Network Setup (diagram)
Site A                          Site B
Name: VPN-SITEA-83              Name: VPN-SITEB-81
LAN:  18.104.22.168/24          LAN:  22.214.171.124/24
WAN:  126.96.36.199             WAN:  188.8.131.52
PSK:  VPNorbitdemo              PSK:  VPNorbitdemo
This guide will walk you through the secure setup of the Orbit device and the creation of a single point-to-point IKE/IPsec tunnel. The diagram above shows the two ends of one tunnel; using this guide you should be able to duplicate the configuration for a second tunnel, or more, if necessary.
*When implementing a live tunnel, I do not recommend you use the 172.x.x.x addressing referenced in this guide. The PSK shown (VPNorbitdemo) is a demo value: for a live tunnel generate a long, random pre-shared key, and use a different key for each additional tunnel.
This guide was written by Phillip A. Yancey of BCI Technologies.
If you have any issues or need support, call me at 407.847.8848 X 204
Setup IPsec Conn.
Secure Orbit Setup
System/User Authentication/Actions/Change Password
When setting up a cellular device it is important to change the default password.
In this example the device will sit on a public static IP address, and once the cellular interface is active the default firewall allows HTTPS (as well as SSH and Netconf) management access from any internet source.
*Make sure you type everything correctly and don't forget your password. There are no back doors; if you forget your password the unit must go back to GE for re-flashing.
System/User Authentication/Basic Config/General
Consider reducing the number of allowed login attempts and increasing the lockout time for added security.
Expand Password Options to further tighten the password requirements.
*By default, non-admin users are already disabled.
Set up a device name that identifies the unit; in this example VPN-SITEA-83 encodes Site A and a WAN IP ending in 83.
Disable "Run first time web wizard" to keep it from popping up at login.
Set up a pre-login banner to show warnings or identification indicators on the login page.
[Figures: example of the login banner and device name; example of the login banner; example of the previously entered device "name" field.]
Services/DHCP Server/Basic Config/General
Make sure to disable the DHCP server by unchecking the Enable box (if it is not being used).
You may also want to delete the default DHCP policy to remove unnecessary configuration and avoid confusion later.
Accurate time matters for accurate alarm and event logging. The device will take its time from the cellular network, but it is also wise to set a Timezone Location in case that source is unavailable.
The bridge is a layer 2 construct that links interfaces at the MAC (media access control) level, like a switch. By default, all interfaces inside the bridge are trusted and switched locally. The cellular interface is never inside the bridge and is therefore not trusted by default.
An interface outside the bridge is a layer 3 routed interface.
In this example we have changed the Orbit's default IP address of 192.168.1.1/24 to our SITE_A address of 184.108.40.206/24.
*Remember that when changing the device IP we must also move our local machine's IP to the same subnet. In this case our computer is using 220.127.116.11/24.
Cellular Interface Setup
*SIM cards should only be inserted into the Orbit when it is powered off.
Once the device is set up, configured and secured, move on to the Cellular interface.
Check the Cellular status to see whether your device and SIM are provisioning on the network properly.
Look at the MDN (Mobile Device Number).
*If no MDN appears, you need to call provider support.
Look for the APN (Access Point Name).
*If no APN shows, you may need to wait longer, check the antenna signal, or configure it manually.
*The connection may work even with the wrong APN, but if the IP address does not match your static assignment it is being dynamically assigned and may keep changing.
Interfaces/Cell/Basic Config/Cellular/Connection Profile
Verizon uses the following static APNs per region:
ne01.vzwstatic (North East)
nw01.vzwstatic (North West)
AT&T uses the following APNs (APN: type and usage):
broadband: laptops and tablets
nxtgenphone: Voice over LTE
m2m.com.attz: IoT devices
wap.cingular: legacy APN
i2gold: mobility, uses static IP addresses
IPsec tunnels are fine for small or test cellular applications, but we recommend you consider a Private APN when scaling cellular networks. A Private APN is an enclosed network that is not routed to the internet; keep in mind that its encryption is the carrier's (over the air and on the carrier-to-customer link), not end-to-end from your device, so IPsec is still worthwhile over a Private APN where the data is sensitive.
Example: this unit was not pulling the correct APN, so we configured it manually to ensure it obtains the correct static IP address.
Older Orbit firmware may not automatically set certain cellular settings. Verify the following on the Cellular interface before moving on:
IPv4: enabled. IPv4 allows the Cellular interface to be configured.
DHCP: enabled. DHCP ensures that a static or dynamic address is assigned by the carrier.
Point to Point Connection: disabled (unchecked). This option changes how the device routes traffic and must be off.
Make sure the IN/OUT_UNTRUSTED firewall rules are applied to the Cellular interface (the GE default) so that traffic arriving from the cellular network is not trusted.
The default IN/OUT_UNTRUSTED policies allow DNS, HTTPS, and NAT Masquerade ("MASQ") for immediate internet access.
*Changing the default password is important, but also consider disabling the Cellular interface while it is not being used during testing.
NAT is not used on the Cellular interface when adding tunnels. If MASQ appears under NAT Source, remove it.
Remove it by deleting the entry and committing the change.
*If MASQ is left enabled once the tunnel is in operation you will not be able to reach remote LAN devices. MASQ rewrites the source address of LAN traffic leaving the cell interface to the WAN address, which is fine for plain internet access. With a tunnel, traffic for the remote LAN must keep its LAN source address so that it matches the IPsec policy's local/remote network selectors; once masqueraded it no longer matches and is not sent through the tunnel. The IKE/ESP exchange between the two WAN addresses is unaffected; it is the protected LAN-to-LAN traffic that breaks.
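As an added illustration (not from the original guide and not GE's code), here is a small Python model of why the masquerade rule has to go: it applies the source NAT that the MASQ rule would apply, then checks the result against the tunnel's IPsec traffic selectors. The addresses are constructed stand-ins from the RFC 5737 documentation ranges, not the guide's addresses, and the model assumes the policy selectors see the post-NAT source, which is the behaviour the guide's symptom (remote LAN unreachable) reflects.

```python
"""Added example: why NAT masquerade on the cell interface breaks LAN-to-LAN tunnel traffic."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample addressing (RFC 5737 documentation ranges), not the guide's addresses.
SITE_A_LAN = ip_network("192.0.2.0/24")      # protected network behind Site A
SITE_B_LAN = ip_network("198.51.100.0/24")   # protected network behind Site B
SITE_A_WAN = ip_address("203.0.113.83")      # Site A cellular (WAN) address


@dataclass(frozen=True)
class IpsecPolicy:
    """Traffic selectors of one tunnel: local network <-> remote network."""
    local_net: IPv4Network
    remote_net: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local_net and dst in self.remote_net


TUNNEL_A_TO_B = IpsecPolicy(SITE_A_LAN, SITE_B_LAN)


def masquerade(src: IPv4Address, wan_ip: IPv4Address, enabled: bool) -> IPv4Address:
    """Source NAT as the cell interface's MASQ rule would apply it."""
    return wan_ip if enabled else src


def forward(src: str, dst: str, masq_enabled: bool) -> str:
    """Classify a packet leaving Site A's cell interface: 'ipsec' if it is
    selected into the tunnel, 'clear' if it would leave unprotected (or be
    dropped by OUT_UNTRUSTED)."""
    nat_src = masquerade(ip_address(src), SITE_A_WAN, masq_enabled)
    return "ipsec" if TUNNEL_A_TO_B.matches(nat_src, ip_address(dst)) else "clear"


if __name__ == "__main__":
    lan_host, remote_host, web = "192.0.2.10", "198.51.100.20", "203.0.113.200"
    for masq in (False, True):
        print(f"MASQ={'on' if masq else 'off'}: "
              f"{lan_host}->{remote_host} = {forward(lan_host, remote_host, masq)}, "
              f"{lan_host}->{web} = {forward(lan_host, web, masq)}")
```

With MASQ on, the LAN-to-remote-LAN packet arrives at the selector check with the WAN address as its source and misses the tunnel. With MASQ off, LAN hosts also lose plain internet access through the cell interface (their private source addresses are not routable), which is consistent with the guide's design of the cell link carrying only tunnel and management traffic.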
In this example we compare dynamically assigned versus static IP addressing.
Because the device did not automatically receive the correct static APN, it received a dynamic IP of 10.128.158.194.
Once the APN was configured manually, we received the correct IP of 18.104.22.168.
In this example we should then be able to reach https://22.214.171.124 (use your own static address here) from the internet.
*Your carrier should provide any static address or static range assignments in advance.
*The goal here is to make sure we can reach the correct WAN address. Verify the unit is online by using your phone or another internet-connected device to browse to its WAN IP.
Easy CLI Import
The CLI button on the device manager menu opens the Orbit router CLI (command line interface). This is not necessary for setting up the firewall through the web interface.
It is useful for entering script configurations, which allow speedy deployment of complex configurations.
Type Config <hit enter>
Paste Script <hit enter>
Type Commit <hit enter>
Let's review a BCI firewall policy and compare it with the default GE firewall policies. The BCI firewall CLI script used in this document can be found at the bottom of the guide.
Services/Firewall/Filter (Access Control List)
Here is a policy comparison of the default firewall versus BCI's alternative firewall.
*The reference field indicates which interface the filter is active on.
IN_TRUSTED - BCI Policy:
1. DROP all if source or destination is a DROP_LIST address.
2. ACCEPT ICMP if source is a LOCAL-NETS address.
3. ACCEPT TCP from all sources to destination port range 502-503.
4. ACCEPT TCP from LOCAL-NETS for services HTTPS and SSH.
5. DROP all from all.
*502-503 are the Modbus ports used here. If you are using a different protocol you will want to modify or remove this rule; note that as written it accepts those ports from any source, so consider restricting it to LOCAL-NETS if Modbus is only used locally.
IN_TRUSTED - GE Default Policy:
1. ACCEPT all from all.
IN_UNTRUSTED - BCI Policy:
1. DROP all if source or destination is a DROP_LIST address.
2. ACCEPT UDP DNS from all sources to all destinations.
3. ACCEPT ICMP Echo Reply from CELL-IP sources to all destinations.
4. ACCEPT ICMP Echo Request from CELL-IP sources to all destinations.
5. ACCEPT TCP from CELL-IP to the HTTPS, Netconf and SSH service ports.
6. ACCEPT UDP from CELL-IP to the DNS, IKE and NTP service ports.
7. ACCEPT ESP from CELL-IP to all destinations.
8. DROP all from all.
IN_UNTRUSTED - GE Default Policy:
1. ACCEPT ICMP from all to all.
2. ACCEPT UDP DNS service to all destinations.
3. ACCEPT TCP from all sources to the HTTPS, Netconf and SSH destination ports.
4. DROP all from all.
OUT_TRUSTED - BCI Policy:
1. DROP all if source or destination is a DROP_LIST address.
2. ACCEPT all from all.
OUT_TRUSTED - GE Default Policy:
1. ACCEPT all from all.
OUT_UNTRUSTED - BCI Policy:
1. ACCEPT all from CELL-IP addresses to all destinations (with the address set's "Add interface address" option set to true).
2. DROP GRE from all to all.
3. DROP all from all.
OUT_UNTRUSTED - GE Default Policy:
1. ACCEPT all from CELL-IP addresses to all destinations.
2. DROP all from all.
3. DROP all from all.
Services/Firewall/Address Set (IPv4)
Address sets let you use a group name in firewall policies, with the member addresses added separately.
CELL-IP address set
Add every cellular (WAN) IP address that will be used within the VPN and that is trusted.
Example: I've included our local WAN (126.96.36.199) as well.
*By adding only your own WAN IPs, you ensure that only your locations can reach the router's management interface over the public internet. Source-address filtering is a firm restriction for TCP services (HTTPS, SSH, Netconf); for UDP services such as IKE it limits exposure but does not replace a strong PSK, since UDP sources can be spoofed.
DROP-LIST address set
Use this to add untrusted device addresses. Adding an IP here ensures its traffic is dropped by every policy that starts with the DROP_LIST rule (IN_TRUSTED, IN_UNTRUSTED and OUT_TRUSTED above).
This is ideal for blocking devices that should not, or do not need to, be accessing our local or cellular network.
LOCAL-NETS address set
Add all trusted local networks here. Every VPN LAN network should be included.
Example: if we were going to add a third VPN site, SITE_C, we would also include its LAN of 188.8.131.52/24.
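To make the policy comparison and the address sets concrete, here is an added Python model (not the guide's CLI script and not the Orbit's own filter engine) that evaluates sample packets against the IN_UNTRUSTED and IN_TRUSTED policies listed above using first-match semantics. The address-set members are constructed stand-ins from the RFC 5737 documentation ranges, and the "UDP DNS" rule is modelled as destination port 53, following the wording above.

```python
"""Added example: first-match model of the BCI and GE-default Orbit filter policies."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address sets (RFC 5737 ranges stand in for the guide's addresses).
ADDRESS_SETS = {
    "CELL-IP": [ip_network("203.0.113.83/32"), ip_network("203.0.113.81/32")],  # our WAN, peer WAN
    "LOCAL-NETS": [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")],  # Site A, Site B LANs
    "DROP-LIST": [ip_network("203.0.113.66/32")],                                # a blocked host
}
MGMT = (443, 830, 22)        # HTTPS, Netconf, SSH
MODBUS = (502, 503)
UDP_SVCS = (53, 500, 123)    # DNS, IKE, NTP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp", "icmp", "esp", "gre"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None     # "echo-request" or "echo-reply"


@dataclass(frozen=True)
class Rule:
    action: str                         # "ACCEPT" or "DROP"
    proto: Optional[str] = None         # None = any protocol
    src_set: Optional[str] = None       # address-set name the source must be in
    dst_set: Optional[str] = None
    either_set: Optional[str] = None    # source OR destination in the set (DROP_LIST rule)
    dports: tuple = ()                  # destination ports, empty = any
    icmp_type: Optional[str] = None


def in_set(addr: str, name: str) -> bool:
    return any(ip_address(addr) in net for net in ADDRESS_SETS[name])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.either_set and not (in_set(pkt.src, rule.either_set) or in_set(pkt.dst, rule.either_set)):
        return False
    if rule.src_set and not in_set(pkt.src, rule.src_set):
        return False
    if rule.dst_set and not in_set(pkt.dst, rule.dst_set):
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.icmp_type and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(chain: list, pkt: Packet) -> str:
    """First matching rule wins; a chain with no match is treated as DROP."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.action
    return "DROP"


BCI_IN_UNTRUSTED = [
    Rule("DROP", either_set="DROP-LIST"),
    Rule("ACCEPT", proto="udp", dports=(53,)),   # "UDP DNS" modelled as destination port 53
    Rule("ACCEPT", proto="icmp", src_set="CELL-IP", icmp_type="echo-reply"),
    Rule("ACCEPT", proto="icmp", src_set="CELL-IP", icmp_type="echo-request"),
    Rule("ACCEPT", proto="tcp", src_set="CELL-IP", dports=MGMT),
    Rule("ACCEPT", proto="udp", src_set="CELL-IP", dports=UDP_SVCS),
    Rule("ACCEPT", proto="esp", src_set="CELL-IP"),
    Rule("DROP"),
]
GE_IN_UNTRUSTED = [
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", proto="udp", dports=(53,)),
    Rule("ACCEPT", proto="tcp", dports=MGMT),
    Rule("DROP"),
]
BCI_IN_TRUSTED = [
    Rule("DROP", either_set="DROP-LIST"),
    Rule("ACCEPT", proto="icmp", src_set="LOCAL-NETS"),
    Rule("ACCEPT", proto="tcp", dports=MODBUS),   # any source, as listed in the guide
    Rule("ACCEPT", proto="tcp", src_set="LOCAL-NETS", dports=(443, 22)),
    Rule("DROP"),
]


def compare_untrusted(pkt: Packet) -> dict:
    """Verdict of the GE default and BCI IN_UNTRUSTED policies for one packet."""
    return {"GE default": evaluate(GE_IN_UNTRUSTED, pkt), "BCI": evaluate(BCI_IN_UNTRUSTED, pkt)}


if __name__ == "__main__":
    samples = {
        "HTTPS from random internet host": Packet("203.0.113.200", "203.0.113.83", "tcp", 443),
        "IKE from the Site B peer": Packet("203.0.113.81", "203.0.113.83", "udp", 500),
        "ESP from the Site B peer": Packet("203.0.113.81", "203.0.113.83", "esp"),
        "DNS from a DROP-LIST host": Packet("203.0.113.66", "203.0.113.83", "udp", 53),
    }
    for label, pkt in samples.items():
        print(f"{label:32} {compare_untrusted(pkt)}")
```

Three things stand out when you run it. A management connection from an arbitrary internet address is accepted by the GE default IN_UNTRUSTED policy but dropped by the BCI policy, because the BCI rules require a CELL-IP source. As listed above, the GE default IN_UNTRUSTED policy has no rule for IKE (UDP 500) or ESP, so the BCI policy's CELL-IP rules are what admit the peer's tunnel traffic; if a peer ever sits behind NAT, IKE falls back to NAT-T on UDP 4500, which neither list allows. And the IN_TRUSTED Modbus rule accepts ports 502-503 from any source, including off-LAN addresses, which is why that rule is worth restricting to LOCAL-NETS when Modbus is only used locally.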
Once the device is secured and the firewall properly configured, we are ready to move on to the VPN setup.
Site to Site VPN Setup
Services/VPN Service/Basic Config/Enabled
By default, the VPN Service is disabled. Enabling it before your policies are configured will result in an error.
Once you have set up both the IKE and IPsec policies, make sure you enable the service.
Click the Enable box to turn on the VPN Service.
Services/VPN Service/Basic Config/IKE
Click the IKE check box to enable this feature.
Click the ADD button under Policy Details.
Set up a policy NAME that helps identify the tunnel.
In this example our first tunnel will be to SITE B, so I'm using the name IKE_Policy_Site_B.
Click ADD to save the policy name and expand the additional IKE policy setup.
*Use any naming scheme you want, but I prefer to name it after the connection point.