328 MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F
Using the CLI
Configure an IPsec transport mode connection (a pre-shared-key based example is shown below) from
REMOTE to SCADA router R1. It is assumed that REMOTE's cell IP address is 10.150.1.10 and that R1
is reachable over cell at 10.150.1.1.
% set services vpn ike policy IKE-POLICY-PSK-R1 auth-method pre-shared-key
% set services vpn ike policy IKE-POLICY-PSK-R1 pre-shared-key test123
% set services vpn ike policy IKE-POLICY-PSK-R1 ciphersuite CS1 encryption-algo aes128-cbc
% set services vpn ike policy IKE-POLICY-PSK-R1 ciphersuite CS1 mac-algo sha256-hmac
% set services vpn ike policy IKE-POLICY-PSK-R1 ciphersuite CS1 dh-group dh14
% set services vpn ike peer R1 ike-policy IKE-POLICY-PSK-R1
% set services vpn ike peer R1 local-endpoint address 10.150.1.10
% set services vpn ike peer R1 local-identity default
% set services vpn ike peer R1 peer-endpoint address 10.150.1.1
% set services vpn ike peer R1 peer-identity default
% set services vpn ike peer R1 role initiator
% set services vpn ike peer R1 initiator-mode on-demand
% set services vpn ipsec policy IPSEC-POLICY ciphersuite CS1 encryption-algo aes128-cbc
% set services vpn ipsec policy IPSEC-POLICY ciphersuite CS1 mac-algo sha256-hmac
% set services vpn ipsec policy IPSEC-POLICY ciphersuite CS1 dh-group dh14
% set services vpn ipsec connection R1 ike-peer R1
% set services vpn ipsec connection R1 ipsec-policy IPSEC-POLICY
% set services vpn ipsec connection R1 host-to-host
% set services vpn ipsec connection R1 filter input IN_TRUSTED
% set services vpn ipsec connection R1 filter output OUT_TRUSTED
Configure a GRE tunnel interface with mode = ip-over-gre, src-address = local cell address and
dst-address = R1’s WAN address.
% set interfaces interface GRE1 type gre
% set interfaces interface GRE1 gre-config mode ip-over-gre
% set interfaces interface GRE1 gre-config src-address 10.150.1.10
% set interfaces interface GRE1 gre-config dst-address 10.150.1.1
% set interfaces interface GRE1 filter input IN_TRUSTED
% set interfaces interface GRE1 filter output OUT_TRUSTED
Configure a NETMON service icmp-echo-monitor operation named NX-LINK-CHECK that performs a
periodic link check by pinging R1 over the NX interface.
% set services netmon operation NX-LINK-CHECK enabled true
% set services netmon operation NX-LINK-CHECK icmp-echo-monitor dst-host 192.168.1.4
Configure the primary route towards the SCADA back-office network (10.10.1.0/24) with NX as the
outgoing interface and the address of R1’s interface on the NX backhaul as the next-hop. Also
configure this route with verify-reachability using the NX-LINK-CHECK operation, which checks the
reachability of the back-office network via this route.
% set routing static-routes ipv4 route 1 dest-prefix 10.10.1.0/24
% set routing static-routes ipv4 route 1 next-hop 192.168.1.4
% set routing static-routes ipv4 route 1 outgoing-interface NxRadio
% set routing static-routes ipv4 route 1 verify-reachability operation NX-LINK-CHECK
Configure the secondary route towards the SCADA back-office network (10.10.1.0/24) with GRE1 as the
outgoing interface and a preference value of 20.
% set routing static-routes ipv4 route 2 dest-prefix 10.10.1.0/24
% set routing static-routes ipv4 route 2 outgoing-interface GRE1
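An added example (not from the manual): a Python check over CLI commands of the form used in this section that reports a GRE interface whose src/dst addresses are not the endpoints of a host-to-host IPsec connection, or that has no input/output filter. The lint function and the SAMPLE text are constructed for illustration, and the check assumes the input holds only the GRE and IPsec part of the configuration.

```python
# Constructed sample: this section's GRE/IPsec commands, with a deliberate
# mistake added for the demo (the filter lines name GRE instead of GRE1).
SAMPLE = """\
% set services vpn ike peer R1 local-endpoint address 10.150.1.10
% set services vpn ike peer R1 peer-endpoint address 10.150.1.1
% set services vpn ipsec connection R1 ike-peer R1
% set services vpn ipsec connection R1 host-to-host
% set interfaces interface GRE1 type gre
% set interfaces interface GRE1 gre-config src-address 10.150.1.10
% set interfaces interface GRE1 gre-config dst-address 10.150.1.1
% set interfaces interface GRE filter input IN_TRUSTED
% set interfaces interface GRE filter output OUT_TRUSTED
"""

def lint(text):
    """Return findings for GRE interfaces left unencrypted or unfiltered."""
    ike, conn, gre, filt = {}, {}, {}, {}
    for line in text.splitlines():
        t = line.lstrip("% ").split()
        if t[:1] != ["set"]:
            continue
        t = t[1:]
        if t[:4] == ["services", "vpn", "ike", "peer"] and len(t) == 8 and t[6] == "address":
            ike.setdefault(t[4], {})[t[5]] = t[7]      # local/peer endpoint
        elif t[:4] == ["services", "vpn", "ipsec", "connection"]:
            conn.setdefault(t[4], []).extend(t[5:])
        elif t[:2] == ["interfaces", "interface"] and len(t) >= 5:
            if t[3:5] == ["type", "gre"]:
                gre.setdefault(t[2], {})
            elif t[3] == "gre-config" and len(t) == 6:
                gre.setdefault(t[2], {})[t[4]] = t[5]
            elif t[3] == "filter":
                filt.setdefault(t[2], set()).add(t[4])
    # Address pairs protected by a host-to-host (transport mode) connection.
    covered = set()
    for c in conn.values():
        if "host-to-host" in c and "ike-peer" in c[:-1]:
            p = ike.get(c[c.index("ike-peer") + 1], {})
            if {"local-endpoint", "peer-endpoint"} <= p.keys():
                covered.add((p["local-endpoint"], p["peer-endpoint"]))
    out = []
    for name, g in sorted(gre.items()):
        if (g.get("src-address"), g.get("dst-address")) not in covered:
            out.append(f"{name}: GRE endpoints not covered by IPsec")
        for d in sorted({"input", "output"} - filt.get(name, set())):
            out.append(f"{name}: no {d} filter")
    for name in sorted(set(filt) - set(gre)):
        out.append(f"{name}: filter on an interface with no GRE definition")
    return out
```

Call lint() on the text of the candidate configuration before committing it; an empty list means every GRE interface in the input is both covered by the transport mode connection and filtered in both directions.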