3Com® Switch 8800 Family IPsec Configuration and Command Reference Guide

Switch 8807, Switch 8810, Switch 8814

www.3Com.com Part No. 10015597, Rev. AA Published: January 2007

Page 2: 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guideh20628. · 2019-01-17 · 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guide Switch

3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064

Copyright © 2006-2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:

All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.

3Com and the 3Com logo are registered trademarks of 3Com Corporation.

Cisco is a registered trademark of Cisco Systems, Inc.

Funk RADIUS is a registered trademark of Funk Software, Inc.

Aegis is a registered trademark of Aegis Group PLC.

Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.

IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.

All other company and product names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT

It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed to:

Establishing environmental performance standards that comply with national legislation and regulations.

Conserving energy, materials and natural resources in all operations.

Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards. Maximizing the recyclable and reusable content of all products.

Ensuring that all products can be recycled, reused and disposed of safely.

Ensuring that all products are labelled according to recognized environmental standards.

Improving our environmental record on a continual basis.

End of Life Statement

3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.

Regulated Materials Statement

3Com products do not contain any hazardous or ozone-depleting material.

Page 3: 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guideh20628. · 2019-01-17 · 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guide Switch

CONTENTS

ABOUT THIS GUIDE
    Conventions 7
    Related Documentation 8

1 SWITCH 8800 IPSEC MODULE

2 IPSEC MODULE CONFIGURATION
    IPsec Module Configuration 13
    Displaying Information about the IPsec module 15

3 NETWORK SECURITY CONFIGURATION
    Introduction to the Network Security Features Provided by Comware 17
    Hierarchical Command Line Protection 18
    RADIUS-Based AAA 18
    Packet Filter and Firewall 18
    Security Authentication before Route Information Exchange 21

4 AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
    Overview 23
    Configuring AAA 30
    Configuring the RADIUS Protocol 37
    Configuring HWTACACS Protocol 46
    Displaying and Debugging AAA and RADIUS/HWTACACS Protocols 51
    AAA and RADIUS/HWTACACS Protocol Configuration Example 52
    Troubleshooting AAA and RADIUS/HWTACACS Protocols 62

5 ACL CONFIGURATION
    Introduction to ACL 65
    Configuring an ACL 76
    Configuring Time Range 78
    Displaying and Debugging ACL 79
    Typical Configuration Examples of ACL 79

6 NAT CONFIGURATION
    NAT Overview 81
    Functions Provided by NAT 82
    NAT Configuration 86
    Displaying and Debugging NAT 91
    NAT Configuration Example 91
    Troubleshooting NAT Configuration 94

7 VPN OVERVIEW
    VPN Overview 97
    Fundamental Technology of VPN 98
    Classification of VPN 101

8 CONFIGURATION OF L2TP
    Introduction to L2TP Protocol 103
    LAC Configuration 108
    LNS Configuration 115
    Displaying and Debugging L2TP 122
    L2TP Configuration Example 123
    L2TP Troubleshooting 127

9 CONFIGURATION OF GRE
    Brief Introduction to GRE 129
    GRE Configuration 132
    Displaying and Debugging GRE 136
    GRE Configuration Example 136
    GRE Troubleshooting 140

10 IPSEC CONFIGURATION
    IPsec Overview 143
    IPsec Configuration 148
    Displaying and Debugging IPsec 164
    IPsec Configuration Example 167
    IPsec Troubleshooting 170

11 IKE CONFIGURATION
    IKE Overview 171
    IKE Configuration 173
    Displaying and Debugging IKE 180
    Typical Configuration of IKE 181
    IKE Fault Diagnosis and Troubleshooting 185

12 PKI CONFIGURATION
    PKI Overview 187
    Certificate Request Configuration 188
    Certificate Validation Configuration 197
    Displaying and Debugging 199
    PKI Configuration Example 200
    Troubleshooting Certificates 203

13 DVPN
    Introduction to DVPN 205
    DVPN Configuration 211
    DVPN Configuration Example 222

14 RELIABILITY OVERVIEW
    Introduction to Reliability 229

15 VRRP CONFIGURATIONS
    Introduction to VRRP 231
    Configuring VRRP 232
    Displaying and Debugging VRRP 237
    VRRP Configuration Examples 237
    VRRP Troubleshooting 247

16 IPSEC MODULE CONFIGURATION COMMANDS
    IPsec Module Configuration Commands 249

17 AAA/RADIUS/HWTACACS CONFIGURATION COMMANDS
    AAA Configuration Commands 255
    RADIUS Protocol Configuration Commands 271
    HWTACACS Configuration Commands 297

18 ACCESS CONTROL LIST CONFIGURATION COMMANDS
    ACL Configuration Commands 315
    Time-range Configuration Commands 322

19 NAT CONFIGURATION COMMANDS
    NAT Configuration Commands 325

20 L2TP CONFIGURATION COMMANDS

21 GRE CONFIGURATION COMMANDS

22 IPSEC CONFIGURATION COMMANDS
    IPsec Configuration Commands 363
    Encryption Card Configuration Commands 397

23 IKE CONFIGURATION COMMANDS
    IKE Configuration Commands 407

24 PKI CONFIGURATION COMMANDS
    PKI Domain Configuration Commands 425
    PKI Entity Configuration Commands 432
    PKI Certificate Operation Commands 436
    PKI Displaying and Debugging Commands 440

25 DVPN CONFIGURATION COMMANDS

26 VRRP CONFIGURATION COMMANDS
    VRRP Configuration Commands 473


ABOUT THIS GUIDE

This guide describes the 3Com® Switch 8800 and how to install hardware, configure and boot software, and maintain software and hardware. This guide also provides troubleshooting and support information for your switch.

This guide is intended for Qualified Service personnel who are responsible for configuring, using, and managing the switches. It assumes a working knowledge of local area network (LAN) operations and familiarity with communication protocols that are used to interconnect LANs.

Note: Always download the Release Notes for your product from the 3Com World Wide Web site and check for the latest updates to software and product documentation:

http://www.3com.com

Conventions

Table 1 lists icon conventions that are used throughout this guide.

Table 2 lists text conventions that are used throughout this guide.

Table 1 Notice Icons

Icon / Notice Type: Description

Information note (note icon): Information that describes important features or instructions.

Caution (caution icon): Information that alerts you to potential loss of data or potential damage to an application, system, or device.

Warning (warning icon): Information that alerts you to potential personal injury.

Table 2 Text Conventions

Convention: Description

Screen displays: This typeface represents information as it appears on the screen.

Keyboard key names: If you must press two or more keys simultaneously, the key names are linked with a plus sign (+), for example: Press Ctrl+Alt+Del

The words "enter" and "type": When you see the word "enter" in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says "type."


Related Documentation

The following manuals offer additional information necessary for managing your Switch 8800:

■ Switch 8800 Command Reference Guide — Provides detailed descriptions of the command line interface (CLI) commands that you require to manage your Switch 8800.

■ Switch 8800 Configuration Guide — Describes how to configure your Switch 8800 using the supported protocols and CLI commands.

■ Switch 8800 Release Notes — Contains the latest information about your product. If information in this guide differs from information in the release notes, use the information in the Release Notes.

These documents are available in Adobe Acrobat Reader Portable Document Format (PDF) on the 3Com World Wide Web site:

http://www.3com.com/

Table 2 Text Conventions (continued)

Words in italics: Italics are used to emphasize a point; denote a new term at the place where it is defined in the text; and identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents. Click OK.

Words in bold: Boldface type is used to highlight command names. For example, "Use the display user-interface command to..."

1 SWITCH 8800 IPSEC MODULE

This chapter describes the IPsec Module (3CR1754766), which is available for the Switch 8800.

The IPsec Module is a high performance encryption VPN module designed for enterprises that require support for multiple VPN applications and hardware-based encryption processing. It provides hardware-based encryption of data with a maximum encryption rate of 512-bit. The module supports DES, 3DES and AES encryption. The Module provides the following capabilities:

■ On board operating system and custom hardware designed for high speed encryption

■ Occupies any open I/O slot in the chassis and is fully hot swappable

■ Interfaces to the SW8800 high capacity backplane and fully utilizes the internal crossbar switching capabilities of the system

■ The Module has (8) 1Gbps Ethernet (SFP) front panel ports for switching/routing (these ports can be utilized as regular switching ports)

The module provides multiple VPN functions (such as L2TP VPN, GRE VPN, IPsec VPN, and Dynamic VPN (DVPN)) and supports IPsec hardware encryption for DES, 3DES, and AES. The IPsec Module supports multiple authentication modes, including RADIUS, TACACS+, RSA SecurID and PKI/X.509 based certificate authentication. In addition, it supports simple packet filter and status firewall features. Customers must download the SW8800 Encrypted Software from 3Com's Website (at no charge), using an approved encrypting license, to run this module.

Table 1 IPsec Module Function

Attribute: Description

Network security
    Authentication, authorization and accounting service:
        ■ RADIUS
        ■ HWTACACS
        ■ CHAP authentication
        ■ PAP authentication
        ■ Domain authentication
    Firewall:
        ■ Packet filtering
        ■ Access control list on the basis of interface
        ■ Access control list on the basis of time period

VPN
    L2TP VPN:
        ■ Initiating a connection to the specified LNS according to the full user name and domain name of the VPN user
        ■ Distributing addresses for VPN users
        ■ LCP re-negotiation and CHAP re-authentication
    IPsec/IKE:
        ■ AH and ESP protocols
        ■ Establishing security associations manually or automatically through IKE
        ■ ESP supports the DES, 3DES and AES encryption algorithms
        ■ MD5 and SHA-1 authentication algorithms
        ■ IKE main mode and aggressive mode
        ■ NAT traversal
    GRE VPN:
        ■ Using tunnel technology to encapsulate and decapsulate data packets at both ends of the tunnel
    DVPN:
        ■ Automatically establishing tunnels
        ■ Establishing tunnels in UDP mode
        ■ Client access authentication and encryption authentication between nodes
        ■ Using dynamic IP addresses to create VPNs
        ■ The same node can belong to different VPN domains
        ■ Multiple VPN domains
        ■ NAT traversal
        ■ The DVPN tunnel can carry IPsec encryption
        ■ Dynamically creating tunnels saves server bandwidth

Network interconnection
    LAN protocol:
        ■ Ethernet_II
        ■ Ethernet_SNAP
        ■ VLAN
    Link layer protocol:
        ■ PPP
        ■ PPPoE
    Network protocol:
        IP service:
            ■ ARP
            ■ Static domain name resolution
            ■ Borrowing IP addresses
            ■ DHCP relay
            ■ DHCP server
            ■ DHCP client
        IP route:
            ■ Static route management
            ■ RIP-1/RIP-2
            ■ OSPF
            ■ BGP
            ■ Route policy
            ■ Policy route

Network reliability
    ■ Supporting the Virtual Router Redundancy Protocol (VRRP) to implement device backup

Configuration management
    ■ Command line interface
    ■ Local configuration through the Console interface
    ■ Remote configuration through the AUX interface
    ■ Local or remote configuration through Telnet or SSH
    ■ Configuring the IPsec module through the Switch 8800 Family switch
    ■ Hierarchical command protection to make sure non-authenticated users cannot configure the device
    ■ Detailed debugging information to diagnose network failures
    ■ Network test tools such as the Tracert and Ping commands to rapidly diagnose whether the network is normal
    ■ The Telnet command, which can be used to directly log into and manage other network devices
    ■ FTP server/client; FTP can be used to upload and download configuration files and applications
    ■ TFTP for uploading and downloading files
    ■ Log function
    ■ File system management
    ■ User-interface configuration providing multiple authentication and authorization functions for login users
    ■ Standard network management SNMPv3, compatible with SNMPv2C and SNMPv1
    ■ NTP time synchronization

2 IPSEC MODULE CONFIGURATION

IPsec Module Configuration

To make the Switch 8800 Family routing switch and IPsec module work together, you need to configure the IPsec module on the switch by:

■ “Configuring the Interface Aggregation”

■ “Creating the IPsec Module”

■ “Specifying the Layer 3 Interface Connecting the Switch and IPsec module”

■ “Specifying the VLAN Protected by the IPsec module”

■ “Mapping the IPsec module to a slot”

■ “Logging into the IPsec module”

■ “Configuring Default Login User Function” (Optional)

Configuring the Interface Aggregation

Two internal GigabitEthernet interfaces connect the IPsec module to the switch. You can aggregate these two interfaces into a logical interface to provide broader interface bandwidth. Perform the following configuration in switch system view.

By default, the interface is not aggregated. Only one GigabitEthernet interface can be used.

CAUTION: When you use the secblade aggregation slot command to configure aggregation of IPsec module interfaces, the IPsec module will take over resources occupied by other aggregation groups if aggregation resources are insufficient.

Creating the IPsec Module

To make the IPsec module and the Switch 8800 Family switch work together, first create an IPsec module; this also enters IPsec module view.

Perform the following configuration in switch system view.

Table 2 Configure the IPsec module interface aggregation

Operation: Command

Configure aggregation of two GE interfaces: secblade aggregation slot slot-number

Cancel the configuration: undo secblade aggregation slot slot-number

Table 3 Create the IPsec module

Operation: Command

Create the IPsec module: secblade sec-mod-name

Remove the IPsec module: undo secblade sec-mod-name


By default, the IPsec module is not created.

Specifying the Layer 3 Interface Connecting the Switch and IPsec module

To make the IPsec module and Switch 8800 Family switch communicate at Layer 3, you must specify the Layer 3 interface connecting the switch and the IPsec module.

Perform the following configuration in IPsec module view of the switch.

By default, the Layer 3 interface connecting the switch and IPsec module is not configured.

Specifying the VLAN Protected by the IPsec module

To make the IPsec module protect the data stream of the specific VLAN, you need to specify the protected VLAN.

Perform the following configuration in IPsec module view of the switch.

By default, no VLAN is protected.

Mapping the IPsec module to a slot

After implementing the above configuration on the IPsec module, you need to map this module to the slot to apply the configuration.

Perform the following configuration in IPsec module view of the switch.

By default, the IPsec module is not mapped to a slot.

Logging into the IPsec module

You can directly log into the IPsec module card through the Switch 8800 to configure and manage the card.

Perform the following configuration in switch user view

Table 4 Specify the Layer 3 interface connecting the switch and the IPsec module

Operation: Command

Specify the Layer 3 interface connecting the switch and the IPsec module: secblade-interface vlan-interface interface-number

Cancel the configuration: undo secblade-interface vlan-interface interface-number

Table 5 Specify the VLAN protected by the IPsec module

Operation: Command

Specify the protected VLAN: security-vlan vlan-range

Cancel the VLAN protection: undo security-vlan vlan-range

Table 6 Map the IPsec module to a slot

Operation: Command

Map the IPsec module to a slot: map to slot slot-number

Cancel the configuration: undo map to slot slot-number


Configuring Default Login User Function

For login convenience, a user whose name and password are both secblade is created in the IPsec module. You can use this user name and password to log into the IPsec module.

Perform the following configuration in IPsec module system view.

By default, the default login user function is enabled; that is, the secblade user created in the IPsec module is allowed to log into the IPsec module. Because this account and its password are the same on every module, disable the function with undo default-login-user (Table 8) once you have configured your own login users.

Displaying Information about the IPsec module

After the above configuration, execute the following command in any view to display information about the IPsec module and verify the effect of the configuration.

Table 7 Log into the IPsec module

Operation: Command

Log into the IPsec module: secblade slot slot-number

Table 8 Configure default login user function

Operation: Command

Enable default login user function: default-login-user

Disable default login user function: undo default-login-user

Table 9 Display information about the IPsec module

Operation: Command

Display information about the IPsec module: display secblade [ sec-mod-name ]

3 NETWORK SECURITY CONFIGURATION

Note: The content below applies to the IPsec module, so the command views in this document apply to the module and not to the Switch 8800 Family switches.

Introduction to the Network Security Features Provided by Comware

A security gateway must be able to withstand the various malicious attacks from the public network. At the same time, accidental but destructive access by legitimate users may also cause a significant performance decrease or even operational failure.

Comware provides the following network security characteristics:

■ AAA services based on Remote Authentication Dial-In User Service (RADIUS) provide authentication, authorization, and accounting for accessing users, preventing unauthorized access.

■ The CHAP and PAP authentication protocols are supported on PPP links.

■ A packet filter implemented through access control lists (ACLs) specifies the types of packets that the security gateway permits or denies.

■ Application specific packet filter (ASPF), or status firewall, is an advanced filtering approach that inspects application layer information, monitors the state of connection-oriented application layer protocols, maintains state information for each connection, and dynamically decides whether to permit or deny a packet.

■ IP security (IPsec): it guarantees the privacy, integrity and validity of the data packets while transmitted on the Internet through encryption and data source authentication on the IP layer.

■ Internet key exchange (IKE) provides the services of auto-negotiated key exchange and security association (SA) establishment to simplify the use and management of IPsec.

■ Event log is used to record system security events and trace illegal access in real time.

■ Address translation provided by NAT Gateway (GW), which separates the public network from the intranet, makes the IP addresses of the internal devices unknown to the public network and hence prevents the attacks initiated from it.

■ Dynamic routing protocol authentication: ensuring reliable route information to be exchanged.

■ Hierarchical view protection divides users into four levels, each assigned with a configuration right, and a user cannot access the view of a higher level.


The following chapters describe how to configure AAA and RADIUS, user password, firewall and packet filtering. Refer to the VPN part of this manual for IPsec/IKE configuration; refer to “NAT Configuration” for address translation configuration.

Hierarchical Command Line Protection

The system command lines are protected in a hierarchical way. In this approach, the command lines are divided into four levels: visit, monitor, system, and manage. You will be unable to use the corresponding levels of commands unless you have provided the correct login password.

RADIUS-Based AAA

AAA is used for user access management. It can be implemented via multiple protocols, but the AAA discussed here is RADIUS-based.

AAA provides the functions of:

■ Hierarchical user management. Users perform operations such as managing and maintaining the system configuration data and monitoring and maintaining the equipment, which are crucial to the normal operation of the system. It is therefore necessary to manage users strictly by classifying them into different levels and granting each level specific rights. A low-level user is allowed to perform only some viewing operations, while only a high-level user can modify data, maintain the equipment, and perform other sensitive operations.

■ PPP authentication. With it, user name authentication will be performed before the setup of a PPP connection is allowed.

■ PPP address management and allocation. When setting up a PPP connection, the system may assign the pre-specified IP address to the PPP user.

The next chapter will cover the details of RADIUS protocol and its configurations, user password configuration, and PPP user address configuration. For PPP authentication protocols, refer to the User Access module of this manual.

Packet Filter and Firewall

Firewall Concept

A firewall can prevent unauthorized or unauthenticated users on the Internet from accessing a protected network while allowing users on the internal network to access web sites on the Internet and send and receive e-mail. It can also work as an Internet access right control gateway by permitting only particular users inside the organization to access the Internet.


Figure 1 A firewall separating the intranet from the Internet

The firewall is not only applied to the Internet connection, but also used to protect the mainframe and crucial resources like data on the intranet of the organization. Access to the protected data should be permitted by the firewall, even if the access is initiated from the organization.

An external network user must pass through the firewall before it can access the protected network resources. Likewise, an intranet user must pass through the firewall before it can access the external network resources. Thus, the firewall plays the role of "guard" and discards the denied packets.

Firewall Classification

Normally, firewalls are classified into two categories: network layer firewalls and application layer firewalls. Network layer firewalls mainly obtain the header information of a packet, such as protocol, source address, destination address, and destination port. Alternatively, they can directly obtain a segment of header data. Application layer firewalls, however, analyze the whole information traffic.

Firewalls that you often meet are divided into the following categories:

■ Application gateway: It verifies all the application layer data in packets that will traverse it. Take a File Transfer Protocol (FTP) application GW as an example. From the perspective of the client of a connection, the FTP application GW is an FTP server. However, from the perspective of the server, it is an FTP client. All the FTP packets transmitted on the connection must pass this FTP application GW.

■ Circuit-Level Gateway: The "circuit" in this particular context refers to Virtual Circuit (VC). Before TCP or UDP is allowed to open a connection or VC, the session reliability must be verified. The packet transmission is allowed only if the handshake has been proved valid and accomplished. After a session is set up, its information will be written into the valid connection table maintained by the firewall. A packet can be permitted only if the session information carried by it matches an entry in the valid connection table. After the session is terminated, the session entry will be deleted from the table. Circuit-level GW authenticates a connection only at the session layer. If the authentication is passed, any application can be run on the connection. Take FTP as an example. A circuit-level GW only authenticates an FTP session at the TCP layer at the beginning of the session. If the authentication is passed, all the data can be transmitted on this connection until the session is terminated.


■ Packet filter: Such a firewall filters each packet depending on the items defined by the user. For example, it compares the source and destination addresses of each packet against the defined rules for a match. A packet filter neither considers the status of sessions nor analyzes the data. If the user specifies that packets carrying port number 21 or a port number no less than 1024 are permitted, all packets matching the condition will be able to pass through the firewall. If the configured rules are properly set for the actual applications, many packets that pose a potential threat to security can be filtered at this layer.

■ Network Address Translation (NAT): Also called address proxy, NAT makes it possible for a private network to access an external network. The NAT mechanism substitutes an external network address and port of the security gateway for the IP address and port of a host on the private network, and vice versa. In other words, it performs the conversion between <Private address + Port number> and <Public address + Port number>. The private address discussed here refers to an internal network or host address, and a public address is a globally unique IP address on the Internet. The Internet Assigned Numbers Authority (IANA) has provisioned that the following IP address ranges are reserved for private addresses:

10.0.0.0 to 10.255.255.255

172.16.0.0 to 172.31.255.255

192.168.0.0 to 192.168.255.255

In other words, the addresses in these three ranges are used inside an organization or company rather than assigned on the Internet. A company can select a proper internal network address range, taking into consideration the number of internal hosts and networks in the near future. The internal network addresses of different companies can be the same. However, it is very likely to cause problems if a company selects a segment outside the three ranges given above as its internal network address. NAT allows internal hosts to access Internet resources while keeping their "privacy".

Packet Filter Function

Normally, a packet filter filters the IP packets. For the packets that the security gateway will forward, the filter will first obtain the header information of each packet, including upper protocol carried by the IP layer, source and destination addresses of the packet, and source and destination ports. Then, it compares them with the preset rules to determine whether the packet should be forwarded or discarded.

Figure 1-2 illustrates the elements selected by a packet filter for decision making (on IP packets), given the upper layer carried by IP is TCP/UDP.


Figure 2 Packet filtering elements

Most packet filter systems do not operate on the data itself or perform content-based filtering.

ACL

Before the system can filter the packets, you should configure some rules in ACLs to specify the types of packets allowed or denied.

A user should configure an ACL according to the security policy and apply it to a particular interface or the whole equipment. After that, the security gateway will examine all the packets on the interface or all the interfaces based on the ACL and make forwarding/discard decision on the packets matching the rules. In this way, it plays the role of a firewall.
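The two firewall behaviours described above (the circuit-level gateway's valid-connection table and the stateless ACL packet filter) as an added Python example; this is not code from the 3Com guide or the Switch 8800 software, and all rules, addresses and packets in it are constructed sample data:

```python
"""Stateless packet filter and circuit-level connection table.

Added example, not code from the 3Com guide or the Switch 8800 software.
It models the two firewall behaviours the text describes: an ACL-style
packet filter that decides on header fields alone (protocol, addresses,
ports) and never looks at session state, and a circuit-level gateway that
only passes packets matching an entry in its valid-connection table.
All packets and rules below are constructed sample data.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter extracts from each IP packet."""
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 when the protocol has no ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One ACL rule; address fields are CIDR prefixes, ports are a range."""
    action: str                 # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport_min: int = 0
    dport_max: int = 65535

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "any" or self.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.dport_min <= pkt.dport <= self.dport_max
        )


def filter_packet(rules, pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first rule whose fields match decides.
    Packets matching no rule get the default action (deny here, the safer
    choice for an interface facing an untrusted network)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def reverse(pkt: Packet) -> Packet:
    """The return direction of the same session."""
    return Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)


class ConnectionTable:
    """Valid-connection table of a circuit-level gateway: a session is added
    once its handshake has completed, packets are permitted only while a
    matching entry exists, and the entry is deleted when the session ends."""

    def __init__(self):
        self._sessions = set()

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def add(self, pkt: Packet) -> None:
        self._sessions.add(self._key(pkt))

    def remove(self, pkt: Packet) -> None:
        self._sessions.discard(self._key(pkt))
        self._sessions.discard(self._key(reverse(pkt)))

    def allowed(self, pkt: Packet) -> bool:
        return (self._key(pkt) in self._sessions
                or self._key(reverse(pkt)) in self._sessions)


# The text's example rule set: permit port 21 or any port >= 1024.
TEXT_RULES = [
    Rule("permit", dport_min=21, dport_max=21),
    Rule("permit", dport_min=1024, dport_max=65535),
]

if __name__ == "__main__":
    # An unsolicited inbound packet to port 8080: the stateless filter permits
    # it because a rule matches, while the connection table, which has no
    # session for it, does not.
    inbound = Packet("tcp", "203.0.113.5", "192.168.1.10", 40000, 8080)
    print("stateless filter:", filter_packet(TEXT_RULES, inbound))
    print("circuit-level gateway:", ConnectionTable().allowed(inbound))
```

The contrast in the `__main__` block is the point of the text: a rule such as "permit any port no less than 1024" lets an unsolicited inbound packet through a stateless filter, whereas the connection table passes only packets belonging to a session that was set up first.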

Security Authentication before Route Information Exchange

The maintenance of route forwarding table depends on the dynamic route information exchanging between neighboring security gateways.

Necessity of implementing security authentication before route information exchange

Because neighboring routers on a network exchange a great deal of route information, a security gateway may receive attack traffic disguised as route information from unreliable routers. With the route authentication function, a security gateway can authenticate the route update packets received from neighboring routers and so accept only reliable route information.

Authentication Implementation

The routers exchanging route information share the same password key that is sent along with the route information packets. The routers receiving the route information will authenticate the packets, and verify the password key carried by the packets. If the key carried by the packets is the same as the shared password key, the packets will be accepted. If not, they will be discarded.

Authentication implementations fall into simple text authentication and MD5 authentication. The former sends password keys in plain text providing lower security, whereas the latter sends encrypted password keys providing higher security.
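The two implementations just described, as an added Python example that is not code from the 3Com guide: the simple-text form carries the shared key itself, while the MD5 form carries only MD5(update || key), the keyed-digest construction used by RIPv2 and OSPF MD5 authentication, so the key never crosses the wire. The packet framing (a one-byte key length before the key, a 16-byte digest appended after the update) and the sample update and key are constructed for illustration, not the format of any real routing protocol.

```python
"""Simple-text versus keyed-MD5 authentication of routing updates.

Added example, not code from the 3Com guide. The framing is constructed
for illustration (a one-byte key length in front of the key for the
simple-text form, a 16-byte digest appended for the MD5 form); real
protocols such as RIPv2 and OSPF carry these fields in protocol-specific
authentication headers. The MD5 form sends MD5(update || key) rather
than the key itself, so a receiver holding the same key can verify the
update without the key ever appearing on the wire.
"""
import hashlib
import hmac


def simple_auth_packet(update: bytes, key: bytes) -> bytes:
    """Simple-text authentication: the shared key travels in clear text."""
    return bytes([len(key)]) + key + update


def verify_simple(packet: bytes, key: bytes):
    """Returns the route update if the carried key equals ours, else None."""
    if not packet:
        return None
    klen = packet[0]
    carried, update = packet[1:1 + klen], packet[1 + klen:]
    return update if hmac.compare_digest(carried, key) else None


def md5_auth_packet(update: bytes, key: bytes) -> bytes:
    """Keyed MD5: append MD5(update || key); the key itself is never sent."""
    return update + hashlib.md5(update + key).digest()


def verify_md5(packet: bytes, key: bytes):
    """Recompute the digest with our copy of the key and compare in constant
    time; a modified update or a different key fails verification."""
    if len(packet) < 16:
        return None
    update, digest = packet[:-16], packet[-16:]
    expected = hashlib.md5(update + key).digest()
    return update if hmac.compare_digest(expected, digest) else None


def key_visible_on_wire(packet: bytes, key: bytes) -> bool:
    """What a passive observer of the link learns: does the key appear in the packet?"""
    return key in packet


if __name__ == "__main__":
    key = b"constructed-route-key"                        # constructed sample key
    update = b"RESPONSE 10.0.0.0/8 via 192.0.2.1 metric 2"  # constructed sample update
    print("simple text exposes key:", key_visible_on_wire(simple_auth_packet(update, key), key))
    print("keyed MD5 exposes key:  ", key_visible_on_wire(md5_auth_packet(update, key), key))
```

Note that a keyed digest protects against forgery and modification by parties without the key, but not on its own against replay of an old, correctly signed update; protocols that use it pair it with a sequence number for that reason.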


4

AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION

Overview

Introduction to AAA

Authentication, Authorization and Accounting (AAA) provide a uniform framework for configuring these three security functions to implement network security management.

The network security mentioned here refers to access control and it includes:

■ Which user can access the network server?

■ Which service can the authorized user enjoy?

■ How to keep accounts for the user who is using network resource?

Accordingly, AAA provides the following services:

Authentication

AAA supports the following authentication methods:

■ None authentication: All users are trusted and are not authenticated. Generally, this method is not recommended.

■ Local authentication: User information (including username, password, and attributes) is configured on the Broadband Access Server (BAS). Local authentication is fast and low-cost; the amount of information that can be stored in this approach is, however, limited by the hardware capacity.

■ Remote authentication: Supports both RADIUS and HWTACACS protocols. In this approach, the BAS acts as the client to communicate with the RADIUS or TACACS server. With respect to RADIUS, you can use the standard RADIUS protocol or 3Com extended RADIUS protocol to complete authentication in collaboration with devices like iTELLIN/CAMS.

Authorization

AAA supports the following authorization methods:

■ Direct authorization: All users are trusted and directly authorized to pass.

■ Local authorization: Users are authorized according to the attributes related to their accounts on the BAS.

■ HWTACACS authorization: Users are authorized using a TACACS server.

■ If-authenticated authorization: Users are authorized to pass if they are authenticated and using any allowed method other than none authentication.

■ RADIUS authorization following successful authentication: With RADIUS, users are authorized only after they pass authentication. In other words, you cannot perform RADIUS authorization without authentication.


Accounting

AAA supports the following accounting methods:

■ None accounting: no accounting required.

■ Remote accounting: conducted through a RADIUS server or TACACS server.

Note: Currently, the security gateway supports accounting of PPP users and Telnet users only, and it does not support real-time accounting of Telnet users.

AAA usually utilizes a Client/Server model, where the client controls user access and the server stores user information. The framework of AAA thus allows for good scalability and centralized user information management. Being a management framework, AAA can be implemented using multiple protocols. In Comware, AAA is implemented based on RADIUS or HWTACACS.

Introduction to the RADIUS Protocol

What is RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information exchange protocol in the Client/Server model. RADIUS can protect the network from unauthorized access and is often used in network environments where both high security and remote user access are required. For example, it is often used for managing a large number of scattered dial-in users that use serial ports and modems. The RADIUS system is an important auxiliary part of a Network Access Server (NAS).

The RADIUS service involves three components:

■ Protocol: Based on the UDP/IP layer, RFC2865 and 2866 define the RADIUS frame format and the message transfer mechanism, and use 1812 as the authentication port and 1813 as the accounting port.

■ Server: RADIUS server runs on the computer or workstation at the center, and contains information on user authentication and network service access.

■ Client: Located at the Network Access Server (NAS) side. It can be placed anywhere in the network.

As the RADIUS client, the NAS (a switch or a router) is responsible for passing user information to a designated RADIUS server and acts on the response returned from the server (such as connecting/disconnecting users). The RADIUS server receives user connection requests, authenticates users, and returns the required information to the NAS.

In general, the RADIUS server maintains three databases, namely, Users, Clients and Dictionary, as shown in the following figure. "Users" stores user information such as username, password, applied protocols, and IP address; "Clients" stores information about RADIUS clients such as shared key; and "Dictionary" stores the information for interpreting RADIUS protocol attributes and their values.


Figure 3 Components of RADIUS server

In addition, RADIUS servers can act as the client of some other AAA server to provide the proxy authentication or accounting service. They support multiple user authentication methods, such as PPP-based PAP, CHAP and UNIX-based login.

Basic message exchange procedures in RADIUS

In most cases, user authentication using a RADIUS server involves a device that can provide the proxy function, such as the NAS. Transactions between the RADIUS client and RADIUS server are authenticated through a shared key, and user passwords are sent encrypted over the network for security. The RADIUS protocol combines the authentication and authorization processes by sending authorization information in the authentication response message. See the following figure.

Figure 4 The basic message interaction procedures of RADIUS

Following is how RADIUS operates:

1 The user enters the username and password.

2 Having received the username and password, the RADIUS client sends the authentication request (Access-Request) to the RADIUS server.

3 The RADIUS server compares the received user information against that in the Users database. If the authentication succeeds, it sends back an authentication response (Access-Accept) containing the information of the user's rights. If the authentication fails, it returns an Access-Reject message.

4 The RADIUS client acts on the returned authentication result to accept or deny the user. If it is allowed to accept the user, the RADIUS client sends an accounting start request (Accounting-Request) to the RADIUS server, with the value of Status-Type being "start".

5 The RADIUS server returns a start-accounting response (Accounting-Response).

6 The RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server, with the value of Status-Type being "stop".

7 The RADIUS server returns a stop-accounting response (Accounting-Response).

RADIUS packet structure

RADIUS uses UDP to transmit messages; with timer management, retransmission, and backup server mechanisms, it ensures reliable message exchange between the RADIUS server and the client. The following figure shows the RADIUS packet structure.

Figure 5 RADIUS packet structure

The Identifier field is used to match request packets with response packets. It changes whenever the Attribute field changes or a valid response has been received, but remains unchanged across retransmissions. The 16-byte Authenticator field is used to authenticate the packets exchanged with the RADIUS server, and it is also used by the password hiding algorithm. There are two kinds of authenticators: Request and Response.

■ Request Authenticator is the random code of 16 bytes in length.

■ Response Authenticator is the result of applying the MD5 algorithm to Code, Identifier, Request Authenticator, Length, Attribute and shared-key.

1 The Code field decides the type of a RADIUS packet, as shown in the following table.

(Figure 5 fields, in order: Code, Identifier, Length, Authenticator, Attribute)

Table 10 Code values

Code Packet type Description

1 Access-Request

The packet carries user information and is transmitted by the client to the server so that the server can determine whether the user may access the network. The packet carries the required User-Name attribute and some options, such as NAS-IP-Address, User-Password, and NAS-Port.

2 Access-Accept

The packet is transmitted by the server to the client. If all the attribute values carried in the Access-Request are acceptable, the server allows the user to pass authentication and sends back an Access-Accept response.

3 Access-Reject

The packet is transmitted by the server to the client. If any attribute value carried in the Access-Request is unacceptable, the server rejects the user and sends back an Access-Reject response.

4 Accounting-Request

The packet carries user information and is transmitted by the client to the server to request the server to start accounting. The server can determine whether to start accounting according to the Acct-Status-Type attribute. The attributes carried in this type of packet are basically the same as those carried by an Access-Request packet.

5 Accounting-Response

The packet is transmitted by the server to the client, notifying that the server has received the Accounting-Request and has correctly recorded the accounting information. The packet carries such information as input/output bytes and packets, and session duration.

2 The Attribute field contains the authentication, authorization, and accounting information that provides the configuration details of a request or response. This field is represented by the triplet of Type, Length and Value. The following table lists the major standard attribute values defined by RFC:

Table 11 Attribute values

Type Attribute type Type Attribute type

1 User-Name 23 Framed-IPX-Network

2 User-Password 24 State

3 CHAP-Password 25 Class

4 NAS-IP-Address 26 Vendor-Specific

5 NAS-Port 27 Session-Timeout

6 Service-Type 28 Idle-Timeout

7 Framed-Protocol 29 Termination-Action

8 Framed-IP-Address 30 Called-Station-Id

9 Framed-IP-Netmask 31 Calling-Station-Id

10 Framed-Routing 32 NAS-Identifier

11 Filter-ID 33 Proxy-State

12 Framed-MTU 34 Login-LAT-Service

13 Framed-Compression 35 Login-LAT-Node

14 Login-IP-Host 36 Login-LAT-Group

15 Login-Service 37 Framed-AppleTalk-Link

16 Login-TCP-Port 38 Framed-AppleTalk-Network

17 (unassigned) 39 Framed-AppleTalk-Zone

18 Reply-Message 40-59 (reserved for accounting)

19 Callback-Number 60 CHAP-Challenge

20 Callback-ID 61 NAS-Port-Type

21 (unassigned) 62 Port-Limit

22 Framed-Route 63 Login-LAT-Port


The RADIUS protocol is extensible. Attribute 26 (Vendor-Specific) defined in it allows a vendor to define extended attributes. The following figure illustrates the structure of a RADIUS packet segment that carries such an attribute:

Figure 6 A RADIUS packet segment containing the extended attribute
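The packet layout of Figure 5 together with the Identifier and Authenticator rules above, as an added Python example; this is not code from the 3Com guide or the Switch 8800. It encodes attributes as Type/Length/Value triplets, hides the User-Password with the Request Authenticator and shared key as RFC 2865 specifies, computes the Response Authenticator over Code, Identifier, Length, Request Authenticator, Attributes and shared key, and performs the check a RADIUS client should make before acting on an Access-Accept. The shared secret, username, password and NAS address are constructed sample values.

```python
"""Building and checking RADIUS packets (RFC 2865 layout).

Added example, not code from the 3Com guide or the Switch 8800. It
implements the packet layout of Figure 5 (Code, Identifier, Length,
16-byte Authenticator, TLV attributes), the User-Password hiding that uses
the Request Authenticator and shared key, and the Response Authenticator
check a RADIUS client performs before acting on an Access-Accept. The
shared secret, username and addresses below are constructed sample data.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute types (Table 11)


def tlv(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type | Length | Value, Length counting all three."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes):
    """Walk the TLV list; reject lengths that run past the packet."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def hide_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte chunks; chunk_i XOR MD5(secret + prev),
    where prev is the Request Authenticator for the first chunk and the
    previous ciphertext chunk afterwards."""
    chunks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(chunks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: same MD5 stream, but chain on the received chunks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(identifier, username, password, nas_ip, secret, request_auth=None):
    """Client -> server. The Request Authenticator is 16 random bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (tlv(USER_NAME, username)
             + tlv(USER_PASSWORD, hide_password(password, request_auth, secret))
             + tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, request_auth, attrs, secret) -> bytes:
    """MD5(Code | Identifier | Length | Request Authenticator | Attributes | Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server -> client: echoes the Identifier, signs with the Response Authenticator."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return build_packet(code, identifier, auth, attrs)


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client check before acting on a reply: Identifier must match the
    outstanding request and the Response Authenticator must verify under
    the shared key; anything else is silently discarded."""
    if len(request) < 20 or len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])
```

The `verify_response` check is what makes the shared key matter on the client side: a reply whose Identifier does not match an outstanding request, or whose Response Authenticator was computed with a different key, is dropped rather than acted on. The password hiding is an XOR with an MD5 stream keyed by the shared secret, which is why the guide's comparison table notes that RADIUS protects only the password field while the rest of the packet travels in the clear.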

Features of RADIUS

RADIUS uses UDP as its transport protocol and performs well for real-time applications. It also supports a retransmission mechanism and a backup server mechanism, giving it good reliability. RADIUS is easy to implement and suits the multithreaded structure of a server that handles a large number of users. For all these advantages, the RADIUS protocol is widely used.

Introduction to the HWTACACS Protocol

What is HWTACACS

HWTACACS is an enhanced security protocol based on TACACS (RFC1492). Similar to the RADIUS protocol, it implements AAA for different types of users (such as PPP/VPDN/login users) through communications with TACACS servers in the Server/Client model.

Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and therefore is more suitable for security control. The following table lists the primary differences between HWTACACS and RADIUS protocols.

In a typical HWTACACS application, a dial-up or terminal user needs to log onto the security gateway for operations. Working as the client of HWTACACS in this case, the security gateway sends the username and password to the TACACS server for authentication. After passing authentication and being authorized, the user can log onto the security gateway to perform operations, as shown in the following figure.

(Figure 6 fields, in order: Type, Length, Vendor-ID, then the vendor-specified type, length and attribute value)

Table 12 Comparison between HWTACACS and RADIUS

HWTACACS: Adopts TCP, providing more reliable network transmission. RADIUS: Adopts UDP.

HWTACACS: Encrypts the entire packet except for the standard HWTACACS header. RADIUS: Encrypts only the password field in authentication packets.

HWTACACS: Separates authentication from authorization; for example, you can provide authentication and authorization on different TACACS servers. RADIUS: Brings together authentication and authorization.

HWTACACS: Suitable for security control. RADIUS: Suitable for accounting.

HWTACACS: Supports authorization of configuration commands. RADIUS: Does not support it.


Figure 7 Network diagram for a typical HWTACACS application

Basic message exchange procedures in HWTACACS

Take a telnet user for example: using HWTACACS to implement authentication, authorization, and accounting for the user involves the following basic message exchange:

1 A user requests access to the security gateway; the TACACS client sends a start-authentication packet to TACACS server upon receipt of the request.

2 The TACACS server sends back an authentication response requesting the username; the TACACS client asks the user for the username upon receipt of the response.

3 The TACACS client sends an authentication continuance packet carrying the username after receiving the username from the user.

4 The TACACS server sends back an authentication response requesting the login password. Upon receipt of the response, the TACACS client asks the user for the login password.

5 After receiving the login password, the TACACS client sends an authentication continuance packet carrying the login password to the TACACS server.

6 The TACACS server sends back an authentication response indicating that the user has passed the authentication.

7 The TACACS client sends the user authorization packet to the TACACS server.

8 The TACACS server sends back the authorization response, indicating that the user has passed the authorization.

9 Upon receipt of the response indicating an authorization success, the TACACS client pushes the configuration interface of the security gateway to the user.

10 The TACACS client sends a start-accounting request to the TACACS server.

11 The TACACS server sends back an accounting response, indicating that it has received the start-accounting request.

12 The user logs off; the TACACS client sends a stop-accounting request to the TACACS server.

13 The TACACS server sends back a stop-accounting packet, indicating that the stop-accounting request has been received.

The following figure illustrates the basic message exchange procedures:

(Figure 7 labels: TACACS server 129.7.66.66, TACACS server 129.7.66.67, ISDN/PSTN, dial-up user, terminal user, Switch 8800)


Figure 8 The AAA implementation procedures for a telnet user

Note: Because the Comware 3.4 software is designed to be compatible with the configurations of LAN switches, you may see in HyperTerminal some commands and parameters that are supported only by LAN switches when configuring your security gateway. These commands and parameters are beyond the scope of this manual.

Configuring AAA

AAA configuration tasks include:

1 Create an ISP domain and set the related attributes

■ Create an ISP domain

■ Configure an AAA scheme

■ Configure the ISP domain state

■ Set an access limit

■ Enable accounting optional

■ Define a local IP pool and allocate IP addresses to PPP users

2 Create a local user and set the related attributes (for local authentication only)



Creating an ISP Domain and Setting the Related Attributes

Creating an ISP domain

An Internet service provider (ISP) domain is a group of users that belong to the same ISP. For a username in the userid@isp-name format, userid@3com163.net for example, the isp-name (3com163.net) following the @ sign is the ISP domain name. When receiving a connection request from a user named userid@isp-name, the security gateway system treats the userid part as the username for authentication and the isp-name part as the domain name.

The purpose of introducing ISP domain settings is to support the multi-ISP application environment, where one access device might access users of different ISPs. Because the attributes of ISP users, such as username and password formats, can be different, you must differentiate them through setting ISP domains. In ISP domain view, you can configure a complete set of exclusive ISP domain attributes on a per-ISP domain basis, including an AAA scheme.

For 3Com Series Security Gateways, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system puts it into the default domain.

Perform the following configurations in system view.

Table 13 Create/delete an ISP domain

Operation Command

Create an ISP domain or enter the view of a specified domain. domain { isp-name | default { disable | enable isp-name } }

Remove a specified ISP domain. undo domain isp-name

By default, the default ISP domain in the system is system.

Configuring an AAA scheme

Users can configure authentication, authorization and accounting schemes in the following two modes.

1 AAA binding mode

In this mode, you use the scheme command to specify a single scheme. If you choose the RADIUS or HWTACACS scheme, the corresponding RADIUS or HWTACACS server performs the authentication, authorization and accounting tasks; you cannot specify different schemes for authentication, authorization and accounting respectively. If you use the local scheme, only authentication and authorization are implemented, not accounting.

When the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local scheme applies as a backup scheme only when the RADIUS or TACACS server is not available. If the RADIUS or TACACS server is available, local authentication is not used.

If the local scheme applies as the first scheme, only local authentication is performed and the RADIUS, HWTACACS or none scheme cannot be adopted. If the none scheme applies as the first scheme, no RADIUS or HWTACACS scheme can be adopted.


Perform the following configuration in ISP domain view.

Table 14 Configure the related attributes of the ISP domain

Operation Command

Configure an AAA scheme for the domain. scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

Restore the default AAA scheme. undo scheme [ radius-scheme | hwtacacs-scheme | none ]

The default AAA scheme is local.

CAUTION:

■ An FTP user login cannot be authenticated in none mode because an FTP server implemented with Comware does not support anonymous login.

■ If the scheme none command is used, the priority level of a user logged into the system is level 0.

2 AAA separate mode

In this mode, you use the authentication, authorization or accounting command to select a scheme for each of the three tasks respectively. For example, you can specify the RADIUS scheme for authentication and authorization, and the HWTACACS scheme for optional accounting, which gives you flexibility in combining schemes. The AAA services supported in this mode are listed below.

■ For terminal users

Use RADIUS, HWTACACS, local, RADIUS-local, HWTACACS-local or none for authentication;

Use HWTACACS or none for authorization;

Use RADIUS, HWTACACS or none for accounting.

You can customize an AAA scheme combination according to the above implementations.

■ For FTP users

Only authentication can be applied to FTP users.

Use RADIUS, HWTACACS, local, RADIUS-local or HWTACACS-local for authentication.

■ For PPP and L2TP users

Use RADIUS, HWTACACS, local, RADIUS-local, HWTACACS-local or none for authentication.

Use HWTACACS or none for authorization.

Use RADIUS, HWTACACS or none for accounting.


You can customize an AAA scheme combination according to the above implementations.

■ For DVPN services

At present, only RADIUS, local and RADIUS-local support authentication and authorization, and only RADIUS supports accounting.

Perform the following configuration in ISP domain view.

Table 15 Configure the related ISP domain attributes

Operation Command

Configure an authentication scheme for the domain. authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

Restore the default authentication scheme for the domain. undo authentication

Configure an authorization scheme for the domain. authorization { hwtacacs-scheme hwtacacs-scheme-name | none }

Restore the default authorization scheme for the domain. undo authorization

Configure an accounting scheme for the domain. accounting { radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | none }

Restore the default accounting scheme for the domain. undo accounting

1 If separate AAA schemes are configured as well as the binding AAA scheme, the separate schemes are used.

2 The RADIUS and local schemes do not support separate authentication and authorization. Therefore, note the following:

■ When the scheme radius-scheme or scheme local command is configured and the authentication command is not configured: if authorization none is configured, the authorization data returned by the RADIUS or local scheme is still valid; if authorization hwtacacs is configured, the HWTACACS scheme is used for authorization.

■ If the scheme radius-scheme or scheme local command is configured together with the authentication hwtacacs-scheme command, the HWTACACS scheme is used for authentication and no authorization is performed.

Configuring the ISP domain state

Every ISP domain is in either the active or the block state. If an ISP domain is in the active state, its users can request network service; in the block state, its users cannot request any network service, although users already online are not affected. An ISP domain is in the active state when it is first created, and its users are allowed to request network service.

Perform the following configuration in ISP domain view.


By default, an ISP domain is active when it is created.

Setting an access limit

You can specify the maximum number of users that an ISP domain can accommodate by setting an access limit.

Perform the following configuration in ISP domain view.

By default, an ISP domain has no limit on the user number upon its creation.

Enabling accounting optional

If a user is configured with accounting optional, the device does not disconnect the user during the accounting even when it finds no available accounting server or fails to communicate with the accounting server.

Unlike the scheme none command, with the accounting optional command the system still sends accounting information to the accounting server, but it does not terminate the connection regardless of whether the accounting server responds or performs the accounting service. With the scheme none command, the system neither sends accounting information to the accounting server nor terminates the connection. If you specify RADIUS or HWTACACS in the scheme command without configuring accounting optional, the system sends accounting information to the accounting server and terminates the connection if the server does not respond or does not perform the accounting service.

Perform the following configuration in ISP domain view.

By default, when an ISP domain is created, accounting optional is disabled.
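The admission rules spread over this section (the userid@isp-name split with the default domain, the active/block state, the access limit, the binding-mode scheme with local as a backup only when the remote server is unavailable, and accounting optional) as one added Python model; this is not the Switch 8800's code. Server replies come from constructed stand-in callables. Two points are assumptions of the model rather than statements from the guide: the username is split at the first "@", and a user who names a domain that has not been created is rejected.

```python
"""Model of the ISP-domain admission rules in this chapter.

Added example, not the Switch 8800's code. It strings together the rules
the text states: the userid@isp-name split with fallback to the default
domain "system", the active/block domain state, the access limit, the
binding-mode scheme with "local" as a backup used only when the remote
server is unreachable, and the accounting optional behaviour. Server
replies come from constructed stand-in callables. Splitting at the first
'@' and rejecting a user who names a non-existent domain are assumptions
of this model, not statements from the guide.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DEFAULT_DOMAIN = "system"


@dataclass
class Domain:
    name: str
    scheme: str = "local"                # scheme { radius | hwtacacs | local | none }
    local_backup: bool = False           # the [ local ] keyword after a remote scheme
    state: str = "active"                # state { active | block }
    access_limit: Optional[int] = None   # access-limit enable max-user-number
    accounting_optional: bool = False    # accounting optional
    online: int = 0


@dataclass
class Servers:
    """Constructed stand-ins: remote_auth returns True/False for accept/reject
    and None when the server is unreachable; accounting likewise returns
    None when no accounting server answers."""
    remote_auth: Callable[[str, str], Optional[bool]]
    local_auth: Callable[[str, str], bool]
    accounting: Callable[[str], Optional[bool]]


def split_username(raw: str):
    """userid@isp-name -> (userid, isp-name); a bare userid maps to the
    default domain. Splitting at the first '@' is an assumption here."""
    userid, sep, isp = raw.partition("@")
    return (userid, isp) if sep else (raw, DEFAULT_DOMAIN)


def authenticate(domain: Domain, userid: str, password: str, servers: Servers) -> str:
    """Binding-mode semantics: returns 'accept', 'rejected by server' or 'no server'."""
    if domain.scheme == "none":
        return "accept"                      # everyone trusted; the guide advises against it
    if domain.scheme in ("radius", "hwtacacs"):
        verdict = servers.remote_auth(userid, password)
        if verdict is not None:              # server answered: its verdict is final,
            return "accept" if verdict else "rejected by server"   # local is not consulted
        if not domain.local_backup:
            return "no server"
    # local scheme, or remote server unreachable with local backup configured
    return "accept" if servers.local_auth(userid, password) else "rejected by server"


def admit(raw_user: str, password: str, domains: Dict[str, Domain], servers: Servers) -> str:
    """Full admission decision for one login attempt."""
    userid, isp = split_username(raw_user)
    domain = domains.get(isp)
    if domain is None:
        return "reject: unknown domain"      # assumption, see module docstring
    if domain.state == "block":
        return "reject: domain blocked"
    if domain.access_limit is not None and domain.online >= domain.access_limit:
        return "reject: access limit reached"
    verdict = authenticate(domain, userid, password, servers)
    if verdict != "accept":
        return "reject: " + verdict
    # Accounting is only attempted for remote schemes (local does no accounting);
    # a missing or silent accounting server ends the session unless accounting
    # optional is configured for the domain.
    if domain.scheme in ("radius", "hwtacacs"):
        ack = servers.accounting(userid)
        if not ack and not domain.accounting_optional:
            return "reject: accounting failed"
    domain.online += 1
    return "accept"
```

The ordering in `admit` mirrors the text: domain selection and its state and limit are checked before any server is contacted, a reachable RADIUS or HWTACACS server's rejection is final even when local is configured as backup, and accounting optional changes only what happens when the accounting server fails, not whether accounting information is sent.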

Table 16 Configure the ISP domain state

Operation Command

Configure the ISP domain state. state { active | block }

Table 17 Configure an access limit

Operation Command

Set an access limit to limit the number of users that the domain can accommodate. access-limit { disable | enable max-user-number }

Restore the default value. undo access-limit

Table 18 Enable/disable accounting optional

Operation Command

Enable accounting optional. accounting optional

Disable accounting optional. undo accounting optional

Defining an address pool and allocating IP addresses to PPP users

PPP users can obtain IP addresses from the device through PPP address negotiation. Three approaches are available for address allocation on an interface:

■ Directly allocate IP addresses on the interface without configuring an address pool.

Page 35: 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guideh20628. · 2019-01-17 · 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guide Switch

Configuring AAA 35

■ Define an address pool in system view and assign it (only one is allowed) to the interface in the view of this interface for assigning addresses to the connected ends.

■ Define address pools in domain view and directly allocate the addresses from the pools to the login domain PPP users.

Perform the following configuration in ISP domain view.

By default, no address pool is configured.

The following are the principles of IP address allocation to PPP users in AAA:

1 For a domain user with a name either in the form of userid or userid@isp-name, the address is allocated as follows:

■ If RADIUS or TACACS authentication/authorization applies, the address that the server has issued to the user is allocated, if there is one.

■ If the server issues an address pool instead of an address, the device searches the address pool in domain view for an address.

■ If no address can be allocated by the above two methods, or if local authentication is used, the device assigns the address configured on the interface to the user:

■ If the remote address ip-address command is issued on the interface and the specified address is not in use, the device assigns that address to the user.

■ If the remote address pool command is issued on the interface, the device searches the specified address pool in domain view for an address and assigns it to the user.

■ If the remote address command is not issued on the interface, the device searches all the address pools in domain view for an address and assigns it to the user.

2 For a user that is not to be authenticated, the device allocates an address from the address pool (defined in system view) specified on the interface.

Note: For a user that is to be authenticated and is not assigned an address with the remote address ip-address command, you can still change how the PPP user is assigned an address.
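The allocation rules above form a fixed precedence, and it is easy to misread which source wins when a server-issued pool is empty or the interface address is already taken. The following Python model walks through that precedence on a constructed set of pools, interfaces and users. It is an added illustration, not 3Com code: the class and field names (Pool, Interface, PppUser, remote_address, remote_pool, system_pool, server_address, server_pool) and the addresses are assumptions made for the example.

```python
"""PPP address allocation precedence for AAA domain users.

Added illustration of the rules listed above; it is not 3Com code, and every
class, field and pool value here is an assumption made for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Pool:
    """One 'ip pool pool-number low-ip-address [ high-ip-address ]' entry."""
    number: int
    low: str
    high: Optional[str] = None          # omitted high means a single-address pool
    leased: Set[str] = field(default_factory=set)

    def take(self) -> Optional[str]:
        """Lease the lowest free address, or None when the pool is exhausted."""
        lo = int(ipaddress.IPv4Address(self.low))
        hi = int(ipaddress.IPv4Address(self.high or self.low))
        for n in range(lo, hi + 1):
            addr = str(ipaddress.IPv4Address(n))
            if addr not in self.leased:
                self.leased.add(addr)
                return addr
        return None


@dataclass
class Interface:
    """PPP interface settings that matter for allocation (assumed names)."""
    remote_address: Optional[str] = None    # 'remote address ip-address'
    remote_pool: Optional[int] = None       # 'remote address pool' (domain-view pool number)
    system_pool: Optional[int] = None       # system-view pool bound to the interface


@dataclass
class PppUser:
    name: str                               # userid or userid@isp-name
    authenticated: bool = True
    auth_method: str = "local"              # 'radius', 'hwtacacs' or 'local'
    server_address: Optional[str] = None    # address issued by the RADIUS/TACACS server
    server_pool: Optional[int] = None       # pool number issued instead of an address


def allocate(user: PppUser, iface: Interface, domain_pools: Dict[int, Pool],
             system_pools: Dict[int, Pool], in_use: Set[str]) -> Tuple[Optional[str], str]:
    """Return (address, rule applied); address is None when nothing could be assigned."""
    if not user.authenticated:
        # Rule 2: unauthenticated users draw from the system-view pool on the interface.
        pool = system_pools.get(iface.system_pool)
        addr = pool.take() if pool else None
        return addr, "2: system-view pool on interface" if addr else "2: no pool on interface"

    if user.auth_method in ("radius", "hwtacacs"):
        if user.server_address:                     # Rule 1, first bullet
            in_use.add(user.server_address)
            return user.server_address, "1: server-issued address"
        if user.server_pool is not None:            # Rule 1, second bullet
            pool = domain_pools.get(user.server_pool)
            addr = pool.take() if pool else None
            if addr:
                return addr, "1: server-issued pool in domain view"

    # Rule 1, third bullet: fall back to the interface configuration
    # (this is also the path taken for local authentication).
    if iface.remote_address:
        if iface.remote_address in in_use:
            # The text specifies no further fallback for an interface address in use.
            return None, "1: interface address already in use"
        in_use.add(iface.remote_address)
        return iface.remote_address, "1: interface 'remote address ip-address'"
    if iface.remote_pool is not None:
        pool = domain_pools.get(iface.remote_pool)
        addr = pool.take() if pool else None
        return addr, "1: interface 'remote address pool'" if addr else "1: interface pool exhausted"
    for number in sorted(domain_pools):             # no 'remote address' on the interface
        addr = domain_pools[number].take()
        if addr:
            return addr, f"1: domain pool {number} (no 'remote address' on interface)"
    return None, "1: all domain pools exhausted"


def demo() -> list:
    """Constructed scenario touching each rule; returns the (address, rule) results."""
    domain_pools = {1: Pool(1, "192.0.2.10", "192.0.2.11"), 2: Pool(2, "192.0.2.20")}
    system_pools = {5: Pool(5, "198.51.100.1", "198.51.100.2")}
    in_use: Set[str] = set()
    via_ip = Interface(remote_address="192.0.2.1")
    cases = [
        (PppUser("a@isp1", auth_method="radius", server_address="192.0.2.100"), via_ip),
        (PppUser("b@isp1", auth_method="radius", server_pool=1), Interface()),
        (PppUser("c@isp1", auth_method="local"), via_ip),
        (PppUser("d@isp1", auth_method="local"), via_ip),                        # address now taken
        (PppUser("e@isp1", auth_method="local"), Interface(remote_pool=2)),
        (PppUser("f@isp1", auth_method="radius", server_pool=2), Interface()),   # pool 2 now empty
        (PppUser("guest", authenticated=False), Interface(system_pool=5)),
    ]
    return [allocate(u, i, domain_pools, system_pools, in_use) for u, i in cases]
```

The sixth case is the one worth noting: the server issued pool 2, the pool is exhausted, and the device then falls through to the interface rules and ends up in domain pool 1, exactly as the third bullet says. The model deliberately stops with no address when the interface's remote address is already in use, because the text defines no further fallback for that case.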

Creating a Local User and Setting the Related Attributes

Create a local user and configure the related attributes on the security gateway if you select the local authentication scheme in AAA.

Note: If you use a radius-scheme or hwtacacs-scheme to authenticate users, you must appropriately configure the RADIUS or TACACS server. The local configuration in this case does not take effect.

Table 19 Define an IP address pool for PPP domain users

Operation: Define an IP address pool for allocating addresses to PPP users.
Command: ip pool pool-number low-ip-address [ high-ip-address ]

Operation: Delete the specified address pool.
Command: undo ip pool pool-number

Creating a local user

A local user is a group of users set on NAS (a security gateway). The username is the unique identifier of a user. A user requesting network service can pass local authentication as long as its information has been added to the local user database of NAS.

Perform the following configuration in system view.

By default, there is no local user in the system.

Setting attributes of a local user

The attributes of a local user include user password display mode, user password, user state, and the type of service that is authorized to the user.

Perform the following configuration in system view.

Here, auto means that the password display mode is the one specified by the user when configuring the password (see the password command in the following table), and cipher-force means that the passwords of all accessing users must be displayed in cipher text.

Perform the following configurations in local user view.

Table 20 Create/delete a local user and the relevant properties

Operation: Add a local user.
Command: local-user user-name

Operation: Delete a local user or the service type of the local user.
Command: undo local-user user-name [ service-type | level ]

Operation: Delete all local users or all local users of a specific service type.
Command: undo local-user all [ service-type { ftp | ppp | ssh | telnet | terminal } ]

Table 21 Set the password display mode for local users

Operation: Set the password display mode for all local users.
Command: local-user password-display-mode { cipher-force | auto }

Operation: Cancel the password display mode for local users.
Command: undo local-user password-display-mode

Table 22 Set/remove the attributes concerned with a specified user

Operation: Set a user password.
Command: password { simple | cipher } password

Operation: Remove the user password.
Command: undo password

Operation: Set the user state.
Command: state { active | block }

Operation: Remove the user state setting.
Command: undo state { active | block }

Operation: Set a service type available for the user.
Command: service-type { telnet | ssh | terminal | pad }

Operation: Cancel the service type available for the user.
Command: undo service-type { telnet | ssh | terminal | pad }

Operation: Set a priority level for the user.
Command: level level

Operation: Restore the default priority level.
Command: undo level

Operation: Authorize DVPN service to the user.
Command: service-type dvpn

Operation: Remove the DVPN service authorization.
Command: undo service-type dvpn

Operation: Set the directory that can be accessed if the user is an FTP user.
Command: service-type ftp [ ftp-directory directory ]

Operation: Restore the default directory that can be accessed if the user is an FTP user.
Command: undo service-type ftp [ ftp-directory ]

Operation: Set the callback number and call number attributes of PPP users.
Command: service-type ppp [ callback-nocheck | callback-number callback-number | call-number call-number [ subcall-number ] ]

Operation: Restore the default callback number and call number of PPP users.
Command: undo service-type ppp [ callback-nocheck | callback-number | call-number ]

By default, no service is authorized to users. The default user priority level is 0.

Note: If the configured authentication method requires a username and password (including local, RADIUS, and HWTACACS authentication), your user priority determines which level of commands you can access after logging onto the system. If you adopt RSA authentication, your interface priority determines which level of commands you can access. If the authentication method is none or requires only a password, your interface priority determines which level of commands you can access.

Configuring the RADIUS Protocol

The RADIUS protocol is configured scheme by scheme. In a real networking environment, a RADIUS scheme can comprise an independent RADIUS server or a pair of primary and secondary RADIUS servers with the same configuration but different IP addresses. Accordingly, the attributes of every RADIUS scheme include the IP addresses of the primary and secondary servers, the shared key, and the RADIUS server type.

The RADIUS protocol configurations only define the parameters necessary for the information exchange between a NAS and a RADIUS server. To make these parameter settings take effect, you also need to reference the RADIUS scheme containing them in ISP domain view. For more information about the configuration commands, refer to the section “Configuring AAA”.

RADIUS protocol configuration includes:

■ Create a RADIUS scheme

■ Configure RADIUS authentication/authorization servers

■ Configure RADIUS accounting servers and the related attributes

■ Configure the shared key for RADIUS packet encryption

■ Set the maximum number of RADIUS request attempts

■ Set the supported RADIUS server type

■ Set RADIUS server state

■ Set the username format acceptable to the RADIUS server

■ Set the unit of data flows destined for the RADIUS server

■ Configure the source address in the RADIUS packets sent by NAS

■ Set timers regarding RADIUS server

■ Configure the RADIUS server to send a trap packet

Among these tasks, creating a RADIUS scheme and configuring RADIUS authentication/authorization servers are required, while other tasks are optional at your discretion.

Creating a RADIUS Scheme

As mentioned earlier, the RADIUS protocol is configured scheme by scheme. Therefore, before performing other RADIUS protocol configurations, you must create a RADIUS scheme and enter its view.

You can use the following commands to create/delete a RADIUS scheme.

Perform the following configurations in system view.

Table 23 Create/delete a RADIUS scheme

Operation: Create a RADIUS scheme and enter its view.
Command: radius scheme radius-scheme-name

Operation: Delete a RADIUS scheme.
Command: undo radius scheme radius-scheme-name

A RADIUS scheme can be referenced by several ISP domains at the same time.

By default, the system has a RADIUS scheme named system whose attributes are all default values.

CAUTION: FTP, terminal, and SSH are not standard attribute values of the RADIUS protocol, so you need to define them in the attribute login-service (the standard attribute 15):

login-service(50) = SSH
login-service(51) = FTP
login-service(52) = Terminal

After that, reboot the RADIUS server to validate them.

Configuring RADIUS Authentication/Authorization Servers

You can use the following commands to configure the IP address and port number of RADIUS authentication/authorization servers.

Perform the following configuration in RADIUS view.

Table 24 Configure IP address and port number of RADIUS authentication/authorization servers

Operation: Configure IP address and port number of the primary RADIUS authentication/authorization server.
Command: primary authentication ip-address [ port-number ]

Operation: Restore IP address and port number of the primary RADIUS authentication/authorization server to the default values.
Command: undo primary authentication

Operation: Configure IP address and port number of the secondary RADIUS authentication/authorization server.
Command: secondary authentication ip-address [ port-number ]

Operation: Restore IP address and port number of the secondary RADIUS authentication/authorization server to the default values.
Command: undo secondary authentication

Because the authorization information from the RADIUS server is sent to RADIUS clients in authentication response packets, you do not need to specify a separate authorization server.

In real networking environments, you may specify two RADIUS servers as primary and secondary authentication/authorization servers respectively, or specify one server to function as both.

Configuring RADIUS Accounting Servers and the Related Attributes

Configuring RADIUS accounting servers

You can use the following commands to configure the IP address and port number of RADIUS accounting servers.

Perform the following configuration in RADIUS view.

Table 25 Configure IP address and port number of RADIUS accounting servers

Operation: Configure IP address and port number of the primary RADIUS accounting server.
Command: primary accounting ip-address [ port-number ]

Operation: Restore the default IP address and port number of the primary RADIUS accounting server.
Command: undo primary accounting

Operation: Configure IP address and port number of the secondary RADIUS accounting server.
Command: secondary accounting ip-address [ port-number ]

Operation: Restore the default IP address and port number of the secondary RADIUS accounting server.
Command: undo secondary accounting

In practice, you can specify two RADIUS servers as the primary and the secondary accounting servers respectively, or specify one server to function as both.

For normal interaction between the NAS and a RADIUS server, you must ensure the connectivity of the routes between the RADIUS server and the NAS before configuring the IP address and UDP port of the RADIUS server. In addition, since RADIUS uses different UDP ports for authentication/authorization and accounting, you must assign different numbers to the authentication/authorization port and the accounting port, which are 1812 and 1813 respectively as recommended by RFC 2138/2139. You can, however, assign port numbers different from the two recommended in the RFC. (For example, in the early stage of RADIUS server implementation, 1645 and 1646 were often assigned to the authentication/authorization port and accounting port.) When doing this, make sure that the port settings on the security gateway and the RADIUS server are consistent.

You can use the display radius command to view the IP addresses and port number of the primary and secondary accounting servers in the RADIUS scheme.

Configuring optional accounting

If a user is configured with the accounting optional command, the device does not disconnect the user during the accounting even when it finds no available accounting server or fails to communicate with the accounting server.

Perform the following configuration in RADIUS domain view.

Table 26 Enable/disable optional accounting

Operation: Enable optional accounting.
Command: accounting optional

Operation: Disable optional accounting.
Command: undo accounting optional

By default, when a RADIUS scheme is created, optional accounting is disabled.

Enabling the stop-accounting packet buffer and retransmission

Since the stop-accounting packet affects the bill and eventually the charge to a user, it is important to both users and the ISP. Therefore, the NAS should make its best effort to send every stop-accounting packet to the RADIUS accounting server. If the NAS receives no response from the RADIUS accounting server to a stop-accounting packet that it has sent for a specified period, it buffers and resends the packet until the RADIUS accounting server responds, or discards the packet if the number of transmission attempts reaches the configured limit. You can use the following commands to enable the NAS to buffer stop-accounting packets and set the maximum number of transmission attempts.

Perform the following configuration in RADIUS view.

Table 27 Enable the stop-accounting packet buffer and set the maximum number of transmission attempts

Operation: Enable the stop-accounting packet buffer.
Command: stop-accounting-buffer enable

Operation: Disable the stop-accounting packet buffer.
Command: undo stop-accounting-buffer enable

Operation: Enable stop-accounting packet retransmission and specify the maximum number of transmission attempts.
Command: retry stop-accounting retry-times

Operation: Restore the default maximum number of transmission attempts.
Command: undo retry stop-accounting

By default, the stop-accounting packet buffer is disabled and the maximum number of packet transmission attempts is 500.

Configuring the maximum number of real-time accounting request attempts

A RADIUS server usually determines the online state of a user using the connection timeout timer. If the RADIUS server receives no real-time accounting packets from the NAS for a long time, it considers that the line or device has failed and stops user accounting. To work with this feature of the RADIUS server, the NAS is required to terminate user connections simultaneously with the RADIUS server when unpredictable faults occur. 3Com Series Security Gateways allow you to set the maximum number of continuous real-time accounting request attempts. The NAS terminates a user connection if it receives no response after the number of transmitted real-time accounting requests exceeds the configured limit.

You can use the following command to set the maximum number of real-time accounting request attempts.

Perform the following configuration in RADIUS view.

Table 28 Set the maximum number of real-time accounting request attempts

Operation: Set the maximum number of real-time accounting request attempts.
Command: retry realtime-accounting retry-times

Operation: Restore the default maximum number of real-time accounting request attempts.
Command: undo retry realtime-accounting

By default, the maximum number of real-time accounting request attempts is 5.

Setting the Shared Key for RADIUS Packet Encryption

The RADIUS client (the security gateway) and the RADIUS server use the MD5 algorithm to hash the packets exchanged between them, and both ends verify the packets using a shared key. Only when the same key is used at both ends can they properly receive the packets and respond.

Perform the following configurations in RADIUS view.

Table 29 Set the shared key for RADIUS packet encryption

Operation: Set the shared key for RADIUS authentication/authorization packet encryption.
Command: key authentication string

Operation: Restore the default shared key for RADIUS authentication/authorization packet encryption.
Command: undo key authentication

Operation: Set the shared key for RADIUS accounting packet encryption.
Command: key accounting string

Operation: Restore the default shared key for RADIUS accounting packet encryption.
Command: undo key accounting

By default, the shared key 3com is used for RADIUS authentication/authorization and accounting packet encryption.

Setting the Maximum Number of RADIUS Request Attempts

Since RADIUS uses UDP packets to carry data, the communication process is not reliable. If the RADIUS server does not respond to the NAS before the response timer times out, the NAS should retransmit the RADIUS request. After the number of transmission attempts exceeds the specified retry-times, the NAS considers that the communication with the current RADIUS server has been disconnected and turns to another RADIUS server.

You can use the following command to set the maximum number of allowed RADIUS request attempts.

Perform the following configurations in RADIUS view.

By default, a RADIUS request can be sent up to three times.
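The shared key from "Setting the Shared Key for RADIUS Packet Encryption" above is not used to encrypt the packet body; it is appended to the packet and hashed with MD5, and the receiving side recomputes the hash with its own copy of the key. The following Python script, added here as an illustration and not taken from the guide or from 3Com, builds an Access-Request, has a simulated server answer it, and shows that the NAS accepts the reply only when both ends hold the same key and the reply arrives unmodified. The packet contents, the username alice@isp1 and the NAS address are constructed; the authenticator formulas are the ones in RFC 2865 and RFC 2866.

```python
"""RADIUS shared-key check: how the NAS verifies a server response.

Added example (not 3Com code) of the MD5 Response Authenticator from RFC 2865,
which is what the 'key authentication' / 'key accounting' shared key feeds into.
All packet contents below are constructed for the illustration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 4, 6   # standard attribute types


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including the 2 header octets), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def header(code: int, ident: int, attrs: bytes) -> bytes:
    """Code (1), Identifier (1), Length (2): length covers the 20-octet fixed part too."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret).digest()


def accounting_request_authenticator(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request (RFC 2866): the authenticator field is 16 zero octets when hashed."""
    return hashlib.md5(header(ACCOUNTING_REQUEST, ident, attrs) + bytes(16) + attrs + secret).digest()


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return header(code, ident, attrs) + authenticator + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check; a mismatching key or a modified octet makes this return False."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def exchange(nas_key: bytes, server_key: bytes, tamper: bool = False) -> bool:
    """Simulate one Access-Request / Access-Accept round trip and return the NAS verdict."""
    request_auth = os.urandom(16)                       # fresh random authenticator per request
    attrs = attribute(USER_NAME, b"alice@isp1") + attribute(NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))
    request = build_packet(ACCESS_REQUEST, 7, request_auth, attrs)

    # Server side: answers using its own copy of the shared key.
    _, ident, _ = struct.unpack("!BBH", request[:4])
    reply_attrs = attribute(SERVICE_TYPE, struct.pack("!I", 2))   # Service-Type = Framed-User
    reply = build_packet(ACCESS_ACCEPT, ident,
                         response_authenticator(ACCESS_ACCEPT, ident, reply_attrs,
                                                request[4:20], server_key),
                         reply_attrs)
    if tamper:                                          # flip one bit of the attributes in transit
        reply = reply[:-1] + bytes([reply[-1] ^ 0x01])

    # NAS side: recompute with the locally configured key and compare.
    return verify_response(reply, request_auth, nas_key)
```

Two practical consequences follow from the construction. First, a key mismatch between the security gateway and the server does not produce an error message on the wire; the reply simply fails verification and is dropped, which from the NAS's point of view looks like an unresponsive server and triggers the retry logic in the next section. Second, because the default key 3com is published in this guide, the authentication and accounting keys should be set per scheme rather than left at the default.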

Setting the Supported RADIUS Server Type

You can use the following command to set the supported RADIUS server type.

Perform the following configurations in RADIUS view.

By default, in the system scheme, the RADIUS server type is 3com; in a newly added RADIUS scheme, the RADIUS server type is standard.

Note: If a 3Com CAMS server is used, some parameters, such as service type, EXEC priority level, and FTP directory, take effect only after server-type is configured as 3com.

Setting RADIUS Server State

For primary and secondary servers (no matter whether they are authentication/authorization servers or accounting servers) in a RADIUS scheme, if the primary server is disconnected from the NAS due to some fault, the NAS automatically turns to the secondary server. However, after the primary one recovers, the NAS does not resume the communication with it at once; instead, the NAS continues communicating with the secondary one and turns to the primary one again only after the secondary one fails. To have the NAS communicate with the primary server right after its recovery, you can manually set the primary server state to active.

When both primary and secondary servers are active or blocked, the NAS sends packets to the primary one only.

Perform the following configurations in RADIUS view.

Table 30 Set the maximum number of RADIUS request attempts

Operation: Set the maximum number of RADIUS request attempts.
Command: retry retry-times

Operation: Restore the default maximum number of RADIUS request attempts.
Command: undo retry

Table 31 Set the supported RADIUS server type

Operation: Set the supported RADIUS server type.
Command: server-type { 3com | standard }

Operation: Restore the RADIUS server type to the default setting.
Command: undo server-type

You can use the display radius command to view the server state in the RADIUS scheme.

Setting Username Format Acceptable to RADIUS Server

As mentioned above, the supplicants are generally named in userid@isp-name format. The part following "@" is the ISP domain name. 3Com Series Security Gateways put users into different ISP domains according to the domain names. However, some earlier RADIUS servers reject usernames that include the ISP domain name. In this case, you have to remove the domain name before sending the username to the RADIUS server. The security gateway provides the following command to specify whether the username sent to the RADIUS server carries the ISP domain name or not.

Note: If a RADIUS scheme is configured not to allow usernames to include ISP domain names, the RADIUS scheme must not be used in more than one ISP domain at the same time. Otherwise, the RADIUS server will mistakenly regard two users in different ISP domains as the same user if they have the same username (excluding their respective domain names).

By default, in the system scheme, the NAS sends usernames without the ISP domain name to the RADIUS server; in a newly added RADIUS scheme, the NAS sends usernames with the ISP domain name to the RADIUS server.
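The note above describes an identity collision rather than a connectivity problem, so it is worth seeing concretely. The following Python snippet, added here as an illustration and not taken from the guide or from 3Com, splits supplicant names the way the text describes, applies each user-name-format setting, and reports which server-side names would be shared by two different supplicants when a without-domain scheme is reused across ISP domains. The user list is constructed for the example.

```python
"""Username handling for 'user-name-format { with-domain | without-domain }'.

Added example (not 3Com code) showing what the NAS sends to the RADIUS server
in each format and why a without-domain scheme shared by several ISP domains
makes distinct users collide. The user list is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def split_username(name: str) -> Tuple[str, Optional[str]]:
    """'userid@isp-name' -> (userid, isp-name); a bare userid has no domain part."""
    userid, sep, domain = name.partition("@")
    return userid, (domain if sep else None)


def name_sent_to_radius(name: str, fmt: str) -> str:
    """Apply the scheme's user-name-format to a supplicant name."""
    if fmt == "with-domain":
        return name
    if fmt == "without-domain":
        return split_username(name)[0]
    raise ValueError(f"unknown user-name-format: {fmt}")


def collisions(names: List[str], fmt: str) -> Dict[str, List[str]]:
    """Map each name as seen by the RADIUS server to the distinct supplicants behind it,
    keeping only the names that two or more different supplicants would share."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for n in names:
        sent = name_sent_to_radius(n, fmt)
        if n not in seen[sent]:
            seen[sent].append(n)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed supplicant names: the same userid in two ISP domains, plus two others.
USERS = ["alice@isp1", "alice@isp2", "bob@isp1", "carol"]
```

Running collisions(USERS, "without-domain") reports that alice@isp1 and alice@isp2 both reach the server as alice, which is the case the note warns about; with-domain keeps them distinct. The same check can be run over an exported user list before a scheme is switched to without-domain.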

Setting the Unit of Data Flows Destined for RADIUS Server

3Com Series Security Gateways provide you with the following command to define the unit of the data flow sent to RADIUS servers.

In a RADIUS scheme, the default data unit is byte and the default data packet unit is one packet.

Table 32 Set RADIUS server state

Operation: Set the state of the primary RADIUS authentication/authorization server.
Command: state primary authentication { block | active }

Operation: Set the state of the primary RADIUS accounting server.
Command: state primary accounting { block | active }

Operation: Set the state of the secondary RADIUS authentication/authorization server.
Command: state secondary authentication { block | active }

Operation: Set the state of the secondary RADIUS accounting server.
Command: state secondary accounting { block | active }

Table 33 Set username format acceptable to RADIUS server

Operation: Set the username format transmitted to the RADIUS server.
Command: user-name-format { with-domain | without-domain }

Table 34 Set the unit of data flows destined for RADIUS server

Operation: Set the unit of data flows transmitted to the RADIUS server.
Command: data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }

Operation: Restore the default unit.
Command: undo data-flow-format

Configuring Source Address for RADIUS Packets Sent by NAS

Perform the following configuration in the specified views.

Table 35 Configure source address for the RADIUS packets sent by the NAS

Operation: Configure the source address to be carried in the RADIUS packets sent by the NAS (RADIUS view).
Command: nas-ip ip-address

Operation: Cancel the configured source address to be carried in the RADIUS packets sent by the NAS (RADIUS view).
Command: undo nas-ip

Operation: Configure the source address to be carried in the RADIUS packets sent by the NAS (system view).
Command: radius nas-ip ip-address

Operation: Cancel the configured source address to be carried in the RADIUS packets sent by the NAS (system view).
Command: undo radius nas-ip

You can use either command to bind a source address with the NAS.

By default, no source address is specified and the source address of a packet is the address of the interface where it is sent.

Setting Timers Regarding RADIUS Server

Setting the response timeout timer

If the NAS receives no response from the RADIUS server after sending a RADIUS request (authentication/authorization or accounting request) for a period, the NAS has to resend the request, thus ensuring the user can obtain the RADIUS service.

You can use the following commands to set the response timeout timer.

Perform the following configuration in RADIUS view.

Table 36 Set the response timeout timer

Operation: Set the response timeout timer.
Command: timer response-timeout seconds

Operation: Restore the default response timeout timer.
Command: undo timer response-timeout

By default, the response timeout timer for the RADIUS server is set to three seconds.

Setting the quiet timer for the primary RADIUS server

Perform the following configuration in RADIUS view.

Table 37 Configure the quiet timer for the primary RADIUS server

Operation: Configure the quiet timer for the primary RADIUS server.
Command: timer quiet minutes

Operation: Restore the default setting.
Command: undo timer quiet

By default, the primary RADIUS server must wait five minutes before it can resume the active state.

Setting a realtime accounting interval

The setting of real-time accounting interval is indispensable to real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the RADIUS accounting server at intervals of this value.

Perform the following configuration in RADIUS view.

Table 38 Set a real-time accounting interval

Operation: Set a real-time accounting interval.
Command: timer realtime-accounting minutes

Operation: Restore the default real-time accounting interval.
Command: undo timer realtime-accounting

In the command, minutes represents the interval for realtime accounting and it must be a multiple of three.

The setting of the real-time accounting interval depends to some extent on the performance of the NAS and the RADIUS server: a shorter interval requires higher device performance. You are therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). The following table recommends the ratio of minutes to the number of users.

Table 39 Recommended ratio of interval to user number

User number      Interval for realtime accounting (minutes)
1 - 99           3
100 - 499        6
500 - 999        12
1000 or more     15

The realtime accounting interval defaults to 12 minutes.

Configure the RADIUS Server to Send a Trap Packet

Perform the following configuration in system view.

Table 40 Configure the RADIUS server to send a trap packet

Operation: Configure the RADIUS server to send a trap packet when it goes down.
Command: radius trap { authentication-server-down | accounting-server-down }

Operation: Configure the RADIUS server not to send a trap packet when it goes down.
Command: undo radius trap { authentication-server-down | accounting-server-down }

By default, the RADIUS server does not send a trap packet when it goes down.

Configuring Local RADIUS Authentication Server

The security gateway provides a simple local RADIUS server function, including authentication and authorization, called the local RADIUS authentication server function.

Table 41 Configure local RADIUS authentication server

Operation: Configure local RADIUS authentication server.
Command: local-server nas-ip ip-address key password

Operation: Cancel the local RADIUS authentication server configuration.
Command: undo local-server nas-ip ip-address

By default, a local RADIUS authentication server with the NAS-IP as 127.0.0.1 and key as 3com is created.

Note: When the local RADIUS authentication server function is enabled, the UDP port number for the authentication/authorization services must be 1645 and that for the accounting service must be 1646.

The packet key password configured here must be the same with the authentication/authorization packet key password configured in the key authentication command in RADIUS view.

The device supports 16 local RADIUS authentication servers at most, including default ones created by the system.
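The sections above introduce the RADIUS commands one table at a time. The following configuration puts them together as one scheme referenced from one ISP domain, as an added example that is not taken from the guide or from a 3Com device: the scheme name lab-aaa, the domain name isp1, the server addresses 192.0.2.10/11, the NAS address 192.0.2.1 and the key strings are constructed, the trailing comments are explanatory and not CLI syntax, and the domain isp1 and scheme radius-scheme lab-aaa lines are the ISP-domain commands the text refers to (the scheme command) but does not list on these pages, so their exact syntax is an assumption. Every other command appears in the tables above, and the timer and retry values are the documented defaults, written out so that they are visible in the configuration.

```text
# System view: the RADIUS scheme (Tables 23 to 37)
radius scheme lab-aaa
 primary authentication 192.0.2.10 1812      # RFC 2138-recommended auth/authz port
 secondary authentication 192.0.2.11 1812
 primary accounting 192.0.2.10 1813          # accounting uses a different UDP port
 secondary accounting 192.0.2.11 1813
 key authentication LabAuthKey2007           # replaces the documented default key 3com
 key accounting LabAcctKey2007
 server-type standard
 user-name-format with-domain                # one scheme may then serve several domains
 retry 3                                     # default: a request is sent up to three times
 timer response-timeout 3                    # default: 3 seconds per attempt
 timer quiet 5                               # default: blocked primary rests 5 minutes
 timer realtime-accounting 12                # default; a multiple of 3 (see Table 39)
 retry realtime-accounting 5                 # default
 stop-accounting-buffer enable
 retry stop-accounting 500                   # default
 nas-ip 192.0.2.1                            # source address of RADIUS packets (Table 35)
 quit

# System view: the ISP domain that references the scheme (assumed domain/scheme syntax)
domain isp1
 scheme radius-scheme lab-aaa                # authentication/authorization via the scheme
 accounting radius-scheme lab-aaa            # accounting scheme for the domain
 access-limit enable 500                     # Table 17
 state active                                # Table 16
 quit

# System view: notify via SNMP trap when a server in the scheme goes down (Table 40)
radius trap authentication-server-down
radius trap accounting-server-down
```

Two points from the text are reflected deliberately: the shared keys are set per scheme instead of relying on the default 3com, and user-name-format with-domain is kept so that the scheme can be referenced by more than one ISP domain without the username collision described under "Setting Username Format Acceptable to RADIUS Server". After applying the scheme, display radius shows the resulting server addresses, ports and states.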

Configuring HWTACACS Protocol

The configuration tasks of HWTACACS include:

■ Create a HWTACACS scheme

■ Configure TACACS authentication servers

■ Configure TACACS authorization servers

■ Configure TACACS accounting servers

■ Configure a key for securing the communication with a TACACS server

■ Set the username format acceptable to a TACACS server

■ Set the unit of data flows destined for a TACACS server

■ Configure the source address to be carried by the HWTACACS packets sent by NAS

■ Set timers regarding TACACS server

Note: In contrast to the settings for a RADIUS server, note the following points when configuring a TACACS server:

■ The system does not check whether users are using the current HWTACACS scheme when you change most of its attributes, except when you delete the scheme.

■ By default, the TACACS server has no key.

Among these configuration tasks, creating a HWTACACS scheme and configuring TACACS authentication/authorization servers are mandatory, while the others are optional at your discretion.

Creating a HWTACACS scheme

As aforementioned, the HWTACACS protocol is configured scheme by scheme. Therefore, you must create a HWTACACS scheme and enter HWTACACS view before you perform other configuration tasks.

Perform the following configuration in system view.

Table 42 Create a HWTACACS scheme

Operation Command

Create a HWTACACS scheme and enter HWTACACS view. hwtacacs scheme hwtacacs-scheme-name

Page 47: 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guideh20628. · 2019-01-17 · 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guide Switch

Configuring HWTACACS Protocol 47

If the HWTACACS scheme you specify does not exist, the system creates it and enters HWTACACS view.

In HWTACACS view, you can configure the HWTACACS scheme.

The system supports up to 128 HWTACACS schemes. You can only delete the schemes that are not being used.

By default, no HWTACACS scheme exists.

Configuring TACACS Authentication Servers

Perform the following configuration in HWTACACS view.

The primary and secondary authentication servers cannot use the same IP address. Otherwise, the system will prompt unsuccessful configuration. The default port number is 49.

If you execute this command repeatedly, the new settings will replace the old settings.

You can remove a server only when it is not being used by an active TCP connection for sending authentication packets. Removing a server does not affect packets sent before the removal.

Configuring TACACS Authorization Servers

Perform the following configuration in HWTACACS view.

Table 42 Create a HWTACACS scheme (continued)

Delete a HWTACACS scheme. undo hwtacacs scheme hwtacacs-scheme-name

Table 43 Configure TACACS authentication servers

Operation Command

Configure the TACACS primary authentication server. primary authentication ip-address [ port ]

Delete the TACACS primary authentication server. undo primary authentication

Configure the TACACS secondary authentication server. secondary authentication ip-address [ port ]

Delete the TACACS secondary authentication server. undo secondary authentication

Table 44 Configure TACACS authorization servers

Operation Command

Configure the primary TACACS authorization server. primary authorization ip-address [ port ]

Delete the primary TACACS authorization server. undo primary authorization

Configure the secondary TACACS authorization server. secondary authorization ip-address [ port ]

Delete the secondary TACACS authorization server. undo secondary authorization


Note: If TACACS authentication is configured for a user but no TACACS authorization server is configured, the user cannot log in regardless of user type.

The primary and secondary authorization servers cannot use the same IP address; otherwise, the system reports that the configuration failed. The default port number is 49.

If you execute this command repeatedly, the new settings will replace the old settings.

You can remove a server only when it is not being used by an active TCP connection for sending authorization packets.

Configuring TACACS Accounting Servers and the Related Attributes

Configuring TACACS accounting servers

Perform the following configuration in HWTACACS view.

The primary and secondary accounting servers cannot use the same IP address; otherwise, the system reports that the configuration failed. The default port number is 49.

The default IP address of TACACS accounting server is 0.0.0.0.

If you execute this command repeatedly, the new settings will replace the old settings.

You can remove a server only when it is not being used by an active TCP connection for sending accounting packets.

Enabling stop-accounting packet retransmission

Perform the following configuration in HWTACACS view.

By default, stop-accounting packet retransmission is enabled, and the allowed maximum number of transmission attempts is 100.

Table 45 Configure TACACS accounting servers

Operation Command

Configure the primary TACACS accounting server. primary accounting ip-address [ port ]

Delete the primary TACACS accounting server. undo primary accounting

Configure the secondary TACACS accounting server. secondary accounting ip-address [ port ]

Delete the secondary TACACS accounting server. undo secondary accounting

Table 46 Configure stop-accounting packet retransmission

Operation Command

Enable stop-accounting packet retransmission and set the allowed maximum number of transmission attempts.

retry stop-accounting retry-times

Disable stop-accounting packet retransmission. undo retry stop-accounting


Configuring Source Address for HWTACACS Packets Sent by NAS

Perform the following configuration.

By default, no source address is specified and the source address to be carried in a packet is the address of the interface where the packet is sent.

Setting a Key for Securing the Communication with TACACS Server

When using a TACACS server as an AAA server, you can set a key to improve the communication security between the security gateway and the TACACS server.

Perform the following configuration in HWTACACS view.

No key is configured by default.

Setting the Username Format Acceptable to the TACACS Server

A username is usually in the "userid@isp-name" format, with the ISP domain name following the "@".

If a TACACS server does not accept usernames that carry a domain name, you can configure the NAS to strip the domain name before sending the username to the TACACS server.

Perform the following configuration in HWTACACS view.

By default, each username sent to a TACACS server contains a domain name.

Setting the Unit of Data Flows Destined for the TACACS Server

Perform the following configuration in HWTACACS view.

Table 47 Configure the source address to be carried in HWTACACS packets sent by the NAS

Operation Command

Configure the source address to be carried in HWTACACS packets sent by the NAS (HWTACACS view). nas-ip ip-address

Delete the configured source address to be carried in HWTACACS packets sent by the NAS (HWTACACS view). undo nas-ip

Configure the source address to be carried in HWTACACS packets sent by the NAS (system view). hwtacacs nas-ip ip-address

Cancel the configured source address to be carried in HWTACACS packets sent by the NAS (system view). undo hwtacacs nas-ip

Table 48 Set a key for securing the communication with the TACACS server

Operation Command

Configure a key for securing the communication with the TACACS accounting, authorization or authentication server.

key { accounting | authorization | authentication } string

Delete the configuration. undo key { accounting | authorization | authentication }

Table 49 Set the username format acceptable to the TACACS server

Operation Command

Send username with domain name. user-name-format with-domain

Send username without domain name. user-name-format without-domain


By default, data flows are measured in bytes and packet flows in single packets.

Setting Timers Regarding TACACS Server

Setting the response timeout timer

Since HWTACACS is implemented based on TCP, server response timeout or TCP timeout may terminate the connection to the TACACS server.

Perform the following configuration in HWTACACS view.

The default response timeout timer is set to five seconds.

Setting the quiet timer for the primary TACACS server

Perform the following configuration in HWTACACS view.

By default, the primary TACACS server must wait five minutes before it can resume the active state.

Setting a realtime accounting interval

The real-time accounting interval must be set for real-time accounting to work. Once an interval is set, the NAS sends the accounting information of online users to the RADIUS accounting server at that interval.

Perform the following configuration in HWTACACS view.

Table 50 Set the unit of data flows destined for the TACACS server

Operation Command

Set the unit of data flows destined for the TACACS server.

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }

data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }

Restore the default unit of data flows destined for the TACACS server.

undo data-flow-format { data | packet }

Table 51 Set the response timeout timer

Operation Command

Set the response timeout time. timer response-timeout seconds

Restore the default setting. undo timer response-timeout

Table 52 Set the quiet timer for the primary TACACS server

Operation Command

Set the quiet timer for the primary TACACS server. timer quiet minutes

Restore the default setting. undo timer quiet

Table 53 Set a real-time accounting interval

Operation Command

Set a real-time accounting interval. timer realtime-accounting minutes


The interval is in minutes and must be a multiple of 3.

The choice of real-time accounting interval depends somewhat on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. It is therefore recommended to use a longer interval when there are a large number of users (1000 or more). The following table gives the recommended interval in minutes for each number of users.

The real-time accounting interval defaults to 12 minutes.
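The scheme constraints stated in the sections above (no key by default, primary and secondary servers of one type must not share an IP address, port 49 when none is given, an authentication server without an authorization server locks users out, a real-time accounting interval that must be a multiple of 3, at most 128 schemes) can be checked mechanically before a configuration is pushed. The following Python is an added example, not part of this guide or of the switch software; the configuration text it parses is constructed here in the command syntax of the tables above, and it recognises only the commands shown in those tables.

```python
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_PORT = 49       # default TACACS server port stated in the tables above
MAX_SCHEMES = 128       # the system supports up to 128 HWTACACS schemes
SERVICES = ("authentication", "authorization", "accounting")

# Constructed sample in the syntax of the tables above; not taken from any real device.
SAMPLE_CONFIG = """\
hwtacacs scheme tac-good
 primary authentication 10.0.0.1
 secondary authentication 10.0.0.2 49
 primary authorization 10.0.0.1
 primary accounting 10.0.0.1
 key authentication expert
 key authorization expert
 key accounting expert
 timer realtime-accounting 12
 quit
hwtacacs scheme tac-bad
 primary authentication 10.0.0.1 49
 secondary authentication 10.0.0.1 1049
 primary accounting 10.0.0.1
 key authentication expert
 timer realtime-accounting 10
 quit
"""

class Scheme:
    """Parsed state of one HWTACACS scheme (one 'hwtacacs scheme' block)."""
    def __init__(self, name: str) -> None:
        self.name = name
        # (role, service) -> (ip, port), e.g. ("primary", "accounting") -> ("10.0.0.1", 49)
        self.servers: Dict[Tuple[str, str], Tuple[str, int]] = {}
        self.keys: Dict[str, str] = {}          # service -> shared key
        self.realtime: Optional[int] = None     # timer realtime-accounting, in minutes

_SCHEME = re.compile(r"hwtacacs scheme (\S+)$")
_SERVER = re.compile(r"(primary|secondary) (authentication|authorization|accounting) (\S+)(?: (\d+))?$")
_KEY = re.compile(r"key (authentication|authorization|accounting) (\S+)$")
_TIMER = re.compile(r"timer realtime-accounting (\d+)$")

def parse_hwtacacs(config: str) -> Dict[str, Scheme]:
    """Collect the HWTACACS-view commands of each scheme; other lines are ignored."""
    schemes: Dict[str, Scheme] = {}
    current: Optional[Scheme] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SCHEME.match(line)
        if m:
            current = schemes.setdefault(m.group(1), Scheme(m.group(1)))
            continue
        if line == "quit":
            current = None
            continue
        if current is None:
            continue                       # command outside HWTACACS view
        m = _SERVER.match(line)
        if m:
            role, service, ip, port = m.groups()
            current.servers[(role, service)] = (ip, int(port) if port else DEFAULT_PORT)
            continue
        m = _KEY.match(line)
        if m:
            current.keys[m.group(1)] = m.group(2)
            continue
        m = _TIMER.match(line)
        if m:
            current.realtime = int(m.group(1))
    return schemes

def lint_hwtacacs(config: str) -> List[str]:
    """Return one finding per violated constraint, prefixed with the scheme name."""
    schemes = parse_hwtacacs(config)
    findings: List[str] = []
    if len(schemes) > MAX_SCHEMES:
        findings.append(f"{len(schemes)} schemes configured; at most {MAX_SCHEMES} are supported")
    for s in schemes.values():
        for service in SERVICES:
            prim = s.servers.get(("primary", service))
            sec = s.servers.get(("secondary", service))
            if prim and sec and prim[0] == sec[0]:
                findings.append(f"{s.name}: primary and secondary {service} servers share IP {prim[0]}")
            if (prim or sec) and service not in s.keys:
                findings.append(f"{s.name}: {service} server configured but no key set (none by default)")
        configured = {service for (_, service) in s.servers}
        if "authentication" in configured and "authorization" not in configured:
            findings.append(f"{s.name}: authentication server without authorization server; users cannot log in")
        if s.realtime is not None and s.realtime % 3 != 0:
            findings.append(f"{s.name}: realtime-accounting interval {s.realtime} is not a multiple of 3")
    return findings

if __name__ == "__main__":
    for finding in lint_hwtacacs(SAMPLE_CONFIG):
        print(finding)
```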

Displaying and Debugging AAA and RADIUS/HWTACACS Protocols

After the above configuration, execute the display commands in any view to view the running of the AAA and RADIUS/HWTACACS configurations and to check the configuration effect. Execute the reset commands in user view to reset the configurations. Execute the debugging commands in user view for debugging.

Table 53 Set a real-time accounting interval (continued)

Restore the default real-time accounting interval. undo timer realtime-accounting

Table 54 Recommended ratio of the interval to the number of users

User number Real-time accounting interval (in minutes)

1 - 99 3

100 - 499 6

500 - 999 12

≥1000 15


Table 55 Display and debug the AAA protocol

Operation Command

Display the configuration information of the specified or all the ISP domains.

display domain [ isp-name ]

Display related information of user’s connection.

display connection [ domain isp-name | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | ucibindex ucib-index | user-name user-name ]

Display related information of the local user

display local-user [ domain isp-name | service-type { dvpn | telnet | ssh | terminal | ftp | ppp } | state { active | block } | user-name user-name ]

Table 56 Display and debug the RADIUS protocol

Operation Command

Display the specified or all the RADIUS schemes or display the statistics about RADIUS.

display radius [ radius-scheme-name | statistics ]

Display the statistics on RADIUS packets. display radius statistics

Display information on the stop-accounting packets in the buffer.

display stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name }


AAA and RADIUS/HWTACACS Protocol Configuration Example

Telnet/SSH User Authentication/Accounting Using RADIUS Server

Note: The authentication configuration on the RADIUS server for SSH users is similar to that for Telnet users. The following uses the configuration for Telnet users as an example.

Network requirements

Configure the IPsec module to enable the RADIUS server to provide authentication and accounting services for Telnet users accessing the IPsec module (see the following figure).

Table 56 Display and debug the RADIUS protocol (continued)

Display the statistics on the local RADIUS authentication server. display local-server statistics

Enable RADIUS packet debugging. debugging radius packet

Disable RADIUS packet debugging. undo debugging radius packet

Enable local RADIUS authentication server debugging.

debugging local-server { all | error | event | packet }

Disable local RADIUS authentication server debugging.

undo debugging local-server { all | error | event | packet }

Clear stop-accounting packets from the buffer.

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

Reset the statistics of RADIUS server. reset radius statistics

Table 57 Display and debug the HWTACACS protocol

Operation Command

Display the specified or all the HWTACACS schemes.

display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]

Display information on the stop-accounting packets in the buffer.

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Enable HWTACACS debugging. debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

Disable HWTACACS debugging. undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

Clear stop-accounting packets from the buffer.

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Reset the statistics about TACACS servers. reset hwtacacs statistics { accounting | authentication | authorization | all }



Connect the IPsec module to the RADIUS server (which functions as both the authentication server and the accounting server), whose IP address is 10.0.0.1/24. On the IPsec module, set the shared keys for packet exchange with both the authentication server and the accounting server to "expert".

You can use a 3Com CAMS server as the RADIUS server. Set server-type in the RADIUS scheme to standard or 3com if a third-party RADIUS server is used, and to 3com if a 3Com CAMS server is used. On the RADIUS server, set the shared key for packet exchange with the IPsec module to "expert", set the authentication and accounting port numbers, and add the usernames and login passwords of the Telnet users. If the RADIUS scheme on the IPsec module is configured not to remove the domain name from the username but to send the full username to the RADIUS server, the Telnet usernames added on the RADIUS server must be in the userid@isp-name format.

Network diagram

Figure 9 Network diagram for remote RADIUS authentication on Telnet users

Configuration procedure

1 Radius Server

IP address: 10.0.0.1/24.

Gateway: 10.0.0.254.

2 Telnet User

IP address: 50.0.0.1/24.

3 Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30

Figure 9 (diagram labels only): SecBlade Switch 8800 with Vlan 10 (10.0.0.254/24) towards the Radius Server (10.0.0.1/24), Vlan 30 between the switch (30.0.0.1/24) and the SecBlade (30.0.0.254/24), and Vlan 50 (50.0.0.254/24) towards the Telnet User (50.0.0.1/24).


[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of IPsec module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create SecBlade test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Configure the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the IPsec module to the IPsec module of the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the IPsec module of the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.


[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Configure the Telnet user to use AAA authentication mode.

[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme

# Configure the domain.

[secblade] domain cams
[secblade-isp-cams] access-limit enable 10
[secblade-isp-cams] accounting optional
[secblade-isp-cams] quit

# Configure a RADIUS scheme.

[secblade] radius scheme cams
[secblade-radius-cams] primary authentication 10.0.0.1 1812
[secblade-radius-cams] primary accounting 10.0.0.1 1813
[secblade-radius-cams] key authentication expert
[secblade-radius-cams] key accounting expert
[secblade-radius-cams] server-type 3Com
[secblade-radius-cams] user-name-format with-domain
[secblade-radius-cams] quit

# Associate the domain with the RADIUS scheme.

[secblade] domain cams
[secblade-isp-cams] scheme radius-scheme cams
[secblade-isp-cams] quit

Telnet users use usernames in the userid@cams format to log onto the network and are to be authenticated as cams domain users.

# Quit IPsec module configuration view.

[secblade] quit
<secblade> quit
[SW8800]


Configuring FTP/Telnet User Local Authentication

Note: Configuring local authentication for FTP users is similar to that for Telnet users. The following example is based on Telnet users.

Network requirements

Configure the IPsec module to authenticate Telnet login users locally (see the following figure).

Network diagram

Figure 10 Network diagram for Telnet user local authentication

Configuration procedure

1 Telnet User

IP address: 10.0.0.1/24.

Gateway: 10.0.0.254.

2 Switch 8800 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.



[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of IPsec module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create the SecBlade test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the IPsec module to the IPsec module of the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the IPsec module of the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.


[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Configure the Telnet user to use AAA authentication.

[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme

# Create the local user telnet.

[secblade] local-user telnet@system
[secblade-luser-telnet@system] service-type telnet
[secblade-luser-telnet@system] password simple 3com
[secblade-luser-telnet@system] quit
[secblade] domain system
[secblade-isp-system] scheme local
[secblade-isp-system] quit

Telnet users use usernames in the userid@system format to log onto the network and are to be authenticated as system domain users.

# Quit IPsec module configuration view.

[secblade] quit
<secblade> quit
[SW8800]

Enabling the TACACS Server to Employ One-Time Authentication/Accounting on Telnet Users

Network requirements

In the network environment shown in the following figure, configure the TACACS server to perform one-time password authentication and accounting for Telnet users.

One TACACS server host, serving as both the authentication server and the accounting server, is connected to an IPsec module. The IP address of the server host is 10.0.0.1/24. Set the shared keys for packet exchange with both the authentication server and the accounting server to "expert". The TACACS server provides one-time password authentication, and the IPsec module does not remove the domain name from the username but sends them together to the TACACS server, so the username you add on the TACACS server should be "test@tacacs".


Network diagram

Figure 11 Network diagram for remote RADIUS authentication on the Telnet user

Configuration procedure

1 TACACS Server

IP address: 10.0.0.1/24.

Gateway: 10.0.0.254.

2 Telnet User

IP address: 50.0.0.1/24.

3 Switch 8800 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.



[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of IPsec module interfaces (the IPsec module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create the secblade test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the IPsec module to the IPsec module of the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the IPsec module of the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1


# Configure the Telnet user to use AAA authentication.

[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme

# Configure the domain.

[secblade] domain cams
[secblade-isp-cams] access-limit enable 10
[secblade-isp-cams] accounting optional
[secblade-isp-cams] quit

# Configure the HWTACACS scheme.

[secblade] hwtacacs scheme system
[secblade-hwtacacs-system] primary authentication 10.0.0.1 1812
[secblade-hwtacacs-system] primary accounting 10.0.0.1 1813
[secblade-hwtacacs-system] key authentication expert
[secblade-hwtacacs-system] key accounting expert
[secblade-hwtacacs-system] server-type 3Com
[secblade-hwtacacs-system] user-name-format with-domain
[secblade-hwtacacs-system] quit

# Associate the domain with the HWTACACS scheme.

[secblade] domain tacacs
[secblade-isp-tacacs] scheme tacacs-scheme system

4 Configure the TACACS server

■ Configure the IP address

■ Configure the shared key

■ Add username test@tacacs

■ Enable one-time authentication

5 Login procedure

The Telnet user logs in with one-time password authentication as follows:

Figure 12 Telnet user login interface

Step 1: Type username test@tacacs.


Step 2: Choose to use the winkey.exe calculator to get the login password at the prompt "s/key 89 gf55236".

Figure 13 Calculate login password

In the above figure:

Type the prompt "89 gf55236" in the Challenge field.

Type the private password (test for example) in the Password field.

The Response field outputs the calculation result, that is, the password you need to type in the login interface.

Step 3: Type the calculated password in the login interface and you are authorized to access.
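Step 2 above leaves the calculation to winkey.exe. The following Python is an added example, not part of this guide or of 3Com's software, that performs the same kind of one-time password computation following RFC 2289 with its MD5 variant, and adds the server-side check that explains why the private password never has to cross the network. The guide does not state which hash winkey.exe uses, so the MD5 choice is an assumption; the RFC's six-word encoding is omitted (hex output only), and the pass phrase and the challenge "89 gf55236" used in the demonstration are taken as constructed sample input.

```python
import hashlib
from typing import Tuple

def _fold_md5(data: bytes) -> bytes:
    # RFC 2289 MD5 step: hash, then fold the 16-byte digest to 8 bytes by
    # XOR-ing the first half with the second half.
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5(passphrase: str, seed: str, sequence: int) -> str:
    """One-time password for (passphrase, seed, sequence) as 16 hex digits.

    The seed is case-insensitive and lowercased before use; the generator
    hashes seed + passphrase once and then re-hashes the result `sequence`
    times.  Only this hash-chain value is typed at the login prompt; the
    pass phrase itself never crosses the network.
    """
    if sequence < 0:
        raise ValueError("sequence number must be non-negative")
    value = _fold_md5(seed.lower().encode("ascii") + passphrase.encode("ascii"))
    for _ in range(sequence):
        value = _fold_md5(value)
    return value.hex().upper()

def parse_challenge(prompt: str) -> Tuple[int, str]:
    """Split a challenge such as 's/key 89 gf55236' into (sequence, seed)."""
    parts = prompt.split()
    if parts and parts[0].lower() in ("s/key", "otp-md5"):
        parts = parts[1:]
    if len(parts) != 2 or not parts[0].isdigit():
        raise ValueError(f"unrecognised challenge: {prompt!r}")
    return int(parts[0]), parts[1]

def response_for(prompt: str, passphrase: str) -> str:
    """What a calculator's Response field shows for the given Challenge and Password."""
    sequence, seed = parse_challenge(prompt)
    return otp_md5(passphrase, seed, sequence)

def server_accepts(stored_last_otp: str, candidate: str) -> bool:
    """Server-side check for the next login.

    The server keeps only the most recently accepted OTP (sequence N) and
    challenges the client for sequence N-1.  Hashing the candidate once must
    reproduce the stored value; on success the server replaces the stored
    value with the candidate, so a captured response cannot be replayed.
    """
    try:
        return _fold_md5(bytes.fromhex(candidate)).hex().upper() == stored_last_otp.upper()
    except ValueError:          # candidate is not valid hex
        return False

if __name__ == "__main__":
    # Constructed demonstration: the challenge shown in Figure 13 with the
    # sample password "test" from the text (assumes the MD5 variant).
    print(response_for("s/key 89 gf55236", "test"))
```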

Troubleshooting AAA and RADIUS/HWTACACS Protocols

Troubleshooting the RADIUS Protocol

The RADIUS protocol of the TCP/IP protocol suite is located at the application layer. It mainly specifies how user information is exchanged between a NAS and the RADIUS server of an ISP, so faults in this exchange are common.

■ Symptom 1: User authentication/authorization always fails

Troubleshooting:

Check that:

1 The username is in the userid@isp-name format or a default ISP domain is specified on the NAS.

2 The user exists in the database on the RADIUS server.

3 The password input by the user is correct.

4 The same shared key is configured on both the RADIUS server and the NAS.

5 The NAS can communicate with the RADIUS server (by pinging the RADIUS server).

■ Symptom 2: RADIUS packets cannot reach the RADIUS server.

Troubleshooting:


Check that:

1 The communication links (at both physical and link layers) between the NAS and the RADIUS server work well.

2 The IP address of the RADIUS server is correctly configured on the NAS.

3 Authentication/Authorization and accounting UDP ports are set in consistency with the port numbers set on the RADIUS server.

■ Symptom 3: A user passes the authentication and gets an authorization already, but its charging bill cannot be sent to the RADIUS server.

Troubleshooting:

Check that:

1 The accounting port number is correctly set.

2 The authentication/authorization and accounting servers are correctly configured on the NAS. For example, the fault can occur in the situation where one server is configured on the NAS to provide all the services of authentication/authorization and accounting, despite the fact that different server devices are used to provide the services.

Troubleshooting the HWTACACS Protocol

See the previous section if you encounter a HWTACACS fault.


5 ACL CONFIGURATION

Introduction to ACL

ACL Overview

In order to filter data packets, a series of rules must be configured on the security gateway to decide which packets may pass. These rules are defined in an ACL (Access Control List), a series of sequential rules consisting of permit and deny statements. The rules are described by the source address, destination address and port number of data packets. The ACL classifies data packets according to these rules, which are applied to security gateway interfaces; based on them, the security gateway decides which packets are received and which are rejected.

Classification of ACL

According to application purpose, ACLs fall into four groups:

■ Basic ACL

■ Advanced ACL

■ Interface-based ACL

■ MAC-based ACL

The application purpose of ACL is specified by the range of the number. Interface-based ACL ranges from 1,000 to 1,999; basic ACL ranges from 2,000 to 2,999; advanced ACL ranges from 3,000 to 3,999; and MAC-based ACL ranges from 4,000 to 4,999.

Match Order of ACL

An access control rule may consist of several permit and deny statements, each specifying a different rule. When a packet is matched against such an access control rule, the question arises of which statement is matched first.

There are two kinds of match orders:

■ Configuration sequence: match ACL rules according to their configuration order.

■ Automatic sequencing: follow the principle of "depth priority".

The "depth priority" rule puts the statement that specifies the smallest packet range first. This is determined by comparing address wildcards: the smaller the wildcard, the smaller the host range specified. For example, 129.102.1.1 0.0.0.0 specifies a single host, 129.102.1.1, while 129.102.1.1 0.0.255.255 specifies a network segment, from 129.102.1.1 to 129.102.255.255. Obviously, the former is put first in the access control rule. The detailed standard is: for statements of a basic access control rule, directly compare their source address wildcards; if the wildcards are the same, arrange the statements according to configuration sequence. For interface-based access control rules, put the rule configured with "any" last and arrange the others according to configuration sequence. For advanced access control rules, compare their source address wildcards first; if they are the same, compare their destination address wildcards; if those are also the same, compare their port number ranges, putting those with smaller ranges first. If the port number ranges are still the same, arrange them according to configuration sequence.

The display acl command can be used to verify which rule takes effect first. Upon the display, the rule that is listed first takes effect first.

ACL Creation

An ACL is essentially a list of rules consisting of permit and deny statements; several such rule lists make up an ACL. Before configuring the rules of an ACL, you need to create the ACL first.

The following command can be used to create an ACL:

acl number acl-number [ match-order { config | auto } ]

The following command can be used to delete an ACL:

undo acl { number acl-number | all }

Parameter description:

■ number acl-number: Specify an ACL.

■ acl-number: Number of the ACL. An interface-based ACL takes a value in the range 1,000 to 1,999, a basic ACL in the range 2,000 to 2,999, an advanced ACL in the range 3,000 to 3,999, and a MAC-based ACL in the range 4,000 to 4,999.

■ match-order config: Specify to match rules according to configuration sequence of the user.

■ match-order auto: Specify to match rules by system automatic sequencing, namely in "depth priority" sequence.

■ all: Delete all configured ACL.

By default, the match order is the configuration sequence of the user, that is, config is in use. Once the match order of an ACL has been specified, it cannot be changed unless all the contents of the ACL are deleted and the match order is specified again.

ACL view can be entered after an ACL is created. ACL view is classified according to the application purpose of ACL. For example, advanced ACL view can be entered by creating ACL 3000. The following is the security gateway prompt:

[secblade_FW-acl-adv-3000]

After entering the ACL view, you can configure ACL rules. The rules of different ACLs are different. The detailed configuration method of each ACL rule will be introduced respectively in the following sections.

Basic ACL

A basic ACL can use only source address information as the element for defining its rules. A basic ACL can be created, and basic ACL view entered, by the acl command described above. In basic ACL view, the rules of the basic ACL can be created.

The following command can be used to define a basic ACL rule:

rule [ rule-id ] { permit | deny } [ source source-addr source-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ]

Parameter description:

■ rule-id: Optional. Number of the ACL rule, in the range 0 to 65,534. If a rule with the specified number already exists, the new rule overwrites it, which amounts to editing the existing rule. If you want to edit an existing ACL rule, you are recommended to delete the existing rule and then create a new one; otherwise the edited rule may not be the ACL rule you expect. If no rule with the specified number exists, a new rule is created with that number. If the number is not specified, a new rule is added and the system assigns a number to it automatically.

■ permit: Permits qualified data packet.

■ deny: Discards qualified data packet.

■ source: Optional parameter, used to specify the source address information of the ACL rule. If it is not specified, packets with any source address match.

■ source-addr: Source address of data packet, in dotted decimal.

■ source-wildcard: Wildcard of source address, in dotted decimal.

■ any: Represents any source address. It is equivalent to setting the source address to 0.0.0.0 and the wildcard to 255.255.255.255.

■ time-range: Optional parameter, used to specify effective time range of ACL.

■ time-name: Name of ACL effective time range.

■ logging: Optional parameter, indicating whether to log matching packets. The log content includes the sequence number of the access control rule, whether the packet was permitted or discarded, and the number of packets.

■ fragment: Optional parameter, specifying that the rule is valid only for non-first fragments. When this parameter is included, the rule is applied only to non-first fragments.

When an existing ACL rule is edited by specifying its rule number, the parts of the rule that are not mentioned in the new command are not affected. For example:

First configure an ACL rule:

rule 1 deny source 1.1.1.1 0

Then edit the ACL rule:

rule 1 deny logging

Then, the ACL rule becomes:

rule 1 deny source 1.1.1.1 0 logging


The following command can be used to delete a basic ACL rule:

undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ]

Parameter description:

■ rule-id: Number of the ACL rule, which must be an existing rule number. If no further parameter follows, the entire rule is deleted; otherwise only the specified part of the rule is deleted.

■ source: Optional parameter. Deletes only the source address setting of the rule with the corresponding number.

■ time-range: Optional parameter. Deletes only the effective time range setting of the rule with the corresponding number.

■ logging: Optional parameter. Deletes only the logging setting of the rule with the corresponding number.

■ fragment: Optional parameter. Deletes only the non-first-fragment restriction of the rule with the corresponding number.

Advanced ACL

An advanced ACL can define rules using such contents of the data packet as source address information, destination address information, the protocol type carried by IP, and protocol-specific features (for example, the source and destination ports of TCP, or the type and code of ICMP). Advanced ACLs can therefore define more accurate, diversified and flexible rules than basic ACLs.

An advanced ACL can be created, and advanced ACL view entered, by the previously mentioned acl command. In advanced ACL view, the rules of the advanced ACL can be created.

The following command can be used to define an advanced ACL rule:

rule [ rule-id ] { permit | deny } protocol [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-message | icmp-type icmp-code } ] [ dscp dscp ] [ established ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ]

Parameter description:

■ rule-id: Optional. Number of the ACL rule, in the range 0 to 65,534. If a rule with the specified number already exists, the new rule overwrites it, which amounts to editing the existing rule. If you want to edit an existing ACL rule, you are recommended to delete the existing rule and then create a new one; otherwise the edited rule may not be the ACL rule you expect. If no rule with the specified number exists, a new rule is created with that number. If the number is not specified, a new rule is added and the system assigns a number to it automatically.

■ deny: Discard qualified data packet.

■ permit: Permit qualified data packet.


■ protocol: Protocol type carried by IP, represented by name or number. The number ranges from 1 to 255. The name can be gre, icmp, igmp, ip, ipinip, ospf, tcp or udp.

■ source: Optional parameter, used to specify the source address information of the ACL rule. If it is not configured, packets with any source address match.

■ source-addr: Source address of the data packet, in dotted decimal.

■ source-wildcard: Wildcard of the source address, in dotted decimal.

■ destination: Optional parameter, used to specify the destination address information of the ACL rule. If it is not configured, packets with any destination address match.

■ dest-addr: Destination address of the data packet, in dotted decimal.

■ dest-wildcard: Wildcard of the destination address, in dotted decimal.

■ any: Represents all source or destination addresses. It is equivalent to setting the source or destination address to 0.0.0.0 and the wildcard to 255.255.255.255.

■ icmp-type: Optional parameter, used to specify the ICMP message type and code to match; valid only when the protocol of the rule is ICMP. If it is not configured, ICMP packets of any type match.

■ icmp-type: ICMP packets can be filtered according to the ICMP message type, a number ranging from 0 to 255.

■ icmp-code: ICMP packets filtered by message type can also be filtered by message code, a number ranging from 0 to 255.

■ icmp-message: ICMP packets can be filtered according to the name of an ICMP message type, or the name of an ICMP message type and code combination.

■ source-port: Optional parameter, used to specify the source port information of a TCP or UDP packet; valid only when the specified protocol is TCP or UDP. If it is not specified, TCP/UDP packets with any source port match.

■ destination-port: Optional parameter, used to specify the destination port information of a TCP or UDP packet; valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, TCP/UDP packets with any destination port match.

■ operator: Optional parameter. The operator used to compare the source or destination port number: lt (less than), gt (greater than), eq (equal to), neq (not equal to) and range (between). Only range takes two port numbers; the other operators take one.

■ port1, port2: Optional parameter. TCP or UDP port number, represented by name or number; numbers range from 0 to 65,535.

■ dscp dscp: Specifies the DSCP field (the DS byte of the IP packet). This keyword is mutually exclusive with the precedence keyword and the tos keyword.

■ established: Matches TCP packets with the ACK or RST flag set, that is, SYN+ACK, ACK, FIN+ACK, RST and RST+ACK packets.

■ precedence: Optional parameter. Filters packets according to the precedence field: a number ranging from 0 to 7 or a name. This keyword is mutually exclusive with the dscp keyword.


■ tos tos: Optional parameter. Data packet can be filtered according to service type field. A number ranging from 0 to 15 or a name. This keyword is mutually exclusive with the dscp keyword.

■ logging: Optional parameter, indicating whether to log qualified data packet. The log contents include sequence number of ACL, data packet permitted/discarded, upper layer protocol type over IP, source/destination address, source/destination port number, and the number of data packets.

■ time-range time-name: The ACL rule is valid in the time range.

■ fragment: Used to specify whether the rule is only valid for non-first-fragment. When this parameter is included, it indicates the rule is only valid for non-first-fragment.

The ToS value occupies the fourth to the seventh bit of the ToS byte, counting from left to right (four bits in all), and ranges from 0 to 15, as shown in Figure 14. The real value carried in the byte, however, ranges from 0 to 30.

Figure 14 The ToS field in ACL

When you use the ToS value in the ping command, the ToS value must be twice the value configured in the ACL (for an ACL value such as 1, use 2). Only in this way can the ping command be used to test the ToS value configured in the ACL.
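As an added illustration of the bit layout and the ping relationship just described (this is example code, not from the 3Com guide or the switch software), the following Python functions assemble and take apart the ToS byte. The function names are assumptions for this example; the layout used is the standard IPv4 ToS byte: three precedence bits, the four-bit ToS field, and one unused low bit.

```python
# Added example (not from the 3Com guide): the 4-bit tos value of an ACL rule sits in bits 4-7 of
# the ToS byte counted from the left, i.e. bits 4..1 counted from the least significant end, with
# bit 0 unused. That is why the byte value is always twice the ACL value and ranges over 0..30.


def tos_byte(precedence: int, tos: int) -> int:
    """Assemble a ToS byte: precedence (0-7) in the top three bits, the ACL tos value (0-15)
    in the next four bits, and the least significant bit left at zero."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0..7")
    if not 0 <= tos <= 15:
        raise ValueError("tos must be 0..15")
    return (precedence << 5) | (tos << 1)


def acl_tos_from_byte(byte: int) -> int:
    """The value an ACL 'tos' rule compares against: bits 4..1 of the byte (0-15)."""
    return (byte >> 1) & 0x0F


def precedence_from_byte(byte: int) -> int:
    """The value an ACL 'precedence' rule compares against: the top three bits (0-7)."""
    return (byte >> 5) & 0x07


def dscp_from_byte(byte: int) -> int:
    """The value an ACL 'dscp' rule compares against: the top six bits (0-63). They overlap
    both the precedence and the tos fields, which is why dscp excludes the other two keywords."""
    return (byte >> 2) & 0x3F


def ping_tos_for_acl(tos: int) -> int:
    """ToS value to give the ping command so the packet matches 'tos <tos>' with precedence 0:
    twice the configured ACL value, e.g. 2 for an ACL tos of 1."""
    return tos_byte(0, tos)
```

Round-tripping every ACL value 0..15 through ping_tos_for_acl and acl_tos_from_byte returns the original value, and the same byte decodes to consistent precedence, tos and dscp values, which shows why a rule cannot specify dscp together with either of the other two.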

When an existing ACL rule is edited by specifying its rule number, the parts of the rule that are not mentioned in the new command are not affected. For example:

First configure an ACL rule:

rule 1 deny ip source 1.1.1.1 0

Then edit the ACL rule:

rule 1 deny ip destination 2.2.2.1 0

Then, the ACL rule becomes:

rule 1 deny ip source 1.1.1.1 0 destination 2.2.2.1 0

The following command can be used to delete an advanced ACL rule:

undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ dscp ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]

Parameter description:


■ rule-id: Number of the ACL rule, which must be an existing rule number. If no further parameter follows, the entire rule is deleted; otherwise only the specified part of the rule is deleted.

■ source: Optional parameter. Deletes only the source address setting of the rule with the corresponding number.

■ destination: Optional parameter. Deletes only the destination address setting of the rule with the corresponding number.

■ source-port: Optional parameter. Deletes only the source port setting of the rule with the corresponding number. Valid only when the protocol of the rule is TCP or UDP.

■ destination-port: Optional parameter. Deletes only the destination port setting of the rule with the corresponding number. Valid only when the protocol of the rule is TCP or UDP.

■ icmp-type: Optional parameter. Deletes only the ICMP type and message code setting of the rule with the corresponding number. Valid only when the protocol of the rule is ICMP.

■ dscp: Optional parameter. Deletes only the DSCP setting of the rule with the corresponding number.

■ precedence: Optional parameter. Deletes only the precedence setting of the rule with the corresponding number.

■ tos: Optional parameter. Deletes only the tos setting of the rule with the corresponding number.

■ time-range: Optional parameter. Deletes only the effective time range setting of the rule with the corresponding number.

■ logging: Optional parameter. Deletes only the logging setting of the rule with the corresponding number.

■ fragment: Optional parameter. Deletes only the non-first-fragment restriction of the rule with the corresponding number.

Only the TCP and UDP protocols take a port range. The supported operators and their syntax are listed in Table 58.

When specifying a port number, a mnemonic can be used in place of the actual number for some common ports. The supported mnemonics are shown in Table 59.

Table 58 Operator meaning of advanced ACL

Operator and grammar             Meaning
eq portnumber                    Equal to portnumber
gt portnumber                    Greater than portnumber
lt portnumber                    Less than portnumber
neq portnumber                   Not equal to portnumber
range portnumber1 portnumber2    Between portnumber1 and portnumber2


Table 59 Port number mnemonics

Protocol   Mnemonic      Meaning and actual value
TCP        bgp           Border Gateway Protocol (179)
TCP        chargen       Character generator (19)
TCP        cmd           Remote commands (rcmd, 514)
TCP        daytime       Daytime (13)
TCP        discard       Discard (9)
TCP        domain        Domain Name Service (53)
TCP        echo          Echo (7)
TCP        exec          Exec (rsh, 512)
TCP        finger        Finger (79)
TCP        ftp           File Transfer Protocol (21)
TCP        ftp-data      FTP data connections (20)
TCP        gopher        Gopher (70)
TCP        hostname      NIC hostname server (101)
TCP        irc           Internet Relay Chat (194)
TCP        klogin        Kerberos login (543)
TCP        kshell        Kerberos shell (544)
TCP        login         Login (rlogin, 513)
TCP        lpd           Printer service (515)
TCP        nntp          Network News Transport Protocol (119)
TCP        pop2          Post Office Protocol v2 (109)
TCP        pop3          Post Office Protocol v3 (110)
TCP        smtp          Simple Mail Transport Protocol (25)
TCP        sunrpc        Sun Remote Procedure Call (111)
TCP        syslog        Syslog (514)
TCP        tacacs        TAC Access Control System (49)
TCP        talk          Talk (517)
TCP        telnet        Telnet (23)
TCP        time          Time (37)
TCP        uucp          Unix-to-Unix Copy Program (540)
TCP        whois         Nicname (43)
TCP        www           World Wide Web (HTTP, 80)
UDP        biff          Mail notify (512)
UDP        bootpc        Bootstrap Protocol Client (68)
UDP        bootps        Bootstrap Protocol Server (67)
UDP        discard       Discard (9)
UDP        dns           Domain Name Service (53)
UDP        dnsix         DNSIX Security Attribute Token Map (90)
UDP        echo          Echo (7)
UDP        mobilip-ag    MobileIP-Agent (434)
UDP        mobilip-mn    MobilIP-MN (435)
UDP        nameserver    Host Name Server (42)
UDP        netbios-dgm   NETBIOS Datagram Service (138)
UDP        netbios-ns    NETBIOS Name Service (137)
UDP        netbios-ssn   NETBIOS Session Service (139)
UDP        ntp           Network Time Protocol (123)
UDP        rip           Routing Information Protocol (520)
UDP        snmp          SNMP (161)
UDP        snmptrap      SNMPTRAP (162)
UDP        sunrpc        SUN Remote Procedure Call (111)
UDP        syslog        Syslog (514)
UDP        tacacs-ds     TACACS-Database Service (65)
UDP        talk          Talk (517)
UDP        tftp          Trivial File Transfer (69)
UDP        time          Time (37)
UDP        who           Who (513)
UDP        xdmcp         X Display Manager Control Protocol (177)

For ICMP, the ICMP packet type can be specified. By default all ICMP packets match. The ICMP packet type can be given as a number (ranging from 0 to 255) or as a mnemonic (see Table 60).


Table 60 Mnemonics of ICMP packet type

Mnemonic               Meaning
echo                   Type=8, Code=0
echo-reply             Type=0, Code=0
fragmentneed-DFset     Type=3, Code=4
host-redirect          Type=5, Code=1
host-tos-redirect      Type=5, Code=3
host-unreachable       Type=3, Code=1
information-reply      Type=16, Code=0
information-request    Type=15, Code=0
net-redirect           Type=5, Code=0
net-tos-redirect       Type=5, Code=2
net-unreachable        Type=3, Code=0
parameter-problem      Type=12, Code=0
port-unreachable       Type=3, Code=3
protocol-unreachable   Type=3, Code=2
reassembly-timeout     Type=11, Code=1
source-quench          Type=4, Code=0
source-route-failed    Type=3, Code=5
timestamp-reply        Type=14, Code=0
timestamp-request      Type=13, Code=0
ttl-exceeded           Type=11, Code=0

By configuring the firewall with appropriate access rules, the user has IP packets passing through the security gateway checked by packet filtering, and packets that the user does not want to pass the security gateway are dropped. Thus network security is protected.

Interface-Based ACL

An interface-based ACL is a special kind of ACL whose rules are specified according to the interface on which packets are received.

An interface-based ACL can be created, and interface-based ACL view entered, by the previously mentioned acl command. In interface-based ACL view, the rules of the interface-based ACL can be created.

The following command can be used to define an interface-based ACL rule:

rule [ rule-id ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] [ logging ]

Parameter description:

■ rule-id: Optional. Number of the ACL rule, in the range 0 to 65,534. If a rule with the specified number already exists, the new rule overwrites it, which amounts to editing the existing rule. If you want to edit an existing ACL rule, you are recommended to delete the existing rule and then create a new one; otherwise the edited rule may not be the ACL rule you expect. If no rule with the specified number exists, a new rule is created with that number. If the number is not specified, a new rule is added and the system assigns a number to it automatically.

■ deny: Discards qualified data packet.

■ permit: Permits qualified data packet.

■ interface interface-type interface-number: Specifies the interface on which the packets are received. If no interface is specified, all interfaces can be matched; any represents all interfaces.

■ logging: Optional parameter, indicating whether to log qualified packet. Log contents include sequence number of ACL rule, packet permitted or discarded and the number of data packets.

■ time-range time-name: Optional, specifies the time range in which the rule is valid.

The following command can be used to delete an interface-based ACL rule:

undo rule rule-id [ logging ] [ time-range ]

Parameter description:

■ rule-id: Number of ACL rule, which must be an existing ACL rule number.

■ logging: Optional, indicating whether to log matched packets. The log contents include sequence number of ACL rule, packets permitted or discarded, upper layer protocol type over IP, source/destination address, source/destination port number, and number of packets.

■ time-range: Optional, specifies the time range in which the rule is valid.

MAC-Based ACL

MAC-based ACLs are numbered in the range 4,000 to 4,999.

You can use the following command to configure a MAC-based ACL rule:

rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ] [ time-range time-name ] [ logging ]

The parameters are described as follows:

rule-id represents a rule number.

type-code is a hexadecimal number in the format of xxxx, used for matching the protocol type of the transmitted packets.

type-mask represents the wildcard for the protocol type. For type-code values, refer to the chapter that discusses bridge configuration in the link layer protocol part of this manual.

lsap-code is a hexadecimal number in the format xxxx, used for matching the encapsulation format of bridged packets on an interface. lsap-mask represents the wildcard of the protocol type.


sour-addr represents the source MAC address of a data frame in the format of xxxx-xxxx-xxxx. sour-mask represents the wildcard of the source MAC address.

dest-addr represents the destination MAC address in the format of xxxx-xxxx-xxxx. dest-mask represents the wildcard of the destination MAC address.

The following command can be used to delete a MAC-based ACL rule:

undo rule rule-id [ time-range time-name ] [ logging ]

The parameters are described as follows:

rule-id: ACL rule number, which must exist already.

ACL Supporting Fragment

Traditional packet filtering does not process all IP packet fragments. Rather, it matches only the first fragment and lets all follow-up fragments through. This leaves a security hole, because an attacker can construct follow-up fragments to carry out a traffic attack.

The packet filtering of the 3Com security gateway provides fragment filtering: it performs Layer 3 (IP layer) matching and filtering on all fragments, and for ACL rule entries that contain advanced information (such as TCP/UDP port numbers and ICMP types) it provides two kinds of matching, normal matching and exact matching. Normal matching matches Layer 3 information only and ignores non-Layer 3 information. Exact matching matches all the information in the ACL entry, which requires the firewall to record the state of the first fragment so that complete matching information is available for the follow-up fragments. If exact matching is used, make sure you disable fast forwarding with the undo ip fast-forwarding command on the corresponding interface. The default mode is normal matching.

The keyword fragment in an ACL rule entry indicates that the rule is valid only for non-first fragments; for non-fragmented packets and first fragments the rule is ignored. By contrast, a rule entry that does not contain this keyword is valid for all packets.

For example:

[3Com-acl-basic-2000] rule deny source 202.101.1.0 0.0.0.255 fragment
[3Com-acl-basic-2000] rule permit source 202.101.2.0 0.0.0.255
[3Com-acl-adv-3001] rule permit ip destination 171.16.23.1 0 fragment
[3Com-acl-adv-3001] rule deny ip destination 171.16.23.2 0

All four rule entries above apply to non-first fragments. The first and the third entries are ignored for non-fragmented packets and first fragments; they apply only to non-first fragments.
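Both the "Match Order of ACL" discussion earlier in this chapter and the fragment example just given are modelled by the following Python code. It is an added example, not code from the 3Com guide or the switch software: it implements wildcard matching, config versus auto (depth priority) ordering, the port operators of Table 58, and the fragment keyword under normal (Layer 3 only) matching. The Rule, Packet and Acl names, the ACL numbers 3002 to 3004 and the test packets are constructed for illustration, and a packet that matches no rule is reported as "no-match" rather than given an action, because what happens to such packets is decided by the firewall that applies the ACL, which this chapter does not cover.

```python
# Added example, not code from the 3Com guide: a Python model of the ACL semantics this chapter
# describes. ACL numbers, rules and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword: address 0.0.0.0, wildcard 255.255.255.255


def ip_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard is 'don't care', a 0 bit must match exactly."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)


def port_matches(op: str, p1: int, p2: Optional[int], port: int) -> bool:
    """Operators of Table 58: eq, gt, lt and neq take one port number, range takes two."""
    hi = p2 if p2 is not None else p1
    return {"eq": port == p1, "gt": port > p1, "lt": port < p1,
            "neq": port != p1, "range": p1 <= port <= hi}[op]


def port_span(op: str, p1: int, p2: Optional[int]) -> int:
    """Number of ports a port condition admits; depth priority orders the narrower span first."""
    hi = p2 if p2 is not None else p1
    return {"eq": 1, "neq": 65535, "gt": 65535 - p1, "lt": p1, "range": hi - p1 + 1}[op]


@dataclass
class Rule:
    action: str                                               # "permit" or "deny"
    src: Tuple[str, str] = ANY                                # (source address, source wildcard)
    dst: Tuple[str, str] = ANY                                # (destination address, destination wildcard)
    dport: Optional[Tuple[str, int, Optional[int]]] = None    # destination-port (operator, port1, port2)
    fragment: bool = False                                    # the fragment keyword: non-first fragments only
    seq: int = 0                                              # configuration sequence, set by Acl.add


@dataclass
class Packet:
    src: str
    dst: str
    dport: Optional[int] = None
    frag_offset: int = 0        # 0: non-fragment or first fragment; > 0: non-first fragment


class Acl:
    def __init__(self, number: int, match_order: str = "config"):
        self.number, self.match_order, self.rules = number, match_order, []

    def add(self, rule: Rule) -> "Acl":
        rule.seq = len(self.rules)
        self.rules.append(rule)
        return self

    def ordered(self) -> List[Rule]:
        """config: configuration order. auto ("depth priority"): smaller source wildcard first,
        then smaller destination wildcard, then narrower port range, then configuration order."""
        if self.match_order == "config":
            return list(self.rules)
        return sorted(self.rules, key=lambda r: (
            int(IPv4Address(r.src[1])), int(IPv4Address(r.dst[1])),
            port_span(*r.dport) if r.dport else 65536, r.seq))

    @staticmethod
    def matches(rule: Rule, pkt: Packet) -> bool:
        if rule.fragment and pkt.frag_offset == 0:
            return False    # a fragment rule is skipped for non-fragments and first fragments
        if not (ip_matches(pkt.src, *rule.src) and ip_matches(pkt.dst, *rule.dst)):
            return False
        # Normal matching: Layer 4 information is checked only where the packet carries it
        # (non-fragments and first fragments); non-first fragments are matched on Layer 3 only.
        if rule.dport and pkt.frag_offset == 0:
            if pkt.dport is None or not port_matches(*rule.dport, pkt.dport):
                return False
        return True

    def decide(self, pkt: Packet) -> str:
        """Action of the first rule that matches in match order, or 'no-match'."""
        for rule in self.ordered():
            if self.matches(rule, pkt):
                return rule.action
        return "no-match"


def fragment_example() -> Tuple[Acl, Acl]:
    """The two ACLs of the fragment example in the text: basic ACL 2000 and advanced ACL 3001."""
    acl2000 = (Acl(2000).add(Rule("deny", src=("202.101.1.0", "0.0.0.255"), fragment=True))
                        .add(Rule("permit", src=("202.101.2.0", "0.0.0.255"))))
    acl3001 = (Acl(3001).add(Rule("permit", dst=("171.16.23.1", "0.0.0.0"), fragment=True))
                        .add(Rule("deny", dst=("171.16.23.2", "0.0.0.0"))))
    return acl2000, acl3001


def match_order_example() -> Tuple[str, str]:
    """A network rule configured before a host rule (the wildcards of the match-order text):
    config order hits the network rule first, auto order puts the host rule first."""
    def build(number: int, order: str) -> Acl:
        return (Acl(number, order).add(Rule("deny", src=("129.102.1.1", "0.0.255.255")))
                                  .add(Rule("permit", src=("129.102.1.1", "0.0.0.0"))))
    pkt = Packet("129.102.1.1", "10.0.0.1")       # constructed packet from the single host
    return build(3002, "config").decide(pkt), build(3003, "auto").decide(pkt)
```

match_order_example() returns ("deny", "permit"): the same two rules give opposite results for the host 129.102.1.1 depending on the match order, which is the reason the text says the order can only be changed by clearing the ACL. With fragment_example(), a first fragment from 202.101.1.5 matches nothing in ACL 2000 while a non-first fragment from the same host is denied, and a rule carrying a destination-port condition still matches a non-first fragment on its Layer 3 fields alone under normal matching.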

Configuring an ACL

ACL configuration includes:

■ Configure a basic ACL

■ Configure an advanced ACL

■ Configure an interface-based ACL

■ Configure a MAC-based ACL


■ Add description to an ACL

■ Add comment to an ACL rule

■ Delete an ACL

Configuring a Basic ACL

Perform the following configuration.

Table 61 Configure a basic ACL

Operation                                    Command
Create a basic ACL in system view.           acl number acl-number [ match-order { config | auto } ]
Configure an ACL rule in basic ACL view.     rule [ rule-id ] { permit | deny } [ source source-addr source-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ]
Delete an ACL rule in basic ACL view.        undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ]

For a detailed introduction to the parameters, refer to "Basic ACL" above.

Configuring an Advanced ACL

Perform the following configuration.

Table 62 Configure an advanced ACL

Operation                                       Command
Create an advanced ACL in system view.          acl number acl-number [ match-order { config | auto } ]
Configure an ACL rule in advanced ACL view.     rule [ rule-id ] { permit | deny } protocol [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-message | icmp-type icmp-code } ] [ precedence precedence ] [ dscp dscp ] [ established ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ]
Delete an ACL rule in advanced ACL view.        undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ dscp ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]

Configuring an Interface-Based ACL

Perform the following configuration.

Table 63 Configure an interface-based ACL

Operation                                              Command
Create an interface-based ACL in system view.          acl number acl-number [ match-order { config | auto } ]
Configure an ACL rule in interface-based ACL view.     rule [ rule-id ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] [ logging ]
Delete an ACL rule in interface-based ACL view.        undo rule rule-id [ time-range ] [ logging ]

You can specify an interface by its type and number, or all interfaces with the any keyword.

Configuring a MAC-Based ACL

Perform the following configuration.

Table 64 Configure a MAC-based ACL

Operation                                       Command
Create a MAC-based ACL in system view.          acl number acl-number
Configure an ACL rule in MAC-based ACL view.    rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ] [ time-range time-name ] [ logging ]
Delete an ACL rule in MAC-based ACL view.       undo rule rule-id [ time-range time-name ] [ logging ]

Adding Description to an ACL

You can add a description to an ACL as a reminder of its purpose.

Perform the following configuration in ACL view.

Table 65 Add description to an ACL

Operation                       Command
Add description to an ACL.      description text
Remove the description.         undo description

An ACL description contains up to 127 characters.

Adding Comment to an ACL Rule

You can add a comment to an ACL rule as a reminder of its purpose.

Perform the following configuration in ACL view.

Table 66 Add comment to an ACL rule

Operation                            Command
Add comment to an ACL rule.          rule rule-id comment text
Remove the comment of an ACL rule.   undo rule rule-id comment

The comment of an ACL rule contains up to 128 characters.

Deleting an ACL

Perform the following configuration in system view.

Table 67 Delete an ACL

Operation        Command
Delete an ACL.   undo acl { number acl-number | all }

Configuring Time Range

Time range configuration includes:

■ Create/Delete a time range

Creating/Deleting a Time Range

This configuration task creates a time range, or several time ranges with the same name.

Perform the following configuration in system view.

Table 68 Configure time range

Operation               Command
Create a time range.    time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]
Delete a time range.    undo time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]

Displaying and Debugging ACL

After the above configuration, execute the display command in any view to display the running ACL configuration and verify the effect of the configuration. Execute the reset command in user view to reset the ACL counters.

Table 69 Display and debug ACL

Operation                             Command
Display the configured ACL rules.     display acl { all | acl-number }
Display information on time ranges.   display time-range { all | time-name }
Reset ACL counters.                   reset acl counter { all | acl-number }

Typical Configuration Examples of ACL

Refer to the typical configuration examples in the part about packet filtering firewall.


6

NAT CONFIGURATION

NAT Overview

Introduction to NAT

As described in RFC1631, Network Address Translation (NAT) translates the IP address in an IP packet header into another IP address; in practice it is mainly used to let a private network access an external network. NAT slows the depletion of the IP address space by using a few public IP addresses to represent many private IP addresses.

Note: A private address is the address of a network or host on an intranet, whereas a public address is a globally unique IP address on the Internet.

RFC1918 reserves the following IP address ranges for private use:

Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)

Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)

Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

Addresses in these three ranges are never assigned on the Internet, so a company or enterprise can use them on its intranet without requesting them from an ISP or a registry.

A basic NAT application is shown in the following figure.

Figure 15 Network diagram for basic processes of address translation

[Figure 15: PC 192.168.1.3 and server 192.168.1.2 on the private network; NAT server with inside address 192.168.1.1 and outside address 202.169.10.1; external servers 202.120.10.2 and 202.120.10.3 on the Internet. Data packet 1 leaves the PC with source 192.168.1.3 and destination 202.120.10.2 and is forwarded with source 202.169.10.1; data packet 2 returns with destination 202.169.10.1 and is delivered with destination 192.168.1.3.]

A NAT server such as the security gateway is located at the boundary between the private network and the public network. When the internal PC at 192.168.1.3 sends data packet 1 to the external server at 202.120.10.2, the packet traverses the NAT server. The NAT server checks the packet header. If the destination address in the header is an extranet address, the server translates the source address 192.168.1.3 into a valid public Internet address, 202.169.10.1, forwards the packet to the external server and records the mapping in the network address translation list. The external server sends response packet 2 (destination 202.169.10.1) to the NAT server. After looking up the network address translation list, the NAT server replaces the destination address in the header of packet 2 with the original private address of the internal PC, 192.168.1.3.

The NAT process described above is transparent to the terminals, such as the PC and the server in the figure. NAT "hides" the private network of an enterprise, because the external server regards 202.169.10.1 as the IP address of the internal PC and is unaware that 192.168.1.3 exists.

The main benefit NAT offers is easy access to outside resources for intranet hosts while keeping the inner hosts private. NAT also has drawbacks:

■ Because NAT must rewrite the IP addresses of data packets, the address-related parts of the packet cannot be encrypted. For example, an encrypted FTP connection cannot be used, because the FTP port information could not be translated correctly.

■ Network debugging becomes more difficult. For instance, when an internal host attacks other networks, it is hard to identify which computer is malicious, because the host's IP address is hidden.

Functions Provided by NAT

Many-to-Many Address Translation and Address Translation Control

As shown in Figure 15, the source address of the intranet is translated into an appropriate extranet address (the public address of the outbound interface on the NAT server in the figure) via NAT. In this way, all hosts in the intranet share one extranet address when they access the external network. In other words, only one host can access the external network at a time even when there are many access requests, which is called "one-to-one address translation".

An extended form of NAT implements concurrent access: multiple public IP addresses are assigned to a NAT server. The NAT server assigns a public address IP1 to a requesting host, keeps a record in the address translation list and forwards the data packet, then assigns another public address IP2 to the next requesting host, and so on. This is called "many-to-many address translation".

Note: The number of public IP addresses on the NAT server is far smaller than the number of hosts in the intranet, because not all hosts access the extranet at the same time. The number of public IP addresses is determined by the maximum number of intranet hosts active at the network's peak time.

In practice, it may be required that only some intranet hosts can access the Internet (external network). In other words, the NAT server will not translate the source IP addresses of unauthorized hosts; this is called address translation control.


The security gateway implements many-to-many address translation and address translation control via the address pool and the ACL respectively.

■ Address pool: a set of public IP addresses for address translation. A user should configure an appropriate address pool according to the number of valid IP addresses, the number of internal hosts and the actual conditions. An address is selected from the pool as the source address during the translation process.

■ ACL-based address translation: only data packets matching the ACL rule are translated, which effectively limits the address translation range and allows only specific hosts to access the Internet.

NAPT

There is another way to implement concurrent access: Network Address Port Translation (NAPT), which allows multiple internal addresses to be mapped to the same public address. It can therefore informally be called "many-to-one address translation" or address multiplexing.

NAPT maps the IP addresses and port numbers of data packets from various internal addresses to the same public address with different port numbers. In this way, different internal addresses can share one public address.

The fundamentals of NAPT are shown in the following figure.

Figure 16 NAPT allowing multiple internal hosts to share a public address

[Figure 16: PC 192.168.1.3 and server 192.168.1.2 on the private network, NAT server 192.168.1.1 / 202.169.10.1, external servers 202.120.10.2 and 202.120.10.3. Translations shown: data packet 1 192.168.1.3:1537 to 202.169.10.1:1537; data packet 2 192.168.1.3:2468 to 202.169.10.1:2468; data packet 3 192.168.1.1:1111 to 202.169.10.1:1111; data packet 4 192.168.1.2:1111 to 202.169.10.1:2222.]

As shown in the above figure, four data packets from internal addresses arrive at the NAT server. Among them, packet1 and packet2 come from the same internal address with different source port numbers; packet3 and packet4 come from different internal addresses with an identical source port number. After the NAT mapping, all four packets are translated to the same public address with different source port numbers, so they remain distinguishable. For the response packets, the NAT server likewise tells them apart by destination address and port number and forwards each to the corresponding internal host.
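As an added illustration of the mapping Figure 16 describes (not code from the 3Com guide), the following Python models the NAPT translation list for the four packets and the reply path; the external server port and the spare port range are constructed values.

```python
"""NAPT translation as in Figure 16: several internal hosts share the public
address 202.169.10.1 and are told apart by the translated source port.

Added example (not code from the 3Com guide). The translation list is two
dicts; the addresses and ports are the ones shown in Figure 16.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_ADDR = "202.169.10.1"   # public address of the NAT server in Figure 16

Flow = Tuple[str, int]         # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Flow
    dst: Flow


class NaptTable:
    """Maps (inside addr, inside port) <-> (public addr, public port)."""

    def __init__(self, public_addr: str, first_spare_port: int = 2222) -> None:
        self.public_addr = public_addr
        self.out: Dict[Flow, Flow] = {}    # inside flow -> translated flow
        self.back: Dict[Flow, Flow] = {}   # translated flow -> inside flow
        self.next_port = first_spare_port  # constructed: first port handed out on a clash

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside-to-outside packet, reusing the
        mapping if this inside (addr, port) has been seen before."""
        if pkt.src not in self.out:
            translated = self._allocate(pkt.src[1])
            self.out[pkt.src] = translated
            self.back[translated] = pkt.src
        return Packet(src=self.out[pkt.src], dst=pkt.dst)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a response using the reverse table.
        Returns None when no mapping exists: a packet to the public address
        that no inside host asked for has nowhere to go and is dropped."""
        inside = self.back.get(pkt.dst)
        if inside is None:
            return None
        return Packet(src=pkt.src, dst=inside)

    def _allocate(self, wanted_port: int) -> Flow:
        """Keep the inside source port when it is still free on the public
        address (packets 1 to 3 in the figure); otherwise hand out a spare
        port (packet 4, whose port 1111 is already taken by packet 3)."""
        if (self.public_addr, wanted_port) not in self.back:
            return (self.public_addr, wanted_port)
        while (self.public_addr, self.next_port) in self.back:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return (self.public_addr, port)


def figure16_demo() -> dict:
    """Run the four packets of Figure 16, the reply to packet 4, and one
    unsolicited inbound packet. Returns {name: (before, after)}."""
    table = NaptTable(PUBLIC_ADDR)
    ext = ("202.120.10.2", 80)              # external server from the figure (port assumed)
    inside = [
        ("packet1", ("192.168.1.3", 1537)),
        ("packet2", ("192.168.1.3", 2468)),  # same host as packet1, other port
        ("packet3", ("192.168.1.1", 1111)),
        ("packet4", ("192.168.1.2", 1111)),  # other host, same port as packet3
    ]
    result = {}
    for name, src in inside:
        out = table.translate_outbound(Packet(src, ext))
        result[name] = (src, out.src)

    # The server answers packet 4 to 202.169.10.1:2222; it must reach 192.168.1.2:1111.
    reply = table.translate_inbound(Packet(ext, result["packet4"][1]))
    result["reply4"] = (result["packet4"][1], reply.dst if reply else None)

    # A packet to an unmapped public port is not forwarded inside.
    stray = Packet(("202.120.10.3", 4444), (PUBLIC_ADDR, 9999))
    result["unsolicited"] = (stray.dst, table.translate_inbound(stray))
    return result


if __name__ == "__main__":
    for name, (before, after) in figure16_demo().items():
        print(f"{name:<12} {before} -> {after}")
```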

Static Network Address Translation

This new static NAT approach converts internal host addresses in a specified range to the specified public network addresses (only the network part is converted; the host part is unchanged). When internal hosts access the outside network, their internal addresses are converted to public network addresses if they fall in the specified range. Accordingly, outside hosts can use the public network addresses to access the internal hosts directly, provided the internal addresses converted from those public addresses are in the specified range.

Static NAT creates a direct mapping between internal host addresses and public network addresses, and implements a function similar to that of an internal (NAT) server.

However, static NAT requires a large IP address space, since it holds a one-to-one mapping between internal host addresses and public network addresses. You can combine static and dynamic NAT as long as the addresses do not conflict.

Bidirectional Network Address Translation

Traditional NAT converts only the packet source or destination address, whereas bidirectional NAT converts both. This function is used where internal host addresses and public network addresses overlap. As shown in Figure 17, the address of the internal host PC1 overlaps with that of the host PC3 on the public network. If PC1 or PC2 then sends a packet to PC3, the packet is not forwarded to PC3 but delivered to PC1 by mistake. Bidirectional NAT guarantees correct forwarding by configuring a mapping from an overlap address pool to a temporary address pool on 3ComA (which also implements traditional NAT), so that the overlap address is converted to a unique temporary address.

Figure 17 Bidirectional NAT implementation

[Figure 17: intranet with PC1 and PC2 behind Switch 8800A; public network with a DNS server and PC3 (www.web.com); the addresses shown are 10.0.0.1/24 and 10.1.1.1/24.]

For example, to configure bidirectional NAT function on 3ComA, you can:

Step 1: Configure traditional NAT (many-to-many address conversion).

Configure the NAT address pool containing 200.0.0.1 to 200.0.0.100, and assign it to the WAN interface.

Step 2: Configure the mapping between a group of overlap and temporary addresses.

10.0.0.0 ←→ 3.0.0.0, with 24-bit subnet mask.

One overlap address pool corresponds to one temporary address pool. The conversion rule is as follows:


Temporary address = Start address of the temporary address pool + (overlap address - start address of the overlap address pool)

Overlap address = Start address of the overlap address pool + (temporary address - start address of the temporary address pool)

When PC2 accesses PC3 with the domain name, packets are processed as follows:

1 PC2 sends a DNS request for resolving www.web.com; the DNS server on the public network resolves the address; 3ComA receives the response packet from the DNS server. 3ComA checks the address 10.0.0.1 resolved from the response packet, and finds it is an overlap address, so it converts the overlap address to the 3.0.0.1 temporary address. 3ComA converts the destination address of the DNS response packet (traditional DNS processing) and sends the DNS response packet to PC2.

2 PC2 originates an access request with the temporary address 3.0.0.1, which corresponds to www.web.com. Upon receiving the packet, 3ComA first converts the source address of the packet (traditional DNS processing), and then converts the destination address (or temporary address) to the 10.0.0.1 overlap address.

3 3ComA sends the packet to its outgoing WAN interface, and the packet is forwarded over the WAN hop by hop to PC3.

4 When receiving the packet returned from PC3 to PC2, 3ComA checks the 10.0.0.1 source address, and finds it is an overlap address (listed in the overlap address pool), so it converts the overlap address to the 3.0.0.1 temporary address. 3ComA converts the destination address of the returned packet (traditional DNS processing) and sends the packet to PC2.
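The two conversion formulas and the DNS walk-through above, implemented as an added Python example that is not part of the guide; the handling of the pool-length and address-mask forms follows the syntax of the nat overlapaddress command as I read it.

```python
"""Overlap-to-temporary address mapping for bidirectional NAT, as added
example code (not from the 3Com guide). It implements the two formulas above
for the mapping 10.0.0.0 <-> 3.0.0.0 with a 24-bit mask and walks the DNS
answer (step 1) and the following request (step 2) seen by PC2.

Assumption: the pool size follows the nat overlapaddress command, given either
as pool-length or as an address-mask (a 24-bit mask covers 256 addresses).
"""
import ipaddress
from typing import Optional


class OverlapPool:
    """One overlap address pool and the temporary address pool it maps to."""

    def __init__(self, overlap_start: str, temp_start: str,
                 pool_length: Optional[int] = None,
                 address_mask: Optional[str] = None) -> None:
        if (pool_length is None) == (address_mask is None):
            raise ValueError("give exactly one of pool_length or address_mask")
        if address_mask is not None:
            # The mask covers the host part, so a /24 mask spans 2**8 addresses.
            pool_length = ipaddress.IPv4Network(f"0.0.0.0/{address_mask}").num_addresses
        self.overlap_start = int(ipaddress.IPv4Address(overlap_start))
        self.temp_start = int(ipaddress.IPv4Address(temp_start))
        self.length = pool_length

    def _offset(self, addr: str, start: int) -> int:
        return int(ipaddress.IPv4Address(addr)) - start

    def is_overlap(self, addr: str) -> bool:
        return 0 <= self._offset(addr, self.overlap_start) < self.length

    def is_temporary(self, addr: str) -> bool:
        return 0 <= self._offset(addr, self.temp_start) < self.length

    def to_temporary(self, overlap_addr: str) -> str:
        """Temporary address = temp pool start + (overlap address - overlap pool start)."""
        if not self.is_overlap(overlap_addr):
            raise ValueError(f"{overlap_addr} is not in the overlap address pool")
        off = self._offset(overlap_addr, self.overlap_start)
        return str(ipaddress.IPv4Address(self.temp_start + off))

    def to_overlap(self, temp_addr: str) -> str:
        """Overlap address = overlap pool start + (temporary address - temp pool start)."""
        if not self.is_temporary(temp_addr):
            raise ValueError(f"{temp_addr} is not in the temporary address pool")
        off = self._offset(temp_addr, self.temp_start)
        return str(ipaddress.IPv4Address(self.overlap_start + off))


def rewrite_dns_answer(pool: OverlapPool, answer_addr: str) -> str:
    """Step 1: 3ComA inspects the address in the DNS answer for PC2. An overlap
    address is replaced by its temporary address; any other answer passes."""
    return pool.to_temporary(answer_addr) if pool.is_overlap(answer_addr) else answer_addr


def rewrite_outbound_destination(pool: OverlapPool, dst_addr: str) -> str:
    """Step 2: PC2 sends to the temporary address it learned; 3ComA converts
    the destination back to the real (overlap) address before forwarding."""
    return pool.to_overlap(dst_addr) if pool.is_temporary(dst_addr) else dst_addr


def pc2_walkthrough() -> dict:
    """The www.web.com exchange from the text, with the /24 mapping above."""
    pool = OverlapPool("10.0.0.0", "3.0.0.0", address_mask="255.255.255.0")
    dns_answer = "10.0.0.1"                        # PC3's real address, overlapping PC1
    learned = rewrite_dns_answer(pool, dns_answer)
    forwarded_to = rewrite_outbound_destination(pool, learned)
    return {"dns_answer_seen_by_pc2": learned,           # 3.0.0.1
            "request_forwarded_to": forwarded_to,        # 10.0.0.1
            "unrelated_answer": rewrite_dns_answer(pool, "202.120.10.2")}


if __name__ == "__main__":
    print(pc2_walkthrough())
```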

Internal Server

NAT can "shield" internal hosts by hiding the architecture of the intranet. However, there are always times when you want to permit some hosts on external networks to access some hosts on the intranet, such as a WWW server or an FTP server. With NAT you can flexibly add servers on the intranet: for example, you can use 202.169.10.10 as the external address of the WWW server and 202.110.10.11 as the external address of the FTP server. Even 202.110.10.12:8080 can be used as the external address of the WWW server. Moreover, NAT can provide multiple identical servers, such as WWW servers, for external clients.

The NAT function on the security gateway makes some servers on the intranet available to some hosts on external networks. When a client on an external network accesses a server on the intranet, the NAT device translates the destination address in the request packet into the private address of the internal server, and translates the source address (a private address) in the response packet into the public address.

Easy IP

Easy IP uses the public IP address of an interface as the source address after address translation. It also controls the address translation based on an ACL.

NAT Application Level Gateway

NAT can break many NAT-sensitive protocols, so they need special processing. Some packets of these protocols carry IP addresses or port numbers in their payload, and without special processing the subsequent protocol exchange fails.


NAT application level gateway (ALG), a common solution to special protocol traversal, replaces the IP addresses and port numbers in payload based on NAT rules, and achieves transparent protocol relay. Currently, NAT ALG supports PPTP, DNS, FTP, ILS, NBT, H.323 and other protocols.

NAT Configuration

NAT configuration includes:

■ Configure address pool

■ Configure Easy IP

■ Configure static NAT

■ Configure many-to-many NAT

■ Configure NAPT

■ Configure internal server support

■ Configure NAT effective time (optional)

Configuring Address Pool

An address pool is a collection of consecutive IP addresses. When an internal data packet needs to reach an external network via NAT, an address from the pool is chosen as the source address. Perform the following configuration in system view.

CAUTION: An address pool cannot be removed while it is associated with an access control list for NAT.

Note: If Easy IP is the only function the security gateway uses, the address of the interface is used directly as the translated IP address and no NAT address pool is needed.

Configuring NAT

NAT is accomplished by associating an address pool with an ACL. The association relates the IP packets characterized by the ACL to the addresses defined in the address pool. When a packet is transferred from the inner network to the outer network, it is first filtered by the ACL; if the ACL lets it out, the association between the ACL and the address pool is used to find an address, which then serves as the translated address.

The configuration of ACLs is discussed in "ACL Configuration".

The configuration differs for each kind of NAT.

Table 70 Configure address pool

Operation                 Command
Define an address pool    nat address-group group-number start-addr end-addr
Delete an address pool    undo nat address-group group-number

Easy IP

The nat outbound command without the address-group parameter, that is, nat outbound acl-number, implements the "easy-ip" feature. When performing address translation, the IP address of the interface is used as the translated address, and the ACL can be used to control which addresses are translated.

Perform the following configuration in interface view.

Table 71 Configure Easy IP

Operation                                                      Command
Add association for access control list and address pool       nat outbound acl-number
Delete association for access control list and address pool    undo nat outbound acl-number

Associating ACL with Loopback interface address

Perform the following configuration in interface view.

The source address of data packets that match the ACL will be replaced with the IP address of the specified Loopback interface.

Table 72 Associate ACL with Loopback interface address

Operation                                                                Command
Associate the ACL with the specified Loopback interface address          nat outbound acl-number interface interface-type interface-number
Remove the association between the ACL and Loopback interface address    undo nat outbound acl-number interface interface-type interface-number

Configuring static NAT table

1 Configuring static one-to-one NAT table

Perform the following configuration in system view.

Table 73 Configure a one-to-one private-to-public address binding

Operation                                                           Command
Configure a one-to-one private-to-public address binding.           nat static ip-addr1 ip-addr2
Delete an existing one-to-one private-to-public address binding.    undo nat static ip-addr1 ip-addr2

2 Configuring static inside ip NAT table

Static NAT converts only the network addresses and leaves the host addresses unchanged.

Perform the following configuration in system view.

Table 74 Configure static inside ip NAT table

Operation                                       Command
Configure a static inside ip NAT table          nat static inside ip inside-start-address inside-end-address global global-address mask
Remove the existing static inside ip NAT table  undo nat static inside ip inside-start-address inside-end-address global global-address mask


The nat static inside ip and nat static commands create two different types of static NAT entries. Note that the two types must not conflict.

CAUTION: When configuring static inside ip NAT, make sure that the addresses after translation are not used by other devices in the network topology.

3 Applying static NAT entries on the interface

Perform the following configuration in interface view.

Table 75 Apply static NAT entries on the interface

Operation                                                    Command
Apply the configured static NAT entries on the interface     nat outbound static
Disable the configured static entries on the interface       undo nat outbound static

Configuring many-to-many NAT

Many-to-many NAT is accomplished by associating the ACL with the NAT address pool. With ACL-based address translation, only the data packets matching the ACL rule are translated, which effectively limits the address translation range and allows only specific hosts to access the Internet.

Perform the following configuration in interface view.

Table 76 Configure many-to-many NAT

Operation                                                      Command
Add association for access control list and address pool       nat outbound acl-number [ address-group group-number [ no-pat ] ]
Delete association for access control list and address pool    undo nat outbound acl-number [ address-group group-number [ no-pat ] ]

Configuring NAPT

When associating the ACL with the NAT address pool, the no-pat parameter means that only the IP address, not the port information, is translated, that is, the NAPT function is not used; omitting the no-pat parameter means the NAPT function is used.

By default, the NAPT function is active.

Perform the following configuration in interface view.

Table 77 Configure NAPT

Operation                                                      Command
Add association for access control list and address pool       nat outbound acl-number [ address-group group-number ]
Delete association for access control list and address pool    undo nat outbound acl-number [ address-group group-number ]

Configure Bidirectional NAT Table

Perform the following configuration in system view.

Table 78 Configure bidirectional NAT table

Operation                                                                          Command
Configure the mapping from the overlap address pool to the temporary address pool  nat overlapaddress number overlappool-startaddress temppool-startaddress { pool-length pool-length | address-mask mask }
Remove the mapping from the overlap address pool to the temporary address pool     undo nat overlapaddress number

Configuring Internal Server

By configuring an internal server, the related external address and port are mapped to the internal server, enabling hosts on the external network to access the internal server.

The mapping table between the internal server and the external network is configured with the nat server command.

The information you need to provide includes the external address, external port, internal server address, internal server port and the protocol type of the service.

Perform the following configuration in interface view.

Table 79 Configure internal server

Operation                  Command
Add an internal server     nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]
                           nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port
Delete an internal server  undo nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]
                           undo nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port

Note:

■ When either global-port or inside-port is defined as "any", the other one must either be defined as "any" or not be defined.

■ TFTP is a special protocol; therefore, make sure you configure the corresponding nat outbound command on the internal TFTP server when you configure NAT Server for the TFTP server.

Enabling NAT ALG

Perform the following configuration in system view.

By default, NAT ALG is enabled.

Table 80 Enable NAT ALG

Operation                                       Command
Enable NAT ALG (application level gateway)      nat alg { dns | ftp | h323 | ils | msn | nbt | pptp | sip }
Disable NAT ALG                                 undo nat alg { dns | ftp | h323 | ils | msn | nbt | pptp | sip }


Configuring Domain Name Mapping

If the internal network has no DNS server but does have several different internal servers (such as FTP and WWW), internal hosts may want to use different domain names to distinguish the servers and access them. You can use this command to meet that requirement.

Perform the following configuration in system view.

Up to 16 domain name mapping entries can be defined.

Table 81 Configure domain name mapping

Operation                                                                                              Command
Configure a mapping entry from a domain name to the external IP address, port number and protocol type  nat dns-map domain-name global-addr global-port [ tcp | udp ]
Remove the domain name mapping entry                                                                   undo nat dns-map domain-name

Configuring Address Translation Lifetimes

Because the hash table used by NAT does not persist forever, you can configure the lifetime of its entries separately for protocols such as TCP, UDP and ICMP. If an entry is not used within the set time, the connection and the entry it uses are aged out.

For example, the user with IP address 10.110.10.10 sets up an external TCP connection using port 2000, and NAT assigns a corresponding address and port to it. If this TCP connection is not used within the configured time, the system deletes the connection.

Perform the following configuration in system view.

If the nat aging-time default command is configured, the default address translation lifetime values of the system apply.

The default address translation lifetime values for the different protocols are:

■ DNS: 60 seconds

■ FTP control link: 7,200 seconds

■ FTP data link: 240 seconds

■ PPTP: 86,400 seconds

■ TCP: 86,400 seconds

■ TCP FIN, RST or SYN connection: 60 seconds

■ UDP: 300 seconds

■ ICMP: 60 seconds

The default ALG aging time depends on the specific application. To help prevent attacks, you can set the aging time of the first packet to five seconds.

Table 82 Configure address translation lifetime values

Operation                                        Command
Configure address translation lifetime values.   nat aging-time { default | { dns | ftp-ctrl | ftp-data | icmp | pptp | tcp | tcp-fin | tcp-syn | udp } seconds }
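An added Python model (not the switch's own implementation) of session aging with the default lifetimes listed above, including the idle 10.110.10.10:2000 TCP connection from the text; the public address 202.38.160.101 and the tcp-fin treatment of RST are assumptions.

```python
"""Per-protocol NAT session aging with the default lifetimes listed above, as
added example code (not the switch's own implementation). Sessions are keyed
by aging class and inside (address, port); a session not used within its
class's lifetime is removed. The idle 10.110.10.10:2000 TCP connection from
the text is walked through with an operator-configured tcp lifetime.

Assumption: TCP segments carrying RST are aged under the tcp-fin class,
since the guide lists FIN, RST and SYN connections together at 60 seconds.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default lifetimes (seconds) from the guide; keys match the nat aging-time command.
DEFAULT_AGING: Dict[str, int] = {
    "dns": 60, "ftp-ctrl": 7200, "ftp-data": 240, "icmp": 60, "pptp": 86400,
    "tcp": 86400, "tcp-fin": 60, "tcp-syn": 60, "udp": 300,
}

SessionKey = Tuple[str, str, int]   # (aging class, inside address, inside port)


@dataclass
class Session:
    global_addr: str
    global_port: int
    last_used: float


def classify_tcp(syn: bool, fin: bool, rst: bool, established: bool) -> str:
    """Pick the aging class for a TCP segment: connections being set up (SYN,
    not yet established) or torn down (FIN/RST) get the short lifetime."""
    if fin or rst:
        return "tcp-fin"
    if syn and not established:
        return "tcp-syn"
    return "tcp"


class SessionTable:
    def __init__(self, aging: Optional[Dict[str, int]] = None) -> None:
        self.aging = dict(DEFAULT_AGING if aging is None else aging)
        self.sessions: Dict[SessionKey, Session] = {}

    def set_aging(self, proto: str, seconds: int) -> None:
        """nat aging-time <proto> <seconds>; unknown classes are rejected."""
        if proto not in self.aging:
            raise KeyError(f"unknown aging class {proto!r}")
        self.aging[proto] = seconds

    def reset_default(self) -> None:
        """nat aging-time default: restore the system default lifetimes."""
        self.aging = dict(DEFAULT_AGING)

    def touch(self, proto: str, inside: Tuple[str, int],
              global_: Tuple[str, int], now: float) -> SessionKey:
        """Create the session on first use, or refresh its timer on traffic."""
        key: SessionKey = (proto, inside[0], inside[1])
        s = self.sessions.get(key)
        if s is None:
            self.sessions[key] = Session(global_[0], global_[1], now)
        else:
            s.last_used = now
        return key

    def expire(self, now: float) -> List[SessionKey]:
        """Remove every session idle for at least its class lifetime; returns
        the removed keys so the caller can free the global address and port."""
        dead = [k for k, s in self.sessions.items()
                if now - s.last_used >= self.aging[k[0]]]
        for k in dead:
            del self.sessions[k]
        return dead


def idle_tcp_walkthrough(configured_tcp_lifetime: int = 600) -> dict:
    """10.110.10.10:2000 opens a TCP connection, NAT assigns 202.38.160.101:2000
    (constructed), the operator has set 'nat aging-time tcp 600', and the
    connection then stays idle. A second host leaves a SYN-only session behind.
    Times are seconds from session start."""
    t = SessionTable()
    t.set_aging("tcp", configured_tcp_lifetime)
    key = t.touch("tcp", ("10.110.10.10", 2000), ("202.38.160.101", 2000), now=0.0)
    half_open = t.touch("tcp-syn", ("10.110.10.11", 3000), ("202.38.160.101", 3000), now=0.0)
    return {
        "expired_at_60": t.expire(now=60.0),                  # only the SYN-only session
        "alive_before_limit": key in t.sessions and t.expire(now=599.0) == [],
        "expired_at_limit": t.expire(now=600.0),              # the idle TCP session
        "remaining": len(t.sessions),
        "half_open_key": half_open,
    }


if __name__ == "__main__":
    print(idle_tcp_walkthrough())
```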

Displaying and Debugging NAT

After the above configuration, execute the display command in any view to show the running NAT configuration and verify the effect of the configuration.

Execute the reset command in user view to clear the NAT mapping table.

Execute the debugging command in user view to debug NAT.

Table 83 Display and debug NAT

Operation                        Command
Check NAT status                 display nat { address-group | aging-time | all | outbound | server | statistics | session [ source { global global-addr | source inside inside-addr } ] }
Enable the debugging of NAT      debugging nat { alg | event | packet [ interface interface-type interface-number ] }
Disable the debugging of NAT     undo debugging nat { alg | event | packet [ interface interface-type interface-number ] }
Clear NAT mapping table          reset nat { log-entry | session slot slot-number }

NAT Configuration Example

Network requirements

As shown in Figure 18, an enterprise is connected to the WAN through the address translation function of the IPsec module. The enterprise must be able to access the Internet via the IPsec module and provide www, ftp and smtp services to the outside. The address of the internal ftp server is 10.0.1.2/24, the address of the internal www server is 10.0.1.1/24, and the address of the internal smtp server is 10.0.1.3/24. A single, uniform server IP address is to be presented to the outside. Hosts on the internal network segment 10.0.0.0/24 may access the Internet, but PCs on other segments cannot. External PCs may access the internal servers. The enterprise has six legal IP addresses, 202.38.160.100 to 202.38.160.105; 202.38.160.100 is chosen as the external IP address of the enterprise.


Network diagram

Figure 18 Network diagram for NAT configuration

Configuration procedure

1 For the PC, the IP address is 10.0.0.1/24 and gateway address is 10.0.0.254.

For the WWW Server, the IP address is 10.0.1.1/24 and gateway address is 10.0.1.254.

For the FTP Server, the IP address is 10.0.1.2/24 and gateway address is 10.0.1.254.

For the SMTP Server, the IP address is 10.0.1.3/24 and gateway address is 10.0.1.254.

2 Switch 8800 (IPsecModule)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 20
[3Com-vlan20] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 20
[3Com-Vlan-interface20] ip address 10.0.1.254 24
[3Com-Vlan-interface20] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of IPsec module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create the secblade test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the IPsec module to the IPsec module of the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the IPsec module of the specified slot (both the default user name and password are SecBlade).

<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 202.38.160.100 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 0.0.0.0 0 202.38.160.200
[secblade] ip route-static 10.0.0.0 16 30.0.0.1

# Configure the address pool and ACL.

[secblade] nat address-group 1 202.38.160.101 202.38.160.105
[secblade] acl number 2001
[secblade-acl-basic-2001] rule permit source 10.0.0.0 0.0.0.255

# Translate addresses for the whole 10.0.0.0/24 network segment.

[secblade-acl-basic-2001] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] nat outbound 2001 address-group 1

# Set the internal ftp server.

[secblade-GigabitEthernet0/0.2] nat server protocol tcp global 202.38.160.100 inside 10.0.1.2 ftp

# Set the internal WWW server.

[secblade-GigabitEthernet0/0.2] nat server protocol tcp global 202.38.160.100 inside 10.0.1.1 www

# Set the internal smtp server.

[secblade-GigabitEthernet0/0.2] nat server protocol tcp global 202.38.160.100 inside 10.0.1.3 smtp
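The following added Python example (not the IPsec module's code) models the access control the configuration above enforces: the ACL 2001 wildcard match, address-group 1 and the three nat server entries. The service ports, the in-order pool assignment and the one-address-per-host (no-pat style) pool model are assumptions made for brevity.

```python
"""Model of the translation control configured above, as added example code
(not the IPsec module's implementation): ACL 2001 permits source 10.0.0.0
0.0.0.255, address-group 1 holds 202.38.160.101 to 202.38.160.105, and
nat server publishes the ftp, www and smtp servers on 202.38.160.100.

Assumptions: service names map to the standard ports (ftp 21, www 80,
smtp 25); pool addresses are handed out in order, one per inside host
(no-pat style, without port multiplexing); a basic ACL with no matching
rule means "do not translate".
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]   # (action, source address, wildcard)


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Comware-style wildcard: a 1 bit in the wildcard means "don't care"."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (r & care)


def acl_permits(rules: List[Rule], src_addr: str) -> bool:
    """First matching rule decides; with no match the packet is left untranslated."""
    for action, rule_addr, wildcard in rules:
        if wildcard_match(src_addr, rule_addr, wildcard):
            return action == "permit"
    return False


def address_pool(start: str, end: str) -> List[str]:
    """nat address-group: every address from start to end inclusive."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


# [secblade-acl-basic-2001] rule permit source 10.0.0.0 0.0.0.255
ACL_2001: List[Rule] = [("permit", "10.0.0.0", "0.0.0.255")]
# [secblade] nat address-group 1 202.38.160.101 202.38.160.105
ADDRESS_GROUP_1 = address_pool("202.38.160.101", "202.38.160.105")
# nat server protocol tcp global 202.38.160.100 inside <server> <service>
SERVICE_PORTS = {"ftp": 21, "www": 80, "smtp": 25}     # assumed standard ports
NAT_SERVERS: Dict[Tuple[str, str, int], Tuple[str, int]] = {
    ("tcp", "202.38.160.100", SERVICE_PORTS["ftp"]): ("10.0.1.2", SERVICE_PORTS["ftp"]),
    ("tcp", "202.38.160.100", SERVICE_PORTS["www"]): ("10.0.1.1", SERVICE_PORTS["www"]),
    ("tcp", "202.38.160.100", SERVICE_PORTS["smtp"]): ("10.0.1.3", SERVICE_PORTS["smtp"]),
}


class OutboundNat:
    """nat outbound 2001 address-group 1 on GigabitEthernet 0/0.2."""

    def __init__(self, acl: List[Rule], pool: List[str]) -> None:
        self.acl, self.pool = acl, pool
        self.bound: Dict[str, str] = {}   # inside address -> public address

    def translate(self, src_addr: str) -> Optional[str]:
        """Public source address for a permitted host, or None when the packet
        is not translated (it leaves with an RFC 1918 source and gets no reply,
        which is how 'PCs on other segments cannot access the Internet' holds)."""
        if not acl_permits(self.acl, src_addr):
            return None
        if src_addr not in self.bound:
            if len(self.bound) >= len(self.pool):
                return None               # pool exhausted: translation fails
            self.bound[src_addr] = self.pool[len(self.bound)]
        return self.bound[src_addr]


def inbound_server(proto: str, dst_addr: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Destination rewrite for traffic arriving at the published address; anything
    not listed by nat server has no inside target and is not forwarded."""
    return NAT_SERVERS.get((proto, dst_addr, dst_port))


if __name__ == "__main__":
    nat = OutboundNat(ACL_2001, ADDRESS_GROUP_1)
    for host in ("10.0.0.1", "10.0.0.77", "10.0.1.5", "10.0.2.9"):
        print(f"{host:<10} -> {nat.translate(host)}")
    print(inbound_server("tcp", "202.38.160.100", 21),
          inbound_server("tcp", "202.38.160.100", 22))
```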

Troubleshooting NAT Configuration

Fault 1: address translation abnormal

Troubleshooting: enable NAT debugging (see debugging nat in the debugging commands for the specific operation). Use the debugging information displayed on the security gateway to locate the failure initially, then use other commands for further checks. Check the source address after translation carefully and make sure it is the expected address; otherwise the address pool configuration may be wrong. Also make sure that the accessed network has a route back to the address segment defined in the address pool. Take into account the influence on NAT of the firewall ACL, of the address translation itself, and of the route configuration.

Fault 2: internal server abnormal


Troubleshooting: if an external host cannot access the internal server normally, check the configuration on the internal server host and the internal server configuration on the security gateway. It is possible that the internal server IP address is wrong, or that the firewall has blocked the external host from accessing the internal network. Use the command display acl for further checks. Refer to the document entitled “Switch 8800 Firewall Module Configuration and Command Reference Guide.”


7 VPN OVERVIEW

Note: The content below applies to the IPsec module, so the command views in this document apply to the module and not to the Switch 8800 Family switches.

VPN Overview

Along with the increasingly wide application of the Internet, Virtual Private Network (VPN) emerged to construct private networks on public networks. "Virtual" here indicates that a VPN is a logical network.

Employees travel around on business more and more frequently; foreign services and customers are scattered more widely; cooperation is conducted with a growing number of partners. More and more companies therefore turn to the Internet for market promotion, sales, after-sales services, and also for conducting training and other activities. This provides a broad market for the application of VPN.

Features of VPN

■ Unlike a traditional network, a VPN does not exist physically. It is a logical network, a virtual network formed by allocating resources of the existing public network.

■ Each VPN serves only a particular enterprise or group of users. To its users, a VPN is just like a traditional private network. As a private network, a VPN keeps its resources independent of the underlying network: the resources of each VPN are normally inaccessible to other VPNs over the underlying network and to users outside the VPN. It also delivers adequate security, safeguarding the internal information of the VPN against external intrusion.

■ VPN is an upper layer service, but not a simple one. It establishes network interconnection between private network users, including the network topology inside the VPN, route calculation, and the joining and leaving of members. VPN technology is therefore much more complicated than common point-to-point applications.

Benefits of VPN

VPN allows you to:

■ Establish reliable and secure connections between remote users, overseas agencies, partners, suppliers and company headquarters, ensuring the security of data transmission. This advantage is of special significance where e-business or financial networks merge with communication networks.

■ Provide information communication over public networks, thus allowing enterprises to connect with remote offices, staff traveling on business and business partners at low cost, while improving the utilization of network resources. This also helps Internet Service Providers (ISPs) increase profits.


■ Add or delete users through software configuration rather than changing hardware facilities, thus delivering great flexibility.

■ Support mobile access of VPN users at any time in any place, thus meeting growing mobile service demands.

Structure of VPN Network

A VPN comprises a group of sites. A site may join one or more VPNs, but two sites are IP reachable from each other only if they belong to the same VPN. According to the standard definition, a VPN whose sites all belong to a single enterprise is called an Intranet, and a VPN spanning several enterprises is called an Extranet.

Figure 19 The composition of VPN

The above chart demonstrates the relationship between five sites and three VPNs.

■ VPN1---Site2, Site4

■ VPN2---Site1, Site3, Site4

■ VPN3---Site1, Site5

Fundamental Technology of VPN

Basic Networking Application of VPN

Take an enterprise as an example. Its intranet through VPN is shown in following figure.



Figure 20 Diagram for VPN application

It can be seen that enterprise internal resource sharers can access the local ISP at its POP (Point of Presence) server via the PSTN/ISDN network or a local network and then access the internal resources of the company. With traditional WAN networking technology, however, they would need dedicated lines to achieve the same purpose. VPN allows remote end users and clients in other cities to access enterprise internal resources without being authorized by their local ISPs, which is of great significance for staff on business trips and geographically scattered clients.

An enterprise can deploy VPN services simply by setting up a VPN-supported server for resource sharing (e.g. a Windows NT server or a router supporting VPN). The resource sharers connect to local POP server via PSTN/ISDN or LAN before they directly call the remote server (VPN server) of the enterprise. The call process is completed by ISP Network Access Server (NAS) and VPN server together.

Mechanism of VPN

Figure 21 Diagram for accessing VPN

As shown in the above figure, a subscriber accesses the ISP NAS (Network Access Server) through the PSTN/ISDN network. After the NAS recognizes that this is a VPN user by checking the user name or access number, it establishes a connection, called a Tunnel, to the user’s destination VPN server. The NAS then encapsulates the user data into IP packets and transmits them to the VPN server through this Tunnel. Upon receipt of such an IP packet, the VPN server removes the encapsulation to obtain the original data. Packets in the opposite direction are handled likewise. On both sides of the Tunnel, packets can be encrypted so that other users on the Internet cannot read them, keeping them confidential and authentic. For users, Tunnels are only the logical extension of their PSTN/ISDN links and can thus be operated like physical links.

Tunnels are implemented using Tunneling protocols. Tunneling protocols are divided into layer 2 Tunneling protocols and layer 3 Tunneling protocols depending on at which layer of OSI model Tunnel is implemented.

[Figure 20/21 labels: PC, POP, PSTN/ISDN, Remote Subscriber, Cooperator, VPN Subscriber, ISP IP network (Internet, Frame Relay, ATM), NAS, VPN Server, Corporate Headquarters, Internal Server]


Layer 2 Tunneling protocols

Layer 2 Tunneling protocols encapsulate entire PPP frames in Tunnels. The existing layer 2 Tunneling protocols include:

■ PPTP (Point to Point Tunneling Protocol): Supported by companies such as Microsoft, Ascend and 3Com, and by Windows NT 4.0 and later versions. This protocol supports Tunneling encapsulation of PPP in IP networks. As a call control and management protocol, PPTP uses an enhanced Generic Routing Encapsulation (GRE) technology to provide the encapsulation service, with flow control and congestion control, for the transmitted PPP packets.

■ L2F (Layer 2 Forwarding): Supported by Nortel and some other companies. It supports Tunnel encapsulation for the higher-level link layer and physically separates the dial-up server from the dial-up connection.

■ L2TP (Layer 2 Tunneling Protocol): Drafted by the IETF, Microsoft and other companies. Absorbing the advantages of the above two protocols, it is accepted by most companies and has become a standard RFC. L2TP provides both dial-up VPN service and leased line VPN service.

Layer 3 Tunneling protocols

Both the start point and the end point of a layer 3 Tunnel are within the ISP network. The PPP session terminates at the NAS, and only layer 3 packets are carried in the Tunnel. The existing layer 3 Tunneling protocols include:

■ GRE (Generic Routing Encapsulation), which is used to encapsulate a network layer protocol into another one.

■ IPsec (IP Security), which provides a complete architecture of data security on IP networks by using several protocols rather than a single one, such as AH (Authentication Header), ESP (Encapsulating Security Payload), and IKE (Internet Key Exchange).

GRE and IPsec mainly apply in private line VPN.

Contrast between layer 2 Tunneling protocols and layer 3 Tunneling protocols

Compared with layer 2 Tunneling protocols, layer 3 Tunneling protocols have the advantages of security, scalability and reliability. In terms of security, a layer 2 Tunnel poses great challenges to the security of user networks and firewall technologies while a layer 3 Tunnel does not, because a layer 2 Tunnel generally terminates at customer premise equipment whereas a layer 3 Tunnel terminates at the ISP gateway.

Concerning scalability, a layer 2 Tunnel is less efficient in transmission than a layer 3 Tunnel because it encapsulates entire PPP frames. Besides, its PPP session runs through the entire Tunnel and terminates at customer premise equipment, so the user-side gateway must store a large amount of PPP session state, which may overload the system and reduce scalability. The latency introduced by Tunneling may cause problems such as PPP session timeouts in the time sensitive LCP and NCP negotiations of PPP. By contrast, a layer 3 Tunnel terminates within the ISP gateway and the PPP session terminates at the NAS, so the user gateway does not need to manage and maintain the state of each PPP session, which reduces the system load.


Normally, layer 2 Tunneling protocols and layer 3 Tunneling protocols are used separately. The reasonable combination of two types of protocols, however, may deliver better security and functions (e.g. using L2TP and IPsec together).

Classification of VPN

IP VPN means emulating the private line services of a WAN (e.g. remote dial-up, DDN, etc.) over IP networks (including the Internet or a dedicated IP backbone). IP VPN is classified as follows:

Classified by operation mode

1 CPE-based VPN (Customer Premises Equipment based VPN)

Users not only have to install expensive devices and special authentication tools, but also have to maintain the complex VPN themselves (e.g. tunnel maintenance, bandwidth management, etc.). Networking in this way features both high complexity and low service scalability.

2 NBIP-VPN (Network-based VPN)

The maintenance of VPN (permitting users to conduct service management and control to some extent) is conducted by ISP, and all functions are implemented at network device side, so as to reduce users’ investment, reinforce the flexibility and scalability of services, and bring new incomes to ISP.

Classified by service application

1 Intranet VPN

Intranet VPN interconnects points distributed inside an enterprise by making use of public network. It is an extended or substitute form of traditional private network or other enterprise network.

2 Access VPN

Access VPN allows remote users like staff traveling on business and remote small offices to establish private network connections with the intranet and extranet of their enterprise over a public network. Access VPN provides two types of connections: client-initiated VPN connection and NAS-initiated VPN connection.

3 Extranet VPN

Extranet VPN extends an enterprise network to suppliers, cooperators and clients by using VPN, allowing different enterprises to construct VPN over public networks.

Classified by networking model

1 VLL

Virtual Leased Line (VLL) emulates traditional leased line services. By emulating a leased line over IP networks, it provides an asymmetric and low cost "DDN" service. From the point of view of VLL end users, it is similar to a traditional leased line.

2 VPDN


Virtual Private Dial Network (VPDN) means implementing a virtual private network by employing the dial-up function of public networks (e.g. ISDN and PSTN) and access networks, to provide access service for enterprises, small ISPs, and mobile businesspersons.

3 VPLS service

Virtual Private LAN Segment (VPLS) interconnects LANs via virtual private network segments over IP public networks. It is an extension of LANs onto IP public networks.

4 VPRN

Virtual Private Routing Network (VPRN) interconnects headquarters, branches and remote offices via network-managed virtual routers over IP public networks. There are two kinds of VPRN services: VPRN implemented using traditional VPN protocols (IPsec, GRE, etc.) and VPRN implemented by means of MPLS.

Classified by working layer

1 L3VPN: including BGP/MPLS VPN, IPsec VPN, GRE VPN, etc.

2 L2VPN: including MPLS L2VPN in Martini mode, MPLS L2VPN in Kompella mode, MPLS L2VPN in SVC mode, VPLS and static CCC configuration.

3 VPDN: including L2TP, PPTP, etc.


8 CONFIGURATION OF L2TP

Introduction to L2TP Protocol

VPDN Overview

Virtual Private Dial Network (VPDN) means implementing a virtual private network by employing the dial-up function of public networks (e.g. ISDN and PSTN) and access networks, thus providing access service for enterprises, small ISPs and mobile businessmen.

VPDN sets up safe virtual private networks in public networks for enterprises by making use of special network encryption protocols. In this way, overseas agencies and traveling staff of an enterprise can access the headquarters’ network by making use of encrypted virtual Tunnels over public networks, while other users in public networks have no access to internal resources of the enterprise network through virtual Tunnels.

There are two VPDN implementation approaches:

1 The NAS sets up a Tunnel with the VPDN gateway by making use of a Tunneling protocol. In this way, users’ PPP connections are directly connected to the enterprise’s gateway. The protocols available now are L2F and L2TP. This approach has many advantages: a Tunnel setup process that is transparent to users, network access with one login, user authentication and address assignment by the enterprise network without occupying public addresses, and support for a wide range of network access platforms. It requires, however: a) a NAS supporting the VPDN protocol, b) an authentication system supporting VPDN attributes, and c) a router or special VPN server working as the gateway.

2 The client sets up a Tunnel with the VPDN gateway. In this way, the client first connects to the Internet and then sets up a Tunnel with the gateway by using special client software (e.g. the L2TP client supported by Win2000). This approach allows users to access the network by whatever means are available and wherever they are, without the intervention of the ISP. The drawback is platform dependence: users need to install special software (usually on the Win2000 platform).

There are three types of VPDN Tunneling protocols: PPTP, L2F, and L2TP, with L2TP being most popular.

Introduction to L2TP Protocol

Protocol background

PPP provides an encapsulation technology that allows various kinds of data packets to be transmitted on layer 2 point-to-point links. PPP runs between users and the NAS, with the endpoint of the layer 2 link and the endpoint of the PPP session residing on the same device.


L2TP provides Tunnel transmission for PPP link layer packets. It extends the PPP model in that it allows the layer 2 link endpoint and the PPP session endpoint to reside on different devices and lets them exchange information using packet switching network technologies. It combines the advantages of PPTP and L2F, and has therefore become the IETF industry standard for layer 2 Tunneling.

Typical L2TP networking application

Figure 22 shows a typical network where VPDN is constructed using L2TP:

Figure 22 Network diagram for typical VPDN application created by L2TP

In this figure, LAC stands for L2TP Access Concentrator, a switching network device with the capability to process PPP and L2TP requests. Usually, LAC functions as Network Access Server (NAS) to provide access service to users by making use of PSTN/ISDN. LNS stands for L2TP Network Server, a device functioning in the PPP system as L2TP server.

The LAC lies between the LNS and the remote system (remote users and remote branches) to transmit packets between them: it encapsulates packets from the remote system in L2TP and sends them to the LNS, and decapsulates packets from the LNS and forwards the remaining part to the remote system. A local connection or a PPP link can be used between the LAC and the remote system, but a PPP link is always involved in VPDN applications. As one end of the L2TP Tunnel, the LNS is the peer device of the LAC and also the logical termination point of the PPP session transmitted in the Tunnel by the LAC.

Technology details of L2TP protocol

1 Architecture of L2TP protocol

Figure 23 Architecture of L2TP protocol

[Figure 22 labels: PC, PSTN/ISDN, Remote users, NAS, LAC, Internet backbone network, L2TP channel, LNS, Internal server]

[Figure 23 labels: PPP Frame; L2TP Data message in the L2TP data tunnel (unreliable); L2TP Control message in the L2TP control tunnel (reliable); packet transport (UDP, ...)]

The architecture of L2TP protocol shown above describes the relationship between PPP frame, control Tunnel and data Tunnel. PPP frames are transmitted in the unreliable L2TP data channel. Control messages are transmitted in the reliable L2TP control channel.

Usually L2TP data is carried in UDP packets for transmission. L2TP registers UDP port 1701, but this port is only used during the early stage of Tunnel setup. The L2TP Tunnel initiator selects an arbitrary available port (not necessarily 1701) and sends packets to port 1701 of the receiver. After the receiver receives the packets, it also selects a free port at random (not necessarily 1701) and sends packets back to the port chosen by the initiator. The ports of the two sides are thus determined and remain unchanged until the Tunnel connection is disconnected.

2 Definitions of Tunnel and session

There are two kinds of connections between an LNS-LAC pair: Tunnel connections and Session connections. A Tunnel connection defines a pair of LNS and LAC, while Session connections are multiplexed in a Tunnel connection to represent the PPP sessions carried in it. Several L2TP Tunnels can be created between an LNS-LAC pair; each Tunnel consists of a control connection and one or more Sessions. Session connections can be set up only after the Tunnel has been created successfully (including such information exchange as ID protection, L2TP version, frame type, hardware transmission type, etc.). Each session connection corresponds to a PPP data stream between the LAC and the LNS. Both control messages and PPP data packets are transmitted in the Tunnels.

L2TP uses Hello packets to check the connectivity of a Tunnel. LAC and LNS forward Hello packets to peer ends at regular intervals. If no response to Hello packet is received in a certain period of time, the session will be cleared.

3 Definitions of control message and data message

There are two kinds of messages in L2TP: control messages and data messages. Control messages are used for the setup, maintenance and transmission control of Tunnel and session connections, while data messages are for PPP frame encapsulation and transmission in Tunnels. The transmission of control messages is reliable, delivering flow and congestion control. On the contrary, the transmission of data messages is unreliable, meaning it lacks mechanisms of retransmission, flow control, and congestion control.

Control messages and data messages share the same type of packet headers. Tunnel ID and Session ID are included in L2TP packet header, to identify different Tunnels and sessions. The packets with the same Tunnel ID but different Session IDs will be multiplexed in the same Tunnel. Tunnel ID and Session ID in the packet header are assigned by peer ends.
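The header layout the two items above describe (one header format shared by control and data messages, the T bit telling them apart, Tunnel ID and Session ID assigned by the peer, sequence numbers only on the reliable control channel) can be decoded with the following Python parser. It is an added example, not code from the 3Com guide or the IPsec module; it follows the RFC 2661 header and AVP encoding, and every packet it parses is constructed inline (the host name, Tunnel IDs and PPP bytes are sample values). The H bit it reports on each AVP is the flag behind the AVP hiding option described later in this chapter.

```python
"""Decode L2TP (RFC 2661) headers and control-message AVPs. Added example, not code
from the 3Com guide or the IPsec module; the sample packets at the end are constructed."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

L2TP_PORT = 1701  # registered UDP port; only the first packets of a tunnel must use it
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200  # header flag bits
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO", 7: "OCRQ",
                 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN",
                 15: "WEN", 16: "SLI"}  # values of the Message Type AVP (attribute 0)

@dataclass
class Avp:
    mandatory: bool  # M bit: an unknown mandatory AVP must tear down the tunnel/session
    hidden: bool     # H bit: value hidden with the tunnel password (needs tunnel auth)
    vendor_id: int
    attr_type: int
    value: bytes

@dataclass
class L2tpPacket:
    is_control: bool   # T bit: control message (reliable channel) or data message
    tunnel_id: int     # both IDs are the values assigned by the receiving peer
    session_id: int
    ns: Optional[int]  # sequence numbers; mandatory on control messages only
    nr: Optional[int]
    payload: bytes     # PPP frame for data messages, raw AVP bytes for control messages
    avps: List[Avp] = field(default_factory=list)

    @property
    def message_type(self) -> Optional[str]:
        for avp in self.avps:  # the Message Type AVP is never hidden
            if avp.vendor_id == 0 and avp.attr_type == 0 and not avp.hidden:
                return MESSAGE_TYPES.get(struct.unpack("!H", avp.value)[0], "unknown")
        return None

def parse_avps(data: bytes) -> List[Avp]:
    """Walk the AVP list: 6 header octets (flags+length, vendor, type) plus the value."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 6:
            raise ValueError("truncated AVP header")
        flags_len, vendor_id, attr_type = struct.unpack_from("!HHH", data, pos)
        length = flags_len & 0x03FF
        if length < 6 or pos + length > len(data):
            raise ValueError("bad AVP length %d" % length)
        avps.append(Avp(bool(flags_len & 0x8000), bool(flags_len & 0x4000),
                        vendor_id, attr_type, data[pos + 6:pos + length]))
        pos += length
    return avps

def parse_l2tp(pkt: bytes) -> L2tpPacket:
    """Parse one L2TP packet (the UDP payload), enforcing the RFC 2661 header rules."""
    if len(pkt) < 6:
        raise ValueError("too short for an L2TP header")
    flags = struct.unpack_from("!H", pkt, 0)[0]
    if flags & 0x000F != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & 0x000F))
    is_control = bool(flags & T_BIT)
    if is_control and not (flags & L_BIT and flags & S_BIT):
        raise ValueError("control messages must carry Length and Ns/Nr")
    if flags & O_BIT:  # legal on data messages only; this example does not handle it
        raise ValueError("Offset field not handled")
    hdr = 6 + (2 if flags & L_BIT else 0) + (4 if flags & S_BIT else 0)
    if len(pkt) < hdr:
        raise ValueError("packet shorter than its own header")
    pos, length = 2, len(pkt)
    if flags & L_BIT:
        length = struct.unpack_from("!H", pkt, pos)[0]
        if not hdr <= length <= len(pkt):
            raise ValueError("bad L2TP Length %d" % length)
        pos += 2
    tunnel_id, session_id = struct.unpack_from("!HH", pkt, pos)
    pos, ns, nr = pos + 4, None, None
    if flags & S_BIT:
        ns, nr = struct.unpack_from("!HH", pkt, pos)
        pos += 4
    payload = pkt[pos:length]
    return L2tpPacket(is_control, tunnel_id, session_id, ns, nr, payload,
                      parse_avps(payload) if is_control else [])

def build_avp(attr_type: int, value: bytes, mandatory: bool = True, hidden: bool = False) -> bytes:
    """Encode one IETF (vendor 0) AVP; used only to construct the samples below."""
    flags_len = (0x8000 if mandatory else 0) | (0x4000 if hidden else 0) | (6 + len(value))
    return struct.pack("!HHH", flags_len, 0, attr_type) + value

def build_control(tunnel_id: int, session_id: int, ns: int, nr: int, avps: List[bytes]) -> bytes:
    body = b"".join(avps)  # T, L and S set, version 2; Length covers header plus AVPs
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body),
                       tunnel_id, session_id, ns, nr) + body

# Constructed samples: an SCCRQ opening a tunnel (Tunnel ID 0 until the LNS assigns one),
# a HELLO keepalive on tunnel 42, and a data message on tunnel 42 / session 7 (PPP follows).
SAMPLE_SCCRQ = build_control(0, 0, 0, 0, [
    build_avp(0, struct.pack("!H", 1)),      # Message Type = SCCRQ
    build_avp(7, b"lac-example"),            # Host Name (sample value)
    build_avp(9, struct.pack("!H", 42))])    # Assigned Tunnel ID
SAMPLE_HELLO = build_control(42, 0, 5, 7, [build_avp(0, struct.pack("!H", 6))])
SAMPLE_DATA = struct.pack("!HHH", 2, 42, 7) + b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14"
```

Run over captured UDP payloads, the parser gives a defender the two things the text says the header carries: which Tunnel and Session a packet belongs to, and whether it is a control message (whose M and H bits and sequence numbers are worth logging) or plain PPP data.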

Two typical L2TP Tunnel modes

The following figure shows the Tunnel modes available between remote system or LAC clients (hosts running L2TP) and LNS:


Figure 24 Two typical L2TP Tunnel modes

1 Initiated by remote dial-up user. Remote system dials in LAC via PSTN/ISDN. LAC sends Tunnel setup request to LNS through the Internet. Dial-up users’ addresses are assigned by LNS. The authentication and accounting of remote dial-up users can be accomplished either by LAC side as an agent or by LNS side directly.

2 Initiated directly by LAC users (local users who support L2TP). Once assigned a public network address, an LAC user can send Tunnel setup request directly to LNS, without requiring an additional LAC device. In this case, the private network address of an LAC user is assigned by LNS.

Call setup flow of L2TP Tunnel

Typical L2TP application network is as follows:

Figure 25 Typical L2TP application network

Call setup flow of L2TP Tunnel is shown in the following figure:

[Figure 24 labels: Remote system, PSTN/ISDN, LAC, Internet, LNS, Internal server; LAC client, Frame Relay or ATM, LNS, Internal server]

[Figure 25 labels: PC, PSTN/ISDN WAN, Switch 8800 A (LAC), IP network, RADIUS Server, Switch 8800 B (LNS), PC]


Figure 26 Call setup flow of L2TP channel

The following is the call setup process using L2TP Tunnel:

1 The PC at user side initiates setup request;

2 The PC and LAC equipment negotiate PPP LCP parameters;

3 LAC performs PAP or CHAP authentication based on the information provided by the PC of the VPN user;

4 LAC sends access request including VPN user’s name and password to RADIUS server for authentication;

5 RADIUS server authenticates this user and sends back access accept, such as LNS address, after authentication is passed successfully; LAC is ready for initiating a new Tunnel request;

6 LAC initiates a Tunnel request to the LNS specified by RADIUS server;

7 LAC informs LNS of "CHAP challenge" information, LNS sends back CHAP response and its own CHAP challenge, and LAC sends back CHAP response;

8 Authentication passes successfully;

9 LAC transmits the information of CHAP response, response identifier and PPP negotiation parameters to LNS;

10 LNS sends the access request to RADIUS server for authentication;

11 RADIUS server authenticates this access request and sends back a response if authentication is successful;

[Figure 26 labels: PC, LAC, RADIUS Server, LNS; messages (1) Call Setup, (2) PPP LCP Setup, (3) PAP or CHAP authentication, (4) access request, (5) access accept, (6) Tunnel establishment, (7) PAP or CHAP authentication (challenge/response), (8) authentication passes, (9) user CHAP response and PPP negotiation parameters, (10) access request, (11) access accept, (12) second CHAP authentication (challenge/response), (13) access request, (14) access accept, (15) authentication passes]


12 If local mandatory CHAP authentication is configured at LNS, LNS will authenticate the VPN user by sending CHAP challenge and the VPN user at PC sends back responses;

13 LNS resends this access request to RADIUS for authentication;

14 RADIUS server re-authenticates this access request and sends back a response if authentication is successful;

15 The authentication passes and the VPN user can use the internal resources of the enterprise.

LAC Configuration

Concerning L2TP configuration, the configuration of the LAC side differs from that of the LNS side. This section mainly covers the configuration of the LAC side. In the configuration task list, L2TP must be enabled and an L2TP group must be created before any other functions can be configured. For a detailed introduction to the related PPP configuration commands, refer to the chapters and sections dedicated to them.

Configuration tasks at LAC side include:

■ Enable L2TP (required)

■ Create L2TP group (required)

■ Set the condition triggering L2TP Tunnel setup request and LNS addresses (required)

■ Set local name (optional)

■ Set Tunnel authentication and password (optional)

■ Set the transmission mode of AVP data (optional)

■ Set Hello interval in the Tunnel (optional)

■ Set user name and password and configure user authentication (required)

■ Disconnect Tunnel by force (optional)

■ Enable/disable the flow control function of the Tunnel (optional)

■ Set L2TP session idle-timeout timer (optional)

■ Configure the Tunnel-hold function of L2TP (optional)

■ Set the LAC to function as client (optional)

Enabling L2TP

Only after L2TP is enabled can the L2TP functions on the security gateway work normally. If L2TP is disabled, the security gateway cannot provide the related functions even if L2TP parameters have been configured.

These configurations are compulsory on LAC side.

Perform the following configuration in system view.

Table 84 Enable/disable L2TP

Operation        Command
Enable L2TP      l2tp enable
Disable L2TP     undo l2tp enable


By default, L2TP is disabled.

Creating L2TP Group

An L2TP group needs to be created in order to perform the related L2TP parameter configurations. It allows you not only to configure L2TP functions as needed but also to implement one-to-one and one-to-many networking applications between LAC and LNS. L2TP groups are numbered separately on the LAC and the LNS, so the LAC and LNS only need to keep the configurations of the involved L2TP groups consistent (e.g. remote Tunnel name, start l2tp and LNS address, etc.).

These configurations are compulsory on LAC side.

Perform the following configuration in system view.

Table 85 Create/delete L2TP group

Operation            Command
Create L2TP group    l2tp-group group-number
Delete L2TP group    undo l2tp-group group-number

After an L2TP group is created, other configurations related to the L2TP group can be performed in L2TP group view, for example, the name of the peer end, the condition triggering the L2TP Tunnel setup request and the LNS address.

By default, no L2TP group is created.

Setting Condition Triggering L2TP Tunnel Setup Request and LNS Address

A security gateway will not send an L2TP Tunnel setup request to other devices unless certain conditions are met. By configuring a decision rule based on user information and specifying the IP address of the LNS, you allow the security gateway to determine whether a user is a VPN user and to initiate the connection with the LNS. Up to five LNS addresses can be configured, which provides LNS backup. In normal operation, the local security gateway (LAC) sends Tunnel setup requests to the peer end (LNS) in the order in which the LNS addresses are configured until one LNS accepts the request; that LNS becomes the peer end of the L2TP Tunnel. An L2TP Tunnel setup request can be triggered by the full user name or by the domain name.

Perform the following configuration in L2TP group view.

Table 86 Set condition triggering L2TP Tunnel setup request and LNS address

Operation / Command
Configure to check if the user is a VPN user and set the IP address of the LNS
    start l2tp { ip ip-addr [ ip ip-addr ] [ ip ip-addr ] ... } { domain domain-name | fullusername user-name }
Cancel the Tunnel setup request configuration
    undo start

The parameters above have no default values and can be configured as needed, but at least one triggering condition must be configured for initiating the L2TP Tunnel setup request.

When the L2TP LAC starts an L2TP Tunnel connection, the system checks whether the L2TP group specified according to the complete user name exists. If the system does not find the required L2TP group, it continues to search for the required L2TP group according to the domain name.

Setting Tunnel Name A user can configure local Tunnel name on LAC side. The Tunnel name of LAC side must keep in line with the remote name of Tunnel configured on LNS side.

These configurations are optional on LAC side.

Perform the following configuration inL2TP group view.

By default, local Tunnel name is the hostname of the security gateway.

Setting Tunnel Authentication and

Password

As needed, a user can decide whether to start Tunnel authentication before creating Tunnel connection. Tunnel authentication request can be sent by either LAC side or LNS side. If one end of a Tunnel starts Tunnel authentication, the other end must also start Tunnel authentication in order to set up the Tunnel connection. In addition, both ends must use the same password, which cannot be void. Otherwise, the local end will disconnect the Tunnel automatically. If Tunnel authentication is disabled on both ends, the consistency of password will be insignificant.

These configurations are optional on LAC side.

Perform the following configuration in L2TP group view.

By default, Tunnel authentication is enabled, with password of Tunnel authentication being null. For the sake of Tunnel security, it is not suggested to disable Tunnel authentication.

Setting Transfer Mode of AVP Data

Attribute Value Pair (AVP) is adopted in L2TP to move and negotiate some attribute parameters of L2TP. By default, AVP is transferred in plain text. For security, users can hide AVP data in transmission by using the following configuration. The function of hidden VAP only works when both of the two ends use Tunnel authentication.

These configurations are optional on LAC side.
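The Tunnel authentication exchange and the AVP hiding described in the two sections above, worked through as an added Python example that is not part of this guide or of 3Com's code. It follows RFC 2661 (an MD5 challenge response keyed by the tunnel password, and a chained MD5 keystream for hidden AVPs); the secrets, challenge, random vector and Calling Number value are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Message Type values (RFC 2661) used as the one-octet ID in the response hash.
SCCRP = 2   # LNS answers the challenge carried in the LAC's SCCRQ
SCCCN = 3   # LAC answers the challenge carried in the LNS's SCCRP


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(ID + secret + challenge), where ID is the
    Message Type of the message carrying the response and secret is the
    configured tunnel password."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify_challenge_response(msg_type: int, local_secret: bytes,
                              challenge: bytes, received: bytes) -> bool:
    """Receiver side: recompute with the locally configured tunnel password and
    compare in constant time. False is the case the guide describes as the
    local end disconnecting the Tunnel automatically."""
    expected = challenge_response(msg_type, local_secret, challenge)
    return hmac.compare_digest(expected, received)


def _keystream(attr_type: int, secret: bytes, rv: bytes, prev_cipher) -> bytes:
    """b1 = MD5(AT + S + RV); b(i) = MD5(S + c(i-1)). AT is the 2-octet Attribute
    Type, S the shared secret, RV the Random Vector AVP preceding the hidden AVP."""
    if prev_cipher is None:
        return hashlib.md5(struct.pack("!H", attr_type) + secret + rv).digest()
    return hashlib.md5(secret + prev_cipher).digest()


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_avp(attr_type: int, value: bytes, secret: bytes, rv: bytes) -> bytes:
    """Hide an AVP value (RFC 2661 section 4.3): prefix a 2-octet original length,
    pad with random octets to a 16-octet boundary, then XOR each 16-octet block
    with the chained MD5 keystream. The shared secret is the only key material,
    which is why hiding requires tunnel authentication on both ends."""
    if len(value) > 0xFFFF:
        raise ValueError("AVP value does not fit the 16-bit length field")
    plain = struct.pack("!H", len(value)) + value
    plain += os.urandom((-len(plain)) % 16)
    out, prev = b"", None
    for i in range(0, len(plain), 16):
        prev = _xor16(plain[i:i + 16], _keystream(attr_type, secret, rv, prev))
        out += prev
    return out


def unhide_avp(attr_type: int, hidden: bytes, secret: bytes, rv: bytes) -> bytes:
    """Reverse of hide_avp. A wrong secret or RV yields a garbage length field,
    which is rejected rather than returned as if it were a valid value."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden AVP value must be a non-empty multiple of 16 octets")
    plain, prev = b"", None
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor16(block, _keystream(attr_type, secret, rv, prev))
        prev = block
    (orig_len,) = struct.unpack("!H", plain[:2])
    if orig_len > len(plain) - 2:
        raise ValueError("inconsistent length: wrong secret, wrong RV or corrupted AVP")
    return plain[2:2 + orig_len]


CALLING_NUMBER = 22  # Attribute Type of the Calling Number AVP, one that may be hidden


def demo() -> dict:
    """Constructed walk-through: one peer computes with the tunnel password
    'secblade', the other checks it with its own configured password."""
    secret_ok = b"secblade"    # constructed, matches the guide's example
    secret_bad = b"secb1ade"   # constructed mistyped password on the other end
    challenge = os.urandom(16)  # Challenge AVP the LAC places in its SCCRQ
    response = challenge_response(SCCRP, secret_ok, challenge)
    rv = os.urandom(16)         # Random Vector AVP sent ahead of the hidden AVP
    hidden = hide_avp(CALLING_NUMBER, b"5551234", secret_ok, rv)
    try:
        wrong = unhide_avp(CALLING_NUMBER, hidden, secret_bad, rv)
    except ValueError:
        wrong = None
    return {
        "auth_same_secret": verify_challenge_response(SCCRP, secret_ok, challenge, response),
        "auth_wrong_secret": verify_challenge_response(SCCRP, secret_bad, challenge, response),
        "hidden_len": len(hidden),
        "roundtrip": unhide_avp(CALLING_NUMBER, hidden, secret_ok, rv),
        "wrong_secret_recovers": wrong == b"5551234",
    }
```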

Table 87 Set local Tunnel name

Operation                                Command
Set local Tunnel name                    tunnel name name
Restore the default local Tunnel name    undo tunnel name

Table 88 Set Tunnel authentication and authentication password

Operation                                                      Command
Start Tunnel authentication                                    tunnel authentication
Disable Tunnel authentication                                  undo tunnel authentication
Set the password of Tunnel authentication                      tunnel password { simple | cipher } password
Restore the password of Tunnel authentication to the default   undo tunnel password


Perform the following configuration in L2TP group view.

By default, AVP is transferred in plain text.

Setting Hello Interval in Tunnel

In order to check the connectivity of the Tunnel between the LAC and the LNS, the LAC and the LNS send Hello packets to each other periodically, and the receiver responds upon receipt. If the LAC or the LNS does not receive a response from the peer end within a specified interval, it resends the Hello packet and regards the L2TP Tunnel connection as disconnected if no response is received after three transmission attempts. In this case, the LAC and the LNS need to set up a new Tunnel connection.

This configuration is optional on LAC side.

Perform the following configuration in L2TP group view.

By default, Hello interval is 60 seconds. If this configuration is not performed on LAC side, LAC will send Hello packet to the peer end at intervals of the default value.

Setting Username, Password and Local User Authentication

If you have configured local authentication when configuring AAA authentication on the LAC side, you also need to configure a local username and password on this side.

The LAC performs user authentication to determine whether a user is a valid VPN user by comparing the remote dial-in username and password with the usernames and passwords registered at the local end. It originates a Tunnel setup request only upon successful authentication. Otherwise, the user is diverted to other kinds of services.

These configurations are compulsory on LAC side.

Configuring user name and password

Table 89 Set transfer mode of AVP data

Operation                                            Command
Configure to transfer AVP data in the hidden mode    tunnel avp-hidden
Restore default transfer mode of AVP                 undo tunnel avp-hidden

Table 90 Set Hello interval in a Tunnel

Operation                             Command
Set Hello interval in a Tunnel        tunnel timer hello hello-interval
Restore the default Hello interval    undo tunnel timer hello

Table 91 Configure a username and password

Operation                                              Command
Configure a user name and password (in system view)    local-user username
Delete the current setting (in system view)            undo local-user username


By default, no local username and password are configured at the LAC side.

Configuring PPP user authentication mode

Perform the following configuration in virtual template interface view.

User authentication is not configured by default. The interface where you configure local authentication must be the one connected to users.

Configuring a PPP domain user and an authentication scheme

Disconnecting an L2TP Connection

A connection can be disconnected for one of these reasons: no user is present, a fault occurs on the network, or the administrator requests it.

Both LAC side and LNS side can start Tunnel disconnection. After a Tunnel is disconnected, the control connection and sessions on it are cleared. This Tunnel can be set up when a new user dials in.

These configurations are optional on LAC side.

Perform the following configurations in user view.

Setting Flow Control Function of Tunnel

This configuration can enable/disable the flow control function on a Tunnel.

Table 91 Configure a username and password (continued)

Operation                                             Command
Configure local user password (in local user view)    password { simple | cipher } password

Table 92 Configure/Cancel PPP user authentication mode

Operation                                  Command
Configure a PPP user authentication mode   ppp authentication-mode { chap | pap } [ call-in ] [ domain isp-name ]
Disable PPP user authentication            undo ppp authentication-mode

Table 93 Configure a PPP domain user and an authentication scheme

Operation                                                                              Command
Create an ISP domain and enter its view (in system view)                               domain { isp-name | default { disable | enable isp-name } }
Delete the specified ISP domain (in system view)                                       undo domain isp-name
Configure the local authentication scheme for the PPP domain user (in ISP domain view) scheme local

Table 94 Disconnect a connection

Operation              Command
Disconnect a Tunnel    reset l2tp tunnel { name remote-name | id tunnel-id }
Disconnect a session   reset l2tp session session-id
Disconnect a user      reset l2tp user user-name user-name


Perform the following configuration in L2TP group view.

By default, the flow control function of Tunnels is disabled.

Setting the L2TP Session Idle-Timeout Timer

An L2TP session is disconnected automatically if the session is idle or no data is transmitted or received on it for a specified period of time. You may set a session idle-timeout timer to specify this idle period. This period can be 0 seconds; that is, the timer never expires.

Perform the following configuration in L2TP group view.

By default, L2TP session idle-timeout timer never expires.

Configuring the Tunnel-Hold Function of L2TP

Normally, the LAC sets up a Tunnel with the LNS only when receiving an L2TP session request from a PPP user. This Tunnel is automatically torn down after all PPP sessions are disconnected.

For some applications that require fast connection setup, however, a Tunnel must be available beforehand so that the system can set up a session immediately after receiving a PPP session request. To this end, the LAC and the LNS must always maintain a Tunnel connection even when no session is present on it.

Perform the following configuration in L2TP group view.

By default, the Tunnel-hold function of L2TP is disabled.

Note: To have the Tunnel-hold function take effect, you must configure it on both the LAC and the LNS.

After you configure the Tunnel-hold function of L2TP, you can execute the start l2tp tunnel command to start a Tunnel connection.

Perform the following configuration in L2TP group view.

Table 95 Set flow control function of a Tunnel

Operation                                  Command
Enable flow control function of a Tunnel   tunnel flow-control
Disable flow control function of a Tunnel  undo tunnel flow-control

Table 96 Set the L2TP session idle-timeout timer

Operation                                    Command
Set the L2TP session idle-timeout timer      session idle-time time
Disable the L2TP session idle-timeout timer  undo session idle-time

Table 97 Configure the Tunnel-hold function of L2TP

Operation                                 Command
Enable the Tunnel-hold function of L2TP   tunnel keepstanding
Disable the Tunnel-hold function of L2TP  undo tunnel keepstanding


Setting LAC to Function as Client

Normally, the L2TP client is the host that dials in to the LAC, and the connection between the user and the LAC is always a PPP connection.

If the LAC functions as the client, the connection between the host and the LAC can be an IP connection, allowing the LAC to forward the IP packets from the host to the LNS. This is equivalent to creating, on the LAC, a virtual PPP user associated with multiple actual users and maintaining a permanent connection for it. The IP packets of all these actual users are forwarded to the LNS through this virtual user.

To use the LAC as the client, you must add the following configurations in addition to other LAC configurations:

■ Create a virtual template interface

■ Configure the parameters of the virtual template interface, including IP address, PPP authentication mode, and username and password for PPP authentication

■ Enable the LAC client to set up L2TP Tunnel

Note: When the LAC functions as the L2TP client, you must set the L2TP session idle-timeout timer to 0 or disable it, so that the virtual user's session is not disconnected when no data is transmitted or received.

Creating a virtual template interface

Perform the following configuration in system view.

Configuring the parameters of the virtual template interface

Perform the following configuration in virtual template interface view.

Table 98 Start an L2TP Tunnel connection

Operation                         Command
Start an L2TP Tunnel connection   start l2tp tunnel

Table 99 Create/delete a virtual template interface

Operation                             Command
Create a virtual template interface   interface virtual-template virtual-template-number
Delete a virtual template interface   undo interface virtual-template virtual-template-number

Table 100 Configure the parameters of the virtual template interface

Operation                                                Command
Assign an IP address to the virtual template interface   ip address { address mask | ppp-negotiate | unnumbered interface interface-type interface-number }
Configure a PPP authentication mode                      ppp authentication-mode { pap | chap }
Configure the username for CHAP authentication           ppp chap user user-name
Configure the password for CHAP authentication           ppp chap password { simple | cipher } password


Enabling/disabling the LAC client to set up L2TP Tunnel

Perform the following configuration in virtual template interface view.

By default, the LAC client is disabled from setting up an L2TP Tunnel.

LNS Configuration

In the LNS configuration task list, L2TP must be enabled and an L2TP group must be created before any other functions can be configured. Regarding L2TP multi-domain support, no configuration becomes valid unless the L2TP multi-domain function is enabled. For a detailed introduction to the related commands of PPP and virtual template interfaces, refer to the corresponding chapters and sections.

The major configuration tasks on LNS side include:

■ Enable L2TP (required)

■ Enable/disable the L2TP multi-domain function (optional)

■ Create L2TP group (required)

■ Create virtual template interface (required)

■ Set the parameters for call receiving (required)

■ Set local name (optional)

■ Set Tunnel authentication and password (optional)

■ Set the transmission mode of AVP data (optional)

■ Set Hello interval in the Tunnel (optional)

■ Configure mandatory local CHAP authentication (optional)

■ Configure mandatory LCP renegotiation (optional)

■ Set local address and assigned address pool (optional)

■ Set user name and password and configure user authentication (optional)

■ Disconnect Tunnel by force (optional)

■ Set the flow control function of Tunnel (optional)

■ Set the L2TP session timeout timer (optional)

Enabling L2TP

Only after L2TP is enabled can the L2TP functions on the security gateway work normally. If L2TP is disabled, the security gateway cannot provide the related functions even if L2TP parameters have been configured.

Table 100 Configure the parameters of the virtual template interface (continued)

Operation                                                    Command
Configure the username and password for PAP authentication   ppp pap local-user user-name password { simple | cipher } password

Table 101 Enable/disable the LAC client to set up L2TP Tunnel

Operation                                      Command
Enable the LAC client to set up L2TP Tunnel    l2tp-auto-client enable
Disable the LAC client to set up L2TP Tunnel   undo l2tp-auto-client enable


These configurations are compulsory on LNS side.

Perform the following configuration in system view.

By default, L2TP is disabled.

Enabling/Disabling the L2TP Multi-Domain Function

A security gateway can function as the LNS for multiple enterprises only when the L2TP multi-domain function is enabled. The L2TP multi-domain function can be used to diversify VPN networking modes.

In L2TP multi-domain applications, these configurations are compulsory at LNS side.

Perform the following configuration in system view.

By default, the L2TP multi-domain function is disabled.

Creating L2TP Group

An L2TP group must be created before the related L2TP parameters can be configured. It allows you not only to configure L2TP functions on the security gateway as needed but also to implement one-to-one and one-to-many networking between the LAC and the LNS easily. L2TP groups are numbered separately on the LAC and the LNS, so the LAC and the LNS only need to keep the configurations of the involved L2TP groups consistent, such as the remote Tunnel name, start l2tp, and the LNS address.

These configurations are compulsory on LNS side.

Perform the following configuration in system view.

After L2TP group is created, other configurations related to the L2TP group can be performed in L2TP group view, for example, local name and remote name of Tunnel.

By default, no L2TP group is created.

Table 102 Enable/disable L2TP

Operation      Command
Enable L2TP    l2tp enable
Disable L2TP   undo l2tp enable

Table 103 Enable/disable the L2TP multi-domain function

Operation                                 Command
Enable the L2TP multi-domain function     l2tpmoreexam enable
Disable the L2TP multi-domain function    undo l2tpmoreexam enable

Table 104 Create/delete L2TP group

Operation           Command
Create L2TP group   l2tp-group group-number
Delete L2TP group   undo l2tp-group group-number


Creating Virtual Template Interface

A virtual template interface is mainly used to configure the parameters of virtual interfaces that the security gateway creates dynamically in operation, such as MP logical interfaces and L2TP logical interfaces.

These configurations are compulsory on LNS side.

Perform the following configuration in system view.

By default, no virtual template interface is created.

Setting Parameters for Call Receiving

The LNS can use different virtual template interfaces for receiving Tunnel setup requests from different LACs. When receiving a Tunnel setup request from a LAC, the LNS needs to check that the LAC's name is a valid remote Tunnel name before allowing it to create the Tunnel.

These configurations are compulsory on LNS side.

Perform the following configuration in L2TP group view.

When the L2TP group number is 1 (the default L2TP group number), you do not need to specify remote-name. If remote-name is specified in L2TP group 1 view, L2TP group 1 is no longer regarded as the default L2TP group.

Note:

■ Only L2TP group 1 can be set as the default group.

■ Any device can initiate a Tunnel setup request when the L2TP group number is the default L2TP group number 1.

■ The start command and the allow command are mutually exclusive. After one is configured, the other becomes invalid automatically.

■ When the PPPoE client is used to trigger the Tunnel connection from the LAC to the LNS, you are recommended to decrease the MTU of the virtual template interface on the LNS side to 1,480 bytes.

Setting Local Name

A user can configure the local Tunnel name on the LNS side.

Table 105 Create/delete virtual template interface

Operation                               Command
Create a virtual template interface     interface virtual-template virtual-template-number
Delete the virtual template interface   undo interface virtual-template virtual-template-number

Table 106 Set parameters for call receiving

Operation                                             Command
Set remote name of Tunnel (L2TP group not being 1)    allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ]
Set remote name of Tunnel (L2TP group being 1)        allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ]
Remove remote name of Tunnel                          undo allow


These configurations are optional on LNS side.

Perform the following configuration in L2TP group view.

By default, local name is the hostname of the security gateway.

Setting Tunnel Authentication and Password

As needed, a user can decide whether to start Tunnel authentication before creating the Tunnel connection. A Tunnel authentication request can be sent by either the LAC side or the LNS side. If one end of a Tunnel starts Tunnel authentication, the other end must also start Tunnel authentication in order to set up the Tunnel connection. In addition, both ends must use the same password, which cannot be empty; otherwise, the local end disconnects the Tunnel automatically. If Tunnel authentication is disabled on both ends, password consistency is irrelevant.

These configurations are optional on LNS side.

Perform the following configuration in L2TP group view.

By default, Tunnel authentication is enabled, with the password being null. For the sake of Tunnel security, disabling Tunnel authentication is not recommended.

Setting Transfer Mode of AVP Data

AVPs are used in the L2TP protocol to carry and negotiate some L2TP attribute parameters. By default, AVPs are transferred in plain text. For security, users can hide these AVPs in transmission by using the following configuration. AVP hiding only works when both ends use Tunnel authentication.

These configurations are optional on LNS side.

Perform the following configuration in L2TP group view.

Table 107 Set local name

Operation                                Command
Set local name                           tunnel name name
Restore the default value of local name  undo tunnel name

Table 108 Set Tunnel authentication and authentication password

Operation                                      Command
Start Tunnel authentication                    tunnel authentication
Disable Tunnel authentication                  undo tunnel authentication
Set a password for Tunnel authentication       tunnel password { simple | cipher } password
Remove the password for Tunnel authentication  undo tunnel password

Table 109 Set the transfer mode of AVP data

Operation                                            Command
Configure to transfer AVP data in the hidden mode    tunnel avp-hidden


By default, AVP is transferred in plain text.

Setting Hello Interval in Tunnel

In order to check the connectivity of the Tunnel between the LAC and the LNS, the LAC and the LNS send Hello packets to each other periodically, and the receiver responds upon receipt. If the LAC or the LNS does not receive a response from the peer end within a specified interval, it resends the Hello packet and regards the L2TP Tunnel connection as disconnected if no response is received after three transmission attempts. In this case, the LAC and the LNS need to set up a new Tunnel connection.

This configuration is optional on LNS side.

Perform the following configuration in L2TP group view.

By default, Hello interval is 60 seconds. If this configuration is not performed on LNS side, LNS will adopt this default value to send Hello packet to the peer end periodically.

Enabling Mandatory Local CHAP Authentication

After the LAC performs agent authentication on a user, the LNS can authenticate the user again. The user therefore undergoes authentication twice: once on the LAC side and once on the LNS side. Only after both authentications succeed can the L2TP Tunnel be created.

In an L2TP network, the LNS side authenticates users in three ways: agent authentication, mandatory CHAP authentication, and LCP re-negotiation.

Among these three authentication approaches, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured on the LNS side, L2TP chooses the former, adopting the authentication mode configured on the associated virtual template interface.

If only CHAP authentication is configured, LNS will perform CHAP authentication on users.

To perform mandatory CHAP authentication on LNS side, you must configure username, password and user authentication and enable AAA on this side. Mandatory local CHAP authentication is optional on LNS side.

Perform the following configuration in L2TP group view.

Table 109 Set the transfer mode of AVP data (continued)

Operation                               Command
Restore default transfer mode of AVP    undo tunnel avp-hidden

Table 110 Set Hello interval

Operation                                    Command
Set Hello interval                           tunnel timer hello hello-interval
Restore the default value of Hello interval  undo tunnel timer hello


If neither LCP re-negotiation nor mandatory CHAP authentication is configured, the LNS performs agent authentication on the user. In this case, the LAC sends the LNS all authentication information received from the user as well as the authentication mode configured on the LAC side. If you have not configured an authentication mode for the virtual template interface, the LNS side accepts the authentication result from the LAC side.

When the LNS adopts agent authentication, a session is allowed to be created if the authentication mode configured on the virtual template interface is PAP and the authentication succeeds. If the authentication mode configured on the virtual template interface is CHAP and that configured on the LAC side is PAP, authentication fails and the session cannot be created, because the CHAP authentication level demanded by the LNS is higher than the PAP authentication supplied by the LAC.

By default, the local end does not perform CHAP authentication.

Forcing LCP to Re-negotiate

For a NAS-initialized VPN, the user first performs PPP negotiation with the NAS when the PPP session starts. If the negotiation passes, the NAS initializes the L2TP Tunnel connection and transmits the user information to the LNS, so that the LNS can judge whether the user is legal according to the received agent authentication information.

In some cases, however (for example, when authentication and accounting need to be performed on the LNS side at the same time), re-negotiation must take place between the LNS and the user, and the agent authentication information from the NAS side is ignored.

The configuration of mandatory LCP re-negotiation is optional on LNS side.

Perform the following configuration in L2TP group view.

By default, LCP re-negotiation is not performed.

Even if LCP re-negotiation is enabled, the LNS will not authenticate the user if authentication is not configured on the associated virtual template interface. In this case, the user is authenticated only once, on the LAC side, and an address from the global address pool is assigned to the client directly.

Setting Local Address and Assigning Address Pool

After the L2TP Tunnel connection between the LAC and the LNS is created, the LNS should assign IP addresses to VPN users from an address pool. Before an address pool is specified, you must use the ip pool command in system view or domain view to define one. For a detailed description of the ip pool command, refer to the "Security" part of this manual. If the LNS adopts agent authentication or

Table 111 Enable mandatory local CHAP authentication

Operation                                    Command
Enable mandatory local CHAP authentication   mandatory-chap
Disable local CHAP authentication            undo mandatory-chap

Table 112 Enable/disable mandatory LCP re-negotiation

Operation                              Command
Enable mandatory LCP re-negotiation    mandatory-lcp
Disable mandatory LCP re-negotiation   undo mandatory-lcp


mandatory CHAP authentication, the system uses the address pool configured in domain view for address assignment; if LNS adopts mandatory LCP re-negotiation, the system uses the global address pool for address assignment.

These configurations are required on LNS side.

Perform the following configuration in virtual template interface view.

If you do not assign a value to the pool-number parameter after the keyword pool when specifying an address pool, the system uses the default address pool for assignment.

By default, addresses will be assigned to the peer end from address pool 0 (default address pool).
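The precedence among LCP re-negotiation, mandatory CHAP authentication and agent authentication, together with the address pool each path draws from, as an added Python model that is not part of this guide or of 3Com's code. It encodes only the rules stated in the sections above; the one combination the guide does not spell out (virtual template set to CHAP and the LAC also used CHAP) is an assumption and is marked as such in the code.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LnsGroup:
    """Relevant LNS-side settings: L2TP group view plus the virtual template."""
    mandatory_lcp: bool            # mandatory-lcp configured in L2TP group view
    mandatory_chap: bool           # mandatory-chap configured in L2TP group view
    vt_auth_mode: Optional[str]    # 'pap', 'chap' or None (no ppp authentication-mode)


@dataclass(frozen=True)
class ProxyAuth:
    """Agent authentication information the LAC forwards to the LNS."""
    mode: Optional[str]            # 'pap' or 'chap' as configured on the LAC
    succeeded: bool                # result of the LAC-side authentication


@dataclass(frozen=True)
class Decision:
    path: str            # 'lcp-renegotiation', 'mandatory-chap' or 'agent'
    lns_authenticates: bool
    outcome: str         # 'allowed', 'rejected' or 'pending-lns-auth'
    address_pool: str    # 'global' or 'domain' (where remote address pool is taken from)


def lns_decision(cfg: LnsGroup, proxy: ProxyAuth) -> Decision:
    """Apply the guide's rules in priority order for one dial-in user."""
    # 1. LCP re-negotiation has the highest priority; the NAS-side agent
    #    authentication information is ignored and the global pool is used.
    if cfg.mandatory_lcp:
        if cfg.vt_auth_mode is None:
            # No authentication on the VT: the user was authenticated once, on
            # the LAC, and gets an address from the global pool directly.
            return Decision("lcp-renegotiation", False, "allowed", "global")
        return Decision("lcp-renegotiation", True, "pending-lns-auth", "global")

    # 2. Mandatory CHAP: authenticated twice, both must succeed; domain pool.
    if cfg.mandatory_chap:
        outcome = "pending-lns-auth" if proxy.succeeded else "rejected"
        return Decision("mandatory-chap", True, outcome, "domain")

    # 3. Agent authentication: the LNS judges the LAC's result against the VT mode.
    if cfg.vt_auth_mode is None:
        # No mode on the VT: the LNS accepts the LAC-side result as it is.
        outcome = "allowed" if proxy.succeeded else "rejected"
    elif cfg.vt_auth_mode == "chap" and proxy.mode == "pap":
        # LNS demands CHAP but the LAC supplied only PAP: session cannot be created.
        outcome = "rejected"
    else:
        # VT is PAP (stated in the guide), or VT and LAC both CHAP (assumed here).
        outcome = "allowed" if proxy.succeeded else "rejected"
    return Decision("agent", False, outcome, "domain")
```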

Setting Username, Password and User Authentication

On the LNS side, if mandatory CHAP authentication has been configured, you also need to configure the locally registered username and password on the LNS side.

The LAC performs user authentication to determine whether a user is a valid VPN user by comparing the remote dial-in username and password with the usernames and passwords registered at the local end. If the authentication passes, the VPN user is allowed to communicate with the LNS; if it fails, L2TP is notified to clear the L2TP connection.

These configurations are optional on the LNS side. For more information on how to configure them, refer to the section "Setting Username, Password and Local User Authentication".

Disconnecting an L2TP Connection

A connection can be disconnected for one of these reasons: no user is present, a fault occurs on the network, or the administrator requests it.

Both the LAC side and the LNS side can start disconnection. After a Tunnel is disconnected, the control connection and the sessions on it are cleared. The Tunnel can be set up again when a new user dials in.

These configurations are optional on LNS side.

Perform the following configurations in user view.

Table 113 Set local address and assigned address pool

Operation                                               Command
Set local IP address                                    ip address X.X.X.X netmask
Remove the local IP address                             undo ip address X.X.X.X netmask
Specify an address pool for remote address assignment   remote address { pool pool-number | X.X.X.X }
Delete the address pool for remote address assignment   undo remote address

Table 114 Disconnect a connection by force

Operation             Command
Disconnect a Tunnel   reset l2tp tunnel { name remote-name | id tunnel-id }


Enabling/Disabling Flow Control Function of Tunnel

This configuration enables or disables the simple flow control function on a Tunnel.

These configurations are optional on LAC side.

Perform the following configuration in L2TP group view.

By default, the flow control function of Tunnels is disabled.

Setting the L2TP Session Timeout Timer

An L2TP session is disconnected automatically if the session is idle or no data is transmitted or received on it for a specified period of time. You may set a session timeout timer to specify this idle period. This period can be 0 seconds; that is, the timer never expires.

Perform the following configuration in L2TP group view.

By default, L2TP session timeout timer never expires.

Displaying and Debugging L2TP

After performing the above configuration tasks, execute the display commands in any view to view the running status of the L2TP configuration and to verify the configuration effect. The debugging commands can be used in user view.

Table 114 Disconnect a connection by force (continued)

Operation              Command
Disconnect a session   reset l2tp session session-id
Disconnect a user      reset l2tp user-name user-name

Table 115 Enable/disable flow control function of a Tunnel

Operation                                   Command
Enable flow control function of a Tunnel    tunnel flow-control
Disable flow control function of a Tunnel   undo tunnel flow-control

Table 116 Set the L2TP session timeout timer

Operation                               Command
Set the L2TP session timeout timer      session idle-time time
Disable the L2TP session timeout timer  undo session idle-time

Table 117 Display and debug L2TP

Operation                                             Command
Display information about the current L2TP users      display l2tp user
Display information about the current L2TP Tunnels    display l2tp tunnel
Display information about the current L2TP sessions   display l2tp session
Enable all L2TP information debugging                 debugging l2tp all
Disable all L2TP information debugging                undo debugging l2tp all
Enable L2TP control packet debugging                  debugging l2tp control
Disable L2TP control packet debugging                 undo debugging l2tp control
Enable PPP packet debugging                           debugging l2tp dump


L2TP Configuration Example

Network requirements

As shown in Figure 27, a VPN user accesses the headquarters as follows:

■ The L2TP user implements dial-up access.

■ The narrowband access server (NAS) authenticates this user. The NAS sends a request to the LNS to establish a Tunnel.

■ After the Tunnel between the NAS and the LNS is established, the NAS forwards the packet from its negotiation with the VPN user to the LNS.

■ The LNS determines whether to accept this connection according to the pre-negotiated content.

■ The user and the headquarters communicate through the Tunnel between the NAS and the LNS.

Table 117 Display and debug L2TP (continued)

Operation                              Command
Disable PPP packet debugging           undo debugging l2tp dump
Enable L2TP error debugging            debugging l2tp error
Disable L2TP error debugging           undo debugging l2tp error
Enable L2TP event debugging            debugging l2tp event
Disable L2TP event debugging           undo debugging l2tp event
Enable hidden AVP debugging            debugging l2tp hidden
Disable hidden AVP debugging           undo debugging l2tp hidden
Enable L2TP payload debugging          debugging l2tp payload
Disable L2TP payload debugging         undo debugging l2tp payload
Enable L2TP time stamp debugging       debugging l2tp time-stamp
Disable L2TP time stamp debugging      undo debugging l2tp timestamp


Network diagram

Figure 27 Network diagram for L2TP

Configuration procedure

1 PC

IP address: 10.0.0.1/24

Gateway: 10.0.0.254

2 NAS

# Set a system user.

<NAS> system-view
[NAS] local-user vpdnuser
[NAS-luser-vpdnuser] password simple Hello
[NAS-luser-vpdnuser] service-type ppp
[NAS-luser-vpdnuser] quit

# Configure a virtual template interface.

[NAS] interface Virtual-Template 0
[NAS-Virtual-Template0] ppp authentication-mode pap
[NAS-Virtual-Template0] quit

# Bind the virtual template interface to the Ethernet interface.

[NAS] interface GigabitEthernet 0/0
[NAS-GigabitEthernet0/0] pppoe-server bind virtual-template 0
[NAS-GigabitEthernet0/0] quit

# Configure the Ethernet interface connected to the LNS.

[NAS] interface GigabitEthernet 0/1
[NAS-GigabitEthernet0/1] ip address 50.0.0.1 24
[NAS-GigabitEthernet0/1] quit

# Enable L2TP service.

[NAS] l2tp enable

# Set an L2TP group.

[NAS] l2tp-group 1
[NAS-l2tp1] Tunnel authentication
[NAS-l2tp1] Tunnel password simple secblade
[NAS-l2tp1] Tunnel name LAC
[NAS-l2tp1] start l2tp ip 50.0.0.254 fullusername l2tp
[NAS-l2tp1] quit

# Configure a static route.

[NAS] ip route-static 0.0.0.0 0 50.0.0.254

3 Switch 8800 Family switches (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure a static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of IPsec module interfaces (the IPsec module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create the SecBlade test.

[SW8800] secblade test

# Specify an IPsec module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30


# Set the VLAN to be protected.

[3Com-secblade-test] security-vlan 50

# Map the IPsec module to the IPsec module in the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the IPsec module in the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create a sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface to the corresponding zone (applicable to the firewall card only).

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the firewall to permit packets to pass (applicable to the firewall card only).

[secblade] firewall packet-filter default permit

# Set a system user.

[secblade] local-user vpdnuser
[secblade-luser-vpdnuser] password simple Hello
[secblade-luser-vpdnuser] service-type ppp
[secblade-luser-vpdnuser] quit

# Configure a virtual template interface.

[secblade] interface Virtual-Template 0
[secblade-Virtual-Template0] ip address 100.0.0.254 24
[secblade-Virtual-Template0] remote address 100.0.0.1
[secblade-Virtual-Template0] ppp authentication-mode pap
[secblade-Virtual-Template0] quit


# Enable L2TP service.

[secblade] l2tp enable

# Set an L2TP group.

[secblade] l2tp-group 1
[secblade-l2tp1] Tunnel authentication
[secblade-l2tp1] Tunnel password simple secblade
[secblade-l2tp1] Tunnel name LNS
[secblade-l2tp1] allow l2tp virtual-template 0 remote LAC
[secblade-l2tp1] quit

# Configure a static route.

[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Quit the IPsec module configuration view.

[secblade] quit
<secblade> quit

L2TP Troubleshooting

The VPN Tunnel setup process is quite complicated; only several common cases are analyzed here. Before debugging VPN, confirm that both the LAC and the LNS are connected to a public network and are connected correctly.

Symptom 1: User’s login fails.

Troubleshooting:

Failure causes are as follows:

■ Tunnel establishment fails because:

1 On the LAC side, the LNS address is set improperly.

2 On the LNS side (usually a security gateway or a router), no L2TP group that can accept the remote end of the Tunnel is configured. For details, refer to the description of the allow command.

3 Tunnel authentication fails. If authentication is configured, make sure that the same Tunnel authentication password is configured on both sides.

4 The local end forcibly disconnects the connection, but the remote end does not receive the "Disconnect" packet because of a network transmission problem; a Tunnel setup request originated immediately afterwards fails in this case. The reason is that neither side can detect the disconnected link within a certain time, and Tunnel connections originated by the two ends with the same IP address are not allowed.

■ PPP negotiation fails because:

1 The username or password set on the LAC side is wrong, or the corresponding user is not set on the LNS side.

2 The LNS cannot assign addresses, for example because the address pool is too small or no address pool is set at all.


3 The types of Tunnel password authentication are inconsistent. The default authentication type of a VPN connection created by Windows 2000 is MSCHAP. If the peer end does not support MSCHAP, CHAP is recommended as a substitute.

Symptom 2: Data transmission fails. After the connection is established, no data can be transmitted, e.g. the peer end cannot be pinged.

Troubleshooting: Possible causes are as follows:

■ The address set by the user is wrong: Generally, it is up to the LNS to assign addresses, but a user can also designate his own address. If the designated address and the address assigned by the LNS are not in the same network segment, this problem occurs. It is recommended that the LNS assign all addresses.

■ Network congestion: Congestion occurs on the Internet backbone and packet loss is serious. L2TP uses User Datagram Protocol (UDP) for transmission. Because UDP has no error control mechanism, applying L2TP on an unstable line will result in ping failures.

9 CONFIGURATION OF GRE

Brief Introduction to GRE

GRE overview

Generic Routing Encapsulation (GRE) can encapsulate datagrams of some network layer protocols (e.g. IP and IPX) so that the encapsulated datagrams can be transferred in another network layer protocol (e.g. IP). GRE is a layer 3 Tunnel protocol of VPN, adopting a technique called tunneling between protocol layers. Each Tunnel is a virtual point-to-point connection and can be regarded as a virtual interface that only supports point-to-point connection. The interface provides a Tunnel through which encapsulated datagrams can be transmitted, and it encapsulates and decapsulates datagrams at the two ends of the Tunnel.

To move in a Tunnel, a packet must undergo the processes of encapsulation and decapsulation, which are illustrated in Figure 28:

Figure 28 IPX network interconnection through GRE Tunnel

1 The process of encapsulation

After receiving an IPX packet, the interface connected to Novell group1 first sends it to IPX for processing. IPX decides how to route it by examining the destination address field in its IPX header. If IPX finds that the packet should pass the network 1f (virtual network number of the Tunnel) in order to reach the destination, it delivers the packet to the Tunnel interface with the network number of 1f. After receiving the packet, the Tunnel interface performs GRE encapsulation before forwarding it to the IP module for processing. After the IP header is encapsulated, the packet will be forwarded to the appropriate network interface according to its destination address and the routing table.

2 The process of decapsulation

The process of decapsulation is the reverse of encapsulation. The system examines the destination address of each IP packet received from the Tunnel interface; if it is this security gateway, the system removes the IP header of the packet and sends it to the GRE module for processing (verifying the key, checksum and sequence number of the packet, etc.). After completing these checks, the GRE module removes the GRE header of the packet and sends it to the IPX module, where it is handled just like a common IPX packet.

(Figure 28 labels: Novell IPX Protocol Group1; Switch 8800 A; Tunnel across the Internet; Switch 8800 B; Novell IPX Protocol Group2)

When the system receives a datagram that needs to be encapsulated and routed, called the payload, it first adds a GRE header to the datagram to form a GRE packet. This GRE packet is then encapsulated in an IP packet, thus allowing the IP layer to take full charge of forwarding it. The IP protocol in this case is called the Delivery Protocol or Transport Protocol.

The format of an encapsulated Tunnel packet is shown as follows:

Figure 29 Format of encapsulated Tunnel packets

For instance, an IPX Delivery packet encapsulated in IP Tunnel is as follows:

Figure 30 Format of Delivery packets in Tunnel

Application scope

GRE mainly provides services below:

1 Allowing a multi-protocol local network to make transmission through a single-protocol backbone

Figure 31 Multi-protocol local network that makes transmission through a single-protocol backbone

(Figure 29 labels: Delivery Header (Transport Protocol); GRE Header (Encapsulation Protocol); Payload Packet (Passenger Protocol). Figure 30 labels: IP, Transport Protocol; GRE, Carrier Protocol / Encapsulation Protocol; IPX, Passenger Protocol. Figure 31 labels: Novell IPX protocol Group1; IP protocol Term 1; Switch 8800 A; Tunnel across the Internet; Switch 8800 B; Novell IPX protocol Group2; IP protocol Term 2.)

In the above figure, Group1 and Group2 are the local networks employing the Novell IPX protocol; Term1 and Term2 are the local networks running IP. By setting up a GRE Tunnel between 3Com A and 3Com B, you can allow Group1 to communicate with Group2, and Term1 with Term2, without interfering with each other.

2 Expanding the operating area of networks running hop-limited protocols (e.g. IPX)

Figure 32 Expanding network operating area

If the hop count between two terminals in the above figure is more than 15, the two terminals cannot communicate with each other. By setting up a Tunnel across the network, some hops can be hidden, thus expanding the operating area of the network.

3 Connecting some discontinuous sub-networks to establish VPN

Figure 33 Tunnel connecting discontinuous sub-networks

Sub-networks group1 and group2 running Novell IPX are in different cities but they can form a VPN over WAN by using a Tunnel.

4 The use in conjunction with IPsec

Figure 34 GRE-IPsec Tunnel application

As illustrated in the above figure, GRE can encapsulate multicast data and transmit it through the GRE Tunnel. As provisioned, IPsec can only protect unicast data at present. To transmit multicast data such as routing protocol, voice and image traffic in an IPsec Tunnel, you can set up a GRE Tunnel, encapsulate the multicast data with GRE, and then encrypt the encapsulated data using IPsec. Thus, data secrecy in transmission can be achieved.

(Figure 32 labels: Router; Tunnel; Switch8800A; Router; Switch8800B; IP network. Figure 33 labels: PC; IP network; Tunnel; group 1 novell; group2 novell; Switch8800A; Switch8800B. Figure 34 labels: VLAN; Internet; IPSec Tunnel; GRE Tunnel; Remote office network; Corporate intranet; Switch8800A; Switch8800B.)

In addition, GRE allows users to set and check an identification key on the Tunnel interface, and supports end-to-end checksum verification of encapsulated packets.

Because of the encapsulation and decapsulation performed by the GRE sender and receiver, and the growth in packet size caused by encapsulation, using GRE may somewhat decrease the data forwarding efficiency of security gateways.

GRE Configuration

Of all the configuration tasks, the virtual Tunnel interface must be created first, before other features can be configured on it. Deleting a virtual Tunnel interface deletes all configuration on it.

GRE configuration tasks include:

■ Create virtual Tunnel interface (required)

■ Set encapsulation mode (optional)

■ Specify source end of Tunnel (required)

■ Specify destination end of Tunnel (required)

■ Set network address of Tunnel interface (required)

■ Configure end-to-end verification on both ends of Tunnel (optional)

■ Set identification key of Tunnel interface (optional)

■ Configure routing via Tunnel (optional)

Creating Virtual Tunnel Interface

A virtual Tunnel interface must be created so that the other GRE parameters can be configured on it. This configuration is required on both ends of the Tunnel.

Perform the following configuration in system view.

Table 118 Create virtual Tunnel interface

Operation | Command
Create a virtual Tunnel interface | interface tunnel number
Delete a virtual Tunnel interface | undo interface tunnel number

By default, no virtual Tunnel interface is created.

The device adopts a distributed structure, on which interfaces are identified by three numbers, namely slot/card/port. The slot parameter is the slot number of the specified universal interface module; card is the number of the installed card, which can be 0 or 1; port is the number of the specified interface, ranging from 0 to 1023, but the actual number of Tunnels that can be created depends on the total number of interfaces and the available memory.

When creating a Tunnel interface, it is recommended that the slot parameter match the slot of the source interface configured by the source command; in other words, the slot number specified by slot is the same as that of the actual physical interface forwarding GRE packets, thus improving the forwarding efficiency.

Setting Encapsulation Mode

The encapsulation protocol and delivery protocol are configured on the Tunnel interface. You may choose not to configure them at either end of the Tunnel, but if you do configure them, make sure to use the same encapsulation mode at both ends (at present, only GRE is available).

Perform the following configuration in Tunnel interface view.

Table 119 Set encapsulation mode

Operation | Command
Set encapsulation mode on the Tunnel interface | tunnel-protocol gre
Delete the encapsulation mode on the Tunnel interface | undo tunnel-protocol

By default, the encapsulation protocol is GRE and the delivery protocol is IP.

Specifying Tunnel Source

After a Tunnel interface is created, the source address of the Tunnel, that is, the address of the actual interface from which GRE packets are forwarded, also needs to be specified. A Tunnel is uniquely identified by one source address and one destination address. These configurations are required on both ends of the Tunnel, with the source address at one end being the destination address at the other end and vice versa.

Perform the following configuration in Tunnel interface view.

Table 120 Specify source address of the Tunnel

Operation | Command
Specify source address of the Tunnel | source { ip-addr | interface-type interface-num }
Delete the source address of the Tunnel | undo source

Note:

■ The same source address and destination address cannot be configured on two or more Tunnel interfaces encapsulated with the same protocol.

■ The source command configures the address of an actual physical interface, or the physical interface itself. The network address of the Tunnel interface still needs to be configured with the ip address command in Tunnel interface view.

Specifying Tunnel Destination

After a Tunnel interface is created, the destination address of the Tunnel, that is, the IP address of the actual physical interface receiving GRE packets, also needs to be specified. A Tunnel is uniquely identified by one source address and one destination address. These configurations are required on both ends of the Tunnel, with the source address at one end being the destination address at the other end and vice versa.

Perform the following configuration in Tunnel interface view.

Table 121 Specify destination address of the Tunnel

Operation | Command
Set destination address of the Tunnel | destination ip-addr
Delete the destination address of the Tunnel | undo destination

Note: The destination command sets the IP address of an actual physical interface. To support dynamic routing protocols, the network address of the Tunnel interface also needs to be configured.

Assigning Network Address to Tunnel Interface

You must assign addresses to the interfaces at both ends of a Tunnel. The assigned addresses can be private ones, but they must belong to the same network segment.

Perform the following configuration in Tunnel interface view.

Table 122 Assign network address to a Tunnel interface

Operation | Command
Assign an IP address to the Tunnel interface | ip address ip-addr mask
Delete the IP address of the Tunnel interface | undo ip address

By default, no network address is configured on the Tunnel interface.

Configuring End-to-End Verification on Both Ends of Tunnel

As RFC 1701 provisions, if the Checksum Present bit in the GRE header is set to 1, the checksum field is present and contains valid information. The sender calculates the checksum over the GRE header and the payload and sends the packet carrying the checksum to the peer end. The receiver calculates the checksum of the received packet and compares it with the one carried in the packet. If they match, the packet is processed further; otherwise it is discarded.

Checksum can be enabled or disabled on the two ends of a Tunnel as needed. If checksum is enabled only at the local end, the local end calculates the checksum of each transmitted packet but ignores the checksum of received packets; conversely, if checksum is enabled only at the remote end, the local end verifies the checksum of each received packet but ignores the checksum of transmitted packets.

Perform the following configuration in Tunnel interface view.

Table 123 Enable/disable end-to-end verification on both ends of a Tunnel

Operation | Command
Enable end-to-end verification on both ends of the Tunnel | gre checksum
Disable end-to-end verification on both ends of the Tunnel | undo gre checksum

By default, end-to-end verification is disabled on both ends of the Tunnel.

Setting Identification Key of Tunnel Interface

RFC 1701 provisions that if the Key Present bit in the GRE header of a packet is set to 1, the Tunnel identification key carried by the packet is verified between the sender and the receiver. The verification fails if different identification keys are used, and the packet is discarded.

Perform the following configuration in Tunnel interface view.

Table 124 Set identification key of the Tunnel interface

Operation | Command
Set identification key of the Tunnel interface | gre key key-number
Cancel the identification key of the Tunnel interface | undo gre key

The key-number parameter is an integer in the range 0 to 4294967295.

By default, the Tunnel does not use a key.

Configuring Routing via Tunnel

A Tunnel route, either static or dynamic, must exist at both the source and destination ends so that GRE packets can be forwarded properly.

Configuring static routing

You may manually configure a static route to the destination address. This is the destination address of the original packet before GRE encapsulation, not the destination address of the Tunnel, and the next hop is the address of the remote Tunnel interface. This configuration is required at both ends of the Tunnel. For details about this configuration, refer to the Routing Protocol module of this manual. For detailed descriptions of the configuration commands, refer to the Command Manual accompanying this manual.

Configuring dynamic routing

If a dynamic routing protocol is running on the security gateway, you may simply enable this protocol on both the Tunnel interface and the interface of the security gateway directly connected to the private network. This configuration is required on both ends of the Tunnel. For details about this configuration, refer to the Routing Protocol module of this manual. For detailed descriptions of the configuration commands, refer to the Command Manual accompanying this manual.

Configuring the Keepalive Function

Perform the following configuration in Tunnel interface view.

Table 125 Configure the keepalive function

Operation | Command
Enable the keepalive function of GRE | keepalive [ seconds ] [ times ]
Disable the keepalive function of GRE | undo keepalive [ seconds ] [ times ]

By default, the keepalive function of GRE is disabled; the seconds argument defaults to 10 and times to 3.

After the GRE keepalive function is enabled, the IPsec module sends GRE keepalive packets through the Tunnel interface periodically. If the remote end does not respond within the timeout, the local IPsec module sends keepalive packets again. If the remote end still does not respond after the maximum number of retries, the protocol state of the local Tunnel interface goes down.
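The GRE header handling described under Setting Encapsulation Mode, Configuring End-to-End Verification and Setting Identification Key above, as an added example that is not part of this guide or of the switch software: a Python sender/receiver pair for the RFC 1701 header with the Checksum Present and Key Present bits, computing the checksum over GRE header plus payload and discarding packets whose checksum or key does not verify. The receive policy of an end without gre checksum (ignore the checksum of received packets) follows the text above; that a keyed end also rejects unkeyed packets is an assumption of this example, and the IP delivery header is not modelled.

```python
import struct
from typing import Optional, Tuple

# GRE flag bits in the first 16-bit word of the header (RFC 1701 layout).
GRE_FLAG_C = 0x8000        # Checksum Present
GRE_FLAG_K = 0x2000        # Key Present
GRE_FLAG_S = 0x1000        # Sequence Number Present
GRE_VERSION_MASK = 0x0007  # Ver field, must be 0 for RFC 1701 GRE
GRE_PROTO_IPX = 0x8137     # protocol type of Novell IPX, the passenger protocol in Figure 30


class GreError(ValueError):
    """Raised when a receive-side check fails, i.e. the packet would be discarded."""


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int, checksum: bool = False,
                    key: Optional[int] = None) -> bytes:
    """Build GRE header + payload as the sender does with 'gre checksum' / 'gre key' set.

    The checksum covers the GRE header and the payload; the Checksum field is taken
    as zero while it is being computed.
    """
    flags = 0
    if checksum:
        flags |= GRE_FLAG_C
    if key is not None:
        flags |= GRE_FLAG_K
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)  # Checksum placeholder and Offset field
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + payload
    if checksum:
        csum = internet_checksum(packet)
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes, local_key: Optional[int] = None,
                    verify_checksum: bool = True) -> Tuple[int, bytes]:
    """Parse a GRE packet as the receiver does and return (proto, payload).

    verify_checksum=False models an end without 'gre checksum': it ignores the checksum
    of received packets even when the C bit is set. A key mismatch always discards.
    """
    if len(packet) < 4:
        raise GreError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise GreError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_C:
        if len(packet) < offset + 4:
            raise GreError("truncated checksum field")
        # Summing the whole packet, stored checksum included, yields 0 when it is intact.
        if verify_checksum and internet_checksum(packet) != 0:
            raise GreError("checksum mismatch")
        offset += 4
    if flags & GRE_FLAG_K:
        if len(packet) < offset + 4:
            raise GreError("truncated key field")
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
        if key != local_key:
            raise GreError("key mismatch: packet carries %d" % key)
    elif local_key is not None:
        # Assumption of this example: an end configured with a key rejects unkeyed packets.
        raise GreError("key expected but absent")
    if flags & GRE_FLAG_S:
        offset += 4  # sequence number is carried but not checked in this example
    return proto, packet[offset:]


# Constructed sample payload standing in for an IPX datagram (not a real IPX packet).
SAMPLE_PAYLOAD = b"\xff\xff" + b"\x00" * 28 + b"ipx-data"

if __name__ == "__main__":
    pkt = gre_encapsulate(SAMPLE_PAYLOAD, GRE_PROTO_IPX, checksum=True, key=1234)
    print("GRE packet:", pkt.hex())
    print("received:", gre_decapsulate(pkt, local_key=1234))
```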


Displaying and Debugging GRE

Upon the completion of the above configurations, execute the display command in any view to view their running state and to verify the effect of the configurations. The debugging command can be used in user view.

Table 126 Display and debug GRE

Operation | Command
Display operating state of Tunnel interfaces | display interface tunnel number
Enable Tunnel information debugging | debugging tunnel

GRE Configuration Example

Network requirements

A GRE Tunnel is established between SecBlade_A and SecBlade_B so that PC_A and PC_B can be connected.

Network diagram

Figure 35 Network diagram for GRE

(Figure 35 labels: Switch 8800A; Switch 8800B)

Configuration procedure

1 PC A

IP address: 10.0.0.1/24

Gateway: 10.0.0.254

2 PC B

IP address: 20.0.0.1/24

Gateway: 20.0.0.254

3 Router


# Configure the interface address.

<Router> system-view
[Router] interface GigabitEthernet 0/0
[Router-GigabitEthernet0/0] ip address 50.0.0.1 24
[Router-GigabitEthernet0/0] quit
[Router] interface GigabitEthernet 0/1
[Router-GigabitEthernet0/1] ip address 60.0.0.1 24
[Router-GigabitEthernet0/1] quit

4 3Com_A (SecBlade_A)

# Divide VLANs.

<3Com_A> system-view
[3Com_A] vlan 10
[3Com_A-vlan10] quit
[3Com_A] vlan 30
[3Com_A-vlan30] quit
[3Com_A] vlan 50
[3Com_A-vlan50] quit

# Configure the IP address.

[3Com_A] interface vlan-interface 10
[3Com_A-Vlan-interface10] ip address 10.0.0.254 24
[3Com_A-Vlan-interface10] quit
[3Com_A] interface vlan-interface 30
[3Com_A-Vlan-interface30] ip address 30.0.0.1 24
[3Com_A-Vlan-interface30] quit

# Configure the static route.

[3Com_A] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of IPsec module interfaces (the module resides in slot 2).

[3Com_A] secblade aggregation slot 2

# Establish a SecBlade configuration module test.

[3Com_A] secblade module test

# Specify the SecBlade interface VLAN.

[3Com_A-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com_A-secblade-test] security-vlan 50

# Map the IPsec module to the IPsec module of the specified slot.

[3Com_A-secblade-test] map to slot 2
[3Com_A-secblade-test] quit
[3Com_A] quit

# Log into the IPsec module card of the specified slot.


<3Com_A> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_A> system-view

# Create the sub-interface.

[secblade_A] interface GigabitEthernet 0/0.1
[secblade_A-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade_A-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade_A-GigabitEthernet0/0.1] quit
[secblade_A] interface GigabitEthernet 0/0.2
[secblade_A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade_A-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade_A-GigabitEthernet0/0.2] quit

# Create the Tunnel interface.

[secblade_A] interface Tunnel 0

# Configure the Tunnel IP address.

[secblade_A-Tunnel0] ip address 100.0.0.1 24

# Configure Tunnel encapsulation mode.

[secblade_A-Tunnel0] tunnel-protocol gre

# Configure the source address of the Tunnel.

[secblade_A-Tunnel0] source 50.0.0.254

# Configure the destination address of the Tunnel.

[secblade_A-Tunnel0] destination 60.0.0.254
[secblade_A-Tunnel0] quit

# Add the Tunnel interface to the Untrust zone (applicable to the firewall card only).

[secblade_A] firewall zone untrust
[secblade_A-zone-untrust] add interface Tunnel 0
[secblade_A-zone-untrust] quit

# Configure the static route passing by the Tunnel.

[secblade_A] ip route-static 20.0.0.0 24 Tunnel 0
[secblade_A] ip route-static 10.0.0.0 24 30.0.0.1
[secblade_A] ip route-static 0.0.0.0 0 50.0.0.1

# Quit IPsec module configuration view.

[secblade_A] quit
<secblade_A> quit
[3Com_A]

5 3Com_B(secblade_B)


# Divide VLANs.

<3Com_B> system-view
[3Com_B] vlan 20
[3Com_B-vlan20] quit
[3Com_B] vlan 40
[3Com_B-vlan40] quit
[3Com_B] vlan 60
[3Com_B-vlan60] quit

# Configure the IP addresses.

[3Com_B] interface vlan-interface 20
[3Com_B-Vlan-interface20] ip address 20.0.0.254 24
[3Com_B-Vlan-interface20] quit
[3Com_B] interface vlan-interface 40
[3Com_B-Vlan-interface40] ip address 40.0.0.1 24
[3Com_B-Vlan-interface40] quit

# Configure the static route.

[3Com_B] ip route-static 0.0.0.0 0 40.0.0.254

# Configure aggregation of IPsec module interfaces (the module resides in slot 2).

[3Com_B] secblade aggregation slot 2

# Create the SecBlade test.

[3Com_B] secblade test

# Specify the SecBlade interface VLAN.

[3Com_B-secblade-test] secblade-interface vlan-interface 40

# Set the protected VLAN.

[3Com_B-secblade-test] security-vlan 60

# Map the IPsec module to the IPsec module of the specified slot.

[3Com_B-secblade-test] map to slot 2
[3Com_B-secblade-test] quit
[3Com_B] quit

# Log into the IPsec module of the specified slot.

<3Com_B> secblade slot 2
(Both the user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_B> system-view

# Create the sub-interface.

[secblade_B] interface GigabitEthernet 0/0.1
[secblade_B-GigabitEthernet0/0.1] vlan-type dot1q vid 40
[secblade_B-GigabitEthernet0/0.1] ip address 40.0.0.254 24
[secblade_B-GigabitEthernet0/0.1] quit

[secblade_B] interface GigabitEthernet 0/0.2
[secblade_B-GigabitEthernet0/0.2] vlan-type dot1q vid 60
[secblade_B-GigabitEthernet0/0.2] ip address 60.0.0.254 24
[secblade_B-GigabitEthernet0/0.2] quit

# Create the Tunnel interface.

[secblade_B] interface Tunnel 0

# Configure the Tunnel IP address.

[secblade_B-Tunnel0] ip address 100.0.0.2 24

# Configure Tunnel encapsulation mode.

[secblade_B-Tunnel0] tunnel-protocol gre

# Configure the source address of the Tunnel.

[secblade_B-Tunnel0] source 60.0.0.254

# Configure the destination address of the Tunnel.

[secblade_B-Tunnel0] destination 50.0.0.254
[secblade_B-Tunnel0] quit

# Add the Tunnel interface to the Untrust zone (applicable to the firewall card only).

[secblade_B] firewall zone untrust
[secblade_B-zone-untrust] add interface Tunnel 0
[secblade_B-zone-untrust] quit

# Configure the static route passing through the Tunnel.

[secblade_B] ip route-static 10.0.0.0 24 Tunnel 0
[secblade_B] ip route-static 20.0.0.0 24 40.0.0.1
[secblade_B] ip route-static 0.0.0.0 0 60.0.0.1

# Quit IPsec module configuration view.

[secblade_B] quit
<secblade_B> quit
[3Com_B]

GRE Troubleshooting

GRE configuration is relatively simple, except that you should pay attention to the consistency between the two ends. Most errors can be located by executing the debugging tunnel command. Here, only one type of error is analyzed, as shown in the following figure:


Figure 36 Troubleshooting example of GRE

Symptom 1: The interfaces at both ends of the Tunnel are correctly configured and both ends of the Tunnel can "ping" each other successfully, but PC A and PC B fail to do so.

Troubleshooting: Perform the following steps:

■ In user view, execute the display ip route command on 3Com1 and 3Com2 respectively, and make sure there is a route from interface Tunnel1/0/0 to 10.2.0.0/16 on 3Com1, and a route from interface Tunnel2/0/0 to 10.1.0.0/16 on 3Com2.

■ If the needed static route does not exist in the output of the above step, execute the ip route-static command in system view to add it. Taking 3Com1 for example, make the following configuration:

<3Com1> system-view
[3Com1] ip route-static 10.2.0.0 255.255.0.0 Tunnel 0

(Figure 36 labels: PC A 10.1.1.1/16; PC B 10.2.1.1/16; Ethernet1/0/0; Ethernet2/0/1; Tunnel; Switch88001; Switch88003; Switch88002; Tunnel1/0/0; Tunnel2/0/0)


10 IPSEC CONFIGURATION

IPsec Overview

IP Security (IPsec) is a family of protocols defined by the IETF. It provides high-quality, interoperable, cryptography-based security for IP packets. The two communicating sides perform encryption and data origin authentication at the IP layer to provide confidentiality, data integrity, data origin authentication and anti-replay protection for packets in transit.

■ Confidentiality: client data is encrypted and transmitted as ciphertext.

■ Data integrity: the receiver authenticates the received data to determine whether the packet has been modified in transit.

■ Data origin authentication: the receiver authenticates the data source to make sure the data was sent by the genuine sender.

■ Anti-replay: a malicious party is prevented from repeatedly sending a captured data packet; the receiver discards old or duplicated packets.

IPsec achieves these aims through two security protocols, authentication header (AH) and encapsulating security payload (ESP). In addition, Internet key exchange (IKE) provides automatic key negotiation and security association (SA) setup and maintenance for IPsec, which simplifies the use and management of IPsec.

■ AH mainly provides data origin authentication, data integrity authentication and anti-replay protection. It cannot encrypt the packet.

■ ESP provides encryption in addition to the functions AH provides. However, its data integrity authentication does not cover the IP header.

Note: AH and ESP can be used either independently or together. AH and ESP each have two working modes, transport mode and Tunnel mode, which are introduced later.

■ IKE negotiates the cryptographic algorithms used by AH and ESP and distributes the keys those algorithms need to the right places.

Note: IPsec policies and algorithms can also be negotiated manually, so IKE negotiation is not mandatory. The two negotiation modes are compared later.


Overview of Encryption Card

IPsec may use ESP or AH to process packets. For high security, complex encryption/decryption/authentication algorithms are often used. IPsec on a security gateway consumes a lot of CPU resources on these algorithms, so overall performance may degrade. To solve this problem, you can insert an encryption card into a modular security gateway so that IPsec operations are processed by hardware. This improves IPsec processing efficiency as well as the overall performance of the security gateway.

1 Encryption/decryption on the encryption card: the security gateway sends the data to be encrypted or decrypted to the encryption card. The card runs the encryption/decryption operations, adds or removes the encryption headers, and sends the processed data back to the security gateway for forwarding.

2 For an IPsec SA implemented by the encryption card: if the card fails, the backup function is enabled on the card, and the encryption/authentication algorithms selected for the SA are supported by the IPsec module on the Comware platform, then IPsec is implemented by the IPsec module on the Comware platform. One encryption card cannot be used as the backup of another card.

Note: The encryption card processes data by the same mechanism as the IPsec module on the Comware platform. The only difference is that the card uses hardware while the IPsec module uses software.

IPsec Basic Concepts

Security association

IPsec provides secure communication between two ends, which are called IPsec peers.

IPsec allows systems, network users or administrators to control the granularity of the security services between peers. For instance, the IPsec policies of one group may prescribe that data flows from a certain subnet be protected by both AH and ESP and encrypted with Triple Data Encryption Standard (3DES), while data flows from another site be protected by ESP only and encrypted with DES only. IPsec provides different levels of protection for different data flows based on SAs.

The SA is fundamental to IPsec. It is the agreement between communicating peers on a set of elements: which protocol is applied (AH, ESP or both), the working mode (transport mode or Tunnel mode), the encryption algorithm (DES or 3DES), the shared key that protects a given stream, and the SA lifetime.

An SA is unidirectional, so at least two SAs are needed to protect the data flow in both directions of a bi-directional communication. Moreover, if both AH and ESP are applied to the data flow between peers, separate SAs are still needed for AH and for ESP.

An SA is uniquely identified by a triplet: the Security Parameter Index (SPI), the destination IP address and the security protocol ID (AH or ESP). The SPI is a 32-bit number generated to uniquely identify the SA; it is carried in the AH/ESP header.

An SA has a lifetime, which can be defined in two ways:

■ Time-based lifetime: the SA is renewed after a specified interval;

■ Traffic-based lifetime: the SA is renewed after a certain amount of data (in bytes) has been transmitted.


Working mode of IPsec protocol

IPsec protocol falls into two working modes: transport mode and Tunnel mode. They are specified in SA.

In transport mode, AH/ESP is inserted after the IP header but before all transport layer protocols or all other IPsec protocols. In Tunnel mode, AH/ESP is inserted before the original IP header but after the new IP header. The data encapsulation format for the protocols (taking the transport protocol TCP as an example) in transport/Tunnel mode is shown in the following figure:

Figure 37 Data encapsulation format for security protocols

The Tunnel mode is safer than the transport mode. It can authenticate and encrypt original IP data packets completely. Moreover, it can hide the client IP address via the IPsec peer IP address. On the other hand, the Tunnel mode occupies more bandwidth than the transport mode because it has an extra IP header. Therefore, you can select a proper mode according to the practical need on security or performance.

Authentication algorithm and encryption algorithm

1 Authentication algorithm

Both AH and ESP can authenticate the integrity of an IP packet so as to determine whether the packet has been modified. The authentication algorithm is implemented with a hash function, an algorithm that accepts messages of any length and produces output of a fixed length, called the message digest. The IPsec peers each compute the digest of the packet with the hash function. If the digests are identical, the packet is intact and has not been modified.

Generally speaking, there are two types of IPsec authentication algorithms.

■ MD5: Input a message of any length and generate a 128-bit message digest.

■ SHA-1: Input a message of less than 2^64 bits and generate a 160-bit message digest.

Because the SHA-1 digest is longer than that of MD5, SHA-1 is safer than MD5.

Figure 37 Data encapsulation format for security protocols (as a table)

AH, transport mode: IP Header | AH | TCP Header | data

AH, Tunnel mode: new IP Header | AH | raw IP Header | TCP Header | data

ESP, transport mode: IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data

ESP, Tunnel mode: new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data

AH-ESP, transport mode: IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data

AH-ESP, Tunnel mode: new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data

2 Encryption algorithm

ESP can encrypt IP packets so that their contents are not disclosed during transmission. The encryption algorithm encrypts and decrypts data with the same key, that is, it is a symmetric-key system. IPsec in Comware implements three types of encryption algorithms:

■ DES (Data Encryption Standard): encrypts a 64-bit block of clear text with a 56-bit key.

■ 3DES (Triple DES): encrypts clear text with three 56-bit keys (a 168-bit key).

■ AES (Advanced Encryption Standard): the 128-bit, 192-bit and 256-bit AES algorithms, conforming to the IETF standards, can be implemented on Comware.
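As an added example (not from the 3Com guide and not Comware code), the layouts of Figure 37 as a small Python model: it lists the fields of each protocol/mode pair in order and adds up the bytes each costs on the wire, so the extra bandwidth of Tunnel mode can be measured. The header sizes are the fixed IPv4 values of the AH/ESP standards with 96-bit truncated HMAC tags and CBC ciphers; the 100-byte TCP payload and all function names are this example's own.

```python
# Added example, not the guide's or Comware's code: the field order of Figure 37
# for each protocol/mode pair, with byte counts so the Tunnel-mode overhead can
# be measured. Header sizes are the fixed IPv4 values of the AH/ESP standards
# with 96-bit truncated HMAC tags and CBC ciphers; payload is a constructed input.

IPV4_HEADER = 20   # raw or new IP header without options
TCP_HEADER = 20    # TCP header without options
AH_FIXED = 12      # next header, payload length, reserved, SPI, sequence number
ESP_HEADER = 8     # SPI and sequence number
ESP_TRAILER = 2    # pad length and next header
ICV_96 = 12        # HMAC-MD5-96 or HMAC-SHA1-96 authentication data

# CBC block size, which is also the IV size carried right after the ESP header.
CIPHER_BLOCK = {"des": 8, "3des": 8, "aes": 16}


def esp_padding(plain_len, block):
    """Padding bytes so that payload + padding + 2-byte trailer fills whole cipher blocks."""
    return (-(plain_len + ESP_TRAILER)) % block


def layout(protocol, mode, cipher="des", payload=100):
    """Ordered (field, bytes) list for one SA setting, using Figure 37's field names."""
    if protocol not in ("ah", "esp", "ah-esp"):
        raise ValueError("protocol must be ah, esp or ah-esp")
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be transport or tunnel")
    inner = [("TCP Header", TCP_HEADER), ("data", payload)]
    if mode == "tunnel":
        # Tunnel mode protects the whole original packet, its header included.
        inner = [("raw IP Header", IPV4_HEADER)] + inner
    fields = inner
    if "esp" in protocol:
        block = CIPHER_BLOCK[cipher]
        pad = esp_padding(sum(n for _, n in inner), block)
        # The "ESP" field here is the ESP header plus the IV that follows it.
        fields = ([("ESP", ESP_HEADER + block)] + inner +
                  [("ESP Tail", pad + ESP_TRAILER), ("ESP Auth data", ICV_96)])
    if protocol.startswith("ah"):
        # AH comes first, so in the AH-ESP case its ICV also covers the ESP part.
        fields = [("AH", AH_FIXED + ICV_96)] + fields
    outer = "new IP Header" if mode == "tunnel" else "IP Header"
    return [(outer, IPV4_HEADER)] + fields


def wire_size(protocol, mode, cipher="des", payload=100):
    """Total bytes on the wire for the given SA setting."""
    return sum(n for _, n in layout(protocol, mode, cipher, payload))


def tunnel_penalty(protocol, cipher="des", payload=100):
    """Extra bytes Tunnel mode costs over transport mode for the same flow."""
    return (wire_size(protocol, "tunnel", cipher, payload)
            - wire_size(protocol, "transport", cipher, payload))


if __name__ == "__main__":
    for proto in ("ah", "esp", "ah-esp"):
        for mode in ("transport", "tunnel"):
            print(proto, mode, " | ".join(f for f, _ in layout(proto, mode)),
                  wire_size(proto, mode), "bytes")
```

The ESP penalty is not always exactly the 20 bytes of the extra IPv4 header, because the padding needed to reach the cipher block size changes with the length of the inner packet.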

Negotiation mode

There are two negotiation modes for establishing an SA: manual mode (manual) and IKE auto-negotiation mode (isakmp). The former is somewhat complex because all information about the SA has to be configured manually. Moreover, it does not support some advanced IPsec features, such as the key update timer. Its advantage is that it implements IPsec independently of IKE. The latter is much easier because, once the IKE negotiation security policies are configured, the SA is established and maintained by IKE auto-negotiation.

Manual mode is feasible where there are few peer devices or in a small, static environment. For medium-sized or large dynamic environments, IKE auto-negotiation mode is recommended.

IPsec DPD

IPsec dead peer detection (IPsec DPD) allows on-demand detection of IKE peer liveliness on IPsec/IKE Tunnels.

The idea of DPD is that when an IKE peer receives no packets from its peer for a specified period, a DPD query is triggered: the IKE peer sends a query asking its peer for proof of liveliness.

Compared with other keepalive mechanisms available with IPsec, DPD generates less traffic yet allows more prompt detection and quicker Tunnel recovery.

When an internet security association and key management protocol security association (ISAKMP SA) is established between a router address and the virtual address of a virtual router redundancy protocol (VRRP) backup group, DPD recovers the security Tunnels rapidly and automatically after a master/slave switchover in the VRRP backup group. DPD thus keeps security Tunnels from being interrupted by the switchover, expands the IPsec application scope and makes the IPsec protocol more robust.

DPD is implemented in compliance with RFC 3706 and RFC 2408.

1 Timers

IPsec DPD uses the following two timers to control sending and receipt of DPD packets:

■ Interval-time: specifies the idle interval for triggering a DPD query. If an IKE peer receives no IPsec packet from its peer when this timer times out, DPD query is triggered.

■ Time_out: specifies the time waiting for a DPD acknowledgement.

2 Operating mechanism


The following describes how DPD operates after being enabled:

■ At the sender side

An IKE peer has received no IPsec packets from its peer when the interval-time timer expires, and it now wants to send IPsec packets to its peer. Before doing so, the IKE peer sends a DPD query to its peer for proof of liveliness and starts a time_out timer at the same time. If no acknowledgement is received when this timer expires, DPD records one failure event. When the number of failure events reaches three, the involved ISAKMP SAs and IPsec SAs are deleted.

The same applies to the IPsec SAs set up between a router and the virtual address of a VRRP standby group: when the failure count reaches three, the security Tunnel between them is deleted. Setup of this security Tunnel is triggered only when a packet matching the IPsec policy is present.

The failover duration depends on the setting of the time_out timer. A shorter timer means a shorter communication interruption but increased overhead.

The default setting is recommended in normal cases.

■ At the responder end

The peer of the sender sends an acknowledgement after receiving the query.
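An added example (not from the 3Com guide and not Comware code) that models the sender-side behaviour described above in Python: an idle interval_time, a time_out timer per query, and deletion of the SAs at the third consecutive failure. The timer values, the packet timelines and the class and method names are this example's own.

```python
# Added example, not the guide's or Comware's code: a model of the DPD sender
# side. Timer values, event times and all names here are this example's own.

class DpdSender:
    """IKE peer that asks for proof of liveliness before sending after an idle period."""

    def __init__(self, interval_time, time_out, max_failures=3):
        self.interval_time = interval_time  # idle seconds before a query is due
        self.time_out = time_out            # seconds to wait for one acknowledgement
        self.max_failures = max_failures    # third consecutive failure deletes the SAs
        self.last_proof = 0.0               # time of the last packet proving liveliness
        self.query_sent = None              # time of the outstanding DPD query, if any
        self.failures = 0
        self.sa_deleted = False
        self.log = []

    def on_ipsec_received(self, now):
        # Any IPsec packet from the peer restarts the interval-time clock.
        self.last_proof = now

    def on_dpd_ack(self, now):
        # Only an acknowledgement that arrives inside time_out counts.
        if self.query_sent is not None and now - self.query_sent <= self.time_out:
            self.query_sent = None
            self.failures = 0
            self.last_proof = now           # the ack itself is proof of liveliness
            self.log.append((now, "ack"))

    def before_send(self, now):
        """Called when local IPsec traffic is about to go out; False once the SAs are gone."""
        if self.sa_deleted:
            return False
        self._expire_query(now)
        if self.sa_deleted:
            return False
        idle = now - self.last_proof
        if self.query_sent is None and idle >= self.interval_time:
            self.query_sent = now           # send the query and start time_out
            self.log.append((now, "query"))
        return True

    def _expire_query(self, now):
        if self.query_sent is not None and now - self.query_sent > self.time_out:
            self.failures += 1
            self.query_sent = None
            self.log.append((now, "timeout %d" % self.failures))
            if self.failures >= self.max_failures:
                self.sa_deleted = True      # ISAKMP SA and IPsec SAs are deleted
                self.log.append((now, "sa deleted"))


def simulate(events, interval_time=10, time_out=5):
    """Replay constructed (kind, time) events; kinds are rx, ack and send."""
    peer = DpdSender(interval_time, time_out)
    decisions = []
    for kind, t in sorted(events, key=lambda e: e[1]):
        if kind == "rx":
            peer.on_ipsec_received(t)
        elif kind == "ack":
            peer.on_dpd_ack(t)
        elif kind == "send":
            decisions.append((t, peer.before_send(t)))
    return peer, decisions


# Constructed timelines: a peer that never answers, and one that answers in time.
SILENT_PEER = [("rx", 0), ("send", 3), ("send", 12), ("send", 18), ("send", 24), ("send", 30)]
LIVE_PEER = [("rx", 0), ("send", 12), ("ack", 14), ("send", 15)]

if __name__ == "__main__":
    for name, timeline in (("silent", SILENT_PEER), ("live", LIVE_PEER)):
        peer, decisions = simulate(timeline)
        print(name, peer.log, "sa_deleted=%s" % peer.sa_deleted)
```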

IPsec on Comware

Comware implements the aspects of IPsec described above.

Through IPsec, peers (here, the security gateway running Comware and its peer) can apply different security protections (authentication, encryption or both) to different data flows, which are distinguished by ACL. The security protection elements, such as the security protocol, authentication algorithm, encryption algorithm and operation mode, are defined in an IPsec proposal. The association between data flows and an IPsec proposal (that is, applying a certain protection to a certain data flow), together with the SA negotiation mode, the peer IP addresses (the start and end of the protected path), the required keys and the SA lifetime, are defined in IPsec policies. Finally, the IPsec policies are applied to interfaces of the security gateway. This is the IPsec configuration process.

Following is the detailed description:

1 Defining data flows to be protected

A data flow is an aggregation of traffic, defined by source address/mask, destination address/mask, the protocol number carried over IP, source port number and destination port number. An ACL rule defines a data flow: traffic that matches an ACL rule is logically one data flow. A data flow can be a single TCP connection between two hosts or all traffic between two subnets. IPsec can apply different security protections to different data flows, so the first step of IPsec configuration is to define the data flows.

2 Defining IPsec proposal


IPsec proposal prescribes security protocol, authentication algorithm and encryption algorithm as well as operation mode (namely, the packet encapsulation mode) for data flows to be protected.

AH and ESP as supported by Comware can be used either independently or together. AH supports the MD5 and SHA-1 authentication algorithms. ESP supports the MD5 and SHA-1 authentication algorithms as well as the DES and 3DES encryption algorithms. The working modes supported by Comware are transport mode and Tunnel mode.

As for a data flow, peers should be configured with identical protocol, algorithm and working mode. Moreover, if IPsec is applied on two security gateways (such as between Comware security gateways), the Tunnel mode is recommended so as to hide the real source and destination addresses.

Therefore, you should define an IPsec proposal based on requirements so that you can associate it with data flows.

3 Defining IPsec policy or IPsec policy group

IPsec policy specifies a certain IPsec proposal for a certain data flow. An IPsec policy is defined by "name" and "sequence number" uniquely. It falls into two types, manual IPsec policy and IKE negotiation IPsec policy. The former one is to configure parameters such as key, SPI as well as IP addresses of two ends in the Tunnel mode manually. As for the latter one, these parameters are automatically generated by IKE negotiation.

An IPsec policy group is an aggregation of IPsec policies with identical name but different sequence numbers. In an IPsec policy group, the smaller the sequence number is, the higher the priority is.

4 Applying IPsec policies on an interface

Apply all IPsec policies in a group on an interface so as to perform different security protections on different data flows passing the interface.

IPsec Configuration

Configuring IPsec

1 Configure ACL

2 Configure a security proposal

■ Create a security proposal (IPsec proposal or card SA proposal)

■ Specify the encryption card used in the card SA proposal (only applies to encryption cards)

■ Select security protocol

■ Select security algorithm

■ Select packet encapsulation mode

3 Create IPsec policy (manually or by using IKE)

For manual mode:

■ Create IPsec policy


■ Import ACL into IPsec policy

■ Configure starting and end points for Tunnel

■ Configure SPI for SA

■ Configure SA keys

For IKE mode:

■ Create IPsec policy using IKE

■ Import card SA proposal into IPsec policy

■ Import ACL into IPsec policy

■ Import IKE peer into IPsec policy

■ Configure SA duration (optional)

■ Configure PFS feature for negotiation (optional)

An IPsec policy can reference an IPsec proposal or card SA proposal as needed.

4 Configure IPsec policy template (optional)

5 Apply IPsec policy on the interface

6 Disable next-payload field checking (optional)

Configuring the encryption card (optional)

Enable the encryption card

1 Enable Comware main software backup

2 Configure the fast forwarding function of the encryption card

3 Configure the simple network management operations for the encryption card

Defining ACL

IPsec uses advanced ACLs to determine which packets need protection. The role of advanced ACLs in IPsec differs from their role in firewalls. Normally, advanced ACLs determine which data is permitted and which is denied on which interface. In IPsec, however, advanced ACLs determine which packets need security protection and which do not. For this reason, an advanced ACL applied in IPsec is in fact an encryption ACL: packets permitted by the encryption ACL are protected, while packets denied by the ACL are not. An encryption ACL can be applied on both input interfaces and output interfaces.

For more information about the detailed configuration of ACLs, see the Security part of this manual.

The encryption ACLs defined at the local and peer security gateways should be consistent (that is, they should mirror each other), so that either side can decrypt data encrypted by the other side. Otherwise, one end cannot decrypt data sent from the other end. For example,

Local end:

acl number 3101
rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255


Peer end:

acl number 3101
rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255

Note:

■ IPsec protects the data flows permitted by the ACL, so you are recommended to configure the ACL precisely: permit only the data flows that need IPsec protection, and avoid excessive use of the keyword any.

■ You are recommended to configure the ACLs of the local and peer ends as mirrors of each other. Otherwise, one end cannot decrypt data sent from the other end.

Executing the display acl all command will display all the ACLs, including all the advanced IP ACLs regardless of whether they are for communications filtering or for encryption.
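As an added example (not from the 3Com guide and not Comware code), a Python checker for the mirror requirement above: it parses the rule lines of an encryption ACL on both ends, reports any rule that has no source/destination-swapped counterpart on the other end, and flags permit rules that use the keyword any. The ACL text is constructed from the example in this section; the function and constant names are this example's own.

```python
import re

# Added example, not the guide's or Comware's code: a mirror check for the
# encryption ACLs of the two ends. The ACL text below is constructed from the
# example in this section; the function and constant names are this example's own.

ACL_HEADER_RE = re.compile(r"acl number (\d+)")
RULE_RE = re.compile(
    r"rule\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+source\s+(?P<src>any|\S+\s+\S+))?"
    r"(?:\s+destination\s+(?P<dst>any|\S+\s+\S+))?"
)


def parse_acls(text):
    """Return {acl_number: [(action, protocol, source, destination), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = ACL_HEADER_RE.match(line)
        if head:
            current = int(head.group(1))
            acls.setdefault(current, [])
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            # A missing source or destination means 'any' in the ACL syntax.
            acls[current].append((rule.group("action"), rule.group("proto"),
                                  rule.group("src") or "any",
                                  rule.group("dst") or "any"))
    return acls


def mirror_problems(local_text, peer_text, acl_number):
    """Findings for one encryption ACL pair; an empty list means the ACLs mirror each other."""
    local = parse_acls(local_text).get(acl_number, [])
    peer = parse_acls(peer_text).get(acl_number, [])
    local_set, peer_set = set(local), set(peer)
    problems = []
    for action, proto, src, dst in local:
        if action == "permit" and "any" in (src, dst):
            problems.append("local permit rule matches any (%s %s -> %s); narrow it"
                            % (proto, src, dst))
        if (action, proto, dst, src) not in peer_set:
            problems.append("peer has no mirror of local rule: %s %s source %s destination %s"
                            % (action, proto, src, dst))
    for action, proto, src, dst in peer:
        if (action, proto, dst, src) not in local_set:
            problems.append("local end has no mirror of peer rule: %s %s source %s destination %s"
                            % (action, proto, src, dst))
    return problems


# Constructed configuration excerpts; PEER_ACL_BAD adds an unmirrored rule using any.
LOCAL_ACL = """\
acl number 3101
 rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255
"""
PEER_ACL_OK = """\
acl number 3101
 rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255
"""
PEER_ACL_BAD = """\
acl number 3101
 rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255
 rule 2 permit ip source any destination 173.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    print(mirror_problems(LOCAL_ACL, PEER_ACL_OK, 3101))   # []
    for finding in mirror_problems(LOCAL_ACL, PEER_ACL_BAD, 3101):
        print(finding)
```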

Defining an IPsec Proposal

An IPsec proposal holds the security protocol and the encryption/authentication algorithms applied in IPsec; it supplies the security parameters IPsec uses to negotiate SAs. To ensure the success of a negotiation, the two ends involved must use the same IPsec proposal.

Perform the following tasks to configure a security proposal.

■ Create an IPsec or card SA proposal

■ Specify the encryption card in the card SA proposal (only applies when an encryption card is involved)

■ Select a security protocol

■ Select a security algorithm

■ Set the mode adopted by the security protocol in IP datagram encapsulation

Creating an IPsec or card SA proposal

An IPsec proposal is a set of security protocol, algorithms and packet encapsulation format used to implement IPsec protection. An IPsec policy determines the security protocol, algorithms and encapsulation mode it adopts by referencing one or more IPsec proposals. Before an IPsec proposal can be referenced by an IPsec policy, the proposal must exist.

You are allowed to modify an IPsec proposal, but the modification does not take effect on an SA that the two sides have already negotiated with that proposal, unless you execute the reset ipsec sa (or reset encrypt-card sa) command to reset the SA. New security proposals apply only to new SAs.

Perform the following configuration in system view.


By default, no IPsec proposal is configured.

Specifying the encryption card to be used by a security proposal (only applied when an encryption card is involved)

When an encryption card is used, you must specify its slot number in card SA proposal view. Each modular security gateway can accommodate up to two encryption cards; each can be assigned to multiple encryption card security proposals. In system view, use the ipsec card-proposal proposal-name command to enter encryption card SA proposal view, and then specify the encryption card to be used by a security proposal in this view.

By default, no encryption card is used in the card SA proposal.

Selecting packet encapsulation mode

You MUST specify encapsulation mode in a security proposal. In addition, the same encapsulation mode MUST be adopted at the two ends of a security Tunnel.

Perform the following configurations in IPsec proposal or card SA proposal view.

Normally, Tunnel mode is always adopted between two security GWs (routers). Transport mode is always preferred, however, with respect to the communication between two hosts or between a host and a security GW.

By default, Tunnel mode is adopted.

Table 127 Configure an IPsec proposal

Operation: Command

Create an IPsec proposal and access the IPsec proposal view (for IPsec module): ipsec proposal proposal-name

Delete the IPsec proposal (for IPsec module): undo ipsec proposal proposal-name

Create a card SA proposal and access its view (for encryption cards only): ipsec card-proposal proposal-name

Delete the card SA proposal (for encryption card): undo ipsec card-proposal proposal-name

Table 128 Assign an encryption card to the card SA proposal

Operation: Command

Enter the encryption card SA proposal view: ipsec card-proposal proposal-name

Assign an encryption card to the card SA proposal: use encrypt-card slot-id

Remove the configuration: undo use encrypt-card

Table 129 Select a packet encapsulation mode

Operation: Command

Set the IP datagram encapsulation mode adopted by the security protocol: encapsulation-mode { transport | tunnel }

Restore the default encapsulation mode: undo encapsulation-mode


Selecting security protocol

The security protocol must be specified in the IPsec proposal; at present AH and ESP are the only two options. You may use AH, ESP or both, but the choice must be the same as that at the remote end of the security Tunnel.

Perform the following configuration in the IPsec proposal or card SA proposal view.

By default, esp is used, that is, ESP as specified in RFC 2406.

Selecting security algorithm

Different security protocols may use different authentication and encryption algorithms. Currently AH supports the MD5 and SHA-1 authentication algorithms, while ESP supports the MD5 and SHA-1 authentication algorithms and the DES, 3DES and AES encryption algorithms.

Perform the following configuration in the IPsec proposal or card SA proposal view.

ESP can encrypt and authenticate a packet at the same time, encrypt only, or authenticate only. Note that the undo esp authentication-algorithm command does not restore the authentication algorithm to its default; it sets the authentication algorithm to null, that is, it disables authentication. When the encryption algorithm is null, the undo esp authentication-algorithm command is invalid. AH has no encryption function and can only authenticate packets. The undo ah authentication-algorithm command restores the default AH authentication algorithm, md5. At both ends of the security Tunnel, the IPsec proposals referenced by the IPsec policies must be configured with the same authentication algorithm and encryption algorithm.

Table 130 Select security protocol

Operation: Command

Configure the security protocol used by the IPsec proposal: transform { ah | ah-esp | esp }

Restore the default security protocol: undo transform

Table 131 Select security algorithm

Operation: Command

Configure the encryption algorithm used by ESP: esp encryption-algorithm { 3des | des | aes }

Disable packet encryption for ESP: undo esp encryption-algorithm

Configure the authentication algorithm used by ESP: esp authentication-algorithm { md5 | sha1 }

Disable packet authentication for ESP: undo esp authentication-algorithm

Configure the authentication algorithm used by AH: ah authentication-algorithm { md5 | sha1 }

Restore the default AH authentication algorithm: undo ah authentication-algorithm


ESP supports three encryption algorithms, des, 3des and aes, and two authentication algorithms, hmac-md5 and hmac-sha1.

AH supports two authentication algorithms: hmac-md5 and hmac-sha1.

By default, the encryption algorithm used by ESP is des and the authentication algorithm is md5. The authentication algorithm used by AH is md5.

Note: A security algorithm can be configured only after the desired security protocol has been selected with the transform command. For example, if you select ESP, you can only configure the security algorithms particular to ESP, not those for AH.

Creating IPsec Policy

An IPsec policy specifies a certain IPsec proposal for a certain data flow. An IPsec policy is uniquely identified by its "name" and "sequence number". There are two types, manual IPsec policies and IKE-negotiated IPsec policies. For the former, parameters such as the keys, the SPIs, the SA lifetime and the IP addresses of the two ends in Tunnel mode are configured manually. For the latter, these parameters are generated automatically by IKE negotiation.

Note: This section describes the IPsec policy configuration in detail, covering both manual configuration and IKE negotiation configuration. Where a configuration item applies to only one mode, this is stated explicitly; otherwise, the item applies in both manual mode and IKE negotiation mode.

Manually creating an IPsec policy

1 Manually creating an IPsec policy

The negotiation mode of an existing IPsec policy cannot be modified. For example, once a manual IPsec policy has been created, it cannot be changed into an isakmp-mode policy; you must delete the IPsec policy and create a new one.

Perform the following configuration in system view.

IPsec policies with the same name and different sequence numbers can compose an IPsec policy group. In one IPsec policy group, up to 500 IPsec policies can be configured. However, the maximum number of all IPsec policies in all IPsec policy groups is 500. In an IPsec policy group, the smaller the sequence number is, the higher the priority will be.

By default, there is no IPsec policy.

2 Referencing IPsec proposal in IPsec policy

Table 132 Establish IPsec policy

Operation: Command

Manually create an IPsec policy for an SA: ipsec policy policy-name seq-number manual

Modify the IPsec policy of the SA: ipsec policy policy-name seq-number manual

Delete the IPsec policy: undo ipsec policy policy-name [ seq-number ]


IPsec policy will specify security protocol algorithm and packet encapsulation format by referencing IPsec proposal. Before an IPsec proposal is referenced, this IPsec proposal must be configured.

Perform the following configuration in system view.

The SA can be established in manual mode. One IPsec policy can reference only one IPsec proposal; if a proposal has already been referenced, it must be removed before a new one is configured. At both ends of the security Tunnel, the IPsec proposals referenced by the IPsec policies must be configured with the same security protocol, algorithms and packet encapsulation mode.

3 Configuring ACL referenced in IPsec policy

IPsec policy will reference access control list. IPsec will specify which packet needs security protection and which does not according to the rules in this access control list. Packets permitted by ACL will be in protection, while packets denied by ACL will not be protected.

Perform the following configuration in IPsec policy view.

One IPsec policy can reference only one access control list. If more than one access control list is configured for the IPsec policy, only the last one configured takes effect.

4 Configuring Tunnel start/end point

Generally, Tunnels applying IPsec policies are called "security Tunnels". A security Tunnel is set up between the local and the peer GWs. To ensure the success in security Tunnel setup, you must configure correct local and peer addresses.

Perform the following configuration in IPsec policy view.

Table 133 Use IPsec proposal in IPsec policy

Operation: Command

Configure the IPsec proposal referenced by the IPsec policy: proposal proposal-name1 [ proposal-name2... proposal-name6 ]

Remove the IPsec proposal referenced by the IPsec policy: undo proposal [ proposal-name ]

Table 134 Configure access control list referenced by IPsec policy

Operation: Command

Configure the access control list referenced by the IPsec policy: security acl acl-number

Remove the access control list referenced by the IPsec policy: undo security acl

Table 135 Configure Tunnel start/end point

Operation: Command

Configure the local address in the IPsec policy: tunnel local ip-address

Delete the local address configured in the IPsec policy: undo tunnel local

Configure the peer address in the IPsec policy: tunnel remote ip-address


For an IPsec policy set up manually, a security tunnel can be set up only if both the local and peer addresses are correctly configured. (An ISAKMP SA obtains the local and peer addresses automatically, so it does not require the configuration of a local or peer address.)

5 Configuring SA SPI

This configuration task applies only to a manually created IPsec policy. Use the following command to configure the SA SPI when creating an SA manually. An isakmp-mode IPsec policy does not need this manual configuration; IKE negotiates the SPI and creates the SA automatically.

Perform the following configuration in IPsec policy view.

When configuring an SA for the system, you must set the parameters in the inbound and outbound directions separately.

The SA parameters set at both ends of the security tunnel must match fully: the SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and likewise the SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

6 Configuring key for SA

This configuration is used only for a manual-mode IPsec policy. The security association key can be entered manually using the following commands. (For an isakmp-negotiation IPsec policy, manual key configuration is not required; IKE negotiates the security association key automatically.)

Perform the following configuration in IPsec policy view.

Table 135 Configure Tunnel start/end point (continued)

Delete the peer address configured in the IPsec policy:
    undo tunnel remote [ ip-address ]

Table 136 Configure an SA SPI

Configure an SA SPI:
    sa spi { inbound | outbound } { ah | esp } spi-number
Delete the SA SPI:
    undo sa spi { inbound | outbound } { ah | esp }

Table 137 Configure key used by security association

Configure AH protocol authentication key (input in hex form):
    sa authentication-hex { inbound | outbound } { ah | esp } hex-key
Configure protocol key (input in character string):
    sa string-key { inbound | outbound } { ah | esp } string-key
Configure ESP encryption key (input in hex form):
    sa encryption-hex { inbound | outbound } esp hex-key


At both ends of the security tunnel, the configured Security Association parameters must be consistent. The SPI and shared secret of the inbound SA on the local end must be the same as those of the outbound SA on the peer end, and the SPI and shared secret of the outbound SA on the local end must be the same as those of the inbound SA on the peer end.

If both a character string key and a hex key are configured, the one configured last is adopted. The shared secret must be entered in the same form at both ends of the security tunnel: if it is entered as a character string on one end and in hex on the other, the security tunnel cannot be established correctly.
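As an added illustration (not 3Com code), the following Python model applies the matching rules above to two manually configured ends of a tunnel; the class names, sample SPIs and keys are constructed for the example, and treating a string key as supplying both ESP keys is an assumption of the model.

```python
"""Added example (not 3Com code): model the manual-SA parameters set with
the sa spi / sa string-key / sa authentication-hex / sa encryption-hex
commands and check that two ends of a security tunnel match as required:
local inbound == remote outbound, local outbound == remote inbound, and the
key entered in the same form (string or hex) on both ends."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]          # (form, value); form is "string" or "hex"


@dataclass
class Sa:
    spi: Optional[int] = None
    auth_key: Optional[Key] = None
    enc_key: Optional[Key] = None      # ESP only


@dataclass
class ManualPolicy:
    name: str
    protocol: str                      # "ah" or "esp", per the referenced proposal
    sas: Dict[str, Sa] = field(
        default_factory=lambda: {"inbound": Sa(), "outbound": Sa()})

    def sa_spi(self, direction: str, spi: int) -> None:
        self.sas[direction].spi = spi

    def sa_string_key(self, direction: str, key: str) -> None:
        # Assumption of this model: a string key supplies the authentication
        # key and, for ESP, the encryption key too.  The last configured key
        # (string or hex) is the one that remains in effect.
        self.sas[direction].auth_key = ("string", key)
        if self.protocol == "esp":
            self.sas[direction].enc_key = ("string", key)

    def sa_authentication_hex(self, direction: str, hex_key: str) -> None:
        self.sas[direction].auth_key = ("hex", hex_key.lower())

    def sa_encryption_hex(self, direction: str, hex_key: str) -> None:
        if self.protocol != "esp":
            raise ValueError("sa encryption-hex applies to esp only")
        self.sas[direction].enc_key = ("hex", hex_key.lower())


def pair_mismatches(local: ManualPolicy, remote: ManualPolicy) -> List[str]:
    """Compare the two ends; an empty list means the manual SAs can match."""
    issues: List[str] = []
    if local.protocol != remote.protocol:
        issues.append(f"protocol {local.protocol} != {remote.protocol}")
    # Local inbound pairs with remote outbound and vice versa.
    for ldir, rdir in (("inbound", "outbound"), ("outbound", "inbound")):
        ls, rs = local.sas[ldir], remote.sas[rdir]
        label = f"local {ldir} / remote {rdir}"
        if ls.spi is None or rs.spi is None:
            issues.append(f"{label}: SPI not configured on one end")
        elif ls.spi != rs.spi:
            issues.append(f"{label}: SPI {ls.spi} != {rs.spi}")
        for kind, lk, rk in (("authentication", ls.auth_key, rs.auth_key),
                             ("encryption", ls.enc_key, rs.enc_key)):
            if lk is None and rk is None:
                continue
            if lk is None or rk is None:
                issues.append(f"{label}: {kind} key missing on one end")
            elif lk[0] != rk[0]:
                issues.append(f"{label}: {kind} key entered as {lk[0]} here "
                              f"but as {rk[0]} on the peer")
            elif lk[1] != rk[1]:
                issues.append(f"{label}: {kind} key values differ")
    return issues


def sample_pair() -> Tuple[ManualPolicy, ManualPolicy]:
    """Constructed ESP example: SPIs and keys are dummies, not real secrets."""
    local, remote = ManualPolicy("man", "esp"), ManualPolicy("man", "esp")
    local.sa_spi("inbound", 12345)
    remote.sa_spi("outbound", 12345)
    local.sa_spi("outbound", 54321)
    remote.sa_spi("inbound", 54321)
    for pol, direction in ((local, "inbound"), (remote, "outbound")):
        pol.sa_authentication_hex(direction, "0A0B0C0D")
        pol.sa_encryption_hex(direction, "11223344")
    for pol, direction in ((local, "outbound"), (remote, "inbound")):
        pol.sa_string_key(direction, "example-key")
    return local, remote


def last_configured_wins_demo() -> str:
    """Configure a string key, then a hex key; the hex key is what remains."""
    pol = ManualPolicy("man", "ah")
    pol.sa_string_key("inbound", "first")
    pol.sa_authentication_hex("inbound", "AABB")
    return pol.sas["inbound"].auth_key[0]       # "hex"
```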

Creating IPsec Policies by using IKE

Following are the configuration tasks for creating an IPsec policy by using IKE.

■ Create IPsec policies by using IKE

■ Reference an IPsec proposal in the IPsec policy

■ Configure ACL referenced by the IPsec policy

■ Reference an IKE peer in the IPsec policy

■ Configure the lifetime of an SA (optional)

■ Configure the PFS feature in negotiation (optional)

■ Configure IPsec DPD (optional)

1 Creating an IPsec policy by using IKE

Perform the following configurations in system view.

If you want to create a dynamic IPsec policy from an IPsec policy template, you must first define the policy template. For more information about defining a policy template, see "Configuring IPsec Policy Template".

2 Referencing an IPsec proposal in the IPsec policy

Table 137 Configure key used by security association (continued)

Delete configured security association parameter:
    undo sa string-key { inbound | outbound } { ah | esp }
    undo sa authentication-hex { inbound | outbound } { ah | esp }
    undo encryption-hex { inbound | outbound } esp

Table 138 Create an IPsec policy

Create an IPsec policy by using IKE and access the IPsec policy view:
    ipsec policy policy-name seq-number isakmp
Dynamically create an IPsec policy by using IKE and an IPsec policy template:
    ipsec policy policy-name seq-number isakmp [ template template-name ]
Modify an IPsec policy that has been established by using IKE negotiation:
    ipsec policy policy-name seq-number isakmp
Delete the specified IPsec policy:
    undo ipsec policy policy-name [ seq-number ]


An IPsec proposal is referenced in an IPsec policy to specify the IPsec protocol, algorithms, and packet encapsulation mode. Before an IPsec proposal can be referenced, it must have been created.

Perform the following configurations in IPsec policy view.

When SAs are created manually, each IPsec policy can reference only one IPsec proposal. If an IPsec proposal has been referenced, it must be removed before a new one can be configured. At both ends of a security tunnel, the IPsec proposals referenced by the IPsec policy must adopt the same security protocol, algorithms and packet encapsulation mode.

3 Referencing ACL in the IPsec policy

The IPsec policy references an ACL to specify, according to the rules in that access control list, which packets need security protection and which do not. Packets permitted by the ACL are protected, while packets denied by the ACL are not.

Perform the following configuration in IPsec policy view.

One IPsec policy can reference only one access control list. If an IPsec policy references more than one ACL, only the one configured last is valid.

When an SA is set up by IKE (isakmp) negotiation, each IPsec policy can reference up to six IPsec proposals. During IKE negotiation, the systems at the two ends of the security tunnel look up the configured IPsec proposals for a match. If no match is found, the SA setup attempt fails and the packets requiring protection are dropped.

4 Referencing an IKE peer in the IPsec policy

In IKE negotiation mode, parameters such as the peer, SPI and key are obtained through negotiation, so you only need to associate the IPsec policy with an IKE peer. The IKE peer must be created before it is referenced.

Perform the following configurations in IPsec policy view.

Table 139 Reference an IPsec proposal in the IPsec policy

Reference an IPsec proposal in the IPsec policy:
    proposal proposal-name1 [ proposal-name2... proposal-name6 ]
Remove the IPsec proposal referenced by the IPsec policy:
    undo proposal [ proposal-name ]

Table 140 Reference ACL in the IPsec policy

Reference an ACL in the IPsec policy:
    security acl acl-number
Remove the ACL referenced by the IPsec policy:
    undo security acl


Note: This section only discusses referencing an IKE peer for IPsec. In practice, other parameters also need to be configured in IKE peer view, including the IKE negotiation mode, ID type, NAT traversal, shared key, peer IP address and peer name. Refer to the next chapter for details.

5 Configuring SA duration (lifetime) (optional)

■ Configuring global SA lifetime

All SAs that have no separate lifetime configured in IPsec policy view adopt the global lifetime. In SA negotiation via IKE, the smaller of the lifetimes configured at the local end and at the peer is adopted.

There are two types of lifetime: "time-based" and "traffic-based". The expiration of either type renders an SA invalid. Before the SA becomes invalid, IKE negotiates a new SA for IPsec, so that when the old SA finally expires, a new one is already available.

Perform the following configurations in system view.

Changing the configured global lifetime does not affect the IPsec policies that have separate lifetimes or the SAs that have been set up. The changed global lifetime will apply to the IKE negotiation initiated later.

Lifetime applies only to isakmp-mode SAs, not to manually established SAs; a manually established SA remains in effect permanently.

■ Configuring SA lifetime in IPsec policy view

You can configure a separate SA lifetime for an IPsec policy. If such a lifetime is not available, the global SA lifetime will apply.

In the SA negotiation via IKE, the lifetime configured at the local or at the peer will be adopted, whichever is smaller.

Perform the following configurations in IPsec policy view.

Table 141 Reference an IKE peer in the IPsec policy

Reference an IKE peer in the IPsec policy:
    ike peer peer-name
Remove the referenced IKE peer from the IPsec policy:
    undo ike peer [ peer-name ]

Table 142 Configure a global SA lifetime

Configure a global SA lifetime:
    ipsec sa global-duration { traffic-based kilobytes | time-based seconds }
Restore the default global SA lifetime:
    undo ipsec sa global-duration { traffic-based | time-based }


Changing the configured global lifetime does not affect the SAs that have been set up. The changed global lifetime will apply to the IKE negotiation initiated later.

6 Configuring the PFS feature in negotiation

Perfect Forward Secrecy (PFS) is a security feature under which keys are not derived from one another, so the compromise of one key does not threaten the security of the other keys. It is implemented by adding a key exchange to the stage-2 negotiation of IKE. This command is only significant to isakmp-mode SAs.

Perform the following configuration in IPsec policy view.

When IKE initiates a negotiation using an IPsec policy configured with PFS, it performs an additional key exchange. If the local end uses PFS, the peer must also use PFS, and both must specify the same Diffie-Hellman (DH) group; otherwise the negotiation between them fails.

group2 provides a higher security level than group1 (group5 provides a higher security level than group2, and so on for the remaining groups), but it requires a longer calculation time.

By default, the PFS feature is not used.

7 Configuring IPsec DPD (optional)

■ Creating a DPD structure

Perform the following configuration in system view.

A DPD data structure, or DPD structure, contains DPD query parameters such as the interval_time timer and the time_out timer. A DPD structure can be referenced by multiple IKE peers, so you need not configure one DPD structure for each interface. A DPD structure that is referenced by an IKE peer cannot be deleted.

Table 143 Configure an SA lifetime

Configure an SA lifetime for the IPsec policy:
    sa duration { traffic-based kilobytes | time-based seconds }
Adopt the configured global SA lifetime:
    undo sa duration { traffic-based | time-based }

Table 144 Set the PFS feature used in negotiation

Configure the PFS feature used in negotiation:
    pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
Disable PFS in negotiation:
    undo pfs

Table 145 Create a DPD structure and enter its view

Create a DPD structure and enter its view:
    ike dpd dpd-name
Delete the specified DPD structure:
    undo ike dpd dpd-name


■ Configuring timers

Perform the following configuration in DPD structure view.

By default, the interval for triggering a DPD query is 10 seconds, and the time waiting for a DPD acknowledgment is five seconds.

■ Specifying a DPD structure for an IKE peer

Perform the following configuration in IKE peer view.

Configuring IPsec Policy Template

Some networks involve uncertain factors: for example, the IP address allocated to a dial-up mobile user is not fixed, so the endpoint address of the IPsec tunnel and the data flow to be protected cannot be determined in advance. This makes the implementation of IPsec difficult.

An IPsec policy template meets such requirements. It is a policy template that specifies only some of the parameters and adopts the initiator's settings for the rest.

The configuration of an IPsec policy template is similar to that of a common IPsec policy: first create the policy template, then specify the template parameters.

Perform the following configuration in system view.

Using the ipsec policy-template command, you enter IPsec policy template view, in which you can specify the policy template parameters.

Note: The parameters configurable in an IPsec policy template are the same as those of an IPsec policy in isakmp mode, except that most are optional. Only the IPsec proposal and the IKE peer (for the IKE peer, there is no need to configure the IP address of its peer) are mandatory, while the configuration of the data stream to be protected and the PFS feature is optional. Note that if an IPsec policy template is used for policy matching, the configured parameters must be matched in IKE negotiation.

Table 146 Configure timers

Configure the interval for triggering a DPD query:
    interval_time seconds
Restore the default interval for triggering a DPD query:
    undo interval_time
Configure the time waiting for a DPD acknowledgment:
    time_out seconds
Restore the default time waiting for a DPD acknowledgment:
    undo time_out

Table 147 Specify a DPD structure for an IKE peer

Specify a DPD structure for the IKE peer:
    dpd dpd-name
Remove the referenced DPD structure:
    undo dpd

Table 148 Configure IPsec policy template

Create/Modify IPsec policy template:
    ipsec policy-template template-name seq-number
Delete an IPsec policy template:
    undo ipsec policy-template template-name [ seq-number ]

After the policy template is configured, the following command must be executed to apply it.

CAUTION: A policy created from an IPsec policy template cannot initiate security association negotiation, but it can respond to one.

Applying IPsec Policy Group to Interface

To bring a defined SA into effect, you must apply an IPsec policy group to the interface (logical or physical) on which the outgoing or incoming data needs encryption or decryption. Data encryption on the interface is performed according to the IPsec policy group, in conjunction with the peer security gateway. Deleting the IPsec policy group from the interface disables IPsec protection on that interface.

Perform the following configuration in the interface view.

An interface can use only one IPsec policy group. Only an ISAKMP IPsec policy group can be used on more than one interface; a manually configured IPsec policy group can be used on only one interface.

When a packet is transmitted from an interface, the IPsec policies in the IPsec policy group are searched in ascending order of sequence number. If the access control list referenced by an IPsec policy permits the packet, the packet is processed by that IPsec policy; if not, the search continues with the next IPsec policy. If the packet is not permitted by any access control list referenced by the IPsec policies, it is transmitted directly (IPsec does not protect it).

3Com's IPsec policy implementation applies not only to physical ports such as serial ports and Ethernet ports, but also to virtual interfaces such as Tunnel and Virtual Template interfaces. In this way, IPsec can be applied to tunnels such as GRE and L2TP according to the actual networking requirements.
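The policy-group lookup described above, as an added Python model that is not part of this guide or of 3Com's software; ACL 3000 is taken from the configuration example later in this chapter, while ACL 3001, sequence number 10 and the class names are constructed for illustration.

```python
"""Added example (not 3Com code): model the outbound policy-group lookup.
ACL rules use Comware-style wildcard masks (a 0 bit in the mask means that
address bit must match); policies are tried in ascending sequence-number
order; the first policy whose ACL permits the packet protects it; a packet
permitted by no ACL is sent in the clear."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base in every bit position where wildcard is 0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"  # any source
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"  # any destination

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wild)
                and wildcard_match(dst, self.dst, self.dst_wild))


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def permits(self, src: str, dst: str) -> bool:
        """First matching rule decides; no matching rule means not permitted."""
        for rule in self.rules:
            if rule.matches(src, dst):
                return rule.action == "permit"
        return False


@dataclass
class Policy:
    name: str
    seq: int
    acl: Acl


def select_policy(group: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Return the policy that will protect a src->dst packet, or None for
    plain forwarding.  Policies are searched by ascending sequence number."""
    for policy in sorted(group, key=lambda p: p.seq):
        if policy.acl.permits(src, dst):
            return policy
    return None


def sample_group() -> List[Policy]:
    """Constructed policy group 'auto'.  Sequence 1 reuses ACL 3000 from the
    configuration example (10.0.0.0/24 -> 20.0.0.0/24); sequence 10 and ACL
    3001 are made up to show ordering and an explicit deny."""
    acl3000 = Acl(3000, [Rule("permit", "10.0.0.0", "0.0.0.255",
                              "20.0.0.0", "0.0.0.255")])
    acl3001 = Acl(3001, [Rule("deny", "10.0.0.9", "0.0.0.0"),
                         Rule("permit", "10.0.0.0", "0.0.0.255",
                              "30.0.0.0", "0.0.0.255")])
    # Listed out of order on purpose; the lookup sorts by sequence number.
    return [Policy("auto", 10, acl3001), Policy("auto", 1, acl3000)]


def protecting_seq(src: str, dst: str) -> Optional[int]:
    """Sequence number of the policy chosen for the packet, or None."""
    chosen = select_policy(sample_group(), src, dst)
    return chosen.seq if chosen else None
```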

Disabling Next-Payload Field Checking

An IKE negotiation packet comprises multiple payloads; the next-payload field in the generic header of the last payload should, according to the protocol, be set to 0. Some vendors' implementations, however, set it differently. For compatibility, you can use the following commands to ignore this field during IPsec negotiation.

Table 149 Reference IPsec policy template

Reference an IPsec policy template:
    ipsec policy policy-name seq-number isakmp template template-name

Table 150 Use IPsec policy group

Use the IPsec policy group:
    ipsec policy policy-name
Remove the IPsec policy group in use:
    undo ipsec policy [ policy-name ]

Page 162: 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guideh20628. · 2019-01-17 · 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guide Switch

162 CHAPTER 10: IPSEC CONFIGURATION

By default, the system checks the next-payload field in the last payload of the IKE negotiation packet during IPsec negotiation.
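To show what this check inspects, here is an added Python model (not 3Com code) that walks the payload chain of an ISAKMP message and applies the last-payload next-payload check in both the default mode and the disabled mode; the sample messages are constructed, and the payload type numbers are the standard ISAKMP values.

```python
"""Added example (not 3Com code): walk an ISAKMP (IKEv1) message's payload
chain and apply the last-payload next-payload check that the commands above
enable or disable.  Sample messages are constructed inline."""
import struct

ISAKMP_HDR_LEN = 28    # initiator SPI(8) responder SPI(8) next-payload(1)
                       # version(1) exchange(1) flags(1) message-id(4) length(4)
GENERIC_HDR_LEN = 4    # next-payload(1) reserved(1) payload-length(2)
PAYLOAD_NONE = 0       # value the last payload's next-payload field should carry


def walk_payloads(msg: bytes):
    """Return ([(payload_type, offset, length), ...], last_next_payload).

    Raises ValueError on structural problems (truncated header, length
    mismatch, payload running past the message) regardless of the
    next-payload setting, since those cannot be ignored safely."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    np = msg[16]                                   # next payload in ISAKMP header
    total = struct.unpack("!I", msg[24:28])[0]
    if total != len(msg):
        raise ValueError(f"header length {total} != message length {len(msg)}")
    off = ISAKMP_HDR_LEN
    payloads = []
    while off < total:
        if off + GENERIC_HDR_LEN > total:
            raise ValueError(f"truncated payload header at offset {off}")
        next_np, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < GENERIC_HDR_LEN or off + plen > total:
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append((np, off, plen))
        np, off = next_np, off + plen
    return payloads, np                            # np is the last payload's field


def check_message(msg: bytes, next_payload_check: bool = True):
    """Return (accepted, reason).  next_payload_check=False mirrors
    'ike next-payload check disabled': a non-zero value in the last
    payload is tolerated instead of causing the message to be rejected."""
    payloads, last_np = walk_payloads(msg)
    if not payloads:
        return False, "message carries no payloads"
    if last_np != PAYLOAD_NONE:
        if next_payload_check:
            return False, f"last payload has next-payload {last_np}, expected 0"
        return True, f"accepted despite next-payload {last_np} (check disabled)"
    return True, f"{len(payloads)} payloads, chain terminated correctly"


def build_message(payloads):
    """Construct a test message from [(type, next_type, body)] triples.
    SPIs, exchange type and flags are dummies; constructed for illustration."""
    body = b"".join(struct.pack("!BBH", nxt, 0, GENERIC_HDR_LEN + len(data)) + data
                    for _typ, nxt, data in payloads)
    first_np = payloads[0][0] if payloads else PAYLOAD_NONE
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first_np,
                         0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(body))
    return header + body


# Payload type numbers from ISAKMP: 1 = SA, 13 = Vendor ID.
CONFORMANT = build_message([(1, 13, b"\x00\x00\x00\x01"), (13, 0, b"vendor")])
# Same message, but the last payload's next-payload field is left non-zero.
VENDOR_QUIRK = build_message([(1, 13, b"\x00\x00\x00\x01"), (13, 13, b"vendor")])
# Second payload (offset 36) advertises a length that runs past the message.
OVERRUN = CONFORMANT[:38] + struct.pack("!H", 255) + CONFORMANT[40:]
```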

Configuring the Encryption Card (Optional)

The basic configurations of an encryption card are the same as those of IPsec; refer to the previous sections.

The following are the optional configurations for the encryption card.

Entering encryption card interface view and enabling the card

When a security gateway is fitted with multiple encryption cards, you can use the undo shutdown and shutdown commands to enable or disable them. The undo shutdown command resets and initializes an encryption card that has been disabled.

Before you can shut down or enable the encryption card in a specified slot, you must use the interface encrypt command to enter the view of that encryption card.

Perform the following configuration in system view.

Perform the following configuration in encryption card interface view.

By default, all the fitted encryption cards are up.

Enabling IPsec module backup function

For an IPsec SA implemented by the encryption card, IPsec is processed by the card while the card is operating normally. If the card fails, the backup function is enabled, and the encryption/authentication algorithms selected for the SA are supported by the IPsec module on the Comware platform, IPsec is processed by that IPsec module instead. If the selected algorithms are not supported by the IPsec module, the system drops the packets.

Perform the following configuration in system view.

Table 151 Disable checking of the next-payload field

Disable checking of the next-payload field in the last payload of the IKE negotiation packet during IPsec negotiation:
    ike next-payload check disabled
Restore the default (checking enabled):
    undo ike next-payload check disabled

Table 152 Enter encryption card interface view

Enter encryption card interface view:
    interface encrypt slot-id

Table 153 Enable or shut down the encryption card

Bring up (enable) the encryption card:
    undo shutdown
Shut down the encryption card:
    shutdown

Page 163: 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guideh20628. · 2019-01-17 · 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guide Switch

IPsec Configuration 163

By default, IPsec module backup function is disabled.

Configuring the fast forwarding function of the encryption card

For packets that share the same [SourIP, SourPort, DestIP, DestPort, Prot] quintuple, the security gateway creates a fast forwarding entry when it receives the first packet. The subsequent packets, instead of being processed one by one, are sent directly to the encryption card, which encrypts or decrypts them and sends them on to the destination. This is how the fast forwarding function of the encryption card speeds up packet processing.

Perform the following configuration in system view.

By default, the fast forwarding function of the encryption card is disabled.

CAUTION: After the fast forwarding function is enabled on the encryption card, ACL statistics are no longer collected for the packets fast-forwarded by the encryption card.

Setting simple network management configuration on encryption cards

You can manage the encryption cards on the security gateway remotely using SNMP. With the NM function on the security gateway, you can query card status and monitor trap information, which covers card rebooting, status transitions and packet loss.

Perform the following configuration in system view.

By default, the trap function is not enabled on the encryption card.

Table 154 Configure IPsec module backup function

Enable IPsec module backup function:
    encrypt-card backuped
Disable IPsec module backup function:
    undo encrypt-card backuped

Table 155 Configure the fast forwarding function of the encryption card

Enable the fast forwarding function of the encryption card:
    encrypt-card fast-switch
Disable the fast forwarding function of the encryption card:
    undo encrypt-card fast-switch

Table 156 Configure trap function on encryption card

Enable trap function on encryption card:
    snmp-agent trap enable encrypt-card
Disable trap function on encryption card:
    undo snmp-agent trap enable encrypt-card


Displaying and Debugging IPsec

Displaying and Debugging over IPsec Module on Comware Platform

Displaying and debugging IPsec configuration

After the above configuration, execute the display commands in any view to show the running IPsec configuration and verify the effect of the configuration.

Execute the debugging commands in user view to debug IPsec.

Clearing IPsec packet statistical information

This command clears IPsec packet statistical information. All statistical information is set to zero.

Perform the following configuration in the user view.

Deleting SA

The configuration is used to delete the established SA (either manually or through IKE negotiation). If no parameter is specified, all the SAs will be deleted.

Perform the following configuration in user view.

Table 157 Display and debug IPsec

Display Security Association related information:
    display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]
Display the information about the IPsec tunnel:
    display ipsec tunnel
Display statistical information on IPsec processed packets:
    display ipsec statistics
Display IPsec proposal:
    display ipsec proposal [ proposal-name ]
Display IPsec policy:
    display ipsec policy [ brief | name policy-name [ seq-number ] ]
Display the configuration of DPD:
    display ike dpd [ dpd-name ]
Display IPsec policy template:
    display ipsec policy-template [ brief | name policy-name [ seq-number ] ]
Enable IPsec debugging function:
    debugging ipsec { all | sa | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] | misc }
Disable IPsec debugging function:
    undo debugging ipsec { all | sa | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] | misc }
Enable the debugging for DPD:
    debugging ike dpd
Disable the debugging for DPD:
    undo debugging ike dpd

Table 158 Clear IPsec packet statistics

Clear IPsec packet statistical information:
    reset ipsec statistics


If a packet re-triggers IKE negotiation after an SA set up through IKE negotiation has been deleted, IKE re-establishes an SA through negotiation.

If a manually set up SA is deleted, the system automatically sets up a new SA according to the manually configured parameters.

The parameters keyword takes effect only after the SPI of the outbound SA is defined. Because SAs appear in pairs, the inbound SA is also deleted when the outbound SA is deleted.

Displaying and Debugging Encryption Card Information

Displaying and debugging IPsec information on encryption cards

You can view the IPsec configurations, including SA information, statistics, log, interface information and IPsec module backup function, on the encryption card using display commands.

Execute the debugging command in user view for the debugging of IPsec configuration.

Clearing statistics on encryption card

Use this command to clear statistics of the encryption cards.

Perform the following configuration in the user view.

Table 159 Delete SA

Delete SA:
    reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ]

Table 160 Display and debug encryption card configuration

Display interface information on the encryption card:
    display interface encrypt slot-id
Display information about the fast forwarding cache for the encryption cards:
    display encrypt-card fast-switch
Enable debugging of information, packet, SA, command, error and other messages on the encryption card:
    debugging encrypt-card { all | command | error | misc | packet | sa } [ slot-id ]
Disable debugging of information, packet, SA, command, error and other messages on the encryption card:
    undo debugging encrypt-card { all | command | error | misc | packet | sa } slot-id
Enable Comware test software debugging on the encryption card:
    debugging encrypt-card host { all | packet | sa | command | error | misc }
Disable Comware test software debugging on the encryption card:
    undo debugging encrypt-card host { all | packet | sa | command | error | misc }

Table 161 Clear statistics on encryption card(s)

Clear statistics on encryption card:
    reset counters interface encrypt slot-id


Deleting SA on encryption card

Use this command to clear the established SAs (either manually or through IKE negotiation) of the encryption cards on the security gateway.

Perform the following configuration in user view.

n Currently this command is not supported on the encryption card.

Clearing packet statistics on encryption card

You can reset all counters on the encryption card, including those for data packets, byte counting, lost packets, failed authentication, faulty SAs, invalid SA proposals, invalid protocols, and so on.

Perform the following configuration in user view.

n Currently this command is not supported on the encryption card.

Clearing system log on encryption card

You can clear the system log, which records all key operations to it, on the encryption card.

Perform the following configuration in user view.

n Currently this command is not supported on the encryption card.

Clearing the fast forwarding information on encryption card

Perform the following configuration in user view.

Table 162 Delete SA

Delete SAs on the encryption card:
    reset encrypt-card sa slot-id

Table 163 Clear packet statistics on encryption card

Clear packet statistics on encryption card:
    reset encrypt-card statistics slot-id

Table 164 Clear system log on encryption card

Clear system log on encryption card:
    reset encrypt-card syslog slot-id

Table 165 Clear the fast forwarding information on encryption card

Clear the fast forwarding information on the encryption card:
    reset encrypt-card fast-switch


IPsec Configuration Example

Network requirements

An IPsec tunnel is established between the IPsec module and the Router, so that the data stream between PC_A and PC_B is protected while it crosses an unsecured network.

Network diagram

Figure 38 Network diagram for IPsec

Configuration procedure

1 PC_A

IP address: 10.0.0.1/24

Gateway: 10.0.0.254

2 PC_B

IP address: 20.0.0.1/24

Gateway: 20.0.0.254

3 Router

# Configure the interface IP address.

<Router> system-view
[Router] interface GigabitEthernet 0/0
[Router-GigabitEthernet0/0] ip address 50.0.0.1 24
[Router-GigabitEthernet0/0] quit
[Router] interface GigabitEthernet 0/1
[Router-GigabitEthernet0/1] ip address 20.0.0.254 24
[Router-GigabitEthernet0/1] quit

# Configure ACL rules.


[Router] acl number 3000
[Router-acl-adv-3000] rule permit ip source 20.0.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
[Router-acl-adv-3000] quit

# Configure the IPsec IKE.

[Router] ike peer same
[Router-ike-peer-same] pre-shared-key 3com
[Router-ike-peer-same] remote-address 50.0.0.254
[Router-ike-peer-same] quit

# Configure the IPsec proposal.

[Router] ipsec proposal tran
[Router-ipsec-proposal-tran] encapsulation-mode tunnel
[Router-ipsec-proposal-tran] transform esp
[Router-ipsec-proposal-tran] esp encryption-algorithm des
[Router-ipsec-proposal-tran] esp authentication-algorithm sha1
[Router-ipsec-proposal-tran] quit

# Configure the IPsec policy.

[Router] ipsec policy auto 1 isakmp
[Router-ipsec-policy-isakmp-auto-1] ike-peer same
[Router-ipsec-policy-isakmp-auto-1] proposal tran
[Router-ipsec-policy-isakmp-auto-1] security acl 3000
[Router-ipsec-policy-isakmp-auto-1] quit

# Apply the IPsec policy to the sub-interface of the external network.

[Router] interface GigabitEthernet 0/0
[Router-GigabitEthernet0/0] ipsec policy auto
[Router-GigabitEthernet0/0] quit

# Configure the static route.

[Router] ip route-static 0.0.0.0 0 50.0.0.254

4 3Com (IPsecModule)

# Create the VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of IPsec module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create the SecBlade named test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the IPsec module to the IPsec module of the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log in to the IPsec module in the specified slot (both the user name and the password are SecBlade by default).

<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view

# Create a sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Configure the ACL rule.

[secblade] acl number 3000
[secblade-acl-adv-3000] rule permit ip source 10.0.0.0 0.0.0.255 destination 20.0.0.0 0.0.0.255
[secblade-acl-adv-3000] quit

# Configure the IKE peer.

[secblade] ike peer same
[secblade-ike-peer-same] pre-shared-key 3com
[secblade-ike-peer-same] remote-address 50.0.0.1
[secblade-ike-peer-same] quit

# Configure the IPsec proposal.

[secblade] ipsec proposal tran
[secblade-ipsec-proposal-tran] encapsulation-mode tunnel
[secblade-ipsec-proposal-tran] transform esp
[secblade-ipsec-proposal-tran] esp encryption-algorithm des
[secblade-ipsec-proposal-tran] esp authentication-algorithm sha1
[secblade-ipsec-proposal-tran] quit

# Configure the IPsec policy.

[secblade] ipsec policy auto 1 isakmp
[secblade-ipsec-policy-isakmp-auto-1] ike-peer same
[secblade-ipsec-policy-isakmp-auto-1] proposal tran
[secblade-ipsec-policy-isakmp-auto-1] security acl 3000
[secblade-ipsec-policy-isakmp-auto-1] quit

# Apply the IPsec policy to the sub-interface of the external network.

[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] ipsec policy auto
[secblade-GigabitEthernet0/0.2] quit

# Configure the static route.

[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Quit IPsec module configuration view.

[secblade] quit
<secblade> quit
[SW8800]
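The two ends of this tunnel only come up if their configurations agree with each other, and the mistakes that break them are usually mechanical: an ACL that is not the mirror image of the peer's, a remote-address pointing at the wrong interface, or a mistyped pre-shared key. The following check is an added example, not part of the 3Com guide or its software. It parses the ACL rule, pre-shared-key and remote-address lines copied from the Router and IPsec module configuration above and reports any disagreement. The Router's GigabitEthernet 0/0 address (50.0.0.1) does not appear on this page and is assumed from the Router's static route and the module's remote-address.

```python
"""Cross-check the two ends of the IPsec/IKE tunnel configured above.

Added example; not part of the 3Com guide or its software. Checks that the
security ACLs are mirror images, that each remote-address is the address the
other peer applies its policy on, and that the pre-shared keys are identical.
"""
import ipaddress
import re


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Comware ACLs use wildcard masks: 0 bits must match, 1 bits are ignored."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, ipaddress.IPv4Address(mask).exploded), strict=False)


def parse_rule(line: str):
    """Return (action, source_net, dest_net) for an advanced ACL 'rule' line, else None."""
    toks = line.split()
    if "rule" not in toks:
        return None
    action = toks[toks.index("rule") + 1]

    def endpoint(keyword):
        j = toks.index(keyword) + 1
        if toks[j] == "any":
            return ipaddress.IPv4Network("0.0.0.0/0")
        return wildcard_to_network(toks[j], toks[j + 1])

    return action, endpoint("source"), endpoint("destination")


def parse_side(lines, tunnel_address: str):
    """Collect ACL rules, remote-address and pre-shared key from one peer's CLI lines."""
    side = {"rules": [], "remote": None, "psk": None, "address": tunnel_address}
    for line in lines:
        rule = parse_rule(line)
        if rule:
            side["rules"].append(rule)
        m = re.search(r"\bremote-address\s+(\S+)", line)
        if m:
            side["remote"] = m.group(1)
        m = re.search(r"\bpre-shared-key\s+(\S+)", line)
        if m:
            side["psk"] = m.group(1)
    return side


def check_tunnel(a, b):
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    mirror_of_b = {(act, dst, src) for act, src, dst in b["rules"]}
    if set(a["rules"]) != mirror_of_b:
        findings.append("security ACLs are not mirror images")
    if a["remote"] != b["address"]:
        findings.append(f"side A remote-address {a['remote']} != side B address {b['address']}")
    if b["remote"] != a["address"]:
        findings.append(f"side B remote-address {b['remote']} != side A address {a['address']}")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    return findings


# Lines copied from the Router and IPsec module configuration above, prompts stripped.
ROUTER_LINES = [
    "rule permit ip source 20.0.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255",
    "pre-shared-key 3com",
    "remote-address 50.0.0.254",
]
SECBLADE_LINES = [
    "rule permit ip source 10.0.0.0 0.0.0.255 destination 20.0.0.0 0.0.0.255",
    "pre-shared-key 3com",
    "remote-address 50.0.0.1",
]


def check_example():
    router = parse_side(ROUTER_LINES, "50.0.0.1")        # assumed GigabitEthernet 0/0 address
    secblade = parse_side(SECBLADE_LINES, "50.0.0.254")  # GigabitEthernet 0/0.2 above
    return check_tunnel(router, secblade)


if __name__ == "__main__":
    print(check_example() or "both ends agree")
```

Run it against the two configurations above and it reports no findings; change one address or the key on either side and the corresponding line is printed, which is quicker than reading debugging ike output after the tunnel fails to negotiate.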

IPsec Troubleshooting

Symptom: When the IPsec policy is applied to an interface for the first time, both ends encrypt and decrypt the traffic correctly. After the IPsec function is disabled, the two ends communicate normally. When the IPsec policy is applied a second time, packets are no longer processed by IPsec and the peer cannot be pinged.

Troubleshooting: This problem usually appears when the initiator configures its IPsec policy directly in IPsec policy view while the responder creates its policy from an IPsec policy template. Communication is normal the first time the policy is applied, but when the function is disabled a fast-switching (fast-forwarding) entry is created at the responder. When the IPsec policy is enabled the second time, the stale fast-switching entry causes packets to bypass IPsec processing. Clear the fast-switching cache with the reset ip fast-forwarding cache command before enabling the IPsec policy again.


11

IKE CONFIGURATION

IKE Overview

Brief Introduction to IKE

Internet Key Exchange (IKE) is the Internet's shared-secret exchange protocol. It is a hybrid protocol that operates within the framework specified by the Internet Security Association and Key Management Protocol (ISAKMP). IKE automatically negotiates and exchanges shared keys for IPsec and sets up the Security Associations (SAs), which simplifies IPsec deployment and management.

Network security has two aspects: the security of the internal LAN and the security of data exchanged with the outside. The former is implemented with firewalls, network address translation (NAT) and similar measures; IPsec (IP Security) implements the latter. IPsec Security Associations can be established by manual configuration, but as the number of nodes grows manual configuration becomes unmanageable and it is hard to keep the keys secure. In that case IKE automatic negotiation is used to establish the Security Associations and exchange the shared secrets.

IKE has a series of self-protection mechanisms that let it distribute shared keys, authenticate identities and establish IPsec Security Associations securely over an untrusted network.

IKE security mechanisms include:

■ Diffie-Hellman (DH) exchange and shared key distribution

Diffie-Hellman is a shared-key agreement algorithm: the two parties exchange some data without ever transmitting the shared key itself, and each computes the shared key from that data. Encryption requires both parties to hold the same shared key. The merit of IKE is that it never sends the shared key across the untrusted network; it derives the key from a series of exchanged values. Even a third party (an attacker) who captures every value exchanged cannot compute the real shared key.

■ Perfect Forward Secrecy (PFS)

PFS is a security property: if one key is compromised, the security of the other keys is not affected, because the keys are not derived from one another. In IPsec, PFS is provided by performing an additional Diffie-Hellman key exchange during IKE phase 2 negotiation.

■ Identity authentication

Identity authentication verifies the identity of both parties in the communication. The authentication key is an input to the derivation of the shared secret, so two parties holding different authentication keys cannot derive the same shared secret. The authentication key is the key each party uses to authenticate the other.

■ Identity protection

After the shared secret has been generated, identity data is encrypted before it is transmitted, which protects the identities of the peers.

IKE uses two phases to negotiate the shared secret for IPsec and create the Security Associations. In phase 1 the parties establish a channel that is authenticated and protected; the exchange in this phase establishes an ISAKMP Security Association (ISAKMP SA). In phase 2 the secure channel established in phase 1 is used to negotiate the specific Security Associations for IPsec and establish the IPsec SAs, which are then used to protect the actual IP traffic.
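The mechanisms listed above can be seen working in a small model of phase 1. The following is an added example, not taken from the 3Com guide or its software: both peers send only public Diffie-Hellman values and each computes the same g^xy; the pre-shared key (the authentication key) is an input to the key derivation, so peers holding different keys derive different secrets; and with PFS a fresh Diffie-Hellman exchange in phase 2 makes the IPsec keying material independent of the phase-1 secret. It uses IKE group 2 (the 1024-bit MODP group from RFC 2409 section 6.2) and assumes SHA-1 as the negotiated hash, so the prf is HMAC-SHA1; the SKEYID, SKEYID_d and KEYMAT derivations are those of RFC 2409 section 5 for pre-shared-key authentication. Nonces, cookies and exponents are generated at random; the SPI value is constructed.

```python
"""IKE phase-1 keying with Diffie-Hellman and a pre-shared key, plus the effect of PFS.

Added example; not from the 3Com guide or its software. RFC 2409 section 5,
pre-shared-key authentication, with prf = HMAC-SHA1 (SHA-1 assumed negotiated):
    SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    KEYMAT   = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
"""
import hashlib
import hmac
import secrets

GROUP2_P = int(  # RFC 2409 section 6.2, 1024-bit MODP prime (IKE dh group2), generator 2
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
P_BYTES = (GROUP2_P.bit_length() + 7) // 8
ESP = 3  # IPsec protocol identifier for ESP, used in the KEYMAT derivation


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Private exponent x and the public value g^x mod p; only the latter is sent."""
    x = 2 + secrets.randbelow(GROUP2_P - 3)
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(peer_public: int, x: int) -> bytes:
    """g^xy mod p, computed locally by each side and never transmitted."""
    if not 1 < peer_public < GROUP2_P - 1:  # reject 0, 1 and p-1
        raise ValueError("peer DH public value out of range")
    return pow(peer_public, x, GROUP2_P).to_bytes(P_BYTES, "big")


def phase1_skeyid(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID and SKEYID_d for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    return skeyid, skeyid_d


def phase2_keymat(skeyid_d, protocol, spi, ni, nr, gqm_xy=b""):
    """Quick-mode KEYMAT; gqm_xy is the fresh phase-2 DH secret when PFS is on, else empty."""
    return prf(skeyid_d, gqm_xy + bytes([protocol]) + spi + ni + nr)


def run_phase1(psk_initiator: bytes, psk_responder: bytes):
    """Simulate phase 1; return (initiator keys, responder keys, values visible on the wire)."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    wire = {"g^xi": gxi, "g^xr": gxr, "Ni": ni, "Nr": nr, "CKY-I": cky_i, "CKY-R": cky_r}
    keys_i = phase1_skeyid(psk_initiator, ni, nr, dh_shared(gxr, xi), cky_i, cky_r)
    keys_r = phase1_skeyid(psk_responder, ni, nr, dh_shared(gxi, xr), cky_i, cky_r)
    return keys_i, keys_r, wire


def pfs_demo(skeyid_d: bytes):
    """Two quick-mode runs with the same SKEYID_d, SPI and nonces. Without PFS anyone holding
    SKEYID_d plus the wire values recomputes KEYMAT (both runs agree); with PFS each run's
    fresh DH secret makes KEYMAT unpredictable from SKEYID_d alone."""
    spi, ni, nr = b"\x00\x00\x10\x01", secrets.token_bytes(16), secrets.token_bytes(16)
    no_pfs = [phase2_keymat(skeyid_d, ESP, spi, ni, nr) for _ in range(2)]
    with_pfs = []
    for _ in range(2):
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        with_pfs.append(phase2_keymat(skeyid_d, ESP, spi, ni, nr, dh_shared(gxr, xi)))
    return no_pfs, with_pfs


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used to confirm the group modulus is a safe prime."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


if __name__ == "__main__":
    (skeyid, skeyid_d), keys_r, wire = run_phase1(b"3com", b"3com")
    print("peers derive the same SKEYID_d:", (skeyid, skeyid_d) == keys_r)
```

Nothing in the wire dictionary lets an observer compute g^xy, and a responder configured with a different pre-shared key ends up with a different SKEYID even though it saw the same exchange, which is how a wrong key shows up as an authentication failure rather than as a decryption error.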

The relation between IKE and IPsec is shown in the following figure.

Figure 39 Relation between IKE and IPsec (Switch 8800 A and Switch 8800 B: IKE on each switch negotiates the SAs, and IPsec, sitting below TCP/UDP in the IP stack, uses those SAs to encrypt the IP packets exchanged between the two switches)

IKE aggressive mode

ADSL and dial-up access are two widely used ways of building a VPN. In both, the device at the central office typically has a static IP address while the device at the subscriber end has a dynamic one. Aggressive mode was introduced into IKE negotiation to support this case: it allows IKE to look up the pre-shared key of the negotiation initiator by the initiator's IP address or ID and complete the negotiation. Compared with main mode, aggressive mode is more flexible and supports IKE negotiation even when the initiator's IP address is dynamic.

NAT traversal

If there is a NAT gateway on the VPN tunnel set up with IPsec/IKE and that gateway performs NAT on the VPN traffic, you must configure NAT traversal for IPsec/IKE. With this function, IKE negotiation does not authenticate the UDP port number, and the peers discover whether a NAT gateway sits on the tunnel path. If one is discovered, the subsequent IPsec traffic is UDP-encapsulated, that is, the IPsec packets are carried inside the UDP connection used for IKE negotiation, so that the NAT gateway cannot modify them. The NAT gateway rewrites only the outermost IP and UDP headers and leaves the encapsulated IPsec packet intact, which preserves its integrity; the authentication performed during IPsec decryption requires the IPsec packet to arrive at its destination unmodified. Currently only aggressive mode supports NAT traversal; main mode does not.

The two features described above are usually used together in ADSL + IPsec deployments to solve the two problems of a broadband-connected enterprise network: dynamic IP addresses at the branch and NAT on the public network. Together they provide a secure way to replace the original leased-line access with ADSL broadband access.
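The NAT discovery step described above is done with NAT-D payloads during phase 1 (RFC 3947). The following is an added example, not from the 3Com guide or its software, and the addresses and cookies in it are constructed. Each peer sends one NAT-D payload carrying HASH(CKY-I | CKY-R | IP | Port) for the address it believes the remote peer has, followed by one for each of its own addresses. The receiver recomputes the hashes over the source and destination it actually sees in the outer IP/UDP headers. A NAT gateway rewrites those headers but cannot touch the hashes inside the IKE payload, so a mismatch reveals the NAT and the peers move IKE and the UDP-encapsulated ESP to port 4500. SHA-1 is assumed as the negotiated hash.

```python
"""NAT discovery during IKE negotiation (RFC 3947 NAT-D payloads).

Added example; not from the 3Com guide or its software. SHA-1 is assumed as the
negotiated hash; cookies and addresses are constructed for the example.
"""
import hashlib
import ipaddress
import struct

IKE_PORT, NAT_T_PORT = 500, 4500


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D hash over both cookies and one address/port pair, in network byte order."""
    return hashlib.sha1(cky_i + cky_r + ipaddress.IPv4Address(ip).packed
                        + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, remote, local_addresses):
    """Sender side: the remote address first, then one payload per local address."""
    return [nat_d(cky_i, cky_r, *remote)] + [nat_d(cky_i, cky_r, *a) for a in local_addresses]


def detect_nat(cky_i, cky_r, payloads, observed_src, observed_dst):
    """Receiver side. Returns (sender_behind_nat, receiver_behind_nat)."""
    # Payload 0 is the sender's idea of *our* address; if it differs from the destination
    # the packet actually carried, a NAT in front of us rewrote the destination.
    receiver_behind_nat = payloads[0] != nat_d(cky_i, cky_r, *observed_dst)
    # The remaining payloads are the sender's own addresses; if none matches the observed
    # source, a NAT in front of the sender rewrote the source address or port.
    sender_behind_nat = nat_d(cky_i, cky_r, *observed_src) not in payloads[1:]
    return sender_behind_nat, receiver_behind_nat


def negotiate(branch_local, branch_as_seen_by_hq, hq_public):
    """The branch gateway (initiator) sends NAT-D to headquarters; a NAT on the path may
    rewrite the outer source. Returns (branch_behind_nat, hq_behind_nat, udp_port_for_ipsec)."""
    cky_i = bytes.fromhex("0a0b0c0d0e0f1011")  # constructed initiator cookie
    cky_r = bytes.fromhex("2122232425262728")  # constructed responder cookie
    payloads = build_nat_d(cky_i, cky_r, remote=hq_public, local_addresses=[branch_local])
    # The IKE payload crosses the NAT unchanged; only the outer source address/port differs.
    branch_nat, hq_nat = detect_nat(cky_i, cky_r, payloads,
                                    observed_src=branch_as_seen_by_hq, observed_dst=hq_public)
    return branch_nat, hq_nat, (NAT_T_PORT if (branch_nat or hq_nat) else IKE_PORT)


if __name__ == "__main__":
    # Branch GW on a private address, translated by the ISP's NAT; HQ on a public address.
    print(negotiate(("192.168.1.2", 500), ("203.0.113.7", 61000), ("198.51.100.1", 500)))
```

In the first case the headquarters gateway sees a source of 203.0.113.7:61000 that matches none of the branch's NAT-D hashes, so it concludes the branch is behind NAT and switches to UDP port 4500; its own hash matches, so it knows it is not behind NAT itself. When both peers are on public addresses the hashes all match and IKE stays on port 500.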

Preparation for IKE Configuration

Before configuring IKE, decide the following so that the configuration goes smoothly:

■ Decide the algorithm strength for the IKE exchange, that is, the level of security protection, including the identity authentication method, the encryption algorithm, the authentication algorithm and the Diffie-Hellman group. Algorithms differ in strength: the stronger the algorithm, the harder it is to break the protected data, but the more computing resources it consumes. Generally, the longer the shared secret, the stronger the algorithm.

■ Agree the identity authentication key with the other party.

IKE Configuration

Introduction to IKE Configuration

IKE configuration includes:

1 Set a name for the local security GW

2 Define IKE proposal

■ Establish IKE Proposal

■ Select encryption algorithm

■ Select authentication method

■ Select authentication algorithm

■ Select Diffie-Hellman Group ID

■ Set lifetime of ISAKMP SA (optional)

3 Configure IKE peer

■ Create an IKE peer

■ Configure IKE negotiation mode

■ Configure identity authentication key (pre-shared key)

■ Configure ID type in IKE negotiation

■ Configure IP address in IKE negotiation

■ Configure NAT traversal

Page 174: 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guideh20628. · 2019-01-17 · 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guide Switch

174 CHAPTER 11: IKE CONFIGURATION

■ Configure subnet type of the IKE peer

4 Configure the parameters of Keepalive timer

■ Configure interval for Keepalive transmission

■ Configure timeout time for Keepalive

Setting a Name for the Local Security GW

If the initiator uses the gateway name as its identity in IKE negotiation (that is, id-type name), you must configure the ike local-name command on the local device.

Perform the following configuration in system view (Table 166).

Defining IKE Proposal

Establishing IKE proposal

An IKE proposal defines a set of attributes describing how IKE negotiation protects its communications. Configuring an IKE proposal consists of creating the proposal and selecting the encryption algorithm, authentication method, authentication algorithm and Diffie-Hellman group ID, and optionally setting the SA lifetime.

You may create multiple IKE proposals with different priorities, but the negotiating parties must have at least one matching IKE proposal to reach agreement.

This configuration is used to define an IKE proposal. The IKE proposal configured is used to establish the security channel.

Perform the following configuration in system view (Table 167).

Execute the ike proposal command to enter IKE proposal view, where you can configure the encryption algorithm, authentication algorithm, Diffie-Hellman group ID, SA duration and authentication method.

The parameter proposal-number is the IKE proposal number, ranging from 1 to 100, and also represents the priority: a smaller number means a higher priority. You can create multiple IKE proposals on each side of the negotiation. The two sides match proposals starting from the one with the highest priority. At least one proposal must match for the negotiation to succeed, that is, both sides must have a proposal with the same encryption algorithm, authentication algorithm, authentication method and Diffie-Hellman group ID.

Table 166 Configure name of the local security GW

Operation | Command
Configure name of the local security GW | ike local-name name
Restore the default name of the local security GW | undo ike local-name

Table 167 Establish IKE proposal

Operation | Command
Create IKE proposal | ike proposal proposal-number
Delete IKE proposal | undo ike proposal proposal-number


The system provides a default IKE proposal, which has the lowest priority and has the default encryption algorithm, authentication algorithm, Diffie-Hellman group ID, SA duration, and authentication method. The parameters needed by an IKE proposal are as follows.

Selecting encryption algorithm

This configuration is used to specify an encryption algorithm used by an IKE proposal.

Perform the following configuration in IKE proposal view (Table 168).

By default, the 56-bit DES algorithm in CBC mode is used. DES offers only a 56-bit key and is no longer considered adequate protection; use 3des-cbc wherever both peers support it.

Selecting authentication method

This configuration is used to specify an authentication method used by an IKE proposal.

IKE supports two authentication methods: pre-shared key (pre-share) and PKI digital signature (rsa-signature).

When the pre-shared key method is used, the authentication key must be configured (see "Configuring pre-shared key").

Perform the following configuration in IKE proposal view (Table 169).

By default, pre-shared key authentication is used.

Selecting authentication algorithm

This configuration is used to specify the authentication algorithm used by an IKE proposal.

Perform the following configuration in IKE proposal view (Table 170).

By default, the SHA-1 authentication algorithm is used.

Table 168 Select encryption algorithm

Operation | Command
Select encryption algorithm | encryption-algorithm { des-cbc | 3des-cbc }
Set the encryption algorithm to the default value | undo encryption-algorithm

Table 169 Specify authentication method

Operation | Command
Specify authentication method | authentication-method { pre-share | rsa-signature }
Restore the authentication method to the default value | undo authentication-method

Table 170 Select authentication algorithm

Operation | Command
Select authentication algorithm | authentication-algorithm { md5 | sha }
Set authentication algorithm to the default value | undo authentication-algorithm


Selecting Diffie-Hellman group ID

This configuration is used to specify the Diffie-Hellman group ID used by an IKE proposal.

Perform the following configuration in IKE proposal view (Table 171).

By default, the 768-bit Diffie-Hellman group (group 1) is used. A 768-bit group is too small to resist current discrete-logarithm attacks; choose the largest group both peers support (group 14 where available).

Configuring lifetime of ISAKMP SA (optional)

This configuration is used to specify the lifetime of ISAKMP SA used by an IKE proposal.

Perform the following configuration in IKE proposal view (Table 172).

When the SA duration expires, the ISAKMP SA is renegotiated automatically. The SA lifetime can be set to any value between 60 and 604800 seconds. Because IKE negotiation performs a Diffie-Hellman computation, which takes a relatively long time, it is recommended to set the SA duration to more than 10 minutes so that ISAKMP SA renewal does not disturb the protected communication.

Before the configured SA duration is reached, a new SA is negotiated to replace the old one; this is called soft timeout, and it begins at 90% of the SA duration. When the SA duration is exceeded the old SA is cleared automatically; this is called hard timeout.

By default, the ISAKMP SA duration is 86400 seconds (one day).

Configuring IKE Peer

Creating an IKE peer

Perform the following configuration in system view (Table 173).

Configuring IKE negotiation mode

Perform the following configuration in IKE-peer view (Table 174).

Table 171 Select Diffie-Hellman group ID

Operation | Command
Select Diffie-Hellman group ID | dh { group1 | group2 | group5 | group14 }
Restore the default value of Diffie-Hellman group ID | undo dh

Table 172 Set sa duration of IKE SA

Operation | Command
Configure lifetime of IKE SA | sa duration seconds
Restore the default lifetime | undo sa duration

Table 173 Configure IKE peer

Operation | Command
Configure an IKE peer and enter IKE peer view | ike peer peer-name
Delete the IKE peer | undo ike peer peer-name


By default, the main mode is adopted.

■ If the IP address of one end of the security tunnel is dynamic, you must use aggressive mode for IKE negotiation.

■ When the responder accepts a negotiation request from the initiator by using a policy template, it adopts the negotiation mode of the initiator.

Configuring pre-shared key

Perform the following configuration in IKE-peer view (Table 175).

Configuring ID type in IKE negotiation

Perform the following configuration in IKE-peer view (Table 176).

By default, the IP address is used as the ID in IKE negotiation.

In main mode, only the IP address can be used as the ID in IKE negotiation. In aggressive mode, either the IP address or the name can be used.

Specifying name of the remote device

If the initiator uses its gateway name as its identity in IKE negotiation (that is, id-type name), it sends that name to the peer as its identity, and the peer authenticates the initiator against the name configured with the remote-name name command. For authentication to succeed, this remote name must be identical to the name configured with the ike local-name command on the initiator's gateway.

Perform the following configuration in IKE-peer view (Table 177).

Table 174 Configure negotiation mode

Operation | Command
Configure IKE negotiation mode | exchange-mode { aggressive | main }
Restore the default IKE negotiation mode | undo exchange-mode

Table 175 Configure pre-shared key

Operation | Command
Configure a pre-shared key for IKE negotiation | pre-shared-key key
Remove the pre-shared key used in IKE negotiation | undo pre-shared-key

Table 176 Configure ID type in IKE negotiation

Operation | Command
Select ID type in the IKE negotiation | id-type { ip | name }
Restore the default ID type in the IKE negotiation | undo id-type

Table 177 Specify name of the remote device

Operation | Command
Specify the name of a remote device | remote-name name


Configuring IP addresses of the local security GW and remote device

If the initiator uses its IP address as its identity in IKE negotiation (that is, id-type ip), it sends its IP address to the peer as its identity, and the peer authenticates the initiator against the address configured with the remote-address ip-address command. For authentication to succeed, this address must be the same as the address configured with the local-address command on the initiator.

Perform the following configuration in IKE-peer view (Table 178).

Generally you do not need to configure the local-address command unless you want the local gateway to use a specific address, such as the address of a loopback interface.

Configuring NAT traversal

NAT traversal must be configured whenever a NAT device sits on the VPN tunnel built with IPsec/IKE.

Perform the following configuration in IKE-peer view (Table 179).

To save IP address space, ISPs often place NAT gateways in the public network and assign private IP addresses to subscribers. An IPsec/IKE tunnel may then have a public address at one end and a private address at the other. In that case you must enable NAT traversal at both ends of the tunnel so that the tunnel can be negotiated and established normally.

Configuring subnet type of the IKE peer

These two commands are needed only when your security gateway interoperates with a NetScreen device.

Perform the following configuration in IKE-peer view (Table 180).

Table 177 Specify name of the remote device (continued)

Operation | Command
Remove the name of the remote device | undo remote-name

Table 178 Configure IP address of the local security GW and remote device

Operation | Command
Configure IP address of the local security GW | local-address ip-address
Delete IP address of the local security GW | undo local-address
Configure IP address of the remote device | remote-address ip-address
Delete the IP address of the remote device | undo remote-address

Table 179 Configure the NAT traversal function of IPsec/IKE

Operation | Command
Enable the NAT traversal function of IPsec/IKE | nat-traversal
Disable the NAT traversal function of IPsec/IKE | undo nat-traversal


By default, the subnet type of both the local end and the remote end is single-subnet.

Configuring Keepalive Timer

Configuring keepalive interval

Configure the interval at which the ISAKMP SA sends keepalive (hold) packets to the peer.

Perform the following configuration in system view (Table 181).

IKE maintains the ISAKMP SA link state with these packets. If the peer has configured a timeout with the ike sa keepalive-timer timeout command, the keepalive interval must be configured on the local end. If the peer does not receive a keepalive packet within its configured timeout, it deletes the ISAKMP SA and the corresponding IPsec SAs. The timeout configured on the peer must therefore be longer than the local keepalive interval.

By default, this function is disabled.

Configuring keepalive timeout time

Configure how long the ISAKMP SA waits for a keepalive packet before timing out.

Perform the following configuration in system view (Table 182).

IKE maintains the ISAKMP SA link state with keepalive packets. If no keepalive packet is received from the peer within the configured timeout, the ISAKMP SA and its corresponding IPsec SAs are deleted. The configured timeout must therefore be longer than the peer's keepalive interval.

Table 180 Configure subnet type of the IKE peer

Operation | Command
Configure subnet type of the local GW | local { multi-subnet | single-subnet }
Restore the default subnet type of the local GW | undo local
Configure subnet type of the peer GW | peer { multi-subnet | single-subnet }
Restore the default subnet type of the peer GW | undo peer

Table 181 Configure time interval for Keepalive packet transmission

Operation | Command
Configure time interval for ISAKMP SA to transmit Keepalive packets to the peer | ike sa keepalive-timer interval seconds
Disable the above function | undo ike sa keepalive-timer interval

Table 182 Configure timeout waiting time for Keepalive packet

Operation | Command
Configure ISAKMP SA timeout time for waiting Keepalive packet | ike sa keepalive-timer timeout seconds
Disable this function | undo ike sa keepalive-timer timeout


Packet loss on a network rarely exceeds three consecutive packets, so the timeout can be set to three times the peer's keepalive interval.

By default, this function is invalid.

Configuring NAT Keepalive sending interval

Perform the following configuration in system view (Table 183).

The default NAT keepalive interval is 20 seconds.

An IKE peer behind a NAT gateway sends NAT keepalive packets to keep the NAT gateway's dynamic mapping for the tunnel alive; they are not used to detect the status of the peer. Set the interval shorter than the NAT gateway's translation timeout, otherwise the mapping expires and the remote end can no longer reach the device behind the NAT.

Displaying and Debugging IKE

After completing the above configuration, execute the display commands in any view to display the running IKE configuration and verify the effect of the configuration. Execute the debugging and reset commands in user view (Table 184).

You can delete a specific security channel by specifying its SA connection-id, which is shown by the display ike sa command. For a given security channel (that is, a given remote end), the connection-id information covers both the phase 1 and the phase 2 SAs.

If the phase 1 ISAKMP SA still exists when you delete the local SA, the system sends a DELETE message, protected by the ISAKMP SA, to notify the peer to clear its SA database.

Table 183 Configure NAT Keepalive sending interval

Operation | Command
Define the time interval for the IKE peer to send NAT Keepalive packets | ike sa nat-keepalive-timer interval seconds
Restore the default NAT Keepalive time interval | undo ike sa nat-keepalive-timer interval

Table 184 Display and debug IKE

Operation | Command
Display the currently established security channels | display ike sa [ verbose [ connection-id id | remote-address ip-address ] ]
Display the parameters of each configured IKE proposal | display ike proposal
Display the configuration of IKE peers | display ike peer [ peer-name ]
Display the authentication key used for pre-shared key authentication | display ike pre-share-key
Delete a security channel | reset ike sa [ connection-id ]
Enable IKE debugging | debugging ike { all | error | exchange | message | misc | transport }
Disable IKE debugging | undo debugging ike { all | error | exchange | message | misc | transport }


If no connection-id is specified, all phase 1 SAs are removed.

A security channel and an SA are different concepts. A security channel is bidirectional between its two endpoints, whereas an IPsec SA is a unidirectional connection; a security channel therefore consists of one or more pairs of SAs.

Typical Configuration of IKE

Typical IKE Configuration Example

Networking requirement

■ Hosts 1 and 2 communicate securely; a security channel is established between security gateways A and B by IKE automatic negotiation.

■ An IKE proposal with priority 10 is configured on security gateway A; security gateway B uses the default IKE proposal.

■ The proposals use pre-shared key authentication, so an authentication key is configured.

Networking diagram

Figure 40 Networking diagram of IKE configuration example

Configuration procedure

1 Make the following configurations on the security GW A:

# Configure an IKE peer.

[SW8800] ike peer peer
[3Com-ike-peer-peer] pre-shared-key abcde
[3Com-ike-peer-peer] remote-address 171.69.224.33

# Configure an IKE proposal 10.

[SW8800] ike proposal 10

# Set the authentication algorithm used by the IKE proposal to MD5.

[3Com-ike-proposal-10] authentication-algorithm md5

Figure 40 layout: Host 1 -- Ethernet -- GW A (Ethernet 2/0/1, 202.38.160.1) -- Internet -- GW B (Ethernet 2/0/1, 171.69.224.33) -- Ethernet -- Host 2


# Apply the pre-shared key authentication mode.

[3Com-ike-proposal-10] authentication-method pre-share

# Set the lifetime duration of ISAKMP SA to 5000 seconds.

[3Com-ike-proposal-10] sa duration 5000

2 Make the following configurations on the security GW B:

# Configure an IKE peer.

[SW8800] ike peer peer
[3Com-ike-peer-peer] pre-shared-key abcde
[3Com-ike-peer-peer] remote-address 202.38.160.1

The configuration above is sufficient for IKE negotiation between gateways A and B to succeed. GW A is configured with proposal 10 (authentication-algorithm md5) in addition to the default proposal, while GW B has only the default IKE proposal (authentication-algorithm sha), so GW B has no proposal matching GW A's proposal 10. When the proposals are compared starting from the highest priority, the only match found is the default IKE proposal on both sides. The SA duration is not compared during proposal matching, because the lifetime is determined by the initiator of the IKE negotiation.
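The matching rule used above (and described under "Establishing IKE proposal") can be modelled directly. The following is an added example, not from the 3Com guide or its software. Each peer holds its configured proposals (numbers 1 to 100, smaller meaning higher priority) plus the system default proposal at the lowest priority; matching walks the initiator's proposals from the highest priority and succeeds on the first pair whose encryption algorithm, authentication method, authentication algorithm and DH group are all equal, and the SA duration is taken from the initiator. The defaults (des-cbc, pre-share, sha, group1, 86400 seconds) are those stated in this chapter; the priority value 101 for the default proposal is an assumption that simply places it after every configured one, and the weak-setting check at the end is an editorial addition.

```python
"""IKE proposal matching by priority, as this chapter describes it.

Added example; not from the 3Com guide or its software. Default values are
those stated in the chapter; DEFAULT_PRIORITY and the weak-setting check are
editorial assumptions.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 101  # assumed: beyond the 1..100 user range so the default proposal sorts last


@dataclass(frozen=True)
class IkeProposal:
    number: int
    encryption: str = "des-cbc"      # encryption-algorithm { des-cbc | 3des-cbc }
    auth_method: str = "pre-share"   # authentication-method { pre-share | rsa-signature }
    auth_alg: str = "sha"            # authentication-algorithm { md5 | sha }
    dh: str = "group1"               # dh { group1 | group2 | group5 | group14 }
    sa_duration: int = 86400         # sa duration, in seconds; not part of the match

    def matches(self, other: "IkeProposal") -> bool:
        """The four attributes the chapter says must agree; lifetime is deliberately excluded."""
        return (self.encryption, self.auth_method, self.auth_alg, self.dh) == \
               (other.encryption, other.auth_method, other.auth_alg, other.dh)


DEFAULT_PROPOSAL = IkeProposal(DEFAULT_PRIORITY)


def negotiate(initiator, responder):
    """Return (initiator_proposal, responder_proposal, agreed_sa_duration), or None if nothing matches."""
    for ip in sorted(initiator, key=lambda p: p.number):
        for rp in sorted(responder, key=lambda p: p.number):
            if ip.matches(rp):
                return ip, rp, ip.sa_duration  # the lifetime comes from the initiator
    return None


# Editorial: settings a reviewer would flag today, not a statement from the guide.
WEAK = {"encryption": {"des-cbc"}, "auth_alg": {"md5"}, "dh": {"group1", "group2"}}


def weak_settings(p: IkeProposal):
    return [f"{field}={getattr(p, field)}" for field, bad in WEAK.items() if getattr(p, field) in bad]


# The worked case from the text: GW A adds proposal 10 (md5, 5000 s); GW B keeps only the default.
GW_A = [IkeProposal(10, auth_alg="md5", sa_duration=5000), DEFAULT_PROPOSAL]
GW_B = [DEFAULT_PROPOSAL]

if __name__ == "__main__":
    chosen = negotiate(GW_A, GW_B)
    print("agreed:", chosen)
    print("weak settings in the agreed proposal:", weak_settings(chosen[0]))
```

With GW A as initiator the result is the default proposal on both sides with a lifetime of 86400 seconds, exactly as the text explains; had GW B also configured an md5 proposal, proposal 10 would have matched it and the lifetime would have been GW A's 5000 seconds. The weak-setting list for the default proposal is a reminder that "it negotiated" and "it is adequately protected" are different questions.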

For more information about IPsec configurations, see "Typical IPsec Configuration Examples" in Chapter 5.

Typical IKE Aggressive Mode and NAT Traversal Configuration Example

Networking requirement

■ The Ethernet0/0/0 interface of 3Com A has a fixed public IP address; 3Com B obtains its IP address dynamically.

■ 3Com B can reach the public network only through the service provider's NAT device, so the branch must use IKE aggressive mode and NAT traversal to set up the IPsec connection.

■ To protect the information, an IPsec/IKE security tunnel is created.

Networking diagram

Figure 41 Networking for the application of IKE aggressive mode and NAT traversal

Configuration procedure

1 Configure 3Com A:

# Set a name for the local security GW.

[3ComA] ike local-name 3ComA

Figure 41 layout: Branch (GW B, E0/0/0) -- Internet -- Headquarters (GW A, E0/0/0)


# Configure ACL.

[3ComA] acl number 3101 match-order auto
[3ComA-acl-adv-3101] rule permit ip source any destination any
[3ComA-acl-adv-3101] quit

# Configure an IKE peer.

[3ComA] ike peer peer
[3ComA-ike-peer-peer] exchange-mode aggressive
[3ComA-ike-peer-peer] pre-shared-key abc
[3ComA-ike-peer-peer] id-type name
[3ComA-ike-peer-peer] remote-name 3ComB
[3ComA-ike-peer-peer] n-traversal
[3ComA-ike-peer-peer] quit

# Create an IPsec proposal "prop".

[3ComA] ipsec proposal prop
[3ComA-ipsec-proposal-prop] encapsulation-mode tunnel
[3ComA-ipsec-proposal-prop] transform esp
[3ComA-ipsec-proposal-prop] esp encryption-algorithm des
[3ComA-ipsec-proposal-prop] esp authentication-algorithm sha1
[3ComA-ipsec-proposal-prop] quit

# Create an IPsec policy and establish an SA through IKE negotiation.

[3ComA] ipsec policy policy 10 isakmp

# Configure the IPsec policy and quote the IKE peer in the policy.

[3ComA-ipsec-policy-isakmp-policy-10] ike-peer peer

# Quote the ACL 3101 in the IPsec policy.

[3ComA-ipsec-policy-isakmp-policy-10] security acl 3101

# Quote the IPsec proposal "prop" in the IPsec policy.

[3ComA-ipsec-policy-isakmp-policy-10] proposal prop

# Access the interface E0/0/0 and configure its IP address.

[3ComA] interface Ethernet0/0/0
[3ComA-Ethernet0/0/0] ip address 10.0.0.1 255.255.0.0

# Apply the IPsec policy group "policy" on the interface E0/0/0.

[3ComA-Ethernet0/0/0] ipsec policy policy

2 Configure 3Com B:

# Set a name for the local security GW.

[3ComB] ike local-name 3ComB

# Configure ACL.

[3ComB] acl number 3101 match-order auto
[3ComB-acl-adv-3101] rule permit ip source any destination any


# Configure an IKE peer.

[3ComB] ike peer peer
[3ComB-ike-peer-peer] exchange-mode aggressive
[3ComB-ike-peer-peer] pre-shared-key abc
[3ComB-ike-peer-peer] id-type name
[3ComB-ike-peer-peer] remote-name 3ComA
[3ComB-ike-peer-peer] remote-address 10.0.0.1
[3ComB-ike-peer-peer] nat traversal

# Create an IPsec proposal "prop".

[3ComB] ipsec proposal prop
[3ComB-ipsec-proposal-prop] encapsulation-mode tunnel
[3ComB-ipsec-proposal-prop] transform esp
[3ComB-ipsec-proposal-prop] esp encryption-algorithm des
[3ComB-ipsec-proposal-prop] esp authentication-algorithm sha1

# Create an IPsec policy and specify to set up SA by means of IKE negotiation.

[3ComB] ipsec policy policy 10 isakmp

# Quote the IKE peer in the IPsec policy.

[3ComB-ipsec-policy-isakmp-policy-10] ike-peer peer

# Quote the ACL 3101 in the IPsec policy.

[3ComB-ipsec-policy-isakmp-policy-10] security acl 3101

# Quote the IPsec proposal "prop" in the IPsec policy.

[3ComB-ipsec-policy-isakmp-policy-10] proposal prop

# Access the interface E0/0/0 and assign a dynamic IP address to the interface.

[3ComB] interface Ethernet0/0/0
[3ComB-Ethernet0/0/0] pppoe-client dial-bundle-number 1

# Configure dial-up port

[3ComB] dialer-rule 1 ip permit
[3ComB] interface dialer 1
[3ComB-Dialer1] link-protocol ppp
[3ComB-Dialer1] ppp pap local-user aaa password simple aaa
[3ComB-Dialer1] mtu 1450
[3ComB-Dialer1] ip address ppp-negotiate
[3ComB-Dialer1] dialer user 12
[3ComB-Dialer1] dialer-group 1
[3ComB-Dialer1] dialer bundle 1

# Apply the IPsec policy group "policy" on the interface Dialer 1.

[3ComB-Dialer1] ipsec policy policy


IKE Fault Diagnosis and Troubleshooting

When configuring the parameters used to establish an IPsec security channel, you can enable IKE error debugging to help locate configuration problems. The command is as follows:

<SW8800> debugging ike error

Symptom 1: Invalid user ID information

Troubleshooting: The user ID is the data that the user initiating the IPsec communication uses to identify itself. In actual applications, you can use the user ID to set up different security channels for different types of data traffic, so that each is protected separately. In the 3Com implementation, a user is currently identified by its IP address.

Following is the debugging information you may view on the screen:

got NOTIFY of type INVALID_ID_INFORMATION

Or

drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION

Check whether the ACLs of the IPsec policies configured on the interfaces at both ends of the negotiation are compatible. You are recommended to configure the ACLs to mirror each other. For more information about ACL mirroring, refer to the section "Configure ACL" in "IPsec Configuration".

Symptom 2: Proposal mismatch

Troubleshooting:

Following is the debugging information you may view on the screen:

got NOTIFY of type NO_PROPOSAL_CHOSEN

Or

drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN

The two parties of the negotiation have no matching proposal. For the stage 1 negotiation, check the IKE proposals for a match. For the stage 2 negotiation, check whether the parameters of the IPsec policies applied on the interfaces match, and whether the referenced IPsec proposals match in protocol, encryption algorithm and authentication algorithm.

Symptom 3: Unable to establish security channel

Troubleshooting: Check whether the network is stable and the security channel has been established correctly. Sometimes a security channel exists but no communication is possible, even though the ACLs of both parties are correctly configured and the policies match.

In this case, the problem is usually caused by one security gateway restarting after the security channel was established. Solution:


■ Use the command display ike sa to check whether both parties have established the Phase 1 SA.

■ Use the command display ipsec sa to check whether the IPsec policy on the interface has established an IPsec SA.

■ If the two results above show that one party has an SA but the other does not, use the command reset ike sa to clear the faulty SA and re-initiate the negotiation.
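As an added example (not from the 3Com guide), a small triage helper that runs over captured debugging ike error output, recognises the two notification line formats shown above, counts them per peer and attaches the check from the matching symptom. The sample lines are constructed, not captured from a real switch.

```python
import re
from collections import Counter

# Checklist entries keyed by notification type, taken from the symptoms above.
GUIDANCE = {
    "INVALID_ID_INFORMATION": (
        "Symptom 1: check that the IPsec policy ACLs at both ends are "
        "compatible (configured to mirror each other)."),
    "NO_PROPOSAL_CHOSEN": (
        "Symptom 2: stage 1 - compare the IKE proposals; stage 2 - compare the "
        "IPsec policy parameters and the proposal protocol, encryption and "
        "authentication algorithms."),
}
UNLISTED = "Unlisted notification type; inspect the full IKE debugging output."

# The two line shapes the guide shows (peer address is A.B.C.D in the text).
RECEIVED = re.compile(r"got NOTIFY of type (?P<ntype>[A-Z_]+)")
DROPPED = re.compile(
    r"drop message from (?P<peer>\S+) due to notification type (?P<ntype>[A-Z_]+)")


def parse_ike_error_line(line: str):
    """Return {'event', 'peer', 'ntype'} for a recognised line, else None."""
    m = DROPPED.search(line)
    if m:
        return {"event": "dropped", "peer": m.group("peer"),
                "ntype": m.group("ntype")}
    m = RECEIVED.search(line)
    if m:
        # A received NOTIFY line carries no peer address.
        return {"event": "received", "peer": None, "ntype": m.group("ntype")}
    return None


def triage(lines):
    """Count notifications per (peer, type), most frequent first, and
    attach the troubleshooting step from the guide."""
    counts = Counter()
    for line in lines:
        event = parse_ike_error_line(line)
        if event is not None:
            counts[(event["peer"], event["ntype"])] += 1
    return [
        {"peer": peer, "ntype": ntype, "count": n,
         "guidance": GUIDANCE.get(ntype, UNLISTED)}
        for (peer, ntype), n in counts.most_common()
    ]


# Constructed sample of debugging output (not real switch output).
SAMPLE_DEBUG = [
    "drop message from 10.0.0.1 due to notification type NO_PROPOSAL_CHOSEN",
    "drop message from 10.0.0.1 due to notification type NO_PROPOSAL_CHOSEN",
    "got NOTIFY of type INVALID_ID_INFORMATION",
    "some unrelated debugging line",
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_DEBUG):
        print(entry)
```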


12 PKI CONFIGURATION

PKI Overview

Introduction

Public key infrastructure (PKI) is a system that uses public key technology and digital certificates to protect system security and to authenticate digital certificate users. It provides a complete set of security mechanisms by combining software/hardware systems with security policies. PKI uses certificates to manage public keys: it binds user public keys with other identifying information through a trustworthy association, so that online authentication is possible. PKI provides a safe network environment and makes encryption and digital signature technologies easy to use in many application environments, to assure the confidentiality, integrity and validity of online data. Confidentiality means that data cannot be snooped by unauthorized users during transmission; integrity means that data cannot be altered illegally during transmission; validity means that data cannot be repudiated.

A PKI system consists of public key algorithm, certificate authority, registration authority, digital certificate, and PKI repository.

Figure 42 PKI components block diagram

The certificate authority issues and manages certificates. The registration authority authenticates user identity and manages the certificate revocation list. The PKI repository stores and manages information such as certificates and logs, and provides a query function. The digital certificate, also called a public key certificate (PKC), underlies the security of the PKI system and the trust placed in applications. It is a file signed by the certificate authority that contains the public key and owner information, and it supports authentication based on public key technology. It can be used as proof of identity for online information exchange and commercial activities. A certificate has a lifetime, which is specified when it is issued; the certificate authority can, of course, revoke a certificate before its expiration date.

(Figure 42 blocks: PKI application; CA; RA; PKI repository; digital certificate)


Terminology

■ Public key algorithm: A key algorithm that uses different keys for encryption and decryption. A pair of keys is generated for each user; one is published as the public key and the other is kept as the private key. Information encrypted with one key can only be decrypted with the other, so the key pair is generally used for signature and authentication. In communication, if the sender signs with its private key, the receiver verifies the signature with the sender's public key. If the sender encrypts the information with the receiver's public key, only the receiver's private key can decrypt it.

■ Certificate authority (CA): Trustworthy entity issuing certificates to persons, PCs or any other entities. CA deals with certificate requests, and checks applicant information according to certificate management policy. Then it signs the certificate with its private key and issues the certificate.

■ Registration authority (RA): An extension of the CA. It forwards the entities' certificate requests to the CA, and forwards digital certificates and the certificate revocation list to the directory server for directory browsing and query.

■ Lightweight directory access protocol (LDAP) server: LDAP provides a means to access the PKI repository, for accessing and managing PKI information. The LDAP server supports directory browsing and lists the user information and digital certificates obtained from an RA server. Users can then get their own or others' certificates by accessing the LDAP server.

■ Certificate revocation list (CRL): A certificate has a lifetime, but the CA can revoke a certificate before its expiration date if the private key leaks or if the service ends. Once a certificate is revoked, a CRL is released to announce its invalidity; the CRL lists the serial numbers of invalid certificates. The CRL, stored on the LDAP server, provides an effective way to check the validity of certificates and offers centralized management of user notification and other applications.

Applications

PKI comprises a set of security services provided in distributed computing systems using public key technology and X.509 certificates. It can issue certificates for various purposes, such as Web user identity authentication, Web server identity authentication, secure Email using secure/multipurpose internet mail extensions (S/MIME), VPN (virtual private network), IP Security, IKE, and secure sockets layer/transport layer security (SSL/TLS). One CA can issue certificates to another CA to establish certification hierarchies.

Configuration Task List

PKI configuration includes applying to the CA for a local certificate for a designated device and validating the certificate. The configuration involves:

■ PKI certificate request

■ PKI certificate validation

■ Display and debug

Certificate Request Configuration

Certificate Request Overview

A certificate request is the process by which an entity introduces itself to the CA. The identity information the entity provides will be contained in the certificate issued later. The CA uses a set of criteria to check the applicant's credibility, the purpose of the request and the reliability of the identity, to ensure that certificates are bound to the correct identity. Offline and non-automatic out-of-band identity checks (by phone, storage disk or Email, for example) may be required in this process. If the process goes smoothly, the CA issues a certificate to the user and publishes it, along with some public information, on the LDAP server for directory browsing. The user can then download its own public-key digital certificate from the notified location, and obtain those of others through the LDAP server. The request process proceeds with:

■ Entering PKI domain view

■ Specifying a trustworthy CA

■ Configuring servers for certificate request

■ Configuring entity name space

■ Creating a local public - private key pair

■ Setting request polling interval and count

■ Configuring certificate request mode

■ Delivering a certificate request manually

■ Retrieving a certificate

Entering PKI Domain View

A PKI domain manages in a unified way a group of PKI users who trust the same third party. That is, it suffices that each member trusts the CA; no trust between the group members is required. This greatly relieves system load and extends the capability of the PKI certificate system.

For the configuration of domain parameters, you should enter the PKI domain view.

Perform the following configuration in system view.

By default, no PKI domain is specified.

Note: Typically, a device may belong to two or more PKI domains, and independent configuration information is then required for each domain; parameter configuration in PKI domain view serves this purpose. Currently, however, one device supports only one PKI domain; therefore, if a PKI domain already exists and you want to add a new one, you must first delete the existing one with the corresponding undo command.

Specifying a Trustworthy CA

When a subject applies for a certificate, a trustworthy CA, which vouches for the subject, registers and issues the certificate. A trustworthy CA is the foundation of PKI: only when a CA trusted by everyone is available can users enjoy the security services of public key technology.

Perform the following configuration in PKI domain view.

Table 185 Enter PKI domain view

Operation | Command
Enter a designated PKI domain view | pki domain name
Delete a designated PKI domain and its related information | undo pki domain name


By default, no trustworthy CA is specified.

Note: The set of standards that a CA uses in request processing, certificate issuing and revoking, and CRL releasing is called the CA policy. In general, a CA advertises its policy in files called certification practice statements (CPS). The CA policy can be obtained out of band or by other means. You are recommended to understand the CA policies before choosing a CA, because different CAs may use different methods to authenticate the binding between public key and subject.

Configuring Servers for Certificate Request

Configuring the entity used to apply for a certificate

When you send a certificate application request to the CA, an entity name must be specified to indicate your identity.

Perform the following configurations in PKI domain view.

By default, no entity is specified to apply for a certificate.

Note: For more information about entities (entity-name), see "Configuring Entity Name Space".

Specifying a registration organization

Registration management is often implemented by an independent registration authority (RA), which is responsible for handling certificate requests, examining entity qualification and deciding for the CA whether or not the digital certificate should be issued. The RA does not issue the certificate, which is done by the CA; it only examines the qualification of the users. Sometimes no independent RA is set up. This does not mean that the registration function of PKI is disabled, since the CA then takes over registration management.

Perform the following configuration in PKI domain view.

By default, no registration organization is specified.

Table 186 Specify trustworthy CA

Operation | Command
Specify a trustworthy CA | ca identifier name
Delete the trustworthy CA | undo ca identifier

Table 187 Configure the entity used to apply for a certificate

Operation | Command
Configure the entity used to apply for a certificate | certificate request entity entity-name
Cancel the configured entity used to apply for a certificate | undo certificate request entity

Table 188 Specify a registration organization

Operation | Command
Choose between CA and RA as the registration organization | certificate request from { ca | ra }
Delete the registration organization | undo certificate request from


PKI IPsec policy recommends using RA as the registration organization.

Note: For details about the entity-name argument, refer to "Configuring Entity Name Space".

Configuring registration server location

The registration server location (its URL) must be specified so that entities can submit certificate requests to this server using the simple certificate enrollment protocol (SCEP), a protocol for communicating with a certification authority.

Perform the following configuration in PKI domain view.

By default, no registration server location is specified.

Configuring the IP address of the LDAP server

In a PKI system, storing the user certificates and CRLs is a core problem. Generally, an LDAP directory server is used to distribute certificates and CRLs.

Perform the following configuration in PKI domain view.

By default, no IP address or port is specified for the LDAP server. Currently, LDAP version 2 is used.

Configuring fingerprint for root certificate authentication

When the IPsec module obtains an identity certificate from the CA, it needs the CA root certificate to verify that the identity certificate is genuine and valid. In addition, when the IPsec module obtains the CA root certificate, it must validate the certificate's fingerprint, that is, the hash value of the root certificate contents, which is unique for each certificate. If the fingerprint differs from the one configured with the command below, the IPsec module rejects the root certificate. The fingerprint can be in MD5 or SHA1 format.

Perform the following configurations in PKI domain view.

Table 189 Specify registration server location

Operation | Command
Specify the location of a registration server | certificate request url string
Delete the location setting | undo certificate request url

Table 190 Specify the IP address of the LDAP server

Operation | Command
Specify the IP address of the LDAP server | ldap-server ip ip-address [ port port-num ] [ version version-number ]
Delete the IP address of the LDAP server | undo ldap-server

Table 191 Configure the fingerprint for root certificate authentication

Operation | Command
Configure the fingerprint for root certificate authentication | root-certificate fingerprint { md5 | sha1 } string


By default, no fingerprint is configured for root certificate authentication.

When an MD5 fingerprint is adopted, the string argument must contain 32 hexadecimal characters. When an SHA1 fingerprint is adopted, the string argument must contain 40 hexadecimal characters.
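As an added example (not the switch's own code), the root-certificate fingerprint check described above in Python: the configured string is validated against the length rule just stated (32 hex characters for MD5, 40 for SHA1), the hash of the certificate contents is computed, and the two are compared. The sample certificate bytes are a constructed stand-in, not a real DER certificate; tolerating colons and spaces in the configured string is an assumption beyond what the guide shows.

```python
import hashlib
import hmac

# Required hex length per algorithm, as stated for the command above.
FINGERPRINT_HEX_LENGTH = {"md5": 32, "sha1": 40}
HASHERS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def normalize_configured_fingerprint(algorithm: str, configured: str) -> str:
    """Validate the configured fingerprint string: known algorithm, exact
    length, hexadecimal only. Separators are stripped first (an assumption;
    the guide shows a bare hex string)."""
    if algorithm not in FINGERPRINT_HEX_LENGTH:
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    digits = configured.replace(":", "").replace(" ", "").lower()
    expected_len = FINGERPRINT_HEX_LENGTH[algorithm]
    if len(digits) != expected_len:
        raise ValueError(
            f"{algorithm} fingerprint needs {expected_len} hex characters, "
            f"got {len(digits)}")
    if any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("fingerprint contains non-hexadecimal characters")
    return digits


def fingerprint(algorithm: str, certificate_der: bytes) -> str:
    """Hash of the certificate contents, as lowercase hex."""
    if algorithm not in HASHERS:
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    return HASHERS[algorithm](certificate_der).hexdigest()


def root_certificate_accepted(algorithm: str, configured: str,
                              certificate_der: bytes) -> bool:
    """True only when the obtained root certificate's fingerprint equals the
    configured one; any mismatch means the root certificate is rejected."""
    expected = normalize_configured_fingerprint(algorithm, configured)
    actual = fingerprint(algorithm, certificate_der)
    # Constant-time comparison avoids leaking how many leading digits match.
    return hmac.compare_digest(expected, actual)


# Constructed stand-ins for the CA root certificate bytes (not real DER).
SAMPLE_ROOT_DER = b"constructed-root-certificate-bytes-v1"
SAMPLE_ROOT_DER_TAMPERED = b"constructed-root-certificate-bytes-v2"

if __name__ == "__main__":
    configured = fingerprint("sha1", SAMPLE_ROOT_DER)
    print("genuine accepted:",
          root_certificate_accepted("sha1", configured, SAMPLE_ROOT_DER))
    print("tampered accepted:",
          root_certificate_accepted("sha1", configured, SAMPLE_ROOT_DER_TAMPERED))
```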

Configuring Entity Name Space

Name space overview

Entity name space should be taken into account when setting up PKI. In a certificate, the public key and the owner name must be consistent. Each CA describes an entity with the information it considers important. A unique identifier, the distinguished name (DN), can be used to identify an entity. It consists of several parts, such as the user common name, organization, country and owner name, and it must be unique within the network.

The entity DN configuration in PKI entity view comprises the configuration of:

■ PKI entity name

■ Entity FQDN

■ Country code

■ State name

■ Geographic locality

■ Organization name

■ Organization unit name

■ Common name of the entity

■ IP address of the entity

Note: Entity configuration information must comply with the CA certificate issue policy, which determines the DN configuration tasks, for example which parameters are mandatory and which optional. Otherwise, the certificate request may be rejected.

Specifying a PKI entity name

In PKI entity view, you can configure the attributes of entity DN.

Perform the following configuration in system view.

By default, no entity name is given.

Table 191 Configure the fingerprint for root certificate authentication (continued)

Operation | Command
Cancel the configured fingerprint for root certificate authentication | undo root-certificate fingerprint

Table 192 Specify an entity name

Operation | Command
Specify an entity name and enter the entity view | pki entity name-str
Delete the entity name and related parameters | undo pki entity name-str


Note: The entity name must be consistent with the entity-name argument specified in the certificate request entity entity-name command for the registration organization. Otherwise, the certificate request fails. The name-str argument is only for convenience of reference and does not appear as a certificate field.

Configuring the entity FQDN

The fully qualified domain name (FQDN) is the unique identifier of the entity within the network, for example an Email address. It is often in the format user.domain and can be resolved to an IP address. Functionally, the FQDN is equivalent to an IP address. This configuration is optional.

Perform the following configuration in PKI entity view.

By default, no FQDN is configured for the entity.

Configuring the country code for the entity

Perform the following configuration in PKI entity view.

By default, no country code is specified for the entity.

Note: The country code uses two standard characters, for example, CN for China and US for the United States.

Configuring the state name for the entity

Perform the following configuration in PKI entity view.

By default, no state name is specified for the entity.

Configuring the geographic locality for the entity

Perform the following configuration in PKI entity view.

Table 193 Configure the entity FQDN

Operation | Command
Configure the entity FQDN | fqdn name-str
Delete the entity FQDN | undo fqdn

Table 194 Configure the country code for the entity

Operation | Command
Configure the country code for the entity | country country-code-str
Delete the country code for the entity | undo country

Table 195 Configure the state name for the entity

Operation | Command
Configure the state name for the entity | state state-str
Delete the state name for the entity | undo state

Table 196 Configure the geographic locality for the entity

Operation | Command
Configure the geographic locality for the entity | locality locality-str
Delete the geographic locality for the entity | undo locality


By default, no geographic locality is specified for the entity.

Configuring the organization name for the entity

Perform the following configuration in PKI entity view.

By default, no organization name is specified for the entity.

Configuring the organizational unit name for the entity

This optional field specifies to which of the many units of an organization this entity belongs.

Perform the following configuration in PKI entity view.

By default, no organizational unit name is specified for the entity.

Configuring the common name for the entity

Perform the following configuration in PKI entity view.

By default, no common name is specified for the entity.

Configuring the IP address for the entity

Like the function of specifying the entity FQDN, this function is optional.

Perform the following configuration in PKI entity view.

By default, no IP address is specified for the entity.

Table 197 Configure the organization name for the entity

Operation | Command
Configure the organization name for the entity | organization org-str
Delete the organization name for the entity | undo organization

Table 198 Configure the organizational unit name for the entity

Operation | Command
Configure the organizational unit name for the entity | organizational-unit org-unit-str
Delete the organizational unit name for the entity | undo organizational-unit

Table 199 Configure the common name for the entity

Operation | Command
Configure the common name for the entity | common-name name-str
Delete the common name for the entity | undo common-name

Table 200 Configure the IP address for the entity

Operation | Command
Configure the IP address for the entity | ip ip-address
Delete the IP address for the entity | undo ip


Creating a Public - Private Key Pair

A key pair is generated during the certificate request: one key is public and the other private. The private key is held by the user, while the public key and other information are transferred to the CA for signing and generation of the certificate. Each CA certificate has a lifetime that is determined by the issuing CA. When the private key leaks or the current certificate is about to expire, you have to delete the old key pair; another key pair can then be generated for a new certificate.

This configuration generates local key pairs. If an RSA key pair already exists, the system prompts you whether to replace it. Key pairs are named as IPsec module name + host. The minimum length of a host key is 512 bits and the maximum length is 2,048 bits.

Perform the following configuration in system view.

By default, there is no existing local RSA key pair. You have to create an RSA key pair by yourself.

CAUTION:

■ If a local certificate already exists, you are not recommended to create another key pair, so that the key stays consistent with the existing certificate. Delete the existing certificate first and then create a new key pair.

■ If a local RSA key pair exists, the newly-generated key pair will overwrite the existing one.

■ The key pairs are originally for use in SSH. The local server regularly updates the local server key pair; however, the host key pair used in the certificate request remains unchanged.

Configuring Polling Interval and Count

If the CA examines certificate requests in manual mode, a long time may pass before the certificate is issued. During this period you need to query the request status periodically, so that you can get the certificate right after it is issued.

Perform the following configuration in PKI domain view.

By default, the request polling message is sent for 50 times at an interval of 20 minutes.

Table 201 Create and destroy an RSA key pair

Operation | Command
Create a local RSA key pair | rsa local-key-pair create
Destroy a local RSA key pair | rsa local-key-pair destroy

Table 202 Configure polling interval and count

Operation | Command
Configure polling interval and count | certificate request polling { interval minutes | count count }
Restore the default values | undo certificate request polling { interval | count }


Configuring Certificate Request Mode

Request mode can be manual or auto. Auto mode enables the automatic request for a certificate through SCEP when there is none and for a new one when the old one is about to expire. For manual mode, all the related operations need to be carried out manually.

Perform the following configuration in PKI domain view.

By default, manual mode is selected.

Delivering a Certificate Request Manually

A certificate request carries the user public key and other registered information. When all the configuration above is completed, you can deliver the certificate request to the PKI RA.

Perform the following configuration in any view.

CAUTION:

■ If a local certificate already exists, you should delete it and all locally stored CA certificates using the pki delete-certificate command before applying for another one. Otherwise, inconsistency between the certificate and the registered information may occur.

■ If you cannot send the certificate request to the CA using SCEP, you can select the pem keyword to print out the request information, copy it and send it to the CA out of band.

■ Before you deliver the certificate request, make sure the clocks of the entity and the CA are synchronized. Otherwise, the certificate validity period will be wrong.

■ If you use a Windows CA server to obtain a certificate, the RA identifier (the distinguished name, DN) and the CA identifier must be different when you install the Windows CA server; otherwise, no CA certificate or local certificate can be obtained.

■ This operation will not be saved in the configuration.

Retrieving a Certificate Manually

Certificate retrieval serves two purposes: storing locally the certificates related to the local security domain, to improve query efficiency and reduce the number of query requests to the PKI repository; and preparing for certificate validation.

Table 203 Configure certificate request mode

Operation | Command
Configure certificate request mode | certificate request mode { manual | auto [ key-length key-length | password { simple | cipher } password ]* }
Restore the default request mode | undo certificate request mode

Table 204 Deliver a certificate request

Operation | Command
Deliver a certificate request | pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]


When downloading a digital certificate, select the local keyword for a local certificate and ca keyword for a CA certificate.

Perform the following configuration in system view.

CAUTION:

■ If a CA certificate already exists, you should delete it and all the local certificates using the pki delete-certificate command before retrieving another one. Otherwise, inconsistency between the certificate and the registered information may occur.

■ This operation will not be saved in the configuration.

Importing Certificates

You can import an existing local certificate or CA certificate with the command below.

Perform the following configuration in system view.

Deleting Certificates

You can delete an existing local certificate or CA certificate with the command below.

Perform the following configuration in system view.

Certificate Validation Configuration

Configuration Task List

At every stage of data communication, both parties should verify the validity of the corresponding certificates, including issue time, issuer and certificate validity. The core is to verify the CA signature and to make sure the certificate is still valid. It is assumed that the CA never issues fake certificates, so every certificate carrying an authentic CA signature passes the verification. For example, if you receive an Email that contains a certificate with a public key and is encrypted with the private key, you should verify the validity of this certificate to determine whether it is valid and trustworthy.

For certificate validation, you need to:

Table 205 Retrieve a certificate

Operation | Command
Retrieve a certificate and download it locally | pki retrieval-certificate { local | ca } domain domain-name

Table 206 Import a certificate

Operation | Command
Import a certificate | pki import-certificate { local | ca } domain domain-name { der | p12 | pem } [ filename filename ]

Table 207 Delete a certificate

Operation | Command
Delete a certificate | pki delete-certificate { local | ca } domain domain-name

Page 198: 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guideh20628. · 2019-01-17 · 3Com® Switch 8800 Family IPsec Configuration and Command Reference Guide Switch

198 CHAPTER 12: PKI CONFIGURATION

■ Specify CRL distribution point location

■ Configure CRL update period

■ Enable/Disable CRL check

■ Retrieve CRL

■ Verify certificate validity

Specifying CRL Distribution Point Location

Perform the following configuration in PKI domain view.

Table 208 Configure CRL distribution point location

Operation: Specify CRL distribution point location
Command:   crl url url-string

Operation: Delete the location setting
Command:   undo crl url

By default, no CRL distribution point location is specified.

Configuring CRL Update Period

The CRL update period is the interval at which CRLs are downloaded from the CRL access server to the local device.

Perform the following configuration in PKI domain view.

Table 209 Configure CRL update period

Operation: Specify CRL update period
Command:   crl update-period hours

Operation: Restore the default period
Command:   undo crl update-period

By default, CRLs are updated according to their validity period.

Note: The CRL update period configured here takes priority over the one specified in the CRLs.

Enabling/Disabling CRL Check

CRL check is optional for certificate validation. If it is enabled, the CRL must be checked to decide on the certificate validity. The check can be carried out directly at the CA center or locally with a downloaded CRL.

Perform the following configuration in PKI domain view.

Table 210 Enable/disable CRL check

Operation: Enable CRL check
Command:   crl check enable

Operation: Disable CRL check
Command:   crl check disable

By default, CRL check is enabled.

Retrieving a CRL

Having finished the above configuration tasks, you can retrieve a CRL in any view. The purpose of downloading a CRL is to verify the validity of the certificates on the local device.

Perform the following configuration in system view.

Table 211 Retrieve a CRL

Operation: Retrieve a CRL and download it locally
Command:   pki retrieval crl domain domain-name

Note: This operation will not be saved in the configuration.

Verifying Certificate Validity

You can verify the validity of a local certificate using the local keyword, or of a CA certificate using the ca keyword.

Perform the following configuration in system view.

Table 212 Verify certificate validity

Operation: Verify the validity of a local certificate
Command:   pki validation certificate { local | ca } domain domain-name

Note: This operation will not be saved in the configuration.

Displaying and Debugging

Displaying certificates

If the certificate retrieval succeeds, you can display the fields of the locally downloaded certificates. Certificate format and fields comply with the X.509 standard. All kinds of identifying information about the user and the CA are included, such as the user's e-mail address, the public key of the certificate holder, and the issuer, serial number and validity period of the certificate.

Perform the following configuration in any view.

Table 213 Display certificates

Operation: Display certificates
Command:   display pki certificate { { local | ca } domain domain-name | request-status }

Displaying CRLs

The fields of a CRL that has been retrieved and locally downloaded can be displayed by the following operation. The CRL complies with the X.509 standard, covering version, signature algorithm, issuer name, this update, next update, user public key, signature value, serial number and revocation date.

Perform the following configuration in any view.

Table 214 Display CRLs

Operation: Display CRLs
Command:   display pki crl [ domain domain-name ]
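The validation logic that the CRL check and certificate validity sections above describe, written out as an added Go example. This is not code from the guide or from 3Com: it uses Go's standard crypto/x509 package, and the CA, leaf certificate and CRL it works on are constructed in memory with hypothetical subject names. Validate mirrors what pki validation certificate local has to establish: the certificate chains to the trusted CA certificate and is inside its validity period, and, when CRL check is enabled, the CRL is CA-signed, not past its next-update time, and does not list the certificate's serial number. Running Validate with the check disabled against a CRL that revokes the certificate shows what crl check disable gives up: the revoked certificate is accepted.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed, in-memory PKI for this example only: a self-signed CA (the
// trusted "ca" certificate) and one leaf (the "local" certificate). Names are hypothetical.
type TestPKI struct {
	CA, Leaf *x509.Certificate
	caKey    *rsa.PrivateKey
}

// signCert creates a certificate from tmpl, signed by parent's key, and parses it back.
func signCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewTestPKI generates the CA and leaf RSA key pairs and issues both certificates.
func NewTestPKI(now time.Time) (*TestPKI, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(96 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // the CA may sign certificates and CRLs
	}
	ca, err := signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "secblade"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(72 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leaf, err := signCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &TestPKI{CA: ca, Leaf: leaf, caKey: caKey}, nil
}

// IssueCRL signs a CRL from the test CA listing the given serial numbers as revoked.
// The CRL's own validity window (this update / next update) is 24 hours.
func (p *TestPKI) IssueCRL(now time.Time, revoked ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, serial := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CA, p.caKey)
}

// Validate performs what "pki validation certificate local" has to establish: the leaf chains
// to the trusted CA and is within its validity period, and, when crlCheck is true
// ("crl check enable"), a CA-signed, unexpired CRL does not list its serial number.
func Validate(leaf, ca *x509.Certificate, crlDER []byte, crlCheck bool, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("chain or validity-period check failed: %w", err)
	}
	if !crlCheck {
		return nil // "crl check disable": revocation status is never consulted
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL check is enabled but no usable CRL was retrieved: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature check failed: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is past its next-update time; retrieve a fresh one")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}
```

The only difference between accepting and rejecting the revoked certificate is the crlCheck flag, which corresponds to the crl check enable / crl check disable setting. With the check enabled, a missing, unsigned or stale CRL is itself a validation failure, so the CRL distribution point configured with crl url has to stay reachable for validation to succeed.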

Displaying and debugging configuration

Using the display current-configuration command, you can view the current PKI configuration. You can enable PKI debugging to monitor and diagnose the relevant certificate operations.

Perform the following configuration in any view.

Table 215 Display and debug PKI information

Operation: Enable PKI debugging
Command:   debugging pki { verify | request | retrieval | error }

Operation: Disable PKI debugging
Command:   undo debugging pki { verify | request | retrieval | error }

By default, all PKI debugging is disabled.

PKI Configuration Example

IKE Authentication with PKI Certificate

Network requirements

IKE automatic negotiation mode is used to create a security association on the IPsec module. The IKE authentication policy uses the PKI certificate system to authenticate identity.

Network diagram

Figure 43 Network diagram for IKE authentication with PKI certificate (figure not reproduced; its labels identify the Switch 8800 and the 3Com IPsec module)

Configuration procedure

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of IPsec module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create the SecBlade test.

[SW8800] secblade module test

# Specify an IPsec module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the IPsec module to the IPsec module of the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the IPsec module of the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are secblade)
Username:secblade
Password:secblade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1
[secblade] ip route-static 0.0.0.0 0 50.0.0.1

# Use the default IKE policy on the IPsec module and configure PKI (rsa-signature) algorithm for identity authentication.

[secblade_VPN] ike proposal 1
[secblade_VPN-ike-proposal-1] authentication-method rsa-signature
[secblade_VPN-ike-proposal-1] quit

# Configure parameters for the PKI domain.

[secblade_VPN] pki domain 1
[secblade_VPN-pki-domain-1] ca identifier CA
[secblade_VPN-pki-domain-1] certificate request url http://201.1.1.1/certsrv/mscep/mscep.dll
[secblade_VPN-pki-domain-1] certificate request from ra
[secblade_VPN-pki-domain-1] certificate request entity en
[secblade_VPN-pki-domain-1] ldap-server ip 201.1.1.2

# Specify the CRL distribution point location (you need not specify it if CRL check is disabled).

[secblade_VPN-pki-domain-1] crl url ldap://201.1.1.2

# Configure the entity DN.

[secblade_VPN] pki entity en
[secblade_VPN-pki-entity-en] ip 50.0.0.254
[secblade_VPN-pki-entity-en] common-name secblade

# Use the RSA algorithm to generate the local key pair.

[secblade_VPN] rsa local-key-pair create

# Apply for the certificate.

[secblade_VPN-pki-entity-en] pki retrieval certificate ca domain 1
[secblade_VPN] pki request certificate 1

Note: The above section describes IKE negotiation configuration with a PKI certificate. If you want to establish an IPsec security channel for secure communication, you also need to configure IPsec. For details, refer to "IPsec Configuration".


Troubleshooting Certificates

Symptom 1: Failure to retrieve certificates

Solution: the following reasons may cause failure to deliver CA certificate requests manually.

1 Software

■ No trustworthy CA name is set.

■ URL of the registration server is wrong or not configured. You can use the ping command to test the server’s connectivity.

■ No RA is specified.

2 Hardware

■ Check whether there is something wrong with the network connection, such as the cable is broken or the connectors are loose.

Symptom 2: Failure to Apply for Local Certificates

Solution: the following reasons may cause the failure to send manual certificate requests after configuring PKI domain parameters and entity DN for the security gateway and creating new RSA key pairs.

1 Software

■ You do not have CA/RA certificates before certificate requests.

■ No key pair is created or the current key pair has already had its certificate.

■ No trustworthy CA name is specified.

■ URL of the registration server is wrong or not configured. You can use the ping command to test the server’s connectivity.

■ No RA is specified.

■ The required attributes for entity DN are not configured. You can select the related attributes through checking the CA/RA registration policy and then configure them.

2 Hardware

■ Check whether there is something wrong with the network connection, such as the cable is broken or the connectors are loose.

Symptom 3: Failure to Retrieve CRL

Solution: the following reasons may cause failure to retrieve CRL.

1 Software

■ You do not have local certificates before retrieving the CRL.

■ The IP address of the LDAP server is not set.

■ CRL distribution point location is not specified.

■ The version of LDAP server is wrong.

2 Hardware

■ Check whether there is something wrong with the network connection, such as the cable is broken or the connectors are loose.

13 DVPN

Introduction to DVPN

Overview

Dynamic virtual private network (DVPN) technology establishes virtual private networks (VPNs) by dynamically acquiring information about the peers. DVPN adopts an NBMA-type Tunnel mechanism, which enables devices to encapsulate and transmit packets with Tunnel interfaces as the end points of DVPN Tunnels and enables devices to learn routes of private networks dynamically through Tunnel interfaces. (NBMA: non-broadcast multiple access)

DVPN technology also adopts a client-server model to overcome the drawbacks that the traditional VPN technology suffers from. By registering with a server, clients store their information on the server. So a registered client can then acquire information about other registered clients through the redirecting function the server provides to establish separate sessions with corresponding clients. By registering with the same server, multiple DVPN-enabled access devices can form a DVPN domain to have VPNs connected to these access devices interconnected.

Basic DVPN Elements

DVPN domain

A set of private networks and their security gateways and routers that are interconnected using DVPN.

DVPN access device

Routers or security gateways in a network that are used to form DVPN domains. Any router or security gateway that supports DVPN technology can be a DVPN access device.

DVPN Server

DVPN access device that operates as the server in a DVPN domain. DVPN access devices must register with the DVPN server before they can access a DVPN domain. The functions of DVPN servers are as follows.

■ Storing and maintaining registering information about DVPN clients

■ Authenticating clients that apply for accessing the DVPN domain

■ Forwarding packets between clients with no sessions established in between, and sending redirecting packets to source clients

■ Encrypting packets using IPsec

DVPN Client

DVPN access device that operates as a client in a DVPN domain. A device must successfully register with the DVPN server to access a DVPN domain. The functions of a DVPN client are as follows.

■ Registering with the DVPN server to join a DVPN domain

■ Establishing sessions with DVPN servers for data transmission

■ Establishing sessions with other DVPN clients in the DVPN domain

■ Encrypting packets using IPsec

DVPN ID

Identifier of a DVPN domain. For a DVPN access device, different DVPN domains have different DVPN IDs.

Map

Channel established between a DVPN client and a DVPN server when the DVPN client attempts to register with the DVPN server. A map remains after the client successfully registers with the DVPN server until the DVPN client exits the DVPN domain or the network. The information a map holds, such as the ID of the DVPN domain, the private IP address of the peer, the public IP address of the peer, the UDP port number used, the state of the map, and the control ID, is stored on both the client side and the DVPN server side.

Session

DVPN Tunnel for data transmission. In a DVPN domain, sessions are established between pairs of DVPN access devices and are used to connect private networks. Packets in a DVPN domain are transmitted through sessions. The information a session contains is similar to that of a map, such as the ID of the DVPN domain, the private and public IP address of the peer, UDP port number used, the state of the session, and the type of the session.

Redirect

Redirecting mechanism. For two clients with no session in between, communications between them are carried out by the DVPN server. When forwarding packets between these two clients, the DVPN server sends redirecting packets to the source client if the DVPN server determines a separate session can be established between the two clients. Redirecting packets contain information about the destination clients and enable sessions to be established between clients.

Active side and passive side

The two sides of a session must be either an active side or a passive side. A session can have only one active side and one passive side. For a session established between a client and a server, the client operates as the active side and the server operates as the passive side. If a session is established between two clients, the one that initiates the session is the active side and the other is the passive side.

Implementation

To implement DVPN, DVPN access devices must employ the proprietary DVPN protocol, through which the DVPN server holds information about all successfully registered clients, and the clients hold information about all sessions they establish, such as the private IP addresses of destination devices (the IP addresses of Tunnel interfaces), the public IP addresses of destination devices (the IP addresses of WAN interfaces), the UDP port numbers of the destination devices (when employing UDP), and the identifiers of session state. The following describes the phases undergone when DVPN is used to transmit data.

Register

After a client is configured with proper interface properties and the server address and its interfaces are up, the client negotiates with the DVPN server for algorithm, key, authentication (optional), information registering, policy issuing, and so on.

Registration is carried out through maps established between the clients and the servers. A map remains after the client registers and accesses the DVPN domain. It is removed only when the client exits the DVPN domain. If you remove a map through which a client registered, the client releases all resources it occupies (including all sessions it has established) and resumes the initial state.

Figure 44 demonstrates the registering workflow. Any error during the workflow results in the registration being aborted and causes the client to resume the initial state.

Figure 44 DVPN registering workflow

1 The client sends algorithm negotiation request messages to the server.

2 The server sends algorithm negotiation response messages to the client.

3 The client sends key negotiation request messages and server authentication request messages to the server.

4 The server sends key negotiation response messages, client authentication messages, and server authentication response messages to the client.

5 The client sends authentication messages to the server.

6 The server sends authentication result to the client.

7 The client sends register request messages to the server, where all information about the client is included.

8 The server sends register response messages to the client, where information such as data encrypting policies, key, and the ID of the DVPN domain is included.

Establishing session

Once successfully registered, a client immediately establishes a session with the DVPN server to transmit its packets using DVPN.


If the packets the server receives are destined for other networks instead of the local private network, the server forwards the packets and sends next hop redirecting messages to the source client to inform it of the information about the destination. The client then sends session Setup requests to the peer client to negotiate with it for establishing a separate session and the IPsec SA (security association). After the session is established, the two clients can communicate with each other without the server.

When removing a session, the server checks to see if it is coupled with a registered map. If the map does not exist, the session is removed directly. Otherwise, you need to remove the coupled map first.

Transmitting data

You can transmit data between entities (clients and servers) after the sessions between them are established. The data being transmitted is encrypted using IPsec, with DES as the encryption algorithm and MD5 as the authentication algorithm.

The encryption method mentioned above is employed by default and does not need manual configuration.

Basic Network Structure

DVPN adopts a client/server model. Among all the access devices in a DVPN domain, only one can be the server and uses a fixed public IP address, whereas the others operate as clients. You need to configure information about the server manually on each client to enable the clients to register with the server. A session is automatically established between a client and the server after the client successfully registers with the server. By sending redirecting packets, the server can provide information about other clients to a client to enable sessions to be established between clients, through which the DVPN domain can be fully connected.

When transmitted in a DVPN domain, DVPN packets are encapsulated using UDP, that is, DVPN control packets and other DVPN packets to be forwarded are encapsulated using UDP. As UDP packets are capable of traversing NAT gateways, sessions can be established between DVPN clients even though they use private IP addresses.

Figure 45 A simple DVPN network diagram


Traditional VPN versus DVPN

Drawbacks of traditional VPN

Current network solutions commonly use generic routing encapsulation (GRE) or multi-protocol label switching/border gateway protocol (MPLS/BGP) to form Layer 3 VPNs. Both kinds of VPN suffer from the following drawbacks:

■ Complicated networking and configuration. Layer 3 VPNs communicate through point-to-point Tunnels. So, to form a fully connected VPN with N access points, the number of point-to-point VPN Tunnels to be manually configured is N * (N-1) / 2.

■ Inconvenient maintenance and expansion. For an established VPN, you must reconfigure all other nodes if you add a node to the VPN or reconfigure an existing node in the VPN, which results in high maintenance cost.

■ Unable to traverse NAT gateways. For VPN Tunnels that are established using GRE with NAPT (network address port translation) gateways deployed at the egresses, you must map each private IP address to a unique public IP address to transmit packets along the VPN Tunnel, so a large number of public IP addresses is needed for this kind of VPN. GRE is therefore not applicable behind NAT gateways. (VPNs that are established using early versions of IPsec cannot traverse NAT gateways either. This problem is resolved by encapsulating IPsec packets as UDP packets.)

■ Not applicable to dynamic IP addresses. VPN Tunnels that are established using GRE are based on fixed IP addresses, so you cannot establish VPNs for dial-up subscribers using GRE.

■ Not secure. L2TP (Layer 2 Tunnel protocol) and GRE do not encrypt packets, whereas IPsec provides satisfactory security for packets forwarded across IPsec VPNs.

■ IPsec does not support dynamic routes. VPN Tunnels that are established using GRE and L2TP are interface-based, whereas those established using IPsec are data-stream-oriented, so route learning is not possible between private networks interconnected with IPsec VPN Tunnels, which contradicts dynamic network planning.

Advantages of DVPN

DVPN has all the advantages that traditional VPN benefits from. It also overcomes a lot of the problems that traditional VPN faces. It provides an easy way to configure and plan networks and is more powerful, which makes it more suitable for modern and future networks. It features the following:

■ Ease of configuration. Instead of configuring logic interfaces as the Tunnel ends for each Tunnel, only one logic Tunnel interface is needed for a DVPN access device to establish sessions with multiple other DVPN access devices, which simplifies DVPN configuration remarkably and improves maintainability and extensibility. To add a private network to an existing DVPN domain, you need only to configure information about the DVPN server of the DVPN domain on the DVPN access device of the private network.

■ Capable of NAT traversal. UDP-encapsulated DVPN packets are capable of traversing NAT gateways. This enables VPN connections to be established between internal network DVPN access devices and public network DVPN access devices and enables VPNs that contain both internal private networks and external private networks to be established.


■ Capable of establishing dynamic IP address-based VPN. You need only to provide the IP address of the DVPN server to establish a Tunnel in a DVPN domain. So DVPN is applicable to subscribers that use dynamic IP addresses, such as dial-up and xDSL.

■ Capable of establishing Tunnels automatically. A DVPN server maintains information about all DVPN access devices in the DVPN domain. The redirecting function enables the DVPN clients to acquire information about any other DVPN client in the DVPN domain from the DVPN server in order to establish sessions. A DVPN client needs only to be configured with information about itself and the DVPN server, so the work load of network administration is remarkably eased.

■ Encrypted registration. When registering with a DVPN server, a client first negotiates with the server for the algorithm suite and keys, and then encrypts the key registering information (such as user name and password) using the negotiated algorithm. They can also validate the registering packets to secure the key registering information.

■ Authentication. When registering with a DVPN server, a client can authenticate the server using a pre-shared-key to make sure the DVPN server is valid. The DVPN server, in turn, can identify the clients that want to access the DVPN domain using AAA to ensure DVPN clients are authenticated.

■ Centralized policy management. Policies applied to sessions in a DVPN domain are the same. A DVPN server issues the policy of the DVPN domain to each registered client, including the algorithm suite used in session negotiations, the keepalive time of sessions, the idle timeout time of sessions, the IPsec encryption algorithm, the renegotiation time of IPsec SA, and so on.

■ Encryption during session negotiation. In the course of session negotiation, all the control packets are IPsec-encrypted using the algorithm suite the DVPN server issues. The client negotiates with the DVPN server for the IPsec SA of the session using the encryption and authentication algorithm issued by the DVPN server. DH (Diffie-Hellman) is used for negotiating the key of the IPsec SA. Data that are to be encrypted and transmitted through this session are encrypted using the IPsec SA negotiated in the course of the session establishment and then are transmitted through the DVPN domain. The IPsec SA of a session can be renegotiated. You can specify an IPsec SA renegotiation interval to improve security.

■ Support for multiple DVPN domains. A single DVPN device can accommodate multiple DVPN domains. That is, a security gateway can belong to both DVPN domain A and DVPN domain B simultaneously, and a DVPN device can be a client in DVPN domain A and the DVPN server in DVPN domain B at the same time. A DVPN device can accommodate up to 200 DVPN domains and can be the DVPN server of up to 200 DVPN domains. This improves network flexibility remarkably, protects user investment efficiently, and enables you to make full use of network device resources. When multiple DVPN domains are configured on one DVPN device, you can isolate these DVPN domains using private network routes.

■ Support for dynamic routes. In a DVPN domain, route packets that need to be transmitted through Tunnel interfaces can be broadcast over all sessions to enable route learning in DVPN domains. When combined with dynamic routing protocols, DVPN can simplify the planning of private networks that are to access a DVPN domain and the configuration of the entire network, and improve network maintainability and automation.

DVPN Configuration

DVPN configuration comprises client configuration and server configuration.

Client configuration

As for DVPN clients, you need to perform basic configuration, Tunnel interface configuration, and DVPN class configuration.

1 Basic configuration

Basic configuration includes the following:

■ Enable/Disable DVPN

■ Configure the registering retries

■ Configure the dumb interval

2 Tunnel interface configuration

Tunnel interface configuration includes the following:

■ Encapsulate the Tunnel interface using UDP DVPN

■ Configure the Tunnel interface to client type

■ Configure the source address or source interface of the Tunnel interface

■ Configure the DVPN class to be applied to the Tunnel interface

■ Configure the DVPN domain the Tunnel interface belongs to

■ Configure register type (optional)

■ Configure IPsec-encrypted data stream

3 DVPN class configuration

DVPN class configuration refers to configuring, in DVPN class view, the parameters that are necessary for a client to register with a DVPN server and the information used in negotiation. It mainly includes the following:

■ Create a DVPN class and enter its view

■ Assign a public IP address to the DVPN server

■ Assign a private IP address to the DVPN server (optional)

■ Configure the register algorithm suite (optional. The default registering algorithm suite is DES-MD5-DH1.)

■ Specify how the client authenticates the DVPN server (optional)

■ Configure the pre-shared-key used when the client authenticates the DVPN server (optional)

■ Configure user information used when the client registers with the DVPN server (optional)


DVPN server configuration

As for a DVPN server, you need to perform basic configuration, Tunnel interface configuration, and DVPN policy suite configuration (DVPN policies are configured in DVPN policy views), which are described as follows.

1 Basic configuration

Basic configuration includes the following:

■ Enable/Disable DVPN

■ Configure the map aging time

■ Configure how to authenticate the clients

■ Configure the pre-shared-key

2 Tunnel interface configuration

Tunnel interface configuration includes the following:

■ Encapsulate the Tunnel interface with UDP DVPN

■ Configure the Tunnel interface to server

■ Configure the DVPN domain the Tunnel interface belongs to

■ Configure the source address or source interface of the Tunnel interface

■ Configure the DVPN policy the Tunnel interface uses (optional)

■ Configure IPsec-encrypted data stream

3 DVPN policy suite configuration

DVPN policy suite configuration includes the following:

■ Create and enter a DVPN policy view

■ Configure how the DVPN server authenticates the clients (optional and is NONE by default)

■ Configure the algorithm suite for a specified session (optional and is des-md5-dh1 by default)

■ Configure the timeout time for a specified session (optional and is 300 seconds by default)

■ Configure the interval for sending keepalive packets (optional and is 10 seconds by default)

■ Configure the interval for sending requests to establish a session (optional and is 10 seconds by default)

■ Configure the IPsec algorithm suite (optional and is des-md5-dh1 by default)

■ Configure the time out time to renegotiate a specified IPsec SA (optional and is 3600 seconds by default)

Corresponding to the configurations mentioned above, the following sections describe how to configure DVPN in terms of basic configuration, Tunnel interface configuration, DVPN class configuration, and DVPN policy configuration.


Basic DVPN Configuration

Enabling/Disabling DVPN

Perform these operations to enable/disable DVPN. If you disable DVPN on a DVPN server, the existing DVPN sessions are removed after they time out.

Perform the following configuration in system view on a client or a DVPN server.

DVPN is enabled by default.

Configuring the pre-shared-key

Perform these operations to configure or remove the authentication information (pre-shared-key) on a DVPN server. A client that authenticates the server using a pre-shared-key specifies the pre-shared-key of the DVPN server it is to access; the specified pre-shared-key must be identical to the one the DVPN server holds.

Perform the following configuration in system view on a DVPN server.

Pre-shared-keys are not configured by default.

Configuring how to authenticate a client

At present, PAP (password authentication protocol) and CHAP (challenge authentication protocol) are available for a DVPN server to authenticate clients that attempt to access the DVPN domain. After you perform this operation to specify how a DVPN server authenticates clients, the server authenticates clients in the specified way if it has no DVPN policy applied.

Perform the following configuration in system view on a DVPN server.

A DVPN server does not authenticate clients by default.

Configuring the map age time

You can limit the number of maps by configuring the map age time. For clients that cannot successfully register with the DVPN server, the related maps are removed when the map age time expires.

Perform the following configuration in system view.

Table 216 Enable/Disable DVPN

Operation       Command
Enable DVPN     dvpn service enable
Disable DVPN    undo dvpn service enable

Table 217 Configure the pre-shared-key for a DVPN server

Operation                   Command
Configure a pre-shared-key  dvpn server pre-shared-key key
Remove a pre-shared-key     undo dvpn server pre-shared-key

Table 218 Configure how to authenticate a client

Operation                               Command
Configure how to authenticate a client  dvpn server authentication-client method { none | { chap | pap } [ domain isp-name ] }


The default map age time is 30 seconds.

Configuring the registering interval for a client

If a client fails to register with a DVPN server, it registers with the DVPN server again after a specified interval. You can configure the register interval on a client.

Perform the following configuration in system view on a client.

The default register interval is 10 seconds.

Configuring the register retries for a client

A client enters the dumb state if it fails to register with a DVPN server a specified number of times. You can configure the maximum number of retries in a register round by performing this operation.

Note: A client in the dumb state does not register with a DVPN server.

Perform the following configuration in system view on a client.

The default register retries for the client is 3.

Configuring the dumb interval for a client

A client in dumb state registers with the DVPN server again after a specified interval. You can specify the interval by performing this operation.

Perform the following configuration in system view on a client.

The default dumb interval for the client is 300 seconds.

Table 219 Configure the map age time

Operation                               Command
Configure the map age time              dvpn server map age-time time
Revert the map age time to the default  undo dvpn server map age-time

Table 220 Configure the registering interval for a client

Operation                                               Command
Configure the register interval for the client          dvpn client register-interval time-interval
Revert to the default register interval for the client  undo dvpn client register-interval

Table 221 Configure the registering retries for a client

Operation                                              Command
Configure the register retries for the client          dvpn client register-retry times
Revert to the default register retries for the client  undo dvpn client register-retry

Table 222 Configure the dumb interval for a client

Operation                                           Command
Configure the dumb interval for the client          dvpn client register-dumb time
Revert to the default dumb interval for the client  undo dvpn client register-dumb


Configuring the Tunnel Interface

Configuring the encapsulation format

Before configuring other DVPN parameters, be sure to encapsulate the Tunnel interface with UDP DVPN.

Perform the following configuration in Tunnel interface view on a client or a DVPN server.

A Tunnel interface is encapsulated using GRE by default.

Configuring the type of the Tunnel interface

Configure the Tunnel interface as server or client type according to its location (server side or client side).

Perform the following configuration in Tunnel interface view on a client or a DVPN server.

A Tunnel interface is of client type by default.

Configuring register type for a DVPN client

You can only use the dvpn register-type command on the client. When registering with the server, the client can ask the server to forward the data packets from this client (forward) and notify the server not to send the registration information about this client to other clients (undistributed).

Perform the following configuration in Tunnel interface view on the client.

By default, the register type for the DVPN client is not configured.

Configuring the DVPN domain the Tunnel interface belongs to

You can configure the ID of the DVPN domain the Tunnel interface belongs to by performing this operation. (Tunnel interfaces that belong to the same DVPN domain have the same DVPN ID.)

Table 223 Configure the encapsulation format

Operation                                       Command
Encapsulate the Tunnel interface with UDP DVPN  tunnel-protocol udp dvpn

Table 224 Configure the type of the Tunnel interface

Operation                                      Command
Configure the type of the Tunnel interface     dvpn interface-type { client | server }
Restore the default type of Tunnel interfaces  undo dvpn interface-type

Table 225 Configure register type for a DVPN client

Operation                                    Command
Configure register type for the DVPN client  dvpn register-type { forward | undistributed } *
Remove the configuration                     undo dvpn register-type { forward | undistributed } *


Perform the following configuration in Tunnel interface view on a client or a DVPN server.

A Tunnel interface is not configured with a DVPN ID.

Configuring the source end address of the Tunnel interface

The source address or source interface is the address of the interface from which DVPN packets are sent. The source end address and the destination address, which must be configured on the server end and the client end respectively, together uniquely identify a Tunnel; each end's source address is the other end's destination address.

Perform the following configuration in Tunnel interface view on a client or a DVPN server.

Configuring the DVPN class to be applied to the Tunnel interface (client side only)

After configuring the DVPN server in a DVPN class view on the client side, perform the following operations to apply the DVPN class.

Perform the following configuration in Tunnel interface view on the client side.

A Tunnel interface does not have a DVPN class applied by default.

Configuring the DVPN policy to be applied to the Tunnel interface (server side only)

After configuring the policy in a DVPN policy view on the server side, perform the following operations to apply it to the DVPN domain.

Perform the following configuration in Tunnel interface view on the server side.

Table 226 Configure the DVPN domain the Tunnel interface belongs to

Operation                                                  Command
Configure the DVPN domain the Tunnel interface belongs to  dvpn dvpn-id dvpn-id
Revert the Tunnel interface to the default                 undo dvpn dvpn-id

Table 227 Configure the source end address of the Tunnel interface

Operation                                                                      Command
Configure the source end address or source interface of the Tunnel interface   source { ip-address | interface-type interface-number }
Remove the source end address or the source interface of the Tunnel interface  undo source

Table 228 Configure/Remove the DVPN class to be applied to the Tunnel interface

Operation                                                       Command
Configure the DVPN class to be applied to the Tunnel interface  dvpn server dvpn-class-name
Remove the DVPN class applied to the Tunnel interface           undo dvpn server dvpn-class-name


A Tunnel interface does not have a DVPN policy applied by default.

Configuring IPsec-encrypted data stream

Packets forwarded in a DVPN domain are processed by using the corresponding ACL. The packets matching the ACL will be IPsec encrypted, while others will not.

Perform the following configuration in Tunnel interface view.

All packets that pass through the Tunnel interface are IPsec-encrypted by default.

Configuring a DVPN class

After you configure, in a DVPN class view, the parameters of a specified DVPN server that clients use to register with it (such as its private IP address, public IP address, and the user name), you need to perform the corresponding configuration on the client side, as described in the following sections.

Creating a DVPN class and entering its view

You can create a DVPN class and enter its view, or remove an existing DVPN class by performing the following operations. A DVPN class that is in use cannot be removed.

Perform the following configuration in system view.

No DVPN class is configured by default.

Assigning a public IP address to a DVPN server

The IP address here refers to the fixed public IP address assigned to the DVPN server.

Perform the following configuration in a DVPN class view.

Table 229 Configure/Remove the DVPN policy to be applied to the Tunnel interface

Operation                                                        Command
Configure the DVPN policy to be applied to the Tunnel interface  dvpn policy dvpn-policy-name
Remove the DVPN policy applied to the Tunnel interface           undo dvpn policy dvpn-policy-name

Table 230 Configure IPsec-encrypted data stream

Operation                                                         Command
Configure an ACL to specify packets that are not IPsec-encrypted  dvpn security acl acl-number
Remove all configured ACLs                                        undo dvpn security acl

Table 231 Create/Remove a DVPN class

Operation                      Command
Create and enter a DVPN class  dvpn class dvpn-class-name
Remove a DVPN class view       undo dvpn class dvpn-class-name


A DVPN server is not assigned a public IP address by default.

Assigning a private IP address to a DVPN server

The IP address here refers to the IP address of the Tunnel interface through which the DVPN server accesses a DVPN domain; configuring it is optional. When a client configured with the private IP address of the DVPN server registers, the response contains the private IP address of the DVPN server, and the client tears down the connection if the two private IP addresses are not the same.

Perform the following configuration in a DVPN class view.

A DVPN server is not assigned a private IP address by default.

Configuring the register algorithm suite

DVPN register control packets must be encrypted for security. The encryption algorithm, authentication algorithm, and key negotiation algorithm are determined by the register algorithm suite.

Perform the following configuration in a DVPN class view.

The suite-number parameter is 1 by default, which stands for DES-MD5-GROUP1. Refer to Command Manual for the meanings of other values.

Specifying how the client authenticates the DVPN server

A client can authenticate the DVPN server to be accessed using a pre-shared-key. The configured pre-shared-key must be identical to the one the DVPN server holds for the client to successfully register with the DVPN server.

Perform the following configuration in a DVPN class view.

Table 232 Assign a public IP address to the DVPN server

Operation                                      Command
Assign a public IP address to the DVPN server  public-ip ip-address
Remove a public IP address                     undo public-ip

Table 233 Assign a private IP address to a DVPN server

Operation                                     Command
Assign a private IP address to a DVPN server  private-ip ip-address
Remove the private IP address                 undo private-ip

Table 234 Configure the register algorithm suite

Operation                                       Command
Configure the register algorithm suite          algorithm-suite suite-number
Revert to the default register algorithm suite  undo algorithm-suite

Table 235 Specify how the client authenticates the DVPN server

Operation                                                         Command
Specify to authenticate the DVPN server using the pre-shared-key  authentication-server method pre-share


A client does not authenticate a DVPN server by default.

A DVPN server is not configured with a pre-shared-key by default.

Configuring the user name and password for a client

User names and passwords are used when clients register with DVPN servers. You must configure the user name and password in a DVPN class view for a client if it is to register with a DVPN server that authenticates registering clients.

Perform the following configuration in a DVPN class view.

A client is not configured with a user name and password by default.

Configuring a DVPN policy

DVPN policy parameters, such as the session algorithm suite, the IPsec algorithm suite for data, and the time parameters, are configured in DVPN policy views. A DVPN server issues the DVPN policy applied in the DVPN domain to clients that successfully register with it.

Creating a DVPN policy view

You can create and enter a DVPN policy view, or remove an existing DVPN policy by performing the following operations. To remove a DVPN policy that is applied in a DVPN domain, you must disable it first.

Perform the following configuration in system view.

No DVPN policy is configured by default.

Table 235 Specify how the client authenticates the DVPN server (continued)

Operation                                    Command
Specify not to authenticate the DVPN server  authentication-server method none

Table 236 Configure a pre-shared-key for a DVPN server

Operation                                     Command
Configure a pre-shared-key for a DVPN server  pre-shared-key key
Remove the configured pre-shared-key          undo pre-shared-key

Table 237 Configure the user name and password for a client

Operation                                          Command
Configure the user name and password for a client  local-user username password { simple | cipher } password
Remove the user name and password of a client      undo local-user username

Table 238 Create a DVPN policy view

Operation                                     Command
Create a DVPN policy view and enter its view  dvpn policy dvpn-policy-name
Remove a DVPN policy                          undo dvpn policy dvpn-policy-name


Configuring how a DVPN server authenticates clients

You can configure a DVPN server to authenticate clients that are to access the DVPN domain. At present, you can specify to authenticate using PAP and CHAP.

Perform the following configuration in a DVPN policy view.

A DVPN server does not authenticate clients by default.

Configuring the encryption algorithm suite for a session

You can apply DES, 3DES, and AES encryption algorithms, MD5 and SHA1 authentication algorithms, and DH-GROUP1 and DH-GROUP2 key negotiation algorithms to control packets transmitted during DVPN session negotiation by performing the following operations.

Perform the following configuration in a DVPN policy view.

The suite-number parameter is 1 by default, which stands for DES (for encryption), MD5 (for authentication) and DH-GROUP1 (for key negotiation).

Configuring the idle time out time for a session

A session is torn down if no packet passes through it during a specified interval known as the idle time out time.

Perform the following configuration in a DVPN policy view.

The default idle time out time is 300 seconds.

Configuring the interval for sending keepalive packets

After a session is established, the active side sends keepalive packets regularly to check the connection state of the session if no packet passes through the session. A session is regarded as disconnected if the active side receives no keepalive-ack packet after it sends three successive keepalive packets.

Table 239 Configure how a DVPN server authenticates clients

Operation                                          Command
Configure how a DVPN server authenticates clients  authentication-client method { none | { chap | pap } [ domain isp-name ] }

Table 240 Configure the encryption algorithm suite for a session

Operation                                               Command
Configure the encryption algorithm suite for a session  session algorithm-suite suite-number
Revert to the default encryption algorithm suite        undo session algorithm-suite

Table 241 Configure the idle time out time for a session

Operation                                       Command
Configure the idle time out time for a session  session idle-time time-interval
Revert to the default idle time out time        undo session idle-time


Perform the following configuration in a DVPN policy view.

The default interval for sending keepalive packets is 10 seconds.

Configuring the interval for sending requests to establish a session

If a session is not successfully established, the initiator sends a request again to try to establish the session after a specific interval. The initiator fails to establish a session if the session is not established after the initiator sends three successive requests.

Perform the following configuration in a DVPN policy view.

The default interval for sending requests to establish a session is 10 seconds.

Configuring the IPsec algorithm suite

Packets transmitted in a DVPN domain are IPsec-encrypted for security. At present, DES, 3DES, and AES encryption algorithms and MD5, SHA1 authentication algorithms are available. You can specify the algorithm suite used when an IPsec SA forwards packets by performing the following operations.

Perform the following configuration in a DVPN policy view.

The suite-number parameter is 1 by default, which stands for DES (for encryption) and MD5 (for authentication).

Configuring the time out time to renegotiate a specified IPsec SA

Perform the following configuration in a DVPN policy view.

Table 242 Configure the interval for sending keepalive packets

Operation                                                     Command
Configure the interval for sending keepalive packets          session keepalive-interval time-interval
Revert to the default interval for sending keepalive packets  undo session keepalive-interval

Table 243 Configure the interval for sending requests to establish a session

Operation                                                                   Command
Configure the interval for sending requests to establish a session          session setup-interval time-interval
Revert to the default interval for sending requests to establish a session  undo session setup-interval

Table 244 Configure the IPsec algorithm suite

Operation                                    Command
Configure the IPsec algorithm suite          data algorithm-suite suite-number
Revert to the default IPsec algorithm suite  undo data algorithm-suite


The default time out time to renegotiate a specified IPsec SA is 3600 seconds.

Displaying and Debugging DVPN

Execute the display command in any view to display how DVPN operates.

Execute the reset command in user view to clear sessions, maps, statistics information, or initiate a DVPN domain.

Execute the debugging command in user view to debug DVPN.

Note: If you want to use a new policy after changing the DVPN policy, you must reboot the switch or the Tunnel interface. The new policy cannot be put into use with the reset command.

DVPN Configuration Example

Network requirements

As Figure 46 shows, Branch A and Branch B establish DVPN connections with the headquarters respectively. Detailed requirements are as follows:

■ Use the default algorithm suite (algorithm suite 1) for register and sessions, that is, use DES for encryption, MD5 for authentication, and DH-GROUP1 for key negotiation.

■ Data is IPsec-encrypted for security using algorithm suite 6. That is, use 3DES for encryption, MD5 for authentication, and DH-GROUP2 for key negotiation.

Table 245 Configure the time out time to renegotiate a specified IPsec SA

Operation                                                                Command
Configure the time out time to renegotiate a specified IPsec SA          data ipsec-sa duration time-based time-interval
Revert to the default time out time to renegotiate a specified IPsec SA  undo data ipsec-sa duration time-based

Table 246 Display and debug DVPN

Operation                                                                              Command
Enable/Disable debugging for DVPN                                                      [undo] debugging dvpn { all | error | event { all | register | session | misc } | hexadecimal | packet { all | control | data | ipsec } }
Display global information about DVPN in a system or information about a DVPN domain  display dvpn info { dvpn-id dvpn-id | global }
Display information about maps in a DVPN domain                                        display dvpn map { all | dvpn-id dvpn-id | public-ip public-ip }
Display information about sessions in a DVPN domain                                    display dvpn session { all | dvpn-id dvpn-id [ private-ip private-ip ] }
Display information about IPsec SAs in a DVPN domain                                   display dvpn ipsec-sa { all | dvpn-id dvpn-id [ private-ip private-ip ] }
Display information about online DVPN users                                            display dvpn online-user
Initiate a DVPN domain                                                                 reset dvpn all dvpn-id
Clear a specified map                                                                  reset dvpn map public-ip port [ control-id ]
Clear a specified session                                                              reset dvpn session dvpn-id private-ip
Clear DVPN statistics information                                                      reset dvpn statistics


Note: After sessions are established between the server and client 1 and client 2, the transmitted data is IPsec-encrypted by default using algorithm suite 1, that is, DES for encryption, MD5 for authentication, and DH-GROUP1 for key negotiation.

Network diagram

Figure 46 Network diagram for DVPN

Configuration procedure

1 Configure server

3Com (IPsec module)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 70
[3Com-vlan70] quit
[SW8800] vlan 80
[3Com-vlan80] quit
[SW8800] vlan 90
[3Com-vlan90] quit

# Configure the IP address.

[SW8800] interface vlan-interface 70
[3Com-Vlan-interface70] ip address 70.0.0.254 24
[3Com-Vlan-interface70] quit
[SW8800] interface vlan-interface 80
[3Com-Vlan-interface80] ip address 80.0.0.1 24
[3Com-Vlan-interface80] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 80.0.0.254

[Figure 46 residue; recoverable labels: Server Tunnel0 192.168.0.254/24 (Switch8800_A/SecBlade_A, Vlan70 70.0.0.254/24, Vlan 80/90), Client1 Tunnel0 192.168.0.1/24 (Vlan10 10.0.0.0/24, Vlan 30/50), Client2 Tunnel0 192.168.0.2/24 (Switch8800_B/Secblade-B, Vlan20 20.0.0.0/24, Vlan 40/60), all connected across the Internet]


# Configure aggregation of two GigabitEthernet interfaces of the IPsec module (IPsec module slot number is 2).

[SW8800] secblade aggregation slot 2

# Create the SecBlade test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 80

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 90

# Map the IPsec module to the IPsec module of the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the IPsec module of the specified slot.

<SW8800> secblade slot 2
(Both user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_Srv> system-view

# Create the sub-interface.

[secblade_Srv] interface g0/0.1
[secblade_Srv-GigabitEthernet0/0.1] vlan-type dot1q vid 80
[secblade_Srv-GigabitEthernet0/0.1] ip address 80.0.0.254 24
[secblade_Srv-GigabitEthernet0/0.1] quit
[secblade_Srv] interface g0/0.2
[secblade_Srv-GigabitEthernet0/0.2] vlan-type dot1q vid 90
[secblade_Srv-GigabitEthernet0/0.2] ip address 90.0.0.254 24
[secblade_Srv-GigabitEthernet0/0.2] quit

# Configure a static route.

[secblade_Srv] ip route-static 70.0.0.0 24 80.0.0.1

# Enable DVPN function.

[secblade_Srv] dvpn service enable

# Create a DVPN policy and configure IPsec algorithm-suite as 5.

[secblade_Srv] dvpn policy 1
[secblade_Srv-dvpn-policy-1] data algorithm-suite 5

# Configure Tunnel 0 interface.


[secblade_Srv] interface tunnel 0
[secblade_Srv-Tunnel0] tunnel-protocol udp dvpn
[secblade_Srv-Tunnel0] dvpn interface-type server
[secblade_Srv-Tunnel0] ip address 192.168.0.254 255.255.255.0
[secblade_Srv-Tunnel0] source GigabitEthernet0/0.2
[secblade_Srv-Tunnel0] dvpn dvpn-id 1
[secblade_Srv-Tunnel0] dvpn policy 1
[secblade_Srv-Tunnel0] quit

# Configure route information.

[secblade_Srv] ip route-static 10.0.0.0 255.255.255.0 192.168.0.1
[secblade_Srv] ip route-static 20.0.0.0 255.255.255.0 192.168.0.2

2 Configure client 1

Switch 8800 Family switches

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of two GigabitEthernet interfaces of the IPsec module (the IPsec module slot number is 2).

[SW8800] secblade aggregation slot 2

# Create the SecBlade test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50


# Map the IPsec module to the IPsec module of the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the IPsec module of the specified slot.

<SW8800> secblade slot 2
(Both user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_Clnt1> system-view

# Create a sub-interface.

[secblade_Clnt1] interface g0/0.1
[secblade_Clnt1-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade_Clnt1-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade_Clnt1-GigabitEthernet0/0.1] quit
[secblade_Clnt1] interface g0/0.2
[secblade_Clnt1-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade_Clnt1-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade_Clnt1-GigabitEthernet0/0.2] quit

# Configure a static route.

[secblade_Clnt1] ip route-static 10.0.0.0 24 30.0.0.1

# Enable DVPN function.

[secblade_Clnt1] dvpn service enable

# Configure dvpn-class.

[secblade_Clnt1] dvpn class testserver
[secblade_Clnt1-dvpn-class-testserver] public-ip 90.0.0.254
[secblade_Clnt1-dvpn-class-testserver] quit

# Configure attribute for Tunnel 0 interface.

[secblade_Clnt1] interface tunnel 0
[secblade_Clnt1-Tunnel0] ip address 192.168.0.1 255.255.255.0
[secblade_Clnt1-Tunnel0] tunnel-protocol udp dvpn
[secblade_Clnt1-Tunnel0] source GigabitEthernet0/0.2
[secblade_Clnt1-Tunnel0] dvpn interface-type client
[secblade_Clnt1-Tunnel0] dvpn server testserver
[secblade_Clnt1-Tunnel0] dvpn dvpn-id 1
[secblade_Clnt1-Tunnel0] quit

# Configure the static route.

[secblade_Clnt1] ip route-static 70.0.0.0 255.255.255.0 192.168.0.254
[secblade_Clnt1] ip route-static 20.0.0.0 255.255.255.0 192.168.0.2

3 Configure client 2

Switch 8800 Family switches


# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 20
[3Com-vlan20] quit
[SW8800] vlan 40
[3Com-vlan40] quit
[SW8800] vlan 60
[3Com-vlan60] quit

# Configure the IP address.

[SW8800] interface vlan-interface 20
[3Com-Vlan-interface20] ip address 20.0.0.254 24
[3Com-Vlan-interface20] quit
[SW8800] interface vlan-interface 40
[3Com-Vlan-interface40] ip address 40.0.0.1 24
[3Com-Vlan-interface40] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 40.0.0.254

# Configure aggregation of two GigabitEthernet interfaces of the IPsec module (the IPsec module slot number is 2).

[SW8800] secblade aggregation slot 2

# Create the SecBlade test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 40

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 60

# Map the IPsec module to the IPsec module of the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the IPsec module of the specified slot.

<SW8800> secblade slot 2
(Both user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_Clnt2> system-view

# Create a sub-interface.

[secblade_Clnt2] interface g0/0.1
[secblade_Clnt2-GigabitEthernet0/0.1] vlan-type dot1q vid 40
[secblade_Clnt2-GigabitEthernet0/0.1] ip address 40.0.0.254 24
[secblade_Clnt2-GigabitEthernet0/0.1] quit
[secblade_Clnt2] interface g0/0.2
[secblade_Clnt2-GigabitEthernet0/0.2] vlan-type dot1q vid 60
[secblade_Clnt2-GigabitEthernet0/0.2] ip address 60.0.0.254 24
[secblade_Clnt2-GigabitEthernet0/0.2] quit

# Configure a static route.

[secblade_Clnt2] ip route-static 20.0.0.0 24 40.0.0.1

# Enable DVPN function.

[secblade_Clnt2] dvpn service enable

# Configure dvpn-class.

[secblade_Clnt2] dvpn class testserver
[secblade_Clnt2-dvpn-class-testserver] public-ip 90.0.0.254
[secblade_Clnt2-dvpn-class-testserver] quit

# Configure attribute for interface Tunnel 0.

[secblade_Clnt2] interface tunnel 0
[secblade_Clnt2-Tunnel0] ip address 192.168.0.2 255.255.255.0
[secblade_Clnt2-Tunnel0] tunnel-protocol udp dvpn
[secblade_Clnt2-Tunnel0] source GigabitEthernet0/0.2
[secblade_Clnt2-Tunnel0] dvpn interface-type client
[secblade_Clnt2-Tunnel0] dvpn server testserver
[secblade_Clnt2-Tunnel0] dvpn dvpn-id 1
[secblade_Clnt2-Tunnel0] quit

# Configure the static route.

[secblade_Clnt2] ip route-static 70.0.0.0 255.255.255.0 192.168.0.254
[secblade_Clnt2] ip route-static 10.0.0.0 255.255.255.0 192.168.0.1

14 RELIABILITY OVERVIEW

Note: The content below applies to the IPsec module, so the command views in this document apply to the module and not to the Switch 8800 Family switches.

Introduction to Reliability

During communication, any software or hardware error, such as a network device or line fault, may disrupt the connection and cause transmission failure. To avoid these situations, Comware provides virtual router redundancy protocol (VRRP) and hot backup technologies to ensure that a backup scheme is available when faults occur. This guarantees smooth communication and makes the network more robust and reliable.

VRRP improves the reliability of connections to outside networks and is therefore well suited to multicast or broadcast LANs such as Ethernet. Multiple routers can form a standby group, or virtual router, acting as the only egress gateway for the local network; these routers are transparent to the local network. In the standby group, one router is engaged in packet forwarding, a backup router is ready to replace the active router, and the other routers are listening. If the active router fails, the backup router takes over and the other routers elect a new backup router from among themselves. This improves reliability, allowing the local hosts to continue operating without any modification.

15 VRRP CONFIGURATIONS

Introduction to VRRP

Virtual router redundancy protocol (VRRP) is a fault-tolerant protocol. Normally, you configure a default route for the hosts on a network, for example 10.100.10.1 in the following figure. All packets destined for the external network are sent over this default route to Router to gain access to the external networks. When Router fails, all the hosts using Router as the default next-hop router are isolated from the external network.

Figure 47 Network diagram for a LAN

VRRP was designed to address this problem on multicast and broadcast LANs such as Ethernet.

The following figure illustrates how VRRP is implemented.

VRRP combines a group of routers on a LAN (including a master and multiple backups) into a virtual router called a standby group.


Figure 48 VRRP networking diagram

This virtual router has its own IP address: 10.100.10.1 (it can be the interface address on a router in the standby group). The routers in the standby group also have their own IP addresses: 10.100.10.2 for the master and 10.100.10.3 for a backup router for example.

The hosts on the LAN, however, only know the IP address of this virtual router, 10.100.10.1, and so use this IP address as the address of the default next-hop router when communicating with the external network.

When the master in the standby group fails, the backup routers in the standby group elect a new master to take over, allowing the hosts on the network to communicate with the external network without interruption.

For more information about VRRP, refer to RFC 2338.

Configuring VRRP

The basic VRRP configuration tasks are described in the following sections:

■ “Adding or Deleting a Virtual IP Address”

■ “Configuring Priority in a Standby Group”

■ “Configuring Preemption Mode and Preemption Delay”

The advanced VRRP configuration tasks are described in the following sections:

■ “Configuring Authentication Mode and Authentication Key”

■ “Configuring the Adver_Timer of VRRP”

■ “Configuring Interface Tracking”

■ “Enabling/Disabling Virtual IP Address Pinging”

■ “Enabling/Disabling TTL Check for VRRP Packets”


Adding or Deleting a Virtual IP Address

You can assign an IP address on this network segment to a virtual router (standby group), or delete the specified virtual IP address or all virtual IP addresses from the virtual address list.

Perform the following configuration in interface view.

The standby group number virtual-router-ID is in the range 1 to 255. The virtual IP address can be an unassigned address on the network segment to which the standby group belongs, or the IP address of an interface in the standby group. In the latter case, the security gateway that owns the IP address is called the IP address owner.

The system creates a standby group the first time that you assign an IP address to it. When you assign virtual IP addresses to the group after that, the system only adds the addresses to the virtual IP address list of this standby group. You can assign an interface to 14 standby groups, while one standby group can accommodate up to 16 virtual IP addresses.

Note that before you can configure a standby group, you must create it by assigning an IP address to it. Deleting the last virtual IP address from the standby group also deletes the standby group. After that, all its configurations become invalid.

Configuring Priority in a Standby Group

In VRRP, the role that a security gateway plays in a standby group depends on its priority. The security gateway with the highest priority becomes the master.

The priority is in the range 0 to 255, with a larger number indicating a higher priority. However, the configurable range is 1 to 254. The priority 0 is reserved for special use and 255 for the IP address owner.

Perform the following configuration in interface view.

The priority is 100 by default.

Note: The IP address owner has two priorities: configurable and operating. The configurable priority is the one assigned using the vrrp vrid command; the operating priority is always 255 and is not configurable.

Table 247 Add/delete a virtual IP address

Operation: Add a virtual IP address.
Command: vrrp vrid virtual-router-ID virtual-ip virtual-address

Operation: Delete the specified or all virtual IP addresses.
Command: undo vrrp vrid virtual-router-ID virtual-ip virtual-address

Table 248 Configure the priority of the interface in the standby group

Operation: Configure the priority of the interface in the standby group.
Command: vrrp vrid virtual-router-ID priority priority-value

Operation: Restore the default value.
Command: undo vrrp vrid virtual-router-ID priority


Configuring Preemption Mode and Preemption Delay

In non-preemption mode, once a security gateway in the standby group becomes the master and operates well, other security gateways cannot preempt it, even if they are assigned a higher priority later. A security gateway working in preemption mode, however, can preempt a lower-priority master; the existing master then becomes a backup.

When enabling preemption in a standby group, you can configure a delay by using the vrrp vrid command to have the backup wait for a while before preempting the existing master. This is to prevent frequent state transitions on an unstable network where the backup group security gateways cannot receive packets from the master regularly due to network congestion.

The delay is in the range 0 to 255 seconds.

Perform the following configuration in interface view.

The default mode is preemption without delay.

Note: After you disable preemption, the preemption delay is automatically reset to 0 seconds.

Configuring Authentication Mode and Authentication Key

VRRP provides two authentication modes: simple (simple text authentication) and MD5.

On a secure network, you can use the default, where no authentication key is required. In this way, the security gateway authenticates neither the VRRP packets it sends nor those it receives.

On a network where potential threats are present, you can set the authentication mode to simple, where the authentication key must not be greater than eight bytes. When the security gateway sends a VRRP packet, it fills the authentication key into the VRRP packet. When the security gateway receives a VRRP packet, it compares the authentication key in the packet with the one that it retains. If they are the same, the packet is considered genuine and legitimate. Otherwise, the packet is considered illegitimate and is discarded.

On an unsafe network, you can set the authentication mode to MD5. This allows the security gateway to authenticate VRRP packets using the authentication method provided by the authentication header (AH) and the MD5 algorithm. The authentication key is entered either in plain text, with a length of one to eight characters, such as 1234567, or in encrypted text, with a length of exactly 24 characters, such as (TT8F]Y5SQ=^Q‘MAF4<1!!.

The security gateway discards the packets that fail authentication and sends traps.

Table 249 Configure the preemption mode and preemption delay for a standby group

Operation: Enable preemption and configure preemption delay for a standby group.
Command: vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]

Operation: Disable preemption in the standby group.
Command: undo vrrp vrid virtual-router-ID preempt-mode


Perform the following configuration in interface view.

By default, the security gateway does not authenticate VRRP packets.

Note: For the standby groups on the same interface, you must set the same authentication mode and authentication key.

Configuring the Adver_Timer of VRRP

In a VRRP standby group, the master security gateway tells other security gateways that it is alive by sending VRRP packets regularly. If no VRRP packets are received after a specified period, the backup assumes the master has failed and changes its state to master. The VRRP packet sending interval and the state transition of the backup are controlled by two timers: Adver_Timer and Master_Down_Timer.

The Master_Down_Timer is about three times the Adver_Timer. Either heavy traffic or differing timer settings on the security gateways can cause the Master_Down_Timer to expire abnormally, triggering a state transition. One solution to this problem is to set the Adver_Timer (in seconds) to a greater value and/or to configure a preemption delay.

Perform the following configuration in interface view.

The adver_interval argument is in the range of 1 to 255 seconds and defaults to 1 second.

Configuring Interface Tracking

The interface tracking function expands the backup functionality of VRRP. It provides backup not only when the interface to which a standby group is assigned fails, but also when other interfaces on the security gateway become unavailable. This is achieved by tracking interfaces. When a tracked interface goes down, the priority of the security gateway owning this interface automatically decreases by the value specified by priority-reduced, allowing a higher-priority security gateway in the standby group to take over as the master.

Perform the following configuration in interface view.

Table 250 Configure the authentication mode and authentication key

Operation: Configure the authentication mode and authentication key.
Command: vrrp authentication-mode { md5 key | simple key }

Operation: Restore the default.
Command: undo vrrp authentication-mode

Table 251 Configure the Adver_Timer of VRRP

Operation: Configure the Adver_Timer of VRRP.
Command: vrrp vrid virtual-router-ID timer advertise adver-interval

Operation: Restore the default.
Command: undo vrrp vrid virtual-router-ID timer advertise


The priority-reduced argument defaults to 10.

Note: You cannot configure interface tracking on the security gateway that is the IP address owner.
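The rules in the preceding sections (configurable priority 1 to 254, operating priority 255 for the IP address owner, preemption mode and delay, a Master_Down_Timer of about three times the Adver_Timer, and interface tracking) can be exercised in a small model. The following Python is an added example, not 3Com's code; the gateways are constructed after the multi-standby example later in this chapter, and the skew term and the higher-address tie-break come from RFC 2338 rather than from this chapter.

```python
"""Model of the standby-group rules stated in this chapter: configurable
priority 1-254, operating priority 255 for the IP address owner, interface
tracking that lowers the priority by priority-reduced, preemption mode with a
delay, and a Master_Down_Timer of about three times the Adver_Timer.
Added example with constructed gateways, not 3Com code; the skew term and the
higher-address tie-break are RFC 2338's and go beyond the chapter's wording."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Gateway:
    name: str
    ip: str                        # interface address in the standby group
    priority: int = 100            # configurable priority, default 100
    ip_owner: bool = False         # interface address equals a virtual IP
    preempt: bool = True           # default mode: preemption without delay
    preempt_delay: int = 0         # seconds, 0-255
    adver_interval: int = 1        # Adver_Timer in seconds, 1-255
    # tracked interface -> (link is up, priority-reduced); default reduction 10
    tracked: Dict[str, Tuple[bool, int]] = field(default_factory=dict)

    def operating_priority(self) -> int:
        """Priority actually advertised: always 255 for the IP address owner;
        otherwise the configured value minus priority-reduced for every tracked
        interface that is down, never below 1 (0 is reserved by the protocol)."""
        if self.ip_owner:
            return 255
        prio = self.priority
        for link_up, reduced in self.tracked.values():
            if not link_up:
                prio -= reduced
        return max(prio, 1)

    def master_down_interval(self) -> float:
        """Seconds a backup waits without advertisements before it becomes
        master: 3 * Adver_Timer plus the RFC 2338 skew time (256 - priority)/256."""
        return 3 * self.adver_interval + (256 - self.operating_priority()) / 256


def validate(gw: Gateway) -> List[str]:
    """Range and consistency rules from this chapter; returns the violations."""
    problems = []
    if not 1 <= gw.priority <= 254:
        problems.append("priority must be 1-254 (0 and 255 are reserved)")
    if not 0 <= gw.preempt_delay <= 255:
        problems.append("preemption delay must be 0-255 seconds")
    if not 1 <= gw.adver_interval <= 255:
        problems.append("adver-interval must be 1-255 seconds")
    if gw.ip_owner and gw.tracked:
        problems.append("interface tracking is not allowed on the IP address owner")
    return problems


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(group: List[Gateway]) -> Gateway:
    """Highest operating priority wins; equal priorities are broken in favour
    of the higher interface address (RFC 2338 rule)."""
    return max(group, key=lambda g: (g.operating_priority(), _ip_key(g.ip)))


def preempt_after(backup: Gateway, master: Gateway) -> Optional[int]:
    """Seconds a backup waits before taking over from a lower-priority master,
    or None when it must not preempt (not higher, or non-preemption mode)."""
    if backup.operating_priority() <= master.operating_priority():
        return None
    if not backup.preempt:
        return None
    return backup.preempt_delay


def failover_scenario() -> dict:
    """Constructed walk-through modelled on standby group 1 of the
    multi-standby example: SecBlade_A (priority 120, preemption with a 5 s
    delay, tracking its VLAN 50 sub-interface) against SecBlade_B (defaults)."""
    a = Gateway("SecBlade_A", "10.0.0.1", priority=120, preempt_delay=5,
                tracked={"GigabitEthernet0/0.2": (True, 10)})
    b = Gateway("SecBlade_B", "10.0.0.2")
    out = {"initial": elect_master([a, b]).name}
    a.tracked["GigabitEthernet0/0.2"] = (False, 10)   # uplink down, reduce by 10
    out["after_default_reduction"] = elect_master([a, b]).name
    a.tracked["GigabitEthernet0/0.2"] = (False, 30)   # reduce by 30: 90 < 100
    out["after_reduced_30"] = elect_master([a, b]).name
    out["b_preempt_delay"] = preempt_after(b, a)      # B takes over at once
    a.tracked["GigabitEthernet0/0.2"] = (True, 30)    # uplink back: 120 again
    out["a_preempt_delay"] = preempt_after(a, b)      # A waits its 5 s delay
    out["b_master_down"] = b.master_down_interval()
    return out


if __name__ == "__main__":
    for key, value in failover_scenario().items():
        print(f"{key}: {value}")
```

With the default reduction of 10, SecBlade_A keeps the master role after losing its uplink; only a larger priority-reduced hands the group to SecBlade_B, which is the value to size when tracking is meant to cause failover.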

Enabling/Disabling Virtual IP Address Pinging

This configuration enables users to ping the virtual IP addresses of the standby groups. According to VRRP, users cannot ping the virtual IP addresses of standby groups, so they cannot use the ping command to determine whether an IP address is already assigned to a standby group. If a host on the network coincidentally uses the same IP address as a standby group, all packets in this network segment will be forwarded to that host, and the data in this network segment cannot be forwarded properly.

However, you can use the following configuration to enable users to ping the virtual IP addresses of standby groups.

Perform the following configuration in system view.

By default, virtual IP address pinging is disabled.

Note that you must configure this command before creating standby groups. Once a standby group is created, you cannot use this command and its undo form.

Enabling/Disabling TTL Check for VRRP Packets

This configuration stops the backup switch from checking the TTL value of VRRP packets. According to VRRP, the TTL value of VRRP packets must be 255. If the backup switch detects that the TTL value of a packet is not 255, it drops the packet.

You can use the following configuration to disable TTL check for VRRP packets.

Perform the following configuration in VLAN interface view.

Table 252 Configure interface tracking

Operation: Configure the interface to be tracked.
Command: vrrp vrid virtual-router-ID track interface-type interface-number [ reduced priority-reduced ]

Operation: Disable tracking of the specified interface.
Command: undo vrrp vrid virtual-router-ID track [ interface-type interface-number ]

Table 253 Enable/disable virtual IP address pinging

Operation: Enable virtual IP address pinging.
Command: vrrp ping-enable

Operation: Disable virtual IP address pinging.
Command: undo vrrp ping-enable

Table 254 Enable/Disable TTL check for VRRP packets

Operation: Disable TTL check for VRRP packets.
Command: vrrp un-check ttl

Operation: Restore TTL check for VRRP packets.
Command: undo vrrp un-check ttl


By default, the backup switch checks the TTL value for VRRP packets.

Displaying and Debugging VRRP

After completing the above configurations, you can execute the display command in any view to view the VRRP operating state and to verify the effect of the configuration.

Execute the debugging command in user view.

You can enable or disable VRRP packet debugging and VRRP state debugging to examine VRRP debugging information.

By default, the debugging for VRRP is disabled.

VRRP Configuration Examples

VRRP Single Standby Group Example 1

Network requirements

As shown in Figure 49, two IPsec modules are inserted into a Switch 8807. The two IPsec modules run VRRP and provide one virtual IP address to the switch to implement redundant backup. Normally, the data stream to the Internet passes through SecBlade_A. When SecBlade_A fails, all data to the Internet passes through SecBlade_B.

Table 255 Display and debug VRRP

Operation: Display state information about VRRP.
Command: display vrrp [ interface type number [ virtual-router-ID ] ]

Operation: Enable VRRP packet debugging.
Command: debugging vrrp packet

Operation: Disable VRRP packet debugging.
Command: undo debugging vrrp packet

Operation: Enable VRRP state debugging.
Command: debugging vrrp state

Operation: Disable VRRP state debugging.
Command: undo debugging vrrp state


Network diagram

Figure 49 VRRP network diagram

Configuration procedure

1 PC A

IP address: 10.0.0.1/24.

Gateway address: 10.0.0.254.

2 PC B

IP address: 20.0.0.1/24.

Gateway address: 20.0.0.254.

3 Switch 8807

# Divide VLANs.

<Switch 8807> system-view
[Switch 8807] vlan 10
[Switch 8807-vlan10] quit
[Switch 8807] vlan 20
[Switch 8807-vlan20] quit
[Switch 8807] vlan 30
[Switch 8807-vlan30] quit
[Switch 8807] vlan 50
[Switch 8807-vlan50] quit

# Configure the IP address.


[Switch 8807] interface vlan-interface 10
[Switch 8807-Vlan-interface10] ip address 10.0.0.254 24
[Switch 8807-Vlan-interface10] quit
[Switch 8807] interface vlan-interface 20
[Switch 8807-Vlan-interface20] ip address 20.0.0.254 24
[Switch 8807-Vlan-interface20] quit
[Switch 8807] interface vlan-interface 30
[Switch 8807-Vlan-interface30] ip address 30.0.0.254 24
[Switch 8807-Vlan-interface30] quit

# Configure the static route. The next hop is the virtual IP address of the VRRP standby group.

[Switch 8807] ip route-static 0.0.0.0 0 30.0.0.100

# Configure aggregation of interfaces on the SecBlade_A card (the IPsec module resides in slot 1).

[Switch 8807] secblade aggregation slot 1

# Create module test1 for SecBlade_A.

[Switch 8807] secblade test1

# Specify the SecBlade interface VLAN.

[Switch 8807-secblade-test1] secblade-interface vlan-interface 30

# Set the protected VLAN.

[Switch 8807-secblade-test1] security-vlan 50

# Map module test1 for SecBlade_A to the IPsec module of slot 1.

[Switch 8807-secblade-test1] map to slot 1
[Switch 8807-secblade-test1] quit
[Switch 8807] quit

# Configure aggregation of interfaces on the SecBlade_B card (the IPsec module resides in slot 2).

[Switch 8807] secblade aggregation slot 2

# Create module test2 for SecBlade_B.

[Switch 8807] secblade test2

# Specify the SecBlade_B interface VLAN.

[Switch 8807-secblade-test2] secblade-interface vlan-interface 30

# Set the protected VLAN.

[Switch 8807-secblade-test2] security-vlan 50

# Map the SecBlade_B module to the IPsec module of slot 2.


[Switch 8807-secblade-test2] map to slot 2
[Switch 8807-secblade-test2] quit
[Switch 8807] quit

4 SecBlade_A

# Log into the SecBlade_A card of slot 1.

<Switch 8807> secblade slot 1
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_A> system-view

# Create the sub-interface.

[secblade_A] interface GigabitEthernet0/0.1
[secblade_A-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade_A-GigabitEthernet0/0.1] ip address 30.0.0.1 24
[secblade_A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 30.0.0.100
[secblade_A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[secblade_A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[secblade_A-GigabitEthernet0/0.1] quit
[secblade_A] interface GigabitEthernet0/0.2
[secblade_A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade_A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[secblade_A-GigabitEthernet0/0.2] quit

# Quit IPsec module configuration view.

[secblade_A] quit
<secblade_A> quit
[Switch 8807]

5 SecBlade_B

# Log into the SecBlade_B card of slot 2.

<Switch 8807> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_B> system-view

# Create the sub-interface.

[secblade_B] interface GigabitEthernet0/0.1
[secblade_B-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade_B-GigabitEthernet0/0.1] ip address 30.0.0.2 24
[secblade_B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 30.0.0.100
[secblade_B-GigabitEthernet0/0.1] quit
[secblade_B] interface GigabitEthernet0/0.2
[secblade_B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade_B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[secblade_B-GigabitEthernet0/0.2] quit

# Quit IPsec module configuration view.


[secblade_B] quit
<secblade_B> quit
[Switch 8807]

VRRP Single Standby Group Example 2

Network requirements

The VRRP standby group consisting of SecBlade_A and SecBlade_B serves as the default gateway of hosts in VLAN 10. Hosts in Vlan10 access the Internet through their gateway.

About the VRRP standby group: the standby group number is 1; the virtual IP address is 10.0.0.254; SecBlade_A functions as the Master, while SecBlade_B as the Backup. Preemption is enabled.

Network diagram

Figure 50 Network diagram for VRRP configuration

Configuration procedure

1 PC A

IP address: 10.0.0.50/24.

Gateway address: 10.0.0.254 (the virtual IP address of the standby group)

2 PC B

IP address: 10.0.0.60/24.

Gateway address: 10.0.0.254 (the virtual IP address of the standby group)

(Figure 50 labels: SecBlade_A 10.0.0.1/24 and 50.0.0.1/24; SecBlade_B 10.0.0.2/24 and 50.0.0.2/24; virtual IP address 10.0.0.254/24; a trunk carrying VLAN 10 between S8800_A and S8800_B; PC A and PC B in VLAN 10; VLAN 50 toward the Internet.)

3 Switch 8807_A (SecBlade_A)

# Divide VLANs.

<Switch 8807_A> system-view
[Switch 8807_A] vlan 10
[Switch 8807_A-vlan10] quit
[Switch 8807_A] vlan 50
[Switch 8807_A-vlan50] quit

# Configure aggregation of IPsec module interfaces (the IPsec module interface resides in slot 2).

[Switch 8807_A] secblade aggregation slot 2

# Create the secblade test.

[Switch 8807_A] secblade test

# Set the protected VLAN.

[Switch 8807_A-secblade-test] security-vlan 10 50

# Map the IPsec module to the IPsec module of the specified slot.

[Switch 8807_A-secblade-test] map to slot 2
[Switch 8807_A-secblade-test] quit
[Switch 8807_A] quit

# Log into the IPsec module of the specified slot.

<Switch 8807_A> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_A> system-view

# Create the sub-interface.

[secblade_A] interface g0/0.1
[secblade_A-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[secblade_A-GigabitEthernet0/0.1] ip address 10.0.0.1 24
[secblade_A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.254
[secblade_A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[secblade_A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[secblade_A-GigabitEthernet0/0.1] quit
[secblade_A] interface g0/0.2
[secblade_A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade_A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[secblade_A-GigabitEthernet0/0.2] quit

# Quit IPsec module configuration view.

[secblade_A] quit
<secblade_A> quit
[Switch 8807_A]


4 Switch 8807_B (SecBlade_B)

# Divide VLANs.

<Switch 8807_B> system-view
[Switch 8807_B] vlan 10
[Switch 8807_B-vlan10] quit
[Switch 8807_B] vlan 50
[Switch 8807_B-vlan50] quit

# Configure aggregation of two GigabitEthernet interfaces of the IPsec module (IPsec module slot number is 2).

[Switch 8807_B] secblade aggregation slot 2

# Create the SecBlade test.

[Switch 8807_B] secblade test

# Set the protected VLAN.

[Switch 8807_B-secblade-test] security-vlan 10 50

# Map the IPsec module to the IPsec module of the specified slot.

[Switch 8807_B-secblade-test] map to slot 2
[Switch 8807_B-secblade-test] quit
[Switch 8807_B] quit

# Log into the IPsec module of the specified slot.

<Switch 8807_B> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_B> system-view

# Create the sub-interface.

[secblade_B] interface g0/0.1
[secblade_B-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[secblade_B-GigabitEthernet0/0.1] ip address 10.0.0.2 24
[secblade_B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.254
[secblade_B-GigabitEthernet0/0.1] quit
[secblade_B] interface g0/0.2
[secblade_B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade_B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[secblade_B-GigabitEthernet0/0.2] quit

# Quit IPsec module configuration view.

[secblade_B] quit
<secblade_B> quit
[Switch 8807_B]

In normal cases, SecBlade_A is responsible for gateway work unless it is switched off or malfunctioning, in which case SecBlade_B takes over. Preemption mode is configured for SecBlade_A so that it resumes its gateway function as the Master when it recovers.

Multi-Standby Group Configuration Example

Network requirements

Such a multi-standby configuration can implement load sharing. SecBlade_A serves as the Master of standby group 1 and simultaneously as a Backup of standby group 2, while SecBlade_B does the reverse, serving as the Master of standby group 2 but a Backup of standby group 1. PC A takes standby group 1 as its gateway, and PC B takes standby group 2 as its gateway. In this way, both data stream balancing and mutual standby are achieved.

Network diagram

Figure 51 Network diagram for VRRP configuration

Configuration procedure

1 PC A

IP address: 10.0.0.50/24.

Gateway address: 10.0.0.253 (the virtual IP address of standby group 1)

2 PC B

IP address: 10.0.0.60/24.


Gateway address: 10.0.0.254 (the virtual IP address of standby group 2)

3 Switch 8807_A (SecBlade_A)

# Divide VLANs.

<Switch 8807_A> system-view
[Switch 8807_A] vlan 10
[Switch 8807_A-vlan10] quit
[Switch 8807_A] vlan 50
[Switch 8807_A-vlan50] quit

# Configure aggregation of two GigabitEthernet interfaces of the IPsec module (IPsec module slot number is 2).

[Switch 8807_A] secblade aggregation slot 2

# Create the SecBlade test.

[Switch 8807_A] secblade test

# Set the protected VLAN.

[Switch 8807_A-secblade-test] security-vlan 10 50

# Map the IPsec module to the IPsec module of the specified slot.

[Switch 8807_A-secblade-test] map to slot 2
[Switch 8807_A-secblade-test] quit
[Switch 8807_A] quit

# Log into the IPsec module of the specified slot.

<Switch 8807_A> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_A> system-view

# Create the sub-interface.

[secblade_A] interface g0/0.1
[secblade_A-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[secblade_A-GigabitEthernet0/0.1] ip address 10.0.0.1 24
[secblade_A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.253
[secblade_A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[secblade_A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[secblade_A-GigabitEthernet0/0.1] vrrp vrid 2 virtual-ip 10.0.0.254
[secblade_A-GigabitEthernet0/0.1] quit
[secblade_A] interface g0/0.2
[secblade_A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade_A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[secblade_A-GigabitEthernet0/0.2] quit

# Quit IPsec module configuration view.


[secblade_A] quit
<secblade_A> quit
[Switch 8807_A]

4 Switch 8807_B (SecBlade_B)

# Divide VLANs.

<Switch 8807_B> system-view
[Switch 8807_B] vlan 10
[Switch 8807_B-vlan10] quit
[Switch 8807_B] vlan 50
[Switch 8807_B-vlan50] quit

# Configure aggregation of two GigabitEthernet interfaces of the IPsec module (IPsec module slot number is 2).

[Switch 8807_B] secblade aggregation slot 2

# Create the SecBlade test.

[Switch 8807_B] secblade test

# Set the protected VLAN.

[Switch 8807_B-secblade-test] security-vlan 10 50

# Map the IPsec module to the IPsec module of the specified slot.

[Switch 8807_B-secblade-test] map to slot 2
[Switch 8807_B-secblade-test] quit
[Switch 8807_B] quit

# Log into the IPsec module of the specified slot.

<Switch 8807_B> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade_B> system-view

# Create the sub-interface.

[secblade_B] interface g0/0.1
[secblade_B-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[secblade_B-GigabitEthernet0/0.1] ip address 10.0.0.2 24
[secblade_B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.253
[secblade_B-GigabitEthernet0/0.1] vrrp vrid 2 virtual-ip 10.0.0.254
[secblade_B-GigabitEthernet0/0.1] vrrp vrid 2 priority 120
[secblade_B-GigabitEthernet0/0.1] vrrp vrid 2 preempt-mode
[secblade_B-GigabitEthernet0/0.1] quit
[secblade_B] interface g0/0.2
[secblade_B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade_B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[secblade_B-GigabitEthernet0/0.2] quit

# Quit IPsec module configuration view.


[secblade_B] quit
<secblade_B> quit
[Switch 8807_B]

VRRP Troubleshooting

The configuration of VRRP is simple. You can locate most problems by checking the output of the display command and the debugging command. The following presents some troubleshooting cases.

Symptom 1:

The console screen displays error prompts frequently.

Solution:

Check that the received VRRP packets are correct.

The security gateway may receive incorrect VRRP packets for two reasons: its configuration is inconsistent with that of another security gateway in the standby group, or a device on the segment is sending illegitimate VRRP packets. In the first case, correct the configuration. In the second case there is nothing to fix on the gateway itself; you must identify and remove the offending device by non-technical means.

Symptom 2:

Multiple master security gateways are present in the same standby group.

Solution:

If several masters coexist only for a short period, this is normal and requires no manual intervention. If the condition persists, check that the masters can receive each other's VRRP packets and that the received packets are legitimate.

Do the following:

Have these masters ping each other.

If they can ping each other, check that their configurations are consistent: for the same VRRP standby group, every gateway must have the same number of virtual IP addresses, the same virtual IP addresses, the same timer setting and the same authentication mode.

If they cannot be pinged, check for other reasons.

Symptom 3:

Frequent VRRP state transition is present.

Solution:

Set the Adver_Timer of the standby group to a larger value or configure a preemption delay.
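Symptoms 1 and 2 both come down to deciding whether a received advertisement is well formed and consistent with the local standby group. The following Python is an added example, not code from this guide or from the SecBlade firmware: it decodes a VRRPv2 advertisement (RFC 2338/RFC 3768 layout, carried in IP protocol 112), verifies the message checksum, and reports exactly the mismatches the steps above tell you to look for (virtual IP list, advertisement interval, authentication mode and authentication data). The sample packets are constructed inside the code, reusing VRID 2 and virtual IP 10.0.0.254 from the configuration example above; the names StandbyGroupConfig and check_advertisement are this example's own, and mapping the guide's authentication mode onto the RFC 2338 auth-type value 1 (simple text) is an assumption.

```python
import ipaddress
import struct
from dataclasses import dataclass

VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
# Auth type values from RFC 2338; RFC 3768 keeps the field but deprecates 1 and 2.
AUTH_TYPE_NAMES = {0: "none", 1: "simple-text", 2: "ip-authentication-header"}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over the whole VRRPv2 message (no IP pseudo-header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class VrrpAdvertisement:
    vrid: int
    priority: int
    adver_int: int
    auth_type: int
    auth_data: bytes
    addresses: list
    checksum_ok: bool


def build_advertisement(vrid, priority, adver_int, addresses, auth_type=0, auth_data=b""):
    """Encode an advertisement; used here only to construct the sample packets."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    auth = auth_data.ljust(8, b"\x00")[:8]
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                         vrid, priority, len(addresses), auth_type, adver_int, 0)
    body = header + packed + auth
    return body[:6] + struct.pack("!H", ones_complement_checksum(body)) + body[8:]


def parse_advertisement(payload: bytes) -> VrrpAdvertisement:
    """Decode the VRRP payload of an IP protocol 112 packet and verify its checksum."""
    if len(payload) < 16:
        raise ValueError("truncated VRRP message")
    ver_type, vrid, priority, count, auth_type, adver_int, csum = struct.unpack("!BBBBBBH", payload[:8])
    if ver_type >> 4 != VRRP_VERSION or ver_type & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement (version/type byte 0x%02x)" % ver_type)
    end = 8 + 4 * count + 8
    if len(payload) < end:
        raise ValueError("count of IP addresses (%d) exceeds message length" % count)
    addresses = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth_data = payload[8 + 4 * count:end]
    # Recompute with the checksum field zeroed and compare with the transmitted value.
    checksum_ok = ones_complement_checksum(payload[:6] + b"\x00\x00" + payload[8:end]) == csum
    return VrrpAdvertisement(vrid, priority, adver_int, auth_type, auth_data, addresses, checksum_ok)


@dataclass
class StandbyGroupConfig:
    """The local side of one standby group, as set with the vrrp vrid ... commands."""
    vrid: int
    virtual_ips: list
    adver_int: int = 1
    auth_type: int = 0
    auth_data: bytes = b""


def check_advertisement(adv: VrrpAdvertisement, cfg: StandbyGroupConfig) -> list:
    """List every way a received advertisement disagrees with the local configuration."""
    problems = []
    if not adv.checksum_ok:
        problems.append("bad checksum")
    if adv.vrid != cfg.vrid:
        problems.append("VRID %d, expected %d" % (adv.vrid, cfg.vrid))
    if sorted(adv.addresses) != sorted(cfg.virtual_ips):
        problems.append("virtual IP list mismatch: got %s, expected %s" % (adv.addresses, cfg.virtual_ips))
    if adv.adver_int != cfg.adver_int:
        problems.append("advertisement interval %ds, expected %ds" % (adv.adver_int, cfg.adver_int))
    if adv.auth_type != cfg.auth_type:
        problems.append("authentication type %s, expected %s" % (
            AUTH_TYPE_NAMES.get(adv.auth_type, adv.auth_type), AUTH_TYPE_NAMES.get(cfg.auth_type, cfg.auth_type)))
    elif cfg.auth_type == 1 and adv.auth_data != cfg.auth_data.ljust(8, b"\x00")[:8]:
        problems.append("simple-text authentication data mismatch")
    return problems


if __name__ == "__main__":
    # Constructed samples: VRID 2 / virtual IP 10.0.0.254 from the configuration example above,
    # plus a rogue advertisement claiming priority 255 and an extra virtual address.
    local = StandbyGroupConfig(vrid=2, virtual_ips=["10.0.0.254"])
    for pkt in (build_advertisement(2, 120, 1, ["10.0.0.254"]),
                build_advertisement(2, 255, 1, ["10.0.0.254", "10.0.0.99"])):
        adv = parse_advertisement(pkt)
        print(adv, check_advertisement(adv, local) or "consistent")
```

The IP-layer checks that the protocol also requires (TTL 255 and destination 224.0.0.18) happen before this code sees the payload and are not repeated here. Note that a spoofed advertisement whose VRID, address list, interval and authentication data all match the local configuration is indistinguishable from a legitimate one at this layer, which is why Symptom 1 above can only point you to non-technical measures.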


16

IPSEC MODULE CONFIGURATION COMMANDS

IPsec Module Configuration Commands

default-login-user

Syntax

default-login-user

undo default-login-user

View

SecBlade system view

Parameter

None

Description

Use the default-login-user command to enable default SecBlade login user function.

Use the undo default-login-user command to disable default SecBlade login user function.

For login convenience, a user whose name and password are both SecBlade is created in the SecBlade.

By default, the default SecBlade login user function is enabled; that is, the user created internally in the SecBlade is allowed to log into the SecBlade.

Because the name and password of this built-in account are published in this guide, disable it with undo default-login-user as soon as you have created your own local user for the card (see the local-user and password commands in Chapter 17).

Note: This command is configured on the SecBlade card.

Example

# Disable default SecBlade login user function.

[SecBlade_FW] undo default-login-user

display secblade module

Syntax

display secblade module [sec-mod-name ]

View

Any view of the switch


Parameter

sec-mod-name: The module name.

Description

Use the display secblade module command to view the SecBlade module information.

Example

# Display the SecBlade module information.

[SW8800] display secblade module newsec
module newsec:
  security-vlan: 10,20,30
  secblade-interface: Vlan-interface192
  vlan passing: 10,20,30,192
  map to slot: 5

map to slot

Syntax

map to slot slot-number

undo map to slot slot-number

View

SecBlade module view of the switch

Parameter

slot-number: The number of the slot where the SecBlade card is located.

Description

Use the map to slot command to map the current module to the SecBlade card corresponding to the slot number.

Use the undo map to slot command to cancel the mapping relation.

By default, no module is mapped to any card.

Example

# Map the current module to the SecBlade card in slot 2.

[3Com-secblade-newsec] map to slot 2

secblade aggregation slot

Syntax

secblade aggregation slot slot-number

undo secblade aggregation slot slot-number

View

System view of the switch

Parameter

slot-number: The number of slot where the SecBlade card is located.


Description

Use the secblade aggregation slot command to configure SecBlade interface aggregation.

Use the undo secblade aggregation slot command to cancel the configuration.

Two internal GigabitEthernet interfaces connect the SecBlade card to the switch. You can aggregate these two interfaces into a logical interface to provide broader interface bandwidth.

By default, the interface is not aggregated. Only one GigabitEthernet interface can be used.

Note: When you use the secblade aggregation slot command to configure SecBlade interface aggregation and the switch is short of aggregation resources, the SecBlade takes over resources already used by other aggregation groups. Check the existing link aggregations on the switch before enabling it.

Example

# Set interface aggregation for the SecBlade card of slot 2.

[SW8800] secblade aggregation slot 2

secblade module

Syntax

secblade module sec-mod-name

undo secblade module sec-mod-name

View

System view of the switch

Parameter

sec-mod-name: SecBlade module name, which must start with a letter or a digit.

Description

Use the secblade module command to create a SecBlade module and enter SecBlade module view to configure its attributes.

Use the undo secblade module command to remove the SecBlade module. A module that has been mapped to a SecBlade card cannot be removed.

Example

# Enter SecBlade module view.

[SW8800] secblade module newsec
[3Com-secblade-newsec]

secblade slot

Syntax

secblade slot slot-number

View

User view of the switch


Parameter

slot-number: The number of slot where the SecBlade card is located.

Description

Use the secblade slot command to log into the SecBlade card. You are prompted for a SecBlade user name and password; the built-in SecBlade/SecBlade account is accepted unless it has been disabled on the card with undo default-login-user.

Example

# Log into the SecBlade card in slot 2.

<SW8800> secblade slot 2

secblade-interface

Syntax

secblade-interface vlan-interface interface-number

undo secblade-interface vlan-interface interface-number

View

SecBlade module view of the switch

Parameter

interface-number: Number of the specified interface.

Description

Use the secblade-interface command to set an interface as a Layer 3 interface connecting the switch and SecBlade.

Use the undo secblade-interface command to cancel the configuration.

By default, the Layer 3 interface connecting the switch and SecBlade is not configured.

The VLAN which the specified VLAN interface corresponds to cannot belong to the security-vlan.

Example

# Set the VLAN interface 40 of the switch as the Layer 3 interface connecting the switch and SecBlade module.

[3Com-secblade-newsec] secblade-interface vlan-interface 40

security-vlan

Syntax

security-vlan vlan-range

undo security-vlan vlan-range

View

SecBlade module view of the switch

Parameter

vlan-range: VLAN range.


Description

Use the security-vlan command to specify that all VLANs in the VLAN range are protected by the SecBlade.

Use the undo security-vlan command to cancel the configuration.

By default, no VLAN is protected.

Example

# Set 10, 20 and 30 VLANs to be protected by SecBlade.

[3Com-secblade-newsec] security-vlan 10 20 30


17

AAA/RADIUS/HWTACACS CONFIGURATION COMMANDS

Note: All the commands below apply to SecBlade cards, so the views given for the commands in this chapter are views on the SecBlade card rather than on the Switch 8800 Family switch.

AAA Configuration Commands

access-limit

Syntax

access-limit { disable | enable max-user-number }

undo access-limit

View

ISP domain view

Parameter

disable: No limit to the supplicant number in the current ISP domain.

enable max-user-number: Specifies the maximum supplicant number in the current ISP domain, ranging from 1 to 1048.

Description

Use the access-limit command to configure a limit to the amount of supplicants in the current ISP domain.

Use the undo access-limit command to restore the limit to the default setting.

By default, there is no limit to the amount of supplicants in the current ISP domain.

This command limits the number of supplicants in the current ISP domain. Because supplicants compete for network resources, a suitable limit keeps performance reliable for the supplicants already admitted.

Example

# Set a limit of 500 supplicants for the ISP domain 3com163.net.

[SecBlade_FW-isp-3com163.net] access-limit enable 500

accounting

Syntax

accounting { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name | none }


undo accounting

View

ISP domain view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Specifies the HWTACACS scheme used for accounting.

radius-scheme radius-scheme-name: Specifies the RADIUS scheme used for accounting.

none: Indicates that no accounting scheme is adopted.

Description

Use the accounting command to configure the accounting scheme adopted by the current ISP domain.

Use the undo accounting command to delete the accounting scheme adopted by the current ISP domain.

By default, the system does not adopt any accounting scheme.

The RADIUS or HWTACACS scheme that the accounting command references for the current ISP domain must already have been configured.

If you configure the accounting command in domain view, the accounting scheme specified by this command will be adopted. Otherwise, the accounting scheme specified by the scheme command is adopted.

Related command: scheme, radius scheme, and hwtacacs scheme.

Example

# Specify the current ISP domain, h3c163.net, to adopt the RADIUS accounting scheme radius.

[SecBlade_FW-isp-h3c163.net] accounting radius-scheme radius

# Specify the current ISP domain, h3c, to adopt the HWTACACS accounting scheme hwtac.

[SecBlade_FW-isp-h3c] accounting hwtacacs-scheme hwtac

accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Parameter

None


Description

Use the accounting optional command to enable optional accounting.

Use the undo accounting optional command to disable it.

By default, optional accounting is disabled.

With the accounting optional command, a user who would otherwise be disconnected can keep using the network even when no accounting server is available or communication with the current accounting server fails. This command is normally used for authentication without accounting. While the server is unreachable no accounting records are produced for such sessions, so enable it only where the loss of accounting data is acceptable.

Example

# Enable optional accounting for users in the domain 3com163.net.

[SecBlade_FW] domain 3com163.net
[SecBlade_FW-isp-3com163.net] accounting optional

authentication

Syntax

authentication { hwtacacs-scheme hwtacacs-scheme-name [ local ] | radius-scheme radius-scheme-name [ local ] | local | none }

undo authentication

View

ISP domain view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Specifies the HWTACACS scheme adopted for authentication.

radius-scheme radius-scheme-name: Specifies the RADIUS scheme adopted for authentication.

local: Local authentication scheme.

none: Indicates that no authentication scheme is adopted.

Description

Use the authentication command to configure the authentication scheme adopted by the current ISP domain.

Use the undo authentication command to restore the default authentication scheme.

By default, the local authentication scheme is adopted.

The RADIUS or HWTACACS scheme that the authentication command references for the current ISP domain must already have been configured.


If you configure the authentication command in domain view, the authentication scheme specified by this command will be adopted. Otherwise, the authentication scheme specified by the scheme command is adopted.

When the authentication radius-scheme radius-scheme-name local command or the authentication hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local authentication scheme applies only as a backup in case the RADIUS or HWTACACS server is not available. If the server is available, local authentication is not used, even when the server rejects the user.

If the local or none scheme applies as the first scheme, no RADIUS or HWTACACS scheme can be adopted.

Related command: scheme, radius scheme, hwtacacs scheme.

Example

# Specify the current ISP domain, h3c163.net, to adopt the RADIUS authentication scheme radius.

[SecBlade_FW-isp-h3c163.net] authentication radius-scheme radius

# Specify the ISP domain, h3c, to adopt the RADIUS authentication scheme rd and the local scheme to be the backup scheme.

[SecBlade_FW-isp-h3c] authentication radius-scheme rd local

# Specify the ISP domain, h3c, to adopt the HWTACACS authentication scheme hwtac and the local scheme to be the backup scheme.

[SecBlade_FW-isp-h3c] authentication hwtacacs-scheme hwtac local

authorization

Syntax

authorization { hwtacacs-scheme hwtacacs-scheme-name | none }

undo authorization

View

ISP domain view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Specifies the HWTACACS scheme adopted for authorization.

none: Indicates that no authorization scheme is adopted.

Description

Use the authorization command to configure the authorization scheme adopted by the current ISP domain.


Use the undo authorization command to restore the default authorization scheme.

By default, the local authorization scheme is adopted.

The HWTACACS scheme that the authorization command references for the current ISP domain must already have been configured.

If you configure the authorization command in domain view, the authorization scheme specified by this command will be adopted. Otherwise, the authorization scheme specified by the scheme command is adopted.

Related command: scheme, radius scheme, hwtacacs scheme.

Example

# Specify the ISP domain h3c to adopt the HWTACACS authorization scheme hwtac.

[SecBlade_FW-isp-h3c] authorization hwtacacs-scheme hwtac

display connection

Syntax

display connection [ domain isp-name | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | ucibindex ucib-index | user-name user-name ]

View

Any view

Parameter

domain isp-name: Displays all the user connections belonging to the ISP domain specified by isp-name, a string of up to 24 characters. The specified ISP domain must be an existing one.

ip ip-address: Displays all the user connections related to the specified IP address.

mac mac-address: Displays a user connection by specifying its hexadecimal MAC address in the format of x-x-x.

radius-scheme radius-scheme-name: Displays all the user connections of the RADIUS scheme specified by radius-scheme-name, a string of up to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Displays all the user connections of the HWTACACS scheme specified by hwtacacs-scheme-name, a string of up to 32 characters.

ucibindex ucib-index: Displays information on a user connection by specifying its connection index number, that is, ucib-index ranging from 0 to 7,071.

user-name user-name: Displays the connection information of a specific user. user-name is in the format pure-username@domain, where pure-username comprises up to 55 characters and domain is the domain name, consisting of up to 24 characters.


Description

Use the display connection command to view the relevant information on the specified user connection or all the connections. The output can help you troubleshoot user connections.

By default, information about all user connections is displayed.

Related command: cut connection.

Example

# Display information on the connections in the ISP domain system.

<SecBlade_FW> display connection domain system
 Index=0 ,Username=hfx@system
 IP=188.188.188.3
 Total 1 connections matched, 1 listed.

Table 256 Description on the fields of the display connection command

Field       Description
Index       Index number
Username    User name
IP          IP address of the user

display domain

Syntax

display domain [ isp-name ]

View

Any view

Parameter

isp-name: Specifies the ISP domain name, a string of up to 24 characters. The specified ISP domain must be an existing one.

Description

Use the display domain command to view the configuration of a specified ISP domain or the summary information of all ISP domains.

If no domain name is specified, the summary information of all ISP domains is displayed. If an ISP domain is specified, its configuration is displayed with the same fields and in the same format as the summary. The output can help with ISP domain diagnosis and troubleshooting.

Related command: access-limit, domain, scheme, state.

Example

# Display the summaries of all ISP domains in the system.


<SecBlade_FW> display domain
 0  Domain = system
    State = Active
    Scheme = LOCAL
    Access-limit = Disable
    Domain User Template:
 Default Domain Name: system
 Total 1 domain(s). 1 listed.

Table 257 Description on the fields of the display domain command

Field         Description
Domain        Domain name and sequence number
State         State of the domain (active/block)
Scheme        AAA scheme of the domain (local/RADIUS/TACACS)
Access-limit  Whether the number of access users is limited (disable/enable)

display local-user

Syntax

display local-user [ domain isp-name | service-type { telnet | ssh | terminal | dvpn | ftp | ppp } | state { active | block } | user-name user-name ]

View

Any view

Parameter

domain isp-name: Displays all the local users in the ISP domain specified by isp-name, a string of up to 24 characters. The specified ISP domain must be an existing one.

service-type: Displays local users by service type: telnet for Telnet users, ssh for SSH users, terminal for terminal users logging in from the Console or AUX port, ftp for FTP users, ppp for PPP users, or dvpn for DVPN users.

state { active | block }: Displays local users by state, where active means users allowed to request network services and block means users that are not.

user-name user-name: Displays a user by its user-name, a string of up to 80 characters. It must exclude forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>). The @ sign can be present at most once. The user name without the domain name (the part before @, namely the user ID) cannot exceed 55 characters.

Description

Use the display local-user command to view information about the specified local user or all local users. The output can help you troubleshoot faults related to local users.

By default, information about all local users is displayed.

Related command: local-user.

Example

# Display the information of all the local users.

<SecBlade_FW> display local-user
 The contents of local user admin:
  State: Active
  ServiceType Mask: T
  Idle-cut: Disable
  Access-limit: Disable
  Current AccessNum: 0
  Bind location: Disable
  Vlan ID: Disable
  IP address: Disable
  MAC address: Disable
  User Privilege: 3
 The contents of local user ftpuser:
  State: Active
  ServiceType Mask: F
  Idle-cut: Disable
  Access-limit: Disable
  Current AccessNum: 0
  Bind location: Disable
  Vlan ID: Disable
  IP address: Disable
  MAC address: Disable
  FTP Directory: flash:
 Total 2 local user(s) Matched, 2 listed.
 ServiceType Mask Meaning:
  A--PAD  C--Terminal  D--DVPN  F--FTP  P--PPP  S--SSH  T--Telnet

Table 258 Description on the fields of the display local-user command

Field              Description
State              User state (active/block)
ServiceType Mask   Abbreviation of the service type
Idle-cut           Idle-cut switch
Access-Limit       Limit on user connections
Current AccessNum  Number of users currently logged in
Bind location      Whether the user is bound to a port
VLAN ID            VLAN of the user
IP address         IP address of the user
MAC address        MAC address of the user
FTP Directory      Directory authorized to the FTP user
User Privilege     User level

domain

Syntax

domain [ isp-name | default { disable | enable isp-name } ]

undo domain isp-name

View

System view

Parameter

isp-name: Specifies an ISP domain name. It comprises up to 24 characters, excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>).

default: Configures the default ISP domain. The system-default ISP domain is system.


disable: Disables the configured default ISP domain. Usernames received without a domain name are then refused, unless the device is configured to send usernames to the RADIUS server without domain names, in which case they are still accepted.

enable: Enables the configured default ISP domain. It is appended to usernames that are received without a domain name before they are sent to the AAA server. If the device is configured to send usernames to the RADIUS server without domain names, the default domain name is not appended.

Description

Use the domain command to configure an ISP domain or enter the view of an existing ISP domain.

Use the undo domain command to cancel a specified ISP domain.

By default, the system uses the domain named system. You cannot delete it, but you are allowed to modify its configuration. In addition, you can view its settings using the display domain command.

An ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format, userid@3com163.net for example, the isp-name ("3com163.net" in the example) following the "@" is the ISP domain name. When an AAA server controls user access, for an ISP user whose username is in userid@isp-name format, the system takes the part "userid" as the username for identification and the part "isp-name" as the domain name.

The purpose of introducing ISP domain settings is to support the application environment with several ISP domains. In this case, an access device may have supplicants from different ISP domains. Because the attributes of ISP users, such as username and password structures, service types, may be different, it is necessary to separate them by setting ISP domains. In ISP domain view, you can configure a complete set of ISP domain attributes for each ISP domain, including an AAA scheme (the RADIUS scheme applied).

On a security gateway, each supplicant belongs to an ISP domain. Up to 16 ISP domains can be configured.

When this command is used, if the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP domains are in the active state when they are created.

Related command: access-limit, scheme, state, and display domain.

Example

# Create a new ISP domain, 3com163.net, and enter its view.

[SecBlade_FW] domain 3com163.net
New Domain added.
[SecBlade_FW-isp-3com163.net]
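As an added example (not code from this guide or from the SecBlade), the following Python models the username handling that the domain command and the user-name parameter of display local-user describe: the userid@isp-name split, the default-domain rule of domain default enable and domain default disable, the forbidden characters and the 80/55/24-character limits, the 16-domain ceiling and the per-domain access-limit. The class and method names (AaaDomains, resolve, admit, reason_rejected) are this example's own. The guide does not say whether domain default enable requires an existing domain, nor what happens when a username names a domain that does not exist; treating both as errors is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

FORBIDDEN_CHARS = set("/:*?<>")   # rejected in both ISP domain names and local user names
MAX_USERNAME = 80                 # whole name, including @domain
MAX_USER_ID = 55                  # part before @
MAX_DOMAIN_NAME = 24
MAX_DOMAINS = 16


@dataclass
class IspDomain:
    name: str
    state: str = "active"                # domains are active when created (state command)
    access_limit: Optional[int] = None   # None = access-limit disable; otherwise 1..1048
    current_users: int = 0


class AaaDomains:
    """ISP domain table of one SecBlade (this example's own model, not the device implementation)."""

    def __init__(self) -> None:
        self.domains = {"system": IspDomain("system")}  # exists by default and cannot be deleted
        self.default_domain: Optional[str] = "system"   # None models 'domain default disable'

    @staticmethod
    def _check_chars(value: str, what: str) -> None:
        bad = FORBIDDEN_CHARS & set(value)
        if bad:
            raise ValueError("%s contains forbidden character(s) %s" % (what, "".join(sorted(bad))))

    def add_domain(self, name: str) -> IspDomain:
        """domain <isp-name>: create the domain if needed (up to 16) and return it."""
        if not name or len(name) > MAX_DOMAIN_NAME:
            raise ValueError("ISP domain name must be 1 to %d characters" % MAX_DOMAIN_NAME)
        self._check_chars(name, "ISP domain name")
        if name not in self.domains:
            if len(self.domains) >= MAX_DOMAINS:
                raise ValueError("at most %d ISP domains are supported" % MAX_DOMAINS)
            self.domains[name] = IspDomain(name)
        return self.domains[name]

    def set_default_domain(self, name: Optional[str]) -> None:
        """domain default enable <isp-name>, or domain default disable when name is None.
        Assumption: the default domain must already exist."""
        if name is not None and name not in self.domains:
            raise ValueError("ISP domain %s does not exist" % name)
        self.default_domain = name

    def resolve(self, username: str) -> Tuple[str, IspDomain]:
        """Split userid@isp-name and select the ISP domain, applying the default-domain rule."""
        if not username or len(username) > MAX_USERNAME:
            raise ValueError("username must be 1 to %d characters" % MAX_USERNAME)
        self._check_chars(username, "username")
        if username.count("@") > 1:
            raise ValueError("username may contain @ only once")
        if "@" in username:
            user_id, domain_name = username.split("@")
        elif self.default_domain is None:
            raise ValueError("username carries no domain name and the default domain is disabled")
        else:
            user_id, domain_name = username, self.default_domain
        if not user_id or len(user_id) > MAX_USER_ID:
            raise ValueError("user ID must be 1 to %d characters" % MAX_USER_ID)
        if not domain_name or len(domain_name) > MAX_DOMAIN_NAME:
            raise ValueError("domain name must be 1 to %d characters" % MAX_DOMAIN_NAME)
        domain = self.domains.get(domain_name)
        if domain is None:   # assumption: an unknown domain is an error, not a fallback to system
            raise ValueError("ISP domain %s does not exist" % domain_name)
        return user_id, domain

    def _check_admission(self, username: str) -> Tuple[str, IspDomain]:
        user_id, domain = self.resolve(username)
        if domain.state != "active":
            raise PermissionError("ISP domain %s is blocked" % domain.name)
        if domain.access_limit is not None and domain.current_users >= domain.access_limit:
            raise PermissionError("access-limit %d reached in domain %s" % (domain.access_limit, domain.name))
        return user_id, domain

    def admit(self, username: str) -> str:
        """Admit a supplicant and return the full name (userid@domain) handed on to AAA."""
        user_id, domain = self._check_admission(username)
        domain.current_users += 1
        return "%s@%s" % (user_id, domain.name)

    def reason_rejected(self, username: str) -> Optional[str]:
        """None if the supplicant would be admitted, otherwise the reason it is refused."""
        try:
            self._check_admission(username)
        except (ValueError, PermissionError) as exc:
            return str(exc)
        return None
```

The point worth checking against a real deployment is the default-domain branch: with domain default enable in force, a bare user ID silently lands in the default domain and inherits that domain's AAA scheme, so the default domain should never be one with authentication none.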

ip pool

Syntax

ip pool pool-number low-ip-address [ high-ip-address ]


undo ip pool pool-number

View

System view, ISP domain view

Parameter

pool-number: Address pool number, ranging from 0 to 99.

low-ip-address and high-ip-address: The start and end IP addresses of the address pool. The number of in-between addresses cannot exceed 1024. If end IP address is not specified, there will be only one IP address in the pool, namely the start IP address.

Description

Use the ip pool command to configure a local address pool for assigning addresses to PPP users.

Use the undo ip pool command to delete the specified local address pool.

By default, no local IP address pool is configured.

You can configure an IP address pool in system view and use the remote address command in interface view to assign IP addresses from the pool to PPP users.

You can also configure an IP address pool in ISP domain view for assigning IP addresses to PPP users in the current ISP domain. This applies where an interface serves a large number of PPP users but has too few addresses to allocate. For example, an Ethernet interface running PPPoE can accommodate up to 4095 users, but only one address pool with up to 1024 addresses can be configured on its Virtual Template (VT), which is far from sufficient. To address this, configure address pools for ISP domains and assign addresses from them to the PPP users of each domain.

Related command: remote address.

Example

# Configure the local IP address pool 0 with the address range of 129.102.0.1 to 129.102.0.10.

[SecBlade_FW] domain 3com163.net
[SecBlade_FW-isp-3com163.net] ip pool 0 129.102.0.1 129.102.0.10

level

Syntax

level level

undo level

View

Local user view

Parameter

level: Specifies user priority level, an integer ranging from 0 to 3.


Description

Use the level command to configure user priority level.

Use the undo level command to restore the default user priority level.

By default, user priority level is 0.

Related command: local-user.

Note: If the configured authentication mode is none or password authentication, the command level a user can access after login depends on the priority of the user interface. For users employing RAS authentication, the accessible command level also depends on the priority of the user interface. Where authentication requires both a user name and a password, however, the accessible command level depends on the user priority level set with this command.

Example

# Set the priority level of the 3com user to 3.

[SecBlade_FW-luser-3com] level 3

local-user

Syntax

local-user user-name

undo local-user user-name [ service-type | level ]

undo local-user all [ service-type { ftp | ppp | ssh | telnet | terminal } ]

View

System view

Parameter

user-name: Specifies a local username with a string of up to 80 characters, excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>). The @ sign can be used only once in one username. The username without domain name (the part before @, namely the user ID) cannot exceed 55 characters. user-name is case-insensitive, so UserA and usera are the same.

service-type: Service type.

all: All the users.

ftp: FTP service type.

ppp: PPP service type.

ssh: SSH service type.

telnet: Telnet service type.

terminal: Terminal service type.


Description

Use the local-user command to add a local user and enter the local user view.

Use the undo local-user user-name command to remove the specified local user or the related attributes of the specified local user.

Use the undo local-user all command to remove all local users or all local users of a specific service type.

By default, no local user is configured.

Related command: display local-user.

Example

# Add a local user named 3com1.

[SecBlade_FW] local-user 3com1
[SecBlade_FW-luser-3com1]

local-user password-display-mode

Syntax

local-user password-display-mode { cipher-force | auto }

undo local-user password-display-mode

View

System view

Parameter

cipher-force: Forced cipher mode specifies that the passwords of all the accessed users must be displayed in cipher text.

auto: The auto mode specifies that a user is allowed to use the password command to set a password display mode.

Description

Use the local-user password-display-mode command to configure the password display mode of all the local users.

Use the undo local-user password-display-mode command to restore the default password display mode of all the local users.

If cipher-force applies, a password configured with the simple keyword of the password command is nevertheless displayed in cipher text.

By default, auto applies when displaying passwords of local users.

Related command: display local-user and password.

Example

# Force all the local users to have passwords displayed in cipher text.

[SecBlade_FW] local-user password-display-mode cipher-force


password

Syntax

password { simple | cipher } password

undo password

View

Local user view

Parameter

simple: Specifies to display passwords in simple text.

cipher: Specifies to display passwords in cipher text.

password: Defines a password. For the simple keyword, the password is a string of 1 to 16 characters in simple text; for the cipher keyword, the password can be a string of 1 to 16 characters in simple text, 1234567 for example, or a string of 24 characters in cipher text, (TT8F]Y5SQ=^Q‘MAF4<1!! for example.

Description

Use the password command to configure a password for a local user.

Use the undo password command to cancel the password of the local user.

If local-user password-display-mode cipher-force applies, specifying simple in this command has no effect: the password is still displayed in cipher text.

Related command: display local-user.

Example

# Display the password of the user 3com1 in simple text, with the password being 20030422.

[SecBlade_FW-luser-3com1] password simple 20030422

scheme

Syntax

scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo scheme [ radius-scheme | hwtacacs-scheme | none ]

View

ISP domain view

Parameter

radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters

hwtacacs-scheme-name: Name of an HWTACACS scheme, a string of up to 32 characters

local: Local authentication

none: No authentication


Description

Use the scheme command to configure the AAA scheme to be referenced by the current ISP domain.

Use the undo scheme command to restore the default AAA scheme.

The default AAA scheme in the system is local.

With this command the current ISP domain can reference a RADIUS/HWTACACS scheme that has been configured.

When the radius-scheme radius-scheme-name local command or the hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local scheme applies as a backup only when the RADIUS or HWTACACS server is unavailable. If the server is available, local authentication is not used.

If the local scheme applies as the first scheme, only the local authentication is adopted, and no RADIUS or HWTACACS scheme can be adopted.

If the none scheme applies as the first scheme, no authentication is adopted, and no RADIUS or HWTACACS scheme can be adopted.

An FTP user login cannot be authenticated in none mode because an FTP server implemented with Comware does not support anonymous login.

If the scheme none command is used, the priority level of a user logged into the system is level 0.

Related command: radius scheme and hwtacacs scheme.

Example

# Specify the current ISP domain, 3com163.net, to use the RADIUS scheme 3Com.

[SecBlade_FW-isp-3com163.net] scheme radius 3Com

# Set the authentication scheme referenced by the ISP domain 3Com to radius-scheme "rd", using the local scheme as the backup.

[SecBlade_FW-isp-3com] scheme radius-scheme rd local

# Set the authentication scheme referenced by the ISP domain 3Com to hwtacacs-scheme "hwtac", using the local scheme as the backup.

[SecBlade_FW-isp-3com] scheme hwtacacs-scheme hwtac local

service-type

Syntax

service-type { telnet | ssh | terminal }* [ level level ]

undo service-type { telnet | ssh | terminal }*

View

Local user view


Parameter

telnet: Authorizes the user to use the Telnet service.

ssh: Authorizes the user to use the SSH service.

terminal: Authorizes the user to use the terminal service (login from the Console, or AUX port).

level level: Specifies the user priority. level is an integer in the range of 0 to 3.

Description

Use the service-type command to configure a service type for a particular user.

Use the undo service-type command to delete one or all service types configured for the user.

By default, no service is available for the user.

Related command: service-type ppp and service-type ftp.

Example

# Authorize the user to use the Telnet service.

[SecBlade_FW-luser-3com1] service-type telnet

service-type dvpn

Syntax

service-type dvpn

undo service-type dvpn

View

Local user view

Parameter

None

Description

Use the service-type dvpn command to authorize DVPN service to a particular user.

Use the undo service-type dvpn command to remove DVPN service authorization.

By default, DVPN service is not authorized to users.

Example

# Authorize the DVPN service for the user.

[SecBlade_FW-luser-3com1] service-type dvpn

service-type ftp

Syntax

service-type ftp [ ftp-directory directory]


undo service-type ftp [ ftp-directory ]

View

Local user view

Parameter

ftp-directory directory: Specifies a directory accessible for the FTP user.

Description

Use the service-type ftp command to authorize the user to use FTP service and specify a directory accessible for the FTP user.

Use the undo service-type ftp command to forbid the user to use the FTP service and restore the default directory accessible to the FTP user.

By default, no service of any type is authorized to any user and anonymous FTP access is not allowed, but a user that is granted the FTP service is authorized to access the root directory "flash:/".

Example

# Authorize the user to use the FTP service.

[SecBlade_FW-luser-3com1] service-type ftp

service-type ppp

Syntax

service-type ppp

undo service-type ppp

View

Local user view

Parameter

None

Description

Use the service-type ppp command to authorize the user to use the PPP service.

Use the undo service-type ppp command to forbid the user to use the PPP service.

By default, no service of any type is authorized to any user.

Example

# Allow PPP users to use the PPP service.

[3Com-luser-3com1] service-type ppp

state

Syntax

state { active | block }

View

ISP domain view, local user view


Parameter

active: Allows users in the current ISP domain, or the current local user, to request network services.

block: Blocks users in the current ISP domain, or the current local user, from requesting network services.

Description

Use the state command to configure the state of the current ISP domain or local user.

By default, an ISP domain (in ISP domain view) and a local user (in local user view) are in the active state upon creation.

Every ISP domain can be active or blocked. If an ISP domain is active, the supplicants in it can request network services; in the block state, its users are not allowed to request any network service, which does not affect the users currently online. The same applies to local users.

Related command: domain.

Example

# Set the state of the current ISP domain "3com163.net" to block. The supplicants in this domain cannot request for network services.

[SecBlade_FW-isp-3com163.net] state block

# Set the state of the user "3com1" to block.

[SecBlade_FW-luser-3com1] state block

RADIUS Protocol Configuration Commands

accounting optional

Syntax

accounting optional

undo accounting optional

View

RADIUS domain view

Parameter

None

Description

Use the accounting optional command to enable optional accounting.

Use the undo accounting optional command to disable it.

By default, the optional accounting is disabled.


With the accounting optional command, a user that would otherwise be disconnected can still use network resources when no accounting server is available or communication with the current accounting server fails. This command is normally used for authentication without accounting.

Example

# Enable the optional accounting of the RADIUS scheme 3com.

[SecBlade_FW-radius-3com] accounting optional

data-flow-format

Syntax

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }

undo data-flow-format

View

RADIUS view

Parameter

data: Sets data unit.

byte: Data flows are sent in bytes.

giga-byte: Data flows are sent in gigabytes.

kilo-byte: Data flows are sent in kilobytes.

mega-byte: Data flows are sent in megabytes.

packet: Sets data packet unit.

giga-packet: Data packets are sent in giga-packets.

kilo-packet: Data packets are sent in kilo-packets.

mega-packet: Data packets are sent in mega-packets.

one-packet: Data packets are sent in the units of one-packet.

Description

Use the data-flow-format command to configure the units in which data flows and packets are reported to a RADIUS server.

Use the undo data-flow-format command to restore the unit to the default setting.

By default, data flows are sent in bytes and data packets in the units of one-packet.

Related command: display radius.


Example

# Send data flows and packets destined for the RADIUS server "3Com" in kilobytes and kilo-packets.

[SecBlade_FW-radius-3com] data-flow-format data kilo-byte packet kilo-packet

debugging local-server

Syntax

debugging local-server { all | error | event | packet }

undo debugging local-server { all | error | event | packet }

View

User view

Parameter

all: All debugging.

error: Error debugging.

event: Event debugging.

packet: Packet debugging.

Description

Use the debugging local-server command to enable the debugging for the local RADIUS authentication server.

Use the undo debugging local-server command to disable the debugging for the local RADIUS authentication server.

By default, the debugging for the local RADIUS authentication server is disabled.

Example

# Enable the debugging for the local RADIUS authentication server.

[SecBlade_FW] debugging local-server all
*0.9045238 3Com LS/8/EVENT-MSG:Message received. MessageType = 1
*0.9045238 3Com LS/8/PACKET:Packet Received,Code = 1
*0.9045239 3Com LS/8/PACKET:Packet Send auth pkt ,Code =

debugging radius

Syntax

debugging radius packet

undo debugging radius packet

View

User view

Parameter

packet: Enables packet debugging.


Description

Use the debugging radius command to enable RADIUS debugging.

Use the undo debugging radius command to disable RADIUS debugging.

By default, RADIUS debugging is disabled.

Example

# Enable RADIUS debugging.

<SecBlade_FW> debugging radius packet

display local-server statistics

Syntax

display local-server statistics

View

All views

Parameter

None

Description

Use the display local-server statistics command to display the statistics of the local RADIUS authentication server.

Related command: local-server.

Example

# Display the statistics of the local RADIUS authentication server.

<SecBlade_FW> display local-server statistics
The localserver packet statistics:
Receive: 82 Send: 61
Discard: 21 Receive Packet Error: 0
Auth Receive: 82 Auth Send: 61
Acct Receive: 0 Acct Send: 0

display radius

Syntax

display radius [ radius-scheme-name ]

View

Any view

Parameter

radius-scheme-name: Specifies a RADIUS scheme with a string of up to 32 characters. If no scheme is specified, all RADIUS schemes are displayed.

Description

Use the display radius command to view the configuration information about the specified or all RADIUS schemes or to view statistics about RADIUS.

By default, the configuration information about all RADIUS schemes is displayed.


Related command: radius scheme.

Example

# Display the configurations of all RADIUS schemes.

<SecBlade_FW> display radius
------------------------------------------------------------------
SchemeName = system Index=0 Type=3com
Primary Auth IP =127.0.0.1 Port=1645 State=active
Primary Acct IP =127.0.0.1 Port=1646 State=active
Second Auth IP =0.0.0.0 Port=1812 State=block
Second Acct IP =0.0.0.0 Port=1813 State=block
Auth Server Encryption Key= 3com
Acct Server Encryption Key= 3com
Accounting method = required
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =one packet
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed

Table 259 Information about RADIUS server configuration

Field Description

SchemeName RADIUS scheme name

Index Index number of the RADIUS scheme

Type Type of the RADIUS scheme

Primary Auth IP/ Port/ State IP address/access port number/current state of the primary authentication server

Primary Acct IP/ Port/ State IP address/access port number/current state of the primary accounting server

Second Auth IP/ Port/ State IP address/access port number/current state of the secondary authentication server

Second Acct IP/ Port/ State IP address/access port number/current state of the secondary accounting server

Auth Server Encryption Key Shared key of the authentication server

Acct Server Encryption Key Shared key of the accounting server

TimeOutValue (seconds) Duration of the RADIUS server timeout timer

Permitted send realtime PKT failed counts The maximum number of realtime-accounting packet transmission attempts

Retry sending times of noresponse acct-stop-PKT The maximum number of retries allowed when sending a buffered stop-accounting packet

Quiet-interval(min) The interval for the primary server to resume the active state.

Username format Format of username

Data flow unit Unit of data flows

Packet unit Unit of packets

display radius statistics

Syntax

display radius statistics

View

Any view

Parameter

None

Description

Use the display radius statistics command to view the statistics information on RADIUS packets. The displayed packet information can help you troubleshoot RADIUS faults.

Related command: radius scheme.

Example

# Display the statistics information on RADIUS packets.

<SecBlade_FW> display radius statistics
state statistic(total=1048):
DEAD=1047 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=1
AcctStop=0 OnLine=1 Stop=0
StateErr=0
Received and Sent packets statistic:
Sent PKT total :38 Received PKT total:2
Resend Times Resend total
1 12
2 12
Total 24
RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=1 ,Err=0
Code=11,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=13 , Err=0 , Succ=13
EAP auth request , Num=0 , Err=0 , Succ=0
Account request , Num=1 , Err=0 , Succ=1
Account off request , Num=0 , Err=0 , Succ=0
PKT auth timeout , Num=36 , Err=12 , Succ=24
PKT acct_timeout , Num=0 , Err=0 , Succ=0
Realtime Account timer , Num=0 , Err=0 , Succ=0
PKT response , Num=2 , Err=0 , Succ=2
EAP reauth_request , Num=0 , Err=0 , Succ=0
PORTAL access , Num=0 , Err=0 , Succ=0
Update ack , Num=0 , Err=0 , Succ=0
PORTAL access ack , Num=0 , Err=0 , Succ=0
Session ctrl pkt , Num=0 , Err=0 , Succ=0
RADIUS sent messages statistic:
Auth accept , Num=0
Auth reject , Num=0
EAP auth replying , Num=0
Account success , Num=0
Account failure , Num=0
Cut req , Num=0
RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0

Table 260 Description on the fields for the display radius statistics command

Field Description

state statistic(total=1048):
DEAD=1047 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=1
AcctStop=0 OnLine=1 Stop=0
StateErr=0

Received and Sent packets statistic:
Sent PKT total :38 Received PKT total:2
Resend Times Resend total
1 12
2 12
Total 24
    Packet statistics:
    Total outbound packets: 38 Total inbound packets: 2
    Retransmission number: Total packets retransmitted:
    1 12
    2 12
    Total 24

RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=1 ,Err=0
Code=11,Num=0 ,Err=0
    Statistics on the packets that the RADIUS server receives:
    Code = 2, Num = 1, Err = 0: one authentication response packet received, no error packet
    Code = 3, Num = 0, Err = 0: one authentication reject packet received, no error packet
    Code = 5, Num = 1, Err = 0: one accounting response packet received, no error packet
    Code = 11, Num = 0, Err = 0: one Access-Challenge (for EAP authentication) packet received, no error packet

Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=13 , Err=0 , Succ=13
EAP auth request , Num=0 , Err=0 , Succ=0
Account request , Num=1 , Err=0 , Succ=1
Account off request , Num=0 , Err=0 , Succ=0
PKT auth timeout , Num=36 , Err=12 , Succ=24
PKT acct_timeout , Num=0 , Err=0 , Succ=0
Realtime Account timer , Num=0 , Err=0 , Succ=0
PKT response , Num=2 , Err=0 , Succ=2
EAP reauth_request , Num=0 , Err=0 , Succ=0
PORTAL access , Num=0 , Err=0 , Succ=0
Update ack , Num=0 , Err=0 , Succ=0
PORTAL access ack , Num=0 , Err=0 , Succ=0
Session ctrl pkt , Num=0 , Err=0 , Succ=0
    Statistics on the information the RADIUS server receives:
    Normal authentication request: Count = 13, Error = 0, Success = 0
    EAP authentication request: Count = 0, Error = 0, Success = 0
    Accounting request: Count = 0, Error = 0, Success = 0
    Accounting stop request: Count = 0, Error = 0, Success = 0
    Authentication timeout: Count = 36, Error = 0, Success = 0
    Accounting timeout: Count = 0, Error = 0, Success = 0
    Number of real-time accounting attempts: Count = 0, Error = 0, Success = 0
    Response packet: Count = 2, Error = 0, Success = 2
    EAP re-authentication request: Count = 0, Error = 0, Success = 0
    PORTAL access authentication request: Count = 13, Error = 0, Success = 0
    Upgrade packet: Count = 0, Error = 0, Success = 0
    Session control packet
    Authentication request: Count = 0, Error = 0, Success = 0

RADIUS sent messages statistic:
Auth accept , Num=0
Auth reject , Num=0
EAP auth replying , Num=0
Account success , Num=0
Account failure , Num=0
Cut req , Num=0
    Statistics on the information the RADIUS server sends:
    Authentication succeeds, Count = 0
    Authentication rejected, Count = 0
    Accounting succeeds, Count = 0
    Accounting fails, Count = 0
    EAP authentication response, Count = 0
    Accounting succeeds, Count = 0
    Accounting fails, Count = 0
    Delete request, Count = 0

RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0
    Number of error packets received: 0
    Number of failed send attempts: 0
    Time error: 0 Memory allocation error: 0
    State mismatch error: 0 Other error: 0

No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0

display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

Any view

Parameter

radius-scheme radius-scheme-name: Displays information on buffered stop-accounting requests related to the RADIUS scheme specified by radius-scheme-name. It is a string not exceeding 32 characters and excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>).

session-id session-id: Displays information on the buffered stop-accounting requests related to the session ID specified by session-id, a string of up to 50 characters.

time-range start-time stop-time: Displays the buffered stop-accounting requests by the time range of requests. It is specified by start-time and stop-time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd, that is, hours:minutes:seconds-months/days/years or hours:minutes:seconds-years/months/days.

user-name user-name : Displays information on the buffered stop-accounting requests by user name.

Description

Use the display stop-accounting-buffer command to view information on the stop-accounting requests buffered in the security gateway by RADIUS scheme, session ID, or time range. The displayed packet information can help you troubleshoot RADIUS faults.

If receiving no response after sending a stop-accounting request to a RADIUS server, the security gateway buffers the request packet and retransmits it. The number of allowed transmission attempts can be set using the retry stop-accounting command.

Related command: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.

Example

# Display information on the buffered stop-accounting requests between 0:0:0 and 23:59:59 on August 31, 2002.

<SecBlade_FW> display stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002
Total find 0 record

key

Syntax

key { accounting | authentication } string

undo key { accounting | authentication }

View

RADIUS view


Parameter

accounting: Sets/Deletes a shared key for encrypting RADIUS accounting packets.

authentication: Sets/Deletes a shared key for encrypting RADIUS authentication/authorization packets.

string: Shared key, a string of up to 16 characters.

Description

Use the key command to configure a shared key for encrypting RADIUS authentication/authorization or accounting packets.

Use the undo key command to restore the default shared key.

The RADIUS client (that is, the security gateway) and the RADIUS server use the MD5 algorithm to encrypt the packets they exchange, and each end verifies received packets using the shared key. Only when both ends use the same key can they accept each other's packets and respond. Therefore, the same key must be set on the security gateway and on the RADIUS server. If authentication/authorization and accounting are performed on two server devices with different shared keys, you must set one shared key for each.

By default, the key for authentication/authorization packets and accounting packets is "3com".

Related command: primary accounting, primary authentication, and radius scheme.

Example

# In the RADIUS scheme "3com", set the shared key used for encrypting authentication/authorization packets to "hello".

[SecBlade_FW-radius-3com] key authentication hello

# In the RADIUS scheme "3com", set the shared key for encrypting accounting packets to "ok".

[SecBlade_FW-radius-3com] key accounting ok

local-server

Syntax

local-server nas-ip ip-address key password

undo local-server nas-ip ip-address

View

System view

Parameter

nas-ip ip-address: NAS-IP address of the access server, in dotted decimal format.

key password: Shared key of the access server, with a character string of up to 16 characters.


Description

Use the local-server command to configure related parameters of the local RADIUS authentication server.

Use the undo local-server command to delete a configured NAS-IP address.

By default, the system creates a local RADIUS authentication server with the NAS-IP address being 127.0.0.1 and the shared key being 3com.

Note the following:

■ The device can not only serve as a RADIUS client, performing authentication management on users through the authentication/authorization server and the accounting server, but can also function as a simple RADIUS server (providing authentication and authorization).

■ If the local RADIUS authentication server function is adopted, the UDP port used for authentication/authorization must be 1645, and the UDP port used for accounting must be 1646.

■ The key configured by this command must be consistent with the key used for authentication/authorization which is configured by the key authentication command in RADIUS scheme view.

■ The device supports up to 16 network access servers, including the local RADIUS authentication server created by the system.

Related command: radius scheme, state.

Example

# For the local RADIUS authentication server, set the NAS-IP address to 10.110.1.2 and the shared key to aabbcc.

[SecBlade_FW] local-server nas-ip 10.110.1.2 key aabbcc
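The shared-key check described under the key command and in the local-server notes above, as an added example that is not code from the 3Com manual: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python in which the NAS accepts a reply only when its Response Authenticator validates under the NAS's own key, so a server still holding the default key rejects nothing but is simply ignored. The user name, password, identifier and key strings are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes used here (RFC 2865).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password, request_authenticator, secret):
    """RFC 2865 User-Password hiding: each 16-byte block of the padded password is
    XORed with MD5(secret + previous block), the first block using the Request
    Authenticator. This is the only part of a RADIUS packet the shared key hides."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def build_packet(code, ident, authenticator, attrs):
    """Assemble Code, Identifier, Length, Authenticator and attributes into one datagram."""
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_authenticator, attrs, secret):
    """RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def server_reply(request, server_secret, accept=True):
    """RADIUS server side: answer an Access-Request, signing the reply with the server's key."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("malformed Access-Request")
    req_auth = request[4:HEADER_LEN]
    reply_code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    attrs = b""  # no reply attributes are needed for this demonstration
    auth = response_authenticator(reply_code, ident, req_auth, attrs, server_secret)
    return build_packet(reply_code, ident, auth, attrs)


def client_verify(reply, request_authenticator, client_secret):
    """NAS side: accept the reply only if its authenticator matches under the NAS's key.
    Returns the reply code on success, or None if the packet must be discarded."""
    if len(reply) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return None
    expected = response_authenticator(code, ident, request_authenticator,
                                      reply[HEADER_LEN:], client_secret)
    if not hmac.compare_digest(expected, reply[4:HEADER_LEN]):
        return None
    return code


def exchange(client_secret, server_secret, accept=True):
    """One Access-Request / reply round trip between a NAS configured with
    client_secret and a server configured with server_secret. Returns the reply
    code the NAS accepted, or None when the keys do not match."""
    req_auth = os.urandom(16)
    # Constructed sample credentials (the manual's local-user example values).
    attrs = attribute(1, b"3com1")  # User-Name
    attrs += attribute(2, hide_password(b"20030422", req_auth, client_secret))  # User-Password
    request = build_packet(ACCESS_REQUEST, 7, req_auth, attrs)
    reply = server_reply(request, server_secret, accept)
    return client_verify(reply, req_auth, client_secret)


if __name__ == "__main__":
    # Both ends configured with "key authentication hello": the reply is accepted.
    print(exchange(b"hello", b"hello"))  # 2 (Access-Accept)
    # NAS uses "hello" but the server still has the default "3com": reply discarded.
    print(exchange(b"hello", b"3com"))  # None
```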

nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format.

Description

Use the nas-ip command to set the source IP address of the network access server (NAS, the security gateway in this manual), so that all packets destined for the RADIUS server carry the same source IP address.

Use the undo nas-ip command to cancel the configuration.


Specifying a source address for the RADIUS packets to be transmitted can avoid the situation where the packets sent back by the RADIUS server cannot be received as the result of a physical interface failure. The address of a loopback interface is usually used as the source address.

By default, the source IP address of packets is the IP address of the output port.

Related command: display radius.

Example

# Set the source IP address that is carried in the RADIUS packets sent by the NAS (the security gateway) to 10.1.1.1.

[SecBlade_FW] radius scheme test1
[SecBlade_FW-radius-test1] nas-ip 10.1.1.1

primary accounting

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format. By default, in the system scheme the IP address of the primary accounting server is 127.0.0.1; in a newly added RADIUS scheme it is 0.0.0.0.

port-number: UDP port number of the primary accounting server, in the range 1 to 65535. By default, in the system scheme the UDP port of the primary accounting server is 1646; in a newly added RADIUS scheme it is 1813.

Description

Use the primary accounting command to configure IP address and port number of the primary RADIUS accounting server.

Use the undo primary accounting command to restore the default IP address and port number of the primary RADIUS accounting server.

After creating a RADIUS scheme, configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). The configuration of RADIUS servers is at your discretion, except that there must be at least one authentication/authorization server and one accounting server. Also ensure that the RADIUS service port settings on the security gateway match the port settings on the RADIUS servers.

Related command: key, radius scheme, and state.


Example

# Set the IP address of the primary accounting server in the RADIUS scheme "3com" to 10.110.1.2 and use the UDP port 1813 to provide the RADIUS accounting service.

[SecBlade_FW-radius-3com] primary accounting 10.110.1.2 1813

primary authentication

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format. By default, in the system scheme the IP address of the primary authentication/authorization server is 127.0.0.1; in a newly added RADIUS scheme it is 0.0.0.0.

port-number: UDP port number of the primary authentication/authorization server, in the range 1 to 65535. By default, in the system scheme the UDP port of the primary authentication/authorization server is 1645; in a newly added RADIUS scheme it is 1812.

Description

Use the primary authentication command to configure IP address and port number of the primary RADIUS authentication/authorization server.

Use the undo primary authentication command to restore the default IP address and port number of the primary RADIUS authentication/authorization server.

After creating a RADIUS scheme, configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). The configuration of RADIUS servers is at your discretion, except that there must be at least one authentication/authorization server and one accounting server. Also ensure that the RADIUS service port settings on the security gateway match the port settings on the RADIUS servers.

Related command: key, radius scheme, and state.

Example

# Set IP address of the primary authentication/authorization server in the RADIUS scheme "3com" to 10.110.1.1 and use the UDP port 1812 to provide the RADIUS authentication/authorization service.

[SecBlade_FW-radius-3com] primary authentication 10.110.1.1 1812


radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Parameter

radius-scheme-name: RADIUS scheme name, a string of up to 32 characters.

Description

Use the radius scheme command to configure a RADIUS scheme and enter its view.

Use the undo radius scheme command to delete the specified RADIUS scheme.

By default, the RADIUS scheme named system exists in the system, with all attributes being the defaults that are not configurable. You can use the display radius command to view the settings of the system scheme.

RADIUS is configured scheme by scheme. Every RADIUS scheme must at least specify the IP address and UDP port number of the RADIUS authentication/authorization/accounting servers and the parameters the RADIUS client (the security gateway) needs to interact with them. You must first create a RADIUS scheme and enter its view before you can perform RADIUS configuration.

A RADIUS scheme can be referenced by several ISP domains at the same time.

The undo radius scheme command can be used to delete any RADIUS scheme except for the default one. Note that a RADIUS scheme currently being used by any online users cannot be removed.

Related command: key, retry realtime-accounting, scheme, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius and display radius statistics.

Example

# Create a RADIUS scheme named "3com" and enter its view.

[SecBlade_FW] radius scheme 3com
[SecBlade_FW-radius-3com]

radius nas-ip

Syntax

radius nas-ip ip-address

undo radius nas-ip

View

System view


Parameter

ip-address: Specifies a source IP address, which must be the address of this device. It cannot be the address of all zeros, or class D address, or network address, or an address starting with 127.

Description

Use the radius nas-ip command to specify the source address of the RADIUS packet sent from NAS.

Use the undo radius nas-ip command to restore the default setting.

By specifying the source address of the RADIUS packet, you prevent the server's replies from becoming unreachable when an interface fails. A loopback interface address is normally recommended as the source address.

By default, the source address is not specified, that is, the address of the interface sending the packet serves as the source address.

This command specifies only one source address; therefore, the newly configured source address may overwrite the original one.
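The address rules in the Parameter section above (not all zeros, not class D, not a network address, not 127.x, and an address of this device) are the same ones the hwtacacs nas-ip command later in this chapter applies. The following Python function is an added example, not part of the guide or of the switch software; it checks a candidate NAS-IP against those rules. The DEVICE_INTERFACES list is a constructed stand-in for the device's own interface addresses.

```python
import ipaddress

# Constructed example: the addresses this device has on its own interfaces.
# Not from the guide; a real device would take these from its interface table.
DEVICE_INTERFACES = [
    ipaddress.ip_interface("129.10.10.1/24"),
    ipaddress.ip_interface("172.31.1.1/24"),
]

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def validate_nas_ip(candidate, interfaces=DEVICE_INTERFACES):
    """Apply the guide's rules for the radius nas-ip / hwtacacs nas-ip address.

    Returns (accepted, reason). The address must belong to this device and may
    not be all zeros, a class D (multicast) address, a network address, or an
    address starting with 127.
    """
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return False, "not a dotted-decimal IPv4 address"
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return False, "all-zeros address is not allowed"
    if addr.is_multicast:  # 224.0.0.0/4, i.e. class D
        return False, "class D (multicast) address is not allowed"
    if addr in LOOPBACK_NET:
        return False, "addresses starting with 127 are not allowed"
    for iface in interfaces:
        if addr == iface.network.network_address:
            return False, "network address of %s is not allowed" % iface.network
    if any(addr == iface.ip for iface in interfaces):
        return True, "accepted"
    return False, "not an address of this device"


if __name__ == "__main__":
    for cand in ("129.10.10.1", "0.0.0.0", "224.0.0.5", "127.0.0.1",
                 "129.10.10.0", "10.0.0.1"):
        print(cand, validate_nas_ip(cand))
```

The loopback check only rejects 127.x addresses; the guide's recommendation to use a loopback interface address refers to a device loopback interface with a routable address, which passes this check as long as it is in the interface list.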

Example

# Configure the security gateway to send RADIUS packets from 129.10.10.1.

[SecBlade_FW] radius nas-ip 129.10.10.1

radius trap

Syntax

radius trap { authentication-server-down | accounting-server-down }

undo radius trap { authentication-server-down | accounting-server-down }

View

System view

Parameter

authentication-server-down: RADIUS authentication server goes down.

accounting-server-down: RADIUS accounting server goes down.

Description

Use the radius trap command to enable the device to send a trap when a RADIUS authentication or accounting server goes down.

Use the undo radius trap command to disable sending a trap when a RADIUS server goes down.

By default, no trap is sent when a RADIUS server goes down.

Example

# Enable sending a trap when the RADIUS authentication server goes down.

[SecBlade_FW] radius trap authentication-server-down


reset radius statistics

Syntax

reset radius statistics

View

User view

Parameter

None

Description

Use the reset radius statistics command to clear the statistic information related to the RADIUS protocol.

Related command: display radius.

Example

# Clear the RADIUS protocol statistics.

<SecBlade_FW> reset radius statistics

reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

System view

Parameter

radius-scheme radius-scheme-name: Clears the buffered stop-accounting requests related to the RADIUS scheme specified by radius-scheme-name, a string of up to 32 characters.

session-id session-id: Clears the buffered stop-accounting requests related to the session ID specified by session-id, a string of up to 50 characters.

time-range start-time stop-time: Clears the buffered stop-accounting requests by the time range of requests. The time range is specified by start-time and stop-time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd, that is, hours:minutes:seconds-months/days/years or hours:minutes:seconds-years/months/days.

user-name user-name: Clears the buffered stop-accounting requests by user name.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that have no responses.

If receiving no response after sending a stop-accounting request to a RADIUS server, the security gateway buffers the request packet and retransmits it. The number of allowed transmission attempts can be set using the retry stop-accounting command.


You can clear the buffered stop-accounting requests by RADIUS scheme, session ID, username, or time range.

Related command: stop-accounting-buffer enable, retry stop-accounting, and display stop-accounting-buffer.

Example

# Clear the buffered stop-accounting requests related to the user "[email protected]".

<SecBlade_FW> reset stop-accounting-buffer user-name [email protected]

# Clear the buffered stop-accounting requests in the time range 0:0:0 to 23:59:59 on August 31, 2002.

<SecBlade_FW> reset stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002

retry

Syntax

retry retry-times

undo retry

View

RADIUS view

Parameter

retry-times: The maximum number of request attempts, ranging from 1 to 20.

Description

Use the retry command to configure the number of RADIUS request attempts.

Use the undo retry command to restore the default.

RADIUS runs over UDP, which provides no reliable delivery. If the NAS receives no response from the current RADIUS server when the response timeout timer expires, it retransmits the RADIUS request. If the number of request attempts exceeds the specified retry-times, the NAS considers the current RADIUS server disconnected and turns to another RADIUS server.

Appropriately set the retry-times parameter to maintain an acceptable system response speed.

The default retry times is 3.

Related command: radius scheme.

Example

# With the RADIUS scheme "3com", a RADIUS request can be sent up to five times.

[SecBlade_FW-radius-3com] retry 5


retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

View

RADIUS view

Parameter

retry-times: The maximum number of real-time accounting request attempts that have no responses. It is in the range 1 to 255.

Description

Use the retry realtime-accounting command to configure the maximum number of real-time accounting request attempts allowed to have no responses.

Use the undo retry realtime-accounting command to restore the default.

A RADIUS server usually checks whether a user is online using a timeout timer. If the RADIUS server has not received a real-time accounting packet from the NAS within that time, it assumes a line or device failure and stops accounting. Accordingly, when such a failure occurs, the user must be disconnected at the NAS and on the RADIUS server synchronously. 3Com security gateways therefore let you set the maximum number of real-time accounting requests that may go unanswered: the NAS disconnects the user once that many consecutive real-time accounting requests have received no response from the RADIUS server.

Suppose the response timeout timer of the RADIUS server is T and the real-time accounting interval of the NAS is t. Set T to 3, t to 12, and the maximum number of real-time request retries to 5. With these values, the NAS generates an accounting request every 12 minutes and retries if no response is received within 3 minutes. If no response is received after five attempts, the NAS assumes that this accounting fails. Normally, retry-times multiplied by T should be smaller than t.

The default realtime accounting retry times is 5.

Related command: radius scheme and timer realtime-accounting.

Example

# Configure the RADIUS scheme "3com" to allow up to ten real-time accounting request attempts.

[SecBlade_FW-radius-3com] retry realtime-accounting 10

retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

RADIUS view


Parameter

retry-times: Specifies the maximum number of retransmissions of a stop-accounting request, ranging from 10 to 65535.

Description

Use the retry stop-accounting command to configure the maximum number of retransmissions of a stop-accounting request.

Use the undo retry stop-accounting command to restore the number of retransmissions to the default value.

Because the stop-accounting request concerns the account balance and therefore the amount charged, which matters to both the user and the ISP, the NAS must make its best effort to deliver it to the RADIUS accounting server. Accordingly, if a stop-accounting request sent by the security gateway to the RADIUS accounting server is not answered, the security gateway saves it in a local buffer and retransmits it until the server responds, or discards it after the specified number of transmissions.

Related command: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

The default maximum number of retransmissions of a stop-accounting request is 500.

Example

# In the RADIUS scheme "3com", retransmit an unanswered stop-accounting request up to 1000 times.

[SecBlade_FW-radius-3com] retry stop-accounting 1000

secondary accounting

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

RADIUS view

Parameter

ip-address: IP address, in dotted decimal format. By default, the IP address of secondary accounting server is at 0.0.0.0.

port-number: Specifies the UDP port number, ranging from 1 to 65535. By default, the accounting service is provided through UDP 1813.

Description

Use the secondary accounting command to configure the IP address and port number for the secondary RADIUS accounting server.

Use the undo secondary accounting command to restore the IP address and port number to the defaults.


For detailed information, refer to the description of the primary accounting command.

Related command: key, radius scheme, and state.

Example

# Set the IP address of the secondary accounting server in the RADIUS scheme "3com" to 10.110.1.1 and use the UDP port 1813 to provide the RADIUS accounting service.

[SecBlade_FW-radius-3com] secondary accounting 10.110.1.1 1813

secondary authentication

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format.

port-number: UDP port number, ranging from 1 to 65535. By default, the authentication/authorization service is provided through UDP 1812.

Description

Use the secondary authentication command to configure the IP address and port number of the secondary RADIUS authentication/authorization server.

Use the undo secondary authentication command to restore the IP address and port number to the defaults.

For detailed information, refer to the description of the primary authentication command.

By default, the IP address of the secondary authentication/authorization server is 0.0.0.0.

Related command: key, radius scheme, and state.

Example

# Set IP address of the secondary authentication/authorization server in the RADIUS scheme "3com" to 10.110.1.2 and use the UDP port 1812 to provide the RADIUS authentication/authorization service.

[SecBlade_FW-radius-3com] secondary authentication 10.110.1.2 1812

server-type

Syntax

server-type { 3com | standard }

undo server-type


View

RADIUS view

Parameter

3com: Specifies the RADIUS server of 3Com type (generally CAMS), which requires the RADIUS client (security gateway) and RADIUS server to interact according to the procedures and packet format provisioned by the private RADIUS protocol of 3Com Corporation.

standard: Specifies the RADIUS server of Standard type, which requires the RADIUS client end (security gateway) and RADIUS server to interact according to the regulation and packet format of standard RADIUS protocol (RFC 2138/2139 or newer).

Description

Use the server-type command to configure the RADIUS server type supported by the security gateway.

Use the undo server-type command to restore the default type of the RADIUS server.

By default, in system scheme, the RADIUS server type is 3com; in the newly added RADIUS scheme, the RADIUS server type is standard.

Related command: radius scheme.

Example

# Set the RADIUS server type of the RADIUS scheme "3com" to 3com.

[SecBlade_FW-radius-3com] server-type 3com

state

Syntax

state { primary | secondary } { accounting | authentication } { block | active }

View

RADIUS view

Parameter

primary: Sets the state of the primary RADIUS server.

secondary: Sets the state of the secondary RADIUS server.

accounting: Sets the state of RADIUS accounting server.

authentication: Sets the state of RADIUS authentication/authorization server.

block: Sets state of the RADIUS server to block.

active: Sets state of the RADIUS server to active, namely the normal operation state.


Description

Use the state command to configure the state of a RADIUS server.

By default, in system scheme, the primary authentication/authorization and accounting servers are in active state, and the secondary authentication/authorization and accounting servers are in block state; in the newly added RADIUS scheme, all RADIUS servers are in block state.

When the primary server (accounting or authentication) in a RADIUS scheme becomes unavailable, the NAS automatically turns to the secondary server. After the primary one recovers however, the NAS does not resume the communication with it at once; instead, the NAS continues the communication with the secondary one and turns to the primary one again only after the secondary one fails. To have the NAS communicate with the primary server right after its recovery, you can manually set the state of the primary server to active.

When both the primary and secondary servers are active or blocked, the NAS only sends packets to the primary server.

Related command: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.

Example

# Set the state of the secondary authentication server in the RADIUS scheme "3com" to active.

[SecBlade_FW-radius-3com] state secondary authentication active

stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

RADIUS view

Parameter

None

Description

Use the stop-accounting-buffer enable command to enable the security gateway to buffer the stop-accounting requests that have no responses.

Use the undo stop-accounting-buffer enable command to disable buffering of stop-accounting requests that have no responses.

By default, the security gateway is enabled to buffer the stop-accounting requests that have no responses.

Since the stop-accounting packet affects the charge to a user, it is important for both users and ISPs. Therefore, the NAS makes its best effort to send every stop-accounting request to the RADIUS accounting servers. If it receives no response after a specified period of time, the NAS buffers and resends the packet until it receives a response, or discards the packet when the number of transmission retries reaches the configured limit.
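The reset stop-accounting-buffer, retry stop-accounting and stop-accounting-buffer enable descriptions cover one mechanism from three sides: buffer an unanswered stop-accounting request, retransmit it up to retry-times, and let the administrator clear buffered entries by scheme, session ID, user name or time range. The Python model below is an added example, not the guide's or the switch's code. It also parses both time formats the reset command accepts (hh:mm:ss-mm/dd/yyyy and hh:mm:ss-yyyy/mm/dd). The entries in sample_buffer() and the retry limit of 3 used there are constructed for illustration; the guide's default is 500.

```python
from dataclasses import dataclass
from datetime import datetime

# Default stated in the guide for retry stop-accounting.
STOP_ACCOUNTING_RETRY_DEFAULT = 500


def parse_cli_time(text):
    """Parse a time-range bound of reset stop-accounting-buffer:
    hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd (single-digit fields allowed)."""
    for fmt in ("%H:%M:%S-%m/%d/%Y", "%H:%M:%S-%Y/%m/%d"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("expected hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd, got %r" % text)


@dataclass
class BufferedStopRequest:
    scheme: str          # RADIUS scheme the request was sent through
    session_id: str
    user_name: str
    sent_at: datetime    # time of the first, unanswered transmission
    attempts: int = 1    # transmissions so far


class StopAccountingBuffer:
    """NAS-side buffer controlled by stop-accounting-buffer enable,
    retry stop-accounting and reset stop-accounting-buffer."""

    def __init__(self, enabled=True, retry_times=STOP_ACCOUNTING_RETRY_DEFAULT):
        self.enabled = enabled
        self.retry_times = retry_times
        self.entries = []

    def on_no_response(self, request):
        """A stop-accounting request got no reply: keep it for retransmission,
        unless buffering is disabled (undo stop-accounting-buffer enable)."""
        if not self.enabled:
            return False
        self.entries.append(request)
        return True

    def retransmit_cycle(self, server_acks):
        """One retransmission pass. `server_acks(entry) -> bool` stands in for the
        accounting server (simulated). Answered entries leave the buffer; entries
        reaching retry_times transmissions are discarded. Returns (acked, discarded)."""
        acked = discarded = 0
        kept = []
        for entry in self.entries:
            entry.attempts += 1
            if server_acks(entry):
                acked += 1
            elif entry.attempts >= self.retry_times:
                discarded += 1
            else:
                kept.append(entry)
        self.entries = kept
        return acked, discarded

    def reset(self, radius_scheme=None, session_id=None, user_name=None, time_range=None):
        """reset stop-accounting-buffer { radius-scheme | session-id | time-range | user-name }.
        time_range is a (start, stop) pair of CLI time strings. Returns the number cleared."""
        start = stop = None
        if time_range is not None:
            start, stop = (parse_cli_time(t) for t in time_range)

        def matches(e):
            if radius_scheme is not None and e.scheme != radius_scheme:
                return False
            if session_id is not None and e.session_id != session_id:
                return False
            if user_name is not None and e.user_name != user_name:
                return False
            if start is not None and not (start <= e.sent_at <= stop):
                return False
            return True

        before = len(self.entries)
        self.entries = [e for e in self.entries if not matches(e)]
        return before - len(self.entries)


def sample_buffer():
    """Constructed sample entries (not from the guide) in a buffer with retry limit 3."""
    buf = StopAccountingBuffer(retry_times=3)
    buf.on_no_response(BufferedStopRequest("3com", "sess-001", "alice@3com",
                                           datetime(2002, 8, 31, 10, 0, 0)))
    buf.on_no_response(BufferedStopRequest("3com", "sess-002", "bob@3com",
                                           datetime(2002, 8, 31, 11, 0, 0)))
    buf.on_no_response(BufferedStopRequest("other", "sess-003", "carol@other",
                                           datetime(2002, 9, 1, 9, 0, 0)))
    return buf


if __name__ == "__main__":
    buf = sample_buffer()
    print("cleared by time range:",
          buf.reset(time_range=("0:0:0-08/31/2002", "23:59:59-08/31/2002")))
    print("remaining:", [e.session_id for e in buf.entries])
```

The time-range filter uses the time of the first transmission; the guide does not say whether the device keys the range on the first or the latest attempt, so that is a modelling choice here.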

Related command: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Example

# In the RADIUS scheme "3Com", enable the security gateway to buffer the stop-accounting requests that have no responses.

[SecBlade_FW-radius-3com] stop-accounting-buffer enable

timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS view

Parameter

minutes: Ranges from 1 to 255.

Description

Use the timer quiet command to set the duration that the primary server must wait before it can resume the active state.

Use the undo timer quiet command to restore the default (five minutes).

By default, the primary server must wait five minutes before it can resume the active state.
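The retry, state and timer quiet descriptions above together define how the NAS chooses between the primary and secondary server: retry-times unanswered attempts mark a server as disconnected, the NAS then stays on the secondary even after the primary recovers, a manual state primary ... active returns it to the primary at once, and the quiet timer is the time a failed primary waits before it is active again. The Python model below is an added example, not the guide's or the switch's code, and simulates exactly that behaviour for one server pair. The `answers` mapping stands in for the network; the guide gives no timer for a failed secondary, so this model leaves it blocked until set_state() is used (a labelled assumption).

```python
from dataclasses import dataclass, field
from typing import Optional

# Defaults stated in the guide: retry 3 and timer quiet 5 minutes.
RETRY_DEFAULT = 3
QUIET_MINUTES_DEFAULT = 5


@dataclass
class RadiusServer:
    address: str
    state: str = "block"              # a newly added scheme starts with all servers blocked
    blocked_at: Optional[int] = None  # minute at which a failure blocked this server


@dataclass
class RadiusScheme:
    primary: RadiusServer
    secondary: RadiusServer
    retry_times: int = RETRY_DEFAULT
    quiet_minutes: int = QUIET_MINUTES_DEFAULT
    current: str = "primary"          # the server the NAS is currently talking to
    events: list = field(default_factory=list)

    def server(self, role):
        return self.primary if role == "primary" else self.secondary

    def set_state(self, role, state):
        """The 'state { primary | secondary } authentication { block | active }' command."""
        srv = self.server(role)
        srv.state = state
        srv.blocked_at = None
        if role == "primary" and state == "active":
            # manual activation: the NAS talks to the primary right away
            self.current = "primary"

    def tick(self, now_minute):
        """Quiet timer: a primary blocked by failure resumes the active state after
        quiet_minutes, but the NAS stays on the secondary until that one fails.
        Assumption: no such timer exists for the secondary (the guide gives none)."""
        p = self.primary
        if (p.state == "block" and p.blocked_at is not None
                and now_minute - p.blocked_at >= self.quiet_minutes):
            p.state = "active"
            p.blocked_at = None
            self.events.append((now_minute, "primary active again after quiet timer"))

    def _order(self):
        other = "secondary" if self.current == "primary" else "primary"
        return [self.current, other]

    def send_request(self, answers, now_minute):
        """Send one authentication request. `answers` maps role -> bool and stands
        in for the network (simulated; no real RADIUS traffic is generated).
        Returns (role that answered or None, total attempts made)."""
        attempts = 0
        candidates = [r for r in self._order() if self.server(r).state == "active"]
        if not candidates:
            candidates = ["primary"]  # both blocked: the NAS only sends to the primary
        for role in candidates:
            srv = self.server(role)
            for _ in range(self.retry_times):
                attempts += 1
                if answers.get(role, False):
                    self.current = role
                    return role, attempts
            # retry_times attempts without a reply: server considered disconnected
            if srv.blocked_at is None:
                srv.blocked_at = now_minute
            srv.state = "block"
            self.events.append((now_minute, "%s %s blocked after %d attempts"
                                % (role, srv.address, self.retry_times)))
        return None, attempts


def failover_demo():
    """Walk through the sequence the guide describes; returns the event log."""
    s = RadiusScheme(RadiusServer("10.110.1.1"), RadiusServer("10.110.1.2"))
    s.set_state("primary", "active")
    s.set_state("secondary", "active")
    s.send_request({"primary": False, "secondary": True}, 0)   # primary fails, NAS moves on
    s.tick(5)                                                  # quiet timer expires
    s.send_request({"primary": True, "secondary": True}, 5)    # still on the secondary
    s.send_request({"primary": True, "secondary": False}, 6)   # secondary fails, back to primary
    return s.events


if __name__ == "__main__":
    for minute, event in failover_demo():
        print("minute %d: %s" % (minute, event))
```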

Related command: display radius.

Example

# Set the quiet timer for the primary server to ten minutes.

[SecBlade_FW] radius scheme test1
[SecBlade_FW-radius-test1] timer quiet 10

timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS view

Parameter

minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60 minutes.


Description

Use the timer realtime-accounting command to configure a real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default interval.

The setting of real-time accounting interval is indispensable to real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the RADIUS accounting server at intervals of this value.

The real-time accounting interval depends partly on the performance of the NAS and the RADIUS server: a shorter interval requires higher device performance. A longer interval is therefore recommended when there are many users (1000 or more). Table 261 gives the recommended interval for each range of user counts.

By default, the interval of realtime accounting is 12 minutes.

Related command: retry realtime-accounting and radius scheme.

Example

# Set the real-time accounting interval in the RADIUS scheme "3com" to 51 minutes.

[SecBlade_FW-radius-3com] timer realtime-accounting 51

timer response-timeout

Syntax

timer seconds

undo timer

timer response-timeout seconds

undo timer response-timeout

View

RADIUS view

Parameter

seconds: RADIUS server response timeout timer, ranging from 1 to 10 seconds.

Table 261 Recommended ratio of minutes to the number of users

Number of users    Real-time accounting interval (minutes)
1 - 99             3
100 - 499          6
500 - 999          12
≥ 1000             ≥ 15


Description

Use the timer response-timeout command and the timer command to configure the RADIUS server response timer.

Use the undo timer command and the undo timer response-timeout command to restore the default.

If the NAS receives no response from the RADIUS server after sending a RADIUS request (authentication/authorization or accounting request) for a period, the NAS resends the request, thus ensuring the user can obtain the RADIUS service. You can specify this period by setting the RADIUS server response timeout timer using the timer command and the timer response-timeout command, taking into consideration the network condition and the desired system performance.

By default, the response timeout timer of the RADIUS server is three seconds.

Related command: radius scheme and retry.

Example

# Set the response timeout timer in the RADIUS scheme 3com to 5 seconds.

[SecBlade_FW-radius-3com] timer response-timeout 5

user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

RADIUS view

Parameter

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Description

Use the user-name-format command to configure the format of the username to be sent to a RADIUS server.

By default, in system scheme, the NAS server sends user names without the ISP domain name to the RADIUS server; in the newly added RADIUS scheme, the NAS server sends user names with the ISP domain name to the RADIUS server.

The supplicants are generally named in the userid@isp-name format, of which isp-name is used by the security gateway to decide the ISP domain to which a supplicant belongs. Some earlier RADIUS servers however, cannot recognize usernames including an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the security gateway must remove the domain name. This command is thus provided for you to decide whether to include a domain name in a username to be sent to a RADIUS server.


If a RADIUS scheme sends usernames without the ISP domain name, do not apply the scheme to more than one ISP domain; otherwise the RADIUS server would treat two users in different ISP domains who have the same userid as one user.
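The two paragraphs above describe the user-name-format transformation and the collision it can cause when a without-domain scheme is shared by several ISP domains. The Python functions below are an added example, not the guide's or the switch's code: format_user_name() applies the setting, colliding_names() shows which names the RADIUS server could no longer tell apart, and scheme_binding_is_safe() encodes the caveat as a configuration check. The guide only says usernames take the userid@isp-name form; that the domain is everything after the last "@" is an assumption of this model, and the user lists are constructed.

```python
from collections import defaultdict


def format_user_name(supplicant, mode):
    """Apply user-name-format: 'with-domain' passes the name through unchanged,
    'without-domain' strips the ISP domain. Assumption of this model: the domain
    is the part after the last '@' (the guide only gives userid@isp-name)."""
    if mode == "with-domain":
        return supplicant
    if mode == "without-domain":
        userid, sep, _domain = supplicant.rpartition("@")
        return userid if sep else supplicant   # a name with no '@' is left as-is
    raise ValueError("mode must be with-domain or without-domain: %r" % mode)


def names_as_seen_by_server(supplicants, mode):
    """Map each name the RADIUS server receives to the supplicants that produce it."""
    seen = defaultdict(list)
    for name in supplicants:
        seen[format_user_name(name, mode)].append(name)
    return dict(seen)


def colliding_names(supplicants, mode):
    """Names onto which more than one supplicant collapses, i.e. the users the
    RADIUS server would regard as one (the guide's caveat)."""
    return {name: users for name, users in names_as_seen_by_server(supplicants, mode).items()
            if len(users) > 1}


def scheme_binding_is_safe(mode, isp_domains):
    """Configuration check for the caveat: a scheme that sends names without the
    domain should be referenced by at most one ISP domain."""
    return mode == "with-domain" or len(set(isp_domains)) <= 1


if __name__ == "__main__":
    # Constructed users from two ISP domains that share one RADIUS scheme.
    users = ["alice@isp1", "alice@isp2", "bob@isp1"]
    print("with-domain collisions:   ", colliding_names(users, "with-domain"))
    print("without-domain collisions:", colliding_names(users, "without-domain"))
    print("safe to share without-domain scheme across isp1/isp2:",
          scheme_binding_is_safe("without-domain", ["isp1", "isp2"]))
```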

Related command: radius scheme.

Example

# Send the username without the domain name to the RADIUS servers in the RADIUS scheme "3com".

[SecBlade_FW-radius-3com] user-name-format without-domain

HWTACACS Configuration Commands

data-flow-format

Syntax

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }

data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }

undo data-flow-format { data | packet }

View

HWTACACS view

Parameter

data: Sets data unit.

byte: Sets ’byte’ as the unit of data flow.

giga-byte: Sets ’giga-byte’ as the unit of data flow.

kilo-byte: Sets ’kilo-byte’ as the unit of data flow.

mega-byte: Sets ’mega-byte’ as the unit of data flow.

packet: Sets data packet unit.

giga-packet: Sets ’giga-packet’ as the unit of packet flow.

kilo-packet: Sets ’kilo-packet’ as the unit of packet flow.

mega-packet: Sets ’mega-packet’ as the unit of packet flow.

one-packet: Sets ’one-packet’ as the unit of packet flow.

Description

Use the data-flow-format command to configure the unit of data flows sent to the TACACS server.


Use the undo data-flow-format command to restore the default.

By default, the data unit is byte and the data packet unit is one-packet.

Related command: display hwtacacs.

Example

# Set the data flow unit sent to the HWTACACS server "3com" to kilo-byte and the packet unit to kilo-packet.

[SecBlade_FW-hwtacacs-3com] data-flow-format data kilo-byte packet kilo-packet

debugging hwtacacs

Syntax

debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

View

User view

Parameter

all: Specifies all HWTACACS debugging.

error: Specifies error debugging.

event: Specifies event debugging.

message: Specifies message debugging.

receive-packet: Specifies incoming packet debugging.

send-packet: Specifies outgoing packet debugging.

Description

Use the debugging hwtacacs command to enable HWTACACS debugging.

Use the undo debugging hwtacacs command to disable HWTACACS debugging.

By default, HWTACACS debugging is disabled.

Example

# Enable the event debugging of HWTACACS.

<SecBlade_FW> debugging hwtacacs event

display hwtacacs

Syntax

display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]


View

Any view

Parameter

hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 case-insensitive characters. If no HWTACACS scheme is specified, the system displays the configuration of all HWTACACS schemes.

statistics: Displays complete statistics about HWTACACS packets.

Description

Use the display hwtacacs command to view configuration information of one or all HWTACACS schemes.

Without any parameter, the command displays the configuration information of all HWTACACS schemes.

Related command: hwtacacs scheme.

Example

# Display the configuration of the HWTACACS scheme gy.

<SecBlade_FW> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name    : gy
Primary-authentication-server    : 172.31.1.11:49
Primary-authorization-server     : 172.31.1.11:49
Primary-accounting-server        : 172.31.1.11:49
Secondary-authentication-server  : 0.0.0.0:0
Secondary-authorization-server   : 0.0.0.0:0
Secondary-accounting-server      : 0.0.0.0:0
Current-authentication-server    : 172.31.1.11:49
Current-authorization-server     : 172.31.1.11:49
Current-accounting-server        : 172.31.1.11:49
Source-IP-address                : 0.0.0.0
key authentication               : 790131
key authorization                : 790131
key accounting                   : 790131
Quiet-interval(min)              : 5
Response-timeout-Interval(sec)   : 5
Domain-included                  : No
Traffic-unit                     : B
Packet traffic-unit              : one-packet

Table 262 Description on the fields of the display hwtacacs command

Field                            Description
HWTACACS-server template name    HWTACACS server template name (that is, HWTACACS scheme name)
Primary-authentication-server    IP address and port number of the primary authentication server
Primary-authorization-server     IP address and port number of the primary authorization server
Primary-accounting-server        IP address and port number of the primary accounting server


display stop-accounting-buffer

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

Any view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Displays information on buffered stop-accounting requests related to the HWTACACS scheme specified by hwtacacs-scheme-name, a string of up to 32 characters.

Table 262 (continued) Description on the fields of the display hwtacacs command

Field                            Description
Secondary-authentication-server  IP address and port number of the secondary authentication server
Secondary-authorization-server   IP address and port number of the secondary authorization server
Secondary-accounting-server      IP address and port number of the secondary accounting server
Current-authentication-server    IP address and port number of the current authentication server
Current-authorization-server     IP address and port number of the current authorization server
Current-accounting-server        IP address and port number of the current accounting server
Source-IP-address                Source IP address used by the device to send HWTACACS packets
key authentication               Shared key of the HWTACACS authentication server
key authorization                Shared key of the HWTACACS authorization server
key accounting                   Shared key of the HWTACACS accounting server
Quiet-interval(min)              Time the primary server waits before restoring its active state
Response-timeout-Interval(sec)   Response timeout of the TACACS server
Domain-included                  Whether the user name sent to the TACACS server includes the domain name
Traffic-unit                     Traffic unit:
                                 B: Data are sent in bytes.
                                 GB: Data are sent in gigabytes.
                                 KB: Data are sent in kilobytes.
                                 MB: Data are sent in megabytes.
Packet traffic-unit              Packet unit:
                                 giga-packet: Data packets are sent in giga-packets.
                                 kilo-packet: Data packets are sent in kilo-packets.
                                 mega-packet: Data packets are sent in mega-packets.
                                 one-packet: Data packets are sent in one-packets.


Description

Use the display stop-accounting-buffer command to view information on the stop-accounting requests buffered in the security gateway.

Related command: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.

Example

# Display information on the buffered stop-accounting requests related to the HWTACACS scheme "3com".

<SecBlade_FW> display stop-accounting-buffer hwtacacs-scheme 3com
-------------------------------------------------------------
NO.   SendTime   IP Address     Template
1     10         172.31.1.27    3com
-------------------------------------------------------------
Whole accounting stop packet to resend:1

hwtacacs nas-ip

Syntax

hwtacacs nas-ip ip-address

undo hwtacacs nas-ip

View

System view

Parameter

ip-address: Specifies a source IP address, which must be the address of this device. It cannot be the address of all zeros, a class D address, a network address, or an address starting with 127.

Description

Use the hwtacacs nas-ip command to specify the source address of the hwtacacs packet sent from NAS.

Use the undo hwtacacs nas-ip command to restore the default setting.

By specifying the source address of the hwtacacs packet, you prevent the server's replies from becoming unreachable when an interface fails. A loopback interface address is normally recommended as the source address.

By default, the source address is not specified, that is, the address of the interface sending the packet serves as the source address.

This command specifies only one source address; therefore, the newly configured source address may overwrite the original one.

Table 263 Description on the fields of the display stop-accounting-buffer command

Field        Description
NO.          Sequence number of the accounting stop request packet
SendTime     Number of the accounting stop request packets
IP Address   IP address of the TACACS server
Template     Name of the HWTACACS authentication scheme

Example

# Configure the security gateway to send hwtacacs packets from 129.10.10.1.

[SecBlade_FW] hwtacacs nas-ip 129.10.10.1

hwtacacs scheme Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

View

System view

Parameter

hwtacacs-scheme-name: Specifies an HWTACACS server scheme, with a character string of 1 to 32 characters.

Description

Use the hwtacacs scheme command to enter HWTACACS Server view. If the specified HWTACACS server scheme does not exist, you can create a new HWTACACS scheme.

Use the undo hwtacacs scheme command to delete an HWTACACS scheme.

Example

# Create an HWTACACS scheme named "test1" and enter the relevant HWTACACS scheme view.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1]

key Syntax

key { accounting | authentication | authorization } string

undo key { accounting | authentication | authorization } string

View

HWTACACS view

Parameter

accounting: Shared key of the accounting server.

authentication: Shared key of the authentication server.

authorization: Shared key of the authorization server.

string: The shared key, a string up to 16 characters.

Description

Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting.

Use the undo key command to delete the configuration.

By default, no key is set for any TACACS server.

The TACACS client (the security gateway) and TACACS server use the MD5 algorithm to encrypt the exchanged packets. The two ends verify packets using a shared key. Only when the same key is used can both ends accept the packets from each other and give responses. Therefore, it is necessary to ensure that the same key is set on the security gateway and the TACACS server. If the authentication/authorization and accounting are performed on two server devices with different shared keys, you must set one shared key for each.

Related command: display hwtacacs.

Example

# Use hello as the shared key for HWTACACS accounting.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] key accounting hello
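The shared-key requirement described above, as an added example that is not 3Com code: it assumes HWTACACS obfuscates packet bodies the way TACACS+ (RFC 8907) does, with an MD5 pseudo-pad derived from the session id, shared key, version byte and sequence number, and shows why a receiver holding a different key ends up with an undecodable body rather than an explicit "wrong key" error. The session id, username, port and address are constructed sample values.

```python
"""Why both ends of HWTACACS must share the same key.

Added example, not 3Com code. Assumes HWTACACS obfuscates packet bodies
like TACACS+ (RFC 8907): an MD5 pseudo-pad built from session_id, shared
key, version and seq_no is XORed with the body. The packet carries no
authenticator for the key, so a mismatch surfaces as an undecodable body.
"""
import hashlib
import struct

VERSION = 0xC0              # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01          # authentication packet
HEADER_FMT = "!BBBBII"      # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain: block_n = MD5(session_id | key | version | seq_no | block_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int,
              version: int = VERSION) -> bytes:
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


deobfuscate = obfuscate     # XOR with the same pad restores the body


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START body: action LOGIN, priv_lvl 1, type ASCII, service LOGIN."""
    fixed = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    header = struct.pack(HEADER_FMT, VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def decode_packet(packet: bytes, key: bytes):
    """Return (body, consistent). consistent is False when the START's length
    fields do not add up to the body length, the usual symptom of a key mismatch."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = deobfuscate(packet[HEADER_LEN:HEADER_LEN + length], session_id, key, seq_no, version)
    if len(body) < 8:
        return body, False
    user_len, port_len, rem_len, data_len = body[4:8]
    return body, len(body) == 8 + user_len + port_len + rem_len + data_len


# Constructed sample exchange: the NAS uses the key from the page example ("hello").
SESSION_ID = 0x1A2B3C4D
NAS_KEY = b"hello"
START_BODY = build_authen_start(b"alice", b"vty0", b"10.1.1.20", b"")


def server_accepts(packet: bytes, server_key: bytes) -> bool:
    """A server with the right key recovers a well-formed body; otherwise it rejects."""
    _body, consistent = decode_packet(packet, server_key)
    return consistent


if __name__ == "__main__":
    pkt = build_packet(START_BODY, SESSION_ID, NAS_KEY)
    print("same key accepted:", server_accepts(pkt, b"hello"))
    print("different key accepted:", server_accepts(pkt, b"other"))
```

Because the key is never authenticated on the wire, a mismatch on a production gateway shows up as silent rejections or timeouts on the server side, which is why the default of no key at all should be replaced on both ends at the same time.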

nas-ip Syntax

nas-ip ip-address

undo nas-ip

View

HWTACACS view

Parameter

ip-address: IP address in dotted decimal format.

Description

Use the nas-ip command to have all the HWTACACS packets sent by the NAS (the security gateway) carry the same source address.

Use the undo nas-ip command to delete the setting.

Specifying a source address for the HWTACACS packets to be transmitted can avoid the situation where the packets sent back by the TACACS server cannot be received as the result of a physical interface failure. The address of a loopback interface is usually used as the source address.

By default, the source IP address of a HWTACACS packet sent by the NAS is the IP address of the output port.

Related command: display hwtacacs.

Example

# Set the source IP address carried in the HWTACACS packets that are sent by the NAS to 10.1.1.1.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] nas-ip 10.1.1.1

primary accounting Syntax

primary accounting ip-address [ port ]

undo primary accounting

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.

Description

Use the primary accounting command to configure a primary TACACS accounting server.

Use the undo primary accounting command to delete the configured primary TACACS accounting server.

By default, IP address of TACACS accounting server is 0.0.0.0.

You are not allowed to assign the same IP address to both primary and secondary accounting servers.

You can configure only one primary accounting server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.

You can remove an accounting server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.

Example

# Configure a primary accounting server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] primary accounting 10.163.155.12 49

primary authentication Syntax

primary authentication ip-address [ port ]

undo primary authentication

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Use the primary authentication command to configure a primary TACACS authentication server.

Use the undo primary authentication command to delete the configured authentication server.

By default, IP address of TACACS authentication server is 0.0.0.0.

You are not allowed to assign the same IP address to both primary and secondary authentication servers.

You can configure only one primary authentication server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.

You can remove an authentication server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.

Related command: display hwtacacs.

Example

# Configure a primary authentication server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] primary authentication 10.163.155.13 49

primary authorization Syntax

primary authorization ip-address [ port ]

undo primary authorization

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Use the primary authorization command to configure a primary TACACS authorization server.

Use the undo primary authorization command to delete the configured primary authorization server.

By default, IP address of TACACS authorization server is 0.0.0.0.

If TACACS authentication is configured for a user but no TACACS authorization server is configured, the user cannot log in, whatever the user type.

You are not allowed to assign the same IP address to both primary and secondary authorization servers.

You can configure only one primary authorization server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.

You can remove an authorization server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.

Related command: display hwtacacs.

Example

# Configure a primary authorization server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] primary authorization 10.163.155.13 49

reset hwtacacs statistics Syntax

reset hwtacacs statistics { accounting | authentication | authorization | all }

View

User view

Parameter

accounting: Clears all the HWTACACS accounting statistics.

authentication: Clears all the HWTACACS authentication statistics.

authorization: Clears all the HWTACACS authorization statistics.

all: Clears all statistics.

Description

Use the reset hwtacacs statistics command to clear HWTACACS protocol statistics.

Related command: display hwtacacs.

Example

# Clear all HWTACACS protocol statistics.

<SecBlade_FW> reset hwtacacs statistics

reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

User view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Deletes the buffered stop-accounting requests that belong to the specified HWTACACS scheme. hwtacacs-scheme-name is the HWTACACS scheme name, a string of up to 32 characters.

Description

Use the reset stop-accounting-buffer command to clear the stop-accounting requests that have no response and are buffered on the security gateway.

Related command: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Example

# Delete the buffered stop-accounting requests that are related to the HWTACACS scheme "3com".

<SecBlade_FW> reset stop-accounting-buffer hwtacacs-scheme 3com

retry stop-accounting Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

HWTACACS view

Parameter

retry-times: The maximum number of real-time accounting request attempts. It is in the range 1 to 300.

Description

Use the retry stop-accounting command to enable stop-accounting packet retransmission and configure the maximum number of stop-accounting request attempts.

Use the undo retry stop-accounting command to restore the default setting.

By default, stop-accounting packet retransmission is enabled and up to 100 packets are allowed to be transmitted for each request.

Related command: reset stop-accounting-buffer, hwtacacs scheme, and display stop-accounting-buffer.

Example

# Enable stop-accounting packet retransmission and allow up to 50 packets to be transmitted for each request.

[SecBlade_FW-hwtacacs-test] retry stop-accounting 50

secondary accounting Syntax

secondary accounting ip-address [ port ]

undo secondary accounting

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.

Description

Use the secondary accounting command to configure a secondary TACACS accounting server.

Use the undo secondary accounting command to delete the configured secondary TACACS accounting server.

By default, IP address of TACACS accounting server is 0.0.0.0.

You are not allowed to assign the same IP address to both primary and secondary accounting servers.

You can configure only one secondary accounting server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.

You can remove an accounting server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.

Example

# Configure a secondary accounting server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] secondary accounting 10.163.155.12 49

secondary authentication

Syntax

secondary authentication ip-address [ port ]

undo secondary authentication

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.

Description

Use the secondary authentication command to configure a secondary TACACS authentication server.

Use the undo secondary authentication command to delete the configured secondary authentication server.

By default, IP address of TACACS authentication server is 0.0.0.0.

You are not allowed to assign the same IP address to both primary and secondary authentication servers.

You can configure only one primary authentication server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.

You can remove an authentication server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.

Related command: display hwtacacs.

Example

# Configure a secondary authentication server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] secondary authentication 10.163.155.13 49

secondary authorization Syntax

secondary authorization ip-address [ port ]

undo secondary authorization

View

HWTACACS view

Parameter

ip-address: IP address of the server, a legal unicast address in dotted decimal format.

port: Port number of the server, ranging from 1 to 65535. By default, it is 49.

Description

Use the secondary authorization command to configure a secondary TACACS authorization server.

Use the undo secondary authorization command to delete the configured secondary authorization server.

By default, IP address of TACACS authorization server is 0.0.0.0.

You are not allowed to assign the same IP address to both primary and secondary authorization servers.

You can configure only one primary authorization server in a HWTACACS scheme. If you repeatedly use this command, the latest configuration replaces the previous one.

You can remove an authorization server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.

Related command: display hwtacacs.

Example

# Configure the secondary authorization server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] secondary authorization 10.163.155.13 49

stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

HWTACACS view

Parameter

None

Description

Use the stop-accounting-buffer enable command to buffer the stop-accounting request packets with no response on the security gateway.

Use the undo stop-accounting-buffer enable command to forbid buffering the stop-accounting request packets with no response on the security gateway.

By default, the stop-accounting request packets with no response can be buffered on the security gateway.

For the detailed description, refer to the stop-accounting-buffer enable command in the RADIUS scheme.

Example

# For the server in the HWTACACS scheme named "3com", allow the stop-accounting request packets with no response to be buffered on the security gateway system.

[3Com-hwtacacs-test] stop-accounting-buffer enable

timer quiet Syntax

timer quiet minutes

undo timer quiet

View

HWTACACS view

Parameter

minutes: Ranges from 1 to 255 minutes.

Description

Use the timer quiet command to set the duration that a primary server must wait before it can resume the active state.

Use the undo timer quiet command to restore the default (five minutes).

By default, the primary server must wait five minutes before it resumes the active state.

Related command: display hwtacacs.

Example

# Set the quiet timer for the primary server to ten minutes.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] timer quiet 10

timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

HWTACACS view

Parameter

minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60 minutes.

Description

Use the timer realtime-accounting command to configure a real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default interval.

Real-time accounting interval is necessary for real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the TACACS accounting server at intervals of this value.

The setting of the real-time accounting interval depends somewhat on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. You are therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). The following table recommends the ratio of minutes to the number of users.

By default, the real-time accounting interval is 12 minutes.

Related command: retry realtime-accounting and radius scheme.

Example

# Set the real-time accounting interval in the HWTACACS scheme "3com" to 51 minutes.

[SecBlade_FW-hwtacacs-3com] timer realtime-accounting 51

timer response-timeout Syntax

timer response-timeout seconds

undo timer response-timeout

View

HWTACACS view

Parameter

seconds: Ranges from 1 to 300 seconds.

Description

Use the timer response-timeout command to set the response timeout timer of the TACACS server.

Use the undo timer response-timeout command to restore the default (five seconds).

By default, the response timeout timer of the TACACS server is five seconds.

Note: As HWTACACS is based on TCP, either the server response timeout or the TCP timeout may cause disconnection from the TACACS server.

Related command: display hwtacacs.

Example

# Set the response timeout time of the TACACS server to 30 seconds.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] timer response-timeout 30

Table 264 Recommended ratio of minutes to the number of users

Number of users   Real-time accounting interval (minute)
1 - 99            3
100 - 499         6
500 - 999         12
≥ 1000            ≥ 15

user-name-format Syntax

user-name-format { with-domain | without-domain }

View

HWTACACS view

Parameter

with-domain: Specifies to send the username with the domain name to the TACACS server.

without-domain: Specifies to send the username without domain name to the TACACS server.

Description

Use the user-name-format command to configure the username format sent to the TACACS server.

By default, the HWTACACS scheme sends the username to the TACACS server with the ISP domain name included.

Supplicants are generally named in the userid@isp-name format. The part following the @ sign is the ISP domain name, by which the security gateway assigns the user to the corresponding ISP domain. However, some earlier TACACS servers reject usernames that include an ISP domain name; in that case the username must be sent to the TACACS server with its domain name removed. This command therefore lets you decide whether the username sent to the TACACS server carries the ISP domain name or not.

Note: If an HWTACACS scheme is configured to strip the ISP domain name from usernames, that scheme must not be used in more than one ISP domain at the same time. Otherwise, the TACACS server will mistake two users in different ISP domains for the same user if they have the same username (excluding their respective domain names).

Related command: hwtacacs scheme.

Example

# Specify to send the username without domain name to the HWTACACS scheme "3com".

[SecBlade_FW-hwtacacs-3com] user-name-format without-domain

18

ACCESS CONTROL LIST CONFIGURATION COMMANDS

ACL Configuration Commands

acl Syntax

acl number acl-number [ match-order { config | auto } ]

undo acl { number acl-number | all }

View

System View

Parameter

number: Defines a numbered access control list (ACL).

acl-number: ACL number, with the range 1000 to 1999 for interface-based ACLs, 2000 to 2999 for basic ACLs, 3000 to 3999 for advanced ACLs, and 4000 to 4999 for MAC-based ACLs.

match-order: Indicates the order in which rules are configured.

config: Matches rules in the order in which the user configured them.

auto: Matches rules in automatic order (according to the "depth first" principle).

all: Deletes all ACLs.

Description

Use the acl command to create an access control list and enter ACL view.

Use the undo acl command to delete an access control list.

An access control list consists of a series of rules, each described by a permit or deny statement. You must create the access control list before configuring its rules.

Example

# Create an ACL numbered 2000.

[SecBlade_FW] acl number 2000
[SecBlade_FW-acl-basic-2000]

description Syntax

description text

undo description

View

ACL view

Parameter

text: ACL description, a string of up to 127 characters.

Description

Use the description command to add description to an ACL.

Use the undo description command to delete the description of the ACL.

Example

# Add description to ACL 2001.

[SecBlade_FW-acl-basic-2001] description Deny HTTP from host 10.0.0.1

display acl Syntax

display acl { all | acl-number }

View

Any view

Parameter

all: All ACL rules.

acl-number: ACL expressed by number.

Description

Use the display acl command to view the rules of access control list.

The rule match order defaults to config (the configuration order); in that case the display command does not show the match order. When the match order is auto, the display command shows it.

Example

# Display the contents of ACL 2000 rule.

[SecBlade_FW-acl-basic-2000] display acl 2000
Basic ACL 2000, 2 rules,
rule 1 permit (0 times matched)
rule 2 permit source 1.1.1.1 0 (0 times matched)

reset acl counter Syntax

reset acl counter { all | acl-number }

View

User View

Parameter

acl-number: ACL expressed by number.

all: All ACL rules.

Description

Use the reset acl counter command to clear the statistics of access control list.

Example

# Reset the statistics of access control list 1000.

<SecBlade_FW> reset acl counter 1000

rule Syntax

1 Create or delete a rule of a basic access control list.

rule [ rule-id ] { permit | deny } [ source sour-addr sour-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ]

undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ]

2 Create or delete a rule of an advanced access control list.

rule [ rule-id ] { permit | deny } protocol [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-message | icmp-type icmp-code } ] [ dscp dscp ] [ established ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ]

undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ dscp ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]

3 Create or delete a rule of an interface-based ACL.

rule [ rule-id ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] [ logging ]

undo rule rule-id [ time-range | logging ] *

4 Add/delete a MAC-based ACL rule

rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ]

undo rule rule-id

View

ACL view

Parameter

In the rule command:

rule-id: ID of an ACL rule, optional, in the range 0 to 65534. If you specify a rule-id and a rule with that ID already exists, the new definition overwrites the existing rule, as if editing it. If the specified rule-id does not exist, a new rule with that ID is created. If you do not specify a rule-id, a new rule is created and the system assigns it a rule ID automatically.

deny: Discards matched packets.

permit: Permits matched packets.

protocol: Protocol type over IP expressed by name or number. The number range is from 0 to 255, and the name range covers GRE, ICMP, IGMP, IP, IPINIP, OSPF, TCP and UDP.

source: Optional. Specifies the source address condition of the ACL rule. If it is not configured, any source address matches.

sour-addr: Source IP address of packets in dotted decimal format.

sour-wildcard: Source address wildcard in dotted decimal format.

destination: Optional. Specifies the destination address condition of the ACL rule. If it is not configured, any destination address matches.

dest-addr: Destination IP address of packets in dotted decimal format.

dest-wildcard: Destination address wildcard in dotted decimal format.

any: Represents the source or destination address 0.0.0.0 with the wildcard 255.255.255.255.

icmp-type: Optional. Specifies the ICMP message type and code; valid only when the protocol is ICMP. If it is not configured, any ICMP packet matches.

icmp-type: ICMP message type, a number in the range 0 to 255, by which ICMP packets are filtered.

icmp-code: ICMP message code, a number in the range 0 to 255; ICMP packets filtered by message type can additionally be filtered by message code.

icmp-message: Name of an ICMP message; ICMP packets are filtered according to the message type, or the type and code, that the name stands for.

source-port: Optional. Specifies the source port of TCP or UDP packets; valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, any source port of TCP/UDP packets matches.

destination-port: Optional. Specifies the destination port of TCP or UDP packets; valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, any destination port of TCP/UDP packets matches.

operator: Optional. Comparison operator for source or destination port numbers: lt (less than), gt (greater than), eq (equal to), neq (not equal to) and range (between). range must be followed by two port numbers; the other operators take one.

port1, port2: Optional, port number of TCP or UDP, expressed by name or number. The number range is from 0 to 65535.

dscp dscp: Specifies a DSCP field, the DS byte in IP packets.

established: Matches TCP packets with the ACK or RST flag set, that is, SYN+ACK, ACK, FIN+ACK, RST and RST+ACK packets. This option matches the traffic of established TCP sessions and so leaves out the initial requests that open a session.

precedence: Optional. IP precedence, a number in the range 0 to 7 or a name; packets are filtered according to the precedence field.

tos tos: Optional. Type of service, a number in the range 0 to 15 or a name; packets are filtered according to the ToS field.

logging: Optional. Logs matching packets. The log records the ACL rule sequence number, whether the packets were permitted or discarded, the upper-layer protocol over IP, the source and destination addresses, the source and destination port numbers, and the number of packets.

time-range time-name: Specifies that the ACL is valid in this time range.

fragment: Specifies that the rule applies only to fragments other than the first fragment of a packet.

interface interface-type interface-number: Specifies the interface information of the packets. If no interface is specified, all interfaces can be matched. any represents all interfaces.

In the undo rule command:

rule-id: ID of an ACL rule; it must be the number of an existing rule. If no other parameter follows, the whole rule is deleted; otherwise only the specified parts of the rule are deleted.

source: Optional. Only the information settings related to the source address part of the ACL rule number will be deleted.

destination: Optional. Only the information setting related to the destination address part of the ACL rule number will be deleted.

source-port: Optional. Only the information setting related to the source port part of the ACL rule number will be deleted, valid only when the protocol is TCP or UDP.

destination-port: Optional. Only the information setting related to the destination port part of the ACL rule number will be deleted, valid only when the protocol is TCP or UDP.

icmp-type: Optional. Only the information setting related to ICMP type and message code part of the ACL rule number will be deleted, valid only when the protocol is ICMP.

precedence: Optional. Only the setting of precedence configuration of the ACL rule will be deleted.

tos tos: Optional. Only related tos setting corresponding to the ACL rule will be deleted.

time-range time-name: Optional, specifies that the ACL is valid in this time range.

logging: Optional. Only the setting corresponding to the logging part of the ACL rule will be deleted.

fragment: Optional. Only the setting corresponding to the validity of non-first packets fragmentation of the ACL rule will be deleted.

type-code: Type of the data frame, a 16-bit hexadecimal number corresponding to the type-code field in Ethernet_II and Ethernet_SNAP frames.

type-mask: A 16-bit hexadecimal number used for specifying the mask bits.

lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number.

lsap-mask: LSAP mask, a 16-bit hexadecimal number used to specify mask bits.

sour-addr: Source MAC address in the format of xxxx-xxxx-xxxx, used to match the source address of a packet.

sour-mask: Source MAC address mask.

dest-addr: Destination MAC address in the format of xxxx-xxxx-xxxx, used to match the destination address of a packet.

dest-mask: Destination MAC address mask.

Description

Use the rule command to add a rule in current ACL view.

Use the undo rule command to delete a rule.

The rule ID is needed when you delete a rule. If you do not know the ID, use the display acl command to find it.

Example

# Create ACL 3001 and add a rule to deny RIP packets.

[SecBlade_FW] acl number 3001
[SecBlade_FW-acl-adv-3001] rule deny udp destination-port eq rip

# Add a rule to permit hosts in the network segment 129.9.0.0 to send WWW packet to hosts in the network segment 202.38.160.0.

[SecBlade_FW-acl-adv-3001] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule to deny the WWW access (80) from the host in network segment 129.9.0.0 to the host in network segment 202.38.160.0, and log events that violate the rule.

[SecBlade_FW-acl-adv-3001] rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging

# Add a rule to permit the WWW access (80) from the host in network segment 129.9.8.0 to the host in network segment 202.38.160.0.

[SecBlade_FW-acl-adv-3001] rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule to prohibit all hosts from establishing Telnet (23) connection to the host with the IP address 202.38.160.1.

[SecBlade_FW-acl-adv-3001] rule deny tcp destination 202.38.160.1 0 destination-port eq telnet

# Add a rule to deny UDP connections with a destination port number greater than 128 from the hosts in network segment 129.9.8.0 to the hosts in network segment 202.38.160.0.

[SecBlade_FW-acl-adv-3001] rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128
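The following is an added illustration, not part of the 3Com guide: it reproduces the matching semantics of the advanced ACL rules above (wildcard masks, source/destination port operators, the logging flag) in Python and evaluates the six rules of ACL 3001 against constructed packets. It assumes first-match in configuration order and the standard IANA values for the port keywords; the shadow check at the end is a defender's sanity check, not a device feature.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords used in the examples (assumed standard IANA values).
PORT_NAMES = {"www": 80, "telnet": 23, "rip": 520, "ftp": 21}
ANY = ("0.0.0.0", "255.255.255.255")   # no source/destination given: match all


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """ACL wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def port_match(port: int, cond: Optional[tuple]) -> bool:
    """cond is None (no port restriction) or an (operator, value) pair."""
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


@dataclass
class Rule:
    action: str
    proto: str
    src: tuple = ANY
    dst: tuple = ANY
    sport: Optional[tuple] = None
    dport: Optional[tuple] = None
    logging: bool = False


def parse_rule(text: str) -> Rule:
    """Parse the subset of the 'rule' command syntax used in the examples above."""
    tok = text.split()
    rule = Rule(action=tok[1], proto=tok[2])
    i = 3
    while i < len(tok):
        kw = tok[i]
        if kw in ("source", "destination"):
            nxt = tok[i + 2] if i + 2 < len(tok) else ""
            if nxt == "0":                    # 'destination 202.38.160.1 0' = exact host
                wc, step = "0.0.0.0", 3
            elif nxt.count(".") == 3:
                wc, step = nxt, 3
            else:                             # wildcard omitted: treat as exact host
                wc, step = "0.0.0.0", 2
            setattr(rule, "src" if kw == "source" else "dst", (tok[i + 1], wc))
            i += step
        elif kw in ("source-port", "destination-port"):
            op, val = tok[i + 1], tok[i + 2]
            cond = (op, PORT_NAMES.get(val) or int(val))
            setattr(rule, "sport" if kw == "source-port" else "dport", cond)
            i += 3
        elif kw == "logging":
            rule.logging = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword: {kw}")
    return rule


def evaluate(rules, pkt: dict):
    """First matching rule in configuration order decides (assumed match order)."""
    for r in rules:
        if r.proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *r.src) and wildcard_match(pkt["dst"], *r.dst)):
            continue
        if not (port_match(pkt["sport"], r.sport) and port_match(pkt["dport"], r.dport)):
            continue
        return r.action, r.logging
    return "no-match", False


def shadowed_rules(rules) -> list:
    """Indices of rules whose match fields duplicate an earlier rule: they can never fire."""
    seen, out = set(), []
    for i, r in enumerate(rules):
        key = (r.proto, r.src, r.dst, r.sport, r.dport)
        if key in seen:
            out.append(i)
        seen.add(key)
    return out


# The six rules of ACL 3001 from the examples above, in configuration order.
ACL_3001 = [parse_rule(r) for r in (
    "rule deny udp destination-port eq rip",
    "rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www",
    "rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging",
    "rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www",
    "rule deny tcp destination 202.38.160.1 0 destination-port eq telnet",
    "rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128",
)]

if __name__ == "__main__":
    # Constructed sample packet: a web request from the 129.9.0.0 segment.
    pkt = {"proto": "tcp", "src": "129.9.1.1", "sport": 4000, "dst": "202.38.160.5", "dport": 80}
    print(evaluate(ACL_3001, pkt))      # ('permit', False)
    print(shadowed_rules(ACL_3001))     # [2]: the logging deny is masked by the permit before it
```

Under first-match order the logging deny (rule index 2) repeats the match fields of the permit before it and is never reached, which is why a shadow check belongs in any ACL review.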

rule comment Syntax

rule rule-id comment text

undo rule rule-id comment

View

ACL view

Parameter

rule-id: ID of an existing ACL rule.

comment text: Comment of an ACL rule, a string of up to 128 characters.

Description

Use the rule comment command to add comment to an ACL rule.

Use the undo rule comment command to remove the comment of the ACL rule.

Example

# Add comment to ACL rule 7.

[SecBlade_FW-acl-adv-3001] rule 7 comment Allow FTP from any source to host 172.16.0.1

Time-range Configuration Commands

display time-range Syntax

display time-range { all | time-name }

View

Any view

Parameter

time-name: Name of the time range.

all: Displays all the configured time ranges.

Description

Use the display time-range command to view the configuration and status of time ranges. A time range that is currently in effect is displayed as "active"; otherwise it is displayed as "inactive".

The system updates ACL status with a delay of about one minute, whereas display time-range reports the state of a time range at the exact current time. Therefore display time-range may show a time range as active while an ACL that should be active within that time range is still inactive. This is normal.

Example

# Display all time ranges.

[SecBlade_FW] display time-range all

# Display the time range named trname.

[SecBlade_FW] display time-range trname
Current time is 02:49:36 2/15/2003 Saturday
Time-range : trname ( Inactive )
14:00 to 16:00 off-day
from 00:00 12/1/2002 to 00:00 12/1/2003

time-range Syntax

time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]

undo time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]

View

System view

Parameter

time-name: Name of the time range, a string of at most 32 characters that must start with a letter (a-z or A-Z).

start-time: Start time of a time range, in the format of HH:MM.

end-time: End time of a time range, in the format of HH:MM.

days: Indicates on which days of the week the time range is valid. A day is represented by a number 0 through 6, standing for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday respectively, or by one of the following keywords:

Working-day includes Monday through Friday;

Off-day includes Saturday and Sunday;

Daily includes the seven days of a week.

from time1 date1: Optional, indicates the start time and date. The time is entered as hh:mm in 24-hour notation, where hh ranges from 0 to 23 and mm from 0 to 59. The date is entered as MM/DD/YYYY, where MM ranges from 1 to 12, DD from 1 to 31 and YYYY is a 4-digit year from 1970 to 2100. If no start time is set, there is no restriction on the start time and only the end time is considered.

to time2 date2: Optional, indicates the end time and date. The time and date are entered in the same format as the start time. The end time must be later than the start time. If no end time is set, the maximum time the system can represent is used.

Description

Use the time-range command to specify a time range.

Use the undo time-range command to delete a time range.

A time range consists of two parts. The first is a periodic time range within a week, described by start-time and end-time together with the days parameter that specifies on which days it is valid. The second is the absolute time range specified by from and to, which bounds the period during which the periodic time range applies.

You can configure multiple time ranges with the same time-name, which are in "OR" relationship.

Example

# Configure a time range that is valid from 0:00 on Jan. 1, 2003 onwards, with no end time.

[SecBlade_FW] time-range test from 0:0 1/1/2003

# Configure the time range valid between 14:00 and 16:00 in every weekend from 20:00 on Apr.01, 2003 to 20:00 on Dec.10, 2003.

[SecBlade_FW] time-range test 14:00 to 16:00 off-day from 20:00 04/01/2003 to 20:00 12/10/2003

# Configure the time range valid between 8:00 and 18:00 in each working day.

[SecBlade_FW] time-range test 8:00 to 18:00 working-day

# Configure the time range valid between 14:00 and 18:00 in each weekend day.

[SecBlade_FW] time-range test 14:00 to 18:00 off-day

19

NAT CONFIGURATION COMMANDS

NAT Configuration Commands

debugging nat Syntax

debugging nat { alg | event | packet } [ interface interface-type interface-number ]

undo debugging nat { alg | event | packet } [ interface interface-type interface-number ]

View

User view

Parameter

alg: Enables the application level gateway NAT debugging information.

event: Enables NAT event debugging information.

packet: Enables NAT data packet debugging information.

interface: Enables NAT packet debugging for a specific interface only.

Description

Use the debugging nat command to enable the NAT debugging function.

Use the undo debugging nat command to disable the NAT debugging function.

Example

# Enable the NAT event debugging.

<SecBlade_FW> debugging nat event

display nat Syntax

display nat { address-group | aging-time | all | outbound | server | statistics | session [ source { global global-addr | inside inside-addr } ] [ destination ip-addr ] }

View

Any view

Parameter

address-group: Displays the information of the address pool.

aging-time: Displays the effective time for NAT connection.

all: Displays all the information about NAT.

outbound: Displays the information of the outbound NAT.

server: Displays the information of the internal server.

statistics: Displays the statistics of current NAT records.

session: Displays the information of the currently activated connection.

source global global-addr: Only displays the NAT entry with address as global-addr after NAT.

source inside inside-addr: Only displays the NAT entry with internal address as inside-addr.

destination ip-addr: Displays only the NAT entries whose destination is the specified IP address.

Description

Use the display nat command to display the configuration of address translation. Users can verify if the configuration of address translation is correct according to the output information after execution of this command. When address translation connection information is displayed, the parameters of global-addr and inside-addr can be specified for the display nat session command simultaneously.

Example

# Display all the information about address translation.

<SecBlade_FW> display nat all
NAT address-group Information:
1: from 11.1.1.1 to 11.1.1.20
2: from 22.1.1.1 to 22.1.1.20
NAT outbound information:
GigabitEthernet0/0.1: acl(2011)-NAT address-group(1) [no-pat]
GigabitEthernet0/0.1: acl(2022)-NAT address-group(2) [no-pat]
Server in private network information:
Interface GlobalAddr GlobalPort InsideAddr InsidePort Pro
GigabitEthernet0/0.1 201.119.11.3 8080 5.5.5.5 80(www) 6(tcp)
GigabitEthernet0/0.1 201.119.11.3 2121 5.5.5.5 21(ftp) 6(tcp)
NAT aging-time value information:
tcp ---- aging-time value is 86400 (seconds)
udp ---- aging-time value is 300 (seconds)
icmp ---- aging-time value is 60 (seconds)
pptp ---- aging-time value is 86400 (seconds)
dns ---- aging-time value is 60 (seconds)
tcp-fin ---- aging-time value is 60 (seconds)
tcp-syn ---- aging-time value is 60 (seconds)
ftp-ctrl ---- aging-time value is 7200 (seconds)
ftp-data ---- aging-time value is 300 (seconds)

The information above indicates:

Two address pools are configured: address pool 1 ranges from 11.1.1.1 to 11.1.1.20, and address pool 2 ranges from 22.1.1.1 to 22.1.1.20.

Two address translation associations are configured at GigabitEthernet0/0.1: ACL 2011 is associated with address pool 1 and one-to-one address translation is performed; and ACL 2022 is associated with address pool 2, and one-to-one address translation is performed.

GigabitEthernet0/0.1 is configured with two internal servers: the www server reachable at http://202.119.11.3:8080, whose internal address is 5.5.5.5, and the ftp server reachable at ftp://202.119.11.3:2121, whose internal address is also 5.5.5.5.

# Display NAT session information.

<SW8800> display nat session
There are currently 40001 NAT sessions:
Protocol GlobalAddr Port InsideAddr Port DestAddr Port
- 192.168.100.10 --- 192.168.1.5 --- --- ---
status: NOPAT, TTL: 00:04:00, Left: 00:04:00
6 192.168.100.10 1024 192.168.1.5 1024 192.168.100.1 1025
status: NOPAT, TTL: 00:01:00, Left: 00:00:59
6 192.168.100.10 2048 192.168.1.5 2048 192.168.100.1 2049
status: NOPAT, TTL: 00:01:00, Left: 00:01:00
6 192.168.100.10 1025 192.168.1.5 1025 192.168.100.1 1026
status: NOPAT, TTL: 00:01:00, Left: 00:00:59

Note: In No-PAT address translation, when you use the display nat session command to display NAT entries, you can see that multiple No-PAT entries correspond to the multiple connection translations initiated by each internal network address, as shown above. This ensures that only the connections initiated from the internal network to the external network are translated and no connection initiated from the external network is translated, thereby enhancing network security.
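The following is an added model, not 3Com code, of the session behaviour the note describes: an outbound packet creates a session entry (an address binding plus a per-connection entry in No-PAT mode, an address and port mapping in PAT mode), and an inbound packet is translated only when it matches an existing entry, so connections initiated from outside are not translated. It assumes the outbound packets already matched the NAT ACL and that PAT allocates ports upward from 1024; the addresses are the ones from the display nat session output above.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    """Outbound NAT with an address pool, in No-PAT or PAT mode.

    Assumptions (not from the manual): every outbound flow already matched the
    NAT ACL, and PAT hands out ports upward from 1024 on the first pool address.
    """

    def __init__(self, start_addr: str, end_addr: str, no_pat: bool) -> None:
        lo = int(ipaddress.IPv4Address(start_addr))
        hi = int(ipaddress.IPv4Address(end_addr))
        self.pool = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.no_pat = no_pat
        self.bindings: dict = {}   # No-PAT: inside addr -> global addr (the '- ... ---' entry)
        self.forward: dict = {}    # 5-tuple as seen inside -> (global addr, global port)
        self.sessions: dict = {}   # (proto, global, gport, remote, rport) -> (inside, iport)
        self.next_port = 1024

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Translate a packet leaving the inside network, creating the session entry."""
        inside_key = (f.proto, f.src, f.sport, f.dst, f.dport)
        if inside_key in self.forward:                      # existing connection
            gaddr, gport = self.forward[inside_key]
        elif self.no_pat:
            if f.src not in self.bindings:
                free = [a for a in self.pool if a not in self.bindings.values()]
                if not free:
                    return None        # No-PAT needs one global address per inside host
                self.bindings[f.src] = free[0]
            gaddr, gport = self.bindings[f.src], f.sport    # port is left unchanged
        else:
            gaddr, gport = self.pool[0], self.next_port
            self.next_port += 1
        self.forward[inside_key] = (gaddr, gport)
        self.sessions[(f.proto, gaddr, gport, f.dst, f.dport)] = (f.src, f.sport)
        return replace(f, src=gaddr, sport=gport)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Translate a packet from outside only if it answers an existing session."""
        hit = self.sessions.get((f.proto, f.dst, f.dport, f.src, f.sport))
        if hit is None:
            return None                # unsolicited: no entry, so no translation
        inside_addr, inside_port = hit
        return replace(f, dst=inside_addr, dport=inside_port)


if __name__ == "__main__":
    # Constructed traffic using the addresses from the display output above.
    nat = NatTable("192.168.100.10", "192.168.100.11", no_pat=True)
    out = nat.outbound(Flow("tcp", "192.168.1.5", 1024, "192.168.100.1", 1025))
    print(out)                                                   # src 192.168.100.10:1024
    print(nat.inbound(Flow("tcp", "192.168.100.1", 1025, "192.168.100.10", 1024)))
    print(nat.inbound(Flow("tcp", "203.0.113.9", 40000, "192.168.100.10", 22)))   # None
```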

nat address-group Syntax

nat address-group group-number start-addr end-addr

undo nat address-group group-number

View

System view

Parameter

group-number: Address pool number, an integer ranging from 0 to 31.

start-addr: Starting IP address in the address pool.

end-addr: Ending IP address in the address pool.

Description

Use the nat address-group command to configure an address pool.

Use the undo nat address-group command to delete an IP address pool.

An address pool is a set of consecutive public IP addresses. If start-addr and end-addr are the same, the pool contains only one address.

CAUTION:

■ The length of an address pool (numbers of all addresses contained in an address pool) cannot exceed 255.

■ An address pool cannot be deleted while it is associated with an access control list for address translation.

Example

# Configure an address pool from 202.110.10.10 to 202.110.10.15, with its NAT pool ID being 1.

[SecBlade_FW] nat address-group 1 202.110.10.10 202.110.10.15

nat aging-time Syntax

nat aging-time { default | { dns | ftp-ctrl | ftp-data | icmp | pptp | tcp | tcp-fin | tcp-syn | udp } seconds }

View

System view

Parameter

default: Sets the address translation lifetime values to the defaults.

dns: Sets the address translation lifetime for DNS, which defaults to 60 seconds.

ftp-ctrl: Sets the address translation lifetime for FTP control links, which defaults to 7200 seconds.

ftp-data: Sets the address translation lifetime for FTP data links, which defaults to 300 seconds.

icmp: Sets the address translation lifetime for ICMP, which defaults to 60 seconds.

pptp: Sets the address translation lifetime for PPTP, which defaults to 86400 seconds.

tcp: Sets the address translation lifetime for TCP, which defaults to 86400 seconds.

tcp-fin: Sets the address translation lifetime for TCP FIN or TCP RST connections, which defaults to 60 seconds.

tcp-syn: Sets the address translation lifetime for TCP SYN connections, which defaults to 60 seconds.

udp: Sets the address translation lifetime for UDP, which defaults to 300 seconds.

seconds: Time value, in the range 10 to 86400 (24 hours).

Description

Use the nat aging-time command to set the lifetime of NAT connections.

This command sets the lifetime of address translation connections in seconds; a different value can be set for each protocol type. The default ALG aging time depends on the specific application type. To help defend against attacks, you can set the aging time of the first packet to five seconds.

Example

# Set the valid connection time of TCP to 240 seconds.

[SecBlade_FW] nat aging-time tcp 240

nat alg Syntax

nat alg { dns | ftp | h323 | ils | msn | nbt | pptp }

undo nat alg { dns | ftp | h323 | ils | msn | nbt | pptp }

View

System view

Parameter

dns: Supports the DNS protocol.

ftp: Supports the FTP protocol.

h323: Supports the H.323 protocol.

ils: Supports the ILS protocol.

msn: Supports the MSN protocol.

nbt: Supports the NBT protocol.

pptp: Supports the PPTP protocol.

Description

Use the nat alg command to enable the application level gateway (ALG) function of NAT.

Use the undo nat alg command to disable the ALG function of NAT.

By default, the ALG function of NAT is enabled.

Example

# Enable the ALG function of NAT, allowing it to support FTP.

[SecBlade_FW] nat alg ftp

nat dns-map Syntax

nat dns-map domain-name global-addr global-port [ tcp | udp ]

undo nat dns-map domain-name

View

System view

Parameter

domain-name: Valid domain name that can be correctly translated by external DNS servers.

global-addr: IP address (a valid one) that outside hosts can access.

global-port: Port number of the services that outside hosts can access.

tcp: Indicates that the service is carried over TCP.

udp: Indicates that the service is carried over UDP.

Description

Use the nat dns-map command to configure a mapping entry from a domain name to the external IP address, port number and protocol type.

Use the undo nat dns-map command to remove the mapping entry from a domain name to the external IP address, port number and protocol type.

If an internal host does not have any DNS server configured, the host can differentiate various internal servers and access them with the domain names after you configure the mapping entries with this command.

By default, no mapping entry is configured. In that case the domain name request of an internal host is resolved by the external DNS server to the external IP address, which can be mapped to only one internal server.

Up to 16 mapping entries can be added.

Example

# Configure a mapping entry from the domain name to the external IP address, port number and protocol type.

[SecBlade_FW] nat dns-map www.abc.com 202.112.0.1 80 tcp

nat outbound Syntax

nat outbound acl-number [ address-group group-number [ no-pat ] ]

undo nat outbound acl-number [ address-group group-number [ no-pat ] ]

View

Interface view

Parameter

address-group: Performs address translation using an address pool. If no address pool is specified, the IP address of the interface is used as the translated address (the "easy-ip" feature).

no-pat: Uses simple address translation, translating only the address of the packet and not the port information.

acl-number: ACL index in the range of 2000 to 3999 (the advanced ACL can be used).

group-number: The number of a defined address pool.

Description

Use the nat outbound command to associate an ACL with an address pool, indicating that the address specified in the acl-number can be translated by using address pool group-number.

Use the undo nat outbound command to remove the corresponding address translation.

Configuring the association between the ACL and the address pool causes the source address of packets that match the ACL to be translated. The system performs address translation by selecting an address from the address pool or by directly using the IP address of the interface. Different address translation associations can be configured on the same interface, and the undo form of the command deletes an association. Normally this interface is connected to the ISP and serves as the exit interface of the inside network.

The command without the address-group parameter implements the "easy-ip" feature. When performing address translation, the IP address of the interface is used as the translated address and the ACL can be used to control which addresses can be translated.

Example

# Enable the hosts of the 10.110.10.0/24 network segment to perform address translation by selecting the addresses from 202.110.10.10 to 202.110.10.12 as the translated address. Suppose that the interface GigabitEthernet0/0.1 connects to ISP.

[SecBlade_FW] acl number 2001
[SecBlade_FW-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[SecBlade_FW-acl-basic-2001] rule deny

# Configure the address pool.

[SecBlade_FW] nat address-group 1 202.110.10.10 202.110.10.12

# Allow address translation and use the addresses of address pool 1 for address translation. During translation, the information of TCP/UDP port is used.

[SecBlade_FW-GigabitEthernet0/0/0] nat outbound 2001 address-group 1

# Delete the corresponding configuration.

[SecBlade_FW-GigabitEthernet0/0/0] undo nat outbound 2001 address-group 1

# Configuration of simple address translation (Not using the TCP/UDP port information to perform the address translation)

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001 address-group 1 no-pat

# Delete the corresponding configuration.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001 address-group 1 no-pat

# The configuration that can be used when performing address translation by using the IP address of interface GigabitEthernet0/0.1 directly.

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001

# Delete the corresponding configuration.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001

nat outbound interface Syntax

nat outbound acl-number interface interface-type interface-number

undo nat outbound acl-number interface interface-type interface-number

View

Interface view

Parameter

acl-number: ACL index, in the range of 2000 to 3999.

interface interface-type interface-number: Interface type and interface number. Currently, only the loopback interface is supported.

Description

Use the nat outbound interface command to associate an ACL with a specific interface and to set the interface address as the converted address (that is, to replace the source address of the data packets with the IP address of the specified interface).

Use the undo nat outbound interface command to remove the configuration.

Currently, only the loopback interface address can be specified as the converted address.

Example

# Set the IP address of the loopback0 interface as the converted address.

[SecBlade_FW] interface loopback0
[SecBlade_FW-LoopBack0] ip address 202.38.160.106
[SecBlade_FW-LoopBack0] quit
[SecBlade_FW] acl number 2000
[SecBlade_FW-acl-basic-2000] rule permit source 10.110.12.0 0.0.0.255
[SecBlade_FW-acl-basic-2000] quit
[SecBlade_FW] interface GigabitEthernet0/0.3
[SecBlade_FW-GigabitEthernet0/0.3] nat outbound 2000 interface loopback 0

nat outbound static Syntax

nat outbound static

undo nat outbound static

View

Interface view

Parameter

None

Description

Use the nat outbound static command to apply on the interface the static NAT entries configured using the nat static command.

Use the undo nat outbound static command to disable the static NAT entries on the interface.

Example

# Apply the static NAT entries on the interface GigabitEthernet0/0.1.

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound static

nat overlapaddress Syntax

nat overlapaddress number overlappool-startaddress temppool-startaddress { pool-length pool-length | address-mask mask }

undo nat overlapaddress number

View

System view

Parameter

number: Sequence number of the address pool pair, in the range of 0 to 7.

overlappool-startaddress: Start address of the overlap address pool. Note that no intersection is allowed between overlap address pools.

temppool-startaddress: Start address of the temporary address pool. Note that no intersection is allowed between temporary address pools. Temporary addresses must not be existing internal or external addresses, so it is recommended to use private network addresses as temporary addresses.

pool-length: Length of the address pool, in decimal format. The associated overlap and temporary address pools must be configured in the same length, with one overlap address corresponding to one temporary.

mask: Subnet mask of the address pool.

Description

Use the nat overlapaddress command to configure the mapping entry from an overlap address pool to a temporary address pool.

Use the undo nat overlapaddress command to remove the mapping configuration.

Note: One overlap address pool corresponds to one temporary address pool. The conversion rule is as follows:

Temporary address = Start address of the temporary address pool + (overlap address - start address of the overlap address pool)

Overlap address = Start address of the overlap address pool + (temporary address - start address of the temporary address pool)

Example

# Configure a mapping entry from 171.69.100.0 to 192.168.0.0, with address pool pair number as 0.

[SecBlade_FW] nat overlapaddress 0 171.69.100.0 192.168.0.0 address-mask 24

nat server Syntax

nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port

nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]

undo nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port

undo nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]

View

Interface view

Parameter

acl-number: Basic or advanced ACL number, in the range of 2000 to 3999.

global-addr: An IP address provided for the outside to access (a legal IP address).

global-port: A service port number provided for the outside to access. If omitted, it takes the same value as host-port.

host-addr: IP address of the server in internal LAN.

host-port: Service port number provided by the server, in the range of 0 to 65535; commonly used port numbers can be replaced by keywords. For example, the www service port 80 can also be written as www, and the ftp service port 21 as ftp. A host-port of 0 means that all types of service are provided, and the keyword any can be used to stand for it. If the parameter is not configured, it is treated as any, which is equivalent to a static mapping between global-addr and host-addr. When host-port is configured as any, global-port must also be any; otherwise the configuration is illegal.

global-port1, global-port2: Specifies a port range through two port numbers, forming a corresponding relation with the internal host address range. global-port2 must be larger than global-port1.

host-addr1, host-addr2: Define a range of consecutive addresses that map one-to-one onto the port range defined above. host-addr2 must be greater than host-addr1, and the number of addresses in the range must equal the number of ports defined by global-port1 and global-port2.

pro-type: The protocol type carried by IP, possibly being a protocol ID, or a key word as a substitution. For example: icmp (its protocol ID is 1), tcp (its protocol ID is 6), udp (its protocol ID is 7).

Description

Use the nat server command to define the mapping table of an internal server. Users can access the internal server with the address and port as host-addr and host-port respectively through the address port defined by global-addr and global-port.

Use the undo nat server command to remove the mapping table.

Through this command, you can make some servers of the internal network available for outside use. The internal server can be located in an ordinary private network and can be, for example, a www, ftp, telnet, pop3 or dns server.

Up to 256 internal server conversion commands can be configured on one interface, and at most 4096 internal servers can be configured on one interface. Up to 1024 internal server conversion commands can be configured in one system. If nat server entries are configured as a port range (that is, a port range specified by global-port1 and global-port2 that corresponds to a range of internal host addresses), the number of internal servers equals the number of ports configured, and the maximum is likewise 4096.

TFTP is a special protocol; therefore, make sure you configure the corresponding nat outbound command on the internal TFTP server when you configure NAT Server for the TFTP server.

The interface on which this command is configured is interconnected with ISP and serves as the gateway of the internal network.

Example

# Specify the IP address of the internal www server of the LAN as 10.110.10.10 and the IP address of the internal ftp server as 10.110.10.11. Outside hosts are expected to reach the web server through http://202.110.10.10:8080 and the FTP site through ftp://202.110.10.10. Suppose that GigabitEthernet0/0.1 is connected to the ISP.

[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp

# Specify one interior host 10.110.10.12, expecting that the host of the exterior network can ping it with ping 202.110.10.11 command.

[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12

# Delete the www server.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www

# The following command removes the internal ftp server of VPN vrf10.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat server protocol tcp global 202.110.10.11 8070 inside 10.110.10.11 ftp

# Specify the outside address 202.110.10.10 and map the ports 1001 to 1100 to the addresses 10.110.10.1 to 10.110.10.100 respectively, to access the ftp service inside VPN vrf10: 202.110.10.10:1001 reaches 10.110.10.1, 202.110.10.10:1002 reaches 10.110.10.2, and so on.

[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 telnet

nat static

Syntax

nat static ip-addr1 ip-addr2

undo nat static ip-addr1 ip-addr2

View

System view

Parameter

ip-addr1: Private IP address of an internal host.

ip-addr2: Public IP address.

Description

Use the nat static command to configure a one-to-one private-to-public address binding.

Use the undo nat static command to delete an existing one-to-one private-to-public address binding.

Example

# Bind an internal private IP address with a public IP address for one-to-one address translation.

[SecBlade_FW] nat static 192.168.1.1 2.2.2.2

nat static inside ip

Syntax

nat static inside ip inside-start-address inside-end-address global global-address mask

undo nat static inside ip inside-start-address inside-end-address global global-address mask

View

System view

Parameter

inside-start-address: Start internal address that the specified static NAT entry will convert.


inside-end-address: End internal address that the specified static NAT entry will convert.

global-address: Public network address converted by the specified static NAT entry.

mask: Subnet mask of the public network segment.

Description

Use the nat static inside ip command to configure a static NAT entry. In a conversion with such an entry, only the network address is converted and the host address remains unchanged.

Use the undo nat static inside ip command to delete the existing static NAT entry.

The global-address can be any address in the public segment; the network address actually used is derived from it and mask, with the mask length defining which bits form the network part.

The nat static inside ip and nat static commands create two different types of static NAT entries. Note that the addresses of the two types of entries must not conflict.

By default, no static NAT entry is configured.

Example

# Configure a static NAT entry that converts the network address of 10.1.1.1 through 10.1.1.100 to 211.1.1.0, leaving their host addresses unchanged.

[SecBlade_FW] nat static inside ip 10.1.1.1 10.1.1.100 global 211.1.1.0 255.255.255.0
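A worked model of the two address mappings this chapter describes, the port-range form of nat server from the previous section and the network-part rewrite of nat static inside ip above, as an added Python example that is not the switch's own code; the entries and addresses are the ones from the page's examples, and the helper names are this example's.

```python
import ipaddress


def _ip(dotted):
    """Integer form of a dotted IPv4 address."""
    return int(ipaddress.IPv4Address(dotted))


def _dotted(n):
    return str(ipaddress.IPv4Address(n))


def nat_server_port_range(global_ip, global_port1, global_port2, inside_start, inside_end):
    """Expand a port-range nat server entry into the per-server table it implies.

    Port global_port1 maps to inside_start, global_port1+1 to the next inside
    address, and so on, so the two ranges must be the same size.  The table is
    keyed by (global address, global port) so the lookup for an inbound packet
    is a single dictionary access.
    """
    ports = range(global_port1, global_port2 + 1)
    hosts = range(_ip(inside_start), _ip(inside_end) + 1)
    if len(ports) != len(hosts):
        raise ValueError("port range and inside address range must be the same size")
    return {(global_ip, port): _dotted(host) for port, host in zip(ports, hosts)}


def static_inside_ip(inside, inside_start, inside_end, global_address, mask):
    """Translate an inside address through a nat static inside ip entry (outbound).

    Only the network part (the bits set in mask) is replaced by the network part
    of global_address; the host bits are kept.  Returns None when the address is
    outside inside-start..inside-end, i.e. the entry does not apply.
    """
    ip = _ip(inside)
    if not _ip(inside_start) <= ip <= _ip(inside_end):
        return None
    m = _ip(mask)
    # Host bits carried by global_address itself are ignored: the mask decides.
    return _dotted((_ip(global_address) & m) | (ip & ~m & 0xFFFFFFFF))


def static_inside_ip_reverse(public, inside_start, inside_end, global_address, mask):
    """Map a public address back to the inside host (inbound direction).

    Because the host bits survive translation the mapping is reversible without
    per-flow state.  Assumes the inside range lies within one network of the
    mask's size, as in the page's 10.1.1.1-10.1.1.100 /24 example; the result
    must still fall inside the configured range or the entry does not match.
    """
    m = _ip(mask)
    if (_ip(public) & m) != (_ip(global_address) & m):
        return None
    candidate = (_ip(inside_start) & m) | (_ip(public) & ~m & 0xFFFFFFFF)
    if not _ip(inside_start) <= candidate <= _ip(inside_end):
        return None
    return _dotted(candidate)
```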

reset nat

Syntax

reset nat { log-entry | session }

View

User view

Parameter

log-entry: Clears NAT log buffer.

session: Clears the information of the address translation table.

Description

Use the reset nat command to clear the address translation mapping tables from memory and release all the memory dynamically allocated to store them.

Example

# Clear NAT log buffer.

<SecBlade_FW> reset nat log-entry

# Clear information of the address translation table.

<SecBlade_FW> reset nat session


20

L2TP CONFIGURATION COMMANDS

Note: The content below applies to the IPsec module, so the command views in this document apply to the module and not to the Switch 8800 Family switches.

allow l2tp

Syntax

allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ]

undo allow

View

L2TP group view

Parameter

virtual-template-number: Specifies the virtual template interface used when creating a new virtual access interface, an integer ranging from 0 to 1023.

remote-name: Specifies the name of the tunnel peer that initiates the connection request, a case-sensitive string of 1 to 30 characters.

domain-name: Specifies the name of the enterprise, a string of 1 to 30 characters.

Description

Use the allow l2tp command to specify the name of the tunnel peer whose calls are accepted and the virtual template it uses.

Use the undo allow command to remove the name of the peer end of the tunnel and the Virtual-Template it uses.

By default, call receiving is disabled.

This command is used on the LNS side.

For multi-instance applications of L2TP, the domain-name parameter must be configured.

When L2TP group number 1 (the default L2TP group number) is used, the peer name remote-name can be omitted. When configured in the view of L2TP group 1, the format of the command is as follows:

allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ]


If a peer name is specified in the L2TP group 1 configuration, L2TP group 1 will not serve as the default L2TP group. For example, in a Windows 2000 beta 2 environment the local name of the VPN connection is NONE, so the peer name the security gateway receives is NONE. To allow the security gateway to accept tunnel connection requests sent by such unknown peers, or for test purposes, a default L2TP group can be configured.

The allow l2tp command is used on the LNS side. If the peer name of the tunnel is configured, it must match the local tunnel name configured on the LAC side.

Related command: l2tp-group.

Example

# Receive L2TP tunnel connection requests sent by the peer AS8010 (LAC side), and create a virtual-access interface on virtual-template 1.

[SecBlade_VPN-l2tp2] allow l2tp virtual-template 1 remote AS8010

# Use L2TP group 1 as the default L2TP group, receive L2TP tunnel connection requests sent by any peer, and create a virtual-access interface according to virtual-template 1.

[SecBlade_VPN] l2tp-group 1
[SecBlade_VPN-l2tp1] allow l2tp virtual-template 1

debugging l2tp

Syntax

debugging l2tp { all | control | dump | error | event | hidden | payload | time-stamp }

undo debugging l2tp { all | control | dump | error | event | hidden | payload | time-stamp }

View

System view

Parameter

all: Enables all L2TP debugging.

control: Enables control packet debugging.

dump: Enables PPP packet debugging.

error: Enables error debugging.

event: Enables event debugging.

hidden: Enables hidden AVP debugging.

payload: Enables L2TP payload debugging.

time-stamp: Enables time-stamp debugging.


Description

Use the debugging l2tp command to enable L2TP debugging.

Use the undo debugging l2tp command to disable L2TP debugging.

Example

# Enable all L2TP debugging.

<SecBlade_VPN> debugging l2tp all

display l2tp session

Syntax

display l2tp session

View

Any view

Parameter

None

Description

Use the display l2tp session command to view the current L2TP sessions.

The output helps you learn about the current L2TP sessions.

Related command: display l2tp tunnel.

Example

# Display current L2TP sessions.

<SecBlade_VPN> display l2tp session
 LocalSID RemoteSID LocalTID IdleTimeLeft
        1         1        2          600
 Total session = 1

Table 265 Description on the fields of the display l2tp session command

Field          Description
LocalSID       Number that uniquely identifies the local session
RemoteSID      Number that uniquely identifies the peer session
LocalTID       Local ID number of the tunnel
IdleTimeLeft   Remaining time before the session is disconnected because of timeout
Total session  Number of sessions

display l2tp tunnel

Syntax

display l2tp tunnel

View

Any view

Parameter

None


Description

Use the display l2tp tunnel command to display information about the current L2TP tunnels.

The output helps you learn about the current L2TP tunnels.

Related command: display l2tp session.

Example

# Display information of the current L2TP tunnels.

<SecBlade VPN> display l2tp tunnel
 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName keepstanding
        2     22849 11.1.1.1      1701        1 lns        YES
 Total tunnel = 1

Table 266 Description on the fields of the display l2tp tunnel command

Field          Description
LocalTID       Number that uniquely identifies the local tunnel
RemoteTID      Number that uniquely identifies the peer tunnel
RemoteAddress  IP address of the peer end
Port           Port number of the peer end
Sessions       Number of sessions on the tunnel
RemoteName     Name of the peer end
keepstanding   State of the tunnel-hold function
Total tunnel   Number of tunnels

Note: When the security gateway is used as LNS and both domain users and non-domain users exist, wrong L2TP information may be displayed on the device for a tunnel triggered by a non-domain user.

display l2tp user

Syntax

display l2tp user

View

Any view

Parameter

None

Description

Use the display l2tp user command to display information about current L2TP users.

Related command: display l2tp tunnel, display l2tp session.

Example

# Display information about current L2TP users.

<SecBlade VPN> display l2tp user
 User Name LocalSID RemoteSID LocalTID
 w@h3c            1         1        2
 Total user = 1

Table 267 Description on the fields of the display l2tp user command

Field       Description
User Name   User name
LocalSID    Local identifier of the session
RemoteSID   Remote identifier of the session
LocalTID    Local identifier of the tunnel
Total user  Total number of users

interface virtual-template

Syntax

interface virtual-template virtual-template-number

undo interface virtual-template virtual-template-number

View

System view

Parameter

virtual-template-number: Number of a virtual template interface, an integer in the range 0 to 1023.

Description

Use the interface virtual-template command to create a virtual template interface.

Use the undo interface virtual-template command to delete the virtual template interface.

By default, no virtual template interface is created.

Virtual template interfaces are mainly used to configure the operation parameters for the virtual interfaces dynamically created by the security gateway, such as MP interfaces (bundled logical interfaces) and L2TP logical interfaces.

Related command: allow l2tp.

Example

# Create virtual template interface 1 and enter its view.

[SecBlade VPN] interface virtual-template 1

l2tp enable

Syntax

l2tp enable

undo l2tp enable

View

System view

Parameter

None

Description

Use the l2tp enable command to enable the L2TP function.

Use the undo l2tp enable command to disable the L2TP function.

By default, the L2TP function is disabled.

Related command: l2tp-group.

Example

# Enable the L2TP function on the security gateway.

[SecBlade VPN] l2tp enable

l2tp-auto-client enable

Syntax

l2tp-auto-client enable

undo l2tp-auto-client enable

View

Virtual template interface view

Parameter

None

Description

Use the l2tp-auto-client enable command to enable the LAC client to set up an L2TP tunnel.

Use the undo l2tp-auto-client enable command to disable the LAC client from setting up an L2TP tunnel.

Example

# Enter virtual template interface view.

[SecBlade VPN] interface virtual-template 1

# Enable the LAC client to set up L2TP tunnel.

[SecBlade VPN-Virtual-Template1] l2tp-auto-client enable

l2tp-group

Syntax

l2tp-group group-number

undo l2tp-group group-number


View

System view

Parameter

group-number: Number of the L2TP group, an integer ranging from 1 to 1000.

Description

Use the l2tp-group command to create an L2TP group.

Use the undo l2tp-group command to delete the L2TP group.

By default, no L2TP group is created.

Deleting an L2TP group with the undo l2tp-group command also deletes all its configuration information. (L2TP group 1 can be the default L2TP group.)

Related command: allow l2tp and start l2tp.

Example

# Create L2TP group 2 and enter L2TP group 2 view.

[SecBlade VPN] l2tp-group 2
[SecBlade VPN-l2tp2]

l2tpmoreexam enable

Syntax

l2tpmoreexam enable

undo l2tpmoreexam enable

View

System view

Parameter

None

Description

Use this command on the LNS side.

Use the l2tpmoreexam enable command to enable the L2TP multi-domain function.

Use the undo l2tpmoreexam enable command to disable the L2TP multi-domain function.

By default, the L2TP multi-domain function is disabled.

L2TP multi-domain services can be deployed only after you enable the L2TP multi-domain function by using the l2tpmoreexam enable command.

Related command: l2tp enable.


Example

# Enable the L2TP multi-domain function on the security gateway (the LNS side).

[SW8800] l2tpmoreexam enable

mandatory-chap

Syntax

mandatory-chap

undo mandatory-chap

View

L2TP group view

Parameter

None

Description

Use the mandatory-chap command to force the LNS to perform CHAP authentication again with the client.

Use the undo mandatory-chap command to disable CHAP re-authentication.

By default, CHAP re-authentication is not performed.

After the LAC performs agent authentication on clients, the LNS can authenticate them again for enhanced security. If the mandatory-chap command is used, each VPN client whose tunnel connection is initiated by the access server undergoes authentication on both the access server side and the LNS side. Some PPP clients may not support the second authentication; in this case, local CHAP authentication fails.

Related command: mandatory-lcp.

Example

# Perform mandatory CHAP authentication.

[SecBlade VPN-l2tp1] mandatory-chap

mandatory-lcp

Syntax

mandatory-lcp

undo mandatory-lcp

View

L2TP group view

Parameter

None

Description

Use the mandatory-lcp command to allow the LNS and the client to renegotiate the Link Control Protocol (LCP) between them.


Use the undo mandatory-lcp command to disable LCP renegotiation.

By default, LCP is not renegotiated.

For a NAS-initiated VPN client, PPP negotiation is first performed with the Network Access Server (NAS) at the beginning of a PPP session. If the negotiation succeeds, the access server initiates the tunnel connection and forwards the information collected during the negotiation to the LNS, which uses it to decide whether the user is valid. The mandatory-lcp command forces the LNS and the client to renegotiate LCP; in this case the NAS agent authentication information is ignored. If the PPP client does not support LCP renegotiation, LCP renegotiation fails.

Related command: mandatory-chap.

Example

# Enable LCP renegotiation.

[SecBlade VPN-l2tp1] mandatory-lcp

reset l2tp session

Syntax

reset l2tp session session-id

View

User view

Parameter

session-id: Local identifier of a session.

Description

Use the reset l2tp session command to force a session down; the session can be re-established when the user calls in again.

Related command: reset l2tp tunnel.

Example

# Force down an L2TP session.

<SecBlade VPN> reset l2tp session 1

reset l2tp tunnel

Syntax

reset l2tp tunnel { name remote-name | id tunnel-id }

View

User view

Parameter

remote-name: Name of the peer end of the tunnel.

tunnel-id: ID of the local end of the tunnel.


Description

Use the reset l2tp tunnel command to clear the specified tunnel connection and all sessions on the tunnel.

A tunnel connection forcibly disconnected by the reset l2tp tunnel command can be re-established when the remote user calls in again. You may select the tunnel connections to disconnect by remote name: if no such tunnel connection exists, the current tunnel connections are not affected, and if several tunnel connections share that name (with different IP addresses), all of them are cleared. When tunnel-id is specified, only the corresponding tunnel connection is disconnected.

Related command: display l2tp tunnel.

Example

# Clear the tunnel connection with the peer name of AS8010.

<SecBlade VPN> reset l2tp tunnel name AS8010

reset l2tp user

Syntax

reset l2tp user user-name

View

User view

Parameter

user-name: L2TP user name.

Description

Use the reset l2tp user command to force down the L2TP connection of the specified user; the connection can be re-established when the user calls in again.

Related command: reset l2tp tunnel, reset l2tp session.

Example

# Force down the connection of the current L2TP user.

<SecBlade VPN> reset l2tp user sw8800@3com

session idle-time

Syntax

session idle-time time

undo session idle-time

View

L2TP group view

Parameter

time: Idle-timeout time, in the range 0 to 10000 seconds.


Description

Use the session idle-time command to set the L2TP session idle-timeout time and enable the timeout disconnection function.

Use the undo session idle-time command to disable timeout disconnection.

By default, an L2TP session never times out.

Example

# Enter L2TP group view.

[SecBlade VPN] l2tp-group 1

# Set the L2TP session idle-timeout time to 600 seconds.

[SecBlade VPN-l2tp1] session idle-time 600

start l2tp

Syntax

start l2tp { ip ip-addr [ ip ip-addr ] [ ip ip-addr ] ... } { domain domain-name | fullusername user-name }

undo start l2tp

View

L2TP group view

Parameter

ip ip-addr: Specifies the IP address of the tunnel peer (LNS). Up to five IP addresses can be set; the LNSs serve as backups for one another.

domain-name: Domain name triggering connection requests, a string of 1 to 30 characters.

user-name: Full username triggering connection requests, a string of 1 to 32 characters.

Description

Use the start l2tp command to specify the conditions that trigger the local end to place calls when it works as an L2TP LAC.

Use the undo start l2tp command to delete the specified triggering conditions.

This command is used on the LAC side to specify the IP address of the LNS; it supports several connection request triggering conditions:

■ Initiating a tunnel connection request according to the user's domain name. For example, if the domain name of the user's company is 3Com.com, users with this domain name can be specified as VPN users.

■ Specifying a user as a VPN user directly by full username.

For a VPN user, the local end (LAC) sends an L2TP tunnel connection request to an LNS according to the configured LNS priority or order. If it receives a response from that LNS within the specified period, the LAC takes it as the peer end of the tunnel; otherwise, the LAC sends the tunnel connection request to the next LNS.

Conflicts may exist between these ways of identifying VPN users. For example, the LNS address specified by full username may be 1.1.1.1 while that specified by domain name is 1.1.1.2. To resolve such cases, a search order is defined: the system always looks first for the L2TP group specified by full username; if it finds no match, it continues the search by domain name.

Example

# Specify the users whose domain name is "3Com.com" as VPN users; the IP address of the L2TP access server of the headquarters is 202.38.168.1.

[SecBlade VPN-l2tp1] start l2tp ip 202.38.168.1 domain 3com.com

start l2tp tunnel

Syntax

start l2tp tunnel

View

L2TP group view

Parameter

None

Description

Use the start l2tp tunnel command to enable the L2TP LAC to start an L2TP tunnel connection.

This command is used only on the LAC side.

Related command: tunnel keepstanding.

Example

# Enable the LAC to start an L2TP tunnel connection in the input order of the LNSs: the LAC requests the LNS at 1.1.1.1 first and then the LNS at 2.2.2.2 if no response is received.

[SecBlade VPN-l2tp1] start l2tp ip 1.1.1.1 ip 2.2.2.2 fullusername vpdnuser
[SecBlade VPN-l2tp1] start l2tp tunnel

CAUTION: You must use this command in conjunction with the tunnel keepstanding command. Otherwise, the tunnel will be torn down immediately after it is set up.

tunnel authentication

Syntax

tunnel authentication

undo tunnel authentication

View

L2TP group view


Parameter

None

Description

Use the tunnel authentication command to enable L2TP tunnel authentication.

Use the undo tunnel authentication command to disable L2TP tunnel authentication.

By default, L2TP tunnel authentication is performed.

Normally, authentication should be performed at both ends of the tunnel for security. For a network connectivity test, or when accepting a connection from a nameless peer, tunnel authentication is not required.

Example

# Do not authenticate the peer end of the tunnel.

[SecBlade VPN-l2tp1] undo tunnel authentication

tunnel avp-hidden

Syntax

tunnel avp-hidden

undo tunnel avp-hidden

View

L2TP group view

Parameter

None

Description

Use the tunnel avp-hidden command to configure Attribute Value Pair (AVP) data to be transmitted in hidden format.

Use the undo tunnel avp-hidden command to restore the default way of transmitting AVP data.

By default, the tunnel transmits AVP data in plain text.

Some L2TP protocol parameters are transmitted as AVP data. If higher data security is desired, use this command to transmit AVP data in hidden format.

Example

# Set AVP data to be transmitted in hidden format.

[SecBlade VPN-l2tp1] tunnel avp-hidden
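What "hidden format" means on the wire, as an added Python example that is not the SecBlade's code: the AVP hiding scheme of RFC 2661 section 4.3, keyed by the shared tunnel secret (the value set with tunnel password) and the Random Vector AVP that precedes each hidden AVP. The attribute type 7 (Host Name in RFC 2661), the secret yougotit from this chapter's tunnel password example, and the 16-byte random vector are constructed inputs; the function names are this example's.

```python
import hashlib
import struct

CHUNK = 16  # hiding works in 16-octet chunks, the size of an MD5 digest


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_avp(attr_type, value, secret, random_vector):
    """Hide an AVP value as in RFC 2661 section 4.3.

    attr_type is the 2-octet AVP attribute type, secret the shared tunnel
    secret (the tunnel password), random_vector the value of the Random Vector
    AVP sent in the same control message.  The value is prefixed with its
    2-octet length, padded to a 16-octet boundary, and each chunk is XORed
    with an MD5 keystream that is chained through the previous ciphertext
    chunk: b1 = MD5(attr + secret + RV), b(i) = MD5(secret + c(i-1)).
    """
    plain = struct.pack("!H", len(value)) + value
    plain += bytes((-len(plain)) % CHUNK)  # RFC allows random padding; zeros keep this deterministic
    attr = struct.pack("!H", attr_type)
    hidden = b""
    prev = None
    for i in range(0, len(plain), CHUNK):
        if prev is None:
            b = hashlib.md5(attr + secret + random_vector).digest()
        else:
            b = hashlib.md5(secret + prev).digest()
        prev = _xor(plain[i:i + CHUNK], b)
        hidden += prev
    return hidden


def unhide_avp(attr_type, hidden, secret, random_vector):
    """Recover the original value.  Raises ValueError when the decoded length
    field is inconsistent, which is how a wrong secret usually shows up."""
    if not hidden or len(hidden) % CHUNK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    attr = struct.pack("!H", attr_type)
    plain = b""
    prev = None
    for i in range(0, len(hidden), CHUNK):
        chunk = hidden[i:i + CHUNK]
        if prev is None:
            b = hashlib.md5(attr + secret + random_vector).digest()
        else:
            b = hashlib.md5(secret + prev).digest()
        plain += _xor(chunk, b)
        prev = chunk
    (length,) = struct.unpack("!H", plain[:2])
    if length > len(plain) - 2:
        raise ValueError("length field exceeds decoded data: wrong secret, wrong random vector, or corrupted AVP")
    return plain[2:2 + length]


def try_unhide(attr_type, hidden, secret, random_vector):
    """Unhide, returning None instead of raising, for callers that only need to know whether it worked."""
    try:
        return unhide_avp(attr_type, hidden, secret, random_vector)
    except ValueError:
        return None
```

Hiding only obscures the value from an observer who does not hold the tunnel secret; it provides no integrity protection, which is why the L2TP control channel is normally carried over IPsec.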


tunnel flow-control

Syntax

tunnel flow-control

undo tunnel flow-control

View

L2TP group view

Parameter

None

Description

Use the tunnel flow-control command to enable L2TP tunnel flow-control.

Use the undo tunnel flow-control command to disable the flow-control function.

By default, the L2TP tunnel flow-control function is disabled.

Example

# Enable the flow-control function.

[SecBlade VPN-l2tp1] tunnel flow-control

tunnel keepstanding

Syntax

tunnel keepstanding

undo tunnel keepstanding

View

L2TP group view

Parameter

None

Description

Use the tunnel keepstanding command to enable the L2TP tunnel-hold function, which prevents the tunnel from being disconnected when no session is present.

Use the undo tunnel keepstanding command to disable the tunnel-hold function of L2TP.

CAUTION: To have this command take effect on a tunnel, you must configure it at both ends of the tunnel.

Example

# Enter L2TP group view.

[SecBlade VPN] l2tp-group 1

# Enable the tunnel-hold function of L2TP.

[SecBlade VPN-l2tp1] tunnel keepstanding


tunnel name

Syntax

tunnel name name

undo tunnel name

View

L2TP group view

Parameter

name: Local name of the tunnel, a string of 1 to 30 characters.

Description

Use the tunnel name command to specify the local name of a tunnel.

Use the undo tunnel name command to restore the local name to the default.

By default, the local name is the name of the security gateway.

When an L2TP group is created, the system initializes the local name to the name of the security gateway.

Related command: sysname.

Example

# Set local name of the tunnel to itsme.

[SecBlade VPN-l2tp1] tunnel name itsme

tunnel password

Syntax

tunnel password { simple | cipher } password

undo tunnel password

View

L2TP group view

Parameter

simple: Password in plain text.

cipher: Password in ciphertext.

password: Password used for tunnel authentication, a string of 1 to 16 characters.

Description

Use the tunnel password command to specify a password for tunnel authentication.

Use the undo tunnel password command to remove the tunnel authentication password.


By default, the tunnel authentication password is null.

Example

# Set the tunnel authentication password to yougotit, displayed in cipher text.

[SecBlade VPN-l2tp1] tunnel password cipher yougotit

tunnel timer hello

Syntax

tunnel timer hello hello-interval

undo tunnel timer hello

View

L2TP group view

Parameter

hello-interval: Interval at which Hello packets are sent when the LAC or LNS has received no packets, an integer in seconds ranging from 60 to 1000.

Description

Use the tunnel timer hello command to set the Hello packet sending interval.

Use the undo tunnel timer hello command to restore the Hello packet sending interval of the tunnel to the default.

By default, a Hello packet is sent every 60 seconds.

Different Hello intervals can be configured on the LNS and LAC sides.

Example

# Set Hello packet forwarding interval to 99 seconds.

[SecBlade VPN-l2tp1] tunnel timer hello 99


21

GRE CONFIGURATION COMMANDS

debugging tunnel

Syntax

debugging tunnel

undo debugging tunnel

View

User view

Parameter

None

Description

Use the debugging tunnel command to enable tunnel debugging.

Use the undo debugging tunnel command to disable tunnel debugging output.

Example

# Enable the debugging for tunnel.

<SecBlade_VPN> debugging tunnel

destination

Syntax

destination ip-addr

undo destination

View

Tunnel interface view

Parameter

ip-addr: IP address of the physical interface used by the peer end of the tunnel.

Description

Use the destination command to specify the destination IP address to be filled in the IP header added when packets are encapsulated on the tunnel interface.

Use the undo destination command to delete the defined destination address.

By default, no tunnel destination address is specified.

The specified tunnel destination address is the IP address of the real physical interface that receives the GRE packets; it must be the same as the source address specified on the opposite tunnel interface, and the route to the opposite physical interface must be reachable.

The same source address and destination address cannot be configured on two or more tunnel interfaces using the same encapsulation protocol.

Related command: interface tunnel and source.

Example

# Set up a tunnel connection between interface GigabitEthernet0/0.1 of SecBlade_VPN1 (IP address 193.101.1.1) and interface GigabitEthernet0/0.2 of SecBlade_VPN2 (IP address 192.100.1.1).

[SecBlade_VPN1-Tunnel0] source 193.101.1.1
[SecBlade_VPN1-Tunnel0] destination 192.100.1.1
[SecBlade_VPN2-Tunnel1] source 192.100.1.1
[SecBlade_VPN2-Tunnel1] destination 193.101.1.1

display interface tunnel

Syntax

display interface tunnel [ number ]

View

Any view

Parameter

number: Tunnel interface number, in the range 0 to 1023.

Description

Use the display interface tunnel command to view the working status of a tunnel interface.

The display interface tunnel command shows information about the tunnel interface such as the source address, the destination address (the real physical interface address that receives and sends GRE packets), the encapsulation mode, the identification keyword, and the end-to-end check.

Related command: source, destination, gre key, gre checksum, and tunnel-protocol.

Example

# Display the current tunnel interface.

<SecBlade_VPN> display interface tunnel 2
Tunnel2 current state :UP
Line protocol current state :DOWN
Description : Tunnel0 Interface
The Maximum Transmit Unit is 64000
Internet Address is 192.168.2.1/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 192.168.0.1 (GigabitEthernet0/0.1), destination 202.38.16.188
Tunnel keepalive disable
Tunnel protocol/transport GRE/IP, key disabled
Checksumming of packets disabled
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error

Table 268 Description on the fields of the display interface tunnel 2 command

Field                        Description
Tunnel2 current state        Current state of the tunnel interface
Line protocol current state  Current state of the protocol on the tunnel interface
Description                  Description of the tunnel interface
The Maximum Transmit Unit    MTU value of the tunnel interface
Encapsulation                The tunnel is formed by GRE encapsulation
Loopback                     Whether the loopback test is enabled
Tunnel source                Source address of the tunnel
destination                  Destination address of the tunnel
Tunnel keepalive             Whether the keepalive function is enabled
Tunnel protocol/transport    Encapsulation protocol and transport protocol of the tunnel
key                          Identification keyword of the tunnel interface
Checksumming of packets      End-to-end check of the tunnel
Last 300 seconds input       Number of input bytes and packets in the last five minutes
Last 300 seconds output      Number of output bytes and packets in the last five minutes
packets input, bytes         Total number of input packets and bytes
packets output, bytes        Total number of output packets and bytes
input error                  Number of error packets among all input packets
output error                 Number of error packets among all output packets

gre checksum

Syntax

gre checksum

undo gre checksum

View

Tunnel interface view

Parameter

None

Description

Use the gre checksum command to configure the two ends of a tunnel to perform an end-to-end check, verifying the correctness of packets and discarding those that fail the verification.

Use the undo gre checksum command to cancel the check.

By default, the end-to-end check between the two ends of a tunnel is disabled.

You may enable or disable checksum at each end of a tunnel as needed. If checksum is enabled at the local end but not at the opposite end, the local end adds a checksum to transmitted packets but does not verify received packets. If checksum is disabled at the local end but enabled at the opposite end, the local end does the opposite: it verifies received packets but does not add a checksum to transmitted packets.

Related command: interface tunnel.

Example

# Set up a tunnel between the SecBlade_VPN1 interface and SecBlade_VPN2 interface and enable checksum on both ends of the tunnel.

[SecBlade_VPN1-Tunnel3] gre checksum
[SecBlade_VPN2-Tunnel2] gre checksum

gre key

Syntax

gre key key-number

undo gre key

View

Tunnel interface view

Parameter

key-number: Identification keyword of the two ends of the tunnel, an integer ranging from 0 to 4294967295.

Description

Use the gre key command to set the identification keyword of the tunnel interface. This keyword is a weak safeguard that helps the tunnel avoid misidentifying packets or accepting packets that were not sent for it.

Use the undo gre key command to delete this configuration.

By default, the system does not assign identification keyword to the tunnel.

Regarding the setting of key-number, you are required either to specify the same key-number at both ends of the tunnel or to specify it at neither of the two ends.

Related command: interface tunnel.

Example

# Set up a tunnel between SecBlade_VPN1 and SecBlade_VPN2 and set the identification keyword of the tunnel.

[SecBlade_VPN1-Tunnel3] gre key 123
[SecBlade_VPN2-Tunnel2] gre key 123
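The checksum and key behaviour described under gre checksum and gre key above, as an added worked example in Python (not code from this manual or from 3Com): it builds a GRE header with the RFC 2784/2890 field layout, computes the one's-complement checksum, and applies the receive rules the text gives (a checksum is verified only when the local end has checksum enabled and the packet carries one; the key must match at both ends or be absent at both). The field layout follows the RFCs; the switch's internal implementation is not shown and the sample payload is constructed.

```python
import struct
from typing import Optional

# GRE flag bits in the first 16-bit word of the header (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000   # C bit: Checksum + Reserved1 fields present
GRE_FLAG_KEY = 0x2000        # K bit: Key field present
ETHERTYPE_IPV4 = 0x0800      # protocol type carried in the GRE header


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's-complement sum, as used by IP and by GRE (RFC 2784)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd lengths with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, checksum: bool = False, key: Optional[int] = None,
              proto: int = ETHERTYPE_IPV4) -> bytes:
    """Encapsulate payload in a GRE header; mirrors the gre checksum / gre key settings."""
    flags, optional = 0, b""
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
        optional += struct.pack("!HH", 0, 0)  # checksum placeholder, Reserved1
    if key is not None:
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)   # the key travels in clear text: it is not authentication
    header = struct.pack("!HH", flags, proto) + optional
    if checksum:
        # The checksum covers the GRE header and the payload, with the field zeroed.
        csum = ones_complement_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def receive_gre(packet: bytes, verify_checksum: bool, expected_key: Optional[int]):
    """Apply the receive-side rules from the text. Returns (accepted, reason, payload)."""
    flags, _proto = struct.unpack("!HH", packet[:4])
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        # Only a receiver with gre checksum enabled verifies; an intact packet
        # sums to zero when the stored checksum is included in the calculation.
        if verify_checksum and ones_complement_checksum(packet) != 0:
            return False, "checksum mismatch", None
        offset += 4
    key = None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    # "Same key at both ends or at neither": a missing key counts as a mismatch too.
    if key != expected_key:
        return False, "key mismatch", None
    return True, "ok", packet[offset:]


if __name__ == "__main__":
    pkt = build_gre(b"hello", checksum=True, key=123)   # constructed sample payload
    print(pkt.hex())
    print(receive_gre(pkt, verify_checksum=True, expected_key=123))
```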

interface tunnel

Syntax

interface tunnel number

undo interface tunnel number

View

System view


Parameter

number: Tunnel interface number to be set, in the range from 0 to 1023.

Description

Use the interface tunnel command to create a tunnel interface and enter the view of this tunnel interface.

Use the undo interface tunnel command to delete the specified tunnel interface.

By default, there is no tunnel interface in the system.

The interface tunnel command is used to enter interface view of the specified tunnel. If the tunnel interface does not exist, the system will create it before entering tunnel interface view.

Tunnel interface numbers have only local significance. The two ends of a tunnel can use the same or different interface numbers.

Related command: source, destination, gre key, gre checksum, tunnel-protocol.

Example

# Create interface Tunnel 3.

[SecBlade_VPN] interface tunnel 3

keepalive

Syntax

keepalive [ seconds [ times ] ]

undo keepalive

View

Tunnel interface view

Parameter

seconds: Interval for sending keepalive messages, in seconds. It is in the range 1 to 32767 and defaults to 10.

times: The maximum number of keepalive message sending attempts. It is in the range 1 to 255 and defaults to 3.

Description

Use the keepalive command to enable the keepalive function of GRE and configure the interval for sending keepalive messages and the maximum number of sending attempts as well.

Use the undo keepalive command to disable the keepalive function.

By default, the keepalive function of GRE is disabled.

After you configure the keepalive command, the SecBlade sends GRE keepalive packets at regular intervals. If no response is received for a keepalive packet before the specified period expires, the SecBlade resends the keepalive packet. If there is still no response after the number of resend attempts exceeds the specified limit, the line protocol of the local tunnel interface goes down.

Related command: interface tunnel.

Example

# Configure the security gateway to send GRE keepalive messages up to five times at intervals of 20 seconds.

[SecBlade_VPN-Tunnel0] keepalive 20 5

source

Syntax

source { ip-addr | interface-type interface-num }

undo source

View

Tunnel interface view

Parameter

ip-addr: Specifies the IP address of the real interface that sends the GRE packets, in the dotted decimal format A.B.C.D.

interface-type interface-num: Specifies the real interface that sends the packets by its interface type and number.

Description

Use the source command to specify the source IP address to be filled in the IP header that is added when the tunnel interface encapsulates a packet.

Use the undo source command to delete the configured source address.

By default, source address of tunnel is not specified in the system.

The specified source address of the tunnel is the address of the real interface that sends the GRE packets; it must match the destination address configured on the opposite tunnel interface.

The same source address and destination address cannot be configured on two or more tunnel interfaces using the same encapsulation protocol.

Related command: interface tunnel, destination.

Example

# Configure the interface Tunnel5 on SecBlade_VPN1, on which the physical output interface of the encapsulated packet is GigabitEthernet0/0.1 (with the IP address of the interface being 192.100.1.1).

[SecBlade_VPN1-Tunnel5] source 192.100.1.1

Alternatively, you may specify the actual physical interface:

[SecBlade_VPN1-Tunnel5] source GigabitEthernet0/0.1


tunnel-protocol gre

Syntax

tunnel-protocol gre

undo tunnel-protocol

View

Tunnel interface view

Parameter

gre: Encapsulation protocol of the tunnel.

Description

Use the tunnel-protocol gre command to set the encapsulation mode of the tunnel interface to GRE.

By default, the encapsulation protocol of a tunnel interface is GRE. In GRE mode, the GRE-related commands can be executed and displayed; other modes provide their own set of commands.

Related command: interface tunnel.

Example

# Create a tunnel between SecBlade_VPN1 and SecBlade_VPN2, with encapsulation protocol being GRE and transport protocol being IP.

[SecBlade_VPN1-Tunnel3] tunnel-protocol gre
[SecBlade_VPN2-Tunnel2] tunnel-protocol gre


22

IPSEC CONFIGURATION COMMANDS

IPsec Configuration Commands

ah authentication-algorithm

Syntax

ah authentication-algorithm { md5 | sha1 }

undo ah authentication-algorithm

View

IPsec proposal view

Parameter

md5: MD5 algorithm is adopted.

sha1: SHA1 algorithm is adopted.

Description

Use the ah authentication-algorithm command to set the authentication algorithm adopted by Authentication Header protocol in IPsec proposal.

Use the undo ah authentication-algorithm command to restore the default setting.

By default, the md5 authentication algorithm is adopted by Authentication Header protocol in IPsec proposal.

AH cannot encrypt packets; it only authenticates them.

MD5 uses a 128-bit key and SHA1 uses a 160-bit key. MD5 is faster than SHA1, while SHA1 is more secure than MD5.

The IPsec proposal adopted by the IPsec policy at both ends of the security tunnel must be set as using the same authentication algorithm.

The AH authentication algorithm can be configured only if AH or AH-ESP was selected as the security protocol with the transform command.

Related command: ipsec proposal, proposal, sa spi and transform.

Example

# Set IPsec proposal using AH and SHA1.

[SecBlade_VPN] ipsec proposal prop1
[SecBlade_VPN-ipsec-proposal-prop1] transform ah
[SecBlade_VPN-ipsec-proposal-prop1] ah authentication-algorithm sha1
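As an added example (not code from this manual or from 3Com), the following Python computes and verifies the 96-bit HMAC integrity check value that AH carries, and that ESP carries under esp authentication-algorithm, for the two algorithms above; the key lengths are the ones the text gives, and the sample key and data are constructed placeholders. It also shows why both ends must agree on the algorithm: an ICV computed with SHA1 fails verification at a peer configured for MD5.

```python
import hmac
import hashlib

# Key lengths the manual gives: MD5 uses a 128-bit key, SHA1 a 160-bit key.
# The IPsec HMAC variants truncate the MAC to 96 bits, which is the "hmac-96"
# suffix seen in the display ipsec proposal output.
ALGORITHMS = {
    "md5": (hashlib.md5, 16),
    "sha1": (hashlib.sha1, 20),
}
ICV_LEN = 12  # 96 bits


def compute_icv(algorithm: str, key: bytes, authenticated_data: bytes) -> bytes:
    """Return the 96-bit ICV that AH or ESP would carry for this data."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown authentication algorithm: {algorithm}")
    digest, key_len = ALGORITHMS[algorithm]
    if len(key) != key_len:
        raise ValueError(f"{algorithm} expects a {key_len * 8}-bit key, got {len(key) * 8} bits")
    return hmac.new(key, authenticated_data, digest).digest()[:ICV_LEN]


def verify_icv(algorithm: str, key: bytes, authenticated_data: bytes, received_icv: bytes) -> bool:
    """Constant-time check of a received ICV; False on any mismatch or bad configuration."""
    if len(received_icv) != ICV_LEN:
        return False
    try:
        expected = compute_icv(algorithm, key, authenticated_data)
    except ValueError:
        return False
    return hmac.compare_digest(expected, received_icv)


# Constructed sample: placeholder keys and a stand-in for the authenticated
# portion of a packet (none of these values come from the manual).
SAMPLE_KEY_SHA1 = bytes(range(20))
SAMPLE_KEY_MD5 = bytes(range(16))
SAMPLE_DATA = b"\x45\x00\x00\x3c" + b"inner packet bytes"


def demo() -> dict:
    icv = compute_icv("sha1", SAMPLE_KEY_SHA1, SAMPLE_DATA)
    return {
        # Both ends configured with sha1 and sharing the key: accepted.
        "same_algo_same_key": verify_icv("sha1", SAMPLE_KEY_SHA1, SAMPLE_DATA, icv),
        # Peer configured with md5 while the sender used sha1: rejected.
        "algo_mismatch": verify_icv("md5", SAMPLE_KEY_MD5, SAMPLE_DATA, icv),
        # One changed byte in the protected data: rejected.
        "tampered": verify_icv("sha1", SAMPLE_KEY_SHA1, SAMPLE_DATA[:-1] + b"\x00", icv),
    }


if __name__ == "__main__":
    print(demo())
```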

debugging ike dpd

Syntax

debugging ike dpd

undo debugging ike dpd

View

User view

Parameter

None

Description

Use the debugging ike dpd command to enable IKE DPD debugging.

Use the undo debugging ike dpd command to disable IKE DPD debugging.

Example

# Enable IKE DPD debugging.

<SecBlade_VPN> debugging ike dpd

debugging ipsec

Syntax

debugging ipsec { all | sa | misc | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] }

undo debugging ipsec { all | sa | misc | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] }

View

User view

Parameter

all: Displays all debugging information.

sa: Displays debugging information of SA.

packet: Displays debugging information of IPsec packets.

policy policy-name: Displays debugging information of IPsec policy whose name is policy-name.

seq-number: Displays debugging information of IPsec policy whose sequence number is seq-number.

parameters: Displays debugging information of a SA whose remote address is ip-address, Security protocol is protocol, and SPI is spi-number.

misc: Displays other debugging information of IPsec.


Description

Use the debugging ipsec command to enable the debugging for IPsec.

Use the undo debugging ipsec command to disable IPsec debugging output.

By default, the debugging for IPsec is disabled.

Example

# Enable IPsec SA debugging function.

<SecBlade_VPN> debugging ipsec sa

display ike dpd

Syntax

display ike dpd [ dpd-name ]

View

Any view

Parameter

dpd-name: DPD structure name.

Description

Use the display ike dpd command to display the information about the configured DPD structure.

Example

# Display information about all the configured DPD structures.

[SecBlade_VPN] display ike dpd
---------------------------
IKE dpd: aaa
references: 0
interval-time: 10
time_out: 5
---------------------------
---------------------------
IKE dpd: xhy
references: 1
interval-time: 10
time_out: 5

Table 269 Description on the fields of the display ike dpd command

Field Description

IKE dpd IKE DPD structure name

references DPD structure reference count

interval-time Interval for triggering DPD queries

time_out Timeout time for a DPD query

display ipsec policy

Syntax

display ipsec policy [ brief | name policy-name [ seq-number ] ]

View

Any view

Parameter

brief: Displays brief information about all the IPsec policies.

name: Displays information of the IPsec policy with the name policy-name and sequence number seq-number.

policy-name: Name of an IPsec policy.

seq-number: Sequence number of an IPsec policy.

If no argument is specified, the details of all the IPsec policies are displayed. If name policy-name is specified but seq-number is not, the information about all the policies in the specified IPsec policy group is listed.

Description

Use the display ipsec policy command to view information about the IPsec policy.

The brief keyword displays brief information about all the IPsec policies in the brief format (see the following example) and is useful for a quick overview of all the IPsec policies. Brief information includes: name and sequence number, negotiation mode, access control list, proposal, local address, and remote address.

The other command words are used to display the detailed information about the IPsec policy, whose display format is the detailed format (refer to the following example).

Related command: ipsec policy (system view).

Example

# View brief information about all the IPsec policies.

<SecBlade_VPN> display ipsec policy brief
IPsec-Policy-Name Mode acl Local-Address Remote-Address
------------------------------------------------------------------------
policy1-1 isakmp 3000 172.16.2.1
policy2-1 manual 3001 172.16.2.1 172.16.2.2

Table 270 Description on the fields of the display ipsec policy command

Field Description

IPsec-Policy-Name Name and sequence number of an IPsec policy (the name and the sequence number are separated by "-")

Mode Negotiation method used by an IPsec policy

acl Access control list used by an IPsec policy

Local Address Local IP address

Remote Address Remote IP address

ike-peer name In ISAKMP negotiation mode, the name of the IKE peer used by an IPsec policy (the name is not displayed in the manual mode)

# View information about all the IPsec policies.

[SecBlade_VPN] display ipsec policy
===========================================
IPsec Policy Group: "policy1"
Using interface: {GigabitEthernet0/0.1}
===========================================
-----------------------------
IPsec policy name: "policy1"
sequence number: 1
mode: isakmp
-----------------------------
security data flow : 3000
ike-peer name: ikepeer
perfect forward secrecy: DH group 1
proposal name: proposal1
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
===========================================
IPsec Policy Group: "policy2"
Using interface: {GigabitEthernet0/0.2}
===========================================
-----------------------------
IPsec policy name: "policy2"
sequence number: 1
mode: manual
-----------------------------
security data flow : 3001
tunnel local address: 172.16.2.1
tunnel remote address: 172.16.2.2
proposal name: proposal2
inbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
inbound ESP setting:
ESP spi:
ESP string-key:
ESP encryption hex key:
ESP authentication hex key:
outbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
outbound ESP setting:
ESP spi:
ESP string-key:
ESP encryption hex key:
ESP authentication hex key:

Table 271 Description on the fields of the display ipsec policy command

Field Description

IPsec policy name Name of the IPsec policy

sequence number Sequence number of the IPsec policy

mode Negotiation mode of the IPsec policy: isakmp or manual

security data flow Access control list used by an IPsec policy

ike-peer name Name of the referenced IKE peer

perfect forward secrecy The configuration of perfect forward secrecy (PFS)

proposal name Name of the proposal referenced in the IPsec policy

IPsec sa local duration(time based) Time-based duration of the IPsec SA

IPsec sa local duration(traffic based) Traffic-based duration of the IPsec SA

tunnel local address IP address of the local end of the tunnel

tunnel remote address IP address of the remote end of the tunnel

inbound AH setting The setting of inbound AH protocol

inbound ESP setting The setting of inbound ESP protocol

outbound AH setting The setting of outbound AH protocol

outbound ESP setting The setting of outbound ESP protocol

display ipsec policy-template

Syntax

display ipsec policy-template [ brief | name template-name [ seq-number ] ]

View

Any view

Parameter

brief: Displays brief information about all the IPsec policy templates.

name: Displays information of the IPsec policy template with the name template-name and sequence number seq-number.

template-name: Name of an IPsec policy template.

seq-number: Sequence number of an IPsec policy template. If seq-number is not specified, the information about all the IPsec policy templates named template-name is shown.

If no parameter is specified, the detailed information about all the IPsec policy templates is displayed. If name template-name is specified but seq-number is not, the information of the specified IPsec policy template group is listed.

Description

Use the display ipsec policy-template command to view information about the IPsec policy template.

The brief keyword shows brief information about all the IPsec policy templates in the brief format (see the following example) and is useful for a quick overview of all the IPsec policy templates. Brief information includes: template name and sequence number, access control list, and remote address.


Any of the sub-commands can be used to display detail information of the IPsec policy template.

Related command: ipsec policy-template.

Example

# View brief information about all the IPsec policy templates.

[SecBlade_VPN] display ipsec policy-template brief
Policy-template-Name acl Remote-Address
------------------------------------------------------
test-tplt300 2200

Table 272 Brief information of IPsec policy template

Field Description

Policy-template-Name Name and sequence number of an IPsec policy template

acl Access control list used by an IPsec policy template

Remote Address Remote IP address

display ipsec proposal

Syntax

display ipsec proposal [ proposal-name ]

View

Any view

Parameter

proposal-name: Name of the proposal.

Description

Use the display ipsec proposal command to view information about the proposal.

If the name of the proposal is not specified, information about all the proposals is shown.

Related command: ipsec proposal, display ipsec sa and display ipsec policy.

Example

# View all the proposals.

[SecBlade_VPN] display ipsec proposal
Ipsec proposal name: prop2
encapsulation mode: tunnel
transform: ah-new
ah protocol: authentication-algorithm sha1-hmac-96
Ipsec proposal name: prop1
encapsulation mode: transport
transform: esp-new
esp protocol: authentication-algorithm md5-hmac96, encryption des

Table 273 IPsec proposal information

Field Description

Ipsec proposal name Name of the proposal

encapsulation mode Mode used by the proposal, one of two types: transport mode and tunnel mode

transform Security protocol used by the proposal, one of two types: AH and ESP

ah protocol The authentication algorithm used by AH: md5 | sha1

esp protocol The authentication algorithm and the encryption algorithm used by ESP respectively: MD5 and DES

display ipsec sa

Syntax

display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

View

Any view

Parameter

brief: Displays brief information about all the SAs.

remote: Displays information about the SA whose remote address is ip-address.

ip-address: Specifies the remote address in dotted decimal format.

policy: Displays information about the SA created by the IPsec policy whose name is policy-name.

policy-name: Name of the IPsec policy.

seq-number: Specifies the sequence number of the IPsec policy.

duration: Displays the global SA duration.

Description

Use the display ipsec sa command to view the relevant information about the SA.

The command with the brief keyword shows brief information about all the SAs in the brief format (refer to the following example). Brief information includes source address, destination address, SPI, protocol, and algorithm. In the algorithm column, an entry beginning with "E" is the encryption algorithm and an entry beginning with "A" is the authentication algorithm. The brief keyword can be used to quickly display all the SAs already set up.

The commands with the remote and policy parameters both display detailed information about the SA: part of the information about the IPsec policy is shown first, followed by the detailed information of the SAs in that IPsec policy.

The command with the duration parameter shows the global SA duration, including the time-based and the traffic-based SA duration. See the following examples.


Information of all the SAs will be shown when no parameter is specified.

Related command: reset ipsec sa, ipsec sa duration, display ipsec sa and display ipsec policy.

Example

# View brief information about all the SAs.

<SecBlade_VPN> display ipsec sa brief
Src Address Dst Address SPI Protocol Algorithm
10.1.1.1 10.1.1.2 300 ESP E:DES; A:HMAC-MD5-96
10.1.1.2 10.1.1.1 400 ESP E:DES; A:HMAC-MD5-96

Table 274 Brief information of IPsec SA

Field Description

Src Address Local IP address

Dst Address Remote IP address

SPI Security parameter index

Protocol Security protocol used by IPsec

Algorithm The authentication algorithm and encryption algorithm used by the security protocol. An entry beginning with "E" is the encryption algorithm, and an entry beginning with "A" is the authentication algorithm.

# View the global duration of SA.

[SecBlade_VPN] display ipsec sa duration
Ipsec sa global duration (traffic based): 1843200 kilobytes
Ipsec sa global duration (time based): 3600 seconds

# View information of all the SAs.

[SecBlade_VPN] display ipsec sa
===============================
Interface: GigabitEthernet0/0.1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "1"
sequence number: 1
mode: isakmp
-----------------------------
Created by: "Encrypt-card"
connection id: 5
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 2.1.1.1
remote address: 2.1.1.3
flow: (8 times matched)
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP
dest addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP
[inbound AH SAs]
spi: 1369228154 (0x519cc37a)
proposal: AH-SHA1HMAC96
sa remaining key duration (bytes/sec): 1887436256/3594
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[inbound ESP SAs]
spi: 2673492781 (0x9f5a432d)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436448/3594
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 1109683945 (0x42246ee9)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436256/3594
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
[outbound AH SAs]
spi: 3969283528 (0xec9675c8)
proposal: AH-SHA1HMAC96
sa remaining key duration (bytes/sec): 1887436160/3594
max sent sequence-number: 5
udp encapsulation used for nat traversal: N

Table 275 Description on the fields of the display ipsec sa command

Field Description

Interface Interface using IPsec policy

path MTU Maximum IP packet length sent from the interface

IPsec policy IPsec policy used, including name, sequence number and negotiation method

Created by "Encrypt-card" indicates that the data is encrypted by the encryption card; "Host" indicates that the data is encrypted by software.

connection id Security channel identifier

encapsulation mode IPsec mode, one of two types: transport mode and tunnel mode

perfect forward secrecy Whether the perfect forward secrecy (PFS) feature is enabled

tunnel local Local IP address

tunnel remote Remote IP address

sour addr Source address of the ACL referenced by the IPsec policy

dest addr Destination address of the ACL referenced by the IPsec policy

inbound SA information of the inbound end

transform Proposal used by the IPsec policy

sa remaining key duration Remaining duration of the SA

max received sequence-number Maximum sequence number of the received packets (the anti-replay function provided by the security protocol)

udp encapsulation used for nat traversal Whether IKE NAT traversal is used

outbound SA information of the outbound end

max sent sequence-number Maximum sequence number of the sent packets (the anti-replay function provided by the security protocol)


display ipsec statistics

Syntax

display ipsec statistics

View

Any view

Parameter

None

Description

Use the display ipsec statistics command to view the IPsec packet statistics information, including the input and output security packet statistics, bytes, number of packets discarded and detailed description of discarded packets.

Related command: reset ipsec statistics.

Example

# View IPsec packet statistics.

<SecBlade_VPN> display ipsec statistics
the security packet statistics:
input/output security packets: 5124/8231
input/output security bytes: 52348/64356
input/output dropped security packets: 0/0
dropped security packet detail:
no enough memory: 0
can't find SA: 0
queue is full: 0
authentication is failed: 0
wrong length: 0
replay packet: 0
too long packet: 0
wrong SA: 0

Table 276 Description on the fields of the display ipsec statistics command

Field Description

input/output security packets Input/output packets under the security protection

input/output security bytes Input/output bytes under the security protection

input/output dropped security packets Input/output packets under the security protection that were discarded by the security gateway

display ipsec tunnel

Syntax

display ipsec tunnel

View

Any view

Parameter

None

Description

Use the display ipsec tunnel command to display the information about IPsec tunnels.

Example

# Display the information about IPsec tunnels.

<SW8800> display ipsec tunnel
------------------------------------------------
Connection ID : 5
Perfect forward secrecy: None
SA's SPI :
Inbound : 1369228154 (0x519cc37a) [AH]
2673492781 (0x9f5a432d) [ESP]
Outbound : 1109683945 (0x42246ee9) [ESP]
3969283528 (0xec9675c8) [AH]
Tunnel :
Local Address: 2.1.1.1 Remote Address : 2.1.1.3
Flow : (8 times matched)
Sour Addr : 0.0.0.0/0.0.0.0 Port: 0 Protocol : IP
Dest Addr : 0.0.0.0/0.0.0.0 Port: 0 Protocol : IP

dpd

Syntax

dpd dpd-name

undo dpd

View

ike-peer view

Parameter

dpd-name: DPD structure name.

Description

Use the dpd command to specify a DPD structure for the IKE Peer.

Use the undo dpd command to remove the DPD structure for the IKE Peer.

The DPD structure specified for an IKE peer must already exist; otherwise an error is returned. When the dpd command is executed, the reference counter of the DPD structure is incremented by one; when the undo dpd command is executed, the reference counter of the DPD structure is decremented by one.

Related command: ike dpd.

Example

# Specify the DPD structure aaa for IKE Peer1.

[SecBlade_VPN-ike-peer-peer1] dpd aaa

# Remove the DPD structure used by IKE peer 1.

[SecBlade_VPN-ike-peer-peer1] undo dpd


encapsulation-mode

Syntax

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

View

IPsec proposal view

Parameter

transport: Sets that the encapsulation mode of IP packets is transport mode.

tunnel: Sets that the encapsulation mode of IP packets is tunnel mode.

Description

Use the encapsulation-mode command to set the encapsulation mode that the security protocol applies to IP packets, which can be transport or tunnel.

Use the undo encapsulation-mode command to restore it to the default.

By default, tunnel mode is used.

IPsec can encrypt and authenticate IP packets in two encapsulation modes: transport mode and tunnel mode. In transport mode, IPsec does not add a new IP header to the packet; the two ends of the security tunnel are the source and the destination of the original packet. In tunnel mode, IPsec protects the whole IP packet and adds a new IP header in front of it. The source and destination addresses of the new IP header are the IP addresses of the two ends of the tunnel.

Generally, tunnel mode is used between two security gateways (routers). A packet encrypted by one security gateway can only be decrypted by the other security gateway, so the IP packet must be encrypted in tunnel mode, that is, with a new IP header added; the packet encapsulated in tunnel mode is sent to the other security gateway, which decrypts it.

Transport mode is suitable for communication between two hosts, or between a host and a security gateway. In transport mode, the two devices that encrypt and decrypt the packets must be the original sender and receiver of those packets. Most of the data traffic between two security gateways is not the gateways' own traffic, so transport mode is rarely used between security gateways.

The proposal used by the IPsec policies set at both ends of the security tunnel must be set as having the same packet encapsulation mode.

Related command: ah authentication-algorithm, ipsec proposal, esp encryption-algorithm, esp authentication-algorithm, proposal, transform.

Example

# Set the proposal whose name is prop2 as using the transport mode to encapsulate IP packets.

[SecBlade_VPN] ipsec proposal prop2
[SecBlade_VPN-ipsec-proposal-prop2] encapsulation-mode transport

esp authentication-algorithm Syntax

esp authentication-algorithm { md5 | sha1 }

undo esp authentication-algorithm

View

IPsec proposal configuration view

Parameter

md5: Use the MD5 algorithm, with a 128-bit key.

sha1: Use the SHA1 algorithm, with a 160-bit key.

Description

Use the esp authentication-algorithm command to set the authentication algorithm used by ESP.

Use the undo esp authentication-algorithm command to set ESP not to authenticate packets.

By default, MD5 algorithm is used.

MD5 is faster than SHA1, while SHA1 is more secure than MD5.

ESP permits a packet to be encrypted or authenticated or both.

The ESP encryption algorithm and authentication algorithm cannot both be null at the same time.

The undo esp authentication-algorithm command does not restore the authentication algorithm to its default; it sets the authentication algorithm to null, that is, no authentication. The command is valid only when the encryption algorithm is not null.

The proposal used by the IPsec policies set at both ends of the security tunnel must be set as having the same authentication algorithm.

Related command: ipsec proposal, esp encryption-algorithm, proposal, sa encryption-hex, transform.

Example

# Set a proposal that adopts ESP, and uses SHA1.

[SecBlade_VPN] ipsec proposal prop1
[SecBlade_VPN-ipsec-proposal-prop1] transform esp
[SecBlade_VPN-ipsec-proposal-prop1] esp authentication-algorithm sha1

esp encryption-algorithm Syntax

esp encryption-algorithm { 3des | des | aes }

undo esp encryption-algorithm

View

IPsec proposal view

Parameter

des: Data Encryption Standard (DES), a widely used encryption algorithm with a 56-bit key.

3des: 3DES (Triple DES), another widely used encryption algorithm with a 168-bit key.

aes: AES (Advanced Encryption Standard), an encryption algorithm conforming to the IETF standards. Comware supports 128-, 192- and 256-bit keys.

Description

Use the esp encryption-algorithm command to set the encryption algorithm adopted by ESP.

Use the undo esp encryption-algorithm command to set the ESP not to encrypt packets.

By default, DES algorithm is used.

3DES meets the requirements of high confidentiality and security but is comparatively slow; DES satisfies normal security requirements.

ESP permits a packet to be encrypted or authenticated or both.

The ESP encryption method and authentication method cannot both be null at the same time. The undo esp encryption-algorithm command takes effect only if the authentication algorithm is not null.

Related command: ipsec proposal, esp authentication-algorithm, proposal, sa encryption-hex and transform.

Example

# Set ESP to use 3DES.

[SecBlade_VPN] ipsec proposal prop1
[SecBlade_VPN-ipsec-proposal-prop1] transform esp
[SecBlade_VPN-ipsec-proposal-prop1] esp encryption-algorithm 3des

ike dpd Syntax

ike dpd dpd-name

undo ike dpd dpd-name

View

System view

Parameter

dpd-name: Name of dead peer detection (DPD) structure.

Description

Use the ike dpd command to create a DPD structure and enter its view.

Use the undo ike dpd command to delete the specified DPD structure.

If a DPD structure has been referenced by an IKE peer, it cannot be deleted.

Related command: dpd.

Example

# Create a DPD structure named aaa.

[SecBlade_VPN] ike dpd aaa

# Delete the DPD structure named aaa.

[SecBlade_VPN] undo ike dpd aaa

interval_time Syntax

interval_time seconds

undo interval_time

View

DPD structure view

Parameter

seconds: Interval for triggering DPD queries, in the range 1 to 300 seconds.

Description

Use the interval_time command to configure the interval for triggering DPD query.

Use the undo interval_time command to restore the default.

By default, the interval is 10 seconds.

Example

# Set interval_time to 20 seconds.

[SecBlade_VPN-ike-dpd-aaa] interval_time 20

# Reset interval_time to 10 seconds.

[SecBlade_VPN-ike-dpd-aaa] undo interval_time

ipsec policy Syntax

ipsec policy policy-name

undo ipsec policy [ policy-name ]

View

Interface view

Parameter

policy-name: Specifies the name of an IPsec policy group applied at the interface. The IPsec policy group with name policy-name should be configured in system view.

Description

Use the ipsec policy (interface view) command to apply an IPsec policy group with the name policy-name at the interface.

Use the undo ipsec policy (interface view) command to remove the specified IPsec policy group, or all policy groups, from the interface, which disables the IPsec function of the interface.

At an interface, only one IPsec policy group can be applied. An IPsec policy group can be applied at multiple interfaces.

When a packet is sent from an interface, the IPsec policies in the group applied to that interface are examined in ascending order of sequence number. If the packet matches the access control list used by an IPsec policy, that policy is used to process the packet; otherwise the next policy is tried. If the packet matches none of the access control lists used by the IPsec policies, it is transmitted directly (that is, IPsec does not protect it).

To prevent any unencrypted packet from leaving the interface, use the firewall together with IPsec; the firewall is used to drop all packets that do not need to be encrypted.
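The lookup described above, as an added Python model that is not part of the guide: policies are tried in ascending sequence number, the first matching ACL wins, and a packet matching nothing leaves in clear text unless a firewall drops it. The source/destination prefix pair standing in for each policy's security acl, and the policy group pg1 itself, are constructed.

```python
"""Model of how an interface applies an IPsec policy group.

Added example, not part of the 3Com guide. It mirrors the lookup the
guide describes for ipsec policy (interface view): policies of the group
are tried in ascending sequence number, the first whose ACL matches
processes the packet, and a packet matching none leaves in clear text.
The ACL is simplified to a constructed source/destination prefix pair
standing in for the policy's security acl.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Policy:
    group: str      # IPsec policy group name, e.g. "pg1"
    seq: int        # sequence number 1..10000; smaller = higher preference
    src_net: str    # constructed stand-in for the security acl
    dst_net: str

    def acl_permits(self, pkt: Packet) -> bool:
        """True when the packet falls inside the policy's protected traffic."""
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


def select_policy(group: List[Policy], pkt: Packet) -> Optional[Policy]:
    """First policy, in ascending seq order, whose ACL matches; None if no match."""
    for pol in sorted(group, key=lambda p: p.seq):
        if pol.acl_permits(pkt):
            return pol
    return None


def outbound_decision(group: List[Policy], pkt: Packet,
                      drop_unmatched: bool = False) -> Tuple[str, Optional[int]]:
    """What the interface does with an outbound packet.

    drop_unmatched models the firewall the guide recommends alongside
    IPsec so that nothing leaves the interface unencrypted.
    """
    pol = select_policy(group, pkt)
    if pol is not None:
        return ("ipsec", pol.seq)
    return ("drop", None) if drop_unmatched else ("cleartext", None)


def cleartext_leaks(group: List[Policy], packets: List[Packet]) -> List[Packet]:
    """Packets that would leave unprotected when no firewall is in place."""
    return [p for p in packets if outbound_decision(group, p)[0] == "cleartext"]


# Constructed policy group "pg1": entry 10 is tried before entry 20 even
# though it is listed second.
PG1 = [
    Policy("pg1", 20, "10.1.0.0/16", "10.2.0.0/16"),
    Policy("pg1", 10, "10.1.1.0/24", "10.2.1.0/24"),
]

if __name__ == "__main__":
    sample = [Packet("10.1.1.5", "10.2.1.9"),     # matches 10 and 20 -> 10 wins
              Packet("10.1.9.5", "10.2.3.9"),     # matches only 20
              Packet("192.168.0.7", "10.2.1.9")]  # matches nothing
    for p in sample:
        print(p, outbound_decision(PG1, p))
    print("unprotected:", cleartext_leaks(PG1, sample))
```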

Related command: ipsec policy (system view).

Example

# Apply an IPsec policy group whose name is pg1 to the interface GigabitEthernet0/0.1.

[SecBlade_VPN] interface GigabitEthernet0/0.1
[SecBlade_VPN-GigabitEthernet0/0.1] ipsec policy pg1

ipsec policy Syntax

ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

undo ipsec policy policy-name [ seq-number ]

View

System view

Parameter

policy-name: Name of the IPsec policy. The name is 1 to 15 characters long, case insensitive, may contain letters and digits, and cannot include "-".

seq-number: Sequence number of the IPsec policy, in the range 1 to 10000; a smaller value indicates a higher priority.

manual: Sets up SA manually.

isakmp: Sets up SA through IKE negotiation.

template: Dynamically sets up the SA by using a policy template. The IPsec policy named policy-name references the existing policy template named template-name.

template-name: Name of the template.

Description

Use the ipsec policy command to establish or modify an IPsec policy, and enter IPsec policy view.

Use the undo ipsec policy policy-name command to delete an IPsec policy group whose name is policy-name.

Use the undo ipsec policy policy-name seq-number command to delete an IPsec policy whose name is policy-name and sequence number is seq-number.

By default, no IPsec policy exists.

To establish an IPsec policy, it is necessary to specify the negotiation mode (manual or isakmp). To modify the IPsec policy, it is not necessary to specify a negotiation mode.

Once an IPsec policy is established, its negotiation mode cannot be modified. For example, an IPsec policy established in manual mode cannot be changed to isakmp mode; the policy must be deleted and then recreated, if appropriate, with isakmp as the negotiation mode.

IPsec policies with the same name constitute an IPsec policy group. The name and sequence number together identify a unique IPsec policy. An IPsec policy group can hold at most 500 IPsec policies. Within a group, the smaller the sequence number of an IPsec policy, the higher its preference. Applying an IPsec policy group at an interface applies all IPsec policies in the group simultaneously, so that different data streams can be protected by different SAs.

Use the ipsec policy policy-name seq-number isakmp template template-name command to establish an IPsec policy according to the template through IKE negotiation. The template must have been created before this command is used. During negotiation and policy matching, the parameters defined in the template must match; the other parameters are decided by the initiator. The proposal must be defined in the policy template; the other parameters are optional.

Note that IKE does not use a policy with a template argument to initiate a negotiation; it uses such a policy only to respond to a negotiation initiated by its peer.

Related command: ipsec policy (interface view), security acl, tunnel local, tunnel remote, sa duration, proposal, display ipsec policy, ipsec policy-template, ike-peer.

Example

# Set an IPsec policy whose name is newpolicy1, sequence number is 100, and negotiation mode is isakmp.

[SecBlade_VPN] ipsec policy newpolicy1 100 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-newpolicy1-100]

ipsec policy-template Syntax

ipsec policy-template template-name seq-number

undo ipsec policy-template template-name [ seq-number ]

View

System view

Parameter

template-name: Name of the IPsec policy template, an alphanumeric string of 1 to 15 characters, case insensitive, excluding minus signs (-).

seq-number: Number of the IPsec policy template, in the range 1 to 10000. In one IPsec policy template group, the smaller the serial number of an IPsec policy template, the higher its preference.

Description

Use the ipsec policy-template command to establish or modify an IPsec policy template, and enter IPsec policy template view.

Use the undo ipsec policy-template template-name command to delete the IPsec policy template group named template-name.

Use the undo ipsec policy-template template-name seq-number command to delete the IPsec policy template with the name of template-name and the serial number of seq-number.

By default, no IPsec policy template exists.

A policy template that has been created with the name of template-name can be referenced by the ipsec policy policy-name seq-number isakmp template template-name command to create an IPsec policy.

The IPsec policy template and the IPsec policy of ISAKMP negotiation share the same kinds of arguments, including the referenced IPsec proposal, the protected traffic, the PFS feature, the lifetime, and the address of the remote tunnel end. Note, however, that the proposal argument must be configured whereas the other arguments are optional. If an IPsec policy template is used for the policy match in an IKE negotiation, the configured arguments must match, and the initiator's settings are used for any arguments that have not been configured.

Related command: ipsec policy, security acl, tunnel local, tunnel remote, proposal, display ipsec policy, ike-peer.

Example

# Establish an IPsec policy template with the name of template1 and the serial number of 100.

[SecBlade_VPN] ipsec policy-template template1 100
[SecBlade_VPN-ipsec-policy-template-template1-100]

ipsec proposal Syntax

ipsec proposal proposal-name

undo ipsec proposal proposal-name

View

System view

Parameter

proposal-name: Name of the proposal, 1 to 15 characters long, case insensitive.

Description

Use the ipsec proposal proposal-name command to establish or modify a proposal named proposal-name, and enter IPsec proposal view.

Use the undo ipsec proposal proposal-name command to delete the proposal named proposal-name.

By default, no proposal exists.

A proposal is a combination of the security protocol, the encryption and authentication algorithms, and the packet encapsulation mode used to implement IPsec protection.

An IPsec policy determines the protocol, algorithms and encapsulation mode to adopt by referencing a proposal. The proposal must already exist before the IPsec policy references it.

After a new IPsec proposal is established with the ipsec proposal command, it uses the ESP protocol, the DES encryption algorithm and the MD5 authentication algorithm by default.

Related command: ah authentication-algorithm, esp encryption-algorithm, esp authentication-algorithm, encapsulation-mode, proposal, display ipsec proposal and transform.

Example

# Establish a proposal named newprop1.

[SecBlade_VPN] ipsec proposal newprop1

ipsec sa global-duration Syntax

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-duration { time-based | traffic-based }

View

System view

Parameter

time-based seconds: Time-based global SA duration in seconds, in the range 30 to 604800. The default is 3600 seconds (1 hour).

traffic-based kilobytes: Traffic-based global SA duration in kilobytes, in the range 256 to 4194303. The default is 1843200 kilobytes; when the traffic reaches this value, the duration expires.

Description

Use the ipsec sa global-duration command to set a global SA duration.

Use the undo ipsec sa global-duration command to restore to the default setting of the global SA duration.

When IKE negotiates to establish an SA, if the IPsec policy in use has no duration of its own, the system uses the global SA duration set by this command to negotiate with the peer; if the policy has its own duration, that duration is used instead. When IKE negotiates an SA for IPsec, the shorter of the lifetime set locally and the lifetime proposed by the remote end is selected.

There are two types of SA duration: time-based (in seconds) and traffic-based (in kilobytes). With a traffic-based duration, the validity of the SA is measured by the total traffic the SA may process, and the SA becomes invalid when the set value is exceeded. Whichever of the two limits is reached first invalidates the SA. Before the SA is about to expire, IKE negotiates a new SA for IPsec, so that a new SA is ready before the existing one becomes invalid.

Modifying the global SA duration does not affect a policy that has its own SA duration, or an SA that is already set up. The modified global SA duration is used to set up new SAs in future IKE negotiations.

The SA duration does not apply to an SA set up manually; such an SA is never invalidated.

Related command: sa duration and display ipsec sa duration.

Example

# Set the global SA duration to 2 hours.

[SecBlade_VPN] ipsec sa global-duration time-based 7200

# Set the global SA duration to 10M bytes transmitted.

[SecBlade_VPN] ipsec sa global-duration traffic-based 10000

pfs Syntax

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }

undo pfs

View

IPsec policy view, IPsec policy template view

Parameter

dh-group1: Specifies that the 768-bit Diffie-Hellman group is used.

dh-group2: Specifies that the 1024-bit Diffie-Hellman group is used.

dh-group5: Specifies that the 1536-bit Diffie-Hellman group is used.

dh-group14: Specifies that the 2048-bit Diffie-Hellman group is used.

Description

Use the pfs command to set the Perfect Forward Secrecy (PFS) feature for the IPsec policy to initiate the negotiation.

Use the undo pfs command to set not to use the PFS feature during the negotiation.

By default, no PFS feature is used.

The command is used to add a PFS exchange process when IPsec uses the IPsec policy to initiate a negotiation. This additional key exchange is performed during the phase 2 negotiation so as to enhance the communication safety. The DH group specified by the local and remote ends must be consistent, otherwise the negotiation will fail.

This command can be used only when the SA is established through IKE negotiation.

Related command: ipsec policy-template, ipsec policy (system view), ipsec policy (interface view), tunnel local, tunnel remote, sa duration and proposal.

Example

# Set that PFS must be used when negotiating through IPsec policy shanghai 200.

[SecBlade_VPN] ipsec policy shanghai 200 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-shanghai-200] pfs dh-group1

proposal Syntax

proposal proposal-name1 [ proposal-name2...proposal-name6 ]

undo proposal [ proposal-name ]

View

IPsec policy view, IPsec policy template view

Parameter

proposal-name1,..., proposal-name6: Name of the proposals adopted.

Description

Use the proposal command to set the proposal used by the IPsec policy.

Use the undo proposal command to cancel the proposal used by the IPsec policy.

By default, no proposal is used.

Before using this command, the corresponding IPsec proposal must have been configured.

If set up in manual mode, an SA can use only one proposal. If a proposal is already set, it must be deleted with the undo proposal command before a new one can be set.

If set up in isakmp mode, an SA can use at most six proposals. IKE negotiation searches for a proposal that matches completely at both ends of the security tunnel.

An IPsec policy template can likewise use at most six proposals, and IKE negotiation searches for the completely matching proposal.

Related command: ipsec proposal, ipsec policy (system view), ipsec policy (interface view), security acl, tunnel local and tunnel remote.

Example

# Set a proposal named prop1 that adopts ESP with the default algorithms, and set an IPsec policy to use the proposal prop1.

[SecBlade_VPN] ipsec proposal prop1
[SecBlade_VPN-ipsec-proposal-prop1] transform esp
[SecBlade_VPN-ipsec-proposal-prop1] quit
[SecBlade_VPN] ipsec policy policy1 100 manual
[SecBlade_VPN-ipsec-policy-manual-policy1-100] proposal prop1

reset ipsec sa Syntax

reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ]

View

User view

Parameter

remote ip-address: Specifies remote address, in dotted decimal format.

policy: Specifies the IPsec policy.

policy-name: Specifies the name of the IPsec policy. The name is 1 to 15 characters long, case sensitive, and may contain letters and digits.

seq-number: Optional parameter specifying the serial number of the IPsec policy. If no seq-number is specified, the IPsec policy refers to all the policies in the IPsec policy group named policy-name.

parameters: Defines a Security Association (SA) by the destination address, security protocol and SPI.

ip-address: Specifies the destination address in the dotted decimal IP address format.

protocol: Specifies the security protocol by inputting the key word ah or esp, case insensitive. ah indicates the Authentication Header protocol and esp indicates Encapsulating Security Payload.

spi-number: Specifies the security parameter index (SPI), in the range 256 to 4294967295.

Description

Use the reset ipsec sa command to delete an SA that has already been set up (manually or through IKE negotiation). If no parameter (remote, policy, parameters) is specified, all SAs are deleted.

An SA is uniquely identified by the triplet of IP address, security protocol and SPI. An SA can be set up either manually or through Internet Key Exchange (IKE) negotiation.

If an SA set up manually is deleted, the system automatically sets up a new SA according to the manually configured parameters.

If a packet re-triggers IKE negotiation after an SA set up through IKE negotiation has been deleted, IKE re-establishes the SA through negotiation.

The parameters keyword takes effect only after the SPI of the outbound SA is defined. Because SAs appear in pairs, deleting the outbound SA also deletes the inbound SA.

Related command: display ipsec sa.

Example

# Delete all the SAs.

<SecBlade_VPN> reset ipsec sa

# Delete an SA whose remote IP address is 10.1.1.2.

<SecBlade_VPN> reset ipsec sa remote 10.1.1.2

# Delete all the SAs in policy1.

<SecBlade_VPN> reset ipsec sa policy policy1

# Delete the SA of the IPsec policy with the name policy1 and the serial number 10.

<SecBlade_VPN> reset ipsec sa policy policy1 10

# Delete an SA whose remote IP address is 10.1.1.2, security protocol is AH, and SPI is 10000.

<SecBlade_VPN> reset ipsec sa parameters 10.1.1.2 ah 10000

reset ipsec statistics Syntax

reset ipsec statistics

View

User view

Parameter

None

Description

Use the reset ipsec statistics command to clear IPsec message statistics, and set all the statistics to zero.

Related command: display ipsec statistics.

Example

# Clear IPsec message statistics.

<SecBlade_VPN> reset ipsec statistics

sa authentication-hex Syntax

sa authentication-hex { inbound | outbound } { ah | esp } hex-key

undo sa authentication-hex { inbound | outbound } { ah | esp }

View

Manually-established IPsec policy view

Parameter

inbound: Configures the authentication-hex parameter for the inbound SA. IPsec uses the inbound SA for processing the packet in the inbound direction (received).

outbound: Configures the authentication-hex parameter for the outbound SA. IPsec uses the outbound SA for processing the packet in the outbound direction (sent).

ah: Sets the authentication-hex parameter for the SA using AH. If the IPsec proposal used by the IPsec policy adopts AH, the ah key word is used here to set the AH relevant parameter of the SA.

esp: Sets the authentication-hex parameter for the SA using ESP. If the IPsec proposal used by the IPsec policy adopts ESP, the esp key word is used here to set the ESP relevant parameter of the SA.

hex-key: Specifies a key for the SA input in the hex format. If MD5 is used, then input a 16-byte key; if SHA1 is used, input a 20-byte key.

Description

Use the sa authentication-hex command to set the SA authentication key manually for the IPsec policy of manual mode.

Use the undo sa authentication-hex command to delete the SA authentication key already set.

This command is only used for the IPsec policy in manual mode.

For an IPsec policy in isakmp mode, it is unnecessary to set the SA parameters manually; IKE negotiates the SA parameters and establishes the SA automatically.

When configuring an SA in manual mode, the SA parameters of the inbound and outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must match completely. The SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and the SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

The key can be entered in two ways: as a hex string or as a character string. If both a character-string key and a hex-string key are set, the one set last is adopted. Both ends of a security tunnel must enter the key in the same way; if one end enters it as a character string and the other as hex, the security tunnel cannot be set up correctly.

Related command: ipsec policy (system view), ipsec policy (interface view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example

# In an IPsec policy using AH and MD5, set the SPI of the inbound SA to 10000 and its key to 0x112233445566778899aabbccddeeff00; set the SPI of the outbound SA to 20000 and its key to 0xaabbccddeeff001100aabbccddeeff00.

[SecBlade_VPN] ipsec proposal prop_ah
[SecBlade_VPN-ipsec-proposal-prop_ah] transform ah
[SecBlade_VPN-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[SecBlade_VPN-ipsec-proposal-prop_ah] quit
[SecBlade_VPN] ipsec policy tianjin 100 manual
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_ah
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00

sa duration Syntax

sa duration { traffic-based kilobytes | time-based seconds }

undo sa duration { traffic-based | time-based }

View

IPsec policy view, IPsec policy template view

Parameter

time-based seconds: Time-based SA duration in seconds, in the range 30 to 604800. The default is 3600 seconds (1 hour).

traffic-based kilobytes: Traffic-based SA duration in kilobytes, in the range 256 to 4194303. The default is 1843200 kilobytes.

Description

Use the sa duration command to set the SA duration of the IPsec policy.

Use the undo sa duration command to cancel the SA duration, that is, to restore use of the global SA duration.

When IKE negotiates to establish an SA, if the IPsec policy in use has no duration of its own, the system uses the global SA duration to negotiate with the peer; if the policy has its own duration, that duration is used instead. When IKE negotiates an SA for IPsec, the shorter of the lifetime set locally and the lifetime proposed by the remote end is selected.

There are two types of SA duration: time-based (in seconds) and traffic-based (in kilobytes). With a traffic-based duration, the validity of the SA is measured by the total traffic the SA may process, and the SA becomes invalid when the set value is exceeded. Whichever of the two limits is reached first invalidates the SA. Before the SA is about to expire, IKE negotiates a new SA for IPsec, so that a new SA is ready before the existing one becomes invalid.

The SA duration does not apply to an SA set up manually; such an SA is never invalidated.
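The lifetime rules described for sa duration and ipsec sa global-duration, as an added Python model that is not part of the guide: a policy's own duration overrides the global one, IKE keeps the shorter of the local and peer-proposed lifetime on each axis, the SA expires when either limit is reached, and a manual SA never expires. The rekey margin is an assumption, since the guide only says a replacement SA is negotiated before the current one expires.

```python
"""Lifetime rules for IKE-negotiated IPsec SAs.

Added example, not from the guide. It models the rules given for
sa duration and ipsec sa global-duration: a policy's own duration
overrides the global one, IKE keeps the shorter of the local and the
peer-proposed lifetime, the SA expires when either the time or the
traffic limit is reached, and a manually configured SA never expires.
The margin used by rekey_due is an assumption: the guide only says a
replacement SA is negotiated before the current one expires.
"""
from dataclasses import dataclass
from typing import Optional

# Defaults quoted by the guide for the global SA duration
GLOBAL_TIME_S = 3600
GLOBAL_TRAFFIC_KB = 1843200
REKEY_MARGIN = 0.1   # assumed: renegotiate with 10% of either limit left


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


def effective_local(policy_time: Optional[int], policy_traffic: Optional[int],
                    global_time: int = GLOBAL_TIME_S,
                    global_traffic: int = GLOBAL_TRAFFIC_KB) -> Lifetime:
    """Policy-level sa duration wins; each limit falls back to the global one."""
    return Lifetime(global_time if policy_time is None else policy_time,
                    global_traffic if policy_traffic is None else policy_traffic)


def negotiate(local: Lifetime, peer: Lifetime) -> Lifetime:
    """IKE selects the shorter lifetime on each axis independently."""
    return Lifetime(min(local.seconds, peer.seconds),
                    min(local.kilobytes, peer.kilobytes))


@dataclass
class SA:
    lifetime: Optional[Lifetime]   # None for an SA set up manually
    age_s: int = 0
    kb_done: int = 0

    def account(self, seconds: int, kilobytes: int) -> None:
        """Record elapsed time and traffic processed by this SA."""
        self.age_s += seconds
        self.kb_done += kilobytes

    def expired(self) -> bool:
        """Either limit reached invalidates the SA; manual SAs never expire."""
        if self.lifetime is None:
            return False
        return (self.age_s >= self.lifetime.seconds
                or self.kb_done >= self.lifetime.kilobytes)

    def rekey_due(self, margin: float = REKEY_MARGIN) -> bool:
        """Assumed policy: start negotiating a new SA inside the margin."""
        if self.lifetime is None:
            return False
        return (self.age_s >= self.lifetime.seconds * (1 - margin)
                or self.kb_done >= self.lifetime.kilobytes * (1 - margin))


if __name__ == "__main__":
    local = effective_local(7200, None)          # sa duration time-based 7200
    peer = Lifetime(3600, 20000)                 # constructed peer proposal
    sa = SA(negotiate(local, peer))
    sa.account(3300, 17000)
    print(sa.lifetime, "rekey:", sa.rekey_due(), "expired:", sa.expired())
```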

Related command: ipsec sa global-duration, ipsec policy (system view), ipsec policy (interface view), security acl, tunnel local, tunnel remote and proposal.

Example

# Set the SA duration for the IPsec policy shenzhen 100 to 2 hours, that is, 7200 seconds.

[SecBlade_VPN] ipsec policy shenzhen 100 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-shenzhen-100] sa duration time-based 7200

# Set the SA duration for the IPsec policy shenzhen 100 to 20M bytes, that is, the SA expires when the traffic exceeds 20000 kilobytes.

[SecBlade_VPN] ipsec policy shenzhen 100 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-shenzhen-100] sa duration traffic-based 20000

sa encryption-hex Syntax

sa encryption-hex { inbound | outbound } esp hex-key

undo sa encryption-hex { inbound | outbound } esp

View

Manually-established IPsec policy view

Parameter

inbound: Sets the encryption-hex parameter for the inbound SA. IPsec uses the inbound SA for processing the packet in the inbound direction (received).

outbound: Sets the encryption-hex parameter for outbound SA. IPsec uses the outbound SA for processing the packet in the outbound direction (sent).

esp: Sets the encryption-hex parameter for the SA using ESP. If the IPsec proposal used by the IPsec policy adopts ESP, the esp key word is used here to set the ESP relevant parameter of the SA.

hex-key: Specifies the SA key, entered in hex format. For ESP, enter an 8-byte key if DES is used, or a 24-byte key if 3DES is used.

Description

Use the sa encryption-hex command to set the SA encryption key manually for the IPsec policy of manual mode.

Use the undo sa encryption-hex command to delete the SA parameter already set.

This command is used only for an IPsec policy in manual mode, to set the SA parameters manually and establish the SA manually.

For an IPsec policy in isakmp mode, the SA parameters need not be set manually and this command is invalid; IKE negotiates the SA parameters and establishes the SA automatically.

When configuring an SA in manual mode, the SA parameters of the inbound and outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must match completely. The SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and the SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

Related command: ipsec policy (system view), ipsec policy (interface view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example

# Set the SPI of the inbound SA to 10000, and the key to 0x1234567890abcdef; set the SPI of the outbound SA to 20000, and its key to 0xabcdefabcdef1234 in the IPsec policy using ESP and DES.

[SecBlade_VPN] ipsec proposal prop_esp
[SecBlade_VPN-ipsec-proposal-prop_esp] transform esp
[SecBlade_VPN-ipsec-proposal-prop_esp] esp encryption-algorithm des
[SecBlade_VPN-ipsec-proposal-prop_esp] quit
[SecBlade_VPN] ipsec policy tianjin 100 manual
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_esp
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound esp 10000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa encryption-hex inbound esp 1234567890abcdef
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound esp 20000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa encryption-hex outbound esp abcdefabcdef1234

sa spi Syntax

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

View

Manually-established IPsec policy view

Parameter

inbound: Sets the spi parameter for the inbound SA. IPsec uses the inbound SA for processing the packet in the inbound direction (received).

outbound: Sets the spi parameter for outbound SA. IPsec uses the outbound SA for processing the packet in the outbound direction (sent).

ah: Sets the spi parameter for the SA using AH. If the IPsec proposal used by the IPsec policy adopts AH, the ah keyword is used here to set the SPI of the AH SA.

esp: Sets the spi parameter for the SA using ESP. If the IPsec proposal used by the IPsec policy adopts ESP, the esp keyword is used here to set the SPI of the ESP SA.

spi-number: Security Parameter Index (SPI) in the triplet that identifies the SA, in the range 256 to 4294967295. The triplet identifying the SA, consisting of the SPI, the destination address and the protocol number, must be unique.

Description

Use the sa spi command to set the SA SPI manually for the IPsec policy of manual mode.

Use the undo sa spi command to delete the SA SPI already set.

This command is only used for the IPsec policy in manual mode. It is used to set the SA parameter manually and establish a SA manually.

For the IPsec policy in isakmp mode, it is unnecessary to set the SA parameter manually, and this command is invalid. IKE will automatically negotiate the SA parameter and establish a SA.

When configuring the SA of manual mode, the SA parameters of inbound and outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must match exactly. The SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and the SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.


Related command: ipsec policy (system view), ipsec policy (interface view), security acl , tunnel local, tunnel remote, sa duration and proposal.

Example

# Set the SPI of the inbound SA to 10000 and the SPI of the outbound SA to 20000 in the IPsec policy using AH and MD5.

[SecBlade_VPN] ipsec proposal prop_ah
[SecBlade_VPN-ipsec-proposal-prop_ah] transform ah
[SecBlade_VPN-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[SecBlade_VPN-ipsec-proposal-prop_ah] quit
[SecBlade_VPN] ipsec policy tianjin 100 manual
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_ah
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000

sa string-key Syntax

sa string-key { inbound | outbound } { ah | esp } string-key

undo sa string-key { inbound | outbound } { ah | esp }

View

Manually-established IPsec policy view

Parameter

inbound: Sets the string-key parameter for the inbound SA. IPsec uses the inbound SA for processing the packet in the inbound direction (received).

outbound: Sets the string-key parameter for the outbound SA. IPsec uses the outbound SA for processing the packet in the outbound direction (sent).

ah: Sets the string-key parameter for the SA using AH. If the IPsec proposal used by the IPsec policy adopts AH, the ah keyword is used here to set the string key of the AH SA.

esp: Sets the string-key parameter for the SA using ESP. If the IPsec proposal used by the IPsec policy adopts ESP, the esp keyword is used here to set the string key of the ESP SA.

string-key: Specifies the key for an SA as a character string of 1 to 256 characters. For any algorithm you can enter a character string of any length in that range, and the system automatically derives keys meeting the algorithm's requirements from the string. For ESP, the system derives the key for the authentication algorithm and the key for the encryption algorithm from the same string at the same time.

Description

Use the sa string-key command to set the SA parameter manually for the IPsec policy of manual mode.

Use the undo sa string-key command to delete the SA parameter already set.

This command is only used for the IPsec policy in manual mode. It is used to set the SA parameter manually and establish a SA manually.


For the IPsec policy in isakmp mode, it is unnecessary to set the SA parameter manually, and this command is invalid. IKE will automatically negotiate the SA parameter and establish a SA.

When configuring the SA of manual mode, the SA parameters of inbound and outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must match exactly. The SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and the SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

There are two methods for entering the key: hex and character string. To enter a hexadecimal key, use the sa authentication-hex command. If both a character string key and a hex key are set, the one set last takes effect. The key must be entered by the same method at both ends of a security tunnel: if it is entered as a character string at one end and in hex at the other, the security tunnel cannot be set up correctly.

Related command: ipsec policy(system view), ipsec policy(interface view), security acl , tunnel local, tunnel remote, sa duration, proposal.

Example

# Set the SPI of the inbound SA to 10000 and its key string to abcdef; set the SPI of the outbound SA to 20000 and its key string to efcdab in the IPsec policy using AH and MD5.

[SecBlade_VPN] ipsec proposal prop_ah
[SecBlade_VPN-ipsec-proposal-prop_ah] transform ah
[SecBlade_VPN-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[SecBlade_VPN-ipsec-proposal-prop_ah] quit
[SecBlade_VPN] ipsec policy tianjin 100 manual
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_ah
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa string-key inbound ah abcdef
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa string-key outbound ah efcdab
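The following added example (Python; not code from 3Com or from this guide) turns the manual-SA rules stated in the sa spi, sa encryption-hex and sa string-key sections into checks that can be run against both ends' intended settings before they are typed in: the ESP hex key must be 8 bytes for DES or 24 bytes for 3DES, the SPI must lie in 256 to 4294967295, the (SPI, destination, protocol) triplet must be unique, both ends must use the same key input method, and the local inbound SA must equal the remote outbound SA and vice versa. The dict layout describing one end of the tunnel and the sample values (borrowed from the sa encryption-hex example) are assumptions made for illustration.

```python
"""Consistency checks for manually keyed IPsec SAs, following the rules
given for sa spi, sa encryption-hex and sa string-key in this chapter.

Added example, not 3Com code. The dict layout describing each end of
the tunnel is an assumption made for illustration."""

# Key lengths in bytes that sa encryption-hex requires for ESP (from the text).
ESP_HEX_KEY_BYTES = {"des": 8, "3des": 24}
SPI_MIN, SPI_MAX = 256, 4294967295          # sa spi range from the text


def check_hex_key(hex_key, algorithm):
    """Problems with a hex-format ESP key for the given algorithm ([] = ok)."""
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        return ["key %r is not valid hexadecimal" % hex_key]
    want = ESP_HEX_KEY_BYTES.get(algorithm)
    if want is None:
        return ["unknown ESP encryption algorithm %r" % algorithm]
    if len(raw) != want:
        return ["%s needs a %d-byte key, got %d bytes" % (algorithm, want, len(raw))]
    return []


def check_spi(spi):
    """Problems with an SPI value ([] = ok)."""
    if SPI_MIN <= spi <= SPI_MAX:
        return []
    return ["SPI %d outside %d..%d" % (spi, SPI_MIN, SPI_MAX)]


def duplicate_triplets(sas):
    """Return (spi, destination, protocol) triplets that occur more than once.
    The text requires this triplet to be unique per SA."""
    seen, dups = set(), []
    for triplet in sas:
        if triplet in seen and triplet not in dups:
            dups.append(triplet)
        seen.add(triplet)
    return dups


def check_tunnel(local, remote):
    """Cross-check both ends of a manual tunnel.

    Each end is a dict (assumed layout):
      {'algorithm': 'des' | '3des',
       'inbound':  {'spi': int, 'key': str, 'method': 'hex' | 'string'},
       'outbound': {'spi': int, 'key': str, 'method': 'hex' | 'string'}}
    """
    problems = []
    # Per-end checks: SPI range and, for hex keys, the key length.
    for name, end in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            sa = end[direction]
            found = check_spi(sa["spi"])
            if sa["method"] == "hex":
                found += check_hex_key(sa["key"], end["algorithm"])
            problems += ["%s %s: %s" % (name, direction, p) for p in found]
    # Cross checks: what the local end receives on is what the remote end
    # sends on, and vice versa; both must also use the same input method.
    for l_dir, r_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        l_sa, r_sa = local[l_dir], remote[r_dir]
        if l_sa["method"] != r_sa["method"]:
            problems.append("local %s keyed by %s but remote %s keyed by %s"
                            % (l_dir, l_sa["method"], r_dir, r_sa["method"]))
        if l_sa["spi"] != r_sa["spi"]:
            problems.append("SPI mismatch: local %s %d vs remote %s %d"
                            % (l_dir, l_sa["spi"], r_dir, r_sa["spi"]))
        if l_sa["key"] != r_sa["key"]:
            problems.append("key mismatch: local %s vs remote %s" % (l_dir, r_dir))
    return problems


# Constructed sample mirroring the sa encryption-hex example in this chapter.
LOCAL = {"algorithm": "des",
         "inbound":  {"spi": 10000, "key": "1234567890abcdef", "method": "hex"},
         "outbound": {"spi": 20000, "key": "abcdefabcdef1234", "method": "hex"}}
# A correctly mirrored remote end: its outbound SA is our inbound SA.
REMOTE_OK = {"algorithm": "des",
             "inbound":  LOCAL["outbound"],
             "outbound": LOCAL["inbound"]}
# A remote end that copied the local settings verbatim instead of mirroring them.
REMOTE_COPIED = {"algorithm": "des",
                 "inbound":  LOCAL["inbound"],
                 "outbound": LOCAL["outbound"]}

if __name__ == "__main__":
    print("mirrored remote:", check_tunnel(LOCAL, REMOTE_OK))
    for problem in check_tunnel(LOCAL, REMOTE_COPIED):
        print("copied remote:", problem)
```

Running the block as a script reports no problems for the mirrored remote end and four for the copied one (an SPI and a key mismatch in each direction), which is the most common way a manual tunnel fails to come up.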

security acl Syntax

security acl acl-number

undo security acl

View

IPsec policy view, IPsec policy template view

Parameter

acl-number: Specifies the number of the access control list used by the IPsec policy, in the range 3000 to 3999.

Description

Use the security acl command to set an access control list to be used by the IPsec policy.


Use the undo security acl command to remove the access control list used by the IPsec policy.

By default, no ACL has been specified for the IPsec policies.

The data flow that will be protected by the IPsec policy is confined by the ACL in this command. According to the rules in the ACL, IPsec determines which packets need security protection and which do not. The packet permitted by the access control list will be protected, and a packet denied by the access control list will not be protected. The denied packets are sent out directly without IPsec protection.

Related command: ipsec policy (system view), ipsec policy (interface view), tunnel local, tunnel remote, sa duration, proposal.

Example

# Set the IPsec policy as using access control list 3001.

[SecBlade_VPN] acl number 3001
[SecBlade_VPN-acl-adv-3001] rule permit tcp source 10.1.1.1 0.0.0.255 destination 10.1.1.2 0.0.0.255
[SecBlade_VPN-acl-adv-3001] quit
[SecBlade_VPN] ipsec policy beijing 100 manual
[SecBlade_VPN-ipsec-policy-manual-beijing-100] security acl 3001

time_out Syntax

time_out seconds

undo time_out

View

DPD structure view

Parameter

seconds: Time waiting for a DPD acknowledgement, in the range 1 to 60 seconds.

Description

Use the time_out command to configure the time waiting for a DPD acknowledgement.

Use the undo time_out command to restore the default.

By default, the DPD acknowledgement timeout duration is 5 seconds.

Example

# Set time_out to two seconds.

[SecBlade_VPN-ike-dpd-aaa] time_out 2

# Reset time_out to five seconds.

[SecBlade_VPN-ike-dpd-aaa] undo time_out

transform Syntax

transform { ah | ah-esp | esp }


undo transform

View

IPsec proposal view

Parameter

ah: Uses AH protocol specified in RFC2402.

ah-esp: Uses ESP specified in RFC2406 to protect the packets and then uses the AH protocol specified in RFC2402 to authenticate them.

esp: Uses ESP specified in RFC2406.

Description

Use the transform command to set a security protocol used by a proposal.

Use the undo transform command to restore the default security protocol.

By default, esp, that is, the ESP specified in RFC2406 is used.

If ESP is adopted, the default encryption algorithm is DES and the authentication algorithm is MD5.

If AH is adopted, the default authentication algorithm is MD5.

If the parameter ah-esp is specified, the default authentication algorithm for AH is MD5 and the default encryption algorithm for ESP is DES without authentication.

The AH protocol provides data origin authentication, data integrity checking and anti-replay protection.

The ESP protocol provides data origin authentication, data integrity checking, anti-replay protection and data encryption.

While establishing a SA manually, the proposals used by the IPsec policy set at both ends of the security tunnel must be set as using the same security protocol.

The following figure illustrates the data encapsulation formats of different security protocols in the transport mode and the tunnel mode.

Figure 52 Data encapsulation formats of security protocols

"data" in the figure is the original IP datagram.


Related command: ah authentication-algorithm, ipsec proposal, esp encryption-algorithm, esp authentication-algorithm, encapsulation-mode and proposal.

Example

# Set a proposal using AH.

[SecBlade_VPN] ipsec proposal prop1
[SecBlade_VPN-ipsec-proposal-prop1] transform ah

tunnel local Syntax

tunnel local ip-address

undo tunnel local

View

Manually-established IPsec policy view

Parameter

ip-address: Local address in dotted decimal format.

Description

Use the tunnel local command to set the local address of an IPsec policy.

Use the undo tunnel local command to delete the local address set in the IPsec policy.

By default, the local address of an IPsec policy is not configured.

It is not necessary to set a local address for an IPsec policy in isakmp mode, so this command is invalid in this situation. IKE can automatically obtain the local address from the interface where this IPsec policy is applied.

As for the IPsec policy in manual mode, it is necessary to set the local address before the SA can be established. A security tunnel is set up between the local and remote end, so the local address and remote address must be correctly configured before a security tunnel can be set up.

Related command: ipsec policy (system view), ipsec policy (interface view), security acl , tunnel remote, sa duration and proposal.

Example

# Set the local address for the IPsec policy, which is applied at GigabitEthernet0/0.1 whose IP address is 10.0.0.1.

[SecBlade_VPN] ipsec policy guangzhou 100 manual
[SecBlade_VPN-ipsec-policy-manual-guangzhou-100] tunnel local 10.0.0.1
[SecBlade_VPN-ipsec-policy-manual-guangzhou-100] quit
[SecBlade_VPN] interface Ethernet 1/0/0
[SecBlade_VPN-Ethernet1/0/0] ipsec policy guangzhou

tunnel remote Syntax

tunnel remote ip-address


undo tunnel remote [ ip-address ]

View

Manually-established IPsec policy view

Parameter

ip-address: Remote address in dotted decimal format.

Description

Use the tunnel remote command to set the remote address of an IPsec policy.

Use the undo tunnel remote command to delete the remote address in the IPsec policy.

By default, the remote address of an IPsec policy is not configured.

For the IPsec policy in manual mode, only one remote address can be set. If a remote address is already set, this existing address must be deleted before a new one can be set.

The security tunnel is established between the local and remote ends. The remote address must be set correctly on both ends of the security tunnel.

Related command: ipsec policy (system view), ipsec policy (interface view), security acl , tunnel local, sa duration, proposal.

Example

# Set the remote address of the IPsec policy to 10.1.1.2.

[SecBlade_VPN] ipsec policy shanghai 10 manual
[SecBlade_VPN-ipsec-policy-manual-shanghai-10] tunnel remote 10.1.1.2

Encryption Card Configuration Commands

debugging encrypt-card Syntax

debugging encrypt-card { all | command | error | misc | packet | sa } slot-id

undo debugging encrypt-card { all | command | error | misc | packet | sa } slot-id

debugging encrypt-card host { all | command | error | misc | packet | sa }

undo debugging encrypt-card host { all | command | error | misc | packet | sa }

View

User view

Parameter

all: Enables all debugging on the encryption card.


command: Enables command debugging on the encryption card.

error: Enables error debugging on the encryption card.

misc: Enables other debugging on the encryption card.

packet: Enables packet debugging on the encryption card.

sa: Enables security association (SA) debugging on the encryption card.

host: Enables host debugging on the encryption card.

slot-id: Slot ID of an encryption card, whose range depends on the number of slots on the security gateway. It is in three-part format, for example x/y/z, where x is the slot number and y and z are always 0 for encryption cards.

Description

Use the debugging encrypt-card command to enable debugging on the encryption card.

Use the undo debugging encrypt-card command to disable debugging on the encryption card.

Example

# Enable command debugging on the encryption card at slot 5/0/0.

<SecBlade_VPN> debugging encrypt-card command 5/0/0

display encrypt-card fast-switch

Syntax

display encrypt-card fast-switch

View

Any view

Parameter

None

Description

Use the display encrypt-card fast-switch command to view the entries in the fast forwarding cache for the encryption cards.

Example

# Display the entries in the fast forwarding cache for the encryption cards.

[SecBlade_VPN] display encrypt-card fast-switch
encrypt-card Fast-Forwarding cache:
Index SourIP  SourPort DestIP  DestPort Prot TdbID      Type
18    1.1.1.2 8        1.1.1.1 0        1    0x00000024 encrypt
130   1.1.1.1 0        1.1.1.2 0        50   0x00000023 decrypt

Table 277 Description on the fields of the display encrypt-card fast-switch command

Field Description

Index Index of the fast forwarding entry

SourIP Source IP address

SourPort Source port

DestIP Destination IP address

DestPort Destination port

Prot Protocol number

TdbID TDB ID for encrypting this flow

Type Two options are available: encrypt (in the outgoing direction) and decrypt (in the incoming direction)

display interface encrypt Syntax

display interface encrypt [ slot-id ]

View

Any view

Parameter

slot-id: Slot ID of an encryption card, whose range depends on the number of slots on the security gateway. It is in three-part format, for example x/y/z, where x is the slot number on the security gateway and y and z are always 0 for encryption cards.

Description

Use the display interface encrypt command to view the information about the encryption cards.

With this command, you can view the status of the encryption card, the total number of packets transmitted or received on it, the maximum number of packets dropped per second, and the statistics for the last five seconds.

Related command: interface encrypt.

Example

# Display the port information on the encryption card at slot 5/0/0.

[SecBlade_VPN] display interface Encrypt 5/0/0
Description : Encrypt5/0/0 Interface
Protocol Status: READY
Driver Status : READY
Total Statistics
  Packets sent to card : 10
  Packets received from card : 9
  Bytes sent to card : 1216
  Bytes received from card : 584
  Dropped packets : 0
Statistics during last 5 seconds
  Packets sent to card : 0
  Packets received from card : 0
  Bytes sent to card : 0
  Bytes received from card : 0
  Dropped packets : 0
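A parser for the display interface encrypt output shown above, as an added example (Python; not 3Com code) of the kind of check a monitoring job that polls the card would run: it reads the status lines and both statistics blocks and reports a card that is not READY or that has dropped packets. SAMPLE is constructed to follow the field layout of the example, with a non-zero drop count so that a finding is produced; status strings other than READY and the drop threshold are assumptions.

```python
"""Parse 'display interface encrypt' output and flag conditions worth an
alert. Added example, not 3Com code; SAMPLE is constructed to follow the
layout shown in this chapter."""
import re

SAMPLE = """\
Description : Encrypt5/0/0 Interface
Protocol Status: READY
Driver Status : READY
Total Statistics
  Packets sent to card : 10
  Packets received from card : 9
  Bytes sent to card : 1216
  Bytes received from card : 584
  Dropped packets : 3
Statistics during last 5 seconds
  Packets sent to card : 0
  Packets received from card : 0
  Bytes sent to card : 0
  Bytes received from card : 0
  Dropped packets : 0
"""

# "Name : value" lines; the name may contain spaces, the colon may or may not
# be preceded by a space (both forms appear in the example output).
_LINE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_interface_encrypt(text):
    """Return {'status': {...}, 'total': {...}, 'last5s': {...}} with
    numeric counters converted to int."""
    result = {"status": {}, "total": {}, "last5s": {}}
    section = "status"
    for line in text.splitlines():
        if line.startswith("Total Statistics"):
            section = "total"
            continue
        if line.startswith("Statistics during last"):
            section = "last5s"
            continue
        m = _LINE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        result[section][name] = int(value) if value.isdigit() else value
    return result


def findings(parsed, max_total_drops=0):
    """Human-readable findings for a parsed output ([] = nothing to report).
    max_total_drops is an assumed threshold for the cumulative counter."""
    out = []
    for key in ("Protocol Status", "Driver Status"):
        if parsed["status"].get(key) != "READY":
            out.append("%s is %s" % (key, parsed["status"].get(key)))
    total_drops = parsed["total"].get("Dropped packets", 0)
    if total_drops > max_total_drops:
        out.append("card has dropped %d packets since counters were reset" % total_drops)
    if parsed["last5s"].get("Dropped packets", 0) > 0:
        out.append("card is dropping packets right now")
    return out


if __name__ == "__main__":
    for line in findings(parse_interface_encrypt(SAMPLE)):
        print(line)
```

Because the cumulative counters run from the last reset counters interface encrypt, the "last 5 seconds" block is the one to watch for an active problem; the total is only useful relative to when the counters were last cleared.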


encrypt-card backuped Syntax

encrypt-card backuped

undo encrypt-card backuped

View

System view

Parameter

None

Description

Use the encrypt-card backuped command to enable backup function for encryption card.

Use the undo encrypt-card backuped command to disable backup function for encryption card.

For an IPsec SA implemented by the encryption card, IPsec processing is done by the card while the card is operating normally. If the card fails, the backup function is enabled, and the encryption/authentication algorithms selected for the SA are supported by the IPsec module on the Comware platform, IPsec processing is taken over by that IPsec module. If the selected algorithms are not supported by the IPsec module, the system drops the packets.

Example

# Enable backup function for the encryption card.

[SecBlade_VPN] encrypt-card backuped

encrypt-card fast-switch Syntax

encrypt-card fast-switch

undo encrypt-card fast-switch

View

System view

Parameter

None

Description

Use the encrypt-card fast-switch command to enable the fast forwarding function of encryption card.

Use the undo encrypt-card fast-switch command to disable the fast forwarding function of encryption card.

By default, the fast forwarding function of the encryption card is disabled.

For the packets that have the same [SourIP, SourPort, DestIP, DestPort, Prot] quintuple, the security gateway creates a fast forwarding entry when it receives the first packet. The subsequent packets of that flow are not processed packet by packet but are sent directly to the encryption card, where they are encrypted or decrypted and then sent to the destination. This is how the fast forwarding function of the encryption card expedites packet processing.

CAUTION: After the fast forwarding function is enabled on the encryption card, ACL statistics are no longer collected for the packets fast-forwarded by the encryption card.

Example

# Enable the fast forwarding function of the encryption card.

[SecBlade_VPN] encrypt-card fast-switch
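The following added example (Python; not code from 3Com or from this guide) models the two behaviours described in the security acl and encrypt-card fast-switch sections: an advanced ACL with wildcard masks decides which flows are protected (permit) and which leave in the clear (deny or no match), and a quintuple cache lets later packets of a protected flow skip the ACL, so the per-rule hit counters stop growing once fast forwarding is on, which is the caution above made visible. The inverse-mask convention (a 0 bit must match, a 1 bit is ignored), the per-rule hit counters standing in for "ACL statistics", and caching only protected flows are assumptions made for illustration.

```python
"""Which flows does an IPsec policy protect, and what does the encryption
card's fast-forwarding cache skip? Added example, not 3Com code."""
import ipaddress

PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


def _ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Inverse-mask semantics (assumed): a wildcard bit of 1 is ignored,
    a wildcard bit of 0 must match. '10.1.1.1 0.0.0.255' covers 10.1.1.0/24."""
    mask = 0xFFFFFFFF ^ _ip_to_int(wildcard)
    return (_ip_to_int(addr) & mask) == (_ip_to_int(base) & mask)


class AdvancedAcl:
    """Minimal advanced ACL (numbers 3000-3999, as security acl requires).
    Rules are (action, protocol, src, src_wild, dst, dst_wild); first match wins."""

    def __init__(self, number):
        if not 3000 <= number <= 3999:
            raise ValueError("security acl takes an advanced ACL (3000-3999)")
        self.number = number
        self.rules = []
        self.hits = []          # per-rule match counters (the "ACL statistics")

    def rule(self, action, proto, src, src_wild, dst, dst_wild):
        self.rules.append((action, proto, src, src_wild, dst, dst_wild))
        self.hits.append(0)

    def classify(self, pkt):
        """'protect' for a permitted packet, 'bypass' for a denied or
        unmatched one (sent out without IPsec protection); counts the hit."""
        for i, (action, proto, src, sw, dst, dw) in enumerate(self.rules):
            want = PROTO_NUMBERS[proto]
            if want is not None and pkt["proto"] != want:
                continue
            if wildcard_match(pkt["src"], src, sw) and wildcard_match(pkt["dst"], dst, dw):
                self.hits[i] += 1
                return "protect" if action == "permit" else "bypass"
        return "bypass"


class FastSwitchCache:
    """Quintuple cache as described for encrypt-card fast-switch: the first
    packet of a flow goes through the ACL; later packets of the same flow
    reuse the cached decision and never touch the ACL counters."""

    def __init__(self, acl, enabled=True):
        self.acl, self.enabled, self.entries = acl, enabled, {}

    def handle(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        if self.enabled and key in self.entries:
            return self.entries[key]
        decision = self.acl.classify(pkt)
        if self.enabled and decision == "protect":
            self.entries[key] = decision    # only IPsec-processed flows are cached
        return decision


def demo(fast_switch):
    """Push three packets of one protected flow plus one unrelated packet;
    return (decisions, per-rule ACL hit counts, number of cache entries)."""
    acl = AdvancedAcl(3001)
    # Mirrors the rule in the security acl example of this chapter.
    acl.rule("permit", "tcp", "10.1.1.1", "0.0.0.255", "10.1.1.2", "0.0.0.255")
    cache = FastSwitchCache(acl, enabled=fast_switch)
    flow = {"src": "10.1.1.50", "sport": 40000, "dst": "10.1.1.2",
            "dport": 443, "proto": 6}                    # constructed TCP flow
    other = {"src": "192.0.2.7", "sport": 5000, "dst": "10.1.1.2",
             "dport": 53, "proto": 17}                   # constructed UDP, unmatched
    decisions = [cache.handle(flow), cache.handle(flow),
                 cache.handle(flow), cache.handle(other)]
    return decisions, list(acl.hits), len(cache.entries)


if __name__ == "__main__":
    print("fast-switch off:", demo(False))
    print("fast-switch on: ", demo(True))
```

With fast forwarding off, every packet is classified and the rule's hit counter reaches 3; with it on, the same packets produce a single hit, so ACL counters must not be used to account for traffic on a card with fast-switch enabled.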

interface encrypt Syntax

interface encrypt slot-id

View

System view

Parameter

slot-id: Slot ID of an encryption card, whose range depends on the number of slots on the security gateway. It is in three-part format, for example x/y/z, where x is the slot number on the security gateway and y and z are always 0 for encryption cards.

Description

Use the interface encrypt command to enter an encryption card interface view.

In encryption card interface view, you can only use the shutdown and undo shutdown commands, which shut down and bring up the encryption card respectively.

Example

# Enter the interface mode of the encryption card at slot 5/0/0.

[SecBlade_VPN] interface encrypt 5/0/0
[SecBlade_VPN-Encrypt5/0/0]

ipsec card-proposal Syntax

ipsec card-proposal proposal-name

undo ipsec card-proposal proposal-name

View

System view

Parameter

proposal-name: Name of the SA proposal for encryption card, a string up to 16 characters. It is not case-sensitive.


Description

Use the ipsec card-proposal command to create an SA proposal for encryption card and enter the corresponding view.

Use the undo ipsec card-proposal command to delete an SA proposal for encryption card.

This command creates an encryption card SA proposal, in which encryption, decryption and authentication are performed on the encryption card; the host software also supports the host's own SA proposal view (the ipsec proposal command), in which encryption, decryption and authentication are performed by the host. In encryption card SA proposal view you can additionally specify the slot ID of the encryption card with the use encrypt-card command; all other configuration is identical to that of the ipsec proposal command.

After completing SA proposal configuration, you need to return to system view using the quit command, so that you can initiate other configuration.

Example

# Create the SA proposal "card" using the encryption card at slot 5/0/0, and configure its security protocol and algorithms.

[SecBlade_VPN] ipsec card-proposal card
[SecBlade_VPN-ipsec-card-proposal-card] use encrypt-card 5/0/0
[SecBlade_VPN-ipsec-card-proposal-card] transform ah-esp
[SecBlade_VPN-ipsec-card-proposal-card] ah authentication-algorithm sha1
[SecBlade_VPN-ipsec-card-proposal-card] esp authentication-algorithm sha1
[SecBlade_VPN-ipsec-card-proposal-card] esp encryption-algorithm 3des
[SecBlade_VPN-ipsec-card-proposal-card] quit
[SecBlade_VPN]

reset counters interface encrypt

Syntax

reset counters interface encrypt slot-id

View

User view

Parameter

slot-id: Slot ID of an encryption card, whose range depends on the number of slots on the security gateway. It is in three-part format, for example x/y/z, where x is the slot number on the security gateway and y and z are always 0 for encryption cards.

Description

Use the reset counters interface encrypt command to clear the statistics on an encryption card.

The statistics accumulate from the moment the encryption card starts normal operation, whereas fault analysis during system debugging usually needs statistics for a specific period. In that case, reset the existing statistics and then collect the statistics for the period of interest.

Related command: ipsec card-proposal and display encrypt-card sa.


Example

# Clear the statistics on the encryption card on the slot 5/0/0.

<SecBlade_VPN> reset counters interface encrypt 5/0/0

reset encrypt-card fast-switch

Syntax

reset encrypt-card fast-switch

View

User view

Parameter

None

Description

Use the reset encrypt-card fast-switch command to clear the fast forwarding information on the encryption card.

Example

# Clear the fast forwarding information on the encryption card.

<SecBlade_VPN> reset encrypt-card fast-switch

reset encrypt-card sa Syntax

reset encrypt-card sa [ slot-id ]

View

User view

Parameter

slot-id: Slot ID of an encryption card, whose range depends on the number of slots on the security gateway. It is in three-part format, for example x/y/z, where x is the slot number on the security gateway and y and z are always 0 for encryption cards.

Description

Use the reset encrypt-card sa command to clear the SAs on an encryption card.

You may need to clear the SA database information stored on the encryption card, to output only the required information during debugging.

Related command: ipsec card-proposal.

Note: This command is not available on the current encryption cards.

Example

# Clear the SAs on the encryption card on the slot 5/0/0.

<SecBlade_VPN> reset encrypt-card sa 5/0/0


reset encrypt-card statistics

Syntax

reset encrypt-card statistics [ slot-id ]

View

User view

Parameter

slot-id: Slot ID of an encryption card, whose range depends on the number of slots on the security gateway. It is in three-part format, for example x/y/z, where x is the slot number on the security gateway and y and z are always 0 for encryption cards.

Description

Use the reset encrypt-card statistics command to clear the processing statistics of an encryption card.

The statistics record all the protocol processing information from the last rebooting, including counts of incoming/outgoing ESP/AH packets, dropped packets, failed authentications, erroneous SAs, invalid SA proposals, invalid protocols.

Note: This command is not available on the current encryption cards.

Example

# Clear the processing statistics on the encryption card on the slot 5/0/0.

<SecBlade_VPN> reset encrypt-card statistics 5/0/0

reset encrypt-card syslog Syntax

reset encrypt-card syslog [ slot-id ]

View

User view

Parameter

slot-id: Slot ID of an encryption card, whose range depends on the number of slots on the security gateway. It is in three-part format, for example x/y/z, where x is the slot number on the security gateway and y and z are always 0 for encryption cards.

Description

Use the reset encrypt-card syslog command to clear all the logging information on an encryption card.

The encryption card keeps its entire logging history, and every query reports all of it, including obsolete entries, which makes log monitoring and fault location harder. Clearing the card's log buffer avoids this.

Note: This command is not available on the current encryption cards.


Example

# Clear all the logging information on the encryption card on the slot 5/0/0.

<SecBlade_VPN> reset encrypt-card syslog 5/0/0

snmp-agent trap enable encrypt-card

Syntax

snmp-agent trap enable encrypt-card

undo snmp-agent trap enable encrypt-card

View

System view

Parameter

None

Description

Use the snmp-agent trap enable encrypt-card command to enable SNMP agent trap function on encryption card.

Use the undo snmp-agent trap enable encrypt-card command to disable SNMP agent trap function on encryption card.


When combined with appropriate network management (NM) configuration, the trap function allows you to view information about card rebooting, status transitions and packet loss on the console of the NM station or the security gateway.

Example

# Enable the trap function on the encryption card.

[SecBlade_VPN] snmp-agent trap enable encrypt-card

use encrypt-card Syntax

use encrypt-card slot-id

undo use encrypt-card

View

Card SA proposal view

Parameter

slot-id: Slot ID of an encryption card, whose range depends on the number of slots on the security gateway. It is in three-part format, for example x/y/z, where x is the slot number on the security gateway and y and z are always 0 for encryption cards.

Description

Use the use encrypt-card command to specify that the SA proposal uses the encryption card in the designated slot.


Use the undo use encrypt-card command to remove the configuration.


One SA proposal can only be processed by a single encryption card, but one single encryption card can process different SA proposals.

Related command: ipsec card-proposal.

Example

# Configure the slot holding the encryption card used by the encryption card SA proposal named card.

[SecBlade_VPN] ipsec card-proposal card
[SecBlade_VPN-ipsec-card-proposal-card] use encrypt-card 5/0/0


23 IKE CONFIGURATION COMMANDS

IKE Configuration Commands

authentication-algorithm Syntax

authentication-algorithm { md5 | sha }

undo authentication-algorithm

View

IKE proposal view

Parameter

md5: Selects the authentication algorithm: HMAC-MD5.

sha: Selects the authentication algorithm: HMAC-SHA1.

Description

Use the authentication-algorithm command to select the authentication algorithm for an IKE proposal.

Use the undo authentication-algorithm command to restore the authentication algorithm for an IKE proposal to the default.

By default, HMAC-SHA1 authentication algorithm is used.

Related command: ike proposal, display ike proposal.

Example

# Set HMAC-MD5 as the authentication algorithm for IKE proposal 10.

[SecBlade_VPN] ike proposal 10
[SecBlade_VPN-ike-proposal-10] authentication-algorithm md5

authentication-method Syntax

authentication-method { pre-share | rsa-signature }

undo authentication-method

View

IKE proposal view


Parameter

pre-share: Specifies the pre-shared key authentication as the Internet Key Exchange (IKE) proposal authentication method.

rsa-signature: specifies to authenticate through PKI digital signature.

Description

Use the authentication-method command to select the authentication method used by an IKE proposal.

Use the undo authentication-method command to restore the authentication method used by an IKE proposal to the default.

By default, the authentication method used by an IKE proposal is pre-shared key authentication.

You can specify an authentication method for an IKE policy. So far, two methods are available: pre-shared key and PKI (rsa-signature).

A pre-shared key must be configured (with the pre-shared-key command in IKE-peer view) before the pre-shared key authentication method can be used.

Related command: pre-shared-key, ike proposal, display ike proposal, pki domain, and pki entity.

For more information on configuring PKI, refer to "PKI Configuration" in this manual.

Example

# Specify pre-shared key authentication as the authentication method for IKE proposal 10.

[SecBlade_VPN] ike proposal 10
[SecBlade_VPN-ike-proposal-10] authentication-method pre-share

debugging ike Syntax

debugging ike { all | error | exchange | message | misc | transport}

undo debugging ike { all | error | exchange | message | misc | transport}

View

User view

Parameter

all: All IKE debugging functions.

error: IKE error debugging information.

exchange: IKE exchange mode debugging information.

message: IKE message debugging information.

misc: All the other IKE debugging information.


transport: IKE transport debugging information.

Description

Use the debugging ike command to enable IKE debugging.

Use the undo debugging ike command to disable IKE debugging.

By default, IKE debugging is disabled.

Example

# Enable IKE error debugging.

<SecBlade_VPN> debugging ike error

dh Syntax

dh { group1 | group2 | group5 | group14 }

undo dh

View

IKE proposal view

Parameter

group1: Selects group1, that is, the 768-bit Diffie-Hellman group.

group2: Selects group2, that is, the 1024-bit Diffie-Hellman group.

group5: Selects group5, that is, the 1536-bit Diffie-Hellman group.

group14: Selects group14, that is, the 2048-bit Diffie-Hellman group.

Description

Use the dh command to select the Diffie-Hellman group for an IKE proposal.

Use the undo dh command to restore the Diffie-Hellman group for an IKE proposal to the default.

By default, group1, that is, 768-bit Diffie-Hellman group is used.

Related command: ike proposal, display ike proposal.

Example

# Specify 768-bit Diffie-Hellman for IKE proposal 10.

[SecBlade_VPN] ike proposal 10
[SecBlade_VPN-ike-proposal-10] dh group1

display ike peer Syntax

display ike peer [ peer-name ]

View

Any view


Parameter

peer-name: Name of the IKE peer, a string up to 15 characters.

Description

Use the display ike peer command to view the configuration about the specified or all IKE peers.

Example

# Display the configuration about all IKE peers.

[SecBlade_VPN-ike-peer-good] display ike peer
---------------------------
 IKE Peer: good
 exchange mode: main on phase 1
 pre-shared-key:
 peer id type: ip
 peer ip address: 0.0.0.0 ~ 255.255.255.255
 peer name:
 nat traversal: disable
---------------------------

display ike proposal Syntax

display ike proposal

View

Any view

Parameter

None

Description

Use the display ike proposal command to view the parameters configured for each IKE proposal.

This command shows IKE proposals in the sequence of the priority.

Related command: authentication-method, ike proposal, encryption-algorithm, authentication-algorithm, dh, sa duration.

Example

# View the IKE proposal information after two IKE proposals are configured.

[SecBlade_VPN] display ike proposal
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group          (seconds)
--------------------------------------------------------------------------
10       PRE_SHARED     SHA            DES_CBC    MODP_1024      5000
11       PRE_SHARED     MD5            DES_CBC    MODP_768       50000
default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400
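The following Python script is an added example and is not part of this manual or of the switch software. It parses the table that display ike proposal prints, in the format shown above, and for every proposal that still uses the weak defaults of this chapter (DES-CBC, HMAC-MD5, MODP_768 or MODP_1024) lists the IKE proposal view commands from this chapter that replace them. SAMPLE_OUTPUT is constructed from the manual's example output; the dataclass and its field names are the script's own.

```python
"""Audit 'display ike proposal' output for weak IKE settings.

Added example, not part of the 3Com manual. SAMPLE_OUTPUT is constructed
from the manual's example; field names are this script's own.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the manual's 'display ike proposal' example.
SAMPLE_OUTPUT = """\
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group          (seconds)
--------------------------------------------------------------------------
10       PRE_SHARED     SHA            DES_CBC    MODP_1024      5000
11       PRE_SHARED     MD5            DES_CBC    MODP_768       50000
default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400
"""


@dataclass
class IkeProposal:
    priority: str      # proposal number as printed, or "default"
    auth_method: str   # e.g. PRE_SHARED
    auth_alg: str      # SHA or MD5
    enc_alg: str       # DES_CBC or 3DES_CBC
    dh_group: str      # MODP_768, MODP_1024, ... as printed
    duration: int      # ISAKMP SA duration in seconds


def parse_display_ike_proposal(text: str) -> list[IkeProposal]:
    """Return one IkeProposal per row after the dashed separator line."""
    rows: list[IkeProposal] = []
    in_body = False
    for line in text.splitlines():
        if not in_body:
            in_body = line.startswith("----")   # header ends here
            continue
        fields = line.split()
        if len(fields) != 6:                    # blank or trailing text
            continue
        rows.append(IkeProposal(*fields[:5], int(fields[5])))
    return rows


# Weak values this chapter can produce, and the IKE proposal view command
# from this chapter that replaces each of them.
WEAK = {
    "enc_alg":  ({"DES_CBC"}, "encryption-algorithm 3des-cbc"),
    "auth_alg": ({"MD5"}, "authentication-algorithm sha"),
    "dh_group": ({"MODP_768", "MODP_1024"}, "dh group14"),
}


def audit(proposals: list[IkeProposal]) -> dict[str, list[str]]:
    """Map each weak proposal's priority to the commands that harden it."""
    findings: dict[str, list[str]] = {}
    for p in proposals:
        fixes = [cmd for attr, (bad, cmd) in WEAK.items()
                 if getattr(p, attr) in bad]
        if fixes:
            findings[p.priority] = fixes
    return findings


if __name__ == "__main__":
    for prio, fixes in audit(parse_display_ike_proposal(SAMPLE_OUTPUT)).items():
        if prio == "default":
            # The system default proposal is always present; define a numbered
            # proposal with stronger settings, which is tried before it.
            print("default proposal is weak; define a numbered proposal with:")
        else:
            print(f"ike proposal {prio}")
        for cmd in fixes:
            print(f"    {cmd}")
```

Run it against the captured output of display ike proposal; every numbered proposal it reports can be corrected in the corresponding IKE proposal view with the commands it prints. The default proposal cannot be fixed this way, which is why a numbered proposal with stronger settings should exist on every gateway.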

display ike sa Syntax

display ike sa [ verbose [ connection-id id | remote-address ip-address ] ]


View

Any view

Parameter

verbose: Displays details about IKE SAs.

connection-id id: Displays the IKE SA with the specified connection ID.

remote-address ip-address: Displays the IKE SAs with the specified peer IP address.

Description

Use the display ike sa command to view the current security tunnels established by IKE.

Related command: ike proposal.

Example

# View the security tunnels established by IKE.

[SecBlade_VPN] display ike sa
 conn-id  peer            flag     phase  doi
 1        202.38.0.2      RD|ST    1      IPSEC
 2        202.38.0.2      RD|ST    2      IPSEC
 flag meaning:
 RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT

The descriptions of the items displayed are listed in the following table.

Table 278 Description on the fields of the display ike sa command

Field Description

conn-id Security channel ID

peer Remote IP address of this SA

flag Display the status of this SA

RD (READY) means this SA has been established successfully

ST (STAYALIVE) means that an SA duration has been negotiated and this SA will be refreshed at a fixed interval.

RL (REPLACED) means that this SA has been replaced by a new one and will be deleted automatically after a period of time.

FD (FADING) means that this SA has reached its soft timeout but is still in use; it will be deleted at the hard timeout.

TO (TIMEOUT) means that this SA has received no Keepalive packet since the previous Keepalive timeout. If it receives none before the next Keepalive timeout, it will be deleted.

phase Phase of the SA:

Phase 1: a phase of establishing security channel to communicate, ISAKMP SA will be established in the phase;

Phase 2: a phase of negotiating security service, IPsec SA will be established in the phase.

doi Domain of Interpretation


encryption-algorithm Syntax

encryption-algorithm { des-cbc | 3des-cbc }

undo encryption-algorithm

View

IKE proposal view

Parameter

des-cbc: Selects the 56-bit DES-CBC encryption algorithm for an IKE proposal. DES algorithm adopts 56-bit keys for encryption.

3des-cbc: Sets the encryption algorithm to the 3DES algorithm in CBC mode. The 3DES algorithm uses 168-bit keys (three DES keys) for encryption; its effective strength is 112 bits.

Description

Use the encryption-algorithm command to specify the encryption algorithm for an IKE proposal.

Use the undo encryption-algorithm command to restore the default.

By default, 56-bit DES-CBC encryption algorithm is used.

Related command: ike proposal and display ike proposal.

Example

# Specify the 56-bit DES-CBC encryption algorithm for IKE proposal 10.

[SecBlade_VPN] ike proposal 10
[SecBlade_VPN-ike-proposal-10] encryption-algorithm des-cbc

exchange-mode Syntax

exchange-mode { aggressive | main }

undo exchange-mode

View

IKE-peer view

Parameter

aggressive: Aggressive mode

main: Main mode.

Description

Use the exchange-mode command to select an IKE negotiation mode.

Use the undo exchange-mode command to restore the default negotiation mode. By default, main mode is adopted.


In main mode, only an IP address can be used as the identity in IKE negotiation and SA creation. It applies when both ends of the tunnel have fixed IP addresses.

In aggressive mode, either an IP address or a name can be used as the identity. If one end of the security tunnel obtains its IP address automatically (a dial-up user, for example), the IKE negotiation mode must be set to aggressive; an SA can then be created as long as the peer name and the pre-shared key match. Note that aggressive mode sends the identities unencrypted and, with pre-shared key authentication, exposes a hash that an eavesdropper can attack offline, so use a strong pre-shared key.

After accepting a negotiation request from the initiator by using a policy template, the responder will select the negotiation mode according to the negotiation mode of the initiator.

Related command: id-type.

Example

# Adopt the main mode for IKE negotiation.

[SecBlade_VPN] ike peer new_peer
[SecBlade_VPN-ike-peer-new_peer] exchange-mode main

id-type Syntax

id-type { ip | name }

undo id-type

View

IKE-peer view

Parameter

ip: Selects IP address as the ID used in IKE negotiation.

name: Selects name as the ID used in IKE negotiation.

Description

Use the id-type command to select the type of ID used in IKE negotiation.

Use the undo id-type command to restore the default setting. By default, IP address is the ID used in IKE negotiation.

In main mode, you can only use IP address to perform IKE negotiation and to create an SA.

In aggressive mode, you can use either an IP address or a name to perform IKE negotiation and to create an SA.

Related command: ike local-name.

Example

# Set name as the ID used in IKE negotiation.

[SecBlade_VPN] ike peer new_peer
[SecBlade_VPN-ike-peer-new_peer] id-type name


ike encrypt-card dh-computation

disabled

Syntax

ike encrypt-card dh-computation disabled

undo ike encrypt-card dh-computation disabled

View

System view

Parameter

None

Description

Use the ike encrypt-card dh-computation disabled command to perform the Diffie-Hellman computation in software instead of on the encryption card.

Use the undo ike encrypt-card dh-computation disabled command to perform the Diffie-Hellman computation on the encryption card again.

By default, the Diffie-Hellman computation is performed on the encryption card.

Example

# Perform the Diffie-Hellman computation in software instead of on the encryption card.

[SW8800] ike encrypt-card dh-computation disabled

ike local-name Syntax

ike local-name name

undo ike local-name

View

System view

Parameter

name: Name of the local GW in IKE negotiation, which contains 1 to 32 characters.

Description

Use the ike local-name command to set the name of the local GW.

Use the undo ike local-name command to restore the default name of the local GW. By default, the name of the security gateway is used as the name of the local GW.

If the initiator uses the GW name to perform IKE negotiation (id-type name is used), you must configure the ike local-name command on the local device.

Related command: remote-name.

Example

# Identify the local GW by the configured name "beijing_VPN"


[SecBlade_VPN] ike local-name beijing_VPN

ike next-payload check disabled

Syntax

ike next-payload check disabled

undo ike next-payload check disabled

View

System view

Parameter

None

Description

Use the ike next-payload check disabled command to disable checking of the next-payload field in the last payload of an IKE negotiation packet during IPsec negotiation, for compatibility with other vendors' implementations.

Use the undo ike next-payload check disabled command to restore the default, checking the next payload field.

An IKE negotiation packet comprises multiple payloads; the next-payload field is in the generic header of the last payload. According to the protocol, this field should be set to 0. It however may vary by vendor. For compatibility sake, you can use the ike next-payload check disabled command to ignore this field during IPsec negotiation.

Example

# Cancel the check of next-payload field in the last payload of the IKE negotiation packet during IPsec negotiation.

[SecBlade_VPN] ike next-payload check disabled

ike peer Syntax

ike peer peer-name

undo ike peer peer-name

View

System view

Parameter

peer-name: IKE peer name, which can be a string of up to 15 characters.

Description

Use the ike peer command to configure an IKE peer and access IKE-peer view.

Use the undo ike peer command to delete an IKE peer.

Example

# Configure an IKE peer "new_peer" and access its view.


[SecBlade_VPN] ike peer new_peer
[SecBlade_VPN-ike-peer-new_peer]

ike peer Syntax

ike peer peer-name

undo ike peer peer-name

View

IPsec policy view, IPsec policy template view

Parameter

peer-name: IKE peer name, which is a string of up to 15 characters.

Description

Use the ike peer command to reference an IKE peer in an IPsec policy or IPsec policy template.

Use the undo ike peer command to remove the referenced IKE peer from the IPsec policy or IPsec policy template.

Related command: ipsec policy.

Example

# Reference an IKE peer in the IPsec policy.

[SecBlade_VPN-ipsec-policy-isakmp-policy-10] ike peer new_peer

ike proposal Syntax

ike proposal proposal-number

undo ike proposal proposal-number

View

System view

Parameter

proposal-number: IKE proposal number, in the range 1 to 100. This value also stands for the priority: a smaller value means a higher priority. During IKE negotiation, the system tries IKE proposals in order of proposal number, smallest first.

Description

Use the ike proposal command to define an IKE proposal.

Use the undo ike proposal command to delete an IKE proposal.

The system provides a default IKE proposal with the lowest priority.

Executing this command in system view enters IKE proposal view, where you can set the authentication method, encryption algorithm, authentication algorithm, DH group ID, and SA duration for this IKE proposal using the authentication-method, encryption-algorithm, authentication-algorithm, dh, and sa duration commands.

The Default IKE proposal has the following default parameters:

Encryption algorithm: DES-CBC

Authentication algorithm: HMAC-SHA1

Authentication method: Pre-Shared Key

DH group ID: MODP_768

SA duration: 86400 seconds

These parameters are used to establish a security tunnel once both sides of the negotiation agree on them.

Both sides of the negotiation can be configured with more than one IKE proposal. During negotiation, the IKE proposals of the two sides are compared one by one in order of priority. The encryption algorithm, authentication algorithm, authentication method, and DH group must be identical for a match. The SA duration is decided by the initiator and needs no agreement.

Related command: authentication-method, authentication-algorithm, encryption-algorithm, dh, sa duration, display ike proposal.

Example

# Define IKE proposal 10.

[SecBlade_VPN] ike proposal 10
[SecBlade_VPN-ike-proposal-10] authentication-algorithm md5
[SecBlade_VPN-ike-proposal-10] authentication-method pre-share
[SecBlade_VPN-ike-proposal-10] sa duration 5000
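The following Python script is an added example and is not part of this manual or of the switch software. It models the matching rule described above: each side tries its proposals in priority order (smallest number first, the system default proposal last), a match requires the same encryption algorithm, authentication algorithm, authentication method and DH group, and the ISAKMP SA duration is taken from the initiator rather than negotiated. The site configurations are constructed for the example and use this chapter's command keywords as values; the responder_has_default switch, which models a third-party responder that does not offer the DES/SHA/group1 fallback, is the script's own assumption.

```python
"""Simulate IKE proposal selection between two gateways.

Added example, not the manual's code. Site configurations are constructed.
"""
from __future__ import annotations

# Parameters that must agree on both sides (sa_duration deliberately absent).
NEGOTIATED = ("enc_alg", "auth_alg", "auth_method", "dh_group")

# The default proposal from this chapter, present on every gateway with
# the lowest priority.
DEFAULT_PROPOSAL = {
    "priority": "default", "enc_alg": "des-cbc", "auth_alg": "sha",
    "auth_method": "pre-share", "dh_group": "group1", "sa_duration": 86400,
}

# Constructed site configurations. SITE_A and SITE_B agree; SITE_C differs
# from SITE_A only in the authentication algorithm (a typical typo).
SITE_A = [{"priority": 10, "enc_alg": "3des-cbc", "auth_alg": "sha",
           "auth_method": "pre-share", "dh_group": "group14",
           "sa_duration": 3600}]
SITE_B = [{"priority": 20, "enc_alg": "3des-cbc", "auth_alg": "sha",
           "auth_method": "pre-share", "dh_group": "group14",
           "sa_duration": 86400}]
SITE_C = [{"priority": 10, "enc_alg": "3des-cbc", "auth_alg": "md5",
           "auth_method": "pre-share", "dh_group": "group14",
           "sa_duration": 3600}]


def ordered(proposals: list[dict], with_default: bool = True) -> list[dict]:
    """Numbered proposals by ascending number, then the default proposal."""
    numbered = sorted(proposals, key=lambda p: p["priority"])
    return numbered + ([DEFAULT_PROPOSAL] if with_default else [])


def negotiate(initiator: list[dict], responder: list[dict],
              responder_has_default: bool = True) -> dict | None:
    """Return the agreed parameters, or None if no proposal pair matches.

    responder_has_default=False models a third-party responder (assumption)
    that does not offer this chapter's DES/SHA/group1 fallback.
    """
    for ip in ordered(initiator):
        for rp in ordered(responder, responder_has_default):
            if all(ip[k] == rp[k] for k in NEGOTIATED):
                agreed = {k: ip[k] for k in NEGOTIATED}
                agreed["sa_duration"] = ip["sa_duration"]  # initiator decides
                agreed["initiator_proposal"] = ip["priority"]
                agreed["responder_proposal"] = rp["priority"]
                return agreed
    return None


if __name__ == "__main__":
    print("A -> B:", negotiate(SITE_A, SITE_B))
    # A and C mismatch on auth_alg, so both fall through to the weak default:
    print("A -> C:", negotiate(SITE_A, SITE_C))
    print("A -> C, no default offered:",
          negotiate(SITE_A, SITE_C, responder_has_default=False))
```

The A to C case is the one to watch for: because the default proposal exists on both sides, a mismatch in a single parameter does not fail the tunnel; it silently downgrades the ISAKMP SA to DES-CBC and the 768-bit group. After any change to a proposal, confirm with display ike sa and display ike proposal that the numbered proposal, not the default, was selected.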

ike sa keepalive-timer interval

Syntax

ike sa keepalive-timer interval seconds

undo ike sa keepalive-timer interval

View

System view

Parameter

seconds: Specifies the interval for sending Keepalive packet to the remote end through ISAKMP SA. It can be set to a value in the range 20 to 28800.

Description

Use the ike sa keepalive-timer interval command to configure the interval for sending Keepalive packet to the remote end through ISAKMP SA.

Use the undo ike sa keepalive-timer interval command to disable the function.


By default, this function is disabled.

This command sets the interval at which Keepalive packets are sent to the remote end over the ISAKMP SA. IKE uses Keepalive packets to track the state of the ISAKMP SA. If a timeout is configured at the remote end with the ike sa keepalive-timer timeout command, a sending interval must be configured at the local end. When the remote end receives no Keepalive packet within its configured timeout, it marks the ISAKMP SA with the TIMEOUT flag; if the SA is already marked TIMEOUT, the ISAKMP SA and the IPsec SAs it protects are deleted. The timeout configured at the remote end must therefore be longer than the sending interval configured here.

Related command: ike sa keepalive-timer timeout.

Example

# Configure the interval as 20 seconds for the local end to send Keepalive packet to the remote end.

[SecBlade_VPN] ike sa keepalive-timer interval 20

ike sa keepalive-timer timeout

Syntax

ike sa keepalive-timer timeout seconds

undo ike sa keepalive-timer timeout

View

System view

Parameter

seconds: Specifies the timeout for ISAKMP SA to wait for the Keepalive packet. It can be set to a value in the range 20 to 28800.

Description

Use the ike sa keepalive-timer timeout command to configure a timeout for ISAKMP SA to wait for the Keepalive packet.

Use the undo ike sa keepalive-timer timeout command to disable the function.

By default, this function is disabled.

This command sets how long the local end waits for a Keepalive packet from the remote end. IKE uses Keepalive packets to track the state of the ISAKMP SA. When no Keepalive packet arrives within the configured timeout, the ISAKMP SA is marked with the TIMEOUT flag; if the SA is already marked TIMEOUT, the ISAKMP SA and the IPsec SAs it protects are deleted. The timeout must therefore be longer than the interval at which the remote end sends Keepalive packets.

Packets are rarely lost more than three times in a row, so a timeout of three times the remote end's sending interval is a reasonable setting.


Related command: ike sa keepalive-timer interval.

Example

# Configure the timeout as 20 seconds for the local end to wait for the remote end to send the Keepalive packet.

[SecBlade_VPN] ike sa keepalive-timer timeout 20
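The following Python script is an added example and is not part of this manual or of the switch software. It replays the timeout rule described for ike sa keepalive-timer interval and ike sa keepalive-timer timeout: each time the timeout expires with no Keepalive received, the ISAKMP SA is marked TIMEOUT, and if it is already marked TIMEOUT it is deleted together with its IPsec SAs. It assumes, which the page does not state, that receiving a Keepalive clears the TIMEOUT flag, and it uses constructed Keepalive arrival times, including a small transit delay and deliberately lost packets, to compare the two example values above (interval 20, timeout 20) with the recommended timeout of three times the interval.

```python
"""Model the ISAKMP SA keepalive timeout behaviour described above.

Added example, not the manual's code. Arrival times are constructed;
clearing the TIMEOUT flag on receipt of a Keepalive is an assumption.
"""
from __future__ import annotations


def check_timers(interval: int, timeout: int) -> str:
    """Apply the manual's two rules to a (local interval, remote timeout) pair."""
    if timeout <= interval:
        return "error: timeout must be longer than the Keepalive interval"
    if timeout < 3 * interval:
        return "warning: timeout below the recommended 3 x interval"
    return "ok"


def keepalive_arrivals(interval: int, horizon: int,
                       lost: frozenset[int] = frozenset(),
                       delay: float = 0.0) -> list[float]:
    """Arrival times of Keepalives sent every `interval` s until `horizon`.

    `lost` holds the 1-based sequence numbers dropped in transit; `delay`
    is the one-way transit time. Constructed input for the simulation.
    """
    return [n * interval + delay
            for n in range(1, int(horizon // interval) + 1) if n not in lost]


def simulate(timeout: int, arrivals: list[float],
             horizon: int) -> tuple[str, int | None]:
    """Walk the remote end's timeout timer up to `horizon`.

    Returns the final SA state ("READY", "TIMEOUT" or "DELETED") and the
    time at which the SA was deleted, if it was.
    """
    flagged = False           # whether the TIMEOUT flag is currently set
    window_start = 0.0
    t = timeout
    while t <= horizon:
        if any(window_start < a <= t for a in arrivals):
            flagged = False   # a Keepalive arrived in this window (assumption)
        elif flagged:
            return "DELETED", t   # second consecutive silent window
        else:
            flagged = True        # first silent window: mark TIMEOUT
        window_start, t = t, t + timeout
    return ("TIMEOUT" if flagged else "READY"), None


if __name__ == "__main__":
    # The manual's two example values used together: interval 20, timeout 20,
    # with Keepalives 2 and 3 lost and 50 ms of transit delay.
    arrivals = keepalive_arrivals(20, 200, lost=frozenset({2, 3}), delay=0.05)
    print(check_timers(20, 20), simulate(20, arrivals, 200))
    # Same loss pattern with the recommended 3 x interval timeout.
    print(check_timers(20, 60), simulate(60, arrivals, 200))
```

With timeout equal to the interval, two lost Keepalives in a row are enough to tear down the ISAKMP SA and every IPsec SA under it, and even the transit delay alone makes the SA flap in and out of the TIMEOUT state. With the timeout at three times the interval the same loss pattern is absorbed without the SA ever being marked.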

ike sa nat-keepalive-timer

interval

Syntax

ike sa nat-keepalive-timer interval seconds

undo ike sa nat-keepalive-timer interval

View

System view

Parameter

seconds: Time interval for the IKE peer to send NAT Keepalive packets, in the range 5 to 300 (seconds).

Description

Use the ike sa nat-keepalive-timer interval command to define the time interval for the IKE peer to send NAT Keepalive packets.

Use the undo ike sa nat-keepalive-timer interval command to restore the default time interval for the IKE peer to send NAT Keepalive packets.

When configuring this command, make sure that the specified time interval is less than the timeout time for NAT traversal.

By default, the time interval for the IKE peer to send NAT Keepalive packets is 20 seconds.

Example

# Configure the IKE peer to send NAT Keepalive packets every 30 seconds.

[SecBlade_VPN] ike sa nat-keepalive-timer interval 30

local Syntax

local { multi-subnet | single-subnet }

undo local

View

IKE-peer view

Parameter

multi-subnet: Sets the subnet type to multiple.

single-subnet: Sets the subnet type to single.


Description

Use the local command to configure the subnet type in IKE negotiation.

Use the undo local command to restore the default subnet type. You can use this command to enable interoperability between the router and a Netscreen device.

The default is single-subnet.

Example

# Set the subnet type in IKE negotiation to multiple.

[SecBlade_VPN-ike-peer-xhy] local multi-subnet

local-address Syntax

local-address ip-address

undo local-address

View

IKE-peer view

Parameter

ip-address: IP address of the local GW in IKE negotiation.

Description

Use the local-address command to configure the IP address of the local GW in IKE negotiation.

Use the undo local-address command to delete the IP address of the local GW.

Normally, you do not need to configure the local-address command, unless you want to specify a special address for the local GW.

Example

# Set the IP address of the local GW to 1.1.1.1.

[SecBlade_VPN-ike-peer-xhy] local-address 1.1.1.1

nat traversal Syntax

nat traversal

undo nat traversal

View

IKE-peer view

Parameter

None

Description

Use the nat traversal command to configure the NAT traversal function of IKE/IPsec.


Use the undo nat traversal command to disable the NAT traversal function of IKE/IPsec.

This command applies when a NAT gateway sits on the path of the VPN tunnel built by IKE/IPsec.

To conserve IP address space, ISPs often place NAT gateways in their networks and assign private IP addresses to users. An IKE/IPsec tunnel may then have a private address at one end and a public address at the other. In that case NAT traversal must be enabled at the private-network end so that the tunnel can be negotiated and established.

Example

# Enable the NAT traversal function.

[SecBlade_VPN] ike peer new_peer
[SecBlade_VPN-ike-peer-new_peer] nat traversal

peer Syntax

peer { multi-subnet | single-subnet }

undo peer

View

IKE-peer view

Parameter

multi-subnet: Sets the subnet type to multiple.

single-subnet: Sets the subnet type to single.

Description

Use the peer command to configure the subnet type in IKE negotiation.

Use the undo peer command to restore the default subnet type. You can use this command to enable interoperability between the router and a Netscreen device.

The default is single-subnet.

Example

# Set the subnet type in IKE negotiation to multiple.

[SecBlade_VPN-ike-peer-xhy] peer multi-subnet

pre-shared-key Syntax

pre-shared-key key

undo pre-shared-key

View

IKE-peer view


Parameter

key: Specifies a pre-shared key, which is a string of 1 to 128 characters.

Description

Use the pre-shared-key command to configure the pre-shared key used in IKE negotiation. The key must be identical on both peers. Choose a long, randomly generated string rather than a short word such as the one in the example: with pre-shared key authentication, this key is the only secret that authenticates the peers.

Use the undo pre-shared-key command to remove the pre-shared key used in IKE negotiation.

Example

# Set the pre-shared key used in IKE negotiation to "abcde".

[SecBlade_VPN] ike peer new_peer
[SecBlade_VPN-ike-peer-new_peer] pre-shared-key abcde

remote-address Syntax

remote-address low-ip-address high-ip-address

undo remote-address

View

IKE-peer view

Parameter

low-ip-address: Start IP address.

high-ip-address: End IP address.

Description

Use the remote-address command to configure IP address of the remote GW.

Use the undo remote-address command to delete IP address of the remote GW.

If the initiator uses its IP address as its identity in IKE negotiation (that is, id-type ip), it sends that address to the peer, and the peer checks it against the address range configured with the remote-address command. To pass authentication, this address must be the one configured with the local-address command on the initiator.

Example

# Set IP address of the remote GW to 10.0.0.1.

[SecBlade_VPN] ike peer new_peer
[SecBlade_VPN-ike-peer-new_peer] remote-address 10.0.0.1

remote-name Syntax

remote-name name

undo remote-name


View

IKE-peer view

Parameter

name: Name to be specified for the peer in IKE negotiation. It is a string of 1 to 32 characters.

Description

Use the remote-name command to specify a name for the remote GW.

Use the undo remote-name command to remove the name of the remote GW.

If the initiator uses its GW name as its identity in IKE negotiation (that is, id-type name), it sends the name to the peer, and the peer checks it against the name configured with the remote-name command. To pass authentication, this remote name must match the name configured with the ike local-name command on the initiator's gateway.

Example

# Set the name of the remote GW to "beijing".

[SecBlade_VPN] ike peer new_peer
[SecBlade_VPN-ike-peer-new_peer] remote-name beijing

reset ike sa Syntax

reset ike sa [ connection-id ]

View

User view

Parameter

connection-id: Specifies the SA to be deleted. If this parameter is not specified, all the SAs at phase 1 will be deleted.

Description

Use the reset ike sa command to delete the security tunnel set up by IKE.

If connection-id is not specified, all phase 1 SAs are deleted. If the phase 1 ISAKMP SA still exists when the local security tunnel is deleted, a Delete Message notification is sent to the remote end under the protection of that SA, telling it to delete the corresponding SA.

IKE runs ISAKMP in two phases: phase 1 establishes the ISAKMP SA; phase 2 negotiates and establishes the IPsec SAs under the protection of the ISAKMP SA established in phase 1.

Related command: display ike sa.

Example

# Delete the security tunnel to 202.38.0.2.

<SecBlade_VPN> display ike sa
 conn-id  remote          flag     phase  doi
 1        202.38.0.2      RD|ST    1      IPSEC
 2        202.38.0.2      RD|ST    2      IPSEC
 flag meaning:
 RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING
<SecBlade_VPN> reset ike sa 2
<SecBlade_VPN> display ike sa
 conn-id  remote          flag     phase  doi
 1        202.38.0.2      RD|ST    1      IPSEC
 flag meaning:
 RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING

CAUTION: If the phase 1 SA is deleted first, the remote end cannot be informed to clear its SA database when the phase 2 SA is deleted afterwards. Delete phase 2 SAs before the phase 1 SA that protects them.

sa duration Syntax

sa duration seconds

undo sa duration

View

IKE proposal view

Parameter

seconds: Specifies the ISAKMP SA duration. When the SA duration expires, the ISAKMP SA is renegotiated automatically. It can be set to a value in the range 60 to 604800 seconds.

Description

Use the sa duration command to specify the ISAKMP SA duration for an IKE proposal.

Use the undo sa duration command to restore it to the default.

By default, the ISAKMP SA duration is 86400 seconds (one day).

Before the SA duration of an SA expires, a new SA is negotiated to replace it, and the old SA is cleared automatically when its duration expires.

Related command: ike proposal and display ike proposal.

Example

# Specify the ISAKMP SA duration for IKE proposal 10 as 600 seconds (10 minutes).

[SecBlade_VPN] ike proposal 10
[SecBlade_VPN-ike-proposal-10] sa duration 600


24

PKI CONFIGURATION COMMANDS

PKI Domain Configuration Commands

ca identifier Syntax

ca identifier name

undo ca identifier

View

PKI domain view

Parameter

name: CA identifier this device trusts, in the range of one character to 63 characters

Description

Use the ca identifier command to specify the CA this device trusts and have the "name" CA bound with this device.

Use the undo ca identifier command to delete the CA this device trusts.

By default, no trustworthy CA is specified.

Until the CA is deleted, certificate request, retrieval, revocation and polling are all carried out through it.

Example

# Specify the name of the CA this device trusts

[SecBlade_VPN-pki-domain-1] ca identifier new-ca

certificate request entity Syntax

certificate request entity entity-name

undo certificate request entity

View

PKI domain view


Parameter

entity-name: Entity name used to apply for certificate. It must be consistent with the name defined by the pki entity command. It can contain one character to 15 characters.

Description

Use the certificate request entity command to specify the entity name used to apply for certificate.

Use the undo certificate request entity command to cancel the entity name used to apply for a certificate.

By default, no entity name is specified.

Related command: pki entity.

Example

# Specify that the device uses the entity "en" to apply for certificate.

[3ComCA-pki-domain-1] certificate request entity en

certificate request from Syntax

certificate request from { ca | ra }

undo certificate request from

View

PKI domain view

Parameter

ca: The entity registers with the CA for certificate request.

ra: The entity registers with the RA for certificate request.

Description

Use the certificate request from command to choose between CA and RA to register for certificate request.

Use the undo certificate request from command to undo the selected registration agent.

An RA extends the certificate management of a CA: it accepts and verifies applicant information and handles enrollment, but it has no signing function, so certificates are still signed by the CA. Small PKI systems have no RA; its functions are performed by the CA.

By default, no registration agent is specified. Using an RA as the registration agent is recommended.

Example

# Specify that the entity registers by CA for certificate request

[SecBlade_VPN-pki-domain-1] certificate request from ca

certificate request mode

Syntax

certificate request mode { manual | auto [ key-length key-length | password { simple | cipher } password ]* }

undo certificate request mode

View

PKI domain view

Parameter

manual: Applies for the certificate manually.

auto: Applies for the certificate automatically.

key-length: Length of the RSA key to generate, in the range 512 to 2,048 bits. Keys of 512 and 1,024 bits are no longer considered secure; use 2,048 bits where the CA accepts it.

simple: Stores and displays the password in plain text.

cipher: Stores and displays the password in cipher text.

password: Password used later to revoke the certificate, 1 to 31 characters.

Description

Use the certificate request mode command to choose between manual and automatic certificate request.

Use the undo certificate request mode command to restore the default request mode.

In auto mode the device submits a certificate request by itself when it has no certificate or when the current certificate is about to expire. In manual mode every step of the request must be performed by the operator (see pki request-certificate).

By default, certificate requests are made manually.

Related command: pki request-certificate.

Example

# Set the request mode to Auto

[SecBlade_VPN-pki-domain-1] certificate request mode auto

certificate request polling

Syntax

certificate request polling { interval minutes | count count }

undo certificate request polling { interval | count }

View

PKI domain view

Parameter

minutes: Interval between two polls in the range of five minutes to 60 minutes. It is 20 minutes by default.

count: Retry times, in the range of 1 to 100. It is 50 times by default.

Description

Use the certificate request polling command to set the interval between two polls and the number of retries.

Use the undo certificate request polling command to restore the default values.

If the CA requires an operator to approve requests, a long time may pass between submitting the request and the certificate being issued. The device therefore polls the CA periodically so that it obtains the certificate soon after the request is approved. Polling stops after count attempts; with the default values the device keeps polling for up to 50 × 20 = 1,000 minutes.

Related command: display pki certificate.

Example

# Specify the interval between two polls and the retry times.

[SecBlade_VPN-pki-domain-1] certificate request polling interval 15
[SecBlade_VPN-pki-domain-1] certificate request polling count 40
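How the interval and count interact, as an added example in Python (not code from the switch): a poll loop that re-queries the CA for a pending request until the reply's pkiStatus is SUCCESS or FAILURE, gives up after count polls, and enforces the same ranges as the command. FakeCA is a constructed stand-in for a CA that waits for an operator to approve the request; the sleep hook exists only so the loop can run without actually waiting.

```python
import time

# pkiStatus values carried in the SCEP reply (see the debugging pki field table).
PENDING, SUCCESS, FAILURE = "PENDING", "SUCCESS", "FAILURE"


def validate_polling(interval_minutes, count):
    """Enforce the command's ranges: interval 5..60 minutes, count 1..100.

    Returns the worst-case wait in minutes (interval x count), which is how long
    the device keeps polling before the enrollment has to be restarted.
    """
    if not 5 <= interval_minutes <= 60:
        raise ValueError("polling interval must be 5..60 minutes")
    if not 1 <= count <= 100:
        raise ValueError("polling count must be 1..100")
    return interval_minutes * count


def poll_for_certificate(fetch, interval_minutes=20, count=50, sleep=time.sleep):
    """Poll the CA/RA for a pending request until it answers or the budget is used.

    fetch() stands in for one poll and returns (pkiStatus, payload).
    Returns (outcome, polls, payload) with outcome 'issued', 'rejected' or 'timeout'.
    """
    validate_polling(interval_minutes, count)
    for polls in range(1, count + 1):
        status, payload = fetch()
        if status == SUCCESS:
            return "issued", polls, payload
        if status == FAILURE:
            # The CA rejected the request; retrying cannot change that.
            return "rejected", polls, payload
        if polls < count:
            sleep(interval_minutes * 60)
    return "timeout", count, None


class FakeCA:
    """Constructed stand-in for a CA: answers PENDING n times, then a final status."""

    def __init__(self, pending_polls, final=SUCCESS):
        self.remaining = pending_polls
        self.final = final

    def __call__(self):
        if self.remaining > 0:
            self.remaining -= 1
            return PENDING, None
        payload = b"<issued certificate bytes>" if self.final == SUCCESS else None
        return self.final, payload


if __name__ == "__main__":
    budget = validate_polling(20, 50)
    print(f"default budget: {budget} minutes ({budget / 60:.1f} h)")
    # Same values as the example above: interval 15, count 40.
    print(poll_for_certificate(FakeCA(3), 15, 40, sleep=lambda s: None))
```

With the defaults (20 minutes, 50 polls) the device waits up to 1,000 minutes, roughly 16.7 hours, for the CA to approve a request; if the CA operator is slower than that, raise the count or the interval rather than re-issuing pki request-certificate, which creates a new transaction.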

certificate request url

Syntax

certificate request url string

undo certificate request url

View

PKI domain view

Parameter

string: URL of the registration server, 1 to 255 characters, in the form http://server_location/ca_script_location, that is, the server location followed by the location of the CA's CGI script. The server_location argument is usually an IP address; if a host name is used instead, DNS must be configured so that the name can be resolved to an address.

Description

Use the certificate request url command to specify the URL of the server that receives certificate requests over SCEP. SCEP (Simple Certificate Enrollment Protocol) is the protocol the device uses to enroll with, and retrieve certificates from, the CA or RA.

Use the undo certificate request url command to remove the configured URL.

By default, no server URL is specified.

Example

# Specify the server location for certificate request

[SecBlade_VPN-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll

crl check disable

Syntax

crl check disable

undo crl check disable

View

PKI domain view

Parameter

None

Description

Use the crl check disable command to disable CRL checking. With CRL checking disabled, a certificate that the CA has since revoked still passes validation, so disable it only where no CRL distribution point is reachable and that risk is accepted.

Use the undo crl check disable command to enable CRL checking.

By default, CRL checking is enabled.

Example

# Disable CRL check.

[SecBlade_VPN-pki-domain-1] crl check disable

crl update-period

Syntax

crl update-period hours

undo crl update-period

View

PKI domain view

Parameter

hours: Update period, in hours.

Description

Use the crl update-period command to set the CRL update period, that is, the interval at which the device downloads a fresh CRL from the CRL distribution point.

Use the undo crl update-period command to restore the default CRL update period.

By default, the CRL is refreshed according to its own validity period, that is, when the time in its Next Update field is reached.

Example

# Specify CRL update period to 20 hours.

[SecBlade_VPN-pki-domain-1] crl update-period 20

crl url

Syntax

crl url url-string

undo crl url

View

PKI domain view

Parameter

url-string: Location of the CRL distribution point, 1 to 255 characters, in the form ldap://server_location. The server_location argument is usually an IP address; if a host name is used instead, DNS must be configured so that the name can be resolved to an address.

Description

Use the crl url command to specify the distribution point URL for CRL.

Use the undo crl url command to remove the URL.

By default, no CRL distribution point URL is specified.

Example

# Specify the URL location of CRL database

[SecBlade_VPN-pki-domain-1] crl url ldap://169.254.0.30

ldap-server

Syntax

ldap-server ip ip-address [ port port-num ] [ version version-number ]

undo ldap-server

View

PKI domain view

Parameter

ip-address: IP address of the LDAP server.

port-num: Port number of the LDAP server, 1 to 65,535. The default is 389.

version-number: LDAP protocol version, 2 or 3. The default is 2.

Description

Use the ldap-server ip command to configure the IP address and port of the LDAP server.

Use the undo ldap-server ip command to remove the LDAP server configuration.

By default, no LDAP server IP address or port is configured.

Example

# Specify the location of the LDAP server.

[SecBlade_VPN-pki-domain-1] ldap-server ip 169.254.0.30

pki domain

Syntax

pki domain name

undo pki domain name

View

System view

Parameter

name: Name of the PKI domain, 1 to 15 characters. Other commands reference the domain by this name; it identifies the PKI domain to which this device belongs.

Description

Use the pki domain command to enter PKI domain view, where you configure the LDAP server and the parameters used for certificate request and validation.

Use the undo pki domain command to delete the specified PKI domain.

By default, no PKI domain name is specified.

Example

# Enter PKI domain view.

[SecBlade_VPN] pki domain 1
[SecBlade_VPN-pki-domain-1]

root-certificate fingerprint

Syntax

root-certificate fingerprint { md5 | sha1 } string

undo root-certificate fingerprint

View

PKI domain view

Parameter

md5: Uses MD5 fingerprint.

sha1: Uses SHA1 fingerprint.

string: Fingerprint to be used. If the MD5 fingerprint is selected, the string argument must have 32 characters and be input in hexadecimal format. If the SHA1 fingerprint is selected, the string argument must have 40 characters and be input in hexadecimal format.

Description

Use the root-certificate fingerprint command to configure the fingerprint used to authenticate the CA root certificate. The fingerprint is checked against the CA certificate when it is retrieved; obtain it from the CA operator out of band, because SCEP does not itself authenticate the CA certificate it delivers.

Use the undo root-certificate fingerprint command to cancel the configured fingerprint.

By default, no fingerprint is configured.

Example

# Configure an MD5 fingerprint for authenticating the CA root certificate.

[SecBlade_VPN-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E

# Configure a SHA1 fingerprint for authenticating the CA root certificate.

[SecBlade_VPN-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
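The check behind the root-certificate fingerprint command, as an added example in Python (not code from the 3Com/H3C firmware): it hashes the DER bytes of the retrieved CA certificate with MD5 or SHA1, normalizes the operator-configured string to the 32- or 40-hex-digit form the command requires, and compares the two in constant time. CA_DER is a constructed placeholder byte string, not a real certificate; the fingerprint is simply the hash of the DER encoding, so any byte string exercises the same logic.

```python
import hashlib
import hmac
import re

# Constructed placeholder for a DER-encoded CA certificate (NOT a real certificate).
CA_DER = bytes.fromhex("308201a23082010ba003020102020101300d06092a864886f70d0101050500")

# Hex digits the command accepts for each algorithm: md5 -> 32, sha1 -> 40.
HEX_LEN = {"md5": 32, "sha1": 40}


def normalize_fingerprint(algo, configured):
    """Normalize an operator-entered fingerprint to upper-case hex.

    Spaces and colons (as printed by the device or by openssl) are tolerated;
    anything else, or a wrong length, is rejected rather than silently ignored.
    """
    if algo not in HEX_LEN:
        raise ValueError("algorithm must be md5 or sha1")
    cleaned = re.sub(r"[\s:]", "", configured).upper()
    if not re.fullmatch(r"[0-9A-F]*", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    if len(cleaned) != HEX_LEN[algo]:
        raise ValueError(f"{algo} fingerprint must be {HEX_LEN[algo]} hex characters")
    return cleaned


def fingerprint(algo, der):
    """Hash the DER-encoded certificate with md5 or sha1; upper-case hex string."""
    return hashlib.new(algo, der).hexdigest().upper()


def device_style(hexstr):
    """Format like the device's retrieval output: groups of four hex digits."""
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def fingerprint_matches(algo, configured, der):
    """True only if the configured fingerprint matches the received CA certificate.

    Constant-time comparison; on a mismatch the retrieved certificate must be
    discarded, not saved to flash.
    """
    expected = normalize_fingerprint(algo, configured)
    return hmac.compare_digest(expected, fingerprint(algo, der))


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(f"{algo.upper()} fingerprint: {device_style(fingerprint(algo, CA_DER))}")
    print(fingerprint_matches("sha1", fingerprint("sha1", CA_DER), CA_DER))
```

The first retrieval of the CA certificate is the trust-anchor decision for the whole PKI domain: everything validated later (local certificates, CRLs, IKE peers) chains back to it, so compare the fingerprint you were given out of band against what the device prints before answering the "Is the finger print correct?" prompt.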

PKI Entity Configuration Commands

fqdn

Syntax

fqdn name-str

undo fqdn

View

PKI entity view

Parameter

name-str: FQDN of the entity, 1 to 255 characters.

Description

Use the fqdn command to specify the FQDN of an entity.

Use the undo fqdn command to delete the entity FQDN.

By default, no entity FQDN is specified.

A fully qualified domain name (FQDN) uniquely identifies an entity in the network, much as an e-mail address identifies a user, and can be resolved to an IP address. It usually takes the form host.domain.

Example

# Configure the FQDN of an entity

[SecBlade_VPN-pki-entity-1] fqdn pki.3com-3com.com

common-name

Syntax

common-name name-str

undo common-name

View

PKI entity view

Parameter

name-str: Common name of the entity, 1 to 31 characters.

Description

Use the common-name command to specify the common name of an entity, for example a user name.

Use the undo common-name command to delete the common name of this entity.

By default, no common name is specified for any entity.

Example

# Configure the common name of an entity

[SecBlade_VPN-pki-entity-1] common-name pki test

country

Syntax

country country-code-str

undo country

View

PKI entity view

Parameter

country-code-str: Two-letter country code.

Description

Use the country command to specify the code of the country to which the entity belongs. It is the standard two-letter code (ISO 3166), for example CN for China.

Use the undo country command to delete the country code of this entity.

By default, no country code is specified for any entity.

Example

# Set the country code of an entity

[SecBlade_VPN-pki-entity-1] country CN

ip

Syntax

ip ip-address

undo ip

View

PKI entity view

Parameter

ip-address: IP address of the entity, in dotted decimal notation (A.B.C.D).

Description

Use the ip command to specify the IP address of an entity.

Use the undo ip command to delete the specified IP address.

By default, no entity IP address is specified.

Example

# Configure the IP address of an entity.

[SecBlade_VPN-pki-entity-1] ip 161.12.2.3

locality

Syntax

locality locality-str

undo locality

View

PKI entity view

Parameter

locality-str: Name of the geographical locality of an entity, in the range of one character to 31 characters.

Description

Use the locality command to specify the geographical locality of the entity, typically a city.

Use the undo locality command to remove the locality.

By default, no geographical locality is specified for any entity.

Example

# Configure the name of the city where the entity lies.

[SecBlade_VPN-pki-entity-1] locality bei jing

organization

Syntax

organization org-str

undo organization

View

PKI entity view

Parameter

org-str: Organization name in the range of one character to 31 characters.

Description

Use the organization command to specify the name of the organization to which the entity belongs.

Use the undo organization command to delete that name.

By default, no organization name is specified for an entity.

Example

# Configure the name of the organization to which an entity belongs

[SecBlade_VPN-pki-entity-1] organization hua wei - 3com

organizational-unit

Syntax

organizational-unit org-unit-str

undo organizational-unit

View

PKI entity view

Parameter

org-unit-str: Organization unit name in the range of one character to 31 characters.

Description

Use the organizational-unit command to specify the name of the organization unit to which this entity belongs.

Use the undo organizational-unit command to delete the specified organization unit name.

By default, no organization unit name is specified for any entity.

Example

# Configure the name of the organization unit to which an entity belongs

[SecBlade_VPN-pki-entity-1] organizational-unit soft plat

state

Syntax

state state-str

undo state

View

PKI entity view

Parameter

state-str: State name in the range of one character to 31 characters.

Description

Use the state command to specify the name of the state where an entity lies.

Use the undo state command to remove the state name.

By default, the state of an entity is not specified.

Example

# Specify the state where an entity lies

[SecBlade_VPN-pki-entity-1] state bei jing

pki entity

Syntax

pki entity name-str

undo pki entity name-str

View

Any view

Parameter

name-str: Name that uniquely identifies the entity on the device, 1 to 15 characters. Other commands reference the entity by this name.

Description

Use the pki entity command to name a PKI entity and enter PKI entity view.

Use the undo pki entity command to delete the entity together with all attributes configured under it.

The attributes of an entity (its distinguished name fields and alternative names) are configured in PKI entity view. The name-str argument exists only so that other commands can reference the entity; it does not itself appear in any certificate field.

By default, the entity name is not specified.

Example

# Enter PKI entity view

[SecBlade_VPN] pki entity en
[SecBlade_VPN-pki-entity-en]

PKI Certificate Operation Commands

pki delete-certificate

Syntax

pki delete-certificate { local | ca } domain domain-name

View

System view

Parameter

local: Deletes all locally stored local certificates.

ca: Deletes all locally stored CA certificates.

domain-name: PKI domain for the certificate to be deleted.

Description

Use the pki delete-certificate command to delete the locally stored certificates.

Example

# Delete the local certificates in PKI domain cer.

[SecBlade_VPN] pki delete-certificate local domain cer

pki import-certificate

Syntax

pki import-certificate { local | ca } domain domain-name { der | p12 | pem } [ filename filename ]

View

System view

Parameter

local: Local certificate.

ca: CA certificate.

domain-name: PKI domain where the certificate is located.

der: The certificate file is DER encoded.

p12: The certificate file is in PKCS#12 format.

pem: The certificate file is PEM encoded.

filename: File name of the certificate, a string of one character to 127 characters.

Description

Use the pki import-certificate command to import existing CA certificates or local certificates.

Related command: pki domain.

Example

# Import a CA certificate whose format is PEM code.

[SecBlade_VPN] pki import-certificate ca domain cer pem

pki request-certificate

Syntax

pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]

View

System view

Parameter

domain-name: Domain name containing CA or RA related information. It is configured by using the pki domain command.

password: Password used later to revoke the certificate, an optional string of 1 to 31 characters.

pkcs10: Displays the PKCS#10 certificate request on the terminal in BASE64 encoding. Use this for out-of-band enrollment, where the request is conveyed by phone, on disk or by e-mail rather than through SCEP.

filename: File in which to save the PKCS#10 certificate request.

Description

Use the pki request-certificate command to send a certificate request for the generated RSA key pair to the CA through SCEP. If SCEP communication with the CA fails, you can print the local certificate request in BASE64 encoding with the pkcs10 keyword, copy it, and deliver it to the CA out of band.

This operation is not saved within the configuration.

Related command: pki domain.

Example

# Manually apply for a certificate and display on the terminal the PKCS#10 certificate request.

[SecBlade_VPN] pki request-certificate domain 1 pkcs10

pki retrieval-certificate

Syntax

pki retrieval-certificate { local | ca } domain domain-name

View

System view

Parameter

local: Downloads local certificates.

ca: Downloads CA certificates.

domain-name: Domain name containing CA or RA related information. It is configured by using the pki domain command.

Description

Use the pki retrieval-certificate command to download a certificate from the certificate issuing server.

Related command: pki domain.

Example

# Retrieve a certificate

[SecBlade_VPN] pki retrieval-certificate ca domain 1

pki retrieval-crl

Syntax

pki retrieval-crl domain domain-name

View

System view

Parameter

domain-name: Domain name containing CA or RA related information. It is configured by using the pki domain command.

Description

Use the pki retrieval-crl command to obtain the latest CRL from CRL server for the verification of the validity of a current certificate.

Related command: pki domain.

Example

# Retrieve a CRL

[SecBlade_VPN] pki retrieval-crl domain 1

pki validate-certificate

Syntax

pki validate-certificate { local | ca } domain domain-name

View

System view

Parameter

local: Validates a local certificate.

ca: Validates a CA certificate.

domain-name: Name of the domain the certificate to be validated belongs to. It is configured by using the pki domain command.

Description

Use the pki validate-certificate command to verify the validity of a certificate. The check verifies the CA signature on the certificate, confirms that the current time falls within the certificate's validity period, and, unless CRL checking has been disabled, confirms that the certificate does not appear on the CRL. A certificate passes only if all of these checks succeed; a valid CA signature alone establishes that the CA issued the certificate, not that it is still current.

Related command: pki domain.

Example

# Verify the validity of a certificate.

[SecBlade_VPN] pki validate-certificate local domain 1
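The checks described above, together with the crl check disable and crl update-period settings from earlier in this chapter, as an added example in Python (not code from the switch). The certificate's serial number, issuer and validity period are copied from the display pki certificate output later on this page; the CRL contents and the result of the CA signature check are constructed inputs, since the signature verification itself is assumed rather than implemented here.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def at(y, m, d, h=0, mi=0, s=0):
    """Build a UTC timestamp, as printed in the GMT fields of the display output."""
    return datetime(y, m, d, h, mi, s, tzinfo=UTC)


# Constructed record for a parsed local certificate. Serial, issuer and validity
# follow the display pki certificate output on this page; signature_valid is the
# assumed outcome of checking the CA signature (a real implementation computes it
# with the CA public key).
LOCAL_CERT = {
    "serial": "10B7D4E3 00010000 0086",
    "issuer": "C=CN ST=Beijing L=Beijing O=hw3c OU=bjs CN=new-ca",
    "not_before": at(2004, 1, 13, 8, 57, 21),
    "not_after": at(2005, 1, 20, 9, 7, 21),
    "signature_valid": True,
}

# Constructed CRL from the same issuer; the revoked serial is made up.
FRESH_CRL = {
    "issuer": "C=CN ST=Beijing L=Beijing O=hw3c OU=bjs CN=new-ca",
    "last_update": at(2004, 5, 31, 8, 0, 0),
    "next_update": at(2004, 6, 1, 21, 0, 0),
    "revoked": {"05A234448E 00010000 0011"},
}


def crl_refresh_due(crl, now, update_period_hours=None):
    """Decide whether the local CRL must be downloaded again.

    Without crl update-period the device follows the CRL's own validity and
    refreshes once Next Update has passed. With a period configured, it refreshes
    every update_period_hours after Last Update regardless of Next Update.
    """
    if update_period_hours is None:
        return now >= crl["next_update"]
    return now >= crl["last_update"] + timedelta(hours=update_period_hours)


def validate_certificate(cert, crl, now, crl_check=True):
    """Apply the checks pki validate-certificate performs; return (ok, reason).

    A bad signature or an expired certificate fails before the CRL is consulted,
    and the CRL is only trusted if it comes from the certificate's issuer and is
    still within its own validity window.
    """
    if not cert["signature_valid"]:
        return False, "CA signature does not verify"
    if now < cert["not_before"]:
        return False, "certificate not yet valid"
    if now > cert["not_after"]:
        return False, "certificate expired"
    if not crl_check:
        # crl check disable: revocation is never consulted, so a revoked
        # certificate passes here. Say so in the reason.
        return True, "valid (CRL check disabled; revocation not checked)"
    if crl is None:
        return False, "no CRL available; run pki retrieval-crl"
    if crl["issuer"] != cert["issuer"]:
        return False, "CRL issuer does not match certificate issuer"
    if crl_refresh_due(crl, now):
        return False, "CRL is stale (Next Update has passed); refresh it first"
    if cert["serial"] in crl["revoked"]:
        return False, "certificate revoked"
    return True, "valid"


if __name__ == "__main__":
    now = at(2004, 6, 1, 12)
    print(validate_certificate(LOCAL_CERT, FRESH_CRL, now))
    revoked_crl = dict(FRESH_CRL, revoked={LOCAL_CERT["serial"]})
    print(validate_certificate(LOCAL_CERT, revoked_crl, now))
    print(validate_certificate(LOCAL_CERT, revoked_crl, now, crl_check=False))
    print("refresh due with crl update-period 20:", crl_refresh_due(FRESH_CRL, now, 20))
```

The CRL shown under display pki crl later on this page is issued by a different CA (CN=A Test Root) than the certificate above (CN=new-ca); the issuer check in the example is what stops such a CRL from being used to decide that certificate's revocation status.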

PKI Displaying and Debugging Commands

debugging pki

Syntax

debugging pki { all | request | retrieval | verify | error }

undo debugging pki { all | request | retrieval | verify | error }

View

User view

Parameter

all: Enables all debugging.

request: Enables debugging in certificate request.

retrieval: Enables debugging in certificate retrieval.

verify: Enables debugging for certificate validation.

error: Enables debugging in case of errors.

Description

Use the debugging pki command to enable the debugging for PKI.

Use the undo debugging pki command to disable the debugging output.

Debugging output helps operators and developers diagnose faults that arise during device operation. Enable only the categories you need; the output is verbose.

By default, all PKI debugging functions are disabled.

Example

# Enable the debugging in case of errors in PKI certificate operation.

[SecBlade_VPN] debugging pki error
[SecBlade_VPN] pki delete-certificate ca domain 1
[SecBlade_VPN] pki request-certificate domain 1
Certificate enroll failed! Cannot get the CA/RA certificate when creating the x509 Request

# Enable the debugging function for PKI certificate retrieval.

[SecBlade_VPN] debugging pki retrieval
[SecBlade_VPN] pki retrieval-certificate local domain 1
Retrievaling CA/RA certificates. Please wait a while......
We receive 3 certificates.
The trusted CA's finger print is:
MD5 fingerprint:74C9 B71D 406B DDB3 F74A 96BC E05B 40E9
SHA1 fingerprint:770E 2937 4E32 ACD4 4ACC 7CF1 0FF0 6FB8 6C34 E24A
Is the finger print correct?(Y/N):y
Saving the CA/RA certificate to flash.....................Done!

# Enable the debugging function for PKI certificate request.

[SecBlade_VPN] debugging pki request
[SecBlade_VPN] pki request-certificate domain 1
Create PKCS#10 request: token seen: CN=pki test
Create PKCS#10 request: CN=pki test added
Create PKCS#10 request: subject dn set to '/CN=pki test'
Certificate Request:
.....
dir_name:certsrv/mscep/mscep.dll
host_name:169.254.0.100
SCEP transaction id: 58D41D0C5A7B1E21C5F4A008B580B1A1
PKCS#7 envelope: creating inner PKCS#7
PKCS#7 envelope: data payload size: 297 bytes
data payload:
....
PKCS#7 envelope: successfully encrypted payload
PKCS#7 envelope: size 667 bytes
PKCS#7 envelope: creating outer PKCS#7
PKCS#7 envelope: signature added successfully
PKCS#7 envelope: adding signed attributes
PKCS#7 envelope: adding string attribute transId
PKCS#7 envelope: adding string attribute messageType
PKCS#7 envelope: adding octet attribute senderNonce
PKCS#7 envelope: PKCS#7 data written successfully
PKCS#7 envelope: applying base64 encoding
PKCS#7 envelope: base64 encoded payload size: 2145 bytes
SCEP send message:IP = 0xa9fe0064
SCEP send message: Server returned status code
Valid response from server
PKCS#7 develope: reading outer PKCS#7
PKCS#7 develope: PKCS#7 payload size: 1872 bytes
PKCS#7 develope: PKCS#7 contains 1276 bytes of enveloped data
PKCS#7 develope: verifying signature
PKCS#7 develope: signature ok
PKCS#7 develope: finding signed attributes
PKCS#7 develope: finding attribute transId
PKCS#7 develope: allocating 32 bytes for attribute
PKCS#7 develope: reply transaction id: 58D41D0C5A7B1E21C5F4A008B580B1A1
PKCS#7 develope: finding attribute messageType
PKCS#7 develope: allocating 1 bytes for attribute
PKCS#7 develope: reply message type is good
PKCS#7 develope: finding attribute senderNonce
PKCS#7 develope: allocating 16 bytes for attribute
PKCS#7 develope: senderNonce in reply: : a6341944 28d9b544 a4755d9a ba320d35
PKCS#7 develope: finding attribute recipientNonce
PKCS#7 develope: allocating 16 bytes for attribute
PKCS#7 develope: recipientNonce in reply: : b98da9c3 20b638c5 634f4924 65f804d9
PKCS#7 develope: finding attribute pkiStatus
PKCS#7 develope: allocating 1 bytes for attribute
PKCS#7 develope: pkistatus SUCCESS
PKCS#7 develope: reading inner PKCS#7
PKCS#7 develope: decrypting inner PKCS#7
PKCS#7 develope: PKCS#7 payload size: 1003 bytes
PKI Get the Signed Certificates:
subject: /CN=pki test
issuer: /[email protected]/C=CN/ST=Beijing/L=Beijing/O=hw3c/OU=bjs/CN=myca
Key usage: general purpose

# Enable the debugging function for PKI certificate validation

[SecBlade_VPN] debugging pki verify
[SecBlade_VPN] pki validate-certificate local domain 1
Verify certificate......
Serial Number: 101E266A 00000000 006B
Issuer:
[email protected]
C=CN
ST=Beijing
L=Beijing
O=hw3c
OU=bjs
CN=myca
Subject:
C=CN
ST=bei jing
O=hua wei - 3com
CN=pki test
Verify result: ok

Table 279 Description on the fields of the debugging pki command

Field: Description

Create PKCS#10 request: Encapsulation of the entity's request in PKCS#10 format

PKCS#7 envelope: Data encapsulation in PKCS#7 format (encryption and signing)

inner PKCS#7: PKCS#7 encryption of the datagram

outer PKCS#7: Signing of the PKCS#7 datagram

PKCS#7 develope: De-encapsulation (signature check and decryption) of the PKCS#7 packet

host_name: Host name of the registration server

dir_name: CGI script directory on the registration server

data payload: Data payload

token seen: DN information of the entity

pkistatus: PKI certificate operation status

SUCCESS: Succeeded

FAILURE: Failed

PENDING: Waiting for processing (the CA has not yet approved the request)

fingerprint: Hash (MD5 or SHA1) of the CA certificate, used to authenticate the CA out of band

base64 encoded: A data encoding mode

x509 Request: Request for a certificate in standard X.509 format

Key usage: Encryption, signature and other usages the certificate is valid for

Issuer: Certificate issuer

Subject: The entity that submitted the certificate request

SCEP send message: The entity sends a certificate operation packet to the CA through SCEP

Signed Certificates: Certificates signed by the CA

display pki certificate

Syntax

display pki certificate { { local | ca } domain domain-name | request-status }

View

Any view

Parameter

local: Displays all local certificates.

ca: Displays all CA certificates.

request-status: Displays the status of a certificate request that has been submitted.

domain-name: Name of the PKI domain whose certificates are to be displayed. It is configured by using the pki domain command.

Description

Use the display pki certificate command to display the certificate.

Related command: pki retrieval-certificate, pki domain, and certificate request polling.

Example

# Display the local certificates.

[SecBlade_VPN] display pki certificate local domain 1
Data:
Version: 3 (0x2)
Serial Number: 10B7D4E3 00010000 0086
Signature Algorithm: md5WithRSAEncryption
Issuer:
[email protected]
C=CN
ST=Beijing
L=Beijing
O=hw3c
OU=bjs
CN=new-ca
Validity
Not Before: Jan 13 08:57:21 2004 GMT
Not After : Jan 20 09:07:21 2005 GMT
Subject:
C=CN
ST=beijing
L=beijing
CN=pki test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00D41D1F ...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:hyf.3com-3com.com
...
...
Signature Algorithm: md5WithRSAEncryption
A3A5A447 4D08387D ...

Table 280 Description on the fields of the display pki certificate command

Field: Description

Version: Version number of the certificate

Serial Number: Serial number of the certificate

Signature Algorithm: Signature algorithm

Issuer: Certificate issuer

Validity: Validity period of the certificate

Subject: Subject named in the certificate request

Subject Public Key Info: Public key information of the subject in the certificate request

X509v3 extensions: Extension attributes of the X509v3 certificate

X509v3 CRL Distribution Points: Distribution point of the X509v3 CRL

display pki crl

Syntax

display pki crl domain domain-name

View

Any view

Parameter

domain-name: Name of the PKI domain whose CRL is to be displayed. It is configured by using the pki domain command.

Description

Use the display pki crl command to view the locally saved CRL.

Related command: pki retrieval-crl, and pki domain.

Example

# Display a CRL

[SecBlade_VPN] display pki crl domain 1
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
C=CN
O=h3c
OU=soft
CN=A Test Root
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
CRL extensions:
X509v3 CRL Number:
2
X509v3 Authority Key Identifier:
keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
Serial Number: 05a234448E...
Revocation Date: Sep 6 12:33:22 2004 GMT
CRL entry extensions:......
Serial Number: 05a278445E...
Revocation Date: Sep 7 12:33:22 2004 GMT
CRL entry extensions:...

Table 281 Description on the fields of the display pki crl command

Field: Description

Version: CRL version number

Signature Algorithm: Signature algorithm used to sign the CRL

Issuer: CA that issued this CRL

Last Update: Time this CRL was issued

Next Update: Time by which the CA will issue the next CRL; after this the local copy is stale

CRL extensions: Extension attributes of the CRL

CRL Number: Sequence number of this CRL (increases with each CRL the CA issues; it is not the count of revoked certificates)

Authority Key Identifier: Identifier of the CA key that signed this CRL

Revoked Certificates: List of revoked certificates

Serial Number: Serial number of a revoked certificate

Revocation Date: Date the certificate was revoked

25 DVPN CONFIGURATION COMMANDS

algorithm-suite

Syntax

algorithm-suite suite-number

undo algorithm-suite

View

DVPN class views

Parameter

suite-number: Algorithm suite number ranging from 1 to 12, whose meanings are as follows:

1 DES_MD5_DHGROUP1

2 DES_MD5_DHGROUP2

3 DES_SHA1_DHGROUP1

4 DES_SHA1_DHGROUP2

5 3DES_MD5_DHGROUP1

6 3DES_MD5_DHGROUP2

7 3DES_SHA1_DHGROUP1

8 3DES_SHA1_DHGROUP2

9 AES128_MD5_DHGROUP1

10 AES128_MD5_DHGROUP2

11 AES128_SHA1_DHGROUP1

12 AES128_SHA1_DHGROUP2

Description

Use the algorithm-suite command to specify the algorithm suite used when a client registers.

Use the undo algorithm-suite command to revert to the default algorithm suite.

The default algorithm suite is numbered 1, which stands for DES (for encryption), MD5 (for authentication), and DH-GROUP1 (for key negotiation).

Example

# Specify to use AES for encryption, SHA1 for authentication, and DH-Group1 for key negotiation.

[SecBlade_VPN-dvpn-class-abc] algorithm-suite 11

authentication-client method

Syntax

authentication-client method { none | { chap | pap } [ domain isp-name ] }

View

DVPN policy views

Parameter

pap: Specifies the DVPN server to authenticate clients using PAP (password authentication protocol).

none: Specifies the DVPN server not to authenticate clients.

chap: Specifies the DVPN server to authenticate clients using CHAP (challenge handshake authentication protocol).

domain isp-name: Specifies the ISP domain in which the DVPN server authenticates clients.

Description

Use the authentication-client method command to specify how the DVPN server that has the DVPN policy applied authenticates clients. CHAP and PAP are currently available.

By default, the client is not authenticated.

Example

# Configure a DVPN policy to specify to authenticate clients using CHAP.

[SecBlade_VPN-dvpn-policy-abc] authentication-client method chap

authentication-server method

Syntax

authentication-server method { none | pre-share }

View

DVPN class views

Parameter

none: Specifies the client not to authenticate the DVPN server.

pre-share: Specifies the client to authenticate the DVPN server using a pre-shared-key.

Description

Use the authentication-server method command to specify whether or not a client authenticates the DVPN server it accesses.

A client does not authenticate the DVPN server it accesses by default.


Example

# Specify the client to authenticate the DVPN server using a pre-shared-key.

[SecBlade_VPN-dvpn-class-abc] authentication-server method pre-share

data algorithm-suite

Syntax

data algorithm-suite suite-number

undo data algorithm-suite

View

DVPN policy views

Parameter

suite-number: Algorithm suite number ranging from 0 to 12, whose meanings are as follows:

0 Without protection

1 DES_MD5_DHGROUP1

2 DES_MD5_DHGROUP2

3 DES_SHA1_DHGROUP1

4 DES_SHA1_DHGROUP2

5 3DES_MD5_DHGROUP1

6 3DES_MD5_DHGROUP2

7 3DES_SHA1_DHGROUP1

8 3DES_SHA1_DHGROUP2

9 AES128_MD5_DHGROUP1

10 AES128_MD5_DHGROUP2

11 AES128_SHA1_DHGROUP1

12 AES128_SHA1_DHGROUP2

Description

Use the data algorithm-suite command to specify the algorithm suite used by the IPsec SAs (security associations) that protect forwarded data.

Use the undo data algorithm-suite command to revert to the default algorithm suite.

The default algorithm suite used by IPsec SAs is numbered 1, which stands for DES (for encryption), MD5 (for authentication), and DH-GROUP1 (for key negotiation).


Example

# Specify not to encrypt packets.

[SecBlade_VPN-dvpn-policy-abc] data algorithm-suite 0

data ipsec-sa duration

Syntax

data ipsec-sa duration time-based time-interval

undo data ipsec-sa duration time-based

View

DVPN policy views

Parameter

time-interval: Timeout after which the IPsec SA used to encrypt DVPN data is renegotiated. This argument ranges from 180 to 604,800 seconds.

Description

Use the data ipsec-sa duration time-based command to set the timeout after which the IPsec SA used to encrypt DVPN data is renegotiated.

Use the undo data ipsec-sa duration time-based command to revert to the default IPsec SA renegotiation timeout.

The default IPsec SA renegotiation timeout is 3600 seconds.

Example

# Set the IPsec SA renegotiation timeout to 86400 seconds.

[SecBlade_VPN-dvpn-policy-abc] data ipsec-sa duration time-based 86400

debugging dvpn

Syntax

debugging dvpn { all | error | event { all | misc | register | session } | hexadecimal | packet { all | control | data | ipsec } }

undo debugging dvpn { all | error | event { all | register | session | misc } | hexadecimal | packet { all | control | data | ipsec } }

View

User view

Parameter

all: Enables all types of DVPN debugging.

error: Enables debugging for DVPN errors.

event: Enables debugging for DVPN events, such as register events, session events, and misc events.

hexadecimal: Enables debugging for hexadecimal packets.


packet: Enables debugging for DVPN packets, such as control packets, data, and IPsec packets.

Description

Use the debugging dvpn command to enable specified types of DVPN debugging.

Use the undo debugging dvpn command to disable specified types of DVPN debugging.

Debugging for DVPN is disabled by default.

Example

# Enable debugging for DVPN register events.

<SecBlade_VPN> debugging dvpn event register

display dvpn ipsec-sa

Syntax

display dvpn ipsec-sa { all | dvpn-id dvpn-id [ private-ip private-ip ] }

View

Any view

Parameter

all: Specifies to display all information about IPsec SAs.

dvpn-id: ID of the DVPN domain in the range of 1 to 65535.

private-ip: Private IP address.

Description

Use the display dvpn ipsec-sa command to display information about IPsec SAs.

Example

# Display information about IPsec SAs in the DVPN domain with an ID of 1.

<SecBlade_VPN> display dvpn ipsec-sa dvpn-id 1
---------------------------
Session dvpn-id : 1
Session local : 10.0.0.3
Session remote : 10.0.0.2
sa mode : DVPN
---------------------------
[Inbound ESP SAs]
spi : 1549550209 (0x5c5c4281)
authentication-algorithm : ESP-AUTH-MD5
encryption-algorithm : ESP-ENCRYPT-3DES
life duration(bytes/sec): 0/180
remaining life duration(bytes/sec): 0/102
[Outbound ESP SAs]


spi : 2421434273 (0x905427a1)
authentication-algorithm : ESP-AUTH-MD5
encryption-algorithm : ESP-ENCRYPT-3DES
life duration(bytes/sec): 0/180
remaining life duration(bytes/sec): 0/102

display dvpn map

Syntax

display dvpn map { all | dvpn-id dvpn-id | public-ip public-ip }

View

Any view

Parameter

all: Specifies to display information about all established maps.

dvpn-id dvpn-id: Specifies the ID of the DVPN domain. The dvpn-id argument ranges from 1 to 65535.

public-ip public-ip: Specifies the public IP address.

Description

Use the display dvpn map command to display information about maps in a DVPN domain, such as private IP address, public IP address, port number, DVPN connection state, DVPN connection type, and control ID.

Example

# Display information about all maps.

[SecBlade_VPN] display dvpn map all
vpn-id  private-ip  public-ip   port  state    type  control-id
--------------------------------------------------------------------
1       10.0.0.2    211.1.1.2   9876  SUCCESS  C->S  70433124
2       11.0.0.2    211.1.1.2   9876  SUCCESS  C->S  70432548

display dvpn session

Syntax

display dvpn session { all | dvpn-id dvpn-id [ private-ip private-ip ] }

View

Any view

Parameter

all: Specifies to display information about all established sessions.

dvpn-id dvpn-id: Specifies the ID of the DVPN domain. The dvpn-id argument ranges from 1 to 65535.

private-ip private-ip: Specifies the private IP address (the IP address of the tunnel interface).

Description

Use the display dvpn session command to display information about sessions the device owns.


Example

# Display information about all sessions in the DVPN domain with an ID of 2.

<SecBlade_VPN> display dvpn session dvpn-id 2
vpn-id  private-ip  public-ip     port   state    type
-------------------------------------------------------------
2       11.0.0.2    211.1.1.2     9876   SUCCESS  C->S
2       11.0.0.4    211.1.1.100   12289  SUCCESS  C->C

display dvpn info

Syntax

display dvpn info { dvpn-id dvpn-id | global }

View

Any view

Parameter

dvpn-id: ID of the DVPN domain ranging from 1 to 65535.

global: Specifies to display global configuration information about DVPN.

Description

Use the display dvpn info command to display configuration and runtime information about a specified DVPN domain. Use the display dvpn info global command to display global configuration and runtime information about DVPN.

Example

# Display information about the DVPN domain with an ID of 1.

[SecBlade_VPN] display dvpn info dvpn-id 1
---------------------------------------------------
DVPN Domain 1 Information
---------------------------------------------------
type : client
register type : Undistributed | Forward
session number : 1
server : server0
server state : active
server public IP : 211.1.1.2
algorithm suite : DES_MD5_DHGROUP1
session encryption flag : Need encryption
data encryption flag : Need encryption
authentication server method : none
session algorithm suite : AES128_SHA1_DHGROUP1
session setup time : 10
session idle time : 300
session keepalive time : 10
data algorithm suite : 3DES_MD5_DHGROUP2
data ipsecsa duration time : 180
data ipsecsa duration byte : 0
input packets : 17160
input dropped packets : 0


output packets : 87
output direct send packets : 42
output error dropped packets : 3
output send ipsec packets : 42
output send ipsec fail packets : 0

# Display global configuration about DVPN.

[SecBlade_VPN] display dvpn info global
DVPN Service Global information:
Total dvpn number : 2
Total Server Dvpn number : 1
Total Client Dvpn number : 1
Total Dvpn Class number : 1
Total Dvpn Policy number : 1
Global Authenticate Client Type : NONE
Global map agetime : 30
Global register interval : 10
Global register retry : 3
Global regoster dumb : 300
Total Map number : 0
Total Session number : 0
Total redirect number : 0
Total UDP input packets : 0
Total input drop packets : 0
Total output packets : 0
Total write to ipsec err : 0
Total output error : 0
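The suite names shown in this output are the ones numbered under the algorithm-suite, data algorithm-suite and session algorithm-suite commands. As an added example (not 3Com code), the following Python script parses a constructed display dvpn info dvpn-id output modelled on the one above and flags what a reviewer would want changed: suite 0, single DES, MD5, DH group 1 and authentication server method none. That the bare "algorithm suite" field is the class-level registration suite is an assumption.

```python
import re

# Suite numbering from the algorithm-suite, data algorithm-suite and
# session algorithm-suite commands; suite 0 means no protection.
SUITES = {
    0: None,
    1: "DES_MD5_DHGROUP1", 2: "DES_MD5_DHGROUP2",
    3: "DES_SHA1_DHGROUP1", 4: "DES_SHA1_DHGROUP2",
    5: "3DES_MD5_DHGROUP1", 6: "3DES_MD5_DHGROUP2",
    7: "3DES_SHA1_DHGROUP1", 8: "3DES_SHA1_DHGROUP2",
    9: "AES128_MD5_DHGROUP1", 10: "AES128_MD5_DHGROUP2",
    11: "AES128_SHA1_DHGROUP1", 12: "AES128_SHA1_DHGROUP2",
}
_SUITE_RE = re.compile(r"^(DES|3DES|AES128)_(MD5|SHA1)_DHGROUP([12])$")
# "field : value" lines of display dvpn info; the prompt line and the
# ---- rules do not match this pattern and are skipped.
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")


def suite_findings(role, suite):
    """Review findings for one suite, given as its number (0-12) or its name."""
    if str(suite).isdigit():
        number = int(suite)
        if number not in SUITES:
            return [f"{role}: suite number {number} is outside the 0-12 range"]
        name = SUITES[number]
    else:
        name = suite
    if name is None:
        return [f"{role}: suite 0, packets carry no encryption or integrity protection"]
    m = _SUITE_RE.match(name)
    if not m:
        return [f"{role}: unrecognised suite {name!r}"]
    cipher, mac, group = m.group(1), m.group(2), int(m.group(3))
    findings = []
    if cipher == "DES":
        findings.append(f"{role}: single DES encryption; prefer an AES128 suite (9-12)")
    if mac == "MD5":
        findings.append(f"{role}: MD5 integrity; prefer a SHA1 suite")
    if group == 1:
        findings.append(f"{role}: DH group 1 (768-bit); prefer a DHGROUP2 suite")
    return findings


def parse_display_dvpn_info(output):
    """Turn the 'field : value' lines of display dvpn info into a dict."""
    fields = {}
    for line in output.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_display_dvpn_info(output):
    """Flag weak suites and missing server authentication in one domain's output."""
    fields = parse_display_dvpn_info(output)
    findings = []
    # Assumption: the bare "algorithm suite" field is the class-level suite
    # used when the client registers (set with the algorithm-suite command).
    for role, key in (("registration", "algorithm suite"),
                      ("session control", "session algorithm suite"),
                      ("data", "data algorithm suite")):
        if key in fields:
            findings.extend(suite_findings(role, fields[key]))
    if fields.get("authentication server method") == "none":
        findings.append("client does not authenticate the DVPN server "
                        "(authentication-server method none); use pre-share")
    return findings


# Constructed sample, modelled on the display dvpn info dvpn-id output above.
SAMPLE_OUTPUT = """\
---------------------------------------------------
DVPN Domain 1 Information
---------------------------------------------------
type : client
register type : Undistributed | Forward
server public IP : 211.1.1.2
algorithm suite : DES_MD5_DHGROUP1
session encryption flag : Need encryption
data encryption flag : Need encryption
authentication server method : none
session algorithm suite : AES128_SHA1_DHGROUP1
session setup time : 10
data algorithm suite : 3DES_MD5_DHGROUP2
data ipsecsa duration time : 180
"""

if __name__ == "__main__":
    for finding in audit_display_dvpn_info(SAMPLE_OUTPUT):
        print(finding)
```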

display dvpn online-user

Syntax

display dvpn online-user

View

Any view

Parameter

None

Description

Use the display dvpn online-user command to display information about online DVPN users. You can use this command to check users that pass AAA (authentication, authorization, and accounting) authentication and are accessing the DVPN domains.

Example

# Display information about online DVPN users.

<SecBlade_VPN> dis dvpn online-user
username : dvpnuser@dvpn authen-type : CHAP
DVPN total online-user count : 1

dvpn class

Syntax

dvpn class dvpn-class-name


undo dvpn class dvpn-class-name

View

System view

Parameter

dvpn-class-name: Name of the DVPN class to be created, a string with no more than 31 characters in length.

Description

Use the dvpn class command to create a DVPN class and enter its view.

Use the undo dvpn class command to remove a DVPN class.

Parameters such as the IP address of the DVPN server and the user name and password used for registration are configured in DVPN class views. You cannot remove a DVPN class that is applied to a tunnel interface.

No DVPN class is configured by default.

Example

# Create a DVPN class named abc.

[SecBlade_VPN] dvpn class abc

dvpn client register-dumb

Syntax

dvpn client register-dumb time

undo dvpn client register-dumb

View

System view

Parameter

time: Interval after which a client attempts to register with the DVPN server again. This argument ranges from 60 to 3600 (in seconds).

Description

A client enters dumb state if it fails to register with a DVPN server for the specified number of retries. Use the dvpn client register-dumb command to set the duration for which a client remains in dumb state.

Use the undo dvpn client register-dumb command to revert to the default dumb interval.

By default, a client remains in dumb state for 300 seconds.

Example

# Set the dumb interval to 600 seconds.

[SecBlade_VPN] dvpn client register-dumb 600


dvpn client register-interval

Syntax

dvpn client register-interval time-interval

undo dvpn client register-interval

View

System view

Parameter

time-interval: Interval for the client to register, in the range of 3 to 60 (in seconds).

Description

Use the dvpn client register-interval command to set the interval for the client to register.

Use the undo dvpn client register-interval command to restore the default interval for the client to register.

The DVPN client initiates a request to register with the server. If the client fails to register within the specified interval, the client initiates the request again. If the client fails to register the maximum number of times, the DVPN client enters dumb state.

By default, the interval for the client to register is 10 seconds.

Example

# Set the interval for the client to register to 20 seconds.

[SecBlade_VPN] dvpn client register-interval 20

dvpn client register-retry

Syntax

dvpn client register-retry times

undo dvpn client register-retry

View

System view

Parameter

times: Maximum retries for the client to register with a DVPN server continuously. This argument ranges from 1 to 6.

Description

Use the dvpn client register-retry command to set the maximum retries for a client to register with a DVPN server continuously.

Use the undo dvpn client register-retry command to revert to the default retries for a client to register with a DVPN server continuously.

By default, the maximum retries for a client to register with a DVPN server is 3.


Example

# Set the maximum retries for a client to register with a DVPN server continuously to 6.

[SecBlade_VPN] dvpn client register-retry 6

dvpn dvpn-id

Syntax

dvpn dvpn-id dvpn-id

undo dvpn dvpn-id

View

Tunnel interface views

Parameter

dvpn-id: ID of the DVPN domain ranging from 1 to 65535.

Description

Use the dvpn dvpn-id command to specify the DVPN domain the tunnel interface belongs to. This command is valid when the tunnel interface is encapsulated as DVPN.

Use the undo dvpn dvpn-id command to remove the DVPN domain ID assigned to the tunnel interface.

No DVPN domain ID is assigned to a tunnel interface by default.

Related command: tunnel-protocol udp dvpn.

Example

# Specify the tunnel interface to belong to the DVPN domain with an ID of 100.

[SecBlade_VPN] interface tunnel 0
[SecBlade_VPN-Tunnel0] tunnel-protocol udp dvpn
[SecBlade_VPN-Tunnel0] dvpn dvpn-id 100

dvpn interface-type

Syntax

dvpn interface-type { client | server }

undo dvpn interface-type

View

Tunnel interface views

Parameter

client: Specifies the tunnel interface to be of client type.

server: Specifies the tunnel interface to be of server type.

Description

Use the dvpn interface-type command to specify the type of a tunnel interface.


Use the undo dvpn interface-type command to restore the default type of the tunnel interface.

A tunnel interface is of client type by default.

Example

# Specify the tunnel interface to be of server type.

[SecBlade_VPN-Tunnel0] dvpn interface-type server

dvpn policy (system view)

Syntax

dvpn policy dvpn-policy-name

undo dvpn policy dvpn-policy-name

View

System view

Parameter

dvpn-policy-name: Name of the DVPN policy to be created, a string with no more than 31 characters in length.

Description

Use the dvpn policy command to create a DVPN policy and enter its view.

Use the undo dvpn policy command to remove a DVPN policy.

DVPN policies such as the way to authenticate clients, the encryption algorithm suite used by sessions, the algorithm suite for forwarding packets, and time settings are configured in DVPN policy views. If you want to remove a DVPN policy that is applied to a tunnel interface, you must disable it first.

No DVPN policy is configured by default.

Example

# Create a DVPN policy named abc.

[SecBlade_VPN] dvpn policy abc

dvpn policy (tunnel interface view)

Syntax

dvpn policy dvpn-policy-name

undo dvpn policy dvpn-policy-name

View

Tunnel interface views

Parameter

dvpn-policy-name: Name of the DVPN policy to be applied to the tunnel interface. A DVPN policy is a data structure that contains information such as the algorithms used by sessions and time settings. You can use the dvpn policy command in system view to create DVPN policies.


Description

Use the dvpn policy command to apply a specified DVPN policy to a tunnel interface that is of server type.

Use the undo dvpn policy command to disable a DVPN policy applied to a tunnel interface.

A tunnel interface can have only one DVPN policy applied to it. Therefore, to apply another DVPN policy, you must disable the existing one first. You can apply a DVPN policy to multiple tunnel interfaces.

You can execute the dvpn policy command only when the tunnel interface is of server type.

A tunnel interface does not have a DVPN policy applied to it by default.

Related command: dvpn interface-type.

Example

# Apply the DVPN policy with a name of abc to the tunnel interface.

[SecBlade_VPN-Tunnel0] dvpn interface-type server
[SecBlade_VPN-Tunnel0] dvpn policy abc

dvpn register-type

Syntax

dvpn register-type { forward | undistributed } *

undo dvpn register-type { forward | undistributed } *

View

Tunnel interface views

Parameter

forward: Specifies the DVPN server to forward all packets sourced from the client.

undistributed: Specifies the DVPN server not to distribute registration information about the client to other clients.

Description

Use the dvpn register-type command to configure the type of the additional information when a client registers with a DVPN server.

Use the undo dvpn register-type command to remove the configuration.

The DVPN server determines whether or not to send redirecting packets according to the type of the additional information.

If the additional information is of forward type, the client can establish no session with any other clients in the DVPN domain. If the additional information is of undistributed type, the DVPN server notifies no client in the DVPN domain of the redirecting packets about the client. (But the DVPN server still notifies the client of redirecting packets about other clients. So the client can still establish sessions with other clients.)


You can execute the dvpn register-type command only when the tunnel interface is of client type.

Related command: dvpn interface-type.

The two flags are not set by default.

Example

# Prevent the DVPN server from distributing information about the client to other clients.

[SecBlade_VPN-Tunnel0] dvpn register-type undistributed

dvpn security acl

Syntax

dvpn security acl acl-number

undo dvpn security acl

View

Tunnel interface views

Parameter

acl-number: ACL number ranging from 3000 to 3999. This argument identifies the ACL. Packets filtered by this ACL are not IPsec-encrypted.

Description

Use the dvpn security acl command to configure the ACL used to filter packets passing through the tunnel interface.

Use the undo dvpn security acl command to remove the ACL.

You can configure an ACL to filter packets transmitted in a DVPN domain. Those denied by the ACL are not IPsec-encrypted.

Note: This command needs to be used together with the acl and rule commands. If you provide the deny keyword for the rule command and specify the corresponding ACL in the dvpn security acl command, then all packets that match the ACL are not IPsec-encrypted.

Example

# Specify that packets denied by ACL 3100 are not IPsec-encrypted.

[SecBlade_VPN] acl number 3100
[SecBlade_VPN-acl-adv-3100] rule deny ip
[SecBlade_VPN-acl-adv-3100] quit
[SecBlade_VPN] interface tunnel 0
[SecBlade_VPN-Tunnel0] dvpn security acl 3100

dvpn server

Syntax

dvpn server dvpn-class-name

undo dvpn server dvpn-class-name


View

Tunnel interface views

Parameter

dvpn-class-name: Name of the DVPN class to be applied to the tunnel interface. A DVPN class is a data structure that contains information such as the public IP address of the DVPN server side of a tunnel interface, private IP address, user name and password. You can create a DVPN class by executing the dvpn class command in system view.

Description

Use the dvpn server command to configure the DVPN class to be applied to a tunnel interface.

Use the undo dvpn server command to disable the DVPN class applied to a tunnel interface.

At present, a tunnel interface can be the DVPN server of only one DVPN domain, and a DVPN class can be applied to only one tunnel interface at the same time.

A tunnel interface is not configured with a DVPN class by default.

Example

# Apply the DVPN class with a name of abc to the tunnel interface.

[SecBlade_VPN-Tunnel0] dvpn server abc

dvpn server authentication-client method

Syntax

dvpn server authentication-client method { chap | none | pap }

View

System view

Parameter

none: Specifies not to authenticate clients.

pap: Specifies to authenticate clients using PAP (password authentication protocol).

chap: Specifies to authenticate clients using CHAP (challenge handshake authentication protocol).

Description

Use the dvpn server authentication-client method command to specify the default way a DVPN server authenticates clients. If the DVPN domain to be accessed is not specified when a client registers with a DVPN server, the DVPN server authenticates the client in the default way. CHAP and PAP are available for authentication at present.

A DVPN server determines the way to authenticate clients according to the policy applied to the DVPN domain. If no such policy exists, the DVPN server uses the globally configured method to authenticate clients.


A DVPN server authenticates clients using PAP by default.

Example

# Specify CHAP as the default way to authenticate clients.

[SecBlade_VPN] dvpn server authentication-client method chap

dvpn server authentication-client method

Syntax

dvpn server authentication-client method { none | { chap | pap } [ domain isp-name ] }

View

System view

Parameter

none: Specifies the DVPN server not to authenticate clients.

pap: Specifies the DVPN server to authenticate clients using PAP.

chap: Specifies the DVPN server to authenticate clients using CHAP.

domain isp-name: Specifies the ISP domain in which the DVPN server authenticates clients.

Description

Use the dvpn server authentication-client method command to specify the default mode the DVPN server uses to authenticate clients. If the DVPN domain to be accessed is not specified when a client registers, the server authenticates the client using this default mode. Currently the supported authentication modes are none, chap and pap.

When the client registers with the server, the server determines how to authenticate the client according to the configured DVPN policy. If there is no corresponding policy, the server authenticates the client using the global authentication mode.

By default, the server authenticates the client using CHAP.

Example

# Configure the DVPN server to authenticate clients using CHAP.

[SecBlade_VPN] dvpn server authentication-client method chap

dvpn server map age-time

Syntax

dvpn server map age-time time

undo dvpn server map age-time

View

System view


Parameter

time: Map age time of a DVPN server. This argument ranges from 10 to 180 seconds.

Description

Use the dvpn server map age-time command to set the map age time of a DVPN server.

Use the undo dvpn server map age-time command to revert to the default map age time.

If a client does not register with the DVPN server successfully during the map age time, the map established is removed.

The default map age time is 30 seconds.

Example

# Set the map age time to 60 seconds.

[SecBlade_VPN] dvpn server map age-time 60

dvpn server pre-shared-key

Syntax

dvpn server pre-shared-key key

undo dvpn server pre-shared-key

View

System view

Parameter

key: Pre-shared-key of the DVPN server, a string no more than 127 bytes in length.

Description

Use the dvpn server pre-shared-key command to set a pre-shared-key for a DVPN server.

Use the undo dvpn server pre-shared-key command to remove the pre-shared-key of a DVPN server.

A DVPN server is not configured with a pre-shared-key by default.

Example

# Set the pre-shared-key of the DVPN server to 123.

[SecBlade_VPN] dvpn server pre-shared-key 123

dvpn service enable

Syntax

dvpn service enable

undo dvpn service enable


View

System view

Parameter

None

Description

Use the dvpn service enable command to enable the DVPN feature on the device.

Use the undo dvpn service enable command to disable the DVPN feature on the device.

By default, the DVPN feature is enabled on the device.

Example

# Enable the DVPN feature.

[SecBlade_VPN] dvpn service enable

local-user

Syntax

local-user username password { simple | cipher } password

undo local-user username

View

DVPN class views

Parameter

username: User name of the client, a string no more than 80 characters in length.

password: Password of the client.

simple: Specifies to display the password in plain text form.

cipher: Specifies to display the password in cipher text form.

Description

Use the local-user command to configure the user name and password of a client.

Use the undo local-user command to remove the existing user name and password.

Example

# Configure the user name and password of a client as user and test respectively, and display the password in plain text form.

[SecBlade_VPN-dvpn-class-abc] local-user user password simple test

public-ip

Syntax

public-ip ip-address


undo public-ip

View

DVPN class views

Parameter

ip-address: Public IP address of a DVPN server.

Description

Use the public-ip command to assign a public IP address to a specified DVPN server.

Use the undo public-ip command to remove the public IP address assigned to a specified DVPN server.

A DVPN server is not assigned a public IP address by default.

Example

# Assign a public IP address (61.18.3.66) to a DVPN server.

[SecBlade_VPN-dvpn-class-abc] public-ip 61.18.3.66

pre-shared-key

Syntax

pre-shared-key key

undo pre-shared-key

View

DVPN class views

Parameter

key: Key of the server, a string of no more than 127 characters in length.

Description

Use the pre-shared-key command to set the pre-shared-key used when a client authenticates a DVPN server.

Use the undo pre-shared-key command to remove the pre-shared-key of the DVPN server configured on the client side.

Example

# Set the pre-shared-key of the DVPN server to 123 on a client side.

[SecBlade_VPN-dvpn-class-abc] pre-shared-key 123

private-ip

Syntax

private-ip ip-address

undo private-ip

View

DVPN class views


Parameter

ip-address: Private IP address of a DVPN server (the IP address of a tunnel interface).

Description

Use the private-ip command to assign a private IP address to a specified DVPN server.

Use the undo private-ip command to remove the private IP address assigned to a specified DVPN server.

A DVPN server is not assigned a private IP address by default.

Example

# Assign a private IP address (192.168.0.1) to a DVPN server. (That is, assign the private IP address to the tunnel interface.)

[SecBlade_VPN-dvpn-class-abc] private-ip 192.168.0.1

reset dvpn all

Syntax

reset dvpn all dvpn-id

View

User view

Parameter

dvpn-id: ID of a DVPN domain.

Description

Use the reset dvpn all command to clear all runtime information about a DVPN domain and reinitialize the DVPN domain.

Example

# Reinitialize the DVPN domain with an ID of 2.

<SecBlade_VPN> reset dvpn all 2

reset dvpn map

Syntax

reset dvpn map public-ip port [ client-id ]

View

User view

Parameter

public-ip: Public IP address.

port: Port number ranging from 1 to 65,535.

client-id: ID of the client, ranging from 1 to 4,294,967,295.


Description

Use the reset dvpn map command to clear a specified map. This command also clears the sessions corresponding to the map (if the sessions exist). If the map is what the client uses to register, this command clears all sessions established by the DVPN client who registers using the specified map.

Example

# Clear the map with an IP address of 10.0.0.2, a port number of 9876, and a client-id of 123456.

<SecBlade_VPN> reset dvpn map 10.0.0.2 9876 123456

reset dvpn session

Syntax

reset dvpn session dvpn-id private-ip

View

User view

Parameter

dvpn-id: ID of a DVPN domain ranging from 1 to 65,535.

private-ip: Private IP address.

Description

Use the reset dvpn session command to clear a specified session. If the session is the one established when the client registers, then this command clears all sessions established by the DVPN client.

Example

# Clear the session with a private IP address of 10.0.0.2 in the DVPN domain with an ID of 2.

<SecBlade_VPN> reset dvpn session 2 10.0.0.2

reset dvpn statistics

Syntax

reset dvpn statistics

View

User view

Parameter

None

Description

Use the reset dvpn statistics command to clear all statistics information a DVPN module generates.

Example

# Clear DVPN statistics information.

<SecBlade_VPN> reset dvpn statistics

session algorithm-suite

Syntax

session algorithm-suite suite-number

undo session algorithm-suite

View

DVPN policy views

Parameter

suite-number: Algorithm suite number ranging from 0 to 12. This argument stands for the algorithm suite used to encrypt session control packets, whose available values are described as follows:

0 Without protection

1 DES_MD5_DHGROUP1

2 DES_MD5_DHGROUP2

3 DES_SHA1_DHGROUP1

4 DES_SHA1_DHGROUP2

5 3DES_MD5_DHGROUP1

6 3DES_MD5_DHGROUP2

7 3DES_SHA1_DHGROUP1

8 3DES_SHA1_DHGROUP2

9 AES128_MD5_DHGROUP1

10 AES128_MD5_DHGROUP2

11 AES128_SHA1_DHGROUP1

12 AES128_SHA1_DHGROUP2

Description

Use the session algorithm-suite command to specify the algorithm suite a session uses.

Use the undo session algorithm-suite command to revert to the default algorithm suite.

Algorithm suite 1 is used by session control packets by default, which stands for DES (for encryption), MD5 (for authentication), and DH-GROUP1 (for key negotiation).

Example

# Specify not to encrypt control packets (provide 0 for the suite-number argument).

[SecBlade_VPN-dvpn-policy-abc] session algorithm-suite 0
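As an added example (not code from the 3Com manual), the following Python decodes a suite-number into its cipher, hash and DH group using the arithmetic structure of the table above, and audits the body of a DVPN policy view for the unprotected and weak choices, including the implicit default. The policy line format and the sample policy bodies are assumptions.

```python
# Added example (not from the 3Com manual): decode a DVPN 'session algorithm-suite'
# number and audit a policy body for weak control-packet protection.  Suites 1-12
# follow the manual's table: suite = 1 + 4*cipher + 2*hash + dh (indices below).

from typing import Iterable, List, Optional, Tuple

CIPHERS = ("DES", "3DES", "AES128")
HASHES = ("MD5", "SHA1")
DH_GROUPS = ("DHGROUP1", "DHGROUP2")
DEFAULT_SUITE = 1            # manual: DES_MD5_DHGROUP1 unless configured

def decode_suite(suite: int) -> Optional[Tuple[str, str, str]]:
    """(cipher, hash, dh_group) for suites 1-12; None for suite 0."""
    if not 0 <= suite <= 12:
        raise ValueError(f"suite-number must be 0..12, got {suite}")
    if suite == 0:
        return None                      # control packets unprotected
    idx = suite - 1
    return CIPHERS[idx // 4], HASHES[(idx // 2) % 2], DH_GROUPS[idx % 2]

def suite_name(suite: int) -> str:
    parts = decode_suite(suite)
    return "Without protection" if parts is None else "_".join(parts)

def weaknesses(suite: int) -> List[str]:
    """What an auditor would flag in the chosen suite."""
    parts = decode_suite(suite)
    if parts is None:
        return ["session control packets are sent without protection"]
    cipher, hsh, dh = parts
    findings = []
    if cipher == "DES":
        findings.append("DES: 56-bit key, considered broken")
    if hsh == "MD5":
        findings.append("MD5: collision-prone hash used for authentication")
    if dh == "DHGROUP1":
        findings.append("DH group 1: 768-bit modulus, too small")
    return findings

def audit_policy(lines: Iterable[str]) -> Tuple[int, List[str]]:
    """Scan the body of one DVPN policy view (assumption: lines are already scoped
    to one policy).  Absent or undone, the default suite 1 applies and is reported."""
    suite = None
    for line in lines:
        words = line.strip().split()
        if words[:2] == ["session", "algorithm-suite"] and len(words) == 3:
            suite = int(words[2])
        elif words[:3] == ["undo", "session", "algorithm-suite"]:
            suite = None
    if suite is None:
        note = "no explicit suite: manual's default (suite 1) applies"
        return DEFAULT_SUITE, [note] + weaknesses(DEFAULT_SUITE)
    return suite, weaknesses(suite)

# Constructed sample policy bodies (not from the manual)
SAMPLE_UNPROTECTED = ["session algorithm-suite 0", "session idle-time 180"]
SAMPLE_DEFAULT = ["session keepalive-interval 30"]
SAMPLE_STRONGEST = ["session algorithm-suite 12", "session setup-interval 30"]
```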

session idle-time

Syntax

session idle-time time

undo session idle-time

View

DVPN policy views

Parameter

time: Idle timeout time ranging from 60 to 86,400 seconds.

Description

Use the session idle-time command to set the idle timeout time for sessions.

Use the undo session idle-time command to revert to the default idle timeout time.

If no packets pass through a session during a specific period, the session is removed automatically.

By default, the idle timeout time is 300 seconds.

Example

# Set the idle timeout time to 180 seconds.

[SecBlade_VPN-dvpn-policy-abc] session idle-time 180

session keepalive-interval

Syntax

session keepalive-interval time-interval

undo session keepalive-interval

View

DVPN policy view

Parameter

time-interval: Keepalive interval ranging from 5 to 300 in seconds.

Description

Use the session keepalive-interval command to set the keepalive interval of sessions.

Use the undo session keepalive-interval command to revert to the default keepalive interval.

Keepalive packets are used to check the connection state of sessions. After a session is established, the active side sends keepalive packets regularly if no packet passes through the session, and the passive side responds with keepalive-ack packets.

By default, the keepalive interval is 10 seconds.

Example

# Set the keepalive interval to 30 seconds.

[SecBlade_VPN-dvpn-policy-abc] session keepalive-interval 30

session setup-interval

Syntax

session setup-interval time-interval

undo session setup-interval

View

DVPN policy views

Parameter

time-interval: Interval for sending requests to establish a session. This argument ranges from 5 to 60 in seconds.

Description

Use the session setup-interval command to set the interval for sending requests to establish a session (Setup request). Setup request packets are sent regularly until the session is established.

Use the undo session setup-interval command to revert to the default setup interval.

A client keeps count of the Setup request packets it sends. If the setup interval expires after the last Setup request without a response from the peer, the client sends another Setup request packet.

By default, the interval of setup requests is 10 seconds.

Example

# Set the setup interval to 30 seconds.

[SecBlade_VPN-dvpn-policy-abc] session setup-interval 30

tunnel-protocol udp dvpn

Syntax

tunnel-protocol udp dvpn

View

Tunnel interface views

Parameter

udp dvpn: Specifies to encapsulate the tunnel interface using UDP DVPN.

Description

Use the tunnel-protocol udp dvpn command to configure a tunnel interface to use UDP DVPN encapsulation. When encapsulated using UDP DVPN, a tunnel interface has the Multipoint attribute and is of the NBMA (non-broadcast multiple access) type.

A tunnel interface is encapsulated using GRE by default.

Example

# Encapsulate a tunnel interface using UDP DVPN.

[SecBlade_VPN-Tunnel0] tunnel-protocol udp dvpn

CHAPTER 26: VRRP CONFIGURATION COMMANDS

Note: All the contents below are about SecBlade cards, so the views of the commands in this manual are those of the SecBlade cards rather than of the Switch 8800 Family switches.

VRRP Configuration Commands

Note: You can also use the following commands at the SecBlade_VPN prompt.

debugging vrrp

Syntax

debugging vrrp { packet | state }

undo debugging vrrp { packet | state }

View

User view

Parameter

packet: Enables VRRP packet debugging.

state: Enables VRRP state debugging.

Description

Use the debugging vrrp command to enable VRRP debugging.

Use the undo debugging vrrp command to disable VRRP debugging.

By default, VRRP debugging is disabled.

Example

# Enable VRRP packet debugging.

<SecBlade_FW> debugging vrrp packet

display vrrp

Syntax

display vrrp [ interface type number [ virtual-router-ID ] ]

View

Any view

Parameter

interface type number: Specifies an interface type and interface number.

virtual-router-ID: Standby group number.

Description

Use the display vrrp command to view current configuration and state information about VRRP.

If the interface and standby group number are not specified, the state information about all the standby groups is displayed. If only the interface is specified, the state information about all the standby groups on the interface is displayed. If both arguments are specified, the state information about the specified standby group is displayed.

Example

# Display information about all standby groups.

<SecBlade_FW> display vrrp
Virtual Ip Ping : Disable
GigabitEthernet0/0.1 | Virtual Router 1
    state : Initialize
    Virtual IP : 22.2.2.2
    Config Priority : 100
    Run Priority : 100
    Preempt : YES
    Delay Time : 0
    Timer : 1
    Auth Type : NONE
GigabitEthernet0/0.2 | Virtual Router 1
    state : Initialize
    Virtual IP : 1.1.11.1
    Config Priority : 100
    Run Priority : 100
    Preempt : YES
    Delay Time : 0
    Timer : 1
    Auth Type : NONE

vrrp authentication-mode

Syntax

vrrp authentication-mode { md5 key | simple key }

undo vrrp authentication-mode

View

Interface view

Parameter

simple: Adopts plain text authentication.

md5: Adopts ciphertext authentication using the MD5 algorithm.

key: Authentication key. When simple authentication applies, the authentication key is in plain text with a length of 1 to 8 characters. When md5 authentication applies, the authentication key is in MD5 ciphertext and the length of the key depends on its input format. If the key is input in plain text, its length is 1 to 8 characters, such as 1234567; if the key is input in ciphertext, its length must be 24 characters, such as _(TT8F]Y5SQ=^Q‘MAF4<1!!.

Description

Use the vrrp authentication-mode command to configure authentication mode and authentication key for the VRRP standby groups on the interface.

Use the undo vrrp authentication-mode command to disable authentication in the VRRP standby groups on the interface.

By default, authentication is disabled.

With this command, all standby groups on the interface share the same authentication type and authentication key.

Note that the members of the same standby group must use the same authentication mode and authentication key.

The authentication key is case sensitive.

Example

# Set the authentication mode and authentication key of all VRRP standby groups on the GigabitEthernet0/0.1 sub-interface.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp authentication-mode simple aabbcc

vrrp ping-enable

Syntax

vrrp ping-enable

undo vrrp ping-enable

View

System view

Parameter

None

Description

Use the vrrp ping-enable command to enable users to ping the virtual IP addresses of standby groups.

Use the undo vrrp ping-enable command to prevent users from pinging the virtual IP addresses of standby groups.

By default, users cannot ping the virtual IP addresses of standby groups.

Note that you must configure this command before creating standby groups. Once a standby group is created, you cannot use this command and its undo form.

Example

# Enable users to ping the virtual IP addresses of standby groups.

[SecBlade_FW] vrrp ping-enable

vrrp un-check ttl

Syntax

vrrp un-check ttl

undo vrrp un-check ttl

View

Interface view

Parameter

None

Description

Use the vrrp un-check ttl command to disable time to live (TTL) check for VRRP packets.

Use the undo vrrp un-check ttl command to enable TTL check for VRRP packets.

According to the VRRP protocol, the TTL value of VRRP packets must be 255. If the backup security gateway detects that the TTL value of a received packet is not 255, it drops the packet.

By default, the TTL value of VRRP packets will be checked.

Example

# Disable TTL check for VRRP packets.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp un-check ttl

vrrp vrid preempt-mode

Syntax

vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]

undo vrrp vrid virtual-router-ID preempt-mode

View

Interface view

Parameter

virtual-router-ID: Virtual router ID or VRRP standby group number, in the range of 1 to 255.

delay-value: Delay in the range of 0 to 255 in seconds.

Description

Use the vrrp vrid preempt-mode command to enable preemption on the security gateway and configure its preemption delay in the specified standby group.

Use the undo vrrp vrid preempt-mode command to disable preemption on the security gateway in the specified standby group.

To allow a backup security gateway in a standby group to preempt the current master when it has a higher priority, you must enable preemption on it. If immediate preemption is not desired, you can set a preemption delay. The delay automatically changes to 0 seconds when preemption is disabled.

By default, the preemption mode is adopted with the delay of 0 seconds.

Example

# Enable preemption on the security gateway in standby group 1.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode

# Set the preemption delay to five seconds.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode timer delay 5

# Disable preemption on the security gateway in standby group 1.

[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 preempt-mode

vrrp vrid priority

Syntax

vrrp vrid virtual-router-ID priority priority-value

undo vrrp vrid virtual-router-ID priority

View

Interface view

Parameter

virtual-router-ID: VRRP standby group number, in the range of 1 to 255.

priority-value: Priority value, in the range 1 to 254.

Description

Use the vrrp vrid priority command to configure the priority of the security gateway in the specified standby group.

Use the undo vrrp vrid priority command to restore the default.

In VRRP, the role that a SecBlade card plays in a standby group depends on its priority. A higher priority means that the security gateway is more likely to become the master. Note that priority 0 is reserved for special use and 255 for the IP address owner.

By default, the priority is 100.

Example

# Set the priority of the security gateway in standby group 1 to 150.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 priority 150

vrrp vrid timer advertise

Syntax

vrrp vrid virtual-router-ID timer advertise adver-interval

undo vrrp vrid virtual-router-ID timer advertise

View

Interface view

Parameter

virtual-router-ID: VRRP standby group number, in the range of 1 to 255.

adver-interval: Interval at which the master in the specified standby group sends VRRP packets. It is in the range of 1 to 255 in seconds.

Description

Use the vrrp vrid timer advertise command to configure the Adver_Timer of the specified standby group.

Use the undo vrrp vrid timer advertise command to restore the default.

The Adver_Timer controls the interval at which the master sends VRRP packets.

By default, the value of the timer is 1 second.

Example

# Set the master in standby group 1 to send VRRP packets at intervals of five seconds.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 timer advertise 5

vrrp vrid track

Syntax

vrrp vrid virtual-router-ID track interface-type interface-number [ reduced priority-reduced ]

undo vrrp vrid virtual-router-ID track [ interface-type interface-number ]

View

Interface view

Parameter

virtual-router-ID: VRRP standby group number, in the range of 1 to 255.

interface-type interface-number: Interface to be tracked.

priority-reduced: Value by which the priority is reduced. It is in the range of 1 to 255.

Description

Use the vrrp vrid track command to configure the interface to be tracked.

Use the undo vrrp vrid track command to disable tracking the specified interface.

The interface tracking function expands the backup functionality of VRRP. It provides backup not only when a security gateway fails but also when a network interface goes down.

When the monitored interface specified in this command goes down, the priority of the security gateway owning this interface is automatically decreased by the value specified by priority-reduced, allowing a higher priority member in the standby group to take over as the master. When the security gateway is the IP address owner, however, you cannot configure interface tracking on it.

By default, the priority is reduced by 10.

Example

# Track the GigabitEthernet0/0.300 sub-interface from the GigabitEthernet0/0.1 sub-interface, reducing the priority by 50 when it goes down.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 track GigabitEthernet0/0.300 reduced 50

# Disable the tracking of the GigabitEthernet0/0.300 sub-interface.

[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 track GigabitEthernet0/0.300
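As an added example (not code from the 3Com manual), the following Python models how the priority, track ... reduced, preempt-mode and un-check ttl commands of this chapter combine to decide which security gateway becomes master and which advertisements a backup accepts. The gateway names, addresses and interface states are constructed, and the higher-IP tie-break comes from RFC 3768 rather than from the manual.

```python
# Added example (not from the 3Com manual): a small model of how the VRRP
# commands in this chapter decide which SecBlade card is master.  Gateways,
# interfaces and link states are constructed; tie-breaking by the higher IP
# follows RFC 3768, which the manual does not spell out.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VRRP_TTL = 255                   # the TTL every VRRP packet must carry

@dataclass
class Gateway:
    name: str
    ip: str                      # interface IP, used only for tie-breaking
    priority: int = 100          # vrrp vrid N priority (default 100)
    ip_owner: bool = False       # owns the virtual IP -> fixed priority 255
    preempt: bool = True         # vrrp vrid N preempt-mode (default enabled)
    # vrrp vrid N track <iface> [reduced X]: iface -> (link_up, X); X defaults to 10
    tracked: Dict[str, Tuple[bool, int]] = field(default_factory=dict)

    def run_priority(self) -> int:
        """'Run Priority' as 'display vrrp' would show it."""
        if self.ip_owner:
            return 255
        prio = self.priority
        for link_up, reduced in self.tracked.values():
            if not link_up:
                prio -= reduced
        return max(prio, 1)      # assumption: floor at 1, since 0 is reserved

def _rank(g: Gateway) -> Tuple[int, Tuple[int, ...]]:
    return g.run_priority(), tuple(int(o) for o in g.ip.split("."))

def elect_master(group: List[Gateway], current: Optional[str] = None) -> str:
    """Return the name of the gateway that should be master.

    Highest run priority wins; on a tie the higher IP wins.  If a current
    master is still alive and the best candidate has preemption disabled,
    the current master keeps the role (the preempt delay is not modelled)."""
    best = max(group, key=_rank)
    alive = {g.name for g in group}
    if current in alive and best.name != current and not best.preempt:
        return current
    return best.name

def accept_advertisement(ttl: int, check_ttl: bool = True) -> bool:
    """Backup-side TTL check of a received VRRP packet; configuring
    'vrrp un-check ttl' corresponds to check_ttl=False."""
    return not check_ttl or ttl == VRRP_TTL

# Constructed scenario: gw_a has priority 150 but tracks an uplink with reduced 50
def build_group(uplink_up: bool) -> List[Gateway]:
    gw_a = Gateway("gw_a", "10.0.0.1", priority=150,
                   tracked={"GigabitEthernet0/0.300": (uplink_up, 50)})
    gw_b = Gateway("gw_b", "10.0.0.2")          # defaults: priority 100
    return [gw_a, gw_b]
```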

vrrp vrid virtual-ip

Syntax

vrrp vrid virtual-router-ID virtual-ip virtual-address

undo vrrp vrid virtual-router-ID virtual-ip [ virtual-address ]

View

Interface view

Parameter

virtual-router-ID: VRRP standby group number, in the range of 1 to 255.

virtual-address: Virtual IP address.

Description

Use the vrrp vrid virtual-ip command to create a standby group (when you add its first virtual IP address) or to add another virtual IP address to an existing standby group.

Use the undo vrrp vrid virtual-router-ID virtual-ip command (without a virtual address) to remove a standby group.

Use the undo vrrp vrid virtual-router-ID virtual-ip virtual-address command to delete a virtual IP address from the specified standby group.

The system removes a standby group after you delete all the virtual IP addresses in it.

By default, no standby group exists.

Example

# Create a standby group.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.10.10.10

# Add a virtual IP address to the existing standby group.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.10.10.11

# Delete a virtual IP address.

[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 virtual-ip 10.10.10.10