Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Configuring 3G Wireless Modems for WAN Connections

 

The topics below discuss the overview and configuration of 3G Wireless Modem, dialer interface, and 3G Wireless Modem physical interface.

3G Wireless Modem Overview

3G refers to the third generation of mobile phone standards and technology based on the International Telecommunication Union (ITU) International Mobile Telecommunications-2000 (IMT-2000) global standard. 3G networks are wide area cellular telephone networks that have evolved to include high-data rate services of up to 3 Mbps. This increased bandwidth makes 3G networks a viable option as primary or backup wide area network (WAN) links for a branch office.

Juniper Networks security devices support 3G wireless interfaces (USB-based 3G modems). When used in a branch office, these devices can provide dial-out services to PC users and forward IP traffic through a service provider’s cellular network.

Figure 1 illustrates a basic setup for 3G wireless connectivity for two branch offices. Branch Office A has a T1 leased line as the primary wide area network (WAN) link and a 3G wireless modem connection as the failover link. Branch Office B uses the 3G wireless modem connection as the primary WAN link.

Figure 1: Wireless WAN Connections for Branch Offices
Wireless WAN Connections for Branch Offices

3G Wireless Modem Configuration Overview

Before you begin:

  1. Install your SRX Series device and establish basic connectivity for your device. For more information, see the SRX Series Hardware Guide for your device.
  2. Obtain a supported 3G wireless modem card for the device.
  3. Establish an account with a cellular network service provider. Contact your service provider for more information.
  4. With the services gateway powered off, insert the 3G wireless modem card into the ExpressCard slot (SRX320 devices) or 3G USB modems (SRX300 devices). Power on the device. The EXPCARD LED (for SRX320) and 3G LED (SRX320) on the front panel of the device indicates the status of the 3G wireless modem interface.Warning

    The device must be powered off before you insert the 3G wireless modem card in the ExpressCard slot (SRX320) or integrated 3G USB modem (SRX320). Do not insert or remove the card when the device is powered on.

To configure and activate the 3G wireless modem card:

  1. Configure a dialer interface. See Example: Configuring the Dialer Interface.
  2. Configure the 3G wireless modem interface. See Example: Configuring the 3G Wireless Modem Interface.
  3. Configure security zones and policies, as needed, to allow traffic through the WAN link. See Example: Creating Security Zones.

To use the 3G USB modems on the SRX210 device:

  1. Upgrade the BIOS software packaged inside the Junos OS image. For detailed information about BIOS upgrade procedures, see the Software Installation and Upgrade Guide. Note

    You need the BIOS version of 2.1 or higher to use the 3G USB modems on the SRX210 device.

  2. Configure the WAN port using the CLI command set chassis routing-engine usb-wwan port 1 to enable the USB port to use the U319 USB modem.
  3. Plug the 3G USB modem in to the appropriate USB slot (USB port 1) on the device.Note

    You can use the USB modem with a standard USB extension cable of 1.8288 meters (6 ft) or longer.

  4. Reboot the device to start using the 3G USB modem.

Understanding the Dialer Interface

The dialer interface, dln, is a logical interface for configuring properties for modem connections. You can configure multiple dialer interfaces on an SRX Series device. A dialer interface and a dialer pool (which includes the physical interface) are bound together in a dialer profile.

The dialer interface for 3G wireless modems is no longer supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices.

This topic contains the following sections:

Dialer Interface Configuration Rules

The following rules apply when you configure dialer interfaces for 3G wireless modem connections:

  • The dialer interface must be configured to use the default Point-to-Point Protocol (PPP) encapsulation. You cannot configure Cisco High-Level Data Link Control (HDLC) or Multilink PPP (MLPPP) encapsulation on dialer interfaces.

  • You cannot configure the dialer interface as a constituent link in a multilink bundle.

  • You cannot configure any dial-in options for the dialer interface.

You configure the following for a dialer interface:

  • A dialer pool to which the physical interface belongs.

  • Source IP address for the dialer interface.

  • Dial string (optional) is the destination number to be dialed.

  • Authentication, for GSM HSDPA 3G wireless modem cards.

  • Watch list, if the dialer interface is a backup WAN link.

With GSM HSDPA 3G wireless modem cards, you might need to configure PAP or CHAP for authentication with the service provider network. The service provider must supply the username and password, which you configure in an access profile. You then specify the access profile in a dialer interface.

Next you set the dialer interface as a backup WAN link to a primary interface. Then you create a dialer watch to enable the device to monitor the route to a head office router and set a dialer pool. Finally, you create a dialer filter firewall rule for traffic from the branch office to the main office router and associate the dialer filter with a dialer interface.

Dialer Interface Authentication Support for GSM HSDPA 3G Wireless Modems

For GSM HSDPA 3G wireless modems, you configure a dialer interface to support authentication through Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP).

CHAP is a server-driven, three-step authentication method that depends on a shared secret password that resides on both the server and the client. When you enable CHAP on a dialer interface, the device can authenticate its peer and be authenticated by its peer.

PAP allows a simple method for a peer to establish its identity using a two-way handshake during initial link establishment. After the link is established, an identification and password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated.

Dialer Interface Functions

The dialer interface can perform backup, dialer filter, and dialer watch functions, but these operations are mutually exclusive. You can configure a single dialer interface to operate in only one of the following ways:

  • As a backup interface for a single primary WAN connection. The dialer interfaces are activated only when the primary interface fails. The 3G wireless modem backup connectivity is supported on all interfaces except lsq-0/0/0.

  • As a dialer filter. The Dialer filter enables the 3G wireless modem connection to be activated only when specific network traffic is sent on the backup WAN link. You configure a firewall rule with the dialer filter option, and then apply the dialer filter to the dialer interface.

  • As a dialer watch interface. With dialer watch, the SRX Series device monitors the status of a specified route and if the route disappears, the dialer interface initiates the 3G wireless modem connection as a backup connection. To configure dialer watch, you first add the routes to be monitored to a watch list in a dialer interface; specify a dialer pool for this configuration. Then configure the 3G wireless modem interface to use the dialer pool.

Dialer Interface Operating Parameters

You can also specify optional operating parameters for the dialer interface:

  • Activation delay—Number of seconds after the primary interface is down before the backup interface is activated. The default value is 0 seconds, and the maximum value is 60 seconds. Use this option only if dialer watch is configured.

  • Deactivation delay—Number of seconds after the primary interface is up before the backup interface is deactivated. The default value is 0 seconds, and the maximum value is 60 seconds. Use this option only if dialer watch is configured.

  • Idle timeout—Number of seconds the connection remains idle before disconnecting. The default value is 120 seconds, and the range is from 0 to 4,294,967,295 seconds.

  • Initial route check—Number of seconds before the primary interface is checked to see if it is up. The default value is 120 seconds, and the range is from 1 to 300 seconds.

Example: Configuring the Dialer Interface

This example shows how to configure the dialer interface for 3G wireless modem connections.

The dialer interface for 3G wireless modems is no longer supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices.

Requirements

Before you begin, install your SRX Series device and establish basic connectivity for your device. See 3G Wireless Modem Configuration Overview.

Overview

In this example, you first configure the dialer interface as dl0, specify the PPP encapsulation dialer pool as 1, specify the dial string as 14691, and negotiate the address option for the interface IP address.

Configuration

Configuring a Dialer Interface

CLI Quick Configuration

To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

  1. Set the interface and specify the PPP encapsulation, dialer pool, and dial string.
  2. Set the negotiate address option for the interface IP address.

Results

From configuration mode, confirm your configuration by entering the show interfaces dl0 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring PAP on the Dialer Interface

CLI Quick Configuration

To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

  1. Configure a PAP access profile.
  2. Associate the PAP access profile with a dialer interface.

Results

From configuration mode, confirm your configuration by entering the show interfaces dl0 and show access profile pap-1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring CHAP on the Dialer Interface

CLI Quick Configuration

With GSM HSDPA 3G wireless modem cards, you may need to configure CHAP for authentication with the service provider network. The service provider must supply the username and password, which you configure in an access profile. You then specify this access profile in a dialer interface.

To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

  1. Configure a CHAP access profile.
  2. Associate the CHAP access profile with a dialer interface.

Results

From configuration mode, confirm your configuration by entering the show access profile chap-1 and show interfaces dl0 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring the Dialer Interface as a Backup WAN Connection

CLI Quick Configuration

To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

  1. Set interface back up option.

Results

From configuration mode, confirm your configuration by entering the show interfaces ge-0/0/1 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring Dialer Watch for the 3G Wireless Modem Interface

CLI Quick Configuration

To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

  1. Create a dialer watch.
  2. Set a dialer pool.

Results

From configuration mode, confirm your configuration by entering the show interfaces dl0 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring a Dialer Filter for the 3G Wireless Modem Interface

CLI Quick Configuration

To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

  1. Associate the dialer filter with a dialer interface.
  2. Check your other changes to the configuration before committing.

Results

From configuration mode, confirm your configuration by entering the show firewall command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Configuration

Purpose

Verify the configuration output.

Action

Verify the configuration output by entering the show interfaces command.

Understanding the 3G Wireless Modem Physical Interface

You configure two types of interfaces for 3G wireless modem connectivity—the physical interface and a logical dialer interface.

The physical interface for the 3G wireless modem uses the name cl-0/0/8. This interface is automatically created when a 3G wireless modem is installed in the device.

The 3G wireless modem physical interface is no longer supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices.

You configure the following properties for the physical interface:

  • A dialer pool to which the physical interface belongs and the priority of the interface in the pool. A physical interface can belong to more than one dialer pool. The dialer pool priority has a range from 1 to 255, with 1 designating the lowest-priority interfaces and 255 designating the highest-priority interfaces.

  • Modem initialization string (optional). These strings begin with AT and execute Hayes modem commands that specify modem operation.

  • GSM profile for establishing a data call with a GSM cellular network.

By default, the modem allows access to networks other than the home network.

Example: Configuring the 3G Wireless Modem Interface

This example shows how to configure the 3G wireless modem interface.

The 3G wireless modem physical interface is no longer supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices.

Requirements

Before you begin, configure a dialer interface. See Example: Configuring the Dialer Interface.

Overview

In this example, you configure the physical interface as cl-0/0/8 for the 3G wireless modem to use dialer pool 1 and set the priority for the dialer pool to 25. You also configure a modem initialization string to autoanswer after two rings.

Configuration

Step-by-Step Procedure

To configure the 3G wireless modem interface:

  1. Specify the dialer pool.
  2. Specify the modem options.
  3. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show interfaces cl-0/0/8 modem options command.

Understanding the GSM Profile

To allow data calls to a Global System for Mobile Communications (GSM) network, you must obtain the following information from your service provider:

  • Username and password

  • Access point name (APN)

  • Whether the authentication is Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP)

You configure this information in a GSM profile associated with the 3G wireless modem physical interface. You can configure up to 16 different GSM profiles, although only one profile can be active at a time.

Note

You also need to configure a CHAP or PAP profile with the specified username and password for the dialer interface.

Subscriber information is written to the Subscriber Identity Module (SIM) on the GSM HSDPA 3G wireless modem card. If the SIM is locked, you must unlock it before activation by using the master subsidy lock (MSL) value given by the service provider when you purchase the cellular network service.

Some service providers may preload subscriber profile information on a SIM card. The assigned subscriber information is stored in profile 1, while profile 0 is a default profile created during manufacturing. If this is the case, specify profile 1 for the GSM profile associated with the 3G wireless modem physical interface.

Configuring the information in a GSM profile associated with the 3G wireless modem physical interface is no longer supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices.

Example: Configuring the GSM Profile

This example shows how to configure the GSM profile for the 3G wireless modem interface with service provider networks such as AT&T and T-Mobile.

Note

Configuring the information in a GSM profile associated with the 3G wireless modem physical interface is no longer supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices.

Requirements

Before you begin:

Overview

In this example, you configure the following information provided by a service provider in a GSM profile called juniper99 that is associated with the 3G wireless modem physical interface cl-0/0/8:

  • Username—juniper99

  • Password—1@#6ahgfh

  • Access point name (APN)—apn.service.com

  • Authentication method—CHAP

Then you activate the profile by specifying the profile ID as profile-id 1.

Configuration

Step-by-Step Procedure

To configure a GSM profile for the 3G wireless modem interface:

  1. Create a GSM profile.
  2. Activate the profile.
  3. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show interfaces cl-0/0/8 command.

Unlocking the GSM 3G Wireless Modem

The subscriber identity module (SIM) in the GSM 3G wireless modem card is a detachable smart card. Swapping out the SIM allows you to change the service provider network, however some service providers lock the SIM to prevent unauthorized access to the service provider's network. If this is the case, you will need to unlock the SIM by using an personal identification number (PIN), a four-digit number provided by the service provider.

Note

Unlocking the SIM in a 3G wireless modem card is not supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices.

Before you begin, obtain the PIN from the service provider.

Use the CLI operational mode command to unlock the SIM on the GSM 3G wireless modem card.

This example uses the PIN 3210 from the service provider.

To unlock the SIM on the GSM 3G wireless modem card:

user@host> request modem wireless gsm sim-unlock cl-0/0/8 pin 3210

A SIM is blocked after three consecutive failed unlock attempts; this is a security feature to prevent brute force attempts to unlock the SIM. When the SIM is blocked, you need to unblock the SIM with an eight-digit PIN unlocking key (PUK) obtained from the service provider.

To unlock the SIM automatically on reboot:

user@host# set interfaces cl-0/0/8 cellular-options gsm-options sim-unlock-code
user@host#
Note

On SRX300, SRX320 devices, when you power on or reboot the device, the Subscriber Identity Module (SIM) will be locked. If the SIM Personal Identification Number (PIN) or the unlock code is configured in the set interfaces cl-0/0/8 cellular-options gsm-options sim-unlock-code configuration command, then Junos OS attempts to unlock the SIM only once. This is to keep the SIM from being blocked. If the SIM is blocked, you must provide a PIN Unblocking Key (PUK) obtained from the service provider. If the wrong SIM PIN is configured, the SIM will remain locked, and the administrator can unlock it by using the remaining two attempts.

Use the CLI operational mode command to unblock the SIM.

This example uses the PUK 76543210 from the service provider.

To unblock the SIM:

user@host> request modem wireless gsm sim-unblock cl-0/0/8 puk 76543210
Note

If you enter the PUK incorrectly ten times, you will need to return the SIM to the service provider for reactivation.