SpeedTouch™ 608(WL)/620 (Wireless) Business DSL Router IPSec Configuration Guide
[Cover illustration: rear panel showing the Internet, ISDN, WLAN, Plug-in, Ethernet and Power connectors; marked "SpeedTouch™608WL and SpeedTouch™620 only"]
Copyright Copyright ©1999-2006 THOMSON. All rights reserved. Distribution and copying of this document, use and communication of its contents is not permitted without written authorization from THOMSON. The content of this document is furnished for informational use only, may be subject to change without notice, and should not be construed as a commitment by THOMSON. THOMSON assumes no responsibility or liability for any errors or inaccuracies that may appear in this document.
Contents (E-DOC-CTC-20051017-0169 v0.1)
About this IPSec Configuration Guide ... 9
1 IPSec: Concept for secure IP connections ... 11
1.1 IPSec Concepts ... 12
2 SpeedTouch™ IPSec terminology ... 15
2.1 Policy ... 16
2.2 Security Descriptor ...
3.3 VPN Server ... 63
3.3.1 VPN Server Page ... 64
3.4 Certificates ... 73
3.5 Advanced VPN Menu ... 75
3.5.1 Peer Profiles Page ...
4.4 Peer ... 118
4.4.1 Peer parameters ... 119
4.4.2 List all peer entities ... 123
4.4.3 Create a new peer entity ...
5.3 Via the CLI: Debug command group ... 167
5.4 Via SNMP ... 170
5.5 Pinging from the SpeedTouch™ to the remote private network ... 171
6 Advanced Features ... 173
6.1 IPSec and the Stateful Inspection Firewall ... 174
6.2 Surfing through the VPN tunnel ...
6.9 Peer Options ... 201
6.9.1 List all Peer Options lists ... 203
6.9.2 Create a Peer Options list ... 204
6.9.3 Set or modify the Peer Option list parameters ... 205
6.9.
About this IPSec Configuration Guide

Abstract: This document explains the IPSec functionality of the SpeedTouch™ Release R5.4 and higher. A brief theoretical explanation is provided where needed, but the main goal of this document is to be a practical guide.

Applicability: This configuration guide applies to the following SpeedTouch™ products: the SpeedTouch™608/608WL (Wireless) Business DSL Routers, Release R5.4 and higher.
1 IPSec: Concept for secure IP connections

Policies: Introducing network security mainly means applying traffic policies. First the policies must be defined, then it must be verified that they are correctly applied. Security policies can be applied at various levels; the IPSec protocol (Internet Protocol Security) applies them at the IP layer.
1.1 IPSec Concepts

Red and Black Network: The following nomenclature is used throughout this document.
The SpeedTouch™: the IPSec-capable DSL router.
The Red network: the private or trusted side of the SpeedTouch™.
The Black network: the public or non-trusted side of the SpeedTouch™. The black network is frequently referred to as the WAN side, being the connection towards the Internet.
Internet Key Exchange: The Internet Key Exchange (IKE) protocol is the negotiation protocol used to establish a Security Association (SA): it negotiates the security protocols and parameters and exchanges the keys. First the IKE SA itself is set up (Phase 1); that IKE SA then serves as a protected signalling channel over which the SAs for the actual user traffic (Phase 2) are negotiated.
2 SpeedTouch™ IPSec terminology

Introduction: In order to understand the IPSec configuration of the SpeedTouch™, a number of concepts and definitions are introduced in this section. The Graphical User Interface (GUI) and the Command Line Interface (CLI) are two alternative methods to configure the IPSec functions. The GUI contains scenario-driven pages, which means that the configuration pages are grouped according to the intended network application.
2.1 Policy

What is ... Security is all about traffic policies, and these can be configured using the IPSec policy commands. By default, policy rules are generated automatically when the IPSec connection is created, so the user does not need to execute extra commands. A set of rules defines whether a packet has to pass through a secure tunnel or not. These rules are expressed in terms of the IP addresses, protocols and/or ports that have access to the secure connections.
2.2 Security Descriptor

What is ... All security parameters required to establish a secure tunnel are grouped into a string called a Security Descriptor, or simply descriptor. Two different sets of descriptors are defined: IKE session descriptors and IPSec descriptors. A descriptor contains the methods for message authentication, encryption and hashing, and the lifetime of the Security Association. A number of descriptors are pre-configured in the SpeedTouch™.
2.3 Authentication Attribute

What is ... Two main methods for authentication are supported in the SpeedTouch™: pre-shared key and certificates. The authentication parameters used for the IKE negotiations are bundled in the SpeedTouch™ in a descriptor with a symbolic name. This symbolic descriptor is called the Authentication Attribute, and you will encounter it when configuring the SpeedTouch™ via the Command Line Interface.

2.4 Peer (Phase 1)

What is ... The Peer is the remote Security Gateway to which the IPSec secure tunnel(s) will be established. In a first phase, an IKE Security Association is negotiated between the SpeedTouch™ and a remote Security Gateway (peer).
2.5 Connection (Phase 2)

What is ... A Connection bundles all the parameters required for the Phase 2 (IPSec) SA negotiation:
Peer Reference: points to the peer configuration to be used. In fact this refers to the IKE channel used for the Phase 2 negotiations.
Local/remote range: the range of red IP addresses to which the IPSec policy applies, given as a reference to the Network Descriptors.
2.6 Network descriptor

What is ... The concept of Network Descriptors was introduced in SpeedTouch™ R5.3. A Network Descriptor comprises not only the classical idea of an IP network or subnet, but can also specify the protocol and port number of the messages, so that access to the VPN can be restricted to certain hosts, protocols and port numbers.
3 Configuration via Local Pages

Prerequisites: In order to use the VPN features in the SpeedTouch™608(WL)/620, you must enable the VPN software module. To activate this VPN module, you have to acquire the optional software activation key. To check whether the software activation key is present, browse to the SpeedTouch™ Web pages and go to Expert Mode > SpeedTouch > Add-On. This page shows which keys are enabled.
In this section: The following topics are discussed in this section:
3.1 LAN to LAN Application ... 25
3.2 VPN Client ... 51
3.3 VPN Server ... 63
3.4 Certificates ... 73
3.5 Advanced VPN Menu ... 75
3.1 LAN to LAN Application

Reference network: A simple LAN-to-LAN network configuration is shown here. [Figure: two LANs connected through the Internet]
SpeedTouch A: public address 100.100.0.1, LAN address 10.0.0.254, Network 10.0.0.0/24, Host 10.0.0.1
SpeedTouch B: public address 200.200.0.1, LAN address 20.0.0.254, Network 20.0.0.0/24, Host 20.0.0.5
The figure shows two LAN networks, each connected via a SpeedTouch™ to the public Internet.
Selecting the LAN to LAN application: In Expert Mode, click VPN > LAN to LAN. As a result, the LAN to LAN page is shown. This page contains two main tab pages. Select the one that best describes your VPN context.
3.1.1 Remote Gateway Address Known Page

VPN context: You know the location of the Remote Gateway in the public Internet, either by its IP address or by its FQDN. In this case the SpeedTouch™ can act either as initiator or as responder. As initiator you can start a secure connection from your SpeedTouch™. As responder, the connection is started when the remote Security Gateway initiates the negotiations.
Buttons: You can use one of the following buttons:
Use Preshared Key Authentication: reveals the additional parameter fields required for Preshared Key Authentication.
Use Certificate Authentication: reveals the additional parameter fields required for Certificate Authentication.
Specify Additional Descriptors: reveals additional fields where you can specify alternative IKE Security Descriptors.

Miscellaneous: Comprises the following settings:
Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. Select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet.

IKE Security Descriptors: The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase 1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch™ and can be selected from a list. Select a Security Descriptor that matches the IKE security parameters configured in the remote Security Gateway.

Page layout for preshared key authentication: [screenshot]
IKE Authentication with Preshared Key: When you select Use Preshared Key Authentication, the following fields have to be completed:
Preshared Secret: A string used as the secret password for the VPN connection. This secret must be configured identically at both peers (local and remote). Choose a long, random string rather than a guessable password: anyone who knows or guesses the secret can authenticate as the peer.
Confirm Secret: The Preshared Secret value is not shown in clear text in the SpeedTouch™ Web page, so enter it a second time here to confirm it.
Example of a completed page: The illustration below shows a completed page. The data in the various fields correspond with the VPN layout shown on page 25: Pre-shared key was selected as authentication method, and keyid was selected for the local and remote identity. After the page was completed, the remote gateway settings were added to the configuration by clicking Add. At the bottom of the screen additional buttons appear, which are explained below.

Buttons: You can use one of the following buttons:
Stop All Connections to this Gateway: stops all VPN connections to the selected remote Security Gateway.
Apply: applies the modifications made to the settings of the selected remote Security Gateway.
Delete: deletes the selected remote Security Gateway from the configuration.
New Gateway: starts the definition of a new remote Security Gateway.
3.1.2 Remote Gateway Address Unknown Page

VPN context: Your SpeedTouch™ may have to set up (simultaneous) VPN connections with various remote Security Gateways. At the time you configure your SpeedTouch™, you do not know the location of the Remote Gateway(s) in the network. This may be the case at the central location of a large network, where remote locations are added as time passes.

Aggressive Mode versus Main Mode: IKE specifies two modes of operation for the Phase 1 negotiations: main mode and aggressive mode. Main mode is more secure, because the identities are exchanged only after the channel has been encrypted; aggressive mode is quicker, needing fewer messages, but sends the identities in the clear.

Buttons: You can use one of the following buttons:
Aggressive mode: switches to the Aggressive Mode configuration page. This page is shown by default when you click Remote Gateway Address Unknown.
Main mode: switches to the Main Mode configuration page.
Miscellaneous: Comprises the following settings:
Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. Select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet.

IKE Security Descriptors: The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase 1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch™ and can be selected from a list. Select a Security Descriptor that matches the IKE security parameters configured in the remote Security Gateway.

Page layout for preshared key authentication: [screenshot]
IKE Authentication with Preshared Key: When you select Use Preshared Key Authentication, the following fields have to be completed:
Preshared Secret: A string used as the secret password for the VPN connection. This secret must be configured identically at both peers (local and remote). Choose a long, random string rather than a guessable password: anyone who knows or guesses the secret can authenticate as the peer.
Confirm Secret: The Preshared Secret value is not shown in clear text in the SpeedTouch™ Web page, so enter it a second time here to confirm it.
Main Mode initial page: When you click Main Mode, the following page is displayed: [screenshot]. Clicking a button changes the page layout, revealing other fields and buttons. More information about the various fields and buttons is given below.

Buttons: You can use one of the following buttons:
Use Preshared Key Authentication: reveals the additional parameter fields required for Preshared Key Authentication.

Page layout with additional Descriptors: When you click Specify Additional Descriptors, the IKE Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IKE Security Descriptors. These are used as alternative valid proposals in the IKE negotiations.

Page layout for certificate authentication: When you click Use Certificate Authentication, the IKE Authentication area of the page is updated in the following way: [screenshot of the expanded main mode page]
IKE Authentication: Certificate parameters: When you select Use Certificate Authentication, you have to fill out the Distinguished Name of the local and remote Certificates.

Identification & Interface: The Identification & Interface fields have to be filled out with the following information:
Local ID Type and Local ID: The Local ID identifies the local SpeedTouch™ during the Phase 1 negotiation with the remote Security Gateway. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association.
Example of a completed page: The illustration below shows a completed page. The data in the various fields correspond with the VPN layout shown on page 25: Pre-shared key was selected as authentication method, and keyid was selected for the local and remote identity. After the page was completed, the remote gateway settings were added to the configuration by clicking Add. At the bottom of the screen additional buttons appear, which are explained below.

Buttons: You can use one of the following buttons:
Stop All Connections to this Gateway: stops all VPN connections to the selected remote Security Gateway.
Apply: applies the modifications made to the settings of the selected remote Security Gateway.
Delete: deletes the selected remote Security Gateway.
New Gateway: starts the definition of a new remote Security Gateway.

3.1.3 Connections Page

Page layout: When you click New Connection to this Gateway, the following fields are revealed: [screenshot]. In this section of the page you fill out the characteristics of the Virtual Private Network you are building: specify the local and remote private network parameters, and specify the Security Descriptor you use for this IPSec connection. More information about the various fields and buttons is given below.

Trusted Network: The Local and Remote Trusted Network parameters describe which terminals have access to the secure connection at the local and remote peers, respectively. Two fields must be completed for each peer: Trusted Network Type and Trusted Network IP. The Trusted Network Type determines which type of value to use in the Trusted Network IP field. The following network types are supported.
Port: If tcp or udp is selected for the protocol parameter, access to the IPSec connection can be further restricted to a single port. Many well-known port numbers can be selected from the pull-down menu. Separate fields are provided for the local and remote ports. Typically, identical values are selected for both fields. In almost all cases, the value any is the most appropriate choice: restrict the port only when the traffic allowed through the tunnel really is limited to one service, because any other traffic between the trusted networks then no longer matches the policy and is not sent through the tunnel.
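The Connections page above, together with the Policy, Connection and Network Descriptor definitions of chapter 2, describes a packet classifier: a packet enters the tunnel only if it matches a connection's local and remote trusted network, protocol and port. The following Python simulation of that lookup is an added example written for this edition; it is not SpeedTouch code, its class and function names are its own, and the policy and sample packets are constructed for the reference network of section 3.1 (10.0.0.0/24 behind SpeedTouch A, 20.0.0.0/24 behind SpeedTouch B).

```python
"""Simulate the SpeedTouch traffic policy lookup described in this guide.

Added example (not Thomson/SpeedTouch code): a Connection is a pair of
network descriptors (trusted network, protocol, port). A packet leaving the
red side is sent through the tunnel only when it matches the local and the
remote descriptor of some connection; anything else stays unprotected.
Class and function names are this example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class NetworkDescriptor:
    """One trusted network: address range plus optional protocol and port."""
    network: str            # "10.0.0.0/24" or a single host "20.0.0.5/32"
    protocol: str = "any"   # "any", "tcp", "udp", "icmp", ...
    port: str = "any"       # "any" or a port number; only meaningful for tcp/udp

    def matches(self, addr: str, protocol: str, port: Optional[int]) -> bool:
        if ip_address(addr) not in ip_network(self.network, strict=False):
            return False
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.port != "any":
            # A port restriction can only be satisfied by tcp or udp traffic
            if protocol not in ("tcp", "udp") or port is None:
                return False
            if int(self.port) != port:
                return False
        return True


@dataclass(frozen=True)
class Connection:
    name: str
    local: NetworkDescriptor    # Local Trusted Network (+ local port)
    remote: NetworkDescriptor   # Remote Trusted Network (+ remote port)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def select_connection(policy: List[Connection], pkt: Packet) -> Optional[str]:
    """Outbound lookup: return the name of the first connection whose local
    descriptor covers the source and whose remote descriptor covers the
    destination, or None when the packet must not enter a tunnel."""
    for conn in policy:
        if (conn.local.matches(pkt.src, pkt.protocol, pkt.src_port)
                and conn.remote.matches(pkt.dst, pkt.protocol, pkt.dst_port)):
            return conn.name
    return None


# Constructed policy for the reference network of section 3.1, as seen from
# SpeedTouch A: only HTTP to host 20.0.0.5 and ICMP to the whole 20.0.0.0/24
# are allowed through the tunnel. Everything else (SSH to 20.0.0.5, traffic
# to the Internet) is not matched and therefore not protected.
POLICY = [
    Connection("web-to-host-b",
               NetworkDescriptor("10.0.0.0/24", "tcp", "any"),
               NetworkDescriptor("20.0.0.5/32", "tcp", "80")),
    Connection("ping-lan-b",
               NetworkDescriptor("10.0.0.0/24", "icmp"),
               NetworkDescriptor("20.0.0.0/24", "icmp")),
]


if __name__ == "__main__":
    samples = [  # constructed sample packets
        Packet("10.0.0.1", "20.0.0.5", "tcp", 40000, 80),      # tunnelled
        Packet("10.0.0.1", "20.0.0.5", "tcp", 40001, 22),      # not tunnelled
        Packet("10.0.0.1", "20.0.0.7", "icmp"),                # tunnelled
        Packet("10.0.0.1", "198.51.100.9", "tcp", 40002, 80),  # Internet, clear
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} {p.protocol}: {select_connection(POLICY, p)}")
```

The point the simulation makes is the one the Port paragraph warns about: with the remote port fixed to 80, SSH to the same host is simply not matched, so it leaves the SpeedTouch in the clear rather than being blocked. Whether such unmatched traffic is then dropped or forwarded unprotected is a firewall decision, not a VPN one (see section 6.1 on the Stateful Inspection Firewall).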
Starting and stopping a connection: A VPN connection is started automatically when data is sent or received that complies with the traffic policy. Alternatively, you can manually start and stop a VPN connection by selecting it in the table. At the bottom of the page, Start and Stop buttons appear, as shown below. [screenshot]

3.2 VPN Client

VPN context: For a VPN client-server scenario, a dedicated set of user-friendly configuration pages is available. Separate pages exist for the client and server sides. In this section the VPN client configuration page is described. The VPN client in the SpeedTouch™ can replace a software VPN client installed on a computer. You can use it, for example, to connect from your home to your employer's corporate network for teleworking.

3.2.1 VPN Client Page

Initial page: When you click VPN > VPN Client, the following page is displayed: [screenshot]. The page contains a number of buttons and fields to complete. It is recommended to fill out the page from top to bottom. When you click a button, the page layout changes, revealing other fields and buttons. More information about the various fields and buttons is given below.

Buttons: You can use one of the following buttons:
Server IP Address or FQDN: Fill out the publicly known network location of the remote Gateway. You can specify the public IP address if it is fixed and known. More often, the publicly known FQDN (such as vpn.corporate.com) is used. When you specify an IP address, the SpeedTouch™ expects the VPN server to use an IP address as its identifier during the IKE negotiations. When an FQDN is specified, the SpeedTouch™ expects the VPN server to use an FQDN as well.
IPSec Security Descriptor: The IPSec Security Descriptor bundles the security parameters used for the Phase 2 Security Association. A number of IPSec Security Descriptors are pre-configured in the SpeedTouch™ and can be selected from a list. Select a Security Descriptor that matches the IPSec security parameters configured in the remote VPN server.

Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. Select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet. In the SpeedTouch™ the routing engine determines which interface is actually used for the VPN connection (your DSL connection to the Internet in most cases).

Page layout for preshared key authentication: When you click Use Preshared Key Authentication, the initial page is updated in the following way: [screenshot]

IKE Authentication with Preshared Key: When you select Use Preshared Key Authentication, the following fields have to be completed:
Preshared Secret: A string used as the secret password for the VPN connection.

Page layout for certificate authentication: [screenshot]
IKE Authentication: Certificate parameters
Starting and stopping a VPN client connection: Two start mechanisms are defined: Manual Dialup and Automatic Start. When you use pre-shared key authentication, both start mechanisms require a number of parameters to be set; which parameters depends on the Server Vendor you selected. If you select the Manual Dialup method, no further parameters have to be configured: you dial in to the VPN server each time you need the secure connection.
Local LAN IP Range: In this field you configure the local access policy. In other words, you define which IP range of local terminals has access to the VPN. You can specify either a single IP address, a subnet, or a range. Examples:
a single IP address: 10.0.0.15
a single IP subnet: 10.0.0.0/24
a contiguous IP address range: 10.0.0.5-10.0.0.56
10.0.0.

Set of Server Vendor specific parameters

3.2.2 Starting the VPN Client Connection

Method 1: Automatic Start: In section "Starting and stopping a VPN client connection" on page 57, the configuration of the Automatic Start mechanism is explained. All parameters required for starting the connection are stored in the SpeedTouch™ configuration file, and no further user interaction is required to start the VPN connection.

Method 2: Manual Start

Dialling in:
1 Select the VPN server from the table and click Dial-In at the bottom of the screen. As a result, the VPN Client Connect page is shown.
2 Fill out the login parameters and click Continue. The SpeedTouch™ starts the negotiations to set up the secure VPN connection. The outcome of the dial-up procedure is shown on the screen. All active VPN connections are shown at the bottom of the VPN Client Connection Configuration page.

Client Identification: When the Preshared Key method was selected as the IKE Authentication method, some Server Vendor specific fields must be filled out. See "Set of Server Vendor specific parameters" on page 58.

Using XAuth: When the VPN server uses the Extended Authentication protocol, fill out your Username and Password in the optional fields: [screenshot]

3.2.3 Closing a Connection

Disconnect procedure: At the bottom of the VPN Client Connection Configuration page, all active VPN connections are shown. Select the connection you want to terminate and click Disconnect. The secure connection is closed and removed from the list of active connections.

3.3 VPN Server

VPN context: In a VPN client-server scenario, the VPN server is always the responder in the IKE negotiations. Various VPN clients can dial in to a VPN server, since it supports multiple simultaneous VPN connections. A VPN server does not know a priori which remote Security Gateway will attempt to set up a VPN connection; in time, new users may join the VPN.

3.3.1 VPN Server Page

Initial page: When you click VPN > VPN Server, the following page is displayed: [screenshot]. The page contains a number of buttons and fields to complete. It is recommended to fill out the page from top to bottom. When you click a button, the page layout changes, revealing other fields and buttons. More information about the various fields and buttons is given below.

Buttons: You can use one of the following buttons:
Specify Additional Networks: reveals additional fields where you can specify additional descriptors for the local network that is open to remote terminals via a VPN connection.
Use Preshared Key Authentication: reveals the additional parameter fields required for Preshared Key Authentication.

Page layout with additional Networks: Clicking Specify Additional Networks allows you to designate up to four addresses/subnets, in case the Local Trusted Network cannot be described by a single address/subnet. [screenshot]

IKE Security Descriptor: The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase 1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch™ and can be selected from a list.

Page layout with additional Descriptors: When you click Specify Additional Descriptors, the IKE Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IKE Security Descriptors. These are used as alternative valid proposals in the IKE negotiations.

IPSec Security Descriptor: The IPSec Security Descriptor bundles the security parameters used for the Phase 2 Security Association.
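To see what the alternative descriptors do during the negotiation, for both the LAN-to-LAN pages of section 3.1 and this VPN Server page, here is an added Python model of the proposal selection. It is not SpeedTouch code: the descriptor names, the inclusion of a Diffie-Hellman group in the descriptor, and the rule that the shorter configured lifetime wins are this example's assumptions, and the peer configuration is constructed.

```python
"""Model of IKE proposal selection with alternative Security Descriptors.

Added example, not SpeedTouch code. A descriptor bundles the encryption
and hash methods and the SA lifetime (as in section 2.2); the DH group, the
descriptor names and the "shortest configured lifetime wins" rule are this
example's own assumptions. The initiator offers its descriptor plus up to
four alternatives, in order; the responder accepts the first offered
descriptor whose crypto parameters match one of its own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_ALTERNATIVES = 4   # the Web page allows up to four alternative descriptors


@dataclass(frozen=True)
class Descriptor:
    name: str         # local label only; never sent on the wire
    encryption: str   # e.g. "aes128", "3des"
    integrity: str    # e.g. "sha1", "md5"
    dh_group: int     # MODP group, e.g. 2 (1024-bit) or 5 (1536-bit)
    lifetime: int     # seconds

    def compatible(self, other: "Descriptor") -> bool:
        """Two descriptors agree when the cryptographic parameters agree;
        names and lifetimes are not part of the match."""
        return (self.encryption == other.encryption
                and self.integrity == other.integrity
                and self.dh_group == other.dh_group)


def build_proposals(primary: Descriptor, alternatives: List[Descriptor]) -> List[Descriptor]:
    """Proposal list the initiator sends: primary descriptor first."""
    if len(alternatives) > MAX_ALTERNATIVES:
        raise ValueError(f"at most {MAX_ALTERNATIVES} alternative descriptors allowed")
    return [primary, *alternatives]


def respond(offered: List[Descriptor],
            acceptable: List[Descriptor]) -> Optional[Tuple[str, str, int]]:
    """Responder side: walk the offered list in the initiator's order and
    take the first proposal that matches any acceptable descriptor.
    Returns (initiator_name, responder_name, negotiated_lifetime) or None
    when Phase 1 must fail for lack of a common descriptor."""
    for proposal in offered:
        for own in acceptable:
            if proposal.compatible(own):
                return proposal.name, own.name, min(proposal.lifetime, own.lifetime)
    return None


# Constructed descriptors (names are this example's, not SpeedTouch presets)
AES_SHA1_G5 = Descriptor("aes-sha1-modp1536", "aes128", "sha1", 5, 3600)
AES_MD5_G2 = Descriptor("aes-md5-modp1024", "aes128", "md5", 2, 3600)
DES3_SHA1_G2 = Descriptor("3des-sha1-modp1024", "3des", "sha1", 2, 28800)

# Constructed configuration of the remote gateway: no group 5 support
PEER_ACCEPTS = [
    Descriptor("peer-3des-sha1", "3des", "sha1", 2, 1800),
    Descriptor("peer-aes-md5", "aes128", "md5", 2, 1800),
]


def negotiate_example() -> Optional[Tuple[str, str, int]]:
    """SpeedTouch offers AES/SHA1/group 5 first and two weaker alternatives.
    The peer cannot do group 5, so the first alternative, AES/MD5/group 2,
    is selected, with the peer's shorter lifetime."""
    offered = build_proposals(AES_SHA1_G5, [AES_MD5_G2, DES3_SHA1_G2])
    return respond(offered, PEER_ACCEPTS)


def negotiate_without_alternatives() -> Optional[Tuple[str, str, int]]:
    """Same peer, but no alternatives configured: Phase 1 fails."""
    return respond(build_proposals(AES_SHA1_G5, []), PEER_ACCEPTS)


if __name__ == "__main__":
    print(negotiate_example())               # ('aes-md5-modp1024', 'peer-aes-md5', 1800)
    print(negotiate_without_alternatives())  # None
```

Because the first mutually acceptable proposal in the initiator's order wins, every alternative you list is a level the peer can negotiate you down to. List only descriptors you would be content to run the tunnel with; in the example, leaving out the alternatives makes Phase 1 fail visibly instead of silently falling back to MD5 and the 1024-bit group.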
Miscellaneous: Comprises the following settings:
IKE Exchange Mode: IKE specifies two modes of operation for the Phase 1 negotiations: main mode and aggressive mode. Main mode is more secure, because the identities are exchanged only after the channel has been encrypted; aggressive mode is quicker but sends the identities in the clear.
Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. Select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection.
VPN Server settings: Comprises the following settings:
Virtual IP Range: Specifies the range of IP addresses from which the VPN client addresses are selected. An address range or a subnet can be entered for this parameter. Examples: 10.20.30.[5-50] or 10.20.30.*
Netmask: Specifies the netmask provided to the VPN client. Use the dotted decimal format. For example: 255.255.255.
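The Local LAN IP Range field of the VPN Client page (section 3.2.1) and the Virtual IP Range above use the same small family of address notations. The following Python parser and virtual address pool are an added example, not SpeedTouch code; the pool allocator's behaviour (first free address, same address for a client that re-dials, None when the range is exhausted) is this example's assumption about what a server must do, not a description of the SpeedTouch implementation, and the client names are constructed.

```python
"""Parse the address-range notations used on the VPN Client and VPN Server
pages and hand out virtual client addresses from a Virtual IP Range.

Added example, not SpeedTouch code. Notations taken from the guide:
  single address        10.0.0.15
  subnet                10.0.0.0/24
  contiguous range      10.0.0.5-10.0.0.56
  bracketed last octet  10.20.30.[5-50]
  wildcard last octet   10.20.30.*
The pool allocator and its behaviour on exhaustion are this example's own.
"""
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

_BRACKET = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
_WILDCARD = re.compile(r"^(\d+\.\d+\.\d+)\.\*$")


def parse_range(spec: str) -> List[IPv4Address]:
    """Expand a SpeedTouch-style range specification into a list of addresses."""
    spec = spec.strip()
    m = _BRACKET.match(spec)          # must be tried before the a-b range form
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range in {spec!r}")
        return [IPv4Address(f"{prefix}.{i}") for i in range(lo, hi + 1)]
    m = _WILDCARD.match(spec)
    if m:
        return [IPv4Address(f"{m.group(1)}.{i}") for i in range(256)]
    if "/" in spec:
        # strict=False accepts e.g. 10.0.0.1/24 and expands to the whole subnet
        return list(IPv4Network(spec, strict=False))
    if "-" in spec:
        first, last = (IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end before start in {spec!r}")
        return [IPv4Address(int(first) + i) for i in range(int(last) - int(first) + 1)]
    return [IPv4Address(spec)]          # single address; raises on garbage


def contains(spec: str, addr: str) -> bool:
    """Does a Local LAN IP Range (the local access policy) cover this address?"""
    return IPv4Address(addr) in set(parse_range(spec))


class VirtualIPPool:
    """Virtual IP Range of the VPN Server page: each client that dials in gets
    one address from the pool, returned to the pool when it disconnects."""

    def __init__(self, spec: str, netmask: str) -> None:
        IPv4Network(f"0.0.0.0/{netmask}")   # rejects a malformed or non-contiguous mask
        self.free: List[IPv4Address] = parse_range(spec)
        self.netmask = netmask
        self.leased: Dict[str, IPv4Address] = {}   # client identity -> address

    def assign(self, client_id: str) -> Optional[str]:
        if client_id in self.leased:
            return str(self.leased[client_id])   # re-negotiation keeps the address
        if not self.free:
            return None                          # pool exhausted: refuse the client
        addr = self.free.pop(0)
        self.leased[client_id] = addr
        return str(addr)

    def release(self, client_id: str) -> None:
        addr = self.leased.pop(client_id, None)
        if addr is not None:
            self.free.append(addr)

    def config_for(self, client_id: str) -> Optional[dict]:
        """Address and netmask as they would be handed to the VPN client."""
        addr = self.leased.get(client_id)
        return None if addr is None else {"address": str(addr), "netmask": self.netmask}


if __name__ == "__main__":
    print(len(parse_range("10.0.0.5-10.0.0.56")))   # 52
    pool = VirtualIPPool("10.20.30.[5-50]", "255.255.255.0")
    print(pool.assign("client-a"), pool.config_for("client-a"))
```

Size the Virtual IP Range for the number of simultaneous clients you expect: once the pool is empty the next client cannot be given an address, and a wildcard range (10.20.30.*) includes the .0 and .255 addresses, which a client may not be able to use.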
Page layout for preshared key authentication: When you click Use Preshared Key Authentication, the initial page is updated in the following way: [screenshot]

IKE Authentication with Preshared Key: When you select Use Preshared Key Authentication, the following fields have to be completed:
Preshared Secret: A string used as the secret password for the VPN connection. This secret must be configured identically at both peers (local and remote). The VPN Server page holds a single Preshared Secret, shared by all VPN clients that use pre-shared key authentication; choose a long, random string, and change it when a client is withdrawn from the VPN.
Remote ID (Filter) Type and Remote ID Filter: The Remote ID Filter identifies the VPN client during the Phase 1 negotiation. This identity is used as a filter for VPN clients when they join the VPN. Its value must match the settings in the VPN client in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch™ are listed in the table below.
Identity type | Keyword | Examples
IP address | addr | 10.0.0.1, 0.0.0.

Authorized Users List: When you selected the use of XAuth (either generic or chap) in the VPN Server Configuration page, clicking Apply reveals an additional section at the top of the page. Compose a list of authorized users for the VPN:
1 Enter a User name and corresponding Password.
2 Click Add User.
3 Repeat the previous steps for each individual VPN client you want to grant access to the VPN.

3.4 Certificates

Introduction: The Certificates navigation tab gives access to four main pages for certificate management.
Secure Storage page: This page shows the list of certificates stored in the SpeedTouch™.
Request Import page: This page allows importing new certificates from a Certificate Authority into the SpeedTouch™.
CRL page: This page allows managing the use of Certificate Revocation Lists.
CRL Distribution Point
CEP page: This page allows configuring the Certificate Enrollment Protocol settings.
Enrollment URL: This URL points to the location of the CEP script on the Certificate Authority server. Usually it has the following form: http://<host>[:<port>]/<path>, where <host> is a numeric IP address (do not use a DNS name), <port> is the port number (by default port 80 is assumed) and <path> is the path to the script, e.g. cgi-bin/pkiclient.exe.
Subject DN: See RFC1779.
3.5 Advanced VPN Menu

When to use: The Advanced VPN menu gives access to two main pages where the complete IPSec configuration can be done. These pages are component-oriented, as opposed to the application-oriented pages described in sections 3.1, 3.2 and 3.3. Component-oriented means that a number of components are constructed and subsequently combined. It is highly recommended to use the application-oriented Web pages for VPN configurations.
Chapter 3 Configuration via Local Pages Peer Profiles page When you click VPN > Advanced > Peers, the Peer Profiles page is displayed. The Peers page gives access to the following sub-pages: Advanced > Peers sub-pages See Peer Profiles “3.5.1 Peer Profiles Page” on page 78 Authentication “3.5.2 Authentication Page” on page 82 Descriptors “3.5.3 Peer Descriptors Page” on page 83 Options “3.5.4 Peer Options Page” on page 85 VPN-Client “3.5.5 VPN-Client Page” on page 86 VPN-Server “3.5.
Chapter 3 Configuration via Local Pages Connection Profiles page When you click VPN > Advanced > Connections, the Connection Profiles page is displayed. The Connections page gives access to the following sub-pages: Advanced > Connections sub-pages See Connection Profiles “3.5.8 Connection Profiles Page” on page 91 Networks “3.5.9 Networks Page” on page 94 Descriptors “3.5.10 Connection Descriptors Page” on page 96 Options “3.5.11 Connection Options Page” on page 99 Client “3.5.
3.5.1 Peer Profiles Page
Peer Profiles page layout: The Peer Profiles page bundles all parameters that define a Peer. A number of parameters make use of symbolic descriptors that are defined and managed on other sub-pages. On the Profiles page, these descriptors are selected by their symbolic name from a list. Therefore, you need to prepare the descriptors on the other Peers sub-pages before a complete Peer Profile can be composed on the Peer Profiles page.
Local ID: The Local ID identifies the local SpeedTouch™ during the Phase 1 negotiation with the remote Security Gateway. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The Local ID types supported in the SpeedTouch™ are listed in the following table.
Local ID type | Keyword | Examples
IP address | addr | 10.0.0.1
Fully qualified domain name | fqdn | sales.corporate.
Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet. On the DSL line, various logical connections can be defined, possibly using different protocol stacks (IPoA, PPPoE, PPPoA, …).
Peer Options: This optional parameter refers to the symbolic name of a peer options list. The peer options modify the VPN behaviour. The peer options lists are defined on the Peer Options sub-page, see “3.5.4 Peer Options Page” on page 85. For a basic IPSec configuration, no options list is selected.
3.5.2 Authentication Page
Authentication page layout: The Authentication page allows you to define Authentication Attributes. Two main methods for user authentication are supported in the SpeedTouch™: pre-shared key and certificates. The user authentication parameters used for IKE negotiations are bundled in a descriptor with a symbolic name. This is called the Authentication Attribute. For pre-shared key authentication, this attribute holds the pre-shared key.
3.5.3 Peer Descriptors Page
Descriptors page layout: A Peer Security Descriptor contains the methods for message authentication, encryption and hashing, and the lifetime of the IKE Security Association. The Peer Descriptors page allows you to manage Peer Security Descriptors. A number of Peer Security Descriptors are pre-configured in the SpeedTouch™.
Crypto: The table below shows the encryption algorithms supported by the SpeedTouch™ along with their corresponding key sizes:
Algorithm | Valid key lengths (bits)
DES | 56
3DES | 168
AES | 128, 192, 256
DES is relatively slow and is the weakest of the algorithms. It is still widely implemented, but its 56-bit key can be recovered by brute force, so avoid it unless the remote gateway supports nothing stronger. 3DES is a stronger version of DES, but is the slowest of the supported algorithms (for a comparable key length).
Integrity
3.5.4 Peer Options Page
Options page layout: The Options page allows you to define Options lists that you can later refer to in a Peer Profile. Peer options are described in section “6.9 Peer Options” on page 201.
3.5.5 VPN-Client Page
VPN-Client page layout: The VPN-Client page allows you to define VPN Client Descriptors. The configuration of a VPN client scenario is described in detail in section “3.2 VPN Client” on page 51 and following. The application-oriented VPN Client Web page is the recommended way to configure a VPN client.
Client descriptor name: This name is used internally to identify the VPN Client Descriptor.
Configuring XAuth
Type: The Type parameter determines which Virtual IP Address Mapping type is selected. Either dhcp or nat can be selected. Selecting dhcp has the effect that the virtual IP address assigned by the VPN server to the SpeedTouch™ VPN client is effectively assigned to the terminal. The SpeedTouch™ creates a new IP address pool, called a spoofing address pool.
3.5.6 VPN-Server Page
VPN-Server page layout: The VPN-Server page allows you to define VPN Server Descriptors. The configuration of a VPN server scenario is described in detail in section “3.3 VPN Server” on page 63 and following. The application-oriented VPN Server Web page is the recommended way to configure a VPN server.
Server descriptor name: This name is used internally to identify the VPN Server Descriptor.
Virtual IP Range
Netmask
Secondary DNS: The IP address of the secondary DNS server, provided to the VPN clients via IKE Mode Config. This is the secondary DNS server in the local network that is open to VPN clients.
Primary WINS: The IP address of the primary WINS server, provided to the VPN clients via IKE Mode Config. This is the primary WINS server in the local network that is open to VPN clients. A WINS server maps NetBIOS names to IP addresses.
3.5.7 VPN-Server-XAuth Page
VPN-Server-XAuth page layout: The VPN-Server-XAuth page allows you to define XAuth user pools and to add authorized users to these pools. An XAuth user pool is a named list of authorized users. Use Add User to define additional user records. The configuration of a VPN server scenario is described in detail in section “3.3 VPN Server” on page 63 and following.
3.5.8 Connection Profiles Page
Connection Profiles page layout: The Connection Profiles page bundles all parameters that define an IPSec Connection to a Peer. In other words, it bundles the Phase 2 parameters. A number of parameters make use of symbolic descriptors that are defined and managed on other sub-pages. On the Profiles page, these descriptors are selected by their symbolic name from a list.
Local network: This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which traffic has access to the IPSec connection at the local side of the tunnel. This is the basic parameter for the dynamic IPSec policy capabilities of the SpeedTouch™. As an outcome of the Phase 2 negotiations, a static IPSec policy is derived.
Connection Options: This optional parameter refers to the symbolic name of a connection options list. The connection options modify the VPN behaviour. The connection options lists are defined on the Connection Options sub-page, see “3.5.11 Connection Options Page” on page 99. For a basic IPSec configuration, no options list is selected.
Connection enabled: Select this box to enable the connection.
3.5.9 Networks Page
Networks page layout
What is a Network Descriptor? The Networks page allows you to define Network Descriptors. The concept of Network Descriptors is introduced for the first time in the SpeedTouch™ R5.3.
Protocol: Optionally, access to an IPSec connection can be restricted to a specific protocol by selecting it from the list. Select any if you do not want to restrict the connection to a specific protocol. If you want to restrict the protocols on your secure VPN link and you need multiple protocols, define a separate connection for every individual protocol. A separate IPSec tunnel will be established for each protocol.
3.5.10 Connection Descriptors Page
Descriptors page layout: A Connection Security Descriptor contains the following security parameters for an IPSec connection:
- Encryption method
- Message integrity method (also called message authentication)
- Selection to use Perfect Forward Secrecy, or not
- Lifetime of the IPSec (Phase 2) Security Association
- Encapsulation method
The Descriptors page allows you to manage Connection Security Descriptors.
Parameter table: The following table summarizes the parameters comprised in the connection security descriptor:
Parameter | Description
Descriptor name | Symbolic name to identify the Descriptor.
Crypto | Cryptographic function to be used for the IPSec Security Association.
Integrity | Hashing function used for message authentication.
Encapsulation | Selects the ESP encapsulation mode.
Connection Descriptor name
Crypto
Integrity: The SpeedTouch™ supports two hashing algorithms, MD5 and SHA1. HMAC is always used as the integrity algorithm, combined with either MD5 or SHA1. SHA1 is stronger than MD5 but slightly slower; prefer SHA1 wherever the remote gateway supports it.
Encapsulation: Tunnel mode is used in all applications where the SpeedTouch™ is the IPSec Security Gateway for the connected hosts. Transport mode can be used only for information streams generated or terminated by the SpeedTouch™ itself.
3.5.11 Connection Options Page
Options page layout: The Options page allows you to define Options lists that you can later refer to in a Connection Profile. Connection options are described in section “6.10 Connection Options” on page 207.
3.5.12 Client Page
Client page layout: The Client page is used for dialling in to a VPN server. The configuration of a VPN client scenario is described in detail in section “3.2 VPN Client” on page 51 and following. The application-oriented VPN Client Web page is the recommended way to configure a VPN client and allows you to dial in to the VPN server.
Connection: Select from the list the name of the connection you want to start.
Local ID
Configuring XAuth
Chapter 4 Configuration via the Command Line Interface
In this chapter: This chapter describes the basic configuration steps for building an operational IPSec connection via the Command Line Interface. First, a reference network is proposed that serves in examples throughout the chapter. Then an outline of the configuration procedure is presented. The individual steps are described in detail in the subsequent sections.
Reference network
4.1 Basic IPSec configuration procedure
Terminology: The SpeedTouch™ uses specific IPSec terms and definitions. The following table relates these terms to the question to be solved when setting up an IPSec connection to a remote network.
What do we want to do? | How do we configure it in the SpeedTouch™?
Define the remote Security Gateway to which we want to set up an IKE session. | Define a Peer.
Procedure: In order to set up a basic IPSec configuration, the following main steps have to be executed.
1 Prepare the Peer attributes: define a valid Authentication Attribute and a valid Peer Security Descriptor.
2 Create a new Peer entity.
3 Modify the Peer parameters.
4 Prepare a valid Connection Security Descriptor.
5 Prepare a valid Network Descriptor.
6 Create a new Connection.
7 Set the parameters of the new Connection.
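The seven steps above are a dependency chain: the peer refers to an Authentication Attribute and a Peer Security Descriptor that must already exist, the connection refers to a peer, a Connection Security Descriptor and Network Descriptors, and (as section 4.4.5 states) a peer still referenced by a Phase 2 connection cannot be deleted. The following added example, written for this edit and not code shipped with the SpeedTouch™, models that object store in Python, enforces those ordering and reference rules, and records the equivalent ":ipsec ... add/modify/delete" commands in the order the guide prescribes. The command syntax mirrors the guide's CLI transcripts; keyword names the guide does not show (auth, descr, integ, secret, remotenetwork) and all addresses and names are assumptions for the example.

```python
# Added example (not SpeedTouch code): a model of the IPSec object store the
# guide's seven-step procedure builds. It enforces the guide's rules: referenced
# objects must exist first, and a peer referenced by a connection cannot be
# deleted. Method names are this example's own; keyword names beyond those the
# guide shows (auth, descr, integ, secret, remotenetwork) are assumptions.
from typing import Dict, List


class IpsecConfig:
    # group -> {name: params}
    def __init__(self) -> None:
        self.objects: Dict[str, Dict[str, dict]] = {
            "peer auth": {}, "peer descriptor": {}, "peer": {},
            "connection descriptor": {}, "connection network": {}, "connection": {},
        }
        self.commands: List[str] = []   # CLI transcript, in dependency order

    # Parameters of a group that must name an existing object of another group.
    REFS = {
        "peer": {"auth": "peer auth", "descr": "peer descriptor"},
        "connection": {"peer": "peer", "descr": "connection descriptor",
                       "localnetwork": "connection network",
                       "remotenetwork": "connection network"},
    }

    def add(self, group: str, name: str, **params) -> None:
        if name in self.objects[group]:
            raise ValueError(f"{group} {name!r} already exists")
        for key, target in self.REFS.get(group, {}).items():
            if key in params and params[key] not in self.objects[target]:
                raise ValueError(f"{group} {name!r} refers to unknown {target} {params[key]!r}")
        self.objects[group][name] = dict(params)
        self.commands.append(f":ipsec {group} add name={name}")
        if params:   # the guide sets parameters with a separate modify command
            args = " ".join(f"{k}={v}" for k, v in params.items())
            self.commands.append(f":ipsec {group} modify name={name} {args}")

    def referenced_by(self, group: str, name: str) -> List[str]:
        """Objects whose parameters point at (group, name)."""
        hits = []
        for other, refs in self.REFS.items():
            for oname, params in self.objects[other].items():
                if any(t == group and params.get(k) == name for k, t in refs.items()):
                    hits.append(f"{other} {oname}")
        return hits

    def delete(self, group: str, name: str) -> None:
        users = self.referenced_by(group, name)
        if users:   # same refusal the guide describes for a peer used by a connection
            raise ValueError(f"{group} {name!r} is still referenced by {users}")
        del self.objects[group][name]
        self.commands.append(f":ipsec {group} delete name={name}")

    def list(self, group: str) -> List[str]:
        return sorted(self.objects[group])


def build_reference_config() -> IpsecConfig:
    """Walks the guide's seven steps for one site-to-site connection.
    Names, addresses and the pre-shared key are constructed for the example."""
    c = IpsecConfig()
    c.add("peer auth", "secret1", type="preshared", secret="example-psk-change-me")
    c.add("peer descriptor", "AES_SHA1", crypto="AES", keylen=256,
          integ="SHA1", lifetime_secs=3600)
    c.add("peer", "peer1", remoteaddr="200.200.0.1", exchmode="main",
          localid="100.100.0.1", remoteid="200.200.0.1",
          descr="AES_SHA1", auth="secret1")
    c.add("connection descriptor", "cnctdes1", crypto="AES", keylen=256,
          integ="SHA1", pfs="enabled")
    c.add("connection network", "net1", type="subnet", ip="10.0.0.0/24")
    c.add("connection network", "net2", type="subnet", ip="10.1.0.0/24")
    c.add("connection", "connect1", peer="peer1", localnetwork="net1",
          remotenetwork="net2", descr="cnctdes1")
    return c
```

Deleting connect1 first and peer1 second succeeds; deleting peer1 while connect1 exists raises, which is the behaviour a script driving the real CLI should expect.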
4.2 Peer: Authentication Attribute
What is ...: Two main methods for user authentication are supported in the SpeedTouch™: pre-shared key and certificates. The user authentication parameters used for IKE negotiations are bundled in a descriptor with a symbolic name. This is called the Authentication Attribute. For pre-shared key authentication, this attribute holds the pre-shared key.
4.2.1 Authentication Attribute Parameters
Parameter table: The authentication attribute is a named descriptor, bundling the authentication parameters. The following data need to be provided:
Parameter | Possible values | Description
name | Arbitrary. Syntax rules, see CLI Reference Guide | The symbolic name by which the authentication attribute is referred to.
 | preshared | Pre-shared key authentication method is used.
4.2.2 List all Authentication Attributes
list command: The ipsec peer auth list command shows all previously created authentication attributes.
Example: In this example, four attributes are shown:
cert1: completely defined authentication attribute using certificates
secret2: created, but not yet completely configured
secret1: completely defined authentication attribute using a pre-shared key.
4.2.3 Create a New Authentication Attribute
add command: The ipsec peer auth add command allows adding a new authentication attribute.
Example: In the following example, a new authentication attribute is created, named secret1:
[ipsec]=>
[ipsec]=>peer
[ipsec peer]=>auth
[ipsec peer auth]=>add
name = secret1
:IPSec peer auth add name=secret1
[ipsec peer auth]=>
The result of this operation can be verified with the list command.
4.2.4 Set or Modify the Authentication Attribute Parameters
modify command: The ipsec peer auth modify command allows you to modify the authentication attribute parameters.
Example: In this example, the parameters of the authentication attribute are set to use the pre-shared key authentication method. The secret entered by the user is not shown in readable format on the screen; an encrypted version is shown instead.
4.2.5 Delete an Authentication Attribute
delete command: The ipsec peer auth delete command deletes a previously created authentication attribute.
Example: In the following example the authentication attribute named secret2 is deleted:
[ipsec peer auth]=>
[ipsec peer auth]=>delete
name = secret2
:ipsec peer auth delete name=secret2
[ipsec peer auth]=>
The result of this operation can be verified with the list command, which now shows only cert1 and secret1.
4.3 Peer Security Descriptor
What is ...: All security parameters required to establish an IKE session are grouped into a string called a Peer Security Descriptor. This descriptor contains the methods for message authentication, encryption and hashing, and the lifetime of the Security Association. The Peer Security Descriptor parameters are explained in section 4.3.1.
4.3.1 Peer Security Descriptor Parameters
Parameter table: The following table summarizes the parameters comprised in the peer security descriptor. The table also indicates the keyword used in the CLI for each parameter:
Parameter | Keyword | Description
Cryptographic function | crypto | Cryptographic function used for encrypting the IKE messages
Key length | keylen | Length of the cryptographic key.
Example
Cryptographic function [crypto], Key length [keylen]: The table below shows the encryption algorithms supported by the SpeedTouch™ along with their corresponding key sizes:
Algorithm | Valid key sizes (bits) | Popular sizes | Default size
DES | 56 | 56 | 56
3DES | 168 | 168 | 168
AES | 128, 192, 256 | 128, 192, 256 | -
DES is relatively slow and is the weakest of the algorithms. It is still widely implemented, but its 56-bit key can be recovered by brute force, so avoid it unless the remote gateway supports nothing stronger.
IKE SA lifetime [lifetime_secs]
4.3.2 List all Peer Security Descriptors
list command: The ipsec peer descriptor list command shows the list of all defined peer security descriptors.
Example
4.3.3 Create a New Peer Security Descriptor
add command: A new Peer Security Descriptor is created with the ipsec peer descriptor add command.
4.3.4 Set or Modify the Peer Descriptor Parameters
modify command: The ipsec peer descriptor modify command sets or modifies the Peer Security Descriptor parameters.
Example
4.3.5 Delete a Peer Descriptor
delete command: The ipsec peer descriptor delete command deletes a Peer Security Descriptor.
Example
4.4 Peer
What is ...: The Peer is a term that refers to the remote Security Gateway the IPSec secure tunnel(s) will be connected to. In a first phase, an IKE Security Association is negotiated between the SpeedTouch™ and a remote Security Gateway (peer). This IKE SA serves as a signalling channel for subsequent tunnel negotiations.
4.4.1 Peer parameters
Parameters table: The following table shows the peer parameters:
Parameter | Keyword | Description
Peer name | name | Mandatory. Identifies the peer entity.
Remote peer address | remoteaddr | Mandatory. The public IP address or host name of the remote Security Gateway.
Backup remote peer address | backupaddr | Optional. The public IP address or host name of a backup remote Security Gateway.
Remote Security Gateway identifier [remoteaddr]: This parameter localizes the remote Security Gateway on the Internet. Either the public IP address or the Fully Qualified Domain Name can be used as an identifier.
Backup remote Security Gateway identifier [backupaddr]: When a redundant remote Security Gateway is available, its public IP address or host name can be specified here. In a basic IPSec configuration, this parameter is left unset.
Remote Identifier [remoteid]: This parameter identifies the remote Security Gateway during the Phase 1 negotiation. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch™ are listed in the following table.
Identity type | Keyword | Examples
IP address | addr | 10.0.0.1, 0.0.0.
Physical Interface [phyif]: You can tie the peer to one of your SpeedTouch™ interfaces. This interface is then used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet. On the DSL line, various logical connections can be defined, possibly using different protocol stacks (IPoA, PPPoE, PPPoA, …). The peer entity has to be tied to the correct IP connection.
4.4.2 List all peer entities
list command: The ipsec peer list command shows the list of all defined peer entities.
Example: In the following example, a list of all defined peer entities is shown.
[ipsec]=>
[ipsec]=>peer
[ipsec peer]=>list
[peer1]
Remote Address : 200.200.0.
Backup Remote Address:
Physical IF :
Exchange Mode :
Local Identifier :
Remote Identifier :
Descriptors :
Authentication :
Client/Server :
Options :
4.4.3 Create a new peer entity
add command: A new Peer is created with the ipsec peer add command.
Example: In the following example, a new peer is created, named peer1:
=>IPSec
[ipsec]=>peer
[ipsec peer]=>add
name = peer1
:IPSec peer add name=peer1
[ipsec peer]=>
The result of this operation can be verified with the list command.
4.4.4 Set or modify the peer parameters
modify command: The ipsec peer modify command sets or modifies the peer parameters.
Example: In this example, the parameters of the previously defined peer, named peer1, are set:
[ipsec peer]=>
[ipsec peer]=>modify
name = peer1
[remoteaddr] = 200.200.0.1
[backupaddr] =
[exchmode] = main
[localid] = 100.100.0.1
[remoteid] = 200.200.0.
4.4.5 Delete a Peer entity
delete command: The ipsec peer delete command deletes a peer entity.
Example: In this example the peer named peer1 is deleted:
[ipsec peer]=>
[ipsec peer]=>delete
name = peer1
:IPSec peer delete name=peer1
[ipsec peer]=>
The result of this operation is verified with the list command:
[ipsec peer]=>list
[ipsec peer]=>
If a peer is currently referred to by a Phase 2 connection, it cannot be deleted.
4.5 Connection Security Descriptor
What is ...: All security parameters required to establish an IPSec tunnel are grouped into a string called a Connection Security Descriptor. This descriptor contains the following parameters:
- Encryption method
- Message integrity method (also called message authentication)
- Selection to use Perfect Forward Secrecy, or not
- Lifetime of the Security Association
- Encapsulation method
4.5.1 Connection Security Descriptor parameters
Parameters table: The following table summarizes the parameters comprised in the connection security descriptor. The table also indicates the keyword used in the CLI for each parameter:
Parameter | Keyword | Description
Connection Descriptor name | name | Symbolic name to identify the Descriptor.
Example
Connection Descriptor name [name]
Cryptographic function [crypto], Key length [keylen]: The table below shows the cryptographic functions supported by the SpeedTouch™ along with their corresponding key sizes:
Algorithm | Valid key sizes (bits) | Popular sizes | Default size
DES | 56 | 56 | 56
3DES | 168 | 168 | 168
AES | 128, 192, 256 | 128, 192, 256 | -
NULL | - | - | -
DES is relatively slow and is the weakest of the algorithms. It is still widely implemented, but its 56-bit key can be recovered by brute force, so avoid it unless the remote gateway supports nothing stronger. NULL provides no confidentiality at all (ESP then only authenticates the traffic) and belongs in a production descriptor only when encryption is deliberately not wanted.
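The algorithm and key-size rules in this table, in the peer descriptor table of section 4.3.1 and in the Web page sections 3.5.3 and 3.5.10 are easy to get wrong by hand (a key length that the cipher does not support, NULL in a Phase 1 descriptor, AES without an explicit size). The following added example, written for this edit rather than taken from the guide, is a Python checker that encodes those rules and additionally flags the choices a security review would question: DES, HMAC-MD5, NULL encryption and PFS disabled. Class, function and field names are this example's own, not SpeedTouch CLI keywords.

```python
# Added example (not from the SpeedTouch guide): a checker for Peer (IKE) and
# Connection (IPSec) Security Descriptors that encodes the guide's algorithm /
# key-length table and flags weak-but-valid choices. Names are this example's own.
from dataclasses import dataclass, field
from typing import List, Optional

# Valid key lengths (bits) per algorithm, as in the guide's tables.
# NULL (no encryption) exists only for Connection (ESP) descriptors.
KEY_LENGTHS = {
    "DES": {56},
    "3DES": {168},
    "AES": {128, 192, 256},
    "NULL": {0},
}
INTEGRITY = {"MD5", "SHA1"}   # always used as HMAC-MD5 / HMAC-SHA1


@dataclass
class Descriptor:
    kind: str                    # "peer" (Phase 1) or "connection" (Phase 2)
    crypto: str
    keylen: Optional[int] = None
    integrity: str = "SHA1"
    lifetime_secs: int = 3600
    pfs: Optional[bool] = None   # only meaningful for connection descriptors
    encapsulation: str = "tunnel"


@dataclass
class Verdict:
    errors: List[str] = field(default_factory=list)     # descriptor is invalid
    warnings: List[str] = field(default_factory=list)   # valid but weak

    @property
    def ok(self) -> bool:
        return not self.errors


def check_descriptor(d: Descriptor) -> Verdict:
    v = Verdict()
    crypto = d.crypto.upper()
    if crypto not in KEY_LENGTHS:
        v.errors.append(f"unknown crypto {d.crypto!r}")
        return v
    if crypto == "NULL" and d.kind != "connection":
        v.errors.append("NULL encryption is only available for connection descriptors")
    # Default key length: the guide gives a fixed size for DES/3DES and none for AES.
    keylen = d.keylen
    if keylen is None:
        if crypto == "AES":
            v.errors.append("AES requires an explicit keylen (128, 192 or 256)")
        else:
            keylen = next(iter(KEY_LENGTHS[crypto]))
    elif keylen not in KEY_LENGTHS[crypto]:
        v.errors.append(f"keylen {keylen} is not valid for {crypto}")
    if d.integrity.upper() not in INTEGRITY:
        v.errors.append(f"integrity must be one of {sorted(INTEGRITY)}")
    if d.encapsulation not in ("tunnel", "transport"):
        v.errors.append("encapsulation must be tunnel or transport")
    if d.lifetime_secs <= 0:
        v.errors.append("lifetime_secs must be positive")
    # Security review of otherwise valid settings.
    if crypto == "DES":
        v.warnings.append("DES (56-bit) is the weakest supported cipher; prefer AES")
    if crypto == "NULL":
        v.warnings.append("NULL encryption gives integrity only, no confidentiality")
    if d.integrity.upper() == "MD5":
        v.warnings.append("HMAC-MD5 is weaker than HMAC-SHA1")
    if d.kind == "connection" and d.pfs is False:
        v.warnings.append("PFS disabled: Phase 2 keys derive from the IKE SA secret")
    return v
```

A descriptor with errors would be rejected by the router or never match the remote gateway; one with only warnings negotiates fine, which is exactly why a pre-deployment check is worth running.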
Perfect Forward Secrecy [pfs]: Enables or disables the use of Perfect Forward Secrecy. Many vendors have Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. In order to configure this on the SpeedTouch™, the use of PFS must be enabled in the Connection Security Descriptor. PFS provides better security, but increases the key calculation overhead: each Phase 2 negotiation performs a fresh Diffie-Hellman exchange instead of deriving keys from the IKE SA secret. With PFS enabled, the independence of Phase 2 keying material is guaranteed, so compromise of one SA's keys does not expose the others.
4.5.2 List all Connection Security Descriptors
list command: The ipsec connection descriptor list command shows the list of all defined Connection Security Descriptors.
Example
4.5.3 Create a new Connection Security Descriptor
add command: A new Connection Security Descriptor is created with the ipsec connection descriptor add command.
4.5.4 Set the Connection Security Descriptor Parameters
modify command: The ipsec connection descriptor modify command sets or modifies the connection descriptor parameters. The Descriptors must match at both tunnel ends in order to have a successful outcome of the Phase 2 negotiation.
4.5.5 Delete a Connection Security Descriptor
delete command: The ipsec connection descriptor delete command deletes a Connection Descriptor.
Example: In this example the user-defined Connection Security Descriptor named cnctdes1 is deleted:
[ipsec connection descriptor]=>delete
name = cnctdes1
:ipsec connection descriptor delete name=cnctdes1
[ipsec connection descriptor]=>
The result of this operation is verified with the list command.
4.6 Network Descriptor
What is ...: The concept of Network Descriptors is introduced for the first time in the SpeedTouch™ R5.3.0. Not only the classical idea of an IP network or subnet is comprised in this concept, but also the protocol and port number of the messages can be specified, such that access to the VPN can be restricted to certain hosts, protocols and port numbers.
4.6.1 Network Descriptor Parameters
Parameters table: The following table summarizes the parameters comprised in the Network Descriptor:
Parameter | Keyword | Description
Network name | name | Mandatory. Symbolic name to identify the network.
Type | type | Mandatory. A network can either be: a single IP address, an IP subnet, or an IP address range.
IP address | ip | Mandatory. The IP address of the network.
Protocol | proto | Optional.
Protocol [proto]: Access to an IPSec connection can be restricted to specific protocols. This can optionally be configured with the proto parameter. Valid entries are listed in the following table.
Protocol: ah, egp, esp, ggp, gre, hmp, icmp, igmp, pup, rdp, rsvp, tcp, udp, vines, xns-idp, 6to4
Alternatively, any valid protocol number as assigned by IANA can be entered for the protocol parameter.
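A Network Descriptor is, in effect, a traffic selector: a packet enters the tunnel only if its address, protocol and (for TCP/UDP) port all fall inside what the descriptor allows, and a connection restricted to one protocol carries nothing else, which is why section 3.5.9 tells you to define a separate connection per protocol. The following added example, written for this edit and not part of the guide, implements that selector check in Python for the three descriptor types (single address, subnet, range) with the optional protocol and port restriction. The protocol keywords are the ones in the table above, mapped to their IANA protocol numbers; the range notation "low-high", the port field and all class and function names are this example's own assumptions.

```python
# Added example (not from the guide): a matcher that applies Network Descriptor
# rules (address / subnet / range, optional protocol and port) to a packet's
# selector fields, the way an IPSec policy decides what belongs in the tunnel.
# Names and the "low-high" range syntax are this example's own; protocol
# keywords come from the guide's table, numbers are the IANA assignments.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

PROTO_NUMBERS = {
    "icmp": 1, "igmp": 2, "ggp": 3, "tcp": 6, "egp": 8, "pup": 12, "udp": 17,
    "hmp": 20, "xns-idp": 22, "rdp": 27, "6to4": 41, "rsvp": 46, "gre": 47,
    "esp": 50, "ah": 51, "vines": 83,
}


def proto_number(proto: Union[str, int, None]) -> Optional[int]:
    """Accepts a keyword from the table, an IANA number (0-255), or 'any'/None."""
    if proto is None or proto == "any":
        return None
    if isinstance(proto, int) or str(proto).isdigit():
        n = int(proto)
        if not 0 <= n <= 255:
            raise ValueError(f"protocol number {n} out of range")
        return n
    try:
        return PROTO_NUMBERS[str(proto).lower()]
    except KeyError:
        raise ValueError(f"unknown protocol keyword {proto!r}") from None


@dataclass(frozen=True)
class NetworkDescriptor:
    name: str
    type: str                     # "address", "subnet" or "range"
    ip: str                       # "10.0.0.5", "10.0.0.0/24" or "10.0.0.10-10.0.0.20"
    proto: Union[str, int, None] = None   # None/"any" = no protocol restriction
    port: Optional[int] = None    # only meaningful together with tcp or udp

    def __post_init__(self) -> None:
        if self.type not in ("address", "subnet", "range"):
            raise ValueError(f"bad type {self.type!r}")
        number = proto_number(self.proto)   # validates the keyword/number early
        if self.port is not None and number not in (6, 17):
            raise ValueError("a port restriction requires proto tcp or udp")

    def contains_host(self, host: str) -> bool:
        h = ipaddress.ip_address(host)
        if self.type == "address":
            return h == ipaddress.ip_address(self.ip)
        if self.type == "subnet":
            return h in ipaddress.ip_network(self.ip, strict=False)
        lo, hi = (ipaddress.ip_address(p.strip()) for p in self.ip.split("-"))
        return lo <= h <= hi

    def matches(self, host: str, proto: Union[str, int, None] = None,
                port: Optional[int] = None) -> bool:
        """True if a packet with these selector values is covered by this descriptor."""
        if not self.contains_host(host):
            return False
        want = proto_number(self.proto)
        if want is not None and proto_number(proto) != want:
            return False
        if self.port is not None and port != self.port:
            return False
        return True
```

Note that a descriptor without a protocol restriction matches any protocol, while one restricted to tcp port 443 rejects the same host's UDP traffic and its other TCP ports; that traffic needs its own connection (and its own tunnel) if it must be protected too.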
4.6.2 Create a New Network Descriptor
add command: A new Network Descriptor is created with the ipsec connection network add command.
4.6.3 Set the Network Descriptor Parameters
modify command: The ipsec connection network modify command sets or modifies the Network Descriptor parameters.
Example: In this example, the parameters of the previously defined network, named net1, are set:
[ipsec connection network]=>
[ipsec connection network]=>modify
name = net1
[type] = address
subnet
[type] = subnet
[ip] = 10.0.0.
4.6.4 Delete a Network Descriptor
delete command: The ipsec connection network delete command deletes a Network Descriptor.
Example: In this example the Network Descriptor named net1 is deleted:
[ipsec connection network]=>delete
name = net1
:IPSec connection network delete name=net1
[ipsec connection network]=>
The result of this operation is verified with the list command.
4.7 Connection
What is ...: A Connection bundles all the parameters required for the Phase 2 SA negotiation:
- Peer reference, pointing to the peer configuration to be used. In fact, this refers to the IKE channel used for the Phase 2 negotiations.
- Local/remote range: the range of private IP addresses to which the IPSec policy applies, either a reference to Network Descriptors or expressed by a dynamic policy.
4.7.1 Connection Parameters
Parameters table: The table below shows the connection parameters.
Parameter | Keyword | Description
Connection name | name | Mandatory. Symbolic name for the connection, used internally in the SpeedTouch™.
Peer | peer | Mandatory. Symbolic name of the peer entity to which the IPSec connection is set up.
Local network | localnetwork | Mandatory.
Local network [localnetwork]: This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which traffic has access to the IPSec connection at the local side of the tunnel. This is the basic parameter for the dynamic IPSec policy capabilities of the SpeedTouch™. As an outcome of the Phase 2 negotiations, a static IPSec policy is derived.
Always-on connection [alwayson]: This parameter determines whether the connection is permanently enabled or not. By default this parameter is set to disabled. In this case the IPSec connection is started only when traffic is sent that complies with the IPSec policy, or if the connection is started manually. When enabled, the connection is started as soon as the SpeedTouch™ is operational.
4.7.2 List all Connections
list command: The ipsec connection list command shows the list of all defined connections.
Example: In the following example, a list of all defined connections is shown.
4.7.3 Create a New Connection
add command: A new Connection is created with the ipsec connection add command.
Example: In the following example, a new connection is created, named connect1:
[ipsec]=>connection
[ipsec connection]=>add
name = connect1
:IPSec connection add name=connect1
[ipsec connection]=>
The result of this operation can be verified with the list command.
4.7.4 Set or Modify the Connection Parameters
modify command: The ipsec connection modify command sets or modifies the Connection parameters.
Example
4.7.5 Delete a Connection
delete command: The ipsec connection delete command deletes a Connection.
Example: In this example the connection named connect1 is deleted:
[ipsec connection]=>delete
name = connect1
:ipsec connection delete name=connect1
[ipsec connection]=>
The result of this operation is verified with the list command:
[ipsec connection]=>list
[ipsec connection]=>
4.7.6 Start a Connection
start command: The ipsec connection start command triggers the establishment of a Security Association. If no IKE Security Association between the SpeedTouch™ and the remote Security Gateway exists, the Phase 1 negotiation is started, followed by the Phase 2 negotiation. If an IKE SA already exists, the Phase 2 tunnel negotiation is started immediately.
Example
4.7.7 Stop a connection
stop command: The ipsec connection stop command tears down the designated Security Association. The IKE Security Association is not stopped with this command. For clearing both the Phase 1 and Phase 2 SAs, issue the “:IPSec clear session” command.
4.8 Auxiliary Commands
In this section: The following topics are discussed in this section:
Topic | Page
4.8.1 Config Command | 152
4.8.2 Flush Command | 155
4.8.
4.8.1 Config Command
What is it used for: This command serves two different purposes. Without additional parameter, the command displays the current VPN settings. When an additional parameter is appended, the command controls the setting of this VPN parameter.
Display the VPN configuration settings: Used without additional parameters, the command displays the VPN status and the general behaviour of the SpeedTouch™ as a VPN network node.
AutoProxyARP: The automatic addition of ProxyARP entries in VPN client/server scenarios can be enabled or disabled. By default this setting is enabled. When disabled, the ProxyARP entries have to be entered manually.
When do I need ProxyARP: In a VPN scenario, you need ProxyARP at both sides when the local and remote private network address ranges are overlapping.
An example of Auto ProxyARP: As an example, suppose a VPN server is configured on a SpeedTouch™ with the subnet 192.168.1.0 as its private LAN address range. The VPN server is configured to distribute Virtual IP addresses to the remote clients in the same range (Virtual IP range = 192.168.1.[64-74]). In this case, a ProxyARP entry is automatically added to the ARP table of the SpeedTouch™ as soon as a VPN connection with a VPN client is established.
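When AutoProxyARP is disabled, or when you need to verify what it added, the question is which virtual addresses fall inside the server's own LAN subnet, because those are the ones LAN hosts will ARP for and the router must answer on the clients' behalf. The following added example, written for this edit and not part of the guide, computes that set in Python from the LAN prefix and a Virtual IP range written in the guide's "192.168.1.[64-74]" notation; an empty result means the ranges do not overlap and no ProxyARP entry is needed. Function names are this example's own.

```python
# Added example (not SpeedTouch code): derive the ProxyARP entries a VPN server
# needs from its LAN subnet and the Virtual IP range handed to clients, using
# the guide's rule that entries are required where the two ranges overlap.
import ipaddress
import re
from typing import List

# The guide writes a virtual IP range as "a.b.c.[low-high]".
_RANGE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")


def expand_virtual_range(spec: str) -> List[ipaddress.IPv4Address]:
    """'192.168.1.[64-74]' -> the 11 addresses 192.168.1.64 .. 192.168.1.74."""
    m = _RANGE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised virtual IP range {spec!r}")
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    if not 0 <= lo <= hi <= 255:
        raise ValueError("range bounds must satisfy 0 <= low <= high <= 255")
    return [ipaddress.IPv4Address(f"{prefix}.{i}") for i in range(lo, hi + 1)]


def proxy_arp_entries(lan: str, virtual_range: str) -> List[str]:
    """Virtual client addresses that lie inside the server's LAN subnet, i.e.
    the addresses the server must answer ARP requests for on its LAN interface.
    An empty list means the ranges do not overlap and ProxyARP is not needed."""
    subnet = ipaddress.ip_network(lan, strict=False)
    return [str(a) for a in expand_virtual_range(virtual_range) if a in subnet]
```

With the guide's example (LAN 192.168.1.0/24, virtual range 192.168.1.[64-74]) all eleven virtual addresses need an entry; a virtual range taken from a different private network yields none, and clients are then reached through ordinary routing instead.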
4.8.2 Flush Command
What is it used for: This command flushes the complete IPSec configuration.
4.8.3 Clear Command Group
What is it used for: This command group comprises two commands, intended for clearing Security Associations: clear all and clear session. The clear command group is accessed in the following way:
=>
=>ipsec
[ipsec]=>clear
[ipsec clear]=>
clear all: This command clears all active Phase 1 and Phase 2 Security Associations for all defined peers. The command has no associated parameters.
4.9 Organisation of the IPSec Command Group

Introduction
In this section an overview is given of the IPSec Command Group structure. Underlined keywords represent a command group. Other keywords are commands.

ipsec command group
The ipsec command group comprises five main command groups and two commands, as shown in the following tables. The table shows cross-references to the structure tables of the individual command groups.

Clear command group
Connection command group
The following table shows the commands of the ipsec connection command group.

    ipsec connection command group
      advanced     add, modify, delete, list
      descriptor   add, modify, delete, list
      dialup       connect, disconnect
      network      add, modify, delete, list
      option       add, modify, delete, list
      (commands)   add, modify, delete, list, start, stop

Debug command group
The following table shows the commands of the ipsec debug command group.
Peer command group
The following table shows the commands of the ipsec peer command group.

    ipsec peer command group
      auth         add, modify, delete, list
      descriptor   add, modify, delete, list
      option       add, modify, delete, list
      subpeer      add, modify, delete, list
      vpnclient    add, modify, delete, list
      vpnserver    xauthpool: add, delete, modify, adduser, moduser, deluser, listpool, list
                   add, modify, delete, list
      (commands)   add, modify, delete, list

Show command group
The following table shows the commands of the ipsec show command group.

    ipsec show command group
      all, config, state, sessions, stats, spd, sadb
Chapter 5 Troubleshooting SpeedTouch™ IPSec

Introduction
IPSec is a complex protocol suite and therefore the SpeedTouch™ offers a number of troubleshooting methods. Both the Web pages and the CLI interface allow you to check whether a tunnel setup was successful or has failed. Via the CLI you can check the Syslog messages showing you the history of tunnel negotiation. Each Syslog message has a timestamp attached.
5.1 Via the Debug Web pages

How to see the status of the VPN connection
Browse to Expert mode > VPN > Debug > Status. This page shows the status of the IKE Security Association (Phase 1) and the IPSec Security Association(s) (Phase 2). For an operational VPN connection, both an IKE Security Association and an IPSec Security Association should be active.
How to monitor the IPSec negotiations
Proceed as follows:
1 Browse to Expert mode > VPN > Debug > Logging.
2 Select the desired level of Trace Detail. Select high to see the most detailed level of logging.
3 Start the VPN connection.
4 Browse again to Expert mode > VPN > Debug > Logging.
On the Logging page you can monitor the received and transmitted messages of the IKE and IPSec negotiations.
How to see the amount of traffic carried by a VPN connection
Browse to Expert mode > VPN > Debug > Statistics. This page shows the amount of traffic carried over the IKE Security Association (Phase 1) and the IPSec Security Association(s) (Phase 2).
5.2 Via the CLI: Show command group

Show command group
You can check whether the secure tunnels are up:

    :IPSec show sadb

You can check whether traffic is passing the tunnel and keep track of the number of packets and bytes.
5.3 Via the CLI: Debug command group

Traceconfig command
The traceconfig command sets the level of debugging messages that are dumped to the screen. This is shown below:

    [ipsec debug]=>traceconfig
    level none low medium high
    [ipsec debug]=>traceconfig level medium
    [ipsec debug]=>

Once tracing is activated, you can check the Phase 1 and Phase 2 specific information being exchanged during tunnel setup via the following command: Press .
Via Syslog messages
The Syslog protocol is a powerful mechanism to investigate network issues. It allows for logging events that occurred on the device. The Syslog messages can be retrieved in two ways:

locally
Use this CLI command to retrieve the history of Syslog messages:

    :syslog msgbuf show

IPSec related syslog messages are disabled by default.
Syslog messages
The following table shows the syslog messages.
5.4 Via SNMP

Debugging via SNMP

    [Figure: SpeedTouch 620 (IF MIB, ADSL MIB, IPSec MIB, ...) exchanging SNMP messages with an SNMP Manager]

On the SpeedTouch™, several SNMP MIBs are available that allow you to retrieve configuration and counter information. A MIB (Management Information Base) can be considered as a representation of a group of parameters. A large number of MIB values can be retrieved remotely (e.g. traffic counters, number of SAs, the Phase 1 and 2 parameters, …).
5.5 Pinging from the SpeedTouch™ to the remote private network

Ping command
In order to verify that an IPSec tunnel is active, you can use the :ip debug ping CLI command of the SpeedTouch™. With this command you are able to send ping messages from the SpeedTouch™ to an IP address in the remote private network. The transmission through an IPSec tunnel of messages originating from the SpeedTouch™ requires some adaptations to the SpeedTouch™ routing table.
Chapter 6 Advanced Features

In this section
The following topics are described in this section:

    Topic                                            Page
    6.1  IPSec and the Stateful Inspection Firewall  174
    6.3  Extended Authentication (XAuth)             176
    6.4  VPN Client                                  177
    6.5  VPN Server                                  182
    6.6  XAuth Users Pool                            188
    6.7  The Default Peer Concept                    198
    6.8  One Peer - Multiple Connections             200
    6.9  Peer Options                                201
    6.10 Connection Options                          207
    6.
6.1 IPSec and the Stateful Inspection Firewall

What about ...
The SpeedTouch™ has a built-in firewall which is completely configurable by the user. A number of preset firewall levels are defined that allow an easy configuration according to your security policy. In most cases, one of these preset levels will fulfill your requirements. All these preset firewall levels allow the IPSec communication to pass.
6.2 Surfing through the VPN tunnel

Web Browsing Interception and surfing through a tunnel
One of the SpeedTouch™ features for easy Internet access is the so-called Web Browsing Interception, also referred to as Differentiated Services Detection (DSD). This feature monitors your HTTP traffic and alerts you when you want to browse to a location that is not reachable due to the fact that the connection to your Service Provider is not active.
6.3 Extended Authentication (XAuth)

What is ...
Extended Authentication, commonly referred to as the XAuth protocol, allows for performing extra user authentication. A typical practical example is the mixed use of IKE tunnel negotiation using a preshared key as authentication method and, on top of that, doing Extended Authentication. The VPN client functionality built into the SpeedTouch™ supports the (optional) use of XAuth. It acts as an XAuth client.
6.4 VPN Client

Introduction
The SpeedTouch™ can be configured as a VPN client. In this function, it supports the IKE Mode Config protocol to receive configuration parameters from the remote VPN server. Optionally, you can enable the use of the Extended Authentication protocol as an additional level of security.
6.4.1 VPN Client parameters

Parameters table
The following table shows the VPN Client parameters.

    VPN Client parameters
    Parameter         Keyword     Description
    VPN client name   name        Mandatory. Symbolic name for the VPN server, used internally in the SpeedTouch™.
    XAuth user name   xauthuser   Optional. This parameter defines the XAuth user name of the VPN client. Entering a user name and password enables XAuth.
    XAuth password    xauthpass   Optional.
6.4.2 Create a new vpnclient

add command
A new vpnclient is created with the ipsec peer vpnclient add command.

Example
In the following example, a new vpnclient entity is created, named client1:

    [ipsec]=>
    [ipsec]=>peer
    [ipsec peer]=>vpnclient
    [ipsec peer vpnclient]=>add
    name = client1
    :ipsec peer vpnclient add name=client1
    [ipsec peer vpnclient]=>

The result of this operation can be verified with the list command.
6.4.3 Set or modify the vpnclient parameters

modify command
The ipsec peer vpnclient modify command sets or modifies the vpnclient entity parameters.

Example
In this example, the parameters of the previously defined vpnclient entity, named client1, are set:

    [ipsec peer vpnclient]=>modify
    name = client1
    [xauthuser] = user1
    [xauthpass] = *****
    Please retype xauthpass for verification.
6.4.4 Attach the vpnclient entity to the peer entity

modify the peer parameters
The :ipsec peer modify name=peer1 client/server=client1 command attaches the previously defined vpnclient entity to the corresponding peer.

Example
In this example client1 is attached to peer1:

    [ipsec peer]=>modify
    name = peer1
    [remoteaddr] = 20.50.10.2
    [backupaddr] =
    [exchmode] = main
    [localid] = (addr)20.60.10.2
    [remoteid] = (addr)20.50.10.
6.5 VPN Server

Introduction
In the previous section the SpeedTouch™ was used as a VPN client. The SpeedTouch™ can be used equally well as a VPN server. In this function, it can be configured with an XAuth user pool, to serve remote clients. In this section the VPN server commands are explained.
6.5.1 VPN Server parameters

Parameters table
The following table shows the VPN Server parameters.

    VPN Server parameters
    Parameter                      Keyword   Description
    VPN server name                name      Mandatory. Symbolic name for the VPN server, used internally in the SpeedTouch™.
    Push IP address                push_ip   Mandatory. Determines whether or not a client request for an IP address is awaited.
    VPN clients IP address range   iprange   Mandatory.

Connection name [name]
Push IP address [push_ip]
The VPN server will always provide an IP address to the remote VPN client. VPN clients can behave in two different ways. Either:
- the VPN client requests an IP address. Then the VPN server responds to this request, and provides a suitable IP address.
Or:
- the VPN client does not issue a request for an IP address. In this case, the VPN server pushes an IP address to the VPN client. The client acknowledges the receipt of the IP address.
6.5.2 Create a new VPN server

add command
A new VPN server is created with the ipsec peer vpnserver add command.

Example
In the following example, a new vpnserver entity is created, named serv1:

    [ipsec]=>
    [ipsec]=>peer
    [ipsec peer]=>vpnserver
    [ipsec peer vpnserver]=>add
    name = serv1
    :ipsec peer vpnserver add name=serv1
    [ipsec peer vpnserver]=>

The result of this operation can be verified with the list command.
6.5.3 Set or modify the vpnserver parameters

modify command
The ipsec peer vpnserver modify command sets or modifies the vpnserver entity parameters.

Example
In this example, the parameters of the previously defined vpnserver entity, named serv1, are set:

    [ipsec peer vpnserver]=>modify
    name = serv1
    [push_ip] =
    disabled enabled
    [push_ip] = disabled
    [iprange] = 10.60.11.0/24
    [netmask] = 255.255.255.0
    [primdns] = 10.60.11.200
    [secdns] = 10.60.11.201
    [primwins] = 10.60.11.
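The push_ip setting decides which side opens the address exchange, and a mismatch between it and the client's behaviour is a common reason a tunnel authenticates but the client never receives an address. The following Python is an added example, not SpeedTouch code or a real IKE Mode Config implementation: it models a server built from the serv1 values above (iprange, netmask, DNS servers) and a client that either does or does not ask for an address, so the three combinations can be compared. The message names REQUEST, REPLY, SET and ACK, the choice to reserve the DNS addresses out of the pool, and the class names are this example's own.

```python
# Added example (not SpeedTouch code): a simplified model of the two ways a
# VPN server hands an address to a client, following the push_ip description
# in the guide. Message names and pool bookkeeping are this example's own
# simplification of IKE Mode Config.
import ipaddress


class VpnServer:
    def __init__(self, push_ip, iprange, netmask, primdns, secdns):
        self.push_ip = push_ip            # "enabled" or "disabled"
        self.netmask = netmask
        self.dns = [primdns, secdns]
        # Hand out host addresses from iprange, skipping the DNS servers that
        # sit inside the same range (this example's choice).
        net = ipaddress.ip_network(iprange, strict=False)
        reserved = {ipaddress.ip_address(a) for a in self.dns}
        self.free = [ip for ip in net.hosts() if ip not in reserved]
        self.leases = {}                  # client name -> address
        self.acked = set()                # clients that confirmed a pushed address

    def _attributes(self, client):
        if client not in self.leases:
            if not self.free:
                raise RuntimeError("iprange exhausted")
            self.leases[client] = self.free.pop(0)
        return {"addr": str(self.leases[client]),
                "netmask": self.netmask, "dns": list(self.dns)}

    def phase1_complete(self, client):
        """push_ip enabled: send the address without waiting for a request.
        push_ip disabled: return None and wait for the client's REQUEST."""
        if self.push_ip == "enabled":
            return {"type": "SET", **self._attributes(client)}
        return None

    def on_message(self, client, msg):
        if msg["type"] == "REQUEST":
            return {"type": "REPLY", **self._attributes(client)}
        if msg["type"] == "ACK":
            self.acked.add(client)
            return None
        raise ValueError("unexpected message " + msg["type"])


class VpnClient:
    def __init__(self, name, sends_request):
        self.name = name
        self.sends_request = sends_request   # does this client ask for an address?
        self.config = None

    def negotiate(self, server):
        """Run the exchange after Phase 1; returns the received configuration,
        or None when neither side ever offers an address (the stall case)."""
        first = server.phase1_complete(self.name)
        if first is not None:                # server pushed the address
            self.config = first
            server.on_message(self.name, {"type": "ACK"})
        elif self.sends_request:             # server is awaiting our request
            self.config = server.on_message(self.name, {"type": "REQUEST"})
        return self.config


def outcome(push_ip, client_requests):
    """Convenience wrapper using the guide's serv1 values (constructed input)."""
    server = VpnServer(push_ip, "10.60.11.0/24", "255.255.255.0",
                       "10.60.11.200", "10.60.11.201")
    client = VpnClient("client1", client_requests)
    return client.negotiate(server)


if __name__ == "__main__":
    for push, asks in (("disabled", True), ("enabled", False), ("disabled", False)):
        print(f"push_ip={push}, client requests={asks}:", outcome(push, asks))
```

The third case is the one to remember when troubleshooting: with push_ip disabled the server waits for a request that a non-requesting client will never send, so the Phase 1 SA comes up but no address is ever assigned.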
6.5.4 Attach the vpnserver entity to the peer entity

modify the peer parameters
The :ipsec peer modify name=peer1 client/server=serv1 command attaches the previously defined vpnserver entity to the corresponding peer.

Example
In this example serv1 is attached to peer1:

    [ipsec peer]=>modify
    name = peer1
    [remoteaddr] = 20.50.10.2
    [backupaddr] =
    [exchmode] = main
    [localid] = (addr)20.60.10.2
    [remoteid] = (addr)20.50.10.
6.6 XAuth Users Pool

Introduction
In the previous section the application of the SpeedTouch™ as a VPN server was described. In addition to the IPSec authentication mechanisms, the clients may support the use of the XAuth protocol. In this case, the SpeedTouch™ VPN server can serve as a database for authentication. This is done by attaching an XAuth user pool to the vpnserver entity. The XAuth user pools are populated with users.
6.6.1 XAuth Pool parameters

Parameters table
The following table shows the XAuth Pool parameters.

    XAuth Pool parameters
    Parameter         Keyword   Description
    XAuth pool name   name      Mandatory. Symbolic name for the XAuth pool, used internally in the SpeedTouch™.
    Pool type         type      Mandatory. Two pool types are defined: generic and chap.
6.6.2 Create a new XAuth pool

add command
A new XAuth pool is created with the ipsec peer vpnserver xauthpool add command.
6.6.3 Modify the xauthpool type

modify command
With the ipsec peer vpnserver xauthpool modify command it is possible to modify the pool type.

Example
6.6.4 Attach the xauthpool entity to the vpnserver entity

modify the vpnserver parameters
The :ipsec peer vpnserver modify name=serv1 xauthpool=pool1 command attaches the previously defined pool to the vpnserver, named serv1.

Example
In this example pool1 is attached to serv1:

    [ipsec peer vpnserver]=>modify
    name = serv1
    [push_ip] = disabled
    [iprange] = 10.60.11.0/24
    [netmask] = 24
    [primdns] = 10.60.11.200
    [secdns] = 10.60.11.201
    [primwins] = 10.60.11.100
    [secwins] = 10.
6.6.5 Delete an xauthpool entity

delete command
The ipsec peer vpnserver xauthpool delete command deletes an XAuth pool.

Example
In this example the pool, named pool1, is deleted:

    [ipsec peer vpnserver xauthpool]=>delete
    name = pool1
    :IPSec peer vpnserver xauthpool delete name=pool1
    [ipsec peer vpnserver xauthpool]=>

The result of this operation is verified with the list command.
6.6.6 XAuth User parameters

Parameters table
The following table shows the XAuth User parameters.

    Parameter   Keyword
    Pool name   poolname
    User name   username
    Password    password
6.6.7 Create a new XAuth user

adduser command
A new XAuth user is created with the ipsec peer vpnserver xauthpool adduser command.
6.6.8 Set or modify the password of an XAuth user

moduser command
The ipsec peer vpnserver xauthpool moduser command allows setting or modifying the XAuth user password.

Example
In this example, the password of the previously defined user, named user1, is set:

    [ipsec peer vpnserver xauthpool]=>moduser
    poolname = pool1
    username = user1
    password = *****
    Please retype password for verification.
6.6.9 Delete an xauthuser entity

delete command
The ipsec peer vpnserver xauthpool deluser command deletes an XAuth user entry from its pool.

Example
In this example the user, named user1, is deleted:

    [ipsec peer vpnserver xauthpool]=>deluser
    poolname = pool1
    username = user1
    :IPSec peer vpnserver xauthpool deluser poolname = pool1 username = user1
    [ipsec peer vpnserver xauthpool]=>

The result of this operation is verified with the list command.
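The pool type chosen in 6.6.1 determines what the server has to store for each user, which matters if the router's configuration is ever backed up or exposed. The following Python is an added example, not SpeedTouch code: a user pool with the adduser, moduser, deluser and listpool operations from sections 6.6.7 to 6.6.9, plus a verification step for each pool type. What the two types mean is this example's assumption: a generic pool checks a password the client sends, so only a salted hash is kept; a chap pool is assumed to follow RFC 1994 CHAP, whose response is MD5 over identifier, secret and challenge, which forces the server to keep the cleartext secret. Function and class names are this example's own.

```python
# Added example (not SpeedTouch code): an XAuth user pool modelled on the
# adduser / moduser / deluser / listpool commands, with the two pool types
# the guide names. Assumption: "generic" = plaintext password check (store a
# salted hash); "chap" = RFC 1994 CHAP, which needs the secret in clear.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def chap_response(ident, secret, challenge):
    """CHAP response as defined in RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class XAuthPool:
    def __init__(self, name, pool_type):
        if pool_type not in ("generic", "chap"):
            raise ValueError("pool type must be generic or chap")
        self.name = name
        self.type = pool_type
        self.users = {}            # username -> stored credential
        self.next_ident = 0

    def _store(self, password):
        if self.type == "chap":
            return {"secret": password}          # CHAP cannot work from a hash
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return {"salt": salt, "hash": digest}

    def adduser(self, username, password):
        if username in self.users:
            raise KeyError("user exists: " + username)
        self.users[username] = self._store(password)

    def moduser(self, username, password):
        if username not in self.users:
            raise KeyError("no such user: " + username)
        self.users[username] = self._store(password)

    def deluser(self, username):
        del self.users[username]

    def listpool(self):
        return sorted(self.users)

    def verify_generic(self, username, password):
        """Constant-time check of a plaintext XAuth password (generic pool)."""
        cred = self.users.get(username)
        if cred is None or self.type != "generic":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, cred["hash"])

    def chap_challenge(self):
        """Issue a fresh (identifier, random challenge) pair for a chap pool."""
        self.next_ident = (self.next_ident + 1) % 256
        return self.next_ident, os.urandom(16)

    def verify_chap(self, username, ident, challenge, response):
        """Check a client's CHAP response against the stored secret (chap pool)."""
        cred = self.users.get(username)
        if cred is None or self.type != "chap":
            return False
        expected = chap_response(ident, cred["secret"], challenge)
        return hmac.compare_digest(expected, response)


def demo():
    """Round trip with the guide's names pool1 / user1 (constructed values)."""
    pool = XAuthPool("pool1", "chap")
    pool.adduser("user1", "example-secret")
    ident, challenge = pool.chap_challenge()
    ok = pool.verify_chap("user1", ident, challenge,
                          chap_response(ident, "example-secret", challenge))
    bad = pool.verify_chap("user1", ident, challenge,
                           chap_response(ident, "wrong", challenge))
    return ok, bad, pool.listpool()
```

The verify_* methods never raise on an unknown user or on a type mismatch; they simply return False, so a caller cannot distinguish "no such user" from "bad password" by the exception path.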
6.7 The Default Peer Concept

Why the default peer concept
Consider the network configuration shown below:

    [Figure: SpeedTouch620 [1], dynamically assigned IP address (via PPP protocol), connected over a secure tunnel through a PPP server to SpeedTouch620 [2], configured as default peer (allows for any IP address)]

When the SpeedTouch™ [1] gets its IP address dynamically assigned (e.g. during PPP tunnel setup), a remote IPSec peer cannot know in advance which IP address will be assigned.
Example IPSec connection, applying the default peer concept
SpeedTouch™ [1] IPSec peer configuration:

    [ipsec peer]=>add
    name = rempeer2
    :ipsec peer add name=rempeer2
    [ipsec peer]=>modify
    name = rempeer2
    [remoteaddr] = 40.0.0.2
    [backupaddr] =
    [exchmode] = main
    [localid] =
    [remoteid] = (addr)40.0.0.2
    [phyif] = DIALUP_PPPOE
    [descr] = AES_MD5
    [auth] = secret1
    [client/server] =
    [options] =
    :ipsec peer modify name=rempeer2 remoteaddr=40.0.0.2 remoteid=(addr)40.0.0.
6.8 One Peer - Multiple Connections

Multiple tunnels
In order to set up a Phase 2 tunnel, a Phase 1 IKE tunnel is required first. Via this Phase 1 tunnel the signalling messages negotiating the Phase 2 tunnel are transferred.

    [Figure: Phase 1 (IKE) tunnel (IKE1) between SpeedTouch620 [1] and SpeedTouch620 [2], carrying Phase 2 tunnel (conn1) and Phase 2 tunnel (conn2)]

The SpeedTouch™ allows setting up several Phase 2 tunnels, all using a common Phase 1 tunnel.
6.9 Peer Options

Options list
The peer options alter the behaviour of the VPN network. Options to be applied to Peer entities are stored in named Option Lists. An Option List contains the following options:

    Option          Keyword     Description
    Local Address   localaddr   Address used as source address for tunnelled messages.
    NAT-Traversal   NAT-T       Enables or disables NAT Traversal.

Local Address
Dead Peer Detection
The SpeedTouch™ supports the Dead Peer Detection protocol. By default, the use of this protocol is enabled. This option allows disabling the use of the DPD protocol.

    Option   Possible values     Default value
    DPD      enabled, disabled   enabled

DPD Idle Period
The DPD protocol defines a worry period. This is an idle time during which no IPSec traffic is detected from the remote peer.
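The three DPD values (Idle Period, Xmits, Timeout) only make sense together, and the list output in 6.9.1 shows them at 180 s, 3 and 120 s. The following Python is an added example, not SpeedTouch code: a timer model that can be stepped through a scenario to see when probes go out and when the peer is declared dead. How the three values interact is this example's assumption, based on the DPD protocol (RFC 3706): after Idle Period with no traffic from the peer an R-U-THERE is sent; it is retransmitted, evenly spaced, up to Xmits times; and the peer is declared dead when no acknowledgement arrives within Timeout of the first probe. The event format and class names are this example's own.

```python
# Added example (not SpeedTouch code): a dead-peer-detection timer model
# driven by DPD Idle Period, DPD Xmits and DPD Timeout. The interaction of
# the three timers is this example's assumption (see RFC 3706), not a
# description of the SpeedTouch implementation.


class DpdMonitor:
    def __init__(self, enabled=True, idle_period=180, xmits=3, timeout=120, now=0):
        self.enabled = enabled
        self.idle_period = idle_period   # worry period: idle time before probing
        self.xmits = xmits               # probes per cycle
        self.timeout = timeout           # time from first probe to "dead"
        self.last_rx = now               # last IPSec traffic seen from the peer
        self.first_probe_at = None       # start of the current probe cycle
        self.last_probe_at = None
        self.sent = 0                    # probes sent in the current cycle
        self.dead = False

    def traffic_received(self, now):
        """Any IPSec traffic from the peer proves liveness and resets DPD."""
        self.last_rx = now
        self.first_probe_at = self.last_probe_at = None
        self.sent = 0

    def ack_received(self, now):
        """R-U-THERE-ACK from the peer: same effect as traffic."""
        if self.first_probe_at is not None:
            self.traffic_received(now)

    def tick(self, now):
        """Evaluate the timers at time `now`; returns the action taken."""
        if not self.enabled or self.dead:
            return "noop"
        if self.first_probe_at is None:
            if now - self.last_rx >= self.idle_period:
                self.first_probe_at = self.last_probe_at = now
                self.sent = 1
                return "R-U-THERE"
            return "idle"
        if now - self.first_probe_at >= self.timeout:
            self.dead = True                   # tear down the SAs for this peer
            return "dead"
        spacing = self.timeout / self.xmits    # spread retransmits over the timeout
        if self.sent < self.xmits and now - self.last_probe_at >= spacing:
            self.last_probe_at = now
            self.sent += 1
            return "R-U-THERE"
        return "waiting"


def simulate(events, until, **options):
    """Run the monitor one second at a time. `events` maps a time to
    'traffic' or 'ack' (constructed input). Returns the (time, action) pairs
    at which a probe was sent or the peer was declared dead."""
    mon = DpdMonitor(**options)
    log = []
    for t in range(until + 1):
        if events.get(t) == "traffic":
            mon.traffic_received(t)
        elif events.get(t) == "ack":
            mon.ack_received(t)
        action = mon.tick(t)
        if action in ("R-U-THERE", "dead"):
            log.append((t, action))
    return log


if __name__ == "__main__":
    print("silent peer:      ", simulate({}, 300))
    print("peer acks at 185: ", simulate({185: "ack"}, 365))
    print("DPD disabled:     ", simulate({}, 400, enabled=False))
```

With the listed values a peer that stops answering is declared dead 300 s after its last packet (180 s idle plus the 120 s timeout), which is the figure to keep in mind when a tunnel "takes a while" to notice that the other end has gone.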
6.9.1 List all Peer Options lists

list command
The ipsec peer options list command shows all previously created options lists.

Example
In the following example, a list of all previously created options is shown.

    =>ipsec
    [ipsec]=>peer
    [ipsec peer]=>options
    [ipsec peer options]=>list
    [opt1]
    Local address      :
    NAT-T              : enabled
    DPD                : enabled
    DPD Idle Period    : 180 s
    DPD Xmits          : 3
    DPD Timeout        : 120 s
    Inactivity timeout : 3600 s
    [ipsec peer options]=>
6.9.2 Create a Peer Options list

add command
The ipsec peer options add command allows adding a new options list.

Example
In the following example, a new options list is created, named opt1:

    [ipsec]=>
    [ipsec]=>peer
    [ipsec peer]=>options
    [ipsec peer options]=>add
    name = opt1
    :ipsec peer options add name=opt1
    [ipsec peer options]=>

The result of this operation can be verified with the list command, as shown above.
6.9.3 Set or modify the Peer Option list parameters

modify command
The ipsec peer options modify command allows you to modify the options list parameters.

Example
In the following example, the options list parameters are modified.

    [ipsec peer options]=>modify
    name = opt1
    [localaddr] = 10.0.0.
6.9.4 Delete a Peer Options list

delete command
The ipsec peer options delete command deletes a previously created options list.

Example
In the following example the options list, named opt1, is deleted.

    [ipsec peer options]=>delete
    name = opt1
    :ipsec peer options delete name=opt1
    [ipsec peer options]=>
    [ipsec peer options]=>

The result of this operation can be verified with the list command.
6.10 Connection Options

Options list
The connection options alter the behaviour of the VPN network. Options to be applied to Connections are stored in named Option Lists. An Option List contains the following options:

    Option               Keyword      Description
    IPSec routing mode   routed       Selects routed or non-routed mode.
    Virtual interface    virtual_if   Defines the Virtual Interface for a connection.

IPSec routing mode [routed]
Don’t Fragment bit [force_df]
IPSec encryption increases the packet length. When the MTU of a link is adjusted to pass the largest IP packet unfragmented, then messages encapsulated by IPSec will not pass if the Don’t Fragment bit is set. In some cases, it might be required to influence the fragmentation behaviour to remedy such problems. The SpeedTouch™ allows treating the DF bit in three different ways:
- Pass the DF bit unchanged.
- Force the DF bit to zero.
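The size growth that causes this problem is easy to quantify. The following Python is an added example, not SpeedTouch code: it computes the on-the-wire size of a packet after ESP tunnel-mode encapsulation, applies the two DF treatments listed above to decide what happens on a link of a given MTU, and derives the largest inner packet that still fits. The overhead figures assume ESP in tunnel mode with AES-CBC (16-byte IV and block) and HMAC-MD5-96 (12-byte ICV), matching the AES_MD5 descriptor used elsewhere in this guide; other algorithms change the numbers, not the logic. The policy names "pass" and "clear" and the function names are this example's own.

```python
# Added example (not SpeedTouch code): ESP tunnel-mode overhead and the
# effect of the DF bit treatment on a full-size packet. Assumes AES-CBC
# (16-byte IV, 16-byte block) and HMAC-MD5-96 (12-byte ICV), i.e. the AES_MD5
# descriptor used in the guide; IPv4 without options.
IP_HDR = 20
ESP_HDR = 8                   # SPI + sequence number


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12):
    """Wire size of an inner IP packet after ESP tunnel-mode encapsulation:
    outer IP + ESP header + IV + (payload + padding + pad length/next header) + ICV."""
    pad = (-(inner_len + 2)) % block          # pad so payload+pad+2 fills whole blocks
    return IP_HDR + ESP_HDR + iv_len + inner_len + pad + 2 + icv_len


def forward_decision(inner_len, df_set, link_mtu, df_policy="pass"):
    """df_policy 'pass' copies the inner DF bit to the outer header unchanged;
    'clear' forces it to zero. Returns what happens on the tunnel link."""
    if df_policy not in ("pass", "clear"):
        raise ValueError("unknown DF policy " + df_policy)
    if esp_tunnel_size(inner_len) <= link_mtu:
        return "forward"
    outer_df = df_set and df_policy == "pass"
    if outer_df:
        # The router may not fragment: the packet is dropped and the sender is
        # told via ICMP "fragmentation needed". A sender that never receives
        # that ICMP (filtered somewhere) sees a silent black hole.
        return "drop, ICMP fragmentation needed"
    return "fragment outer packet"


def largest_unfragmented_inner(link_mtu):
    """Largest inner packet that still fits the link MTU after encapsulation;
    a candidate MTU for hosts whose traffic goes through the tunnel."""
    n = link_mtu
    while esp_tunnel_size(n) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    print("1500-byte packet on the wire:", esp_tunnel_size(1500), "bytes")
    for policy in ("pass", "clear"):
        print(f"DF set, policy {policy}:", forward_decision(1500, True, 1500, policy))
    print("largest inner packet for a 1500 MTU link:", largest_unfragmented_inner(1500))
```

Clearing DF makes the packet pass, at the cost of fragmenting the encrypted outer packet, which the far end has to reassemble before it can verify the ICV. Lowering the inner MTU to the value largest_unfragmented_inner returns avoids both the drop and the fragmentation.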
6.10.1 List all Connection Options lists

list command
The ipsec connection options list command shows all previously created options lists.

Example
In the following example, all previously created options are listed.

    [ipsec]=>connection
    [ipsec connection]=>options
    [ipsec connection options]=>list
    [opt1]
    mode       : non routed
    Virtual IF :
    DF bit     :
    Min MTU    : 1000
    add route  : enabled
    [ipsec connection options]=>
6.10.2 Create a Connection Options list

add command
The ipsec connection options add command allows adding a new options list.

Example
In the following example, a new options list is created, named copt1:

    [ipsec]=>
    [ipsec]=>connection
    [ipsec connection]=>options
    [ipsec connection options]=>add
    name = copt1
    :ipsec connection options add name=copt1
    [ipsec connection options]=>

The result of this operation can be verified with the list command, as shown above.
6.10.3 Set or modify the Connection Option list parameters

modify command
The ipsec connection options modify command allows you to modify the options list parameters.

Example
In the following example, the options list parameters are modified.
6.10.4 Delete an Options list

delete command
The ipsec connection options delete command deletes a previously created options list.

Example
In the following example the options list, named copt1, is deleted.

    [ipsec connection options]=>delete
    name = copt1
    :ipsec connection options delete name=opt1
    [ipsec connection options]=>
    [ipsec connection options]=>
6.11 Advanced Connection

Introduction
The Advanced command group is a sub-group of the Connection command group. It allows additional connection settings in order to take full advantage of the dynamic policy capabilities of the SpeedTouch™.

Parameters table
The table below lists parameters that have enhanced functionality with respect to the basic Connection commands:

    Parameter       Keyword        Description
    Local network   localnetwork   Mandatory.
Local network [localnetwork]
Remote network [remotenetwork]
This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. This is a basic parameter for the dynamic IPSec policy capabilities of the SpeedTouch™. As an outcome of the Phase 2 negotiations, a static IPSec policy is derived.
Local match [localmatch]
This setting is relevant in responder mode only. It is optionally filled out. In a basic configuration it is left unset. When unset, the SpeedTouch™ uses its dynamic IPSec policy capabilities to complete this field. The ipsec connection advanced command group allows manual control over this parameter. The localmatch expresses the traffic policy for access to the local private network in responder mode.
Remote match [remotematch]
This setting is relevant in responder mode only. It is optionally filled out. In a basic configuration it is left unset. When unset, the SpeedTouch™ uses its dynamic IPSec policy capabilities to complete this field. The ipsec connection advanced command group allows manual control over this parameter. The remotematch expresses the traffic policy for access to a remote private network in responder mode.
Local selector [localselector]
The local selector expresses a static IPSec policy for access to the IPSec tunnel at the local end. This setting can optionally be filled out manually. In a basic configuration it is left unset. In such a case, the SpeedTouch™ uses its dynamic policy capabilities to derive a static policy as a result of the Phase 2 negotiation. A cloned connection is automatically created, with the localselector derived by the SpeedTouch™.
© THOMSON 2006. All rights reserved.
E-DOC-CTC-20051017-0169 v1.0

Need more help?
Additional help is available online at www.speedtouch.