GPRS / 3G Services: VPN solutions supported
An O2 White Paper
Contents
Chapter No.: Page No.
1. Executive summary: 3
2. O2 Bearer Service: 4-6
2.1. Introduction: 4
2.2. Datalink: 5
2.3. Resilient Datalink: 6
2.4. VPN support: 6
3. O2 Mobile Web service: 7-10
3.1. Introduction: 7-8
3.2. VPN support: 9
3.2.1. IPSec based VPN solutions: 9
3.2.2. PPTP and SSL based VPN solutions: 9
3.3. IP addresses allocated to Mobile Web users: 10
4. O2 Mobile Web VPN service: 11-14
4.1. Introduction: 11-12
4.2. VPN support: 13
4.2.1. Introduction: 13
4.2.2. IPSec, PPTP and SSL Based VPN Solutions: 13
4.3. IP addresses allocated to Mobile Web VPN users: 14
5. Service comparison: 15
6. Glossary of terms: 16
1. Executive summary
Virtual Private Network (VPN) technology has emerged as one of the most effective and popular ways of allowing remote users to securely access corporate email and Intranet resources. Many organisations already access their corporate network via fixed line technologies (e.g. PSTN, ISDN or a broadband connection) and are looking to capitalise on their existing investment in a VPN infrastructure. A VPN solution used in conjunction with O2’s GPRS/3G services allows people to connect to the LAN environment in a secure and simple manner whilst away from the office or home environment. Currently, O2’s GPRS/3G portfolio consists of three service offerings:
• O2 Bearer Service: O2 provides private circuit(s) to connect the customer network to O2’s network. The customer can select between 2 bearer service products:
– DataLink – consists of a single leased line and a router installed on the Customer Premises.
– Resilient DataLink – resilience is provided via the use of two leased lines and two routers.
• O2 Mobile Web service: full Internet access is provided and VPN solutions can be used in conjunction with this service.
• O2 Mobile Web VPN service: this service was specifically introduced to allow customers to access their LAN environment via VPN technology.
This paper provides a brief description of the O2 GPRS/3G services and considers how VPN solutions can be used in conjunction with each of these services.
2. O2 Bearer Service
2.1. Introduction
O2’s Bearer Service offers business customers a high quality private mobile data connection to their own private domain. O2’s Bearer Service can be used to support both GPRS and 3G data traffic (i.e. the same infrastructure supports both 3G and GPRS users). The key aspects of O2’s Bearer Service are as follows:
• Each connection is defined by a unique, private Access Point Name (APN).
• Connectivity is provided via a physical leased line that connects the O2 network with the customer’s LAN.
• Customers can define which Subscriber Identification Module (SIM) cards are able to access their APN.
• The service can be configured to precisely match a customer’s requirements – in terms of security for instance.
• Dynamic or static mobile device IP allocation.
• Private or Public IP Addresses for the mobile devices.
• The service does not provide any direct access to the Internet.
• All private Bearer Services connect to resilient GPRS Gateway Support Nodes (GGSNs) in the O2 network.
This service is designed for customers that require a private connection to their company LAN, which will offer them the highest quality of service and most consistent data communications performance. O2’s Bearer Service is delivered and managed end-to-end by O2 to ensure the smoothest service delivery and shortest problem resolution timescales. O2 proactively monitors the status of the service and produces detailed usage reports to ensure suitable service levels are maintained at all times. The leased line infrastructure offers the highest level of availability via two basic types of physical connection: DataLink (refer to section 2.2) and Resilient DataLink (refer to section 2.3).
The installation of this service offers customers the opportunity to design the mobile data connectivity service of their choice. Almost every aspect of the service can be configured to the customer’s requirements as this is a private service that connects customers to the O2 GPRS and 3G networks directly, using physical leased line infrastructure.
Customers wishing to order O2 Bearer Services should discuss their options with their O2 Account Manager in the first instance. A detailed ‘Application For Service’ form is used to capture customer requirements and service can be provided in 43 working days after this form has been processed.
Customer configuration choices include:
• APN name (normally the same as their Internet registered Domain Name).
• Private (restricted) or Public (open) APN access.
• O2 or customer hosted RADIUS authentication.
2.2. DataLink
Connectivity for Bearer Service customers is via a single or multiple leased lines (128 kbit/s, 256 kbit/s, 512 kbit/s, 2 Mbit/s, 4 Mbit/s etc.), terminating on a single router that is installed at the customer’s premises. Once installed, the router presents an Ethernet connection to the customer’s LAN. Figure 1 details, at a top level, a typical GPRS/3G Bearer Service connection. Each DataLink can support multiple APNs, each with its own Bearer Service definition. This is useful where customers wish to provide separation of service to different internal departments, external customers or application user bases.
[Figure 1 diagram; elements shown: Remote User, O2 Data Network, GRE Tunnel, Leased Line, Firewall, Radius Server, DHCP Server, Corporate Network.]
Figure 1: Top Level Overview of a typical GPRS/3G Bearer Service connection.
2.3. Resilient DataLink
For those customers requiring the very highest levels of availability, O2 offers a Resilient DataLink leased line option to Bearer Service customers. Two links and routers are provided as part of this solution.
The two links and routers can be terminated at the same site. However, it is strongly recommended that they are deployed in different computer rooms which are served by different exchanges and duct routes. LAN connectivity is required between the two O2 routers and Hot Standby Routing Protocol (HSRP) provides resilience against router failure by allowing two or more routers to share the same virtual IP address (and MAC address) on the same Ethernet LAN segment.
2.4. VPN support
O2 does not impose any restrictions on the type of data or ports that can be used for data transfer between the mobile devices and the corporate network. Consequently, it is straightforward to use any type of VPN solution with O2’s bearer service.
3. O2 Mobile Web service
3.1. Introduction
O2’s Mobile Web service allows customers to get onto the Internet via GPRS and/or 3G (refer to Figure 2). In this instance customers do not have their own APN. The key aspects of the service are detailed below:
• Users can ‘surf’ the Internet, access FTP servers, access e-mail and generally utilise Internet resources.
• This is a public service and can be used by any O2 pay monthly customer. The APN associated with the service is mobile.o2.co.uk
• If customers have an Internet facing VPN gateway then they might already support remote access via the Internet. If this is the case they should be able to use the Mobile Web service to allow people to access their network via GPRS.
• The Mobile Web APN is associated with all new O2 pay monthly SIM cards. If customers do not wish this APN to be available to users they should specify this requirement prior to SIMs being provisioned. The O2 Mobile Web service uses private IP addressing and Port Address Translation (PAT) when users access Internet resources. PAT was defined by the Internet Engineering Task Force (IETF) as a way to convert private IP addresses to public routable Internet addresses and enables organisations to minimise the number of Internet IP addresses they require, e.g. by using PAT, companies can connect thousands of systems/users to the Internet via a few IP addresses.
The use of PAT has major implications as although PAT provides many benefits, some applications, including IPSec VPNs, can experience issues when PAT is being used. The issues surround trying to ensure packet integrity – when a packet passes through a PAT device, in this instance the O2 firewall that is used in the Mobile Web environment, the original IP address is modified. This is not allowed when using IPSec VPN solutions, because any modification of the packet will result in a failed integrity check and will prevent the VPN tunnel from being created. As a consequence IPSec and PAT can function together only when PAT occurs before the packet is encrypted. Whilst this will normally work fine in gateway-to-gateway communications, remote access solutions are problematic because the IPSec VPN client on a remote laptop will encrypt the packet before it travels to the PAT device, subsequently breaking the IPSec VPN connection.
To enable IPSec VPNs to work with Network Address Translation (NAT) or PAT devices, a solution called NAT Traversal was developed – it should be noted that this is sometimes also known as UDP encapsulation. The main technology behind this solution is UDP (User Datagram Protocol) encapsulation, wherein the IPSec packet is encapsulated inside a UDP/IP header, allowing NAT or PAT devices to change IP or port addresses without modifying the IPSec packet. In order for NAT Traversal to work properly the VPN solution (i.e. client and server) must be configured for NAT Traversal working.
By default Mobile Web users enjoy an optimised experience when accessing Internet content at no extra cost. This network hosted optimisation can speed up the delivery of Web pages by optimising graphic images and compressing text content. It can however degrade the image quality in Web pages and interfere with some other Internet applications. If this is experienced, the optimisation platform can be bypassed by changing the user name in the Mobile Web settings of the handset/device, as follows:
– Default settings (includes optimisation): User name: o2web; Password: password
– No optimisation required: User name: bypass; Password: password
[Figure 2 diagram; elements shown: Remote User, O2 Data Network, O2 Mobile Web Service, Firewall, Radius Server (allocates Private IP Addresses), Internet.]
Figure 2: Top Level Overview of O2’s Mobile Web Service.
3.2. VPN support
3.2.1. IPSec based VPN solutions
Unless customers wish to support split tunnelling they are recommended to use O2’s Mobile Web VPN service in conjunction with their IPSec based VPN solution (refer to section 4 for more information on O2’s Mobile Web VPN solution).
Split tunnelling is the process of allowing a remote VPN user to access the Internet at the same time that the user is allowed to access resources on the corporate LAN via the VPN solution. This method of network access enables the user to access remote resources, such as e-mail, at the same time as accessing the public network. An advantage of using split tunnelling is that it alleviates bottlenecks and conserves bandwidth as Internet traffic does not have to pass through the VPN server. A disadvantage of this method is that the corporate LAN IP policy is not imposed on the user as they access the Internet directly.
If IPSec VPN solutions are to be used in conjunction with O2’s Mobile Web service, NAT Traversal, sometimes known as UDP encapsulation, must be utilised. NAT Traversal allows IPSec based VPN solutions to be used in situations where NAT and PAT are being utilised. However, it is not without its issues – for example, private address space can overlap and create routing issues, and NAT Traversal is not supported with AH (Authentication Header) IPSec connections. If customers are not sure whether their IPSec based VPN solution supports NAT Traversal they should consult with their VPN vendor or Systems Integrator.
3.2.2. PPTP and SSL based VPN solutions
Customers can use Point-to-Point Tunnelling Protocol (PPTP) and SSL based VPN solutions in conjunction with O2’s Mobile Web Service.
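The PAT problem described in section 3.1 and the NAT Traversal and AH points made in 3.2.1 can be made concrete with a small model. The Python script below is an added example for this page, not O2 code and not a real IPSec implementation: the packets are dictionaries, the Integrity Check Value (ICV) is a truncated HMAC, and the addresses (10.1.2.3, 203.0.113.10, 82.132.139.7) and the demo key are constructed. It shows why an AH integrity check fails once a NAT device rewrites the source address, why raw ESP cannot be carried by a port-based PAT at all, and how wrapping ESP in UDP port 4500 lets the PAT device rewrite the outer address and port without touching the protected packet.

```python
"""Model of why IPSec breaks behind PAT and how NAT Traversal (UDP
encapsulation) avoids it. Constructed example: 'packets' are dicts and the
integrity check is a truncated HMAC standing in for the AH/ESP ICV."""
import hashlib
import hmac
import socket

# Constructed demo key. In a real deployment the integrity key is negotiated
# by IKE (UDP port 500 / 4500), never hard-coded.
KEY = b"demo-integrity-key"


def icv(data: bytes) -> bytes:
    """Integrity Check Value: HMAC-SHA256 truncated to 96 bits, as IPSec does."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def ip_header(src: str, dst: str) -> bytes:
    """Minimal stand-in for the immutable fields of the outer IP header."""
    return socket.inet_aton(src) + socket.inet_aton(dst)


def build_ah(src: str, dst: str, payload: bytes) -> dict:
    """AH (IP protocol 51): the ICV covers the IP header as well as the payload."""
    hdr = ip_header(src, dst)
    return {"ip": hdr, "payload": payload, "icv": icv(hdr + payload)}


def verify_ah(pkt: dict) -> bool:
    return hmac.compare_digest(icv(pkt["ip"] + pkt["payload"]), pkt["icv"])


def build_esp(src: str, dst: str, payload: bytes) -> dict:
    """ESP (IP protocol 50): the ICV covers the ESP payload only, not the outer IP header."""
    return {"ip": ip_header(src, dst), "payload": payload, "icv": icv(payload)}


def verify_esp(pkt: dict) -> bool:
    return hmac.compare_digest(icv(pkt["payload"]), pkt["icv"])


def nat_t_encapsulate(esp_pkt: dict, src_port: int = 4500) -> dict:
    """NAT Traversal: add a UDP header (destination port 4500) so that a PAT
    device has ports to rewrite. The ESP packet itself is left untouched."""
    return dict(esp_pkt, udp=(src_port, 4500))


def nat_rewrite_address(pkt: dict, public_src: str) -> dict:
    """One-to-one NAT: replace only the private source address."""
    return dict(pkt, ip=socket.inet_aton(public_src) + pkt["ip"][4:])


def pat_rewrite(pkt: dict, public_src: str, new_src_port: int):
    """PAT (what the Mobile Web firewall does): share one public address among
    many users by rewriting address AND source port. With no transport header
    there is no port to rewrite, so the packet cannot be translated at all."""
    if "udp" not in pkt:
        return None
    out = nat_rewrite_address(pkt, public_src)
    out["udp"] = (new_src_port, pkt["udp"][1])
    return out


def demo() -> dict:
    """Run the cases from the text; values are True/False/None outcomes."""
    private_src = "10.1.2.3"          # constructed: private address given to the handset
    vpn_gateway = "203.0.113.10"      # constructed: corporate VPN gateway (documentation range)
    public_src = "82.132.139.7"       # constructed, picked from the Mobile Web PAT range in the text
    payload = b"GET /owa/ HTTP/1.1"   # constructed inner traffic
    results = {}
    # 1. AH through any address rewrite: the ICV covered the source address, so it fails.
    ah = build_ah(private_src, vpn_gateway, payload)
    results["ah_after_nat"] = verify_ah(nat_rewrite_address(ah, public_src))
    # 2. ESP survives a pure address rewrite because its ICV excludes the outer IP header...
    esp = build_esp(private_src, vpn_gateway, payload)
    results["esp_after_nat"] = verify_esp(nat_rewrite_address(esp, public_src))
    # 3. ...but PAT needs a port to multiplex on, and raw ESP has none.
    results["esp_through_pat"] = pat_rewrite(esp, public_src, 40001)
    # 4. ESP inside UDP/4500: PAT rewrites outer address and port, the gateway still verifies the ICV.
    translated = pat_rewrite(nat_t_encapsulate(esp), public_src, 40001)
    results["natt_through_pat"] = translated is not None and verify_esp(translated)
    results["natt_outer_udp"] = translated["udp"] if translated else None
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Case 1 is the reason NAT Traversal cannot help an AH connection: the header fields the NAT must change are exactly the ones AH protects. Cases 3 and 4 are the practical point for a remote access client on Mobile Web: the client and the gateway both need NAT-T enabled so that ESP leaves the handset inside UDP/4500 rather than as bare protocol 50.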
3.3. IP addresses allocated to Mobile Web users
Users are allocated a dynamic, private unregistered IP address when a data session is initiated. However, it should be noted that users of O2’s Mobile Web service will be allocated a public IP address, via an O2 Internet facing firewall, when they access Internet resources. The public IP addresses will be allocated from the following ranges:
– 82.132.136.128 to 82.132.136.191
– 82.132.136.192 to 82.132.136.223
– 82.132.139.0 to 82.132.139.255
4. O2 Mobile Web VPN service
4.1. Introduction
O2’s Mobile Web VPN service was specifically developed to allow customers to use their VPN solutions with GPRS and 3G – assuming the customer’s VPN solution can be utilised by people connected to the Internet (refer to Figure 3). The key aspects of the service are as follows:
• Customers do not have their own APN.
• This is a public service and can be used by any O2 pay monthly customer. The APN associated with the service is vpn.o2.co.uk and a user name of user and password of password should be used.
• Users are allocated a public IP address and are on the Internet.
• It is possible to confirm connectivity exists between the VPN client and server via the ping command.
• Users cannot directly ‘surf’ the Internet, access FTP servers, access e-mail or utilise Internet resources:
– At the request of customers the service was set up so only VPN protocols can be used when users first establish their GPRS or 3G connection, i.e. the firewall associated with the service will block all other traffic.
– Once the VPN session is in place, users will be able to browse the Intranet/Internet and access other corporate resources – assuming the corporate security policy allows such transactions to take place.
– Split tunnelling will not work as users are not able to access Internet resources directly.
[Figure 3 diagram; elements shown: Remote User, O2 Data Network, O2 Mobile Web VPN Service, Firewall, Radius Server (allocates Public IP addresses), Internet, VPN Tunnel, VPN Server, Corporate Network.]
Figure 3: A VPN Tunnel Established between a Remote User and the Corporate LAN.
The O2 Mobile Web VPN service does not include any optimisation capability, delivers public registered IP addresses to mobile devices and allows access only to VPN applications. The service offers businesses the ability to provide secure LAN access to their users via the Internet and control their usage through the application of their internal IT policy. Access to Mobile Web VPN can be requested via O2 Customer Services and is usually provisioned within 24 hours.
4.2. VPN support
4.2.1. Introduction
Unless customers wish to support split tunnelling (refer to section 3.2.1 for a description of what is meant by the term split tunnelling) they are recommended to use O2’s Mobile Web VPN service in conjunction with their VPN solution.
4.2.2. IPSec, PPTP and SSL Based VPN Solutions
As detailed in the following text IPSec, PPTP and SSL based VPN solutions will work in conjunction with O2’s Mobile Web VPN service. The protocols supported by the Mobile Web VPN service are as follows:
• Ping (allows people to confirm that connectivity exists between their device, a laptop for instance, and the VPN server).
• Protocol 50 (ESP).
• Protocol 51 (AH).
• Protocol 47 (GRE) (required to support PPTP).
• Layer 2 Tunnel Protocol (L2TP).
The Mobile Web VPN service allows the ports detailed below to be used:
• UDP port 500 (IKE).
• TCP port 1723 (required to support PPTP).
• UDP port 4500 (required for NAT-T).
• UDP port 1701 (required to support L2TP/IPSec).
• TCP port 259 (required to support FW1_MEP – Checkpoint NG FP3 MEP determines closest entry point – only used if using NG FP3 Clients and more than one entry point into the network).
• TCP port 264 (required to support FW1_topo – Check Point VPN-1 SecuRemote Topology Requests).
• UDP port 2746 (required to support VPN1_IPSEC_encapsulation – Check Point VPN-1 SecuRemote IPSEC Transport Encapsulation Protocol).
• TCP port 50000: required for Barron McCann X-Kryptor VPN solution.
• UDP port 50000: required for Barron McCann X-Kryptor VPN solution.
• UDP port 10000: many VPN solutions use this port when NAT traversal is being used.
• TCP port 10000: this is the default port used by Cisco VPN solutions when the IPSec over TCP option is selected.
• UDP port 2233: used by the Shiva VPN solution.
• UDP port 10025: used by the Shiva VPN solution.
• UDP port 10026: used by the Shiva VPN solution.
• UDP port 10027: used by the Shiva VPN solution.
• TCP port 10027: used by the Shiva VPN solution.
• TCP port 10028: used by the Shiva VPN solution.
• TCP port 389: used by AT&T’s VPN service.
• TCP port 709: used by AT&T’s VPN service.
• TCP port 5080: used by AT&T’s VPN service.
• TCP port 443 (SSL).
• UDP port 443 (some VPN solutions require that a UDP port be used – this port has been opened up for this purpose).
• UDP port 12000: used by Good Technology Mobile Messaging solution.
• TCP port 15000: used by Good Technology Mobile Messaging solution.
O2’s Mobile Web VPN Solution can be used in conjunction with AT&T’s Global VPN Solution.
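As an added illustration of the VPN-only policy listed in section 4.2.2 (this is example code for the page, not O2's firewall configuration), the Python script below encodes the protocol and port list above and classifies a set of constructed sample flows against it. It assumes the list applies to the destination protocol and port of traffic the mobile device sends towards its VPN server; the paper does not state the direction. The Flow type, the classify and audit functions and the sample flows are all assumptions made for the example.

```python
"""Checker for the 'VPN only' policy of the Mobile Web VPN APN (section 4.2.2).
Constructed example: encodes the published protocol/port list and classifies
sample outbound flows against it. Direction (device -> VPN server) is assumed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# IP protocols permitted without a port. ICMP stands in for "Ping".
ALLOWED_IP_PROTOCOLS = {1: "ICMP (ping)", 47: "GRE (PPTP)", 50: "ESP", 51: "AH"}

# (transport, destination port) -> reason, straight from the list in 4.2.2.
ALLOWED_PORTS = {
    ("udp", 500): "IKE", ("tcp", 1723): "PPTP", ("udp", 4500): "NAT-T",
    ("udp", 1701): "L2TP/IPSec", ("tcp", 259): "Check Point FW1_MEP",
    ("tcp", 264): "Check Point FW1_topo",
    ("udp", 2746): "Check Point VPN1_IPSEC_encapsulation",
    ("tcp", 50000): "X-Kryptor", ("udp", 50000): "X-Kryptor",
    ("udp", 10000): "NAT traversal (various vendors)",
    ("tcp", 10000): "Cisco IPSec over TCP",
    ("udp", 2233): "Shiva", ("udp", 10025): "Shiva", ("udp", 10026): "Shiva",
    ("udp", 10027): "Shiva", ("tcp", 10027): "Shiva", ("tcp", 10028): "Shiva",
    ("tcp", 389): "AT&T VPN", ("tcp", 709): "AT&T VPN", ("tcp", 5080): "AT&T VPN",
    ("tcp", 443): "SSL VPN", ("udp", 443): "SSL VPN (UDP)",
    ("udp", 12000): "Good Technology", ("tcp", 15000): "Good Technology",
}
TRANSPORT_PROTOCOL_NUMBERS = {6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Flow:
    """One outbound flow from the handset, as the APN firewall would see it (assumed shape)."""
    ip_protocol: int                 # IANA protocol number: 1, 6, 17, 47, 50, 51 ...
    dst_port: Optional[int] = None   # only meaningful for TCP (6) and UDP (17)


def classify(flow: Flow) -> Tuple[bool, str]:
    """Return (permitted, reason) for a flow under the VPN-only policy."""
    if flow.ip_protocol in ALLOWED_IP_PROTOCOLS:
        return True, ALLOWED_IP_PROTOCOLS[flow.ip_protocol]
    transport = TRANSPORT_PROTOCOL_NUMBERS.get(flow.ip_protocol)
    if transport is None:
        return False, f"IP protocol {flow.ip_protocol} is not on the VPN list"
    reason = ALLOWED_PORTS.get((transport, flow.dst_port))
    if reason is None:
        return False, f"{transport}/{flow.dst_port} is blocked until the VPN is up"
    return True, reason


def audit(flows) -> dict:
    """Map each flow to its verdict; useful for checking a client's pre-tunnel traffic."""
    return {f: classify(f) for f in flows}


# Constructed sample: what an IPSec client and a stray browser generate before the tunnel exists.
SAMPLE_FLOWS = [
    Flow(1),          # ping the VPN server: allowed
    Flow(17, 500),    # IKE: allowed
    Flow(17, 4500),   # NAT-T: allowed
    Flow(50),         # ESP: allowed
    Flow(6, 80),      # plain HTTP: blocked (no direct Internet access)
    Flow(6, 21),      # FTP control: blocked
    Flow(17, 53),     # DNS before the tunnel: not on the published list, so blocked as written
]

if __name__ == "__main__":
    for flow, (ok, why) in audit(SAMPLE_FLOWS).items():
        verdict = "ALLOW" if ok else "DENY"
        print(f"{verdict:5} proto={flow.ip_protocol:<3} port={flow.dst_port}  {why}")
```

One thing the sample makes visible: UDP port 53 is not on the published list, so a client configured to reach its gateway by host name rather than by IP address should be tested on this APN before rollout; the paper does not say how name resolution is handled before the tunnel is up.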
4.3. IP addresses allocated to Mobile Web VPN users
Users will be allocated a public IP address from the range 82.132.160.1 to 82.132.175.254.
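The address ranges quoted in sections 3.3 and 4.3 are what a corporate VPN gateway sees as the source of connections from O2 users, so a gateway administrator usually wants them as CIDR blocks for an access list. The Python script below is an added example (not O2 tooling) that converts the ranges exactly as quoted into CIDR entries with the standard ipaddress module, shows the difference between an exact list and a single covering block for the Mobile Web VPN range, and classifies a source address. The function names and the test addresses (198.51.100.4 and the others) are assumptions made for the example.

```python
"""Source-address handling for the O2 GPRS/3G public services.
Constructed example: turns the ranges quoted in sections 3.3 and 4.3 into
CIDR blocks and classifies a connecting address."""
import ipaddress

# Ranges exactly as given in the text.
MOBILE_WEB_PAT_RANGES = [
    ("82.132.136.128", "82.132.136.191"),
    ("82.132.136.192", "82.132.136.223"),
    ("82.132.139.0", "82.132.139.255"),
]
MOBILE_WEB_VPN_RANGE = ("82.132.160.1", "82.132.175.254")


def exact_cidrs(first: str, last: str) -> list:
    """Smallest set of CIDR blocks that covers exactly first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def covering_cidr(first: str, last: str) -> ipaddress.IPv4Network:
    """Single block that contains the whole range (may admit a few extra addresses)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net


SERVICE_NETS = {
    "mobile-web-pat": [n for r in MOBILE_WEB_PAT_RANGES for n in exact_cidrs(*r)],
    "mobile-web-vpn": exact_cidrs(*MOBILE_WEB_VPN_RANGE),
}


def classify_source(addr: str) -> str:
    """Which O2 service (if any) a connection with this source address came through."""
    ip = ipaddress.ip_address(addr)
    for service, nets in SERVICE_NETS.items():
        if any(ip in n for n in nets):
            return service
    return "other"


def acl_entries(service: str) -> list:
    """CIDR strings for a gateway allow-list, exact for the given service."""
    return [str(n) for n in SERVICE_NETS[service]]


def extra_addresses_if_summarised(first: str, last: str) -> int:
    """How many addresses outside the quoted range a single covering block lets in."""
    span = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return covering_cidr(first, last).num_addresses - span


if __name__ == "__main__":
    print("Mobile Web VPN exact ACL:", acl_entries("mobile-web-vpn"))
    print("Single covering block:", covering_cidr(*MOBILE_WEB_VPN_RANGE),
          "extra addresses:", extra_addresses_if_summarised(*MOBILE_WEB_VPN_RANGE))
    for a in ("82.132.136.130", "82.132.170.9", "82.132.160.0", "198.51.100.4"):
        print(a, "->", classify_source(a))
```

The exact list for the Mobile Web VPN range is long because the quoted range excludes the first and last address of 82.132.160.0/20; whether to accept the two extra addresses in exchange for a single rule is a judgement call the script quantifies rather than makes. Note also that a source in the Mobile Web PAT ranges is a translated address shared by many users, so per-address controls on the gateway are far less meaningful for that service than for Mobile Web VPN, where each device holds its own public address.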
5. Service comparison
Table 1 summarises the differences between the O2 GPRS/3G services.
| Metric | Bearer Service | Mobile Web | Mobile Web VPN |
|---|---|---|---|
| APN | Customer’s Choice | mobile.o2.co.uk | vpn.o2.co.uk |
| Access Type | Public or Private | Public | Public |
| Number of devices supported | Unlimited | Unlimited | Unlimited |
| Direct Internet Connectivity | Internet Connectivity via corporate LAN – subject to IT policy | Yes | Internet Connectivity via corporate LAN – subject to IT policy |
| Mobile IP Addresses | Customer’s Choice | Private (PAT) (1) | Public |
| IP Address Allocation | Customer’s Choice | Dynamic | Dynamic |
| Supported Protocols | All | Most Internet | VPN Only |
| Bearer Optimisation | Customer’s Choice | Optional | No |
| Content Optimisation | Customer’s Choice | Optional | No |
| TCP Inactivity Timeout | Customer’s Choice | 60 minutes (normal operation), 10 minutes (load conditions) | 60 minutes |
| UDP Inactivity Timeout | Customer’s Choice | 10 minutes (normal operation), 15 seconds (load conditions) | 15 minutes |
| Access Lead Time | 43 working days | Immediate | <24 hours |
| Service Reach | End to End | Gateway only | Gateway only |
| Service Performance (2) | O2 pro-actively monitors the status of the Bearer Service | Best endeavours | Best endeavours |
Table 1: Service Comparison Matrix.
1. Users are allocated a dynamic, private unregistered IP address. However, it should be noted that users of O2’s Mobile Web service will be allocated a public IP address, via an Internet facing firewall, when they access Internet resources. The public IP addresses will be allocated from the following ranges:
– 82.132.136.128 to 82.132.136.191
– 82.132.136.192 to 82.132.136.223
– 82.132.139.0 to 82.132.139.255
2. Although O2 endeavours to provide the highest level of service on all its GPRS/3G Services, if problems are experienced with the public services (i.e. Mobile Web or Mobile Web VPN services) it is far more difficult to ascertain what is happening and where the problem lies – for instance a number of ISPs may lie between O2 and the customer. Hence the term “best endeavours” is used in the table.
6. Glossary of terms
APN: Access Point Name
DHCP: Dynamic Host Configuration Protocol
FTP: File Transfer Protocol
GPRS: General Packet Radio Service
GSM: Global System for Mobile Communications
IETF: Internet Engineering Task Force
IP: Internet Protocol
ISDN: Integrated Service Digital Network
LAN: Local Area Network
L2TP: Layer 2 Tunnel Protocol
NAT: Network Address Translation
PAT: Port Address Translation
PPTP: Point-to-Point Tunnelling Protocol
PSTN: Public Switched Telephone Network
SIM: Subscriber Identity Module
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
URL: Uniform Resource Locator
VPN: Virtual Private Network
WAN: Wide Area Network
All Rights Reserved. No part of this document may be copied, photocopied, reproduced, translated or reduced to any electronic or machine readable form without the prior permission of Telefonica UK Limited.