
GPRS / 3G Services: VPN solutions supported

An O2 White Paper


Contents

Chapter                                                Page
1. Executive summary                                   3
2. O2 Bearer Service                                   4-6
   2.1. Introduction                                   4
   2.2. DataLink                                       5
   2.3. Resilient DataLink                             6
   2.4. VPN support                                    6
3. O2 Mobile Web service                               7-10
   3.1. Introduction                                   7-8
   3.2. VPN support                                    9
      3.2.1. IPSec based VPN solutions                 9
      3.2.2. PPTP and SSL based VPN solutions          9
   3.3. IP addresses allocated to Mobile Web users     10
4. O2 Mobile Web VPN service                           11-14
   4.1. Introduction                                   11-12
   4.2. VPN support                                    13
      4.2.1. Introduction                              13
      4.2.2. IPSec, PPTP and SSL Based VPN Solutions   13
   4.3. IP addresses allocated to Mobile Web VPN users 14
5. Service comparison                                  15
6. Glossary of terms                                   16

1. Executive summary

Virtual Private Network (VPN) technology has emerged as one of the most effective and popular ways of allowing remote users to securely access corporate email and Intranet resources. Many organisations already access their corporate network via fixed line technologies (e.g. PSTN, ISDN or a broadband connection) and are looking to capitalise on their existing investment in a VPN infrastructure.

A VPN solution used in conjunction with O2’s GPRS/3G services allows people to connect to the LAN environment in a secure and simple manner whilst away from the office or home environment.

Currently, O2’s GPRS/3G portfolio consists of three service offerings:

• O2 Bearer Service: O2 provides private circuit(s) to connect the customer network to O2’s network. The customer can select between 2 bearer service products:
  – DataLink – consists of a single leased line and a router installed on the Customer Premises.
  – Resilient DataLink – resilience is provided via the use of two leased lines and two routers.
• O2 Mobile Web service: full Internet access is provided and VPN solutions can be used in conjunction with this service.
• O2 Mobile Web VPN service: this service was specifically introduced to allow customers to access their LAN environment via VPN technology.

This paper provides a brief description of the O2 GPRS/3G services and considers how VPN solutions can be used in conjunction with each of these services.

2. O2 Bearer Service

2.1. Introduction

O2’s Bearer Service offers business customers a high quality private mobile data connection to their own private domain.

O2’s Bearer Service can be used to support both GPRS and 3G data traffic (i.e. the same infrastructure supports both 3G and GPRS users).

The key aspects of O2’s Bearer Service are as follows:

• Each connection is defined by a unique, private Access Point Name (APN).
• Connectivity is provided via a physical leased line that connects the O2 network with the customer’s LAN.
• Customers can define which Subscriber Identity Module (SIM) cards are able to access their APN.
• The service can be configured to precisely match a customer’s requirements – in terms of security, for instance.
• The service does not provide any direct access to the Internet.
• All private Bearer Services connect to resilient GPRS Gateway Support Nodes (GGSNs) in the O2 network.

The installation of this service offers customers the opportunity to design the mobile data connectivity service of their choice. Almost every aspect of the service can be configured to the customer’s requirements, as this is a private service that connects customers to the O2 GPRS and 3G networks directly, using physical leased line infrastructure.

Customer configuration choices include:

• APN name (normally the same as their Internet registered Domain Name).
• Private (restricted) or Public (open) APN access.
• O2 or customer hosted RADIUS authentication.
• Dynamic or static mobile device IP allocation.
• Private or Public IP addresses for the mobile devices.

This service is designed for customers that require a private connection to their company LAN, which will offer them the highest quality of service and most consistent data communications performance.

O2’s Bearer Service is delivered and managed end-to-end by O2 to ensure the smoothest service delivery and shortest problem resolution timescales. O2 proactively monitors the status of the service and produces detailed usage reports to ensure suitable service levels are maintained at all times.

The leased line infrastructure offers the highest level of availability via two basic types of physical connection: DataLink (refer to section 2.2) and Resilient DataLink (refer to section 2.3).

Customers wishing to order O2 Bearer Services should discuss their options with their O2 Account Manager in the first instance. A detailed ‘Application For Service’ form is used to capture customer requirements, and service can be provided 43 working days after this form has been processed.

2.2. DataLink

Connectivity for Bearer Service customers is via a single or multiple leased lines (128 kbit/s, 256 kbit/s, 512 kbit/s, 2 Mbit/s, 4 Mbit/s etc.), terminating on a single router that is installed at the customer’s premises. Once installed, the router presents an Ethernet connection to the customer’s LAN.

Figure 1 details, at a top level, a typical GPRS/3G Bearer Service connection.

Each DataLink can support multiple APNs, each with its own Bearer Service definition. This is useful where customers wish to provide separation of service to different internal departments, external customers or application user bases.

Figure 1: Top Level Overview of a typical GPRS/3G Bearer Service connection. (Diagram labels: O2 Data Network, Corporate Network, Remote User, Radius Server, DHCP Server, Leased Line, Firewall, GRE Tunnel.)

2.3. Resilient DataLink

For those customers requiring the very highest levels of availability, O2 offers a Resilient DataLink leased line option to Bearer Service customers. Two links and two routers are provided as part of this solution.

The two links and routers can be terminated at the same site. However, it is strongly recommended that they are deployed in different computer rooms which are served by different exchanges and duct routes.

LAN connectivity is required between the two O2 routers, and Hot Standby Router Protocol (HSRP) provides resilience against router failure by allowing two or more routers to share the same virtual IP address (and MAC address) on the same Ethernet LAN segment.

2.4. VPN support

O2 does not impose any restrictions on the type of data or ports that can be used for data transfer between the mobile devices and the corporate network. Consequently, it is straightforward to use any type of VPN solution with O2’s Bearer Service.

3. O2 Mobile Web service

3.1. Introduction

O2’s Mobile Web service allows customers to get onto the Internet via GPRS and/or 3G (refer to Figure 2). In this instance customers do not have their own APN. The key aspects of the service are detailed below:

• Users can ‘surf’ the Internet, access FTP servers, access e-mail and generally utilise Internet resources.
• This is a public service and can be used by any O2 pay monthly customer. The APN associated with the service is mobile.o2.co.uk.
• If customers have an Internet facing VPN gateway then they might already support remote access via the Internet. If this is the case they should be able to use the Mobile Web service to allow people to access their network via GPRS.
• By default Mobile Web users enjoy an optimised experience when accessing Internet content at no extra cost. This network hosted optimisation can speed up the delivery of Web pages by optimising graphic images and compressing text content. It can however degrade the image quality in Web pages and interfere with some other Internet applications. If this is experienced, the optimisation platform can be bypassed by changing the user name in the Mobile Web settings of the handset/device, as follows:
  – Default settings – includes optimisation:
    – User name: o2web
    – Password: password
  – No optimisation required:
    – User name: bypass
    – Password: password

The Mobile Web APN is associated with all new O2 pay monthly SIM cards. If customers do not wish this APN to be available to users they should specify this requirement prior to SIMs being provisioned.

The O2 Mobile Web service uses private IP addressing and Port Address Translation (PAT) when users access Internet resources. PAT was defined by the Internet Engineering Task Force (IETF) as a way to convert private IP addresses to public routable Internet addresses, and enables organisations to minimise the number of Internet IP addresses they require; for example, by using PAT, companies can connect thousands of systems/users to the Internet via a few IP addresses.

The use of PAT has major implications: although PAT provides many benefits, some applications, including IPSec VPNs, can experience issues when PAT is being used. The issues surround trying to ensure packet integrity – when a packet passes through a PAT device, in this instance the O2 firewall that is used in the Mobile Web environment, the original IP address is modified. This is not allowed when using IPSec VPN solutions, because any modification of the packet will result in a failed integrity check and will prevent the VPN tunnel from being created. As a consequence IPSec and PAT can function together only when PAT occurs before the packet is encrypted. Whilst this will normally work fine in gateway-to-gateway communications, remote access solutions are problematic because the IPSec VPN client on a remote laptop will encrypt the packet before it travels to the PAT device, subsequently breaking the IPSec VPN connection.

To enable IPSec VPNs to work with Network Address Translation (NAT) or PAT devices, a solution called NAT Traversal was developed – it should be noted that this is sometimes also known as UDP encapsulation. The main technology behind this solution is UDP (User Datagram Protocol) encapsulation, wherein the IPSec packet is encapsulated inside a UDP/IP header, allowing NAT or PAT devices to change IP or port addresses without modifying the IPSec packet.

In order for NAT Traversal to work properly, both ends of the VPN solution (i.e. client and server) must be configured for NAT Traversal.

Figure 2: Top Level Overview of O2’s Mobile Web Service. (Diagram labels: O2 Data Network, Internet, Remote User, Radius Server (allocates Private IP Addresses), Firewall, O2 Mobile Web Service.)

3.2. VPN support

3.2.1. IPSec based VPN solutions

Unless customers wish to support split tunnelling, they are recommended to use O2’s Mobile Web VPN service in conjunction with their IPSec based VPN solution (refer to section 4 for more information on O2’s Mobile Web VPN service).

Split tunnelling is the process of allowing a remote VPN user to access the Internet at the same time that the user is allowed to access resources on the corporate LAN via the VPN solution. This method of network access enables the user to access remote resources, such as e-mail, at the same time as accessing the public network. An advantage of using split tunnelling is that it alleviates bottlenecks and conserves bandwidth, as Internet traffic does not have to pass through the VPN server. A disadvantage of this method is that the corporate LAN IP policy is not imposed on the user as they access the Internet directly.

If IPSec VPN solutions are to be used in conjunction with O2’s Mobile Web service, NAT Traversal (sometimes known as UDP encapsulation) must be utilised. NAT Traversal allows IPSec based VPN solutions to be used in situations where NAT and PAT are being utilised. However, it is not without its issues – for example, private address space can overlap and create routing issues, and NAT Traversal is not supported with AH (Authentication Header) IPSec connections.

If customers are not sure whether their IPSec based VPN solution supports NAT Traversal they should consult with their VPN vendor or Systems Integrator.

3.2.2. PPTP and SSL based VPN solutions

Customers can use Point-to-Point Tunnelling Protocol (PPTP) and SSL based VPN solutions in conjunction with O2’s Mobile Web Service.
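The PAT-versus-IPSec interaction described in section 3.1 and the NAT Traversal requirement of section 3.2.1, as an added worked model that is not part of the O2 paper. The packet layout, key and addresses are constructed stand-ins (a 13-byte pseudo header rather than real IPv4/AH/ESP formats, a fixed HMAC key rather than one negotiated by IKE). The integrity check deliberately covers the IP addresses, as the paper describes and as AH does: the first half shows the PAT rewrite failing verification at the receiver, and the second half shows why moving the fields a NAT must rewrite into an outer UDP/4500 header leaves the protected bytes untouched.

```python
"""Toy model of why PAT breaks an integrity-protected IPsec packet and why
UDP encapsulation (NAT Traversal) survives it.

Added example, not from the O2 paper. Key, addresses and the 13-byte
pseudo header (src, dst, proto, sport, dport) are constructed stand-ins.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

INTEGRITY_KEY = b"constructed-demo-key"  # constructed; real keys come from IKE
PROTO_TCP, PROTO_UDP, PROTO_AH = 6, 17, 51
NAT_T_PORT = 4500   # the paper's "UDP port 4500 (required for NAT-T)"
ICV_LEN = 32        # HMAC-SHA256 output length


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int      # 0 for protocols without ports (AH)
    dport: int
    payload: bytes

    def header_bytes(self) -> bytes:
        return (ipaddress.IPv4Address(self.src).packed
                + ipaddress.IPv4Address(self.dst).packed
                + struct.pack("!BHH", self.proto, self.sport, self.dport))

    def wire(self) -> bytes:
        return self.header_bytes() + self.payload

    @classmethod
    def from_wire(cls, data: bytes) -> "Packet":
        src = str(ipaddress.IPv4Address(data[:4]))
        dst = str(ipaddress.IPv4Address(data[4:8]))
        proto, sport, dport = struct.unpack("!BHH", data[8:13])
        return cls(src, dst, proto, sport, dport, data[13:])


def protect(pkt: Packet) -> Packet:
    """Sender: the ICV covers the addresses as well as the payload (as AH does),
    so any header change made in transit invalidates it."""
    sealed = replace(pkt, proto=PROTO_AH, sport=0, dport=0)
    icv = hmac.new(INTEGRITY_KEY, sealed.header_bytes() + pkt.payload, hashlib.sha256).digest()
    return replace(sealed, payload=icv + pkt.payload)


def verify(pkt: Packet) -> bool:
    """Receiver: recompute the ICV over the packet as it actually arrived."""
    icv, data = pkt.payload[:ICV_LEN], pkt.payload[ICV_LEN:]
    expected = hmac.new(INTEGRITY_KEY, pkt.header_bytes() + data, hashlib.sha256).digest()
    return hmac.compare_digest(icv, expected)


def pat_rewrite(pkt: Packet, public_ip: str, public_port: int) -> Packet:
    """Model of the Mobile Web firewall doing PAT: the private source address
    becomes a public one and, where the protocol has ports, the source port is
    remapped so that many users can share that address."""
    if pkt.proto in (PROTO_TCP, PROTO_UDP):
        return replace(pkt, src=public_ip, sport=public_port)
    return replace(pkt, src=public_ip)


def udp_encapsulate(ipsec_pkt: Packet) -> Packet:
    """NAT Traversal: carry the whole protected packet as the payload of a
    UDP/4500 packet. The PAT device now only touches this outer header."""
    return Packet(ipsec_pkt.src, ipsec_pkt.dst, PROTO_UDP, NAT_T_PORT, NAT_T_PORT, ipsec_pkt.wire())


def udp_decapsulate(udp_pkt: Packet) -> Packet:
    return Packet.from_wire(udp_pkt.payload)


def run_scenario() -> dict:
    # Constructed addresses: a private mobile-side address, a corporate VPN
    # gateway in the documentation range 203.0.113.0/24, and a PAT address
    # from the range the paper publishes for Mobile Web (82.132.136.128-191).
    inner = Packet("10.1.2.3", "203.0.113.7", PROTO_TCP, 40000, 443, b"GET /intranet HTTP/1.1")
    protected = protect(inner)

    # Without NAT-T: PAT rewrites the source address of the protected packet itself.
    direct = pat_rewrite(protected, "82.132.136.130", 61000)

    # With NAT-T: PAT rewrites only the outer UDP/IP header.
    natted = pat_rewrite(udp_encapsulate(protected), "82.132.136.130", 61000)
    inner_after_pat = udp_decapsulate(natted)

    return {
        "direct_verifies": verify(direct),            # False: header changed under the ICV
        "nat_t_verifies": verify(inner_after_pat),    # True: only the outer header changed
        "outer_src_after_pat": natted.src,            # 82.132.136.130
        "outer_sport_after_pat": natted.sport,        # 61000
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Real NAT Traversal (RFC 3948) is specified for ESP only, so the inner packet here is a schematic stand-in for whatever integrity-protected IPSec packet the peer must receive byte-for-byte; the paper's caveat that NAT Traversal is not supported with AH therefore still applies in practice, and both ends must agree to use the UDP/4500 encapsulation for the exchange to work at all.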

3.3. IP addresses allocated to Mobile Web users

Users are allocated a dynamic, private unregistered IP address when a data session is initiated. However, it should be noted that users of O2’s Mobile Web service will be allocated a public IP address, via an O2 Internet facing firewall, when they access Internet resources. The public IP addresses will be allocated from the following ranges:

– 82.132.136.128 to 82.132.136.191
– 82.132.136.192 to 82.132.136.223
– 82.132.139.0 to 82.132.139.255

4. O2 Mobile Web VPN service

4.1. Introduction

O2’s Mobile Web VPN service was specifically developed to allow customers to use their VPN solutions with GPRS and 3G – assuming the customer’s VPN solution can be used by people connected to the Internet (refer to Figure 3).

The key aspects of the service are as follows:

• Customers do not have their own APN.
• This is a public service and can be used by any O2 pay monthly customer. The APN associated with the service is vpn.o2.co.uk, and a user name of user and a password of password should be used.
• Users are allocated a public IP address and are on the Internet.
• Users cannot directly ‘surf’ the Internet, access FTP servers, access e-mail or utilise Internet resources:
  – At the request of customers the service was set up so that only VPN protocols can be used when users first establish their GPRS or 3G connection, i.e. the firewall associated with the service will block all other traffic.
  – Once the VPN session is in place, users will be able to browse the Intranet/Internet and access other corporate resources – assuming the corporate security policy allows such transactions to take place.
  – Split tunnelling will not work as users are not able to access Internet resources directly.
• It is possible to confirm that connectivity exists between the VPN client and server via the ping command.

Figure 3: A VPN Tunnel Established between a Remote User and the Corporate LAN. (Diagram labels: O2 Data Network, Internet, Corporate Network, Remote User, VPN Tunnel, Radius Server (allocates Public IP addresses), VPN Server, Firewall, O2 Mobile Web VPN Service.)

The O2 Mobile Web VPN service does not include any optimisation capability, delivers public registered IP addresses to mobile devices and allows access only to VPN applications. The service offers businesses the ability to provide secure LAN access to their users via the Internet and to control their usage through the application of their internal IT policy.

Access to Mobile Web VPN can be requested via O2 Customer Services and is usually provisioned within 24 hours.

4.2. VPN support

4.2.1. Introduction

Unless customers wish to support split tunnelling (refer to section 3.2.1 for a description of what is meant by the term split tunnelling), they are recommended to use O2’s Mobile Web VPN service in conjunction with their VPN solution.

4.2.2. IPSec, PPTP and SSL Based VPN Solutions

As detailed in the following text, IPSec, PPTP and SSL based VPN solutions will work in conjunction with O2’s Mobile Web VPN service.

The protocols supported by the Mobile Web VPN service are as follows:

• Ping (allows people to confirm that connectivity exists between their device, a laptop for instance, and the VPN server).
• Protocol 50 (ESP).
• Protocol 51 (AH).
• Protocol 47 (GRE) (required to support PPTP).
• Layer 2 Tunnel Protocol (L2TP).

The Mobile Web VPN service allows the ports detailed below to be used:

• UDP port 500 (IKE).
• TCP port 1723 (required to support PPTP).
• UDP port 4500 (required for NAT-T).
• UDP port 1701 (required to support L2TP/IPSec).
• TCP port 259 (required to support FW1_MEP – Check Point NG FP3 MEP determines the closest entry point; only used if using NG FP3 clients and more than one entry point into the network).
• TCP port 264 (required to support FW1_topo – Check Point VPN-1 SecuRemote Topology Requests).
• UDP port 2746 (required to support VPN1_IPSEC_encapsulation – Check Point VPN-1 SecuRemote IPSEC Transport Encapsulation Protocol).
• UDP port 50000: required for the Barron McCann X-Kryptor VPN solution.
• TCP port 50000: required for the Barron McCann X-Kryptor VPN solution.
• UDP port 10000: many VPN solutions use this port when NAT traversal is being used.
• TCP port 10000: this is the default port used by Cisco VPN solutions when the IPSec over TCP option is selected.
• UDP port 2233: used by the Shiva VPN solution.
• UDP port 10025: used by the Shiva VPN solution.
• UDP port 10026: used by the Shiva VPN solution.
• UDP port 10027: used by the Shiva VPN solution.
• TCP port 10027: used by the Shiva VPN solution.
• TCP port 10028: used by the Shiva VPN solution.
• TCP port 389: used by AT&T’s VPN service.
• TCP port 709: used by AT&T’s VPN service.
• TCP port 5080: used by AT&T’s VPN service.
• TCP port 443 (SSL).
• UDP port 443 (some VPN solutions require that a UDP port be used – this port has been opened up for this purpose).
• UDP port 12000: used by the Good Technology Mobile Messaging solution.
• TCP port 15000: used by the Good Technology Mobile Messaging solution.

O2’s Mobile Web VPN solution can be used in conjunction with AT&T’s Global VPN solution.

4.3. IP addresses allocated to Mobile Web VPN users

Users will be allocated a public IP address from the range 82.132.160.1 to 82.132.175.254.
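The published address ranges of sections 3.3 and 4.3 and the Mobile Web VPN firewall's allowed protocol and port list of section 4.2.2, applied to connection attempts recorded at a corporate VPN gateway, as an added example that is not part of the O2 paper. It converts the paper's "first to last" ranges into CIDR blocks a firewall or SIEM rule can consume, then tells a gateway operator which O2 service path a source address implies and which flows the O2 firewall would have dropped before any tunnel existed. The log line format, the sample lines and the reading of the paper's list as destination ports are constructed assumptions; the IP protocol number 115 for L2TP comes from the IANA protocol registry, not from the paper.

```python
"""Triage of connection attempts at a corporate VPN gateway against the O2
address ranges and Mobile Web VPN firewall policy quoted in the paper.

Added example, not from the O2 paper. The log format and sample lines are
constructed; the paper's port list is read as destination ports (assumption).
"""
import ipaddress
from typing import Dict, List


def to_networks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Collapse a 'first to last' range, as the paper writes them, into the
    minimal list of CIDR blocks a firewall or SIEM rule can consume."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


# Public addresses Mobile Web users present after PAT (section 3.3).
MOBILE_WEB_PAT = (to_networks("82.132.136.128", "82.132.136.191")
                  + to_networks("82.132.136.192", "82.132.136.223")
                  + to_networks("82.132.139.0", "82.132.139.255"))
# Public addresses allocated directly to Mobile Web VPN users (section 4.3).
MOBILE_WEB_VPN = to_networks("82.132.160.1", "82.132.175.254")

# What the Mobile Web VPN firewall passes before a tunnel exists (section 4.2.2).
# Protocol numbers are from the IANA registry; 115 (L2TP) is not stated in the paper.
ALLOWED_IP_PROTOCOLS = {"icmp": 1, "gre": 47, "esp": 50, "ah": 51, "l2tp": 115}
ALLOWED_TCP = {1723, 259, 264, 50000, 10000, 10027, 10028, 389, 709, 5080, 443, 15000}
ALLOWED_UDP = {500, 4500, 1701, 2746, 50000, 10000, 2233, 10025, 10026, 10027, 443, 12000}


def classify_source(ip: str) -> str:
    """Which O2 service path a source address implies."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in MOBILE_WEB_VPN):
        return "mobile-web-vpn"
    if any(addr in net for net in MOBILE_WEB_PAT):
        return "mobile-web-pat"
    return "other"


def vpn_firewall_permits(proto: str, dport: int) -> bool:
    """Would the Mobile Web VPN service firewall pass this flow pre-tunnel?"""
    proto = proto.lower()
    if proto == "tcp":
        return dport in ALLOWED_TCP
    if proto == "udp":
        return dport in ALLOWED_UDP
    return proto in ALLOWED_IP_PROTOCOLS


def triage(log_lines: List[str]) -> List[Dict]:
    """Constructed line format: '<time> <src_ip> <proto> <dport> <gateway verdict>'."""
    findings = []
    for line in log_lines:
        time, src, proto, dport, verdict = line.split()
        dport = int(dport)
        path = classify_source(src)
        notes = []
        if path == "mobile-web-pat":
            notes.append("source is behind O2 PAT: IPsec must use NAT-T (UDP/4500)")
            if proto.lower() in ("esp", "ah"):
                notes.append("paper section 3.1: an IPsec packet modified by PAT fails its integrity check")
        if path == "mobile-web-vpn" and not vpn_firewall_permits(proto, dport):
            notes.append("not on the Mobile Web VPN allowed list: the O2 firewall drops it before any tunnel")
        findings.append({"time": time, "src": src, "path": path, "proto": proto,
                         "dport": dport, "verdict": verdict, "notes": notes})
    return findings


# Constructed sample of what a gateway's connection log might show.
SAMPLE_LOG = [
    "09:14:02 82.132.165.20 udp 500 accept",     # Mobile Web VPN user starting IKE
    "09:14:03 82.132.165.20 udp 4500 accept",    # ... continuing with NAT-T
    "09:15:10 82.132.136.130 udp 4500 accept",   # Mobile Web user behind PAT, using NAT-T
    "09:15:11 82.132.136.130 esp 0 drop",        # Mobile Web user trying bare ESP
    "09:16:40 82.132.165.21 tcp 80 drop",        # Mobile Web VPN user: HTTP before the tunnel
    "09:17:05 198.51.100.9 tcp 443 accept",      # not an O2 GPRS/3G address at all
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["src"], f["path"], f["proto"], f["dport"], "; ".join(f["notes"]))
```

The Mobile Web VPN range does not sit on a CIDR boundary (it starts at .160.1 and ends at .175.254), so summarize_address_range produces a list of blocks rather than a single /20; matching against the list rather than a hand-rounded /20 avoids misclassifying the two excluded addresses.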

5. Service comparison

Table 1 summarises the differences between the O2 GPRS/3G services.

Table 1: Service Comparison Matrix

| Metric | Bearer Service | Mobile Web | Mobile Web VPN |
| --- | --- | --- | --- |
| APN | Customer’s choice | mobile.o2.co.uk | vpn.o2.co.uk |
| Access Type | Public or Private | Public | Public |
| Number of devices supported | Unlimited | Unlimited | Unlimited |
| Direct Internet Connectivity | Internet connectivity via corporate LAN – subject to IT policy | Yes | Internet connectivity via corporate LAN – subject to IT policy |
| Mobile IP Addresses | Customer’s choice | Private (PAT) ¹ | Public |
| IP Address Allocation | Customer’s choice | Dynamic | Dynamic |
| Supported Protocols | All | Most Internet | VPN only |
| Bearer Optimisation | Customer’s choice | Optional | No |
| Content Optimisation | Customer’s choice | Optional | No |
| TCP Inactivity Timeout | Customer’s choice | 60 minutes (normal operation); 10 minutes (load conditions) | 60 minutes |
| UDP Inactivity Timeout | Customer’s choice | 10 minutes (normal operation); 15 seconds (load conditions) | 15 minutes |
| Access Lead Time | 43 working days | Immediate | <24 hours |
| Service Reach | End to End | Gateway only | Gateway only |
| Service Performance ² | O2 pro-actively monitors the status of the Bearer Service | Best endeavours | Best endeavours |

Notes:

1. Users are allocated a dynamic, private unregistered IP address. However, it should be noted that users of O2’s Mobile Web service will be allocated a public IP address, via an Internet facing firewall, when they access Internet resources. The public IP addresses will be allocated from the following ranges:
   – 82.132.136.128 to 82.132.136.191
   – 82.132.136.192 to 82.132.136.223
   – 82.132.139.0 to 82.132.139.255

2. Although O2 endeavours to provide the highest level of service on all its GPRS/3G services, if problems are experienced with the public services (i.e. Mobile Web or Mobile Web VPN) it is far more difficult to ascertain what is happening and where the problem lies – for instance, a number of ISPs may lie between O2 and the customer. Hence the term “best endeavours” is used in the table.

6. Glossary of terms

APN – Access Point Name
DHCP – Dynamic Host Configuration Protocol
FTP – File Transfer Protocol
GPRS – General Packet Radio Service
GSM – Global System for Mobile Communications
IETF – Internet Engineering Task Force
IP – Internet Protocol
ISDN – Integrated Service Digital Network
LAN – Local Area Network
L2TP – Layer 2 Tunnel Protocol
NAT – Network Address Translation
PAT – Port Address Translation
PPTP – Point-to-Point Tunnelling Protocol
PSTN – Public Switched Telephone Network
SIM – Subscriber Identity Module
SSL – Secure Sockets Layer
TCP – Transmission Control Protocol
UDP – User Datagram Protocol
URL – Uniform Resource Locator
VPN – Virtual Private Network
WAN – Wide Area Network

All Rights Reserved. No part of this document may be copied, photocopied, reproduced, translated or reduced to any electronic or machine readable form without the prior permission of Telefonica UK Limited.