HP Firewalls and UTM Devices VPN Configuration Guide

Part number: 5998-4168
Software version:
  F1000-A-EI: Feature 3722
  F1000-S-EI: Feature 3722
  F5000: Feature 3211
  F1000-E: Feature 3174
  Firewall module: Feature 3174
  Enhanced firewall module: ESS 3807
  U200-A: ESS 5132
  U200-S: ESS 5132
Document version: 6PW100-20121228
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Configuring GRE

The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.

Overview

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate multiple network layer protocols into virtual point-to-point tunnels over an IP network. Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end.
• GRE over IPv6—The transport protocol is IPv6, and the passenger protocol is any network layer protocol.

In the Web interface, you can configure only GRE over IPv4 tunnels.

GRE encapsulation and de-encapsulation

The following sections use Figure 3 to describe how an X protocol packet traverses an IP network through a GRE tunnel.

Figure 3 X protocol networks interconnected through a GRE tunnel

Encapsulation process

1.
calculates a checksum for the received packet and compares it with that carried in the packet. If the checksums are the same, the receiver considers the packet intact and continues to process the packet. Otherwise, the receiver discards the packet.
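The receiver-side check described above (recompute the checksum, compare, discard on mismatch) together with the GRE key rule the guide states later (both ends keyed identically, or neither), as an added example in Python; it is not code from the guide or from the HP devices, and it assumes the RFC 2784 header layout with the RFC 2890 key field, with the passenger bytes and protocol type constructed for the demonstration:

```python
import struct
from typing import Optional

# GRE header flag bits (RFC 2784, with the RFC 2890 key extension)
GRE_C = 0x8000           # checksum present
GRE_K = 0x2000           # key present
GRE_VERSION_MASK = 0x0007


def gre_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of data.

    The caller passes the GRE header plus payload with the checksum field zeroed."""
    if len(data) % 2:
        data += b"\x00"                      # pad the trailing odd byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, protocol_type: int,
                    checksum: bool = False, key: Optional[int] = None) -> bytes:
    """Sender side: build the GRE header, then fill in the checksum over header + payload."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
    header = struct.pack("!HH", flags, protocol_type)
    if checksum:
        header += struct.pack("!HH", 0, 0)   # checksum placeholder + reserved1
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + payload
    if checksum:
        csum = gre_checksum(packet)          # computed with the field still zero
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes, local_key: Optional[int] = None,
                    verify_checksum: bool = True) -> dict:
    """Receiver side as the guide describes it: recompute the checksum and compare,
    discarding on mismatch; the key must equal the locally configured key (or both be absent)."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header: packet discarded")
    flags, protocol_type = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version: packet discarded")
    offset = 4
    if flags & GRE_C:
        received = struct.unpack("!H", packet[4:6])[0]
        if verify_checksum:
            zeroed = packet[:4] + b"\x00\x00" + packet[6:]
            if gre_checksum(zeroed) != received:
                raise ValueError("checksum mismatch: packet discarded")
        offset += 4
    key = None
    if flags & GRE_K:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if key != local_key:
        raise ValueError("GRE key mismatch: packet discarded")
    return {"protocol_type": protocol_type, "key": key, "payload": packet[offset:]}


if __name__ == "__main__":
    # Constructed passenger bytes; 0x0800 is the Ethertype for IPv4 as the GRE protocol type.
    pkt = gre_encapsulate(b"passenger packet", 0x0800, checksum=True, key=100)
    print(gre_decapsulate(pkt, local_key=100))
```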
Figure 6 Network diagram

Operating with IPsec

As shown in Figure 7, GRE can be encapsulated into IPsec to improve transmission security for routing protocol packets, voice data, and video data.

Figure 7 Network diagram

For more information about IPsec, see Security Configuration Guide.
Recommended configuration procedure

Step 1: Creating a GRE over IPv4 tunnel interface
  Remarks: Required. Create a tunnel interface and configure GRE over IPv4 tunnel related parameters.
Step 2: Configuring a route for packet forwarding through the tunnel
  Remarks: Optional. Each end of the tunnel must have a route (static or dynamic) for packet forwarding through the tunnel to the other end. This makes sure GRE encapsulated packets can be forwarded normally.
Figure 9 Adding a GRE over IPv4 tunnel interface

3. Configure the GRE over IPv4 tunnel interface as described in Table 1.
4. Click Apply.

Table 1 Configuration items

Item: Tunnel Interface
  Description: Specify the number of the tunnel interface.
Item: IP/Mask
  Description: Specify the IP address and subnet mask of the tunnel interface.
  IMPORTANT: When configuring a static route on the tunnel interface, make sure the destination IP address of the static route is not in the subnet of the tunnel interface.
Item: (item name truncated in the source)
  Description: Enable or disable the GRE keepalive function. With the GRE keepalive function enabled on a tunnel interface, the device sends GRE keepalive packets from the tunnel interface periodically. If no response is received from the peer within the specified interval, the device retransmits the keepalive packet.
Figure 11 Creating a GRE tunnel interface

3. Configure a static route from Firewall A through interface Tunnel0 to Group 2:
   a. Select Network > Routing Management > Static Routing from the navigation tree.
   b. Click Add.
   c. Enter 10.1.3.0 as the destination IP address.
   d. Select mask 255.255.255.0.
   e. Select Tunnel0 as the outbound interface.
   f. Click Apply.
2. Create a GRE tunnel interface:
   a. Select VPN > GRE > GRE from the navigation tree.
   b. Click Add.
   c. Enter 0 in the Tunnel Interface field.
   d. Enter IP address/mask 10.1.2.2/24.
   e. Select Trust from the Zone list. (Select a security zone according to your network configuration.)
   f. Enter the source end IP address 2.2.2.2, the IP address of GigabitEthernet 0/1.
   g. Enter the destination end IP address 1.1.1.1, the IP address of GigabitEthernet 0/1 on Firewall A.
   h. Click Apply.
3.
Figure 13 Status information and statistics of interface Tunnel0

2. From Firewall B, ping the IP address of GigabitEthernet 0/2 on Firewall A.

ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.1.1.
• Tunnel interfaces using the same encapsulation protocol must have different source addresses and destination addresses.
• If you configure a source interface for a tunnel interface, the tunnel interface takes the primary IP address of the source interface as its source address.
• You can enable or disable the checksum function at both ends of a tunnel.
Step 7: Enable GRE keepalive and set the interval and the maximum number of transmission attempts.
  Command: keepalive [ seconds [ times ] ]
  Remarks: Optional. Disabled by default.
Step 8: Enable the GRE packet checksum function.
  Command: gre checksum
  Remarks: Optional. Disabled by default.
Step 9: Configure the key for the GRE tunnel interface.
  Command: gre key key-number
  Remarks: Optional. By default, no key is configured for a GRE tunnel interface. The two ends of a tunnel must have the same key or have no key at the same time.
• Deleting a tunnel interface also deletes the functions configured on this tunnel interface.
• The source address and destination address of a tunnel uniquely identify a path. You must configure the tunnel source address and destination address at both ends of a tunnel, and the tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
Step 7: Configure the destination address for the tunnel interface.
  Command: destination ipv6-address
  Remarks: By default, no destination address is configured for a tunnel interface.
Step 8: Set the maximum number of encapsulations in the tunnel.
  Command: encapsulation-limit [ number ]
  Remarks: Optional. 4 by default.
Step 9: Enable the GRE packet checksum function.
  Command: gre checksum
  Remarks: Optional. Disabled by default.
Step 10: Configure the key for the GRE tunnel interface.
  Remarks: Optional.
For more information about the commands display interface tunnel and display ipv6 interface tunnel, see VPN Command Reference.

GRE over IPv4 tunnel configuration example

Network requirements

As shown in Figure 14, Firewall A and Firewall B are interconnected through the Internet. Two private IPv4 subnets, Group 1 and Group 2, are interconnected through a GRE tunnel between the two firewalls.
system-view
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] ip address 10.1.3.1 255.255.255.0
[FirewallB-GigabitEthernet0/1] quit
# Configure an IPv4 address for interface GigabitEthernet 0/2, the physical interface of the tunnel.
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] ip address 2.2.2.2 255.255.255.0
[FirewallB-GigabitEthernet0/2] quit
# Create a tunnel interface named Tunnel0.
0 output error
[FirewallB] display interface tunnel 0
Tunnel0 current state: UP
Line protocol current state: UP
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1476
Internet Address is 10.1.2.2/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 2.2.2.2, destination 1.1.1.
Hardware: U200-A  Example applicable: Yes
Hardware: U200-S  Example applicable: No

Network requirements

As shown in Figure 15, two IPv4 subnets, Group 1 and Group 2, are connected to an IPv6 network. Create a GRE over IPv6 tunnel between Firewall A and Firewall B so the two IPv4 subnets can communicate with each other through the GRE tunnel over the IPv6 network.

Figure 15 Network diagram

Configuration procedure

Before the configuration, make sure Firewall A and Firewall B can reach each other.

1.
[FirewallA] ip route-static 10.1.3.0 255.255.255.0 tunnel 0

2. Configure Firewall B:

system-view
# Enable IPv6.
[FirewallB] ipv6
# Configure an IPv4 address for interface GigabitEthernet 0/1.
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] ip address 10.1.3.1 255.255.255.0
[FirewallB-GigabitEthernet0/1] quit
# Configure an IPv6 address for interface GigabitEthernet 0/2, the physical interface of the tunnel.
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
10 packets input, 840 bytes, 0 input error
10 packets output, 840 bytes, 0 output error
[FirewallB] display interface Tunnel 0
Tunnel0 current state: UP
Line protocol current state: UP
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1456
Internet Address is 10.1.2.2/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Figure 16 Network diagram (Host A, Firewall A, Firewall C and Firewall B, Host B; GRE tunnel between Tunnel0 interfaces across the IP network; addresses 10.1.1.1/16 and 10.2.1.1/16)

Symptom

The interfaces at both ends of the tunnel are configured correctly and can ping each other, but Host A and Host B cannot ping each other.

Solution

1. Execute the display ip routing-table command on Firewall A and Firewall C to view whether Firewall A has a route over tunnel 0 to 10.2.0.
Configuring a point-to-multipoint GRE tunnel

The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.

Feature and hardware compatibility

Hardware: F1000-A-EI/F1000-S-EI  P2MP GRE tunnel compatible: Yes
Hardware: F1000-E  P2MP GRE tunnel compatible: Yes
Hardware: F5000  P2MP GRE tunnel compatible: Yes
Hardware: Firewall module  P2MP GRE tunnel compatible: Yes
Hardware: U200-A  P2MP GRE tunnel compatible: Yes
Hardware: U200-S  P2MP GRE tunnel compatible: No

Overview

Figure 17 P2MP GRE tunnel application scenario

A traditional GRE tunnel is a point-to-point connection.
The point-to-multipoint (P2MP) GRE tunnel technology solves this problem. It is well suited to enterprise networks with many branches. In a P2MP GRE tunnel application, you only need to configure the tunnel interface on the headquarters node to operate in P2MP GRE tunnel mode and the tunnel interface on each branch node to operate in traditional P2P GRE tunnel mode. A GRE tunnel is then established dynamically between the headquarters and each branch.
GRE tunnel backup at a branch

Figure 19 Backing up a GRE tunnel at a branch

As shown in Figure 19, for higher network reliability, a branch can use multiple gateway devices so that a GRE tunnel is established between the headquarters and each gateway of the branch for GRE tunnel backup. When creating a GRE tunnel on a gateway of the branch, you can configure the GRE key.
gateway (for example, Tunnel 1), to implement headquarters node backup and GRE tunnel backup. If the link between the main gateway and the branch gateway goes down, the main tunnel interface will soon lose the matching tunnel entry for forwarding packets to the branch. In this case, the main tunnel interface will forward the packets to the backup interface, which will then forward the packets to the branch. You need to configure the GRE over IPv4 mode on the backup interface.
Configuring a P2MP GRE tunnel in the Web interface

Configuration prerequisites

Before configuring a P2MP GRE tunnel, configure an IP address for the interface (such as a VLAN interface, an Ethernet interface, or a Loopback interface) to be used as the source interface of the tunnel interface.

Recommended configuration procedure

Task 1: Configuring a P2MP GRE tunnel interface
  Remarks: Required. Create a P2MP GRE tunnel interface and configure the related parameters.
Task 2: (task name truncated in the source)
  Remarks: Required.
Figure 21 P2MP GRE tunnel interface management page

2. Click Add to add a P2MP GRE tunnel interface.

Figure 22 Adding a P2MP GRE tunnel interface

3. Configure the P2MP GRE tunnel interface as described in Table 2.
4. Click Apply.

Table 2 Configuration items

Item: Tunnel Interface
  Description: Specify the number of the tunnel interface.
Item: IP/Mask
  Description: Specify the IP address and subnet mask of the tunnel interface.
Item: Tunnel Source IP/Interface
  Description: Specify the source IP address for the tunnel interface. You can input an IP address or select an interface. In the latter case, the primary IP address of the interface will be used as the tunnel source address. You must configure a source address on a P2MP GRE tunnel interface. Two or more P2MP GRE tunnel interfaces cannot share the same source address.
Figure 23 Tunnel list

Table 3 Field description

Field: Tunnel Interface
  Description: Name of the tunnel interface.
Field: Tunnel Dest Address
  Description: IP address of the tunnel destination.
Field: Branch Network Address/Mask
  Description: IP address and mask of the branch network.
Field: GRE Key
  Description: GRE key of the tunnel, used to identify the priority of the tunnel entry. If the tunnel peer device is not configured with a GRE key, nothing will be displayed for this field.
Figure 24 Network diagram

Configuring Firewall A

1. Configure an IPv4 address for each interface and assign the interfaces to security zones. (Details not shown.)
2. Create a P2MP GRE tunnel interface:
   a. Select VPN > GRE > P2MP from the navigation tree.
   b. Click Add.
   c. Enter 0 in the Tunnel Interface field, and enter IP address/mask 192.168.22.1/24.
   d. Select Management from the Zone list. (Select a security zone according to your network configuration.)
   e.
   b. Click Add.
   c. Enter 192.168.12.0 as the destination IP address.
   d. Select mask 255.255.255.0.
   e. Select Tunnel0 as the outbound interface.
   f. Click Apply.

Figure 26 Adding a static route from Firewall A through interface Tunnel0 to the branch network

Configuring Firewall B

1. Configure an IPv4 address for each interface and assign the interfaces to security zones. (Details not shown.)
2. Create a GRE over IPv4 tunnel interface:
   a. Select VPN > GRE > GRE from the navigation tree.
   b.
Figure 27 Adding a GRE over IPv4 tunnel interface

3. Configure a static route from Firewall B through interface Tunnel0 to the headquarters node:
   a. Select Network > Routing Management > Static Routing from the navigation tree.
   b. Click Add.
   c. Enter 192.168.11.0 as the destination IP address.
   d. Select mask 255.255.255.0.
   e. Select Tunnel0 as the outbound interface.
   f. Click Apply.
2. Ping Host A from Host B. The ping operation succeeds.
3. On Firewall A, click Refresh under the tunnel entry list. The P2MP GRE tunnel entry should have been installed.

Figure 29 Verifying the configuration result

Configuration example for P2MP GRE tunnel backup at the headquarters

Network requirements

As shown in Figure 54, the headquarters uses two gateways at the egress of the internal network, with Firewall B for backup.
Figure 30 Network diagram (headquarters: Firewall A with Tunnel0 as the GRE P2MP tunnel and Tunnel1 as the GRE over IPv4 tunnel, Firewall B as backup gateway, Host A and Host B; branch: Firewall C with Tunnel0 and Tunnel1, Host C; interconnected over the IPv4 network)

Device: Firewall A  GE0/1 11.1.1.1/24  GE0/2 10.1.1.1/24  GE0/3 192.168.11.1/24
Device: Firewall B  GE0/1 11.1.1.2/24  GE0/2 10.1.1.2/24  GE0/3 192.168.11.
Device: Firewall C  (addresses truncated in the source)
Figure 31 Adding a GRE over IPv4 tunnel interface (Tunnel 1)

3. Create a P2MP GRE tunnel interface, with the tunnel interface number being 0:
   a. Select VPN > GRE > P2MP from the navigation tree.
   b. Click Add.
   c. Enter 0 in the Tunnel Interface field, and enter IP address/mask 172.168.1.1/24.
   d. Select Management from the Zone list. (Select a security zone according to your network configuration.)
   e. Enter 11.1.1.
Figure 32 Adding a P2MP GRE tunnel interface (Tunnel0)

4. Configure a static route from Firewall A through interface Tunnel0 to the branch network:
   a. Select Network > Routing Management > Static Routing from the navigation tree.
   b. Click Add.
   c. Enter 192.168.12.0 as the destination IP address.
   d. Select mask 255.255.255.0.
   e. Select Tunnel0 as the outbound interface.
   f. Click Apply.
   c. Enter 0 in the Tunnel Interface field, and enter IP address/mask 172.168.2.2/24.
   d. Select Management from the Zone list. (Select a security zone according to your network configuration.)
   e. Enter 11.1.1.2 as the tunnel source address, 24 as the branch network address mask, and 10 as the tunnel entry aging time.
   f. Click Apply.

Figure 34 Adding a P2MP GRE tunnel interface (Tunnel0)

3. Create a GRE over IPv4 tunnel interface, with the tunnel interface number being 1:
   a.
Figure 35 Adding a GRE over IPv4 tunnel interface (Tunnel1)

4. Configure a static route from Firewall B through interface Tunnel0 to the branch network:
   a. Select Network > Routing Management > Static Routing from the navigation tree.
   b. Click Add.
   c. Enter 192.168.12.0 as the destination IP address.
   d. Select mask 255.255.255.0.
   e. Select Tunnel0 as the outbound interface.
   f. Click Apply.
2. Create a GRE over IPv4 tunnel interface, with the tunnel interface number being 0:
   a. Select VPN > GRE > GRE from the navigation tree.
   b. Click Add.
   c. Enter 0 in the Tunnel Interface field.
   d. Enter IP address/mask 172.168.1.3/24.
   e. Select Management from the Zone list. (Select a security zone according to your network configuration.)
   f. Enter the tunnel source IP address 11.1.1.3 and the tunnel destination IP address 11.1.1.1.
   g. Click Apply.
Figure 38 Adding a GRE over IPv4 tunnel interface (Tunnel1)

4. Configure a static route from Firewall C through interface Tunnel0 to the headquarters node, with the routing priority being 1:
   a. Select Network > Routing Management > Static Routing from the navigation tree.
   b. Click Add.
   c. Enter 192.168.11.0 as the destination IP address.
   d. Select mask 255.255.255.0.
   e. Select Tunnel0 as the outbound interface.
   f. Enter priority 1.
   g. Click Apply.
This makes the priority of this route lower than that of the static route of interface Tunnel0, making sure Firewall C prefers the tunnel between Firewall A and Firewall C for packet forwarding.
   a. On the static route management page, click Add.
   b. Enter 192.168.11.0 as the destination IP address.
   c. Select mask 255.255.255.0.
   d. Select Tunnel1 as the outbound interface.
   e. Enter priority 10.
   f. Click Apply.
Figure 41 Verifying the configuration result on Firewall A

4. Cut off the tunnel link between Firewall A and Firewall C:
   a. On Firewall C, select Device Management > Interface from the navigation tree and then click the icon of interface Tunnel0.
   b. Click the Disable button to shut down interface Tunnel0.
5. After the tunnel aging time (10 seconds in this example) elapses, refresh and view the tunnel entry information on Firewall A. There should be no tunnel entry any more.
6.
allowing Firewall A to establish two GRE tunnels to the branch network, one for connecting Firewall B and the other for connecting Firewall C. Firewall A decides which GRE tunnel to use to send packets to the hosts on the branch network. To meet the previous requirements, you need to configure different GRE keys for the GRE tunnels on Firewall B and Firewall C, so that Firewall A can choose a tunnel according to the GRE key values.
Figure 44 Adding a P2MP GRE tunnel interface

3. Configure a static route from Firewall A through interface Tunnel0 to the branch network:
   a. Select Network > Routing Management > Static Routing from the navigation tree.
   b. Click Add.
   c. Enter 192.168.1.0 as the destination IP address.
   d. Select mask 255.255.255.0.
   e. Select Tunnel0 as the outbound interface.
   f. Click Apply.

Figure 45 Adding a static route from Firewall A through interface Tunnel0 to the branch network

Configuring Firewall B

1.
   c. Enter 0 in the Tunnel Interface field.
   d. Enter IP address/mask 192.168.22.2/24.
   e. Select Management from the Zone list. (Select a security zone according to your network configuration.)
   f. Enter the tunnel source IP address 11.1.1.2, the tunnel destination IP address 11.1.1.1, and the GRE key 1.
   g. Click Apply.

Figure 46 Adding a GRE over IPv4 tunnel interface

3. Configure a static route from Firewall B through interface Tunnel0 to the headquarters node:
   a.
Figure 47 Adding a static route from Firewall B through interface Tunnel0 to the headquarters node

Configuring Firewall C

1. Configure an IPv4 address for each interface and assign the interfaces to security zones. (Details not shown.)
2. Create a GRE over IPv4 tunnel interface:
   a. Select VPN > GRE > GRE from the navigation tree.
   b. Click Add.
   c. Enter 0 in the Tunnel Interface field.
   d. Enter IP address/mask 192.168.22.3/24.
   e. Select Management from the Zone list.
Figure 48 Adding a GRE over IPv4 tunnel interface

3. Configure a static route from Firewall C through interface Tunnel0 to the headquarters node:
   a. Select Network > Routing Management > Static Routing from the navigation tree.
   b. Click Add.
   c. Enter 172.17.17.0 as the destination IP address.
   d. Select mask 255.255.255.0.
   e. Select Tunnel0 as the outbound interface.
   f. Click Apply.
3. On Firewall A, select VPN > GRE > P2MP from the navigation tree and then click the Tunnel List tab. You can see information about the P2MP GRE tunnels established on Firewall A.

Figure 50 Verifying the configuration result on Firewall A (1)

4. On Host B, specify Firewall B as the default gateway.
5. Ping Host A from Host B. The ping operation succeeds.
6. Click the Refresh button under the tunnel list of Firewall A. You can see that another P2MP tunnel entry is generated on Firewall A.
Figure 52 Verifying the configuration result on Firewall A (3)

Configuring a P2MP GRE tunnel at the CLI

Configuring a P2MP GRE tunnel

Follow these guidelines when you configure a P2MP GRE tunnel:
• Two or more P2MP GRE tunnel interfaces cannot share the same source address.
• If you specify a source interface for a P2MP GRE tunnel interface, the tunnel interface takes the primary IP address of the source interface as its source address.
Step 2: Create a tunnel interface and enter tunnel interface view.
  Command: interface tunnel interface-number
  Remarks: By default, a device has no tunnel interface.
Step 3: Configure an IPv4 address for the tunnel interface.
  Command: ip address ip-address { mask | mask-length }
  Remarks: By default, a tunnel interface has no IPv4 address.
Step 4: Set the tunnel mode to P2MP GRE.
  Remarks: The default tunnel mode is GRE over IPv4.
Displaying and maintaining P2MP GRE tunnels

Task: Display the tunnel entry information of a P2MP GRE tunnel interface.
  Command: display gre p2mp tunnel-table interface tunnel number [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear the tunnel entry information of a P2MP GRE tunnel interface.
  Command: reset gre p2mp tunnel-table [ interface tunnel number [ dest-address tunnel-dest-address ] ]
  Remarks: Available in user view.
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ip address 11.1.1.1 255.255.255.0
[FirewallA-GigabitEthernet0/1] quit
# Configure an IP address for interface GigabitEthernet 0/2.
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ip address 192.168.11.1 255.255.255.0
[FirewallA-GigabitEthernet0/2] quit
# Create a tunnel interface named Tunnel0 and configure an IP address for it.
[FirewallA] interface tunnel 0
[FirewallA-Tunnel0] ip address 192.168.22.1 255.
3. Verify the configuration:

# Display the tunnel entry information on Firewall A. The output shows that no tunnel entry exists.
[FirewallA] display gre p2mp tunnel-table interface tunnel 0
Dest Addr          Mask               Tunnel Dest Addr     Gre Key
# Ping Host A from Host B. The operation succeeds.
# View tunnel entry information on Firewall A again.
Figure 54 Network diagram (headquarters: Firewall A with Tunnel0 as the GRE P2MP tunnel and Tunnel1 as the GRE over IPv4 tunnel, Firewall B as backup gateway, Host A and Host B; branch: Firewall C with Tunnel0 and Tunnel1, Host C; interconnected over the IPv4 network)

Device: Firewall A  GE0/1 11.1.1.1/24  GE0/2 10.1.1.1/24  GE0/3 192.168.11.1/24
Device: Firewall B  GE0/1 11.1.1.2/24  GE0/2 10.1.1.2/24  GE0/3 192.168.11.
Device: Firewall C  (addresses truncated in the source)
# Set the tunnel entry aging time to 20 seconds.
[FirewallA-Tunnel0] gre p2mp aging-time 20
# Configure the source IP address of the tunnel interface Tunnel0.
[FirewallA-Tunnel0] source 11.1.1.1
# Configure the tunnel interface Tunnel1 as the backup interface of the tunnel interface Tunnel0.
[FirewallA-Tunnel0] gre p2mp backup-interface tunnel 1
[FirewallA-Tunnel0] quit
# Configure a static route to the branch network with the outgoing interface being the tunnel interface Tunnel0.
[FirewallC-Tunnel0] destination 11.1.1.1
[FirewallC-Tunnel0] quit
# Configure a static route to the headquarters network with the outgoing interface being the tunnel interface Tunnel0 and priority value being 1.
[FirewallC] ip route-static 192.168.11.0 255.255.255.0 tunnel 0 preference 1
# Create a tunnel interface named Tunnel1 and configure an IP address for it.
[FirewallC] interface tunnel 1
[FirewallC-Tunnel1] ip address 172.168.2.3 255.255.255.
Dest Addr          Mask               Tunnel Dest Addr     Gre Key
# Ping Host A from Host C. View tunnel entries on Firewall B:
[FirewallB] display gre p2mp tunnel-table interface tunnel 0
Dest Addr          Mask               Tunnel Dest Addr     Gre Key
192.168.12.0       255.255.255.0      11.1.1.3
Then, Host A can ping Host C.

The verification process indicates that:
• After the link between Firewall A and Firewall C went down, the tunnel entry aging timer started to work. After the timer expired, the tunnel entry on Firewall A was removed.
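The P2MP tunnel-table behaviour exercised by this verification (an entry learned per branch network and tunnel peer when a GRE packet arrives, removed after the aging time, and the backup interface used when no entry matches, as the backup section describes), as an added simplified model in Python; it is not the device's code. The entry fields follow Table 3, the aging time and addresses are those of this example, the Host C address 192.168.12.2 is constructed, and choosing between two branch gateways by GRE key is not modelled (the guide does not state the rule).

```python
import ipaddress
from typing import Optional


class P2mpTunnelInterface:
    """Assumed model of a headquarters P2MP GRE tunnel interface and its tunnel table."""

    def __init__(self, name: str, source: str, branch_mask_len: int,
                 aging_time: float, backup_interface: Optional[str] = None):
        self.name = name
        self.source = ipaddress.IPv4Address(source)
        self.branch_mask_len = branch_mask_len       # "branch network address mask"
        self.aging_time = aging_time                 # "tunnel entry aging time", seconds
        self.backup_interface = backup_interface     # gre p2mp backup-interface
        # (branch network, tunnel dest addr) -> {"key": GRE key or None, "last_seen": time}
        self.entries = {}

    def receive(self, outer_src: str, inner_src: str, now: float,
                gre_key: Optional[int] = None) -> ipaddress.IPv4Network:
        """A GRE packet arrived: the delivery-header source is the branch gateway (tunnel
        dest addr) and the passenger source, masked, is the branch network."""
        network = ipaddress.IPv4Network((inner_src, self.branch_mask_len), strict=False)
        entry = (network, ipaddress.IPv4Address(outer_src))
        self.entries[entry] = {"key": gre_key, "last_seen": now}   # learn or refresh
        return network

    def age_out(self, now: float) -> int:
        """Remove entries not refreshed within the aging time; returns how many were removed."""
        expired = [e for e, v in self.entries.items() if now - v["last_seen"] > self.aging_time]
        for e in expired:
            del self.entries[e]
        return len(expired)

    def forward(self, inner_dst: str, now: float) -> tuple:
        """Decide where a packet for a branch host goes: ("tunnel", name, peer) when a
        tunnel entry matches, ("backup", backup_name, None) otherwise, or ("drop", None, None)."""
        self.age_out(now)
        dst = ipaddress.IPv4Address(inner_dst)
        matches = [(net, peer) for (net, peer) in self.entries if dst in net]
        if matches:
            net, peer = max(matches, key=lambda m: m[0].prefixlen)   # longest match
            return ("tunnel", self.name, str(peer))
        if self.backup_interface is not None:
            return ("backup", self.backup_interface, None)
        return ("drop", None, None)

    def tunnel_table(self) -> list:
        """Rows in the columns of display gre p2mp tunnel-table: Dest Addr, Mask, Tunnel Dest Addr, Gre Key."""
        rows = sorted(self.entries.items(), key=lambda kv: int(kv[0][1]))
        return [(str(net.network_address), str(net.netmask), str(peer), v["key"])
                for (net, peer), v in rows]


def run_backup_scenario() -> tuple:
    """Firewall A: Tunnel0 (source 11.1.1.1, aging time 20 s, backup Tunnel1) learns an entry from
    Firewall C (11.1.1.3) when Host C pings Host A, then the A-C link goes down."""
    hq = P2mpTunnelInterface("Tunnel0", "11.1.1.1", 24, aging_time=20, backup_interface="Tunnel1")
    hq.receive(outer_src="11.1.1.3", inner_src="192.168.12.2", now=0)   # Host C's ping arrives
    learned = hq.tunnel_table()
    via_entry = hq.forward("192.168.12.2", now=5)     # entry present: out Tunnel0 to 11.1.1.3
    after_aging = hq.forward("192.168.12.2", now=30)  # no refresh for > 20 s: entry aged out
    return learned, via_entry, after_aging, hq.tunnel_table()


if __name__ == "__main__":
    for step in run_backup_scenario():
        print(step)
```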
Configuration procedure

1. Configure IP addresses and masks for interfaces according to Figure 55. (Details not shown.)
2. Configure Firewall A:

# Create a tunnel interface named Tunnel0 and configure an IP address for it.
system-view
[FirewallA] interface tunnel 0
[FirewallA-Tunnel0] ip address 192.168.22.1 255.255.255.0
# Configure the tunnel encapsulation mode of the tunnel interface Tunnel0 as P2MP GRE.
[FirewallC-Tunnel0] source 11.1.1.3
[FirewallC-Tunnel0] destination 11.1.1.1
# Set the GRE key of the tunnel interface Tunnel0 to 2.
[FirewallC-Tunnel0] gre key 2
[FirewallC-Tunnel0] quit
# Configure a static route to the headquarters network with the outgoing interface being the tunnel interface Tunnel0.
[FirewallC] ip route-static 172.17.17.0 255.255.255.0 tunnel 0

5. Verify the configuration:

# On Host B, specify Firewall C as the default gateway. Ping Host A from Host B. The ping operation succeeds.
Configuring tunneling

The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.

Tunneling can be configured only at the CLI.

Overview

Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel destination end.
Figure 56 IPv6 over IPv4 tunnel

The IPv6 over IPv4 tunnel processes packets as follows:
1. A host in the IPv6 network sends an IPv6 packet to Device A at the tunnel source.
2. After determining according to the routing table that the packet needs to be forwarded through the tunnel, Device A encapsulates the IPv6 packet with an IPv4 header and forwards it through the physical interface of the tunnel.
Tunnel type: Automatic tunnel
  Tunnel mode: Automatic IPv4-compatible IPv6 tunneling
    Tunnel source/destination address: The source IPv4 address is manually configured. The destination IPv6 address is automatically obtained.
    Tunnel interface address type: IPv4-compatible IPv6 address, in the format of ::IPv4-source-address/96
  Tunnel mode: 6to4 tunneling
    Tunnel source/destination address: The source IPv4 address is manually configured. The destination IPv4 address is automatically obtained.
As shown in Figure 57, 6to4 network Site 1 communicates with IPv6 network Site 3 over a 6to4 tunnel. A static route must be configured on the border router (Device A) in the 6to4 network and the next-hop address must be the 6to4 address of the 6to4 relay router (Device C). Device A forwards all packets destined for the IPv6 network over the 6to4 tunnel and Device C then forwards them to the IPv6 network.

Figure 57 Principle of 6to4 tunneling and 6to4 relay

4.
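How the automatic tunnel modes in the table above obtain their destination address, and how the 6to4 relay route just described selects the tunnel endpoint, as an added example in Python that is not part of the guide: the IPv4 address embedded in a 6to4 address (2002:WWXX:YYZZ::/48), an IPv4-compatible address (::W.X.Y.Z) or, going one step beyond the table, an ISATAP interface identifier (RFC 4214, listed in this chapter's standards) is extracted from the destination, or from the next hop when a route such as Device A's static route to the relay applies. The IPv4 addresses 1.1.1.1, 2.2.2.2 and 3.3.3.3 and the IPv6 destinations are constructed; the prefix arithmetic is standard.

```python
import ipaddress
from typing import Optional

SIXTO4 = ipaddress.IPv6Network("2002::/16")           # RFC 3056 prefix
V4_COMPAT = ipaddress.IPv6Network("::/96")            # IPv4-compatible IPv6 addresses
ISATAP_IDS = (0x00005EFE, 0x02005EFE)                 # upper 32 bits of an ISATAP interface ID


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48, the 6to4 site prefix derived from IPv4 address W.X.Y.Z."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def ipv4_compatible_address(ipv4: str) -> ipaddress.IPv6Address:
    """::W.X.Y.Z, the tunnel interface address type of an automatic IPv4-compatible IPv6 tunnel."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(ipv4)))


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """prefix::0:5EFE:W.X.Y.Z, an ISATAP address (private-scope interface ID form)."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | (0x00005EFE << 32)
                                 | int(ipaddress.IPv4Address(ipv4)))


def embedded_ipv4(ipv6) -> Optional[ipaddress.IPv4Address]:
    """The IPv4 tunnel destination carried inside an automatic-tunnel IPv6 address, or None."""
    addr = ipaddress.IPv6Address(ipv6)
    n = int(addr)
    if addr in SIXTO4:                                # bits 16..47 hold the IPv4 address
        return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if addr in V4_COMPAT:                             # low 32 bits hold the IPv4 address
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if (n >> 32) & 0xFFFFFFFF in ISATAP_IDS:          # interface ID 0:5EFE:W.X.Y.Z
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return None


def tunnel_endpoint(dest_ipv6, routes) -> Optional[ipaddress.IPv4Address]:
    """Longest-prefix match over routes [(IPv6Network, next_hop)]; a next hop of None means the
    destination itself carries the tunnel endpoint (the 6to4 case), otherwise the next hop does."""
    dst = ipaddress.IPv6Address(dest_ipv6)
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    return embedded_ipv4(best[1] if best[1] is not None else dst)


def device_a_endpoints() -> dict:
    """Device A, border router of a 6to4 site with IPv4 address 1.1.1.1 (constructed), reaches
    native IPv6 through relay Device C at 3.3.3.3 via a default route whose next hop is
    Device C's 6to4 address, and reaches other 6to4 sites directly through 2002::/16."""
    relay_next_hop = sixto4_prefix("3.3.3.3")[1]       # 2002:303:303::1, Device C's 6to4 address
    routes = [(SIXTO4, None), (ipaddress.IPv6Network("::/0"), relay_next_hop)]
    return {
        "site_prefix": str(sixto4_prefix("1.1.1.1")),
        "to_native_ipv6": str(tunnel_endpoint("2001:db8:3::1", routes)),       # via the relay
        "to_other_6to4_site": str(tunnel_endpoint("2002:202:202::5", routes)),  # direct, 2.2.2.2
    }


if __name__ == "__main__":
    print(device_a_endpoints())
```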
Figure 59 Principle of IPv4 over IPv4 tunneling

Packets traveling through a tunnel undergo encapsulation and de-encapsulation, as shown in Figure 59.
• Encapsulation:
   a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack.
   b. The IP protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface.
   c.
Figure 60 Principle of IPv4 over IPv6 tunneling The encapsulation and de-encapsulation processes illustrated in Figure 60 are described as follows: • Encapsulation: a. Upon receiving an IPv4 packet, Device A delivers it to the IPv4 protocol stack. b. The IPv4 protocol stack uses the destination address of the packet to determine the output interface. If the output interface is the tunnel interface, the IPv4 protocol stack delivers the packet to the tunnel interface. c.
Figure 61 DS-lite network diagram [figure: a subscriber network (DS-lite host, private IPv4 network, CPE), an ISP core IPv6 network carrying the DS-lite tunnel between the CPE and the AFTR, and the IPv4 Internet with IPv4 hosts]
As shown in Figure 61, a DS-lite network involves the following parts:
• Customer Premises Equipment (CPE): Resides at the customer's premise, connects the customer's network to an Internet Service Provider (ISP) network, and usually serves as the gateway of the customer's network.
Figure 62 Packet forwarding process in DS-lite When a gateway serves as the CPE, the changes of source and destination IP addresses and port numbers are illustrated in Figure 62. The entire process is summarized as follows:
• The CPE and AFTR encapsulate and de-encapsulate packets.
• The AFTR performs NAT.
When a host serves as the CPE, the process is similar and therefore is not shown.
Hardware: IPv6 over IPv6 tunneling compatible
Firewall module: Yes
U200-A: Yes
U200-S: No
IPv6 over IPv6 tunneling (RFC 2473) enables isolated IPv6 networks to communicate with each other over another IPv6 network. For example, two isolated IPv6 networks that do not want to show their addresses to the Internet can use an IPv6 over IPv6 tunnel to communicate with each other.
• RFC 3056, Connection of IPv6 Domains via IPv4 Clouds
• RFC 4214, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Tunneling configuration task list
Task: Configuring a tunnel interface. Remarks: N/A
Task: Configuring an IPv6 manual tunnel. Remarks: Optional. Use one as needed.
Task: Configuring an IPv6 over IPv4 tunnel (Configuring an automatic IPv4-compatible IPv6 tunnel, Configuring a 6to4 tunnel, Configuring an ISATAP tunnel). Remarks: Optional. Use one as needed.
Task: Configuring an IPv4 over IPv4 tunnel. Remarks: Optional.
4. Set the MTU of the tunnel interface.
   Command:
   • Set the MTU for IPv4 packets sent over the interface: mtu mtu-size
   • Set the MTU for IPv6 packets sent over the interface: ipv6 mtu mtu-size
   Remarks: Optional. Use either command as needed. By default, the MTU of the tunnel interface is 64000.
5. Set the intended bandwidth for the tunnel interface.
   Command: tunnel bandwidth bandwidth-value
6. Restore the default setting.
   Command: default
7. Shut down the tunnel interface.
   Command: shutdown
Configuration procedure
To configure an IPv6 manual tunnel:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable IPv6.
   Command: ipv6
   Remarks: By default, the IPv6 packet forwarding function is disabled.
3. Enter tunnel interface view.
   Command: interface tunnel number
   Remarks: N/A
4. Configure an IPv6 address for the tunnel interface.
   Command:
   • Configure a global unicast IPv6 address or a site-local address:
Figure 64 Network diagram Configuration procedure Make sure Firewall A and Firewall B can reach each other through IPv4. • Configure Firewall A: # Enable IPv6. system-view [FirewallA] ipv6 # Configure an IPv4 address for GigabitEthernet 0/2. [FirewallA] interface gigabitethernet 0/2 [FirewallA-GigabitEthernet0/2] ip address 192.168.100.1 255.255.255.0 [FirewallA-GigabitEthernet0/2] quit # Configure an IPv6 address for GigabitEthernet 0/1.
[FirewallB] interface tunnel 0 [FirewallB-Tunnel0] ipv6 address 3001::2/64 [FirewallB-Tunnel0] source gigabitethernet 0/2 [FirewallB-Tunnel0] destination 192.168.100.1 [FirewallB-Tunnel0] tunnel-protocol ipv6-ipv4 [FirewallB-Tunnel0] quit # Configure a static route to IPv6 Group 1 through Tunnel 0 on Firewall B. [FirewallB] ipv6 route-static 3002:: 64 tunnel 0 Verifying the configuration # Display the status of the tunnel interfaces on Firewall A and Firewall B, respectively.
... # Ping the IPv6 address of GigabitEthernet 0/1 at the peer end from Firewall A.
• No destination address needs to be configured for an automatic IPv4-compatible IPv6 tunnel, because the destination address of the tunnel is embedded in the destination IPv4-compatible IPv6 address of packets.
• The tunnel interfaces using the same encapsulation protocol cannot use the same source IP address.
Configuration procedure
To configure an automatic IPv4-compatible IPv6 tunnel:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
Figure 65 Network diagram Configuration procedure Before configuring an automatic IPv4-compatible IPv6 tunnel, make sure Firewall A and Firewall B can reach each other through IPv4. • Configure Firewall A: # Enable IPv6. system-view [FirewallA] ipv6 # Configure an IPv4 address for GigabitEthernet 0/1. [FirewallA] interface gigabitethernet 0/1 [FirewallA-GigabitEthernet0/1] ip address 192.168.100.1 255.255.255.
FF02::1:FFA8:6401 FF02::1:FF00:0 FF02::2 FF02::1 MTU is 1480 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: 65 ... [FirewallB-Tunnel0] display ipv6 interface tunnel 0 Tunnel0 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::C0A8:3201 Global unicast address(es): ::192.168.50.
Configuring a 6to4 tunnel
The following matrix shows the feature and hardware compatibility:
Hardware: 6to4 tunnel compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No
Configuration prerequisites
Configure an IP address for the interface (such as a VLAN interface, Ethernet interface, or loopback interface) to be configured as the source interface of the tunnel interface.
4. Configure an IPv6 address for the tunnel interface.
   Command:
   • Configure an IPv6 global unicast address or a site-local address: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } or ipv6 address ipv6-address/prefix-length eui-64
   • Configure an IPv6 link-local address: ipv6 address auto link-local or ipv6 address ipv6-address link-local
   Remarks: The IPv6 link-local address configuration is optional.
Configuration considerations To enable communication between 6to4 networks, configure 6to4 addresses for 6to4 firewalls and hosts in the 6to4 networks. • The IPv4 address of GigabitEthernet 0/2 on Firewall A is 2.1.1.1/24, and the corresponding 6to4 prefix is 2002:0201:0101::/48. Assign interface Tunnel 0 to subnet 2002:0201:0101::/64 and GigabitEthernet 0/1 to subnet 2002:0201:0101:1::/64. • The IPv4 address of GigabitEthernet 0/2 on Firewall B is 5.1.1.
# Configure a 6to4 tunnel. [FirewallB] interface tunnel 0 [FirewallB-Tunnel0] ipv6 address 2002:0501:0101::1/64 [FirewallB-Tunnel0] source gigabitethernet 0/2 [FirewallB-Tunnel0] tunnel-protocol ipv6-ipv4 6to4 [FirewallB-Tunnel0] quit # Configure a static route whose destination address is 2002::/16 and next-hop is the tunnel interface. [FirewallB] ipv6 route-static 2002:: 16 tunnel 0 Verifying the configuration # Ping either host from the other, and the ping operation succeeds.
Configuration procedure Make sure Firewall A and Firewall B can reach each other through IPv4. The configuration on a 6to4 relay firewall is similar to that on a 6to4 firewall. However, to enable communication between the 6to4 network and the IPv6 network, you must configure a route to the IPv6 network on the 6to4 firewall. • Configure Firewall A: # Enable IPv6. system-view [FirewallA] ipv6 # Configure an IPv4 address for GigabitEthernet 0/2.
# Configure a static route whose destination address is 2002::/16 and next-hop is the tunnel interface. [FirewallB] ipv6 route-static 2002:: 16 tunnel 0 Verifying the configuration # Ping Host B from Host A. The ping operation succeeds.
as the next hop of the route. For more configuration, see Network Management Configuration Guide.
• The automatic tunnel interfaces using the same encapsulation protocol cannot use the same source IP address.
Configuration procedure
To configure an ISATAP tunnel:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable IPv6.
   Command: ipv6
   Remarks: By default, the IPv6 forwarding function is disabled.
3. Enter tunnel interface view.
Figure 68 Network diagram Configuration procedure Make sure GigabitEthernet 0/1 on the ISATAP firewall and the ISATAP host can reach each other through IPv4. • Configure the firewall: # Enable IPv6. system-view [Firewall] ipv6 # Configure addresses for interfaces. [Firewall] interface gigabitethernet 0/2 [Firewall-GigabitEthernet0/2] ipv6 address 3001::1/64 [Firewall-GigabitEthernet0/2] quit [Firewall] interface gigabitethernet 0/1 [Firewall-GigabitEthernet0/1] ip address 1.1.1.1 255.0.
does not use Router Discovery routing preference 1 EUI-64 embedded IPv4 address: 0.0.0.0 router link-layer address: 0.0.0.0 preferred link-local fe80::5efe:2.1.1.2, life infinite link MTU 1280 (true link MTU 65515) current hop limit 128 reachable time 42500ms (base 30000ms) retransmission interval 1000ms DAD transmits 0 default site prefix length 48 # A link-local address (fe80::5efe:2.1.1.2) in the ISATAP format has been automatically generated for the ISATAP interface.
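The automatic tunnel types in this chapter all embed an IPv4 address somewhere inside an IPv6 address: the IPv4-compatible address ::IPv4-source-address/96, the 6to4 prefix 2002:WWXX:YYZZ::/48 derived from an IPv4 address such as 2.1.1.1, and the ISATAP link-local address fe80::5efe:a.b.c.d shown in the host output above. The following Python is an added example, not code from this guide or from HP: it derives and checks these formats with the standard ipaddress module, extracts the IPv4 tunnel destination the way each automatic tunnel mode does (6to4 from bits 16 to 47, IPv4-compatible and ISATAP from the low 32 bits; the function names and the tunnel_mode strings are the example's own), and flags IPv4-compatible addresses, which are the packets that the tunnel discard ipv4-compatible-packet command described under IPv6 over IPv6 tunneling drops.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix (RFC 3056)
ISATAP_IID_MARKER = 0x5EFE                    # 0000:5EFE interface-ID marker, as in fe80::5efe:a.b.c.d


def v6(text):
    """Small helper so callers can compare results against textual IPv6 addresses."""
    return ipaddress.IPv6Address(text)


def v6net(text):
    return ipaddress.IPv6Network(text)


def sixto4_prefix(ipv4_text):
    """Return the 2002:WWXX:YYZZ::/48 prefix that belongs to the IPv4 address W.X.Y.Z.

    Example from the 6to4 section: 2.1.1.1 -> 2002:0201:0101::/48.
    """
    v4 = int(ipaddress.IPv4Address(ipv4_text))
    base = ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80))  # IPv4 sits in bits 16..47
    return ipaddress.IPv6Network(f"{base}/48")


def sixto4_tunnel_destination(ipv6_text):
    """IPv4 address a 6to4 router extracts from a 6to4 destination, or None if not 6to4."""
    dst = v6(ipv6_text)
    if dst not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(dst) >> 80) & 0xFFFFFFFF)


def ipv4_compatible_address(ipv4_text):
    """::a.b.c.d/96, the address format of an automatic IPv4-compatible IPv6 tunnel interface."""
    v4 = int(ipaddress.IPv4Address(ipv4_text))
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(v4)}/96")


def is_ipv4_compatible(ipv6_text):
    """True for ::a.b.c.d addresses (excluding :: and ::1).

    These are the packets that 'tunnel discard ipv4-compatible-packet' drops on an
    IPv6 over IPv6 tunnel, because they would otherwise be auto-tunneled to the
    embedded IPv4 address.
    """
    addr = v6(ipv6_text)
    return (int(addr) >> 32) == 0 and not addr.is_unspecified and not addr.is_loopback


def isatap_link_local(ipv4_text):
    """fe80::5efe:a.b.c.d, the ISATAP link-local address generated for IPv4 address a.b.c.d."""
    v4 = int(ipaddress.IPv4Address(ipv4_text))
    return ipaddress.IPv6Address((0xFE80 << 112) | (ISATAP_IID_MARKER << 32) | v4)


def embedded_ipv4_low32(ipv6_text):
    """IPv4 address carried in the low 32 bits (IPv4-compatible and ISATAP addresses)."""
    return ipaddress.IPv4Address(int(v6(ipv6_text)) & 0xFFFFFFFF)


def automatic_tunnel_destination(tunnel_mode, ipv6_dst):
    """Where an automatic tunnel of the given mode sends the encapsulated packet.

    tunnel_mode strings are this example's own labels, not CLI keywords.
    """
    if tunnel_mode == "6to4":
        return sixto4_tunnel_destination(ipv6_dst)
    if tunnel_mode in ("ipv4-compatible", "isatap"):
        return embedded_ipv4_low32(ipv6_dst)
    raise ValueError(f"unknown automatic tunnel mode: {tunnel_mode}")


if __name__ == "__main__":
    print(sixto4_prefix("2.1.1.1"))                       # 2002:201:101::/48
    print(sixto4_tunnel_destination("2002:0501:0101::1"))  # 5.1.1.1
    print(isatap_link_local("2.1.1.2"))                    # fe80::5efe:201:102
    print(is_ipv4_compatible("::192.168.50.1"))            # True
```

Note that Python prints the ISATAP and IPv4-compatible addresses in plain hexadecimal groups (fe80::5efe:201:102 rather than fe80::5efe:2.1.1.2); the values are identical and compare equal.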
Minimum = 1ms, Maximum = 1ms, Average = 1ms Verifying the configuration After the configuration, the ISATAP host can access the host in the IPv6 network. Configuring an IPv4 over IPv4 tunnel Configuration prerequisites Configure an IP address for the interface (such as a VLAN interface, Ethernet interface, or loopback interface) to be configured as the source interface of the tunnel interface.
5. Configure a source address or interface for the tunnel interface.
   Command: source { ip-address | interface-type interface-number }
   Remarks: By default, no source address or interface is configured for the tunnel.
6. Configure a destination address for the tunnel interface.
   Command: destination ip-address
   Remarks: By default, no destination address is configured for the tunnel.
# Configure the destination address for interface Tunnel 1 (IP address of GigabitEthernet 0/2 of Firewall B). [FirewallA-Tunnel1] destination 3.1.1.1 [FirewallA-Tunnel1] quit # Configure a static route destined for the IP network Group 2 through interface Tunnel 1. [FirewallA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1 • Configure Firewall B: # Configure an IPv4 address for GigabitEthernet 0/1.
Last 300 seconds output: 4 packets input, 2 bytes/sec, 0 packets/sec 256 bytes 0 input error 12 packets output, 768 bytes 0 output error [FirewallB] display interface tunnel 2 Tunnel2 current state: UP Line protocol current state: UP Description: Tunnel2 Interface The Maximum Transmit Unit is 64000 Internet Address is 10.1.2.2/24 Primary Encapsulation is TUNNEL, service-loopback-group ID not set Tunnel source 3.1.1.1, destination 2.1.1.
Hardware: IPv4 over IPv6 manual tunnel compatible
Firewall module: Yes
U200-A: Yes
U200-S: No
Configuration prerequisites
Configure an IPv6 address for the interface (such as a VLAN interface, Ethernet interface, or loopback interface) to be configured as the source interface of the tunnel interface.
7. Configure the destination address for the tunnel interface.
   Command: destination ipv6-address
   Remarks: By default, no destination address is configured for the tunnel.
Configuration example
Network requirements
As shown in Figure 70, configure an IPv4 over IPv6 manual tunnel between Firewall A and Firewall B so the two IPv4 networks can reach each other over the IPv6 network.
[FirewallA-Tunnel1] destination 2002::2:1 [FirewallA-Tunnel1] quit # Configure a static route from Firewall A through interface Tunnel 1 to Group 2. [FirewallA] ip route-static 30.1.3.0 255.255.255.0 tunnel 1 • Configure Firewall B: # Enable IPv6. system-view [FirewallB] ipv6 # Configure an IPv4 address for GigabitEthernet 0/1. [FirewallB] interface gigabitethernet 0/1 [FirewallB-GigabitEthernet0/1] ip address 30.1.3.1 255.255.255.
Last 300 seconds output: 152 packets input, 0 bytes/sec, 0 packets/sec 9728 bytes 0 input error 168 packets output, 10752 bytes 0 output error [FirewallB] display interface tunnel 2 Tunnel2 current state: UP Line protocol current state: UP Description: Tunnel2 Interface The Maximum Transmit Unit is 64000 Internet Address is 30.1.2.
Hardware: DS-lite tunnel compatible
Firewall module: Yes
U200-A: Yes
U200-S: No
The following section describes the DS-lite tunnel configuration on the CPE and on the AFTR.
Configuration prerequisites
Configure IPv6 addresses for interfaces (such as the VLAN interface, Ethernet interface, and loopback interface). One of the interfaces is used as the source interface of the tunnel.
4. Configure an IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: By default, no IPv4 address is configured for the tunnel interface.
5. Specify the DS-lite CPE tunnel mode.
   Command: tunnel-protocol ipv4-ipv6 dslite-cpe
   Remarks: The default tunnel mode is GRE over IPv4 mode. The tunnel mode at the other end of the tunnel should be DS-lite AFTR.
6. Configure the source interface for the tunnel interface.
   Command: source interface-type interface-number
Configuration example Network requirements As shown in Figure 71, a private IPv4 network and a public IPv4 network are separated by an IPv6 network. Build a DS-lite tunnel between CPE (Firewall A) and AFTR (Firewall B) and configure NAT on AFTR's interface connecting to the public IPv4 network, so that hosts in the private IPv4 network can access the public IPv4 network and hosts from different private IPv4 networks can use the same IPv4 addresses.
# Configure a source interface for Tunnel 1. [FirewallA-Tunnel1] source gigabitethernet 0/2 [FirewallA-Tunnel1] quit # Configure a static route to the public IPv4 network. [FirewallA] ip route-static 20.1.1.0 255.255.255.0 tunnel 1 • Configure Firewall B (the AFTR): # Enable IPv6. system-view [FirewallB] ipv6 # Configure an IPv6 address for interface GigabitEthernet 0/1 (the physical interface of the tunnel).
# Configure the IPv6 address of interface GigabitEthernet 0/1. [FirewallC] interface gigabitethernet 0/1 [FirewallC-GigabitEthernet0/1] ipv6 address 1::3 64 # Apply address pool 1 to the interface.
# Ping the IPv4 host on the public network from the IPv4 host on the private network: [FirewallA] ping -a 10.0.0.2 20.1.1.2 PING 20.1.1.2: 56 data bytes, press CTRL_C to break Reply from 20.1.1.2: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 20.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 20.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 20.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 20.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms --- 20.1.1.
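The DS-lite forwarding process summarized with Figure 62 (the CPE and AFTR encapsulate and de-encapsulate, the AFTR performs NAT) has one property worth seeing explicitly: because the AFTR keys its NAT state on the tunnel source IPv6 address as well as on the private IPv4 address and port, two subscribers can both use 10.0.0.2 behind different CPEs, which is the requirement stated in the configuration example above. The following Python model is an added example, not code from this guide or from HP. The packet classes, the port-allocation policy, and the addresses 2001:db8::a, 2001:db8::b and 2001:db8::ff are constructed for the example; the public address 20.1.1.1, the destination 20.1.1.2 and the private host 10.0.0.2 are taken from the example above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ipv4Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ipv4InIpv6:
    """An IPv4 packet carried inside an IPv6 header: the DS-lite tunnel encapsulation."""
    outer_src: str
    outer_dst: str
    inner: Ipv4Packet


class Cpe:
    """Customer premises equipment: one end of the DS-lite tunnel, no NAT of its own."""

    def __init__(self, v6_address, aftr_v6_address):
        self.v6 = v6_address
        self.aftr = aftr_v6_address

    def to_tunnel(self, pkt):
        return Ipv4InIpv6(self.v6, self.aftr, pkt)

    def from_tunnel(self, encap):
        # Only accept traffic that is addressed to this CPE and comes from its AFTR.
        if encap.outer_dst != self.v6 or encap.outer_src != self.aftr:
            raise ValueError("tunnel packet not from my AFTR")
        return encap.inner


class Aftr:
    """Address Family Transition Router: tunnel endpoint plus NAT44 towards the Internet."""

    def __init__(self, v6_address, public_ipv4, first_port=1024):
        self.v6 = v6_address
        self.public = public_ipv4
        self.next_port = first_port  # constructed policy: hand out ports sequentially
        self.by_subscriber = {}      # (cpe v6, private src, sport) -> public port
        self.by_public_port = {}     # public port -> (cpe v6, private src, sport)

    def to_internet(self, encap):
        """De-encapsulate, then translate the private source to the public address/port."""
        if encap.outer_dst != self.v6:
            raise ValueError("tunnel packet not addressed to this AFTR")
        inner = encap.inner
        # The tunnel source is part of the key: overlapping private addresses stay distinct.
        key = (encap.outer_src, inner.src, inner.sport)
        port = self.by_subscriber.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_subscriber[key] = port
            self.by_public_port[port] = key
        return Ipv4Packet(self.public, inner.dst, port, inner.dport)

    def from_internet(self, pkt):
        """Reverse-translate a reply and encapsulate it towards the right CPE; None if unsolicited."""
        if pkt.dst != self.public:
            return None
        key = self.by_public_port.get(pkt.dport)
        if key is None:
            return None  # no mapping: unsolicited inbound traffic is dropped
        cpe_v6, private_src, sport = key
        inner = Ipv4Packet(pkt.src, private_src, pkt.sport, sport)
        return Ipv4InIpv6(self.v6, cpe_v6, inner)


def demo():
    """Two subscribers with the same private host address reach 20.1.1.2 through one AFTR."""
    aftr = Aftr("2001:db8::ff", "20.1.1.1")
    cpe_a = Cpe("2001:db8::a", aftr.v6)
    cpe_b = Cpe("2001:db8::b", aftr.v6)
    host_a = Ipv4Packet("10.0.0.2", "20.1.1.2", 40000, 53)
    host_b = Ipv4Packet("10.0.0.2", "20.1.1.2", 40000, 53)  # identical 5-tuple, other CPE
    out_a = aftr.to_internet(cpe_a.to_tunnel(host_a))
    out_b = aftr.to_internet(cpe_b.to_tunnel(host_b))
    reply_to_a = Ipv4Packet("20.1.1.2", out_a.src, 53, out_a.sport)
    back_a = cpe_a.from_tunnel(aftr.from_internet(reply_to_a))
    return out_a, out_b, back_a


if __name__ == "__main__":
    for p in demo():
        print(p)
```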
• The IPv6 address of the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interface. • The destination address of the route passing the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interface. • Two or more tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
9. Return to system view.
   Command: quit
   Remarks: N/A
10. Enable dropping of IPv6 packets using IPv4-compatible IPv6 addresses.
   Command: tunnel discard ipv4-compatible-packet
   Remarks: Optional. The default setting is disabled.
Configuration example
Network requirements
As shown in Figure 72, configure an IPv6 over IPv6 tunnel between Firewall A and Firewall B so the two IPv6 networks can reach each other without disclosing their IPv6 addresses.
# Configure a destination address for interface Tunnel 1 (IP address of GigabitEthernet 0/2 of Firewall B). [FirewallA-Tunnel1] destination 2002::22:1 [FirewallA-Tunnel1] quit # Configure a static route destined for the IPv6 network Group 2 through interface Tunnel 1. [FirewallA] ipv6 route-static 2002:3:: 64 tunnel 1 • Configure Firewall B: # Enable IPv6. system-view [FirewallB] ipv6 # Configure an IPv6 address for GigabitEthernet 0/1.
FF02::1 MTU is 1460 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: ...
Displaying and maintaining tunneling configuration
Task: Display information about tunnel interfaces.
   Command: display interface [ tunnel ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
   Command: display interface tunnel number [ brief ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display IPv6 information on tunnel interfaces.
Configuring IKE
Overview
Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically. Instead of transmitting keys directly across a network, IKE peers exchange keying materials, and each peer calculates the shared keys itself.
2. Phase 2—Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec SAs. Figure 73 IKE exchange process in main mode As shown in Figure 73, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the security policy. • Key exchange—Used for exchanging the DH public value and other values like the random number. Key data is generated in this stage.
Relationship between IKE and IPsec Figure 74 Relationship between IKE and IPsec Figure 74 illustrates the relationship between IKE and IPsec: • IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec. • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec. • IPsec uses the SAs set up through IKE negotiation for encryption and authentication of IP packets.
2. Configuring an IKE proposal
   Remarks: Required when IKE peers need to specify an IKE proposal. An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You may create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number, and the smaller the sequence number, the higher the preference. Two peers must have at least one pair of matched IKE proposals for successful IKE negotiation.
Figure 75 IKE global configuration page 2. Configure global IKE parameters, as described in Table 5. 3. Click Apply. Table 5 Configuration items
IKE Local Name: Enter a name for the local security gateway. If the local device acts as the IKE negotiation initiator and uses the ID type of FQDN or the user FQDN of the security gateway for IKE negotiation, you must configure this parameter on the local device.
Figure 77 Adding an IKE proposal 3. Configure the IKE proposal parameters, as described in Table 6. 4. Click Apply. Table 6 Configuration items
IKE Proposal Number: Enter the IKE proposal number. The number also stands for the priority of the IKE proposal, with a smaller value meaning a higher priority. During IKE negotiation, the system matches IKE proposals in order of proposal number, starting from the smallest one.
SA Lifetime: Enter the ISAKMP SA lifetime of the IKE proposal. Before an SA expires, IKE negotiates a new SA. As soon as the new SA is set up, it takes effect immediately and the old one is cleared automatically when it expires. IMPORTANT: If the SA lifetime expires, the system automatically updates the ISAKMP SA. DH calculation in IKE negotiation takes time, especially on low-end devices.
Figure 80 IKE peer list 2. Click Add to enter the IKE peer configuration page. Figure 81 Adding an IKE peer 3. Configure the IKE peer parameters, as described in Table 8. 4. Click Apply. Table 8 Configuration items
Peer Name: Enter a name for the IKE peer.
IKE Negotiation Mode: Select the IKE negotiation mode in phase 1, which can be Main or Aggressive. IMPORTANT:
• If you configure one end of an IPsec tunnel to obtain an IP address dynamically, the IKE negotiation mode must be Aggressive. In this case, SAs can be established as long as the username and password are correct.
• The specified negotiation mode is used when the local peer is the negotiation initiator. When acting as the responder, the negotiation mode of the initiator is used.
Pre-Shared Key: To use the authentication method of pre-shared key, select Pre-Shared Key and enter consistent pre-shared keys in the Key and Confirm Key fields. To use the authentication method of RSA signature, select PKI Domain and then select the PKI domain to which the certificate belongs in the following list. Available PKI domains are those configured on the page you enter by selecting VPN > Certificate Manager > Domain from the navigation tree.
Flag: Status of the SA. Possible values include:
• RD—Ready. The SA has already been established and is ready for use.
• ST—Stayalive. The local end is the tunnel negotiation initiator.
• RL—Replaced. The tunnel has been replaced and will be cleared soon.
• FD—Fading. The soft lifetime expires but the tunnel is still in use. The tunnel will be deleted when the hard lifetime expires.
• TO—Timeout. The SA has received no keepalive packets after the last keepalive timeout.
d. Click Apply. Figure 84 Creating ACL 3101 3. Create a rule for ACL 3101 to allow packets from subnet 10.1.1.0/24 to subnet 10.1.2.0/24: a. From the ACL list, click the icon for ACL 3101. b. Click Add. c. Select Permit from the Operation list. Select the Source IP Address box and enter 10.1.1.0 and 0.0.0.255 as the source subnet address and mask, respectively. Select the Destination IP Address box and enter 10.1.2.0 and 0.0.0.255 as the destination subnet address and mask, respectively. d.
b. Click Add. c. Enter the peer name peer. Select the negotiation mode Main. Enter the remote gateway IP address 2.2.2.2. Select Pre-Shared Key and enter the pre-shared key abcde in the Key and Confirm Key fields. d. Click Apply. Figure 86 Configuring an IKE peer named peer 5. Create an IKE proposal numbered 10: a. Select VPN > IKE > Proposal from the navigation tree. b. Click Add. c.
Figure 87 Creating an IKE proposal numbered 10 6. Create an IPsec proposal named tran1: a. Select VPN > IPSec > Proposal from the navigation tree. b. Click Add. c. From the IPSec Proposal Configuration Wizard page, select Custom mode. d. Enter the IPsec proposal name tran1, and select the packet encapsulation mode Tunnel, security protocol ESP, authentication algorithm SHA1, and encryption algorithm DES. e. Click Apply. Figure 88 Creating an IPsec proposal named tran1 7.
Figure 89 Creating an IPsec proposal named map1 8. Apply the IPsec policy to interface GigabitEthernet 0/1: a. Select VPN > IPSec > IPSec Application from the navigation tree. b. Click the icon for interface GigabitEthernet0/1. c. Select policy map1. d. Click Apply. Figure 90 Applying the IPsec policy to interface GigabitEthernet 0/1 9. Configure a static route to Host B: a.
c. Enter 10.1.2.0 as the destination IP address, select 255.255.255.0 from the mask list, and enter 2.2.2.2 as the next hop. d. Click Apply. Figure 91 Configuring a static route to Host B Configuring Device B 1. Configure interface IP addresses and assign interfaces to security zones. (Details not shown.) 2. Create ACL 3101. a. Select Firewall > ACL from the navigation tree. b. Click Add. c. Enter the ACL number 3101, and select the match order Config. d. Click Apply. 3.
d. Enter the IPsec proposal name tran1, and select the packet encapsulation mode Tunnel, security protocol ESP, authentication algorithm SHA1, and encryption algorithm DES. e. Click Apply. 6. Create an IPsec policy named map1: a. Select VPN > IPSec > Policy from the navigation tree. b. Click Add. c. Enter the IPsec policy name map1. Enter the sequence number 10. Select the IKE peer peer. Select the IPsec proposal tran1 from the Available Proposal list, and click <<. Enter the ACL number 3101. d.
Task: Configuring an IKE proposal. Remarks: Required if you want to specify an IKE proposal for an IKE peer to reference.
Task: Configuring an IKE peer. Remarks: Required.
Task: Setting keepalive timers. Remarks: Optional.
Task: Setting the NAT keepalive timer. Remarks: Optional.
Task: Configuring a DPD detector. Remarks: Optional.
Task: Disabling next payload field checking. Remarks: Optional.
2. Create an IKE proposal and enter its view.
   Command: ike proposal proposal-number
   Remarks: N/A
3. Specify an encryption algorithm for the IKE proposal.
   Command: encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }
   Remarks: Optional. In non-FIPS mode, the default is 56-bit DES.
4. Specify an authentication method for the IKE proposal.
   Command: authentication-method { pre-share | rsa-signature }
5. Specify an authentication algorithm for the IKE proposal.
   Command: authentication-algorithm { md5 | sha }
If you do not specify any IKE proposals, the local end initiates IKE negotiation by using the following guidelines:
• If the IKE negotiation mode in phase 1 is main, the local end sends the first 100 supported IKE proposals to the remote end for IKE negotiation.
• If the IKE negotiation mode in phase 1 is aggressive, the local end sends the IKE proposal with the smallest sequence number to the remote end for IKE negotiation.
6. Select the ID type for IKE negotiation phase 1.
   Command: id-type { ip | name | user-fqdn }
   Remarks: Optional. By default, the ID type is IP.
7. Configure a name for the local security gateway.
   Command: local-name name
   Remarks: Optional. By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used.
8. Specify the name of the remote security gateway.
   Remarks: Optional.
9.
NOTE: After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail. Setting keepalive timers IKE maintains the link status of an ISAKMP SA by keepalive packets. Generally, if the peer is configured with the keepalive timeout, you must configure the keepalive packet transmission interval on the local end.
3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello. 4. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA. DPD enables an IKE entity to check the liveliness of its peer only when necessary.
Task: Display IKE proposal information.
   Command: display ike proposal [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Clear SAs established by IKE.
   Command: reset ike sa [ connection-id | active | standby ]
   Remarks: Available in user view.
# Create IKE peer peer. [FirewallA] ike peer peer # Set the pre-shared key. [FirewallA-ike-peer-peer] pre-shared-key abcde # Specify the IP address of the peer security gateway. [FirewallA-ike-peer-peer] remote-address 2.2.2.2 [FirewallA-ike-peer-peer] quit # Create an IKE proposal numbered 10. [FirewallA] ike proposal 10 # Set the authentication algorithm to MD5. [FirewallA-ike-proposal-10] authentication-algorithm md5 # Set the authentication method to pre-shared key.
# Set the packet encapsulation mode to tunnel. [FirewallB-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use security protocol ESP. [FirewallB-ipsec-transform-set-tran1] transform esp # Specify encryption and authentication algorithms. [FirewallB-ipsec-transform-set-tran1] esp encryption-algorithm des [FirewallB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [FirewallB-ipsec-transform-set-tran1] quit # Create IKE peer peer. [FirewallB] ike peer peer # Set the pre-shared key.
method algorithm algorithm group (seconds) --------------------------------------------------------------------------default PRE_SHARED SHA DES_CBC MODP_768 86400 Firewall A and Firewall B have only one pair of matching IKE proposals. Matching IKE proposals do not necessarily use the same ISAKMP SA lifetime setting. # Send traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. Firewall A starts IKE negotiation with Firewall B when receiving the first packet.
anti-replay window size: 32 udp encapsulation used for nat traversal: N [outbound ESP SAs] spi: 89389742 (0x553faae) transform-set: ESP-ENCRYPT-DES ESP-AUTH-SHA1 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3590 max sequence-number sent: 5 udp encapsulation used for nat traversal: N Configuring aggressive mode IKE with NAT traversal Network requirements As shown in Figure 93, the branch and the headquarters connect to an ATM network through a router a
[Firewall-ike-proposal-1] authentication-algorithm sha [Firewall-ike-proposal-1] authentication-method pre-share [Firewall-ike-proposal-1] encryption-algorithm 3des-cbc [Firewall-ike-proposal-1] dh group2 # Configure an IKE peer.
[Router-acl-adv-3101] rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255 [Router-acl-adv-3101] quit # Configure an IKE proposal. [Router] ike proposal 1 [Router-ike-proposal-1] authentication-algorithm sha [Router-ike-proposal-1] authentication-method pre-share [Router-ike-proposal-1] encryption-algorithm 3des-cbc [Router-ike-proposal-1] dh group2 # Configure an IKE peer.
[Router-Dialer0] quit # Configure a static route to the headquarters LAN. [Router] ip route-static 172.16.0.0 255.255.255.0 dialer 0 # Configure interface GigabitEthernet 0/1. [Router] interface gigabitethernet 0/1 [Router-GigabitEthernet0/1] tcp mss 1450 [Router-GigabitEthernet0/1] ip address 192.168.0.1 255.255.255.0 [Router-GigabitEthernet0/1] quit # Create a virtual Ethernet interface, and create a PPPoE session that uses dialer bundle 1 on the interface.
Analysis The following is the debugging information:
got NOTIFY of type NO_PROPOSAL_CHOSEN
Or
drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN
The two parties in the negotiation have no matched proposals. Solution For the negotiation in phase 1, look up the IKE proposals for a match.
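Three statements in this chapter decide whether phase 1 succeeds: proposals are matched in order of proposal number starting from the smallest; in main mode the initiator offers its first 100 proposals, in aggressive mode only the one with the smallest number; and matching proposals need not share an ISAKMP SA lifetime. The Python below is an added example, not code from this guide or from HP, that models these rules so that a NO_PROPOSAL_CHOSEN failure can be reproduced and explained from the two peers' configurations. The IkeProposal fields mirror the encryption-algorithm, authentication-method, authentication-algorithm and dh commands; the number assigned to the built-in "default" proposal (whose attributes come from the display ike proposal output above) and the responder's tie-breaking order are this example's assumptions.

```python
from dataclasses import dataclass

MAIN_MODE_MAX_OFFERED = 100  # first 100 proposals are sent in main mode


@dataclass(frozen=True)
class IkeProposal:
    number: int            # proposal number, smaller = higher priority
    encryption: str        # des-cbc | 3des-cbc | aes-cbc
    auth_method: str       # pre-share | rsa-signature
    auth_algorithm: str    # md5 | sha
    dh_group: str          # group1 | group2 | ...
    sa_lifetime: int = 86400

    def matching_attributes(self):
        # Lifetime is deliberately excluded: peers may match with different lifetimes.
        return (self.encryption, self.auth_method, self.auth_algorithm, self.dh_group)


# Attributes of the system default proposal as shown by display ike proposal
# (PRE_SHARED SHA DES_CBC MODP_768 86400). Its number 65535 is an assumption of this
# example so that it always sorts after user-defined proposals.
DEFAULT_PROPOSAL = IkeProposal(65535, "des-cbc", "pre-share", "sha", "group1")

MATCHED_FIELDS = ("encryption", "auth_method", "auth_algorithm", "dh_group")


def proposals_to_send(local, mode):
    """Which of the initiator's proposals go on the wire in the given phase 1 mode."""
    ordered = sorted(local, key=lambda p: p.number)
    if mode == "main":
        return ordered[:MAIN_MODE_MAX_OFFERED]
    if mode == "aggressive":
        return ordered[:1]
    raise ValueError(f"unknown IKE phase 1 mode: {mode}")


def responder_choice(offered, local):
    """Walk the responder's proposals by number; return the first whose attributes are offered."""
    for lp in sorted(local, key=lambda p: p.number):
        for op in offered:
            if lp.matching_attributes() == op.matching_attributes():
                return lp
    return None


def mismatch_report(offered, local):
    """For troubleshooting: which attributes differ between each offered and each local proposal."""
    report = []
    for op in offered:
        for lp in local:
            diffs = [f for f in MATCHED_FIELDS if getattr(op, f) != getattr(lp, f)]
            report.append((op.number, lp.number, diffs))
    return report


def negotiate_phase1(initiator, responder, mode):
    """Simulate the proposal part of phase 1 and explain the outcome."""
    offered = proposals_to_send(initiator, mode)
    chosen = responder_choice(offered, responder)
    if chosen is not None:
        return {"result": "OK", "proposal": chosen.number,
                "offered": [p.number for p in offered]}
    return {"result": "NO_PROPOSAL_CHOSEN",
            "offered": [p.number for p in offered],
            "mismatches": mismatch_report(offered, responder)}


# Constructed peer configurations (not the guide's example devices).
FIREWALL_A = [IkeProposal(10, "aes-cbc", "pre-share", "sha", "group2"), DEFAULT_PROPOSAL]
FIREWALL_B = [IkeProposal(1, "3des-cbc", "pre-share", "sha", "group2"),
              IkeProposal(5, "des-cbc", "pre-share", "sha", "group1", sa_lifetime=3600)]

if __name__ == "__main__":
    print(negotiate_phase1(FIREWALL_A, FIREWALL_B, "main"))        # OK via proposal 5
    print(negotiate_phase1(FIREWALL_A, FIREWALL_B, "aggressive"))  # NO_PROPOSAL_CHOSEN
```

The two runs at the bottom show the practical consequence: the same pair of configurations succeeds in main mode (Firewall A's default proposal matches Firewall B's proposal 5 even though the lifetimes differ) and fails in aggressive mode, because only Firewall A's proposal 10 is offered and nothing on Firewall B has the same attributes.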
Solution When a device has multiple peers, configure ACLs on the device to distinguish the different data flows and try to avoid configuring overlapping ACL rules for different peers. If overlap is unavoidable, give the more specific subrules the higher preference.
Configuring IPsec
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
Overview
IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints.
Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH. Figure 94 shows the format of IPsec packets. Security association A security association is an agreement negotiated between two communicating parties called IPsec peers.
Authentication algorithms and encryption algorithms • Authentication algorithms: IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact.
• Flexible service application—You can apply a service such as NAT or QoS to packets before or after they are encrypted by IPsec. To handle packets prior to IPsec encryption, apply the service to the IPsec tunnel interface. To handle IPsec encrypted packets, apply the service to the physical outbound interface.
Operation of the IPsec tunnel interface
IPsec encapsulation and de-encapsulation occur on IPsec tunnel interfaces.
6. Identifying that the destination address of the packet is the tunnel interface and the protocol is AH or ESP, the forwarding module forwards the packet to the IPsec tunnel interface for de-encapsulation.
7. The IPsec tunnel interface de-encapsulates the packet, and then delivers the resulting clear text packet back to the forwarding module.
8.
Figure 97 An IPsec VPN
You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced or stateful failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local gateway.
Figure 98 IPsec stateful failover (Device A as master and Device B as backup in virtual router 1 toward the LAN and virtual router 2 toward the Internet, joined by a failover link; IPsec tunnel to Device C)
As shown in Figure 98, Device A and Device B form an IPsec stateful failover system and Device A is elected the master in the VRRP group. When Device A works normally, it establishes an IPsec tunnel to Device C, and synchronizes its IPsec service data to Device B.
If you enable both IPsec and QoS on an interface, traffic of an IPsec SA may be put into different queues by QoS, causing some packets to be sent out of order. Because IPsec performs anti-replay checking, inbound packets that fall outside the anti-replay window are discarded, resulting in packet loss. When using IPsec together with QoS, make sure that they use the same classification rules. IPsec classification rules depend on the referenced ACL rules.
Step 4. Configuring an IPsec policy
Remarks: Required. Configure an IPsec policy by specifying the parameters directly or using a created IPsec policy template. The device supports only IPsec policies that use IKE.
Configuring an IPsec policy
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. The smaller the sequence number, the higher the priority of the IPsec policy in the policy group.
Figure 99 An ACL referenced in an IPsec policy
• In the outbound direction, if a permit statement is matched, IPsec considers the packet as requiring protection and continues to process it. If a deny statement is matched or no match is found, IPsec considers the packet as not requiring protection and delivers it to the next function module.
• In the inbound direction, if the packet is an IPsec packet and matches a permit statement, IPsec receives and processes the packet.
Figure 100 ACL 3000 configuration on Device A
Figure 101 ACL 3001 configuration on Device A
Figure 102 IPsec policy configuration on Device A
The configurations on Device B are shown in Figure 103 and Figure 104.
Figure 104 IPsec policy configuration on Device B
Mirror image ACLs
To make sure that SAs can be set up and the traffic protected by IPsec locally can be processed correctly at the remote peer, on the remote peer, create a mirror image ACL rule for each ACL rule created at the local peer. As shown in Figure 126, ACL rules on Device B are mirror images of the rules on Device A.
Figure 106 Non-mirror image ACLs
Protection modes
Data flows can be protected in two modes:
• Standard mode, in which one tunnel is used to protect one data flow. The data flow permitted by each ACL rule is protected by one tunnel that is established separately for it.
• Aggregation mode, in which one tunnel is used to protect all data flows permitted by all the rules of an ACL. This mode applies to only scenarios that use IKE for negotiation.
3. Click Suite mode to configure an IPsec proposal that uses a pre-defined encryption suite.
Figure 109 IPsec proposal configuration in suite mode
4. Enter a name for the IPsec proposal.
5. Select an encryption suite for the proposal. An encryption suite specifies the IP packet encapsulation mode, security protocol, and authentication and encryption algorithms to be used.
Table 10 Configuration items in custom mode
Proposal Name: Enter a name for the IPsec proposal.
Encapsulation Mode: Select an IP packet encapsulation mode for the IPsec proposal. Options include:
• Tunnel—Uses the tunnel mode.
• Transport—Uses the transport mode.
Security Protocol: Select a security protocol setting for the proposal. Options include:
• AH—Uses the AH protocol.
• ESP—Uses the ESP protocol.
• AH-ESP—Uses ESP first and then AH.
Figure 111 IPsec policy template list
2. Click Add to enter the IPsec policy template configuration page.
Figure 112 IPsec policy template configuration page
3. Configure an IPsec policy template, as described in Table 11.
4. Click Apply.
Table 11 Configuration items
Template Name: Enter a name for the IPsec policy template.
Sequence Number: Enter a sequence number for the IPsec policy template. In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.
IKE Peer: Select an IKE peer for the IPsec policy template. You configure IKE peers by selecting VPN > IKE > Peer from the navigation tree.
Select up to six IPsec proposals for the IPsec policy template.
Next Hop: Specify a next hop for the static routes. If you do not specify any next hop, the remote tunnel endpoint's address learned during IPsec SA negotiation is used.
Priority: Change the preference of the static routes. Change the route preference for equal-cost multipath routing or route backup. If multiple routes to the same destination have the same preference, traffic is balanced among them.
Figure 114 IPsec policy configuration page
3. Configure an IPsec policy, as described in Table 12.
4. Click Apply.
Table 12 Configuration items
Policy Name: Enter a name for the IPsec policy.
Sequence Number: Enter a sequence number for the IPsec policy. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
Select an IPsec policy template.
IPSec Proposal: Select up to six IPsec proposals for the IPsec policy. IPsec SAs can be set up only when the IPsec peers have at least one matching IPsec proposal. If no matching IPsec proposal is available, the IPsec SAs cannot be established and the packets that need to be protected are discarded.
Enable and configure the PFS feature or disable the feature. Options include:
• dh-group1—Uses the 768-bit Diffie-Hellman group.
• dh-group2—Uses the 1024-bit Diffie-Hellman group.
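The proposal-matching rule stated in the IPSec Proposal row (and the NO_PROPOSAL_CHOSEN analysis earlier on this page) is easy to reproduce outside the device. The following is an added example, not code from the HP guide: it compares two peers' proposal lists attribute by attribute, using the Table 10 items (encapsulation mode, security protocol, authentication and encryption algorithm) and constructed sample proposals named after the tran1/use1 objects in the configuration examples. The class and function names are this example's own.

```python
"""Added example (not from the HP guide): finding a matching IPsec proposal
between two peers, and explaining why none matches.

An IPsec SA is set up only if at least one proposal on each side agrees on
every attribute; when no pair agrees, the responder sends a
NO_PROPOSAL_CHOSEN notification. The same comparison applies to IKE
phase-1 proposals, only the attribute set differs.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IpsecProposal:
    name: str
    encapsulation: str          # "tunnel" or "transport"
    protocol: str               # "ah", "esp" or "ah-esp"
    auth: str                   # "md5" or "sha1"
    encryption: Optional[str]   # None for AH-only proposals

    def attributes(self):
        return (self.encapsulation, self.protocol, self.auth, self.encryption)


def first_matching_proposal(local, remote):
    """Return (local_name, remote_name) for the first local proposal (list
    order is priority order) that has an identical remote counterpart, or
    None when the peers share no proposal."""
    remote_by_attrs = {}
    for p in remote:
        remote_by_attrs.setdefault(p.attributes(), p.name)
    for p in local:
        hit = remote_by_attrs.get(p.attributes())
        if hit is not None:
            return (p.name, hit)
    return None


def explain_mismatch(local, remote):
    """For every local/remote pair, list the attributes that differ. An
    empty list for a pair means that pair matches."""
    fields = ("encapsulation", "protocol", "auth", "encryption")
    report = []
    for lp in local:
        for rp in remote:
            diffs = [f for f in fields if getattr(lp, f) != getattr(rp, f)]
            report.append((lp.name, rp.name, diffs))
    return report


# Constructed sample data: Device A offers two proposals, Device B one.
DEVICE_A = [
    IpsecProposal("tran1", "tunnel", "esp", "sha1", "des"),
    IpsecProposal("tran2", "tunnel", "esp", "md5", "3des"),
]
DEVICE_B_OK = [IpsecProposal("use1", "tunnel", "esp", "md5", "3des")]
# Same algorithms, but transport mode: no proposal is chosen.
DEVICE_B_BAD = [IpsecProposal("use1", "transport", "esp", "md5", "3des")]

if __name__ == "__main__":
    print(first_matching_proposal(DEVICE_A, DEVICE_B_OK))   # ('tran2', 'use1')
    print(first_matching_proposal(DEVICE_A, DEVICE_B_BAD))  # None
    for row in explain_mismatch(DEVICE_A, DEVICE_B_BAD):
        print(row)
```

When troubleshooting, run explain_mismatch on both peers' configured lists: a row whose difference list contains only one attribute usually points at the single setting that was changed on one side.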
Priority: Change the preference of the static routes. Change the route preference for equal-cost multipath routing or route backup. If multiple routes to the same destination have the same preference, traffic is balanced among them. If multiple routes to the same destination have different preference values, the route with the highest preference forwards traffic and all other routes are backup routes.
Applying an IPsec policy group
1.
Figure 117 IPsec SAs
Table 13 Field description
Source IP: IP address of the local end of the IPsec SA.
Destination IP: IP address of the remote end of the IPsec SA.
SPI: SPI of the IPsec SA.
Security Protocol: Security protocol that the IPsec SA uses.
Authentication Algorithm: Authentication algorithm that the security protocol uses.
Encryption Algorithm: Encryption algorithm that the security protocol uses.
• Configure an IPsec tunnel between Device A and Device B to protect traffic between the headquarters subnet 10.1.1.0/24 and the branch subnet 10.1.2.0/24.
• Configure the tunnel to use the security protocol ESP, encryption algorithm DES, and authentication algorithm SHA-1.
• Enable IPsec RRI on Device A, so Device A can automatically create a static route from the headquarters to the branch when the IPsec SA is established. Specify the next hop as 2.2.2.2.
Figure 121 Configuring a rule to permit packets from 10.1.1.0/24 to 10.1.2.0/24
3. Configure an IPsec proposal named tran1:
a. Select VPN > IPSec > Proposal from the navigation tree.
b. Click Add.
c. On the page that appears, select Custom mode.
d. On the page that appears, enter the IPsec proposal name tran1, select the packet encapsulation mode Tunnel, security protocol ESP, authentication algorithm SHA1, and encryption algorithm DES, and click Apply.
Figure 122 Configuring IPsec proposal tran1
4.
c. Enter the peer name peer, select the negotiation mode Main, enter the remote gateway IP address 2.2.3.1, and select the Pre-Shared Key box and then enter abcde for both the Key and Confirm Key fields.
d. Click Apply.
Figure 123 Configuring an IKE peer
5. Configure an IPsec policy:
a. Select VPN > IPSec > Policy from the navigation tree.
b. Click Add to enter the IPsec policy configuration page.
c.
Figure 124 Configuring an IPsec policy
6. Apply the IPsec policy to interface GigabitEthernet 0/1:
a. Select VPN > IPSec > IPSec Application from the navigation tree.
b. Click the icon of interface GigabitEthernet 0/1 to enter the IPsec application page.
c. Select the policy map1.
d. Click Apply.
Configuring Device B
The configuration steps on Device B are similar to those on Device A. The configuration pages are not shown.
1. Assign IP addresses for the interfaces and then add them to the target zones. (Details not shown.)
2. Define an ACL to permit traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24:
a. Select Firewall > ACL from the navigation tree.
b. Click Add.
c. On the page that appears, enter the ACL number 3101, select the match order Config, and click Apply.
d.
g. Enter the ACL number 3101.
h. Click Apply.
7. Apply IPsec policy map1 to GigabitEthernet 0/1:
a. Select VPN > IPSec > IPSec Application from the navigation tree.
b. Click the icon of interface GigabitEthernet 0/1.
c. Select the policy map1.
d. Click Apply.
Verifying the configuration
After you complete the configuration, packets exchanged between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 trigger IKE to negotiate the SAs.
Task / Remarks
Configuring an ACL: Required. Basic IPsec configuration.
Configuring an IPsec transform set: Required. Basic IPsec configuration.
Configuring an IPsec policy: Required. Basic IPsec configuration.
Applying an IPsec policy group to an interface: Required. Basic IPsec configuration.
Enabling the encryption engine: Optional.
Enabling ACL checking for de-encapsulated IPsec packets: Optional.
Configuring the IPsec anti-replay function: Optional.
Configuring packet information pre-extraction: Optional.
Enabling invalid SPI recovery: Optional.
Configuring IPsec RRI: Optional.
• Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement, be careful with its matching scope and its matching order relative to permit statements. The policies in an IPsec policy group have different match priorities, and ACL rule conflicts between them can cause packets to be handled incorrectly.
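The two warnings on this page about overlapping ACL rules (the multi-peer troubleshooting solution, which says to give finer-grained rules the higher priority, and the policy-group guideline just above) can be checked mechanically before a policy group is applied. The following is an added example, not code from the HP guide: it takes a policy group as a list of (sequence number, peer name, rules) tuples, a layout constructed for this example, and reports rule pairs from different policies whose source and destination ranges both intersect, plus the subset where the lower-priority rule is the more specific one.

```python
"""Added example (not from the HP guide): detecting overlapping ACL rules
across the IPsec policies of one policy group.

A policy group is evaluated in ascending sequence-number order (smaller
number = higher priority). If a rule in a higher-priority policy already
covers traffic that a more specific rule in a lower-priority policy was
meant to handle, the specific rule never takes effect for that traffic.
Rule layout (constructed for this example): (action, source_cidr, dest_cidr).
"""
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def rules_overlap(rule_a, rule_b):
    """Two rules overlap when both their source ranges and their destination
    ranges intersect: some packets would match either rule."""
    _, sa, da = rule_a
    _, sb, db = rule_b
    return _net(sa).overlaps(_net(sb)) and _net(da).overlaps(_net(db))


def overlapping_rule_pairs(policy_group):
    """Return every overlapping pair of rules that belong to different
    policies as (seq_a, peer_a, rule_a, seq_b, peer_b, rule_b), with
    seq_a < seq_b, so rule_a is the one the device would apply."""
    ordered = sorted(policy_group, key=lambda policy: policy[0])
    pairs = []
    for i, (seq_a, peer_a, rules_a) in enumerate(ordered):
        for seq_b, peer_b, rules_b in ordered[i + 1:]:
            for ra in rules_a:
                for rb in rules_b:
                    if rules_overlap(ra, rb):
                        pairs.append((seq_a, peer_a, ra, seq_b, peer_b, rb))
    return pairs


def misordered_pairs(policy_group):
    """Overlapping pairs in which the lower-priority rule is strictly more
    specific than the higher-priority one; these are the cases where the
    guide's advice (finer-grained rule gets the higher priority) is violated."""
    out = []
    for seq_a, peer_a, ra, seq_b, peer_b, rb in overlapping_rule_pairs(policy_group):
        narrower = (_net(rb[1]).subnet_of(_net(ra[1]))
                    and _net(rb[2]).subnet_of(_net(ra[2]))
                    and (ra[1], ra[2]) != (rb[1], rb[2]))
        if narrower:
            out.append((seq_a, peer_a, ra, seq_b, peer_b, rb))
    return out


# Constructed policy group: branch2's /24 is hidden inside branch1's /16.
GROUP = [
    (10, "branch1", [("permit", "10.1.1.0/24", "10.2.0.0/16")]),
    (20, "branch2", [("permit", "10.1.1.0/24", "10.2.2.0/24")]),
    (30, "branch3", [("permit", "10.1.1.0/24", "10.3.3.0/24")]),
]

if __name__ == "__main__":
    for pair in overlapping_rule_pairs(GROUP):
        print("overlap:", pair)
    for pair in misordered_pairs(GROUP):
        print("specific rule shadowed by policy", pair[0], "-> swap the sequence numbers")
```

In the sample, traffic from 10.1.1.0/24 to 10.2.2.0/24 would be sent through the branch1 tunnel even though policy 20 was written for it; giving policy 20 the smaller sequence number resolves the conflict.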
makes sure that SAs can be created successfully for the traffic between Host A and Host C and the traffic between Network 1 and Network 2.
Figure 126 Mirror image ACLs
If the ACL rules on peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer.
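The mirror-image requirement (each rule on one peer has a counterpart on the other with source and destination swapped) and the relaxed "covered by its counterpart" condition can both be verified from the two ACLs. The following is an added example, not code from the HP guide: it converts the Comware "address wildcard" notation into CIDR, lists the local permit rules that lack an exact mirror, and tests the coverage condition with Python's ipaddress module. The rule class and the sample rule sets are constructed for this example, modelled on ACL 3101 in the configuration examples.

```python
"""Added example (not from the HP guide): checking that the ACL rules on two
IPsec peers are mirror images, or at least that a local rule's range is
covered by its counterpart on the remote peer.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str      # "permit" or "deny"
    source: str      # CIDR, e.g. "10.1.1.0/24"
    dest: str        # CIDR

    def mirror(self):
        """The counterpart rule the remote peer is expected to carry."""
        return AclRule(self.action, self.dest, self.source)


def wildcard_to_cidr(address, wildcard):
    """Convert 'address wildcard' (e.g. 10.1.1.0 0.0.0.255) into CIDR.
    Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) are handled."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError("non-contiguous wildcard masks are not supported here")
    host_bits = bits.bit_length()
    return str(ipaddress.IPv4Network(f"{address}/{32 - host_bits}", strict=False))


def missing_mirrors(local, remote):
    """Local permit rules with no exact mirror on the remote peer. An empty
    list means the two rule sets are mirror images of each other."""
    remote_set = set(remote)
    return [r for r in local if r.action == "permit" and r.mirror() not in remote_set]


def covered_by_counterpart(local_rule, remote):
    """Relaxed condition from the guide: some remote permit rule must cover
    the local rule's range with source and destination swapped."""
    src = ipaddress.ip_network(local_rule.source)
    dst = ipaddress.ip_network(local_rule.dest)
    for r in remote:
        if r.action != "permit":
            continue
        if (dst.subnet_of(ipaddress.ip_network(r.source))
                and src.subnet_of(ipaddress.ip_network(r.dest))):
            return True
    return False


# Constructed rule sets modelled on ACL 3101 from the configuration examples.
DEVICE_A_RULES = [AclRule("permit",
                          wildcard_to_cidr("10.1.1.0", "0.0.0.255"),
                          wildcard_to_cidr("10.1.2.0", "0.0.0.255"))]
DEVICE_B_MIRROR = [AclRule("permit", "10.1.2.0/24", "10.1.1.0/24")]
DEVICE_B_WIDER = [AclRule("permit", "10.1.0.0/16", "10.1.1.0/24")]   # not a mirror, but covers
DEVICE_B_NARROWER = [AclRule("permit", "10.1.2.0/25", "10.1.1.0/24")]  # neither

if __name__ == "__main__":
    for name, remote in (("mirror", DEVICE_B_MIRROR), ("wider", DEVICE_B_WIDER),
                         ("narrower", DEVICE_B_NARROWER)):
        missing = missing_mirrors(DEVICE_A_RULES, remote)
        covered = all(covered_by_counterpart(r, remote) for r in DEVICE_A_RULES)
        print(f"{name}: exact mirror={not missing}, covered={covered}")
```

The "wider" case is the one the guide allows only with its second requirement met; the "narrower" case cannot bring up SAs for the whole flow and is the situation to fix on the remote peer.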
• Per-host mode—One tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one tunnel established solely for it. This mode is configurable only in IPsec policies that use IKE negotiation.
• For more information about ACL configuration, see Access Control Configuration Guide.
To use IPsec in combination with QoS, make sure that IPsec's ACL classification rules match the QoS classification rules.
Step 4. Specify the security algorithms.
Command (configure at least one):
• Specify the encryption algorithm for ESP: esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des } *
• Specify the authentication algorithm for ESP: esp authentication-algorithm { md5 | sha1 } *
Remarks: In non-FIPS mode, the default encryption algorithm is DES. In FIPS mode, 3DES and DES are not supported and AES-128 is the default encryption algorithm. In non-FIPS mode, the default authentication algorithm is MD5.
• IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.
Configuring a manual IPsec policy
To guarantee successful SA negotiations, follow these guidelines when configuring manual IPsec policies at the two ends of an IPsec tunnel:
• The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
Step 4. Assign an IPsec transform set to the IPsec policy.
Command: transform-set transform-set-name
Remarks: By default, an IPsec policy references no IPsec transform set. A manual IPsec policy can reference only one IPsec transform set. To change an IPsec transform set for an IPsec policy, you must remove the reference first.
Remarks (steps 5 to 7): Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications.
Configuring an IPsec policy that uses IKE
To configure an IPsec policy that uses IKE, use one of the following methods:
• Directly configure it by configuring the parameters in IPsec policy view.
• Configure it by referencing an existing IPsec policy template with the parameters to be negotiated configured. A device referencing an IPsec policy that is configured in this way cannot initiate SA negotiation but can respond to a negotiation request.
Step 9. Set the anti-replay information synchronization intervals in IPsec stateful failover mode.
Command: synchronization anti-replay-interval inbound inbound-number outbound outbound-number
Remarks: Optional. By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent.
Step 10. Enable the IPsec policy.
Command: policy enable
Remarks: Optional.
Step 11. Return to system view.
Command: quit
Step 6. Enable and configure the perfect forward secrecy feature for the IPsec policy.
Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
Remarks: Optional. By default, the PFS feature is not used for negotiation. The dh-group1 keyword is not available for FIPS mode. For more information about PFS, see "Configuring IKE."
Step 7. Configure the SA lifetime.
Command: sa duration { time-based seconds | traffic-based kilobytes }
Remarks: Optional. By default, the global SA lifetime settings are used.
Step 8. Optional.
Table 14 Hardware compatibility for the "synchronization anti-replay-interval" command
Hardware: Feature compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: No
U200-S: No
Applying an IPsec policy group to an interface
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
Step 2. Enable the encryption engine.
Command: cryptoengine enable
Remarks: Optional. By default, the encryption engine is enabled.
Enabling ACL checking for de-encapsulated IPsec packets
In tunnel mode, the IP packet carried inside an inbound IPsec packet might not be covered by the ACL specified in the IPsec policy. Such packets pose a threat to network security. You can enable ACL checking for de-encapsulated IPsec packets, so that all packets failing the check are discarded.
Step 2. Enable IPsec anti-replay checking.
Command: ipsec anti-replay check
Remarks: Optional. Enabled by default.
Step 3. Set the size of the IPsec anti-replay window.
Command: ipsec anti-replay window width
Remarks: Optional. 32 by default.
Configuring packet information pre-extraction
If you apply both an IPsec policy and QoS policy to an interface, by default, the interface first uses IPsec and then QoS to process IP packets, and QoS classifies packets by the headers of IPsec-encapsulated packets.
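To see what the anti-replay window width controls, and why the earlier guideline about IPsec and QoS warns that reordering across queues causes packet loss, the following is an added example, not code from the HP guide: a bitmap-based sliding anti-replay window of the kind ESP receivers use (RFC 4303 style), with the guide's default width of 32. The class name and the constructed sequence-number streams are this example's own.

```python
"""Added example (not from the HP guide): an ESP-style anti-replay sliding
window, sized like the 'ipsec anti-replay window' command.

The receiver remembers the highest sequence number accepted and a bitmap
of which of the last `width` numbers have been seen. A packet is dropped
if it is older than the window (left of it) or has already been seen
(replay). Reordering is tolerated only inside the window, so a QoS queue
that delays packets by more than `width` sequence numbers causes drops.
"""


class AntiReplayWindow:
    def __init__(self, width=32):      # 32 is the guide's default width
        if width < 1:
            raise ValueError("window width must be positive")
        self.width = width
        self.highest = 0               # highest sequence number accepted so far
        self.bitmap = 0                # bit i set  =>  (highest - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if acceptable, else False."""
        if seq == 0:                   # ESP sequence numbers start at 1
            return False
        if seq > self.highest:         # new high-water mark: slide the window
            shift = seq - self.highest
            if shift >= self.width:
                self.bitmap = 1        # everything previously seen falls out
            else:
                mask = (1 << self.width) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.width:       # too old: left of the window
            return False
        if self.bitmap & (1 << offset):  # already seen: replay
            return False
        self.bitmap |= 1 << offset     # late but inside the window: accept
        return True


def replay_stats(seqs, width=32):
    """Run a constructed stream of sequence numbers through one window and
    return (accepted, dropped) counts."""
    window = AntiReplayWindow(width)
    accepted = sum(1 for s in seqs if window.check_and_update(s))
    return accepted, len(seqs) - accepted


if __name__ == "__main__":
    # Mild reordering is fine; the repeated seq 4 is a replay and is dropped.
    print(replay_stats([1, 2, 3, 5, 4, 6, 4]))        # (6, 1)
    # A low-priority queue delivers seq 2 after seq 40: outside a 32 window.
    print(replay_stats([1, 3, 4, 40, 2]))             # (4, 1)
    # The same stream passes with a 64-wide window.
    print(replay_stats([1, 3, 4, 40, 2], width=64))   # (5, 0)
```

Widening the window is the knob the guide exposes, but matching the QoS and IPsec classification rules (so one SA's packets stay in one queue) removes the reordering at its source.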
Step 2. Enable invalid SPI recovery.
Command: ipsec invalid-spi-recovery enable
Remarks: Optional. Disabled by default.
Configuring IPsec RRI
IPsec RRI operates in static mode or dynamic mode.
1. Static IPsec RRI
Static IPsec RRI creates static routes based on the destination address information in the ACL that the IPsec policy references. The next hop address of the route is a user-specified remote peer address, or the IP address of the remote tunnel endpoint.
Step 3. Enable IPsec RRI.
Command: reverse-route [ remote-peer ip-address [ gateway | static ] | static ]
Remarks: Disabled by default. To enable static IPsec RRI, specify the static keyword. If the keyword is not specified, dynamic IPsec RRI is enabled.
Step 4. Change the preference of the static routes created by IPsec RRI.
Command: reverse-route preference preference-value
Remarks: Optional. 60 by default.
Step 5. Set a tag for the static routes created by IPsec RRI.
Command: reverse-route tag tag-value
Remarks: Optional. 0 by default.
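The static RRI description above (routes derived from the ACL's destination addresses, next hop either the user-specified remote peer or the remote tunnel endpoint, preference 60 and tag 0 by default) can be modelled to predict what should appear in the routing table, and then checked against display ip routing-table output. The following is an added example, not code from the HP guide: the route record, the rule layout and the sample routing-table text (modelled on the RRI verification output later on this page) are constructed for this example.

```python
"""Added example (not from the HP guide): predicting the static routes that
static IPsec RRI derives from an IPsec policy, and checking that they are
present in routing-table output.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    destination: str       # CIDR of the protected remote network
    next_hop: str
    preference: int = 60   # guide's default (reverse-route preference)
    tag: int = 0           # guide's default (reverse-route tag)


def rri_static_routes(acl_rules, remote_tunnel_endpoint, remote_peer=None,
                      preference=60, tag=0):
    """acl_rules: iterable of (action, source_cidr, dest_cidr).
    One route per distinct permitted destination network; the next hop is
    the remote peer if one was given, otherwise the remote tunnel endpoint."""
    next_hop = remote_peer if remote_peer is not None else remote_tunnel_endpoint
    routes, seen = [], set()
    for action, _source, dest in acl_rules:
        if action != "permit":
            continue
        dest_net = str(ipaddress.ip_network(dest, strict=False))
        if dest_net in seen:
            continue
        seen.add(dest_net)
        routes.append(StaticRoute(dest_net, next_hop, preference, tag))
    return routes


def parse_routing_table(text):
    """Parse rows of 'dest proto pre cost nexthop interface' (the column
    layout of the routing-table output shown in the guide) into dicts."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        dest, proto, pre, cost, next_hop, iface = parts
        rows.append({"dest": dest, "proto": proto, "pre": int(pre),
                     "cost": int(cost), "next_hop": next_hop, "iface": iface})
    return rows


def missing_rri_routes(expected, table_rows):
    """Expected RRI routes that have no Static entry with the same
    destination, preference and next hop in the parsed table."""
    present = {(r["dest"], r["pre"], r["next_hop"])
               for r in table_rows if r["proto"] == "Static"}
    return [r for r in expected
            if (r.destination, r.preference, r.next_hop) not in present]


# Constructed sample modelled on ACL 3101 of the guide's RRI example.
ACL_3101 = [("permit", "10.4.4.0/24", "10.5.5.0/24")]
# Constructed routing-table excerpt after the IPsec SA came up.
SAMPLE_TABLE = """
2.2.2.0/24      Static  60   0    1.1.1.2      GE0/1
10.4.4.0/24     Direct  0    0    10.4.4.1     GE0/2
10.5.5.0/24     Static  60   0    1.1.1.2      GE0/1
127.0.0.0/8     Direct  0    0    127.0.0.1    InLoop0
"""

if __name__ == "__main__":
    expected = rri_static_routes(ACL_3101, remote_tunnel_endpoint="1.1.1.2")
    print(expected)
    print("missing:", missing_rri_routes(expected, parse_routing_table(SAMPLE_TABLE)))
```

Running the same check after the SAs are deleted should report the RRI route as missing, which is the behaviour the verification step in the RRI example relies on.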
Configuring an IPsec profile
An IPsec policy is uniquely identified by its name and sequence number. An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
Step 5. Enable and configure the PFS feature for the IPsec profile.
Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
Remarks: Optional. By default, the PFS feature is not used. The dh-group1 keyword is not available for FIPS mode. For more information about PFS, see "Configuring IKE."
Step 6. Set the SA lifetime.
Command: sa duration { time-based seconds | traffic-based kilobytes }
Remarks: Optional. By default, the SA lifetime of an IPsec profile equals the current global SA lifetime.
Step 7. Optional.
To configure an IPsec tunnel interface:
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. Create a tunnel interface and enter its view.
Command: interface tunnel number
Remarks: By default, no tunnel interface exists on the device.
Step 3. Assign a private IPv4 address to the tunnel interface.
Command: ip address ip-address { mask | mask-length } [ sub ]
Step 4. Set the tunnel mode of the tunnel interface to IPsec over IPv4.
Command: tunnel-protocol ipsec ipv4
This method is much more explicit and flexible than the QoS implementation method of enabling packet information pre-extraction on the IPsec tunnel interface, which requires applying a QoS policy to the physical outbound interface.
To apply a QoS policy to an IPsec tunnel interface:
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. Enter tunnel interface view.
Command: interface tunnel number
Remarks: N/A
Step 3. Apply a QoS policy to the IPsec tunnel interface.
• VRRP must operate in the standard protocol mode.
• IPsec stateful failover supports only the active/standby failover mode.
• RSA signature authentication is not supported in IKE negotiation.
• The keepalive mechanism for IKE to maintain the link status of ISAKMP SAs is not supported.
Configuration procedure
To implement IPsec stateful failover on two devices, you must enable IPsec stateful failover on both devices.
To configure IPsec stateful failover on a device:
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. Enable IPsec stateful failover.
Command: ipsec synchronization enable
Remarks: By default, IPsec stateful failover is enabled.
Displaying and maintaining IPsec
Task / Command / Remarks
Display IPsec policy information.
Manual mode IPsec tunnel for IPv4 packets configuration example
Network requirements
As shown in Figure 128, configure an IPsec tunnel between Firewall A and Firewall B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the tunnel to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.
Figure 128 Network diagram (Firewall A GE0/2 2.2.2.1/24 and Firewall B GE0/2 2.2.3.1/24, connected across the Internet)
[FirewallA-ipsec-policy-manual-map1-10] transform-set tran1
# Configure the remote IP address of the tunnel.
[FirewallA-ipsec-policy-manual-map1-10] tunnel remote 2.2.3.1
# Configure the local IP address of the tunnel.
[FirewallA-ipsec-policy-manual-map1-10] tunnel local 2.2.2.1
# Configure the SPIs.
[FirewallA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[FirewallA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
# Configure the keys.
[FirewallB-ipsec-policy-manual-use1-10] tunnel local 2.2.3.1
# Configure the SPIs.
[FirewallB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[FirewallB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
# Configure the keys.
[FirewallB-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
[FirewallB-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
[FirewallB-ipsec-policy-manual-use1-10] quit
# Configure the IP address for GigabitEthernet 0/2.
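A manual policy fails silently when the two ends disagree, so the guidelines for manual IPsec policies (same transform set settings, swapped tunnel addresses, one end's outbound SPI and key equal to the other end's inbound SPI and key) are worth checking before the policies are applied. The following is an added example, not code from the HP guide: a consistency check over the two ends' settings. The dictionary layout is constructed for this example; the values are Firewall A's and Firewall B's settings from this configuration example, with Firewall A's keys assumed to be the mirror of Firewall B's (the guide shows Firewall B's keys only).

```python
"""Added example (not from the HP guide): checking that two manually keyed
IPsec policies (one per tunnel end) agree with each other.
"""
import copy

# Values from the Firewall A / Firewall B manual-mode example; Firewall A's
# keys are assumed (mirror of Firewall B's), the dict layout is constructed.
FIREWALL_A = {
    "transform": {"protocol": "esp", "encapsulation": "tunnel",
                  "encryption": "des", "auth": "sha1"},
    "tunnel_local": "2.2.2.1", "tunnel_remote": "2.2.3.1",
    "spi": {"outbound": 12345, "inbound": 54321},
    "key": {"outbound": "abcdefg", "inbound": "gfedcba"},
}
FIREWALL_B = {
    "transform": {"protocol": "esp", "encapsulation": "tunnel",
                  "encryption": "des", "auth": "sha1"},
    "tunnel_local": "2.2.3.1", "tunnel_remote": "2.2.2.1",
    "spi": {"outbound": 54321, "inbound": 12345},
    "key": {"outbound": "gfedcba", "inbound": "abcdefg"},
}


def manual_policy_mismatches(local, remote):
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []
    # 1. Transform sets must use the same protocol, mode and algorithms.
    for field in ("protocol", "encapsulation", "encryption", "auth"):
        lv, rv = local["transform"][field], remote["transform"][field]
        if lv != rv:
            problems.append(f"transform {field}: local {lv} vs remote {rv}")
    # 2. Tunnel endpoints must be mirrored.
    if local["tunnel_local"] != remote["tunnel_remote"]:
        problems.append(f"local tunnel address {local['tunnel_local']} is not "
                        f"the remote end's tunnel remote {remote['tunnel_remote']}")
    if local["tunnel_remote"] != remote["tunnel_local"]:
        problems.append(f"local tunnel remote {local['tunnel_remote']} is not "
                        f"the remote end's tunnel local {remote['tunnel_local']}")
    # 3. Our outbound SA is their inbound SA, and vice versa.
    for mine, theirs in (("outbound", "inbound"), ("inbound", "outbound")):
        if local["spi"][mine] != remote["spi"][theirs]:
            problems.append(f"{mine} SPI {local['spi'][mine]} != remote "
                            f"{theirs} SPI {remote['spi'][theirs]}")
        if local["key"][mine] != remote["key"][theirs]:
            problems.append(f"{mine} key does not match the remote {theirs} key")
    return problems


def with_key(policy, direction, key):
    """Copy of a policy with one string key replaced (used below to show how
    a single mistyped key is reported)."""
    clone = copy.deepcopy(policy)
    clone["key"][direction] = key
    return clone


if __name__ == "__main__":
    print(manual_policy_mismatches(FIREWALL_A, FIREWALL_B))               # []
    print(manual_policy_mismatches(FIREWALL_A, with_key(FIREWALL_B, "inbound", "abcdefh")))
```

The check is symmetric: running it with the arguments swapped reports the same problems from Firewall B's point of view, which is useful when the two ends are administered by different teams.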
[FirewallA-ike-peer-peer] pre-shared-key abcde
[FirewallA-ike-peer-peer] remote-address 2.2.3.1
[FirewallA-ike-peer-peer] quit
# Create an IPsec policy that uses IKE for IPsec SA negotiation.
[FirewallA] ipsec policy map1 10 isakmp
# Apply the IPsec transform set.
[FirewallA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Apply the ACL.
[FirewallA-ipsec-policy-isakmp-map1-10] security acl 3101
# Apply the IKE peer.
# Apply the IPsec transform set.
[FirewallB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Apply the IKE peer.
[FirewallB-ipsec-policy-isakmp-use1-10] ike-peer peer
[FirewallB-ipsec-policy-isakmp-use1-10] quit
# Configure the IP address for GigabitEthernet 0/2.
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] ip address 2.2.3.1 255.255.255.0
# Apply the IPsec policy group to the interface.
[FirewallB-GigabitEthernet0/2] ipsec policy use1
3.
[FirewallA] ike peer atob
[FirewallA-ike-peer-atob] exchange-mode aggressive
[FirewallA-ike-peer-atob] pre-shared-key simple aabb
[FirewallA-ike-peer-atob] id-type name
[FirewallA-ike-peer-atob] remote-name firewallb
[FirewallA-ike-peer-atob] quit
# Create an IPsec transform set named method1. This IPsec transform set uses the default settings: the security protocol of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5.
# Configure an IKE peer named btoa. As the remote peer obtains the IP address automatically, set the IKE negotiation mode to aggressive.
[FirewallB] ike peer btoa
[FirewallB-ike-peer-btoa] exchange-mode aggressive
[FirewallB-ike-peer-btoa] pre-shared-key simple aabb
[FirewallB-ike-peer-btoa] id-type name
[FirewallB-ike-peer-btoa] remote-name firewalla
[FirewallB-ike-peer-btoa] quit
# Create an IPsec transform set named method1.
Link: ADM - administratively down; Stby – standby
Protocol: (s) – spoofing
Interface    Link  Protocol  Main IP    Description
Tun1         UP    UP        10.1.1.2
# Execute the display ike sa command on Firewall B. You can see that the SAs of two phases are established.
[FirewallB] display ike sa
 total phase-1 SAs: 1
 connection-id  peer      flag  phase  doi
 ---------------------------------------------------------
 2              1.1.1.2   RD    2      IPSEC
 1              1.1.1.
transform-set: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3503
max sequence-number sent: 6
udp encapsulation used for nat traversal: N
# On Firewall B, ping the IP address of the interface on Firewall A that connects to the branch.
[FirewallB] ping -a 192.168.1.1 172.17.17.1
PING 172.17.17.1: 56 data bytes, press CTRL_C to break
Reply from 172.17.17.1: bytes=56 Sequence=1 ttl=255 time=15 ms
Reply from 172.17.17.
Figure 130 Network diagram
Configuration considerations
Perform the following configuration tasks:
• Configure basic RIPng parameters.
• Configure a manual IPsec policy.
• Apply the IPsec policy to a RIPng process to protect RIPng packets in this process or to an interface to protect RIPng packets traveling through the interface.
Configuration procedure
1. Configure Firewall A:
# Assign an IPv6 address to each interface. (Details not shown.
2. Configure Firewall B:
# Assign an IPv6 address to each interface. (Details not shown.)
# Create a RIPng process and enable it on GigabitEthernet 0/1 and GigabitEthernet 0/2.
[FirewallC] ipsec transform-set tran1
[FirewallC-ipsec-transform-set-tran1] encapsulation-mode transport
[FirewallC-ipsec-transform-set-tran1] transform esp
[FirewallC-ipsec-transform-set-tran1] esp encryption-algorithm des
[FirewallC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[FirewallC-ipsec-transform-set-tran1] quit
# Create an IPsec policy named policy001, specify the manual mode for it, and configure the SPIs of the inbound and outbound SAs as 123456, and the keys for the inbound and
sequence number: 10
acl version: ACL4
mode: manual
-----------------------------
connection id: 1
encapsulation mode: transport
perfect forward secrecy:
tunnel:
flow:
[inbound ESP SAs]
spi: 123456 (0x3039)
transform-set: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
[outbound ESP SAs]
spi: 123456 (0x3039)
transform-set: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
Similarly, you can view the information on Firewall B and Firewall C. (Details not shown.
2. Configure Firewall A:
# Configure ACL 3101 to identify traffic from subnet 10.4.4.0/24 to subnet 10.5.5.0/24.
system-view
[FirewallA] acl number 3101
[FirewallA-acl-adv-3101] rule permit ip source 10.4.4.0 0.0.0.255 destination 10.5.5.0 0.0.0.255
[FirewallA-acl-adv-3101] quit
# Create IPsec transform set tran1.
[FirewallA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[FirewallB-acl-adv-3101] quit
# Configure a static route to subnet 10.4.4.0/24.
[FirewallB] ip route-static 10.4.4.0 255.255.255.0 1.1.1.1
# Create IPsec transform set tran1.
[FirewallB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[FirewallB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[FirewallB-ipsec-transform-set-tran1] transform esp
# Use DES as the encryption algorithm and SHA1-HMAC-96 as the authentication algorithm.
2.2.2.0/24      Static  60   0    1.1.1.2      GE0/1
10.4.4.0/24     Direct  0    0    10.4.4.1     GE0/2
10.4.4.4/32     Direct  0    0    127.0.0.1    InLoop0
10.5.5.0/24     Static  60   0    1.1.1.2      GE0/1
127.0.0.0/8     Direct  0    0    127.0.0.1    InLoop0
127.0.0.1/32    Direct  0    0    127.0.0.1    InLoop0
The output shows that IPsec RRI has created a static route to subnet 10.5.5.0/24 with the next hop 1.1.1.2.
# Delete the IPsec SAs. The static route is automatically deleted.
Figure 132 Network diagram (Host A 10.1.1.2/24 with gateway 10.1.1.1; Firewall A and Firewall B at the headquarters, GE0/1 10.1.1.10/24 and 10.1.1.20/24 sharing virtual IP address 1 10.1.1.1/24, GE0/2 192.168.0.5/24 and 192.168.0.6/24 sharing virtual IP address 2 192.168.0.1/24, and a backup link between their GE0/3 interfaces; Firewall C at the branch, GE0/1 192.168.0.2/24 and GE0/2 10.2.2.1/24; Host B 10.2.2.2/24 with gateway 10.2.2.1)
Assigning IP addresses to interfaces
Assign IP addresses to the interfaces on the firewalls according to Figure 132.
Figure 133 Configuring a backup interface
Figure 134 Configuring stateful failover
2. Configure VRRP:
# Create VRRP group 1 and assign a virtual IP address to the group.
system-view
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 10.1.1.1
# Set the priority of Firewall A in VRRP group 1 to 150.
# Configure Firewall A to monitor the status of the uplink interface GigabitEthernet 0/2 and, when the interface becomes unavailable, reduce its own priority in VRRP group 1 to a value lower than the priority value of Firewall B so Firewall B can become the master. In this example, the priority value decrement is 60.
# Create an IPsec policy that uses IKE, naming it map1 and setting its sequence number to 10.
[FirewallA] ipsec policy map1 10 isakmp
# Reference IPsec transform set tran1.
[FirewallA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Reference ACL 3101.
[FirewallA-ipsec-policy-isakmp-map1-10] security acl 3101
# Reference IKE peer branch.
[FirewallA-ipsec-policy-isakmp-map1-10] ike-peer branch
[FirewallA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy group map1 to interface GigabitEthernet0/2.
[FirewallB-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
[FirewallB-acl-adv-3101] quit
# Configure a static route to Host B.
[FirewallB] ip route-static 10.2.2.0 255.255.255.0 192.168.0.2
# Create IPsec transform set tran1.
[FirewallB] ipsec transform-set tran1
# Configure the IPsec transform set to use the tunnel encapsulation mode.
# Create IPsec transform set tran1.
[FirewallC] ipsec transform-set tran1
# Configure the IPsec transform set to use the tunnel encapsulation mode.
[FirewallC-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Configure the IPsec transform set to use the ESP security protocol.
[FirewallC-ipsec-transform-set-tran1] transform esp
# Configure ESP to use the DES encryption algorithm and the SHA1 authentication algorithm.
acl version: ACL4
mode: isakmp
-----------------------------
connection id: 20000
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 192.168.0.1
remote address: 192.168.0.2
flow:
sour addr: 10.1.1.0/0.0.0.255 port: 0 protocol: IP
dest addr: 10.2.2.0/0.0.0.
sequence number: 10
mode: isakmp
-----------------------------
connection id: 20000
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 192.168.0.1
remote address: 192.168.0.2
flow:
sour addr: 10.1.1.0/0.0.0.255 port: 0 protocol: IP
dest addr: 10.2.2.0/0.0.0.
Using a wizard to configure an IPsec VPN
An IPsec VPN policy can be configured only in the Web interface. The IPsec VPN policy configuration wizard provides a way to easily configure IPsec VPNs. For more information about IPsec and IKE, see "Configuring IPsec" and "Configuring IKE."
IPsec VPN supports two networking modes: center-branch mode and peer-peer mode.
• Center-branch mode applies to one-to-many networks as shown in Figure 135.
Figure 137 IPsec VPN policy configuration wizard: 1/4 (center node)
4. Click Next.
Figure 138 IPsec VPN policy configuration wizard: 2/4 (center node)
5. Perform configuration as described in Table 15.
Table 15 Configuration items
Enter the name for the IPsec VPN.
IMPORTANT: If you enter abc here, the wizard creates an IKE peer named abc_peer, an IPsec proposal named abc_prop, an IPsec template named abc_temp and numbered 1, and an IPsec policy named abc_poli and numbered 1. The IKE peer and IPsec proposal are referenced in the IPsec template, and the template is referenced in the IPsec policy.
Table 16 Configuration items
Select the encryption suite for the IPsec proposal. An encryption suite specifies the IP packet encapsulation mode, security protocol, and authentication and encryption algorithms to be used. Options include:
• TUNNEL-ESP-SHA1-3DES—Uses the tunnel mode for IP packet encapsulation, ESP for packet protection, SHA1 for authentication, and 3DES for encryption.
Figure 140 IPsec VPN policy configuration wizard: 4/4 (center node)
9. Click Finish to complete the configuration. The system jumps to the page that you can enter by selecting VPN > IPSec > IPSec Application from the navigation tree.
Configuring a branch node
1. Select Wizard from the navigation tree to enter the Configuration Wizard page.
2. Click the IPSec VPN Deployment hyperlink to enter the first page of the IPsec VPN policy configuration page.
3.
Figure 141 IPsec VPN policy configuration wizard: 1/4 (branch node)
4. Click Next.
Figure 142 IPsec VPN policy configuration wizard: 2/4 (branch node)
5. Perform configuration as described in Table 17.
Table 17 Configuration items
IPSec VPN Name: Enter the name for the IPsec VPN.
IMPORTANT: If you enter abc here, the wizard creates an IKE peer named abc_peer, an IPsec proposal named abc_prop, and an IPsec policy named abc_poli and numbered 1. The IKE peer and IPsec proposal are referenced in the IPsec policy.
IPSec Interface: Select the interface to which you want to apply the IPsec policy.
Enter the IP address of the center node, which is used during IKE negotiation.
Table 18 Configuration items Item Description Source IP Address/Wildcard Specify the traffic to be protected by giving the source IP address and wildcard, destination IP address and wildcard, and the protocol type. Destination IP Address/Wildcard Protocol Type IMPORTANT: Based on these configurations, the wizard creates an advanced ACL that permit packets matching these criteria and apply this ACL to the IPsec policy. The ACL number is the smallest, available number in the range 3000 to 3999.
Figure 144 IPsec VPN policy configuration wizard: 4/4 (branch node)
9. Click Finish to complete the configuration. The system jumps to the page that you can enter by selecting VPN > IPSec > IPSec Application from the navigation tree.
Configuring a peer node
1. Select Wizard from the navigation tree to enter the Configuration Wizard page.
2. Click the IPSec VPN Deployment hyperlink to enter the first page of the IPsec VPN policy configuration wizard.
3.
Figure 145 IPsec VPN policy configuration wizard: 1/4 (peer node)
4. Click Next.
Figure 146 IPsec VPN policy configuration wizard: 2/4 (peer node)
5. Perform configuration as described in Table 19.
Table 19 Configuration items
IPSec VPN Name: Enter the name for the IPsec VPN.
  IMPORTANT: If you enter abc here, the wizard creates an IKE peer named abc_peer, an IPsec proposal named abc_prop, and an IPsec policy named abc_poli and numbered 1. The IKE peer and IPsec proposal are referenced in the IPsec policy.
IPSec Interface: Select the interface to which you want to apply the IPsec policy.
Enter the remote IP address for IKE negotiation.
Table 20 Configuration items
Source IP Address/Wildcard, Destination IP Address/Wildcard, Protocol Type: Specify the traffic to be protected by giving the source IP address and wildcard, destination IP address and wildcard, and the protocol type.
  IMPORTANT: Based on these configurations, the wizard creates an advanced ACL that permits packets matching these criteria and applies this ACL to the IPsec policy. The ACL number is the smallest available number in the range 3000 to 3999.
Figure 148 IPsec VPN policy configuration wizard: 4/4 (peer node)
9. Click Finish to complete the configuration. The system jumps to the page that you can enter by selecting VPN > IPSec > IPSec Application from the navigation tree.
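Tables 18 and 20 describe the ACL the wizard derives from the source/destination address-and-wildcard pairs. The following Python model is an added example, not code from this guide or from the HP firewall software: it shows how a wildcard (the bitwise inverse of a netmask, so 0.0.0.255 for a /24) selects which packets the IPsec policy protects, and how the wizard's "smallest available number in 3000 to 3999" allocation behaves. The rule, packet list and function names are constructed for the example; the 10.1.1.0/24 and 11.1.1.0/24 subnets are the ones used in this guide's IKE example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    """One permit rule of the kind the wizard builds from Table 18/20 (constructed model)."""
    src: str        # source IP address
    src_wild: str   # source wildcard: 0 bits must match, 1 bits are ignored
    dst: str        # destination IP address
    dst_wild: str   # destination wildcard
    proto: str      # protocol type; "ip" means any protocol


def _ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: compare only the bits where the wildcard bit is 0."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(addr) & care) == (_ip_int(base) & care)


def wildcard_for_prefix(prefix_len: int) -> str:
    """Turn a /n prefix into the wildcard the wizard form expects (inverse of the netmask)."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(~netmask & 0xFFFFFFFF))


def rule_matches(rule: AclRule, src: str, dst: str, proto: str) -> bool:
    """True when a packet (src, dst, proto) is permitted by the rule, i.e. gets IPsec protection."""
    return (wildcard_match(src, rule.src, rule.src_wild)
            and wildcard_match(dst, rule.dst, rule.dst_wild)
            and rule.proto in ("ip", proto))


def next_acl_number(existing: set) -> int:
    """Smallest free advanced-ACL number in 3000-3999, as the wizard allocates it."""
    for n in range(3000, 4000):
        if n not in existing:
            return n
    raise RuntimeError("no free advanced ACL number in 3000-3999")


# Constructed sample: protect traffic between 10.1.1.0/24 and 11.1.1.0/24, any protocol.
SITE_RULE = AclRule("10.1.1.0", "0.0.0.255", "11.1.1.0", "0.0.0.255", "ip")

SAMPLE_PACKETS = [
    ("10.1.1.5", "11.1.1.9", "tcp"),   # inside the protected pair: permitted
    ("10.1.2.5", "11.1.1.9", "tcp"),   # wrong source subnet: not protected
    ("10.1.1.5", "8.8.8.8", "udp"),    # Internet-bound: not protected
]


def protected_packets(rule: AclRule, packets) -> list:
    """Return the subset of packets the ACL (and so the IPsec policy) would protect."""
    return [p for p in packets if rule_matches(rule, *p)]


if __name__ == "__main__":
    print(wildcard_for_prefix(24))                      # 0.0.0.255
    print(protected_packets(SITE_RULE, SAMPLE_PACKETS))  # only the first sample packet
    print(next_acl_number({3000, 3001}))                 # 3002
```

A common mistake when filling in the wizard is to type a netmask (255.255.255.0) where a wildcard (0.0.0.255) is expected; with a netmask in the wildcard field almost every bit is ignored and far more traffic than intended matches the ACL, so check the generated ACL under the IPsec policy after finishing the wizard.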
Configuring L2TP
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
Overview
A virtual private dialup network (VPDN) is a VPN utilizing the dial-up function of public networks such as ISDN or PSTN networks to provide access services for enterprises, small ISPs, and telecommuters. VPDN provides an economical and effective point-to-point method for remote users to connect to their home LANs.
An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It encapsulates packets received from a remote system using L2TP and then sends the resulting packets to the LNS. It de-encapsulates packets received from the LNS and then sends the resulting packets to the intended remote system. Usually, a PPP link is used in a VPDN application.
• LNS—An L2TP network server (LNS) functions as both the L2TP server and the PPP end system.
L2TP tunnel and session
The following types of connections are present between an LNS and an LAC:
• Tunnel—A tunnel corresponds to an LNS-LAC pair, and comprises a control connection and one or more sessions.
• Session—A session corresponds to one PPP data stream between an LNS and an LAC and is multiplexed on a tunnel. A session can be set up only after the tunnel is created.
Multiple L2TP tunnels can be established between an LNS and an LAC.
network, the LAC forwards data through the L2TP tunnel. In this mode, the connection between a remote system and the LAC is not confined to a dial-up connection and can be any IP-based connection.
Figure 154 LAC-auto-initiated tunneling mode
L2TP tunnel establishment process
Figure 155 Typical L2TP network
Figure 156 shows an L2TP call's setup procedure in NAS-initiated mode.
Figure 156 L2TP call setup procedure
(Participants in the figure: remote system Host A, LAC Router A, LAC RADIUS server, LNS Router B, LNS RADIUS server.)
(1) Call setup (2) PPP LCP setup (3) PAP or CHAP authentication (4) Access request (5) Access accept (6) Tunnel setup (7) CHAP authentication (challenge/response) (8) Authentication passes (9) User CHAP response, PPP negotiation parameter (10) Access request (11) Access accept (12) CHAP authentication twice (challenge/response) (13) Access request (14) Access accept (15) Authentication
15. The LNS assigns an internal IP address to the remote user. The user can now access the internal resources of the enterprise network.
L2TP features
• Flexible identity authentication mechanism and high security—L2TP by itself does not provide security for connections. However, it has all the security features of PPP and allows for PPP authentication (CHAP or PAP). L2TP can also cooperate with IPsec to guarantee data security, strengthening the resistance of tunneled data to attacks.
2. Adding an L2TP group
   Remarks: Required. Create an L2TP group and configure L2TP group related parameters. By default, no L2TP group is created.
3. Displaying L2TP tunnel information
   Remarks: Optional. View the L2TP tunnel information.
Enabling L2TP
1. Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as shown in Figure 157.
2. Select the Enable L2TP box.
3. Click Apply.
NOTE: You cannot add an L2TP group whose VT interface already exists. To add it, first delete the corresponding VT interface from Device Management > Interface Management.
To add an L2TP group:
1. Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as shown in Figure 157.
2. Click Add on the L2TP configuration page to add an L2TP group.
Figure 158 Adding an L2TP group
3. Configure L2TP group information, as described in Table 22.
4. Click Apply.
Tunnel Authentication: Enable or disable L2TP tunnel authentication in the group. If you enable tunnel authentication, you need to set the authentication password.
  The tunnel authentication request can be initiated by the LAC or LNS. Once tunnel authentication is enabled on one end, a tunnel can be established if tunnel authentication is also enabled on the other end and the passwords configured on the two ends are the same and not null.
Hello Interval: Specify the interval between sending hello packets.
  To check the connectivity of a tunnel, the LAC and LNS regularly send Hello packets to each other. When receiving a Hello packet, the LAC/LNS returns a response packet. If the LAC or LNS receives no Hello response packet from the peer within a specific period of time, it retransmits the Hello packet.
After the LAC authenticates the client, the LNS may re-authenticate the client for higher security. In this case, only when both authentications succeed can an L2TP tunnel be set up. On an L2TP network, an LNS authenticates users in three ways: mandatory CHAP authentication, LCP re-negotiation, and proxy authentication.
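Both the PPP CHAP steps in the call setup procedure (Figure 156) and the L2TP tunnel authentication described in the Tunnel Authentication item rest on the same MD5 challenge/response construction. The following Python model is an added example, not code from this guide or from the HP firewall software. It follows RFC 1994 (CHAP: MD5 over identifier, secret and challenge) and RFC 2661 section 5.1.1 (L2TP tunnel authentication uses the same computation with the control message type as the identifier); the exchange is simplified to the parts that decide success or failure, and the function names, the message-type constants and the sample passwords (aabbcc and Hello appear later in this chapter's examples) are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# L2TP control message types whose Challenge Response AVP carries the proof (RFC 2661).
SCCRP = 2
SCCCN = 3


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge). PPP CHAP uses the
    CHAP packet identifier; L2TP tunnel authentication uses the message type (RFC 2661 5.1.1)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute with the locally configured secret and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def ppp_chap_exchange(user_password: bytes, server_password: bytes) -> bool:
    """PPP CHAP between the remote user and the LAC (or the LNS when it re-authenticates)."""
    ident = 1
    challenge = secrets.token_bytes(16)                      # authenticator picks a fresh challenge
    resp = chap_response(ident, user_password, challenge)    # peer answers with its own password
    return chap_verify(ident, server_password, challenge, resp)


def l2tp_tunnel_setup(lac_secret: bytes, lns_secret: bytes,
                      lac_auth_enabled: bool, lns_auth_enabled: bool) -> bool:
    """Model of the rule in the Tunnel Authentication item: once either end enables tunnel
    authentication, the tunnel comes up only if the other end enables it too and both passwords
    are equal and non-null. With it disabled on both ends the tunnel comes up unauthenticated."""
    if not lac_auth_enabled and not lns_auth_enabled:
        return True                       # no tunnel authentication at all
    if lac_auth_enabled != lns_auth_enabled:
        return False                      # one side sends a challenge the other never answers
    if not lac_secret or not lns_secret:
        return False                      # a null password is rejected
    # SCCRQ carries the LAC challenge; SCCRP carries the LNS answer plus the LNS challenge.
    lac_challenge = secrets.token_bytes(16)
    lns_response = chap_response(SCCRP, lns_secret, lac_challenge)
    if not chap_verify(SCCRP, lac_secret, lac_challenge, lns_response):
        return False                      # LAC rejects the LNS: secrets differ
    # SCCCN carries the LAC answer to the LNS challenge.
    lns_challenge = secrets.token_bytes(16)
    lac_response = chap_response(SCCCN, lac_secret, lns_challenge)
    return chap_verify(SCCCN, lns_secret, lns_challenge, lac_response)


if __name__ == "__main__":
    print(ppp_chap_exchange(b"Hello", b"Hello"))               # True
    print(l2tp_tunnel_setup(b"aabbcc", b"aabbcc", True, True))  # True
    print(l2tp_tunnel_setup(b"aabbcc", b"wrong", True, True))   # False
```

The model makes the failure modes of the table concrete: a tunnel password that is set on only one end, or left empty on either end, fails before any challenge is answered, and a mismatched password fails at the first verification. It also shows why CHAP is preferred over PAP in step (3) of Figure 156: the password itself never crosses the link, only an MD5 response to a one-time challenge.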
Figure 159 Adding an ISP domain
2. Configure the ISP domain name, authentication/authorization/accounting methods, and maximum number of users, as described in Table 23.
3. Click Apply.
Table 23 Configuration items
ISP Domain: Specify the name of the ISP domain.
Select the authentication server type for PPP users.
• None—All users are trusted and no authentication is performed. This method is not recommended.
Scheme: Scheme for the primary authorization method, which is displayed when you select HWTACACS or RADIUS as the server type. The scheme is always system.
Backup Scheme: Specify whether to enable the backup authorization method.
Specify whether to enable the accounting optional function.
• For an online user, with the accounting optional function disabled, if no accounting server is available or communication with the current accounting server fails, the user is disconnected.
Figure 160 Adding an address pool
2. Specify an address pool for assigning IP addresses to PPP users, as described in Table 24.
3. Click Apply.
Table 24 Configuration items
ISP Domain: Select the ISP domain for the IP address pool to be created. If no ISP domain is specified, the address pool is used to allocate IP addresses to PPP users that do not need authentication.
IP Address Pool Number: Specify the number of the IP address pool.
Peer Tunnel ID: Peer ID of the tunnel.
Peer Tunnel Port: Peer port of the tunnel.
Peer Tunnel IP: Peer IP address of the tunnel.
Session Count: Number of sessions on the tunnel.
Peer Tunnel Name: Peer name of the tunnel.
Client-initiated VPN configuration example
Network requirements
As shown in Figure 162, a VPN user and the corporate headquarters communicate in the following steps:
1.
c. Enter vpdnuser as the user name, select PPP as the service type, enter Hello as the password, and enter Hello to confirm the password, as shown in Figure 163.
d. Click Apply.
Figure 163 Adding a local user
4. Enable L2TP:
a. Select VPN > L2TP > L2TP Config from the navigation tree.
b. Select the Enable L2TP box, as shown in Figure 164.
c. Click Apply.
Figure 164 Enable L2TP
5. Add an L2TP group:
a. Click Add on the page in Figure 164.
b.
Figure 165 Configuring local authentication method for VPN users
e. Enter 192.168.0.1/255.255.255.0 as the PPP server IP address/mask, and select Trust from the PPP Server Zone list. (Select a security zone according to your network configuration.)
f. Click the Add button for User Address, select system as the ISP domain name, enter 1 as the IP address pool number, and enter the start IP address 192.168.0.2 and the end IP address 192.168.0.100.
g.
Figure 167 L2TP group configurations
Verifying the configuration
1. On the user host, initiate an L2TP connection to the LNS. The host gets an IP address (192.168.0.2) and can ping the private address of the LNS (192.168.0.1).
2. On the LNS, select VPN > L2TP > Tunnel Info from the navigation tree. Information about the established L2TP tunnel appears, as shown in Figure 168.
1. Determine the network devices needed according to the networking environment. For NAS-initiated mode and LAC-auto-initiated mode, configure both the LAC and the LNS. For client-initiated mode, you only need to configure the LNS.
2. Configure the devices accordingly based on the intended role (LAC or NAS) on the network.
Task: Remarks
Enabling L2TP for VPNs: Optional.
Configuring L2TP tunnel authentication
Configuring L2TP connection parameters:
  Setting the hello interval: Optional.
  Enabling tunnel flow control
  Disconnecting tunnels by force
Configuring basic L2TP capability
An L2TP group is intended to represent a group of parameters and corresponds to one VPN user or one group of VPN users.
1. Enter system view. Command: system-view
2. Enter L2TP group view. Command: l2tp-group group-number
3. Enable the device to initiate tunneling requests to one or more IP addresses for one or more specified VPN users. Command: start l2tp { ip ip-address }&<1-5> { domain domain-name | fullusername user-name }
Configuring an LAC to transfer AVP data in hidden mode
With L2TP, some parameters are transferred as AVP data.
2. Create a local user and enter its view. Command: local-user username. Remarks: By default, no local user or password is configured on an LAC.
3. Configure a password for the local user. Command: password [ { cipher | simple } password ]
4. Authorize the user to use the PPP service. Command: service-type ppp. Remarks: N/A
5. Return to system view. Command: quit. Remarks: N/A
6. Create an ISP domain and enter its view. Command: domain isp-name. Remarks: N/A
7.
3. Assign an IP address to the VT interface or enable IP address negotiation so that the VT interface accepts the IP address negotiated with the peer.
   Command (use either): • ip address address mask • ip address ppp-negotiate
   Remarks: By default, no IP address is assigned.
4. Configure the authentication method for the LAC to use to authenticate the virtual PPP user. Command: ppp authentication-mode { chap | pap } * [ domain isp-name ]
1. Enter system view. Command: system-view. Remarks: N/A
2. Create a VT interface and enter its view. Command: interface virtual-template virtual-template-number. Remarks: By default, no VT interface exists.
Configuring the local address and the address pool for allocation
After an L2TP tunnel is set up between an LAC and an LNS, the LNS needs to assign an IP address to a VPN user. For this purpose, you can directly specify an IP address, or specify an address pool.
3. Specify the VT interface for receiving calls, the tunnel name on the LAC, and the domain name.
   Command (use either):
   • If the L2TP group number is 1 (the default): allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ]
   • If the L2TP group number is not 1: allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ]
   Remarks: By default, an LNS denies all incoming calls.
3. Configure mandatory CHAP authentication. Command: mandatory-chap. Remarks: By default, CHAP authentication is not performed on an LNS.
Configuring LCP renegotiation
In a NAS-initiated dial-up VPDN, a user first negotiates with the NAS at the start of a PPP session. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends user information to the LNS. The LNS then determines whether the user is valid according to the proxy authentication information received.
the LNS establishes a session according to the group configuration. Thus, different sessions can be established for VPN users of different domains.
If multiple L2TP groups on the LNS are configured with the same remote tunnel name, make sure that their tunnel authentication settings are the same. Mismatching tunnel authentication keys will result in tunnel establishment failure.
To enable L2TP for VPNs:
1. Enter system view. Command: system-view. Remarks: N/A
2. Enable L2TP for VPNs.
3. Set the hello interval. Command: tunnel timer hello hello-interval. Remarks: Optional. 60 seconds by default.
Enabling tunnel flow control
The L2TP tunnel flow control function controls data packet transmission by buffering and adjusting data packets arriving out of order.
To enable tunnel flow control:
1. Enter system view. Command: system-view. Remarks: N/A
2. Enter L2TP group view. Command: l2tp-group group-number. Remarks: N/A
3. Enable the tunnel flow control function.
Configuration example for NAS-initiated VPN
Network requirements
As shown in Figure 169, a VPN user accesses the corporate headquarters in the following procedure:
1. The user dials in to the NAS (LAC).
2. The NAS determines whether the user is a valid VPN client. If so, it initiates a tunneling request to the LNS.
3. After a tunnel is set up between the NAS and the LNS, the NAS transfers the results of its negotiation with the VPN user to the LNS.
4.
# Create a local user named vpdnuser, set the password, and enable the PPP service. The username and password must match those configured on the client.
system-view
[LNS] local-user vpdnuser
[LNS-luser-vpdnuser] password simple Hello
[LNS-luser-vpdnuser] service-type ppp
[LNS-luser-vpdnuser] quit
# Configure local authentication for the VPN user.
[LNS] domain system
[LNS-isp-system] authentication ppp local
[LNS-isp-system] ip pool 1 192.168.0.2 192.168.0.100
[LNS-isp-system] quit
# Enable L2TP.
Configuration example for client-initiated VPN
Network requirements
As shown in Figure 170, a VPN user accesses the corporate headquarters in the following procedure:
1. Configure an IP address and route for the user host, making sure that the host can reach the LNS.
2. The user initiates a tunneling request to the LNS.
3. After the LNS accepts the connection request, an L2TP tunnel is set up between the LNS and the VPN user.
4.
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1
2. Configure the VPN user host:
○ Configure the IP address of the user host as 2.1.1.1, and configure a route to the LNS (1.1.2.2).
○ Create a virtual private network connection by using the Windows system, or install the L2TP client software, such as WinVPN Client.
○ Complete the following configuration procedure (the procedure depends on the client software):
# Specify the VPN username as vpdnuser and the password as Hello.
Figure 171 Network diagram
Configuration procedure
1. Configure the LNS:
# Configure IP addresses for interfaces. (Details not shown.)
# Create a local user, configure a username and password for the user, and specify the service type as PPP.
system-view
[LNS] local-user vpdnuser
[LNS-luser-vpdnuser] password simple Hello
[LNS-luser-vpdnuser] service-type ppp
[LNS-luser-vpdnuser] quit
# Configure a VT interface.
[LNS] interface virtual-template 1
[LNS-virtual-template1] ip address 192.168.0.
[LAC] l2tp enable
[LAC] l2tp-group 1
# Configure the local tunnel name and specify the IP address of the tunnel peer (LNS).
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] start l2tp ip 3.3.3.2 fullusername vpdnuser
# Enable tunnel authentication and configure the authentication key.
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password simple aabbcc
[LAC-l2tp1] quit
# Configure the PPP authentication method PAP, authentication username vpdnuser, and password Hello for the virtual PPP user.
PING 10.2.0.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.0.1: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 10.2.0.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.2.0.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.2.0.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.2.0.1: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 10.2.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
[LAC-luser-vpdn2] service-type ppp
[LAC-luser-vpdn2] quit
# Configure local authentication for the users.
[LAC] domain aaa.net
[LAC-isp-aaa.net] authentication ppp local
[LAC-isp-aaa.net] quit
[LAC] domain bbb.net
[LAC-isp-bbb.net] authentication ppp local
[LAC-isp-bbb.net] quit
# Configure PPPoE servers on interface GigabitEthernet 0/1 and GigabitEthernet 0/3.
# Enable L2TP for VPNs.
[LNS] l2tpmoreexam enable
# Create two local users, set the passwords, and enable the PPP service.
[LNS] local-user vpdn1
[LNS-luser-vpdn1] password simple 11111
[LNS-luser-vpdn1] service-type ppp
[LNS-luser-vpdn1] quit
[LNS] local-user vpdn2
[LNS-luser-vpdn2] password simple 22222
[LNS-luser-vpdn2] service-type ppp
[LNS-luser-vpdn2] quit
# Specify the IP address of GigabitEthernet 0/1, through which the LNS connects to the tunnel, as 1.1.2.2.
[LNS-l2tp4] tunnel password simple 12345
If RADIUS authentication is required on the LNS, modify the AAA configurations as needed. For AAA configuration details, see Access Control Configuration Guide.
3. Configure the users:
Create a dial-up connection on each host:
○ On Host A, enter vpdn1@aaa.net as the username and 11111 as the password in the dial-up terminal window.
○ On Host B, enter vpdn2@aaa.net as the username and 22222 as the password in the dial-up terminal window.
4.
Analysis and solution
Possible reasons for login failure include:
• Tunnel setup failure, which may occur in the following cases:
  ○ The address of the LNS is set incorrectly on the LAC.
  ○ No L2TP group is configured on the LNS (usually a router) to receive calls from the tunnel peer. For details, see the description of the allow command.
  ○ Tunnel authentication fails.
Managing certificates
Overview
The PKI uses a general security infrastructure to provide information security through public key technologies. PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key pair consists of a private key and a public key. The private key must be kept secret but the public key needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
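The overview states the key-pair property that everything in this chapter builds on: data transformed with one key of the pair can only be reversed with the other, which is why a signature made with the private key can be checked by anyone holding the public key (the RSA signature authentication used in the IKE example later in this chapter). The following Python block is an added illustration, not code from this guide or from the HP firewall software: it implements textbook RSA with deliberately tiny constructed primes so the arithmetic can be followed by hand; the function names and the primes are assumptions of the example, and real devices generate 1024-bit or larger keys with padding, which this toy omits.

```python
from math import gcd

# Toy primes for illustration only (constructed; real key pairs use primes of 512+ bits each).
TOY_P, TOY_Q, TOY_E = 61, 53, 17


def generate_key_pair(p: int = TOY_P, q: int = TOY_Q, e: int = TOY_E):
    """Return (public_key, private_key) as (n, e) and (n, d), where d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def apply_key(key, value: int) -> int:
    """Raise value to the key's exponent modulo n; both keys use the same operation."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be in [0, n)")
    return pow(value, exp, n)


def encrypt(public_key, m: int) -> int:
    """Anyone with the distributed public key can encrypt."""
    return apply_key(public_key, m)


def decrypt(private_key, c: int) -> int:
    """Only the holder of the secret private key can recover m."""
    return apply_key(private_key, c)


def sign(private_key, m: int) -> int:
    """A signature is the private-key transform of (a hash of) the message."""
    return apply_key(private_key, m)


def verify(public_key, m: int, signature: int) -> bool:
    """Verification reverses the signature with the public key and compares."""
    return apply_key(public_key, signature) == m


if __name__ == "__main__":
    pub, priv = generate_key_pair()
    c = encrypt(pub, 65)
    print(pub, priv, c, decrypt(priv, c))          # (3233, 17) (3233, 2753) 2790 65
    print(decrypt(pub, c) == 65)                   # False: the public key cannot undo itself
    s = sign(priv, 65)
    print(verify(pub, 65, s), verify(pub, 66, s))  # True False
```

The two failing cases in the demo are the ones the overview's sentence is really about: applying the public key twice does not recover the plaintext, and a signature checks out only against the message it was made for. In a PKI the CA's certificate binds a public key to an entity so that a verifier knows whose private key produced a signature; the certificate itself is just such a signature by the CA over the entity's public key and identity.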
statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email. Because different CAs might use different methods to examine the binding of a public key with an entity, make sure you understand the CA policy before selecting a trusted CA for certificate request.
PKI architecture
A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in Figure 173.
PKI operation
In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check the validity of certificates. Here is how it works:
1. An entity submits a certificate request to the RA.
2. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA.
3. The CA verifies the digital signature, approves the application, and issues a certificate.
4.
Configuring PKI in the Web interface
Recommended configuration procedure
The device supports the following PKI certificate request modes:
• Manual—In manual mode, you need to manually retrieve the CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.
4. Retrieving the CA certificate
   Remarks: Required. Obtain the CA certificate and save it locally. For more information, see "Retrieving and displaying a certificate."
   Certificate retrieval serves the following purposes:
   • Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
   • Prepare for certificate verification.
Recommended configuration procedure for automatic request
1. Creating a PKI entity
   Remarks: Required. Create a PKI entity and configure the identity information.
   A certificate is the binding of a public key and the identity information of an entity, where the DN shows the identity information of the entity. A CA identifies a certificate applicant uniquely by an entity DN. The DN settings of an entity must be compliant to the CA certificate issue policy.
Figure 174 PKI entity list
2. Click Add.
Figure 175 PKI entity configuration page
3. Configure the parameters, as described in Table 26.
4. Click Apply.
Table 26 Configuration items
Entity Name: Enter the name for the PKI entity.
Common Name: Enter the common name for the entity.
IP Address: Enter the IP address of the entity.
FQDN: Enter the FQDN for the entity. An FQDN is a unique identifier of an entity on the network.
Organization Unit: Enter the unit name for the entity.
Creating a PKI domain
1. From the navigation tree, select VPN > Certificate Management > Domain.
Figure 176 PKI domain list
2. Click Add.
Figure 177 PKI domain configuration page
3. Configure the parameters, as described in Table 27.
4. Click Apply.
Table 27 Configuration items
Domain Name: Enter the name for the PKI domain.
CA Identifier: Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query.
  IMPORTANT:
  • In offline mode, this item is optional. In other modes, this item is required.
  • The CA identifier is required only when you retrieve a CA certificate. It is not used during local certificate request.
Select the local PKI entity.
Fingerprint Hash: Specify the fingerprint used for verifying the CA root certificate. After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
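The Fingerprint Hash item is the one defence the device has against accepting a wrong or substituted CA root certificate during retrieval, since the root certificate cannot be validated by any higher authority. The following Python block is an added example, not code from this guide or from the HP firewall software: it performs the same check the item describes, hashing the whole DER-encoded certificate with MD5 or SHA-1 (the two hashes the domain page offers), normalising the fingerprint as an operator would paste it from the CA (colon- or space-separated, either case), and comparing in constant time. The sample certificate bytes are a constructed placeholder rather than a real X.509 certificate, and the function names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import re


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and base64-decode the body; the fingerprint is taken over the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; keep only the hex digits, lower-cased."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def certificate_fingerprint(cert_der: bytes, algo: str) -> str:
    """Fingerprint = hash of the whole DER-encoded certificate; the device offers MD5 and SHA-1."""
    if algo.lower() not in ("md5", "sha1"):
        raise ValueError("fingerprint hash must be md5 or sha1")
    return hashlib.new(algo.lower(), cert_der).hexdigest()


def verify_root_certificate(cert_der: bytes, configured_fp: str, algo: str) -> bool:
    """The check the entity performs on a retrieved CA root certificate: accept only on exact match."""
    expected = normalize_fingerprint(configured_fp)
    digest_len = {"md5": 32, "sha1": 40}[algo.lower()]
    if len(expected) != digest_len:
        return False                       # a malformed configured fingerprint never matches
    actual = certificate_fingerprint(cert_der, algo)
    return hmac.compare_digest(actual, expected)


def colon_fingerprint(cert_der: bytes, algo: str) -> str:
    """Render as AB:CD:.. the way a CA operator usually publishes it (what you paste into the domain)."""
    hexd = certificate_fingerprint(cert_der, algo).upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


# Constructed stand-in for a retrieved CA certificate. A real one is X.509 DER; any bytes
# exercise the fingerprint logic the same way.
SAMPLE_CERT_DER = b"placeholder bytes standing in for a CA root certificate in DER form"
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_CERT_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    published = colon_fingerprint(SAMPLE_CERT_DER, "sha1")     # value obtained out of band from the CA
    print(published)
    print(verify_root_certificate(pem_to_der(SAMPLE_CERT_PEM), published, "sha1"))   # True
    print(verify_root_certificate(SAMPLE_CERT_DER + b"x", published, "sha1"))        # False
```

Two practical points follow from the code. The fingerprint must be obtained out of band (the CA operator, a phone call, a trusted document), never from the same channel that delivers the certificate, otherwise the check proves nothing. And the algorithm configured in the domain must match the one the published fingerprint was produced with: a SHA-1 fingerprint entered into an MD5 domain, or the reverse, can never match and the retrieval will be rejected rather than silently accepted.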
Hardware: Maximum number of PKI domains
U200-A: 32
U200-S: 32
Generating an RSA key pair
1. From the navigation tree, select VPN > Certificate Management > Certificate.
Figure 178 Certificate list
2. Click Create Key.
Figure 179 RSA key pair generation page
3. Enter the key length.
4. Click Apply.
Requesting a local certificate
1. From the navigation tree, select VPN > Certificate Management > Certificate.
2. Click Request Cert.
Figure 180 Local certificate request page
3. Configure the parameters, as described in Table 28.
4. Click Apply.
Table 28 Configuration items
Domain Name: Select the PKI domain for the certificate.
Password: Enter the password for certificate revocation.
Click this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
Figure 182 RSA key pair destruction page
Retrieving and displaying a certificate
You can retrieve an existing CA certificate or local certificate from the CA server and save it locally. To do so, you can use offline mode or online mode. In offline mode, you must retrieve a certificate by an out-of-band means like FTP, disk, or email and then import it to the device. By default, the retrieved certificate is saved in a file under the root directory of the device, and the file name is domain-name_ca.
Password: Enter the password for protecting the private key, which was specified when the certificate was exported.
After retrieving the certificate, click View Cert for the certificate to display its information.
Figure 184 Certificate information
Retrieving and displaying a CRL
1. From the navigation tree, select VPN > Certificate Management > CRL.
2. Click Retrieve CRL to retrieve the CRL of a domain.
Figure 186 CRL information
Certificate request from a Windows 2003 CA server configuration example
Network requirements
As shown in Figure 187, configure the firewall to work as the PKI entity, so that:
• The firewall submits a local certificate request to the CA server, which runs the Windows 2003 server operating system.
• The firewall retrieves CRLs for certificate verification.
Figure 187 Network diagram
Configuring the CA server
1. Install the CA server component:
a.
2. Install the SCEP add-on: Because a CA server running the Windows 2003 server operating system does not support SCEP by default, you must install the SCEP add-on to provide the firewall with automatic certificate registration and retrieval. After the add-on is installed, a prompt dialog box appears, displaying the URL of the registration server configured on the firewall.
3. Modify the certificate service properties:
a.
Figure 188 Creating a PKI entity
2. Create a PKI domain:
a. From the navigation tree, select VPN > Certificate Management > Domain.
b. Click Add.
c. In the upper area of the page, enter torsa as the PKI domain name, enter CA server as the CA identifier, select aaa as the local entity, select RA as the authority for certificate request, enter http://4.4.4.1:8080/certsrv/mscep/mscep.dll as the URL for certificate request (the URL must be in the format of http://host:port/certsrv/mscep/mscep.
Figure 189 Creating a PKI domain
3. Generate an RSA key pair:
a. From the navigation tree, select VPN > Certificate Management > Certificate.
b. Click Create Key.
c. Enter 1024 as the key length.
d. Click Apply to generate an RSA key pair.
Figure 190 Generating an RSA key pair
4. Retrieve the CA certificate:
a. From the navigation tree, select VPN > Certificate Management > Certificate.
b. Click Retrieve Cert.
c. Select torsa as the PKI domain, select CA as the certificate type, and click Apply.
Figure 191 Retrieving the CA certificate
5. Request a local certificate:
a. From the navigation tree, select VPN > Certificate Management > Certificate.
b. Click Request Cert.
c. Select torsa as the PKI domain, and click Apply.
d. The system displays "Certificate request has been submitted."
e. Click OK to confirm.
Figure 192 Requesting a certificate
Verifying the configuration
1. From the navigation tree, select VPN > Certificate Management > Certificate.
2.
Figure 193 Detailed information about the local certificate
Certificate request from an RSA Keon CA server configuration example
Network requirements
As shown in Figure 194, configure the firewall working as the PKI entity, so that:
• The firewall submits a local certificate request to the CA server, which runs the RSA Keon software.
• The firewall retrieves CRLs for certificate verification.
Figure 194 Network diagram
Configuring the CA server
1. Create a CA server named myca.
Figure 195 Creating a PKI entity
2. Create a PKI domain:
a. From the navigation tree, select VPN > Certificate Management > Domain.
b. Click Add.
c. In the upper area of the page, enter torsa as the PKI domain name, enter myca as the CA identifier, select aaa as the local entity, select CA as the authority for certificate request, enter http://4.4.4.
Figure 196 Creating a PKI domain
3. Generate an RSA key pair:
a. From the navigation tree, select VPN > Certificate Management > Certificate.
b. Click Create Key.
c. Enter 1024 as the key length.
d. Click Apply to generate an RSA key pair.
Figure 197 Generating an RSA key pair
4. Retrieve the CA certificate:
a. From the navigation tree, select VPN > Certificate Management > Certificate.
b. Click Retrieve Cert.
c. Select torsa as the PKI domain, select CA as the certificate type, and click Apply.
Figure 198 Retrieving the CA certificate
5. Request a local certificate:
a. From the navigation tree, select VPN > Certificate Management > Certificate.
b. Click Request Cert.
c. Select torsa as the PKI domain, select Password and then enter "challenge-word" as the password, and click Apply.
d. The system displays "Certificate request has been submitted."
e. Click OK to confirm.
Figure 199 Requesting a certificate
6. Retrieve the CRL:
a.
IKE negotiation with RSA digital signature configuration example 256B Network requirements 52B An IPsec tunnel is set up between Firewall A and Firewall B to secure the traffic between Host A on subnet 10.1.1.0/24 and Host B on subnet 11.1.1.0/24. Firewall A and Firewall B use IKE for IPsec tunnel negotiation and RSA digital signature of a PKI certificate system for identity authentication. Firewall A and Firewall B use different CAs. They may also use the same CA as required.
Figure 202 Creating a PKI entity 2. Create a PKI domain: a. From the navigation tree, select VPN > Certificate Management > Domain. b. Click Add. c. In the upper area of the page, enter 1 as the PKI domain name, enter CA1 as the CA identifier, select en as the local entity, select RA as the authority for certificate request, enter http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request (the RA URL given here is just an example. Configure the RA URL as required), enter 1.1.1.
Figure 203 Creating a PKI domain 3. Generate an RSA key pair: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Create Key. c. Enter 1024 as the key length. d. Click Apply to generate an RSA key pair. Figure 204 Generating an RSA key pair 4. Retrieve the CA certificate: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Retrieve Cert. c. Select 1 as the PKI domain, select CA as the certificate type, and click Apply.
Figure 205 Retrieving the CA certificate 5. Request a local certificate: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Request Cert. c. Select 1 for the PKI domain, and click Apply. d. The system displays "Certificate request has been submitted." e. Click OK to confirm. Figure 206 Requesting a local certificate 6. Retrieve the CRL: a. From the navigation tree, sfter retrieving a local certificate, select VPN > Certificate Management > CRL. b.
Figure 208 Creating an IKE proposal
8. Configure an IKE peer and reference the PKI domain configuration for the IKE peer:
a. From the navigation tree, select VPN > IKE > Peer.
b. Click Add.
c. Enter peer as the peer name, select PKI Domain and then select PKI domain 1, and click Apply.
Configuring Firewall B
The configuration for Firewall B is similar to that for Firewall A.
1. Create a PKI entity:
a. From the navigation tree, select VPN > Certificate Management > Entity.
b. Click Add.
c. Enter en as the PKI entity name, enter device-b as the common name, enter 3.3.3.1 as the IP address of the entity, and click Apply.
2. Create a PKI domain:
a. From the navigation tree, select VPN > Certificate Management > Domain.
b. Click Add.
c. The configuration page appears.
d.
b. Click Retrieve CRL corresponding to PKI domain 1.
7. Configure IKE proposal 1, using RSA signature for identity authentication:
a. From the navigation tree, select VPN > IKE > Proposal.
b. Click Add.
c. Enter 1 as the IKE proposal number, select RSA Signature as the authentication method, and click Apply.
8. Configure an IKE peer and reference the PKI domain configuration for the IKE peer:
a. From the navigation tree, select VPN > IKE > Peer.
b. Click Add.
c.
• FQDN of the entity, a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www is a host name and whatever.com a domain name.
• IP address of the entity.
• Locality where the entity resides.
• Organization to which the entity belongs.
• Unit of the entity in the organization.
• State where the entity resides.
Configuring a PKI domain
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance. The PKI domain configured on a device is invisible to the CA and other devices, and each PKI domain has its own parameters.
Step 7. Configure the polling interval and attempt limit for querying the certificate request status.
   Command: certificate request polling { count count | interval minutes }
   Remarks: Optional. By default, the polling is executed up to 50 times at an interval of 20 minutes.
Step 8. Specify the LDAP server.
   Command: ldap-server ip ip-address [ port port-number ] [ version version-number ]
   Remarks: Optional.
Step 9. Configure the fingerprint for root certificate verification.
To configure automatic certificate request:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enter PKI domain view.
   Command: pki domain domain-name
   Remarks: N/A
Step 3. Set the certificate request mode to auto.
   Command: certificate request mode auto [ key-length key-length | password { cipher | simple } password ] *
   Remarks: Manual by default.
Requesting a certificate in manual mode
In manual mode, you must submit a local certificate request for an entity.
Step 5. Retrieve a CA certificate manually.
   Command: See "Retrieving a certificate manually."
   Remarks: N/A
Step 6. Generate a local RSA key pair.
   Command: public-key local create rsa
   Remarks: No local RSA key pair exists by default.
Step 7. Submit a local certificate request manually.
   Command: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
   Remarks: This command is not saved in the configuration file.
NOTE: In FIPS mode, you cannot import an MD5 certificate.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking, CRLs will be used in verification of a certificate. In this case, be sure to retrieve the CA certificate and CRLs to the local device before the certificate verification. If you disable CRL checking, you only need to retrieve the CA certificate. The CRL update period defines the interval at which the entity downloads CRLs from the CRL server.
Destroying the local RSA key pair
A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate is about to expire, you can destroy the old RSA key pair and then create a new pair to request a new certificate.
To destroy the local RSA key pair:
Step 1. Enter system view.
   Command: system-view
Step 2. Destroy a local RSA key pair.
Displaying PKI
Task: Display the contents or request status of a certificate.
   Command: display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display CRLs.
   Command: display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display information about one or all certificate attribute groups.
After completing the configuration, perform the CRL-related configurations. In this example, select HTTP as the local CRL distribution mode and set the HTTP URL to http://4.4.4.133:447/myca.crl. After the configuration, make sure the system clock of the firewall is synchronized with that of the CA, so that the firewall can request certificates and retrieve CRLs properly.
Configuring the firewall
1.
SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment......
CA certificates retrieval success.
# Retrieve CRLs and save them locally.
[Firewall] pki retrieval-crl domain torsa
Connecting to server for retrieving CRL. Please wait a while.....
CRL retrieval success!
# Request a local certificate manually.
73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C 2B
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
URI:http://4.4.4.133:447/myca.
b. If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA.
c. Right-click the CA server in the navigation tree and select Properties > Policy Module.
d. Click Properties and select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
4. Modify the Internet Information Services (IIS) attributes:
a.
++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++
4. Apply for certificates:
# Retrieve the CA certificate and save it locally.
[Firewall] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while......
10242FDD D3947F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9
CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439
78ECEFE1 7FA9AE7B 877B50B8 3280509F 6B
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1
X509v3 Authority Key Identifier:
keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE
X509v3 CRL Distribution Points:
URI:http://l00192b/CertEnroll/CA%20server.crl
URI:file://\\l00192b\CertEnroll\CA server.
Figure 212 Network diagram
Configuration procedure
1. Configure Firewall A:
# Configure the entity DN.
system-view
[FirewallA] pki entity en
[FirewallA-pki-entity-en] ip 2.2.2.1
[FirewallA-pki-entity-en] common-name firewalla
[FirewallA-pki-entity-en] quit
# Configure the PKI domain. The URL of the registration server is for illustration only.
[FirewallA] pki domain 1
[FirewallA-pki-domain-1] ca identifier CA1
[FirewallA-pki-domain-1] certificate request url http://1.1.1.
[FirewallA] pki retrieval-crl domain 1
[FirewallA] pki request-certificate domain 1
# Configure IKE proposal 1, using RSA signature for identity authentication.
[FirewallA] ike proposal 1
[FirewallA-ike-proposal-1] authentication-method rsa-signature
[FirewallA-ike-proposal-1] quit
# Specify the PKI domain for the IKE peer.
[FirewallA] ike peer peer
[FirewallA-ike-peer-peer] certificate domain 1
2. Configure Firewall B:
# Configure the entity DN.
Certificate attribute-based access control policy configuration example
Network requirements
The client accesses the remote Hypertext Transfer Protocol Secure (HTTPS) server through the HTTPS protocol. Configure SSL to make sure only legitimate clients log in to the HTTPS server. Create a certificate attribute-based access control policy to control access to the HTTPS server.
[Firewall-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[Firewall-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[Firewall-pki-cert-attribute-group-mygroup2] quit
3.
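To make the matching semantics of a certificate attribute group concrete, the following is an added Python model (not HP code and not part of this guide) that evaluates rules of the form shown above against the fields of a certificate. It assumes, from the Comware command syntax rather than from this page, that the operators are ctn, nctn, equ and nequ, that a group matches only when all of its attribute rules match, and that an access control policy applies its permit/deny rules in order with a configurable default action; the certificate field values are constructed.

```python
"""Added example (not HP's code): evaluate PKI certificate attribute groups
and a certificate attribute-based access control policy.

Assumptions (not stated on this page): operators are ctn (contains),
nctn (does not contain), equ (equals) and nequ (not equal); a group matches
only when every attribute rule in it matches; a policy checks its rules in
order and falls back to a default action.  Matching is case-sensitive here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A certificate is reduced to the fields the rules can name:
#   name  -> "subject-name" | "issuer-name" | "alt-subject-name"
#   kind  -> "dn" | "fqdn" | "ip"
#   value -> list of strings (a SubjectAltName may carry several)
CertFields = Dict[str, Dict[str, List[str]]]


@dataclass(frozen=True)
class AttributeRule:
    rule_id: int
    name: str
    kind: str
    operator: str
    value: str


def attribute_matches(cert: CertFields, rule: AttributeRule) -> bool:
    """Apply one 'attribute <id> <name> <kind> <op> <value>' rule."""
    values = cert.get(rule.name, {}).get(rule.kind, [])
    if rule.operator == "ctn":
        return any(rule.value in v for v in values)
    if rule.operator == "nctn":
        return not any(rule.value in v for v in values)
    if rule.operator == "equ":
        return any(rule.value == v for v in values)
    if rule.operator == "nequ":
        return not any(rule.value == v for v in values)
    raise ValueError(f"unknown operator {rule.operator!r}")


def group_matches(cert: CertFields, group: List[AttributeRule]) -> bool:
    """A certificate attribute group matches when all of its rules match."""
    return all(attribute_matches(cert, r) for r in group)


def policy_decision(cert: CertFields, policy: List[Tuple[str, str]],
                    groups: Dict[str, List[AttributeRule]],
                    default: str = "deny") -> str:
    """policy: ordered (action, group_name) rules; the first matching group wins."""
    for action, group_name in policy:
        if group_matches(cert, groups[group_name]):
            return action
    return default


# The group configured on the page:
#   attribute 1 alt-subject-name fqdn nctn apple
#   attribute 2 issuer-name dn ctn aabbcc
GROUPS = {
    "mygroup2": [
        AttributeRule(1, "alt-subject-name", "fqdn", "nctn", "apple"),
        AttributeRule(2, "issuer-name", "dn", "ctn", "aabbcc"),
    ],
}
# Constructed policy: only certificates matching mygroup2 are permitted.
POLICY: List[Tuple[str, str]] = [("permit", "mygroup2")]

# Constructed certificate fields for three hypothetical clients.
CERT_OK = {
    "subject-name": {"dn": ["CN=host1,O=Example"]},
    "issuer-name": {"dn": ["CN=aabbcc-CA,O=Example"]},
    "alt-subject-name": {"fqdn": ["host1.example.com"]},
}
CERT_BAD_SAN = {  # an FQDN containing "apple" violates rule 1 (nctn)
    "subject-name": {"dn": ["CN=host2,O=Example"]},
    "issuer-name": {"dn": ["CN=aabbcc-CA,O=Example"]},
    "alt-subject-name": {"fqdn": ["apple.example.com"]},
}
CERT_OTHER_CA = {  # issuer DN lacks "aabbcc", violates rule 2 (ctn)
    "subject-name": {"dn": ["CN=host3,O=Example"]},
    "issuer-name": {"dn": ["CN=Other-CA,O=Example"]},
    "alt-subject-name": {"fqdn": ["host3.example.com"]},
}


def evaluate_all() -> Dict[str, str]:
    """Return the policy decision for each constructed certificate."""
    return {
        "ok": policy_decision(CERT_OK, POLICY, GROUPS),
        "bad_san": policy_decision(CERT_BAD_SAN, POLICY, GROUPS),
        "other_ca": policy_decision(CERT_OTHER_CA, POLICY, GROUPS),
    }


if __name__ == "__main__":
    for label, decision in evaluate_all().items():
        print(f"{label}: {decision}")
```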
Failed to request a local certificate
Symptom
Failed to request a local certificate.
Analysis
Possible reasons include:
• The network connection is not proper. For example, the network cable might be damaged or loose.
• No CA certificate has been retrieved.
• The current key pair has been bound to a certificate.
• No trusted CA is specified.
• The URL of the registration server for certificate request is not correct or not configured.
5. Re-configure the LDAP version.
6. Configure the correct DNS server that can resolve the domain name of the CRL distribution point.
Managing public keys
Public keys can be configured only at the CLI.
Overview
To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plaintext data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 214.
Task: Configuring a local asymmetric key pair on the local device
   Creating a local asymmetric key pair
   Displaying or exporting the local host public key
   Destroying a local asymmetric key pair
   Remarks: Choose one or more tasks.
If your local device functions to authenticate the peer device, you must specify the peer public key on the local device. For more information, see "Specifying the peer public key on the local device."
Displaying and recording the host public key information
Task: Display the local RSA public keys.
   Command: display public-key local rsa public [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the local DSA host public key.
After you export a host public key in a specific format to a file, transfer the file to the peer device.
Destroying a local asymmetric key pair
You may have to destroy a local asymmetric key pair and generate a new pair when an intrusion event has occurred, the storage media of the device is replaced, the asymmetric key has been used for a long time, or the local certificate expires. For more information about the local certificate, see "Managing certificates."
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Specify a name for the public key and enter public key view.
   Command: public-key peer keyname
   Remarks: N/A
Step 3. Enter public key code view.
   Command: public-key-code begin
   Remarks: N/A
Step 4. Configure the peer public key.
   Command: Type or copy the key.
   Remarks: Spaces and carriage returns are allowed between characters.
Step 5. Return to public key view.
   Command: public-key-code end
   Remarks: When you exit public key code view, the system automatically saves the public key.
Step 6. Return to system view.
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the local RSA key pairs.
[DeviceB-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100 D900
03FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E5 1E5E
353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62 DB12
5035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A 1020
3010001
[DeviceB-pkey-key-code] public-key-code end
[DeviceB-pkey-public-key] peer-public-key end
# Display the host public key of Device A saved on Device B.
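The following is an added Python check (not HP code and not part of this guide) that takes the peer host public key exactly as it is pasted above, with the spaces and line breaks that public key code view tolerates, parses the DER SubjectPublicKeyInfo and reports the modulus length and public exponent, so an operator can confirm the pasted text is the expected 1024-bit RSA key before public-key-code end commits it. Only the key text comes from the page; the parser and the summary function are this example's own.

```python
"""Added example (not HP's code): sanity-check a peer host public key pasted
in public key code view.  The device accepts the hex DER SubjectPublicKeyInfo
with spaces and line breaks anywhere; this parser strips them, walks the DER
structure and reports the RSA modulus size and public exponent.
"""

# Device A's host public key exactly as shown in the page's Device B session
# (the whitespace is the display's line wrapping, which the device ignores).
DEVICE_A_KEY_TEXT = """
30819F300D06092A864886F70D010101050003818D0030818902818100 D900
03FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E5 1E5E
353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62 DB12
5035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A 1020
3010001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def clean_hex(text: str) -> str:
    """Remove the spaces and carriage returns allowed between characters."""
    return "".join(text.split())


def _tlv(buf: bytes, pos: int):
    """Decode the DER tag/length at buf[pos]; return (tag, value_start, value_end).
    Handles short-form and multi-byte long-form lengths (enough for RSA keys)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, pos, pos + length


def _expect(buf: bytes, pos: int, wanted_tag: int, what: str):
    """Decode the TLV at pos and insist on a particular tag."""
    tag, start, end = _tlv(buf, pos)
    if tag != wanted_tag:
        raise ValueError(f"{what}: expected tag 0x{wanted_tag:02X}, got 0x{tag:02X}")
    return start, end


def parse_rsa_spki(text: str):
    """Return (modulus, exponent) from a hex SubjectPublicKeyInfo for rsaEncryption."""
    der = bytes.fromhex(clean_hex(text))
    s, e = _expect(der, 0, 0x30, "SubjectPublicKeyInfo")
    if e != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg_s, alg_e = _expect(der, s, 0x30, "AlgorithmIdentifier")
    oid_s, oid_e = _expect(der, alg_s, 0x06, "algorithm OID")
    if der[oid_s:oid_e] != RSA_ENCRYPTION_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    bits_s, bits_e = _expect(der, alg_e, 0x03, "subjectPublicKey BIT STRING")
    if der[bits_s] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    rsa_s, rsa_e = _expect(der, bits_s + 1, 0x30, "RSAPublicKey")
    n_s, n_e = _expect(der, rsa_s, 0x02, "modulus")
    e_s, e_e = _expect(der, n_e, 0x02, "publicExponent")
    if e_e != rsa_e:
        raise ValueError("unexpected extra fields in RSAPublicKey")
    return int.from_bytes(der[n_s:n_e], "big"), int.from_bytes(der[e_s:e_e], "big")


def key_summary(text: str) -> dict:
    """The values an operator compares against the peer's own display output."""
    n, exp = parse_rsa_spki(text)
    return {
        "modulus_bits": n.bit_length(),
        "exponent": exp,
        "modulus_hex_prefix": f"{n:X}"[:8],
    }


if __name__ == "__main__":
    print(key_summary(DEVICE_A_KEY_TEXT))
```

A key that was cut short while pasting fails the parse with a ValueError rather than being accepted, which is the case this check exists for.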
system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the local RSA key pairs.
[DeviceA-luser-ftp] service-type ftp
[DeviceA-luser-ftp] authorization-attribute level 3
[DeviceA-luser-ftp] quit
3. On Device B, get the public key file of Device A:
# From Device B, use FTP to log in to Device A, and get the public key file devicea.pub with the file transfer mode of binary.
ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
Configuring SSL VPN
Feature and hardware compatibility
Hardware: SSL VPN compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: No
Firewall module: No
U200-A: Yes
U200-S: Yes
Overview
SSL VPN is a VPN technology based on SSL. It works between the transport layer and the application layer.
How SSL VPN works
SSL VPN works in the following procedure:
1. The administrator logs in to the Web interface of the SSL VPN gateway, and then creates resources to represent resources on the internal servers.
2. A remote user establishes an HTTPS connection to the SSL VPN gateway. The SSL VPN gateway and the remote user authenticate each other by using the certificate-based authentication function provided by SSL.
3.
Granular access control of network resources
On the SSL VPN gateway, you can configure multiple resources and users, add resources to resource groups, add users to user groups, and assign resource groups to user groups. After a user logs in, the SSL VPN gateway finds the user groups to which the user belongs, and checks the resource groups assigned to the user groups to determine which resources to provide for the user.
SSL VPN configuration example at the CLI
Network requirements
As shown in Figure 218, configure SSL and enable the SSL VPN service on the SSL VPN gateway, so that users can log in to the Web interface of the SSL VPN gateway through HTTPS and then access the internal resources of the corporate network through the SSL VPN gateway.
In this configuration example:
• The IP address of the SSL VPN gateway is 10.1.1.1/24.
• The IP address of the Certificate Authority (CA) is 10.2.1.1/24.
# Retrieve the CA certificate.
[Firewall] pki retrieval-certificate ca domain sslvpn
# Apply for a certificate for the firewall.
[Firewall] pki request-certificate domain sslvpn
2. Configure an SSL server policy for the SSL VPN service:
# Configure an SSL server policy named myssl, and specify the policy to use PKI domain sslvpn.
[Firewall] ssl server-policy myssl
[Firewall-ssl-server-policy-myssl] pki-domain sslvpn
[Firewall-ssl-server-policy-myssl] quit
3.
Recommended configuration procedure
Step 1. Configuring the SSL VPN service
   Remarks: Required. Enable SSL VPN, and configure the port number for the SSL VPN service and the PKI domain to be used.
Step 2. Configure the resources for users to access:
   Configuring Web proxy server resources
   Configuring TCP application resources
   Configuring IP network resources
   Remarks: Required. Configure at least one type of resource. By default, no resources are configured.
Step 9. Configuring a security policy
   Remarks: Optional. Configure the check items and protected resources for a security policy. Only user hosts that pass the security policy's check can access the configured resources.
   IMPORTANT: To perform security checks for user hosts, you must also enable security check in the domain policy.
Step 10. Customizing the SSL VPN user interface
   Remarks: Optional. Customize service interfaces for SSL VPN users.
A page that lists the Web proxy server resources appears, as shown in Figure 220.
Figure 220 Web proxy server resources list
2. Click Add to enter the page for adding a Web proxy server resource.
Figure 221 Adding a Web proxy server resource
3. Configure the Web proxy server resource as described in Table 32.
Table 32 Configuration items
Enter a name for the Web proxy server resource. The resource name must be unique in the SSL VPN system.
Website Matching Pattern: Specify website matching patterns to determine which webpages a user can access through the website specified in the Website Address field. Website matching supports fuzzy match based on the wildcard *. Use vertical bars (|) to separate multiple matching patterns. Assume that you have specified a website address in the Website Address field. To allow access to specific webpages provided at the website, for example, the webpages www.domain1.com, www.domain2.com, www.
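An added Python illustration (not HP code and not part of this guide) of how a Website Matching Pattern field can be interpreted: patterns separated by |, * as a wildcard, each checked against the host of a requested URL. Anchoring every pattern to the whole host name and comparing case-insensitively are this example's assumptions, shown because an unanchored wildcard would also admit look-alike hosts such as www.domain1.com.example.net; the pattern string and URLs are constructed.

```python
"""Added example (not HP's code): interpret an SSL VPN Website Matching
Pattern field.  Patterns are separated by '|', and '*' is a wildcard that
matches any run of characters.  Assumptions: each pattern must match the
whole host name of the requested URL (anchored), and host names compare
case-insensitively, as DNS names do.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse


def compile_patterns(pattern_field: str) -> List["re.Pattern[str]"]:
    """Turn 'www.domain1.com|*.domain2.com' into a list of anchored regexes."""
    compiled = []
    for pattern in pattern_field.split("|"):
        pattern = pattern.strip()
        if not pattern:
            continue  # tolerate a stray or trailing separator
        # Escape every literal piece; only '*' becomes a regex wildcard.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        compiled.append(re.compile(regex, re.IGNORECASE))
    return compiled


def host_allowed(url: str, pattern_field: str) -> bool:
    """True when the URL's host fully matches at least one configured pattern."""
    host = urlparse(url).hostname or ""
    return any(p.fullmatch(host) for p in compile_patterns(pattern_field))


def classify(urls: List[str], pattern_field: str) -> Dict[str, bool]:
    """Decision per URL, e.g. for reviewing a proposed pattern before applying it."""
    return {url: host_allowed(url, pattern_field) for url in urls}


# Constructed pattern field and requests for a quick review.
PATTERN_FIELD = "www.domain1.com|*.domain2.com"
SAMPLE_URLS = [
    "https://www.domain1.com/index.html",
    "http://MAIL.domain2.com/inbox",
    "https://www.domain1.com.example.net/",   # look-alike: must be refused
    "https://domain2.com/",                   # no subdomain: '*.domain2.com' needs one
]

if __name__ == "__main__":
    for url, allowed in classify(SAMPLE_URLS, PATTERN_FIELD).items():
        print(f"{'allow' if allowed else 'deny ':5} {url}")
```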
Login Request Path:
• When you select the IP network mode, this item specifies the path that the system submits during single login. If you leave this field blank, the system uses the address that is specified in the Website Address field.
• When the IP network mode is not selected, this item specifies the relative path of the Web proxy website. If you leave this field blank, the SSL VPN system uses the default page specified in the Default Page field.
Figure 223 Remote access service resource list
b. Click Add to enter the page for adding a remote access service.
Figure 224 Adding a remote access service
c. Configure the remote access service as described in Table 34.
d. Click Apply.
Table 34 Configuration items
Enter a name for the remote access service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Command: Configure the Windows command for the resource. After you configure the command, users can start the related application to access the remote server by clicking the resource name on the SSL VPN service interface. For example, you can configure the command for a Telnet service in the format telnet , such as telnet 127.0.0.1 2300.
2.
Table 35 Configuration items
Resource Name: Enter a name for the desktop sharing service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
Figure 228 Adding an email service resource
d. Configure the email service as described in Table 36.
e. Click Apply.
Table 36 Configuration items
Enter a name for the email service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Figure 229 Notes services
c. Click Add to enter the page for adding a Notes service.
Figure 230 Adding a Notes service resource
d. Configure the Notes service as described in Table 37.
e. Click Apply.
Table 37 Configuration items
Enter a name for the Notes service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Command: Configure the command for the resource. Users must manually start the Notes service application, so you do not need to configure this item.
5. Configure a common TCP service resource:
The common TCP service of SSL VPN is designed to support various client/server applications. It is widely used to access client/server TCP applications other than the ones previously mentioned.
Table 38 Configuration items
Resource Name: Enter a name for the common TCP service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
Task: Configure a predefined domain name
   Remarks: Optional. With a predefined domain name configured, the gateway sends the mapping between the predefined domain name and the IP address to clients. When accessing this domain, a client directly uses the corresponding IP address, eliminating the need for DNS resolution.
1. Configure global parameters:
a. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
Show Network Services by: Specify how to display network services for online users.
• Description: Shows the description information of the network services that host resources allow users to access.
• IP address: Shows the destination address, subnet mask, and protocol type of the network services that host resources allow users to access.
2. Configure host resources:
a. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
b.
e. Click Add under the Network Services list. The following dialog box appears:
Figure 236 Adding an available network service
f. Configure the network service as described in Table 40.
Table 40 Configuration items
Destination IP: Enter the destination address of the network service.
Subnet Mask: Enter the subnet mask of the network service.
Protocol: Specify the protocol type of the network service: IP, TCP, or UDP.
Enter a description for the network service.
3. Configure a user-IP binding:
a. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
b. Click the User-IP Binding tab to view existing user-IP bindings, as shown in Figure 238.
Figure 238 User-IP bindings
c. Click Add to enter the page for adding a user-IP binding.
Figure 239 Adding a user-IP binding
d. Configure the user-IP binding as described in Table 41.
e. Click Apply.
Figure 240 Predefined domain names
c. Click Add to enter the page for adding a predefined domain name.
Figure 241 Adding a predefined domain name
d. Configure the predefined domain name as described in Table 42.
e. Click Apply.
Table 42 Configuration items
Domain Name: Enter a domain name to be issued to clients.
Select the IP setting method: Dynamic or Static.
Figure 242 Resource groups
2. Click Add to enter the page for adding a resource group.
Figure 243 Adding a resource group
3. Configure the resource group as described in Table 43.
4. Click Apply.
Table 43 Configuration items
Resource Group Name: Enter a name for the resource group.
Selected Resources / Available Resources: Specify resources for the resource group.
Configuring local users
Configure SSL VPN users for local authentication in either of the following ways:
• Configure local users one by one in the SSL VPN system. In this method, you can configure all parameters for a user at the same time, including the username, password, the certificate and MAC addresses to be bound, public account settings, user status, and user groups.
• Write the information of the users into a text file, and then import the users to the SSL VPN system.
Figure 245 Adding a local user
c. Configure the local user as described in Table 44.
d. Click Apply.
Table 44 Configuration items
Username: Enter a name for the local user.
Description: Enter a description for the local user.
Password / Confirm Password: Specify a password for the local user and enter the password again to confirm the password.
Certificate SN: Specify a certificate sequence number for the local user.
Enable public account: Select this item to set the local user account as a public account. A public account can be concurrently used by multiple users to log in to the SSL VPN system. If you do not select this item, only one user can use the local user account to log in to the SSL VPN system at a time.
Max Number of Users: Set the maximum number of concurrent users that can log in to the SSL VPN system by using the public account. The value range depends on the device model.
Figure 246 Batch import of local users
Configuring a user group
1. Select VPN > SSL VPN > User Management > User Group from the navigation tree. The user group list page appears, as shown in Figure 247.
Figure 247 User groups
2. Click Add to add a user group.
Figure 248 Adding a user group
3. Configure the user group as described in Table 46.
4. Click Apply.
Table 46 Configuration items
User Group Name: Enter a name for the user group.
Selected Resource Groups / Available Resources: Select resource groups for the user group. Users in the user group are able to access the resources in the selected resource groups.
Selected Local Users / Available Local Users: Select local users for the user group.
Viewing user information
1. View online user information and log out an online user:
Select VPN > SSL VPN > User Management > User Information from the navigation tree. The Online Users tab appears, showing the information of the current online users.
Figure 249 Online users
Table 47 Field description
Login Time: Time when the user logged in to the SSL VPN system.
Username: Username of the user, with the domain name.
IP Address: IP address of the user host.
2.
• Domain policy—Defines the common parameters and functions for the SSL VPN domain.
• Caching policy—Specifies which cached contents to clear from user hosts when users log out from the SSL VPN system.
• Bulletin management—Allows you to provide different information to different users.
1. Configure the domain policy:
a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. The Domain Policy tab appears, as shown in Figure 251.
Figure 251 Domain policy
b.
Enable MAC address binding: Select this item to enable MAC address binding. With MAC address binding enabled, the SSL VPN system obtains the MAC address of a user when the user logs in, for user identity authentication or MAC address learning.
Select this item to enable automatic login.
Figure 252 Caching policy
3. Configure a bulletin:
a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree.
b. Click the Bulletin Management tab. The bulletin management page appears, as shown in Figure 253.
Figure 253 Bulletin management
c. Click Add to add a new bulletin, as shown in Figure 254.
Figure 254 Adding a bulletin
d. Configure the bulletin as described in Table 49.
e. Click Apply.
Table 49 Configuration items
Title: Enter a name for the bulletin.
Content: Enter the contents of the bulletin.
Selected User Groups / Available User Groups: Select the user groups that can view the bulletin.
• Password+Certificate—Authenticates a user's password and client certificate.
• Certificate—Authenticates only a user's client certificate.
RADIUS authentication supports only two authentication policies: password and password+certificate.
1. Configure local authentication:
Local authentication authenticates users by using the user information saved on the SSL VPN gateway.
Figure 256 RADIUS authentication
c. Configure the RADIUS authentication as described in Table 50.
d. Click Apply.
Table 50 Configuration items
Enable RADIUS authentication: Select this item to enable RADIUS authentication.
Authentication Mode: Select an authentication mode for RADIUS authentication. Options include Password and Password+Certificate.
Enable RADIUS accounting: Select this item to enable RADIUS accounting.
Figure 257 LDAP authentication
c. Configure the LDAP authentication as described in Table 51.
d. Click Apply.
Table 51 Configuration items
Enable LDAP authentication: Select this item to enable LDAP authentication.
LDAP Server IP: Specify the IP address of the LDAP server.
Server Port: Specify the TCP port number used by the LDAP server.
Version: Specify the supported LDAP protocol version.
Authentication Mode: Select an authentication mode for LDAP authentication.
4. Configure AD authentication:
AD is a directory service provided by Windows 2000 Server and later versions. It saves information about objects on a network and allows administrators and users to query the information. AD uses structured data storage, which is the basis of the directory information logical structure. The SSL VPN system can cooperate seamlessly with the existing AD server of an enterprise to provide AD authentication for users in the enterprise.
Admin Username: Set an administrator account. It must be a user account that has the directory search right in the User directory in the AD domain.
Password / Confirm Password: Set a password for the administrator account, and enter the password again to confirm the password.
Username Format: Set the username format used to log in to the AD server. Options include Without the AD domain name, With the AD domain name, and Login name.
5.
Ask password again on the second authentication: With this item selected, the system provides the login page and asks a user for a password again after the user passes the first authentication. If you do not select this item, the system automatically uses the password from the first authentication for the second authentication.
IMPORTANT: This function takes effect only when you enable full customization of the user interface and the customized user interface can provide a login page twice.
Figure 261 Adding a security policy
3. Configure the security policy as described in Table 54.
4. Click Apply.
Table 54 Configuration items
Name: Enter a name for the security policy.
Level: Set a level for the security policy. A larger number means a higher level. If multiple security policies are defined, the system first uses the security policy with the highest priority to check the user host.
Policy Configuration: Set check rules for the security policy. Check rules fall into seven categories: operating system, browser, antivirus software, firewall, certificate, file, and process. To pass the check of a category, a host needs to satisfy at least one rule of the category. To pass the check of a security policy, a host must satisfy all categories of the policy. Click the expansion button before a category to view the rule information.
Operator: Set an operator for the antivirus software version check and the virus definitions version check.
• >=—The antivirus software and its virus definitions must be of the specified version or a later version.
• >—The antivirus software and its virus definitions must have a version later than the specified version.
• =—The antivirus software and its virus definitions must be of the specified version.
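To show how the level, category and operator rules above combine into a pass/fail decision, the following is an added Python model (not HP code and not part of this guide) that evaluates constructed security policies against a host's posture report. The page's semantics are kept: a category is satisfied by any one of its rules, a policy by all of its categories, and policies are consulted from the highest level down; that a failed higher-level policy falls through to the next one, the dotted numeric version format, and the shape of the posture dictionary are assumptions of this example.

```python
"""Added example (not HP's code): evaluate SSL VPN security policies against
a host's posture report.  Semantics from the page: a host satisfies a check
category if at least one rule in that category holds, passes a policy only
if every category in the policy is satisfied, and policies are tried from
the highest level down.  Assumptions: falling through to the next-lower
policy when the host fails a higher one, dotted numeric versions, and the
shape of the constructed posture dictionary.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """'2012.12.1' -> (2012, 12, 1) so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


# The three operators offered for the antivirus version / definitions checks.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    ">=": lambda have, want: version_key(have) >= version_key(want),
    ">": lambda have, want: version_key(have) > version_key(want),
    "=": lambda have, want: version_key(have) == version_key(want),
}


@dataclass
class Rule:
    category: str                   # one of the seven check categories
    check: Callable[[dict], bool]   # True when the host satisfies the rule
    label: str = ""


@dataclass
class SecurityPolicy:
    name: str
    level: int                      # a larger number means a higher level
    rules: List[Rule] = field(default_factory=list)

    def passes(self, host: dict) -> bool:
        by_category: Dict[str, List[Rule]] = {}
        for rule in self.rules:
            by_category.setdefault(rule.category, []).append(rule)
        # every category present in the policy needs at least one satisfied rule
        return all(any(r.check(host) for r in rules)
                   for rules in by_category.values())


def os_rule(name: str) -> Rule:
    return Rule("operating system", lambda h: h.get("os") == name, f"os={name}")


def process_rule(name: str) -> Rule:
    return Rule("process", lambda h: name in h.get("processes", []), f"process={name}")


def antivirus_rule(product: str, version_op: str, version: str,
                   defs_op: str, defs_version: str) -> Rule:
    def check(host: dict) -> bool:
        av = host.get("antivirus")
        return (av is not None and av.get("product") == product
                and OPERATORS[version_op](av["version"], version)
                and OPERATORS[defs_op](av["definitions"], defs_version))
    return Rule("antivirus software", check,
                f"{product} {version_op}{version}, defs {defs_op}{defs_version}")


def select_policy(policies: List[SecurityPolicy], host: dict) -> Optional[str]:
    """Name of the highest-level policy the host passes, or None if it fails all."""
    for policy in sorted(policies, key=lambda p: p.level, reverse=True):
        if policy.passes(host):
            return policy.name
    return None


# Constructed policies: 'strict' (level 20) is tried before 'basic' (level 10).
STRICT = SecurityPolicy("strict", 20, [
    os_rule("Windows 7"),            # either OS satisfies the category
    os_rule("Windows XP"),
    antivirus_rule("ExampleAV", ">=", "12.0", ">", "2012.11.0"),
    process_rule("hostguard.exe"),
])
BASIC = SecurityPolicy("basic", 10, [
    antivirus_rule("ExampleAV", ">=", "11.0", ">=", "2012.1.0"),
])
POLICIES = [BASIC, STRICT]

# Constructed posture reports for three hypothetical user hosts.
HOST_UP_TO_DATE = {"os": "Windows 7", "processes": ["hostguard.exe"],
                   "antivirus": {"product": "ExampleAV", "version": "12.3",
                                 "definitions": "2012.12.1"}}
HOST_STALE_DEFS = {"os": "Windows 7", "processes": ["hostguard.exe"],
                   "antivirus": {"product": "ExampleAV", "version": "12.3",
                                 "definitions": "2012.10.5"}}
HOST_NO_AV = {"os": "Windows XP", "processes": []}

if __name__ == "__main__":
    for label, host in [("up to date", HOST_UP_TO_DATE),
                        ("stale definitions", HOST_STALE_DEFS),
                        ("no antivirus", HOST_NO_AV)]:
        print(f"{label}: {select_policy(POLICIES, host)}")
```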
• Full customization—You can edit a webpage file of your own to provide a fully customized user access interface.
1. Partially customize the SSL VPN interface:
# Configure the text information:
a. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree. The Text Information tab appears.
b. Configure the service page banner information, login page welcome information, and login page title on the page.
c. Click Apply.
The picture is uploaded to the SSL VPN system and is used as the logo picture on the service page.
Figure 264 Specifying a service page logo picture
# Configure the service page background:
a. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree.
b. Click the Service Page Background tab to enter the page shown in Figure 265.
c. Click Browse to select a local picture file.
d. Set whether to directly overwrite the file with the same name on the device.
e.
Figure 266 Full customization
b. Configure the customization information as described in Table 56.
c. Click Apply.
Table 56 Configuration items
Enable full customization: Select this item to enable the full customization function.
Directory: Enter the directory where the customized page files are saved on the SSL VPN gateway.
Page File: Enter the name of the customized login page file.
3. On the login page, enter the username and password, and select an authentication method. 4. Click Login to enter the SSL VPN service interface, as shown in Figure 267. If you have specified TCP applications or IP network resources for the user, the system automatically runs the SSL VPN client software for the user, as shown in Figure 268.
Figure 268 SSL VPN client software Accessing SSL VPN resources After logging in to the SSL VPN service interface, a user can see all resources that you have authorized the user to access, and perform the following operations: • Clicking a resource name under Websites to access the website.
Figure 269 About SSL VPN Changing the login password To change the login password, a user only needs to: 1. Click the Configure button in the upper right corner of the SSL VPN service interface to enter the page shown in Figure 270. 2. Enter the new password, and confirm the new password. 3. Click Apply. When the user logs in again, the user must enter the new password.
Figure 270 Change login password SSL VPN configuration example in the Web interface The following matrix shows the configuration example and hardware compatibility: Hardware / Example applicable: F1000-A-EI/F1000-S-EI: Yes; F1000-E: Yes; F5000: No; Firewall module: No; U200-A: Yes; U200-S: Yes. Network requirements As shown in Figure 271, request a certificate and enable SSL VPN service on the SSL VPN gateway so that users can use HTTPS to log in to the SSL VPN gateway to access the internal reso
Figure 271 Network diagram Configuration prerequisites Before performing the following configurations, make sure: • The SSL VPN gateway, the CA, and the hosts used by remote users can reach each other. • The CA is enabled with the CA service and can issue certificates to the SSL VPN gateway and the hosts. • The RADIUS server is properly configured to provide normal authentication function for users.
Figure 272 Configuring a PKI entity named en 2. Configure a PKI domain named sslvpn: a. Select VPN > Certificate Management > Domain from the navigation tree. b. Click Add to add a PKI domain. c. Enter the PKI domain name sslvpn and the CA identifier CA server. d. Select en as the local entity, and RA as the registration authority. e. Enter the certificate requesting URL http://10.2.1.1/certsrv/mscep/mscep.dll. f. Select Manual as the certificate request mode. g. Click Apply. h.
Figure 273 Configuring a PKI domain named sslvpn 3. Generate an RSA key pair: a. Select VPN > Certificate Management > Certificate from the navigation tree. b. Click Create Key to enter the key generation page. c. Set the key length to 1024. d. Click Apply. Figure 274 Generating an RSA key pair 4. Retrieve the CA certificate: a. After the key pair is generated, click the Retrieve Cert button on the certificate management page. b. Select sslvpn as the PKI domain and CA as the certificate type. c.
Figure 275 Retrieving the CA certificate to the local device 5. Request a local certificate: a. After the CA certificate retrieval operation is complete, click Request Cert on the certificate management page. b. Select sslvpn as the PKI domain. c. Click Apply. d. The system displays "Certificate request has been submitted." e. Click OK to confirm the operation.
Figure 277 Certificate management page 6. Enable SSL VPN, and configure a port and a PKI domain for the SSL VPN service: a. Select VPN > SSL VPN > Service Management from the navigation tree. b. Select the box before Enable SSL VPN. c. Set the port number to 443. d. Select sslvpn as the PKI domain. e. Click Apply. Figure 278 SSL VPN service management page Configuring SSL VPN resources 1. Configure a Web proxy resource named tech for the internal technology website 10.153.1.223: a.
Figure 279 Configuring a Web proxy resource 2. Configure a resource named desktop for the desktop sharing service provided by host 10.153.70.120: a. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree. b. Click the Desktop Sharing Service tab. c. Enter the resource name desktop. d. Enter the remote host address 10.153.70.120. e. Set the remote port for the server to 3389. f. Enter the local host address 127.0.0.2. g. Set the local port for the service to 20000. h.
e. Enter the subnet mask 24. f. Enter the gateway IP address 192.168.0.101. g. Click Apply. Figure 281 Configuring global parameters for IP network resources 4. Configure a host resource named sec_srv for hosts in subnet 10.153.2.0/24 in IP network mode: a. Click the Host Configuration tab. b. Click Add. c. Enter the resource name sec_srv. d. Click the Add button under the Network Services list. e. Enter the destination IP address 10.153.2.
Figure 283 Adding a shortcut h. Click Apply on the Add Host Resource page as shown in Figure 284. Figure 284 Configuring a host resource 5. Configure resource group res_gr1, and add resource desktop to it: a. Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree. b. The resource group list page appears. c. Click Add. d. Enter the resource group name res_gr1. e.
Figure 285 Configuring resource group res_gr1 6. Configure resource group res_gr2, and add resources tech and sec_srv to it: a. Click Add on the resource group list page. b. Enter the resource group name res_gr2. c. Select resources tech and sec_srv on the Available Resources list and click the << button to add them to the Selected Resources list. d. Click Apply.
Figure 286 Configuring resource group res_gr2 Configuring SSL VPN users 1. Configure a local user account usera: a. Select VPN > SSL VPN > User Management > Local User from the navigation tree. b. Click Add. c. Enter the username usera, enter the password passworda, and confirm the password. d. Select the box before Enable public account. e. Set the maximum number of users for the public account to 1. f. Select Permitted as the user status. g. Click Apply.
Figure 287 Adding local user usera 2. Configure user group user_gr1, assign resource group res_gr1 to the user group and add local user usera to the user group: a. Select VPN > SSL VPN > User Management > User Group from the navigation tree. b. Click Add. c. Enter the user group name user_gr1. d. Select res_gr1 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list. e.
Figure 288 Configuring user group user_gr1 3. Configure user group user_gr2, and assign resource group res_gr2 to the user group: a. Click Add on the user group list page. b. Enter the user group name user_gr2. c. Select res_gr2 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list. d. Click Apply.
Figure 289 Configuring user group user_gr2 Configuring an SSL VPN domain 1. Configure the default authentication method for the SSL VPN domain as RADIUS and enable verification code authentication: a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. b. Select the box before Use verification code. c. Select RADIUS as the default authentication method. d. Click Apply.
Figure 290 Configuring the domain policy 2. Configure a RADIUS scheme named system: a. Select User > RADIUS from the navigation tree. b. Click Add. c. Enter the scheme name system, select Extended as the supported server type, and select Without domain name as the username format. d. Click the Add button in the RADIUS Server Configuration area. e. Select Primary Authentication Server as the server type, select IPv4 and enter IP address 10.153.10.
Figure 291 Configuring RADIUS scheme named system 3. Enable RADIUS authentication: a. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree. b. Click the RADIUS Authentication tab. c. Select the box before Enable RADIUS authentication. d. Click Apply. Figure 292 Enabling RADIUS authentication Verifying the configuration Launch a browser on a host, and enter https://10.1.1.
Change the authentication mode to Local. Use the public account usera to log in. You can see the resource desktop, as shown in Figure 293. Click the resource name to access the shared desktop of the specified host, as shown in Figure 294.
Assume that a user named userb is configured and added to user group user_gr2 on the RADIUS server. Use this user account and the default authentication method RADIUS to log in. You can see website tech, all hosts in subnet 10.153.2.0/24, and the security server. Click tech to access the technology website. Click shortcut ftp_security-server to access the security server through FTP.
Configuring AFT AFT can be configured only at the CLI. Feature and hardware compatibility Hardware / AFT compatible: F1000-A-EI/F1000-S-EI: No; F1000-E: No; F5000: Yes; Firewall module: Yes; U200-A: No; U200-S: No. Overview Address Family Translation (AFT) is a transition technology for communication between IPv4 and IPv6 networks. As shown in Figure 297, the AFT router performs address and protocol translation between IPv4 and IPv6 networks.
DNS64 prefix A DNS64 prefix is an IPv6 address prefix used to translate IPv4 addresses into IPv6 addresses. The length of a DNS64 prefix can be 32, 40, 48, 56, 64, or 96 bits, as shown in Figure 298. The address translation methods vary depending on the length of the DNS64 prefix. • If the length of the DNS64 prefix is 32, 64, or 96 bits, the IPv4 address is added to the IPv6 address as a whole.
Stateless AFT uses DNS64 or IVI prefixes for address translation. The mappings between IPv4 and IPv6 addresses are fixed because the IPv4 address is embedded in the IPv6 address. • Stateful AFT: Stateful AFT dynamically creates and maintains mappings between IPv4 addresses and IPv6 addresses. It translates the source IPv6 address of an IPv6 packet into an IPv4 address according to a configured 6to4 AFT policy. The mappings between IPv4 addresses and IPv6 addresses are not fixed.
address of the packet. If not, the AFT translates the source IPv6 address into an IPv4 address based on the 6to4 AFT policy. 3. Translates the destination IP address. The AFT extracts the embedded IPv4 address from the destination IPv6 address based on the length of the DNS64 prefix and uses the IPv4 address as the translated destination IPv4 address. 4. Forwards the packet and records the mapping.
4. Forwards the packet and records the mappings. The AFT performs protocol translation, such as replacing the IPv4 header with an IPv6 header, forwards the packet, and records the IPv4-IPv6 mappings. 5. Translates and forwards the response packet. Upon receiving a response from the IPv6 host, the AFT replaces the IPv6 addresses in the packet header with IPv4 addresses based on the recorded address mappings and forwards the packet to the IPv4 host.
AFT configuration task list
When communication is initiated by an IPv6 host:
Task / Remarks
Enabling AFT: Required.
Configuring a DNS64 prefix: Required.
Configuring an IVI prefix: Required.
Configuring a 6to4 AFT policy: Perform either one.
When communication is initiated by an IPv4 host:
Task / Remarks
Enabling AFT: Required.
Configuring a DNS64 prefix: Required.
Configuring an IVI prefix: Required.
Configuring 4to6 AFT policies: Required.
Configuring a DNS64 prefix Follow these guidelines when you configure a DNS64 prefix: • The DNS64 prefix cannot be in the same network segment as the connected IPv6 network. • The DNS64 prefix cannot be the same as the IVI prefix. To configure a DNS64 prefix: Step 1. Enter system view. Command: system-view. Remarks: N/A. Step 2. Configure a DNS64 prefix. Command: aft prefix-dns64 dns64-prefix prefix-length. Remarks: No DNS64 prefix is configured by default. Repeat the command to configure multiple DNS64 prefixes.
Type 3—Associate a DNS64 prefix with an address pool • If the prefix of the destination IPv6 address is the DNS64 prefix specified in the policy, the source address is translated into an IPv4 address in the address pool associated with the DNS64 prefix. If the no-pat keyword is specified, only the IP address is translated. Otherwise, both the IP address and the port number are translated to save the IPv4 addresses in the address pool.
AFT translates the address into an IPv6 address by using the first configured DNS64 prefix in system view. • Policy for destination IPv4 address translation—If the destination IPv4 address matches the specified ACL, the AFT translates the address into an IPv6 address by using the specified IVI prefix. If not, the address is not translated and the packet is forwarded according to the destination IPv4 address. To configure a 4to6 AFT policy: Step 1. Enter system view. Command: system-view. Remarks: N/A. 2.
AFT configuration examples An IPv6 host with an IVI address initiates communication with an IPv4 host Network requirements As shown in Figure 302, Host A is in an IPv6 network and has an address of 6:0:ff06:606:200::, and Host B is in an IPv4 network and has an address of 4.4.4.2. Host A wishes to communicate with Host B.
• Configure a static route to network 2000::/32 (the DNS64 prefix) and the next hop address 6:0:ff06:606:100::. Configure Host B: 3. Perform the following configurations on Host B. (Details not shown.) • Configure IPv4 address 4.4.4.2/24. • Configure a static route to the IPv4 network (6.6.6.0/24) embedded in the IVI address and the next hop address 4.4.4.1. Verifying the configuration Host B's IPv4 address 4.4.4.2 is translated to 2000:0:404:402:: by using the DNS64 prefix.
Configuration procedure
1. Configure Firewall (the AFT):
# Enable IPv6.
system-view
[Firewall] ipv6
# Configure IP addresses for the interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2 and enable AFT on the interfaces.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ipv6 address 6:0:ff06:606:100::/64
[Firewall-GigabitEthernet0/1] aft enable
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ip address 4.4.4.
• Configure a static route to IPv6 network 2000::/32 (the DNS64 prefix) and the next hop address 6:0:ff06:606:100::. Configure Host B: 3. Perform the following configurations on Host B. (Details not shown.) • Configure IPv4 address 4.4.4.2/24. • Configure a static route to the IPv4 network (6.6.6.0/24) embedded in the IVI address and the next hop address 4.4.4.1. Verifying the configuration The IPv4 address embedded in the IPv6 address of Host A is 6.6.6.2. Use the ping 6.6.6.2 command on Host B.
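The two address embeddings the examples above rely on (4.4.4.2 becoming 2000:0:404:402:: under DNS64 prefix 2000::/32, and 6.6.6.2 being carried inside the IVI address 6:0:ff06:606:200::) can be reproduced and checked offline. The Python below is an added example, not part of this guide and not HP code. It assumes the DNS64 layout of RFC 6052 for all six prefix lengths (the guide's /32 result confirms the contiguous case; the split of the IPv4 address around the zero "u" octet for /40, /48 and /56 is taken from the RFC), the IVI layout of RFC 6219 (32-bit prefix, 0xff marker, IPv4 address in bits 40-71, which reproduces the guide's 6.6.6.2 example), and a constructed 6to4 no-pat address pool (4.4.4.10) for the stateful case. The function and class names are the example's own.

```python
"""DNS64 (RFC 6052) and IVI (RFC 6219) address embedding as used by AFT,
plus a toy model of the AFT forwarding decisions for an IPv6-initiated flow.
Added example for illustration; not HP code, not part of the guide."""
import ipaddress

# DNS64 prefix lengths the AFT accepts (from the guide).
DNS64_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def dns64_synthesize(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address under a DNS64 prefix (RFC 6052 layout, assumed).

    The IPv4 address starts right after the prefix; octet 8 (bits 64-71, the
    "u" octet) is skipped and kept zero; a /96 prefix carries the IPv4 address
    in the last 32 bits. So the IPv4 address stays contiguous for /32, /64 and
    /96 and straddles the u octet for /40, /48 and /56.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen not in DNS64_PREFIX_LENGTHS:
        raise ValueError(f"unsupported DNS64 prefix length /{net.prefixlen}")
    pfx = net.network_address.packed
    v4 = ipaddress.IPv4Address(ipv4).packed
    if net.prefixlen == 96:
        body = pfx[:12] + v4
    else:
        head = pfx[: net.prefixlen // 8] + v4
        body = head[:8] + b"\x00" + head[8:]  # insert the zero u octet
        body += b"\x00" * (16 - len(body))
    return str(ipaddress.IPv6Address(body))


def dns64_extract(prefix: str, ipv6: str) -> str:
    """Recover the IPv4 address embedded by dns64_synthesize."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen not in DNS64_PREFIX_LENGTHS or addr not in net:
        raise ValueError(f"{ipv6} is not under DNS64 prefix {prefix}")
    b = addr.packed
    if net.prefixlen == 96:
        return str(ipaddress.IPv4Address(b[12:]))
    if b[8] != 0:
        raise ValueError("u octet (bits 64-71) must be zero")
    stripped = b[:8] + b[9:]  # drop the u octet
    start = net.prefixlen // 8
    return str(ipaddress.IPv4Address(stripped[start:start + 4]))


def ivi_embed(ivi_prefix: str, ipv4: str) -> str:
    """Build an IVI address: /32 prefix, 0xff marker, IPv4 in bits 40-71
    (RFC 6219 layout, assumed; reproduces 6.6.6.2 -> 6:0:ff06:606:200::)."""
    net = ipaddress.IPv6Network(ivi_prefix, strict=False)
    if net.prefixlen != 32:
        raise ValueError("IVI prefix must be a /32")
    body = net.network_address.packed[:4] + b"\xff" + ipaddress.IPv4Address(ipv4).packed
    return str(ipaddress.IPv6Address(body + b"\x00" * 7))


def ivi_extract(ivi_prefix: str, ipv6: str) -> str:
    """Recover the IPv4 address from an IVI address; ValueError if not IVI."""
    net = ipaddress.IPv6Network(ivi_prefix, strict=False)
    b = ipaddress.IPv6Address(ipv6).packed
    if net.prefixlen != 32 or b[:4] != net.network_address.packed[:4] or b[4] != 0xFF:
        raise ValueError(f"{ipv6} is not an IVI address under {ivi_prefix}")
    return str(ipaddress.IPv4Address(b[5:9]))


class AftTranslator:
    """Address decisions of the guide's forwarding steps for an IPv6-initiated
    flow: stateless IVI source translation when the source is an IVI address,
    otherwise a stateful mapping from the 6to4 policy's no-pat address pool;
    the destination is extracted from the DNS64 prefix. Headers are not built."""

    def __init__(self, dns64_prefix, ivi_prefix, pool):
        self.dns64_prefix = dns64_prefix
        self.ivi_prefix = ivi_prefix
        self.pool = list(pool)  # free IPv4 addresses (constructed sample pool)
        self.v6_to_v4 = {}      # recorded dynamic mappings, both directions
        self.v4_to_v6 = {}

    def translate_request(self, src6, dst6):
        """IPv6 host -> IPv4 host. Returns (src4, dst4); records new mappings."""
        src6 = str(ipaddress.IPv6Address(src6))
        try:
            src4 = ivi_extract(self.ivi_prefix, src6)  # stateless path
        except ValueError:
            src4 = self.v6_to_v4.get(src6)             # stateful path
            if src4 is None:
                if not self.pool:
                    raise RuntimeError("6to4 address pool exhausted")
                src4 = self.pool.pop(0)
                self.v6_to_v4[src6] = src4
                self.v4_to_v6[src4] = src6
        dst4 = dns64_extract(self.dns64_prefix, dst6)
        return src4, dst4

    def translate_reply(self, src4, dst4):
        """IPv4 host's reply -> IPv6, via the recorded mapping or the IVI embedding."""
        src6 = dns64_synthesize(self.dns64_prefix, src4)
        dst6 = self.v4_to_v6.get(dst4) or ivi_embed(self.ivi_prefix, dst4)
        return src6, dst6


if __name__ == "__main__":
    aft = AftTranslator("2000::/32", "6:0::/32", pool=["4.4.4.10"])
    print(aft.translate_request("6:0:ff06:606:200::", "2000:0:404:402::"))  # ('6.6.6.2', '4.4.4.2')
    print(aft.translate_request("6::2", "2000:0:404:402::"))                # ('4.4.4.10', '4.4.4.2')
    print(aft.translate_reply("4.4.4.2", "4.4.4.10"))                       # ('2000:0:404:402::', '6::2')
```

AftTranslator models only the address choices of the forwarding steps described earlier in this chapter (IVI extraction when the source matches the IVI prefix, otherwise a recorded dynamic mapping from the pool, and DNS64 extraction for the destination); it does not rewrite headers or checksums. When verifying an AFT deployment, dns64_synthesize predicts the IPv6 address a DNS64-synthesized record should carry, and dns64_extract shows which IPv4 destination the AFT will select from it, which is the quickest way to spot a DNS64 prefix of the wrong length.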
Figure 304 Network diagram Configuration consideration To meet the requirements, perform the following configurations: • On Firewall, enable AFT, and configure a DNS64 prefix and a 6to4 AFT policy because the address of Host A is not an IVI address. • On Host A, specify the IPv6 address 2000:0:303:305:: of the DNS server (which is translated from IPv4 address 3.3.3.5 by using the DNS64 prefix). Configuration procedure 1. Configure Firewall (the AFT): # Enable IPv6.
# Create ACL 2000 to permit packets from network 4.4.4.0/24 where Host B resides (this step is optional).
[Firewall] acl number 2000
[Firewall-acl-basic-2000] rule permit source 4.4.4.0 0.0.0.255
[Firewall-acl-basic-2000] quit
# Configure a 4to6 AFT policy for source address translation so that if the resolved IPv4 address is in network 4.4.4.0/24, the address is translated into an IPv6 address by using DNS64 prefix 2000::/32 (this step is optional).
Start time: 2010-12-21 17:00:06
Root TTL: 52s
Zone(in): Zone(out): Management
Received packet(s)(Init): 1 packet(s) 77 byte(s)
Received packet(s)(Reply): 2 packet(s) 183 byte(s)
Initiator:
Source IP/Port : 0006::0002/32768
Dest IP/Port : 2000:0:0404:0402::/44012
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source IP/Port : 4.4.4.2/0
Dest IP/Port : 6.6.6.
Configuring DVPN The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. DVPN can be configured only at the CLI. Feature and hardware compatibility Hardware / DVPN compatible: F1000-A-EI/F1000-S-EI: No; F1000-E: Yes; F5000: Yes; Firewall module: Yes; U200-A: No; U200-S: No. Overview DVPN enables enterprise branches that use dynamic public addresses to establish a VPN network.
implemented on DVPN nodes. Unless otherwise noted, the term "VAM client" refers to a hub or a spoke. • Hub—A hub is a type of VAM client. As a central device of a VPN, it is the exchange center of routing information. A hub in a hub-spoke network is also a data forwarding center. • Spoke—A spoke is a type of VAM client. Usually acting as the gateway of a branch office, a spoke does not forward data received from other DVPN nodes.
Figure 305 Full mesh DVPN • Hub-spoke DVPN—In a hub-spoke DVPN, no tunnel can be established between two spokes, and data between them has to be forwarded through the hub. The hub is used as both the routing information exchange center and the data forwarding center. As shown in Figure 306, each spoke establishes a permanent tunnel with the hub, and data between spokes is forwarded through the hub.
Connection initialization phase When a client accesses the server for the first time, connection initialization is performed. During the initialization procedure, the two parties negotiate whether VAM protocol packets should be secured. If so, they negotiate the packet encryption and integrity verification algorithms, generate the keys, and acknowledge the negotiated result.
Registration phase Figure 308 Registration process (client-server exchange: 1) Registration request, 2) Identity authentication request, 3) Identity information, 4) Registration acknowledgement) Figure 308 shows the registration process: 1. The client sends the server a registration request, which carries information about the client. 2. Upon receiving the registration request, the server first determines whether to authenticate the identity of the client.
• To establish a hub-spoke tunnel: After a spoke registers itself successfully, it needs to establish a permanent tunnel with each hub in the VPN. Upon receiving the registered information of the hubs from the server, the spoke checks whether a tunnel is present to each hub. If no tunnel exists between the spoke and a hub, the spoke sends a tunnel establishment request to the hub.
Encryption of VAM protocol packets VAM protocol packets can be encrypted by using AES-128, AES-256, DES, or 3DES. IPsec protection of data packets Data packets in a DVPN tunnel can be protected by an IPsec profile, using security protocols ESP, AH, or AH-ESP (ESP first, and then AH) and negotiating security policies through IKE. Centralized management of policies A VAM server manages all policies in a VPN domain centrally.
Remarks: Required. To establish private networks across the public network by using DVPN, you must configure routing for the devices in the private networks. In a DVPN, route-related operations, such as neighbor discovery, route updating, and routing table establishment, are performed over DVPN tunnels. Routing information is exchanged between Hubs or between Hubs and Spokes; it is not exchanged between Spokes. DVPN clients support the routing protocols OSPF and BGP.
Figure 310 VAM server configuration 2. Click Add to enter the Add VPN Domain page, as shown in Figure 311. Figure 311 Adding a VPN domain 3. Configure the VPN domain as described in Table 59. 4. Click Apply.
Table 59 Configuration items Item Description VPN Domain Name: Enter a name for the VPN domain. Identity Authentication Settings: Authentication Method: Select an authentication method that the VAM server uses to authenticate VAM clients. Options include PAP, CHAP, and None. None means no authentication. ISP Domain Name: Specify the ISP domain for VAM client authentication. You can add, modify, or delete an ISP domain by using the buttons.
Hub Settings (Hub 1 Private IP, Hub 1 Public IP, Hub 2 Private IP, Hub 2 Public IP): Configure IP addresses for Hubs. You can configure up to two Hubs in a VPN domain. IMPORTANT: The public IP address is optional. When a Hub registers, the VAM server gets the public address of the Hub and then sends the public-private address mapping to other clients.
Authentication Method / Primary Method / Server Type: Select the authentication server type for DVPN users. • None—All users are trusted and no authentication is performed. Generally, do not use this method. • Local—Uses local authentication. • RADIUS—Uses RADIUS authentication. If you do not select any authentication method, the default authentication method of the ISP domain is used. By default, the default authentication method is Local.
Max Number of Users: Specify the maximum number of users the ISP domain supports. If you do not specify the maximum number, the number of users of the ISP domain is not limited. Users may compete for resources. Setting a proper limit on the number of users of an ISP domain helps guarantee performance for users of the ISP domain. Displaying VAM client information 1. From the navigation tree, select VPN > DVPN > Server. 2. Click the VAM Client Info tab.
Figure 314 DVPN tunnel list 2. Click Add to enter the Add Tunnel page, as shown in Figure 315.
Figure 315 Adding a tunnel
3. Select the tunnel encapsulation mode, GRE or UDP. 4. Configure the tunnel interface as described in Table 62. Table 62 Configuration items Item Description Tunnel Encapsulation Mode: Select the DVPN tunnel encapsulation mode, which can be GRE or UDP. Tunnel Interface Number: Enter a sequence number for the tunnel interface. Specify the private IP address and mask for the tunnel interface.
Keepalive Interval / Keepalive Retries: Set the interval between sending keepalive packets and the maximum number of attempts for sending keepalive packets when there is no response. IMPORTANT: In a VPN domain, the DVPN keepalive settings for all tunnel interfaces must be consistent. Specify whether to enable IPsec. An IPsec profile can be used to secure the transmission of data packets and control packets over a DVPN tunnel.
Authentication Algorithm: Select the authentication algorithm to be used in IKE negotiation. • SHA1—Uses the HMAC-SHA1 algorithm for authentication. • MD5—Uses the HMAC-MD5 algorithm for authentication. Encryption Algorithm: Select the encryption algorithm to be used in IKE negotiation. • DES-CBC—Uses the DES algorithm in CBC mode and a 56-bit key for encryption. • 3DES-CBC—Uses the 3DES algorithm in CBC mode and a 168-bit key for encryption.
Security Protocol: Select the security protocols to be used. • ESP—Uses the ESP protocol. • AH—Uses the AH protocol. • AH-ESP—Uses ESP first and then AH. AH Authentication Algorithm: Select an authentication algorithm for AH when you select AH or AH-ESP for Security Protocol. Available authentication algorithms include MD5 and SHA1. ESP Authentication Algorithm: Select an authentication algorithm for ESP when you select ESP or AH-ESP for Security Protocol. You can select MD5 or SHA1.
PFS: Enable and configure the Perfect Forward Secrecy (PFS) feature or disable the feature. • None: Disables PFS. • Diffie-Hellman Group1—Enables PFS and uses the 768-bit Diffie-Hellman group. • Diffie-Hellman Group2—Enables PFS and uses the 1024-bit Diffie-Hellman group. • Diffie-Hellman Group5—Enables PFS and uses the 1536-bit Diffie-Hellman group. • Diffie-Hellman Group14—Enables PFS and uses the 2048-bit Diffie-Hellman group.
Figure 316 DVPN session list Figure 317 DVPN session details Table 66 Field description Field Description Interface of Session: DVPN tunnel interface. Private Address of Tunnel: Private IP address of the DVPN session peer. Public Address of Tunnel: Public IP address of the DVPN session peer. Session Type: Tunnel type of the DVPN session.
Session Status: State of the DVPN tunnel, which can be SUCCESS (tunnel established), ESTABLISH (tunnel is being established), or DUMB (tunnel failed to be established and is now quiet). Holding time: Period of time that the tunnel has been in its current state. Input: Statistics for received packets, including the counts of all packets, data packets, control packets, multicast packets, and error packets.
Figure 318 Network diagram Device Interface IP address Device Interface IP address Hub 1 GE0/1 192.168.1.1/24 Spoke 1 GE0/1 192.168.1.3/24 Tunnel1 10.0.1.1/24 GE0/2 10.0.3.1/24 Tunnel2 10.0.2.1/24 Tunnel1 10.0.1.3/24 Hub 2 Spoke 3 GE0/1 192.168.1.2/24 GE0/1 192.168.1.4/24 Tunnel1 10.0.1.2/24 GE0/2 10.0.4.1/24 Tunnel2 10.0.2.2/24 GE0/3 10.0.6.1/24 GE0/1 192.168.1.5/24 Tunnel1 10.0.1.4/24 GE0/2 10.0.5.1/24 Tunnel2 10.0.2.4/24 Tunnel2 10.0.2.
Figure 319 Configuring a RADIUS scheme c. Enter the scheme name system, and select the server type Extended. d. In the RADIUS Server Configuration area, click Add. e. On the page that appears, select Primary Authentication as the server type, enter the IP address 192.168.1.11, enter the port number 1812, enter the key expert, enter expert to confirm the key, and then click Apply. The added primary authentication server appears on the RADIUS server list. f.
Figure 320 Configuring VPN domain vpn1 c. Enter vpn1 in the VPN Domain Name field, select CHAP as the authentication method, select system (the default ISP domain) as the ISP domain, and then click Modify. The ISP domain modification page appears.
Figure 321 Configuring the AAA method for the ISP domain d. Select RADIUS as the server type for the primary authentication, authorization, and accounting methods, and select Enable from the Accounting Optional list. Click Apply to finish the ISP domain configuration and return to the VPN domain configuration page. e. Enter the pre-shared key 123, enter 123 to confirm the key, enter the Hub 1 private IP 10.0.1.1, and the Hub 2 private IP 10.0.1.2, and then click Apply. 4.
Figure 322 Configuring tunnel interface Tunnel1
c. Select the tunnel encapsulation mode UDP, enter the tunnel interface number 1, enter the IP address/mask 10.0.1.1/24, select security zone Management for the tunnel interface, select the tunnel source interface GigabitEthernet0/1, enter the VPN domain name vpn1, the VAM server address 192.168.1.22, the secondary VAM server address 192.168.1.
Figure 324 OSPF configuration page c. In the Area Configuration area, click Add. Figure 325 Configuring OSPF area 0 d. Enter the area ID 0, and select Normal as the area type. e. Enter the network address 192.168.1.0, select the network mask 0.0.0.255, and then click Add Network.
f. Enter the network address 10.0.1.0, select the network mask 0.0.0.255, and then click Add Network. g. Enter the network address 10.0.2.0, select the network mask 0.0.0.255, and then click Add Network. h. Click Apply. i. Click More>> to perform OSPF interface configuration. j. Click the icon of Tunnel1. Figure 326 Configuring OSPF interface k. Select Broadcast as the network type and click Apply. l. Repeat steps i through k to configure the same settings for interface Tunnel2.
f. Click Apply. 3. Configure tunnel interface Tunnel2 for VPN domain vpn2: a. From the navigation tree, select VPN > DVPN > Client, and then click Add. b. Select the tunnel encapsulation mode GRE, enter the tunnel interface number 2, enter the IP address/mask 10.0.2.2/24, select the security zone Management for the tunnel interface, select the tunnel source interface GigabitEthernet0/1, and enter the VPN domain name vpn2, the VAM server address 192.168.1.22, the secondary VAM server address 192.168.1.
Enter the password dvpn1spoke1 for confirmation. Enter the VAM client pre-shared key 123. Enter the key 123 for confirmation. c. Select Enable IPsec. d. Select the IPsec authentication method Pre-Shared Key and then enter abcde in the Key and Confirm Key fields. e. Select IP Address as both the remote ID type and the local ID type. f. Click Apply. 3. Configure OSPF: a. From the navigation tree, select Network > Routing Management > OSPF. b. Select Enable OSPF and click Apply. c.
a. From the navigation tree, select VPN > DVPN > Client, and then click Add. b. Select tunnel encapsulation mode GRE. Enter tunnel interface number 2. Enter IP address/mask 10.0.2.4/24. Select security zone Management for the tunnel interface. Select tunnel source interface GigabitEthernet0/1. Enter VPN domain name vpn2. Enter the VAM server address 192.168.1.22. Enter the secondary VAM server address 192.168.1.33. Enter the VAM client username dvpn2spoke2. Enter the VAM client password dvpn2spoke2.
username dvpn2spoke3. Enter the VAM client password dvpn2spoke3. Enter the password dvpn2spoke3 for confirmation. Enter the VAM client pre-shared key 456. Enter the key 456 for confirmation. c. Select Enable IPsec. d. Select the IPsec authentication method Pre-Shared Key and then enter abcde in the field. e. Select IP Address as both the remote ID type and the local ID type. f. Click Apply. 2. Configure OSPF: a. From the navigation tree, select Network > Routing Management > OSPF. b.
Figure 327 Viewing VAM client information on the primary VAM server 3. From the navigation tree of the secondary VAM server, select VPN > DVPN > Server. Click the VAM Client Info tab to view the address mapping information of all VAM clients that have registered with the secondary VAM server. 4. The figure shows that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their address mapping information with the secondary VAM server.
Figure 329 Viewing DVPN session information on Hub 1 7. From the navigation tree of Spoke 2, select VPN > DVPN > Client. 8. Click the DVPN Session tab to view all DVPN session information. The figure shows that in VPN 1 and VPN 2, Spoke 2 has established two Spoke-Hub permanent tunnels, one with Hub 1 and the other with Hub 2. The session information on Spoke 1 and Spoke 3 is similar. Figure 330 Viewing DVPN session information on Spoke 2 9. From Spoke 2, ping the private address of Spoke 3 10.0.5.1.
Figure 331 Viewing DVPN session information on Spoke 2 Hub-Spoke DVPN configuration example Network requirements In the Hub-Spoke network shown in Figure 346, data is forwarded along Hub-Spoke tunnels. The primary and secondary VAM servers manage and maintain information about the nodes. The RADIUS server on IMC performs VAM client authentication and accounting. With each being the backup of the other, the two Hubs perform data forwarding and routing information exchange.
Figure 332 Network diagram Device Interface IP address Device Interface IP address Hub 1 GE0/1 192.168.1.1/24 Spoke 1 GE0/1 192.168.1.3/24 Tunnel1 10.0.1.1/24 GE0/2 10.0.2.1/24 GE0/1 192.168.1.2/24 Tunnel1 10.0.1.2/24 Primary VAM server GE0/1 Secondary VAM server GE0/1 Hub 2 RADIUS server Tunnel1 10.0.1.3/24 GE0/1 192.168.1.4/24 192.168.1.22/24 GE0/2 10.0.3.1/24 192.168.1.33//24 Tunnel1 10.0.1.4/24 Spoke 2 192.168.1.11/24 Configuring the primary VAM server 1.
Figure 333 Configuring a RADIUS scheme c. Enter the scheme name system, and select the server type Extended. d. In the RADIUS Server Configuration area, click Add. e. On the page that appears, select Primary Authentication as the server type, enter the IP address 192.168.1.11, enter the port number 1812, enter the key expert, enter expert to confirm the key, and then click Apply. f. The added primary authentication server appears on the RADIUS server list. g.
Figure 334 Configuring VPN domain vpn1 c. Enter vpn1 in the VPN Domain Name field, select CHAP as the authentication method, select system (the default ISP domain) as the ISP domain, and then click Modify. The ISP domain modification page appears.
Figure 335 Configuring the AAA method for the ISP domain d. Select RADIUS as the server type for the primary authentication, authorization, and accounting methods, and select Enable from the Accounting Optional list. Click Apply to finish the ISP domain configuration and return to the VPN domain configuration page. e. Enter the pre-shared key 123, enter 123 to confirm the key, enter the Hub 1 private IP 10.0.1.1, and the Hub 2 private IP 10.0.1.2, and then click Apply.
Figure 336 Configuring tunnel interface Tunnel1
3. Configure OSPF:
a. From the navigation tree, select Network > Routing Management > OSPF.
b. In the Global area, select Enable OSPF, and then click Apply.

Figure 337 Enabling the OSPF protocol

c. In the Area Configuration area, click Add.
d. Enter the area ID 0. Select Normal as the area type. Enter the network address 192.168.1.0, select the network mask 0.0.0.255, and then click Add Network. Enter the network address 10.0.1.0, select the network mask 0.0.0.255, and then click Add Network.
Figure 339 Configuring OSPF on tunnel interface

Configuring Hub 2

Hub 2 configuration pages are similar to Hub 1 configuration pages. See the figures for Hub 1 configuration.
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure tunnel interface Tunnel1 for VPN domain vpn1:
a. From the navigation tree, select VPN > DVPN > Client, and then click Add.
b. Select the tunnel encapsulation mode UDP. Enter the tunnel interface number 1. Enter the IP address/mask 10.0.1.2/24.
g. Enter the network address 10.0.1.0, select the network mask 0.0.0.255, and then click Add Network.
h. Click Apply.
i. Click More>> to perform OSPF interface configuration.
j. Click the icon of interface Tunnel1.
k. Select P2MP as the network type.
l. Click Apply.

Configuring Spoke 1

Spoke 1 configuration pages are similar to Hub 1 configuration pages. See the figures for Hub 1 configuration.
1. Configure IP addresses for the interfaces. (Details not shown.)
2.
Configuring Spoke 2

Spoke 2 configuration pages are similar to Hub 1 configuration pages. See the figures for Hub 1 configuration.
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure tunnel interface Tunnel1 for VPN domain vpn1:
a. From the navigation tree, select VPN > DVPN > Client, and then click Add.
b. Select the tunnel encapsulation mode UDP, enter the tunnel interface number 1, enter the IP address/mask 10.0.1.
Figure 340 Viewing VAM client information on the primary VAM server

2. From the navigation tree of the secondary VAM server, select VPN > DVPN > Server. Click the VAM Client Info tab to view the address mapping information of all VAM clients that have registered with the secondary VAM server. The figure shows that Hub 1, Hub 2, Spoke 1, and Spoke 2 have all registered their address mapping information with the secondary VAM server.

Figure 341 Viewing VAM client information on the secondary VAM server

3.
Figure 342 Viewing DVPN session information on Hub 1

4. From the navigation tree of Spoke 1, select VPN > DVPN > Client. Click the DVPN Session tab to view all DVPN session information. The figure shows that in VPN 1, Spoke 1 has established two Spoke-Hub permanent tunnels, one with Hub 1 and the other with Hub 2. The session information on Spoke 2 is similar.

Figure 343 Viewing DVPN session information on Spoke 1

5. From Spoke 1, ping the private address of Spoke 2, 10.0.3.1.
Configuring DVPN at the CLI

DVPN configuration task list

When configuring DVPN, perform configuration in this order: the VAM server, the hubs, the spokes. Complete the following tasks to configure DVPN:

Task                                  Remarks
Configuring AAA                       Optional.
Configuring the VAM server            Required.
Configuring a VAM client              Required.
Configuring an IPsec profile          Optional.
Configuring DVPN tunnel parameters    Required.
Configuring routing                   Required.
Enabling VAM server

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable VAM server.
  Command (Approach 1): Enable VAM server for one or all VPN domains:
    vam server enable { all | vpn vpn-name }
  Command (Approach 2): Enable VAM server for a VPN domain:
    a. vam server vpn vpn-name
    b.
  Remarks: Use either approach. By default, VAM server is disabled.
Step 3. Specify the algorithms for protocol packet authentication and their priorities.
  Command: authentication-algorithm { none | { md5 | sha-1 } * }
  Remarks: Optional. By default, SHA-1 is used for protocol packet authentication.
Step 4. Specify the algorithms for protocol packet encryption and their priorities.
  Command: encryption-algorithm { { 3des | aes-256 | aes-128 | des } * | none }
  Remarks: Optional. By default, four encryption algorithms are available and preferred in this order: AES-128, AES-256, 3DES, and DES.
In the connection initialization process, the pre-shared key is used to generate the initial key for validating and encrypting connection requests and connection responses. If encryption and authentication are needed for subsequent packets, the pre-shared key is also used to generate the connection key for validating and encrypting those packets.

To configure the pre-shared key of the VAM server:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter VPN domain view.
Task                                               Remarks
Specifying the primary VAM server                  Required.
Specifying the secondary VAM server                Specify a primary VAM server, a secondary VAM server, or both.
Configuring the username and password              Optional.
Specifying the VPN domain of the VAM client        Required.
Configuring the pre-shared key of the VAM client   Required.
Enabling VAM client                                Required.

Creating a VAM client

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2.
Specifying the secondary VAM server

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter VAM client view.
  Command: vam client name client-name
  Remarks: N/A
Step 3. Specify the secondary VAM server.
  Command: server secondary ip-address ip-address [ port port-number ]
  Remarks: Not specified by default.

Configuring the username and password

A client needs a username and a password to be authenticated by the server. You can configure the username and password for a client by creating a local user.
Enabling VAM client

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable VAM client.
  Command (Approach 1): Enable VAM client for all VAM clients or a specific VAM client:
    vam client enable { all | name client-name }
  Command (Approach 2): Enable VAM client for a VAM client:
    a. vam client name client-name
    b.
  Remarks: Use either approach. Disabled by default.
Step 3. Specify the IPsec transform sets for the IPsec profile to reference.
  Command: transform-set transform-set-name&<1-6>
  Remarks: By default, an IPsec profile references no IPsec transform set.
Step 4. Specify the IKE peer for the IPsec profile to reference.
  Command: ike-peer peer-name
  Remarks: By default, an IPsec profile references no IKE peer.
Step 5. Enable and configure perfect forward secrecy (PFS).
  Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
  Remarks: Optional. By default, PFS is not used for negotiation.
Step 2. Create a tunnel interface and enter its view.
  Command: interface tunnel number
  Remarks: No tunnel interface is created by default.
Step 3. Configure a private IPv4 address for the tunnel interface.
  Command: ip address ip-address { mask | mask-length } [ sub ]
  Remarks: A tunnel interface has no private IPv4 address configured by default.
Step 4. Configure the tunnel mode as DVPN, and specify the encapsulation mode of the DVPN tunnel.
Step 11. Set the DR priority of the OSPF interface.
  Command: ospf dr-priority priority
  Remarks: Optional for a hub but required for a spoke, when OSPF is used. By default, the interface DR priority is 1. The DR priority of a hub should be higher than that of a spoke. HP recommends setting the DR priority of a spoke to 0 to keep the spoke from participating in DR/BDR election.
Step 12. Bind an IPsec profile to the DVPN tunnel interface.
  Remarks: Optional.
For more information about OSPF, BGP, and routing policies, see Layer 3—IP Routing Configuration Guide.

Displaying and maintaining DVPN

Task: Display address mapping information about VAM clients registered with the VAM server.
  Command: display vam server address-map { all | vpn vpn-name [ private-ip private-ip ] } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display statistics about VAM clients registered with the VAM server.
Figure 345 Network diagram

Device     Interface   IP address
Hub 1      GE0/1       192.168.1.1/24
           Tunnel1     10.0.1.1/24
           Tunnel2     10.0.2.1/24
Hub 2      GE0/1       192.168.1.2/24
           Tunnel1     10.0.1.2/24
           Tunnel2     10.0.2.2/24
Spoke 1    Eth1/1      192.168.1.3/24
           Eth1/2      10.0.3.1/24
           Tunnel1     10.0.1.3/24
Spoke 2    Eth1/1      192.168.1.4/24
           Eth1/2      10.0.4.1/24
           Eth1/3      10.0.6.1/24
           Tunnel1     10.0.1.4/24
           Tunnel2     10.0.2.4/24
Spoke 3    Eth1/1      192.168.1.5/24
           Eth1/2      10.0.5.1/24
           Tunnel2     10.0.2.
[PrimaryServer-isp-domain1] authentication dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] authorization dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] accounting dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] quit
[PrimaryServer] domain default enable domain1
3. Configure the VAM server:
# Specify the listening address of the server.
[PrimaryServer] vam server ip-address 192.168.1.22
# Create VPN domain 1.
[PrimaryServer] vam server vpn 1
# Set the pre-shared key to 123.
# Create a local user named dvpn1hub1, setting the password as dvpn1hub1.
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] client enable
[Hub1-vam-client-name-dvpn1hub1] quit
# Create a VAM client named dvpn2hub1 for VPN 2.
[Hub1] vam client name dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] vpn 2
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub1-vam-client-name-dvpn2hub1] server primary ip-address 192.168.1.
[Hub1-Tunnel2] tunnel-protocol dvpn gre
[Hub1-Tunnel2] vam client dvpn2hub1
[Hub1-Tunnel2] ip address 10.0.2.1 255.255.255.0
[Hub1-Tunnel2] source gigabitethernet 0/1
[Hub1-Tunnel2] ospf network-type broadcast
[Hub1-Tunnel2] ipsec profile vamp
[Hub1-Tunnel2] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Hub1] ospf 100
[Hub1-ospf-100] area 0
[Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255
[Hub1-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private networks.
[Hub2-vam-client-name-dvpn2hub2] client enable
[Hub2-vam-client-name-dvpn2hub2] quit
3. Configure the IPsec profile:
# Configure the IPsec transform set.
[Hub2] ipsec transform-set vam
[Hub2-ipsec-transform-set-vam] encapsulation-mode tunnel
[Hub2-ipsec-transform-set-vam] transform esp
[Hub2-ipsec-transform-set-vam] esp encryption-algorithm des
[Hub2-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-vam] quit
# Configure the IKE peer.
# Configure OSPF for the private networks.
[Hub2] ospf 200
[Hub2-ospf-200] area 0
[Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255
[Hub2-ospf-200-area-0.0.0.0] quit
[Hub2] ospf 300
[Hub2-ospf-300] area 0
[Hub2-ospf-300-area-0.0.0.0] network 10.0.2.2 0.0.0.255

Configuring Spoke 1

1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
system-view
# Create a VAM client named dvpn1spoke1 for VPN 1.
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile vamp
[Spoke1-Tunnel1] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Spoke1] ospf 100
[Spoke1-ospf-100] area 0
[Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255
[Spoke1-ospf-100-area-0.0.0.
3. Configure the IPsec profile:
# Configure the IPsec transform set.
[Spoke2] ipsec transform-set vam
[Spoke2-ipsec-transform-set-vam] encapsulation-mode tunnel
[Spoke2-ipsec-transform-set-vam] transform esp
[Spoke2-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke2-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-vam] quit
# Configure the IKE peer.
# Configure OSPF for the private networks.
[Spoke2] ospf 200
[Spoke2-ospf-200] area 0
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.4.1 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] quit
[Spoke2] ospf 300
[Spoke2-ospf-300] area 0
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.2.4 0.0.0.255
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.6.1 0.0.0.255

Configuring Spoke 3

1. Configure IP addresses for the interfaces. (Details not shown.)
2.
# Configure tunnel interface Tunnel 2 for VPN 2. Tunnel 2 uses GRE for encapsulation.
[Spoke3] interface tunnel 2
[Spoke3-Tunnel2] tunnel-protocol dvpn gre
[Spoke3-Tunnel2] vam client dvpn2spoke3
[Spoke3-Tunnel2] ip address 10.0.2.3 255.255.255.0
[Spoke3-Tunnel2] source ethernet 1/1
[Spoke3-Tunnel2] ospf network-type broadcast
[Spoke3-Tunnel2] ospf dr-priority 0
[Spoke3-Tunnel2] ipsec profile vamp
[Spoke3-Tunnel2] quit
5. Configure OSPF:
# Configure OSPF for the public network.
10.0.1.2         192.168.1.2      hub      0H 50M 30S
10.0.1.3         192.168.1.3      spoke    0H 31M 24S
10.0.1.4         192.168.1.4      spoke    0H 22M 15S
VPN name: 2
Total address-map number: 4
Private-ip       Public-ip        Type     Holding time
10.0.2.1         192.168.1.1      hub      0H 54M 43S
10.0.2.2         192.168.1.2      hub      0H 49M 44S
10.0.2.3         192.168.1.5      spoke    0H 14M 24S
10.0.2.4         192.168.1.
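As an added verification aid (not part of the HP guide or its devices), the following Python script parses output in the layout of the display vam server address-map table above, checks each VPN's row count against the declared "Total address-map number", and reports which hubs and spokes planned in the network diagram have not registered with the server. The sample output is constructed in that layout, not captured from a device, and deliberately omits Spoke 2 from VPN 2.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the `display vam server address-map all`
# output shown on this page. Values are illustrative, not captured from a device;
# Spoke 2 (10.0.2.4) is deliberately absent from VPN 2 so the check has something to report.
SAMPLE_OUTPUT = """\
VPN name: 1
Total address-map number: 4
Private-ip       Public-ip        Type     Holding time
10.0.1.1         192.168.1.1      hub      0H 55M 10S
10.0.1.2         192.168.1.2      hub      0H 50M 30S
10.0.1.3         192.168.1.3      spoke    0H 31M 24S
10.0.1.4         192.168.1.4      spoke    0H 22M 15S
VPN name: 2
Total address-map number: 3
Private-ip       Public-ip        Type     Holding time
10.0.2.1         192.168.1.1      hub      0H 54M 43S
10.0.2.2         192.168.1.2      hub      0H 49M 44S
10.0.2.3         192.168.1.5      spoke    0H 14M 24S
"""

# Planned registrations, taken from the network diagram of this example:
# {vpn: {(private_ip, node_type), ...}}
PLANNED = {
    "1": {("10.0.1.1", "hub"), ("10.0.1.2", "hub"),
          ("10.0.1.3", "spoke"), ("10.0.1.4", "spoke")},
    "2": {("10.0.2.1", "hub"), ("10.0.2.2", "hub"),
          ("10.0.2.3", "spoke"), ("10.0.2.4", "spoke")},
}

@dataclass(frozen=True)
class AddressMap:
    vpn: str
    private_ip: str
    public_ip: str
    node_type: str
    holding_seconds: int

# One data row: private IP, public IP, hub|spoke, holding time as "<h>H <m>M <s>S".
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(hub|spoke)\s+(\d+)H\s+(\d+)M\s+(\d+)S$")

def parse_address_map(text):
    """Parse the table into AddressMap entries.

    Raises ValueError when the rows parsed for a VPN disagree with the
    'Total address-map number' the server declared, which usually means the
    output was cut short or the layout changed."""
    entries, declared, seen, vpn = [], {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("VPN name:"):
            vpn = line.split(":", 1)[1].strip()
        elif line.startswith("Total address-map number:"):
            declared[vpn] = int(line.split(":", 1)[1])
        elif vpn is not None and (m := ROW.match(line)):
            h, mi, s = (int(x) for x in m.group(4, 5, 6))
            entries.append(AddressMap(vpn, m.group(1), m.group(2), m.group(3),
                                      h * 3600 + mi * 60 + s))
            seen[vpn] = seen.get(vpn, 0) + 1
    for v, n in declared.items():
        if seen.get(v, 0) != n:
            raise ValueError(f"VPN {v}: declared {n} entries but parsed {seen.get(v, 0)}")
    return entries

def missing_clients(entries, planned):
    """Return (vpn, private_ip, type) for planned clients the server has not seen."""
    registered = {(e.vpn, e.private_ip, e.node_type) for e in entries}
    return sorted((v, ip, t) for v, nodes in planned.items()
                  for ip, t in nodes if (v, ip, t) not in registered)

if __name__ == "__main__":
    found = parse_address_map(SAMPLE_OUTPUT)
    for e in found:
        print(f"VPN {e.vpn}: {e.node_type:5} {e.private_ip:10} via {e.public_ip} ({e.holding_seconds}s)")
    print("not registered:", missing_clients(found, PLANNED))
```

Run the same check against the output of both the primary and the secondary VAM server, since the verification steps above require every hub and spoke to be registered with both.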
Interface: Tunnel2
VPN name: 2
Total number: 3
Private IP: 10.0.2.2    Public IP: 192.168.1.2
Session type: hub-Hub    State: SUCCESS    Holding time: 0h 12m 10s
Input: 183 packets, 182 data packets, 0 multicasts,
Output: 186 packets, 185 data packets, 155 multicasts, 1 control packets 0 errors
Private IP: 10.0.2.4    Public IP: 192.168.1.
Input: 381 packets, 380 data packets, 374 multicasts, 1 control packets 0 errors
Output: 384 packets, 376 data packets, 369 multicasts, 8 control packets 0 errors
Private IP: 10.0.1.2    Public IP: 192.168.1.2
Session type: spoke-Hub    State: SUCCESS    Holding time: 0h 21m 53s
Input: 251 packets, 249 data packets, 230 multicasts,
Output: 252 packets, 240 data packets, 224 multicasts, 7 control packets 0 errors
Interface: Tunnel2
VPN name: 2
Private IP: 10.0.2.1    Public IP: 192.168.1.
--- 10.0.5.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/5 ms
# Display the DVPN tunnel information of interface Tunnel 2 on Spoke 2.
[Spoke2] display dvpn session interface tunnel 2
Interface: Tunnel2
VPN name: 2
Private IP: 10.0.2.1    Public IP: 192.168.1.
charge of VAM client authentication and accounting. With each being the backup of the other, the two hubs perform data forwarding and routing information exchange. Create a permanent tunnel between each hub-spoke pair.
[PrimaryServer] domain domain1
[PrimaryServer-isp-domain1] authentication dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] authorization dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] accounting dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] quit
[PrimaryServer] domain default enable domain1
3. Configure the VAM server:
# Specify the listening address of the server.
[PrimaryServer] vam server ip-address 192.168.1.22
# Create VPN domain 1.
[Hub1-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Hub1] ike peer vam
[Hub1-ike-peer-vam] pre-shared-key abcde
[Hub1-ike-peer-vam] quit
# Configure the IPsec profile.
[Hub1] ipsec profile vamp
[Hub1-ipsec-profile-vamp] transform-set vam
[Hub1-ipsec-profile-vamp] ike-peer vam
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit
4.
2. Configure the VAM client:
system-view
# Create a VAM client named dvpn1hub2 for VPN 1.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0
[Hub2-Tunnel1] source gigabitethernet 0/1
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Hub2] ospf 100
[Hub2-ospf-100] area 0
[Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255
[Hub2-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Spoke1-ipsec-profile-vamp] transform-set vam
[Spoke1-ipsec-profile-vamp] ike-peer vam
[Spoke1-ipsec-profile-vamp] sa duration time-based 600
[Spoke1-ipsec-profile-vamp] pfs dh-group2
[Spoke1-ipsec-profile-vamp] quit
4. Configure the DVPN tunnel:
# Configure tunnel interface Tunnel 1 for VPN 1.
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123
# Create a local user named dvpn1spoke2, setting the password as dvpn1spoke2.
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Spoke2] ospf 100
[Spoke2-ospf-100] area 0
[Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255
[Spoke2-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Spoke2] ospf 200
[Spoke2-ospf-200] area 0
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.
State: SUCCESS    Holding time: 0h 1m 44s
Input: 101 packets, 100 data packets, 87 multicasts, 1 control packets 0 errors
Output: 106 packets, 99 data packets, 87 multicasts, 7 control packets 10 errors
Private IP: 10.0.1.3    Public IP: 192.168.1.3
Session type: hub-spoke    State: SUCCESS    Holding time: 0h 4m 32s
Input: 36 packets, 18 data packets, 10 multicasts,
Output: 35 packets, 17 data packets, 11 multicasts, 18 control packets 0 errors
Private IP: 10.0.1.4    Public IP: 192.168.1.
230 multicasts, 0 errors
Output: 252 packets, 240 data packets, 224 multicasts, 7 control packets 0 errors
The output shows that in VPN 1, Spoke 1 has established a permanent hub-spoke tunnel with each of Hub 1 and Hub 2. The DVPN tunnel information of Spoke 2 is similar to that of Spoke 1.
# On Spoke 1, ping private address 10.0.3.1 of Spoke 2.
[Spoke1] ping 10.0.3.1
PING 10.0.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=254 time=6 ms
Reply from 10.0.
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention    Description
Boldface      Bold text represents commands and keywords that you enter literally as shown.
Italic        Italic text represents arguments that you replace with actual values.
[ ]           Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ...
Network topology icons

Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a firewall product or a UTM device.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.