HP ProCurve Threat Management Services zl Module Management and Configuration Guide
HP ProCurve Threat Management Services zl Module March 2010 ST.1.1.
© Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Contents

1 Overview
  Contents 1-1
  Overview 1-4
  Hardware Overview 1-4
  Installation 1-5
  Internal Ports
  Access Control with Authentication 1-29
  Use Models for Access Control with Authentication 1-29
  Deployment Location for Access Control with Authentication 1-30
  Deployment Tasks for Access Control with Authentication 1-30
  Deployment Models for Monitor Mode—Threat Detection 1-32
  Deployment Location
  Virtual Private Network (VPN) 1-64
  VPN Protocols 1-64
  IPsec 1-64
  L2TP over IPsec 1-65
  GRE

2 Initial Setup in Routing Mode
  Contents 2-1
  Overview 2-4
  Routing Mode 2-4
  Deploying the TMS zl Module
  Configure Management Access 2-34
  Configure Initial Settings 2-34
  Access the Web Browser Interface 2-42
  Firefox 3.x 2-43
  Internet Explorer 7 or 8
  System Maintenance 2-90
  Back Up the Startup-Config 2-90
  Restore to a Previously Saved Configuration 2-91
  Erase the Startup-Config and Return to Defaults 2-92
  Erase the Startup Configuration from the Web Browser Interface

  Boot the TMS zl Module to the Product OS 3-20
  Access the TMS zl Module Product OS Context 3-21
  Configure Management Access 3-23
  Configure Initial Settings 3-23
  Access the Web Browser Interface 3-25
  Firefox 3.x
  Erase the Startup-Config and Return to Defaults 3-63
  Erasing the Startup Configuration from the Web Browser Interface 3-63
  Erasing the Startup Configuration from the CLI Product OS 3-63
  Restore to Factory Default Settings (Including IDS/IPS Signatures) 3-64
  Update the Module Software

  Guidelines for Managing Access Policies 4-33
  Modifying an Existing Access Policy 4-33
  Adding an Overlapping, Higher-Position Policy 4-37
  Deleting a Policy 4-39
  Policy Examples 4-40
  Unicast Access Policy
  pptp 4-94
  rtsp 4-95
  sql 4-95
  tftp 4-96
  Enable and Disable ALGs

5 Network Address Translation
  Contents 5-1
  Overview 5-2
  NAT Operations 5-3
  Source NAT

6 Intrusion Detection and Prevention
  Contents 6-1
  Overview 6-3
  IDS/IPS Concepts 6-3
  Attack Vectors
  Configuring Signature Detection 6-28
  Download Signatures 6-28
  Configure IDS/IPS Session Inspection 6-30
  View Signatures 6-31
  Enable or Disable Signatures

  NAT Traversal 7-24
  How NAT Traversal Works 7-25
  Maximum Segment Size (MSS) for TCP Connections 7-26
  Configure an IPsec Client-to-Site VPN 7-27
  Create an IKE Policy for a Client-to-Site VPN 7-28
  Install Certificates for IKE
  Create an IPsec Policy for an L2TP over IPsec VPN 7-153
  Configure L2TP User Authentication 7-162
  Configure Local L2TP Authentication 7-162
  Configure L2TP Authentication to an External RADIUS Server 7-167
  Create Access Policies for an L2TP over IPsec VPN 7-174
  Verify Routes for the L2TP over IPsec VPN
  Create an IPsec Policy for a GRE over IPsec VPN That Uses IKE 7-247
  Create Access Policies for a GRE over IPsec VPN That Uses IKE 7-256
  Unicast Access Policies 7-258
  Multicast Access Policies 7-263
  Configure a GRE over IPsec VPN with Manual Keying 7-265
  Create Named Objects (Optional)
  Redundant GRE Tunnels
  Create the Primary GRE Tunnel for Site A
  Create the Secondary GRE Tunnel for Site A
  Create Named Objects for Site A
  Configure Firewall Access Policies for Site A
  Configure Routes for Site A

8 High Availability
  Contents 8-1
  Overview 8-2
  Active-Standby Mode 8-2
  Failover 8-3
  Failover Process

  RIP 9-15
  RIP Overview 9-15
  RIP Process 9-15
  RIP Updates, v1 and v2 9-16
  Passive Interfaces
  Example OSPF Setup 9-49
  TMS zl Module A Settings 9-50
  TMS zl Module B Settings 9-50
  TMS zl Module C Settings 9-51
  TMS zl Module D Settings 9-52
  Viewing Unicast Routes

  Using Log Messages 10-27
  Enabling Logging for an Access Policy 10-27
  Changing the Log Level 10-28
  Checking the Time Settings 10-29
  Viewing Log Messages 10-29
  Interpreting Log Messages
  Troubleshooting the TMS zl Module in Monitor Mode 10-106
  Troubleshooting Problems Accessing the Web Browser Interface 10-106
  Resolve Specific Issues Related to Accessing the Web Browser Interface 10-107
  Using Log Messages to Troubleshoot Problems 10-109
  Changing the Log Level

  ping A-21
  show A-21
  uninstall A-21
  update A-21
  usb
  logout A-39
  no connections A-39
  nslookup A-40
  page A-40
  ping
  gre A-66
  no gre A-66
  gre disable A-66
  gre enable A-66
  gre ip
  l2tp A-83
  l2tp radius-auth A-83
  l2tp local-user A-86
  lldp A-86
  logging
  snapshot A-108
  snmpv2 A-108
  snmpv3 A-109
  time A-110
  traceroute
  preview A-130
  traffic-selector A-131
  IPsec Policy Apply Context A-132
  advanced A-134
  apply
  RIP Context A-171
  default metric A-172
  poison-reverse A-172
  redistribute A-172
  restrict
  show gre A-187
  show high-availability A-188
  show ip A-188
  show ip rip A-188
  show ip ospf
  show vlans A-199
  show vlans mac-addresses A-199
  show vpn A-199
  show vpn-config A-200
  show zone

  Network Access System C-18
  Network Access System: DHCP Client C-18
  Network Access System: DHCP Server C-18
  Network Access System: IGMP Proxy C-19
  Network Access System: NTP Client C-19
  Routing
Overview

The HP ProCurve Threat Management Services (TMS) zl Module detects and mitigates threats from both internal and external sources. The module supports multiple capabilities for managing threats, which you can enable in various combinations.

Hardware Overview

Installation

The TMS zl Module is installed in an HP ProCurve 5400zl or 8200zl Switch Series switch running software K.13.55 or above. On the 5400zl switches and the 8212zl switch, you can install up to four TMS zl Modules in the same chassis as long as no more than two are in an HA cluster. (If you attempt to install a fifth module, that module will not boot.) On the 8206zl switch, you can install up to two TMS zl Modules in the same chassis.

Hardware Specifications

The TMS zl Module has the following hardware specifications:
■ CPU—Intel 2.2 GHz
■ RAM—4 GB
■ Hard drive—250 GB, including 38 GB for image storage

Performance

Consult the data sheet for the TMS zl Module at www.hp.com/go/procurve/library.
Operating Modes

The TMS zl Module supports two operating modes:
■ Routing mode
■ Monitor mode

Routing Mode

In routing mode, the TMS zl Module routes all traffic that needs to be secured. As it routes the traffic, it applies the security features that you have configured—IPS policies, firewall attack checks, firewall access policies, NAT policies, and VPN policies (IPsec and L2TP policies).

Figure 1-1. Logical Operation of the TMS zl Module in Routing Mode

You must set up your network infrastructure so that the TMS zl Module acts as a router for all VLANs on which you want to manage threats. You assign the module an IP address on these VLANs so that it can route and filter their traffic; these VLANs are then called TMS VLANs. Generally, the TMS zl Module acts as the default router for all endpoints in a TMS VLAN.

Figure 1-2. Traffic Managed by the TMS zl Module

In this example, you can see that traffic between the server in VLAN 10 and the Internet passes through the module, as does traffic between VLAN 30 and VLAN 40. In addition, traffic from the Internet to the server in VLAN 10 is filtered by the module. However, traffic between the two nodes in VLAN 20 is forwarded directly by the switch at Layer 2, thereby bypassing the module.

Internal Ports in Routing Mode

As mentioned earlier, the TMS zl Module has two internal ports. If you select routing mode, the two internal ports operate as follows:
■ Port 1—This port sends and receives all network traffic that is being filtered by the TMS zl Module. It also sends and receives all management traffic.
■ Port 2—This port sends and receives traffic related to an HA cluster (if one is configured on the TMS zl Module).

Internal Ports in Monitor Mode

In monitor mode, the two internal ports operate differently than they do in routing mode.
■ Port 1—This port is used for data that is to be analyzed for threats. When operating in monitor mode, the data that the TMS zl Module receives on this port is mirrored traffic.
■ Port 2—This port is used for management traffic.
The ProCurve 5400zl or 8200zl switch in which the module is installed also supports remote mirroring. If other switches in your network support remote mirroring as well, you can send traffic from these switches to be analyzed by the TMS zl Module.

Zones

In routing mode, the TMS zl Module uses zones to control traffic. Zones are logical groupings of TMS VLANs that have similar security needs or levels of trust.

Access Control Zones

The TMS zl Module supports nine access control zones, which have the following names and intended purposes:
■ Internal—your private network
■ External—the Internet or other untrusted networks
■ DMZ—demilitarized zone; publicly accessible servers that are logically located between the private network and the external network
■ Zone1 through Zone6—any user-defined purpose, as needed

With the exception of the External zone, you can rename the access control zones ac
Deployment Options for Routing Mode—Threat Protection

However, if you plan to create many different policies for different TMS VLANs, it might be easier to associate the VLANs with different zones.

control how users access the resources—for example, how much bandwidth is devoted to particular types of traffic or even when certain resources are accessed. According to your needs, you can enable either the IPS or the firewall or both.

Internal VPN. You might implement a client-to-site VPN within the internal network when you have resources that require particularly strong protection.

Figure 1-4. Internal Deployment of the TMS zl Module

Deployment Tasks for Internal Threat Protection

You must complete these tasks to deploy a TMS zl Module that provides internal threat protection:
1. As you deploy the TMS zl Module, you may cause network outages. You should complete these steps during a scheduled network outage at the network’s lowest utilization time.
2.
3. Verify that the host switch’s configuration includes every VLAN that you want to route through the module—whether you want to control traffic that is forwarded on that VLAN, that originates from that VLAN, or both.
4. Remove all IP addresses on the selected VLANs from the host switch except the switch’s management address.

Figure 1-5. Plan for Zones

9. Select at least one zone from which you will manage the TMS zl Module. Add a VLAN to this zone and assign the module an IP address on the VLAN’s subnet. Enable management access for this zone. In Figure 1-5, the management station is on VLAN40 (subnet 10.1.40.0/24), which you have planned to place in Zone1. On the TMS zl Module, you would associate VLAN40 with Zone1 and assign the module the IP address 10.1.40.
10. Configure the default gateway for the module. The default gateway is usually one of these devices: the host switch, a core switch, or an external router. Follow these steps:
   a. Determine the TMS VLAN on which the TMS zl Module connects to its default gateway:

Figure 1-6.

Figure 1-7. External Router as Default Gateway

   – If an external router is the default gateway, this VLAN is the TMS VLAN on which the host switch connects to the external router. If this VLAN does not already exist on the host switch, extend the VLAN to the switch.
   b. On the TMS zl Module, associate this VLAN with a zone (External is recommended).

9. Later, you can associate other VLANs with this zone and manage the module from those TMS VLANs. You can also enable management access on other zones.
11. Add more TMS VLANs. That is, associate each VLAN with a zone and configure an IP address on the TMS zl Module for each TMS VLAN. When you associate a VLAN with a zone, the module’s data port (port 1) is automatically tagged for that VLAN.

Figure 1-8.

should also verify that DHCP scopes or pools on your network’s DHCP servers include the TMS zl Module’s IP addresses as the default gateways for endpoints on those TMS VLANs. The TMS zl Module in Figure 1-8 has the following IP addresses on its TMS VLANs, which are also the default gateway addresses for those VLANs:
• VLAN20—10.1.20.99
• VLAN30—10.1.30.99
• VLAN40—10.1.40.99
• VLAN50—10.1.50.

15. Optionally, configure NAT to translate addresses between TMS VLANs. For example, you could follow these steps to configure NAT between TMS VLANs in the Internal zone and a guest TMS VLAN in Zone2:
   a. The guests have IP addresses in a private subnet that is not used in the rest of the private network.
   b. Configure a Zone2-to-Internal NAT policy that applies source NAT to guest IP addresses.
   c.

to particular types of traffic. For example, you could limit the number of connections to your Web server to 300 and the number of connections to your FTP server to 50. Furthermore, you can configure policies to apply only during certain hours of the day. For example, you can configure a policy so that it applies only during office hours.
Figure 1-9. Perimeter Deployment of the TMS zl Module

Deployment Tasks for Perimeter Threat Protection

You must complete these tasks to deploy your TMS zl Module to provide perimeter threat protection:
1. As you deploy the TMS zl Module, you may cause network outages. You should complete the following steps when the network is inactive.
2.
4. On the host switch, remove the IP address from the VLAN that connects to the external router. If the host switch is the router for the internal network, leave its other IP addresses intact.

Note: If you want the TMS zl Module to provide internal protection as well as perimeter protection, you should remove all IP addresses from the host switch except its management address and make the TMS zl Module the router for the internal network.

9. Configure the default gateway for the module. When the TMS zl Module provides perimeter protection, the default gateway is typically an external router:
   a. On the TMS zl Module, associate the VLAN on which the module connects to the default gateway with a zone (External is recommended). Assign the module an IP address on this VLAN—typically, assign the module the IP address that you removed from the host switch.
   b.
• For perimeter and internal protection, route internal traffic on the TMS zl Module.
   i. Extend internal VLANs to the host switch but remove IP addresses on those VLANs from the switch.
   ii. Associate the internal VLANs with zones on the TMS zl Module (the Internal zone or Zone1 to Zone6) and assign the module a valid IP address on each VLAN. Typically, assign the module the IP addresses that you removed from the host switch.
   iii.
15. Optionally, configure the TMS zl Module as a VPN gateway. You can create site-to-site and client-to-site VPNs. See “Virtual Private Network (VPN)” on page 1-64 for an overview and Chapter 7: “Virtual Private Networks” for detailed instructions.
16. Optionally, configure the TMS zl Module as a member of an HA cluster with another TMS zl Module. See “Overview” in Chapter 8: “High Availability” for an overview and for detailed instructions.

Local User Authentication. You could also have all internal users authenticate to the TMS zl Module (or to an external RADIUS server through the module). You could then apply different access policies to the users based on their identity.

VPN User Authentication. Another use for the module’s authentication capability is to authenticate VPN users. The users log in with XAUTH or with L2TP.

   – Configure proxy to another RADIUS server. On that RADIUS server, add the TMS zl Module as a client. Create policies on the RADIUS server to authenticate the users and assign them to the correct groups. See “User Authentication” in Chapter 4: “Firewall” for detailed instructions.
3.
Deployment Models for Monitor Mode—Threat Detection

In monitor mode, the TMS zl Module can detect known DoS attacks, exploits, worms, viruses, and other threats that are launched by external or internal users (users who have been allowed access to the network). It logs the attack internally and can forward the log to a syslog server, to an SNMP server, to an SNMP trap server, or as an email.

2. Create a mirror session for which the TMS zl Module’s data port (port 1) is the destination exit port. For the session source, specify ports, trunks, or VLANs on the module’s switch. If you are using remote mirroring, configure a mirror session on each remote switch. The TMS zl Module’s host switch should be the destination.
Named Objects

The TMS zl Module supports named objects for greater ease of configuration. A named object is a logical “container” that can be used in firewall access policies, NAT policies, port triggers, and IPsec policy traffic selectors to represent one or more addresses, one or more services, or a schedule.

For example, rather than manually specify the IP address of your Web server in multiple policies, you can create an object named WebServer with the Web server’s IP address. You can then specify the WebServer object every time that you create a policy for controlling access to the Web server. If the IP address of the Web server changes, you can edit the address object, and the change propagates to all of the policies that include the object.
Overview IDS/IPS IDS/IPS The TMS zl Module can act as an IDS, which detects worms, denial of service (DoS) attacks, and other threats. In routing mode, the TMS zl Module can also function as an IPS, which mitigates these threats as well as detects them. Threat Detection When it functions as either an IDS or an IDS/IPS, the TMS zl Module detects threats in all traffic received on its data port (port 1).
IPS Subscription. The TMS zl Module requires a subscription to download and update IDS/IPS signatures.
By default, the TMS zl Module provides protocol-anomaly detection for the following applications:
■ HTTP
• Check for URL decoding in the URL request
• Check for directory traversal beyond the root directory
• Check for NULL method
• Check for evasion techniques
• Check for the length of the URL request (user-configurable)
• Check for a number of lines per header that exceeds the maximum limit (user-configurable)
• Check for a MIME header size that exceeds the maximum li
■ SNMP
• Malformed SNMP message with the wrong ASN.1 types
• Check for ASN.
Table 1-5.
Note
The TMS zl Module’s firewall ALGs also use the port map to identify traffic types.
Threat Mitigation
In routing mode, when the TMS zl Module acts as an IPS (a function that you must enable manually), it can mitigate threats. When the module detects a threat, it creates a log entry and takes one of these actions:
■ Terminate the session—The TMS zl Module closes the session with the offending traffic. It drops all traffic that is associated with the session.
■ Which actions are taken—Each signature or protocol anomaly is assigned one of five severity levels:
• Critical
• Severe
• Minor
• Warning
• Informational
You choose the threat mitigation action for each severity level. See “Configuring IDS/IPS” on page 6-20 of Chapter 6: “Intrusion Detection and Prevention.”
Firewall
In routing mode, the TMS zl Module firewall filters traffic that it routes between TMS VLANs. (A TMS VLAN is a VLAN that you have assigned to a zone.)
■ The packet’s source and destination zones
A packet’s source zone is the zone of the TMS VLAN on which the TMS zl Module receives the packet. This TMS VLAN might be the source device’s own VLAN, or it might be the VLAN of the router that routed the traffic to the module. The destination zone is the zone of the TMS VLAN on which the packet is forwarded (which the module determines using its routing table).
Access Policy Settings
In particular, an access policy includes these settings:
■ Permit (forward) or deny (drop) matching traffic
■ Source zone and destination zone
■ Header values against which the packet is matched:
• Service (protocol or protocol and destination port)
• Source IP address or source DNS name
The TMS zl Module can resolve the IP address for a DNS name and match the policy to packets with that source address.
If a packet matches a policy but arrives at a time when the policy is inoperable, the packet is dropped. If an access policy does not have a schedule, the policy applies at all times.
Caution
The TMS zl Module derives its time information from the host switch. If the time and date are not correct on the switch, scheduled access policies will not be properly applied.
You can do so by forcing the MSS for the connection to be small enough that any additional headers added by the TMS zl Module do not cause the frame to exceed the MTU.
Rate Limiting. Instead of simply permitting or denying all traffic that matches an access policy, the TMS zl Module can control the traffic in a more nuanced way. It can limit the number of sessions and the amount of bandwidth devoted to the permitted traffic.
Within these policies, the module starts with the policy that has the highest position (lowest numerical value). For example, it matches a packet against Internal-to-External access policy 1 before it matches it against Internal-to-External access policy 2. The module takes the action that is specified in the first policy that the packet matches and then stops processing policies. If the packet never matches a policy, the module drops it.
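The following added example (not HP’s code) models the evaluation order described above together with the schedule rule from the access policy settings: policies for a zone pair are tried from the lowest position number upward, the first match decides, a matching policy outside its schedule drops the packet, and a packet that matches nothing is dropped. Zone names, the hour-range schedule format, the policy set and the sample packets are constructed for illustration.

```python
"""First-match evaluation of firewall access policies (added example, not HP's code)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    position: int                            # lower number = evaluated earlier
    src_zone: str
    dst_zone: str
    action: str                              # "permit" (forward) or "deny" (drop)
    service: str = "any"                     # "any", "<proto>" or "<proto>/<dst-port>"
    source: str = "any"                      # "any" or a CIDR block
    hours: Optional[Tuple[int, int]] = None  # constructed schedule: [start, end) hour; None = always


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    proto: str
    dst_port: int
    arrival: datetime


def service_matches(service: str, pkt: Packet) -> bool:
    if service == "any":
        return True
    proto, _, port = service.partition("/")
    return proto == pkt.proto and (port == "" or int(port) == pkt.dst_port)


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, Optional[int], str]:
    """Return (verdict, position of the policy that decided, reason)."""
    # Only policies for the packet's zone pair apply, lowest position first.
    candidates = sorted(
        (p for p in policies if p.src_zone == pkt.src_zone and p.dst_zone == pkt.dst_zone),
        key=lambda p: p.position,
    )
    for p in candidates:
        if not service_matches(p.service, pkt):
            continue
        if p.source != "any" and ip_address(pkt.src_ip) not in ip_network(p.source):
            continue
        # First match decides; a matched policy outside its schedule drops the packet.
        if p.hours is not None and not (p.hours[0] <= pkt.arrival.hour < p.hours[1]):
            return ("drop", p.position, "matched policy is outside its schedule")
        return ("forward" if p.action == "permit" else "drop", p.position, "first match")
    return ("drop", None, "no policy matched")


def sample_policies() -> List[Policy]:
    """Constructed Internal-to-External policy set; stored out of order on purpose."""
    return [
        Policy(3, "Internal", "External", "permit", source="10.1.1.0/24"),
        Policy(1, "Internal", "External", "deny", service="tcp/23"),
        Policy(2, "Internal", "External", "permit", service="tcp/80", hours=(8, 18)),
    ]


def verdict(src_ip: str, proto: str, dst_port: int, hour: int) -> Tuple[str, Optional[int], str]:
    """Evaluate one constructed Internal-to-External packet arriving at the given hour."""
    pkt = Packet("Internal", "External", src_ip, proto, dst_port, datetime(2010, 3, 1, hour, 0))
    return evaluate(sample_policies(), pkt)


if __name__ == "__main__":
    for args in (("10.1.1.5", "tcp", 23, 10), ("10.1.1.5", "tcp", 80, 10),
                 ("10.1.1.5", "tcp", 80, 22), ("10.1.1.5", "udp", 53, 10),
                 ("10.2.2.2", "udp", 53, 10)):
        print(args, "->", verdict(*args))
```

Note that the HTTP packet at 22:00 is dropped by policy 2 even though policy 3 would permit it: once a policy matches, later positions are never consulted.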
Figure 1-11. Outbound Connection Reservation
Connection reservations can also be for inbound connections from a zone, in which case they reserve connections for any source address in that zone to particular destinations and applications. For example, in Figure 1-12, 100 connections have been reserved for sessions between any user in Zone1 and the server at 10.1.2.22.
Figure 1-12.
Table 1-6.
Connection Reservation Examples
To better understand how connection reservations function, read the examples below.
Outbound Example. In an outbound reservation, you are reserving connections from the specified IP address or addresses to the specified zone. Suppose that there are four zones, and each zone has a connection limit of 10,000. The global maximum connections limit is therefore 40,000 (4 x 10,000).
Figure 1-13.
The following is therefore true:
Figure 1-14. Outbound Connection Reservation Implication
■ When the total active connection threshold of 39,500 (40,000 – 500) is reached, the module will not permit any more connections—unless the connections are initiated by hosts with IP addresses in the 10.1.1.11 to 10.1.1.60 range outbound to the External zone.
Figure 1-15.
Figure 1-16. Outbound Connection Reservation Implication
■ If the current connection count from Zone1 is 10,500 (500 connections of which are reserved), and 500 non-reserved connections are closed, then the Zone1 limit will revert to its original limit of 10,000. At this point the Zone1 maximum connection threshold (10,000) already provides for the reserved connections. Any other new connections from Zone1 will not be successful.
Figure 1-17. Inbound Connection Reservation
In this example, a connection reservation count of 100 has been configured for one IP address: 10.1.2.22. The reservation count is 100 (100 x 1) connections from Zone1 to the IP address 10.1.2.22.
The following is therefore true:
Figure 1-18. Inbound Connection Reservation Implication
■ When the total active connection threshold of 39,900 (40,000 – 100) is reached, the module will not permit any more connections unless the connections are destined for the server at 10.1.2.22 from Zone1.
Figure 1-19.
Figure 1-20. Inbound Connection Reservation Implication
■ If the current connection count from Zone1 is 10,100 (100 of which are to 10.1.2.22), and if 100 non-reserved connections in Zone1 are closed, then the Zone1 limit will revert to its original limit of 10,000. At this point the Zone1 maximum connections (10,000) includes the reserved connections. Any other new connections from Zone1 to any zone will not be successful.
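The arithmetic in the outbound and inbound examples above can be replayed with the following added example (not HP’s code). It assumes the admission rules those examples imply: the global limit is the sum of the zone limits; every reservation lowers the threshold at which non-reserved connections are refused (39,500 and 39,900 above); a connection matching a reservation is admitted while the reservation has capacity, even if its source zone is at its limit; any other connection needs room in both its source zone and the global threshold; and a reserved host whose reservation is exhausted falls back to the non-reserved rules (the guide does not state this last case). Zone2, Zone3 and the sample addresses other than those in the guide are constructed.

```python
"""Connection-limit and reservation accounting (added example, not HP's code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class Reservation:
    # Outbound reservations set src_range and dst_zone; inbound ones set src_zone and dst_ip.
    count: int
    src_zone: Optional[str] = None
    src_range: Optional[Tuple[str, str]] = None   # inclusive first/last address
    dst_zone: Optional[str] = None
    dst_ip: Optional[str] = None
    in_use: int = 0

    def matches(self, src_zone: str, src_ip: str, dst_zone: str, dst_ip: str) -> bool:
        if self.src_zone is not None and src_zone != self.src_zone:
            return False
        if self.src_range is not None:
            lo, hi = (ip_address(a) for a in self.src_range)
            if not lo <= ip_address(src_ip) <= hi:
                return False
        if self.dst_zone is not None and dst_zone != self.dst_zone:
            return False
        return self.dst_ip is None or dst_ip == self.dst_ip


class ConnectionTable:
    def __init__(self, zone_limits: Dict[str, int], reservations: List[Reservation]):
        self.zone_limits = dict(zone_limits)
        self.reservations = list(reservations)
        self.global_max = sum(zone_limits.values())        # e.g. 4 x 10,000 = 40,000
        self.reserved_total = sum(r.count for r in reservations)
        self.zone_counts = {zone: 0 for zone in zone_limits}
        self.total = 0
        self.conns: Dict[int, Tuple[str, Optional[Reservation]]] = {}
        self._next_id = 1

    @property
    def threshold(self) -> int:
        """Active-connection count at which non-reserved connections are refused."""
        return self.global_max - self.reserved_total

    def open(self, src_zone: str, src_ip: str, dst_zone: str, dst_ip: str) -> Optional[int]:
        """Admit a connection and return its id, or None if it is refused."""
        for res in self.reservations:
            # A reserved connection is admitted even when its zone is at its limit.
            if res.matches(src_zone, src_ip, dst_zone, dst_ip) and res.in_use < res.count:
                res.in_use += 1
                return self._add(src_zone, res)
        # Assumption: an exhausted reservation falls back to the non-reserved rules.
        if self.total >= self.threshold or self.zone_counts[src_zone] >= self.zone_limits[src_zone]:
            return None
        return self._add(src_zone, None)

    def close(self, conn_id: int) -> None:
        src_zone, res = self.conns.pop(conn_id)
        self.zone_counts[src_zone] -= 1
        self.total -= 1
        if res is not None:
            res.in_use -= 1

    def _add(self, src_zone: str, res: Optional[Reservation]) -> int:
        conn_id = self._next_id
        self._next_id += 1
        self.conns[conn_id] = (src_zone, res)
        self.zone_counts[src_zone] += 1
        self.total += 1
        return conn_id


def outbound_example() -> dict:
    """Replay the outbound example: four zones of 10,000 connections, 500 of
    them reserved for 10.1.1.11-10.1.1.60 outbound to External."""
    zones = {"Zone1": 10_000, "Zone2": 10_000, "Zone3": 10_000, "External": 10_000}
    reservation = Reservation(500, src_range=("10.1.1.11", "10.1.1.60"), dst_zone="External")
    table = ConnectionTable(zones, [reservation])
    # Non-reserved traffic fills the module up to the 39,500 threshold.
    zone1_ids = [table.open("Zone1", "10.1.1.200", "Zone2", "10.1.2.5") for _ in range(10_000)]
    for zone, n in (("Zone2", 10_000), ("Zone3", 10_000), ("External", 9_500)):
        for _ in range(n):
            table.open(zone, "192.0.2.1", "Zone1", "10.1.1.200")
    out = {"threshold": table.threshold, "at_threshold": table.total == table.threshold}
    # External still has room, but the global threshold refuses a non-reserved connection.
    out["non_reserved_refused"] = table.open("External", "192.0.2.1", "Zone1", "10.1.1.200") is None
    # Reserved hosts still get their 500 connections, taking Zone1 to 10,500.
    reserved = [table.open("Zone1", "10.1.1.20", "External", "203.0.113.9") for _ in range(500)]
    out["reserved_admitted"] = all(cid is not None for cid in reserved)
    out["zone1_count"] = table.zone_counts["Zone1"]
    out["reservation_exhausted"] = table.open("Zone1", "10.1.1.20", "External", "203.0.113.9") is None
    # Closing 500 non-reserved Zone1 connections returns Zone1 to its 10,000 limit;
    # no further Zone1 connection succeeds.
    for cid in zone1_ids[:500]:
        table.close(cid)
    out["zone1_after_close"] = table.zone_counts["Zone1"]
    out["zone1_blocked"] = table.open("Zone1", "10.1.1.200", "Zone2", "10.1.2.5") is None
    return out
```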
Table 1-7.
Table 1-8.
Firewall Troubleshooting
You can troubleshoot the firewall from the CLI.
Firewall Event Severity
Each event has an associated severity level. From greatest to least severity, these levels are as follows:
■ Critical—Error may lead to failure
■ Major—Error may lead to failure or faulty functioning
■ Minor—Error may lead to faulty functioning
■ Warning—Error should be corrected
■ Information—Notification of significant events
Network Address Translation (NAT)
In routing mode, the TMS zl Module can apply NAT to network traffic.
• Many-to-many
The module assigns each local device that attempts to reach the destination network a separate IP address in that network. A range of new IP addresses is available. When every IP address in the range has been assigned to a local device, additional local devices cannot reach the destination network.
■ Destination NAT
With destination NAT, the TMS zl Module translates the destination IP address of a packet to a new IP address.
Note
The information above is simply intended to inform you of the module’s capabilities. When you configure NAT, you do not need to determine the specific type of source or destination NAT that you require. Once you configure the source, destination, and NAT addresses, the Web browser interface handles the configuration.
You can also configure NAT policies that exclude specific addresses. For example, you have configured source NAT for all traffic from 10.1.1.
Virtual Private Network (VPN)
The TMS zl Module can act as a VPN gateway. You should use the VPN functionality when you want to protect traffic from eavesdropping and tampering. Typically, such protection is necessary when the traffic passes through an untrusted network such as the Internet or a wireless network that does not offer encryption. You can also create VPNs inside your private network to protect sensitive information from all but authorized users.
L2TP over IPsec
Microsoft VPN clients use Layer 2 Tunneling Protocol (L2TP) over IPsec to establish VPN connections. The TMS zl Module can act as a gateway for these endpoints, allowing them remote access to the private network. L2TP users must authenticate to gain access. The module can authenticate the users locally or against an external RADIUS server. L2TP tunnels data, but it does not secure it.
The two gateways secure traffic and forward it over the tunnel on behalf of the endpoints that are behind each gateway. The traffic is only protected between the two gateways, not between an endpoint and its own gateway. Most commonly, a site-to-site VPN connects two sites (such as a main office and a branch office) through a public, untrusted network such as the Internet. The Internal zone traffic at each site is assumed not to require encryption.
Routing
When it operates in routing mode, the TMS zl Module must be able to route the traffic that it is filtering and analyzing for threats. The module’s VPN capabilities also require the module to know the correct routes. The module supports these routing capabilities:
■ Static routing
■ Routing Information Protocol (RIP)
■ Open Shortest Path First (OSPF)
The TMS zl Module supports up to 10,000 total route entries, including static and dynamic routes.
By default, the TMS zl Module does not redistribute routes to its own connected interfaces. In other words, the module only advertises routes to the interfaces on which you enable RIP. However, you can configure the module to redistribute connected routes as well as static routes and routes discovered through OSPF. You can configure the metric for redistributed routes, but all types of redistributed routes have the same metric.
Depending on your needs, the TMS zl Module can be configured to act in any of these roles:
■ Area Border Router (ABR). The TMS zl Module has one or more interfaces in the backbone area as well as one or more interfaces in other areas. The module acts as the router for inter-area traffic.
■ Internal router. The module has interfaces in one area only.
■ Autonomous System Border Router (ASBR). The module is either an internal router or an ABR.
Multicast Routing
The TMS zl Module supports Internet Group Management Protocol (IGMP), which allows endpoints to join multicast groups and receive traffic that is destined to specific multicast addresses. You enable IGMP per interface. The TMS zl Module also supports routing multicast traffic between TMS VLANs and across GRE tunnels. You must select the interface on which multicast routing is enabled.
The master manages the cluster, has an IP address on each TMS VLAN, and receives all traffic for data processing. The participant stands by in case the master fails. It has a virtual IP address on each TMS VLAN, which matches the real IP address for those VLANs on the master.
HA VLAN
HA cluster members communicate on the HA VLAN, which is configured on each member’s internal port 2. Each member has its own IP address on the HA VLAN. The default HA VLAN is VLAN 1.
Figure 1-21. Active-Standby Mode
HA Cluster Operation Rules
The TMS zl Modules in an HA cluster synchronize their connection state information by sending messages over the HA VLAN, which must be dedicated to HA traffic. The HA VLAN is configured on the modules’ internal port 2, which must be dedicated to HA traffic. The modules in an HA cluster can be installed in the same switch chassis or in different switch chassis.
Feature Interaction
This section explains how the TMS zl Module’s various capabilities work together to protect your network from threats.
Packet Flow on the TMS zl Module
Understanding how packets flow through the TMS zl Module helps you to understand how features interact.
Packet Flow in Routing Mode
In routing mode, the TMS zl Module applies features in this order:
1. VPN (decrypting incoming traffic)
2. Firewall attack checks
3.
Figure 1-22. Simplified Packet Flow through the TMS zl Module in Routing Mode
The complete process is as follows:
1. The TMS zl Module receives a packet on a VLAN that is tagged on its internal port 1. Remember how the packet is passed to the module:
a. When an endpoint needs to send a packet to another subnet, it addresses the encapsulating frame to the MAC address of its default router, the TMS zl Module.
• If the module detects an attack, it drops the packet.
• If the module does not detect an attack, the firewall continues to process the packet. See step 4.
4. The module determines whether the packet matches a pre-NAT port trigger or ALG. If the packet does, the module handles the packet as specified in the trigger or ALG.
5.
If the settings permit another connection, the module checks the connection limits for the packet’s zones. If these have been reached, the module drops the packet—unless a connection reservation has been made for it. If a connection is available for the packet, the module checks whether IPS is enabled for the policy. If IPS is enabled, the module forwards the packet to the IDS/IPS. See step 8. If IPS is not enabled, the module determines whether to apply NAT. See step 9.
ii. If a source NAT policy specifies multiple IP addresses for the NAT address, the module must assign the packet an IP address from that pool of addresses. If no addresses are available, the module drops the packet. The module then applies post-NAT checks. See step 10.
• If the packet does not match a policy, the module does not apply NAT. It creates a connection for the traffic, which specifies the source and destination IP addresses and ports.
• If the packet is part of such a tunnel (its forwarding interface is an L2TP PPP interface or the GRE tunnel interface), the module establishes the tunnel (if it has not yet been established). If the tunnel cannot be established, the module drops the packet. Otherwise, the module encapsulates the packet with a GRE or L2TP header. It then determines whether the packet must be sent over an IPsec tunnel as well. See step 13.
Figure 1-23. Traffic Flow in Routing Mode
When Device A wants to send traffic to Device C, the following steps occur:
1. Device A sends the frame to a TMS zl Module MAC address because the traffic requires routing and the module IP address on VLAN_7 is the device’s default gateway. The TMS zl Module might or might not have a unique MAC address for this IP address. See “TMS VLANs Rules” on page 1-9.
2. The host switch receives the frame on C1, which is untagged for VLAN_7.
If the destination device were not in a TMS VLAN, the destination zone would be the zone for the forwarding interface in the route to the destination.
5. In this example, the packet is permitted, so the TMS zl Module routes the packet to Device C. In this example, the route is a directly connected TMS VLAN (VLAN_13). Therefore, the module places Device C’s MAC address in the frame and forwards the frame on its data port, tagging it for VLAN_13.
Default Operation
You should understand how the TMS zl Module operates at factory defaults:
■ Default management settings
■ Default enabled capabilities
■ Default firewall access policies
Default Management Settings
At factory default settings, the TMS zl Module has no IP address. You must access the TMS zl Module CLI through the host switch CLI. In the CLI, you can enable remote management access:
■ For a module that you want to deploy in routing mode:
a.
You can then access the Web browser interface or the CLI through SSH. The default login settings for remote management access are:
■ Username = manager
■ Password = procurve
ProCurve recommends that you change the passwords as soon as possible.
Default Enabled Capabilities
By default, the TMS zl Module functions in routing mode. The following capabilities are enabled:
■ IDS
• Protocol anomalies are detected with the default settings.
■ Zone1-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Zone2-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Zone3-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Zone4-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Zone5-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Zone6-to-Self
• permit RIP any any
• permit OSPFIGP any any
■ Self-to-Internal
• permit RIP any any
• permit OSPFIGP any any
■ S
■ Self-to-Zone3
• permit RIP any any
• permit OSPFIGP any any
■ Self-to-Zone4
• permit RIP any any
• permit OSPFIGP any any
■ Self-to-Zone5
• permit RIP any any
• permit OSPFIGP any any
■ Self-to-Zone6
• permit RIP any any
• permit OSPFIGP any any
2 Initial Setup in Routing Mode
Contents
Overview ... 2-4
Routing Mode ... 2-4
Deploying the TMS zl Module ... 2-5
Select the Deployment Location ... 2-5
Perimeter Protection
Access the TMS zl Module Product OS Context ... 2-31
Option 1 ... 2-32
Option 2 ... 2-33
Configure Management Access ... 2-34
Configure Initial Settings
Ping Utility ... 2-87
Configure Firewall Access Policies to Allow ICMP Messages ... 2-87
Sending a Ping from the TMS zl Module ... 2-88
System Maintenance ... 2-90
Back Up the Startup-Config
Overview
This chapter provides instructions for the initial setup of the TMS zl Module in routing mode. Later chapters provide instructions for configuring specific features such as the firewall, IDS/IPS, and VPN. At this point, you should have decided which operating mode you want to use. (See “Operating Modes” in Chapter 1: “Overview.
When operating in this mode, the TMS zl Module has an IP address for each TMS VLAN, and endpoints in those VLANs use the TMS zl Module as their default gateway. In some TMS VLANs (such as those in the External zone), other routers might exist. These routers route traffic to the other TMS VLANs through the module.
■ Provide a site-to-site VPN tunnel between the corporate head office and branch offices
■ Provide a client-to-site VPN for the mobile workforce to connect to the corporate intranet
Figure 2-1.
Figure 2-2. Internal Deployment of the TMS zl Module
Both Perimeter and Internal Protection
A TMS zl Module can be deployed to provide both perimeter and internal security. Implementing both methods allows you to check both internal and external traffic.
Figure 2-3. Perimeter and Inside Deployment of the TMS zl Module
Plan the Zones
Zones are logical groupings of VLANs that have the same trust levels or security needs. You can create common firewall policies that apply to all members of a zone or to selected members of a zone.
Understanding TMS VLANs and Zones
The module supports two types of zones:
■ Self—The Self zone is a special zone inside the TMS zl Module that contains the module’s TMS VLAN IP addresses and addresses associated with destination NAT policies. All traffic that originates from the TMS zl Module comes from the Self zone. You cannot associate VLANs with the Self zone.
Management-Access Zones
You can enable management access on one zone, all zones, or no zones. Once you specify a zone as a management-access zone, the TMS zl Module automatically creates unicast access policies to permit management services between the selected zone and Self.
Table 2-1. Services Permitted from a Management-Access Zone to Self
ICMP/echo
snmp
bootpc
snmptrap
bootps
ssh
https
Table 2-2.
Zone Best Practices
Which zones you use will depend on both the size and security needs of your network. The following are a few best practices:
■ Use the External zone for VLANs that handle traffic to the Internet or another untrusted network.
■ Use DMZ for VLANs that contain publicly available resources such as Web services and FTP.
■ For an extremely simple network configuration, put all VLANs in the LAN in the Internal zone.
VLANs Not Assigned to a Zone
Often, your plan for zones calls for assigning every VLAN in your LAN to a zone. However, you can choose to have non-TMS VLANs. The host switch would typically be the default router for these VLANs. If you want devices in TMS VLANs to be able to reach these VLANs, choose one of them to be a TMS VLAN. Allow the switch to have an IP address on this VLAN.
Example Zone Design
Figure 2-5 shows some example zones as they might be configured on the TMS zl Module.
Figure 2-5. Example Zones
In Figure 2-5, VLAN_7 handles all of the wireless traffic, and it has been assigned to its own zone (Zone3). VLAN_3 and VLAN_5 are in the Internal zone, servers in VLAN_9 have been assigned to the DMZ zone, and the interface that handles all Internet and VPN traffic is in the External zone.
Figure 2-6. Zones Inside the TMS zl Module
Figure 2-6 shows the zones and VLANs from Figure 2-5 as they might be deployed in a network. Physical port 1, the data port, is tagged for all TMS VLANs. Port 2 will forward HA traffic to the other member of the cluster (if configured), but the IP address for port 2 is not in the Self zone. Port 2 is an untagged member of the HA VLAN.
Ready the Host Switch
After you install a TMS zl Module in a chassis slot in an HP ProCurve 5400zl or 8200zl Series switch, the switch recognizes the module by its ID. The switch names the module’s two internal ports as follows:
■ 1 = the data port
■ 2 = the port used for HA
For example, if the TMS zl Module is inserted into slot C, the ports will be called C1 and C2. By default, these ports are untagged for VLAN 1.
3. Determine whether to disable routing or not:
• Disable routing if the switch only has an IP address on its management VLAN.
• Leave routing enabled in these circumstances:
– The switch must route traffic for non-TMS VLANs.
– The switch will route external traffic for the TMS zl Module.
Access the Host Switch’s CLI
To begin the initial setup, you must first access the TMS zl Module through the host switch’s command-line interface (CLI), using one of the following access methods:
■ Console session
■ Telnet session
■ Secure Shell (SSH) session
To establish a console connection with the switch, use the serial cable that was shipped with the switch to connect a workstation to the switch.
NOTE
The ONE Services zl Module is a hardware platform that supports multiple applications, or products (for a list of these applications, visit www.hp.com/go/procurve). Recall that TMS also runs on a ONE zl Module even though the module is purchased as a TMS zl Module with the product software loaded at the factory.
Table 2-3. CLI Display of Services
Slot | Index | Description | Name
C, D, E | 1 | Services zl Module | services-module
C, E | 2 |
■ The index numbers assigned to products can change. For example, if a module is rebooted, the index number for the product or products that run on that module might change. Similarly, when a switch is rebooted or powered off and on, the index numbers can change.
■ A product is assigned only one index number even if more than one module runs that product.
You can always check the product index numbers by entering the show services command.
For now, you will access the Services OS context. Enter the following command from the switch’s manager-level or global configuration context:
Syntax: services <slot-id> <index-number>
Moves you to an OS context on the module. Replace <slot-id> with the letter for the chassis slot in which the module is installed. Replace <index-number> with 1. The Services OS context is always assigned index number 1.
3. Install the product license key on the TMS zl Module. See “Install the Product License Key” on page 2-24.
Obtain the Necessary IDs
Before you begin to register the TMS zl Module, you should obtain the two IDs that you need to complete the process successfully:
■ Product registration ID
■ Activation hardware ID
Product Registration ID.
Activation Hardware ID. The TMS zl Module can have two hardware IDs, as shown in Table 2-6. The TMS-subscription hardware ID only exists if you have purchased an IDS/IPS signature subscription.
Table 2-6.
Register the TMS zl Module
Once you have obtained the product registration ID and the activation hardware ID, you can complete the TMS zl Module registration process on the My ProCurve portal.
1. Open a Web browser and enter https://my.procurve.com in the address bar.
Figure 2-8. My ProCurve Sign In Window
2. Type your My ProCurve ID and Password in the appropriate fields.
Figure 2-9. Registering the TMS zl Module on the My ProCurve Portal
6. For Registration ID, type the product registration ID that is on the HP ProCurve Threat Management Services zl Module Registration and Licensing Card. Then, click Next.
7. For Enter Hardware ID, type the activation hardware ID and click Next.
8. Review the license agreement. Then select I agree to the license terms and click Next.
2. Install the product license key by typing the following command:
Syntax: licenses install activation <license-key>
Installs the product license key on the switch. Replace <license-key> with the product license key that was generated when you registered the TMS zl Module on the My ProCurve portal.
To register the IDS/IPS signature subscription, complete the following tasks. (Step-by-step instructions for each task are provided in the sections that follow.)
1. Obtain the subscription registration ID and the TMS-subscription hardware ID. For step-by-step instructions, see “Obtain the Necessary IDs” on page 2-26.
2. Enter the subscription registration ID and the TMS-subscription hardware ID on the My ProCurve portal.
Figure 2-10. HP ProCurve Threat Management Services x-Year IDS/IPS Subscription Registration Card
TMS-Subscription Hardware ID. To obtain the TMS-subscription hardware ID, complete the following steps:
1. Access the host switch’s CLI.
2.
You are now in the Services OS context, and you should see a prompt that is similar to the following:
hostswitch(services-module-C:HD)#
3. Display the TMS-subscription hardware ID by entering the following command in the TMS zl Module’s Services OS CLI.
Syntax: licenses hardware-id tms-subscription
Displays the hardware ID for the IDS/IPS signature subscription.
4. Record the TMS-subscription hardware ID. (You may want to copy this hardware ID to a text file.
3. Click My Licenses.
4. Click Device Software License.
5. For Registration ID, type the subscription registration ID that is on the HP ProCurve Threat Management Services x-Year IDS/IPS Signature Subscription Registration Card. Then, click Next.
Figure 2-12. My Licenses Window on the My ProCurve Portal
6. For Hardware ID, type the TMS-subscription hardware ID and click Next.
7. Review the license agreement.
license key.) When your TMS zl Module attempts to download signatures, the ProCurve signature server will recognize that your module has a valid IDS/IPS signature subscription and allow it to download the signatures. You are now ready to boot the TMS zl Module to the Product OS, as described in the next section.
For example, if the TMS zl Module is in slot C, you would enter:
hostswitch# show services c
hostswitch# repeat
You will continue to see updated output for the show services command. The following shows an example of the output you might see. The Current status information will vary, depending on the progress of the boot process.
Status and Counters - Services Module C Status
HP Services zl Module J9154A
Versions : A.01.
Option 1
You can access the Product OS by typing the index number associated with the TMS zl Module. Use the following command, entered from either the switch’s manager-level or global configuration context:
Syntax: services <slot-id> <index-number>
Moves you to an OS context on the module. Replace <slot-id> with the letter for the chassis slot in which the module is installed.
The prompt should look like the following:
hostswitch(tms-module-C)#
You can now set up management access on the TMS zl Module so that you can begin to configure the product’s features.
Option 2
Alternatively, you can access the Product OS context by specifying the product name for the TMS zl Module. This name never changes.
Configure Management Access
This section explains how to configure management access on the TMS zl Module, as well as how to navigate the module’s Web browser interface.
Configure Initial Settings
Before you can access the Web browser interface and begin configuring the TMS zl Module, you must configure some initial settings. Specifically, you must access the CLI and complete these tasks:
■ Enable management access on a zone.
Initial Setup in Routing Mode Configure Management Access 4. Enable management access from a zone: Syntax: management zone Enables management access from a zone. Replace with the zone from which you want to permit management traffic to the module.
Initial Setup in Routing Mode Configure Management Access 5. Associate a VLAN with the management-access zone: Syntax: vlan zone Associates a VLAN with a zone. Replace with the number of a VLAN to associate with the zone. Replace with the name of a zone. When you first set up management access for the module, associate your management workstation’s VLAN with the management-access zone that you just enabled.
Initial Setup in Routing Mode Configure Management Access 6. Configure an IP address for the TMS zl Module on that VLAN: Syntax: vlan ip address Configures a static IP address for VLAN. Replace with the IP address for the module on that VLAN. Replace with the subnet mask in dotted-decimal format. For example: hostswitch(tms-module-C:config)# vlan 5 ip address 10.1.5.99 255.255.255.
Figure 2-14. Routing Internal-to-External Traffic through the Module
• If the module’s host switch is the default gateway, this VLAN is typically the VLAN on which the host switch connects to the external router. Make sure that the switch has an IP address on that VLAN. For example, in Figure 2-15, the host switch connects to the external router on VLAN99 (subnet 10.1.99.0/24).
If necessary, configure the VLAN on the host switch so that the TMS zl Module can reach the default gateway on the correct VLAN.

9. If the default gateway is on the VLAN you have already added to the management-access zone, skip this step and continue with step 10. Otherwise, complete this step.
a.
For example:
hostswitch(tms-module-C:config)# vlan 99 ip address 10.1.99.99 255.255.255.0

10. Define a default gateway:
Syntax: ip route 0.0.0.0/0 [metric ] [distance ]
Sets a default gateway for the module. Replace with the IP address of the default gateway for the module. If you use the metric option, replace with the metric for the route (1 to 255).

For example, you might enter:
hostswitch(tms-module-C:config)# ping 10.1.99.101
PING 10.1.99.101 (10.1.99.101) 56(84) bytes of data.
64 bytes from 10.1.99.101: icmp_seq=1 ttl=255 time=1.54 ms
64 bytes from 10.1.99.101: icmp_seq=2 ttl=255 time=0.515 ms
64 bytes from 10.1.99.101: icmp_seq=3 ttl=255 time=0.526 ms
b.

12. Save the configuration on the TMS zl Module:
Syntax: write memory
Saves the running-config to the startup-config.
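The following is an added example, not HP's code, that assembles the CLI sequence for steps 4 through 12 above and checks the plan before anything is typed into the module: the default gateway must sit on the subnet of a VLAN the module has an address on, the gateway VLAN (if it differs from the management VLAN) needs its own zone and address, and metric and distance must be within the 1 to 255 range the ip route syntax gives. Command shapes follow the syntax summaries on this page, but the placeholder order inside each command, the zone names and all addresses are assumptions.

```python
"""Build and sanity-check the CLI sequence for initial management access
on a TMS zl Module in routing mode (steps 4 to 12 above).

Added example, not HP's code. Command shapes follow the syntax summaries
on this page; the placeholder order within each command, the zone names
and all addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MgmtSetup:
    mgmt_zone: str                  # zone from which management traffic is permitted
    mgmt_vlan: int                  # management workstation's VLAN
    mgmt_ip: str                    # module IP address on that VLAN
    mgmt_mask: str                  # dotted-decimal subnet mask
    gateway: str                    # default gateway IP address
    gw_vlan: Optional[int] = None   # VLAN the gateway is on, if not the management VLAN
    gw_zone: Optional[str] = None   # zone for that VLAN (typically the External zone)
    gw_ip: Optional[str] = None     # module IP address on the gateway VLAN
    gw_mask: Optional[str] = None
    metric: int = 1
    distance: int = 1


def _iface(ip: str, mask: str) -> ipaddress.IPv4Interface:
    # ipaddress accepts a dotted-decimal mask after the slash
    return ipaddress.IPv4Interface(f"{ip}/{mask}")


def validate(s: MgmtSetup) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems: List[str] = []
    for v in (s.mgmt_vlan, s.gw_vlan):
        if v is not None and not 1 <= v <= 4094:
            problems.append(f"VLAN {v} is out of range")
    if not 1 <= s.metric <= 255:
        problems.append("metric must be 1 to 255")
    if not 1 <= s.distance <= 255:
        problems.append("distance must be 1 to 255")
    try:
        mgmt = _iface(s.mgmt_ip, s.mgmt_mask)
        gw = ipaddress.IPv4Address(s.gateway)
    except ValueError as exc:
        return problems + [f"bad address: {exc}"]
    if s.gw_vlan is None or s.gw_vlan == s.mgmt_vlan:
        # step 9 skipped: the gateway must be reachable on the management VLAN
        if gw not in mgmt.network:
            problems.append("gateway is not on the management VLAN subnet")
    else:
        if not (s.gw_zone and s.gw_ip and s.gw_mask):
            problems.append("gateway VLAN needs a zone, an IP address and a mask")
        else:
            try:
                gwif = _iface(s.gw_ip, s.gw_mask)
            except ValueError as exc:
                return problems + [f"bad gateway VLAN address: {exc}"]
            if gw not in gwif.network:
                problems.append("gateway is not on the gateway VLAN subnet")
            if gwif.network.overlaps(mgmt.network):
                problems.append("management and gateway VLAN subnets overlap")
    return problems


def build_commands(s: MgmtSetup) -> List[str]:
    """Commands for the module's config context, in the order of steps 4 to 12."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [
        f"management zone {s.mgmt_zone}",                            # step 4
        f"vlan {s.mgmt_vlan} zone {s.mgmt_zone}",                     # step 5
        f"vlan {s.mgmt_vlan} ip address {s.mgmt_ip} {s.mgmt_mask}",   # step 6
    ]
    if s.gw_vlan is not None and s.gw_vlan != s.mgmt_vlan:           # step 9
        cmds += [
            f"vlan {s.gw_vlan} zone {s.gw_zone}",
            f"vlan {s.gw_vlan} ip address {s.gw_ip} {s.gw_mask}",
        ]
    cmds += [
        f"ip route 0.0.0.0/0 {s.gateway} metric {s.metric} distance {s.distance}",  # step 10
        f"ping {s.gateway}",                                          # step 11: confirm reachability
        "write memory",                                               # step 12
    ]
    return cmds
```

The VLANs and addresses also have to exist on the host switch, which this check cannot see; it only catches plans that are internally inconsistent.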
Note
If you are running Firefox 3, ensure that you have an ActiveX plug-in; otherwise, some of the features in the Help Files will not function.

The TMS zl Module has a self-signed digital certificate under the name ProCurve.
d. Click OK.
2. Type https:// followed by your module’s IP address in the address field. The following warning is displayed.
Figure 2-17. Firefox 3 Certificate Security Warning
3. Click I Understand the Risks.
4. Click Add Exception. The Add Security Exception window is displayed.
Figure 2-18. Add Security Exception Window
5. Click Get Certificate. The window updates to tell you that the certificate belongs to a different site.
6. Click Confirm Security Exception. The TMS zl Module login window is displayed.

Internet Explorer 7 or 8
1. Enable JavaScript.
a. In your browser, click Tools > Internet Options.
b. Click the Security tab.
c.
Figure 2-19. IE Internet Options Window
d. Click Custom Level. The Security Settings—Zone window is displayed.
Figure 2-20. IE Security Settings—Zone Window
e. Scroll down to the Scripting section and click Enable for Active Scripting. Then click OK.
f. Click OK again.
2. Type https:// followed by your module’s IP address in the address field. A warning is displayed.
Figure 2-21.
3. Click Continue to this website (not recommended). The TMS zl Module’s login window is displayed.

Log in to the TMS zl Module Web Browser Interface
When you gain access to the Web browser interface login window, you are prompted to enter a username and password. (See Figure 2-22.)
Figure 2-22. Web Browser Interface Login Window
For User Name, type manager. For Password, type the default password: procurve.
When you use the Web browser interface to configure the TMS zl Module, your changes will apply to the module’s running-config and startup-config as follows:
■ Running configuration—When the TMS zl Module loads the saved configuration, all of the settings become the running configuration, which is held in RAM. When you apply configuration changes in the Web browser interface, these changes become part of the running configuration as well.

When your changes are saved, you will see this message near the top of the window:
Figure 2-24. Changes Saved to NVRAM
Note
If you click Save before applying the configuration changes, your changes may not be applied or saved. Make sure that you apply the configuration changes before you click Save.

Figure 2-25. Icons (Delete, Edit, Move, Move Left, Move Right)
■ Click the Delete icon to remove a policy or named object.
■ Click the Edit icon to edit a policy or named object.
■ Click the Move icon to change the priority of a policy.
■ Click the Move Left icon to remove an object from an object group.
■ Click the Move Right icon to add an object to an object group.

Table 2-9. Field Information in the Summary Tab on the TMS zl Module Dashboard
Field | Description | How to Configure
System Information
Hostname | User-defined module name (maximum of 30 ASCII characters). | System > Settings > General
Connections | Number of connections into and out of the zone. See the “Note” that follows this table. | n/a
Limit | Maximum number of connections permitted for that zone. See “Connection Reservation Concepts” in Chapter 4: “Firewall.” | Firewall > Settings > Connection Allocations

Note
The connections listed in the Firewall section include both passive and active connections. Passive connections are how the firewall reserves connections for ALGs and configured reservations.
Integrate with PCM+
You can manage the TMS zl Module through HP ProCurve Manager Plus (PCM+) just as you can manage any other network device. To manage your module through PCM+, you must configure a few settings on the TMS zl Module first:
1. Associate the PCM+ server’s VLAN with a zone, preferably a management-access zone. (See “Plan the Zones” on page 2-8.)
2.

Figure 2-26. Network > Zones > Management Access Window
2. Select the check boxes for the zones from which you want to permit management traffic to the module. Conversely, clear the check boxes for the zones where you want to deny management access.
3. Click Apply My Changes.

Table 2-11. Services Permitted from a Management-Access Zone to Self
ICMP/echo, bootpc, bootps, snmp, snmptrap, ssh, https
Table 2-12. Services Permitted from Self to a Management-Access Zone
bootpc, bootps, dns-tcp, dns-udp, ftp, http, https, ICMP/echo, radius, radius-acct, smtp, snmp, snmptrap, ssh, syslog, tftp
You can delete or modify these policies to further restrict access to the module’s management interface.

Configure the Default Gateway
The default gateway is typically an external router but can also be the host switch or a core switch. Typically, the TMS zl Module connects to its default gateway on a VLAN in the External zone because this zone provides special protections designed for untrusted Internet traffic. However, you can associate the VLAN of the TMS zl Module’s default gateway with any zone that you choose.
6. For Metric, type the cost that you want to assign to the route (0 to 255). If you want this route to be less preferred than another default route, assign it a higher metric.
7. For Distance, type the administrative distance that you want to assign to this route (1 to 255). If you want this route to be less preferred than another default route, assign it a higher administrative distance.

• Click Reboot without saving to reboot the TMS zl Module without saving any changes that have not yet been saved.
Whichever choice you make, the TMS zl Module reboots in the new operating mode with the last configuration made for that operating mode. If the module has not been configured in this operating mode before, it is booted at the factory default settings.

2. From the User list, select manager (read/write) or operator (read only).
3. For Old password, type the current password. The default passwords are: manager = procurve; operator = operator.
4. For New password and Confirm new password, type a new password for the user. The new password cannot have more than 14 characters.
5. Click Apply My Changes.
Note
The operator cannot change passwords. Operator is read-only in all windows.
6.

You must also specify the external RADIUS server that will authenticate management users:
1. Click the RADIUS tab.
Figure 2-31. Network > Authentication > RADIUS Window
2. Under RADIUS Settings, for Authentication Protocol, select the protocol that the TMS zl Module uses to communicate with all of your RADIUS servers. Options include:
• MS-CHAPv1
• CHAP
• PAP
3. Click Add RADIUS Server. The Add RADIUS server window is displayed.
Figure 2-32. Add RADIUS server Window
4. In the Server Address field, type the IP address or FQDN of your RADIUS server. The port is always 1812.
5. In the Secret and Confirm Secret fields, type the shared secret for your RADIUS server.
6. In the NAS Identifier field, type the NAS ID associated with the module. The default NAS Identifier is the module’s hostname.
You may choose to leave this field blank. When you leave the Domain Name field blank, the TMS zl Module assigns the RADIUS server to the global domain. Then, when users log in using the TMS zl Module's login page, they simply enter their username. They do not need to include a domain name.

• It sets the following AVP for the connection: Service-Type = Administrative.
■ To authenticate operator users, the RADIUS server requires a policy that meets these criteria:
• It selects RADIUS requests according to any of the attributes shown in Table 2-13; again, the group to which operators belong is a common choice for the criteria.

3. Verify that for Cluster Scheme, None is selected.
Figure 2-33. System > Settings > High Availability Window
4. Under HA IP Configuration, configure the following:
a. For VLAN ID, type the number of an unused VLAN. This VLAN must be configured on the host switch.
b. For IP Address and Subnet Mask, type an IP address and subnet mask on that VLAN.
5. Click Apply My Changes.
6. Click Save.
Configure DNS
To configure the DNS server settings, complete the following steps:
1. Click Network > Settings > General.
2. For Primary Server, type the IP address of your primary DNS server.
3. Optionally, for Secondary Server, type the IP address of your secondary DNS server. If you do not have a secondary DNS server, leave this field blank.
4. For Domain Suffix, type the suffix of your DNS domain name.
Figure 2-34.

■ SNMP traps—The module can forward SNMP traps to one or more SNMP servers, such as ProCurve Manager Plus (PCM+).

2. Select is for the type of filter.
3. Select Minor for the filter severity.
4. Click Apply filter. Only events with minor severity are displayed on the window.
5. Under Table Columns, select or clear the options that you want to include in the logging display.
To export a copy of the local log, click the Export log link in the bar above the logged events. Your browser will save the .tgz file according to browser settings. The .

zl Module must devote more time to logging messages. The information setting is particularly processor-intensive and could degrade the module’s performance. As soon as you complete your troubleshooting, you should return the severity level to its default setting of critical.

Log Throttling. Log throttling (which is enabled by default) prevents the module from logging duplicate messages for the same event.

3. Configure the throttling setting:
• To suppress duplicate event logs, select the Enable Throttling check box.
• To have the TMS zl Module log all events, including identical ones, clear the Enable Throttling check box.
4. If you have enabled throttling, in the space provided, type the number of duplicate messages that you want to occur before a tally message is forwarded.
Figure 2-37. Duplicate Message Text Box
5.
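A model of the throttling behaviour just described, added here as an example rather than HP's own logic: the first occurrence of an event is forwarded, identical follow-ups are counted and dropped, and a tally message is forwarded once the configured duplicate count is reached. The sample events, the (severity, message) key used to decide what counts as a duplicate, and the tally wording are all constructed.

```python
"""Model of log throttling as described above: duplicates of an event are
suppressed and a tally message is forwarded after a configured number of
them. Added example, not HP's code; the module's exact duplicate key and
tally wording are not documented here, so both are constructed."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample feed: (severity, message) pairs in arrival order.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("minor", "Access policy 7 denied tcp 10.1.5.20 -> 10.1.99.8 port 23"),
    ("minor", "Access policy 7 denied tcp 10.1.5.20 -> 10.1.99.8 port 23"),
    ("critical", "IDS signature match from 10.1.99.50"),
    ("minor", "Access policy 7 denied tcp 10.1.5.20 -> 10.1.99.8 port 23"),
    ("minor", "Access policy 7 denied tcp 10.1.5.20 -> 10.1.99.8 port 23"),
    ("minor", "Access policy 7 denied tcp 10.1.5.20 -> 10.1.99.8 port 23"),
    ("critical", "IDS signature match from 10.1.99.50"),
]


class LogThrottler:
    """Suppress repeated events, keyed on (severity, message)."""

    def __init__(self, enabled: bool = True, duplicates_before_tally: int = 3) -> None:
        if duplicates_before_tally < 1:
            raise ValueError("duplicate count must be at least 1")
        self.enabled = enabled
        self.threshold = duplicates_before_tally
        # duplicates seen since the last forwarded line, per event key
        self._suppressed: Dict[Tuple[str, str], int] = {}

    def process(self, severity: str, message: str) -> List[str]:
        """Return the lines forwarded for this event: one line or none."""
        line = f"{severity}: {message}"
        if not self.enabled:
            return [line]                   # throttling off: every event is logged
        key = (severity, message)
        if key not in self._suppressed:
            self._suppressed[key] = 0       # first sighting is always logged
            return [line]
        self._suppressed[key] += 1
        if self._suppressed[key] == self.threshold:
            self._suppressed[key] = 0       # tally forwarded; count starts again
            return [f"{severity}: last message repeated {self.threshold} times: {message}"]
        return []                           # duplicate suppressed

    def pending(self) -> Dict[Tuple[str, str], int]:
        """Duplicates counted but not yet reported in a tally."""
        return {k: v for k, v in self._suppressed.items() if v}


def run_feed(events: Iterable[Tuple[str, str]], enabled: bool = True,
             duplicates_before_tally: int = 3) -> List[str]:
    """Push a whole feed through one throttler and collect the forwarded lines."""
    throttler = LogThrottler(enabled, duplicates_before_tally)
    forwarded: List[str] = []
    for severity, message in events:
        forwarded.extend(throttler.process(severity, message))
    return forwarded
```

Duplicates that are still pending when you read the log have not been forwarded anywhere, so a count of, say, denied connections taken from a syslog server has to be rebuilt from the tally messages rather than from individual lines.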
Configure Email Forwarding
To forward event logs to email accounts, click System > Logging and click the Email Forwarding tab.
Figure 2-39. System > Logging > Email Forwarding Window
1. Select the Enable email forwarding check box.
2. For Email Server, type the IP address or FQDN of the email server.
3. For From Email Address, type the email address that will appear in the From field of the email message.

Configure Syslog Forwarding
To forward event logs to a syslog server, click System > Logging and click the Syslog Forwarding tab. You can add up to three entries.
Figure 2-40. System > Logging > Syslog Forwarding Window
1. Select the Enable syslog forwarding check box.
2. Click Add Syslog Server. The Add Syslog Server window is displayed.
Figure 2-41. Add Syslog Server Window
3. For Address, type the IP address or FQDN of the syslog server.
Configure SNMP Traps
SNMP traps are unsolicited messages that are sent by managed devices to alert you about specific events. For example, you can use PCM+ to manage the TMS zl Module by specifying PCM+ as a trap destination. The TMS zl Module supports the standard MIB-II, the IF-MIB, and a proprietary MIB that is particular to the operation of the TMS zl Module.

Figure 2-43. Add SNMPv2 Destination Window
2. For Server Address, type the IP address or FQDN of the SNMP server. For example, if you are using PCM+, you would enter the IP address or FQDN of the server running PCM+.
3. For Community Name, type the read-write (unrestricted) community name. You must enter the read-write community name that is configured on the SNMP server.
4. Click OK.
5. Click Save.

Figure 2-44. Add SNMPv3 Destination Window
2. For Server Address, type the IP address or FQDN of an SNMPv3 server. For example, if you are using PCM+, you would enter the IP address or FQDN of the server running PCM+.
3. For Username, type a username for the SNMPv3 account that will be used with this trap destination. The username must match a username in an account on the SNMPv3 server.
If you want to add more SNMPv3 trap receivers, repeat these steps. Use the Edit and Delete icons in the Tools column to modify or remove a trap receiver.

Configure SNMP
The TMS zl Module allows some remote management through SNMPv1/v2c or SNMPv3. For example, you can configure SNMP so that the module can be managed by PCM+.
■ Private
• Role = Manager
• Write Access = Unrestricted
You can change the names, roles, and write access of the default communities, or you can add new communities. Editing and adding a community are much the same process. Follow these steps:
1. Complete one of these two steps:
• To edit one of the default communities, click the Edit icon in the Tools column for the community that you want to edit.
Figure 2-46.
5. Click OK.
6. Click Save.
If you want to add more SNMPv1/v2 communities, repeat these steps.
Note
Remember: if you choose to add new communities rather than edit the default communities, the default communities will continue to allow access unless you delete them. To delete a community, click the Delete (X) icon in the Tools column for that community.

SNMPv3
To configure SNMPv3 settings, complete the following steps:
1.
5. For Authentication Protocol, select the protocol specified for the account on the SNMPv3 server: MD5 or SHA-1.
6. For Authentication Passphrase, type the authentication passphrase for the account. The passphrase must be between 8 and 265 characters (special or alphanumeric).
7. For Privacy Protocol, select the privacy protocol used for the account: None, DES, or AES. For the manager role, you must configure privacy settings.
Configure Zones
The TMS zl Module has 10 zones. (For information on zones, see “Plan the Zones” on page 2-8.) If you want, you can rename 8 of these zones according to your needs. See “Rename a Zone” on page 2-81. If you want the TMS zl Module to use a zone, you need to associate at least one VLAN with it. This VLAN then becomes a TMS VLAN. You can create up to 256 TMS VLANs. Each TMS VLAN is in one and only one zone.

Figure 2-49. Network > Zones > Names Window
3. Click Apply My Changes.
4. Click Save.

Associate a VLAN with a Zone
To associate a VLAN with a zone, follow these steps:
1. Click Network > Zones > VLAN Associations.
Figure 2-50.
2. Click Add VLAN Association. The Add VLAN Association window is displayed.
Figure 2-51. Add VLAN Association Window
3. In the Select a VLAN section, select a VLAN. The TMS zl Module automatically detects the VLAN settings of its host switch. The VLANs in the list are VLANs that are configured on the host switch and that have not already been associated with a zone.
6. If the host switch must have an IP address on this VLAN, select the Allow switch to have IP address check box.
Note
It is recommended that the host switch not have an IP address on a TMS VLAN if Layer 3 routing is enabled on the host switch. Inter-VLAN traffic must be routed through the TMS zl Module instead of being routed directly by the switch.

Follow these steps to configure DHCP relay:
1. Click Network > Settings and click the DHCP Relay tab.
Figure 2-52. Network > Settings > DHCP Relay Window
2. For Message relay, select On.
3. Specify up to four DHCP servers. To start, type the IP address for DHCP Server 1.
4. The Relay messages for selected VLANs list displays all of your TMS VLANs. Select the check box next to each VLAN for which you want to enable DHCP relay.
6. Click Save.
If you enable DHCP relay, you may need to create firewall access policies to permit the DHCP traffic. The figure below shows that four access policies are needed to allow DHCP relay from one VLAN to another. (The access policies are necessary whether the client and server are in the same zone or different zones.)
1. Client to Self — Permit bootps
2. Self to server — Permit bootps
3. Server to Self — Permit bootps
4.
Ping Utility
Before you get your network up and running, you will likely want to check connectivity. This is most easily done by sending a ping from one workstation to another. You must configure firewall access policies to allow ICMP echo messages before you can use ping messages.

Figure 2-54. Add Policy Window
10. Click Apply, and then click Close.

Sending a Ping from the TMS zl Module
To ping an IP address or hostname, complete the following steps:
1. Click System > Utilities > Ping.
2. For Hostname/IP Address, type the hostname or IP address of the device you are trying to reach.
3. For Repetitions, select the number of ping messages you want the module to send.
Figure 2-55. System > Utilities > Ping Window
5. Click Ping. The results of the ping are displayed in the Results field.
Note
When you have finished testing connectivity, you should delete the access policies that permit ICMP Echo traffic.
System Maintenance
This section teaches you how to complete these system maintenance tasks on the TMS zl Module:
■ Save the current startup-config to an external drive. See “Back Up the Startup-Config” on page 2-90.
■ Restore the startup-config to a previously saved configuration. See “Restore to a Previously Saved Configuration” on page 2-91.
■ Erase the startup-config and return to factory default settings (retaining any existing IDS/IPS signatures).

Figure 2-56. System > Maintenance > Back Up/Restore Window
2. Click Back Up and follow the prompts to save the startup-config file to a selected directory.
Note
It is sometimes a good idea to name the configuration file after the date on which it was saved. For example, if the configuration was saved on November 3, 2009, name it 2009-11-03.cfg. The saved configuration file is encrypted.

Erase the Startup-Config and Return to Defaults
You can erase the startup configuration. This action erases your configuration changes and returns the settings to factory defaults. However, your IDS/IPS signatures are retained. You can erase the startup configuration from two places:
■ Web browser interface
■ CLI Product OS
If you are unable to access the Web browser interface, you can use the CLI Product OS to restore the module’s IP settings.

Erase the Startup Configuration from the CLI Product OS
You can erase the startup configuration from the Product OS context by following these steps:
1. Access the TMS zl Module Product OS in one of the following two ways:
• Through the host switch CLI:
i. Access the host switch CLI and enter the manager context.
ii. Enter the Product OS context for the TMS zl Module:
Syntax: services
Moves you to an OS context on the module.

Restore to Factory Default Settings (Including IDS/IPS Signatures)
Instead of erasing the startup-config to return to factory default settings, you can return to these settings by uninstalling and then reinstalling the software image. With this method, you lose all of your IDS/IPS signatures as well as all of your settings. After restoring factory defaults, you will need to reconfigure your module settings and download the IDS/IPS signatures again.

For example:
hostswitch(services-module-C:HD)# show images
--------Image Repository--------
1) ST.3.2.090315
2) ST.3.3.090821
3) ST.3.4.091103
6. If the latest software image is not in the image repository, follow steps 1 through 9 in “Update the Software with a USB Drive” on page 2-101 to transfer the image folder to the module.
7. Uninstall the current product software:
Syntax: uninstall product
Uninstalls the current TMS zl Module software.

9. When the installation has finished, boot the Product OS:
Syntax: boot product
Boots the Product OS. For example:
hostswitch# boot product
System will be rebooted. Do you want to continue [y/n]?
Rebooting
The module is now restored to the factory default settings. In addition, any existing IDS/IPS signatures have been erased.

Update the Module Software
The software for the module can be updated through the Web browser interface or the CLI.

d. File Name—Type the name of the image file, including the extension, for example, ST.3.2.091103.zip. Remember to include the path to the file if it is in a subdirectory.
If you select TFTP:
a. Server IP—Type the IP address of the TFTP server in dotted-decimal format.
b. File Name—Type the name of the image file, including the extension, for example, ST.3.2.091103.zip. Remember to include the path to the file if it is in a subdirectory.

■ A USB drive. See “Update the Software with a USB Drive” on page 2-101.

Update the Software from an FTP or SCP Server.
To update the module software using an FTP or SCP server, do the following:
1. Transfer the compressed image onto an FTP or SCP server.
2. Access the TMS zl Module Product OS in one of the following two ways:
• Through the host switch CLI:
i. Access the host switch CLI and enter the manager context.
ii.
3. Copy the image from the server and install it.
Syntax: copy image user
Copies and installs a TMS zl Module software image from an FTP or SCP server. Replace with the IP address of the server. Replace with the path and filename of the software image, including the .zip extension.

ii. Enter the Product OS context for the TMS zl Module:
Syntax: services
Moves you to an OS context on the module. Replace with the letter for the chassis slot in which the module is installed. Replace with the index number that your particular switch has assigned the TMS zl Module.
• Through SSH:
i. Open an SSH client on a management workstation in a management-access zone.
ii.
4. The image is uploaded to the module, then automatically installed. When the prompt says that the installation is finished, reboot the module to complete the update.
hostswitch(tms-module-C)# boot

Update the Software with a USB Drive.
To update the software image using a USB drive, do the following:
1. Extract the compressed software image.
2. Transfer the extracted image folder onto a USB drive in a directory called /services/images.
For example, if the image directory name is ST.3.2.090311, you would type:
hostswitch(services-module-C:HD)# usb copyfrom ST.3.2.090311
You can type the first few letters of the directory name, then press [Tab] to complete the name. You might need to add the last few characters of the directory name if the USB drive contains more than one image.
10. Update the software.
Syntax: update product
Updates the module software.
3 Initial Setup in Monitor Mode
Contents
Overview . . . 3-3
Monitor Mode . . . 3-4
Deployment in Monitor Mode . . . 3-5
On the Perimeter . . . 3-6
Inside the LAN . . .
Configure the Module’s Management Settings . . . 3-39
Configure the Default Gateway . . . 3-40
Select the Operating Mode . . . 3-41
Change the Passwords . . . 3-42
Configure RADIUS Authentication for Management Users (Optional) . . .
Initial Setup in Monitor Mode Overview Overview This chapter provides instructions for the initial setup in monitor mode. At this point, you should have decided which operating mode you want to use. (See “Operating Modes” in Chapter 1: “Overview.
Initial Setup in Monitor Mode Overview Figure 3-1. Logical Remote Mirroring Operation of the TMS zl Module in Monitor Mode When a 5400zl or 8200zl switch receives traffic that has been selected for mirroring (whether by its port or VLAN), it both forwards the traffic toward its destination and sends a copy of the traffic in a mirror session to the module’s host switch.
Initial Setup in Monitor Mode Deploying the TMS zl Module Deploying the TMS zl Module This section includes guidelines for deploying your TMS zl Module: ■ Selecting the deployment location ■ Readying the host switch Selecting the Deployment Location In monitor mode, the module operates as a traditional offline IDS, which analyzes traffic that is mirrored to it.
Initial Setup in Monitor Mode Deploying the TMS zl Module The sections below present several typical deployments of a TMS zl Module operating in monitor mode. At the Perimeter The TMS zl Module in monitor mode can be deployed at the perimeter to monitor traffic routed to and from an external network, such as the Internet or a remote office. The key reason to deploy the TMS zl Module in monitor mode at the perimeter is to detect attacks from the Internet.
Initial Setup in Monitor Mode Initial Setup Ready the Host Switch After you install a TMS zl Module in a chassis slot in an HP ProCurve 5400zl or 8400zl Series switch, the switch recognizes the module by its ID. The switch names the modules two internal ports as follows: ■ Port 1—This port is used for data, which, in monitor mode, is mirrored traffic that is to be analyzed by the module’s IDS. ■ Port 2—This port is used for management traffic.
Initial Setup in Monitor Mode Initial Setup To establish a serial connection with the switch, use the serial cable that was shipped with the switch to connect a workstation to the switch.
Initial Setup in Monitor Mode Initial Setup At this point, you should take note of the following information, which you will need to access the TMS zl Module CLI: ■ The slot for your TMS zl Module In this example, two TMS zl Module are in installed, one in slot C and one in slot E, as you can see in the Slot column for the row with Threat Management Services zl Module for the Index Description.
Initial Setup in Monitor Mode Initial Setup Table 3-3 shows another example of the output for the show services command. In this example, two TMS zl Modules and a ONE Services zl Module running Data Center Connection Manager (DCM) are installed on the switch. The module running DCM booted first so it was assigned index number 2. The TMS zl Modules booted later, so they were assigned index number 3. Table 3-3. Slot CLI Display of Services Example 2 Index Description Name C,D, E 1.
You are now in the Services OS context, and you should see a prompt similar to the following:
hostswitch(services-module-C:HD)#
The "HD" indicates that you are in the Services OS context and that the TMS zl Module is booted to the Services OS. The TMS zl Module can be booted to either the Services OS or the Product OS.
Product Registration ID. When you purchased the TMS zl Module, an HP ProCurve Threat Management Services zl Module Registration and Licensing Card was included in the box. As shown in Figure 3-3, a product registration ID is printed on the front of this Registration and Licensing Card. You will need this product registration ID when you register the TMS zl Module.
Activation Hardware ID. The TMS zl Module has two hardware IDs, as shown in Table 3-4.
Table 3-4. Hardware IDs
■ Activation hardware ID—Used to register the TMS zl Module and generate a product license key.
■ TMS-subscription hardware ID—Used to register an IDS/IPS signature subscription (if you have purchased a subscription).
To activate the TMS zl Module, you need the activation hardware ID.
Register the TMS zl Module
Once you have obtained the product registration ID and the activation hardware ID, you can complete the TMS zl Module registration process on the My ProCurve portal.
1. Open a Web browser and enter https://my.procurve.com in the address bar.
2. Type your My ProCurve ID and Password in the appropriate fields.
• Boot the TMS zl Module to the Product OS so that you can begin configuring the product. (You can register the IDS/IPS signature license later.) See "Boot the TMS zl Module to the Product OS" on page 3-20.
Obtain the Necessary IDs
Before you begin to register an IDS/IPS signature subscription, you should obtain the subscription registration ID and the TMS-subscription hardware ID you need to complete the process successfully.
Subscription Registration ID. If you purchased an IDS/IPS signature subscription, you received an HP ProCurve Threat Management Services x-Year IDS/IPS Subscription Registration Card.
2. From the host switch's manager-level context, enter the TMS zl Module's Services OS context:
Syntax: services <slot> 1
Moves you to the Services OS context. Replace <slot> with the letter of the chassis slot in which the module is installed.
You are now in the Services OS context, and you should see a prompt similar to the following:
hostswitch(services-module-C:HD)#
3.
Enter the IDs on the My ProCurve Portal
To activate your license and register an IDS/IPS signature subscription, complete the following steps.
1. Open a Web browser and type https://my.procurve.com in the address bar.
Figure 3-5. My ProCurve Sign In Window
2. Type your My ProCurve ID and Password in the appropriate fields and click Sign In.
3. Click My Licenses.
Figure 3-6. My Licenses Window on the My ProCurve Portal
6. For Hardware ID, type the TMS-subscription hardware ID and click Next.
7. Review the license agreement. Then select I agree to the license terms and click Next.
8. Configure your license expiration notification setting, which determines when ProCurve will notify you that your subscription is due to expire. You can select one or more of the following settings:
9.
setup, installing the license is sufficient. You will learn how to download signatures in "Download Signatures" in Chapter 6: "Intrusion Detection and Prevention."
Boot the TMS zl Module to the Product OS
You are now ready to boot the TMS zl Module to the Product OS. Complete the following steps:
1. From the Services OS context, enter:
Syntax: boot product
Boots the Product OS.
2. When asked if you would like to reboot the module, type y.
You will continue to see updated output for the show services command. The following shows an example of the output you might see. The Current status information will vary, depending on the progress of the boot process.
Status and Counters - Services Module C Status
HP Services zl Module J9154A
Versions : A.01.
Option 1. You can access the Product OS by typing the index number associated with the TMS zl Module. Use the following command, entered from either the switch's manager-level or global configuration context:
Syntax: services <slot> <index>
Moves you to an OS context on the module. Replace <slot> with the letter for the chassis slot in which the module is installed, and <index> with the index number the switch assigned to the module.
Configure Management Access
Option 2. Alternatively, you can access the Product OS context by specifying the product name for the TMS zl Module. This name never changes. Enter the following command from either the switch's manager-level or global configuration context:
Syntax: services <slot> name tms-module
Moves you to the Product OS context on the module. Replace <slot> with the letter for the chassis slot in which the module is installed.
2. Enter the configuration context for the module:
Syntax: configure terminal
Enters the configuration context for the module.
hostswitch(tms-module-C)# configure terminal
3. Set the operating mode to monitor:
Syntax: operating-mode monitor
Sets the module's operating mode to monitor. You will be prompted to confirm that you want to change operating modes and asked whether you want to save the current configuration.
For example:
hostswitch(tms-module-C:config)# management ip address 10.1.5.111 255.255.255.0
Note: The management IP address should be static. Do not use DHCP to obtain this address.
6. To set the default gateway, enter the following command:
Syntax: ip route 0.0.0.0/0 <gateway-ip>
Sets a default gateway for the module. Replace <gateway-ip> with the IP address of the default gateway for the module.
The TMS zl Module has a self-signed digital certificate under the name ProCurve. This certificate is not created or signed by a well-known, trusted certificate authority (such as VeriSign), so Internet Explorer and Firefox display a warning the first time you access the TMS zl Module's Web browser interface through HTTPS. Because the browser cannot verify a self-signed certificate, confirm that you are connecting to the module's management IP address from a trusted management network before you accept the exception.
Figure 3-8. Firefox 3 Certificate Security Warning
3. Click I Understand the Risks.
4. Click Add Exception. The Add Security Exception window is displayed.
Figure 3-9. Add Security Exception Window
5. Click Get Certificate. The window updates to tell you that the certificate belongs to a different site.
6. Click Confirm Security Exception. The TMS zl Module's login window is displayed.
Internet Explorer 7 or 8
1. Enable JavaScript.
a. In your browser, click Tools > Internet Options.
b. Click the Security tab.
c.
Figure 3-10. IE Internet Options Window
d. Click Custom Level. The Security Settings— Zone window is displayed.
Figure 3-11. IE Security Settings— Zone Window
e. Scroll down to the Scripting section and click Enable for Active Scripting. Then click OK.
f. Click OK again.
2. Type https:// followed by your module's IP address in the address field. A warning is displayed.
Figure 3-12.
3. Click Continue to this website (not recommended). The TMS zl Module's login window is displayed.
Log in to the TMS zl Module Web Browser Interface
When you reach the Web browser interface login window, you are prompted to enter a username and password. (See Figure 3-13.)
Figure 3-13. Web Browser Interface Login Window
In the User Name field, type manager, and in the Password field, type the default password: procurve. This default is public knowledge, so change it as soon as you have logged in, as described later in this chapter.
When you use the Web browser interface to configure the TMS zl Module, your changes affect one of two sets of configuration files, depending on whether you apply or save the changes:
■ Running configuration—When the TMS zl Module loads the saved configuration, all of the settings become the running configuration, which is held in RAM.
When your changes are saved, you will see this message near the top of the window:
Figure 3-15. Changes Saved to the Startup Configuration
Note: If you click Save before applying the configuration changes, some of your changes may not be applied or saved. Make sure that you apply the configuration changes before you click Save.
■ Click the Delete icon to remove an object.
■ Click the Edit icon to edit an object.
The Delete and Edit icons are called "Tools."
Dashboard
The TMS zl Module's dashboard displays module settings and real-time statistics. The refresh rate (nonconfigurable) for the dashboard is four seconds.
Table 3-7.
Field | Description | How to Configure
Latest Critical Alerts | List of alerts with the severity level of Critical, with the most recent alert at the top | n/a; see all alerts on System > Logging > View Log
Network Interfaces: Name | Name of the TMS zl Module physical port | See "Ready the Host Switch" on page 3-7
Configure the Module's Management Settings
To access the Web browser interface, you configured a set of management settings: you assigned a management VLAN and IP address, as well as a default gateway. You can change these settings in the Web browser interface. To view or change the module's management settings, complete the following steps.
1. Select System > Settings and click the General tab.
Figure 3-17.
Configure the Default Gateway
Typically, you configure the default gateway as part of the initial setup from the CLI; however, you can also configure the default gateway from the Web browser interface. You can also add a second default gateway. In this case, the metric and administrative distance of the two default routes determine which is preferred. To set the default gateway, follow these steps:
1.
When the TMS zl Module determines the preference between two identical routes, it first compares the administrative distance. If that value is the same, it compares the metric.
7. Click OK.
8. Click OK.
9. Click Save.
Create a Static Route
Typically, the default gateway can perform all the routing that a monitor mode TMS zl Module requires. If necessary, however, you can create a static route to a specific network or host through a different gateway.
6. For Metric, type a value to represent the distance to the destination address. Typically, the metric for a static route is 0.
7. For Distance, type the administrative distance. Typically, the distance for a static route is 1.
8. Click OK. The route is now displayed in the Network > Routing > Static Routes window.
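The preference rule above (most specific prefix, then lower administrative distance, then lower metric) is easy to get backwards when two default gateways are configured. The following is an added example, not code from the module or from HP, that applies that rule to a small constructed route table so you can see which gateway a given destination would use:

```python
"""Route preference as the TMS zl Module documentation describes it:
longest matching prefix, then lower administrative distance, then lower
metric. Added example; the routes and destinations are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str      # "0.0.0.0/0" for a default gateway
    gateway: str
    metric: int = 0       # typical static-route metric on the module
    distance: int = 1     # typical static-route administrative distance


def network_of(route):
    return ipaddress.ip_network(route.destination, strict=False)


def preference(route):
    # lower tuple wins: more specific prefix, then distance, then metric
    return (-network_of(route).prefixlen, route.distance, route.metric)


def next_hop(routes, dest_ip):
    """Return the Route that would carry traffic to dest_ip, or None."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if dest in network_of(r)]
    if not matches:
        return None
    # distance is compared before metric, as the page states for two
    # default gateways with identical prefixes
    return min(matches, key=preference)


def rank(routes):
    """All routes ordered from most to least preferred, for review."""
    return sorted(routes, key=preference)


if __name__ == "__main__":
    # constructed table: two default gateways plus one static route
    table = [
        Route("0.0.0.0/0", "10.1.5.1", metric=10, distance=1),
        Route("0.0.0.0/0", "10.1.5.2", metric=0, distance=5),
        Route("192.168.50.0/24", "10.1.5.3"),
    ]
    for dest in ("8.8.8.8", "192.168.50.7"):
        print(dest, "->", next_hop(table, dest).gateway)
```

Note that the gateway with the higher metric still wins in the first case because its administrative distance is lower; metric only breaks ties between routes with the same distance.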
Whichever choice you make, the TMS zl Module reboots in the new operating mode with the last configuration made for that operating mode. If the module has not been configured in this operating mode before, it boots with the factory default settings.
2. From the User list, select manager (read/write) or operator (read only).
3. For Old password, type the current password. The default passwords are: manager = procurve; operator = operator.
4. For New password and Confirm new password, type a new password for the user. The new password cannot have more than 14 characters.
5. Click Apply My Changes.
Note: The operator cannot change passwords. Operator is read-only in all windows.
6.
Figure 3-22. Network > Authentication > Management Users Window
2. Select the Enable RADIUS for management user authentication check box. The setting is applied as soon as you select the check box.
You must also specify the external RADIUS server that will authenticate management users:
1. Click the RADIUS tab.
Figure 3-23.
2. Under RADIUS Settings, for Authentication Protocol, select the protocol that the TMS zl Module uses to communicate with all of your RADIUS servers. Options include:
• MS-CHAPv1
• CHAP
• PAP
With PAP, the user's password is hidden only by the RADIUS shared secret and the request authenticator, so use a long, random shared secret and keep the path between the module and the RADIUS server on a trusted management network.
3. Click Add RADIUS Server. The Add RADIUS server window is displayed.
Figure 3-24. Add RADIUS server Window
4. In the Server Address field, type the IP address or FQDN of your RADIUS server. The port is always 1812.
5.
When the TMS zl Module authenticates users to an external RADIUS server, it selects the authentication server based on the domain name. Therefore, when management users attempt to log in to the TMS zl Module, they should type <username>@<domain> and their password on the Web login page. You may choose to leave the Domain Name field blank; the TMS zl Module then assigns the RADIUS server to the global domain.
• It sets the following AVP for the connection: Service-Type = NAS Prompt.
Note: Again, it is best practice to add Service-Type = NAS-Prompt-User to the selection criteria for the management access policy.
Table 3-8.
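To make the RADIUS settings above concrete, the following added example (not the module's code, and not published HP material) builds the Access-Request a NAS sends for a management login with the PAP authentication protocol, selects the server by the domain after "@" as the page describes, and shows why the shared secret matters: with it, the User-Password attribute is reversible; without it, it is not. The attribute set (User-Name, User-Password, NAS-IP-Address, Service-Type = NAS Prompt) is an assumption about what the module includes, and the server table and secrets are constructed.

```python
"""RADIUS Access-Request with PAP (RFC 2865) plus domain-based server
selection. Added example; not the TMS zl Module's own implementation.
The attribute set is assumed, the servers and secrets are constructed."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
NAS_PROMPT = 7            # RFC 2865 Service-Type value "NAS Prompt"
RADIUS_AUTH_PORT = 1812   # the module always uses this port


def select_server(login, servers):
    """servers maps domain -> (host, shared_secret); "" is the global domain.
    The domain after '@' picks the server; unknown or absent domains fall
    back to the global domain, as the page describes."""
    _user, _sep, domain = login.partition("@")
    return servers[domain] if domain in servers else servers[""]


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. Anyone holding the shared secret can reverse this."""
    p = password.encode()
    if not 1 <= len(p) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    p += b"\0" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(p[i:i + 16], pad))
        out += prev
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; returns the password bytes without padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\0")


def build_access_request(login, password, servers, nas_ip, identifier=1, authenticator=None):
    """Return (server_host, port, packet_bytes) for one login attempt."""
    host, secret = select_server(login, servers)
    authenticator = authenticator or os.urandom(16)   # fresh per request
    attrs = (_attr(USER_NAME, login.encode())
             + _attr(USER_PASSWORD, pap_hide(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return host, RADIUS_AUTH_PORT, header + authenticator + attrs


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    # constructed server table: one per-domain server and the global domain
    servers = {"corp.example": ("radius1.corp.example", b"Long-random-shared-secret"),
               "": ("radius.example", b"global-secret")}
    host, port, pkt = build_access_request("alice@corp.example", "procurve", servers, "10.1.5.111")
    code, ident, auth, attrs = parse_packet(pkt)
    print(host, port, len(pkt), attrs[USER_NAME],
          pap_reveal(attrs[USER_PASSWORD], servers["corp.example"][1], auth))
```

Whether the module strips the domain from User-Name before forwarding is not stated on the page, so the example sends the login exactly as typed; adjust the RADIUS policy's selection criteria accordingly.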
3. Optional: For Secondary Server, type the IP address of your secondary DNS server. If you do not have a secondary DNS server, leave this field blank.
4. For Domain Suffix, type the suffix of your DNS domain name.
5. Click Apply My Changes.
6. Click Save.
Figure 3-26. System > Logging > View Log Window
In this window, you can see a real-time list of events for the TMS zl Module's operation. The events that are displayed are those at or above the severity selected in the System > Logging > Settings window (the default is Critical). To filter the logs that are displayed in this window, select and clear the appropriate check boxes under Filter.
To export a copy of the local log, click the Export log link in the bar above the logged events. Your browser saves the .tgz file according to its download settings. The .tgz file is a compressed tar archive; the log file it contains is space-delimited text that you can read with Windows Notepad or an equivalent text editor, or import into a spreadsheet application such as Microsoft Excel.
To configure log settings, follow these steps:
1. Select System > Logging and click the Settings tab.
Figure 3-27. System > Logging > Log Settings Window
2. From the list, select the lowest severity level of the events that you want the module to log.
3. Configure the throttling setting:
• To suppress duplicate event logs, select the Enable Throttling check box.
7. Click Save.
Configure Email Forwarding
To forward event logs to email accounts, click System > Logging and click the Email Forwarding tab.
Figure 3-30. System > Logging > Email Forwarding Window
1. Select the Enable email forwarding check box.
2. For Email Server, type the IP address or FQDN of the email server.
3. For From Email Address, type the email address from which event logs will be sent.
Configure Syslog Forwarding
To forward event logs to a syslog server, click System > Logging and click the Syslog Forwarding tab. You can add up to three entries.
Figure 3-31. System > Logging > Syslog Forwarding Window
1. Select the Enable syslog forwarding check box.
2. Click Add Syslog Server. The Add Syslog Server window is displayed.
Figure 3-32. Add Syslog Server Window
3. For Address, type the IP address or FQDN of the syslog server.
Configure SNMP Traps
SNMP traps are unsolicited messages that managed devices send to alert you about specific events. For example, you can use PCM+ to manage the TMS zl Module by specifying the device running PCM+ as a trap destination. The TMS zl Module supports the standard MIB-II, the IF-MIB, and a proprietary MIB that is particular to the operation of the TMS zl Module.
Figure 3-34. Add SNMPv2 Destination Window
2. For Server Address, type the IP address or FQDN of an SNMP server. For example, if you are using PCM+, enter the IP address or FQDN of the server running PCM+.
3. For Community Name, type the read-write (unrestricted) community name. You must enter the read-write community name that is configured on the SNMP server. SNMPv1/v2c community names cross the network in cleartext, so treat them as passwords and prefer SNMPv3 trap destinations where your management station supports them.
4. Click OK.
5. Click Save.
Figure 3-35. Add SNMPv3 Destination Window
2. For Server Address, type the IP address or FQDN of an SNMPv3 server. For example, if you are using PCM+, enter the IP address or FQDN of the server running PCM+.
3. For Username, type a username for the SNMPv3 account that will be used with this trap destination. The username must match a username in an account on the SNMPv3 server.
If you want to add more SNMPv3 trap receivers, repeat these steps. Use the Edit and Delete icons in the Tools column to modify or remove a trap receiver.
Configure SNMP
The TMS zl Module allows some remote management through SNMPv1/v2c or SNMPv3. For example, you can configure SNMP so that the module can be managed by PCM+.
■ Private
• Role = Manager
• Write Access = Unrestricted
You can change the names, roles, and write access of the default communities, or you can add new communities. Editing and adding a community are much the same process. Follow these steps:
1. Complete one of these two steps:
• To edit one of the default communities, click the Edit icon in the Tools column for the community that you want to edit.
Figure 3-37.
5. Click OK.
6. Click Save.
If you want to add more SNMPv1/v2 communities, repeat these steps.
Note: Remember, if you add new communities rather than editing the default communities, the default communities continue to allow access unless you delete them. Well-known default community names are the first ones an attacker tries, so rename or delete them. To delete a community, click the Delete (X) icon in the Tools column for that community.
SNMPv3
To configure SNMPv3 settings:
1.
4. For Authentication Protocol, select the protocol specified for the account on the SNMPv3 server: MD5 or SHA-1. SHA-1 is the stronger of the two; choose MD5 only when the server cannot use SHA-1.
5. For Authentication Passphrase, type the authentication passphrase for the account. The passphrase must be between 8 and 265 characters (special or alphanumeric).
6. For Privacy Protocol, select the privacy protocol used for the account: None, DES, or AES. Choose AES where the server supports it; DES is a 56-bit cipher and no longer adequate. For the manager role, you must configure privacy settings.
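The passphrase and protocol choices above are not used directly: an SNMPv3 agent and manager each turn the passphrase into a key with the RFC 3414 password-to-key algorithm and then localize it with the engine ID, which is why the passphrase must be at least eight characters and why the same passphrase yields a different key on every device. The following is an added example, not module code, that derives those keys and flags the account settings a practitioner would want caught before saving; the expected values in its demo are the RFC 3414 appendix A.3 test vectors, and the user records are constructed.

```python
"""RFC 3414 password-to-key and key localization for SNMPv3 users, with a
pre-save check of the settings the page offers. Added example, not the
TMS zl Module's code; user records below are constructed."""
import hashlib

HASH_FOR_PROTOCOL = {"MD5": "md5", "SHA-1": "sha1"}
WEAK = {"MD5", "DES"}   # still offered on the module, but deprecated today


def password_to_key(passphrase, auth_protocol):
    """Ku: hash 1,048,576 bytes of the passphrase repeated (RFC 3414 A.2)."""
    pw = passphrase.encode()
    if len(pw) < 8:
        raise ValueError("passphrase must be at least 8 characters")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(HASH_FOR_PROTOCOL[auth_protocol], stream).digest()


def localize_key(ku, engine_id, auth_protocol):
    """Kul = H(Ku || snmpEngineID || Ku): one passphrase, a distinct key
    per agent, so a key captured from one device does not open another."""
    return hashlib.new(HASH_FOR_PROTOCOL[auth_protocol], ku + engine_id + ku).digest()


def derive_keys(user, engine_id_hex):
    """Return (localized auth key, localized privacy key or None)."""
    engine_id = bytes.fromhex(engine_id_hex)
    proto = user["auth_protocol"]
    auth_key = localize_key(password_to_key(user["auth_passphrase"], proto), engine_id, proto)
    priv_key = None
    if user.get("priv_protocol", "None") != "None":
        # privacy keys are derived with the authentication hash; DES (RFC 3414)
        # and AES-128 (RFC 3826) both take the first 16 bytes
        priv_pw = user.get("priv_passphrase", user["auth_passphrase"])
        priv_key = localize_key(password_to_key(priv_pw, proto), engine_id, proto)[:16]
    return auth_key, priv_key


def check_user(user, role):
    """Problems to flag before saving the account, per the page's rules."""
    problems = []
    if len(user["auth_passphrase"]) < 8:
        problems.append("authentication passphrase shorter than 8 characters")
    priv = user.get("priv_protocol", "None")
    if role == "manager" and priv == "None":
        problems.append("manager role requires a privacy protocol")
    for proto in (user["auth_protocol"], priv):
        if proto in WEAK:
            problems.append(f"{proto} is deprecated")
    return problems


if __name__ == "__main__":
    # RFC 3414 A.3 vectors: password "maplesyrup", engine ID 0x00..02
    user = {"auth_protocol": "SHA-1", "auth_passphrase": "maplesyrup", "priv_protocol": "AES"}
    auth_key, priv_key = derive_keys(user, "000000000000000000000002")
    print(auth_key.hex(), priv_key.hex(), check_user(user, "manager"))
```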
Ping Utility
You might want to check the TMS zl Module's connectivity with devices such as SNMP trap servers, PCM+/NIM, or a syslog server. To ping an IP address or hostname, complete the following steps:
1. Click System > Utilities > Ping.
2. For Hostname/IP Address, type the hostname or IP address of the device you are trying to reach.
3. For Repetitions, select the number of ping messages you want the module to send.
Figure 3-40. System > Utilities > Ping Window
5. Click Ping. The results of the ping are displayed in the Results field.
System Maintenance
This section describes how to complete these system maintenance tasks on the TMS zl Module:
■ Save the current startup-config to an external drive. See "Back Up the Startup-Config" on page 3-61.
■ Restore the startup-config to a previously saved configuration. See "Restore to a Previously Saved Configuration" on page 3-62.
■ Erase the startup-config and return to factory default settings (retaining any existing IDS/IPS signatures).
Figure 3-41. System > Maintenance > Back Up/Restore Window
2. Click Back Up and follow the prompts to save the startup configuration file to a selected directory.
Note: If possible, it is best to name the configuration file after the date on which it was saved. For example, if the configuration was saved on November 03, 2009, name it 2009-11-03.cfg. The saved configuration file is encrypted.
Erase the Startup-Config and Return to Defaults
You can erase the startup configuration. This action erases your configuration changes and returns the settings to factory defaults. However, your IDS/IPS signatures are retained. You can erase the startup configuration from two places:
■ Web browser interface
■ CLI Product OS
If you are unable to access the Web browser interface, you can use the CLI Product OS to restore the module's IP settings.
1. Access the TMS zl Module Product OS in one of the following two ways:
• Through the host switch CLI:
i. Access the host switch CLI and enter the manager context.
ii. Enter the Product OS context for the TMS zl Module:
Syntax: services <slot> <index>
Moves you to an OS context on the module. Replace <slot> with the letter for the chassis slot in which the module is installed, and <index> with the index number the switch assigned to the module.
You cannot uninstall and reinstall software from the Web browser interface. To restore the module to the factory default configuration from the Services OS context, complete the following steps:
1. Access the Services OS context:
Syntax: services <slot> 1
Enters the Services OS context on the module. Replace <slot> with the letter for the chassis slot in which the module is installed.
2.
7. Uninstall the current product software:
Syntax: uninstall product
Uninstalls the current TMS zl Module software. Press [Enter] or [y] for any prompts that are displayed. For example:
hostswitch(services-module-C:HD)# uninstall product
8. Reinstall the product software:
Syntax: install product <directory>
Installs the latest software version on the TMS zl Module. Replace <directory> with the name of the directory that contains the new software image.
Update the Module Software
The software for the module can be updated through the Web browser interface or the CLI.
Update Software with the Web Browser Interface
You can use the Web browser interface to update the software image, but if you need to uninstall and reinstall an image, see "Restore to Factory Default Settings (Including IDS/IPS Signatures)" on page 3-64.
1. Download the new software image from the HP ProCurve Web site.
2.
d. File Name—Type the name of the image file, including the extension, for example, ST.3.2.091103.zip. Remember to include the path to the file if it is in a subdirectory.
5. Click Download and install to download the software to the module and install it.
6. You can track the progress of the download and installation in the Latest Status section. After the software has been installed, you must reboot the module to complete the installation.
Moves you to an OS context on the module. Replace <slot> with the letter for the chassis slot in which the module is installed. Replace <index> with the index number that your particular switch has assigned the TMS zl Module.
• Through SSH:
i. Open an SSH client on a management workstation in a management-access zone.
ii. Establish a connection to a TMS zl Module IP address.
iii. If prompted, accept the module's key.
iv.
4. After you press [Enter], the module prompts you for a password. Enter the password for the user that you specified in the command. For example:
Password: procurve
5. The image is copied to the module, then automatically installed. When the prompt says that the installation is finished, reboot the module to complete the update.
hostswitch(tms-module-C)# boot
Update the Software from a TFTP Server.
3. Copy the image from the TFTP server and install it.
Syntax: copy tftp image <server-ip> <filename>
Copies and installs a TMS zl Module software image from a TFTP server. Replace <server-ip> with the IP address of the server. Replace <filename> with the path and filename of the software image, including the .zip extension. For example, suppose you have copied the software image to a TFTP server with these parameters:
• IP address—192.168.1.13
• Filename—ST.
hostswitch(services-module-C:PR)# boot services
6. When the module comes back online, enter the Services OS again. For example:
hostswitch# services c 1
7. Insert the USB drive in the USB port on the TMS zl Module.
8. Wait a few seconds, then mount the USB drive.
hostswitch(services-module-C:HD)# usb mount
9. Copy the image from the drive to the module.
Syntax: usb copyfrom
Copies a file from the USB drive to the module.
4 Firewall
Contents
Overview 4-4
General Firewall Concepts 4-4
Advantages of an Integrated Firewall 4-5
Stateful Firewall 4-6
Packet-Filtering Firewall
Policy Examples 4-40
Unicast Access Policy 4-40
Scheduled Access Policy 4-42
Rate-Limiting Access Policy 4-44
User Authentication
Port Triggers 4-97
Example Port Trigger 4-100
Attack Checking 4-102
Attack Check Descriptions 4-103
ICMP Replay
Overview
This chapter covers the configuration of the TMS zl Module firewall, including these features:
■ "Named Objects" on page 4-9
■ "Firewall Access Policies" on page 4-22
■ "User Authentication" on page 4-47
■ "Application-Level Gateways (ALGs)" on page 4-87
■ "Attack Checking" on page 4-102
■ "Connection Timeouts" on page 4-112
■ "Resource Allocation" on page 4-115
■ "IP Reassembly" on page 4-126
It is best practice to configure named objects before you set up firewa
General Firewall Concepts
Today's networks have changed, however. As companies have adapted their networks to meet the ever-changing face of business, the boundaries between private and public networks have blurred. The Internet has become a critical work tool for nearly every company, and companies have opened parts of their private network to guests—such as partners and customers—allowing temporary and permanent accounts with varying levels of access.
Stateful Firewall
The TMS zl Module has a stateful firewall, which examines packet content at several OSI layers. It combines aspects of:
■ A packet-filtering firewall
■ A circuit-level gateway
■ An application-level gateway
Packet-Filtering Firewall
A packet-filtering firewall is a router, switch, or computer that runs firewall software configured to screen incoming and outgoing packets.
Valid but illogical handshakes and packets with invalid IP addresses are often a sign that an attacker is attempting to infiltrate or gain information about a private network. The TMS zl Module automatically recognizes the flags that mark common attacks and drops packets that contain them. (See "Enable and Disable Optional Attack Checks" on page 4-110 for instructions.)
ALGs are covered in more detail in "Application-Level Gateways (ALGs)" on page 4-87 and "Enable and Disable ALGs" on page 4-96. The TMS zl Module includes ALGs for several specific applications. In keeping with best security practices, however, only one ALG—the FTP ALG—is enabled by default. You must explicitly enable any other ALGs that your organization might need.
Named Objects
A named object is a logical "container" that gives one or more addresses, services, or schedules a single name for use in firewall access policies, NAT policies, and port triggers. The advantage of using named objects is that you create the object once; if its parameters later change, you edit the object rather than changing the parameters in every policy that refers to it.
Table 4-1.
■ Domain—Contains one or more URLs or FQDNs
Note: You cannot combine address types in one address object. For example, you cannot combine address ranges with network addresses. To create a named object with more than one address type, create an address group (see "Address Groups" on page 4-13).
Figure 4-3. Add Address Object Window (IP Type)
3. Type a name for the object in the Name field.
Note: When specifying a Name, you can use up to 32 alphanumeric characters and the following special characters: exclamation point (!), asperand (@), hash sign (#), dollar sign ($), asterisk (*), hyphen (-), and underscore (_).
4. Do one of the following:
• Create an IP address object:
i. Select IP from the Type list.
ii. Select an entry type.
iii.
iii. In the space provided, type an IP address range, each address in dotted-decimal format. For multiple-entry objects, type each entry on its own line. Example:
192.168.1.1-192.168.1.100
10.12.1.1-10.13.255.255
You can add up to 100 IP address ranges to a single address object.
• Create a domain address object:
i. Select Domain name from the Type list.
ii. In the Entries field, type one or more URLs or FQDNs, each on its own line. Example:
www.procurve.com
production.eng.procurve.
Figure 4-4. Firewall > Access Policies > Address Groups Window
2. Click Add Address Group.
Figure 4-5. Add Address Group Window
3. For Name, specify a name for the address group.
Note: When specifying a Name, you can use alphanumeric characters and the following special characters: exclamation point (!), asperand (@), hash sign (#), dollar sign ($), asterisk (*), hyphen (-), and underscore (_).
4. From the Available Addresses list, select an address object.
5.
Service Objects

A service object is a named object that contains a type of service. You can have up to 500 service objects. Some common service objects are included with the TMS zl Module, as shown in Table 4-2. You can use service objects in firewall access policies, NAT policies, port triggers, and IPsec policy traffic selectors.

Table 4-2.
Service          Transport Protocol   Port   Description
ident            TCP                  113    Identification Authentication Protocol
imap4            TCP                  143    Internet Message Access Protocol
ipsec-nat-t-tcp  TCP                  4500   NAT traversal for IPsec over TCP
ipsec-nat-t-udp  UDP                  4500   NAT traversal for IPsec over UDP
irc              TCP                  194    Internet Relay Chat Protocol
isakmp           UDP                  500    Internet Security Association and Key Management Protocol
kerberos-tcp     TCP                  750    Kerberos protocol over TCP
kerberos-udp     UDP                  750    Kerberos pr
radius           UDP                  1812   Remote Authentication Dial-In User Service
radius-acct      UDP                  1813   Remote Authentication Dial-In User Service (accounting)
rip              UDP                  520    Routing Information Protocol
secureid-udp     UDP                  5510   SecureID handshaking protocol over UDP
smtp             TCP                  25     Simple Mail Transfer Protocol
snmp             UDP                  161    Simple Network Management Protocol
snmptrap         UDP                  162    Simple Network Management Protocol Trap
sqlnet           TCP                  1521   Structure
Figure 4-6. Firewall > Access Policies > Services Window (Partial)

2. Click Add Service.

Figure 4-7. Add Service Window

3. In the Name field, type the name of the service.

Note: When specifying a Name, you can use alphanumeric characters and the following special characters: exclamation point (!), asperand (@), hash sign (#), dollar sign ($), asterisk (*), hyphen (-), and underscore (_).

4. From the Protocol list, select a protocol.
5.
7. Add another service object or click Close.
8. Click Save.

Service Groups

Service groups are user-defined groupings of service objects. Any number of service objects can be placed in a service group, and a service object can be in more than one service group. You can create up to 500 service groups, each with up to 500 service objects. To add a service group, follow these steps:
1.
3. For Name, specify a name for the service group.

Note: When specifying a Name, you can use alphanumeric characters and the following special characters: exclamation point (!), asperand (@), hash sign (#), dollar sign ($), asterisk (*), hyphen (-), and underscore (_).

4. From the Available Services list, select a service.
5. Click the Move Right button to move the service into the Group Members list.
6.
Figure 4-11. Add Schedule Window

3. Specify a name for the schedule object in the Name field.

Note: You can use only letters, numbers, and the underscore character (_) in this field.

4. Select each day that you want to include in the schedule.
5. Under Time, select one of the following:
• All day, to apply the schedule from midnight to midnight on the selected day(s).
• Starts, to specify a starting and ending time for the schedule.
Firewall Firewall Access Policies

Firewall Access Policies

This section covers the TMS zl Module firewall access policies, which control all traffic routed in and out of TMS VLANs:
■ For detailed information about access policies, see “Access Policy Concepts” on page 4-22.
■ To learn how to create access policies, see “Create Firewall Access Policies” on page 4-29.
Access Policy Parameters

More specifically, policies include the following parameters, which determine which traffic is selected:
■ Source and Destination Zones
Firewall access policies are grouped by the source and destination zones. A policy may designate any of the 10 zones as the source or destination zone or both.
■ Traffic Type
Firewall access policies can be applied to two basic types of traffic:
• Unicast—A packet has one sender and one receiver.
■ TCP MSS
When you set this value (available only for unicast access policies), the TMS zl Module forces the device involved in the connection to use the specified maximum segment size (MSS). The MSS determines the maximum size for TCP data in each packet. Generally, devices can set their MSS on their own. Typically, they set the MSS to the maximum transmit unit (MTU) of the outgoing interface minus 40 bytes (the length of a standard IP and TCP header).
Table 4-3.
Table 4-5. Self to [Zone]: bootpc, bootps, dns-tcp, dns-udp, ftp, http, https, ICMP/echo, radius, radius-acct, smtp, snmp, snmptrap, ssh, syslog, tftp

You can modify or delete these policies as desired. These policies are automatically deleted when you remove the management-access designation from a zone.
Orphaned Policies

With the module in routing mode (Layer 3), only the traffic that crosses TMS VLAN boundaries can be filtered by the TMS zl Module. If you configure a policy to affect traffic that originates in and is destined for the same TMS VLAN, the policy will not take effect because the traffic is not routed through the module.

Figure 4-12.
When host 10.10.0.56 tries to contact server 10.5.0.220, however, the traffic must cross a VLAN (subnet) boundary, which requires the services of a Layer 3 routing device. Because the TMS zl Module is the default router for VLAN_10, it receives the traffic. The TMS zl Module can therefore block the traffic from 10.10.0.56 with a firewall access policy.
Create Firewall Access Policies

To configure a firewall policy, complete the following steps:
1. Create a unicast access policy or a multicast access policy:
• To add a unicast access policy, click Firewall > Access Policies > Unicast.
• To add a multicast access policy, click Firewall > Access Policies > Multicast.
2. From the User Group list, select the user group to which you want to apply the policy.
3. Click Add a Policy.
7. Under Matching Criteria, configure the criteria for selecting traffic that is controlled by this policy. For any of the fields, you can accept the default values (Any Service or Any Address) or you can configure a specific value:
a.

Note: If your network runs a well-known service on an alternative port, you might need to add a port-to-service association to allow ALGs and the IDS/IPS to function correctly. See “Port Mapping” on page 4-84.

b.
10. Optionally, select the Enable logging on this Policy check box to log access policy activities.

Note: It is not recommended that you enable logging permanently because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.

11. Optionally, in the Insert Position field, specify the priority of this access policy.
12. Click Apply.
13. Optionally, click the Advanced tab to set a schedule, TCP MSS, or connection limits.
Typically, devices can determine their MSS for the connection on their own. However, you often need to set the MSS for access policies that permit traffic that will be sent over a GRE tunnel or a VPN connection. This requirement arises from the fact that GRE, IPsec, and L2TP add headers that increase a packet’s size without the knowledge of the device that sent the packet. For more information, see the introduction to firewall access policies on page 22.
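The MSS arithmetic described here and in the TCP MSS parameter above, together with the clamping operation a firewall performs on a SYN, as an added example in Python (not code from the HP guide or the TMS zl Module). It assumes IPv4 with the standard 20-byte IP and 20-byte TCP headers; the 24-byte GRE figure is the outer IPv4 header plus the basic 4-byte GRE header, while IPsec and L2TP overhead is left as a parameter because it varies with the cipher and options in use. The SYN option bytes are constructed.

```python
from __future__ import annotations

import struct

# Added example, not from the HP guide. Assumes IPv4 with standard 20-byte IP
# and 20-byte TCP headers (the 40 bytes the guide subtracts from the MTU).
IP_HEADER = 20
TCP_HEADER = 20
# GRE adds an outer IPv4 header plus the 4-byte basic GRE header. ESP and L2TP
# overhead vary with cipher, IV, ICV and padding, so the caller passes them in.
GRE_OVERHEAD = IP_HEADER + 4

MSS_KIND, NOP_KIND, EOL_KIND = 2, 1, 0


def mss_limit(mtu: int, tunnel_overhead: int = 0) -> int:
    """Largest MSS whose full-sized segments still fit the MTU after encapsulation."""
    return mtu - IP_HEADER - TCP_HEADER - tunnel_overhead


def clamp_mss_option(options: bytes, limit: int) -> tuple[bytes, int | None]:
    """Walk the TCP options of a SYN (RFC 793 type-length-value layout) and lower
    an MSS option that exceeds limit. Returns (rewritten options, MSS the sender
    originally advertised, or None if the SYN carried no MSS option). A real
    firewall would also recompute the TCP checksum after rewriting."""
    out = bytearray(options)
    i = 0
    advertised = None
    while i < len(out):
        kind = out[i]
        if kind == EOL_KIND:
            break
        if kind == NOP_KIND:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(out):         # malformed: kind present but length cut off
            break
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            break                     # malformed length; never read past the buffer
        if kind == MSS_KIND and length == 4:
            advertised = struct.unpack_from("!H", out, i + 2)[0]
            if advertised > limit:
                struct.pack_into("!H", out, i + 2, limit)
        i += length
    return bytes(out), advertised


# Constructed sample: a SYN advertising MSS 1460, two NOPs and SACK-permitted.
SAMPLE_SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"


def demo() -> tuple[bytes, int | None]:
    # A 1500-byte MTU path that will be carried over GRE: 1500 - 40 - 24 = 1436.
    return clamp_mss_option(SAMPLE_SYN_OPTIONS, mss_limit(1500, GRE_OVERHEAD))


if __name__ == "__main__":
    rewritten, advertised = demo()
    print(f"advertised MSS {advertised}, rewritten options {rewritten.hex()}")
```

The parser stops at any option whose length runs past the buffer instead of reading beyond it, which is the failure mode to watch for in anything that touches raw TCP options.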
Caution: The TMS zl Module automatically applies an implicit deny to traffic that is not selected by another access policy. Therefore, you do not have to create a final access policy to deny all other traffic. In fact, you should not configure such a policy because it might interfere with the proper functioning of any ALGs that are enabled.
Figure 4-15.
If you modify access policy 2 to permit only traffic from 10.1.5.5–10.1.5.30, the connection will be reevaluated against the modified policy. The modified policy permits the traffic, so the session is continued. Figure 4-16 shows that the connection is still permitted by Internal-to-DMZ policy 2.

Figure 4-16.
If you modify access policy 2 to permit only HTTPS traffic, the connection will be reevaluated against the modified policy. The modified policy does not permit the traffic, so the connection is dropped. When the endpoint in the Internal zone attempts to reconnect, the connection request is evaluated against all of the Internal-to-DMZ policies. In Figure 4-17, you can see that the traffic is now permitted by Internal-to-DMZ policy 3.

Figure 4-17.
Adding an Overlapping, Higher-Position Policy

If you add a policy that overlaps an existing policy, and the new policy is a higher priority, then traffic in the overlapping address set that was allowed by the original policy will be dropped and reevaluated. In Figure 4-18, the endpoint in the Internal zone has an established FTP session with the FTP server in the DMZ. This connection was permitted by Internal-to-DMZ policy 2.

Figure 4-18.
If you add the new policy with priority 2 that is shown in Figure 4-19, the connection is dropped because it is within the address space that overlaps between the current policy and the new policy with a higher priority. When the connection attempts to reinitiate, it is reevaluated against all of the Internal-to-DMZ policies. Figure 4-19 shows that the connection is permitted by Internal-to-DMZ policy 3, which used to be policy 2.

Figure 4-19.
Deleting a Policy

If you delete the policy that allowed an endpoint to send or receive traffic, the connections will be dropped and reevaluated. In Figure 4-20, the endpoint in the Internal zone has an established FTP session with the FTP server in the DMZ. This connection was permitted by Internal-to-DMZ policy 2.

Figure 4-20.
If you delete Internal-to-DMZ policy 2, the connection is dropped and then reevaluated against all of the Internal-to-DMZ policies. Figure 4-21 shows that the connection is now permitted by Internal-to-DMZ policy 2, which used to be policy 3.

Figure 4-21.
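The four cases walked through in Figures 4-16 to 4-21, replayed by an added Python model that is not part of the HP guide. Policy ids, the Internal-to-DMZ address ranges and the FTP session are constructed; the model generalizes the figures into one rule per event (modify a policy, add a higher-priority overlapping policy, delete a policy) and reports, for each established session, whether it continued or was dropped and which policy admitted the reconnect.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example, not from the HP guide: a toy model of one zone pair's ordered
# access policies (position 1 is evaluated first) and of what happens to
# established sessions when a policy is modified, added above them, or deleted.
# Policy ids, address ranges and services are constructed for illustration.


@dataclass
class Policy:
    pid: int          # stable identifier; positions shift when policies are added or deleted
    action: str       # "permit" or "deny"
    service: str      # "any" or a service object name such as "ftp" or "https"
    src_start: str    # IPv4 range of the policy's Source address object
    src_end: str

    def covers(self, src_ip: str) -> bool:
        ip = int(ipaddress.IPv4Address(src_ip))
        lo = int(ipaddress.IPv4Address(self.src_start))
        hi = int(ipaddress.IPv4Address(self.src_end))
        return lo <= ip <= hi

    def matches(self, src_ip: str, service: str) -> bool:
        return self.covers(src_ip) and self.service in ("any", service)


@dataclass
class Session:
    src_ip: str
    service: str
    permitted_by: int  # pid of the policy that admitted the connection


class ZonePolicies:
    """Ordered policies for one zone pair, e.g. Internal to DMZ."""

    def __init__(self, policies: list[Policy]):
        self.policies = list(policies)

    def evaluate(self, src_ip: str, service: str) -> Policy | None:
        """First match wins; None means the implicit deny applies."""
        for p in self.policies:
            if p.matches(src_ip, service):
                return p if p.action == "permit" else None
        return None

    def position(self, pid: int) -> int:
        return next(i for i, p in enumerate(self.policies) if p.pid == pid) + 1

    def _reconnect(self, s: Session) -> tuple[str, int | None]:
        # The session is dropped; the endpoint's reconnect is evaluated against
        # all policies for the zone pair, exactly like a new connection.
        p = self.evaluate(s.src_ip, s.service)
        return ("dropped", p.pid if p else None)

    def modify(self, pid: int, sessions: list[Session], **changes) -> list[tuple[str, int | None]]:
        p = next(p for p in self.policies if p.pid == pid)
        for field_name, value in changes.items():
            setattr(p, field_name, value)
        # Only sessions admitted by the modified policy are re-checked against it.
        return [self._reconnect(s) if s.permitted_by == pid and not p.matches(s.src_ip, s.service)
                else ("continued", s.permitted_by) for s in sessions]

    def add(self, position: int, policy: Policy, sessions: list[Session]) -> list[tuple[str, int | None]]:
        self.policies.insert(position - 1, policy)
        # Sessions inside the new policy's address set that were admitted by a
        # lower-priority policy are dropped and re-evaluated.
        return [self._reconnect(s) if policy.covers(s.src_ip) and self.position(s.permitted_by) > position
                else ("continued", s.permitted_by) for s in sessions]

    def delete(self, pid: int, sessions: list[Session]) -> list[tuple[str, int | None]]:
        self.policies = [p for p in self.policies if p.pid != pid]
        return [self._reconnect(s) if s.permitted_by == pid
                else ("continued", s.permitted_by) for s in sessions]


def internal_to_dmz() -> ZonePolicies:
    """Constructed starting table: policy 2 admits the FTP session from 10.1.5.20."""
    return ZonePolicies([
        Policy(1, "deny", "any", "10.1.5.200", "10.1.5.250"),
        Policy(2, "permit", "ftp", "10.1.5.1", "10.1.5.100"),
        Policy(3, "permit", "any", "10.1.5.1", "10.1.5.254"),
    ])


def scenarios() -> dict[str, tuple[str, int | None]]:
    """Replays the guide's four cases for an FTP session admitted by policy 2."""
    ftp = lambda: [Session("10.1.5.20", "ftp", 2)]
    return {
        "narrow_still_matches": internal_to_dmz().modify(2, ftp(), src_start="10.1.5.5", src_end="10.1.5.30")[0],
        "modify_to_https": internal_to_dmz().modify(2, ftp(), service="https")[0],
        "add_overlapping_above": internal_to_dmz().add(2, Policy(4, "permit", "https", "10.1.5.1", "10.1.5.50"), ftp())[0],
        "delete_policy_2": internal_to_dmz().delete(2, ftp())[0],
    }
```

Because positions renumber on add and delete, the model keys sessions to a stable policy id; "permitted by policy 3, which used to be policy 2" is then simply pid 2 at position 3.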
To create the example unicast access policy, follow these steps:
1. Create a multiple-entry IP address object named DMZ_Servers with the server addresses: 10.1.10.10, 10.1.10.21, and 10.1.10.35. (See “Named Objects and Their Uses” on page 4-10 for instructions.)
2. Click Firewall > Access Policies > Unicast.
3. From the User Group list, select None.
4. Click Add a Policy.
5. From the Action list, select Permit Traffic.
6. From the From list, select EXTERNAL.
7.
12. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy.
13. Optionally, select the Enable logging on this Policy check box.

Note: It is not recommended that you enable logging permanently, because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.

14. Click Apply.
15. Click Save. The policy should appear as shown in Figure 4-23.

Figure 4-23.
Figure 4-24. Add Policy Window

12. Select the Enable this Policy check box.
13. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy.
14. Optionally, select the Enable logging on this Policy check box.

Note: It is not recommended that you enable logging permanently, because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.

15. Click the Advanced tab.
Figure 4-25. Add Policy Window

16. From the Schedule list, select Thurs_Mtg.
17. Click Apply, then Close.
18. Click Save. The policy should appear as in Figure 4-26.

Figure 4-26. Zone1-to-External Zone Firewall Access Policy

Rate-Limiting Access Policy

In this example, a policy will be created to limit outgoing connections from all users in the guest user group to 500. To create this policy, follow these steps:
1. Click Firewall > Access Policies > Unicast.
2.
5. From the From list, select INTERNAL.
6. From the To list, select EXTERNAL.
7. From the Service list, select Any Service.
8. From the Source list, select Any Address.
9. From the Destination list, select Any Address.

Figure 4-27. Add Policy Window

10. Select the Enable this Policy check box.
11. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy.
12. Optionally, select the Enable logging on this Policy check box.
Figure 4-28. Add Policy Window

14. For Maximum connections, type 500.
15. Click Apply, then Close.
16. Click Save. The policy should be displayed as in Figure 4-29.

Figure 4-29.
Firewall User Authentication User Authentication Beyond firewalls, VPNs, and intrusion prevention and detection systems, the TMS zl Module can enforce user authentication. Users are forced to authenticate to the network before they can access any network resources. When they are authenticated, they are authorized for the correct resources and services according to their identity. Users authenticate by entering their login credentials on a Web page (for which you can customize the banner).
rization. Rather, you must either integrate the RADIUS server with the existing system or transfer all authentication information to the RADIUS server, essentially replacing the legacy authentication server. Additionally, using a RADIUS server for authentication enables you to create multiple manager and operator accounts for the TMS zl Module with customized names. With separate accounts for each user, you can easily track when a particular user logs in.
Table 4-7.
The steps of the handshake are as follows:
1. The client sends a request for access to the NAS, which translates it into an Access-Request packet and sends it to the RADIUS server. An Access-Request packet has the following fields:
• Username (up to 64 characters on the TMS zl Module)
• Password (up to 64 characters on the TMS zl Module)
• NAS port
• NAS ID

Note: The field NAS-Identifier is only sent for CHAP and MS-CHAP authentication requests (not for PAP requests).
Table 4-8. Advantages and Disadvantages of CHAP

Advantages:
• Prevents playback attacks by incrementally changing the identifier and challenge values.
• Both the client and the server must know the secret, but the secret is never sent over the line.

Disadvantages:
• The shared secret must be in plain text, so you cannot use irreversibly encrypted passwords.

MS-CHAP.
2. The RADIUS server determines if the credentials are valid. If the credentials are invalid, the RADIUS server sends an Access-Reject packet. The NAS denies network access to the user. If the credentials are valid, the RADIUS server sends an Access-Accept packet. The NAS permits the user to access the network.

PAP is a weaker protocol than CHAP and should only be used if the RADIUS server does not support CHAP.
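An added example, not from the HP guide, of the PAP and CHAP password handling behind steps 1 and 2 and Table 4-8, written from the RADIUS server's side so that the trade-off in the table is visible in code: with CHAP the server must hold the clear-text password to recompute the response, whereas with PAP it receives the password and can store only a one-way digest. The hiding scheme is the RFC 2865 User-Password construction and the challenge response is RFC 1994 CHAP with MD5; the 64-character password limit is the module limit quoted above, and the shared secret, Request Authenticator, challenge and passwords are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Added example, not from the HP guide. Constructed values only; the 64-character
# limit is the one the guide states for usernames and passwords on the module.
MAX_PASSWORD_LEN = 64


def pap_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(shared secret + previous block), seeded with the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= MAX_PASSWORD_LEN:
        raise ValueError("password length out of range")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def pap_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of pap_hide_password, as the RADIUS server performs it. Trailing
    NUL padding is stripped, so passwords ending in NUL bytes are not supported."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def pap_store(password: bytes, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """With PAP the server sees the password itself, so it can keep only an
    irreversible, salted PBKDF2 digest on disk."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def pap_verify(password: bytes, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password, salt, 100_000), digest)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier + secret + Challenge).
    A fresh Identifier and Challenge on every request is what defeats replay."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, challenge: bytes, response: bytes, stored_password: bytes) -> bool:
    """The server must recompute the hash from the clear-text password: a stored
    one-way digest is useless here, which is the disadvantage listed in Table 4-8."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)
```

Note that the PAP hiding is reversible by anyone holding the shared secret; it protects the password on the wire only as far as the secret is strong and the RADIUS exchange is not observable, which is why the guide still ranks PAP below CHAP.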
An ACL may contain as many or as few entries as you like. You can configure these manually or use a third-party program such as HP ProCurve Identity Driven Manager (IDM). (See “Using HP ProCurve IDM with RADIUS Servers” on page 4-53.)

Rate Limits. Rate limits ensure that each user shares network resources, and they prevent an infected endpoint from monopolizing all bandwidth.
Figure 4-32. Two Networks Merged with a Router That NATs Traffic

This type of network design should not be used in conjunction with the user authentication feature. Once a Web-authenticated firewall user has provided a valid username/password, the TMS zl Module uses the source IP address to map subsequent packets from that address to the user.
2. Create a group-specific, rate-limiting access policy that allows HTTPS traffic from the zone in which you will require authentication. See “Configure the Access Policy to Permit Log in Traffic” on page 4-56.
3. Configure authentication, either:
• Configure authentication to the local database. See “Configure Authentication to the Local Database” on page 4-60.
• Configure authentication to an external RADIUS server.
Figure 4-33. System > Settings > General Window

2. If you want to use HTTP or HTTPS ports other than the well-known ports, configure the settings under Web Sessions. These port numbers will apply to both the authenticating users and management users. (You also might need to configure a port map for the new HTTP port. See “Port Mapping” on page 4-84.)
a. For HTTP Port, type the new port for HTTP authentication traffic.
b.
2. For User Group, select the group name that you have configured on the local database (see “Configure Authentication to the Local Database” on page 4-60).
3. Click Add Policy. The Add Policy window is displayed.
4. From the Action list, select Permit Traffic.
5. From the From list, select the zone for which you want to require authentication.
6. From the To list, select SELF.
7.
Figure 4-34. Add Policy Window

12. Optionally, in the Insert Position field, specify the priority of this access policy.
13. Click Apply, and then click the Advanced tab.
14. Specify the number of connections and interval by which you want to limit traffic. In this example, the limit is 800 connections per second.
Figure 4-35. Add Policy Window

15. Click Apply.
16. Click Close.
17. Click Save.

The access policy or policies that you have created should be the only access policies for the users’ zone (or IP addresses) that have no user group setting. When a user authenticates, the TMS zl Module maps his or her device’s source IP address to the correct user group. The module then applies the firewall access policies configured for that group. You must now configure authentication.
Configure Authentication to the Local Database

Rather than use an external server, you can use the module to authenticate users. The TMS zl Module has just one default user group, the guest user group. However, you can configure up to 16 user groups and up to 100 users. Users submit their credentials to the module, and the module checks its local database to see if the credentials match. If they do, the module authenticates users to the user group configured in its database.
■ Group—This column lists every user group configured on the TMS zl Module.
■ Username—This column lists the username for every local user in each group.
■ Inactivity Timeout—This column lists the number of seconds of inactivity allowed to this user before the connection times out and the user must log in again.

The module has one default user group, guest. You can add users to this group, or create groups of your own and add users to them.

Create a User Group.
Figure 4-39. Add user Window (guest group)

3. For Username, type the username for the user that you are adding.
4. For Password and Verify password, type the password for the user.
5. For Inactivity Timeout, type the number of seconds that you want an inactive session to remain open.
6. Click OK. The user is now displayed in the Network > Authentication > Firewall/XAUTH Users window.
7. Click Save.
■ SLES 11 with latest SuSE supported FreeRADIUS server

To set up authentication to the RADIUS server, complete the following tasks:
1. Specify the RADIUS server. See “Specify the RADIUS Server” on page 4-63.
2. Create user groups. See “Create User Groups” on page 4-65.
3. Set up the RADIUS server. See “Set Up a RADIUS Server to Work with the TMS zl Module” on page 4-67.
You can configure up to three RADIUS servers in each domain. If you configure more than one RADIUS server in a single domain, the TMS zl Module treats these RADIUS servers as a pool, rather than assigning primary and backup servers. When processing authentication requests, the TMS zl Module uses a round-robin approach to contacting the RADIUS servers you have configured.

To configure the settings for an external RADIUS server, complete the following steps:
1.
2. In the Server Address field, type the IP address or FQDN of your RADIUS server. The port is always 1812.
3. In the Secret and Confirm Secret fields, type the shared secret for your RADIUS server.
4. In the NAS Identifier field, type the NAS ID associated with the module. The default NAS Identifier is the module’s hostname.

Note: The field NAS-Identifier is only sent for CHAP and MS-CHAP authentication requests (not for PAP requests).

5.
in a RADIUS server policy.) The user group must be added to the TMS zl Module so that you can create firewall access policies that control the traffic of users in that group. Any group that is configured on the TMS zl Module will work with the external RADIUS server as long as it has exactly the same name as the one in the FilterID attribute. Valid groups include the default group (guest) and any groups that have been configured for local users in the Firewall/XAUTH Users tab.
5. Click Save.

If your RADIUS server places users in multiple groups, repeat these steps to add more groups.

Set Up a RADIUS Server to Work with the TMS zl Module. This section provides guidelines for setting up a RADIUS server so that it can provide authentication for users who log in through the TMS zl Module. You should refer to your server’s documentation for precise instructions. You must complete the following on your RADIUS server:
■ Add the TMS zl Module as a client.
Table 4-10. RADIUS Attributes Required for RADIUS Access-Accept Messages

Attribute: Service-Type
Value: Not defined or any value except:
• Administrative-User
• NAS-Prompt
• Framed
Additional Guidelines: Those three values are reserved for other types of users.

Attribute: Filter-ID
Value: Name of a user group on the TMS zl Module
Additional Guidelines: The value must match exactly a name that you configured in “Create User Groups” on page 4-65.
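What a NAS has to check in an Access-Accept before it trusts the attributes in Table 4-10, as an added Python example that is not from the HP guide or the module's firmware. It verifies the RFC 2865 Response Authenticator with the shared secret (so a reply produced with the wrong secret, or a forged one, is rejected before any attribute is read), refuses the reserved Service-Type values encoded as their RFC 2865 integers, and then requires an exact Filter-ID match against the groups configured on the module. The case-sensitive comparison is an assumption; the shared secret, Request Authenticator and group names are constructed, and Message-Authenticator is not checked, in line with the guide's instruction to leave that requirement unset on the server.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

# Added example, not from the HP guide. Attribute types and Service-Type values
# are the RFC 2865 numbers; the secret, authenticator and groups are constructed.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_FILTER_ID = 11
# Table 4-10's reserved values: Framed(-User) = 2, Administrative-User = 6, NAS-Prompt = 7.
RESERVED_SERVICE_TYPES = {2, 6, 7}


def parse_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Split the attribute section into (type, value) pairs, refusing bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + length]))
        i += length
    return attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    must equal the 16-octet authenticator field of the reply."""
    if len(packet) < 20:
        return False
    if struct.unpack_from("!H", packet, 2)[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def resolve_user_group(packet: bytes, request_authenticator: bytes, secret: bytes,
                       configured_groups: set[str]) -> tuple[bool, str]:
    """Returns (accepted, group name or reason). Filter-ID must equal a configured
    group name exactly; the comparison is case-sensitive (an assumption)."""
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return False, "Response Authenticator mismatch"
    if packet[0] != ACCESS_ACCEPT:
        return False, "not an Access-Accept"
    attrs = parse_attributes(packet[20:])
    for atype, value in attrs:
        if atype == ATTR_SERVICE_TYPE:
            if len(value) != 4 or struct.unpack("!I", value)[0] in RESERVED_SERVICE_TYPES:
                return False, "Service-Type reserved for another kind of user"
    for atype, value in attrs:
        if atype == ATTR_FILTER_ID:
            name = value.decode("utf-8", "replace")
            if name in configured_groups:
                return True, name
    return False, "no Filter-ID matches a configured user group"


def build_access_accept(ident: int, request_authenticator: bytes, secret: bytes,
                        attrs: list[tuple[int, bytes]]) -> bytes:
    """Encode an Access-Accept the way the server does, for the sample below."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


# Constructed sample exchange values.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
GROUPS = {"guest", "engineering"}

if __name__ == "__main__":
    reply = build_access_accept(9, REQUEST_AUTH, SECRET, [(ATTR_FILTER_ID, b"engineering")])
    print(resolve_user_group(reply, REQUEST_AUTH, SECRET, GROUPS))
```

The Response Authenticator check is the only thing binding the reply to the shared secret configured in step 3 above, so a mismatch there is the first symptom of a secret typed differently on the two sides.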
Figure 4-44. Windows Server 2003—Internet Authentication Service Window

4. Right-click RADIUS Clients, and then click New > RADIUS Client. The New RADIUS Client Wizard is launched.

Figure 4-45.
5. For Friendly name, type a name for the TMS zl Module.
6. For Client address (IP or DNS), type the IP address or domain name of the module.
7. Click Next.

Figure 4-46. Windows Server 2003—New RADIUS Client Wizard

8. For Client Vendor, accept the default, RADIUS Standard.
9. For Shared secret and Confirm shared secret, type a shared secret for the RADIUS server.
10. Clear the Request must contain the Message Authenticator attribute check box and click Finish.
11.
Figure 4-47. Windows Server 2003—New Remote Access Policy Wizard

13. Select Set up a custom policy.
14. For Policy name, type the name of the policy.
15. Click Next.
Figure 4-48. Windows Server 2003—New Remote Access Policy Wizard

16. Click Add. The Select Attribute window is displayed.
Figure 4-49. Windows Server 2003—New Remote Access Policy Wizard (Select Attribute)

17. Select Windows-Groups and click Add.
18. In the Groups window, click Add. The Select Groups window is displayed.

Figure 4-50.
19. In the Select Groups window, type the name of the group that you want to authenticate to the module using a RADIUS server.
20. Click OK twice, and then click Next.
21. Select Grant Remote Access and click Next.
22. Click Edit Profile.
23. In the window that is displayed, click the Authentication tab.
24. Select the check box or boxes for the type of RADIUS authentication used on your network.
25. Click the Advanced tab.
26.
Figure 4-51. Network > Authentication > RADIUS Window

38. For Authentication Protocol, select the authentication protocol that your RADIUS server uses. Be sure to select the same protocol here that you did in step 24.
39. Click Apply My Changes.
40. Click Add RADIUS Server. The Add RADIUS Server window is displayed.

Figure 4-52.
41. For Server Address, type the address of your IAS.
42. For Secret and Confirm Secret, type the shared secret for your RADIUS server. Be sure to set the same secret here that you did in step 9.
43. For NAS Identifier, type the NAS ID of your module. Be sure to set the same identifier here that you did in step 6.
44. For Domain Name, type the name of the domain to which your server belongs.
45. Click OK.
46. Now add the user group to which the RADIUS server assigns these users.
Note: The user group access policies do not have an implicit deny at the end. Instead, a packet that does not match one of the user group policies is matched against the global (user group None) policies. Then, if none of those policies select the traffic, the global implicit deny takes effect and the packet is dropped.

Windows NPS.
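The lookup order in the note above, as an added Python example that is not from the HP guide: user-group policies for the group the source address authenticated to, then the global (user group None) policies, then the implicit deny. Zones, services, addresses and policy names are constructed, and policies are reduced to exact-match fields with "any" as a wildcard; an explicit deny inside a group's policies ends the lookup, because only a packet that matches no group policy falls through.

```python
from __future__ import annotations

# Added example, not from the HP guide. Constructed zones, services, addresses
# and policy names; "any" is the wildcard for a field.
IMPLICIT_DENY = ("deny", "implicit deny")


def matches(policy: dict, packet: dict) -> bool:
    return all(policy[k] in ("any", packet[k]) for k in ("src_zone", "dst_zone", "service"))


def first_match(policies: list[dict], packet: dict) -> dict | None:
    """Policies are evaluated in order; the first one that selects the packet wins."""
    for policy in policies:
        if matches(policy, packet):
            return policy
    return None


def decide(packet: dict, authenticated: dict[str, str],
           group_policies: dict[str, list[dict]], global_policies: list[dict]) -> tuple[str, str]:
    """authenticated maps a source IP to the user group it logged in to (the
    mapping the module keeps after Web authentication). Unauthenticated hosts
    are only ever matched against the global policies."""
    group = authenticated.get(packet["src_ip"])
    if group is not None:
        hit = first_match(group_policies.get(group, []), packet)
        if hit is not None:
            return hit["action"], f"group {group}: {hit['name']}"
    hit = first_match(global_policies, packet)
    if hit is not None:
        return hit["action"], f"global: {hit['name']}"
    return IMPLICIT_DENY


# Constructed policy tables.
GROUP_POLICIES = {
    "guest": [
        {"name": "guest-web", "action": "permit", "src_zone": "INTERNAL", "dst_zone": "EXTERNAL", "service": "http"},
    ],
    "engineering": [
        {"name": "eng-ssh", "action": "permit", "src_zone": "INTERNAL", "dst_zone": "DMZ", "service": "ssh"},
        {"name": "eng-no-ftp", "action": "deny", "src_zone": "INTERNAL", "dst_zone": "any", "service": "ftp"},
    ],
}
GLOBAL_POLICIES = [
    {"name": "login", "action": "permit", "src_zone": "INTERNAL", "dst_zone": "SELF", "service": "https"},
    {"name": "dns", "action": "permit", "src_zone": "INTERNAL", "dst_zone": "any", "service": "dns-udp"},
]
AUTHENTICATED = {"10.1.1.20": "guest", "10.1.1.30": "engineering"}


def flow(src_ip: str, src_zone: str, dst_zone: str, service: str) -> tuple[str, str]:
    packet = {"src_ip": src_ip, "src_zone": src_zone, "dst_zone": dst_zone, "service": service}
    return decide(packet, AUTHENTICATED, GROUP_POLICIES, GLOBAL_POLICIES)


if __name__ == "__main__":
    for args in [("10.1.1.20", "INTERNAL", "EXTERNAL", "http"),
                 ("10.1.1.20", "INTERNAL", "EXTERNAL", "dns-udp"),
                 ("10.1.1.99", "INTERNAL", "EXTERNAL", "http")]:
        print(args, "->", flow(*args))
```

The practical consequence for the access policy built in the steps above is that a group's policies only need to cover what that group gets in addition to the global set; anything left out of both ends at the implicit deny.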
2. Expand RADIUS Clients and Servers.
3. Right-click RADIUS Clients, and then click New RADIUS Client. The New RADIUS Client window is displayed.

Figure 4-55. Windows Server 2008—New RADIUS Client Window

4. For Friendly name, type a name for the TMS zl Module.
5. For Address (IP or DNS), type the IP address or domain name of the module.
6. For Vendor name, accept the default, RADIUS Standard.
7. For Shared secret and Confirm shared secret, type the shared secret for the RADIUS server.
8. Leave the Request must contain the Message Authentication attribute and RADIUS client is NAP-capable check boxes clear and click OK.
9. In the Network Policy Server window, expand Policies.
10. Right-click Network Policies, and then click New. The New Network Policy wizard is launched.
11. For Policy name, type the name of the policy.
12. Click Next.

Figure 4-56.
Figure 4-57. Windows Server 2008—New Network Policy Wizard (Select Attribute)

14. Select Windows Groups and click Add.
15. In the Windows Groups window, click Add Groups.

Figure 4-58. Windows Server 2008—New Remote Access Policy Wizard (Select Groups)

16. In the Select Groups window, type the names of the groups that you want to authenticate to the module using a RADIUS server.
17. Click OK twice, and then click Next.
18. Select Access Granted and click Next.
19. Select the check box or boxes for the type of RADIUS authentication used on your network.
20. Review the policy settings, and then click Finish.
21. Double-click the policy.
22. In Settings, select Filter-ID.
23. Type the name of the user group to which users who authenticate with the policy are assigned. For example, type the name of the users’ Windows group.
24. Click OK.
25.
30. Click Add RADIUS Server. The Add RADIUS Server window is displayed.

Figure 4-60. Add RADIUS server Window

31. For Server Address, type the address of your NPS.
32. For Secret and Confirm Secret, type the shared secret for your RADIUS server. Be sure to set the same secret here that you did in step 7.
33. For NAS Identifier, accept the default, which is the NAS ID of your module, or if you specified another ID in step 5, type that ID.
34.
Figure 4-61. Add user group Window

38. For Group Name, type the same string that is configured in the Filter-ID attribute in step 31.
39. Click OK.
40. Click Save.

The module can now authenticate the users you specified in step 16 to the network when the users browse to the TMS zl Module’s login page (the module’s IP address) and type @ and their password on the login window.
Firewall Port Mapping Port Mapping A port map is a port-to-service (or application) association. The firewall ALGs draw on the port maps to learn which application to expect on a particular TCP or UDP port. For example, if you add a port map that associates FTP with TCP 55555, the TMS zl Module will treat traffic on TCP 55555 as FTP traffic— any ALGs that apply to FTP will be applied to traffic on TCP 55555. You can map a service to more than one protocol or port.
Service   Protocol   Port
IAX2      UDP        4569
IMAP      TCP        143
MGCPCA    UDP        2727
MGCPGW    UDP        2427
NNTP      TCP        119
POP3      TCP        110
RTSP      TCP        554
RTSP      TCP        7070
SMTP      TCP        25
SNMP      UDP        162
SNMP      UDP        161
TCPDNS    TCP        53
TCPRPC    TCP        111
TCPRPC    TCP        1025
TCPSIP    TCP        5060
TELNET    TCP        23
UDPDNS    UDP        53
UDPRPC    UDP        111
UDPRPC    UDP        1024
UDPRPC    UDP        369
UDPSIP    UDP        5060

Mapping Ports

If you suspect that an attacker is more likely to attack a certain service, you may want
Figure 4-62. Firewall > Settings > Port Maps Window

To configure a port map, complete the following steps:
1. Click Add Port Map. The Add Port Map window is displayed.

Figure 4-63. Add Port Map Window

2. For Service, select a service from the list. The protocol that is used with that service will automatically populate the Protocol field.
3. Type the port number that you want to assign to the service in the Port field.
4. Click OK.
5. Click Save.
Firewall Application-Level Gateways (ALGs) Application-Level Gateways (ALGs) The TMS zl Module supports ALGs for several common applications that can experience difficulties when they run through a firewall. These ALGs help the applications to run smoothly through the TMS zl Module firewall without compromising security. For example, some applications open data-transfer connections dynamically by negotiating IP addresses and service ports.
To learn more about each specific ALG, see “ALG Descriptions” on page 4-90.

Table 4-12.
■ The control port enables the TMS zl Module to recognize sessions that need to be handled by the ALG. For example, when the module detects that a packet destined to TCP port 21 has opened a session, it knows to apply the FTP ALG to that session. Port maps help the TMS zl Module link ports to applications. In Table 4-12, a section mark (§) means that a port map is configured for that service.
As you can see in Table 4-12 on page 4-88, most of the ALGs on the TMS zl Module provide firewall support.

ALG NAT Support. NAT can interfere with applications that embed IP information within the application data. Because NAT changes IP addresses (and sometimes ports) in the IP header, the IP information within the application data is no longer valid, and the application fails to function correctly.
then the ALG verifies that FTP commands are allowed or denied by the application-control record and takes action based on the status of the command in the record.
• attack checks — The ALG checks for the following attacks
– FTP bounce — When the ALG detects a PORT command, the ALG verifies that the IP address in the PORT command is the same as the IP address of the client that initiated the connection. If the IPs do not match, the connection is closed.
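The two control-channel checks listed for the FTP ALG, the application-control record lookup and the PORT address comparison, as an added Python example that is not code from the HP guide or the module. The FTP command lines, client address and record contents are constructed; closing the connection on a command the record denies is an assumption about how the ALG "takes action", and rejecting a PORT that names port 0 is an extra sanity check not mentioned in the guide.

```python
from __future__ import annotations

import re

# Added example, not from the HP guide. Sample commands, addresses and the
# application-control record are constructed.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.IGNORECASE)


def parse_port(line: str) -> tuple[str, int] | None:
    """PORT h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2), or None if malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def verb_of(line: str) -> str:
    return line.strip().split(" ", 1)[0].upper()


def command_allowed(line: str, record: dict[str, bool], default: bool = True) -> bool:
    """Application-control record: FTP verb -> allowed; unlisted verbs follow default."""
    return record.get(verb_of(line), default)


def bounce_check(line: str, client_ip: str) -> tuple[bool, str]:
    """The ALG's FTP bounce check: the address in PORT must be the client that
    opened the control connection, otherwise the connection is closed."""
    parsed = parse_port(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ip != client_ip:
        return False, f"FTP bounce: PORT names {ip}, control connection is from {client_ip}"
    if port == 0:
        return False, "PORT names port 0"   # extra sanity check, not from the guide
    return True, f"open data connection to {ip}:{port}"


def inspect_command(line: str, client_ip: str, record: dict[str, bool]) -> tuple[str, str]:
    """Return ("forward" | "close", reason) for one client-to-server command line."""
    if not command_allowed(line, record):
        return "close", "command denied by application-control record"
    if verb_of(line) == "PORT":
        ok, reason = bounce_check(line, client_ip)
        return ("forward" if ok else "close"), reason
    return "forward", "command permitted"


# Constructed record: deletes are denied, everything else follows the default.
RECORD = {"DELE": False, "RMD": False}
CLIENT = "192.168.1.10"
SAMPLE = [
    "USER alice",
    "PORT 192,168,1,10,4,1",      # client's own address, data port 1025
    "PORT 10,0,0,5,4,1",          # third-party address: bounce attempt, closed
    "PORT 192,168,1,10,4",        # malformed, closed
    "DELE report.txt",            # denied by the record
]


def run_sample() -> list[tuple[str, str]]:
    return [inspect_command(line, CLIENT, RECORD) for line in SAMPLE]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE, run_sample()):
        print(f"{line!r:32} -> {verdict}")
```

The comparison is deliberately an exact string match on the parsed address: the check exists precisely because the ALG cannot trust what the client puts in the PORT payload, so any normalisation should happen on the client address the firewall already knows, not on the command text.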
Note: If you are having trouble with this application, make sure that you have permitted the DNS service (UDP 53) for endpoints that use ILS.

irc

Internet Relay Chat (IRC) is a chat system that enables people that are connected from anywhere on the Internet to join in live discussions.
Firewall Application-Level Gateways (ALGs) Scenario 1. The L2TP ALG creates a new association when it receives a Start-Control-Connection-Request (SCCRQ) message from the L2TP Access Concentrator (LAC), which results in two associations in the firewall: ■ the association that is originally created by the firewall, which handles data that arrives on the port where the client initiated the connection. If NAT is used, this association permits data that arrives on the NAT port.
Firewall Application-Level Gateways (ALGs) pptp PPTP uses TCP 1723 for its control connection and Generic Routing Encapsulation (GRE) for its data connection. The PPTP ALG helps PPTP to open up the necessary GRE tunnels though the TMS zl Module. The PPTP ALG: ■ ■ ■ ■ 4-94 processes all packets that arrive on TCP 1723.
Firewall Application-Level Gateways (ALGs) ■ removes the session information when it receives a Call-Clear-Request or Call-Disconnect-Notify message. rtsp RTSP controls a stream that might be sent over a separate protocol. For example, RTSP control may occur on a TCP connection while the data flows via UDP. In this protocol, the client initiates a connection to the server on TCP 554. Both the client and server exchange the series of request and responses.
Firewall Application-Level Gateways (ALGs) tftp The TFTP ALG: Note ■ supports both write and read requests ■ when it sees a write/read request from the client on the control connection, it opens the correct port to allow the data transfer from server to client If you are having trouble with this application, make sure that you have permitted the DNS service (UDP 53) for endpoints that use TFTP.
Firewall Port Triggers Caution An explicit firewall access policy that denies the ports that an ALG attempts to open dynamically can interfere with the ALG. Therefore, when you create access policies you should simply permit the ports that you want to open permanently. Then allow the TMS zl Module to deny all other traffic implicitly, which is the module’s automatic behavior. Do not create an explicit policy to deny all other traffic.
To configure port trigger policies, follow these steps:
1. Click Firewall > Port Triggers > Policies.
Figure 4-65. Firewall > Port Triggers > Policies Window
2. Click Add a port trigger. The Add Port Trigger window is displayed.
Figure 4-66. Add Port Trigger Window
3. Type a name in the Policy Name field. It is a good practice to specify a policy name that reflects the services involved in the trigger.
4. For Source, specify a device that is behind the firewall by doing one of the following:
• Select Any or an address object from the list. Note: Only single-entry IP address objects are in this list.
• Click Options, select Enter custom IP address, and type one IP address in the space provided.
5. From the Protocol/Ports list, specify the port on which the application makes its control connection by doing one of the following:
• Select a service object from the list.
Caution: An explicit firewall access policy that denies the ports that a port trigger attempts to open dynamically can interfere with the port trigger. Therefore, when you create access policies you should simply permit the ports that you want to open permanently. Then allow the TMS zl Module to deny all other traffic implicitly, which is the module’s automatic behavior. Do not create an explicit policy to deny all other traffic.
To perform this task, follow these steps:
1. Click Firewall > Port Triggers > Policies.
2. Click Add a port trigger.
3. In the Policy Name field, type VoIP.
4. From the Source list, select Any.
5. For Protocol/Ports, select Options and select Enter custom Protocol/Ports.
6. a. Select TCP. b. Type 1584 and 1585.
7. Under Allow Inbound Connections to Source, do the following:
• Select TCP and type 51200 and 51210 in the Ports fields.
Firewall Attack Checking 10. Click OK and Close. 11. Click Save. 12. Configure a firewall access policy with the following parameters: • Action—Permit Traffic • From—INTERNAL • To—EXTERNAL • Service—TCP 1584–1585 • Source—Any Address • Destination—172.19.55.0/24 and 172.23.11.0/24 (create a multiple-entry network address object as shown in “Named Objects and Their Uses” on page 4-10). 13. Configure another access policy to permit the reverse traffic.
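The FTP bounce check described under “attack checks” above and the VoIP port trigger configured in the steps above rely on the same mechanism: the firewall inspects a control connection and then opens a dynamic pinhole for the data connection it announces. The following Python is an added example, not HP’s code or the module’s implementation. The class and function names (PinholeTable, ftp_alg_inspect, PortTrigger), the constructed FTP command lines and the sample addresses are this example’s own assumptions.

```python
"""Added example (not HP code): dynamic pinholes opened by an FTP ALG (with
its FTP bounce check) and by a port trigger like the VoIP one above.
All names and sample addresses here are assumptions of this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    proto: str
    peer_ip: str      # remote side allowed to connect in; None = any peer
    host_ip: str      # protected host that will receive the connection
    host_port: int


class PinholeTable:
    """Dynamically opened ports; static access policies are not modelled."""

    def __init__(self):
        self.holes = set()

    def open(self, proto, peer_ip, host_ip, host_port):
        self.holes.add(Pinhole(proto, peer_ip, host_ip, host_port))

    def allows(self, proto, src_ip, dst_ip, dst_port):
        return any(h.proto == proto and h.host_ip == dst_ip and h.host_port == dst_port
                   and h.peer_ip in (None, src_ip) for h in self.holes)


# RFC 959 PORT command: "PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port_command(line):
    """Returns (ip, port) from a PORT command, or None if the line is not one."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftp_alg_inspect(client_ip, server_ip, line, table):
    """Inspect one client->server line on the TCP 21 control connection.

    Returns "opened" (data pinhole created), "bounce" (PORT address is not the
    client's own address, so the ALG closes the connection) or "ignored".
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return "ignored"
    ip, port = parsed
    if ip != client_ip:
        return "bounce"
    # Active-mode FTP: the server connects back to the port the client
    # advertised, so only that server may use the pinhole.
    table.open("tcp", server_ip, client_ip, port)
    return "opened"


class PortTrigger:
    """Outbound traffic to the trigger ports opens the inbound ports to the source."""

    def __init__(self, proto, trigger_ports, inbound_proto, inbound_ports):
        self.proto, self.inbound_proto = proto, inbound_proto
        self.trigger_lo, self.trigger_hi = trigger_ports
        self.inbound_lo, self.inbound_hi = inbound_ports

    def on_outbound(self, src_ip, proto, dst_port, table):
        if proto != self.proto or not (self.trigger_lo <= dst_port <= self.trigger_hi):
            return False
        for port in range(self.inbound_lo, self.inbound_hi + 1):
            table.open(self.inbound_proto, None, src_ip, port)   # any peer may call back
        return True


def demo():
    """Runs both scenarios on constructed traffic and returns the decisions."""
    table = PinholeTable()
    ftp = ftp_alg_inspect("10.1.1.50", "172.16.1.9", "PORT 10,1,1,50,4,1", table)
    bounce = ftp_alg_inspect("10.1.1.50", "172.16.1.9", "PORT 10,1,1,99,4,1", table)
    voip = PortTrigger("tcp", (1584, 1585), "tcp", (51200, 51210))
    triggered = voip.on_outbound("10.1.1.7", "tcp", 1584, table)
    return {
        "ftp": ftp, "bounce": bounce, "triggered": triggered,
        "ftp_data_allowed": table.allows("tcp", "172.16.1.9", "10.1.1.50", 1025),
        "ftp_other_server": table.allows("tcp", "172.16.1.10", "10.1.1.50", 1025),
        "voip_in_range": table.allows("tcp", "172.19.55.3", "10.1.1.7", 51205),
        "voip_out_of_range": table.allows("tcp", "172.19.55.3", "10.1.1.7", 51211),
    }


if __name__ == "__main__":
    print(demo())
```

The difference between the two mechanisms is visible in the pinhole each creates: the ALG knows both ends of the coming data connection and restricts the pinhole to the server that owns the control session, whereas a port trigger only knows the internal source and must admit any peer on the inbound ports, which is why the caution above about not denying those ports explicitly matters.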
■ WinNuke ■ Sequence number prediction ■ Sequence number out of range ■ Pre-connection ACK ProCurve periodically updates the TMS zl Module software to check for and block new attacks. For more information about downloading new software and upgrading it on your TMS zl Module, see “Update the Module Software” on page 2-96 or “Update the Module Software” in Chapter 3: “Initial Setup in Monitor Mode.”
An attacker can launch an ICMP error message attack by impersonating an end or intermediate device and repeatedly replaying an error message. Because TCP includes fault-recovery responses to ICMP error messages, replaying them causes the transport protocol to keep trying to correct an error that does not exist, which results in a DoS.
A small Path Maximum Transmission Unit (small PMTU) message urges the sender to send the data in smaller packets. An attacker can forge small PMTU messages to force the sender to send large amounts of data in very small packets, which overloads the server and severely reduces its performance. Enable the ICMP Error Messages attack check to drop all ICMP error messages. (Legitimate Path MTU discovery also relies on ICMP error messages, so test large transfers through the module after enabling this check.) SYN Flooding SYN flood attacks exploit the process of establishing a TCP/IP session.
Because SYN packets are a legitimate part of establishing a session, the TMS zl Module cannot simply screen out these packets. However, when you enable the SYN Flooding attack check, the firewall filters forged requests once 80% of the allocated connections have been consumed. Source Routing A source-routing attack is used to access private network devices. Typically, data packets sent over a network are surrendered to network devices for routing.
WinNuke Attacks The WinNuke attack is launched by sending out-of-band (OOB) data to port 139. Windows NT 3.51 and 4.0 systems crash in response to this attack, whereas Windows 95 and Windows 3.11 systems display the blue error screen. The WinNuke attack does not usually cause permanent damage, although network connectivity is lost and any open applications crash. To recover, the user can reboot the PC.
Figure 4-71. Session Hijacked with Sequence Number Prediction If an attacker successfully guesses an ISN, the attacker may be able to hijack the session and gain access to your network. Therefore, it is important that the ISN be generated randomly, making it significantly harder to guess. When the sequence-number-prediction attack check is enabled, the TMS zl Module generates pseudorandom ISNs.
In Figure 4-72, as bytes are acknowledged by the server, the window “slides” to the right. That is why it is called a sliding window. The TMS zl Module allows you to set the range of bytes within the window, called the sequence range. The advantages and disadvantages of the sequence range sizes are discussed in the following table. Table 4-13.
■ In the RST Range field, type a number between 1 and 65535. This value controls how far outside of the TCP window RST packets are allowed to be. Select or clear the Drop packets outside the range check box as desired. Pre-Connection ACK By default, the firewall on the TMS zl Module blocks ACK packets that are not preceded by a valid SYN and SYN+ACK.
Figure 4-73. Firewall > Settings > Attacks Window 2. Select (or clear) a check box to enable (or disable) an attack check. 3. Click Apply My Changes. 4. Click Save.
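The sequence-number checks and the pre-connection ACK check described above are easiest to reason about as a small per-connection state machine. The following Python is an added example, not HP’s code; how the TMS zl Module stores its sequence range and RST range internally is not described on this page, so the Flow class, its default ranges, the interpretation of the RST range as a tolerance around the expected sequence number, and the constructed segment sequence in demo() are all assumptions of this example.

```python
"""Added example (not HP code): pre-connection ACK, sequence-number-out-of-range
and RST-range checks modelled as a per-flow state machine, plus an
unpredictable ISN generator.  Field names and defaults are assumptions."""
import secrets

MOD = 1 << 32


def within(seq, center, radius):
    """True if seq is within radius bytes of center on the 32-bit sequence circle."""
    d = (seq - center) % MOD
    return d < radius or MOD - d <= radius


def random_isn():
    """An unpredictable ISN, the countermeasure to sequence number prediction."""
    return secrets.randbelow(MOD)


class Flow:
    """Firewall-side state for the client -> server direction of one TCP connection."""

    def __init__(self, seq_range=4096, rst_range=1024):
        self.state = "NONE"           # NONE -> SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED
        self.seq_range = seq_range    # data may start this far from the expected byte
        self.rst_range = rst_range    # RSTs are accepted this far from the expected byte
        self.rcv_nxt = None           # next client byte the server expects

    def server_segment(self, flags):
        if {"SYN", "ACK"} <= flags and self.state == "SYN_SEEN":
            self.state = "SYNACK_SEEN"
        return "pass"

    def client_segment(self, flags, seq, payload_len=0):
        """Returns "pass" or a drop reason for one client -> server segment."""
        if "SYN" in flags and self.state in ("NONE", "SYN_SEEN"):
            self.state, self.rcv_nxt = "SYN_SEEN", (seq + 1) % MOD
            return "pass"
        if "RST" in flags:
            if self.rcv_nxt is None or not within(seq, self.rcv_nxt, self.rst_range):
                return "drop: RST outside range"
            self.state, self.rcv_nxt = "NONE", None
            return "pass"
        if self.state in ("NONE", "SYN_SEEN"):
            # Only a SYN or RST is valid before a SYN and SYN+ACK have both been seen.
            return "drop: pre-connection ACK" if "ACK" in flags else "drop: not established"
        if self.state == "SYNACK_SEEN":
            self.state = "ESTABLISHED"           # third segment of the handshake
        if not within(seq, self.rcv_nxt, self.seq_range):
            return "drop: sequence number out of range"
        if seq == self.rcv_nxt:
            self.rcv_nxt = (seq + payload_len) % MOD
        return "pass"


def demo():
    """Constructed segment sequence; returns the firewall's decision for each."""
    stray = Flow().client_segment({"ACK"}, 5000)                   # ACK with no handshake
    f, isn = Flow(), random_isn()
    return [
        stray,
        f.client_segment({"SYN"}, isn),
        f.server_segment({"SYN", "ACK"}),
        f.client_segment({"ACK"}, (isn + 1) % MOD),                          # handshake completes
        f.client_segment({"ACK", "PSH"}, (isn + 1) % MOD, 100),              # in-window data
        f.client_segment({"ACK", "PSH"}, (isn + 101 + (1 << 20)) % MOD, 10), # far outside window
        f.client_segment({"RST"}, (isn + 101 + 5000) % MOD),                 # RST outside RST range
        f.client_segment({"RST"}, (isn + 101) % MOD),                        # genuine RST
    ]
```

The within() helper is the part worth copying: sequence numbers wrap at 2^32, so a plain numeric comparison misclassifies segments near the wrap point, and both the sequence range and the RST range have to be evaluated on the circle.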
Firewall Connection Timeouts Connection Timeouts In addition to screening TCP and UDP packets for attacks, the TMS zl Module monitors all ICMP, TCP, and UDP sessions. One of the advantages of a stateful firewall is that it monitors sessions to ensure that they proceed in a valid and logical fashion. To maintain secure sessions, the firewall times out inactive sessions after a specified time.
■ Trust level: Long, intermittent idle times may be common among some trusted users. Imposing a timeout limit could hamper their productivity. Nonetheless, setting a long timeout for all users is a considerable security risk and can drain network resources.
■ Risk tolerance: Timeout settings are proportional to risk tolerance. They should increase as risk tolerance increases. For example, a network with low risk tolerance should have short timeout values.
4. After you have updated all the timeouts, click Apply my changes.
5. Click Save.
Configure Timeout Settings for Services
To configure a custom timeout, complete the following steps:
1. Click Add Custom Timeout. The Add Custom Timeout window is displayed.
Figure 4-75. Add Custom Timeout
2. Type the name of the service in the Name field.
3. Choose either TCP or UDP from the Protocol list.
Firewall Resource Allocation Resource Allocation With any network, it is important to ensure that every user is able to access resources. Additionally, there may be some users who need priority over others. The TMS zl Module allows you to set connection limits for each zone as well as reserve firewall connections for specific addresses or address ranges. Refer to these sections: ■ To learn how to set zone limits, see “Zone Limits” on page 4-115.
Connection Reservation Concepts When you set a connection reservation, you ensure that a particular IP address or range of addresses has connectivity regardless of how much traffic is passing through the TMS zl Module.
Figure 4-76. Outbound Connection Reservation In this example, a connection reservation count of 10 has been configured for 50 IP addresses: 10.1.1.11–10.1.1.60. Therefore, 500 (10 x 50) connections are reserved from IP addresses 10.1.1.11–10.1.1.60 into the DMZ zone.
The following is therefore true: Figure 4-77. Outbound Connection Reservation Implication ■ When the total active connection threshold of 39,500 (40,000 – 500) is reached, the module will not permit any more connections unless the connections are initiated by hosts with IP addresses in the 10.1.1.11–10.1.1.60 range. Figure 4-78.
Figure 4-79. Outbound Connection Reservation Implication ■ If the current connection count in Zone1 is 10,500 (500 of which are reserved connections) and 500 non-reserved connections are closed, the Zone1 count returns to its limit of 10,000. At this point the Zone1 maximum connection threshold (10,000) already accounts for the reserved connections, so any other new connections from Zone1 to any zone will not be successful.
Figure 4-80. Inbound Connection Reservation In this example, a connection reservation count of 100 has been configured for one IP address: 10.1.2.22. Therefore, 100 (100 x 1) connections are reserved from Zone1 to the IP address 10.1.2.22. The following is therefore true: Figure 4-81.
■ When the total active connection threshold of 39,900 (40,000 – 100) is reached, the module will not permit any more connections unless the connections are from Zone1 and destined for the server at 10.1.2.22. Figure 4-82.
■ If the current connection count in Zone1 is 10,100 (100 of which are connections to 10.1.2.22) and 100 non-reserved connections are closed, the Zone1 count returns to its zone limit of 10,000. At this point the Zone1 maximum connections (10,000) includes the reserved inbound connections, so any other new connections from Zone1 to any zone will not be successful.
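The two walk-throughs above (outbound reservation for 10.1.1.11–10.1.1.60, inbound reservation for 10.1.2.22) follow from a small set of admission rules, and it is worth checking that the numbers in the figures actually come out of those rules. The following Python is an added example, not HP’s code; the ConnectionAllocator and Reservation classes, the decision that a host whose reservation is exhausted is treated as non-reserved, and the constructed traffic in zone1_scenario() are this example’s own assumptions. It uses the guide’s numbers: global limit 40,000, Zone1 limit 10,000, and 10 reserved connections for each of the 50 addresses.

```python
"""Added example (not HP code): a model of zone limits and connection
reservations.  Rules, read from the bullets above: non-reserved connections
stop at the zone limit and at (global limit - total reservations); reserved
connections may exceed both until their per-address count is used up, but
never the global limit.  Names and traffic are assumptions of this example."""
from collections import Counter
from ipaddress import ip_address


class Reservation:
    def __init__(self, zone, direction, first_ip, last_ip, per_ip):
        self.zone, self.direction, self.per_ip = zone, direction, per_ip
        lo, hi = int(ip_address(first_ip)), int(ip_address(last_ip))
        self.ips = {str(ip_address(i)) for i in range(lo, hi + 1)}

    def total(self):
        return self.per_ip * len(self.ips)

    def reserved_ip(self, src_zone, src_ip, dst_zone, dst_ip):
        """The reserved address this connection draws on, or None."""
        if self.direction == "outbound" and dst_zone == self.zone and src_ip in self.ips:
            return src_ip
        if self.direction == "inbound" and src_zone == self.zone and dst_ip in self.ips:
            return dst_ip
        return None


class ConnectionAllocator:
    def __init__(self, global_limit, zone_limits):
        self.global_limit = global_limit
        self.zone_limits = dict(zone_limits)   # limit on connections initiated from a zone
        self.reservations = []
        self.active = {}                       # conn id -> (src_zone, reservation idx, ip)
        self.zone_active = Counter()
        self.reserved_used = Counter()         # (reservation idx, ip) -> in use
        self._next = 0

    def add_reservation(self, res):
        self.reservations.append(res)

    def reserved_total(self):
        return sum(r.total() for r in self.reservations)

    def admit(self, src_zone, src_ip, dst_zone, dst_ip):
        """Returns a connection id, or None when the firewall refuses the connection."""
        total = len(self.active)
        for idx, res in enumerate(self.reservations):
            ip = res.reserved_ip(src_zone, src_ip, dst_zone, dst_ip)
            if ip and self.reserved_used[(idx, ip)] < res.per_ip:
                return None if total >= self.global_limit else self._open(src_zone, idx, ip)
        # Non-reserved: the last reserved_total() slots are held back globally
        # (40,000 - 500 = 39,500) and the zone limit is a hard ceiling.
        if total >= self.global_limit - self.reserved_total():
            return None
        if self.zone_active[src_zone] >= self.zone_limits.get(src_zone, self.global_limit):
            return None
        return self._open(src_zone, None, None)

    def _open(self, src_zone, idx, ip):
        cid, self._next = self._next, self._next + 1
        self.active[cid] = (src_zone, idx, ip)
        self.zone_active[src_zone] += 1
        if idx is not None:
            self.reserved_used[(idx, ip)] += 1
        return cid

    def close(self, cid):
        src_zone, idx, ip = self.active.pop(cid)
        self.zone_active[src_zone] -= 1
        if idx is not None:
            self.reserved_used[(idx, ip)] -= 1


def zone1_scenario():
    """Replays the outbound reservation walk-through above; returns what was observed."""
    fw = ConnectionAllocator(40_000, {"Zone1": 10_000})
    fw.add_reservation(Reservation("DMZ", "outbound", "10.1.1.11", "10.1.1.60", 10))
    # 10,000 ordinary connections from Zone1 (constructed traffic) fill the zone limit.
    normal = [fw.admit("Zone1", "10.1.1.200", "EXTERNAL", "198.51.100.9") for _ in range(10_000)]
    refused = fw.admit("Zone1", "10.1.1.200", "EXTERNAL", "198.51.100.9")
    # The reserved hosts still get 10 connections each into DMZ: 10,500 in total.
    reserved = [fw.admit("Zone1", f"10.1.1.{h}", "DMZ", "10.1.2.22")
                for h in range(11, 61) for _ in range(10)]
    peak = fw.zone_active["Zone1"]
    for cid in normal[:500]:               # 500 non-reserved connections close
        fw.close(cid)
    return {
        "refused_at_zone_limit": refused is None,
        "reserved_all_admitted": all(c is not None for c in reserved),
        "peak": peak,
        "after_close": fw.zone_active["Zone1"],
        "new_normal": fw.admit("Zone1", "10.1.1.200", "EXTERNAL", "198.51.100.9"),
        "new_reserved": fw.admit("Zone1", "10.1.1.11", "DMZ", "10.1.2.22"),
    }
```

Running zone1_scenario() reproduces the figures: the zone peaks at 10,500, drops back to 10,000 when 500 non-reserved connections close, and at that point neither a new ordinary connection nor a new connection from an already-exhausted reserved host is admitted.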
Figure 4-85. Add Connection Reservation Window 3. From the Zone list, select a zone that will be either the source or destination of the reserved connections. For inbound connections, this is the source zone. For outbound connections, this is the destination zone. You cannot select EXTERNAL. 4. From the Direction list, select one of the following: • Inbound if the reserved IP addresses are the destination • Outbound if the reserved IP addresses are the source 5.
To make the reservations shown in the figure above, follow these steps: 1. Click Firewall > Settings and click the Connection Allocations tab. 2. Click Add Connection Reservation. 3. From the Zone list, select Zone1. 4. From the Direction list, select Outbound. 5. In the Reserved for IP Addresses fields, type 10.1.1.100 and 10.1.1.102.
Figure 4-87. Add Connection Reservation Window Figure 4-88. Firewall > Settings > Connection Allocations (with Connections Configured) 14. Click Save.
Firewall IP Reassembly IP Reassembly The maximum transmission unit (MTU) determines the size of the largest packet that can pass through the Data-Link Layer (Layer 2) of a connection. If a packet is larger than the MTU for that device, it will be broken into fragments. Fragments from one intermediate device may be further fragmented by another intermediate device.
Figure 4-90. Packet Reassembly Configure MTU The default setting for the MTU is 1500, but the TMS zl Module allows you to adjust this setting to between 1500 and 9220. The MTU is global and applies to all TMS VLANs. To adjust the MTU, complete the following steps: 1. Click Network > Settings > General. Figure 4-91. Network > Settings > General Window 2. Under General Settings, for MTU, type the desired MTU value.
3. Click Apply My Changes. 4. Click Save. Configure IP Reassembly The default settings for IP reassembly are in Table 4-14. Consult the product literature for your routing devices to see the optimum settings for your network. Table 4-14.
■ If the Maximum time to receive all fragments limit is set too low, normal network latency may cause a transfer to be abandoned too soon. Conversely, if the limit is set too high, the device holds incomplete datagrams for too long before reporting the missing fragments, which ties up reassembly resources and degrades performance. Click Apply My Changes, and then click Save.
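To show what the two reassembly limits above actually govern, the following Python is an added example of a minimal IP fragment reassembler, not HP’s code and not the TMS zl Module’s implementation. The Reassembler and Fragment classes, the default limit values (which are not the Table 4-14 defaults, since those are not reproduced on this page), and the constructed fragments in demo() are this example’s own assumptions. Besides the maximum-fragments and maximum-time limits it also refuses a datagram whose fragments overlap with differing data, a common evasion that a reassembling firewall has to decide about.

```python
"""Added example (not HP code): IP fragment reassembly with a maximum number
of fragments per datagram, a maximum time to receive them all, and rejection
of conflicting overlaps.  Limits, names and fragments are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int          # IP Identification field
    offset: int         # in bytes (header field value * 8)
    more: bool          # MF flag
    payload: bytes


@dataclass
class Pending:
    first_seen: float
    pieces: dict = field(default_factory=dict)   # offset -> payload
    total_len: int = None                        # known once the MF=0 fragment arrives


class Reassembler:
    def __init__(self, max_fragments=64, max_time=30.0):
        self.max_fragments = max_fragments
        self.max_time = max_time
        self.pending = {}     # (src, dst, ident) -> Pending
        self.dropped = []     # (key, reason)

    def expire(self, now):
        """Abandon datagrams whose fragments did not all arrive within max_time."""
        for key, p in list(self.pending.items()):
            if now - p.first_seen > self.max_time:
                del self.pending[key]
                self.dropped.append((key, "timeout"))

    def receive(self, frag, now):
        """Feed one fragment; returns the reassembled datagram when complete, else None."""
        self.expire(now)
        key = (frag.src, frag.dst, frag.ident)
        p = self.pending.setdefault(key, Pending(first_seen=now))
        if frag.offset in p.pieces and p.pieces[frag.offset] != frag.payload:
            # Overlapping fragment carrying different data: drop the whole datagram.
            del self.pending[key]
            self.dropped.append((key, "overlap"))
            return None
        p.pieces[frag.offset] = frag.payload
        if not frag.more:
            p.total_len = frag.offset + len(frag.payload)
        if len(p.pieces) > self.max_fragments:
            del self.pending[key]
            self.dropped.append((key, "too many fragments"))
            return None
        if p.total_len is None:
            return None
        # Complete only when the pieces cover 0..total_len without a gap.
        covered = 0
        for off in sorted(p.pieces):
            if off != covered:
                return None
            covered = off + len(p.pieces[off])
        if covered != p.total_len:
            return None
        del self.pending[key]
        return b"".join(p.pieces[o] for o in sorted(p.pieces))


def demo():
    """Constructed fragments: one datagram arrives out of order, another times out."""
    r = Reassembler(max_fragments=8, max_time=5.0)
    key = ("10.1.1.10", "10.1.2.22", 0x1234)
    out1 = r.receive(Fragment(*key, offset=16, more=False, payload=b"TAIL"), now=0.0)
    out2 = r.receive(Fragment(*key, offset=8, more=True, payload=b"MIDDLE08"), now=0.1)
    out3 = r.receive(Fragment(*key, offset=0, more=True, payload=b"HEAD0000"), now=0.2)
    r.receive(Fragment("10.9.9.9", "10.1.2.22", 7, offset=0, more=True, payload=b"x" * 8), now=1.0)
    r.receive(Fragment("10.1.1.10", "10.1.2.22", 99, offset=0, more=True, payload=b"y" * 8), now=10.0)
    return out1, out2, out3, r.dropped
```

The trade-off in the bullet above is visible in expire(): every pending entry costs memory until it either completes or times out, so max_time bounds how long an attacker can make the device hold half-built datagrams, while max_fragments bounds how large any single one can grow.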
5 Network Address Translation
Contents
Overview 5-2
NAT Operations 5-3
Source NAT 5-3
One-to-One 5-4
Many-to-One
Network Address Translation Overview Overview Network Address Translation (NAT) is the process of translating network IP addresses in a way that is transparent to the end users. It has traditionally been a method of translating internal, private IP addresses into public IP addresses. Companies typically choose to translate internal IP addresses for address conservation.
Network Address Translation NAT Operations NAT Operations In routing mode the TMS zl Module can apply NAT to network traffic. (Monitor mode does not support NAT.) While the module’s firewall provides the NAT capability, the NAT policies are entirely separate from the firewall access policies for increased flexibility. This section describes the types of NAT that the TMS zl Module can perform. This information is only intended to inform you of the module’s capabilities.
Figure 5-1. Source NAT Note: Source NAT is often referred to as just NAT. This guide will always refer to it as source NAT. One-to-One With one-to-one source NAT, each local device receives its own new IP address for the destination network. The source IP address is replaced with the NAT IP address, but the source port remains the same. The TMS zl Module will perform one-to-one NAT if the number of source addresses and the number of NAT addresses are identical.
Many-to-One With many-to-one source NAT, many local devices share the same IP address in the destination network. That is, the module translates each source IP address to the same new IP address. However, each local device retains its own source port. Return traffic to the local devices is all destined to the same IP address but to different ports, so the module can forward return traffic to the correct device.
The source and destination IP address (SA, DA) and port fields (SP, DP) in five outbound IP packet headers are shown in Table 5-3. The translated fields are shown with shading.
Table 5-3. Many-to-Many Source NAT
  Before NAT                                  After NAT
  SA1         SP1    DA1            DP1       SA2           SP2    DA2            DP2
  10.1.1.10   50055  172.16.122.63  80        192.168.5.22  50055  172.16.122.63  80
  10.1.1.11   50056  192.168.2.77   21        192.168.5.23  50056  192.168.2.77   21
  10.1.1.12   50057  172.16.222.
Note: For the sake of simplicity, the explanations of destination NAT will refer to public and private IP addresses. You might choose to apply NAT between two network segments, neither of which you define as public or private. (Note also that all IP addresses used in the examples, whether labelled “public” or “private,” are technically private IP addresses. They are used only to illustrate the examples.)
The TMS zl Module will perform many-to-one destination NAT if you specify multiple destination addresses, one NAT address, and no NAT port. The source and destination IP addresses (SA, DA) and port fields (SP, DP) in five inbound IP packet headers are shown in Table 5-5. The translated fields are shown with shading.
Table 5-5. One-to-Many Destination NAT
  Before NAT                                  After NAT
  SA1            SP1    DA1           DP1     SA2      SP2    DA2    DP2
  172.16.122.63  51005  192.168.5.23  80      172.16.
Table 5-6. Destination NAT with Port Forwarding
  Before NAT                                  After NAT
  SA1            SP1    DA1           DP1     SA2            SP2    DA2        DP2
  172.16.122.63  50005  192.168.5.23  80      172.16.122.63  50005  10.1.1.10  80
  10.1.5.48      50006  192.168.5.23  21      10.1.5.48      50006  10.1.1.11  21
  10.100.148.77  50007  192.168.5.23  80      10.100.148.77  50007  10.1.1.10  80
  172.20.222.8   50008  192.168.5.23  80      172.20.222.8   50008  10.1.1.10  80
  172.25.121.75  50009  192.168.5.23  21      172.25.121.
Table 5-7. Port Forwarding with PAT
  Before NAT                                  After NAT
  SA1            SP1    DA1           DP1     SA2            SP2    DA2        DP2
  172.16.122.63  50005  192.168.5.23  80      172.16.122.63  50005  10.1.1.10  8088
  10.1.5.48      50006  192.168.5.23  21      10.1.5.48      50006  10.1.1.11  2102
  10.100.148.77  50007  192.168.5.23  80      10.100.148.77  50007  10.1.1.10  8088
  172.20.222.8   50008  192.168.5.23  80      172.20.222.8   50008  10.1.1.10  8088
  172.25.121.75  50009  192.168.5.23  21      172.25.121.
Figure 5-3. NAT packet flow The packet flow for the source NAT step is shown in more detail in Figure 5-4.
Figure 5-4. Source NAT packet flow The packet flow for the destination NAT step is shown in more detail in Figure 5-5.
Figure 5-5.
Network Address Translation Configuring NAT Policies Configuring NAT Policies The TMS zl Module requires you to specify the following parameters for each NAT policy: ■ NAT type (source, destination, or exclusion) ■ Source and destination zones ■ Services to which NAT is applied ■ Source address(es) ■ Destination address(es) ■ New IP address(es) and port(s) When configuring NAT policies, follow these guidelines: ■ Along with the NAT policy, you must configure a firewall access policy that permi
Sometimes you might also want to exclude traffic that is sent over a GRE tunnel from translation. The exclusion policy’s destination addresses should match the subnets behind the remote tunnel endpoint. The source addresses should be local addresses allowed to send traffic over the tunnel. ■ The relationship between the original number of IP addresses and the number of NAT addresses helps determine the NAT operation that the TMS zl Module performs.
Source NAT Policies To add a source NAT policy, follow these steps: 1. Click Firewall > NAT Policies > Policies. 2. Click Add Policy. 3. For Translate, select Source. Figure 5-6. Add NAT Policy Window 4. For From Zone, select the zone where traffic originates. (See “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.”) 5. For To Zone, select the zone where traffic is destined. 6.
7. For Source, do one of the following: • From the list, select an address object. (See “Named Objects and Their Uses” in Chapter 4: “Firewall.”) • Click Options. i. Select Enter custom IP, IP/mask or IP-Range. ii. In the space provided, type an IP address in dotted-decimal format, an IP address with network mask in CIDR format, or an IP address range. Examples: 192.168.5.23 172.16.56.100/24 10.1.1.10-10.1.1.50 • 8. 9.
• Select Use IP of routed VLAN interface to have the TMS zl Module translate each source address to an IP address on one of its TMS VLANs. The module uses the IP address on the TMS VLAN that is the forwarding interface for each packet’s destination. In this way, source addresses are always translated to an IP address that is valid on the destination network. 10. Optionally, for Insert Position (Optional), type a priority for the policy. 11. Click OK. 12.
Figure 5-7. Add NAT Policy Window 4. For From Zone, select the zone where traffic originates. (See “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.”) 5. The To Zone field is automatically populated with Self. 6. For Service, do one of the following: • From the list, select a service object. (See “Service Objects” in Chapter 4: “Firewall.”) • Click Options. i. Select Enter Custom Protocol/Port. ii. Select a Protocol from the list.
7. For Source, do one of the following: • From the list, select an address object. (See “Named Objects and Their Uses” in Chapter 4: “Firewall.”) • Click Options. i. Select Enter custom IP, IP/mask or IP-Range. ii. In the space provided, type an IP address in dotted-decimal format, an IP address with network mask in CIDR format, or an IP address range. Examples: 192.168.5.23 172.16.56.100/24 10.1.1.10-10.1.1.50 • 8.
12. Click OK. 13. If necessary, create a firewall access policy with the same source and destination zones as the NAT policy you just created and that permits the same services and addresses. (See “Firewall Access Policies for NAT” on page 5-23.) 14. Click Save. Exclusion NAT Policies To add an exclusion NAT policy, follow these steps: 1. Click Firewall > NAT Policies > Policies. 2. Click Add Policy. 3. Select None for translation type.
6. 7. For Service, do one of the following: • From the list, select a service object. (See “Service Objects” in Chapter 4: “Firewall.”) • Click Options. i. Select Enter Custom Protocol/Port. ii. Select a Protocol from the list. iii. In the space provided, type a Port (range). • Leave the default, Any Service, when you want to exclude all types of traffic (that matches other criteria in the policy) from NAT.
11. If necessary, create a firewall access policy with the same source and destination zones as the NAT policy you just created and that permits the same services and addresses. (See “Firewall Access Policies for NAT,” below.) 12. Click Save. Firewall Access Policies for NAT Because the firewall checks traffic against its access policies before applying NAT, you need to configure a firewall access policy for each NAT policy, and that access policy must match the addresses as they appear before translation (the original, not the NAT, addresses), as Table 5-9 and Table 5-10 show.
Table 5-9. Firewall Access Policy for Source NAT
  Parameter                Source NAT Policy            Firewall Access Policy
  From                     Internal                     Internal
  To                       Zone4                        Zone4
  Service                  Any Service                  Any Service
  Source Address(es)       172.16.45.0/24               172.16.45.0/24
  Destination Address(es)  10.1.154.101-10.1.154.254    10.1.154.101-10.1.154.254
  NAT IP Address(es)       192.168.154.1–192.168.154.
Network Address Translation NAT Examples
Table 5-10. Firewall Access Policy for Destination NAT
  Parameter                Destination NAT Policy       Firewall Access Policy
  From                     EXTERNAL                     EXTERNAL
  To                       SELF                         SELF
  Service                  Any Service                  Any Service
  Source Address(es)       Any Address                  Any Address
  Destination Address(es)  192.168.5.177                192.168.5.177
  NAT IP Address(es)       10.1.1.222                   n/a
NAT Examples This section contains examples of NAT implementations with step-by-step configuration instructions.
Figure 5-11. Source NAT—Network Merger Example Follow these steps to configure the first module (illustrated in the lower segment of the figure): 1. Create a NAT policy to translate source addresses on traffic from Zone1 to the shared data center (Zone 3). a. Click Firewall > NAT Policies > Policies. b. Click Add Policy. c. For Translate, select Source. d. For From Zone, select ZONE1. e. For To Zone, select ZONE3. f.
i. Select Use IP of routed VLAN interface. The module will translate all source addresses to its own IP address on the VLAN interface to which the NATed traffic is routed (in this example, 10.1.1.1). Figure 5-12. Add NAT Policy Window—Module 1 j. Click OK. 2. Create a firewall access policy to permit the traffic from Zone5 to the data center. a. Click Firewall > Access Policies > Unicast. b. Click Add a Policy. c. For Action, select Permit Traffic. d.
g. For Source, click Options, select Enter custom IP, IP/mask or IP-Range, and type 192.168.8.0/21. h. For Destination, click Options, select Enter custom IP, IP/mask or IP-Range, and type 10.1.1.0/24. i. Select the Enable this Policy check box to enable the access policy. j. Select the Enable IPS for this Policy check box if you want to enable IPS to check packets on this policy. k.
Follow these steps to configure the second module (illustrated at the top of the figure): 1. Create a NAT policy to translate source addresses on traffic from Zone1 to the shared data center (Zone 3). a. Click Firewall > NAT Policies > Policies. b. Click Add Policy. c. For Translate, select Source. d. For From Zone, select ZONE1. e. For To Zone, select ZONE3. f. For Service, accept the default: Any Service. g.
Figure 5-14. Add NAT Policy Window—Module 2 j. Click OK. 2. Create a firewall access policy to permit the traffic from Zone1 to Zone3. a. Click Firewall > Access Policies > Unicast. b. Click Add a Policy. c. For Action, select Permit Traffic. d. For From, select ZONE1. e. For To, select ZONE3. f. For Service, accept the default, Any Service. You can, of course, limit the firewall policy to allow only certain services. g.
j. Select the Enable IPS for this Policy check box if you want to enable IPS to check packets on this policy. k. Optionally, select the Enable logging on this Policy check box to log access policy activities. Note: It is not recommended that you enable logging permanently because policy logging is processor intensive. Use policy logging for troubleshooting and testing only. l.
is the module’s IP address on the VLAN associated with the DMZ. On this network the DMZ is a Web server farm, so those devices do not need to initiate contact with the devices in the Internal zone. Figure 5-16. Source NAT—Single Internet Address Example Figure 5-16 shows the translation of the source addresses of the devices in Internal to a single address for DMZ. To implement this plan, follow these steps: 1.
Note: In this example, you could also select Any Address because VLAN 10 is the only VLAN in the zone. h. From Destination, select VLAN20. i. For NAT IP address, select Use IP of routed VLAN interface. The TMS zl Module will translate the traffic to 10.1.2.107, which is the TMS zl Module’s IP address on VLAN 20,  the VLAN on which the traffic will be forwarded. Figure 5-17. Add NAT Policy Window j. Click OK. k. Click Save. 4.
f. For Service, accept the default: Any Service. You could also limit the internal devices to accessing certain services. Note g. For Source, select VLAN10. h. For Destination, select VLAN20. i. Select the Enable this Policy check box to enable the access policy. j. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy. k.
You could also create a more general firewall access policy. This might permit you to create fewer firewall access policies overall because more than one of the NAT policies would be covered by a single firewall access policy. Limited NAT Pool In this type of source NAT there is a limited pool of NAT addresses for Internal devices to use when accessing resources in Zone5.
2. Create another single-entry network address object named VLAN2 that contains 10.10.2.0/24. 3. Create a NAT policy to translate source addresses for traffic from Internal to Zone5. a. Select Firewall > NAT Policies > Policies. b. Click Add Policy. c. Select Source for translation type. d. For From Zone, select INTERNAL. e. For To Zone, select ZONE5. f. For Service, accept the default: Any Service. g. For Source, select VLAN10. h.
4. Create a firewall access policy to permit the NAT traffic. a. Select Firewall > Access Policies > Unicast. b. Click Add Policy. c. For Action, select Permit Traffic. d. For From, select INTERNAL. e. For To, select ZONE5. f. For Service, accept the default: Any Service. g. For Source, select VLAN10. h. For Destination, select VLAN2. i. Select the Enable this Policy check box to enable the access policy. j.
l. Click Apply. m. Click Close. n. Click Save. Note: You could also create a more general firewall access policy. This might allow you to create fewer firewall access policies overall because more than one of the NAT policies would be covered by a single firewall access policy. Destination NAT This section includes one example of a destination NAT configuration.
Network Address Translation NAT Examples To set up this example, follow these steps: 1. Create a single-entry IP address object named Web_Services that contains 172.16.100.100. (See “Named Objects and Their Uses” in Chapter 4: “Firewall“ for instructions.) 2. Configure a NAT policy to translate FTP traffic. a. Click Firewall > NAT Policies > Policies. b. Click Add Policy. Figure 5-23. Add NAT Policy Window c. Select Destination for the translation type. d. For From Zone, select INTERNAL.
Network Address Translation NAT Examples 3. Configure a NAT policy to translate HTTP traffic. a. Click Add Policy again. Figure 5-24. Add NAT Policy Window 4. 5-40 b. Select Destination for the translation type. c. For From Zone, select INTERNAL. d. To Zone is automatically set to Self. e. For Service, select http. f. For Source, select Any Address. g. For Destination, select Web_Services. h. For NAT IP address, type 10.1.1.12. i. For NAT Port (Optional), type 8088. j. Click OK. k.
Figure 5-25. Add Policy Window
   c. For Action, select Permit Traffic.
   d. For From, select INTERNAL.
   e. For To, select SELF.
   f. For Service list, accept the default: Any Service.
   Note
   You can also narrow the scope of this access policy by creating and selecting a service group that contains http and ftp. (See “Service Groups” in Chapter 4: “Firewall.”)
   g. For Source, accept the default: Any Address.
   h. For Destination, select Web_Services.
   i.
Note
It is not recommended that you enable logging permanently because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.
   l. Click Apply.
   m. Click Close.
   n. Click Save.
You could also apply a more general firewall access policy. This might allow you to create fewer firewall access policies overall because more than one of the NAT policies would be covered by a single firewall access policy.
Figure 5-26. Using an Exclude NAT Policy
In this example, the IPsec policy traffic selector for a site-to-site VPN specifies traffic between VLAN 20 and a remote network (192.168.4.0/22). An existing NAT policy selects all internal traffic that is destined to the External zone and translates the source address to the TMS zl Module’s external address (172.19.44.44). Because the remote network is reached through the External zone, the two policies overlap.
3. Create a NAT policy to exclude traffic that should be sent over the VPN from translation.
   a. Select Firewall > NAT Policies > Policies.
   b. Click Add Policy.
   c. Select None for the translation type.
   d. For From Zone, select INTERNAL.
   e. For To Zone, select EXTERNAL.
   f. For Service, select Any Service.
   g. For Source, select VLAN20.
   h. For Destination, select RemoteClients.
   i. For Insert Position (Optional), type 1.
   Figure 5-27.
6 Intrusion Detection and Prevention
Contents
Overview . . . 6-3
IDS/IPS Concepts . . . 6-3
Attack Vectors . . . 6-4
External Attacks . . .
Register the IDS/IPS Signature Subscription . . . 6-22
Obtain the Subscription Registration ID and TMS-Subscription Hardware ID . . . 6-23
Entering the Registration and TMS-Subscription Hardware ID on the My ProCurve Portal . . . 6-26
Configuring Signature Detection . . . 6-28
Download Signatures .
Intrusion Detection and Prevention Overview
Overview
Networks today are increasingly vulnerable to attacks not only from without but also from within. Companies often offer access to guests, contractors, partners, and other less trusted users. In addition, network users are increasingly mobile, working from home or on the road and roaming between rooms and even buildings at their company offices.
Intrusion Detection and Prevention IDS/IPS Concepts
Then, this chapter discusses several common network attack types. Though these attack types are by no means comprehensive, learning about them will greatly increase your understanding of the ways that attackers can infiltrate or damage your network so that you can protect it accordingly.
External Unintentional Attacks.
External unintentional attacks are those that originate outside your network but that are not necessarily intended to harm the network.
You can implement the HP ProCurve Threat Management Services zl Module either at the perimeter of your trusted network or within it to provide more comprehensive protection against both external and internal attacks.
Attack Types
In addition to understanding attack vectors, you should also understand some of the specific types of attacks that can endanger your network.
■ Non-persistent (Type 1)
A non-persistent XSS attack is executed on pages that prompt the user for information each time they visit the Web page. For example, search engines require the user to type a word or phrase into a search field each time they visit the Web page. Attackers can launch XSS attacks on these pages to attack the search engine user.
■ Polymorphic/Metamorphic viruses and worms
Some viruses and worms are designed to use self-encryption and self-alteration to disguise themselves to antivirus software. This is done using metamorphic code: the code changes itself so that no part remains the same after the worm or virus replicates. Because the code continually changes, it is impossible to develop a signature file that can recognize the mutated virus or worm.
Protocol Anomalies
It is possible to generate packets that follow a protocol’s specifications but have no legitimate purpose. These packets are referred to as protocol anomalies because the protocol is being used in a way that is inconsistent with common practice, not because the packet causes network traffic to deviate from normal behavior.
Unauthorized Access
Unauthorized access attacks occur when an unauthorized user accesses your network either by guessing or stealing a password or by finding insecure network access points. Some methods used to gain unauthorized access are:
■ Brute force
In a brute force attack, an attacker systematically attempts all possible password combinations in order to discover a password and gain access to the network.
Exploits
Unlike protocol anomaly attacks that exploit protocol weaknesses, these attacks exploit weaknesses or vulnerabilities in software and hardware. Attackers use these vulnerabilities to gain control of a computer system in order to access confidential information or data or degrade network performance.
Backdoors
Rootkits are often disguised as attachments to emails or files on the Internet or by Trojan horses. When the victim of the rootkit attack clicks the link or downloads the file or program, a backdoor is installed. These backdoors can be exploited by attackers to gain access to a network.
Intrusion Detection and Prevention Threat Detection and Prevention
Threat Detection and Prevention
In monitor mode, the TMS zl Module can provide Intrusion Detection System (IDS) functionality. An IDS detects intrusions but does not take action to stop or prevent them. An IDS is offline, and its only role is to detect threats and log them, as shown in Figure 6-1.
Figure 6-2. IDS Packet Flow in Monitor Mode
A packet that is mirrored to the TMS zl Module in monitor mode is examined by the IDS. If the IDS detects a threat, it creates a log entry. IDS sessions are based on several factors:
■ Protocol
■ Source zone
■ Source IP
■ Source port
■ Destination zone
■ Destination IP
■ Destination port
However, the IDS depends on sessions, and if the sessions run out, the IDS will drop packets.
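The session dependency above is the operational caveat of monitor mode: a mirrored packet that cannot be matched to a tracked session, or for which no session slot is free, is not inspected at all. The following Python model is an added illustration and is not the module's own code; it keys sessions on the seven fields listed in the guide, treats both directions of a flow as one session, and shows how a full table leads to uninspected packets until idle sessions expire. The capacity, timeout, addresses and zone names are constructed values.

```python
from collections import OrderedDict

# Constructed example: a toy IDS session table keyed on the seven fields the
# guide lists. Capacity and timeout values are illustrative, not the module's.
SESSION_FIELDS = ("protocol", "src_zone", "src_ip", "src_port",
                  "dst_zone", "dst_ip", "dst_port")


def session_key(pkt):
    """Build the session key; the reverse direction of a flow maps to the
    same session by ordering the two endpoints canonically."""
    fwd = tuple(pkt[f] for f in SESSION_FIELDS)
    rev = (pkt["protocol"], pkt["dst_zone"], pkt["dst_ip"], pkt["dst_port"],
           pkt["src_zone"], pkt["src_ip"], pkt["src_port"])
    return min(fwd, rev)


class IdsSessionTable:
    def __init__(self, max_sessions, idle_timeout):
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout
        self.sessions = OrderedDict()   # key -> timestamp of last packet
        self.inspected = 0
        self.dropped = 0                # packets the IDS could not track

    def expire(self, now):
        """Remove sessions that have been idle longer than idle_timeout."""
        for key, last in list(self.sessions.items()):
            if now - last > self.idle_timeout:
                del self.sessions[key]

    def handle(self, pkt, now):
        """Return 'inspected' or 'dropped' for one mirrored packet."""
        self.expire(now)
        key = session_key(pkt)
        if key in self.sessions:
            self.sessions[key] = now
            self.sessions.move_to_end(key)
            self.inspected += 1
            return "inspected"
        if len(self.sessions) >= self.max_sessions:
            self.dropped += 1           # no free session: packet is not examined
            return "dropped"
        self.sessions[key] = now
        self.inspected += 1
        return "inspected"


def demo():
    """Three constructed flows against a table that holds two sessions."""
    def pkt(src, sport, dst, dport, src_zone="INTERNAL", dst_zone="EXTERNAL"):
        return {"protocol": "tcp", "src_zone": src_zone, "src_ip": src,
                "src_port": sport, "dst_zone": dst_zone, "dst_ip": dst,
                "dst_port": dport}
    table = IdsSessionTable(max_sessions=2, idle_timeout=30)
    results = [
        table.handle(pkt("10.10.1.5", 40001, "198.51.100.7", 80), now=0),
        table.handle(pkt("10.10.1.6", 40002, "198.51.100.7", 443), now=1),
        # third flow arrives while the table is full: not inspected
        table.handle(pkt("10.10.1.7", 40003, "198.51.100.8", 22), now=2),
        # reply packet of the first flow maps onto the existing session
        table.handle(pkt("198.51.100.7", 80, "10.10.1.5", 40001,
                         src_zone="EXTERNAL", dst_zone="INTERNAL"), now=3),
        # same third flow retried after the other sessions have gone idle
        table.handle(pkt("10.10.1.7", 40003, "198.51.100.8", 22), now=40),
    ]
    return results, table.dropped
```

The model makes the sizing question concrete: the number of concurrent sessions, not the packet rate, decides whether monitor-mode inspection keeps up, and a burst of short flows can push later packets past the IDS unexamined.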
Figure 6-3. IDS/IPS Packet Flow in Routing Mode
Routing Mode
A packet that is routed to the TMS zl Module in routing mode is passed first to the firewall, then to the IDS. If the IDS does not detect a threat, it returns the packet to the firewall, which sends it to its destination.
Protocol Anomaly Detection
Protocol anomaly detection involves looking for irregularities in protocol payloads when they go through the network. Protocol anomalies target an application, so the attack indicators are hidden in the packet payload. It requires buffering the packets, decoding the protocol, and maintaining some basic state about a given flow, such as open, authenticated, and so on.
■ IMAP
• Check for malformed requests (without proper tag, command, and so on, in the command line)
■ POP3
• Ensure that the command line does not exceed 512 bytes
■ DNS
• Check for a DNS reply without a valid request
• Check for unknown DNS operation flags
• Check for a domain name greater than 255 bytes
• Check for a label size greater than 63 bytes
• Check for an invalid DNS label offset
• Check the resource record
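The DNS checks listed above are a good illustration of what "decoding the protocol and keeping basic flow state" means in practice. The following Python parser is an added example written for this guide, not the module's detector or any HP code: it walks the wire-format message, flags labels over 63 bytes, names over 255 bytes, compression pointers that point forward or loop, unknown opcodes and reserved flag bits, resource records that overrun the message, and, using a table of outstanding transaction IDs, replies for which no request was seen. The test messages it builds are constructed; the addresses are documentation ranges.

```python
import struct

# Constructed example; not the TMS zl Module's detector. Implements the DNS
# anomaly checks the guide lists on a raw wire-format message.
MAX_LABEL = 63
MAX_NAME = 255
KNOWN_OPCODES = {0, 1, 2, 4, 5}   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE (IANA registry)


def parse_name(msg, offset):
    """Parse a name at offset. Returns (name, offset just after the name in its
    original position, anomalies). Following a pointer does not advance it."""
    anomalies, labels = [], []
    wire_len = 1                # the terminating zero label counts toward 255
    visited, end, pos = set(), None, offset
    while True:
        if pos >= len(msg):
            anomalies.append("name runs past end of message")
            break
        b = msg[pos]
        if b >= 0xC0:                                # compression pointer
            if pos + 1 >= len(msg):
                anomalies.append("truncated compression pointer")
                break
            ptr = ((b & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            if ptr >= pos or ptr in visited:         # must point backwards, never loop
                anomalies.append("invalid label offset %d" % ptr)
                break
            visited.add(ptr)
            pos = ptr
            continue
        if b == 0:                                   # root label ends the name
            if end is None:
                end = pos + 1
            break
        if b > MAX_LABEL:                            # 0x40/0x80 prefixes are reserved
            anomalies.append("label size %d exceeds %d" % (b, MAX_LABEL))
            break
        labels.append(msg[pos + 1:pos + 1 + b].decode("ascii", "replace"))
        wire_len += 1 + b
        pos += 1 + b
    if wire_len > MAX_NAME:
        anomalies.append("domain name length %d exceeds %d" % (wire_len, MAX_NAME))
    return ".".join(labels), (end if end is not None else pos), anomalies


class DnsAnomalyChecker:
    def __init__(self):
        self.pending = set()    # (client, server, transaction id) of unanswered queries

    def check(self, msg, client, server):
        """Inspect one message; client/server name the flow regardless of
        direction. Returns a list of anomaly descriptions (empty if clean)."""
        if len(msg) < 12:
            return ["header shorter than 12 bytes"]
        anomalies = []
        txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        if ((flags >> 11) & 0xF) not in KNOWN_OPCODES:
            anomalies.append("unknown opcode %d" % ((flags >> 11) & 0xF))
        if flags & 0x0040:
            anomalies.append("reserved Z flag set")
        key = (client, server, txid)
        if flags & 0x8000:                           # QR bit set: a reply
            if key in self.pending:
                self.pending.discard(key)
            else:
                anomalies.append("reply without a valid request")
        else:
            self.pending.add(key)
        offset = 12
        for _ in range(qd):                          # question section
            _, offset, errs = parse_name(msg, offset)
            anomalies.extend(errs)
            offset += 4                              # QTYPE + QCLASS
        for _ in range(an + ns + ar):                # resource records
            _, offset, errs = parse_name(msg, offset)
            anomalies.extend(errs)
            if offset + 10 > len(msg):
                anomalies.append("truncated resource record header")
                break
            rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])[3]
            offset += 10 + rdlen
            if offset > len(msg):
                anomalies.append("resource record RDLENGTH exceeds message")
                break
        return anomalies


def build_query(txid, name, flags=0x0100):
    """Constructed test message: a standard query (RD set) for an A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_reply(txid, name, ip):
    """Constructed reply: same question plus one A record whose name is a pointer to offset 12."""
    q = bytearray(build_query(txid, name, flags=0x8180))
    struct.pack_into("!H", q, 6, 1)                  # ANCOUNT = 1
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return bytes(q) + rr
```

Note that the "reply without a valid request" check is stateful: it only works when the checker sees both directions of the flow, which is why the guide's IDS ties anomaly detection to its session table.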
Traffic that passes through ports not on this map will be assumed to be the services that are associated with the IANA well-known ports. If no application is assigned to the port by the TMS zl Module or IANA, the traffic will be treated as generic TCP/UDP traffic.
Signature Detection
The IDS/IPS on the TMS zl Module can use signatures to detect known attacks that have well-defined attack patterns.
■ XSS
• HREF and XML entity XSS injections
• Advanced XSS with script and constructors
■ SQL injection
• Classic SQL injection
• Blind SQL injection attempt
• MySQL SPACE or Keyword injection
■ Virus
• AIM Bot
• BugBear
• Trojan Haxdoor
• VBS.
Intrusion Detection and Prevention Configuring IDS/IPS
■ DoS
• AnalogX Web server Denial of Service Vulnerability
• Apache scoreboard shared memory and DoS attacks
• mstream agent to handler DDOS
• mstream handler ping to agent DDOS
■ Backdoor
• Acid Battery
• Meet the Lamer
• Back Orifice
• AOL Admin
• Alvgus
• Ruler
Configuring IDS/IPS
When you use the TMS zl Module as an IDS (required for monitor mode), you can configure:
■ Protocol anomaly detection settings
■ Port maps
■ IDS signatur
Configure Protocol Anomaly Detection
The TMS zl Module provides default settings for performing anomaly detection. You can modify these default settings as needed for your environment, but before making such changes, you should consult the documentation for your company’s servers to identify their limitations and capacities.
Figure 6-4. Add Port Map Window
3. From the Service list, select a service.
4. The Protocol field will be automatically populated.
5. In the Port field, type the new port number.
6. Click OK.
7. Click Save.
Register the IDS/IPS Signature Subscription
To begin using an IDS/IPS signature subscription, you must first register it on the My ProCurve portal (https://my.procurve.com). You can register the IDS/IPS signature subscription at any time.
Obtain the Subscription Registration ID and TMS-Subscription Hardware ID
Before you begin to register an IDS/IPS signature subscription, you should obtain the subscription registration ID and the TMS-subscription hardware ID you need to complete the process successfully.
Subscription Registration ID.
When you purchase an IDS/IPS signature subscription, you receive an HP ProCurve Threat Management Services xYear IDS/IPS Subscription Registration Card.
TMS-Subscription Hardware ID.
If you have booted the TMS zl Module to the Product OS, you can obtain the TMS-subscription hardware ID from:
■ Product OS context of the CLI
■ Web browser interface
To obtain the TMS-subscription hardware ID from the Product OS context of the CLI, you must first access the host switch’s CLI. Then, from the manager-level context of the host switch’s CLI, complete the following steps:
1.
The host switch assigns index numbers based on:
■ The number of TMS zl Modules and HP ProCurve ONE Services zl Modules that are installed in the host switch
■ The order in which each product boots on the host switch
Keep in mind that each time the host switch boots, the products could potentially boot in a different order, and the index numbers assigned to each product would change.
Entering the Registration and TMS-Subscription Hardware ID on the My ProCurve Portal
To register the IDS/IPS signature subscription, follow these steps:
1. Open a Web browser and type https://my.procurve.com in the address bar.
Figure 6-6. My ProCurve Sign In Window
2. Type your My ProCurve ID and Password in the appropriate fields and click Sign In.
3. Click My Licenses.
4. Click Device Software License.
5.
Figure 6-7. My Licenses Window on the My ProCurve Portal
6. For Hardware ID, type the TMS-subscription hardware ID and click Next.
7. Review the license agreement. Then select I agree to the license terms and click Next.
8. Configure your license expiration notification setting, which determines when ProCurve will notify you that your subscription is due to expire. You can select one or more of the following settings:
9.
key.) When your TMS zl Module attempts to download signatures, the ProCurve signature server will recognize that your module has a valid IDS/IPS signature subscription and allow it to download the signatures.
Figure 6-8. Intrusion Prevention > Signatures > Download Window
4. If you want to learn more about the latest signatures available, click the Signature Release Notes and Catalog at hp.com link.
5. If you use a proxy server to connect to the Internet, select the Use a proxy server check box.
   • In the Address field, type the IP address or FQDN of the proxy server.
   • In the Port field, type the port number to access the proxy server.
Resolving Problems in Downloading Signatures.
If you encounter problems while downloading signatures, try the following troubleshooting tips:
1. Ensure that your IDS/IPS signature subscription is still valid.
2. If the TMS zl Module is operating in routing mode, ensure the appropriate access policy has been added.
3.
Figure 6-9. Intrusion Prevention > Signatures > Preferences Window
2. Select the Full Session Inspection check box.
3. Click Apply My Changes.
4. Click Save.
View Signatures
To view the signatures, complete the following steps:
1. Click Intrusion Detection > Signatures and click the View tab, or click Intrusion Prevention > Signatures and click the View tab.
Figure 6-10.
The Intrusion Prevention (Detection) > Signatures > View window lists the following information about each signature:
• Name—Name of the attack, usually an industry-standard name
• Threat Level—A preconfigured indicator of the attack’s severity level
• Action—The action that is taken when the attack is detected (routing mode only). (See “Configuring IPS Actions (Routing Mode Only)” on page 6-33.
2.
The signature detection is applied to all traffic, regardless of zone.
Figure 6-12. Intrusion Prevention > Signatures > View Window
Note
If you disable a signature, the IDS/IPS on the TMS zl Module will no longer check packets against that signature, leaving your network vulnerable to known attacks.
Note
These actions apply to threats detected by signatures. The action taken in response to protocol anomalies is set at the factory and cannot be changed.
■ Terminate the session—The TMS zl Module closes the session with the offending traffic. It drops all traffic that is associated with the session.
Note
When signature and protocol anomaly detection are enabled, a log entry is generated for each instance in which suspect packets or traffic are found, regardless of the Action setting.
3. For each threat severity level, select the actions that you want the TMS zl Module to take.
4. Click Apply My Changes.
5. Click Save.
Intrusion Detection and Prevention Integration with HP ProCurve Network Immunity Manager
Integration with HP ProCurve Network Immunity Manager
TMS zl Modules can be configured and managed from one central location using HP ProCurve Manager (PCM+) and HP ProCurve Network Immunity Manager (NIM). Because the TMS zl Module can detect and mitigate threats from both internal and external sources, the TMS zl Module is the perfect companion to NIM.
7 Virtual Private Networks
Contents
Introduction . . . 7-6
IPsec Concepts . . . 7-8
IPsec Headers . . . 7-9
IPsec Modes . . . 7-9
Tunnel Mode . . .
Configure an IPsec Client-to-Site VPN . . . 7-27
Create an IKE Policy for a Client-to-Site VPN . . . 7-28
Install Certificates for IKE . . . 7-35
Install Certificates Manually . . . 7-36
Install Certificates Using SCEP . . .
Configure L2TP User Authentication . . . 7-162
Configure Local L2TP Authentication . . . 7-162
Configure L2TP Authentication to an External RADIUS Server . . . 7-167
Create Access Policies for an L2TP over IPsec VPN . . . 7-174
Verify Routes for the L2TP over IPsec VPN . . .
Create an IPsec Policy for a GRE over IPsec VPN That Uses IKE . . . 7-247
Create Access Policies for a GRE over IPsec VPN That Uses IKE . . . 7-256
Unicast Access Policies . . . 7-258
Multicast Access Policies . . .
Redundant GRE Tunnels . . .
Create the Primary GRE Tunnel for Site A . . .
Create the Secondary GRE Tunnel for Site A . . .
Create Named Objects for Site A . . .
Configure Firewall Access Policies for Site A . . .
Configure Routes for Site A . . .
Virtual Private Networks Introduction
Introduction
The Threat Management Services (TMS) zl Module supports virtual private networks (VPNs), which are tunnels that connect two trusted endpoints through an untrusted network. The tunnel typically provides data integrity and data privacy for traffic transmitted over the tunnel.
VPN Type | Configuration Instructions | Concepts
Site-to-site—GRE over IPsec with IKE v1 | “Configure a GRE over IPsec VPN with IKE” on page 7-208 | • “IPsec Concepts” on page 7-8 • “Generic Routing Encapsulation (GRE) Concepts” on page 7-183
Site-to-site—GRE over IPsec with manual keying | “Configure a GRE over IPsec VPN with Manual Keying” on page 7-265 |
For guidelines on selecting a VPN, see Table 7-2, which shows the correct VPN type for various types of VPN clients or
Virtual Private Networks IPsec Concepts
Remote VPN Gateway or Clients | VPN Type | Configuration Instructions for the TMS zl Module | Configuration Instructions for the Remote Client or Gateway
TMS zl Module | IPsec with IKEv1 site-to-site VPN | “Configure an IPsec Site-to-Site VPN with IKE” on page 7-76 |
 | IPsec with manual keying site-to-site VPN (*Not generally recommended) | “Configure an IPsec Site-to-Site VPN with Manual Keying” on page 7-122 |
 | GRE tunnel (*Not recommended when high security is required) | “Configur
IPsec Headers
Operating at the network layer of the Open Systems Interconnection (OSI) model, IPsec secures IP packets by encapsulating them with an IPsec header, which is either an AH or ESP header. As explained in the next section, the placement of the header depends on the mode.
IPsec Modes
The TMS zl Module supports both tunnel mode and transport mode.
Transport Mode
In transport mode, a packet is encapsulated with an IPsec header before the IP header is added, which reduces overhead. However, because the header must be applied before the traffic is ever transmitted, both ends of the tunnel must be the ultimate originators of the traffic. You can use transport mode to secure traffic for sessions that terminate on the module itself.
The TMS zl Module supports these authentication algorithms for both AH and ESP:
■ Message Digest 5 (MD5)
■ Secure Hash Algorithm (SHA)
■ Advanced Encryption Standard (AES) with Extended Cipher Block Chaining (XCBC)
The TMS zl Module supports these encryption algorithms for ESP:
■ Data Encryption Standard (DES)
■ Triple DES (3DES)
■ Advanced Encryption Standard (AES) with 128, 192, or 256-bit keys
IPsec Security Associations (SAs)
The IPsec VPN tunnel itself is calle
The TMS zl Module can establish SAs in two ways:
■ Manually
■ Using IKEv1
Defining an SA Manually
You can define the IPsec SA yourself. In this case, you must specify:
■ The SA’s SPI
■ The authentication and encryption algorithms
■ The authentication and encryption keys, both inbound and outbound
■ The traffic selector
Because this method of configuration is relatively insecure and complex, ProCurve Networking does not generally recommend it.
IKE version 1
IKEv1 follows a set process to negotiate the IPsec SA and passes through two phases. The first phase establishes a preliminary tunnel, or IKE SA. The second phase establishes the IPsec SA. When you understand this process, you will find it much easier to configure VPNs on your TMS zl Module.
You will specify these proposals in an IKE policy.
Figure 7-3. IKE Phase 1: Security Parameters Exchange
The remote endpoint searches its IKE policies for one that specifies the other endpoint and that includes an identical security proposal. When it finds a match, the remote endpoint returns these security parameters to the original endpoint. If the remote endpoint cannot find a match, the VPN connection fails.
Figure 7-4. IKE Phase 1: Key Generation Exchange
The final IKE phase 1 exchange and all IKE phase 2 exchanges will be secured by these keys. In this way, IKE provides an additional layer of security; endpoints transmit their authentication information in secured packets, and secured packets negotiate the IPsec SA itself.
Exchange 3: Authentication.
The tunnel endpoints also check each other’s IDs. When you set up an IKE policy, you specify the TMS zl Module’s local ID and the remote ID that it expects from the remote VPN gateway or client. The ID can be one of these:
■ An IP address
A local ID of this type should be the IP address for the interface that handles incoming VPN traffic. Similarly, a remote ID of this type should specify the remote interface to which VPN traffic is destined.
Figure 7-6. IKE Aggressive Key Exchange Mode
Aggressive mode condenses the process into three total messages—two from the initiator and one from the respondent. Aggressive mode is quicker than main. However, it requires endpoints to send identifying information before exchanges are encrypted, so it is less secure.
IKE Phase 2
The goal of IKE phase 2 is to negotiate the IPsec SA.
Figure 7-7. IKE Phase 2: Security Proposal
When negotiating the IPsec SA, IKE follows much the same process it did in IKE phase 1.
■ Traffic selectors—the traffic that is allowed over the IPsec SA (VPN tunnel)
The traffic selector specifies local and remote IP addresses (the local addresses on one endpoint must match the remote addresses on the other). Optionally, the selector can select a specific IP protocol or a specific TCP or UDP service.
■ Other advanced options
The respondent searches its IPsec policies for a match. When it finds a match, it returns the policy to the initiator.
The remote client requests an IP address and default gateway from the IPsec Remote Access Server (IRAS) on the TMS zl Module between IKE phase 1 and phase 2 negotiations. It may also request addresses for DNS and WINS servers that will resolve domain names for the user while on the private network. The users appear as internal users on the network once they have received the IKE mode config parameters. When configuring IKE mode config, follow these guidelines.
Advanced IPsec Features
The TMS zl Module supports these advanced features:
■ IP compression
■ Customizable anti-replay window size
■ Extended sequence number
■ Re-key on sequence number overflow
■ Persistent tunnels
■ Fragmentation before IPsec
■ The copying of values from the original IP header
The sections below describe these features. Table 7-3 indicates which features are enabled by default and other default settings.
Table 7-3.
For example, suppose that the anti-replay window size is at the default, 32. If the highest sequence number that the TMS zl Module has received is 120, the module will accept any packet with a sequence number of 88 or greater. If your VPN users complain of poor performance, you might increase the window size.
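The sliding window behind that example is easy to get wrong, so the following Python model is added here as an illustration; it is not the module's code. It keeps the highest sequence number received plus a bitmap of which numbers inside the window have already been seen, accepts late packets that are inside the window and new, rejects packets that are older than the window or already received, and slides the window forward on each new high. The window arithmetic is chosen to reproduce the guide's figures (highest 120, window 32, 88 still accepted); some implementations count the window one narrower, so a real peer may draw the boundary at 89.

```python
# Constructed example of the ESP anti-replay window the guide describes.
# Boundary arithmetic follows the guide's worked example (highest 120,
# window 32 -> 88 still accepted). Not the TMS zl Module's own code.

class AntiReplayWindow:
    def __init__(self, window_size=32):
        self.window_size = window_size
        self.top = 0        # highest sequence number accepted so far
        self.seen = 0       # bit i set means sequence number (top - i) was accepted
        self.mask = (1 << (window_size + 1)) - 1

    def accept(self, seq):
        """Return True if the packet is accepted, False if it is too old or a replay."""
        if seq == 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top            # slide the window up to seq
            if shift > self.window_size:
                self.seen = 1                 # everything previously seen falls out
            else:
                self.seen = ((self.seen << shift) | 1) & self.mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff > self.window_size:
            return False                      # older than the window: drop
        if self.seen & (1 << diff):
            return False                      # already received: replay
        self.seen |= 1 << diff                # late but new: accept and record
        return True


def simulate(sequence_numbers, window_size=32):
    """Feed ESP sequence numbers through one window; return the accept decision for each."""
    window = AntiReplayWindow(window_size)
    return [window.accept(s) for s in sequence_numbers]
```

Running `simulate([120, 88, 87, 100, 100, 121, 89])` shows the two distinct failure modes the guide's advice addresses: 87 is dropped only because the window is too narrow for that much reordering (a larger window fixes it), while the second 100 is dropped because it is a genuine replay, and no window size changes that.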
The Copying of Values from the Original IP Header
In tunnel mode, a delivery IP header encapsulates the original IP header.
NAT Traversal
VPN users may be behind a device that performs NAT on packets that are destined for the other end of the VPN tunnel. If NAT is performed on packets before they are encrypted, then the packets pass over the VPN connection without difficulty. However, sometimes a device in between the two endpoints of a VPN tunnel performs NAT on packets that have already been encapsulated for the tunnel.
Figure 7-8. NAT Traversal
How NAT Traversal Works
NAT-T uses UDP encapsulation to address this incompatibility between NAT and L2TP over IPsec. UDP encapsulates the IPsec packet in a UDP/IP header. The NAT device changes the address in this header without tampering with the IPsec packet. Peers agree to use NAT-T during IKE negotiations by exchanging a predetermined, known value that indicates that they support NAT-T.
The NAT-T feature on the TMS zl Module automatically detects one or more NAT devices between IPsec hosts and negotiates the UDP encapsulation of the IPsec packets through NAT. The TMS zl Module implements NAT-T under any of the following circumstances:
■ The remote endpoint or endpoints are behind one or more NAT devices.
■ The TMS zl Module is behind a NAT device.
■ Both are behind a NAT device.
Virtual Private Networks Configure an IPsec Client-to-Site VPN
Configure an IPsec Client-to-Site VPN
To configure an IPsec client-to-site VPN, you must complete these tasks:
1. Create an IKE policy. See “Create an IKE Policy for a Client-to-Site VPN” on page 7-28.
2. If you are using certificates, install the correct certificates on the TMS zl Module. Do not complete this step if your IKE policy specifies preshared key authentication. See “Install Certificates for IKE” on page 7-35.
3.
Create an IKE Policy for a Client-to-Site VPN
Follow these steps to create an IKE policy that the TMS zl Module can use to negotiate VPN connections with remote clients:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IKEv1 Policies tab.
Figure 7-9. VPN > IPsec > IKEv1 Policies Window
3. Click Add IKE Policy.
4. For IKE Policy Name, type a string that is unique to this policy.
Figure 7-10. Add IKE Policy Window—Step 1 of 3
Remote endpoints will initiate the VPN connection. The TMS zl Module will respond to their IKE messages.
Note
Later you will configure firewall access policies to allow the IKE messages from the remote endpoints.
Refer to Figure 7-11 for help configuring the next settings.
Figure 7-11. Example IPsec Client-to-Site VPN
6. For Local Gateway, specify the TMS zl Module IP address that will act as the VPN gateway (indicated by 1 in the example figure). You have two options:
   • Select IP Address and type an IP address in the box. The IP address must be an IP address that is already configured on the TMS zl Module and that the remote endpoints can reach.
      – IP Address
      – Domain Name
      – Email Address
      – Distinguished Name
   b. For Value, type the correct value. If you select IP Address for Type, the address that you specify in the Value box must match the IP address that you specified for the local gateway. Table 7-4 shows the format for each ID type.
Table 7-4. Local ID Values
Local ID Type | Remote ID Value | Examples
IP Address | A.B.C.D | 172.16.40.103
Domain Name | | TMS.procurve.
Figure 7-12. Add IKE Policy Window—Step 2 of 3
10. Under IKE Authentication, configure the authentication method for the IKE proposal:
   a. For Key Exchange Mode, select Main Mode or Aggressive Mode. The mode must match that configured on remote endpoints. See “IKE modes” on page 7-16 for guidelines.
   b.
The string (which is case-sensitive) must match the string that is configured on the remote endpoints.
11. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA (the IKE policy on remote endpoints must match):
   a.
Figure 7-13. Add IKE Policy Window—Step 3 of 3
   i. For Authentication Type, select Generic or CHAP.
   To complete the configuration, you must follow these steps as well:
   i. If you have not already done so, configure a group or groups for the remote users. Configure the user group in the Network > Authentication > Firewall/XAUTH Users window.
   ii.
   • Select TMS acts as XAUTH Client:
      i. For Authentication Type, select Generic or CHAP.
      ii. For Username, type a username accepted by the remote gateway’s authentication server.
      iii. For Password, type the password associated with that username.
14. Click Finish. The IKE policy is displayed in the VPN > IPsec > IKEv1 Policies window.
Figure 7-14.
Install Certificates Manually Follow these steps to install a certificate manually: 1. In the left navigation bar of the Web browser interface, click VPN > Certificates. 2. Click the IPsec Certificates tab. Figure 7-15. VPN > Certificates > IPsec Certificates Window 3. Add a private key. You have two options: • Generate the private key on the TMS zl Module. See step 4. • Import a private key generated elsewhere. See step 5. 4. Generate the private key on the TMS zl Module: a. In the Private Keys section, click Generate Private Key.
Figure 7-16. Generate Private Key Window b. For Private Key Identifier, type a descriptive string between 1 and 31 alphanumeric characters. The string must be unique to this key. c. For Key Algorithm, select RSA or DSA. When you configured the IKEv1 policy, you selected DSA Signature or RSA Signature for Authentication Method (see step 11b on page 7-32). Match this setting. d.
Figure 7-17. VPN > Certificates > IPsec Certificates Window (Private Key Added) f. Go to step 6. 5. Import a private key that was generated elsewhere: a. Transfer the private key to your management workstation. Make sure that all copies of the private key are stored in secure locations. Otherwise, the certificate could be compromised. b. Click Import Private Key. Figure 7-18. Import Private Key Window c.
d. For Select Private Key, type the path and filename for the private key. Alternatively, click Browse and navigate to the private key file. e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window. f. Delete the private key from your management workstation. 6. Next, create a certificate request. In the VPN > Certificates > IPsec Certificates window, click Generate Certificate Request.
9. For Private Key Identifier, select the private key that you added in step 3 on page 7-36. 10. For Subject Name, type the FQDN of the TMS zl Module. Use the format . For example, type TMS.procurve.com. The certificate request will store this name as a distinguished name, automatically adding /CN= to the name that you type. 11.
Figure 7-20. VPN > Certificates > IPsec Certificates Window (Certificate Request Added) 13. Click the Edit icon in the Tools column for the certificate request. Figure 7-21.
14. Copy the data (for example, by pressing [Ctrl] + [c]) and paste it in a document created in a text editor. Save the file (if necessary, using the file extension required by your CA). Click OK in the Certificate Request Data window to close the window. 15. Submit the certificate request file to your CA. Request that certificate files be returned to you in PEM or DER format. 16.
21. Click Apply. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. Figure 7-24. VPN > Certificates > Certificate Authorities Window Note If you receive an error message, the TMS zl Module cannot validate the CA certificate. A common problem is that the module has the incorrect time. The module takes its clock from the host switch. Verify that this switch has the correct time. 22.
Figure 7-26. Import IPsec Certificate Window 24. Under Select IPsec certificate, type the path and filename for the TMS zl Module’s certificate. Alternatively, click Browse and navigate to the certificate file. 25. Click Apply. The module’s certificate is displayed under Certificates in the VPN > IPsec > IPsec Certificates window. Figure 7-27. VPN > Certificates > IPsec Certificates (Certificate Installed) 26.
Figure 7-28. VPN > Certificates > CRL Window 27. Click Import CRL. Figure 7-29. Import CRL Window 28. For Select CRL, type the path and filename for the CRL. Alternatively, click Browse and navigate to the CRL file. 29. Click OK. The CRL is displayed in the VPN > Certificates > CRL window. Figure 7-30. VPN > Certificates > CRL Window (CRL Added) 30. Click Save. Move to the next task: “Create an IPsec Proposal” on page 7-53.
Install Certificates Using SCEP Before you begin to configure the settings for using SCEP to install certificates, make sure that the TMS zl Module has the correct time. If the module does not have the correct time, the SCEP process may fail. The TMS zl Module takes its time from the host switch, so if you need to adjust the time, you will need to configure the switch. Follow these steps to install certificates automatically using SCEP: 1.
8. Click Save. 9. Next, you must import the CA certificate. Click the Certificate Authorities tab. Figure 7-32. VPN > Certificates > Certificate Authorities Window 10. Click Retrieve certificate through SCEP. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. (If the certificate is not imported, check the IP address or FQDN that you set in step 3.) Figure 7-33.
Figure 7-34. VPN > Certificates > IPsec Certificates Window 12. Click Retrieve Certificate through SCEP under Certificates. Figure 7-35. Retrieve IPsec Certificate through SCEP Window 13. For Subject Name, typically you type the TMS zl Module’s FQDN after /CN=. The remote tunnel endpoint will use this subject name to authenticate the module. Therefore, the subject name must match a remote ID that is configured on the remote endpoint.
14. For Trusted Certificate to verify Certificate, select the CA root certificate that you installed in step 10. 15. For Certificate Type, select RSA-MD5 or RSA-SHA-1. This setting determines the algorithm for the private key. You should have selected RSA Signature for Authentication Method in the IKE policy. 16. For Encryption Algorithm, select 3DES or DES. 17. For Challenge Password, type the password that your CA has given you.
21. Next, you should install the CRL. Ask your CA administrator if you need a particular CGI path to the CRL distribution point. If you do, follow these steps: a. Click the SCEP tab. b. For CGI-Path, type the new path given to you by your CA. For example, for a Windows 2008 CA, you might type /CertEnroll/ .crl. c. Click Apply My Changes. 22. Click the CRL tab. Figure 7-37. VPN > Certificates > CRL Window 23.
Figure 7-39. VPN > Certificates > CRL Window (CRL Added) Move to the next task: “Create an IPsec Proposal.” Create Named Objects for the VPN (Optional) You might want to configure the named objects indicated in Table 7-6. For your reference, this table includes the location where you would specify these named objects. However, later configuration instructions will indicate when you actually need to specify each object.
Example Figure Reference: 3. Named Object Description: The actual IP addresses of remote VPN clients*. Named Object Type: Single-entry or multiple-entry IP, range, or network address object. Where specified: • Source or Destination for firewall access policies that permit IKE traffic • If IKE mode config is not used: – Remote Address in the *If IKE mode config is not used and you want to use this object in an IPsec policy, the object must be single-entry.
You can, of course, configure other objects that are appropriate for your environment. And you might choose not to configure some of the objects. For example, you might not know the actual IP address of every remote VPN client, particularly when remote users connect through the Internet. Or the IP addresses might not be contiguous, preventing you from placing them in a single-entry object (which is required for address objects used in VPNs).
Figure 7-42. Add IPsec Proposal Window 4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5. 5. For Encapsulation Mode, typically select Tunnel Mode. Tunnel mode allows remote endpoints to reach services behind the TMS zl Module.
8. If you selected either ESP or AH, for Authentication Algorithm, select one of the following: • None • MD5 • SHA-1 • AES-XCBC You must not select None if you selected AH for the Security Protocol or if you selected NULL for the ESP Encryption Algorithm. 9. Click OK. The IPsec proposal is displayed in the VPN > IPsec > IPsec Proposals window. Figure 7-43. VPN > IPsec > IPsec Proposals Window (Proposal Added) 10. Click Save.
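The proposal rules in steps 4 through 8 (name of 1 to 32 alphanumeric characters, Tunnel or Transport mode, AH or ESP, and no None authentication with AH or with NULL ESP encryption) can be checked offline. The following is an added example, not the module's own code; the list of ESP encryption algorithms other than NULL is an assumption, and the naming helper simply reproduces the guide's ESP3desMD5 convention.

```python
import re

# Added example, not the TMS zl Module's own code. Window choices named in the
# guide are modelled as strings; ESP_ENC_ALGS beyond NULL is an assumed list.

NAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
MODES = ("Tunnel", "Transport")
PROTOCOLS = ("AH", "ESP")
AUTH_ALGS = ("None", "MD5", "SHA-1", "AES-XCBC")
ESP_ENC_ALGS = ("NULL", "DES", "3DES", "AES")  # NULL is from the guide; the rest are assumed


def validate_proposal(proposal, existing_names=()):
    """Return a list of error strings; an empty list means the proposal is acceptable.

    proposal: dict with keys name, mode, protocol, auth and, for ESP, encryption.
    existing_names: names already used by other proposals (must be unique).
    """
    errors = []
    name = proposal.get("name", "")
    if not NAME_RE.match(name):
        errors.append("name must be 1 to 32 alphanumeric characters")
    elif name in existing_names:
        errors.append("name must be unique among proposals")

    if proposal.get("mode") not in MODES:
        errors.append("encapsulation mode must be Tunnel or Transport")

    protocol = proposal.get("protocol")
    auth = proposal.get("auth")
    if protocol not in PROTOCOLS:
        errors.append("security protocol must be AH or ESP")
    if auth not in AUTH_ALGS:
        errors.append("authentication algorithm must be one of " + ", ".join(AUTH_ALGS))

    # AH provides integrity only, so it needs an authentication algorithm.
    if protocol == "AH" and auth == "None":
        errors.append("AH requires an authentication algorithm (None is not allowed)")

    if protocol == "ESP":
        enc = proposal.get("encryption")
        if enc not in ESP_ENC_ALGS:
            errors.append("ESP encryption algorithm must be one of " + ", ".join(ESP_ENC_ALGS))
        # NULL encryption with no authentication would leave the SA with no protection.
        elif enc == "NULL" and auth == "None":
            errors.append("ESP with NULL encryption requires an authentication algorithm")
    return errors


def suggested_name(proposal):
    """Build a name that records the algorithms, in the guide's ESP3desMD5 style."""
    parts = [proposal.get("protocol", "")]
    if proposal.get("protocol") == "ESP":
        parts.append(proposal.get("encryption", "").replace("-", "").lower())
    parts.append(proposal.get("auth", "").replace("-", ""))
    return "".join(parts)


if __name__ == "__main__":
    # Constructed samples: one acceptable proposal and two that the window rejects.
    for p in [{"name": "ESP3desMD5", "mode": "Tunnel", "protocol": "ESP", "encryption": "3DES", "auth": "MD5"},
              {"name": "AHnone", "mode": "Tunnel", "protocol": "AH", "auth": "None"},
              {"name": "ESPnull", "mode": "Tunnel", "protocol": "ESP", "encryption": "NULL", "auth": "None"}]:
        print(p["name"], validate_proposal(p) or "ok")
```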
Figure 7-44. VPN > IPsec > IPsec Policies Window 3. Click Add IPsec Policy. Figure 7-45. Add IPsec Policy Window—Step 1 of 4 4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later. 6. For Action, select how the TMS zl Module treats traffic that is selected for this policy (which you will configure in step 8): • Apply—Traffic is forwarded to its destination and is secured by the IPsec SA. This is the typical selection.
Caution If your traffic selector will include management traffic to the TMS zl Module itself, you first must configure a Bypass policy with top priority that selects the management traffic, or you will be locked out of the Web browser interface. If you do lock yourself out, reboot the module, but DO NOT SAVE the configuration.
8. For Traffic Selector, configure these settings: a. For Protocol, specify the protocol for traffic allowed over the VPN: – Any—Any IP protocol. Select this option when you want to select all traffic between local and remote endpoints. – TCP or UDP—Select this option in conjunction with a local port to allow remote clients to access only specific services in the local network.
If you will not use IKE mode config, you must match the exact value that the remote clients send for their local IP address (indicated by 3 in the example figure). Some clients always send their actual IP address. In this case, you must specify this single address and create a separate IPsec policy for each remote client. Other clients (such as the Mac IPSecuritas) can send an entire subnet.
Figure 7-47. Add IPsec Policy Window—Step 2 of 4 11. For Key Exchange Method, keep the default, Auto (with IKEv1). 12. For IKEv1 Policy, select a previously configured IKEv1 policy. You must select a policy of the client-to-site type. 13. Optionally, select the Enable PFS (Perfect Forward Secrecy) for keys check box, which forces the tunnel endpoints to generate new keys for the IPsec SA.
14. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes). This setting determines how long the IPsec SA remains open. When the lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl Module checks whether the SA has experienced any activity.
Figure 7-48. Add IPsec Policy Window—Step 3 of 4 17. Configure the IP addresses and other settings assigned to remote endpoints through IKE mode config. Note It is generally recommended that you use IKE mode config. However, if your clients do not support this feature, clear the Enable IP Address Pool for IRAS (Mode Config) check box and move to step 18. a. The Enable IP Address Pool for IRAS (Mode Config) check box should be selected. b.
c. For Firewall Zone, select the zone for remote clients after they establish the VPN connection. When you configure firewall access policies for the IKE mode config addresses, use this zone. d. For IP Address Ranges, type one or more ranges of IP addresses in the same subnet as the IRAS. Type each range on its own line, using this format: -. For example, type 172.16.100.50-172.16.100.74.
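An added example (not the module's own code) of how the IP Address Ranges box in step 17d can be validated before it is entered: each line is parsed as a start-end range, both ends must fall inside the IRAS subnet, the start must not be above the end, and ranges must not overlap. The IRAS subnet and the sample ranges are constructed values; the function names are assumptions.

```python
import ipaddress

# Added example, not the TMS zl Module's own code. Parses the IP Address Ranges
# box (one start-end range per line) and applies the checks the guide implies:
# both ends inside the IRAS subnet, start not above end, no overlap between
# ranges. IRAS_SUBNET and SAMPLE_RANGES are constructed values.


def parse_address_ranges(text, iras_subnet):
    """Return a list of (start, end) address pairs, or raise ValueError."""
    subnet = ipaddress.ip_network(iras_subnet, strict=False)
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.count("-") != 1:
            raise ValueError(f"line {lineno}: expected start-end, got {line!r}")
        start_text, end_text = (part.strip() for part in line.split("-"))
        try:
            start = ipaddress.ip_address(start_text)
            end = ipaddress.ip_address(end_text)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if start not in subnet or end not in subnet:
            raise ValueError(f"line {lineno}: {line} is outside the IRAS subnet {subnet}")
        if start > end:
            raise ValueError(f"line {lineno}: start {start} is above end {end}")
        for prev_start, prev_end in ranges:
            if start <= prev_end and prev_start <= end:
                raise ValueError(f"line {lineno}: {line} overlaps {prev_start}-{prev_end}")
        ranges.append((start, end))
    if not ranges:
        raise ValueError("no address ranges given")
    return ranges


def check_address_ranges(text, iras_subnet):
    """Non-raising wrapper: (ranges, None) on success, ([], error message) otherwise."""
    try:
        return parse_address_ranges(text, iras_subnet), None
    except ValueError as exc:
        return [], str(exc)


def pool_size(ranges):
    """Number of addresses the pool can hand out to remote clients."""
    return sum(int(end) - int(start) + 1 for start, end in ranges)


# Constructed sample: the IRAS sits in 172.16.100.0/24 and two ranges are pooled.
IRAS_SUBNET = "172.16.100.1/24"
SAMPLE_RANGES = "172.16.100.50-172.16.100.74\n172.16.100.80-172.16.100.89\n"

if __name__ == "__main__":
    ranges, error = check_address_ranges(SAMPLE_RANGES, IRAS_SUBNET)
    print(error or f"{len(ranges)} ranges, {pool_size(ranges)} addresses")
```

A range typed without the hyphen, or one that drifts into a neighbouring subnet, is reported with its line number rather than silently producing a pool the IRAS cannot serve.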
Figure 7-49. Add IPsec Policy Window—Step 4 of 4 19. If desired, configure settings in the Advanced Settings (Optional) section. a. Select the check boxes for the advanced features that you want to enable: – Enable IP compression – Enable extended sequence number – Enable re-key on sequence number overflow This setting is enabled by default. – Enable persistent tunnel – Enable fragment before IPsec This setting is enabled by default.
b. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Anti-Replay Window” on page 7-21 for more information. c. For DF Bit Handling, select one of these options: – Copy DF bit from clear packet – The TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
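To make the Anti-Replay Window Size setting concrete, here is an added example (not the module's implementation) of a sliding anti-replay window over ESP/AH sequence numbers in the style of RFC 4303: a packet ahead of the window advances it, a packet inside the window is accepted once and rejected as a replay afterwards, and a packet behind the window is rejected as too old. The class name, the result strings and the packet arrival order are assumptions.

```python
# Added example, not the TMS zl Module's own code. Models the receive-side
# anti-replay check that the window size setting parameterises.


class AntiReplayWindow:
    """Sliding window over IPsec sequence numbers.

    size is the Anti-Replay Window Size (32 to 1024): the number of most recent
    sequence numbers, counting back from the highest seen, that may still arrive.
    """

    def __init__(self, size=64):
        if not 32 <= size <= 1024:
            raise ValueError("window size must be between 32 and 1024")
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.received = set()   # sequence numbers inside the window already seen

    def _low_edge(self):
        return self.highest - self.size + 1

    def check(self, seq):
        """Return 'accept', 'replay', 'too_old' or 'invalid'; accept updates state."""
        if seq <= 0:
            return "invalid"            # sequence number 0 is never transmitted
        if seq > self.highest:
            # Ahead of the window: slide it forward and forget what fell off the left.
            self.highest = seq
            low = self._low_edge()
            self.received = {s for s in self.received if s >= low}
            self.received.add(seq)
            return "accept"
        if seq < self._low_edge():
            return "too_old"            # arrived further out of order than the window allows
        if seq in self.received:
            return "replay"             # already accepted once; a duplicate is dropped
        self.received.add(seq)
        return "accept"


def run_sample(size):
    """Constructed arrival order: in-order, slightly late, replayed, a jump, far behind."""
    window = AntiReplayWindow(size)
    arrivals = [1, 2, 3, 5, 4, 3, 40, 9, 8, 40]
    return [window.check(seq) for seq in arrivals]


if __name__ == "__main__":
    for size in (32, 64):
        print(size, run_sample(size))
```

With a 32-packet window, sequence number 8 arriving after 40 is rejected as too old because the window now starts at 9; with a 64-packet window the same packet is accepted. A larger value therefore tolerates more reordering on the path, at the cost of a larger replay-tracking state per SA.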
Create Access Policies for an IPsec Client-to-Site VPN Before you begin configuring firewall access policies, determine the zone on which traffic from the remote endpoints arrives. This is the zone associated with the TMS VLAN on which the local VPN gateway address is configured. Often, this is the External zone, but it could be another zone. The instructions below will refer to this zone as the “remote zone.”
Table 7-7 lists the necessary access policies; the numbers in the Source and Destination columns refer to the example figure above. For access policies that permit the traffic sent over the tunnel, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system. (The remote client will set the MSS correctly on its own; however, your local devices, which are unaware of the VPN, might not.
When Required User Group No IKE mode config • No IKE mode config • Local endpoints initiate sessions with remote From Zone To Zone Service Source Destination TCP MSS Number of policies XAUTH Remote user groups or None SELF Any you choose 3 2 1356 As many as you choose None (or Local local user groups) Remote Any you choose 2 3 1356 As many as you choose When NAT-T is None used Remote SELF NAT-T (ipsec-natt-udp) 3 or
You can use a previously configured address object or specify the address manually. Alternatively, leave Any Address. Figure 7-52. Add Policy Window g. Optionally, select the Enable logging on this Policy check box if you want to view log messages for this policy. Note It is not recommended that you enable logging permanently, because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only. h. 4.
f. For Destination, accept the default, Any Address. If you know the public addresses of all of your remote endpoints and have created a named object with those addresses, you can specify that object here. However, allowing any IP address is the easiest way to set up the VPN. g. Optionally, select the Enable logging on this Policy check box if you want to view log messages for this policy. Note
d. For Service, leave Any Service. This is the most basic configuration. You could create access policies that permit only certain types of traffic. e. For Source, specify the IKE mode config addresses (either manually or with a previously configured named object). In the example figure, these addresses are indicated with the number 4. Note If you did not configure IKE mode config, specify the remote endpoints’ actual IP addresses.
9. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between the remote endpoints and the module), you must create two access policies to allow the NAT-T traffic: a. For Action, accept the default: Permit Traffic. b. For From, select the remote zone. c. For To, select Self. d. For Service, select ipsec-nat-t-udp. e. For Source, specify Any Address.
Verify Routes for the IPsec Client-to-Site VPN In the Network > Routing > View Routes window, verify that your TMS zl Module knows a route or routes to the remote endpoints. These routes can be a default route, static routes, or routes discovered through a dynamic routing protocol. The routes’ forwarding interface must be the interface with the IP address that you specified as the local gateway address in the IKE policy.
Figure 7-54.
Virtual Private Networks Configure an IPsec Site-to-Site VPN with IKE Configure an IPsec Site-to-Site VPN with IKE To configure an IPsec site-to-site VPN that uses IKE, you must complete these tasks: 1. Optionally, create named objects, which you can use in IPsec policies as well as corresponding firewall access policies. Using named objects is best practice; however, you can specify IP addresses manually. See “Create Named Objects for the VPN (Optional)” on page 7-77. 2. Create an IKE policy.
Create Named Objects for the VPN (Optional) You might want to configure the named objects indicated in Table 7-8. (You can, of course, configure other objects that are appropriate for your environment.) For your reference, this table includes the location where you would specify these named objects. However, the configuration instructions will indicate when you actually need to specify each object.
Figure 7-55. Example IPsec Site-to-Site VPN Create an IKE Policy for a Site-to-Site IPsec VPN Follow these steps to create an IKE policy that the TMS zl Module can use to negotiate a site-to-site VPN: 1. In the left navigation bar of the Web browser interface, click VPN > IPsec. 2. Click the IKEv1 Policies tab. Figure 7-56. VPN > IPsec > IKEv1 Policies Window 3. Click Add IKE Policy. The Add IKE Policy window is displayed.
Figure 7-57. Add IKE Policy Window—Step 1 of 3 4. For IKE Policy Name, type a string that is unique to this policy. The string can include 1 to 32 alphanumeric characters. 5. For IKE Policy Type, select Site-to-Site (Initiator & Responder). The TMS zl Module will respond to IKE messages from the gateway at the remote site.
Figure 7-58. Example IPsec Site-to-Site VPN 6. For Local Gateway, specify an IP address on this module. You have two options: • Select IP Address and type the IP address in the box. The IP address must be an IP address configured on the TMS zl Module. Type an address that the remote gateway can reach (indicated by 1 in the example figure). • Select Use VLAN IP Address and select a VLAN from the list.
Note Later you will configure firewall access policies to allow the IKE messages from the remote gateway. 8. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself. This ID must match exactly, in both type and value, the remote ID specified on the remote endpoint. For more information about ID types, see “IKE Phase 1” on page 7-13. a.
Figure 7-59. Add IKE Policy Window—Step 2 of 3 11. Under IKE Authentication, configure these settings: a. For Key Exchange Mode, select Main Mode or Aggressive Mode. The mode must match that configured on the remote endpoint. See “IKE modes” on page 7-16 for guidelines. b.
12. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA: a. For Diffie-Hellman (DH) Group, select the group for the Diffie-Hellman exchange: – Group 1 (768) – Group 2 (1024) – Group 5 (1536) The group determines the length of the prime number used during the exchange. The larger the number, the more secure the key generated by the exchange. b.
Figure 7-60. Add IKE Policy Window—Step 3 of 3 14. If you want, configure XAUTH, which is an optional additional layer of security. Otherwise, leave Disable XAUTH selected and move to step 15. You can configure the TMS zl Module to act either as a client (authenticate itself) or as a server (authenticate the remote gateway): • Select TMS acts as XAUTH Server.
Figure 7-61. Add IKE Policy Window—Step 3 of 3 (XAUTH Server Enabled) • For Authentication Type, select Generic or CHAP. At some point, you must configure the username and password for the remote gateway in one of these locations: – An external RADIUS server—Remember to add the RADIUS server in the Network > Authentication > RADIUS window.
Figure 7-62. Add IKE Policy Window—Step 3 of 3 (XAUTH Client Enabled) i. For Authentication Type, select Generic or CHAP. CHAP offers greater security. ii. For Username, type a username accepted by the remote gateway’s authentication server. iii. For Password, type the password associated with that username. 15. Click Finish. The IKE policy is displayed in the VPN > IPsec > IKEv1 Policies window. Figure 7-63.
Move to the next task: ■ If you selected DSA or RSA signatures for the authentication method, “Install Certificates for IKE” on page 7-87. ■ If you selected pre-shared key for the authentication method, “Create an IPsec Proposal” on page 7-102. Install Certificates for IKE If you selected DSA or RSA signatures for the authentication method in the IKEv1 policy, you must install certificates on the TMS zl Module.
Figure 7-64. VPN > Certificates > IPsec Certificates Window 3. Add a private key. You have two options: • Generate the private key on the TMS zl Module. See step 4. • Import a private key generated elsewhere. See step 5. 4. Generate the private key on the TMS zl Module: a. In the Private Keys section, click Generate Private Key. Figure 7-65. Generate Private Key Window b.
c. For Key Algorithm, select RSA or DSA. When you configured the IKEv1 policy, you selected DSA Signature or RSA Signature for Authentication Method (see step 11b on page 7-82). Match this setting. d. For Key Size, select 512, 1024, or 2048, which determines the length of the key in bits. e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window. Figure 7-66.
Figure 7-67. Import Private Key Window c. For Private Key Identifier, type a descriptive string between 1 and 31 alphanumeric characters. The string must be unique to this key. d. For Select Private Key, type the path and filename for the private key. Alternatively, click Browse and navigate to the private key file. e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window. f. 6.
7. For Certificate Name, type a descriptive alphanumeric string. The name must be unique for this request. 8. For Signature Algorithm, select the algorithm used to sign the certificate: • MD5 with RSA • SHA-1 with RSA • SHA-1 with DSA You must select the same algorithm that is used by the private key. That is, select MD5 with RSA or SHA-1 with RSA for an RSA key; select SHA-1 with DSA for a DSA key. 9.
Note The subject name or one of the subject alternate names must match these settings: • The local ID in your IKE policies that use this certificate • The remote ID in IKE policies on remote tunnel endpoints that verify this certificate The name must match in both type and value. For example, if you have typed TMS.procurve.
Figure 7-70. Certificate Request Data Window 14. Copy the data (for example, by pressing [Ctrl] + [c]) and paste it in a document created in a text editor. Save the file (if necessary, using the file extension required by your CA). Click OK in the Certificate Request Data window to close the window. 15. Submit the certificate request file to your CA.
Figure 7-71. VPN > Certificates > Certificate Authorities Window 19. Click Import Certificate. Figure 7-72. Import Certificate Window 20. Under Select global trusted certificate, type the path and filename for the CA root certificate. Alternatively, click Browse and navigate to the CA root certificate file. 21. Click Apply. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. Figure 7-73.
Note If you receive an error message, the TMS zl Module cannot validate the CA certificate. A common problem is that the module has the incorrect time. The module takes its clock from the host switch. Verify that this switch has the correct time. 22. Next, you must import the module’s certificate. Click the IPsec Certificates tab. Figure 7-74. VPN > Certificates > IPsec Certificates Window 23.
25. Click Apply. The module’s certificate is displayed under Certificates in the VPN > IPsec > IPsec Certificates window. Figure 7-76. VPN > Certificates > IPsec Certificates (Certificate Installed) 26. Finally, you must install the CRL. Click the CRL tab. Figure 7-77. VPN > Certificates > CRL Window 27. Click Import CRL.
Figure 7-78. Import CRL Window 28. For Select CRL, type the path and filename for the CRL. Alternatively, click Browse and navigate to the CRL file. 29. Click OK. The CRL is displayed in the VPN > Certificates > CRL window. Figure 7-79. VPN > Certificates > CRL Window (CRL Added) 30. Click Save. Move to the next task: “Create an IPsec Proposal” on page 7-102.
Figure 7-80. VPN > Certificates > SCEP Window 3. For SCEP Server IP Address/Domain Name, type either the IP address or FQDN of your CA server. The CA must, of course, support SCEP. 4. For SCEP Server Port, type the port number on which your CA server listens for SCEP messages. The default port is 80. 5. For CGI-Path, type the correct path to the program on the CA server that executes SCEP functions.
10. Click Retrieve certificate through SCEP. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. (If the certificate is not imported, check the IP address or FQDN that you set in step 3 on page 7-98.) Figure 7-82. VPN > Certificates > Certificate Authorities Window 11. Next, you must import the TMS zl Module’s certificate.
Figure 7-84. Retrieve IPsec Certificate through SCEP Window 13. For Subject Name, typically you type the TMS zl Module’s FQDN after /CN=. The remote tunnel endpoint will use this subject name to authenticate the module. Therefore, the subject name must match a remote ID that is configured on the remote endpoint. You should also specify this name for the local ID value in the IKE policy (the type is Distinguished Name). 14.
Figure 7-85. VPN > Certificates > IPsec Certificates (Certificate Installed) 21. Next, you should install the CRL. Ask your CA administrator if you need a particular CGI path to the CRL distribution point. If you do, follow these steps: a. Click the SCEP tab. b. For CGI-Path, type the new path given to you by your CA. For example, for a Windows 2008 CA, you might type /CertEnroll/ .crl. c. Click Apply My Changes.
Figure 7-87. Retrieve CRL through SCEP Window 24. For Trusted Certificate, select the CA certificate that you imported with SCEP. 25. Click Apply. The CRL is displayed in the VPN > Certificates > CRL window. Figure 7-88. VPN > Certificates > CRL Window (CRL Added) Move to the next task: “Create an IPsec Proposal.”
1. In the left navigation bar of the Web browser interface, click VPN > IPsec. 2. Click the IPsec Proposals tab. Figure 7-89. VPN > IPsec > IPsec Proposals Window 3. Click Add IPsec Proposal. The Add IPsec Proposal window is displayed. Figure 7-90. Add IPsec Proposal Window 4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters. The string must be unique to this proposal.
• Transport Mode—In transport mode, the tunnel endpoints must originate all traffic sent on the VPN. In other words, the VPN only supports traffic originated by the TMS zl Module itself or by the remote endpoint. This mode is typically used when you are creating a proposal for GRE over IPsec site-to-site VPNs or L2TP over IPsec client-to-site VPNs. 6. For Security Protocol, select AH or ESP. 7.
10. Click Save. Create an IPsec Policy for a Site-to-Site VPN that Uses IKE This section explains how to configure an IPsec policy for an IPsec SA that is established between two gateway devices using IKE. The IPsec policy includes the settings that are negotiated during IKE phase 2 and also selects traffic for the VPN connection. Follow these steps to create the IPsec policy: 1.
Figure 7-93. Add IPsec Policy Window—Step 1 of 4 4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy. 5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later. 6.
To learn about creating Bypass and Deny policies, see “Configure Bypass and Deny IPsec Policies” on page 7-352.
7. For Position, type a number. The position determines the order in which the TMS zl Module processes IPsec policies. The module processes the policy with the lowest value first (for example, position 1 before position 2). The position matters most when policies have overlapping traffic selectors.
Figure 7-94. Example IPsec Site-to-Site VPN
8. For Traffic Selector, configure these settings:
a. For Protocol, specify the protocol for traffic allowed on the VPN:
– Any—Any IP protocol. Select this option when you want to allow all traffic between local and remote endpoints.
– TCP or UDP—Select this option in conjunction with a remote port to allow local traffic destined for specific services in the remote network.
Note
Typically, the local addresses are internal addresses on your private network while the local gateway address (which you configured in the IKE policy) is the TMS zl Module’s public or external address. If, however, for whatever reason the set of local addresses specified here includes the local gateway address, you must create a Bypass policy to exclude IKE traffic to and from the module from the VPN.
Figure 7-95. Add IPsec Policy Window—Step 2 of 4
11. For Key Exchange Method, keep the default, Auto (with IKEv1).
12. For IKEv1 Policy, select a previously configured IKEv1 policy. Select the IKEv1 policy that specifies the remote gateway for the remote addresses configured in this policy’s traffic selector.
13.
14. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Alternatively, type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes). This setting determines how long the IPsec SA remains open. When the lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl Module checks whether the SA has experienced any activity.
Figure 7-96. Add IPsec Policy Window—Step 3 of 4
17. The Step 3 of 4 window allows you to configure settings for IKE mode config, which is not valid for a site-to-site VPN. Click Next.
Figure 7-97. Add IPsec Policy Window—Step 4 of 4
18. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable extended sequence number
– Enable re-key on sequence number overflow
This setting is enabled by default.
– Enable persistent tunnel
– Enable fragment before IPsec
This setting is enabled by default.
b. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Anti-Replay Window” on page 7-21 for more information.
c. For DF Bit Handling, select one of these options:
– Copy DF bit from clear packet—The TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
Move to the next task: configuring firewall access policies that permit traffic associated with the VPN.

Create Access Policies for an IPsec Site-to-Site VPN that Uses IKE
Before you begin configuring firewall access policies, determine the zone on which traffic from the remote gateway arrives. Typically, this is the External zone, but it could be another zone. The instructions below will refer to this zone as the “remote zone.”
might make the packets too large to be transmitted. Table 7-10 suggests a conservative value for the TCP MSS when the MTU is 1500. For more information on the TCP MSS, see the introduction to “Firewall Access Policies” on page 4-22 of Chapter 4: “Firewall.”
Note
The value for TCP MSS in the table is only a suggestion. You should determine the best MSS for your environment.
Table 7-10.
You can select a previously configured address object or type the IP address manually (click Options and select Enter custom IP, IP/mask or IP-Range).
f. For Destination, specify the IP address that you configured for the local gateway in the IKE policy. You can specify the address manually or select a previously configured address object. Alternatively, select Any Address.
Figure 7-100. Add Policy Window
g. Click Apply.
6.
f. For Destination, specify the remote gateway IP address (either manually or by specifying a previously configured address object).
Figure 7-101. Add Policy Window
g. Click Apply.
7. Permit traffic from the local endpoints to the remote endpoints:
a. For Action, leave the default, Permit Traffic.
b. For From, select the local zone.
c. For To, select the remote zone.
d. For Service, leave Any Service.
f. For Destination, specify the remote IP addresses which the local users are allowed to access. In the most basic setup, these are the same IP addresses configured as remote addresses in the IPsec traffic selector. You can specify the IP addresses manually or by selecting a previously configured address object.
Figure 7-102. Add Policy Window
g. Click the Advanced tab.
h.
8.
e. For Source, specify the remote IP addresses allowed to send traffic on the VPN (either manually or by specifying a previously configured address object).
f. For Destination, specify the local addresses which the remote users are allowed to access (either manually or by specifying a previously configured address object).
g. Click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your system.
9.
Verify Routes for an IPsec Site-to-Site VPN
In the Network > Routing > View Routes window, verify that the following routes exist. These routes can be static routes or routes discovered through a dynamic routing protocol:
■ A route to the remote VPN gateway
The route’s forwarding interface must be the interface with the IP address that you specified as the local gateway address in the IKE policy. This can be a default route.
Configure an IPsec Site-to-Site VPN with Manual Keying
To configure an IPsec VPN connection, you must complete these tasks:
1. Optionally, create named objects, which you can use in IPsec policies as well as corresponding firewall access policies. Using named objects is best practice; however, you can specify IP addresses manually. See “Create Named Objects for the VPN (Optional)” on page 7-122.
2. Create an IPsec proposal.
See “Named Objects” in Chapter 4: “Firewall” for step-by-step instructions for configuring objects.
Table 7-11.
You can configure multiple IPsec proposals. In a later task, you will specify a proposal in an IPsec policy. The algorithm or algorithms in that proposal will secure traffic that is part of IPsec tunnels (VPN connections) that are established with that policy. Follow these steps to configure an IPsec proposal:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IPsec Proposals tab.
Tunnel mode allows endpoints behind the TMS zl Module and the remote gateway to forward traffic over the VPN. In transport mode, traffic must be originated by the TMS zl Module itself or by the remote gateway. This mode is typically used when you are creating a proposal for GRE over IPsec site-to-site VPNs or L2TP over IPsec client-to-site VPNs.
6. For Security Protocol, select AH or ESP.
7.
10. Click Save.

Create an IPsec Policy That Uses Manual Keying
This section explains how to configure an IPsec policy for an IPsec SA that is established with manual keys. The advantages and disadvantages of using manual keying are listed below:
■ Advantages
• Manual keying does not depend on the IKE protocol, so less processing is used initially to negotiate the SA.
Figure 7-109. Add IPsec Policy Window—Step 1 of 4
4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6. For Action, keep the default, Apply.
7.
A default IPsec policy prevents all traffic from being encrypted by the VPN engine; therefore, all IPsec policies that you configure must have a higher priority than this default policy.
Next, you configure the VPN traffic selector, which determines which traffic is selected by the policy. For example, the selector might specify all IP traffic between 192.168.2.0/24 (a local network) and 192.168.3.0/24 (a remote network).
8. For Traffic Selector, configure these settings:
a. For Protocol, specify the protocol for traffic allowed over the VPN:
– Any—Any IP protocol. Select this option when you want to select all traffic between local and remote endpoints.
– TCP or UDP—Select this option in conjunction with a remote port to allow local traffic destined for specific services in the remote network.
Do one of the following to specify addresses:
– Select Any to permit any IP address.
– Select the single-entry IP, range, or network address object that you configured for remote endpoints.
– Manually type an IP address, IP address range, or network address in CIDR format.
e. Remote Port is present if you selected TCP or UDP for Protocol.
9.
Figure 7-112. Example IPsec Site-to-Site VPN
12. For Local Gateway, specify an IP address on the TMS zl Module that will act as the local VPN gateway (indicated by 1 in the figure). You have two options:
• Select IP Address and type an IP address on the module in the box. The IP address must be an IP address already configured on the TMS zl Module. Type the address that the remote gateway can reach.
Figure 7-113. Add IPsec Policy Window—Step 2 of 4 (Bottom Section)
14. Next, set the SPI and keys for the protocol that you selected in the IPsec proposal (ESP, in the example displayed in Figure 7-113). The correct number of characters for a key depends on the algorithm that you selected in the IPsec proposal and is indicated to the right of the box.
Figure 7-114. Add IPsec Policy Window—Step 3 of 4
16. The Step 3 of 4 window allows you to configure settings for IKE Mode Config, which is not valid for a site-to-site VPN. Click Next.
Figure 7-115. Add IPsec Policy Window—Step 4 of 4
17. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable fragment before IPsec
This setting is enabled by default.
For information and guidelines on these settings, see “Advanced IPsec Features” on page 7-21.
b.
– The TMS zl Module copies the DF bit setting for the IPsec packet from the inner IP packet.
– Set DF bit—The module sets the DF bit for all IPsec packets.
– Clear DF bit—The module clears the DF bit for all IPsec packets.
See “The Copying of Values from the Original IP Header” on page 7-23 for more information.
d. Under DSCP Options, choose how the TMS zl Module assigns DSCP values to IPsec packets.
Create Access Policies for an IPsec Site-to-Site VPN with Manual Keying
Before you begin configuring firewall access policies, determine the zone on which traffic from the remote tunnel gateway arrives. Typically, this is the External zone, but it could be another zone. The instructions below will refer to this zone as the “remote zone.” You should also determine the zone for local endpoints allowed on the VPN.
Note
The value for TCP MSS in the table is only a suggestion. You should determine the best MSS for your environment.
Table 7-12.
Figure 7-118. Add Policy Window
g. Click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your system. For example, type 1356.
i. Click the Basic tab.
j. Click Apply.
5. Permit traffic from the remote endpoints to the local endpoints:
a. For Action, leave the default, Permit Traffic.
b. For From, select the remote zone.
c. For To, select the local zone.
d.
You can specify the addresses manually or select a previously configured address object.
g. Click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your system. For example, type 1356.
i. Click the Basic tab.
j. Click Apply.
6. In the Add Policy window, click Close.
Figure 7-119.
Layer 2 Tunneling Protocol (L2TP) over IPsec Concepts
Microsoft VPN clients use Layer 2 Tunneling Protocol (L2TP) over IPsec to establish VPN connections. The TMS zl Module can act as a gateway for these endpoints, allowing them remote access to the private network. L2TP is a session-layer protocol (Layer 5) that mimics a data-link protocol (Layer 2).
Configure an L2TP over IPsec VPN
You must complete these tasks to establish a client-to-site VPN that uses L2TP over IPsec:
1. Create named objects (optional).
2. Create a client-to-site IKE policy. Only one IKE policy can specify the client-to-site type, main mode, and preshared keys. Therefore, if you are using preshared key authentication, you must configure a single policy that is valid for all of your remote L2TP users.
Create Named Objects for the VPN (Optional)
You might want to configure the named objects indicated in Table 7-13. For your reference, this table includes the location where you would specify these named objects. However, configuration instructions will indicate when you actually need to specify each object. The table also includes a reference to numbers in Figure 7-120.
Figure 7-120. Example L2TP over IPsec VPN
You can, of course, configure other objects that are appropriate for your environment. And you might choose not to configure some of the objects. For example, you might not know the actual IP address of every remote VPN client, particularly when remote users connect through the Internet.
Figure 7-121. VPN > IPsec > IKEv1 Policies Window
3. Click Add IKE Policy.
4. For IKE Policy Name, type a string that is unique to this policy. For example, type ClientVPN. The string can include 1 to 15 alphanumeric characters.
5. For IKE Policy Type, select Client-to-Site (Responder).
Figure 7-122. Add IKE Policy Window—Step 1 of 3
Remote endpoints will initiate the VPN connection. The TMS zl Module will respond to their IKE messages.
Note
Later you will configure firewall access policies to allow the IKE messages from the remote endpoints.
Refer to Figure 7-123 for help configuring the next setting.
Figure 7-123. Example L2TP over IPsec VPN
6. For Local Gateway, specify the TMS zl Module IP address that will act as the VPN gateway (indicated by 1 in the figure). You have two options:
• Select IP Address and type an IP address in the box.
7. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself. (For more information about ID types, see “IKE Phase 1” on page 7-13.)
a. For Type, select the ID type:
– IP Address
– Domain Name
– Email Address
– Distinguished Name
b. For Value, type the correct value. You can select any type.
Table 7-15. Valid Remote IDs for an L2TP over IPsec VPN to Windows Clients
Remote ID Type        Remote ID Value for Preshared Key
IP Address            0.0.0.0
Domain Name           Example: procurve.com
Email                 not applicable
Distinguished Name    not applicable
9. Click Next.
Figure 7-124. Add IKE Policy Window—Step 2 of 3
10. Under IKE Authentication, configure the authentication method for the IKE proposal:
a. For Key Exchange Mode, select Main Mode.
The string (which is case-sensitive) must match the string that is configured on the remote endpoints.
11. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA. A Windows XP client sends five IKE security proposals, four of which are compatible with the TMS zl Module. See Table 7-16 for a list of these proposals; you must configure the Security Parameters Proposal to match one.
c. For Authentication Algorithm, select one of these protocols, listed from least secure (and least processor-intensive) to most:
– MD5
– SHA-1
d. For SA Lifetime in Seconds, leave the default, 28800. Remember that this setting applies to the IKE SA, which is a temporary tunnel used only to establish the IPsec SA.
12. Click Next.
13. Under XAUTH Configuration (Optional), leave the default, Disable XAUTH.
Figure 7-125.
Figure 7-126. VPN > IPsec > IKEv1 Policies (Client-to-Site Policy Added)

Create an IPsec Proposal for an L2TP over IPsec VPN
Each IPsec proposal specifies the following:
■ IPsec mode (tunnel or transport)
■ IPsec security protocol:
• AH and a single authentication algorithm
• ESP, a single authentication algorithm, and a single encryption algorithm
You can configure multiple IPsec proposals.
Figure 7-128. Add IPsec Proposal Window
4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5.
5. For Encapsulation Mode, select Transport Mode.
7. Select one of the following for Encryption Algorithm, referring to Table 7-17:
• NULL—If you select this option, traffic will not be encrypted.
• DES
• 3DES
• AES-128 (16)
• AES-192 (24)
• AES-256 (32)
The number in parentheses after AES options indicates the key length for the algorithm in bytes.
8.
Follow these steps to create the IPsec policy:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IPsec Policies tab.
Figure 7-130. VPN > IPsec > IPsec Policies Window
3. Click Add IPsec Policy.
Figure 7-131.
4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6.
Caution
For this policy, you will specify a local TMS zl Module IP address. Be very careful to specify UDP for the protocol and 1701 for the local and remote ports. Otherwise, you might select management traffic for the VPN and lock yourself out of the Web browser interface. If you do lock yourself out, reboot the module, but DO NOT SAVE the configuration.
b. For Local Address, type the IP address configured as the local gateway in the IKE policy (indicated by 1 in the figure).
c. For Local Port, type 1701.
d. For Remote Address, select Any. Alternatively, you could specify a specific IP address, range of IP addresses, or subnet (indicated by 3 in the figure).
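The lock-out caution above, like the earlier note about local addresses that include the local gateway, comes down to which flows the traffic selector matches. The following is an added example, not code from the HP manual: it models the selector fields (Protocol, Local Address, Local Port, Remote Address, Remote Port) and checks a constructed traffic mix against a careless selector and the UDP/1701 selector the procedure specifies. The module address 192.168.115.2 and the client and administrator addresses are constructed for the example.

```python
"""Model of the Add IPsec Policy traffic selector.  Added example, not HP's
code.  Every address below is constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection as seen from the TMS zl Module: the local side is the
    module itself or a host behind it, the remote side is the peer."""
    name: str
    proto: str        # 'tcp', 'udp', ...
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


class TrafficSelector:
    def __init__(self, protocol='any', local='any', local_port=None,
                 remote='any', remote_port=None):
        self.protocol = protocol.lower()
        self.local, self.local_port = local, local_port
        self.remote, self.remote_port = remote, remote_port

    @staticmethod
    def _addr_ok(spec, ip):
        # Address fields accept Any, a single IP, a CIDR network or a range.
        if spec == 'any':
            return True
        addr = ipaddress.ip_address(ip)
        if '-' in spec:
            low, high = (ipaddress.ip_address(p.strip())
                         for p in spec.split('-', 1))
            return low <= addr <= high
        return addr in ipaddress.ip_network(spec, strict=False)

    def selects(self, flow):
        # Protocol Any selects every IP protocol; a port of None means any port.
        if self.protocol != 'any' and self.protocol != flow.proto:
            return False
        if self.local_port is not None and self.local_port != flow.local_port:
            return False
        if self.remote_port is not None and self.remote_port != flow.remote_port:
            return False
        return (self._addr_ok(self.local, flow.local_ip)
                and self._addr_ok(self.remote, flow.remote_ip))


def selected_flows(selector, flows):
    """Names of the flows the selector would pull into the IPsec SA."""
    return [f.name for f in flows if selector.selects(f)]


MODULE_IP = '192.168.115.2'     # constructed local gateway address

# Constructed traffic mix arriving at the module.
FLOWS = [
    Flow('l2tp_client', 'udp', MODULE_IP, 1701, '203.0.113.7', 1701),
    Flow('ike_client',  'udp', MODULE_IP, 500,  '203.0.113.7', 500),
    Flow('web_mgmt',    'tcp', MODULE_IP, 443,  '192.168.1.50', 52144),
    Flow('lan_to_peer', 'tcp', '10.1.1.9', 80,  '203.0.113.7', 40211),
]

# Protocol left at Any with the module's address as Local Address: the
# management session and the IKE exchange itself are selected too.
CARELESS = TrafficSelector(protocol='any', local=MODULE_IP)

# Selector as the procedure specifies: UDP, local and remote port 1701.
RECOMMENDED = TrafficSelector(protocol='udp', local=MODULE_IP, local_port=1701,
                              remote='any', remote_port=1701)

if __name__ == '__main__':
    print('careless selects:   ', selected_flows(CARELESS, FLOWS))
    print('recommended selects:', selected_flows(RECOMMENDED, FLOWS))
```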
Figure 7-133. Add IPsec Policy Window—Step 2 of 4
11. For Key Exchange Method, keep the default, Auto (with IKEv1).
12. For IKEv1 Policy, select the previously configured IKEv1 policy. You must select a policy of the client-to-site type.
13. Leave the Enable PFS (Perfect Forward Secrecy) for keys check box clear.
14. For SA Lifetime in Seconds, leave the default, 28800 (8 hours).
15. For SA Lifetime in Kilobytes, leave the default, 0.
16. Click Next.
17. Clear the Enable IP Address Pool for IRAS (Mode Config) check box.
Figure 7-134. Add IPsec Policy Window—Step 3 of 4
18. Click Next.
Figure 7-135. Add IPsec Policy Window—Step 4 of 4
19. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable re-key on sequence number overflow
This setting is enabled by default.
– Enable persistent tunnel
– Enable fragment before IPsec
This setting is enabled by default.
c. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Anti-Replay Window” on page 7-21 for more information.
d. For DF Bit Handling, select one of these options:
– Copy DF bit from clear packet—The TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
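The Anti-Replay Window Size setting, in this L2TP policy and in the site-to-site IKE policy earlier, bounds how far behind the newest accepted packet a late packet may arrive. The following is an added example, not code from the HP manual: a sliding anti-replay window in the style of RFC 4303 (an assumption about how the module applies the setting), run over a constructed arrival order so you can see which packets a 32-entry window drops as too old that a 64-entry window still accepts.

```python
"""Sliding anti-replay window for an IPsec SA.  Added example, not HP's
code: it follows the RFC 4303 scheme, which is an assumption about how the
module applies its Anti-Replay Window Size setting (32 to 1024)."""


class AntiReplayWindow:
    def __init__(self, size):
        if not 32 <= size <= 1024:
            raise ValueError('Anti-Replay Window Size must be 32 to 1024')
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number top - i was seen

    def check(self, seq):
        """Classify ESP sequence number seq as 'accept', 'replay' or
        'too_old' and, if accepted, record it in the window.
        Call this only after the packet's ICV has verified, so that a forged
        packet cannot advance the window and push out genuine ones."""
        if seq <= 0:
            return 'invalid'                   # ESP numbering starts at 1
        if seq > self.top:
            shift = seq - self.top             # window slides forward
            if shift >= self.size:
                self.bitmap = 1                # every older entry falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return 'accept'
        offset = self.top - seq                # packet arrived out of order
        if offset >= self.size:
            return 'too_old'                   # behind the window: dropped
        if (self.bitmap >> offset) & 1:
            return 'replay'                    # already seen: dropped
        self.bitmap |= 1 << offset
        return 'accept'


def classify(size, seqs):
    """Run received ESP sequence numbers, in arrival order, through one window."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


# Constructed arrival order: a burst jumps ahead, then late packets trickle in.
ARRIVALS = [1, 2, 3, 100, 2, 100, 70, 60, 70]

if __name__ == '__main__':
    for size in (32, 64):
        print(size, list(zip(ARRIVALS, classify(size, ARRIVALS))))
```

With a 32-entry window, sequence number 60 (40 behind the newest packet, 100) is dropped as too old; a 64-entry window still accepts it, while the repeated 2, 100 and 70 are rejected by both.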
Configure L2TP User Authentication
The TMS zl Module can force an L2TP user to authenticate in one of two ways:
■ Locally. See “Configure Local L2TP Authentication” on page 7-162.
■ To an external RADIUS server. See “Configure L2TP Authentication to an External RADIUS Server” on page 7-167.
Configure Local L2TP Authentication
When authenticating users to the local database, you must:
1. Create a user group for the L2TP over IPsec users.
3. Click Add user group.
Figure 7-138. Add user group Window
4. For Group Name, type a string to identify the L2TP user group.
5. Click OK.
If you want, add other groups for your L2TP users. This will allow you to assign different rights to different remote users when you create firewall access policies.
Add L2TP Users. When the TMS zl Module authenticates L2TP users locally, you must configure one account for each remote user.
Figure 7-139. Network > Authentication > L2TP Users Window
3. Under Local Authentication, click Add L2TP User.
Figure 7-140.
1. For User, type the username that the remote client will use to log on to the VPN connection. The name can be 1 to 16 alphanumeric characters.
2. For Password, type the password for the username.
3. For User Group, select one of the user groups that you configured on the TMS zl Module. When you configure firewall access policies that control this L2TP user’s traffic, you will configure them for this user group.
4.
6. Under Tunnel Configuration, for Server IP Address, type the IP address and subnet prefix length of the TMS zl Module in its capacity as L2TP Network Server (LNS). For example, type 172.16.80.1/24. This is a virtual IP address in an unused subnet (the subnet must not be configured as a TMS VLAN or a VLAN on the host switch). The subnet will be automatically placed in the External zone.
7.
Figure 7-142. Network > Authentication > L2TP Users Window (Dial-in User Added)
Move on to the next task: “Create Access Policies for an L2TP over IPsec VPN” on page 7-174.
Configure L2TP Authentication to an External RADIUS Server
When authenticating users to an external RADIUS server, you must:
1. Create user groups. See “Create a User Group” on page 7-168.
2.
Create a User Group. When the RADIUS server authenticates an L2TP user, it can send the name of a group to the TMS zl Module (in the Filter-ID attribute). If you have configured that same group on the module, the module will then apply the firewall access policies associated with that group to that user.
If you want to assign L2TP users to multiple groups, add the other groups now. For more information about user groups, see “Configure User Authentication” in Chapter 4: “Firewall.”
Specify a RADIUS Server. This section includes the basic steps for specifying a RADIUS server. See “Configure Authentication to an External RADIUS Server” in Chapter 4: “Firewall” for more detailed instructions.
1.
7. If you want, configure optional domain settings. The value that you configure for Domain Name determines the domain for L2TP users. If you do not want L2TP users to include a domain with their usernames when they authenticate, do not complete this setting.
8. Select the Strip domain from user name in RADIUS request check box if you want the TMS zl Module to remove the user’s domain name from the username submitted to the RADIUS server.
9.
This IP address cannot be on a subnet that is already configured on the TMS zl Module. It must be a virtual IP address in the same subnet as the virtual IP addresses that will be assigned to L2TP users.
5. Click Apply My Changes.
6. Click Save.
The domain names of RADIUS servers configured on the module are listed in the RADIUS Domain field of the table below. L2TP users must be within one of these domains in order to be authenticated.
If your RADIUS server does not provide dial-in addresses for authenticated L2TP clients, you must edit the RADIUS domain to create an IP address pool so that the TMS zl Module can assign the appropriate addresses. You can also specify DNS and WINS servers for the authenticated clients. Complete the following steps:
1. Click the Edit icon for the domain you are configuring. The Edit RADIUS domain window is displayed.
Figure 7-148.
Set Up a RADIUS Server to Work with the TMS zl Module. This section provides guidelines for setting up a RADIUS server so that it can provide L2TP authentication for the TMS zl Module. You should refer to your server’s documentation for precise instructions. You must complete the following on your RADIUS server:
■ Add the TMS zl Module as a client.
Table 7-19. RADIUS Attributes Required for L2TP RADIUS Access-Accept Messages
Attribute       Value
Service-Type    Framed
Filter-ID       Name of a user group on the TMS zl Module. The value must match exactly a name that you configured in “Create a User Group” on page 7-168. When a user authenticates with this policy, the firewall access policies configured for this group on the module will control the user’s access.
Figure 7-149 shows these zones in the example figure for an L2TP over IPsec VPN.
Figure 7-149. Example L2TP over IPsec VPN (with Zones)
Finally, you must note the user group (or groups) to which L2TP users are assigned. Users are assigned to these groups by local L2TP user accounts or by an external RADIUS server.
For access policies that permit the traffic sent over the VPN, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system. Otherwise, the addition of the L2TP, IP delivery, and IPsec headers might make the packets too large to be transmitted. Table 7-20 suggests a conservative value for the TCP MSS when the MTU is 1500.
The exact steps for configuring these policies are given below:
1. In the left navigation bar of the Web browser interface, select Firewall > Access Policies. The Unicast tab should be selected.
2. Click Add a Policy. The Add Policy window is displayed.
3. Allow IKE messages from the remote endpoints.
a. For Action, leave the default, Permit Traffic.
b. For From, select the remote zone.
c. For To, select SELF.
d.
g. Click Apply.
4. Allow IKE messages to the remote endpoints.
a. For Action, leave the default, Permit Traffic.
b. For From, select SELF.
c. For To, select the remote zone.
d. For Service, select isakmp.
e. For Source, leave Any Address or specify the IP address for the local VPN gateway.
f. For Destination, leave Any Address or specify the address object for remote endpoints.
5.
Figure 7-151. Add Policy Window
g. Click Apply.
6. Permit L2TP traffic from the module to the remote endpoints:
a. For Action, leave the default, Permit Traffic.
b. For From, select Self.
c. For To, select the remote zone.
d. For Service, select l2tp-udp.
e. For Source, leave Any Address or specify the local gateway IP address.
f. For Destination, leave Any Address or specify the address object for remote endpoints.
g.
7. If L2TP users are assigned to user groups, follow these steps:
a. Click Close.
b. In the Firewall > Access Policies > Unicast window, for User Group, select the group to which L2TP users are assigned.
c. Click Add a Policy.
8. Permit traffic from the remote endpoints to local endpoints:
a. For Action, leave the default, Permit Traffic.
b. For From, select External.
c. For To, select the local zone.
d.
e. For Source, specify Any Address. If you know the public addresses of all of your remote endpoints, you could create a named object with those addresses and specify that object here.
f. For Destination, leave Any Address or specify the local gateway IP address.
g. Click Apply.
h. For From, select Self.
i. For To, select the remote zone.
j. For Service, select ipsec-nat-t-udp.
k.
Figure 7-152 shows an L2TP over IPsec VPN in which the remote clients are on the subnets 172.22.3.0/24 and 10.78.15.0/24. For this VPN, a default route through 192.168.115.1 would work. However, to better illustrate the necessary routes, the figure shows two specific routes: one to each remote subnet. For both routes, the gateway is 192.168.115.1.
Generic Routing Encapsulation (GRE) Concepts

GRE is a Layer 2 protocol that can encapsulate any protocol that Ethernet can encapsulate. GRE tunneling establishes a virtual point-to-point connection between two devices across an intervening network. For example, you could use GRE to tunnel FTP or HTTP traffic between two networks across an intervening network.
In fact, a GRE tunnel will indicate that it is up before the other side of the tunnel is configured. This means that the local tunnel endpoint routes packets across the GRE tunnel even when the other endpoint is unreachable, and the packets are lost. The TMS zl Module supports a GRE tunnel keepalive mechanism, which enables each GRE tunnel endpoint to verify that the other tunnel endpoint is reachable.
Figure 7-153. Redundant GRE
Figure 7-153 shows redundant GRE tunnels between the TMS zl Module at Site A and the Secure Routers at Site B. The tunnels allow the workstations in VLAN10 at Site A to access the servers in VLAN8 at Site B. The primary GRE tunnel has the TMS zl Module’s address in VLAN99 as the local gateway and one Secure Router’s public IP address as the remote gateway.
Similarly, when you configure a redundant GRE tunnel, you must also configure routes to the remote networks through the redundant tunnel interface.
Configure a GRE Tunnel

To configure a GRE tunnel, complete the following tasks:
1. Optionally, create named objects, which you can use in firewall access policies related to the GRE tunnel. Using named objects is best practice; however, you can specify IP addresses manually. See “Create Named Objects (Optional)” on page 7-187.
2. Create the GRE tunnel. See “Create a GRE Tunnel” on page 7-188.
3. Verify that there is a route to the remote tunnel gateway.
See “Named Objects” in Chapter 4: “Firewall” for step-by-step instructions for configuring objects.
Table 7-21.
Figure 7-155. VPN > GRE > GRE Tunnels Window
3. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
Figure 7-156. Add GRE Tunnel Window
4. For Tunnel Name, type a name that is unique for this tunnel. The name can be from 1 to 10 alphanumeric characters. It is recommended that you use a name that indicates the destination of the tunnel.
5.
Refer to Figure 7-157 for help configuring the next settings.
Figure 7-157. Example GRE Tunnel (Including Tunnel Interface)
6. For Tunnel IP Address, type the TMS zl Module’s IP address on the tunnel interface (indicated by 5 in the figure). This IP address is a virtual address, and it must not be part of an existing TMS VLAN or other subnet in your network. This address will be the source address for tunneled packets.
7.
10. For Destination IP Address, type an accessible IP address on the remote tunnel gateway (indicated by 3 in the figure and different from the address configured on the subnet reserved for the tunnel).
11. To enable the keepalive feature for the GRE tunnel, select Enable Keepalive.
   a. For Period, type the interval, in seconds, between sending keepalives. This interval can be as short as 1 second or as long as 3600 seconds (1 hour).
   b.
Figure 7-159. VPN > GRE Window (Tunnel Added)
13. Click Save. If you want, repeat these steps to create a redundant tunnel.

Verify that a Route to the Remote Tunnel Gateway Exists

To establish the GRE tunnel, the TMS zl Module requires a route to the tunnel’s destination address (indicated by 3 in the example figure). The route can be to the specific address or to any network that includes that address.
Figure 7-160. Example GRE Tunnel

Configure Routes that Use the GRE Tunnel Interface

In order for the TMS zl Module to send traffic over the GRE tunnel, it must have routes to the appropriate subnets that use the GRE tunnel interface. You can:
■ Create static routes. See “Configure Static Routes” on page 7-193.
■ Set up RIP on the GRE tunnel interface. See “Configure RIP on a GRE Tunnel Interface” on page 7-195.
Figure 7-161. Add Static Route Window
3. For Destination Type, select the destination type. You can select any type, including Default Gateway. The TMS zl Module supports multiple default routes, so this is a valid option even when you are configuring a floating static route for a redundant tunnel.
Refer to Figure 7-162 for help configuring the next settings.
Figure 7-162.
4. If you have selected Network or Host, type the Destination Address, which depends on the destination type that you chose:
   • Network—type the IP address and subnet mask of the destination network (behind the remote tunnel gateway).
   • Host—type the IP address of the host (behind the remote tunnel gateway).
   The correct address corresponds to 4 in the example figure.
5.
Figure 7-163. Network > Routing > RIP Window
2. Select the Enable RIP check box.
3. Click Apply My Changes.
4. Click Enable RIP on an interface. The Enable RIP on Interface window is displayed.
Figure 7-164. Enable RIP on Interface Window
5. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
6. For Version, select the version used by the remote tunnel gateway. The TMS zl Module does not support RIP compatibility mode, so an interface listening for v2 updates will reject v1 updates. Therefore, you must select the version to match the remote gateway device or select both versions.
7.
   • MD5—The module and the remote tunnel gateway authenticate each other with MD5 authentication.
     – For Key ID, type the key ID, which must match the ID on other routers in this subnet.
     – For Key, type the key, which must match the key on other routers in this subnet.
10. Click OK.
11. Click Save.
Move on to the next task: “Create Access Policies for a GRE Tunnel” on page 7-200.
1. Select the Enable OSPF check box.
2. Click Apply My Changes.
3. Click Enable OSPF on an interface. The Enable OSPF on a VLAN window is displayed.
Figure 7-166. Enable OSPF on an Interface Window
4. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
5. For Area ID, type the number of the area to which you want to assign the GRE tunnel interface.
6. For Cost, type the cost (metric) of this route.
7.
9. Configure Authentication settings. These settings must match those on the remote tunnel gateway exactly. Do one of the following:
   • For Type, select None.
   • For Type, select Simple.
     i. For Password, type a password.
   • For Type, select MD5.
     i. For Key ID, type the authentication key ID (1-255).
     ii. For Key, type the 16-digit MD5 key.
10. Click OK.
11. Click Save.
Move on to the next task: creating access policies.
Figure 7-167. Example GRE Tunnel (with Zones)
Table 7-22 lists the necessary access policies; the numbers in the Source and Destination columns refer to the example figure above. (Note that all of these policies are typically configured for the None User group. However, if local users log in through the module, then the access policies with the local zone as the source zone would use that user group.
Table 7-22.
When Required | Type | From Zone | To Zone | Service | Source | Destination | MSS | Number of policies
• Dynamic routing over the tunnel • Default policies disabled | Multicast | SELF | Tunnel | OSPF or RIP | 5 | Any Address or multicast address | — | 1

Exact steps for configuring these policies are given in the sections below.

Unicast Access Policies

1. In the left navigation bar of the Web browser interface, click Firewall > Access Policies. You are at the Unicast tab.
Figure 7-168. Add Policy Window
   g. Note: Optionally, select the Enable logging on this Policy check box if you want to view log messages for this policy. It is not recommended that you enable logging permanently, because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.
   h. Click Apply.
4. Allow GRE traffic from the TMS zl Module to the remote tunnel endpoint:
   a. For Action, leave the default, Permit Traffic.
   f. For Destination, specify the actual IP address of the remote tunnel endpoint. This is the Destination IP Address that you specified in the GRE tunnel. It is different from the address configured on the subnet reserved for the tunnel.
   g. Click Apply.
5. Permit local traffic that is sent across the tunnel (before it is encapsulated by GRE):
   a. For Action, leave the default, Permit Traffic.
   b. For From, select the local zone.
   c.
   g. Click the Advanced tab.
   h. For TCP MSS, type the value that you determined is best for your system. For example, type 1436.
   i. Click the Basic tab.
   j. Click Apply.
6. If necessary, repeat step 5 to permit other traffic.
7. Permit remote traffic that arrives on the tunnel (after it is unencapsulated from GRE):
   a. For Action, leave the default, Permit Traffic.
   b. For From, select the tunnel zone.
   c. For To, select the local zone.
   d.
   g. Click the Advanced tab.
   h. For TCP MSS, type the value that you determined is best for your system. For example, type 1436.
   i. Click the Basic tab.
8. Click Apply.
9. If you enabled a dynamic routing protocol (RIP or OSPF) on the tunnel, ensure that access policies permit this traffic between SELF and the tunnel zone. (This is the default setting.)
10. In the Add Policy window, click Close.
11. Click Save.
Configure a GRE over IPsec VPN with IKE

   d. For Service, accept the default, Any Service. This is the most basic configuration. You could also permit only certain types of traffic.
   e. For Source, specify the IP addresses of remote endpoints that are allowed to send traffic on the tunnel.
   f. For Destination, specify the appropriate multicast address. If you have selected a specific service, you can also leave Any Address if you choose.
   g. Click Apply.
3.
5. Create an IKEv1 policy. See “Create an IKE Policy for a GRE over IPsec VPN” on page 7-221.
6. Install certificates for IKE (optional). See “Install Certificates for IKE” on page 7-229.
7. Create an IPsec proposal. The mode is typically transport mode because the TMS zl Module generates the GRE packets, but you can also use tunnel mode.
Table 7-23.
Figure 7-172. VPN > GRE > GRE Tunnels Window
3. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
Figure 7-173. Add GRE Tunnel Window
4. For Tunnel Name, type a name that is unique for this tunnel. The name can be from 1 to 10 alphanumeric characters. It is recommended that you use a name that indicates the destination of the tunnel.
5.
Refer to Figure 7-174 for help configuring the next settings.
Figure 7-174. Example GRE over IPsec VPN (Including Tunnel Interface)
6. For Tunnel IP Address, type the TMS zl Module’s IP address on the tunnel interface (indicated by 5 in the figure). This IP address is a virtual address, and it must not be part of an existing TMS VLAN or other subnet in your network. This address will be the source address for tunneled packets.
7.
11. To enable the keepalive feature for the GRE tunnel, select Enable Keepalive.
   a. For Period, type the interval, in seconds, between sending keepalives. This interval can be as short as 1 second or as long as 3600 seconds (1 hour).
   b. For Retries, type the number of keepalives that the TMS zl Module will send before declaring the tunnel “down” (1-255).
Figure 7-175. Add GRE Tunnel Window
12. Click OK.
13. Click Save. If you want, repeat these steps to create a redundant tunnel.

Verify that a Route to the Remote Tunnel Gateway Exists

To establish the GRE tunnel, the TMS zl Module requires a route to the tunnel’s destination address (indicated by 3 in the example figure). The route can be to the specific address or to any network that includes that address. The route can be a static route or a route discovered with a routing protocol.
Configure Routes that Use the GRE Tunnel Interface

In order for the TMS zl Module to send traffic over the GRE tunnel, it must have routes to the appropriate subnets that use the GRE tunnel interface. You can:
■ Create static routes. See “Configure Static Routes” on page 7-215.
■ Set up RIP on the GRE tunnel interface. See “Configure RIP on a GRE Tunnel Interface” on page 7-217.
3. For Destination Type, select the destination type. You can select any type, including Default Gateway. The TMS zl Module supports multiple default routes, so this is a valid option even when you are configuring a floating static route for a redundant tunnel.
Refer to Figure 7-179 for help configuring the next settings.
Figure 7-179. Example GRE over IPsec VPN
4.
Typically, the distance for a static route is 1. However, if this is a route over a backup GRE tunnel, type a higher value than that for the primary route. For example, if the primary tunnel runs OSPF, type a value higher than OSPF’s administrative distance (by default, 110).
8. Click OK. The route is now displayed in the Network > Routing > Static Routes window.
9. Click Save.
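How the GRE keepalive (Period and Retries) and a floating static route with a higher administrative distance work together to fail over to the redundant tunnel, as an added Python simulation that is not part of this guide or the TMS zl Module. The tunnel names, the 10.1.8.0/24 subnet, the keepalive values and the distances 110 (OSPF default) and 120 are constructed for the example; it also shows what happens when keepalives are left disabled, which the GRE concepts section above warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GreTunnel:
    """Simplified GRE tunnel endpoint with the keepalive settings the guide exposes."""
    name: str
    period: int               # seconds between keepalives (1-3600)
    retries: int              # unanswered keepalives before the tunnel is declared down (1-255)
    keepalive_enabled: bool = True
    up: bool = True           # a GRE interface reports "up" as soon as it is configured
    missed: int = 0

    def __post_init__(self) -> None:
        if not 1 <= self.period <= 3600:
            raise ValueError("keepalive period must be 1-3600 seconds")
        if not 1 <= self.retries <= 255:
            raise ValueError("keepalive retries must be 1-255")

    def keepalive_cycle(self, answered: bool) -> bool:
        """One keepalive period has elapsed; `answered` says whether the peer replied.
        Without keepalives the interface never learns that the peer is unreachable."""
        if not self.keepalive_enabled:
            return self.up
        if answered:
            self.missed = 0
            self.up = True
        else:
            self.missed += 1
            if self.missed >= self.retries:
                self.up = False
        return self.up

    def worst_case_detection_seconds(self) -> int:
        """Time from the peer vanishing until this end declares the tunnel down."""
        return self.period * self.retries


@dataclass
class Route:
    network: ipaddress.IPv4Network
    interface: str            # GRE tunnel interface the route points at
    distance: int             # administrative distance (static 1, OSPF 110 by default)
    learned_from: str         # "static" or "ospf", for readability only


def best_route(routes: List[Route], tunnels: List[GreTunnel], dest: str) -> Optional[Route]:
    """Longest prefix match first, then lowest administrative distance,
    considering only routes whose tunnel interface is currently up."""
    dest_ip = ipaddress.IPv4Address(dest)
    link_up = {t.name: t.up for t in tunnels}
    usable = [r for r in routes
              if dest_ip in r.network and link_up.get(r.interface, False)]
    if not usable:
        return None
    return min(usable, key=lambda r: (-r.network.prefixlen, r.distance))


def _site_b_routes() -> List[Route]:
    # Constructed: VLAN8 servers at Site B reachable through two tunnels.
    site_b = ipaddress.IPv4Network("10.1.8.0/24")
    return [
        Route(site_b, "toSiteB1", 110, "ospf"),     # learned over the primary tunnel
        Route(site_b, "toSiteB2", 120, "static"),   # floating static route, distance > 110
    ]


def failover_scenario() -> List[str]:
    """Which tunnel carries traffic to 10.1.8.20 as the primary peer disappears and returns."""
    primary = GreTunnel("toSiteB1", period=10, retries=3)
    backup = GreTunnel("toSiteB2", period=10, retries=3)
    tunnels, routes = [primary, backup], _site_b_routes()
    chosen = []
    chosen.append(best_route(routes, tunnels, "10.1.8.20").interface)   # both up
    primary.keepalive_cycle(answered=False)
    primary.keepalive_cycle(answered=False)                              # 2 of 3 missed
    chosen.append(best_route(routes, tunnels, "10.1.8.20").interface)
    primary.keepalive_cycle(answered=False)                              # 3rd miss: down
    chosen.append(best_route(routes, tunnels, "10.1.8.20").interface)
    primary.keepalive_cycle(answered=True)                               # peer is back
    chosen.append(best_route(routes, tunnels, "10.1.8.20").interface)
    return chosen


def no_keepalive_scenario() -> str:
    """Same failure with keepalives disabled: the primary stays selected and traffic is lost."""
    primary = GreTunnel("toSiteB1", period=10, retries=3, keepalive_enabled=False)
    backup = GreTunnel("toSiteB2", period=10, retries=3)
    for _ in range(5):
        primary.keepalive_cycle(answered=False)
    return best_route(_site_b_routes(), [primary, backup], "10.1.8.20").interface


if __name__ == "__main__":
    print(failover_scenario())        # ['toSiteB1', 'toSiteB1', 'toSiteB2', 'toSiteB1']
    print(no_keepalive_scenario())    # toSiteB1
```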
4. Click Enable RIP on an interface. The Enable RIP on Interface window is displayed.
Figure 7-181. Enable RIP on Interface Window
5. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
6. For Version, select the version used by the remote tunnel gateway. The TMS zl Module does not support RIP compatibility mode, so an interface listening for v2 updates will reject v1 updates.
   • MD5—The module and the remote tunnel gateway authenticate each other with MD5 authentication.
     – For Key ID, type the key ID, which must match the ID on other routers in this subnet.
     – For Key, type the key, which must match the key on other routers in this subnet.
10. Click OK.
11. Click Save.
Move on to the next task: “Create an IKE Policy for a GRE over IPsec VPN” on page 7-221.
1. Select the Enable OSPF check box.
2. Click Apply My Changes.
3. Click Enable OSPF on an interface. The Enable OSPF on a VLAN window is displayed.
Figure 7-183. Enable OSPF on an Interface Window
4. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
5. For Area ID, type the number of the area to which you want to assign the GRE tunnel interface.
6.
9. Configure Authentication settings. These settings must match those on the remote tunnel gateway exactly. Do one of the following:
   • For Type, select None.
   • For Type, select Simple.
     i. For Password, type a password.
   • For Type, select MD5.
     i. For Key ID, type the authentication key ID (1-255).
     ii. For Key, type the 16-digit MD5 key.
10. Click OK.
11. Click Save.
Move on to the next task: creating an IKE policy.
Figure 7-185. Add IKE Policy Window—Step 1 of 3
4. For IKE Policy Name, type a string that is unique to this policy. The string can include 1 to 32 alphanumeric characters.
5. For IKE Policy Type, select Site-to-Site (Initiator & Responder). The TMS zl Module will respond to IKE messages from the gateway at the remote site.
Figure 7-186. Example GRE over IPsec VPN
6. For Local Gateway, specify the same IP address configured as the source IP address for the GRE tunnel (indicated by 1 in the figure and not the IP address on the tunnel subnet). You have two options:
   • Select IP Address and type the IP address in the box.
   • Select Use VLAN IP Address and select a VLAN from the list.
Note
Later you will configure firewall access policies to allow the IKE messages from the remote gateway.
8. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself. This ID must match exactly, in both type and value, the remote ID specified on the remote endpoint. For more information about ID types, see “IKE Phase 1” on page 7-13.
   a.
Figure 7-187. Add IKE Policy Window—Step 2 of 3
11. Under IKE Authentication, configure these settings:
   a. For Key Exchange Mode, select Main Mode or Aggressive Mode. The mode must match that configured on the remote endpoint. See “IKE modes” on page 7-16 for guidelines.
   b.
12. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA:
   a. For Diffie-Hellman (DH) Group, select the group for the Diffie-Hellman exchange:
      – Group 1 (768)
      – Group 2 (1024)
      – Group 5 (1536)
      The group determines the length of the prime number used during the exchange. The larger the number, the more secure the key generated by the exchange.
   b.
Figure 7-188. Add IKE Policy Window—Step 3 of 3
14. If you want, configure XAUTH, which is an optional additional layer of security. Otherwise, leave Disable XAUTH selected and move to step 15. You can configure the TMS zl Module to act either as a client (authenticate itself) or as a server (authenticate the remote gateway):
   • Select TMS acts as XAUTH Server.
Figure 7-189. Add IKE Policy Window—Step 3 of 3
     i. For Authentication Type, select Generic or CHAP. At some point, you must configure the username and password for the remote gateway in one of these locations:
        – An external RADIUS server—Remember to add the RADIUS server in the Network > Authentication > RADIUS window.
Figure 7-190. VPN > IPsec > IKEv1 Policies Window (Policy Added)
Move to the next task:
■ If you selected DSA or RSA signatures for the authentication method, “Install Certificates for IKE” on page 7-229.
■ If you selected pre-shared key for the authentication method, “Create an IPsec Proposal” on page 7-244.
Figure 7-191. VPN > Certificates > IPsec Certificates Window
3. Add a private key. You have two options:
   • Generate the private key on the TMS zl Module. See step 4.
   • Import a private key generated elsewhere. See step 5.
4. Generate the private key on the TMS zl Module:
   a. In the Private Keys section, click Generate Private Key.
Figure 7-192. Generate Private Key Window
   b.
   c. For Key Algorithm, select RSA or DSA. When you configured the IKEv1 policy, you selected DSA Signature or RSA Signature for Authentication Method (see step 11b on page 7-225). Match this setting.
   d. For Key Size, select 512, 1024, or 2048, which determines the length of the key in bits.
   e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window.
Figure 7-193.
Figure 7-194. Import Private Key Window
   c. For Private Key Identifier, type a descriptive string between 1 and 31 alphanumeric characters. The string must be unique to this key.
   d. For Select Private Key, type the path and filename for the private key. Alternatively, click Browse and navigate to the private key file.
   e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window.
   f.
6.
7. For Certificate Name, type a descriptive alphanumeric string. The name must be unique for this request.
8. For Signature Algorithm, select the algorithm used to sign the certificate:
   • MD5 with RSA
   • SHA-1 with RSA
   • SHA-1 with DSA
   You must select the same algorithm that is used by the private key. That is, select MD5 with RSA or SHA-1 with RSA for an RSA key; select SHA-1 with DSA for a DSA key.
9.
Note
The subject name or one of the subject alternate names must match these settings:
• The local ID in your IKE policies that use this certificate
• The remote ID in IKE policies on remote tunnel endpoints that verify this certificate
The name must match in both type and value. For example, if you have typed TMS.procurve.
13. Click the Edit icon in the Tools column for the certificate request.
Figure 7-197. Certificate Request Data Window
14. Copy the data (for example, by pressing [Ctrl] + [c]) and paste it in a document created in a text editor. Save the file (if necessary, using the file extension required by your CA). Click OK in the Certificate Request Data window to close the window.
15.
Figure 7-198. VPN > Certificates > Certificate Authorities Window
19. Click Import Certificate.
Figure 7-199. Import Certificate Window
20. Under Select global trusted certificate, type the path and filename for the CA root certificate. Alternatively, click Browse and navigate to the CA root certificate file.
21. Click Apply. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window.
Figure 7-200.
Note
If you receive an error message, the TMS zl Module cannot validate the CA certificate. A common problem is that the module has the incorrect time. The module takes its clock from the host switch. Verify that this switch has the correct time.
22. Next, you must import the module’s certificate. Click the IPsec Certificates tab.
Figure 7-201. VPN > Certificates > IPsec Certificates Window
23. Click Import Certificate under Certificates.
25. Click Apply. The module’s certificate is displayed under Certificates in the VPN > IPsec > IPsec Certificates window.
Figure 7-203. VPN > Certificates > IPsec Certificates (Certificate Installed)
26. Finally, you must install the CRL. Click the CRL tab.
Figure 7-204. VPN > Certificates > CRL Window
27. Click Import CRL.
Figure 7-205. Import CRL Window
28. For Select CRL, type the path and filename for the CRL. Alternatively, click Browse and navigate to the CRL file.
29. Click OK. The CRL is displayed in the VPN > Certificates > CRL window.
Figure 7-206. VPN > Certificates > CRL Window (CRL Added)
30. Click Save.
Move to the next task: “Create an IPsec Proposal” on page 7-244.
Figure 7-207. VPN > Certificates > SCEP Window
3. For SCEP Server IP Address/Domain Name, type either the IP address or FQDN of your CA server. The CA must, of course, support SCEP.
4. For SCEP Server Port, type the port number on which your CA server listens for SCEP messages. The default port is 80.
5. For CGI-Path, type the correct path to the program on the CA server that executes SCEP functions.
10. Click Retrieve certificate through SCEP. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. (If the certificate is not imported, check the IP address or FQDN that you set in step 3 on page 7-240.)
Figure 7-209. VPN > Certificates > Certificate Authorities Window
11. Next, you must import the TMS zl Module’s certificate.
Figure 7-211. Retrieve IPsec Certificate through SCEP Window
13. For Subject Name, typically you type the TMS zl Module’s FQDN after /CN=. The remote tunnel endpoint will use this subject name to authenticate the module. Therefore, the subject name must match a remote ID that is configured on the remote endpoint. You should also specify this name for the local ID value in the IKE policy (the type is Distinguished Name).
14.
Figure 7-212. VPN > Certificates > IPsec Certificates (Certificate Installed)
21. Next, you should install the CRL. Ask your CA administrator if you need a particular CGI path to the CRL distribution point. If you do, follow these steps:
   a. Click the SCEP tab.
   b. For CGI-Path, type the new path given to you by your CA. For example, for a Windows 2008 CA, you might type /CertEnroll/ .crl.
   c. Click Apply My Changes.
22.
Figure 7-214. Retrieve CRL through SCEP Window
24. For Trusted Certificate, select the CA certificate that you imported with SCEP.
25. Click Apply. The CRL is displayed in the VPN > Certificates > CRL window.
Figure 7-215. VPN > Certificates > CRL Window (CRL Added)
Move to the next task: “Create an IPsec Proposal.
Follow these steps to configure an IPsec proposal:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IPsec Proposals tab.
Figure 7-216. VPN > IPsec > IPsec Proposals Window
3. Click Add IPsec Proposal. The Add IPsec Proposal window is displayed.
Figure 7-217. Add IPsec Proposal Window
4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters.
7. If you selected ESP in the previous step, select one of the following for Encryption Algorithm:
   • NULL (if you select this option, VPN traffic will not be encrypted)
   • DES
   • 3DES
   • AES-128 (16)
   • AES-192 (24)
   • AES-256 (32)
   The number in parentheses after the AES options indicates the key length for the algorithm in bytes.
8.
Create an IPsec Policy for a GRE over IPsec VPN That Uses IKE

This section explains how to configure an IPsec policy for an IPsec SA that is established for a GRE tunnel using IKE. The IPsec policy includes the settings that are negotiated during IKE phase 2 and also selects traffic for the VPN connection. Follow these steps to create the IPsec policy:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2.
Figure 7-220. Add IPsec Policy Window—Step 1 of 4
4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6.
To learn about creating Bypass and Deny policies, see “Configure Bypass and Deny IPsec Policies” on page 7-352.
7. For Position, type a number. The position determines the order in which the TMS zl Module processes IPsec policies. The module processes the policy with the lowest value first (for example, position 1 before position 2). The position matters most when policies have overlapping traffic selectors.
Figure 7-221. Example GRE over IPsec VPN
8.
9. For Traffic Selector, configure these settings:
   a. For Protocol, specify 47 (GRE).
   b. For Local Address, specify the local gateway address for the GRE tunnel (indicated by 1 in the figure and not the IP address on the tunnel subnet).
   c. For Remote Address, specify the remote gateway address for the GRE tunnel (indicated by 3 in the figure and not the IP address on the tunnel subnet).
Figure 7-222. Add IPsec Policy Window—Step 2 of 4
11. For Key Exchange Method, keep the default, Auto (with IKEv1).
12. For IKEv1 Policy, select a previously configured IKEv1 policy. Select the IKEv1 policy that specifies the remote tunnel endpoint as the remote gateway.
13. Optionally, select the Enable PFS (Perfect Forward Secrecy) for keys check box, which forces the tunnel endpoints to generate new keys for the IPsec SA.
14. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes). You must match the settings on the remote tunnel endpoint. This setting determines how long the IPsec SA remains open.
Figure 7-223. Add IPsec Policy Window—Step 3 of 4
17. The Step 3 of 4 window allows you to configure settings for IKE mode config, which is not valid for this type of VPN. Click Next.
Figure 7-224. Add IPsec Policy Window—Step 4 of 4
18. If desired, configure settings in the Advanced Settings (Optional) section.
   a. Select the check boxes for the advanced features that you want to enable:
      – Enable IP compression
      – Enable extended sequence number
      – Enable re-key on sequence number overflow. This setting is enabled by default.
      – Enable persistent tunnel
      – Enable fragment before IPsec. This setting is enabled by default.
   b. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Anti-Replay Window” on page 7-21 for more information.
   c. For DF Bit Handling, select one of these options:
      – Copy DF bit from clear packet: The TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
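What the Anti-Replay Window Size setting means for a receiver, as an added Python example that is not from this guide or the module’s implementation: a sliding window over ESP sequence numbers in the style of RFC 4303, rejecting duplicates inside the window and anything older than the window, with the 32-1024 range the guide gives. The packet sequences fed to it are constructed for the example.

```python
class AntiReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (RFC 4303 style)."""

    def __init__(self, size: int) -> None:
        if not 32 <= size <= 1024:                   # range offered by the guide
            raise ValueError("window size must be between 32 and 1024")
        self.size = size
        self.top = 0          # highest sequence number accepted so far (0: none yet)
        self.bitmap = 0       # bit i set: sequence number (top - i) already received

    def accept(self, seq: int) -> bool:
        """Return True if `seq` is accepted, updating the window; False if dropped."""
        if seq <= 0:
            return False                              # ESP sequence numbers start at 1
        if seq > self.top:                            # newer than anything seen: slide
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                       # everything seen so far falls off
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                              # older than the window: too late
        if self.bitmap & (1 << diff):
            return False                              # already seen: replay
        self.bitmap |= 1 << diff                      # late but new: accept once
        return True


def replay_check(size: int, seqs):
    """Run a sequence of ESP sequence numbers through one window; list of accept/drop."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


# Constructed arrival order: mild reordering (5 before 4), a replayed 3, a jump to 40,
# a very late 8, a late-but-new 9, then 41 and a replayed 40.
SAMPLE_ARRIVALS = [1, 2, 3, 5, 4, 3, 40, 8, 9, 41, 40]


if __name__ == "__main__":
    for size in (32, 1024):
        print(size, replay_check(size, SAMPLE_ARRIVALS))
```

With a 32-entry window the late packet 8 is dropped because the window then covers only 9 to 40; with 1024 it is accepted, which is the trade-off the setting controls.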
Create Access Policies for a GRE over IPsec VPN That Uses IKE

Before you begin configuring firewall access policies, determine the zone on which traffic from the remote tunnel gateway arrives. This is the zone associated with the TMS VLAN on which the tunnel’s source IP address is configured. The instructions below will refer to this zone as the “remote zone.
Virtual Private Networks Configure a GRE over IPsec VPN with IKE For access policies that permit the traffic sent over the tunnel, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system. Otherwise, the addition of the GRE and IP delivery headers might make the packets too large to be transmitted. Table 7-25 suggests a value for the TCP MSS when the MTU is 1500.
When Required | Type | From Zone | To Zone | Service | Source | Destination | MSS | Number of policies
• Dynamic routing over the tunnel • Default policies disabled | Unicast | SELF | Tunnel | OSPF or RIP | 5 | 6 | — | 1
• Dynamic routing over the tunnel • Default policies disabled | Multicast | Tunnel | SELF | OSPF or RIP | 6 | Any Address or multicast address | — | 1
• Dynamic routing over the tunnel • Default policies disabled | Multicast | SELF | Tunnel | OSPF or RIP | | | |

Source and Destination entries 5 and 6 refer to the callouts in the example figure.
5. Allow GRE messages from the TMS zl Module to the remote tunnel endpoint:
   a. For Action, leave the default, Permit Traffic.
   b. For From, select Self.
   c. For To, select the remote zone.
   d. For Service, specify GRE.
   e. For Source, leave Any Address or specify the IP address that you configured for the local endpoint IP address.
   f. For Destination, specify the public IP address of the remote tunnel endpoint.
   g. Click Apply.

Figure 7-227. Add Policy Window

6. If you are using IKE, permit IKE messages from the TMS zl Module to the remote tunnel endpoint:
   a. For Action, leave the default, Permit Traffic.
   b. For From, select Self.
   c. For To, select the remote zone.
   d. For Service, select isakmp.
   e. For Source, leave Any Address or specify the IP address configured for the local gateway in the IKE policy.

Figure 7-228. Add Policy Window

   g. Click Apply.
7. Permit local traffic that is sent across the tunnel:
   a. For Action, leave the default, Permit Traffic.
   b. For From, select the local zone.
   c. For To, select the tunnel zone.
   d. For Service, leave Any Service. This is the most basic configuration. You could also permit only certain types of traffic.

Figure 7-229. Add Policy Window

   g. Click the Advanced tab.
   h. For TCP MSS, type the value that you determined is best for your system. For example, type 1388.
   i. Click the Basic tab.
   j. Click Apply.
8. Permit remote traffic that arrives on the tunnel:
   a. For Action, leave the default, Permit Traffic.
   b. For From, select the tunnel zone.
   c. For To, select the local zone.
   d. For Service, leave Any Service.

   h. For TCP MSS, type the value that you determined is best for your system. For example, type 1388.
   i. Click the Basic tab.
9. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between the gateways), you must create access policies to allow the NAT-T traffic between the remote gateway and the module and vice versa:
   a. For Action, accept the default, Permit Traffic.
   b. For From, select the remote zone.

   f. For Service, accept the default, Any Service. This is the most basic configuration. You could also permit only certain types of traffic.
   g. For Source, specify the local IP addresses that are allowed to send traffic on the tunnel.
   h. For Destination, specify the appropriate multicast address. If you specified a particular service, you can also leave Any Address if you choose.
   i. Click Apply.
Configure a GRE over IPsec VPN with Manual Keying

You must complete these tasks to configure GRE over IPsec with manual keying:
1. Optionally, create named objects, which you can use in VPN and firewall access policies related to the GRE tunnel. Using named objects is best practice; however, you can specify IP addresses manually. See “Create Named Objects (Optional)” on page 7-266.

8. Configure global IPsec settings (optional). See “Configure Global IPsec Settings” on page 7-349.
9. Configure the remote GRE over IPsec gateway with compatible settings. See your gateway device’s configuration guide for instructions.

Create Named Objects (Optional)

You might want to configure the named objects indicated in Table 7-26.
Figure 7-230. Example GRE over IPsec VPN

Create a GRE Tunnel

Follow these steps to create a GRE tunnel:
1. In the left navigation pane of the Web browser interface, select VPN > GRE.
2. You are at the GRE Tunnels tab.

Figure 7-231. VPN > GRE > GRE Tunnels Window

3. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.

Figure 7-232. Add GRE Tunnel Window

4. For Tunnel Name, type a name that is unique for this tunnel. The name can be from 1 to 10 alphanumeric characters. It is recommended that you use a name that indicates the destination of the tunnel.
5. By default, the Enable this tunnel check box is selected, which allows the GRE tunnel to be established as soon as you finish configuring it.

Figure 7-233. Example GRE over IPsec VPN (Including Tunnel Interface)

6. For Tunnel IP Address, type the TMS zl Module’s IP address on the tunnel interface (indicated by 5 in the figure). This IP address is a virtual address, and it must not be part of an existing TMS VLAN or other subnet in your network. This address will be the source address for tunneled packets.
11. To enable the keepalive feature for the GRE tunnel, select Enable Keepalive.
   a. For Period, type the interval, in seconds, between sending keepalives. This interval can be as short as 1 second or as long as 3600 seconds (1 hour).
   b. For Retries, type the number of keepalives that the TMS zl Module will send before declaring the tunnel “down” (1-255).

Figure 7-234. Add GRE Tunnel Window

12. Click OK.
13. Click Save. If you want, repeat these steps to create a redundant tunnel.

Verify that a Route to the Remote Tunnel Gateway Exists

To establish the GRE tunnel, the TMS zl Module requires a route to the tunnel’s destination address (indicated by 3 in the example figure). The route can be to the specific address or any network that includes that address.

Figure 7-236. Example GRE VPN

Configure Routes that Use the GRE Tunnel Interface

In order for the TMS zl Module to send traffic over the GRE tunnel, it must have routes to the appropriate subnets that use the GRE tunnel interface. You can:
■ Create static routes. See “Configure Static Routes” on page 7-272.
■ Set up RIP on the GRE tunnel interface. See “Configure RIP on a GRE Tunnel Interface” on page 7-274.

2. Click Add static route. The Add static route window is displayed.

Figure 7-237. Add static route Window

3. For Destination Type, select the destination type. You can select any type, including Default Gateway. The TMS zl Module supports multiple default routes, so this is a valid option even when you are configuring a floating static route for a redundant tunnel. Refer to Figure 7-238 for help configuring the next settings.
4. If you selected Network or Host, type a Destination Address, which depends on the destination type that you chose:
   • Network—type the IP address and subnet mask of the destination network (behind the remote tunnel gateway).
   • Host—type the IP address of the host (behind the remote tunnel gateway).
   The correct address corresponds to 4 in the example figure.

Figure 7-239. Network > Routing > RIP Window

2. Select the Enable RIP check box.
3. Click Apply My Changes.
4. Click Enable RIP on an interface. The Enable RIP on Interface window is displayed.

Figure 7-240. Enable RIP on Interface Window

5. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
6. For Version, select the version used by the remote tunnel gateway. The TMS zl Module does not support RIP compatibility mode, so an interface listening for v2 updates will reject v1 updates.
   • MD5—The module and the remote tunnel gateway authenticate each other with MD5 authentication.
      – For Key ID, type the key ID, which must match the ID on other routers in this subnet.
      – For Key, type the key, which must match the key on other routers in this subnet.
10. Click OK.
11. Click Save.
Move on to the next task: “Create an IPsec Proposal” on page 7-279.
1. Select the Enable OSPF check box.
2. Click Apply My Changes.
3. Click Enable OSPF on an interface. The Enable OSPF on a VLAN window is displayed.

Figure 7-242. Enable OSPF on a Interface Window

4. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
5. For Area ID, type the number of the area to which you want to assign the GRE tunnel interface.
9. Configure Authentication settings. These settings must match those on the remote tunnel gateway exactly. Do one of the following:
   • For Type, select None.
   • For Type, select Simple.
      i. For Password, type a password.
   • For Type, select MD5.
      i. For Key ID, type the authentication key ID (1-255).
      ii. For Key, type the 16-digit MD5 key.
10. Click OK.
11. Click Save.
Move on to the next task: creating an IPsec proposal.
3. Click Add IPsec Proposal. The Add IPsec Proposal window is displayed.

Figure 7-244. Add IPsec Proposal Window

4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5.
5. For Encapsulation Mode, select Transport Mode.

8. If you selected either ESP or AH, for Authentication Algorithm, select one of the following:
   • None
     You must not select None if you selected AH for the Security Protocol or if you selected NULL for the ESP Encryption Algorithm.
   • MD5
   • SHA-1
   • AES-XCBC
9. Click OK. The IPsec proposal is displayed in the VPN > IPsec > IPsec Proposals window.

Figure 7-245. VPN > IPsec > IPsec Proposals Window (Proposal Added)

■ Disadvantages
   • Keys can be leaked, and overall the tunnel is less secure.
   • Lengthy keys can be mistyped.
   • Keys can be difficult to manage with multiple remote sites.
   • Manual keying cannot be used to create a site-to-site IPsec VPN with the HP ProCurve Secure Router 7000dl series.
   • Manual keying cannot be used to configure a client-to-site VPN or with IKE mode config.
Follow these steps to create the IPsec policy:
Figure 7-247. Add IPsec Policy Window—Step 1 of 4

4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6. For Action, keep the default, Apply.

A default IPsec policy prevents all traffic from being encrypted by the VPN engine; therefore, all IPsec policies that you configure must have a higher priority than this default policy.

Next, you configure the VPN traffic selector, which determines which traffic will use the VPN tunnel. For a GRE over IPsec VPN, the traffic selector must specify the GRE traffic between the TMS zl Module and the remote tunnel endpoint.

   c. For Remote Address, specify the remote gateway address for the GRE tunnel (indicated by 3 in the figure and not the IP address on the tunnel subnet).
9. For Proposal, select a previously configured IPsec proposal. The IPsec proposal specifies the IPsec mode, IPsec protocol, and the authentication and encryption algorithms that secure the VPN connection. See “Create an IPsec Proposal” on page 7-279.
10. Click Next.
Figure 7-250. Add IPsec Policy Window—Step 2 of 4 (Bottom Section)

14. Next, set the SPI and keys for the protocol that you selected in the IPsec proposal (ESP, in the example displayed in Figure 7-250). The correct number of characters for a key depends on the algorithm that you selected in the IPsec proposal and is indicated to the right of the box. Note also that if you selected AH, you will not see boxes for encryption keys.

15. Click Next.

Figure 7-251. Add IPsec Policy Window—Step 3 of 4

16. The Step 3 of 4 window allows you to configure settings for IKE Mode Config, which is not valid for a site-to-site VPN. Click Next.

Figure 7-252. Add IPsec Policy Window—Step 4 of 4

17. If desired, configure settings in the Advanced Settings (Optional) section.
   a. Select the check boxes for the advanced features that you want to enable:
      – Enable IP compression
      – Enable fragment before IPsec. This setting is enabled by default.
      For information and guidelines on these settings, see “Advanced IPsec Features” on page 7-21.

      – The TMS zl Module copies the DF bit setting for the IPsec packet from the inner IP packet.
      – Set DF bit – The module sets the DF bit for all IPsec packets.
      – Clear DF bit – The module clears the DF bit for all IPsec packets.
      See “The Copying of Values from the Original IP Header” on page 7-23 for more information.
   d. Under DSCP Options, choose how the TMS zl Module assigns DSCP values to IPsec packets.
Create Access Policies for a GRE over IPsec VPN That Uses Manual Keying

Before you begin configuring firewall access policies, determine the zone on which traffic from the remote tunnel gateway arrives. This is the zone associated with the TMS VLAN on which the tunnel’s source IP address is configured. The instructions below will refer to this zone as the “remote zone.”

For access policies that permit the traffic sent over the tunnel, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system. Otherwise, the addition of the GRE and IP delivery headers might make the packets too large to be transmitted. Table 7-27 suggests a value for the TCP MSS when the MTU is 1500.
When Required | Type | From Zone | To Zone | Service | Source | Destination | MSS | Number of policies
• Dynamic routing over the tunnel • Default policies disabled | Unicast | SELF | Tunnel | OSPF or RIP | 5 | 6 | — | 1
• Dynamic routing over the tunnel • Default policies disabled | Multicast | Tunnel | SELF | OSPF or RIP | 6 | Any Address or multicast address | — | 1
• Dynamic routing over the tunnel • Default policies disabled | Multicast | SELF | Tunnel | OS | | | |

Source and Destination entries 5 and 6 refer to the callouts in the example figure.
5. Allow GRE messages from the TMS zl Module to the remote tunnel endpoint:
   a. For Action, leave the default, Permit Traffic.
   b. For From, select Self.
   c. For To, select the remote zone.
   d. For Service, specify GRE.
   e. For Source, leave Any Address or specify the IP address that you configured for the local endpoint IP address.
   f. For Destination, specify the public IP address of the remote tunnel endpoint.

Figure 7-255. Add Policy Window

   g. Click the Advanced tab.
   h. For TCP MSS, type the value that you determined is best for your system. For example, type 1388.
   i. Click the Basic tab.
   j. Click Apply.
6. Permit remote traffic that arrives on the tunnel:
   a. For Action, leave the default, Permit Traffic.
   b. For From, select the tunnel zone.
   c. For To, select the local zone.
   d. For Service, leave Any Service.

   h. For TCP MSS, type the value that you determined is best for your system. For example, type 1388.
   i. Click the Basic tab.
   j. Click Apply.
7. If you enabled a dynamic routing protocol (RIP or OSPF) on the tunnel, ensure that access policies permit this traffic between SELF and the tunnel zone. (This is the default setting.)
8. In the Add Policy window, click Close.
9. Click Save.
GRE Examples

   f. For Source, specify the remote IP addresses that are allowed to send traffic on the tunnel.
   g. For Destination, specify the appropriate multicast address. If you specified a particular service, you can also leave Any Address if you choose.
   h. Click Apply.
3. If you enabled a dynamic routing protocol (RIP or OSPF) on the tunnel, ensure that access policies permit this traffic between SELF and the tunnel zone. (This is the default setting.)
4. Click Close.

The IP address of the VLAN that connects each site to the Internet will serve as the gateway address for each module (172.23.99.99 and 192.168.33.22). Each TMS zl Module treats GRE traffic as traffic between the Self zone and the zone used to connect to the remote module (the External zone), so you must configure firewall access policies to allow GRE traffic between these zones.

Figure 7-256. OSPF over GRE Example Network

Figure 7-257.
Table 7-28. Configuration Parameters for GRE with OSPF Example

Parameter | TMS zl Module Site A Settings | TMS zl Module Site B Settings
Tunnel Name | toVLAN70 | toVLAN40
Tunnel IP Address | 10.8.8.1 | 10.8.8.2
Peer IP Address | 10.8.8.2 | 10.8.8.1
Firewall Zone Association | Zone4 | Zone4
Source IP Address | 172.23.99.99 | 192.168.33.22
Destination IP Address | 192.168.33.22 | 172.23.99.99
Destination type | Host | Host
Destination address | 192.168.33.22 | 172.23.99.

To | Self | Self
Service | (47) GRE | (47) GRE
Source | 192.168.33.22 | 172.23.99.99
Destination | 172.23.99.99 | 192.168.33.22
Unicast Access Policy to permit OSPF messages to the remote gateway.
Action | Permit | Permit
From | Self | Self
To | Zone4 | Zone4
Service | (89) OSPFIGP | (89) OSPFIGP
Source | 10.8.8.1 | 10.8.8.2
Destination | 10.8.8.2 | 10.8.8.

Multicast Access Policy to permit OSPF traffic to the remote gateway.
Action | Permit | Permit
From | Self | Self
To | Zone4 | Zone4
Service | (89) OSPFIGP | (89) OSPFIGP
Source | 10.8.8.1 | 10.8.8.2
Destination | Any Address | Any Address
Multicast Access Policy to permit OSPF traffic from the remote gateway.
Create the GRE Tunnel for Site A

1. In the left navigation pane of the Web browser interface, click VPN > GRE. You are at the GRE Tunnels tab.

Figure 7-258. VPN > GRE > GRE Tunnels Window

2. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
3. For Tunnel Name, type toVLAN40.
4. For Tunnel IP Address, type 10.8.8.1.
5. For Peer IP Address, type 10.8.8.2.
6. For Firewall Zone Association, select Zone4.

Figure 7-259. Add GRE Tunnel Window

12. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.

Figure 7-260. VPN > GRE Window (Tunnel Added)

13. Click Save.

Create a Route to the Remote Tunnel Gateway

The TMS zl Module requires a route to the destination address for the GRE tunnel. In this example, you will create a static route.
1. Click Network > Routing and click the Static Routes tab.
2. Click Add static route.

Figure 7-261. Add static route Window

3. For Destination Type, select Host.
4. For Destination Address, type 192.168.33.22.
5. For Gateway Address, type 172.23.99.1.
6. For Metric, leave the default, 0.
7. For Distance, type 1.
8. Click OK.

Enable OSPF on the Site A Tunnel Interface

1. Click Network > Routing and click the OSPF tab.

Figure 7-262. Network > Routing > OSPF Window

2. Click Enable OSPF on an interface. The Enable OSPF on a Interface window is displayed.
3. For Interface, select toVLAN40 (toVLAN40).
4. For Area ID, type 0.

Figure 7-263. Enable OSPF on a Interface Window

5. Accept the default values for the remaining options.
6. Click OK.
7. Click Save.

Configure Other OSPF Settings for Site A

If you have not configured other OSPF settings, you must do so now. Enable OSPF, set a unique router ID, and redistribute any routes that you want the module to advertise through the tunnel.
Follow these steps to configure the OSPF settings:
1. To enable OSPF, click Network > Routing and click the OSPF tab.

Figure 7-264. Network > Routing > OSPF Window

1. Select the Enable OSPF check box.
2. For Router Identifier, type 0.0.0.99.
3. Leave other settings at their defaults.
4. Click Apply My Changes.
You should also configure any STUB or NSSA areas that you require. In this example, the local network at site A is a stub area.

Figure 7-265. Add Area Window

6. For Area ID, type 2.
7. For Area Type, select STUB.
8. For Metric, type 5.
9. Click OK.
Finally, enable OSPF on the VLAN interface for the local network.
10. Click Enable OSPF on an interface. The Enable OSPF on a Interface window is displayed.
11. For Interface, select VLAN 70 (VLAN70).
12. For Area ID, type 2.
13. Accept the default values for the remaining options.
14. Click OK.
15. Click Save.

■ Permit unicast and multicast OSPF messages to the remote gateway.
■ Permit unicast and multicast OSPF messages from the remote gateway.
To configure the necessary policies, complete the following steps:
1. In the left navigation bar of the Web browser interface, click Firewall > Access Policies. You are at the Unicast tab.
2. Click Add a Policy. The Add Policy window is displayed.
3. Permit GRE messages to the remote gateway.
4. Permit GRE messages from the remote gateway.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select EXTERNAL.
   c. For To, select SELF.
   d. For Service, click Options and click Enter custom Protocol/Port. Then select (47) GRE for Protocol.
   e. For Source, specify the remote module’s actual IP address: 192.168.33.22.
   f. For Destination, specify the local IP address that acts as the tunnel gateway: 172.23.99.99.

Figure 7-267.

   f. For Destination, specify the remote module’s tunnel IP address: 10.8.8.2.

Figure 7-268. TMS zl Module—Add Policy Window

   g. Click Apply.
6. Permit OSPF messages from the remote gateway.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select ZONE4.
   c. For To, select SELF.
   d. For Service, specify (89) OSPFIGP.
   e. For Source, specify the remote module’s tunnel IP address: 10.8.8.2.

Figure 7-269. TMS zl Module—Add Policy Window

   g. Click Apply.
7. Permit traffic from the local endpoints to the remote endpoints.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select ZONE6.
   c. For To, select ZONE4.
   d. For Service, accept the default, Any.
   e. For Source, specify the network 10.1.70.0/24.
   f. For Destination, specify the network 10.1.40.0/24.
Figure 7-270. TMS zl Module—Add Policy Window

   g. Click Apply.
   h. Click the Advanced tab.
   i. For TCP MSS, type 1436.
8. Permit traffic from the remote endpoints to the local endpoints.
   a. Click the Basic tab.
   b. For Action, accept the default, Permit Traffic.
   c. For From, select ZONE4.
   d. For To, select ZONE6.
   e. For Service, accept the default, Any.
   f. For Source, specify the network 10.1.40.0/24.
   g. For Destination, specify the network 10.1.70.0/24.
Figure 7-271. TMS zl Module—Add Policy Window

   h. Click the Advanced tab.
   i. For TCP MSS, type 1436.
   j. Click Apply.
9. Click Close.
10. Select the Multicast tab.
11. Click Add a Policy.
12. Permit multicast OSPF messages on the local tunnel interface:
   a. For Action, accept the default, Permit Traffic.
   b. For From, select SELF.
   c. For To, select ZONE4.
   d. For Service, specify (89) OSPFIGP.

   a. For Action, accept the default, Permit Traffic.
   b. For From, select ZONE4.
   c. For To, select SELF.
   d. For Service, specify (89) OSPFIGP.
   e. For Source, specify the module IP address on the tunnel interface: 10.8.8.2.
   f. For Destination, leave the default, Any Address.
   g. Click Apply.
14. Click Close.
15. Click Save.

Create the GRE Tunnel for Site B

1. In the left navigation pane of the Web browser interface, click VPN > GRE.

Figure 7-273. Add GRE Tunnel Window

11. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.

Figure 7-274. VPN > GRE Window (Tunnel Added)

12. Click Save.

Create a Route to the Remote Tunnel Gateway

The TMS zl Module requires a route to the destination address for the GRE tunnel. In this example, you will create a static route.
1. Click Network > Routing and click the Static Routes tab.
2. Click Add static route.

Figure 7-275. Add static route Window

3. For Destination Type, select Host.
4. For Destination Address, type 172.23.99.99.
5. For Gateway Address, type 192.168.33.1.
6. For Metric, leave the default, 0.
7. For Distance, type 1.
8. Click OK.

Enable OSPF on the Tunnel for Site B

1. Click Network > Routing and click the OSPF tab.

Figure 7-276. Network > Routing > OSPF Window

2. Click Enable OSPF on an interface. The Enable OSPF on a Interface window is displayed.
3. For Interface, select toVLAN70.
4. For Area ID, type 0.
Figure 7-277. Enable OSPF on a Interface Window

5. Accept the default values for the remaining options.
6. Click OK.
7. Click Save.

Configure Other OSPF Settings for Site B

Again, if you have not configured other OSPF settings, you must do so now. Enable OSPF, set a unique router ID, and redistribute any routes that you want the module to advertise through the tunnel. You should also configure any STUB or NSSA areas that you require.
Follow these steps to configure the OSPF settings:
1. Click Network > Routing and click the OSPF tab.

Figure 7-278. Network > Routing > OSPF Window

1. Select the Enable OSPF check box.
2. For Router Identifier, type 0.0.0.22.
3. Leave other settings at their defaults.
4. Click Apply My Changes.
5. In the Network > Routing > OSPF window, click Add NSSA or STUB Area.

Figure 7-279. Add Area Window

6. For Area ID, type 1.
7. For Area Type, select STUB.
8. For Metric, type 5.
9. Click OK.
10. Click Enable OSPF on an interface. The Enable OSPF on a Interface window is displayed.
11. For Interface, select VLAN 40 (VLAN40).
12. For Area ID, type 1.
13. Accept the default values for the remaining options.
14. Click OK.
15. Click Save.

To configure the necessary policies, complete the following steps:
1. In the left navigation bar of the Web browser interface, click Firewall > Access Policies. You are at the Unicast tab.
2. Click Add a Policy. The Add Policy window is displayed.
3. Permit GRE messages to the remote gateway.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select SELF.
   c. For To, select EXTERNAL.
   d. For Service, specify (47) GRE.

   e. For Source, specify the IP address 192.168.33.22.
   f. For Destination, specify the tunnel’s source IP address, 172.23.99.99.

Figure 7-281. TMS zl Module—Add Policy Window

   g. Click Apply.
5. Permit OSPF messages to the remote gateway.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select SELF.
   c. For To, select ZONE4.
   d. For Service, specify (89) OSPFIGP.
   e. For Source, specify the tunnel interface IP address, 10.8.8.2.
Figure 7-282. TMS zl Module—Add Policy Window

   g. Click Apply.
6. Permit OSPF messages from the remote gateway.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select ZONE4.
   c. For To, select SELF.
   d. For Service, specify (89) OSPFIGP.
   e. For Source, specify the remote tunnel gateway’s IP address on the tunnel interface, 10.8.8.1.
   f. For Destination, specify the TMS zl Module’s IP address on the tunnel interface, 10.8.8.2.

Figure 7-283. TMS zl Module—Add Policy Window

   g. Click Apply.
7. Permit traffic from the local endpoints to the remote endpoints.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select ZONE2.
   c. For To, select ZONE4.
   d. For Service, accept the default, Any.
   e. For Source, specify the network 10.1.40.0/24.
   f. For Destination, specify the network 10.1.70.0/24.

Figure 7-284. TMS zl Module—Add Policy Window

   g. Click the Advanced tab.
   h. For TCP MSS, type 1436.
   i. Click Apply.
8. Permit traffic from the remote endpoints to the local endpoints.
   a. Click the Basic tab.
   b. For Action, accept the default, Permit Traffic.
   c. For From, select ZONE4.
   d. For To, select ZONE2.
   e. For Service, accept the default, Any.
   f. For Source, specify the IP address 10.1.40.0/24.

Figure 7-285. TMS zl Module—Add Policy Window

   h. Click the Advanced tab.
   i. For TCP MSS, type 1436.
   j. Click Apply.
9. Click Close.
10. Select the Multicast tab.
11. Click Add a Policy.
12. Permit multicast OSPF messages on the local tunnel interface:
   a. For Action, accept the default, Permit Traffic.
   b. For From, select SELF.
   c. For To, select Zone4.
   d. For Service, specify (89) OSPFIGP.

13. Permit multicast OSPF messages that arrive from the remote tunnel endpoint:
   a. For Action, accept the default, Permit Traffic.
   b. For From, select Zone4.
   c. For To, select SELF.
   d. For Service, specify (89) OSPFIGP.
   e. For Source, specify the module IP address on the tunnel interface: 10.8.8.1.
   f. For Destination, leave the default, Any Address.
   g. Click Apply.
14. Click Close.
15. Click Save.
Virtual Private Networks GRE Examples In this example, the devices that need to communicate are in VLAN 10, which is in ZONE1 at Site A, and in VLAN65, which is in ZONE2 at Site B. Figure 7-286 shows all of the IP addresses and zones that will be used for this configuration. Table 7-30 lists the configuration parameters that will be used for this configuration. Notice that for many of the parameters the local setting on one module is the same as the remote setting on the other module. Figure 7-286.
Table 7-30. Configuration Parameters for Redundant GRE Example

Parameter                  | TMS zl Module Site A Settings | TMS zl Module Site B Settings
Tunnel Name                | toVLAN65                      | toVLAN10
Tunnel IP Address          | 10.8.8.1                      | 10.8.8.2
Peer IP Address            | 10.8.8.2                      | 10.8.8.1
Firewall Zone Association  | Zone5                         | Zone5
Source IP Address          | 172.23.20.99                  | 192.168.55.22
Destination IP Address     | 192.168.55.22                 | 172.23.20.99
Tunnel Name                | backupto65                    | backupto10
Tunnel IP Address          | 10.9.9.1                      | 10.9.9.

Parameter                  | TMS zl Module Site A Settings | TMS zl Module Site B Settings
Type                       | Network (IP/mask)             | Network (IP/mask)
Single-entry Value         | 10.1.10.0/24                  | 10.1.10.0/24
Name                       | VLAN65                        | VLAN65
Type                       | Network (IP/mask)             | Network (IP/mask)
Single-entry Value         | 10.1.65.0/24                  | 10.1.65.

Parameter                  | TMS zl Module Site A Settings | TMS zl Module Site B Settings
Access Policy to permit traffic from the remote endpoints to the local endpoints.
Action                     | Permit                        | Permit
From                       | Zone5                         | Zone5
To                         | Zone1                         | Zone2
Service                    | Any                           | Any
Source                     | VLAN65                        | VLAN10
Destination                | VLAN10                        | VLAN65
Static Route to the Remote Primary GRE Tunnel Endpoint
Destination Type           | Network                       | Network
Destination Address        | 192.168.55.0/24               | 172.23.20.0/24
Gateway Address            | 172.23.20.1                   | 192.168.55.
Table 7-31 shows the tasks that you must complete to configure the TMS zl Module at each site for this example configuration.

Table 7-31. Configuration Tasks for Redundant GRE Example

Configuration task               | Steps for Module A                                            | Steps for Module B
Create the primary GRE tunnel.   | See “Create the Primary GRE Tunnel for Site A” on page 7-333. | See “Create the Primary GRE Tunnel for Site B” on page 7-343.
Create the secondary GRE tunnel. |                                                               |
11. For Retries, accept the default setting, 3.
Figure 7-288. Add GRE Tunnel Window
12. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.

Create the Secondary GRE Tunnel for Site A
1. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
2. For Tunnel Name, type backupto65.
3. For Tunnel IP Address, type 10.9.9.1.
4. For Peer IP Address, type 10.9.9.2.
5. For Firewall Zone Association, select ZONE5.
6.
Figure 7-289. Add GRE Tunnel Window
9. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.
Figure 7-290. VPN > GRE Window (Tunnel Added)
10. Click Save.
Create Named Objects for Site A
1. Click Firewall > Access Policies > Addresses.
2. Click Add an Address.
3. Create a single-entry network address object for VLAN10.
   a. For Name, type VLAN10.
   b. For Type, select Network (IP/mask).
   c. Select Single-entry and type 10.1.10.0/24.
Figure 7-291. Add Address Window
   d. Click Apply.
4. Create a single-entry network address object for VLAN65.
   a. For Name, type VLAN65.
   b. For Type, select Network (IP/mask).
Figure 7-292. Add Address Window
   d. Click Apply.
5. Create single-entry IP address objects for the local endpoints of the primary and secondary GRE tunnels.
   a. For Name, type siteAinterPrimary.
   b. For Type, select IP.
   c. Select Single-entry and type 172.23.20.99.
   d. Click Apply.
   e. For Name, type siteAinter2nd.
   f. For Type, select IP.
   g. Select Single-entry and type 172.23.21.99.
   h. Click Apply.
6.
   e. For Name, type siteBinter2nd.
   f. For Type, select IP.
   g. Select Single-entry and type 192.168.56.22.
   h. Click Apply.
7. Click Close.
Figure 7-293. Firewall > Access Policies > Addresses Window
8. Create address groups for the GRE tunnel endpoints at each site.
   a. Click the Address Groups tab.
   b. Click Add Address Group.
   c. For Group Name, type siteAinterfaces.
   d. From the Available Addresses list, select siteAinterPrimary.
   e.
Figure 7-294. Add Address Group Window
   h. Click Apply.
   i. For Group Name, type siteBinterfaces.
   j. From the Available Addresses list, select siteBinterPrimary.
   k. Click the Move Right button to move the object into the Group Members list.
   l. From the Available Addresses list, select siteBinter2nd.
   m. Click the Move Right button to move the object into the Group Members list.
   n. Click Apply.
   o. Click Close.
Figure 7-295.
Configure Firewall Access Policies for Site A
You must configure the following policies:
■ Permit GRE messages to the remote gateway.
■ Permit GRE messages from the remote gateway.
■ Permit traffic from the local endpoints to the remote endpoints.
■ Permit traffic from the remote endpoints to the local endpoints.
To configure the necessary policies, complete the following steps:
1.
Figure 7-296. TMS zl Module—Add Policy Window
   g. Click Apply.
5. Permit traffic from the local endpoints to the remote endpoints.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select Zone1.
   c. For To, select Zone5.
   d. For Service, accept the default, Any.
   e. For Source, specify the network VLAN10.
   f. For Destination, specify the network VLAN65.
   g. Click Apply.
6. Permit traffic from the remote endpoints to the local endpoints.
   a. b. c. d. e. f. g.
Configure Routes for Site A
1. Click Network > Routing > Static Routes.
2. Create routes to the remote GRE tunnel endpoints:
   a. Click Add static route.
   b. For Destination Type, select Network.
   c. For Destination Address, type 192.168.55.0/24.
   d. For Gateway Address, type 172.23.20.1.
   e. For Metric, leave 0.
   f. For Distance, type 1.
Figure 7-297. Add static route Window
   g. Click OK.
3.
   a. Click Add static route.
   b.
   d. For Gateway Address, type 10.8.8.2.
   e. For Metric, leave 0.
   f. For Distance, type 1.
   g. Click OK.
4. Create a floating static route to VLAN65 through the secondary GRE tunnel:
   a. Click Add static route.
   b. For Destination Type, select Network.
   c. For Destination Address, type 10.10.65.0/24.
   d. For Gateway Address, type 10.9.9.2.
   e. For Metric, leave 2.
   f. For Distance, type 1.
   g. Click OK.
   h. Click Save.
11. For Retries, accept the default setting, 3.
Figure 7-299. Add GRE Tunnel Window
12. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.

Create the Secondary GRE Tunnel for Site B
1. In the left navigation pane of the Web browser interface, click VPN > GRE. You are at the GRE Tunnels tab.
2. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
3. For Tunnel Name, type backupto10.
4. For Tunnel IP Address, type 10.9.
Figure 7-300. Add GRE Tunnel Window
10. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.
11. Click Save.

Create Named Objects for Site B
1. Click Firewall > Access Policies > Addresses.
2. Click Add an Address.
3. Create a single-entry network address object for VLAN10.
   a. For Name, type VLAN10.
   b. For Type, select Network (IP/mask).
   c. Select Single-entry and type 10.1.10.0/24.
   d. Click Apply.
4.
5. Create single-entry IP address objects for the remote endpoints of the primary and secondary GRE tunnels.
   a. For Name, type siteAinterPrimary.
   b. For Type, select IP.
   c. Select Single-entry and type 172.23.20.99.
   d. Click Apply.
   e. For Name, type siteAinter2nd.
   f. For Type, select IP.
   g. Select Single-entry and type 172.23.21.99.
   h. Click Apply.
6.
   l. From the Available Addresses list, select siteBinter2nd.
   m. Click the Move Right button to move the object into the Group Members list.
   n. Click Apply.
   o. Click Close.

Configure Firewall Access Policies for Site B
You must configure the following policies:
■ Permit GRE messages to the remote gateway.
■ Permit GRE messages from the remote gateway.
■ Permit traffic from the local endpoints to the remote endpoints.
5.
6. Permit traffic from the local endpoints to the remote endpoints.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select Zone2.
   c. For To, select Zone5.
   d. For Service, accept the default, Any.
   e. For Source, specify the network VLAN65.
   f. For Destination, specify the network VLAN10.
   g. Click Apply.
7. Permit traffic from the remote endpoints to the local endpoints.
   a. For Action, accept the default, Permit Traffic.
   b.
3. Create a route to VLAN65 through the primary GRE tunnel:
   a. Click Add static route.
   b. For Destination Type, select Network.
   c. For Destination Address, type 10.1.10.0/24.
   d. For Gateway Address, type 10.8.8.1.
   e. For Metric, leave 0.
   f. For Distance, type 1.
   g. Click OK.
4. Create a floating static route to VLAN65 through the secondary GRE tunnel:
   a. Click Add static route.
   b. For Destination Type, select Network.
   c.
Configure Global IPsec Settings
Follow these steps to configure global IPsec settings:
1. In the Web browser interface left navigation bar, click VPN > IPsec.
2. Click the Settings tab.
3. By default, the Enable IPsec VPN check box is selected:
   • Clear the check box to disable IPsec VPN functionality on the entire TMS zl Module.
   • Select the Handle ICMP error messages check box to have the TMS zl Module accept incoming ICMP error messages. By default, this check box is selected.
5. For Maximum SA per Policy, type the maximum number of SAs that can be established using each IPsec policy. The valid range is 2 to 10000. The default is 10000. Each connection to a remote client requires 2 SAs (one inbound and one outbound).
Configure Bypass and Deny IPsec Policies
Bypass and Deny IPsec policies allow the TMS zl Module to select a subset of the traffic in a VPN for different handling.

Bypass Policies
The TMS zl Module forwards traffic that matches a Bypass policy, but it does not secure that traffic with an IPsec SA. By default, the module has a Bypass policy that selects all traffic, which allows non-VPN traffic that the firewall permits to reach its destination.
Configuration Steps
Follow these steps to create a Bypass or Deny IPsec policy:
1. In the left navigation bar of the Web browser interface, select VPN > IPsec.
2. Click the IPsec Policies tab.
Figure 7-302. VPN > IPsec > IPsec Policies Window
3. Click Add IPsec Policy.
4. For Policy Name, type an alphanumeric string between 1 and 10 characters. The string must be unique to this policy.
5.
Note that you can specify a position that is already used by another policy. The new policy is inserted above the policy that formerly held that position. You can use the arrow icons in the Tools column of the VPN > IPsec > IPsec Policies window to rearrange policies. Remember that the policy at the top of the display is the first policy processed.
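Because the module evaluates the list top-down and ships with a Bypass policy that selects all traffic, the position you give a new Apply policy decides whether it ever matches. The following added example (Python, not the module's code) models the ordering rules stated above and includes a check for Apply policies that a broader Bypass or Deny policy above them shadows; policy names and addresses are constructed.

```python
"""IPsec policy ordering on the TMS zl Module, modelled in Python.

Added example, not HP's code. It models the rules in the text: the top policy
is processed first, the first policy whose selector matches decides (Bypass =
forward without an IPsec SA, Deny = drop, Apply = protect with an SA), a policy
added at an occupied position is inserted above the one that held it, and the
list starts with a Bypass policy selecting all traffic. Selectors are reduced
to protocol plus local and remote networks.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class IpsecPolicy:
    name: str
    action: str                 # "Bypass", "Deny" or "Apply"
    protocol: str = "Any"       # "Any", "TCP", "UDP" or "ICMP"
    local: str = "0.0.0.0/0"    # local address selector
    remote: str = "0.0.0.0/0"   # remote address selector

    def matches(self, protocol, src, dst):
        return ((self.protocol == "Any" or self.protocol == protocol)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote))

    def covers(self, other):
        """True if every packet selected by `other` is also selected by this policy."""
        return ((self.protocol == "Any" or self.protocol == other.protocol)
                and ipaddress.ip_network(self.local).supernet_of(ipaddress.ip_network(other.local))
                and ipaddress.ip_network(self.remote).supernet_of(ipaddress.ip_network(other.remote)))


class IpsecPolicyList:
    def __init__(self):
        # The module ships with a Bypass policy that selects all traffic.
        self.policies = [IpsecPolicy("default-bypass", "Bypass")]

    def add(self, policy, position=None):
        """1-based position as in the Add IPsec Policy window; an occupied
        position pushes the policy that held it (and everything below) down."""
        if position is None or position > len(self.policies):
            self.policies.append(policy)
        else:
            self.policies.insert(position - 1, policy)

    def decide(self, protocol, src, dst):
        """Top-down first match; returns (action, policy name)."""
        for policy in self.policies:
            if policy.matches(protocol, src, dst):
                return policy.action, policy.name
        return None, None   # only reachable if the all-traffic Bypass was removed

    def shadowed(self):
        """Apply policies that can never match because a policy above them
        already selects everything they select: that traffic is forwarded
        in clear (Bypass) or dropped (Deny) instead of being protected."""
        found = []
        for i, policy in enumerate(self.policies):
            if policy.action != "Apply":
                continue
            for above in self.policies[:i]:
                if above.covers(policy):
                    found.append((policy.name, above.name))
                    break
        return found


def ordering_demo():
    """Constructed site-to-site selector: appended below the default Bypass it
    is shadowed; inserted at position 1 it takes effect."""
    site = IpsecPolicy("siteA-to-siteB", "Apply", local="10.1.40.0/24", remote="10.1.70.0/24")
    wrong = IpsecPolicyList()
    wrong.add(site)                     # no position given: lands below default-bypass
    right = IpsecPolicyList()
    right.add(site, position=1)         # default-bypass moves to position 2
    return {
        "wrong": wrong.decide("TCP", "10.1.40.5", "10.1.70.9"),
        "wrong_shadowed": wrong.shadowed(),
        "right": right.decide("TCP", "10.1.40.5", "10.1.70.9"),
        "right_other": right.decide("TCP", "10.1.40.5", "198.51.100.7"),
        "right_shadowed": right.shadowed(),
    }


if __name__ == "__main__":
    for key, value in ordering_demo().items():
        print(key, value)
```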
   d. Remote Port is present if you selected TCP or UDP for Protocol. Type the port number for the service that you want to select. Leave the box empty to select all ports.
   e. If you selected ICMP for the protocol, for ICMP Type, select Any, Echo, or Timestamp.
10. Click Finish.

Manage VPN Connections and GRE Tunnels
Figure 7-303.
Figure 7-304. Status ( - ) Window
These details are displayed:
■ Peer Address—the IP address of the remote tunnel endpoint or client with which the module has established the SA
■ State—the current state of the IKE SA. The state for an active IKE SA is SA_Mature.
■ Remote Gateway—the remote IP addresses in the traffic selector for this policy
■ Status—click the View status link to see more details. The Status window for that SA is displayed.
Figure 7-305.
■ Bytes Processed—the number of bytes received or transmitted by this SA
■ NAT Status—whether the SA is using NAT-T
■ IP Compression Status—whether the SA supports IP compression

Clear SAs
Sometimes you might want to clear a VPN connection before the SA lifetime expires. Clearing a connection closes the associated SA or tunnel on the TMS zl Module.
4. To clear an IPsec tunnel, follow these steps:
   a. Select the SA from the list in the IPsec VPN Tunnels section.
   b. Click Flush above.

View IP Address Pools
You can view information about the pools that you have created for IKE Mode Config as well as the addresses currently assigned to remote endpoints. In the left navigation bar, click VPN > IPsec. Click the IP Address Pool tab.
Figure 7-307.
■ IKE Policy—the IKE policy associated with the pool (through the IPsec policy)
The Active IP Address Pool Sessions section displays the IP addresses currently assigned to remote endpoints:
■ Assigned IP Address—the IP address assigned to the remote endpoint through IKE Mode Config
■ Peer Address—the remote endpoint’s actual IP address (as it appears on the network through which it connects to the TMS zl Module)
■ Remote ID Type—the type
View GRE Tunnels
You can view information about your GRE tunnels. Click VPN > GRE.
Figure 7-309.
Figure 7-310. Example GRE Tunnel (with Zones)
■ Status—Tunnels that do not use keepalives can have one of two statuses:
   • Enabled—The tunnel is enabled, and the TMS zl Module will send traffic across the tunnel (as specified by routes in the routing table). However, the remote tunnel gateway may or may not actually be able to receive this traffic.
   • Disabled—The tunnel is disabled.
   • Enabled/Down—The tunnel is enabled; however, the TMS zl Module has failed to receive a response to its keepalives. (The number of keepalives that must fail in a row is specified by the Retries setting in the tunnel configuration.) The module does not send traffic across this tunnel, and routes that use this tunnel as the forwarding interface are removed from the routing table.
■ Changes—The number of times that the status has changed since the TMS zl Module’s last reboot
If this tunnel uses keepalives, the Keepalive Stats (since last change) area displays this information:
■ Sent—The number of keepalives sent since the last time the tunnel’s status changed (for example, from up to down or from down to up)
■ Received—The number of those keepalives for which the module has received a response from the remote t
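The keepalive status rules above are what make the floating static route in the redundant GRE example (metric 0 through the primary tunnel, metric 2 through the secondary) take over. This added example (Python, not HP's code) models both: a tunnel goes Enabled/Down after Retries consecutive unanswered keepalives, routes that forward through it are withdrawn, and the route lookup then falls back to the floating route. The addresses are those of Table 7-30; the keepalive outcomes and the tie-break order (prefix length, then Distance, then Metric) are assumptions of the example.

```python
"""GRE keepalive status and floating static route failover, modelled in Python.

Added example, not HP's code. Tunnel and route names and addresses follow
Table 7-30 (Site A); the keepalive outcomes are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class GreTunnel:
    name: str
    retries: int = 3          # default Retries setting on the module
    enabled: bool = True
    missed: int = 0           # consecutive keepalives without a response
    sent: int = 0             # keepalives sent since the last status change
    received: int = 0         # responses received since the last status change
    changes: int = 0          # status changes since the last reboot

    @property
    def status(self):
        if not self.enabled:
            return "Disabled"
        return "Enabled/Down" if self.missed >= self.retries else "Enabled"

    @property
    def forwards(self):
        """Only an Enabled tunnel carries traffic; its routes stay in the table."""
        return self.status == "Enabled"

    def keepalive(self, answered):
        """Send one keepalive and record whether the peer answered it."""
        before = self.status
        self.sent += 1
        if answered:
            self.received += 1
            self.missed = 0
        else:
            self.missed += 1
        if self.status != before:           # up -> down or down -> up
            self.changes += 1
            self.sent = self.received = 0   # "Keepalive Stats (since last change)" restart


@dataclass
class StaticRoute:
    destination: str   # destination network, e.g. "10.1.65.0/24"
    gateway: str       # next hop: the peer address of the tunnel
    tunnel: str        # tunnel that is the forwarding interface for this route
    metric: int = 0
    distance: int = 1

    @property
    def network(self):
        return ipaddress.ip_network(self.destination)


class RoutingTable:
    def __init__(self, tunnels, routes):
        self.tunnels = {t.name: t for t in tunnels}
        self.routes = list(routes)

    def active_routes(self):
        """Routes whose forwarding tunnel is up; the rest are withdrawn."""
        return [r for r in self.routes if self.tunnels[r.tunnel].forwards]

    def lookup(self, dst):
        """Longest prefix wins, then lowest Distance, then lowest Metric (assumed order)."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.active_routes() if addr in r.network]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance, r.metric))


def site_a_failover():
    """Primary route via toVLAN65 (metric 0), floating route via backupto65 (metric 2)."""
    primary = GreTunnel("toVLAN65")
    backup = GreTunnel("backupto65")
    table = RoutingTable([primary, backup], [
        StaticRoute("10.1.65.0/24", "10.8.8.2", "toVLAN65", metric=0),
        StaticRoute("10.1.65.0/24", "10.9.9.2", "backupto65", metric=2),
    ])
    trace = []
    # Constructed outcomes: one answer, three misses (tunnel goes down), then recovery.
    for answered in (True, False, False, False, True):
        primary.keepalive(answered)
        route = table.lookup("10.1.65.10")
        trace.append((primary.status, route.gateway))
    return {"trace": trace, "changes": primary.changes}


if __name__ == "__main__":
    for step in site_a_failover()["trace"]:
        print(step)
```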
Configure an HP ProCurve VPN Client
This section includes step-by-step instructions for configuring a ProCurve VPN Client to establish an IPsec connection to the TMS zl Module. For the configuration to work, you must configure client-to-site IPsec settings on the module as described in “Configure an IPsec Client-to-Site VPN” on page 7-27.
3. Right-click the My Connections folder and click Add > Connection.
4. Type a meaningful name for the new connection.
5. If you desire, under Connection Security, select the Only Connect Manually check box.
Figure 7-313. Security Policy Editor Window (Connection Added)
6. Under Remote Party Identity and Addressing, specify the addresses in the internal network that the remote client can reach.
   b. Boxes are displayed depending on the ID Type that you selected. Type a string that exactly matches the value in the Local Address of the module’s IPsec policy traffic selector.
   c. For Protocol, match the protocol selected in the module’s IPsec policy traffic selector.
   d. If you selected TCP or UDP for Protocol, for Port, select a service that matches the Local Port in the TMS zl Module’s IPsec policy traffic selector.
10. In the left navigation pane, expand the connection and click My Identity.
Figure 7-315. ProCurve VPN Client—Security Policy Editor—New Connection > My Identity Window
11.
Figure 7-316. ProCurve VPN Client—Security Policy Editor—Pre-Shared Key Window
      iii. Click Enter Key and type the preshared key that you specified in the module’s IKE policy.
      iv. Click OK.
12. For ID Type, match the remote ID type in the TMS zl Module’s IKE policy.
13. If you selected None for Select Certificate and Domain Name or E-mail Address for ID Type, you must configure the ID value.
Figure 7-317. ProCurve VPN Client—Security Policy Editor—My Identity
Note that the module’s IKE policy might use wildcards, which allow multiple values to match the policy. For example, the remote ID type and value in the module’s IKE policy might be Email Address and *@procurve.com. In the My Identity window, you would select E-mail Address for ID Type. You could then type, for example, user1@procurve.com in the box below.
Figure 7-318. ProCurve VPN Client—Security Policy Editor—Authentication Proposal Window
16. In the right pane, configure security settings to match those in the TMS zl Module’s IKE policy:
   a. For Encrypt Alg, select the encryption algorithm specified on the module.
   b. For Hash Alg, select the authentication algorithm specified on the module.
   c. For SA Life, select Seconds. Then type the number of seconds configured on the module.
   d.
Table 7-32. Default TMS zl Module IKE Settings

Parameter                  | Default Setting
Authentication Algorithm   | MD5
Encryption Algorithm       | 3DES
SA Life                    | 28800 seconds
Diffie-Hellman (DH) Group  | 1

17. If you enabled the XAUTH server in the module’s IKE policy, for Authentication, select Preshared Key; Extended Authentication.
18. In the left navigation pane, expand Key Exchange (Phase 2) and click Proposal 1.
Figure 7-319.
      – If the setting for kilobytes on the module is 0, select Seconds. In the Seconds box, type the number of seconds configured on the module.
      – If the module has a non-zero setting for both seconds and kilobytes, select Both. Match the seconds and kilobytes settings on the module in the Seconds and KBytes boxes.
   b. If the module’s IPsec proposal specifies ESP for the protocol, select the Encapsulation Protocol (ESP) check box.
Figure 7-320. ProCurve VPN Client—Security Policy Editor—Security Policy
21. For Select Phase 1 Negotiation Method, match the Key Exchange Mode setting in the TMS zl Module’s IKE policy. Select either Main Mode or Aggressive Mode.
22. If you enabled PFS in the module’s IPsec policy, select the Enable Perfect Forward Secrecy (PFS) check box. For PFS Key Group, match the group setting in the module’s IPsec policy.
23. Click the Save button.
24.
sary routes should be in place on the TMS zl Module. In this configuration, the TMS zl Module reaches remote clients on a VLAN in the External zone (which is a typical configuration).
Table 7-34.
Parameter       | Valid Settings                                                 | Configuration Window
IPsec policy    |                                                                | Add IPsec Policy—Step 1 of 4
Action          | Apply                                                          |
Position        | Any position                                                   |
Protocol        | Matches the setting configured in step 6c on page 7-368        |
Local Address   | Matches the settings configured in step 6a and b on page 7-368 |
Local Port      | Matches the settings configured in step 6d on page 7-368       |
Remote Address  | Any                                                            |
Remote Port     | Empty                                                          |
Proposal        | IPsec proposal that you created for the IPsec connect          |
Parameter                 | Valid Settings (policy columns: Action, From, To, Service, Source, Destination) | Configuration Window
Firewall access policies  | User Group: None                                                                | Add Policy
                          | • Permit Self External isakmp Any Any                                           |
                          | • Permit External Self isakmp Any Any                                           |
                          | • Other access policies that control traffic from the remote client             |
                          | If XAUTH is enabled, User Group: access policies that control traffic from the remote client | Add Policy

Configure IPSecuritas (Macintosh VPN Client)
This
Figure 7-321. IPSecuritas—Certificate Manager > Certificates Tab
   b. Create a certificate request for the IPSecuritas client:
      i. Click the Requests tab.
Figure 7-322. IPSecuritas—Certificate Manager > Requests Tab
      ii. Click the icon to add a request.
      iii. For Request name, type a meaningful name.
      iv. For Common name, type the name (often, the client’s FQDN). When the TMS zl Module’s IKE policy remote ID is set to Distinguished Name for type, the remote ID value must match what you type here. For example, if you type user1.procurvebranch.
Figure 7-323. IPSecuritas—Certificate Manager (Create Request)
      vii. Click OK.
   c. Submit the certificate request to the CA that signed the TMS zl Module’s certificate.
   d. After you receive the certificate from the CA, import it into IPSecuritas:
      i. Copy the certificate file to the Macintosh endpoint.
      ii. Open IPSecuritas and the Certificate Manager.
Figure 7-324. IPSecuritas—Certificate Manager > Certificates Tab (Import a Certificate Icon)
      iii. In the Certificates tab, click the Import Certificate from a File icon.
      iv. Browse to the certificate file.
      v. For Certificate type, select PEM/DER encoded certificate without private key.
Figure 7-325. IPSecuritas—Certificate Manager (Import Client Certificate)
      vi. Click Import.
      vii. You should see a message indicating that the import was successful.
Figure 7-326. IPSecuritas—Matching Request Found Window
   e. Install the TMS zl Module’s certificate:
      i. Copy the certificate to the Macintosh endpoint.
      ii. In the Certificates tab of the IPSecuritas Certificate Manager, click the Import Certificate from a File icon.
      iii.
      v. Click Import.
      vi. You should see a message indicating that the certificate imported successfully.
3. In the IPSecuritas menu, click Connections > Edit Profiles to open the Profile Manager.
Figure 7-327. IPSecuritas—Profile Manager
4. Click the Add Profile icon.
Figure 7-328.
5. Specify a meaningful name, for example, VPN–MainCampus.
6. Close the Profile Manager.
Figure 7-329. IPSecuritas
7. For Profile, select the profile that you just created.
Figure 7-330. IPSecuritas—Connections > Edit Connections
8. Click Connections > Edit Connections.
Figure 7-331. IPSecuritas—Connections > General Tab
9. Click the Add Connections icon.
10. Specify a meaningful name for the connection, such as Main Campus.
Figure 7-332. IPSecuritas—Connections > General Tab
11. Click the General tab.
12. For Remote IPSec Device, type the IP address at which the client reaches the TMS zl Module. Often, this is the same address that the module’s IKE policy specifies as the local gateway. However, if NAT is performed on this module IP address, you must specify the NAT address.
13.
These settings must match the Remote Address in the module’s traffic selector exactly. For example, if the module’s traffic selector indicates an entire subnet, you must select Network on the IPSecuritas client.
   b. For Remote Side, select the Endpoint Mode:
      – Host — Specifies one IP address on the internal network that the client is permitted to access. Type the address in the IP Address field.
Figure 7-333. IPSecuritas—Connections > Phase 1 Tab
15. Accept the remaining defaults and click the Phase 2 tab.
16. Configure the following settings, which must match settings in the TMS zl Module’s IPsec proposal and IPsec policy:
   a. For Lifetime, select Seconds and type a value in the box.
   b. For PFS Group, select one of the following:
      – 768 (1) — DH group 1
      – 1024 (2) — DH group 2
      – 1536 (5) — DH group 5
   c.
Figure 7-334. IPSecuritas—Connections > Phase 2 Tab
17. Click the ID tab and configure the following settings, which correspond to the identities and authentication method in the TMS zl Module IKE policy:
   a. Local Identifier—Select the identity type for the local endpoint (remote ID on the module) and type the value in the box provided, if any:
      i. User FQDN—Specify an email address in the box.
      ii.
   c. Authentication Method—Configure one of these options:
      – Select Preshared Key. In the Preshared Key box that is displayed, type the key that you specified in the TMS zl Module IKE policy.
      – Select Certificates. For Local Certificate, select the certificate that you installed for the client. For Remote Certificate, select the certificate that you installed for the TMS zl Module.
Figure 7-335. IPSecuritas—Connections > ID Tab
18.
Figure 7-336. IPSecuritas—Connections > Options Tab
21. If you are using certificates for authentication, you must select these check boxes:
   • Request Certificate
   • Verify Certificate
   • Send Certificate
22. Close the Connections window.
Figure 7-337.
23. In the IPSecuritas main menu, click Preferences.
Figure 7-338. IPSecuritas—Preferences Window
24. Ensure that the Randomize and Exclusive Trail check boxes are selected. Accept the rest of the defaults and close the Preferences window.
Figure 7-339.
25. To connect, select the profile that you just created. Then select the connection that you just configured.
26. Click Start.

TMS zl Module Settings with the IPSecuritas Client
For this configuration to work, you must configure IPsec settings on the module as described in “Configure an IPsec Client-to-Site VPN” on page 7-27. Valid settings are displayed in Table 7-35. The table also displays the necessary firewall policies.
Parameter                  | Valid Settings                                                 | Configuration Window
Key Exchange Mode          | Main or Aggressive, as configured in step 14e on page 7-388    | Add IKE Policy—Step 2 of 3
Authentication Method      | Preshared Key                                                  |
Preshared Key              | Same key as configured in step 17 on page 7-390                |
Diffie-Hellman (DH) Group  | Matches the setting configured in step 14b on page 7-388       |
Encryption Algorithm       | Matches the setting configured in step 14c on page 7-388       |
Authentication Algorith
Parameter                                      | Valid Settings                                                                                            | Configuration Window
Enable IP Address Pool for IRAS (Mode Config)  | Check box is cleared. IPSecuritas does not support the TMS zl Module’s implementation of IKE mode config. |

Configure a Windows XP SP2 Client for L2TP over IPsec
For this method, see “Manual Windows XP Client Configuration” on page 7-411. On the TMS zl Module, you must configure L2TP over IPsec settings as described in “Configure an L2TP over IPsec VPN” on page 7-142. See “TMS zl Module Settings with a Windows XP Client (Manual Configuration)” on page 7-443 for a table that shows all necessary settings.
Figure 7-341. Windows XP—New Connection Wizard
7. Click Next.
8. For Company Name, type a meaningful name.
Figure 7-342.
9. Click Next.
Figure 7-343. Windows XP—New Connection Wizard
10. If the Public Network page is displayed, specify whether the client needs to make a dial-up connection. If the workstation’s Internet connection is through a dial-up connection, select that connection for Automatically dial this initial connection. Otherwise, select Do not dial the initial connection.
11. Click Next.
12.
Figure 7-344. Windows XP—New Connection Wizard
13. Click Next.
14. If the Smart Cards page is displayed, complete these steps:
   a. Select Do not use my smart card.
Figure 7-345.
   b. Click Next.
Figure 7-346. Windows XP—New Connection Wizard
15. If prompted, select whether only the current user can make this connection or all users on this workstation. Click Next.
Figure 7-347.
16. If you want, select the Add a shortcut to this connection to my desktop check box. Click Finish.
17. The Connect window should be displayed.
Figure 7-348. Connect Window
18. Click Properties to open the Properties window.
19. Click the Networking tab.
20. For Type of VPN, select L2TP IPSec VPN.
Figure 7-349. Windows XP—Properties Window > Networking Tab
21. Select Internet Protocol (TCP/IP) in the This connection uses the following items box and click Properties.
22. Ensure that Obtain an IP address automatically and Obtain DNS server address automatically are selected so that the TMS zl Module can assign these values while the client is visiting the private network. Click OK to exit.
23.
Figure 7-350. Windows XP—Properties Window > Security Tab
25. Click Settings next to Advanced (custom settings).
Figure 7-351. Windows XP—Advanced Security Settings
26. For Data encryption, ensure that Require encryption (disconnect if server declines) is selected.
27. Select Allow these protocols.
28. Clear the Microsoft CHAP Version 2 (MS-CHAP v2) check box. If it is not already selected, select the check box for the authentication protocol specified in the TMS zl Module L2TP dial-in user account.
Figure 7-352. Windows XP—IPSec Settings Window
   b. Select the Use pre-shared key for authentication check box.
   c. For Key, type the preshared key that you specified in the IKE policy on the TMS zl Module and click OK.
31. Click OK to close the Properties window and return to the Connect window.
Figure 7-353. Connect Window
32.
33. For Password, type the password specified for this user either in the module L2TP user account or on the external RADIUS server.
34. Click Connect. After a minute or so, you should see a message that informs you that the connection was successful.
Parameter                     | Valid Settings                                                                                         | Configuration Window
Security Parameters Proposal  | Select one of these combinations:                                                                      |
                              | • DH Group = 2, Encryption Algorithm = 3DES, Authentication Algorithm = MD5, SA Lifetime in Seconds = 28800   |
                              | • DH Group = 2, Encryption Algorithm = 3DES, Authentication Algorithm = SHA-1, SA Lifetime in Seconds = 28800 |
                              | • DH Group = 1, Encryption Algorithm = DES, Authentication Algorithm = MD5, SA Lifetime in Seconds = 28800    |
                              | • D
Virtual Private Networks Configure a Windows XP SP2 Client for L2TP over IPsec Parameter Valid Settings Configuration Window Action Apply Position Any position Add IPsec Policy— Step 1 of 4 Protocol UDP Local Address TMS zl Module’s public IP address Matches the IP address set in 12 on page 7-399 Local Port 1701 Matching Setting on the Windows XP Client IPsec policy Remote Address Any Remote Port 1701 Proposal IPsec proposal that you created for the L2TP connection IKEv1 Policy IKE poli
Virtual Private Networks Configure a Windows XP SP2 Client for L2TP over IPsec Parameter Valid Settings Configuration Window Server IP Address Any IP address in a private subnet not in use in your Add L2TP User—Step network 2 of 2 User IP Address Any IP address that is: • In the same subnet as the server IP address • Not assigned to another dial-in user Matching Setting on the Windows XP Client • Primary DNS IP addresses of your network’s servers (to which Server TMS firewall access policies permit
Virtual Private Networks Configure a Windows XP SP2 Client for L2TP over IPsec Parameter Valid Settings Configuration Window Matching Setting on the Windows XP Client Firewall access policies User Group None • Permit Self UDP 1701 Add Policy Any Any • Permit Self UDP 1701 Any Any • Permit Self isakmp Any Any • Permit Self isakmp Any Any User Group None • Permit External
Figure 7-354. Windows XP Registry Editor > HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters 4. Right-click the Parameters folder and click New > DWORD Value. 5. A new entry appears in the right panel. Name it ProhibitIpSec. Use the same spelling and capitalization as shown in Figure 7-355. Figure 7-355.
6. Right-click ProhibitIpSec and click Modify. 7. For Value, type 1. Figure 7-356. Windows XP—Edit DWORD Value Window 8. Close the registry editor and restart the computer. Setting ProhibitIpSec to 1 stops Windows from creating its own automatic IPsec policy for L2TP connections; from this point the policy you build in secpol.msc in the following steps is what protects the tunnel, so complete and assign it before you make the first connection. 9. Click Start > Run. 10. Type secpol.msc and click OK. 11. Click IP Security Policies on Local Computer in the left pane. Figure 7-357. Windows XP—Local Security Settings Window 12. Click Action > Create IP Security Policy.
Figure 7-358. Windows XP—IP Security Policy Wizard 13. In the IP Security Policy Wizard, click Next. Figure 7-359. Windows XP—IP Security Policy Wizard > IP Security Policy Name Page 14. For Name, type a meaningful name such as TMS Remote Access. 15. Click Next. 16. Clear the Activate the default response rule check box.
Figure 7-360. Windows XP—IP Security Policy Wizard > Requests for Secure Communication Page 17. Click Next. Figure 7-361. Windows XP—IP Security Policy Wizard > Completing the IP Security policy wizard Page 18. Leave the Edit properties check box selected and click Finish. 19. The Properties window is displayed. Clear the Use Add Wizard check box.
Figure 7-362. Windows XP— Properties Window 20. Click Add. Figure 7-363.
21. In the New Rule Properties window, click Add on the IP Filter Lists tab. 22. In the IP Filter List window, for Name, type a meaningful string such as TMS L2TP Traffic. Figure 7-364. Windows XP—IP Filter List Window 23. Clear the Use Add Wizard check box. 24. Click Add.
Figure 7-365. Windows XP—Filter Properties Window > Addressing Tab 25. In the Filter Properties window, the Addressing tab should be selected. 26. For Source address, select Any IP Address. Often, you want the TMS zl Module to use a single IPsec policy to negotiate connections to multiple remote clients. In this case, you would specify Any for the Remote Address in the IPsec policy traffic selector.
Figure 7-366. Windows XP—Filter Properties Window > Addressing Tab (Addresses Configured) 29. Select the Protocol tab. 30. For Select a protocol, select UDP. 31. In the Set the IP protocol port section, select From this port. 32. Type 1701 in the box below. 33. In the Set the IP protocol port section, select To this port. 34. Type 1701 in the box below.
Figure 7-367. Windows XP—Filter Properties Window > Protocol Tab 35. Click OK to close the Filter Properties window. 36. Click OK to close the IP Filter List window. 37. In the New Rule Properties window, select the IP filter list that you just created.
Figure 7-368. Windows XP—New Rule Properties Window (IP Filter Selected) 38. Click the Filter Action tab. 39. Clear the Use Add Wizard check box.
Figure 7-369. Windows XP—New Rule Properties Window > Filter Action Window 40. Click Add.
Figure 7-370. Windows XP—New Filter Action Properties Window 41. In the New Filter Action Properties window, click Add. 42. In the New Security Method window, select Custom.
Figure 7-371. Windows XP—New Security Method Window 43. Click Settings. Figure 7-372.
44. In the Custom Security Method Settings window, select settings that match the IPsec proposal and IPsec policy settings on the TMS zl Module: a. Select the Data integrity and encryption (ESP) check box. b. For Integrity algorithm, match the authentication algorithm in the module’s IPsec proposal. c. For Encryption algorithm, match the encryption algorithm in the module’s IPsec proposal. d.
Figure 7-373. Windows XP—Custom Security Method Settings Window (Match Module’s Default Settings) 45. Click OK to close the Custom Security Settings window. 46. Click OK to close the New Security Method window. 47. In the New Filter Action Properties window, click the General tab.
Figure 7-374. Windows XP—New Filter Action Properties Window > General Tab 48. For Name, type a meaningful string such as TMS IPsec Negotiation. 49. Click OK to close the New Filter Action Properties window. 50. In the New Rule Properties window, select the Filter Action that you just created.
Figure 7-375. Windows XP—New Rule Properties Window > Filter Action Tab (Action Selected) 51. Click the Authentication Methods tab.
Figure 7-376. New Rule Properties Window > Authentication Methods Tab 52. Click Edit. Figure 7-377.
53. Select Use this string (preshared key). Then type the preshared key specified in the module’s IKE policy. Figure 7-378. Windows XP—Edit Authentication Method Properties Window (Preshared key selected) 54. Click OK. 55. Click Close to close the New Rule Properties window. 56. In the Properties window, click the General tab.
Figure 7-379. Windows XP— Properties Window > General Tab 57. Click Advanced. Figure 7-380. Windows XP—Key Exchange Settings Window 58. If the TMS zl Module IPsec policy enables PFS, select the Master key perfect forward secrecy (PFS) check box. Then select the group that matches the DH group in the module’s IPsec policy.
59. In the minutes box under Authenticate and generate a new key after every, type a value that corresponds to the SA lifetime in the TMS zl Module’s IKE policy. Note that the setting on the Windows client is in minutes while the setting on the TMS zl Module is in seconds, so divide the number on the module by 60. For example, if you left the default setting on the module (28800 seconds), type 480 in the minutes box. 60.
Figure 7-382. Windows XP—IKE Security Algorithms Window 63. Configure settings to match the settings in the TMS zl Module’s IKE policy: a. For Integrity algorithm, match the module’s IKE authentication algorithm setting. b. For Encryption algorithm, match the module’s IKE encryption algorithm setting. c. For Diffie-Hellman Group, match the module’s DH group setting.
Figure 7-383. Windows XP—Local Security Settings Window (Assign the Policy) 68. Open the Network Connections window. 69. Click New Connection Wizard. 70. The wizard is launched. Click Next. 71. Select Connect to the network at my workplace. Figure 7-384.
72. Click Next. Figure 7-385. Windows XP—New Connection Wizard > Network Connection Page 73. Select Virtual Private Network connection. 74. Click Next.
Figure 7-386. Windows XP—New Connection Wizard > Connection Name Page 75. For Company Name, type a meaningful name. 76. Click Next. Figure 7-387.
77. If the Public Network page is displayed, specify whether the VPN connection should use a dial-up connection. If the workstation’s Internet connection is through a dial-up connection, select that connection for Automatically dial this initial connection. Otherwise, select Do not dial the initial connection. 78.
Figure 7-389. Windows XP—New Connection Wizard b. Click Next. Figure 7-390. Windows XP—New Connection Wizard 81. If prompted, select whether only the current user can make this connection or all users on this workstation. Click Next. 82. Click Next.
Figure 7-391. Windows XP—New Connection Wizard > Completing the New Connection Wizard Page 83. If you want, select the Add a shortcut to this connection to my desktop check box. Click Finish. 84. The Connect window should display. Figure 7-392.
85. Click Properties to open the Properties window. 86. Click the Networking tab. 87. For Type of VPN, select L2TP IPSec VPN. Figure 7-393. Windows XP— Properties Window > Networking Tab 88. Select Internet Protocol (TCP/IP) in the This connection uses the following items box and click Properties. 89.
Figure 7-394. Windows XP— Properties Window > Security Tab 92. Click Settings next to Advanced (custom settings).
Figure 7-395. Windows XP—Advanced Security Settings 93. For Data encryption, ensure that Require encryption (disconnect if server declines) is selected. 94. Select Allow these protocols. 95. Clear the Microsoft CHAP Version 2 (MS-CHAP v2) check box. If it is not already selected, select the check box for the authentication protocol specified in the TMS zl Module L2TP dial-in user account.
99. For Password, type the password specified for this user either in the module L2TP user account or on the external RADIUS server. 100. Click Connect. After a minute or so, you should see a message that informs you that the connection was successful.
Table 7-39.
Parameter | Valid Settings | Configuration Window | Matching Setting on the Windows XP Client (Manual Method)
XAUTH Configuration | Disable XAUTH | Add IKE Policy—Step 3 of 3
Encapsulation Mode | Transport | Add IPsec Proposal
Protocol | ESP | Custom Security Method Settings for the filter action (step 44 on page 7-425)
Encryption Algorithm | • DES • 3DES | Encryption algorithm in Custom Security Method Settings for the filter action (st
Action | Apply
Position | Any position | Add IPsec Policy—Step 1 of 4
Protocol | UDP | Protocol in the IP filter (step 30 on page 7-419)
Local Address | TMS zl Module’s public IP address; matches the IP address set in step 78 on page 7-437 | Destination address in the IP filter (step 27 on page 7-418)
Local Port | 1701 | To this
User | Matches the username submitted by the remote client | Add L2TP User—Step 1 of 2 | User name configured in step 85 on page 7-440
Password | Match the string submitted by the remote client | Password configured in step 99 on page 7-443
User Group | The group on the TMS zl Module that has been configured with access policies
Firewall access policies | User Group None • Permit Self UDP 1701 Any Any • Permit Self UDP 1701 Any Any • Permit Self isakmp Any Any • Permit Self isakmp Any Any | Add Policy
User Group None • Permit External Any
Virtual Private Networks Configure a Windows Vista Client for L2TP over IPsec Before you configure the VPN connection, make sure to uninstall any other third-party VPN client; these clients can interfere with the Windows Vista client. Then follow these steps: Figure 7-396. Windows Vista — Start > Run 1. On the Windows Vista client, click Start > Run. If your Start menu does not include the run command, you must customize the menu: a. Right-click Start and click Properties. b. Click Customize. c.
2. In the Run window, type regedit and click OK. 3. Navigate to HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters. Figure 7-398. Registry Editor — HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters 4. Click Edit > New > DWORD (32-bit) Value. Figure 7-399. Registry Editor — Edit > New > DWORD (32-bit) Value 5. A new entry appears in the right panel.
Figure 7-400. Registry Editor — Name REG_DWORD ProhibitIpSec 6. Right-click ProhibitIpSec and click Modify. Figure 7-401. Registry Editor — Modify ProhibitIpSec 7. In the Edit DWORD (32-bit) Value window, type 1 in the Value data box and click OK.
Figure 7-402. Edit DWORD (32-bit) Value 8. Close the registry editor and restart the computer. 9. Click Start > Run. 10. Type secpol.msc and click OK. 11. Click IP Security Policies on Local Computer in the left pane. Figure 7-403. Windows Vista—Local Security Settings Window 12. Click Action > Create IP Security Policy.
Figure 7-404. Windows Vista—IP Security Policy Wizard 13. In the IP Security Policy Wizard, click Next. Figure 7-405. Windows Vista—IP Security Policy Wizard—IP Security Policy Name Page 14. For Name, type a meaningful name such as TMS Remote Access.
15. Click Next. Figure 7-406. Windows Vista—IP Security Policy Wizard— Requests for Secure Communication Page 16. Make sure that the Activate the default response rule check box is not selected. 17. Click Next.
Figure 7-407. Windows Vista—IP Security Policy Wizard— Completing the IP Security policy wizard Page 18. Leave the Edit properties check box selected and click Finish. 19. The Properties window is displayed. Clear the Use Add Wizard check box.
Figure 7-408. Windows Vista— Properties Window 20. Click Add.
Figure 7-409. Windows Vista—New Rule Properties Window 21. In the New Rule Properties window, click Add in the IP Filter Lists section. 22. In the IP Filter List window, for Name, type a meaningful string such as TMS L2TP Traffic. 23. Clear the Use Add Wizard check box.
Figure 7-410. Windows Vista—IP Filter List Window 24. Click Add.
Figure 7-411. Windows Vista—Filter Properties Window > Addressing Tab 25. In the Filter Properties window, the Addressing tab should be selected. 26. For Source address, typically, leave Any IP Address selected. Often, you want the TMS zl Module to use a single IPsec policy to negotiate connections to multiple remote clients. In this case, you would specify Any for the Remote Address in the IPsec policy traffic selector.
This IP address must be the Local Gateway IP Address in the IKE policy configured on the TMS zl Module. It must also be the Local Address in the module’s IPsec policy traffic selector. Often, it is the IP address on a VLAN in the External zone. Figure 7-412. Windows Vista—Filter Properties Window > Addressing Tab (Addresses Configured) 29. Click the Protocol tab. 30. For Select a protocol, select UDP. 31.
Figure 7-413. Windows Vista—Filter Properties Window > Protocol Tab 33. Click OK to close the Filter Properties window. 34. Click OK to close the IP Filter List window. 35. In the New Rule Properties window, select the IP filter list that you just created.
Figure 7-414. Windows Vista—New Rule Properties Window (IP Filter Selected) 36. Click the Filter Action tab.
Figure 7-415. Windows Vista—New Rule Properties Window > Filter Action Window 37. Clear the Use Add Wizard check box and click Add.
Figure 7-416. Windows Vista—New Filter Action Properties Window 38. In the New Filter Action Properties window, click Add.
Figure 7-417. Windows Vista—New Security Method Window 39. In the New Security Method window, select Custom. 40. Click Settings.
Figure 7-418. Windows Vista—Custom Security Method Settings Window 41. In the Custom Security Method Settings window, select settings that match the IPsec proposal and IPsec policy settings on the TMS zl Module: a. Select the Data integrity and encryption (ESP) check box. b. For Integrity algorithm, match the authentication algorithm in the module’s IPsec proposal. c.
Table 7-40. Default TMS zl Module IPsec Settings
Parameter | Default Setting
Protocol | ESP
Encryption Algorithm | 3DES
Authentication Algorithm | MD5
SA Lifetime in Seconds | 28800
SA Lifetime in Kilobytes | 0 (None)
Figure 7-419. Windows Vista—Custom Security Method Settings Window (Match Module’s Default Settings) 42. Click OK to close the Custom Security Settings window.
Figure 7-420. Windows Vista—New Filter Action Properties Window > General Tab 45. For Name, type a meaningful string such as TMS IPsec Negotiation. 46. Click OK to close the New Filter Action Properties window. 47. In the New Rule Properties window, select the filter action that you just created.
Figure 7-421. Windows Vista—New Rule Properties Window > Filter Action Tab (Action Selected) 48. Click the Authentication Methods tab.
Figure 7-422. Windows Vista—New Rule Properties Window > Authentication Methods Tab 49. Click Edit.
Figure 7-423. Windows Vista—Edit Authentication Method Properties Window 50. Select Use this string (preshared key). Then type the preshared key specified in the module’s IKE policy.
Figure 7-424. Windows Vista—Edit Authentication Method Properties Window (Preshared Key Selected) 51. Click OK. 52. Click Close to close the New Rule Properties window.
Figure 7-425. Windows Vista— Properties Window > General Tab 53. In the Properties window, click the General tab. 54. Click Settings.
Figure 7-426. Windows Vista—Key Exchange Settings Window 55. If the TMS zl Module IPsec policy enables PFS, select the Master key perfect forward secrecy (PFS) check box. Then select the group that matches the DH group in the module’s IPsec policy. 56. In the minutes box under Authenticate and generate a new key after every, type a value that corresponds to the SA lifetime in the TMS zl Module’s IKE policy.
Figure 7-427. Windows Vista—Key Exchange Security Methods Window 58. To prevent the VPN client from sending unsupported parameters, remove the default security methods. Select each method and click Remove. (Click Yes to confirm the deletion.) 59. Click Add. Figure 7-428.
60. Configure settings to match the settings in the TMS zl Module’s IKE policy: a. For Integrity algorithm, match the module’s IKE authentication algorithm setting. b. For Encryption algorithm, match the module’s IKE encryption algorithm setting. c. For Diffie-Hellman Group, match the module’s DH group setting. Table 7-41 displays the default settings for a TMS zl Module IKE policy. Table 7-41.
Figure 7-430. Windows Vista—Control Panel 66. Double-click Network and Sharing Center.
Figure 7-431. Windows Vista—Control Panel > Network and Sharing Center 67. In the left navigation bar, click Set up a connection or network. 68. Select Connect to a workplace.
Figure 7-432. Windows Vista—Set up a connection or network > Choose a connection option Page 69. Click Next.
Figure 7-433. Windows Vista—Connect to a workplace > How do you want to connect Page 70. Click Use my Internet connection (VPN). 71. For Internet address, type the TMS zl Module’s public IP address. This IP address must be the Local Gateway IP Address in the IKE policy configured on the TMS zl Module. Often, it is the IP address on a VLAN in the External zone. 72. For Destination name, type a meaningful name for the connection.
Figure 7-434. Windows Vista—Connect to a workplace > Type the Internet address to connect to Page 74. Click Next.
Figure 7-435. Windows Vista—Connect to a workplace > Type your username and password Page 75. For User Name, type the username specified either in a TMS zl Module L2TP user account or on an external RADIUS server. If the TMS zl Module attaches a specific domain name to the external RADIUS server, make sure to include that domain name in the username (for example, user1@procurve.com). 76.
Figure 7-436. Windows Vista—Connect to a workplace > The connection is ready to use Page 79. Leave The connection is ready to use page open and return to the Network and Sharing Center window.
Figure 7-437. Windows Vista—Control Panel > Network and Sharing Center 80. In the left navigation bar, click Manage network connections.
Figure 7-438. Windows Vista—Network Connections Window 81. Double-click the connection that you just created. Figure 7-439.
82. Click Properties. 83. Click the Security tab. 84. Select Advanced (custom settings). Figure 7-440. Windows Vista— Properties Window > Security Tab 85. Click Settings. 86. Select Allow these protocols and clear the Microsoft CHAP Version 2 (MS-CHAP v2) check box. Select the check box for the authentication protocol configured in the TMS zl Module’s dial-in user account.
Figure 7-441. Windows Vista—Advanced Security Settings 87. Click OK. 88. Click the Networking tab. 89. For Type of VPN, select L2TP IPSec VPN.
Figure 7-442. Windows Vista— Properties Window > Networking Tab 90. Select Internet Protocol Version 4 (TCP/IPv4) in the This connection uses the following items box and click Properties. 91. Ensure that Obtain an IP address automatically and Obtain DNS server address automatically are selected so that the TMS zl Module can assign these values while the client is visiting the private network. Click OK to exit. 92.
Finally, when you authenticate L2TP users to an external RADIUS server, remember to check your RADIUS server’s setup (see “Set Up a RADIUS Server to Work with the TMS zl Module” on page 7-173). Table 7-42.
Parameter | Valid Settings | Configuration Window | Matching Setting on the Windows Vista Client
Key Exchange Mode | Main Mode | Add IKE Policy—Step 2 of 3
Authentication Method | • Preshared Key • RSA Signature • DSA Signature | Setting in the Edit Authentication Methods window (step 50 on page 7-471)
Preshared Key | Matches the string configured on the remote client | String in the Edit Authentication Methods window (step 50 on page
Action | Apply
Position | Any position | Add IPsec Policy—Step 1 of 4
Protocol | UDP | Protocol in the IP filter (step 30 on page 7-460)
Local Address | TMS zl Module’s public IP address; matches the IP address set in step 71 on page 7-480 | Destination address in the IP filter (step 28 on page 7-459)
Local Port | 1701 | To this port in the IP
L2TP User account (one user for each client if used)
User | Matches the username submitted by the remote client | Add L2TP User—Step 1 of 2 | User name configured in step 75 on page 7-482
Password | Match the string submitted by the remote client
User Group | The group on the TMS zl Module that has been configured with access policies for the
L2TP RADIUS Authentication settings (if used)
L2TP Server IP Address | Any IP address in a private subnet not in use in your network | Network > Authentication > L2TP Users
Domain name | The domain to which your users belong (or global = no name) | Domain Name setting in Add RADIUS server window
IP Pool | Range of IP addresses that are in th
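The matching tables for the XP client (Table 7-39) and the Vista client (Table 7-42), together with the seconds-to-minutes conversion in the Key Exchange Settings step, are the places where a negotiation fails with nothing more helpful than a timeout when one value is off. The following script is an added example for this guide, not HP's code and not the module's API: its field names are chosen here to mirror the tables' Parameter and Matching Setting columns, and its sample values are constructed (the module side at the Table 7-40 defaults with PFS off, the client side filled in from the steps above for exactly those defaults). Fill in the values you actually entered on each side and run it before clicking Connect; it also lists the DES, MD5 and DH group 1 options, which the module still offers but which are no longer considered adequate.

```python
"""Check that a TMS zl Module's L2TP-over-IPsec settings and a Windows XP/Vista
client built with the manual IPsec policy (secpol.msc) actually agree.
Added example, not HP's code and not the module's API: the field names mirror
the tables' Parameter / Matching Setting columns and the sample values are
constructed (module at the Table 7-40 defaults, PFS off)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ModuleSide:
    """IKE policy, IPsec proposal and IPsec policy values on the module."""
    ike_mode: str                   # must be "Main Mode"
    ike_auth_method: str            # "Preshared Key", "RSA Signature" or "DSA Signature"
    ike_dh_group: int
    ike_encryption: str             # module offers "DES" or "3DES"
    ike_integrity: str              # "MD5" or "SHA-1"
    ike_lifetime_s: int             # IKE SA lifetime in seconds (default 28800)
    xauth_enabled: bool             # must be False for Windows clients
    ipsec_encapsulation: str        # must be "Transport" for L2TP
    ipsec_protocol: str             # "ESP"
    ipsec_encryption: str
    ipsec_integrity: str
    ipsec_pfs_group: Optional[int]  # None when PFS is off in the IPsec policy
    ts_protocol: str                # traffic selector: UDP, local 1701, remote 1701
    ts_local_port: int
    ts_remote_port: int

@dataclass(frozen=True)
class ClientSide:
    """Values typed into the Windows IP filter, filter action and key exchange dialogs."""
    filter_protocol: str            # Protocol tab: protocol, From this port, To this port
    filter_from_port: int
    filter_to_port: int
    esp_selected: bool              # Data integrity and encryption (ESP)
    esp_integrity: str
    esp_encryption: str
    auth_is_psk: bool               # Use this string (preshared key)
    ike_integrity: str              # IKE Security Algorithms dialog
    ike_encryption: str
    ike_dh_group: int
    ike_lifetime_min: int           # Key Exchange Settings, in minutes
    pfs_group: Optional[int]        # Master key PFS group, None if unchecked

def ike_lifetime_minutes(seconds: int) -> int:
    """Module lifetime is in seconds; the Windows dialog takes minutes (28800 -> 480)."""
    if seconds <= 0 or seconds % 60:
        raise ValueError("lifetime must be a positive multiple of 60 seconds")
    return seconds // 60

def _same(a: str, b: str) -> bool:
    """Algorithm names compared ignoring case and hyphens (SHA-1 vs SHA1)."""
    return a.replace("-", "").upper() == b.replace("-", "").upper()

def find_mismatches(m: ModuleSide, c: ClientSide) -> List[str]:
    """One message per setting that would make IKE or the L2TP tunnel fail."""
    minutes = ike_lifetime_minutes(m.ike_lifetime_s)
    # The module's Local Port pairs with the client's "To this port", Remote Port with "From".
    checks = [
        (m.ike_mode == "Main Mode", "IKE policy must use Main Mode"),
        (not m.xauth_enabled, "XAUTH must be disabled in the IKE policy"),
        (m.ike_auth_method != "Preshared Key" or c.auth_is_psk,
         "module expects a preshared key; client rule does not use one"),
        (m.ipsec_encapsulation == "Transport", "L2TP over IPsec needs Transport encapsulation"),
        (m.ipsec_protocol == "ESP" and c.esp_selected, "IPsec protocol must be ESP on both ends"),
        ((m.ts_protocol.upper(), m.ts_local_port, m.ts_remote_port)
         == (c.filter_protocol.upper(), c.filter_to_port, c.filter_from_port),
         "traffic selector does not match the client IP filter (UDP 1701 both ways)"),
        (_same(m.ipsec_encryption, c.esp_encryption) and _same(m.ipsec_integrity, c.esp_integrity),
         "IPsec proposal algorithms differ from Custom Security Method Settings"),
        (_same(m.ike_encryption, c.ike_encryption) and _same(m.ike_integrity, c.ike_integrity),
         "IKE policy algorithms differ from IKE Security Algorithms settings"),
        (m.ike_dh_group == c.ike_dh_group, "IKE Diffie-Hellman group differs"),
        (minutes == c.ike_lifetime_min,
         f"IKE lifetime: module {m.ike_lifetime_s} s is {minutes} min, client has {c.ike_lifetime_min} min"),
        (m.ipsec_pfs_group == c.pfs_group, "PFS setting or group differs"),
    ]
    return [msg for ok, msg in checks if not ok]

def weak_choices(m: ModuleSide) -> List[str]:
    """Options the module still offers that are no longer considered adequate."""
    notes: List[str] = []
    for label, enc, integ in (("IKE", m.ike_encryption, m.ike_integrity),
                              ("IPsec", m.ipsec_encryption, m.ipsec_integrity)):
        if _same(enc, "DES"):
            notes.append(f"{label}: single DES encryption")
        if _same(integ, "MD5"):
            notes.append(f"{label}: MD5 integrity")
    if 1 in (m.ike_dh_group, m.ipsec_pfs_group):
        notes.append("Diffie-Hellman group 1 (768-bit)")
    return notes

# Constructed samples: module at its documented defaults (ESP, 3DES, MD5, 28800 s), PFS off,
# and the client dialogs filled in from the steps above for exactly those defaults.
MODULE_DEFAULTS = ModuleSide("Main Mode", "Preshared Key", 2, "3DES", "MD5", 28800, False,
                             "Transport", "ESP", "3DES", "MD5", None, "UDP", 1701, 1701)
CLIENT_MATCHING = ClientSide("UDP", 1701, 1701, True, "MD5", "3DES", True, "MD5", "3DES", 2, 480, None)
```

Call `find_mismatches(module, client)` with your own two records; an empty list means every row of the table lines up. `weak_choices(module)` is deliberately separate, because those settings do negotiate successfully; they are a policy decision, not a configuration error.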
8 High Availability Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Active-Standby Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Failover Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Boot Order . . . . . . . . . . . . . .
High Availability
Overview
High availability (HA) is a strategy for minimizing network downtime so that users can access the network with minimal interruption in the event that a network device fails. The best approach for providing HA for the Threat Management Services (TMS) zl Module is to implement an HA cluster—a group of modules that can take over the workload of another module if it fails. Two TMS zl Modules can be clustered for HA.
Figure 8-1. Active-Standby Mode In active-standby mode, the master handles all network traffic, so the participant does not have any IP addresses on the TMS VLANs; therefore, you cannot access the Web browser interface for the participant. Any configuration changes must be made to the master and then synchronized to the participant. When you remove the master from an active-standby cluster, it will lose all of its TMS VLAN IP addresses.
If the cluster members are in different host switches, you must ensure the following: ■ The same VLANs are configured on both host switches. ■ There are redundant Layer 2 connections between the host switches. See “Boot Order” on page 8-4 for more information. Failover Process The failover process for each HA mode is detailed below: 1. The master fails. 2.
3. The TMS VLAN settings that were configured on the cluster participant before becoming a cluster member are permanently erased. 4. When the cluster master fails, the cluster participant becomes the cluster master without significant interruption. 5. When the former cluster master comes back online, it uploads the startup-config of the current cluster master and becomes the cluster participant.
has gone offline, so it assumes the role of master and begins to transmit gratuitous ARP messages over the network to associate the cluster’s IP addresses with the participant’s MAC addresses. In the meantime, the master continues to respond to ARP requests by associating its MAC addresses with the cluster’s IP addresses.
IDS/IPS and HA If you use the intrusion detection/prevention (IDS/IPS) signatures on an HA cluster, it is recommended that you purchase one subscription for each cluster member, even though it is technically possible to operate the HA cluster if you register the master module only. ■ If you purchase one IDS/IPS subscription for the cluster master, you will be able to download the signature updates as long as the master is active.
Configuring High Availability

Before you configure HA, review this summary of HA behavior and functionality:
■ Only one HA cluster (two modules) is supported in a single switch chassis.
■ You cannot install HA cluster members that are members of different clusters in the same switch chassis.
■ All cluster members must be running the same software version.
To configure HA settings, complete the following:
1. Back up the startup-config on the cluster master. Should you need to restore the startup-config, remember that it does not include the HA settings.
a. On the cluster master, select System > Maintenance. Then click the Back Up/Restore tab.
b. Click Back Up and save the configuration to your workstation.
2. Select System > Settings and click the High Availability tab.
Figure 8-2.
Both cluster members must use the same HA VLAN, and different clusters on the same subnet can also use the same HA VLAN or a different HA VLAN.
Note It is highly recommended that you change the HA VLAN to a dedicated VLAN that does not carry general data traffic, even if you are not implementing HA. If you do not change the HA VLAN, general broadcast traffic will be received by the module on VLAN 1 and then dropped by the firewall.
Managing the Cluster

On the master of an HA cluster, the Sync Configuration Now button is active.
Figure 8-3. System > Settings > High Availability on the Cluster Master
■ Click Sync Configuration Now to propagate HA changes that you made to the master to the other cluster members. If the members of the cluster have different configurations when you synchronize the configuration, the participant will be rebooted with the new startup-config.
Updating Cluster Software

Caution This operation will cause you to lose network connectivity for 15–30 minutes; therefore, you should plan these software updates for a low network-utilization time.
2. Click the Back Up/Restore tab.
3. Click Back Up. A window is displayed that prompts you to save the file to your workstation.
4. Select Save File and click OK.

Remove the Participant from the Cluster

In this step you will remove the participant from the cluster. You must do this to prevent the modules from attempting to establish (or maintain) the cluster while the two modules are using different software versions.
1.
5. Save the current configuration and reboot the module.
Syntax: boot
Reboots the module.
When asked if you would like to reboot the module and if you want to save the current configuration, type [y]. For example:
hostswitch(services-module-C:PR)# boot service
Device will be rebooted, do you want to continue [y/n]? y
Do you want to save the current configuration [y/n]? y
Saving running config...
Performing user initiated reboot.
1. When the participant finishes rebooting, access the host switch’s CLI and enter the Product OS context:
hostswitch# services 2
Replace the slot argument with the letter of the chassis slot in which the module is installed. The prompt should look like the following:
hostswitch(tms-module-C)#
2. Enter the global configuration context for the module:
Syntax: configure terminal
Enters the configuration context for the module.
Rejoin the Participant to the Cluster

In this section, you will reconfigure the high-availability settings on the participant and reestablish a cluster with the master. Perform these steps on the participant.
1. When the module has finished rebooting, access its Web browser interface.
2. Select System > Settings, then click the High Availability tab.
3. For Cluster Scheme, select Active-Standby.
4. For VLAN ID, type the cluster’s VLAN ID.
16. When the participant finishes rebooting, confirm that it has rejoined the cluster.
a. Access the Web browser interface for the cluster master.
b. Select System > Settings, then click High Availability.
c. Verify that the participant is visible in the Cluster Devices table.
Figure 8-4.
9 Routing Contents Routing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3 Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4 Floating Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Configuring Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Configuring a Default Gateway . . . . . . . . . .
Routing Contents OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27 OSPF Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27 LSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28 Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-29 Stub Areas and Stub Routers . .
Routing Overview

This chapter provides instructions for the module’s routing configuration.
If the module learns about more than 10,000 total routes as a result of either RIP or OSPF, routes after the 10,000th route will not be added to the routing table. The excess routes will be “floating” routes, which means that they exist but are not in the routing table. However, both routes in the routing table and floating routes are shown in the Web browser interface and the CLI. See “Viewing Unicast Routes” on page 9-53.
Floating Static Routes

As mentioned, a floating route is a route that the module knows but that is not currently in the module’s active routing table. Floating routes can be created when the module learns too many routes. You can also create floating routes deliberately. A floating static route is generally used in conjunction with redundant GRE tunnels. In this use model, two GRE tunnels offer a connection to the same remote network.
Configuring Static Routes

To configure static routes, you must configure the following parameters:
■ Destination Type—The TMS zl Module allows three destination types:
• Network—select this option if the destination is a subnet.
• Host—select this option if the destination is a specific device.
• Default Gateway—select this option when creating a default route. See “Configuring a Default Gateway” on page 9-9.
For network routes, you should typically make the destination address as general as possible for the gateway address to still be valid for all matching packets. For example, instead of configuring separate routes to network 10.1.3.0/24 and network 10.1.2.0/24 on the TMS zl Module shown in Figure 9-1, you could enter a route to the entire 10.1.0.0/16 network through Router A. Router A knows more specific routes and forwards the traffic toward the correct destination.
To view your current static routes, click Network > Routing > Static Routes.
Figure 9-2. Network > Routing > Static Routes Window
When you use static routing to the exclusion of other routing protocols, the router will not share its routing table with other routers. This means that the hosts serviced by this router will only be able to reach a destination if you add an entry for that destination. To add a static route to your network, complete the following steps:
1.
4. The Destination Address depends on the destination type that you chose:
• Network—type the IP address and subnet mask of the destination.
• Host—type the IP address of the host.
5. For Gateway Address, type the IP address of the next-hop router.
6. For Metric, type a value to represent the distance to the destination address. Typically, the metric for a static route is 0.
7. For Distance, type the administrative distance. Typically, the distance for a static route is 1.
8.
Figure 9-4. Add Default Static Route Window
4. For Destination Type, select Default Gateway.
5. For Gateway Address, type the next-hop address.
6. For Metric, type 0.
7. For Distance, type 1.
8. Click OK. The route is now displayed in the Network > Routing > Static Routes window.
Note The TMS zl Module can know multiple default routes.
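The following is an added example, not code from the HP guide: a small model of the route selection the static-routing sections describe (network, host and default destinations, metric, administrative distance, longest-prefix match, and routes that float because a better route exists or the 10,000-route limit is reached). The class names, the GRE tunnel next hops and the RIP-learned route are constructed.

```python
"""Added example, not code from the HP guide: a model of the route selection
the chapter describes (destination types, metric, administrative distance,
floating routes). Class names and sample addresses are constructed."""
import ipaddress
from dataclasses import dataclass

ROUTE_LIMIT = 10_000  # the guide's cap on routes learned through RIP or OSPF


@dataclass(frozen=True)
class Route:
    destination: str  # network (a.b.c.d/n), host (a.b.c.d) or 0.0.0.0/0 for the default
    gateway: str      # next-hop router address
    metric: int       # typically 0 for a static route
    distance: int     # administrative distance, typically 1 for a static route
    source: str       # "static", "connected", "rip" or "ospf"

    @property
    def prefix(self):
        # a bare host address becomes a /32, matching the "Host" destination type
        return ipaddress.ip_network(self.destination, strict=False)


class RouteTable:
    """Every route the module knows; active() is what reaches the routing table."""

    def __init__(self):
        self.known = []

    def add(self, route: Route) -> None:
        self.known.append(route)

    def remove(self, route: Route) -> None:
        self.known.remove(route)

    def active(self) -> list:
        """Installed routes: per destination the lowest administrative distance
        wins, then the lowest metric. Everything else floats, as do dynamic
        routes learned after the 10,000th one (modelled here in learning order)."""
        best = {}
        dynamic = 0
        for r in self.known:
            if r.source in ("rip", "ospf"):
                dynamic += 1
                if dynamic > ROUTE_LIMIT:
                    continue  # known to the module, but floating
            cur = best.get(r.prefix)
            if cur is None or (r.distance, r.metric) < (cur.distance, cur.metric):
                best[r.prefix] = r
        return list(best.values())

    def floating(self) -> list:
        installed = set(self.active())
        return [r for r in self.known if r not in installed]

    def lookup(self, address: str):
        """Longest-prefix match over the active routes; the default route (/0)
        matches only when nothing more specific does."""
        ip = ipaddress.ip_address(address)
        matches = [r for r in self.active() if ip in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def sample_table() -> RouteTable:
    """Constructed sample following the guide's Figure 9-1 advice: one summary
    route to 10.1.0.0/16 through Router A instead of per-/24 routes, plus a
    primary and a floating backup static route to a network reached over two
    redundant GRE tunnels (tunnel next hops are assumed values)."""
    t = RouteTable()
    t.add(Route("0.0.0.0/0", "172.16.1.2", 0, 1, "static"))      # default gateway
    t.add(Route("10.1.0.0/16", "10.1.2.2", 0, 1, "static"))       # summary via Router A
    t.add(Route("10.1.3.0/24", "10.1.4.9", 3, 120, "rip"))        # more specific, RIP-learned
    t.add(Route("192.168.50.0/24", "10.9.9.1", 0, 1, "static"))   # primary GRE tunnel
    t.add(Route("192.168.50.0/24", "10.9.9.2", 0, 10, "static"))  # backup: floats until needed
    return t
```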
Dynamic Routing

As a network becomes larger and more complicated, manually configuring every route on every router becomes infeasible. Even when you use default routes and hub routers to minimize the number of routes individual routers must know, manually configuring routes for an expanding network can be time consuming.
so that you can select the best routing protocol (or protocols) for your network environment. If necessary, you can change which routes are chosen by altering the default metrics that a protocol assigns certain routes.
■ What information routers include in routing updates—With some routing protocols, routers exchange their entire routing tables. With other routing protocols, routers exchange only portions of the routing table.
Table 9-2. RIP and OSPF Comparison

Option                                   RIP                                          OSPF
Metric computation and route selection   Number of hops to the destination.           • Inverse bandwidth
                                                                                      • Type of service (ToS) (rarely used)
Information in updates                   Routers send the complete RIP routing table.
On the other hand, routing protocols consume bandwidth as routers exchange updates and CPU processes as routers calculate the best routes. In addition, a router that has been carelessly configured may send updates to unauthorized devices, creating a security vulnerability. However, a well-designed network eliminates many of these problems. Table 9-3 lists some advantages and disadvantages of RIP and OSPF. As you can see, each protocol provides different best uses.
RIP

RIP is a well-known and commonly used distance-vector routing protocol. RIP is simple to configure but can be slow to converge. Because route selection relies purely on hop count, RIP may not always generate the best routes. For example, WANs usually include links of varying bandwidth, so the lowest hop count is not always the fastest or best route.

RIP Overview

Read this section if you are interested in learning more about how RIP functions on the TMS zl Module.
■ A different neighbor advertises a route with a lower metric. The module changes the route to list this neighbor as the next-hop address and enters the new metric.
■ The module does not receive information about the route for the entire length of the invalid interval. The module marks the route for deletion.

RIP Updates, v1 and v2

RIP update packets contain different information, depending on whether the RIP version is 1 or 2.
When the module discovers a new or better route to a destination from a RIPv2 packet, it enters the route with the next-hop IP address specified in the packet. If the next-hop IP address field is all zeros, the module assumes that the source of the packet is the next-hop IP address. (This assumption provides some backward compatibility with RIPv1.) RIPv1 interfaces broadcast their routing updates to the entire subnet. RIPv2 routers join the group for the RIPv2 multicast address (224.0.0.
Authentication with MD5 is more secure than simple password authentication. Attackers can intercept a valid RIP packet and read the simple password. However, message digests are unique to each packet and impossible to generate without the secret key. Simple password authentication is most useful for ensuring routers do not send messages into networks in the wrong area. Just configure a different simple password for each interface.
Poison Reverse

The TMS zl Module supports poison reverse, in which, when the module receives a route to a network from a neighbor, it advertises a poison route (metric 16) to that network back to the neighbor. This feature is intended to prevent convergence problems by ensuring that routers do not advertise routes back to the routers from which they received them. Poison reverse is enabled by default, but you can disable it if you choose.
Figure 9-5. Network > Routing > RIP Window
2. Select the Enable RIP check box.
3. Leave the Poison Reverse check box selected or clear it based on whether you want the TMS zl Module to use poison reverse. Poison reverse is a feature that helps RIP routers to speed convergence. It specifies that when a router receives a route from a neighbor, it sends a “poison update” for that route (a route with a metric of 16, indicating unreachable) back to that neighbor.
– You must select this check box if you want the TMS zl Module to advertise routes to its TMS VLANs even if RIP is enabled on these VLANs.
Static – Select this check box to advertise routes that were manually added to the routing table.
OSPF – Select this check box if your system uses both OSPF and RIP, and you want the TMS zl Module to include routes discovered by OSPF in RIP updates.
5. Click Apply My Changes.
6. Click Enable RIP on an interface.
8. For Version, select the version used by other routers on this subnet. The TMS zl Module does not support RIP compatibility mode, so an interface listening for v2 updates will reject v1 updates. Therefore, you must select the version to match the version on the existing network or select both versions.
9. For Metric, type the metric added for routes advertised on this interface.
10.
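The following is an added example, not code from the HP guide: a model of the RIP behavior described in the RIP Overview and Poison Reverse sections (the RIPv2 next-hop field and its all-zeros rule, replacement by a neighbor advertising a lower metric, the invalid interval, and metric-16 poison updates). The invalid-interval value, the one-hop cost added on receipt, and the split-horizon fallback when poison reverse is off are assumptions; the addresses loosely follow Figure 9-7.

```python
"""Added example, not code from the HP guide: a model of the RIP route handling
this section describes. The interval value and the receive-side hop cost are
assumed; the guide does not state them."""
INFINITY = 16            # RIP metric meaning "unreachable"
INVALID_INTERVAL = 180   # seconds without an update before a route is marked for deletion (assumed)


class RipTable:
    def __init__(self, poison_reverse: bool = True):
        self.poison_reverse = poison_reverse
        self.routes = {}  # network -> {"next_hop", "metric", "learned_from", "updated", "deleting"}

    def add_connected(self, network: str) -> None:
        self.routes[network] = {"next_hop": None, "metric": 1, "learned_from": None,
                                "updated": None, "deleting": False}

    def receive_update(self, source_ip, entries, now, version=2):
        """Process one update from neighbour source_ip.

        entries: (network, next_hop_field, advertised_metric) tuples. For RIPv2 a
        next-hop field of 0.0.0.0 means "use the packet source" (the guide's
        backward-compatibility rule); RIPv1 packets carry no next-hop field.
        """
        for network, next_hop_field, adv in entries:
            next_hop = source_ip if version == 1 or next_hop_field == "0.0.0.0" else next_hop_field
            metric = min(adv + 1, INFINITY)  # cost of the incoming link (assumed one hop)
            cur = self.routes.get(network)
            if cur is not None and cur["learned_from"] is None:
                continue  # a connected route is never overridden by an advertisement
            if cur is None and metric >= INFINITY:
                continue  # never learn an unreachable route we did not already have
            if cur is None or cur["learned_from"] == source_ip or metric < cur["metric"]:
                # new destination, a refresh from the current neighbour, or a different
                # neighbour offering a lower metric: (re)install and restart the timer
                self.routes[network] = {"next_hop": next_hop, "metric": metric,
                                        "learned_from": source_ip, "updated": now,
                                        "deleting": metric >= INFINITY}

    def expire(self, now) -> list:
        """Mark for deletion every learned route silent for the invalid interval."""
        marked = []
        for network, r in self.routes.items():
            if (r["learned_from"] is not None and not r["deleting"]
                    and now - r["updated"] >= INVALID_INTERVAL):
                r["metric"], r["deleting"] = INFINITY, True
                marked.append(network)
        return marked

    def build_update(self, to_neighbor) -> list:
        """Entries advertised to to_neighbor. With poison reverse on, routes learned
        from that neighbour go back with metric 16; with it off this model simply
        omits them (plain split horizon, an assumption)."""
        out = []
        for network, r in sorted(self.routes.items()):
            if r["learned_from"] == to_neighbor:
                if self.poison_reverse:
                    out.append((network, INFINITY))  # poison route back to its source
                continue
            out.append((network, r["metric"]))
        return out


def module_b_scenario() -> RipTable:
    """Constructed walk-through for Module B of Figure 9-7: connected 10.1.2.0,
    10.1.3.0 and 10.1.5.0; updates arrive from A (10.1.2.1) and C (10.1.5.2)."""
    b = RipTable()
    for net in ("10.1.2.0/24", "10.1.3.0/24", "10.1.5.0/24"):
        b.add_connected(net)
    # t=0: A advertises its connected networks; t=100: C offers a poorer route to 10.1.1.0
    b.receive_update("10.1.2.1", [("10.1.1.0/24", "0.0.0.0", 1), ("10.1.4.0/24", "0.0.0.0", 1)], now=0)
    b.receive_update("10.1.5.2", [("10.1.6.0/24", "0.0.0.0", 1), ("10.1.1.0/24", "0.0.0.0", 5)], now=100)
    return b
```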
Figure 9-7. Example RIP Router Setup with TMS zl Modules
Below is a sample of the settings and routing tables on each module after all routes have been communicated.
TMS zl Module A Settings

This module must redistribute static and connected routes.

Table 9-6. Module A RIP Settings
Interface   IP         Passive   Metric
2           10.1.2.1   no        1

Table 9-7. Module A Routing Table
Destination    Gateway      Metric   VLAN     Type
0.0.0.0/0      172.16.1.2   0        vlan16   static
10.1.1.0/24    10.1.1.1     1        vlan1    connected
10.1.2.0/24    10.1.2.1     1        vlan2    connected
10.1.3.0/24    10.1.2.2     3        vlan2    rip
10.1.4.0/24    10.1.4.1     1        vlan4    connected
10.1.5.0/24    10.1.2.
TMS zl Module B Settings

This module must redistribute connected routes.

Table 9-8. Module B RIP Settings
VLAN   IP         Passive   Metric
2      10.1.2.1   no        1
5      10.1.5.1   no        1

Table 9-9. Module B Routing Table
Destination    Gateway    Metric   VLAN    Type
0.0.0.0/0      10.1.2.2   3        vlan2   rip
10.1.1.0/24    10.1.2.1   3        vlan2   rip
10.1.2.0/24    10.1.2.2   1        vlan2   connected
10.1.3.0/24    10.1.3.1   1        vlan3   connected
10.1.4.0/24    10.1.2.1   3        vlan2   rip
10.1.5.0/24    10.1.5.
Table 9-11. Module C Routing Table
Destination     Gateway    Metric   VLAN    Type
0.0.0.0/0       10.1.5.1   5        vlan5   rip
10.1.1.0/24     10.1.5.1   5        vlan5   rip
10.1.2.0/24     10.1.5.1   3        vlan5   rip
10.1.3.0/24     10.1.5.1   3        vlan5   rip
10.1.4.0/24     10.1.5.1   5        vlan5   rip
10.1.5.0/24     10.1.5.2   1        vlan5   connected
10.1.6.0/24     10.1.6.1   1        vlan6   connected
10.1.7.0/24     10.1.6.2   3        vlan6   rip
172.16.1.0/30   10.1.5.
Destination     Gateway    Metric   VLAN    Type
10.1.7.0/24     10.1.7.1   1        vlan7   connected
172.16.1.0/30   10.1.6.1   7        vlan6   rip

OSPF

OSPF is a sophisticated routing protocol designed for large networks. Read the section below if you are interested in learning more about OSPF and how it functions on the TMS zl Module. If you are interested only in configuring OSPF on the module, move directly to “Enable OSPF” on page 9-40.
Because OSPF routers send each other more messages than RIP routers send, OSPF can consume more bandwidth. However, OSPF minimizes the number of packets routers must send in several ways. In point-to-point networks, only neighboring routers fully exchange their databases. In multicast networks, only one router (the DR) floods LSAs. Also, OSPF interfaces only send updates on their own link states rather than sending all routes discovered by the protocol, as RIP interfaces do.
OSPF defines specific rules for synchronizing databases with a minimum of traffic between routers. Any two routers running OSPF on the same interface are neighbors that could potentially send each other LSAs. However, not all neighbors establish full adjacency—that is, exchange LSAs. OSPF institutes protocols by which all routers can synchronize their databases without all of them exchanging LSAs.
a non-local area network to the ABR that advertised the summary for that area. When this traffic arrives in Area 0, the ABRs route it toward the correct area. When the traffic arrives in the new area, internal routers use intra-area routing to direct it to its destination. Autonomous system border routers (ASBRs) support external traffic (in networks with one area or with multiple areas). An ASBR connects to an external network and runs both OSPF and the external network’s routing protocol.
Internal routers in a stub area are stub routers. At least one router in the area communicates with an ABR in Area 0. The network that the two routers have in common is defined as part of the stub area, making the Area 0 router part of both Area 0 and the stub area. This topology prevents routers from processing superfluous information. Routers in the stub area deal primarily with intra-area LSAs.
an ASBR. Typically, OSPF would not permit the external routes to be distributed into the stub area. However, internal routers in an NSSA can receive specially defined LSAs for external routes.

LSA Types

Routers within an area exchange LSAs Type 1 and 2 to synchronize their databases. Routers can also transmit LSAs Type 3, 4, and 5 between areas so that they can learn how to route inter-area traffic. Table 9-14 summarizes the different LSA types.
Table 9-14.
All routers generate Type 1 LSAs, which they use to advertise their own links.
Depending on the type of LSAs that the router receives, the database can also include:
■ Links to ranges of networks in other areas
■ Links to external networks
The router would use this information to generate inter-area and external routes. A router applies Dijkstra’s algorithm to its topological database to generate a routing tree with itself as the root. This action is also called performing the shortest path first (SPF) calculation.
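The following is an added example, not code from the HP guide: the SPF calculation just described, run over a link-state database built from constructed Type 1 (router) LSAs for the four modules of Figure 9-17, together with the area-ID notation conversion described later under the NSSA/stub area procedure. Apart from Module A’s router ID 9.9.9.9, the router IDs, interface addresses and link costs are assumptions; from Module B the result reproduces the 10.1.4.0/24 and 10.1.6.0/24 entries of Table 9-20.

```python
"""Added example, not code from the HP guide: Dijkstra SPF over a constructed
LSDB and the integer-to-dotted-decimal area ID display rule."""
import heapq
import itertools


def spf(lsdb: dict, root: str) -> dict:
    """Shortest-path tree rooted at `root`. lsdb maps router ID to its links:
    transit {"type": "transit", "neighbor", "via", "network", "cost"} or
    stub {"type": "stub", "network", "cost"}. Returns {router: (cost, next_hop_ip)}."""
    tree = {root: (0, None)}
    counter = itertools.count()           # tie-breaker so heap entries never compare hops
    heap = [(0, next(counter), root, None)]
    done = set()
    while heap:
        cost, _, rtr, hop = heapq.heappop(heap)
        if rtr in done:
            continue
        done.add(rtr)
        for link in lsdb.get(rtr, []):
            if link["type"] != "transit":
                continue
            nbr = link["neighbor"]
            # a link counts only if the neighbour's own LSA lists it back (two-way check)
            if not any(l["type"] == "transit" and l["neighbor"] == rtr for l in lsdb.get(nbr, [])):
                continue
            new_cost = cost + link["cost"]
            new_hop = link["via"] if rtr == root else hop   # first hop is fixed at the root
            if nbr not in tree or new_cost < tree[nbr][0]:
                tree[nbr] = (new_cost, new_hop)
                heapq.heappush(heap, (new_cost, next(counter), nbr, new_hop))
    return tree


def build_routes(lsdb: dict, root: str) -> dict:
    """Routing table from the SPF tree: each network costs its router's distance
    plus the link cost; the root's own links are 'connected'."""
    routes = {}
    for rtr, (rcost, hop) in spf(lsdb, root).items():
        for link in lsdb.get(rtr, []):
            cost = rcost + link["cost"]
            via = "connected" if rtr == root else hop
            if link["network"] not in routes or cost < routes[link["network"]][0]:
                routes[link["network"]] = (cost, via)
    return routes


def area_id_to_dotted(area) -> str:
    """Area IDs may be typed as an integer or dotted-decimal; the module displays
    dotted-decimal (1 -> 0.0.0.1, 256 -> 0.0.1.0)."""
    if isinstance(area, str) and area.count(".") == 3:
        return area
    n = int(area)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("area ID must fit in 32 bits")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def transit(neighbor, via, network, cost=1):
    return {"type": "transit", "neighbor": neighbor, "via": via, "network": network, "cost": cost}


def stub(network, cost=1):
    return {"type": "stub", "network": network, "cost": cost}


def sample_lsdb() -> dict:
    """Constructed LSDB: A-B over 10.1.2.0/24, B-C over 10.1.5.0/24, C-D over 10.1.6.0/24.
    `via` is the neighbour's address on the shared network; all costs are 1."""
    return {
        "9.9.9.9": [transit("B", "10.1.2.2", "10.1.2.0/24"), stub("10.1.1.0/24"), stub("10.1.4.0/24")],
        "B": [transit("9.9.9.9", "10.1.2.1", "10.1.2.0/24"), transit("C", "10.1.5.2", "10.1.5.0/24"),
              stub("10.1.3.0/24")],
        "C": [transit("B", "10.1.5.1", "10.1.5.0/24"), transit("D", "10.1.6.2", "10.1.6.0/24")],
        "D": [transit("C", "10.1.6.1", "10.1.6.0/24"), stub("10.1.7.0/24")],
    }
```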
Note When you change an interface’s hello interval, you must remember to change its peer interface’s dead interval accordingly. Otherwise, the peer may wrongly decide the interface is down. You can determine how many times longer the dead interval should be than the hello interval according to how reliable your network is.
With MD5 authentication, a router uses a secret key and the MD5 algorithm to generate a message digest for a packet. Routers that receive the packet recompute the message digest using the same key. If the recomputed message digest matches the one carried in the packet, the packet is authentic. Authentication with MD5 is more secure than simple password authentication. Attackers can intercept a valid OSPF packet and read the simple password.
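The following is an added example, not code from the HP guide, serving both the RIP and the OSPF authentication passages: keyed-MD5 digest generation and verification beside simple-password authentication. The digest scheme follows RFC 2328’s description (secret key padded to 16 bytes and appended to the packet before hashing) rather than anything the guide states about the module’s wire format; the packet contents, key and password are constructed.

```python
"""Added example, not code from the HP guide: how a per-packet MD5 message digest
is generated and checked with a shared secret, and why a simple password is
readable on the wire. Packet bytes, key and password are constructed."""
import hashlib
import hmac

KEY_LEN = 16     # RFC 2328 pads the secret key to 16 bytes before appending it
DIGEST_LEN = 16  # MD5 output size


def md5_digest(packet: bytes, key: bytes) -> bytes:
    """Message digest for one packet: MD5 over the packet followed by the padded key.
    Any change to the packet, or a different key, yields a different digest."""
    if not 1 <= len(key) <= KEY_LEN:
        raise ValueError("key must be 1..16 bytes")
    return hashlib.md5(packet + key.ljust(KEY_LEN, b"\x00")).digest()


def sign_md5(packet: bytes, key: bytes) -> bytes:
    """Sender: append the digest; the key itself never leaves the router."""
    return packet + md5_digest(packet, key)


def verify_md5(signed: bytes, key: bytes):
    """Receiver: recompute the digest with the same key and compare in constant time.
    Returns (is_authentic, packet_without_digest)."""
    if len(signed) <= DIGEST_LEN:
        return False, b""
    packet, digest = signed[:-DIGEST_LEN], signed[-DIGEST_LEN:]
    return hmac.compare_digest(digest, md5_digest(packet, key)), packet


def sign_simple(packet: bytes, password: bytes) -> bytes:
    """Simple password authentication: the password travels in clear text in an
    8-byte field (the field size used by both RIP-2 and OSPF headers)."""
    if not 1 <= len(password) <= 8:
        raise ValueError("simple password must be 1..8 bytes")
    return password.ljust(8, b"\x00") + packet


def verify_simple(packet: bytes, password: bytes):
    """Receiver: compare the clear-text field; returns (is_authentic, body)."""
    field, body = packet[:8], packet[8:]
    return hmac.compare_digest(field, password.ljust(8, b"\x00")), body
```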
One common topology for a network is a headquarters, defined as Area 0, that connects to stub areas at one or more remote sites. In this topology, the headquarters’ routers that connect to the remote sites are ABRs. The routers at the remote sites are internal routers. If a router connects to a public or other external network, such as an ISP, it is an ASBR. (See Figure 9-9.)
Figure 9-9.
Figure 9-10. OSPF Network with WAN as Area 0
If these routers are the only routers at the remote sites or if the remote sites are quite small, you could leave the network undivided. (A general rule is that an area should include fewer than 50 routers.) In this case, all networks would be defined as part of Area 0. (See Figure 9-11.)
Figure 9-11. OSPF Network with One Area
When you configure a router to run OSPF, you should also consider the type of network.
Routing OSPF Table 9-16.
■ Define NSSA, stub, and total stub areas

Enable OSPF

To enable OSPF, click Network > Routing and click the OSPF tab.
Figure 9-12. Networking > Routing > OSPF Window
1. Select the Enable OSPF check box.
2. Click Apply My Changes.

Set the Router ID

When OSPF routers exchange certain types of messages, they include their router ID. Routers piece messages together into a coherent network topology.
1. For Router Identifier, type the IP address that will uniquely identify the router.
2. Click Apply My Changes.
Note You will briefly lose your connection with the module if you change the Router ID while connecting to the module through an OSPF-learned route. Once the module’s new router ID is propagated through the network, you will be able to reconnect.

Set RFC 1583 Compatibility

With RFC 1583, some configurations cause a problem with routing loops.
Redistribute Routes Discovered by Other Methods

Many networks use more than one routing protocol. Routing protocols discover routes in different ways. They provide overlapping, but not identical, services. For example, OSPF is an interior gateway protocol that cannot discover external routes. You can run two protocols on your TMS zl Module and redistribute routes from one protocol into the others. You can also redistribute directly connected routes and static routes.
Redistributing RIP Routes.
Enable OSPF on an Interface

You must enable OSPF on each TMS VLAN or GRE tunnel that you want to participate in sending and receiving OSPF messages. When you enable OSPF on a TMS zl Module interface, you will also define the interface’s area and other settings. You can place more than one interface in the same OSPF area, and you can configure multiple OSPF areas. To enable OSPF on an interface and add it to an area, complete the following steps:
1.
Figure 9-14. Enable OSPF on an Interface Window
3. For Interface, select an interface from the list. The interfaces listed are TMS VLANs and GRE tunnels (on which OSPF has not already been enabled). To learn how to create TMS VLANs, see “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.” To learn how to create GRE tunnel interfaces, see “Configure a GRE Tunnel” in Chapter 7: “Virtual Private Networks.”
4. For Area ID, type the area to which you want to assign the interface.
Note When you change an interface’s hello interval, you must remember to change its peer interface’s dead interval accordingly. Otherwise, the peer may wrongly decide the interface is down. You can determine how many times longer the dead interval should be than the hello interval according to how reliable your network is.
To configure an NSSA or stub area, complete the following:
1. Select Network > Routing and click the OSPF tab.
Figure 9-15. Network > Routing > OSPF Window
2. Click Add NSSA or Stub Area.
Figure 9-16.
3. For Area ID, type an identification number for the area. For Area ID, you can use integer or dotted-decimal (x.x.x.x) notation. On the OSPF routing window, the area ID will always be displayed in dotted-decimal notation. For example, 0.0.0.1 will be displayed if you type 1 as the area ID and 0.0.1.0 will be displayed if you type 256 as the area ID.
4. From the Area Type list, select the type of area you want to configure: NSSA or STUB.
5.
To edit an existing OSPF firewall access policy, complete the following:
1. Click one of the following:
• Firewall > Access Policies > Unicast
• Firewall > Access Policies and click the Multicast tab.
2. Find the OSPF policy that you want to edit and click the Edit icon.
3. Edit the fields that you want to change.
4. Click Apply, then click Close.
You can also add another OSPF firewall access policy. For example, if you wanted to deny unicast LSAs from network 10.18.154.
11. In the Position field, specify the priority of this access policy. Be sure that you set the position of this policy above the position of the policy that allows all Zone1-to-Internal zone OSPF traffic.
12. Click Apply. Then you can optionally click the Advanced tab to further narrow the policy. For more information about the Advanced tab, see “Create Firewall Access Policies” in Chapter 4: “Firewall.”
13. Click Close.
Below is a sample of the settings and routing tables of the modules after all routes have been communicated.

TMS zl Module A Settings

OSPF Settings
■ Router ID — 9.9.9.9
■ Administrative Distance — 110
■ Default Metric — 10
■ Redistribute — Static and connected routes

Table 9-17. Module A VLAN and Area Settings
VLAN   IP         Area ID   Cost
2      10.1.2.1   0.0.0.1   1

Table 9-18. Module A Routing Table
Destination   Gateway      Metric   VLAN     Type
0.0.0.0/0     172.16.1.2   0        vlan16   static
10.1.1.
Table 9-19. Module B VLAN and Area Settings
VLAN   IP         Area ID   Cost
2      10.1.2.2   0.0.0.1   1
5      10.1.5.1   0.0.0.0   1

Table 9-20. Module B Routing Table
Destination   Gateway    Metric   VLAN    Type
0.0.0.0/0     10.1.2.1   1        vlan2   ospf
10.1.1.0/24   10.1.2.1   1        vlan2   ospf
10.1.2.0/24   10.1.2.2   1        vlan2   connected
10.1.3.0/24   10.1.3.1   1        vlan3   connected
10.1.4.0/24   10.1.2.1   2        vlan2   ospf
10.1.5.0/24   10.1.5.1   1        vlan5   connected
10.1.6.0/24   10.1.5.2   2        vlan5   ospf
10.1.7.0/24   10.
Table 9-22. Module C Stub Area Settings
ID        Area Type   Metric   Metric Type
0.0.0.2   STUB        1

Table 9-23. Module C Routing Table
Destination   Gateway    Metric   VLAN    Type
0.0.0.0/0     10.1.5.1   2        vlan5   ospf
10.1.1.0/0    10.1.5.1   2        vlan5   ospf
10.1.2.0/24   10.1.5.1   2        vlan5   ospf
10.1.3.0/24   10.1.5.1   1        vlan5   ospf
10.1.4.0/24   10.1.5.1   2        vlan5   ospf
10.1.5.0/24   10.1.5.2   1        vlan5   connected
10.1.6.0/24   10.1.6.1   1        vlan6   connected
10.1.7.0/24   10.1.6.2   2        vlan6   ospf
172.16.
Table 9-25. Module D Stub Area Settings
ID        Area Type   Metric   Metric Type
0.0.0.2   STUB        1

Table 9-26. Module D Routing Table
Destination   Gateway    Metric   VLAN    Type
0.0.0.0/0     10.1.6.1   2        vlan6   ospf
10.1.2.0/24   10.1.6.1   3        vlan6   ospf
10.1.5.0/24   10.1.6.1   2        vlan6   ospf
10.1.6.0/24   10.1.6.1   1        vlan6   connected
10.1.7.0/24   10.1.7.
Figure 9-19. Network > Routing > View Routes Window
The columns are as follows:
■ Destination Address — The route’s destination, either a host or a network; the default gateway shows 0.0.0.0/0.
■ Gateway Address — The address of the gateway for that destination.
■ Metric — The route’s metric; the default gateway is always 0.
■ Interface — The route’s VLAN or GRE tunnel.
Multicast

Many emerging applications rely on delivering the same information to many hosts. LAN TV, video conferencing, collaborative computing, and desktop conferencing all involve transmitting a great deal of information from a source, or many sources, to many hosts. Email systems can more efficiently deliver mail to multiple servers simultaneously rather than one by one.
It is not hard to imagine the challenges broadcast messages pose for packet containment. A malfunctioning or misconfigured device can congest an entire network. Even properly functioning devices must flood all hosts with unnecessary information just to send a message to the hosts that do need it. IP multicasting addresses these problems by allowing a host to send a message to a select group.
Figure 9-21.
Endpoints can join and leave a group. They can belong to more than one group at once, and groups can contain any number of endpoints at any location in the network.

IGMP

IGMP is the protocol that allows endpoints to join and leave multicast groups. The TMS zl Module uses IGMP to determine which multicast groups have members in which interfaces so that it can properly forward multicast messages.
Figure 9-23. Multicasting with IGMP
You should enable IGMP on each interface (TMS VLAN or GRE tunnel) that includes endpoints that might need to join a multicast group.

Multicast Routing Protocol, PIM-SM

PIM-SM is a multicast routing protocol that enables the TMS zl Module to route multicast traffic that arrives on one interface (TMS VLAN or GRE tunnel) out other interfaces. PIM-SM creates a tree for each multicast group. The tree includes a rendezvous point (RP).
Configuring Multicast Routing

To configure the TMS zl Module to receive multicasts, you complete these steps:
1. Enable IP multicast routing.
2. Configure IP multicast routing on each interface that uses multicast traffic.
By default, multicast routing is disabled. To enable it, complete the following steps:
1. Click Network > Routing and click the Multicast tab.
Figure 9-24. Network > Routing > Multicast Window
2.
Figure 9-25. Enable Multicast on Interface Window
5. For Interface, select an interface from the list. The interfaces listed are TMS VLANs and GRE tunnels (on which multicast routing has not already been enabled). To learn how to create TMS VLANs, see “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.” To learn how to create GRE tunnel interfaces, see “Configure a GRE Tunnel” in Chapter 7: “Virtual Private Networks.”
6. For IGMP Enabled, select yes or no.
2. Select Multicast from the Show routes list.
Figure 9-27. Network > Routing > View Routes Window (Multicast Routes)
As you can see, multicast routes differ from unicast routes. Traffic destined to a multicast address is usually destined to many different devices, so the TMS zl Module may need to copy a multicast packet and forward it on several interfaces. Therefore, instead of a gateway address, the route lists interfaces.
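The following is an added example, not code from the HP guide: a model of how IGMP membership reports received on interfaces with IGMP enabled become the interface list that a multicast route shows instead of a gateway, including membership ageing and copying a packet to every member interface except the one it arrived on. The interface names, groups and the 260-second membership timeout (IGMPv2’s group membership interval) are constructed or assumed.

```python
"""Added example, not code from the HP guide: IGMP membership per interface
turned into the interface list of a multicast route. Names and the timeout
are constructed/assumed."""
import ipaddress

MEMBERSHIP_TIMEOUT = 260  # seconds a report keeps an interface in a group (assumed IGMPv2 value)


class MulticastForwarder:
    def __init__(self, igmp_interfaces):
        self.igmp_interfaces = set(igmp_interfaces)  # TMS VLANs / GRE tunnels with IGMP enabled
        self.members = {}  # group -> {interface: expiry time}

    @staticmethod
    def _check_group(group: str) -> str:
        if not ipaddress.ip_address(group).is_multicast:
            raise ValueError(f"{group} is not a multicast (224.0.0.0/4) address")
        return group

    def igmp_report(self, interface: str, group: str, now: float) -> bool:
        """A membership report from an endpoint on `interface`. Reports arriving on
        an interface where IGMP is not enabled are ignored (returns False)."""
        if interface not in self.igmp_interfaces:
            return False
        self.members.setdefault(self._check_group(group), {})[interface] = now + MEMBERSHIP_TIMEOUT
        return True

    def igmp_leave(self, interface: str, group: str) -> None:
        self.members.get(group, {}).pop(interface, None)

    def expire(self, now: float) -> None:
        """Drop interfaces whose last report has aged out, and empty groups."""
        for group in list(self.members):
            self.members[group] = {i: t for i, t in self.members[group].items() if t > now}
            if not self.members[group]:
                del self.members[group]

    def route(self, group: str) -> list:
        """The multicast 'route': a list of interfaces rather than a gateway address."""
        return sorted(self.members.get(group, {}))

    def forward(self, incoming: str, group: str, now: float) -> list:
        """Interfaces a packet for `group` arriving on `incoming` is copied to;
        it is never sent back out the interface it came in on."""
        self.expire(now)
        return [i for i in self.route(group) if i != incoming]

    def groups_for(self, interface: str) -> list:
        """Groups with members on one interface (an endpoint may belong to several)."""
        return sorted(g for g, ifs in self.members.items() if interface in ifs)
```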
10 Troubleshooting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Basic Troubleshooting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 nslookup . . . . . . . . .
Troubleshooting Contents Strategy for Resolving Firewall Problems . . . . . . . . . . . . . . . . . 10-38 Troubleshooting Specific Problems Related to the Firewall . . 10-47 Troubleshooting NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-49 Troubleshooting Port Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-50 Troubleshooting IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-50 Ensure That IPS Is Enabled Globally . . . . . . .
Overview

This appendix provides some guidance for troubleshooting the HP ProCurve Threat Management Services (TMS) zl Module.
ping

The ping command is perhaps the most commonly used troubleshooting tool. You can use it to verify that traffic from one endpoint can reach another endpoint. Remember that when the TMS zl Module is operating in routing mode, you must perform an additional step to use the ping utility. You must create an access policy that permits ICMP echo packets (pings) from one endpoint (the source) to another (the destination).
From the TMS zl Module’s CLI, enter the following command from either the manager-level context or the global configuration context:
Syntax: ping < IP address | hostname >
Replace IP address with the IP address of the ping destination. Replace hostname with the host name of the ping destination.
The module displays the number of pings sent and the number of responses received. For example, to ping a device with the IP address of 192.168.1.
You can set extended options for tracing a route by typing additional keywords after the IP address. You can specify any combination of the extended options shown in Table 10-1, and you can enter the options in any order.
Table 10-1.
For example, if you want to know the IP address for router5, enter:
hostswitch(tms-module-C)# nslookup router5
show commands
The TMS zl Module provides a number of helpful show commands, some of which are listed in Figure 10-2. (For more information about any of these commands, see Appendix A, “Command-Line Reference.”)
Table 10-2.
Command                  Syntax                   Description
show snmp                show snmpv2 server       Displays the Simple Network Management Protocol (SNMP) v2 server settings that are configured on the module.
                         show snmpv3 server       Displays the SNMP v3 server settings that are configured on the module.
show system-information  show system-information  Displays all globally configured and operational system parameters.
Figure 10-3. Output for the show system-information Command
Table 10-3 lists some useful show commands for the TMS zl Module when it is operating in routing mode. (For a complete list of show commands, see Appendix A, “Command-Line Reference.”)
Table 10-3.
Command: show ip ospf
Syntax:
• show ip ospf general
• show ip ospf area
• show ip ospf area-link-state
• show ip ospf external-link-state [router-id ]
• show ip ospf interface [ | vlan ]
• show ip ospf neighbor
• show ip ospf data grace-link-state
• show ip ospf redistribute
• show ip ospf restri
Description: Displays information about OSPF on the network:
• General information
• Areas
• Area link-states
• External link-states
If you want to capture packets on a VLAN, include the vlan option and specify a VLAN ID. If you want to capture packets on a GRE tunnel, include the gre option and specify the tunnel name. If you want to capture packets for a high-availability (HA) interface, include the ha option. If you want to capture all packets, include the any option. You can set extended options for capturing on an interface by typing additional keywords after the network interface.
For example, you might enter:
hostswitch(tms-module-C)# capture terminal vlan 1 ip udp
You would then see output similar to the following:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:24:10.280038 IP 192.168.115.61.51936 > 192.168.115.255.51936: UDP, length 38
20:24:12.280098 IP 192.168.115.61.51936 > 192.168.115.255.51936: UDP, length 38
20:24:14.
Figure 10-4. Using a Protocol Analyzer to View Output from the TMS zl Module’s capture Command
If you are troubleshooting a virtual private network (VPN), on the other hand, you can install a protocol analyzer on the client and then view the packets that are being sent from the client. You can then determine if the client is sending the correct packet types.
Troubleshooting Problems with the Installation and Boot Process
This section describes how to:
■ Monitor the front-panel LEDs to ensure that the TMS zl Module boots and functions properly
■ View or monitor the TMS zl Module’s status from the CLI
■ Resolve specific issues related to the installation and boot process
Monitor the Front-Panel LEDs
After you install the TMS zl Module, you should monitor the front-panel LEDs to
■ Ensure that you installed the TMS zl Module according to the installation guidelines. You can install the TMS zl Module in an HP ProCurve 5400zl or 8200zl Switch Series. Depending on whether you install the module in a right slot or a left slot, you must ensure that the switch chassis does not exceed the following temperatures:
• Any module in a right slot—The chassis temperature must not exceed 40° C (104° F).
■ If the TMS zl Module is not listed, check the switch software version. If the show services command does not list all the TMS zl Modules that are installed in the switch, ensure that you are running a version of switch software that supports the TMS zl Module (K.13.55 or above).
You will continue to see updated output for the show services command. The following shows an example of the output you might see. The Current status information will vary, depending on the progress of the boot process.
Status and Counters - Services Module E Status
HP Services zl Module J9154A
Versions : A.01.
Resolve Specific Issues Related to the Installation and Boot Process
This section lists issues that you may encounter when installing or booting a TMS zl Module and provides a possible solution.
■ Problem updating the Services OS.
• Install the product license key on the TMS zl Module. For routing mode, see “Install the Product License Key” in Chapter 2: “Initial Setup in Routing Mode.” For monitor mode, see “Install the Product License Key” in Chapter 3: “Initial Setup in Monitor Mode.”
Troubleshooting the TMS zl Module in Routing Mode
This section explains how to troubleshoot the TMS zl Module when it is operating in routing mode.
Management Interface Issues
If you cannot access the TMS zl Module through a Secure Shell (SSH), Telnet, or HTTPS connection, use the suggestions outlined in this section to isolate the problem and fix it.
■ Ensure that you are using HTTPS, rather than HTTP. If you try to access the TMS zl Module’s Web browser interface through HTTP, you will not be successful. By default, the TMS zl Module supports only HTTPS.
e. Verify that your management station’s VLAN has been configured correctly. In particular, make sure the VLAN has the right IP address and is assigned to the right zone:
hostswitch(tms-module-C)# show vlan
Specify the VLAN on which you are attempting to access the TMS zl Module. You will see output similar to the following:
Internet (IP) Service
IP routing: enabled
Default gateway: 10.1.32.
■ Ensure that your management workstation is in a management-access zone. If the management workstation is not in a management-access zone, you must either enable management access on its zone or create an access policy to enable SSH, Telnet, or HTTPS access. Because you cannot access the Web browser interface, you must enable management access or create these policies from the TMS zl Module’s CLI.
If IPS is blocking your management station’s traffic, you can disable IPS for the access policy that permits management access. To view the access policies between the management station’s zone and self, enter:
hostswitch(tms-module-C)# show access-policy filter self
Enter the management station’s zone, such as internal, as the zone to filter on.
Move to the module’s global configuration mode and remove this policy, using the following command:
hostswitch(tms-module-C:config)# no access-policy self
Enter the number listed at the beginning of the access policy as the policy to remove. For the example below, you would type 7.
■ Check the network infrastructure. If all the settings on the TMS zl Module seem to be correct, you should check the network to ensure that traffic from the workstation can reach the TMS zl Module. To check connectivity, you can ping the module from the management workstation.
If you are using Internet Explorer, complete the following steps:
a. Click Tools > Internet Options > Privacy.
b. Click Sites.
c. Type the module’s interface address and click Allow.
d. Click OK to close each window.
■ You receive an Invalid Login! error message. If you receive an Invalid Login! error, check the following:
• Ensure that the username and password are entered correctly.
■ Clicking Help does not have any effect. If you cannot access the TMS zl Module’s online help, disable pop-up blockers in your Web browser.
Using Log Messages
The main tool you will use to resolve problems is the TMS zl Module’s log messages.
Enabling Logging for an Access Policy
When the TMS zl Module is operating in routing mode, you must enable logging on the access policies that you want to monitor.
Figure 10-5. Edit Policy Window
5. Click OK. The TMS zl Module will then begin to log messages related to this access policy.
Changing the Log Level
After you enable logging, you should lower the logging level to Information so that the TMS zl Module will log all events. Complete the following steps:
1. Click System > Logging.
2. Click Settings.
3. Under Log Severity, select the most basic message level—Information.
Figure 10-6. System > Logging > Settings Window
4. You may also want to disable throttling, so that you can see all messages.
5. Click Apply My Changes.
Checking the Time Settings
The TMS zl Module synchronizes its time from the host switch. You should ensure that the host switch has the correct time so that the module also has the correct time. The time stamps on your log messages will then be accurate.
Figure 10-7. System > Logging > View Log Window
3. Use filters to display only the log messages that are helpful to you. For example, you can use the Keyword field to perform specialized searches. You may want to use the following fields in your keyword searches.
Note
If you have used a named object in an access policy, the log will show the name of the object instead of the values that the object contains.
■ id=[log family] The log messages are divided into families and subfamilies. See Appendix C, “Log Messages” for a list of log family names.
■ mid=[integer] The message ID can help you find specific messages. Message IDs are unique within their log family, so you will need to search for both the log family (id=[log family]) and the message ID.
Interpreting Log Messages
As you view log messages, you must learn to identify which ones are related to the firewall and which are related to IPS. Log messages related to the firewall begin with fw, such as fw_access_control or fw_l2l3_attack. For example, Figure 10-7 on page 10-30 shows log messages that include fw_l2l3_attack. Log messages related to IPS begin with ips, such as ips_attack_family or ips_protocol_anomaly_family.
Email. If you configure email logging, but there are still no logs reaching the mail server, check the following.
1. Verify the email logging settings by completing one of the following:
• From the Web browser interface, click System > Logging > Email Forwarding.
• From the CLI, enter:
hostswitch(tms-module-C)# show logging email
2.
2. Ensure that the appropriate access policy is added to allow the TMS zl Module to send SNMP traps. The access policy should allow SNMP traffic between the Self zone and the zone that contains the SNMP trap receiver.
• From the Web browser interface, click Firewall > Access Policies > Unicast.
• From the CLI, enter:
hostswitch(tms-module-C)# show access-policy
All of your access policies will be listed.
Workstations Cannot Receive an IP Address
If workstations cannot receive a dynamic IP address, you must check two different settings. First, check the DHCP relay settings: make sure that DHCP is enabled on the VLAN and that the DHCP server settings are correct. Second, check the access policies to ensure that DHCP traffic is allowed from each workstation’s zone to the DHCP server.
Troubleshooting the Firewall
When you are configuring and troubleshooting the firewall, you should review how the firewall operates. With these guidelines in mind, you can then apply the strategy outlined in this section to isolate your problem and fix it.
Reviewing How the Firewall Operates
Keep in mind the following general principles for the TMS zl Module’s firewall:
■ All traffic is denied by default.
A Regular Access Policy Has a Higher Priority Than a User-Based Access Policy. A normal access policy (which applies to any user group) has a higher priority than a user-based access policy. This means that the TMS zl Module will process the normal access policy first.
Some Traffic Must Be Transmitted to the Self Zone.
Strategy for Resolving Firewall Problems
The advantage of using access policies is that you can tailor them to your company’s unique environment. Access policies can be as complex or as simple as your company needs. Once your access policies are in place, you must ensure that you have configured them correctly so that traffic is being handled appropriately.
Define the Problem. When you define the problem, you should determine exactly what traffic is being handled incorrectly. List the source and destination addresses, the VLANs, the zones, and the type of traffic (both protocol and port). Then, list the exact problem, as you understand it at this point. As you begin to troubleshoot, you will gather additional information about the problem—clarifying it even further—until you find a solution.
Check the logs and answer the following questions:
■ Does the traffic match an access policy?
■ If the traffic matches an access policy, does it match the intended access policy?
■ If the traffic matches the intended access policy, does it reach its destination?
The answers to these questions will help you narrow the cause of the problem so you can implement a solution.
■ Create a temporary access policy to allow ICMP echo messages (pings) from the endpoint. Because the TMS zl Module firewall denies all traffic that is not explicitly permitted, it can be difficult to distinguish between misconfigured access policies and other Layer 3 problems such as missing routes. Therefore, you might want to open the firewall temporarily to eliminate misconfigured access policies from the equation.
Log Message Shows That Traffic Did Not Match Any Access Policy. Filter the TMS zl Module’s log by the source IP address (or named object) of the device that is sending the traffic. If you see the following text in a log message, the firewall does not have an access policy that permits the traffic. In this case, the firewall drops the traffic:
id=fw_access_control ruleid=0 msg=”FW: no access policy found, packets dropped.
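As an added example (not code from the HP guide), the following Python script parses log lines in the key=value form shown in this chapter, separates firewall (fw) families from IPS (ips) families, searches by log family plus message ID as the Using Log Messages section describes, and lists the sources whose traffic matched no access policy. The log lines are constructed; the src= field name is an assumption.

```python
"""Filter TMS zl Module-style log messages (added example, not HP's code).

The lines in SAMPLE_LOG are constructed to follow the key=value form shown
in this chapter (id=, mid=, ruleid=, msg=); the src= field is an assumed name.
"""
import shlex

# Constructed sample log. The "no access policy found" text is the message
# quoted in this chapter; the other msg texts are made up for illustration.
SAMPLE_LOG = """\
id=fw_access_control mid=12 ruleid=7 src=10.1.32.50 msg="FW: access policy 7 permitted the packet."
id=fw_access_control mid=3 ruleid=0 src=10.1.32.77 msg="FW: no access policy found, packets dropped."
id=fw_l2l3_attack mid=3 src=10.1.32.90 msg="FW: layer 2/3 attack detected."
id=ips_attack_family mid=3 src=10.1.32.90 msg="IPS: signature matched."
id=ips_protocol_anomaly_family mid=21 src=10.1.32.91 msg="IPS: protocol anomaly."
id=fw_access_control mid=3 ruleid=0 src=10.1.32.77 msg="FW: no access policy found, packets dropped."
"""


def parse_log_line(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def parse_log(text):
    """Parse every non-empty line of a log dump."""
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def component(record):
    """Firewall messages begin with fw, IPS messages with ips."""
    log_id = record.get("id", "")
    if log_id.startswith("fw"):
        return "firewall"
    if log_id.startswith("ips"):
        return "ips"
    return "other"


def find_messages(records, log_family, mid=None):
    """Search by log family and, optionally, message ID.

    Message IDs are unique only within a family, so mid is never matched
    without log_family (the same mid=3 appears in three families above).
    """
    hits = []
    for record in records:
        if record.get("id") != log_family:
            continue
        if mid is not None and record.get("mid") != str(mid):
            continue
        hits.append(record)
    return hits


def dropped_without_policy(records):
    """Sources whose traffic matched no access policy (ruleid=0 plus the
    'no access policy found' text) and was therefore dropped by the firewall."""
    return sorted({
        record.get("src", "?")
        for record in records
        if record.get("id") == "fw_access_control"
        and record.get("ruleid") == "0"
        and record.get("msg", "").startswith("FW: no access policy found")
    })


def summarize(records):
    """Count messages per component: the first thing to check when deciding
    whether the firewall or the IPS is involved in a problem."""
    counts = {"firewall": 0, "ips": 0, "other": 0}
    for record in records:
        counts[component(record)] += 1
    return counts


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(summarize(records))
    print(dropped_without_policy(records))
```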
■ Check to see if the intended access policy or one above it contains a domain name that cannot be resolved. If the traffic does not match an access policy and the access policy seems to be correct, check to see if this policy or one that is processed before this policy contains a domain name.
c. Ensure proper connectivity between the TMS zl Module and the DNS server by completing one of the following:
– In the Web browser interface, click System > Utilities > Ping and enter the DNS server’s IP address for the Hostname/IP Address.
– At the CLI, enter:
hostswitch(tms-module-C)# ping
d.
■ If user authentication is enabled, ensure that it is set up correctly, and the user authenticates successfully. Finally, you may want to see if user authentication is enabled. If it is, make sure it is set up correctly. For example, you must set up the appropriate access policies and ensure that the user authenticated successfully.
that ALGs offer. For example, if an upper-layer protocol carries IP addresses within its data segment, an ALG knows where the IP address is held and can handle the traffic appropriately even when NAT is applied. Port triggers, on the other hand, check only the IP header.
■ Ensure that the traffic is not being blocked by the IPS. When traffic flows through the TMS zl Module, the firewall passes permitted packets to the IPS.
■ Check NAT to ensure that it is configured correctly. See “Troubleshooting NAT” on page 10-49.
■ Troubleshoot VPN settings if applicable. See “Troubleshooting VPNs” on page 10-55.
stealth mode. If an access policy denies a connection, the TMS zl Module denies the connection request by dropping the packet without sending such a message.
You Receive Multiple “IPROUTE: packet spoof detected” Log Messages. This log message is generated by the TMS zl Module’s internal packet spoof detection. It is generated when a packet arrives whose source IP address cannot be reached through any of the TMS routes.
• Source: Host that is running the application
• Destination: Any
• Service: Any
2. Enable logging on this access policy.
3. Lower the logging level to information and check the log for messages related to the host.
4. Create or modify the permanent access policy based on the connectivity information provided by the logs.
The following are commonly asked questions about the TMS zl Module’s NAT functionality:
■ How does multicast NAT work on the TMS zl Module? The TMS zl Module does not support NAT with multicast traffic. When you configure a NAT policy, the TMS zl Module will not apply that policy to any multicast traffic.
Figure 10-9. Intrusion Prevention > Settings > Actions Window
4. If necessary, click Apply My Changes.
You can also check the IPS setting from the CLI. Enter:
hostswitch(tms-module-C)# show ips
You will see output similar to the following. (The output of some commands will use IPDS, which refers to the IPS.)
IPDS: Enabled
Last Signature Status: Error occurred during last update.
Note the problem indicated: the TMS zl Module was not able to resolve the domain name and download updated signatures. If you see this error, you should check your DNS settings and make sure your access policies allow DNS traffic. If you are using a proxy server, make sure your access policies allow traffic to this server.
Enable IPS on an Access Policy
By default, IPS is enabled for access policies.
Signature Is Triggered Too Frequently
If an IPS signature is triggered, you should always investigate and find out if network security is being threatened. This is especially true if the IPS signature is triggered excessively. When an IPS signature is triggered frequently by the same device, you may sometimes find that a particular system behaves in a way that seems suspicious or mirrors the behavior of a known security problem.
3. Locate the signature in the list and clear the Enable option.
4. Click Save.
You can also disable a signature from the CLI.
Troubleshooting VPNs
The following sections help you to troubleshoot a VPN connection. The first section, “VPN Troubleshooting Tools” on page 10-55, provides you with some basic troubleshooting tools.
Use the CLI capture Command to Troubleshoot the VPN.
Note
If the packet trace does not give enough detailed information, you can try setting the VPN key exchange mode to aggressive (in both the module’s and the client’s IKE policy). Aggressive mode transmits more data in plain text than main mode does. This can make it easier to identify mismatches in the configuration.
For example, if the remote clients connect through the Internet, you should assign the switch port to the VLAN on which the TMS zl Module connects to the Internet router.
3. Assign the endpoint an IP address in the subnet associated with this VLAN and configure the TMS zl Module as its default gateway.
4. On the test client, configure the same VPN settings that are used by your remote users.
5. Attempt to initiate a VPN connection.
■ No IKE SA or IPsec tunnel
If you do not see either an IKE SA or an IPsec tunnel for the connection, then IKE is not initiating or is failing to complete. If this is the case, begin by troubleshooting IKE. (See “Troubleshoot IKE for a Client-to-Site IPsec Connection” on page 10-59.)
■ IKE SA but no IPsec tunnel
If you see an IKE SA, click the Check status link. If the status indicates “SA_Mature,” the IKE SA is fully established.
Table 10-7. IKE capture Messages
Example capture messages: No messages
Problem: The module is not receiving or not accepting the remote client’s IKE messages.
Begin troubleshooting at: Step 1 on page 10-60

Example capture messages:
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf
IP tms1.isakmp > tms2.
Problem: The module and the remote client’s IKE security settings do not match.
Begin troubleshooting at: Step 7 on page 10-63
Access policies
External to Self
Permit isakmp Any 172.16.1.254
Permit ipsec-nat-t-udp Any 172.16.1.254
Self to External
Permit isakmp 172.16.1.254 Any
Permit ipsec-nat-t-udp 172.16.1.
Note
When you create new access policies, enable logging on them for the purposes of troubleshooting. Your access policies might specify particular IP addresses for remote endpoints. If so, create temporary access policies that permit IKE and NAT-T traffic to and from any IP address. Assign these access policies the top priority. If the IKE SA is established, your original access policies are misconfigured.
7. Check IKE settings on the TMS zl Module against settings on the remote clients. To establish an IKE SA, the TMS zl Module and the remote clients must agree on a number of settings. Table 10-8 displays those settings and how they should match up between the module and the remote device. Most settings must match exactly.
If you make any corrections to the IKE policy, try to send VPN traffic from the test device. Then re-evaluate. If you must continue troubleshooting, leave any changes to the IKE policy that you are confident are corrections. However, if you experiment with a change and the experiment does not solve the problem, you should revert to your original settings.
8. In the previous step, you checked the general IKE policy.
b. If the IKE SA comes up, you know that certificates were causing the problem. Look for these common errors:
– Certificates are not properly loaded on the TMS zl Module. The module requires a certificate authority (CA) certificate and an IPsec certificate. If you cannot load the module’s IPsec certificate, verify that you have already loaded the CA certificate for the CA that issued the module’s certificate.
Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN. This section includes tips for troubleshooting IPsec settings. It is best practice to clear the IKE SA and attempt to establish the VPN connection from the test client after making each change. Then re-evaluate the connection:
■ If the traffic can reach its destination, you can stop troubleshooting.
If you do not want to enter the capture command and view the output, try these tips in this order. (Use the Web browser interface to check these settings.)
1. Check the IPsec traffic selector, which is configured in the IPsec policy: The protocol, local addresses, and local ports (if configured) must match exactly the protocol, addresses, and ports configured for the remote network on the remote client.
device. Note that some settings are configured in the IPsec proposal and some are configured in the IPsec policy. The table also indicates where the setting is configured.
Table 10-10.
■ Protocol = Any (or the same protocol in the traffic selector)
■ Source addresses = IKE mode config addresses
■ Source port = Any (or the remote port in the traffic selector)
■ Destination addresses = Local address in the traffic selector
■ Destination port = Any (or the local port in the traffic selector)
If you can do so securely, try configuring this policy and determining whether your traffic can reach its destination.
Check the module’s routes and verify that it has a route to the remote clients (which may not be directly connected to a TMS VLAN as the test client is).
■ The firewall access policies do not permit NAT-T traffic. A device between the TMS zl Module and the remote clients may perform NAT on the clients’ traffic, which can interfere with the VPN.
This window displays IKE SAs and IPsec VPN tunnels. The IKE SA is a temporary tunnel that must be established before the IPsec tunnel can be established. The IPsec tunnel is the connection over which users send encrypted traffic. Depending on what you see in the VPN > IPsec > VPN connections window, you can plan which part of the VPN connection you need to troubleshoot.
■ If you can successfully send traffic over the connection, you can stop troubleshooting.
■ If the VPN connection on the client comes up but traffic cannot reach its destination, continue with “Troubleshoot Access Policies for a Client-to-Site L2TP over IPsec VPN” on page 10-81.
• IKE
• NAT-T (in case an intervening NAT device translates the clients’ or the module’s IP address)
• L2TP traffic
Note
These policies must be configured for the None user group.
Access policies
External to Self
Permit isakmp Any 172.16.1.254
Permit ipsec-nat-t Any 172.16.1.254
Permit l2tp-udp Any 172.16.1.
TMS zl Module receives traffic from the remote endpoints. If the remote endpoints are in multiple zones, you must create access policies to and from each zone. If you are missing any of these access policies, add them now. You might also try configuring access policies that permit this traffic to and from each zone and the Self zone (in case you have mistaken the remote clients’ zone).
Note
Check all network objects used in IPsec policies and verify that they are up-to-date and accurate.
4. Check the local gateway address in the IKE policy. Verify that this address is the module IP address that the clients contact.
5. Check the IKE policy on the TMS zl Module and verify that it uses Main for the key exchange mode.
6.
Table 10-13. IKE Security Settings Proposed by Windows XP Clients
Proposal  Encryption Algorithm  Authentication Algorithm  Diffie-Hellman Group  SA Lifetime in Seconds
1         3DES                  SHA-1                     2                     28800
2         3DES                  MD5                       2                     28800
3         DES                   SHA-1                     1                     28800
4         DES                   MD5                       1                     28800
Common errors include:
• The local or remote ID has been miskeyed, or the remote device uses a different ID type.
8. If the IKE policy specifies DSA Signature or RSA Signature for the Authentication mode, you should troubleshoot certificates:
a. If possible, configure both ends of the VPN connection to use preshared keys instead of certificates and configure the same key on both devices. If the IKE SA still does not come up, change the authentication mode back to its original setting. The problem may be on the other side of the connection.
b.
Troubleshoot IPsec Settings for a Client-to-Site L2TP over IPsec VPN. This section includes tips for troubleshooting IPsec settings. It is best practice to clear the IKE SA and attempt to re-establish the VPN connection after making each change. Then re-evaluate the connection:
■ If the traffic can reach its destination, you can stop troubleshooting.
Table 10-14. IPsec Security Settings Proposed by Windows XP Clients
Proposal  Protocol  Encryption Algorithm  Authentication Algorithm
1         ESP       3DES                  SHA-1
2         ESP       3DES                  MD5
3         ESP       DES                   SHA-1
4         ESP       DES                   MD5
In the module’s IPsec policy, disable Perfect Forward Secrecy (PFS) and set the lifetime to the default settings.
Troubleshoot L2TP Local User Settings.
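As an added example (not HP’s code), the following Python script works through the matching that step 7 and Tables 10-13 and 10-14 describe: it takes the module’s IKE or IPsec proposals, walks the Windows XP client’s proposals in order, reports the first one the module would accept, and lists the fields that differ when none is accepted. The proposal tables are copied from this chapter; the module-side policies are constructed, and every column is assumed to require an exact match.

```python
"""Check IKE and IPsec policies against the proposals a Windows XP client sends.

Added example, not HP's code. XP_IKE_PROPOSALS and XP_IPSEC_PROPOSALS are
copied from Tables 10-13 and 10-14; the MODULE_* policies are constructed, and
every field is assumed to require an exact match (the conservative reading of
"most settings must match exactly").
"""

# Table 10-13: IKE settings proposed by Windows XP clients, in proposal order.
XP_IKE_PROPOSALS = [
    {"encryption": "3DES", "authentication": "SHA-1", "dh_group": 2, "lifetime": 28800},
    {"encryption": "3DES", "authentication": "MD5", "dh_group": 2, "lifetime": 28800},
    {"encryption": "DES", "authentication": "SHA-1", "dh_group": 1, "lifetime": 28800},
    {"encryption": "DES", "authentication": "MD5", "dh_group": 1, "lifetime": 28800},
]

# Table 10-14: IPsec settings proposed by Windows XP clients, in proposal order.
XP_IPSEC_PROPOSALS = [
    {"protocol": "ESP", "encryption": "3DES", "authentication": "SHA-1"},
    {"protocol": "ESP", "encryption": "3DES", "authentication": "MD5"},
    {"protocol": "ESP", "encryption": "DES", "authentication": "SHA-1"},
    {"protocol": "ESP", "encryption": "DES", "authentication": "MD5"},
]


def negotiate(module_proposals, client_proposals):
    """Return (client proposal number, matching module proposal) for the first
    client proposal that some module proposal matches field for field, or
    None when the two sides cannot agree on an SA."""
    for number, client in enumerate(client_proposals, start=1):
        for module in module_proposals:
            if all(module.get(field) == value for field, value in client.items()):
                return number, module
    return None


def mismatch_report(module_proposal, client_proposals):
    """For one module proposal, list per client proposal the fields that differ
    as {field: (module value, client value)}; an empty dict means a match."""
    report = []
    for number, client in enumerate(client_proposals, start=1):
        diffs = {
            field: (module_proposal.get(field), value)
            for field, value in client.items()
            if module_proposal.get(field) != value
        }
        report.append((number, diffs))
    return report


# Constructed module IKE policy: agrees with XP proposal 1 except for the SA
# lifetime, which is the kind of single-field mismatch step 7 asks you to find.
MODULE_IKE_WRONG = {"encryption": "3DES", "authentication": "SHA-1",
                    "dh_group": 2, "lifetime": 86400}
MODULE_IKE_FIXED = dict(MODULE_IKE_WRONG, lifetime=28800)

# Constructed module IPsec proposals; every XP proposal in Table 10-14 is ESP,
# so an AH-only proposal can never be selected.
MODULE_IPSEC_AH = {"protocol": "AH", "encryption": "3DES", "authentication": "SHA-1"}
MODULE_IPSEC_ESP = {"protocol": "ESP", "encryption": "3DES", "authentication": "MD5"}

if __name__ == "__main__":
    print("IKE, wrong lifetime:", negotiate([MODULE_IKE_WRONG], XP_IKE_PROPOSALS))
    for number, diffs in mismatch_report(MODULE_IKE_WRONG, XP_IKE_PROPOSALS):
        print(f"  XP IKE proposal {number}: {diffs or 'match'}")
    print("IKE, corrected:", negotiate([MODULE_IKE_FIXED], XP_IKE_PROPOSALS))
    print("IPsec:", negotiate([MODULE_IPSEC_AH, MODULE_IPSEC_ESP], XP_IPSEC_PROPOSALS))
```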
h. Click the Security tab.
Figure 10-15. Windows XP—Properties Window > Security Tab
i. Select Advanced (custom settings) and click Settings.
Figure 10-16. Windows XP—Advanced Security Settings
j. For Data encryption, ensure that Require encryption (disconnect if server declines) is selected.
k. Select Allow these protocols.
l. Select the check box for the authentication protocol that is configured on the module. Clear all other check boxes.
lated and encrypted. It processes incoming VPN traffic after it has been decapsulated and decrypted. In other words, the access policies must permit the inner IP traffic that is sent over the VPN. These access policies should be configured for the user group that you assigned to the users’ dial-in policies.
Note
The TMS zl Module automatically accepts IPsec traffic for which it is the gateway.
Troubleshoot a Site-to-Site IPsec VPN
This section outlines a process for troubleshooting a failed site-to-site IPsec VPN.
Set up a Test Device
As you troubleshoot the VPN, you must periodically attempt to establish the VPN to determine whether you have fixed the problem. To test the site-to-site connection, you must attempt to send allowed traffic over the VPN from a local endpoint to a remote endpoint.
Figure 10-17. View VPN Connections
This window displays IKE SAs and IPsec VPN tunnels. The IKE SA is a temporary tunnel that must be established before the IPsec tunnel can be established. The IPsec tunnel is the connection over which users send encrypted traffic. Depending on what you see in the VPN > IPsec > VPN connections window, you can plan which part of the VPN connection you need to troubleshoot.
■ IKE SA but no IPsec tunnel
If you see an IKE SA, click the Check status link. If the status indicates “SA_Mature,” the IKE SA is fully established. However, the IPsec tunnel has not come up; the connection has failed partway through the process. In this case, begin by troubleshooting IPsec settings. (See “Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN” on page 10-66.)
Table 10-15. IKE capture Messages
Example capture Messages | Problem | Begin Troubleshooting At:
No messages | IKE is not initiating. | Step 1 on page 10-86
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1. | The module and the remote gateway’s IKE security settings do not match. | Step 7 on page 10-91
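The rows of Table 10-15 can be applied mechanically to a capture. The following is an added example, not code from the TMS zl Module or this guide: it parses ISAKMP lines in the tcpdump-style layout the table shows and reports which table row they match. The sample capture lines are constructed from the table; the hostname tms1 is assumed to be the local module.

```python
"""Classify ISAKMP lines from a capture against Table 10-15.

Added example (not TMS zl Module code). The line format is the tcpdump-style
output shown in the table; the sample lines below are constructed from it.
"""
import re

ISAKMP_LINE = re.compile(
    r"^IP (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: isakmp: "
    r"phase (?P<phase>\S+) (?P<role>[IR]) (?P<exch>\w+)")


def parse_capture(lines):
    """Return one dict per ISAKMP line; lines of other traffic are ignored."""
    out = []
    for line in lines:
        m = ISAKMP_LINE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def classify_ike(lines, local="tms1"):
    """Map the capture to a Table 10-15 row: (problem, where to begin)."""
    msgs = parse_capture(lines)
    if not msgs:
        return ("IKE is not initiating", "step 1 on page 10-86")
    sent_ident = [m for m in msgs
                  if m["src"] == local and m["phase"] == "1"
                  and m["role"] == "I" and m["exch"] == "ident"]
    replies = [m for m in msgs
               if m["dst"] == local and m["phase"] == "1" and m["role"] == "R"]
    # Phase 1 proposals answered only by informational (inf) messages: the peer
    # is rejecting the IKE security settings instead of continuing the exchange.
    if sent_ident and replies and all(r["exch"] == "inf" for r in replies):
        return ("the module and the remote gateway's IKE security settings do not match",
                "step 7 on page 10-91")
    return ("no Table 10-15 pattern matched",
            "compare the capture with the remaining table rows")


# Constructed sample in the format of Table 10-15.
MISMATCH_CAPTURE = [
    "IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident",
    "IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf",
    "IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident",
    "IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf",
]

if __name__ == "__main__":
    print(classify_ike([]))
    print(classify_ike(MISMATCH_CAPTURE))
```

Non-ISAKMP lines in the capture are ignored, so the function can be fed the raw output of a capture that was not filtered to UDP 500.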
Access policies
External to Self: Permit isakmp 172.16.24.253 172.16.1.254; Permit ipsec-nat-t-udp 172.16.24.253 172.16.1.254
Self to External: Permit isakmp 172.16.1.254 172.16.24.253; Permit ipsec-nat-t-udp 172.16.1.254 172.16.24.
2. Check NAT policies and look for interference. The module applies NAT before it selects traffic for the VPN. Therefore, it might translate the source address of traffic that should be sent over the VPN to an address that is not specified in the IPsec traffic selector, preventing the connection from initiating. If you have implemented NAT on the TMS zl Module, you should make sure that NAT does not interfere with the VPN:
a.
c. When you see such a policy, you must create a higher-priority NAT exclusion policy. This policy should specify exactly the same traffic that is configured in the IPsec policy traffic selector, and its setting for Translate should be None. To configure a policy to correct the problem in this example, complete these steps:
i. In the Firewall > NAT > NAT Policies window, click Add Policy.
ii. For Translate, select None.
iii.
3. Check routes in the Network > Routing > Static Routes window and verify that the correct routes are in place. In a site-to-site VPN, the TMS zl Module must have a route to:
• The endpoints behind the remote gateway
• The remote gateway
If the module uses a default route to reach the remote gateway, that route suffices for the remote endpoints as well.
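Steps 1 to 3 above are three ordered checks on the module's configuration: the access policies that permit the gateway-to-gateway control traffic, the NAT policies that are applied before the traffic selector is consulted, and the routes to the remote gateway and remote endpoints. The following added example (not code from the TMS zl Module or this guide) expresses those checks over a small configuration model. The data classes, field names, sample NAT rule and sample routes are constructed; the gateway addresses and networks are taken from the access-policy tables in this section.

```python
"""Pre-flight checks for a site-to-site IPsec VPN on a policy-based gateway.

Added example (not code from the TMS zl Module or its documentation). It
models steps 1-3 above: access policies for the gateway-to-gateway control
traffic, NAT policies that rewrite traffic before the IPsec traffic selector
sees it, and routes to the remote gateway and the remote endpoints. The
data classes, field names and sample values are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class AccessPolicy:
    src_zone: str
    dst_zone: str
    action: str    # "permit" or "deny"
    service: str   # e.g. "isakmp", "ipsec-nat-t-udp", "gre", "any"
    src: str       # address, network or "any"
    dst: str


@dataclass(frozen=True)
class NatPolicy:
    src: str        # network the policy matches, or "any"
    dst: str
    translate: str  # "source", "destination" or "none" (an exclusion policy)


def _covers(rule: str, target: str) -> bool:
    """True if rule ('any', a host address or a network) contains target."""
    if rule == "any":
        return True
    return ip_network(target, strict=False).subnet_of(ip_network(rule, strict=False))


def check_access_policies(policies, local_gw, remote_gw,
                          services=("isakmp", "ipsec-nat-t-udp")):
    """Step 1: the first matching policy per zone pair must permit each service
    in both directions (External to Self and Self to External)."""
    findings = []
    for src_zone, dst_zone, src, dst in (("external", "self", remote_gw, local_gw),
                                         ("self", "external", local_gw, remote_gw)):
        for svc in services:
            match = next((p for p in policies
                          if p.src_zone == src_zone and p.dst_zone == dst_zone
                          and p.service in (svc, "any")
                          and _covers(p.src, src) and _covers(p.dst, dst)), None)
            if match is None or match.action != "permit":
                findings.append(f"{src_zone}->{dst_zone}: no permit for {svc} {src} -> {dst}")
    return findings


def check_nat(nat_policies, local_net, remote_net):
    """Step 2: NAT runs before VPN selection, so the first NAT policy that covers
    the traffic selector must be an exclusion (Translate = None)."""
    for pol in nat_policies:  # listed in priority order; first match wins
        if _covers(pol.src, local_net) and _covers(pol.dst, remote_net):
            if pol.translate == "none":
                return []
            return [f"NAT policy {pol.src}->{pol.dst} translates the {pol.translate} "
                    f"address before VPN selection; add a higher-priority exclusion "
                    f"for {local_net}->{remote_net} with Translate = None"]
    return []


def check_routes(routes, remote_gw, remote_net):
    """Step 3: a route to the remote gateway and to the remote endpoints;
    a default route (0.0.0.0/0) satisfies both."""
    return [f"no route to {label} {target}"
            for label, target in (("remote gateway", remote_gw), ("remote endpoints", remote_net))
            if not any(_covers(prefix, target) for prefix, _next_hop in routes)]


def preflight(access_policies, nat_policies, routes,
              local_gw, remote_gw, local_net, remote_net):
    """All findings for the VPN; an empty list means the three checks passed."""
    return (check_access_policies(access_policies, local_gw, remote_gw)
            + check_nat(nat_policies, local_net, remote_net)
            + check_routes(routes, remote_gw, remote_net))


# Constructed sample: the gateway addresses from the access-policy table above,
# a source-NAT rule that hides 10.1.0.0/16 behind the external address, and no default route.
LOCAL_GW, REMOTE_GW = "172.16.1.254", "172.16.24.253"
LOCAL_NET, REMOTE_NET = "10.1.0.0/16", "10.2.0.0/16"
BROKEN_ACCESS = [
    AccessPolicy("external", "self", "permit", "isakmp", REMOTE_GW, LOCAL_GW),
    AccessPolicy("external", "self", "permit", "ipsec-nat-t-udp", REMOTE_GW, LOCAL_GW),
    AccessPolicy("self", "external", "permit", "isakmp", LOCAL_GW, REMOTE_GW),
]
BROKEN_NAT = [NatPolicy(LOCAL_NET, "any", "source")]
BROKEN_ROUTES = [("172.16.1.0/24", "direct"), (LOCAL_NET, "direct")]

FIXED_ACCESS = BROKEN_ACCESS + [
    AccessPolicy("self", "external", "permit", "ipsec-nat-t-udp", LOCAL_GW, REMOTE_GW)]
FIXED_NAT = [NatPolicy(LOCAL_NET, REMOTE_NET, "none")] + BROKEN_NAT
FIXED_ROUTES = BROKEN_ROUTES + [("0.0.0.0/0", "172.16.1.1")]


def demo(fixed: bool):
    """Findings for the constructed broken or corrected configuration."""
    cfg = (FIXED_ACCESS, FIXED_NAT, FIXED_ROUTES) if fixed else (BROKEN_ACCESS, BROKEN_NAT, BROKEN_ROUTES)
    return preflight(*cfg, LOCAL_GW, REMOTE_GW, LOCAL_NET, REMOTE_NET)


if __name__ == "__main__":
    for finding in demo(fixed=False):
        print(finding)
    print("after fixes:", demo(fixed=True) or "no findings")
```

The NAT check reproduces the ordering rule from step 2: the exclusion policy only helps if it is matched before the translating policy, which is why FIXED_NAT places it first.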
5. Check the local gateway address in the IKE policy. Verify that this address is the module IP address that the remote gateway contacts.
6. Check the IKE policies on the TMS zl Module and the remote gateway (if possible). Ensure that both specify the same key exchange mode (main or aggressive).
7. Check IKE settings on the TMS zl Module against settings on the remote gateway.
• The security settings (encryption algorithm, authentication algorithm, Diffie-Hellman group, and SA lifetime) do not match exactly. If you are troubleshooting a VPN between TMS zl Modules, set the security parameters to their default settings. If this change allows the connection to come up, you can try changing the settings on both sides of the connection to the settings that you want to use.
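Two rules in this chapter are worth seeing as code: the IKE (phase 1) settings must match the remote gateway exactly, as step 7 says, while IPsec (phase 2) succeeds as long as the two sides have at least one proposal in common, which is why Table 10-14 lists the four proposals a Windows XP client offers. The following added example (not code from the TMS zl Module or this guide) compares IKE settings field by field and selects an IPsec proposal the way a responder does, then runs the Windows XP checks from the client-to-site section (common proposal, PFS disabled, default lifetime). The class and field names are constructed for this example.

```python
"""Compare IKE (phase 1) settings and negotiate IPsec (phase 2) proposals.

Added example (not TMS zl Module code). It models two rules from this chapter:
the IKE security settings must match the remote gateway exactly, and, for the
Windows XP client-to-site case, the module's IPsec policy must offer one of
the four proposals in Table 10-14 with PFS disabled and the default lifetime.
Class and field names are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IkeSettings:
    exchange_mode: str   # "main" or "aggressive"
    encryption: str      # e.g. "3des", "aes128"
    authentication: str  # hash algorithm, e.g. "sha1", "md5"
    dh_group: int        # Diffie-Hellman group number
    lifetime_s: int      # IKE SA lifetime in seconds


IKE_FIELDS = ("exchange_mode", "encryption", "authentication", "dh_group", "lifetime_s")


def ike_mismatches(local: IkeSettings, remote: IkeSettings) -> List[str]:
    """Fields that differ between the two gateways; phase 1 needs an empty list."""
    return [f for f in IKE_FIELDS if getattr(local, f) != getattr(remote, f)]


@dataclass(frozen=True)
class IpsecProposal:
    protocol: str        # "esp" or "ah"
    encryption: str
    authentication: str


# Table 10-14: what a Windows XP client proposes, in the order it proposes it.
WINDOWS_XP_PROPOSALS = (
    IpsecProposal("esp", "3des", "sha1"),
    IpsecProposal("esp", "3des", "md5"),
    IpsecProposal("esp", "des", "sha1"),
    IpsecProposal("esp", "des", "md5"),
)


def select_ipsec_proposal(client_offers: Iterable[IpsecProposal],
                          responder_accepts: Iterable[IpsecProposal]) -> Optional[IpsecProposal]:
    """Responder-side phase 2 choice: the first proposal in the initiator's list
    that the responder also accepts. None means no IPsec SA can be built."""
    accepted = set(responder_accepts)
    return next((p for p in client_offers if p in accepted), None)


def xp_client_findings(module_proposals: List[IpsecProposal],
                       pfs_enabled: bool, lifetime_is_default: bool) -> List[str]:
    """Checks for a Windows XP client against the module's IPsec policy."""
    findings = []
    if select_ipsec_proposal(WINDOWS_XP_PROPOSALS, module_proposals) is None:
        findings.append("no IPsec proposal in common with the Windows XP client (Table 10-14)")
    if pfs_enabled:
        findings.append("PFS is enabled in the module's IPsec policy; disable it")
    if not lifetime_is_default:
        findings.append("IPsec lifetime is not at its default setting")
    return findings


if __name__ == "__main__":
    local = IkeSettings("main", "3des", "sha1", 2, 28800)
    remote = IkeSettings("aggressive", "3des", "sha1", 2, 3600)
    print("IKE mismatches:", ike_mismatches(local, remote))
    aes_only = [IpsecProposal("esp", "aes128", "sha1")]
    print("XP findings:", xp_client_findings(aes_only, pfs_enabled=True, lifetime_is_default=True))
```

Note that the chosen proposal follows the initiator's preference order, not the responder's: a module that accepts DES/MD5 and 3DES/SHA-1 will end up with 3DES/SHA-1 for a Windows XP client because that is the client's first offer.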
If the TMS zl Module was acting as an XAUTH client, look for these problems:
– A misconfigured password
– A mismatch between the authentication protocol and the protocol on the remote gateway
– Problems with the remote gateway’s local database or RADIUS server
c. After you make a configuration change, re-enable XAUTH in the IKE policy and on the remote gateway.
d.
c. After you have found and corrected the error, change the IKE policy Authentication mode setting back to its original setting.
d. Clear the IPsec tunnel and IKE SA and try to establish the VPN.
e. Check the status of the VPN connection and determine your next step.
10. At this point, at least the IKE SA should be up. If you were using XAUTH and have disabled it, re-enable this setting now.
Note
The connection will fail for several reasons:
• The local addresses on the local module do not match the remote addresses on the remote module, and vice versa. The modules do not consider the addresses to match even though the Any setting includes the necessary addresses within it.
• The Local port setting on the local module does not match the Remote port setting on the remote gateway.
device. Note that some settings are configured in the IPsec proposal and some are configured in the IPsec policy. The table also indicates where the setting is configured.
Table 10-17.
If you can do so securely, try configuring these most basic policies and see if the traffic can reach its destination. Remember to enable logging on the policies in question so that you can see when traffic matches a policy. It is possible that the module is permitting the traffic but another security device is dropping it. Once you get traffic flowing across the tunnel, you can experiment with more restrictive policies.
Attempt to send traffic to a remote endpoint from the local test device:
■ If the traffic cannot reach its destination, you must troubleshoot the GRE tunnel (see “Troubleshoot the GRE Tunnel” on page 10-98).
■ If the traffic can reach its destination, the GRE tunnel is functioning correctly. Re-enable the IPsec policy. You must troubleshoot IKE and IPsec.
Access policies
External to Self: Permit gre 172.16.24.1 172.16.1.254
Internal to Zone 1: Permit any 10.1.0.0/16 10.2.0.0/16
Self to External: Permit gre 172.16.1.254 172.16.24.1
Zone1 to Internal: Permit any 10.2.0.0/16 10.1.0.
2. Check routes in the Network > Routing > Static Routes window and verify that these routes exist:
• A route to the remote gateway. The TMS zl Module requires this route to set up the GRE tunnel.
• A route through the GRE tunnel to the remote network
Troubleshooting Routing
When the TMS zl Module is operating in routing mode, routing is always enabled.
OSPF
When you enable OSPF, the TMS zl Module uses version 2. Again, your access policies must allow the appropriate multicast and unicast traffic for OSPF.
Resolve Common Issues with an HA Cluster
The following suggestions explain how to resolve common problems with setting up an HA cluster. If the specific problem you are experiencing is not listed in this section, see “Use the capture Command to Resolve Issues with an HA Cluster” on page 10-104.
■ After you configure a TMS zl Module and then set up an HA cluster, the configuration on the master was lost.
If the modules in the cluster are in different switches, you should also ensure that the HA VLAN and all TMS VLANs are configured on both switches.
Figure 10-24. Sample HA Configuration
■ The master is down, but a failover does not occur. Check the following:
• Ensure that the ports that connect the host switches are tagged members of the HA VLAN.
■ The logs show numerous broadcast messages on VLAN 1, but you have not configured VLAN 1 as a TMS VLAN.
HA cluster members communicate on the HA VLAN, which is configured on each member’s internal port 2, and by default, the HA VLAN is VLAN 1. The TMS zl Module receives broadcast traffic on the HA VLAN whether or not you configure HA.
Table 10-18.
Troubleshooting
Troubleshooting the TMS zl Module in Monitor Mode
This section provides some guidelines for troubleshooting the TMS zl Module when it operates in monitor mode.
You should also configure a default gateway:
hostswitch(tms-module-C:config)# ip route 0.0.0.0/0
■ The module’s management port is a tagged member of the management VLAN.
When the TMS zl Module operates in monitor mode, its internal data 1 port is used to receive mirrored traffic. Its internal data 2 port is the management port. When you configure a management VLAN, port 2 is automatically tagged on that VLAN.
If you are using Internet Explorer, complete the following steps:
a. Click Tools > Internet Options > Privacy.
b. Click Sites.
c. Type the module’s interface address and click Allow.
d. Click OK to close each window.
■ You receive an Invalid Login! error message.
If you receive an Invalid Login! error, check the following:
• Ensure that the username and password are entered correctly.
■ Clicking Help does not have any effect.
If you cannot access the TMS zl Module’s online help, disable pop-up blockers in your Web browser.
Using Log Messages to Troubleshoot Problems
The main tool you will use to resolve problems is the TMS zl Module’s log messages.
Checking the Time
The TMS zl Module synchronizes its time from the host switch. You should ensure that the switch has the correct time so that the module also has the correct time. The time stamps on your log messages will then be accurate.
Viewing Log Messages
To use the log messages to monitor the TMS zl Module, complete the following steps.
1. Click System > Logging.
2. Click View Log.
3.
■ fw=[hostname]
If you are reading logs that have been collected from several network devices (such as with SNMP traps or a syslog server), replace [hostname] with the name of a module to select only the messages that the module generated.
■ username=[manager | operator | userid]
Search for the username to see when someone logged on to the module with that name or role.
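When the logs of several modules land on one syslog server, the fw= and username= fields above are what make a search selective. The following is an added example, not code from the TMS zl Module or this guide: it parses key=value fields out of log lines, filters on any combination of fields, and counts failed logins per source address for one module. The sample lines are constructed in an assumed syslog-style layout; only the fw=, username= and msg= field names come from the text above.

```python
"""Filter module log messages by the fw= and username= fields named above.

Added example (not TMS zl Module code). The sample lines are constructed in
an assumed syslog-style layout (timestamp, relay host, then key=value pairs);
only the fw=, username= and msg= keys are taken from the text above.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 10:15:02 tms1 fw=tms1 pri=5 msg="login succeeded" username=manager src=10.1.1.20
Mar  3 10:15:40 tms2 fw=tms2 pri=5 msg="login failed" username=operator src=10.1.1.31
Mar  3 10:16:11 tms1 fw=tms1 pri=4 msg="policy match" policy=17 action=permit src=10.1.2.5 dst=10.2.0.9
Mar  3 10:17:02 tms1 fw=tms1 pri=5 msg="login failed" username=manager src=10.9.9.9
Mar  3 10:17:05 tms1 fw=tms1 pri=5 msg="login failed" username=manager src=10.9.9.9
""".splitlines()

# key=value, where a value may be a double-quoted string containing spaces
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Key=value fields of one log line as a dict (quotes stripped)."""
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def search(lines, **criteria):
    """Lines whose fields equal every criterion,
    e.g. search(lines, fw="tms1", username="manager")."""
    out = []
    for line in lines:
        fields = parse_line(line)
        if all(fields.get(k) == v for k, v in criteria.items()):
            out.append(line)
    return out


def failed_logins_by_source(lines, fw):
    """Login failures per source address for one module; a burst from one
    address is worth checking even when every attempt used a valid username."""
    counts = Counter()
    for line in search(lines, fw=fw, msg="login failed"):
        counts[parse_line(line).get("src", "?")] += 1
    return counts


if __name__ == "__main__":
    for line in search(SAMPLE_LOG, username="manager"):
        print(line)
    print(failed_logins_by_source(SAMPLE_LOG, "tms1"))
```

Because the filter matches on parsed fields rather than substrings, a search for username=manager does not also pick up a message that merely mentions the word manager in its text.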
SNMP. If you configure an SNMP trap destination but no logs reach the SNMP trap receiver, verify the settings by completing one of the following:
■ From the Web browser interface, click System > Logging > SNMP Traps.
want to disable that signature. The first option is generally preferred so that the TMS zl Module can continue to protect your network from the attack that is detected by that particular signature. To disable a signature, complete the following steps:
1. Click Intrusion Detection > Signatures.
2. Click View.
Figure 10-26. Intrusion Detection > Signatures > View Window
3. Locate the signature in the list and clear the Enable option.
4.
A Command-Line Reference
Contents
Overview ... A-10
Command Syntax Statements ... A-11
CLI Help ... A-12
List Available Commands ... A-12
List Options for a Command
Services OS Show Commands ... A-23
show assigned-mac-address ... A-23
show chassis ... A-23
show images ... A-24
show ip
snapshot ... A-41
traceroute ... A-41
write ... A-42
Global Configuration Context ... A-43
aaa
high-availability ... A-70
high-availability active-standby ... A-71
high-availability multicast-ip ... A-71
high-availability ip ... A-72
high-availability synchronize
logging snmpv3 ... A-88
logging syslog ... A-88
logging threshold ... A-90
logout ... A-91
management
vlan ... A-112
vlan ... A-112
vlan ip address ... A-112
vlan ip igmp ... A-113
vlan ip pim-sparse
preview ... A-136
proposal ... A-136
traffic-selector ... A-136
IPsec Auto Keys Context ... A-138
IPsec Manual Keys Context
area ... A-174
area nssa ... A-174
area stub ... A-175
area virtual-link ... A-175
no area
show ip-mtu ... A-191
show ip-reassembly ... A-192
show ips ... A-192
show ipsec ... A-192
show l2tp
Command-Line Reference
Overview
This chapter describes the commands provided by the command line interface (CLI). The TMS zl Module CLI is context-based; different commands are available from different contexts. When you are managing the TMS zl Module and you try to use a command that is not supported from the current context, you will receive an error message. The following sections introduce groups of commands that are available from various CLI contexts.
Figure A-1. CLI Context Command Groups
Command Syntax Statements
Syntax: copy [event-log | startup-config | snapshot | pcap] [tftp | scp]
Vertical bars ( | ) separate alternative, mutually exclusive elements. Square brackets ( [ ] ) indicate optional elements.
Braces ( < > ) enclose required elements. Vertical bars or braces within square brackets ( [ < > ] ) indicate a required element within an optional choice. Vertical bars or braces within braces ( < < > > ) indicate a required element within a required choice. All italics indicate variables for which you must supply a value when executing the command. For example, in the command above, you must provide the destination server location and the destination filename.
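The notation just described is a small grammar, and a command line can be checked against it mechanically. The following added example (not part of the TMS zl Module or its CLI) parses a syntax statement written with [ ] optional groups, < > required groups, | alternatives and nesting, and tests whether a typed command fits it. Because the italics that mark variables do not survive in plain text, the example assumes variables are written as $name; that convention, and the $server and $filename placeholders appended to the copy statement, are assumptions of this example.

```python
"""Match a typed command against a syntax statement written in the conventions above.

Added example (not part of the TMS zl Module or its CLI). The matcher follows
the notation just described: [ ] optional, < > required, | alternatives, with
nesting allowed. Because the italics that mark variables are lost in plain
text, this example assumes variables are written as $name; that convention,
and the $server/$filename placeholders, are assumptions of this example.
"""
import re

_TOKEN = re.compile(r"\[|\]|<|>|\||[^\s\[\]<>|]+")


def _parse_alts(tokens, i, closer):
    """Parse 'seq | seq | ...' up to closer; returns (list of sequences, next index)."""
    alts, seq = [], []
    while True:
        if i >= len(tokens):
            raise ValueError(f"missing '{closer}' in syntax statement")
        t = tokens[i]
        if t == closer:
            alts.append(seq)
            return alts, i + 1
        if t == "|":
            alts.append(seq)
            seq, i = [], i + 1
            continue
        elem, i = _parse_elem(tokens, i)
        seq.append(elem)


def _parse_elem(tokens, i):
    t = tokens[i]
    if t == "[":
        alts, j = _parse_alts(tokens, i + 1, "]")
        return ("opt", alts), j
    if t == "<":
        alts, j = _parse_alts(tokens, i + 1, ">")
        return ("req", alts), j
    if t in ("]", ">", "|"):
        raise ValueError(f"unexpected '{t}' in syntax statement")
    if t.startswith("$"):             # variable: matches any single token
        return ("var", t[1:]), i + 1
    return ("word", t), i + 1          # literal keyword


def parse_syntax(statement):
    """Syntax statement -> list of elements (word / var / opt / req)."""
    tokens = _TOKEN.findall(statement)
    seq, i = [], 0
    while i < len(tokens):
        elem, i = _parse_elem(tokens, i)
        seq.append(elem)
    return seq


def _match_seq(seq, toks, i):
    """Set of token positions reachable after matching seq starting at i."""
    positions = {i}
    for elem in seq:
        positions = set().union(*(_match_elem(elem, toks, p) for p in positions))
        if not positions:
            break
    return positions


def _match_elem(elem, toks, i):
    kind, payload = elem
    if kind == "word":
        return {i + 1} if i < len(toks) and toks[i] == payload else set()
    if kind == "var":
        return {i + 1} if i < len(toks) else set()
    reachable = {i} if kind == "opt" else set()   # optional groups may be skipped
    for alt in payload:
        reachable |= _match_seq(alt, toks, i)
    return reachable


def matches(statement, command):
    """True if the whole command line is accepted by the syntax statement."""
    toks = command.split()
    return len(toks) in _match_seq(parse_syntax(statement), toks, 0)


# The copy statement from above, with assumed $server and $filename variables.
COPY_SYNTAX = "copy [event-log | startup-config | snapshot | pcap] [tftp | scp] $server $filename"
CAPTURE_SYNTAX = "capture < file | terminal > [vlan $id | gre $name | ha | any]"

if __name__ == "__main__":
    for cmd in ("copy event-log tftp 10.1.1.5 log.txt", "copy event-log ftp 10.1.1.5 log.txt",
                "capture terminal vlan 100", "capture any"):
        syntax = COPY_SYNTAX if cmd.startswith("copy") else CAPTURE_SYNTAX
        print(f"{cmd!r}: {matches(syntax, cmd)}")
```

The matcher keeps a set of reachable positions rather than a single one, so an optional group that could either be skipped or consume tokens does not need backtracking; both paths are carried forward and the command is accepted if any path ends exactly at the last token.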
List Options for a Command
You can also use the ? to view the options for a particular command. For example, you might enter:
ProCurve(tms-module-)# capture ?
Command Completion
You can also use the Tab key to quickly complete the current word in a command. To do so, type one or more consecutive characters in a command and then press [Tab] (with no spaces allowed).
Command-Line Reference
Services OS Operator Context Commands
The Services OS operator context allows restricted access to some troubleshooting commands on the Services OS of the module. To access this context, enter the following command from the host switch’s operator-level context:
Syntax: services < | name >
Moves you to an OS context on the module.
Figure A-2. Services OS Operator Context
The following sections describe commands that are available from the operator context of the Services OS.
exit
To leave a specific interface or configuration context, enter exit. The exit command moves you back one mode level. For example, if you were in the HA configuration context and entered exit, you would return to the global configuration context.
Note
This command is not available unless the TMS zl Module is booted to the Services OS.
For example:
ProCurve(tms-module-)> ping 10.1.1.1
When you send ICMP echoes, the module displays the ping statistics to describe the types of responses the router receives. For example, Figure A-5 shows a successful ping:
Figure A-3. Sending a Ping
If you need to halt a ping operation, press Ctrl+Z.
Command-Line Reference
Services OS Manager Context Commands
The Services OS manager context allows restricted access to the Services OS of the module, providing only a limited number of commands. From this mode, you can download and install software and licenses. CLI access to the Services OS is designed primarily for blade maintenance, not for configuring the module. The Services OS context is used to complete basic setup and maintenance tasks.
The commands in this section are the Services OS CLI commands with the Services OS booted.
Figure A-4. Services OS
To access all commands in the Services OS manager context, you must boot the module in the Services OS using the boot command. Until the module is booted in the Services OS, you can access a limited set of commands, including boot, licenses, exit, and some show commands.
delete
This command deletes images from the module. To delete an image, enter the following command:
Syntax: delete
Replace with the filename of the image you want to delete.
download
This command downloads an image to the module’s blade.
ip
This is the only configuration command available from the Services OS manager context. It allows you to configure the module’s IP address and default gateway. To configure the module’s IP address, enter the following command:
Syntax: [no] ip < dhcp | address >
Use the dhcp option to configure the module to receive a dynamic IP address.
ping
Use this command to send an ICMP echo to a specified destination.
Syntax: ping < IP address | hostname >
Replace with the IP address of the ping destination. Replace with the hostname of the ping destination. The module displays the number of pings sent and responses received. For example:
ProCurve(tms-module-)# ping 10.1.1.
■ Services OS
■ CF Services OS, chainloader, and tools
■ Chainloader
■ Tools
To perform the update, enter the following command:
Syntax: update < product | tools | Services_OS | chainloader | CF_chainloader | CF_Service_OS | CF_tools >
Replace with the filename of the updated image.
usb
The usb commands allow you to upload and download files to and from a USB drive hardware device.
Command-Line Reference
Services OS Show Commands
The Services OS show commands allow you to view information about the blade and to troubleshoot. These commands are available at both the operator and the manager level. The show commands available in the Services OS are described below.
Figure A-6. CLI Services OS Context
show assigned-mac-address
This command shows the MAC address assigned to the module by the switch.
show images
This command shows the images in the images repository.
Syntax: show images [details]
show ip
This command shows the IP settings of the module (IP address and default gateway).
Syntax: show ip
show licenses
This command shows the license status for services.
Syntax: show licenses [uninstalled]
Enter the optional uninstalled keyword to view uninstalled licenses.
show logging
This command shows all of the logging information.
Command-Line Reference Product OS Operator Context Commands
show version
This command shows the software version.
Syntax: show version [details]
Product OS Operator Context Commands
The Product OS operator context features a limited number of commands that allow an operator to collect troubleshooting information. To access the Product OS operator context, enter the operator context of the CLI of the switch in which the TMS zl Module.
The product index number is assigned to the TMS zl Module by the switch. This product index number varies, depending on whether or not any HP ProCurve ONE Services zl Modules are also installed in the host switch. The ONE Services zl Module is a hardware platform that supports multiple products, such as the HP ProCurve Data Center Connection Manager (DCM).
■ TMS zl Module
On this host switch, DCM was installed and booted first, so the host switch assigned it index number 2. It then assigned the TMS zl Module index number 3.
Table A-3. CLI Display of Services
Slot | Index | Description | Name
C,D,E | 1 | Services zl Module | services-module
D | 2 | Data Center Connection Manager | dcm
C,E | 3 |
Syntax: capture < file | terminal > [vlan | gre | ha | any]
If you want to capture packets on a VLAN, include the vlan option and specify an ID. If you want to capture packets on a GRE tunnel, include the gre option and specify the tunnel name. If you want to capture packets for a high-availability (HA) interface, include the ha option. If you want to capture packets on all interfaces, include the any option.
Extended Command Option | Purpose
ip | Specifies the transport protocol of the packet to be captured: tcp, udp, icmp, igmp, eigrp, gre, lt2p, pim, ah, esp, vrrp, ospf, multicast
For example:
ProCurve(tms-module-)# capture terminal any pktcount 20
enable
This command enables you to access the manager context level, from which you can access all other contexts.
Replace with the hostname you want to resolve. For example, if you wanted to know the IP address for router5, you would enter:
ProCurve(tms-module-)> nslookup router5
page
This command enables and disables page mode. In page mode, the terminal output will pause when it fills the screen and wait for a keystroke such as space or Ctrl+C.
Syntax: [no] page
ping
This command sends an ICMP echo to a specified destination.
Note
If you cannot ping a device, check that an access policy allows ICMP/Echo traffic from the Self zone to the zone you are trying to ping.
snapshot
This command creates a restore point for your network.
Command-Line Reference Product OS Manager Context Commands
Table A-5.
The SSH client must be able to contact a TMS zl Module IP address. When the TMS zl Module operates in routing mode, the SSH client must also be in a management zone.
TMS zl Module Product Index and Product Name
To enter the TMS zl Module CLI’s Product OS, you must specify either the module’s product name or its product number. The product name for the TMS zl Module is always tms-module.
To view the product index numbers, product names, and their associated chassis slots, enter the following command from the host switch’s CLI:
hostswitch# show services
Table A-6 shows an example output for this command. In this example, the host switch has assigned the TMS zl Module the index number 2.
Table A-6. CLI Display of Services
Slot | Index | Description | Name
C,E | 1 | Services zl Module | services-module
C,E | 2 |
Figure A-9. Product OS Context
The following sections describe commands that are available from the manager context of the Product OS.
batch
This command enables and disables batch, or scripting, mode.
Syntax: [no] batch
This command is also available from the global configuration context.
boot
This command exits the current session and reboots the module. You will be asked to confirm that you want to reboot the module.
If you want to capture packets on a GRE tunnel, include the gre option and specify the tunnel name. If you want to capture packets for a high-availability (HA) interface, include the ha option. If you want to capture packets on all interfaces, include the any option. You can use the extended options to capture certain types of traffic, based on protocol, source IP address, destination IP address, source port, or destination port.
For example:
ProCurve(tms-module-)# capture terminal vlan 100 pktcount 20
This command is also available from the global configuration context.
configure
The command moves you to the Product OS CLI’s global configuration context.
Syntax: configure [terminal]
copy
The copy commands are used to move various file types to and from the TMS zl Module. The copy command supports FTP, SCP, and TFTP transfer protocols.
To upload a configuration file from an external TFTP, FTP, or SCP server to the module’s startup-config, enter one of the following commands:
Syntax: copy tftp < startup-config | image >
Syntax: copy < ftp | scp > < startup-config | image > user
Replace with the IP address of your TFTP or SCP server.
Note
All of your signatures will be lost if you restore your module to a previous configuration or to factory default settings.
exit
To leave a specific interface or configuration mode, enter exit. The exit command moves you back one mode level. For example, if you were in the HA configuration context and entered exit, you would return to the global configuration context.
Syntax: exit
This command is available from all contexts.
nslookup
This command is used to learn a device’s IP address according to its hostname.
Syntax: nslookup
Replace with the hostname you want to resolve. For example, if you wanted to know the IP address for router5, you would enter:
ProCurve(tms-module-)# nslookup router5
page
This command enables and disables page mode.
Figure A-10. Sending a Ping
If you need to halt a ping operation, press Ctrl+Z. This command is also available from the global configuration context.
Note
If you cannot ping a device, check that you have configured an access policy to allow ICMP/Echo traffic from the Self zone to the zone you are trying to ping.
snapshot
This command creates a restore point for your network.
Replace with the IP address of the final destination to which you want to trace the route. The module will display a route to a destination up to 255 hops away. You can end the traceroute process at any time by pressing Ctrl+Z. You can set extended options for tracing a route by typing additional keywords after the IP address.
Command-Line Reference
Global Configuration Context
From the global configuration context, you can make configuration changes that apply to the entire module. You can configure the system’s global parameters such as the hostname, passwords, and banners. You can also configure other features:
■ Firewall
■ NAT
■ VPN
■ IDS/IPS
■ Routing
Which of these options is available depends on the operating mode.
Some commands are not available when the TMS zl Module is in monitor operating mode. See Table A-10.
Table A-10.
Command | Routing mode | Monitor mode
nat | X |
nslookup | X | X
operating-mode | X | X
page | X | X
password | X | X
ping | X | X
port-map | X | X
port-trigger | X |
radius-server | X |
rate-limit | X |
router | X |
schedule | X |
service | X |
service-group | X |
snapshot | X | X
snmpv2 | X | X
snmpv3 | X | X
time | X | X
traceroute | X | X
user | X |
vlan | X |
vpn | X |
write | X |
zone | X |
show | X | X
aaa
This command configures how the TMS zl Module authenticates management users:
Recall that, on the TMS zl Module, you can assign a domain name to a RADIUS server. If you do so, users must submit their username followed by @ when authenticating to that server.
access-policy
You use the access-policy command to configure all of your firewall access policies.
Table A-11. Access-policy Command Options
Parameter | Options
source zone | internal, external, dmz, zone1, zone2, zone3, zone4, zone5, zone6, self
destination zone | internal, external, dmz, zone1, zone2, zone3, zone4, zone5, zone6, self
action | permit, deny, move to
The module checks the policies according to their priority.
Parameter | Options
protocol | • • • • • • • • • • • • •
service | See “Services Available” on page A-96 for a table of the default service objects.
Parameter | Options
extended options |
■ schedule (this command must be entered before all other extended options commands)
■ log
■ ips-off
■ enable
■ disable
■ insert-at
■ update-at < position | id >
■ mss
You can use any combination of the extra options—as many or as few as you like. Table A-12.
For example, if you want to allow a multicast policy for all FTP traffic between Zone3 and Zone5, you would enter the following command: ProCurve(tms-module-:config)# access-policy multicast zone3 zone5 permit service ftp any any address This command creates (or deletes) an address object. With this command you can create either single-entry or multi-entry objects.
Syntax: [no] address-group [add
attack-setting This command enables (or disables) the firewall’s attack checks. Syntax: [no] attack-setting Replace with the attack against which you want the firewall to check. Available attacks are listed in Table A-14. Table A-14. Available Attack Checks Option Definition See Chapter 4: “Firewall.
banner Set the banner that is displayed on the Web browser interface login page. Syntax: [no] banner motd Replace with the text that you want to display on the Web browser interface login page. This text cannot contain any spaces or special characters. batch This command enables or disables batch, or scripting, mode. Syntax: [no] batch This command is also available from the Product OS manager context.
If you want to capture packets for a high-availability (HA) interface, include the ha option. If you want to capture packets on all interfaces, include the any option. You can use the extended options to capture certain types of traffic, based on protocol, source IP address, destination IP address, source port, or destination port.
certificates If you use DSA or RSA signatures for the authentication method in an IKEv1 policy, you must install certificates on the TMS zl Module.
You can set extended options for capturing an interface by typing additional keywords after the network interface. You can specify several combinations of the extended options shown in Table A-8, and you can enter the options in almost any order. Table A-16. Extended Options Extended Command Option Purpose ip-addr-1 Specifies an IP address that the module uses to identify itself.
certificates import Use this command to use FTP, TFTP, or SCP to install the certificates on the TMS zl Module. (These certificates are necessary for the module to use DSA or RSA signatures for the IKE authentication method.
Enter the following command to configure the SCEP Server: Syntax: certificates scep server < | domain-name > port [cgi-path ] [ca-identifier ] Replace with the IP address of your CA server. If you select the domain-name option instead, replace with the FQDN of your CA server. Replace with the port number on which your CA server listens for SCEP messages (1 to 65535).
Replace with the name of the CA root certificate that you installed with the certificates scep retrieve ca command. Replace with the challenge password that your CA has given you. A challenge password is typically used to revoke a certificate, but your CA may also require you to enter a challenge password to request a certificate. Replace with a string between 1 and 31 alphanumeric characters.
connection-settings The connection-settings command allows you to set various restrictions on connections to your network:
■ Absolute number of connections limits
■ Timeout limits
■ Resource allocation limits
Table A-17 gives the available options for the connection-settings command. Table A-17.
Zone | Default connection-settings Limits
zone4* | 21428
zone5* | 21428
zone6* | 21428
*Zone may be renamed, but the original connection limit will remain.
For example, to set an absolute maximum of 3000 connections for the external zone, enter the following command: ProCurve(tms-module-:config)# connection-settings limit external 3000 connection-settings timeout Set a limit for the amount of time an inactive connection can stay open.
To create (or delete) a custom service and timeout, enter the following command: Syntax: [no] connection-settings timeout < tcp | udp > Replace with a custom service name. Replace with the TCP or UDP port for the service. Replace with the number of seconds that you want an inactive session to remain open.
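The two limits described above (an absolute per-zone connection count and a per-service idle timeout) interact in the firewall's connection table. The following is an added example, not TMS zl Module code, that models that table so the behaviour can be checked offline: the zone limits are the ones the page gives (3000 for external in the example, 21428 for zone4), while the per-service timeout values and the flows themselves are constructed.

```python
"""Stateful connection table modelling the two kinds of limit this section
describes: an absolute per-zone connection count (connection-settings limit)
and a per-service idle timeout (connection-settings timeout).  Added example,
not TMS zl Module code; the per-service timeout values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone the connection enters from, e.g. "external"
    proto: str      # "tcp" or "udp"
    dst_port: int


class ConnectionTable:
    def __init__(self, zone_limits, service_timeouts, default_timeout=60):
        self.zone_limits = dict(zone_limits)            # zone -> absolute max
        self.service_timeouts = dict(service_timeouts)  # (proto, port) -> seconds
        self.default_timeout = default_timeout
        self.active = {}     # flow_id -> (Flow, last_seen)
        self.counts = {}     # zone -> number of active connections
        self.rejected = 0    # connections refused because a zone was full

    def _timeout_for(self, flow):
        return self.service_timeouts.get((flow.proto, flow.dst_port),
                                         self.default_timeout)

    def open(self, flow_id, flow, now):
        """Admit a new connection unless its source zone is at its limit."""
        self.expire(now)
        limit = self.zone_limits.get(flow.src_zone)
        if limit is not None and self.counts.get(flow.src_zone, 0) >= limit:
            self.rejected += 1
            return False
        self.active[flow_id] = (flow, now)
        self.counts[flow.src_zone] = self.counts.get(flow.src_zone, 0) + 1
        return True

    def touch(self, flow_id, now):
        """Record activity so the idle timer restarts."""
        flow, _ = self.active[flow_id]
        self.active[flow_id] = (flow, now)

    def expire(self, now):
        """Drop connections idle longer than their service timeout."""
        stale = [fid for fid, (f, seen) in self.active.items()
                 if now - seen > self._timeout_for(f)]
        for fid in stale:
            flow, _ = self.active.pop(fid)
            self.counts[flow.src_zone] -= 1
        return len(stale)


def demo():
    table = ConnectionTable(
        zone_limits={"external": 3000, "zone4": 21428},         # values from the page
        service_timeouts={("udp", 53): 30, ("tcp", 22): 3600},  # constructed
    )
    web = Flow("external", "tcp", 443)
    accepted = sum(table.open(f"ext-{i}", web, now=0) for i in range(3001))
    table.open("dns-1", Flow("zone4", "udp", 53), now=0)
    table.touch("ext-0", now=20)             # one web flow stays busy
    expired_31 = table.expire(now=31)        # only the 30 s DNS flow is stale
    expired_61 = table.expire(now=61)        # idle web flows hit the 60 s default
    return {"accepted": accepted, "rejected": table.rejected,
            "expired_31": expired_31, "expired_61": expired_61,
            "still_open": len(table.active)}
```

Running `demo()` shows the 3001st connection from the external zone being refused while the zone is at its limit, and the short UDP/53 timeout reclaiming its slot long before the default timeout reclaims the idle web sessions; the flow that was touched at second 20 survives the sweep at second 61.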
Replace with the number of connection reservations you want to create for the zone. Replace with a comment string to define the connection reservation. Replace with the ID of the rule that you are updating. For example, network administrators at ProCurve University want to create a connection reservation for the research faculty members in Zone1.
Replace with the IP address of your TFTP or SCP server. Replace with the name of the file you are uploading from your server. Replace with the username on the account on your FTP or SCP server. These commands are also available in the Product OS manager context.
Note You cannot delete a VLAN association if DHCP relay is enabled on the VLAN, even if DHCP is disabled globally. end To return to the manager context, enter end. The end command moves you back to the manager context, regardless of the context where you enter the command. Syntax: end This command is available from all contexts. erase This command exits the current session and reboots the router with the factory default startup-configuration.
gre With this command you can configure GRE tunnels.
gre ip rip. This command enables (or disables) RIP on the GRE tunnel interface and configures RIP options for the interface.
The options available for the command are shown in Table A-21. Table A-21. OSPF on GRE Command Options Command Option Purpose area Specifies the area to which you want to assign the GRE tunnel. For , you can use integer or dotted-decimal (x.x.x.x) notation. However, the show ip ospf area command will always display the area ID in dotted-decimal notation. For example, 0.0.0.1 will be displayed if you type 1 as the area ID and 0.0.1.
When you enter the command and enable PIM, you enter the PIM context of the GRE tunnel interface. In this context, you can set the DR priority on the GRE tunnel. The prompt is ProCurve(tms-module-:gre-pim-sparse)#. See “GRE PIM Context” on page A-117. gre keepalive This command enables the GRE tunnel keepalive mechanism.
Replace with an IP address that does not exist on a subnet in your system and is not part of a TMS VLAN. This address is the IP address assigned to the tunnel interface. Replace with a virtual address that is not already used by the device on the other end of the GRE tunnel. This will be the gateway address for routes that use the tunnel as the forwarding interface.
Table A-22.
Replace with the multicast IP address. (The default address is 224.0.0.18). high-availability ip This command specifies the IP address of the TMS zl Module on the HA VLAN. To set the HA interface IP address, type the following command: Syntax: high-availability ip Replace with the IP address and subnet mask you want to assign to the module.
hostname It is often useful to give the router a name that helps to distinguish it from other routers in your network. To change the router’s hostname, enter the following command: Syntax: hostname Replace with the hostname you want to assign to the module. This name can only include alphanumeric characters.
ip route This command creates static routes for the module, including the default route. To create (or delete) a static route, enter the following command: Syntax: [no] ip route < | > [metric ] [distance ] Replace with the IP address and subnet mask of the route’s destination. For a default route, type 0.0.0.0 0.0.0.0.
Syntax: [no] ip-reassembly [reassembly options] You can specify any of the extended options shown in Table A-23, but you can enter only one option at a time. Table A-23.
ips full-inspection By default, the TMS zl Module inspects only the first few kilobytes of each connection in each direction. However, you can specify that every packet in every session be inspected by the IDS/IPS. This option consumes more system resources but it also provides the best security effectiveness.
Syntax: ips protocol-anomaly mime [ header-size | boundaries ] Replace with the maximum header size in bytes (100–2048). Replace with the maximum number of boundaries allowed per message (1–10). SMTP.
To set the update interval for signatures or update your signatures immediately, enter the following command: Syntax: ips signatures update < interval < 4-hours | 12-hours | 24-hours | 48-hours | 1week | 2-weeks > | now > For example, if you want to update your signatures now, enter the following command: ProCurve(tms-module-)# ips signatures update now ips threat-level This command is available only when the TMS zl Module is in routing mode.
ipsec The ipsec command includes many options. It contains all of the commands you need to create an IPsec VPN, including the IKEv1 policy, the IPsec proposal, and the IPsec policy itself. For this reason, documentation of this command will be separated into several sections.
Syntax: [no] ipsec enable ipsec icmp ICMP error messages may not be allowed by the traffic selectors that select traffic for the VPN tunnel. However, these error messages are often necessary for a session. When you enable the TMS zl Module to send ICMP messages, it will return an ICMP error message when it receives bad or inconsistent data. When you enable the module to handle ICMP messages, the module will accept incoming ICMP error messages.
ipsec proposal To create or edit an IPsec proposal, enter the following command from the global configuration context: Syntax: ipsec proposal encapsulation security auth | ah auth > Replace with the unique name of the proposal you are creating or editing (1–32 alphanumeric characters).
To delete an IPsec proposal, enter the following: Syntax: no ipsec proposal Replace with the name of the IPsec proposal that you want to delete. ipsec policy To create or edit (or delete) an IPsec policy, enter the following command: Syntax: [no] ipsec policy Replace with the unique name of the policy you are creating or editing (1–32 alphanumeric characters).
l2tp The l2tp command contains all of the commands you need to create the L2TP settings for an L2TP over IPsec VPN (you must also use the ipsec commands to configure the IPsec settings). Documentation for this command is separated into the following sections. ■ l2tp radius-auth—these commands allow you to configure a RADIUS server to authenticate L2TP dial-in users. (See “l2tp radius-auth” on page A-83.
If you choose to enter the domain-name option, replace with the domain name associated with your RADIUS server. See “radius-server” on page A-102 for complete information. To use a RADIUS server to authenticate L2TP clients and to specify the TMS zl Module’s virtual L2TP server IP address, enter the following command: Syntax: l2tp radius-auth Replace with the IP address that the TMS zl Module will use in its role as L2TP server.
Syntax: no l2tp radius-auth To clear the IP settings that you have configured for a domain, enter the following command: Syntax: no l2tp radius-auth domain-config Replace with the name of the domain for which you want to clear the settings. Example L2TP RADIUS Authentication.
l2tp local-user To create or edit (or delete) a local L2TP user account and enter the L2TP User context, enter the following command: Syntax: [no] l2tp local-user Replace with the name for this user (1 to 16 alphanumeric characters). After entering this command, you will be moved to the CLI’s L2TP User context. See “L2TP User Context” on page A-159. lldp This command enables (or disables) Link Layer Discovery Protocol.
Replace with an email address, which will be used as the source of the emails containing logs. The email address does not need to be a real address, but it must be in valid email address format. Enter the user option to configure an account used to access the email server. Replace with the username of the account. Replace with the password for the account.
Replace with the IP address of the SNMPv2 server. Replace with the name of the SNMPv2 community. For example: ProCurve(tms-module-:config)# logging snmpv2 enable ProCurve(tms-module-:config)# logging snmpv2 172.16.2.35 private logging snmpv3 SNMP traps are unsolicited messages that are sent by managed devices to alert you about specific events.
This command enables SNMPv2 forwarding. Syntax: [no] logging syslog facility This command specifies the SNMPv2 community to which you are forwarding logs. Replace with the IP address of the syslog server. Replace with the port number that the syslog server uses. Replace with the facility code that represents where the message originates. Table A-25 shows the facility options. Table A-25.
For example: ProCurve(tms-module-:config)# logging syslog enable ProCurve(tms-module-:config)# logging syslog 172.16.2.240 514 facility user logging threshold Table A-26 displays the available options for the logging threshold command. Table A-26.
After log throttling is enabled, you can configure the count and seconds parameters. Enter the following command: Syntax: logging threshold duplicates time Replace with the number of duplicate events that you want to occur before the module logs a tally message (1–2147483647). The default number is 500.
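Throttling of this kind matters to a defender because a flood of identical events (a port scan, a brute-force attempt) can otherwise drown the log collector while still needing to be counted. The following is an added example, not TMS zl Module code, that implements a duplicates-count plus time-window throttle: the first copy of a message is logged, identical copies within the window are suppressed, and a tally line is emitted when the suppressed count reaches the threshold or the window closes. The exact reset behaviour after a tally is an assumption, and the sample log lines are constructed.

```python
"""Duplicate-log throttling in the style of 'logging threshold duplicates
<count> time <seconds>': the first copy of a message is logged, identical
copies inside the time window are suppressed, and a tally line is written
when the suppressed count reaches the threshold or when the window has
elapsed.  Added example, not TMS zl Module code; the reset behaviour after
a tally (the window restarts) is an assumption, and the lines are constructed."""


class LogThrottle:
    def __init__(self, duplicates=500, seconds=60):
        self.duplicates = duplicates   # page default for the count is 500
        self.seconds = seconds
        self._state = {}               # message -> [window_start, suppressed]

    @staticmethod
    def _tally(msg, n):
        return f"last message repeated {n} times: {msg}"

    def submit(self, ts, msg):
        """Return the lines that should actually reach the log for this event."""
        out = []
        st = self._state.get(msg)
        if st is None or ts - st[0] > self.seconds:
            if st is not None and st[1] > 0:
                out.append(self._tally(msg, st[1]))   # close the old window
            self._state[msg] = [ts, 0]
            out.append(msg)                            # first copy is logged
            return out
        st[1] += 1                                     # duplicate inside window
        if st[1] >= self.duplicates:
            out.append(self._tally(msg, st[1]))
            self._state[msg] = [ts, 0]                 # assumption: window restarts
        return out


def demo():
    # Constructed sample stream: a noisy firewall deny repeated in a burst,
    # one unrelated event, and the same deny again after a quiet period.
    deny = "deny tcp external->internal 198.51.100.7:40000 -> 10.0.0.5:22"
    other = "permit udp internal->external 10.0.0.9:53000 -> 192.0.2.1:53"
    events = [(0, deny), (1, deny), (2, deny), (2, other), (3, deny),
              (4, deny), (20, deny)]
    throttle = LogThrottle(duplicates=3, seconds=10)
    logged = []
    for ts, msg in events:
        logged.extend(throttle.submit(ts, msg))
    return logged
```

With a threshold of 3 and a 10-second window, the seven constructed events collapse to five log lines: the first deny, the unrelated permit, a tally for three suppressed copies, a tally for the one copy left when the window expires, and the deny logged afresh after the quiet period. Nothing is lost from the count, only from the volume.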
management zone. To add a zone to the set of management zones, type the following command: Syntax: management zone Replace with the zone from which you want to manage the module. The available zones are:
■ internal
■ external
■ dmz
■ zone1
■ zone2
■ zone3
■ zone4
■ zone5
■ zone6
■
Monitor Mode
In monitor mode, this command configures your dedicated management interface VLAN and IP address. management ip.
Replace with the VLAN ID number. The IP address that you assigned to the module must be part of a subnet associated with this VLAN. For example, to assign the module’s management VLAN to VLAN 3, enter the following command: ProCurve Switch 5406zl(tms-module-:config)# management vlan 3 nat You use the nat command to configure all of your NAT policies.
The available parameters and options are shown in Table A-27. At the end of the access-policy command, you can append various optional keywords, which are listed in Table A-27 as .
Table A-27. nat Command Options
Parameter | Options
source zone | internal, external, dmz, zone1, zone2, zone3, zone4, zone5, zone6, self
destination zone | internal, external, dmz, zone1, zone2, zone3, zone4, zone5, zone6, self
protocol | any, <0-255>, tcp, udp, ah, esp, ip, icmp, igmp, gre, l2tp, ospf, pim
service | See Table A-28 on page A-96.
Parameter | Options
source address | any, host, network IP address/prefix length, ip-range, address
destination address | any, host, network IP address/prefix length, ip-range, address
destination port | • • range
address after translation | IP address, ip-range
snmp snmptrap sqlnet ssh syslog tacacs-tcp tacacs-udp talk-tcp talk-udp telnet tftp time uucp who whois xdmcp user configured service objects To move a policy’s position, enter the following command: Syntax: nat < source | destination | no-nat > move to Replace with the source zone of the policy that you want to move.
To set the operating mode, enter the following command: Syntax: operating-mode < monitor | routing > Changing the operating mode will cause the module to reboot. You will be prompted to confirm the change. page This command enables and disables page mode. In page mode, the terminal output will pause when it fills the screen and wait for a keystroke such as space or Ctrl+C.
For example: ProCurve(tms-module-)# ping 10.1.1.1 When you send ICMP echoes, the module displays the ping statistics to describe the types of responses the router receives. For example, Figure A-12 shows a successful ping: Figure A-12. Sending a Ping If you need to halt a ping operation, press Ctrl+Z. This command is also available from the Product OS manager context.
Table A-29. Services Available FTP HTTP IMAP NNTP POP3 RSTP SMTP TCPDNS TCPRPC TCPSIP TELNET UDPDNS UDPRPC UDPSIP For example, to add a port map for HTTP over TCP through port 9000, enter the following command: ProCurve(tms-module-)# port-map http tcp 9000 port-trigger Use this command to create policies that enable the module’s firewall to monitor dynamically negotiated ports.
Replace with the name assigned to the policy. To add or remove ports to an existing policy, type the following command: Syntax: port-trigger < add | remove > < inbound | outbound > < tcp | udp > < port |[range > Replace with the name of the policy that you are editing. Table A-30.
radius-server Use this command to specify the TMS zl Module’s RADIUS server.
For example, to add a RADIUS server with the IP address 10.10.10.10 and to specify “procurve” as the secret key, TMS as the NAS ID, and a domain name of “hp.com,” enter the following command: ProCurve(tms-module-)# radius-server host 10.10.10.10 secret procurve nas-id tms domain-name hp.
Replace with the name of the group to which the firewall policy applies. This parameter is optional. Replace with the rule ID of the firewall access policy. This rule ID is specific to the group and type of policy. Table A-31.
router ospf To configure OSPF settings, enter the following command: Syntax: router ospf The available options for the command are shown in Table A-32. Table A-32. OSPF Command Options Command Option Purpose distance Specifies the administrative distance for OSPF routes (1–255). The default administrative distance is 110.
router pim For PIM, you can configure PIM’s Static Rendezvous Points (static RPs). To configure (or delete) static RPs, enter the following command: Syntax: [no] router pim rp-address Replace with the IP address of the static RP. Replace with the IP address and prefix length of the multicast group for which you are configuring the RP.
All parameters are mandatory. service This command creates (or deletes) a service object. Syntax: [no] service For type the name that you want to give the service object. Other options for this command are displayed in the following table. Table A-33.
Replace with the name of the service group object you are creating. Replace with the name of the service object that you are adding or removing. snapshot This command creates a restore point for your network.
To configure SNMPv2 communities and set access rights, enter the following command: Syntax: [no] snmpv2 server community [ < operator | manager > | ] Replace with the name that you want to assign to the SNMPv2 community.
Type privacy and select aes or des. Replace with the privacy passphrase for the user. For the manager role, you must configure privacy settings. For the operator role, you may optionally configure privacy settings, but are not required to do so. For example: ProCurve(tms-module-:config)# snmpv3 server nick manager auth md5 procurve time This command displays the module’s time only.
For example, to trace the route to 1.1.1.1, set the timeout to 30 seconds, and specify 10 as the maximum number of hops, enter the following command: ProCurve(tms-module-)# traceroute 10.1.1.1 timeout 30 maxttl 10 If you need to halt a traceroute operation, press Ctrl+Z. This command is also available in the Product OS manager context.
Note For the group name, you can use up to 14 alphanumeric characters and the following special characters: space, period, comma, hyphen (-), exclamation point (!), dollar sign ($), asperand sign (@), asterisk (*), hash sign (#), and underscore (_). When creating a group name that includes spaces, you must surround the group name with quotation marks (“).
Replace with the VLAN ID. The dhcp option configures the module to request a DHCP address on this VLAN. Replace with the static IP address and prefix length of the VLAN. Note A VLAN is automatically set to DHCP until you specify a static address. vlan ip igmp To enable IGMP on the VLAN, enter the following command: Syntax: vlan ip igmp Replace with the VLAN ID of a TMS VLAN.
Table A-35. RIP Command Options Command Option Purpose metric Specifies the cost number to routes advertised on this VLAN (1-16). [v1-only | v2-only | v1-and-v2] Specifies the RIP version used by routers on this subnet. The TMS zl Module does not support RIP compatibility mode, so all routers on this VLAN must use the same version or enable both versions.
Command Option Purpose transmit-delay Specifies the number of seconds assumed for an LSA to reach a peer (1–3600). [authentication-key ] Optionally, sets the authentication type to simple authentication and specifies the simple password that the module will use to authenticate itself to other OSPF routers. This can include up to 8 alphanumeric characters.
■ zone3
■ zone4
■ zone5
■ zone6
■
The allow-switch-ip option allows the switch to also have an IP address on this VLAN. The unique-mac option configures a unique MAC address for the TMS VLAN (otherwise, every TMS VLAN shares a MAC address). vpn This command is a VPN management command that clears an IKE or IPsec SA (VPN tunnel) before the SA lifetime expires.
Command-Line Reference GRE PIM Context Note By pressing Tab when a zone name should be entered, you will see a complete list of all the static and dynamic zone names that have been configured. Also, when the first part of a zone name has been entered, pressing Tab will display all of the zone names that match the letters typed. GRE PIM Context Figure A-13.
Command-Line Reference IKEv1 Context IKEv1 Context The IKEv1 context includes the commands for creating and editing an IKEv1 policy. The commands that you enter in the IKEv1 context do not take effect until you apply them. If you exit before applying your commands, your settings are lost. This context is available only when the TMS zl Module is in routing mode. Figure A-14.
From the IKEv1 context, you can:
■ Set the IKEv1 type, local gateway, and (for a site-to-site policy) remote gateway (page A-122)
■ Set the local and remote IDs (page A-120)
■ Set the IKEv1 mode and authentication method (page A-119)
■ Set the security parameters proposal (page A-122)
■ Configure XAUTH (page A-123)
■ Preview your IKE policy (page A-121)
■ Apply the policy (page A-119)
Note You must configure the IKEv1 type and local gateway before you ca
For example: ProCurve(tms-module-:ikev1)# authentication exchange-mode main method preshared-key Preshared Key:********** Confirm Preshared Key:********** identities To configure the local ID that the TMS zl Module sends to authenticate itself and the remote ID that the remote gateway or clients sends to authenticate, type the following command: Syntax: identities local type remote For and specify one of the option
For example: ProCurve(tms-module-:ikev1)# identities local type ip-addr 172.16.2.1 remote type email-addr user@procurve.com preview Before you apply the IKEv1 policy, you should preview it to make sure that everything is correct. The preview displays the settings that you have configured even if they have not yet been applied.
security-proposal To configure the security settings proposed by the TMS zl Module for the IKE SA, enter the following command: Syntax: security-proposal dh-group encryption auth sa-lifetime Replace with one of the following Diffie-Hellman groups:
■ group1-768
■ group2-1024
■ group5-1536
Replace with one of the following encryption algorithms:
■ des
■ 3d
type site-to-site To configure a site-to-site IKE policy, enter the following command: Syntax: type site-to-site local-gateway > remote-gateway > Replace with the IP address of the local or remote gateway. Replace with the ID of the VLAN on which the remote endpoint reaches the TMS zl Module. Replace with the remote gateway’s fully qualified domain name (FQDN).
To configure the module to act as an XAUTH client, enter the following command: Syntax: xauth client auth-type username Replace with the username accepted by the remote gateway’s authentication server (which can include alphanumeric and special characters). After you enter the command, you will be prompted to enter a password.
ProCurve(tms-module-:ikev1)# type site-to-site local-gateway vlan 50 remote-gateway 172.15.16.2 Success: Policy type and local and remote gateway were set successfully. ProCurve(tms-module-:ikev1)# identities local type ip-addr 10.10.50.54 remote type ip-addr 172.15.16.2 Success: Local and remote identities were set.
*IKE Authentication
Key Exchange Mode: Main Mode
Authentication Method: Preshared Key
Preshared Key: ************
Security Parameters Proposal
Diffie-Hellman (DH) Group: Group 1 (768)
Encryption Algorithm: 3DES
Authentication Algorithm: MD5
SA Lifetime in Seconds: 28800
XAUTH Configuration
XAUTH: disabled
ProCurve(tms-module-:ikev1)# apply
Success: IKEv1 policy was committed successfully.
Command-Line Reference IPsec Policy Context IPsec Policy Context Figure A-15. IPsec Policy Context The IPsec policy context includes commands for creating (or editing) an IPsec policy.
Therefore, it is very important that you are ready to complete the IPsec policy before entering the IPsec policy context. Otherwise, you will have to exit the IPsec policy context without entering the apply command, causing you to lose any configurations that you have made to your policy.
Use the apply option for a policy that selects traffic to be secured and sent over a VPN connection. Use the bypass option for a policy that selects traffic that is not secured by a VPN connection but is forwarded to its destination. Use the deny option to select traffic that should be dropped entirely. After entering this command, you move to the action context with the available commands.
Note that you can specify a position that is already used by another policy. The new policy is inserted above the former policy, and the former policy’s position (as well as policies below that policy) is modified accordingly. preview Before you apply the IPsec policy, you should preview it to make sure that everything is correct.
Advanced Settings
IP compression: Disabled
Anti-Replay Window Size: 32
Extended sequence number: Disabled
Re-key on sequence number overflow: Enabled
Persistent tunnel: Disabled
Fragment before IPsec: Enabled
Copy DSCP value from clear packet: Disabled
DSCP Value: 9
DF Bit Handling: Clear DF bit.
traffic-selector With this command, you configure the VPN traffic selector, which determines the traffic to which this policy is applied.
Table A-39.
Figure A-16. IPsec Policy Apply Context To enter the IPsec policy apply context, enter the following: Syntax: action apply To verify your location in the CLI, check the prompt. In the IPsec policy apply context, the prompt is ProCurve(tms-module-:ipsec:apply)#. From the IPsec policy apply context, you can access the commands necessary to create an IPsec policy that is actively applied to all traffic.
advanced The TMS zl Module supports these advanced features:
■ IP compression
■ Extended sequence number
■ Re-key on sequence number overflow
■ Persistent tunnels
■ Fragmentation before IPsec
■ Customizable anti-replay window size
■ The copying of values from the original IP header
The following command allows you to enable (or disable) the IPsec policy’s advanced settings.
Extended Command Option / Purpose / Default setting
anti-replay-win-size
Purpose: TMS zl Module accepts packets with out-of-order sequence numbers within the range specified by the anti-replay window (32–1024, must be a multiple of 32).
Default setting: Default size, 32
copy-dscp [enable | disable ], df-bit-handling < copy | set | clear >
Purpose: Specifies how the TMS zl Module handles the DSCP value and the DF bit.
Default setting: • Copying the DSCP value is
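The anti-replay window is the receiver-side defence against an attacker re-injecting captured ESP packets: a sequence number older than the window, or already marked in it, is dropped. The following is an added example that follows the RFC 4303 sliding-window algorithm; it is not TMS zl Module code. The size rule (32 to 1024, a multiple of 32) and the default of 32 come from the table above, while the sequence numbers fed through the demo are constructed.

```python
"""Sliding anti-replay window of the kind configured by anti-replay-win-size:
the receiver keeps a bitmap of the last <size> sequence numbers, accepts a
packet only if it is newer than the window or unseen inside it, and rejects
anything older than the window or already seen.  Added example following the
RFC 4303 algorithm, not TMS zl Module code; the size rule (32-1024, multiple
of 32) and the default of 32 are the values the table gives."""


def valid_window_size(size):
    """Enforce the page's rule: 32-1024 and a multiple of 32."""
    return 32 <= size <= 1024 and size % 32 == 0


class AntiReplayWindow:
    def __init__(self, size=32):
        if not valid_window_size(size):
            raise ValueError("window size must be 32-1024 and a multiple of 32")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """Return (accepted, reason); the window is updated only on accept."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.top:
            # Newer than anything seen: slide the window up and mark seq.
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True, "advanced window"
        offset = self.top - seq
        if offset >= self.size:
            return False, "older than the window"
        if (self.bitmap >> offset) & 1:
            return False, "replayed"
        self.bitmap |= 1 << offset
        return True, "accepted inside window"


def demo(size=32):
    w = AntiReplayWindow(size)
    # Constructed ESP sequence numbers: in order, a duplicate, out of order,
    # another duplicate, then a jump that slides old numbers out of the window.
    return [w.check(s)[0] for s in (1, 1, 5, 3, 3, 100, 68, 69)]
```

With the default 32-packet window the demo accepts 1, 5 and 3 (3 arrives late but unseen), rejects the repeated 1 and 3 as replays, and after the jump to 100 rejects 68 as too old (offset 32 is outside a 32-entry window) while still accepting 69. A larger window tolerates more reordering on a lossy path at the cost of a slightly larger replay surface, which is the trade-off the option exposes.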
preview Before you apply the IPsec policy, you should preview it to make sure that everything is correct. To preview your policy, enter the following command from any IPsec policy context: Syntax: preview The command is also available from other contexts accessed through the IPsec policy context. proposal The IPsec proposal specifies the IPsec mode, IPsec protocol, and the authentication and encryption algorithms that secure the VPN connection.
Caution If your traffic selector will include management traffic to the TMS zl Module itself, you first must configure a Bypass policy with top priority that selects the management traffic, or you will be locked out of the Web browser interface. If you do lock yourself out, reboot the module, but DO NOT SAVE the configuration.
Parameter: address
Options:
• any
• host
• network
• address/prefix length
• ip-range address
*If you use TCP or UDP for the traffic selector, you must enter port and specify a port after both the local address and the remote address.
**If you select echo or timestamp, the tunnel must use manual keying instead of IKE in your IPsec policy.
To enter the IPsec auto keys context, enter the following command from the IPsec policy apply context: Syntax: key-exchange-method auto To verify your location in the CLI, check the prompt. In the IPsec auto keys context, the prompt is ProCurve(tms-module-:ipsec:apply:auto)#.
preview. Before you apply the IPsec policy, you should preview it to make sure that everything is correct. To preview your policy, enter the following command from any IPsec policy context: Syntax: preview The command is also available from other contexts accessed through the IPsec policy context. pfs. Using PFS (Perfect Forward Secrecy) forces the tunnel endpoints to perform a fresh Diffie-Hellman exchange when they generate keys for the IPsec SA, rather than deriving them from the IKE SA's keying material alone; a later compromise of the IKE SA keys therefore does not expose the IPsec SA keys.
ProCurve(tms-module-:ipsec:apply:auto)# sa-lifetime seconds 28800 kilobytes 500000
IPsec Manual Keys Context This context includes the commands specific to configuring an IPsec policy that uses manual keying. (It is available only when the TMS zl Module is in routing mode.) Figure A-18. IPsec Manual Keys Context
To verify your location in the CLI, check the prompt. In the IPsec manual keys context, the prompt is ProCurve(tms-module-:ipsec:apply:manual)#.
Replace the placeholder with the IP address of the remote gateway. You must type the IP address that the remote gateway specifies for its local gateway address. This is the IP address at which the TMS zl Module can reach the remote gateway (typically, a public IP address). For example: ProCurve(tms-module-:ipsec:apply:manual)# remote-gateway 172.16.23.1 keys. This command sets the keys that the IPsec policy uses to secure the SA. Manually configured keys never change until you reconfigure them, so generate them from a cryptographically strong random source and plan their rotation as an operational task.
preview. Before you apply the IPsec policy, you should preview it to make sure that everything is correct. To preview your policy, enter the following command from any IPsec policy context: Syntax: preview The command is also available from other contexts accessed through the IPsec policy context. spi. This command sets the decimal number that uniquely identifies this IPsec SA. The SPI you configure here must match the SPI configured on the remote gateway for the same SA.
You enter the IPsec IRAS context from the IPsec policy apply context.
The command is also available from other contexts accessed through the IPsec policy context. ip. To set the address that will be the clients’ remote gateway while visiting the local network, enter the following command: Syntax: ip < | host > Replace the placeholder with the IP address (including the subnet mask) that the TMS zl Module will use to route traffic from the remote clients.
ip-range. This command sets the IP address pool for remote clients. Each remote client will be assigned an address from this pool while visiting your private network. You can configure several address ranges. To configure (or delete) an address range, enter the following: Syntax: [no] ip-range Replace the two placeholders with the first IP address and the last IP address of the address range, respectively.
Figure A-20. IPsec Policy Bypass Context To enter the IPsec bypass context, enter the following command from the IPsec policy context: Syntax: action bypass To verify your location in the CLI, check the prompt. In the IPsec policy bypass context, the prompt is ProCurve(tms-module-:ipsec:bypass)#.
apply Once you have configured all parts of the IPsec policy, you must apply the policy. The apply command verifies that all required settings are configured and then adds or edits the IPsec policy. (If the requirements are not met, the command does not take effect, and an error message indicates which settings are missing.)
Table A-42.
ProCurve(tms-module-:ipsec:bypass)# preview
IPsec policy
------------------------------------------------------
*Policy Name: testpol
Status: Enabled
Action: Bypass
Direction: Both
Position: 1
Traffic Selector
*Protocol: TCP
*Local Address: 192.168.2.0/26
*Local Port: Any
*Remote Address: 2.2.2.0/24
*Remote Port: 443
IPsec Policy Deny Context The IPsec policy deny context includes the commands specific to configuring a deny IPsec policy.
To verify your location in the CLI, check the prompt. In the IPsec policy deny context, the prompt is ProCurve(tms-module-:ipsec:deny)#. To exit the IPsec policy deny context, enter the following: Syntax: exit If you have not set all of the necessary configurations, you will be prompted to do so and asked whether you actually want to exit. The sections below document the commands available in the IPsec policy deny context.
traffic-selector With this command, you configure the VPN traffic selector, which determines the traffic to which this policy is applied. For a policy with the deny action, this traffic is dropped. To set the traffic selector, enter the following command: Syntax: traffic-selector protocol local remote address [port ] The available options for the command are shown in Table A-39. Table A-43.
For example:
ProCurve(tms-module-:ipsec:deny)# traffic-selector protocol tcp local 10.1.2.0/24 port 20 remote ip-range 192.168.2.1 192.168.2.12 port 21
preview Before you apply the IPsec policy, you should preview it to make sure everything is correct.
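Two rules in this reference decide whether a policy set behaves as intended: a policy inserted at an occupied position goes above the existing policy and pushes it and everything below it down one slot, and policies are consulted from position 1 downward with the first matching traffic selector winning. The Caution about management traffic follows directly from the second rule. The following added example (not code from the HP guide) models both rules so they can be checked before touching a module: it evaluates constructed packets against an Apply policy that covers the whole LAN, first without and then with a Bypass policy for HTTPS to the module, and shows the position shift the insert causes. The selector orientation (local = source, remote = destination for traffic leaving the local network), the module address 10.1.5.1 and all other addresses are assumptions for the demonstration, not values from the guide.

```python
"""Added example: first-match model of a TMS zl Module IPsec policy list.
Orientation (local = packet source, remote = packet destination) and the
addresses below are assumptions made for the demonstration."""

import ipaddress


class Selector:
    """Traffic selector: protocol, local/remote address, optional ports."""

    def __init__(self, protocol, local, remote, local_port=None, remote_port=None):
        self.protocol = protocol.lower()        # 'any', 'tcp', 'udp', ...
        self.local = self._parse(local)
        self.remote = self._parse(remote)
        self.local_port = local_port            # None means Any
        self.remote_port = remote_port

    @staticmethod
    def _parse(spec):
        # Mirrors the guide's address forms: any, host, network, ip-range.
        kind, _, rest = spec.partition(" ")
        if kind == "any":
            return ("any",)
        if kind == "host":
            return ("host", ipaddress.ip_address(rest))
        if kind == "network":
            return ("network", ipaddress.ip_network(rest, strict=False))
        if kind == "ip-range":
            first, last = rest.split()
            return ("range", ipaddress.ip_address(first), ipaddress.ip_address(last))
        raise ValueError(f"unknown address form: {spec}")

    @staticmethod
    def _addr_match(spec, addr):
        addr = ipaddress.ip_address(addr)
        if spec[0] == "any":
            return True
        if spec[0] == "host":
            return addr == spec[1]
        if spec[0] == "network":
            return addr in spec[1]
        return spec[1] <= addr <= spec[2]

    def matches(self, pkt):
        if self.protocol != "any" and self.protocol != pkt["proto"]:
            return False
        if self.protocol in ("tcp", "udp"):     # ports only apply to TCP/UDP selectors
            if self.local_port not in (None, pkt["sport"]):
                return False
            if self.remote_port not in (None, pkt["dport"]):
                return False
        return (self._addr_match(self.local, pkt["src"])
                and self._addr_match(self.remote, pkt["dst"]))


class PolicyList:
    """Ordered IPsec policies; position 1 is consulted first."""

    def __init__(self):
        self.policies = []      # (name, action, selector); index 0 is position 1

    def add(self, name, action, selector, position=None):
        entry = (name, action, selector)
        if position is None or position > len(self.policies):
            self.policies.append(entry)
        else:
            # Occupied position: new policy goes above the old one and every
            # policy from there down shifts by one, as the guide describes.
            self.policies.insert(position - 1, entry)

    def positions(self):
        return {name: i + 1 for i, (name, _, _) in enumerate(self.policies)}

    def evaluate(self, pkt):
        """Return (policy name, action) of the first match, or (None, 'clear')."""
        for name, action, sel in self.policies:
            if sel.matches(pkt):
                return name, action
        return None, "clear"    # no policy: neither protected nor dropped


# Constructed packets: admin on the LAN manages the module over HTTPS,
# and a LAN host talks to a branch network behind the tunnel.
MGMT_HTTPS = {"proto": "tcp", "src": "10.1.5.20", "sport": 50432,
              "dst": "10.1.5.1", "dport": 443}      # 10.1.5.1: assumed module VLAN address
LAN_TO_BRANCH = {"proto": "tcp", "src": "10.1.5.20", "sport": 50433,
                 "dst": "192.0.2.7", "dport": 445}


def build(with_bypass):
    """Apply policy covering the whole LAN, optionally with a management bypass above it."""
    pl = PolicyList()
    pl.add("sitevpn", "apply", Selector("any", "network 10.1.5.0/24", "any"), position=1)
    if with_bypass:
        pl.add("mgmt-bypass", "bypass",
               Selector("tcp", "network 10.1.5.0/24", "host 10.1.5.1", remote_port=443),
               position=1)      # same position as sitevpn: sitevpn moves to 2
    return pl


if __name__ == "__main__":
    for flag in (False, True):
        pl = build(flag)
        print(pl.positions(), pl.evaluate(MGMT_HTTPS), pl.evaluate(LAN_TO_BRANCH))
```

Without the bypass, the management session matches the Apply policy and would be forced into the tunnel, which is the lock-out the Caution describes; with the bypass inserted at position 1 the session is exempted while traffic to the branch is still protected. The same model serves the deny action: a Deny policy inserted at position 2 lands between the two, and traffic it selects is dropped before the Apply policy is consulted.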
Parameter: TMS zl Module Setting
Key exchange mode: Main
Authentication method: Pre-shared key—procurvetestvpn
Diffie-Hellman group: Group 1 (768)
Encryption algorithm: 3DES
Authentication algorithm: MD5
SA lifetime (SA life): 28800
XAUTH: Disabled
IPsec Proposal—testprop
Encapsulation mode: Tunnel mode
Security protocol: ESP
Encryption algorithm: 3DES
Authentication algorithm: MD5
IPsec Policy—policytest
Position: 1
Action: Apply
Protocol: Any
Loca
ProCurve(tms-module-:ikev1)# type site-to-site local-gateway vlan 20 remote-gateway 172.16.40.99
ProCurve(tms-module-:ikev1)# identities local type ip-addr 172.16.20.103 remote type ip-addr 172.16.40.
XAUTH Configuration
XAUTH: disabled
ProCurve(tms-module-:ikev1)# apply
ProCurve(tms-module-:ikev1)# exit
ProCurve(tms-module-:config)# ipsec proposal testprop encapsulation tunnel security esp encryption 3des auth md5
ProCurve(tms-module-:config)# ipsec policy policytest
ProCurve(tms-module-:ipsec)# action apply
ProCurve(tms-module-:ipsec:apply)# traffic-selector protocol any local 10.1.5.0/24 remote 10.2.15.
ProCurve(tms-module-:ipsec:apply)# no advanced persistent-tunnel enable
ProCurve(tms-module-:ipsec:apply)# advanced fragment-before-ipsec enable
ProCurve(tms-module-:ipsec:apply)# advanced copy-dscp enable df-bit-handling clear
ProCurve(tms-module-:ipsec:apply)# preview
IPsec policy
------------------------------------------------------
*Policy Name: policytest
Status: Enabled
Action: Apply
Direction: Both
Position: 1
Traffic Se
Command-Line Reference L2TP User Context
ProCurve(tms-module-:ipsec:apply)# apply
ProCurve(tms-module-:ipsec)# exit
ProCurve(tms-module-:config)# exit
L2TP User Context The L2TP user context provides the commands for configuring L2TP authentication against the TMS zl Module’s local database. It also enables you to configure the IP settings assigned to L2TP clients. The commands that you enter in the L2TP user context do not take effect until you apply them.
To create or edit a local L2TP user account and to enter the L2TP user context, enter the following command from the global configuration context: Syntax: [no] l2tp local-user Replace the placeholder with the name for this user. The name can be 1 to 16 alphanumeric characters. (Use the no option to delete an existing L2TP user account.) To verify your location in the CLI, check the prompt.
Replace the placeholder with the name of the user group for this user. The group must already be configured on the TMS zl Module. (When you configure firewall access policies that control this L2TP user’s access, you will configure them for this user group.) After entering this command, you will be prompted to input the user’s password. For the password, enter a case-sensitive string.
Tunnel Configuration
Server IP Address/Mask: 10.2.3.1/24
User IP Address: 10.2.3.2
Primary DNS Server: [not set]
Secondary DNS Server: [not set]
Primary WINS Server: [not set]
Secondary WINS Server: [not set]
tunnel When L2TP clients authenticate locally, you must specify the IP settings that the client and the TMS zl Module use for the L2TP connection.
Example L2TP over IPsec VPN with Local Authentication The following is the complete command set to create the L2TP over IPsec VPN with the parameters detailed in Table A-45. In this example, L2TP users authenticate to local accounts on the TMS zl Module. Note that these commands do not include those for creating necessary routes or firewall access policies. Table A-45.
Parameter: TMS zl Module Setting
IPsec proposal: TransESP
IKE exchange method: Auto
IKE policy: L2tpIke
Perfect Forward Secrecy: Disabled*
SA lifetime in seconds (SA life): 28800*
SA lifetime in kilobytes: 0*
Mode config address pool: Disabled*
L2TP User—l2tpuser
Tunnel server IP address: 10.100.1.1/24
Tunnel user IP address: 10.100.1.
ProCurve(tms-module-:ikev1)# preview
Preview IKEv1 policy
--------------------------------------------
*Policy Name: L2tpIke
*Policy Type: Client-to-Site
*Local Gateway: VLAN 20 (VLAN20)
*Local ID Type: IP Address   Value: 172.16.20.103
*Remote ID Type: IP Address   Value: 0.0.0.
ProCurve(tms-module-:ipsec:apply)# proposal TransESP
ProCurve(tms-module-:ipsec:apply)# key-exchange-method auto
ProCurve(tms-module-:ipsec:apply:auto)# ikev1 L2tpIke
ProCurve(tms-module-:ipsec:apply:auto)# exit
ProCurve(tms-module-:ipsec:apply)# preview
IPsec policy
------------------------------------------------------
*Policy Name: L2tpIpsec
Status: Enabled
Action: Apply
Direction: Both
Position: 1
Traffic Selector
*Prot
Copy DSCP value from clear packet: Disabled
DSCP Value: 0
DF Bit Handling: Copy DF bit from clear packet.
ProCurve(tms-module-:ipsec:apply)# apply
ProCurve(tms-module-:ipsec:apply)# exit
ProCurve(tms-module-:ipsec)# exit
ProCurve(tms-module-:config)# l2tp local-user l2tpuser
ProCurve(tms-module-:l2tp-user)# tunnel 10.100.1.1/24 user 10.100.1.
Example L2TP over IPsec VPN with RADIUS Authentication The following is the complete command set to create the L2TP over IPsec VPN with the parameters detailed in Table A-46. In this example, L2TP users authenticate to an external RADIUS server. Note that these commands do not include those for creating necessary routes or firewall access policies. Table A-46.
Parameter: TMS zl Module Setting
IKE policy: l2tpIke
Perfect Forward Secrecy: Disabled*
SA lifetime in seconds (SA life): 28800*
SA lifetime in kilobytes: 0*
Mode config address pool: Disabled*
L2TP Policy—l2tptest
IKE policy: l2tpIke
IPsec proposal: l2tpProp
SA lifetime in seconds (SA life): 28800
SA lifetime in kilobytes: 0
RADIUS Server
RADIUS server IP address: 172.16.22.55
Secret key: procurve
NAS ID: tms-module
Domain name: hp.
ProCurve(tms-module-:ikev1)# authentication exchange-mode main method preshared-key
Preshared Key: procurvetestvpn
Confirm Preshared Key: procurvetestvpn
ProCurve(tms-module-:ikev1)# security-proposal dh-group group2-1024 encryption 3des auth md5 sa-lifetime 28800
ProCurve(tms-module-:ikev1)# apply
ProCurve(tms-module-:ikev1)# exit
ProCurve(tms-module-:config)# ipsec proposal l2tpProp encapsulation transport security esp en
Command-Line Reference RIP Context
ProCurve(tms-module-:config)# l2tp radius-auth 10.2.2.1
ProCurve(tms-module-:config)# l2tp radius-auth domain-config hp.com ip-pool 10.2.2.2 10.2.2.200 dns primary 192.168.12.200
RIP Context The RIP context provides commands for configuring global RIP settings. It is available only when the TMS zl Module is in routing mode. Figure A-23.
To exit the RIP context, enter the following command: Syntax: exit default-metric To set the default metric, which is the cost assigned to all RIP routes by default, enter the following command: Syntax: default-metric Replace the placeholder with the new default metric for RIP routes (1–15). The default setting is 1.
Command-Line Reference OSPF Context OSPF Context The OSPF context includes commands for configuring global OSPF settings. It is available only when the TMS zl Module is in routing mode. Figure A-24. OSPF Context To enable OSPF and access the OSPF context, enter the following from the global configuration context: Syntax: router ospf To verify your location in the CLI, check the prompt. In the OSPF context, the prompt is ProCurve(tms-module-:ospf)#.
rfc1583-compatibility To enable (or disable) RFC 1583 compatibility, enter the following command: Syntax: [no] rfc1583-compatibility For more information on this feature, see “OSPF” on page 9-27 in Chapter 9: “Routing.”
Replace the placeholder with the ID for the area, which can be either a number (1–4294967294) or an IP address. Replace the metric placeholder with the metric that will be assigned to the advertisements of routes to this area (1–65535). The metric-type option specifies the type for routes redistributed into OSPF. If you choose to use this option, select type1 (to add internal costs to the external cost as the route is advertised) or type2 (to advertise only the external cost).
Command-Line Reference VLAN Context For md5, replace the placeholder with the ID used in this area (1–255). Replace the key placeholder with the MD5 key, which is a string of up to 16 characters. For simple, replace the placeholder with the password used in this area, a string of up to 8 characters. Note that simple authentication sends the password in cleartext in every OSPF packet, so it protects only against accidental adjacencies, not against an attacker on the segment; prefer md5. For the hello-interval option, replace the placeholder with the number of seconds between sending hellos to the neighbor (1–65535).
Figure A-25. VLAN Context To enter the VLAN context, enter the following: Syntax: vlan Replace the placeholder with the VLAN ID. To verify your location in the CLI, check the prompt. In the VLAN context, the prompt is ProCurve(tms-module-:vlan-)#.
ip igmp To enable (or disable) IGMP on a VLAN, enter the following command: Syntax: [no] ip igmp ip ospf From the VLAN context, you can configure the following OSPF settings: ■ area ■ cost ■ hello interval and dead interval ■ priority ■ retransmit interval ■ transmit delay ■ authentication To configure OSPF on a VLAN, enter the following command: Syntax: ip ospf The options available for the command are shown in Table A-47. Table A-47.
Command Option: [md5 ]
Purpose: Optionally sets the authentication type to MD5 authentication and specifies the key ID and key that the module will use to authenticate itself to other OSPF routers.
• Replace the first placeholder with the authentication key ID (1–255).
• Replace the second placeholder with the MD5 key, a string of up to 16 characters.
no ip ospf You can use the no option with the ip ospf command to complete several tasks.
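The md5 option above turns on OSPF cryptographic authentication, which is why the key ID matters: each packet carries the ID so the receiver can choose the right key, and the key itself never appears on the wire. The following added example (not code from the HP guide) shows what that authentication actually computes, following RFC 2328 Appendix D: the 16-byte key is appended to the packet, MD5 is taken over the result, and the digest replaces the key as a trailer. The zero-padding of keys shorter than 16 bytes, the constructed Hello packet and the key value are assumptions for the demonstration. Note that this provides integrity and origin authentication only; OSPF packets, including any routes they carry, remain readable on the segment.

```python
"""Added example: OSPF cryptographic (MD5) authentication per RFC 2328
Appendix D. Key padding convention, packet contents and key are
assumptions for the demonstration, not values from the HP guide."""

import hashlib
import hmac
import struct

# Fixed part of the OSPF header: version, type, length, router ID,
# area ID, checksum, AuType. The 8-byte authentication field follows.
OSPF_HEADER = struct.Struct("!BBHIIHH")
AUTH_MD5 = 2


def build_packet(router_id, area_id, key_id, crypto_seq, body):
    """Constructed OSPF packet (type 1, Hello) with the MD5 auth field set.

    With AuType 2 the checksum field is unused (0) and the authentication
    field carries: 2 zero bytes, key ID, auth data length (16) and a
    32-bit cryptographic sequence number that must not go backwards.
    """
    length = OSPF_HEADER.size + 8 + len(body)   # digest is not counted in length
    hdr = OSPF_HEADER.pack(2, 1, length, router_id, area_id, 0, AUTH_MD5)
    auth = struct.pack("!HBBI", 0, key_id, 16, crypto_seq)
    return hdr + auth + body


def _padded(key):
    """Key as 16 bytes; shorter keys are zero-padded (assumed convention)."""
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return raw.ljust(16, b"\x00")


def sign(packet, key):
    """Append MD5(packet || key) to the packet (RFC 2328 D.4.3 steps 3-5)."""
    return packet + hashlib.md5(packet + _padded(key)).digest()


def verify(signed, key):
    """Recompute the digest over everything but the trailing 16 bytes."""
    if len(signed) < OSPF_HEADER.size + 8 + 16:
        return False
    packet, digest = signed[:-16], signed[-16:]
    expected = hashlib.md5(packet + _padded(key)).digest()
    return hmac.compare_digest(expected, digest)    # constant-time compare


def key_id_of(signed):
    """Key ID from the auth field, so a receiver can select the right key."""
    return signed[OSPF_HEADER.size + 2]


def crypto_seq_of(signed):
    """Cryptographic sequence number; receivers reject values <= the last seen."""
    return struct.unpack_from("!I", signed, OSPF_HEADER.size + 4)[0]


if __name__ == "__main__":
    body = bytes(20)        # constructed Hello body; contents do not matter here
    pkt = build_packet(0xC0A80101, 0, key_id=5, crypto_seq=1000, body=body)
    signed = sign(pkt, "procurve")
    print(verify(signed, "procurve"), verify(signed, "wrong-key"),
          key_id_of(signed), crypto_seq_of(signed))
```

The sequence number is what stops an attacker from replaying a captured, validly authenticated packet later: a receiver keeps the last value seen per neighbor and discards anything not greater, so a key ID change (rolling to a new key on the VLAN) should be accompanied by a sequence number that keeps increasing.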
Syntax: [no] ip rip The options available for the command are shown in Table A-48. Use the no option with any of these options to disable the associated feature. Table A-48. RIP Command Options
Command Option: metric
Purpose: Specifies the cost number for routes advertised on this VLAN (1–16).
Command Option: [v1-only | v2-only | v1-and-v2]
Purpose: Specifies the RIP version used by routers on this subnet.
Command-Line Reference VLAN PIM Context VLAN PIM Context Figure A-26. VLAN PIM Context To enter the VLAN PIM context, which is available only when the TMS zl Module is in routing mode, enter the following command from the VLAN context: Syntax: ip pim-sparse To verify your location in the CLI, check the prompt. In the VLAN PIM context, the prompt is ProCurve(tms-module-:vlan--pimsparse)#. From this context, you can set the TMS zl Module’s DR priority on the VLAN.
Command-Line Reference Product OS Show Commands Product OS Show Commands The Product OS show commands allow you to view information about, or the current status of, an interface or feature. They help you to troubleshoot. The show commands available in the Product OS are described in the sections below. Most show commands are available with either operator or manager access; however, manager access is required for a few commands.
Command | Manager, Routing Mode | Operator, Routing Mode | Manager, Monitor Mode | Operator, Monitor Mode
show logging: X X X X
show management: X X X X
show nat: X X
show operating-mode: X X X X
show port-map: X X X X
show port-trigger: X X
show radius-server: X X X X
show rate-limit: X X
show running-config: X
show schedule: X X
show service: X X
show service-group: X X
show snmpv2: X X X X
show snmpv3: X X X X
show system-in
show access-policy This command shows the firewall access policies currently configured on the module. You can view policies by type of policy (multicast or unicast) or by user group. Additionally, you can filter the results by source zone and destination zone.
show address-group This command shows all or one of your address groups. The groups and their members are displayed. To view your address group or groups, enter the following command: Syntax: show address-group show alg This command shows the ALGs on the module and whether they are enabled or disabled. Syntax: show alg show arp This command shows the TMS zl Module’s ARP cache entries.
Syntax: show certificates Use the scep option to view the settings configured for SCEP, including the SCEP server’s IP address or domain name, the server’s port, the CGI path, and the unique CA identifier. Use the ca option to view the subject name, issuer name, serial number, and expiry time of your CA certificates.
■ Policy ID To view the active connections on your network, enter the following command: Syntax: show connections [sip ] [dip ] [szone ] [dzone ] [pid ] After szone, specify the source zone; after dzone, the destination zone; after sip, the source IP address; after dip, the destination IP address; and after pid, the policy ID.
show high-availability This command shows the HA configuration. Syntax: show high-availability show ip This command shows interface information as well as routing information.
Replace the placeholder with the VLAN ID. To view RIP peer information, enter the following command: Syntax: show ip rip peer [IP address] Optionally, specify the IP address of the peer router. To view restricted addresses, enter the following command: Syntax: show ip rip restrict show ip ospf The show ip ospf command shows information about OSPF on the network.
To view OSPF on a particular interface, enter the following command: Syntax: show ip ospf interface [ | vlan ] Specify either the interface IP address or, after vlan, the VLAN ID.
■ Group Address—Each multicast group for which the module knows a route ■ Source Address—The IP address of the multicast source for that group ■ Neighbor—The IP address of the next router in the path to that source ■ VLAN—the VLANs out which the module forwards multicast traffic for this group show ip pim To view PIM settings (such as the VLANs on which PIM is enabled and the TMS zl Module’s DR priority), enter the following command: Syntax: show ip pi
show ip-reassembly This command shows the IP reassembly constraints. Syntax: show ip-reassembly show ips This command shows your IPS settings.
The global settings that are displayed are: ■ whether IPsec is enabled globally ■ whether sending ICMP error messages is enabled ■ whether handling ICMP error messages is enabled ■ the maximum SAs per policy ■ whether auto SA revalidation is enabled ■ the minimum packet size for IP compression You can also add additional parameters to the show ipsec command to view additional information about your IPsec settings, such as: ■ IKEv1 policies Enter
show l2tp Use this command to view information about L2TP authentication.
To view the local logging information, enter the following command: Syntax: show logging local [reverse] [filter options] This command will display the local log with the most recent first. Optionally, enter reverse to display the most recent log last. You can set filter options for refining the logging information that is displayed by typing additional keywords at the end of the command.
Syntax: show management show nat This command shows your NAT policies. Syntax: show nat show operating-mode Use this command to view your operating mode. Syntax: show operating-mode show port-map This command shows all of your port-maps. Syntax: show port-map show port-trigger This command shows your port trigger policies. Syntax: show port-trigger [trigger name] show radius-server This command shows information about your RADIUS server.
Replace the placeholder with the rule ID. show running-config This command shows the module’s running-configuration. For general troubleshooting, you should enter the show running-config (or just show run) command. Syntax: show running-config [display-credentials] Optionally, use the display-credentials option to display hidden credentials, such as the RADIUS server secret. Output captured with this option contains live secrets, so do not paste it into tickets, support cases, or shared logs without redacting them. show schedule This command shows the module’s schedule objects.
show snmpv3 This command shows your SNMPv3 server settings. Syntax: show snmpv3 server show system-information This command shows all globally configured and operational system parameters. Syntax: show system-information show tech This command shows all of the information you will need for troubleshooting. Syntax: show tech show time This command displays the module’s time and date.
show vlans This command shows information about the TMS VLANs. This command shows the IP address of the VLAN and the zone to which it belongs. Syntax: show vlans [unassociated] The unassociated option shows VLANs that the module has detected on the host switch but that have not been added to a zone. show vlans mac-addresses This command shows the MAC addresses that are associated with the TMS VLANs.
Without any options, this command displays a list of all IKE SAs that are currently open. Optionally, replace [policy name] and [SA number] with the name of the IKEv1 policy and the SA number associated with the IKE SA that you want to view. In this case you will see more details about that specific SA. Type the following command to view your IPsec VPN tunnels.
B Glossary Numeric 3DES Triple DES. A version of DES in which three encryption phases are applied. A AAA Authentication, Authorization, and Accounting. Processes that are used to control network access and enforce security policies. For more information, see RFC 2989 at http://www.ietf.org/rfc/rfc2989.txt. See also authentication, authorization, and accounting. ABR Area Border Router. A router that is attached to more than one OSPF area. access policy See firewall access policy.
AF Assured Forwarding. A Differentiated Services PHB group comprised of four classes that allows a provider DS domain to offer different levels of forwarding assurances for IP packets received from a customer DS domain. aggressive mode Aggressive mode uses three total messages during IKE phase 1—two from the initiator and one from the responder. Because identities and the authentication hash are exchanged before encryption is in place, aggressive mode with a pre-shared key exposes the key to offline dictionary attack by anyone who can capture the exchange. AH Authentication Header. A part of the IPsec protocol suite that guarantees connectionless integrity and data origin authentication of IP packets.
ASN.1 Abstract Syntax Notation One. A standard notation to describe data structures for representing, encoding, transmitting, and decoding data. DER is an example of ASN.1 encoding rules. assured forwarding See AF. authenticated network access Network access that was granted after the user submitted credentials to an authentication server.
CA certificate A certificate that is issued by a CA that validates all other certificates that are issued by the CA. Also called a “CA root certificate.” You store CA certificates in VPN > Certificates > CA Certificates. certificate An electronic document that contains a public key and is digitally signed by a third-party issuer such as a CA. Digital certificates are used for network authentication.
Classless Inter-Domain Routing See CIDR. clear DF bit An option that permits you to set the DF bit to 0, which means that the packet can be fragmented in an IPsec SA. cleartext Data that is immediately comprehensible to a human being: a message that is transmitted or stored without encryption. CLI Command-Line Interface. An interface that requires that the user manually type commands at a command prompt, one line at a time. A CLI is usually accessed via Telnet, SSH, or a serial connection.
convergence The time that it takes all routers on a network to receive the same information about network topology and the best routes to use to reach a particular destination. copy DF bit The IPsec option to copy the DF bit from the original IP header to the delivery header. In this way, it ensures the correct handling for the packet. copy DSCP value The IPsec option to copy the DSCP value from the original IP header to the delivery header, which marks the packet for a particular QoS.
default gateway The next-hop router to which a device sends all traffic that is destined to a different network or subnet. default metric The metric that is assigned to redistributed routes. defragmentation The reassembly of fragmented packets, often performed by a router or by the TMS zl Module. demilitarized zone See DMZ. denial of service See DoS. deny An action for an IPsec policy.
Differentiated Services Also known as DiffServ, a class of service model that enhances the best-effort services of the Internet by differentiating traffic according to user, service requirements, and other criteria. Differentiated Services code point See DSCP. Differentiated Services field The IP header field (DS) that is used as a codepoint to select the PHB. Diffie-Hellman group Determines the length of the base prime number used during a Diffie-Hellman key exchange.
domain name address object An address object that contains between one and 10 URLs or FQDNs. domain name system See DNS. DoS Denial of Service. A type of attack that monopolizes a system's resources so that other users cannot access it. DR Designated Router. On a multi-access OSPF network segment, the router elected to form adjacencies with all other routers on that segment and to originate the network LSA on its behalf, so that flooding on the segment goes through it rather than between every pair of routers. DR priority The priority of a router during DR election.
endpoint A device that connects to a network, such as a desktop computer, a laptop computer, or a server. ESP Encapsulating Security Payload. A part of the IPsec protocol suite that provides origin authenticity, integrity, and confidentiality protection for packets. exchange method See key exchange method. exchange mode See key exchange mode. expedited forwarding See EF. extended ACL extended Access Control List. On the TMS zl Module, the extended ACL is called the traffic selector.
firewall priority The order in which the firewall compares an incoming packet to a policy group. The highest priority is 1, which is the first policy that is compared to the packet. firewall zone One of 11 pre-defined zones, which are logical groupings of VLANs for which you can configure similar firewall access policies. The Self zone filters all traffic to or from the module itself.
H HA High Availability. The provision of nearly constant services or connectivity. It is achieved through redundancy and hot failover. HA cluster Two TMS zl Modules that are configured for HA. HA control protocol A Layer 2 protocol to manage data flow, such as number of sessions per module, between the master and the participant in an HA cluster. HA data protocol A Layer 2 protocol to send data from the cluster master to the participant.
I IANA Internet Assigned Numbers Authority. The organization that oversees the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. IANA IP protocols Protocols for which the IANA has assigned a unique identifier. For example, TCP is identified by the number 6. IAS Internet Authentication Services. The Microsoft implementation of RADIUS. ICMP Internet Control Message Protocol.
IE Microsoft’s Internet Explorer browser. IETF Internet Engineering Task Force. The organization that develops and publishes Internet standards, including the RFC series. See www.ietf.org. IGMP Internet Group Management Protocol. A protocol used by hosts and multicast routers to establish and manage IP multicast groups. IGP Interior Gateway Protocol. Routing protocols such as RIP and OSPF that are designed to operate in a single AS. IKE Internet Key Exchange.
inter-VLAN Between different VLANs. Internal The Internal zone. A zone on the internal network. intra-chassis failover A failover scheme in which the members of an HA cluster fail over to other members in the same host chassis. intra-VLAN Within the same VLAN. intrusion detection See IDS. intrusion prevention See IPS. IP address object An address object that contains up to 100 individual, non-contiguous IP addresses.
IPsec certificate See certificate. IPsec encapsulation The process by which an AH or ESP header is added to a packet to be sent over an IPsec VPN. IPsec policy The policy that the TMS zl Module uses to carry out IKE phase 2 when negotiating an IPsec SA. IPsec proposal This is the TMS zl Module's equivalent of a transform set, which is the combination of security protocols, algorithms, and other settings applied to IPsec VPN traffic. IPsec remote See IRAS.
Glossary L L2TP Layer 2 Tunneling Protocol. A protocol that is used in VPNs. For more information, see RFC 2661 at http://www.ietf.org/rfc/rfc2661.txt. L2TP access See LAC. concentrator L2TP network See LNS. server L2TP remote Remote access that uses L2TP. access LAC L2TP Access Concentrator. A device that virtually extends an Internet connection to an LNS, which is located at the corporate network.
Glossary M main mode Main mode uses six total messages during IKE phase 1—three from both initiator and the responder. malware Software designed to infiltrate or damage a computer system. The term encompasses computer viruses, worms, Trojans, spyware, and adware. In law, malware is sometimes known as a computer contaminant. Malware is not defective software that has a legitimate purpose but contains errors or bugs. management- A zone from which management access is permitted to Self.
Glossary to check a message’s data integrity as well as authenticate the sender. Some protocols, such as EAP-MD5, require passwords to be transmitted as hashes rather than in plaintext. For more information, see RFC 1321 at http:// www.ietf.org/rfc/rfc1321.txt. member A module that is part of an HA cluster. metric A value between 0 and 15 that indicates the distance to the destination address. The further a router is from the destination, the higher the metric. MIB Management Information Base.
Glossary multicast flooding The process used to deliver multicast packets. Packets are “flooded” to all members of an IGMP group. multicast packet A single packet that is delivered simultaneously to a group of destinations. multiple-entry An address object that contains more than one address entry. address object My ProCurve The Web page from which you generate license keys for TMS zl Module products. N name server A server that implements name services protocols.
Glossary NAT address The IP address assigned by the NAT operation. For example, if 10.10.10.10 is translated into 192.168.2.1, then 192.168.2.1 is the NAT address. NAT policy A policy on the TMS zl Module that determines which traffic needs to be translated, how it should be translated, and under what circumstances. NAT pool A set of IP addresses that are reserved for NAT. These addresses are not used on the network, but will instead be used as the NAT address of a packet that is translated.
Glossary out-of-sequence An attack check performed by the TMS zl Module that drops packets that are packets received out of order. outbound The manual authentication key that a remote device expects to receive from authentication a local device when establishing a VPN. key outbound The manual encryption key that a remote device expects to receive from a encryption key local device when establishing a VPN. P packet flow The logical path of a packet through a device, such as the TMS zl Module.
Glossary PEM Privacy Enhanced Mail. An IETF proposal to secure emails with public keys. PEM depends on prior distribution of a hierarchical PKI with a single root. For more information, see RFCs 1421–1424 at http://www.ietf.org/rfc.html. per-hop behavior See PHB. perfect forward See PFS. secrecy persistent tunnel An IPsec SA configured as a persistent tunnel always remains open. It is renewed even if it remains inactive longer than the tunnel lifetime. PFS Perfect Forward Secrecy.
Glossary port trigger A process that allows the TMS zl Module to dynamically and automatically forward traffic on particular ports. Port triggers are configured on ports for applications that require dynamically negotiated ports. position The position of a policy among other policies. The firewall checks packets against policies in the order in which they are listed, so a policy with a higher position (value closer to 1) is checked first. PR Problem report.
Glossary R RADIUS Remote Authentication Dial-In User Service. An AAA protocol that allows a server to store all of the security information for a network in a single, central database. The server stores and manages end-user information so that it can authenticate the end-users. The server also maps end-users to the services that they are allowed to access. For more information, see RFC 2865 at http:// www.ietf.org/rfc/rfc2865.txt. RADIUS server A common type of AAA server.
Glossary RIP Routing Information Protocol. A protocol that allows routers to tell other routers which routers they can reach and how far away those routers are. For more information, see RFC 1058 for version 1 at http://www.ietf.org/rfc/ rfc1058.txt or RFC 2453 for version 2 at http://www.ietf.org/rfc/rfc2453.txt. route computation The process of adding route costs in OSPF to find the shortest route to an arbitrary destination. route The process of using routes discovered by a different protocol.
Glossary schedule object A named object that specifies the days and times of day that a specific firewall access policy applies. scheduled policy A firewall access policy to which a schedule object has been applied. SCEP Simple Certificate Enrollment Protocol. A PKI communication protocol to provide secure issuance of certificates in a scalable manner. For more information, see the Internet Draft at http://www.ietf.org/internet-drafts/draftnourse-scep-15.txt. SCP Secure Copy Protocol.
Glossary signature A preset definition that specifies characteristics that are indicative of a particular attack. signature-based Attack detection that compares audit data with known attack signatures that IDS are stored in a signature database. signature family A grouping of signatures that detect similar kinds of attacks, for example, DoS, XSS, backdoor, gain access, and so on. signature server The HP ProCurve server from which the latest signature files are downloaded.
Glossary source zone The firewall zone from which a packet is sent. SPF Shortest Path First. An algorithm used in OSPF to determine which route to a destination is the fastest. SPI Security Parameters Index. One of the three factors that identifies an SA. An SPI identifies the session key and algorithm used to protect the data being transported.
Glossary SYN flood A DoS attack in which the attacker sends a rapid succession of SYN (synchronize) packets to the targeted system. The attack is intended to disrupt the normal TCP three-way handshake in which a SYN packet sent by a client is followed by a SYN-ACK (acknowledge) packet from the server, to which the client should respond with an ACK packet. When the server does not receive the ACK packet, its connections remain half-opened, which prevents legitimate clients from making a connection.
Glossary transform set On the TMS zl Module, the transform set is called IPsec proposal. The term transform set is used by the HP ProCurve Secure Router 7000dl series. transport mode The IPsec mode in which a packet is encapsulated with an IPsec header before the IP header is added. Therefore, both ends of the tunnel must be the ultimate originators of the traffic. Triple DES See 3DES. tunnel A virtual path through another network.
Glossary virtual IP address An IP address associated with a cluster rather than an individual member of a cluster. The cluster will still receive packets in the event that a specific network device fails. virus A computer program that can copy itself and damage a computer system. A virus cannot self-propagate as a worm can but is spread via infected removable media (floppy disks, zip drives, USB drives) or by sending it over a network.
Glossary X XAUTH eXtended AUTHentication. An IKE extension that permits the use of legacy protocols such as RADIUS, SecurID, and OTP. For more information, see the Internet Draft at http://www.vpnc.org/ietf-xauth/draft-beaulieu-ike-xauth02.txt. Z zero-day attack Any new and previously unknown attack. Zero-day attacks are especially dangerous because no signature exists that can detect them. zone Logical groupings of VLANs that can be created when the TMS zl Module is in routing mode.
C  Log Messages

Contents

Reading the Log Messages ... C-3
  Finding the Log Message Family and ID ... C-4
Log Message Formats and Fields ... C-6
  Firewall ... C-6
    Firewall: Access Control ...
  Network Access System ... C-18
    Network Access System: DHCP Client ... C-18
    Network Access System: DHCP Server ... C-19
    Network Access System: IGMP Proxy ... C-19
    Network Access System: NTP Client ... C-19
  Routing ...
Reading the Log Messages

All log messages begin with the following fields, in this order:
■ time=[YYYY-MM-DD HH:MM:SS] The timestamp for the log message, derived from the host switch.
■ severity=[critical | major | minor | warning | info] One of five severity levels that is pre-assigned to each log message type.
■ pri=[0–7] Priority of the message.

• Configuration
  – config_configuration
• User Authentication
  – user_statistics
• Layer 2 Bridge
  – l2br_bridge
• Intrusion Detection/Protection System
  – ips_attack_family
  – ips_traffic_anomaly_family
  – ips_application_detection_family
  – session_open_logs_family
  – session_close_logs_family
• Network Access
  – netacc_dhcp_client
  – netacc_dhcp_server
  – netacc_igmp_proxy
  – netacc_ntp_client
• IP Reassembly
• Threat Management Services
• RADI

Figure C-1. Finding Log Message Families and Message IDs

You can use this information to filter the log messages. For example, in the Web browser interface, on System > Logging > View Logs, you can type id=vpn_ in the Keyword field to find all of the messages that the VPN engine has generated. You can also use the log family names and message IDs to filter log messages that have been exported and opened in a text editor or a spreadsheet program.
Log Message Formats and Fields

The format for a log message varies according to the system that generated the message. Some types of log messages contain only the fields shown in "Reading the Log Messages" on page C-3 plus message text. Others contain several other fields, which are included or omitted depending on the type of message. Listed below are the fields that each type of log message might contain, plus values and value types for some of the fields.

Field name (value format): description
rcvdsc (integer): Total number of bytes received from the server to the client
ruleaction ([permit | deny]): The value in the Action field of the access policy
ruledsc ([rule position] accesspolicy [source zone] [destination zone] [permit | deny] service [service] [source address] [destination address] (ID:[rule ID])): Description of the access policy in the format shown, which is the same format as in the CLI.

Firewall: Application Filters

Log messages in the application filters family (id=fw_application_filters) may contain the following fields in addition to the firewall access control fields, listed in alphabetical order: Table C-2.

High Availability Cluster: VSRP

Messages from the VSRP (HA control) protocol (id=hacl_vsrp) may contain the following fields in addition to the HA cluster fields:

Table C-4. High Availability VSRP Message Family Fields
Field name (value format): description
masterid ([1 | 2]): Identifier of the cluster master from the Device ID field
mgmt_ipaddress ([x.x.x.

VPN

Log messages from the VPN engine (id=vpn_...) contain these fields, in this order:

Table C-5. VPN Message Family Fields
Field name (value format): description
msg (text): Text of the message
src ([x.x.x.x]): Source IP address in the IP packet header
srcport (0–65535): Source port number in the IP packet header
dst ([x.x.x.

VPN: IPsec

Log messages from IPsec version 4 (id=vpn_ipsecipv4) may contain these fields in addition to the VPN fields: Table C-6.

VPN: IKEv1

Log messages from IKE version 1 (id=vpn_ikev1) may contain these fields in addition to the VPN fields: Table C-7.

VPN: IKEv2

Log messages from IKE version 2 (id=vpn_ikev2) may contain these fields in addition to or instead of the VPN and IKEv1 fields: Table C-8.

System

System errors (id=system_system_error) contain these fields:
■ srczone=SELF dstzone=SELF System messages always apply to the Self zone only.
■ errortype=[memory_allocation | socket | file_system | driver | resource_allocation] Type of error.

Configuration

Log messages from the configuration (id=config_configuration) may contain these fields, in this order: Table C-10.

Figure C-2. Finding the Signature Family and Signature ID

Figure C-2 shows a log message indicating that rule 30091 of the DOS signature family was activated. Log messages from the IPS attack family (id=ips_attack_family) may also contain these fields:

Table C-11.
Field name (value format): description
rulefam ([general | backdoor | DOS | exploits | gain access | traffic info | traffic anomaly | protocol anomaly | reconnaissance | malware | virus | inappropriate | botnet | spamhaus]): The signature family of the rule that was triggered
rulename (text)
rulethreat ([Critical | Severe | Minor | warning | Information])
tcpoptions (integer): TCP options
timetolive (integer): The time to live of the packet that triggered the IP
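The keyword filtering described under "Reading the Log Messages" (for example id=vpn_) and the IPS attack fields in Table C-11 can be applied to an exported log offline. The following is an added example, not code from the HP guide: it parses the key=value layout, checks that each line carries the mandatory time/severity/pri header, filters by message family and summarises IPS attack hits by signature family and threat level. The sample lines are constructed for the example; their exact spacing and the order of the later fields are assumptions, not captured module output.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from a real module) that follow the
# key=value layout this appendix describes: time, severity and pri first, then
# id= naming the message family, then family-specific fields. Real messages
# may order or space the later fields differently.
SAMPLE_LOG = """\
time=2010-03-15 10:22:01 severity=info pri=6 id=fw_access_control src=10.1.1.5 dst=192.168.2.10 ruleaction=permit ruledsc=10 accesspolicy INTERNAL EXTERNAL permit service HTTP any any (ID:42) rcvdsc=1024
time=2010-03-15 10:22:05 severity=major pri=2 id=ips_attack_family src=203.0.113.7 dst=192.168.2.10 rulefam=DOS rulename=TCP SYN flood rulethreat=Severe timetolive=64
time=2010-03-15 10:22:09 severity=info pri=6 id=vpn_ikev1 src=198.51.100.9 dst=192.0.2.1 msg=IKE phase 1 main mode completed
time=2010-03-15 10:22:11 severity=warning pri=4 id=ips_attack_family src=203.0.113.8 dst=192.168.2.11 rulefam=reconnaissance rulename=port scan rulethreat=Minor timetolive=128
time=2010-03-15 10:22:15 severity=critical pri=1 id=system_system_error srczone=SELF dstzone=SELF errortype=memory_allocation msg=allocation failed
"""

# A value runs until the next " key=" token, so values containing spaces
# (the timestamp, ruledsc, msg) are kept whole.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

SEVERITIES = {"critical", "major", "minor", "warning", "info"}
# rulethreat values from Table C-11, lowest to highest.
THREAT_ORDER = ["Information", "warning", "Minor", "Severe", "Critical"]


def parse_message(line):
    """Split one log line into a dict of field -> value, in the order written."""
    return {key: value for key, value in FIELD_RE.findall(line.strip())}


def parse_log(text):
    """Parse every non-blank line of an exported log."""
    return [parse_message(line) for line in text.splitlines() if line.strip()]


def has_standard_header(record):
    """Check the mandatory leading fields: time, severity, pri in that order,
    a known severity keyword and a priority in 0-7. Lines failing this are
    not TMS zl messages (or were mangled on export) and should be set aside."""
    if list(record)[:3] != ["time", "severity", "pri"]:
        return False
    pri = record["pri"]
    return record["severity"] in SEVERITIES and pri.isdigit() and 0 <= int(pri) <= 7


def filter_by_id(records, keyword):
    """Equivalent of typing id=vpn_ in the Keyword field: keep messages whose
    id (the family name) starts with the keyword."""
    return [r for r in records if r.get("id", "").startswith(keyword)]


def severity_counts(records):
    """Messages per severity level, a first triage view of an export."""
    return dict(Counter(r["severity"] for r in records))


def ips_attack_summary(records):
    """Summarise id=ips_attack_family messages: hits per signature family
    (rulefam) and the highest rulethreat level seen."""
    attacks = filter_by_id(records, "ips_attack_family")
    per_family = dict(Counter(r["rulefam"] for r in attacks))
    highest = max((r["rulethreat"] for r in attacks), key=THREAT_ORDER.index, default=None)
    return {"count": len(attacks), "per_family": per_family, "highest_threat": highest}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("well-formed:", all(has_standard_header(r) for r in records))
    print("severity:", severity_counts(records))
    print("vpn messages:", [r["msg"] for r in filter_by_id(records, "vpn_")])
    print("ips attacks:", ips_attack_summary(records))
```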
IPS: IPS Application Detection Family

Log messages from the IPS application detection family (id=ips_application_detection_family) may also contain these fields: Table C-12.

Layer 2 Bridge

Log messages from the Layer 2 bridge (id=l2br_bridge) contain these fields:
■ destination_macaddress=[aa:bb:cc:dd:ee:ff] The destination MAC address of the packet that triggered this log message
■ portname=[text] The name of the port (interface) on which the packet that triggered this log message was received or was being sent
■ packetlength=[integer] The length of the packet that triggered this log message

Network Access System

Log messages

Network Access System: DHCP Server

Log messages from the DHCP server (id=netacc_dhcp_server) may contain these fields:

Table C-15. DHCP Server Family Fields
Field name (value format): description
interfacename: The interface on which the server has been enabled
leaseinterval (integer): The lease interval in seconds
leaseip ([x.x.x.

■ msg=[text of the message]
■ severity=[critical | major | minor | warning | info]
■ mid=message ID

CLI

Log messages from the command line interface (CLI) (id=cli) contain these fields:
■ date=[YYYY-MM-DD]
■ time=[HH:MM:SS]
■ msg=[text of the message]
■ severity=[critical | major | minor | warning | info]
■ mid=message ID

SSH

Log messages from the open source secure shell (SSH) daemon (id = ssh) are primarily generated when network administrators log
Log Message Abbreviations

Table C-16 lists abbreviations that may be found in the log messages. For an explanation of the log message fields, see "Log Message Formats and Fields" on page C-6.

Table C-16.
Abbreviation: Definition
DIM: dynamic interface management
DOI: domain of interpretation
DPLB: data plane load-balancing
ESN: extended sequence number
ESP: Encapsulation Security Protocol
EXCP: exception
EXTN: external
FD: file descriptor
FIN: finish
FSM: finite state machine
FW: firewall
FW-TRPX: firewall transparent proxy
FWAR: firewall association reservation
FWCS: firewall comp stats
FWD: forward(ing)
FWHA: firewall high availability
FWILP
IPCP: Internet Protocol Control Protocol
IPFRAG: IP fragmentation
IPRATE: IP rate
IPROUTE: IP routing
IPS: intrusion prevention system
IRC: Internet Relay Chat
ISAKMP: Internet Security Association and Key Management Protocol
KE: key exchange
L2: Layer 2
L2FW: Layer 2 firewall
L2TP: Layer 2 Transport Protocol
L3: Layer 3
LB: load-balancing
LCP: Link Control Protocol
MACDB: Media Access Control database
MCAST: multicast
MD5: Mes
NONCE: random number used during IKE negotiation
PAC: PPTP access concentrator
PAP: Password Authentication Protocol
PFS: Perfect Forward Secrecy
PMTU: path maximum transmission unit
PNS: PPTP network server
POLGRP: policy group
PPP: Point-to-Point Protocol
PPTP: Point-to-Point Tunneling Protocol
PRF: preferences
PRTSCN: port scan
PXTR: proxy transport
RADIUS: Remote Access Dial-In User Service
REJ: reject
RIP: Routing Inf
Tx: transmit
UDP: User Datagram Protocol
UPN: user principal name
USERDB: user database
USERGRP: user group
VSRP: Virtual Switch Redundancy Protocol
XAUTH: eXtended AUTHentication
XMAS: Christmas tree scan
Index A access policies … 1-43, 4-22, 4-29, 9-47 advanced … 4-31 basic … 4-29 default access policies … 4-25 delete … 4-39 examples rate-limiting … 4-44 schedule-based … 4-42 unicast … 4-40 for NAT … 5-23 OSPF … 9-47 XAUTH … 7-71 implied deny … 1-48, 4-28 intra-VLAN … 4-27 modify … 4-33 multicast … 1-44 orphaned policies … 4-27 overlapping … 4-37 parameters … 1-45, 4-23 perimeter deployment, for … 1-28 policy groups … 4-22 position … 1-48, 4-28 processing … 1-47, 4-28 rate limiting … 1-47 reevaluate … 4-33
C D certificate CA dashboard … 2-51, 3-34 deep packet inspection … 1-36 default gateway … 1-19, 1-21, 1-24, 1-27, 2-5 configure … 2-58, 3-37 VLAN … 1-27, 2-37 default router … 1-8 defaults … 1-81 access policies … 1-82 management settings … 1-81 denial of service … 6-11 deployment … 1-14 combination monitor mode … 3-6 routing mode … 2-8 internal … 1-14, 1-22 authentication … 1-30 IPS … 1-14 location … 1-15 monitor mode … 3-6 NAT … 1-15 routing mode … 2-7 VPN … 1-15 monitor mode … 3-5 perimeter … 1-22, 1-
E H email forwarding See logging encryption IKE policy … 7-33, 7-83, 7-149, 7-226 keys for manual IPsec … 7-132, 7-286 exploits … 6-11 extended sequence number … 7-22 HA … 1-70 cluster … 8-2 management … 8-11 configure … 8-8 failover … 8-3 IDS/IPS, and … 8-7 operation … 1-72, 8-3 port … 8-2 priority … 8-4 remove member … 8-3 sync … 8-11 VLAN … 1-71 high availability See HA HTTP protocol anomaly … 6-16 F firewall … 1-43, 4-4 ALGs … 4-7, 4-87 attack checking … 4-6, 4-102 circuit-level gateway … 4-6 events
protocol anomaly checks … 6-16 detection … 1-37 sessions … 6-14 signature detection … 1-36, 6-18 download signatures … 6-28 subscription license … 1-37 threat levels … 1-42, 6-33 threats … 1-32 IGMP … 9-57 See also multicast IKE … 7-13 authentication method … 7-32, 7-82, 7-148, 7-225 local gateway client-to-site … 7-30, 7-146 site-to-site … 7-80, 7-223 local ID client-to-site … 7-30, 7-147 site-to-site … 7-81, 7-224 mode … 7-32, 7-82, 7-148, 7-225 phase 1 … 7-13 phase 2 … 7-17 policy configuration L2TP, for
policy client-to-site … 7-55, 7-153 L2TP, for … 7-142 proposal … 7-53, 7-102, 7-123, 7-151, 7-244, 7-279 rekey on overflow … 7-22 SA lifetime … 7-62, 7-111, 7-158, 7-252 view … 7-357 site-to-site firewall access policies for … 7-115 traffic selector … 7-108, 7-129, 7-250, 7-284 L L2TP access policies for … 7-174, 7-411, 7-448, 7-493 authentication protocol … 7-165 configuration tasks … 7-142 dial-in user … 7-163 user group … 7-165 username … 7-165 LED Fault … 10-14 HDD and CF Status … 10-14 Module Status …
NAT … 1-61, 5-2 access policies … 5-14, 5-23, 5-24, 5-25 address objects … 5-14 address pool … 5-2 destination … 1-62, 5-6 configure … 5-18 IP address … 5-7 one-to-one … 1-62, 5-15 packet flow … 5-13 dropped packets … 5-6 examples … 5-25 destination policy … 5-38 exclusion policy … 5-42 inside the LAN … 5-25 limited pool … 5-35 many-to-one source policy … 5-31 network merger … 5-25 port forwarding … 5-38 port translation … 5-38 single internet address … 5-31 source policy … 5-25, 5-31, 5-35 exclusion … 5-10
packet fragmentation See IP reassembly passwords dial-in user … 7-165 L2TP … 7-165 management … 2-60, 3-40 SCEP … 7-49, 7-100, 7-242 SNMPv1/v2c … 2-78, 3-56 SNMPv3 … 2-80, 3-58 user … 4-62 XAUTH … 7-84, 7-227, A-123 PAT See NAT PCM+, integration with … 2-55 persistent tunnel … 7-22 PIM-SM See routing ping … 2-87, 3-59 policy violations … 6-6 polymorphism … 1-39 POP3 protocol anomaly … 6-17 port address translation See NAT port maps … 1-39, 4-84, 6-17 configure … 4-85, 4-86, 6-21 default mappings … 1-40, 4-8
RIP … 1-67, 9-15 See also OSPF See also RIP static … 1-67, 9-4 switch, on the … 1-17 tables … 9-53, 9-60 to an external network with the host switch … 2-38 with the module … 2-37 routing mode … 1-7, 2-4 deployment … 2-5 features … 2-4 IPS … 6-15 packet flow … 1-73, 4-8 ports … 1-10, 2-15 traffic flow … 1-78 RPC protocol anomaly … 6-17 running configuration file … 2-49, 3-32 S SA … 7-11 flush … 7-359 lifetime, IKE … 7-33, 7-83, 7-150, 7-226 lifetime, IPsec … 7-62, 7-111, 7-158, 7-252 maximum per policy … 7-
V Z viruses … 6-7 VLANs associate with zone … 1-21, 1-26, 2-8 best practices … 1-28 guest … 2-11 host switch … 1-17 management … 3-24 non-TMS … 2-12 OSPF … 9-43 VPN … 1-64 certificate for … 7-35, 7-87, 7-229 client HP ProCurve … 7-366 Macintosh … 7-378 Windows Vista … 7-448 Windows XP … 7-396 GRE over IPsec … 7-208, 7-265 internal … 1-15 IPsec … 7-27, 7-76, 7-122 L2TP … 7-142 perimeter deployment … 1-24 remote access … 1-15 routing for … 7-121, 7-139 See also GRE See also IPsec See also L2TP type client-t