How to configure ST510 to access IPSEC server via ADSL - Michel-m

This is a step-by-step guide for anyone who has an internet connection over ADSL using the SpeedTouch
510 modem/router and wants to network PCs on a LAN while also accessing an IPSEC gateway for
corporate intranet access (in my case via a Nortel Contivity server).
NOTE :
1. You need to view this doc in MS-Word to be able to view the embedded attachments and save them
to your hard disk.
2. You need to be able to telnet to your ST510 and know how to use some basic CLI commands for
NAT; there is a CLI user guide available from the www.speedtouch.com support page (as well as other
sources).
Here is the hardware config I have (diagram flattened into a chain):
Phone Line --> ADSL Filter --(ADSL)--> SpeedTouch 510 --(ethernet)--> 10BaseT Hub --(ethernet)--> PCs
In my case, the ISP is Wanadoo with an ADSL line from FT at 512kbps. The ST510 is delivered by
Wanadoo with a default bridging configuration; if you back up this config of the ST510, this is what you get
(double click the icon below to open the file, and use Save As to save it on your hard disk if you want to):
With this config you can use a hub as in the above diagram, but you must use PPPoE: use Network
Connections in Windows to create a connection specifying the "Broadband" option, and Windows then
creates a PPPoE connection that you use to activate the link to Wanadoo. Either PC connected to the hub can
do it, but ONLY ONE AT A TIME, and whichever PC activates the link has access to the internet while the other
does not. Note that this config should allow you to access your VPN over an IPSec connection (but pay
attention to the VPI/VCI explanation in the next paragraphs); this has been confirmed to me by
SpeedTouch technical assistance and is basically because the router does not use NAT for this type of
config. The problem is that without NAT it is not possible to have multiple PCs accessing the internet via a
LAN connected to the ST510: only one PC at a time can activate the PPPoE connection.
I wanted to have a configuration where several PCs could access the internet, and after much research I found
that to do this you must use a PPPoA configuration instead. Eventually I was able to download from the
internet (http://www.dslsupport.co.uk/networks.asp) a config profile (the first downloadable default profile on
this web page, "Single / Multi User - NApT with Auto DHCP and DNS (default profile)"). However, this
profile would not work, and I eventually found out after much searching that I needed to change the VPI
and VCI parameters from the UK ones (0*38) to the French ones (8*35) and also put the Wanadoo
userid and password in the correct places; then the profile worked for internet use. I had the same
hardware config as above, but now the ST510 would establish the internet connection to Wanadoo, the
DHCP in the ST510 assigned IP addresses to both PCs and both could access the internet. Here is the
modified profile with French VPI/VCI values (find it in the line --> set var="DSLAD" value="8*35") :
Here is a table of some European VPI/VCI values :
Country      Network          Encapsulation                        VPI  VCI
Belgium      Belgacom         PPPoA VCmux                          8    35
Finland      Sonera           RFC1483 bridge LLC                   0    100
France       FT               PPPoA VCmux                          8    35
Germany      DT               PPPoE LLC                            1    32
Hungary      Matav            PPPoE LLC                            1    32
Italy        Telecom Italia   PPPoA VCmux                          8    35
Netherlands  KPN              PPPoA VCmux                          8    48
Poland       TPSA             PPPoA VCmux                          0    35
Portugal     PT               PPPoE LLC                            0    35
Spain        Telefonica       RFC1483 routed VCmux or PPPoE LLC    8    32
Spain        Retevision       PPPoA VCmux                          8    35
Sweden       Telia            RFC1483 bridge LLC                   8    35
UK           BT               PPPoA VCmux                          0    38
The problem then was that access to the company VPN would not work: when you try to log in to the
Contivity server it just hangs and times out.
More research on the internet and I discovered another type of PPPoA configuration called DHCP
spoofing; this effectively turns off NAT, and the ST510 uses PPPoA and passes the IP address from the
ISP straight through to the PC. This does allow access to the VPN, but the problem again is that only one PC in the LAN
has access to the internet. Here is the DHCP Spoof config profile :
I was now pretty sure that NAT was the problem and I wondered if there was a version of the Contivity
client that worked with NAT. I searched the company intranet and discovered that there was a new version
4.65 that supported something called "IPSEC NAT Traversal". I sent an email to the department
supporting IPSEC asking for a copy, and a guy called Denis replied saying that v4.15 should already
support NAT Traversal; he also offered to help. I reloaded the wanadoo_PPPoA_NAT_DHCP_DNS
profile and Denis was able to monitor the server while I tried to connect; he saw that my PC was trying
to communicate on the wrong port. He told me what the correct ports were, and I established a telnet
session with the ST510 to use the CLI. The first thing that I did was to "list" the current NAT entries, and I could
see that the IPSEC-related entries did not correspond to the values that Denis had given me. Here is a
copy of the list output (the 81 address is the IP address assigned by the ISP, the 57 address is the address of the
server, and the 10 address is the PC's IP address assigned by DHCP in the ST510) :
Indx  Prot  Inside-address:Port   Outside-address:Port    Foreign-address:Port
1     50    10.0.0.1:1            81.xxx.xxx.xxx:1        57.xxx.xxx.xxx:1
      Protocol 50 is ESP (Encapsulated Security Payload)
2     17    10.0.0.1:1547         81.xxx.xxx.xxx:10002    57.xxx.xxx.xxx:500
6     17    81.xxx.xxx.xxx:53     81.xxx.xxx.xxx:10000    193.252.19.3:53
11    17    10.0.0.1:500          81.xxx.xxx.xxx:500      57.xxx.xxx.xxx:500
      Protocol 17 is UDP and port 500 is ISAKMP
This is typically a static NAT associated with a Level 4 protocol. I don't know why this configuration didn't
work (maybe a bug), but as you already know, implementation of IPsec with NAT is tricky without NAT
Traversal.
(the comment lines under the table entries, and the paragraph above, are comments from Denis)
While I was waiting for feedback from Denis, I deleted the NAT table using the "flush" command and then
tried again to connect to the Contivity server, and was very surprised to find that it worked !
Straight away I listed the NAT entries :
Indx  Prot  Inside-address:Port   Outside-address:Port    Foreign-address:Port
1     17    81.xxx.xxx.xxx:53     81.xxx.xxx.xxx:10003    193.252.19.3:53
      UDP port 53 is DNS. Created when you did the name resolution of the ERA gateway.
2     17    10.0.0.1:1561         81.xxx.xxx.xxx:10005    57.xxx.xxx.xxx:500
      UDP Port 500 is ISAKMP
6     17    10.0.0.1:1562         81.xxx.xxx.xxx:10006    57.xxx.xxx.xxx:10001
      UDP Port 10001 is used for NAT Traversal
By removing the static NAT entry from the config file, you have fixed your problem. The only protocols used
by IPsec with NAT Traversal are ISAKMP and UDP 10001 and they are now dynamically defined in the
NAT/PAT table.
(the comment lines under the table entries, and the paragraph above, are comments from Denis)
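The two NAT listings above are the whole diagnosis: the pre-flush table carries static 1:1 entries for ESP (protocol 50) and ISAKMP (UDP 500 mapped to outside port 500), while the working table only has dynamic PAT flows towards UDP 500 and UDP 10001. The following script is an added example (not part of this document, nor a SpeedTouch or Nortel tool) that parses listings in the column layout shown above and reports whether the table looks like the broken or the working state. The two sample listings are the page's own tables retyped as constructed input (addresses masked as on the page); the "static passthrough" heuristic and the port 10001 expectation are assumptions taken from Denis's comments, not from any vendor documentation.

```python
from typing import NamedTuple, Tuple, List

# Constructed sample input: the ST510 NAT listings from this document, retyped
# into the five-column "Indx Prot Inside Outside Foreign" layout.
NAT_BEFORE_FLUSH = """\
Indx Prot Inside-address:Port  Outside-address:Port   Foreign-address:Port
1    50   10.0.0.1:1           81.xxx.xxx.xxx:1       57.xxx.xxx.xxx:1
2    17   10.0.0.1:1547        81.xxx.xxx.xxx:10002   57.xxx.xxx.xxx:500
6    17   81.xxx.xxx.xxx:53    81.xxx.xxx.xxx:10000   193.252.19.3:53
11   17   10.0.0.1:500         81.xxx.xxx.xxx:500     57.xxx.xxx.xxx:500
"""

NAT_AFTER_FLUSH = """\
Indx Prot Inside-address:Port  Outside-address:Port   Foreign-address:Port
1    17   81.xxx.xxx.xxx:53    81.xxx.xxx.xxx:10003   193.252.19.3:53
2    17   10.0.0.1:1561        81.xxx.xxx.xxx:10005   57.xxx.xxx.xxx:500
6    17   10.0.0.1:1562        81.xxx.xxx.xxx:10006   57.xxx.xxx.xxx:10001
"""

ESP, UDP = 50, 17
ISAKMP_PORT = 500
NATT_PORT = 10001          # assumption: the NAT Traversal port Denis names above
LAN_PREFIX = "10."         # assumption: ST510 DHCP hands out 10.x addresses (as on the page)


class NatEntry(NamedTuple):
    idx: int
    proto: int
    inside: Tuple[str, int]
    outside: Tuple[str, int]
    foreign: Tuple[str, int]


def _endpoint(token: str) -> Tuple[str, int]:
    """Split 'host:port' on the last colon; the host may be a masked 'xxx' form."""
    host, port = token.rsplit(":", 1)
    return host, int(port)


def parse_nat_list(text: str) -> List[NatEntry]:
    """Parse a five-column NAT listing; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        idx, proto, inside, outside, foreign = parts
        entries.append(NatEntry(int(idx), int(proto), _endpoint(inside),
                                _endpoint(outside), _endpoint(foreign)))
    return entries


def is_static_ipsec_passthrough(e: NatEntry) -> bool:
    """Heuristic for the entries the profile pinned statically: any ESP entry,
    or an ISAKMP entry mapped 500 -> 500 without port translation."""
    if e.proto == ESP:
        return True
    return (e.proto == UDP and e.inside[1] == ISAKMP_PORT
            and e.outside[1] == ISAKMP_PORT)


def natt_flows(entries: List[NatEntry]) -> set:
    """Foreign ports of dynamic PAT flows from a LAN host to the IKE/NAT-T ports."""
    return {e.foreign[1] for e in entries
            if e.proto == UDP and e.inside[0].startswith(LAN_PREFIX)
            and e.foreign[1] in (ISAKMP_PORT, NATT_PORT)}


def assess(entries: List[NatEntry]) -> Tuple[bool, List[int], List[int]]:
    """Return (natt_ready, static entry indexes, sorted NAT-T foreign ports seen).
    natt_ready is True only when no static passthrough entry remains and both
    the ISAKMP and the NAT-T flow have been created dynamically."""
    static = [e.idx for e in entries if is_static_ipsec_passthrough(e)]
    ports = sorted(natt_flows(entries))
    ready = not static and ports == [ISAKMP_PORT, NATT_PORT]
    return ready, static, ports


if __name__ == "__main__":
    for label, listing in (("before flush", NAT_BEFORE_FLUSH),
                           ("after flush", NAT_AFTER_FLUSH)):
        ready, static, ports = assess(parse_nat_list(listing))
        print(f"{label}: NAT-T ready={ready}, static IPsec entries={static}, "
              f"IKE/NAT-T flows to ports={ports}")
```

The check deliberately treats an ESP entry as disqualifying: once the client negotiates NAT Traversal, ESP is carried inside UDP, so a protocol-50 static mapping is dead weight at best and, as on this page, a symptom of a profile that was written for a NAT-less setup. Port 10001 is what the Contivity side used here; the later standard NAT-T encapsulation (RFC 3947/3948) uses UDP 4500, so adjust NATT_PORT for other gateways.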
I also made a backup of the config of the ST510 at this point :
When I compare it with the wanadoo_PPPoA_NAT_DHCP_DNS profile, I see that :
+ the ppp.ini section does not have - "encaps=$DSLEN"
+ the nat.ini section contains only the line - "enable addr=81.xxx.xxx.xxx type=pat" (where 81.xxx.xxx.xxx
was the IP address assigned by Wanadoo during this session)
It seems that the NAT is being dynamically configured for whatever IP address is assigned by the ISP.
Final word: I don't think it will be possible to make the above PPPoA_nat-trav_wanadoo profile work in
any given situation (except for my own ST510), because the ST510 seems to encrypt the password and
substituting the unencrypted password in the appropriate fields does not seem to work (maybe someone
knows different ?). I suggest that you start with the wanadoo_PPPoA_NAT_DHCP_DNS profile and
recreate the steps as described above, i.e. flush the NAT and afterwards back up the config, and you
should end up with a working configuration profile.
Refer also to the document about pinholing the ST510.
Pete Bannigan
wanadoo@petebannigan.mailshell.com