83.19. How to configure a Remote Access Server (RAS)

83.19.1. How to configure a RAS using IPSEC VPN server

Enter into the Abilis control-program or open the configuration file with the Console configurator and type the following commands.

a res:ipsec

or

s act res:ipsec

Add the IPSEC resource.

or

If the resource already exists, set it active.

s p ipsec act:yesEnable the IPSEC runtime functionalities.
a res:ike

or

s act res:ike

Add the IKE resource.

or

If the resource already exists, set it active.

s p ike act:yesEnable the IKE runtime functionalities.
s p ip-3 ipsec:yesEnable the IPSEC functionality in the IP resource associate to the WAN connection (e.g. IP-3).
Add an entry in the IKE Host and IKE Client tables for each client that you want to enable.
a ike host:0 name:user_1Add an entry in the IKE Host table.
s ike host:0 loc-ip:80.80.80.80 rem-ip:*Configure the local and remote IP addresses.
s ike host:0 auth:psk hash:sha1 dh:modp1024 cipher:aes256Configure the authentication type.
s ike host:0 side:insideConfigure NAT settings.
s ike host:0 id-type:ip ip:80.80.80.80Configure the local ID.
s ike host:0 peer-id-type:ip peer-ip:192.168.200.1Configure the remote ID.
a ike cli:0 name:user_1Add an entry in the IKE Client table.
s ike cli:0 host-id:0 tunnel:yesConfigure the Host ID and enable the tunnel mode.
s ike cli:0 net-loc:192.168.1.0/24 net-rem:192.168.200.1/32Configure the local and remote addresses and masks.
a ipr net:192.168.200.1/32 ip:3Add a static route for remote host (if it's necessary).
 Repeat the previous commands for each client.
a ike psk:0 key:preshared_key id-type:anonymousAdd the Preshared Key.
save confSave the configuration.

On a working Abilis, a system restart is required to make the IPSEC and IKE resources running.

[Caution]Caution

The IPSEC connection works ONLY if the LAN, where the PC client is connected to, is different from the LAN of Abilis (e.g. In the previous case if the PC client IP address belongs to the 192.168.1.0/24 the IPSEC connection doesn't work!).

[Tip]Tip

To configure IPSEC clients refer to Chapter 90, IPsec clients.

83.19.2. How to configure a RAS using IPSEC VPN server with iPhone/iPad or Mac

Enter into the Abilis control-program or open the configuration file with the Console configurator and type the following commands.

a res:ipsec

or

s act res:ipsec

Add the IPSEC resource.

or

If the resource already exists, set it active.

s p ipsec act:yesEnable the IPSEC runtime functionalities.
a res:ike

or

s act res:ike

Add the IKE resource.

or

If the resource already exists, set it active.

s p ike act:yesEnable the IKE runtime functionalities.
s p ike nrty:5Set the maximum number of packet retransmissions.
s p ip-3 ipsec:yesEnable the IPSEC functionality in the IP resource associate to the WAN connection (e.g. IP-3).
Add an entry in the IKE Host and IKE Client tables for each client that you want to enable.
a ike host:0 name:testAdd an entry in the IKE Host table.
s ike host:0 loc-ip:80.80.80.80 rem-ip:*Configure the local and remote IP addresses.
s ike host:0 auth:psk hash:sha1 dh:modp1024 cipher:aes256Configure the authentication type.
s ike host:0 side:insideConfigure NAT settings.
s ike host:0 xauth:server xauth-user:test xauth-pwd:passwordSet host connection.
s ike host:0 mode-cfg:srv-requestSet the type of mode.
s ike host:0 dpd-action:restartSet the time interval of missing DPD replies after which peer is declared dead.
a ike cli:0 name:testAdd an entry in the IKE Client table.
s ike cli:0 host-id:0 tunnel:yes pfs:noConfigure the Host ID, enable the tunnel mode and disable Perfect Forward Secrecy
s ike cli:0 net-loc:0.0.0.0/0 net-rem:192.168.200.1/32Configure the local and remote addresses and masks.
a ipr net:192.168.200.1/32 ip:3Add a static route for remote host (if it's necessary).
 Repeat the previous commands for each client.
a ike psk:0 key:preshared_key id-type:anonymousAdd the Preshared Key.
save confSave the configuration.
[Tip]Tip

To configure iPhone/iPad native VPN IPsec client refer to Section 90.3, “iPhone/iPad native IPsec VPN client with Main Mode”.

83.19.3. How to configure a RAS using PPPoE connections with an Ethernet/WiFi network

Enter into the Abilis control-program or open the configuration file with the Console configurator and type the following commands.

a res:poeac-1Add a POEAC resource (e.g. POEAC-1).
s p poeac-1 act:yesEnable the POEAC-1 runtime functionalities.
s p poeac-1 ethres:eth-1Configure the Eth-1 as the POEAC-1 lower resource.
s p poeac-1 max-ipres:10Configure the maximum number of clients.
s p poeac-1 acname:wlan descr:wlan_usersConfigure the name of the Access Concentrator and the description of the POEAC-1 resource.
Add an IP over PPP resource and an user in the Users Table for each client that you want to enable.
a res:ip-101 subtype:pppAdd an “IP over PPP” resource (e.g. IP-101).
s p ip-101 lowres:poeac-1Configure the POEAC-1 as the IP-101 lower resource.
s p ip-101 ipadd:192.168.101.1Configure the PPPoE server IP address.
s p ip-101 neigh:192.168.101.11Configure the PPPoE client IP address.
s p ip-101 servicename:user_1Configure the PPPoE Service name.
s p ip-101 tcp-mss-clamp:yesActivate the TCP MSS clamping procedure.
s p ip-101 dns:provideProvide the DNS service to the client.
s p ip-101 local:none remote:chapConfigure the local and remote authentication protocol.
s p ip-101 descr:user_1Configure the description of the IP resource.
a user:user_1 pwd:user_1Add the user in the Users Table.
s user:user_1 ppp:yes ppp-res:ip-101Enable the user to PPP service and associate the user to the IP-101 resource.
 Repeat the previous commands for each client.
s p iprtr PPP-DNS-PRI:62.94.0.1 PPP-DNS-SEC:62.94.0.2Configure the DNS servers provided to the remote clients.
save confSave the configuration.

On a working Abilis, a system restart is required to make the POEAC-1 and IP resources running.

[Tip]Tip

Remember to configure NAT settings.

[Tip]Tip

To configure PPPoE clients refer to Chapter 91, PPPoE clients.

83.19.4. How to configure a RAS using ISDN network

Physical connections:

  • Verify that an ISDN card (QPRIX, PB44X, BRI-HFC4, BRI-HFC8) is installed in the Abilis. If the card isn't present, insert it in a free PCI slot.

  • Connect the ISDN card to NT devices.

  • The remote PC must be connected to an ISDN router or to a TA adapter able to generate ISDN calls.

Enter into the Abilis control-program or open the configuration file with the Console configurator and type the following commands.

 Add an “IP over PPP” resource for each client that you want to enable.
a res:ip-201 subtype:pppAdd an “IP over PPP” resource (e.g. IP-201).
s p ip-201 lowres:ctislinkConfigure the CtiSlink as the lower resource.
s p ip-201 dial-in:yes dial-out:noEnable the incoming calls and disable the outgoing calls.
s p ip-201 cgi:01765432Configure the calling number.
s p ip-201 ipadd:192.168.201.1Configure the server IP address and mask.
s p ip-201 neigh:192.168.201.11Configure the client IP address.
s p ip-201 username:provider_user password:provider_pwdConfigure the login information.
s p ip-201 tcp-mss-clamp:yesActivate the TCP MSS clamping procedure.
s p ip-201 dns:provideProvide the DNS service to the client.
s p ip-201 local:none remote:chapConfigure the local and remote authentication protocol.
s p ip-201 descr:user_1Configure the description of the IP resource.
Repeat the previous commands for each client.
s p iprtr PPP-DNS-PRI:62.94.0.1 PPP-DNS-SEC:62.94.0.2Configure the DNS servers provided to the remote clients.
save confSave the configuration.

On a working Abilis, a system restart is required to make the IP resources running.

[Tip]Tip

Remember to configure NAT settings.