

Setting Up Ascend Tunnel Management Protocol (ATMP)


This chapter covers the following topics:

Before you begin
Introducing ATMP
Overview of ATMP configuration tasks
Overview of ATMP attributes
Setting up an ATMP tunnel for an IP network
Tunneling ATMP between two IP networks
Setting up the MAX TNT as a multimode agent
Setting up ATMP to bypass a foreign agent

Before you begin

If the home agent or foreign agent has multiple interfaces into the IP cloud that separates the two units, you must specify a system IP address by means of the System-IP-Addr parameter. Otherwise, if a route changes within the IP cloud, you might see communication problems. For complete information, see the MAX TNT Network Configuration Guide.

Introducing ATMP

ATMP is a UDP/IP-based protocol that provides a tunneling mechanism between two Ascend units across the Internet or a Frame Relay network. Each Ascend unit can be a MAX TNT or a Pipeline 400. The protocol uses standard Generic Routing Encapsulation (GRE).

ATMP provides a Virtual Private Network (VPN) solution over the backbone resources of Internet Service Providers (ISPs) and carriers. Without ATMP, each mobile client and remote user has to dial directly into the home network, often incurring long-distance charges. With ATMP, these users can make a local call to an ISP and have their traffic tunneled across the Internet or Frame Relay network to the home network.

As described in RFC 1701, GRE encapsulates a packet inside a new IP header so that it can be carried across a network that would otherwise not accept it. When you use ATMP with the MAX TNT, such packets include IP packets that use unregistered (private) addresses. Note that GRE only encapsulates; it does not encrypt. ATMP authenticates the tunnel registration by means of the challenge exchange described in the next section, but the data carried inside the tunnel crosses the Internet in the clear unless the end hosts or an additional layer encrypt it.

How ATMP connections work

Figure 8-1 shows an ATMP tunnel between two MAX TNT units. The unit that authenticates the mobile client is the ATMP foreign agent. The unit that accesses the home network is the ATMP home agent. The home network is the destination network for mobile clients. For example, the mobile client might be a sales person who logs into an ISP (the foreign agent) to access his or her home network.

Figure 8-1. ATMP tunnel across the Internet

A mobile client dials into the foreign agent, where it is authenticated by means of a Connection profile or a RADIUS user profile. The foreign agent then establishes an IP connection to the home agent, and requests an ATMP tunnel on top of the established IP connection.

The home agent is the terminating part of the tunnel, where most of the ATMP intelligence takes place. It must be able to communicate with the home network through a direct connection, through another router, or across a nailed connection.

To establish an ATMP connection with the home network, a mobile client initiates the following sequence of events:

  1. The mobile client dials a connection to the foreign agent.

  2. The foreign agent authenticates the mobile client by means of a Connection profile or a RADIUS user profile.

  3. The foreign agent locates a Connection profile or RADIUS user profile for the home agent.

  4. The foreign agent connects to the home agent through a regular IP connection. The MAX TNT authenticates the connection in the usual way (for example, by using CHAP).

  5. The foreign agent informs the home agent that the mobile client has connected, and requests a tunnel.

  6. The foreign agent sends RegisterRequest messages, waiting the Retry-Timeout interval between them, up to the number set by Retry-Limit (by default, ten requests). If it receives no response to the requests, it times out and logs a message.

  7. The home agent requests authentication of the mobile client, by sending a challenge request to the foreign agent.

  8. The foreign agent sends back a challenge reply to the home agent. The reply includes an encrypted version of the Ascend-Home-Agent-Password value in the mobile client's RADIUS profile. This password must match the value of the home agent's Home-Agent-Password parameter in the ATMP profile.

  9. The home agent returns a RegisterReply with a number that identifies the tunnel. If registration fails, the home agent logs a message and the foreign agent disconnects the mobile client. If registration succeeds, the MAX TNT creates a tunnel between the foreign agent and the home agent. At this point, the mobile client connects to the home network as though it had dialed locally, and can transfer data across the tunnel.

  10. When the mobile client disconnects from the foreign agent, the foreign agent sends a DeregisterRequest to the home agent to close down the tunnel. The foreign agent can send its request a maximum of ten times, or until it receives a DeregisterReply. If the foreign agent receives packets for a mobile client whose connection has gone down, the foreign agent silently discards the packets.
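The registration and teardown sequence above, modeled in Python as an added example (this is not Ascend code and not the ATMP wire format): the message names and the retry, challenge-response, failure and silent-discard behaviour follow steps 5 through 10; the dict-based messages, the HMAC-SHA256 proof standing in for the "encrypted version" of the home agent password, the random nonce and the tunnel-ID counter are assumptions. Retry-Limit and Retry-Timeout are the foreign agent's ATMP profile parameters (defaults 10 and 3 seconds) described later in this chapter, and an unreachable home agent is represented as None.

```python
"""Model of the ATMP registration and teardown exchange.

Added example, not Ascend code. The message names and the retry, challenge
and discard behaviour follow the numbered steps in the text; the dict-based
messages, the HMAC-SHA256 challenge proof and the tunnel-ID counter are
assumptions standing in for the real ATMP wire format.
"""
import hashlib
import hmac
import os

ATMP_UDP_PORT = 5150  # default UDP port from the attribute table


def challenge_proof(password: str, nonce: bytes) -> bytes:
    """Assumed stand-in for the encrypted password carried in the ChallengeReply."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


class HomeAgent:
    """Terminating end of the tunnel; holds Home-Agent-Password from its ATMP profile."""

    def __init__(self, home_agent_password: str):
        self.password = home_agent_password
        self.pending = {}        # client name -> outstanding challenge nonce
        self.tunnels = {}        # tunnel id -> client name
        self.next_tunnel_id = 1
        self.log = []

    def handle(self, msg: dict) -> dict:
        kind = msg["type"]
        if kind == "RegisterRequest":                       # step 7: challenge the client
            nonce = os.urandom(16)
            self.pending[msg["client"]] = nonce
            return {"type": "ChallengeRequest", "client": msg["client"], "nonce": nonce}
        if kind == "ChallengeReply":                        # step 8/9: verify and reply
            nonce = self.pending.pop(msg["client"], None)
            ok = nonce is not None and hmac.compare_digest(
                challenge_proof(self.password, nonce), msg["proof"])
            if not ok:
                self.log.append(f"registration failed for {msg['client']}")
                return {"type": "RegisterReply", "client": msg["client"], "tunnel_id": None}
            tid, self.next_tunnel_id = self.next_tunnel_id, self.next_tunnel_id + 1
            self.tunnels[tid] = msg["client"]
            return {"type": "RegisterReply", "client": msg["client"], "tunnel_id": tid}
        if kind == "DeregisterRequest":                     # step 10: tear the tunnel down
            self.tunnels.pop(msg["tunnel_id"], None)
            return {"type": "DeregisterReply", "tunnel_id": msg["tunnel_id"]}
        raise ValueError(f"unexpected ATMP message {kind}")


class ForeignAgent:
    """Authenticating end; Retry-Limit and Retry-Timeout come from its ATMP profile."""

    def __init__(self, retry_limit: int = 10, retry_timeout: int = 3):
        self.retry_limit = retry_limit
        self.retry_timeout = retry_timeout
        self.tunnels = {}        # client name -> (home agent, tunnel id)
        self.log = []

    def register(self, client: str, profile: dict, home_agents: list):
        """Try the primary, then the secondary home agent (None = unreachable).

        Returns (tunnel_id or None, seconds the mobile client waited).
        """
        waited = 0
        for ha in home_agents:
            for _ in range(self.retry_limit):
                if ha is None:                              # no reply: wait, then resend
                    waited += self.retry_timeout
                    continue
                chal = ha.handle({"type": "RegisterRequest", "client": client})
                proof = challenge_proof(profile["Ascend-Home-Agent-Password"], chal["nonce"])
                reply = ha.handle({"type": "ChallengeReply", "client": client, "proof": proof})
                if reply["tunnel_id"] is None:              # registration failed: drop client
                    self.log.append(f"home agent refused {client}; disconnecting")
                    return None, waited
                self.tunnels[client] = (ha, reply["tunnel_id"])
                return reply["tunnel_id"], waited
            self.log.append(f"no reply after {self.retry_limit} RegisterRequests; trying next home agent")
        return None, waited

    def forward(self, client: str, packet: bytes):
        """Packets for a client with no tunnel are silently discarded (step 10)."""
        if client not in self.tunnels:
            return None
        _ha, tid = self.tunnels[client]
        return (tid, packet)        # a real agent would GRE-encapsulate and send to the home agent

    def disconnect(self, client: str) -> bool:
        """Client hung up: deregister the tunnel and confirm the home agent dropped it."""
        ha, tid = self.tunnels.pop(client)
        reply = ha.handle({"type": "DeregisterRequest", "tunnel_id": tid})
        return reply["type"] == "DeregisterReply" and tid not in ha.tunnels
```

With the default values, a mobile client whose primary and secondary home agents are both down waits 2 x 10 x 3 = 60 seconds before being told that the connection failed, which is the "twice the specified period" behaviour noted under Retry-Timeout in the profile procedures. A wrong Ascend-Home-Agent-Password, by contrast, fails immediately and the secondary home agent is never tried.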

ATMP router and gateway modes

You can configure the home agent as a router or a gateway to the home network.

Router mode

A router home agent relies on packet routing to reach the home network. When you configure the home agent as a router, the home agent's routing module forwards packets it receives from the foreign agent onto the local network (Figure 8-2).

Figure 8-2. How a router home agent works

The network can be the home network, or it can support another router that can connect to the home network. In either case, packet delivery relies on a routing mechanism, such as a static or dynamic route, and not on a WAN connection. When the router home agent receives tunneled data, it removes the GRE encapsulation and passes the packets to its router software. It also adds a route to the mobile client to its routing table.

Gateway mode

A gateway home agent delivers tunneled data to the home network without routing. When it receives tunneled data, it removes the GRE header and forwards the packets to the home router, as shown in Figure 8-3.

Figure 8-3. How a gateway home agent works

The WAN connection must be on line. The home agent does not bring up a WAN connection to the home network in response to a packet it receives through the tunnel. For this reason, the home agent must have a nailed-up WAN connection to the home network.

Overview of ATMP configuration tasks

To set up a basic ATMP tunnel across an IP connection, you must perform the tasks described in Setting up an ATMP tunnel for an IP network.

Depending on your configuration, you have the option of carrying out the following additional tasks:

Tunneling ATMP between two IP networks
Setting up the MAX TNT as a multimode agent
Setting up ATMP to bypass a foreign agent

Overview of ATMP attributes

The foreign agent must have a RADIUS user profile that authenticates the mobile client connections. Table 8-1 lists the attributes that the profile can contain.

Table 8-1. RADIUS attributes for ATMP connections

Attribute

Specifies

Possible values

Ascend-Home-Agent-Password (184)

Password that the foreign agent sends to the home agent during ATMP operation. Must match the home agent's ATMP password.

Text string of up to 20 characters. The default value is null.

Ascend-Home-Network-Name (185)

Name of the Connection profile for the home agent's nailed-up connection to the home network (required only if the home agent is operating in gateway mode).

Text string. The default value is null.

Ascend-Primary-Home-Agent (129)

First home agent the foreign agent tries to reach when setting up an ATMP tunnel, and the UDP port the foreign agent uses for the link. Both the home agent and the foreign agent must agree on the UDP port number. The home agent IP address should be the system address, not the IP address of the interface on which the home agent receives tunneled data.

"hostname | ip_address [:udp_port]"

The hostname argument indicates the home agent's symbolic hostname. The default value is null.

The ip_address argument indicates the home agent's system IP address in dotted decimal notation. The default value is 0.0.0.0.

The optional udp_port argument indicates the UDP port on which the foreign agent communicates with the home agent. The default value is 5150.

The colon (:) separates the hostname or IP address from the UDP port specification.

Ascend-Secondary-Home-Agent (130)

Secondary home agent the foreign agent tries to reach when the primary home agent (specified by Ascend-Primary-Home-Agent) is unavailable. Also indicates the UDP port the foreign agent uses for the link. The home agent IP address should be the system address, not the IP address of the interface on which the home agent receives tunneled data.

Same values as Ascend-Primary-Home-Agent.

Setting up an ATMP tunnel for an IP network

A private IP network is a network with an unregistered IP address. An ATMP tunnel enables a remote user to log into a private IP network across the Internet through a local ISP connection.

Configuring the MAX TNT as a foreign agent

To configure the MAX TNT as the foreign agent for an IP tunnel, you must perform the following tasks:

Configuring the foreign agent's ATMP profile
Configuring the foreign agent to authenticate through RADIUS
Configuring an outgoing RADIUS user profile to the home agent
Configuring an incoming RADIUS profile for the mobile client

Configuring the foreign agent's ATMP profile

To configure the foreign agent's ATMP profile, perform the following tasks at the MAX TNT configuration interface. For complete information about setting each parameter, see the MAX TNT Network Configuration Guide.

  1. Open the ATMP profile.

  2. Set Agent-Mode=Foreign-Agent. When you change this parameter from its default of Tunnel-Disabled, you must reset the system for the new value to take effect.

  3. To control the time the foreign agent waits between retries when attempting to establish a tunnel, set the Retry-Timeout parameter, or accept the default of 3 seconds.

    The default is appropriate for most sites. However, if the link is a dial-up connection, you might want to increase the value to allow sufficient time to establish the session. Or, if the foreign agent and home agent are on the same Ethernet segment, you might want to reduce the value to provide a quicker response to the mobile client when the home agent is unavailable. If the tunnel is attempted via a secondary home agent, and the secondary home agent is also unavailable, the mobile client waits twice the specified period before being informed that the connection failed.

  4. To control the maximum number of times the foreign agent attempts to establish a tunnel before switching to an alternative home agent, set the Retry-Limit parameter, or accept the default of 10. The same considerations apply to the Retry-Limit parameter as the Retry-Timeout parameter.

  5. If you want to specify that the client software uses MTU discovery mechanisms to determine the maximum packet size, and fragments each packet before sending it, set the MTU-Limit parameter. Note that you must set MTU-Limit to 1472 if the home agent is a GRF switch.

  6. If the MAX TNT operates with clients that send packets larger than the MTU-Limit, set Force-Fragmentation=Yes.

  7. Save your changes.

Configuring the foreign agent to authenticate through RADIUS

To configure the foreign agent to authenticate through RADIUS, follow the instructions in Configuring the MAX TNT to use the RADIUS server.

Configuring an outgoing RADIUS user profile to the home agent

For the foreign agent, you must create an outgoing user profile to the home agent. Some configuration steps are required. Some steps are optional, and depend upon the needs of your site. To set required attributes in the foreign agent's outgoing RADIUS user profile, proceed as follows:

  1. On the first line of the user profile, set the User-Name attribute to the name of the home agent, and append -Out to the user name.

  2. Next to the User-Name specification, set "ascend" as the Password value and User-Service=Dialout-Framed-User.

  3. On the second line, set the User-Name attribute to the name of the home agent.

  4. Set the Framed-Protocol attribute to the encapsulation type in use on the line.

  5. Set Ascend-Route-IP=Route-IP-Yes to enable IP routing.

  6. Set the Ascend-Dial-Number attribute to the phone number the MAX TNT dials to reach the home agent.

To set optional attributes in the foreign agent's outgoing RADIUS user profile, proceed as follows:

  1. Set the Framed-Address attribute to the home agent's IP address. If a subnet mask is in use, set the Framed-Netmask attribute as well.

  2. Set the Framed-Routing attribute to specify RIP behavior.

  3. Set the Ascend-Idle-Limit attribute to specify the number of seconds the MAX TNT waits before clearing a call when a session is inactive.

  4. Set the Ascend-PRI-Number-Type attribute to the type of phone number the MAX TNT dials.

  5. Set the Ascend-Send-Auth attribute to the authentication protocol the MAX TNT requests when initiating a PPP or MP+ connection. The answering side of the connection determines which authentication protocol, if any, the connection uses.

  6. If you request PAP or CHAP authentication, you must also specify a password with Ascend-Send-Secret or Ascend-Send-Passwd. (Use Ascend-Send-Passwd only if your version of the MAX TNT does not support Ascend-Send-Secret.)

Example of outgoing RADIUS user profile to the home agent
In Figure 8-4, the MAX TNT dials the home agent at 1-800-555-5555.

Figure 8-4. Configuring an outgoing RADIUS profile to the home agent

In this example, you would configure the user profile as follows:

Alameda-Out Password="ascend", User-Service=Dialout-Framed-User
User-Name="Alameda",
Framed-Protocol=PPP,
Ascend-Route-IP=Route-IP-Yes,
Framed-Address=10.0.100.1,
Framed-Netmask=255.255.255.0,
Framed-Routing=None,
Ascend-Idle-Limit=30,
Ascend-Dial-Number=1-800-555-5555,
Ascend-PRI-Number-Type=National-Number,
Ascend-Send-Auth=Send-Auth-PAP,
Ascend-Send-Secret="Password1"

Configuring an incoming RADIUS profile for the mobile client

You must create a RADIUS users profile for the mobile client. Proceed as follows:

  1. Set the User-Name attribute to the name of the mobile client.

  2. Set the Password attribute to the mobile client's password.

  3. Set the Framed-Protocol attribute to the type of encapsulation in use for the call.

  4. Set the Ascend-Primary-Home-Agent attribute to the system IP address or hostname of the first home agent the foreign agent tries to reach when setting up the ATMP tunnel. You can also indicate the UDP port the foreign agent uses for the link. If you specify a nondefault UDP port number in one unit's configuration, make sure that the other end of the tunnel specifies the same number.

  5. Set the Ascend-Secondary-Home-Agent attribute.

  6. Set the Ascend-Home-Agent-Password attribute to the home agent's password. You must specify the same password indicated by the home agent's Home-Agent-Password parameter in the ATMP profile.

  7. Set Ascend-Route-IP=Route-IP-Yes to enable IP routing.

  8. Set the Framed-Address attribute to the mobile client's IP address.

  9. If a subnet mask is in use on the network, set the Framed-Netmask attribute.

  10. In gateway mode, set the Ascend-Home-Network-Name attribute to the home agent's resident Connection profile. The Connection profile must have the Profile-Type parameter set to Gateway-Profile in the Tunnel-Options subprofile.

Example of mobile client configuration for IP tunneling in router mode
In Figure 8-5, the home agent is in router mode and resides at the system IP address 10.8.9.10.

Figure 8-5. A mobile client configuration

In this example, you would configure the user profile as follows:

Node1 Password="Top-secret"
Framed-Protocol=PPP,
Ascend-Route-IP=Route-IP-Yes,
Framed-Address=200.1.1.2,
Framed-Netmask=255.255.255.0,
Ascend-Primary-Home-Agent=10.8.9.10,
Ascend-Home-Agent-Password="private"
When the mobile client logs into the foreign agent with the password Top-secret, the foreign agent authenticates the mobile client. The foreign agent then looks for a profile with an IP address that matches the Ascend-Primary-Home-Agent value. When it finds such a profile, it brings up an IP connection to the home agent.

Example of mobile client configuration for IP tunneling in gateway mode
This example uses a configuration similar to the one in Figure 8-5, except that the home agent is in gateway mode and uses the Homenet Connection profile to reach the home network. You would configure the user profile as follows:

Node1 Password="Top-secret"
Framed-Protocol=PPP,
Ascend-Route-IP=Route-IP-Yes,
Framed-Address=200.1.1.2,
Framed-Netmask=255.255.255.0,
Ascend-Primary-Home-Agent=10.8.9.10,
Ascend-Home-Agent-Password="private",
Ascend-Home-Network-Name="Homenet"
Note that for an ATMP gateway mode connection, you must set Ascend-Home-Network-Name to specify the name of the home agent's Connection profile to the home network.
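A parser and consistency checker for the RADIUS users-file entries shown in this chapter (the outgoing profiles to the home agent, the router-mode and gateway-mode mobile-client profiles above, and the direct-connection profile later in the chapter), written in Python as an added example; it is not Ascend code. It reads the entry layout used here (first line: entry name plus check items; following lines: reply items with trailing commas; blank line between entries) and checks the ATMP attributes of a mobile-client entry against the home agent's ATMP profile settings. The ATMP_PROFILE dicts are an assumed representation of that profile, and the sample entries are constructed for the example (Node2 deliberately uses a non-default UDP port).

```python
"""Parse Ascend-style RADIUS users entries and check their ATMP attributes.

Added example, not Ascend code. The entry layout follows the examples in this
chapter; the dict form of the home agent's ATMP profile is an assumption.
"""
import ipaddress
import re

DEFAULT_ATMP_UDP_PORT = 5150
MAX_HOME_AGENT_PASSWORD_LEN = 20   # limit given in the attribute table

# attribute=value items, values either "quoted" or a bare token, optional trailing comma
_ITEM = re.compile(r'\s*([\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?')


def _items(text: str) -> dict:
    """Split 'A=1, B="x y",' into {'A': '1', 'B': 'x y'} (quotes stripped)."""
    out = {}
    for key, val in _ITEM.findall(text):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def parse_users(text: str) -> dict:
    """Return {entry name: {'check': {...}, 'reply': {...}}} for a users file."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name, _, first = lines[0].partition(" ")
        entries[name] = {"check": _items(first), "reply": _items(" ".join(lines[1:]))}
    return entries


def parse_home_agent(value: str):
    """'hostname | ip_address [:udp_port]' -> (host, port), port defaulting to 5150."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, DEFAULT_ATMP_UDP_PORT
    return host, int(port)


def check_mobile_client(entry: dict, atmp_profile: dict) -> list:
    """Return a list of problems; an empty list means the entry agrees with the home agent."""
    reply = entry["reply"]
    problems = []
    if "Ascend-Primary-Home-Agent" not in reply:
        return ["no Ascend-Primary-Home-Agent: not an ATMP mobile-client entry"]
    _host, port = parse_home_agent(reply["Ascend-Primary-Home-Agent"])
    if port != atmp_profile["UDP-Port"]:
        problems.append(f"UDP port {port} does not match home agent UDP-Port {atmp_profile['UDP-Port']}")
    pw = reply.get("Ascend-Home-Agent-Password", "")
    if not pw:
        problems.append("Ascend-Home-Agent-Password missing (the null default cannot authenticate)")
    elif len(pw) > MAX_HOME_AGENT_PASSWORD_LEN:
        problems.append("Ascend-Home-Agent-Password longer than 20 characters")
    elif pw != atmp_profile["Home-Agent-Password"]:
        problems.append("Ascend-Home-Agent-Password does not match home agent Home-Agent-Password")
    gateway = atmp_profile["Agent-Type"] == "Gateway-Home-Agent"
    has_net = "Ascend-Home-Network-Name" in reply
    if gateway and not has_net:
        problems.append("gateway mode requires Ascend-Home-Network-Name")
    if not gateway and has_net:
        problems.append("Ascend-Home-Network-Name is only used in gateway mode")
    if reply.get("Ascend-Route-IP") != "Route-IP-Yes":
        problems.append("Ascend-Route-IP=Route-IP-Yes required for IP tunneling")
    try:
        ipaddress.ip_address(reply["Framed-Address"])
    except (KeyError, ValueError):
        problems.append("Framed-Address missing or not an IP address")
    return problems


# Constructed sample entries in the layout used by this chapter.
SAMPLE_USERS = """\
Node1 Password="Top-secret"
Framed-Protocol=PPP,
Ascend-Route-IP=Route-IP-Yes,
Framed-Address=200.1.1.2,
Framed-Netmask=255.255.255.0,
Ascend-Primary-Home-Agent=10.8.9.10,
Ascend-Home-Agent-Password="private"

Node2 Password="Top-secret"
Framed-Protocol=PPP,
Ascend-Route-IP=Route-IP-Yes,
Framed-Address=200.1.1.3,
Framed-Netmask=255.255.255.0,
Ascend-Primary-Home-Agent=10.8.9.10:5151,
Ascend-Home-Agent-Password="private",
Ascend-Home-Network-Name="Homenet"
"""

# Assumed dict form of the home agent's ATMP profile (Agent-Type, Home-Agent-Password, UDP-Port).
ROUTER_HA = {"Agent-Type": "Router-Home-Agent", "Home-Agent-Password": "private", "UDP-Port": 5150}
GATEWAY_HA = {"Agent-Type": "Gateway-Home-Agent", "Home-Agent-Password": "private", "UDP-Port": 5150}
```

Running check_mobile_client over every entry before pushing a users file catches the two mistakes that otherwise show up only as a failed registration at step 9: a password that does not match the home agent's Home-Agent-Password, and a gateway-mode entry without Ascend-Home-Network-Name.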

Configuring the MAX TNT as a home agent

To configure the MAX TNT as a home agent, you must perform the following tasks:

Configuring the home agent's ATMP profile
Configuring an outgoing RADIUS user profile to the foreign agent
Configuring a nailed-up connection to the home network

Configuring the home agent's ATMP profile

To configure the home agent's ATMP profile, perform the following tasks at the MAX TNT configuration interface. For complete information about setting each parameter, see the MAX TNT Network Configuration Guide.

  1. Open the ATMP profile.

  2. Set Agent-Mode=Home-Agent. When you change Agent-Mode from its default of Tunnel-Disabled, you must reset the system for the new value to take effect.

  3. For a home agent in router mode, set Agent-Type=Router-Home-Agent. For a home agent in gateway mode, set Agent-Type=Gateway-Home-Agent.

  4. Set Home-Agent-Password to the value of the Ascend-Home-Agent-Password attribute in the mobile client's RADIUS user profile. All mobile client profiles that access this home agent must specify the same password for Ascend-Home-Agent-Password.

  5. Set the UDP-Port parameter to specify a UDP port number, or accept the default of 5150. A system reset is required for the ATMP subsystem to recognize the new port number. All tunnel requests to the home agent must specify the UDP port number you specify.

  6. To control the time the home agent waits between retries when attempting to establish a tunnel, set the Retry-Timeout parameter, or accept the default of 3 seconds.

    The default is appropriate for most sites. However, if the link is a dial-up connection, you might want to increase the value to allow sufficient time to establish the session. Or, if the foreign agent and home agent are on the same Ethernet segment, you might want to reduce the value to provide a quicker response to the mobile client. If the tunnel is attempted via a secondary home agent, and the secondary home agent is also unavailable, the mobile client waits twice the specified period before being informed that the connection failed.

  7. To control the maximum number of times the home agent attempts to establish a tunnel, set the Retry-Limit parameter, or accept the default of 10. The same considerations apply to the Retry-Limit parameter as the Retry-Timeout parameter.

  8. If you want to specify that the client software uses MTU discovery mechanisms to determine the maximum packet size, and fragments each packet before sending it, set the MTU-Limit parameter.

  9. If the MAX TNT operates with clients that send packets larger than the MTU-Limit, set Force-Fragmentation=Yes.

  10. To specify the number of minutes that the home agent maintains an idle tunnel before disconnecting it, set the Idle-Timer parameter to a value from 1 to 65535, or accept the default of 0 (zero). A setting of 0 (zero) disables the timer, which means that established tunnels remain connected indefinitely. The Idle-Timer setting affects only tunnels created after you set the timer.

  11. Save your changes.

Configuring an outgoing RADIUS user profile to the foreign agent

For the home agent, you must create an outgoing user profile with the foreign agent as its destination. Some steps are required, and some are optional. To set required attributes in the home agent's outgoing RADIUS user profile, proceed as follows:

  1. On the first line of the user profile, set the User-Name attribute to the name of the foreign agent, and append -Out to the user name.

  2. Next to the User-Name specification, set "ascend" as the Password value and User-Service=Dialout-Framed-User.

  3. On the second line, set the User-Name attribute to the name of the foreign agent.

  4. Set the Framed-Protocol attribute to the encapsulation type in use on the line.

  5. Set Ascend-Route-IP=Route-IP-Yes to enable IP routing.

  6. Set the Ascend-Dial-Number attribute to the phone number the MAX TNT dials to reach the foreign agent.

To set optional attributes in the home agent's outgoing RADIUS user profile, proceed as follows:

  1. Set the Framed-Address attribute to the foreign agent's IP address. If a subnet mask is in use, set the Framed-Netmask attribute as well.

  2. Set the Framed-Routing attribute to specify RIP behavior.

  3. Set the Ascend-Idle-Limit attribute to specify the number of seconds the MAX TNT waits before clearing a call when a session is inactive.

  4. Set Ascend-PRI-Number-Type to the type of phone number the MAX TNT dials.

  5. Set the Ascend-Send-Auth attribute to the authentication protocol the MAX TNT requests when initiating a PPP or MP+ connection. The answering side of the connection determines which authentication protocol, if any, the connection uses.

  6. If you request PAP or CHAP authentication, you must also specify a password with Ascend-Send-Secret or Ascend-Send-Passwd. (Use Ascend-Send-Passwd only if your version of the MAX TNT does not support Ascend-Send-Secret.)

Example of outgoing RADIUS user profile to the foreign agent
In Figure 8-6, the home agent calls the foreign agent at 1-800-555-1111.

Figure 8-6. Configuring an outgoing RADIUS profile to the foreign agent

In this example, you would configure the profile as follows:

Boston-Out Password="ascend", User-Service=Dialout-Framed-User
User-Name="Boston",
Framed-Protocol=PPP,
Ascend-Route-IP=Route-IP-Yes,
Framed-Address=10.0.100.1,
Framed-Netmask=255.255.255.0,
Framed-Routing=None,
Ascend-Idle-Limit=30,
Ascend-Dial-Number=1-800-555-1111,
Ascend-PRI-Number-Type=National-Number,
Ascend-Send-Auth=Send-Auth-PAP,
Ascend-Send-Secret="Password1"

Configuring a nailed-up connection to the home network

The home agent must have a nailed-up connection to the home network, because it does not dial the WAN connection on the basis of packets it receives through the tunnel. To configure a nailed-up connection to the home network, set Connection profile parameters at the MAX TNT configuration interface as follows:

  1. Set the Station parameter to the name of the answering unit on the home network. The value you enter must match the name specified by the Ascend-Home-Network-Name attribute in the mobile client's RADIUS user profile.

  2. Open the Tunnel-Options subprofile.

  3. For a gateway connection, set Profile-Type=Gateway-Profile. For a router connection, set Profile-Type=Mobile-Client.

  4. For a gateway connection, set Max-Tunnels to the maximum number of mobile clients that can tunnel into the home network at the same time through the connection. The default is 0 (zero), which sets no limit.

  5. Set IP-routing parameters as described in the MAX TNT Network Configuration Guide.

Tunneling ATMP between two IP networks

Typically, the mobile client at the remote end of an ATMP tunnel is a dial-in user. If the home network is an IP network, ATMP can also enable LAN-to-LAN connectivity through the tunnel. As shown in Figure 8-7, an IP router can connect as a mobile client.

Figure 8-7. ATMP tunnel between two IP networks

When configuring ATMP for LAN-to-LAN connectivity, you follow the same steps as when you configure ATMP for a dial-in user, keeping in mind the additional instructions in this section. For detailed information about configuring an ATMP tunnel, see Setting up an ATMP tunnel for an IP network.

The MAX TNT handles routes to and from the mobile client's LAN in different ways, depending on whether the home agent is in router mode or gateway mode.

Home agent in router mode

If the home agent connects directly to the home network, you must set Proxy-Mode=Always in the IP-Global profile so that the home agent can respond to ARP requests for the mobile client.

If the home agent does not connect directly to the home network, the situation is the same as for any remote network. You must enable the router to learn about routes through dynamic updates, or you must configure static routes. The mobile client always requires static routes to the home agent as well as to other networks it reaches through the home agent. (It cannot learn routes from the home agent.)

Home agent in gateway mode

If the home agent forwards packets from the mobile client across a nailed-up WAN link to the home IP network, the answering unit on the home network must have a static route to the mobile client's LAN. In addition, because the mobile client and the home agent do not exchange routing information, the mobile client's LAN can only support local subnets that fall within the network specified in the RADIUS entry.

For example, a mobile-node router at the address 10.168.6.21/28 could support two subnets with a subnet mask of 255.255.255.248. One subnet is at the 10.168.6.16 address, and the other is at the 10.168.6.24 address. The answering unit on the home network would have only one route to the router itself (10.168.6.21/28).
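A check for the gateway-mode rule just described, added here as an example (not Ascend code): because no routing information crosses the tunnel, every subnet behind a mobile-client router must fall inside the network given by the RADIUS Framed-Address and Framed-Netmask, and the answering unit on the home network needs only the one route to that network. The router address and the two /29 subnets are the values from the text; the two subnets that do not fit are constructed.

```python
"""Check which LAN subnets a mobile-client router can offer through a
gateway-mode ATMP tunnel. Added example, not Ascend code."""
import ipaddress


def client_network(framed_address: str, framed_netmask: str) -> ipaddress.IPv4Network:
    """The network the home side knows about: the single route to the router itself."""
    return ipaddress.ip_network(f"{framed_address}/{framed_netmask}", strict=False)


def static_route_for_home_side(framed_address: str, framed_netmask: str) -> str:
    """The one static route the answering unit on the home network needs."""
    return str(client_network(framed_address, framed_netmask))


def classify_subnets(framed_address: str, framed_netmask: str, lan_subnets: list):
    """Return (reachable, unreachable) lists of the mobile client's LAN subnets.

    A subnet is reachable only if it lies entirely within the RADIUS network;
    a larger network that merely overlaps it is not, because the home side
    has no route to the part outside Framed-Address/Framed-Netmask.
    """
    net = client_network(framed_address, framed_netmask)
    reachable, unreachable = [], []
    for s in lan_subnets:
        sub = ipaddress.ip_network(s, strict=True)
        (reachable if sub.subnet_of(net) else unreachable).append(str(sub))
    return reachable, unreachable
```

For the router at 10.168.6.21/28 (netmask 255.255.255.240) the home side's route is 10.168.6.16/28, and 10.168.6.16/29 and 10.168.6.24/29 are the only two /29 subnets that fit inside it.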

Setting up the MAX TNT as a multimode agent

You can configure the MAX TNT to act as a home agent or a foreign agent on a tunnel-by-tunnel basis. Figure 8-8 shows a typical network topology.

Figure 8-8. MAX TNT acting as both home agent and foreign agent

To configure the MAX TNT to act as a foreign agent and home agent on a tunnel-by-tunnel basis, you set up RADIUS as described in Setting up an ATMP tunnel for an IP network. When setting up the ATMP profile, however, you must perform the following tasks at the MAX TNT configuration interface:

  1. Open the ATMP profile.

  2. Set Agent-Mode=Home-and-Foreign-Agent to specify that the MAX TNT will function as both a home agent and foreign agent on a tunnel-by-tunnel basis.

  3. Set the Agent-Type parameter to Router-Home-Agent or Gateway-Home-Agent, as appropriate.

  4. Set the Home-Agent-Password parameter to the password the mobile client must specify when the unit acts as its home agent.

  5. Set the Retry-Limit, Retry-Timeout, UDP-Port, MTU-Limit, Force-Fragmentation, and Idle-Timer parameters, as appropriate. For more information, see Configuring the foreign agent's ATMP profile and Configuring the home agent's ATMP profile.

  6. Save your changes.

Setting up ATMP to bypass a foreign agent

If a home agent MAX TNT has the appropriate RADIUS entry for a mobile client, the mobile client can connect directly to the home agent, bypassing the foreign agent entirely.

An ATMP-based RADIUS entry local to the home agent enables the mobile client to bypass a foreign agent connection, but it does not preclude a foreign agent. If both the home agent and the foreign agent have local RADIUS entries for the mobile client, the node can choose between a direct connection or a tunneled connection through the foreign agent, as illustrated in Figure 8-9.

Figure 8-9. Bypassing a foreign agent

Following is an example of how to configure a RADIUS user profile that authenticates a mobile IP client connecting directly to a home agent in gateway mode:

Mobile-IP Password="unit"
User-Service=Framed-User,
Ascend-Route-IP=Route-IP-Yes,
Framed-Address=10.0.100.1,
Framed-Netmask=255.255.255.0,
Framed-Protocol=PPP,
Ascend-Primary-Home-Agent=200.168.6.18,
Ascend-Home-Network-Name="Dave's MAX TNT",
Ascend-Home-Agent-Password="Pipeline"
If the home agent were in router mode, you would not include the line containing Ascend-Home-Network-Name in the user entry. The Ascend-Home-Network-Name attribute specifies the name of the answering unit across the WAN on the home network.




techpubs@eng.ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.