Page 1 Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 (323257-A)
Page 2 Nortel Networks. Except as expressly authorized in writing by Nortel Networks, the holder is granted no rights to use the information contained herein and this document shall not be published, copied, produced or reproduced, modiﬁed, translated, compiled, distributed, displayed or transmitted, in whole or part, in any form or media.
Page 3: Table Of Contents
NAT failover for ﬁrewalls 30 Scalability Interoperability with CS 1000 and MCS 5100 call servers 30 Cone NAT for CS 1000 30 Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 4 Perfect forward secrecy 57 Dead peer detection 58 Security Policy Database 59 PMTU support 59 Firewall considerations with VPN 59 Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 5: Contents
Firewall and NAT conﬁguration Conﬁguring global properties 79 Conﬁguring global ALGs 79 Conﬁguring global bypass trusted 80 Conﬁguring global DOS protection Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 6 Conﬁguring the IKE policy local ID 119 Conﬁguring the IKE policy remote ID 120 Conﬁguring the IKE mode 120 Conﬁguring the IKE exchange type 121 Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 7 Authenticating the CA and importing a CA certiﬁcate Generating a certiﬁcate request for enrollment 170 Manually importing a self certiﬁcate 171 Manually importing an OCSP Responder certiﬁcate 171 Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 8 Conﬁguring path MTU discovery for tunnel packets 186 Conﬁguring the tunnel as an untrusted interface for IPsec protection 187 Conﬁguring tunnel protection with IPsec 187 Conﬁguring tunnel ToS 188 Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 9: Contents
Conﬁguring 802.1x 209 Conﬁguring 802.1x on an Ethernet interface 209 Enable 802.1x on the interface 209 Conﬁguring the maximum failed requests 210 Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 10 Conﬁguration examples Conﬁguring an IPv4 packet ﬁlter 229 Conﬁguring an IPv6 packet ﬁlter 229 Conﬁguring a MAC packet ﬁlter 230 Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 11: Contents
Capabilities 253 Secure router conﬁguration for BGP 254 Secure router conﬁguration for OSPF 255 Secure router conﬁguration for RIPv2 255 Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 13: New In This Release
New in this release The following section details what is new in Nortel Secure Router 4134 Security — Conﬁguration and Management (NN47263-600). Features See the following sections for information about supported features: Firewall and NAT The SR4134 implements a stateful inspection ﬁrewall. The stateful inspection ﬁrewall relies on building network connections and monitoring...
Page 14: Packet Filter
Remote access VPN For information on IPsec VPN fundamentals, see (page 43). For conﬁguration information, see (page 117). Copyright © 2007, Nortel Networks 21). For conﬁguration information, see 79). Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 15: Gre And Ipip Tunneling
PPPoE client session is established with a PPPoE server and trafﬁc is routed through this path until the primary connectivity is restored. For information on PPPoE client fundamentals, see fundamentals" (page conﬁguration" (page Copyright © 2007, Nortel Networks 65). For conﬁguration information, see 181). 69). For conﬁguration information, see 191).
Page 16: Authentication, Authorization, And Accounting
All accounting methods must be deﬁned through AAA. As with authentication and authorization, you conﬁgure AAA accounting by deﬁning a named list of accounting methods, and then applying that list to various interfaces Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 17: Ssh2
It is a protocol for secure remote login and other secure network services over an insecure network. It also supports compression. For information on SSH2 fundamentals, see 75). For conﬁguration information, see Copyright © 2007, Nortel Networks 71). For conﬁguration information, see "SSH2 conﬁguration" (page Nortel Secure Router 4134 Security —...
Page 19: Introduction
"PPPoE client conﬁguration" (page 191) • "AAA conﬁguration" (page 197) • "SSH2 conﬁguration" (page 217) • "Conﬁguration examples" (page 229) Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 21: Firewall And Nat Fundamentals
In a typical setup, only outbound rules are deﬁned to permit or deny certain types of trafﬁc. When allowing a packet Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 22: Stateful Inspection Elements
The SR4134 does not trust inbound connections on interfaces that are in the untrusted internet zone. These connections are blocked by default. Only interfaces from within a trusted zone are trusted to start new connections. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 23: Transit Policies On Trusted Zones Only
Outside of the internet zone, all other zones on the router are trusted zones. No trafﬁc is allowed into a trusted zone unless a session is initiated from within that zone. By default, all outbound connections from the trusted zone are allowed and all inbound connections are denied.
Page 24: Default Firewall
• Internet – The public untrusted network In this conﬁguration, untrusted SSH and IKE connections to the router itself are allowed. Trusted and untrusted HTTP connections to a DMZ web server are allowed. And the default, corp trusted zone with all outbound connections are allowed.
Page 25: Firewall Network Protection Features
• HTTP: allows for blocking of ActiveX, Java, jar and wild carded ﬁle extensions (such as *.gif, *.jpg) Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 26: Policy-Based Controls
Per virtual ﬁrewall basis: number of packets from and to the untrusted zone • Per connection basis: number of bytes received and transmitted Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 27: Alg Overview
H.323 (ASN1 PER encoding and decoding included) • NetMeeting • Intel Video Phone • CuseeMe 5.0 • Communication • Internet Chat Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007 ALG Overview 27...
Page 28: Nat Overview
• SIP ALG interoperability with Nortel MCS clients The SR4134 ﬁrewall supports a SIP ALG that enables Nortel MCS Clients, in tandem with the MCS 5100 Server, to complete calls via application-level address translation. It also dynamically opens the necessary pinholes for media trafﬁc to traverse the ﬁrewall.
Page 29: Static Nat
Typically, the range of external IP addresses is less than the number of internal addresses on the trusted side. Each time a request is made from a host on the private network, the router chooses an external IP address that is currently unused, and then performs the translation. Dynamic NAT picks external IP addresses in a round robin fashion to perform the translation.
Page 30: Nat Failover For Firewalls
(or echo server). To properly interact with STUN for NAT traversal, you must conﬁgure the NAT as a Cone NAT. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 31: Nortel Secure Router
ﬁrewall. The SIP ALG enables Nortel MCS Clients, in tandem with the MCS Server, to complete calls through application-level address translation. As shown in the following ﬁgure, all SIP trafﬁc can be divided into two types depending on the origination and termination point.
Page 32 SIP port, 5060. The SIP ALG translates the private IP address and port of the internal client in the outgoing SIP message body Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 33 The SIP ALG cannot work if the SIP messages are encrypted. If the SIP ALG encounters an encrypted packet, it cannot decipher the contents. However, if the Secure Router is the system operating both the ALG and the VPN, then there is no issue. Only when packets are encrypted by other devices do they become opaque to the Secure Router ﬁrewall.
Page 34 In this scenario, there can be only one MCS server behind the Firewall/NAT, supported by a single proxy NAT command. Figure 5 SIP trunk side conﬁguration Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 35: Nat Hairpinning
STUN • SIP-ALG Hairpinning is supported with the CS 1000 series call servers and Nortel IP Phones implementing a STUN-aware protocol and with the MCS 5100 implementing SIP. A limitation with SR4134 is that hairpinning and self policies are mutually exclusive on the router.
Page 36: Standards Compliance
RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations – Except support for twice NAT and RSIP • RFC 2694, DNS Extensions to Network Address Translators (DNS_ALG) Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 37: Packet Filter Fundamentals
ﬁlter can be applied. With Ethernet module interfaces, packet ﬁlters can only be applied to the inbound direction. There is no packet ﬁltering in the outbound direction. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 38: Maximum Allowable Filter Rules On Ethernet Modules
IGMP message types: ﬁlters can restrict IGMP trafﬁc to a limited set of message types. For example, the Group Membership Query packets can be refused. Copyright © 2007, Nortel Networks ATTENTION Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 39: Ipv6 Packet Filters
2. Keywords ﬁn, syn, ack, psh, rst and urg can be used to match the corresponding TCP header ﬂags. You can specify multiple TCP ﬂag Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 40: Mac Packet Filters
Each packet ﬁlter list can have up to 2000 rules attached to it. Ethernet module limits Ethernet module interfaces can only bind packet ﬁlters to the inbound direction. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 41: Conﬁguration Considerations
• The order in which you enter the ﬁltering rules is important. As the Secure Router 4134 is evaluating each packet, the OS tests the packet against each rule statement sequentially. After a match is found, no more rule statements are checked. For example, if the ﬁrst rule you create is a statement that explicitly permits all trafﬁc, all trafﬁc is passed...
Page 43: Ipsec Vpn Fundamentals
There are two basic types of VPN, each with an associated set of business requirements: • Site-to-Site VPN Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 44: Site-To-Site Vpn
In its basic conﬁguration, site-to-site VPN connects two remote ofﬁces or a branch ofﬁce to headquarters. In this case, each site is connected to the Internet through a secure router. The objective of the site-to-site VPN is to create a secure tunnel between the two secure routers through the Internet.
Page 45 Many to Many: connects many sites to many other sites in a mesh topology. In this case, communication is carried directly from one site to the next. Figure 8 Mesh VPN Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 46: Remote Access Vpn
Mode conﬁguration is used, and optionally Xauth. The SR4134 supports the following Safenet IPsec clients for remote access VPN connections. Figure 9 Remote access Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 47: Remote Access Vpn With L2Tp Server
IKE authenticates the VPN server and client, and PPP authenticates the user via a password/login prompt. User Authentication can be handled by a user list on the Secure Router, or through a RADIUS server. RADIUS servers can interact with Windows...
Page 48: Supported Ipsec Security Protocols
Negotiation of security parameters between IKE peers • Authentication of IKE peers (using certiﬁcates or pre-shared key) • Key Generation for encryption and hashing Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 49: Ike Modes
(that is, no NAT in the middle) between the peers and can therefore use main mode with identity protection. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 50: Peer Authentication Methods For Ike
Veriﬁcation of the signature provides authentication of the peers. This method is more secure, but requires a Public Key Infrastructure using X.509 digital certiﬁcates. RSA and DSS Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 51: User Authentication For Remote Access Vpn
Signature based IKE authentication (RSA/DSS) provides an explicit form of peer authentication after the Difﬁe Hellman exchange. Digital Signature Authentication involves public key cryptography and is a stronger and Copyright © 2007, Nortel Networks "Digital Certiﬁcates in IKE" (page Nortel Secure Router 4134 Security —...
Page 52: Internet X.509 Pki Certiﬁcate And Crl Proﬁle
In order conﬁrm the validity of the certiﬁcate, the CA periodically publishes a certiﬁcate revocation list (CRL) which contains the list of serial numbers of the revoked certiﬁcates. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 53: Certiﬁcate Enrollment Using Scep Client
In the CRL method, there can be a lag between the CA publishing an updated CRL and the SR4134 downloading the same CRL, creating a window of vulnerability. In this period, the router does not have a fool proof mechanism for validating the certiﬁcate. OCSP is used to overcome this vulnerability.
Page 54: Manual Certiﬁcate Enrollment
54 IPsec VPN fundamentals The secure router can use the certiﬁcates in IKE to establish IPsec security associations between two gateways. Manual certiﬁcate enrollment As an alternative to SCEP, the SR4134 also supports manual certiﬁcate enrollment. The steps that you must follow for manual enrollment are as follows: •...
Page 55: Multiple Ipsec Proposals
1 or ESP with proposal choice set 2. The following example illustrates some of the possibilities: 1. ESP AND AH with 3DES, SHA1,2000 seconds, tunnel mode Copyright © 2007, Nortel Networks Values PSK, RSA-SIG, DSS-SIG DES, 3DES, AES-128,...
Page 56: Identifying Trafﬁc To Be Encrypted With Vpn
This command allows you to specify at minimum the source IP address (or range) and destination IP address (or range) of the protected stream. Additional ﬁlter options are also available to specify a more granular stream. Copyright © 2007, Nortel Networks Values DES, 3DES, AES-128, AES-192, AES-256, null...
Page 57: Firewall Considerations For Trusted And Untrusted Vpn Interfaces
This command identiﬁes the interface as the source of tunnel trafﬁc. If trafﬁc meeting the match ﬁlter rules enters the router through an interface that is not identiﬁed as crypto trusted, the trafﬁc is not encrypted using the VPN.
Page 58: Dead Peer Detection
ACKs, the IKE phase 1 SA and all relevant IPsec SAs to the peer are torn down. After the tear down, if the router has trafﬁc to the same destination, the router attempts to re-negotiate IKE with the peer.
Page 59: Security Policy Database
Finally, to support L2TP and IPsec remote access VPN, in addition to allowing the IKE port connection, you must conﬁgure an inbound self ﬁrewall policy in the internet zone that allows L2TP connections to UDP port 1701. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 60: Qos Over Vpn
To enable this conﬁguration, packets arriving at the ingress point on the Ethernet interface must be marked with DSCP. For more information on QoS conﬁguration, see Nortel Secure Router 4134 Conﬁguration – Trafﬁc Management (NN47263-601). Crypto QoS (CBQ) for IPsec VPN The SR4134 crypto engine preforms encryption and hashing of packets for IPsec VPN tunnels.
Page 61 This bandwidth is used to calculate the average interface bandwidth using the exponentially weighted moving average. This ensures low latency without sacriﬁcing the interface bandwidth. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 62: Logging And Statistics
62 IPsec VPN fundamentals For more information on QoS conﬁguration, see Nortel Secure Router 4134 Conﬁguration – Trafﬁc Management (NN47263-601). Logging and Statistics VPN provides logging support on a global level, this logging can be on a system console or telnet session of a syslog server. Statistics are maintained for the number of packets and bytes processed in the inbound and outbound direction for each SA.
Page 63 PKI standards RFC number PKCS #1 PKCS #3 PKCS #7 PKCS #10 RFC2511 Copyright © 2007, Nortel Networks Description A Traffic-Based Method of Detecting Dead IKE Peers Network Address Translation (NAT) Compatibility Requirements IP in IP tunneling Generic Routing Encapsulation (GRE)
Page 64 RFC2560 RFC3494 Table 5 L2TP standards RFC number RFC2661 RFC3193 Copyright © 2007, Nortel Networks Description Internet X.509 Public Key Infrastructure Online Certificate Status Protocol Lightweight Directory Access Protocol version 2 (LDAPv2) description Layer 2 Tunnel Protocol (L2TP) Securing L2TP using IPsec Nortel Secure Router 4134 Security —...
Page 65: Gre And Ipip Tunneling Fundamentals
IP header, allowing intermediate routers to fragment or not depending on the value of the DF bit. IP Fragmentation is supported for IP packets that exceed the MTU after insertion of the GRE/IPIP header. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 66: Ipip
IPv6 domains over an IPv4 backbone. An IPv6 address is manually conﬁgured on a tunnel interface, and manually conﬁgured IPv4 addresses are assigned to the tunnel source and the tunnel destination. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 67: Ipv6 Over Ipv4 Gre Tunnels
The host or router at each end of a conﬁgured tunnel must support both the IPv4 and IPv6 protocol stacks. Manually conﬁgured tunnels can be conﬁgured between border routers or between a border router and a host. The entry tunnel end point (the encapsulating node) encapsulates the IPv6 packet with an IPv4 header with the conﬁgured IPv4 tunnel source...
Page 68 • RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers • RFC 3056, Connection of IPv6 Domains via IPv4 Clouds Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 69: Pppoe Client Fundamentals
The PPPoE client can learn its IP address from the remote PPPoE server. • The PPP session sends keepalives at a regular interval to detect PPPoE server failure. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 70: Standards Compliance
Conﬁgure the Ethernet interface on which PPPoE is running in the internet security zone. To allow trafﬁc to pass through the ﬁrewall, at least one other router interface must be conﬁgured in a trusted ﬁrewall zone (for example, corp).
Page 71: Authentication, Authorization, And Accounting Fundamentals
(ISP). Almost all network operating system remote servers support PAP. PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure.) Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 72: Chap Authentication
The client is the network access point between the remote users and the server. RADIUS authentication allows a remote server to authenticate users attempting to log on to the router from the local console or Telnet. TACACS Terminal access controller access control system (TACACS+) is a security...
Page 73: Eap Ieee 802.1X
You can use EAPoL to set up network access control on internal LANs and to exchange authentication information between any end station or server connected to the Secure Router and an authentication server (such as a RADIUS server). This security feature extends the beneﬁts of remote authentication to internal LAN clients.
Page 74: Authorization
AAA to determine the user’s actual capabilities and restrictions. The database can be located locally on the router or it can be hosted remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for speciﬁc rights...
Page 75: Ssh2 Fundamentals
The secure FTP (SFTP) client is used for secure interactive ﬁle transfer, similar to FTP. The SR4134 supports the SSH server, but not SSH clients. Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 76: Ssh Ciphers
SSH uses GNU ZLIB (LZ77) for compression. The ZLIB compression is described in RFC 1950 and in RFC 1951. By default, compression is enabled. Copyright © 2007, Nortel Networks Description 3 key DES in CBC mode Blowfish in CBC mode...
Page 77: Ssh Key Exchange Methods
The SSH client is authenticated to the SSH server using one of the following methods: Table 10 SSH user authentication methods Name public key password Copyright © 2007, Nortel Networks Description DH Group exchange draft draft-ietf-secsh-dh-grou p-exchange-03.txt Description Simple DSS for signature Simple RSA for signature...
Page 78: Ssh Public Key File Formats
SSH Fingerprint Format • draft-ietf-secsh-publickeyﬁle-03.txt: SSH Public Key File Format • draft-ietf-secsh-assignednumbers-01.txt: SSH Protocol Assigned Numbers Copyright © 2007, Nortel Networks Description openssh format The key generation command will generate public key file in this format draft-ietf-secsh-publickeyfile-03.txt Use key conversion command to convert between openssh...
Page 79: Firewall And Nat Conﬁguration
To specify global ALG conﬁguration, enter: algs To enable or disable the speciﬁed ALGs, enter: [no] {<alg>|enable-all} Table 12 Variable deﬁnitions Variable <alg> Copyright © 2007, Nortel Networks —End— Value aim enable/disable aim aimudp enable/disable nntp cuseeme enable/disable cuseeme dns enable/disable dns ftp enable/disable ftp...
Page 80: Conﬁguring Global Bypass Trusted
To enter conﬁguration mode, enter: configure terminal To specify global ﬁrewall conﬁguration, enter: firewall global To conﬁgure global bypass trusted, enter: [no] bypass-trusted Copyright © 2007, Nortel Networks Value ike enable/disable nntp ils enable/disable ils ils2 enable/disable nntp irc enable/disable irc...
Page 81: Conﬁguring Global Dos Protection
Variable deﬁnitions Variable Value <dos-protect-opt enable-all ion> dns-replay-attack Copyright © 2007, Nortel Networks Value Disables bypass trusted. —End— Enables/disables all DOS protect checks. Enables/disables DNS replay attack check. A DNS replay attack occurs when an individual intercepts traffic, analyzes the captured packets and obtains authentication information.
Page 82 Copyright © 2007, Nortel Networks When this command is enabled, the DNS connection limit is 2000. By default, this option is enabled. Enables/disables FTP bounce check. In a bounce attack, the hacker uploads a file to the FTP (File Transfer Protocol) server and then requests this file to be sent to an internal server.
Page 83: Conﬁguring Global Nat Hairpinning
To specify global ﬁrewall conﬁguration, enter: firewall global To enable or disable hairpinning, enter: [no] hairpinning-SelfIp Copyright © 2007, Nortel Networks Enable/disables TCP sequence number check. Prevents attempts to predict IP sequence numbers. If an attacker can predict the initial sequence number in the TCP (Transport Control Protocol) handshake, the attacker may be able to hijack the TCP session.
Page 84: Conﬁguring Global Ip Reassembly
Specify the IP reassembly fragment count to control the maximum number of fragments allowed per IP packet. This value limits the number of fragments into which a packet can be fragmented. Procedure steps Copyright © 2007, Nortel Networks Value Disables hairpinning. —End—...
Page 85 To specify global ﬁrewall conﬁguration, enter: firewall global To specify global IP reassembly conﬁguration, enter: ip-reassembly To conﬁgure fragment size, enter: fragment-size <1 - 65535> Copyright © 2007, Nortel Networks —End— Value Specifies the maximum number of fragments allowed per IP packet. Default value: 44.
Page 86 Set the IP reassembly timeout value. If a fragmented packet is not reassembled within this time limit, the packet is discarded. Procedure steps Step Action To enter conﬁguration mode, enter: Copyright © 2007, Nortel Networks Value Fragment header length. Default value: 28. —End— Value Specifies the size of the IP packet for reassembly.
Page 87: Conﬁguring Global Logging
To specify global ﬁrewall conﬁguration, enter: firewall global To specify global logging conﬁguration, enter: logging To conﬁgure attack logging, enter: attacks <1-2147483647> Copyright © 2007, Nortel Networks —End— Value Time value in seconds (default: 60) —End— Nortel Secure Router 4134 Security —...
Page 88 To conﬁgure policy logging, enter: policy <1-2147483647> Table 21 Variable deﬁnitions Variable <1-2147483647> Copyright © 2007, Nortel Networks Value Number of attacks logging events (default:100) —End— Value Specifies the events threshold for policy logging. Default value: 1. Nortel Secure Router 4134 Security —...
Page 89: Conﬁguring Global Maximum Connection Limits For The Firewall
To enter conﬁguration mode, enter: configure terminal To specify global ﬁrewall conﬁguration, enter: firewall global To conﬁgure maximum connection limits, enter: Copyright © 2007, Nortel Networks —End— Value Specifies the events threshold for VPN logging. Default value:100. Nortel Secure Router 4134 Security —...
Page 90: Conﬁguring Nat Failover
To specify global ﬁrewall conﬁguration, enter: firewall global To conﬁgure NAT failover, enter: nat-failover <primary-interface-name> <secondary-inte rface-name> Copyright © 2007, Nortel Networks —End— Value Specifies the number of allowed connections. Specifies maximum number of global self connections. Specifies maximum number of global connections from internet to self.
Page 91: Conﬁguring Proxy Nat
To specify timeout conﬁguration, enter: timeout To conﬁgure general timers , enter: general {tcp | udp | tcp-reset | icmp | ftp-inactivity | dns-inactivity} <0-65535> Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 92 To specify timeout conﬁguration, enter: timeout To conﬁgure service record timers , enter: service <service-name> {tcp | udp} <port-number> <0-65535> Copyright © 2007, Nortel Networks —End— Value Specifies the timeout in seconds. tcp: Specifies the Transport Control Protocol timeout.
Page 93: Conﬁguring Global Url Key Filters
Variable deﬁnitions Variable <key-names> [no] Conﬁguring port trigger records Conﬁgure a port trigger record. Copyright © 2007, Nortel Networks Value Specifies the name of the service. Specifies the timeout in seconds. tcp: TCP timeout udp: UDP timeout Specifies the TCP or UDP port number.
Page 94: Procedure Steps
Variable <record-name> port {<start-port> <end-port>} [protocol {tcp | udp}] [address <src-ip>] Copyright © 2007, Nortel Networks —End— Value Port trigger record name. Port trigger ports. Port trigger protocol. Default is TCP. Source IP address for port-trigger. Enter a valid IP address, or any.
Page 95: Conﬁguring Policy-Speciﬁc Properties
[http-filter <object-name> {deny | log} <web-extension s>] [nat-pool <object-name> {static | dynamic | pat} <NAT-startip> <NAT-endip>] Copyright © 2007, Nortel Networks Conﬁguring policy-speciﬁc properties 95 Value Specifies the protocol (TCP or UDP) and the port numbers (start and end port) to open in the same...
Page 96 <minutes>] [service <object-name> {tcp | udp} <port>] [smtp-filter <object-nam e> {permit | deny | log} <smtp-commands>] Copyright © 2007, Nortel Networks —End— Value IP address object. Can be specified as <start-address> <end-address> or <address> <prefix-len> List of FTP commands to permit (for example: put, get, ls, mkdir, cd, pasv).
Page 97: Conﬁguring Connection Reservations
To enter conﬁguration mode, enter: configure terminal To specify the map name to conﬁgure, or global ﬁrewall conﬁguration, enter: firewall {global | <map-name>} Copyright © 2007, Nortel Networks Conﬁguring policy-speciﬁc properties 97 —End— Value out: outbound direction in: inbound direction Number of connections to reserve.
Page 98: Conﬁguring Stealth Mode
Variable deﬁnitions Variable [<map-name>] [no] Conﬁguring ﬁrewall policies Conﬁgure ﬁrewall policies for a speciﬁc map. The maximum number of policies for each map is 1024. Copyright © 2007, Nortel Networks —End— Value Disables reset-invalid-acks. —End— Value Specifies the map name.
Page 99 {out|in} [action {permit | deny | reject}] [address <ipaddress>] [service <service-name >] Copyright © 2007, Nortel Networks Conﬁguring policy-speciﬁc properties 99 —End— Value Specifies the map priority, and also uniquely identifies the map. Specifies the traffic direction in which the policy is applied.
Page 100: Applying An Object To A Policy
<map-name> To specify the ﬁrewall policy to conﬁgure, enter: policy <1-1024> {out|in} To apply an object to the policy, enter: apply-object <object-type> <object-name> Copyright © 2007, Nortel Networks Value Can be one of the following: icmp Can be specified as <src-start>...
Page 101: Conﬁguring Bandwidth For The Policy
To specify the bandwidth for the policy in kilobytes per second, enter: [no] bandwidth <1-4194303> Table 34 Variable deﬁnitions Variable <1-4194303> [no] Copyright © 2007, Nortel Networks Conﬁguring policy-speciﬁc properties 101 Value Specifies the object type. Valid options are: ftp-filter http-filter smtp-filter...
Page 102: Conﬁguring The Maximum Connections For The Policy Within A Conﬁgured Timeframe
Procedure steps Step Action To enter conﬁguration mode, enter: configure terminal Copyright © 2007, Nortel Networks —End— Value Specifies the maximum number of connections. Disables the feature. Specifies the sample time in seconds. Valid range is 1-36000. If not specified, the default value is used (1 second).
Page 103: Conﬁguring Policing For The Policy
To specify the ﬁrewall policy to conﬁgure, enter: policy <1-1024> {out|in} To conﬁgure policing for the policy, in packets per second, enter: [no] policing <1-2147483647> Copyright © 2007, Nortel Networks Conﬁguring policy-speciﬁc properties 103 —End— Value Specifies the maximum number of connections for the policy.
Page 104: Enabling The Policy
Add one or more interfaces to a map. Up to 32 interfaces can be added to one zone, with a maximum of ﬁve interfaces speciﬁed at one time. Copyright © 2007, Nortel Networks Value Specifies the maximum number of packets per second.
Page 105: Displaying Firewall Information
<map-name> [address <A.B.C.D>] [port <port>] [protocol <protocol>] [summary] hairpinning interface <map-name> ip-reassembly logging maps max-connection-limit <map-name> Copyright © 2007, Nortel Networks —End— Value The interface can be specified as one of the following: ethernet<slot/port> <bundle-name> <bundle-name>:<pvc-number> Up to five interfaces, separated by spaces, can be listed at once.
Page 106: Clearing Firewall Connections
To clear ﬁrewall connections, enter: clear firewall connection {<ip-address>|all} Clearing ﬁrewall statistics Step Action To clear ﬁrewall statistics, enter: clear firewall statistics Copyright © 2007, Nortel Networks —End— —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 107: Packet Filter Conﬁguration
[icmpcode <icmp-code>] [igmptype <igmp-type>] [precedence <precedence>] [dscp <dscp>] [tos <tos>] [flags <tcp-flags>] [fragments {on|off}] [log {on|off}] [expire <expiry-time>] Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 108 <dst-address> [sport <src-port>] [dport <dst-port>] [icmptype <icmp-type>] [icmpcode <icmp-code >] Copyright © 2007, Nortel Networks Value Specifies the action to perform when a packet matches the filter rule: permit: allow the packet to cross the filter deny: drop the packet Specifies the name or number of an Internet protocol.
Page 109 Variable [igmptype <igmp-type>] [precedence <precedence>] [tos <tos>] [dscp <dscp>] [flags <tcp-flags>] [fragments {on|off}] [log {on|off}] [expire <expiry-time>] [no] Copyright © 2007, Nortel Networks Value Specifies the IGMP type: group-query v1-report dvmrp trace v2-report v2-leave mtrace-response mtrace v3-report mrt or 0-12 Specifies the IP header precedence value to be filtered.
Page 110: Conﬁguring Ipv6 Packet Filters
Variable deﬁnitions Variable {permit | deny} {tcp | udp | icmp | ip | igmp | <0-255>} Copyright © 2007, Nortel Networks —End— Value Specifies the action to perform when a packet matches the filter rule: permit: allow the packet to cross the filter...
Page 111 [dscp <dscp-value>] [flowlabel <flowlabel-va lue>] [flags <tcp-flags>] [routing {on|off}] Copyright © 2007, Nortel Networks Value Specifies the source host or network address, in format <A.B.C.D>. Or, enter any to specify a source address/wildcard of 0.0.0.0/32. Destination host or network address. Or, enter any to specify a destination address/wildcard of 0.0.0.0/32.
Page 112: Conﬁguring Mac Packet Filters
Variable deﬁnitions Variable {permit | deny} <src-mac> <dst-mac> Copyright © 2007, Nortel Networks Value Allows a logging message to be reported to the user when a rule match occurs (optional). on: Turns on logging of matching packets. off: Turns off logging the matching packet off...
Page 113: Applying A Packet Filter To An Interface
To enter conﬁguration mode, enter: configure terminal To specify the packet ﬁlter to create or conﬁgure, enter: {mac | ip | ipv6} packet-filter <packet-filter-name> Copyright © 2007, Nortel Networks Value Specifies MAC source mask. Specifies MAC destination mask. Specifies the Ethernet type: arp, mpls, aarp, ppp or Ethernet type value in hex.
Page 114: Deleting A Packet Filter
Displaying packet ﬁlters applied to an interface Procedure steps Step Action To display a packet ﬁlter, enter: show packet-filter-rules <interface-name> Copyright © 2007, Nortel Networks —End— —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 115 Displaying packet ﬁlters applied to an interface 115 —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007 Copyright © 2007, Nortel Networks...
Page 117: Ipsec Vpn Conﬁguration
Even though the application trafﬁc, matching the IPsec policy, is getting tunneled, the built-in ﬁrewall uses the IP route to cross check whether the router is expected to handle this trafﬁc at all. Conﬁgure an inbound ﬁrewall policy in the internet zone for IKE negotiation (UDP 500).
Page 118: Conﬁguring Ike For Site-To-Site Vpn
Preshared Key, 3DES, SHA1, and DH-group2. Procedure steps Step Action To enter the conﬁguration mode, enter: Copyright © 2007, Nortel Networks —End— —End— Value Specifies the IKE policy name. Max 8 characters. Specifies the peer IP address for IKE negotiations.
Page 119: Conﬁguring The Ike Policy Local Id
To conﬁgure the local ID, enter: local-id {domain-name <fqdn> | email-id <email> | der-encoded-dn <name>} Table 44 Variable deﬁnitions Variable domain-name <fqdn> Copyright © 2007, Nortel Networks Conﬁguring IKE for site-to-site VPN 119 —End— —End— Value Specifies a fully qualified domain name (FQDN), like router.com.
Page 120: Conﬁguring The Ike Policy Remote Id
<name> Conﬁguring the IKE mode Conﬁgure the IKE mode for the policy. The default mode is main mode. Copyright © 2007, Nortel Networks Value Specifies a fully-qualified email user name string, like name@router.com. Specifies the x.500 (LDAP) distinguished name.
Page 121: Conﬁguring The Ike Exchange Type
To specify crypto conﬁguration for IPsec and IKE, enter: crypto To specify the IKE policy to conﬁgure, enter: Copyright © 2007, Nortel Networks Conﬁguring IKE for site-to-site VPN 121 —End— Value Specifies use of full negotiation to establish a security association.
Page 122: Conﬁguring The Pre-Shared Key For Ike
To specify the IKE policy to conﬁgure, enter: ike policy <policy-name> <peer-address> To conﬁgure the IKE key, enter: key <key-string> Copyright © 2007, Nortel Networks —End— Value Specifies that the policy cannot respond to IKE negotiations initiated by another party. This type...
Page 123: Enabling Or Disabling Pfs
To specify crypto conﬁguration for IPsec and IKE, enter: crypto To specify the IKE policy to conﬁgure, enter: ike policy <policy-name> <peer-address> Copyright © 2007, Nortel Networks Conﬁguring IKE for site-to-site VPN 123 Value Specifies the pre-shared key. Max 49 characters.
Page 124 To select the IKE proposal to conﬁgure, enter: proposal <priority> To conﬁgure the IKE authentication method, enter: authentication-method {pre-shared-key | dss-signature | rsa-signature} Copyright © 2007, Nortel Networks —End— Value Specifies the proposal priority, from 1 to 5. Deletes the proposal.
Page 125 To conﬁgure DH group for IKE proposal, enter: dh-group {group1 | group2 | group5} Table 51 Variable deﬁnitions Variable group1 Copyright © 2007, Nortel Networks Conﬁguring IKE for site-to-site VPN 125 Value Authentication using a pre-shared key, derived out of band. Authentication using Digital Signature Standard Authentication using RSA Signature —End—...
Page 126 Table 52 Variable deﬁnitions Variable des-cbc 3des-cbc aes128cbc aes192cbc aes256cbc Copyright © 2007, Nortel Networks Value 1024-bit. RFC 2409. 1536-bit. RFC2409. This is the highest level of security and requires more processing time than group 1 and group 2. —End— Value Specifies DES-CBC encryption.
Page 127 Step Action To enter the conﬁguration mode, enter: configure terminal To specify crypto conﬁguration for IPsec and IKE, enter: Copyright © 2007, Nortel Networks Conﬁguring IKE for site-to-site VPN 127 —End— Value Specifies a 128-bit message digest (RFC 1321). Specifies Secure Hash Standard, a 160-bit message digest (NIST,FIPS PUB 180-1).
Page 128: Conﬁguring Ocsp For The Ike Policy
Variable kilobytes <300-419430 3> seconds <300-864000> Conﬁguring OCSP for the IKE policy Enable OCSP to conﬁgure the router to contact the CA for veriﬁcation of the status of any certiﬁcate that the router receives. Procedure steps Step Action To enter the conﬁguration mode, enter: configure terminal To specify crypto conﬁguration for IPsec and IKE, enter:...
Page 129: Conﬁguring Ipsec For Site-To-Site Vpn
To specify crypto conﬁguration for IPsec and IKE, enter: crypto To specify the IPsec policy to conﬁgure, enter: ipsec policy <policy-name> <peer-gateway-ip> Copyright © 2007, Nortel Networks Conﬁguring IPsec for site-to-site VPN 129 —End— Value IPsec policy name. Max 8 characters.
Page 130: Enabling Or Disabling The Ipsec Policy Entry
To specify crypto conﬁguration for IPsec and IKE, enter: crypto To specify the IPsec policy to conﬁgure, enter: ipsec policy <policy-name> <peer-gateway-ip> Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 131: Conﬁguring Dh Prime Modulus Group For Pfs
[dport <0-65535>] Conﬁguring DH prime modulus group for PFS Conﬁgure the Difﬁe-Hellman prime modulus group for Perfect Forward Secrecy (PFS). Copyright © 2007, Nortel Networks Conﬁguring IPsec for site-to-site VPN 131 —End— Value Source IP address and subnet mask of the IP stream that is to be protected by the IPsec policy.
Page 132: Conﬁguring Ipsec Proposal
Step Action To enter the conﬁguration mode, enter: configure terminal To specify crypto conﬁguration for IPsec and IKE, enter: crypto Copyright © 2007, Nortel Networks —End— Value 768-bit. RFC 2409 1024-bit. RFC 2409. 1536-bit. RFC 2409. Nortel Secure Router 4134 Security —...
Page 133 To select the IPsec proposal to conﬁgure, enter: proposal <1-5> To conﬁgure the encryption algorithm for the proposal, enter: encryption-algorithm {des-cbc | 3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc} Copyright © 2007, Nortel Networks Conﬁguring IPsec for site-to-site VPN 133 —End— Value Specifies the proposal priority.
Page 134 <policy-name> <peer-address> To select the IPsec proposal to conﬁgure, enter: proposal <1-5> To conﬁgure the hash algorithm, enter: hash-algorithm {md5|sha1|null} Copyright © 2007, Nortel Networks Value Specifies DES-CBC encryption. Specifies 3DES-CBC encryption. Specifies AES-CBC encryption, with 128-bit key length.
Page 135 To select the IPsec proposal to conﬁgure, enter: proposal <1-5> To conﬁgure lifetime, enter: lifetime {kilobytes <300-4194303> | seconds <300-864000>} Copyright © 2007, Nortel Networks Conﬁguring IPsec for site-to-site VPN 135 Value A 128-bit message digest-RFC 1321 + RFC 2085 Secure Hash Standard: A 160-bit message...
Page 136 To select the IPsec proposal to conﬁgure, enter: proposal <1-5> To conﬁgure mode, enter: mode {transport | tunnel} Copyright © 2007, Nortel Networks Value Specifies the volume of traffic (in kilobytes) that can pass between IPsec peers using the given IPsec SA before that SA expires.
Page 137: Conﬁguring Remote Access Ike Policies
To create a remote access IKE policy, enter: ike policy <policy-name> {modecfg-group | l2tp-group} Copyright © 2007, Nortel Networks Conﬁguring remote access IKE policies 137 Value Specifies tunnel mode. In tunnel mode the IP header of the packet is encapsulated into a new IP header with a routable destination IP address.
Page 138 Conﬁgure the local ID to specify the IPsec identiﬁers for the host that is used in the identiﬁcation payload during IKE negotiation. Procedure steps Copyright © 2007, Nortel Networks Value Specifies the IKE policy name. modecfg-group: Mode config group. To configure...
Page 139 Action To enter the conﬁguration mode, enter: configure terminal To specify crypto conﬁguration for IPsec and IKE, enter: crypto Copyright © 2007, Nortel Networks Conﬁguring remote access IKE policies 139 —End— Value Specifies a fully qualified domain name (FQDN), like router.com.
Page 140 To specify the remote access IKE policy to conﬁgure, enter: ike policy <policy-name> {modecfg-group | l2tp-group} To conﬁgure the IKE mode, enter: Copyright © 2007, Nortel Networks —End— Value Specifies the fully qualified domain name (FQDN), like router.com. The value must be specified within quotes.
Page 141 <policy-name> modecfg-group To specify client conﬁguration, enter: client configuration To conﬁgure the mode-conﬁg address pool, enter: address-pool <1-3> <start-ip> <end-ip> Copyright © 2007, Nortel Networks Conﬁguring remote access IKE policies 141 —End— Value Specifies use of full negotiation to establish a security association.
Page 142 To conﬁgure the mode-conﬁg parameters: dns-server <primary-server-ip> <secondary-server-ip> Conﬁguring WINS server address for mode conﬁg Conﬁgure the WINS server address for mode conﬁg. Procedure steps Copyright © 2007, Nortel Networks —End— Value pool number start IP address end IP address —End—...
Page 143 To specify the remote access IKE policy to conﬁgure, enter: ike policy <policy-name> modecfg-group To specify client conﬁguration, enter: client authentication To conﬁgure the client authentication, enter: Copyright © 2007, Nortel Networks Conﬁguring remote access IKE policies 143 —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 144 <policy-name> {modecfg-group | l2tp-group} To conﬁgure the pre-shared key, enter: key <key-string> Table 69 Variable deﬁnitions Variable <key-string> Copyright © 2007, Nortel Networks —End— Value RADIUS-PAP authentication method. RADIUS-CHAP authentication method. —End— Value key string, max 49 characters.
Page 145 Enabling OCSP on the remote access IKE policy Enable OCSP to instruct the router to contact the CA for veriﬁcation of the status of any certiﬁcate that the router receives. Procedure steps Step Action To enter the conﬁguration mode, enter: configure terminal To specify crypto conﬁguration for IPsec and IKE, enter:...
Page 146: Conﬁguring An Ike Proposal For Remote Access Vpn
VPN Conﬁgure the IKE proposal authentication method for remote access VPN. Procedure steps Step Action To enter the conﬁguration mode, enter: Copyright © 2007, Nortel Networks —End— —End— Value Proposal value. Only one proposal is allows in aggressive mode.
Page 147 To specify crypto conﬁguration for IPsec and IKE, enter: crypto To specify conﬁguration of remote access IKE policies, enter: dynamic Copyright © 2007, Nortel Networks Conﬁguring remote access IKE policies 147 —End— Value Specifies authentication using a pre-shared key,...
Page 148 To specify the remote access IKE policy to conﬁgure, enter: ike policy <policy-name> {modecfg-group | l2tp-group} To specify the IKE proposal, enter: proposal <1-5> To conﬁgure the encryption algorithm for IKE: Copyright © 2007, Nortel Networks —End— Value 768-bit. RFC 2409. 1024-bit. RFC 2409.
Page 149 <policy-name> {modecfg-group | l2tp-group} To specify the IKE proposal, enter: proposal <1-5> To conﬁgure the hash algorithm for IKE: hash-algorithm {md5|sha1} Copyright © 2007, Nortel Networks Conﬁguring remote access IKE policies 149 —End— Value Specifies DES-CBC encryption. Specifies 3DES-CBC encryption.
Page 150 To specify the IKE proposal, enter: proposal <1-5> To conﬁgure the lifetime, enter: lifetime {kilobytes <300-4194303> | seconds <300-864000>} Copyright © 2007, Nortel Networks —End— Value A 128-bit message digest-RFC 1321 Secure Hash Standard: A 160-bit message digest-NIST,FIPS PUB 180-1 —End—...
Page 151: Conﬁguring Remote Access Ipsec Policies
<name> {modecfg-group | l2tp-group} Table 76 Variable deﬁnitions Variable group-type [modecfg-gr oup | l2tp-group] Copyright © 2007, Nortel Networks Conﬁguring remote access IPsec policies 151 Value Lifetime in kilobytes. Default: unlimited. Lifetime in seconds. Default: 86400 seconds. —End—...
Page 152: Specifying The Ip Stream On Which To Apply Ipsec For Remote Access Vpn
[address <A.B.C.D> <mask>] [source-end-ip <A.B.C.D>] [dest-start-ip <A.B.C.D>] Copyright © 2007, Nortel Networks —End— Value source IP address (start address if range is applicable) in the IP stream to be applied IPsec. source IP address (end address if range is applicable) in the IP stream to be applied IPsec...
Page 153: Conﬁguring Dh Prime Modulus Group For Pfs
To specify the remote access IPsec policy to conﬁgure, enter: ipsec policy <name> {modecfg-group | l2tp-group} To conﬁgure the PFS group, enter: pfs-group {group1 | group2 | group5} Copyright © 2007, Nortel Networks Conﬁguring remote access IPsec policies 153 Value Subnet mask.
Page 154: Conﬁguring Ipsec Proposal Template For Remote Access Vpn
<1-5> protocol {esp | ah} Table 79 Variable deﬁnitions Variable protocol [esp | ah] Copyright © 2007, Nortel Networks Value 768-bit. RFC 2409 1024-bit. RFC 2409. 1536-bit. RFC 2409. This is the highest level of security and requires more processing time than group 1 and group 2.
Page 155 Variable deﬁnitions Variable des-cbc 3des-cbc aes128cbc aes192cbc aes256cbc null Copyright © 2007, Nortel Networks Conﬁguring remote access IPsec policies 155 —End— Value Specifies DES-CBC encryption. Specifies 3DES-CBC encryption. Specifies AES-CBC encryption, with 128-bit key length. Specifies AES-CBC encryption, with 192-bit key length.
Page 156 Conﬁguring lifetime for IPsec proposal for remote access VPN Conﬁgure the lifetime of the remote access IPsec SA. When the SA expires, it is replaced by a new negotiated SA or terminated. Procedure steps Copyright © 2007, Nortel Networks —End— Value A 128-bit message digest-RFC 1321...
Page 157 Action To enter the conﬁguration mode, enter: configure terminal To specify crypto conﬁguration for IPsec and IKE, enter: crypto Copyright © 2007, Nortel Networks Conﬁguring remote access IPsec policies 157 —End— Value Lifetime in kilobytes. Default: 4194303. Lifetime in seconds. Default: 3600 seconds.
Page 158: Enabling The Dynamic Ipsec Policy
To specify conﬁguration of dynamic IKE policies for remote access, enter: dynamic To specify the remote access IPsec policy to conﬁgure, enter: Copyright © 2007, Nortel Networks —End— Value Specifies tunnel mode. In tunnel mode the IP header of the packet is encapsulated into a new IP header with a routable destination IP address.
Page 159: Conﬁguring L2Tp Server For L2Tp Remote Access
To select the L2TP access virtual interface, enter: interface l2tp-server <server-name> To conﬁgure the IP address of the L2TP server, enter: ip address <ipaddress> Copyright © 2007, Nortel Networks Conﬁguring L2TP server for L2TP remote access —End— Value Disables the policy.
Page 160: Conﬁguring Ipsec Protection For The L2Tp Access Interface
{remote-id-type {ip-address | domain-name | email-id| der-encoded-dn}} [remote-id-data <remote-id-data>] [key <key>] Copyright © 2007, Nortel Networks —End— —End— Value Name of crypto dynamic IKE and IPsec policy. Max 8 characters. Address of the local crypto untrusted interface that is used as the IKE authenticated tunnel endpoint.
Page 161: Conﬁguring Client Parameters For L2Tp Remote Access
To enter the conﬁguration mode, enter: configure terminal To select the L2TP access virtual interface, enter: interface l2tp-server <server-name> Copyright © 2007, Nortel Networks Conﬁguring L2TP server for L2TP remote access —End— Value Pool of IP addresses given to connecting clients.
Page 162: Shutting Down The L2Tp Access Interface
To specify crypto conﬁguration for IPsec and IKE, enter: crypto To enable or disable dead peer detection keepalive, enter: [no] keepalive enable Copyright © 2007, Nortel Networks —End— —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 163: Conﬁguring The Keepalive Retry Interval
<10-3600> Conﬁguring PMTU Conﬁguring DF bit Conﬁgure the value of the Don’t Fragment (DF) bit for an interface. Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 164: Conﬁguring The Mtu Threshold Value
To conﬁgure threshold MTU value, enter: pmtu threshold-mtu <mtu-value> Conﬁguring processing of unsecured ICMP messages Enable or disable processing of clear, unsecured ICMP messages. Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 165: Conﬁguring Ca Trustpoint
To specify the CA trustpoint to conﬁgure, enter: ca trustpoint <ca-name> To enable or disable processing of unsecured ICMP messages, enter: enrollment {terminal | url <url> } Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 166: Conﬁguring Parameters For The Certiﬁcate Request
Variable deﬁnitions Variable url <url> terminal Conﬁguring parameters for the certiﬁcate request Conﬁguring the certiﬁcate subject name Specify the subject name that identiﬁes the Secure Router in the certiﬁcate request. Procedure steps Step Action To enter the conﬁguration mode, enter: configure terminal To specify crypto conﬁguration for IPsec and IKE, enter:...
Page 167 To specify the CA trustpoint to conﬁgure, enter: ca trustpoint <ca-name> To conﬁgure the fully-qualiﬁed domain name, enter: [no] fqdn <fqdn> Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 168 To specify the CA trustpoint to conﬁgure, enter: ca trustpoint <ca-name> To conﬁgure the key pair, enter: [no] keypair <keypair-name> {rsa | dss} {512 | 1024 | 2048} Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 169: Conﬁguring Certiﬁcate Password
If the enrollment method is SCEP, the system imports the digital certiﬁcate of the CA using the SCEP protocol. And if the enrollment method is terminal, the system prompts you to paste the certiﬁcate obtained from the CA. Copyright © 2007, Nortel Networks Authenticating the CA and importing a CA certiﬁcate —End—...
Page 170: Generating A Certiﬁcate Request For Enrollment
To specify crypto conﬁguration for IPsec and IKE, enter: crypto To generate the certiﬁcate request, enter: ca enroll <ca-name> Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 171: Manually Importing A Self Certiﬁcate
Manually importing a self certiﬁcate If you are not using SCEP to import certiﬁcates, you can manually import the router certiﬁcate into the router using the cut and paste method. Procedure steps Step Action To enter the conﬁguration mode, enter: configure terminal To specify crypto conﬁguration for IPsec and IKE, enter:...
Page 172: Conﬁguring Ldap Parameters
<ca-name> To conﬁgure the LDAP parameters, enter: crl query <url-with-ldap://> Table 89 Variable deﬁnitions Variable <url-with-ldap://> Copyright © 2007, Nortel Networks —End— —End— Value Specifies a complete URL (with ldap://) Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 173: Requesting A Crl From The Ca
Step Action To enter the conﬁguration mode, enter: configure terminal To specify crypto conﬁguration for IPsec and IKE, enter: Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 174: Displaying Ipsec Vpn Conﬁgurations
{<ca-name> | all} [detail] Displaying trustpoint Step Action To display trustpoint information, enter: show crypto ca trustpoint {<ca-name> | all} [detail] Copyright © 2007, Nortel Networks —End— —End— —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 175: Displaying Ike Policies
[proposal-priority <1-5>] [detail] Displaying IPsec SA Step Action To display IPsec SA information, enter: show crypto ipsec sa {<policy-name> | all} [detail] Copyright © 2007, Nortel Networks Displaying IPsec VPN conﬁgurations 175 —End— —End— —End— —End— Nortel Secure Router 4134 Security —...
Page 176: Displaying Remote Access Ike Policies
Displaying status of interfaces as trusted or untrusted Step Action To display the status of interfaces, whether trusted or untrusted, enter: show crypto interfaces Copyright © 2007, Nortel Networks —End— —End— —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 177: Displaying Dead Peer Detection Conﬁguration
To display IPsec-related statistics, enter: show crypto statistics Displaying L2TP server conﬁguration Step Action To display L2TP server conﬁguration, enter: show interface l2tp-server Copyright © 2007, Nortel Networks Displaying IPsec VPN conﬁgurations 177 —End— —End— —End— —End— Nortel Secure Router 4134 Security —...
Page 178: Clearing Ipsec Conﬁgurations
<key-id> Clearing IKE SA information Step Action To clear IKE SA information, enter: clear crypto ike sa {<policy-name> | all} Copyright © 2007, Nortel Networks —End— —End— —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 179: Clearing Ipsec Sa Information
{<policy-name> | all} Clearing IPsec statistics Step Action To clear IPsec statistics, enter: clear crypto statistics Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 181: Gre And Ipip Tunnel Conﬁguration
Action To enter conﬁguration mode, enter: configure terminal To specify the name of the tunnel to create, enter: interface tunnel <tunnel-name> Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 182: Conﬁguring Tunnel Encapsulation Mode
To enter conﬁguration mode, enter: configure terminal To specify the name of the tunnel to conﬁgure, enter: interface tunnel <tunnel-name> To conﬁgure the IP address for the tunnel, enter: Copyright © 2007, Nortel Networks —End— —End— Value Specifies GRE encapsulation.
Page 183: Conﬁguring Tunnel Source
Procedure steps Step Action To enter conﬁguration mode, enter: Copyright © 2007, Nortel Networks —End— Value Specifies the IPv4 address and subnet mask. Specifies the IPv6 prefix address. You can also enter the IPv6 prefix name.
Page 184: Conﬁguring Gre Tunnel Parameters
Conﬁguring GRE tunnel parameters Conﬁguring keepalive for GRE tunnels Enable keepalive packets to keep track of the tunnel end points. The router sends a keepalive at every conﬁgured interval. If no response is received after the conﬁgured number of retries, the tunnel is brought down. You can only conﬁgure keepalive on GRE tunnels.
Page 185: Conﬁguring Checksum For Gre Tunnels
Conﬁguring checksum for GRE tunnels Enable end-to-end checksums to force the router to drop any corrupted packets. You can only conﬁgure checksum on GRE tunnels. By default, checksums are disabled. Procedure steps Step Action To enter conﬁguration mode, enter: configure terminal To specify the name of the tunnel to conﬁgure, enter:...
Page 186: Conﬁguring Tunnel Sequencing
To enter conﬁguration mode, enter: configure terminal To specify the name of the tunnel to conﬁgure, enter: interface tunnel <tunnel-name> To enable or disable path MTU discovery, enter: Copyright © 2007, Nortel Networks Value Specifies the key value. —End— Nortel Secure Router 4134 Security —...
Page 187: Conﬁguring The Tunnel As An Untrusted Interface For Ipsec Protection
Procedure steps Step Action To enter conﬁguration mode, enter: configure terminal Copyright © 2007, Nortel Networks —End— —End— Value Specifies that the tunnel is part of a trusted network. Specifies that the tunnel is part of an untrusted network.
Page 188: Conﬁguring Tunnel Tos
To specify the name of the tunnel to conﬁgure, enter: interface tunnel <tunnel-name> To conﬁgure tunnel ToS, enter: [no] tunnel tos <0-255> Copyright © 2007, Nortel Networks —End— Value Specifies the name of the IPsec policy. Enter a word of no more than eight characters.
Page 189: Conﬁguring Tunnel Ttl
To specify the name of the tunnel to conﬁgure, enter: interface tunnel <tunnel-name> To conﬁgure tunnel TTL, enter: [no] shutdown Copyright © 2007, Nortel Networks Value The ToS for the tunnel. Sets the ToS value to the default, which is 0 (no ToS).
Page 190: Displaying Tunnel Information
[tunnel <tunnel-name> | tunnels] Clearing tunnel counters Procedure steps Step Action To clear tunnel counter information, enter: clear interface [tunnel <tunnel-name> | tunnels] Copyright © 2007, Nortel Networks —End— —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 191: Pppoe Client Conﬁguration
To specify the name of the PPPoE interface to create, enter: interface virtual-access <pppoe-interface> Conﬁguring IP address for PPPoE interface Conﬁgure the IP address for the PPPoE interface. Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 192: Conﬁguring Pppoe Tunneling Protocol
To specify the name of the PPPoE interface to conﬁgure, enter: interface virtual-access <pppoe-interface> To specify the IP address for this interface, enter: protocol pppoe pppoe-mode [client] Copyright © 2007, Nortel Networks —End— Value Specifies the IP address for the interface.
Page 193: Conﬁguring Pppoe Ethernet Interface
To conﬁgure the authentication method for the PPPoE interface, enter: ppp authentication {pap | chap | pap_chap | none} [sent-username <username>] [password <password>] Copyright © 2007, Nortel Networks Conﬁguring PPP authentication method and parameters 193 —End— —End— Nortel Secure Router 4134 Security —...
Page 194: Conﬁguring Pppoe Access Concentrator
Conﬁguring PPP keepalive Conﬁgure the PPP keepalive interval in seconds. This value speciﬁes the amount of time PPP stays up when there is no trafﬁc. Copyright © 2007, Nortel Networks Value Specifies the authentication method: one of PAP, CHAP, either, or none.
Page 195: Displaying Pppoe Client Information
Procedure steps Step Action To display PPPoE client conﬁguration information, enter: show interface virtual-access <pppoe-interface> Copyright © 2007, Nortel Networks Displaying PPPoE client information 195 —End— Value Specifies the amount of time in seconds that PPP stays up when there is no traffic.
Page 197: Authentication, Authorization, And Accounting Conﬁguration
Conﬁgure the login authentication methods. Procedure steps Step Action To enter conﬁguration mode, enter: configure terminal To conﬁgure the login authentication methods, enter: Copyright © 2007, Nortel Networks —End— Value Disables AAA. Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 198: Conﬁguring Aaa Authentication Protocol
To enter conﬁguration mode, enter: configure terminal To conﬁgure the login authentication protocols, enter: aaa authentication protocol <protocols-list-name> <protocols> Copyright © 2007, Nortel Networks —End— Value The name of the login authentication list, either a character string or the word default. If list_name is default, all interfaces use this method list without further configuration.
Page 199: Applying Aaa Authentication To An Interface
Step Action To enter conﬁguration mode, enter: configure terminal Copyright © 2007, Nortel Networks Value The name of the protocol authentication list, either a character string or the word default. If list_name is default, all interfaces use this method list without further configuration.
Page 200: Applying Aaa Authorization To An Interface
To apply AAA authorization to the interface, enter: aaa authorization <commands-list-name> Conﬁguring AAA accounting Conﬁguring AAA accounting Conﬁgure accounting on the router. Copyright © 2007, Nortel Networks —End— Value The name of the authorization list, either a character string or the word default. If list_name is default, all interfaces use this method list without further configuration..
Page 201: Conﬁguring Aaa Accounting Update
To enter conﬁguration mode, enter: configure terminal To conﬁgure the accounting update scheme, enter: aaa accounting update {newinfo | periodic mins <1-5> } Copyright © 2007, Nortel Networks —End— Value commands: configure the accounting for commands. network: configure the accounting for network usage.
Page 202: Applying Aaa Accounting To An Interface
Conﬁgure the port used by the RADIUS server for accounting. Procedure steps Step Action To enter conﬁguration mode, enter: configure terminal Copyright © 2007, Nortel Networks —End— Value Send UPDATE records when new info is available Send UPDATE records periodically Time in minutes if the scheme is periodic. Default is 5 mins.
Page 203: Conﬁguring Radius Server Port For Authentication
<1-65535> Conﬁguring the RADIUS server IP address Conﬁgures the IP address of the speciﬁed RADIUS server. (A primary RADIUS server must be conﬁgured to enable RADIUS.) Copyright © 2007, Nortel Networks Conﬁguring RADIUS primary and secondary servers 203 —End— Value The accounting port on the RADIUS server.
Page 204: Conﬁguring Radius Client Retries
To specify conﬁguration of the primary or secondary server, enter: aaa radius [primary_server | secondary_server] To conﬁgure the RADIUS client retries, enter: retries <1-5> Copyright © 2007, Nortel Networks —End— Value The IP address of the specified RADIUS server. —End—...
Page 205: Conﬁgure Radius Shared Secret Key
To specify conﬁguration of the primary or secondary server, enter: aaa radius [primary_server | secondary_server] To conﬁgure the RADIUS timeout, enter: Copyright © 2007, Nortel Networks Conﬁguring RADIUS primary and secondary servers 205 Value The number of attempts to contact the server.
Page 206: Conﬁguring Radius Client Source Address
To enter conﬁguration mode, enter: configure terminal To conﬁgure the IP address of the primary or secondary server, enter: aaa tacacs [primary_server |secondary_server] <A.B.C.D> Copyright © 2007, Nortel Networks —End— Value The timeout in seconds. The maximum value is 100. —End—...
Page 207: Conﬁguring Tacacs+ Retries
To specify TACACS+ conﬁguration, enter: aaa tacacs To conﬁgure the TACACS+ server port, enter: server_port <1-65535> Copyright © 2007, Nortel Networks Conﬁguring TACACS+ server port 207 —End— Value The number of attempts to contact the server. The range is 1-5. The default is 2.
Page 208: Conﬁguring Tacacs+ Shared Encryption Key
Action To enter conﬁguration mode, enter: configure terminal To specify TACACS+ conﬁguration, enter: aaa tacacs Copyright © 2007, Nortel Networks Value The port on the TACACS+ server. —End— Value A string of length less than or equal to 8 characters.
Page 209: Conﬁguring 802.1X
<slot/port> To specify 802.1x conﬁguration, enter: dot1x To enable or disable 802.1x on the interface, enter: [no] dot1x-enable Copyright © 2007, Nortel Networks Conﬁguring 802.1x on an Ethernet interface 209 —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 210: Conﬁguring The Maximum Failed Requests
To specify 802.1x conﬁguration, enter: dot1x To conﬁgure a forced 802.1x state for the port, enter: [no] port-control {auto | force-authorized | force-unauthorized} Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 211: Conﬁguring Quiet Period
To conﬁgure the quiet period, enter: quiet-period <1-65535> Enabling reauthentication Enable or disable reauthentication on a port. Copyright © 2007, Nortel Networks Conﬁguring 802.1x on an Ethernet interface 211 —End— Value Enable authentication on a port. Force a port to always be in an authorized state.
Page 212: Conﬁguring Reauthorization Period
To conﬁgure the reauthorization period in seconds, enter: reauth-period <1-65535> Conﬁguring authentication server response timeout Set the authentication sever response timeout. The default is 30 seconds. Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 213: Conﬁguring Supplicant Response Timeout
<slot/port> To specify 802.1x conﬁguration, enter: dot1x To conﬁgure the supplicant response timeout, in seconds, enter supplicant-timeout <1-65535> Copyright © 2007, Nortel Networks Conﬁguring 802.1x on an Ethernet interface 213 —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 214: Displaying Aaa Information
Displaying AAA interface information Step Action To display AAA interface information, enter: show aaa interface {bundle <bundle-name> | ethernet <slot/port> | console} Copyright © 2007, Nortel Networks —End— —End— —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 215: Displaying Aaa Status
To display TACACS+ information, enter: show aaa tacacs Displaying 802.1x information Step Action To display 802.1x information, enter: show dot1x {detail | interface <if-name>| statistics} Copyright © 2007, Nortel Networks —End— —End— —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 216: Clearing 802.1X Statistcs
216 Authentication, Authorization, and Accounting conﬁguration Clearing 802.1x statistcs Step Action To clear 802.1x statistics, enter: clear dot1x statistics Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 217: Ssh2 Conﬁguration
"<passphrase>"] [bits <512-2048>] [comment "<comment>"] Table 117 Variable deﬁnitions Variable {rsa | dsa} [outfile <filename>] Copyright © 2007, Nortel Networks —End— Value Specifies the type of key to generate, either RSA or DSA. Specifies the name of the files to contain the generated keys.
Page 218: Encrypting A Private Key File
This command can be used to encrypt the private key with keys unique to the Router. The "no" form of the command can be used to decrypt the ﬁle.
Page 219: Converting Public Key Files To Ssh Format
To specify SSH2 key conﬁguration, enter: ssh_keygen Change the passphrase, enter: convert {secsh | openssh} <key-filename> newfile <new-key-filename> Copyright © 2007, Nortel Networks —End— Value The current passphrase. Must be specified in double quotes. The new passphrase. Must be specified in double quotes.
Page 220: Generating A Public Key Digest Of A Key File
Table 120 Variable deﬁnitions Variable <public-key-filename> [digest {fingerprint | bubblebabble}] Copyright © 2007, Nortel Networks Value The type of conversion to perform: secsh: to convert from OpenSSH public key to SECSH public key openssh: to convert from unencrypted private or public SECSH key to OpenSSH.
Page 221: Conﬁguring Ssh2 Server Parameters
To specify SSH2 server conﬁguration, enter: ssh_server To conﬁgure the number of authentication retries, enter: authRetries <1-5> Copyright © 2007, Nortel Networks Conﬁguring SSH2 server parameters 221 —End— Value Specifies password based user authentication. Specifies public key based user authentication.
Page 222: Conﬁguring Ssh Encryption Algorithms
Variable 3descbc blowfishcbc aes128cbc aes192cbc aes256cbc Conﬁguring SSH compression Conﬁgure SSH compression. Copyright © 2007, Nortel Networks Value Specifies the number of authentication retries (default: 3). —End— Value Specifies DES encryption. Specifies blowfish encryption. Specifies AES, with 128-bit key length.
Page 223: Enabling And Disabling Ssh Server
To enable or disable the SSH server, enter: [no] enable Specifying host key ﬁle for the SSH server Specify the host key ﬁle for the SSH server. Copyright © 2007, Nortel Networks Conﬁguring SSH2 server parameters 223 —End— Value Specifies no compression.
Page 224: Enabling And Disabling Log Events
To enter conﬁguration mode, enter: configure terminal To specify SSH2 server conﬁguration, enter: ssh_server To enable or disable log events, enter: [no] logevents Copyright © 2007, Nortel Networks —End— Value Specifies the host key file name. Default: shdsakey —End— Nortel Secure Router 4134 Security —...
Page 225: Conﬁguring Mac Algorithms
Conﬁguring SSH listen port Conﬁgure the SSH listen port. Procedure steps Step Action To enter conﬁguration mode, enter: configure terminal Copyright © 2007, Nortel Networks Conﬁguring SSH2 server parameters 225 —End— Value hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96 Nortel Secure Router 4134 Security —...
Page 226: Restoring Default Ssh Parameter Values
Procedure steps Step Action To enter conﬁguration mode, enter: configure terminal To specify SSH2 server conﬁguration, enter: Copyright © 2007, Nortel Networks —End— Value Specifies the port value. Default: 22. —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 227: Conﬁguring Ssh Session Timeout
Variable 0-3600 Displaying SSH server conﬁguration Step Action To display the SSH server conﬁguration, enter: show ip ssh config Copyright © 2007, Nortel Networks Conﬁguring SSH2 server parameters 227 —End— Value Disables SFTP server. —End— Value default 900 seconds. 0 means no timeout Nortel Secure Router 4134 Security —...
Page 228: Displaying Ssh Server Sessions
{session <1-5> | sessions} Clearing SSH sessions Step Action To clear SSH server sessions, enter: clear ip ssh {session <1-5> | all} Copyright © 2007, Nortel Networks —End— —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 229: Conﬁguration Examples
<1000 add deny tcp any any dport <1000 add permit ipv6 any any Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 230: Conﬁguring A Mac Packet Filter
To apply the packet ﬁlter to an interface, enter: packet-filter-group ethernet6/1 in mac macfilter Conﬁguring a default ﬁrewall policy The following ﬁgure shows an example of a default ﬁrewall policy. Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security —...
Page 231: Conﬁguring A Simple Firewall Policy With Dmz
To add an interface to the trusted zone, enter: interface ethernet0/1 Conﬁguring a simple ﬁrewall policy with DMZ The following ﬁgure shows a simple ﬁrewall policy with DMZ. Copyright © 2007, Nortel Networks Conﬁguring a simple ﬁrewall policy with DMZ —End— Nortel Secure Router 4134 Security —...
Page 232 To add an interface to the untrusted zone, enter: interface wan1 exit To create the trusted corp zone, enter: firewall corp Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 233: Conﬁguring A Simple Pat Policy
Action To enter the conﬁguration mode, enter: configure terminal To specify crypto conﬁguration for IPsec and IKE, enter: crypto Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 234: Conﬁguring A Pat Policy With An Inbound Forwarding Policy
Conﬁguring a PAT policy with an inbound forwarding policy The following ﬁgure shows a PAT policy with an inbound forwarding policy. Figure 17 PAT policy with inbound forwarding policy Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 235: Conﬁguring Sip Alg Line-Side
To create the outbound NAT IP policy, enter: policy 1024 out nat-ip 47.1.1.1 Conﬁguring SIP ALG line-side The following ﬁgure shows a SIP ALG line-side conﬁguration. Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 236: Conﬁguring Sip Alg Trunk-Side
10 out nat-ip 47.100.1.1 Conﬁguring SIP ALG trunk-side The following ﬁgure shows a SIP ALG trunk-side conﬁguration. Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 237 20 in address 20.1.1.1 32 47.1.1.100 32 protocol udp port 5060 any nat-ip 10.1.1.1 arp 47.1.1.100 00:50:52:8e:4a:01 published (add arp for the nat-ip address) Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 238: Conﬁguring A Site-To-Site Ipsec Vpn
To conﬁgure the Ethernet port 0/1, enter: interface ethernet 0/1 ip address 10.1.2.1 24 crypto trusted exit To conﬁgure the IKE policy, enter: Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 239: Conﬁguring Sr4134 2
0/2 ip address 20.1.2.1 24 crypto trusted exit To conﬁgure the IKE policy, enter: crypto Copyright © 2007, Nortel Networks Conﬁguring a Site-to-site IPsec VPN 239 —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 240: Conﬁguring A Trust Point For Pki
To conﬁgure the trustpoint, enter: enrollment url http://certsrv.nortel.com/certsrv.dll subject-name “cn=srsubName,o=nortel” ip-address 192.168.118.33 fqdn sr4134.nortel.com email sr4134@nortel.com Copyright © 2007, Nortel Networks —End— trustpoint sr4134 Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 241: Conﬁguring A Remote Access Ipsec Vpn
To conﬁgure the Ethernet port 0/1, enter: interface ethernet 0/1 ip address 10.1.2.1 24 Copyright © 2007, Nortel Networks Conﬁguring a remote access IPsec VPN query ldap://ldap.nortel.com/ldap —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 242: Conﬁguring A Remote Access Vpn With L2Tp Server
5. Conﬁguring a remote access VPN with L2TP server To conﬁgure a remote access VPN with L2TP server, perform the following steps. Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 243: Conﬁguring An Ipv4 Tunnel
The source address speciﬁed here matches the address pool speciﬁed in step 2. Conﬁguring an IPv4 tunnel The following ﬁgure shows an IPv4 tunnel conﬁguration. Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 244: Sr4134 1
To conﬁgure the trusted Ethernet interface: interface ethernet 0/1 ip address 50.1.1.1 255.255.255.0 crypto trusted exit To conﬁgure the tunnel interface, enter: Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 245: Sr4134 2
To conﬁgure the trusted Ethernet interface: interface ethernet 0/2 ip address 20.1.1.1 255.255.255.0 crypto trusted exit Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007 Conﬁguring an IPv4 tunnel 245...
Page 246: Conﬁguring An Auto 6To4 Tunnel
101 in exit policy exit firewall Conﬁguring an auto 6to4 tunnel The following ﬁgure shows an auto 6to4 tunnel conﬁguration. Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 247: Sr4134 1
2002:c0a8:1b64::1/64 tunnel source 192.168.27.10 tunnel mode ipv6 6to4 exit Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007 Conﬁguring an auto 6to4 tunnel 247...
Page 248: Sr4134 2
Conﬁguring the ﬁrewall for NAT and IPsec tunnels This example shows how to properly conﬁgure the SR4134 ﬁrewall to implement NAT as well as allow IPsec trafﬁc within a Branch Ofﬁce Tunnel created between two SR4134s. Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security —...
Page 249: Firewall Conﬁguration For Sr4134 1
To conﬁgure the corp ﬁrewall for incoming IPsec tunnel trafﬁc, enter: firewall corp policy 1000 in permit address 20.1.1.0 24 10.1.1.0 24 exit Copyright © 2007, Nortel Networks Conﬁguring the ﬁrewall for NAT and IPsec tunnels 249 Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 250: Firewall Conﬁguration For Sr4134 2
1002 out permit address 20.1.1.2 20.1.1.254 any any nat-ip 200.1.1.2 exit To add the trusted Ethernet interface to the corp ﬁrewall, enter: interface ethernet0/1 Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard...
Page 251: Conﬁguring A Pppoe Client
To conﬁgure a PPPoE client on SR4134 1, perform the following steps. Step Action To conﬁgure the internet interface, enter: configure terminal Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 252: Sr4134 2
To conﬁgure the peer VPN gateway on SR4134 2, perform the following steps. Step Action To conﬁgure the internet interface, enter: configure terminal Copyright © 2007, Nortel Networks ethernet 0/2 address 20.1.1.2 255.255.255.0 ethernet 0/1 address 10.1.1.1 255.255.255.0 virtual-access test...
Page 253: Sr4134 Conﬁguration For Dynamic Route Exchange Over Ipsec Tunnel Interoperability With Vpn Router
SR4134 conﬁguration for dynamic route exchange over IPsec tunnel interoperability with VPN Router Both Secure Router and VPN router currently support dynamic routing over IPsec. Secure router conﬁguration for dynamic route exchange over IPsec Tunnel allows interoperability by using IP-on-IP over a transport mode IPsec connection.
Page 254: Secure Router Conﬁguration For Bgp
To conﬁgure BGP, enter: router bgp 100 neighbor 50.1.1.10 update-source 50.1.1.1 exit exit To conﬁgure the IP route, enter: Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 255: Secure Router Conﬁguration For Ospf
1 network toCes area 0 exit Secure router conﬁguration for RIPv2 Conﬁgure SR4134 for RIPv2 as follows: Copyright © 2007, Nortel Networks —End— —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 256: Nortel Secure Router
To conﬁgure the corp ﬁrewall, enter: firewall corp policy 101 in exit exit To conﬁgure internet ﬁrewall, enter: firewall internet Copyright © 2007, Nortel Networks Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 257 SR4134 conﬁguration for dynamic route exchange over IPsec tunnel interoperability with VPN policy 100 in self exit exit Copyright © 2007, Nortel Networks —End— Nortel Secure Router 4134 Security — Conﬁguration and Management NN47263-600 01.02 Standard 10.0 3 August 2007...
Page 260 This document is protected by copyright laws and international treaties. All information, copyrights and any other intellectual property rights contained in this document are the property of Nortel Networks. Except as expressly authorized in writing by Nortel Networks, the holder is granted no rights to use the information contained herein and this document shall not be published, copied, produced or reproduced, modiﬁed, translated, compiled, distributed, displayed or transmitted, in whole or part, in any form or media.

Nortel Secure 4134 Configuration

New in this Release

Introduction

Firewall and NAT Fundamentals

Packet Filter Fundamentals

Ipsec VPN Fundamentals

GRE and IPIP Tunneling Fundamentals

Pppoe Client Fundamentals

Authentication, Authorization, and Accounting Fundamentals

SSH2 Fundamentals

Firewall and NAT Conﬁguration

Packet Filter Conﬁguration

Ipsec VPN Conﬁguration

GRE and IPIP Tunnel Conﬁguration

Pppoe Client Conﬁguration

Authentication, Authorization, and Accounting Conﬁguration

Quick Links

Related Manuals for Nortel Secure 4134

Summary of Contents for Nortel Secure 4134