HP ProCurve Threat Management Services zl Module Management and Configuration Guide
HP ProCurve Threat Management Services zl Module October 2010 ST.1.2.
© Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Contents

1 Overview
    Contents                                                             1-1
    Overview                                                             1-4
    Hardware Overview                                                    1-4
        Installation                                                     1-5
        Internal Ports
    Access Control with Authentication                                   1-29
        Use Models for Access Control with Authentication                1-29
        Deployment Location for Access Control with Authentication       1-30
        Deployment Tasks for Access Control with Authentication          1-30
    Deployment Models for Monitor Mode—Threat Detection                  1-32
        Deployment Location
    Virtual Private Network (VPN)                                        1-64
        VPN Protocols                                                    1-64
            IPsec                                                        1-64
            L2TP over IPsec                                              1-65
            GRE

2 Initial Setup in Routing Mode
    Contents                                                             2-1
    Overview                                                             2-4
        Routing Mode                                                     2-4
        Deploying the TMS zl Module
    Configure Management Access Settings                                 2-32
    Access the Web Browser Interface                                     2-41
        Firefox 3.x                                                      2-41
        Internet Explorer 7 or 8                                         2-43
        Log in to the TMS zl Module Web Browser Interface
    Configure SNMP Settings                                              2-86
        Configure SNMPv1/v2c Settings                                    2-86
        Configure SNMPv3 Settings                                        2-88
    Manage the TMS zl Module Through HP ProCurve Manager Plus
        and Network Immunity Manager                                     2-89
    Ping Utility

3 Initial Setup in Monitor Mode
    Initial Setup                                                        3-9
        Access the TMS zl Module’s CLI                                   3-9
        Ensure That the Host Switch Recognizes the TMS zl Module         3-10
            Understanding Index Numbers                                  3-11
        Access the TMS zl Module Services OS Context                     3-12
        Activate the TMS zl Module
    Configuring Event Logging                                            3-51
        Log Settings                                                     3-51
            Log Severity                                                 3-52
            Log Threshold Monitor                                        3-52
            Log Throttling

4 Firewall
    Contents                                                             4-1
    Overview                                                             4-4
    General Firewall Concepts                                            4-4
        Advantages of an Integrated Firewall                             4-5
        Stateful Firewall
    User Authentication                                                  4-47
        RADIUS Authentication Concepts                                   4-47
            Authentication                                               4-48
            Authorization                                                4-52
            Using HP IDM with RADIUS Servers
    Attack Checking                                                      4-104
        Attack Check Descriptions                                        4-105
            ICMP Replay                                                  4-105
            ICMP Error Messages                                          4-105
            SYN Flooding

5
    Destination NAT                                                      5-6
        One-to-One Translation (IP Address Only)                         5-7
        Many-to-One Translation (IP Address Only)                        5-7
        Port Forwarding (for One-to-One or Many-to-One)                  5-8
        Port Address Translation (PAT) (for One-to-One or Many-to-One)

6 Intrusion Detection and Prevention
    Attack Types                                                         6-6
        Policy Violations                                                6-7
        Cross-Site Scripting (XSS)                                       6-7
        SQL Injection                                                    6-7
        Viruses and Worms

7 Virtual Private Networks
    Contents                                                             7-1
    Introduction                                                         7-6
    IPsec Concepts                                                       7-9
        IPsec Headers
    Configure an IPsec Client-to-Site VPN                                7-27
        Create an IKE Policy for a Client-to-Site VPN                    7-28
        Install Certificates for IKE                                     7-36
            Install Certificates Manually                                7-36
            Install Certificates Using SCEP
        Configure L2TP User Authentication                               7-165
            Configure Local L2TP Authentication                          7-165
            Configure L2TP Authentication to an External RADIUS Server   7-170
        Create Access Policies for an L2TP over IPsec VPN                7-177
        Verify Routes for the L2TP over IPsec VPN
        Create an IPsec Policy for a GRE over IPsec VPN That Uses IKE    7-249
        Create Access Policies for a GRE over IPsec VPN That Uses IKE    7-258
            Unicast Access Policies                                      7-260
            Multicast Access Policies                                    7-265
    Configure a GRE over IPsec VPN with Manual Keying                    7-267
        Create Named Objects (Optional)
    Redundant GRE Tunnels                                                7-330
        Create the Primary GRE Tunnel for Site A                         7-335
        Create the Secondary GRE Tunnel for Site A                       7-336
        Create Named Objects for Site A                                  7-338
        Configure Firewall Access Policies for Site A                    7-342
        Configure Routes for Site A
    Configure a Windows Vista Client for L2TP over IPsec                 7-452
        TMS zl Module Settings for a Windows Vista Client                7-493
    Configure a Shrew Soft VPN Client for Windows                        7-498
        TMS zl Module Settings for a Client-to-Site VPN with
        Shrew Soft VPN Clients                                           7-512

8 High Availability
    Contents                                                             8-1
    Overview

9 Routing
    Contents                                                             9-1
    Routing Overview                                                     9-3
    Static Routing                                                       9-4
        Floating Static Routes                                           9-5
        Configuring Static Routes
    OSPF Authentication
    Configuring OSPF
        OSPF Configuration Considerations
        Enable OSPF
        Set the Router ID

10
    Troubleshooting Problems with the Installation and Boot Process      10-17
        Monitor the Front-Panel LEDs                                     10-17
        View or Monitor the TMS zl Module’s Status from the CLI          10-18
        Resolve Specific Issues Related to the Installation and
        Boot Process                                                     10-21
    Troubleshooting the TMS zl Module in Routing Mode
    Troubleshooting Routing                                              10-112
        Static Routes                                                    10-112
        RIP                                                              10-112
        OSPF                                                             10-113
    Troubleshooting High Availability

A
    Services OS Operator Context Commands                                A-14
        exit                                                             A-15
        page                                                             A-15
        ping                                                             A-15
        show
        page                                                             A-30
        ping                                                             A-30
        snapshot                                                         A-31
        traceroute                                                       A-31
    Product OS Manager Context Commands
        certificates                                                     A-56
            certificates generate                                        A-56
            certificates import                                          A-58
            certificates scep                                            A-59
            no certificates
        ips                                                              A-77
            ips enable                                                   A-77
            ips disable                                                  A-77
            ips full-inspection                                          A-78
            ips inspection-depth
        nat                                                              A-96
            nat destination                                              A-96
            nat no-nat                                                   A-97
            nat source                                                   A-97
            no nat
        vlan ip ospf                                                     A-117
        vlan zone                                                        A-118
        vpn                                                              A-119
        write                                                            A-119
        zone
    IPsec Policy Bypass Context                                          A-152
        apply                                                            A-153
        direction                                                        A-153
        traffic-selector                                                 A-154
        preview
    VLAN Context                                                         A-182
        ip address                                                       A-183
        ip igmp                                                          A-183
        ip ospf                                                          A-183
        no ip ospf
        show ipsec                                                       A-199
        show l2tp                                                        A-200
        show lldp                                                        A-201
        show logging                                                     A-201
        show management

C
    Log Message Formats and Fields                                       C-6
        Firewall                                                         C-6
            Firewall: Access Control                                     C-6
            Firewall: Application Filters                                C-8
        High Availability Cluster
Overview

The HP Threat Management Services (TMS) zl Module detects and mitigates threats from both internal and external sources. The module supports multiple capabilities for managing threats, which you can enable in various combinations.

Hardware Overview

Installation

The TMS zl Module is installed in an HP 5400zl or 8200zl Switch Series using software K.13.55 or above. On the 5400zl switches and the 8212zl switch, you can install up to four TMS zl Modules in the same chassis as long as no more than two are in an HA cluster. (If you attempt to install a fifth module, that module will not boot.) On the 5406zl and 8206zl switches, you can install up to two TMS zl Modules in the same chassis.

Hardware Specifications

The TMS zl Module has the following hardware specifications:
■ CPU—Intel 2.2 GHz
■ RAM—4 GB
■ Hard drive—250 GB, including 38 GB for image storage

Performance

Consult the data sheet for the TMS zl Module at www.hp.com/go/procurve/library.

Operating Modes

The TMS zl Module supports two operating modes:
■ Routing mode
■ Monitor mode

Routing Mode

In routing mode, the TMS zl Module routes all traffic that needs to be secured. As it routes the traffic, it applies the security features that you have configured—IPS policies, firewall attack checks, firewall access policies, NAT policies, and VPN policies.

Figure 1-1. Logical Operation of the TMS zl Module in Routing Mode

You must set up your network infrastructure so that the TMS zl Module acts as a router for all VLANs on which you want to manage threats. You assign the module an IP address on these VLANs so that it can route and filter their traffic; these VLANs are then called TMS VLANs. Generally, the TMS zl Module acts as the default router for all endpoints in a TMS VLAN.

Figure 1-2. Traffic Managed by the TMS zl Module

In this example, you can see that traffic between the server in VLAN 10 and the Internet passes through the module, as does traffic between VLAN 30 and VLAN 40. In addition, traffic from the Internet to the server in VLAN 10 is filtered by the module. However, traffic between the two nodes in VLAN 20 is forwarded directly by the switch at Layer 2, thereby bypassing the module.

Internal Ports in Routing Mode

As mentioned earlier, the TMS zl Module has two internal ports. If you select routing mode, the two internal ports operate as follows:
■ Port 1—This port sends and receives all network traffic that is being filtered by the TMS zl Module. It also sends and receives all management traffic.
■ Port 2—This port sends and receives traffic related to an HA cluster (if one is configured on the TMS zl Module).

Internal Ports in Monitor Mode

In monitor mode, the two internal ports operate differently than they do in routing mode.
■ Port 1—This port is used for data that is to be analyzed for threats. When operating in monitor mode, the data that the TMS zl Module receives on this port is mirrored traffic.
■ Port 2—This port is used for management traffic.

The 5400zl or 8200zl switch in which the module is installed also supports remote mirroring. If other switches in your network support remote mirroring as well, you can send traffic from these switches to be analyzed by the TMS zl Module.

Zones

In routing mode, the TMS zl Module uses zones to control traffic. Zones are logical groupings of TMS VLANs that have similar security needs or levels of trust.

Access Control Zones

The TMS zl Module supports nine access control zones, which have the following names and intended purposes:
■ Internal—your private network
■ External—the Internet or other untrusted networks
■ DMZ—demilitarized zone; publicly accessible servers that are logically located between the private network and the external network
■ Zone1 through Zone6—any user-defined purpose, as needed

With the exception of the External zone, you can rename the access control zones ac
Deployment Options for Routing Mode—Threat Protection

However, if you plan to create many different policies for different TMS VLANs, it might be easier to associate the VLANs with different zones.

control how users access the resources—for example, how much bandwidth is devoted to particular types of traffic or even when certain resources are accessed. According to your needs, you can enable either the IPS or the firewall or both.

Internal VPN. You might implement a client-to-site VPN within the internal network when you have resources that require particularly strong protection.

Figure 1-4. Internal Deployment of the TMS zl Module

Deployment Tasks for Internal Threat Protection

You must complete these tasks to deploy a TMS zl Module that provides internal threat protection:
1. As you deploy the TMS zl Module, you may cause network outages. You should complete these steps during a scheduled network outage at the network’s lowest utilization time.
3. Verify that the host switch’s configuration includes every VLAN that you want to route through the module—whether you want to control traffic that is forwarded on that VLAN, that originates from that VLAN, or both.
4. Remove all IP addresses on the selected VLANs from the host switch except the switch’s management address.

Figure 1-5. Plan for Zones

9. Select at least one zone from which you will manage the TMS zl Module. Add a VLAN to this zone and assign the module an IP address on the VLAN’s subnet. Enable management access for this zone. In Figure 1-5, the management station is on VLAN40 (subnet 10.1.40.0/24), which you have planned to place in Zone1. On the TMS zl Module, you would associate VLAN40 with Zone1 and assign the module the IP address 10.1.40.
10. Configure the default gateway for the module. The default gateway is usually one of these devices: the host switch, a core switch, or an external router. Follow these steps:
   a. Determine the TMS VLAN on which the TMS zl Module connects to its default gateway:

Figure 1-6.

Figure 1-7. External Router as Default Gateway

      – If an external router is the default gateway, this VLAN is the TMS VLAN on which the host switch connects to the external router. If this VLAN does not already exist on the host switch, extend the VLAN to the switch.
   b. On the TMS zl Module, associate this VLAN with a zone (External is recommended).

step 9. Later, you can associate other VLANs with this zone and manage the module from those TMS VLANs. You can also enable management access on other zones.
11. Add more TMS VLANs. That is, associate each VLAN with a zone and configure an IP address on the TMS zl Module for each TMS VLAN. When you associate a VLAN with a zone, the module’s data port (port 1) is automatically tagged for that VLAN.

Figure 1-8.

should also verify that DHCP scopes or pools on your network’s DHCP servers include the TMS zl Module’s IP addresses as the default gateways for endpoints on those TMS VLANs. The TMS zl Module in Figure 1-8 has the following IP addresses on its TMS VLANs, which are also the default gateway addresses for those VLANs:
• VLAN20—10.1.20.99
• VLAN30—10.1.30.99
• VLAN40—10.1.40.99
• VLAN50—10.1.50.

15. Optionally, configure NAT to translate addresses between TMS VLANs. For example, you could follow these steps to configure NAT between TMS VLANs in the Internal zone and a guest TMS VLAN in Zone2:
   a. The guests have IP addresses in a private subnet that is not used in the rest of the private network.
   b. Configure a Zone2-to-Internal NAT policy that applies source NAT to guest IP addresses.

to particular types of traffic. For example, you could limit the number of connections to your Web server to 300 and the number of connections to your FTP server to 50. Furthermore, you can configure policies to apply only during certain hours of the day. For example, you can configure a policy so that it applies only during office hours.
Figure 1-9. Perimeter Deployment of the TMS zl Module

Deployment Tasks for Perimeter Threat Protection

You must complete these tasks to deploy your TMS zl Module to provide perimeter threat protection:
1. As you deploy the TMS zl Module, you may cause network outages. You should complete the following steps when the network is inactive.
4. On the host switch, remove the IP address from the VLAN that connects to the external router. If the host switch is the router for the internal network, leave its other IP addresses intact.

Note: If you want the TMS zl Module to provide internal protection as well as perimeter protection, you should remove all IP addresses from the host switch except its management address and make the TMS zl Module the router for the internal network.

9. Configure the default gateway for the module. When the TMS zl Module provides perimeter protection, the default gateway is typically an external router:
   a. On the TMS zl Module, associate the VLAN on which the module connects to the default gateway with a zone (External is recommended). Assign the module an IP address on this VLAN—typically, assign the module the IP address that you removed from the host switch.

• For perimeter and internal protection, route internal traffic on the TMS zl Module.
   i. Extend internal VLANs to the host switch but remove IP addresses on those VLANs from the switch.
   ii. Associate the internal VLANs with zones on the TMS zl Module (the Internal zone or Zone1 to Zone6) and assign the module a valid IP address on each VLAN. Typically, assign the module the IP addresses that you removed from the host switch.

15. Optionally, configure the TMS zl Module as a VPN gateway. You can create site-to-site and client-to-site VPNs. See “Virtual Private Network (VPN)” on page 1-64 for an overview and Chapter 7: “Virtual Private Networks” for detailed instructions.
16. Optionally, configure the TMS zl Module as a member of an HA cluster with another TMS zl Module. See “Overview” in Chapter 8: “High Availability” for an overview and for detailed instructions.

Local User Authentication. You could also have all internal users authenticate to the TMS zl Module (or to an external RADIUS server through the module). You could then apply different access policies to the users based on their identity.

VPN User Authentication. Another use for the module’s authentication capability is to authenticate VPN users. The users log in with XAUTH or with L2TP.

2. Configure authentication:
   a. Create user groups.
   b. Configure the credential repository in one of these ways:
      – Create accounts on the local database.
      – Configure proxy to another RADIUS server. On that RADIUS server, add the TMS zl Module as a client. Create policies on the RADIUS server to authenticate the users and assign them to the correct groups.
   See “User Authentication” in Chapter 4: “Firewall” for detailed instructions.
Overview Deployment Models for Monitor Mode—Threat Detection Deployment Models for Monitor Mode— Threat Detection In monitor mode, the TMS zl Module can detect known DoS attacks, exploits, worms, viruses, and other threats that are launched by external or internal users (users who have been allowed access to the network). It logs the attack internally and can forward the log to a syslog server, to an SNMP server, to an SNMP trap server, or as an email.
Overview Deployment Models for Monitor Mode—Threat Detection 3. Access the TMS zl Module’s CLI through the host switch’s CLI. 4. Install the HP TMS zl Module Product License and the HP IPS-subscription License. For more detailed instructions on this step, see “Activate the TMS zl Module” in Chapter 3: “Initial Setup in Monitor Mode.” 5. Set the TMS zl Module’s operating mode to monitor mode.
Overview Named Objects Named Objects The TMS zl Module supports named objects for greater ease of configuration. A named object is a logical “container” that can be used in firewall access policies, NAT policies, port triggers, and IPsec policy traffic selectors to represent one or more addresses, one or more services, or a schedule.
Overview Named Objects For example, rather than manually specify the IP address of your Web server in multiple policies, you can create an object named WebServer with the Web server’s IP address. You can then specify the WebServer object every time that you create a policy for controlling access to the Web server. If the IP address of the Web server changes you can edit the address object, and the change will propagate through all of the policies that include the object.
IDS/IPS

The TMS zl Module can act as an IDS, which detects worms, denial of service (DoS) attacks, and other threats. In routing mode, the TMS zl Module can also function as an IPS, which mitigates these threats as well as detects them.

Threat Detection

When it functions as either an IDS or an IDS/IPS, the TMS zl Module detects threats in all traffic received on its data port (port 1).
IPS Subscription. The TMS zl Module requires a subscription to download and update IDS/IPS signatures.
■ SMTP
  • Ensure that the command line does not exceed 512 bytes
  • Check the recursive boundary depth in SMTP data
  • Check for a header length that exceeds the maximum limit (user-configurable)
■ FTP
  • Ensure that the command line does not exceed 512 bytes
■ IMAP
  • Check for malformed requests (the command line lacks the proper tag, command, and so forth)
■ POP3
  • Ensure that the command line does not exceed 512 bytes
■ DNS
  • Check for a DNS reply without a valid
Unlike signature-based detection, protocol anomaly detection does not require a specific signature for each attack. Therefore, it can detect undocumented or zero-day attacks, which helps to eliminate the window of vulnerability during the first hours or days after an exploit is launched. In addition, signature-based detection can miss threats when an attacker varies the threat from the known pattern, using polymorphism or other evasion techniques.
Table 1-5.
Note
The TMS zl Module’s firewall ALGs also use the port map to identify traffic types.

Threat Mitigation

In routing mode, when the TMS zl Module acts as an IPS (a function that you must enable manually), it can mitigate threats. When the module detects a threat, it creates a log entry and takes one of these actions:
■ Terminate the session—The TMS zl Module closes the session with the offending traffic. It drops all traffic that is associated with the session.
■ Which actions are taken—Each signature or protocol anomaly is assigned one of five severity levels:
  • Critical
  • Severe
  • Minor
  • Warning
  • Informational
You choose the threat mitigation action for each severity level. See “Configure IDS/IPS” on page 6-20 of Chapter 6: “Intrusion Detection and Prevention.”
Firewall

In routing mode, the TMS zl Module firewall filters traffic that it routes between TMS VLANs. (A TMS VLAN is a VLAN that you have assigned to a zone.)
■ The packet’s source and destination zones. A packet’s source zone is the zone of the TMS VLAN on which the TMS zl Module receives the packet. This TMS VLAN might be the source device’s own VLAN, or it might be the VLAN of the router that routed the traffic to the module. The destination zone is the zone of the TMS VLAN on which the packet is forwarded (which the module determines using its routing table).
Access Policy Settings

In particular, an access policy includes these settings:
■ Permit (forward) or deny (drop) matching traffic
■ Source zone and destination zone
■ Header values against which the packet is matched:
  • Service (protocol or protocol and destination port)
  • Source IP address or source DNS name. The TMS zl Module can resolve the IP address for a DNS name and match the policy to packets with that source address.
If a packet matches a policy but the packet arrives at a time when the policy is inoperable, the packet is dropped. If an access policy does not have a schedule, the policy applies at all times.

Caution
The TMS zl Module derives its time information from the host switch. If the time and date are not correct on the switch, scheduled access policies will not be properly applied.
You can do so by forcing the MSS for the connection to be small enough that any additional headers added by the TMS zl Module do not cause the frame to exceed the MTU.

Rate Limiting. Instead of simply permitting or denying all traffic that matches an access policy, the TMS zl Module can control the traffic in a more nuanced way. It can limit the number of sessions and the amount of bandwidth devoted to the permitted traffic.
Within these policies, the module starts with the policy that has the highest position (lowest numerical value). For example, it will match a packet against Internal-to-External access policy 1 before it matches it to Internal-to-External access policy 2. The module takes the action that is specified in the first policy that the packet matches. It then stops processing policies. If the packet never matches a policy, the module drops it.
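A small model of the evaluation order just described, as an added example (not HP code and not the module’s implementation): the VLAN-to-zone map, the Policy and Packet structures, the sample policy set, and the "HH:MM" clock strings are constructed for illustration. It also applies the schedule rule above: a match outside the policy’s schedule is dropped, and no match at all is an implicit drop.

```python
"""Model of TMS zl Module access-policy evaluation: first match by position
wins, a match outside its schedule is dropped, no match is dropped.
Added example; all structures and sample data below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed VLAN-to-zone assignment (a TMS VLAN is a VLAN assigned to a zone).
VLAN_ZONE = {3: "Internal", 5: "Internal", 7: "Zone1", 9: "DMZ", 99: "External"}


@dataclass
class Schedule:
    """Policy is operable from start to end (inclusive), as zero-padded "HH:MM".
    The real module takes its clock from the host switch; here it is a string."""
    start: str
    end: str

    def active(self, clock: str) -> bool:
        return self.start <= clock <= self.end


@dataclass
class Policy:
    position: int                   # lowest number is evaluated first
    action: str                     # "permit" or "deny"
    service: str                    # "any", "<proto>" or "<proto>/<dport>"
    src: str = "any"                # "any" or a CIDR prefix
    dst: str = "any"
    schedule: Optional[Schedule] = None


@dataclass
class Packet:
    in_vlan: int                    # VLAN the packet arrived on (source zone)
    out_vlan: int                   # forwarding VLAN from the routing table
    proto: str
    dport: int
    src_ip: str
    dst_ip: str
    clock: str                      # arrival time as "HH:MM" (constructed)


def _addr_match(rule: str, ip: str) -> bool:
    return rule == "any" or ip_address(ip) in ip_network(rule, strict=False)


def _service_match(rule: str, pkt: Packet) -> bool:
    if rule == "any":
        return True
    proto, _, port = rule.partition("/")
    return proto == pkt.proto and (port == "" or int(port) == pkt.dport)


PolicySet = Dict[Tuple[str, str], List[Policy]]


def evaluate(policies: PolicySet, pkt: Packet) -> str:
    """Return "permit" or "drop" for pkt.

    policies maps (source zone, destination zone) to that zone pair's
    access policies. Policies are walked from lowest position upward; the
    first match decides and processing stops.
    """
    src_zone = VLAN_ZONE.get(pkt.in_vlan)
    dst_zone = VLAN_ZONE.get(pkt.out_vlan)
    candidates = sorted(policies.get((src_zone, dst_zone), []),
                        key=lambda p: p.position)
    for pol in candidates:
        if not (_service_match(pol.service, pkt)
                and _addr_match(pol.src, pkt.src_ip)
                and _addr_match(pol.dst, pkt.dst_ip)):
            continue
        if pol.schedule is not None and not pol.schedule.active(pkt.clock):
            return "drop"           # matched, but the policy is inoperable now
        return "permit" if pol.action == "permit" else "drop"
    return "drop"                   # implicit drop when nothing matches


# Constructed Internal-to-DMZ policy set: a narrow deny placed before a broad
# permit, plus a scheduled permit for a single server.
POLICIES: PolicySet = {
    ("Internal", "DMZ"): [
        Policy(2, "permit", "tcp/80"),
        Policy(1, "deny", "tcp/80", src="10.1.3.0/24"),
        Policy(3, "permit", "tcp/22", dst="10.1.9.22/32",
               schedule=Schedule("08:00", "18:00")),
    ]
}


def decide_samples() -> Dict[str, str]:
    """Run constructed packets through POLICIES; returns name -> decision."""
    samples = {
        "vlan3_http_denied_by_pos1": Packet(3, 9, "tcp", 80, "10.1.3.5", "10.1.9.22", "12:00"),
        "vlan5_http_permitted_by_pos2": Packet(5, 9, "tcp", 80, "10.1.5.5", "10.1.9.22", "12:00"),
        "ssh_in_schedule": Packet(5, 9, "tcp", 22, "10.1.5.5", "10.1.9.22", "12:00"),
        "ssh_out_of_schedule": Packet(5, 9, "tcp", 22, "10.1.5.5", "10.1.9.22", "22:00"),
        "ssh_other_host_no_match": Packet(5, 9, "tcp", 22, "10.1.5.5", "10.1.9.23", "12:00"),
        "zone1_no_policies": Packet(7, 9, "tcp", 80, "10.1.7.5", "10.1.9.22", "12:00"),
    }
    return {name: evaluate(POLICIES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, decision in decide_samples().items():
        print(f"{name}: {decision}")
```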
Figure 1-11. Outbound Connection Reservation

Connection reservations can also be for inbound connections from a zone, in which case they reserve connections for any source address in that zone to particular destinations and applications. For example, in Figure 1-12, 100 connections have been reserved for sessions between any user in Zone1 and the server at 10.1.2.22.
Figure 1-12.
Table 1-6.
Connection Reservation Examples

To better understand how connection reservations function, read the examples below.

Outbound Example. In an outbound reservation, you are reserving connections from the specified IP address or addresses to the specified zone. Suppose that there are four zones, and each zone has a connection limit of 10,000. The global maximum connections limit is therefore 40,000 (4 x 10,000).

Figure 1-13.
The following is therefore true:

Figure 1-14. Outbound Connection Reservation Implication

■ When the total active connection threshold of 39,500 (40,000 – 500) is reached, the module will not permit any more connections—unless the connections are initiated by hosts with IP addresses in the 10.1.1.11 to 10.1.1.60 range outbound to the External zone.

Figure 1-15.
Figure 1-16. Outbound Connection Reservation Implication

■ If the current connection count from Zone1 is 10,500 (500 connections of which are reserved), and 500 non-reserved connections are closed, then the Zone1 limit will revert to its original limit of 10,000. At this point the Zone1 maximum connection threshold (10,000) already provides for the reserved connections. Any other new connections from Zone1 will not be successful.
Figure 1-17. Inbound Connection Reservation

In this example, a connection reservation count of 100 has been configured for one IP address: 10.1.2.22. The reservation count is 100 (100 x 1) connections from Zone1 to the IP address 10.1.2.22.
The following is therefore true:

Figure 1-18. Inbound Connection Reservation Implication

■ When the total active connection threshold of 39,900 (40,000 – 100) is reached, the module will not permit any more connections unless the connections are destined for the server at 10.1.2.22 from Zone1.

Figure 1-19.
Figure 1-20. Inbound Connection Reservation Implication

■ If the current connection count from Zone1 is 10,100 (100 of which are to 10.1.2.22), and if 100 non-reserved connections in Zone1 are closed, then the Zone1 limit will revert to its original limit of 10,000. At this point the Zone1 maximum connections (10,000) includes the reserved connections. Any other new connections from Zone1 to any zone will not be successful.
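The global threshold arithmetic from the outbound (Figure 1-14) and inbound (Figure 1-18) scenarios, carried through in code as an added example (not HP code). Assumptions: the Reservation and ConnectionTable classes and the session identifiers are invented; a connection that matches a reservation consumes a reserved slot while any remain and is otherwise treated as ordinary traffic; per-zone limits only contribute to the global maximum, so the Zone1 limit behaviour of Figures 1-16 and 1-20 is not modelled.

```python
"""Global connection-limit accounting with connection reservations, as in the
outbound and inbound examples above. Added example with constructed data."""
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


class Reservation:
    """Reserves per_address connections for each address in the reservation.

    Outbound: connections from src_range (inclusive IP range) to dst_zone.
    Inbound:  connections from src_zone to the single address dst_ip.
    Reserved slots = per_address x number of addresses (the "100 x 1"
    arithmetic used in the text).
    """

    def __init__(self, per_address: int, src_range: Optional[Tuple[str, str]] = None,
                 dst_zone: Optional[str] = None, src_zone: Optional[str] = None,
                 dst_ip: Optional[str] = None) -> None:
        self.src_range = src_range
        self.dst_zone = dst_zone
        self.src_zone = src_zone
        self.dst_ip = dst_ip
        if src_range is not None:
            lo, hi = (int(ip_address(a)) for a in src_range)
            n_addresses = hi - lo + 1
        else:
            n_addresses = 1
        self.count = per_address * n_addresses
        self.in_use = 0

    def matches(self, src_ip: str, src_zone: str, dst_ip: str, dst_zone: str) -> bool:
        if self.src_range is not None:
            lo, hi = (ip_address(a) for a in self.src_range)
            return lo <= ip_address(src_ip) <= hi and dst_zone == self.dst_zone
        return src_zone == self.src_zone and dst_ip == self.dst_ip


class ConnectionTable:
    """Global connection accounting (assumption: zone limits are only summed)."""

    def __init__(self, zone_limits: Dict[str, int], reservations: List[Reservation]) -> None:
        self.global_max = sum(zone_limits.values())      # e.g. 4 x 10,000 = 40,000
        self.reservations = reservations
        self.sessions: Dict[str, Optional[Reservation]] = {}   # id -> reservation used

    @property
    def active(self) -> int:
        return len(self.sessions)

    @property
    def unreserved_threshold(self) -> int:
        # Ordinary traffic may use everything except the reserved slots.
        return self.global_max - sum(r.count for r in self.reservations)

    def open(self, sid: str, src_ip: str, src_zone: str, dst_ip: str, dst_zone: str) -> bool:
        """Admit a new connection; returns True if it was permitted."""
        for r in self.reservations:
            if r.matches(src_ip, src_zone, dst_ip, dst_zone) and r.in_use < r.count:
                if self.active >= self.global_max:   # never exceed the global maximum
                    return False
                r.in_use += 1
                self.sessions[sid] = r
                return True
        if self.active >= self.unreserved_threshold:  # 39,500 or 39,900 in the text
            return False
        self.sessions[sid] = None
        return True

    def close(self, sid: str) -> None:
        r = self.sessions.pop(sid)
        if r is not None:
            r.in_use -= 1


ZONE_LIMITS = {"Internal": 10_000, "External": 10_000, "DMZ": 10_000, "Zone1": 10_000}


def outbound_scenario() -> ConnectionTable:
    """Figure 1-13: 10 connections reserved for each of 10.1.1.11-10.1.1.60
    (50 addresses) outbound to External, i.e. 500 reserved slots."""
    res = Reservation(10, src_range=("10.1.1.11", "10.1.1.60"), dst_zone="External")
    return ConnectionTable(ZONE_LIMITS, [res])


def inbound_scenario() -> ConnectionTable:
    """Figure 1-17: 100 connections reserved from Zone1 to 10.1.2.22."""
    res = Reservation(100, src_zone="Zone1", dst_ip="10.1.2.22")
    return ConnectionTable(ZONE_LIMITS, [res])


if __name__ == "__main__":
    tbl = outbound_scenario()
    print("outbound threshold:", tbl.unreserved_threshold)   # 39500
    print("inbound threshold:", inbound_scenario().unreserved_threshold)  # 39900
```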
Table 1-7.
Table 1-8.
Firewall Troubleshooting

You can troubleshoot the firewall from the CLI.
Firewall Event Severity

Each event has an associated severity level. From greatest to least severity, these levels are as follows:
■ Critical—Error may lead to failure
■ Major—Error may lead to failure or faulty functioning
■ Minor—Error may lead to faulty functioning
■ Warning—Error should be corrected
■ Information—Notification of significant events

Network Address Translation (NAT)

In routing mode, the TMS zl Module can apply NAT to network traffic.
  • Many-to-many. The module assigns each local device that attempts to reach the destination network a separate IP address in that network. A range of new IP addresses is available. When every IP address in the range has been assigned to a local device, additional local devices cannot reach the destination network.
■ Destination NAT. With destination NAT, the TMS zl Module translates the destination IP address of a packet to a new IP address.
Note
The information above is simply intended to inform you of the module’s capabilities. When you configure NAT, you do not need to determine the specific type of source or destination NAT that you require. Once you configure the source, destination, and NAT addresses, the Web browser interface handles the configuration.

You can also configure NAT policies that exclude specific addresses. For example, you have configured source NAT for all traffic from 10.1.1.
Virtual Private Network (VPN)

The TMS zl Module can act as a VPN gateway. You should use the VPN functionality when you want to protect traffic from eavesdropping and from tampering. Typically, such protection is necessary when the traffic passes through an untrusted network such as the Internet or a wireless network that does not offer encryption. You can also create VPNs inside your private network to protect sensitive information from all but authorized users.
L2TP over IPsec

Microsoft VPN clients use Layer 2 Tunneling Protocol (L2TP) over IPsec to establish VPN connections. The TMS zl Module can act as a gateway for these endpoints, allowing them remote access to the private network. L2TP users must authenticate to gain access. The module can authenticate the users locally or to an external RADIUS server. L2TP tunnels data, but it does not secure it.
Overview Virtual Private Network (VPN) The two gateways secure traffic and forward it over the tunnel on behalf of the endpoints that are behind each gateway. The traffic is only protected between the two gateways, not between an endpoint and its own gateway. Most commonly, a site-to-site VPN connects two sites (such as a main office and a branch office) through a public, untrusted network such as the Internet. The Internal zone traffic at each site is assumed not to require encryption.
Routing

When it operates in routing mode, the TMS zl Module must be able to route the traffic that it is filtering and analyzing for threats. The module’s VPN capabilities also require the module to know the correct routes. The module supports these routing capabilities:
■ Static routing
■ Routing Information Protocol (RIP)
■ Open Shortest Path First (OSPF)
The TMS zl Module supports up to 10,000 total route entries, including static and dynamic routes.
Overview Routing By default, the TMS zl Module does not redistribute routes to its own connected interfaces. In other words, the module only advertises routes to the interfaces on which you enable RIP. However, you can configure the module to redistribute connected routes as well as static routes and routes discovered through OSPF. You can configure the metric for redistributed routes, but all types of redistributed routes have the same metric.
Depending on your needs, the TMS zl Module can be configured to act in any of these roles:
■ Area Border Router (ABR). The TMS zl Module has one or more interfaces in the backbone area as well as one or more interfaces in other areas. The module acts as the router for inter-area traffic.
■ Internal router. The module has interfaces in one area only.
■ Autonomous System Border Router (ASBR). The module is either an internal router or an ABR.
Multicast Routing

The TMS zl Module supports Internet Group Management Protocol (IGMP), which allows endpoints to join multicast groups and receive traffic that is destined to specific multicast addresses. You enable IGMP per-interface. The TMS zl Module also supports routing multicast traffic between TMS VLANs and across GRE tunnels. You must select the interface on which multicast routing is enabled.
The master manages the cluster, has an IP address on each TMS VLAN, and receives all traffic for data processing. The participant stands by in case the master fails. It has a virtual IP address on each TMS VLAN, which matches the real IP address for those VLANs on the master.

HA VLAN

HA cluster members communicate on the HA VLAN, which is configured on each member’s internal port 2. Each member has its own IP address on the HA VLAN. The default HA VLAN is VLAN 1.
Figure 1-21. Active-Standby Mode

HA Cluster Operation Rules

The TMS zl Modules in an HA cluster synchronize their connection state information by sending messages over the HA VLAN, which must be dedicated to HA traffic. The HA VLAN is configured on the modules’ internal port 2, which must be dedicated to HA traffic. The modules in an HA cluster can be installed in the same switch chassis or in different switch chassis.
Feature Interaction

This section explains how the TMS zl Module’s various capabilities work together to protect your network from threats.

Packet Flow on the TMS zl Module

Understanding how packets flow through the TMS zl Module helps you to understand how features interact.

Packet Flow in Routing Mode

In routing mode, the TMS zl Module applies features in this order:
1. VPN (decrypting incoming traffic)
2. Firewall attack checks
3.
Figure 1-22. Simplified Packet Flow through the TMS zl Module in Routing Mode

The complete process is as follows:
1. The TMS zl Module receives a packet on a VLAN that is tagged on its internal port 1. Remember how the packet is passed to the module:
   a. When an endpoint needs to send a packet to another subnet, it addresses the encapsulating frame to the MAC address of its default router, the TMS zl Module.
3. The module’s firewall checks the packet for attacks. If the packet was received on a VPN tunnel, the packet is also sent back to the VPN for more VPN checks.
   • If the module detects an attack, it drops the packet.
   • If the module does not detect an attack, the firewall continues to process the packet. See step 4.
4. The module determines whether the packet matches a pre-NAT port trigger or ALG.
Overview Feature Interaction – If the action is permit, the module checks the rate limiting and other settings. If the settings do not permit another connection, the module drops the packet. If the settings permit another connection, the module checks the connection limits for the packet’s zones. If these have been reached, the module drops the packet—unless a connection reservation has been made for it. If a connection is available for the packet, the module checks whether IPS is enabled for the policy.
   • If the packet matches a NAT policy, the module follows this process to apply NAT:
     i. The module translates the source or destination IP address and port of the packet according to the NAT policy. If a source NAT policy specifies multiple IP addresses for the NAT address, the module must assign the packet an IP address from that pool of addresses. If no addresses are available, the module drops the packet.
     ii. The module then applies post-NAT checks. See step 10.
Overview Feature Interaction • If a NAT-capable ALG does not apply to the packet, the module simply creates the session and proceeds to step 12. 12. The TMS zl Module determines whether the packet is part of a GRE or L2TP tunnel. • If the packet is part of such a tunnel (its forwarding interface is an L2TP PPP interface or the GRE tunnel interface), the module establishes the tunnel (if it has not yet been established). If the tunnel cannot be established, the module drops the packet.
Overview Feature Interaction 14. The TMS zl Module forwards the packet to the next-hop router specified in the route to its destination IP address, tagging the frame for the forwarding VLAN of the route. Note that the destination IP address is the NAT destination for traffic to which destination NAT has been applied. The destination IP address is the destination in the delivery IP header for traffic that is part of an IPsec or GRE tunnel. Packet Flow from the Host Switch Perspective.
Overview Feature Interaction 2. The host switch receives the frame on C1, which is untagged for VLAN_7. 3. The switch forwards the frame on the TMS zl Module’s data port, which is tagged for VLAN_7, so the switch adds the tag. 4. The TMS zl Module filters the traffic as described in the section above, applying Zone1-to-DMZ access policies as well as other features. The module knows that the traffic’s source zone is Zone1 because the traffic arrived tagged for VLAN_7.
Figure 1-24. Packet Flow in Monitor Mode

Default Operation

You should understand how the TMS zl Module operates at factory defaults:
■ Default management settings
■ Default enabled capabilities
■ Default firewall access policies

Default Management Settings

At factory default settings, the TMS zl Module has no IP address. You must access the TMS zl Module CLI through the host switch CLI.
   d. Configure the default gateway. If the default gateway is not on the VLAN that you added to the module, you must add the gateway’s VLAN first. Specify the VLAN’s zone and assign the module an IP address on the VLAN. Then configure the default gateway.
■ For a module that you want to deploy in monitor mode:
   a. Set the operating mode to monitor.
   b. Set the management IP address and VLAN. Best practice dictates that the management VLAN not be the default VLAN, VLAN 1.
   c.
Default Firewall Policies

The TMS zl Module includes several default firewall access policies, which are intended to allow routing protocols between routers in any zone and the TMS zl Module (both unicast and multicast policies exist by default):
■ Internal-to-Self
  • permit RIP any any
  • permit OSPFIGP any any
■ External-to-Self
  • permit RIP any any
  • permit OSPFIGP any any
■ DMZ-to-Self
  • permit RIP any any
  • permit OSPFIGP any any
■ Zone1-to-Se
■ Self-to-External
  • permit RIP any any
  • permit OSPFIGP any any
■ Self-to-DMZ
  • permit RIP any any
  • permit OSPFIGP any any
■ Self-to-Zone1
  • permit RIP any any
  • permit OSPFIGP any any
■ Self-to-Zone2
  • permit RIP any any
  • permit OSPFIGP any any
■ Self-to-Zone3
  • permit RIP any any
  • permit OSPFIGP any any
■ Self-to-Zone4
  • permit RIP any any
  • permit OSPFIGP any any
■ Self-to-Zone5
  • permit RIP any any
  • permit OSPFIGP any any
■ Self-t
2 Initial Setup in Routing Mode

Contents
Overview 2-4
  Routing Mode 2-4
Deploying the TMS zl Module 2-5
  Select the Deployment Location 2-5
    Perimeter Protection
  Access the TMS zl Module Product OS Context 2-29
    Option 1 2-30
    Option 2 2-31
Configure Management Access Settings 2-32
  Access the Web Browser Interface
  Configure SNMP Traps 2-83
    Add an SNMPv2 Trap Destination 2-83
    Add an SNMPv3 Trap Destination 2-84
Configure SNMP Settings 2-86
  Configure SNMPv1/v2c Settings
Overview

This chapter provides instructions for the initial setup of the TMS zl Module in routing mode. Later chapters provide instructions for configuring specific features such as the firewall, IDS/IPS, and VPN. At this point, you should have decided which operating mode you want to use. (See “Operating Modes” in Chapter 1: “Overview.
Initial Setup in Routing Mode Deploying the TMS zl Module When operating in this mode, the TMS zl Module has an IP address for each TMS VLAN, and endpoints in those VLANs use the TMS zl Module as their default gateway. In some TMS VLANs (such as those in the External zone), other routers might exist. These routers route traffic to the other TMS VLANs through the module.
■ Provide a site-to-site VPN tunnel between the corporate head office and branch offices
■ Provide a client-to-site VPN for the mobile workforce to connect to the corporate intranet

Figure 2-1.
Figure 2-2. Internal Deployment of the TMS zl Module

Both Perimeter and Internal Protection

A TMS zl Module can be deployed to provide both perimeter and internal security. Implementing both methods allows you to check both internal and external traffic.
Figure 2-3. Perimeter and Inside Deployment of the TMS zl Module

Plan the Zones

Zones are logical groupings of VLANs that have the same trust levels or security needs. You can create common firewall policies that apply to all members of a zone or to selected members of a zone.
Understanding TMS VLANs and Zones

The module supports two types of zones:
■ Self—The Self zone is a special zone inside the TMS zl Module that contains the module’s TMS VLAN IP addresses and addresses associated with destination NAT policies. All traffic that originates from the TMS zl Module comes from the Self zone. You cannot associate VLANs with the Self zone.
Management-Access Zones

You can enable management access on one zone, all zones, or no zones. Once you specify a zone as a management-access zone, the TMS zl Module automatically creates unicast access policies to permit management services between the selected zone and Self.

Table 2-1. Services Permitted from a Management-Access Zone to Self
■ ICMP/echo
■ bootpc
■ bootps
■ https
■ snmp
■ snmptrap
■ ssh

Table 2-2.
Zone Best Practices

Which zones you use will depend on both the size and security needs of your network. The following are a few best practices:
■ Use the External zone for VLANs that handle traffic to the Internet or another untrusted network.
■ Use DMZ for VLANs that contain publicly available resources such as Web services and FTP.
■ For an extremely simple network configuration, put all VLANs in the LAN in the Internal zone.
VLANs Not Assigned to a Zone

Often, your plan for zones calls for assigning every VLAN in your LAN to a zone. However, you can choose to have non-TMS VLANs. The host switch would typically be the default router for these VLANs. If you want devices in TMS VLANs to be able to reach these VLANs, choose one of them to be a TMS VLAN. Allow the switch to have an IP address on this VLAN.
Initial Setup in Routing Mode Deploying the TMS zl Module Example Zone Design Figure 2-5 shows some example zones as they might be configured on the TMS zl Module. Figure 2-5. Example Zones In Figure 2-5, VLAN_7 handles all of the wireless traffic, and it has been assigned to its own zone (Zone3). VLAN_3 and VLAN_5 are in the Internal zone, servers in VLAN_9 have been assigned to the DMZ zone, and the interface that handles all Internet and VPN traffic is in the External zone.
Initial Setup in Routing Mode Deploying the TMS zl Module Figure 2-6. Zones Inside the TMS zl Module Figure 2-6 shows the zones and VLANs from Figure 2-5 as they might be deployed in a network. Physical port 1, the data port, is tagged for all TMS VLANs. Port 2 will forward HA traffic to the other member of the cluster (if configured), but the IP address for port 2 is not in the Self zone. Port 2 is an untagged member of the HA VLAN.
Ready the Host Switch

After you install a TMS zl Module in a chassis slot in an HP 5400zl or 8200zl Series switch, the switch recognizes the module by its ID. The switch names the module’s two internal ports as follows:
■ 1 = the data port
■ 2 = the port used for HA
For example, if the TMS zl Module is inserted into slot C, the ports will be called C1 and C2. By default, these ports are untagged for VLAN 1.
3. Determine whether to disable routing or not:
   • Disable routing if the switch only has an IP address on its management VLAN.
   • Leave routing enabled in these circumstances:
     – The switch must route traffic for non-TMS VLANs.
     – The switch will route external traffic for the TMS zl Module.
Access the Host Switch’s CLI

To begin the initial setup, you must first access the TMS zl Module through the host switch’s command-line interface (CLI), using one of the following access methods:
■ Console session
■ Telnet session
■ Secure Shell (SSH) session
To establish a console connection with the switch, use the serial cable that was shipped with the switch to connect a workstation to the switch.
Note
The ONE Services zl Module is a hardware platform that supports multiple applications, or products (for a list of these applications, visit www.hp.com/go/procurve). Recall that TMS also runs on a ONE Services zl Module even though the module is purchased as a TMS zl Module with the product software loaded at the factory.

Table 2-3. CLI Display of Services
Slot | Index | Description | Name
C, D, E | 1 | Services zl Module | services-module
C, E | 2 |
■ The index numbers assigned to products can change. For example, if a module is rebooted, the index number for the product or products that run on that module might change. Similarly, when a switch is rebooted or powered off and on, the index numbers can change.
■ A product is assigned only one index number even if more than one module runs that product.
You can always check the product index numbers by entering the show services command.
For now, you will access the Services OS context. Enter the following command from the switch’s manager-level or global configuration context:

Syntax: services <slot> <index>
Moves you to an OS context on the module. Replace <slot> with the letter for the chassis slot in which the module is installed. Replace <index> with 1. The Services OS context is always assigned index number 1.
3. Install the product license key on the TMS zl Module. See “Install the Product License Key” on page 2-24.

Obtain the Necessary IDs

Before you begin to register the TMS zl Module, you should obtain the two IDs that you need to complete the process successfully:
■ Product registration ID
■ Activation hardware ID

Product Registration ID.
Activation Hardware ID. The TMS zl Module has two hardware IDs, as shown in Table 2-6.

Table 2-6. Hardware IDs
Hardware ID | Purpose
Activation hardware ID | Used to register the TMS zl Module and generate a product license key
TMS-subscription hardware ID | Used to register an IDS/IPS signature subscription

To activate the TMS zl Module, you need the activation hardware ID.
Register the TMS zl Module

Once you have obtained the product registration ID and the activation hardware ID, you can complete the TMS zl Module registration process on the My Networking portal.
1. Open a Web browser and enter http://hp.com/networking/mynetworking in the address bar.

Figure 2-8. My Networking Portal Sign In Window

2. Type your My Networking ID and Password in the appropriate fields.
Install the Product License Key

The final step in the TMS zl Module activation process is to install the product license key. Complete the following steps:
1. Access the Services OS of the TMS zl Module. For example, if the TMS zl Module is installed in slot C in the switch chassis, you would type the following:
   hostswitch# services c 1
2.
Register the IDS/IPS Signature Subscription

To receive IDS/IPS signatures, you can purchase an HP Threat Management Services zl Module with 1-Year IDS/IPS Subscription (J9156A).
Figure 2-9. HP Threat Management Services x-Year IDS/IPS Subscription Registration Card

TMS-Subscription Hardware ID. To obtain the TMS-subscription hardware ID, complete the following steps:
1. Access the host switch’s CLI.
2. From the host switch’s manager-level context, enter the TMS zl Module’s Services OS context:
   Syntax: services <slot> 1
   Moves you to the Services OS context.
You are now in the Services OS context, and you should see a prompt that is similar to the following:
   hostswitch(services-module-C:HD)#
3. Display the TMS-subscription hardware ID by entering the following command in the TMS zl Module’s Services OS CLI.
   Syntax: licenses hardware-id tms-subscription
   Displays the hardware ID for the IDS/IPS signature subscription.
4. Record the TMS-subscription hardware ID. (You may want to copy this hardware ID to a text file.
3. Click Sign in.
4. Click My Licenses.
5. Follow the prompts on the My Networking Portal to register your subscription with the HP subscription server.

Note
Because this process does not require you to install a license on the module or reboot the module, your TMS zl Module is authorized to obtain the latest IDS/IPS signatures once you have completed the registration and configured the module to download the latest IDS/IPS signatures.
Syntax: repeat
Repeatedly executes the previous command you entered. For example, if the TMS zl Module is in slot C, you would enter:
   hostswitch# show services c
   hostswitch# repeat
You will continue to see updated output for the show services command. The following shows an example of the output you might see. The Current status information will vary, depending on the progress of the boot process.
Option 1

You can access the Product OS by typing the index number associated with the TMS zl Module. Use the following command, entered from either the switch’s manager-level or global configuration context:

Syntax: services <slot> <index>
Moves you to an OS context on the module. Replace <slot> with the letter for the chassis slot in which the module is installed.
The prompt should look like the following:
   hostswitch(tms-module-C)#
You can now set up management access on the TMS zl Module so that you can begin to configure the product’s features.

Option 2

Alternatively, you can access the Product OS context by specifying the product name for the TMS zl Module. This name never changes.
Configure Management Access Settings

Before you can access the Web browser interface and begin configuring the TMS zl Module, you must access the CLI and complete these tasks:
■ Enable management access on a zone.
■ Optionally, configure a priority VLAN.
■ Associate a VLAN with the zone.
■ Configure a static IP address for the VLAN.
■ Configure the default gateway.
To begin configuring these settings, complete these steps.
1.
Initial Setup in Routing Mode Configure Management Access Settings 4. Enable management access from a zone: Syntax: management zone Enables management access from a zone. Replace with the zone from which you want to permit management traffic to the module.
Initial Setup in Routing Mode Configure Management Access Settings Note If you have configured a dedicated management VLAN on the module’s host switch, you may want to associate that management VLAN with the management-access zone.
Initial Setup in Routing Mode Configure Management Access Settings Note If you plan to do your initial setup on another VLAN, repeat the steps above. Initially, you will only be able to access the Web browser interface from the VLANs that you configure now in the CLI. 7. Optionally, you can configure a priority VLAN to ensure that you can always access the Web browser interface (even if the TMS zl Module is handling an extremely high volume of traffic).
Initial Setup in Routing Mode Configure Management Access Settings • If the module’s host switch is the default gateway, this VLAN is typically the VLAN on which the host switch connects to the external router. Make sure that the switch has an IP address on that VLAN. For example, in Figure 2-13, the host switch connects to the external router on VLAN99 (subnet 10.1.99.0/24). Both the host switch and the external router have IP addresses on this subnet (10.1.99.98 on the switch and 10.1.99.
For the example in Figure 2-13, you would associate VLAN99 with the External zone:
hostswitch(tms-module-C:config)# vlan 99 zone external
Remember, if you want the host switch to have an IP address on that VLAN, you must include the allow-switch-ip option. Similarly, if you want the TMS VLAN to use a unique MAC address, include the unique-mac option:
hostswitch(tms-module-C:config)# vlan 99 zone external allow-switch-ip unique-mac
b.
Initial Setup in Routing Mode Configure Management Access Settings 10. Define a default gateway: Syntax: ip route 0.0.0.0/0 [metric ] [distance ] Sets a default gateway for the module. Replace with the IP address of the default gateway for the module. If you use the metric option, replace with the metric for the route (1 to 255). If you do not enter a metric, the route will be assigned the default metric value, 0.
ii. Ping the default gateway:
hostswitch(tms-module-C:config)# ping
For example, you might enter:
hostswitch(tms-module-C:config)# ping 10.1.99.101
PING 10.1.99.101 (10.1.99.101) 56(84) bytes of data.
64 bytes from 10.1.99.101: icmp_seq=1 ttl=255 time=1.54 ms
64 bytes from 10.1.99.101: icmp_seq=2 ttl=255 time=0.515 ms
64 bytes from 10.1.99.101: icmp_seq=3 ttl=255 time=0.526 ms
12.
Initial Setup in Routing Mode Access the Web Browser Interface Access the Web Browser Interface Once you have configured the initial settings (as described in the previous section), you can access the TMS zl Module’s Web browser interface through a secure HTTPS session. You will need a supported Web browser: ■ Firefox 2.x or higher ■ Internet Explorer 7 or higher Additionally, JavaScript must be enabled on your Web browser. In the address bar, type https:// followed by your module’s IP address.
Figure 2-14. Firefox 3 Tools > Options > Content Window
d. Click OK.
2. Type https:// followed by your module’s IP address in the address field. The following warning is displayed.
Figure 2-15. Firefox 3 Certificate Security warning
3. Click I Understand the Risks.
4. Click Add Exception. The Add Security Exception window is displayed.
Figure 2-16. Add Security Exception Window
5. Click Get Certificate. The window updates to tell you that the certificate belongs to a different site.
6. Click Confirm Security Exception. The TMS zl Module login window is displayed.
Internet Explorer 7 or 8
1. Enable JavaScript.
a. In your browser, click Tools > Internet Options.
b. Click the Security tab.
c.
Figure 2-17. IE Internet Options Window
d. Click Custom Level. The Security Settings— Zone window is displayed.
Figure 2-18. IE Security Settings— Zone Window
e. Scroll down to the Scripting section and click Enable for Active Scripting. Then click OK.
f. Click OK again.
2. Type https:// followed by your module’s IP address in the address field. A warning is displayed.
Figure 2-19.
3. Click Continue to this website (not recommended). The TMS zl Module’s login window is displayed.
Log in to the TMS zl Module Web Browser Interface
When you gain access to the Web browser interface login window, you are prompted to enter a username and password. (See Figure 2-20.)
Figure 2-20. Web Browser Interface Login Window
For User Name, type manager. For Password, type the default password: procurve.
When you use the Web browser interface to configure the TMS zl Module, your changes will apply to the module’s running-config and startup-config as follows: ■ Running configuration—When the TMS zl Module loads the saved configuration, all of the settings become the running configuration, which is held in RAM. When you apply configuration changes in the Web browser interface, these changes become part of the running configuration as well.
Initial Setup in Routing Mode Access the Web Browser Interface When your changes are saved, you will see this message near the top of the window: Figure 2-22. Changes Saved to NVRAM Note If you click Save before applying the configuration changes, your changes may not be applied or saved. Make sure that you apply the configuration changes before you click Save.
Figure 2-23. Icons (Delete, Edit, Move, Move Left, Move Right)
■ Click the Delete icon to remove a policy or named object.
■ Click the Edit icon to edit a policy or named object.
■ Click the Move icon to change the priority of a policy.
■ Click the Move Left icon to remove an object from an object group.
■ Click the Move Right icon to add an object to an object group.
Table 2-9. Field Information in the Summary Tab on the TMS zl Module Dashboard
Columns: Field; Description; How to Configure
System Information
  Hostname: User-defined module name (maximum of 30 ASCII characters). How to configure: System > Settings > General.
  Zone: Name of the firewall zones. How to configure: n/a.
  Connections: Number of connections into and out of the zone. See the “Note” that follows this table. How to configure: n/a.
  Limit: Maximum number of connections permitted for that zone. How to configure: Firewall > Settings > Connection Allocations; see “Connection Reservation Concepts” in Chapter 4: “Firewall.”
Note The connections listed in the Firewall section include both passive and active connections. Passive connections are how the firewall reserves connections for Application Layer Gateways (ALGs) and configured reservations.
  Transmitted: Number of kilobytes per second and packets per second that are being sent on the interface. How to configure: n/a.
  Received + Transmitted: Total number of kilobytes per second and packets per second that are being sent and received on the interface. How to configure: n/a.
System Graphs
Initial Setup in Routing Mode Access the Web Browser Interface Figure 2-24. CPU Usage Graph Figure 2-25.
Initial Setup in Routing Mode Access the Web Browser Interface The resolution for the graphs is one sample per minute. That is, each data point on the graph represents one sample, which was taken at some point within a one-minute period. Such sampling provides meaningful information over a period of time but should not be used for short-term analysis. That is, you should not use one data point or even the data for one hour to make decisions regarding your module or your network.
Initial Setup in Routing Mode Modify Management Settings Modify Management Settings To access the Web browser interface, you configured a set of management settings. You enabled management access on a zone, added a VLAN to that zone, and configured a static IP address for the VLAN. The TMS zl Module allows you to manage the module from as many zones as you want, so you can specify additional zones as management-access zones.
4. Click Save.
Note If you clear the check box for the zone from which you are currently connected to the module and click Apply My Changes, you will lose connectivity from the Web browser interface. Once disconnected, you will need to reconnect to the module from a zone that has management access enabled, or you will have to access the CLI through a serial console to the host switch and enable management access from at least one zone. Table 2-11.
Initial Setup in Routing Mode Modify Management Settings Select a Priority VLAN When you select a priority VLAN, management traffic from that VLAN to Self is guaranteed a connection even when connection limits have been reached and CPU cycles are at maximum. Typically, the priority VLAN should be in a management-access zone.
Initial Setup in Routing Mode Modify Management Settings Figure 2-27. Add Static Route Window 4. For Destination Type, select Default Gateway. 5. For Gateway Address, type the IP address of the default gateway. 6. For Metric, type the cost that you want to assign to the route (0 to 255). If you want this route to be less preferred than another default route, assign it a higher metric. 7. For Distance, type the administrative distance that you want to assign to this route (1 to 255).
Initial Setup in Routing Mode Modify Management Settings Figure 2-28. System > Settings > Operating Mode Window 2. Select Routing. See “Operating Modes” in Chapter 1: “Overview” for an explanation of the operating modes. 3. Click Apply My Changes. 4. A warning box is displayed, informing you that you must reboot the TMS zl Module to apply the change: • Click Save & reboot to save your configuration changes and reboot the TMS zl Module.
To configure new passwords for local management users, follow these steps: 1. Click Network > Authentication and click the Management Users tab. Figure 2-29. Network > Authentication > Management Users Window 2. From the User list, select manager (read/write) or operator (read only). 3. For Old password, type the current password. The default passwords are: manager = procurve; operator = operator. 4.
Initial Setup in Routing Mode Modify Management Settings Configure RADIUS Authentication for Management Users (Optional) You can use an external RADIUS server to authenticate users who attempt to access the TMS zl Module's Web browser interface or the CLI using SSH. This feature allows you to create multiple users with manager rights and multiple users with operator rights. It also enables you to track management sessions. Follow these steps: 1.
Figure 2-31. Network > Authentication > RADIUS Window
2. Under RADIUS Settings, for Authentication Protocol, select the protocol that the TMS zl Module uses to communicate with all of your RADIUS servers. Options include: • MS-CHAPv1 • CHAP • PAP
3. Click Add RADIUS Server. The Add RADIUS server window is displayed.
Initial Setup in Routing Mode Modify Management Settings Figure 2-32. Add RADIUS server Window 4. In the Server Address field, type the IP address or FQDN of your RADIUS server. The port is always 1812. 5. In the Secret and Confirm Secret fields, type the shared secret for your RADIUS server. 6. In the NAS Identifier field, type the NAS ID associated with the module. The default NAS Identifier is the module’s hostname.
Initial Setup in Routing Mode Modify Management Settings You may choose to leave this field blank. When you leave the Domain Name field blank, the TMS zl Module assigns the RADIUS server to the global domain. Then, when users log in using the TMS zl Module's login page, they simply enter their username. They do not need to include a domain name.
■ To authenticate operator users, the RADIUS server requires a policy that meets these criteria: • It selects RADIUS requests according to any of the attributes shown in Table 2-13; again, the group to which operators belong is a common choice for the criteria.
Note Again, it is best practice to add Service-Type = NAS-Prompt-User to the selection criteria for the management access policy.
2. In the TMS zl Module Web browser interface navigation bar, click System > Settings > High Availability. 3. Verify that for Cluster Scheme, None is selected. Figure 2-33. System > Settings > High Availability Window 4. Under HA IP Configuration, configure the following: a. For VLAN ID, type the VLAN number of an unused VLAN. This VLAN must be configured on the host switch. b.
Initial Setup in Routing Mode Configure Zones Configure Zones The TMS zl Module has 10 zones. (For information on zones, see “Plan the Zones” on page 2-8.) If you want, you can rename 8 of these zones according to your needs. See “Rename a Zone” on page 2-68. If you want the TMS zl Module to use a zone, you need to associate at least one VLAN with it. This VLAN then becomes a TMS VLAN. You can create up to 256 TMS VLANs. Each TMS VLAN is in one and only one zone.
Initial Setup in Routing Mode Configure Zones Figure 2-34. Network > Zones > Names Window 3. Click Apply My Changes. 4. Click Save. Associate a VLAN with a Zone To associate a VLAN with a zone, follow these steps: 1. Click Network > Zones > VLAN Associations. Figure 2-35.
Initial Setup in Routing Mode Configure Zones 2. Click Add VLAN Association. The Add VLAN Association window is displayed. Figure 2-36. Add VLAN Association Window 3. In the Select a VLAN section, select a VLAN. The TMS zl Module automatically detects the VLAN settings of its host switch. The VLANs in the list are VLANs that are configured on the host switch and that have not already been associated with a zone. A VLAN that is not configured on the host switch cannot be associated with a zone.
6. If the host switch must have an IP address on this VLAN, select the Allow switch to have IP address check box.
Note It is recommended that the host switch not have an IP address on a TMS VLAN if Layer 3 routing is enabled on the host switch. Inter-VLAN traffic must be routed through the TMS zl Module instead of being routed directly by the switch.
Initial Setup in Routing Mode Configure DHCP Relay and DNS Server Settings Configure DHCP Relay and DNS Server Settings This section explains how to configure the DHCP and DNS server settings that will enable users to access the network and the services that rely on domain name resolution. Configure DHCP Relay Settings If your network includes a DHCP server, the TMS zl Module can provide DHCP relay services to this server for endpoints in TMS VLANs.
Initial Setup in Routing Mode Configure DHCP Relay and DNS Server Settings Follow these steps to configure DHCP relay: 1. Click Network > Settings and click the DHCP Relay tab. Figure 2-37. Network > Settings > DHCP Relay Window 2. For Message relay, select On. 3. Specify up to four DHCP servers. To start, type the IP address for DHCP Server 1. 4. The Relay messages for selected VLANs list displays all of your TMS VLANs. Select the check box next to each VLAN for which you want to enable DHCP relay.
Initial Setup in Routing Mode Configure DHCP Relay and DNS Server Settings 6. Click Save. If you enable DHCP relay, you may need to create firewall access policies to permit the DHCP traffic. The figure below shows that four access polices are needed to allow DHCP relay from one VLAN to another. (The access policies are necessary whether the client and server are in the same zone or different zones.) 1. Client to Self — Permit bootps 2. Self to server — Permit bootps 3.
Initial Setup in Routing Mode Configure DHCP Relay and DNS Server Settings Configure DNS Server Settings To configure the DNS server settings, complete the following steps: 1. Click Network > Settings > General. 2. For Primary Server, type the IP address of your primary DNS server. 3. Optionally, for Secondary Server, type the IP address of your secondary DNS server. If you do not have a secondary DNS server, leave this field blank. 4. For Domain Suffix, type the suffix of your DNS domain name.
Configure Event Logging
The TMS zl Module logs events from the following sources:
■ Security systems (firewall, IPS, VPN, or high availability)
■ Open architecture system
■ Startup scripts (initialization or reboot)
■ Management systems (Web browser, CLI, or SNMP)
■ Common services (such as DHCP relay, DNS client, TFTP, SCP, RADIUS client, LDAP client, or others)
These events can be logged locally or forwarded to an email account, syslog serve
Log Severity
The TMS zl Module automatically classifies events according to severity. Event severity levels are listed below from most severe to least severe:
■ Critical
■ Major
■ Minor
■ Warning
■ Information
By default, the event severity is set to Critical, meaning that only critical messages are logged.
Initial Setup in Routing Mode Configure Event Logging Log Throttling Log throttling (which is enabled by default) prevents the module from logging duplicate messages for the same event. Instead, the module logs the first event but counts duplicate events without logging them. The module sends a tally message that shows the number of duplicate events after a certain count is reached or after a certain number of seconds have passed since the first event (whichever comes first).
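Added example, not HP's code and not taken from this guide: a Python model of the severity filter ("at or above" the configured level) and the log-throttling rule described above. The tally thresholds `tally_count` and `tally_seconds` are placeholder values standing in for the count and time limits the guide does not quantify, and it is assumed that once a tally is sent the count resets, so the next identical event is logged afresh.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Severity levels exactly as the guide lists them, most severe first.
SEVERITY_ORDER = ["Critical", "Major", "Minor", "Warning", "Information"]
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITY_ORDER)}


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since an arbitrary epoch
    severity: str    # one of SEVERITY_ORDER
    source: str      # e.g. "firewall", "vpn", "dhcp-relay"
    message: str


@dataclass
class _DupState:
    first_ts: float      # time of the first (logged) occurrence
    dup_count: int = 0   # duplicates seen since then, not logged


class EventLogger:
    """Severity filter plus duplicate suppression ("log throttling")."""

    def __init__(self, min_severity: str = "Critical", throttle: bool = True,
                 tally_count: int = 10, tally_seconds: float = 60.0) -> None:
        if min_severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {min_severity!r}")
        self.min_severity = min_severity
        self.throttle = throttle
        # Placeholder thresholds: the guide says "a certain count" and
        # "a certain number of seconds" without publishing the values.
        self.tally_count = tally_count
        self.tally_seconds = tally_seconds
        self._pending: Dict[Tuple[str, str, str], _DupState] = {}
        self.records: List[str] = []

    @staticmethod
    def _format(ev: Event) -> str:
        return f"{ev.ts:8.1f} {ev.severity:<11} {ev.source}: {ev.message}"

    def _passes(self, ev: Event) -> bool:
        # "At or above" the configured severity: a lower rank is more severe.
        return SEVERITY_RANK[ev.severity] <= SEVERITY_RANK[self.min_severity]

    def _tally(self, key: Tuple[str, str, str], state: _DupState, now: float) -> None:
        # Assumption: a tally is only emitted when something was suppressed.
        if state.dup_count:
            source, severity, message = key
            self.records.append(
                f"{now:8.1f} {severity:<11} {source}: {message} "
                f"(tally: {state.dup_count} duplicate(s) suppressed since {state.first_ts:.1f})")
        del self._pending[key]

    def tick(self, now: float) -> None:
        """Emit tallies whose time window has expired by `now`."""
        for key, state in list(self._pending.items()):
            if now - state.first_ts >= self.tally_seconds:
                self._tally(key, state, now)

    def submit(self, ev: Event) -> None:
        if not self._passes(ev):
            return
        self.tick(ev.ts)
        if not self.throttle:
            self.records.append(self._format(ev))
            return
        key = (ev.source, ev.severity, ev.message)
        state = self._pending.get(key)
        if state is None:
            # First occurrence is logged; later duplicates are only counted.
            self.records.append(self._format(ev))
            self._pending[key] = _DupState(first_ts=ev.ts)
            return
        state.dup_count += 1
        if state.dup_count >= self.tally_count:
            self._tally(key, state, ev.ts)   # count limit reached first


def run_demo() -> List[str]:
    """Constructed sample: a burst of identical firewall denies plus filtered noise."""
    log = EventLogger(min_severity="Minor", tally_count=3, tally_seconds=60.0)
    deny = ("Major", "firewall", "deny tcp 10.1.99.0/24 -> Self")  # constructed message
    log.submit(Event(0.0, "Warning", "dhcp-relay", "no reply from server"))  # below Minor: dropped
    for ts in (1.0, 2.0, 3.0, 4.0):   # first is logged, three duplicates trigger a count tally
        log.submit(Event(ts, *deny))
    log.submit(Event(5.0, *deny))     # new cycle: logged again
    log.submit(Event(10.0, *deny))    # one duplicate, counted only
    log.tick(70.0)                    # 60 s window expired: time-based tally
    return log.records


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```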
Initial Setup in Routing Mode Configure Event Logging 2. Under Log Severity, select one of the following: • Critical • Major • Minor • Warning • Information Remember that the less severe the setting, the more events the TMS zl Module will log, thereby consuming more system resources. 3. 4. 5. Select Enable Log Threshold Monitoring if you want to ensure that logging will not adversely affect the TMS zl Module’s performance.
Initial Setup in Routing Mode Configure Event Logging Figure 2-43. System > Logging > View Log Window In this window, you can see a real-time list of events for the TMS zl Module’s operation. The events that are displayed are those at or above the severity selected in the System > Logging > Settings window (the default is Critical). To filter the logs that are displayed in this window, select and clear the appropriate check boxes under Filter.
Initial Setup in Routing Mode Configure Event Logging the .tar file into a spreadsheet application such as Microsoft Excel. It is a good idea to name the log file after the date on which it was created. For example, if the log was created on November 3, 2009, type 2009-11-03.tgz. Configure Email Forwarding To forward event logs to email accounts, click System > Logging and click the Email Forwarding tab. Figure 2-44. System > Logging > Email Forwarding Window 1.
Initial Setup in Routing Mode Configure Event Logging Configure Syslog Forwarding To forward event logs to a syslog server, click System > Logging and click the Syslog Forwarding tab. You can add up to three entries. Figure 2-45. System > Logging > Syslog Forwarding Window 1. Select the Enable syslog forwarding check box. 2. Click Add Syslog Server. The Add Syslog Server window is displayed. Figure 2-46. Add Syslog Server Window 3. For Address, type the IP address or FQDN of the syslog server. 4.
Initial Setup in Routing Mode Configure Event Logging Configure SNMP Traps SNMP traps are unsolicited messages that are sent by managed devices to alert you about specific events. For example, you can use PCM+ to manage the TMS zl Module by specifying PCM+ as a trap destination. The TMS zl Module supports the standard MIB-II, the IF-MIB, and a proprietary MIB that is specific to the operation of the TMS zl Module.
Initial Setup in Routing Mode Configure Event Logging Figure 2-48. Add SNMPv2 Destination Window 2. For Server Address, type the IP address or FQDN of the SNMP server. For example, if you are using PCM+, you would enter the IP address or FQDN of the server running PCM+. 3. For Community Name, type the read-write (unrestricted) community name. You must enter the read-write community name that is configured on the SNMP server. 4. Click OK. 5. Click Save.
Initial Setup in Routing Mode Configure Event Logging Figure 2-49. Add SNMPv3 Destination Window 2. For Server Address, type the IP address or FQDN of an SNMPv3 server. For example, if you are using PCM+, you would enter the IP address or FQDN of the server running PCM+. 3. For Username, type a username for the SNMPv3 account that will be used with this trap destination. The username must match a username in an account on the SNMPv3 server.
Initial Setup in Routing Mode Configure SNMP Settings Configure SNMP Settings The TMS zl Module allows remote management through SNMPv1/v2c or SNMPv3. For example, you can configure SNMP so that the module can be managed by PCM+. If you are going to allow remote management through SNMP, make sure that you configure the parameters on the TMS zl Module to match those configured on the SNMP server. (You can also configure the TMS zl Module to send SNMP traps. See “Configure SNMP Traps” on page 2-83.
• Private – Role = Manager – Write Access = Unrestricted
3. You can change the names, roles, and write access of the default communities, or you can add new communities. Editing and adding a community are much the same process: • To edit one of the default communities, click the Edit icon in the Tools column for the community that you want to edit. Figure 2-51. Edit SNMPv1/v2 Community Window • To add a community, click Add another community.
Initial Setup in Routing Mode Configure SNMP Settings 8. Click Save. If you want to add more SNMPv1/v2 communities, repeat these steps. Note If you add new communities rather than edit the default communities, the default communities will continue to allow access unless you delete them. To delete a community, click the Delete (X) icon in the Tools column for that community. Configure SNMPv3 Settings To configure SNMPv3 settings, complete the following steps: 1.
Initial Setup in Routing Mode Configure SNMP Settings 5. For Role, select the role of the account: Manager (read/write) or Operator (read only). 6. For Authentication Protocol, select the protocol specified for the account on the SNMPv3 server: MD5 or SHA-1. 7. For Authentication Passphrase, type the authentication passphrase for the account. The passphrase must be between 8 and 265 characters (special or alphanumeric). 8.
Initial Setup in Routing Mode Configure SNMP Settings ■ Firewall, including NAT and port triggers as well as access policies ■ IDS/IPS operations With NIM, you can also view TMS zl Module logs. To enable management through PCM+/NIM, you must first configure a few settings on the TMS zl Module: 1. Associate the PCM+/NIM server’s VLAN with a zone, preferably a management-access zone. (“Plan the Zones” on page 2-8.) 2.
Ping Utility Before you get your network up and running, you will likely want to check connectivity. This is most easily done by sending a ping from one workstation to another. You must configure firewall access policies to allow ICMP echo messages before you can use ping messages.
Figure 2-54. Add Policy Window 10. Click Apply, and then click Close. Sending a Ping from the TMS zl Module To ping an IP address or hostname, complete the following steps: 1. Click System > Utilities > Ping. 2. For Hostname/IP Address, type the hostname or IP address of the device you are trying to reach. 3. For Repetitions, select the number of ping messages you want the module to send.
Figure 2-55. System > Utilities > Ping Window 5. Click Ping. The results of the ping are displayed in the Results field.
Note When you have finished testing connectivity, you should delete the access policies that permit ICMP Echo traffic.
Initial Setup in Routing Mode System Maintenance System Maintenance This section teaches you how to complete these system maintenance tasks on the TMS zl Module: ■ Save the current startup-config to an external drive. See “Back Up the Startup-Config” on page 2-94. ■ Restore the startup-config to a previously saved configuration. See “Restore to a Previously Saved Configuration” on page 2-95. ■ Erase the startup-config and return to factory default settings (retaining any existing IDS/IPS signatures).
Figure 2-56. System > Maintenance > Back Up/Restore Window 2. Click Back Up and follow the prompts to save the startup-config file to a selected directory.
Note It is sometimes a good idea to name the configuration file after the date on which it was saved. For example, if the configuration was saved on November 3, 2009, name it 2009-11-03.cfg. The saved configuration file is encrypted.
Initial Setup in Routing Mode System Maintenance Erase the Startup-Config and Return to Defaults You can erase the startup configuration. This action erases your configuration changes and returns them to factory defaults. However, your IDS/IPS signatures are retained. You can erase the startup configuration from two places: ■ Web browser interface ■ CLI Product OS If you are unable to access the Web browser interface, you can use the CLI Product OS to restore the module’s IP settings.
Initial Setup in Routing Mode System Maintenance Erase the Startup Configuration from the CLI Product OS You can erase the startup configuration from the Product OS context by following these steps: 1. Access the TMS zl Module Product OS in one of the following two ways: • Through the host switch CLI: i. Access the host switch CLI and enter the manager context. ii.
Restore to Factory Default Settings (Including IDS/IPS Signatures) Instead of erasing the startup-config to return to factory default settings, you can return to these settings by uninstalling and then reinstalling the software image. With this method, you lose all of your IDS/IPS signatures as well as all of your settings. After restoring factory defaults, you will need to reconfigure your module settings and download the IDS/IPS signatures again.
For example:
hostswitch(services-module-C:HD)# show images
--------Image Repository--------
1) ST.1.1.100330
2) ST.1.1.100226
3) ST.1.0.090603
If the latest software image is not in the image repository, follow steps 1 through 9 in “Update the Software with a USB Drive” on page 2-105 to transfer the image folder to the module.
6. Uninstall the current product software: Syntax: uninstall product Uninstalls the current TMS zl Module software.
8. When the installation has finished, boot the Product OS: Syntax: boot product Boots the Product OS. For example:
hostswitch# boot product
System will be rebooted. Do you want to continue [y/n]?
Rebooting
The module is now restored to the factory default settings. In addition, any existing IDS/IPS signatures have been erased.
Update the Module Software The software for the module can be updated through the Web browser interface or the CLI.
Initial Setup in Routing Mode System Maintenance d. File Name—Type the name of the image file, including the extension, for example, ST.1.1.100330.zip. Remember to include the path to the file if it is in a subdirectory. If you select TFTP: a. Server IP —Type the IP address of the TFTP server in dotted-decimal format. b. File Name — Type the name of the image file, including the extension, for example, ST.1.1.100330.zip. Remember to include the path to the file if it is in a subdirectory.
Initial Setup in Routing Mode System Maintenance ■ A USB drive See “Update the Software with a USB Drive” on page 2-105. Update the Software from an FTP or SCP Server. To update the module software using an FTP or SCP server, do the following: 1. Transfer the compressed image onto an FTP or SCP server. 2. Access the TMS zl Module Product OS in one of the following two ways: • Through the host switch CLI: i. Access the host switch CLI and enter the manager context. ii.
Initial Setup in Routing Mode System Maintenance 3. Copy the image from the server and install it. Syntax: copy image user Copies and installs a TMS zl Module software image from an FTP or SCP server. Replace with the IP address of the server. Replace with the path and filename of the software image, including the .zip extension.
ii. Enter the Product OS context for the TMS zl Module: Syntax: services < | name > Moves you to an OS context on the module. Replace with the letter for the chassis slot in which the module is installed. Replace with the product index assigned to the TMS zl Module. See “Understanding Index Numbers” on page 2-18. Replace with tms-module.
You would enter the following command:
hostswitch(tms-module-C)# copy tftp image 192.168.1.13 ST.1.1.100330.zip
4. The image is uploaded to the module, then automatically installed. When the prompt says that the installation is finished, reboot the module to complete the update.
hostswitch(tms-module-C)# boot
Update the Software with a USB Drive. To update the software image using a USB drive, do the following: Note 1.
9. Copy the image from the drive to the module. Syntax: usb copyfrom Copies a file from the USB drive to the module. Replace with the name of the extracted directory. For example, if the image directory name is ST.1.1.100330, you would type:
hostswitch(services-module-C:HD)# usb copyfrom ST.1.1.100330
You can type the first few letters of the directory name, then press [Tab] to complete the name.
3 Initial Setup in Monitor Mode
Contents
Overview 3-4
Monitor Mode 3-4
Deploying the TMS zl Module 3-6
Selecting the Deployment Location 3-6
At the Perimeter
Log in to the TMS zl Module Web Browser Interface 3-32
Navigating the Web Browser Interface 3-32
Dashboard 3-35
Management Settings 3-39
Modify the Module’s IP Settings
Erase the Startup-Config and Return to Defaults 3-70
Erasing the Startup Configuration from the Web Browser Interface 3-70
Erasing the Startup Configuration from the CLI Product OS 3-71
Restore to Factory Default Settings (Including IDS/IPS Signatures)
Overview
This chapter provides instructions for the initial setup in monitor mode. At this point, you should have decided which operating mode you want to use. (See “Operating Modes” in Chapter 1: “Overview.
Figure 3-1. Logical Remote Mirroring Operation of the TMS zl Module in Monitor Mode
When a 5400zl or 8200zl switch receives traffic that has been selected for mirroring (whether by its port or VLAN), it both forwards the traffic toward its destination and sends a copy of the traffic in a mirror session to the module’s host switch.
Deploying the TMS zl Module
This section includes guidelines for deploying your TMS zl Module:
■ Selecting the deployment location
■ Readying the host switch
Selecting the Deployment Location
In monitor mode, the module operates as a traditional offline IDS, which analyzes traffic that is mirrored to it.
The sections below present several typical deployments of a TMS zl Module operating in monitor mode.
At the Perimeter
The TMS zl Module in monitor mode can be deployed at the perimeter to monitor traffic routed to and from an external network, such as the Internet or a remote office. The key reason to deploy the TMS zl Module in monitor mode at the perimeter is to detect attacks from the Internet.
Ready the Host Switch
After you install a TMS zl Module in a chassis slot in an HP 5400zl or 8400zl Series switch, the switch recognizes the module by its ID. The switch names the module’s two internal ports as follows:
■ Port 1—This port is used for data, which, in monitor mode, is mirrored traffic that is to be analyzed by the module’s IDS.
■ Port 2—This port is used for management traffic.
Initial Setup
At this point, you should have planned your deployment, installed your TMS zl Module in an HP 5400zl or 8400zl Series switch, and made necessary configurations to this switch. This section teaches you how to access the CLI for the TMS zl Module Services OS, install licenses, and boot the TMS zl Module Product OS.
Ensure That the Host Switch Recognizes the TMS zl Module
You should first ensure that the host switch recognizes that the TMS zl Module is installed in the switch by entering the following command:
hostswitch# show services
Table 3-1 shows an example output for this command. Notice that two items are listed for each TMS zl Module: Services zl Module and Threat Management Services zl Module. The Services zl Module is always displayed first with index number 1.
Understanding Index Numbers
The host switch assigns index numbers to all TMS zl Module and HP ONE Services zl Module products according to these rules:
■ The host switch always assigns index number 1 to the Services OS that runs on ONE Services zl Modules and TMS zl Modules.
■ The host switch assigns index numbers to other products based on the order in which the products boot. The first to boot is assigned index number 2 and so forth.
Whenever you reboot the host switch, a TMS zl Module, or a ONE Services zl Module, you should enter the show services command to check the index numbers.
Access the TMS zl Module Services OS Context
The Services OS context is used to complete basic setup and maintenance tasks. You will configure the TMS zl Module itself from the Product OS context. (See “Access the TMS zl Module Product OS Context” on page 3-22.
Activate the TMS zl Module
Before you begin configuring the TMS zl Module, you must activate the product by completing the following tasks. (Step-by-step instructions for each task are provided in the sections that follow.)
1. Obtain the product registration ID and the activation hardware ID. See “Obtain the Necessary IDs” on page 3-13.
2. Register the TMS zl Module on the My Networking portal (http://hp.
Figure 3-3. HP Threat Management Services zl Module Software Activation License Card
Activation Hardware ID. The TMS zl Module has two hardware IDs, as shown in Table 3-4.
Table 3-4. Hardware IDs
Hardware ID: Purpose
Activation hardware ID: Used to register the TMS zl Module and generate a product license key
TMS-subscription hardware ID: Used to register an IDS/IPS signature subscription
To activate the TMS zl Module, you need the activation hardware ID.
To obtain the activation hardware ID, complete the following steps:
1. Access the host switch’s CLI.
2. From the host switch’s manager-level context, enter the TMS zl Module’s Services OS context:
Syntax: services 1
Moves you to the Services OS context. Replace with the letter of the chassis slot in which the module is installed.
Figure 3-4. My Networking Portal Sign In Window
2. Type your My Networking ID and Password in the appropriate fields. (If you do not have an ID, click Customer account or Partner account under Create an account and follow the prompts to set one up.)
3. Click Sign in.
4. Click My Licenses.
5. Follow the prompts on the My Networking Portal to generate a license key.
2. Install the product license key by typing the following command:
Syntax: licenses install activation
Installs the product license key on the switch. Replace with the product license key that was generated when you registered the TMS zl Module on the My Networking portal.
Note
Unlike the TMS zl Module activation process, the subscription registration process does not require you to install a license key on the module or reboot the module.
To register the IDS/IPS signature subscription, complete the following tasks. (Step-by-step instructions for each task are provided in the sections that follow.)
1. Obtain the subscription registration ID and the TMS-subscription hardware ID.
Figure 3-5. HP Threat Management Services x-Year IDS/IPS Subscription Registration Card
TMS-Subscription Hardware ID. To obtain the TMS-subscription hardware ID, complete the following steps:
1. Access the host switch’s CLI.
2. From the host switch’s manager-level context, enter the TMS zl Module’s Services OS context:
Syntax: services 1
Moves you to the Services OS context.
You are now in the Services OS context, and you should see a prompt that is similar to the following:
hostswitch(services-module-C:HD)#
3. Display the TMS-subscription hardware ID by entering the following command in the TMS zl Module’s Services OS CLI.
Syntax: licenses hardware-id tms-subscription
Displays the hardware ID for the IDS/IPS signature subscription.
4. Record the TMS-subscription hardware ID. (You may want to copy this hardware ID to a text file.
3. Click Sign in.
4. Click My Licenses.
5. Follow the prompts on the My Networking Portal to register your subscription with the HP subscription server.
Note
Because this process does not require you to install a license on the module or reboot the module, your TMS zl Module is authorized to obtain the latest IDS/IPS signatures once you have completed the registration and configured the module to download the latest IDS/IPS signatures.
Syntax: repeat
Repeatedly executes the previous command you entered.
For example, if the TMS zl Module is in slot C, you would enter:
hostswitch# show services c
hostswitch# repeat
You will continue to see updated output for the show services command. The following shows an example of the output you might see. The Current status information will vary, depending on the progress of the boot process.
Option 1. You can access the Product OS by typing the index number associated with the TMS zl Module. Use the following command, entered from either the switch’s manager-level or global configuration context:
Syntax: services
Moves you to an OS context on the module. Replace with the letter for the chassis slot in which the module is installed.
Option 2. Alternatively, you can access the Product OS context by specifying the product name for the TMS zl Module. This name never changes. Enter the following command from either the switch’s manager-level or global configuration context:
Syntax: services name tms-module
Moves you to the Product OS context on the module. Replace with the letter for the chassis slot in which the module is installed.
Configure Initial Settings
Before you can access the Web browser interface and begin configuring the TMS zl Module, you must configure some initial settings. Specifically, you must access the CLI and complete these tasks:
■ Set the operating mode to monitor.
■ Specify a management VLAN. (The default is VLAN 1.)
■ Set a static IP address for the VLAN.
■ Set a default gateway for the module.
To configure these settings, follow these steps:
1.
For example:
hostswitch(tms-module-C:config)# management vlan 2
Note
You may want to set the management VLAN of the TMS zl Module to match the management VLAN of the switch, if any. The management VLAN, however, should not be the default VLAN: VLAN 1.
5. Set a static IP address for the module’s management interface:
Syntax: management ip
Sets a static IP address for the module’s management interface.
Access the Web Browser Interface
To access the Threat Management Services zl Module’s Web browser interface through a secure HTTPS session, you will need a supported Web browser:
■ Firefox 2.x or higher
■ Internet Explorer 7 or higher
Additionally, JavaScript must be enabled on your Web browser. In the address bar, type https:// followed by your module’s IP address. For example, if your module has the IP address 192.168.2.
Figure 3-7. Firefox 3 Tools > Options > Content Window
d. Click OK.
2. Type https:// followed by your module’s IP address in the address field. The following warning is displayed.
Figure 3-8. Firefox 3 Certificate Security Warning
3. Click I Understand the Risks.
4. Click Add Exception. The Add Security Exception window is displayed.
Figure 3-9. Add Security Exception Window
5. Click Get Certificate. The window updates to tell you that the certificate belongs to a different site.
6. Click Confirm Security Exception. The TMS zl Module’s login window is displayed.
Internet Explorer 7 or 8
1. Enable JavaScript.
a. In your browser, click Tools > Internet Options.
b. Click the Security tab.
c.
Figure 3-10. IE Internet Options Window
d. Click Custom Level. The Security Settings— Zone window is displayed.
Figure 3-11. IE Security Settings— Zone Window
e. Scroll down to the Scripting section and click Enable for Active Scripting. Then click OK.
f. Click OK again.
2. Type https:// followed by your module’s IP address in the address field. A warning is displayed.
Figure 3-12.
3. Click Continue to this website (not recommended). The TMS zl Module’s login window is displayed.
Log in to the TMS zl Module Web Browser Interface
When you gain access to the Web browser interface login window, you are prompted to enter a username and password. (See Figure 3-13.)
Figure 3-13. Web Browser Interface Login Window
In the User Name field, type manager, and in the Password field, type the default password: procurve.
When you use the Web browser interface to configure the TMS zl Module, these changes will affect one of two sets of configuration files, depending on whether you apply or save changes:
■ Running configuration—When the TMS zl Module loads the saved configuration, all of the settings become the running configuration, which is held in RAM.
When your changes are saved, you will see this message near the top of the window:
Figure 3-15. Changes Saved to the Startup Configuration
Note
If you click Save before applying the configuration changes, some of your changes may not be applied or saved. Make sure that you apply the configuration changes before you click Save.
■ Click the Delete icon to remove an object.
■ Click the Edit icon to edit an object.
The Delete and Edit icons are called “Tools.”
Dashboard
When operating in monitor mode, the TMS zl Module has two Dashboard tabs:
■ Summary
■ System Graphs
Summary Page. The System > Dashboard > Summary page displays module settings and real-time statistics, as shown in Table 3-7.
Field: Memory Usage
Description: Percentage of real and cached memory being used on the TMS zl Module. High memory usage during low activity periods does not necessarily signal a problem; the cache memory may not have flushed recently.
How to Configure: n/a
■ Data Interface—displays data received and transmitted in bits per second.
You can view each graph by day, by week, by month, or by year. The following example graphs show usage by day.
Figure 3-17.
Figure 3-18. Data Interface Graph
The resolution for the graphs is one sample per minute. That is, each data point on the graph represents one sample, which was taken at some point within a one-minute period. Such sampling provides meaningful information over a period of time but should not be used for short-term analysis.
You can also use the system graphs to help diagnose the cause of a problem should one occur. For example, if you notice a general network slowdown, you can check the system graphs—particularly the CPU Usage and Data Interface graphs—to determine if there is a sharp increase in either CPU usage or interface traffic. If there is no real change in either, you may want to check other devices to determine what is causing the network slowdown.
Management Settings
Figure 3-19. System > Settings > General Window
2. Under Management IP Configuration, configure the following:
a. For VLAN ID, type the management VLAN ID.
b. For IP Address and Subnet Mask, type the management IP address and subnet mask.
3. Click Apply My Changes.
4. Click Save.
Change the Management Users’ Passwords
To protect your network, HP strongly recommends that you immediately change the passwords for the manager and operator accounts.
Figure 3-20. Network > Authentication > Management Users Window
2. From the User list, select manager (read/write) or operator (read only).
3. For Old password, type the current password. The default passwords are: manager = procurve; operator = operator.
4. For New password and Confirm new password, type a new password for the user. The new password cannot have more than 14 characters.
5. Click Apply My Changes.
Configure RADIUS Authentication for Management Users (Optional)
You can use an external RADIUS server to authenticate users who attempt to access the TMS zl Module’s Web browser interface or the CLI using SSH. This feature allows you to create multiple users with manager rights and multiple users with operator rights. It also enables you to track management sessions. Follow these steps:
1. Click Network > Authentication and click the Management Users tab.
Figure 3-22. Network > Authentication > RADIUS Window
2. Under RADIUS Settings, for Authentication Protocol, select the protocol that the TMS zl Module uses to communicate with all of your RADIUS servers. Options include:
• MS-CHAPv1
• CHAP
• PAP
3. Click Add RADIUS Server. The Add RADIUS server window is displayed.
Figure 3-23. Add RADIUS server Window
4. In the Server Address field, type the IP address or FQDN of your RADIUS server. The port is always 1812.
5. In the Secret and Confirm Secret fields, type the shared secret for your RADIUS server.
6. In the NAS Identifier field, type the NAS ID associated with the module. The default NAS Identifier is the module’s hostname.
they simply enter their username. They do not need to include a domain name. When a user submits credentials without a domain name, the module checks the username first against the local manager and operator accounts, and then it checks the username against the RADIUS server in the global domain.
Default Gateway and Static Routes
Table 3-8.
Figure 3-24. Add static route Window
3. For Destination Type, select Default Gateway.
4. For Gateway Address, type the IP address of the default gateway.
5. For Metric, type the cost that you want to assign to the route (0 to 255). If you want this route to be less preferred than another default route, assign it a higher metric.
6. For Distance, type the administrative distance that you want to assign to this route (1 to 255).
Create a Static Route
Typically, the TMS zl Module’s default gateway can perform all the routing that the module requires in monitor mode. However, if necessary, you can create a static route to a specific network or host through a different gateway. Follow these steps:
1. Access the Network > Routing > Static Routes window.
2. Click Add Static Route. The Add Static Route window is displayed.
Figure 3-25. Add Static Route Window
3.
Change the Operating Mode
If you would like to change the operating mode, you can do it from the Web browser interface by completing the following steps. Remember, however, that the module will be rebooted and the last saved startup configuration from that mode will be loaded.
1. Select System > Settings and click the Operating Mode tab.
Figure 3-26. System > Settings > Operating Mode Window
2. Select Routing or Monitor.
Configure DNS Server Settings
To configure the DNS server settings, complete the following steps:
1. Select Network > Settings > General.
Figure 3-27. Network > Settings > General Window
2. For Primary Server, type the IP address of your primary DNS server.
3. Optional: For Secondary Server, type the IP address of your secondary DNS server. If you do not have a secondary DNS server, leave this field blank.
4.
Configuring Event Logging
The TMS zl Module logs events sent from the following sources:
■ Security systems (IDS)
■ Open architecture system
■ Startup scripts (initialization and reboot)
■ Management systems (Web browser, CLI, and SNMP)
■ Common services (TFTP, SCP, and others)
There are four mechanisms for logging events that the TMS zl Module detects:
■ Local logging—The module keeps its own internal logs, which may be exported to a compr
Log Severity
The TMS zl Module automatically classifies events according to severity. Event severity levels are listed below from most severe to least severe:
■ Critical
■ Major
■ Minor
■ Warning
■ Information
By default, the event severity is set to Critical, meaning that only critical messages are logged.
Log Throttling
Log throttling (which is enabled by default) prevents the module from logging duplicate messages for the same event. Instead, the module logs the first event but counts duplicate events without logging them. The module sends a tally message that shows the number of duplicate events after a certain count is reached or after a certain number of seconds have passed since the first event (whichever comes first).
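The severity filter described under “Log Severity” and the duplicate counting described here, as an added illustration written for this guide rather than HP’s own code: a small Python model that logs only events at or above the configured severity, records the first occurrence of an event, suppresses duplicates, and emits a tally after a threshold count or time window, whichever comes first. The threshold values, the log line format, and the sample events are constructed assumptions.

```python
# Constructed model of the TMS zl Module's log severity filter and log throttling.
# Written for this guide as an illustration; it is not HP's implementation.
# The threshold count, time window, line format and sample events are assumptions.
from dataclasses import dataclass, field

# Severity levels from most to least severe, as listed under "Log Severity".
SEVERITY_ORDER = ("Critical", "Major", "Minor", "Warning", "Information")


def at_or_above(event_severity: str, configured: str) -> bool:
    """True when the event is at or above the configured level.

    Configuring Critical (the default) logs the least; Information logs everything.
    """
    return SEVERITY_ORDER.index(event_severity) <= SEVERITY_ORDER.index(configured)


@dataclass
class _Pending:
    first_ts: float       # timestamp of the first, logged occurrence
    duplicates: int = 0   # duplicates seen since then, none of them logged


@dataclass
class ThrottledLog:
    """Logs the first occurrence of an event, counts duplicates, and emits a tally
    once max_duplicates is reached or max_seconds have elapsed since the first
    occurrence, whichever comes first. Timestamps are supplied by the caller so the
    behaviour is deterministic."""
    severity: str = "Critical"   # module default; raise to Information to log everything
    max_duplicates: int = 10     # assumed threshold count
    max_seconds: float = 60.0    # assumed threshold window in seconds
    lines: list = field(default_factory=list)      # what the module would write
    _pending: dict = field(default_factory=dict)   # (source, severity, msg) -> _Pending

    def record(self, ts: float, source: str, severity: str, message: str):
        """Feed one event. Returns the line written to the log, or None if suppressed."""
        if not at_or_above(severity, self.severity):
            return None                       # filtered out by the severity setting
        key = (source, severity, message)
        pend = self._pending.get(key)
        if pend is None:                      # first occurrence: log it and start counting
            self._pending[key] = _Pending(first_ts=ts)
            line = f"{ts:.0f} {source} {severity} {message}"
            self.lines.append(line)
            return line
        pend.duplicates += 1                  # duplicate: count, do not log
        if pend.duplicates >= self.max_duplicates or ts - pend.first_ts >= self.max_seconds:
            return self._emit_tally(key, ts)  # a threshold was reached
        return None

    def flush(self, now: float):
        """Timer path: emit tallies for events whose time window has expired.
        Entries that saw no duplicates are simply forgotten (nothing to tally)."""
        emitted = []
        for key, pend in list(self._pending.items()):
            if now - pend.first_ts >= self.max_seconds:
                if pend.duplicates:
                    emitted.append(self._emit_tally(key, now))
                else:
                    del self._pending[key]
        return emitted

    def _emit_tally(self, key, ts: float) -> str:
        """Write the tally line and reset the counter, so the next duplicate is logged anew."""
        source, severity, message = key
        n = self._pending.pop(key).duplicates
        line = f"{ts:.0f} {source} {severity} {message} (suppressed {n} duplicate(s))"
        self.lines.append(line)
        return line


def demo():
    """Run constructed sample events through a log set to Minor with a low threshold."""
    log = ThrottledLog(severity="Minor", max_duplicates=3, max_seconds=60.0)
    # Constructed events: (timestamp in seconds, source, severity, message)
    events = [
        (0, "IDS", "Major", "signature match on port 1"),          # logged
        (5, "IDS", "Major", "signature match on port 1"),          # duplicate 1, suppressed
        (9, "IDS", "Major", "signature match on port 1"),          # duplicate 2, suppressed
        (12, "IDS", "Major", "signature match on port 1"),         # duplicate 3 -> tally
        (20, "CLI", "Information", "user manager logged in"),      # below Minor, filtered
        (30, "Mgmt", "Minor", "SNMP authentication failure"),      # logged
        (40, "Mgmt", "Minor", "SNMP authentication failure"),      # duplicate 1, suppressed
    ]
    for ev in events:
        log.record(*ev)
    log.flush(100)   # 70 s since the first SNMP event: time window -> tally
    return log.lines  # four lines: two first occurrences and two tallies


if __name__ == "__main__":
    for line in demo():
        print(line)
```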
2. Under Log Severity, select one of the following:
• Critical
• Major
• Minor
• Warning
• Information
Remember that the less severe the setting, the more events the TMS zl Module will log, thereby consuming more system resources.
3.
4.
5. Select Enable Log Threshold Monitoring if you want to ensure that logging will not adversely affect the TMS zl Module’s performance.
View and Export Local Logs
To view or export local logs, click System > Logging > View Log.
Figure 3-31. System > Logging > View Log Window
In this window, you can see a real-time list of events for the TMS zl Module’s operation. The events that are displayed are those at or above the severity selected in the System > Logging > Settings window (the default is Critical).
4. Click Apply filter. Only events with minor severity are displayed on the window.
5. Under Table Columns, select or clear options that you want to include in the logging display.
6. To export a copy of the local log, click the Export log link in the bar above the logged events. Your browser will save the .tgz file according to browser settings. The .tgz file is a compressed archive that contains a space-delimited .
4. For To Email Address, type up to three email addresses that will receive the event logs.
5. Optionally, for User Name and User Password, type the username and password of the administrator account of the email server.
6. Click Apply My Changes.
7. Click Save.
Configure Syslog Forwarding
To forward event logs to a syslog server, complete the following steps:
1. Click System > Logging and then click the Syslog Forwarding tab.
Figure 3-33.
4. For Address, type the IP address or FQDN of the syslog server.
5. For Port, type the port number of the syslog server. The well-known port for syslog is 514.
6. From the Facility list, select the facility from which the events will be sent.
7. Click OK.
8. Click Save.
Use the Edit and Delete icons in the Tools column to alter or remove a syslog server.
To enable SNMP traps, do one or both of the following:
■ Select the Enable SNMPv2 traps check box.
■ Select the Enable SNMPv3 traps check box.
Add an SNMPv2 Trap Destination
To add an SNMPv2 trap destination (such as PCM+/NIM), complete the following steps:
1. Under Enable SNMPv2 traps, click Add another destination. The Add SNMPv2 Destination window is displayed.
Figure 3-36. Add SNMPv2 Destination Window
2.
Figure 3-37. Add SNMPv3 Destination Window
2. For Server Address, type the IP address or FQDN of an SNMPv3 server. For example, if you are using PCM+/NIM, you would enter the IP address or FQDN of the server running PCM+/NIM.
3. For Username, type a username for the SNMPv3 account that will be used with this trap destination. The username must match a username in an account on the SNMPv3 server.
SNMP Settings
The TMS zl Module supports SNMPv1/2 and v3, allowing you to manage it through an SNMP management console (such as PCM+/NIM). If you are going to allow remote management through SNMP, make sure that you configure the SNMP settings on the TMS zl Module to match those configured on the SNMP management console. (You can also configure the TMS zl Module to send SNMP traps. See “Configure SNMP Traps” on page 3-58.
• Private
– Role = Manager
– Write Access = Unrestricted
You can change the names, roles, and write access of the default communities, or you can add new communities. Editing and adding a community are much the same process. Follow these steps:
3. Complete one of these two steps:
• To edit one of the default communities, click the Edit icon in the Tools column for the community that you want to edit.
Figure 3-39.
7. Click OK.
8. Click Save.
If you want to add more SNMPv1/v2 communities, repeat these steps.
Note
If you add new communities rather than edit the default communities, the default communities will continue to allow access unless you delete them. To delete a community, click the Delete (X) icon in the Tools column for that community.
Configure SNMPv3 Settings
To configure SNMPv3 settings, complete the following steps:
1.
4. For Role, select the role of the account: Manager (read/write) or Operator (read only).
5. For Authentication Protocol, select the protocol specified for the account on the SNMPv3 server: MD5 or SHA-1.
6. For Authentication Passphrase, type the authentication passphrase for the account. The passphrase must be between 8 and 265 characters (special or alphanumeric).
7.
To manage your module through PCM+/NIM, you must configure SNMPv1/2c with the PCM+ server’s community names or SNMPv3 with the user settings specified on PCM+. (See “SNMP Settings” on page 3-61.) For more information about managing the TMS zl Module through PCM+/NIM, see the HP ProCurve Manager Network Administrator’s Guide, version 3.10 or later.
Ping Utility
You might want to check the TMS zl Module’s connectivity with devices such as SNMP trap servers, PCM+/NIM, or a syslog server. To ping an IP address or hostname, complete the following steps:
1. Click System > Utilities > Ping.
2. For Hostname/IP Address, type the hostname or IP address of the device you are trying to reach.
3. For Repetitions, select the number of ping messages you want the module to send.
Figure 3-42. System > Utilities > Ping Window
5. Click Ping. The results of the ping are displayed in the Results field.
System Maintenance
This section teaches you how to complete these system maintenance tasks on the TMS zl Module:
■ Save the current startup-config to an external drive. See “Back Up the Startup-Config” on page 3-68.
■ Restore the startup-config to a previously saved configuration. See “Restore to a Previously Saved Configuration” on page 3-69.
■ Erase the startup-config and return to factory default settings (retaining any existing IDS/IPS signatures).
Figure 3-43. System > Maintenance > Back Up/Restore Window
2. Click Back Up and follow the prompts to save the startup configuration file to a selected directory.
Note
If possible, it is best to name the configuration file after the date on which it was saved. For example, if the configuration was saved on November 03, 2009, name it 2009-11-03.cfg. The saved configuration file is encrypted.
Erase the Startup-Config and Return to Defaults
You can erase the startup configuration. This action erases your configuration changes and returns them to factory defaults. However, your IDS/IPS signatures are retained. You can erase the startup configuration from two places:
■ Web browser interface
■ CLI Product OS
If you are unable to access the Web browser interface, you can use the CLI Product OS to restore the module’s IP settings.
Erasing the Startup Configuration from the CLI Product OS
You can erase the startup configuration from the Product OS context by following these steps:
1. Access the TMS zl Module Product OS in one of the following two ways:
• Through the host switch CLI:
i. Access the host switch CLI and enter the manager context.
ii.
Restore to Factory Default Settings (Including IDS/IPS Signatures)
You can restore the module to the factory default settings by uninstalling then reinstalling the software image. When you uninstall and reinstall the software, you will lose all of your IDS/IPS signatures as well as all of your settings. After restoring factory defaults, you will need to reconfigure your module settings and download the IDS/IPS signatures again.
For example:
hostswitch(services-module-C:HD)# show images
--------Image Repository--------
1) ST.1.1.100330
2) ST.1.1.100226
3) ST.1.0.090603
6. If the latest software image is not in the image repository, follow steps 1 through 9 in “Update the Software with USB Drive” on page 3-79 to transfer the image folder to the module.
7. Uninstall the current product software:
Syntax: uninstall product
Uninstalls the current TMS zl Module software.
For example:
hostswitch# boot product
System will be rebooted. Do you want to continue [y/n]? y
Rebooting
The module is now restored to the factory default settings.
Update the Module Software
The software for the module can be updated through the Web browser interface or the CLI.
b. File Name—Type the name of the image file, including the extension, for example, ST.1.1.100330.zip. Remember to include the path to the file if it is in a subdirectory.
If you select SCP:
a. Server IP—Type the IP address of the SCP server in dotted-decimal format.
b. User Name—Type the user name for an SCP account that has access to the directory with the software image.
c.
Update the Software from an FTP or SCP Server. To update the module software using an FTP or SCP server, do the following:
1. Transfer the compressed image onto an FTP or SCP server.
2. Access the TMS zl Module Product OS in one of the following two ways:
• Through the host switch CLI:
i. Access the host switch CLI and enter the manager context.
ii.
3. Copy the image from the server and install it.
Syntax: copy image user
Copies and installs a TMS zl Module software image from an FTP or SCP server. Replace with the IP address of the server. Replace with the path and filename of the software image, including the .zip extension.
• Through the host switch CLI:
i. Access the host switch CLI and enter the manager context.
ii. Enter the Product OS context for the TMS zl Module:
Syntax: services < | name >
Moves you to an OS context on the module. Replace with the letter for the chassis slot in which the module is installed. Replace with the product index assigned to the TMS zl Module.
For example, you have copied the software image to a TFTP server with these parameters:
• IP address—192.168.1.13
• Filename—ST.1.1.100330.zip (copied to the root directory)
You would enter the following command:

hostswitch(tms-module-C)# copy tftp image 192.168.1.13 ST.1.1.100330.zip

4. The image is uploaded to the module, then automatically installed. When the prompt says that the installation is finished, reboot the module to complete the update.
9. Copy the image from the drive to the module.
Syntax: usb copyfrom
Copies a file from the USB drive to the module. Replace with the name of the extracted directory. For example, if the image directory name is ST.1.1.100330, you would type:

hostswitch(services-module-C:HD)# usb copyfrom ST.1.1.100330

You can type the first few letters of the directory name, then press [Tab] to complete the name.
4 Firewall

Contents (partial)
Overview 4-4
General Firewall Concepts 4-4
Advantages of an Integrated Firewall 4-5
Stateful Firewall 4-6
Packet-Filtering Firewall
Policy Examples 4-40
Unicast Access Policy 4-40
Scheduled Access Policy 4-42
Rate-Limiting Access Policy 4-44
User Authentication
Enable and Disable ALGs 4-97
Port Triggers 4-98
Example Port Trigger 4-101
Attack Checking 4-104
Attack Check Descriptions
Overview
This chapter covers the configuration of the TMS zl Module firewall, including these features:
■ “Named Objects” on page 4-9
■ “Firewall Access Policies” on page 4-22
■ “User Authentication” on page 4-47
■ “Application-Level Gateways (ALGs)” on page 4-88
■ “Attack Checking” on page 4-104
■ “Connection Timeouts” on page 4-113
■ “Resource Allocation” on page 4-116
■ “IP Reassembly” on page 4-127
It is best practice to configure named objects before you set up firewa
General Firewall Concepts
Today’s networks have changed, however. As companies have adapted their networks to meet the ever-changing face of business, the boundaries between private and public networks have blurred. The Internet has become a critical work tool for nearly every company, and companies have opened parts of their private network to guests—such as partners and customers—allowing temporary and permanent accounts with varying levels of access.
Stateful Firewall
The TMS zl Module has a stateful firewall, which examines packet content at several OSI layers. It combines aspects of:
■ A packet-filtering firewall
■ A circuit-level gateway
■ An application-level gateway

Packet-Filtering Firewall
A packet-filtering firewall is a router, switch, or computer that runs firewall software that has been configured to screen incoming and outgoing packets.
Valid but illogical handshakes and packets with invalid IP addresses are often a sign that an attacker is attempting to infiltrate or gain information about a private network. The TMS zl Module automatically recognizes the flags that mark common attacks and drops packets that contain them. (See “Enable and Disable Optional Attack Checks” on page 4-111 for instructions.)
ALGs are covered in more detail in “Application-Level Gateways (ALGs)” on page 4-88 and “Enable and Disable ALGs” on page 4-97. The TMS zl Module includes ALGs for several specific applications. In keeping with best security practices, however, only one ALG—the FTP ALG—is enabled by default. You must explicitly enable any other ALGs that your organization might need. (Enabling ALGs opens ports on the firewall and uses system resources.)
Named Objects
A named object is a logical “container” used in firewall access policies, NAT policies, and port triggers to stand for one or more addresses, services, or schedules under a single name. The advantage of using named objects is that you create the object once; if its parameters later change, you edit the object without needing to change the parameters in each policy that uses it.
Table 4-1.
Note
You cannot combine address types in one address object. For example, you cannot combine address ranges with network addresses. To create a named object with more than one address type, create an address group (see “Address Groups” on page 4-13).
Figure 4-3. Add Address Object Window (IP Type)
3. Type a name for the object in the Name field.
Note
When specifying a Name, you can use up to 32 alphanumeric characters and the following special characters: exclamation point (!), asperand (@), hash sign (#), dollar sign ($), asterisk (*), hyphen (-), and underscore (_).
4. Do one of the following:
• Create an IP address object:
i. Select IP from the Type list.
ii. Select an entry type.
iii.
iii. In the space provided, type an IP address range in dotted-decimal format. For multiple-entry objects, type each entry on its own line. Example:
192.168.1.1-192.168.1.100
10.12.1.1-10.13.255.255
You can add up to 100 IP address ranges to a single address object.
• Create a domain address object:
i. Select Domain name from the Type list.
ii. In the Entries field, type one or more URLs or FQDNs, each on its own line. Example:
www.companyABC.com
production.eng.company.
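The rules above (a name of up to 32 characters from the allowed set, one entry type per address object, and at most 100 ranges per object) are the kind of constraints an administrator usually wants to check in bulk before pasting entries into the Add Address Object window. The validator below is an added example, not the module's own code or any HP tool: the entry-type labels, the domain-name pattern and the error messages are assumptions made for this example, while the sample entries are the ones shown in the guide.

```python
"""Validator for named address objects as the guide describes them.

Added example, not the TMS zl Module's own code.  It enforces the rules the
guide states: a name of up to 32 characters drawn from letters, digits and
! @ # $ * - _; entries of exactly one type per object (single IP addresses,
dotted-decimal IP address ranges, or domain names); and at most 100 IP
address ranges per object.  Type labels and messages are assumptions.
"""
import ipaddress
import re

NAME_RE = re.compile(r"^[A-Za-z0-9!@#$*_-]{1,32}$")
# Assumed domain pattern: two or more labels of 1-63 characters, 253 in total.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z0-9-]{1,63}$")
MAX_RANGES = 100
TYPE_IP, TYPE_RANGE, TYPE_DOMAIN = "ip", "range", "domain"   # hypothetical type labels


def classify_entry(entry: str) -> str:
    """Return the type of one entry line, raising ValueError if it is not valid."""
    entry = entry.strip()
    lo_hi = [p.strip() for p in entry.split("-")]
    if len(lo_hi) == 2:
        try:
            lo, hi = (ipaddress.IPv4Address(p) for p in lo_hi)
        except ValueError:
            pass   # not a range; a domain name may also contain a hyphen
        else:
            if lo > hi:
                raise ValueError(f"range start is after range end: {entry}")
            return TYPE_RANGE
    try:
        ipaddress.IPv4Address(entry)
        return TYPE_IP
    except ValueError:
        pass
    if DOMAIN_RE.match(entry):
        return TYPE_DOMAIN
    raise ValueError(f"unrecognised address entry: {entry!r}")


def validate_address_object(name: str, entries) -> tuple:
    """Validate one address object; return (entry_type, cleaned_entries) or raise ValueError."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid object name {name!r}: up to 32 characters from letters, digits and !@#$*-_")
    cleaned = [e.strip() for e in entries if e.strip()]
    if not cleaned:
        raise ValueError("an address object needs at least one entry")
    types = {classify_entry(e) for e in cleaned}
    if len(types) != 1:
        # The guide: address types cannot be mixed in one object; use an address group instead.
        raise ValueError(f"mixed entry types {sorted(types)}: put separate objects in an address group")
    kind = types.pop()
    if kind == TYPE_RANGE and len(cleaned) > MAX_RANGES:
        raise ValueError(f"{len(cleaned)} ranges exceed the limit of {MAX_RANGES} per object")
    return kind, cleaned


def check_address_object(name: str, entries):
    """Return None if the object is valid, else the error message (handy for batch checks)."""
    try:
        validate_address_object(name, entries)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_address_object("DMZ_Servers", ["10.1.10.10", "10.1.10.21", "10.1.10.35"]))
    print(check_address_object("Mixed", ["10.1.10.10", "192.168.1.1-192.168.1.100"]))
```

Running the module prints the parsed DMZ_Servers object from the unicast policy example later in this chapter, then the error for an object that mixes a single address with a range, which the guide says must instead be built as an address group.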
To add an address group, follow these steps:
1. Click Firewall > Access Policies and click the Address Groups tab.
Figure 4-4. Firewall > Access Policies > Address Groups Window
2. Click Add Address Group.
Figure 4-5. Add Address Group Window
3. For Name, specify a name for the address group.
Note
8. Create another address group or click Close.
9. Click Save.

Service Objects
A service object is a named object that contains a type of service. You can have up to 500 service objects. Some common service objects are included with the TMS zl Module, as shown in Table 4-2. You can use service objects in firewall access policies, NAT policies, port triggers, and IPsec policy traffic selectors.
Table 4-2.
Service | Transport Protocol | Port | Description
gopher | TCP | 70 | Gopher protocol
h323 | TCP | 1720 | H.
Service | Transport Protocol | Port | Description
pim-auto-rp-tcp | TCP | 496 | Protocol Independent Multicast, reverse path flooding, dense mode over TCP
pim-auto-rp-udp | UDP | 496 | Protocol Independent Multicast, reverse path flooding, dense mode over UDP
pop2 | TCP | 109 | Post Office Protocol version 2
pop3 | TCP | 110 | Post Office Protocol version 3
pptp | TCP | 1723 | Point-to-Point Tunneling Protocol
radius | UDP | 1812 | Remote Authentication Dial-In User Service
radius-acct | UDP | 1813 |
To create a service object, follow these steps:
1. Click one of the following:
• Firewall > Access Policies and click the Services tab
• Firewall > NAT Policies and click the Services tab
• Firewall > Port Triggers and click the Services tab
Figure 4-6. Firewall > Access Policies > Services Window (Partial)
2. Click Add Service.
Figure 4-7. Add Service Window
3.
5. If you selected TCP or UDP in step 4, in the Port(s) fields, type the port number range. If there is only one port number, type it in the first field. When creating a service object for a well-known service on an alternative port, you may also need to configure a port-to-service association. (See “Port Mapping” on page 4-85.)
6. Click Apply.
7. Add another service object or click Close.
8. Click Save.
Figure 4-9. Add Service Group Window
3. For Name, specify a name for the service group.
Note
When specifying a Name, you can use alphanumeric characters and the following special characters: exclamation point (!), asperand (@), hash sign (#), dollar sign ($), asterisk (*), hyphen (-), and underscore (_).
4. From the Available Services list, select a service.
5. Click the Move Right button to move the service into the Group Members list.
6.
Figure 4-10. Firewall > Access Policies > Schedules Window
2. Click Add Schedule. The Add Schedule window is displayed.
Figure 4-11. Add Schedule Window
3. Specify a name for the schedule object in the Name field.
Note
You can use only letters, numbers, and the underscore character (_) in this field.
4. Select each day that you want to include in the schedule.
5.
8. Click Save.
Note
The TMS zl Module gets its time and date information from the host switch. If the time has not been properly configured on the switch, the schedules will not be applied at the right time.

Firewall Access Policies
This section covers the TMS zl Module firewall access policies, which control all traffic routed in and out of TMS VLANs:
■ For detailed information about access policies, see “Access Policy Concepts” on page 4-22.
When the TMS zl Module receives traffic that is not part of a current session, it matches the traffic against the group of policies that apply to it, beginning with the policy with the lowest index number. If the traffic does not match any of the policies, the module applies the implicit deny policy and drops the traffic.
An access policy applies an action to selected traffic:
■ Permit—Permit the traffic
■ Deny—Drop the traffic
When an access policy permits traffic, it can also apply the following access controls:
■ Rate—You can impose rate limits on unicast access policies.
■ TCP MSS—When you set this value (available only for unicast access policies), the TMS zl Module forces the device involved in the connection to use the specified maximum segment size (MSS).
the standard 40 bytes for TCP and IP headers minus another 24 bytes for the GRE and IP delivery headers). If the path between your module and the connection’s destination includes a device with a smaller MTU, adjust the recommendations accordingly. For example, if your smallest MTU is 1400, you set the MSS for traffic sent over a GRE tunnel to 1336.
Table 4-3.
Table 4-4. [Zone] to Self
ICMP/echo, snmp, bootpc, snmptrap, bootps, ssh, https

Table 4-5. Self to [Zone]
bootpc, ftp, radius, snmptrap, bootps, http, radius-acct, ssh, dns-tcp, https, smtp, syslog, dns-udp, ICMP/echo, snmp, tftp

You can modify or delete these policies as desired. These policies are automatically deleted when you remove the management-access designation from a zone.
• In each zone where your users reside, create a new firewall access policy that permits HTTPS access from that zone to Self and set the maximum connections to 5. (See “Create Firewall Access Policies” on page 4-29.) The maximum connection limit does not limit how many authenticated user sessions are permitted; it limits how many requests to the HTTP server can be made at one time.
For example, suppose you want to block all traffic that originates from the IP address 10.5.0.13 and is destined for 10.5.0.220. Because the two addresses belong to the same subnet (VLAN_5, 10.5.0.0/16), the switch automatically forwards the traffic at Layer 2, and the traffic never passes through the TMS zl Module. In this case, host 10.5.0.13 is able to contact server 10.5.0.220 with HTTP and HTTPS despite the existence of the “orphaned” firewall access policy.
Caution
The TMS zl Module automatically applies an implicit deny to traffic that is not selected by another access policy. Therefore, you do not have to create a final access policy to deny all other traffic. In fact, you should not configure such a policy because it might interfere with the proper functioning of any ALGs that are enabled.

Create Firewall Access Policies
To configure a firewall policy, complete the following steps:
1.
4. From the Action list, select Permit Traffic or Deny Traffic.
5. From the From list, select the source zone.
6. From the To list, select the destination zone.
7. Under Matching Criteria, configure the criteria for selecting traffic that is controlled by this policy. For any of the fields, you can accept the default values (Any Service or Any Address) or you can configure a specific value:
a.
8. Select the Enable this Policy check box to enable the access policy.
9. Select the Enable IPS for this Policy check box to enable IPS to check sessions established with this policy.
10. Optionally, select the Enable logging on this Policy check box to log access policy activities.
Note
It is not recommended that you enable logging permanently because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.
11.
14. For TCP MSS (Optional), type the maximum segment size. Valid values are between 1 and 9200 bytes. If you want to allow devices to select their MSS on their own, leave this box empty. Typically, devices can determine their MSS for the connection on their own. However, you often need to set the MSS for access policies that permit traffic that will be sent over a GRE tunnel or a VPN connection.
Continue adding access policies until you have created all of the policies for this type of traffic, user group, and source and destination zone.
Caution
The TMS zl Module automatically applies an implicit deny to traffic that is not selected by another access policy. Therefore, you do not have to create a final access policy to deny all other traffic.
Figure 4-15.
If you modify access policy 2 to permit only traffic from 10.1.5.5–10.1.5.30, the connection will be reevaluated against the modified policy. The modified policy permits the traffic, so the session is continued. Figure 4-16 shows that the connection is still permitted by Internal-to-DMZ policy 2.
Figure 4-16.
If you modify access policy 2 to permit only HTTPS traffic, the connection will be reevaluated against the modified policy. The modified policy does not permit the traffic, so the connection is dropped. When the endpoint in the Internal zone attempts to reconnect, the connection request is evaluated against all of the Internal-to-DMZ policies. In Figure 4-17, you can see that the traffic is now permitted by Internal-to-DMZ policy 3.
Figure 4-17.
Adding an Overlapping, Higher-Position Policy
If you add a policy that overlaps an existing policy, and the new policy has a higher priority, then traffic in the overlapping address set that was allowed by the original policy will be dropped and reevaluated. In Figure 4-18, the endpoint in the Internal zone has an established FTP session with the FTP server in the DMZ. This connection was permitted by Internal-to-DMZ policy 2.
Figure 4-18.
If you add the new policy with priority 2 that is shown in Figure 4-19, the connection is dropped because it is within the address space that overlaps between the current policy and the new policy with a higher priority. When the connection attempts to reinitiate, it is reevaluated against all of the Internal-to-DMZ policies. Figure 4-19 shows that the connection is permitted by Internal-to-DMZ policy 3, which used to be policy 2.
Figure 4-19.
Deleting a Policy
If you delete the policy that allowed an endpoint to send or receive traffic, the connections will be dropped and reevaluated. In Figure 4-20, the endpoint in the Internal zone has an established FTP session with the FTP server in the DMZ. This connection was permitted by Internal-to-DMZ policy 2.
Figure 4-20.
If you delete Internal-to-DMZ policy 2, the connection is dropped and then reevaluated against all of the Internal-to-DMZ policies. Figure 4-21 shows that the connection is now permitted by Internal-to-DMZ policy 2, which used to be policy 3.
Figure 4-21.
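The three cases above (modifying the permitting policy, inserting an overlapping higher-position policy, and deleting the permitting policy) differ in what happens to an established session, and that difference matters when you change policy on a busy module. The simulator below is an added example written for this guide's explanation, not the TMS zl Module's own code: it models first-match evaluation with the implicit deny, and replays the Internal-to-DMZ FTP scenario from the figures. The policy and session records, the zone names, the services and the addresses are constructed for the example, and the third policy is assumed to be the FTP policy the figures show the reconnected session landing on.

```python
"""First-match access policy evaluation with session re-evaluation.

Added example, not the TMS zl Module's own code.  Models the guide's rules:
new traffic is matched in index order (lowest first) with an implicit deny;
a session is re-checked only against a policy that is modified; it is dropped
when a higher-position policy is inserted over its address space or when its
policy is deleted, and re-evaluated against the whole list when it reconnects.
All policies, sessions, zones and addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    action: str             # "permit" or "deny"
    src_zone: str
    dst_zone: str
    service: str            # "any" or one service name
    src: str = "0.0.0.0/0"  # CIDR or dotted-decimal range "lo-hi"
    dst: str = "0.0.0.0/0"


@dataclass(eq=False)        # identity comparison: two sessions are never "equal"
class Session:
    src_zone: str
    dst_zone: str
    service: str
    src_ip: str
    dst_ip: str
    permitted_by: Optional[int] = None   # 1-based index of the permitting policy


def addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.IPv4Network(spec, strict=False)


def address_overlap(p: Policy, s: Session) -> bool:
    """Same zone pair and both session endpoints inside the policy's address sets."""
    return (p.src_zone == s.src_zone and p.dst_zone == s.dst_zone
            and addr_matches(p.src, s.src_ip) and addr_matches(p.dst, s.dst_ip))


def policy_matches(p: Policy, s: Session) -> bool:
    return address_overlap(p, s) and p.service in ("any", s.service)


def evaluate(policies: List[Policy], s: Session):
    """First match wins; ("deny", None) is the implicit deny."""
    for idx, p in enumerate(policies, start=1):
        if policy_matches(p, s):
            return p.action, idx
    return "deny", None


def connect(policies, sessions, s: Session) -> bool:
    action, idx = evaluate(policies, s)
    if action == "permit":
        s.permitted_by, _ = idx, sessions.append(s)
    return action == "permit"


def _drop(sessions, victims):
    for s in victims:
        sessions.remove(s)
    return victims


def _renumber(policies, sessions):   # survivors keep running; only their index changes
    for s in sessions:
        s.permitted_by = evaluate(policies, s)[1]


def modify_policy(policies, sessions, index, new):
    """Sessions permitted by this policy are re-checked against the modified policy only."""
    policies[index - 1] = new
    return _drop(sessions, [s for s in sessions if s.permitted_by == index
                            and not (new.action == "permit" and policy_matches(new, s))])


def insert_policy(policies, sessions, position, new):
    """Sessions inside the new higher-position policy's address space are dropped."""
    policies.insert(position - 1, new)
    dropped = _drop(sessions, [s for s in sessions if address_overlap(new, s)])
    _renumber(policies, sessions)
    return dropped


def delete_policy(policies, sessions, index):
    del policies[index - 1]
    dropped = _drop(sessions, [s for s in sessions if s.permitted_by == index])
    _renumber(policies, sessions)
    return dropped


def internal_to_dmz():   # constructed policy list in the shape of the guide's figures
    return [Policy("permit", "Internal", "DMZ", "http"),
            Policy("permit", "Internal", "DMZ", "any", "10.1.5.0/24", "10.1.10.0/24"),
            Policy("permit", "Internal", "DMZ", "ftp", "0.0.0.0/0", "10.1.10.0/24")]


def ftp_session():
    return Session("Internal", "DMZ", "ftp", "10.1.5.20", "10.1.10.10")


def scenario_modify():
    """Returns (first index, still up after narrowing, dropped after HTTPS-only, index on reconnect)."""
    policies, sessions, s = internal_to_dmz(), [], ftp_session()
    connect(policies, sessions, s)
    first = s.permitted_by
    modify_policy(policies, sessions, 2, Policy("permit", "Internal", "DMZ", "any", "10.1.5.5-10.1.5.30", "10.1.10.0/24"))
    still_up = s in sessions
    modify_policy(policies, sessions, 2, Policy("permit", "Internal", "DMZ", "https", "10.1.5.5-10.1.5.30", "10.1.10.0/24"))
    again = ftp_session()
    connect(policies, sessions, again)
    return first, still_up, s not in sessions, again.permitted_by


def scenario_insert():
    """Returns (index before, sessions dropped, index on reconnect)."""
    policies, sessions, s = internal_to_dmz(), [], ftp_session()
    connect(policies, sessions, s)
    dropped = insert_policy(policies, sessions, 2, Policy("permit", "Internal", "DMZ", "http", "10.1.5.0/24", "10.1.10.0/24"))
    again = ftp_session()
    connect(policies, sessions, again)
    return s.permitted_by, len(dropped), again.permitted_by


def scenario_delete():
    """Returns (index before, sessions dropped, index on reconnect)."""
    policies, sessions, s = internal_to_dmz(), [], ftp_session()
    connect(policies, sessions, s)
    dropped = delete_policy(policies, sessions, 2)
    again = ftp_session()
    connect(policies, sessions, again)
    return s.permitted_by, len(dropped), again.permitted_by
```

scenario_modify() returns (2, True, True, 3): narrowing the source range keeps the session up, restricting the service to HTTPS drops it, and the reconnect lands on policy 3. scenario_insert() returns (2, 1, 3) and scenario_delete() returns (2, 1, 2), matching Figures 4-19 and 4-21. The practical point is the one the guide makes with its Caution: because the implicit deny already covers unmatched traffic, inserting an explicit catch-all deny would itself be a policy change that drops overlapping sessions.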
To create the example unicast access policy, follow these steps:
1. Create a multiple-entry IP address object named DMZ_Servers with the server addresses: 10.1.10.10, 10.1.10.21, and 10.1.10.35. (See “Named Objects and Their Uses” on page 4-10 for instructions.)
2. Click Firewall > Access Policies > Unicast.
3. From the User Group list, select None.
4. Click Add a Policy.
5. From the Action list, select Permit Traffic.
6. From the From list, select EXTERNAL.
7.
12. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy.
13. Optionally, select the Enable logging on this Policy check box.
Note
It is not recommended that you enable logging permanently, because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.
14. Click Apply.
15. Click Save. The policy should appear as shown in Figure 4-23.
Figure 4-23.
Figure 4-24. Add Policy Window
12. Select the Enable this Policy check box.
13. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy.
14. Optionally, select the Enable logging on this Policy check box.
Note
It is not recommended that you enable logging permanently, because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.
15. Click the Advanced tab.
Figure 4-25. Add Policy Window
16. From the Schedule list, select Thurs_Mtg.
17. Click Apply, then Close.
18. Click Save. The policy should appear as in Figure 4-26.
Figure 4-26. Zone1-to-External Zone Firewall Access Policy

Rate-Limiting Access Policy
In this example, a policy will be created to limit outgoing connections from all users in the guest user group to 500. To create this policy, follow these steps:
1. Click Firewall > Access Policies > Unicast.
2.
5. From the From list, select INTERNAL.
6. From the To list, select EXTERNAL.
7. From the Service list, select Any Service.
8. From the Source list, select Any Address.
9. From the Destination list, select Any Address.
Figure 4-27. Add Policy Window
10. Select the Enable this Policy check box.
11. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy.
12. Optionally, select the Enable logging on this Policy check box.
Figure 4-28. Add Policy Window
14. For Maximum connections, type 500.
15. Click Apply, then Close.
16. Click Save. The policy should be displayed as in Figure 4-29.
Figure 4-29.
User Authentication
Beyond firewalls, VPNs, and intrusion prevention and detection systems, the TMS zl Module can enforce user authentication. Users are forced to authenticate to the network before they can access any network resources. When they are authenticated, they are authorized for the correct resources and services according to their identity. Users authenticate by entering their login credentials on a Web page (for which you can customize the banner).
rization. Rather, you must either integrate the RADIUS server with the existing system or transfer all authentication information to the RADIUS server, essentially replacing the legacy authentication server. Additionally, using a RADIUS server for authentication enables you to create multiple manager and operator accounts for the TMS zl Module with customized names. With separate accounts for each user, you can easily track when a particular user logs in.
Table 4-7.
The steps of the handshake are as follows:
1. The client sends a request for access to the NAS, which translates it into an Access-Request packet and sends it to the RADIUS server. An Access-Request packet has the following fields:
• Username (up to 64 characters on the TMS zl Module)
• Password (up to 64 characters on the TMS zl Module)
• NAS port
• NAS ID
Note
The field NAS-Identifier is only sent for CHAP and MS-CHAP authentication requests (not for PAP requests).
Table 4-8. Advantages and Disadvantages of CHAP
Advantages:
• Prevents playback attacks by incrementally changing the identifier and challenge values.
• Both the client and the server must know the secret, but the secret is never sent over the line.
Disadvantages:
• The shared secret must be in plain text, so you cannot use irreversibly encrypted passwords.

MS-CHAP.
2. The RADIUS server determines if the credentials are valid. If the credentials are invalid, the RADIUS server sends an Access-Reject packet, and the NAS denies network access to the user. If the credentials are valid, the RADIUS server sends an Access-Accept packet, and the NAS permits the user to access the network.
PAP is a weaker protocol than CHAP and should only be used if the RADIUS server does not support CHAP.
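Table 4-8 and the PAP note above make more sense when you see what the NAS actually puts into the Access-Request in each case. The code below is an added example, not the module's code or any RADIUS server's: it implements the User-Password hiding that PAP requests use (RFC 2865 section 5.2) and the CHAP digest carried in the CHAP-Password attribute (RFC 1994, as RFC 2865 section 5.3 describes), from both the NAS side and the server side. The shared secret, password, Request Authenticator and challenge bytes are constructed for the example. It shows two things the table states: the server can only verify CHAP if it holds the user's password in clear, and a captured CHAP response is useless against a fresh challenge, whereas the PAP hiding is reversible by anyone who knows the shared secret.

```python
"""PAP password hiding and CHAP challenge-response as carried in RADIUS Access-Request packets.

Added example, not the TMS zl Module's own code.  hide_user_password() and
reveal_user_password() implement the RFC 2865 section 5.2 User-Password hiding
used by PAP requests; chap_response() and chap_verify() implement the RFC 1994
CHAP digest that the RADIUS CHAP-Password attribute carries.  All sample
secrets, passwords, authenticators and challenges are constructed.
"""
import hashlib
import hmac
import os


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side: XOR each 16-byte block of the NUL-padded password with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_authenticator   # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden, prev = hidden + block, block
    return hidden


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: the same keystream, so anyone holding the shared secret recovers the password."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")   # strip padding (a password ending in NUL is not representable)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side: CHAP-Password = Ident || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side: needs the user's password in clear, the CHAP drawback Table 4-8 lists."""
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + stored_password + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def chap_replay_rejected(password: bytes) -> bool:
    """Why CHAP resists playback: a captured response fails against a fresh challenge."""
    first, second = os.urandom(16), os.urandom(16)
    captured = chap_response(1, password, first)
    return chap_verify(captured, password, first) and not chap_verify(captured, password, second)


if __name__ == "__main__":
    ra = os.urandom(16)                               # Request Authenticator chosen by the NAS
    hidden = hide_user_password(b"s3cret-pass", b"shared-secret", ra)
    print("PAP hidden password:", hidden.hex())
    print("server recovers:", reveal_user_password(hidden, b"shared-secret", ra))
    print("CHAP replay rejected:", chap_replay_rejected(b"s3cret-pass"))
```

Note what each side must store: for PAP the server needs only the shared secret plus whatever form of the user's password it can check against, while for CHAP it must be able to reproduce MD5(Ident || password || challenge) and therefore needs the plaintext password itself, which is why the guide says irreversibly encrypted password stores cannot be used with CHAP.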
Rate Limits. Rate limits ensure that each user shares network resources, and they prevent an infected endpoint from monopolizing all bandwidth. A rate limit sent by the RADIUS server supersedes any rate limit in a module firewall access control policy.

Using HP IDM with RADIUS Servers
You can use HP Identity Driven Manager (IDM), a plug-in to HP ProCurve Manager Plus (PCM+), to further refine user access policies when users log in through the TMS zl Module.
Figure 4-32. Two Networks Merged with a Router That NATs Traffic
This type of network design should not be used in conjunction with the user authentication feature. Once a Web-authenticated firewall user has provided a valid username/password, the TMS zl Module uses the source IP address to map subsequent packets from that address to the user.
2. Create a group-specific, rate-limiting access policy that allows HTTPS traffic from the zone in which you will require authentication. See “Configure the Access Policy to Permit Log in Traffic” on page 4-56.
3. Configure authentication, either:
• Configure authentication to the local database. See “Configure Authentication to the Local Database” on page 4-60.
• Configure authentication to an external RADIUS server.
Figure 4-33. System > Settings > General Window
2. If you want to use HTTP or HTTPS ports other than the well-known ports, configure the settings under Web Sessions. These port numbers will apply to both the authenticating users and management users. You also might need to configure a port map for the new HTTP port. (See “Port Mapping” on page 4-85.)
a. For HTTP Port, type the new port for HTTP authentication traffic.
b.
2. For User Group, select the group name that you have configured on the local database (see “Configure Authentication to the Local Database” on page 4-60).
3. Click Add Policy. The Add Policy window is displayed.
4. From the Action list, select Permit Traffic.
5. From the From list, select the zone for which you want to require authentication.
6. From the To list, select SELF.
7.
Figure 4-34. Add Policy Window
12. Optionally, in the Insert Position field, specify the priority of this access policy.
13. Click Apply, and then click the Advanced tab.
14. Specify the number of connections and interval by which you want to limit traffic. In this example, the limit is 800 connections per second.
Figure 4-35. Add Policy Window
15. Click Apply.
16. Click Close.
17. Click Save.
The access policy or policies that you have created should be the only access policies for the users’ zone (or IP addresses) that have no user group setting. When a user authenticates, the TMS zl Module maps his or her device’s source IP address to the correct user group. The module then applies the firewall access policies configured for that group. You must now configure authentication.
Configure Authentication to the Local Database
Rather than use an external server, you can use the module to authenticate users. The TMS zl Module has just one default user group, the guest user group. However, you can configure up to 16 user groups and up to 100 users. Users submit their credentials to the module, and the module checks its local database to see if the credentials match. If they do, the module authenticates users to the user group configured in its database.
■ Group—This column lists every user group configured on the TMS zl Module.
■ Username—This column lists the username for every local user in each group.
■ Inactivity Timeout—This column lists the number of seconds of inactivity allowed to this user before the connection times out and the user must log in again.
The module has one default user group, guest. You can add users to this group, or create groups of your own and add users to them.
Create a User Group.
Figure 4-39. Add user Window (guest group)
3. For Username, type the username for the user that you are adding.
4. For Password and Verify password, type the password for the user.
5. For Inactivity Timeout, type the number of seconds that you want an inactive session to remain open.
6. Click OK. The user is now displayed in the Network > Authentication > Firewall/XAUTH Users window.
7. Click Save.
Configure Authentication to an External RADIUS Server
The TMS zl Module supports the following RADIUS servers:
■ Microsoft IAS
■ Microsoft NPS
■ RHEL 5.3 with the latest RH supported FreeRADIUS server
■ SLES 11 with the latest SuSE supported FreeRADIUS server
To set up authentication to the RADIUS server, complete the following tasks:
1. Specify the RADIUS server. See “Specify the RADIUS Server” on page 4-63.
2. Create user groups.
This window displays each RADIUS server’s:
■ Address
■ NAS Identifier
■ Domain name
■ Setting for stripping the domain (enabled or not)
You can configure up to three RADIUS servers in each domain. If you configure more than one RADIUS server in a single domain, the TMS zl Module treats these RADIUS servers as a pool, rather than assigning primary and backup servers.
Figure 4-41. Add RADIUS server Window
2. In the Server Address field, type the IP address or FQDN of your RADIUS server. The port is always 1812.
3. In the Secret and Confirm Secret fields, type the shared secret for your RADIUS server.
4. In the NAS Identifier field, type the NAS ID associated with the module. The default NAS Identifier is the module’s hostname.
page, they simply enter their username. They do not need to include a domain name. When a user submits credentials without a domain name, the module checks the username first against the local manager and operator accounts, and then it checks the username against the RADIUS server in the global domain.
2. Click Add user group.
Figure 4-43. Add user group Window
3. For Group Name, type the same string that is configured in the Filter-ID attribute on the external RADIUS server policy for authenticating your users.
4. Click OK.
5. Click Save.
If your RADIUS server places users in multiple groups, repeat these steps to add more groups.
Set Up a RADIUS Server to Work with the TMS zl Module.
Whichever attributes you use, it is best practice to also specify that Service-Type = NAS-Prompt-User. This allows you to distinguish a policy that authenticates users logging in through the TMS zl Module from a policy that authenticates remote L2TP users.
Table 4-9.
Microsoft IAS. This example shows the step-by-step configuration that allows the TMS zl Module to coordinate with Microsoft Internet Authentication Service (IAS) to authenticate users. This example requires you to have the following:
■ A Windows Server 2003 functioning at the Windows 2000 level or higher.
■ IAS installed on that server.
■ Users and user groups configured in Active Directory. For more information, see http://www.microsoft.com.
1.
Figure 4-45. Windows Server 2003—New RADIUS Client Wizard
5. For Friendly name, type a name for the TMS zl Module.
6. For Client address (IP or DNS), type the IP address or domain name of the module.
7. Click Next.
Figure 4-46. Windows Server 2003—New RADIUS Client Wizard
8. For Client Vendor, accept the default, RADIUS Standard.
9. For Shared secret and Confirm shared secret, type a shared secret for the RADIUS server.
10. Clear the Request must contain the Message Authenticator attribute check box and click Finish.
11. In the Internet Authentication Server window, right-click Remote Access Policies, and then click New > Remote Access Policies.
Figure 4-47. Windows Server 2003—New Remote Access Policy Wizard
13. Select Set up a custom policy.
14. For Policy name, type the name of the policy.
15. Click Next.
Figure 4-48. Windows Server 2003—New Remote Access Policy Wizard
16. Click Add. The Select Attribute window is displayed.
Figure 4-49. Windows Server 2003—New Remote Access Policy Wizard (Select Attribute)
17. Select Windows-Groups and click Add.
18. In the Groups window, click Add. The Select Groups window is displayed.
Figure 4-50.
19. In the Select Groups window, type the name of the group that you want to authenticate to the module using a RADIUS server.
20. Click OK twice, and then click Next.
21. Select Grant Remote Access and click Next.
22. Click Edit Profile.
23. In the window that is displayed, click the Authentication tab.
24. Select the check box or boxes for the type of RADIUS authentication used on your network.
25. Click the Advanced tab.
26.
Figure 4-51. Network > Authentication > RADIUS Window
38. For Authentication Protocol, select the authentication protocol that your RADIUS server uses. Be sure to select the same protocol here that you did in step 24.
39. Click Apply My Changes.
40. Click Add RADIUS Server. The Add RADIUS Server window is displayed.
Figure 4-52.
41. For Server Address, type the address of your IAS.
42. For Secret and Confirm Secret, type the shared secret for your RADIUS server. Be sure to set the same secret here that you did in step 9.
43. For NAS Identifier, type the NAS ID of your module. Be sure to set the same identifier here that you did in step 6.
44. For Domain Name, type the name of the domain to which your server belongs.
45. Click OK.
46. Now add the user group to which the RADIUS server assigns these users.
Firewall User Authentication Note The user group access policies do not have an implicit deny at the end. Instead, a packet that does not match one of the user group policies is matched against the global (user group None) policies. Then, if none of those policies select the traffic, the global implicit deny takes effect and the packet it dropped. Microsoft NPS. This example shows the step-by-step configuration that allows the TMS zl Module to coordinate with Microsoft NPS to authenticate users.
Firewall User Authentication 2. Expand RADIUS Clients and Servers. 3. Right-click RADIUS Clients, and then click New RADIUS Client. The New RADIUS Client window is displayed. Figure 4-55. Windows Server 2008—New RADIUS Client Window 4. For Friendly name, type a name for the TMS zl Module. 5. For Address (IP or DNS), type the IP address or domain name of the module. 6. For Vendor name, accept the default, RADIUS Standard.
Firewall User Authentication 7. For Shared secret and Confirm shared secret, type the shared secret for the RADIUS server. 8. Leave the Request must contain the Message Authentication attribute and RADIUS client is NAP-capable check boxes clear and click OK. 9. In the Network Policy Server window, expand Policies. 10. Right-click Network Policies, and then click New. The New Network Policy wizard is launched. 11. For Policy name, type the name of the policy. 12. Click Next. Figure 4-56.
Firewall User Authentication Figure 4-57. Windows Server 2008—New Network Policy Wizard (Select Attribute) 14. Select Windows Groups and click Add. 15. In the Windows Groups window, click Add Groups. Figure 4-58. Windows Server 2008—New Remote Access Policy Wizard (Select Groups) 16. In the Select Groups window, type the names of the groups that you want to authenticate to the module using a RADIUS server.
Firewall User Authentication 17. Click OK twice, and then click Next. 18. Select Access Granted and click Next. 19. Select the check box or boxes for the type of RADIUS authentication used on your network. 20. Review the policy settings, and then click Finish. 21. Double-click the policy. 22. In Settings, select Filter-ID. 23. Type the name of the user group to which users who authenticate with the policy are assigned. For example, type the name of the users’ Windows group. 24. Click OK. 25.
Firewall User Authentication 30. Click Add RADIUS Server. The Add RADIUS Server window is displayed. Figure 4-60. Add RADIUS server Window 31. For Server Address, type the address of your NPS. 32. For Secret and Confirm Secret, type the shared secret for your RADIUS server. Be sure to set the same secret here that you did in step 7. 33. For NAS Identifier, accept the default, which is the NAS ID of your module, or if you specified another ID in step 5, type that ID. 34.
Firewall User Authentication Figure 4-61. Add user group Window 38. For Group Name, type the same string that is configured in the Filter-ID attribute in step 31. 39. Click OK. 40. Click Save. The module can now authenticate the users you specified in step 16 to the network when the users browse to the TMS zl Module’s login page (the module’s IP address) and type @ and their password on the login window.
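The two settings the procedure above insists must match on both sides are the shared secret and the Filter-ID string. The following added example (not code from the guide or from HP) shows why, by building a minimal RFC 2865 exchange in Python: the server's Access-Accept carries a Response Authenticator computed over the request authenticator and the shared secret, and the NAS side (the role the module plays) only trusts the reply when that MD5 value verifies, then reads Filter-Id (attribute type 11) and looks it up among its configured user groups. Names such as build_access_accept and the secret and group values are constructed for the example; User-Password encoding is left out because it is not what the check concerns.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
ATTR_NAS_IDENTIFIER = 32


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode RADIUS TLVs, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, username, nas_id, request_auth):
    """NAS side: Access-Request with User-Name and NAS-Identifier."""
    attrs = encode_attrs([(ATTR_USER_NAME, username.encode()),
                          (ATTR_NAS_IDENTIFIER, nas_id.encode())])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_access_accept(request, secret, filter_id):
    """Server side: Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = encode_attrs([(ATTR_FILTER_ID, filter_id.encode())])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def user_group_from_reply(reply, request, secret, configured_groups):
    """NAS side: accept the reply only if it answers the outstanding request
    and its authenticator verifies under the shared secret, then map the
    Filter-Id string to a configured user group. Returns the group or None."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or code != ACCESS_ACCEPT or ident != request[1]:
        return None
    attrs_raw = reply[20:]
    expected = hashlib.md5(reply[:4] + request[4:20] + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None  # wrong shared secret on one side, or a forged reply
    try:
        attrs = decode_attrs(attrs_raw)
    except ValueError:
        return None
    for attr_type, value in attrs:
        if attr_type == ATTR_FILTER_ID:
            group = value.decode(errors="replace")
            return group if group in configured_groups else None
    return None


def demo():
    """Constructed exchange: correct secret maps to 'Employees', wrong secret fails."""
    secret = b"example-shared-secret"
    request = build_access_request(7, "jsmith@corp.example", "tms-zl-1", os.urandom(16))
    reply = build_access_accept(request, secret, "Employees")
    groups = {"Employees", "Contractors"}
    return (user_group_from_reply(reply, request, secret, groups),
            user_group_from_reply(reply, request, b"wrong-secret", groups))
```

A Filter-Id that names a group the module does not have configured yields no group, which is the situation step 38 guards against by requiring the same string on both sides.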
Firewall Port Mapping

Port Mapping

A port map is a port-to-service (or application) association. The firewall ALGs draw on the port maps to learn which application to expect on a particular TCP or UDP port. For example, if you add a port map that associates FTP with TCP 55555, the TMS zl Module will treat traffic on TCP 55555 as FTP traffic—any ALGs that apply to FTP will be applied to traffic on TCP 55555. You can map a service to more than one protocol or port.

Service   Protocol   Port
IAX2      UDP        4569
IMAP      TCP        143
MGCPCA    UDP        2727
MGCPGW    UDP        2427
NNTP      TCP        119
POP3      TCP        110
RTSP      TCP        554
RTSP      TCP        7070
SMTP      TCP        25
SNMP      UDP        162
SNMP      UDP        161
TCPDNS    TCP        53
TCPRPC    TCP        111
TCPRPC    TCP        1025
TCPSIP    TCP        5060
TELNET    TCP        23
UDPDNS    UDP        53
UDPRPC    UDP        111
UDPRPC    UDP        1024
UDPRPC    UDP        369
UDPSIP    UDP        5060

Mapping Ports

If you suspect that an attacker is more likely to attack a certain service, you may want

Figure 4-62. Firewall > Settings > Port Maps Window

To configure a port map, complete the following steps:
1. Click Add Port Map. The Add Port Map window is displayed.

Figure 4-63. Add Port Map Window

2. For Service, select a service from the list. The protocol that is used with that service will automatically populate the Protocol field.
3. Type the port number that you want to assign to the service in the Port field.
4. Click OK.
5. Click Save.
Firewall Application-Level Gateways (ALGs)

Application-Level Gateways (ALGs)

The TMS zl Module supports ALGs for several common applications that can experience difficulties when they run through a firewall. These ALGs help the applications to run smoothly through the TMS zl Module firewall without compromising security. For example, some applications open data-transfer connections dynamically by negotiating IP addresses and service ports.

To learn more about each specific ALG, see “ALG Descriptions” on page 4-91.

Table 4-12.

■ The control port enables the TMS zl Module to recognize sessions that need to be handled by the ALG. For example, when the module detects that a packet destined to TCP port 21 has opened a session, it knows to apply the FTP ALG to that session. Port maps help the TMS zl Module link ports to applications. In Table 4-12, a section mark (§) means that a port map is configured for that service.

As you can see in Table 4-12 on page 4-89, most of the ALGs on the TMS zl Module provide firewall support.

ALG NAT Support. NAT can interfere with applications that embed IP information within the application data. Because NAT changes IP addresses (and sometimes ports) in the IP header, the IP information within the application data is no longer valid, and the application fails to function correctly.

■ then the ALG verifies that FTP commands are allowed or denied by the application-control record and takes action based on the status of the command in the record.
• attack checks — The ALG checks for the following attacks:
– FTP bounce — When the ALG detects a PORT command, the ALG verifies that the IP address in the PORT command is the same as the IP address of the client that initiated the connection. If the IPs do not match, the connection is closed.
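Port maps and the FTP bounce check fit together: the port map decides which ALG a control-channel packet gets, and the FTP ALG then compares the address inside the PORT command with the address of the client that opened the control connection. The following is an added Python example, not code from the guide or from the module, that implements both steps. PORT_MAPS is filled from the guide's port-map list plus FTP on TCP 21 (the FTP ALG's control port) and the TCP 55555 example from the Port Mapping section; the function names and the sample commands are constructed for this example.

```python
import ipaddress

# (protocol, port) -> service, from the guide's port-map list, plus the
# FTP control port and the TCP 55555 port-map example used in the text.
PORT_MAPS = {
    ("tcp", 21): "FTP", ("tcp", 55555): "FTP",
    ("udp", 4569): "IAX2", ("tcp", 143): "IMAP",
    ("udp", 2727): "MGCPCA", ("udp", 2427): "MGCPGW",
    ("tcp", 119): "NNTP", ("tcp", 110): "POP3",
    ("tcp", 554): "RTSP", ("tcp", 7070): "RTSP",
    ("tcp", 25): "SMTP", ("udp", 161): "SNMP", ("udp", 162): "SNMP",
    ("tcp", 53): "TCPDNS", ("udp", 53): "UDPDNS",
    ("tcp", 111): "TCPRPC", ("tcp", 1025): "TCPRPC",
    ("udp", 111): "UDPRPC", ("udp", 1024): "UDPRPC", ("udp", 369): "UDPRPC",
    ("tcp", 5060): "TCPSIP", ("udp", 5060): "UDPSIP", ("tcp", 23): "TELNET",
}


def service_for(protocol, port):
    """Port-map lookup: which application is expected on this protocol/port."""
    return PORT_MAPS.get((protocol.lower(), port))


def parse_port_command(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); ValueError if malformed."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    nums = [int(f) for f in fields]          # non-numeric fields raise ValueError
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is invalid")
    return ".".join(str(n) for n in nums[:4]), port


def check_ftp_bounce(client_ip, port_line):
    """FTP ALG bounce check: allow the data channel only when the PORT
    address equals the control connection's client address."""
    try:
        ip, port = parse_port_command(port_line)
    except ValueError as exc:
        return ("drop", f"malformed PORT: {exc}")
    if ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip):
        return ("close", f"bounce attempt: PORT {ip} differs from client {client_ip}")
    return ("allow", f"open data channel to {ip}:{port}")


def inspect_control_packet(protocol, dst_port, client_ip, payload):
    """Pick the ALG by port map; for FTP, run the bounce check on the payload."""
    service = service_for(protocol, dst_port)
    if service != "FTP":
        return (service, None)
    return ("FTP", check_ftp_bounce(client_ip, payload))
```

The port-map entry for TCP 55555 is what makes the last function treat a PORT command on that port exactly like one on TCP 21, which is the behaviour the Port Mapping section describes.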
Note
If you are having trouble with this application, make sure that you have permitted the DNS service (UDP 53) for endpoints that use ILS.

irc
Internet Relay Chat (IRC) is a chat system that enables people that are connected from anywhere on the Internet to join in live discussions.

Scenario 1. The L2TP ALG creates a new association when it receives a Start-Control-Connection-Request (SCCRQ) message from the L2TP Access Concentrator (LAC), which results in two associations in the firewall:
■ the association that is originally created by the firewall, which handles data that arrives on the port where the client initiated the connection. If NAT is used, this association permits data that arrives on the NAT port.

pptp
PPTP uses TCP 1723 for its control connection and Generic Routing Encapsulation (GRE) for its data connection. The PPTP ALG helps PPTP to open up the necessary GRE tunnels through the TMS zl Module. The PPTP ALG:
■ processes all packets that arrive on TCP 1723. PPTP control message types are the following:
• Control-connection management — The ALG does not process any of these messages; the packets are allowed to pass through without any processing.
■ removes the session information when it receives a Call-Clear-Request or Call-Disconnect-Notify message.

rtsp
RTSP controls a stream that might be sent over a separate protocol. For example, RTSP control may occur on a TCP connection while the data flows via UDP. In this protocol, the client initiates a connection to the server on TCP 554. The client and server then exchange a series of requests and responses.

tftp
The TFTP ALG:
■ supports both write and read requests
■ when it sees a write/read request from the client on the control connection, it opens the correct port to allow the data transfer from server to client

Note
If you are having trouble with this application, make sure that you have permitted the DNS service (UDP 53) for endpoints that use TFTP.
Firewall Port Triggers

Caution
An explicit firewall access policy that denies the ports that an ALG attempts to open dynamically can interfere with the ALG. Therefore, when you create access policies you should simply permit the ports that you want to open permanently. Then allow the TMS zl Module to deny all other traffic implicitly, which is the module’s automatic behavior. Do not create an explicit policy to deny all other traffic.

To configure port trigger policies, follow these steps:
1. Click Firewall > Port Triggers > Policies.

Figure 4-65. Firewall > Port Triggers > Policies Window

2. Click Add a port trigger. The Add Port Trigger window is displayed.

Figure 4-66. Add Port Trigger Window

3. Type a name in the Policy Name field. It is a good practice to specify a policy name that reflects the services involved in the trigger.
4. For Source, specify a device that is behind the firewall by doing one of the following:
• Select Any or an address object from the list.
Note
Only single-entry IP address objects are in this list.
• Click Options, select Enter custom IP address, and type one IP address in the space provided.
5. From the Protocol/Ports list, specify the port on which the application makes its control connection by doing one of the following:
• Select a service object from the list.

11. Click Save.

Caution
An explicit firewall access policy that denies the ports that a port trigger attempts to open dynamically can interfere with the port trigger. Therefore, when you create access policies you should simply permit the ports that you want to open permanently. Then allow the TMS zl Module to deny all other traffic implicitly, which is the module’s automatic behavior. Do not create an explicit policy to deny all other traffic.

To perform this task, follow these steps:
1. Click Firewall > Port Triggers > Policies.
2. Click Add a port trigger.
3. In the Policy Name field, type VoIP.
4. From the Source list, select Any.
5. For Protocol/Ports, select Options and select Enter custom Protocol/Ports.
6.
a. Select TCP.
b. Type 1584 and 1585.
7. Under Allow Inbound Connections to Source, do the following:
• Select TCP and type 51200 and 51210 in the Ports fields.

10. Click OK and Close.
11. Click Save.
12. Configure a firewall access policy with the following parameters:
• Action—Permit Traffic
• From—INTERNAL
• To—EXTERNAL
• Service—TCP 1584–1585
• Source—Any Address
• Destination—172.19.55.0/24 and 172.23.11.0/24 (create a multiple-entry network address object as shown in “Named Objects and Their Uses” on page 4-10).
13. Configure another access policy to permit the reverse traffic.
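The VoIP trigger configured above opens TCP 51200–51210 back to whichever internal host first connects out on TCP 1584–1585, and only to that host. The following added Python example (not the module's code) models that behaviour so the effect of the policy can be checked against sample connection events: an outbound control connection matching a trigger records a pinhole for the source address, and an inbound connection is allowed only if a live pinhole for its destination covers the port. The pinhole lifetime (ttl, 300 s) and the sample addresses are assumptions for the example; the guide does not state how long the module keeps a triggered opening.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PortTrigger:
    """One port trigger policy as entered in the Add Port Trigger window."""
    name: str
    source: Optional[str]            # None means Any
    control_proto: str               # protocol of the outbound control connection
    control_ports: Tuple[int, int]   # inclusive port range that fires the trigger
    inbound_proto: str               # protocol opened back to the source
    inbound_ports: Tuple[int, int]   # inclusive port range opened back to the source


class PortTriggerTable:
    """Pinholes keyed by (internal host, protocol); constructed model, not the
    module's implementation."""

    def __init__(self, triggers):
        self.triggers = list(triggers)
        self.pinholes = {}   # (host_ip, proto) -> (low, high, expires_at)

    def outbound(self, src_ip, proto, dst_port, now, ttl=300):
        """Evaluate an outbound connection; returns the name of the trigger it
        fired, or None. ttl is an assumed pinhole lifetime in seconds."""
        for t in self.triggers:
            if t.source is not None and t.source != src_ip:
                continue
            if proto != t.control_proto:
                continue
            low, high = t.control_ports
            if low <= dst_port <= high:
                self.pinholes[(src_ip, t.inbound_proto)] = (
                    t.inbound_ports[0], t.inbound_ports[1], now + ttl)
                return t.name
        return None

    def inbound_allowed(self, dst_ip, proto, dst_port, now):
        """True only if a live pinhole for dst_ip covers proto/dst_port."""
        entry = self.pinholes.get((dst_ip, proto))
        if entry is None:
            return False
        low, high, expires_at = entry
        if now > expires_at:
            del self.pinholes[(dst_ip, proto)]   # stale opening is removed
            return False
        return low <= dst_port <= high


# The guide's VoIP example: any source, control on TCP 1584-1585,
# inbound TCP 51200-51210 back to the source.
VOIP_TRIGGER = PortTrigger("VoIP", None, "tcp", (1584, 1585), "tcp", (51200, 51210))
```

Inbound traffic to a host that never made the control connection, or to a port outside 51200–51210, stays closed, which is why the Caution above says not to add an explicit deny-all policy: the trigger relies on the implicit deny for everything it has not opened.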
Firewall Attack Checking

Attack Checking

The TMS zl Module automatically detects and blocks specific known attacks. It monitors TCP handshakes and drops packets with flags that signal known attacks. The TMS zl Module firewall checks for these attacks by default:
■ IP spoofing
■ Ping of death
■ Land attacks
■ IP reassembly attacks

Note
You cannot prevent the firewall from dropping packets that display the signs of these attacks.

Attack Check Descriptions

This section includes a detailed description of each attack check.

ICMP Replay
In this attack, the attacker sends Internet Control Message Protocol (ICMP) messages to one or many ports, in hopes of mapping out open and closed ports. No response indicates that a port is open. The attacker can then use this information to launch many types of attacks, including a DoS attack. Enable this check to drop all duplicate ICMP messages.

Figure 4-69. ICMP Blind Connection-Reset Attack

■ Blind throughput-reduction attacks
Source Quench messages are sent if a router or host does not have the buffer space needed to sequence the packets for the next network device or if they are sent too fast for the receiving device to process. This message is a request for the sender to slow the rate at which packets are sent. An attacker can forge a Source Quench message, which causes a significant decrease in throughput.

Figure 4-70. SYN Flood Attack

A variation of this attack creates another victim, as well as the original target. Rather than using an unreachable source address, the attacker uses IP spoofing to include a source address from another legitimate source. The target host then begins sending SYN/ACK packets to the spoofed address, which did not send the SYN packets. The attacker can then create havoc on two, or even more, systems at once.

Generally, source routing use is limited to network administrators who are checking the connectivity of network devices. By forcing a packet to route through a particular device, the administrator confirms that a device is connected because the packet is not dropped. Source routing can also be used by an attacker to:
■ Map a network
By specifying the exact route each packet must take, an attacker can eventually determine the location of the end device and all devices in between.

The two devices participating in the three-way handshake exchange initial sequence numbers (ISNs) in the first two steps of the three-way TCP handshake. An attacker can mount a sequence-number-prediction attack in two ways by:
■ Guessing the ISN and using a spoofed IP address, thereby securing a session with the targeted network device.
■ Hijacking a TCP session by predicting a packet’s sequence number and injecting a packet with that number.

Figure 4-72. TCP Sliding Window

In Figure 4-72, as bytes are acknowledged by the server, the window “slides” to the right. That is why it is called a sliding window. The TMS zl Module allows you to set the range of bytes within the window, called the sequence range. The advantages and disadvantages of the sequence range sizes are discussed in the following table.

Table 4-13.

The optimal sequence range is the product of these two elements. A correctly sized range allows data to be sent continuously (without the sender stopping to wait for acknowledgment) while enabling fast recovery times for lost data. After you select the Sequence Number Out of Range check box, configure the following:
■ In the Range field, type a number between 1 and 65535. The larger the TCP window size, the larger the range of sequence numbers that will be accepted.
Figure 4-73. Firewall > Settings > Attacks Window

2. Select (or clear) a check box to enable (or disable) an attack check.
3. Click Apply My Changes.
4. Click Save.
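The Sequence Number Out of Range check described above accepts a segment only when its sequence number falls within a configured range (1–65535) ahead of the point the peer has acknowledged, and that point slides forward as ACKs arrive. The following added Python example, which is not code from the guide or the module, implements that check for one direction of a TCP session, including the 32-bit wrap-around of sequence numbers that a naive comparison gets wrong. The class and function names are constructed; the sample ISN and range values are chosen to sit on the wrap boundary.

```python
MOD32 = 1 << 32   # TCP sequence numbers wrap modulo 2^32


def seq_in_range(seq, base, range_size):
    """True if seq lies in [base, base + range_size) in modular arithmetic."""
    return ((seq - base) % MOD32) < range_size


class TcpDirectionState:
    """Tracks one direction of a TCP session: the lowest sequence number not
    yet acknowledged by the peer (the left edge of the sliding window) and the
    configured sequence range, in the sense of the module's Range field."""

    def __init__(self, isn, range_size):
        if not 1 <= range_size <= 65535:
            raise ValueError("range must be between 1 and 65535")
        self.base = (isn + 1) % MOD32      # the SYN consumes one sequence number
        self.range_size = range_size
        self.dropped = 0

    def check_segment(self, seq):
        """Accept a data segment whose first byte is inside the range;
        count and reject everything else (including numbers behind the base)."""
        if seq_in_range(seq, self.base, self.range_size):
            return True
        self.dropped += 1
        return False

    def acknowledge(self, ack):
        """Slide the window right when the peer acknowledges bytes that lie
        within the range; stale or absurdly far ACKs are ignored."""
        advance = (ack - self.base) % MOD32
        if 0 < advance <= self.range_size:
            self.base = ack
            return True
        return False
```

A larger range admits more legitimate segments when the path reorders or delays traffic, but also widens the band an injected segment must land in to be accepted, which is the trade-off Table 4-13 describes.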
Firewall Connection Timeouts

Connection Timeouts

In addition to screening TCP and UDP packets for attacks, the TMS zl Module monitors all ICMP, TCP, and UDP sessions. One of the advantages of a stateful firewall is that it monitors sessions to ensure that they proceed in a valid and logical fashion. To maintain secure sessions, the firewall times out inactive sessions after a specified time.

■ Trust level
Long, intermittent idle times may be common among some trusted users. Imposing a timeout limit could hamper their productivity. Nonetheless, setting a long timeout for all users is a considerable security risk and can drain network resources.
■ Risk tolerance
Timeout settings are proportional to risk tolerance. They should increase as risk tolerance increases. For example, a network with low risk tolerance should have short timeout values.

4. After you have updated all the timeouts, click Apply my changes.
5. Click Save.

Configure Timeout Settings for Services

To configure a custom timeout, complete the following steps:
1. Click Add Custom Timeout. The Add Custom Timeout window is displayed.

Figure 4-75. Add Custom Timeout

2. Type the name of the service in the Name field.
3. Choose either TCP or UDP from the Protocol list.
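The protocol-wide timeouts and the per-service custom timeouts combine into one rule: a session is removed once it has been idle longer than the timeout that applies to its protocol and port, with the custom entry taking precedence. The following added Python example (not the module's code) models that session table so the effect of a custom timeout can be checked. The default and custom values, and the sample sessions, are constructed for the example; the guide's actual defaults are in its own settings window.

```python
class SessionTable:
    """Idle-timeout bookkeeping for ICMP/TCP/UDP sessions. Constructed model:
    `defaults` maps protocol -> idle seconds; `custom` maps
    (protocol, destination port) -> idle seconds and overrides the default,
    like the Add Custom Timeout entries."""

    def __init__(self, defaults, custom=None):
        self.defaults = dict(defaults)
        self.custom = dict(custom or {})
        self.sessions = {}   # (proto, src, sport, dst, dport) -> last-seen time

    def timeout_for(self, proto, dport):
        """Custom service timeout if one exists, else the protocol default."""
        return self.custom.get((proto, dport), self.defaults[proto])

    def open(self, key, now):
        self.sessions[key] = now

    def touch(self, key, now):
        """Refresh an existing session on new traffic; False if it is unknown
        (already timed out), in which case a new session would need to be opened."""
        if key not in self.sessions:
            return False
        self.sessions[key] = now
        return True

    def expire(self, now):
        """Remove sessions idle longer than their timeout; returns the removed keys."""
        stale = [key for key, last in self.sessions.items()
                 if now - last > self.timeout_for(key[0], key[4])]
        for key in stale:
            del self.sessions[key]
        return stale
```

Because a timed-out session is simply gone, a late packet on it is treated as a new connection and must pass the access policies again, which is the security benefit the Trust level and Risk tolerance notes weigh against user convenience.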
Firewall Resource Allocation

Resource Allocation

With any network, it is important to ensure that every user is able to access resources. Additionally, there may be some users who need priority over others. The TMS zl Module allows you to set connection limits for each zone as well as reserve firewall connections for specific addresses or address ranges. Refer to these sections:
■ To learn how to set zone limits, see “Zone Limits” on page 4-116.

Connection Reservation Concepts

When you set a connection reservation, you ensure that a particular IP address or range of addresses has connectivity regardless of how much traffic is passing through the TMS zl Module.

Figure 4-76. Outbound Connection Reservation

In this example, a connection reservation count of 10 has been configured for 50 IP addresses: 10.1.1.11–10.1.1.60. Therefore, 500 (10 x 50) connections are reserved from IP addresses 10.1.1.11–10.1.1.60 into the DMZ zone. The following is therefore true:

Figure 4-77. Outbound Connection Reservation Implication

■ When the total active connection threshold of 39,500 (40,000 – 500) is reached, the module will not permit any more connections unless the connections are initiated by hosts with IP addresses in the 10.1.1.11–10.1.1.60 range.

Figure 4-78.

Figure 4-79. Outbound Connection Reservation Implication

■ If the current connection count in Zone1 is 10,500 (500 of which are reserved connections), and 500 non-reserved connections are closed, then the Zone1 limit will revert to its limit of 10,000. At this point the Zone1 maximum connection threshold (10,000) already provides for the reserved connections. Any other new connections from Zone1 to any zone will not be successful.

Figure 4-80. Inbound Connection Reservation

In this example, a connection reservation count of 100 has been configured for one IP address: 10.1.2.22. Therefore, 100 (100 x 1) connections are reserved from Zone1 to the IP address 10.1.2.22. The following is therefore true:

Figure 4-81.

■ When the total active connection threshold of 39,900 (40,000 – 100) is reached, the module will not permit any more connections unless the connections are from Zone1 and destined for the server at 10.1.2.22.

Figure 4-82.

■ If the current connection count in Zone1 is 10,100 (100 of which are connections to 10.1.2.22), and if 100 non-reserved connections are closed, then the Zone1 limit will revert to its zone limit of 10,000. At this point the Zone1 maximum connections (10,000) includes the reserved inbound connections. Any other new connections from Zone1 to any zone will not be successful.

Figure 4-85. Add Connection Reservation Window

3. From the Zone list, select a zone that will be either the source or destination of the reserved connections. For inbound connections, this is the source zone. For outbound connections, this is the destination zone. You cannot select EXTERNAL.
4. From the Direction list, select one of the following:
• Inbound if the reserved IP addresses are the destination
• Outbound if the reserved IP addresses are the source
5.

To make the reservations shown in the figure above, follow these steps:
1. Click Firewall > Settings and click the Connection Allocations tab.
2. Click Add Connection Reservation.
3. From the Zone list, select Zone1.
4. From the Direction list, select Outbound.
5. In the Reserved for IP Addresses fields, type 10.1.1.100 and 10.1.1.102.

Figure 4-87. Add Connection Reservation Window

Figure 4-88. Firewall > Settings > Connection Allocations (with Connections Configured)

14. Click Save.
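The arithmetic in the outbound and inbound reservation examples above (a 40,000 global limit, a 10,000 Zone1 limit, and 500 or 100 reserved connections) follows from three rules: non-reserved connections stop being admitted when the global count reaches the limit minus all reserved connections, a zone's limit counts every active connection sourced in that zone, and reserved connections are admitted past the zone limit as long as their per-address count has not been used up. The following is an added Python example, not the module's implementation, that encodes those rules as modelled from the guide's figures and replays the 10,500 → 10,000 scenario. One assumption beyond the text is labelled in the code: an address that has exhausted its reservation competes for non-reserved capacity like any other host.

```python
import ipaddress


class Reservation:
    """`count` connections per address in [ip_lo, ip_hi]. Outbound: the
    addresses are sources and `zone` is the destination zone. Inbound: the
    addresses are destinations and `zone` is the source zone (the guide's
    Direction semantics)."""

    def __init__(self, zone, direction, ip_lo, ip_hi, count):
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be inbound or outbound")
        self.zone, self.direction, self.count = zone, direction, count
        self.lo = int(ipaddress.ip_address(ip_lo))
        self.hi = int(ipaddress.ip_address(ip_hi))

    def covers(self, ip):
        return self.lo <= int(ipaddress.ip_address(ip)) <= self.hi

    @property
    def total(self):
        return self.count * (self.hi - self.lo + 1)


class ConnectionAllocator:
    """Admission control modelled on the guide's figures (constructed model)."""

    def __init__(self, global_limit, zone_limits, reservations):
        self.global_limit = global_limit
        self.zone_limits = dict(zone_limits)      # source zone -> limit
        self.reservations = list(reservations)
        self.total = 0
        self.zone_counts = {}                     # source zone -> active
        self.reserved_used = {}                   # (reservation idx, ip) -> active
        self.conns = {}                           # 4-tuple + reskey -> active

    @property
    def reserved_total(self):
        return sum(r.total for r in self.reservations)

    def _reservation_for(self, src_zone, src_ip, dst_zone, dst_ip):
        for idx, r in enumerate(self.reservations):
            if r.direction == "outbound" and r.zone == dst_zone and r.covers(src_ip):
                return (idx, src_ip)
            if r.direction == "inbound" and r.zone == src_zone and r.covers(dst_ip):
                return (idx, dst_ip)
        return None

    def _record(self, src_zone, src_ip, dst_zone, dst_ip, reskey):
        self.total += 1
        self.zone_counts[src_zone] = self.zone_counts.get(src_zone, 0) + 1
        if reskey is not None:
            self.reserved_used[reskey] = self.reserved_used.get(reskey, 0) + 1
        key = (src_zone, src_ip, dst_zone, dst_ip, reskey)
        self.conns[key] = self.conns.get(key, 0) + 1

    def admit(self, src_zone, src_ip, dst_zone, dst_ip):
        reskey = self._reservation_for(src_zone, src_ip, dst_zone, dst_ip)
        if reskey is not None:
            res = self.reservations[reskey[0]]
            if (self.reserved_used.get(reskey, 0) < res.count
                    and self.total < self.global_limit):
                self._record(src_zone, src_ip, dst_zone, dst_ip, reskey)
                return True
            # Assumption: a host whose reservation is used up competes for
            # non-reserved capacity like any other host.
        # Guide's threshold for non-reserved connections: global limit minus all
        # reserved connections (40,000 - 500 = 39,500); the zone limit counts
        # every active connection from the zone, reserved ones included.
        if self.total >= self.global_limit - self.reserved_total:
            return False
        if self.zone_counts.get(src_zone, 0) >= self.zone_limits.get(src_zone, self.global_limit):
            return False
        self._record(src_zone, src_ip, dst_zone, dst_ip, None)
        return True

    def close(self, src_zone, src_ip, dst_zone, dst_ip):
        """Close one active connection matching the 4-tuple; True if one existed."""
        for reskey in (self._reservation_for(src_zone, src_ip, dst_zone, dst_ip), None):
            key = (src_zone, src_ip, dst_zone, dst_ip, reskey)
            if self.conns.get(key, 0) > 0:
                self.conns[key] -= 1
                self.total -= 1
                self.zone_counts[src_zone] -= 1
                if reskey is not None:
                    self.reserved_used[reskey] -= 1
                return True
        return False
```

Running the outbound scenario through the model reproduces the figures: with Zone1 at its 10,000 limit, the 500 reserved connections are still admitted (10,500 in total), and after 500 non-reserved connections close the zone is back at 10,000 and refuses further non-reserved connections until one more closes.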
Firewall IP Reassembly

IP Reassembly

The maximum transmission unit (MTU) determines the size of the largest packet that can pass through the Data-Link Layer (Layer 2) of a connection. If a packet is larger than the MTU for that device, it will be broken into fragments. Fragments from one intermediate device may be further fragmented by another intermediate device.

Figure 4-90. Packet Reassembly

Configure MTU

The default setting for the MTU is 1500, but the TMS zl Module allows you to adjust this setting to between 1500 and 9220. The MTU is global and applies to all TMS VLANs. To adjust the MTU, complete the following steps:
1. Click Network > Settings > General.

Figure 4-91. Network > Settings > General Window

2. Under General Settings, for MTU, type the desired MTU value.
3. Click Apply My Changes.
4. Click Save.

Configure IP Reassembly

The default settings for IP reassembly are in Table 4-14. Consult the product literature for your routing devices to see the optimum settings for your network.

Table 4-14.

■ If the Maximum time to receive all fragments limit is set too low, standard network latency may cause the transfer to be abandoned too soon. Conversely, if the limit is set too high, the device will wait too long before reporting missing packets, which will degrade performance.

Click Apply My Changes, and then click Save.
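The reassembly settings above bound how long the firewall holds partial datagrams and how many pieces it will collect, which is also what makes IP reassembly attacks (listed among the default attack checks) detectable. The following added Python example, not the module's code, implements a reassembler with those two limits: fragments are keyed by the usual (source, destination, protocol, identification) tuple, a datagram is abandoned once its first fragment is older than the maximum wait, and it is dropped as an attack if a fragment overlaps data already held or the fragment count exceeds the maximum. The limit values and sample fragments are constructed for the example; the overlap rule is a conservative choice made here, not a behaviour the guide describes.

```python
class Reassembler:
    """IP fragment reassembly with the guide's two limits (maximum time to
    receive all fragments, maximum fragments per datagram). Constructed model."""

    def __init__(self, max_wait, max_fragments, max_size=65535):
        self.max_wait = max_wait
        self.max_fragments = max_fragments
        self.max_size = max_size          # largest IP datagram
        self.pending = {}                 # key -> {"first_seen", "frags", "total"}
        self.dropped = 0

    def _drop(self, key):
        self.pending.pop(key, None)
        self.dropped += 1

    def add(self, key, offset, more_fragments, payload, now):
        """Offer one fragment (offset in bytes, i.e. the header's fragment offset
        times 8). Returns the reassembled datagram when it completes, else None."""
        buf = self.pending.setdefault(key, {"first_seen": now, "frags": {}, "total": None})
        if len(buf["frags"]) >= self.max_fragments or offset + len(payload) > self.max_size:
            self._drop(key)
            return None
        for off, data in buf["frags"].items():
            if offset < off + len(data) and off < offset + len(payload):
                self._drop(key)           # overlapping fragment: treat as attack
                return None
        buf["frags"][offset] = payload
        if not more_fragments:
            if buf["total"] is not None:
                self._drop(key)           # two fragments both claim to be last
                return None
            buf["total"] = offset + len(payload)
        return self._complete(key)

    def _complete(self, key):
        buf = self.pending[key]
        if buf["total"] is None:
            return None
        out, expected = b"", 0
        for off in sorted(buf["frags"]):
            if off != expected:
                return None               # a hole remains
            out += buf["frags"][off]
            expected = off + len(buf["frags"][off])
        if expected != buf["total"]:
            return None
        del self.pending[key]
        return out

    def expire(self, now):
        """Abandon datagrams whose fragments did not all arrive within max_wait."""
        stale = [k for k, b in self.pending.items() if now - b["first_seen"] > self.max_wait]
        for k in stale:
            self._drop(k)
        return stale
```

Setting max_wait low makes expire() fire on ordinary latency, while a high value keeps half-built datagrams in memory longer, which is the trade-off the bullet above describes.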
5 Network Address Translation

Contents

Overview 5-2
NAT Operations 5-3
  Source NAT 5-3
    One-to-One 5-4
    Many-to-One
Network Address Translation

Overview

Network Address Translation (NAT) is the process of translating network IP addresses in a way that is transparent to the end users. It has traditionally been a method of translating internal, private IP addresses into public IP addresses. Companies typically choose to translate internal IP addresses for address conservation.

NAT Operations

In routing mode the TMS zl Module can apply NAT to network traffic. (Monitor mode does not support NAT.) While the module’s firewall provides the NAT capability, the NAT policies are entirely separate from the firewall access policies for increased flexibility. This section describes the types of NAT that the TMS zl Module can perform. This information is only intended to inform you of the module’s capabilities.

Figure 5-1. Source NAT

Note
Source NAT is often referred to as just NAT. This guide will always refer to it as source NAT.

One-to-One
With one-to-one source NAT, each local device receives its own new IP address for the destination network. The source IP address is replaced with the NAT IP address, but the source port remains the same. The TMS zl Module will perform one-to-one NAT if the number of source addresses and the number of NAT addresses is identical.

Many-to-One
With many-to-one source NAT, many local devices share the same IP address in the destination network. That is, the module translates each source IP address to the same new IP address. However, each local device retains its own source port. Return traffic to the local devices is all destined to the same IP address but to different ports. Thus the module can forward return traffic to the correct device.

The source and destination IP address (SA, DA) and port fields (SP, DP) in five outbound IP packet headers are shown in Table 5-3. The translated fields (SA2) are shown with shading in the original table.

Table 5-3. Many-to-Many Source NAT

Before NAT                                   After NAT
SA1        SP1    DA1            DP1         SA2           SP2    DA2            DP2
10.1.1.10  50055  172.16.122.63  80          192.168.5.22  50055  172.16.122.63  80
10.1.1.11  50056  192.168.2.77   21          192.168.5.23  50056  192.168.2.77   21
10.1.1.12  50057  172.16.222.

Note
For the sake of simplicity, the explanations of destination NAT will refer to public and private IP addresses. You might choose to apply NAT between two network segments, neither of which you define as public or private. (Note also that all IP addresses used in the examples, whether labelled “public” or “private,” are technically private IP addresses. They are used only to illustrate the examples.

The TMS zl Module will perform many-to-one destination NAT if you specify multiple destination addresses, one NAT address, and no NAT port. The source and destination IP addresses (SA, DA) and port fields (SP, DP) in five inbound IP packet headers are shown in Table 5-5. The translated fields are shown with shading in the original table.

Table 5-5. One-to-Many Destination NAT

Before NAT                                     After NAT
SA1            SP1    DA1           DP1        SA2  SP2  DA2  DP2
172.16.122.63  51005  192.168.5.23  80         172.16.

Table 5-6. Destination NAT with Port Forwarding

Before NAT                                     After NAT
SA1            SP1    DA1           DP1        SA2            SP2    DA2        DP2
172.16.122.63  50005  192.168.5.23  80         172.16.122.63  50005  10.1.1.10  80
10.1.5.48      50006  192.168.5.23  21         10.1.5.48      50006  10.1.1.11  21
10.100.148.77  50007  192.168.5.23  80         10.100.148.77  50007  10.1.1.10  80
172.20.222.8   50008  192.168.5.23  80         172.20.222.8   50008  10.1.1.10  80
172.25.121.75  50009  192.168.5.23  21         172.25.121.

Table 5-7. Port Forwarding with PAT

Before NAT                                     After NAT
SA1            SP1    DA1           DP1        SA2            SP2    DA2        DP2
172.16.122.63  50005  192.168.5.23  80         172.16.122.63  50005  10.1.1.10  8088
10.1.5.48      50006  192.168.5.23  21         10.1.5.48      50006  10.1.1.11  2102
10.100.148.77  50007  192.168.5.23  80         10.100.148.77  50007  10.1.1.10  8088
172.20.222.8   50008  192.168.5.23  80         172.20.222.8   50008  10.1.1.10  8088
172.25.121.75  50009  192.168.5.23  21         172.25.121.

Figure 5-3. NAT packet flow

The packet flow for the source NAT step is shown in more detail in Figure 5-4.

Figure 5-4. Source NAT packet flow

The packet flow for the destination NAT step is shown in more detail in Figure 5-5.

Figure 5-5.
Network Address Translation Configuring NAT Policies Configuring NAT Policies The TMS zl Module requires you to specify the following parameters for each NAT policy: ■ NAT type (source, destination, or exclusion) ■ Source and destination zones ■ Services to which NAT is applied ■ Source address(es) ■ Destination address(es) ■ New IP address(es) and port(s) When configuring NAT policies, follow these guidelines: ■ Along with the NAT policy, you must configure a firewall access policy that permi
Network Address Translation Configuring NAT Policies Sometimes you might also want to exclude traffic that is sent over a GRE tunnel from translation. The exclusion policy’s destination addresses should match the subnets behind the remote tunnel endpoint. The source addresses should be local addresses allowed to send traffic over the tunnel. ■ The relationship between the original number of IP addresses and the number of NAT addresses helps determine the NAT operation that the TMS zl Module performs.
Network Address Translation Configuring NAT Policies Source NAT Policies To add a source NAT policy, follow these steps: 1. Click Firewall > NAT Policies > Policies. 2. Click Add Policy. 3. For Translate, select Source. Figure 5-6. Add NAT Policy Window 5-16 4. For From Zone, select the zone where traffic originates. (See “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.”) 5. For To Zone, select the zone where traffic is destined. 6.
Network Address Translation Configuring NAT Policies 7. For Source, do one of the following: • From the list, select an address object. (See “Named Objects and Their Uses” in Chapter 4: “Firewall.”) • Click Options. i. Select Enter custom IP, IP/mask or IP-Range. ii. In the space provided, type an IP address in dotted-decimal format, an IP address with network mask in CIDR format, or an IP address range. Examples: 192.168.5.23 172.16.56.100/24 10.1.1.10-10.1.1.50 • 8. 9.
Network Address Translation Configuring NAT Policies • Select Use IP of routed VLAN interface to have the TMS zl Module translate each source address to an IP address on one of its TMS VLANs. The module uses the IP address on the TMS VLAN that is the forwarding interface for each packet’s destination. In this way, source addresses are always translated to a valid IP address in the destination address. 10. Optionally, for Insert Position (Optional), type a priority for the policy. 11. Click OK. 12.
Network Address Translation Configuring NAT Policies Figure 5-7. Add NAT Policy Window 4. For From Zone, select the zone where traffic originates. (See “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.”) 5. The To Zone field is automatically populated with Self. 6. For Service, do one of the following: • From the list, select a service object. (See “Service Objects” in Chapter 4: “Firewall.”) • Click Options. i. Select Enter Custom Protocol/Port. ii. Select a Protocol from the list.
Network Address Translation Configuring NAT Policies 7. For Source, do one of the following: • From the list, select an address object. (See “Named Objects and Their Uses” in Chapter 4: “Firewall.”) • Click Options. i. Select Enter custom IP, IP/mask or IP-Range. ii. In the space provided, type an IP address in dotted-decimal format, an IP address with network mask in CIDR format, or an IP address range. Examples: 192.168.5.23 172.16.56.100/24 10.1.1.10-10.1.1.50 • 8.
Network Address Translation Configuring NAT Policies 12. Click OK. 13. If necessary, create a firewall access policy with the same source and destination zones as the NAT policy you just created and that permits the same services and addresses. (See “Firewall Access Policies for NAT” on page 5-23.) 14. Click Save. Exclusion NAT Policies To add an exclusion NAT policy, follow these steps: 1. Click Firewall > NAT Policies > Policies. 2. Click Add Policy. 3. Select None for translation type.
Network Address Translation Configuring NAT Policies 6. 7. For Service, do one of the following: • From the list, select a service object. (See “Service Objects” in Chapter 4: “Firewall.”) • Click Options. i. Select Enter Custom Protocol/Port. ii. Select a Protocol from the list. iii. In the space provided, type a Port (range). • Leave the default, Any Service, when you want to exclude all types of traffic (that matches other criteria in the policy) from NAT.
Network Address Translation Configuring NAT Policies 11. If necessary, create a firewall access policy with the same source and destination zones as the NAT policy you just created and that permits the same services and addresses. (See “Firewall Access Policies for NAT,” below.) 12. Click Save. Firewall Access Policies for NAT Because the firewall checks traffic against its access policies before applying NAT, you need to configure a firewall access policy for each NAT policy.
Network Address Translation Configuring NAT Policies Table 5-9. Firewall Access Policy for Source NAT Parameter Source NAT Policy Firewall Access Policy From Internal Internal To Zone4 Zone4 Service Any Service Any Service Source Address(es) 172.16.45.0/24 172.16.45.0/24 Destination Address(es) 10.1.154.101-10.1.154.254 10.1.154.101-10.1.154.254 NAT IP Address(es) 192.168.154.1–192.168.154.
Table 5-10. Firewall Access Policy for Destination NAT
Parameter                  Source NAT Policy               Firewall Access Policy
From                       EXTERNAL                        EXTERNAL
To                         SELF                            SELF
Service                    Any Service                     Any Service
Source Address(es)         Any Address                     Any Address
Destination Address(es)    192.168.5.177                   192.168.5.177
NAT IP Address(es)         10.1.1.222                      n/a
NAT Examples
This section contains examples of NAT implementations with step-by-step configuration instructions.
Figure 5-11. Source NAT—Network Merger Example
Follow these steps to configure the first module (illustrated in the lower segment of the figure):
1. Create a NAT policy to translate source addresses on traffic from Zone1 to the shared data center (Zone 3).
a. Click Firewall > NAT Policies > Policies.
b. Click Add Policy.
c. For Translate, select Source.
d. For From Zone, select ZONE1.
e. For To Zone, select ZONE3.
f.
i. Select Use IP of routed VLAN interface. The module will translate all source Address(es) to its own IP address on the VLAN interface to which the NATed traffic is routed—in this example, 10.1.1.1.
Figure 5-12. Add NAT Policy Window—Module 1
j. Click OK.
2. Create a firewall access policy to permit the traffic from Zone5 to the data center.
a. Click Firewall > Access Policies > Unicast.
b. Click Add a Policy.
c. For Action, select Permit Traffic.
d.
g. For Source, click Options, select Enter custom IP, IP/mask or IP-Range, and type 192.168.8.0/21.
h. For Destination, click Options, select Enter custom IP, IP/mask or IP-Range, and type 10.1.1.0/24.
i. Select the Enable this Policy check box to enable the access policy.
j. Select the Enable IPS for this Policy check box if you want to enable IPS to check packets on this policy.
k.
Follow these steps to configure the second module (illustrated at the top of the figure):
1. Create a NAT policy to translate source addresses on traffic from Zone1 to the shared data center (Zone 3).
a. Click Firewall > NAT Policies > Policies.
b. Click Add Policy.
c. For Translate, select Source.
d. For From Zone, select ZONE1.
e. For To Zone, select ZONE3.
f. For Service, accept the default: Any Service.
g.
Figure 5-14. Add NAT Policy Window—Module 2
j. Click OK.
2. Create a firewall access policy to permit the traffic from Zone1 to Zone3.
a. Click Firewall > Access Policies > Unicast.
b. Click Add a Policy.
c. For Action, select Permit Traffic.
d. For From, select ZONE1.
e. For To, select ZONE3.
f. For Service, accept the default, Any Service. You can, of course, limit the firewall policy to allow only certain services.
g.
j. Select the Enable IPS for this Policy check box if you want to enable IPS to check packets on this policy.
k. Optionally, select the Enable logging on this Policy check box to log access policy activities.
Note
It is not recommended that you enable logging permanently because policy logging is processor intensive. Use policy logging for troubleshooting and testing only.
l.
is the module’s IP address on the VLAN associated with the DMZ. On this network the DMZ is a Web server farm, so those devices do not need to initiate contact with the devices in the Internal zone.
Figure 5-16. Source NAT—Single Internet Address Example
Figure 5-16 shows the translation of the source addresses of the devices in Internal to a single address for DMZ. To implement this plan, follow these steps:
1.
Note
In this example, you could also select Any Address because VLAN 10 is the only VLAN in the zone.
h. For Destination, select VLAN20.
i. For NAT IP address, select Use IP of routed VLAN interface. The TMS zl Module will translate the traffic to 10.1.2.107, which is the TMS zl Module’s IP address on VLAN 20, the VLAN on which the traffic will be forwarded.
Figure 5-17. Add NAT Policy Window
j. Click OK.
k. Click Save.
4.
f. For Service, accept the default: Any Service.
Note
You could also limit the internal devices to accessing certain services.
g. For Source, select VLAN10.
h. For Destination, select VLAN20.
i. Select the Enable this Policy check box to enable the access policy.
j. Select the Enable IPS for this Policy check box to enable IPS to check packets on this policy.
k.
You could also create a more general firewall access policy. This might permit you to create fewer firewall access policies overall because more than one of the NAT policies would be covered by a single firewall access policy.
Limited NAT Pool
In this type of source NAT there is a limited pool of NAT addresses for Internal devices to use when accessing resources in Zone5.
2. Create another single-entry network address object named VLAN2 that contains 10.10.2.0/24.
3. Create a NAT policy to translate source addresses for traffic from Internal to Zone5.
a. Select Firewall > NAT Policies > Policies.
b. Click Add Policy.
c. Select Source for translation type.
d. For From Zone, select INTERNAL.
e. For To Zone, select ZONE5.
f. For Service, accept the default: Any Service.
g. For Source, select VLAN10.
h.
4. Create a firewall access policy to permit the NAT traffic.
a. Select Firewall > Access Policies > Unicast.
b. Click Add Policy.
c. For Action, select Permit Traffic.
d. For From, select INTERNAL.
e. For To, select ZONE5.
f. For Service, accept the default: Any Service.
g. For Source, select VLAN10.
h. For Destination, select VLAN2.
i. Select the Enable this Policy check box to enable the access policy.
j.
l. Click Apply.
m. Click Close.
n. Click Save.
You could also create a more general firewall access policy. This might allow you to create fewer firewall access policies overall because more than one of the NAT policies would be covered by a single firewall access policy.
Destination NAT
This section includes one example of a destination NAT configuration.
To set up this example, follow these steps:
1. Create a single-entry IP address object named Web_Services that contains 172.16.100.100. (See “Named Objects and Their Uses” in Chapter 4: “Firewall” for instructions.)
2. Configure a NAT policy to translate FTP traffic.
a. Click Firewall > NAT Policies > Policies.
b. Click Add Policy.
Figure 5-23. Add NAT Policy Window
c. Select Destination for the translation type.
d. For From Zone, select INTERNAL.
3. Configure a NAT policy to translate HTTP traffic.
a. Click Add Policy again.
Figure 5-24. Add NAT Policy Window
b. Select Destination for the translation type.
c. For From Zone, select INTERNAL.
d. To Zone is automatically set to Self.
e. For Service, select http.
f. For Source, select Any Address.
g. For Destination, select Web_Services.
h. For NAT IP address, type 10.1.1.12.
i. For NAT Port (Optional), type 8088.
j. Click OK.
k.
4.
Figure 5-25. Add Policy Window
c. For Action, select Permit Traffic.
d. For From, select INTERNAL.
e. For To, select SELF.
f. For Service list, accept the default: Any Service.
Note
You can also narrow the scope of this access policy by creating and selecting a service group that contains http and ftp. (See “Service Groups” in Chapter 4: “Firewall.”)
g. For Source, accept the default: Any Address.
h. For Destination, select Web_Services.
i.
Note
It is not recommended that you enable logging permanently because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.
l. Click Apply.
m. Click Close.
n. Click Save.
You could also apply a more general firewall access policy. This might allow you to create fewer firewall access policies overall because more than one of the NAT policies would be covered by a single firewall access policy.
Figure 5-26. Using an Exclude NAT Policy
In this example, the IPsec policy traffic selector for a site-to-site VPN specifies traffic between VLAN 20 and a remote network (192.168.4.0/22). An existing NAT policy selects all internal traffic that is destined to the External zone and translates the source address to the TMS zl Module’s external address (172.19.44.44). Because the remote network is reached through the External zone, the two policies overlap.
3. Create a NAT policy to exclude traffic that should be sent over the VPN from translation.
a. Select Firewall > NAT Policies > Policies.
b. Click Add Policy.
c. Select None for the translation type.
d. For From Zone, select INTERNAL.
e. For To Zone, select EXTERNAL.
f. For Service, select Any Service.
g. For Source, select VLAN20.
h. For Destination, select RemoteClients.
i. For Insert Position (Optional), type 1.
Figure 5-27.
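To make the two ordering rules concrete (the firewall matches access policies against the untranslated packet, and the first matching NAT policy wins, so an exclusion policy at insert position 1 takes precedence over the general source NAT), here is an added Python simulation; it is not the TMS zl Module's code. The 192.168.4.0/22 remote network, the 172.19.44.44 external address and the Table 5-10 addresses are the guide's values; the VLAN20 subnet 10.1.20.0/24, the host addresses and the policy tables are constructed for the example.

```python
"""Added simulation (not the TMS zl Module's code) of the order of operations
the guide describes: access policies are checked against the untranslated
packet, then the first matching NAT policy in insert-position order is applied,
and a policy whose translation type is None excludes the traffic from NAT."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def match_addr(spec: str, addr: str) -> bool:
    """Match an address against the forms the policy windows accept:
    Any, a single IP, an IP/mask in CIDR form, or a dash-separated range."""
    if spec.lower() == "any":
        return True
    a = ip_address(addr)
    if "-" in spec:
        lo, hi = (ip_address(p) for p in spec.split("-"))
        return lo <= a <= hi
    if "/" in spec:
        return a in ip_network(spec, strict=False)
    return a == ip_address(spec)


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str = "Any"


@dataclass(frozen=True)
class Rule:
    """Match fields shared by firewall access policies and NAT policies."""
    from_zone: str
    to_zone: str
    src: str = "Any"
    dst: str = "Any"
    service: str = "Any"

    def matches(self, p: Packet) -> bool:
        return (self.from_zone == p.from_zone and self.to_zone == p.to_zone
                and self.service in ("Any", p.service)
                and match_addr(self.src, p.src) and match_addr(self.dst, p.dst))


@dataclass(frozen=True)
class NatPolicy(Rule):
    translate: Optional[str] = None   # "source", "destination", or None (exclusion)
    nat_ip: Optional[str] = None


def forward(p: Packet, access: List[Rule], nat: List[NatPolicy]) -> Tuple[str, Optional[Packet]]:
    """Return (verdict, packet as it leaves the module, or None if dropped)."""
    # 1. Firewall: access policies see the ORIGINAL addresses, before any NAT.
    if not any(ap.matches(p) for ap in access):
        return "dropped: no access policy permits the untranslated packet", None
    # 2. NAT: the first matching policy wins, so insert position matters.
    for np in nat:
        if np.matches(p):
            if np.translate is None:
                return "permitted, excluded from NAT", p
            if np.translate == "source":
                return "permitted, source NAT", replace(p, src=np.nat_ip)
            return "permitted, destination NAT", replace(p, dst=np.nat_ip)
    return "permitted, no NAT policy matched", p


# Constructed policies. 192.168.4.0/22, 172.19.44.44, 192.168.5.177 and 10.1.1.222
# are the guide's values; the VLAN20 subnet 10.1.20.0/24 and the hosts are assumed.
ACCESS = [Rule("INTERNAL", "EXTERNAL"),                      # all internal -> external
          Rule("EXTERNAL", "SELF", dst="192.168.5.177")]     # pre-NAT address (Table 5-10)
EXCLUDE_VPN = NatPolicy("INTERNAL", "EXTERNAL", src="10.1.20.0/24", dst="192.168.4.0/22")
SNAT_ALL = NatPolicy("INTERNAL", "EXTERNAL", translate="source", nat_ip="172.19.44.44")
DNAT_WEB = NatPolicy("EXTERNAL", "SELF", dst="192.168.5.177",
                     translate="destination", nat_ip="10.1.1.222")
VPN_PKT = Packet("INTERNAL", "EXTERNAL", "10.1.20.5", "192.168.4.10")
WEB_PKT = Packet("EXTERNAL", "SELF", "203.0.113.9", "192.168.5.177")


def vpn_traffic_exclusion_first():
    """Exclusion at insert position 1: the source address stays 10.1.20.5."""
    return forward(VPN_PKT, ACCESS, [EXCLUDE_VPN, SNAT_ALL])


def vpn_traffic_exclusion_last():
    """Exclusion below the general policy: the packet is translated first."""
    return forward(VPN_PKT, ACCESS, [SNAT_ALL, EXCLUDE_VPN])


def internet_traffic():
    """Non-VPN traffic still gets the module's external address."""
    return forward(Packet("INTERNAL", "EXTERNAL", "10.1.20.5", "198.51.100.7"),
                   ACCESS, [EXCLUDE_VPN, SNAT_ALL])


def inbound_web_prenat_policy():
    """Access policy written for the pre-NAT address: permitted and translated."""
    return forward(WEB_PKT, ACCESS, [DNAT_WEB])


def inbound_web_postnat_policy():
    """Access policy written for the translated address never matches: dropped."""
    return forward(WEB_PKT, [Rule("EXTERNAL", "SELF", dst="10.1.1.222")], [DNAT_WEB])


if __name__ == "__main__":
    for fn in (vpn_traffic_exclusion_first, vpn_traffic_exclusion_last, internet_traffic,
               inbound_web_prenat_policy, inbound_web_postnat_policy):
        print(fn.__name__, "->", fn())
```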
6 Intrusion Detection and Prevention
Contents
Overview . . . . . . . . . . . . . . . . . . . . 6-3
IDS/IPS Concepts . . . . . . . . . . . . . . . . 6-4
Attack Vectors . . . . . . . . . . . . . . . . . 6-4
External Attacks . . . . . . . . . . . . . . . .
Register the IDS/IPS Signature Subscription . . . . . . . . . . . . 6-22
Obtain the Subscription Registration ID and TMS-Subscription Hardware ID . . . . 6-22
Enter the Registration and TMS-Subscription Hardware ID on the My Networking Portal . . . . 6-26
Configure Signature Detection . . . . . . . . . . . . . . . . .
Overview
Networks today are increasingly vulnerable to attacks not only from without but also from within. Companies often offer access to guests, contractors, partners, and other less trusted users. In addition, network users are increasingly mobile, working from home or on the road and roaming between rooms and even buildings at their company offices.
IDS/IPS Concepts
Hacker attacks, employee threats, virus skirmishes, and battles with worms—to implement successful network security, you must first understand the types of attacks that threaten your network. In Chapter 4: “Firewall,” you learned about several specific attacks. While a list of every attack is beyond the scope of this (or any) guide, this chapter will explore some of the most common network attacks.
However, some external attacks use perfectly legitimate traffic to infiltrate, overwhelm, rob, cripple, or destroy your network. Because attackers use legitimate traffic, attacks cannot always be easily distinguished and stopped by perimeter protection methods, such as a traditional firewall.
External Intentional Attacks. In most cases, external attackers will aim attacks at well-known network vulnerabilities.
Internal Intentional Attacks. Internal intentional attacks are caused by someone who already has some trusted access to your network. Perpetrators might include disgruntled employees, partners, or administrators who abuse their network access privileges to wreak havoc or deliberately open perimeter network security holes.
Internal Unintentional Attacks. Internal unintentional attacks are largely the result of uninformed users or administrators.
■ Denial of service (DoS)
■ Backdoors
Policy Violations
An example of a policy violation attack is when a user leaves the password field empty while trying to access an FTP server.
Cross-Site Scripting (XSS)
Cross-site scripting is the most common type of publicly reported security vulnerability.
Viruses and Worms
Viruses and worms can spread rampantly through an unprotected network and cause enormous amounts of damage to vital files and network resources. Two categories of viruses and worms are listed below:
■ Zero-day viruses and worms
Worm and virus attacks initially took days or weeks to spread over a geographical area, which gave developers time to distribute cautions and signature files across the Internet.
Reconnaissance
Reconnaissance attacks are internal or external and are intentional. Less straightforward than brute force or other unauthorized access attacks, reconnaissance attacks rely on several methods for detecting vulnerabilities in your network so that any discovered vulnerabilities can be exploited. For example, network administrators use network mapping and enumeration software to verify their network security.
Note
Because protocol anomaly attacks exploit protocol specifications, they are sometimes referred to as protocol exploitation attacks. This guide will refer to them only as protocol anomaly attacks.
Traffic Information
Traffic information attacks affect the way network traffic travels through the network. The most common traffic information attack is the buffer overflow attack.
authorized wireless devices and analyzing the traffic with software that deciphers encryption keys. The encryption key can then be used as a password to access the network.
■ Wiretapping
Wiretapping occurs when a device that intercepts and broadcasts information is placed on the physical network wire. Any intercepted or “tapped” traffic can then be recorded and analyzed.
In many DoS attack cases, the only way to regain occupied network resources is to trace the source of the attack and stop the triggers. Finding the source of a straightforward SYN flood can be somewhat difficult, but not impossible. However, the new, sophisticated techniques of distributed and reflected DoS attacks allow an attacker to better disguise the attack source.
Threat Detection and Prevention
In monitor mode, the TMS zl Module can provide Intrusion Detection System (IDS) functionality. An IDS detects intrusions but does not take action to stop or prevent them. An IDS is offline, and its only role is to detect threats and log them, as shown in Figure 6-1.
Figure 6-2. IDS Packet Flow in Monitor Mode
A packet that is mirrored to the TMS zl Module in monitor mode is examined by the IDS. If the IDS detects a threat, it creates a log entry. IDS sessions are based on several factors:
■ Protocol
■ Source zone
■ Source IP
■ Source port
■ Destination zone
■ Destination IP
■ Destination port
However, the IDS depends on sessions, and if the sessions run out, the IDS will drop packets.
Figure 6-3. IDS/IPS Packet Flow in Routing Mode
Routing Mode
A packet that is routed to the TMS zl Module in routing mode is passed first to the firewall, then to the IDS. If the IDS does not detect a threat, it returns the packet to the firewall, which sends it to its destination.
Protocol Anomaly Detection
Protocol anomaly detection involves looking for irregularities in protocol payloads as they pass through the network. Protocol anomalies target an application, so the attack indicators are hidden in the packet payload. Detecting them requires buffering the packets, decoding the protocol, and maintaining some basic state about a given flow, such as open, authenticated, and so on.
■ IMAP
• Check for malformed requests (without proper tag, command, and so on, in the command line)
■ POP3
• Ensure that the command line does not exceed 512 bytes
■ DNS
• Check for a DNS reply without a valid request
• Check for unknown DNS operation flags
• Check for a domain name greater than 255 bytes
• Check for a label size greater than 63 bytes
• Check for an invalid DNS label offset
• Check the resource record
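As an added example (not the module's code), the following Python implements the DNS checks in the list above against constructed wire-format messages: reply without a valid request, unknown opcode, name longer than 255 bytes, label longer than 63 bytes, invalid label (compression) offset, and resource-record length. The per-flow set of outstanding transaction IDs is an assumption about how "valid request" is tracked.

```python
"""Added example (not the TMS zl Module's code): the DNS protocol-anomaly
checks listed above, run over constructed wire-format messages."""
import struct

MAX_NAME = 255           # maximum wire length of a domain name, terminator included
MAX_LABEL = 63
KNOWN_OPCODES = {0, 1, 2, 4, 5}   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE


class DnsAnomaly(Exception):
    pass


def parse_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name at offset; return (name, next offset).
    Raises DnsAnomaly for oversized labels, oversized names and bad pointers."""
    labels, total, pos, next_off = [], 0, offset, None
    while True:
        if pos >= len(msg):
            raise DnsAnomaly("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise DnsAnomaly("truncated label pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            # a valid pointer refers back to a name that appeared earlier, after the
            # header; requiring target < pos also rules out pointer loops
            if target >= pos or target < 12:
                raise DnsAnomaly("invalid DNS label offset %d" % target)
            next_off = pos + 2 if next_off is None else next_off
            pos = target
            continue
        if length > MAX_LABEL:
            raise DnsAnomaly("label size %d > 63" % length)
        if length == 0:
            pos += 1
            break
        total += length + 1
        if total + 1 > MAX_NAME:
            raise DnsAnomaly("domain name longer than 255 bytes")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels), (pos if next_off is None else next_off)


def check_dns(msg: bytes, outstanding: set) -> list:
    """Anomalies in one message; `outstanding` = request IDs seen so far (per flow)."""
    if len(msg) < 12:
        return ["message shorter than the 12-byte header"]
    findings = []
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in KNOWN_OPCODES:
        findings.append("unknown DNS opcode %d" % opcode)
    if flags & 0x8000:                                  # QR=1: this is a reply
        if txid not in outstanding:
            findings.append("reply 0x%04x without a valid request" % txid)
        outstanding.discard(txid)
    else:
        outstanding.add(txid)
    pos = 12
    try:
        for _ in range(qd):
            _, pos = parse_name(msg, pos)
            pos += 4                                    # QTYPE + QCLASS
        for _ in range(an + ns + ar):                   # resource record checks
            _, pos = parse_name(msg, pos)
            if pos + 10 > len(msg):
                raise DnsAnomaly("truncated resource record")
            rdlength = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
            pos += 10 + rdlength
            if pos > len(msg):
                raise DnsAnomaly("RDLENGTH exceeds message")
    except DnsAnomaly as e:
        findings.append(str(e))
    return findings


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01"


def build_reply(txid: int, name: str, ip: str) -> bytes:
    """Standard response with one A record whose name is a pointer to the question."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01" + rr


def run_demo() -> dict:
    """Constructed traffic: one clean exchange, then one message per anomaly."""
    seen, r = set(), {}
    r["query"] = check_dns(build_query(0x1234, "www.example.com"), seen)
    r["reply"] = check_dns(build_reply(0x1234, "www.example.com", "192.0.2.10"), seen)
    r["orphan_reply"] = check_dns(build_reply(0x9999, "www.example.com", "192.0.2.10"), seen)
    r["long_label"] = check_dns(build_query(1, "a" * 64 + ".example"), seen)
    r["long_name"] = check_dns(build_query(2, ".".join(["b" * 62] * 5)), seen)
    bad_ptr = struct.pack("!HHHHHH", 3, 0x0100, 1, 0, 0, 0) + b"\xc0\x20\x00\x01\x00\x01"
    r["bad_offset"] = check_dns(bad_ptr, seen)          # pointer to offset 32, ahead of itself
    r["opcode"] = check_dns(struct.pack("!HHHHHH", 4, 3 << 11, 0, 0, 0, 0), seen)
    return r
```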
Traffic that passes through ports not on this map will be assumed to be the services that are associated with the IANA well-known ports. If no application is assigned to the port by the TMS zl Module or IANA, the traffic will be treated as generic TCP/UDP traffic.
Signature Detection
The IDS/IPS on the TMS zl Module can use signatures to detect known attacks that have well-defined attack patterns.
■
• Blind SQL injection attempt
• MySQL SPACE or Keyword injection
■ Virus
• AIM Bot
• BugBear
• Trojan Haxdoor
• VBS.
■ Backdoor
• Acid Battery
• Meet the Lamer
• Back Orifice
• AOL Admin
• Alvgus
• Ruler
Configure IDS/IPS
When you use the TMS zl Module as an IDS (required for monitor mode), you can configure:
■ Protocol anomaly detection settings
■ Port maps
■ IDS signatures that are used to perform checks
■ Session inspection
When you use the TMS zl Module as an IPS, you can configure:
■ Protocol anomaly detection settings
■ Port maps
■ IPS si
The default settings are as follows:
■ HTTP headers
• Maximum header size—4096 bytes
• Maximum line size—3072 bytes
• Maximum URL line size—3072 bytes
• Maximum # of lines—50 per header
■ MIME headers
• Maximum header size—1024 bytes
• Maximum boundaries—5 per message
■ SMTP headers
• Maximum header size—1024 bytes
If you do choose to adjust the default settings, follow these steps:
1.
3. From the Service list, select a service.
4. The Protocol field will be automatically populated.
5. In the Port field, type the new port number.
6. Click OK.
7. Click Save.
Register the IDS/IPS Signature Subscription
To begin using an IDS/IPS signature subscription, you must first register it on the My Networking portal (http://hp.com/networking/mynetworking). You can register the IDS/IPS signature subscription at any time.
Figure 6-5.
TMS-Subscription Hardware ID. If you have booted the TMS zl Module to the Product OS, you can obtain the TMS-subscription hardware ID from:
■ Product OS context of the CLI
■ Web browser interface
To obtain the TMS-subscription hardware ID from the Product OS context of the CLI, you must first access the host switch’s CLI. Then, from the manager-level context of the host switch’s CLI, complete the following steps:
1.
The host switch assigns index numbers based on:
■ The number of TMS zl Modules and HP ONE Services zl Modules that are installed in the host switch
■ The order in which each product boots on the host switch
Keep in mind that each time the host switch boots, the products could potentially boot in a different order, and the index numbers assigned to each product would change.
Enter the Registration and TMS-Subscription Hardware ID on the My Networking Portal
To register the IDS/IPS signature subscription, follow these steps:
1. Open a Web browser and type http://hp.com/networking/mynetworking in the address bar.
Figure 6-6. My Networking Portal Sign In Window
2. Type your My Networking ID and Password in the appropriate fields and click Sign In.
3. Click My Licenses.
4.
When your TMS zl Module attempts to download signatures, the HP signature server will recognize that your module has a valid IDS/IPS signature subscription and allow it to download the signatures.
Figure 6-7. Intrusion Prevention > Signatures > Download Window
4. If you want to learn more about the latest signatures available, click the Signature Release Notes and Catalog at hp.com link.
5. If you use a proxy server to connect to the Internet, select the Use a proxy server check box.
• In the Address field, type the IP address or FQDN of the proxy server.
• In the Port field, type the port number to access the proxy server.
Resolving Problems in Downloading Signatures. If you encounter problems while downloading signatures, try the following troubleshooting tips:
1. Ensure that your IDS/IPS signature subscription is still valid.
2. If the TMS zl Module is operating in routing mode, ensure the appropriate access policy has been added.
3.
Figure 6-8. Intrusion Prevention > Signatures > Preferences Window
2. Select the Full Session Inspection check box.
3. Click Apply My Changes.
4. Click Save.
Advanced Control of IDS/IPS Inspection. The default optimized session inspection and the full session inspection will meet the needs of most network environments.
To customize the inspection depth, enter the following command from the TMS zl Module’s global configuration context, followed by the number of bytes you want inspected:
Host switch (config)# ips inspection-depth
You can specify a number between 1 and 2147483647 (approximately 2 GB). Specify 0 for full session inspection.
Figure 6-9. Intrusion Prevention > Signatures > View Window
The Intrusion Prevention (Detection) > Signatures > View window lists the following information about each signature:
• Name—Name of the attack, usually an industry-standard name
• Threat Level—A preconfigured indicator of the attack’s severity level
• Protection—The type of device the associated attack targets.
• Enable—Select or clear the Enable check box to enable or disable a specific signature. See “Enable or Disable Signatures” on page 6-34.
2. To find out more about a particular signature, click the name (which is underlined). A pop-up box is displayed, providing information about the signature’s capabilities.
Figure 6-10. Additional Information about a Signature
Click OK to close the information box.
3.
Figure 6-11. Filters for Viewing Signatures Based on the Protection They Provide
• Threat Level—Select Any to view all signatures, no matter what threat level they have, or select one of the following to view signatures with a specific threat level: Critical, Severe, Minor, Warning, or Information.
For example, you might set the Status filter to All, the Protection filter to Servers, and the Threat Level filter to Critical.
Figure 6-12. Intrusion Prevention > Signatures > View Window
Note
If you disable a signature, the IDS/IPS will no longer check packets against that signature, leaving your network vulnerable to known attacks.
■ Terminate the session—The TMS zl Module closes the session with the offending traffic. It drops all traffic that is associated with the session. For example, if the threat was detected in an HTTP session to a private server, the offender is blocked from sending any traffic to that server on the HTTP port. No TCP reset or similar message is returned.
Note
When signature and protocol anomaly detection is enabled, a log entry is generated for each instance in which suspect packets or traffic is found, regardless of the Action setting.
3. For each threat severity level, select the actions that you want the TMS zl Module to take.
4. Click Apply My Changes.
5. Click Save.
Managing the TMS zl Module with HP Network Immunity Manager
Multiple TMS zl Modules can be configured and managed from one central location using HP ProCurve Manager (PCM+) and HP Network Immunity Manager (NIM). Because the TMS zl Module can detect and mitigate threats from both internal and external sources, the TMS zl Module is the perfect companion to NIM.
7 Virtual Private Networks
Contents
Introduction . . . . . . . . . . . . . . . . . . . . 7-6
IPsec Concepts . . . . . . . . . . . . . . . . . . . 7-9
IPsec Headers . . . . . . . . . . . . . . . . . . . 7-9
IPsec Modes . . . . . . . . . . . . . . . . . . . . 7-9
Tunnel Mode . . .
Configure an IPsec Client-to-Site VPN . . . . . . . . . . . . . . . 7-27
Create an IKE Policy for a Client-to-Site VPN . . . . . . . . . . . 7-28
Install Certificates for IKE . . . . . . . . . . . . . . . . . . . . 7-36
Install Certificates Manually . . . . . . . . . . . . . . . . . . . 7-36
Install Certificates Using SCEP . . . . . . . . . . . . . . . . . .
Configure L2TP User Authentication . . . . . . . . . . . . . . . . 7-165
Configure Local L2TP Authentication . . . . . . . . . . . . . . . . 7-165
Configure L2TP Authentication to an External RADIUS Server . . . . 7-170
Create Access Policies for an L2TP over IPsec VPN . . . . . . . . . 7-177
Verify Routes for the L2TP over IPsec VPN . . . . . . . . . . . . .
Create an IPsec Policy for a GRE over IPsec VPN That Uses IKE . . . . 7-249
Create Access Policies for a GRE over IPsec VPN That Uses IKE . . . . 7-258
Unicast Access Policies . . . . . . . . . . . . . . . . . . . . . . . 7-260
Multicast Access Policies . . . . . . . . . . . . . . . . . . . . . .
Create Named Objects for Site A . . . . . . . . . . . . . . . . . .
Configure Firewall Access Policies for Site A . . . . . . . . . . .
Configure Routes for Site A . . . . . . . . . . . . . . . . . . . .
Create the Primary GRE Tunnel for Site B . . . . . . . . . . . . .
Create the Secondary GRE Tunnel for Site B . . . . . . . . . . . .
Create Named Objects for Site B . . . . . . . . . . . . . . . . . .
Introduction
The Threat Management Services (TMS) zl Module supports virtual private networks (VPNs), which are tunnels that connect two trusted endpoints through an untrusted network. A VPN tunnel can provide data integrity and data privacy for the traffic transmitted over the tunnel.
If you know which type of VPN you want to configure, see Table 7-1 for the page at which the configuration instructions begin. (The table also indicates where you can find general background information on the technologies used.)
Table 7-1.
Table 7-2. Selecting a VPN Type
Remote VPN Gateway or Clients    VPN Type    Configuration Instructions for the TMS zl Module    Configuration Instructions for the Remote Client or Gateway
HP ProCurve VPN Client v10.7.
IPsec Concepts
IPsec, which supports a variety of industry-standard authentication and encryption protocols, is a flexible, highly secure method of establishing a VPN. The TMS zl Module can act as the gateway device for the IPsec VPN—that is, the tunnel endpoint. The other end of the tunnel can be another VPN gateway (in a site-to-site VPN) or a remote endpoint (in a client-to-site VPN).
Figure 7-1. Tunnel Mode
In tunnel mode, an AH header authenticates both the payload (including the original IP header) and the delivery IP header. An ESP header authenticates only the payload (including the original IP header) but can also encrypt the payload.
Transport Mode
In transport mode, a packet is encapsulated with an IPsec header before the IP header is added, which reduces overhead.
In transport mode, an AH header authenticates the entire packet including the IP header. The ESP header authenticates only the payload but can also encrypt the payload.
Authentication and Encryption Algorithms
To provide data integrity, an IPsec tunnel endpoint transforms packets with authentication algorithms.
■ Data authentication algorithm and unique authentication keys (optional if ESP encryption is used)—On the TMS zl Module, the algorithm can be MD5, SHA-1, or AES-XCBC.
■ Traffic selector—Valid IP header values such as source and destination address for traffic that is carried by the SA
When receiving inbound packets, the TMS zl Module first checks the packet for an IPsec header. If an IPsec header is present, the module uses the SPI to identify the packet’s SA.
generate the unique keys used to secure packets. Using IPsec with IKE provides increased security because keys are randomly generated and periodically changed. IKE also eases configuration. Instead of configuring the SA manually, you configure IKE policies. (You must also set some security parameters and a traffic selector in the IPsec policy.
■ Authentication method:
• Preshared key
• Certificates (Digital Signature Algorithm [DSA] or Rivest-Shamir-Adleman [RSA] Signature)
■ Diffie-Hellman group:
• Group 1 (768)
• Group 2 (1024)
• Group 5 (1536)
■ SA lifetime in seconds
■ Other parameters such as whether XAUTH is required or NAT-T is supported
You will specify these proposals in an IKE policy.
Figure 7-3.
The remote endpoint searches its IKE policies for one that specifies the other endpoint and that includes an identical security proposal. When it finds a match, the remote endpoint returns these security parameters to the original endpoint. If the remote endpoint cannot find a match, the VPN connection fails. This is why it is very important that you match IKE policies at both ends of the connection.
Exchange 2: Key generation.
■ Certificates—The endpoints exchange certificates, which must be installed before IKE initiates. Each endpoint’s certificate must be signed by a CA that is trusted by the other endpoint.
Figure 7-5. IKE Phase 1: Authentication
The tunnel endpoints also check each other’s IDs. When you set up an IKE policy, you specify the TMS zl Module’s local ID and the remote ID that it expects from the remote VPN gateway or client.
Note
If you use certificates for IKE authentication, you must specify either the DN as the identity type, or you must specify the type and value of a subject alternate name in the certificate.
IKE modes. IKE phase 1 can be initiated in one of two modes:
■ Main mode
■ Aggressive mode
Main mode consists of the six messages (three exchanges) described above.
Figure 7-6.
Virtual Private Networks IPsec Concepts Figure 7-7. IKE Phase 2: Security Proposal When negotiating the IPsec SA, IKE follows much the same process it did in IKE phase 1.
Virtual Private Networks IPsec Concepts ■ Traffic selectors—the traffic that is allowed over the IPsec SA (VPN tunnel) The traffic selector specifies local and remote IP addresses (the local addresses on one endpoint must match the remote addresses on the other). Optionally, the selector can select a specific IP protocol or a specific TCP or UDP service. ■ Other advanced options The respondent searches its IPsec policies for a match. When it finds a match, it returns the policy to the initiator.
The remote client requests an IP address and default gateway from the IPsec Remote Access Server (IRAS) on the TMS zl Module between IKE phase 1 and phase 2 negotiations. It may also request addresses for DNS and WINS servers that will resolve domain names for the user while on the private network. Once the users have received the IKE mode config parameters, they appear as internal users on the network. When configuring IKE mode config, follow these guidelines.
Advanced IPsec Features The TMS zl Module supports these advanced features:
■ IP compression
■ Customizable anti-replay window size
■ Extended sequence number
■ Re-key on sequence number overflow
■ Persistent tunnels
■ Fragmentation before IPsec
■ The copying of values from the original IP header
The section below describes these features. Table 7-3 indicates which features are enabled by default and other default settings. Table 7-3.
For example, suppose that the anti-replay window size is at the default, 32. If the highest sequence number that the TMS zl Module has received is 120, the module will accept any packet with a sequence number of 88 or greater. If your VPN users complain of poor performance, you might increase the window size.
The Copying of Values from the Original IP Header In tunnel mode, a delivery IP header encapsulates the original IP header.
NAT Traversal VPN users may be behind a device that performs NAT on packets that are destined for the other end of the VPN tunnel. If NAT is performed on packets before they are encrypted, then the packets pass over the VPN connection without difficulty. However, sometimes a device in between the two endpoints of a VPN tunnel performs NAT on packets that have already been encapsulated for the tunnel.
Figure 7-8. NAT Traversal How NAT Traversal Works NAT-T uses UDP encapsulation to address this incompatibility between NAT and L2TP over IPsec. UDP encapsulates the IPsec packet in a UDP/IP header. The NAT device changes the address in this header without tampering with the IPsec packet. Peers agree to use NAT-T during IKE negotiations by exchanging a predetermined, known value that indicates that they support NAT-T.
The NAT-T feature on the TMS zl Module automatically detects one or more NAT devices between IPsec hosts and negotiates the UDP encapsulation of the IPsec packets through NAT. The TMS zl Module implements NAT-T under any of the following circumstances:
■ The remote endpoint or endpoints are behind one or more NAT devices.
■ TMS zl Module is behind a NAT device.
■ Both are behind a NAT device.
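The anti-replay arithmetic above, worked through in code. This is an added example written for this guide, not code from the TMS zl Module or from HP: it models a sliding window with the guide's rule (with window size W and highest received sequence number H, a packet is accepted only if its sequence number is at least H minus W and has not already been received), and it enforces the 32 to 1024 range that the policy setting allows. The class and function names are the author's own.

```python
class AntiReplayWindow:
    """Sliding anti-replay window for IPsec sequence numbers.

    Follows the guide's arithmetic: with window size 32 and highest received
    sequence number 120, sequence number 88 is the lowest still accepted.
    Names and structure are this example's own, not the module's code.
    """

    def __init__(self, window_size=32):
        # The IPsec policy setting accepts 32 to 1024; 32 is the default.
        if not 32 <= window_size <= 1024:
            raise ValueError("anti-replay window size must be between 32 and 1024")
        self.window_size = window_size
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def lowest_accepted(self):
        """Lowest sequence number the window still accepts."""
        return max(self.highest - self.window_size, 0)

    def check(self, seq):
        """Return (accepted, reason); records the packet when it is accepted."""
        if seq < 1:
            return False, "invalid: IPsec sequence numbers start at 1"
        if seq > self.highest:
            # Newer than anything received: advance the window and drop
            # bookkeeping for sequence numbers that fell out of it.
            self.highest = seq
            self.seen.add(seq)
            low = self.lowest_accepted()
            self.seen = {s for s in self.seen if s >= low}
            return True, "new highest sequence number; window advanced"
        if seq < self.lowest_accepted():
            return False, "too old: below the anti-replay window"
        if seq in self.seen:
            return False, "replay: sequence number already received"
        self.seen.add(seq)
        return True, "late but inside the window"


def demo():
    """Replays the guide's scenario: window 32, highest received 120."""
    window = AntiReplayWindow(32)
    window.check(120)
    # 88 is the lowest accepted; 87 is too old; a second 88 is a replay;
    # 121 advances the window so that 88 is then too old.
    probes = [88, 87, 88, 100, 121, 88]
    return [(n, window.check(n)[0]) for n in probes]


if __name__ == "__main__":
    for seq, ok in demo():
        print(seq, "accepted" if ok else "dropped")
```

Increasing the window size, as the guide suggests for users who report poor performance, lowers the floor at which out-of-order packets are still accepted; the replay check itself is unaffected because a sequence number that has already been received is dropped regardless of size.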
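The following added example shows the packet format that makes NAT-T work; it is written for this guide and is not code from the TMS zl Module. It assumes the standard UDP encapsulation on port 4500 (RFC 3948), in which a UDP header is followed directly by the ESP header, IKE messages carry a four-byte all-zero non-ESP marker, and a single 0xFF byte is a NAT keepalive; those details are not stated in the guide. The sample datagrams are constructed inline, and the NAT device is simulated by rewriting only the outer UDP source port, which shows why the encapsulated ESP header, and therefore its integrity, is untouched.

```python
import struct

NAT_T_PORT = 4500                    # UDP port for NAT-T (RFC 3948; assumption, not from the guide)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix that marks IKE rather than ESP on port 4500


def build_udp_datagram(src_port, dst_port, payload):
    """Constructed sample: UDP header (checksum left zero) followed by payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_esp(spi, seq, body):
    """Constructed sample ESP packet: SPI, sequence number, then opaque body."""
    return struct.pack("!II", spi, seq) + body


def classify_nat_t(datagram):
    """Decide what a UDP datagram on the NAT-T port carries."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    src, dst, length, _ = struct.unpack("!HHHH", datagram[:8])
    if NAT_T_PORT not in (src, dst):
        return {"kind": "not-nat-t", "src_port": src, "dst_port": dst}
    payload = datagram[8:length]
    if payload == b"\xff":
        return {"kind": "nat-keepalive", "src_port": src}
    if len(payload) < 8:
        return {"kind": "malformed", "src_port": src}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "src_port": src, "ike_len": len(payload) - 4}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "src_port": src, "spi": spi, "seq": seq,
            "protected_len": len(payload) - 8}


def nat_rewrite_source_port(datagram, new_src_port):
    """Simulate the NAT device: only the outer UDP header changes; the
    encapsulated IPsec packet is passed through byte for byte."""
    _, dst, length, _ = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst, length, 0) + datagram[8:]


def demo():
    """Build an ESP datagram, pass it through a simulated NAT, classify both."""
    esp = build_esp(spi=0x1000ABCD, seq=120, body=b"\x11" * 24)   # constructed values
    sent = build_udp_datagram(NAT_T_PORT, NAT_T_PORT, esp)
    received = nat_rewrite_source_port(sent, 61234)                # as seen by the gateway
    ike = build_udp_datagram(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + b"\x00" * 28)
    keepalive = build_udp_datagram(NAT_T_PORT, NAT_T_PORT, b"\xff")
    return (classify_nat_t(sent), classify_nat_t(received),
            classify_nat_t(ike)["kind"], classify_nat_t(keepalive)["kind"])


if __name__ == "__main__":
    before, after, ike_kind, keepalive_kind = demo()
    print("before NAT:", before)
    print("after NAT: ", after)
    print(ike_kind, keepalive_kind)
```

The receiving gateway must remember the rewritten source port (61234 in the constructed sample) so that its replies traverse the same NAT binding, and the firewall access policy for ipsec-nat-t-udp described later in this chapter is what admits these port 4500 datagrams to the module.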
Virtual Private Networks Configure an IPsec Client-to-Site VPN Configure an IPsec Client-to-Site VPN To configure an IPsec client-to-site VPN, you must complete these tasks: 1. Create an IKE policy. See “Create an IKE Policy for a Client-to-Site VPN” on page 7-28. 2. If you are using certificates, install the correct certificates on the TMS zl Module. Do not complete this step if your IKE policy specifies preshared key authentication. See “Install Certificates for IKE” on page 7-36. 3.
This chapter also includes instructions for clients that can be used in L2TP over IPsec client-to-site VPNs. For more information about L2TP over IPsec client-to-site VPNs, see “Configure an L2TP over IPsec VPN” on page 7-144. Create an IKE Policy for a Client-to-Site VPN Follow these steps to create an IKE policy that the TMS zl Module can use to negotiate VPN connections with remote clients: 1.
5. For IKE Policy Type, select Client-to-Site (Responder). Figure 7-10. Add IKE Policy Window—Step 1 of 3 Remote endpoints will initiate the VPN connection. The TMS zl Module will respond to their IKE messages. Note Later you will configure firewall access policies to allow the IKE messages from the remote endpoints. Refer to Figure 7-11 for help configuring the next settings.
Figure 7-11. Example IPsec Client-to-Site VPN 6. For Local Gateway, specify the TMS zl Module IP address that will act as the VPN gateway (indicated by 1 in the example figure). You have two options: • Select IP Address and type an IP address in the box. The IP address must be an IP address that is already configured on the TMS zl Module and that the remote endpoints can reach.
a. For Type, select the ID type:
– IP Address
– Domain Name
– Email Address
– Distinguished Name
b. For Value, type the correct value. If you select IP Address for Type, the address that you specify in the Value box must match the IP address that you specified for the local gateway. Table 7-4 shows the format for each ID type. Table 7-4. Local ID Values Local ID Type Remote ID Value Examples IP Address A.B.C.D 172.16.40.
Note When you are using wildcards to allow multiple clients to connect using this IKE policy, you must configure a unique ID on each client to allow clients to log in simultaneously. Both clients cannot have the same ID because if one client is logged in and a second client attempts to log in with the same ID, the first client is logged out. Each client’s unique ID must match the wildcard in the module’s remote ID.
b. For Authentication Method, select one of the following:
– Preshared Key
– DSA Signature
– RSA Signature
If you want to use SCEP to install certificates, select RSA Signature rather than DSA Signature. If you select DSA Signature or RSA Signature, you can go directly to step 11. (After you finish the IKEv1 policy, you must install certificates as described in “Install Certificates for IKE” on page 7-36.) c.
d. For SA Lifetime in Seconds, type the number of seconds that the IKE SA is kept open. Valid values are between 300 seconds and 86400 seconds (1 day). Remember that this setting applies to the IKE SA, which is a temporary tunnel used only to establish the IPsec SA. 12. Click Next. 13. If you want, configure XAUTH, which is an optional additional layer of security. Otherwise, leave Disable XAUTH selected and move to step 14.
i. If you have not already done so, configure a group or groups for the remote users. Configure the user group in the Network > Authentication > Firewall/XAUTH Users window. ii. Configure usernames and passwords for the remote users in one of these locations: – An external RADIUS server—Remember to add the RADIUS server in the Network > Authentication > RADIUS window.
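The ID rules from steps 8 and 9 above (the four ID types in Table 7-4, exact match in type and value, and the note that a second login with an ID already in use logs out the first client) can be modelled as follows. This is an added example written for this guide, not code from the TMS zl Module; the format checks for Domain Name, Email Address and Distinguished Name, the use of `*` as the wildcard character, and case-insensitive comparison of textual IDs are this example's assumptions, since the guide shows only the A.B.C.D format for IP addresses. Function and class names are the author's own.

```python
import fnmatch
import ipaddress
import re

ID_TYPES = ("IP Address", "Domain Name", "Email Address", "Distinguished Name")

# Format assumptions for the textual ID types (the guide does not spell these out).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"
_EMAIL = rf"[A-Za-z0-9._%+-]+@{_DOMAIN}"


def validate_id(id_type, value):
    """Return True when value is well-formed for the given ID type."""
    if id_type not in ID_TYPES:
        return False
    if id_type == "IP Address":
        try:
            ipaddress.IPv4Address(value)          # A.B.C.D, as in Table 7-4
            return True
        except ValueError:
            return False
    if id_type == "Domain Name":
        return re.fullmatch(_DOMAIN, value) is not None
    if id_type == "Email Address":
        return re.fullmatch(_EMAIL, value) is not None
    # Distinguished Name in the /CN=... form the certificate request produces.
    parts = [p for p in value[1:].split("/") if p]
    return value.startswith("/") and bool(parts) and all("=" in p for p in parts)


def ids_match(expected_type, expected_value, presented_type, presented_value):
    """Type must match exactly; value matches with '*' wildcards (assumed syntax)."""
    if expected_type != presented_type:
        return False
    if expected_type == "IP Address":
        try:
            return ipaddress.IPv4Address(expected_value) == ipaddress.IPv4Address(presented_value)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(presented_value.lower(), expected_value.lower())


class ClientSessions:
    """Models the guide's rule that an ID may be logged in only once: a second
    login with the same ID replaces (logs out) the first session."""

    def __init__(self, remote_id_type, remote_id_value):
        self.remote_id_type = remote_id_type
        self.remote_id_value = remote_id_value
        self.active = {}    # normalised client ID -> client public address

    def login(self, id_type, id_value, client_addr):
        if not validate_id(id_type, id_value):
            return "rejected: malformed ID"
        if not ids_match(self.remote_id_type, self.remote_id_value, id_type, id_value):
            return "rejected: ID does not match policy remote ID"
        key = id_value.lower()
        displaced = self.active.get(key)
        self.active[key] = client_addr
        return "accepted; previous session with this ID logged out" if displaced else "accepted"


def demo():
    """Constructed scenario: policy remote ID is the wildcard e-mail *@company.com."""
    sessions = ClientSessions("Email Address", "*@company.com")
    return [
        sessions.login("Email Address", "alice@company.com", "203.0.113.10"),
        sessions.login("Email Address", "bob@company.com", "203.0.113.11"),
        sessions.login("Email Address", "Alice@company.com", "198.51.100.7"),
        sessions.login("Domain Name", "alice.company.com", "198.51.100.8"),
        sessions.login("Email Address", "mallory@other.example", "198.51.100.9"),
        sessions.login("Email Address", "not-an-email", "198.51.100.9"),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third login in the constructed scenario is the case the note warns about: the same ID from a second address is accepted, but the first client is displaced, which is why each client needs its own ID under a wildcard remote ID.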
Install Certificates for IKE If you selected DSA or RSA signatures for the authentication method in the IKEv1 policy, you must install certificates on the TMS zl Module.
3. Add a private key. You have two options:
• Generate the private key on the TMS zl Module. See step 4.
• Import a private key generated elsewhere. See step 5.
4. Generate the private key on the TMS zl Module: a. In the Private Keys section, click Generate Private Key. Figure 7-16. Generate Private Key Window b. For Private Key Identifier, type a descriptive string between 1 and 31 alphanumeric characters.
Figure 7-17. VPN > Certificates > IPsec Certificates Window (Private Key Added) f. Go to step 6.
5. Import a private key that was generated elsewhere: a. Transfer the private key to your management workstation. Make sure that all copies of the private key are stored in secure locations. Otherwise, the certificate could be compromised. b. Click Import Private Key. Figure 7-18. Import Private Key Window c.
d. For Select Private Key, type the path and filename for the private key. Alternatively, click Browse and navigate to the private key file. e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window. f. Delete the private key from your management workstation.
6. Next, create a certificate request. In the VPN > Certificates > IPsec Certificates window, click Generate Certificate Request.
9. For Private Key Identifier, select the private key that you added in step 3 on page 7-37. 10. For Subject Name, type the FQDN of the TMS zl Module. Use the format of a fully qualified domain name. For example, type TMS.company.com. The certificate request will store this name as a distinguished name, automatically adding /CN= to the name that you type. 11.
Figure 7-20. VPN > Certificates > IPsec Certificates Window (Certificate Request Added) 13. Click the Edit icon in the Tools column for the certificate request. Figure 7-21.
14. Copy the data (for example, by pressing [Ctrl] + [c]) and paste it in a document created in a text editor. Save the file (if necessary, using the file extension required by your CA). Click OK in the Certificate Request Data window to close the window. 15. Submit the certificate request file to your CA. Request that certificate files be returned to you in PEM or DER format. 16.
21. Click Apply. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. Figure 7-24. VPN > Certificates > Certificate Authorities Window Note If you receive an error message, the TMS zl Module cannot validate the CA certificate. A common problem is that the module has the incorrect time. The module takes its clock from the host switch. Verify that this switch has the correct time. 22.
Figure 7-26. Import IPsec Certificate Window 24. Under Select IPsec certificate, type the path and filename for the TMS zl Module’s certificate. Alternatively, click Browse and navigate to the certificate file. 25. Click Apply. The module’s certificate is displayed under Certificates in the VPN > IPsec > IPsec Certificates window. Figure 7-27. VPN > Certificates > IPsec Certificates (Certificate Installed) 26.
Figure 7-28. VPN > Certificates > CRL Window 27. Click Import CRL. Figure 7-29. Import CRL Window 28. For Select CRL, type the path and filename for the CRL. Alternatively, click Browse and navigate to the CRL file. 29. Click OK. The CRL is displayed in the VPN > Certificates > CRL window. Figure 7-30. VPN > Certificates > CRL Window (CRL Added) 30. Click Save. Move to the next task: “Create an IPsec Proposal” on page 7-52.
Install Certificates Using SCEP Before you begin to configure the settings for using SCEP to install certificates, make sure the time and the time zone on the TMS zl Module match those set on the SCEP server. If the module does not have the same time and time zone as the SCEP server, the SCEP process may fail. The TMS zl Module takes its time from the host switch, so if you need to adjust the time, you will need to configure the switch.
7. Click Apply My Changes. 8. Click Save. 9. Next, you must import the CA certificate. Click the Certificate Authorities tab. Figure 7-32. VPN > Certificates > Certificate Authorities Window 10. Click Retrieve certificate through SCEP. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. (If the certificate is not imported, check the IP address or FQDN that you set in step 3.) 11.
Figure 7-34. VPN > Certificates > CRL Window 13. Click Retrieve CRL through SCEP. Figure 7-35. Retrieve CRL through SCEP Window 14. For Trusted Certificate, select the CA certificate that you imported with SCEP. 15. Click Apply. The CRL is displayed in the VPN > Certificates > CRL window. Figure 7-36. VPN > Certificates > CRL Window (CRL Added) 16. Next, you must import the TMS zl Module’s certificate.
Figure 7-37. VPN > Certificates > IPsec Certificates Window 17. Click Retrieve Certificate through SCEP under Certificates. Figure 7-38. Retrieve IPsec Certificate through SCEP Window 18. For Subject Name, typically you type the TMS zl Module’s FQDN after /CN=. The remote tunnel endpoint will use this subject name to authenticate the module. Therefore, the subject name must match a remote ID that is configured on the remote endpoint.
19. For Trusted Certificate to verify Certificate, select the CA root certificate that you installed in step 10 on page 7-100. 20. For Certificate Type, select RSA-MD5 or RSA-SHA-1. This setting determines the algorithm for the private key. You should have selected RSA Signature for Authentication Method in the IKE policy. 21. For Encryption Algorithm, select 3DES or DES. 22. For Challenge Password, type the password that your CA has given you.
Create Named Objects for the VPN (Optional) You might want to configure the named objects indicated in Table 7-6. For your reference, this table includes the location where you would specify these named objects. However, later configuration instructions will indicate when you actually need to specify each object. The table also includes a reference to numbers in Figure 7-40.
Figure 7-40. Example IPsec Client-to-Site VPN You can, of course, configure other objects that are appropriate for your environment. And you might choose not to configure some of the objects. For example, you might not know the actual IP address of every remote VPN client, particularly when remote users connect through the Internet.
You can configure multiple IPsec proposals. In a later task, you will specify a proposal in an IPsec policy. The algorithm or algorithms in that proposal will secure traffic that is part of IPsec tunnels (VPN connections) that are established with that policy. Follow these steps to configure an IPsec proposal: 1. In the left navigation bar of the Web browser interface, click VPN > IPsec. 2. Click the IPsec Proposals tab. Figure 7-41.
5. For Encapsulation Mode, typically select Tunnel Mode. Tunnel mode allows remote endpoints to reach services behind the TMS zl Module. In transport mode, the VPN only supports traffic originated by the remote endpoint or by the TMS zl Module itself. Therefore, this mode is typically used when you are creating a proposal for GRE over IPsec site-to-site VPNs or L2TP over IPsec client-to-site VPNs. 6. For Security Protocol, select AH or ESP.
10. Click Save. Create an IPsec Policy for a Client-to-Site VPN This section explains how to configure an IPsec policy for a basic client-to-site IPsec VPN. The IPsec policy selects traffic between local IP addresses that are accessible to the remote users and the remote users. It includes settings that will be negotiated during IKE phase 2. For client-to-site IPsec VPNs, it is generally recommended that you use IKE mode config.
Figure 7-45. Add IPsec Policy Window—Step 1 of 4 4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy. 5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later. 6.
• Deny—Traffic is discarded. For information on configuring Bypass and Deny policies, see “Configure Bypass and Deny IPsec Policies” on page 7-354. 7. For Position, type a number. The position determines the order in which the TMS zl Module processes IPsec policies. The module processes the policy with the lowest value first (for example, position 1 before position 2).
Caution If your traffic selector will include management traffic, you must configure a Bypass policy with top priority that selects the management traffic, or you will be locked out of the Web browser interface. See “Configure Bypass and Deny IPsec Policies” on page 7-354.
Figure 7-46. Example IPsec Client-to-Site VPN 8. For Traffic Selector, configure these settings: a. For Protocol, specify the protocol for traffic allowed over the VPN:
– Any—Any IP protocol. Select this option when you want to select all traffic between local and remote endpoints.
– TCP or UDP—Select this option in conjunction with a local port to allow remote clients to access only specific services in the local network.
– Select the single-entry IP, range, or network address object that you created earlier for local endpoints. An address object is not valid if you plan to configure IKE mode config. It is also invalid for a transport-mode VPN (but you should be using tunnel mode).
– Select Any to permit any IP address. Any is not valid if you plan to configure IKE mode config.
Note The local addresses should be internal addresses on your private network.
Caution Take great care when specifying Any. You might inadvertently block necessary traffic. For example, if you select a local subnet for the local addresses, Any for the protocol, and Any for the remote addresses, the TMS zl Module will no longer allow endpoints on the local subnet to send any traffic except to remote VPN clients. You might need to create Bypass policies. See “Configure Bypass and Deny IPsec Policies” on page 7-354. e.
Figure 7-47. Add IPsec Policy Window—Step 2 of 4 11. For Key Exchange Method, keep the default, Auto (with IKEv1). 12. For IKEv1 Policy, select a previously configured IKEv1 policy. You must select a policy of the client-to-site type. 13. Optionally, select the Enable PFS (Perfect Forward Secrecy) for keys check box, which forces the tunnel endpoints to generate new keys for the IPsec SA.
14. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes). This setting determines how long the IPsec SA remains open. When the lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl Module checks whether the SA has experienced any activity.
Figure 7-48. Add IPsec Policy Window—Step 3 of 4 17. Configure the IP addresses and other settings assigned to remote endpoints through IKE mode config. Note It is generally recommended that you use IKE mode config. However, if your clients do not support this feature, clear the Enable IP Address Pool for IRAS (Mode Config) check box and move to step 18. a. The Enable IP Address Pool for IRAS (Mode Config) check box should be selected. b.
c. For Firewall Zone, select the zone for remote clients after they establish the VPN connection. When you configure firewall access policies for the IKE mode config addresses, use this zone. d. For IP Address Ranges, type one or more ranges of IP addresses in the same subnet as the IRAS. Type each range on its own line as a start address and an end address separated by a hyphen. For example, type 172.16.100.50-172.16.100.74.
Figure 7-49. Add IPsec Policy Window—Step 4 of 4 19. If desired, configure settings in the Advanced Settings (Optional) section. a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable extended sequence number
– Enable re-key on sequence number overflow. This setting is enabled by default.
– Enable persistent tunnel
– Enable fragment before IPsec. This setting is enabled by default.
b. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Anti-Replay Window” on page 7-21 for more information. c. For DF Bit Handling, select one of these options:
– Copy DF bit from clear packet—The TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
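Step 17 above describes the IRAS address pool: one start-end range per line, every range inside the IRAS subnet, and addresses handed to clients from that pool together with a default gateway and optional DNS and WINS servers (see “IKE mode config” earlier in this chapter). The following is an added example that parses and validates such a field and hands out leases; it is written for this guide and is not code from the TMS zl Module. The IRAS address and prefix length, the gateway and DNS values, and the second range are constructed; the rule that a range may not contain the IRAS address itself is the author's added sanity check, not a rule the guide states.

```python
import ipaddress


def parse_pool_ranges(field_text, iras_address, prefix_len):
    """Parse the IP Address Ranges field (one 'start-end' range per line).

    Every address must lie in the IRAS subnet, as the guide requires. The check
    that a range does not swallow the IRAS address is this example's addition.
    """
    network = ipaddress.ip_network(f"{iras_address}/{prefix_len}", strict=False)
    iras = ipaddress.IPv4Address(iras_address)
    ranges = []
    for lineno, raw in enumerate(field_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            start_text, end_text = line.split("-")
            start = ipaddress.IPv4Address(start_text.strip())
            end = ipaddress.IPv4Address(end_text.strip())
        except ValueError as exc:
            raise ValueError(f"line {lineno}: expected start-end, got {line!r}") from exc
        if start > end:
            raise ValueError(f"line {lineno}: start {start} is after end {end}")
        if start not in network or end not in network:
            raise ValueError(f"line {lineno}: {line} is outside the IRAS subnet {network}")
        if start <= iras <= end:
            raise ValueError(f"line {lineno}: {line} includes the IRAS address {iras}")
        ranges.append((start, end))
    return ranges


class ModeConfigPool:
    """Hands out IKE mode config parameters from the validated ranges."""

    def __init__(self, ranges, gateway, dns_servers=(), wins_servers=()):
        self.free = [ipaddress.IPv4Address(n)
                     for start, end in ranges
                     for n in range(int(start), int(end) + 1)]
        self.gateway = gateway
        self.dns_servers = tuple(dns_servers)
        self.wins_servers = tuple(wins_servers)
        self.leases = {}    # client ID -> assigned address

    def assign(self, client_id):
        """Return the mode config parameters for a client, or None if the pool is empty."""
        if client_id not in self.leases:
            if not self.free:
                return None
            self.leases[client_id] = self.free.pop(0)
        return {"address": str(self.leases[client_id]), "gateway": self.gateway,
                "dns": self.dns_servers, "wins": self.wins_servers}

    def release(self, client_id):
        """Return a client's address to the pool when its tunnel closes."""
        addr = self.leases.pop(client_id, None)
        if addr is not None:
            self.free.append(addr)
        return addr


def demo():
    # The guide's example range plus a constructed second line (with spaces around the hyphen).
    field = "172.16.100.50-172.16.100.74\n172.16.100.90 - 172.16.100.91\n"
    ranges = parse_pool_ranges(field, iras_address="172.16.100.1", prefix_len=24)
    pool = ModeConfigPool(ranges, gateway="172.16.100.1", dns_servers=("172.16.1.10",))
    first = pool.assign("alice@company.com")
    second = pool.assign("bob@company.com")
    repeat = pool.assign("alice@company.com")      # same client keeps its lease
    return (len(pool.free) + len(pool.leases), first["address"],
            second["address"], repeat["address"])


if __name__ == "__main__":
    print(demo())
```

The firewall access policies for the tunnel traffic (later in this chapter) are written against these pool addresses, so keeping the pool inside the IRAS subnet and free of overlaps with real hosts is what keeps those policies meaningful.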
Create Access Policies for an IPsec Client-to-Site VPN Before you begin configuring firewall access policies, determine the zone on which traffic from the remote endpoints arrives. This is the zone associated with the TMS VLAN on which the local VPN gateway address is configured. Often, this is the External zone, but it could be another zone. The instructions below will refer to this zone as the “remote zone.
Table 7-7 lists the necessary access policies; the numbers in the Source and Destination columns refer to the example figure above. For access policies that permit the traffic sent over the tunnel, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system. (The remote client will set the MSS correctly on its own; however, your local devices, which are unaware of the VPN, might not.
When Required User Group No IKE mode config • No IKE mode config • Local endpoints initiate sessions with remote From Zone To Zone Service Source Destination TCP MSS Number of policies XAUTH Remote user groups or None SELF Any you choose 3 2 1356 As many as you choose None (or Local local user groups) Remote Any you choose 2 3 1356 As many as you choose When NAT-T is None used Remote SELF NAT-T (ipsec- 3 or Any nat-t-
You can use a previously configured address object or specify the address manually. Alternatively, leave Any Address. Figure 7-52. Add Policy Window g. Optionally, select the Enable logging on this Policy check box if you want to view log messages for this policy. Note It is not recommended that you enable logging permanently, because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only. h. 4.
f. For Destination, accept the default, Any Address. If you know the public addresses of all of your remote endpoints and have created a named object with those addresses, you can specify that object here. However, allowing any IP address is the easiest way to set up the VPN. g. Optionally, select the Enable logging on this Policy check box if you want to view log messages for this policy.
d. For Service, leave Any Service. This is the most basic configuration. You could create access policies that permit only certain types of traffic. e. For Source, specify the IKE mode config addresses (either manually or with a previously configured named object). In the example figure, these addresses are indicated with the number 4. Note If you did not configure IKE mode config, specify the remote endpoints’ actual IP addresses.
9. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between the remote endpoints and the module), you must create two access policies to allow the NAT-T traffic: a. For Action, accept the default: Permit Traffic. b. For From, select the remote zone. c. For To, select Self. d. For Service, select ipsec-nat-t-udp. e. For Source, specify Any Address.
Verify Routes for the IPsec Client-to-Site VPN In the Network > Routing > View Routes window, verify that your TMS zl Module knows a route or routes to the remote endpoints. These routes can be a default route, static routes, or routes discovered through a dynamic routing protocol. The routes’ forwarding interface must be the interface with the IP address that you specified as the local gateway address in the IKE policy.
Figure 7-54.
Virtual Private Networks Configure an IPsec Site-to-Site VPN with IKE Configure an IPsec Site-to-Site VPN with IKE To configure an IPsec site-to-site VPN that uses IKE, you must complete these tasks: 1. Optionally, create named objects, which you can use in IPsec policies as well as corresponding firewall access policies. Using named objects is best practice; however, you can specify IP addresses manually. See “Create Named Objects for the VPN (Optional)” on page 7-78. 2. Create an IKE policy.
Create Named Objects for the VPN (Optional) You might want to configure the named objects indicated in Table 7-8. (You can, of course, configure other objects that are appropriate for your environment.) For your reference, this table includes the location where you would specify these named objects. However, the configuration instructions will indicate when you actually need to specify each object.
Figure 7-55. Example IPsec Site-to-Site VPN Create an IKE Policy for a Site-to-Site IPsec VPN Follow these steps to create an IKE policy that the TMS zl Module can use to negotiate a site-to-site VPN: 1. In the left navigation bar of the Web browser interface, click VPN > IPsec. 2. Click the IKEv1 Policies tab. Figure 7-56. VPN > IPsec > IKEv1 Policies Window 3. Click Add IKE Policy. The Add IKE Policy window is displayed.
Figure 7-57. Add IKE Policy Window—Step 1 of 3 4. For IKE Policy Name, type a string that is unique to this policy. The string can include 1 to 32 alphanumeric characters. 5. For IKE Policy Type, select Site-to-Site (Initiator & Responder). The TMS zl Module will respond to IKE messages from the gateway at the remote site.
Figure 7-58. Example IPsec Site-to-Site VPN 6. For Local Gateway, specify an IP address on this module. You have two options:
• Select IP Address and type the IP address in the box. The IP address must be an IP address configured on the TMS zl Module. Type an address that the remote gateway can reach (indicated by 1 in the example figure).
• Select Use VLAN IP Address and select a VLAN from the list.
Note Later you will configure firewall access policies to allow the IKE messages from the remote gateway. 8. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself. This ID must match exactly, in both type and value, the remote ID specified on the remote endpoint. For more information about ID types, see “IKE Phase 1” on page 7-13. a.
Figure 7-59. Add IKE Policy Window—Step 2 of 3 11. Under IKE Authentication, configure these settings: a. For Key Exchange Mode, select Main Mode or Aggressive Mode. The mode must match that configured on the remote endpoint. See “IKE modes” on page 7-17 for guidelines. b.
12. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA: a. For Diffie-Hellman (DH) Group, select the group for the Diffie-Hellman exchange:
– Group 1 (768)
– Group 2 (1024)
– Group 5 (1536)
The group determines the length of the prime number used during the exchange. The larger the number, the more secure the key generated by the exchange. b.
Figure 7-60. Add IKE Policy Window—Step 3 of 3 14. If you want, configure XAUTH, which is an optional additional layer of security. Otherwise, leave Disable XAUTH selected and move to step 15. You can configure the TMS zl Module to act either as a client (authenticate itself) or as a server (authenticate the remote gateway): • Select TMS acts as XAUTH Server.
Figure 7-61. Add IKE Policy Window—Step 3 of 3 (XAUTH Server Enabled) • For Authentication Type, select Generic or CHAP. Select Generic unless the client is configured to use CHAP. At some point, you must configure the username and password for the remote gateway in one of these locations: – An external RADIUS server—Remember to add the RADIUS server in the Network > Authentication > RADIUS window.
Figure 7-62. Add IKE Policy Window—Step 3 of 3 (XAUTH Client Enabled) i. For Authentication Type, select Generic or CHAP. Select Generic unless the server is configured to use CHAP. ii. For Username, type a username accepted by the remote gateway’s authentication server. iii. For Password, type the password associated with that username. 15. Click Finish. The IKE policy is displayed in the VPN > IPsec > IKEv1 Policies window.
Virtual Private Networks Configure an IPsec Site-to-Site VPN with IKE Move to the next task: ■ If you selected DSA or RSA signatures for the authentication method, “Install Certificates for IKE” on page 7-88. ■ If you selected pre-shared key for the authentication method, “Create an IPsec Proposal” on page 7-104. Install Certificates for IKE If you selected DSA or RSA signatures for the authentication method in the IKEv1 policy, you must install certificates on the TMS zl Module.
Figure 7-64. VPN > Certificates > IPsec Certificates Window
3. Add a private key. You have two options:
• Generate the private key on the TMS zl Module. See step 4.
• Import a private key generated elsewhere. See step 5.
4. Generate the private key on the TMS zl Module:
a. In the Private Keys section, click Generate Private Key.
Figure 7-65. Generate Private Key Window
b.

c. For Key Algorithm, select RSA or DSA. When you configured the IKEv1 policy, you selected DSA Signature or RSA Signature for Authentication Method (see step 11b on page 7-83). Match this setting.
d. For Key Size, select 512, 1024, or 2048, which determines the length of the key in bits. Select 2048: a 512-bit RSA or DSA key can be broken with modest computing resources and must not protect a VPN gateway, and 1024 bits is below current minimum recommendations.
e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window.
Figure 7-66.

Figure 7-67. Import Private Key Window
c. For Private Key Identifier, type a descriptive string of 1 to 31 alphanumeric characters. The string must be unique to this key.
d. For Select Private Key, type the path and filename for the private key. Alternatively, click Browse and navigate to the private key file. Because this key authenticates the gateway, transfer it only over a protected channel and remove the copy from the workstation once the import succeeds.
e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window.
f.
6.
7. For Certificate Name, type a descriptive alphanumeric string. The name must be unique for this request.
8. For Signature Algorithm, select the algorithm used to sign the certificate request:
• MD5 with RSA
• SHA-1 with RSA
• SHA-1 with DSA
The algorithm must match the type of the private key: MD5 with RSA or SHA-1 with RSA for an RSA key; SHA-1 with DSA for a DSA key. Do not choose MD5 with RSA: MD5 collisions are practical and most CAs reject MD5-signed requests. Of the options offered here, use SHA-1 with RSA for an RSA key.
9.

Note: The subject name or one of the subject alternate names must match these settings:
• The local ID in your IKE policies that use this certificate
• The remote ID in IKE policies on remote tunnel endpoints that verify this certificate
The name must match in both type and value. For example, if you have typed TMS.company.

Figure 7-70. Certificate Request Data Window
14. Copy the data (for example, by pressing [Ctrl] + [c]) and paste it into a document created in a text editor. Save the file (if necessary, using the file extension required by your CA). Click OK in the Certificate Request Data window to close it.
15. Submit the certificate request file to your CA.
Figure 7-71. VPN > Certificates > Certificate Authorities Window
19. Click Import Certificate.
Figure 7-72. Import Certificate Window
20. Under Select global trusted certificate, type the path and filename for the CA root certificate. Alternatively, click Browse and navigate to the CA root certificate file.
21. Click Apply. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window.
Figure 7-73.

Note: If you receive an error message, the TMS zl Module cannot validate the CA certificate. A common cause is an incorrect clock on the module, which then treats the certificate as not yet valid or already expired. The module takes its clock from the host switch; verify that the switch has the correct time (for example, by synchronizing it with a time server).
22. Next, you must import the module's certificate. Click the IPsec Certificates tab.
Figure 7-74. VPN > Certificates > IPsec Certificates Window
23.

25. Click Apply. The module's certificate is displayed under Certificates in the VPN > Certificates > IPsec Certificates window.
Figure 7-76. VPN > Certificates > IPsec Certificates (Certificate Installed)
26. Finally, you must install the CRL. Click the CRL tab.
Figure 7-77. VPN > Certificates > CRL Window
27. Click Import CRL.

Figure 7-78. Import CRL Window
28. For Select CRL, type the path and filename for the CRL. Alternatively, click Browse and navigate to the CRL file.
29. Click OK. The CRL is displayed in the VPN > Certificates > CRL window.
Figure 7-79. VPN > Certificates > CRL Window (CRL Added)
30. Click Save.
A CRL carries a next-update date. Import a current CRL before that date passes; until you do, the module checks against a stale list and a peer certificate revoked after this import is still accepted.
Move to the next task: "Create an IPsec Proposal" on page 7-104.
Figure 7-80. VPN > Certificates > SCEP Window
3. For SCEP Server IP Address/Domain Name, type either the IP address or FQDN of your CA server. The CA must, of course, support SCEP.
4. For SCEP Server Port, type the port number on which your CA server listens for SCEP messages. The default port is 80.
5. For CGI-Path, type the correct path to the program on the CA server that executes SCEP functions.
Because SCEP normally runs over plain HTTP, the CA certificate retrieved this way is not protected in transit. Confirm its fingerprint with the CA administrator out of band before you rely on it.

10. Click Retrieve certificate through SCEP. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. (If the certificate is not imported, check the IP address or FQDN that you set in step 3 on page 7-99.)
Figure 7-82. VPN > Certificates > Certificate Authorities Window
11. You must install the CRL before you install the TMS zl Module's IPsec certificate.

Figure 7-84. Retrieve CRL through SCEP Window
14. For Trusted Certificate, select the CA certificate that you imported with SCEP.
15. Click Apply. The CRL is displayed in the VPN > Certificates > CRL window.
Figure 7-85. VPN > Certificates > CRL Window (CRL Added)
16. Next, you must import the TMS zl Module's certificate. Contact your CA's representatives and make sure that the CA is ready to issue the module a certificate.

Figure 7-86. VPN > Certificates > IPsec Certificates Window
17. Click Retrieve Certificate through SCEP under Certificates.
Figure 7-87. Retrieve IPsec Certificate through SCEP Window
18. For Subject Name, you typically type the TMS zl Module's FQDN after /CN=. The remote tunnel endpoint uses this subject name to authenticate the module, so the subject name must match a remote ID configured on the remote endpoint.

19. For Trusted Certificate to verify Certificate, select the CA root certificate that you installed in step 10 on page 7-100.
20. For Certificate Type, select RSA-MD5 or RSA-SHA-1. This setting determines the key algorithm (RSA) and the hash used for the request signature. You should have selected RSA Signature for Authentication Method in the IKE policy. Prefer RSA-SHA-1; MD5 is no longer acceptable for signatures.
21. For Encryption Algorithm, select 3DES or DES. This algorithm protects the SCEP message envelope; choose 3DES, because single DES provides only 56 bits of key strength.
22.
Create an IPsec Proposal
Each IPsec proposal specifies the following:
■ IPsec mode (tunnel or transport)
■ IPsec security protocol:
• AH and a single authentication algorithm
• ESP, a single authentication algorithm, and a single encryption algorithm
You can configure multiple IPsec proposals. In a later task, you will specify a proposal in an IPsec policy.

Figure 7-90. Add IPsec Proposal Window
4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters. The string must be unique to this proposal. It is often a good idea to indicate the algorithms that you will select in the name, for example ESP3desMD5.
5. For Encapsulation Mode, select one of the following:
• Tunnel Mode—Select this mode for a site-to-site IPsec VPN.

• DES
• 3DES
• AES-128 (16)
• AES-192 (24)
• AES-256 (32)
The number in parentheses after the AES options is the key length in bytes. Prefer AES: DES can be brute-forced, and 3DES is slow and limited by its 64-bit block size.
8. If you selected either ESP or AH, for Authentication Algorithm, select one of the following:
• None
You must not select None if you selected AH for the Security Protocol or if you selected NULL for the ESP Encryption Algorithm. ESP without an authentication algorithm is also unsafe with a CBC cipher, because ciphertext can be altered without detection, so select an authentication algorithm for any proposal that carries production traffic.
9.
Follow these steps to create the IPsec policy:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IPsec Policies tab.
Figure 7-92. VPN > IPsec > IPsec Policies Window
3. Click Add IPsec Policy. The Add IPsec Policy window is displayed.
Figure 7-93.

4. For Policy Name, type an alphanumeric string of 1 to 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy takes effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6.

Caution: If your traffic selector will include management traffic, you must configure a Bypass policy with top priority that selects the management traffic, or you will be locked out of the Web browser interface. See "Configure Bypass and Deny IPsec Policies" on page 7-354.

Figure 7-94. Example IPsec Site-to-Site VPN
8. For Traffic Selector, configure these settings:
a. For Protocol, specify the protocol for traffic allowed on the VPN:
– Any—Any IP protocol. Select this option when you want to allow all traffic between local and remote endpoints.
– TCP or UDP—Select this option in conjunction with a remote port to allow local traffic destined for specific services in the remote network.

Caution: Take great care when specifying Any. You might inadvertently block necessary traffic. For example, if you select a local subnet for the local addresses, Any for the protocol, and Any for the remote addresses, every packet sent by the local subnet is selected for the tunnel, so the TMS zl Module no longer allows endpoints on that subnet to send any traffic except to remote VPN clients. You might need to create Bypass policies. See "Configure Bypass and Deny IPsec Policies" on page 7-354.
Figure 7-95. Add IPsec Policy Window—Step 2 of 4
11. For Key Exchange Method, keep the default, Auto (with IKEv1).
12. For IKEv1 Policy, select a previously configured IKEv1 policy. Select the IKEv1 policy that specifies the remote gateway for the remote addresses configured in this policy's traffic selector.
13.

14. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes). This setting determines how long the IPsec SA remains open. When the SA reaches 80 percent of its lifetime, the TMS zl Module checks whether the SA has experienced any activity.

Figure 7-96. Add IPsec Policy Window—Step 3 of 4
17. The Step 3 of 4 window allows you to configure settings for IKE mode config, which is not valid for a site-to-site VPN. Click Next.

Figure 7-97. Add IPsec Policy Window—Step 4 of 4
18. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable extended sequence number
– Enable re-key on sequence number overflow (enabled by default)
– Enable persistent tunnel
– Enable fragment before IPsec (enabled by default)
Leave re-key on sequence number overflow enabled: an SA whose sequence counter wraps without a rekey loses its replay protection.

b. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See "Anti-Replay Window" on page 7-21 for more information.
c. For DF Bit Handling, select one of these options:
– Copy DF bit from clear packet: The TMS zl Module copies the don't fragment (DF) bit setting for the IPsec packet from the inner IP packet.
Move to the next task: configuring firewall access policies that permit traffic associated with the VPN.

Create Access Policies for an IPsec Site-to-Site VPN that Uses IKE
Before you begin configuring firewall access policies, determine the zone on which traffic from the remote gateway arrives. Typically, this is the External zone, but it could be another zone. The instructions below refer to this zone as the "remote zone.

might make the packets too large to be transmitted. Table 7-10 suggests a conservative value for the TCP MSS when the MTU is 1500. For more information on the TCP MSS, see the introduction to "Firewall Access Policies" on page 4-22 of Chapter 4: "Firewall."
Note: The value for TCP MSS in the table is only a suggestion. Determine the best MSS for your environment.
Table 7-10.

e. For Source, specify the IP address that you configured for the remote gateway in the IKE policy. You can select a previously configured address object or type the IP address manually (click Options and select Enter custom IP, IP/mask or IP-Range).
f. For Destination, specify the IP address that you configured for the local gateway in the IKE policy.

You can specify the address manually or select a previously configured address object. Alternatively, select Any Address.
f. For Destination, specify the remote gateway IP address (either manually or by specifying a previously configured address object).
Figure 7-101. Add Policy Window
g. Click Apply.
7. Permit traffic from the local endpoints to the remote endpoints:
a. For Action, leave the default, Permit Traffic.
b.

f. For Destination, specify the remote IP addresses that the local users are allowed to access. In the most basic setup, these are the same IP addresses configured as remote addresses in the IPsec traffic selector. You can specify the IP addresses manually or by selecting a previously configured address object.
Figure 7-102. Add Policy Window
g. Click the Advanced tab.
h.
8.

e. For Source, specify the remote IP addresses allowed to send traffic on the VPN (either manually or by specifying a previously configured address object).
f. For Destination, specify the local addresses that the remote users are allowed to access (either manually or by specifying a previously configured address object).
g. Click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your system.
9.

Verify Routes for an IPsec Site-to-Site VPN
In the Network > Routing > View Routes window, verify that the following routes exist. These routes can be static routes or routes discovered through a dynamic routing protocol:
■ A route to the remote VPN gateway. The route's forwarding interface must be the interface with the IP address that you specified as the local gateway address in the IKE policy. This can be a default route.
Configure an IPsec Site-to-Site VPN with Manual Keying
To configure an IPsec VPN connection, you must complete these tasks:
1. Optionally, create named objects, which you can use in IPsec policies as well as in the corresponding firewall access policies. Using named objects is a best practice; however, you can specify IP addresses manually. See "Create Named Objects for the VPN (Optional)" on page 7-124.
2. Create an IPsec proposal.

See "Named Objects" in Chapter 4: "Firewall" for step-by-step instructions for configuring objects.
Table 7-11.

You can configure multiple IPsec proposals. In a later task, you will specify a proposal in an IPsec policy. The algorithm or algorithms in that proposal secure the traffic that is part of IPsec tunnels (VPN connections) established with that policy.
Follow these steps to configure an IPsec proposal:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IPsec Proposals tab.

5. For Encapsulation Mode, typically select Tunnel Mode. Tunnel mode allows endpoints behind the TMS zl Module and the remote gateway to forward traffic over the VPN. In transport mode, traffic must be originated by the TMS zl Module itself or by the remote gateway. Transport mode is typically used when you are creating a proposal for GRE over IPsec site-to-site VPNs or L2TP over IPsec client-to-site VPNs.
6.

10. Click Save.

Create an IPsec Policy That Uses Manual Keying
This section explains how to configure an IPsec policy for an IPsec SA that is established with manual keys. The advantages and disadvantages of using manual keying are listed below:
■ Advantages
• Manual keying does not depend on the IKE protocol, so less processing is used initially to negotiate the SA.
Keep in mind that a manually keyed SA never rekeys: the same keys protect all traffic until you change them by hand, there is no forward secrecy, and the sequence counters restart at zero after a reboot, which weakens replay protection. Use IKE unless the remote gateway cannot support it.
Figure 7-109. Add IPsec Policy Window—Step 1 of 4
4. For Policy Name, type an alphanumeric string of 1 to 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy takes effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6. For Action, keep the default, Apply.
7.

A default IPsec policy prevents all traffic from being encrypted by the VPN engine; therefore, all IPsec policies that you configure must have a higher priority than this default policy. Next, you configure the VPN traffic selector, which determines which traffic is selected by the policy. For example, the selector might specify all IP traffic between 192.168.2.0/24 (a local network) and 192.168.3.0/24 (a remote network).

Figure 7-110. Example IPsec Site-to-Site VPN
8. For Traffic Selector, configure these settings:
a. For Protocol, specify the protocol for traffic allowed over the VPN:
– Any—Any IP protocol. Select this option when you want to select all traffic between local and remote endpoints.
– TCP or UDP—Select this option in conjunction with a remote port to allow local traffic destined for specific services in the remote network.

Note: Typically, the local addresses are internal addresses on your private network, while the local gateway address (which you specify in step 12 of this procedure) is the TMS zl Module's public or external address. If, however, the set of local addresses that you specify here includes the local gateway address, you must create a Bypass policy that excludes the module's own traffic (for example, management and IKE traffic) from the VPN.
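The two cautions in the IKE procedure (management traffic locked out of the Web interface; an Any remote address capturing all local traffic) and the note above describe a single mechanism: IPsec policies are tried in Position order, and the first traffic selector that matches decides Apply, Bypass or Deny. The following Python model is an added example, not the module's own code. It assumes that a lower Position number is processed first, that the built-in default policy is a Bypass, and that the addresses 192.168.2.1 (module management address), 203.0.113.1 (local gateway) and 198.51.100.1 (remote gateway) are invented for the illustration. It evaluates constructed packets against policy sets with and without the top-priority Bypass policy the guide calls for.

```python
import ipaddress
from dataclasses import dataclass

# Assumed model of the module's IPsec policy table (not the module's own code):
# policies are tried in ascending Position order, the first matching traffic
# selector decides the action, and the built-in default policy is Bypass.


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp", ...
    src: str          # source IP address (local side for outbound traffic)
    dst: str          # destination IP address
    dport: int = 0    # destination port, 0 when not applicable


@dataclass(frozen=True)
class IPsecPolicy:
    name: str
    position: int     # lower number = processed first (assumption)
    action: str       # "apply", "bypass" or "deny"
    proto: str        # "any", "tcp", "udp", ...
    local: str        # local addresses of the traffic selector (CIDR)
    remote: str       # remote addresses of the selector (CIDR; 0.0.0.0/0 = Any)
    remote_port: int = 0   # 0 = any port

    def selects(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.local):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.remote):
            return False
        return self.remote_port == 0 or self.remote_port == pkt.dport


DEFAULT = ("default", "bypass")   # built-in policy: traffic leaves unencrypted


def evaluate(policies, pkt):
    """Return (policy name, action) of the first policy whose selector matches."""
    for pol in sorted(policies, key=lambda p: p.position):
        if pol.selects(pkt):
            return pol.name, pol.action
    return DEFAULT


# Constructed addresses for the illustration.
MGMT_ADDR = "192.168.2.1"        # module's management address on the local VLAN
LOCAL_GW = "203.0.113.1"         # local gateway address
REMOTE_GW = "198.51.100.1"       # remote gateway address


def site_policies(bypass_mgmt: bool):
    """Site-to-site policy set that uses the over-broad 'Any' remote address."""
    pols = [IPsecPolicy("SiteToSite", 10, "apply", "any", "192.168.2.0/24", "0.0.0.0/0")]
    if bypass_mgmt:
        pols.append(IPsecPolicy("MgmtBypass", 1, "bypass", "any",
                                "192.168.2.0/24", MGMT_ADDR + "/32"))
    return pols


def gateway_policies(bypass_ike: bool):
    """Local addresses that (wrongly) include the local gateway address itself."""
    pols = [IPsecPolicy("GatewayNets", 10, "apply", "any",
                        "203.0.113.0/24", "198.51.100.0/24")]
    if bypass_ike:
        pols.append(IPsecPolicy("IkeBypass", 1, "bypass", "udp",
                                LOCAL_GW + "/32", REMOTE_GW + "/32", remote_port=500))
    return pols


def lockout_report():
    """Decisions for the packets the cautions describe, with and without Bypass policies."""
    mgmt = Packet("tcp", "192.168.2.50", MGMT_ADDR, 443)          # admin to Web interface
    internet = Packet("tcp", "192.168.2.50", "192.0.2.80", 443)   # ordinary Internet traffic
    ike = Packet("udp", LOCAL_GW, REMOTE_GW, 500)                 # module's own IKE traffic
    return {
        "mgmt_without_bypass": evaluate(site_policies(False), mgmt),
        "mgmt_with_bypass": evaluate(site_policies(True), mgmt),
        "internet_any_remote": evaluate(site_policies(False), internet),
        "ike_without_bypass": evaluate(gateway_policies(False), ike),
        "ike_with_bypass": evaluate(gateway_policies(True), ike),
    }


if __name__ == "__main__":
    for case, (name, action) in lockout_report().items():
        print(f"{case:22} -> {action:6} ({name})")
```

Without the Bypass entries, the administrator's HTTPS session to the module and the module's own IKE packets are both selected for the tunnel, which is exactly the lockout and the IKE deadlock the cautions warn about; the Internet-bound packet is also pulled into the VPN because the remote address is Any. Adding a Position 1 Bypass for the management address, or for UDP 500 between the gateways, restores the expected decisions without touching the site-to-site policy itself.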
Figure 7-111. Add IPsec Policy Window—Step 2 of 4 (Top Section)
Refer to Figure 7-112 for help in configuring the next settings.
Figure 7-112. Example IPsec Site-to-Site VPN
12. For Local Gateway, specify an IP address on the TMS zl Module that will act as the local VPN gateway (indicated by 1 in the figure). You have two options:
• Select IP Address and type an IP address on the module in the box.

• Select Use VLAN IP Address and select a VLAN from the list. Select the VLAN on which the remote gateway reaches the TMS zl Module. For example, if the remote gateway connects to the module through the Internet, select the VLAN on which the module has its connection to the Internet.
13. For Remote Gateway IP Address under Peer ID, specify the IP address of the remote gateway (indicated by 3 in the figure).

c. For Outbound Encryption Key (ESP only), type a character string of the specified length. The string must match the inbound encryption key on the remote gateway.
d. For Inbound Authentication Key, type a character string of the specified length. The string must match the outbound authentication key on the remote gateway.
e. For Outbound Authentication Key, type a character string of the specified length.
Generate each key from a cryptographically secure random source, use a different key for each direction and for encryption versus authentication, never reuse a key in another policy, and protect the keys as you would any other secret: they are the entire security of the SA.

Figure 7-115. Add IPsec Policy Window—Step 4 of 4
17. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable fragment before IPsec (enabled by default)
For information and guidelines on these settings, see "Advanced IPsec Features" on page 7-21.
b.

c. For DF Bit Handling, select one of these options:
– Copy DF bit from clear packet: The TMS zl Module copies the DF bit setting for the IPsec packet from the inner IP packet.
– Set DF bit: The module sets the DF bit for all IPsec packets.
– Clear DF bit: The module clears the DF bit for all IPsec packets.
See "The Copying of Values from the Original IP Header" on page 7-23 for more information.
d.
Create Access Policies for an IPsec Site-to-Site VPN with Manual Keying
Before you begin configuring firewall access policies, determine the zone on which traffic from the remote tunnel gateway arrives. Typically, this is the External zone, but it could be another zone. The instructions below refer to this zone as the "remote zone." You should also determine the zone for local endpoints allowed on the VPN.

Note: The value for TCP MSS in the table is only a suggestion. Determine the best MSS for your environment.
Table 7-12.

Figure 7-118. Add Policy Window
g. Click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your system. For example, type 1356.
i. Click the Basic tab.
j. Click Apply.
5. Permit traffic from the remote endpoints to the local endpoints:
a. For Action, leave the default, Permit Traffic.
b. For From, select the remote zone.
c. For To, select the local zone.
d.

f. For Destination, specify the local addresses that the remote users are allowed to access. You can specify the addresses manually or select a previously configured address object.
g. Click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your system. For example, type 1356.
i. Click the Basic tab.
j. Click Apply.
6. In the Add Policy window, click Close.
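Table 7-10 and Table 7-12 give a suggested TCP MSS for a 1500-byte MTU but not how it is derived. The Python below is an added example, not a calculation from the guide: it computes the worst-case per-packet overhead of ESP in tunnel mode from the packet layout in RFC 4303 (with the UDP header of RFC 3948 when NAT traversal is in use) and derives an MSS for a given path MTU, so you can check a value for your own cipher, integrity algorithm and NAT situation. The algorithm names follow the module's proposal window; the 96-bit truncated HMAC ICV, IV and block sizes are the standard IPsec values.

```python
# Worst-case ESP tunnel-mode overhead per packet, after RFC 4303 (ESP) and
# RFC 3948 (UDP encapsulation for NAT traversal). Added example, not the
# module's own calculation. Algorithm names follow the proposal window.

IV_BYTES = {"null": 0, "des": 8, "3des": 8, "aes-128": 16, "aes-192": 16, "aes-256": 16}
# Padding must bring (payload + pad + 2 trailer bytes) to a multiple of the cipher
# block size; NULL encryption still needs 4-byte alignment (RFC 2410).
BLOCK_BYTES = {"null": 4, "des": 8, "3des": 8, "aes-128": 16, "aes-192": 16, "aes-256": 16}
# HMAC-MD5-96 and HMAC-SHA-1-96 both truncate the ICV to 96 bits (RFC 2403, RFC 2404).
ICV_BYTES = {"none": 0, "md5": 12, "sha-1": 12}

OUTER_IPV4 = 20      # new IP header added in tunnel mode
ESP_HEADER = 8       # SPI + sequence number
NAT_T_UDP = 8        # UDP header inserted when NAT traversal is detected
INNER_IP_TCP = 40    # inner IPv4 header (20) + TCP header without options (20)


def esp_tunnel_overhead(cipher: str, auth: str, nat_t: bool = False) -> int:
    """Largest number of bytes ESP tunnel mode can add to one inner IP packet."""
    cipher, auth = cipher.lower(), auth.lower()
    pad_max = BLOCK_BYTES[cipher] - 1          # worst-case padding
    trailer = pad_max + 2                      # pad length + next header fields
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER
            + IV_BYTES[cipher] + trailer + ICV_BYTES[auth])


def recommended_mss(mtu: int, cipher: str, auth: str, nat_t: bool = False,
                    inner_headers: int = INNER_IP_TCP) -> int:
    """MSS that keeps a full-size TCP segment inside one IPsec packet of size `mtu`.

    Raises ValueError when the overhead alone does not fit, rather than
    returning a meaningless negative segment size.
    """
    mss = mtu - esp_tunnel_overhead(cipher, auth, nat_t) - inner_headers
    if mss <= 0:
        raise ValueError("MTU too small for the selected IPsec overhead")
    return mss


def mss_table(mtu: int = 1500):
    """MSS for each cipher/integrity combination, with and without NAT-T."""
    rows = {}
    for cipher in IV_BYTES:
        for auth in ("md5", "sha-1"):
            for nat_t in (False, True):
                rows[(cipher, auth, nat_t)] = recommended_mss(mtu, cipher, auth, nat_t)
    return rows


if __name__ == "__main__":
    for (cipher, auth, nat_t), mss in sorted(mss_table().items()):
        print(f"ESP {cipher:8} {auth:5} NAT-T={str(nat_t):5} -> MSS {mss}")
```

For a 1500-byte MTU the computed values range from 1379 (AES with NAT-T) to 1427 (NULL encryption, no NAT-T), so the guide's example of 1356 sits below every row and leaves room for a GRE header or IP options. Use a computed value only after confirming the real path MTU, for example with a DF-set ping of increasing size, because a smaller MTU anywhere on the path lowers every figure above.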
Figure 7-119.
Layer 2 Tunneling Protocol (L2TP) over IPsec Concepts
Microsoft VPN clients use Layer 2 Tunneling Protocol (L2TP) over IPsec to establish VPN connections. The TMS zl Module can act as a gateway for these endpoints, allowing them remote access to the private network. L2TP is a session-layer protocol (Layer 5) that mimics a data-link protocol (Layer 2).

Configure an L2TP over IPsec VPN
You must complete these tasks to establish a client-to-site VPN that uses L2TP over IPsec:
1. Create named objects (optional).
2. Create a client-to-site IKE policy. Only one IKE policy can specify the client-to-site type, main mode, and preshared keys. Therefore, if you are using pre-shared key authentication, you must configure a single policy that is valid for all of your remote L2TP users. Because every remote user shares that key, anyone who knows it can complete IKE as a client or impersonate the gateway to the other users; per-user identity comes only from the L2TP (PPP) authentication that follows. Treat the key as a gateway-wide secret and change it when anyone who knew it no longer needs access.

8. Configure the clients with compatible settings. For your reference, this chapter gives configuration guidelines for two clients that can be used in L2TP over IPsec VPNs. Note that the process for configuring a Windows 7 VPN client is similar to that for configuring a Vista VPN client.

Figure 7-120. Example L2TP over IPsec VPN
You can, of course, configure other objects that are appropriate for your environment. And you might choose not to configure some of the objects. For example, you might not know the actual IP address of every remote VPN client, particularly when remote users connect through the Internet.
Figure 7-121. VPN > IPsec > IKEv1 Policies Window
3. Click Add IKE Policy.
4. For IKE Policy Name, type a string that is unique to this policy. For example, type ClientVPN. The string can include 1 to 15 alphanumeric characters.
5. For IKE Policy Type, select Client-to-Site (Responder).
Figure 7-122. Add IKE Policy Window—Step 1 of 3
Remote endpoints initiate the VPN connection; the TMS zl Module responds to their IKE messages.

Note: Later you will configure firewall access policies to allow the IKE messages from the remote endpoints.
Refer to Figure 7-123 for help configuring the next setting.
Figure 7-123. Example L2TP over IPsec VPN
6. For Local Gateway, specify the TMS zl Module IP address that will act as the VPN gateway (indicated by 1 in the figure). You have two options:
• Select IP Address and type an IP address in the box.

7. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself. (For more information about ID types, see "IKE Phase 1" on page 7-13.)
a. For Type, select the ID type:
– IP Address
– Domain Name
– Email Address
– Distinguished Name
b. For Value, type the correct value. You can select any type.

Table 7-15. Valid Remote IDs for an L2TP over IPsec VPN to Windows Clients
Remote ID Type        Remote ID Value for Preshared Key
IP Address            0.0.0.0
Domain Name           Example: company.com
Email                 not applicable
Distinguished Name    not applicable
9. Click Next.
Figure 7-124. Add IKE Policy Window—Step 2 of 3
10. Under IKE Authentication, configure the authentication method for the IKE proposal:
a. For Key Exchange Mode, select Main Mode.

b. For Authentication Method, select Preshared Key.
c. Type a string of 12 to 49 alphanumeric or special characters in the Preshared Key box. Type the same string in the Confirm Preshared Key box. The string (which is case-sensitive) must match the string that is configured on the remote endpoints. Generate it randomly and use the full length the module allows: with main mode and a preshared key, the key is all that prevents anyone who can reach UDP port 500 on the gateway from completing IKE as a client.
11. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA.
b. For Encryption Algorithm, select one of these. The window lists them as DES, AES-128 (16), 3DES, AES-192 (24), and AES-256 (32); the number in parentheses after the AES options is the key length in bytes. That order is not a strength ranking: DES is the weakest, 3DES is stronger but slow and has a 64-bit block, and the AES options are both the strongest and the least processor-intensive. Prefer AES.
c. For Authentication Algorithm, select one of these, listed from least secure to most secure:
– MD5
– SHA-1
d.

14. Click Finish. The IKE policy is displayed in the VPN > IPsec > IKEv1 Policies window.
Figure 7-126.

3. Click Add IPsec Proposal. The Add IPsec Proposal window is displayed.
Figure 7-128. Add IPsec Proposal Window
4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters. The string must be unique to this proposal. It is often a good idea to indicate the algorithms that you will select in the name, for example ESP3desMD5.
5. For Encapsulation Mode, select Transport Mode.

6. For Security Protocol, select ESP.
7. Select one of the following for Encryption Algorithm, referring to Table 7-17:
• NULL—If you select this option, traffic is not encrypted: the L2TP and PPP payload, including the user's PPP authentication exchange, is visible on the wire. Use NULL only for troubleshooting.
• DES
• 3DES
• AES-128 (16)
• AES-192 (24)
• AES-256 (32)
The number in parentheses after the AES options is the key length in bytes.
8.
Create an IPsec Policy for an L2TP over IPsec VPN
This section explains how to configure an IPsec policy for an L2TP over IPsec VPN. The IPsec policy selects L2TP traffic between the TMS zl Module and remote endpoints. It also includes settings that will be negotiated during IKE phase 2.
Follow these steps to create the IPsec policy:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IPsec Policies tab.

Figure 7-131. Add IPsec Policy Window—Step 1 of 4
4. For Policy Name, type an alphanumeric string of 1 to 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy takes effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6.

• Bypass—Traffic is forwarded to its destination but is not secured by the IPsec SA.
• Deny—Traffic is discarded.
For information on configuring Bypass and Deny policies, see "Configure Bypass and Deny IPsec Policies" on page 7-354.
7. For Position, type a number. The position determines the order in which the TMS zl Module processes IPsec policies.

Replace the slot placeholder with the ID of the slot in which the TMS zl Module is installed. Replace the policy-name placeholder with the IPsec policy name. (You can use the show ipsec policy command to view the name.)
Note: If your traffic selector will include traffic that is also selected for NAT, you must create a NAT exclusion policy. See "Exclusion NAT Policies" in Chapter 5: "Network Address Translation."
Refer to Figure 7-132 for help configuring the next setting.

b. For Local Address, type the IP address configured as the local gateway in the IKE policy (indicated by 1 in the figure).
Note: You cannot specify an address object when the IPsec proposal specifies transport mode.
c. For Local Port, type 1701.
d. For Remote Address, select Any. Alternatively, you could specify a specific IP address, range of IP addresses, or subnet (indicated by 3 in the figure).
Virtual Private Networks Configure an L2TP over IPsec VPN Figure 7-133. Add IPsec Policy Window—Step 2 of 4 11. For Key Exchange Method, keep the default, Auto (with IKEv1). 12. For IKEv1 Policy, select the previously configured IKEv1 policy. You must select a policy of the client-to-site type. 13. Leave the Enable PFS (Perfect Forward Secrecy) for keys check box clear. 14. For SA Lifetime in Seconds, leave the default 28800 (8 hours). 15. For SA Lifetime in Kilobytes, leave the default, 0.
Virtual Private Networks Configure an L2TP over IPsec VPN 16. Click Next. 17. Clear the Enable IP Address Pool for IRAS (Mode Config) check box. Figure 7-134. Add IPsec Policy Window—Step 3 of 4 18. Click Next.
Virtual Private Networks Configure an L2TP over IPsec VPN Figure 7-135. Add IPsec Policy Window—Step 4 of 4 19. If desired, configure settings in the Advanced Settings (Optional) section. a. Select the check boxes for the advanced features that you want to enable: – Enable re-key on sequence number overflow – – This setting is enabled by default. Enable persistent tunnel Enable fragment before IPsec This setting is enabled by default.
Virtual Private Networks Configure an L2TP over IPsec VPN c. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Anti-Replay Window” on page 7-21 for more information. d. For DF Bit Handling, select one of these options: – Copy DF bit from clear packet – The TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
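The anti-replay window in step c can be understood with the sliding-window check an IPsec receiver performs on ESP sequence numbers (RFC 4303 style). The following Python implementation is an added example, not code from the TMS zl Module; the window size range matches the setting above, and the sequence-number stream is constructed.

```python
class AntiReplayWindow:
    """Sliding anti-replay window for one inbound IPsec SA (RFC 4303 style).

    A packet is accepted if its sequence number has not been seen before and
    is not more than `size` positions behind the highest number accepted so
    far. The TMS zl Module allows a window size of 32 to 1024; the same range
    is enforced here. Constructed example, not TMS code.
    """

    MIN_SIZE, MAX_SIZE = 32, 1024

    def __init__(self, size: int = 64) -> None:
        if not self.MIN_SIZE <= size <= self.MAX_SIZE:
            raise ValueError(f"window size must be {self.MIN_SIZE}..{self.MAX_SIZE}")
        self.size = size
        self.top = 0        # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0     # bit i set => sequence number (top - i) already accepted
        self.stats = {"accepted": 0, "replayed": 0, "too_old": 0}

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet should be accepted."""
        if seq <= 0:
            self.stats["replayed"] += 1   # sequence number 0 is never sent on an SA
            return False
        mask = (1 << self.size) - 1
        if seq > self.top:
            # New high-water mark: slide the window forward and mark seq as seen.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            self.stats["accepted"] += 1
            return True
        diff = self.top - seq
        if diff >= self.size:
            self.stats["too_old"] += 1    # arrived too far out of order; drop
            return False
        if self.bitmap & (1 << diff):
            self.stats["replayed"] += 1   # duplicate of an already accepted packet
            return False
        self.bitmap |= 1 << diff
        self.stats["accepted"] += 1
        return True


def filter_sequence(size: int, seqs):
    """Run a constructed stream of ESP sequence numbers through one window.

    Returns the per-packet accept/drop decisions and the final counters.
    """
    win = AntiReplayWindow(size)
    decisions = [win.check_and_update(s) for s in seqs]
    return decisions, win.stats


if __name__ == "__main__":
    # Constructed sample: mild reordering, one replayed packet, one stale packet.
    print(filter_sequence(32, [1, 2, 5, 4, 3, 3, 100, 68, 69]))
```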
Configure L2TP User Authentication
The TMS zl Module can force an L2TP user to authenticate in one of two ways:
■ Locally. See “Configure Local L2TP Authentication” on page 7-165.
■ To an external RADIUS server. See “Configure L2TP Authentication to an External RADIUS Server” on page 7-170.
Configure Local L2TP Authentication
When authenticating users to the local database, you must:
1. Create a user group for the L2TP over IPsec users.
3. Click Add user group.
Figure 7-138. Add user group Window
4. For Group Name, type a string to identify the L2TP user group.
5. Click OK.
If you want, add other groups for your L2TP users. This will allow you to assign different rights to different remote users when you create firewall access policies.
Add L2TP Users. When the TMS zl Module authenticates L2TP users locally, you must configure one account for each remote user.
Figure 7-139. Network > Authentication > L2TP Users Window
3. Under Local Authentication, click Add L2TP User.
Figure 7-140.
1. For User, type the username that the remote client will use to log on to the VPN connection. The name can be 1 to 16 alphanumeric characters.
2. For Password, type the password for the username.
3. For User Group, select one of the user groups that you configured on the TMS zl Module. When you configure firewall access policies that control this L2TP user’s traffic, you will configure them for this user group.
4.
6. Under Tunnel Configuration, for Server IP Address, type the IP address and subnet prefix length of the TMS zl Module in its capacity as L2TP Network Server (LNS). For example, type 172.16.80.1/24. This is a virtual IP address in an unused subnet (the subnet must not be configured as a TMS VLAN or a VLAN on the host switch). The subnet will be automatically placed in the External zone.
7.
Figure 7-142. Network > Authentication > L2TP Users Window (Dial-in User Added)
Move on to the next task: “Create Access Policies for an L2TP over IPsec VPN” on page 7-177.
Configure L2TP Authentication to an External RADIUS Server
When authenticating users to an external RADIUS server, you must:
1. Create user groups. See “Create a User Group” on page 7-171.
2.
Create a User Group. When the RADIUS server authenticates an L2TP user, it can send the name of a group to the TMS zl Module (in the Filter-ID attribute). If you have configured that same group on the module, the module will then apply the firewall access policies associated with that group to that user.
If you want to assign L2TP users to multiple groups, add the other groups now. For more information about user groups, see “Configure User Authentication” in Chapter 4: “Firewall.”
Specify a RADIUS Server. This section includes the basic steps for specifying a RADIUS server. See “Configure Authentication to an External RADIUS Server” in Chapter 4: “Firewall” for more detailed instructions.
1.
7. If you want, configure optional domain settings. The value that you configure for Domain Name determines the domain for L2TP users. If you do not want L2TP users to include a domain with their usernames when they authenticate, do not complete this setting.
8. Select the Strip domain from user name in RADIUS request check box if you want the TMS zl Module to remove the user’s domain name from the username submitted to the RADIUS server.
9.
4. For L2TP Server IP Address, type the IP address that the TMS zl Module will use on L2TP connections. This IP address cannot be on a subnet that is already configured on the TMS zl Module. It must be a virtual IP address in the same subnet as the virtual IP addresses that will be assigned to L2TP users.
5. Click Apply My Changes.
6. Click Save.
If your RADIUS server does not provide dial-in addresses for authenticated L2TP clients, you must edit the RADIUS domain to create an IP address pool so that the TMS zl Module can assign the appropriate addresses. You can also specify DNS and WINS servers for the authenticated clients. Complete the following steps:
1. Click the Edit icon for the domain you are configuring. The Edit RADIUS domain window is displayed.
Figure 7-148.
Set Up a RADIUS Server to Work with the TMS zl Module. This section provides guidelines for setting up a RADIUS server so that it can provide L2TP authentication for the TMS zl Module. You should refer to your server’s documentation for precise instructions. You must complete the following on your RADIUS server:
■ Add the TMS zl Module as a client.
Table 7-19. RADIUS Attributes Required for L2TP RADIUS Access-Accept Messages
Attribute | Value | Additional Guidelines
Service-Type | Framed |
Filter-ID | Name of a user group on the TMS zl Module | The value must match exactly a name that you configured in “Create a User Group” on page 7-171.
Framed-IP-Address | If each user’s account specifies an IP address (for example in AD): No setting necessary |
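Table 7-19 can be checked against a real Access-Accept. The following Python example is added here and is not TMS zl Module code: it builds a constructed Access-Accept carrying the three attributes, verifies the Response Authenticator against the shared secret (RFC 2865), and derives what the module needs for the session: the user group from Filter-ID and, when Framed-IP-Address is absent, a fallback to the module's own address pool. The secret, identifiers and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2            # RADIUS packet code (RFC 2865)
ATTR_SERVICE_TYPE = 6        # attribute types used in Table 7-19
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_FILTER_ID = 11
SERVICE_TYPE_FRAMED = 2      # Service-Type value "Framed"


def encode_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Encode (type, value) pairs as RADIUS attribute TLVs."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed Access-Accept, as a RADIUS server would send it."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response_authenticator(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Reject replies that were not produced with the shared secret."""
    header, response_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_attributes(pkt: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    attrs, off = [], 20
    while off < len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, pkt[off + 2:off + length]))
        off += length
    return attrs


def l2tp_session_from_accept(pkt: bytes, request_auth: bytes, secret: bytes,
                             configured_groups) -> Tuple[str, Optional[str]]:
    """Return (user_group, framed_ip) for an L2TP user.

    framed_ip is None when the server sent no Framed-IP-Address, meaning the
    module has to assign one from its configured address pool.
    """
    if pkt[0] != ACCESS_ACCEPT or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    if not verify_response_authenticator(pkt, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    service_type = group = framed_ip = None
    for attr_type, value in parse_attributes(pkt):
        if attr_type == ATTR_SERVICE_TYPE:
            service_type = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_FILTER_ID:
            group = value.decode("utf-8")
        elif attr_type == ATTR_FRAMED_IP_ADDRESS:
            framed_ip = str(ipaddress.IPv4Address(value))
    if service_type != SERVICE_TYPE_FRAMED:
        raise ValueError("Service-Type must be Framed for an L2TP session")
    if group not in configured_groups:
        raise ValueError(f"Filter-ID {group!r} matches no user group on the module")
    return group, framed_ip


# Constructed sample values (not from any real deployment).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
GROUPS = {"l2tp-users", "l2tp-admins"}
ACCEPT_WITH_IP = build_access_accept(7, REQUEST_AUTH, SECRET, [
    (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
    (ATTR_FILTER_ID, b"l2tp-users"),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("172.16.80.20").packed),
])
ACCEPT_NO_IP = build_access_accept(8, REQUEST_AUTH, SECRET, [
    (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
    (ATTR_FILTER_ID, b"l2tp-admins"),
])

if __name__ == "__main__":
    print(l2tp_session_from_accept(ACCEPT_WITH_IP, REQUEST_AUTH, SECRET, GROUPS))
    print(l2tp_session_from_accept(ACCEPT_NO_IP, REQUEST_AUTH, SECRET, GROUPS))
```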
After the remote endpoints have received virtual IP addresses, their traffic is considered to have originated in the External zone. You should also determine the zone for local endpoints allowed on the VPN. This might be the Internal zone or another zone. The instructions below will refer to this zone as the “local zone.” Figure 7-149 shows these zones in the example figure for an L2TP over IPsec VPN.
Figure 7-149.
Caution: You must be very careful when you configure firewall access policies in the None user group that permit traffic from L2TP users. These users are in the External zone, so you can inadvertently open your network up to unauthorized access. At the very least, take great care to limit the firewall access policies to the specific virtual IP addresses that are assigned to L2TP clients.
When Required | User Group | From Zone | To Zone | Service | Source | Destination | TCP MSS | Number of policies
When NAT-T is used | None | Remote | SELF | NAT-T (ipsec-nat-t-udp) | 3 or Any | 1 | — | 1
When NAT-T is used | None | SELF | Remote | NAT-T (ipsec-nat-t-udp) | 1 | 3 or Any | — | 1
The exact steps for configuring these policies are given below:
1. In the left navigation bar of the Web browser interface, select Firewall > Access Policies.
Figure 7-150. Add Policy Window
g. Click Apply.
4. Allow IKE messages to the remote endpoints: a. For Action, leave the default, Permit Traffic. b. For From, select SELF. c. For To, select the remote zone. d. For Service, select isakmp. e. For Source, leave Any Address or specify the IP address for the local VPN gateway. f. For Destination, leave Any Address or specify the address object for remote endpoints.
5.
f. For Destination, leave Any Address or specify the local gateway IP address.
Figure 7-151. Add Policy Window
g. Click Apply.
6. Permit L2TP traffic from the module to the remote endpoints: a. For Action, leave the default, Permit Traffic. b. For From, select Self. c. For To, select the remote zone. d. For Service, select l2tp-udp. e. For Source, leave Any Address or specify the local gateway IP address. f.
7. If L2TP users are assigned to user groups, follow these steps: a. Click Close. b. In the Firewall > Access Policies > Unicast window, for User Group, select the group to which L2TP users are assigned. c. Click Add a Policy.
8. Permit traffic from the remote endpoints to local endpoints: a. For Action, leave the default, Permit Traffic. b. For From, select External. c. For To, select the local zone. d.
e. For Source, specify Any Address. If you know the public addresses of all of your remote endpoints, you could create a named object with those addresses and specify that object here. f. For Destination, leave Any Address or specify the local gateway IP address. g. Click Apply. h. For From, select Self. i. For To, select the remote zone. j. For Service, select ipsec-nat-t-udp. k.
Figure 7-152 shows an L2TP over IPsec VPN in which the remote clients are on the subnets 172.22.3.0/24 and 10.78.15.0/24. For this VPN, a default route through 192.168.115.1 would work. However, to better illustrate the necessary routes, the figure shows two specific routes: one to each remote subnet. For both routes, the gateway is 192.168.115.1.
Generic Routing Encapsulation (GRE) Concepts
GRE is a Layer 2 protocol that can encapsulate any protocol that Ethernet can encapsulate. GRE tunneling establishes a virtual point-to-point connection between two devices across an intervening network. For example, you could use GRE to tunnel FTP or HTTP traffic between two networks across an intervening network.
In fact, a GRE tunnel will indicate that it is up before the other side of the tunnel is configured. This means that the local tunnel endpoint routes packets across the GRE tunnel even when the other endpoint is unreachable, and the packets are lost. The TMS zl Module supports a GRE tunnel keepalive mechanism, which enables each GRE tunnel endpoint to verify that the other tunnel endpoint is reachable.
Figure 7-153. Redundant GRE
Figure 7-153 shows redundant GRE tunnels between the TMS zl Module at Site A and the Secure Routers at Site B. The tunnels allow the workstations in VLAN10 at Site A to access the servers in VLAN8 at Site B. The primary GRE tunnel has the TMS zl Module’s address in VLAN99 as the local gateway and one Secure Router's public IP address as the remote gateway.
Similarly, when you configure a redundant GRE tunnel, you must configure routes to remote networks through the redundant tunnel interface as well.
Configure a GRE Tunnel
To configure a GRE tunnel, complete the following tasks:
1. Optionally, create named objects, which you can use in firewall access policies related to the GRE tunnel. Using named objects is best practice; however, you can specify IP addresses manually. See “Create Named Objects (Optional)” on page 7-190.
2. Create the GRE tunnel. See “Create a GRE Tunnel” on page 7-191.
3. Verify that there is a route to the remote tunnel gateway.
See “Named Objects” in Chapter 4: “Firewall” for step-by-step instructions for configuring objects.
Table 7-21.
Figure 7-155. VPN > GRE > GRE Tunnels Window
3. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
Figure 7-156. Add GRE Tunnel Window
4. For Tunnel Name, type a name that is unique for this tunnel. The name can be from 1 to 10 alphanumeric characters. It is recommended that you use a name that indicates the destination of the tunnel.
5.
Refer to Figure 7-157 for help configuring the next settings.
Figure 7-157. Example GRE Tunnel (Including Tunnel Interface)
6. For Tunnel IP Address, type the TMS zl Module’s IP address on the tunnel interface (indicated by 5 in the figure). This IP address is a virtual address, and it must not be part of an existing TMS VLAN or other subnet in your network. This address will be the source address for tunneled packets.
7.
10. For Destination IP Address, type an accessible IP address on the remote tunnel gateway (indicated by 3 in the figure and different from the address configured on the subnet reserved for the tunnel).
11. To enable the keepalive feature for the GRE tunnel, select Enable Keepalive. a. For Period, type the interval, in seconds, between sending keepalives. This interval can be as short as 1 second or as long as 3600 seconds (1 hour). b.
Note: The TMS zl Module’s GRE functionality may not properly detect GRE keepalives if a non-TMS endpoint specifies GRE options such as a Checksum or Sequencing. Normal GRE traffic can be received with these options present, but GRE keepalives with these options are not handled properly. This results in the GRE tunnel being detected as down by the non-TMS endpoint of the GRE tunnel.
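The note above is about where the payload starts: the optional Checksum, Key and Sequence Number fields shift it. The following Python example is added here and is not TMS zl Module code; it parses a GRE header per RFC 2784/2890, skipping whichever options the peer set, and tracks tunnel state with the Period and Retries semantics of step 11. The keepalive format is a simplified convention constructed for this example, and all sample packets are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# GRE flag bits in the first 16 bits of the header (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000   # C: Checksum (2) + Reserved1 (2) present
GRE_FLAG_KEY = 0x2000        # K: 4-byte Key present
GRE_FLAG_SEQUENCE = 0x1000   # S: 4-byte Sequence Number present
GRE_VERSION_MASK = 0x0007


@dataclass
class GreHeader:
    flags: int
    protocol: int
    checksum: Optional[int]
    key: Optional[int]
    sequence: Optional[int]
    payload: bytes


def parse_gre(buf: bytes) -> GreHeader:
    """Parse a GRE header; the payload offset is right whatever options are set."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", buf[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    needed = 4 + sum(4 for f in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQUENCE) if flags & f)
    if len(buf) < needed:
        raise ValueError("truncated GRE optional fields")
    off, checksum, key, sequence = 4, None, None, None
    if flags & GRE_FLAG_CHECKSUM:
        checksum = struct.unpack("!H", buf[off:off + 2])[0]
        off += 4
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQUENCE:
        sequence = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    return GreHeader(flags, protocol, checksum, key, sequence, buf[off:])


def build_gre(protocol: int, payload: bytes = b"", checksum: Optional[int] = None,
              key: Optional[int] = None, sequence: Optional[int] = None) -> bytes:
    """Encode a GRE packet; used here only to construct sample input."""
    flags, opts = 0, b""
    if checksum is not None:
        flags |= GRE_FLAG_CHECKSUM
        opts += struct.pack("!HH", checksum, 0)
    if key is not None:
        flags |= GRE_FLAG_KEY
        opts += struct.pack("!I", key)
    if sequence is not None:
        flags |= GRE_FLAG_SEQUENCE
        opts += struct.pack("!I", sequence)
    return struct.pack("!HH", flags, protocol) + opts + payload


def is_keepalive(hdr: GreHeader) -> bool:
    """Constructed convention for this example: protocol type 0 with no payload.
    (Real keepalives differ in detail; the point is that the options were skipped.)"""
    return hdr.protocol == 0 and len(hdr.payload) == 0


class KeepaliveMonitor:
    """After `retries` consecutive periods with no keepalive reply, declare the tunnel down."""

    def __init__(self, period: int, retries: int) -> None:
        if not 1 <= period <= 3600:
            raise ValueError("Period must be 1..3600 seconds")
        if not 1 <= retries <= 255:
            raise ValueError("Retries must be 1..255")
        self.period, self.retries, self.missed, self.up = period, retries, 0, True

    def end_of_period(self, received: List[bytes]) -> bool:
        """Evaluate the raw GRE packets received during one keepalive period."""
        answered = False
        for raw in received:
            try:
                answered = answered or is_keepalive(parse_gre(raw))
            except ValueError:
                continue                      # malformed packet: ignore, never count
        if answered:
            self.missed, self.up = 0, True
        else:
            self.missed += 1
            if self.missed >= self.retries:
                self.up = False
        return self.up


def run_monitor(period: int, retries: int, periods: List[List[bytes]]) -> List[bool]:
    mon = KeepaliveMonitor(period, retries)
    return [mon.end_of_period(p) for p in periods]


# Constructed samples: a keepalive from a peer that sets Checksum and Sequence,
# and an ordinary data packet carrying a dummy IPv4 payload with a Key.
KEEPALIVE_WITH_OPTIONS = build_gre(0, checksum=0x1234, sequence=7)
DATA_PACKET = build_gre(0x0800, b"\x45" + bytes(19), key=42)

if __name__ == "__main__":
    print(run_monitor(10, 3, [[KEEPALIVE_WITH_OPTIONS], [DATA_PACKET], [], [], [KEEPALIVE_WITH_OPTIONS]]))
```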
In the example figure, the forwarding interface would be the Gateway VLAN, and the gateway for the route would be a router in this VLAN.
Caution: Dynamic routing can introduce an issue. The remote tunnel gateway might advertise a route to the tunnel destination address through the tunnel itself. If this is the best, most specific route to the destination, then the module will add it to its routing table.
When you have a redundant GRE tunnel, you must create one route over the primary tunnel and a floating static route over the secondary tunnel. The floating static route has a higher metric than a primary static route or a primary default route. A floating static route has a higher administrative distance than a primary dynamic route.
Configure Static Routes
To configure static routes for the GRE tunnel, follow these steps:
1.
Figure 7-162. Example GRE Tunnel
4. If you have selected Network or Host, type the Destination Address, which depends on the destination type that you chose:
• Network—type the IP address and subnet mask of the destination network (behind the remote tunnel gateway).
• Host—type the IP address of the host (behind the remote tunnel gateway).
The correct address corresponds to 4 in the example figure.
5.
Move on to the next task: “Create Access Policies for a GRE Tunnel” on page 7-203.
Configure RIP on a GRE Tunnel Interface
This section includes the most basic steps for configuring RIP on a GRE tunnel interface. Often you must complete more steps, such as redistributing connected routes. For complete instructions for RIP configurations, see Chapter 9: “Routing.”
1. Click Network > Routing and click the RIP tab.
Figure 7-163.
Figure 7-164. Enable RIP on Interface Window
5. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
6. For Version, select the version used by the remote tunnel gateway. The TMS zl Module does not support RIP compatibility mode, so an interface listening for v2 updates will reject v1 updates. Therefore, you must select the version to match the remote gateway device or select both versions.
7.
• MD5—The module and the remote tunnel gateway authenticate each other with MD5 authentication.
– For Key ID, type the key ID, which must match the ID on other routers in this subnet.
– For Key, type the key, which must match the key on other routers in this subnet.
10. Click OK.
11. Click Save.
Move on to the next task: “Create Access Policies for a GRE Tunnel” on page 7-203.
1. Select the Enable OSPF check box.
2. Click Apply My Changes.
3. Click Enable OSPF on an interface. The Enable OSPF on a VLAN window is displayed.
Figure 7-166. Enable OSPF on an Interface Window
4. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
5. For Area ID, type the number of the area to which you want to assign the GRE tunnel interface.
6.
9. Configure Authentication settings. These settings must match those on the remote tunnel gateway exactly. Do one of the following:
• For Type, select None.
• For Type, select Simple. i. For Password, type a password.
• For Type, select MD5. i. For Key ID, type the authentication key ID (1-255). ii. For Key, type the 16-digit MD5 key.
10. Click OK.
11. Click Save.
Move on to the next task: creating access policies.
Figure 7-167. Example GRE Tunnel (with Zones)
Table 7-22 lists the necessary access policies; the numbers in the Source and Destination columns refer to the example figure above. (Note that all of these policies are typically configured for the None user group. However, if local users log in through the module, then the access policies with the local zone as the source zone would use that user group.
Table 7-22.
Exact steps for configuring these policies are given in the sections below.
Unicast Access Policies
1. In the left navigation bar of the Web browser interface, click Firewall > Access Policies. You are at the Unicast tab.
2. Click Add a Policy.
3. Allow GRE messages from the remote tunnel gateway: a. For Action, leave the default, Permit Traffic. b. For From, select the remote zone. c. For To, select SELF. d. For Service, specify (47) GRE. e.
Figure 7-168. Add Policy Window
g. Optionally, select the Enable logging on this Policy check box if you want to view log messages for this policy. Note: It is not recommended that you enable logging permanently, because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.
h. Click Apply.
4. Allow GRE traffic from the TMS zl Module to the remote tunnel endpoint: a. For Action, leave the default, Permit Traffic.
f. For Destination, specify the actual IP address of the remote tunnel endpoint. This is the Destination IP Address that you specified in the GRE tunnel. It is different from the address configured on the subnet reserved for the tunnel.
g. Click Apply.
5. Permit local traffic that is sent across the tunnel (before it is encapsulated by GRE): a. For Action, leave the default, Permit Traffic. b. For From, select the local zone. c.
g. Click the Advanced tab. h. For TCP MSS, type the value that you determined is best for your system. For example, type 1436. i. Click the Basic tab. j. Click Apply.
6. If necessary, repeat step 5 to permit other traffic.
7. Permit remote traffic that arrives on the tunnel (after it is unencapsulated from GRE): a. For Action, leave the default, Permit Traffic. b. For From, select the tunnel zone. c. For To, select the local zone. d.
g. Click the Advanced tab. h. For TCP MSS, type the value that you determined is best for your system. For example, type 1436. i. Click the Basic tab.
8. Click Apply.
9. If you enabled a dynamic routing protocol (RIP or OSPF) on the tunnel, ensure that access policies permit this traffic between SELF and the tunnel zone. (This is the default setting.)
10. In the Add Policy window, click Close.
11. Click Save.
Configure a GRE over IPsec VPN with IKE
d. For Service, accept the default, Any Service. This is the most basic configuration. You could also permit only certain types of traffic. e. For Source, specify the IP addresses of remote endpoints that are allowed to send traffic on the tunnel. f. For Destination, specify the appropriate multicast address. If you have selected a specific service, you can also leave Any Address if you choose. g. Click Apply.
3.
5. Create an IKEv1 policy. See “Create an IKE Policy for a GRE over IPsec VPN” on page 7-224.
6. Install certificates for IKE (optional). See “Install Certificates for IKE” on page 7-232.
7. Create an IPsec proposal. The mode is typically transport mode because the TMS zl Module generates the GRE packets, but you can also use tunnel mode.
Table 7-23.
Figure 7-172. VPN > GRE > GRE Tunnels Window
3. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
Figure 7-173. Add GRE Tunnel Window
4. For Tunnel Name, type a name that is unique for this tunnel. The name can be from 1 to 10 alphanumeric characters. It is recommended that you use a name that indicates the destination of the tunnel.
5.
Refer to Figure 7-174 for help configuring the next settings.
Figure 7-174. Example GRE over IPsec VPN (Including Tunnel Interface)
6. For Tunnel IP Address, type the TMS zl Module’s IP address on the tunnel interface (indicated by 5 in the figure). This IP address is a virtual address, and it must not be part of an existing TMS VLAN or other subnet in your network. This address will be the source address for tunneled packets.
7.
11. To enable the keepalive feature for the GRE tunnel, select Enable Keepalive. a. For Period, type the interval, in seconds, between sending keepalives. This interval can be as short as 1 second or as long as 3600 seconds (1 hour). b. For Retries, type the number of keepalives that the TMS zl Module will send before declaring the tunnel “down” (1-255).
Figure 7-175. Add GRE Tunnel Window
12. Click OK.
13. Click Save.
If you want, repeat these steps to create a redundant tunnel.
Verify that a Route to the Remote Tunnel Gateway Exists
To establish the GRE tunnel, the TMS zl Module requires a route to the tunnel’s destination address (indicated by 3 in the example figure). The route can be to the specific address or any network that includes that address. The route can be a static route or a route discovered with a routing protocol.
Configure Routes that Use the GRE Tunnel Interface
In order for the TMS zl Module to send traffic over the GRE tunnel, it must have routes to the appropriate subnets that use the GRE tunnel interface. You can:
■ Create static routes. See “Configure Static Routes” on page 7-218.
■ Set up RIP on the GRE tunnel interface. See “Configure RIP on a GRE Tunnel Interface” on page 7-220.
3. For Destination Type, select the destination type. You can select any type, including Default Gateway. The TMS zl Module supports multiple default routes, so this is a valid option even when you are configuring a floating static route for a redundant tunnel.
Refer to Figure 7-179 for help configuring the next settings.
Figure 7-179. Example GRE over IPsec VPN
4.
7. For Distance, type the administrative distance. Typically, the distance for a static route is 1. However, if this is a route over a backup GRE tunnel, type a higher value than that for the primary route. For example, if the primary tunnel runs OSPF, type a value higher than OSPF’s administrative distance (by default, 110).
8. Click OK. The route is now displayed in the Network > Routing > Static Routes window.
9. Click Save.
4. Click Enable RIP on an interface. The Enable RIP on Interface window is displayed.
Figure 7-181. Enable RIP on Interface Window
5. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
6. For Version, select the version used by the remote tunnel gateway. The TMS zl Module does not support RIP compatibility mode, so an interface listening for v2 updates will reject v1 updates.
• MD5—The module and the remote tunnel gateway authenticate each other with MD5 authentication.
– For Key ID, type the key ID, which must match the ID on other routers in this subnet.
– For Key, type the key, which must match the key on other routers in this subnet.
10. Click OK.
11. Click Save.
Move on to the next task: “Create an IKE Policy for a GRE over IPsec VPN” on page 7-224.
1. Select the Enable OSPF check box.
2. Click Apply My Changes.
3. Click Enable OSPF on an interface. The Enable OSPF on a VLAN window is displayed.
Figure 7-183. Enable OSPF on an Interface Window
4. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
5. For Area ID, type the number of the area to which you want to assign the GRE tunnel interface.
6.
9. Configure Authentication settings. These settings must match those on the remote tunnel gateway exactly. Do one of the following:
• For Type, select None.
• For Type, select Simple. i. For Password, type a password.
• For Type, select MD5. i. For Key ID, type the authentication key ID (1-255). ii. For Key, type the 16-digit MD5 key.
10. Click OK.
11. Click Save.
Move on to the next task: creating an IKE policy.
Figure 7-185. Add IKE Policy Window—Step 1 of 3
4. For IKE Policy Name, type a string that is unique to this policy. The string can include 1 to 32 alphanumeric characters.
5. For IKE Policy Type, select Site-to-Site (Initiator & Responder). The TMS zl Module will respond to IKE messages from the gateway at the remote site.
Figure 7-186. Example GRE over IPsec VPN
6. For Local Gateway, specify the same IP address configured as the source IP address for the GRE tunnel (indicated by 1 in the figure, and not the IP address on the tunnel subnet). You have two options:
• Select IP Address and type the IP address in the box.
• Select Use VLAN IP Address and select a VLAN from the list.
Note: Later you will configure firewall access policies to allow the IKE messages from the remote gateway.
8. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself. This ID must match exactly, in both type and value, the remote ID specified on the remote endpoint. For more information about ID types, see “IKE Phase 1” on page 7-13. a.
Figure 7-187. Add IKE Policy Window—Step 2 of 3
11. Under IKE Authentication, configure these settings: a. For Key Exchange Mode, select Main Mode or Aggressive Mode. The mode must match that configured on the remote endpoint. See “IKE modes” on page 7-17 for guidelines. b.
12. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA: a. For Diffie-Hellman (DH) Group, select the group for the Diffie-Hellman exchange: – Group 1 (768) – Group 2 (1024) – Group 5 (1536). The group determines the length of the prime number used during the exchange. The larger the number, the more secure the key generated by the exchange. b.
Figure 7-188. Add IKE Policy Window—Step 3 of 3
14. If you want, configure XAUTH, which is an optional additional layer of security. Otherwise, leave Disable XAUTH selected and move to step 15. You can configure the TMS zl Module to act either as a client (authenticate itself) or as a server (authenticate the remote gateway):
• Select TMS acts as XAUTH Server.
Figure 7-189. Add IKE Policy Window—Step 3 of 3
i. For Authentication Type, select Generic or CHAP. At some point, you must configure the username and password for the remote gateway in one of these locations: – An external RADIUS server—Remember to add the RADIUS server in the Network > Authentication > RADIUS window.
Figure 7-190. VPN > IPsec > IKEv1 Policies Window (Policy Added)
Move to the next task:
■ If you selected DSA or RSA signatures for the authentication method, “Install Certificates for IKE” on page 7-232.
■ If you selected pre-shared key for the authentication method, “Create an IPsec Proposal” on page 7-247.
Virtual Private Networks Configure a GRE over IPsec VPN with IKE Figure 7-191. VPN > Certificates > IPsec Certificates Window 3. 4. Add a private key. You have two options: • Generate the private key on the TMS zl Module. See step 4. • Import a private key generated elsewhere. See step 5. Generate the private key on the TMS zl Module a. In the Private Keys section, click Generate Private Key. Figure 7-192. Generate Private Key Window b.
Virtual Private Networks Configure a GRE over IPsec VPN with IKE c. For Key Algorithm, select RSA or DSA. When you configured the IKEv1 policy, you selected DSA Signature or RSA Signature for Authentication Method (see step 11b on page 7-228). Match this setting. d. For Key Size, select 512, 1024, or 2048, which determines the length of the key in bits. e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window. Figure 7-193.
Virtual Private Networks Configure a GRE over IPsec VPN with IKE Figure 7-194. Import Private Key Window c. For Private Key Identifier, type a descriptive string between 1 and 31 alphanumeric characters. The string must be unique to this key. d. For Select Private Key, type the path and filename for the private key. Alternatively, click Browse and navigate to the private key file. e. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window. f. 6.
Virtual Private Networks Configure a GRE over IPsec VPN with IKE 7. For Certificate Name, type a descriptive alphanumeric string. The name must be unique for this request. 8. For Signature Algorithm, select the algorithm used to sign the certificate: • MD5 with RSA • SHA-1 with RSA • SHA-1 with DSA You must select the same algorithm that is used by the private key. That is, select MD5 with RSA or SHA-1 with RSA for an RSA key; select SHA-1 with DSA for a DSA key. 9.
Note
The subject name or one of the subject alternate names must match these settings:
• The local ID in your IKE policies that use this certificate
• The remote ID in IKE policies on remote tunnel endpoints that verify this certificate
The name must match in both type and value. For example, if you have typed TMS.company.
13. Click the Edit icon in the Tools column for the certificate request.
Figure 7-197. Certificate Request Data Window
14. Copy the data (for example, by pressing [Ctrl] + [c]) and paste it in a document created in a text editor. Save the file (if necessary, using the file extension required by your CA). Click OK in the Certificate Request Data window to close the window.
15.
Figure 7-198. VPN > Certificates > Certificate Authorities Window
19. Click Import Certificate.
Figure 7-199. Import Certificate Window
20. Under Select global trusted certificate, type the path and filename for the CA root certificate. Alternatively, click Browse and navigate to the CA root certificate file.
21. Click Apply. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window.
Figure 7-200.
Note
If you receive an error message, the TMS zl Module cannot validate the CA certificate. A common problem is that the module has the incorrect time. The module takes its clock from the host switch. Verify that this switch has the correct time.
22. Next, you must import the module’s certificate. Click the IPsec Certificates tab.
Figure 7-201. VPN > Certificates > IPsec Certificates Window
23. Click Import Certificate under Certificates.
24. Under Select IPsec certificate, type the path and filename for the TMS zl Module’s certificate. Alternatively, click Browse and navigate to the certificate file.
25. Click Apply. The module’s certificate is displayed under Certificates in the VPN > Certificates > IPsec Certificates window.
Figure 7-203. VPN > Certificates > IPsec Certificates (Certificate Installed)
26. Finally, you must install the CRL. Click the CRL tab.
Figure 7-204.
Figure 7-205. Import CRL Window
28. For Select CRL, type the path and filename for the CRL. Alternatively, click Browse and navigate to the CRL file.
29. Click OK. The CRL is displayed in the VPN > Certificates > CRL window.
Figure 7-206. VPN > Certificates > CRL Window (CRL Added)
30. Click Save.
Move to the next task: “Create an IPsec Proposal” on page 7-247.
Figure 7-207. VPN > Certificates > SCEP Window
3. For SCEP Server IP Address/Domain Name, type either the IP address or FQDN of your CA server. The CA must, of course, support SCEP.
4. For SCEP Server Port, type the port number on which your CA server listens for SCEP messages. The default port is 80.
5. For CGI-Path, type the correct path to the program on the CA server that executes SCEP functions.
10. Click Retrieve certificate through SCEP. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window. (If the certificate is not imported, check the IP address or FQDN that you set in step 3 on page 7-243.)
Figure 7-209. VPN > Certificates > Certificate Authorities Window
11. Click the CRL tab.
Figure 7-210. VPN > Certificates > CRL Window
12. Click Retrieve CRL through SCEP.
Figure 7-211.
Figure 7-212. VPN > Certificates > CRL Window (CRL Added)
15. Next, you must import the TMS zl Module’s certificate. Contact your CA’s representatives and make sure that the CA is ready to issue the module a certificate. (Also, if you changed the CGI path to install the CRL, return to the SCEP tab and change the path to the correct one for installing the module’s certificate.) Then click the IPsec Certificates tab.
Figure 7-213.
Figure 7-214. Retrieve IPsec Certificate through SCEP Window
17. For Subject Name, typically you type the TMS zl Module’s FQDN after /CN=. The remote tunnel endpoint will use this subject name to authenticate the module. Therefore, the subject name must match a remote ID that is configured on the remote endpoint. You should also specify this name for the local ID value in the IKE policy (the type is Distinguished Name).
18.
Figure 7-215. VPN > Certificates > IPsec Certificates (Certificate Installed)
Move to the next task: “Create an IPsec Proposal.”

Create an IPsec Proposal
Each IPsec proposal specifies the following:
■ IPsec mode (tunnel or transport)
■ IPsec security protocol:
• AH and a single authentication algorithm
• ESP, a single authentication algorithm, and a single encryption algorithm
You can configure multiple IPsec proposals.
Figure 7-216. VPN > IPsec > IPsec Proposals Window
3. Click Add IPsec Proposal. The Add IPsec Proposal window is displayed.
Figure 7-217. Add IPsec Proposal Window
4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5.
5.
• 3DES
• AES-128 (16)
• AES-192 (24)
• AES-256 (32)
The number in parentheses after AES options indicates the key length for the algorithm in bytes.
8. If you selected either ESP or AH, for Authentication Algorithm, select one of the following:
• None
You must not select None if you selected AH for the Security Protocol or if you selected NULL for the ESP Encryption Algorithm.
• MD5
• SHA-1
• AES-XCBC
9. Click OK.
Follow these steps to create the IPsec policy:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IPsec Policies tab.
Figure 7-219. VPN > IPsec > IPsec Policies Window
3. Click Add IPsec Policy. The Add IPsec Policy window is displayed.
Figure 7-220.
4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6.
Caution
For this policy, you will specify a local TMS zl Module IP address. Be very careful to specify GRE for the protocol. Otherwise, you might be locked out of the Web browser interface. If you do lock yourself out, access the module and delete the IPsec policy:
■ If the module has multiple IP addresses in its management-access zone, you might be able to contact the module’s Web browser interface at one of the other addresses.
8. For Traffic Selector, configure these settings:
a. For Protocol, specify 47 (GRE).
b. For Local Address, specify the local gateway address for the GRE tunnel (indicated by 1 in the figure and not the IP address on the tunnel subnet).
Note
You cannot specify an address object when the IPsec proposal specifies transport mode.
c.
9.
11. For Key Exchange Method, keep the default, Auto (with IKEv1).
12. For IKEv1 Policy, select a previously configured IKEv1 policy. Select the IKEv1 policy that specifies the remote tunnel endpoint as the remote gateway.
13. Optionally, select the Enable PFS (Perfect Forward Secrecy) for keys check box, which forces the tunnel endpoints to generate new keys for the IPsec SA.
Note
If you specify the SA lifetime both in seconds and in kilobytes, the SA is evaluated when the first limit is reached.
16. Click Next.
Figure 7-223. Add IPsec Policy Window—Step 3 of 4
17. The Step 3 of 4 window allows you to configure settings for IKE mode config, which is not valid for this type of VPN. Click Next.
Figure 7-224. Add IPsec Policy Window—Step 4 of 4
18. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable extended sequence number
– Enable re-key on sequence number overflow. This setting is enabled by default.
– Enable persistent tunnel
– Enable fragment before IPsec. This setting is enabled by default.
b. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Anti-Replay Window” on page 7-21 for more information.
c. For DF Bit Handling, select one of these options:
– Copy DF bit from clear packet – The TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
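The anti-replay window in step 18b and the seconds-or-kilobytes lifetime note above are easier to reason about with a small model of the receive-side SA state. The following Python is an added example, not TMS zl Module code: it implements the sliding-window scheme from RFC 4303 (a bitmap of the most recent window_size sequence numbers), enforces the module's 32 to 1024 window range, and reports which lifetime limit is reached first. The sequence numbers and byte counts fed through it are constructed for the illustration.

```python
import time

# Added example, not TMS zl Module code. Models the per-SA receive state an
# IPsec peer keeps: an RFC 4303 style anti-replay sliding window plus the
# seconds/kilobytes lifetime limits, whichever is reached first.


class IpsecSaState:
    """Receive-side state for one IPsec security association."""

    def __init__(self, window_size=64, lifetime_seconds=None,
                 lifetime_kbytes=None, now=None):
        # The module accepts window sizes from 32 to 1024 packets.
        if not 32 <= window_size <= 1024:
            raise ValueError("anti-replay window size must be between 32 and 1024")
        self.window_size = window_size
        self.highest_seq = 0        # highest sequence number accepted so far
        self.bitmap = 0             # bit i set => seq (highest_seq - i) was accepted
        self.lifetime_seconds = lifetime_seconds
        self.lifetime_kbytes = lifetime_kbytes
        self.created = time.time() if now is None else now
        self.bytes_processed = 0

    def accept(self, seq, nbytes=0):
        """Return (True, reason) if the packet passes the replay check and update
        the window; otherwise return (False, reason) and leave the window alone."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            if shift >= self.window_size:
                self.bitmap = 1     # everything older falls out of the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            self.bytes_processed += nbytes
            return True, "new highest sequence number"
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False, f"seq {seq} is {offset} behind the newest; outside the window"
        if self.bitmap & (1 << offset):
            return False, f"seq {seq} already accepted; replay"
        self.bitmap |= 1 << offset
        self.bytes_processed += nbytes
        return True, "out of order but inside the window"

    def lifetime_expired(self, now=None):
        """Name the first lifetime limit that has been reached, or None."""
        now = time.time() if now is None else now
        if self.lifetime_seconds is not None and now - self.created >= self.lifetime_seconds:
            return "seconds"
        if self.lifetime_kbytes is not None and self.bytes_processed >= self.lifetime_kbytes * 1024:
            return "kbytes"
        return None


def demo():
    """Feed a constructed sequence through a 32-packet window and return the verdicts."""
    sa = IpsecSaState(window_size=32, lifetime_seconds=3600, lifetime_kbytes=64, now=0)
    stream = [1, 2, 3, 5, 4, 3, 100, 60, 70, 100]   # constructed sequence numbers
    verdicts = [sa.accept(seq, nbytes=1500)[0] for seq in stream]
    return verdicts, sa.lifetime_expired(now=10), sa.lifetime_expired(now=3600)


if __name__ == "__main__":
    print(demo())
```

In the constructed stream, 4 arriving after 5 is accepted because it is inside the window, the second 3 is rejected as a replay, 60 arriving after 100 is rejected because it is 40 packets behind a 32-packet window, and 70 is accepted. A larger window tolerates more reordering on the path at the cost of a longer bitmap; the lifetime check returns "seconds" at 3600 s even though the byte limit is far from reached, which is the "first limit reached" behaviour the note describes.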
Create Access Policies for a GRE over IPsec VPN That Uses IKE
Before you begin configuring firewall access policies, determine the zone on which traffic from the remote tunnel gateway arrives. This is the zone associated with the TMS VLAN on which the tunnel’s source IP address is configured. The instructions below will refer to this zone as the “remote zone.”
For access policies that permit the traffic sent over the tunnel, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system. Otherwise, the addition of the GRE and IP delivery headers might make the packets too large to be transmitted. Table 7-25 suggests a value for the TCP MSS when the MTU is 1500.
When Required | Type | From Zone | To Zone | Service | Source | Destination | MSS | Number of policies
• Dynamic routing over the tunnel • Default policies disabled | Unicast | SELF | Tunnel | OSPF or RIP | 5 | 6 | — | 1
• Dynamic routing over the tunnel • Default policies disabled | Multicast | Tunnel | SELF | OSPF or RIP | 6 | Any Address or multicast address | — | 1
• Dynamic routing over the tunnel • Default policies disabled | Multicast | SELF | Tunnel | OSPF or RIP
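The guide does not show the arithmetic behind its suggested MSS, but it is worth checking for the proposal you actually chose, because the overhead differs between 3DES and AES, between transport and tunnel mode, and between ESP and AH. The Python below is an added example, not part of the HP guide: it computes the largest TCP payload that still fits in one packet after the GRE and IPsec headers are added. It assumes a 4-byte GRE header without optional fields, IP and TCP headers without options, and the 96-bit truncated ICV that HMAC-MD5, HMAC-SHA-1 and AES-XCBC-MAC use in IPsec; ESP padding is rounded to the cipher block (4 bytes for NULL encryption, as RFC 4303 requires). The guide's 1388 sits a little under the bound this gives for AES in transport mode, which is the safe direction.

```python
# Added example, not part of the HP guide: an upper bound on the TCP MSS that
# fits in a single packet once GRE and ESP/AH headers are added.
# Header sizes are the standard fixed sizes (assumption: no IP/TCP/GRE options).
OUTER_IP = 20       # delivery IP header
INNER_IP = 20       # passenger IP header carried inside GRE
TCP_HDR = 20        # TCP header without options
GRE_HDR = 4         # GRE header with no key/sequence/checksum fields
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
AH_HDR = 12         # AH fixed fields (next header, length, reserved, SPI, sequence)
ICV_LEN = 12        # HMAC-MD5-96, HMAC-SHA-1-96 and AES-XCBC-MAC-96 all use 96 bits

# ESP encryption algorithms from the IPsec proposal: (padding alignment, IV length) in bytes.
# NULL encryption still pads the ESP payload to a 4-byte boundary.
CIPHERS = {
    "NULL": (4, 0),
    "3DES": (8, 8),
    "AES-128": (16, 16),
    "AES-192": (16, 16),
    "AES-256": (16, 16),
}


def gre_over_ipsec_mss(mtu=1500, protocol="ESP", cipher="AES-128",
                       tunnel_mode=False, authenticated=True):
    """Largest TCP payload per segment that avoids fragmenting the
    GRE-over-IPsec packet on a link with the given MTU."""
    icv = ICV_LEN if authenticated else 0
    # Everything GRE carries: [delivery IP again in tunnel mode] + GRE + inner IP + TCP
    inner_headers = (OUTER_IP if tunnel_mode else 0) + GRE_HDR + INNER_IP + TCP_HDR

    if protocol == "AH":
        # AH adds a fixed header; nothing is padded to a cipher block.
        room = mtu - OUTER_IP - AH_HDR - icv
    elif protocol == "ESP":
        block, iv = CIPHERS[cipher]
        fixed = OUTER_IP + ESP_HDR + iv + icv
        # The encrypted region (payload + padding + trailer) is a whole number of blocks.
        encrypted_room = (mtu - fixed) // block * block
        room = encrypted_room - ESP_TRAILER
    else:
        raise ValueError("protocol must be 'ESP' or 'AH'")

    mss = room - inner_headers
    if mss <= 0:
        raise ValueError("MTU too small for GRE over IPsec")
    return mss


def mss_table(mtu=1500):
    """MSS bound per proposal, keyed by a short proposal label."""
    table = {}
    for cipher in CIPHERS:
        table[f"ESP-{cipher}-transport"] = gre_over_ipsec_mss(mtu, "ESP", cipher, False)
        table[f"ESP-{cipher}-tunnel"] = gre_over_ipsec_mss(mtu, "ESP", cipher, True)
    table["AH-transport"] = gre_over_ipsec_mss(mtu, "AH", tunnel_mode=False)
    return table


if __name__ == "__main__":
    for label, mss in mss_table().items():
        print(f"{label:24s} {mss}")
```

For a 1500-byte MTU the bound is 1394 for ESP with AES in transport mode and 1402 for 3DES; tunnel mode costs another 20 bytes. Anything at or below the bound for your proposal avoids fragmentation of the encapsulated packet, so a value such as the guide's 1388 is fine for all of the ESP transport-mode proposals in this chapter.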
4.
f. For Destination, leave Any Address or specify the IP address that you configured for the tunnel’s source IP address.
g. Click Apply.
5. Allow GRE messages from the TMS zl Module to the remote tunnel endpoint:
a. For Action, leave the default Permit Traffic.
b. For From, select Self.
c. For To, select the remote zone.
d. For Service, specify GRE.
e.
Figure 7-227. Add Policy Window
g. Click Apply.
6. If you are using IKE, permit IKE messages from the TMS zl Module to the remote tunnel endpoint:
a. For Action, leave the default Permit Traffic.
b. For From, select Self.
c. For To, select the remote zone.
d. For Service, select isakmp.
e. For Source, leave Any Address or specify the IP address configured for the local gateway in the IKE policy.
f.
Figure 7-228. Add Policy Window
g. Click Apply.
7. Permit local traffic that is sent across the tunnel:
a. For Action, leave the default, Permit Traffic.
b. For From, select the local zone.
c. For To, select the tunnel zone.
d. For Service, leave Any Service. This is the most basic configuration. You could also permit only certain types of traffic.
e.
Figure 7-229. Add Policy Window
g. Click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your system. For example, type 1388.
i. Click the Basic tab.
j. Click Apply.
8. Permit remote traffic that arrives on the tunnel:
a. For Action, leave the default, Permit Traffic.
b. For From, select the tunnel zone.
c. For To, select the local zone.
d. For Service, leave Any Service.
h. For TCP MSS, type the value that you determined is best for your system. For example, type 1388.
i. Click the Basic tab.
9. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between the gateways), you must create access policies to allow the NAT-T traffic between the remote gateway and the module and vice versa:
a. For Action, accept the default: Permit Traffic.
b. For From, select the remote zone.
c.
f. For Service, accept the default, Any Service. This is the most basic configuration. You could also permit only certain types of traffic.
g. For Source, specify the local IP addresses that are allowed to send traffic on the tunnel.
h. For Destination, specify the appropriate multicast address. If you specified a particular service, you can also leave Any Address if you choose.
i. Click Apply.
2.
Virtual Private Networks
Configure a GRE over IPsec VPN with Manual Keying

You must complete these tasks to configure GRE over IPsec with manual keying:
1. Optionally, create named objects, which you can use in VPN and firewall access policies related to the GRE tunnel. Using named objects is best practice; however, you can specify IP addresses manually. See “Create Named Objects (Optional)” on page 7-268.
2.
8. Configure global IPsec settings (optional). See “Configure Global IPsec Settings” on page 7-351.
9. Configure the remote GRE over IPsec gateway with compatible settings. See your gateway device’s configuration guide for instructions.

Create Named Objects (Optional)
You might want to configure the named objects indicated in Table 7-26.
Figure 7-230. Example GRE over IPsec VPN

Create a GRE Tunnel
Follow these steps to create a GRE tunnel:
1. In the left navigation pane of the Web browser interface, select VPN > GRE.
2. You are at the GRE Tunnels tab.
Figure 7-231. VPN > GRE > GRE Tunnels Window
3. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
Figure 7-232. Add GRE Tunnel Window
4. For Tunnel Name, type a name that is unique for this tunnel. The name can be from 1 to 10 alphanumeric characters. It is recommended that you use a name that indicates the destination of the tunnel.
5. By default, the Enable this tunnel check box is selected, which allows the GRE tunnel to be established as soon as you finish configuring it.
Figure 7-233. Example GRE over IPsec VPN (Including Tunnel Interface)
6. For Tunnel IP Address, type the TMS zl Module’s IP address on the tunnel interface (indicated by 5 in the figure). This IP address is a virtual address, and it must not be part of an existing TMS VLAN or other subnet in your network. This address will be the source address for tunneled packets.
7.
11. To enable the keepalive feature for the GRE tunnel, select Enable Keepalive.
a. For Period, type the interval, in seconds, between sending keepalives. This interval can be as short as 1 second or as long as 3600 seconds (1 hour).
b. For Retries, type the number of keepalives that the TMS zl Module will send before declaring the tunnel “down” (1-255).
Figure 7-234. Add GRE Tunnel Window
12. Click OK.
13. Click Save.
If you want, repeat these steps to create a redundant tunnel.

Verify that a Route to the Remote Tunnel Gateway Exists
To establish the GRE tunnel, the TMS zl Module requires a route to the tunnel’s destination address (indicated by 3 in the example figure). The route can be to the specific address or to any network that includes that address.
Figure 7-236. Example GRE VPN

Configure Routes that Use the GRE Tunnel Interface
In order for the TMS zl Module to send traffic over the GRE tunnel, it must have routes to the appropriate subnets that use the GRE tunnel interface. You can:
■ Create static routes. See “Configure Static Routes” on page 7-274.
■ Set up RIP on the GRE tunnel interface. See “Configure RIP on a GRE Tunnel Interface” on page 7-276.
2. Click Add static route. The Add static route window is displayed.
Figure 7-237. Add static route Window
3. For Destination Type, select the destination type. You can select any type, including Default Gateway. The TMS zl Module supports multiple default routes, so this is a valid option even when you are configuring a floating static route for a redundant tunnel. Refer to Figure 7-238 for help configuring the next settings.
4. If you selected Network or Host, type a Destination Address, which depends on the destination type that you chose:
• Network—type the IP address and subnet mask of the destination network (behind the remote tunnel gateway).
• Host—type the IP address of the host (behind the remote tunnel gateway).
The correct address corresponds to 4 in the example figure.
5.
Figure 7-239. Network > Routing > RIP Window
2. Select the Enable RIP check box.
3. Click Apply My Changes.
4. Click Enable RIP on an interface. The Enable RIP on Interface window is displayed.
Figure 7-240. Enable RIP on Interface Window
5. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
6. For Version, select the version used by the remote tunnel gateway. The TMS zl Module does not support RIP compatibility mode, so an interface listening for v2 updates will reject v1 updates.
• MD5—The module and the remote tunnel gateway authenticate each other with MD5 authentication.
– For Key ID, type the key ID, which must match the ID on other routers in this subnet.
– For Key, type the key, which must match the key on other routers in this subnet.
10. Click OK.
11. Click Save.
Move on to the next task: “Create an IPsec Proposal” on page 7-281.
1. Select the Enable OSPF check box.
2. Click Apply My Changes.
3. Click Enable OSPF on an interface. The Enable OSPF on a VLAN window is displayed.
Figure 7-242. Enable OSPF on a Interface Window
4. For Interface, select the GRE tunnel interface, which is listed by the name that you assigned to it.
5. For Area ID, type the number of the area to which you want to assign the GRE tunnel interface.
6.
9. Configure Authentication settings. These settings must match those on the remote tunnel gateway exactly. Do one of the following:
• For Type, select None.
• For Type, select Simple.
i. For Password, type a password.
• For Type, select MD5.
i. For Key ID, type the authentication key ID (1-255).
ii. For Key, type the 16-digit MD5 key.
10. Click OK.
11. Click Save.
Move on to the next task: creating an IPsec proposal.
3. Click Add IPsec Proposal. The Add IPsec Proposal window is displayed.
Figure 7-244. Add IPsec Proposal Window
4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5.
5. For Encapsulation Mode, select Transport Mode.
8. If you selected either ESP or AH, for Authentication Algorithm, select one of the following:
• None
You must not select None if you selected AH for the Security Protocol or if you selected NULL for the ESP Encryption Algorithm.
• MD5
• SHA-1
• AES-XCBC
9. Click OK. The IPsec proposal is displayed in the VPN > IPsec > IPsec Proposals window.
Figure 7-245. VPN > IPsec > IPsec Proposals Window (Proposal Added)
10.
■ Disadvantages
• Keys can be leaked, and overall the tunnel is less secure.
• Lengthy keys can be mistyped.
• Keys can be difficult to manage with multiple remote sites.
• Manual keying cannot be used to create a site-to-site IPsec VPN with the HP Secure Router 7000dl series.
• Manual keying cannot be used to configure a client-to-site VPN or with IKE mode config.
Follow these steps to create the IPsec policy:
1.
Figure 7-247. Add IPsec Policy Window—Step 1 of 4
4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6. For Action, keep the default, Apply.
7.
A default IPsec policy prevents all traffic from being encrypted by the VPN engine; therefore, all IPsec policies that you configure must have a higher priority than this default policy.
Next, you configure the VPN traffic selector, which determines which traffic will use the VPN tunnel. For a GRE over IPsec VPN, the traffic selector must specify the GRE traffic between the TMS zl Module and the remote tunnel endpoint.
Figure 7-248. Example GRE over IPsec VPN
8.
9. For Traffic Selector, configure these settings:
a. For Protocol, specify 47 (GRE).
b. For Local Address, specify the local gateway address for the GRE tunnel (indicated by 1 in the figure and not the IP address on the tunnel subnet).
c.
Figure 7-249. Add IPsec Policy Window—Step 2 of 4 (Top Section)
12. For Local Gateway, specify the same module IP address that you specified for the local address in the traffic selector. You have two options:
• Select IP Address and type the IP address in the box.
• Select Use VLAN IP Address and select the VLAN to which this address is assigned.
13.
14. Next, set the SPI and keys for the protocol that you selected in the IPsec proposal (ESP, in the example displayed in Figure 7-250). The correct number of characters for a key depends on the algorithm that you selected in the IPsec proposal and is indicated to the right of the box. Note also that if you selected AH, you will not see boxes for encryption keys:
a.
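Because manually entered keys are long and, as the Disadvantages list above notes, easy to mistype, it helps to generate and check them outside the browser before typing them in. The following Python is an added example, not anything the module provides: it validates an SPI and key pair against the algorithm chosen in the proposal and generates fresh random material of the right length from the OS CSPRNG. The key sizes are those of the algorithms themselves (3DES 24 bytes; AES-128, AES-192 and AES-256 16, 24 and 32 bytes, matching the numbers the proposal window shows; HMAC-MD5 16, HMAC-SHA-1 20, AES-XCBC 16 bytes). It assumes keys are entered as hexadecimal and that SPI values 0 to 255 are reserved, as RFC 4303 specifies; the page does not say which encoding the module's form expects, so adapt the parsing to the hint displayed next to the box.

```python
import secrets

# Added example, not TMS zl Module code. Checks SPI and key material for a
# manually keyed SA and generates fresh random keys of the right length.
# Key sizes in bytes, per algorithm definition. Assumption: keys are typed as hex.
ENC_KEY_BYTES = {"NULL": 0, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
AUTH_KEY_BYTES = {"None": 0, "MD5": 16, "SHA-1": 20, "AES-XCBC": 16}
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF   # RFC 4303: SPIs 0-255 are reserved


def _check_key(label, alg, table, key_hex, problems):
    """Append a problem if key_hex is not valid hex of the length alg requires."""
    if alg not in table:
        problems.append(f"unknown {label} algorithm {alg!r}")
        return
    expected = table[alg]
    try:
        raw = bytes.fromhex(key_hex or "")
    except ValueError:
        problems.append(f"{label} key is not valid hex")
        return
    if len(raw) != expected:
        problems.append(f"{label} key for {alg} must be {expected} bytes "
                        f"({expected * 2} hex characters), got {len(raw)}")


def validate_manual_sa(protocol, spi, enc_alg="NULL", enc_key_hex="",
                       auth_alg="None", auth_key_hex=""):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    if not SPI_MIN <= spi <= SPI_MAX:
        problems.append(f"SPI {spi} outside {SPI_MIN}..{SPI_MAX}")
    if protocol == "AH":
        if auth_alg == "None":
            problems.append("AH requires an authentication algorithm")
        if enc_key_hex:
            problems.append("AH has no encryption key")
        _check_key("authentication", auth_alg, AUTH_KEY_BYTES, auth_key_hex, problems)
    elif protocol == "ESP":
        if enc_alg == "NULL" and auth_alg == "None":
            problems.append("ESP with NULL encryption needs an authentication algorithm")
        _check_key("encryption", enc_alg, ENC_KEY_BYTES, enc_key_hex, problems)
        _check_key("authentication", auth_alg, AUTH_KEY_BYTES, auth_key_hex, problems)
    else:
        problems.append(f"unknown protocol {protocol!r}")
    return problems


def generate_manual_sa(protocol, enc_alg="NULL", auth_alg="None"):
    """Fresh SPI and keys from the OS CSPRNG, one independent set per direction."""
    def one_direction():
        return {
            "spi": secrets.randbelow(SPI_MAX - SPI_MIN + 1) + SPI_MIN,
            "enc_key_hex": secrets.token_hex(ENC_KEY_BYTES[enc_alg]) if protocol == "ESP" else "",
            "auth_key_hex": secrets.token_hex(AUTH_KEY_BYTES[auth_alg]),
        }
    return {"inbound": one_direction(), "outbound": one_direction()}


if __name__ == "__main__":
    sa = generate_manual_sa("ESP", "AES-256", "SHA-1")
    for direction, params in sa.items():
        print(direction, params,
              validate_manual_sa("ESP", params["spi"], "AES-256",
                                 params["enc_key_hex"], "SHA-1", params["auth_key_hex"]))
```

Generate a separate set for each direction and enter the inbound set on one gateway as the outbound set on the other; reusing one key in both directions is a common shortcut that the generator deliberately does not take.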
15. Click Next.
Figure 7-251. Add IPsec Policy Window—Step 3 of 4
16. The Step 3 of 4 window allows you to configure settings for IKE Mode Config, which is not valid for a site-to-site VPN. Click Next.
Figure 7-252. Add IPsec Policy Window—Step 4 of 4
17. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable fragment before IPsec. This setting is enabled by default.
For information and guidelines on these settings, see “Advanced IPsec Features” on page 7-21.
b.
c. For DF Bit Handling, select one of these options:
– Copy DF bit from clear packet – The TMS zl Module copies the DF bit setting for the IPsec packet from the inner IP packet.
– Set DF bit – The module sets the DF bit for all IPsec packets.
– Clear DF bit – The module clears the DF bit for all IPsec packets.
See “The Copying of Values from the Original IP Header” on page 7-23 for more information.
d.
Create Access Policies for a GRE over IPsec VPN That Uses Manual Keying
Before you begin configuring firewall access policies, determine the zone on which traffic from the remote tunnel gateway arrives. This is the zone associated with the TMS VLAN on which the tunnel’s source IP address is configured. The instructions below will refer to this zone as the “remote zone.”
For access policies that permit the traffic sent over the tunnel, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system. Otherwise, the addition of the GRE and IP delivery headers might make the packets too large to be transmitted. Table 7-27 suggests a value for the TCP MSS when the MTU is 1500.
When Required | Type | From Zone | To Zone | Service | Source | Destination | MSS | Number of policies
• Dynamic routing over the tunnel • Default policies disabled | Multicast | Tunnel | SELF | OSPF or RIP | 6 | Any Address or multicast address | — | 1
• Dynamic routing over the tunnel • Default policies disabled | Multicast | SELF | Tunnel | OSPF or RIP | 5 | Any Address or multicast address | — | 1
Exact steps for configuring these policies are given in the
f. For Destination, specify the public IP address of the remote tunnel endpoint.
g. Click Apply.
5. Permit local traffic that is sent across the tunnel:
a. For Action, leave the default, Permit Traffic.
b. For From, select the local zone.
c. For To, select the tunnel zone.
d. For Service, leave Any Service. This is the most basic configuration. You could also permit only certain types of traffic.
e.
j. Click Apply.
6. Permit remote traffic that arrives on the tunnel:
a. For Action, leave the default, Permit Traffic.
b. For From, select the tunnel zone.
c. For To, select the local zone.
d. For Service, leave Any Service. This is the most basic configuration. You could also create access policies that permit only certain types of traffic.
e.
h. For Destination, specify the appropriate multicast address. If you specified a particular service, you can also leave Any Address if you choose.
i. Click Apply.
2. Configure an access policy to permit remote multicast traffic that arrives on the tunnel, after it is encapsulated:
a. Click Add Policy.
b. For Action, accept the default, Permit Traffic.
c. For From, select the local zone.
d. For To, select the tunnel zone.
Virtual Private Networks
GRE Examples

This section contains examples of GRE implementations with step-by-step configuration instructions. The examples provided are:
■ Enabling OSPF on a GRE tunnel. See “Enabling OSPF on a GRE tunnel” on page 7-299.
■ Configuring redundant GRE tunnels. See “Redundant GRE Tunnels” on page 7-330.

Enabling OSPF on a GRE tunnel
This section provides step-by-step instructions for configuring a GRE tunnel between two Threat Management Services (TMS) zl Modules.
Table 7-28 lists the configuration parameters that will be used for this configuration. Notice that for many of the parameters, the local setting on one module is the same as the remote setting on the other module.
Figure 7-256. OSPF over GRE Example Network
Figure 7-257.
Table 7-28. Configuration Parameters for GRE with OSPF Example
Parameter | TMS zl Module Site A Settings | TMS zl Module Site B Settings
Tunnel Name | toVLAN70 | toVLAN40
Tunnel IP Address | 10.8.8.1 | 10.8.8.2
Peer IP Address | 10.8.8.2 | 10.8.8.1
Firewall Zone Association | Zone4 | Zone4
Source IP Address | 172.23.99.99 | 192.168.33.22
Destination IP Address | 192.168.33.22 | 172.23.99.99
Destination type | Host | Host
Destination address | 192.168.33.22 | 172.23.99.

Parameter | TMS zl Module Site A Settings | TMS zl Module Site B Settings
To | Self | Self
Service | (47) GRE | (47) GRE
Source | 192.168.33.22 | 172.23.99.99
Destination | 172.23.99.99 | 192.168.33.22
Unicast Access Policy to permit OSPF messages to the remote gateway.
Action | Permit | Permit
From | Self | Self
To | Zone4 | Zone4
Service | (89) OSPFIGP | (89) OSPFIGP
Source | 10.8.8.1 | 10.8.8.2
Destination | 10.8.8.2 | 10.8.8.

Parameter | TMS zl Module Site A Settings | TMS zl Module Site B Settings
Multicast Access Policy to permit OSPF traffic to the remote gateway.
Action | Permit | Permit
From | Self | Self
To | Zone4 | Zone4
Service | (89) OSPFIGP | (89) OSPFIGP
Source | 10.8.8.1 | 10.8.8.2
Destination | Any Address | Any Address
Multicast Access Policy to permit OSPF traffic from the remote gateway.
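The mirror relationship the introduction to Table 7-28 points out (one site's tunnel address is the other's peer address, one site's source is the other's destination) is where two-site GRE setups most often go wrong, and the access-policy rows in the table follow from the tunnel parameters. The Python below is an added example, not part of the HP guide: it holds the two sites' tunnel parameters from the table, checks that they mirror each other, and derives the GRE and OSPF access-policy rows so they can be compared with what is actually configured. The remote zone for the GRE policy is EXTERNAL, as the Site A steps later in this example use; for Site B the page does not state it, so EXTERNAL there is an assumption, as is the source and destination of the "OSPF traffic from the remote gateway" row, which the table cuts off and which here follows Table 7-27's tunnel-to-SELF multicast row.

```python
import ipaddress

# Added example, not part of the HP guide. Parameter values are the ones
# printed in Table 7-28; remote_zone for Site B is an assumption.
SITE_A = {
    "name": "Site A", "tunnel_ip": "10.8.8.1", "peer_ip": "10.8.8.2",
    "zone": "Zone4", "remote_zone": "EXTERNAL",
    "source_ip": "172.23.99.99", "destination_ip": "192.168.33.22",
}
SITE_B = {
    "name": "Site B", "tunnel_ip": "10.8.8.2", "peer_ip": "10.8.8.1",
    "zone": "Zone4", "remote_zone": "EXTERNAL",   # assumption: not given on the page
    "source_ip": "192.168.33.22", "destination_ip": "172.23.99.99",
}

# (local field, remote field) pairs that must agree across the two sites
MIRRORED = [("tunnel_ip", "peer_ip"), ("source_ip", "destination_ip")]
IP_FIELDS = ("tunnel_ip", "peer_ip", "source_ip", "destination_ip")


def mirror_problems(local, remote):
    """Return a list of mismatches between two sites' tunnel parameters."""
    problems = []
    for site in (local, remote):
        for field in IP_FIELDS:
            try:
                ipaddress.ip_address(site[field])
            except ValueError:
                problems.append(f"{site['name']}: {field} {site[field]!r} is not an IP address")
        if site["tunnel_ip"] == site["peer_ip"]:
            problems.append(f"{site['name']}: tunnel IP and peer IP are the same")
    for here, there in MIRRORED:
        if local[here] != remote[there]:
            problems.append(f"{local['name']} {here} {local[here]} != "
                            f"{remote['name']} {there} {remote[there]}")
        if local[there] != remote[here]:
            problems.append(f"{local['name']} {there} {local[there]} != "
                            f"{remote['name']} {here} {remote[here]}")
    return problems


def expected_policies(site):
    """Access-policy rows (from, to, service, source, destination) for one site."""
    ospf = "(89) OSPFIGP"
    return {
        "gre_from_remote": (site["remote_zone"], "Self", "(47) GRE",
                            site["destination_ip"], site["source_ip"]),
        "ospf_unicast_to_remote": ("Self", site["zone"], ospf,
                                   site["tunnel_ip"], site["peer_ip"]),
        "ospf_multicast_to_remote": ("Self", site["zone"], ospf,
                                     site["tunnel_ip"], "Any Address"),
        # Assumption: mirrors Table 7-27's Tunnel -> SELF multicast row.
        "ospf_multicast_from_remote": (site["zone"], "Self", ospf,
                                       site["peer_ip"], "Any Address"),
    }


if __name__ == "__main__":
    print("mirror problems:", mirror_problems(SITE_A, SITE_B))
    for site in (SITE_A, SITE_B):
        for name, row in expected_policies(site).items():
            print(site["name"], name, row)
```

Running it against the table's values reports no mirror problems and prints the same Source and Destination values the table lists for the GRE and unicast OSPF policies; swapping one site's source and destination, a typical copy-and-paste slip, is reported immediately.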
Create the GRE Tunnel for Site A
1. In the left navigation pane of the Web browser interface, click VPN > GRE. You are at the GRE Tunnels tab.
Figure 7-258. VPN > GRE > GRE Tunnels Window
2. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
3. For Tunnel Name, type toVLAN40.
4. For Tunnel IP Address, type 10.8.8.1.
5. For Peer IP Address, type 10.8.8.2.
6. For Firewall Zone Association, select Zone4.
Figure 7-259. Add GRE Tunnel Window
12. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.
Figure 7-260. VPN > GRE Window (Tunnel Added)
13. Click Save.

Create a Route to the Remote Tunnel Gateway
The TMS zl Module requires a route to the destination address for the GRE tunnel. In this example, you will create a static route.
1. Click Network > Routing and click the Static Routes tab.
2. Click Add static route.
Figure 7-261. Add static route Window
3. For Destination Type, select Host.
4. For Destination Address, type 192.168.33.22.
5. For Gateway Address, type 172.23.99.1.
6. For Metric, leave the default, 0.
7. For Distance, type 1.
8. Click OK.

Enable OSPF on the Site A Tunnel Interface
1. Click Network > Routing and click the OSPF tab.
Figure 7-262. Network > Routing > OSPF Window
2. Click Enable OSPF on an interface. The Enable OSPF on a Interface window is displayed.
3. For Interface, select toVLAN40 (toVLAN40).
4. For Area ID, type 0.
Figure 7-263. Enable OSPF on a Interface Window
5. Accept the default values for the remaining options.
6. Click OK.
7. Click Save.

Configure Other OSPF Settings for Site A
If you have not configured other OSPF settings, you must do so now. Enable OSPF, set a unique router ID, and redistribute any routes that you want the module to advertise through the tunnel.
Virtual Private Networks GRE Examples Follow these steps to configure the OSPF settings: 1. To enable OSPF, click Network > Routing and click the OSPF tab. Figure 7-264. Network > Routing > OSPF Window 1. Select the Enable OSPF check box. 2. For Router Identifier, type 0.0.0.99. 3. Leave other settings at their defaults. 4. Click Apply My Changes. You should also configure any STUB or NSSA areas that you require. In this example, the local network at site A is a stub area. 5.
Virtual Private Networks GRE Examples Figure 7-265. Add Area Window 6. For Area ID, type 2. 7. For Area Type, select STUB. 8. For Metric, type 5. 9. Click OK. Finally, enable OSPF on the VLAN interface for the local network. 10. Click Enable OSPF on an interface. The Enable OSPF on a Interface window is displayed. 11. For Interface, select VLAN 70 (VLAN70). 12. For Area ID, type 2. 13. Accept the default values for the remaining options. 14. Click OK. 15. Click Save.
If you want to disable the default OSPF policies and limit OSPF traffic to specific IP addresses, you must configure policies that do the following:
■ Permit unicast and multicast OSPF messages to the remote gateway.
■ Permit unicast and multicast OSPF messages from the remote gateway.
To configure the necessary policies, complete the following steps:
1. In the left navigation bar of the Web browser interface, click Firewall > Access Policies.
   g. Click Apply.
4. Permit GRE messages from the remote gateway.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select EXTERNAL.
   c. For To, select SELF.
   d. For Service, click Options and click Enter custom Protocol/Port. Then select (47) GRE for Protocol.
   e. For Source, specify the remote module’s actual IP address: 192.168.33.22.
   f. For Destination, specify the local IP address that acts as the tunnel gateway: 172.23.99.99.
Figure 7-267.
   e. For Source, specify the module’s IP address on the tunnel interface: 10.8.8.1.
   f. For Destination, specify the remote module’s tunnel IP address: 10.8.8.2.
Figure 7-268. TMS zl Module—Add Policy Window
   g. Click Apply.
6. Permit OSPF messages from the remote gateway.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select ZONE4.
   c. For To, select SELF.
   d. For Service, specify (89) OSPFIGP.
   e.
Figure 7-269. TMS zl Module—Add Policy Window
   g. Click Apply.
7. Permit traffic from the local endpoints to the remote endpoints.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select ZONE6.
   c. For To, select ZONE4.
   d. For Service, accept the default, Any.
   e. For Source, specify the network 10.1.70.0/24.
   f. For Destination, specify the network 10.1.40.0/24.
Figure 7-270. TMS zl Module—Add Policy Window
   g. Click Apply.
   h. Click the Advanced tab.
   i. For TCP MSS, type 1436.
8. Permit traffic from the remote endpoints to the local endpoints.
   a. Click the Basic tab.
   b. For Action, accept the default, Permit Traffic.
   c. For From, select ZONE4.
   d. For To, select ZONE6.
   e. For Service, accept the default, Any.
   f. For Source, specify the network 10.1.40.0/24.
   g. For Destination, specify the network 10.1.70.0/24.
Figure 7-271. TMS zl Module—Add Policy Window
   h. Click the Advanced tab.
   i. For TCP MSS, type 1436.
   j. Click Apply.
9. Click Close.
10. Select the Multicast tab.
11. Click Add a Policy.
12. Permit multicast OSPF messages on the local tunnel interface:
   a. For Action, accept the default, Permit Traffic.
   b. For From, select SELF.
   c. For To, select ZONE4.
   d. For Service, specify (89) OSPFIGP.
   e.
13. Permit multicast OSPF messages that arrive from the remote tunnel endpoint:
   a. For Action, accept the default, Permit Traffic.
   b. For From, select ZONE4.
   c. For To, select SELF.
   d. For Service, specify (89) OSPFIGP.
   e. For Source, specify the module IP address on the tunnel interface: 10.8.8.2.
   f. For Destination, leave the default, Any Address.
   g. Click Apply.
14. Click Close.
15. Click Save.

Create the GRE Tunnel for Site B
1.
Figure 7-273. Add GRE Tunnel Window
11. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.
Figure 7-274. VPN > GRE Window (Tunnel Added)
12. Click Save.

Create a Route to the Remote Tunnel Gateway
The TMS zl Module requires a route to the destination address for the GRE tunnel. In this example, you will create a static route.
1. Click Network > Routing and click the Static Routes tab.
2. Click Add static route.
Figure 7-275. Add static route Window
3. For Destination Type, select Host.
4. For Destination Address, type 172.23.99.99.
5. For Gateway Address, type 192.168.33.1.
6. For Metric, leave the default, 0.
7. For Distance, type 1.
8. Click OK.

Enable OSPF on the Tunnel for Site B
1. Click Network > Routing and click the OSPF tab.
Figure 7-276. Network > Routing > OSPF Window
2. Click Enable OSPF on an interface. The Enable OSPF on a Interface window is displayed.
3. For Interface, select toVLAN70.
4. For Area ID, type 0.
Figure 7-277. Enable OSPF on a Interface Window
5. Accept the default values for the remaining options.
6. Click OK.
7. Click Save.

Configure Other OSPF Settings for Site B
Again, if you have not configured other OSPF settings, you must do so now. Enable OSPF, set a unique router ID, and redistribute any routes that you want the module to advertise through the tunnel. You should also configure any STUB or NSSA areas that you require.
Follow these steps to configure the OSPF settings:
1. Click Network > Routing and click the OSPF tab.
Figure 7-278. Network > Routing > OSPF Window
1. Select the Enable OSPF check box.
2. For Router Identifier, type 0.0.0.22.
3. Leave other settings at their defaults.
4. Click Apply My Changes.
5. In the Network > Routing > OSPF window, click Add NSSA or STUB Area.
Figure 7-279. Add Area Window
6. For Area ID, type 1.
7. For Area Type, select STUB.
8. For Metric, type 5.
9. Click OK.
10. Click Enable OSPF on an interface. The Enable OSPF on a Interface window is displayed.
11. For Interface, select VLAN 40 (VLAN40).
12. For Area ID, type 1.
13. Accept the default values for the remaining options.
14. Click OK.
15. Click Save.
To configure the necessary policies, complete the following steps:
1. In the left navigation bar of the Web browser interface, click Firewall > Access Policies. You are at the Unicast tab.
2. Click Add a Policy. The Add Policy window is displayed.
3. Permit GRE messages to the remote gateway.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select SELF.
   c. For To, select EXTERNAL.
   d. For Service, specify (47) GRE.
   e.
   e. For Source, specify the IP address 192.168.33.22.
   f. For Destination, specify the tunnel’s source IP address, 172.23.99.99.
Figure 7-281. TMS zl Module—Add Policy Window
   g. Click Apply.
5. Permit OSPF messages to the remote gateway.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select SELF.
   c. For To, select ZONE4.
   d. For Service, specify (89) OSPFIGP.
   e. For Source, specify the tunnel interface IP address, 10.8.8.2.
   f.
Figure 7-282. TMS zl Module—Add Policy Window
   g. Click Apply.
6. Permit OSPF messages from the remote gateway.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select ZONE4.
   c. For To, select SELF.
   d. For Service, specify (89) OSPFIGP.
   e. For Source, specify the remote tunnel gateway’s IP address on the tunnel interface, 10.8.8.1.
   f. For Destination, specify the TMS zl Module’s IP address on the tunnel interface, 10.8.8.2.
Figure 7-283. TMS zl Module—Add Policy Window
   g. Click Apply.
7. Permit traffic from the local endpoints to the remote endpoints.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select ZONE2.
   c. For To, select ZONE4.
   d. For Service, accept the default, Any.
   e. For Source, specify the network 10.1.40.0/24.
   f. For Destination, specify the network 10.1.70.0/24.
Figure 7-284. TMS zl Module—Add Policy Window
   g. Click the Advanced tab.
   h. For TCP MSS, type 1436.
   i. Click Apply.
8. Permit traffic from the remote endpoints to the local endpoints.
   a. Click the Basic tab.
   b. For Action, accept the default, Permit Traffic.
   c. For From, select ZONE4.
   d. For To, select ZONE2.
   e. For Service, accept the default, Any.
   f. For Source, specify the IP address 10.1.40.0/24.
   g.
Figure 7-285. TMS zl Module—Add Policy Window
   h. Click the Advanced tab.
   i. For TCP MSS, type 1436.
   j. Click Apply.
9. Click Close.
10. Select the Multicast tab.
11. Click Add a Policy.
12. Permit multicast OSPF messages on the local tunnel interface:
   a. For Action, accept the default, Permit Traffic.
   b. For From, select SELF.
   c. For To, select Zone4.
   d. For Service, specify (89) OSPFIGP.
   e.
13. Permit multicast OSPF messages that arrive from the remote tunnel endpoint:
   a. For Action, accept the default, Permit Traffic.
   b. For From, select Zone4.
   c. For To, select SELF.
   d. For Service, specify (89) OSPFIGP.
   e. For Source, specify the module IP address on the tunnel interface: 10.8.8.1.
   f. For Destination, leave the default, Any Address.
   g. Click Apply.
14. Click Close.
15. Click Save.
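A policy set like the one above can be sanity-checked offline before it is applied. The Python model below is an added example, not HP code or the module's own matching logic: it encodes the Site A unicast and multicast policies from earlier in this section (steps 4, 7, 8, 12 and 13 are taken from the page; the source and destination of step 3 and of the unicast OSPF policies, which the page cuts off, are assumed to mirror them) and evaluates constructed packets against them, assuming first-match evaluation and a deny for anything unmatched. The MSS arithmetic is an explanation added here of why 1436 is used; the page only states the value.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# IP protocol numbers used by the GRE-with-OSPF procedure.
GRE, OSPFIGP, TCP = 47, 89, 6


@dataclass(frozen=True)
class Packet:
    src_zone: str     # zone the packet arrives from (SELF, EXTERNAL, ZONE4, ZONE6)
    dst_zone: str     # zone it is headed to
    protocol: int
    src: str
    dst: str


@dataclass(frozen=True)
class Policy:
    action: str                      # "permit" or "deny"
    src_zone: str                    # From
    dst_zone: str                    # To
    protocol: Optional[int]          # Service; None means Any
    source: Optional[str]            # host or CIDR; None means Any Address
    destination: Optional[str]
    tcp_mss: Optional[int] = None    # Advanced tab: TCP MSS clamp

    def matches(self, pkt: Packet) -> bool:
        if (self.src_zone, self.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.source and ip_address(pkt.src) not in ip_network(self.source):
            return False
        if self.destination and ip_address(pkt.dst) not in ip_network(self.destination):
            return False
        return True


# Site A unicast policies. Steps 4, 7 and 8 are from the page; step 3 and the
# unicast OSPF policies (steps 5 and 6) are assumed to mirror them.
SITE_A_UNICAST: List[Policy] = [
    Policy("permit", "SELF", "EXTERNAL", GRE, "172.23.99.99", "192.168.33.22"),        # step 3 (assumed)
    Policy("permit", "EXTERNAL", "SELF", GRE, "192.168.33.22", "172.23.99.99"),        # step 4
    Policy("permit", "SELF", "ZONE4", OSPFIGP, "10.8.8.1", "10.8.8.2"),                # step 5 (assumed)
    Policy("permit", "ZONE4", "SELF", OSPFIGP, "10.8.8.2", "10.8.8.1"),                # step 6 (assumed)
    Policy("permit", "ZONE6", "ZONE4", None, "10.1.70.0/24", "10.1.40.0/24", 1436),    # step 7
    Policy("permit", "ZONE4", "ZONE6", None, "10.1.40.0/24", "10.1.70.0/24", 1436),    # step 8
]

# Site A multicast policies (steps 12 and 13; the step 12 source is the
# Site A value from the parameter table at the top of this section).
SITE_A_MULTICAST: List[Policy] = [
    Policy("permit", "SELF", "ZONE4", OSPFIGP, "10.8.8.1", None),   # step 12
    Policy("permit", "ZONE4", "SELF", OSPFIGP, "10.8.8.2", None),   # step 13
]


def evaluate(pkt: Packet,
             unicast: List[Policy] = SITE_A_UNICAST,
             multicast: List[Policy] = SITE_A_MULTICAST) -> Tuple[str, Optional[int]]:
    """Return (action, tcp_mss) of the first matching policy.

    Assumptions: the Unicast and Multicast tabs are separate lists chosen by the
    destination address, policies are walked top to bottom, and a packet that
    matches nothing is denied.
    """
    table = multicast if ip_address(pkt.dst).is_multicast else unicast
    for pol in table:
        if pol.matches(pkt):
            return pol.action, pol.tcp_mss
    return "deny", None


def gre_tcp_mss(link_mtu: int = 1500) -> int:
    """Why the procedure clamps TCP MSS to 1436 (explanation added here): the outer
    IPv4 header (20), GRE header (4), inner IPv4 header (20) and TCP header (20)
    must all fit inside the link MTU, so the payload gets what is left."""
    return link_mtu - 20 - 4 - 20 - 20


if __name__ == "__main__":
    # Constructed sample packets, not captures from the page.
    samples = [
        Packet("EXTERNAL", "SELF", GRE, "192.168.33.22", "172.23.99.99"),   # GRE from the remote gateway
        Packet("ZONE4", "SELF", OSPFIGP, "10.8.8.2", "224.0.0.5"),          # OSPF hello on the tunnel
        Packet("EXTERNAL", "SELF", GRE, "203.0.113.5", "172.23.99.99"),     # GRE from an unknown peer
        Packet("ZONE4", "ZONE6", TCP, "10.1.40.10", "10.1.70.20"),           # VLAN40 host to VLAN70 host
        Packet("ZONE4", "ZONE6", TCP, "10.1.40.10", "10.1.99.5"),            # outside the permitted network
    ]
    for pkt in samples:
        print(f"{pkt.src_zone}->{pkt.dst_zone} {pkt.src}->{pkt.dst} proto {pkt.protocol}: {evaluate(pkt)}")
    print("TCP MSS for GRE over a 1500-byte link:", gre_tcp_mss())
```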
In this example, the devices that need to communicate are in VLAN 10, which is in ZONE1 at Site A, and in VLAN65, which is in ZONE2 at Site B. Figure 7-286 shows all of the IP addresses and zones that will be used for this configuration. Table 7-30 lists the configuration parameters that will be used for this configuration. Notice that for many of the parameters the local setting on one module is the same as the remote setting on the other module.
Figure 7-286.
Table 7-30. Configuration Parameters for Redundant GRE Example
Parameter                   TMS zl Module Site A Settings   TMS zl Module Site B Settings
Tunnel Name                 toVLAN65                        toVLAN10
Tunnel IP Address           10.8.8.1                        10.8.8.2
Peer IP Address             10.8.8.2                        10.8.8.1
Firewall Zone Association   Zone5                           Zone5
Source IP Address           172.23.20.99                    192.168.55.22
Destination IP Address      192.168.55.22                   172.23.20.99
Tunnel Name                 backupto65                      backupto10
Tunnel IP Address           10.9.9.1                        10.9.9.

Parameter                   TMS zl Module Site A Settings   TMS zl Module Site B Settings
Name                        VLAN10                          VLAN10
Type                        Network (IP/mask)               Network (IP/mask)
Single-entry Value          10.1.10.0/24                    10.1.10.0/24
Name                        VLAN65                          VLAN65
Type                        Network (IP/mask)               Network (IP/mask)
Single-entry Value          10.1.65.0/24                    10.1.65.

Parameter                   TMS zl Module Site A Settings   TMS zl Module Site B Settings
Source                      VLAN10                          VLAN65
Destination                 VLAN65                          VLAN10
Access Policy to permit traffic from the remote endpoints to the local endpoints.
Action                      Permit                          Permit
From                        Zone5                           Zone5
To                          Zone1                           Zone2
Service                     Any                             Any
Source                      VLAN65                          VLAN10
Destination                 VLAN10                          VLAN65
Static Route to the Remote Primary GRE Tunnel Endpoint
Destination Type            Network                         Network
Destination Address         192.168.55.0/24                 172.
Table 7-31 shows the tasks that you must complete to configure the TMS zl Module at each site for this example configuration.
Table 7-31. Configuration Tasks for Redundant GRE Example
Configuration task                 Steps for Module A                                               Steps for Module B
Create the primary GRE tunnel.     See “Create the Primary GRE Tunnel for Site A” on page 7-335.    See “Create the Primary GRE Tunnel for Site B” on page 7-345.
Create the secondary GRE tunnel.
11. For Retries, accept the default setting, 3.
Figure 7-288. Add GRE Tunnel Window
12. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.

Create the Secondary GRE tunnel for Site A
1. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
2. For Tunnel Name, type backupto65.
3. For Tunnel IP Address, type 10.9.9.1.
4. For Peer IP Address, type 10.9.9.2.
5. For Firewall Zone Association, select ZONE5.
6.
Figure 7-289. Add GRE Tunnel Window
9. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.
Figure 7-290. VPN > GRE Window (Tunnel Added)
10. Click Save.

Create Named Objects for Site A
1. Click Firewall > Access Policies > Addresses.
2. Click Add an Address.
3. Create a single-entry network address object for VLAN10.
   a. For Name, type VLAN10.
   b. For Type, select Network (IP/mask).
   c. Select Single-entry and type 10.1.10.0/24.
Figure 7-291. Add Address Window
   d. Click Apply.
4. Create a single-entry network address object for VLAN65.
   a. For Name, type VLAN65.
   b. For Type, select Network (IP/mask).
Figure 7-292. Add Address Window
   d. Click Apply.
5. Create single-entry IP address objects for the local endpoints of the primary and secondary GRE tunnels.
   a. For Name, type siteAinterPrimary.
   b. For Type, select IP.
   c. Select Single-entry and type 172.23.20.99.
   d. Click Apply.
   e. For Name, type siteAinter2nd.
   f. For Type, select IP.
   g. Select Single-entry and type 172.23.21.99.
   h. Click Apply.
6.
   e. For Name, type siteBinter2nd.
   f. For Type, select IP.
   g. Select Single-entry and type 192.168.56.22.
   h. Click Apply.
7. Click Close.
Figure 7-293. Firewall > Access Policies > Addresses Window
8. Create address groups for the GRE tunnel endpoints at each site.
   a. Click the Address Groups tab.
   b. Click Add Address Group.
   c. For Group Name, type siteAinterfaces.
   d. From the Available Addresses list, select siteAinterPrimary.
   e.
Figure 7-294. Add Address Group Window
   h. Click Apply.
   i. For Group Name, type siteBinterfaces.
   j. From the Available Addresses list, select siteBinterPrimary.
   k. Click the Move Right button to move the object into the Group Members list.
   l. From the Available Addresses list, select siteBinter2nd.
   m. Click the Move Right button to move the object into the Group Members list.
   n. Click Apply.
   o. Click Close.
Figure 7-295.
Configure Firewall Access Policies for Site A
You must configure the following policies:
■ Permit GRE messages to the remote gateway.
■ Permit GRE messages from the remote gateway.
■ Permit traffic from the local endpoints to the remote endpoints.
■ Permit traffic from the remote endpoints to the local endpoints.
To configure the necessary policies, complete the following steps:
1.
Figure 7-296. TMS zl Module—Add Policy Window
   g. Click Apply.
5. Permit traffic from the local endpoints to the remote endpoints.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select Zone1.
   c. For To, select Zone5.
   d. For Service, accept the default, Any.
   e. For Source, specify the network VLAN10.
   f. For Destination, specify the network VLAN65.
   g. Click Apply.
6. Permit traffic from the remote endpoints to the local endpoints.
   a.

Configure Routes for Site A
1. Click Network > Routing > Static Routes.
2. Create routes to the remote GRE tunnel endpoints:
   a. Click Add static route.
   b. For Destination Type, select Network.
   c. For Destination Address, type 192.168.55.0/24.
   d. For Gateway Address, type 172.23.20.1.
   e. For Metric, leave 0.
   f. For Distance, type 1.
Figure 7-297. Add static route Window
   g. Click OK.
3. a. Click Add static route.
   b.
   d. For Gateway Address, type 10.8.8.2.
   e. For Metric, leave 0.
   f. For Distance, type 1.
   g. Click OK.
4. Create a floating static route to VLAN65 through the secondary GRE tunnel:
   a. Click Add static route.
   b. For Destination Type, select Network.
   c. For Destination Address, type 10.10.65.0/24.
   d. For Gateway Address, type 10.9.9.2.
   e. For Metric, leave 2.
   f. For Distance, type 1.
   g. Click OK.
   h. Click Save.
11. For Retries, accept the default setting, 3.
Figure 7-299. Add GRE Tunnel Window
12. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.

Create the Secondary GRE tunnel for Site B
1. In the left navigation pane of the Web browser interface, click VPN > GRE. You are at the GRE Tunnels tab.
2. Click Add GRE Tunnel. The Add GRE Tunnel window is displayed.
3. For Tunnel Name, type backupto10.
4. For Tunnel IP Address, type 10.9.
Figure 7-300. Add GRE Tunnel Window
10. Click OK. The tunnel is now displayed in the VPN > GRE > GRE Tunnels window.
11. Click Save.

Create Named Objects for Site B
1. Click Firewall > Access Policies > Addresses.
2. Click Add an Address.
3. Create a single-entry network address object for VLAN10.
   a. For Name, type VLAN10.
   b. For Type, select Network (IP/mask).
   c. Select Single-entry and type 10.1.10.0/24.
   d. Click Apply.
4.
5. Create single-entry IP address objects for the remote endpoints of the primary and secondary GRE tunnels.
   a. For Name, type siteAinterPrimary.
   b. For Type, select IP.
   c. Select Single-entry and type 172.23.20.99.
   d. Click Apply.
   e. For Name, type siteAinter2nd.
   f. For Type, select IP.
   g. Select Single-entry and type 172.23.21.99.
   h. Click Apply.
6.
   l. From the Available Addresses list, select siteBinter2nd.
   m. Click the Move Right button to move the object into the Group Members list.
   n. Click Apply.
   o. Click Close.

Configure Firewall Access Policies for Site B
You must configure the following policies:
■ Permit GRE messages to the remote gateway.
■ Permit GRE messages from the remote gateway.
■ Permit traffic from the local endpoints to the remote endpoints.
5. Permit traffic from the local endpoints to the remote endpoints.
   a. For Action, accept the default, Permit Traffic.
   b. For From, select Zone2.
   c. For To, select Zone5.
   d. For Service, accept the default, Any.
   e. For Source, specify the network VLAN65.
   f. For Destination, specify the network VLAN10.
   g. Click Apply.
6. Permit traffic from the remote endpoints to the local endpoints.
   a. For Action, accept the default, Permit Traffic.
   b.
Virtual Private Networks Configure Global IPsec Settings
3. Create a route to VLAN65 through the primary GRE tunnel:
   a. Click Add static route.
   b. For Destination Type, select Network.
   c. For Destination Address, type 10.1.10.0/24.
   d. For Gateway Address, type 10.8.8.1.
   e. For Metric, leave 0.
   f. For Distance, type 1.
   g. Click OK.
4. Create a floating static route to VLAN65 through the secondary GRE tunnel:
   a. Click Add static route.
   b. For Destination Type, select Network.
   c.
Follow these steps to configure global IPsec settings:
1. In the Web browser interface left navigation bar, click VPN > IPsec.
2. Click the Settings tab.
3. By default, the Enable IPsec VPN check box is selected:
   • Clear the check box to disable IPsec VPN functionality on the entire TMS zl Module.
   • Select the Handle ICMP error messages check box to have the TMS zl Module accept incoming ICMP error messages. By default, this check box is selected.
5. For Maximum SA per Policy, type the maximum number of SAs that can be established using each IPsec policy. The valid range is 2 to 10000. The default is 10000. Each connection to a remote client requires 2 SAs (one inbound and one outbound).
Virtual Private Networks Configure Bypass and Deny IPsec Policies

Configure Bypass and Deny IPsec Policies
Bypass and Deny IPsec policies allow the TMS zl Module to select a subset of the traffic in a VPN for different handling.

Bypass Policies
The TMS zl Module forwards traffic that matches Bypass policies, but it does not secure that traffic with an IPsec SA. By default, the module has a Bypass policy that selects all traffic, allowing non-VPN traffic that the firewall permits to reach its destination.

Configuration Steps
Follow these steps to create a Bypass or Deny IPsec policy:
1. In the left navigation bar of the Web browser interface, select VPN > IPsec.
2. Click the IPsec Policies tab.
Figure 7-302. VPN > IPsec > IPsec Policies Window
3. Click Add IPsec Policy.
4. For Policy Name, type an alphanumeric string between 1 and 10 characters. The string must be unique to this policy.
5.
Note that you can specify a position that is already used by another policy. The new policy is inserted above the former policy. You can use the arrow icons in the Tools column in the VPN > IPsec > IPsec Policies window to rearrange policies. Remember that the policy at the top of the display is the first policy processed.
Virtual Private Networks Manage VPN Connections and GRE Tunnels
   d. Remote Port is present if you selected TCP or UDP for Protocol. Type the port number for the service that you want to select. Leave the box empty to select all ports.
   e. If you selected ICMP for the protocol, for ICMP Type, select Any, Echo, or Timestamp.
10. Click Finish.
Figure 7-303.
Figure 7-304. Status ( - ) Window
These details are displayed:
■ Peer Address—the IP address of the remote tunnel endpoint or client with which the module has established the SA
■ State—the current state of the IKE SA. The state for an active IKE SA is SA_Mature.
■ Remote Gateway—the remote IP addresses in the traffic selector for this policy
■ Status—click the View status link to see more details. The Status window for that SA is displayed.
Figure 7-305.
■ Bytes Processed—the number of bytes received or transmitted by this SA
■ NAT Status—whether the SA is using NAT-T
■ IP Compression Status—whether the SA supports IP compression

Clear SAs
Sometimes you might want to clear a VPN connection before the SA lifetime expires. Clearing a connection closes the associated SA or tunnel on the TMS zl Module.
4. To clear an IPsec tunnel, follow these steps:
   a. Select the SA from the list in the IPsec VPN Tunnels section.
   b. Click Flush above.

View IP Address Pools
You can view information about the pools that you have created for IKE Mode Config as well as the addresses currently assigned to remote endpoints. In the left navigation bar, click VPN > IPsec. Click the IP Address Pool tab.
Figure 7-307.
■ IKE Policy—the IKE policy associated with the pool (through the IPsec policy)
The Active IP Address Pool Sessions section displays the IP addresses currently assigned to remote endpoints:
■ Assigned IP Address—the IP address assigned to the remote endpoint through IKE Mode Config
■ Peer Address—the remote endpoint’s actual IP address (as it appears on the network through which it connects to the TMS zl Module)
■ Remote ID Type—the type
■ Assigned Address—The virtual IP address assigned to the user’s device for the L2TP connection. The address could have been assigned by the RADIUS server itself or selected from a range of addresses configured for the domain on the TMS zl Module.

View GRE Tunnels
You can view information about your GRE tunnels. Click VPN > GRE.
Figure 7-309.
Figure 7-310. Example GRE Tunnel (with Zones)
■ Status
Tunnels that do not use keepalives can have one of two statuses:
   • Enabled—The tunnel is enabled, and the TMS zl Module will send traffic across the tunnel (as specified by routes in the routing table). However, the remote tunnel gateway may or may not be able to actually receive this traffic.
   • Disabled—The tunnel is disabled.
   • Enabled/Down—The tunnel is enabled; however, the TMS zl Module has failed to receive a response to its keepalives. (The number of keepalives that must fail in a row is specified by the Retries setting in the tunnel configuration.) The module does not send traffic across this tunnel, and routes that use this tunnel as the forwarding interface are removed from the routing table.
■ Changes—The number of times that the status has changed since the TMS zl Module’s last reboot
If this tunnel uses keepalives, the Keepalive Stats (since last change) area displays this information:
■ Sent—The number of keepalives sent since the last time the tunnel’s status has changed (for example, from up to down or from down to up)
■ Received—The number of those keepalives for which the module has received a response from the remote t
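The keepalive behaviour described above is what makes the floating static route in the redundant GRE example (metric 0 through the primary tunnel, metric 2 through the secondary) take over. The Python model below is an added example, not HP's implementation: it uses the Retries default of 3, the Site A tunnel names and next hops from that example with the VLAN65 network from Table 7-30, assumes the healthy keepalive status is labelled "Enabled/Up" (the page names only Enabled/Down), and assumes that among active routes to the same prefix the lower metric wins.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

UP = "Enabled/Up"      # label assumed; the page names only Enabled/Down for keepalive tunnels
DOWN = "Enabled/Down"


@dataclass
class GreTunnel:
    name: str
    retries: int = 3        # Retries default from the Add GRE Tunnel window
    status: str = UP
    failures: int = 0       # consecutive keepalives without a response
    changes: int = 0        # status changes since the last reboot
    sent: int = 0           # Keepalive Stats (since last change)
    received: int = 0

    def _set_status(self, new_status: str) -> None:
        if new_status != self.status:
            self.status = new_status
            self.changes += 1
            self.sent = self.received = 0   # the stats restart at every status change

    def keepalive(self, answered: bool) -> str:
        """Send one keepalive; `answered` says whether the remote gateway replied."""
        self.sent += 1
        if answered:
            self.received += 1
            self.failures = 0
            self._set_status(UP)
        else:
            self.failures += 1
            if self.failures >= self.retries:   # Retries failures in a row
                self._set_status(DOWN)
        return self.status


@dataclass
class StaticRoute:
    destination: str        # network in CIDR form
    gateway: str
    tunnel: GreTunnel       # forwarding interface
    metric: int = 0
    distance: int = 1


class RoutingTable:
    def __init__(self, routes: List[StaticRoute]):
        self.routes = list(routes)

    def active(self) -> List[StaticRoute]:
        # A route whose forwarding tunnel is Enabled/Down is withdrawn from the table.
        return [r for r in self.routes if r.tunnel.status != DOWN]

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        addr = ip_address(dst)
        candidates = [r for r in self.active() if addr in ip_network(r.destination)]
        if not candidates:
            return None
        # Longest prefix first, then lowest distance, then lowest metric (assumed order).
        return min(candidates,
                   key=lambda r: (-ip_network(r.destination).prefixlen, r.distance, r.metric))


def build_site_a() -> Tuple[GreTunnel, GreTunnel, RoutingTable]:
    """Site A of the redundant GRE example: primary toVLAN65, secondary backupto65."""
    primary = GreTunnel("toVLAN65")
    secondary = GreTunnel("backupto65")
    table = RoutingTable([
        StaticRoute("10.1.65.0/24", "10.8.8.2", primary, metric=0),    # through the primary tunnel
        StaticRoute("10.1.65.0/24", "10.9.9.2", secondary, metric=2),  # floating route, secondary tunnel
    ])
    return primary, secondary, table


def failover_trace() -> Tuple[List[Tuple[str, Optional[str]]], int]:
    """Drive a constructed keepalive sequence on the primary tunnel and record
    (primary status, next hop chosen for a VLAN65 host) after each round."""
    primary, secondary, table = build_site_a()
    trace = []
    for answered in (True, False, False, False, True):
        primary.keepalive(answered)
        secondary.keepalive(True)          # the secondary stays healthy throughout
        route = table.lookup("10.1.65.7")  # constructed host address in VLAN65
        trace.append((primary.status, route.gateway if route else None))
    return trace, primary.changes


if __name__ == "__main__":
    rounds, changes = failover_trace()
    for status, gateway in rounds:
        print(f"primary {status:13} -> VLAN65 via {gateway}")
    print("status changes on the primary tunnel:", changes)
```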
Virtual Private Networks Configure an HP ProCurve VPN Client

Configure an HP ProCurve VPN Client
This section includes step-by-step instructions for configuring an HP ProCurve VPN Client to establish an IPsec connection to the TMS zl Module. For the configuration to work, you must configure client-to-site IPsec settings on the module as described in “Configure an IPsec Client-to-Site VPN” on page 7-27.
3. Right-click the My Connections folder and click Add > Connection.
4. Type a meaningful name for the new connection.
5. If you desire, under Connection Security, select the Only Connect Manually check box.
Figure 7-313. Security Policy Editor Window (Connection Added)
6. Under Remote Party Identity and Addressing, you specify the addresses in the internal network that the remote client can reach.
   b. Boxes are displayed depending on the ID Type that you selected. Type a string that exactly matches the value in the Local Address of the module’s IPsec policy traffic selector.
   c. For Protocol, match the protocol selected in the module’s IPsec policy traffic selector. If the module’s setting is Any, leave the default, All.
   d.
10. In the left navigation pane, expand the connection and click My Identity.
Figure 7-315. ProCurve VPN Client—Security Policy Editor—New Connection > My Identity Window
11.
Figure 7-316. ProCurve VPN Client—Security Policy Editor—Pre-Shared Key Window
      iii. Click Enter Key and type the preshared key that you specified in the module’s IKE policy.
      iv. Click OK.
12. For ID Type, match the remote ID type in the TMS zl Module’s IKE policy.
13. If you selected None for Select Certificate and Domain Name or E-mail Address for ID Type, you must configure the ID value.
Figure 7-317. ProCurve VPN Client—Security Policy Editor—My Identity
Note that the module’s IKE policy might use wildcards, which allow multiple values to match the policy. For example, the remote ID type and value in the module’s IKE policy might be Email Address and *@company.com. In the My Identity window, you would select E-mail Address for ID Type. You could then type, for example, user1@company.com in the box below.
Note
When you select IP Address for the ID Type, the ProCurve VPN client automatically submits the IP address on which it makes the connection. When the client uses a certificate, it automatically submits the subject name in the certificate for its ID. You must verify that the certificate includes a subject name of the type that you selected in the previous step and that the subject name matches the remote ID configured on the TMS zl Module.
14.
   c. For SA Life, select Seconds. Then type the number of seconds configured on the module.
   d. For Key Group, select the DH group configured on the module.
Table 7-32 displays the default settings for a TMS zl Module IKE policy.
Table 7-32. Default TMS zl Module IKE Settings
Parameter                   Default Setting
Authentication Algorithm    MD5
Encryption Algorithm        3DES
SA Life                     28800 seconds
Diffie-Hellman (DH) Group   1
17.
19. In the right pane, configure security settings to match those in the TMS zl Module’s IPsec proposal and IPsec policy:
   a. For SA Life, match the SA lifetime settings in the module’s IPsec policy:
      – If the setting for seconds on the module is 0, select KBytes. In the KBytes box, type the number of kilobytes configured on the module.
      – If the setting for kilobytes on the module is 0, select Seconds.
Figure 7-320. ProCurve VPN Client—Security Policy Editor—Security Policy
21. For Select Phase 1 Negotiation Method, match the Key Exchange Mode setting in the TMS zl Module’s IKE policy. Select either Main Mode or Aggressive Mode.
22. If you enabled PFS in the module’s IPsec policy, select the Enable Perfect Forward Secrecy (PFS) check box. For PFS Key Group, match the group setting in the module’s IPsec policy.
23. Click the Save button.
24.
sary routes should be in place on the TMS zl Module. In this configuration, the TMS zl Module reaches remote clients on a VLAN in the External zone (which is a typical configuration).
Table 7-34.
Parameter                                        Valid Settings
Local Port                                       Matches the settings configured in step 6d on page 7-370
Remote Address                                   Any
Remote Port                                      Empty
Proposal                                         IPsec proposal that you created for the IPsec connection
IKEv1 Policy                                     IKE policy that you created for the IPsec connection
Enable PFS (Perfect Forward Secrecy) for keys    Matches the setting configured in step 22 on page 7-377
SA Lifetime in Seconds                           Matches the settings configured in step 19 on pag
Virtual Private Networks Configure IPSecuritas (Macintosh VPN Client) Configure IPSecuritas (Macintosh VPN Client) This section includes step-by-step instructions for configuring a Macintosh IPSecuritas client to establish a VPN connection to the TMS zl Module. These instructions have been tested with the Macintosh OS X Leopard 10.x operating system and IPSecuritas 3.x. These instructions show which settings on IPSecuritas are compatible with the settings on the TMS zl Module.
b. Create a certificate request for the IPSecuritas client:
i. Click the Requests tab. Figure 7-322. IPSecuritas—Certificate Manager > Requests Tab
ii. Click the icon to add a request.
iii. For Request name, type a meaningful name.
iv. For Common name, type the name (often, the client’s FQDN). When the TMS zl Module’s IKE policy remote ID type is set to Distinguished Name, the remote ID value must match what you type here.
vi. Set the Validity (time that the certificate is valid) and Key Length as you desire. Figure 7-323. IPSecuritas—Certificate Manager (Create Request)
vii. Click OK.
c. Submit the certificate request to the CA that signed the TMS zl Module’s certificate.
d. After you receive the certificate from the CA, import it into IPSecuritas:
i. Copy the certificate file to the Macintosh endpoint.
ii.
Figure 7-324. IPSecuritas—Certificate Manager > Certificates Tab (Import a Certificate Icon)
iii. In the Certificates tab, click the Import Certificate from a File icon.
iv. Browse to the certificate file.
v. For Certificate type, select PEM/DER encoded certificate without private key.
Figure 7-325. IPSecuritas—Certificate Manager (Import Client Certificate)
vi. Click Import.
vii. You should see a message indicating that the import was successful. Figure 7-326. IPSecuritas—Matching Request Found Window
e. Install the TMS zl Module’s certificate:
i. Copy the certificate to the Macintosh endpoint.
ii. In the Certificates tab of the IPSecuritas Certificate Manager, click the Import Certificate from a File icon.
v. Click Import.
vi. You should see a message indicating that the certificate imported successfully.
3. In the IPSecuritas menu, click Connections > Edit Profiles to open the Profile Manager. Figure 7-327. IPSecuritas—Profile Manager
4. Click the Add Profile icon. Figure 7-328. IPSecuritas—Profile Manager Window (Profile Added)
5. Specify a meaningful name, for example, VPN–MainCampus.
6. Close the Profile Manager.
Figure 7-329. IPSecuritas
7. For Profile, select the profile that you just created. Figure 7-330. IPSecuritas—Connections > Edit Connections
8. Click Connections > Edit Connections.
Figure 7-331. IPSecuritas—Connections > General Tab
9. Click the Add Connections icon.
10. Specify a meaningful name for the connection, such as Main Campus.
Figure 7-332. IPSecuritas—Connections > General Tab
11. Click the General tab.
12. For Remote IPSec Device, type the IP address at which the client reaches the TMS zl Module. Often, this is the same address that the module’s IKE policy specifies as the local gateway. However, if NAT is performed on this module IP address, you must specify the NAT address.
13.
These settings must match the Remote Address in the module’s traffic selector exactly. For example, if the module’s traffic selector indicates an entire subnet, you must select Network on the IPSecuritas client.
b. For Remote Side, select the Endpoint Mode:
– Host — Specifies one IP address on the internal network that the client is permitted to access. Type the address in the IP Address field.
Figure 7-333. IPSecuritas—Connections > Phase 1 Tab
15. Accept the remaining defaults and click the Phase 2 tab.
16. Configure the following settings, which must match settings in the TMS zl Module’s IPsec proposal and IPsec policy:
a. For Lifetime, select Seconds and type a value in the box.
b. For PFS Group, select one of the following:
– 768 (1) — DH group 1
– 1024 (2) — DH group 2
– 1536 (5) — DH group 5
c.
Figure 7-334. IPSecuritas—Connections > Phase 2 Tab
17. Click the ID tab and configure the following settings, which correspond to the identities and authentication method in the TMS zl Module IKE policy:
a. Local Identifier—Select the identity type for the local endpoint (the remote ID on the module) and type the value in the box provided, if any:
i. User FQDN—Specify an email address in the box.
ii. FQDN—Specify a domain name in the box.
c. Authentication Method—Configure one of these options:
– Select Preshared Key. In the Preshared Key box that is displayed, type the key that you specified in the TMS zl Module IKE policy.
– Select Certificates. For Local Certificate, select the certificate that you installed for the client. For Remote Certificate, select the certificate that you installed for the TMS zl Module.
Figure 7-335. IPSecuritas—Connections > ID Tab
18.
Figure 7-336. IPSecuritas—Connections > Options Tab
21. If you are using certificates for authentication, you must select these check boxes:
• Request Certificate
• Verify Certificate
• Send Certificate
22. Close the Connections window. Figure 7-337.
23. In the IPSecuritas main menu, click Preferences. Figure 7-338. IPSecuritas—Preferences Window
24. Ensure that the Randomize and Exclusive Trail check boxes are selected. Accept the rest of the defaults and close the Preferences window. Figure 7-339.
25. To connect, select the profile that you just created. Then select the connection that you just configured.
26. Click Start.

TMS zl Module Settings with the IPSecuritas Client
For this configuration to work, you must configure IPsec settings on the module as described in “Configure an IPsec Client-to-Site VPN” on page 7-27. Valid settings are displayed in Table 7-35. The table also displays the necessary firewall policies.
Table 7-35.
Parameter: Valid Settings (Configuration Window: Add IPsec Policy—Step 1 of 4)
Action: Apply
Position: Any but last
Protocol: Any
Local Address: Matches the setting configured in step 13b on page 7-389
Remote Address: Matches the setting configured in step 13a on page 7-388
Proposal: The IPsec proposal that you configured for the Macintosh clients
IKEv1 Policy: The client-to-site IKE policy that you configured for the Macintosh clie
Configure a Windows XP SP2 Client for L2TP over IPsec
This section includes step-by-step instructions for configuring a Windows XP SP2 client to establish an L2TP over IPsec connection to the TMS zl Module. You have two options for configuring the client:
■ Use the New Connection Wizard and its default IPsec policies. Using the default policies is the easiest way to set up the connection.
Configuration with the New Connection Wizard
Before you configure the VPN connection, make sure to uninstall the HP ProCurve VPN client or any other third-party VPN client; these clients can interfere with the Windows XP client. Follow these steps to configure the Windows XP SP2 client:
1. On the Windows XP client, open the Network Connections window.
2. Click New Connection Wizard.
3. The wizard is launched. Click Next.
Figure 7-341. Windows XP—New Connection Wizard
7. Click Next.
8. For Company Name, type a meaningful name. Figure 7-342.
9. Click Next. Figure 7-343. Windows XP—New Connection Wizard
10. If the Public Network page is displayed, specify whether the client needs to make a dial-up connection. If the workstation’s Internet connection is through a dial-up connection, select that connection for Automatically dial this initial connection. Otherwise, select Do not dial the initial connection.
11. Click Next.
12.
Figure 7-344. Windows XP—New Connection Wizard
13. Click Next.
14. If the Smart Cards page is displayed, complete these steps:
a. Select Do not use my smart card. Figure 7-345.
b. Click Next. Figure 7-346. Windows XP—New Connection Wizard
15. If prompted, select whether only the current user can make this connection or all users on this workstation. Click Next. Figure 7-347.
16. If you want, select the Add a shortcut to this connection to my desktop check box. Click Finish.
17. The Connect window should be displayed. Figure 7-348. Connect Window
18. Click Properties to open the Properties window.
19. Click the Networking tab.
20. For Type of VPN, select L2TP IPSec VPN.
Figure 7-349. Windows XP— Properties Window > Networking Tab
21. Select Internet Protocol (TCP/IP) in the This connection uses the following items box and click Properties.
22. Ensure that Obtain an IP address automatically and Obtain DNS server address automatically are selected so that the TMS zl Module can assign these values while the client is visiting the private network. Click OK to exit.
23.
Figure 7-350. Windows XP— Properties Window > Security Tab
25. Click Settings next to Advanced (custom settings).
Figure 7-351. Windows XP—Advanced Security Settings
26. For Data encryption, ensure that Require encryption (disconnect if server declines) is selected.
27. Select Allow these protocols.
28. Clear the Microsoft CHAP Version 2 (MS-CHAP v2) check box.
Figure 7-352. Windows XP—IPSec Settings Window
b. Select the Use pre-shared key for authentication check box.
c. For Key, type the preshared key that you specified in the IKE policy on the TMS zl Module and click OK.
31. Click OK to close the Properties window and return to the Connect window. Figure 7-353. Connect Window
32.
33. For Password, type the password specified for this user either in the module L2TP user account or on the external RADIUS server.
34. Click Connect. After a minute or so, you should see a message that informs you that the connection was successful.
Parameter: Valid Settings (Configuration Window)

IKE policy (Configuration Window: Security Parameters)
Proposal: Select one of these combinations:
• DH Group = 2, Encryption Algorithm = 3DES, Authentication Algorithm = MD5, SA Lifetime in Seconds = 28800
• DH Group = 2, Encryption Algorithm = 3DES, Authentication Algorithm = SHA-1, SA Lifetime in Seconds = 28800
• DH Group = 1, Encryption Algorithm = DES, Authentication Algorithm = MD5, SA Lifetime in Seconds = 28800
• D

IPsec policy (Configuration Window: Add IPsec Policy—Step 1 of 4); Matching Setting on the Windows XP Client
Action: Apply
Position: Any position
Protocol: UDP
Local Address: TMS zl Module’s public IP address; matches the IP address set in step 12 on page 7-401
Local Port: 1701
Remote Address: Any
Remote Port: Any (empty)
Proposal: IPsec proposal that you created for the L2TP connection
IKEv1 Policy: I

L2TP user (Configuration Window: Add L2TP User—Step 2 of 2); Matching Setting on the Windows XP Client
Server IP Address: Any IP address in a private subnet not in use in your network
User IP Address: Any IP address that is:
• In the same subnet as the server IP address
• Not assigned to another dial-in user
Primary DNS Server: IP addresses of your network’s servers (to which TMS firewall access policies permit

Firewall access policies (Configuration Window: Add Policy); Matching Setting on the Windows XP Client
User Group None:
• Permit Self l2tp-udp Any Any
• Permit Self l2tp-udp Any Any
• Permit Self isakmp Any Any
• Permit Self isakmp Any Any
User Group None:
• Permit External
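The address constraints in the L2TP user table above (server IP in a private subnet not already in use, each user IP in the server's subnet and assigned to one dial-in user only), as an added check that is not part of this guide and not HP code. The prefix length of the L2TP subnet is an assumption (the guide does not state one), and every subnet, address and user name below is constructed.

```python
"""Check an L2TP dial-in address plan against the constraints in the L2TP user
table: the server IP must be in a private (RFC 1918) subnet that is not already
in use on the network, and every user IP must be inside the server's subnet and
assigned to only one dial-in user.  Added example, not HP code; the /24 prefix
is an assumption and all addresses are constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_l2tp_addresses(server_ip, prefix_len, user_ips, in_use_subnets):
    """Return a list of problems; an empty list means the plan satisfies the table."""
    problems = []
    server = ipaddress.ip_address(server_ip)
    if not any(server in net for net in RFC1918):
        problems.append(f"server IP {server} is not in a private subnet")
    # strict=False accepts the server's host address and derives its subnet from it.
    pool = ipaddress.ip_network(f"{server}/{prefix_len}", strict=False)
    for subnet in in_use_subnets:
        if pool.overlaps(ipaddress.ip_network(subnet)):
            problems.append(f"L2TP subnet {pool} overlaps in-use subnet {subnet}")
    assigned = {}
    for user, ip_text in user_ips.items():
        ip = ipaddress.ip_address(ip_text)
        if ip not in pool:
            problems.append(f"{user}: {ip} is not in the L2TP subnet {pool}")
        elif ip == server:
            problems.append(f"{user}: {ip} is the L2TP server IP")
        elif ip in assigned:
            problems.append(f"{user}: {ip} is already assigned to {assigned[ip]}")
        assigned.setdefault(ip, user)
    return problems


# Constructed plans: two LAN subnets already in use, a separate 10.200.0.0/24 for dial-in users,
# and a bad plan that lands inside the LAN range and hands the same address to two users.
IN_USE = ["10.1.0.0/16", "192.168.10.0/24"]
GOOD_PLAN = ("10.200.0.1", 24, {"alice": "10.200.0.10", "bob": "10.200.0.11"})
BAD_PLAN = ("10.1.5.1", 24, {"alice": "10.1.5.10", "bob": "10.1.5.10", "carol": "10.2.0.5"})

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        print(plan[0], validate_l2tp_addresses(*plan, IN_USE) or "ok")
```

Run it against the real list of in-use subnets before adding L2TP users; a pool that overlaps an internal subnet produces routing ambiguity on the module rather than an immediate error.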
Figure 7-354. Windows XP Registry Editor > HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters
4. Right-click the Parameters folder and click New > DWORD Value.
5. A new entry appears in the right panel. Name it ProhibitIpSec. Use the same spelling and capitalization as shown in Figure 7-355. Figure 7-355.
6. Right-click ProhibitIpSec and click Modify.
7. For Value, type 1. Figure 7-356. Windows XP—Edit DWORD Value Window
8. Close the registry editor and restart the computer.
9. Click Start > Run.
10. Type secpol.msc and click OK.
11. Click IP Security Policies on Local Computer in the left pane. Figure 7-357. Windows XP—Local Security Settings Window
12. Click Action > Create IP Security Policy.
Figure 7-358. Windows XP—IP Security Policy Wizard
13. In the IP Security Policy Wizard, click Next. Figure 7-359. Windows XP—IP Security Policy Wizard > IP Security Policy Name Page
14. For Name, type a meaningful name such as TMS Remote Access.
15. Click Next.
16. Clear the Activate the default response rule check box.
Figure 7-360. Windows XP—IP Security Policy Wizard > Requests for Secure Communication Page
17. Click Next. Figure 7-361. Windows XP—IP Security Policy Wizard > Completing the IP Security policy wizard Page
18. Leave the Edit properties check box selected and click Finish.
19. The Properties window is displayed. Clear the Use Add Wizard check box.
Figure 7-362. Windows XP— Properties Window
20. Click Add. Figure 7-363.
21. In the New Rule Properties window, click Add on the IP Filter Lists tab.
22. In the IP Filter List window, for Name, type a meaningful string such as TMS L2TP Traffic. Figure 7-364. Windows XP—IP Filter List Window
23. Clear the Use Add Wizard check box.
24. Click Add.
Figure 7-365. Windows XP—Filter Properties Window > Addressing Tab
25. In the Filter Properties window, the Addressing tab should be selected.
26. For Source address, select Any IP Address. Often, you want the TMS zl Module to use a single IPsec policy to negotiate connections to multiple remote clients. In this case, you would specify Any for the Remote Address in the IPsec policy traffic selector.
Figure 7-366. Windows XP—Filter Properties Window > Addressing Tab (Addresses Configured)
29. Select the Protocol tab.
30. For Select a protocol, select UDP.
31. In the Set the IP protocol port section, select From this port.
32. Type 1701 in the box below.
33. In the Set the IP protocol port section, select To this port.
34. Type 1701 in the box below.
Figure 7-367. Windows XP—Filter Properties Window > Protocol Tab
35. Click OK to close the Filter Properties window.
36. Click OK to close the IP Filter List window.
37. In the New Rule Properties window, select the IP filter list that you just created.
Figure 7-368. Windows XP—New Rule Properties Window (IP Filter Selected)
38. Click the Filter Action tab.
39. Clear the Use Add Wizard check box.
Figure 7-369. Windows XP—New Rule Properties Window > Filter Action Window
40. Click Add.
Figure 7-370. Windows XP—New Filter Action Properties Window
41. In the New Filter Action Properties window, click Add.
42. In the New Security Method window, select Custom.
Figure 7-371. Windows XP—New Security Method Window
43. Click Settings. Figure 7-372.
44. In the Custom Security Method Settings window, select settings that match the IPsec proposal and IPsec policy settings on the TMS zl Module:
a. Select the Data integrity and encryption (ESP) check box.
b. For Integrity algorithm, match the authentication algorithm in the module’s IPsec proposal.
c. For Encryption algorithm, match the encryption algorithm in the module’s IPsec proposal.
d.
Figure 7-373. Windows XP—Custom Security Method Settings Window (Match Module’s Default Settings)
45. Click OK to close the Custom Security Settings window.
46. Click OK to close the New Security Method window.
47. In the New Filter Action Properties window, click the General tab.
Figure 7-374. Windows XP—New Filter Action Properties Window > General Tab
48. For Name, type a meaningful string such as TMS IPsec Negotiation.
49. Click OK to close the New Filter Action Properties window.
50. In the New Rule Properties window, select the Filter Action that you just created.
Figure 7-375. Windows XP—New Rule Properties Window > Filter Action Tab (Action Selected)
51. Click the Authentication Methods tab.
Figure 7-376. New Rule Properties Window > Authentication Methods Tab
52. Click Edit.
Figure 7-377. Windows XP—Edit Authentication Method Properties Window
53. Select Use this string (preshared key). Then type the preshared key specified in the module’s IKE policy.
Figure 7-378. Windows XP—Edit Authentication Method Properties Window (Preshared key selected)
54. Click OK.
55. Click Close to close the New Rule Properties window.
56. In the Properties window, click the General tab.
Figure 7-379. Windows XP— Properties Window > General Tab
57. Click Advanced. Figure 7-380. Windows XP—Key Exchange Settings Window
58. If the TMS zl Module IPsec policy enables PFS, select the Master key perfect forward secrecy (PFS) check box. Then select the group that matches the DH group in the module’s IPsec policy.
59. In the minutes box under Authenticate and generate a new key after every, type a value that corresponds to the SA lifetime in the TMS zl Module’s IKE policy. Note that the setting on the Windows client is in minutes while the setting on the TMS zl Module is in seconds, so divide the number on the module by 60. For example, if you left the default setting on the module (28800 seconds), type 480 in the minutes box.
60.
Figure 7-382. Windows XP—IKE Security Algorithms Window
63. Configure settings to match the settings in the TMS zl Module’s IKE policy:
a. For Integrity algorithm, match the module’s IKE authentication algorithm setting.
b. For Encryption algorithm, match the module’s IKE encryption algorithm setting.
c. For Diffie-Hellman Group, match the module’s DH group setting.
Figure 7-383. Windows XP—Local Security Settings Window (Assign the Policy)
68. Open the Network Connections window.
69. Click New Connection Wizard.
70. The wizard is launched. Click Next.
71. Select Connect to the network at my workplace. Figure 7-384.
72. Click Next. Figure 7-385. Windows XP—New Connection Wizard > Network Connection Page
73. Select Virtual Private Network connection.
74. Click Next.
Figure 7-386. Windows XP—New Connection Wizard > Connection Name Page
75. For Company Name, type a meaningful name.
76. Click Next. Figure 7-387.
77. If the Public Network page is displayed, specify whether the VPN connection should use a dial-up connection. If the workstation’s Internet connection is through a dial-up connection, select that connection for Automatically dial this initial connection. Otherwise, select Do not dial the initial connection.
78.
Figure 7-389. Windows XP—New Connection Wizard
b. Click Next. Figure 7-390. Windows XP—New Connection Wizard
81. If prompted, select whether only the current user can make this connection or all users on this workstation. Click Next.
82. Click Next.
Figure 7-391. Windows XP—New Connection Wizard > Completing the New Connection Wizard Page
83. If you want, select the Add a shortcut to this connection to my desktop check box. Click Finish.
84. The Connect window should be displayed. Figure 7-392.
85. Click Properties to open the Properties window.
86. Click the Networking tab.
87. For Type of VPN, select L2TP IPSec VPN. Figure 7-393. Windows XP— Properties Window > Networking Tab
88. Select Internet Protocol (TCP/IP) in the This connection uses the following items box and click Properties.
89.
Figure 7-394. Windows XP— Properties Window > Security Tab
92. Click Settings next to Advanced (custom settings).
Figure 7-395. Windows XP—Advanced Security Settings
93. For Data encryption, ensure that Require encryption (disconnect if server declines) is selected.
94. Select Allow these protocols.
95. Clear the Microsoft CHAP Version 2 (MS-CHAP v2) check box. If it is not already selected, select the check box for the authentication protocol specified in the TMS zl Module L2TP dial-in user account.
99. For Password, type the password specified for this user either in the module L2TP user account or on the external RADIUS server.
100. Click Connect. After a minute or so, you should see a message that informs you that the connection was successful.
Table 7-39.
Parameter: Valid Settings (Configuration Window); Matching Setting on the Windows XP Client (Manual Method)

IPsec proposal (Configuration Window: Add IPsec Proposal)
Encapsulation Mode: Transport
Protocol: ESP; Custom Security Method Settings for the filter action (step 44 on page 7-427)
Encryption Algorithm: DES or 3DES; Encryption algorithm in Custom Security Method Settings for the filter action (step 44c on page 7-427)
Authentication Algorithm: MD5 or SHA-1

IPsec policy (Configuration Window: Add IPsec Policy—Step 1 of 4)
Action: Apply
Position: Any position
Protocol: UDP; Protocol in the IP filter (step 30 on page 7-421)
Local Address: TMS zl Module’s public IP address (matches the IP address set in step 78 on page 7-440); Destination address in the IP filter (step 27 on page 7-420)
Local Port: 1701; To this

L2TP User account (one user for each client if used)
User: Matches the username submitted by the remote client
Password: Matches the string submitted by the remote client
User Group: The group on the TMS zl Module that has been configured with access policies for the remote user
Authentication Protocol: • • • •
Server IP

L2TP RADIUS Authentication settings (if used) (Configuration Window: Network > Authentication > L2TP Users)
L2TP Server IP Address: Any IP address in a private subnet not in use in your network
Domain name: The domain to which your users belong (or global = no name); Domain Name setting; Domain name for user name in Add RADIUS server configured in
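The matching rules in Table 7-39, the seconds-to-minutes conversion in step 59, and the IPSecuritas PFS group labels and Options check boxes in steps 16 and 21 of the Macintosh procedure, as an added example that is not part of this guide and is not HP code: a Python script that translates a client's settings into the module's vocabulary and reports every parameter on which the two sides disagree. All dictionaries in it are constructed (the module side uses the Table 7-40 IPsec defaults and the first IKE combination listed for the Windows XP client), and the field names are the script's own, not an export format of either product.

```python
"""Compare a remote client's IKE/IPsec settings with the TMS zl Module's IKE
policy, IPsec proposal and IPsec policy, applying the conversions this chapter
calls out: IPSecuritas labels DH groups by modulus size ("1024 (2)"), and the
Windows Key Exchange Settings lifetime is in minutes while the module uses
seconds.  Added example, not HP code; all field names and values below are
constructed for illustration, not an export format of either product."""

# IPSecuritas Phase 2 "PFS Group" labels (step 16b) -> module DH group number.
IPSECURITAS_DH_GROUPS = {"768 (1)": 1, "1024 (2)": 2, "1536 (5)": 5}

# Options-tab check boxes that must all be set for certificate authentication (step 21).
IPSECURITAS_CERT_OPTIONS = ("Request Certificate", "Verify Certificate", "Send Certificate")


def windows_key_exchange_minutes(module_ike_lifetime_s):
    """Step 59: the Windows client takes the IKE SA lifetime in whole minutes."""
    if module_ike_lifetime_s <= 0 or module_ike_lifetime_s % 60:
        raise ValueError(f"{module_ike_lifetime_s} s is not a whole number of minutes; "
                         "adjust the module's IKE SA lifetime so the Windows client can match it")
    return module_ike_lifetime_s // 60


def normalize_ipsecuritas(s):
    """Map IPSecuritas Phase 2, ID and Options settings onto module parameter names."""
    out = {
        "sa_lifetime_s": s["phase2_lifetime_s"],                            # step 16a
        "pfs_group": IPSECURITAS_DH_GROUPS.get(s.get("phase2_pfs_group")),  # step 16b; None = no PFS
        "esp_encryption": s["phase2_encryption"],
        "esp_authentication": s["phase2_authentication"],
        "auth_method": s["auth_method"],                                    # step 17c
    }
    if s["auth_method"] == "certificate":
        out["cert_options_missing"] = [o for o in IPSECURITAS_CERT_OPTIONS
                                       if o not in s.get("options", ())]
    return out


def normalize_windows_manual(s):
    """Map a manually built Windows IP Security policy onto module parameter names."""
    return {
        "ts_protocol": s["filter_protocol"],                                # step 30
        "local_port": s["filter_to_port"],                                  # step 34
        "protocol": "ESP" if s["esp"] else "AH",                            # step 44a
        "esp_authentication": s["esp_integrity"],                           # step 44b
        "esp_encryption": s["esp_encryption"],                              # step 44c
        "pfs_group": s["pfs_group"] if s["master_key_pfs"] else None,       # step 58
        "ike_lifetime_s": s["key_exchange_minutes"] * 60,                   # step 59
        "ike_authentication": s["ike_integrity"],                           # step 63a
        "ike_encryption": s["ike_encryption"],                              # step 63b
        "ike_dh_group": s["ike_dh_group"],                                  # step 63c
        "auth_method": "psk" if s.get("preshared_key") else "certificate",  # step 53
    }


def mismatches(module, client):
    """One line per parameter on which the normalized client disagrees with the module."""
    problems = []
    for key, value in client.items():
        if key == "cert_options_missing":
            if value:
                problems.append("IPSecuritas Options tab: missing " + ", ".join(value))
        elif key in module and module[key] != value:
            problems.append(f"{key}: module={module[key]!r} client={value!r}")
    return problems


def check(module, client, kind):
    """kind is 'windows' (manual IP Security policy) or 'ipsecuritas'."""
    normalize = {"windows": normalize_windows_manual, "ipsecuritas": normalize_ipsecuritas}[kind]
    return mismatches(module, normalize(client))


# Constructed module side for the L2TP client: Table 7-40 IPsec defaults, the first
# IKE combination listed for Windows XP (DH 2, 3DES, MD5, 28800 s), preshared key.
MODULE_L2TP = {
    "ike_encryption": "3DES", "ike_authentication": "MD5", "ike_dh_group": 2,
    "ike_lifetime_s": 28800, "auth_method": "psk",
    "protocol": "ESP", "esp_encryption": "3DES", "esp_authentication": "MD5",
    "sa_lifetime_s": 28800, "pfs_group": None, "ts_protocol": "UDP", "local_port": 1701,
}
# Constructed module side for the Macintosh client-to-site VPN: PFS with DH group 2, certificates.
MODULE_C2S = dict(MODULE_L2TP, pfs_group=2, auth_method="certificate", ts_protocol="Any", local_port=None)

WINDOWS_OK = {
    "filter_protocol": "UDP", "filter_from_port": 1701, "filter_to_port": 1701,
    "esp": True, "esp_integrity": "MD5", "esp_encryption": "3DES",
    "master_key_pfs": False, "pfs_group": None,
    "key_exchange_minutes": windows_key_exchange_minutes(MODULE_L2TP["ike_lifetime_s"]),  # 480
    "ike_integrity": "MD5", "ike_encryption": "3DES", "ike_dh_group": 2,
    "preshared_key": "constructed-psk",
}
# The common mistake: the module's seconds value typed into the Windows minutes box.
WINDOWS_BAD = dict(WINDOWS_OK, key_exchange_minutes=28800)

IPSECURITAS_CLIENT = {
    "phase2_lifetime_s": 28800, "phase2_pfs_group": "1024 (2)",
    "phase2_encryption": "3DES", "phase2_authentication": "MD5",
    "auth_method": "certificate", "options": ("Request Certificate", "Verify Certificate"),
}

if __name__ == "__main__":
    print("windows ok :", check(MODULE_L2TP, WINDOWS_OK, "windows") or "compatible")
    print("windows bad:", check(MODULE_L2TP, WINDOWS_BAD, "windows"))
    print("ipsecuritas:", check(MODULE_C2S, IPSECURITAS_CLIENT, "ipsecuritas"))
```

The Windows filter's From this port is deliberately not compared: the module's Remote Port is Any (empty) in Table 7-37, so only the To this port value has to equal the module's Local Port of 1701. A lifetime the module expresses in seconds but that is not a multiple of 60 cannot be entered on the Windows side at all, which is why the conversion raises instead of rounding.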
Configure a Windows Vista Client for L2TP over IPsec
This section includes step-by-step instructions for configuring a Windows Vista client to establish an L2TP over IPsec connection to the TMS zl Module. On Windows Vista, you must configure IPsec policies manually.
Note: If you are using Windows 7, the process of configuring this VPN client is very similar to the process of configuring a Vista VPN client.
d. Click OK. Figure 7-397. Run Window
2. In the Run window, type regedit and click OK.
3. Navigate to HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters. Figure 7-398. Registry Editor — HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters
4. Click Edit > New > DWORD (32-bit) Value. Figure 7-399. Registry Editor — Edit > New > DWORD (32-bit) Value
5. A new entry appears in the right panel. Name it ProhibitIpSec. Use the same spelling and capitalization as shown in Figure 7-400. Figure 7-400. Registry Editor — Name REG_DWORD ProhibitIpSec
6. Right-click ProhibitIpSec and click Modify. Figure 7-401. Registry Editor — Modify ProhibitIpSec
7. In the Edit DWORD (32-bit) Value window, type 1 in the Value data box and click OK. Figure 7-402. Edit DWORD (32-bit) Value
8. Close the registry editor and restart the computer.
9. Click Start > Run.
10. Type secpol.msc and click OK.
11. Click IP Security Policies on Local Computer in the left pane. Figure 7-403. Windows Vista—Local Security Settings Window
12. Click Action > Create IP Security Policy. Figure 7-404. Windows Vista—IP Security Policy Wizard
13. In the IP Security Policy Wizard, click Next.
Figure 7-405. Windows Vista—IP Security Policy Wizard—IP Security Policy Name Page
14. For Name, type a meaningful name such as TMS Remote Access.
15. Click Next.
Figure 7-406. Windows Vista—IP Security Policy Wizard— Requests for Secure Communication Page
16. Make sure that the Activate the default response rule check box is not selected.
17. Click Next.
Figure 7-407. Windows Vista—IP Security Policy Wizard— Completing the IP Security policy wizard Page
18. Leave the Edit properties check box selected and click Finish.
19. The Properties window is displayed. Clear the Use Add Wizard check box.
Figure 7-408. Windows Vista— Properties Window
20. Click Add.
Figure 7-409. Windows Vista—New Rule Properties Window
21. In the New Rule Properties window, click Add in the IP Filter Lists section.
22. In the IP Filter List window, for Name, type a meaningful string such as TMS L2TP Traffic.
23. Clear the Use Add Wizard check box.
Figure 7-410. Windows Vista—IP Filter List Window
24. Click Add.
Figure 7-411. Windows Vista—Filter Properties Window > Addressing Tab
25. In the Filter Properties window, the Addressing tab should be selected.
26. For Source address, typically leave Any IP Address selected. Often, you want the TMS zl Module to use a single IPsec policy to negotiate connections to multiple remote clients. In this case, you would specify Any for the Remote Address in the IPsec policy traffic selector.
This IP address must be the Local Gateway IP Address in the IKE policy configured on the TMS zl Module. It must also be the Local Address in the module’s IPsec policy traffic selector. Often, it is the IP address on a VLAN in the External zone. Figure 7-412. Windows Vista—Filter Properties Window > Addressing Tab (Addresses Configured)
29. Click the Protocol tab.
30. For Select a protocol, select UDP.
31.
Figure 7-413. Windows Vista—Filter Properties Window > Protocol Tab
33. Click OK to close the Filter Properties window.
34. Click OK to close the IP Filter List window.
35. In the New Rule Properties window, select the IP filter list that you just created.
Figure 7-414. Windows Vista—New Rule Properties Window (IP Filter Selected)
36. Click the Filter Action tab.
Figure 7-415. Windows Vista—New Rule Properties Window > Filter Action Window
37. Clear the Use Add Wizard check box and click Add.
Figure 7-416. Windows Vista—New Filter Action Properties Window
38. In the New Filter Action Properties window, click Add.
Figure 7-417. Windows Vista—New Security Method Window
39. In the New Security Method window, select Custom.
40. Click Settings.
Figure 7-418. Windows Vista—Custom Security Method Settings Window
41. In the Custom Security Method Settings window, select settings that match the IPsec proposal and IPsec policy settings on the TMS zl Module:
a. Select the Data integrity and encryption (ESP) check box.
b. For Integrity algorithm, match the authentication algorithm in the module’s IPsec proposal.
c.
Table 7-40. Default TMS zl Module IPsec Settings
Parameter: Default Setting
Protocol: ESP
Encryption Algorithm: 3DES
Authentication Algorithm: MD5
SA Lifetime in Seconds: 28800
SA Lifetime in Kilobytes: 0 (None)
Figure 7-419. Windows Vista—Custom Security Method Settings Window (Match Module’s Default Settings)
42. Click OK to close the Custom Security Settings window.
Figure 7-420. Windows Vista—New Filter Action Properties Window > General Tab
45. For Name, type a meaningful string such as TMS IPsec Negotiation.
46. Click OK to close the New Filter Action Properties window.
47. In the New Rule Properties window, select the filter action that you just created.
Figure 7-421. Windows Vista—New Rule Properties Window > Filter Action Tab (Action Selected)
48. Click the Authentication Methods tab.
Figure 7-422. Windows Vista—New Rule Properties Window > Authentication Methods Tab
49. Click Edit.
Figure 7-423. Windows Vista—Edit Authentication Method Properties Window
50. Select Use this string (preshared key). Then type the preshared key specified in the module’s IKE policy.
Figure 7-424. Windows Vista—Edit Authentication Method Properties Window (Preshared Key Selected)
51. Click OK.
52. Click Close to close the New Rule Properties window.
Figure 7-425. Windows Vista— Properties Window > General Tab
53. In the Properties window, click the General tab.
54. Click Settings.
Figure 7-426. Windows Vista—Key Exchange Settings Window
55. If the TMS zl Module IPsec policy enables PFS, select the Master key perfect forward secrecy (PFS) check box. Then select the group that matches the DH group in the module’s IPsec policy.
56. In the minutes box under Authenticate and generate a new key after every, type a value that corresponds to the SA lifetime in the TMS zl Module’s IKE policy.
Figure 7-427. Windows Vista—Key Exchange Security Methods Window
58. To prevent the VPN client from sending unsupported parameters, remove the default security methods. Select each method and click Remove. (Click Yes to confirm the deletion.)
59. Click Add. Figure 7-428.
60. Configure settings to match the settings in the TMS zl Module’s IKE policy:
a. For Integrity algorithm, match the module’s IKE authentication algorithm setting.
b. For Encryption algorithm, match the module’s IKE encryption algorithm setting.
c. For Diffie-Hellman Group, match the module’s DH group setting.
Table 7-41 displays the default settings for a TMS zl Module IKE policy. Table 7-41.
Figure 7-430. Windows Vista—Control Panel

66. Double-click Network and Sharing Center.

Figure 7-431. Windows Vista—Control Panel > Network and Sharing Center

67. In the left navigation bar, click Set up a connection or network.
68. Select Connect to a workplace.

Figure 7-432. Windows Vista—Set up a connection or network > Choose a connection option Page

69. Click Next.

Figure 7-433. Windows Vista—Connect to a workplace > How do you want to connect Page

70. Click Use my Internet connection (VPN).
71. For Internet address, type the TMS zl Module’s public IP address. This IP address must be the Local Gateway IP Address in the IKE policy configured on the TMS zl Module. Often, it is the IP address on a VLAN in the External zone.
72. For Destination name, type a meaningful name for the connection.

Figure 7-434. Windows Vista—Connect to a workplace > Type the Internet address to connect to Page

74. Click Next.

Figure 7-435. Windows Vista—Connect to a workplace > Type your username and password Page

75. For User Name, type the username specified either in a TMS zl Module L2TP user account or on an external RADIUS server. If the TMS zl Module attaches a specific domain name to the external RADIUS server, make sure to include that domain name in the username (for example, user1@company.com).
76.

Figure 7-436. Windows Vista—Connect to a workplace > The connection is ready to use Page

79. Leave The connection is ready to use page open and return to the Network and Sharing Center window.

Figure 7-437. Windows Vista—Control Panel > Network and Sharing Center

80. In the left navigation bar, click Manage network connections.

Figure 7-438. Windows Vista—Network Connections Window

81. Double-click the connection that you just created.

Figure 7-439.

82. Click Properties.
83. Click the Security tab.
84. Select Advanced (custom settings).

Figure 7-440. Windows Vista— Properties Window > Security Tab

85. Click Settings.
86. Select Allow these protocols and clear the Microsoft CHAP Version 2 (MSCHAP v2) check box. Select the check box for the authentication protocol configured in the TMS zl Module’s dial-in user account.

Figure 7-441. Windows Vista—Advanced Security Settings

87. Click OK.
88. Click the Networking tab.
89. For Type of VPN, select L2TP IPSec VPN.

Figure 7-442. Windows Vista— Properties Window > Networking Tab

90. Select Internet Protocol Version 4 (TCP/IPv4) in the This connection uses the following items box and click Properties.
91. Ensure that Obtain an IP address automatically and Obtain DNS server address automatically are selected so that the TMS zl Module can assign these values while the client is visiting the private network. Click OK to exit.
92.
TMS zl Module Settings for a Windows Vista Client

Table 7-42 displays the settings that should be established on the TMS zl Module to support the L2TP over IPsec connection. The table also displays necessary firewall policies. Also note that VLANs and necessary routes should already be in place on the TMS zl Module.

Parameter | Valid Settings | Configuration Window | Matching Setting on the Windows Vista Client
Key Exchange Mode | Main Mode | Add IKE Policy—Step 2 of 3 |
Authentication Method | • Preshared Key • RSA Signature • DSA Signature | | Setting in the Edit Authentication Methods window (step 50 on page 7-475)
Preshared Key | Matches the string configured on the remote client | | String in the Edit Authentication Methods window (step 50 on page

Parameter | Valid Settings | Configuration Window | Matching Setting on the Windows Vista Client
Action | Apply | Add IPsec Policy—Step 1 of 4 |
Position | Any position | Add IPsec Policy—Step 1 of 4 |
Protocol | UDP | | Protocol in the IP filter (step 30 on page 7-464)
Local Address | TMS zl Module’s public IP address. Matches the IP address set in step 71 on page 7-484 | | Destination address in the IP filter (step 28 on page 7-463)
Local Port | 1701 | | To this port and From

Parameter | Valid Settings | Configuration Window | Matching Setting on the Windows Vista Client
L2TP User account (one user for each client if used)
User | Matches the username submitted by the remote client | Add L2TP User—Step 1 of 2 | User name configured in step 75 on page 7-486
Password | Match the string submitted by the remote client | |
User Group | The group on the TMS zl Module that has been configured with access policies for the

Parameter | Valid Settings | Configuration Window | Matching Setting on the Windows Vista Client
L2TP RADIUS Authentication settings (if used)
L2TP Server IP Address | Any IP address in a private subnet not in use in your network | Network > Authentication > L2TP Users |
Domain name | The domain to which your users belong (or global = no name) | | Domain Name setting in Add RADIUS server window
IP Pool | Range of IP addresses that are in th
Virtual Private Networks Configure a Shrew Soft VPN Client for Windows

Configure a Shrew Soft VPN Client for Windows

This section describes how to configure a Shrew Soft VPN Client for Windows to connect to the TMS zl Module. On the TMS zl Module, you must configure a client-to-site VPN as described in “Configure an IPsec Client-to-Site VPN” on page 7-27. See “TMS zl Module Settings for a Client-to-Site VPN with Shrew Soft VPN Clients” on page 7-511 for a table that shows all necessary settings.

Figure 7-444. Shrew Soft VPN Client for Windows > General Tab

4. Define the remote host, which is the TMS zl Module with which this client is establishing a tunnel. Under Host Name or IP Address, type the IP address specified as the local gateway in the module’s IKEv1 policy. All IKE and IPsec communications will be sent to and from this IP address.
5.

Figure 7-445. Shrew Soft VPN Client for Windows > General Tab

6. Click the Client tab. If a NAT device exists between your client and the TMS zl Module, ensure that enable is selected for NAT Traversal.
7. Click the Name Resolution tab.
8. Select the Enable DNS check box and the Enable WINS check box if your network provides that service.
9.

Figure 7-446. Shrew Soft VPN Client for Windows > Name Resolution Tab

10. Click the Authentication tab.
11. For Authentication Method, select the method in the TMS zl Module’s IKEv1 policy. Remember to select the XAUTH option of the setting if the TMS zl Module enables the XAUTH server in that policy.

Table 7-43.

b. For Identification Type, select the same type that is selected for Remote ID Type in the module’s IKEv1 policy.
c. In the field below, type a string that matches the Remote ID Value in the module’s IKEv1 policy.

b. For Identification Type, select the Local ID Type specified in the TMS zl Module’s IKEv1 policy.
c. In the field below, type a string that matches the Local ID Value in the module’s IKEv1 policy. If you selected IP Address for the type, you can select the Use a discovered remote host address check box.

Figure 7-448. Shrew Soft VPN Client for Windows > Authentication Tab > Remote Identity Subtab

14.

Figure 7-449. Shrew Soft VPN Client for Windows > Authentication Tab > Credentials Subtab

15. Click the Phase 1 tab. The table indicates which parameter in the TMS zl Module’s IKEv1 policy corresponds to each parameter in the client’s policy. The settings for each corresponding parameter must match. Leave Key Life Data limit at 0.

Table 7-44.

Figure 7-450. Shrew Soft VPN Client for Windows > Phase 1 Tab

Note Even when there is an auto option for a value, it is recommended that you select the parameter manually to match the TMS zl Module’s parameter. This practice helps to avoid negotiation problems.

16. Click the Phase 2 tab. The table indicates which parameter in the TMS zl Module’s IPsec proposal and IPsec policy corresponds to each parameter in the client’s policy.

Table 7-45.

Figure 7-452. Shrew Soft VPN Client for Windows > Policy Tab

19. Click Save. Your connection is displayed in the Access Manager.
20. To start the tunnel, click your connection and click the Connect button on the Shrew Soft VPN Access Manager main window.

Figure 7-453. Shrew Soft VPN Client for Windows > Connect Tab

21. In the window that is displayed, click Connect.
22. If the connection is successful, the last message that you will see is tunnel enabled.

Figure 7-454. Shrew Soft VPN Client for Windows > Connect Tab

23. It is possible that the connection has failed at the final step (bringing up the IPsec tunnel). Click the Network tab to confirm success.

Figure 7-455. Shrew Soft VPN Client for Windows > Network Tab

24. You should see that the security association is established, and the tunnel status is connected.

Note If the connection fails, you can troubleshoot from the TMS zl Module. See Chapter 10: “Troubleshooting” for detailed guidelines.

Figure 7-456. Windows Command Prompt

You should see the adaptor for your physical connection and its IP address. If you are using a virtual adaptor, you should also see a new adaptor. This interface has the IP address assigned to it either manually or by the TMS zl Module using IRAS.

Note You will not see a default gateway for the virtual adaptor. Do not worry. The client has a virtual point-to-point connection to the TMS zl Module.

Table 7-46.

Parameter | Valid Settings
Proposal | IPsec proposal that you created for the IPsec connection
IKEv1 Policy | IKE policy that you created for the IPsec connection
Enable PFS (Perfect Forward Secrecy) for keys | Matches the setting configured in step 16 on page 7-505
SA Lifetime in Seconds | Matches the settings configured in step 16 on page 7-505
SA Lifetime in Kilobytes | Matches the settings configured in step 16 on page 7-505
Enable I
8 High Availability

Contents
Overview 2
Active-Standby Mode 2
Failover 3
Failover Process 4
Configuration and Boot Order for HA Members 4
Linking Inter-Chassis Clusters 5
Synchronization and Failover 6
IDS/IPS and HA 7
Configuring High Availability 8
Managing the HA Cluster 11
Verify Synchronization Between the Master and the Participant 13
View Connections on the Master 13
View Connections on the Participant 14
Comparing Master and Participant Connections 15
Disabling a Cluster 17
Remove Cluster Participan
High Availability Overview

Overview

High availability (HA) is a strategy for minimizing network downtime so that users can access the network with minimal interruption in the event that a network device fails. The best approach for providing HA for the Threat Management Services (TMS) zl Module is to implement an HA cluster—a group of modules that can take over the workload of another module if it fails.

Note HA clusters are supported only when TMS zl Modules are operating in routing mode.

Figure 8-1 shows the logical relationship between modules in active-standby mode.

Figure 8-1. Active-Standby Mode

In active-standby mode, the master handles all network traffic, so the participant does not have any IP addresses on the TMS VLANs; therefore, you cannot access the Web browser interface for the participant. Any configuration changes must be made to the master and then synchronized to the participant.

Failover Process

The failover process for each HA mode is detailed below:
1. The master fails.
2. The participant becomes the master, and a gratuitous ARP (Address Resolution Protocol) message is broadcast to the end nodes and routers to update their ARP tables to associate the cluster’s IP addresses with the new master’s MAC addresses. If the original participant (now the master) reboots while the original master is still offline, you will not lose your configuration.

Caution Be careful to configure and reboot cluster members in the appropriate order. You must configure HA on the intended master first and reboot it, so that it is the first member of the cluster. If the intended master is not configured and rebooted first, the intended participant will become the actual master, and you will lose the master’s configuration settings.

If there is only one link between the host switches of an inter-chassis cluster, and that link fails, the cluster participant cannot receive the “heartbeat” messages from the master. The participant therefore assumes that the master has gone offline, so it assumes the role of master and begins to transmit gratuitous ARP messages over the network to associate the cluster’s IP addresses with the participant’s MAC addresses.
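The two situations above (a real master failure and a lost heartbeat link) look identical from the participant's side, which is why a single inter-chassis link is a risk. The following simulation is an added illustration, not code from the guide or from HP; the module names, the dead interval and the per-second event model are assumptions made for the example, and the real module's heartbeat timers are not taken from the guide.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed for this illustration only: seconds of heartbeat silence after which
# the participant decides the master is gone.
DEAD_INTERVAL = 3.0


@dataclass
class ClusterMember:
    name: str
    role: str                                   # "master", "participant" or "failed"
    last_heartbeat: float = 0.0
    gratuitous_arps: List[Tuple[float, str]] = field(default_factory=list)

    def participant_tick(self, now: float, heartbeat_received: bool) -> None:
        """Participant logic: a heartbeat refreshes the timer; silence longer than
        DEAD_INTERVAL is read as 'the master is gone', whether or not that is true."""
        if self.role != "participant":
            return
        if heartbeat_received:
            self.last_heartbeat = now
        elif now - self.last_heartbeat > DEAD_INTERVAL:
            self.role = "master"
            # The promoted module claims the cluster IPs for its own MAC addresses.
            self.gratuitous_arps.append((now, f"cluster IPs -> {self.name} MAC"))


def run_cluster(events: List[Tuple[float, bool, bool]]) -> Tuple[str, str, int]:
    """events: (time, master_alive, heartbeat_link_up), one entry per second.
    Returns the final role of each module and how many gratuitous ARP bursts
    the participant sent. Module names are hypothetical."""
    master = ClusterMember("module-C", "master")
    participant = ClusterMember("module-D", "participant")
    for now, master_alive, link_up in events:
        if not master_alive:
            master.role = "failed"
        # Heartbeats only arrive when the master is up AND the link carries them.
        participant.participant_tick(now, heartbeat_received=master_alive and link_up)
    return master.role, participant.role, len(participant.gratuitous_arps)


def master_failure() -> Tuple[str, str, int]:
    """Master dies at t=2: the participant promotes itself, as intended."""
    return run_cluster([(t, t < 2, True) for t in range(9)])


def single_link_failure() -> Tuple[str, str, int]:
    """Only the heartbeat link between the host switches fails at t=2 while the
    master keeps running: the participant promotes itself anyway, so two modules
    now answer for the cluster IPs on the network."""
    return run_cluster([(t, True, t < 2) for t in range(9)])


if __name__ == "__main__":
    print("master failure     :", master_failure())
    print("single link failure:", single_link_failure())
```

The second scenario ends with both modules in the master role and the participant's gratuitous ARP redirecting the cluster IPs, which is exactly the condition a second inter-chassis link is meant to prevent.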
Table 8-1.
High Availability Configuring High Availability

Configuring High Availability

Before you configure HA, review this summary of HA behavior and functionality:
■ Only one HA cluster (two modules) is supported in a single switch chassis.
■ You cannot install HA cluster members that are members of different clusters in the same switch chassis.
■ All cluster members must be running the same software version.

Note HP recommends that you change the HA VLAN to a dedicated VLAN that does not carry general data traffic, even if you are not implementing HA. If you do not change the HA VLAN, general broadcast traffic will be received by the module on VLAN 1 and then dropped by the firewall. If firewall logging is set at Minor or below, you will see the following log message: “FW: packet appeared with invalid interface name. Packet dropped.”

Figure 8-2. System > Settings > High Availability Window

3. Select a Cluster Scheme. If you do not plan to configure HA at this time, you should select None and configure the next section.
4. Under HA IP Configuration, for VLAN ID, type the ID number of the VLAN that will manage HA traffic.

6. Under Cluster Information, assign the device to a cluster by selecting a Cluster ID from the list. Both members must have the same cluster ID, and each cluster must use a unique ID number.
7. For Multicast IP, accept the default multicast IP address (224.0.0.18 for the HA data protocol) or, if you are already using this address on your network for VRRP, type a new multicast IP address. Both members must have the same multicast IP address.
8.

Figure 8-3. System > Settings > High Availability on the Cluster Master

Whenever you make configuration changes to the master, you should synchronize those changes to the participant.

Verify Synchronization Between the Master and the Participant

After you have finalized your HA configuration and synchronized the cluster, you can verify the synchronization and ensure that the participant is prepared to act as the master in case the master fails. You can do this by comparing the connections on the master and on the participant; connections that will fail over from the master to the participant can be seen from the participant’s CLI.

3. View the total number of connections originating from each zone:
Syntax: show zones
Displays the total number of connections originating from each zone, as well as the maximum number of connections permitted to originate from each zone. Note that the connection totals include both active connections and passive connections made by the Application Level Gateways (ALGs) that are enabled on the TMS zl Module. (By default, only the FTP ALG is enabled.)

Some connections are not synchronized with the participant and will not be listed. For your reference, Table 8-2 lists the connections that will be synchronized and will be reflected in the output of the show zones command.

Table 8-2.

    ZONE1             1            21428
    ZONE2             0            21428
    ZONE3             0            21428
    ZONE4             0            21428
    ZONE5             0            21428
    ZONE6             0            21428
    ----------------- ------------ ------
    Total             1            599996
    hostswitch(tms-module-C:config)# exit
    hostswitch(tms-module-C)# exit
    hostswitch# services d name tms-module
    hostswitch(tms-module-D)# configure terminal
    hostswitch(tms-module-D:config)# show zones
    Zone              Connections  Limit
    ----------------- ------------ ------
    SELF              0            21428
    EXTERNAL          0            150000
    INTERNAL          0
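Comparing the two show zones listings by eye works for a handful of zones; the script below does the same comparison mechanically. It is an added example, not part of the guide or the module's software: the two captured outputs are constructed samples in the column layout of the excerpt above (zone names, counts and limits are invented), and the parser assumes that layout.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample outputs in the layout of the show zones excerpt above.
MASTER_SHOW_ZONES = """\
Zone              Connections  Limit
----------------- ------------ ------
SELF              0            21428
EXTERNAL          3            150000
INTERNAL          2            150000
ZONE1             1            21428
ZONE2             0            21428
----------------- ------------ ------
Total             6            364284
"""

PARTICIPANT_SHOW_ZONES = """\
Zone              Connections  Limit
----------------- ------------ ------
SELF              0            21428
EXTERNAL          3            150000
INTERNAL          2            150000
ZONE1             0            21428
ZONE2             0            21428
----------------- ------------ ------
Total             5            364284
"""

# A data row is: name, whitespace, integer, whitespace, integer.
ZONE_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_show_zones(output: str) -> Tuple[Dict[str, Tuple[int, int]], Optional[int]]:
    """Return ({zone: (connections, limit)}, total_connections).
    The header line and the dashed separators never match ZONE_ROW and are skipped."""
    zones: Dict[str, Tuple[int, int]] = {}
    total: Optional[int] = None
    for line in output.splitlines():
        match = ZONE_ROW.match(line.strip())
        if not match:
            continue
        name, connections, limit = match.group(1), int(match.group(2)), int(match.group(3))
        if name == "Total":
            total = connections
        else:
            zones[name] = (connections, limit)
    return zones, total


def compare_zone_connections(master_output: str,
                             participant_output: str) -> Dict[str, Tuple[int, int]]:
    """Zones whose connection counts differ, as {zone: (master_count, participant_count)}.
    An empty result means the participant mirrors the master; a non-empty one is where
    to start looking, keeping in mind that some connection types are never
    synchronized (Table 8-2), so a difference is not automatically a fault."""
    master_zones, _ = parse_show_zones(master_output)
    participant_zones, _ = parse_show_zones(participant_output)
    differences: Dict[str, Tuple[int, int]] = {}
    for zone in sorted(set(master_zones) | set(participant_zones)):
        m = master_zones.get(zone, (0, 0))[0]
        p = participant_zones.get(zone, (0, 0))[0]
        if m != p:
            differences[zone] = (m, p)
    return differences


if __name__ == "__main__":
    print(compare_zone_connections(MASTER_SHOW_ZONES, PARTICIPANT_SHOW_ZONES))
```

Paste each module's real show zones output into the two strings (or read them from files) to run the comparison against a live cluster.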
Disabling a Cluster

When disabling an HA cluster, you must complete the following tasks in the order listed:
■ Remove the cluster participant (See “Remove Cluster Participant” on page 8-17.)
■ Remove the cluster master (See “Remove Cluster Master” on page 8-19.)

Remove Cluster Participant

When disabling the cluster, you should always remove the participant from the cluster first.

4. Enter the participant’s global configuration.
Syntax: configure terminal
Enters the configuration context for the module.
    hostswitch(tms-module-E)# configure terminal
5. Disable high availability and delete HA settings. It is important to include the delete-cluster-data option to ensure that the participant does not retain the cluster IP settings.

Remove Cluster Master

After you have removed the participant from the cluster, you must disable HA on the master. When removing the master from the cluster, you can choose to have the master retain the cluster’s IP settings, or you can clear the cluster IP addresses from the module. If you clear the cluster IP settings, you must reconfigure IP addresses on the master’s TMS VLANs. To retain the cluster IP addresses on the master, use the Web browser interface.

2. Access the master’s Product OS context:
Syntax: services < | name >
Moves you to an OS context on the module. Replace with the letter for the chassis slot in which the module is installed. Replace with the product index assigned to the TMS zl Module. See “Understanding Index Numbers” on page 2-18 of Chapter 2: “Initial Setup in Routing Mode.” Replace with tms-module.

For example:
    hostswitch(services-module-C:PR)# boot
    Device will be rebooted, do you want to continue [y/n]? y
    Do you want to save the current configuration [y/n]? y
    Saving running config...
    Performing user initiated reboot.
6. When the module has rebooted, access the module again and verify that the HA settings have been removed:
Syntax: show high-availability
Displays the module’s high availability settings.
7.

High Availability Updating Cluster Software

Updating Cluster Software

Caution This operation will cause you to lose network connectivity for 15–30 minutes; therefore, you should plan these software updates for a low network-utilization time.

The instructions below tell you how to update the software on an HA cluster using primarily the Web browser interface. However, some of the steps require that you use the CLI.
1. On the cluster master, select System > Maintenance.
2. Click the Back Up/Restore tab.
3. Click Back Up. A window is displayed that prompts you to save the file to your workstation.
4. Select Save File and click OK.

3. Enter the participant’s global configuration.
Syntax: configure terminal
Enters the configuration context for the module.
    hostswitch(tms-module-E)# configure terminal
4. Disable high-availability on the participant.
Syntax: no high-availability delete-cluster-data
Disables high-availability on the module.
    hostswitch(tms-module-E:config)# no high-availability delete-cluster-data
    Success: The HA/Cluster has been deleted successfully.

3. Click the Reboot tab.
4. Click Reboot.
5. Click Save & reboot in the prompt.
6. Click No in the prompt that asks if you want to synchronize with the other cluster members.

Update the Participant’s Software

In this section, you will update the software on the participant. Perform these steps on the participant. Because this module was the cluster participant, it does not have any IP addresses.

2. Enter the global configuration context for the module:
Syntax: configure terminal
Enters the configuration context for the module.
    hostswitch(tms-module-C)# configure terminal
3. Configure an IP address for the TMS zl Module’s virtual interface on a VLAN in the management-access zone:
Syntax: vlan ip address
Configures a static IP address for VLAN.

4. For VLAN ID, type the cluster’s VLAN ID. This must be the same HA VLAN ID that is configured on the master.
5. For IP Address, type the module’s IP address on the HA VLAN. This address should be unique to this module.
6. For Subnet Mask, type the module’s subnet mask. This mask must match the master’s mask.
7. For Cluster ID, select the module’s cluster ID. This must be the same as the master’s cluster ID.
8.
9 Routing

Contents
Routing Overview 9-3
Static Routing 9-4
Floating Static Routes 9-5
Configuring Static Routes 9-6
Configuring a Default Gateway
OSPF 9-27
OSPF Overview 9-27
LSAs 9-28
Areas 9-29
Stub Areas and Stub Routers
Routing Routing Overview

Routing Overview

This chapter provides instructions for the module’s routing configuration.

Static Routing

If the module learns about more than 10,000 total routes as a result of either RIP or OSPF, routes after the 10,000th route will not be added to the routing table. The excess routes will be “floating” routes, which means that they exist but are not in the routing table. However, both routes in the routing table and floating routes are shown in the Web browser interface and the CLI. See “Viewing Unicast Routes” on page 9-53.

Floating Static Routes

As mentioned, a floating route is a route that the module knows but that does not currently exist in the module’s active routing table. Floating routes can be created when the module learns too many routes. You can also create floating routes deliberately. A floating static route is generally used in conjunction with redundant GRE tunnels. In this use model, two GRE tunnels offer a connection to the same remote network.

Configuring Static Routes

To configure static routes, you must configure the following parameters:
■ Destination Type
The TMS zl Module allows three destination types:
• Network—select this option if the destination is a subnet.
• Host—select this option if the destination is a specific device.
• Default Gateway—select this option when creating a default route. See “Configuring a Default Gateway” on page 9-9.

■ For network routes, you should typically make the destination address as general as possible while the gateway address is still valid for all matching packets. For example, instead of configuring separate routes to network 10.1.3.0/24 and network 10.1.2.0/24 on the TMS zl Module shown in Figure 9-1, you could enter a route to the entire 10.1.0.0/16 network through Router A. Router A knows more specific routes and forwards the traffic toward the correct destination.

When you use static routing to the exclusion of other routing protocols, the router will not share its routing table with other routers. This means that the hosts serviced by this router will only be able to reach a destination if you add an entry for that destination. To add a static route to your network, complete the following steps:
1. Access the Network > Routing > Static Routes window.
2. Click Add Static Route. The Add Static Route window is displayed.

Figure 9-3.

Configuring a Default Gateway

A default gateway is a special static route that applies to all traffic. Typically, when the router receives a packet that it does not know how to forward, it drops it. A default gateway allows the router to forward all such packets toward the destination most likely to be able to route them. Chapter 2: “Initial Setup in Routing Mode” gives guidelines on selecting the default gateway and adding the VLAN on which that gateway resides to a zone.
Routing Dynamic Routing

Note The TMS zl Module can know multiple default routes. The default route with the lowest administrative distance (or, in the case of a tie, the lowest administrative distance and the lowest metric) takes precedence. For example, the module might learn a default route from a routing protocol, and you might create a static default route as well. The route with the lower administrative distance is used. You can also create multiple static default routes.

How Routing Protocols Work

The module constructs its routing table using the information it receives from other modules and routers. The module changes its routing table in response to routing updates that provide additional information or notification that conditions in the network have changed (for example, a link has failed). This responsiveness explains why using a routing protocol is often called dynamic routing.

■ When routers send and receive updates and hellos—To lower overhead and conserve bandwidth, you can alter how often routers send certain messages. You can fine-tune the routing protocol to best fit your router’s role in your network topology. Some protocols provide more flexibility in implementation than others. In general, OSPF provides more options for customizing advertisements for your particular network environment.

Option | RIP | OSPF
The intervals when routers send and receive updates: • Routers send updates every 30 seconds. • Routers send updates immediately after a change in network topology (triggered updates).

The administrative distance for a protocol indicates how reliable the router considers routes discovered by that protocol to be. The lower the administrative distance, the more trusted the route. Table 9-4 shows the default administrative distance for the various types of routes that the TMS zl Module can learn.

Table 9-4.
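The selection rule stated in the Note above (lowest administrative distance, then lowest metric), the longest-prefix matching that makes the summary route in the static-routing section work, and the floating static route used with redundant GRE tunnels all fall out of one small model of a routing table. The code below is an added example, not the module's routing implementation: the administrative distance values, the next-hop labels ("router-a", "gre-tunnel-1", "isp-gateway" and so on) and the addresses are assumptions chosen for illustration, and Table 9-4 in the guide is the authority for the module's real defaults.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Assumed administrative distances for this example only (not the guide's Table 9-4).
DEFAULT_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: str          # hypothetical gateway or tunnel label
    source: str            # "connected", "static", "ospf" or "rip"
    metric: int = 0
    distance: int = 0
    active: bool = True    # False once the route has been withdrawn


class RoutingTable:
    """Every route the router knows; only one route per prefix is installed."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: str, source: str,
            metric: int = 0, distance: Optional[int] = None) -> Route:
        if distance is None:
            distance = DEFAULT_DISTANCE[source]
        route = Route(ip_network(prefix), next_hop, source, metric, distance)
        self.routes.append(route)
        return route

    def withdraw(self, prefix: str, next_hop: str) -> None:
        """Mark a route as gone, e.g. because its GRE tunnel went down."""
        for route in self.routes:
            if route.prefix == ip_network(prefix) and route.next_hop == next_hop:
                route.active = False

    def installed(self) -> Dict[IPv4Network, Route]:
        """Per prefix, the route that enters the active table: lowest administrative
        distance wins; on a tie, the lowest metric wins."""
        best: Dict[IPv4Network, Route] = {}
        for route in self.routes:
            if not route.active:
                continue
            current = best.get(route.prefix)
            if current is None or (route.distance, route.metric) < (current.distance, current.metric):
                best[route.prefix] = route
        return best

    def floating(self) -> List[Route]:
        """Known but not installed: the guide's floating routes."""
        active_table = self.installed()
        return [r for r in self.routes if r.active and active_table.get(r.prefix) is not r]

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest-prefix match over installed routes; 0.0.0.0/0 is the default gateway."""
        addr = ip_address(destination)
        matches = [r for r in self.installed().values() if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)


def redundant_gre_example() -> dict:
    """Two GRE tunnels reach the same remote network. The backup static route carries a
    higher administrative distance, so it floats until the primary route is withdrawn."""
    table = RoutingTable()
    table.add("10.1.0.0/16", "router-a", "static")                      # summary instead of two /24s
    table.add("192.168.50.0/24", "gre-tunnel-1", "static")              # primary tunnel, distance 1
    table.add("192.168.50.0/24", "gre-tunnel-2", "static", distance=5)  # floating backup
    table.add("0.0.0.0/0", "isp-gateway", "static")                     # static default route
    table.add("0.0.0.0/0", "ospf-learned-gw", "ospf")                   # learned default, loses on distance

    result = {
        "floating_before": sorted(r.next_hop for r in table.floating()),
        "remote_before": table.lookup("192.168.50.7").next_hop,
        "subnet_via": table.lookup("10.1.3.9").next_hop,
        "default_via": table.lookup("203.0.113.5").next_hop,
    }
    table.withdraw("192.168.50.0/24", "gre-tunnel-1")                   # primary tunnel fails
    result["remote_after"] = table.lookup("192.168.50.7").next_hop
    result["floating_after"] = sorted(r.next_hop for r in table.floating())
    return result


if __name__ == "__main__":
    for key, value in redundant_gre_example().items():
        print(f"{key}: {value}")
```

Before the primary tunnel is withdrawn, both the backup GRE route and the OSPF-learned default are floating; after the withdrawal the backup route is installed and traffic to the remote network moves to the second tunnel without any configuration change.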
Routing RIP RIP RIP is a well-known and commonly used distance-vector routing protocol. RIP is simple to configure but can be slow to converge. Because route selection relies purely on hop count, RIP may not always generate the best routes. For example, WANs usually include links of varying bandwidth, so the lowest hop count is not always the fastest or best route. RIP Overview Read this section if you are interested in learning more about how RIP functions on the TMS zl Module.
Routing RIP ■ A different neighbor advertises a route with a lower metric. The module changes the route to list this neighbor as the next-hop address and enters the new metric. ■ The module does not receive information about the route for the entire length of the invalid interval. The module marks the route for deletion. RIP Updates, v1 and v2 RIP update packets contain different information, depending on whether the RIP version is 1 or 2.
Routing RIP When the module discovers a new or better route to a destination from a RIPv2 packet, it enters the route with the next-hop IP address specified in the packet. If the next-hop IP address field is all zeros, the module assumes that the source of the packet is the next-hop IP address. (This assumption provides some backward compatibility with RIPv1.) RIPv1 interfaces broadcast their routing updates to the entire subnet. RIPv2 routers join the group for the RIPv2 multicast address (224.0.0.
Routing RIP Authentication with MD5 is more secure than simple password authentication. Attackers who capture a valid RIP packet can read a simple password directly from it and then use it to inject their own updates. With MD5 authentication each packet carries a message digest computed over the packet contents and the shared secret key; the digest differs for every packet, and an attacker who does not hold the key cannot produce a valid one (the key itself is never transmitted). MD5 authentication protects against forged and modified updates, not against an attacker reading the routes an update contains, and the key must be protected on every router that holds it. Simple password authentication is most useful for ensuring routers do not send messages into networks in the wrong area. Just configure a different simple password for each interface.
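The two authentication modes above, shown on the wire, as an added example that is not code from the manual or from the module. It builds RIPv2 response packets with the simple-password entry (authentication type 2) and with the keyed-MD5 entry and trailer laid out as RFC 2082 specifies (type 3; the 16-byte key, zero padded, occupies the digest position while MD5 is computed over the whole packet), then shows the receiver-side check that the OSPF section later in this chapter also relies on: recompute the digest with the shared key and compare it, rather than "decrypting" anything. The route, key and sequence-number policy (reject anything not newer than the last accepted packet from that neighbor) are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF            # address-family value that marks an authentication entry
AUTH_SIMPLE, AUTH_MD5 = 2, 3
AUTH_TRAILER = 1             # type value of the trailing digest entry (RFC 2082)
DIGEST_LEN = 16


def rte(prefix, nexthop="0.0.0.0", metric=1, tag=0):
    """One 20-byte RIPv2 route entry."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(nexthop).packed, metric)


def header():
    return struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)


def build_simple(password, rtes):
    """RIPv2 response with simple-password authentication: the password travels in clear text."""
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode().ljust(16, b"\0"))
    return header() + auth + b"".join(rtes)


def read_simple_password(packet):
    """What anyone sniffing the subnet sees: the password, straight from the bytes."""
    afi, atype = struct.unpack("!HH", packet[4:8])
    if afi == AFI_AUTH and atype == AUTH_SIMPLE:
        return packet[8:24].rstrip(b"\0").decode()
    return None


def _digest(body, key):
    # Keyed MD5 as in RFC 2082: the zero-padded 16-byte key sits where the digest
    # will go and MD5 runs over the whole packet including it. The key never leaves the router.
    return hashlib.md5(body + key.ljust(DIGEST_LEN, b"\0")[:DIGEST_LEN]).digest()


def build_md5(key, key_id, seq, rtes):
    """RIPv2 response with keyed-MD5 authentication (type 3) and the digest trailer."""
    body_len = 4 + 20 + 20 * len(rtes)          # offset of the trailer
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, body_len, key_id, DIGEST_LEN, seq, b"\0" * 8)
    body = header() + auth + b"".join(rtes) + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    return body + _digest(body, key)


def verify_md5(packet, keys, last_seq=-1):
    """Receiver-side check: recompute the digest with the shared key and compare in
    constant time. `keys` maps key ID -> key bytes; `last_seq` is the highest sequence
    number already accepted from this neighbor (replay policy assumed for the example).
    Returns (accepted, sequence_number)."""
    if len(packet) < 4 + 20 + 4 + DIGEST_LEN:
        return False, None
    afi, atype, body_len, key_id, dlen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5 or dlen != DIGEST_LEN:
        return False, None
    if body_len + 4 + DIGEST_LEN != len(packet):
        return False, None
    if struct.unpack("!HH", packet[body_len:body_len + 4]) != (AFI_AUTH, AUTH_TRAILER):
        return False, None
    key = keys.get(key_id)
    if key is None:
        return False, None
    expected = _digest(packet[:body_len + 4], key)
    if not hmac.compare_digest(packet[body_len + 4:], expected):
        return False, seq            # modified in transit, or signed with a different key
    if seq <= last_seq:
        return False, seq            # an old captured packet replayed at us
    return True, seq


if __name__ == "__main__":
    routes = [rte("10.1.3.0/24", metric=1)]
    print("simple password on the wire:", read_simple_password(build_simple("s3cret", routes)))
    keys = {1: b"tms-rip-key"}        # constructed key for the example
    pkt = build_md5(keys[1], 1, 100, routes)
    print("genuine packet accepted:", verify_md5(pkt, keys, last_seq=99))
    print("same packet replayed:  ", verify_md5(pkt, keys, last_seq=100))
```

The tampering check is the one that matters operationally: flipping a single byte of a route entry (for example the metric) invalidates the digest, whereas the simple-password packet would still be accepted with any route an attacker cares to write into it.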
Routing RIP Poison Reverse The TMS zl Module supports poison reverse, in which, when the module receives a route to a network from a neighbor, it advertises a poison route (metric 16) to that network back to the neighbor. This feature is intended to prevent convergence problems by ensuring that routers do not advertise routes back to the routers from which they received them. Poison reverse is enabled by default, but you can disable it if you choose.
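The update-processing rules listed under "RIP Overview" above (a different neighbor with a lower metric replaces the next hop; a route that is silent for the whole invalid interval is marked for deletion) together with poison reverse, as an added simulation that is not code from the manual or from the module. The interfaces, neighbors and advertised prefixes are constructed, loosely following the Module B layout in the RIP setup example; the 180-second invalid interval is RIP's conventional default and is assumed here, not taken from the module's configuration.

```python
INFINITY = 16            # RIP "unreachable" metric
INVALID_INTERVAL = 180   # seconds without an update before a route is marked for deletion (assumed)


class RipTable:
    """Minimal RIP route table: connected routes plus routes learned from neighbors."""

    def __init__(self, connected):
        # connected: {prefix: interface}. Connected routes carry metric 1 here,
        # matching the routing tables in the RIP setup example.
        self.routes = {
            prefix: {"nexthop": None, "metric": 1, "iface": iface, "age": 0}
            for prefix, iface in connected.items()
        }

    def process_update(self, neighbor, iface, advertised):
        """Apply an update received from `neighbor` on `iface`.
        `advertised` maps prefix -> metric exactly as the neighbor sent it."""
        for prefix, metric in advertised.items():
            new_metric = min(metric + 1, INFINITY)          # one more hop to reach it from here
            cur = self.routes.get(prefix)
            if cur is None:
                if new_metric < INFINITY:
                    self.routes[prefix] = {"nexthop": neighbor, "metric": new_metric,
                                           "iface": iface, "age": 0}
            elif cur["nexthop"] == neighbor:
                # The current next hop reports a change (better, worse or poisoned):
                # believe it and restart the aging timer.
                cur["metric"] = new_metric
                cur["age"] = 0
            elif new_metric < cur["metric"]:
                # A different neighbor advertises a lower metric: switch to it.
                cur.update(nexthop=neighbor, metric=new_metric, iface=iface, age=0)

    def tick(self, seconds):
        """Age learned routes; one silent for the invalid interval is marked unreachable."""
        for r in self.routes.values():
            if r["nexthop"] is None:
                continue
            r["age"] += seconds
            if r["age"] >= INVALID_INTERVAL:
                r["metric"] = INFINITY     # marked for deletion; advertised as poison until removed

    def build_update(self, iface, poison_reverse=True):
        """Routes to advertise out `iface`. Routes learned on that same interface are
        sent back with metric 16 (poison reverse) or withheld entirely (plain split horizon)."""
        out = {}
        for prefix, r in self.routes.items():
            learned_here = r["nexthop"] is not None and r["iface"] == iface
            if learned_here:
                if poison_reverse:
                    out[prefix] = INFINITY
                continue
            out[prefix] = r["metric"]
        return out

    def reachable(self):
        return {p: (r["metric"], r["nexthop"]) for p, r in self.routes.items() if r["metric"] < INFINITY}


if __name__ == "__main__":
    t = RipTable({"10.1.2.0/24": "vlan2", "10.1.5.0/24": "vlan5", "10.1.3.0/24": "vlan3"})
    t.process_update("10.1.2.1", "vlan2", {"10.1.1.0/24": 1, "10.1.4.0/24": 1})
    t.process_update("10.1.5.2", "vlan5", {"10.1.6.0/24": 1, "10.1.7.0/24": 2})
    print("table:", t.reachable())
    print("update out vlan2 (poison reverse):", t.build_update("vlan2"))
    print("update out vlan2 (split horizon):  ", t.build_update("vlan2", poison_reverse=False))
```

The update sent back out vlan2 carries the routes learned from 10.1.2.1 with metric 16, so that neighbor can never be told a path to its own networks runs through this module; with poison reverse disabled the same routes are simply left out.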
Routing RIP Figure 9-5. Network > Routing > RIP Window 2. Select the Enable RIP check box. 3. Leave the Poison Reverse check box selected or clear it based on whether you want the TMS zl Module to use poison reverse. Poison reverse is a feature that helps RIP routers to speed convergence. It specifies that when a router receives a route from a neighbor, it sends a “poison update” for that route (a route with a metric of 16, indicating unreachable) back to that neighbor.
Routing RIP b. Under Router Redistribution, for Applies to, select one or more of these check boxes:
– Connected – You must select this check box if you want the TMS zl Module to advertise routes to its TMS VLANs even if RIP is enabled on these VLANs.
– Static – Select this check box to advertise routes that were manually added to the routing table.
– OSPF – Select this check box if your system uses both OSPF and RIP, and you want the TMS zl Module to include routes discovered by OSPF in RIP updates.
5.
Routing RIP 7. For Interface, select an interface from the list. The interfaces listed are TMS VLANs and GRE tunnels (on which RIP has not already been enabled). To learn how to create TMS VLANs, see “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.” To learn how to create GRE tunnel interfaces, see “Configure a GRE Tunnel” in Chapter 7: “Virtual Private Networks.” 8. For Version, select the version used by other routers on this subnet.
Routing RIP Note You must set the same password or key for each interface on a network, but you can set different passwords or keys for different networks. However, you must use the same type of authentication (none, simple, or MD5) for every network in an area. Example RIP Setup Figure 9-7 shows an example RIP router setup using TMS zl Modules. Figure 9-7.
Routing RIP TMS zl Module A Settings This module must redistribute static and connected routes.

Table 9-6. Module A RIP Settings
Interface  IP        Passive  Metric
2          10.1.2.1  no       1

Table 9-7. Module A Routing Table
Destination  Gateway     Metric  VLAN    Type
0.0.0.0/0    172.16.1.2  0       vlan16  static
10.1.1.0/24  10.1.1.1    1       vlan1   connected
10.1.2.0/24  10.1.2.1    1       vlan2   connected
10.1.3.0/24  10.1.2.2    3       vlan2   rip
10.1.4.0/24  10.1.4.1    1       vlan4   connected
10.1.5.0/24  10.1.2.
Routing RIP TMS zl Module B Settings This module must redistribute connected routes.

Table 9-8. Module B RIP Settings
VLAN  IP        Passive  Metric
2     10.1.2.2  no       1
5     10.1.5.1  no       1

Table 9-9. Module B Routing Table
Destination  Gateway   Metric  VLAN   Type
0.0.0.0/0    10.1.2.1  3       vlan2  rip
10.1.1.0/24  10.1.2.1  3       vlan2  rip
10.1.2.0/24  10.1.2.2  1       vlan2  connected
10.1.3.0/24  10.1.3.1  1       vlan3  connected
10.1.4.0/24  10.1.2.1  3       vlan2  rip
10.1.5.0/24  10.1.5.
Routing RIP Table 9-11. Module C Routing Table
Destination    Gateway   Metric  VLAN   Type
0.0.0.0/0      10.1.5.1  5       vlan5  rip
10.1.1.0/24    10.1.5.1  5       vlan5  rip
10.1.2.0/24    10.1.5.1  3       vlan5  rip
10.1.3.0/24    10.1.5.1  3       vlan5  rip
10.1.4.0/24    10.1.5.1  5       vlan5  rip
10.1.5.0/24    10.1.5.2  1       vlan5  connected
10.1.6.0/24    10.1.6.1  1       vlan6  connected
10.1.7.0/24    10.1.6.2  3       vlan6  rip
172.16.1.0/30  10.1.5.
Routing OSPF
Destination    Gateway   Metric  VLAN   Type
10.1.7.0/24    10.1.7.1  1       vlan7  connected
172.16.1.0/30  10.1.6.1  7       vlan6  rip

OSPF OSPF is a sophisticated routing protocol designed for large networks. Read the section below if you are interested in learning more about OSPF and how it functions on the TMS zl Module. If you are interested only in configuring OSPF on the module, move directly to “Enable OSPF” on page 9-40.
Routing OSPF Because OSPF routers send each other more messages than RIP routers send, OSPF can consume more bandwidth. However, OSPF minimizes the number of packets routers must send in several ways. On point-to-point networks, only the two neighboring routers exchange their databases. On broadcast multi-access networks, routers form full adjacencies only with the designated router (DR) and the backup DR, and only the DR floods LSAs on behalf of the network. Also, OSPF interfaces only send updates on their own link states rather than sending all routes discovered by the protocol, as RIP interfaces do.
Routing OSPF OSPF defines specific rules for synchronizing databases with a minimum of traffic between routers. Any two routers running OSPF on the same interface are neighbors that could potentially send each other LSAs. However, not all neighbors establish full adjacency—that is, exchange LSAs. OSPF defines procedures by which all routers can synchronize their databases without every pair of them exchanging LSAs.
Routing OSPF a non-local area network to the ABR that advertised the summary for that area. When this traffic arrives in Area 0, the ABRs route it toward the correct area. When the traffic arrives in the new area, internal routers use intra-area routing to direct it to its destination. Autonomous system border routers (ASBRs) support external traffic (in networks with one area or with multiple areas). An ASBR connects to an external network and runs both OSPF and the external network’s routing protocol.
Routing OSPF Internal routers in a stub area are stub routers. At least one router in the area communicates with an ABR in Area 0. The network that the two routers have in common is defined as part of the stub area, making the Area 0 router part of both Area 0 and the stub area. This topology prevents routers from processing superfluous information. Routers in the stub area deal primarily with intra-area LSAs.
Routing OSPF an ASBR. Typically, OSPF would not permit the external routes to be distributed into the stub area. However, internal routers in an NSSA can receive specially defined LSAs for external routes. LSA Types Routers within an area exchange Type 1 and Type 2 LSAs to synchronize their databases. Routers can also transmit Type 3, 4, and 5 LSAs between areas so that they can learn how to route inter-area traffic. Table 9-14 summarizes the different LSA types. Table 9-14.
Routing OSPF All routers generate Type 1 LSAs, which they use to advertise their own links.
Routing OSPF Depending on the type of LSAs that the router receives, the database can also include: ■ Links to ranges of networks in other areas ■ Links to external networks The router would use this information to generate inter-area and external routes. A router applies Dijkstra’s algorithm to its topological database to generate a routing tree with itself as the root. This action is also called performing the shortest path first (SPF) calculation.
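The SPF calculation described above, as an added worked example that is not code from the manual or from the module. The link-state database is constructed to mirror the four-module OSPF setup example later in this chapter (every interface cost is 1, as in Tables 9-17 through 9-26), with the three transit networks represented by network-LSA-style entries and the externals that Module A redistributes left out. Each router runs Dijkstra's algorithm over the same database with itself as the root and derives its own next hop and cost per network; the costs it computes (for example 3 from Module D to 10.1.2.0/24, 2 from Module C to 10.1.7.0/24) are the ones those tables show.

```python
import heapq

# Constructed LSDB modelled on the chapter's OSPF example. Router entries list
# (attached network, interface cost); every cost is 1 as in Tables 9-17 to 9-26.
ROUTER_LSAS = {
    "A": [("10.1.2.0/24", 1)],
    "B": [("10.1.2.0/24", 1), ("10.1.5.0/24", 1), ("10.1.3.0/24", 1)],
    "C": [("10.1.5.0/24", 1), ("10.1.6.0/24", 1)],
    "D": [("10.1.6.0/24", 1), ("10.1.7.0/24", 1)],
}
# Transit networks and their attached routers. As with a real network LSA, the
# network reaches each attached router at cost 0; 10.1.3.0/24 and 10.1.7.0/24 are
# stub networks and appear only in router entries.
NETWORK_LSAS = {
    "10.1.2.0/24": ["A", "B"],
    "10.1.5.0/24": ["B", "C"],
    "10.1.6.0/24": ["C", "D"],
}


def build_graph(router_lsas, network_lsas):
    """Turn the database into an adjacency map: node -> {neighbor: cost}."""
    graph = {}
    for rtr, links in router_lsas.items():
        graph.setdefault(rtr, {})
        for target, cost in links:
            graph[rtr][target] = cost
            graph.setdefault(target, {})
    for net, routers in network_lsas.items():
        for rtr in routers:
            graph[net][rtr] = 0
    return graph


def spf(graph, root):
    """Dijkstra's algorithm: shortest-path tree rooted at `root`."""
    dist, prev = {root: 0}, {}
    heap = [(0, root)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, cost in graph[node].items():
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                prev[nbr] = node
                heapq.heappush(heap, (d + cost, nbr))
    return dist, prev


def routing_table(router_lsas, network_lsas, root):
    """Network -> (cost, next-hop router or 'connected') from `root`'s point of view."""
    dist, prev = spf(build_graph(router_lsas, network_lsas), root)
    table = {}
    for node, cost in dist.items():
        if node == root or node in router_lsas:
            continue                      # only networks are destinations
        path = [node]
        while path[-1] != root:
            path.append(prev[path[-1]])
        path.reverse()                    # root, ..., node
        routers_on_path = [n for n in path[1:] if n in router_lsas]
        table[node] = (cost, routers_on_path[0] if routers_on_path else "connected")
    return table


if __name__ == "__main__":
    for rtr in ROUTER_LSAS:
        print(f"Module {rtr}:")
        for net, (cost, nexthop) in sorted(routing_table(ROUTER_LSAS, NETWORK_LSAS, rtr).items()):
            print(f"  {net:12} cost {cost}  via {nexthop}")
```

Because every router computes from an identical database, the results are consistent without any router ever advertising a complete route table; that is the property the paragraph above contrasts with RIP.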
Routing OSPF Note When you change an interface’s hello interval or dead interval, make the same change on the peer interface on that network. OSPF neighbors must agree on both intervals or they will not form an adjacency, and a peer whose dead interval is shorter than your hello interval will wrongly decide the interface is down. The dead interval is conventionally four times the hello interval; use a larger multiple on links where hellos are likely to be lost.
Routing OSPF With MD5 authentication, a router uses a secret key and the MD5 algorithm to generate a message digest over each packet and appends the digest to the packet; the key itself is never sent. A router that receives the packet recomputes the digest over the received packet with the same key and compares the result to the digest the packet carries. If the two match, the packet is authentic and was not modified in transit. (A message digest cannot be reversed; the receiver verifies it only by recomputing it.) Authentication with MD5 is more secure than simple password authentication. Attackers can intercept a valid OSPF packet and read the simple password.
Routing OSPF One common topology for a network is a headquarters, defined as Area 0, that connects to stub areas at one or more remote sites. In this topology, the headquarters’ routers that connect to the remote sites are ABRs. The routers at the remote sites are internal routers. If a router connects to a public or other external network, such as an ISP, it is an ASBR. (See Figure 9-9.) Figure 9-9.
Routing OSPF Figure 9-10. OSPF Network with WAN as Area 0 If these routers are the only routers at the remote sites or if the remote sites are quite small, you could leave the network undivided. (A general rule is that an area should include fewer than 50 routers.) In this case, all networks would be defined as part of Area 0. (See Figure 9-11.) Figure 9-11. OSPF Network with One Area When you configure a router to run OSPF, you should also consider the type of network.
Routing OSPF Table 9-16.
Routing OSPF Enable OSPF To enable OSPF, click Network > Routing and click the OSPF tab. Figure 9-12. Networking > Routing > OSPF Window 1. Select the Enable OSPF check box. 2. Click Apply My Changes. Set the Router ID When OSPF routers exchange certain types of messages, they include their router ID. Routers piece messages together into a coherent network topology. They can only complete this task if each router’s ID is unique, consistent, and significant for the entire network.
Routing OSPF 1. For Router Identifier, type the IP address that will uniquely identify the router. 2. Click Apply My Changes. Note You will briefly lose your connection with the module if you change the Router ID while connecting to the module through an OSPF-learned route. Once the module’s new router ID is propagated through the network, you will be able to reconnect. Set RFC 1583 Compatibility With RFC 1583, some configurations cause a problem with routing loops.
Routing OSPF Redistribute Routes Discovered by Other Methods Many networks use more than one routing protocol. Routing protocols discover routes in different ways. They provide overlapping, but not identical, services. For example, OSPF is an interior gateway protocol that cannot discover external routes. You can run two protocols on your TMS zl Module and redistribute routes from one protocol into the others. You can also redistribute directly connected routes and static routes. Redistributing RIP Routes.
Routing OSPF Enable OSPF on an Interface You must enable OSPF on each TMS VLAN or GRE tunnel that you want to participate in sending and receiving OSPF messages. When you enable OSPF on a TMS zl Module interface, you will also define the interface’s area and other settings. You can place more than one interface in the same OSPF area, and you can configure multiple OSPF areas. To enable OSPF on an interface and add it to an area, complete the following steps: 1.
Routing OSPF Figure 9-14. Enable OSPF on an Interface Window 3. For Interface, select an interface from the list. The interfaces listed are TMS VLANs and GRE tunnels (on which OSPF has not already been enabled). To learn how to create TMS VLANs, see “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.” To learn how to create GRE tunnel interfaces, see “Configure a GRE Tunnel” in Chapter 7: “Virtual Private Networks.” 4. For Area ID, type the area to which you want to assign the interface.
Routing OSPF Note When you change an interface’s hello interval or dead interval, make the same change on the peer interface on that network. OSPF neighbors must agree on both intervals or they will not form an adjacency, and a peer whose dead interval is shorter than your hello interval will wrongly decide the interface is down. The dead interval is conventionally four times the hello interval; use a larger multiple on links where hellos are likely to be lost.
Routing OSPF To configure an NSSA or stub area, complete the following: 1. Select Network > Routing and click the OSPF tab. Figure 9-15. Network > Routing > OSPF Window 2. Click Add NSSA or Stub Area. Figure 9-16.
Routing OSPF 3. For Area ID, type an identification number for the area. For Area ID, you can use integer or dotted-decimal (x.x.x.x) notation. On the OSPF routing window, the area ID will always be displayed in dotted-decimal notation. For example, 0.0.0.1 will be displayed if you type 1 as the area ID and 0.0.1.0 will be displayed if you type 256 as the area ID. 4. From the Area Type list, select the type of area you want to configure: NSSA or STUB. 5.
Routing OSPF To edit an existing OSPF firewall access policy, complete the following: 1. Click one of the following: • Firewall > Access Policies > Unicast • Firewall > Access Policies and click the Multicast tab. 2. Find the OSPF policy that you want to edit and click the Edit icon. 3. Edit the fields that you want to change. 4. Click Apply, then click Close. You can also add another OSPF firewall access policy. For example, if you wanted to deny unicast LSAs from network 10.18.154.
Routing OSPF 11. In the Position field, specify the priority of this access policy. Be sure that you set the position of this policy above the position of the policy that allows all Zone1-to-Internal zone OSPF traffic. 12. Click Apply. Then you can optionally click the Advanced tab to further narrow the policy. For more information about the Advanced tab, see “Create Firewall Access Policies” in Chapter 4: “Firewall.” 13. Click Close.
Routing OSPF Below is a sample of the settings and routing tables of the modules after all routes have been communicated.

TMS zl Module A Settings
OSPF Settings
■ Router ID — 9.9.9.9
■ Administrative Distance — 110
■ Default Metric — 10
■ Redistribute — Static and connected routes

Table 9-17. Module A VLAN and Area Settings
VLAN  IP        Area ID  Cost
2     10.1.2.1  0.0.0.1  1

Table 9-18. Module A Routing Table
Destination  Gateway     Metric  VLAN    Type
0.0.0.0/0    172.16.1.2  0       vlan16  static
10.1.1.
Routing OSPF Table 9-19. Module B VLAN and Area Settings
VLAN  IP        Area ID  Cost
2     10.1.2.2  0.0.0.1  1
5     10.1.5.1  0.0.0.0  1

Table 9-20. Module B Routing Table
Destination  Gateway   Metric  VLAN   Type
0.0.0.0/0    10.1.2.1  1       vlan2  ospf
10.1.1.0/24  10.1.2.1  1       vlan2  ospf
10.1.2.0/24  10.1.2.2  1       vlan2  connected
10.1.3.0/24  10.1.3.1  1       vlan3  connected
10.1.4.0/24  10.1.2.1  2       vlan2  ospf
10.1.5.0/24  10.1.5.1  1       vlan5  connected
10.1.6.0/24  10.1.5.2  2       vlan5  ospf
10.1.7.0/24  10.
Routing OSPF Table 9-22. Module C Stub Area Settings
ID       Area Type  Metric  Metric Type
0.0.0.2  STUB       1

Table 9-23. Module C Routing Table
Destination  Gateway   Metric  VLAN   Type
0.0.0.0/0    10.1.5.1  2       vlan5  ospf
10.1.1.0/24  10.1.5.1  2       vlan5  ospf
10.1.2.0/24  10.1.5.1  2       vlan5  ospf
10.1.3.0/24  10.1.5.1  1       vlan5  ospf
10.1.4.0/24  10.1.5.1  2       vlan5  ospf
10.1.5.0/24  10.1.5.2  1       vlan5  connected
10.1.6.0/24  10.1.6.1  1       vlan6  connected
10.1.7.0/24  10.1.6.2  2       vlan6  ospf
172.16.
Routing Viewing Unicast Routes Table 9-25. Module D Stub Area Settings
ID       Area Type  Metric  Metric Type
0.0.0.2  STUB       1

Table 9-26. Module D Routing Table
Destination  Gateway   Metric  VLAN   Type
0.0.0.0/0    10.1.6.1  2       vlan6  ospf
10.1.2.0/24  10.1.6.1  3       vlan6  ospf
10.1.5.0/24  10.1.6.1  2       vlan6  ospf
10.1.6.0/24  10.1.6.1  1       vlan6  connected
10.1.7.0/24  10.1.7.
Routing Viewing Unicast Routes Figure 9-19. Network > Routing > View Routes Window The columns are as follows: ■ Destination Address — The route's destination, either a host or a network; the default gateway shows 0.0.0.0/0. ■ Gateway Address — The address of the gateway for that destination ■ Metric — The route’s metric; the default gateway is always 0. ■ Interface — The route’s VLAN or GRE tunnel.
Routing Multicast Multicast Many emerging applications rely on delivering the same information to many hosts. LAN TV, video conferencing, collaborative computing, and desktop conferencing all involve transmitting a great deal of information from a source, or many sources, to many hosts. Email systems can more efficiently deliver mail to multiple servers simultaneously rather than one by one.
Routing Multicast It is not hard to imagine the challenges broadcast messages pose for packet containment. A malfunctioning or misconfigured device can congest an entire network. Even properly functioning devices must flood all hosts with unnecessary information just to send a message to the hosts that do need it. IP multicasting addresses these problems by allowing a host to send a message to a select group. Figure 9-21.
Routing Multicast points can join and leave a group. They can belong to more than one group at once, and groups can contain any number of endpoints at any location in the network. IGMP IGMP is the protocol that allows endpoints to join and leave multicast groups. The TMS zl Module uses IGMP to determine which multicast groups have members in which interfaces so that it can properly forward multicast messages.
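The IGMP bookkeeping the paragraph above describes, as an added example that is not code from the manual or from the module: it parses IGMPv2 messages (checking the Internet checksum, so a corrupted or malformed report is ignored rather than acted on), records which groups have members on which interfaces, ages that state out when no report arrives within the group membership interval, and answers the forwarding question "which interfaces does a packet for this group get copied to?" that the View Routes window later answers with an interface list instead of a gateway. The interface names, group addresses and the 260-second membership interval (the IGMPv2 default) are constructed or assumed for the example; a real querier also sends group-specific queries after a Leave before dropping the group, which is simplified here.

```python
import ipaddress
import struct

IGMP_QUERY, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x16, 0x17
GROUP_MEMBERSHIP_INTERVAL = 260   # IGMPv2 default: 2 x 125 s query interval + 10 s (assumed here)


def inet_checksum(data):
    """Standard one's-complement Internet checksum (same as IP and ICMP use)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type, group, max_resp=0):
    """Build an 8-byte IGMPv2 message with a valid checksum."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.ip_address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(data):
    """Return (type, group) or None if the message is short or its checksum fails."""
    if len(data) < 8 or inet_checksum(data[:8]) != 0:
        return None
    msg_type, _, _, group = struct.unpack("!BBH4s", data[:8])
    return msg_type, str(ipaddress.ip_address(group))


class IgmpState:
    """Which multicast groups have members on which interfaces (TMS VLANs or GRE tunnels)."""

    def __init__(self):
        self.members = {}   # (group, interface) -> seconds since the last report

    def handle(self, iface, data):
        """Process one IGMP message received on `iface`; False if it was rejected."""
        parsed = parse_igmp(data)
        if parsed is None:
            return False
        msg_type, group = parsed
        if msg_type == IGMP_V2_REPORT:
            self.members[(group, iface)] = 0
        elif msg_type == IGMP_LEAVE:
            # Simplification: a real querier first sends group-specific queries and
            # drops the group only if no other member answers.
            self.members.pop((group, iface), None)
        return True   # queries and unknown types are valid but change nothing here

    def tick(self, seconds):
        """Age memberships; a group silent for the whole interval is dropped."""
        for key in list(self.members):
            self.members[key] += seconds
            if self.members[key] >= GROUP_MEMBERSHIP_INTERVAL:
                del self.members[key]

    def outgoing(self, group, in_iface):
        """Interfaces a packet for `group` arriving on `in_iface` is copied to."""
        return sorted(i for (g, i) in self.members if g == group and i != in_iface)

    def routes(self):
        """Multicast routes as the View Routes window lists them: group -> interfaces."""
        out = {}
        for group, iface in self.members:
            out.setdefault(group, set()).add(iface)
        return {g: sorted(i) for g, i in out.items()}


if __name__ == "__main__":
    state = IgmpState()
    state.handle("vlan3", build_igmp(IGMP_V2_REPORT, "239.1.1.1"))
    state.handle("vlan5", build_igmp(IGMP_V2_REPORT, "239.1.1.1"))
    print("routes:", state.routes())
    print("239.1.1.1 arriving on vlan2 goes to:", state.outgoing("239.1.1.1", "vlan2"))
    print("239.1.1.1 arriving on vlan3 goes to:", state.outgoing("239.1.1.1", "vlan3"))
```

The incoming interface is excluded from the copy list, so a report from vlan3 never causes traffic received on vlan3 to be sent back there.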
Routing Multicast Figure 9-23. Multicasting with IGMP You should enable IGMP on each interface (TMS VLAN or GRE tunnel) that includes endpoints that might need to join a multicast group. Multicast Routing Protocol, PIM-SM PIM-SM is a multicast routing protocol that enables the TMS zl Module to route multicast traffic that arrives on one interface (TMS VLAN or GRE tunnel) out other interfaces. PIM-SM builds a distribution tree for each multicast group. The tree includes a rendezvous point (RP).
Routing Multicast Configuring Multicast Routing To configure the TMS zl Module to receive multicasts, you complete these steps: 1. Enable IP multicast routing. 2. Configure IP multicast routing on each interface that uses multicast traffic. By default, multicast routing is disabled. To enable it, complete the following steps: 1. Click Network > Routing and click the Multicast tab. Figure 9-24. Network > Routing > Multicast Window 2.
Routing Multicast Figure 9-25. Enable Multicast on Interface Window 5. For Interface, select an interface from the list. The interfaces listed are TMS VLANs and GRE tunnels (on which multicast routing has not already been enabled). To learn how to create TMS VLANs, see “Plan the Zones” in Chapter 2: “Initial Setup in Routing Mode.” To learn how to create GRE tunnel interfaces, see “Configure a GRE Tunnel” in Chapter 7: “Virtual Private Networks.” 6. For IGMP Enabled, select yes or no.
Routing Multicast 2. Select Multicast from the Show routes list. Figure 9-27. Network > Routing > View Routes Window (Multicast Routes) As you can see, multicast routes are different from unicast routes. Traffic destined to a multicast address is usually destined to many different devices. Therefore the TMS zl Module may need to copy a multicast packet and forward it on several interfaces. Therefore, instead of a gateway address, the route lists interfaces.
10 Troubleshooting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Basic Troubleshooting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6 nslookup . . . . . . . . .
Troubleshooting Contents Troubleshooting DHCP Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-38 Workstations Cannot Receive an IP Address . . . . . . . . . . . . . . . 10-38 TMS VLAN Cannot Receive an IP Address . . . . . . . . . . . . . . . . . 10-38 Troubleshooting the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-39 Reviewing How the Firewall Operates . . . . . . . . . . . . . . . . . . . . 10-39 Strategy for Resolving Firewall Problems . . . . . . . . .
Troubleshooting Contents Troubleshooting the TMS zl Module in Monitor Mode . . . . . . . . . . . . . 10-123 Troubleshooting Problems Accessing the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-123 Resolve Specific Issues Related to Accessing the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-124 Using Log Messages to Troubleshoot Problems . . . . . . . . . . . . . . .
Troubleshooting Overview Overview This chapter provides some guidance for troubleshooting the HP Threat Management Services (TMS) zl Module.
Troubleshooting Basic Troubleshooting Tools ping The ping command is perhaps the most commonly used troubleshooting tool. You can use it to verify that traffic from one endpoint can reach another endpoint. Remember that when the TMS zl Module is operating in routing mode, you must perform an additional step to use ping. You must create an access policy that permits ICMP echo packets (pings) from one endpoint—the source—to another—the destination.
Troubleshooting Basic Troubleshooting Tools From the TMS zl Module’s CLI, enter the following command from either the manager-level context or the global configuration context:

Syntax: ping <IP address | hostname> [repetitions <1-100000>] [data-size <0-65471>]

Replace <IP address> with the IP address of the ping destination. Replace <hostname> with the host name of the ping destination. Include the repetitions option if you want to send multiple pings.
Troubleshooting Basic Troubleshooting Tools The module will display a route to a destination up to 255 hops away. You can end the traceroute process at any time by pressing Ctrl+Z. The following is an example of the traceroute output:

hostswitch(tms-module-C)# traceroute 10.1.1.2
traceroute to 10.1.1.2 (10.1.1.2), 30 hops max, 40 byte packets
 1  10.1.1.2 (10.1.1.2)  0.311 ms  0.320 ms  0.201 ms

You can set extended options for tracing a route by typing additional keywords after the IP address.
Troubleshooting Basic Troubleshooting Tools You can enter the following command from either the manager-level context or the global configuration context in the TMS zl Module’s CLI:

Syntax: nslookup <hostname>

Replace <hostname> with the host name that you want to resolve. For example, if you want to know the IP address for router5, enter:

hostswitch(tms-module-C)# nslookup router5

show commands The TMS zl Module provides a number of helpful show commands, some of which are listed in Table 10-2.
Troubleshooting Basic Troubleshooting Tools
Command              Syntax               Description
show management      show management      For monitor mode, shows the management settings for the dedicated management VLAN and the high availability (HA) VLAN. For routing mode, shows the zones from which you are managing the module.
show operating-mode  show operating-mode  Displays the module’s operating mode.
show running-config  show running-config  Displays the module’s running configuration.
Troubleshooting Basic Troubleshooting Tools For example, Figure 10-2 shows the type of output you will see when you enter the show connections command. Figure 10-2. Output for the show connections Command If you enter the show system-information command, you will see output similar to that shown in Figure 10-3. Figure 10-3. Output for the show system-information Command Table 10-3 lists some useful show commands for the TMS zl Module when it is operating in routing mode.
Troubleshooting Basic Troubleshooting Tools Table 10-3. show Commands for the TMS zl Module in Routing Mode Only
Command             Syntax                                          Description
show access-policy  show access-policy [group | multicast] [filter  Displays the firewall access policies currently configured on the module.
Troubleshooting Basic Troubleshooting Tools
Command     Syntax                      Description
show vlans  show vlans [unassociated]   Displays information about the TMS VLANs, including the IP address of the VLAN and the zone to which it belongs. If unassociated is included, displays VLANs that the module has detected on the host switch but that have not been added to a zone.

capture The capture command collects the packets transmitted to and from a particular VLAN interface, a GRE tunnel, an HA interface, or all interfaces.
Troubleshooting Basic Troubleshooting Tools Table 10-4.
Troubleshooting Basic Troubleshooting Tools You would then see output similar to the following:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:24:10.280038 IP 192.168.115.61.51936 > 192.168.115.255.51936: UDP, length 38
20:24:12.280098 IP 192.168.115.61.51936 > 192.168.115.255.51936: UDP, length 38
20:24:14.280187 IP 192.168.115.61.51936 > 192.168.115.255.51936: UDP, length 38
...
Troubleshooting Basic Troubleshooting Tools Figure 10-4. Using a Protocol Analyzer to View Output from the TMS zl Module’s capture Command If you are troubleshooting a virtual private network (VPN), on the other hand, you can install a protocol analyzer on the client and then view the packets that are being sent from the client. You can then determine if the client is sending the correct packet types.
Troubleshooting Basic Troubleshooting Tools Contacting HP Support If you follow the troubleshooting processes and tips outlined in this chapter but still cannot resolve the problem you are experiencing, you may decide to contact HP Support. Before doing so, HP Support recommends that you gather some troubleshooting information that will help HP Support begin to understand the problem. 1. Access the TMS zl Module’s CLI: hostswitch# services name tms-module 2.
Troubleshooting Troubleshooting Problems with the Installation and Boot Process Troubleshooting Problems with the Installation and Boot Process This section describes how to: ■ Monitor the front-panel LEDs to ensure that the TMS zl Module boots and functions properly ■ View or monitor the TMS zl Module’s status from the CLI ■ Resolve specific issues related to the installation and boot process Monitor the Front-Panel LEDs After you install the TMS zl Module, you should monitor the front-panel LEDs to
Troubleshooting Troubleshooting Problems with the Installation and Boot Process ■ Ensure that you installed the TMS zl Module according to the installation guidelines. You can install the TMS zl Module in an HP 5400zl or 8200zl Switch Series. Depending on if you install the module in a right slot or a left slot, you must ensure that the switch chassis does not exceed the following temperatures: • Any module in a right slot—The chassis temperature must not exceed 40° C (104° F).
Troubleshooting Troubleshooting Problems with the Installation and Boot Process ■ If the TMS zl Module is not listed, check the switch software version. If the show services command does not list all the TMS zl Modules that are installed in the switch, ensure that you are running a version of switch software that supports the TMS zl Module (K.13.55 or above).
Troubleshooting Troubleshooting Problems with the Installation and Boot Process You will continue to see updated output for the show services command. The following shows an example of the output you might see. The Current status information will vary, depending on the progress of the boot process. Status and Counters - Services Module E Status HP Services zl Module J9154A Versions : A.01.
Troubleshooting Troubleshooting Problems with the Installation and Boot Process Resolve Specific Issues Related to the Installation and Boot Process This section lists issues that you may encounter when installing or booting a TMS zl Module and provides a possible solution. ■ Problem updating the Services OS.
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode • Install the product license key on the TMS zl Module. For routing mode, see “Install the Product License Key” in Chapter 2: “Initial Setup in Routing Mode.” For monitor mode, see “Install the Product License Key” in Chapter 3: “Initial Setup in Monitor Mode.” Troubleshooting the TMS zl Module in Routing Mode This section explains how to troubleshoot the TMS zl Module when it is operating in routing mode.
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode Management Interface Issues If you cannot access the TMS zl Module through a Secure Shell (SSH), Telnet, or HTTPS connection, use the suggestions outlined in this section to isolate the problem and fix it. ■ Ensure that you are using HTTPS, rather than HTTP. If you try to access the TMS zl Module’s Web browser interface through HTTP, you will not be successful. By default, the TMS zl Module supports only HTTPS.
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode e. Verify that your management station’s VLAN has been configured correctly. In particular, make sure the VLAN has the right IP address and is assigned to the right zone:

hostswitch(tms-module-C)# show vlan <VLAN ID>

Replace <VLAN ID> with the ID of the VLAN on which you are attempting to access the TMS zl Module. You will see output similar to the following:

Internet (IP) Service
  IP routing: enabled
  Default gateway: 10.1.32.
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode ■ Ensure that your management workstation is in a management-access zone. If the management workstation is not in a management-access zone, you must either enable management access on its zone or create an access policy to enable SSH, Telnet, or HTTPS access. Because you cannot access the Web browser interface, you must enable management access or create these policies from the TMS zl Module’s CLI.
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode If IPS is blocking your management station’s traffic, you can disable IPS for the access policy that permits management access. To view the access policies between the management station’s zone and self, enter:

hostswitch(tms-module-C)# show access-policy filter <zone> self

Replace <zone> with the management station’s zone, such as internal.
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode Move to the module’s global configuration mode and remove this policy, using the following command: hostswitch(tms-module-C:config)# no access-policy self Replace with the number listed at the beginning of the access policy. For the example below, you would type 7.
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode ■ Check the network infrastructure. If all the settings on the TMS zl Module seem to be correct, you should check the network to ensure that traffic from the workstation can reach the TMS zl Module. To check connectivity, you can ping the module from the management workstation.
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode If you are using Internet Explorer, complete the following steps:
a. Click Tools > Internet Options > Privacy.
b. Click Sites.
c. Type the module’s interface address and click Allow.
d. Click OK to close each window.
■ You receive an Invalid Login! error message. If you receive an Invalid Login! error, check the following:
• Ensure that the username and password are entered correctly.
Troubleshooting Troubleshooting the TMS zl Module in Routing Mode ■ Clicking Help does not have any effect. If you cannot access the TMS zl Module’s online help, disable pop-up blockers in your Web browser. Using Log Messages The main tool you will use to resolve problems is the TMS zl Module’s log messages. Enabling Logging for an Access Policy When the TMS zl Module is operating in routing mode, you must enable logging on the access policies that you want to monitor.
Figure 10-5. Edit Policy Window
5. Click OK.
The TMS zl Module will then begin to log messages related to this access policy.

Changing the Log Level
After you enable logging, lower the logging level to Information so that the TMS zl Module logs all events. Complete the following steps:
1. Click System > Logging.
2. Click Settings.
Figure 10-6. System > Logging > Settings Window
3. Under Log Severity, select the most basic message level, Information.
4. You may also want to disable throttling, so that you can see all messages.
5. Click Apply My Changes.
Restore the original severity level and throttling setting when you have finished troubleshooting; at Information with throttling disabled, a busy module generates a large volume of log messages.

Checking the Time Settings
The TMS zl Module synchronizes its time from the host switch. Ensure that the host switch has the correct time so that the module also has the correct time; otherwise you cannot correlate the module's log timestamps with events recorded on other systems.
Figure 10-7. System > Logging > View Log Window
3. Use filters to display only the log messages that are helpful to you. For example, you can use the Keyword field to perform specialized searches. You may want to use the following fields in your keyword searches.

Note
If you have used a named object in an access policy, the log shows the name of the object instead of the values that the object contains.
■ id=[log family]
The log messages are divided into families and subfamilies. See Appendix C, "Log Messages" for a list of log family names.
■ mid=[integer]
The message ID can help you find specific messages. Message IDs are unique only within their log family, so you must search for both the log family (id=[log family]) and the message ID (mid=[integer]).
Interpreting Log Messages
As you view log messages, you must identify which ones are related to the firewall and which are related to IPS. Log messages related to the firewall begin with fw, such as fw_access_control or fw_l2l3_attack. For example, Figure 10-7 on page 10-33 shows log messages that include fw_l2l3_attack. Log messages related to IPS begin with ips, such as ips_attack_family or ips_protocol_anomaly_family.
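As an added illustration of the keyword fields and the fw/ips naming above (example code, not part of this guide), the following Python script parses a few constructed key=value log lines written in the style of the module's log view, filters them by log family and message ID the way the Keyword field does, and separates firewall (fw_) messages from IPS (ips_) messages. Only the id=, mid= and dstport= keywords come from the guide; the line layout, the other field names (src, dst, proto, action, policy) and the addresses are assumptions for the example.

```python
"""Filter and classify TMS zl Module style log messages.

Added example, not code from the HP guide. The SAMPLE_LOG lines below are
constructed for illustration; only the id=, mid= and dstport= keywords are
taken from the guide. Other field names (src, dst, proto, action, policy)
are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample log (not captured from a module). One fw_access_control
# deny, one fw_l2l3_attack drop, one IPS block and one fw_access_control permit.
SAMPLE_LOG = """\
2010-10-01T10:15:02 pri=6 id=fw_access_control mid=3 src=10.1.10.25 dst=192.168.2.20 proto=TCP dstport=21 action=deny policy=7
2010-10-01T10:15:03 pri=4 id=fw_l2l3_attack mid=12 src=172.16.24.253 dst=172.16.1.254 proto=UDP dstport=500 action=drop
2010-10-01T10:15:09 pri=4 id=ips_protocol_anomaly_family mid=3 src=10.1.10.25 dst=192.168.2.20 proto=TCP dstport=80 action=block
2010-10-01T10:15:11 pri=6 id=fw_access_control mid=3 src=10.1.10.25 dst=192.168.2.20 proto=TCP dstport=21 action=permit policy=2
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'timestamp k=v k=v ...' line into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    fields.update(_KV.findall(rest))
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def engine(entry: Dict[str, str]) -> str:
    """'firewall' for fw_* families, 'ips' for ips_* families, else 'other'."""
    family = entry.get("id", "")
    if family.startswith("fw_"):
        return "firewall"
    if family.startswith("ips_"):
        return "ips"
    return "other"


def keyword_filter(entries, **criteria) -> List[Dict[str, str]]:
    """Emulate the Keyword field: keep entries whose fields equal every given value.

    Message IDs are unique only within a family: mid=3 alone matches both the
    firewall and the IPS messages in SAMPLE_LOG, so pass id= together with mid=.
    """
    wanted = {k: str(v) for k, v in criteria.items()}
    return [e for e in entries if all(e.get(k) == v for k, v in wanted.items())]


def denies_for_flow(entries, src: str, dst: str, dstport: int) -> List[str]:
    """Policy numbers of firewall messages that denied or dropped a given flow."""
    return [
        e.get("policy", "?")
        for e in entries
        if engine(e) == "firewall"
        and e.get("src") == src
        and e.get("dst") == dst
        and e.get("dstport") == str(dstport)
        and e.get("action") in ("deny", "drop")
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in keyword_filter(entries, id="fw_access_control", mid=3):
        print(e["ts"], e["action"], "policy", e.get("policy"))
    print("denied by policies:", denies_for_flow(entries, "10.1.10.25", "192.168.2.20", 21))
```

Searching on mid=3 alone returns three messages from two different families; adding id=fw_access_control narrows it to the two firewall messages, which is why the guide tells you to search on both fields.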
Email. If you configure email logging, but no logs reach the mail server, check the following.
1. Verify the email logging settings by completing one of the following:
• From the Web browser interface, click System > Logging > Email Forwarding.
• From the CLI, enter:
hostswitch(tms-module-C)# show logging email
2.
2. Ensure that the appropriate access policy is added to allow the TMS zl Module to send SNMP traps. The access policy should allow SNMP traffic between the Self zone and the zone that contains the SNMP trap receiver. (Traps are sent from Self to the receiver on UDP port 162, so the Self-to-<zone> direction is the one that must be permitted.)
• From the Web browser interface, click Firewall > Access Policies > Unicast.
• From the CLI, enter:
hostswitch(tms-module-C)# show access-policy
All of your access policies will be listed.
Troubleshooting DHCP Problems
This section explains how to troubleshoot problems with:
■ Workstations receiving an IP address
■ TMS zl Module VLANs receiving an IP address

Workstations Cannot Receive an IP Address
If workstations cannot receive a dynamic IP address, check two different settings. First, check the DHCP relay settings. Make sure that DHCP relay is enabled on the VLAN and that the DHCP server settings are correct.
2. From the CLI, enter the following command to renew the IP address:
hostswitch(tms-module-C:config)# vlan <vlan-id> ip address dhcp

Troubleshooting the Firewall
When you are configuring and troubleshooting the firewall, you should review how the firewall operates. With these guidelines in mind, you can then apply the strategy outlined in this section to isolate your problem and fix it.
For example, the firewall matches a packet against Unicast Internal-to-External access policy 1 before it matches it against Unicast Internal-to-External access policy 2. The module takes the action that is specified in the first policy that the packet matches and then stops processing policies for that packet. If the packet does not match any of the access policies in the policy set, the TMS zl Module drops the packet (implicit deny).
You can assign a VLAN to any zone, but it is recommended that you assign the VLAN that includes your company's WAN connection to the External zone. The extra protections are then applied to traffic transmitted from the Internet to your internal network.

Strategy for Resolving Firewall Problems
The advantage of using access policies is that you can tailor them to your company's unique environment.
Figure 10-8. Strategy for Troubleshooting Firewall Issues
This strategy is outlined in the sections that follow.

Define the Problem. When you define the problem, determine exactly what traffic is being handled incorrectly. List the source and destination addresses, the VLANs, the zones, and the type of traffic (both protocol and port). Then, list the exact problem, as you understand it at this point.
Table 10-6. Defining the Problem and Documenting the Troubleshooting Process

Source (IP Address, VLAN, Zone):      10.1.10.0/24; Faculty VLAN (VLAN 10); Internal zone
Destination (IP Address, VLAN, Zone): 192.168.2.20; Server VLAN (VLAN 50); Zone1
Type of Traffic:                      FTP, port 21
Definition of the Problem:            Traffic is being denied but should be permitted.
Troubleshooting Steps:                1. Enabled logging for all the access
The answers to these questions will help you narrow down the cause of the problem so you can implement a solution. Move to the section that applies to your problem:
■ "Traffic Does Not Match an Access Policy" on page 10-44.
■ "Traffic Matches Another Access Policy" on page 10-48.
■ "Traffic Matches the Intended Access Policy But Does Not Arrive at Its Destination" on page 10-48.

Traffic Does Not Match an Access Policy.
does not block it. Then, try to ping the module from the endpoint that is experiencing the problem. If the endpoint cannot ping the module, check the network infrastructure.
You may want to open the firewall temporarily to allow all traffic from the source zone to the destination zone. Create a temporary access policy that permits all services and addresses, place it at the top of the policy set, and enable logging on it. Remove it as soon as you have identified the problem; while it exists, the zone pair is unprotected.
■ Check the intended access policy to see if it includes a schedule. The network administrator who created the access policy may have configured a schedule for it so that traffic is allowed only at certain times.
■ If user authentication is enabled on the access policy, ensure that it is set up correctly and that the user authenticates successfully.
To ensure that the TMS zl Module can resolve domain names successfully, complete the following steps:
a. Ensure that your DNS settings are configured correctly so that the TMS zl Module can resolve the DNS name. Complete one of the following:
– In the Web browser interface, click Network > Settings > General.
– At the CLI, enter:
hostswitch(tms-module-C)# show ip dns
b.
Traffic Matches Another Access Policy. You may check the log messages and see that the packet has matched another access policy (not the one you intended it to match). This happens when an earlier policy in the same policy set also matches the traffic: because the first match wins, the intended policy is never reached. For example, the following log message indicates that an access policy has denied, or blocked, certain traffic.
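The first-match rule described under "Troubleshooting the Firewall" and the shadowing case in this section can be checked offline. The following Python script is an added example (not HP code): it evaluates a constructed Internal-to-Zone1 policy set for the FTP flow from Table 10-6, reports which earlier policy catches the traffic instead of the intended one, reorders the set, and also models the temporary permit-all policy the procedure suggests. The zone names, policy numbers and rule contents are assumptions.

```python
"""First-match evaluation of a TMS-style unicast access policy set.

Added example, not HP code. Zone names, policy numbers and the addresses
(taken from the Table 10-6 FTP case) are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    number: int            # position in the From-zone -> To-zone policy set
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR, single address, or "any"
    dst: str
    dstport: Optional[int] = None   # None = any port

    def matches(self, proto: str, src: str, dst: str, dstport: int) -> bool:
        def addr_ok(spec: str, ip: str) -> bool:
            return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)
        return (
            self.proto in ("any", proto)
            and addr_ok(self.src, src)
            and addr_ok(self.dst, dst)
            and self.dstport in (None, dstport)
        )


def evaluate(policies: List[Policy], proto, src, dst, dstport) -> Tuple[str, Optional[int]]:
    """Return (action, policy number). The first matching policy wins and
    evaluation stops; a packet that matches nothing is dropped (implicit deny)."""
    for p in sorted(policies, key=lambda p: p.number):
        if p.matches(proto, src, dst, dstport):
            return p.action, p.number
    return "drop", None


def shadowing_policy(policies, intended: int, proto, src, dst, dstport) -> Optional[int]:
    """If traffic meant for `intended` is caught by an earlier policy, return its number."""
    _, hit = evaluate(policies, proto, src, dst, dstport)
    return hit if hit is not None and hit != intended else None


def with_temporary_permit_all(policies: List[Policy]) -> List[Policy]:
    """The troubleshooting step 'permit all services and addresses': a permit-any
    policy placed ahead of everything else. Remove it when you are done."""
    return [Policy(0, "permit", "any", "any", "any")] + list(policies)


def reorder(policies: List[Policy], number: int, new_number: int) -> List[Policy]:
    """Move policy `number` to position `new_number`, renumbering the rest in order."""
    ordered = sorted(policies, key=lambda p: p.number)
    moving = next(p for p in ordered if p.number == number)
    rest = [p for p in ordered if p.number != number]
    rest.insert(new_number - 1, moving)
    return [Policy(i + 1, p.action, p.proto, p.src, p.dst, p.dstport) for i, p in enumerate(rest)]


# Constructed Internal -> Zone1 policy set for the Table 10-6 case:
# FTP from 10.1.10.0/24 to 192.168.2.20 should be permitted by policy 3,
# but policy 2 (a broad FTP deny) sits in front of it.
INTERNAL_TO_ZONE1 = [
    Policy(1, "permit", "tcp", "10.1.10.0/24", "192.168.2.0/24", 80),
    Policy(2, "deny", "tcp", "10.1.10.0/24", "any", 21),
    Policy(3, "permit", "tcp", "10.1.10.0/24", "192.168.2.20", 21),
]


if __name__ == "__main__":
    flow = ("tcp", "10.1.10.25", "192.168.2.20", 21)
    print("before:", evaluate(INTERNAL_TO_ZONE1, *flow),
          "shadowed by", shadowing_policy(INTERNAL_TO_ZONE1, 3, *flow))
    print("after: ", evaluate(reorder(INTERNAL_TO_ZONE1, 3, 2), *flow))
```

Moving the specific permit ahead of the broad deny is the usual fix; the deny is still useful afterwards, because it keeps FTP to every other host in Zone1 blocked.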
To view the status of ALGs, enter:
hostswitch(tms-module-C)# show alg
You will see output similar to the following:
ftp     : Enabled
ike     : Disabled
ils     : Disabled
ils2    : Disabled
irc     : Disabled
l2tp    : Disabled
netbios : Disabled
pptp    : Disabled
rtsp    : Disabled
sql     : Disabled
tftp    : Disabled
To enable an ALG, enter:
hostswitch(tms-module-C:config)# alg <name>
To achieve best performance and follow security best practices, only enable the ALG
■ Missing routes or misconfigured routing protocols
Ensure that the module's default gateway can be reached and that the module has all the routes it needs to handle the traffic it receives.
■ Check to see if the firewall's connection limit has been exceeded. If the TMS zl Module is handling a high volume of traffic, check the logs to see if the traffic exceeds the connection limit.
Troubleshooting Specific Problems Related to the Firewall
This section outlines a few specific problems that you may encounter when using firewall features and provides a possible solution for each.

One or More Switch VLANs Are Not Shown in the TMS zl Module's Drop-Down List. If you try to add a VLAN to a zone and the VLAN is not listed in the drop-down list on the Add VLAN Association window, complete the following steps:
1.
You Suspect a Problem with an ALG. If you think there is a problem with an ALG, you may want to temporarily disable the ALG. To do so, complete the following steps:
1. Access the switch's CLI and enter the following command to reach the module's CLI:
hostswitch# services <slot> name tms-module
Replace <slot> with the slot in which the module is installed (C in the examples in this chapter).
2. Move to the global configuration context:
hostswitch(tms-module-C)# configure terminal
3.
4. Create or modify the permanent access policy based on the connectivity information provided by the logs. If IPS is enabled and you see log messages that indicate packets were dropped because IPS detected a problem, see "Troubleshooting IPS" on page 10-54.
5. When you have fixed the problem, remove the temporary access policy that you created to troubleshoot the problem.
■ What happens if the TMS zl Module does not match traffic to a NAT policy?
The TMS zl Module continues to process the traffic if there are no NAT policy matches; the traffic is simply not translated. The module then tries to match the traffic against access policies, and the traffic is dropped only if it matches a deny policy or matches no access policy at all.
Figure 10-9. Intrusion Prevention > Settings > Actions Window
4. If necessary, click Apply My Changes.
You can also check the IPS setting from the CLI. Enter:
hostswitch(tms-module-C)# show ips
You will see output similar to the following. (The output of some commands uses IPDS, which refers to the IPS.)
IPDS: Enabled
Last Signature Status: Error occurred during last update.
Note the problem indicated: the TMS zl Module was not able to resolve the domain name and download updated signatures. If you see this error, check your DNS settings and make sure your access policies allow DNS traffic from Self. If you are using a proxy server, make sure your access policies allow traffic from Self to this server.

Enable IPS on an Access Policy
By default, IPS is enabled for access policies.
Signature Is Triggered Too Frequently
If an IPS signature is triggered, you should always investigate and find out whether network security is being threatened. This is especially true if the IPS signature is triggered excessively. When an IPS signature is triggered frequently by the same device, you may sometimes find that a particular system behaves in a way that seems suspicious or mirrors the behavior of a known security problem but is in fact legitimate. Disable a signature only after you have confirmed this: disabling it removes that detection for every host, not just for the one generating the noise.
3. Locate the signature in the list and clear the Enable option.
4. Click Save.
You can also disable a signature from the CLI. Enter:
hostswitch(tms-module-C:config)# ips signatures disable <signature-id>

Troubleshooting Problems with Downloading the IDS/IPS Signatures
After you register your IDS/IPS signature subscription, you should be able to download the latest signatures from the HP signature server.
Troubleshooting VPNs
The following sections help you troubleshoot a VPN connection. The first section, "VPN Troubleshooting Tools" on page 10-59, provides you with some basic troubleshooting tools.
■ Keyword is:
• id=vpn_
• dstport=500 (IKE)
• dstport=4500 (IKE and ESP encapsulated in UDP when NAT traversal is in use)
• dstport=1723 (PPTP)
• dstport=1701 (L2TP)
• id=fw

Use the CLI capture Command to Troubleshoot the VPN.
3. Copy the file from the server to your management station. Open the packet trace file in a network protocol analyzer such as Wireshark to examine the packet contents and trace the tunnel negotiation.

Note
If the packet trace does not give enough detailed information, you can try setting the VPN key exchange mode to aggressive (in both the module's and the client's IKE policy). Aggressive mode sends the peers' identities unencrypted and, with preshared-key authentication, exposes a hash that can be attacked offline, so use it only while troubleshooting and return to Main mode afterward.
2. Assign the switch port to the VLAN on which the module receives traffic from remote clients (this is also the forwarding VLAN in the route to these clients). For example, if the remote clients connect through the Internet, assign the switch port to the VLAN on which the TMS zl Module connects to the Internet router.
3.
Depending on what you see in the VPN > Connections > VPN Connections window, you can determine which part of the VPN connection you need to troubleshoot.
■ No IKE SA or IPsec tunnel
If you do not see either an IKE SA or an IPsec tunnel for the connection, then IKE is not initiating or is failing to complete. If this is the case, begin by troubleshooting IKE. (See "Troubleshoot IKE for a Client-to-Site IPsec Connection" on page 10-63.)
If you use the CLI capture command to view IKE messages while you attempt to initiate a connection from the test client, you can pinpoint the problem more precisely using Table 10-7.

Table 10-7. IKE capture Messages

Example capture Messages | Problem | Begin Troubleshooting
No messages | The module is not receiving or not accepting the remote client's IKE messages. | Step 1 on page 10-64
IP tms1.isakmp > tms2.
Access policies
External to Self
Permit isakmp Any 172.16.1.254
Permit ipsec-nat-t-udp Any 172.16.1.254
Self to External
Permit isakmp 172.16.1.254 Any
Permit ipsec-nat-t-udp 172.16.1.
Note
When you create new access policies, enable logging on them for the purposes of troubleshooting.
Your access policies might specify particular IP addresses for remote endpoints. If so, create temporary access policies that permit IKE and NAT-T traffic to and from any IP address. Assign these access policies the top priority. If the IKE SA is then established, your original access policies are misconfigured. Remove the temporary policies once you have corrected the originals.
7. Check IKE settings on the TMS zl Module against settings on the remote clients. To establish an IKE SA, the TMS zl Module and the remote clients must agree on a number of settings. Table 10-8 displays those settings and how they should match up between the module and the remote device. Most settings must match exactly.
If you make any corrections to the IKE policy, try to send VPN traffic from the test device. Then re-evaluate. If you must continue troubleshooting, leave any changes to the IKE policy that you are confident are corrections. However, if you experiment with a change and the experiment does not solve the problem, revert to your original settings.
8. In the previous step, you checked the general IKE policy.
b. If the IKE SA comes up, you know that certificates were causing the problem. Look for these common errors:
– Certificates are not properly loaded on the TMS zl Module. The module requires a certificate authority (CA) certificate and an IPsec certificate. If you cannot load the module's IPsec certificate, verify that you have already loaded the CA certificate for the CA that issued the module's certificate.
Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN. This section includes tips for troubleshooting IPsec settings. It is best practice to clear the IKE SA and attempt to establish the VPN connection from the test client after making each change. Then re-evaluate the connection:
■ If the traffic can reach its destination, you can stop troubleshooting.
If you do not want to enter the capture command and view the output, try these tips in this order. (Use the Web browser interface to check these settings.)
1. Check the IPsec traffic selector, which is configured in the IPsec policy: the protocol, local addresses, and local ports (if configured) must exactly match the protocol, addresses, and ports configured for the remote network on the remote client.
Table 10-10.
The most basic setup is an access policy that exactly matches the reverse of the IPsec traffic selector:
■ From zone = the zone configured for IKE mode config in the IPsec policy
■ To zone = the zone for local endpoints that the remote clients are allowed to access
■ Protocol = Any (or the same protocol in the traffic selector)
■ Source addresses = IKE mode config addresses
■ Source port = Any (or the remote port in the traffic sele
5. Attempt to initiate a VPN connection. If the VPN connection comes up and the test client can successfully send traffic across it, then you should look for problems such as the following:
■ The TMS zl Module and the actual remote clients cannot reach each other. Check the module's routes and verify that it has a route to the remote clients (which may not be directly connected to a TMS VLAN as the test client is).
Figure 10-13. View VPN Connections
This window displays IKE SAs and IPsec VPN tunnels. The IKE SA is the authenticated phase 1 channel that must be established before the IPsec tunnel (phase 2) can be negotiated. The IPsec tunnel is the connection over which users send encrypted traffic. Depending on what you see in the VPN > Connections > VPN Connections window, you can plan which part of the VPN connection you need to troubleshoot.
■ IKE SA but no IPsec tunnel
If you see an IKE SA, click the Check status link. If the status indicates "SA_Mature," the IKE SA is fully established. However, the IPsec tunnel has not come up; the connection has failed partway through the process. In this case, begin by troubleshooting IPsec settings. (See "Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN" on page 10-70.)
■ If the IPsec tunnel comes up on the TMS zl Module but the VPN connection on the test client does not, continue with "Troubleshoot L2TP Local Settings" on page 10-84.
■ If the IKE SA comes up but the IPsec tunnel does not, continue with "Troubleshoot IPsec Settings for a Client-to-Site L2TP over IPsec VPN" on page 10-83.
■ If the IKE SA does not come up, continue to the next tip.
Note
These policies must be configured for the None user group.

Access policies
External to Self
Permit isakmp Any 172.16.1.254
Permit ipsec-nat-t Any 172.16.1.254
Permit l2tp-udp Any 172.16.1.
You might also try configuring access policies that permit this traffic to and from each zone and the Self zone (in case you have mistaken the remote clients' zone).

Note
When you create new access policies, enable logging on them for the purposes of troubleshooting.
Your access policies might already permit the proper traffic but specify particular IP addresses for remote endpoints.
5. Check the IKE policy on the TMS zl Module and verify that it uses Main for the key exchange mode.
6. Check all of your IKE policies and verify that no other IKE policy matches the remote clients ahead of the one you expect. Note that IKE policies remain active even when there are no active IPsec policies associated with them.
7. Check IKE settings on the TMS zl Module against settings on the remote clients.
Table 10-13. IKE Security Settings Proposed by Windows XP Clients

Proposal | Encryption Algorithm | Authentication Algorithm | Diffie-Hellman Group | SA Lifetime in Seconds
1 | 3DES | SHA-1 | 2 | 28800
2 | 3DES | MD5 | 2 | 28800
3 | DES | SHA-1 | 1 | 28800
4 | DES | MD5 | 1 | 28800

Configure the module's IKE policy to match proposal 1. DES, MD5, and Diffie-Hellman group 1 are obsolete, and the only reason to accept them is a client that cannot offer anything stronger.

Common errors include:
• The local or remote ID has been miskeyed, or the remote device uses a different ID type.
8. If the IKE policy specifies DSA Signature or RSA Signature for the Authentication mode, troubleshoot certificates:
a. If possible, configure both ends of the VPN connection to use preshared keys instead of certificates and configure the same key on both devices. If the IKE SA still does not come up, change the authentication mode back to its original setting; the problem may be on the other side of the connection.
b.
Troubleshoot IPsec Settings for a Client-to-Site L2TP over IPsec VPN. This section includes tips for troubleshooting IPsec settings. It is best practice to clear the IKE SA and attempt to re-establish the VPN connection after making each change. Then re-evaluate the connection:
■ If the traffic can reach its destination, you can stop troubleshooting.
Table 10-14. IPsec Security Settings Proposed by Windows XP Clients

Proposal | Protocol | Encryption Algorithm | Authentication Algorithm
1 | ESP | 3DES | SHA-1
2 | ESP | 3DES | MD5
3 | ESP | DES | SHA-1
4 | ESP | DES | MD5

In the module's IPsec policy, disable Perfect Forward Secrecy (PFS) and set the lifetime to the default settings. (The Windows XP client does not propose PFS, so a module policy that requires it never completes phase 2.)

Troubleshoot L2TP Local Settings.
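The matching in step 7 of the IKE procedure (the same check applies to the site-to-site procedure later in this chapter) and the PFS point above can be reproduced in a few lines. The following Python script is an added example, not HP code: it walks the Windows XP proposals from Tables 10-13 and 10-14 in order, accepts the first one that equals an assumed module-side IKE or IPsec policy, and reports the resulting state in the terms the VPN Connections window uses (no IKE SA, IKE SA only, tunnel). The module-side policy values and the decision to require the SA lifetime to match exactly are assumptions; how a lifetime mismatch is handled is implementation-dependent.

```python
"""Responder-side proposal selection for IKE phase 1 and IPsec phase 2.

Added example, not HP code. The Windows XP proposal lists are the ones in
Tables 10-13 and 10-14; the module-side policy values passed in are assumed.
Lifetime handling on a mismatch is implementation-dependent, so this example
takes the conservative reading of "most settings must match exactly" and
requires the lifetime to be equal too.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    encryption: str   # "3DES", "DES", "AES-128", ...
    hash: str         # "SHA-1" or "MD5"
    dh_group: int
    lifetime_s: int


@dataclass(frozen=True)
class IpsecProposal:
    protocol: str     # "ESP" or "AH"
    encryption: str
    auth: str


# Tables 10-13 and 10-14: what a Windows XP client offers, in order of preference.
XP_IKE: List[IkeProposal] = [
    IkeProposal("3DES", "SHA-1", 2, 28800),
    IkeProposal("3DES", "MD5", 2, 28800),
    IkeProposal("DES", "SHA-1", 1, 28800),
    IkeProposal("DES", "MD5", 1, 28800),
]
XP_IPSEC: List[IpsecProposal] = [
    IpsecProposal("ESP", "3DES", "SHA-1"),
    IpsecProposal("ESP", "3DES", "MD5"),
    IpsecProposal("ESP", "DES", "SHA-1"),
    IpsecProposal("ESP", "DES", "MD5"),
]
WEAK = {"DES", "MD5"}


def select_ike(local: IkeProposal, offered: List[IkeProposal]) -> Optional[IkeProposal]:
    """First offered phase 1 proposal equal to the local IKE policy, else None."""
    for p in offered:
        if p == local:
            return p
    return None


def select_ipsec(local: IpsecProposal, local_pfs: bool,
                 offered: List[IpsecProposal]) -> Optional[IpsecProposal]:
    """First offered phase 2 proposal equal to the local IPsec policy.

    The XP client proposes no PFS, so a module policy that requires PFS never
    agrees whatever the algorithms are; that is the case the advice to disable
    PFS addresses."""
    if local_pfs:
        return None
    for p in offered:
        if p == local:
            return p
    return None


def negotiate(local_ike: IkeProposal, local_ipsec: IpsecProposal, local_pfs: bool,
              offered_ike=XP_IKE, offered_ipsec=XP_IPSEC) -> Tuple[str, List[str]]:
    """Return (state, notes); state is 'no-ike-sa', 'ike-sa-only' or 'tunnel'."""
    notes: List[str] = []
    ike = select_ike(local_ike, offered_ike)
    if ike is None:
        return "no-ike-sa", ["phase 1: no offered proposal matches the IKE policy"]
    for alg in (ike.encryption, ike.hash):
        if alg in WEAK:
            notes.append(f"phase 1 agreed on obsolete algorithm {alg}")
    ipsec = select_ipsec(local_ipsec, local_pfs, offered_ipsec)
    if ipsec is None:
        reason = "PFS required locally but not offered" if local_pfs else "no offered IPsec proposal matches"
        return "ike-sa-only", notes + [f"phase 2: {reason}"]
    for alg in (ipsec.encryption, ipsec.auth):
        if alg in WEAK:
            notes.append(f"phase 2 agreed on obsolete algorithm {alg}")
    return "tunnel", notes


if __name__ == "__main__":
    good_ike = IkeProposal("3DES", "SHA-1", 2, 28800)
    good_ipsec = IpsecProposal("ESP", "3DES", "SHA-1")
    print(negotiate(good_ike, good_ipsec, local_pfs=False))
    print(negotiate(good_ike, good_ipsec, local_pfs=True))
    print(negotiate(IkeProposal("AES-128", "SHA-1", 2, 28800), good_ipsec, False))
```

An AES policy on the module produces "no IKE SA" against this client because nothing AES-based is ever offered, and a correct phase 1 with PFS enabled produces the "IKE SA but no IPsec tunnel" picture: the two states the window shows map directly onto which phase failed.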
h. Click the Security tab.
Figure 10-15. Windows XP—Properties Window > Security Tab
i. Select Advanced (custom settings) and click Settings.
Figure 10-16. Windows XP—Advanced Security Settings
j. For Data encryption, ensure that Require encryption (disconnect if server declines) is selected.
k. Select Allow these protocols.
l. Select the check box for the authentication protocol that is configured on the module. Clear all other check boxes.
Troubleshoot L2TP Authentication to a Remote RADIUS Server. If the VPN > Connections > VPN Connections window on the TMS zl Module shows that the IPsec tunnel is up but the VPN connection on the remote client still fails, the L2TP connection is failing. (Sometimes the IPsec tunnel is deleted soon after the L2TP connection fails.)
3. If you do see logs for the RADIUS request, open the log and view the reason for the rejection. Common reasons include:
• The connection attempt did not match any remote access policy.
Figure 10-17. Example IAS Error Message
This error indicates that the attributes in the authentication request for the L2TP user do not match the attributes that are set as conditions for the access policy.
ii. Expand Remote Access Policies and find the policy intended for L2TP user authentication.
iii. Right-click the policy and select Properties.
iv. Examine the Policy conditions list.
It is very important that the conditions do not specify any attributes other than the following (they do not need to specify all of these):
– Windows-Group
The user must be in the specified group.
Figure 10-18. Example IAS Remote Access Policy

Note
This error can occur when you set up your remote access policy using a wizard. The wizard adds attributes to the conditions without your realizing it. Always double-check a policy that you create with a wizard and verify that the conditions are correct.

• The RADIUS client is unknown or there is a problem with the message authenticator value. On IAS, check the client as follows:
i.
Edit the remote access policy to change the authentication method. To change the policy on IAS, follow these steps:
i. Open IAS from the Administrative Tools.
ii. Expand Remote Access Policies and find the policy intended for L2TP user authentication.
iii. Right-click the policy and select Properties.
iv. Click Edit Profile.
v. Click the Authentication tab.
vi. Select the correct check box to match the client's setting.
4.
Table 10-16. RADIUS Attributes Required for L2TP RADIUS Access-Accept Messages

Attribute | Value | Additional Guidelines
Service-Type | Framed |
Filter-ID | Name of a user group on the TMS zl Module | The value must exactly match a name that you configured in "Create a User Group" on page 7-165.
Framed-IP-Address | If each user's account specifies an IP address (for example, in AD): No setting necessary |
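Two of the failure causes in this procedure, a shared secret that differs between the module and the server and an Access-Accept that carries the wrong attributes, can both be checked on the wire. The following Python script is an added example, not HP code: it builds a RADIUS Access-Accept with a correct Response Authenticator (RFC 2865, section 3), parses it back, verifies the authenticator with the shared secret, and checks the attributes against Table 10-16 (Service-Type must be Framed, Filter-Id must exactly name a user group on the module, Framed-IP-Address is optional). The secret, identifier, request authenticator, group name and address are constructed values.

```python
"""Build, parse and check a RADIUS Access-Accept against the attribute
requirements in Table 10-16, and verify its Response Authenticator (RFC 2865
section 3) with the shared secret, which is the check that fails when the
module and the server are configured with different secrets.

Added example, not HP code. The secret, identifier, request authenticator,
group name and address are constructed values.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCESS_ACCEPT = 2
SERVICE_TYPE, FRAMED_IP_ADDRESS, FILTER_ID = 6, 8, 11
SERVICE_TYPE_FRAMED = 2


def u32(n: int) -> bytes:
    return struct.pack("!I", n)


def ipv4(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize Code|ID|Length|ResponseAuth|attributes, where ResponseAuth =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_radius(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, List[bytes]]]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs: Dict[int, List[bytes]] = {}
    i = 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(pkt[i + 2:i + l])
        i += l
    return code, ident, pkt[4:20], attrs


def response_authenticator_ok(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def check_l2tp_accept(pkt: bytes, request_auth: bytes, secret: bytes, module_groups) -> List[str]:
    """Problems that would make the module reject this Access-Accept; [] = acceptable."""
    problems: List[str] = []
    if not response_authenticator_ok(pkt, request_auth, secret):
        problems.append("Response Authenticator mismatch: shared secret differs")
    code, _, _, attrs = parse_radius(pkt)
    if code != ACCESS_ACCEPT:
        problems.append(f"code {code} is not Access-Accept")
    st = attrs.get(SERVICE_TYPE)
    if not st or st[0] != u32(SERVICE_TYPE_FRAMED):
        problems.append("Service-Type must be Framed")
    fid = attrs.get(FILTER_ID)
    if not fid:
        problems.append("Filter-Id missing")
    elif fid[0].decode("ascii", "replace") not in module_groups:
        problems.append(f"Filter-Id {fid[0]!r} is not a user group on the module (exact match)")
    fip = attrs.get(FRAMED_IP_ADDRESS)
    if fip is not None and len(fip[0]) != 4:   # optional, but if present it must be an IPv4 address
        problems.append("Framed-IP-Address is not 4 bytes")
    return problems


# Constructed values for a stand-alone run.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-shared-secret"
ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, [
    (SERVICE_TYPE, u32(SERVICE_TYPE_FRAMED)),
    (FILTER_ID, b"vpn-users"),
    (FRAMED_IP_ADDRESS, ipv4("192.168.10.50")),
])

if __name__ == "__main__":
    print(check_l2tp_accept(ACCEPT, REQUEST_AUTH, SECRET, {"vpn-users"}))
    print(check_l2tp_accept(ACCEPT, REQUEST_AUTH, b"wrong-secret", {"vpn-users"}))
```

The group-name comparison is deliberately case-sensitive and byte-exact, which is the behaviour the table describes; a Filter-Id of VPN-Users will not select a module group named vpn-users.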
On the TMS zl Module, reset the shared secret as follows:
i. In the Web browser interface, select Network > Authentication > RADIUS.
ii. Edit the RADIUS server entry and set the correct shared secret.

Troubleshoot Access Policies for a Client-to-Site L2TP over IPsec VPN. If the VPN connection seems to be up but the remote client's traffic cannot reach its destination, a firewall access policy is probably to blame.
Troubleshoot a Site-to-Site IPsec VPN
This section outlines a process for troubleshooting a failed site-to-site IPsec VPN.

Set up a Test Device. As you troubleshoot the VPN, you must periodically attempt to establish the VPN to determine whether you have fixed the problem. To test the site-to-site connection, attempt to send allowed traffic over the VPN from a local endpoint to a remote endpoint.
Figure 10-19. View VPN Connections
This window displays IKE SAs and IPsec VPN tunnels. The IKE SA is the authenticated phase 1 channel that must be established before the IPsec tunnel (phase 2) can be negotiated. The IPsec tunnel is the connection over which users send encrypted traffic. Depending on what you see in the VPN > Connections > VPN Connections window, you can plan which part of the VPN connection you need to troubleshoot.
■ IKE SA but no IPsec tunnel
If you see an IKE SA, click the Check status link. If the status indicates "SA_Mature," the IKE SA is fully established. However, the IPsec tunnel has not come up; the connection has failed partway through the process. In this case, begin by troubleshooting IPsec settings. (See "Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN" on page 10-70.)
Table 10-17. IKE capture Messages

Example capture Messages | Problem | Begin Troubleshooting At:
No messages | IKE is not initiating. | Step 1 on page 10-97
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1. | The module and the remote gateway's IKE security settings do not match. | Step 7 on page 10-102

In the second pattern the initiator (I) keeps sending its identity-protection proposal and the responder (R) answers each one with an informational exchange (inf), which is a notification such as NO_PROPOSAL_CHOSEN rather than the next step of the handshake.
Access policies
External to Self
Permit isakmp 172.16.24.253 172.16.1.254
Permit ipsec-nat-t-udp 172.16.24.253 172.16.1.254
Self to External
Permit isakmp 172.16.1.254 172.16.24.253
Permit ipsec-nat-t-udp 172.16.1.254 172.16.24.
2. Check NAT policies and look for interference. The module applies NAT before it selects traffic for the VPN. Therefore, it might translate the source address of traffic that should be sent over the VPN to an address that is not specified in the IPsec traffic selector, preventing the connection from initiating. If you have implemented NAT on the TMS zl Module, make sure that NAT does not interfere with the VPN:
a.
i. In the Firewall > NAT > NAT Policies window, click Add Policy.
ii. For Translate, select None.
iii. For From Zone, select Internal, which is the zone for local endpoints in the example VPN.
iv. For To Zone, select External, which is the zone for remote endpoints in the example VPN.
v. For Source, specify 192.168.3.0/24, which are the local endpoints configured in the example IPsec policy traffic selector.
vi. For Destination, specify 192.
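The ordering described in step 2 (NAT first, then VPN traffic selection) is easy to get wrong and easy to model. The following Python script is an added example, not HP code: it applies a constructed source-NAT policy to a packet from the example local network, shows that the translated source no longer falls inside the IPsec traffic selector, and then shows that the Translate=None policy from steps i to vi, placed ahead of the existing NAT policies, restores the match while Internet-bound traffic is still translated. The local network 192.168.3.0/24, the Internal and External zones and the module address 172.16.1.254 come from this chapter's example; the remote network 192.168.5.0/24 is the one in the routes example that follows, and the NAT policy itself is an assumption.

```python
"""NAT is applied before VPN traffic selection: show how a source-NAT policy
pulls traffic out of the IPsec traffic selector, and how a Translate=None
policy placed ahead of it restores the match.

Added example, not HP code. The local network 192.168.3.0/24, zones Internal
and External and module address 172.16.1.254 come from the guide's example;
the remote network 192.168.5.0/24 is taken from the guide's routes example,
and the NAT policy is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def in_net(ip: str, spec: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


@dataclass
class NatPolicy:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    translate: Optional[str]   # None = no translation, else the new source address


@dataclass
class IpsecSelector:
    local: str                 # local endpoints (CIDR)
    remote: str                # remote endpoints (CIDR)


def apply_nat(nat_policies: List[NatPolicy], from_zone, to_zone, src, dst) -> str:
    """First matching NAT policy wins; return the post-NAT source address."""
    for p in nat_policies:
        if (p.from_zone == from_zone and p.to_zone == to_zone
                and in_net(src, p.src) and in_net(dst, p.dst)):
            return src if p.translate is None else p.translate
    return src


def would_tunnel(nat_policies, selector: IpsecSelector, from_zone, to_zone,
                 src, dst) -> Tuple[bool, str]:
    """Run NAT first, then test the result against the IPsec traffic selector."""
    post_nat_src = apply_nat(nat_policies, from_zone, to_zone, src, dst)
    selected = in_net(post_nat_src, selector.local) and in_net(dst, selector.remote)
    return selected, post_nat_src


def with_exemption(nat_policies, selector, from_zone, to_zone) -> List[NatPolicy]:
    """The fix from the procedure: a Translate=None policy for exactly the
    selector's local->remote traffic, placed before the existing NAT policies."""
    exempt = NatPolicy(from_zone, to_zone, selector.local, selector.remote, translate=None)
    return [exempt] + list(nat_policies)


# Constructed: the usual 'hide everything behind the module's External address' rule.
SELECTOR = IpsecSelector("192.168.3.0/24", "192.168.5.0/24")
NAT = [NatPolicy("Internal", "External", "192.168.3.0/24", "any", translate="172.16.1.254")]


if __name__ == "__main__":
    print(would_tunnel(NAT, SELECTOR, "Internal", "External", "192.168.3.10", "192.168.5.20"))
    print(would_tunnel(with_exemption(NAT, SELECTOR, "Internal", "External"),
                       SELECTOR, "Internal", "External", "192.168.3.10", "192.168.5.20"))
```

Because NAT policies are also evaluated first-match, the exemption has to sit above the broad translation rule; placing it below changes nothing.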
• The remote gateway
If the module uses a default route to reach the remote gateway, that route suffices for the remote endpoints as well. However, when the TMS zl Module has a specific route to the remote VPN gateway, you must add a route to the remote network beyond the gateway. Use the same next hop as the route to the remote gateway, as shown in Figure 10-24.
Routes
172.16.24.0/24 through 172.16.1.1
192.168.5.0/24 through 172.16.1.
7. Check IKE settings on the TMS zl Module against settings on the remote gateway. To establish an IKE SA, the TMS zl Module and the remote gateway must agree on a number of settings. Table 10-18 displays those settings and how they should match up between the module and the remote device.
Table 10-18.
If you make any corrections to the IKE policy, try to send VPN traffic from the test device. Then re-evaluate. If you must continue troubleshooting, leave any changes to the IKE policy that you are confident are corrections. However, if you experimented with a change and the experiment did not solve the problem, revert to your original settings.
8. In the previous step, you checked the general IKE policy.
c. After you make a configuration change, re-enable XAUTH in the IKE policy and on the remote gateway.
d. Clear the IKE SA (and IPsec tunnel if present) and try to re-establish the VPN.
e. Check the status of the VPN connection and determine your next step.
9. If the IKE policy specifies DSA Signature or RSA Signature for the Authentication mode, troubleshoot certificates:
a.
b.
c.
10. At this point, at least the IKE SA should be up. If you were using XAUTH and have disabled it, re-enable this setting now. Clear the IKE SA and IPsec tunnel and verify that the IKE SA comes up. If it does not, you must troubleshoot XAUTH (see step 8-b on page 10-103).
11. Verify that the IPsec tunnel is established after the IKE SA comes up and that the proper traffic can cross it. If necessary, continue troubleshooting.
Note
• The local addresses on the local module do not match the remote addresses on the remote module, and vice versa. The modules do not consider the addresses to match even though the Any setting includes the necessary addresses within it.
• The Local port setting on the local module does not match the Remote port setting on the remote gateway.
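The mirror rule in this note (the local module's local addresses and port must literally equal the remote gateway's remote addresses and port, and vice versa, with Any never standing in for a specific value) is easy to get wrong by hand. The following added example, not code from the HP manual or module, compares two traffic selectors field by field; the selector values are constructed, reusing the 192.168.3.0/24 local endpoints from the example VPN.

```python
"""Mirror check for IPsec traffic selectors on two tunnel endpoints.
Added example; not part of the HP TMS zl Module documentation."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TrafficSelector:
    """One side's IPsec policy traffic selector, as entered on that device."""
    local_addr: str    # e.g. "192.168.3.0/24" or "Any"
    remote_addr: str   # e.g. "192.168.5.0/24" or "Any"
    local_port: str    # e.g. "Any" or "443"
    remote_port: str


def normalize(value: str) -> str:
    """Canonical form for a literal comparison.

    Case and whitespace are ignored and a bare host address gets /32 so that
    "10.1.1.5" equals "10.1.1.5/32". "Any" is deliberately NOT expanded: the
    module treats Any and a specific address/port as different, so we do too.
    """
    v = value.strip().lower()
    if v == "any":
        return v
    if "/" not in v and v.replace(".", "").isdigit() and v.count(".") == 3:
        return v + "/32"
    return v


def selector_mismatches(local: TrafficSelector, remote: TrafficSelector) -> List[str]:
    """Return a description of every field that fails the mirror check.

    Each field on the local module is compared with the *swapped* field on the
    remote gateway: local addresses against the remote's remote addresses,
    local port against the remote's remote port, and so on. An empty list
    means the two selectors mirror each other exactly.
    """
    pairs = [
        ("local addresses vs remote gateway's remote addresses", local.local_addr, remote.remote_addr),
        ("remote addresses vs remote gateway's local addresses", local.remote_addr, remote.local_addr),
        ("local port vs remote gateway's remote port", local.local_port, remote.remote_port),
        ("remote port vs remote gateway's local port", local.remote_port, remote.local_port),
    ]
    return [
        f"{name}: {ours!r} != {theirs!r}"
        for name, ours, theirs in pairs
        if normalize(ours) != normalize(theirs)
    ]


# Constructed selectors: the local module protects 192.168.3.0/24 and talks to
# 192.168.5.0/24 behind the remote gateway, any port on either side.
LOCAL = TrafficSelector("192.168.3.0/24", "192.168.5.0/24", "Any", "Any")
# Correct mirror image on the remote gateway.
REMOTE_OK = TrafficSelector("192.168.5.0/24", "192.168.3.0/24", "Any", "Any")
# Remote side uses Any for its remote addresses: broader, but not a match.
REMOTE_ANY = TrafficSelector("192.168.5.0/24", "Any", "Any", "Any")

if __name__ == "__main__":
    for label, remote in (("mirrored", REMOTE_OK), ("Any on remote", REMOTE_ANY)):
        problems = selector_mismatches(LOCAL, remote)
        print(label, "->", "match" if not problems else problems)
```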
Table 10-19.
If you can do so securely, try configuring these most basic policies and see if the traffic can reach its destination. Remember to enable logging on the policies in question so that you can see when traffic matches a policy. It is possible that the module is permitting the traffic but another security device is dropping it. Once you get traffic flowing across the tunnel, you can experiment with more restrictive policies.
Attempt to send traffic to a remote endpoint from the local test device:
■ If the traffic cannot reach its destination, you must troubleshoot the GRE tunnel (see “Troubleshoot the GRE Tunnel” on page 10-109).
■ If the traffic can reach its destination, the GRE tunnel is functioning correctly. Re-enable the IPsec policy. You must troubleshoot IKE and IPsec.
3. Verify that the firewall access policies allow the following traffic:
• Traffic between local and remote endpoints (which initiate the GRE tunnel). The correct zone for the remote endpoints is the Firewall Zone Association configured in the GRE tunnel settings.
Access policies (From zone to To zone: Action, Service, Source, Destination)
External to Self: Permit gre 172.16.24.1 172.16.1.254
Internal to Zone 1: Permit any 10.1.0.0/16 10.2.0.0/16
Self to External: Permit gre 172.16.1.254 172.16.24.1
Zone1 to Internal: Permit any 10.2.0.0/16 10.1.0.
4. Check routes in the Network > Routing > Static Routes window and verify that these routes exist:
• A route to the remote gateway. The TMS zl Module requires this route to set up the GRE tunnel.
• A route through the GRE tunnel to the remote network.
Troubleshooting Routing
When the TMS zl Module is operating in routing mode, routing is always enabled.
OSPF
When you enable OSPF, the TMS zl Module uses version 2. Again, your access policies must allow the appropriate multicast and unicast traffic for OSPF.
Resolve Common Issues with an HA Cluster
The following suggestions explain how to resolve common problems with setting up an HA cluster. If the specific problem you are experiencing is not listed in this section, see “Use the capture Command to Resolve Issues with an HA Cluster” on page 10-116.
■ After you configure a TMS zl Module and then set up an HA cluster, the configuration on the master was lost.
Each module must have a unique priority number. You can select a priority setting from 1 to 255. If the modules in the cluster are in different switches, you should also ensure that the HA VLAN and all TMS VLANs are configured on both switches.
Figure 10-26. Sample HA Configuration
■ The master is down, but a failover does not occur.
■ An HA failover occurred, and the participant became the master. When the master came online again, it became the participant.
This is the expected behavior of an HA cluster. If you want the new participant to once again be the master, you must reboot the current master so the cluster members’ roles will change once again. It is recommended that such a reboot take place during off hours to minimize the impact on the network.
hostswitch(tms-module-D:config)# capture any
You can use the extended options shown in Table 10-20 to capture certain types of traffic, based on protocol or Ethernet packet type, source IP address, destination IP address, source port, or destination port. You can specify several combinations of the extended options, and you can enter the options in almost any order.
Table 10-20.
Copy Snapshot and Other Files from the Participant in an HA Cluster
When you are troubleshooting problems with an HA cluster, you may sometimes need to copy files from the participant to an external server. For example, you may want to send a snapshot to HP Support for further analysis. To copy files from the participant, complete the following steps.
3. View the VLANs on the participant.
hostswitch(tms-module-C)# show vlans
You will see output similar to the following:
  Internet (IP) Service
  IP routing: enabled
  Default gateway:
  Domain suffix: example.com
  DNS server:
  ID   VLAN     Zone    IP Config  IP Address  Subnet Mask
  ---  -------  ------  ---------  ----------  -----------
  *20  VLAN20   ZONE1   static
  *: Allow IP from switch on this VLAN.
6. Create a VLAN in the management zone on the participant. This VLAN must be created on the switch but must not be managed by the master in the HA cluster.
hostswitch(tms-module-C:config)# vlan 40 zone zone1 allow
Success: Added VLAN 40 to zone ZONE1.
Note
Remember that these configuration changes are temporary. Do not save the VLAN you have created or any of the other changes you will make to the participant.
7.
10. Verify that the participant can access the external server. For example:
hostswitch(tms-module-C)# ping 172.16.40.10
PING 172.16.40.10 (172.16.40.10) 32(60) bytes of data.
40 bytes from 172.16.40.10: icmp_seq=1 ttl=64 time=4.88 ms
40 bytes from 172.16.40.10: icmp_seq=2 ttl=64 time=0.121 ms
40 bytes from 172.16.40.10: icmp_seq=3 ttl=64 time=0.102 ms
40 bytes from 172.16.40.10: icmp_seq=4 ttl=64 time=0.107 ms
--- 172.16.40.
For example:
hostswitch(tms-module-C)# copy snapshot scp 172.16.40.10 par.ss user feng
Password: ********
Success: Copied snapshot file to: Host:172.16.40.10 File:par.ss
TMS-zl-Module#
Verify that the snapshot file was copied to the external server. You may want to monitor the traffic between the master and participant to ensure that these steps have no impact on the master.
Troubleshooting the TMS zl Module in Monitor Mode
This section provides some guidelines for troubleshooting the TMS zl Module when it operates in monitor mode.
You should also configure a default gateway:
hostswitch(tms-module-C:config)# ip route 0.0.0.0/0
■ The module’s management port is a tagged member of the management VLAN.
When the TMS zl Module operates in monitor mode, its internal data 1 port is used to receive mirrored traffic. Its internal data 2 port is the management port. When you configure a management VLAN, port 2 is automatically tagged on that VLAN.
If you are using Internet Explorer, complete the following steps:
a. Click Tools > Internet Options > Privacy.
b. Click Sites.
c. Type the module’s interface address and click Allow.
d. Click OK to close each window.
■ You receive an Invalid Login! error message.
If you receive an Invalid Login! error, check the following:
• Ensure that the username and password are entered correctly.
■ Clicking Help does not have any effect.
If you cannot access the TMS zl Module’s online help, disable pop-up blockers in your Web browser.
Using Log Messages to Troubleshoot Problems
The main tool you will use to resolve problems is the TMS zl Module’s log messages.
Checking the Time
The TMS zl Module synchronizes its time from the host switch. You should ensure that the switch has the correct time so that the module also has the correct time. The time stamps on your log messages will then be accurate.
Viewing Log Messages
To use the log messages to monitor the TMS zl Module, complete the following steps.
Note
1. Click System > Logging.
2. Click View Log.
3.
■ fw=[hostname]
If you are reading logs that have been collected from several network devices (such as with SNMP traps or a syslog server), replace [hostname] with the name of a module to select only the messages that the module generated.
■ username=[manager | operator | userid]
Search for the username to see when someone logged on to the module with that name or role.
SNMP. If you configure an SNMP trap destination but no logs reach the SNMP trap receiver, verify the settings by completing one of the following:
■ From the Web browser interface, click System > Logging > SNMP Traps.
want to disable that signature. The first option is generally preferred so that the TMS zl Module can continue to protect your network from the attack that is detected by that particular signature.
To disable a signature, complete the following steps:
1. Click Intrusion Detection > Signatures.
2. Click View.
Figure 10-28. Intrusion Detection > Signatures > View Window
3. Locate the signature in the list and clear the Enable option.
4.
A Command-Line Reference
Contents
Overview  A-10
Command Syntax Statements  A-11
CLI Help  A-12
List Available Commands  A-12
List Options for a Command
Services OS Show Commands  A-23
show assigned-mac-address  A-23
show chassis  A-23
show images  A-24
show ip
snapshot  A-42
traceroute  A-42
write  A-43
Global Configuration Context  A-44
aaa
high-availability  A-72
high-availability active-standby  A-73
high-availability multicast-ip  A-73
high-availability ip  A-74
high-availability synchronize
logging  A-89
logging email  A-89
logging snmpv2  A-90
logging snmpv3  A-90
logging syslog
traceroute  A-113
user  A-114
user group  A-115
vlan  A-115
vlan
IPsec Policy Apply Context  A-137
advanced  A-138
apply  A-139
iras  A-139
key-exchange-method
OSPF Context  A-178
rfc1583-compatibility  A-179
restrict  A-179
area  A-179
area nssa
show ip route  A-196
show ip mroute  A-197
show ip pim  A-197
show ip igmp  A-197
show ip dns
Overview
This chapter describes the commands provided by the command line interface (CLI). The TMS zl Module CLI is context-based; different commands are available from different contexts. When you are managing the TMS zl Module and you try to use a command that is not supported from the current context, you will receive an error message. The following sections introduce groups of commands that are available from various CLI contexts.
Figure A-1. CLI Context Command Groups
Command Syntax Statements
Syntax: copy [event-log | startup-config | snapshot | pcap] [tftp | scp]
Vertical bars ( | ) separate alternative, mutually exclusive elements. Square brackets ( [ ] ) indicate optional elements.
Braces ( < > ) enclose required elements. Vertical bars or braces within square brackets ( [ < > ] ) indicate a required element within an optional choice. Vertical bars or braces within braces ( < < > > ) indicate a required element within a required choice. All italics indicate variables for which you must supply a value when executing the command. For example, in the command above, you must provide the destination server location and the destination filename.
List Options for a Command
You can also use the ? to view the options for a particular command. For example, you might enter:
hostswitch(tms-module-)# capture ?
Command Completion
You can also use the Tab key to complete the current word in a command. To do so, type one or more consecutive characters in a command and then press [Tab] (with no spaces allowed).
Services OS Operator Context Commands
The Services OS operator context allows restricted access to some troubleshooting commands on the Services OS of the module. To access this context, enter the following command from the host switch’s operator-level context:
Syntax: services < | name >
Moves you to an OS context on the module.
Figure A-2. Services OS Operator Context
The following sections describe commands that are available from the operator context of the Services OS.
exit
To leave a specific interface or configuration context, enter exit. The exit command moves you back one mode level. For example, if you were in the HA configuration context and entered exit, you would return to the global configuration context.
Note
This command is not available unless the TMS zl Module is booted to the Services OS.
For example:
hostswitch(tms-module-)> ping 10.1.1.1
When you send ICMP echoes, the module displays the ping statistics to describe the types of responses the router receives. If you need to halt a ping operation, press Ctrl+Z.
show
See “Services OS Show Commands” on page A-23.
Services OS Manager Context Commands
The Services OS manager context allows restricted access to the Services OS of the module, providing only a limited number of commands. From this mode, you can download and install software and licenses. CLI access to the Services OS is designed primarily for blade maintenance, not for configuring the module. The Services OS context is used to complete basic setup and maintenance tasks.
The commands in this section are the Services OS CLI commands with the Services OS booted.
Figure A-3. Services OS
To access all commands in the Services OS manager context, you must boot the module in the Services OS using the boot command. Until the module is booted in the Services OS, you can access a limited set of commands, including boot, licenses, exit, and some show commands.
delete
This command deletes images from the module. To delete an image, enter the following command:
Syntax: delete
Replace with the filename of the image you want to delete.
download
This command downloads an image to the module’s blade.
ip
This is the only configuration command available from the Services OS manager context. It allows you to configure the module’s IP address and default gateway. To configure the module’s IP address, enter the following command:
Syntax: [no] ip < dhcp | address >
Use the dhcp option to configure the module to receive a dynamic IP address.
ping
Use this command to send an ICMP echo to a specified destination.
Syntax: ping < IP address | hostname >
Replace with the IP address of the ping destination. Replace with the hostname of the ping destination. The module displays the number of pings sent and responses received. For example:
hostswitch(tms-module-)# ping 10.1.1.
usb
The usb commands allow you to upload and download files to and from a USB drive. Before you can transfer files to or from a USB drive, you must mount the USB. To mount the USB, enter the following command:
Syntax: usb mount
Once the USB has been mounted, you can copy files to and from the device.
Services OS Show Commands
The Services OS show commands allow you to view information about the blade and to troubleshoot. These commands are available at both the operator and the manager level. The show commands available in the Services OS are described below.
Figure A-4. CLI Services OS Context
show assigned-mac-address
This command shows the MAC address assigned to the module by the switch.
show images
This command shows the images in the images repository.
Syntax: show images [details]
show ip
This command shows the IP settings of the module (IP address and default gateway).
Syntax: show ip
show licenses
This command shows the license status for services.
Syntax: show licenses [uninstalled]
Enter the optional uninstalled keyword to view uninstalled licenses.
show logging
This command shows all of the logging information.
show version
This command shows the software version.
Syntax: show version [details]
Product OS Operator Context Commands
The Product OS operator context features a limited number of commands that allow an operator to collect troubleshooting information. To access the Product OS operator context, enter the operator context of the CLI of the switch in which the TMS zl Module resides.
The product index number is assigned to the TMS zl Module by the switch. This product index number varies, depending on whether or not any HP ONE Services zl Modules are also installed in the host switch. The ONE Services zl Module is a hardware platform that supports multiple products, such as the HP Data Center Connection Manager (DCM). (DCM provisions the network with the settings required for servers in a data center environment.
Table A-7 provides an example of a host switch that is running:
■ DCM on a ONE Services zl Module
■ TMS zl Module
On this host switch, DCM was installed and booted first, so the host switch assigned it index number 2. It then assigned the TMS zl Module index number 3.
Table A-3. CLI Display of Services
Slot     Index  Description                     Name
C, D, E  1.     Services zl Module              services-module
D        2.     Data Center Connection Manager  dcm
C, E     3.
capture
The capture command shows the current packets on a VLAN interface, a GRE tunnel, a High-Availability (HA) interface, or all interfaces. This command is useful for troubleshooting connection problems and monitoring network activity because it allows you to see all of the packets that are sent across a VLAN or HA interface or a GRE tunnel.
Extended Command Option / Purpose
ip: ip, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, netbeui
Specifies the transport protocol of the packet to be captured: tcp, udp, icmp, igmp, eigrp, gre, lt2p, pim, ah, esp, vrrp, ospf, multicast
For example:
hostswitch(tms-module-)# capture terminal any pktcount 20
enable
This command enables you to access the ma
logout
Exit the current CLI session and return to the login screen.
Syntax: logout
nslookup
This command is used to learn a device’s IP address according to its hostname by querying the TMS zl Module’s DNS server.
Syntax: nslookup
Replace with the hostname you want to resolve.
For example, to send a ping to a device with the IP address 192.168.115.104:
hostswitch(tms-module-)> ping 192.168.115.104
When you send ICMP echoes, the module displays the ping statistics to describe the types of responses the router receives. If you need to halt a ping operation, press Ctrl+Z.
Note
If you cannot ping a device, check that an access policy allows ICMP/Echo traffic from the Self zone to the zone you are trying to ping.
You can set extended options for tracing a route by typing additional keywords after the IP address. You can specify any combination of the extended options shown in Table A-5, and you can enter the options in any order.
Table A-5.
Product OS Manager Context Commands
The Product OS manager context is used to configure the firewall, IDS or IPS, VPN, and other features provided by the TMS zl Module. To access the Product OS manager context, first access the manager context of the CLI of the switch in which the TMS zl Module resides as a manager:
Syntax: services < | name >
Moves you to an OS context on the module.
The product index number is assigned to the TMS zl Module by the switch. This product index number varies, depending on whether or not any HP ONE Services zl Modules are also installed in the host switch. The ONE Services zl Module is a hardware platform that supports multiple products, such as the HP Data Center Connection Manager (DCM). (DCM provisions the network with the settings required for servers in a data center environment.
Table A-7 provides an example of a host switch that is running:
■ DCM on a ONE Services zl Module
■ TMS zl Module
On this host switch, DCM was installed and booted first, so the host switch assigned it index number 2. It then assigned the TMS zl Module index number 3.
Table A-7. CLI Display of Services
Slot     Index  Description                     Name
C, D, E  1.     Services zl Module              services-module
D        2.     Data Center Connection Manager  dcm
C, E     3.
batch
This command enables and disables batch, or scripting, mode. Turning on batch mode will put the CLI into a state that facilitates scripting: paging will be disabled and any user prompts (for example, Do you want to continue? [y/n]) will be suppressed.
Syntax: [no] batch
This command is also available from the global configuration context.
boot
This command exits the current session and reboots the module.
If you want to capture packets for a high-availability (HA) interface, include the ha option. If you want to capture packets on all interfaces, include the any option. You can use the extended options to capture certain types of traffic, based on protocol, source IP address, destination IP address, source port, or destination port. You can set extended options for capturing an interface by typing additional keywords after the network interface.
This command is also available from the global configuration context.
configure
The command moves you to the Product OS CLI’s global configuration context.
Syntax: configure [terminal]
copy
The copy commands are used to move various file types to and from the TMS zl Module. The copy command supports FTP, SCP, and TFTP transfer protocols.
Syntax: copy tftp < startup-config | image >
Syntax: copy < ftp | scp > < startup-config | image > user
Replace with the IP address of your TFTP or SCP server. Replace with the name of the file you are uploading from your server. Replace with the username on the account on your FTP or SCP server.
exit
To leave a specific interface or configuration mode, enter exit. The exit command moves you back one mode level. For example, if you were in the HA configuration context and entered exit, you would return to the global configuration context.
Syntax: exit
This command is available from all contexts.
logout
Exit the current CLI session and return to the login screen.
nslookup
This command is used to learn a device’s IP address according to its hostname.
Syntax: nslookup
Replace with the hostname you want to resolve. For example, if you wanted to know the IP address for router5, you would enter:
hostswitch(tms-module-)# nslookup router5
page
This command enables and disables page mode.
Note
If you cannot ping a device, check that you have configured an access policy to allow ICMP/Echo traffic from the Self zone to the zone you are trying to ping.
snapshot
This command creates a restore point for your network.
Table A-9.
Global Configuration Context
From the global configuration context, you can make configuration changes that apply to the entire module. You can configure the system’s global parameters such as the hostname, passwords, and banners. You can also configure other features:
■ Firewall
■ NAT
■ VPN
■ IDS/IPS
■ Routing
Which of these options is available depends on the operating mode.
Some commands are not available when the TMS zl Module is in monitor operating mode. See Table A-10.
Table A-10.
Command         Routing mode  Monitor mode
nat             X
nslookup        X             X
operating-mode  X             X
page            X             X
password        X             X
ping            X             X
port-map        X             X
port-trigger    X
radius-server   X
rate-limit      X
router          X
schedule        X
service         X
service-group   X
snapshot        X             X
snmpv2          X             X
snmpv3          X             X
time            X             X
traceroute      X             X
user            X
vlan            X
vpn             X
write           X
zone            X
show            X             X
aaa
This command configures how the TMS zl Module authenticates management users:
Recall that, on the TMS zl Module, you can assign a domain name to a RADIUS server. If you do so, users must submit their username followed by @ when authenticating to that server.
access-policy
You use the access-policy command to configure all of your firewall access policies.
The available parameters and options for the command are shown in Table A-11. At the end of the access-policy command, you can append various optional keywords, which are listed in Table A-11 as extended options.
Table A-11.
Parameter / Options
protocol:
service: See “Services Available” on page A-100 for a table of the default service objects.
Parameter / Options
extended options:
• schedule (this option must be entered before all other extended options)
• log
• ips-off
• enable
• disable
• insert-at
• update-at < position | id >
• mss
You can use any combination of the extended options, as many or as few as you like.
Table A-12.
For example, if you want to allow a multicast policy for all FTP traffic between Zone3 and Zone5, you would enter the following command:
hostswitch(tms-module-:config)# access-policy multicast zone3 zone5 permit service ftp any any
address
This command creates (or deletes) an address object. With this command you can create either single-entry or multi-entry objects.
To create (or delete) a new address group object, enter the following command:
Syntax: [no] address-group [add
attack-setting
This command enables (or disables) the firewall’s attack checks.
Syntax: [no] attack-setting
Replace with the attack against which you want the firewall to check. Available attacks are listed in Table A-14.
Table A-14. Available Attack Checks
Option / Definition: See Chapter 4: “Firewall.
Command-Line Reference Global Configuration Context banner Set the banner that is displayed on the Web browser interface login page. Syntax: [no] banner motd Replace with the text that you want to display on the Web browser interface login page. This text cannot contain any spaces or special characters. batch This command enables or disables batch, or scripting, mode. Syntax: [no] batch This command is also available from the Product OS manager context.
Command-Line Reference Global Configuration Context You can view the output to the terminal, or you can save the output in a pcap file. Syntax: capture < file | terminal > [vlan | gre | ha | any] If you want to capture packets on a VLAN, include the vlan option and specify an ID. If you want to capture packets on a GRE tunnel, include the gre option and specify the tunnel name.
Command-Line Reference Global Configuration Context Extended Command Option Purpose • • • • • • • tcp udp icmp igmp eigrp gre lt2p • • • • • • pim ah esp vrrp ospf multicast For example: hostswitch(tms-module-:config)# capture terminal vlan 100 pktcount 20 This command is also available from the Product OS manager context. certificates If you use DSA or RSA signatures for the authentication method in an IKEv1 policy, you must install certificates on the TMS zl Module.
Enter the following command to generate a certificate request:
Syntax: certificates generate request signature private-key id subject [alternative-name ]
Replace with a descriptive alphanumeric string. The name must be unique for this request. Replace with the string that you assigned to a private key.
Note: The subject name or one of the alternate names must match these settings:
■ The local ID in IKE policies that use this certificate
■ The remote ID in IKE policies on remote tunnel endpoints that verify this certificate
The name must match in both type and value. For example, if you have typed TMS.company123.
Replace with the full certificate, CRL, or private key filename as stored on the server. For example, c:/folder/cert.crt. Replace with the username on the account on your FTP or SCP server. After entering this command, you will be prompted for the user’s password.
For example:
hostswitch(tms-module-:config)# certificates import ca ftp 192.168.11.23 c:/folder/cert.
Replace with the value the CA uses to identify the TMS zl Module. A unique CA identifier is not always necessary (in which case, you can omit this segment of the command). Your CA should tell you if you need to specify a unique identifier and, if you do, what it is.
For example:
hostswitch(tms-module-:config)# certificates scep server 192.168.11.52 port 81 cgi-path /certsrv/mscep/mscep.
Enter the following command to remove CA certificates, IPsec certificates, CRLs, private keys, and certificate requests:
Syntax: no certificates
Replace with the name of the CA that issued the certificate you are deleting.
Enter the following command to delete a private key:
Syntax: no certificates private-key id
Replace with the ID of the private key you are deleting.
connection-settings limit
This command sets the absolute maximum number of connections that a specified zone is allowed.
Syntax: connection-settings limit
Replace with the zone for which you are setting a connection limit.
Note: If you renamed a zone using a keyword in the CLI (such as GRE, VPN, or L2TP), include the zone name in quotation marks when you enter the connection-settings command.
For example, to set an absolute maximum of 3000 connections for the external zone, enter the following command:
hostswitch(tms-module-:config)# connection-settings limit external 3000
connection-settings timeout
Set a limit for the amount of time an inactive connection can stay open. You can set these limits for the default services or you can create a custom timeout setting.
Replace with the TCP or UDP port for the service. Replace with the number of seconds that you want an inactive session to remain open.
For example, network administrators at HP University want to create a connection reservation for the research faculty members in Zone1. They want to reserve 500 outbound connections, and the research faculty are assigned IP addresses 10.164.2.50–10.62.32.4. They enter the following command:
hostswitch(tms-module-:config)# connection-settings reservation zone1 outbound ip-range 10.164.2.50 10.62.32.
Replace with the username on the account on your FTP or SCP server. These commands are also available in the Product OS manager context.
dhcp-relay
This command enables (or disables) DHCP relay globally:
Syntax: [no] dhcp-relay
This command adds (or deletes) the DHCP servers to which the module forwards DHCP requests.
Syntax: [no] dhcp-relay server
Replace with the IP address for your DHCP server.
end
To return to the manager context, enter end. The end command moves you back to the manager context, regardless of the context where you enter the command.
Syntax: end
This command is available from all contexts.
erase
This command exits the current session and reboots the router with the factory default startup-configuration.
no gre
Enter the following command to delete a GRE tunnel:
Syntax: no gre
Replace with the character string that was configured for this tunnel.
gre disable
Enter the following command to disable a GRE tunnel:
Syntax: gre disable
Replace with the character string that was configured for this tunnel.
Replace with the name of the GRE tunnel on which you are enabling or configuring RIP. The options available for the command are shown in Table A-20.
Table A-20. RIP on GRE Command Options
Command Option / Purpose
metric: Specifies the cost added to routes advertised on this GRE tunnel (1-16). The default metric is 1.
[v1-only | v2-only | v1-and-v2]: Specifies the RIP version used by routers on this subnet.
Table A-21. OSPF on GRE Command Options
Command Option / Purpose
area: Specifies the area to which you want to assign the GRE tunnel. For , you can use integer or dotted-decimal (x.x.x.x) notation. However, the show ip ospf area command will always display the area ID in dotted-decimal notation. For example, 0.0.0.1 will be displayed if you type 1 as the area ID and 0.0.1.0 will be displayed if you type 256 as the area ID.
hostswitch(tms-module-:gre--pimsparse)#
See “GRE PIM Context” on page A-121.
gre keepalive
This command enables the GRE tunnel keepalive mechanism. To configure keepalives for a GRE tunnel, enter the following command:
Syntax: gre keepalive
Replace with the name of the GRE tunnel on which you are enabling (or disabling) keepalive.
Replace with an IP address that does not exist on a subnet in your system and is not part of a TMS VLAN. This address is the IP address assigned to the tunnel interface. Replace with a virtual address that is not already used by the device on the other end of the GRE tunnel. This will be the gateway address for routes that use the tunnel as the forwarding interface.
Option / Result
multicast-ip: Sets the multicast address for HA protocols
synchronize: Propagates the cluster master’s startup-configuration to the other cluster member
ip: Sets the high-availability interface IP address
vlan: Sets the high-availability interface VLAN
high-availability active-standby
To set the cluster scheme and configure the cluster’s parameters, enter the following command:
Syntax: high-availability active-standby cluster
high-availability ip
This command specifies the IP address of the TMS zl Module on the HA VLAN. To set the HA interface IP address, type the following command:
Syntax: high-availability ip
Replace with the IP address and subnet mask you want to assign to the module.
You must reboot the module after performing this command.
hostname
It is often useful to give the router a name that helps to distinguish it from other routers in your network. To change the router’s hostname, enter the following command:
Syntax: hostname
Replace with the hostname you want to assign to the module. This name can only include alphanumeric characters.
ip route
This command creates static routes for the module, including the default route. To create (or delete) a static route, enter the following command:
Syntax: [no] ip route < | > [metric ] [distance ]
Replace with the IP address and subnet mask of the route’s destination. For a default route, type 0.0.0.0 0.0.0.0.
Syntax: [no] ip-reassembly [reassembly options]
You can specify any of the extended options shown in Table A-23, but you can enter only one option at a time.
Table A-23.
ips full-inspection
By default, the TMS zl Module inspects only the first few kilobytes of each connection in each direction. However, you can specify that every packet in every session be inspected by the IDS/IPS. This option consumes more system resources, but it also provides the best security effectiveness.
To configure HTTP protocol anomalies, enter the following command (you can configure only one parameter at a time):
Syntax: ips protocol-anomaly http [header-size | header-line-size | uri-line-size | lines ]
Replace with the maximum header size in bytes (100 to 5120). Replace with the maximum header line size in bytes (100 to 5120).
To enable or disable a specific signature, enter the following command:
Syntax: ips signatures < enable | disable >
Replace with the name of the signature family for which you want to enable or disable the checks. Replace with the signature ID of the threat for which you want to enable or disable checks.
For example, to drop packets classified as critical, enter the following command:
hostswitch(tms-module-:config)# ips threatlevel critical terminate
ips web-proxy
The ips web-proxy command allows you to configure a web proxy for your IPS. To create a web proxy for your IPS, enter the following:
Syntax: [no] ips web-proxy [ ]
Replace with the IP address or hostname of your web proxy.
■ IPsec policy context—the commands in this context enable you to specify the settings for an IPsec SA (the actual VPN connection). (See “IPsec Policy Context” on page A-131.) Within this context there are three additional contexts:
• Auto Key Exchange context—from this context, you select the IKEv1 policy that this IPsec policy will use as well as the SA lifetime and the tunnel’s Perfect Forward Secrecy settings.
Replace with the unique name of the IKE policy that you are creating or editing (1–15 alphanumeric characters). After entering this command, you will be moved to the CLI’s IKEv1 context. See “IKEv1 Context” on page A-122. To delete an IKE policy, use the no option. Replace with the name of the IKE policy that you want to delete.
ipsec ip-compression
Use this command to set the minimum packet size for IP compression.
Replace with one of the following authentication protocols:
■ md5
■ sha-1
■ aes-xcbc
■ none
Note, however, that you must select either an authentication or an encryption protocol. You cannot configure none for the authentication protocol if null is selected for the encryption protocol.
For example:
hostswitch(tms-module-:config)# ipsec proposal testprop encapsulation tunnel security esp encryption des auth md5
Success: The IPsec proposal was added successfully.
Auto SA revalidation allows the TMS zl Module to automatically revalidate SAs when the associated policy is changed or when the time or bandwidth lifetime expires. If you disable auto SA revalidation, the TMS zl Module does not revalidate the SA until a packet arrives for that SA (which might slow processing for that packet). This feature is enabled by default.
Note: Optionally, you can create these settings for the domain associated with your RADIUS server:
• The IP addresses assigned to L2TP clients
• The DNS servers assigned to L2TP clients
• The WINS servers assigned to L2TP clients
Before you configure L2TP to use the RADIUS server, you should configure the RADIUS server that the TMS zl Module uses to provide user authentication and authorization.
Replace with the domain name that you specified for the RADIUS server in the radius-server host command. If this RADIUS server is not assigned to a specific domain—you did not include the domain-name option when you entered that command—replace with global. Replace and with the first and last IP addresses in the range of addresses that the remote clients will be assigned.
Parameter / TMS zl Module Setting
Global domain IP settings:
Start IP address: 10.2.2.2
End IP address: 10.2.2.224
Primary DNS server: 192.168.12.200
Secondary DNS server: —
Primary WINS server: —
Secondary WINS server: —
hostswitch(tms-module-:config)# radius-server host 192.168.12.36 secret password nas-id tms-module
hostswitch(tms-module-:config)# l2tp radiusauth 10.2.2.
logging
The logging command allows you to set the severity level for logging; the module logs messages for events of the selected severity level or higher. It also allows you to configure the threshold for the suppression of duplicate log messages and to set up log forwarding using the following methods:
■ SNMP traps
■ Syslog messages
■ Email messages
logging email
To configure email forwarding, use the commands listed below.
For example, enter these commands to set up log forwarding:
hostswitch(tms-module-:config)# logging enable
hostswitch(tms-module-:config)# logging server 10.1.1.34 from-address tms@company123.com manager password password
hostswitch(tms-module-:config)# logging address logger@company123.
Syntax: [no] logging snmpv3 user auth [md5 | sha] privacy [aes | des]
This command specifies the SNMPv3 user to which you are forwarding logs. Replace < IP address> with the IP address to which the module will forward logs. Replace with the SNMPv3 user that the module will forward logs to. Replace with the SNMPv3 user’s authentication passphrase.
Table A-25.
Table A-26. Options for the Logging Command
Option / Result
severity [critical | major | minor | warning | information]: Sets the minimum severity for an event in order for the module to log that event. See “Log Severity” on page A-93.
enable: Enables log throttling, which prevents the module from logging duplicate messages.
Replace with the number of duplicate events that you want to occur before the module logs a tally message (1–2147483647). The default number is 500. Replace with the number of seconds that you want to pass before the module logs a tally message with the number of duplicate events (150–2147483647). The default is 600 seconds.
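The severity filter and the duplicate-count/time-window throttling described above, as an added Python model that is not HP code: the page does not state exactly when the module emits its tally message, so the model assumes a tally is logged when either the duplicate count or the time window is reached and that the window then restarts; the event stream and thresholds are constructed for the example.

```python
"""Simplified model of the TMS zl Module's log severity filter and duplicate
suppression (log throttling). Added illustration, not HP code: the tally rule
(emit when the count threshold OR the time window is reached, then restart the
window) is an assumption, since the page does not spell it out."""
from dataclasses import dataclass, field

# Severity levels from the logging command, lowest to highest.
SEVERITY_ORDER = ("information", "warning", "minor", "major", "critical")


@dataclass
class LogThrottle:
    min_severity: str = "information"   # logging severity <level>
    count_threshold: int = 500          # default duplicate count (page: 500)
    interval_seconds: int = 600         # default window (page: 600 seconds)
    throttling_enabled: bool = True     # "logging ... enable"
    # message text -> [timestamp when the window started, duplicates seen]
    _windows: dict = field(default_factory=dict)

    def _is_logged(self, severity: str) -> bool:
        """Events below the configured minimum severity are dropped."""
        return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(self.min_severity)

    def submit(self, ts: int, severity: str, message: str) -> list[str]:
        """Feed one event; return the log lines the module would emit (0 or 1)."""
        if not self._is_logged(severity):
            return []
        line = f"{ts} {severity}: {message}"
        if not self.throttling_enabled:
            return [line]
        window = self._windows.get(message)
        if window is None:
            # First occurrence: log it and open a suppression window.
            self._windows[message] = [ts, 0]
            return [line]
        window[1] += 1
        if window[1] >= self.count_threshold or ts - window[0] >= self.interval_seconds:
            tally = f"{ts} {severity}: last message repeated {window[1]} times"
            self._windows[message] = [ts, 0]   # assumption: window restarts
            return [tally]
        return []   # duplicate suppressed


def replay(events, throttle: LogThrottle) -> list[str]:
    """Run a constructed event stream through the throttle and collect output."""
    out = []
    for ts, severity, message in events:
        out.extend(throttle.submit(ts, severity, message))
    return out


# Constructed sample events (timestamp in seconds, severity, message).
SAMPLE_EVENTS = [
    (0, "warning", "TCP SYN flood suspected from 10.0.0.9"),
    (1, "warning", "TCP SYN flood suspected from 10.0.0.9"),
    (2, "warning", "TCP SYN flood suspected from 10.0.0.9"),
    (3, "warning", "TCP SYN flood suspected from 10.0.0.9"),
    (4, "information", "user admin logged in"),
    (5, "warning", "TCP SYN flood suspected from 10.0.0.9"),
    (30, "warning", "TCP SYN flood suspected from 10.0.0.9"),
]

if __name__ == "__main__":
    # Lower thresholds than the defaults so the short sample stream triggers tallies.
    for line in replay(SAMPLE_EVENTS, LogThrottle("warning", 3, 10)):
        print(line)
```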
Replace with the ID for the VLAN for which you want to prioritize traffic. (This allows managers to access the module even when the network is highly congested or perhaps even in the case of a DoS attack.)
management zone
To add a zone to the set of management zones, type the following command:
Syntax: management zone
Replace with the zone from which you want to manage the module.
For example, to assign the module IP address 10.10.15.72/24, enter the following command:
hostswitch(tms-module-:config)# management ip 10.10.15.72 255.255.255.0
management vlan
To configure your management VLAN, enter the following command:
Syntax: management vlan
Replace with the VLAN ID number. The IP address that you assigned to the module must be part of a subnet associated with this VLAN.
The available parameters and options are shown in Table A-27. At the end of the access-policy command, you can append various optional keywords, which are listed in Table A-27 as extended options.
Replace with the source zone of the policy that you want to delete. Replace with the destination zone of the policy that you want to delete. The destination zone for a destination NAT policy must be Self. Replace with the position of the policy that you want to delete.
Table A-27.
Parameter / Options
protocol
service: See Table A-28 on page A-100.
Table A-28.
nslookup
This command is used to learn a device’s IP address according to its hostname.
Syntax: nslookup
Replace with the hostname of the device for which you are looking up the IP address. For example, if you wanted to know the IP address for router5, you would enter:
hostswitch(tms-module-)# nslookup router5
operating-mode
This command sets the operating mode.
For example, to change the manager password to $tms*manager33, you would enter:
hostswitch(tms-module-:config)# password manager
New password for manager: $tms*manager33
Please retype new password for manager: $tms*manager33
ping
This command sends an ICMP echo to a specified destination.
Syntax: ping < IP address | hostname > [repetitions <1-100000>] [data-size <0-65471>]
Replace with the IP address of the ping destination.
To configure (or delete) a port map, enter the following command:
Syntax: [no] port-map < tcp | udp >
Replace with the name of the service for which you are creating the map. Replace with the port on which the firewall and IDS/IPS will expect the service. Available services are listed in Table A-29.
Table A-29.
• service: See Table A-30 for available services.
Replace with the ports allowed for dynamic negotiation. Replace and with the port range allowed for dynamic negotiation.
To delete a port trigger policy, type the following command:
Syntax: no port-trigger
Replace with the name assigned to the policy.
sqlnet, ssh, syslog, tacacs-tcp, tacacs-udp, talk-tcp, talk-udp, telnet, tftp, time, uucp, who, whois, xdmcp, user-configured service objects
radius-server
Use this command to specify the TMS zl Module’s RADIUS server.
If you do not use the domain-name option, the server will be placed in the global domain. Users who log in without a domain name or with a domain name not assigned to another server are authenticated to this server.
Note: You must enter the domain-name option to specify the strip-domain option. If you want to strip the domain from requests to a server that is not assigned a domain name, enter global for the domain-name option.
Replace with the rule ID of the firewall access policy. This rule ID is specific to the group and type of policy. Replace and with the options displayed in Table A-31.
To delete a rate limiting policy, enter the following command:
Syntax: no rate-limit [ group ] id
Replace with the name of the group to which the firewall policy applies. This parameter is optional.
■ The administrative distance
■ Route redistribution—connected, static, RIP
■ The default metric
■ The metric type
■ The router ID
router ospf
To configure OSPF settings, enter the following command:
Syntax: router ospf
The available options for the command are shown in Table A-32.
Table A-32. OSPF Command Options
Command Option / Purpose
distance: Specifies the administrative distance for OSPF routes (1–255).
To enable OSPF and access the OSPF context, enter the following from the global configuration context:
Syntax: router ospf
See “OSPF Context” on page A-178.
router pim
For PIM, you can configure PIM’s Static Rendezvous Points (static RPs). To configure (or delete) static RPs, enter the following command:
Syntax: [no] router pim rp-address
Replace with the IP address of the static RP.
Replace with the day(s) of the week for which you want to allow access. Separate each day of the week with a comma. Replace and with the starting time and ending time for which you want to allow user access. This time should be entered in hhmm format, following a 24-hour clock. All parameters are mandatory.
service
This command creates (or deletes) a service object.
To configure (or delete) a service group object, enter the following command:
Syntax: [no] service-group [add | remove ]
Replace with the name of the service group object you are creating. Replace with the name of the service object that you are adding or removing.
snapshot
This command creates a restore point for your network.
Note: You can only enable one version of SNMP at a time—either SNMPv2 or SNMPv3. This means that when you enable SNMPv2, SNMPv3 is automatically disabled.
To configure SNMPv2 communities and set access rights, enter the following command:
Syntax: [no] snmpv2 server community [ < operator | manager > | ]
Replace with the name that you want to assign to the SNMPv2 community.
Replace with the authentication protocol passphrase for the user. Type privacy and select aes or des. Replace with the privacy passphrase for the user. For the manager role, you must configure privacy settings. For the operator role, you may optionally configure privacy settings, but you are not required to do so.
Table A-34.
user group
This command can be used to create a user group object. To create (or delete) a user group object, enter the following command:
Syntax: [no] user group
Replace with the name of the user group object you are creating.
Note: You cannot delete a VLAN association if DHCP relay or routing is enabled on the VLAN.
vlan ip address
To assign an IP address to the VLAN, enter the following command:
Syntax: vlan ip address < dhcp | >
Replace with the VLAN ID. The dhcp option configures the module to request a DHCP address on this VLAN.
To enable RIP and configure RIP settings for the VLAN, enter the following command:
Syntax: [no] vlan ip rip
Replace with the ID of a host switch VLAN. The options available for the command are shown in Table A-35. Use the no option with any of these options to disable the associated feature.
Table A-35.
Table A-36. OSPF Command Options
Command Option / Purpose
area: Specifies the area to which you want to assign the VLAN. Replace with the ID for the area, which can be either a number (1–4294967294) or an IP address.
cost: Specifies the cost that the VLAN contributes to the overall metric (1-65535).
hello-interval: Specifies the number of seconds between sending hellos (1 to 65,535).
Replace with the VLAN ID. Replace with the zone to which you are assigning the VLAN. Valid options are:
■ internal
■ external
■ dmz
■ zone1
■ zone2
■ zone3
■ zone4
■ zone5
■ zone6
The allow-switch-ip option allows the switch to also have an IP address on this VLAN. The unique-mac option configures a unique MAC address for the TMS VLAN (otherwise, every TMS VLAN shares a MAC address).
zone
This command enables you to rename some zones according to your needs. You can rename all the zones except the Self and External zones.
Note: When renaming zones, it is best practice to avoid using CLI keywords (such as GRE, VPN, or L2TP). If you use one of these keywords, you will need to include the zone name in quotation marks when you enter commands that include a zone name as an option.
GRE PIM Context
Figure A-8. GRE PIM Context
From this context, which is available only when the TMS zl Module is in routing mode, you can assign a DR priority for the module on the GRE tunnel.
IKEv1 Context
The IKEv1 context includes the commands for creating and editing an IKEv1 policy. The commands that you enter in the IKEv1 context do not take effect until you apply them. If you exit before applying your commands, your settings are lost. This context is available only when the TMS zl Module is in routing mode.
Figure A-9.
From the IKEv1 context, you can:
■ Set the IKEv1 type, local gateway, and (for a site-to-site policy) remote gateway (page A-127)
■ Set the local and remote IDs (page A-124)
■ Set the IKEv1 mode and authentication method (page A-123)
■ Set the security parameters proposal (page A-126)
■ Configure XAUTH (page A-128)
■ Preview your IKE policy (page A-125)
■ Apply the policy (page A-123)
Note: You must configure the IKEv1 type and local gateway before you ca
For example:
hostswitch(tms-module-:ikev1)# authentication exchange-mode main method preshared-key
Preshared Key:**********
Confirm Preshared Key:**********
identities
To configure the local ID that the TMS zl Module sends to authenticate itself and the remote ID that the remote gateway or clients send to authenticate, type the following command:
Syntax: identities local type remote
For and specify one of the opti
Table A-37. Local and Remote IDs
Command Option / Purpose / Format / Wildcards for Remote IDs
ip-addr: Specifies an IP address for the ID. Format: A.B.C.D. Example: 192.168.1.100. This value must be the IP address for the module interface that handles incoming VPN traffic (also set as the local gateway address). Wildcard: 0.0.0.0
domain-name: Specifies an FQDN for the ID. Example: company123.
*Local ID Type: Value: IP Address 10.10.50.54
*Remote ID Type: Value: Domain Name gateway.company123.
■ md5
■ sha-1
Replace with the number of seconds that the IKE SA is kept open. Valid values are between 300 seconds (5 minutes) and 86400 seconds (1 day).
For example:
hostswitch(tms-module-:ikev1)# securityproposal dh-group group2-1024 encryption des auth sha-1 sa-lifetime 28800
type
With this command, you specify the type of VPN that the IKEv1 policy will negotiate.
Replace with the IP address of the local gateway. Replace with the ID of the TMS VLAN on which the remote endpoint reaches the TMS zl Module.
For example:
hostswitch(tms-module-:ikev1)# type client-to-site local-gateway vlan 10
xauth
When you configure XAUTH, an optional additional layer of security, the TMS zl Module can act either as a client (authenticate itself) or as a server (authenticate the remote gateway).
Parameter / TMS zl Module Setting
Local ID: IP address—10.10.50.54
Remote ID: IP address—172.15.16.2
Key exchange mode: Main
Authentication method: Pre-shared key—passwordtestvpn
Diffie-Hellman group: Group 1 (768)
Encryption algorithm: 3DES
Authentication algorithm: MD5
SA lifetime: 28800
XAUTH: Disabled
hostswitch(tms-module-:config)# ipsec ikev1 iketest
hostswitch(tms-module-:ikev1)# type site-to-site local-gateway vlan 50 remote-gateway 172.
Preview IKEv1 policy
---------------------------------------------
*Policy Name: iketest
*Policy Type: Site-to-Site
*Local Gateway: VLAN 50 (VLAN50)
*Remote Gateway: 172.15.16.2
*Local ID Type: Value: IP Address 10.10.50.54
*Remote ID Type: Value: IP Address 172.15.16.
IPsec Policy Context
Figure A-10. IPsec Policy Context
The IPsec policy context, available only when the TMS zl Module is in routing mode, includes commands for creating (or editing) an IPsec policy.
Therefore, it is very important that you are ready to complete the IPsec policy before entering the IPsec policy context. Otherwise, you will have to exit the IPsec policy context without entering the apply command, causing you to lose any configuration that you have made to your policy.
action
To specify how the TMS zl Module treats traffic that is selected by this policy, enter the following command:
Syntax: action
Use the apply option for a policy that selects traffic to be secured and sent over a VPN connection. Use the bypass option for a policy that selects traffic that is not secured by a VPN connection but is forwarded to its destination. Use the deny option to select traffic that should be dropped entirely.
Replace with the position you want to assign the policy (1-65535). The module processes the policy with the lowest value first (for example, position 1 before position 2). The position matters most when policies have overlapping traffic selectors. In this case, assign the highest position (lowest value) to the IPsec policy with the most specific traffic selector. Note that you can specify a position that is already used by another policy.
PFS (Perfect Forward Secrecy) for keys: Disabled
SA Lifetime in Seconds: 28800
SA Lifetime in Kilobytes: 0
IP Address Pool for IRAS: Disabled
Advanced Settings
IP compression: Disabled
Anti-Replay Window Size: 32
Extended sequence number: Disabled
Re-key on sequence number overflow: Enabled
Persistent tunnel: Disabled
Fragment before IPsec: Enabled
Copy DSCP value from clear packet: Disabled
DSCP Value: 9
DF Bit Handling: Clear DF bit.
To set the traffic selector, enter the following command:
Syntax: traffic-selector protocol local remote address [port ]
The available options for the command are shown in Table A-39.
Table A-39.
IPsec Policy Apply Context This context includes commands that are specific to configuring IPsec policies with the apply action. This context is available only when the TMS zl Module is in routing mode. Figure A-11. IPsec Policy Apply Context To enter the IPsec policy apply context, enter the following: Syntax: action apply To verify your location in the CLI, check the prompt.
To exit the IPsec policy apply context, enter the following: Syntax: exit If you have not set all of the necessary configurations, you will be prompted to do so and asked whether you actually want to exit.
Table A-40. Advanced IPsec Policy Options
Extended Command: ip-compression
Option: enable
Purpose: Enables the TMS zl Module to compress IP packets before encryption, which can help to increase network performance.
Default setting: Disabled
Extended Command: extended-seq-num
Option: enable
Purpose: Enables 64-bit sequence numbers to allow up to 2^64 (18 quintillion) packets per SA.
After entering this command, you move to the IPsec IRAS context. See “IPsec IRAS Context” on page A-149. key-exchange-method For the TMS zl Module’s IPsec policies, you can either use manual keys or use IKE. To set the key exchange method, enter the following command: Syntax: key-exchange-method After you enter this command, you move to the key exchange (manual or auto) context.
traffic-selector With this command, you configure the VPN traffic selector, which determines the traffic to which this policy is applied. For example, the selector might specify all IP traffic between 192.168.2.0/24 (a local network) and 192.168.3.0/24 (a remote network). For a policy with the Apply action, the selected traffic is the traffic that is sent and received (and secured) on the IPsec SA.
Table A-41.
Figure A-12. IPsec Auto Keys Context To enter the IPsec auto keys context, enter the following command from the IPsec policy apply context: Syntax: key-exchange-method auto To verify your location in the CLI, check the prompt. In the IPsec auto keys context, the prompt is hostswitch(tms-module-:ipsec:apply:auto)#.
apply. Once you have configured all parts of the IPsec policy, you must apply the policy. The apply command verifies that all required settings are configured and then adds or edits the IPsec policy. (If the requirements are not met, the command does not take effect, and an error message indicates which settings are missing.)
Syntax: sa-lifetime seconds kilobytes Replace with the number of seconds that you want the SA to remain open. Type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes). Replace with the number of kilobytes that the SA can handle. Type a value between 2560 and 4194304.
Figure A-13. IPsec Manual Keys Context The IPsec Manual Keys context includes the commands that are specific to configuring an IPsec policy that uses manual keying. Before you can enter this context, you must set the IPsec proposal for the policy (use the proposal command in the IPsec policy apply context).
From the IPsec manual keys context, you can: ■ Set the local gateway (page A-147) ■ Set the remote gateway (page A-147) ■ Set the authentication keys (page A-144) ■ Set the encryption keys (page A-148) ■ Set the SPI number (page A-149) apply. Once you have configured all parts of the IPsec policy, you must apply the policy. The apply command verifies that all required settings are configured and then adds or edits the IPsec policy.
For example: hostswitch(tms-module-:ipsec:apply:manual)# remote-gateway 172.16.23.1 keys. This command sets the keys that the IPsec policy uses to secure the SA. Inbound keys on this TMS zl Module must match outbound keys on the remote gateway and vice versa.
spi. This command sets the decimal number that uniquely identifies this IPsec SA. You must match the SPI on the remote gateway. (In log files and packet sniffers, this number may be represented in hexadecimal.) Syntax: spi Replace with a number between 256 and 2147483647 that will represent this SA.
To enter the IPsec IRAS context, enter the following command from the IPsec policy apply context: Syntax: iras enable To verify your location in the CLI, check the prompt. In the IPsec IRAS context, the prompt is hostswitch(tms-module-:ipsec:apply:iras)#.
Replace with the IP address (including the subnet mask) that the TMS zl Module will use to route traffic from the remote clients. Type an address in a subnet that you can reserve for the remote clients; this subnet cannot be configured on a TMS VLAN. If you select the host option, replace with the IP address that the TMS zl Module will use to route traffic from the remote clients. The IP address must not be in use on a TMS VLAN.
dns. To configure the remote clients’ DNS servers while they are on the VPN connection, enter the following command: Syntax: dns primary [secondary ] Replace with the IP address of a DNS server that the remote client is allowed to access. wins.
To enter the IPsec bypass context, enter the following command from the IPsec policy context: Syntax: action bypass To verify your location in the CLI, check the prompt.
ports to the local addresses and ports. The outbound option applies the bypass action only to traffic from the local addresses and ports to the remote addresses and ports. traffic-selector With this command, you configure the VPN traffic selector, which determines the traffic to which this policy is applied. For a policy with the bypass action, this traffic is forwarded normally without being secured by an SA.
For example:
hostswitch(tms-module-:ipsec:bypass)# traffic-selector protocol tcp local 192.168.2.0/26 port any remote host 192.168.2.1 port 443
preview Before you apply the IPsec policy, you should preview it to make sure everything is correct.
Figure A-16. IPsec Policy Deny Context To enter the IPsec policy deny context, enter the following: Syntax: action deny To verify your location in the CLI, check the prompt. In the IPsec policy deny context, the prompt is hostswitch(tms-module-:ipsec:deny)#.
apply Once you have configured all parts of the IPsec policy, you must apply the policy. The apply command verifies that all required settings are configured and then adds or edits the IPsec policy. (If the requirements are not met, the command does not take effect, and an error message indicates which settings are missing.)
Table A-43.
For example:
hostswitch(tms-module-:ipsec:deny)# preview
IPsec policy
------------------------------------------------------
*Policy Name: testpol
Status: Enabled
Action: Deny
Direction: Outbound
Position: 1
Traffic Selector
*Protocol: Any
*Local Address: 10.1.1.1
*Remote Address: 10.2.2.0/24
Example IPsec VPN The following is the complete command set to create the IPsec VPN with the parameters detailed in Table A-44.
Table A-44.
Parameter: TMS zl Module Setting
IPsec Proposal—testprop
  Encapsulation mode: Tunnel mode
  Security protocol: ESP
  Encryption algorithm: 3DES
  Authentication algorithm: MD5
IPsec Policy—policytest
  Position: 1
  Action: Apply
  Protocol: Any
  Local address: 10.1.5.0/24
  Remote address: 10.2.15.
hostswitch(tms-module-:ikev1)# authentication exchange-mode main method preshared-key
Preshared Key: passwordtestvpn
Confirm Preshared Key: passwordtestvpn
hostswitch(tms-module-:ikev1)# security-proposal dh-group group1-768 encryption 3des auth md5 sa-lifetime 28800
hostswitch(tms-module-:ikev1)# no xauth
hostswitch(tms-module-:ikev1)# preview
Preview IKEv1 policy
--------------------------------------------
*Policy Name: iketest
hostswitch(tms-module-:config)# ipsec proposal testprop encapsulation tunnel security esp encryption 3des auth md5
hostswitch(tms-module-:config)# ipsec policy policytest
hostswitch(tms-module-:ipsec)# action apply
hostswitch(tms-module-:ipsec:apply)# traffic-selector protocol any local 10.1.5.0/24 remote 10.2.15.
hostswitch(tms-module-:ipsec:apply)# advanced copy-dscp enable df-bit-handling clear
hostswitch(tms-module-:ipsec:apply)# preview
IPsec policy
------------------------------------------------------
*Policy Name: policytest
Status: Enabled
Action: Apply
Direction: Both
Position: 1
Traffic Selector
*Protocol: Any
*Local Address: 10.1.5.0/24
*Remote Address: 10.2.15.
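The position rule above (the lowest position value is processed first, so an earlier policy with a broader overlapping selector silently shadows a later, more specific one) can be checked mechanically against the module's preview output. The following Python is an added example, not code from the HP guide: it parses several pasted preview outputs in the format shown above and reports shadowed policies; the policy names, addresses and preview text are constructed, and the Direction field is not modelled.

```python
# Added example (not from the HP guide): parse TMS zl Module `preview` output,
# order IPsec policies by position (lowest value first, as the module does) and
# report policies whose traffic selector is fully covered by an earlier one.
# Names, addresses and the preview text are constructed; Direction is ignored.
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: three preview outputs pasted one after another.
PREVIEWS = """\
IPsec policy
------------------------------------------------------
*Policy Name: bypass-mgmt
Action: Bypass
Position: 1
Traffic Selector
*Protocol: TCP
*Local Address: 192.168.2.0/26
*Local Port: any
*Remote Address: 192.168.2.1
*Remote Port: 443
IPsec policy
------------------------------------------------------
*Policy Name: site-vpn
Action: Apply
Position: 5
Traffic Selector
*Protocol: Any
*Local Address: 10.1.5.0/24
*Remote Address: 10.2.15.0/24
IPsec policy
------------------------------------------------------
*Policy Name: deny-host
Action: Deny
Position: 10
Traffic Selector
*Protocol: Any
*Local Address: 10.1.5.7
*Remote Address: 10.2.15.0/24
"""

# "key: value" lines, with or without the leading asterisk the module prints
FIELD_RE = re.compile(r"^\*?([A-Za-z ]+):\s*(.*)$")


@dataclass
class Policy:
    name: str
    action: str
    position: int
    protocol: str                  # "any", "tcp", "udp", ...
    local: ipaddress.IPv4Network   # a bare host address is stored as a /32
    remote: ipaddress.IPv4Network
    local_port: str = "any"        # "any" or one port number as a string
    remote_port: str = "any"


def parse_previews(text: str) -> list:
    """Parse one or more preview blocks; return them sorted by position."""
    policies = []
    for block in re.split(r"^IPsec policy\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m and m.group(2):
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Policy Name" not in fields:
            continue  # empty chunk before the first header
        policies.append(Policy(
            name=fields["Policy Name"], action=fields["Action"].lower(),
            position=int(fields["Position"]), protocol=fields["Protocol"].lower(),
            local=ipaddress.ip_network(fields["Local Address"], strict=False),
            remote=ipaddress.ip_network(fields["Remote Address"], strict=False),
            local_port=fields.get("Local Port", "any").lower(),
            remote_port=fields.get("Remote Port", "any").lower()))
    return sorted(policies, key=lambda p: p.position)


def covers(outer: Policy, inner: Policy) -> bool:
    """True when every flow selected by `inner` is also selected by `outer`."""
    return (outer.protocol in ("any", inner.protocol)
            and inner.local.subnet_of(outer.local)
            and inner.remote.subnet_of(outer.remote)
            and outer.local_port in ("any", inner.local_port)
            and outer.remote_port in ("any", inner.remote_port))


def find_shadowed(policies: list) -> list:
    """(shadowed, shadowing) name pairs: the shadowed policy can never match
    because a policy with a lower position value already selects its traffic."""
    ordered = sorted(policies, key=lambda p: p.position)
    return [(inner.name, outer.name) for i, inner in enumerate(ordered)
            for outer in ordered[:i]
            if outer.position < inner.position and covers(outer, inner)]


def first_match(policies, protocol, src, dst, sport="any", dport="any"):
    """Policy processed first for a flow from local src to remote dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((p for p in sorted(policies, key=lambda p: p.position)
                 if p.protocol in ("any", protocol.lower()) and s in p.local
                 and d in p.remote and p.local_port in ("any", sport)
                 and p.remote_port in ("any", dport)), None)
```

Pasting the module's own preview output for each policy into PREVIEWS in place of the constructed text runs the same check against a real configuration.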
Command-Line Reference L2TP User Context L2TP User Context The L2TP user context provides the commands for configuring L2TP authentication against the TMS zl Module’s local database. It also enables you to configure the IP settings assigned to L2TP clients. The commands that you enter in the L2TP user context do not take effect until you apply them. If you exit before applying your commands, your settings are lost.
To verify your location in the CLI, check the prompt. In the L2TP context, the prompt is hostswitch(tms-module-:l2tp-user)#. To exit the L2TP User context, enter the following: Syntax: exit If you have not applied your changes, you will be warned to do so and asked if you want to continue.
Note For the group name, you can use up to 14 alphanumeric characters plus the space, period, comma, hyphen (-), exclamation mark (!), dollar sign ($), at sign (@), asterisk (*), and underscore (_). Do not use the hash sign (#) in the group name. See “user group” on page A-115 for complete information.
tunnel When L2TP clients authenticate locally, you must specify the IP settings that the client and the TMS zl Module use for the L2TP connection. To configure these settings, enter the following command: Syntax: tunnel user Replace with the IP address and subnet mask of the TMS zl Module in its capacity as L2TP Network Server (LNS).
Table A-45. Policy Parameters Used in This Configuration
Parameter: TMS zl Module Setting
User Group
  User group: l2tpusers
IKEv1 Policy—L2tpIke
  Type of policy: Client-to-Site
  Local gateway: VLAN 20
  Remote gateway: n/a
  Local ID: IP address—172.16.20.103
  Remote ID: IP address—0.0.0.
L2TP User—l2tpuser
  Tunnel server IP address: 10.100.1.1/24
  Tunnel user IP address: 10.100.1.80
  Tunnel authentication: No
  Authentication
  Policy group name: L2tpUsers
  Protocol: Any
  User: userx
  Password: password
  Default gateway: 10.100.1.1
  Primary DNS server: 10.1.2.100
  Secondary DNS server: 10.1.2.
*Local ID Type: IP Address
Value: 172.16.20.103
*Remote ID Type: IP Address
Value: 0.0.0.
hostswitch(tms-module-:ipsec:apply:auto)# exit
hostswitch(tms-module-:ipsec:apply)# preview
IPsec policy
------------------------------------------------------
*Policy Name: L2tpIpsec
Status: Enabled
Action: Apply
Direction: Both
Position: 1
Traffic Selector
*Protocol: UDP
*Local Address: 172.16.20.
*Local Port:
*Remote Address:
*Remote Port:
hostswitch(tms-module-:ipsec)# exit
hostswitch(tms-module-:config)# l2tp local-user l2tpuser
hostswitch(tms-module-:l2tp-user)# tunnel 10.100.1.1/24 user 10.100.1.80
hostswitch(tms-module-:l2tp-user)# auth group l2tpusers protocol any
Password: ********
hostswitch(tms-module-:l2tp-user)# dns primary 10.1.2.100 secondary 10.1.2.
Table A-46. Policy Parameters Used in This Configuration
Parameter: TMS zl Module Setting
IKEv1 Policy—l2tpIke
  Type of policy: Client-to-Site
  Local gateway: VLAN 20
  Remote gateway: n/a
  Local ID: IP address—172.16.20.103
  Remote ID: IP address—0.0.0.
IPsec proposal l2tpProp
  SA lifetime in seconds (SA life): 28800
  SA lifetime in kilobytes: 0
RADIUS Server
  RADIUS server IP address: 172.16.22.55
  Secret key: password
  NAS ID: tms-module
  Domain name: hp.com
L2TP Authentication Server
  Server IP address: 10.2.2.1
  Domain name: hp.com
  Start IP address: 10.2.2.2
  End IP address: 10.2.2.200
  Primary DNS server: 192.168.12.
hostswitch(tms-module-:config)# ipsec proposal l2tpProp encapsulation transport security esp encryption 3des auth md5
hostswitch(tms-module-:config)# ipsec policy L2tpIpsec
hostswitch(tms-module-:ipsec)# action apply
hostswitch(tms-module-:ipsec:apply)# traffic-selector protocol udp local host 172.16.20.
Command-Line Reference RIP Context RIP Context The RIP context provides commands for configuring global RIP settings. It is available only when the TMS zl Module is in routing mode. Figure A-18. RIP Context To enable RIP and access the RIP context, enter the following command from the global configuration context: Syntax: router rip To verify your location in the CLI, check the prompt. In the RIP context, the prompt is hostswitch(tms-module-:rip)#.
default-metric To set the default metric, which is the cost assigned to all RIP routes by default, enter the following command: Syntax: default-metric Replace with the new default metric for RIP routes (1–15). The default setting is 1. poison-reverse To enable (or disable) poison reverse, enter the following command: Syntax: [no] poison-reverse For information on poison reverse, see “RIP” on page 9-15 of Chapter 9: “Routing.
Command-Line Reference OSPF Context OSPF Context The OSPF context includes commands for configuring global OSPF settings. It is available only when the TMS zl Module is in routing mode. Figure A-19. OSPF Context To enable OSPF and access the OSPF context, enter the following from the global configuration context: Syntax: router ospf To verify your location in the CLI, check the prompt. In the OSPF context, the prompt is hostswitch(tms-module-:ospf)#.
rfc1583-compatibility To enable (or disable) RFC 1583 compatibility, enter the following command: Syntax: [no] rfc1583-compatibility For more information on this feature, see “OSPF” on page 9-27 in Chapter 9: “Routing.
area nssa To configure (or delete) an NSSA area, enter the following command: Syntax: [no] area nssa [metric-type < type1 | type2 > ] Replace with the ID for the area, which can be either a number (1–4294967294) or an IP address. Replace with the metric that will be assigned to the advertisements of routes to this area (1–65535). The metric-type option specifies the type for routes redistributed into OSPF.
For the authentication option, replace with one of the following options. ■ md5 ■ simple For md5, replace with the ID used in this area (1–255). Replace with the MD5 key, which is a string of up to 16 characters. For simple, replace with the password used in this area, a string of up to 8 characters.
Command-Line Reference VLAN Context VLAN Context This context provides commands for configuring TMS VLAN settings. It is available only when the TMS zl Module operates in routing mode. The VLAN context for a specific VLAN is not available until you have assigned the VLAN to a zone with the vlan zone command. Figure A-20. VLAN Context To enter the VLAN context, enter the following: Syntax: vlan Replace with the VLAN ID. To verify your location in the CLI, check the prompt.
ip address To assign the VLAN IP settings, enter the following command: Syntax: ip address < dhcp | > If the TMS zl Module should receive a dynamic IP address on this VLAN, use the dhcp option. To assign the module a static IP address on this VLAN, replace with the module’s static IP address and the prefix length for its subnet.
Command Option: dead-interval
Purpose: Specifies the number of seconds to wait for a hello before determining a link is down (1 to 65,535)
Command Option: priority
Purpose: Specifies the priority of the TMS zl Module in DR election (1–255).
Command Option: retransmit-interval
Purpose: Specifies the minimum number of seconds that the router must wait between sending LSAs (1.
Command Option: transmit-delay
Purpose: Specifies the number of seconds assumed for an LSA to reach a peer (1–3600).
ip rip From the VLAN context you can configure the following RIP settings: ■ Metric ■ RIP version ■ Authentication ■ Passive interface (whether the module sends RIP updates on this VLAN) To enable (or disable) RIP on a VLAN, enter the following command: Syntax: [no] ip rip To enable RIP and configure RIP settings for the VLAN, enter the following command: Syntax: [no] ip rip The options available for the command are shown in Table A-48.
zone Use this command to change the zone with which the VLAN is associated. You can also configure whether the switch has an IP address on this VLAN or whether the VLAN has a unique MAC address on the module. Syntax: zone [allow-switch-ip] [unique-mac] Replace with the zone to which you want to assign the VLAN.
Command-Line Reference VLAN PIM Context VLAN PIM Context Figure A-21. VLAN PIM Context To enter the VLAN PIM context, which is available only when the TMS zl Module is in routing mode, enter the following command from the VLAN context: Syntax: ip pim-sparse To verify your location in the CLI, check the prompt. In the VLAN PIM context, the prompt is hostswitch(tms-module-:vlan-pim-sparse)#. From this context, you can set the TMS zl Module’s DR priority on the VLAN.
Command-Line Reference Product OS Show Commands Product OS Show Commands The Product OS show commands allow you to view information about, or the current status of, an interface or feature. They help you to troubleshoot. The show commands available in the Product OS are described in the sections below. Most show commands are available with either operator or manager access; however, manager access is required for a couple of commands.
Command Manager Routing Mode Operator Routing Mode Manager Monitor Mode Operator Monitor Mode show logging X X X X show management X X X X show nat X X show operating-mode X X X X show port-map X X X X show port-trigger X X show radius-server X X X X show rate-limit X X show running-config X show schedule X X show service X X show service-group X X show snmpv2 X X X X show snmpv3 X X X X show system-in
show access-policy This command shows the firewall access policies currently configured on the module. You can view policies by type of policy (multicast or unicast) or by user group. Additionally, you can filter the results by source zone and destination zone.
show address-group This command shows all or one of your address groups. The groups and their members are displayed. To view your address group or groups, enter the following command: Syntax: show address-group show alg This command shows the ALGs on the module and whether they are enabled or disabled. Syntax: show alg show arp This command shows the TMS zl Module’s ARP cache entries.
show certificates This command shows information about certificates that have been installed on the TMS zl Module and related items: Syntax: show certificates Use the scep option to view the settings configured for SCEP, including the SCEP server’s IP address or domain name, the server’s port, the CGI path, and the unique CA identifier.
show connections This command shows the active connections to your network.
show gre This command shows the GRE tunnels that are configured. Syntax: show gre [tunnel name] For detailed information about a specific GRE tunnel, including traffic statistics, replace with the name of the GRE tunnel. If you do not include a tunnel name, all GRE tunnels are listed (with less information). show high-availability This command shows the HA configuration.
show ip rip The show ip rip command shows information about RIP on the network. You can view: ■ Redistribution ■ RIP on a particular interface ■ (Optional) RIP peers ■ Restrictions To view RIP redistribution, enter the following command: Syntax: show ip rip redistribute To view RIP on a particular interface, enter the following command: Syntax: show ip rip interface [ | vlan ] Replace with the interface IP address.
To view general information about OSPF, enter the following command: Syntax: show ip ospf general To view information about OSPF areas, enter the following command: Syntax: show ip ospf area To view information about OSPF area link-states, enter the following command: Syntax: show ip ospf area-link-state To view information about OSPF external link-states, enter the following command: Syntax: show ip ospf external-link-state [router-id ] Replace <
This command displays: ■ Destination—Each network to which the module knows a route ■ Gateway—The IP address of the next-hop router in the path to this network ■ Metric—The cost for the route ■ Distance—The administrative distance for the route ■ VLAN—The forwarding VLAN for the route ■ Type—The method by which the route was discovered or configured show ip mroute To view the TMS zl Module’s multicast routing table, enter the following command: Sy
To view IGMP settings (such as the VLANs on which IGMP is enabled), enter the following command: Syntax: show ip igmp config show ip dns To view the TMS zl Module’s domain and DNS server, enter the following command: Syntax: show ip dns show ip-mtu This command shows the module’s MTU. Syntax: show ip-mtu show ip-reassembly This command shows the IP reassembly constraints. Syntax: show ip-reassembly show ips This command shows your IPS settings.
To view the IPS web-proxy settings, enter the following command: Syntax: show ips web-proxy To view the IPS protocol anomaly settings, enter the following command: Syntax: show ips protocol-anomaly To view if the IPS engine is using full session inspection, enter the following command: Syntax: show ips full-inspection To view the current IPS inspection-depth setting, enter the following command: Syntax: show ips inspection-depth show ipsec This command shows
■ IPsec proposals To view your IPsec proposals, enter the following command: Syntax: show ipsec proposal [proposal name] To view only one proposal, replace [proposal name] with the name of the proposal. Otherwise, all IPsec proposals are displayed. ■ IPsec policies Enter the following command: Syntax: show ipsec policy [policy name] To view detailed information about only one policy, replace [policy name] with the name of a specific policy.
Syntax: show l2tp user [username] Optionally, replace [username] with the name of a specific user. In this case, you will see detailed information about the user. If you do not specify a user name, this command lists all local L2TP users with more limited information about them. show lldp This command shows the LLDP configuration. Syntax: show lldp show logging This command shows all of the logging information.
Table A-50.
Syntax: show nat show operating-mode Use this command to view your operating mode. Syntax: show operating-mode show port-map This command shows all of your port-maps. Syntax: show port-map show port-trigger This command shows your port trigger policies. Syntax: show port-trigger [trigger name] show radius-server This command shows information about your RADIUS server.
show running-config This command shows the module’s running-configuration. For general troubleshooting, you should enter the show running-config (or just show run) command. Syntax: show running-config [display-credentials] Optionally, use the display-credentials option to display hidden credentials, such as the RADIUS server secret. show schedule This command shows the module’s schedule objects.
show system-information This command shows all globally configured and operational system parameters. Syntax: show system-information show tech This command shows all of the information you will need for troubleshooting. Syntax: show tech show time This command displays the module’s time and date. Syntax: show time show user This command shows user and user group information.
After you enter this command, you will see information similar to the following:
ID VLAN MAC Address
----- ------------------ --------------
*10 MGMT 00:1f:fe:82:5c:9d
20 VLAN20 00:21:f7:b0:05:b6
30 VLAN30 00:21:f7:b0:05:b6
40 VLAN40 00:21:f7:b0:05:b6
*: Unique MAC address assigned.
Type the following command to view the IP settings that have been assigned to RADIUS authenticated L2TP users. Syntax: show vpn connections l2tp show vpn-config To view the section of running-config that is related to IPsec and certificate settings, enter this command: Syntax: show vpn-config show zone This command lists the names of your zones.
B Glossary Numeric 3DES Triple DES. A version of DES in which three encryption phases are applied. A AAA Authentication, Authorization, and Accounting. Processes that are used to control network access and enforce security policies. For more information, see RFC 2989 at http://www.ietf.org/rfc/rfc2989.txt. See also authentication, authorization, and accounting. ABR Area Border Router. A router that is attached to more than one OSPF area. access policy See firewall access policy.
Glossary AF Assured Forwarding. A Differentiated Services PHB group comprised of four classes that allows a provider DS domain to offer different levels of forwarding assurances for IP packets received from a customer DS domain. aggressive mode Aggressive mode uses three total messages during IKE phase 1—two from the initiator and one from the responder. AH Authentication Header. A part of the IPsec protocol suite that guarantees connectionless integrity and data origin authentication of IP packets.
ASN.1 Abstract Syntax Notation One. A standard notation to describe data structures for representing, encoding, transmitting, and decoding data. DER is an example of ASN.1 encoding rules. assured forwarding See AF. authenticated network access Network access that was granted after the user submitted credentials to an authentication server.
C CA Certificate Authority. An entity that issues digital certificates and acts as a trusted third party that verifies the identity of parties that want to communicate with one another. CA certificate A certificate that is issued by a CA that validates all other certificates that are issued by the CA. Also called a “CA root certificate.” You store CA certificates in VPN > Certificates > CA Certificates.
cipher block chaining, extended See AES-XCBC. circuit-level gateway A circuit-level gateway acts at the OSI Session Layer (Layer 5) to monitor the establishment of sessions between trusted and untrusted devices. Some circuit-level gateways establish proxy sessions with untrusted hosts for their clients. Classless Inter-Domain Routing See CIDR. clear DF bit An option that permits you to set the DF bit to 0, which means that the packet can be fragmented in an IPsec SA.
connection reservation A policy to give certain IP addresses a specified number of connections, regardless of module workload. connection timeout See timeout. control messages Messages exchanged between the master and the participant in an HA cluster. convergence The time that it takes all routers on a network to receive the same information about network topology and the best routes to use to reach a particular destination.
Data Encryption Standard See DES. data port Physical port 1 on the TMS zl Module (J1 on the circuit board), which plugs into the host switch backplane. In routing mode, the data port is a tagged member of every TMS VLAN. In monitor mode, the data port receives mirrored traffic from the host switch. dead interval The amount of time an OSPF router waits for route advertisements from a peer router before declaring a route dead.
DHCP Dynamic Host Configuration Protocol. A protocol that allows network administrators to set up a server to manage IP addresses, automatically assigning IP addresses to devices on the network. DHCP simplifies IP management, eliminating the need to manually assign IP addresses to devices and then track those addresses.
DMZ Demilitarized Zone. A zone that is logically between the INTERNAL and EXTERNAL zones; it usually contains public Internet services. DN Distinguished Name. The ASN.1 name that is associated with a certificate. DNS Domain Name System. A protocol that translates between a human-readable address (www.example.com) and an IP address (10.1.2.15). Translation is performed in both directions. domain name A unique, human-readable name that is assigned to a device, such as ns1.company123.edu.
E EF Expedited Forwarding. A Differentiated Services PHB intended to provide low delay, low jitter and low loss service. email forwarding The TMS zl Module sends logs to as many as three email addresses. encapsulation The process of encapsulating one protocol within another. For example, L2TP can be encapsulated by IPsec to secure tunnel data. encapsulation mode The method IPsec uses to secure a VPN tunnel. The two encapsulation modes are tunnel mode and transport mode.
F failover The ability to automatically switch over to a secondary device in the event that the primary device fails. firewall access policy A rule that specifies which traffic can pass between TMS VLANs. Firewall access policies are classified by source and destination zones, multicast or unicast, and user group. firewall port map A port map shows which service and associated protocol are assigned to which port on your network.
G gain access A signature family for attacks wherein the attacker attempts to gain access to your network. gateway The network node that provides access to other networks or subnets. global maximum connections The cumulative maximum number of connections allowed for all zones. global trusted certificate A digital certificate that is created by a trusted CA. Also known as a root certificate. GRE Generic Routing Encapsulation.
high availability See HA. host An individual device. hostname The FQDN of a network device; for example: pop3.university.edu. host switch The HP 5400zl or 8212zl Switch Series that houses the TMS zl Module. HP ProCurve Manager Plus See PCM+. HP ProCurve VPN Software that can be installed on a Windows workstation that allows remote client VPN access to the corporate network. HTTP HyperText Transfer Protocol. HTTPS HyperText Transfer Protocol over Secure Socket Layer.
Identity Driven Manager See IDM. identity type A name that each endpoint of an IPsec VPN uses to authenticate itself. The identity is specified in the IKE policy and can be an IP address, a domain name, an email address, or a distinguished name. For multiple clients in a client-to-site policy, you can use wildcards. IDM Identity Driven Manager. An HP networking application that provides management of user-based profiles (including ACLs, QoS settings, and rate limits).
inbound authentication key The manual authentication key that a local device expects to receive from a remote device when establishing a VPN. inbound encryption key The manual encryption key that a local device expects to receive from a remote device when establishing a VPN. initiator On a VPN tunnel, the initiator starts the VPN negotiation and proposes the parameters. insert position The position at which a policy is inserted. integrity check See ICV.
IP reassembly attack An attack that degrades network performance by exploiting the network’s IP reassembly guidelines. IP spoofing Creating packets with a forged IP address. IP spoofing is used to conceal an attacker’s IP address or to deceive network devices into thinking a packet originated from a trusted IP address. IPDS Another name for IDS/IPS. IPS Intrusion Prevention System. A network device that can prevent network attacks before they begin or stop an attack in progress.
K key In cryptography, a key is a unique value or string of text that is used to encrypt data when that data is run through an encryption or hash algorithm. To decrypt or dehash the data, a device must apply the correct key to the encrypted data. The length of a key generally determines how difficult it will be to decrypt the data. Keys can be either symmetric or asymmetric. key exchange method The method used to generate the keys used to negotiate an IPsec SA, either IKE or manual keying.
local gateway The VPN gateway of the device that you are configuring. local mirroring Copying all traffic transmitted on one port (the monitored port) to another port on the same device (the mirror port). The TMS zl Module in monitor mode uses the host switch’s local mirroring capability to monitor traffic. local user A user in the local database. logging The process of documenting events (usually security events) detected by the TMS zl Module.
Glossary many-to-many A source NAT operation wherein a pool of NAT addresses is assigned to a limited number of outgoing connections. many-to-one A NAT operation whereby multiple IP addresses are assigned the same IP address. master The member of an HA cluster that coordinates the workload of an active-active cluster or performs the workload of an active-backup cluster and stores the primary configuration for the cluster. maximum See MTU. transmission unit MD5 Message-Digest algorithm 5.
Glossary mode See operating mode. monitor mode An operating mode in which the TMS zl Module acts as an offline IDS. MS-CHAP Microsoft CHAP. The Microsoft implementation of CHAP. For more information, see RFC 2759 at http://www.ietf.org/rfc/rfc2759.txt. MTU Maximum Transmission Unit. The MTU determines the size of the largest packet that can pass through the Data Link Layer (Layer 2) of a connection. multicast A send method wherein the packet is sent by one device and is destined for multiple other devices.
Glossary NAT Network Address Translation. A method of reusing IP addresses wherein endpoints inside one network have IP addresses that are different from those that are presented to the Internet or another network. For more information, see RFC 3022 at http://www.ietf.org/rfc/rfc3022.txt. NAT policy A rule that defines which addresses are translated, what they are translated into, and under what circumstances NAT-T NAT-Traversal.
Glossary operating mode A functionality set for the TMS zl Module, either routing (Layer 3) or monitor (IDS). operator account An administrative account with read-only privileges. orphaned access A firewall access policy that is configured to affect traffic in the same TMS policy VLAN. Orphaned policies cannot be enforced by the TMS zl Module because the policies operate at Layer 3, whereas the traffic between devices on the same TMS VLAN is at Layer 2. OSPF Open Shortest Path First.
Glossary PCM+ ProCurve Manager Plus. An HP network management platform. PDU Protocol Data Unit. The unit that gives the protocol control information, either the bit (Layer 1), the frame (Layer 2), the packet (Layer 3), the segment (Layer 4) or the data (all other layers). peer In VPNs, the peers are the two ends of the VPN tunnel. peer ID The identifier of the remote router in a site-to-site VPN. Generally the peer ID is the IP address of the router on the interface through which the VPN is established.
Glossary polymorphism The capability of an object to assume more than one property, often shifting from one property to another in response to external stimuli. port address See PAT. translation port forwarding The process in which traffic addressed to one port is forwarded to a different port. Port forwarding is often employed when a network is running wellknown protocols on non-standard ports.
Glossary Q QoS Quality of Service. A service provided by some network protocols such that the network prioritizes traffic or guarantees a particular level of performance to a type of data flow. R RADIUS Remote Authentication Dial-In User Service. An AAA protocol that allows a server to store all of the security information for a network in a single, central database. The server stores and manages end-user information so that it can authenticate the end-users.
Glossary responder In a VPN, the device that does not initiate the VPN negotiation. RFC Request For Comments. See tools.ietf.org. RIP Routing Information Protocol. A protocol that allows routers to tell other routers which routers they can reach and how far away those routers are. For more information, see RFC 1058 for version 1 at http://www.ietf.org/rfc/ rfc1058.txt or RFC 2453 for version 2 at http://www.ietf.org/rfc/rfc2453.txt.
Glossary S SA Security Association. Secure communication between two network devices that is created from shared security information. A SA is used in IKE. For more information, see RFC 4306 at http://www.ietf.org/rfc/rfc4603.txt. SA lifetime The time in seconds that can pass or amount of data in kilobytes that can be sent before the SA must be renegotiated. schedule object A named object that specifies the days and times of day that a specific firewall access policy applies.
Glossary services OS An underlying layer of software on which the TMS zl Module's product software runs.The services OS is designed primarily for blade maintenance. It is from this CLI context that you install licenses and update the module's software. SHA-1 Secure Hash Algorithm One. One of five cryptographic hash functions that were designated by the National Security Agency. SHA-1 is used in TLS, SSL, and IPsec and is considered to be a successor to MD5. For more information, see RFC 3174 at http://www.
Glossary SNMP trap A message which is initiated by a network element and sent to the network management system. For example, if PCM+ is configured as a trap destination, the TMS zl Module can send SNMP traps to PCM+. SNMP community A group that devices that run SNMPv1/v2c belong to. It helps define where information is sent. These devices will not respond to SNMP messages that are from other SNMP communities.
Glossary static route Routes that are manually added to the routing table. stub area An area that receives traffic destined for its hosts, but does not pass any traffic to another network. A stub area connects only with the normal area (backbone). subject alternate Names that you can specify along with a device’s CN that can identify the names device. These names are specified in a certificate request.
Glossary TMS VLAN A VLAN that has been associated with a zone on a TMS zl Module in routing mode. tools A column in many TMS zl Web browser interface windows that contains some or all of the following: move icon, to move the entry to a higher or lower position; edit icon, to edit the entry; delete icon, to delete the entry. ToS Type of Service. Now called Differentiated Services. traffic selector Traffic that is allowed over the IPsec SA (VPN tunnel).
Glossary V virtual interface Because the TMS zl Module only has two physical ports, VLANs are virtual interfaces instead of network interfaces. For ever virtual interface on the module there must be a network interface on the host switch. virtual IP address An IP address associated with a cluster rather than an individual member of a cluster. The cluster will still receive packets in the event that a specific network device fails. virus A computer program that can copy itself and damage a computer system.
Glossary W Web browser A management access method that requires an HTTPS over IP connection to interface the module plus a Web browser. Firefox 2.x and later and IE 7 and later are supported. well-known port The port on which the IANA has assigned a protocol to run. For example, the well-known port for HTTP is 80. WinNuke attack An attack that is launched by sending out-of-band (OOB) data to port 139. X XAUTH eXtended AUTHentication.
C Log Messages
Contents
Reading the Log Messages ... C-3
  Finding the Log Message Family and ID ... C-4
Log Message Formats and Fields ... C-6
  Firewall ... C-6
    Firewall: Access Control ...
  Network Access System ... C-18
    Network Access System: DHCP Client ... C-18
    Network Access System: DHCP Server ... C-19
    Network Access System: IGMP Proxy ... C-19
    Network Access System: NTP Client ... C-19
  Routing ...
Reading the Log Messages
All log messages begin with the following fields, in this order:
■ time=[YYYY-MM-DD HH:MM:SS] The timestamp for the log message is derived from the host switch.
■ severity=[critical | major | minor | warning | info] One of five severity levels that is pre-assigned to each log message type.
■ pri=[0–7] Priority of the message.
• Configuration
  – config_configuration
• User Authentication
  – user_statistics
• Layer 2 Bridge
  – l2br_bridge
• Intrusion Detection/Protection System
  – ips_attack_family
  – ips_traffic_anomaly_family
  – ips_application_detection_family
  – session_open_logs_family
  – session_close_logs_family
• Network Access
  – netacc_dhcp_client
  – netacc_dhcp_server
  – netacc_igmp_proxy
  – netacc_ntp_client
• IP Reassembly
• Threat Management Services
• RADIUS
Figure C-1. Finding Log Message Families and Message IDs.
You can use this information to filter the log messages. For example, in the Web browser interface, on System > Logging > View Logs, you can type id=vpn_ in the Keyword field to find all of the messages that the VPN engine has generated. You can also use the log family names and message IDs to filter log messages that have been exported and opened in a text editor or a spreadsheet program.
Log Message Formats and Fields
The format for a log message varies according to the system that generated the message. Some types of log messages contain only the fields shown in "Reading the Log Messages" on page C-3 plus message texts. Others contain several other fields, which are included or omitted depending on the type of message. Listed below are the fields that each type of log message might contain, plus values and value types for some of the fields.
Field name (value format): description
rcvdsc (integer): Total number of bytes received from the server to the client
ruleaction ([permit | deny]): The value in the Action field of the access policy
ruledsc ([rule position] accesspolicy [source zone] [destination zone] [permit | deny] service [service] [source address] [destination address] (ID:[rule ID])): Description of the access policy in the format shown, which is the same format as in the CLI.
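The following Python example is added here and is not code from the HP guide or the TMS zl Module. It parses exported log lines in the key=value layout described under "Reading the Log Messages", checks the three mandatory leading fields, applies the same id= prefix filter as the Keyword field (id=vpn_), and reads the firewall access control fields above; the sample lines are constructed, and the assumption that multi-word values such as the timestamp or ruledsc are quoted (or bracketed) is mine, not the guide's.

```python
"""Parser for the key=value log lines described in Appendix C.

Added example, not code from the HP guide or the TMS zl Module.  The sample
lines in SAMPLE_LOG are constructed for illustration; the module's real
output may differ (in particular, how it quotes multi-word values such as
the timestamp is an assumption here: double quotes or square brackets).
"""
import re
from collections import Counter
from typing import Dict, List

# key=value where the value is "quoted", [bracketed] or a bare token.
# Quoted/bracketed values may contain spaces (time="YYYY-MM-DD HH:MM:SS").
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|\[([^\]]*)\]|(\S+))')

# Every message begins with these three fields, in this order.
REQUIRED_ORDER = ("time", "severity", "pri")
SEVERITIES = {"critical", "major", "minor", "warning", "info"}

# Constructed sample lines (not real module output).  Field names follow
# the appendix: id=, src=, dst=, ruleaction=, ruledsc=, rulefam=, msg=.
# The last line deliberately has the mandatory fields out of order.
SAMPLE_LOG = """\
time="2010-10-05 09:14:02" severity=info pri=6 id=fw_access_control src=10.1.2.15 srcport=51234 dst=192.0.2.10 dstport=80 ruleaction=permit ruledsc="10 accesspolicy INTERNAL EXTERNAL permit service http 10.1.2.0/24 any (ID:7)"
time="2010-10-05 09:14:05" severity=major pri=2 id=ips_attack_family src=198.51.100.7 dst=10.1.2.15 rulefam=DOS rulethreat=Severe ruleaction=deny
time="2010-10-05 09:15:11" severity=info pri=6 id=vpn_ikev1 src=203.0.113.9 srcport=500 dst=192.0.2.1 dstport=500 msg="IKE phase 1 established"
time="2010-10-05 09:15:12" severity=warning pri=4 id=vpn_ipsecipv4 src=203.0.113.9 dst=192.0.2.1 msg="SA lifetime expiring"
severity=info pri=6 time="2010-10-05 09:16:00" id=cli msg="show running-config"
"""


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the fields of one line as a dict that keeps field order."""
    fields: Dict[str, str] = {}
    for m in _TOKEN.finditer(line):
        key = m.group(1)
        # exactly one of the three value groups matched
        value = next(g for g in m.groups()[1:] if g is not None)
        fields[key] = value
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of an exported log."""
    return [parse_log_line(ln) for ln in text.splitlines() if ln.strip()]


def header_is_valid(fields: Dict[str, str]) -> bool:
    """Check the mandatory leading fields: order, severity value, pri range."""
    if list(fields)[:3] != list(REQUIRED_ORDER):
        return False
    if fields["severity"] not in SEVERITIES:
        return False
    pri = fields["pri"]
    return pri.isdigit() and 0 <= int(pri) <= 7


def filter_by_id_prefix(records: List[Dict[str, str]], prefix: str):
    """Same effect as typing 'id=vpn_' in the Keyword field: keep messages
    whose id= value starts with the given family prefix."""
    return [r for r in records if r.get("id", "").startswith(prefix)]


def count_by_engine(records: List[Dict[str, str]]) -> Counter:
    """Count messages per engine, i.e. the part of id= before the first '_'."""
    return Counter(r["id"].split("_", 1)[0] for r in records if "id" in r)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in filter_by_id_prefix(recs, "vpn_"):
        print(r["time"], r["id"], r.get("msg", ""))
    print(dict(count_by_engine(recs)))
    print("malformed headers:", [i for i, r in enumerate(recs) if not header_is_valid(r)])
```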
Firewall: Application Filters
Log messages in the application filters family (id=fw_application_filters) may contain the following fields in addition to firewall access control fields, listed in alphabetical order: Table C-2.
High Availability Cluster: VSRP
Messages from the VSRP (HA control) protocol (id=hacl_vsrp) may contain the following fields in addition to the HA cluster fields:
Table C-4. High Availability VSRP Message Family Fields
Field name (value format): description
masterid ([1 | 2]): Identifier of the cluster master from the Device ID field
mgmt_ipaddress ([x.x.x.
VPN
Log messages from the VPN engine (id=vpn_...) contain these fields, in this order:
Table C-5. VPN Message Family Fields
Field name (value format): description
msg (text): Text of the message
src ([x.x.x.x]): Source IP address in the IP packet header
srcport (0–65535): Source port number in the IP packet header
dst ([x.x.x.
VPN: IPsec
Log messages from IPsec version 4 (id=vpn_ipsecipv4) may contain these fields in addition to the VPN fields: Table C-6.
VPN: IKEv1
Log messages from IKE version 1 (id=vpn_ikev1) may contain these fields in addition to the VPN fields: Table C-7.
VPN: IKEv2
Log messages from IKE version 2 (id=vpn_ikev2) may contain these fields in addition to or instead of the VPN and IKEv1 fields: Table C-8.
System
System errors (id=system_system_error) contain these fields:
■ srczone=SELF dstzone=SELF System messages always apply to the Self zone only.
■ errortype=[memory_allocation | socket | file_system | driver | resource_allocation] Type of error.
Configuration
Log messages from the configuration (id=config_configuration) may contain these fields, in this order: Table C-10.
Figure C-2. Finding the Signature Family and Signature ID
Figure C-2 shows a log message indicating that rule 30091 of the DOS signature family was activated. Log messages from the IPS attack family (id=ips_attack_family) may also contain these fields: Table C-11.
Field name (value format): description
rulefam ([general | backdoor | DOS | exploits | gain access | traffic info | traffic anomaly | protocol anomaly | reconnaissance | malware | virus | inappropriate | botnet | spamhaus]): The signature family of the rule that was triggered
rulename (text)
rulethreat ([Critical | Severe | Minor | warning | Information])
tcpoptions (integer): TCP options
timetolive (integer): The time to live of the packet that triggered the IP
IPS: IPS Application Detection Family
Log messages from the IPS application detection family (id=ips_application_detection_family) may also contain these fields: Table C-12.
Layer 2 Bridge
Log messages from the Layer 2 bridge (id=l2br_bridge) contain these fields:
■ destination_macaddress=[aa:bb:cc:dd:ee:ff] The destination MAC address of the packet that triggered this log message
■ portname=[text] The name of the port (interface) on which the packet that triggered this log message was received or was being sent
■ packetlength=[integer] The length of the packet that triggered this log message
Network Access System
Log messages
Network Access System: DHCP Server
Log messages from the DHCP server (id=netacc_dhcp_server) may contain these fields:
Table C-15. DHCP Server Family Fields
Field name (value format): description
interfacename: The interface on which the server has been enabled
leaseinterval (integer): The lease interval in seconds
leaseip ([x.x.x.
Routing
Log messages from routing (id=routing) contain these fields:
■ date=[YYYY-MM-DD]
■ time=[HH:MM:SS]
■ msg=[text of the message]
■ severity=[critical | major | minor | warning | info]
■ mid=message ID
CLI
Log messages from the command line interface (CLI) (id=cli) contain these fields:
■ date=[YYYY-MM-DD]
■ time=[HH:MM:SS]
■ msg=[text of the message]
■ severity=[critical | major | minor | warning | info]
■ mid=message ID
SSH
Log messages from
Log Message Abbreviations
Table C-16 lists abbreviations that may be found in the log messages. For an explanation of the log message fields, see "Log Message Formats and Fields" on page C-6.
Table C-16.
Abbreviation: definition
DIM: dynamic interface management
DOI: domain of interpretation
DPLB: data plane load-balancing
ESN: extended sequence number
ESP: Encapsulation Security Protocol
EXCP: exception
EXTN: external
FD: file descriptor
FIN: finish
FSM: finite state machine
FW: firewall
FW-TRPX: firewall transparent proxy
FWAR: firewall association reservation
FWCS: firewall comp stats
FWD: forward(ing)
FWHA: firewall high availability
FWILP
IPCP: Internet Protocol Control Protocol
IPFRAG: IP fragmentation
IPRATE: IP rate
IPROUTE: IP routing
IPS: intrusion prevention system
IRC: Internet Relay Chat
ISAKMP: Internet Security Association and Key Management Protocol
KE: key exchange
L2: Layer 2
L2FW: Layer 2 firewall
L2TP: Layer 2 Transport Protocol
L3: Layer 3
LB: load-balancing
LCP: Link Control Protocol
MACDB: Media Access Control database
MCAST: multicast
MD5: Mes
NONCE: random number used during IKE negotiation
PAC: PPTP access concentrator
PAP: Password Authentication Protocol
PFS: Perfect Forward Secrecy
PMTU: path maximum transmission unit
PNS: PPTP network server
POLGRP: policy group
PPP: Point-to-Point Protocol
PPTP: Point-to-Point Tunneling Protocol
PRF: preferences
PRTSCN: port scan
PXTR: proxy transport
RADIUS: Remote Access Dial-In User Service
REJ: reject
RIP: Routing Inf
Tx: transmit
UDP: User Datagram Protocol
UPN: user principal name
USERDB: user database
USERGRP: user group
VSRP: Virtual Switch Redundancy Protocol
XAUTH: eXtended AUTHentication
XMAS: Christmas tree scan
Index A access policies … 1-43, 4-22, 4-29, 9-47 advanced … 4-31 basic … 4-29 default access policies … 4-25 delete … 4-39 examples rate-limiting … 4-44 schedule-based … 4-42 unicast … 4-40 implied deny … 1-48, 4-28 intra-VLAN … 4-27 modify … 4-33 multicast … 1-44 orphaned policies … 4-27 overlapping … 4-37 parameters … 1-45, 4-23 perimeter deployment, for … 1-28 policy groups … 4-22 position … 1-48, 4-28 processing … 1-47, 4-28 rate limiting … 1-47 reevaluate … 4-33 scheduled … 1-45 stateful … 1-43 traffic
C capture command for troubleshooting … 10-12 certificate CA import … 7-42, 7-95, 7-239 obtain with SCEP … 7-47, 7-100, 7-244 view … 7-43, 7-95, 7-239 CRL … 7-45, 7-97, 7-241 manual installation … 7-36, 7-88, 7-232 obtain with SCEP … 7-49, 7-102, 7-245 private key generate … 7-37, 7-89, 7-233 import … 7-38, 7-90, 7-234 request generate … 7-39, 7-91, 7-235 SCEP … 7-49, 7-102, 7-246 SCEP … 7-46, 7-98, 7-242 subject alternative names … 7-40, 7-92, 7-236 CGI path … 7-46, 7-99, 7-243 challenge password … 7-50, 7
F firewall … 1-43, 4-4 ALGs … 4-7, 4-88 attack checking … 4-6, 4-104 circuit-level gateway … 4-6 events … 1-61 IP reassembly … 4-127 packet-filtering … 4-6 perimeter deployment … 1-23 See also ALG See also attack checking See also connection reservations See also IP reassembly stateful … 4-6 timeouts … 4-113 TMS zl Module functionality … 4-7 troubleshooting … 1-60, 10-39 for … 5-23 fragmentation before IPsec … 7-22 FTP protocol anomaly … 6-16 G gain access … 6-10 gateway application-level … 4-7, 4-88 circu
IKE … 7-13 authentication method … 7-33, 7-83, 7-151, 7-228 local gateway client-to-site … 7-30, 7-148 site-to-site … 7-81, 7-226 local ID client-to-site … 7-30, 7-149 site-to-site … 7-82, 7-227 mode … 7-32, 7-83, 7-150, 7-228 phase 1 … 7-13 phase 2 … 7-17 policy configuration L2TP, for … 7-144 preshared key … 7-33 remote gateway … 7-81, 7-226 remote ID client-to-site … 7-31, 7-149 site-to-site … 7-82, 7-227 SA lifetime … 7-34, 7-84, 7-152, 7-229 view … 7-358 security proposal … 7-33, 7-84, 7-151, 7-229 IMA
L L2TP access policies for … 7-177, 7-413, 7-451, 7-497 authentication protocol … 7-168 configuration tasks … 7-144 dial-in user … 7-166 troubleshooting client-to-site … 10-73 user group … 7-168 username … 7-168 LED Fault … 10-17 HDD and CF Status … 10-17 Module Status … 10-17 Test … 10-17 licenses … 1-6 activate … 2-20, 3-13 IDS/IPS … 1-17, 1-26, 1-37 product … 1-17, 1-26 activate … 2-20, 2-25, 3-13, 3-17 install … 2-24, 3-16 local database … 4-60 user groups … 4-23 default groups … 4-61 users … 4-61 local
examples … 5-25 destination policy … 5-38 exclusion policy … 5-42 inside the LAN … 5-25 limited pool … 5-35 many-to-one source policy … 5-31 network merger … 5-25 port forwarding … 5-38 port translation … 5-38 single internet address … 5-31 source policy … 5-25, 5-31, 5-35 exclusion … 5-10 configure … 5-21 inside the LAN … 1-15, 5-2 packet flow … 5-10 destination … 5-13 source … 5-12 parameters … 1-63 perimeter deployment … 1-24, 5-2 port forwarding … 1-61, 1-62, 5-5, 5-8, 5-9, 5-10 port translation … 5-5,
packet fragmentation See IP reassembly passwords dial-in user … 7-168 L2TP … 7-168 management … 2-60, 3-40 SCEP … 7-50, 7-103, 7-246 SNMPv1/v2c … 2-87, 3-62 SNMPv3 … 2-89, 3-64 user … 4-62 XAUTH … 7-85, 7-230, A-128 PAT See NAT persistent tunnel … 7-22 PIM-SM See routing ping … 2-91, 3-66, 10-5 policy violations … 6-7 polymorphism … 1-39 POP3 protocol anomaly … 6-17 port address translation See NAT port maps … 1-39, 4-85, 6-17 configure … 4-86, 4-87, 6-21 default mappings … 1-40, 4-85 troubleshooting … 10-5
routing … 1-67, 9-3 IGMP … 9-57 multicast … 1-70, 9-55 OSPF … 1-68, 9-27 PIM-SM … 9-59 RIP … 1-67, 9-15 See also OSPF See also RIP static … 1-67, 9-4 switch, on the … 1-17 tables … 9-53, 9-60 to an external network with the host switch … 2-36 with the module … 2-35 troubleshooting … 10-112 routing mode … 1-7, 2-4 deployment … 2-5 features … 2-4 IPS … 6-15 packet flow … 1-73, 4-8 ports … 1-10, 2-15 traffic flow … 1-79 RPC protocol anomaly … 6-17 running configuration file … 2-47, 3-33 S SA … 7-11 flush … 7-
L2TP … 10-73 log messages … 10-30 management interface problems … 10-23 monitor mode … 10-123 NAT … 10-53 nslookup … 10-7 ping … 10-5 port maps … 10-54 protocol analyzer … 10-14 RADIUS, external … 10-87 routing … 10-112 show commands … 10-8 tools … 10-4 traceroute … 10-6 VPN … 10-59 client-to-site … 10-61 site-to-site … 10-94 tunnel GRE … 7-190 L2TP … 7-144 persistent IPsec SA … 7-22 U unicast access policies See access policies upgrade software See maintenance user authentication See authentication See lo
Z zero-day attacks … 1-39 zones … 1-12 access control … 1-12, 1-13, 2-9 associate VLANs with … 1-21, 2-68 best deployment practices … 1-13, 2-11 define … 2-8 DMZ … 1-13, 2-9, 2-11 example configuration … 2-13 External … 1-13, 2-9, 2-11, 2-58 Internal … 1-13, 2-9, 2-11 management-access … 1-18, 1-26, 2-10 Self … 1-12, 2-9 10 – Index