THOMSON SpeedTouch 608WL Configuration Manual

(Wireless) Business DSL Router IPSec Configuration Guide

SpeedTouch™608(WL)/620
(Wireless) Business DSL Router
IPSec Configuration Guide
SpeedTouch™608WL and
SpeedTouch™620 only

Summary of Contents for THOMSON SpeedTouch 608WL

  • Page 1 SpeedTouch™608(WL)/620 (Wireless) Business DSL Router IPSec Configuration Guide SpeedTouch™608WL and SpeedTouch™620 only...
  • Page 3 SpeedTouch™ 608(WL)/620 IPSec Configuration Guide...
  • Page 4: Document Information

    Copyright Copyright ©1999-2006 THOMSON. All rights reserved. Distribution and copying of this document, use and communication of its contents is not permitted without written authorization from THOMSON. The content of this document is furnished for informational use only, may be subject to change without notice, and should not be construed as a commitment by THOMSON.
  • Page 5: Table Of Contents

    Contents About this IPSec Configuration Guide ... 9 1 IPSec: Concept for secure IP connections... 11 IPSec Concepts ... 12 2 SpeedTouch™ IPSec terminology... 15 Policy ... 16 Security Descriptor ... 17 Authentication Attribute ... 18 Peer (Phase 1) ... 19 Connection (Phase 2) ...
  • Page 6 Contents 3.3.1 3.5.1 3.5.2 3.5.3 3.5.4 3.5.5 3.5.6 3.5.7 3.5.8 3.5.9 3.5.10 3.5.11 3.5.12 4 Configuration via the Command Line Interface ... 101 4.2.1 4.2.2 4.2.3 4.2.4 4.2.5 4.3.1 4.3.2 4.3.3 4.3.4 4.3.5 VPN Server ... 63 VPN Server Page... 64 Certificates ...
  • Page 7 Peer ... 118 4.4.1 Peer parameters... 119 4.4.2 List all peer entities... 123 4.4.3 Create a new peer entity ... 124 4.4.4 Set or modify the peer parameters ... 125 4.4.5 Delete a Peer entity... 126 Connection Security Descriptor... 127 4.5.1 Connection Security Descriptor parameters ...
  • Page 8 Contents 6 Advanced Features ... 173 6.4.1 6.4.2 6.4.3 6.4.4 6.5.1 6.5.2 6.5.3 6.5.4 6.6.1 6.6.2 6.6.3 6.6.4 6.6.5 6.6.6 6.6.7 6.6.8 6.6.9 Via the CLI: Debug command group ... 167 Via SNMP ... 170 Pinging from the SpeedTouch™ to the remote private network 171 IPSec and the Stateful Inspection Firewall ...
  • Page 9 Peer Options ... 201 6.9.1 List all Peer Options lists ... 203 6.9.2 Create a Peer Options list... 204 6.9.3 Set or modify the Peer Option list parameters... 205 6.9.4 Delete a Peer Options list ... 206 6.10 Connection Options ... 207 6.10.1 List all Connection Options lists ...
  • Page 10 Contents E-DOC-CTC-20051017-0169 v0.1...
  • Page 11: About This Ipsec Configuration Guide

    About this IPSec Configuration Guide Abstract This document explains the IPSec functionality of the SpeedTouch™ Release R5.4 and higher. A brief theoretical explanation is provided where needed, but the main goal of this document is to be a practical guide. Applicability This configuration guide applies to the following SpeedTouch™...
  • Page 13: Ipsec: Concept For Secure Ip Connections

1 IPSec: Concept for secure IP connections. Policies: The introduction of network security mainly involves the application of traffic policies. Firstly, the policies need to be defined; then it should be verified whether the policies are correctly applied. Security policies can apply to various levels. The IPSec protocol (Internet Protocol Security) applies to the IP layer.
  • Page 14: Ipsec Concepts

    Chapter 1 IPSec: Concept for secure IP connections. 1.1 IPSec Concepts (Red and Black Network; Authentication Header; Encapsulated Security Payload). The following nomenclature will be used throughout this document: The SpeedTouch™: the IPSec capable DSL router. The Red network: the private or trusted side of the SpeedTouch™. The Black network: the public or non-trusted side of the SpeedTouch™.
  • Page 15 Internet Key Exchange: The Internet Key Exchange (IKE) protocol is the negotiation protocol used to establish an SA by negotiating security protocols and exchanging keys. First the IKE SA is set up; then the IKE channel acts as a signalling channel to negotiate general purpose Security Associations. Within the IKE protocol, two phases are distinguished to set up a tunnel between two peers:...
  • Page 17: Speedtouch™ Ipsec Terminology

    2 SpeedTouch™ IPSec terminology Introduction In order to understand the IPSec configuration of the SpeedTouch™, a number of concepts and definitions are introduced in this section. The Graphical User Interface (GUI) and the Command Line Interface (CLI) provide two alternative methods to configure the IPSec functions.
  • Page 18: Policy

    Chapter 2 SpeedTouch™ IPSec terminology 2.1 Policy What is ... Static policy Dynamic policy Security is all about traffic policies and these can be configured using the IPSec policy commands. By default, policy rules are automatically generated when the IPSec connection is created and the user does not need to execute extra commands. A set of rules defines whether a packet has to pass through a secure tunnel or not.
  • Page 19: Security Descriptor

    2.2 Security Descriptor What is ... All security parameters required to establish a secure tunnel are grouped into a string called Security Descriptor or simply descriptor. Two different sets of descriptors are defined: IKE session descriptors IPSec descriptors A Descriptor contains the methods for message authentication, encryption and hashing, and the lifetime of the Security Association.
  • Page 20: Authentication Attribute

    Chapter 2 SpeedTouch™ IPSec terminology 2.3 Authentication Attribute What is ... Two main methods for authentication are supported in the SpeedTouch™: pre-shared key certificates The authentication parameters used for the IKE negotiations are bundled in the SpeedTouch™ in a descriptor with a symbolic name. This symbolic descriptor is called the Authentication Attribute, and is encountered when you configure the SpeedTouch™...
  • Page 21: Peer (Phase 1)

    2.4 Peer (Phase 1) What is ... The Peer is a term that refers to the remote Security Gateway to which the IPSec secure tunnel(s) will be established. In a first phase, an IKE Security Association is negotiated between the SpeedTouch™ and a remote Security Gateway (peer). In the configuration of the SpeedTouch™, the Peer bundles all the parameters required to negotiate an IKE Security Association (Phase 1 SA), such as: Address...
  • Page 22: Connection (Phase 2)

    Chapter 2 SpeedTouch™ IPSec terminology 2.5 Connection (Phase 2) What is ... Bundles all the parameters required for the Phase 2 SA (IPSec) negotiation: Peer Reference, pointing to the peer configuration to be used. In fact, this refers to the IKE channel used for the Phase 2 negotiations. Local/remote range Range of red IP addresses to which the IPSec policy applies.
  • Page 23: Network Descriptor

    Chapter 2 SpeedTouch™ IPSec terminology 2.6 Network descriptor What is ... The concept of Network Descriptors is introduced for the first time in the SpeedTouch™ R5.3. Not only the classical idea of an IP network or subnet is comprised in this concept, but also the protocol and port number of the messages can be specified, such that access to the VPN can be restricted to certain hosts, protocols and port numbers.
  • Page 25: Configuration Via Local

    3 Configuration via Local Pages Prerequisites In order to use the VPN features in the SpeedTouch™608(WL)/620, you should enable the VPN software module. To activate this VPN module, you have to acquire the optional software activation key. To check whether the software activation key is present, browse to the SpeedTouch™...
  • Page 26 Chapter 3 Configuration via Local Pages. In this section: The following topics are discussed in this section: 3.1 LAN to LAN Application; 3.2 VPN Client; 3.3 VPN Server; 3.4 Certificates; 3.5 Advanced VPN Menu.
  • Page 27: Lan To Lan Application

    3.1 LAN to LAN Application. Reference network: A simple LAN-to-LAN network configuration is shown here (figure labels: SpeedTouch A). The figure shows two LAN networks connected via a SpeedTouch™ to the public Internet. In each LAN segment, the IP addresses of the terminals are typically managed by a DHCP server, which may be the built-in DHCP server of the SpeedTouch™.
  • Page 28 Chapter 3 Configuration via Local Pages. Selecting the LAN to LAN application; Outline of a configuration procedure: In Expert Mode, click VPN > LAN to LAN. As a result, the following page is shown. This page contains two main tab pages. Select one of the alternative pages, according to which VPN context best describes your situation.
  • Page 29: Remote Gateway Address Known Page

    Chapter 3 Configuration via Local Pages 3.1.1 Remote Gateway Address Known Page VPN context You know the location of the Remote Gateway in the public Internet, either by its IP address or its FQDN. In this case, the SpeedTouch™ can connect either as an initiator or as a responder.
  • Page 30 Chapter 3 Configuration via Local Pages. Buttons: You can use one of the following buttons: Use Preshared Key Authentication; Use Certificate Authentication; Specify Additional Descriptors. Remote Gateway: The Remote Gateway parameters identify the peer Security Gateway in the IP network.
  • Page 31 Miscellaneous Comprises the following settings: Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet.
  • Page 32 Chapter 3 Configuration via Local Pages IKE Security Descriptors Page layout with additional Descriptors The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch™, and can be selected from a list.
  • Page 33 Chapter 3 Configuration via Local Pages. Page layout for pre-shared key authentication: When you click Use Preshared Key Authentication, the initial page is updated in the following way:...
  • Page 34 Chapter 3 Configuration via Local Pages. IKE Authentication with Preshared Key: When you select Use Preshared Key Authentication, the following fields have to be completed: Preshared Secret: A string to be used as a secret password for the VPN connection. This secret needs to be identically configured at both peers (local and remote peer). Further on this page: Page layout for certificate authentication; IKE Authentication: Certificate parameters.
  • Page 35 Example of a completed page: The illustration below shows a completed page. The data in the various fields correspond with the VPN layout shown on page 25: Pre-shared key was selected as authentication method. keyid was selected for the local and remote identity. After the page was completed, the remote gateway settings were added to the configuration by clicking Add.
  • Page 36 Chapter 3 Configuration via Local Pages. Buttons: You can use one of the following buttons: Stop All Connections to this Gateway; Apply; Delete; New Gateway; New Connection to this Gateway; Status; Statistics. Stop All Connections to this Gateway: Stop all VPN connections to the selected remote Security Gateway.
  • Page 37: Remote Gateway Address Unknown Page

    Chapter 3 Configuration via Local Pages 3.1.2 Remote Gateway Address Unknown Page VPN context Your SpeedTouch™ may have to set up (simultaneous) VPN connections with various remote Security Gateways. At the time you configure your SpeedTouch™, you have no clear idea about the location of the Remote Gateway(s) in the network. This may be the case in a central location of a large network, where remote locations may be added as time passes.
  • Page 38 Chapter 3 Configuration via Local Pages. Aggressive Mode versus Main Mode: IKE specifies two modes of operation for the Phase 1 negotiations: main mode and aggressive mode. Main mode is more secure while aggressive mode is quicker. Buttons: You can use one of the following buttons:...
  • Page 39 Miscellaneous Comprises the following settings: Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet.
  • Page 40 Chapter 3 Configuration via Local Pages IKE Security Descriptors Page layout with additional Descriptors The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch™, and can be selected from a list.
  • Page 41 Chapter 3 Configuration via Local Pages. Page layout for pre-shared key authentication: When you click Use Preshared Key Authentication, the initial page is updated in the following way:...
  • Page 42 Chapter 3 Configuration via Local Pages. IKE Authentication with Preshared Key: When you select Use Preshared Key Authentication, the following fields have to be completed: Preshared Secret: A string to be used as a secret password for the VPN connection. This secret needs to be identically configured at both peers (local and remote peer). Further on this page: Page layout for certificate authentication; IKE Authentication: Certificate parameters.
  • Page 43 Main Mode initial page: When you click Main Mode, the following page is displayed. By clicking a button, the page layout changes, revealing other fields and buttons. More information about the various fields and buttons is found below. Buttons: You can use one of the following buttons:...
  • Page 44 Chapter 3 Configuration via Local Pages. Page layout with additional Descriptors: When you click Specify Additional Descriptors, the IKE Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IKE Security Descriptors. These will be used as alternative valid proposals in the IKE negotiations. Further on this page: Miscellaneous; Page layout for pre-shared key authentication; IKE Authentication with Preshared Key.
  • Page 45 Chapter 3 Configuration via Local Pages. Page layout for certificate authentication: When you click Use Certificate Authentication, the IKE Authentication area of the page is updated in the following way. IKE Authentication: Certificate parameters: When you select Use Certificate Authentication, you have to fill out the Distinguished Name of the local and remote Certificates.
  • Page 46 Chapter 3 Configuration via Local Pages. Identification & Interface: The Identification & Interface fields have to be filled out with the following information: Local ID Type and Local ID: The Local ID identifies the local SpeedTouch™ during the Phase 1 negotiation with the remote Security Gateway.
  • Page 47 Example of a completed page: The illustration below shows a completed page. The data in the various fields correspond with the VPN layout shown on page 25: Pre-shared key was selected as authentication method. keyid was selected for the local and remote identity. After the page was completed, the remote gateway settings were added to the configuration by clicking Add.
  • Page 48 Chapter 3 Configuration via Local Pages. Buttons: You can use one of the following buttons: Stop All Connections to this Gateway; Apply; Delete; New Gateway; New Connection to this Gateway; Status; Statistics. Stop All Connections to this Gateway: Stop all VPN connections to the selected remote Security Gateway.
  • Page 49: Connections Page

    3.1.3 Connections Page Page layout When you click New Connection to this Gateway, the following fields are revealed: In this section of the page, you fill out the characteristics of the Virtual Private Network you are building. Specify the local and remote private network parameters. Specify the Security Descriptor you use for this IPSec connection.
  • Page 50 Chapter 3 Configuration via Local Pages. Trusted Network: The Local and Remote Trusted Network parameters describe which terminals have access to the secure connection at the local and remote peers, respectively. Two fields must be completed for each peer: Trusted Network Type and Trusted Network IP. Further on this page: Protocol.
  • Page 51 Port If the tcp or udp protocol is selected for the protocol parameter, then the access to the IPSec connection can be further restricted to a single port. Many well-known port numbers can be selected from the pull-down menu. Separate fields are foreseen for the local and remote ports. Typically, identical values are selected for both fields.
  • Page 52 Chapter 3 Configuration via Local Pages Starting and stopping a connection. A VPN connection is started automatically when data is sent or received that complies with the traffic policy. Alternatively, you can manually start and stop a VPN connection by selecting it in the table.
  • Page 53: Vpn Client

    3.2 VPN Client VPN context For a VPN client-server scenario a dedicated set of user-friendly configuration pages is available. Separate pages exist for the client and server sides. In this section the VPN client configuration page is described. The VPN client in the SpeedTouch™ can replace a software VPN client installed on a computer.
  • Page 54: Vpn Client Page

    Chapter 3 Configuration via Local Pages. 3.2.1 VPN Client Page. Initial page: When you click VPN > VPN Client, the following page is displayed. The page contains a number of buttons and fields to complete. It is recommended to fill out the page from top to bottom. Buttons: When you click a button, the page layout changes, revealing other fields and buttons.
  • Page 55 Server IP Address or FQDN: Fill out the publicly known network location of the remote Gateway. You can specify the public IP address, if it is invariable and known. More often, the publicly known FQDN (such as vpn.corporate.com) will be used. Backup Server IP: This field can optionally be filled out in a configuration with a backup VPN server.
  • Page 56 Chapter 3 Configuration via Local Pages. IPSec Security Descriptor: The IPSec Security Descriptor bundles the security parameters used for the Phase 2 Security Association. A number of IPSec Security Descriptors are pre-configured in the SpeedTouch™, and can be selected from a list. Select a Security Descriptor in compliance with the IPSec security parameters configured in the remote VPN server. Further on this page: Exchange Mode; Server Vendor.
  • Page 57 Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet.
  • Page 58 Chapter 3 Configuration via Local Pages. Page layout for pre-shared key authentication: When you click Use Preshared Key Authentication, the initial page is updated in the following way. IKE Authentication with Preshared Key: When you select Use Preshared Key Authentication, the following fields have to be completed:... Further on this page: Page layout for certificate authentication; IKE Authentication: Certificate parameters.
  • Page 59 Starting and stopping a VPN client connection: Two start mechanisms are defined: Manual Dialup; Automatic Start. When you use pre-shared key authentication, both start mechanisms require a number of parameters to be set. The set of parameters depends on which Server Vendor you selected.
  • Page 60 Chapter 3 Configuration via Local Pages. Local LAN IP Range: In this field you have to configure the local access policy. In other words, you define which IP range of local terminals has access to the VPN. You can specify either a single IP address, a subnet, or a range. Further on this page: Set of Server Vendor specific parameters; Configuring XAuth.
  • Page 61: Starting The Vpn Client Connection

    3.2.2 Starting the VPN Client Connection Method 1: In section Automatic Start configuration of the Automatic Start mechanism is explained. All parameters required for starting the connection are stored in the SpeedTouch™ configuration file, and no further user interaction is required to start the VPN connection. With XAuth configured, the authentication parameters are stored in the SpeedTouch™...
  • Page 62 Chapter 3 Configuration via Local Pages. Dialling in: Select the VPN server from the table and click Dial-In at the bottom of the screen. VPN Client Connect Page: As a result, the VPN Client Connect page is shown. Fill out the login parameters and click Continue. The SpeedTouch™...
  • Page 63 Chapter 3 Configuration via Local Pages. Client Identification: When the Preshared Key method was selected for the IKE Authentication method, some Server Vendor specific fields must be filled out. See “Set of Server Vendor specific parameters” on page 58. Using XAuth: When the VPN server uses the Extended Authentication protocol, you fill out your Username and Password in the optional fields:...
  • Page 64: Closing A Connection

    Chapter 3 Configuration via Local Pages. 3.2.3 Closing a Connection. Disconnect procedure: At the bottom of the VPN Client Connection Configuration page, all active VPN connections are shown. Select the connection you want to terminate and click Disconnect. The secure connection is closed and is removed from the list of active connections.
  • Page 65: Vpn Server

    3.3 VPN Server VPN context In a VPN client-server scenario, the VPN server is always the responder in the IKE negotiations. Various VPN clients can dial in to a VPN server, since it supports multiple simultaneous VPN connections. A VPN server does not know a priori which remote Security Gateway will attempt to set up a VPN connection.
  • Page 66: Vpn Server Page

    Chapter 3 Configuration via Local Pages. 3.3.1 VPN Server Page. Initial page: When you click VPN > VPN Server, the following page is displayed. The page contains a number of buttons and fields to complete. It is recommended to fill out the page from top to bottom. Buttons: When you click a button, the page layout changes, revealing other fields and buttons.
  • Page 67 Buttons: You can use one of the following buttons: Specify Additional Networks; Use Preshared Key Authentication; Use Certificate Authentication; Specify Additional Descriptors; Apply; Clear All. Local Trusted Network: The Local Trusted Network open to Remote Clients describes which part of the local network you want to make accessible for remote VPN clients.
  • Page 68 Chapter 3 Configuration via Local Pages. Page layout with additional Networks: Clicking Specify Additional Networks allows you to designate up to four addresses/subnets in case the Local Trusted Network can not be described by a single address/subnet. Further on this page: IKE Security Descriptor.
  • Page 69 Page layout with additional Descriptors: When you click Specify Additional Descriptors, the IKE Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IKE Security Descriptors. These will be used as alternative valid proposals in the IKE negotiations. IPSec Security Descriptor: The IPSec Security Descriptor bundles the security parameters used for the Phase 2...
  • Page 70 Chapter 3 Configuration via Local Pages. Miscellaneous: Comprises the following settings: IKE Exchange Mode: IKE specifies two modes of operation for the Phase 1 negotiations: main mode and aggressive mode. Main mode is more secure while aggressive mode is quicker. Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™...
  • Page 71 Chapter 3 Configuration via Local Pages VPN Server settings Comprises the following settings: Virtual IP Range: Specifies the range of IP addresses from which the VPN client addresses are selected. An address range or a subnet can be entered for this parameter. Examples: 10.20.30.[5-50] 10.20.30.*...
  • Page 72 Chapter 3 Configuration via Local Pages. Page layout for pre-shared key authentication: When you click Use Preshared Key Authentication, the initial page is updated in the following way. IKE Authentication with Preshared Key: When you select Use Preshared Key Authentication, the following fields have to be completed: Preshared Secret: A string to be used as a secret password for the VPN connection.
  • Page 73 Remote ID (Filter) Type and Remote ID Filter: The Remote ID Filter identifies the VPN client during the Phase 1 negotiation. This identity is used as a filter for VPN clients when they join the VPN. Its value must match the settings in the VPN client in order to successfully set up the IKE Security Association.
  • Page 74 Chapter 3 Configuration via Local Pages Authorized Users List When you selected the use of XAuth (either generic or chap) in the VPN Server Configuration page, then clicking Apply reveals an additional section at the top of the page. Compose a list of authorized users for the VPN: Enter a User name and corresponding Password.
  • Page 75: Certificates

    Chapter 3 Configuration via Local Pages. 3.4 Certificates. Introduction: The Certificates Navigation tab gives access to four main pages for certificate management. Secure Storage page: This page shows the list of certificates stored in the SpeedTouch™. Request Import page: This page allows importing new certificates from a Certificate Authority into the SpeedTouch™.
  • Page 76 Chapter 3 Configuration via Local Pages. CEP page: This page allows configuring the Certificates Enrollment Protocol settings. Enrollment URL: This URL points to the location of the CEP script on the Certificate Authority server. Usually, it has the following form: “http://<host>[:<port>]/<path>”. <host>... Further on this page: Subject DN.
  • Page 77: Advanced Vpn Menu

    3.5 Advanced VPN Menu. When to use: The Advanced VPN menu gives access to two main pages where the complete IPSec configuration can be done. These pages are component-oriented, as opposed to the application-oriented pages described in sections 3.1, ... Component-oriented means that a number of components are constructed and subsequently combined.
  • Page 78 Chapter 3 Configuration via Local Pages. Peer Profiles page: When you click VPN > Advanced > Peers, the Peer Profiles page is displayed. The Peers page gives access to the following sub-pages (Advanced > Peers sub-pages): Peer Profiles; Authentication; Descriptors; Options; VPN-Client; VPN-Server...
  • Page 79 Connection Profiles page: When you click VPN > Advanced > Connections, the Connection Profiles page is displayed. The Connections page gives access to the following sub-pages (Advanced > Connections sub-pages): Connection Profiles; Networks; Descriptors; Options; Client. All connection parameters explained in the CLI configuration method can be filled out in these pages.
  • Page 80: Peer Profiles Page

    Chapter 3 Configuration via Local Pages. 3.5.1 Peer Profiles Page. Peer Profiles page layout: The Peer Profiles page bundles all parameters that define a Peer. A number of parameters make use of symbolic descriptors that are defined and managed on other sub-pages. Parameters on this page: Peer name; Remote address; Backup remote address.
  • Page 81 Local ID The Local ID identifies the local SpeedTouch™ during the Phase 1 negotiation with the remote Security Gateway. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The Local ID types supported in the SpeedTouch™...
  • Page 82 Chapter 3 Configuration via Local Pages. Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. Further on this page: Exchange mode; Authentication; Peer Descriptor; Client/Server.
  • Page 83 Chapter 3 Configuration via Local Pages Peer Options This optional parameter refers to the symbolic name of a peer options list. The peer options modify the VPN behaviour. The peer options lists are defined on the Peers Options sub-page, see “3.5.4 Peer Options Page”...
  • Page 84: Authentication Page

    Chapter 3 Configuration via Local Pages. 3.5.2 Authentication Page. Authentication page layout; Parameter table: The Authentication page allows you to define Authentication Attributes. Two main methods for user authentication are supported in the SpeedTouch™: pre-shared key; certificates. The user authentication parameters used for IKE negotiations are bundled in a descriptor with a symbolic name. This is called the Authentication Attribute.
  • Page 85: Peer Descriptors Page

    3.5.3 Peer Descriptors Page. Descriptors page layout: A Peer Security Descriptor contains the methods for message authentication, encryption and hashing, and the lifetime of the IKE Security Association. The Peer Descriptors page allows you to manage Peer Security Descriptors. A number of Peer Security Descriptors are pre-configured in the SpeedTouch™. You can verify and modify the contents of the pre-defined Security Descriptors or define your own Security Descriptors.
  • Page 86 Chapter 3 Configuration via Local Pages. Parameters on this page: Crypto; Integrity; Group; Lifetime-secs. Crypto: The table below shows the encryption algorithms supported by the SpeedTouch™ along with their corresponding key size: Algorithm: 3DES ... DES is relatively slow and is the weakest of the algorithms, but it is the industry standard.
  • Page 87: Peer Options Page

    Chapter 3 Configuration via Local Pages. 3.5.4 Peer Options Page. Options page layout: The Options page allows you to define Options lists that you can later refer to in a Peer Profile. Peer options are described in section “6.9 Peer Options” on page 201.
  • Page 88: Vpn-Client Page

    Chapter 3 Configuration via Local Pages. 3.5.5 VPN-Client Page. VPN-Client page layout: The VPN-Client page allows you to define VPN Client Descriptors. The configuration of a VPN client scenario is described in detail in section “3.2 VPN Client”... Parameters on this page: Client descriptor name; Configuring XAuth; Gateway Vendor.
  • Page 89 Type The Type parameter determines which Either dhcp or nat can be selected. Selecting dhcp has the effect that the virtual IP address attributed by the VPN server to the SpeedTouch™ VPN client is effectively assigned to the terminal. The SpeedTouch™ creates a new IP address pool, called a spoofing address pool.
  • Page 90: Vpn-Server Page

    Chapter 3 Configuration via Local Pages. 3.5.6 VPN-Server Page. VPN-Server page layout: The VPN-Server page allows you to define VPN Server Descriptors. The configuration of a VPN server scenario is described in detail in section “3.3 VPN Server”... Parameters on this page: Server descriptor name; Virtual IP Range; Netmask; Push IP; Domain; Primary DNS.
  • Page 91 Chapter 3 Configuration via Local Pages Secondary DNS The IP address of the secondary DNS server, provided to the VPN clients via IKE Mode Config. This is the secondary DNS server in the local network that is open to VPN clients. Primary WINS The IP address of the primary WINS server, provided to the VPN clients via IKE Mode Config.
  • Page 92: Vpn-Server-Xauth Page

    Chapter 3 Configuration via Local Pages. 3.5.7 VPN-Server-XAuth Page. VPN-Server-XAuth page layout: The VPN-Server-XAuth page allows you to define XAuth user pools and to add authorized users to these pools. An XAuth user pool is a named list of authorized users. Use Add User to define additional user records. Parameters on this page: XAuth pool name; Type; Username and Password.
  • Page 93: Connection Profiles Page

    Chapter 3 Configuration via Local Pages 3.5.8 Connection Profiles Page Connection Profiles The Connection Profiles page bundles all parameters that define an IPSec page layout Connection to a Peer. In other words it bundles the Phase 2 parameters. A number of parameters makes use of symbolic descriptors that are defined and managed on other sub-pages.
  • Page 94 Local network: This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. Further parameters on this page: Remote network; Always on; Connection Descriptor.
  • Page 95 Connection Options: This optional parameter refers to the symbolic name of a connection options list. The connection options modify the VPN behaviour. The connection options lists are defined on the Connection Options sub-page, see “3.5.11 Connection Options Page”...
  • Page 96: Networks Page

    3.5.9 Networks Page. Topics: Networks page layout; What is a Network Descriptor?; How is it used?; Network name; Type of network and IP address. The Networks page allows you to define Network Descriptors. The concept of Network Descriptors is introduced for the first time in the SpeedTouch™...
  • Page 97 Protocol: Optionally, access to an IPSec connection can be restricted to a specific protocol by selecting a protocol from the list. Select any if you do not want to restrict the connection to a specific protocol. Port: Optionally, if the tcp or udp protocol is selected for the protocol parameter, then access to the IPSec connection can be further restricted to a single port number.
  • Page 98: Connection Descriptors Page

    3.5.10 Connection Descriptors Page. Descriptors page layout: A Connection Security Descriptor contains the following security parameters for an IPSec connection: encryption method; message integrity method (also called message authentication); selection to use Perfect Forward Secrecy, or not; lifetime of the IPSec (Phase 2) Security Association; encapsulation method.
  • Page 99 Parameter table: The following table summarizes the parameters comprised in the connection security descriptor: Descriptor name; Crypto; Integrity; Encapsulation; Lifetime-secs; Lifetime-kbytes. Connection Descriptor name: Internal symbolic name to identify the Connection Descriptor. Crypto: The table below shows the cryptographic functions supported by the SpeedTouch™ along with their corresponding key size: Algorithm 3DES...
  • Page 100 Integrity: The SpeedTouch™ supports two types of hashing algorithms (MD5 and SHA1). HMAC is always used as integrity algorithm, combined with either MD5 or SHA1. SHA1 is stronger than MD5, but slightly slower. Encapsulation: Tunnel mode is used in all applications where the SpeedTouch™... Further parameters on this page: Lifetime-secs; Lifetime-kbytes.
  • Page 101: Connection Options Page

    3.5.11 Connection Options Page. Options page layout: The Options page allows you to define Options lists that you can later refer to in a Connection Profile. Connection options are described in section “6.10 Connection Options” on page 207.
  • Page 102: Client Page

    3.5.12 Client Page. Topics: Client page layout; Connection; Local ID; Configuring XAuth. The Client page is used for dialling in to a VPN server. The configuration of a VPN client scenario is described in detail in section “3.2 VPN Client”...
  • Page 103: Configuration Via The Command Line Interface

    Chapter 4 Configuration via the Command Line Interface 4 Configuration via the Command Line Interface. In this chapter: This chapter describes the basic configuration steps for building an operational IPSec setup via the Command Line Interface. Firstly, a reference network is proposed, which serves in the examples throughout the chapter.
  • Page 104: Basic Ipsec Configuration Procedure

    4.1 Basic IPSec configuration procedure. Terminology: The SpeedTouch™ uses specific IPSec terms and definitions. The following table relates these terms to the question to be solved when setting up an IPSec connection to a remote network. What do we want to do? Define the remote Security Gateway to which we want to set up an IKE...
  • Page 105 Procedure: In order to set up a basic IPSec configuration, the following main steps have to be executed. 1. Prepare the Peer attributes: create a new Peer entity; modify the Peer parameters. 2. Prepare a valid Connection Security Descriptor. 3. Prepare a valid Network Descriptor. 4. Create a new Connection.
  • Page 106: Peer: Authentication Attribute

    4.2 Peer: Authentication Attribute. Topics: What is ...; How is it used; In this section. Two main methods for user authentication are supported in the SpeedTouch™: pre-shared key; certificates. The user authentication parameters used for IKE negotiations are bundled in a descriptor with a symbolic name.
  • Page 107: Authentication Attribute Parameters

    4.2.1 Authentication Attribute Parameters. Parameter table: The authentication attribute is a named descriptor, bundling the authentication parameters. The following data need to be provided (Parameter: Possible values). name: Arbitrary; syntax rules, see CLI Reference Guide. type: preshared or cert. secret: Arbitrary. E-DOC-CTC-20051017-0169 v0.1
  • Page 108: List All Authentication Attributes

    4.2.2 List all Authentication Attributes. list command: The ipsec peer auth list command shows all previously created authentication attributes. Example: In this example, four attributes are shown: cert1: completely defined authentication attribute using certificates; secret2: created, but not yet completely configured; secret1: completely defined authentication attribute using pre-shared key.
  • Page 109: Create A New Authentication Attribute

    4.2.3 Create a New Authentication Attribute. add command: The ipsec peer auth add command creates a new authentication attribute. Example: In the following example, a new authentication attribute is created, named secret1: [ipsec]=> [ipsec]=>peer [ipsec peer]=>auth [ipsec peer auth]=>add name = secret1 :IPSec peer auth add name=secret1 [ipsec peer auth]=>...
  • Page 110: Set Or Modify The Authentication Attribute Parameters

    4.2.4 Set or Modify the Authentication Attribute Parameters. modify command: The ipsec peer auth modify command sets or modifies the authentication attribute parameters. Example: In this example, the parameters of the authentication attribute are set to use the pre-shared key authentication method. The secret password entered by the user is not shown in readable format on the screen.
  • Page 111: Delete An Authentication Attribute

    4.2.5 Delete an Authentication attribute. delete command: The ipsec peer auth delete command deletes an authentication attribute. Example: In the following example the authentication attribute, named secret2, is deleted. [ipsec peer auth]=> [ipsec peer auth]=>delete name = cert1 name = secret2 :ipsec peer auth delete name=secret2 [ipsec peer auth]=>...
  • Page 112: Peer Security Descriptor

    4.3 Peer Security Descriptor. Topics: What is ...; How is it used; In this section. All security parameters required to establish an IKE session are grouped into a string called a Peer Security Descriptor. This descriptor contains the methods for message authentication, encryption and hashing, and the lifetime of the Security Association.
  • Page 113: Peer Security Descriptor Parameters

    4.3.1 Peer Security Descriptor Parameters. Parameter table: The following table summarizes the parameters comprised in the peer security descriptor. The table also indicates the keyword used in the CLI for each parameter: Cryptographic function; Key length; Hash function; Diffie-Hellman group; IKE SA lifetime. Example: A Peer Security Descriptor is a text string, comprising the parameters described in...
  • Page 114 Cryptographic function [crypto], Key length [keylen], Authentication Hashing function [integrity], Diffie-Hellman group [group]: The table below shows the encryption algorithms supported by the SpeedTouch™ along with their corresponding key size: Algorithm, Valid key sizes (bits): 3DES 128, 192, 256...
  • Page 115 IKE SA lifetime [lifetime_secs]: The lifetime of a Security Association is specified in seconds. Lifetime measured in seconds: minimum value 240 (= 4 minutes), maximum value 31536000 (= 1 year)...
  • Page 116: List All Peer Security Descriptors

    4.3.2 List all Peer Security Descriptors. list command: The ipsec peer descriptor list command lists the peer security descriptors. Example: The example below shows the pre-defined Peer Security Descriptors of the SpeedTouch™: [ipsec]=> [ipsec]=>peer [ipsec peer]=>descriptor [ipsec peer descriptor]=>list [AES_SHA1] : AES(128) SHA1 MODP1024 Lifetime 3600s [AES_MD5] : AES(128) MD5 MODP1024 Lifetime 3600s...
  • Page 117: Create A New Peer Security Descriptor

    4.3.3 Create a New Peer Security Descriptor. add command: A new Peer Security Descriptor is created with the ipsec peer descriptor add command. Example: In the following example, a new Peer Security Descriptor is created, named peerdes1: =>ipsec [ipsec]=>peer [ipsec peer]=>descriptor [ipsec peer descriptor]=>add name = peerdes1 :ipsec peer descriptor add name=peerdes1 [ipsec peer descriptor]=>...
  • Page 118: Set Or Modify The Peer Descriptor Parameters

    4.3.4 Set or Modify the Peer Descriptor Parameters. modify command: The ipsec peer descriptor modify command sets or modifies the Peer Security Descriptor parameters. Example: In this example, the parameters of the previously defined Peer Security Descriptor peerdes1 are set to the following values: crypto = AES keylen = 128 integrity = MD5...
  • Page 119: Delete A Peer Descriptor

    4.3.5 Delete a Peer Descriptor. delete command: The ipsec peer descriptor delete command deletes a Peer Security Descriptor. Example: In this example the user-defined Peer Security Descriptor, named peerdes1, is deleted: [ipsec peer]=>descriptor [ipsec peer descriptor]=>delete name = AES_SHA1 3DES_MD5 AES_SHA1_Adv name = peerdes1 :IPSec peer descriptor delete name=peerdes1 [ipsec peer descriptor]=>...
  • Page 120: Peer

    4.4 Peer. Topics: What is ...; How is it used; In this section. The Peer is a term that refers to the remote Security Gateway the IPSec secure tunnel(s) will be connected to. In a first phase, an IKE Security Association is negotiated between the SpeedTouch™...
  • Page 121: Peer Parameters

    4.4.1 Peer parameters. Parameters table: The following table shows the peer parameters: Peer name; Remote peer address; Backup remote peer address; Exchange mode; Local identifier; Remote identifier; Physical interface; Descriptor; Authentication attribute; Client/server; Options. Peer name [name]: The peer name identifies the peer entity.
  • Page 122 Remote Security Gateway identifier [remoteaddr]: This parameter localizes the remote Security Gateway on the Internet. Either the public IP address or the Fully Qualified Domain Name can be used as an identifier. Backup remote Security Gateway Identifier [backupaddr]: When a redundant remote Security Gateway is available, its public IP address or host name can be specified here. Further parameters on this page: Exchange mode [exchmode]; Local Identifier [localid].
  • Page 123 Remote Identifier [remoteid]: This parameter identifies the remote Security Gateway during the Phase 1 negotiation. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch™ are listed in the following table. Identity type: IP address; Fully qualified domain name...
  • Page 124 Physical Interface [phyif]: You can tie the peer to one of your SpeedTouch™ interfaces. This interface is then used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet. Further parameters on this page: Peer descriptor [descr]; Authentication Attribute [auth]; client/server; options.
  • Page 125: List All Peer Entities

    4.4.2 List all peer entities. list command: The ipsec peer list command shows the list of all defined peer entities. Example: In the following example, a list of all defined peer entities is created. [ipsec]=> [ipsec]=>peer [ipsec peer]=>list [peer1] Remote Address : 200.200.0.1 Backup Remote Address: <unset>... [ipsec peer]=>
  • Page 126: Create A New Peer Entity

    4.4.3 Create a new peer entity. add command: A new Peer is created with the ipsec peer add command. Example: In the following example, a new peer is created, named peer1: =>IPSec [ipsec]=>peer [ipsec peer]=>add name = peer1 :IPSec peer add name=peer1...
  • Page 127: Set Or Modify The Peer Parameters

    4.4.4 Set or modify the peer parameters. modify command: ipsec peer modify. Example: In this example, the parameters of the previously defined peer, named peer1, are set: [ipsec peer]=> [ipsec peer]=>modify name = peer1 [remoteaddr] = 200.200.0.1 [backupaddr] = [exchmode] = main [localid] = 100.100.0.1 [remoteid] = 200.200.0.1 [phyif] =...
  • Page 128: Delete A Peer Entity

    4.4.5 Delete a Peer entity. delete command: The ipsec peer delete command deletes a peer entity. Example: In this example the peer, named peer1, is deleted: [ipsec peer]=> [ipsec peer]=>delete name = peer1 :IPSec peer delete name=peer1 [ipsec peer]=>...
  • Page 129: Connection Security Descriptor

    4.5 Connection Security Descriptor. What is ...: All security parameters required to establish an IPSec tunnel are grouped into a string called Connection Security Descriptor. This descriptor contains the following parameters: encryption method; message integrity method (also called message authentication); selection to use Perfect Forward Secrecy, or not; lifetime of the Security Association; encapsulation method.
  • Page 130: Connection Security Descriptor Parameters

    4.5.1 Connection Security Descriptor parameters. Parameters table: The following table summarizes the parameters comprised in the connection security descriptor. The table also indicates the keyword used in the CLI for each parameter: Parameter, Keyword... Example: Connection Descriptor name [name].
  • Page 131 Cryptographic function [crypto]: The table below shows the cryptographic functions supported by the SpeedTouch™ along with their corresponding key size: Algorithm 3DES NULL ... DES is relatively slow and is the weakest of the algorithms, but it is the industry standard. 3DES is a stronger version of DES, but is the slowest of the supported algorithms (for a comparable key length).
  • Page 132 Perfect Forward Secrecy [pfs]: Enables or disables the use of Perfect Forward Secrecy. A lot of vendors have Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. In order to configure this on the SpeedTouch™, the use of PFS must be enabled in the Connection Security Descriptor. Further parameters on this page: IPSec SA lifetime [lifetime_secs]; IPSec SA volume lifetime [lifetime_kbytes]; Encapsulation mode [encapsulation].
  • Page 133: List All Connection Security Descriptors

    4.5.2 List all Connection Security Descriptors. list command: The ipsec connection descriptor list command lists the defined Connection Security Descriptors. Example: The example below shows the pre-defined Connection Security Descriptors of the SpeedTouch™: =>ipsec [ipsec]=>connection [ipsec connection]=>descriptor [ipsec connection descriptor]=>list [AES_SHA1_TUN] : AES(128) HMAC-SHA1 Lifetime 86400s Tunnel Mode [AES_MD5_TUN] : AES(128) HMAC-MD5 Lifetime 86400s Tunnel Mode [AES_SHA1_PFS_TUN] : AES(128) HMAC-SHA1 PFS Lifetime 86400s Tunnel Mode [AES_MD5_PFS_TUN] : AES(128) HMAC-MD5 PFS Lifetime 86400s Tunnel Mode...
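An added example, not code from the SpeedTouch guide: a small Python audit that parses the one-line descriptor format printed by ipsec peer descriptor list (Phase 1) and ipsec connection descriptor list (Phase 2), as shown above and in 4.3.2, and flags the choices this guide itself ranks as weaker (DES, MD5, PFS left disabled) plus IKE lifetimes outside the documented 240 to 31536000 second range. The DES and NULL sample lines are constructed to exercise the checks, and the MODP1024 finding is general cryptographic guidance rather than a statement of the guide.

```python
"""Audit SpeedTouch IPSec descriptor listings for weak settings.

Added example, not part of the SpeedTouch IPSec Configuration Guide.
Input is the one-line format printed by 'ipsec peer descriptor list'
(Phase 1 / IKE) and 'ipsec connection descriptor list' (Phase 2 / IPSec).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# IKE SA lifetime bounds as documented in the guide: 240 s (4 min) .. 31536000 s (1 year).
IKE_LIFETIME_MIN = 240
IKE_LIFETIME_MAX = 31536000

# "[NAME] : <body>"
LINE_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*:\s*(?P<body>.+?)\s*$")
# Body, e.g. "AES(128) SHA1 MODP1024 Lifetime 3600s" (Phase 1)
#         or "AES(128) HMAC-SHA1 PFS Lifetime 86400s Tunnel Mode" (Phase 2)
BODY_RE = re.compile(
    r"^(?P<alg>3DES|AES|DES|NULL)(?:\((?P<bits>\d+)\))?"
    r"\s+(?:HMAC-)?(?P<hash>SHA1|MD5)"
    r"(?:\s+(?P<group>MODP\d+))?"
    r"(?:\s+(?P<pfs>PFS))?"
    r"\s+Lifetime\s+(?P<secs>\d+)s"
    r"(?:\s+(?P<mode>Tunnel|Transport)\s+Mode)?$"
)


@dataclass
class Descriptor:
    name: str
    crypto: str
    keylen: Optional[int]
    integrity: str
    group: Optional[str]          # Diffie-Hellman group, Phase 1 only
    pfs: bool                     # Perfect Forward Secrecy, Phase 2 only
    lifetime_secs: int
    encapsulation: Optional[str]  # Tunnel/Transport, Phase 2 only

    @property
    def phase(self) -> int:
        # Peer descriptors carry a DH group; connection descriptors do not.
        return 1 if self.group else 2


def parse_descriptor(line: str) -> Optional[Descriptor]:
    """Parse one listing line; return None for prompts or unrelated output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    b = BODY_RE.match(m.group("body"))
    if not b:
        return None
    return Descriptor(
        name=m.group("name"),
        crypto=b.group("alg"),
        keylen=int(b.group("bits")) if b.group("bits") else None,
        integrity=b.group("hash"),
        group=b.group("group"),
        pfs=b.group("pfs") is not None,
        lifetime_secs=int(b.group("secs")),
        encapsulation=b.group("mode"),
    )


def audit(d: Descriptor) -> list[str]:
    """Return findings for one descriptor (empty list = nothing to flag)."""
    findings: list[str] = []
    if d.crypto == "NULL":
        findings.append("NULL cipher: packets are authenticated but not encrypted")
    elif d.crypto == "DES":
        findings.append("DES: the guide ranks it the weakest supported cipher")
    if d.integrity == "MD5":
        findings.append("MD5 integrity: the guide ranks SHA1 stronger; prefer SHA1")
    if d.phase == 1:
        if d.group == "MODP1024":
            # General guidance, not a statement of the guide.
            findings.append("MODP1024: 1024-bit DH is below current recommendations")
        if not IKE_LIFETIME_MIN <= d.lifetime_secs <= IKE_LIFETIME_MAX:
            findings.append(f"IKE lifetime {d.lifetime_secs}s outside 240..31536000 s")
    elif not d.pfs:
        findings.append("PFS disabled: Phase 2 keys are derived from the IKE SA only")
    return findings


def audit_listing(text: str) -> dict[str, list[str]]:
    """Map descriptor name -> findings for every descriptor line in a listing."""
    return {d.name: audit(d)
            for d in map(parse_descriptor, text.splitlines()) if d is not None}


# Constructed sample: the AES lines are the pre-defined descriptors shown in
# the guide; the DES and NULL lines are made up to exercise the checks.
SAMPLE_LISTING = """\
[ipsec peer descriptor]=>list
[AES_SHA1] : AES(128) SHA1 MODP1024 Lifetime 3600s
[AES_MD5] : AES(128) MD5 MODP1024 Lifetime 3600s
[ipsec connection descriptor]=>list
[AES_SHA1_TUN] : AES(128) HMAC-SHA1 Lifetime 86400s Tunnel Mode
[AES_SHA1_PFS_TUN] : AES(128) HMAC-SHA1 PFS Lifetime 86400s Tunnel Mode
[DES_MD5_SHORT] : DES(56) MD5 MODP1024 Lifetime 120s
[NULL_MD5_TUN] : NULL HMAC-MD5 Lifetime 86400s Tunnel Mode
"""

if __name__ == "__main__":
    for name, findings in audit_listing(SAMPLE_LISTING).items():
        print(name, "->", findings or "OK")
```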
  • Page 134: Create A New Connection Security Descriptor

    4.5.3 Create a new Connection Security Descriptor. add command: A new Connection Security Descriptor is created with the descriptor add command. Example: In the following example, a new Connection Security Descriptor is created, named cnctdes1: [ipsec]=>connection [ipsec connection]=>descriptor...
  • Page 135: Set The Connection Security Descriptor Parameters

    4.5.4 Set the Connection Security Descriptor Parameters. modify command: The ipsec connection descriptor modify command sets the connection descriptor parameters. Example: In this example, the parameters of the previously defined Connection Security Descriptor cnctdes1 are set to the following values: crypto = AES key length = 128 integrity = HMAC-MD5 Perfect Forward Secrecy = disabled...
  • Page 136: Delete A Connection Security Descriptor

    4.5.5 Delete a Connection Security Descriptor. delete command: The ipsec connection descriptor delete command deletes a Connection Descriptor. Example: In this example the user-defined Connection Security Descriptor, named cnctdes1, is deleted: [ipsec connection descriptor]=>delete name = cnctdes1 :ipsec connection descriptor delete name=cnctdes1 [ipsec connection descriptor]=>...
  • Page 137: Network Descriptor

    4.6 Network Descriptor What is ... The concept of Network Descriptors is introduced for the first time in the SpeedTouch™ R5.3.0. Not only the classical idea of an IP network or subnet is comprised in this concept, but also the protocol and port number of the messages can be specified, such that access to the VPN can be restricted to certain hosts, protocols and port numbers.
  • Page 138: Network Descriptor Parameters

    4.6.1 Network Descriptor Parameters. Parameters table: The following table summarizes the parameters comprised in the Network Descriptor: Parameter, Keyword, Description. Network name [name]: Mandatory. Type of network and IP address [type] and [ip]: ...
  • Page 139 Protocol [proto] Access to an IPSec connection can be restricted to specific protocols. This can optionally be configured with the proto parameter. Valid entries are listed in the following table. Protocol icmp 6to4 Alternatively, any valid protocol number as assigned by IANA can be entered for the protocol parameter.
  • Page 140: Create A New Network Descriptor

    4.6.2 Create a New Network Descriptor. add command: A new Network Descriptor is created with the ipsec connection network add command. Example: In the following example, a new Network descriptor is created, named net1: [ipsec]=> [ipsec]=>connection [ipsec connection]=>network [ipsec connection network]=>add name = net1...
  • Page 141: Set The Network Descriptor Parameters

    4.6.3 Set the Network Descriptor Parameters. modify command: The ipsec connection network modify command sets the Network Descriptor parameters. Example: In this example, the parameters of the previously defined network, named net1, are set: [ipsec connection network]=> [ipsec connection network]=>modify name = net1 [type] = address [type] = subnet [ip] = 10.0.0.0/24...
  • Page 142: Delete A Network Descriptor

    4.6.4 Delete a Network Descriptor. delete command: The ipsec connection network delete command deletes a Network Descriptor. Example: In this example the Network Descriptor, named net1, is deleted: [ipsec connection network]=>delete name = net1 :IPSec connection network delete name=net1 [ipsec connection network]=>...
  • Page 143: Connection

    4.7 Connection. What is ...: A Connection bundles all the parameters required for the PH2 SA negotiation: Peer: reference pointing to the peer configuration to be used; in fact, this refers to the IKE channel used for the Phase 2 negotiations. Local/remote range: range of private IP addresses to which the IPSec policy applies.
  • Page 144: Connection Parameters

    4.7.1 Connection Parameters. Parameters table: The table below shows the connection parameters (Parameter: Keyword). Connection name: name. Peer: peer. Local network: localnetwork. Remote network: remotenetwork. Always-on: alwayson. Descriptors...
  • Page 145 Local network [localnetwork]: This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. This is a basic parameter for the dynamic IPSec policy capabilities of the SpeedTouch™.
  • Page 146 Always-on connection [alwayson]: This parameter determines whether the connection is permanently enabled or not. By default this parameter is set to disabled. In this case the IPSec connection is started only when traffic is sent that complies with the IPSec policy, or if the connection is started manually. Further parameters on this page: Descriptors [descr]; Options [options]; State [state].
  • Page 147: List All Connections

    4.7.2 List all Connections. list command: The ipsec connection list command shows the list of all defined connections. Example: In the following example, a list of all defined connections is shown. [ipsec connection]=>list [connect1] Peer : peer1 Local network : net1 Remote network : (null) [ipsec connection]=>
  • Page 148: Create A New Connection

    4.7.3 Create a New Connection. add command: A new Connection is created with the ipsec connection add command. Example: In the following example, a new connection is created, named connect1: [ipsec]=>connection [ipsec connection]=>add name = connect1 :IPSec connection add name=connect1 [ipsec connection]=>...
  • Page 149: Set Or Modify The Connection Parameters

    4.7.4 Set or Modify the Connection Parameters. modify command: The ipsec connection modify command sets or modifies the connection parameters. Example: In this example, the parameters of the previously defined Connection, named connect1, are set: [ipsec connection]=>modify name = connect1 [peer] = peer1 [localnetwork] = retrieve_from_server [localnetwork] = net1 [remotenetwork] = net2 [alwayson] = disabled [descr] =...
  • Page 150: Delete A Connection

    4.7.5 Delete a Connection. delete command: The ipsec connection delete command deletes a connection. Example: In this example the connection, named connect1, is deleted: [ipsec connection]=>delete name = connect1 :ipsec connection delete name=connect1 [ipsec connection]=> The result of this operation is verified with the list command: [ipsec connection]=>list [ipsec connection]=>...
  • Page 151: Start A Connection

    4.7.6 Start a Connection. start command: The ipsec connection start command sets up the designated Security Association. If no IKE Security Association between the SpeedTouch™ and the remote Security Gateway exists, the Phase 1 negotiation is started, followed by the Phase 2 negotiation. If an IKE SA already exists, the Phase 2 tunnel negotiation is started immediately.
  • Page 152: Stop A Connection

    4.7.7 Stop a connection. stop command: The ipsec connection stop command tears down the designated Security Association. The IKE Security Association is not stopped with this command. For clearing both the Phase 1 and Phase 2 SAs, issue the “:IPSec clear session” command.
  • Page 153: Auxiliary Commands

    4.8 Auxiliary Commands. In this section: The following topics are discussed in this section: 4.8.1 Config Command; 4.8.2 Flush Command; 4.8.3 Clear Command Group...
  • Page 154: Config Command

    4.8.1 Config Command. What is it used for: Display the VPN configuration settings; Control of general VPN settings. This command serves two different purposes. Without additional parameter, the command displays the current VPN settings. When an additional parameter is appended, the command controls the setting of this VPN parameter. Topics on this page: Example; AutoRoute.
  • Page 155 AutoProxyARP: The automatic addition of ProxyARP entries in VPN client/server scenarios can be enabled or disabled. By default this setting is enabled. When disabled, the ProxyARP entries have to be entered manually. When do I need ProxyARP: In a VPN scenario, you need ProxyARP at both sides when the local and remote...
  • Page 156 An example of Auto ProxyARP: As an example, suppose a VPN server is configured on a SpeedTouch™ with the subnet 192.168.1.0 as its private LAN address range. The VPN server is configured to distribute Virtual IP addresses to the remote clients in the same range (Virtual IP range = 192.168.1.[64-74]).
  • Page 157: Flush Command

    4.8.2 Flush Command. What is it used for: This command flushes the complete IPSec configuration.
  • Page 158: Clear Command Group

    4.8.3 Clear Command Group. What is it used for: This command group comprises two commands, intended for clearing Security Associations: clear all; clear session. The clear command group is accessed in the following way: =>...
  • Page 159: Organisation Of The Ipsec Command Group

    4.9 Organisation of the IPSec Command Group Introduction In this section an overview is given of the IPSec Command Group structure. Underlined keywords represent a command group. Other keywords are commands. ipsec command group The ipsec command group comprises five main command groups and two commands, as shown in the following tables.
  • Page 160 Connection command group: The following table shows the commands of the ipsec connection command group. ipsec connection command group: advanced (modify, delete, list); descriptor (modify, delete, list); dialup (connect, disconnect); network (modify, ... Also on this page: Debug command group.
  • Page 161 Peer command group: The following table shows the commands of the ipsec peer command group. ipsec peer command group: sub-groups auth, descriptor, option, subpeer, vpnclient, vpnserver, each listing modify, delete, list commands; and the commands modify, delete, ...
  • Page 162 (ipsec peer command group, continued: list.) Show command group: The following table shows the commands of the ipsec show command group. ipsec show command group: config; state; sessions; stats; sadb.
  • Page 163: Troubleshooting Speedtouch™ Ipsec

    5 Troubleshooting SpeedTouch™ IPSec Introduction IPSec is a complex protocol suite and therefore the SpeedTouch™ offers a number of troubleshooting methods. Both the Web pages and the CLI interface allow you to check whether a tunnel setup was successful or has failed. Via the CLI you can check the Syslog messages showing you the history of tunnel negotiation.
  • Page 164: Via The Debug Web

    Chapter 5 Troubleshooting SpeedTouch™ IPSec 5.1 Via the Debug Web pages How to see the status of the VPN connection Browse to Expert mode > VPN > Debug > Status. This page shows the status of the IKE Security Association (Phase 1) and the IPSec Security Association(s) (Phase 2). For an operational VPN connection, both an IKE Security Association and an IPSec Security Association should be active.
  • Page 165 How to monitor the IPSec negotiations: Proceed as follows: 1. Browse to Expert mode > VPN > Debug > Logging. 2. Select the desired level of Trace Detail. Select high to see the most detailed level of logging. 3. Start the VPN connection. 4. Browse again to Expert mode >...
  • Page 166 How to see the amount of traffic carried by a VPN connection: Browse to Expert mode > VPN > Debug > Statistics. This page shows the amount of traffic carried over the IKE Security Association (Phase 1) and the IPSec Security Association(s) (Phase 2).
  • Page 167: Via The Cli: Show Command Group

    5.2 Via the CLI: Show command group. Show command group: You can check whether the secure tunnels are up: :IPSec show sadb. You can check whether traffic is passing the tunnel and keep track of the number of packets and bytes. To do so, take a snapshot of the number of packets/bytes that hit an IPSec policy rule via the following CLI command: [ipsec]=>show [ipsec show]=>stats...
  • Page 168 IPSecGlobalStats ---------------- IPSecGlobalActiveTunnels IPSecGlobalPreviousTunnels IPSecGlobalInOctets IPSecGlobalHcInOctets : 281483566645248 IPSecGlobalInOctWraps IPSecGlobalInDecompOctets IPSecGlobalHcInDecompOctets : 281483566645248 IPSecGlobalInDecompOctWraps IPSecGlobalInPkts IPSecGlobalInDrops IPSecGlobalInReplayDrops IPSecGlobalInAuths IPSecGlobalInAuthFails IPSecGlobalInDecrypts IPSecGlobalInDecryptFails IPSecGlobalOutOctets IPSecGlobalHcOutOctets : 281483566645248 IPSecGlobalOutOctWraps IPSecGlobalOutUncompOctets IPSecGlobalHcOutUncompOctets : 281483566645248 IPSecGlobalOutUncompOctWraps IPSecGlobalOutPkts IPSecGlobalOutDrops IPSecGlobalOutAuths IPSecGlobalOutAuthFails IPSecGlobalOutEncrypts IPSecGlobalOutEncryptFails IPSecGlobalOutCompressedPkts...
  • Page 169: Via The Cli: Debug Command Group

    5.3 Via the CLI: Debug command group. Traceconfig command: The traceconfig command sets the level of debugging messages that are dumped to the screen. This is shown below: [ipsec debug]=>traceconfig level none high [ipsec debug]=>traceconfig level medium [ipsec debug]=> You can check the Phase 1 and 2 specific information being exchanged during tunnel setup via the following command when you activate the tracing: Press <CTRL-Q>.
  • Page 170 Via Syslog messages: The Syslog protocol is a powerful mechanism to investigate network issues. It allows for logging events that occurred on the device. The Syslog messages can be retrieved in two ways: locally: Use this CLI command to retrieve the history of Syslog messages: :syslog msgbuf show. IPSec related syslog messages are disabled by default.
  • Page 171 Syslog messages: The following table shows the syslog messages (Severity: Contents). ERROR: unable to delete old SPD entry. ERROR: Peer local ID not configured. ERROR: unable to delete SPD entry. NOTICE: invalid certificate <REASON>. INFO: ...
  • Page 172: Via Snmp

    5.4 Via SNMP. Debugging via SNMP: On the SpeedTouch™, several SNMP MIBs are available that allow retrieving configuration and counter information: SpeedTouch IF MIB; ADSL MIB; IPSec MIB. A MIB (Management Information Base) can be considered as a representation of a group of parameters. A huge amount of MIB values can be retrieved remotely (e.g.
  • Page 173: Pinging From The Speedtouch™ To The Remote Private Network

    5.5 Pinging from the SpeedTouch™ to the remote private network Ping command In order to verify that an IPSec tunnel is active, you can use the :ip debug ping CLI command of the SpeedTouch™. With this command you are able to send ping messages from the SpeedTouch™...
  • Page 175: Advanced Features

    6 Advanced Features In this section The following topics are described in this section: 6.1 IPSec and the Stateful Inspection Firewall 6.3 Extended Authentication (XAuth) 6.4 VPN Client 6.5 VPN Server 6.6 XAuth Users Pool 6.7 The Default Peer Concept 6.8 One Peer - Multiple Connections 6.9 Peer Options 6.10 Connection Options...
  • Page 176: Ipsec And The Stateful Inspection Firewall

    Chapter 6 Advanced Features. 6.1 IPSec and the Stateful Inspection Firewall. The SpeedTouch™ has a built-in firewall which is completely configurable by the user. A number of preset firewall levels are defined that allow easy configuration according to your security policy.
  • Page 177: Surfing Through The Vpn Tunnel

    6.2 Surfing through the VPN tunnel. Web Browsing Interception and surfing through a tunnel: one of the SpeedTouch™ features for easy Internet access is the so-called Web Browsing Interception, also referred to as Differentiated Services Detection (DSD). This feature monitors your HTTP traffic and alerts you when you want to browse to a location that is not reachable because the connection to your Service Provider is not active.
  • Page 178: Extended Authentication (Xauth)

    6.3 Extended Authentication (XAuth). What it is and how it works: Extended Authentication, commonly referred to as the XAuth protocol, allows extra user authentication to be performed. A typical practical example is the combined use of IKE tunnel negotiation with a preshared key as the authentication method and, on top of that, Extended Authentication.
  • Page 179: Vpn Client

    6.4 VPN Client. Introduction: the SpeedTouch™ can be configured as a VPN client. In this function, it supports the IKE Mode Config protocol to receive configuration parameters from the remote VPN server. Optionally, you can enable the use of the Extended Authentication protocol as an additional level of security.
  • Page 180: Vpn Client Parameters

    6.4.1 VPN Client parameters. The following table shows the VPN Client parameters (Parameter: Keyword):
    VPN client name: name
    XAuth user name: xauthuser
    XAuth password: xauthpas
    Type of VPN client: clienttype
    Virtual IP map mode: virtualip_maptype
    Local LAN IP range...
  • Page 181: Create A New Vpnclient

    6.4.2 Create a new vpnclient. A new vpnclient is created with the add command. Example: in the following example, a new vpnclient entity is created, named client1:
    [ipsec]=>
    [ipsec]=>peer
    [ipsec peer]=>vpnclient
    [ipsec peer vpnclient]=>add
    name = client1
    :ipsec peer vpnclient add name=client1
    [ipsec peer vpnclient]=>...
  • Page 182: Set Or Modify The Vpnclient Parameters

    6.4.3 Set or modify the vpnclient parameters. The ipsec peer vpnclient modify command sets or modifies the vpnclient entity parameters. Example: in this example, the parameters of the previously defined vpnclient entity, named client1, are set:
    [ipsec peer vpnclient]=>modify
    name = client1
    [xauthuser] = user1
    [xauthpass] = *****...
  • Page 183: Attach The Vpnclient Entity To The Peer Entity

    6.4.4 Attach the vpnclient entity to the peer entity. The modify the peer parameters command, :ipsec peer modify name=peer1 client/server=client1, attaches the previously defined vpnclient entity to the corresponding peer. Example: in this example vpnclient1 is attached to peer1:
    [ipsec peer]=>modify
    name = peer1
    [remoteaddr] = 20.50.10.2
    [backupaddr] =...
  • Page 184: Vpn Server

    6.5 VPN Server. Introduction: in the previous section the SpeedTouch™ was used as a VPN client. The SpeedTouch™ can be used equally well as a VPN server. In this function, it can be configured with an XAuth user pool, to serve remote clients. In this section the VPN server commands are explained.
  • Page 185: Vpn Server Parameters

    6.5.1 VPN Server parameters. The following table shows the VPN Server parameters (Parameter column): VPN server name; Push IP address; VPN clients IP address range; Client netmask; Primary DNS server; Secondary DNS server; Primary WINS server; Secondary WINS server; Domain name; XAuth pool...
  • Page 186 Push IP address [push_ip]: The VPN server will always provide an IP address to the remote VPN client. VPN clients can behave in two different ways. Either the VPN client requests an IP address, ... (This page also describes the VPN clients IP address range, Client netmask and XAuth pool parameters.)
  • Page 187: Create A New Vpn Server

    6.5.2 Create a new VPN server. A new VPN server is created with the add command. Example: in the following example, a new vpnserver entity is created, named serv1:
    [ipsec]=>
    [ipsec]=>peer
    [ipsec peer]=>vpnserver
    [ipsec peer vpnserver]=>add
    name = serv1
    :ipsec peer vpnserver add name=serv1
    [ipsec peer vpnserver]=>...
  • Page 188: Set Or Modify The Vpnserver Parameters

    6.5.3 Set or modify the vpnserver parameters. The ipsec peer vpnserver modify command sets or modifies the vpnserver entity parameters. Example: in this example, the parameters of the previously defined vpnserver entity, named serv1, are set:
    [ipsec peer vpnserver]=>modify
    name = serv1
    [push_ip] = disabled enabled...
  • Page 189: Attach The Vpnserver Entity To The Peer Entity

    6.5.4 Attach the vpnserver entity to the peer entity. The modify the peer parameters command, :ipsec peer modify name=peer1 client/server=serv1, attaches the previously defined vpnserver entity to the corresponding peer. Example: in this example serv1 is attached to peer1:
    [ipsec peer]=>modify
    name = peer1
    [remoteaddr] = 20.50.10.2
    [backupaddr] =...
  • Page 190: Xauth Users Pool

    6.6 XAuth Users Pool. Introduction: in the previous section the application of the SpeedTouch™ as a VPN server was described. In addition to the IPSec authentication mechanisms, the clients may support the use of the XAuth protocol. In this case, the SpeedTouch™ VPN server can serve as a database for authentication.
  • Page 191: Xauth Pool Parameters

    6.6.1 XAuth Pool parameters. The following table shows the XAuth Pool parameters (Parameter, Keyword, Description):
    XAuth pool name, name: Mandatory. Symbolic name for the XAuth pool, used internally in the SpeedTouch™.
    Pool type, type: Mandatory....
  • Page 192: Create A New Xauth Pool

    6.6.2 Create a new XAuth pool. A new XAuth pool is created with the add command. Example: in the following example, a new xauthpool is created, named pool1:
    [ipsec]=>
    [ipsec]=>peer
    [ipsec peer]=>vpnserver
    [ipsec peer vpnserver]=>xauthpool
    [ipsec peer vpnserver xauthpool]=>add
    name = pool1
    :ipsec peer vpnserver xauthpool add name=pool1...
  • Page 193: Modify The Xauthpool Type

    6.6.3 Modify the xauthpool type. With the modify command it is possible to modify the pool type. Example: in this example, the type of the previously defined pool, named pool1, is set to chap:
    [ipsec peer vpnserver xauthpool]=>modify
    name = pool1
    [type] = generic [type] = chap
    :ipsec peer vpnserver xauthpool modify name=pool1 type=chap...
  • Page 194: Attach The Xauthpool Entity To The Vpnserver Entity

    6.6.4 Attach the xauthpool entity to the vpnserver entity. The modify the vpnserver parameters command, :ipsec peer vpnserver modify name=serv1 xauthpool=pool1, attaches the previously defined pool to the vpnserver, named serv1. Example: in this example pool1 is attached to serv1:
    [ipsec peer vpnserver]=>modify
    name = serv1
    [push_ip] = disabled...
  • Page 195: Delete An Xauthpool Entity

    6.6.5 Delete an xauthpool entity. The ipsec peer vpnserver xauthpool delete command deletes an xauthpool entity. Example: in this example the pool, named pool1, is deleted:
    [ipsec peer vpnserver xauthpool]=>delete
    name = pool1
    :IPSec peer vpnserver xauthpool delete name=pool1
    [ipsec peer vpnserver xauthpool]=>
    The result of this operation is verified with the list command:
    [ipsec peer vpnserver xauthpool]=>list
    [ipsec peer vpnserver xauthpool]=>...
  • Page 196: Xauth User Parameters

    6.6.6 XAuth User parameters. The following table shows the XAuth User parameters (Parameter: Keyword): Pool name: poolname; User name: username; Password: password...
  • Page 197: Create A New Xauth User

    6.6.7 Create a new XAuth user. A new XAuth user is created with the adduser command. Example: in the following example the pool, named pool1, is populated with a new XAuth user, named user1:
    =>ipsec
    [ipsec]=>peer
    [ipsec peer]=>vpnserver
    [ipsec peer vpnserver]=>xauthpool
    [ipsec peer vpnserver xauthpool]=>adduser
    poolname = pool1
    username = user1...
  • Page 198: Set Or Modify The Password Of An Xauth User

    6.6.8 Set or modify the password of an XAuth user. The ipsec peer vpnserver xauthpool moduser command allows setting or modifying the XAuth user password. Example: in this example, the password of the previously defined user, named user1, is set:
    [ipsec peer vpnserver xauthpool]=>moduser
    poolname = pool1
    username = user1...
  • Page 199: Delete An Xauthuser Entity

    6.6.9 Delete an xauthuser entity. The ipsec peer vpnserver xauthpool deluser command deletes an XAuth user entry from its pool. Example: in this example the user, named user1, is deleted:
    [ipsec peer vpnserver xauthpool]=>deluser
    poolname = pool1
    username = user1
    :IPSec peer vpnserver xauthpool deluser poolname = pool1 username = use
    [ipsec peer vpnserver xauthpool]=>...
  • Page 200: The Default Peer Concept

    6.7 The Default Peer Concept. Why the default peer concept: consider the network configuration shown below.
    [Figure: SpeedTouch620 [1], with a dynamically assigned IP address (via the PPP protocol), connected through a secure tunnel.]
    When the SpeedTouch™ [1] gets its IP address dynamically assigned (e.g. during PPP tunnel setup), a remote IPSec peer cannot know in advance which IP address will be assigned.
  • Page 201 Example: SpeedTouch™ [1] IPSec peer configuration for the connection, applying the default peer concept:
    [ipsec peer]=>add
    name = rempeer2
    :ipsec peer add name=rempeer2
    [ipsec peer]=>modify
    name = rempeer2
    [remoteaddr] = 40.0.0.2
    [backupaddr] =
    [exchmode] = main
    [localid] =
    [remoteid] = (addr)40.0.0.2
    [phyif] = DIALUP_PPPOE
    [descr] = AES_MD5
    [auth] = secret1...
  • Page 202: One Peer - Multiple Connections

    6.8 One Peer - Multiple Connections. Multiple tunnels: to set up a Phase 2 tunnel, a Phase 1 IKE tunnel is required first. The signalling messages that negotiate the Phase 2 tunnel are transferred via this Phase 1 tunnel.
  • Page 203: Peer Options

    6.9 Peer Options. Options list: the peer options alter the behaviour of the VPN network. Options to be applied to Peer entities are stored in named Option Lists. An Option List contains the following options:
    Local Address
    NAT-Traversal
    Dead Peer Detection
    DPD Idle Period
    DPD number of Transmits...
  • Page 204 Dead Peer Detection: The SpeedTouch™ supports the Dead Peer Detection protocol. By default, the use of this protocol is enabled. This option allows the use of the DPD protocol to be disabled. (This page also describes the DPD Idle Period, DPD number of Transmits, DPD Timeout and Tunnel inactivity timeout options.)
  • Page 205: List All Peer Options Lists

    6.9.1 List all Peer Options lists. The ipsec peer options list command shows all previously created options lists. Example: in the following example, a list of all previously created options is shown.
    =>ipsec
    [ipsec]=>peer
    [ipsec peer]=>options
    [ipsec peer options]=>list
    [opt1]
    Local address : <unset>...
    [ipsec peer options]=>
  • Page 206: Create A Peer Options List

    6.9.2 Create a Peer Options list. A new Peer Options list is created with the ipsec peer options add command. Example: in the following example, a new options list is created, named opt1:
    [ipsec]=>
    [ipsec]=>peer
    [ipsec peer]=>options
    [ipsec peer options]=>add
    name = opt1
    :ipsec peer options add name=opt1
    [ipsec peer options]=>...
  • Page 207: Set Or Modify The Peer Option List Parameters

    6.9.3 Set or modify the Peer Option list parameters. The ipsec peer options modify command sets or modifies the options list parameters. Example: in the following example, the options list parameters are modified.
    [ipsec peer options]=>modify
    name = opt1
    [localaddr] = 10.0.0.138
    [nat-t] = enabled [nat-t] = disabled
    [dpd] = disabled [dpd] = enabled...
  • Page 208: Delete A Peer Options List

    6.9.4 Delete a Peer Options list. The ipsec peer options delete command deletes a Peer Options list. Example: in the following example the options list, named opt1, is deleted.
    [ipsec peer options]=>delete
    name = opt1
    :ipsec peer options delete name=opt1
    [ipsec peer options]=>...
  • Page 209: Connection Options

    6.10 Connection Options. Options list: the connection options alter the behaviour of the VPN network. Options to be applied to Connections are stored in named Option Lists. An Option List contains the following options:
    IPSec routing mode
    Virtual interface
    DF bit
    Minimal MTU
    Add route...
  • Page 210 Don’t Fragment bit [force_df]: IPSec encryption increases the packet length. When the MTU of a link is adjusted to pass the largest IP packet unfragmented, messages encapsulated by IPSec will not pass if the Don’t Fragment bit is set. (This page also describes the Minimal MTU [min_mtu] and Add Route [add_route] options.)
  • Page 211: List All Connection Options Lists

    6.10.1 List all Connection Options lists. The ipsec connection options list command shows all previously created options lists. Example: in the following example, all previously created options are listed.
    [ipsec]=>connection
    [ipsec connection]=>options
    [ipsec connection options]=>list
    [opt1]
    mode : non routed
    Virtual IF : <unset>...
    [ipsec connection options]=>
  • Page 212: Create A Connection Options List

    6.10.2 Create a Connection Options list. The ipsec connection options add command creates a new options list. Example: in the following example, a new options list is created, named copt1:
    [ipsec]=>
    [ipsec]=>connection
    [ipsec connection]=>options
    [ipsec connection options]=>add
    name = copt1
    :ipsec connection options add name=copt1
    [ipsec connection options]=>...
  • Page 213: Set Or Modify The Connection Option List Parameters

    6.10.3 Set or modify the Connection Option list parameters. The ipsec connection options modify command sets or modifies the options list parameters. Example: in the following example, the options list parameters are modified.
    =>ipsec
    [ipsec]=>connection
    [ipsec connection]=>options
    [ipsec connection options]=>modify
    name = copt1
    [virtual_if] = anystring
    [force_df] = pass [force_df] = pass...
  • Page 214: Delete An Options List

    6.10.4 Delete an Options list. The ipsec connection options delete command deletes a previously created options list. Example: in the following example the options list, named copt1, is deleted.
    [ipsec connection options]=>delete
    name = copt1
    :ipsec connection options delete name=opt1
    [ipsec connection options]=>...
  • Page 215: Advanced Connection

    6.11 Advanced Connection. Introduction: the Advanced command group is a sub-group of the Connection command group. It allows additional connection settings in order to take full advantage of the dynamic policy capabilities of the SpeedTouch™. Parameters table: the table below lists parameters that have enhanced functionality with respect to the basic Connection commands: Local network...
  • Page 216 Local network [localnetwork]: This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. This is a basic parameter for the dynamic IPSec policy capabilities of the SpeedTouch™. (This page also describes Remote network [remotenetwork].)
  • Page 217 Local match [localmatch]: This setting is relevant in responder mode only. It is optionally filled out. In a basic configuration it is left unset. When unset, the SpeedTouch™ uses its dynamic IPSec policy capabilities to complete this field. The ipsec connection advanced command group allows manual control over this parameter.
  • Page 218 Remote match [remotematch]: This setting is relevant in responder mode only. It is optionally filled out. In a basic configuration it is left unset. When unset, the SpeedTouch™ uses its dynamic IPSec policy capabilities to complete this field. The ipsec connection advanced command group allows manual control over this parameter.
  • Page 219 Local selector [localselector]: The local selector expresses a static IPSec policy for access to the IPSec tunnel at the local end. This setting can optionally be filled out manually. In a basic configuration it is left unset. In that case, the SpeedTouch™ uses its dynamic policy capabilities to derive a static policy as a result of the Phase 2 negotiation.
  • Page 222: Need More Help

    Need more help? Additional help is available online at www.speedtouch.com...

This manual is also suitable for:

Speedtouch 620
