Step 1: Prepare for Deployment

Before the deployment can begin, it is important to gather all needed hardware, software, and parameters in advance.

Prerequisites

  • Create a reference diagram that shows the logical topology.

  • Review the TNSR Zero-to-Ping documentation.

  • Whenever possible, get a static public IP address for the remote office TNSR.

  • If needed, set up DHCP pass-through (public IP) or set a DMZ host on the ISP Modem.

  • Management (web login, admin access) of the ISP modem.

Notes

  • IPsec tunnels work best on a static and public IP address.

  • NAT-T is not currently supported on TNSR.

  • Some dynamic ISP services may provide a relatively stable IP address but this will break the IPsec tunnel if the IP address changes.

Reference Diagram

Create and maintain a reference diagram to support the deployment, as shown in the example below:

TNSR remote office reference diagram

TNSR remote office reference diagram

Remote Office Deployment Parameters

Define and document the deployment parameters for the initial remote office setup, as shown in the example below:

Base Deployment Parameters

Parameter

Value

TNSR Hostname

siteX-rtr1

TNSR Outside Interface IP

192.168.0.53/24

TNSR Outside Public IP

203.0.113.65/24

Guest LAN Name

guest220

Guest LAN IP

192.168.220.1/24

Guest DHCP Range

100-199

Guest DNS IP

1.1.1.1,9.9.9.9

Corporate LAN Name

corp89

Corporate LAN IP

172.21.89.1/24

Corporate DHCP Range

100-199

Corporate DNS IP

10.10.10.75,1.1.1.1

In this example, the Remote Office is deployed behind an ISP cable modem performing NAT.

  • TNSR Outside IP is different than the ISP Modem Public IP address

  • ISP cable modem provides NAT for inside devices, which includes the TNSR outside inteface

  • IPsec uses IP Protocol 50 (ESP) to transfer encrypted payload

    • ISP cable modem may need to be configured for DMZ host set to TNSR outside IP address or inbound ESP traffic may be dropped

IPsec VPN Tunnel Parameters

Define and document the parameters for the corporate IPsec tunnel and IP routing configuration, as shown in the example below:

IPsec VPN Tunnel Parameters

Parameter

Value

TNSR Outside IP

192.168.0.53/24

TNSR Public IP

203.0.113.65/24

IPsec Tunnel Peer IP

198.51.100.120

IPsec Tunnel ID

108

IPsec IKEv2 Crypto

AES128/SHA1/DH14

IPsec IKEv2 Authen

PRE-SHARED-KEY

IPsec Child SA Crypto

AES128GCM16/DH14

IPsec Tunnel IP

172.21.254.30/30

IPsec Tunnel Next-hop

172.21.254.29

Corporate IP Block

10.0.0.0/8