Specifications

Technical Concepts For internal use only
A31003-H3580-M103-2-76A9, 01-2009
9-36 HiPath 3000/5000 V8 - HG 1500 V8, Administrator Documentation
hg-09.fm
SSL and VPN
Pre-shared keys
Authentication by the opposite tunnel endpoint is performed using a "pre-shared key". This
is a key you select when configuring a tunnel. In order for VPN peers communicating via
the tunnel to authenticate themselves, the same password must be used for both tunnel
endpoints.
Digital signatures
Every VPN peer is assigned a certificate. For successful authentication, the VPN peers at
both tunnel endpoints must check the digital signature of their peer against a trusted CA.
9.6.7 SSL and VPN in HG 1500
SSL is designed for secure administration, while VPN is used for secure user data transmission. The following security levels are available:
Factory Default
This is the initial setting on delivery. The HXG3 board contains no configuration data. The
board can be configured using Telnet (CLI), V.24 (CLI), and HTTP (WBM).
Insecure Mode
This is the standard operating mode without SSL and VPN. The board is configured for insecure user data traffic. All IP protocols are open and the board can be administered using Telnet (CLI), V.24 (CLI), and HTTP (WBM) in insecure mode (unencrypted). The board does not contain any security data.
SSL Enabled
This is the status after the CLI command reset secure. In this mode, the board can only
be accessed and administered using V.24 (CLI). Additional services that can be accessed
using IP are closed down. Only commands for configuring the SSL function are possible.
Other data traffic is blocked. All data administered before SSL is enabled are deleted by
this action.
Secure Administration
This is the status after the first server certificate has been generated and the SSL function has been enabled using the CLI command enable ssl. The board can now be administered using V.24 (CLI) and HTTPS (WBM). Insecure access options (such as Telnet) and protocols (such as FTP, TFTP) are blocked. An IPsec policy can be set up or edited, but it is not enabled in this mode. Insecure user data traffic is therefore still possible.
Secure Mode
This is the status after the IPsec policy has been set up and enabled. The board is in the same mode as secure administration. In addition, secure data traffic is activated in accordance with the security policy configured.
Note: If you switch an HG 1500 from insecure mode to secure mode with reset secure, then you have to re-enter the administered data manually.
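The security levels above form a small state machine: each mode exposes a fixed set of administration interfaces, reset secure wipes all administered data, and enable ssl is only meaningful once a server certificate exists. The following Python model is an added example written for this page, not Siemens code; the mode names, interface names and the two CLI commands come from the text, while the transition preconditions and the configure() helper are assumptions distilled from the prose.

```python
from dataclasses import dataclass, field

# Administration interfaces reachable in each mode, taken from the mode descriptions.
ADMIN_ACCESS = {
    "factory_default":       {"telnet", "v24", "http"},
    "insecure":              {"telnet", "v24", "http"},
    "ssl_enabled":           {"v24"},                 # only V.24 CLI after "reset secure"
    "secure_administration": {"v24", "https"},        # Telnet/HTTP/FTP/TFTP blocked
    "secure":                {"v24", "https"},
}
IPSEC_ACTIVE = {"secure"}   # user data traffic is protected only in Secure Mode


@dataclass
class HG1500:
    """Assumed model of the HG 1500 security-mode transitions."""
    mode: str = "factory_default"
    config: dict = field(default_factory=dict)  # administered data
    server_cert: bool = False
    ipsec_policy_enabled: bool = False

    def admin_allowed(self, interface: str) -> bool:
        return interface in ADMIN_ACCESS[self.mode]

    def configure(self, key: str, value: str) -> None:
        # Assumption: entering any data on a factory-default board makes it "insecure".
        self.config[key] = value
        if self.mode == "factory_default":
            self.mode = "insecure"

    def reset_secure(self) -> None:
        # "reset secure": all previously administered data are deleted, only V.24 remains.
        self.config.clear()
        self.server_cert = False
        self.ipsec_policy_enabled = False
        self.mode = "ssl_enabled"

    def generate_server_certificate(self) -> None:
        self.server_cert = True

    def enable_ssl(self) -> None:
        # "enable ssl" requires that the first server certificate has been generated.
        if self.mode != "ssl_enabled" or not self.server_cert:
            raise RuntimeError("enable ssl refused: run reset secure and create a certificate")
        self.mode = "secure_administration"

    def enable_ipsec_policy(self) -> None:
        # A policy may be edited in secure administration; enabling it gives Secure Mode.
        if self.mode != "secure_administration":
            raise RuntimeError("IPsec policy can only be enabled from secure administration")
        self.ipsec_policy_enabled = True
        self.mode = "secure"

    def user_data_protected(self) -> bool:
        return self.mode in IPSEC_ACTIVE
```

Walking a board through reset_secure(), enable_ssl() and enable_ipsec_policy() shows why the note above applies: config is empty after reset secure and must be entered again.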