Netzwerk-Konfiguration

Netzwerk-Übersicht

SIM-Karte aktivieren

Telekom M2M-Portal

https://portal-m2m.telekom.de

SIM-Verwaltung >> SIM auswählen >> Aktion >> SIM aktivieren

Standort eindeutig bennenen!

Ethernet-Schnittstelle

interface.eth.0.ip.static.0.ipv4=<Erste IP des Stations-Netzwerks/30>
interface.eth.0.name=eth0

WWAN Verbindung (LTE)

hardware.wwan.0.name=wwan0
interface.wwan.0.apn=internet.m2mportal.de
interface.wwan.0.ip.auto.ipv4.enable=true
interface.wwan.0.name=wwan0-0

LTE Diagnose (Signalstärke):

show hardware wwan wwan0 information

router-ISE# show hardware wwan wwan0 information
Link quality (RSSI):  -70 dBm (excellent)
    Aux:              -91 dBm (good)
Ref power (RSRP):     -96 dBm (medium)
    Aux:              -119 dBm (poor)
Ref quality (RSRQ):   -6 dB (good)
Signal/Noise (SINR):  10 dB (medium)
Band:                 1800+ (B3 20MHz)
Use technology:       LTE
Current technology:   LTE
Network offers:       LTE
Modem supports:       LTE
PIN status:           disabled; up

WWAN Diagnose (IP-Verbindung)

Interface-Informationen

show interface wwan

router-ISE# show interface wwan
--------------------------------------------------------------------------------
 Description   Value                                         Reference
--------------------------------------------------------------------------------
 Name          wwan0-0
 Hardware      wwan0
 Description
 HW addr.      ca:29:98:72:3f:0a
 APN           internet.m2mportal.de
 Username      ------
 State         UP
 Up for        15m:38s
 Auto IPv4     10.39.50.243/32                               auto.ipv4

Ping ins Internet

ping 1.1.1.1

router-ISE# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_req=1 ttl=54 time=185 ms
64 bytes from 1.1.1.1: icmp_req=2 ttl=54 time=28.1 ms
64 bytes from 1.1.1.1: icmp_req=3 ttl=54 time=29.1 ms
64 bytes from 1.1.1.1: icmp_req=4 ttl=54 time=28.6 ms
64 bytes from 1.1.1.1: icmp_req=5 ttl=54 time=28.4 ms

--- 1.1.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 28.175/60.041/185.771/62.865 ms

Externe Internet-IP (GCNAT) ermitteln:

linux-shell öffnen und "curl ifconfig.me" aufrufen
mit "exit" die linux-shell verlassen

router-ISE# linux-shell

router-ISE[~]# curl ifconfig.me
80.187.64.212router-ISE[~]#

exit

Wenn keine Internetverbindung möglich, Reset der SIM-Karte im M2M-Portal!

SIM auswählen (SIM-Details) >> Diagnose >> Status zurücksetzen

IPsec-Tunnel Konfiguration

Fortigate-Einstellungen auf SWILMFWEEG:

Neuen Ipsec-Tunnel mit Option "Custom" erstellen

Network

Authentication

PSK und PEER ID für Station eindeutig generieren und in NLT-Keepass speichern!

PSK entspricht auf Garderos Router der Option tunnel.ipsec.0.auth.psk.psk

Peer ID entspricht tunnel.ipsec.0.auth.psk.my-id

Phase 1 Proposal

Local ID entspricht auf Garderos-Router tunnel.ipsec.0.auth.psk.peer-id

Phase 2 Selectors

Zwei "Phase 2 Selectors" anlegen, für NLT-Netz und ADMIN-Netz:

Stationsnetz vorher unter "Policy&Objects/Addresses" anlegen

IPSec Tunnel wird von der Fortigate-Firewall nur akzeptiert, wenn er in mindestens einer Firewall-Policy verwendet wird!

Firewall Policies

Das zur VPN-Verbindung gehörende Tunnel-Interface in die markierten Firewall-Regeln als "From" bzw "To" Interface einfügen

Garderos Router Einstellungen:

tunnel.ipsec.0.auth.psk.my-id=EEGPVISE
tunnel.ipsec.0.auth.psk.my-id-type=fqdn
tunnel.ipsec.0.auth.psk.peer-id=ILMEEGISE
tunnel.ipsec.0.auth.psk.peer-id-type=fqdn
tunnel.ipsec.0.auth.psk.psk={enc3}ln2Nw9Scob9DXnKPdOtagrHmaQZl5uvDF2993/ZRY/FTNdV+6Ejn29t0c8zo/NTaNgjt7S2gwPcMUyiJhkcoKg==
tunnel.ipsec.0.auto-start=true
tunnel.ipsec.0.compression=false
tunnel.ipsec.0.connect-timeout=30
tunnel.ipsec.0.description=Tunnel to ILM Process Firewall
tunnel.ipsec.0.dpd.enable=true
tunnel.ipsec.0.dpd.interval=30
tunnel.ipsec.0.dpd.timeout=60
tunnel.ipsec.0.esp.0.encryption-algorithm=aes256
tunnel.ipsec.0.esp.0.hash-algorithm=sha512
tunnel.ipsec.0.esp-lifetime=14400
tunnel.ipsec.0.esp-pfs-group=ecp512bp
tunnel.ipsec.0.ike.0.dh-group=ecp512bp
tunnel.ipsec.0.ike.0.encryption-algorithm=aes256
tunnel.ipsec.0.ike.0.hash-algorithm=sha512
tunnel.ipsec.0.ike-lifetime=86400
tunnel.ipsec.0.ike-version=ikev2
tunnel.ipsec.0.name=SWI
tunnel.ipsec.0.peer.name=<öffentl.IP Prozess-FW>
tunnel.ipsec.0.policy.0.local-network=<Stations-Netzwerk>
tunnel.ipsec.0.policy.0.remote-network=<FWK-Netzwerk>
tunnel.ipsec.0.policy.1.local-network=<Stations-Netzwerk>
tunnel.ipsec.0.policy.1.remote-network=<ADMIN-Netzwerk>
tunnel.ipsec.0.source-ip=wwan0-0:auto.ipv4
tunnel.ipsec.0.type=tunnel

IPsec Diagnose

Tunnel-Zustand anzeigen:

Pro "Policy" wird ein Tunnel angezeigt, alle sollten Status "UP" haben:

router-ISE# show tunnel
--------------------------------------------------------------------------------------------------------
IPsec tunnels:
--------------------------------------------------------------------------------------------------------
                                               Source <-> Peer
 State                               Local network ========= Remote network
--------------------------------------------------------------------------------------------------------
SWI
                                         10.39.50.243 <-> 80.146.160.227
 UP                               192.168.37.84/30 ========= 192.168.37.0/30
                                         10.39.50.243 <-> 80.146.160.227
 UP                               192.168.37.84/30 ========= 192.168.36.216/29

Zur Fehlersuche Logging aktivieren
Am besten nur mit "do commit" bestätigen, nicht in startup-config schreiben!:

system.logging.0.component=net.ipsec
system.logging.0.level=debug

Logbuffer ausgeben:

show logbuffer

Ereignisse sofort im Terminal anzeigen / beenden:

terminal monitor enable
terminal monitor disable

ACL (Firewall-Regeln)

acl.ipv4.forward.0.action=DROP
acl.ipv4.forward.0.connection.0.state=invalid
acl.ipv4.forward.0.description=drop invalid packets
acl.ipv4.forward.10.action=ACCEPT
acl.ipv4.forward.10.connection.0.state=established
acl.ipv4.forward.10.connection.1.state=related
acl.ipv4.forward.10.description=allow established and related
acl.ipv4.forward.20.action=ACCEPT
acl.ipv4.forward.20.bidirectional=true
acl.ipv4.forward.20.dest-network=<Stations-Netz>
acl.ipv4.forward.20.protocol=icmp
acl.ipv4.forward.20.source-network=<FWK-Netz>
acl.ipv4.forward.30.action=ACCEPT
acl.ipv4.forward.30.description=NTP Verbindung zum FWK
acl.ipv4.forward.30.dest-network=<FWK-Netz>
acl.ipv4.forward.30.dest-ports=123
acl.ipv4.forward.30.protocol=udp
acl.ipv4.forward.30.source-network=<Stations-Netz>
acl.ipv4.forward.40.action=ACCEPT
acl.ipv4.forward.40.description=Allow 104 protocol
acl.ipv4.forward.40.dest-network=<FWK-Netz>
acl.ipv4.forward.40.dest-ports=2404
acl.ipv4.forward.40.protocol=tcp
acl.ipv4.forward.40.source-network=<Stations-Netz>
acl.ipv4.forward.41.action=ACCEPT
acl.ipv4.forward.41.dest-network=<Stations-Netz>
acl.ipv4.forward.41.dest-ports=2404
acl.ipv4.forward.41.protocol=tcp
acl.ipv4.forward.41.source-network=<FWK-Netz>
acl.ipv4.forward.100.action=DROP
acl.ipv4.forward.100.description=last rule, drop everything else
acl.ipv4.input.0.action=ACCEPT
acl.ipv4.input.0.connection.0.state=established
acl.ipv4.input.0.connection.1.state=related
acl.ipv4.input.10.action=ACCEPT
acl.ipv4.input.10.description=Allow ICMP
acl.ipv4.input.10.protocol=icmp
acl.ipv4.input.20.action=ACCEPT
acl.ipv4.input.20.description=Allow SSH
acl.ipv4.input.20.dest-ports=22
acl.ipv4.input.20.protocol=tcp
acl.ipv4.input.20.source-network=<ADMIN-Netz>
acl.ipv4.input.100.action=DROP
acl.ipv4.input.100.description=Drop everything else

Ping-Diagnose

Beim Ping die IP-Adresse von eth0 verwenden!

ping 192.168.37.1 "-I 192.168.37.85"

Netzwerk-Dienste

service.ntp.server.0.name=172.16.1.211
service.ntp.server.0.source-ip=192.168.37.85
service.ntp.server.1.name=172.16.1.212
service.ntp.server.1.source-ip=192.168.37.85

service.ssh.enable=true

Test der Einstellungen

Ping vom Garderos-Router zu den Fernwirkköpfen