default.
When outside the bridge an interface becomes a layer3 routed interface.
In this example we have changed the default Orbit IP address of 192.168.1.1/24 to our SITE_A address of 172.1.1.1/24
*Remember when changing a device IP we must also change our local machines IP. In this case our computer is using 172.1.1.100/24
Cellular Interface Setup
*SIM Cards should only be inserted into the Orbit when it’s powered off.
Interfaces/Cell/Status/Cellular

Once the device is setup, configured and secure, let’s move onto the Cellular Interface.
Check the Cellular status to see if your device and SIM are provisioning on the network properly.
Look at MDN or Mobile Device Number
*If a MDN doesn’t appear, you need to call provider support.
Look for APN or Access Point Name
*If APN doesn’t show you may need to wait longer, check antenna signal, or manually configure.
*It may work but if the IP address doesn’t match, you’re static then it’s being dynamically assigned and may keep changing.
Interfaces/Cell/Basic Config/Cellular/Connection Profile

Verizon uses the following APN's per region.
ne01.vzwstatic (North East)
nw01.vzwstatic (North West)
so01.vzwstatic (south)
mw01.vzwstatic (Midwest)
we01.vzwstatic (West)
At&t uses the following APN,Type,& Usage.
phone Smartphones
broadband Laptops and tablets
nxtgenphone Voice over LTE
m2m.com.attz IoT Devices
wap.cingular Legacy APN
i2gold Mobility, Uses static IP addresses.
IPSEC tunnels are great for small or test cellular applications but we recommended you consider a Private APN when scaling Cellular Networks. This is enclosed and encrypted non-internet routed networking.
Example: This unit is not pulling correct APN so we’ve manually configured to ensure it obtains the correct Static IP address.
Interfaces/Cell/Basic Config/IPV4/

Older Orbit Firmware may not automatically enable certain Cellular settings. Make sure to verify the following settings and ensure they are already configured.
Example:
Enable IPV4 On Cellular Interface
Enable DHCP On Cellular Interface
Enable Point to Point Connection on Cellular Interface
IPV4 will allow the Cellular interface to be configured.
DHCP will ensure a static or dynamic address is assigned.
Point to Point Connection will change how the devices routes traffic and must be disabled or un-checked.
Interfaces/Cell/Basic Config/Filter/

Make sure IN/OUT_UNTRUSTED firewall rules are configured to ensure (GE default) we do not trust traffic from the Cellular interface.
IN/OUT_UNTRUSTED policies will allow DNS, HTTPS, and NAT Masquerade “MASQ” for immediate Internet access.
*Changing the default password is important, but also consider disabling the Cellular interface when not being used during testing.
Interfaces/Cell/Basic Config/NAT

NAT is not used on the Cellular Interface when adding tunnels. Remove MASQ if showing under NAT Source.
REMOVE by deleting and committing changes.
*If MASQ is enabled once the tunnel is in operation you won’t be able to access remote LAN devices. MASQ is good to treat WAN address as local addresses. In the case of a tunnel, this breaks our IKE/IPSEC endpoint exchanges which use WAN addressing.
Interfaces/Cell/Status/IPV4/

In this example, we compare dynamically assigned IP verses static IP addressing.
Since our device did not automatically receive the correct Static APN the device received a dynamic IP of 10.128.158.194
Once our APN was manual configured, we received the correct IP of 166.155.25.81
In this Example we should be able to access https://166.155.25.81 (Use your static here) via the internet.
*Your ISP should provide any static or static range assignments in advanced.
*The goal here is to make sure we can hit our correct WAN address. Verify your unit is online by using your phone or a separate internet accessible device to access its WAN IP.
Firewall Setup
Easy CLI Import

Using the CLI button on the device manager menu will open access to the Orbit Router CLI or Command line interface. This isn’t necessary for setting up the firewall.
This is useful for entering script configurations that offer speedy deployment for complex configurations.
Type Config <hit enter>
Paste Script <hit enter>
Type Commit <hit enter>
Let’s review a BCI Firewall policy and compare with the Default GE Firewall policies. The BCI Firewall CLI Script used in this document can be found at the bottom of the guide.
Services/Firewall/Filter (Access Control list)
Here are policy comparison of the Default Firewall verses BCI’s Alternative firewall.
*The reference field indicates which Interface the filter is active on.

IN_TRUSTED - BCI Policy:
DROP all if source or destination is a DROP_LIST address.
ACCEPT ICMP if source is a LOCAL-NETS address.
ACCEPT TCP from all sources if port range is 502-503.
ACCEPT TCP from LOCAL-NETS for services HTTPS & SSH
DROP ALL from ALL.
* 502-503 is Modbus protocols, if you are using a different protocol you’ll want to modify or remove this rule.

IN_TRUSTED – GE Default Policy:
ACCEPT all from all.
*Comparison only.