How to configure ST510 to access IPSEC server via ADSL

This is a step by step guide for anyone who has an internet connection over ADSL using the SpeedTouch 510 modem/router to allow you to network PCs on a LAN and also access an IPSEC gateway for corporate intranet access (in my case via a Nortel Contivity server).

NOTE:

1.  You need to view this doc in MS-Word to be able to view the embedded attachments and save them to your hard disk.

2.  You need to be able to telnet to your ST510 and know how to use some basic CLI commands for NAT; there is a CLI user guide available from the www.speedtouch.com support page (as well as other sources).

Here is the hardware config I have:

In my case, the ISP is Wanadoo with an ADSL line from FT at 512kbps. The ST510 is delivered by Wanadoo with a default bridging configuration; if you back up this config of the ST510, this is what you get (double click the icon below to open the file; use Save As to save it to your hard disk if you want to):

With this config you can use a hub as in the above diagram, but you must use PPPoE: use Network Connections in Windows to create a connection specifying the "Broadband" option, and Windows then creates a PPPoE connection that you use to activate the link to Wanadoo. Either PC connected to the hub can do it, but ONLY ONE AT A TIME, and whichever PC activates the link has access to the internet while the other does not. Note that this config should allow you to access your VPN over an IPSec connection (but pay attention to the VPI/VCI explanation in the next paragraphs); this has been confirmed to me by Speedtouch technical assistance and is basically because the router does not use NAT for this type of config. The problem is that without NAT it is not possible to have multiple PCs accessing the internet via a LAN connected to the ST510; only one PC at a time can activate the PPPoE connection.

I wanted a configuration where several PCs could access the internet, and after much research I found that to do this you must instead use a PPPoA configuration. Eventually I was able to download a config profile from http://www.dslsupport.co.uk/networks.asp (the first downloadable default profile on that page, "Single / Multi User - NApT with Auto DHCP and DNS (default profile)"). However, this profile would not work, and after much searching I found out that I needed to change the VPI and VCI parameters from the UK values (0*38) to the French ones (8*35) and also put the Wanadoo user id and password in the correct places; then the profile worked for internet use. I had the same hardware config as above, but now the ST510 itself established the internet connection to Wanadoo, the DHCP server in the ST510 assigned IP addresses to both PCs and both could access the internet. Here is the modified profile with the French VPI/VCI values (find them in the line --> set var="DSLAD" value="8*35"):

Here is a table of some European VPI/VCI values (the profile stores them as VPI*VCI, e.g. 8*35):

Country      Network          Encapsulation                         VPI  VCI
Belgium      Belgacom         PPPoA VCmux                           8    35
Finland      Sonera           RFC1483 bridged LLC                   0    100
France       FT               PPPoA VCmux                           8    35
Germany      DT               PPPoE LLC                             1    32
Hungary      Matav            PPPoE LLC                             1    32
Italy        Telecom Italia   PPPoA VCmux                           8    35
Netherlands  KPN              PPPoA VCmux                           8    48
Poland       TPSA             PPPoA VCmux                           0    35
Portugal     PT               PPPoE LLC                             0    35
Spain        Telefonica       RFC1483 routed VCmux or PPPoE LLC     8    32
Spain        Retevision       PPPoA VCmux                           8    35
Sweden       Telia            RFC1483 bridged LLC                   8    35
UK           BT               PPPoA VCmux                           0    38

The problem then was that access to the company VPN would not work: when you try to log in to the Contivity server it just hangs and times out.

More research on the internet and I discovered another type of PPPoA configuration called DHCP spoofing. This effectively turns off NAT: the ST510 still terminates the PPPoA session, but passes the public IP address it receives from the ISP straight through to the PC via DHCP. This does allow access to the VPN, but the problem again is that only one PC in the LAN has access to the internet. Here is the DHCP spoof config profile:

I was now pretty sure that NAT was the problem and wondered whether there was a version of the Contivity client that worked with NAT. I searched the company intranet and discovered that there was a new version 4.65 that supported something called "IPSEC NAT Traversal". I sent an email to the department supporting IPSEC asking for a copy, and a guy called Denis replied saying that v4.15 should already support NAT Traversal; he also offered to help. I reloaded the wanadoo_PPPoA_NAT_DHCP_DNS profile and Denis monitored the server while I tried to connect: he saw that my PC was trying to communicate on the wrong port. He told me what the correct ports were, and I opened a telnet session to the ST510 to use the CLI. The first thing I did was to "list" the current NAT entries, and I could see that the IPSEC related entries did not correspond to the values that Denis had given me. Here is a copy of the list output (the 81.xxx.xxx.xxx address is the IP address assigned by the ISP, the 57.xxx.xxx.xxx address is the address of the Contivity server, and the 10.0.0.x addresses are the PCs' IP addresses assigned by the DHCP server in the ST510):

Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port
1     50    10.0.0.1:1            81.xxx.xxx.xxx:1       57.xxx.xxx.xxx:1
2     17    10.0.0.1:1547         81.xxx.xxx.xxx:10002   57.xxx.xxx.xxx:500
6     17    81.xxx.xxx.xxx:53     81.xxx.xxx.xxx:10000   193.252.19.3:53
11    17    10.0.0.1:500          81.xxx.xxx.xxx:500     57.xxx.xxx.xxx:500

Denis: Protocol 50 is ESP (Encapsulated Security Payload).

Denis: Protocol 17 is UDP and port 500 is ISAKMP.

Denis: This is typically a static NAT associated with Level 4 protocol. I don't know why this configuration didn't work (maybe a bug), but as you already know, implementation of IPsec with NAT is tricky without NAT Traversal.

(the lines marked "Denis:" are comments from Denis; they were in blue in the original document)
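Why a one-address NAT/PAT can carry UDP-encapsulated IPsec for several PCs but not raw ESP, as an added illustration in Python. This is example code written for this page, not ST510 firmware behaviour and not anything Denis supplied. It models a PAT like the ST510's "type=pat" mode handing out outside ports from 10000 upwards (the 1000x ports visible in the "list" output), assumes the NAT does not track ESP SPIs, and uses 81.0.0.1, 57.0.0.1 and 10.0.0.x as constructed stand-ins for the masked addresses in the listings.

```python
"""Model of a one-address NAT/PAT to show why raw ESP (IP protocol 50) does not
multiplex behind PAT while UDP-encapsulated IPsec (NAT Traversal) does.
Added example for this page, not ST510 firmware code. Addresses are constructed
stand-ins for the masked ones in the listings; the model ignores ESP SPI tracking."""
from dataclasses import dataclass
from typing import Optional

ESP = 50                 # IP protocol number for ESP: no port field at all
UDP = 17                 # IP protocol number for UDP: 16-bit source/destination ports
WAN_ADDR = "81.0.0.1"    # constructed stand-in for the ISP-assigned 81.xxx.xxx.xxx
GATEWAY = "57.0.0.1"     # constructed stand-in for the Contivity 57.xxx.xxx.xxx
NAT_T_PORT = 10001       # UDP port Denis names for NAT Traversal on the Contivity


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    sport: Optional[int]   # None when the protocol carries no port (ESP)
    dst: str
    dport: Optional[int]


class PatTable:
    """Dynamic PAT on one public address, handing out outside ports from 10000
    upwards, which is what the 1000x ports in the page's 'list' output look like."""

    def __init__(self, outside_addr: str, first_port: int = 10000):
        self.outside_addr = outside_addr
        self._next_port = first_port
        # rows: (proto, inside_addr, inside_port, outside_port, foreign_addr, foreign_port)
        self.entries: list[tuple] = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside->foreign, creating an entry on first use.
        Returns None when the flow cannot be told apart from an existing one."""
        for proto, in_addr, in_port, out_port, f_addr, f_port in self.entries:
            if (proto, in_addr, in_port, f_addr, f_port) == (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return Packet(pkt.proto, self.outside_addr, out_port, pkt.dst, pkt.dport)
        if pkt.sport is None:
            # ESP has no port to rewrite, so a returning ESP packet from this
            # gateway can only be matched on (proto, foreign address). A second
            # LAN host to the same gateway would be indistinguishable: refuse it.
            if any(e[0] == pkt.proto and e[4] == pkt.dst and e[1] != pkt.src for e in self.entries):
                return None
            out_port = None
        else:
            out_port = self._next_port
            self._next_port += 1
        self.entries.append((pkt.proto, pkt.src, pkt.sport, out_port, pkt.dst, pkt.dport))
        return Packet(pkt.proto, self.outside_addr, out_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map foreign->public back to the inside host, or None if no entry matches."""
        for proto, in_addr, in_port, out_port, f_addr, f_port in self.entries:
            if (proto, out_port, f_addr, f_port) == (pkt.proto, pkt.dport, pkt.src, pkt.sport):
                return Packet(proto, pkt.src, pkt.sport, in_addr, in_port)
        return None


def raw_esp_two_hosts() -> tuple[bool, bool]:
    """Two LAN PCs run raw ESP to the same gateway: the first works, the second cannot."""
    nat = PatTable(WAN_ADDR)
    first = nat.outbound(Packet(ESP, "10.0.0.1", None, GATEWAY, None))
    reply = nat.inbound(Packet(ESP, GATEWAY, None, WAN_ADDR, None))
    assert reply is not None and reply.dst == "10.0.0.1"   # a single host is fine
    second = nat.outbound(Packet(ESP, "10.0.0.2", None, GATEWAY, None))
    return first is not None, second is not None


def nat_t_two_hosts() -> list[int]:
    """Same two PCs with UDP-encapsulated IPsec: each gets its own outside port and
    the gateway's replies to those ports reach the right PC. Returns the outside ports."""
    nat = PatTable(WAN_ADDR)
    ports = []
    for pc in ("10.0.0.1", "10.0.0.2"):
        out = nat.outbound(Packet(UDP, pc, 1562, GATEWAY, NAT_T_PORT))
        reply = nat.inbound(Packet(UDP, GATEWAY, NAT_T_PORT, WAN_ADDR, out.sport))
        assert reply is not None and reply.dst == pc
        ports.append(out.sport)
    return ports


if __name__ == "__main__":
    print("raw ESP (first ok, second ok):", raw_esp_two_hosts())   # (True, False)
    print("NAT-T outside ports:", nat_t_two_hosts())               # [10000, 10001]
```

The point the model makes is the one in Denis's last comment: with NAT Traversal the IPsec traffic is all UDP (ISAKMP plus the encapsulation port), so every flow gets its own dynamically allocated outside port and the PAT can route the gateway's replies back to the right PC, whereas a protocol-50 row has nothing to translate except the address.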

While I was waiting for feedback from Denis, I deleted the NAT table using the "flush" command and then tried again to connect to the Contivity server, and was very surprised to find that it worked!

Straight away I listed the NAT entries:

Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port
1     17    81.xxx.xxx.xxx:53     81.xxx.xxx.xxx:10003   193.252.19.3:53
2     17    10.0.0.1:1561         81.xxx.xxx.xxx:10005   57.xxx.xxx.xxx:500
6     17    10.0.0.1:1562         81.xxx.xxx.xxx:10006   57.xxx.xxx.xxx:10001

Denis: UDP port 53 is DNS. Created when you did the name resolution of the ERA gateway.

Denis: UDP port 500 is ISAKMP.

Denis: UDP port 10001 is used for NAT Traversal.

Denis: By removing the static NAT entry from the config file, you have fixed your problem. The only protocols used by IPsec with NAT Traversal are ISAKMP and UDP 10001, and they are now dynamically defined in the NAT/PAT table.

(the lines marked "Denis:" are comments from Denis; they were in blue in the original document)
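A small parser for the ST510 "list" output that flags the static IPsec rows of the kind the "flush" removed, and picks out the dynamic NAT Traversal flows that replaced them, so you can check a router before and after without reading the table by eye. This is an added example, not from the page and not SpeedTouch tooling; the two listings are copies of the ones above with the masked octets filled in with constructed values (81.0.0.1 and 57.0.0.1), and the rule for what counts as a static IPsec row (protocol 50, or an ISAKMP mapping pinned 500 to 500 on a LAN host) is my reading of Denis's comments, not a firmware definition.

```python
"""Parse the ST510 NAT 'list' output and flag the static IPsec mappings that the
page's 'flush' removed. Added example for this page, not SpeedTouch tooling.
The listings are copies of the two on the page with the masked octets replaced by
constructed values; the static-entry rule is my reading of Denis's comments."""
from dataclasses import dataclass

ESP, UDP = 50, 17
ISAKMP_PORT = 500
CONTIVITY_NAT_T_PORT = 10001   # UDP port Denis names for NAT Traversal on the Contivity

# Constructed copy of the first 'list' (before 'flush'); 81.xxx -> 81.0.0.1, 57.xxx -> 57.0.0.1
BEFORE_FLUSH = """\
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port
1 50 10.0.0.1:1 81.0.0.1:1 57.0.0.1:1
2 17 10.0.0.1:1547 81.0.0.1:10002 57.0.0.1:500
6 17 81.0.0.1:53 81.0.0.1:10000 193.252.19.3:53
11 17 10.0.0.1:500 81.0.0.1:500 57.0.0.1:500
"""

# Constructed copy of the second 'list' (after 'flush' and a successful VPN login)
AFTER_FLUSH = """\
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port
1 17 81.0.0.1:53 81.0.0.1:10003 193.252.19.3:53
2 17 10.0.0.1:1561 81.0.0.1:10005 57.0.0.1:500
6 17 10.0.0.1:1562 81.0.0.1:10006 57.0.0.1:10001
"""


@dataclass(frozen=True)
class NatEntry:
    index: int
    proto: int
    inside: str
    inside_port: int
    outside: str
    outside_port: int
    foreign: str
    foreign_port: int

    def is_static_ipsec(self) -> bool:
        """A raw-ESP row (protocol 50, which PAT cannot port-multiplex) or an ISAKMP
        row pinned 500->500 for one LAN host instead of a dynamically allocated port."""
        if self.proto == ESP:
            return True
        return (self.proto == UDP
                and self.inside_port == ISAKMP_PORT
                and self.outside_port == ISAKMP_PORT)


def _endpoint(field: str) -> tuple[str, int]:
    """Split 'addr:port' on the last colon."""
    addr, port = field.rsplit(":", 1)
    return addr, int(port)


def parse_nat_list(text: str) -> list[NatEntry]:
    """Rows are: Indx Prot Inside:Port Outside:Port Foreign:Port; anything else
    (the header, blank lines, interleaved comments) is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit() or not fields[1].isdigit():
            continue
        idx, proto, inside, outside, foreign = fields
        entries.append(NatEntry(int(idx), int(proto),
                                *_endpoint(inside), *_endpoint(outside), *_endpoint(foreign)))
    return entries


def static_ipsec_indexes(text: str) -> list[int]:
    """Indexes of rows that would have to be flushed before NAT Traversal can work."""
    return [e.index for e in parse_nat_list(text) if e.is_static_ipsec()]


def nat_t_flows(text: str, lan_prefix: str = "10.") -> list[tuple[str, int, int]]:
    """Dynamic UDP rows from a LAN host to the gateway's ISAKMP or NAT-T port,
    as (inside host, outside port, foreign port)."""
    return [(e.inside, e.outside_port, e.foreign_port)
            for e in parse_nat_list(text)
            if e.proto == UDP and e.inside.startswith(lan_prefix)
            and e.foreign_port in (ISAKMP_PORT, CONTIVITY_NAT_T_PORT)
            and not e.is_static_ipsec()]


if __name__ == "__main__":
    print("static IPsec rows before flush:", static_ipsec_indexes(BEFORE_FLUSH))  # [1, 11]
    print("static IPsec rows after flush: ", static_ipsec_indexes(AFTER_FLUSH))   # []
    print("NAT-T flows after flush:", nat_t_flows(AFTER_FLUSH))
    # [('10.0.0.1', 10005, 500), ('10.0.0.1', 10006, 10001)]
```

Run it on a pasted "list" capture from your own telnet session instead of the embedded constants; a non-empty result from static_ipsec_indexes is the condition the page resolved with "flush", and nat_t_flows showing a 10001 row is the sign that the client and the Contivity have actually negotiated NAT Traversal.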

I also made a backup of the config of the ST510 at this point:

When I compare it with the wanadoo_PPPoA_NAT_DHCP_DNS profile, I see that :

+ the ppp.ini section does not have - "encaps=$DSLEN"

+ the nat.ini section contains only the line - "enable addr=81.xxx.xxx.xxx type=pat" (where 81.xxx.xxx.xxx was the IP address assigned by Wanadoo during this session)

It seems that the NAT is being dynamically configured for whatever IP address is assigned by the ISP.

Final word: I don't think it will be possible to make the above PPPoA_nat-trav_wanadoo profile work in any given situation (except on my own ST510), because the ST510 seems to encrypt the password and substituting the unencrypted password in the appropriate fields does not seem to work (maybe someone knows different?). I suggest that you start with the wanadoo_PPPoA_NAT_DHCP_DNS profile and recreate the steps described above, i.e. flush the NAT and afterwards back up the config, and you should end up with a working configuration profile.

Refer also to the document about pinholing the ST510.

------

Pete Bannigan

______