7/17/2019 (Security Configuration Guide)
http://slidepdf.com/reader/full/security-configuration-guide-56910a1d3c8a8 1/60
User Manual - Configuration Guide (Volume 3)
Versatile Routing Platform
Table of Contents
Chapter 1 Configuration of AAA and RADIUS Protocol
1.1 Network Security Features Provided by VRP
1.2 Introduction to AAA and RADIUS
1.2.1 Overview of AAA
1.2.2 Overview of RADIUS
1.3 Configuration of AAA and RADIUS
1.3.1 AAA and RADIUS Configuration Task List
1.3.2 Enabling/Disabling AAA
1.3.3 Configuring Authentication Method List for Login Users
1.3.4 Configuring Authentication Method List for PPP Users
1.3.5 Configuring the Local-First Authentication of AAA
1.3.6 Configuring AAA Accounting Option
1.3.7 Configuring Local IP Address Pool
1.3.8 Assigning IP Address for PPP User
1.3.9 Configuring Local User Database
1.3.10 Configuring RADIUS Server
1.4 Monitoring and Maintenance of AAA and RADIUS
1.5 Examples of the Typical Configuration of AAA and RADIUS
1.5.1 Access User Authentication Case 1
1.5.2 Access User Authentication Case 2
1.5.3 Authentication of FTP User
1.6 Fault Diagnosis and Troubleshooting of AAA and RADIUS
Chapter 2 Configuration of Terminal Access Security
2.1 Terminal Access Security
2.1.1 Classification of Terminal Access Users
2.1.2 Configuring EXEC Login Authentication
2.1.3 Security Features Provided by Command Line Interfaces for Terminal Users
2.1.4 Modifying Privileged User Password
2.2 Typical Configuration of EXEC
2.2.1 Configuring EXEC Login Authentication from CONSOLE Port
2.2.2 Configuring EXEC Login Authentication via Telnet
Chapter 3 Configuration of Firewall
3.1 Brief Introduction to Firewall
3.1.1 About Firewall
3.1.2 Packet Filtering
3.1.3 Access Control List
3.2 Configuring Firewall
3.2.1 Firewall Configuration Task List
3.2.2 Enabling/Disabling Firewall
3.2.3 Configuring Standard Access Control List
3.2.4 Configuring Extended Access Control List
3.2.5 Configuring the Match Sequence of Access Control List
3.2.6 Setting Default Firewall Filtering Mode
3.2.7 Configuring Special Timerange
3.2.8 Configuring Rules for Applying Access Control List on Interface
3.2.9 Specifying Logging Host
3.3 Monitoring and Maintenance of Firewall
3.4 Typical Configuration of Firewall
Chapter 4 Configuration of IPSec
4.1 Brief Introduction to IPSec Protocol
4.2 Configuring IPSec
4.2.1 IPSec Configuration Task List
4.2.2 Creating Encryption Access Control List
4.2.3 Defining Transform Mode
4.2.4 Selecting Encryption and Authentication Algorithm
4.2.5 Creating Security Policy
4.2.6 Applying Security Policy Group on Interface
4.3 Maintenance and Monitoring of IPSec
4.4 Typical IPSec Configuration
4.4.1 Creating SA Manually
4.4.2 Creating SA in IKE Negotiation Mode
Chapter 5 Configuration of IKE
5.1 Brief Introduction to IKE Protocol
5.2 Configuring IKE
5.2.1 IKE Configuration Task List
5.2.2 Creating IKE Security Policy
5.2.3 Selecting Encryption Algorithm
5.2.4 Selecting Authentication Algorithm
5.2.5 Setting Pre-shared Key
5.2.6 Selecting Hashing Algorithm
5.2.7 Selecting DH Group ID
5.2.8 Setting Lifetime of IKE Association SA
5.3 Monitoring and Maintenance of IKE
5.4 Typical Configuration of IKE
5.5 IKE Fault Diagnosis and Troubleshooting
Chapter 1 Configuration of AAA and RADIUS Protocol
1.1 Network Security Features Provided by VRP
Before introducing the configuration of AAA and the RADIUS protocol, let's first look at the security features provided by VRP.

With the spread of network applications, especially security-sensitive ones such as e-commerce, network security has become a pressing requirement. VRP provides the following security features:

- Network access security: AAA services (Authentication, Authorization and Accounting). Security server protocol: RADIUS, a distributed client/server system that implements AAA for network access and prevents unauthorized access.
- Authentication protocols: CHAP and PAP authentication on PPP links.
- Packet filtering: implemented through access control lists, which designate the packets that may (or may not) pass through the router.
- Event logging: records system security events and can be used to trace illegal access in real time.
- Address translation: hides internal IP addresses.
- Neighbour router authentication: ensures that the routing information exchanged is trustworthy.
- Terminal access security: authentication of FTP and EXEC users, level-based protection of the command line, and a privileged-user password, to keep unauthorized users out.
- Encryption and key exchange: the standard layer-3 tunnelling encryption protocol IPSec and the key exchange protocol IKE, with both hardware and software encryption algorithms.

In this volume, RADIUS configuration, terminal access security configuration, firewall configuration, and IPSec and IKE configuration are described in detail.
1.2 Introduction to AAA and RADIUS
1.2.1 Overview of AAA
I. What is AAA?
AAA is short for Authentication, Authorization and Accounting. It provides an overall configuration framework for these three security functions. AAA configuration is, in effect, management of network security, where network security refers mainly to access control:

- Which users may access the network server?
- Which services may the users with access rights obtain?
- How is the use of network resources by users accounted for?

AAA can implement the following services:
- Authentication: verifies whether the user has the right of access. The RADIUS protocol can be used for this.
- Authorization: grants the user particular types of service.
- Accounting: records the user's use of network resources.

AAA can be implemented through the RADIUS (Remote Authentication Dial-In User Service) protocol, which manages large numbers of geographically dispersed users who connect over serial ports and modems.

II. Advantages of AAA
AAA provides the following advantages:

- Enhanced flexibility and control
- A standard authentication model
- Multiple standby systems

1.2.2 Overview of RADIUS
I. What is RADIUS?
RADIUS is the abbreviation of Remote Authentication Dial-In User Service. It is a distributed client/server system that keeps unauthorized access off the network. It is commonly used in network environments that demand higher security and maintainable remote user access (for example, a network that manages many scattered dial-in users over serial ports and modems). The RADIUS client runs on Quidway series routers and sends authentication requests to the central RADIUS server, which holds all user authentication and network service access information.

II. RADIUS operation
The RADIUS server usually authenticates the user through the proxy authentication function of the access server. In general the procedure is as follows:

1) The client sends the user name and the password (hidden with the shared secret, see 1.3.10) to the RADIUS server.
2) The client receives one of the following responses from the RADIUS server:

- ACCEPT: the user passes authentication.
- REJECT: the user fails authentication. The user is prompted to enter the user name and password again; otherwise access is refused.
1.3 Configuration of AAA and RADIUS
1.3.1 AAA and RADIUS Configuration Task List
Configuration tasks of AAA and RADIUS are listed as follows:

- Enable AAA
- Configure authentication method list for login users
- Configure authentication method list for PPP users
- Configure AAA local-first authentication
- Configure AAA accounting option
- Configure local IP address pool
- Configure IP address for PPP user
- Configure local user database
- Configure RADIUS server
1.3.2 Enabling/Disabling AAA
The following configurations can be conducted only after AAA is enabled.
Perform the following tasks in global configuration mode.

Table SC-1-1 Enable/disable AAA
Operation      Command
Enable AAA     aaa-enable
Disable AAA    no aaa-enable
By default, AAA is disabled.
1.3.3 Configuring Authentication Method List for Login Users
An authentication method list defines which authentication methods may be used and the order in which they are tried. The list is consulted in sequence to authenticate users.

Login users are further divided into FTP users and EXEC users. EXEC means logging in to the router for configuration via Telnet or other means (Console port, asynchronous serial port, X.25 PAD call). Both types of user must be authorized in the local user database with the command user service-type. If a RADIUS server performs the authentication, the corresponding user authorization (user name and password) must be set on the RADIUS server before it is started.

Perform the following task in global configuration mode.

Table SC-1-2 Configure AAA login authentication
Operation                                          Command
Configure login authentication method list of AAA  aaa authentication login { default | list-name } { method1 } [ method2 ... ]
Delete login authentication method list of AAA     no aaa authentication login { default | list-name }

By default, the login method list is aaa authentication login default local.

If no list-name is defined by the user, the default method list is used.

method is the authentication method, one of the following three:

- radius: authentication with the RADIUS server
- local: local authentication against the local user database
- none: no authentication; every user is granted access

At least one method must be specified. If several are specified, a later method is tried only when the preceding method gives no response (the server is busy or the connection to it fails). If a method rejects the user (the security server or the local user database refuses access), authentication terminates and later methods are not tried. The none method is meaningful only as the last item of the list.

The five legal combinations are:

- aaa authentication login default none
- aaa authentication login default local
- aaa authentication login default radius
- aaa authentication login default radius none
- aaa authentication login default radius local

Note that with radius none, an outage of the RADIUS server means every login succeeds without any authentication; use that combination only where such fail-open behaviour is acceptable.

FTP and EXEC are not standard attribute values in the RADIUS protocol, so the following two values must be added to the Login-Service attribute (standard attribute 15) on the RADIUS server:

50 FTP; 51 EXEC
1.3.4 Configure authentication method list for PPP Users
Perform the following task in global configuration mode.
Table SC-1-3 Configure PPP authentication method list of AAA
Operation                                        Command
Configure PPP authentication method list of AAA  aaa authentication ppp { default | list-name } { method1 } [ method2 ... ]
Cancel PPP authentication method list of AAA     no aaa authentication ppp { default | list-name }

method is the authentication method, one of the following three:

- radius: authentication using the RADIUS server
- local: local authentication
- none: no authentication; every user is granted access

At least one method must be specified. If several are specified, a later method is tried only when the preceding one gives no response (the server is busy or the connection to it fails). If a method rejects the user (the security server or the local user database refuses access), authentication terminates and later methods are not attempted. The none method is meaningful only as the last item of the list.

The five legal combinations are:

- aaa authentication ppp default none
- aaa authentication ppp default local
- aaa authentication ppp default radius
- aaa authentication ppp default radius none
- aaa authentication ppp default radius local

Multiple PPP authentication method lists can be configured and applied to different interfaces.
1.3.5 Configuring the Local-First Authentication of AAA
When local-first authentication is configured, the user is first authenticated against the local user database. Only if local authentication fails is the configured method list applied. Once configured, local-first authentication applies to all PPP and login users.

Perform the following task in global configuration mode.

Table SC-1-4 Configure AAA local-first authentication
Operation                            Command
Enable local-first authentication    aaa authentication local-first
Disable local-first authentication   no aaa authentication local-first

By default, local-first authentication is disabled.

Because a local match ends the evaluation, a local account takes precedence over the RADIUS server for any user name present in both databases: an entry left in the local database keeps working even after the account is disabled on the server.
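The evaluation rules of 1.3.3 to 1.3.5 (a later method is tried only when the earlier one gives no response, accept or reject ends the evaluation, none is legal only as the last item, local-first consults the local database before the list) are easy to get wrong when reading a configuration. The following Python model is an added example and is not VRP code or Huawei's; the user databases, the server "reachable" flag and the fail-closed result when every method is silent are assumptions of the example, not behaviour stated in the guide.

```python
"""Model of VRP-style AAA method-list evaluation (added example, not VRP code).

Rules taken from sections 1.3.3 to 1.3.5 of the guide:
  * a later method is tried only when the earlier one gives NO RESPONSE;
  * ACCEPT or REJECT from any method ends the evaluation;
  * 'none' grants access unconditionally and is legal only as the last item;
  * with local-first enabled, the local database is consulted before the list.
The user databases and the 'reachable' flag are constructed test data.
"""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"


# The five combinations the guide lists as legal (same set for login and ppp).
LEGAL_LISTS = {
    ("none",), ("local",), ("radius",), ("radius", "none"), ("radius", "local"),
}


def validate_method_list(methods):
    """Return True if the list is one of the combinations the guide allows."""
    return tuple(methods) in LEGAL_LISTS


def local_auth(local_db, user, password):
    """Local user database: it always answers, so it never yields NO_RESPONSE."""
    if local_db.get(user) == password:
        return Result.ACCEPT
    return Result.REJECT


def radius_auth(server, user, password):
    """Simulated RADIUS server: unreachable -> NO_RESPONSE, otherwise ACCEPT/REJECT."""
    if not server["reachable"]:
        return Result.NO_RESPONSE
    if server["users"].get(user) == password:
        return Result.ACCEPT
    return Result.REJECT


def authenticate(methods, user, password, local_db, server, local_first=False):
    """Evaluate a method list; returns (Result, name of the method that decided)."""
    if not validate_method_list(methods):
        raise ValueError(f"illegal method list: {methods}")

    if local_first:
        # aaa authentication local-first: the local database is tried first and
        # the configured list is used only when local authentication fails.
        if local_auth(local_db, user, password) is Result.ACCEPT:
            return Result.ACCEPT, "local-first"

    for method in methods:
        if method == "none":
            return Result.ACCEPT, "none"
        if method == "local":
            result = local_auth(local_db, user, password)
        else:
            result = radius_auth(server, user, password)
        if result is Result.NO_RESPONSE:
            continue  # only a silent method lets the next one be tried
        return result, method  # ACCEPT or REJECT terminates the list

    # Every method was silent. The guide does not say what happens here;
    # this model fails closed (assumption of the example).
    return Result.REJECT, None
```

The cases worth trying are the ones that surprise people: with radius local, a reachable RADIUS server that rejects the user ends the login even though the local database would have accepted it, while radius none lets anybody in as soon as the server stops answering.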
1.3.6 Configuring AAA Accounting Option
If no RADIUS accounting server is available, or communication with the RADIUS accounting server fails, and the aaa accounting optional command has been configured, the user can continue to use network resources and is not disconnected.

Perform the following task in global configuration mode.

Table SC-1-5 Configure AAA accounting option
Operation                            Command
Turn on accounting option switch     aaa accounting optional
Turn off accounting option switch    no aaa accounting optional

By default, the accounting option switch is off, i.e. accounting is compulsory: a user for whom accounting cannot be performed is disconnected. Turning the switch on keeps users connected through an accounting outage at the price of sessions for which no accounting record exists. When the method list none is configured, accounting is not required.
1.3.7 Configuring Local IP Address Pool
A local address pool is mainly used to assign IP addresses to users logging in over remote PPP. If the ending IP address is not given when the pool is defined, the pool contains only one IP address.

Perform the following task in global configuration mode.

Table SC-1-6 Configure local IP address pool
Operation                          Command
Configure local IP address pool    ip local pool pool-number low-ip-address [ high-ip-address ]
Cancel local IP address pool       no ip local pool pool-number

By default, no address pool is defined.

pool-number ranges from 0 to 99, i.e. at most 100 local IP address pools can be defined. The addresses in a pool must be consecutive, and each pool can hold at most 256 addresses.
1.3.8 Assigning IP Address for PPP User
A user dialling in over remote PPP obtains an address from the designated local address pool. For this to happen, the number of the address pool, or the specific address to be assigned, must be configured on the interface.

Perform the following task in interface configuration mode.

Table SC-1-7 Assign IP address for PPP user
Operation                        Command
Assign IP address for PPP user   peer default ip address { ip-address | pool [ pool-number ] }
Cancel IP address of PPP user    no peer default ip address

By default, pool-number is 0 (the PPP user is assigned an address from address pool 0).
1.3.9 Configuring Local User Database
When a user dials in, the lookup in the local database has one of the following outcomes:

- There is an entry for the user in the local database and the password matches, so the login is permitted.
- There is no entry for the user in the local database, but RADIUS server authentication is configured, so the user information is sent to the RADIUS server for authentication; a user who passes is logged in normally, otherwise the login is rejected.
- There is no entry for the user in the local database and RADIUS server authentication is not configured, so the login is denied.

The configuration tasks below for the local user database can be nested or combined: all attributes of a local user can be set in a single user command.

Perform the following task in global configuration mode.

I. Configure user and password
The user and the local authentication password can be configured in the local database.

Table SC-1-8 Configuration of ordinary user and password
Operation                        Command
Configure the user and password  user user-name [ password { 0 | 7 } password ]
Delete the user                  no user user-name

user-name is the user's name, a string of 1 to 32 characters (letters or digits). password is the user's password, a string of 1 to 16 characters (letters or digits).
II. Configure callback user
In the callback technique, the client (user side) first originates a call and requests a callback from the server. The server receives the call and decides whether to call back.

Callback enhances security: when processing a callback, the server calls the client at the number configured locally, so a leaked user name or password alone does not give access. The server can also classify incoming calls according to its configuration (refuse the call, accept the call without callback, or accept and call back), applying different restrictions to different clients and keeping the initiative over resource access when calls arrive.

Callback also has the following advantages:

- Saves communication charges (when the call rates in the two directions differ)
- Changes who bears the call charges
- Consolidates call charge records

Quidway series security devices support two forms of callback: ISDN caller-number authentication callback, and callback that involves PPP.

ISDN caller-number authentication callback involves no PPP: it simply checks whether the calling number matches the number configured on the server, so only the server side needs configuration and the client needs no modification.

Table SC-1-9 Configuration of callback user and the callback number
Operation                                            Command
Configure the callback user and the callback number  user user-name [ callback-dialstring telephone-number ]
Delete the callback user and the callback number     no user user-name

A RADIUS server can be configured with callback-number, which is equivalent to the locally defined callback-dialstring. If aaa authentication ppp default radius is configured, the locally configured callback-dialstring is ignored and the number passed to PPP is the callback-number set on the RADIUS server. If aaa authentication ppp default radius local is configured, local authentication is used only when the RADIUS server does not respond, and only then does the locally defined callback-dialstring take effect. If aaa authentication ppp default none is configured, the locally defined callback-dialstring has no effect.
III. Configure user with caller number
After users with caller numbers are configured, the calling numbers of incoming calls can be authenticated. At present only ISDN users can be configured as this type of user.

Table SC-1-10 Configure user with caller number
Operation                             Command
Configure a user with caller number   user user-name [ calling-station-id telephone-number ] [ :sub-calling-station-id telephone-number ]
Delete a user with caller number      no user user-name
IV. Configure FTP user and the usable directory
An FTP user and the FTP directory available to that user can be configured in the local database. This function is reserved for future extension.

Table SC-1-11 Configure FTP user and the usable directory
Operation                                        Command
Configure an FTP user and the usable directory   user user-name [ ftp-directory directory ]
Delete an FTP user and the usable directory      no user user-name
V. Authorize a user with usable service types
The services that a user may use can be authorized in the local database.

Table SC-1-12 Configure authorizing a user with usable service types
Operation                                           Command
Configure authorizing a user with usable services   user user-name [ service-type { [ exec ] [ ftp ] [ ppp ] } ]
Delete authorizing a user with usable services      no user user-name

By default, users are authorized to use the PPP service only; a local user who is to log in by Telnet or FTP therefore needs exec or ftp added explicitly.

exec refers to logging in to the router via Telnet or other means (Console port, AUX port, X.25 call) for configuration.
ftp refers to logging in to the router by file transfer and being granted the corresponding service.
ppp refers to the remote dial-in service granted to the user.

If the authentication method is radius, the service type must be defined on the RADIUS server, using the two Login-Service (attribute 15) values defined by Huawei:

Login-Service = 50: FTP
Login-Service = 51: EXEC
1.3.10 Configuring RADIUS Server
Perform the following task in global configuration mode.
I. Configure IP address, authentication port number and accounting port number of the server host
At most 3 RADIUS servers can be configured.

RADIUS selects the authentication and accounting server by the following rules:

- Servers are used in the order in which they were configured: first configured, first used.
- When the server in use does not respond, the following servers are tried in order.
- When the authentication or accounting port number is configured as 0, the client does not use the authentication or accounting function of that server.

Table SC-1-13 Configure IP address, authentication port number and accounting port number of the server host
Operation                                                                                   Command
Configure IP address (or host name), authentication port number and accounting port number  radius-server host { hostname | ip-address } [ auth-port port-number ] [ acct-port port-number ]
Cancel the RADIUS server with the designated host address or host name                      no radius-server host { hostname | ip-address }

The default authentication port number is 1812; when configured as 0, the server is not used as an authentication server. The default accounting port number is 1813; when configured as 0, the server is not used as an accounting server. Configuring a server by host name makes authentication depend on name resolution; an IP address avoids that dependency.
II. Configure RADIUS server shared secret
The shared secret is used to hide the user password in the authentication request and to generate the Response Authenticator. When RADIUS sends authentication messages, sensitive fields such as the password are covered by an MD5 keystream derived from the secret, so the authentication information is protected in transit; the Response Authenticator, also an MD5 digest over the reply and the secret, lets the router check that a response really comes from a server that knows the secret. For this mutual check to work, the secret configured on the router must be identical to the one configured on the RADIUS server.

Table SC-1-14 Configure RADIUS server shared secret
Operation                                   Command
Configure shared secret of RADIUS server    radius-server key string
Delete shared secret of RADIUS server       no radius-server key

Everything in the exchange except the password (user name, the router's identity, the attributes of the reply) travels in clear text, and the protection of the password and of the reply rests entirely on the secret, so choose a long random string and keep RADIUS traffic on a management network rather than a user-reachable one.
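The two uses of the shared secret described above are defined in RFC 2865: the User-Password attribute is hidden with an MD5 keystream chained from the Request Authenticator, and the Response Authenticator is MD5 over the reply header, the Request Authenticator, the reply attributes and the secret. The following Python example is added here for illustration and is not part of the guide or of VRP; the secret, the packet identifier and the fixed Request Authenticator are constructed values (a real client draws the Request Authenticator at random, as access_request does when none is supplied).

```python
"""RFC 2865 use of the RADIUS shared secret (added example, not VRP code).

Shows the two things the guide says the secret is used for:
  1. hiding the User-Password attribute in an Access-Request, and
  2. computing / checking the Response Authenticator of the server's reply.
Both are MD5-based. All secrets and identifiers here are constructed test data.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, c_i = p_i XOR MD5(S + c_{i-1}), c_0 = RA."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: inverse of hide_password, with the NUL padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the 2-byte attribute header."""
    return bytes([attr_type, len(value) + 2]) + value


def packet(code, identifier, authenticator, attrs):
    """RADIUS header followed by the attribute bytes."""
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs


def access_request(identifier, user, password, secret, request_auth=None):
    """Client (router) side. Returns (packet, request_auth); RA must be unpredictable."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, user) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(identifier, request_auth, secret, attrs=b""):
    """Server side: a reply whose authenticator binds it to the request and the secret."""
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attrs, secret)
    return packet(ACCESS_ACCEPT, identifier, auth, attrs)


def verify_response(reply, request_auth, secret):
    """Client side check: a reply forged without the secret, answered to a
    different request, or altered in transit fails here."""
    if len(reply) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    attrs = reply[HEADER_LEN:]
    expected = response_authenticator(code, identifier, request_auth, attrs, secret)
    return hmac.compare_digest(reply[4:HEADER_LEN], expected)
```

Two things the code makes visible that the prose does not: the password hiding is a reversible XOR against an MD5 keystream, so anyone who captures an Access-Request and can guess the secret offline recovers the password, and the reply check only binds the reply to a request whose Request Authenticator the router still remembers, which is why that value must be random and kept per outstanding request.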
III. Configure the time interval at which the request packet is re-sent before a RADIUS server is declared failed
To determine whether a RADIUS server has failed, the router sends the authentication request periodically. A timeout timer is therefore set, and the authentication request is sent again when the timer expires.

Table SC-1-15 Configure the time interval at which the request packet is re-sent before the RADIUS server is declared failed
Operation                                                                       Command
Configure the time interval at which the authentication request packet is sent  radius-server timeout seconds
Restore the default time interval                                               no radius-server timeout

By default, the timeout interval is 10 seconds; the range is 1 to 65535 seconds.
IV. Configure the request retransmission times before the RADIUS server is judged failed

To judge whether a RADIUS server has failed, the system sends the authentication request packet and, if no response is received within the configured timeout, retransmits it. The user can set the maximum number of retransmissions; when the number of retransmissions exceeds it, the system considers that the server has failed and marks it "dead".
Table SC-1-16 Configure the times of request retransmission before the RADIUS server is judged failed
Operation   Command
Configure the times of request retransmission before the RADIUS server is judged failed
  radius-server retransmit retries
Restore the default value of the times of request retransmission
  no radius-server retransmit

By default, the number of retransmissions is 3; the range is 1-255.
V. Configure the time interval at which the inquiry packet is sent after the RADIUS server breaks down

After the first RADIUS server breaks down (for example, a line failure between the NAS and the server, or a failure of the RADIUS process on the server), the system marks this server "dead" and, instead of sending requests to it, uses the next configured server. At the configured interval the system queries whether the dead server can work normally again. If it is found to work normally it is used again; in particular, once the currently used server breaks down, the system automatically returns to the first one.

Table SC-1-17 Configure the time interval at which the inquiry packet is sent after the RADIUS server breaks down
Operation   Command
Configure the time interval at which the inquiry packet is sent after the RADIUS server breaks down
  radius-server dead-time minutes
Restore the default value of the time interval at which the inquiry packet is sent
  no radius-server dead-time

By default, the inquiry packet is sent at an interval of 5 minutes after the RADIUS server fails; the range is 1-255 minutes.
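The timeout, retransmit and dead-time settings together decide how long a user waits when a server is down, which is what an operator usually wants to know before picking values. The following Python is an added model of that behaviour, not VRP code; it assumes, as the editor's reading of the text above, that a server gets 1 + retransmit sends before it is marked dead and that a dead server is skipped until dead-time has elapsed. The server addresses and timings reuse Case 1 from section 1.5 (timeout 5, retransmit 2, default dead-time); reachability of each server is constructed.

```python
"""Simulated timing of the radius-server timeout / retransmit / dead-time knobs
(added example, not VRP code). Assumption: a server gets 1 + retransmit sends
before it is marked dead, and a dead server is skipped until dead-time elapses."""
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    address: str
    reachable: bool            # constructed: does this server answer at all?
    dead_until: float = 0.0    # simulated-clock time when it may be tried again


@dataclass
class RadiusClient:
    servers: list              # in radius-server host configuration order
    timeout: float = 10.0      # seconds per send (radius-server timeout)
    retransmit: int = 3        # resends after the first send (radius-server retransmit)
    dead_time: float = 5.0     # minutes a failed server is skipped (radius-server dead-time)
    clock: float = 0.0         # simulated wall clock in seconds
    log: list = field(default_factory=list)

    def authenticate(self):
        """Return (address of the server that answered or None, seconds the user
        waited). Servers are tried in order, skipping those still marked dead."""
        start = self.clock
        for srv in self.servers:
            if srv.dead_until > self.clock:
                self.log.append(f"t={self.clock:.0f}s skip {srv.address} (dead)")
                continue
            for send in range(1 + self.retransmit):
                if srv.reachable:
                    self.log.append(f"t={self.clock:.0f}s {srv.address} answered send {send + 1}")
                    return srv.address, self.clock - start
                self.clock += self.timeout          # no reply within timeout: resend
            srv.dead_until = self.clock + self.dead_time * 60
            self.log.append(f"t={self.clock:.0f}s mark {srv.address} dead {self.dead_time:.0f} min")
        return None, self.clock - start

    def reconfigure_host(self, address):
        """Effect of 'no radius-server host X' followed by 'radius-server host X'
        as described in section 1.6: the dead marker is dropped immediately."""
        for srv in self.servers:
            if srv.address == address:
                srv.dead_until = 0.0


def case1_scenario():
    """Case 1 settings (timeout 5, retransmit 2, default dead-time 5 min) with the
    first server down at the start. Returns the (server, wait) of three logins."""
    primary = RadiusServer("129.7.66.66", reachable=False)
    secondary = RadiusServer("129.7.66.67", reachable=True)
    client = RadiusClient([primary, secondary], timeout=5, retransmit=2, dead_time=5)
    results = [client.authenticate()]      # 3 sends x 5 s on the primary, then secondary
    results.append(client.authenticate())  # primary still marked dead: no extra wait
    primary.reachable = True               # the primary recovers ...
    client.clock += 5 * 60                 # ... and dead-time elapses
    results.append(client.authenticate())  # the primary is probed and used again
    return results


def reconfigure_scenario():
    """Same setup, but the operator reactivates the recovered primary at once."""
    primary = RadiusServer("129.7.66.66", reachable=False)
    secondary = RadiusServer("129.7.66.67", reachable=True)
    client = RadiusClient([primary, secondary], timeout=5, retransmit=2, dead_time=5)
    client.authenticate()                  # marks the primary dead
    primary.reachable = True
    before = client.authenticate()         # still marked dead: goes to the secondary
    client.reconfigure_host("129.7.66.66")
    after = client.authenticate()
    return before, after
```

With Case 1 values the first login after the primary dies waits 3 sends x 5 s = 15 s before the secondary answers; later logins within the 5-minute dead-time go straight to the secondary; with both servers down a user waits 30 s before the request is given up, which is the figure to weigh against `aaa authentication ... local` or `none` fallbacks.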
VI. Configure the time interval at which the real-time accounting packet is sent to the RADIUS server

After a user passes authentication, the NAS sends the user's real-time accounting information to the RADIUS server at a fixed interval. If a real-time accounting request fails, the user is handled according to the configuration of the command aaa accounting optional: if the command has been configured, the user can continue to use the network services; otherwise, the NAS disconnects the user.

Usually the NAS sends accounting packets only at the access time and the disconnection time (accounting start and stop). For higher reliability, the interval at which interim real-time accounting packets are sent to the RADIUS server can be configured as well.

Table SC-1-18 Configure the time interval at which the real-time accounting packet is sent to the RADIUS server
Operation   Command
Configure the time interval at which the real-time accounting packet is sent to the RADIUS server
  radius-server realtime-acct-timeout minutes
Restore the default value of the time interval at which the real-time accounting packet is sent
  no radius-server realtime-acct-timeout
By default, the interval is 0, which means that real-time accounting is disabled. The command takes the interval in minutes; the range is 0-32767.
1.4 Monitoring and maintenance of AAA and RADIUS
Please use the following commands to perform monitoring and maintenance in the privileged user mode.
Table SC-1-19 Monitoring and maintenance of AAA and RADIUS
Operation Command
Show status of dial-in users show aaa user
View local user database show user
Enable RADIUS event debugging debug radius event
Enable RADIUS message debugging debug radius packet
Enable RADIUS primitive debugging   debug radius primitive
1) Show status of dial-in users
Quidway#show aaa user
UserName     UserID  UserType  IPAddress      AccountingTime  CallingNumber
liusongtao   2       PPP       10.110.10.100  00:48:10        1234567
Total User: 1
The above information shows user name, user ID, user type, user IP address, user
accounting time and user calling number.
2) View local user database
Quidway#show user
No.  username  logintimes  failed times
------------------------------------------------------
1    huawei    325         12
The information above shows the username, the number of successful authentications with that username, and the number of failed authentications caused by a wrong password.
1.5 Examples of the Typical Configuration of AAA and RADIUS
1.5.1 Access User Authentication Case 1
I. Networking requirements
RADIUS server is used for authentication. 129.7.66.66 acts as the first authentication
and accounting server, and 129.7.66.67 as the second authentication and accounting
server, both using default authentication port number 1812 and default accounting portnumber 1813.
II. Networking diagram
Figure SC-1-1 Networking diagram of typical AAA and RADIUS configuration
III. Configuration procedure
1) Enable AAA and configure default authentication method list of PPP user.
Quidway (config)#aaa-enable
Quidway (config)#aaa authentication ppp default radius
2) Configure IP address and port of RADIUS server.
Quidway (config)#radius-server host 129.7.66.66
Quidway (config)#radius-server host 129.7.66.67
3) Configure the RADIUS server shared secret, retransmission times, accounting option and timeout
Quidway (config)#radius-server key this-is-my-secret
Quidway (config)#radius-server retransmit 2
Quidway (config)# aaa accounting optional
Quidway (config)#radius-server timeout 5
1.5.2 Access User Authentication Case 2
I. Networking requirements
129.7.66.66 acts as the first authentication and accounting server, port numbers being
1000 and 1001 respectively.
129.7.66.67 acts as the second authentication and accounting server, port numbersbeing 1812 and 1813 respectively.
First use the local database for authentication, and if there is no response, use RADIUS
server.
Charge all users in real time. The real-time accounting packet is sent at the interval of 5
minutes.
II. Networking diagram
Same as the diagram in the above case
III. Configuration procedure
1) Enable AAA and configure default authentication method list of PPP user.
Quidway (config)#aaa-enable
Quidway (config)#aaa authentication ppp default radius
2) Configure local-first authentication
Quidway (config)#aaa authentication local-first
3) Configure RADIUS server
Quidway (config)#radius-server host 129.7.66.66 auth-port 1000 acct-port 1001
Quidway (config)#radius-server host 129.7.66.67
4) Configure RADIUS server shared secret, retransmission times, and time length of timeout timer
Quidway (config)#radius-server key this-is-my-secret
Quidway (config)#radius-server retransmit 2
5) Configure real-time accounting with interval of 5 minutes
Quidway (config)#radius-server realtime-acct-timeout 5
1.5.3 Authentication of FTP User
I. Networking requirements
The authentication server is 129.7.66.66, numbers of ports being 1812 and 1813.
Authenticate and charge FTP users using the RADIUS server first, and if there is no response, do not authenticate or charge them. Note that with the none fallback any user is admitted while the RADIUS server does not respond, so use this only where that is acceptable.
II. Networking diagram
Same as the diagram in the above case
III. Configuration procedure
1) Enable AAA and configure default authentication method list of FTP user.
Quidway (config)#aaa-enable
Quidway (config)#aaa authentication login default radius none
2) Configure RADIUS server IP address and port, using default port number
Quidway (config)#radius-server host 129.7.66.66
3) Configure RADIUS server shared secret, retransmission times, timeout and
RADIUS server dead time.
Quidway (config)#radius-server key this-is-my-secret
Quidway (config)#radius-server retransmit 4
Quidway(config)#radius-server timeout 2
Quidway (config)#radius-server dead-time 1
4) Enable FTP server
Quidway(config)#ftp-server enable
1.6 Fault Diagnosis and Troubleshooting of AAA and RADIUS
Problem 1: Local user authentication is always rejected
Troubleshooting: please follow the steps below.
• Check whether the correct password has been configured in the user command.
• Check whether the authorized service-type is correct.
• When RADIUS server accounting is used and the command aaa accounting optional is not configured, check whether the RADIUS server can be pinged, and whether the address, port number and key of the RADIUS server configured on the router for accounting are identical with those on the RADIUS server in use. Without aaa accounting optional, a failed accounting start causes the login to be rejected even though authentication succeeded.

If the operations above do not help, use the radius-server host command to reconfigure the RADIUS server. Because of the earlier communication failure, the system considers the RADIUS server unavailable, and as the radius-server dead-time command has not been configured (default 5 minutes), or a relatively long dead-time has been configured, the system does not know that the server has recovered. Use the no radius-server host command to delete the original RADIUS server and reconfigure it with the radius-server host command to activate the server immediately.

If none of the above works, check whether the RADIUS server has been configured correctly and whether the modification has been activated.
Problem 2: User's RADIUS authentication is always rejected
Troubleshooting: please follow the steps below.
• Check whether the Huawei vendor-specific attributes have been added to the attribute dictionary of the RADIUS server.
• Check whether the user name, password and service type are set correctly on the RADIUS server.
• Check whether the RADIUS server can be pinged, and whether the address, port number and key of the RADIUS server configured on the router are identical with those of the RADIUS server in use.
• Use the radius-server host command to reconfigure the RADIUS server. Because of the communication failure with the server, the system may consider the RADIUS server unavailable, and as the radius-server dead-time command has not been configured (default 5 minutes), or a relatively long dead-time has been configured, the system does not know that the server has recovered. Use the no radius-server host command to delete the original RADIUS server and reconfigure it with the radius-server host command to activate the server immediately.
• Check whether the RADIUS server has been configured correctly, and whether the modification just made has been activated.
Problem 3: A connected user can not be seen in show aaa user
Troubleshooting: please follow the steps below.
• Check whether AAA has been enabled.
• Check whether the authentication methods contain "none", because users authenticated by the none method are not displayed by the command show aaa user.
Problem 4: No authentication is configured, yet users are still authenticated
AAA has been enabled, and the default authentication method in AAA default
authentication method list is "local". To disable authentication, aaa authentication ppp default none must be configured. Note that no aaa authentication ppp default cannot delete the default method list; it only restores local authentication.
Chapter 2 Configuration of Terminal Access
Security
2.1 Terminal Access Security
2.1.1 Classification of Terminal Access Users
Quidway series routers adopt cascade protection for the command line interface, and divide terminal access users into two types:
• Ordinary users
• Privileged users
An ordinary user can only view some simple running information of routers, but a
privileged user can not only view all the running information of a router, but alsoconfigure and debug the routers. Password is not necessary for ordinary users toaccess a router, but it is necessary for privileged users.
2.1.2 Configuring EXEC Login Authentication
All users accessing a router through various terminal means are called EXEC users.
Quidway series routers divide EXEC users into five types: asynchronous port terminal users, X.25 PAD calling users, console port users, dumb terminal access users and Telnet terminal users.

Quidway series routers now support command line interpreter access from the following kinds of terminals:
• Accessing routers via remote X.25 PAD calling users
• Accessing routers via the asynchronous dialing port (working in interactive mode)
• Accessing routers via the local console port
• Accessing routers via dumb terminal access mode
• Accessing routers via a local/remote Telnet terminal
Please perform the following tasks in the global configuration mode.
Table SC-2-1 Configure EXEC login authentication
Operation Command
Configure login authentication of EXEC from asynchronous port login async
Cancel login authentication of EXEC from asynchronous port no login async
Configure login authentication of EXEC from Console port login con
Cancel login authentication of EXEC from Console port no login con
Configure EXEC login authentication to dumb terminal access server user login hwtty
Cancel EXEC login authentication to dumb terminal access server user no login hwtty
Configure login authentication for remote X.25 PAD calling users   login pad
Cancel login authentication for remote X.25 PAD calling users   no login pad
Configure login authentication of EXEC via telnet login telnet
Cancel login authentication of EXEC via telnet no login telnet
2.1.3 Security Features Provided by Command Line Interfaces for Terminal Users

The command line interface provides the following features for terminal users:
• A terminal user logs in to a router as an ordinary user by default. To become a privileged user who can configure and manage the router, the enable command must be executed in ordinary user mode and the correct privileged user password must be entered.
• For security, the privileged user password is not displayed on the terminal screen as it is typed.
• If an illegal user attempts different passwords again and again, the access is disconnected automatically after the wrong password has been entered three times.
• If a terminal user makes no keyboard input within 10 minutes, the access is disconnected automatically (for console port terminal users, this time limit is 3 minutes). When a privileged user is away from a terminal for a long time, it is recommended to exit to the ordinary user mode or disconnect from the router, so as to avoid illegal access to the router.
Table SC-2-2 Related operation of a privileged user
Operation Command
Privileged user password authentication enable
Exit from terminal user connection exit
Return from the privileged user mode to the ordinary user mode disable
Privileged user entering configuration mode configure
Disconnect the user upon timeout when nothing is input   exec-timeout
Disable the disconnection of the user when nothing is input   no exec-timeout
2.1.4 Modifying Privileged User Password
No privileged user password is set on a router at delivery, so when the router is powered on for the first time, use the command enable password to set the privileged user password.
Table SC-2-3 Modify privileged user password
Operation Command
Modify privileged user password enable password password
2.2 Typical Configuration of EXEC
2.2.1 Configuring EXEC Login Authentication from CONSOLE Port
1) Enable AAA
Quidway (config)#aaa-enable
2) Configure the login authentication of entering EXEC from Console port
Quidway (config)#login con
3) Configure the local authentication user name and password of EXEC user type.
Quidway (config)#user abc service-type exec password 0 hello
4) Configure the default authentication method list of EXEC users
Quidway (config)#aaa authentication login default radius local
5) Configure the RADIUS server and the shared secret
Quidway (config)#radius-server host 172.17.0.30 auth-port 1645 acct-port 1646
Quidway (config)#radius-server key quidway
In this example, the user name is abc, the password is hello. The user is first
authenticated by RADIUS server, then local authentication is used when the former authentication can not be carried out normally. When logging in the router connected
via the Console port, only the user whose user name is abc and password is hello canlog in successfully, otherwise, access to the router will be denied.
2.2.2 Configuring EXEC Login Authentication via Telnet
1) Enable AAA
Quidway (config)#aaa-enable
2) Configure the login authentication of entering EXEC via Telnet port
Quidway (config)#login telnet
3) Configure the local authentication user name and password of EXEC user type.
Quidway (config)#user abc service-type exec password 0 hello
4) Configure the authentication method list of EXEC users
Quidway (config)#aaa authentication login default local
In this example, the user name is abc, the password is hello. Local authentication is
conducted directly and only users passing the local authentication can log insuccessfully. Otherwise, access to the router will be denied.
Chapter 3 Configuration of Firewall
3.1 Brief Introduction to Firewall
3.1.1 About Firewall
I. What is firewall
A firewall controls which network devices may access internal network resources. It is located at the access point of the network; if a network has multiple access points, each of them should be configured with a firewall for effective network access control. A firewall is usually located between the internal network and an external network (such as the Internet). After a firewall is placed between the network and the Internet, all traffic from the Internet must pass the firewall before entering the network.

A firewall is used not only at the connection to the Internet but also to control access to special parts of the internal network, such as protecting mainframes and important resources (such as data) in the network. Access to the protected data must be filtered through the firewall, even if the access comes from inside.

A firewall basically functions to monitor and filter traffic. It can be simple or sophisticated, depending on the network requirement. A simple firewall is easy to configure and manage, but users may need sophisticated and flexible firewalls. At present, many firewalls also have other characteristics, for example identifying the user and protecting information cryptographically (encryption).

After Quidway series routers are configured with firewall features, the routers become a strong and effective firewall.
Figure SC-3-1 A firewall isolates the internal network from the Internet (diagram: PCs and a server on an Ethernet segment, the firewall router, and the Internet)
II. Classification of firewalls

Usually firewalls are divided into two types: network layer firewalls and application layer firewalls. A network layer firewall mainly uses packet header information, such as the protocol number, source address, destination address and destination port, or works directly on the header data. An application layer firewall analyzes the whole information stream.

Commonly used firewalls include the following:
• Application gateway: checks the application layer data of all packets passing through the gateway. For example, an FTP application gateway acts as the FTP server towards the connected client and as an FTP client towards the real server. All FTP packets on the connection must pass through this FTP application gateway.
• Packet filtering: filters each packet using user-defined items, for example by checking whether the source address and destination address of a packet meet the rules. Packet filtering does not track connection state, nor does it analyze the payload. If packets with port 21 or a port greater than or equal to 1024 are allowed to pass, then any packet whose port meets that condition passes the firewall. With rules configured carefully, many packets carrying hidden security risks can be filtered out at this layer.
• Proxy: normally refers to address proxying on a proxy server or a router. It replaces the IP address and port of a host inside the network with the IP address and port of the server or router. For example, the intranet of an enterprise uses the 129.0.0.0 network segment, and its official external IP addresses are 202.38.160.2-202.38.160.6. When the internal host 129.9.10.100 accesses an external WWW server, its IP address and port may become 202.38.160.2:6080 after passing through the proxy server. The proxy server maintains an address mapping table; when the external WWW server returns the result, the proxy server converts this IP address and port back into the internal IP address and port. All access between external hosts and the internal network thus goes through the proxy server, so access to internal devices holding important resources can be controlled.
III. Firewall features provided by VRP

With VRP firewall features a router can be configured as:
• An Internet firewall or partial Internet firewall
• A firewall between groups in the internal network
• A firewall providing a secure connection with subsidiary departments

A firewall between the intranet of a company and the network of its partner also has the following advantages:
• Protects the internal network
• Monitors communication flow around the network
• Permits dealing on the network via WWW (World Wide Web)

The VRP firewall is mainly applied for packet filtering and address translation. Please see "Network Protocol Configuration", chapter "IP Address Configuration", in this manual for the configuration of address translation.
3.1.2 Packet Filtering
Usually, packet filtering refers to filtering of the IP packets being forwarded. For a packet that needs to be forwarded by a router, the header information is obtained first, including the number of the upper layer protocol carried by the IP layer and the packet's source/destination address and source/destination port; then this information is compared with the configured rules, and finally, according to the comparison result, it is decided whether to forward or discard the packet.

Packet filtering (for IP packets) judges on the following elements (in the figure, the upper layer protocol carried by IP is TCP), as shown in the figure below.

Figure SC-3-2 Packet filtering schematic diagram
The following can be realized by packet filtering:
• Prohibit logging on with Telnet from outside.
• Every e-mail is sent via SMTP (Simple Mail Transfer Protocol).
• One PC, rather than all other PCs, can send news to us via NNTP (Network News Transfer Protocol).
Packet filtering of Quidway series security equipment features the following:
1) Based on access-lists (Access Control Lists, ACLs): ACLs are applied not only in packet filtering but also in other features where data streams need to be classified, such as address translation and IPSec.
• Support standard and extended ACLs: set a simple address range with a standard ACL, or set the specific protocol, source address range, destination address range, source port range, destination port range, priority and service type with an extended ACL.
• Support time segments: make an ACL effective in a specific period of time, such as 8:00-2:00 every Monday, or as specific as from one year/month/day to another year/month/day.
2) Support ACL automatic sorting: you can select sorting for ACLs of a specific category to simplify the configuration and facilitate maintenance.
3) It can be as specific as indicating the input/output direction: for example, one packet filtering rule can be applied in the output direction of the interface connected to the WAN and another packet filtering rule in the input direction.
4) Support interface based filtering: forwarding of packets from a specific interface, in a specific direction of an interface, can be prohibited or permitted.
5) Support creating a log for packets meeting a condition: record the related information of the packet, and provide a mechanism to guarantee that excessive resources are not consumed when a large number of logs are triggered in the same way.
3.1.3 Access Control List
To filter data packet, some rules need to be configured.
The access control list is generally employed to configure the rules to filter data packet,
and the types of access control lists are as follows:
l Standard access control list
l Extended access control list
I. Standard access control list
access-list [ normal | special ] access-list-number { deny | permit } { any | source-addr [ source-wildcard-mask ] }
II. Extended access control list
access-list [ normal | special ] access-list-number { deny | permit } protocol { any |
source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ log ]
protocol is the type of the protocol carried by IP in the form of name or number. The
range of number is from 0 to 255, and the range of name is icmp, igmp, ip, tcp, udp, greand ospf.
Depending on the protocol, the command also takes the following forms.
1) Command format when the protocol is ICMP:
access-list [ normal | special ] access-list-number { deny | permit } icmp { any
| source-addr source-wildcard-mask } { any | destination-addr destination-
wildcard-mask } [ icmp-type [ icmp-code ] ] [ log ]
2) Command format when the protocol is IGMP:
access-list [ normal | special ] access-list-number { deny | permit } igmp { any
| source-addr source-wildcard-mask } { any | destination-addr destination-
wildcard-mask } [ log ]
3) Command format when the protocol is IP:
access-list [ normal | special ] access-list-number { deny | permit } ip { any |
source-addr source-wildcard-mask } { any | destination-addr destination-
wildcard-mask } [ log ]
4) Command format when the protocol is GRE:
access-list [ normal | special ] access-list-number { deny | permit } gre { any |
source-addr source-wildcard-mask } { any | destination-addr destination-
wildcard-mask } [ log ]
5) Command format when the protocol is OSPF:
access-list [ normal | special ] access-list-number { deny | permit }ospf { any
| source-addr source-wildcard-mask } { any | destination-addr destination-
wildcard-mask } [ log ]
6) Command format when the protocol is TCP:
access-list [ normal | special ] access-list-number { deny | permit } tcp { any | source-addr source-wildcard-mask } [ operator port-number ] { any | destination-addr destination-wildcard-mask } [ operator port-number ] [ log ]

7) Command format when the protocol is UDP:

access-list [ normal | special ] access-list-number { deny | permit } udp { any | source-addr source-wildcard-mask } [ operator port-number ] { any | destination-addr destination-wildcard-mask } [ operator port-number ] [ log ]
Only the TCP and UDP protocols require specifying the port range. Listed below are the supported operators and their syntax.

Table SC-3-1 Operators of the extended access control list
Operator and Syntax   Meaning
eq portnumber   Equal to portnumber
gt portnumber   Greater than portnumber
lt portnumber   Less than portnumber
neq portnumber   Not equal to portnumber
range portnumber1 portnumber2   Between portnumber1 and portnumber2

In specifying the portnumber, the following mnemonic symbols may be used to stand for the actual value.
Table SC-3-2 Mnemonic symbols of the port number
Protocol   Mnemonic Symbol   Meaning and Actual Value

TCP
bgp   Border Gateway Protocol (179)
chargen   Character generator (19)
cmd   Remote commands (rcmd, 514)
daytime   Daytime (13)
discard   Discard (9)
domain   Domain Name Service (53)
echo   Echo (7)
exec   Exec (rsh, 512)
finger   Finger (79)
ftp   File Transfer Protocol (21)
ftp-data   FTP data connections (20)
gopher   Gopher (70)
hostname   NIC hostname server (101)
irc   Internet Relay Chat (194)
klogin   Kerberos login (543)
kshell   Kerberos shell (544)
login   Login (rlogin, 513)
lpd   Printer service (515)
nntp   Network News Transport Protocol (119)
pop2   Post Office Protocol v2 (109)
pop3   Post Office Protocol v3 (110)
smtp   Simple Mail Transport Protocol (25)
sunrpc   Sun Remote Procedure Call (111)
syslog   Syslog (514)
tacacs   TAC Access Control System (49)
talk   Talk (517)
telnet   Telnet (23)
time   Time (37)
uucp   Unix-to-Unix Copy Program (540)
whois   Nicname (43)
www   World Wide Web (HTTP, 80)

UDP
biff   Mail notify (512)
bootpc   Bootstrap Protocol Client (68)
bootps   Bootstrap Protocol Server (67)
discard   Discard (9)
dns   Domain Name Service (53)
dnsix   DNSIX Security Attribute Token Map (90)
echo   Echo (7)
mobilip-ag   MobileIP-Agent (434)
mobilip-mn   MobileIP-MN (435)
nameserver   Host Name Server (42)
netbios-dgm   NETBIOS Datagram Service (138)
netbios-ns   NETBIOS Name Service (137)
netbios-ssn   NETBIOS Session Service (139)
ntp   Network Time Protocol (123)
rip   Routing Information Protocol (520)
snmp   SNMP (161)
snmptrap   SNMPTRAP (162)
sunrpc   SUN Remote Procedure Call (111)
syslog   Syslog (514)
tacacs-ds   TACACS-Database Service (65)
talk   Talk (517)
tftp   Trivial File Transfer (69)
time   Time (37)
who   Who (513)
xdmcp   X Display Manager Control Protocol (177)
For the icmp protocol, the rule may additionally specify an ICMP message type; if no type is given, the rule matches all ICMP packets. The type can be given as a number (0 to 255) or as one of the mnemonic symbols in Table SC-3-3.
Table SC-3-3 Mnemonic symbols of the ICMP message type
Mnemonic Symbol        ICMP Type and Code
echo                   Type=8,  Code=0
echo-reply             Type=0,  Code=0
fragmentneed-DFset     Type=3,  Code=4
host-redirect          Type=5,  Code=1
host-tos-redirect      Type=5,  Code=3
host-unreachable       Type=3,  Code=1
information-reply      Type=16, Code=0
information-request    Type=15, Code=0
net-redirect           Type=5,  Code=0
net-tos-redirect       Type=5,  Code=2
net-unreachable        Type=3,  Code=0
parameter-problem      Type=12, Code=0
port-unreachable       Type=3,  Code=3
protocol-unreachable   Type=3,  Code=2
reassembly-timeout     Type=11, Code=1
source-quench          Type=4,  Code=0
source-route-failed    Type=3,  Code=5
timestamp-reply        Type=14, Code=0
timestamp-request      Type=13, Code=0
ttl-exceeded           Type=11, Code=0
By enabling the firewall and adding suitable access rules, the user applies packet filtering to the IP packets that are to pass through the router and drops those that are not expected to pass. In this way packet filtering helps to protect the security of the network.
3. Configure the match sequence of access control list
An access control list can consist of several permit/deny statements, each covering a different range of packets. Because a packet may match more than one statement, the order in which the statements are compared against a packet must be defined.
At most 100 rules can be configured under one access-list-number (100 in the normal timerange and a further 100 in the special timerange). When several rules conflict, the system orders them according to the following principle:
l Several rules may share the same serial number. If two rules with the same serial number conflict, the "depth-first principle" is applied to the source address and wildcard mask, the destination address and wildcard mask, the protocol number and the port number to decide which rule is compared first.
l If the ranges defined by two rules are identical, they are ordered by the time of definition: the rule defined earlier is chosen.
The "depth-first principle" places the rule that covers the smallest set of packets first. The set size is judged from the address wildcard masks: the smaller the wildcard, the fewer hosts the rule covers. For example, 129.102.1.1 0.0.0.0 specifies a single host (129.102.1.1), while 129.102.1.1 0.0.255.255 specifies a network segment (every address from 129.102.0.0 to 129.102.255.255), so the former is placed ahead of the latter in the access control list.
The specific ordering rules are the following:
For standard access control rules, the wildcards of the source addresses are compared directly; rules with the same wildcard are ordered by configuration sequence.
For access control rules based on interface filtering, rules configured with "any" are placed last and the remaining rules are ordered by configuration sequence.
For extended access control rules, the wildcards of the source addresses are compared first. If they are the same, the wildcards of the destination addresses are compared. If these are also the same, the port-number ranges are compared and the rule with the smaller range is placed first. If the port numbers are also the same, the rules are ordered by the user's configuration sequence.
The command show access-list access-list-number displays the order in which the system evaluates the access rules; the rule listed first is matched first. Check this output after adding rules, because the evaluated order can differ from the order in which the rules were entered.
3.2 Configuring Firewall
3.2.1 Firewall Configuration Task List
Firewall configuration task list is as follows:
l Enable/disable firewall
l Configure standard access list
l Configure extended access list
l Configure the match sequence of access control list
l Set default firewall filtering mode
l Set special time range
l Configure rules for applying access control list on interface
l Specify logging host
3.2.2 Enabling/Disabling Firewall
The firewall must be enabled before any packet filtering takes place; the other configurations in this chapter take effect only while it is enabled.
Perform the following tasks in global configuration mode.
Table SC-3-4 Enable/Disable firewall
Operation          Command
Enable firewall    firewall enable
Disable firewall   firewall disable
By default, the firewall is disabled.
3.2.3 Configuring Standard Access Control List
The number of a standard access control list is an integer from 1 to 99. Before configuring the rules of a list, configure its match sequence, then configure the individual access rules. If no match order is configured, auto mode is used.
Perform the following tasks in global configuration mode.
Table SC-3-5 Configure standard access control list
Operation                       Command
Configure standard access list  access-list [ normal | special ] access-list-number { deny | permit } { any | source-addr [ source-wildcard-mask ] }
Delete standard access list     no access-list [ normal | special ] { all | access-list-number [ subitem ] }
normal indicates that the rule applies within the normal time range; special indicates that it applies within the special time range. When special is used, the special time range must also be defined (see 3.2.7). Rules with the same sequence number are matched according to the depth-first principle.
By default, normal is used.
3.2.4 Configuring Extended Access Control List
The number of an extended access control list is an integer from 100 to 199. Before configuring the rules of a list, configure its match sequence, then configure the individual access rules. If no match order is configured, auto mode is used.
Perform the following tasks in global configuration mode.
Table SC-3-6 Configure extended access control list
Operation                                                    Command
Configure extended access control list of TCP/UDP protocol   access-list [ normal | special ] access-list-number { deny | permit } { tcp | udp } { any | source-addr source-wildcard-mask } [ operator port-number ] { any | destination-addr destination-wildcard-mask } [ operator port-number ] [ log ]
Configure extended access control list of ICMP protocol      access-list [ normal | special ] access-list-number { deny | permit } icmp { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ icmp-type [ icmp-code ] ] [ log ]
Configure extended access control list of other protocols    access-list [ normal | special ] access-list-number { deny | permit } protocol { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask } [ log ]
Delete extended access list                                  no access-list [ normal | special ] { all | access-list-number [ subitem ] }
In the TCP/UDP form, the operator port-number pair that follows the source address restricts the source port and the pair that follows the destination address restricts the destination port.
normal indicates that the rule applies within the normal time range; special indicates that it applies within the special time range. When special is used, the special time range must also be defined (see 3.2.7). Rules with the same sequence number are matched according to the depth-first principle.
By default, normal is used.
3.2.5 Configuring the match sequence of access control list
Perform the following tasks in global configuration mode.
Table SC-3-7 Configure the match sequence of access control list
Operation                                            Command
Configure the match sequence of access control list  access-list [ normal | special ] access-list-number sort [ auto | manual ]
By default, auto mode is adopted to match the access control list.
3.2.6 Setting Default Firewall Filtering Mode
The default firewall filtering mode decides what happens to a packet that no access rule matches: the mode set by the user determines whether such a packet is permitted or denied.
Perform the following tasks in global configuration mode.
Table SC-3-8 Set default firewall filtering mode
Operation                                                         Command
Set the default firewall filtering mode as packet pass permitted  firewall default permit
Set the default firewall filtering mode as packet pass denied     firewall default deny
By default, the filtering mode is permit. Note that with this default an access list containing only permit rules restricts nothing, since every packet it does not match is forwarded anyway; to enforce "only what is listed", set firewall default deny or end the list with an explicit deny rule that covers the remaining traffic.
3.2.7 Configuring Special Timerange
I. Enable/disable filtering according to timerange
Filtering according to timerange means that IP packets are filtered with different access rules in different time ranges; this is also called "special rules for special time".
Time ranges are classified into two types according to the application:
l Special timerange: time within the configured time range (specified by the keyword special)
l Normal timerange: time outside the configured time range (specified by the keyword normal)
The access control rules are likewise classified into two types:
l Normal packet-filtering access rules
l Special-timerange packet-filtering access rules
The two types of time range have their own access control lists and rules, which do not affect each other. In practice they form two independent rule sets, and the system selects one after checking whether the current time lies in the special or the normal time range. For example, while the system time lies in the special time range, the special-timerange rules (defined with access-list special access-list-number) are used for filtering; when the system time moves into the normal time range, the normal-timerange rules (defined with access-list normal access-list-number) are used instead.
Perform the following tasks in global configuration mode.
Table SC-3-9 Enable/disable filtering according to timerange
Operation                                  Command
Enable filtering according to timerange    timerange enable
Disable filtering according to timerange   timerange disable
The special-timerange access rules set by the user take effect only while filtering according to timerange is enabled. While it is disabled, the normal-timerange access rules are applied at all times.
II. Set special timerange
When filtering according to timerange is enabled, the firewall uses the user-defined special-timerange access rules during the time range defined by the user. A newly defined special time range becomes valid about 1 minute after it is defined, and the previously defined one becomes invalid automatically.
Perform the following tasks in global configuration mode.
Table SC-3-10 Set special timerange
Operation                 Command
Set special timerange     settr begin-time end-time [ begin-time end-time ... ]
Cancel special timerange  no settr
By default, the system uses the access rules defined for the normal time range. The settr command can define up to 6 time ranges at once. Each time is given in the format hh:mm, where hh is 0 to 23 hours and mm is 0 to 59 minutes.
The command show route can be used to view the current clock status of the system.
3.2.8 Configuring Rules for Applying Access Control List on Interface
To filter packets with access rules on a specific interface, the access control list must be applied to that interface. Different access control lists can be applied to the inbound and outbound directions of one interface.
Perform the following tasks in interface configuration mode.
Table SC-3-11 Configure rules for applying access control list on interface
Operation                                                      Command
Specify rule for filtering received/sent packets on interface  ip access-group access-list-number [ in | out ]
Cancel rule for filtering received/sent packets on interface   no ip access-group access-list-number [ in | out ]
By default, no filtering rule is applied on an interface.
Up to 20 access control lists can be applied in one direction (in or out) of an interface: 20 with ip access-group ... in and another 20 with ip access-group ... out.
If rules in two lists with different access-list-numbers conflict, the rule in the list with the greater access-list-number is matched first.
3.2.9 Specifying Logging Host
The firewall supports logging. When a packet matches an access rule for which the user has specified logging (the log keyword), a log message is sent to the logging host, where it is recorded and saved.
Perform the following tasks in global configuration mode.
Table SC-3-12 Specify logging host
Operation Command
Specify logging host logging host unix-hostname ip-address
Cancel logging host no logging host
For detailed description about “ Logging host parameters” , please refer to the chapter “Logging Function” in “ Fundamental Configuration”.
3.3 Monitoring and Maintenance of Firewall
Use the following commands in privileged user mode to monitor and maintain the firewall.
Table SC-3-13 Monitoring and maintenance of firewall
Operation                                                        Command
Show firewall status                                             show firewall
Show packet filtering rules and their application on interface   show access-lists { all | access-list-number | interface interface-name }
Show current timerange                                           show timerange
Show whether the current time is within special timerange        show isintr
Clear access rule counters                                       clear access-list counters [ access-list-number ]
Enable debugging of firewall packet filtering                    debug filter { all | icmp | tcp | udp }
Disable debugging of firewall packet filtering                   no debug filter { all | icmp | tcp | udp }
1) Show firewall status and statistics
Quidway#show firewall
Firewall is enable, default filtering method is 'permit'.
TimeRange packet-filtering disable.
InBound :
  0 packets, 0 bytes, 0% permitted,
  0 packets, 0 bytes, 0% denied,
  52 packets, 3679 bytes, 88% permitted defaultly,
  7 packets, 469 bytes, 11% denied defaultly;
  From 19:35:44 to 19:35:49
  0 packets, 0 bytes, permitted,
  0 packets, 0 bytes, denied,
  0 packets, 0 bytes, permitted defaultly,
  0 packets, 0 bytes, denied defaultly;
OutBound:
  0 packets, 0 bytes, 0% permitted,
  7 packets, 588 bytes, 20% denied,
  25 packets, 2100 bytes, 73% permitted defaultly,
  2 packets, 168 bytes, 5% denied defaultly.
  From 19:35:44 to 19:35:49
  0 packets, 0 bytes, permitted,
  0 packets, 0 bytes, denied,
  0 packets, 0 bytes, permitted defaultly,
  0 packets, 0 bytes, denied defaultly
The output shows that the firewall is enabled, the default filtering mode is permit, timerange packet filtering is disabled, and, for the inbound and outbound directions, both the cumulative statistics and those for the interval from 19:35:44 to 19:35:49: how many packets were permitted or denied by a rule and how many were permitted or denied by the default mode. Packets counted as "permitted defaultly" or "denied defaultly" matched no rule at all; in this output almost all traffic falls into that category, which is worth checking against the intended rule set.
2) Show packet filtering rule and its application on interface
Quidway#show access-list all
Normal time packet-filtering rules:
  1 - 99 are empty.
  100 deny icmp 10.10.1.1 0.0.0.255 10.10.1.3 0.0.0.255 (11 matches, 924 bytes -- rule 1)
  101 - 199 are empty.
TimeRange packet-filtering rules:
  1 - 199 are empty.
The output shows that, among the normal-time packet-filtering rules, the standard access lists 1 to 99 and the extended access lists 101 to 199 are empty and only list 100 is in use; its single rule has matched 11 packets (924 bytes). Among the special-timerange packet-filtering rules, lists 1 to 199 are all empty.
To reset the counters of an access control list, use clear access-list counters, which sets the number of matched packets and bytes to 0.
3) Show whether the current time is in the special timerange.
Quidway#show time-range
TimeRange packet-filtering enable.
beginning of time range:
  01:00 - 02:00
  03:00 - 04:00
end of time range.
3.4 Typical Configuration of Firewall
The following is a sample firewall configuration for an enterprise.
I. Networking requirements
The enterprise accesses the Internet via interface Serial 0 of a Quidway router and provides www, ftp and telnet services to the outside. The internal subnet of the enterprise is 129.38.1.0; the internal ftp server is 129.38.1.1, the internal telnet server 129.38.1.2 and the internal www server 129.38.1.3. The enterprise's external address is 202.38.160.1. Address translation has already been configured on the router so that internal PCs can access the Internet and external PCs can access the internal servers. The firewall configuration is expected to achieve the following:
l Only specific users from the external network can access the internal servers.
l Only a specific internal host can access the external network.
In this example, the IP address of the specific external user is assumed to be 202.39.2.3.
II. Networking diagram
Figure SC-3-3 Sample networking of firewall configuration. The enterprise Ethernet holds the www server (129.38.1.3), the ftp server (129.38.1.1), the telnet server (129.38.1.2), the specific internal PC (129.38.1.4) and a second internal PC (129.38.1.5). The Quidway router connects the Ethernet to the WAN with the external address 202.38.160.1; the specific external PC (202.39.2.3) is on the WAN side.
III. Configuration procedure
1) Enable the firewall
Quidway (config)#firewall enable
2) Set the default filtering mode to permit
Quidway (config)#firewall default permit
3) Configure an access rule that denies all packets
Quidway (config)#access-list 101 deny ip any any
4) Configure rules that permit the specific internal host and the internal servers to access the external network
Quidway (config)#access-list 101 permit ip 129.38.1.4 0 any
Quidway (config)#access-list 101 permit ip 129.38.1.1 0 any
Quidway (config)#access-list 101 permit ip 129.38.1.2 0 any
Quidway (config)#access-list 101 permit ip 129.38.1.3 0 any
5) Configure a rule that permits the specific external user to access the internal servers
Quidway (config)#access-list 102 permit tcp 202.39.2.3 0 202.38.160.1 0
6) Configure a rule that permits internal hosts to receive data from the external network (only TCP packets whose destination port is greater than 1024)
Quidway (config)#access-list 102 permit tcp any 202.38.160.1 0 gt 1024
7) Apply list 101 to packets entering interface Ethernet0
Quidway (config-if-Ethernet0)#ip access-group 101 in
8) Apply list 102 to packets entering interface Serial0
Quidway (config-if-Serial0)#ip access-group 102 in
Two points about this example deserve attention. First, list 101 relies on the default auto (depth-first) ordering: the host-specific permit rules are evaluated before deny ip any any even though the deny was entered first, so with access-list 101 sort manual every internal host would be blocked. Second, list 102 contains only permit rules while the default filtering mode is permit (step 2), so a packet from an external host other than 202.39.2.3 that matches neither rule is still forwarded; to restrict external access to the listed user, either set firewall default deny or add a final deny ip any any rule to list 102 (which, under auto ordering, is evaluated last). Rule 6 is also stateless: it admits TCP packets from any external source to any internal port above 1024, not only replies to connections that internal hosts opened.
Chapter 4 Configuration of IPSec
4.1 Brief Introduction to IPSec Protocol
I. IPSec
IPSec is the collective name for a set of network security protocols developed by the IETF (Internet Engineering Task Force). It provides both communicating parties with access control, connectionless integrity, data origin authentication, anti-replay protection, confidentiality (encryption) and limited traffic-flow confidentiality.
With IPSec, data transmitted across a public network need not be exposed to monitoring, modification or forgery. This enables secure access to a VPN (Virtual Private Network), whether between internal networks, between an internal and an external network, or between the network and remote users.
1) IPSec provides the following network security services:
l Data confidentiality: the IPSec sender encrypts packets before transmitting them over the network.
l Data integrity: the IPSec receiver authenticates the packets from the sender to make sure the data were not modified in transit.
l Data origin authentication: the IPSec receiver authenticates the source of IPSec packets. This service depends on data integrity.
l Anti-replay: the IPSec receiver can detect and reject packets that are out of date or repeated.
2) IPSec components include AH (Authentication Header), ESP (Encapsulating Security Payload), SA (Security Association), IKE (Internet Key Exchange), and the encryption and authentication algorithms.
l AH (Authentication Header) is a packet authentication header protocol. It can be used in both transport mode and tunnel mode to provide data integrity and data origin authentication for IP packets. The integrity check detects whether a packet was modified in transit; the authentication mechanism lets end systems or network equipment verify users and applications and filter traffic accordingly, and it also defends against address spoofing and replay attacks.
l ESP (Encapsulating Security Payload) is a packet encapsulation security payload protocol. It can be used in both transport mode and tunnel mode. Using encryption and authentication mechanisms, it provides data origin authentication, data integrity, anti-replay protection and confidentiality for IP packets.
l AH and ESP can be used separately or together. Both provide authentication, with different characteristics: ESP depends on strong encryption algorithms, whose use is restricted by policy in many countries, while AH defines only authentication measures and can therefore be used freely throughout the world. In many deployments only the authentication service is used.
l IKE (Internet Key Exchange) implements a hybrid of the Oakley and SKEME key exchanges within the ISAKMP (Internet Security Association and Key Management Protocol) framework. It defines standard procedures for automatically authenticating IPSec peers, negotiating security services and generating shared keys, thereby providing automatic key exchange negotiation and security association creation and simplifying the use and management of IPSec.
3) Both AH and ESP support both packet encapsulation modes, tunnel mode and transport mode.
l Tunnel mode: the whole original IP packet is encrypted or authenticated, i.e., a new IP header is added in front of it; the source and destination addresses of the new header are the IP addresses of the two ends of the security tunnel. In this mode the AH or ESP header is inserted between the outer and the inner IP header.
l Transport mode: only the IP payload (i.e., the TCP or UDP data) is encrypted or authenticated; the IP header is not protected. In this mode the AH or ESP header is inserted between the IP header and the upper-layer protocol header (such as TCP or UDP).
II. IPSec processing on messages
IPSec processes packets as follows (taking AH as the example):
1) Adding the authentication header: IP packets sent by the module are read from the IPSec queue, the AH header is added according to the configured encapsulation mode (transport or tunnel), and the packet is forwarded through the IP layer.
2) Removing the authentication header after verification: an IP packet received at the IP layer that is addressed to the local host with protocol number 51 is dispatched through the protocol switch table to the AH input processing function. This function recomputes the authentication value of the packet and compares it with the value carried in the AH. If the two are equal, the AH is removed, the original IP packet is restored and handed back to the IP input path; otherwise the packet is discarded.
III. IPSec related terms
l Data stream: a set of traffic defined by source address/mask, destination address/mask, the upper-layer protocol number carried in the IP packet, source port number, destination port number, and so on. A data stream is generally defined by an access list: all packets permitted by the access list logically form one data stream. A data stream can be a single TCP connection between two hosts or all the traffic between two subnets. IPSec can apply different security protection to different data streams, for example different security protocols, algorithms and keys.
l Security policy: configured manually by the user, it defines which security measures are applied to which data stream. The data stream is defined by the rules of an access list, and the security policy references that access list to determine the data flow it protects. A security policy is uniquely identified by its name and sequence number together.
l Security policy group: the set of security policies with the same name. A security policy group can be applied to or removed from an interface; applying a group applies all the security policies in it to the interface, so that different data streams receive different protection. Within one security policy group, the security policy with the smaller sequence number has the higher priority.
l SA (Security Association): IPSec provides security services for data streams through security associations. An SA specifies the protocol, algorithm, key and other parameters, i.e., how IP packets are to be processed. An SA is a unidirectional logical connection between two IPSec systems: the inbound data stream and the outbound data stream are handled by separate inbound and outbound SAs. An SA is uniquely identified by the triple (SPI, IP destination address, security protocol number (AH or ESP)). An SA can be established by manual configuration or by automatic negotiation. In manual mode the user sets the parameters at both ends by hand, and they must match. In automatic mode the SA is created and maintained by IKE: the two communicating parties negotiate on the basis of their own security policies without user intervention.
l SA update time: an SA is updated in one of two ways, "time restricted" (the SA is updated at regular intervals) or "restricted by traffic" (the SA is updated after a certain number of bytes has been transmitted).
l SPI (Security Parameter Index): a 32-bit value carried in every IPSec packet. The triple (SPI, IP destination address, security protocol number) uniquely identifies an SA. When an SA is configured manually, the SPI must also be set manually, and each SA must be given a different SPI so that the SA is unique. When an SA is generated by IKE negotiation, the SPI is generated at random.
l Transform mode: the combination of a security protocol, the algorithms it uses and the mode in which it encapsulates packets; it prescribes how an ordinary IP packet is transformed into an IPSec packet. A security policy references a transform mode to specify the protocol and algorithms it uses.
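To make the SA lookup, authentication check and anti-replay behaviour described in the processing steps and the terms above concrete, here is an added Python sketch of AH in transport mode. It is written for this guide and is not the VRP implementation; it simplifies the AH format, assumes HMAC-SHA256 truncated to 96 bits as the authentication algorithm, a 64-packet anti-replay window, and a pseudo IP header consisting only of the source and destination addresses. The key and addresses in the demonstration are constructed.

```python
# Added example for this guide (not the VRP implementation): a simplified AH in transport
# mode showing SA lookup by (SPI, destination, protocol), ICV verification and anti-replay.
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51            # protocol number on which the receiver dispatches to AH input
ICV_LEN = 12             # 96-bit truncated ICV
AH_FIXED = 12            # next header, payload length, reserved, SPI, sequence number
REPLAY_WINDOW = 64       # assumed window size for the example

class SecurityAssociation:
    """One unidirectional SA: identified by (SPI, destination, protocol), holding the
    authentication key and, on the receiving side, the anti-replay state."""
    def __init__(self, spi, dst, key):
        self.spi, self.dst, self.key = spi, str(ipaddress.IPv4Address(dst)), key
        self.highest_seq = 0     # highest sequence number accepted so far
        self.seen = 0            # bit i set: sequence (highest_seq - i) already accepted

    def icv(self, data):
        # HMAC-SHA256 truncated to 96 bits stands in for the configurable algorithms.
        return hmac.new(self.key, data, hashlib.sha256).digest()[:ICV_LEN]

    def replay_ok(self, seq):
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.highest_seq:
            return True                       # newer than anything accepted
        lag = self.highest_seq - seq
        return lag < REPLAY_WINDOW and not (self.seen >> lag) & 1

    def replay_mark(self, seq):
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.seen = ((self.seen << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.seen |= 1 << (self.highest_seq - seq)

def sa_index(spi, dst, proto):
    """The triple that uniquely identifies an SA."""
    return (spi, str(ipaddress.IPv4Address(dst)), proto)

def _ah_header(next_header, spi, seq):
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBxxII", next_header, payload_len, spi, seq)

def _covered(src, dst, ah, payload):
    # ICV input: the immutable IP fields (here only source and destination), the AH header
    # with its ICV field zeroed, and the payload. Mutable fields such as TTL are excluded.
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + ah + bytes(ICV_LEN) + payload)

def ah_protect(sa, src, next_header, seq, payload):
    """Sender side: insert AH between the IP header and the upper-layer payload."""
    ah = _ah_header(next_header, sa.spi, seq)
    icv = sa.icv(_covered(src, sa.dst, ah, payload))
    return {"src": src, "dst": sa.dst, "proto": AH_PROTO, "body": ah + icv + payload}

def ah_verify(sadb, pkt):
    """Receiver side: returns (accepted, reason, (next_header, payload) or None)."""
    if pkt["proto"] != AH_PROTO:
        return False, "not AH", None
    body = pkt["body"]
    next_header, _, spi, seq = struct.unpack("!BBxxII", body[:AH_FIXED])
    icv, payload = body[AH_FIXED:AH_FIXED + ICV_LEN], body[AH_FIXED + ICV_LEN:]
    sa = sadb.get(sa_index(spi, pkt["dst"], AH_PROTO))
    if sa is None:
        return False, "no SA", None
    if not sa.replay_ok(seq):
        return False, "replay", None            # cheap check first, before the HMAC
    expected = sa.icv(_covered(pkt["src"], pkt["dst"], _ah_header(next_header, spi, seq), payload))
    if not hmac.compare_digest(icv, expected):
        return False, "bad ICV", None
    sa.replay_mark(seq)                         # advance the window only for authenticated packets
    return True, "ok", (next_header, payload)

if __name__ == "__main__":
    key = b"constructed-demo-key"               # constructed for the example
    tx = SecurityAssociation(0x1000, "202.38.160.1", key)
    sadb = {sa_index(0x1000, "202.38.160.1", AH_PROTO): SecurityAssociation(0x1000, "202.38.160.1", key)}
    pkt = ah_protect(tx, "202.39.2.3", 6, 1, b"TCP segment")
    print(ah_verify(sadb, pkt)[:2], ah_verify(sadb, pkt)[:2])
```

The order of the checks matters: the receiver rejects stale or repeated sequence numbers before spending an HMAC computation, but only moves the replay window after the ICV has verified, so a forged packet with a high sequence number cannot push genuine packets out of the window. Packets that arrive out of order but within the window are still accepted once.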
4.2 Configuring IPSec
4.2.1 IPSec Configuration Task List
IPSec configuration task list is as follows:
l Create encryption access control list
l Define transform mode
l Select encryption algorithm and authentication algorithm
l Create security policy
l Apply security policy group to interface
4.2.2 Creating Encryption Access Control List
I. Functions of encryption access control list
An encryption access list specifies which IP packets are to be encrypted and which are not. These lists differ from ordinary access lists, which only determine which packets may pass an interface and which are dropped. An encryption access list is defined as an extended IP access list.
If one kind of traffic is to receive one security protection (authentication only, for instance) and another kind a different one (authentication and encryption, for instance), two encryption access control lists must be created and applied to different security policies.
An encryption access control list is used to evaluate both inbound and outbound traffic.
II. Create encryption access control list
Perform the following tasks in global configuration mode.
Table SC-4-1 Create encryption access control list
Operation Command
Create encryption access control list  access-list [ normal | special ] access-list-number { deny | permit } protocol { any | source-addr source-wildcard-mask } { any | destination-addr destination-wildcard-mask }
Delete encryption access control list  no access-list { normal | special } { all | access-list-number [ subitem ] }
Traffic between the source and destination addresses specified by the keyword permit is encrypted locally and decrypted by the peer router.
The keyword deny excludes the traffic from encryption/decryption by the peer router (that is, the policy defined in this security policy is not applied to it). If the traffic is denied by all the security policies on an interface, it is sent without encryption protection.
When creating an encryption access list, do not use the keyword any for the source and destination addresses. Otherwise, when a packet enters the router and is sent towards a router that is not configured for encryption, the keyword any causes this router to try to establish an encryption session with a router that has no encryption.
The encryption access list defined on the local router must have a mirror-image encryption access list on the remote router, so that traffic encrypted locally can be decrypted remotely.
When the show ip access-list command is used to display the router's access lists, all extended IP access lists are shown, both those used for traffic filtering and those used for encryption; the output does not distinguish between the two uses.
4.2.3 Defining Transform Mode
A transform is a specific combination of security protocol and algorithm. When IPSec is in SA negotiation, the peer end will use the same transform mode to protect the specific data stream.
I. Defining Transform Mode
Multiple transform modes can be defined, and one or many of them can then be quoted in one security policy. For an SA created manually, there is no negotiation process between the two ends, so both parties must specify the same transform mode.
If the definition of a transform mode is modified, the modification applies only to the security policies that quote this transform mode. The modified transform mode is not applied to the current SA at once, but to SAs created later. To make the new setting effective at once, use the command clear crypto sa to clear part or all of the SA database.
Perform the following tasks in global configuration mode.
Table SC-4-2 Define transform mode
Operation: Define transform mode and enter security transform configuration mode
Command: crypto ipsec transform transform-name
Operation: Delete transform mode
Command: no crypto ipsec transform transform-name
II. Setting the Mode for Security Protocol to Encapsulate IP Message
The IP message encapsulating mode selected by both ends of the security tunnel must be consistent.
Perform the following tasks in security transform configuration mode.
Table SC-4-3 Set the mode for security protocol to encapsulate messages
Operation: Set the mode for security protocol to encapsulate messages
Command: mode { transport | tunnel }
Operation: Restore the default message encapsulating mode
Command: no mode
The default mode is tunnel-encapsulating mode.
III. Selecting Security Protocol
After the transform mode is defined, it is necessary to select the security protocol for it. The security protocols available at present are AH and ESP, and both can also be used at the same time. Both ends of the security tunnel must select the same security protocols.
Perform the following tasks in security transform configuration mode.
Table SC-4-4 Select security protocol
Operation: Set security protocol used for transform mode
Command: transform { ah-new | esp-new | ah-esp-new }
Operation: Restore the default security protocol
Command: no transform
By default, esp-new (the authentication and encryption protocol prescribed in RFC 2406) is used, and up to 50 transform modes can be configured.
4.2.4 Selecting Encryption and Authentication Algorithm
AH protocol can authenticate but not encrypt messages. ESP supports five encryption algorithms: 3des, des, blowfish, cast and skipjack.
The current security authentication algorithms include MD5 (Message Digest 5) and SHA (Secure Hash Algorithm), both used as HMAC variants. HMAC is a keyed hashing algorithm which can authenticate data. The algorithm md5 uses a 128-bit key and the algorithm sha1 uses a 160-bit key; the former computes faster, while the latter is more secure.
Both ends of the security tunnel must select the same encryption algorithm and authentication algorithm.
Perform the following tasks in security transform configuration mode.
Table SC-4-5 Select encryption algorithm and authentication algorithm
Operation: Set the encryption algorithm adopted by ESP protocol
Command: esp-new encryption { 3des | des | blowfish | cast | skipjack }
Operation: Restore the encryption algorithm adopted by ESP protocol
Command: no esp-new encryption
Operation: Set the authentication algorithm adopted by ESP protocol
Command: esp-new hash { md5-hmac-96 | sha1-hmac-96 }
Operation: Restore the authentication algorithm adopted by ESP protocol
Command: no esp-new hash
Operation: Set the authentication algorithm adopted by AH protocol
Command: ah-new hash { md5-hmac-96 | sha1-hmac-96 }
Operation: Restore the authentication algorithm adopted by AH protocol
Command: no ah-new hash
By default, ESP protocol adopts the des encryption algorithm and the md5-hmac-96 authentication algorithm, and AH protocol adopts the md5-hmac-96 authentication algorithm.
4.2.5 Creating Security Policy
The following should be clear before a security policy is created:
- What communications should be protected by IPSec
- How long the data stream should be protected by an SA
- What security policies should be applied to these communications
- Whether the security policy is created manually or through IKE negotiation
The following aspects require attention when a security policy is created:
- To create a security policy, it is necessary to specify its negotiation mode, but to modify one it is unnecessary. Once a security policy is created, its negotiation mode can not be modified; to change it, the current security policy must be deleted and a new one created. For example, a security policy of manual mode can not be modified into one of isakmp mode: only after the current security policy of manual mode is deleted can one of isakmp mode be created.
- The security policies with the same name together comprise a security policy group. A security policy is uniquely defined by its name and sequence number together, and a security policy group can include at most 100 security policies. Within a security policy group, the security policy with the smaller sequence number has the higher priority. When a security policy group is applied on an interface, all the different security policies in the group are in fact applied on it at the same time, so that different data streams are protected by different SAs.
I. Create security policy manually
1) Create security policy manually
Perform the following tasks in global configuration mode.
Table SC-4-6 Create security policy manually
Operation: Create security policy manually and enter security policy configuration mode
Command: crypto map map-name seq-num manual
Operation: Modify the created security policy manually
Command: crypto map map-name seq-num
Operation: Delete the created security policy
Command: no crypto map map-name [ seq-num ]
By default, no security policy is created.
2) Configure access control list quoted in security policy
After a security policy is created, it is also necessary to specify the quoted encryption access control list for it, so as to judge which inbound/outbound communications should be encrypted and which should not.
Perform the following tasks in security policy configuration mode.
Table SC-4-7 Configure encryption access control list quoted in security policy
Operation: Configure encryption access control list quoted in security policy
Command: match address access-list-number
Operation: Cancel encryption access control list quoted in security policy
Command: no match address access-list-number
By default, no encryption access control list is quoted in the security policy.
3) Set start point and end point of security tunnel
The channel to which a security policy is applied is usually called a “security tunnel”. The security tunnel is established between the local gateway and the peer gateway, so the local address and the peer address must be set correctly for the security tunnel to be established successfully.
For a security policy created manually, only one peer address can be specified. To set a new peer address, the previously specified one must be deleted first. Only when both the local address and the peer address are set correctly can the security tunnel be created.
Perform the following tasks in security policy configuration mode.
Table SC-4-8 Set start point and end point of security tunnel
Operation: Set local address of security tunnel
Command: set local-address ip-address
Operation: Delete local address of security tunnel
Command: no set local-address ip-address
Operation: Set peer address of security tunnel
Command: set peer ip-address
Operation: Delete peer address of security tunnel
Command: no set peer ip-address
By default, the start point and the end point of the security tunnel are not specified.
4) Set transform mode quoted in security policy
When the SA is created manually, a security policy can quote only one transform mode, and to set a new transform mode, the previously configured one must be deleted first. If the local transform mode does not match the peer one completely, the SA can not be established and the messages that require protection are discarded.
Security policy determines its protocol, algorithm and encapsulation mode by quoting
the transform mode. A transform mode must be established before it is quoted.
Perform the following tasks in security policy configuration mode.
Table SC-4-9 Set transform mode quoted in security policy
Operation: Set transform mode quoted in security policy
Command: set transform transform-name
Operation: Cancel transform mode quoted in security policy
Command: no set transform
By default, the security policy quotes no transform mode.
5) Set SPI of security policy association and its adopted key
For a security policy association established manually, if AH protocol is included in the quoted transform mode, it is necessary to set manually the SPI of the AH SA and the quoted authentication key for the inbound/outbound communications. If ESP protocol is included in the quoted transform mode, it is necessary to set manually the SPI of the ESP SA and the quoted authentication key and ciphering key for the inbound/outbound communications.
At both ends of a security tunnel, the SPI and the key of the local inbound SA must be the same as those of the peer outbound SA, and the SPI and the key of the local outbound SA must be the same as those of the peer inbound SA.
Perform the following tasks in security policy configuration mode.
(A) Set SPI parameters of security policy association
Table SC-4-10 Set SPI parameters of security policy association
Operation: Set SPI parameters of inbound SA of AH/ESP protocol
Command: set session-key inbound { ah | esp } spi spi-number
Operation: Delete SPI parameters of inbound SA of AH/ESP protocol
Command: no set session-key inbound { ah | esp } spi
Operation: Set SPI parameters of outbound SA of AH/ESP protocol
Command: set session-key outbound { ah | esp } spi spi-number
Operation: Delete SPI parameters of outbound SA of AH/ESP protocol
Command: no set session-key outbound { ah | esp } spi
By default, no SPI value of inbound/outbound SA is set.
(B) Set key used by security policy association
Table SC-4-11 Set key used by security policy association
Operation: Set authentication key of AH protocol (input in hexadecimal mode)
Command: set session-key { inbound | outbound } ah hex-key-string hex-key
Operation: Delete authentication key of AH protocol (input in hexadecimal mode)
Command: no set session-key { inbound | outbound } ah hex-key-string
Operation: Set authentication key of AH protocol (input in string mode)
Command: set session-key { inbound | outbound } ah string-key string-key
Operation: Delete authentication key of AH protocol (input in string mode)
Command: no set session-key { inbound | outbound } ah string-key
Operation: Set authentication key of ESP protocol (input in hexadecimal mode)
Command: set session-key { inbound | outbound } esp authen-hex hex-key
Operation: Delete authentication key of ESP protocol
Command: no set session-key { inbound | outbound } esp authen-hex
Operation: Set ciphering key of ESP protocol (input in hexadecimal mode)
Command: set session-key { inbound | outbound } esp cipher-hex hex-key
Operation: Delete ciphering key of ESP protocol
Command: no set session-key { inbound | outbound } esp cipher-hex
Operation: Set both ciphering and authentication keys of ESP protocol (input in string mode)
Command: set session-key { inbound | outbound } esp string-key string-key
Operation: Delete the ciphering and authentication keys of ESP protocol
Command: no set session-key { inbound | outbound } esp string-key
By default, no key is used by any security policy.
Keys input in string mode have the higher priority: if keys are input in both modes, those input in string mode are used. At both ends of the security tunnel, the keys must be input in the same mode. If the key is input in string mode at one end but in hexadecimal mode at the other end, the security tunnel can not be created correctly. To set a new key, the previous key must be deleted first.
II. Create security policy association with IKE
1) Create security policy association with IKE
Perform the following tasks in global configuration mode.
Table SC-4-12 Create security policy association with IKE negotiation mode
Operation: Create security policy association with IKE and enter security policy configuration mode
Command: crypto map map-name seq-num isakmp
Operation: Delete the created security policy
Command: no crypto map map-name [ seq-num ]
By default, no security policy is created.
2) Set access control list quoted by security policy
After a security policy is created, it is also necessary to specify the quoted encryption access control list for it, so as to judge which inbound/outbound communications should be encrypted and which should not.
Perform the following tasks in security policy configuration mode.
Table SC-4-13 Configure encryption access control list quoted in security policy
Operation: Configure encryption access control list quoted in security policy
Command: match address access-list-number
Operation: Cancel encryption access control list quoted in security policy
Command: no match address access-list-number
By default, no encryption access control list is quoted in the security policy.
3) Set end point of security tunnel
For a security policy created with IKE negotiation mode, it is unnecessary to set the local address, because IKE can obtain the local address from the interface to which this security policy is applied.
Perform the following tasks in security policy configuration mode.
Table SC-4-14 Set end point of security tunnel
Operation: Set peer address of security tunnel
Command: set peer ip-address
Operation: Delete peer address of security tunnel
Command: no set peer ip-address
By default, the end point of the security tunnel is not specified.
4) Set transform mode quoted in security policy
Perform the following tasks in security policy configuration mode.
Table SC-4-15 Set transform mode quoted in security policy
Operation: Set transform mode quoted in security policy
Command: set transform transform-name1 [ transform-name2 ... transform-name6 ]
Operation: Cancel transform mode quoted in security policy
Command: no set transform
By default, the security policy quotes no transform mode.
When an SA is created through IKE negotiation, a security policy can quote at most 6 transform modes, and IKE negotiation searches for a completely matching transform mode at both ends of the security tunnel. If IKE can not find a completely matching transform mode, the SA can not be established and the messages that require protection are discarded.
The security policy determines its protocol, algorithm and encapsulation mode by quoting the transform mode. A transform mode must be established before it is quoted.
5) Set SA lifetime (optional)
(A) SA lifetime
There are two types of SA lifetime (or lifecycle) available at present: “Time-based” and “Traffic-based”. The SA becomes invalid on the first expiration of either type of lifetime. Before the SA becomes invalid, IKE establishes a new SA for IPSec, so that a new SA is ready when the previous one becomes invalid. If the global lifetime is modified during the valid period of the current SA, the new value is applied not to the present SA but to later SA negotiations.
The SA lifetime is only effective for SAs established with IKE; an SA established manually does not involve the concept of lifetime.
(B) Operating mode of SA lifetime
If a security policy is not configured with a lifetime value, when the router applies for a new SA it specifies the global lifetime value in the application sent to the peer end and uses this value as the lifetime of the new SA. When the local end receives a negotiation application from the peer end, it selects the smaller of the lifetime value recommended by the peer end and the locally configured one as the lifetime value of the new SA.
An SA (and its related key) times out on the first expiration of the lifetime in seconds (specified by the key word seconds) or in kilobytes of communication traffic (specified by the key word kilobytes).
To ensure that the new SA is ready for use when the previous SA expires, the new SA must be negotiated before the previous one times out. A new SA is negotiated when 30 seconds are left before the seconds lifetime expires, or when only 256 kilobytes of traffic are left before the kilobytes lifetime expires in this tunnel, whichever comes first.
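The lifetime negotiation and rekey timing just described, as an added illustration in Python (not VRP code). The defaults and margins are the values stated in this section; the parsed line is the "sa timing" line printed by show crypto ipsec sa all in section 4.3, and the constructed peer proposal is an assumption of the example.

```python
"""SA lifetime negotiation and rekey timing as described in (B) above.
Added illustration in Python, not VRP code: the defaults and the 30-second /
256-kilobyte margins are the values stated in this section, and the parsed
line is the 'sa timing' line printed by 'show crypto ipsec sa all'."""
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_LIFETIME_SECONDS = 3600          # global "Time-based" default
DEFAULT_LIFETIME_KILOBYTES = 1843200     # global "Traffic-based" default
REKEY_MARGIN_SECONDS = 30                # negotiate a new SA this close to expiry by time ...
REKEY_MARGIN_KILOBYTES = 256             # ... or this close to expiry by traffic


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


def propose_lifetime(separate: Optional[Lifetime]) -> Lifetime:
    """Value the initiator puts into its SA request: the policy's separate
    lifetime when one is configured, otherwise the global value."""
    return separate or Lifetime(DEFAULT_LIFETIME_SECONDS, DEFAULT_LIFETIME_KILOBYTES)


def negotiate_lifetime(local: Lifetime, peer_proposed: Lifetime) -> Lifetime:
    """Responder side: the smaller of the peer's proposal and the local value
    is taken, independently for each lifetime type."""
    return Lifetime(min(local.seconds, peer_proposed.seconds),
                    min(local.kilobytes, peer_proposed.kilobytes))


def rekey_needed(remaining_kilobytes: int, remaining_seconds: int) -> bool:
    """True once either margin is reached (first expiration wins): the
    replacement SA must be negotiated now to be ready before the current one expires."""
    return (remaining_seconds <= REKEY_MARGIN_SECONDS
            or remaining_kilobytes <= REKEY_MARGIN_KILOBYTES)


_SA_TIMING = re.compile(r"remaining key lifetime \(kilobytes/seconds\):\s*(\d+)/(\d+)")


def rekey_needed_from_show(sa_timing_line: str) -> bool:
    """Apply rekey_needed() to an 'sa timing:' line of show crypto ipsec sa."""
    m = _SA_TIMING.search(sa_timing_line)
    if m is None:
        raise ValueError(f"not an sa timing line: {sa_timing_line!r}")
    return rekey_needed(int(m.group(1)), int(m.group(2)))


if __name__ == "__main__":
    # Constructed case: the peer proposes a shorter time lifetime but more traffic.
    print(negotiate_lifetime(propose_lifetime(None), Lifetime(1800, 2000000)))
    # Line as printed in section 4.3: 90 s and 432018 kilobytes left, no rekey yet.
    print(rekey_needed_from_show(
        "sa timing: remaining key lifetime (kilobytes/seconds): 432018/90"))
```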
(C) Configure global SA lifetime
There are two types of global SA lifetime (or lifecycle) available at present: “Time-based” and “Traffic-based”. The SA becomes invalid on the first expiration of either type of lifetime.
Perform the following tasks in global configuration mode.
Table SC-4-16 Configure global SA lifetime
Operation: Set global SA “Time-based” lifetime
Command: crypto ipsec sa lifetime seconds seconds
Operation: Restore the default value of the global SA “Time-based” lifetime
Command: no crypto ipsec sa lifetime seconds
Operation: Set global SA “Traffic-based” lifetime
Command: crypto ipsec sa lifetime kilobytes kilobytes
Operation: Restore the default value of the global SA “Traffic-based” lifetime
Command: no crypto ipsec sa lifetime kilobytes
By default, the “Time-based” lifetime is 3600 seconds (one hour) and the “Traffic-based” lifetime is 1843200 kilobytes.
(D) Configure separate SA lifetime (optional)
To use a lifetime different from the global one, configure a separate SA lifetime. Perform the following tasks in global configuration mode.
Table SC-4-17 Configure separate SA lifetime
Operation: Set separate SA lifetime
Command: set sa lifetime { seconds seconds | kilobytes kilobytes }
Operation: Restore the default value of separate SA lifetime
Command: no set sa lifetime { seconds | kilobytes }
By default, the global SA lifetime is used.
4.2.6 Applying Security Policy Group on Interface
To put the defined SA into effect, it is necessary to apply a security policy group to each interface (logical or physical) that will encrypt outgoing data and decrypt incoming data; this interface provides the encrypted connection to the peer encrypting router.
When the security policy group is deleted from the interface, the interface no longer has the IPSec security protection function.
When messages are transmitted via an interface, the security policies in the security policy group are searched one by one from the smaller sequence number to the greater one. If a message matches the access list quoted by a security policy, that security policy is used to process the message. If a message does not match the access list quoted by a security policy, the search goes on to the next security policy. If a message matches no access list quoted by any security policy, the message is transmitted directly (IPSec does not protect the message).
One interface can be applied with only one security policy group, and one security policy group can be applied to only one interface.
Perform the following tasks in the interface configuration mode.
Table SC-4-18 Apply security policy group on interface
Operation: Apply security policy group on interface
Command: crypto map map-name
Operation: Delete the security policy group applied on interface
Command: no crypto map
By default, no security policy group is applied to the interface.
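The search order of a security policy group described above, together with the permit/deny semantics of the encryption access list from 4.2.2, as an added illustration in Python (not VRP code). Access list 101 follows the Router A configuration in 4.4.1; the second access list, the sequence numbers and the sample packets are constructed for the example.

```python
"""Security policy group lookup on an interface (4.2.5 / 4.2.6) and encryption
ACL evaluation (4.2.2). Added illustration in Python, not VRP code: ACL 101
mirrors the 4.4.1 example, everything else is constructed. Wildcard masks use
the usual semantics: a 0 bit must match, a 1 bit is ignored."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str       # "permit" (protect with IPSec) or "deny" (do not protect)
    src: str          # dotted address, or "any"
    src_wild: str     # wildcard mask, ignored when src is "any"
    dst: str
    dst_wild: str


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard mask does not ignore."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (b & keep)


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> Optional[str]:
    """First matching entry decides; None when no entry matches at all."""
    for e in acl:
        if _wildcard_match(src, e.src, e.src_wild) and _wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return None


@dataclass
class SecurityPolicy:
    name: str               # crypto map name; all members of a group share it
    seq: int                # sequence number; smaller means higher priority
    acl: List[AclEntry]     # encryption ACL quoted with 'match address'


def select_policy(group: List[SecurityPolicy], src: str, dst: str) -> Optional[SecurityPolicy]:
    """Walk the group from the smallest sequence number to the largest.
    A permit match selects that policy (its SA protects the packet). A deny
    match or no match means this policy does not apply, so the search goes
    on; when no policy permits the packet it is forwarded without IPSec."""
    for policy in sorted(group, key=lambda p: p.seq):
        if acl_lookup(policy.acl, src, dst) == "permit":
            return policy
    return None


# Access list 101 as configured on Router A in 4.4.1: protect 10.1.1.x -> 10.1.2.x.
ACL_101 = [
    AclEntry("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),
    AclEntry("deny", "any", "", "any", ""),
]
# Constructed second list for a different remote subnet, same trailing deny.
ACL_102 = [
    AclEntry("permit", "10.1.1.0", "0.0.0.255", "10.1.3.0", "0.0.0.255"),
    AclEntry("deny", "any", "", "any", ""),
]
# Constructed group "map1": seq 10 quotes ACL 102, seq 20 quotes ACL 101.
MAP1 = [SecurityPolicy("map1", 20, ACL_101), SecurityPolicy("map1", 10, ACL_102)]


if __name__ == "__main__":
    for src, dst in (("10.1.1.5", "10.1.2.7"), ("10.1.1.5", "10.1.3.9"), ("10.1.1.5", "192.0.2.1")):
        chosen = select_policy(MAP1, src, dst)
        print(src, "->", dst, "protected by seq", chosen.seq if chosen else None)
```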
4.3 Maintenance and Monitoring of IPSec
Please perform the maintenance and monitoring with the following commands in
privileged user mode.
Table SC-4-19 Maintenance and monitoring of IPSec
Operation: Show all created SA
Command: show crypto ipsec sa all
Operation: Show all SA information briefly
Command: show crypto ipsec sa brief
Operation: Show the specific SA information
Command: show crypto ipsec sa entry peer-address { ah | esp } spi-number
Operation: Show global SA lifetime
Command: show crypto ipsec sa lifetime
Operation: Show SA established with specific peer ends
Command: show crypto ipsec sa peer peer-address
Operation: Show all security policy base information
Command: show crypto ipsec sa map map-name [ map-number ]
Operation: Show statistic information related to security messages
Command: show crypto ipsec statistics
Operation: Show configured transform mode
Command: show crypto ipsec transform [ transform-name ]
Operation: Show all security policy base information
Command: show crypto map all
Operation: Show brief security policy base information
Command: show crypto map brief
Operation: Show all security policy base information by name
Command: show crypto map name map-name [ map-number ]
Operation: Clear all SA
Command: clear crypto sa all
Operation: Clear specific SA information
Command: clear crypto sa entry peer-address { ah | esp } [ spi-number ]
Operation: Clear SA of the specified security policy base
Command: clear crypto sa map map-name [ map-number ]
Operation: Clear SA established with specified peer ends
Command: clear crypto sa peer peer-address
Operation: Clear statistic information related to security messages
Command: clear crypto statistics
Operation: Enable debugging information related to IPSec
Command: debug ipsec { sa | packet | misc }
1) Show all created SA
Quidway#show crypto ipsec sa all
Interface: Ethernet 0
  crypto map name: map1
  crypto map sequence: 100
  negotiation mode: isakmp
  in use settings = {tunnel}
  local address: 10.1.1.1
  peer address: 10.1.1.2
  inbound esp SAs:
    spi: 400 (0x190)
    transform: ESP-HARDWARE ESP-AUTH-MD5
    key id: 1
    sa timing: remaining key lifetime (kilobytes/seconds): 432018/90
    max received sequence-number: 358
  outbound esp SAs:
    spi: 300 (0x12c)
    transform: ESP-HARDWARE ESP-AUTH-MD5
    key id: 2
    sa timing: remaining key lifetime (kilobytes/seconds): 430257/90
    max sent sequence-number: 2341
The information above shows the interface to which the SA is applied, the name of the security policy (crypto map) and its sequence number, the negotiation mode, the message encapsulation mode, the local and remote addresses of the security tunnel, and information on the inbound and outbound ESP SAs, such as SPI, transform mode, key id, SA lifetime and the maximum received or sent sequence number.
2) Show all SA information briefly
Quidway#show crypto ipsec sa brief
Src Address   Dst Address   SPI   Protocol   Algorithm
10.1.1.1      10.1.1.2      300   NEW_ESP    E:Hardware; A:HMAC-MD5-96
10.1.1.2      10.1.1.1      400   NEW_ESP    E:Hardware; A:HMAC-MD5-96
The information above shows the source and destination addresses of each SA, its SPI, security protocol, encryption algorithm and authentication algorithm.
3) Show global SA lifetime
Quidway#show crypto ipsec sa lifetime
crypto ipsec sa lifetime: 1843200 kilobytes
crypto ipsec sa lifetime: 3600 seconds
The information above shows the values related to SA lifetime: the traffic-based lifetime is 1843200 kilobytes and the time-based lifetime is 3600 seconds (1 hour).
4) Show statistic information related to security message
Quidway#show crypto ipsec statistics
the security packet statistics:
input/output security packets: 5124/8231
input/output security bytes: 52348/64356
input/output dropped security packets: 0/0
dropped security packet detail:
no enough memory: 0
can't find SA: 0
queue is full: 0
authen failed: 0
invalid length: 0
replay packet: 0
too long packet: 0
invalid SA: 0
The information above shows the statistics for input/output security packets (the total number of packets, the total number of bytes and the number of dropped packets). It also shows the breakdown of dropped packets by cause: not enough memory, failing to find the SA, full queue, failed authentication, invalid length, replayed packet, too long packet and invalid SA.
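A parser for the statistics output above that separates the drop counters worth alerting on (a peer whose SA or key no longer matches, replayed or tampered packets, stale SAs) from resource-related ones, as an added illustration in Python (not VRP code). SAMPLE_OUTPUT is the output shown above; the second sample's non-zero counters are constructed.

```python
"""Parse 'show crypto ipsec statistics' output and flag drop counters worth
investigating. Added illustration in Python, not VRP code: SAMPLE_OUTPUT is the
output shown in section 4.3, SAMPLE_WITH_DROPS has constructed counters."""
import re
from typing import Dict

# Growth in these 'dropped security packet detail' counters points at a peer
# mismatch (SA, SPI or key), a replayed or tampered stream, or a stale SA,
# rather than at memory or queue pressure on the router itself.
SUSPICIOUS_DROPS = ("can't find SA", "authen failed", "replay packet", "invalid SA")

_PAIR = re.compile(r"input/output (?P<what>[\w ]+?):\s*(?P<i>\d+)/(?P<o>\d+)")
_DETAIL = re.compile(r"(?P<name>[A-Za-z' ]+?):\s*(?P<count>\d+)")


def parse_statistics(text: str) -> Dict[str, int]:
    """Map every counter to its value; input/output pairs become 'in ...' / 'out ...'."""
    stats: Dict[str, int] = {}
    summary, _, detail = text.partition("dropped security packet detail:")
    for m in _PAIR.finditer(summary):
        stats["in " + m["what"]] = int(m["i"])
        stats["out " + m["what"]] = int(m["o"])
    for m in _DETAIL.finditer(detail):
        stats[m["name"].strip()] = int(m["count"])
    return stats


def suspicious_drops(stats: Dict[str, int]) -> Dict[str, int]:
    """Non-zero counters from SUSPICIOUS_DROPS, for alerting or trending over time."""
    return {name: stats[name] for name in SUSPICIOUS_DROPS if stats.get(name, 0) > 0}


SAMPLE_OUTPUT = """the security packet statistics:
input/output security packets: 5124/8231
input/output security bytes: 52348/64356
input/output dropped security packets: 0/0
dropped security packet detail:
no enough memory: 0
can't find SA: 0
queue is full: 0
authen failed: 0
invalid length: 0
replay packet: 0
too long packet:0
invalid SA: 0
"""
# Constructed variant: inbound packets failing authentication and replays being dropped.
SAMPLE_WITH_DROPS = (SAMPLE_OUTPUT.replace("dropped security packets: 0/0", "dropped security packets: 23/0")
                     .replace("authen failed: 0", "authen failed: 6")
                     .replace("replay packet: 0", "replay packet: 17"))

if __name__ == "__main__":
    print(suspicious_drops(parse_statistics(SAMPLE_OUTPUT)))       # {}
    print(suspicious_drops(parse_statistics(SAMPLE_WITH_DROPS)))   # authen failed and replay packet
```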
4.4 Typical IPSec Configuration
4.4.1 Creating SA Manually
I. Configuration requirements
Establish a security tunnel between Router-A and Router-B to protect the data streams between the subnet represented by PC-A (10.1.1.x) and the subnet represented by PC-B (10.1.2.x). The security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is sha1-hmac-96.
II. Networking diagram
[Figure SC-4-1 Networking diagram of manually creating SA: PC A (10.1.1.2) -- Router A (10.1.1.1; s0: 202.38.163.1) -- Internet -- Router B (s0: 202.38.162.1; 10.1.2.1) -- PC B (10.1.2.2)]
III. Configuration procedure
Configuration of Router A:
! Configure an access list and define the data stream from Subnet 10.1.1.x to Subnet 10.1.2.x.
Quidway (config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Quidway (config)#access-list 101 deny ip any any
! Create the transform mode named tran1
Quidway (config)#crypto ipsec transform tran1
! Adopt tunnel mode as the message-encapsulating form
Quidway (config-crypto-transform-tran1)#mode tunnel
! Adopt ESP protocol as security protocol
Quidway(config-crypto-transform-tran1)# transform esp-new
! Select authentication algorithm and encryption algorithm
Quidway(config-crypto-transform-tran1)# esp-new encrypt des
Quidway(config-crypto-transform-tran1)# esp-new hash sha1-hmac-96
! Create a security policy with negotiation mode as manual
Quidway(config)# crypto map map1 10 manual
! Quote access list
Quidway(config-crypto-map-map1-10)# match address 101
! Quote transform mode
Quidway(config-crypto-map-map1-10)# set transform tran1
! Set local and peer addresses
Quidway (config-crypto-map-map1-10)#set local-address 202.38.163.1
Quidway (config-crypto-map-map1-10)#set peer 202.38.162.1
! Set SPI
Quidway (config-crypto-map-map1-10)#set session-key outbound esp spi 12345
Quidway (config-crypto-map-map1-10)#set session-key inbound esp spi 54321
! Set session key
Quidway (config-crypto-map-map1-10)#set session-key outbound esp string-key abcdefg
Quidway (config-crypto-map-map1-10)#set session-key inbound esp string-key gfedcba
! Apply security policy group on serial interface
Quidway (config)#interface serial 0
Quidway (config-if-Serial0)#crypto map map1
Configuration of Router B:
! Configure an access list and define the data stream from Subnet 10.1.2.x to Subnet 10.1.1.x.
Quidway (config)#access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Quidway (config)#access-list 101 deny ip any any
! Create the transform mode named tran1
Quidway(config)# crypto ipsec transform tran1
! Adopt tunnel mode as the message-encapsulating form
Quidway (config-crypto-transform-tran1)#mode tunnel
! Adopt ESP protocol as security protocol
Quidway(config-crypto-transform-tran1)# transform esp-new
! Select authentication algorithm and encryption algorithm
Quidway(config-crypto-transform-tran1)# esp-new encrypt des
Quidway(config-crypto-transform-tran1)# esp-new hash sha1-hmac-96
! Create a security policy with negotiation mode as manual
Quidway (config)#crypto map use1 10 manual
! Quote access list
Quidway (config-crypto-map-use1-10)#match address 101
! Quote transform mode
Quidway(config-crypto-map-use1-10)# set transform tran1
! Set local and peer addresses
Quidway (config-crypto-map-use1-10)#set local-address 202.38.162.1
Quidway (config-crypto-map-use1-10)#set peer 202.38.163.1
! Set SPI
Quidway (config-crypto-map-use1-10)#set session-key outbound esp spi 54321
Quidway (config-crypto-map-use1-10)#set session-key inbound esp spi 12345
! Set session key
Quidway (config-crypto-map-use1-10)#set session-key outbound esp string-key gfedcba
Quidway (config-crypto-map-use1-10)#set session-key inbound esp string-key abcdefg
! Exit to global configuration mode
Quidway (config-crypto-map-use1-10)#exit
! Enter serial interface configuration mode
Quidway (config)#interface serial 0
! Apply security policy group on serial interface
Quidway (config-if-Serial0)#crypto map use1
After the above configurations are completed, the security tunnel between Router-A and Router-B is established, and the data stream between Subnet 10.1.1.x and Subnet 10.1.2.x is transmitted with encryption.
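A check that the two manual configurations above really mirror each other (the page's conditions: inbound SPI and key of one side equal to the outbound ones of the other, keys entered in the same mode, identical transform settings, local and peer addresses pointing at each other), as an added illustration in Python. It is not Quidway/VRP code; the sample command lines are constructed to follow the Router A / Router B procedure, and a key entered as hex is used only to show the mode-mismatch case.

```python
"""Mirror check for two manually configured IPSec peers (the 4.4.1 procedure).
Added illustration in Python, not Quidway/VRP code. It reads 'Quidway (mode)# command'
lines and reports what the text says prevents the tunnel: inbound SPI or key of one
side not equal to the outbound one of the other, keys entered in different modes,
differing transform settings, or local/peer addresses that do not match up."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_PROMPT = re.compile(r"^Quidway\s*\((?P<mode>[^)]*)\)#\s*(?P<cmd>.+)$")
_TRANSFORM_PREFIX = "config-crypto-transform-"
# Defaults stated in 4.2.3 and 4.2.4 for a freshly created transform mode.
_TRANSFORM_DEFAULTS = {"mode": "tunnel", "proto": "esp-new", "encrypt": "des", "hash": "md5-hmac-96"}

@dataclass
class RouterConfig:
    transforms: Dict[str, Dict[str, str]] = field(default_factory=dict)  # name -> settings
    local_address: Optional[str] = None
    peer: Optional[str] = None
    transform: Optional[str] = None                                      # quoted by the policy
    spi: Dict[str, int] = field(default_factory=dict)                    # direction -> SPI
    keys: Dict[str, Dict[str, str]] = field(default_factory=dict)        # direction -> {kind: key}

def parse_config(text: str) -> RouterConfig:
    cfg = RouterConfig()
    for line in text.splitlines():
        m = _PROMPT.match(line.strip())
        if not m:
            continue                                   # '! ...' comments and blank lines
        mode, w = m["mode"], m["cmd"].split()
        if mode.startswith(_TRANSFORM_PREFIX):
            t = cfg.transforms.setdefault(mode[len(_TRANSFORM_PREFIX):], dict(_TRANSFORM_DEFAULTS))
            if w[0] == "mode":
                t["mode"] = w[1]
            elif w[0] == "transform":
                t["proto"] = w[1]
            elif w[0] == "esp-new" and w[1] in ("encrypt", "encryption"):
                t["encrypt"] = w[2]
            elif w[0] in ("esp-new", "ah-new") and w[1] == "hash":
                t["hash"] = w[2]
        elif mode.startswith("config-crypto-map-") and w[0] == "set":
            if w[1] == "transform":
                cfg.transform = w[2]
            elif w[1] == "local-address":
                cfg.local_address = w[2]
            elif w[1] == "peer":
                cfg.peer = w[2]
            elif w[1] == "session-key" and len(w) == 6:  # set session-key DIR PROTO KIND VALUE
                direction, kind = w[2], w[4]
                if kind == "spi":
                    cfg.spi[direction] = int(w[5])
                else:                                      # string-key, authen-hex, cipher-hex, ...
                    cfg.keys.setdefault(direction, {})[kind] = w[5]
    return cfg

def check_mirror(a: RouterConfig, b: RouterConfig) -> List[str]:
    """Reasons the tunnel between a and b can not be established; empty when mirrored."""
    problems = []
    if a.peer != b.local_address or b.peer != a.local_address:
        problems.append("local/peer addresses do not point at each other")
    ta, tb = a.transforms.get(a.transform or ""), b.transforms.get(b.transform or "")
    if ta is None or tb is None or ta != tb:
        problems.append("transform settings differ or are missing")
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a.spi.get(mine) != b.spi.get(theirs):
            problems.append(f"A {mine} SPI {a.spi.get(mine)} != B {theirs} SPI {b.spi.get(theirs)}")
        ka, kb = a.keys.get(mine, {}), b.keys.get(theirs, {})
        if set(ka) != set(kb):
            problems.append(f"A {mine} / B {theirs} keys entered in different modes")
        elif ka != kb:
            problems.append(f"A {mine} key != B {theirs} key")
    return problems

# Constructed samples following the Router A / Router B procedure above.
ROUTER_A = """
Quidway(config-crypto-transform-tran1)# transform esp-new
Quidway(config-crypto-transform-tran1)# esp-new encrypt des
Quidway(config-crypto-transform-tran1)# esp-new hash sha1-hmac-96
Quidway(config-crypto-map-map1-10)# set transform tran1
Quidway (config-crypto-map-map1-10)#set local-address 202.38.163.1
Quidway (config-crypto-map-map1-10)#set peer 202.38.162.1
Quidway (config-crypto-map-map1-10)#set session-key outbound esp spi 12345
Quidway (config-crypto-map-map1-10)#set session-key inbound esp spi 54321
Quidway (config-crypto-map-map1-10)#set session-key outbound esp string-key abcdefg
Quidway (config-crypto-map-map1-10)#set session-key inbound esp string-key gfedcba
"""
ROUTER_B = """
Quidway(config-crypto-transform-tran1)# transform esp-new
Quidway(config-crypto-transform-tran1)# esp-new encrypt des
Quidway(config-crypto-transform-tran1)# esp-new hash sha1-hmac-96
Quidway(config-crypto-map-use1-10)# set transform tran1
Quidway (config-crypto-map-use1-10)#set local-address 202.38.162.1
Quidway (config-crypto-map-use1-10)#set peer 202.38.163.1
Quidway (config-crypto-map-use1-10)#set session-key outbound esp spi 54321
Quidway (config-crypto-map-use1-10)#set session-key inbound esp spi 12345
Quidway (config-crypto-map-use1-10)#set session-key outbound esp string-key gfedcba
Quidway (config-crypto-map-use1-10)#set session-key inbound esp string-key abcdefg
"""
```

Calling check_mirror(parse_config(ROUTER_A), parse_config(ROUTER_B)) returns an empty list for the mirrored pair; changing one SPI or entering one key in hex on only one side produces the corresponding finding.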
4.4.2 Creating SA in IKE Negotiation Mode
I. Configuration requirements
Establish a security tunnel between Router-A and Router-B to protect the data streams between the subnet represented by PC-A (10.1.1.x) and the subnet represented by PC-B (10.1.2.x). The security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is sha1-hmac-96.
II. Networking diagram
The same as the above example
III. Configuration procedure
Router-A is configured as follows:
! Configure an access list and define the data stream from Subnet 10.1.1.x to Subnet 10.1.2.x.
Quidway (config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Quidway (config)#access-list 101 deny ip any any
! Create the transform mode named tran1
Quidway(config)# crypto ipsec transform tran1
! Adopt tunnel mode as the message-encapsulating form
Quidway (config-crypto-transform-tran1)#mode tunnel
! Adopt ESP protocol as security protocol
Quidway(config-crypto-transform-tran1)# transform esp-new
! Select authentication algorithm and encryption algorithm
Quidway(config-crypto-transform-tran1)# esp-new encrypt des
Quidway(config-crypto-transform-tran1)# esp-new hash sha1-hmac-96
! Create a security policy with negotiation mode as isakmp
Quidway (config)#crypto map map1 10 isakmp
! Set peer addresses
Quidway (config-crypto-map-map1-10)#set peer 202.38.162.1
! Quote transform mode
Quidway(config-crypto-map-map1-10)# set transform tran1
! Quote access list
Quidway (config-crypto-map-map1-10)#match address 101
! Exit to global configuration mode
Quidway (config-crypto-map-map1-10)#exit
! Enter serial interface configuration mode
Quidway (config)#interface serial 0
! Configure ip address of the serial interface
Quidway(config-if-Serial0)# ip address 202.38.163.1 255.255.255.0
! Apply security policy group on serial interface
Quidway (config-if-Serial0)# crypto map map1
! Configure corresponding IKE
Quidway (config)#crypto ike key abcde address 202.38.162.1
Router-B is configured as follows:
! Configure an access list and define the data stream from Subnet 10.1.2.x to Subnet 10.1.1.x.
Quidway(config)# access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Quidway(config)# access-list 101 deny ip any any
! Create the transform mode named tran1
Quidway(config)# crypto ipsec transform tran1
! Adopt tunnel mode as the message-encapsulating form
Quidway(config-crypto-transform-tran1)# mode tunnel
! Adopt ESP as the security protocol
Quidway(config-crypto-transform-tran1)# transform esp-new
! Select the encryption algorithm and the authentication algorithm
Quidway(config-crypto-transform-tran1)# esp-new encrypt des
Quidway(config-crypto-transform-tran1)# esp-new hash sha1-hmac-96
! Return to global configuration mode
Quidway(config-crypto-transform-tran1)# exit
! Create a security policy whose negotiation mode is isakmp
Quidway(config)# crypto map use1 10 isakmp
! Reference the access list
Quidway(config-crypto-map-use1-10)# match address 101
! Set the peer address
Quidway(config-crypto-map-use1-10)# set peer 202.38.163.1
! Reference the transform mode
Quidway(config-crypto-map-use1-10)# set transform tran1
! Exit to global configuration mode
Quidway(config-crypto-map-use1-10)# exit
! Configure serial interface Serial0
Quidway(config)# interface serial 0
Quidway(config-if-Serial0)# ip address 202.38.162.1 255.255.255.0
! Apply the security policy group on the serial interface
Quidway(config-if-Serial0)# crypto map use1
Quidway(config-if-Serial0)# exit
! Configure the corresponding IKE pre-shared key for the peer
Quidway(config)# crypto ike key abcde address 202.38.163.1
After the above configurations are completed, when messages between Subnet 10.1.1.x and Subnet 10.1.2.x are transmitted between Router-A and Router-B, IKE is triggered to negotiate and establish the SA. After IKE negotiation succeeds and the SA is established, the data stream between Subnet 10.1.1.x and Subnet 10.1.2.x is transmitted encrypted.
Chapter 5 Configuration of IKE
5.1 Brief Introduction to IKE Protocol
I. IKE
IKE, the Internet Key Exchange protocol, is a hybrid protocol that implements the Oakley and SKEME key exchanges within the ISAKMP framework. It defines standards for automatically authenticating IPSec peers, negotiating security services and generating shared keys, and it provides services such as automatic key-exchange negotiation and security association (SA) creation, which simplifies the use and management of IPSec.
IKE has a set of self-protection mechanisms that make it possible to deliver keys securely, authenticate identities and establish IPSec security associations over an insecure network.
IKE uses ISAKMP at two stages:
l The first stage negotiates to create a communication channel and authenticate it, and provides confidentiality, message integrity and message source authentication services for further IKE communication between the two parties.
l The second stage uses the IKE SA created in the first stage to create IPSec SAs.
The following figure shows the relationship between IKE and IPSec.
[Figure: Router A and Router B, each with TCP/UDP, IPSec and IKE layers above IP. IKE performs the SA negotiation between the routers and hands the resulting SA to IPSec on each side; IPSec then carries the encrypted IP messages.]
Figure SC-5-1 Diagram of relationship between IKE and IPSec
II. IKE features
l Avoids manually specifying all IPSec security parameters in the crypto maps of both communication ends.
l Allows specifying the lifetime of IPSec SAs.
l Allows changing the encryption key during an IPSec session.
l Allows IPSec to provide anti-replay service.
l Allows manageable and scalable IPSec to implement certificate authorization support.
l Allows dynamic end-to-end authentication.
5.2 Configuring IKE
5.2.1 IKE Configuration Task List
IKE configuration task list is as follows:
l Create IKE security policy
l Select encryption algorithm
l Select authentication algorithm
l Configure pre-shared key
l Select hashing algorithm
l Select DH group ID
l Set IKE negotiation SA lifetime
5.2.2 Creating IKE Security Policy
I. Why should these policies be created?
IKE negotiation must itself be protected, so each IKE negotiation begins with the two terminals agreeing on a common (shared) IKE policy, which describes the security parameters used to protect the subsequent IKE negotiation.
When the two terminals agree on a policy, the security parameters of that policy are identified by the SA established at each terminal, and these SAs apply to all subsequent IKE communication during the negotiation. Multiple policies with different priorities should be created on each terminal to ensure that at least one policy matches a policy of the remote terminal.
II. Parameters to be defined in policy
l Encryption algorithm: at present only 56-bit DES-CBC (DES in Cipher Block Chaining mode)
l Hashing algorithm: SHA-1 (HMAC variant) or MD5 (HMAC variant)
l Authentication method: RSA signature or RSA real-time encryption
l Diffie-Hellman group ID
l SA lifetime
III. How to form matched policy
When IKE negotiation begins, IKE looks for an IKE policy that is consistent at both terminals. The terminal that originates the negotiation sends all its policies to the remote terminal, and the remote terminal tries to find a match by comparing its own policies, starting with the highest priority, against those received from the originator. A match is made when the policies from the two terminals contain the same encryption, hashing, authentication and Diffie-Hellman parameters and the lifetime specified in the remote terminal's policy is shorter than or equal to the lifetime of the policy it is compared with (if no lifetime is specified, the shorter lifetime of the remote terminal's policy is used). If no acceptable match is found, IKE refuses to negotiate and no IPSec SA is established. If a match is found, IKE completes the negotiation and the IPSec security tunnel is created.
IV. Create IKE policy
The following should be clear before IKE configuration:
l Determine the strength of the authentication algorithm, encryption algorithm and Diffie-Hellman algorithm (that is, the computing resources consumed and the security provided). Different algorithms have different strengths; the stronger the algorithm, the harder it is to break the protected data, but the more resources are consumed. A longer key usually means a stronger algorithm.
l Determine the security protection strength needed in the IKE exchange (including the hashing algorithm, encryption algorithm, identity authentication algorithm and DH algorithm).
l Determine the authentication algorithm, encryption algorithm, hashing algorithm and Diffie-Hellman group.
l Determine the pre-shared key of both parties.
1) Create IKE policy
The user can create multiple IKE policies but must assign a unique priority value to each one. For negotiation to succeed, the two parties must have at least one matching policy, that is, a local policy and a policy on the remote terminal must have the same encryption, hashing, authentication and Diffie-Hellman parameters (the lifetime parameters may differ slightly). If several policies match, the one with the higher priority is selected first.
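The matching rule described in "How to form matched policy" and restated here, as an added Python model (example code, not from the manual or the VRP implementation). The responder walks its policies in priority order, accepts the first pair with identical encryption/hash/authentication/DH parameters whose initiator lifetime is no longer than its own, and uses the shorter lifetime as the IKE SA lifetime; the priority value 65535 for the default policy and the treatment of an unconfigured lifetime as the 86400-second default are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_LIFETIME = 86400   # manual: default IKE SA lifetime (one day)
DEFAULT_PRIORITY = 65535   # assumed value for the lowest-priority default policy


@dataclass(frozen=True)
class IkePolicy:
    """One IKE policy; field defaults follow the manual (des-cbc, sha, pre-share, group 1)."""
    priority: int                      # smaller number = higher priority
    encryption: str = "des-cbc"
    hash_alg: str = "sha"
    authentication: str = "pre-share"
    group: int = 1
    lifetime: Optional[int] = None     # None = not configured, default applies

    def effective_lifetime(self) -> int:
        return DEFAULT_LIFETIME if self.lifetime is None else self.lifetime


def same_parameters(a: IkePolicy, b: IkePolicy) -> bool:
    """Encryption, hash, authentication and DH group must all be identical."""
    return (a.encryption, a.hash_alg, a.authentication, a.group) == \
           (b.encryption, b.hash_alg, b.authentication, b.group)


def select_policy(local: List[IkePolicy],
                  remote: List[IkePolicy]) -> Optional[Tuple[int, int, int]]:
    """Responder-side selection: walk the local policies from highest priority
    and compare each with every policy the initiator sent. A pair matches when
    the parameters are identical and the initiator's lifetime is no longer than
    the local one; the shorter lifetime becomes the IKE SA lifetime.
    Returns (local_priority, remote_priority, sa_lifetime), or None when no
    proposal is acceptable (the NO_PROPOSAL_CHOSEN case of section 5.5)."""
    for mine in sorted(local, key=lambda p: p.priority):
        for theirs in remote:
            if same_parameters(mine, theirs) and \
                    theirs.effective_lifetime() <= mine.effective_lifetime():
                return (mine.priority, theirs.priority,
                        min(mine.effective_lifetime(), theirs.effective_lifetime()))
    return None


# Constructed policy sets modelled on the example in section 5.4:
# Gateway A has policy 10 (MD5 hash, 5000 s) plus the default policy,
# Gateway B has only the default policy.
GATEWAY_A = [IkePolicy(10, hash_alg="md5", lifetime=5000), IkePolicy(DEFAULT_PRIORITY)]
GATEWAY_B = [IkePolicy(DEFAULT_PRIORITY)]


def negotiate_example() -> Optional[Tuple[int, int, int]]:
    """Gateway A initiates; Gateway B (the responder) chooses the policy."""
    return select_policy(local=GATEWAY_B, remote=GATEWAY_A)


if __name__ == "__main__":
    # Only the two default policies agree, so the SA lifetime is the default.
    print(negotiate_example())   # (65535, 65535, 86400)
```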
Please perform the following tasks in global configuration mode.
Table SC-5-1 Create IKE policy
Operation Command
Create IKE policy and enter IKE policy configuration mode crypto ike policy priority
Delete IKE policy no crypto ike policy priority
No IKE security policy is created by default.
5.2.3 Select Encryption Algorithm
There is only one encryption algorithm: 56-bit DES-Cipher Block Chaining (DES-CBC).
Before being encrypted, each plaintext block is XORed with the previous ciphertext block, so identical plaintext blocks do not map to identical ciphertext blocks and security is enhanced.
Please perform the following tasks in IKE policy configuration mode.
Table SC-5-2 Select encryption algorithm
Operation Command
Select encryption algorithm encryption des-cbc
Set the encryption algorithm to the default value no encryption
By default, DES-CBC encryption algorithm (i.e. parameter des-cbc ) is adopted.
5.2.4 Select Authentication Algorithm
There is only one authentication method: pre-shared key.
Please perform the following tasks in IKE policy configuration mode.
Table SC-5-3 Select authentication method
Operation Command
Select authentication method authentication pre-share
Restore the authentication method to the default value no authentication pre-share
By default, the pre-shared key (pre-share) authentication method is adopted.
5.2.5 Set Pre-shared Key
If the pre-shared key authentication method is selected, it is necessary to configure the pre-shared key.
Perform the following tasks in global configuration mode.
Table SC-5-4 Configure pre-shared key
Operation Command
Configure pre-shared key crypto ike key keystring address peer-address
Delete pre-shared key to restore its default value no crypto ike key keystring
By default, both ends of the security channel have no pre-shared keys.
5.2.6 Select Hashing Algorithm
The hashing algorithm is generally used within the HMAC framework. HMAC authenticates messages with a cryptographic hash function and provides a framework into which different hash algorithms, such as SHA-1 and MD5, can be inserted.
There are two hashing algorithm options: SHA-1 and MD5. Both provide data source authentication and integrity protection. MD5 produces a shorter digest, so it is usually considered slightly faster than SHA-1. One kind of attack against MD5 has been demonstrated (though it is very difficult), but the HMAC variant used by IKE prevents such attacks.
Please perform the following tasks in IKE policy configuration mode.
Table SC-5-5 Select hashing algorithm
Operation Command
Select hashing algorithm hash { md5 | sha }
Set hashing algorithm to the default value no hash
By default SHA-1 hashing algorithm (i.e., parameter sha) is adopted.
5.2.7 Select DH Group ID
There are two DH (Diffie-Hellman) group ID options: the 768-bit Diffie-Hellman group (Group 1) or the 1024-bit Diffie-Hellman group (Group 2). The 1024-bit Diffie-Hellman group (Group 2) takes more CPU time.
Please perform the following tasks in IKE policy configuration mode.
Table SC-5-6 Select DH group ID
Operation Command
Select DH group ID group {1 | 2}
Restore the default value of DH group ID no group
By default, 768-bit Diffie-Hellman group (Group 1) is selected.
5.2.8 Set Lifetime of IKE Association SA
The lifetime is how long an IKE SA exists before it becomes invalid. When IKE begins negotiation, the first thing it does is bring the security parameters of the two parties into agreement. The SA refers to the agreed parameters at each terminal, and each terminal keeps the SA until its lifetime expires. Before the SA becomes invalid, subsequent IKE negotiations can reuse it; the new SA is negotiated before the current one becomes invalid.
The shorter the lifetime (down to a critical point), the more secure the IKE negotiation. To save the time spent setting up IPSec, however, a longer IKE SA lifetime should be configured.
If the policy lifetimes of the two terminals differ, the IKE policy can be selected only when the lifetime of the originating terminal is greater than or equal to that of the peer end, and the shorter lifetime is selected as the IKE SA lifetime.
Perform the following tasks in IKE policy configuration mode.
Table SC-5-7 Set lifetime of IKE negotiation SA
Operation Command
Set lifetime of IKE SA lifetime seconds
Set lifetime as the default value no lifetime
By default, SA lifetime is 86400 seconds (a day). It is recommended that the configured
seconds should be greater than 10 minutes.
5.3 Monitoring and Maintenance of IKE
Please perform the monitoring and maintenance in privileged user mode.
Table SC-5-8 Monitoring and maintenance of IKE
Operation Command
Show IKE security association parameters show crypto ike sa
Show IKE security policy show crypto ike policy
Clear an SA clear crypto ike sa connection-id
1) Show IKE SA parameters
Quidway# show crypto ike sa
conn-id peer flags phase doi
1 202.38.0.2 RD|ST 1 IPSEC
2 202.38.0.2 RD|ST 2 IPSEC
Flag meaning: RD--Ready ST--Stayalive RT--Replaced FD--Fading
Execute the following command to clear security association 1.
Quidway# clear crypto ike sa 1
Then the SA display shows the following information:
Quidway# show crypto ike sa
conn-id peer flags phase doi
2 202.38.0.2 RD|ST 2 IPSEC
Flag meaning: RD--Ready ST--Stayalive RT--Replaced FD--Fading
Table SC-5-9 Description of the fields of the show crypto ike sa command
Field Description
conn-id Security channel ID
peer Peer IP address of this SA
flags Status of this SA: NONE means this SA is being established; READY means this SA has been established successfully; STAYALIVE means that a lifetime is negotiated and this SA will be refreshed at a fixed interval; REPLACED means that a timeout has happened; FADING means this SA has been replaced and will be cleared automatically after some time
phase Phase of the SA
doi Interpretation domain of the SA
2) Show IKE security policy
Quidway# show crypto ike policy
Protection suite priority 15
 encryption algorithm: DES - CBC
 hash algorithm: MD5
 authentication method: Pre-Shared Key
 Diffie-Hellman Group: MODP1024
 Lifetime: 5000 seconds, no volume limit
Protection suite priority 20
 encryption algorithm: DES - CBC
 hash algorithm: SHA
 authentication method: Pre-Shared Key
 Diffie-Hellman Group: MODP768
 lifetime: 10000 seconds, no volume limit
Default protection suite
 encryption algorithm: DES - CBC
 hash algorithm: SHA
 authentication method: Pre-Shared Key
 Diffie-Hellman Group: MODP768
 Lifetime: 86400 seconds, no volume limit
The output shows, for each policy, the protection priority, encryption algorithm, hashing algorithm, authentication method, Diffie-Hellman group and IKE SA lifetime.
5.4 Typical Configuration of IKE
I. Networking requirements
l Hosts A and B communicate securely; a security channel is established between security gateways A and B by IKE automatic negotiation.
l Configure an IKE policy on Gateway A, where Policy 10 has the highest priority and the default IKE policy has the lowest priority.
l The pre-shared key authentication method is adopted.
II. Networking diagram
[Figure: Host A connects to Security Gateway A (Serial 0, 202.38.160.1), which connects across the Internet to Security Gateway B (Serial 0, 171.69.224.33), which connects to Host B.]
Figure SC-5-2 Networking diagram of IKE configuration example
III. Configuration procedure
Configuration on Security Gateway A:
! Configure IKE Policy 10
Quidway(config)# crypto ike policy 10
! Specify MD5 as the hashing algorithm used by the IKE policy
Quidway(config-crypto-ike-policy-10)# hash md5
! Use the pre-shared key authentication method
Quidway(config-crypto-ike-policy-10)# authentication pre-share
! Set the IKE SA lifetime to 5000 seconds
Quidway(config-crypto-ike-policy-10)# lifetime 5000
! Return to global configuration mode
Quidway(config-crypto-ike-policy-10)# exit
! Configure the pre-shared key "abcde" for peer 171.69.224.33
Quidway(config)# crypto ike key abcde address 171.69.224.33
Configuration on Security Gateway B:
! Use the default IKE policy on Gateway B and configure the peer authentication word.
Quidway(config)# crypto ike key abcde address 202.38.160.1
The above is the IKE negotiation configuration. To establish an IPSec security channel for secure communication, IPSec must be configured correspondingly. For details, refer to the configuration examples in the chapter on IPSec configuration.
5.5 IKE Fault Diagnosis and Troubleshooting
When configuring the parameters used to establish an IPSec security channel, you can use the debug ike error command to enable IKE error debugging, which helps find configuration problems. The problems are described below.
Problem 1: Invalid user ID information
Troubleshooting: follow the steps below.
User ID information is the data with which the user originating IPSec communication identifies itself. In practice, the user ID can be used to establish different security paths protecting different data streams. At present the user IP address is used to identify the user.
After the debug ike error command is enabled, the following debugging information is displayed:
got NOTIFY of type INVALID_ID_INFORMATION
or
drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION
Check whether the ACLs referenced by the crypto maps configured on the interfaces of both ends are compatible. It is recommended that the ACLs of the two ends be configured to mirror each other.
Problem 2: Unmatched policy
Troubleshooting: follow the steps below.
Enable the debug ike error command; you will see the following debugging information:
got NOTIFY of type NO_PROPOSAL_CHOSEN
or
drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN
The two parties of the negotiation have no matching policy. Check the protocols used by the crypto maps configured on the interfaces of both parties to see whether the encryption algorithm and authentication algorithm are the same.
Problem 3: Unable to establish security channel
Troubleshooting: follow the steps below.
Check whether the network is stable and whether the security channel has been established correctly. Sometimes a security channel exists but no communication is possible, even though the ACLs of both parties are configured correctly and there is a matching policy. In this case the problem is usually caused by one router restarting after the security channel was established.
Solution:
l Check whether the network is stable and whether the security channel has been properly established. You may encounter the following situation: the two parties cannot communicate via the existing security channel, although the access control lists of both parties have been properly configured and there is a matching policy. This case is generally caused by one party restarting its router after the security channel was established.
l Use the command show crypto ike sa to check whether both parties have established the Phase 1 SA.
l Use the command show crypto ipsec sa map to check whether the crypto map on the interface has established the IPSec SA.
l If the above two results show that one party has an SA but the other does not, use the command clear crypto ike sa to clear the stale SA and re-originate the negotiation.
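The asymmetric-SA check from Problem 3, as an added Python example (not from the manual or the VRP software): it parses the `show crypto ike sa` output format shown in section 5.3 from both gateways and reports the phases for which only one side holds a READY SA toward the other, which is the case the manual resolves with clear crypto ike sa. The outputs and the local address 202.38.0.1 are constructed; the first one reuses the sample rows from section 5.3.

```python
import re
from typing import Dict, List, Set

# Matches one SA row of 'show crypto ike sa': conn-id peer flags phase doi
SA_ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+([12])\s+(\S+)\s*$")


def parse_ike_sa(output: str) -> List[Dict]:
    """Turn the command output into records; header and 'Flag meaning' lines are skipped."""
    records = []
    for line in output.splitlines():
        m = SA_ROW.match(line)
        if m:
            records.append({"conn_id": int(m.group(1)), "peer": m.group(2),
                            "flags": set(m.group(3).split("|")),
                            "phase": int(m.group(4)), "doi": m.group(5)})
    return records


def ready_phases(records: List[Dict], peer: str) -> Set[int]:
    """Phases for which a READY (RD) SA toward the given peer exists."""
    return {r["phase"] for r in records if r["peer"] == peer and "RD" in r["flags"]}


def asymmetric_phases(local_output: str, peer_addr: str,
                      remote_output: str, local_addr: str) -> List[int]:
    """Phases where exactly one side holds a READY SA toward the other.
    A non-empty result is the 'one party has SA but the other does not'
    condition described under Problem 3."""
    mine = ready_phases(parse_ike_sa(local_output), peer_addr)
    theirs = ready_phases(parse_ike_sa(remote_output), local_addr)
    return sorted(mine ^ theirs)


# Constructed outputs: gateway 202.38.0.1 still holds both SAs toward
# 202.38.0.2 (rows from section 5.3), while 202.38.0.2 shows none after a restart.
LOCAL_OUTPUT = """Quidway# show crypto ike sa
conn-id peer flags phase doi
1 202.38.0.2 RD|ST 1 IPSEC
2 202.38.0.2 RD|ST 2 IPSEC
Flag meaning: RD--Ready ST--Stayalive RT--Replaced FD--Fading
"""
REMOTE_OUTPUT = """Quidway# show crypto ike sa
conn-id peer flags phase doi
Flag meaning: RD--Ready ST--Stayalive RT--Replaced FD--Fading
"""

if __name__ == "__main__":
    # [1, 2]: both phases are one-sided, so clear crypto ike sa and renegotiate
    print(asymmetric_phases(LOCAL_OUTPUT, "202.38.0.2", REMOTE_OUTPUT, "202.38.0.1"))
```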