Mobile subscription with CAA option

  • Good day

    We use UMTS routers for business, to which we set up an OpenVPN tunnel from a Windows PC in order to be able to remotely maintain the technical devices that are connected to the LAN interface of the UMTS router. This requires a SIM card with a CAA option; the CAA option ensures that the UMTS router is assigned a dynamic, public IP address. In conjunction with a DynDNS service, the mobile UMTS router can be reached directly “from outside” (via the Internet), which is the prerequisite for the VPN tunnel to be set up.

    We have now been informed by Swisscom that the CAA option is on the verge of extinction, that the service will be supported for a maximum of 2 years and that there is no successor solution.

    Does anyone know this problem too?

    Is there such a solution consisting of SIM cards with a public IP address from other telecom providers (e.g. Sunrise)?

    I would be happy to receive feedback.


    It is commendable that an encrypted VPN tunnel is used for remote maintenance. However, the VPN tunnel is set up in the wrong direction. Today the Windows PC acts as a VPN client and the UMTS router as a VPN server. The VPN client sets up the VPN tunnel to the VPN server. This is only possible if the VPN server has a public IPv4 address OR the VPN tunnel is implemented entirely over IPv6.

    I recommend installing a network component as a VPN server at the company headquarters and operating this VPN server with a public, fixed IPv4 address. The UMTS router is reconfigured so that it acts as a VPN client and automatically establishes the encrypted VPN tunnel to the VPN server as soon as there is an Internet connection via mobile communications. With this solution, the UMTS router can be operated with a private IPv4 address and the CAA option is no longer needed.

    Ideally, a modern and secure VPN tunnel solution with IKEv2/IPSec compliant with BSI TR-02102-3 is implemented. For reasons of availability, the VPN server at the company headquarters should be set up redundantly. So two VPN servers on two different network components with different Internet connections. See also:

    [https://www.lancom-forum.de/fragen-zum-thema-vpn-f14/vpn-via-android-client-t17229.html#p97795](https://www.lancom-forum.de/fragen-zum-thema-vpn-f14/vpn-via-android-client-t17229.html#p97795)

    [https://www.lancom-forum.de/fragen-zum-thema-vpn-f14/redundante-ipsec-ikev1-site2site-vpn-connection-mi-t17269.html#p97989](https://www.lancom-forum.de/fragen-zum-thema-vpn-f14/redundante-ipsec-ikev1-site2site-vpn-connection-mi-t17269.html#p97989)

    [https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr02102/index_htm.html](https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr02102/index_htm.html)

    A Raspberry Pi can already function as a VPN server. See:

    [https://www.lancom-forum.de/fragen-zur-lancom-systems-routern-und-gateways-f41/vdsl-umzug-glasfarben-neuer-router-t17926.html#p101750](https://www.lancom-forum.de/fragen-zur-lancom-systems-routern-und-gateways-f41/vdsl-umzug-glasfarben-neuer-router-t17926.html#p101750)

    In general on the topic of “security” when using the CAA option, see also:

    [https://community.swisscom.ch/t5/Mobile/Corporate-Application-Access-Public-IP-auf-Mobile-Abo-sicherheit/m-p/716787#M10397](https://community.swisscom.ch/t5/Mobile/Corporate-Application-Access-Public-IP-auf-Mobile-Abo-sicherheit/m-p/716787#M10397)
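    The reversed tunnel direction recommended above, as an added strongSwan `swanctl.conf` example that is not part of the original post or of any vendor documentation: the UMTS/LTE router, which only has a private mobile IP address, initiates an IKEv2/IPsec tunnel to a VPN server at headquarters that has a fixed public IPv4 address. Host names, identities, subnets and certificate file names are assumed placeholders; the cipher suite (AES-256-GCM, SHA-384 PRF, ECP-384 DH) is of the kind BSI TR-02102-3 recommends.

    ```conf
    # --- UMTS/LTE router (initiator): /etc/swanctl/swanctl.conf ---
    # The router holds only a private mobile IP; it dials out, nothing must reach it inbound.
    connections {
        hq {
            version      = 2                          # IKEv2 only
            remote_addrs = vpn.example.com            # HQ server with fixed public IPv4 (assumed name)
            encap        = yes                        # force UDP/4500 encapsulation through carrier NAT
            mobike       = yes                        # keep the SA alive when the mobile IP changes
            dpd_delay    = 30s                        # notice a dead peer on the mobile link
            proposals    = aes256gcm16-prfsha384-ecp384
            local {
                auth  = pubkey
                certs = router1Cert.pem               # placeholder certificate file
                id    = router1.example.com
            }
            remote {
                auth = pubkey
                id   = vpn.example.com                # pin the server's certificate identity
            }
            children {
                devices {
                    local_ts      = 192.168.10.0/24   # LAN with the maintained devices (assumed)
                    remote_ts     = 10.0.0.0/8        # HQ network (assumed)
                    esp_proposals = aes256gcm16-ecp384
                    start_action  = start             # bring the tunnel up as soon as the link exists
                    dpd_action    = restart           # rebuild after a mobile dropout
                    close_action  = start             # re-establish if the server side closes it
                }
            }
        }
    }
    ```

    The server side mirrors this with `local_ts` and `remote_ts` swapped, `remote_addrs = %any` (the router's address is dynamic, so it is identified by its certificate, not its IP) and `start_action = none`, so that only the router ever initiates.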


    @Grand Dixance

    First of all, I would like to thank you for your answer.

    However, it doesn’t answer my question about the CAA option, which is a shame.

    Just this much:

    Configuring the UMTS router as a VPN client is not an option for us, as technicians (RoadWarriors) only set up an end-to-site VPN tunnel to the UMTS router and the network behind it with technical equipment for remote maintenance purposes if necessary.

    But if anyone knows anything about the CAA option, please let me know!

    13 days later

    So, I want to quickly tell you the end of the story.

    The CAA option was no longer available through Swisscom, so we have now (and will continue to do so in the future…) purchased a mobile data subscription from Sunrise. Then we called Sunrise Business Support and asked them to enable the remote APN option so that a public IP address can be assigned to the mobile subscription that has been purchased.

    After 5 minutes everything was done, VPN access to the remote LTE industrial router works perfectly.

    Bye-bye Swisscom…


    @the Wanderer wrote:

    Purchased a mobile data subscription from Sunrise. Then we called Sunrise Business Support and asked them to enable the remote APN option so that a public IP address can be assigned to the mobile subscription that has been purchased.

    After 5 minutes everything was done, VPN access to the remote LTE industrial router works perfectly.

    Bye-bye Swisscom…
    Top performance Sunrise!

    a year later

    Hello everyone

    I have a similar problem, but it affects me semi-privately and not in a large business network. I have devices that I use externally from time to time and to which I would like to establish a remote desktop connection in an emergency.

    Since I don’t have a large company network, I would like to solve this as simply as possible. I have a small 4G hotspot which I provide with my mobile device. There is a multi-SIM card from my Swisscom subscription in it.

    Now I have read that due to the missing CAA option it is only possible to configure the external device as a VPN client. At home I have a normal Swisscom Internet Box 2. Should a VPN server configuration be possible there?

    If everything works out that I configure the VPN server on the box at home and the client on the device, is it then also possible to access the client outside from a computer on my home network via remote desktop, i.e. in the opposite direction?

    Thank you very much for your tips

    Greeting

    Samuel


    @Selmau

    If you configure the VPN server on the IB2 and store the correct associated L2TP access definitions on an external client, it can access your home network (whether from a third-party WLAN, the mobile network or via your provided 4G hotspot).

    What won’t work is accessing the external VPN client from your home network, because this is not supported by a remote access VPN server.

    The question may still be, why do you even want to access the VPN client?

    If it’s about remote support for an external user, you might have to discuss other suitable tools such as AnyDesk or TeamViewer.


    Hobby nerd with no commercial ties to Swisscom

    The reason why is exactly that with remote access, in case there is a problem or I need to adjust something externally.

    The problem is that the users who need the devices externally do not have much computer knowledge and a kind of kiosk system is running in the foreground, so I have to be able to access the device without the influence of those present on site.


    @Selmau

    If remote control of a Windows PC via the Internet would help you, take a closer look at the free AnyDesk software and the corresponding instructions.

    You can also just do a few tests with it.


    Hobby nerd with no commercial ties to Swisscom

    a year later

    But not with new subscriptions anymore, as far as I know.

    Or to put it another way, when did you get your subscription with the CAA option?

    Thanks in advance for your feedback.


    Had contact with Swisscom today. At first they didn’t want to know about this CAA option and only when they pointed out that this is often mentioned in their forum did the following come up:

    “Officially” only works with pure data subscriptions or with an SME subscription… Probably not all customers are treated equally…

    Even if you’ve been a customer for almost 20 years, you should take out a new subscription. Well, I’ll probably do the same, but I don’t think I’m with Swisscom anymore… So much for this topic…


    Thanks for your answer.

    Aha, that no longer sounds like a complete rejection.

    We used around 5 pure data subscriptions including the CAA option for business purposes, but when we wanted to purchase 2 additional business data subscriptions around 2 years ago, we were rejected with the words: “This service will only be continued with existing contracts, but can no longer be subscribed to with new subscriptions.”

    We then recommended that our customers switch to Sunrise, where this option is called “Remote APN”.

    Maybe I need to talk to our Swisscom contact again to see whether there has been a slight rethink at Swisscom in the meantime…

    5 months later

    The CAA service is still available. I started using a VPN service (Windows / iOS and TP-Link LTE router with multi-device card) today (December 31, 2021). Subscribing to the service was super quick via the Swisscom hotline; the service (CHF 5.00 for main and all multi-device cards) was activated and usable after 10 minutes and also works with data roaming abroad.

    2 months later

    I was just in contact with Swisscom Chat and they wanted to tell me that a public IPv4 address was not necessary for VPN access according to their experts.

    Great experts, dear Swisscom. 😂


    @cybi wrote:

    I was just in contact with Swisscom Chat and they wanted to tell me that a public IPv4 address was not necessary for VPN access according to their experts.

    Great experts, dear Swisscom. 😂

    By the way, he’s not entirely wrong: assuming you have the full native dual stack with IPv6 on the Internet box and Swisscom’s handling of native IPv6 is also transparent for the customer, and you have a VPN server available which also supports IPv6, and the whole thing actually works in practice in combination with all the components on a Swisscom connection, then and only then do you actually not need a public IPv4 address.

    What your chat contact said is absolutely correct if you replace one simple problem with three complicated problems.

    It’s all a question of context.

    P.S.:

    By the way, it’s still a laboratory project for myself at the moment, but so far I’m still looking for internal Swisscom technical details…

    Somehow the internal IPv6 specialists, who will certainly exist somewhere either at Swisscom directly or at their software suppliers, simply do not want to reveal themselves to private customers yet…


    Hobby nerd with no commercial ties to Swisscom