GPRS dial-in depends on some server-side infrastructure:
Gateway GPRS Support Node
For the Computer labs, there are two GGSNs, owned and operated by
Vodafone, on their GPRS network. They gateway traffic from the GPRS
phone to the lab VPN.
VPN
Traffic from the GGSN is tunneled over an IPSec connection back to the
Lab's routers. Here is an excerpt from the Cisco configuration that
makes this happen:
!
! Heathrow configuration file excerpt
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
! Key to use when talking to Vodafone peer
crypto isakmp key ******** address vvv.vvv.vvv.vvv
!
crypto ipsec transform-set vf-ts esp-des esp-md5-hmac
!
! Set up crypto map for Vodafone peer
crypto map vf-cmap local-address Loopback1
crypto map vf-cmap 1 ipsec-isakmp
 set peer vvv.vvv.vvv.vvv
 set security-association lifetime seconds 86400
 set transform-set vf-ts
 match address 191
!
access-list 191 permit ip any 128.232.98.0 0.0.1.255
!
! This is the address we tell our Vodafone IPSec peer about
! Using a Loopback interface address will let us move it later if necessary
interface Loopback1
 ip address 128.232.XXX.XXX 255.255.255.255
 no ip directed-broadcast
!
! The following is a hack to cause us to advertise a route to 128.232.98/23
! over OSPF, otherwise traffic may bypass us. (It must go down IPSec tunnel)
interface Loopback2
 ip address 128.232.99.254 255.255.254.0
 no ip directed-broadcast
 ip ospf network point-to-point
 crypto map vf-cmap
!
! This is our main external interface via the CUDN
interface Vlan99
 description Vlan cudn-backbone 131.111.2.0/24
 ip address 131.111.2.100 255.255.255.0
 ip access-group vlan99-in in
 ip access-group vlan99-out out
 no ip redirects
 no ip directed-broadcast
 ip pim sparse-dense-mode
 ip ospf cost 20
 ip sdr listen
 crypto map vf-cmap
!
! This is the heathrow-gatwick router link. We need the crypto map in
! case gatwick loses direct backbone connectivity and falls over to this link
interface Vlan191
 description Vlan inter-router 128.232.96.32/28
 ip address 128.232.96.36 255.255.255.240
 no ip directed-broadcast
 ip ospf cost 5
 crypto map vf-cmap
!
ip access-list extended vlan99-in
 permit ip 128.232.98.0 0.0.1.255 any
 permit tcp any any established
 ...
ip access-list extended vlan99-out
 ...
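A review check for the excerpt above, as an added example that is not part of the original page or the Lab's tooling: it flags the DES and MD5 settings and confirms that the wildcard mask in access-list 191 selects the same /23 that Loopback2 advertises. The function names are hypothetical, and the values filled in for settings the ISAKMP policy leaves unset (DES, DH group 1) are assumed classic IOS defaults.

```python
import ipaddress
import re

# Constructed sample: crypto-relevant lines copied from the excerpt above.
CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto ipsec transform-set vf-ts esp-des esp-md5-hmac
access-list 191 permit ip any 128.232.98.0 0.0.1.255
interface Loopback2
 ip address 128.232.99.254 255.255.254.0
"""

# Assumption: classic IOS defaults for values an ISAKMP policy leaves unset.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK_ISAKMP = {("encryption", "des"), ("hash", "md5"), ("group", "1")}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac"}

def sections(text):
    """Group IOS lines into [header, [indented sub-commands]] pairs."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            out.append([line.strip(), []])
    return out

def audit(text):
    """Return (weak-crypto findings, crypto ACL networks, interface networks)."""
    findings, acl_nets, if_nets = [], {}, {}
    for head, subs in sections(text):
        words = head.split()
        if head.startswith("crypto isakmp policy "):
            policy = dict(ISAKMP_DEFAULTS)
            policy.update(s.split()[:2] for s in subs if s.split()[0] in policy)
            findings += [f"isakmp {k} {v}" for k, v in policy.items() if (k, v) in WEAK_ISAKMP]
        elif head.startswith("crypto ipsec transform-set "):
            findings += [f"transform-set {words[3]} {t}" for t in words[4:] if t in WEAK_TRANSFORMS]
        elif m := re.fullmatch(r"access-list (\d+) permit ip any (\S+) (\S+)", head):
            # ipaddress accepts a Cisco wildcard (host) mask after the slash
            acl_nets[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}")
        elif words[0] == "interface":
            for s in (s for s in subs if s.startswith("ip address ")):
                if_nets[words[1]] = ipaddress.ip_interface("/".join(s.split()[2:4])).network
    return findings, acl_nets, if_nets

if __name__ == "__main__":
    print(*audit(CONFIG), sep="\n")
```

On the excerpt this reports five weak settings, three of them coming from the ISAKMP policy because encryption and DH group are not set explicitly there.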
RADIUS
The authentication data that your computer passes to
the phone over CHAP or PAP is used to authenticate against a RADIUS
server (mob.cl.cam.ac.uk). A sample configuration for radiusd is here.
This work is made possible by the support of
and