Nortel Networksメーカー620の使用説明書/サービス説明書
ページ先へ移動 of 222
SpeedTouch™608WL and SpeedTouch™620 only SpeedT ouch™608(WL)/620 (Wireless) Business DSL Router IPSec Configuration Guide Power Ethernet W LA N Plug-in ISD N Internet.
.
SpeedTouch™ 608(WL)/620 IPSec Configuration Guide.
Copyright Copyright ©1999-2006 THOMSON. All rights reserved. Distribution and co pying of this do cument, use and communication o f its contents is not permitted witho ut written authorizatio n from THOMSON.
Contents E-DOC-CTC-20051 017-0169 v0.1 3 Contents About this IPSec Configur ation Guide ....................... 9 1 IPSec: Concept for secure IP connections ................. 11 1.1 IPSec Co ncepts .......... ........... .......... ........... .......
Contents E-DOC-CTC-2005 1017-0169 v0.1 4 3.3 VPN Serv er ........... .......... ........... ........... .......... ........... ........ ........... 63 3.3.1 VPN Server Page ................ ................. .............. .............. .............
Contents E-DOC-CTC-20051 017-0169 v0.1 5 4.4 Peer ... .......... ........... ........ ........... ........... .......... ........... .......... ....... 118 4.4.1 Peer parameters ....................... ................ ................. ..............
Contents E-DOC-CTC-2005 1017-0169 v0.1 6 5.3 Via the CLI: Debug command group ..... ............ ............. ........... 167 5.4 Via SNM P ........... .......... ........... .......... ........... ........... ........ ........... 170 5.5 Pinging from the S peedTouch™ to the remote private network 171 6 Advanced Features .
Contents E-DOC-CTC-20051 017-0169 v0.1 7 6.9 Peer O ptions .......... .......... ........... ........... .......... ........... .......... ..... 201 6.9.1 List all Peer Options lists .................... .............. .............. .................
Contents E-DOC-CTC-2005 1017-0169 v0.1 8.
About this IPSec Configuration Guide E-DOC-CTC-20051 017-0169 v1.0 9 About this IPSec Configuration Guide Abstract This document ex plains the IPSec fu ncti onality of the SpeedT o uch™ Release R5.4 and higher . A brief theore tical explanati on is provided where ne eded, but the main goal of this document is to b e a practical guide.
About this IPSec Configuration Guide E-DOC-CTC-2005 1017-0169 v1.0 10.
Chapter 1 IPSec: Concept for se cure IP connections E-DOC-CTC-20051 017-0169 v1.0 11 1 IPSec: Concept for secure IP connections Policies The introduction o f network security main ly involves the appl ication of traffic policies. Firstly , the polici es need to be defined, th en it should be w hether the policies are correctly applied.
Chapter 1 IPSec: Concept for secure IP connections E-DOC-CTC-2005 1017-0169 v1.0 12 1.1 IPSec Concepts Red and Black Network Followin g nomenclature wil l be used thro ughout this d ocument: The SpeedT ouch™ The IPSec capable DSL router The Red network Private or truste d side of the SpeedT ouch™.
Chapter 1 IPSec: Concept for se cure IP connections E-DOC-CTC-20051 017-0169 v1.0 13 Internet Key Exchange The Inte rnet Key Exchan ge (IKE) protocol is the negotiatio n protocol used to establish an SA by negotiating securi ty protocols and exchangin g keys.
Chapter 1 IPSec: Concept for secure IP connections E-DOC-CTC-2005 1017-0169 v1.0 14.
Chapter 2 SpeedTouch™ IP Se c terminology E-DOC-CTC-20051 017-0169 v1.0 15 2 SpeedTouch™ IPSec terminology Introduction In order to understand the IPSec config uration of the SpeedT ouch™, a number of concepts and definition s are introduced in this section.
Chapter 2 SpeedTouch™ IPSec termin ology E-DOC-CTC-2005 1017-0169 v1.0 16 2.1 Policy What is ... Security is all abou t traffic policies and these can be configured using th e IPSec policy commands. By defa ult, policy rules are au tomatically gener ated when the IPSec connection is created and the user does not need to execute extra commands.
Chapter 2 SpeedTouch™ IP Se c terminology E-DOC-CTC-20051 017-0169 v1.0 17 2.2 Security Descriptor What is ... All security parameter s required to establish a se cure tunnel are grouped into a string called Security Descr iptor or si mply descriptor .
Chapter 2 SpeedTouch™ IPSec termin ology E-DOC-CTC-2005 1017-0169 v1.0 18 2.3 Authentication Attribute What is ... T wo main methods for au thentication are suppor ted in the SpeedT ouch™: pre.
Chapter 2 SpeedTouch™ IP Se c terminology E-DOC-CTC-20051 017-0169 v1.0 19 2.4 Peer (Phase 1) What is ... The Peer is a term that refers to the re mote Security Gatewa y to which the IPSec secure tunnel(s) will be established.
Chapter 2 SpeedTouch™ IPSec termin ology E-DOC-CTC-2005 1017-0169 v1.0 20 2.5 Connection (Phase 2) What is ... Bundles all th e parameters requir ed for th e Phase 2 SA (IPSec) negotiation: Peer Reference, pointing to the pe er configuration to be used .
Chapter 2 SpeedTouch™ IP Se c terminology E-DOC-CTC-20051 017-0169 v1.0 21 2.6 Network descriptor What is ... The concept of Network Descriptors is introduced for the first time in the SpeedT ouch™ R5.
Chapter 2 SpeedTouch™ IPSec termin ology E-DOC-CTC-2005 1017-0169 v1.0 22.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 23 3 Configuration via Local Pages Prerequisites In order to use the VPN features in the SpeedT ouch™608(WL )/620, you should enable the VPN software module. T o activate this VPN module, you have to acquire the optional software ac tivation key .
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 24 In this section The following topics are discussed in this section: Topic Page 3.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 25 3.1 LAN to LAN Application Reference network A simple LAN-to-LAN network con figuration is show n here. The figure show s two LAN networks connec ted via a SpeedT ouch ™ to the public Internet.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 26 Selecting the LAN to LAN application In Expert Mode , click VPN > LAN to LAN . As a result, the following page is shown This page contains two ma in tab pages. Select o ne of the alternative pages, according to w hich VPN context best describes your situation.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 27 3.1.1 Remote Gateway Address Known Page VPN context Y ou know the location of the Remote Gatewa y in the public Internet, either by its IP address or its FQDN . In this case, the Sp eedT ouch™ can conn ect either as an initiator or as a responder .
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 28 Buttons Y ou can use one of the followi ng buttons: Remote Gateway The Remo te Gatewa y paramete rs identify the peer Secu rity Gateway in the IP network. Address or FQDN: Fill out the publi cly known network location of the remote Gateway .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 29 Miscellaneous Comprises the following settings: Primary Untrusted Physical Interf ace : This field s hows a list of your SpeedT ouch™ in terfaces. Y ou select the preferred Pr imary Untrusted Physical Inter face .
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 30 IKE Security Descriptors The IKE Security Descriptor bundles the security para meters used for the IKE Security Associ ation (Phase1). A number of IKE Security Descriptors are pre-configured in th e SpeedT ouch™, and can be selected from a list.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 31 Page layout for pre- shared key authentication When you click Use Preshared Key Authentication , the initial page is u pdated i.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 32 IKE Authentication with Preshared Key When you select Use Preshared K ey Authentica tion , the following fi elds have to be completed: Preshared Secret : A string to be used as a secret passw ord for the VPN conn ection.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 33 Example of a completed page The illustratio n below shows a completed page . The data in the various field s correspond with the VPN l ayout shown on page 25 : Pre-shared key was selected as authentica tion method.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 34 Buttons Y ou can use one of the followi ng buttons: Click ... To ... Stop All Connection s to this Gateway Stop all VPN co nnecti ons to the selected remote Security Gateway . Apply Apply modifi cation s made to the settings of the selected remo te Security Gateway .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 35 3.1.2 Remote Gateway Address Unknown Page VPN context Y our SpeedT ouch™ may have to set up (simultaneous) VPN connections with various remote Security Ga teways.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 36 Aggressive Mode versus Main Mode IKE specifies two modes of operation for the Phase 1 negotiations: main mode an d aggressive mode. Main mode is more secure while aggressive mode is qui cker .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 37 Miscellaneous Comprises the following settings: Primary Untrusted Physical Interf ace : This field s hows a list of your SpeedT ouch™ in terfaces. Y ou select the preferred Pr imary Untrusted Physical Inter face .
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 38 IKE Security Descriptors The IKE Security Descriptor bundles the security para meters used for the IKE Security Associ ation (Phase1). A number of IKE Security Descriptors are pre-configured in th e SpeedT ouch™, and can be selected from a list.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 39 Page layout for pre- shared key authentication When you click Use Preshared Key Authentication , the initial page is u pdated i.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 40 IKE Authentication with Preshared Key When you select Use Preshared K ey Authentica tion , the following fi elds have to be completed: Preshared Secret : A string to be used as a secret passw ord for the VPN conn ection.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 41 Main Mode initial page When you click Main M ode , the following page is displayed: By clicking a button, the page layout changes, reveali ng other fields and butt ons. More information ab out the various fields and buttons is found below .
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 42 Page layout with additional Descriptors When you click Specify Additional Descriptors , the IKE Security Descriptors ar ea of t.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 43 Page layout for certificate authentication When you click Use Certificate Authentication , the IKE Authentication area of the p.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 44 Identification & Interface The Identificati on & Interface fields have to be fille d out with the following information.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 45 Example of a completed page The illustratio n below shows a completed page . The data in the various field s correspond with the VPN l ayout shown on page 25 : Pre-shared key was selected as authentica tion method.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 46 Buttons Y ou can use one of the followi ng buttons: Click ... To ... Stop All Connection s to this Gateway Stop all VPN co nnecti ons to the selected remote Security Gateway . Apply Apply modifi cation s made to the settings of the selected remo te Security Gateway .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 47 3.1.3 Connections Page Page layout When you click New Connection to this Gateway , the following fields are revealed: In this section of t he page, you fill out th e characteristics of the V irtual Private Network you are building.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 48 Trusted Network The Local and Remote T rusted Network parameters descr ibe which terminals have access to the secure connection at the lo cal and remote peers, respectively . T wo fields must be comp leted for each peer: T rusted Network T ype and T rusted Network IP .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 49 Port If the tcp or udp protocol is selected for the protocol parameter , then the access to the IPSec connection can be further restricted to a single port. Many well- known port numbers can be selecte d from the pull-down m enu.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 50 Starting and stopping a connection. A VPN connection is started automatically when data is sent or received that complies with th e traffic policy . Alternatively , you can manually start and st op a VPN connection by selecting it in the table.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 51 3.2 VPN Client VPN context For a VPN client-server scenari o a dedicated set of user -friendly configuration pages is available. Separate pages exist for the cl ient and server sides.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 52 3.2.1 VPN Client Page Initial page When you click VPN > VPN Client , the following page is displayed: The page contains a nu mber of buttons and fields to complete. It is recommend ed to fill out the page from top to bottom.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 53 Server IP Address or FQDN Fill out the publicly known network location of the remote Gatew ay . Y ou can sp ecify the public IP address, if it is invariable and known. More o ften, the publicly k nown FQDN (such as vpn.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 54 IPSec Security Descriptor The IPSec Security De scriptor bundles the se curity parame ters used for the Phase 2 Security Association. A number of IPSec Security Descriptors are pre-config ured in the SpeedT ouch™, and can be selected from a list.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 55 Primary Untrusted Physical Interface This field shows a l ist of your SpeedT ouch™ interfaces. Y ou select the preferred Primary Untrusted Physical Interf ace . This interface is used as the primary carrier for your VPN connection.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 56 Page layout for pre- shared key authentication When you click Use Preshared Key Authentication , the initial page is u pdated i.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 57 Starting and stopping a VPN client connection T wo start mechanisms are defined: Manual Dialup Automatic Start. When you use pre-shared key authentica tion, both start mechanisms require a number of parameters to be se t.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 58 Local LAN IP Range In this field you have to configure the local access polic y . In other wor ds, you define which IP range of local term inals has access to the VPN. Y ou can specify either a single IP address , a subnet, or a range.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 59 3.2.2 Starting the VPN Client Connection Method 1: Automatic Start In section “ Starting and stopping a VP N client connection” on page 57 , the configuration o f the Automatic Start mechanism is explained.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 60 Dialling in 1 Select the VPN server fr om the table and click Dial-In at the bottom of the screen. As a result, th e VPN Client Connect page is shown. 2 Fill out the login parameters an d click Continue .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 61 Client Identification When for the IKE Authentication method th e Preshared Key method was selected, some Server V e ndor specific fields must be fi lled out.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 62 3.2.3 Closing a Connection Disconnect procedure At the bottom of the VPN Client Connection Configuration page, all active VPN connections are shown. Select the connection you wa nt to terminate and click Disconnect .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 63 3.3 VPN Server VPN context In a VPN client-server scenari o, the VPN se rver is alwa ys the responder in the IKE negotiations . V arious VPN clients can dial in to a VPN server , since i t supports multiple simultan eous VPN connections.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 64 3.3.1 VPN Server Page Initial page When you click VPN > VPN Server , the following pa ge is displayed: The page contains a nu mber of buttons and fields to complete. It is recommend ed to fill out the page from top to bottom.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 65 Buttons Y ou can use one of the followi ng buttons: Local Trusted Network The Local T rusted Network open to Remote Cli ents describes which part of the local network you want to make ac cessible for remote VPN clients.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 66 Page layout with additional Networks Clicking Specify Additional Networks allows you to designat e up to four addresses/ subnets in case the Local T rust ed Network can not be described by a single address/ subnet.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 67 Page layout with additional Descriptors When you click Specify Additional Descriptors , the IKE Security Descriptors ar ea of t.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 68 Miscellaneous Comprises the following settings: IKE Exchange Mode : IKE specifies two mode s of operation for the Phase 1 negotiations: main mode and aggressive mode. Main mode i s more secure wh ile aggressive mode is quicker .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 69 VPN Server settings Comprises the following settings: Virtual IP Range: Specifies the range of IP addresses fr om which the VPN cl ient addresses are selected. An address range or a subnet can be entered for this parameter .
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 70 Page layout for pre- shared key authentication When you click Use Preshared Key Authentication , the initial page is u pdated i.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 71 Remote ID (Filter) T ype and Remote ID Filter : The Remote ID Filter identifies the VPN client duri ng the Phase 1 ne gotiation. This identity is used as a filter for VPN clients when they join the VPN.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 72 Authorized Users List When you selected the use of XAuth (either generic or chap) in the VPN Ser ver Configuration page, then clicking Apply r eveals an additional section at the top of the page.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 73 3.4 Certificates Introduction The Certificates Navigation tab gives acce ss to four main pages for certificates management. Secure Storage page This page shows the list of certif icates stored in the SpeedT ouch™.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 74 CEP page This page allows co nfiguring the Certificates E nrollment Protocol settings . Enrollment URL This URL point to the location of the CEP script on t he Certificate Authority server .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 75 3.5 Advanced VPN Menu When to use T he Advanc ed VPN menu gives access to two ma in pages where the complete IPSec configuration can be done. These pa ges are component-ori ented, as opposed to the applicatio n-oriented pages describ ed in sections 3.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 76 Peer Profiles page When you click VPN > Advanced > Peers , the Peer Profiles page is displayed. The Peers page gives access to the following sub-p ages: All peer parameters explained in the CLI co nfiguration method can be filled out in these pages.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 77 Connection Prof iles page When you click VPN > Advanced > Connections , the Connection Profil es page is displayed.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 78 3.5.1 Peer Profiles Page Peer Profiles page layout The Peer Profi les page bundles all parameters that define a Peer . A number of parameters ma kes use of sy mbolic descriptors that are defined and managed on other su b-pages.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 79 Local ID The Local ID identifies the local Sp eedT ouch™ during the Phase 1 negotiatio n with the remote Security Gateway . This identity must m atch the settings in the remote Security Gateway in order to successfully set up the IKE Security Association.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 80 Primary Untrusted Physical Interface This field shows a l ist of your SpeedT ouch™ interfaces. Y ou select the preferred Primary Untrusted Physical Interf ace . This interface is used as the primary carrier for your VPN connection.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 81 Peer Options This optional param eter refers to the symboli c name of a peer option s list. The peer options modify the VPN behaviour . T he peer options lists are defined on the Peers Options sub-p age, see “3 .
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 82 3.5.2 Authentication Page Authentication page layout The Authentication page allows you to define Authentication Attributes .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 83 3.5.3 Peer Descriptors Page Descriptors page layout A Peer Security Descriptor c ontains th e methods fo r message auth entication, encryption and hash ing, and the lifetime of the IKE Security Association.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 84 Crypto The table below shows the encryption al gorithms supporte d by the SpeedT ouch™ along with thei r corresponding key size: DES is relatively slow and is the weak est of the algorith ms, but it is the industry standard.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 85 3.5.4 Peer Options Page Options page layout The Option s page allows you to define Options li sts that you can later refer to in a Peer Profile . Peer options are de scribed in section “6.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 86 3.5.5 VPN-Client Page VPN-Cli ent page layout The VPN-Client page allows you to define VPN Clie nt Descriptors . Client descrip tor name This name is used internally to identi fy the VPN cli ent Descriptor .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 87 Type The Ty p e parameter determines which V irtual IP Address Mapping type is selected.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 88 3.5.6 VPN-Server Page VPN-Server page layout The VPN-Server page allows you to define VPN Server Descriptors . Server descriptor name This name is used internally to identify the VPN Server Des criptor .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 89 Secondary DNS The IP address of the seco n dary DNS server , pr ovided to the VPN clients via IKE Mode Config. This is the secondary DNS serv er in the local network that is open to VPN clients.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 90 3.5.7 VPN-Server-XAuth Page VPN-Server-XAuth page layout The VPN-Server-XAuth page allows you to define XAuth user pool s and to add authorized users to these pools. An XAuth user pool is a named list of authoriz ed users.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 91 3.5.8 Connection Profiles Page Connection Prof iles page layout The Connection Pro files page bundles all parameters that define an IPSec Connecti on to a Peer . In other words it bundles the Phas e 2 parameters.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 92 Local network This parameter is used in th e proposal presented to the remo te Security Gateway during the Ph ase 2 negotia tion. It determi nes which messages have access to the IPSec connection at the local side of the tunnel.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 93 Connection Options This optional parameter refe rs to th e symbolic name o f a connection option s list. The connection options modi fy the VPN beh aviour . The connection options lists are defined on the Connection Options sub-page, see “3.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 94 3.5.9 Networks Page Networks page layout The Networks page allows you to define Network Descriptors . What is a Network Descriptor? The concept of Network Descriptors is introduced for the first time in the SpeedT ouch™ R5.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 95 Protocol Optionally , the access to an IPSec connection can be restricted to a specific protocols by se lecting a protocol from the list. Select any if you do not want to restrict the co nnection to a specific protoc ol.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 96 3.5.10 Connection Descriptors Page Descriptors page layout A Connection Secu rity Descriptor contains the following se curity p.
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 97 Parameter table The following table summar izes the paramet ers comprised in the connecti on security descriptor: Connection Descriptor name Internal symbolic na me to iden tify the Connec tion Descriptor .
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 98 Integrity The SpeedT ouch™ supports two types of hashing algo rithms: HMAC is always used as integrity algo rithm, combined wi th either MD5 or SHA1. SHA1 is stronger than MD 5, but slightly slower .
Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 99 3.5.11 Connection Options Page Options page layout The Options page allows you to define Options li sts t hat you can later refer to in a Connecti on Profile . Connection options are described in section “6.
Chapter 3 Configuration via Local Pages E-DOC-CTC-2005 1017-0169 v0.1 100 3.5.12 Client Page Client page layout The Client page is used for dialling-in to a VPN server .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 101 4 Configuration via the Command Line Interface In this chapter This chapter describes the basic configuration steps fo r building an operation al IPSec via the Com mand Line Interfa ce.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 102 4.1 Basic IPSec configuration procedure Terminology The SpeedT ouch™ uses specific I PSec terms and definitions.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 103 Procedure In order to set up a basic IPSec configurat ion, the following main steps have to be executed.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 104 4.2 Peer: Authentication Attribute What is ... T wo main methods for user authentication are suppo rted in the.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 105 4.2.1 Authentication Attribute Parameters Parameter table The authentication attribute is a named descriptor , bu ndling the authentication parameters. The following data need to be provid ed: Parameter Possible values Description name Arbitrary .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 106 4.2.2 List all Authentication Attributes list command The ipsec peer auth list command shows al l previously created authentication attributes.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 107 4.2.3 Create a New Authentication Attribute add command The ipsec peer auth add command allows adding a new authentication attribute.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 108 4.2.4 Set or Modify the Authentication Attribute Parameters modify command The ipsec peer auth modify command allows to mo dify the auth entication attribute parameters.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 109 4.2.5 Delete an Authentication attribute delete command The IPSec peer auth delete command deletes a previously created authentication attribute. Example In the following exam ple the authentication attribut e, named secret2, is deleted.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 110 4.3 Peer Security Descriptor What is ... All security parameter s required to esta blish an IKE session are grouped into a string called a Peer Security Descriptor .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 111 4.3.1 Peer Security Descriptor Parameters Parameter table The following table summari z es the par ameters comprise d in the peer security descriptor .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 112 Cryptographic function [crypto] The table below shows the encryp tion algorithms suppor ted by the SpeedT ouch™ along with thei r corresponding key size: DES is relatively slow and is the weak est of the algorith ms, but it is the industry standard.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 113 IKE SA lifetime [lifetime_secs] The lifetime of a Security Association is specified in seconds: Lifetime measu.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 114 4.3.2 List all Peer Security Descriptors list command Th e ipsec peer descriptor list command show s the list of all defin ed peer security descriptors.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 115 4.3.3 Create a New Peer Security Descriptor add command A new Pe er Security Descri ptor is created with the ipsec peer descriptor add command.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 116 4.3.4 Set or Modify the Peer Descriptor Parameters modify command The ipsec peer descriptor modify command sets or modifies the Peer Security Des criptor para meters.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 117 4.3.5 Delete a Peer Descriptor delete command The ipsec peer descriptor delete command deletes a Peer Security Descriptor .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 118 4.4 Peer What is ... Th e Peer is a term that refers to the remote Security Gatewa y the IPSec secure tunnel(s) will be connected to. In a first phase, an IKE Security Association is negotiated be tween the SpeedT ouch™ and a remote Security Gateway (peer).
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 119 4.4.1 Peer parameters Parameters table The fol lowing table shows the peer pa rameters: Peer name [name] The peer name identifies the peer entity . This name only has lo cal significance inside the SpeedT ouch™.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 120 Remote Security Gateway identifier [remoteaddr] This parameter localizes the remote Security Ga teway on the Inte rnet. Eith er the public IP address or the Fully Qualified Domain Nam e can be used as an iden tifier .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 121 Remote Identifier [remoteid] This parameter identifies the remote Secu rity Gateway during the Phase 1 negotiation. This identity must match the se ttings in the remote Security Gateway in order to successfully set up the IKE Security Association.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 122 Physical Interface [phyif] Y ou can tie the peer to one of your SpeedT ouch™ interfac es. This interface is then used as the primary carrier for your VPN connection.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 123 4.4.2 List all peer entities list command Th e ipsec peer list command shows the list of all defin ed peer entities. Example In the followin g example, a list of all defined peer entities is created.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 124 4.4.3 Create a new peer entity add command A new Peer is created with the ipsec peer add command. Example In the following example, a ne w peer is create d, named peer1 The result of this operatio n can be verified with the list command.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 125 4.4.4 Set or modify the peer parameters modify command The ipsec peer modify command sets or modifie s the peer parameters.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 126 4.4.5 Delete a Peer entity delete command The ipsec peer delete command deletes a peer entity . Example In this example the peer , named peer1, is deleted: The result of this operation i s verified with the list command.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 127 4.5 Connection Security Descriptor What is ... Al l security parameter s required to esta blish an IPSec tunnel are grouped into a string called Connection Secu rity Descriptor .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 128 4.5.1 Connection Security Descriptor parameters Parameters table The fol lowing table summar izes the parameters comprised in the connection security descripto r .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 129 Cryptographic function [crypto] The table below shows the cr yptographic functions supported by the SpeedT ouch™ along with thei r corresponding key size: DES is relatively slow and is the weak est of the algorith ms, but it is the industry standard.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 130 Perfect Forward Secrecy [pfs] Enables or disabl es the use of Perfect Forward Secre cy . A lot of vendor s have Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 131 4.5.2 List all Connection Security Descriptors list command Th e ipsec connection descriptor list command show s the list of all defined Connectio n Security Descriptors .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 132 4.5.3 Create a new Connection Security Descriptor add command A new Connection Se curity Descriptor is created with the ipsec connection descriptor add command.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 133 4.5.4 Set the Connection Security Descriptor Parameters modify command The ipsec connection descriptor modify command sets or modi fies the connection descr iptor parameters.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 134 4.5.5 Delete a Connection Security Descriptor delete command The ipsec connection descriptor delete command dele tes a Connection Descriptor .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 135 4.6 Network Descriptor What is ... The concept of Network Descriptor s is introduced for the first time in the SpeedT ouch™ R5.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 136 4.6.1 Network Descriptor Parameters Parameters table The fol lowing table summar izes the parameters comprised in the Network Descriptor: Network name [name] This name is used intern ally to identify the Network Descriptor .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 137 Protocol [proto] Access to an IPSec co nnection can be restricted to specific protocols. This can optionally b e configured with the proto parameter . V alid entries are listed in the following table.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 138 4.6.2 Create a New Network Descriptor add command A new Network Descriptor is created with the ipsec connection network add command.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 139 4.6.3 Set the Network Descriptor Parameters modify command The ipsec connection network modify command sets or modifies the Network Descriptor parameters.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 140 4.6.4 Delete a Network Descriptor delete command The ipsec connection network delete command deletes a Network Descriptor .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 141 4.7 Connection What is ... A Connection bundles all the pa rameters required for the PH2 SA negotiation: Peer Reference, pointing to the pe er configuration to be used .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 142 4.7.1 Connection Parameters Parameters table The table b elow shows the connection parameters. Connection name [name] This symbolic name on ly has local sign ific ance inside the SpeedT o uch™ router .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 143 Local network [localnetwork] This parameter is used in th e proposal presented to the remo te Security Gateway during the Ph ase 2 negotia tion. It determi nes which messages have access to the IPSec connection at the loca l side of the tunnel.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 144 Always-on connection [alwayson] This parameter determines whether the conn ection is permanentl y enabled or not. By default this parameter is set to disabl ed .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 145 4.7.2 List all Connections list command Th e ipsec connection list command shows the list of all defined connections. Example In the followin g example, a list of all defined connections is shown.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 146 4.7.3 Create a New Connection add command A new Connection is created with the ipsec connection add command. Example In the following example, a new co nnection is created, name d connect1 The result of this operatio n can be verified with the list command.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 147 4.7.4 Set or Modify the Connection Parameters modify command The ipsec connection modify command sets or modifies the Connection parameters.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 148 4.7.5 Delete a Connection delete command The ipsec connection delete command deletes a Connection. Example In this example the connection, named connect1, is deleted: The result of this operation i s verified with the list command.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 149 4.7.6 Start a Connection start command The ipsec connection start command tr iggers th e establishment of a Security Associat ion.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 150 4.7.7 Stop a connection stop command The ipsec connection stop command tears down th e designated Security Association. The IKE Security Associat ion is n ot stopped with this command.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 151 4.8 Auxiliary Commands In this section The following topics are discussed in this section: Topic Page 4.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 152 4.8.1 Config Command What is it used for This command serves two d ifferent purpos es. Withou t addition al parameter , the command displays th e current VPN settings.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 153 AutoPr oxyARP The automatic addition of Pr oxyARP entries in VPN client /server scenarios can be enabled or disabled. B y default this se tting is enabled. When disabled, the ProxyARP entries have to be entered manually .
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 154 An example of Auto ProxyARP As an example, suppose a VPN server is configure d on a SpeedT ouch™ with the subnet 192.168.1.0 as its private LAN addre ss range.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 155 4.8.2 Flush Command What is it used for This command flushes the co mplete IPSec configuration.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 156 4.8.3 Clear Command Group What is it used for This command group compri ses two commands, intended for clearin.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 157 4.9 Organisation of the IPSec Command Group Introduction In this section an overview is given of the IPSec Com mand Group stru cture. Underlined keywords represent a comman d group.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 158 Connection command group The following table shows the commands of the ipsec connection command group. Debug command group The following table shows t he commands of the ipsec debug com mand group.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-20051 017-0169 v0.1 159 Peer command group The following table shows the commands of the ipsec peer command group.
Chapter 4 Configuration via the Co mmand Line Interface E-DOC-CTC-2005 1017-0169 v0.1 160 Show command group The following table shows the commands of the ipsec show command grou p.
Chapter 5 Troubleshooting SpeedTouch™ IPSec E-DOC-CTC-20051 017-0169 v0.1 161 5 Troubleshooting SpeedTouch™ IPSec Introduction IPSec is a complex protocol suite and th erefore the SpeedT ouch™ offers a number of troubleshooti ng methods.
Chapter 5 Troubleshootin g SpeedTouch™ IPSec E-DOC-CTC-2005 1017-0169 v0.1 162 5.1 Via the Debug Web pages How to see the status of the VPN connection Browse to Expert mode > VPN > Debug > Status . This page shows the status of the IKE Security Asso ciation (Phase 1) and the IPSec Security Associ ation(s) (Phase 2) .
Chapter 5 Troubleshooting SpeedTouch™ IPSec E-DOC-CTC-20051 017-0169 v0.1 163 How to monitor the IPSec negotiations Proceed as fol lows: 1 Browse to Expert mode > VPN > Debug > Loggin g . 2 Select the desired level of T race Detail . Select high to see the most detailed level of loggin g.
Chapter 5 Troubleshootin g SpeedTouch™ IPSec E-DOC-CTC-2005 1017-0169 v0.1 164 How to see the amount of traffic carried by a VPN connection Browse to Expert mode > VPN > Debug > Statistics . This pa ge shows the am ount of traffic carried over the IKE Security Association (Phase 1) and the IPSec Security Association(s) (Phase 2).
Chapter 5 Troubleshooting SpeedTouch™ IPSec E-DOC-CTC-20051 017-0169 v0.1 165 5.2 Via the CLI: Show command group Show command group Y ou can check whether the secure tunnels are up: Y ou can check whether traffic is passing the tunnel and ke ep track of the number of packets and bytes.
Chapter 5 Troubleshootin g SpeedTouch™ IPSec E-DOC-CTC-2005 1017-0169 v0.1 166 ... IPSecGlobalStats ---------------- IPSecGlobalActiveTunnels : 0 IPSecGlobalPreviousTunnels : 0 IPSecGlobalInOctets :.
Chapter 5 Troubleshooting SpeedTouch™ IPSec E-DOC-CTC-20051 017-0169 v0.1 167 5.3 Via the CLI: Debug command group Traceconfig command The traceconfig comma nd sets the level of debugging messages that are dumped to the screen.
Chapter 5 Troubleshootin g SpeedTouch™ IPSec E-DOC-CTC-2005 1017-0169 v0.1 168 Via Syslog messages The Syslog protocol i s a powerful mechanism to investig ate network issues.
Chapter 5 Troubleshooting SpeedTouch™ IPSec E-DOC-CTC-20051 017-0169 v0.1 169 Syslog m essages Th e following table show s the syslog messages. Severity Contents ERROR unable to delete old SPD entry.
Chapter 5 Troubleshootin g SpeedTouch™ IPSec E-DOC-CTC-2005 1017-0169 v0.1 170 5.4 Via SNMP Debugging via SNMP On the SpeedT ouch™, seve ral SNMP MIBs are availa ble allowing to r etrieve configuration and count er information. A MIB (Management In formation Base) can be considered as a repre sentation of a grou p of parameters.
Chapter 5 Troubleshooting SpeedTouch™ IPSec E-DOC-CTC-20051 017-0169 v0.1 171 5.5 Pinging from the SpeedTouch™ to the remote private network Ping command In order to verify that an IPSec tunnel is active, you can use the :ip debug pi ng CLI command of the SpeedT ouch™.
Chapter 5 Troubleshootin g SpeedTouch™ IPSec E-DOC-CTC-2005 1017-0169 v0.1 172.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 173 6 Advanced Features In this section The following topics are d escribed in this section : Topic Page 6.1 IPSec and the Stateful Inspection Firewall 174 6.3 Extended Authenti cation (XAuth) 176 6.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 174 6.1 IPSec and the Statef ul Inspection Firewall What about ... The SpeedT ouch™ has a built-i n firewall which is com plete ly configurable b y the user . A number of preset fire wall levels are defined that allow an easy configuration according to your security policy .
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 175 6.2 Surfing through the VPN tunnel Web Browsing Interception and surfing through a tunnel One of the SpeedT ouch™ feat ures for easy Internet acce ss is the so -called Web Browsing Interception, also referred to as Differentiated Servic es Detection (DSD).
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 176 6.3 Extended Authentication (XAuth) What is ... Extended Authenticati on, commonly referred to as the XAuth protocol, allows for performing extra user auth entication.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 177 6.4 VPN Client Introduction The SpeedT ouch™ can be configured as a VP N client. SpeedT ouch™. In this function, it su pports the IKE Mode Confi g protocol to receive c onfiguration parameters from the remote VPN server .
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 178 6.4.1 VPN Client parameters Parameters table The following table shows the VP N Client parameters. VPN Client parameters Parameter Keyword Descrip tion VPN client name name Mandatory . Symbolic name for the VP N server , used internally in the SpeedT ouch™.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 179 6.4.2 Create a new vpnclient add command A new vpnclient is created with the ipsec peer vpnclient add comma nd. Example In the following example, a new vpnclie nt entity is created, name d client1 The result of this operatio n can be verified with the list command.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 180 6.4.3 Set or modify the vpnclient parameters modify command The ipsec peer vpnclient modify command sets or modifies the vpnclient entity parameters.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 181 6.4.4 Attach the vpnclient entity to the peer entity modify the peer parameters The :ipsec peer modify name=peer1 client/server=client1 command attaches the previou sly defined vp nclient enti ty to the corresponding peer .
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 182 6.5 VPN Server Introduction In the previou s section the SpeedT ouch™ was used as a VPN client. The SpeedT ouch™ can be used equ ally well as a VPN server . In this function, it can be configured with a XAuth user pool, to ser ve remote clients.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 183 6.5.1 VPN Server parameters Parameters table The fol lowing table shows the VPN Se rver paramete rs. Connection name [name] This symbolic name on ly has local sign ific ance inside the SpeedT o uch™ router .
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 184 Push IP address [push_ip] The VPN server will always p rovide an IP address to the remote VPN clie nt. VPN clients can behave in two different ways. Either: the VPN client requests an IP address.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 185 6.5.2 Create a new VPN server add command A new VPN server is create d with the ipsec peer vpnserver add command. Example In the following example, a new vpnclie nt entity is created, name d client1 The result of this operatio n can be verified with the list command.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 186 6.5.3 Set or modify the vpnserver parameters modify command The ipsec peer vpnserver modify command sets or modifies the vpnserver entity parameters.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 187 6.5.4 Attach the vpnserver entity to the peer entity modify the peer parameters The :ipsec peer modify name=peer1 client/server=serv1 command attaches the previou sly defined vpnserver enti ty to the co rresponding peer .
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 188 6.6 XAuth Users Pool Introduction In the previou s section the application of the SpeedT ouch™ as a VPN server was described. In addition to the IPSec authentication mechan isms, the clients may support the use of the XAuth protocol.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 189 6.6.1 XAuth Pool parameters Parameters table The fol lowing table shows the XAuth Po ol parameters. XAuth Pool parameters Parameter Keyword Description XAuth pool name name Mandator y . Symbol ic name for the XA uth pool, used internally in the SpeedT ouch™.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 190 6.6.2 Create a new XAuth pool add command A new XAuth pool is created with the ipsec peer vpnserver xauthpool add command. Example In t he following example, a new xauthpool is created , named pool1 The result of this operatio n can be verified with the list command.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 191 6.6.3 Modify the xauthpool type modify command With the ipsec peer vpnserver xauthpool modify command it is possible to mod ify the pool type.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 192 6.6.4 Attach the xauthpool entity to the vpnserver entity modify the vpnserver parameters The :ipsec peer vpnserver modify name=serv1 xauthpool=pool1 command attaches the previ ously defi ned pool to the vp nserver , named se rv1.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 193 6.6.5 Delete an xauthpool entity delete command The ipsec peer vpnserver xauthpool delete command deletes a network. Example In this example the po ol , named pool 1, is deleted: The result of this operation i s verified with the list command.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 194 6.6.6 XAuth User parameters Parameters table The fol lowing table shows the XAuth Use r parameters.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 195 6.6.7 Create a new XAuth user adduser command A new XAuth user is created with the ipsec peer vpnserver xauthpool adduser command.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 196 6.6.8 Set or modify the password of an XAuth user moduser command The ipsec peer vpnserver xauthpool moduser command allows setting or modifying the XAuth user passw ord.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 197 6.6.9 Delete an xauthuser entity delete command The ipsec peer vpnserver xauthpool deluser command deletes a XAuth user entry from its pool. Example In this example the user , named user1, is deleted: The result of this operation i s verified with the list command.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 198 6.7 The Default Peer Concept Why the default peer concept Consider the network configuratio n shown below: When the SpeedT ouch™ [1] gets its IP ad dress dynamically assi gned (e.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 199 Example IPSec connection, applying the default peer concept SpeedT ouch™ [1] IPSec peer configuration: The paramete r localid can rem ain either unset, or an identifie r type can be use d that is independen t of the IP addr ess, such as the userfqdn.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 200 6.8 One Peer - Multiple Connections Multiple tunnels In order to setup a Phase 2 tunnel, a Phase 1 IKE tunnel is requir ed first. Via this Phase 1 tunnel the signalling messages, negotiating the Phase 2 tunnel, are transferred.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 201 6.9 Peer Options Options list The pe er options alter the behaviou r of the VPN network. Options to be appli ed to Peer entities are stored in na med Option Li sts.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 202 Dead Peer Detection The SpeedT ouch™ supports the Dead Peer Detection protocol . By default, the use of this protocol i s enabled. This option allows disabling th e use of the DPD protocol.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 203 6.9.1 List all Peer Options lists list command Th e ipsec peer options list command shows all previously created options lists. Example In t he following example, a list of all previously created o ptions is shown.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 204 6.9.2 Create a Peer Options list add command Th e ipsec peer options add command allows adding a new options list. Example In the following example, a new op tions list is cr eated, named opt1 The result of this operatio n can be verified with the list command, as shown above.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 205 6.9.3 Set or modify the Peer Option list parameters modify command The ipsec peer options modify command allo ws to mo dify the options list parameters. Example In the following exampl e, the options list pa rameters are modified.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 206 6.9.4 Delete a Peer Options list delete command The ipsec peer options delete command deletes a previously crea ted options list. Example In the following example th e options list, nam ed opt2, is delete d.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 207 6.10 Connection Options Options list The connection options alter the behavi our of the VPN network.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 208 Don’t Fragment bit [force_df] IPSec encryption increases the packet length. When the MTU of a link is adjusted to pass the largest IP packet unfragmented, then messages encapsulated by IPSec will not pass if the Don’ t Fragment bit is set.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 209 6.10.1 List all Connection Options lists list command Th e ipsec connection options list command shows all p reviously created options lists. Example In the following example, all prev iously created options are listed.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 210 6.10.2 Create a Connection Options list add command Th e ipsec connection options add command allo ws adding a new options list.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 211 6.10.3 Set or modify the Connection Option list parameters modify command The ipsec connection options modify command allows to modify the options list parameters. Example In the following exampl e, the options list pa rameters are modified.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 212 6.10.4 Delete an Options list delete command The ipsec connection options delete command deletes a previo usly created options list. Example In the following example th e options list, named copt1, is deleted.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 213 6.11 Advanced Connection Introduction The Advanced command g roup is a sub-group of the Conn ection command group. It allows addition al connection se ttings in order to take full advantage of the dynamic policy capabilities of the SpeedT ouch™.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 214 Local network [localnetwork] This parameter is used in th e proposal presented to the remo te Security Gateway during the Ph ase 2 negotia tion. It determi nes which messages have access to the IPSec connection at the loca l side of the tunnel.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 215 Local match [localmatch] This setting is releva nt in responder mode only . It is optionall y filled out. In a basic configuration it is left unset. When unset, the SpeedT ouch™ uses its dynamic IPSec policy capabiliti es to complete this field.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 216 Remote match [remotematch] This setting is releva nt in responder mode only . It is optionall y filled out. In a basic configuration it is left unset. When unset, the SpeedT ouch™ uses its dynamic IPSec policy capabiliti es to complete this field.
Chapter 6 Advanced Features E-DOC-CTC-20051 017-0169 v0.1 217 Local selector [localselector] The local selector expresses a static IPSec policy for access to the IPSec tunnel at the local end. This s etting can optionally be filled out manual ly . In a basic configuration it is left unset.
Chapter 6 Advanced Features E-DOC-CTC-2005 1017-0169 v0.1 218.
.
Need more help? Additional help is available online at www .speedtouch.com © THOMSON 2006 . All rights reserved . E-DOC- CTC-20051017- 0169 v1.0 ..
デバイスNortel Networks 620の購入後に(又は購入する前であっても)重要なポイントは、説明書をよく読むことです。その単純な理由はいくつかあります:
Nortel Networks 620をまだ購入していないなら、この製品の基本情報を理解する良い機会です。まずは上にある説明書の最初のページをご覧ください。そこにはNortel Networks 620の技術情報の概要が記載されているはずです。デバイスがあなたのニーズを満たすかどうかは、ここで確認しましょう。Nortel Networks 620の取扱説明書の次のページをよく読むことにより、製品の全機能やその取り扱いに関する情報を知ることができます。Nortel Networks 620で得られた情報は、きっとあなたの購入の決断を手助けしてくれることでしょう。
Nortel Networks 620を既にお持ちだが、まだ読んでいない場合は、上記の理由によりそれを行うべきです。そうすることにより機能を適切に使用しているか、又はNortel Networks 620の不適切な取り扱いによりその寿命を短くする危険を犯していないかどうかを知ることができます。
ですが、ユーザガイドが果たす重要な役割の一つは、Nortel Networks 620に関する問題の解決を支援することです。そこにはほとんどの場合、トラブルシューティング、すなわちNortel Networks 620デバイスで最もよく起こりうる故障・不良とそれらの対処法についてのアドバイスを見つけることができるはずです。たとえ問題を解決できなかった場合でも、説明書にはカスタマー・サービスセンター又は最寄りのサービスセンターへの問い合わせ先等、次の対処法についての指示があるはずです。