
Building secure IPSEC VPN tunnel on the GE Orbit





Network Setup

          Site A              Site B
  Name:   VPN-SITEA-83        VPN-SITEB-81
  LAN:    172.1.1.1/24        172.1.2.1/24
  WAN:    166.155.25.83       166.155.25.81
  PSK:    VPNorbitdemo        VPNorbitdemo

This guide will walk you through the secure setup of the Orbit device and creating a single P2P IKE/IPSEC Tunnel. The above diagram shows two remote tunnels and using this guide you should be able to easily duplicate a second tunnel or more if necessary.


*When implementing a live tunnel, I do not recommend you use the 172.x.x.x addressing referenced in this guide.



This guide was written by Phillip A. Yancey of BCI Technologies.

If you have any issues or need support, call me at 407.847.8848 X 204


 

GLOSSARY

 

Secure Orbit Setup

Change admin password

Disable non-admin accounts

Set device name

Set device login banner

Device name and login banner example

Disable DHCP

Change default device IP address.


Cellular Interface Setup

Check SIM status

Set manual APN

Set IPV4 enabled

Set IPV4 DHCP enabled

Set IPV4 Point-to-Point enabled

Set filter policy in_untrusted / out_untrusted

Remove NAT filters

Verify device WAN IPV4

Verify internet access https://wanip


Firewall Setup

Firewall policy review using BCI script

Comparison of default vs BCI In_trusted policy

Comparison of default vs BCI in_untrusted policy

Comparison of default vs BCI out_trusted policy

Comparison of default vs BCI out_untrusted policy

CELL-IP address set details

DROP_LIST address set details

LOCAL-NETS address set details


Site to Site VPN Setup

Setup IKE Policy

Setup IKE Peer

Setup IPsec Policy

Setup IPsec Conn.

Remote LAN access

Review of Encrypted Traffic

Review of IKE/IPSEC Exchange

Troubleshooting

Adding another Tunnel

BCI Firewall CLI Scripts




 

Secure Orbit Setup

 

System/User Authentication/Actions/Change Password

GE MDS Orbit IPSEC VPN Tunnel setup and guide on securing, configuring, and troubleshooting your VPN cellular link
Example of Device Password Change

When setting up a cellular device it’s important to change the default password.

Since in this example our device will be using a public static IP address, once it is active the default firewall allows HTTPS access to the device from the internet.



*Make sure you type everything correctly and don’t forget your password. There are no back doors and if you forget your password the unit must go back to GE for re-flashing.



System/User Authentication/Basic Config/General

Setup of Additional Password Settings

Consider lowering the allowed number of login attempts and tuning the lockout time for added security.

Expand Password Options to further tighten password requirements.





*By default, non-admin users are already disabled.



System/General/Basic Config/Registration

Example of Device Name Setup

Set up a device name that helps identify the device, e.g. Site A with a WAN IP ending in 83.


Disable the Run First time web wizard to keep it from popping up when logging in.


Setup a pre-login banner to show warnings or identification indicators when on the login page.





Example of Login Banner and Device Name

Example of Login banner and Device name.


Example of Login Banner.


Example of previously entered Device “name” field.





Services/DHCP Server/Basic Config/General

Example of DHCP Disable and Removal

Make sure to disable DHCP (if it is not being used) by unchecking the Enable box.




You may want to also delete the default DHCP policy to remove unnecessary configurations and avoid confusion later.







System/Time/Basic Config/Timezone

Example of Timezone Location Setup

Having accurate time is important for accurate alarm and events logging. While the device will update from the cellular network it’s also wise to set a Timezone Location just in case.







Interfaces/Bridge/Basic Config/IPV4

Example of Bridge IPV4 Setup

The bridge is a layer 2 (MAC, media access control) construct that links its member interfaces together. By default, all interfaces inside the Bridge are trusted and connected locally at the MAC layer. Cell interfaces are never inside the bridge and are therefore not trusted by default.


When outside the bridge an interface becomes a layer3 routed interface.


In this example we have changed the default Orbit IP address of 192.168.1.1/24 to our SITE_A address of 172.1.1.1/24.




*Remember that when changing the device IP we must also change our local machine's IP. In this case our computer is using 172.1.1.100/24.





 

Cellular Interface Setup

 



*SIM Cards should only be inserted into the Orbit when it’s powered off.


Interfaces/Cell/Status/Cellular

Example of Cellular Status

Once the device is set up, configured and secured, let's move on to the Cellular Interface.


Check the Cellular status to see if your device and SIM are provisioning on the network properly.

  • Look at MDN or Mobile Device Number

*If a MDN doesn’t appear, you need to call provider support.

  • Look for APN or Access Point Name


*If an APN doesn't show, you may need to wait longer, check the antenna signal, or configure it manually.

*The link may work, but if the IP address doesn't match your static assignment, the address is being dynamically assigned and may keep changing.



Interfaces/Cell/Basic Config/Cellular/Connection Profile

Example of Cell APN Setup

Verizon uses the following APNs per region:

  ne01.vzwstatic   North East
  nw01.vzwstatic   North West
  so01.vzwstatic   South
  mw01.vzwstatic   Midwest
  we01.vzwstatic   West

AT&T uses the following APNs (APN, type and usage):

  phone          Smartphones
  broadband      Laptops and tablets
  nxtgenphone    Voice over LTE
  m2m.com.attz   IoT devices
  wap.cingular   Legacy APN
  i2gold         Mobility; uses static IP addresses


IPSEC tunnels are great for small or test cellular applications, but we recommend considering a Private APN when scaling cellular networks. A Private APN is an enclosed, encrypted network that is not routed over the public internet.

Example: This unit is not pulling the correct APN, so we have configured it manually to ensure it obtains the correct static IP address.

Interfaces/Cell/Basic Config/IPV4/

Example of IPV4 DHCP Enable Setup

Older Orbit Firmware may not automatically enable certain Cellular settings. Make sure to verify the following settings and ensure they are already configured.


Example:

  • Enable IPV4 On Cellular Interface

  • Enable DHCP On Cellular Interface

  • Enable Point to Point Connection on Cellular Interface

IPV4 will allow the Cellular interface to be configured.

DHCP will ensure a static or dynamic address is assigned.

Point to Point Connection changes how the device routes traffic and must be disabled or un-checked.




Interfaces/Cell/Basic Config/Filter/

Example of Cell Filter Setup

Make sure the IN_UNTRUSTED / OUT_UNTRUSTED firewall policies (the GE default) are applied to the Cellular interface so that traffic arriving from it is not trusted.


IN/OUT_UNTRUSTED policies will allow DNS, HTTPS, and NAT Masquerade “MASQ” for immediate Internet access.


*Changing the default password is important, but also consider disabling the Cellular interface when not being used during testing.

Interfaces/Cell/Basic Config/NAT

Example of Cellular NAT Configuration

NAT is not used on the Cellular Interface when adding tunnels. Remove MASQ if showing under NAT Source.




REMOVE by deleting and committing changes.




*If MASQ is enabled once the tunnel is in operation, you won't be able to access remote LAN devices. MASQ is useful for making local addresses appear as the WAN address, but in the case of a tunnel this breaks our IKE/IPSEC endpoint exchanges, which use WAN addressing.




Interfaces/Cell/Status/IPV4/

Example of Static & Dynamic IP assignment

In this example, we compare dynamically assigned IP addressing versus static IP addressing.


Since our device did not automatically receive the correct static APN, it received a dynamic IP of 10.128.158.194.


Once our APN was manually configured, we received the correct IP of 166.155.25.81.


In this Example we should be able to access https://166.155.25.81 (Use your static here) via the internet.



*Your ISP should provide any static address or static range assignments in advance.


*The goal here is to make sure we can hit our correct WAN address. Verify your unit is online by using your phone or a separate internet accessible device to access its WAN IP.




 

Firewall Setup

 

Easy CLI Import


Example of CLI Script Import

Using the CLI button on the device manager menu opens the Orbit Router CLI (command line interface). This isn't necessary for setting up the firewall.

This is useful for entering script configurations that offer speedy deployment for complex configurations.

  • Type Config <hit enter>

  • Paste Script <hit enter>

  • Type Commit <hit enter>


Let’s review a BCI Firewall policy and compare with the Default GE Firewall policies. The BCI Firewall CLI Script used in this document can be found at the bottom of the guide.


 


Services/Firewall/Filter (Access Control list)


Here is a policy comparison of the Default Firewall versus BCI's alternative firewall.

*The reference field indicates which Interface the filter is active on.

Example of IN_TRUSTED BCI Filter


IN_TRUSTED - BCI Policy:


  1. DROP all if source or destination is a DROP_LIST address.

  2. ACCEPT ICMP if source is a LOCAL-NETS address.

  3. ACCEPT TCP from all sources if port range is 502-503.

  4. ACCEPT TCP from LOCAL-NETS for services HTTPS & SSH

  5. DROP ALL from ALL.

*Ports 502-503 are the Modbus protocol ports; if you are using a different protocol, modify or remove this rule.


Example of IN_TRUSTED GE Default Filter

IN_TRUSTED – GE Default Policy:


  1. ACCEPT all from all.


*Comparison only.



 

Example of IN_UNTRUSTED BCI Filter


IN_UNTRUSTED - BCI Policy:


  1. DROP all if source or destination is a DROP_LIST address.

  2. ACCEPT UDP DNS service to all destinations.

  3. ACCEPT ICMP Echo Reply from CELL-IP sources to all destinations.

  4. ACCEPT ICMP Echo Request from CELL-IP sources to all destinations.

  5. ACCEPT TCP from CELL-IP sources to the HTTPS, Netconf and SSH ports.

  6. ACCEPT UDP from CELL-IP sources to the DNS, IKE and NTP ports.

  7. ACCEPT esp from CELL-IP for all destinations.

  8. DROP all from all.





Example of IN_UNTRUSTED GE Default Filter

IN_UNTRUSTED – GE Default Policy:

  1. ACCEPT ICMP from all to all.

  2. ACCEPT UDP DNS service to all destinations.

  3. ACCEPT TCP all sources to HTTPS, Netconf, ssh destination ports.

  4. DROP all to all.


*Comparison only.



 



Example of OUT_TRUSTED BCI Filter

OUT_TRUSTED - BCI Policy:

1. DROP all if source or destination is a DROP_LIST address.

2. ACCEPT all from all.










Example of OUT_TRUSTED GE Default Filter

OUT_TRUSTED – GE Default Policy:

1. ACCEPT all from all.


*Comparison only.




 


Example of OUT_UNTRUSTED BCI Filter

OUT_UNTRUSTED - BCI Policy:


1. ACCEPT all address on CELL-IP to all destinations. (Add interface address True)

2. DROP GRE from all from all.

3. DROP all to all.





Example of OUT_UNTRUSTED GE Default Filter

OUT_UNTRUSTED – GE Default Policy:

1. ACCEPT all address on CELL-IP to all destinations.

2. DROP all from all.

3. DROP all from all.


*Comparison only.



 


Example of Cell-IP Address Set

Services/Firewall/address set (IPV4)

Address Sets allow you to use a group name in firewall policies, with the individual addresses added to the set separately.


CELL-IP address set

Add all cellular IP addresses that will be used within the VPN and that are trusted.

Example: I’ve included our local WAN (50.88.10.202) as well.



*By adding your WAN IP, it ensures only your location can access the router interface via public internet.





Example of Drop-List Address Set

DROP-LIST address set

Use this set to add untrusted device addresses. Adding an IP to this set ensures its traffic is dropped on all interfaces.


This is ideal for blocking devices that shouldn't or don't need to be accessing our local or cellular network.





Example of Local-Nets Address Set

LOCAL-NETS address set

Set up for all trusted local networks. All VPN network addresses should be added here.


Example: If we were going to add a 3rd VPN site, SITE_C, we would want to include its network 172.1.3.0/24 here as well.
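As an added illustration (not part of this guide or of the Orbit firmware), the following Python model evaluates packets against the BCI and GE-default IN_UNTRUSTED policies listed above, using the CELL-IP, DROP_LIST and LOCAL-NETS address sets. The DROP_LIST host, the LOCAL-NETS membership beyond the two guide LANs, and the service port numbers (HTTPS 443, Netconf 830, SSH 22, DNS 53, IKE 500, NTP 123) are assumptions; the CELL-IP members are the guide's own WAN addresses.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address sets mirroring the guide's CELL-IP, DROP_LIST and LOCAL-NETS sets.
ADDRESS_SETS = {
    "CELL-IP": ["166.155.25.83", "166.155.25.81", "50.88.10.202"],
    "DROP_LIST": ["198.51.100.7"],   # assumed untrusted host (TEST-NET-2 range)
    "LOCAL-NETS": ["172.1.1.0/24", "172.1.2.0/24"],  # used by IN_TRUSTED, not modelled here
}

def in_set(ip, name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ADDRESS_SETS[name])

@dataclass
class Rule:
    action: str               # "accept" or "drop"
    proto: str = "any"        # "tcp", "udp", "icmp", "esp" or "any"
    src: str = "any"          # address-set name the source must belong to, or "any"
    dports: tuple = ()        # destination ports that match; empty means any port
    either: bool = False      # DROP_LIST style: match if source OR destination is in the set

    def matches(self, pkt):
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.either:
            return in_set(pkt["src"], self.src) or in_set(pkt["dst"], self.src)
        if self.src != "any" and not in_set(pkt["src"], self.src):
            return False
        return not self.dports or pkt.get("dport") in self.dports

# Rules are evaluated top to bottom and the first match wins, as in the guide's lists.
IN_UNTRUSTED_BCI = [
    Rule("drop", src="DROP_LIST", either=True),                    # 1
    Rule("accept", "udp", dports=(53,)),                           # 2 DNS
    Rule("accept", "icmp", src="CELL-IP"),                         # 3-4 echo reply/request
    Rule("accept", "tcp", src="CELL-IP", dports=(443, 830, 22)),   # 5 HTTPS, Netconf, SSH
    Rule("accept", "udp", src="CELL-IP", dports=(53, 500, 123)),   # 6 dns, ike, ntp
    Rule("accept", "esp", src="CELL-IP"),                          # 7
    Rule("drop"),                                                  # 8
]
IN_UNTRUSTED_GE = [  # GE default policy, for comparison
    Rule("accept", "icmp"),
    Rule("accept", "udp", dports=(53,)),
    Rule("accept", "tcp", dports=(443, 830, 22)),
    Rule("drop"),
]

def evaluate(policy, pkt):
    # Returns the action of the first matching rule; an exhausted policy drops.
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "drop"
```

The useful comparison is an HTTPS connection from an arbitrary internet address: the GE default accepts it, while the BCI policy only accepts management and IKE/ESP traffic from the CELL-IP set, and a DROP_LIST address is dropped before any accept rule is considered.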





Once our device is secured and our firewall properly configured, we are ready to move forward with the VPN setup.



 

Site to Site VPN Setup

 



Example of VPN Service Enabled Checkbox

Services/VPN Service/Basic Config/ Enabled


By default, the VPN Service is disabled. Enabling before your policies are configured will result in an error.


Once you’ve setup both IKE and IPSEC policies you’ll need to ensure you enable the service.


Click the Enable Box to Turn on the VPN Service.





Example of IKE Enabled Checkbox

Services/VPN Service/Basic Config/ IKE

Click the check box for IKE to Enable this feature.








 




IKE POLICY SETUP FOR VPN-SITEA-83


Example of IKE Site A Policy Setup

Click ADD Button on Policy Details.


Setup a Policy NAME that helps identify the tunnel.


In this example our first tunnel will be to SITE B so I’m using the name: IKE_Policy_Site_B

Click ADD to save the Policy Name and to Expand additional IKE Policy setup.


*Use any naming scheme you want, but I prefer to name the policy after the connection point.