General information:
SwyxConnect is used by customers as VPN endpoint. It has a Telnet (standard) or alternatively an SSH interface for configuration.
With an appropriate license SwyxConnect can provide different data services, such as VPN, DHCP or DNS. These are configured via the CLI interface (command line interface) of the devices. In order to make configuration as easy as possible, Swyx provides you with some configuration scripts as templates with which specific settings have to be made to SwyxConnect.
Configuration is done via Telnet. There are several options to access SwyxConnect via Telnet. This article describes how to install the configuration script on SwyxConnect via the network interface without multiple configuration changes.
The following steps are necessary for commissioning:
- Preparing a PC with a terminal program
- Configuration of the script file for SwyxConnect
- Installing the script file on SwyxConnect
- Implementing SwyxConnect
Requirements:
- SwyxConnect with firmware 6.80A.365.002
- Putty or alternatively Kitty as a Telnet/SSH client
- Network access to the terminal
- Activated VPN functionality
- SBC license for SIP termination from the customer network Swyx Connect device, if applicable
1. Preparing a PC for configuration
SwyxConnect is configured via Telnet. We recommend using a terminal program to access SwyxConnect. In this article the program "Kitty" (http://kitty.9bis.net/) is used. This is available in a variant that does not require installation. Furthermore, the PC must have a network interface that receives its IP address via DHCP.
1.1 Variant A: Configuration with a USB stick
If you want to use an USB flash drive to install the configuration script, your USB flash drive must be formatted to the FAT32 file system.
1.2 Variant B: Configuration with a TFTP server
A TFTP server is required for this installation method. This article uses the free program "Tftpd32" (http://www.jounin.net/). This can also be done without installation on the PC.
2. Configuration of the script file for SwyxConnect
In the appendix of this article you will find a configuration script, which describes the configuration of SwyxConnect with a VPN client for an IPSEC tunnel and a fixed IP address for integration into an existing network.
The configuration file is divided into three sections. In the first part you configure the VPN client of SwyxConnect. In the second section the WAN interface of SwyxConnect is configured. The third part describes the configuration of the LAN interfaces.
In the first section of the configuration script you configure the local IP addresses and wildcards of the subnet masks for the participating sites. In this example, the local network uses the address range 192.168.100.0, the corresponding wildcard for the subnet is 0.0.0.255. In the remote location, the address range 172.16.248.0 is used, the wildcard for the subnet is also 0.0.0.255.
Furthermore, a key must be configured to encrypt the connection, here 1234567890, followed by the public IP address of the remote location 217.6.165.240.
The following lines describe configuration parameters for the VPN connection, such as the encryption algorithm, authentication parameters and timeouts. A detailed description of other configurable parameters and other VPN connection types can be found in the manufacturer's manual. You can get this from Knowledgebase article SwyxConnect 5xxx/8xxx Manuals (kb4530). With the "set peer" command, the public IP address of the remote location must be configured again.
access-list ACCESSLIST permit ip 192.168.100.0 0.0.0.255 172.16.248.0 0.0.0.255
crypto isakmp key 1234567890 address 217.6.165.240
crypto isakmp keepalive retry-interval 60
crypto isakmp policy 1
authentication pre-share
hash sha256
group 5
lifetime 86400
exit
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
exit
crypto map MAP 1 ipsec-isakmp
set peer 217.6.165.240
set transform-set SET
set pfs group5
set security-association lifetime seconds 3600
match address ACCESSLIST
exit
In the following section for the configuration of the WAN interface only the public IP address and corresponding subnet mask of SwyxConnect has to be specified. In this example, this is the IP address 217.6.165.241 and the subnet mask 255.255.255.0.
interface GigabitEthernet 0/0
ip address 217.6.165.241 255.255.255.0
mtu 1400
desc "WAN Copper"
speed auto
duplex auto
no service dhcp
no ip dns server
no napt
crypto map MAP
firewall enable
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/0 1
In the last section, the properties for the local network interfaces are configured. The IP address of SwyxConnect is 192.168.100.198 and the subnet mask of your local network 255.255.255.0. The command "ip name-server 192.168.100.216 192.168.100.205" configures primary and secondary DNS servers.
interface VLAN 1
ip address 192.168.100.198 255.255.255.0
mtu auto
desc "LAN switch VLAN 1"
no service dhcp
ip dns server static
ip name-server 192.168.100.216 192.168.100.205
no napt
no firewall enable
no link-state monitor
no shutdown
exit
exit
Important: In the default factory settings of SwyxConnect licensed for data services, a DHCP server is enabled on the LAN interfaces. Please don't connect the device to your network right away.
1. Connect the prepared PC to the first network interface of SwyxConnect.
2. Then connect SwyxConnect to the power supply. After booting, it will provide the connected PC with an IP address. Usually, the IP address is 192.168.0.3. SwyxConnect can be reached under the IP address 192.168.0.2.
3. Start the terminal program, configure the IP address of SwyxConnect and select the connection type Telnet.
Fig. 1: Terminal client
4. After clicking on "Open", please enter your user name into the command line. Both the user name and password are "Admin". Please note that entries are case-sensitive. In order to change the configuration, type the command "enable" and enter your password once again. This password is also "Admin".
Fig. 2: Telnet login
3.1 Version A: Installation with an USB flash drive
1. Copy the edited configuration script to the USB flash drive.
2. Plug your USB flash drive into the USB port of SwyxConnect.
3. Now copy the configuration script to SwyxConnect by typing the command:
copy cli-script from usb:///Swyx_AudioCodes_VPN_TemplateSha256.txt
Fig. 3: Copying the configuration script
reload now
Fig. 4: Save and Reboot
3.2 Version B: Installation with a TFTP server
1. Save the edited configuration script in the same directory as the TFTP server.
2. Start the TFTP server.
Fig. 5: TFTP Server
copy cli-script from tftp://192.168.0.3/Swyx_AudioCodes_VPN_TemplateSha256.txt
Fig. 6: Copying the configuration script
reload now
Fig. 7: Save and Reboot
4. Operating SwyxConnect
After rebooting, you may add SwyxConnect to your network. Connect the WAN interface to the network containing the configured public IP address. Your local network will be connected to the first LAN interface of SwyxConnect. You can now reach SwyxConnect via the configured IP address.
In order to send all required data from your network through the VPN tunnel to SwyxConnect, you have to create a routing entry on your standard gateway by entering the IP address of SwyxConnect as gateway. For the above example, this would be as follows:
Network destination Netmask Gateway Interface Metric
172.16.248.0 255.255.255.0 192.168.100.198 127.0.0.1 256
Important information: All required routes to different subnets must be explicitly added on the SwyxConnect device.
Please refer to the knowledge base article for the configuration of the gateway functionality.
Helpful VPN commands for debugging and monitoring
In a Telnet/SSH session, the following commands are useful for debugging purposes. Admin rights are required for this.
Check the status
1. show data crypto status --> shows the current status of the VPN connection
2. show running-config --> shows the complete configuration for the device
3. show running-config data --> shows the configuration for the VPN part
Create traces for debugging
A TFTP server is required for this.
1. Select inside and outside interface for tracing (as long as the device is not rebooted, the capture can be started and stopped on demand):
a. do debug capture data physical eth-wan
b. do debug capture data physical eth-lan
2. Start tracing for these interfaces:
a. do debug capture data physical start
3. Save the capture with:
a. do debug capture data physical stop <address of the TFTP server>
4. Clear the trace from the internal memory of the AudioCodes device
a. debug capture data physical clear
5. Turn on cycling of traces
a. debug capture data physical cyclic-buffer
6. Turn off cycling of traces
a. no debug capture dta physical cyclic-buffer
Create syslog for data feature
Please configure debug data-syslog in the CLI to add debug messages for the VPN connection to the syslog.
Enable enhanced console logging
1. debug rmx-serial tap
a. This outputs very datailed debug mesages to the terminal
b. Increase the option "Lines of scrollback" in putty to a high value (e.g. 20000000)
c. After this the output can be copied from the terminal window to a text file
Live debugging of the VPN connection
Sometimes it can be useful to perform a live debugging of the VPN connection.
Therefore following commands are helpful:
1. Show general information for the data connection (e.g. TX/RX packets)
a. show data crypto debug
2. Live monitoring of internal network interface. E.g. VPN is setup, but packets are not transferred to devices in the customer office network. This example is for ICMP packets.
a. debug capture data interface vlan 1 proto icmp host any
3. Determine if packets are encapsulated and sent via IPSEC
a. debug capture data interface gigabitehternet 0/0 ipsec proto all host any
4. Test, if the SwyxConnect Gateways can ping the remote SwyxServer in the datacentre. If this is the case, then the tunnel is setup and there may be a routinig issue.
a. ping SwyxServer IP in the data centre source data soure-address interface vl 1
Track historic downtimes
1. conf data
2. track 1 lcmpEcho SwyxON VPN Concentrator GigabitEthernet 0/0 interval 1 retries 0
3. sh d track 1 history
Example output:
| New state | Date and Time [MM-DD-YYYY@hh:mm:ss] | |
| Up | 01-01-2010@04:20:20 | |
| Down | 01-01-2010@04:20:46 | This indicates a downtime at the shown time |
| Up | 01-01-2010@04:20:56 |
Configuration Templates for different network scenarios including Dead Peer Detection (DPD)
Previously the DPD setting default was disabled due to connectivity issues. With the newer firmware these issues have been solved and the DPD should be enabled for all Audio Codes Gateways to ensure a fast VPN reconnect after unexpected CISCO downtimes.
The templates for the different scenarios can be downloaded on this page.
- Scenario 1: SwyxConnect has an own fixed PublicIP connected to GigabitEthernet 0/0. Please use Swyx_AudioCodes_VPN_TemplateSha256
- Scenario 2: SwyxConnect has no own fixed public IP and is connected to a modem with a public fixed IP via GigabitEthernet 0/0. Please use Swyx_AudioCodes_VPN_TemplateSha256_Nat_SameNet_DPD_ON
- Scenario 3: SwyxConnect has no own fixed public IP and is connected to a modem with a public fixed IP, via GigabitEthernet 0/0 but clients are located in a completely separated network (NAT). Please use Swyx_AudioCodes_VPN_TemplateSha256_Nat_SeparateNet _DPD_ON
- Scenario 4: SwyxConnect is the main internet router and terminates the pppoe connection. All users are connected to the device. Internet and VPN is running on the same device. NAPT is required. Please use Swyx_AudioCodes_VPN_TemplateSha256_NAPT_DPD_ON
How to enable DeadPeerDetection (DPD)
Activation Update Script
configure data crypto isakmp keepalive retry-interval 60 crypto isakmp keepalive threshold 100exitwrexitExample: DPD is enabled
Enable Debug for ipsec and data-syslog on Audio Codes. Details for debugging and logging are above in this article.
Comments
0 comments
Article is closed for comments.