(Security Configuration Guide)


Upload: ahmed-helmy-hegazy

Post on 09-Jan-2016


Page 1: (Security Configuration Guide)

7/17/2019 (Security Configuration Guide)

http://slidepdf.com/reader/full/security-configuration-guide-56910a1d3c8a8 1/60

User Manual - Configuration Guide (Volume 3)
Versatile Routing Platform

Table of Contents

Chapter 1 Configuration of AAA and RADIUS Protocol ... 1-1
1.1 Network Security Features Provided by VRP ... 1-1
1.2 Introduction to AAA and RADIUS ... 1-1
1.2.1 Overview of AAA ... 1-1
1.2.2 Overview of RADIUS ... 1-2
1.3 Configuration of AAA and RADIUS ... 1-2
1.3.1 AAA and RADIUS Configuration Task List ... 1-2
1.3.2 Enabling/Disabling AAA ... 1-3
1.3.3 Configuring Authentication Method List for Login Users ... 1-3
1.3.4 Configuring Authentication Method List for PPP Users ... 1-4
1.3.5 Configuring the Local-First Authentication of AAA ... 1-4
1.3.6 Configuring AAA Accounting Option ... 1-5
1.3.7 Configuring Local IP Address Pool ... 1-5
1.3.8 Assigning IP Address for PPP User ... 1-6
1.3.9 Configuring Local User Database ... 1-6
1.3.10 Configuring RADIUS Server ... 1-8
1.4 Monitoring and Maintenance of AAA and RADIUS ... 1-11
1.5 Examples of the Typical Configuration of AAA and RADIUS ... 1-11
1.5.1 Access User Authentication Case 1 ... 1-11
1.5.2 Access User Authentication Case 2 ... 1-12
1.5.3 Authentication of FTP User ... 1-13
1.6 Fault Diagnosis and Troubleshooting of AAA and RADIUS ... 1-14
Chapter 2 Configuration of Terminal Access Security ... 2-1
2.1 Terminal Access Security ... 2-1
2.1.1 Classification of Terminal Access Users ... 2-1
2.1.2 Configuring EXEC Login Authentication ... 2-1
2.1.3 Security Features Provided by Command Line Interfaces for Terminal Users ... 2-2
2.1.4 Modifying Privileged User Password ... 2-2
2.2 Typical Configuration of EXEC ... 2-2
2.2.1 Configuring EXEC Login Authentication from CONSOLE Port ... 2-2
2.2.2 Configuring EXEC Login Authentication via Telnet ... 2-3
Chapter 3 Configuration of Firewall ... 3-1
3.1 Brief Introduction to Firewall ... 3-1
3.1.1 About Firewall ... 3-1
3.1.2 Packet Filtering ... 3-2
3.1.3 Access Control List ... 3-3
3.2 Configuring Firewall ... 3-8


3.2.1 Firewall Configuration Task List ... 3-8
3.2.2 Enabling/Disabling Firewall ... 3-8
3.2.3 Configuring Standard Access Control List ... 3-8
3.2.4 Configuring Extended Access Control List ... 3-9
3.2.5 Configuring the Match Sequence of Access Control List ... 3-9
3.2.6 Setting Default Firewall Filtering Mode ... 3-10
3.2.7 Configuring Special Timerange ... 3-10
3.2.8 Configuring Rules for Applying Access Control List on Interface ... 3-11
3.2.9 Specifying Logging Host ... 3-12
3.3 Monitoring and Maintenance of Firewall ... 3-12
3.4 Typical Configuration of Firewall ... 3-13
Chapter 4 Configuration of IPSec ... 4-1
4.1 Brief Introduction to IPSec Protocol ... 4-1
4.2 Configuring IPSec ... 4-3
4.2.1 IPSec Configuration Task List ... 4-3
4.2.2 Creating Encryption Access Control List ... 4-3
4.2.3 Defining Transform Mode ... 4-4
4.2.4 Selecting Encryption and Authentication Algorithm ... 4-5
4.2.5 Creating Security Policy ... 4-6
4.2.6 Applying Security Policy Group on Interface ... 4-11
4.3 Maintenance and Monitoring of IPSec ... 4-12
4.4 Typical IPSec Configuration ... 4-14
4.4.1 Creating SA Manually ... 4-14
4.4.2 Creating SA in IKE Negotiation Mode ... 4-16
Chapter 5 Configuration of IKE ... 5-1
5.1 Brief Introduction to IKE Protocol ... 5-1
5.2 Configuring IKE ... 5-2
5.2.1 IKE Configuration Task List ... 5-2
5.2.2 Creating IKE Security Policy ... 5-2
5.2.3 Select Encryption Algorithm ... 5-3
5.2.4 Select Authentication Algorithm ... 5-3
5.2.5 Set Pre-shared Key ... 5-4
5.2.6 Select Hashing Algorithm ... 5-4
5.2.7 Select DH Group ID ... 5-4
5.2.8 Set Lifetime of IKE Association SA ... 5-5
5.3 Monitoring and Maintenance of IKE ... 5-5
5.4 Typical Configuration of IKE ... 5-6
5.5 IKE Fault Diagnosis and Troubleshooting ... 5-7


Chapter 1 Configuration of AAA and RADIUS Protocol

1.1 Network Security Features Provided by VRP

Before introducing the configuration of AAA and the RADIUS protocol, let's first take a look at the new security features provided by VRP.

With the popularization of network applications, especially security-sensitive applications such as e-commerce, network security has become a pressing demand. VRP provides the following network security features:

- Network access security: AAA services, i.e. Authentication, Authorization and Accounting.
- Secure server protocol: RADIUS is a distributed client/server system that realizes network access security through AAA and prevents unauthorized access.
- Authentication protocol: CHAP and PAP authentication on PPP links.
- Packet filtering: realized through access control lists, which designate the packets that can (or cannot) pass through a router.
- Event log: records system security events and traces illegal access in real time.
- Address translation: hides internal IP addresses.
- Adjacent router authentication: ensures that reliable routing information is exchanged.
- Terminal access user security mechanism: authentication of FTP users and EXEC users, level-based protection of the command line and a privileged user password, to prevent illegal access by unauthorized users.
- Encryption and key exchange techniques: support for the standard layer-3 tunneling encryption protocol IPSec and the key exchange protocol IKE, as well as hardware and software encryption algorithms.

In this chapter, RADIUS configuration, terminal access user security configuration, firewall configuration, and IPSec and IKE configuration are described in detail.

1.2 Introduction to AAA and RADIUS

1.2.1 Overview of AAA

I. What is AAA?

AAA is short for Authentication, Authorization and Accounting; it provides an overall configuration framework for these three security functions. AAA configuration is actually the management of network security. Network security here refers mainly to access control, including:

- Which users can access the network server?
- Which services can users with access authority obtain?
- How is accounting performed for users who use network resources?

AAA can implement the following services:


- Authentication: to verify whether the user has the right of access. The RADIUS protocol can be used.
- Authorization: to authorize the user for certain types of services.
- Accounting: to record information about the usage of network resources by users.

AAA can be realized through the RADIUS (Remote Authentication Dial In User Service) protocol, which manages a large number of geographically dispersed users connecting through serial ports and modems.

II. Advantages of AAA

The following advantages are provided by AAA:

- Enhanced flexibility and control
- Standard authentication model
- Multiple standby systems

1.2.2 Overview of RADIUS

I. What is RADIUS?

RADIUS is abbreviated from Remote Authentication Dial-In User Service. It is a distributed client/server system that protects the network from unauthorized access. It is often used in network environments that require higher security and the maintenance of remote user access (for example, a network used to manage many dispersed dial-in users who connect through serial ports and modems). The RADIUS client runs on Quidway series routers and sends authentication requests to the central RADIUS server, which holds all user authentication and network service access information.

II. RADIUS operation

Authentication of the user by the RADIUS server often uses the proxy (agent) authentication function of the access server. Generally the whole operation procedure is as follows:

1) The client sends the user name and the encrypted password to the RADIUS server.

2) The user can receive one of the following response messages from the RADIUS server:

- ACCEPT: the user passes authentication.
- REJECT: the user fails authentication. The user is prompted to input the user name and password again; otherwise, access is rejected.
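The exchange above, worked through as an added example (not code from this guide or from the Quidway routers it describes): a RADIUS client builds an Access-Request with the User-Password hidden under the shared secret as RFC 2865 specifies, the server answers Access-Accept or Access-Reject, and the client verifies the Response Authenticator before acting on either code. The shared secret, user database and packet identifier are constructed for the example.

```python
"""Added example (not code from the VRP guide or the Quidway routers it
describes): one RADIUS Access-Request / Access-Accept exchange per RFC 2865,
showing how the client hides the User-Password with the shared secret and how
it verifies the server's Response Authenticator before trusting ACCEPT/REJECT.
The shared secret and user database are constructed for this example."""
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

SHARED_SECRET = b"example-shared-secret"   # constructed; never ship a default
USER_DB = {"alice": "s3cret"}              # constructed server-side user database


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), the first block using the
    Request Authenticator. This is obfuscation keyed by the shared secret,
    not modern encryption, so the secret and the transport still need protecting."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server chains on the received ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type (1 byte) | Length (1 byte) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, req_auth: bytes) -> bytes:
    attrs = tlv(ATTR_USER_NAME, user.encode()) + tlv(
        ATTR_USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def server_respond(request: bytes) -> bytes:
    """Check the request against USER_DB and answer ACCEPT or REJECT.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    ok = user in USER_DB and hmac.compare_digest(USER_DB[user].encode(), pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + SHARED_SECRET).digest()


def client_verify(response: bytes, ident: int, req_auth: bytes) -> str:
    """Recompute the Response Authenticator; a reply that does not match the
    outstanding request (wrong ID, wrong secret, altered in transit) is discarded."""
    code, resp_id, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + SHARED_SECRET).digest()
    if resp_id != ident or not hmac.compare_digest(expected, response[4:20]):
        return "DISCARD"
    return {ACCESS_ACCEPT: "ACCEPT", ACCESS_REJECT: "REJECT"}.get(code, "DISCARD")


def authenticate(user: str, password: str, corrupt_reply: bool = False) -> str:
    """Run one full exchange. corrupt_reply=True flips the reply code so that the
    client's authenticator check, not the code byte alone, decides the outcome."""
    ident, req_auth = 7, os.urandom(16)        # ident is constructed for the example
    request = build_access_request(ident, user, password, req_auth)
    response = server_respond(request)
    if corrupt_reply:
        response = bytes([ACCESS_ACCEPT]) + response[1:]
    return client_verify(response, ident, req_auth)
```

The corrupt_reply path shows why the client must check the Response Authenticator: a reply whose code byte was altered fails verification and is dropped instead of being treated as an ACCEPT.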

1.3 Configuration of AAA and RADIUS

1.3.1 AAA and RADIUS Configuration Task List

Configuration tasks of AAA and RADIUS are listed as follows:

- Enable AAA
- Configure authentication method list for login users
- Configure authentication method list for PPP users
- Configure AAA local-first authentication
- Configure AAA accounting option
- Configure local IP address pool
- Configure IP address for PPP user
- Configure user database


- Configure RADIUS server

1.3.2 Enabling/Disabling AAA

The following configurations can be conducted only after AAA is enabled.

Please perform the following tasks in the global configuration mode.

Table SC-1-1 Enable/disable AAA

  Operation      Command
  Enable AAA     aaa-enable
  Disable AAA    no aaa-enable

By default, AAA is disabled.

1.3.3 Configuring Authentication Method List for Login Users

An authentication method list defines the authentication methods, including the authentication types that can be executed and their execution sequence. The methods in the list are used in sequence to authenticate users.

Login users are further divided into FTP users and EXEC users. EXEC means logging on to the router via telnet or other methods (such as the Console port, asynchronous serial port or X.25 PAD calling) for router configuration. Both types of users have to be authorized in the local user database with the command user service-type. If a RADIUS server is used for authentication, the related user authorization (user name and password definitions) should be set on the RADIUS server before the RADIUS server is started.

Perform the following task in global configuration mode.

Table SC-1-2 Configure AAA login authentication

  Operation                                            Command
  Configure login authentication method list of AAA    aaa authentication login { default | list-name } { method1 } [ method2 ... ]
  Delete login authentication method list of AAA       no aaa authentication login { default | list-name }

By default, the login method list is aaa authentication login default local.

If list-name is not specified, the execution sequence of the default method list (the default definition) is used.

method is the authentication method, one of the following three:

- radius --- authentication with the RADIUS server
- local --- local authentication
- none --- all users are granted access without authentication

While configuring the authentication method list, at least one authentication method should be designated. If multiple authentication methods are designated, then in login authentication a subsequent method is used only when the preceding method gives no response (because the server is busy or the connection with the server fails). If authentication fails with a preceding method (i.e., the security server or the local user name database rejects the user), authentication is terminated and subsequent methods are not used. Besides, the none method is meaningful only as the last item of the method list.

The following five combinations of methods are legal:

- aaa authentication login default none
- aaa authentication login default local
- aaa authentication login default radius
- aaa authentication login default radius none
- aaa authentication login default radius local

FTP and EXEC are not standard attribute values in the RADIUS protocol, so the following two attribute values should be added to the Login-Service attribute (standard attribute 15) on the RADIUS server:

  50 FTP; 51 EXEC

1.3.4 Configuring Authentication Method List for PPP Users

Perform the following task in global configuration mode.

Table SC-1-3 Configure PPP authentication method list of AAA

  Operation                                          Command
  Configure PPP authentication method list of AAA    aaa authentication ppp { default | list-name } { method1 } [ method2 ... ]
  Cancel PPP authentication method list of AAA       no aaa authentication ppp { default | list-name }

method is the authentication method, one of the following three:

- radius --- authentication using the RADIUS server
- local --- local authentication
- none --- all users are granted access without authentication

While configuring the authentication method list, at least one authentication method should be designated. If multiple authentication methods are designated, then in PPP authentication a subsequent method is used only when the preceding method gives no response (because the server is busy or the connection with the server fails). If authentication fails with a preceding method (i.e., the security server or the local user name database rejects the user), authentication is terminated and subsequent methods are not attempted. Besides, the none method is meaningful only as the last item of the method list.

The following five combinations of methods are legal:

- aaa authentication ppp default none
- aaa authentication ppp default local
- aaa authentication ppp default radius
- aaa authentication ppp default radius none
- aaa authentication ppp default radius local

Multiple PPP authentication method lists can be configured for different interfaces.

1.3.5 Configuring the Local-First Authentication of AAA

When local-first authentication is configured, the user is first authenticated locally. If local authentication fails, the authentication method configured in the method list is used instead. Once local-first authentication is configured, it applies to all users using PPP and login.

Perform the following task in global configuration mode.

Table SC-1-4 Configure AAA local-first authentication

  Operation                             Command
  Enable local-first authentication     aaa authentication local-first
  Disable local-first authentication    no aaa authentication local-first

By default, local-first authentication is disabled.
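The method-list rules given for login users (1.3.3) and PPP users (1.3.4), together with the local-first step above, modelled as an added example (not code from this guide): it enforces the five legal combinations and the "none only last" rule, then evaluates a list with the guide's semantics, so that "radius local" falls back to the local database only when the server does not answer, while "radius none" grants access to anyone when the server is unreachable. The local and RADIUS user databases are constructed, and the backends are simulated.

```python
"""Added example (not code from the VRP guide): evaluates an AAA authentication
method list with the semantics the guide gives for login and PPP lists, plus
the optional local-first step. The RADIUS and local backends are simulated;
user names and passwords are constructed."""
from typing import List

ACCEPT, REJECT, NO_RESPONSE = "ACCEPT", "REJECT", "NO_RESPONSE"
METHOD_NAMES = ("radius", "local", "none")
# The five combinations the guide lists as legal (in command order).
LEGAL_LISTS = (["none"], ["local"], ["radius"], ["radius", "none"], ["radius", "local"])

# Constructed local user database (what "user <name> password 0 <pw>" would hold).
LOCAL_USERS = {"alice": "local-pw"}
# Constructed view of the RADIUS server's user database.
RADIUS_USERS = {"alice": "radius-pw", "bob": "bob-pw"}


def validate_list(methods: List[str]) -> None:
    """Enforce the guide's rules: at least one method, known names only,
    'none' only as the last item, and one of the five legal combinations."""
    if not methods:
        raise ValueError("at least one authentication method must be designated")
    unknown = [m for m in methods if m not in METHOD_NAMES]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    if "none" in methods[:-1]:
        raise ValueError("'none' is meaningful only as the last method")
    if methods not in LEGAL_LISTS:
        raise ValueError(f"{methods} is not one of the five legal combinations")


def is_legal(methods: List[str]) -> bool:
    """Boolean form of validate_list for callers that only need yes/no."""
    try:
        validate_list(methods)
    except ValueError:
        return False
    return True


def run_method(name: str, user: str, password: str, radius_up: bool) -> str:
    """Simulated backend: returns ACCEPT, REJECT or NO_RESPONSE."""
    if name == "local":
        return ACCEPT if LOCAL_USERS.get(user) == password else REJECT
    if name == "radius":
        if not radius_up:                  # server busy or connection failed
            return NO_RESPONSE
        return ACCEPT if RADIUS_USERS.get(user) == password else REJECT
    return ACCEPT                          # "none": access without authentication


def authenticate(user: str, password: str, methods: List[str],
                 local_first: bool = False, radius_up: bool = True) -> str:
    """Decide one login/PPP attempt.
    - local-first: a local success short-circuits; a local failure falls
      through to the method list (guide section 1.3.5).
    - a method that REJECTs ends the attempt; later methods are not tried.
    - a method with NO_RESPONSE lets the next method run.
    - if every method is unreachable the attempt is denied (assumed here;
      the guide does not state this case explicitly)."""
    validate_list(methods)
    if local_first and run_method("local", user, password, radius_up) == ACCEPT:
        return ACCEPT
    for name in methods:
        result = run_method(name, user, password, radius_up)
        if result in (ACCEPT, REJECT):
            return result
    return REJECT
```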

1.3.6 Configuring AAA Accounting Option

If no RADIUS accounting server is available, or communication with the RADIUS accounting server fails, and the aaa accounting optional command has been configured, the user can still use the network resources and is not disconnected.

Perform the following task in global configuration mode.

Table SC-1-5 Configure AAA accounting option

  Operation                            Command
  Turn on accounting option switch     aaa accounting optional
  Turn off accounting option switch    no aaa accounting optional

By default, the accounting option switch is turned off, i.e. accounting for the user is compulsory. When the method list none is designated by the user, accounting is unnecessary.

1.3.7 Configuring Local IP Address Pool

A local address pool is mainly used to assign IP addresses to users logging in through remote PPP. If the ending IP address is not designated when the IP address pool is defined, the address pool contains only one IP address.

Perform the following task in global configuration mode.

Table SC-1-6 Configure local IP address pool

  Operation                          Command
  Configure local IP address pool    ip local pool pool-number low-ip-address [ high-ip-address ]
  Cancel local IP address pool       no ip local pool pool-number

By default, no address pool is defined by the system.

Here, the pool-number value ranges from 0 to 99, i.e. the system can define at most 100 local IP address pools. Addresses in each address pool must be consecutive, and each address pool can have at most 256 addresses.


1.3.8 Assigning IP Address for PPP User 

A user dialing in over remote PPP obtains an address from the locally designated address pool. For this to happen, the serial number of the address pool, or the specific address to be assigned, must be configured.

Perform the following task in interface configuration mode.

Table SC-1-7 Assign IP address for PPP user

  Operation                          Command
  Assign IP address for PPP user     peer default ip address { ip-address | pool [ pool-number ] }
  Cancel IP address of PPP user      no peer default ip address

By default, pool-number is 0 (addresses from address pool 0 are assigned to PPP users).

1.3.9 Configuring Local User Database

When a user dials in, one of the following occurs according to the lookup in the local database:

- There is information about the user in the local database, so login of the user is permitted.
- There is no information about the user in the local database. If RADIUS server authentication is configured, the user information is sent to the RADIUS server for authentication; a user who passes authentication can log in normally, otherwise the user is rejected.
- There is no information about the user in the local database and RADIUS server authentication is not configured, so login of the user is denied.

The various configuration tasks conducted in the local user database can be nested or combined, and all local user database settings can be configured in one command.

Perform the following task in global configuration mode.

I. Configure user and password

The user and the local authentication password can be configured in the local database.

Table SC-1-8 Configuration of ordinary user and password

  Operation                          Command
  Configure the user and password    user user-name [ password { 0 | 7 } password ]
  Delete the user                    no user user-name

Here user-name is the user's name, a character string or number of 1 to 32 characters. password is the user's password, a character string or number of 1 to 16 characters.

II. Configure callback user 

In the Callback technique, the client (user side) first originates a call and requests Callback from the server. The server receives the call and decides whether to call back.


The Callback technique enhances security. In processing a Callback, the server calls the client according to the call number configured locally, so as to avoid the security risks caused by leakage of a user name or password. Besides, the server can classify call-in requests according to its configuration: refuse the call, accept the call (no callback) or accept with Callback, so as to impose different limitations on different clients and take the initiative in controlling resource access when there are incoming calls.

The Callback technique has the following advantages:

- Saves communication expenses (when the call charge rates of the two directions are different)
- Changes the bearer of the call charge
- Combines call charge lists

Quidway series security devices support the Callback technique, which is divided into ISDN caller authentication Callback and Callback with PPP participation.

ISDN caller authentication Callback involves no PPP; it directly authenticates whether the call-in number matches the number configured on the server, so only the server end needs corresponding configuration, and the client needs no modification.

Table SC-1-9 Configuration of callback user and the callback number

  Operation                                              Command
  Configure the Callback user and the Callback number    user user-name [ callback-dialstring telephone-number ]
  Delete the Callback user and the Callback number       no user user-name

A RADIUS server can be configured with callback-number, which is equivalent to the locally defined callback-dialstring. If aaa authentication ppp default radius is configured, the locally configured callback-dialstring is invalid, and the number transmitted to PPP is decided by the callback-number set on the RADIUS server. If aaa authentication ppp default radius local is configured, local authentication is used only when the RADIUS server does not respond, and in that case the locally defined callback-dialstring takes effect. If aaa authentication ppp default none is configured, the locally defined callback-dialstring does not work.

III. Configure user with caller number 

After users with caller numbers are configured, the calling numbers of incoming calls are checked against them during authentication. At present only ISDN users can be configured as this type of user.

Table SC-1-10 Configure user with caller number
Operation | Command
Configure a user with caller number | user user-name [calling-station-id telephone-number] [:sub-calling-station-id telephone-number]
Delete a user with caller number | no user user-name

IV. Configure FTP user and the usable directory

An FTP user and the usable FTP directory can be configured in the local database. This function is currently reserved for future extension.


Table SC-1-11 Configure FTP user and the usable directory
Operation | Command
Configure an FTP user and the usable directory | user user-name [ftp-directory directory]
Delete an FTP user and the usable directory | no user user-name

V. Authorize a user with usable service types

The services which can be used by a user can be authorized in the local database.

Table SC-1-12 Configure authorizing a user with usable service types
Operation | Command
Configure authorizing a user with usable services | user user-name [service-type { [exec] [ftp] [ppp] }]
Delete authorizing a user with usable services | no user user-name

By default, users are authorized to use services of PPP type.

exec refers to logging in to the router via Telnet or other means (such as the Console port, AUX port or an X.25 call) in order to configure it.

ftp refers to logging in to the router by file transfer and being granted the corresponding service.

ppp refers to the remote dial-in service granted to the user.

If the authentication method is radius, the service type must be defined on the RADIUS server (the following two attribute values are defined by Huawei):

  login-service (50) FTP or Login
  login-service (51) EXEC

1.3.10 Configuring RADIUS Server 

Perform the following task in global configuration mode.

I. Configure IP address, authentication port number and accounting port number of the server host

At most 3 RADIUS servers can be configured.

RADIUS follows the principles below to select the authentication and accounting server:

l  Servers are used in the sequence in which they are configured, i.e. first configured, first used.
l  When the RADIUS server used first does not respond, the succeeding servers are used in sequence.
l  When the authentication or accounting port number is configured as 0, the client does not use the authentication or accounting function provided by that server.


Table SC-1-13 Configure IP address, authentication port number and accounting port number of the server host
Operation | Command
Configure IP address (or host name), authentication port number and accounting port number of RADIUS server host | radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
Cancel RADIUS server with designated host address or host name | no radius-server host {hostname | ip-address}

The default authentication port number is 1812; when configured as 0, this server is not used as an authentication server. The default accounting port number is 1813; when configured as 0, this server is not used as an accounting server. Older RADIUS servers may still listen on the legacy ports 1645/1646, in which case the ports must be given explicitly with auth-port and acct-port.

II. Configure RADIUS server shared secret

The shared secret is used to hide the user password and to generate the Response Authenticator. When RADIUS sends authentication messages, MD5 with the shared secret is applied to sensitive information such as the password, so that the password does not cross the network in the clear. For the two parties to validate each other, the key configured on the router must be the same as the one set on the RADIUS server; otherwise the router cannot pass the authentication of the RADIUS server. Note that this protection is only as strong as the secret: it is an MD5-based masking of the password and an MD5 checksum of the reply, not modern encryption, so the secret should be long and random, should not be shared across unrelated devices, and RADIUS traffic should be confined to a trusted management network.

Table SC-1-14 Configure RADIUS server shared secret
Operation | Command
Configure shared secret of RADIUS server | radius-server key string
Delete shared secret of RADIUS server | no radius-server key
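The following is an added example, not code from this manual or from VRP, showing what the shared secret actually does on the wire according to RFC 2865: the NAS hides the User-Password by XORing it, block by block, with MD5(secret + Request Authenticator), and the server proves it holds the same secret through the Response Authenticator, MD5(Code + ID + Length + Request Authenticator + Attributes + secret). The user database, the user name abc with password hello, and the secrets are constructed for the demonstration; only the User-Name and User-Password attributes are modelled.

```python
"""Added example (not code from the VRP manual): what the RADIUS shared secret
does on the wire, per RFC 2865.  The NAS hides User-Password by XORing 16-byte
blocks with MD5(secret + Request-Authenticator) (chained), and the server proves
it holds the same secret with Response-Authenticator =
MD5(Code + ID + Length + Request-Authenticator + Attributes + secret).
User names, passwords and secrets below are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous hidden block);
    the first block uses MD5(secret + Request-Authenticator)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, mask))
        out += res
        prev = block if decrypt else res      # chain on the ciphertext in both directions
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a multiple of 16
    return _xor_chain(padded, secret, request_auth, decrypt=False)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(request: bytes, server_secret: bytes, users: dict) -> bytes:
    """Server side: recover the password with *its* secret and answer Accept/Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    password = unhide_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    ok = hmac.compare_digest(users.get(attrs[ATTR_USER_NAME], b""), password)
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", rcode, ident, 20) + response_authenticator(rcode, ident, b"", request_auth, server_secret)


def nas_verify(response: bytes, request_auth: bytes, nas_secret: bytes):
    """NAS side: trust the reply only if its Response-Authenticator checks out with our secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request_auth, nas_secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


def authenticate(user: bytes, password: bytes, nas_secret: bytes, server_secret: bytes, users: dict):
    """One Access-Request round trip; returns the reply code the NAS accepts, or None."""
    request_auth = os.urandom(16)                          # fresh per request, as RFC 2865 requires
    req = build_access_request(7, user, password, nas_secret, request_auth)
    return nas_verify(server_handle(req, server_secret, users), request_auth, nas_secret)


USERS = {b"abc": b"hello"}   # constructed user database (same user as the EXEC example in chapter 2)

if __name__ == "__main__":
    print(authenticate(b"abc", b"hello", b"this-is-my-secret", b"this-is-my-secret", USERS))  # 2: Access-Accept
    print(authenticate(b"abc", b"wrong", b"this-is-my-secret", b"this-is-my-secret", USERS))  # 3: Access-Reject
    print(authenticate(b"abc", b"hello", b"this-is-my-secret", b"other-secret", USERS))       # None: key mismatch
```

Run as a script it prints 2 (Access-Accept), 3 (Access-Reject) and None. The third call uses different secrets on the two sides: the server unhides a garbage password and rejects, and the NAS cannot verify the reply at all, which is the symptom behind the "key identical on both sides" check in the troubleshooting section.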

III. Configure the time interval at which the request packet is sent before RADIUS server fails

To judge whether a RADIUS server has failed, the router sends the authentication packet periodically. A timeout timer must therefore be set; when the timer expires without a response, the authentication request message is sent again.

Table SC-1-15 Configure the time interval at which the request packet is sent before RADIUS server fails
Operation | Command
Configure the time interval at which the authentication request packet is sent | radius-server timeout seconds
Restore default value of the time interval at which the authentication request packet is sent | no radius-server timeout

By default, the timeout interval is 10 seconds, range 1-65535 seconds.

IV. Configure the request retransmission times before RADIUS server fails

To judge whether a RADIUS server has failed, the system sends the authentication request packet periodically. If no response is received from the RADIUS server after the set timeout, the authentication request packet is transmitted again. The user can set the maximum number of retransmissions; when the number of retransmissions exceeds it, the system considers that the server has failed and marks it "dead".

Table SC-1-16 Configure the times of request retransmission before RADIUS server fails
Operation | Command
Configure the times of request retransmission before RADIUS server fails | radius-server retransmit retries
Restore default value of times of request retransmission | no radius-server retransmit

By default, the number of retransmissions is 3, ranging 1-255.

V. Configure the time interval at which the inquiry packet is sent after RADIUS server breaks down

After the first RADIUS server breaks down (for example, a line failure between the NAS and the server, or failure of the RADIUS process), the system marks this server "dead" and queries at a fixed interval whether it can work normally again. If the server is found to be working normally, then the next time the currently used server breaks down, the system automatically goes back to the first one.

Table SC-1-17 Configure the time interval at which the inquiry packet is sent after RADIUS server breaks down
Operation | Command
Configure the time interval at which the inquiry packet is sent after RADIUS server breaks down | radius-server dead-time minutes
Restore default value of the time interval at which the inquiry packet is sent | no radius-server dead-time

By default, the inquiry packet is sent at an interval of 5 minutes after the RADIUS server fails; the interval ranges 1-255 minutes.
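As an added example (not from this manual or from VRP), the server-selection rules of sections I, III, IV and V above are modelled below in Python with a simulated clock, so that the interaction of timeout, retransmit and dead-time can be seen offline. The server addresses and the up/down network state are constructed. The manual does not say whether the first send counts towards the retransmit limit, nor exactly how a dead server is re-probed, so the model assumes retransmit extra sends after the first one and simply tries a dead server again once its dead-time has elapsed.

```python
"""Added example, not code from the VRP manual: a model of RADIUS server selection
and failure detection as described in sections I, III, IV and V (first configured =
first used, port 0 = not used, timeout, retransmit, dead-time).  The clock is
simulated.  Assumptions not stated in the manual: "retransmit N" means N sends
after the first one, and a dead server is tried again once its dead-time has passed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class RadiusServer:
    host: str
    auth_port: int = 1812      # default authentication port; 0 = not used for authentication
    acct_port: int = 1813      # default accounting port; 0 = not used for accounting
    dead_until: float = 0.0    # simulated time until which the server is marked "dead"


@dataclass
class RadiusClient:
    servers: List[RadiusServer]          # in configured order
    timeout: float = 10.0                # radius-server timeout, seconds (default 10, 1-65535)
    retransmit: int = 3                  # radius-server retransmit (default 3, 1-255)
    dead_time: float = 5 * 60            # radius-server dead-time in seconds (default 5 min, 1-255 min)
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= len(self.servers) <= 3:
            raise ValueError("at most 3 RADIUS servers can be configured")
        if not 1 <= self.timeout <= 65535 or not 1 <= self.retransmit <= 255:
            raise ValueError("timeout 1-65535 s, retransmit 1-255")
        if not 60 <= self.dead_time <= 255 * 60:
            raise ValueError("dead-time 1-255 minutes")

    def authenticate(self, now: float,
                     send: Callable[[RadiusServer, int], Optional[bytes]]) -> Optional[Tuple[str, float]]:
        """Try servers in configured order.  send(server, attempt) returns the reply, or None
        when nothing arrives within the timeout.  Returns (host that answered, seconds spent
        waiting) or None when no usable server answered."""
        waited = 0.0
        for srv in self.servers:
            if srv.auth_port == 0:
                self.events.append(f"{srv.host}: auth-port 0, not used for authentication")
                continue
            if srv.dead_until > now + waited:
                self.events.append(f"{srv.host}: marked dead until t={srv.dead_until:.0f}, skipped")
                continue
            for attempt in range(1, self.retransmit + 2):   # first send + retransmit retries
                if send(srv, attempt) is not None:
                    self.events.append(f"{srv.host}: answered on attempt {attempt}")
                    return srv.host, waited
                waited += self.timeout                        # each silent attempt costs one timeout
            srv.dead_until = now + waited + self.dead_time
            self.events.append(f"{srv.host}: no reply after {attempt} sends, dead for {self.dead_time:.0f}s")
        return None


def make_network(up: dict) -> Callable[[RadiusServer, int], Optional[bytes]]:
    """Constructed stand-in for the network: a server whose host maps to True answers."""
    return lambda srv, attempt: b"Access-Accept" if up.get(srv.host) else None


if __name__ == "__main__":
    client = RadiusClient([RadiusServer("129.7.66.66"), RadiusServer("129.7.66.67")],
                          timeout=5, retransmit=2, dead_time=60)
    up = {"129.7.66.66": False, "129.7.66.67": True}
    print(client.authenticate(0, make_network(up)))     # ('129.7.66.67', 15.0): first server timed out 3 times
    print(client.authenticate(20, make_network(up)))    # ('129.7.66.67', 0.0): first server skipped while dead
    up["129.7.66.66"] = True
    print(client.authenticate(100, make_network(up)))   # ('129.7.66.66', 0.0): dead-time over, back to first
    print("\n".join(client.events))
```

With timeout 5, retransmit 2 and a dead-time of 1 minute, the first request waits 15 seconds on the unreachable first server before the second answers; a request 20 seconds later skips the dead server immediately, and a request after the dead-time goes back to the first server. This is also why the troubleshooting section suggests deleting and re-adding a server with radius-server host: it clears the dead mark without waiting for the dead-time to expire.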

VI. Configure the time interval at which the real-time accounting packet is sent to RADIUS server

After a user passes authentication, the NAS sends the user's real-time accounting information to the RADIUS server at a fixed interval. If a real-time accounting request fails, the user is handled according to the configuration of the command aaa accounting optional: if that command has been configured, the user can continue to use the network services; otherwise the NAS disconnects the user.

Usually the NAS sends accounting packets only at access time and at disconnection time. For higher reliability, the interval at which real-time accounting packets are sent to the RADIUS server can be configured.

Table SC-1-18 Configure the time interval at which the real-time accounting packet is sent to RADIUS server
Operation | Command
Configure the time interval at which the real-time accounting packet is sent to RADIUS server | radius-server realtime-acct-timeout minutes
Restore default value of the time interval at which the real-time accounting packet is sent | no radius-server realtime-acct-timeout


By default, the real-time accounting interval is 0, which disables real-time accounting. The interval is given in minutes, as the command argument shows, and ranges 0-32767.

1.4 Monitoring and maintenance of AAA and RADIUS

Use the following commands to perform monitoring and maintenance in privileged user mode.

Table SC-1-19 Monitoring and maintenance of AAA and RADIUS
Operation | Command
Show status of dial-in users | show aaa user
View local user database | show user
Enable RADIUS event debugging | debug radius event
Enable RADIUS message debugging | debug radius packet
Enable RADIUS primitive debugging | debug radius primitive

1) Show status of dial-in users

Quidway#show aaa user
UserName    UserID  UserType  IPAddress      AccountingTime  CallingNumber
liusongtao  2       PPP       10.110.10.100  00:48:10        1234567
Total User: 1

The above information shows the user name, user ID, user type, user IP address, accounting time and calling number.

2) View local user database

Quidway#show user
No.  username  logintimes  failed times
------------------------------------------------------
1    huawei    325         12

The information above shows the user name, the number of successful authentications with that user name, and the number of authentications that failed because of a wrong password. A rising failed-times count for a user is worth checking, since it is the local evidence of password guessing against that account.

1.5 Examples of the Typical Configuration of AAA and RADIUS

1.5.1 Access User Authentication Case 1

I. Networking requirements

A RADIUS server is used for authentication. 129.7.66.66 acts as the first authentication and accounting server and 129.7.66.67 as the second, both using the default authentication port 1812 and the default accounting port 1813.


II. Networking diagram

Figure SC-1-1 Networking diagram of typical AAA and RADIUS configuration

III. Configuration procedure

1) Enable AAA and configure default authentication method list of PPP user.

Quidway (config)#aaa-enable

Quidway (config)#aaa authentication ppp default radius

2) Configure IP address and port of RADIUS server.

Quidway (config)#radius-server host 129.7.66.66

Quidway (config)#radius-server host 129.7.66.67

3) Configure RADIUS server shared secret, retransmission times, accounting option and timeout

Quidway (config)#radius-server key this-is-my-secret

Quidway (config)#radius-server retransmit 2

Quidway (config)# aaa accounting optional

Quidway (config)#radius-server timeout 5

1.5.2 Access User Authentication Case 2

I. Networking requirements

129.7.66.66 acts as the first authentication and accounting server, with port numbers 1000 and 1001 respectively.

129.7.66.67 acts as the second authentication and accounting server, with port numbers 1812 and 1813 respectively.

First use the local database for authentication, and if there is no response, use RADIUS

server.


Charge all users in real time. The real-time accounting packet is sent at the interval of 5

minutes.

II. Networking diagram

Same as the diagram in the above case

III. Configuration procedure

1) Enable AAA and configure default authentication method list of PPP user.

Quidway (config)#aaa-enable

Quidway (config)#aaa authentication ppp default radius

2) Configure local-first authentication

Quidway (config)#aaa authentication local-first

3) Configure RADIUS server 

Quidway (config)#radius-server host 129.7.66.66 auth-port 1000 acct-port 1001

Quidway (config)#radius-server host 129.7.66.67

4) Configure RADIUS server shared secret and retransmission times

Quidway (config)#radius-server key this-is-my-secret

Quidway (config)#radius-server retransmit 2

5) Configure real-time accounting with interval of 5 minutes

Quidway (config)#radius-server realtime-acct-timeout 5

1.5.3 Authentication of FTP User 

I. Networking requirements

The authentication server is 129.7.66.66, using port 1812 for authentication and 1813 for accounting.

Authenticate and charge FTP users using the RADIUS server first; if there is no response, do not authenticate or charge them. Note that this is a fail-open policy: while the RADIUS server is unreachable, FTP logins are admitted without authentication, so it is only acceptable where FTP access to the router is otherwise restricted.

II. Networking diagram

Same as the diagram in the above case

III. Configuration procedure

1) Enable AAA and configure default authentication method list of FTP user.

Quidway (config)#aaa-enable

Quidway (config)#aaa authentication login default radius none

2) Configure RADIUS server IP address and port, using default port number 

Quidway (config)#radius-server host 129.7.66.66

3) Configure RADIUS server shared secret, retransmission times, timeout and

RADIUS server dead time.

Quidway (config)#radius-server key this-is-my-secret

Quidway (config)#radius-server retransmit 4


Quidway(config)#radius-server timeout 2

Quidway (config)#radius-server dead-time 1

4) Enable FTP server 

Quidway(config)#ftp-server enable

1.6 Fault Diagnosis and Troubleshooting of AAA and RADIUS

Problem 1: Local user authentication is always rejected

Troubleshooting: please follow the steps below.

l  Check whether the correct password has been configured in the user command.
l  Check whether the authorized service-type is correct.
l  When RADIUS server accounting is used and the command aaa accounting optional is not configured, check whether the RADIUS server can be pinged, and whether the address, port number and key of the RADIUS server configured on the router for accounting are identical with those on the RADIUS server in use.

If the operations above do not work, use the radius-server host command to reconfigure the RADIUS server. Because of the recent communication failure with the server, the system considers the RADIUS server unavailable, and since the radius-server dead-time command has not been configured (default 5 minutes), or a relatively long dead-time has been configured, the system does not yet know that the server has recovered. Use the no radius-server host command to delete the original RADIUS server, then reconfigure it with the radius-server host command to activate the server immediately.

If none of the above works, check whether the RADIUS server has been configured correctly and whether the modification has been activated.

Problem 2: User’ s RADIUS authentication is always rejected

Troubleshooting: please follow the steps below.

l  Check whether the Huawei-specific attributes have been added to the attribute dictionary of the RADIUS server.
l  Check whether the user name, password and service type are set correctly on the RADIUS server.
l  Check whether the RADIUS server can be pinged, and whether the address, port number and key of the RADIUS server configured on the router are identical with those of the RADIUS server in use.
l  Use the radius-server host command to reconfigure the RADIUS server. Because of a communication failure with the server, the system may consider the RADIUS server unavailable, and since the radius-server dead-time command has not been configured (default 5 minutes), or a relatively long dead-time has been configured, the system does not yet know that the server has recovered. Use the no radius-server host command to delete the original RADIUS server, then reconfigure it with the radius-server host command to activate the server immediately.
l  Check whether the RADIUS server has been configured correctly and whether the modification just made has been activated.


Problem 3: A connected user can not be seen in show aaa user 

Troubleshooting: please follow the steps below.

l  Check whether AAA has been enabled.

l  Check whether the authentication method list contains "none", because users authenticated by the none method are not displayed by the command show aaa user.

Problem 4: No authentication is configured, yet users are still authenticated

AAA has been enabled, and the default method in the AAA default authentication method list is "local". To disable authentication, aaa authentication ppp default none must be configured. Note that no aaa authentication ppp default does not delete the default method; it only restores local authentication.


Chapter 2 Configuration of Terminal Access Security

2.1 Terminal Access Security

2.1.1 Classification of Terminal Access Users

Quidway series routers adopt hierarchical protection for the command line interface, and divide terminal access users into two types:

l  Ordinary users
l  Privileged users

An ordinary user can only view some simple running information of the router, whereas a privileged user can not only view all the running information of the router but also configure and debug it. No password is required for ordinary users to access the router, but one is required for privileged users.

2.1.2 Configuring EXEC Login Authentication

All users accessing a router through any terminal means are called EXEC users. Quidway series routers divide EXEC users into five types: asynchronous port terminal users, X.25 PAD calling users, console port users, dumb terminal access users and Telnet terminal users.

Quidway series routers currently support command line interpreter access from the following kinds of terminal:

l  Access via a remote X.25 PAD call
l  Access via the asynchronous dialing port (working in interactive mode)
l  Access via the local console port
l  Access via dumb terminal access mode
l  Access via a local or remote Telnet terminal

Please perform the following tasks in the global configuration mode.

Table SC-2-1 Configure EXEC login authentication
Operation | Command
Configure login authentication of EXEC from asynchronous port | login async
Cancel login authentication of EXEC from asynchronous port | no login async
Configure login authentication of EXEC from Console port | login con
Cancel login authentication of EXEC from Console port | no login con
Configure EXEC login authentication of dumb terminal access server users | login hwtty
Cancel EXEC login authentication of dumb terminal access server users | no login hwtty
Configure login authentication of remote X.25 PAD calling users | login pad
Cancel login authentication of remote X.25 PAD calling users | no login pad
Configure login authentication of EXEC via Telnet | login telnet
Cancel login authentication of EXEC via Telnet | no login telnet


2.1.3 Security Features Provided by Command Line Interfaces for Terminal Users

The command line interface provides the following features for terminal users:

l  A terminal user logs in to the router as an ordinary user by default. To become a privileged user who can configure and manage the router, the enable command must be executed in ordinary user mode and the correct privileged user password entered.
l  For security, the privileged user password is not echoed on the terminal screen.
l  To resist repeated guessing, the connection is dropped automatically after a wrong password has been entered three times.
l  If a terminal user makes no keyboard input within 10 minutes, the connection is dropped automatically (for Console port users this limit is 3 minutes). When a privileged user leaves the terminal for a long time, it is recommended to return to ordinary user mode or disconnect from the router, so as to avoid unauthorized use of the session.

Table SC-2-2 Related operations of a privileged user
Operation | Command
Privileged user password authentication | enable
Exit from terminal user connection | exit
Return from privileged user mode to ordinary user mode | disable
Privileged user entering configuration mode | configure
Disconnect the user upon timeout when nothing is input | exec-timeout
Disable disconnection of the user when nothing is input | no exec-timeout

2.1.4 Modifying Privileged User Password

No privileged user password is set on the router at delivery, so when the router is powered on for the first time, use the enable password command to set the privileged user password. Do this before the router is connected to a production network, since the privileged password is what separates viewing from reconfiguring the router.

Table SC-2-3 Modify privileged user password
Operation | Command
Modify privileged user password | enable password password

2.2 Typical Configuration of EXEC

2.2.1 Configuring EXEC Login Authentication from CONSOLE Port

1) Enable AAA

Quidway (config)#aaa-enable

2) Configure the login authentication of entering EXEC from Console port

Quidway (config)#login con

3) Configure the local authentication user name and password of EXEC user type.


Quidway (config)#user abc service-type exec password 0 hello

4) Configure the default authentication method list of EXEC users

Quidway (config)#aaa authentication login default radius local

5) Configure RADIUS server and the shared secret

Quidway (config)#radius-server host 172.17.0.30 auth-port 1645 acct-port 1646

Quidway (config)#radius-server key quidway

In this example the user name is abc and the password is hello. The user is first authenticated by the RADIUS server, and local authentication is used when RADIUS authentication cannot be carried out normally. The server here listens on the legacy ports 1645/1646 rather than the defaults 1812/1813, which is why they are given explicitly. When logging in to the router over the Console port, local authentication admits only the user with user name abc and password hello; any other local login attempt is denied.

2.2.2 Configuring EXEC Login Authentication via Telnet

1) Enable AAA

Quidway (config)#aaa-enable

2) Configure the login authentication of entering EXEC via Telnet port

Quidway (config)#login telnet

3) Configure the local authentication user name and password of EXEC user type.

Quidway (config)#user abc service-type exec password 0 hello

4) Configure the authentication method list of EXEC users

Quidway (config)#aaa authentication login default local

In this example the user name is abc and the password is hello. Local authentication is performed directly, and only users passing local authentication can log in successfully; otherwise access to the router is denied.


Chapter 3 Configuration of Firewall

3.1 Brief Introduction to Firewall

3.1.1 About Firewall

I. What is firewall

A firewall controls which network devices may access internal network resources. It is located at the access point of the network; if a network has multiple access points, each of them must be configured with a firewall for network access control to be effective. A firewall is usually located between the internal network and an external network such as the Internet. Once a firewall is placed between the network and the Internet, traffic from the Internet must pass through the firewall before entering the network.

A firewall is used not only at the Internet connection but also to control access to particular parts of the internal network, for example to protect mainframes and important resources such as data. Access to the protected data must be filtered through the firewall, even when it comes from inside.

A firewall basically functions to monitor and filter traffic. It can be simple or sophisticated, depending on the network requirements. A simple firewall is easy to configure and manage, but users may need sophisticated and flexible firewalls. At present many firewalls also have other features, for example identifying the user and applying security processing (encryption) to the information.

After Quidway series routers are configured with the firewall features, the routers become a strong and effective firewall.

Figure SC-3-1 A firewall isolates the internal network from the Internet (diagram: PCs and a server on the internal Ethernet, the firewall, the Internet)


II. Classification of firewalls

Usually firewalls are divided into two types: network layer firewalls and application layer firewalls. A network layer firewall mainly looks at packet header information such as the protocol number, source address, destination address and destination port, or directly at the data following the packet header, whereas an application layer firewall analyzes the whole information stream.

Commonly used firewalls include the following:

l  Application gateway: checks the application layer data of all packets passing through the gateway. For example, an FTP application gateway acts as an FTP server towards the connected client and as an FTP client towards the server; all FTP packets on the connection must pass through this FTP application gateway.
l  Packet filtering: filters each packet against user-defined criteria, for example checking whether the source and destination addresses of a packet satisfy the rules. Packet filtering does not track connection state, nor does it analyze the data. If packets with port 21, or with a port greater than or equal to 1024, are allowed to pass, then any packet whose port meets this condition passes the firewall. With practical rules, many packets carrying hidden security risks can be filtered out at this layer.
l  Proxy: normally refers to address proxying on a proxy server or a router, which replaces the IP address and port of a host inside the network with the IP address and port of the server or router. For example, the intranet of an enterprise uses the 129.0.0.0 network segment and its official external IP addresses are 202.38.160.2-202.38.160.6. When the internal host 129.9.10.100 accesses an external WWW server, the IP address and port may become 202.38.160.2:6080 after passing through the proxy server. The proxy server maintains an address mapping table; when the external WWW server returns the result, the proxy server converts this IP address and port back to the internal IP address and port 80. With a proxy server, all access between external hosts and the internal network goes through the proxy, so access to internal devices holding important resources can be controlled.

III. Firewall features provided by VRP

With the VRP firewall features a router can be configured as:

l  An Internet firewall or partial Internet firewall
l  A firewall between groups in the internal network
l  A firewall providing a secure connection with subsidiary departments

A firewall between the intranet of a company and the network of its partner also has the following advantages:

l  Protect the internal network
l  Monitor traffic around the network
l  Permit transactions on the network via WWW (World Wide Web)

The VRP firewall is mainly applied to packet filtering and address translation. See "Network Protocol Configuration", in the chapter "IP Address Configuration" of this manual, for the configuration of address translation.

3.1.2 Packet Filtering

Usually, packet filtering refers to filtering of forwarded IP packets. For a packet that needs to be forwarded by the router, the packet header information is obtained first, including the number of the upper layer protocol carried by IP and the packet's source/destination address and source/destination port; this information is then compared with the configured rules, and finally it is decided from the result whether to forward or discard the packet.

Packet filtering (of IP packets) uses the following elements for the decision (in the figure, the upper layer protocol carried by IP is TCP), as shown in the figure below.

Figure SC-3-2  Packet filtering schematic diagram

The following can be realized by packet filtering:

l  Prohibit logging in with Telnet from outside
l  Ensure that all e-mail enters via SMTP (Simple Mail Transfer Protocol)
l  Allow one specific PC, rather than all other PCs, to send news to us via NNTP (Network News Transfer Protocol)

Packet filtering of Quidway series security equipment has the following features:

1) Based on access-list (Access Control List, ACL): ACLs are used not only in packet filtering but also in other features where data streams need to be classified, such as address translation and IPSec.
l  Support for standard and extended ACLs: set a simple address range with a standard ACL, or set the specific protocol, source address range, destination address range, source port range, destination port range, precedence and type of service with an extended ACL.
l  Support for time segments: make an ACL take effect in a specific period of time, such as 8:00-2:00 of every Monday, or as specific as from one year/month/day to another year/month/day.
2) Support for ACL automatic sorting: you can choose to sort the ACLs of a specific category, to simplify configuration and ease maintenance.
3) Direction-specific application: for example, one packet filtering rule can be applied in the output direction of the interface connected to the WAN and another in the input direction.
4) Support for interface-based filtering: forwarding of packets from a specific interface, in a specific direction of an interface, can be prohibited or permitted.
5) Support for logging packets that match a rule: the relevant information about the packet is recorded, and a mechanism guarantees that excessive resources are not consumed when a large number of logs are triggered in the same way.

3.1.3 Access Control List

To filter data packets, some rules need to be configured. The access control list is generally employed to configure the rules that filter data packets, and the types of access control lists are as follows:

- Standard access control list
- Extended access control list

I. Standard access control list

access-list [ normal | special ] access-list-number { deny | permit } { any | source-addr [ source-wildcard-mask ] }

II. Extended access control list

access-list [ normal | special ] access-list-number { deny | permit } protocol { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ log ]

protocol is the type of the protocol carried by IP, given as a name or a number. The number ranges from 0 to 255, and the names are icmp, igmp, ip, tcp, udp, gre and ospf.

Depending on the protocol, the above command can also be written in the following formats.

1) Command format when the protocol is ICMP:

access-list [ normal | special ] access-list-number { deny | permit } icmp { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ icmp-type [ icmp-code ] ] [ log ]

2) Command format when the protocol is IGMP:

access-list [ normal | special ] access-list-number { deny | permit } igmp { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ log ]

3) Command format when the protocol is IP:

access-list [ normal | special ] access-list-number { deny | permit } ip { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ log ]

4) Command format when the protocol is GRE:

access-list [ normal | special ] access-list-number { deny | permit } gre { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ log ]

5) Command format when the protocol is OSPF:

access-list [ normal | special ] access-list-number { deny | permit } ospf { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ log ]

6) Command format when the protocol is TCP:

access-list [ normal | special ] access-list-number { deny | permit } tcp { any | source-addr source-wildcard-mask } [ operator port-number ] { any | destination-addr destination-wildcard-mask } [ operator port-number ] [ log ]

7) Command format when the protocol is UDP:

access-list [ normal | special ] access-list-number { deny | permit } udp { any | source-addr source-wildcard-mask } [ operator port-number ] { any | destination-addr destination-wildcard-mask } [ operator port-number ] [ log ]

Only the TCP and UDP protocols require specifying the port range. The supported operators and their syntax are listed below.

Table SC-3-1  Operators of the extended access control list

Operator and Syntax              Meaning
eq portnumber                    Equal to 'portnumber'
gt portnumber                    Greater than 'portnumber'
lt portnumber                    Less than 'portnumber'
neq portnumber                   Not equal to 'portnumber'
range portnumber1 portnumber2    Between 'portnumber1' and 'portnumber2'

In specifying the portnumber, the following mnemonic symbols may be used in place of the actual value.


Table SC-3-2  Mnemonic symbols of the port number

Protocol  Mnemonic Symbol  Meaning and Actual Value
TCP       bgp              Border Gateway Protocol (179)
TCP       chargen          Character generator (19)
TCP       cmd              Remote commands (rcmd, 514)
TCP       daytime          Daytime (13)
TCP       discard          Discard (9)
TCP       domain           Domain Name Service (53)
TCP       echo             Echo (7)
TCP       exec             Exec (rsh, 512)
TCP       finger           Finger (79)
TCP       ftp              File Transfer Protocol (21)
TCP       ftp-data         FTP data connections (20)
TCP       gopher           Gopher (70)
TCP       hostname         NIC hostname server (101)
TCP       irc              Internet Relay Chat (194)
TCP       klogin           Kerberos login (543)
TCP       kshell           Kerberos shell (544)
TCP       login            Login (rlogin, 513)
TCP       lpd              Printer service (515)
TCP       nntp             Network News Transport Protocol (119)
TCP       pop2             Post Office Protocol v2 (109)
TCP       pop3             Post Office Protocol v3 (110)
TCP       smtp             Simple Mail Transport Protocol (25)
TCP       sunrpc           Sun Remote Procedure Call (111)
TCP       syslog           Syslog (514)
TCP       tacacs           TAC Access Control System (49)
TCP       talk             Talk (517)
TCP       telnet           Telnet (23)
TCP       time             Time (37)
TCP       uucp             Unix-to-Unix Copy Program (540)
TCP       whois            Nicname (43)
TCP       www              World Wide Web (HTTP, 80)
UDP       biff             Mail notify (512)
UDP       bootpc           Bootstrap Protocol Client (68)
UDP       bootps           Bootstrap Protocol Server (67)
UDP       discard          Discard (9)
UDP       dns              Domain Name Service (53)
UDP       dnsix            DNSIX Security Attribute Token Map (90)
UDP       echo             Echo (7)
UDP       mobilip-ag       MobileIP-Agent (434)
UDP       mobilip-mn       MobileIP-MN (435)
UDP       nameserver       Host Name Server (42)
UDP       netbios-dgm      NETBIOS Datagram Service (138)
UDP       netbios-ns       NETBIOS Name Service (137)
UDP       netbios-ssn      NETBIOS Session Service (139)
UDP       ntp              Network Time Protocol (123)
UDP       rip              Routing Information Protocol (520)
UDP       snmp             SNMP (161)
UDP       snmptrap         SNMPTRAP (162)
UDP       sunrpc           SUN Remote Procedure Call (111)
UDP       syslog           Syslog (514)
UDP       tacacs-ds        TACACS-Database Service (65)
UDP       talk             Talk (517)
UDP       tftp             Trivial File Transfer (69)
UDP       time             Time (37)
UDP       who              Who (513)
UDP       xdmcp            X Display Manager Control Protocol (177)


The ICMP packet type can be specified for the ICMP protocol; if no type is given, the rule applies to ICMP packets of any type. You can use a number (ranging from 0 to 255) or a mnemonic symbol to specify the packet type, see Table SC-3-3.

Table SC-3-3  Mnemonic symbols of the ICMP message type

Mnemonic Symbol         Meaning
echo                    Type=8, Code=0
echo-reply              Type=0, Code=0
fragmentneed-DFset      Type=3, Code=4
host-redirect           Type=5, Code=1
host-tos-redirect       Type=5, Code=3
host-unreachable        Type=3, Code=1
information-reply       Type=16, Code=0
information-request     Type=15, Code=0
net-redirect            Type=5, Code=0
net-tos-redirect        Type=5, Code=2
net-unreachable         Type=3, Code=0
parameter-problem       Type=12, Code=0
port-unreachable        Type=3, Code=3
protocol-unreachable    Type=3, Code=2
reassembly-timeout      Type=11, Code=1
source-quench           Type=4, Code=0
source-route-failed     Type=3, Code=5
timestamp-reply         Type=14, Code=0
timestamp-request       Type=13, Code=0
ttl-exceeded            Type=11, Code=0

By configuring the firewall and adding appropriate access rules, the user can employ the packet filtering function to check the IP packets that are to pass through the router and deny those that should not pass. In this way packet filtering helps to protect the security of the network.

3. Configure the match sequence of access control list

An access control list can be composed of several "permit/deny" statements, and the range of data packets specified by each statement varies. The match sequence needs to be configured to decide the order in which a data packet is matched against the statements of an access control list.

The maximum number of rules configured under an access-list-number is 100 (that is, 100 rules can be configured in the normal timerange, and another 100 rules in the special timerange). When several rules conflict, the system orders the match rules according to the following principle:

- Rules with the same serial number can be defined. If two rules with the same serial number conflict, the "Depth-first Principle" is used to judge the source-addr, source-wildcard-mask, destination-addr, destination-wildcard-mask, protocol number and port number, and so determine the sequence of the rules.
- If the ranges defined by the rules are the same, the sequence of the rules is determined by the order of definition: the system chooses the rule defined earlier.

"Depth-first Principle" means matching first the access rule with the smallest range of data packets. This is achieved by comparing the wildcards of the addresses: the smaller the wildcard, the smaller the range of hosts specified. For example, 129.102.1.1 0.0.0.0 specifies a single host (the address 129.102.1.1), while 129.102.1.1 0.0.255.255 specifies a network segment (the range of addresses from 129.102.1.1 to 129.102.255.255), so the former is obviously arranged in front in the access control list.

The specific criteria are as follows:

For standard access control rules, compare the wildcards of the source addresses directly, and arrange the rules in configuration sequence if the wildcards are the same.

For access control rules based on interface filtering, the rules configured with "any" are arranged behind, and the rest are arranged in configuration sequence.

For extended access control rules, compare the wildcards of the source addresses. If they are the same, compare the wildcards of the destination addresses. If they are still the same, compare the ranges of port numbers, and the rule with the smaller range is arranged in front. If the port numbers are the same, the rules are matched in the user's configuration sequence.

The command show access-list access-list-number can be used to view the execution sequence of the system's access rules; the rules listed first are selected first.

3.2 Configuring Firewall

3.2.1 Firewall Configuration Task List

The firewall configuration task list is as follows:

- Enable/disable firewall
- Configure standard access list
- Configure extended access list
- Configure the match sequence of access control list
- Set default firewall filtering mode
- Set special time range
- Configure rules for applying access control list on interface
- Specify logging host

3.2.2 Enabling/Disabling Firewall

The firewall must be enabled for message filtering; otherwise the other firewall configurations take no effect.

Perform the following tasks in global configuration mode.

Table SC-3-4  Enable/disable firewall

Operation          Command
Enable firewall    firewall enable
Disable firewall   firewall disable

By default, the firewall is disabled.

3.2.3 Configuring Standard Access Control List

The value of the standard access control list is an integer from 1 to 99. Before configuring the access control list, configure the match sequence of the access control list first, then configure the individual access rules. If you do not configure the match order, auto mode is adopted.

Perform the following tasks in global configuration mode.

Table SC-3-5  Configure standard access control list

Operation                        Command
Configure standard access list   access-list [ normal | special ] access-list-number { deny | permit } { any | source-addr [ source-wildcard-mask ] }
Delete standard access list      no access-list [ normal | special ] { all | access-list-number [ subitem ] }

normal indicates that the rule works within the normal time range. special indicates that the rule works in a special time range; when using special, the user must specify the special time range. Rules with the same sequence number are matched according to the principle of "depth preference".

By default, normal is adopted.

3.2.4 Configuring Extended Access Control List

The value of the extended access control list is an integer from 100 to 199. Before configuring the access control list, configure the match sequence of the access control list first, then configure the individual access rules. If you do not configure the match order, auto mode is adopted.

Perform the following tasks in global configuration mode.

Table SC-3-6  Configure extended access control list

Operation                                                   Command
Configure extended access control list of TCP/UDP protocol  access-list [ normal | special ] access-list-number { deny | permit } { tcp | udp } { any | source-addr source-wildcard-mask } [ operator port-number ] { any | destination-addr destination-wildcard-mask } [ operator port-number ] [ log ]
Configure extended access control list of ICMP protocol     access-list [ normal | special ] access-list-number { deny | permit } icmp { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ icmp-type [ icmp-code ] ] [ log ]
Configure extended access control list of other protocols   access-list [ normal | special ] access-list-number { deny | permit } protocol { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ log ]
Delete extended access list                                 no access-list [ normal | special ] { all | access-list-number [ subitem ] }

normal indicates that the rule works within the normal time range. special indicates that the rule works in a special time range; when using special, the user must specify the special time range. Rules with the same sequence number are matched according to the principle of "depth preference".

By default, normal is adopted.

3.2.5 Configuring the match sequence of access control list

Perform the following tasks in global configuration mode.

Table SC-3-7  Configure the match sequence of access control list

Operation                                            Command
Configure the match sequence of access control list  access-list [ normal | special ] access-list-number sort [ auto | manual ]

By default, auto mode is adopted to match the access control list.

3.2.6 Setting Default Firewall Filtering Mode

The default firewall filtering mode decides what happens when no access rule applies to a user data packet: the default filtering mode set by the user determines whether the packet is permitted or inhibited from passing.

Perform the following tasks in global configuration mode.

Table SC-3-8  Set default firewall filtering mode

Operation                                                        Command
Set the default firewall filtering mode as message pass permitted  firewall default permit
Set the default firewall filtering mode as message pass inhibited  firewall default deny

By default, the firewall filtering mode is message pass permitted.

3.2.7 Configuring Special Timerange

I. Enable/disable filtering according to timerange

Filtering according to timerange means that in different timeranges the IP data packets are filtered with different access rules. It is also called special rules for special time.

The timeranges are classified into two types according to actual applications:

- Special timerange: time within the set timerange (specified by the keyword special)
- Normal timerange: time beyond the specified timerange (specified by the keyword normal)

Similarly, the access control rules are also classified into two types:

- Normal packet-filtering access rules
- Special timerange packet-filtering access rules

These two types of timeranges define different access control lists and access rules, which do not affect each other. In actual applications, they can be considered as two independent sets of rules, and the system determines which one to use by checking the current timerange (special or normal). For example, if the current system time is in the special timerange (whose rules are defined by access-list special access-list-number), the special timerange rules are used for filtering. When the current system time switches to the normal timerange (whose rules are defined by access-list normal access-list-number), the normal timerange rules are used for filtering.

Perform the following tasks in global configuration mode.


Table SC-3-9  Enable/disable filtering according to timerange

Operation                                   Command
Enable filtering according to timerange     timerange enable
Disable filtering according to timerange    timerange disable

Only when the switch for filtering according to timerange is enabled do the special timerange access rules set by the user take effect. When this switch is disabled, the normal timerange access rules are applied.

II. Set special timerange

When the user enables message filtering according to timerange, the firewall adopts the user-defined special timerange access rules for filtering during the timerange defined by the user. A newly defined special timerange becomes valid about 1 minute after it is defined, and the one defined previously becomes invalid automatically.

Perform the following tasks in global configuration mode.

Table SC-3-10  Set special timerange

Operation                  Command
Set special timerange      settr begin-time end-time [ begin-time end-time ... ]
Cancel special timerange   no settr

By default, the system adopts the access rules defined for the normal timerange for message filtering. The command settr can define up to 6 timeranges at the same time. The format of a time is hh:mm, where hh is 0-23 hours and mm is 0-59 minutes.

The command show route can be used to view the current clock status of the system.
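The selection between the normal and special rule sets described above, as an added example (not VRP code): it parses a settr command in the manual's hh:mm form, enforces the limit of 6 timeranges, and reports which rule set the firewall consults for a given clock time. The assumptions are that a range whose end precedes its begin wraps past midnight and that the one-minute activation delay mentioned above is ignored.

```python
"""Which rule set is active, normal or special timerange (added example, not VRP code)."""
from datetime import time
from typing import List, Tuple

MAX_RANGES = 6                        # the manual: settr defines up to 6 timeranges
TimeRanges = List[Tuple[time, time]]


def _hhmm(text: str) -> time:
    """Parse hh:mm with the manual's limits (hh 0-23, mm 0-59)."""
    hh, mm = (int(x) for x in text.split(":"))
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        raise ValueError(f"bad time {text!r}: hh is 0-23, mm is 0-59")
    return time(hh, mm)


def parse_settr(command: str) -> TimeRanges:
    """Parse 'settr begin-time end-time [begin-time end-time ...]'."""
    t = command.split()
    if t[0] != "settr" or len(t) < 3 or len(t) % 2 == 0:
        raise ValueError("expected: settr begin-time end-time [begin-time end-time ...]")
    pairs = list(zip(t[1::2], t[2::2]))
    if len(pairs) > MAX_RANGES:
        raise ValueError(f"settr accepts at most {MAX_RANGES} timeranges")
    return [(_hhmm(b), _hhmm(e)) for b, e in pairs]


def in_special_timerange(ranges: TimeRanges, now: str) -> bool:
    """The check behind 'show isintr'. Assumption of this example: a range whose
    end precedes its begin (e.g. 22:00 02:00) wraps past midnight."""
    clock = _hhmm(now)
    for begin, end in ranges:
        if begin <= end:
            if begin <= clock <= end:
                return True
        elif clock >= begin or clock <= end:
            return True
    return False


def active_rule_set(timerange_enabled: bool, ranges: TimeRanges, now: str) -> str:
    """'special' only while the timerange switch is on and the clock is inside a
    special range; in every other case the normal timerange rules apply."""
    if timerange_enabled and in_special_timerange(ranges, now):
        return "special"
    return "normal"


# Constructed sample, taken from the 'show time-range' output in section 3.3.
SAMPLE = parse_settr("settr 01:00 02:00 03:00 04:00")

if __name__ == "__main__":
    for now in ("01:30", "02:30"):
        print(now, active_rule_set(True, SAMPLE, now), active_rule_set(False, SAMPLE, now))
```

The point to check operationally is the last function: with timerange disabled the special rules are never consulted, however the ranges are set, so a special-time deny that appears not to work is usually a disabled switch or a router clock that is off.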

3.2.8 Configuring Rules for Applying Access Control List on Interface

To filter messages on specific interfaces, the access control list rules must be applied to those interfaces. Users can define different access control rules for messages in the inbound and outbound directions of one interface.

Perform the following tasks in interface configuration mode.

Table SC-3-11  Configure rules for applying access control list on interface

Operation                                                        Command
Specify rule for filtering received/sent messages on interface   ip access-group access-list-number [ in | out ]
Cancel rule for filtering received/sent messages on interface    no ip access-group access-list-number [ in | out ]

By default, no rule for filtering messages on an interface is specified.

In one direction of an interface (in or out), up to 20 access rules can be applied. That is to say, 20 rules can be applied with ip access-group in, and 20 rules with ip access-group out.

If two rules with different sequence numbers conflict, the one with the greater access-list-number is matched preferentially.

3.2.9 Specifying Logging Host

The firewall supports a logging function. When an access rule is matched, and the user has specified that logging be generated for this rule, the logs can be sent to, recorded and saved by the logging host.

Perform the following tasks in global configuration mode.

Table SC-3-12  Specify logging host

Operation             Command
Specify logging host  logging host unix-hostname ip-address
Cancel logging host   no logging host

For a detailed description of the logging host parameters, please refer to the chapter "Logging Function" in "Fundamental Configuration".

3.3 Monitoring and Maintenance of Firewall

Perform the monitoring and maintenance of the firewall with the following commands in privileged user mode.

Table SC-3-13  Monitoring and maintenance of firewall

Operation                                                       Command
Show firewall status                                            show firewall
Show packet filtering rules and their application on interfaces show access-lists { all | access-list-number | interface interface-name }
Show current timerange                                          show timerange
Show whether the current time is within special timerange       show isintr
Clear access rule counters                                      clear access-list counters [ access-list-number ]
Enable debugging of firewall packet filtering                   debug filter { all | icmp | tcp | udp }
Disable debugging of firewall packet filtering                  no debug filter { all | icmp | tcp | udp }

1) Show the firewall statistics of an interface

Quidway#show firewall
  Firewall is enable, default filtering method is 'permit'.
  TimeRange packet-filtering disable.
  InBound : 0 packets, 0 bytes, 0% permitted,
            0 packets, 0 bytes, 0% denied,
            52 packets, 3679 bytes, 88% permitted defaultly,
            7 packets, 469 bytes, 11% denied defaultly;
  From 19:35:44 to 19:35:49
            0 packets, 0 bytes, permitted,
            0 packets, 0 bytes, denied,
            0 packets, 0 bytes, permitted defaultly,
            0 packets, 0 bytes, denied defaultly;
  OutBound: 0 packets, 0 bytes, 0% permitted,
            7 packets, 588 bytes, 20% denied,
            25 packets, 2100 bytes, 73% permitted defaultly,
            2 packets, 168 bytes, 5% denied defaultly.
  From 19:35:44 to 19:35:49
            0 packets, 0 bytes, permitted,
            0 packets, 0 bytes, denied,
            0 packets, 0 bytes, permitted defaultly,
            0 packets, 0 bytes, denied defaultly

The above information shows that the firewall is enabled, the default filtering mode is data packet pass permitted, and timerange packet filtering is disabled. It also shows the history statistics of inbound and outbound messages in the timerange from 19:35:44 to 19:35:49: how many packets were permitted to pass, how many were denied, how many were permitted by default and how many were denied by default.

2) Show packet filtering rules and their application on interfaces

Quidway#show access-list all
  Normal time packet-filtering rules:
  1 - 99 are empty.
  100 deny icmp 10.10.1.1 0.0.0.255 10.10.1.3 0.0.0.255 (11 matches, 924bytes -- rule 1)
  101 - 199 are empty.
  TimeRange packet-filtering rules:
  1 - 199 are empty.

The above information shows that under the normal time packet-filtering rules, the standard access lists 1-99 and the extended access lists 101-199 are empty (list 100 is in use). Under the special timerange packet-filtering rules, the access lists 1-199 are all empty.

To clear the counters of an access control list, the user can use the command clear access-list counters, which sets the number of matching data packets and the number of bytes to 0.

3) Show whether the current time is in the special timerange

Quidway#show time-range
  TimeRange packet-filtering enable.
  beginning of time range:
  01:00 - 02:00
  03:00 - 04:00
  end of time range.

3.4 Typical Configuration of Firewall

The following is a sample firewall configuration in an enterprise.

I. Networking requirements

This enterprise accesses the Internet via interface Serial 0 of one Quidway router and provides www, ftp and telnet services to the outside. The internal subnet of the enterprise is 129.38.1.0; the internal ftp server address is 129.38.1.1, the internal telnet server address is 129.38.1.2, and the internal www server address is 129.38.1.3. The address of the enterprise towards the outside is 202.38.160.1. Address translation has been configured on the router so that internal PCs can access the Internet and external PCs can access the internal servers. By configuring a firewall, the following are expected:

- Only specific users from the external network can access the internal servers.
- Only specific internal hosts can access the external network.

In this example, assume that the IP address of the specific external user is 202.39.2.3.


II. Networking diagram

Figure SC-3-3  Sample networking of firewall configuration (diagram labels: Enterprise Ethernet; Quidway router; www server 129.38.1.3; ftp server 129.38.1.1; telnet server 129.38.1.2; specific internal PC; 129.38.1.4; 129.38.1.5; 202.38.160.1; WAN; specific external PC)

III. Configuration procedure

1) Enable firewall

Quidway(config)#firewall enable

2) Configure the firewall default filtering mode as packet pass permitted

Quidway(config)#firewall default permit

3) Configure an access rule to inhibit the passing of all packets

Quidway(config)#access-list 101 deny ip any any

4) Configure rules to permit the specific host and the internal servers to access the external network

Quidway(config)#access-list 101 permit ip 129.38.1.4 0 any
Quidway(config)#access-list 101 permit ip 129.38.1.1 0 any
Quidway(config)#access-list 101 permit ip 129.38.1.2 0 any
Quidway(config)#access-list 101 permit ip 129.38.1.3 0 any

5) Configure a rule to permit the specific external user to access the internal servers

Quidway(config)#access-list 102 permit tcp 202.39.2.3 0 202.38.160.1 0

6) Configure a rule to permit specific users to obtain data (only packets to ports greater than 1024) from the external network

Quidway(config)#access-list 102 permit tcp any 202.38.160.1 0 gt 1024

7) Apply list 101 to packets coming in on interface Ethernet0

Quidway(config-if-Ethernet0)#ip access-group 101 in

8) Apply list 102 to packets coming in on interface Serial0

Quidway(config-if-Serial0)#ip access-group 102 in
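The depth-first match sequence described in section 3.1.3 (source wildcard, then destination wildcard, then port range, then configuration order) and the first-match evaluation with a firewall default mode, as one added example that is not VRP code. It parses access-list statements in the syntax of this chapter (with the eq/gt/lt/neq/range operators of Table SC-3-1 and a few mnemonics of Table SC-3-2) and evaluates constructed packets against lists 101 and 102 of the configuration procedure above. The "width" of a wildcard is taken as its number of one bits, which for contiguous wildcards agrees with the numerical comparison the manual describes; the log keyword, the normal/special split and the 100-rule limit are not modelled.

```python
"""Depth-first ACL ordering and first-match filtering (added example, not VRP code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALL_PORTS = [(0, 65535)]                      # unrestricted port range
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}  # subset of Table SC-3-2

@dataclass
class Rule:
    number: int
    action: str                        # "permit" or "deny"
    protocol: str                      # "ip" matches every protocol
    src: int                           # address as a 32-bit integer
    src_wc: int                        # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int
    src_ports: List[Tuple[int, int]]   # inclusive ranges
    dst_ports: List[Tuple[int, int]]
    seq: int                           # configuration order, the final tie-breaker

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _addr(text): return int(ipaddress.IPv4Address(text))
def _port(text): return int(text) if text.isdigit() else PORT_NAMES[text]

def _parse_addr(t, i, optional_wc=False):
    """Consume {any | addr [wildcard]} at t[i]; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if optional_wc and (i + 1 >= len(t) or t[i + 1] == "log"):
        return _addr(t[i]), 0, i + 1
    w = t[i + 1]                                        # the manual writes a host wildcard as "0"
    return _addr(t[i]), (int(w) if w.isdigit() else _addr(w)), i + 2

def _parse_ports(t, i):
    """Consume an optional [operator port] at t[i]; operators as in Table SC-3-1."""
    if i >= len(t) or t[i] not in ("eq", "gt", "lt", "neq", "range"):
        return ALL_PORTS, i
    if t[i] == "range":
        return [(_port(t[i + 1]), _port(t[i + 2]))], i + 3
    p = _port(t[i + 1])
    return {"eq": [(p, p)], "gt": [(p + 1, 65535)], "lt": [(0, p - 1)],
            "neq": [(0, p - 1), (p + 1, 65535)]}[t[i]], i + 2

def parse_rule(line, seq):
    """Parse one access-list statement; 1-99 is a standard list, 100-199 an extended one."""
    t = line.split()
    i = 2 if t[1] in ("normal", "special") else 1
    number, action, i = int(t[i]), t[i + 1], i + 2
    if number <= 99:                                    # standard list: source address only
        src, src_wc, _ = _parse_addr(t, i, optional_wc=True)
        return Rule(number, action, "ip", src, src_wc, 0, 0xFFFFFFFF, ALL_PORTS, ALL_PORTS, seq)
    protocol, i = t[i], i + 1
    ports = protocol in ("tcp", "udp")                  # only TCP and UDP carry port operators
    src, src_wc, i = _parse_addr(t, i)
    src_ports, i = _parse_ports(t, i) if ports else (ALL_PORTS, i)
    dst, dst_wc, i = _parse_addr(t, i)
    dst_ports, i = _parse_ports(t, i) if ports else (ALL_PORTS, i)
    return Rule(number, action, protocol, src, src_wc, dst, dst_wc, src_ports, dst_ports, seq)

def depth_first_key(r):
    """Narrower rules first: fewer don't-care bits, then fewer ports, then configuration order."""
    span = sum(hi - lo + 1 for lo, hi in r.src_ports + r.dst_ports)
    return (bin(r.src_wc).count("1"), bin(r.dst_wc).count("1"), span, r.seq)

def matches(r, p):
    if r.protocol != "ip" and r.protocol != p.protocol:
        return False
    if (_addr(p.src) ^ r.src) & ~r.src_wc & 0xFFFFFFFF:
        return False
    if (_addr(p.dst) ^ r.dst) & ~r.dst_wc & 0xFFFFFFFF:
        return False
    if r.protocol in ("tcp", "udp"):
        return (any(lo <= p.sport <= hi for lo, hi in r.src_ports)
                and any(lo <= p.dport <= hi for lo, hi in r.dst_ports))
    return True

def filter_packet(acl, p, default="permit"):
    """The first rule in depth-first order decides; otherwise the firewall default mode applies."""
    for r in sorted(acl, key=depth_first_key):
        if matches(r, p):
            return r.action
    return default

# Sample input constructed from lists 101 and 102 of the configuration procedure above.
ACL_101 = [parse_rule(l, i) for i, l in enumerate([
    "access-list 101 deny ip any any",
    "access-list 101 permit ip 129.38.1.4 0 any",
    "access-list 101 permit ip 129.38.1.1 0 any",
    "access-list 101 permit ip 129.38.1.2 0 any",
    "access-list 101 permit ip 129.38.1.3 0 any"])]
ACL_102 = [parse_rule(l, i) for i, l in enumerate([
    "access-list 102 permit tcp 202.39.2.3 0 202.38.160.1 0",
    "access-list 102 permit tcp any 202.38.160.1 0 gt 1024"])]
```

Running filter_packet over list 101 shows why step 3 can be entered before the permits: the host rules (wildcard 0) sort ahead of deny ip any any under the depth-first principle, so 129.38.1.4 is permitted while any other internal address is denied. Over list 102 the same function shows the difference the default mode makes: a TCP packet from an unlisted external host to port 23 of 202.38.160.1 matches neither rule, so with firewall default permit it passes, and only with firewall default deny (or an explicit deny ip any any in list 102) is it dropped.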


Chapter 4 Configuration of IPSec

4.1 Brief Introduction to IPSec Protocol

I. IPSec

IPSec is the general name of a series of network security protocols developed by the IETF (Internet Engineering Task Force) to provide services such as access control, connectionless integrity, data authentication, anti-replay, encryption and encrypted data-flow classification for both communicating parties.

With IPSec, there is no need to worry about data being monitored, modified or forged while it is transmitted over a public network. This enables secure access for VPN (Virtual Private Network), including internal networks, external networks and connections between remote users.

1) IPSec can provide the following network security services:

- Data confidentiality: the IPSec sender encrypts the packets before they are transmitted through the network.
- Data integrity: the IPSec receiver authenticates the packets from the sender to make sure the data was not modified during transmission.
- Data authentication: the IPSec receiver authenticates the source address of IPSec packets. This service is based on data integrity.
- Anti-replay: the IPSec receiver can detect and refuse timed-out or repeated messages.

2) IPSec components include AH (Authentication Header), ESP (Encapsulating Security Payload), SA (Security Association), IKE (Internet Key Exchange), encryption and authentication algorithms, etc.

- AH (Authentication Header), a message authentication header protocol, can be used in both transport mode and tunnel mode to provide data integrity and authentication services for IP packets. The data integrity check is used to judge whether the data packets were modified during transmission. The authentication mechanism can be used by terminal systems or network equipment to verify users and applications and to filter communication traffic, and it can also prevent address spoofing attacks and replay attacks.
- ESP (Encapsulating Security Payload), a message encapsulation security payload protocol, can be used in both transport mode and tunnel mode. With its encryption and authentication mechanisms, it provides services such as data authentication, data integrity, anti-replay and confidentiality for IP packets.
- AH and ESP can be used either separately or together. Both AH and ESP have authentication functions with their own characteristics: ESP requires high-strength cryptographic algorithms, which are strictly restricted by policy in many countries, while AH defines a series of authentication measures only, so it can be used freely throughout the world. Besides, in most cases many people use only the authentication service.
- IKE, the Internet Key Exchange protocol, implements a hybrid of the Oakley and SKEME key exchanges within ISAKMP (Internet Security Association and Key Management Protocol). This protocol defines standards for automatically authenticating the IPSec peer, negotiating security services and generating shared keys, so as to provide automatic key exchange negotiation and security association creation, thus simplifying the use and management of IPSec.

3) Both AH and ESP support two message encapsulation modes: tunnel mode and transport mode.

- Tunnel mode: the whole IP message is encrypted or authenticated, i.e., a new IP header is added before the original IP message, whose source and destination addresses are the IP addresses of the two ends of the security tunnel. When this encapsulation mode is adopted, the AH or ESP header is inserted between the inner and outer IP headers.
- Transport mode: the IP payload (i.e., the TCP or UDP data part) is encrypted or authenticated directly, without protecting the IP message header. When this encapsulation mode is adopted, the AH or ESP header is inserted between the IP header and the upper-level protocol header (such as TCP or UDP).

II. IPSec processing on messages

IPSec processes messages as follows (with the AH protocol as an example):

1) Add the authentication header to messages: read out the IP messages sent by the module from the IPSec queue, add the AH header according to the configured protocol mode (transport or tunnel mode), then forward them via the IP layer.

2) Remove the authentication header after messages are authenticated: an IP message received at the IP layer, addressed to the local host with protocol number 51, is looked up in the protocol switch table and passed to the corresponding input processing function. This function authenticates the message and compares the result with the original authentication value. If the values are the same, the added AH is removed, the original IP message is restored, and the IP input flow is invoked again for processing. Otherwise, the message is discarded.
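The two AH steps above, modelled as an added example (this is not code from the VRP manual): the sender inserts an AH header whose ICV is an HMAC truncated to 96 bits, as in the md5-hmac-96 and sha1-hmac-96 algorithms of this chapter; the receiver looks up the SA by the (SPI, destination address, protocol) triple, verifies the ICV, rejects replayed sequence numbers and strips the header. Assumptions: the IP header is a constructed stand-in (a real implementation covers the IPv4 header with mutable fields zeroed), the packet and SA structures are plain dicts, and the SPI, key and addresses are constructed values.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51                      # IP protocol number of AH
ICV_LEN = 12                          # "-96" = HMAC output truncated to 96 bits
DIGESTS = {"md5-hmac-96": hashlib.md5, "sha1-hmac-96": hashlib.sha1}
# AH fixed part: next header, payload length (32-bit words - 2), reserved, SPI, sequence number
AH_FIXED = struct.Struct("!BBHII")


def compute_icv(algorithm, key, data):
    """HMAC over the covered bytes, truncated to 96 bits."""
    return hmac.new(key, data, DIGESTS[algorithm]).digest()[:ICV_LEN]


def header_bytes(pkt):
    """Constructed stand-in for the immutable part of the IP header."""
    return f"{pkt['src']}>{pkt['dst']}".encode()


def add_ah(pkt, sa):
    """Step 1: add the AH header to an outbound IP message (transport mode layout)."""
    sa["seq"] += 1                                        # monotonically increasing sequence number
    fixed = AH_FIXED.pack(pkt["proto"], (AH_FIXED.size + ICV_LEN) // 4 - 2, 0, sa["spi"], sa["seq"])
    covered = header_bytes(pkt) + fixed + bytes(ICV_LEN) + pkt["data"]   # ICV field zeroed
    icv = compute_icv(sa["algorithm"], sa["key"], covered)
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": AH_PROTOCOL, "data": fixed + icv + pkt["data"]}


def strip_ah(pkt, sa_table):
    """Step 2: authenticate the message and remove AH, or discard it.
    Returns (restored packet, "ok") or (None, drop reason)."""
    if pkt["proto"] != AH_PROTOCOL:
        return None, "not AH"
    next_header, _, _, spi, seq = AH_FIXED.unpack_from(pkt["data"])
    sa = sa_table.get((spi, pkt["dst"], "ah"))           # SA identified by the triple
    if sa is None:
        return None, "can't find SA"
    icv = pkt["data"][AH_FIXED.size:AH_FIXED.size + ICV_LEN]
    payload = pkt["data"][AH_FIXED.size + ICV_LEN:]
    covered = header_bytes(pkt) + pkt["data"][:AH_FIXED.size] + bytes(ICV_LEN) + payload
    if not hmac.compare_digest(icv, compute_icv(sa["algorithm"], sa["key"], covered)):
        return None, "authen failed"
    if seq <= sa["max_received"]:                         # anti-replay check
        return None, "replay packet"
    sa["max_received"] = seq
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": next_header, "data": payload}, "ok"


def demo():
    """Protect one packet, then feed it to the receiver twice and once tampered."""
    key = bytes(range(16))                                # constructed 128-bit key for md5-hmac-96
    outbound_sa = {"spi": 0x190, "algorithm": "md5-hmac-96", "key": key, "seq": 0}
    inbound_sa = {"spi": 0x190, "algorithm": "md5-hmac-96", "key": key, "max_received": 0}
    sa_table = {(0x190, "10.1.1.2", "ah"): inbound_sa}    # receiver's SA table
    pkt = {"src": "10.1.1.1", "dst": "10.1.1.2", "proto": 6, "data": b"hello"}
    protected = add_ah(pkt, outbound_sa)
    restored, r1 = strip_ah(protected, sa_table)
    _, r2 = strip_ah(protected, sa_table)                 # same packet again
    tampered = dict(protected, data=protected["data"][:-1] + b"!")
    _, r3 = strip_ah(tampered, sa_table)
    return restored == pkt, r1, r2, r3
```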

III. IPSec related terms

• Data stream: a combination of a group of traffic, which is prescribed by source address/mask, destination address/mask, the upper-level protocol number encapsulated in the IP message, source port number, destination port number, etc. Generally, a data stream is defined by an access list, and all messages permitted by the access list are logically called a data stream. A data stream can be a single TCP connection between two hosts, or all the traffic between two subnets. IPSec can implement different security protections for different data streams, for example, it can use different security protocols, algorithms and keys for different data streams.

• Security policy: configured manually by the user to define what security measure to take for what data stream. The data stream is defined by configuring multiple rules in an access list, and the security policy quotes this access list to determine which data flow to protect. A security policy is defined uniquely by “Name” and “Sequence number” together.

• Security policy group: the set of security policies with the same name. A security policy group can be applied to or cancelled on an interface; applying it applies the multiple security policies of the group to this interface, so as to implement different security protection for different data streams. The security policy with the smaller sequence number in the same security policy group has the higher priority.

• SA (Security Association): IPSec provides security services for data streams through security associations, which include the protocol, algorithm, key and other contents and specify how to process IP messages. An SA is a unidirectional logical connection between two IPSec systems. Inbound data streams and outbound data streams are processed separately by the inbound SA and the outbound SA. An SA is identified uniquely by a triple (SPI, IP destination address and security protocol number (AH or ESP)). An SA can be established through manual configuration or automatic negotiation. In manual mode, the user sets some parameters at both ends manually, and these parameters must match; in automatic negotiation mode, the SA is created and maintained by IKE, i.e., both communication parties match and negotiate based on their own security policies without user intervention.

• SA update time: there are two SA update time modes: “Time restricted” (i.e., the SA is updated at regular intervals) and “Restrict by Traffic” (the SA is updated whenever a certain number of bytes have been transmitted).

• SPI (Security Parameter Index): a 32-bit value, which is carried by each IPSec message. The triple of SPI, IP destination address and security protocol number identifies a specific SA uniquely. When an SA is configured manually, the SPI must also be set manually; to ensure a unique SA, a different SPI must be used for each SA. When an SA is generated by IKE negotiation, the SPI is generated at random.

• Transform mode: it includes the security protocol, the algorithm used by the security protocol, and the mode in which the security protocol encapsulates messages, and prescribes how ordinary IP messages are transformed into IPSec messages. A security policy quotes a transform mode to prescribe the protocol and algorithm adopted by the policy.

4.2 Configuring IPSec

4.2.1 IPSec Configuration Task List

The IPSec configuration task list is as follows:

• Create encryption access control list
• Define transform mode
• Select encryption algorithm and authentication algorithm
• Create security policy
• Apply security policy group to interface

4.2.2 Creating Encryption Access Control List

I. Functions of encryption access control list

An encryption access list specifies which IP packets will be encrypted and which will not (these access control lists are different from the ordinary ones, because the ordinary ones only determine which data can pass an interface and which are stopped). An encryption access list is defined by an extended IP access list.

For one kind of communication to receive one security protection mode (only authentication, for instance) and another kind to receive a different one (both authentication and encryption, for instance), it is necessary to create two different encryption access control lists and apply them to different security policies.

An encryption access control list can be used to judge both inbound and outbound communication.

II. Create encryption access control list

Perform the following tasks in global configuration mode.


Table SC-4-1 Create encryption access control list

Operation: Create encryption access control list
Command: access-list [normal | special] access-list-number {deny | permit} protocol {any | source-addr source-wildcard-mask} {any | destination-addr destination-wildcard-mask}

Operation: Delete encryption access control list
Command: no access-list {normal | special} {all | access-list-number [subitem]}

The information transmitted between the source and destination addresses specified by the keyword permit is encrypted/decrypted by the peer router.

The keyword deny stops the communication information from being encrypted/decrypted by the peer router (that is to say, the policy defined in this security policy is not applied to it). If all the security policies on an interface deny a communication, it will not be protected by encryption.

When an encryption access list is created, the keyword any is not recommended for specifying the source and destination addresses. This is because when a data packet enters the router and is sent to a router not configured with encryption, the keyword any will cause the router to try to establish an encryption session with a router without encryption.

The encryption access list defined at the local router must have a mirror encryption access list defined by the remote router so that the communication contents encrypted locally can be decrypted remotely.

When the user uses the show ip access-list command to browse the access lists of the router, all extended IP access lists, including those for communication filtering and those for encryption, will be displayed in the command output. That is to say, these two kinds of extended access lists for different purposes are not distinguished in the screen output.

4.2.3 Defining Transform Mode

A transform is a specific combination of security protocol and algorithm. When IPSec is in SA negotiation, both peer ends use the same transform mode to protect a specific data stream.

I. Defining Transform Mode

Multiple transform modes can be defined, and then one or many of them can be quoted in one security policy. For an SA created manually, there is no negotiation process between the two ends, so both parties must specify the same transform mode.

If the definition of a transform mode is modified, this modification only applies to the security policies that quote this transform mode. The modified transform mode is not applied to the current SA at once, but to the SAs newly created later. To make the new setting effective at once, it is necessary to use the command clear crypto sa to clear part or all of the SA database.

Perform the following tasks in global configuration mode.


Table SC-4-2 Define transform mode

Operation: Define transform mode and enter security transform configuration mode
Command: crypto ipsec transform transform-name

Operation: Delete transform mode
Command: no crypto ipsec transform transform-name

II. Setting the Mode for Security Protocol to Encapsulate IP Message

The IP message encapsulating mode selected by both ends of the security tunnel must be consistent.

Perform the following tasks in security transform configuration mode.

Table SC-4-3 Set the mode for security protocol to encapsulate messages

Operation: Set the mode for security protocol to encapsulate messages
Command: mode {transport | tunnel}

Operation: Restore the default message encapsulating mode
Command: no mode

The default mode is tunnel-encapsulating mode.

III. Selecting Security Protocol

After the transform mode is defined, it is necessary to select the security protocol for it. The security protocols available at present include AH and ESP, and both can also be used at the same time. Both ends of the security tunnel must select the same security protocols.

Perform the following tasks in security transform configuration mode.

Table SC-4-4 Select security protocol

Operation: Set security protocol used for transform mode
Command: transform {ah-new | esp-new | ah-esp-new}

Operation: Restore the default security protocol
Command: no transform

The authentication and encryption protocol esp-new prescribed in RFC2406 is used by default, and up to 50 transform modes can be configured.

4.2.4 Selecting Encryption and Authentication Algorithm

The AH protocol can authenticate but not encrypt messages. ESP supports five encryption algorithms: 3des, des, blowfish, cast and skipjack.

The current authentication algorithms include MD5 (message digest version 5) and SHA (secure hashing algorithm), both used as HMAC variants. HMAC is a keyed hashing algorithm, which can authenticate data. The md5 algorithm uses a 128-bit key and the sha1 algorithm uses a 160-bit key; the former computes faster than the latter, while the latter is more secure than the former.

Both ends of security tunnel must select the same encryption algorithm and

authentication algorithm.


Perform the following tasks in security transform configuration mode.

Table SC-4-5 Select encryption algorithm and authentication algorithm

Operation: Set the encryption algorithm adopted by ESP protocol
Command: esp-new encryption {3des | des | blowfish | cast | skipjack}

Operation: Restore the encryption algorithm adopted by ESP protocol
Command: no esp-new encryption

Operation: Set the authentication algorithm adopted by ESP protocol
Command: esp-new hash {md5-hmac-96 | sha1-hmac-96}

Operation: Restore the authentication algorithm adopted by ESP protocol
Command: no esp-new hash

Operation: Set the authentication algorithm adopted by AH protocol
Command: ah-new hash {md5-hmac-96 | sha1-hmac-96}

Operation: Restore the authentication algorithm adopted by AH protocol
Command: no ah-new hash

By default, the ESP protocol adopts the des encryption algorithm and the md5-hmac-96 authentication algorithm, and the AH protocol adopts the md5-hmac-96 authentication algorithm.

4.2.5 Creating Security Policy

The following should be clear before a security policy is created:

• What communications should be protected by IPSec
• How long the data stream should be protected by an SA
• What security policies should be applied to these communications
• Whether the security policy is created manually or through IKE negotiation

The following aspects require attention when a security policy is created:

• To create a security policy, it is necessary to specify its negotiation mode, but to modify one, it is unnecessary. Once a security policy is created, its negotiation mode cannot be modified; to change it, the current policy must be deleted and a new one created. For example, a security policy of manual mode cannot be modified into one of isakmp mode; only after the current security policy of manual mode is deleted can one of isakmp mode be created.

• The security policies with the same name together comprise a security policy group. A security policy is defined uniquely by the name and the sequence number together, and a security policy group can include at most 100 security policies. The security policy with the smaller sequence number in the same security policy group has the higher priority. When a security policy group is applied on an interface, the multiple different security policies in this group are actually applied on it at the same time, so that different data streams are protected by different SAs.

I. Create security policy manually

1) Create security policy manually

Perform the following tasks in global configuration mode.


Table SC-4-6 Create security policy manually

Operation: Create security policy manually and enter security policy configuration mode
Command: crypto map map-name seq-num manual

Operation: Modify the created security policy manually
Command: crypto map map-name seq-num

Operation: Delete the created security policy
Command: no crypto map map-name [seq-num]

By default, no security policy is created.

2) Configure access control list quoted in security policy

After a security policy is created, it is also necessary to specify the quoted encryption access control list for it, so as to judge which inbound/outbound communications should be encrypted and which should not.

Perform the following tasks in security policy configuration mode.

Table SC-4-7 Configure encryption access control list quoted in security policy

Operation: Configure encryption access control list quoted in security policy
Command: match address access-list-number

Operation: Cancel encryption access control list quoted in security policy
Command: no match address access-list-number

By default, no encryption access control list is quoted in the security policy.

3) Set start point and end point of security tunnel

The channel with a security policy applied is usually called a “security tunnel”. The security tunnel is established between the local gateway and the peer gateway, so the local address and the peer address must be set correctly to successfully establish a security tunnel.

For a security policy created manually, only one peer address can be specified. To set a new peer address, the previously specified one must be deleted first. Only when both the local address and the peer address are set correctly can a security tunnel be created.

Perform the following tasks in security policy configuration mode.

Table SC-4-8 Set start point and end point of security tunnel

Operation: Set local address of security tunnel
Command: set local-address ip-address

Operation: Delete local address of security tunnel
Command: no set local-address ip-address

Operation: Set peer address of security tunnel
Command: set peer ip-address

Operation: Delete peer address of security tunnel
Command: no set peer ip-address

By default, the start point and the end point of the security tunnel are not specified.

4) Set transform mode quoted in security policy

When an SA is created manually, a security policy can quote only one transform mode, and to set a new transform mode, the previously configured one must be deleted first. If the local transform mode does not match the peer one completely, the SA cannot be established, and the messages that require protection will be discarded.

A security policy determines its protocol, algorithm and encapsulation mode by quoting the transform mode. A transform mode must be established before it is quoted.


Perform the following tasks in security policy configuration mode.

Table SC-4-9 Set transform mode quoted in security policy

Operation: Set transform mode quoted in security policy
Command: set transform transform-name

Operation: Cancel transform mode quoted in security policy
Command: no set transform

By default, the security policy quotes no transform mode.

5) Set SPI of security policy association and its adopted key

In a security policy association established manually, if the AH protocol is included in the quoted transform mode, it is necessary to set manually the SPI of the AH SA and the quoted authentication key for the inbound/outbound communications. If the ESP protocol is included in the quoted transform mode, it is necessary to set manually the SPI of the ESP SA and the quoted authentication key and ciphering key for the inbound/outbound communications.

At both ends of a security tunnel, the SPI and the key of the local inbound SA must be the same as those of the peer outbound SA, and the SPI and the key of the local outbound SA must be the same as those of the peer inbound SA.

Perform the following tasks in security policy configuration mode.

(A) Set SPI parameters of security policy association

Table SC-4-10 Set SPI parameters of security policy association

Operation: Set SPI parameters of inbound SA of AH/ESP protocol
Command: set session-key inbound {ah | esp} spi spi-number

Operation: Delete SPI parameters of inbound SA of AH/ESP protocol
Command: no set session-key inbound {ah | esp} spi

Operation: Set SPI parameters of outbound SA of AH/ESP protocol
Command: set session-key outbound {ah | esp} spi spi-number

Operation: Delete SPI parameters of outbound SA of AH/ESP protocol
Command: no set session-key outbound {ah | esp} spi

By default, no SPI value of inbound/outbound SA is set.

(B) Set key used by security policy association


Table SC-4-11 Set key used by security policy association

Operation: Set authentication key of AH protocol (input in hexadecimal mode)
Command: set session-key {inbound | outbound} ah hex-key-string hex-key

Operation: Delete authentication key of AH protocol (in hexadecimal mode)
Command: no set session-key {inbound | outbound} ah hex-key-string

Operation: Set authentication key of AH protocol (input in string mode)
Command: set session-key {inbound | outbound} ah string-key string-key

Operation: Delete authentication key of AH protocol (in string mode)
Command: no set session-key {inbound | outbound} ah string-key

Operation: Set authentication key of ESP protocol (input in hexadecimal mode)
Command: set session-key {inbound | outbound} esp authen-hex hex-key

Operation: Delete authentication key of ESP protocol
Command: no set session-key {inbound | outbound} esp authen-hex

Operation: Set ciphering key of ESP protocol (input in hexadecimal mode)
Command: set session-key {inbound | outbound} esp cipher-hex hex-key

Operation: Delete ciphering key of ESP protocol
Command: no set session-key {inbound | outbound} esp cipher-hex

Operation: Set both ciphering and authentication keys of ESP protocol (input in string mode)
Command: set session-key {inbound | outbound} esp string-key string-key

Operation: Delete the ciphering and authentication keys of ESP protocol
Command: no set session-key {inbound | outbound} esp string-key

By default, no key is used by any security policy.

Keys input in string mode have the higher priority, that is to say, if keys are input in both modes, those input in string mode will be preferred. At both ends of the security tunnel, the keys should be input in the same mode. If the key is input at one end in string mode, but at the other end in hexadecimal mode, the security tunnel cannot be created correctly. To set a new key, the previous key must be deleted first.
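A configuration-review check for the manual-mode rules of step 5, as an added example (not code from the VRP manual): each end is modelled as a dict of the values it gives to set session-key, and the check verifies that the local inbound SPI and key equal the peer outbound ones and vice versa, that both ends use the same key input mode, and that a string-mode key is preferred when both modes are configured. The SPIs and keys are constructed values.

```python
# Hexadecimal-mode key fields per protocol, named after the set session-key keywords.
HEX_FIELDS = {"ah": ("hex-key-string",), "esp": ("authen-hex", "cipher-hex")}


def effective_key(keys, protocol):
    """Key an end actually uses: string-key wins when both input modes are configured.
    Returns ("string", key), ("hex", (hex keys...)) or None when no complete key is set."""
    if "string-key" in keys:
        return "string", keys["string-key"]
    hex_values = tuple(keys.get(field) for field in HEX_FIELDS[protocol])
    if all(hex_values):
        return "hex", hex_values
    return None


def check_manual_sa(local, peer, protocol):
    """Return a list of mismatches between two ends' manual SAs (empty list = consistent).
    Each end is {"inbound": {proto: {...}}, "outbound": {proto: {...}}}."""
    problems = []
    for local_dir, peer_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        l = local[local_dir].get(protocol, {})
        p = peer[peer_dir].get(protocol, {})
        if l.get("spi") is None or l.get("spi") != p.get("spi"):
            problems.append(f"{protocol} local {local_dir} SPI {l.get('spi')} "
                            f"vs peer {peer_dir} SPI {p.get('spi')}")
        lk, pk = effective_key(l, protocol), effective_key(p, protocol)
        if lk is None or pk is None:
            problems.append(f"{protocol} {local_dir}: key not set on one end")
        elif lk[0] != pk[0]:
            problems.append(f"{protocol} {local_dir}: key input mode differs ({lk[0]} vs {pk[0]})")
        elif lk[1] != pk[1]:
            problems.append(f"{protocol} {local_dir}: key value differs")
    return problems


# Constructed configurations: LOCAL mirrors PEER correctly; PEER_HEX enters its
# outbound key in hexadecimal mode while LOCAL entered the inbound key as a string.
LOCAL = {"inbound": {"ah": {"spi": 12345, "string-key": "abcdefg"}},
         "outbound": {"ah": {"spi": 54321, "string-key": "gfedcba"}}}
PEER = {"inbound": {"ah": {"spi": 54321, "string-key": "gfedcba", "hex-key-string": "0011"}},
        "outbound": {"ah": {"spi": 12345, "string-key": "abcdefg"}}}
PEER_HEX = {"inbound": {"ah": {"spi": 54321, "string-key": "gfedcba"}},
            "outbound": {"ah": {"spi": 12345, "hex-key-string": "61626364656667"}}}


def demo():
    return check_manual_sa(LOCAL, PEER, "ah"), check_manual_sa(LOCAL, PEER_HEX, "ah")
```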

II. Create security policy association with IKE

1) Create security policy association with IKE

Perform the following tasks in global configuration mode.

Table SC-4-12 Create security policy association with IKE negotiation mode

Operation: Create security policy association with IKE and enter security policy configuration mode
Command: crypto map map-name seq-num isakmp

Operation: Delete the created security policy
Command: no crypto map map-name [seq-num]

By default, no security policy is created.

2) Set access control list quoted by security policy

After a security policy is created, it is also necessary to specify the quoted encryption access control list for it, so as to judge which inbound/outbound communications should be encrypted and which should not.

Perform the following tasks in security policy configuration mode.


Table SC-4-13 Configure encryption access control list quoted in security policy

Operation: Configure encryption access control list quoted in security policy
Command: match address access-list-number

Operation: Cancel encryption access control list quoted in security policy
Command: no match address access-list-number

By default, no encryption access control list is quoted in the security policy.

3) Set end point of security tunnel

For a security policy created with IKE negotiation mode, it is unnecessary to set the local address, because IKE can obtain the local address from the interface that this security policy is applied to.

Perform the following tasks in security policy configuration mode.

Table SC-4-14 Set end point of security tunnel

Operation: Set peer address of security tunnel
Command: set peer ip-address

Operation: Delete peer address of security tunnel
Command: no set peer ip-address

By default, the end point of the security tunnel is not specified.

4) Set transform mode quoted in security policy

Perform the following tasks in security policy configuration mode.

Table SC-4-15 Set transform mode quoted in security policy

Operation: Set transform mode quoted in security policy
Command: set transform transform-name1 [transform-name2 ... transform-name6]

Operation: Cancel transform mode quoted in security policy
Command: no set transform

By default, the security policy quotes no transform mode.

When an SA is created through IKE negotiation, a security policy can quote at most 6 transform modes, and IKE negotiation searches for a completely matching transform mode at both ends of the security tunnel. If IKE cannot find a completely matching transform mode, the SA cannot be established, and the messages that require protection will be discarded.

A security policy determines its protocol, algorithm and encapsulation mode by quoting the transform mode. A transform mode must be established before it is quoted.

5) Set SA lifetime (optional)

(A) SA lifetime

There are two types of SA lifetime (or lifecycle) available at present: “Time-based” and “Traffic-based”. The SA becomes invalid on the first expiration of either type of lifetime. Before the SA becomes invalid, IKE negotiates a new SA for IPSec, so a new SA is ready when the previous one becomes invalid. If the global lifetime is modified during the valid period of the current SA, the new value is applied not to the present SA but to later SA negotiations.

SA lifetime is only effective for SAs established with IKE; an SA established manually does not involve the concept of lifetime.


(B) Operating mode of SA lifetime

If a security policy is not configured with a lifetime value, when the router applies for a new SA, it specifies the global lifetime value in the application sent to the peer end and uses this value as the lifetime of the new SA. When the local end receives a negotiation application from the peer end, it selects the smaller of the lifetime value recommended by the peer end and the locally configured one as the new SA lifetime value.

The SA (and its related key) times out on the first expiration of the lifetime in seconds (specified by the keyword seconds) or in kilobytes of communication traffic (specified by the keyword kilobytes).

To ensure that the new SA is ready for use when the previous SA expires, the new SA must be negotiated before the previous one times out. A new SA is negotiated when 30 seconds are left before the seconds lifetime expires, or when only 256 kilobytes are left before the kilobytes lifetime expires in this tunnel (whichever comes first).

(C) Configure global SA lifetime

There are two types of global SA lifetime (or lifecycle) available at present: “Time-based” and “Traffic-based”. The SA becomes invalid on the first expiration of either type of lifetime.

Perform the following tasks in global configuration mode.

Table SC-4-16 Configure global SA lifetime

Operation: Set global SA “Time-based” lifetime
Command: crypto ipsec sa lifetime seconds seconds

Operation: Restore the default value of the global SA “Time-based” lifetime
Command: no crypto ipsec sa lifetime seconds

Operation: Set global SA “Traffic-based” lifetime
Command: crypto ipsec sa lifetime kilobytes kilobytes

Operation: Restore the default value of the global SA “Traffic-based” lifetime
Command: no crypto ipsec sa lifetime kilobytes

By default, the “Time-based” lifetime is 3600 seconds (one hour), and the “Traffic-based” lifetime is 1843200 kilobytes.

(D) Configure separate SA lifetime (optional)

To use a lifetime different from the global lifetime, the SA should be configured with a separate SA lifetime. Perform the following tasks in global configuration mode.

Table SC-4-17 Configure separate SA lifetime

Operation: Set separate SA lifetime
Command: set sa lifetime {seconds seconds | kilobytes kilobytes}

Operation: Restore the default value of separate SA lifetime
Command: no set sa lifetime {seconds | kilobytes}

By default, the global SA lifetime is used.
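The lifetime rules of (B) to (D) as code, an added example that is not part of the VRP manual: a policy's separate lifetime overrides the global one type by type, the negotiated lifetime is the smaller of the local and peer-proposed values per type, and a rekey is due when either remaining budget is within the 30-second / 256-kilobyte margin. The defaults are the page's 3600 seconds and 1843200 kilobytes; the policy values and the parser of the "remaining key lifetime" field from show crypto ipsec sa all are constructed for the example.

```python
GLOBAL_LIFETIME = {"seconds": 3600, "kilobytes": 1843200}   # defaults stated in Table SC-4-16
REKEY_MARGIN = {"seconds": 30, "kilobytes": 256}            # thresholds stated in (B)


def proposed_lifetime(policy, global_lifetime=GLOBAL_LIFETIME):
    """Value the router proposes: the policy's 'set sa lifetime' per type, else the global one."""
    separate = policy.get("sa_lifetime", {})
    return {kind: separate.get(kind, value) for kind, value in global_lifetime.items()}


def negotiated_lifetime(local, peer_proposed):
    """On receiving the peer's application, the smaller value of each type is used."""
    return {kind: min(local[kind], peer_proposed[kind]) for kind in local}


def rekey_due(remaining_kilobytes, remaining_seconds):
    """True when either remaining budget is inside the rekey margin (whichever comes first)."""
    return (remaining_seconds <= REKEY_MARGIN["seconds"]
            or remaining_kilobytes <= REKEY_MARGIN["kilobytes"])


def remaining_from_show(line):
    """Parse 'sa timing: remaining key lifetime (kilobytes/seconds): 432018/90'
    from show crypto ipsec sa all into (kilobytes, seconds)."""
    kilobytes, seconds = line.split(":")[-1].strip().split("/")
    return int(kilobytes), int(seconds)


def demo():
    # Constructed policy: only the time-based lifetime is set separately.
    policy = {"name": "map1", "seq": 10, "sa_lifetime": {"seconds": 1800}}
    local = proposed_lifetime(policy)                        # seconds 1800, kilobytes 1843200
    agreed = negotiated_lifetime(local, {"seconds": 3600, "kilobytes": 1000000})
    kb, secs = remaining_from_show(
        "sa timing: remaining key lifetime (kilobytes/seconds): 432018/90")
    return agreed, rekey_due(kb, secs), rekey_due(256, agreed["seconds"])
```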

4.2.6 Applying Security Policy Group on Interface

To put the defined SAs into effect, it is necessary to apply a security policy group to each interface (logical or physical) that will encrypt outgoing data and decrypt incoming data; this interface provides the encryption connection to the peer encrypting router.


When the security policy group is deleted from the interface, this interface no longer has the IPSec security protection function.

When messages are transmitted via an interface, the security policies in the security policy group are searched one by one from the smaller sequence number to the greater one. If a message matches the access list quoted by a security policy, this security policy is used to process the message. If the message does not match the access list quoted by a security policy, the search goes on to the next security policy. If the message matches no access list quoted by any security policy, the message is transmitted directly (IPSec does not protect the message).

One interface can be applied with only one security policy group, and one security policy group can be applied to only one interface.
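A model of the outbound lookup described in 4.2.2 and 4.2.6, as an added example that is not code from the VRP manual: policies of a group are tried in ascending sequence number, a packet permitted by a policy's encryption access list is protected by that policy, a deny or no match moves on to the next policy, and a packet permitted by no policy is forwarded in the clear. The wildcard-mask matching follows the access-list syntax of Table SC-4-1; the ACL numbers, addresses and policy names are constructed.

```python
import ipaddress


def wildcard_match(addr, rule_addr, wildcard):
    """access-list wildcard semantics: a 1 bit in the wildcard mask is a don't-care bit."""
    if rule_addr == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ r) & (~w & 0xFFFFFFFF) == 0


def acl_action(acl, pkt):
    """First rule matching protocol, source and destination decides.
    A packet matching no rule is not permitted, so this policy does not protect it."""
    for action, proto, src, src_wild, dst, dst_wild in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if wildcard_match(pkt["src"], src, src_wild) and wildcard_match(pkt["dst"], dst, dst_wild):
            return action
    return "deny"


def select_policy(group, acls, pkt):
    """Search the group from the smallest sequence number and return (map-name, seq-num)
    of the first policy whose encryption ACL permits the packet, or None for clear text."""
    for policy in sorted(group, key=lambda p: p["seq"]):
        if acl_action(acls[policy["match_address"]], pkt) == "permit":
            return policy["name"], policy["seq"]
    return None


# Constructed example: ACL 101 covers 10.1.1.0/24 <-> 10.1.2.0/24, ACL 102 covers all
# other TCP traffic except what host 10.1.1.5 sends. Rules are
# (action, protocol, source, source-wildcard, destination, destination-wildcard).
ACLS = {
    101: [("permit", "ip", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")],
    102: [("deny", "tcp", "10.1.1.5", "0.0.0.0", "any", None),
          ("permit", "tcp", "any", None, "any", None)],
}
# Group "map1": seq 10 (manual) quotes ACL 101, seq 20 (isakmp) quotes ACL 102.
POLICY_GROUP = [
    {"name": "map1", "seq": 20, "mode": "isakmp", "match_address": 102},
    {"name": "map1", "seq": 10, "mode": "manual", "match_address": 101},
]


def demo():
    packets = [
        {"src": "10.1.1.7", "dst": "10.1.2.9", "proto": "tcp"},   # protected by seq 10
        {"src": "10.1.1.5", "dst": "10.9.9.9", "proto": "tcp"},   # denied by ACL 102 -> clear
        {"src": "10.1.1.8", "dst": "10.9.9.9", "proto": "tcp"},   # protected by seq 20
        {"src": "10.1.1.8", "dst": "10.9.9.9", "proto": "udp"},   # no rule -> clear
    ]
    return [select_policy(POLICY_GROUP, ACLS, p) for p in packets]
```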

Perform the following tasks in the interface configuration mode.

Table SC-4-18 Apply security policy group on interface

Operation: Apply security policy group on interface
Command: crypto map map-name

Operation: Delete the security policy group applied on interface
Command: no crypto map

By default, no security policy group is applied to the interface.

4.3 Maintenance and Monitoring of IPSec

Please perform the maintenance and monitoring with the following commands in privileged user mode.

Table SC-4-19 Maintenance and monitoring of IPSec

Operation: Show all created SAs
Command: show crypto ipsec sa all

Operation: Show all SA information briefly
Command: show crypto ipsec sa brief

Operation: Show the specific SA information
Command: show crypto ipsec sa entry peer-address {ah | esp} spi-number

Operation: Show global SA lifetime
Command: show crypto ipsec sa lifetime

Operation: Show SAs established with specific peer ends
Command: show crypto ipsec sa peer peer-address

Operation: Show SA information of the specified security policy base
Command: show crypto ipsec sa map map-name [map-number]

Operation: Show statistic information related to security messages
Command: show crypto ipsec statistics

Operation: Show configured transform mode
Command: show crypto ipsec transform [transform-name]

Operation: Show all security policy base information
Command: show crypto map all

Operation: Show brief security policy base information
Command: show crypto map brief

Operation: Show security policy base information by name
Command: show crypto map name map-name [map-number]

Operation: Clear all SAs
Command: clear crypto sa all

Operation: Clear specific SA information
Command: clear crypto sa entry peer-address {ah | esp} [spi-number]

Operation: Clear SAs of the specified security policy base
Command: clear crypto sa map map-name [map-number]

Operation: Clear SAs established with specified peer ends
Command: clear crypto sa peer peer-address

Operation: Clear statistic information related to security messages
Command: clear crypto statistics

Operation: Debug information related to IPSec
Command: debug ipsec {sa | packet | misc}

1) Show all created SA


Quidway#show crypto ipsec sa all
Interface: Ethernet 0
  crypto map name: map1
  crypto map sequence: 100
  negotiation mode: isakmp
  in use settings = {tunnel}
  local address: 10.1.1.1
  peer address: 10.1.1.2
  inbound esp SAs:
    spi: 400 (0x190)
    transform: ESP-HARDWARE ESP-AUTH-MD5
    key id: 1
    sa timing: remaining key lifetime (kilobytes/seconds): 432018/90
    max received sequence-number: 358
  outbound esp SAs:
    spi: 300 (0x12c)
    transform: ESP-HARDWARE ESP-AUTH-MD5
    key id: 2
    sa timing: remaining key lifetime (kilobytes/seconds): 430257/90
    max sent sequence-number: 2341

The information above shows the interface to which the SA is applied, the name of the security policy and its sequence number, the negotiation mode, the message encapsulation mode, the local address and remote address of the security tunnel, and information related to the inbound and outbound ESP SAs, such as SPI, transform mode, key, SA lifetime and the maximum received or sent sequence number, etc.

2) Show all SA information briefly

Quidway#show crypto ipsec sa brief

Src Address   Dst Address   SPI   Protocol   Algorithm
10.1.1.1      10.1.1.2      300   NEW_ESP    E:Hardware; A:HMAC-MD5-96
10.1.1.2      10.1.1.1      400   NEW_ESP    E:Hardware; A:HMAC-MD5-96

The information above shows the source and destination addresses of each SA, its SPI, security protocol, encryption algorithm and authentication algorithm.

3) Show global SA lifetime

Quidway#show crypto ipsec sa lifetime

  crypto ipsec sa lifetime: 1843200 kilobytes
  crypto ipsec sa lifetime: 3600 seconds

The information above shows the values related to the global SA lifetime: the traffic limit is 1843200 kilobytes and the time limit is 3600 seconds (1 hour).

4) Show statistic information related to security message

Quidway#show crypto ipsec statistics

the security packet statistics:
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 0/0
  dropped security packet detail:
    no enough memory: 0
    can't find SA: 0
    queue is full: 0
    authen failed: 0
    invalid length: 0
    replay packet: 0
    too long packet: 0
    invalid SA: 0

The information above shows the statistics of input/output security packets (the total number of packets, the total number of bytes and the number of dropped packets). It also shows the statistics of dropped packets by cause: not enough memory, no SA found, full queue, failed authentication, invalid length, replay packet, too long packet and invalid SA.
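The following parser, added here as an example and not part of the manual, reads the show crypto ipsec statistics output above into counters and flags the drop reasons that indicate a keying or integrity problem rather than load. The sample output is constructed from the manual's display with a few counters raised; the counter names are the ones shown on the page.

```python
"""Parser for the output of show crypto ipsec statistics.

Added example, not part of the VRP manual: it turns the counters shown above
into a dictionary and flags the drop reasons that point at tampering or a
keying mismatch rather than load (authentication failures, replayed packets,
packets for which no SA or an invalid SA exists). The sample text is
constructed from the manual's output with a few counters raised.
"""
import re
from typing import Dict

# "name: value" or "name: in/out"; headings and the command echo do not match.
COUNTER = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\d+(?:/\d+)?)\s*$")

# Drop reasons worth an alert: each means a packet arrived that the receiving
# SA could not accept, not merely a resource shortage on the router.
SUSPICIOUS = ("authen failed", "replay packet", "can't find SA", "invalid SA")

# Constructed sample: the manual's display with authen/replay counters raised.
SAMPLE = """\
Quidway#show crypto ipsec statistics
the security packet statistics:
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 7/0
  dropped security packet detail:
    no enough memory: 0
    can't find SA: 0
    queue is full: 0
    authen failed: 5
    invalid length: 0
    replay packet: 2
    too long packet:0
    invalid SA: 0
"""


def parse_statistics(text: str) -> Dict[str, object]:
    """Map each counter name to an int, or to an (input, output) pair."""
    stats: Dict[str, object] = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if not m:
            continue  # command echo and section headings carry no counter
        name, value = m.group("name"), m.group("value")
        if "/" in value:
            inbound, outbound = value.split("/")
            stats[name] = (int(inbound), int(outbound))
        else:
            stats[name] = int(value)
    return stats


def suspicious_drops(stats: Dict[str, object]) -> Dict[str, int]:
    """Non-zero counters among the suspicious drop reasons."""
    return {name: int(stats[name]) for name in SUSPICIOUS if int(stats.get(name, 0)) > 0}


def suspicious_growth(previous: Dict[str, object], current: Dict[str, object]) -> Dict[str, int]:
    """Counters are cumulative: report suspicious reasons that grew between two snapshots."""
    growth: Dict[str, int] = {}
    for name in SUSPICIOUS:
        delta = int(current.get(name, 0)) - int(previous.get(name, 0))
        if delta > 0:
            growth[name] = delta
    return growth


if __name__ == "__main__":
    snapshot = parse_statistics(SAMPLE)
    print(snapshot["input/output dropped security packets"], suspicious_drops(snapshot))
```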

4.4 Typical IPSec Configuration

4.4.1 Creating SA Manually

I. Configuration requirements

Establish a security tunnel between Router-A and Router-B to protect the data streams between the subnet represented by PC-A (10.1.1.x) and the subnet represented by PC-B (10.1.2.x). The security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is sha1-hmac-96.

II. Networking diagram

[Diagram: PC A (10.1.1.2) -- 10.1.1.1 Router A s0: 202.38.163.1 -- Internet -- s0: 202.38.162.1 Router B 10.1.2.1 -- PC B (10.1.2.2)]

Figure SC-4-1  Networking diagram of manually creating SA

III. Configuration procedure

Configuration of Router A:

! Configure an access list and define the data stream from Subnet 10.1.1.x to Subnet 10.1.2.x

Quidway(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Quidway(config)#access-list 101 deny ip any any

! Create the transform mode named tran1

Quidway(config)#crypto ipsec transform tran1

! Adopt tunnel mode as the message-encapsulating form

Quidway(config-crypto-transform-tran1)#mode tunnel

! Adopt ESP as the security protocol

Quidway(config-crypto-transform-tran1)#transform esp-new

! Select the encryption algorithm and the authentication algorithm

Quidway(config-crypto-transform-tran1)#esp-new encrypt des

Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96

! Create a security policy with negotiation mode manual

Quidway(config)#crypto map map1 10 manual

! Reference the access list

Quidway(config-crypto-map-map1-10)#match address 101

! Reference the transform mode

Quidway(config-crypto-map-map1-10)#set transform tran1

! Set the local and peer addresses

Quidway(config-crypto-map-map1-10)#set local-address 202.38.163.1

Quidway(config-crypto-map-map1-10)#set peer 202.38.162.1

! Set the SPIs

Quidway(config-crypto-map-map1-10)#set session-key outbound esp spi 12345

Quidway(config-crypto-map-map1-10)#set session-key inbound esp spi 54321

! Set the session keys

Quidway(config-crypto-map-map1-10)#set session-key outbound esp string-key abcdefg

Quidway(config-crypto-map-map1-10)#set session-key inbound esp string-key gfedcba

! Apply the security policy group on the serial interface

Quidway(config)#interface serial 0

Quidway(config-if-Serial0)#crypto map map1

Configuration of Router B:

! Configure an access list and define the data stream from Subnet 10.1.2.x to Subnet 10.1.1.x

Quidway(config)#access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Quidway(config)#access-list 101 deny ip any any

! Create the transform mode named tran1

Quidway(config)#crypto ipsec transform tran1

! Adopt tunnel mode as the message-encapsulating form

Quidway(config-crypto-transform-tran1)#mode tunnel

! Adopt ESP as the security protocol

Quidway(config-crypto-transform-tran1)#transform esp-new

! Select the encryption algorithm and the authentication algorithm

Quidway(config-crypto-transform-tran1)#esp-new encrypt des

Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96

! Create a security policy with negotiation mode manual

Quidway(config)#crypto map use1 10 manual

! Reference the access list

Quidway(config-crypto-map-use1-10)#match address 101

! Reference the transform mode

Quidway(config-crypto-map-use1-10)#set transform tran1

! Set the local and peer addresses

Quidway(config-crypto-map-use1-10)#set local-address 202.38.162.1

Quidway(config-crypto-map-use1-10)#set peer 202.38.163.1

! Set the SPIs

Quidway(config-crypto-map-use1-10)#set session-key outbound esp spi 54321

Quidway(config-crypto-map-use1-10)#set session-key inbound esp spi 12345

! Set the session keys

Quidway(config-crypto-map-use1-10)#set session-key outbound esp string-key gfedcba

Quidway(config-crypto-map-use1-10)#set session-key inbound esp string-key abcdefg

! Exit to global configuration mode

Quidway(config-crypto-map-use1-10)#exit

! Enter serial interface configuration mode

Quidway(config)#interface serial 0

! Apply the security policy group on the serial interface

Quidway(config-if-Serial0)#crypto map use1

After the above configurations are completed, the security tunnel between Router-A and Router-B is established, and the data stream between Subnet 10.1.1.x and Subnet 10.1.2.x is transmitted with encryption.
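As an added example (not the manual's own tooling), the Python checker below parses the Router A and Router B command lines of this procedure and verifies that the two sides mirror each other, which manual keying requires for the SPIs and keys and which the troubleshooting chapter recommends for the ACLs. The parser is hypothetical and understands only the commands shown; the two configurations are embedded as constructed input.

```python
"""Mirror check for the manually keyed crypto maps of Router A and Router B.

Added example, not part of the VRP manual: a hypothetical checker that parses
the CLI lines of the procedure above and verifies that the two routers mirror
each other: swapped local/peer addresses, swapped inbound/outbound SPIs and
string keys, mirrored access list entries and an identical transform. Only the
commands shown above are understood.
"""
import re
from typing import Dict, List

# Strips prompts such as "Quidway(config)#" or "Quidway (config-crypto-map-map1-10)# ".
PROMPT = re.compile(r"^\S*\s*\(config[^)]*\)#\s*")

# Constructed input: the lines of the manual-SA procedure that the checker reads.
ROUTER_A = """
Quidway(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Quidway(config-crypto-transform-tran1)#mode tunnel
Quidway(config-crypto-transform-tran1)#transform esp-new
Quidway(config-crypto-transform-tran1)#esp-new encrypt des
Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96
Quidway(config-crypto-map-map1-10)#set local-address 202.38.163.1
Quidway(config-crypto-map-map1-10)#set peer 202.38.162.1
Quidway(config-crypto-map-map1-10)#set session-key outbound esp spi 12345
Quidway(config-crypto-map-map1-10)#set session-key inbound esp spi 54321
Quidway(config-crypto-map-map1-10)#set session-key outbound esp string-key abcdefg
Quidway(config-crypto-map-map1-10)#set session-key inbound esp string-key gfedcba
"""
ROUTER_B = """
Quidway (config)#access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Quidway (config-crypto-transform-tran1)#mode tunnel
Quidway(config-crypto-transform-tran1)# transform esp-new
Quidway(config-crypto-transform-tran1)# esp-new encrypt des
Quidway(config-crypto-transform-tran1)# esp-new hash sha1-hmac-96
Quidway (config-crypto-map-use1-10)#set local-address 202.38.162.1
Quidway (config-crypto-map-use1-10)#set peer 202.38.163.1
Quidway (config-crypto-map-use1-10)#set session-key outbound esp spi 54321
Quidway (config-crypto-map-use1-10)#set session-key inbound esp spi 12345
Quidway (config-crypto-map-use1-10)#set session-key outbound esp string-key gfedcba
Quidway (config-crypto-map-use1-10)#set session-key inbound esp string-key abcdefg
"""


def parse_side(cli: str) -> Dict[str, object]:
    """Collect the parameters of one router that must agree with its peer."""
    side: Dict[str, object] = {"acl": [], "transform": {}}
    for raw in cli.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] == "access-list" and t[2] == "permit":
            side["acl"].append(tuple(t[4:8]))        # (src, wildcard, dst, wildcard)
        elif t[0] == "esp-new":                       # esp-new encrypt des / esp-new hash ...
            side["transform"][t[1]] = t[2]
        elif t[0] in ("mode", "transform"):           # mode tunnel / transform esp-new
            side["transform"][t[0]] = t[1]
        elif t[:2] == ["set", "local-address"]:
            side["local"] = t[2]
        elif t[:2] == ["set", "peer"]:
            side["peer"] = t[2]
        elif t[:2] == ["set", "session-key"]:
            # set session-key {inbound|outbound} esp {spi <number> | string-key <key>}
            side[f"{t[2]} {t[4]}"] = t[5]
    return side


def check_pair(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Return the mismatches between the two sides; an empty list means they mirror."""
    problems: List[str] = []
    if a.get("local") != b.get("peer") or a.get("peer") != b.get("local"):
        problems.append("local/peer addresses are not swapped between the routers")
    for kind in ("spi", "string-key"):
        if a.get(f"outbound {kind}") != b.get(f"inbound {kind}"):
            problems.append(f"A outbound {kind} differs from B inbound {kind}")
        if a.get(f"inbound {kind}") != b.get(f"outbound {kind}"):
            problems.append(f"A inbound {kind} differs from B outbound {kind}")
    if a["transform"] != b["transform"]:
        problems.append("transform (protocol, mode or algorithms) differs")
    mirrored = {(dst, dw, src, sw) for src, sw, dst, dw in b["acl"]}
    for entry in a["acl"]:
        if entry not in mirrored:
            problems.append(f"ACL entry {entry} on Router A has no mirror on Router B")
    return problems


if __name__ == "__main__":
    print(check_pair(parse_side(ROUTER_A), parse_side(ROUTER_B)) or "the two crypto maps mirror each other")
```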

4.4.2 Creating SA in IKE Negotiation Mode

I. Configuration requirements

Establish a security tunnel between Router-A and Router-B to protect the data streams between the subnet represented by PC-A (10.1.1.x) and the subnet represented by PC-B (10.1.2.x). The security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is sha1-hmac-96.

II. Networking diagram

The same as the above example

III. Configuration procedure

Router-A is configured as follows:

! Configure an access list and define the data stream from Subnet 10.1.1.x to Subnet 10.1.2.x

Quidway(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Quidway(config)#access-list 101 deny ip any any

! Create the transform mode named tran1

Quidway(config)#crypto ipsec transform tran1

! Adopt tunnel mode as the message-encapsulating form

Quidway(config-crypto-transform-tran1)#mode tunnel

! Adopt ESP as the security protocol

Quidway(config-crypto-transform-tran1)#transform esp-new

! Select the encryption algorithm and the authentication algorithm

Quidway(config-crypto-transform-tran1)#esp-new encrypt des

Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96

! Create a security policy with negotiation mode isakmp

Quidway(config)#crypto map map1 10 isakmp

! Set the peer address

Quidway(config-crypto-map-map1-10)#set peer 202.38.162.1

! Reference the transform mode

Quidway(config-crypto-map-map1-10)#set transform tran1

! Reference the access list

Quidway(config-crypto-map-map1-10)#match address 101

! Exit to global configuration mode

Quidway(config-crypto-map-map1-10)#exit

! Enter serial interface configuration mode

Quidway(config)#interface serial 0

! Configure the IP address of the serial interface

Quidway(config-if-Serial0)#ip address 202.38.163.1 255.255.255.0

! Apply the security policy group on the serial interface

Quidway(config-if-Serial0)#crypto map map1

! Configure the corresponding IKE pre-shared key

Quidway(config)#crypto ike key abcde address 202.38.162.1

Router B is configured as follows:

! Configure an access list and define the data stream from Subnet 10.1.2.x to Subnet 10.1.1.x

Quidway(config)#access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Quidway(config)#access-list 101 deny ip any any

! Create the transform mode named tran1

Quidway(config)#crypto ipsec transform tran1

! Adopt tunnel mode as the message-encapsulating form

Quidway(config-crypto-transform-tran1)#mode tunnel

! Adopt ESP as the security protocol

Quidway(config-crypto-transform-tran1)#transform esp-new

! Select the encryption algorithm and the authentication algorithm

Quidway(config-crypto-transform-tran1)#esp-new encrypt des

Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96

! Create a security policy with negotiation mode isakmp

Quidway(config)#crypto map use1 10 isakmp

! Reference the access list

Quidway(config-crypto-map-use1-10)#match address 101

! Set the peer address

Quidway(config-crypto-map-use1-10)#set peer 202.38.163.1

! Reference the transform mode

Quidway(config-crypto-map-use1-10)#set transform tran1

! Enter the configuration mode of serial interface Serial0 and configure its IP address

Quidway(config)#interface serial 0

Quidway(config-if-Serial0)#ip address 202.38.162.1 255.255.255.0

! Apply the security policy group on the serial interface

Quidway(config-if-Serial0)#crypto map use1

! Configure the corresponding IKE pre-shared key

Quidway(config)#crypto ike key abcde address 202.38.163.1

After the above configurations are completed, when messages between Subnet 10.1.1.x and Subnet 10.1.2.x are transmitted between Router-A and Router-B, IKE is triggered to negotiate and establish the SA. After IKE negotiates successfully and the SA is established, the data stream between Subnet 10.1.1.x and Subnet 10.1.2.x is transmitted with encryption.


Chapter 5 Configuration of IKE

5.1 Brief Introduction to IKE Protocol

I. IKE

IKE, the Internet Key Exchange protocol, is a hybrid protocol that implements the Oakley and SKEME key exchanges within the ISAKMP framework. It defines standards for automatically authenticating IPSec peers, negotiating security services and generating shared keys, and provides services such as automatic key exchange negotiation and security association creation, thus simplifying the use and management of IPSec.

IKE has a set of self-protection mechanisms that allow it to deliver keys securely, authenticate identities and establish IPSec security associations over an insecure network.

IKE uses ISAKMP in two stages:

l  The first stage negotiates and authenticates a communication channel, and provides confidentiality, message integrity and message source authentication for the further IKE communication between the two parties.

l  The second stage uses the IKE SA created in the first stage to create IPSec SAs.

The following figure shows the relationship between IKE and IPSec.

[Diagram: on each of Router A and Router B the stack is TCP/UDP over IPSec over IP; IKE on the two routers performs the SA negotiation and installs an SA on each side; IPSec then carries the encrypted IP messages between them]

Figure SC-5-1 Diagram of relationship between IKE and IPSec

II. IKE features

l  Avoids manually specifying all IPSec security parameters in the crypto maps of both communication ends.

l  Allows specifying the lifetime of IPSec SAs.

l  Allows changing the encryption key during an IPSec session.

l  Allows IPSec to provide anti-replay service.

l  Allows manageable and scalable IPSec implementations with certificate authority support.

l  Allows dynamic end-to-end authentication.


5.2 Configuring IKE

5.2.1 IKE Configuration Task List

IKE configuration task list is as follows:

l  Create IKE security policy

l  Select encryption algorithm

l  Select authentication algorithm

l  Configure pre-shared key

l  Select hashing algorithm

l  Select DH group ID

l  Set IKE negotiation SA lifetime

5.2.2 Creating IKE Security Policy

I. Why these policies should be created?

IKE negotiation must be protected, so each IKE negotiation begins with the two terminals agreeing on a common (shared) IKE policy, which specifies the security parameters used to protect the subsequent IKE negotiation.

When the two terminals agree on a policy, the security parameters of that policy are identified by the SA established by each terminal, and these SAs apply to all subsequent IKE communication during the negotiation. Multiple policies with different priorities should be created on each terminal to ensure that at least one policy matches a policy of the remote terminal.

II. Parameters to be defined in policy

l  Encryption algorithm: at present only 56-bit DES-CBC (DES in Cipher Block Chaining mode)

l  Hashing algorithm: SHA-1 (HMAC variant) or MD5 (HMAC variant)

l  Authentication method: RSA signature or RSA real-time encryption

l  Diffie-Hellman group ID

l  SA lifetime

III. How to form matched policy

When IKE negotiation begins, IKE looks for an IKE policy that is consistent at both terminals. The terminal that originates the negotiation sends all its policies to the remote terminal, and the latter tries to find a match by comparing its own policies, starting from the highest priority, with those received from the originator. A match is selected when the policies from the two terminals have the same encryption, hashing, authentication and Diffie-Hellman parameters and the lifetime specified in the remote terminal's policy is shorter than or equal to the lifetime of the policy it is compared with (if no lifetime is specified, the shorter lifetime of the remote terminal's policy is used). If no acceptable match is found, IKE refuses to negotiate and no IPSec tunnel is established. If a match is found, IKE completes the negotiation and then creates the IPSec security tunnel.
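The matching rule above, implemented as an added example that is not code from the manual: the responder scans its policies in priority order and accepts the first initiator policy with identical parameters whose lifetime does not exceed its own. The policy sets are constructed to mirror the show crypto ike policy output later in this chapter and the Gateway B setup of section 5.4, and the example also shows that the outcome depends on which side initiates.

```python
"""IKE policy matching as described in section 5.2.2 III.

Added example, not code from the VRP manual: the responder walks its own
policies from the highest priority down and accepts the first initiator policy
with identical encryption, hash, authentication and Diffie-Hellman parameters
whose lifetime is shorter than or equal to its own; the shorter lifetime becomes
the IKE SA lifetime. The policy values are constructed to mirror the
show crypto ike policy output shown later in this chapter.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int                  # smaller number = higher priority
    encryption: str = "des-cbc"    # the only encryption algorithm offered
    hash_alg: str = "sha"          # sha or md5
    authentication: str = "pre-share"
    group: int = 1                 # DH group 1 (768-bit) or 2 (1024-bit)
    lifetime: int = 86400          # seconds

    def parameters(self) -> Tuple[str, str, str, int]:
        """Everything except the lifetime must match exactly."""
        return (self.encryption, self.hash_alg, self.authentication, self.group)


# The default protection suite exists on every router and has the lowest priority.
DEFAULT_POLICY = IkePolicy(priority=10**9)

# Constructed policy sets: Gateway A carries priorities 15 and 20 plus the
# default; Gateway B keeps only the default (as in the example of 5.4).
GATEWAY_A: List[IkePolicy] = [
    IkePolicy(priority=15, hash_alg="md5", group=2, lifetime=5000),
    IkePolicy(priority=20, hash_alg="sha", group=1, lifetime=10000),
    DEFAULT_POLICY,
]
GATEWAY_B: List[IkePolicy] = [DEFAULT_POLICY]


def match_policies(initiator: List[IkePolicy],
                   responder: List[IkePolicy]) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Return (responder policy, initiator policy, negotiated lifetime), or None.

    None corresponds to the NO_PROPOSAL_CHOSEN notification of section 5.5.
    """
    offered = sorted(initiator, key=lambda p: p.priority)   # the initiator sends all of them
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in offered:
            if theirs.parameters() != mine.parameters():
                continue
            # Lifetime rule of 5.2.2 III: the remote (initiator) lifetime must not
            # exceed the responder's; the shorter one is used for the IKE SA.
            if theirs.lifetime <= mine.lifetime:
                return mine, theirs, min(mine.lifetime, theirs.lifetime)
    return None


if __name__ == "__main__":
    # A initiates: B's default suite matches A's priority-20 policy, lifetime 10000 s.
    print(match_policies(GATEWAY_A, GATEWAY_B))
    # B initiates: A's priority-20 policy is rejected on lifetime (86400 > 10000),
    # so the two default suites match with lifetime 86400 s.
    print(match_policies(GATEWAY_B, GATEWAY_A))
```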

IV. Create IKE policy

The following should be clear before IKE configuration:


l  Determine the strength of the authentication algorithm, encryption algorithm and Diffie-Hellman algorithm (i.e., the computing resources consumed and the security provided). Different algorithms have different strengths; the stronger the algorithm, the harder it is to break the protected data, but the more resources it consumes. A longer key usually means a stronger algorithm.

l  Determine the protection strength needed for the IKE exchange (including the hashing algorithm, encryption algorithm, identity authentication algorithm and DH algorithm).

l  Determine the authentication algorithm, encryption algorithm, hashing algorithm and Diffie-Hellman group.

l  Determine the pre-shared key of both parties.

1) Create IKE policy

The user can create multiple IKE policies but must assign a unique priority value to each created policy. Both parties in the negotiation must have at least one matching policy for the negotiation to succeed, that is, a local policy and one on the remote terminal must have the same encryption, hashing, authentication and Diffie-Hellman parameters (the lifetime parameters may differ slightly). If several policies match, the one with the higher priority is matched first.

Please perform the following tasks in global configuration mode.

Table SC-5-1 Create IKE policy

Operation Command

Create IKE policy and enter IKE policy configuration mode crypto ike policy priority

Delete IKE policy no crypto ike policy priority

No IKE security policy is created by default.

5.2.3 Select Encryption Algorithm

There is only one encryption algorithm: 56-bit DES in Cipher Block Chaining mode (DES-CBC). Before being encrypted, each plaintext block is XORed with the previous ciphertext block, so identical plaintext blocks never map to the same ciphertext block, which enhances security.

Please perform the following tasks in IKE policy configuration mode.

Table SC-5-2  Select encryption algorithm

Operation Command

Select encryption algorithm encryption des-cbc

Set the encryption algorithm to the default value no encryption

By default, DES-CBC encryption algorithm (i.e. parameter des-cbc ) is adopted.

5.2.4 Select Authentication Algorithm

There is only one authentication method: pre-shared key.

Please perform the following tasks in IKE policy configuration mode.


Table SC-5-3  Select authentication method

Operation Command

Select authentication method authentication pre-share

Restore the authentication method to the default value no authentication pre-share

By default, the pre-shared key (i.e., pre-share) authentication method is adopted.

5.2.5 Set Pre-shared Key

If the pre-shared key authentication method is selected, a pre-shared key must be configured.

Perform the following tasks in global configuration mode.

Table SC-5-4 Configure pre-shared key

Operation Command

Configure pre-shared key crypto ike key keystring address  peer-address

Delete pre-shared key to restore its default value no crypto ike key keystring

By default, both ends of the security channel have no pre-shared keys.

5.2.6 Select Hashing Algorithm

Hashing algorithms generally use the HMAC framework. HMAC authenticates messages with a cryptographic hash function and provides a framework into which various hashing algorithms, such as SHA-1 and MD5, can be inserted.

There are two hashing algorithm options: SHA-1 and MD5. Both provide data source authentication and integrity protection. MD5 produces a smaller digest, so it is usually considered slightly faster than SHA-1. An attack against MD5 has been demonstrated (though it is very difficult), but the HMAC variant used by IKE prevents such attacks.

Please perform the following tasks in IKE policy configuration mode.

Table SC-5-5 Select hashing algorithm

Operation Command

Select hashing algorithm hash { md5 | sha }

Set hashing algorithm to the default value no hash

By default SHA-1 hashing algorithm (i.e., parameter sha) is adopted.

5.2.7 Select DH Group ID

There are two DH (Diffie-Hellman) group ID options: the 768-bit Diffie-Hellman group (Group 1) or the 1024-bit Diffie-Hellman group (Group 2). The 1024-bit Diffie-Hellman group (Group 2) takes more CPU time.

Please perform the following tasks in IKE policy configuration mode.


Table SC-5-6  Select DH group ID

Operation Command

Select DH group ID group { 1 | 2 }

Restore the default value of DH group ID no group

By default, 768-bit Diffie-Hellman group (Group 1) is selected.

5.2.8 Set Lifetime of IKE Association SA

The lifetime is how long an IKE SA exists before it becomes invalid. When IKE begins a negotiation, the first thing it does is make the security parameters of the two parties consistent. The SA references the agreed parameters at each terminal, and each terminal keeps the SA until its lifetime expires. Before the SA becomes invalid, it can be reused by subsequent IKE negotiations. A new SA is negotiated before the current SA becomes invalid.

The shorter the lifetime (down to a certain point), the more secure the IKE negotiation. But to save the time spent setting up IPSec, a longer IKE SA lifetime should be configured.

If the policy lifetimes of the two terminals differ, the IKE policy can be selected only when the lifetime of the originating terminal is greater than or equal to that of the peer end, and the shorter lifetime is selected as the IKE SA lifetime.

Perform the following tasks in IKE policy configuration mode.

Table SC-5-7 Set lifetime of IKE negotiation SA

Operation Command

Set lifetime of IKE SA lifetime seconds

Set lifetime as the default value no lifetime

By default, the SA lifetime is 86400 seconds (one day). It is recommended that the configured value be greater than 10 minutes.

5.3 Monitoring and Maintenance of IKE

Please perform the monitoring and maintenance in privileged user mode.

Table SC-5-8 Monitoring and maintenance of IKE

Operation Command

Show IKE security association parameters show crypto ike sa

Show IKE security policy show crypto ike policy

Clear an SA clear crypto ike sa connection-id

1) Show IKE SA parameters

Quidway# show crypto ike sa

conn-id   peer          flags   phase   doi
1         202.38.0.2    RD|ST   1       IPSEC
2         202.38.0.2    RD|ST   2       IPSEC

Flag meaning: RD--Ready ST--Stayalive RT--Replaced FD--Fading

Execute the following command to clear security association 1.

Quidway# clear crypto ike sa 1

Then the SA display shows the following information:

Quidway# show crypto ike sa

conn-id   peer          flags   phase   doi
2         202.38.0.2    RD|ST   2       IPSEC

Flag meaning: RD--Ready ST--Stayalive RT--Replaced FD--Fading

Table SC-5-9 Description of the fields of the show crypto ike sa command

Field Description

conn-id Security channel ID

peer Peer IP address of this SA

flags Status of this SA: NONE means this SA is being established; READY means this SA has been established successfully; STAYALIVE means that the lifetime has been negotiated and this SA will be refreshed at a fixed interval; REPLACED means that a timeout has happened; FADING means this SA has been replaced and will be cleared automatically after some time

phase Phase of the SA

doi Domain of interpretation (DOI) of the SA

2) Show IKE security policy

Quidway# show crypto ike policy

Protection suite priority 15
  encryption algorithm: DES - CBC
  hash algorithm: MD5
  authentication method: Pre-Shared Key
  Diffie-Hellman Group: MODP1024
  Lifetime: 5000 seconds, no volume limit
Protection suite priority 20
  encryption algorithm: DES - CBC
  hash algorithm: SHA
  authentication method: Pre-Shared Key
  Diffie-Hellman Group: MODP768
  lifetime: 10000 seconds, no volume limit
Default protection suite
  encryption algorithm: DES - CBC
  hash algorithm: SHA
  authentication method: Pre-Shared Key
  Diffie-Hellman Group: MODP768
  Lifetime: 86400 seconds, no volume limit

The information shows, for each protection suite, its priority, encryption algorithm, hashing algorithm, authentication method, Diffie-Hellman group and IKE SA lifetime.

5.4 Typical Configuration of IKE

I. Networking requirements

l  Hosts A and B communicate securely, and a security channel is established through IKE automatic negotiation between Security Gateways A and B.


l  IKE policies are configured on Gateway A, with Policy 10 having the highest priority and the default IKE policy the lowest.

l  The pre-shared key authentication method is adopted.

II. Networking diagram

[Diagram: Host A -- Security Gateway A (Serial 0: 202.38.160.1) -- Internet -- Security Gateway B (Serial 0: 171.69.224.33) -- Host B]

Figure SC-5-2 Networking diagram of IKE configuration example

III. Configuration procedure

Configuration on Security Gateway A:

! Configure IKE policy 10

Quidway(config)#crypto ike policy 10

! Specify MD5 as the hashing algorithm used by the IKE policy

Quidway(config-crypto-ike-policy-10)#hash md5

! Use the pre-shared key authentication method

Quidway(config-crypto-ike-policy-10)#authentication pre-share

! Configure the pre-shared key "abcde" for peer 171.69.224.33

Quidway(config)#crypto ike key abcde address 171.69.224.33

! Set the IKE SA lifetime to 5000 seconds

Quidway(config-crypto-ike-policy-10)#lifetime 5000

Configuration on Security Gateway B:

! Use the default IKE policy on Gateway B and configure the peer authentication key.

Quidway(config)#crypto ike key abcde address 202.38.160.1

The above are the IKE negotiation configurations. To establish an IPSec security channel for secure communication, IPSec must be configured correspondingly; for details, refer to the configuration examples in the chapter on IPSec configuration.

5.5 IKE Fault Diagnosis and Troubleshooting

When configuring the parameters to establish an IPSec security channel, you can use the debug ike error command to enable IKE error debugging, which helps find configuration problems. The command is debug ike error.


Problem 1: Invalid user ID information

Troubleshooting: please follow the steps below.

User ID information is the data with which the user originating IPSec communication identifies itself. In practical applications the user ID can be used to establish different security paths for protecting different data streams. At present the user IP address is used to identify the user.

The debugging information shows

  got NOTIFY of type INVALID_ID_INFORMATION

or

  drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION

Check whether the ACL contents in the crypto maps configured on the interfaces of both ends are compatible. It is recommended to configure the ACLs of both ends to mirror each other.

Problem 2: Unmatched policy

Troubleshooting: please follow the steps below.

With the debug ike error command enabled, you can see the following debugging information:

  got NOTIFY of type NO_PROPOSAL_CHOSEN

or

  drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN

The two negotiating parties have no matching policy. Check the protocol used by the crypto maps configured on the interfaces of both parties to see whether the encryption algorithm and authentication algorithm are the same.

Problem 3: Unable to establish security channel

Troubleshooting: please follow the steps below.

Check whether the network is stable and whether the security channel is established correctly. Sometimes a security channel exists but there is no way to communicate, even though the ACLs of both parties are checked and found to be configured correctly and there is a matching policy. In this case the problem is usually caused by the restart of one router after the security channel is established.

Solution:

l  Check whether the network is stable and whether the security channel has been properly established. You may encounter the following situation: the two parties cannot communicate via the existing security channel, while the access control lists of both parties are properly configured and there is a matching policy. This case is generally caused by one party restarting its router after the security channel is established.

l  Use the command show crypto ike sa to check whether both parties have established the Phase 1 SA.

l  Use the command show crypto ipsec sa map to check whether the crypto map on the interface has established the IPSec SA.

l  If the above two results show that one party has an SA but the other does not, use the command clear crypto ike sa to clear the erroneous SA and re-originate the negotiation.