HPE FlexNetwork HSR6600 Security Configuration Manual
HPE FlexNetwork HSR6600 Routers
Comware 7 Security Configuration Guide
Part number: 5200-3483
Software version: HSR6602-CMW710-R7607
Document version: 6W100-20170412

Summary of Contents for HPE FlexNetwork HSR6600

  • Page 2 © Copyright 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents
    Configuring AAA ... 1
      Overview ... 1
        RADIUS ... 2
        HWTACACS ... 6
        LDAP ... 9
        AAA implementation on the device ... 12
        AAA for MPLS L3VPNs ... 14
        Protocols and standards ... 14
        RADIUS attributes ... 14
      FIPS compliance ... 17
      AAA configuration considerations and task list ...
  • Page 4
    Portal configuration task list ... 89
    Configuration prerequisites ... 90
    Configuring a portal authentication server ... 90
    Configuring a portal Web server ... 91
    Enabling portal authentication ... 92
      Configuration restrictions and guidelines ... 93
      Configuration procedure ... 93
    Specifying a portal Web server ... 93
    Controlling portal user access ...
  • Page 5
    Troubleshooting portal ... 160
      No portal authentication page is pushed for users ... 160
      Cannot log out portal users on the access device ... 160
      Cannot log out portal users on the RADIUS server ... 161
      Users logged out by the access device still exist on the portal authentication server ... 161
      Re-DHCP portal authenticated users cannot log in successfully ...
  • Page 6
    PKI architecture ... 193
    PKI operation ... 193
    PKI applications ... 194
    Support for MPLS L3VPN ... 194
    FIPS compliance ... 195
    PKI configuration task list ... 195
    Configuring a PKI entity ... 195
    Configuring a PKI domain ... 196
    Requesting a certificate ... 198
      Configuration guidelines ...
  • Page 7
    Enabling logging for IPsec packets ... 252
    Configuring the DF bit of IPsec packets ... 252
    Configuring IPsec RRI ... 253
    Configuring IPsec for IPv6 routing protocols ... 254
      Configuration task list ... 254
      Configuring a manual IPsec profile ... 254
    Configuring IPsec for tunnels ...
  • Page 8
    Configuring an IKEv2 policy ... 323
    Configuring an IKEv2 proposal ... 324
    Configuring an IKEv2 keychain ... 325
    Configure global IKEv2 parameters ... 326
      Enabling the cookie challenging feature ... 326
      Configuring the IKEv2 DPD feature ... 326
      Configuring the IKEv2 NAT keepalive feature ... 327
      Configuring IKEv2 address pools ...
  • Page 9
    Specifying the source IP address for SFTP packets ... 384
    Establishing a connection to an SFTP server ... 385
    Working with SFTP directories ... 386
    Working with SFTP files ... 387
    Displaying help information ... 387
    Terminating the connection with the SFTP server ... 387
    Configuring the device as an SCP client ...
  • Page 10
    Configuring SSL VPN access control ... 439
      About SSL VPN access control ... 439
      Restrictions and guidelines ... 441
      Procedure ... 441
    Configuring VRF-aware SSL VPN ... 442
      Associating an SSL VPN context with a VPN instance ... 442
      Specifying a VPN instance for an SSL VPN gateway ... 442
    Configuring HTTP redirection ...
  • Page 11
    Session management task list ... 482
    Setting the session aging time for different protocol states ... 482
    Setting the session aging time for different application layer protocols or applications ... 483
    Specifying persistent sessions ... 484
    Enabling session statistics collection for software fast forwarding ... 485
    Enabling top session statistics ...
  • Page 12
    Client verification ... 512
      TCP client verification ... 512
      DNS client verification ... 515
      HTTP client verification ... 515
    Attack detection and prevention configuration task list ... 516
    Configuring an attack defense policy ... 517
      Creating an attack defense policy ... 517
      Configuring a single-packet attack defense policy ...
  • Page 13
    uRPF check modes ... 555
    Features ... 555
    uRPF operation ... 556
    Network application ... 559
    Enabling uRPF ... 559
    Displaying and maintaining uRPF ... 560
    uRPF configuration examples ... 560
      uRPF configuration example for interfaces ... 560
      uRPF configuration example for security zones ... 561
    Configuring IPv6 uRPF ...
  • Page 14
    Documentation feedback ... 588
    Index ... 590
  • Page 15: Configuring Aaa

    Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions: • Authentication—Identifies users and verifies their validity. • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 16: Radius

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 17 Basic RADIUS packet exchange process. Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. [Figure 3: Basic RADIUS packet exchange process] RADIUS uses the following workflow: 1. The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 18 [Figure 4: RADIUS packet format] Descriptions of the fields are as follows:
    • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.
    Table 1 Main values of the Code field (columns: Code, Packet type, Description) ...
  • Page 19 Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. For more information, see "Commonly used standard RADIUS attributes."
    Table 2 Commonly used RADIUS attributes (two columns of attribute names):
    User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port, ...
    Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, ...
  • Page 20: Hwtacacs

    Table 2 (continued, two columns of attribute names):
    Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id
    Tunnel-Assignment-id, Tunnel-Preference, ARAP-Challenge-Response, Acct-Interim-Interval, Acct-Tunnel-Packets-Lost, NAS-Port-Id, Framed-Pool, (unassigned), Tunnel-Client-Auth-id, Tunnel-Server-Auth-id
    Extended RADIUS attributes
    The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes. The extended attributes can implement functions that the standard RADIUS protocol does not provide.
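The packet layout of pages 18 to 20 (Code field, Type/Length/Value attributes, the nested Vendor-Specific attribute 26) and the role of the shared key, as an added worked example that is not part of the HPE manual. It builds an Access-Request the way a NAS would, hides the password per RFC 2865, and verifies an Access-Accept's Response Authenticator the way the RADIUS client must before trusting it. The username, password, shared key and NAS address are constructed inputs; the vendor ID 25506 is an assumption about the ID Comware devices use for their vendor-specific attributes, not a value taken from the manual.

```python
"""Added example, not from the HPE manual: build, parse and verify RFC 2865 RADIUS packets.
All inputs (username, password, shared key, NAS address) are constructed; the vendor ID
used for the Vendor-Specific attribute is an assumption, not taken from the manual."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, VENDOR_SPECIFIC = 18, 26
ASSUMED_VENDOR_ID = 25506  # assumption: the vendor ID Comware devices use for their VSAs


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous
    block), the first block using the Request Authenticator. Only this attribute is hidden;
    every other attribute, User-Name included, crosses the wire in clear."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """The server-side inverse; a wrong shared key yields garbage, not an error."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Each attribute is Type(1) Length(1, counting these two bytes) Value(<= 253 bytes)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) followed by a nested Type/Length/Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return (VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")  # never read past the buffer
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(packet):
    """Returns (code, identifier, authenticator, attributes) after checking the Length field."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the packet size")
    return code, ident, packet[4:20], decode_attrs(packet[20:])


def build_access_request(ident, username, password, secret, nas_ip, nas_port, request_authenticator):
    """Code 1; a real client draws the 16-byte Request Authenticator from a CSPRNG."""
    body = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_authenticator)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + request_authenticator + body


def response_authenticator(code, ident, body, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the only integrity check on a
    reply, so a guessable shared key lets an attacker forge Access-Accept packets."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def build_response(code, ident, attrs, request_authenticator, secret):
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_authenticator, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_response(packet, request_authenticator, secret):
    """What the client must do before trusting a reply; compare in constant time."""
    code, ident, auth, _ = parse_packet(packet)
    expected = response_authenticator(code, ident, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(auth, expected)
```

The shared key configured with the `key { cipher | simple } string` option of the server commands in a RADIUS scheme is the only secret in this arithmetic: it hides User-Password and authenticates replies, nothing more. Use a long random key per server, and keep in mind that everything else in the packet, including the username and any authorization attributes returned in the Access-Accept, is readable by anyone on the path.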
  • Page 21 ... after passing authentication and obtaining authorized rights, a user logs in to the device and performs operations. The HWTACACS server records the operations that each user performs. Differences between HWTACACS and RADIUS: HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys to protect the exchange (RADIUS uses the key only to hide the User-Password attribute and to authenticate replies, whereas HWTACACS encrypts the whole packet body), and providing flexibility and scalability.
  • Page 22 [Figure 6: Basic HWTACACS packet exchange process for a Telnet user (host, HWTACACS client, HWTACACS server)]
    1. The user tries to log in.
    2. Start-authentication packet.
    3. Authentication response requesting the username.
    4. Request for username.
    5. The user enters the username.
    6. Continue-authentication packet with the username.
    7. Authentication response requesting the password.
    8. Request for password ...
  • Page 23: Ldap

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
    11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
    12. ...
  • Page 24
    • Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.
    • Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
  • Page 25 The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound.
  • Page 26: Aaa Implementation On The Device

    The LDAP client sends an authorization search request with the username of the Telnet user to the LDAP server. If the user uses the same LDAP server for authentication and authorization, the client sends the request with the saved user DN of the Telnet user to the LDAP server. After receiving the request, the LDAP server searches for the user information by the base DN, search scope, filtering conditions, and LDAP attributes.
  • Page 27 user. The NAS also uses the methods configured for the access type in the domain to control the user's access. AAA also supports configuring a set of default methods for an ISP domain. These default methods are applied to users for which no AAA methods are configured. The device supports the following authentication methods: •...
  • Page 28: Aaa For Mpls L3Vpns

    • User role authentication—Authenticates each user that wants to obtain another user role without logging out or getting disconnected. For more information about user role authentication, see Fundamentals Configuration Guide. AAA for MPLS L3VPNs You can deploy AAA across VPNs in an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated.
  • Page 29
    Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.
    NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 30
    NAS-Port-Type: Type of the physical port of the NAS that is authenticating the user. Possible values include:
    • 15: Ethernet.
    • 16: Any type of ADSL.
    • 17: Cable (with cable for cable TV).
    • 19: WLAN-IEEE 802.11.
    • 201: VLAN. If the port is an Ethernet one and VLANs are implemented on it, the value of this attribute is 201.
  • Page 31: Fips Compliance

    Subattribute descriptions (continued):
    Ftp_Directory: FTP, SFTP, or SCP user working directory. When the RADIUS client acts as the FTP, SFTP, or SCP server, this attribute is used to set the working directory for an FTP, SFTP, or SCP user on the RADIUS client.
    Exec_Privilege: EXEC user priority.
  • Page 32 Remote authentication: Configure the required RADIUS, HWTACACS, and LDAP schemes. Configure AAA methods for the users' ISP domains. Remote AAA methods need to use the configured RADIUS, HWTACACS, and LDAP schemes. [Figure 11: AAA configuration procedure. Local AAA branch: configure local users and related attributes, and configure AAA methods for different types of users and/or the default methods for all ...]
  • Page 33: Configuring Aaa Schemes

    Configuring AAA schemes This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes, and LDAP schemes. Configuring local users To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device.
  • Page 34 You can configure a password control attribute in system view, user group view, or local user view. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control."...
  • Page 35 Step: Assign services to the user.
    Command:
    • For a network access user: service-type { advpn | ike | ipoe | lan-access | portal | ppp | sslvpn }
    • For a device management user: ...
    Remarks: By default, no services are authorized to a local user.
  • Page 36 Step: (Optional.) Configure password control attributes for the local user.
    Command:
    • Set the password aging time: password-control aging aging-time
    • Set the minimum password length: password-control length length
    • Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]
    Remarks: By default, the local user uses the password control attributes of the user group ...
  • Page 37 Step: Configure authorization attributes for the user group.
    Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ...
    Remarks: By default, no authorization attributes are configured for a group.
  • Page 38 Local guest attributes (Step / Command / Remarks):
    • Specify the name of the local guest: full-name name-string. By default, no name is specified for a local guest.
    • Specify the company of the local guest: company company-name. By default, no company is specified for a local guest.
    • Specify the phone number of the local guest: phone phone-number. By default, no phone number ...
  • Page 39 Local guest email notifications (Step / Command / Remarks):
    • Configure the subject and body of email notifications: local-guest email format to { guest | sponsor } { body body-string | subject sub-string }. By default, no subject and body are configured.
    • Configure the email sender address in the email ...: local-guest email sender ... By default, no email sender address is configured for the email ...
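The precedence rule of page 34 (a password control attribute set in local user view beats the user group setting, which beats the system view setting) and the three attributes of page 36, as an added example that is not the manual's own code. It merges the three scopes the way the text describes and then checks a candidate password against the merged policy. The system view defaults used here (90 days, 10 characters, one type, one character per type) and the reading of type-length as a minimum count for each character type the password actually uses are assumptions; confirm them with display password-control on the device.

```python
"""Added example, not from the HPE manual: merge password-control attributes across scopes
and check a password against the result. Defaults and composition semantics are assumed."""
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordControl:
    aging: Optional[int] = None        # password-control aging <days>
    length: Optional[int] = None       # password-control length <chars>
    type_number: Optional[int] = None  # password-control composition type-number <n>
    type_length: Optional[int] = None  # password-control composition ... type-length <n>


# Assumed system view defaults for this model; not taken from the excerpt.
SYSTEM_DEFAULTS = PasswordControl(aging=90, length=10, type_number=1, type_length=1)


def effective_policy(local_user: PasswordControl, user_group: PasswordControl,
                     system: PasswordControl = SYSTEM_DEFAULTS) -> PasswordControl:
    """Narrowest scope wins per attribute: an attribute left unset (None) in local user view
    falls through to the user group, and from there to system view."""
    merged = PasswordControl()
    for name in ("aging", "length", "type_number", "type_length"):
        for scope in (local_user, user_group, system):
            value = getattr(scope, name)
            if value is not None:
                setattr(merged, name, value)
                break
    return merged


CHARACTER_TYPES = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
                   "digit": string.digits}


def check_password(password: str, policy: PasswordControl) -> List[str]:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.length:
        problems.append(f"length {len(password)} < minimum {policy.length}")
    counts = {name: sum(c in chars for c in password) for name, chars in CHARACTER_TYPES.items()}
    counts["special"] = sum(not c.isalnum() for c in password)  # anything else counts as special
    used = {name: n for name, n in counts.items() if n > 0}
    if len(used) < policy.type_number:
        problems.append(f"{len(used)} character type(s) < required {policy.type_number}")
    short = [name for name, n in used.items() if n < policy.type_length]
    if short:
        problems.append(f"fewer than {policy.type_length} characters of type(s): {', '.join(short)}")
    return problems
```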
  • Page 40: Configuring Radius Schemes

    Configuring RADIUS schemes A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters. The device uses the parameters to exchange information with the RADIUS servers, including the server IP addresses, UDP port numbers, shared keys, and server types. Configuration task list Tasks at a glance (Optional.)
  • Page 41
    • The RADIUS server is manually set to the blocked state.
    • The RADIUS scheme is deleted.
    To configure a test profile for RADIUS server status detection:
    1. Enter system view: system-view
    2. Configure a test profile for detecting the status of RADIUS servers: radius-server test-profile profile-name username name ... By default, no test profiles exist.
  • Page 42 Step: Specify RADIUS authentication servers.
    Command (primary server): primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | ...
    Remarks: By default, no authentication servers are specified. To support server status detection, specify an existing test profile for the RADIUS authentication server.
  • Page 43 Step: Specify RADIUS accounting servers.
    Command (primary server): primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
    Remarks: By default, no accounting servers are specified. Two accounting servers in a scheme, primary or ...
  • Page 44 Step: Specify a VPN instance for the RADIUS scheme.
    Command: vpn-instance vpn-instance-name
    Remarks: By default, a RADIUS scheme belongs to the public network.
    Setting the username format and traffic statistics units
    A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
  • Page 45 Setting the status of RADIUS servers To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers. The secondary servers function as the backup of the primary server.
  • Page 46 Step: Set the status of RADIUS servers.
    Command:
    • Set the status of the primary RADIUS authentication server: state primary authentication { active | block }
    • Set the status of the primary RADIUS accounting server: state primary accounting { active | block }
    Remarks: By default, a RADIUS server is in active state.
  • Page 47 Step: Specify a source IP address for outgoing RADIUS packets.
    Command: radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
    Remarks: By default, the IP address of the RADIUS packet outbound interface is used as the source IP address.
  • Page 48
    1. Enter system view: system-view
    2. Enter RADIUS scheme view: radius scheme radius-scheme-name
    3. Set the RADIUS server response timeout timer: timer response-timeout seconds. The default setting is 3 seconds.
    4. Set the quiet timer for the servers: timer quiet minutes. The default setting is 5 minutes.
  • Page 49
    1. Enter system view: system-view
    2. Enter RADIUS scheme view: radius scheme radius-scheme-name
    3. Interpret the RADIUS class attribute as CAR parameters: attribute 25 car. By default, the RADIUS class attribute is not interpreted as CAR parameters.
    Configuring the Login-Service attribute check method for SSH, FTP, and terminal users
    The device supports the following check methods for the Login-Service attribute (RADIUS attribute 15) of SSH, FTP, and terminal users: • ...
  • Page 50: Configuring Hwtacacs Schemes

    Enabling SNMP notifications for RADIUS When SNMP notifications are enabled for RADIUS, the SNMP agent supports the following notifications generated by RADIUS: • RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it does not receive a response to an accounting or authentication request within the specified number of RADIUS request transmission attempts.
  • Page 51 Tasks at a glance (Optional.) Setting HWTACACS timers (Optional.) Displaying and maintaining HWTACACS Creating an HWTACACS scheme Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure a maximum of 16 HWTACACS schemes. An HWTACACS scheme can be used by multiple ISP domains.
  • Page 52 If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time. To specify HWTACACS authorization servers for an HWTACACS scheme: Step Command Remarks...
  • Page 53 Step: Specify HWTACACS accounting servers.
    Command (primary server): primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
    Remarks: By default, no accounting servers are specified. Two HWTACACS accounting servers in a scheme, primary or ...
  • Page 54 Setting the username format and traffic statistics units A username is typically in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name. By default, the ISP domain name is included in a username. If HWTACACS servers do not recognize usernames that contain ISP domain names, you can configure the device to send usernames without domain names to the servers.
  • Page 55
    1. Enter system view: system-view
    2. Specify a source IP address for outgoing HWTACACS packets: hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]. By default, the IP address of the HWTACACS packet outbound interface is used as the source IP ...
  • Page 56 • When the quiet timer of a server expires, the status of the server changes back to active. The device does not check the server again during the authentication, authorization, or accounting process. • When you remove a server in use, communication with the server times out. The device looks for a server in active state by first checking the primary server, and then checking secondary servers in the order they are configured.
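The server selection and timer behaviour described on pages 45 to 48 for RADIUS and on page 56 for HWTACACS (primary first, then secondaries in configured order; a server that stops answering is marked blocked and skipped until its quiet timer expires, after which it is active again), modeled as an added example that is not device code. Its purpose is to make the login delay during a server outage visible: every unreachable server costs the full retransmission budget before the device moves on. One assumption is that each server is tried retries times with response-timeout seconds per attempt (the excerpt shows the timers but not the retry command, whose default I take to be 3); another is that a reachable server answers at once.

```python
"""Added example, not from the HPE manual: a model of AAA server selection with the active/block
states, the response timeout and the quiet timer. Retry count and instant replies are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Server:
    name: str
    reachable: bool = True     # simulated network condition, not device configuration
    state: str = "active"      # "active" or "block", as in `state primary ... { active | block }`
    quiet_until: float = 0.0   # simulated time at which a blocked server becomes active again


@dataclass
class Scheme:
    servers: List[Server]          # primary first, then secondaries in configured order
    response_timeout: float = 3.0  # timer response-timeout, default 3 seconds
    retries: int = 3               # assumed retry value, not shown in the excerpt
    quiet: float = 5 * 60          # timer quiet, default 5 minutes


@dataclass
class Clock:
    now: float = 0.0               # simulated seconds


def select_server(scheme: Scheme, clock: Clock) -> Optional[Server]:
    """First usable server in configured order; a blocked server whose quiet timer has
    expired is returned to the active state on the way."""
    for server in scheme.servers:
        if server.state == "block" and clock.now >= server.quiet_until:
            server.state = "active"
        if server.state == "active":
            return server
    return None


def authenticate(scheme: Scheme, clock: Clock) -> Tuple[Optional[str], float]:
    """Walk the servers as the device does. Returns (name of the server that answered, or None
    when every server is blocked, and the seconds the user waited for that outcome)."""
    start = clock.now
    while True:
        server = select_server(scheme, clock)
        if server is None:
            return None, clock.now - start   # the next method in the domain (local, none) is tried
        if server.reachable:
            return server.name, clock.now - start
        clock.now += scheme.response_timeout * scheme.retries  # every attempt timed out
        server.state = "block"
        server.quiet_until = clock.now + scheme.quiet
```

With the defaults, a scheme whose primary is down adds 9 seconds to the first login and nothing to the following ones until the quiet timer expires; with two dead servers the device waits 18 seconds before it reaches the next method in the ISP domain. That next method is what decides whether an outage fails closed or open: a method list that ends in none grants access once the servers are exhausted, so prefer local as the fallback and keep the local accounts under the password control described above.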
  • Page 57: Configuring Ldap Schemes

    Configuring LDAP schemes
    Configuration task list
    Tasks at a glance
    Configuring an LDAP server:
    • (Required.) Creating an LDAP server
    • (Required.) Configuring the IP address of the LDAP server
    • (Optional.) Specifying the LDAP version
    • (Optional.) Setting the LDAP server timeout period
    • ...
  • Page 58 Step: Specify the LDAP version.
    Command: protocol-version { v2 | v3 }
    Remarks: By default, LDAPv3 is used. A Microsoft LDAP server supports only LDAPv3.
    Setting the LDAP server timeout period
    If the device sends a bind or search request to an LDAP server without receiving the server's response within the server timeout period, the authentication or authorization request times out.
  • Page 59 • Username format. • User object class. If the LDAP server contains many directory levels, a user DN search starting from the root directory can take a long time. To improve efficiency, you can change the start point by specifying the search base DN.
  • Page 60 Step: Configure a mapping entry.
    Command: map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute { user-group | user-profile }
    Remarks: By default, an LDAP attribute map does not have any mapping entries. Repeat this command to configure multiple mapping entries.
    Creating an LDAP scheme
    You can configure a maximum of 16 LDAP schemes.
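The LDAP flow of pages 24 to 26 (administrator bind, user DN search, a bind attempt with each candidate DN until one succeeds, then the authorization search with the saved user DN) together with the prefix/delimiter attribute map of page 60, as an added in-memory model that is not the manual's or the device's code. The directory contents are constructed, with two entries sharing the same uid so that the client has to try a second DN as the text describes. The extraction rule implemented for the map (keep the text after prefix up to the first delimiter; ignore values that do not carry the prefix) is my reading of the command syntax, not a statement of the device's exact behaviour.

```python
"""Added example, not from the HPE manual: in-memory model of LDAP authentication (admin bind,
DN search, per-DN bind) and authorization (attribute map to user-group). Directory data is
constructed; the prefix/delimiter extraction rule is assumed from the command syntax."""
import hmac
from typing import Dict, List, Optional, Tuple

DIRECTORY = {  # constructed sample data: DN -> attributes
    "cn=admin,dc=example,dc=com": {"userPassword": "admin-pw"},
    "uid=alice,ou=ops,dc=example,dc=com": {
        "uid": "alice", "userPassword": "alice-pw",
        "memberOf": ["CN=netadmins,OU=groups,DC=example,DC=com",
                     "CN=vpn-users,OU=groups,DC=example,DC=com"]},
    "uid=alice,ou=contractors,dc=example,dc=com": {
        "uid": "alice", "userPassword": "contractor-pw",
        "memberOf": ["CN=guests,OU=groups,DC=example,DC=com",
                     "uid=bob,ou=people,dc=example,dc=com"]},  # no CN= prefix: not a group
}


class LdapServer:
    """Just enough of an LDAP server to answer bind and search requests."""
    def __init__(self, directory: Dict[str, dict]):
        self.directory = {dn.lower(): attrs for dn, attrs in directory.items()}

    def bind(self, dn: str, password: str) -> bool:
        entry = self.directory.get(dn.lower())
        return entry is not None and hmac.compare_digest(entry.get("userPassword", ""), password)

    def search(self, base_dn: str, attribute: str, value: str) -> List[str]:
        """Subtree search under base_dn for entries whose attribute equals value."""
        base = base_dn.lower()
        return [dn for dn, attrs in self.directory.items()
                if dn.endswith(base) and attrs.get(attribute) == value]

    def entry(self, dn: str) -> dict:
        return self.directory.get(dn.lower(), {})


def ldap_authenticate(server: LdapServer, login_dn: str, login_password: str, search_base_dn: str,
                      username_attribute: str, username: str, password: str) -> Tuple[Optional[str], str]:
    """Returns (user DN that bound successfully or None, reason)."""
    if not server.bind(login_dn, login_password):                 # 1. administrator DN bind
        return None, "administrator bind failed"
    candidates = server.search(search_base_dn, username_attribute, username)  # 2. user DN list
    if not candidates:
        return None, "no DN matched the username"
    for dn in candidates:                                          # 3. bind with each DN in turn
        if server.bind(dn, password):
            return dn, "ok"
    return None, "all user DN binds failed"


def map_ldap_attribute(values: List[str], prefix: Optional[str] = None,
                       delimiter: Optional[str] = None) -> List[str]:
    """Model of `map ldap-attribute <name> [prefix P delimiter D] aaa-attribute user-group`."""
    mapped = []
    for value in values:
        if prefix is not None:
            if not value.startswith(prefix):
                continue                                           # assumption: unmatched values are dropped
            value = value[len(prefix):]
            if delimiter:
                value = value.split(delimiter, 1)[0]
        mapped.append(value)
    return mapped


def ldap_authorize(server: LdapServer, user_dn: str, ldap_attribute: str = "memberOf",
                   prefix: Optional[str] = "CN=", delimiter: Optional[str] = ",") -> dict:
    """Authorization search with the saved user DN, mapped onto the AAA user-group attribute."""
    raw = server.entry(user_dn).get(ldap_attribute, [])
    return {"user-group": map_ldap_attribute(raw, prefix, delimiter)}
```

Two things the model makes concrete: the administrator credentials (login-dn and its password in the LDAP server configuration) are the highest-value secret in this design, because they are what lets the device enumerate DNs, and a search base that is too wide lets an unrelated entry with the same username attribute be tried for binding, which is why the base DN and the username attribute deserve as much care as the password.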
  • Page 61: Configuring Aaa Methods For Isp Domains

    Displaying and maintaining LDAP
    Execute display commands in any view.
    Task: Display the configuration of LDAP schemes. Command: display ldap scheme [ ldap-scheme-name ]
    Configuring AAA methods for ISP domains
    You configure AAA methods for an ISP domain by specifying configured AAA schemes in ISP domain view.
  • Page 62: Configuring Isp Domain Attributes

    • An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command. • You can modify the settings of the system-defined ISP domain system, but you cannot delete the domain.
  • Page 63 Session timeout timer—The device logs off a user when the session timeout timer for the user expires. Authorization IPv6 address prefix—The device authorizes the IPv6 address prefix to authenticated IPoE or PPP users in the domain. IPv6 address pool—The device assigns IPv6 addresses from the pool to authenticated IPoE, portal, or PPP users in the domain.
  • Page 64: Configuring Authentication Methods For An Isp Domain

    Step: Configure authorization attributes for authenticated users in the domain.
    Command: authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] | idle-cut minutes [ flow ] | igmp max-access-number max-access-number | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ...
    Remarks: By default, no authorization ...
  • Page 65 • If the authentication method uses a RADIUS scheme and the authorization method does not use a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server also includes the authorization information, but the device ignores the information.
  • Page 66: Configuring Authorization Methods For An Isp Domain

    Step: Specify authentication methods for portal users. Command: authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }. Remarks: By default, the default authentication methods are used for portal users. The none keyword is not supported in FIPS mode.
  • Page 67 Step: Specify default authorization methods for all types of users. Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | ... Remarks: By default, the authorization method is local. The none keyword is not...
  • Page 68: Configuring Accounting Methods For An Isp Domain

    Step 11: Specify authorization methods for PPP users. Command: authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | ... Remarks: By default, the default authorization methods are used for PPP users.
  • Page 69 Step: Specify the command accounting method. Command: accounting command hwtacacs-scheme hwtacacs-scheme-name. Remarks: By default, the default accounting methods are used for command accounting. Step: Specify accounting ... Command: accounting ipoe { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 ... Remarks: By default, the default accounting methods are used for IPoE users.
  • Page 70: Configuring The Radius Session-Control Feature

    Step 14: Configure access control for users that have used up their data quotas. Command: accounting quota-out { offline | online }. Remarks: By default, the device logs off users that have used up their data quotas. Configuring the RADIUS session-control feature: The RADIUS session-control feature can only work with the RADIUS server running on IMC.
  • Page 71: Changing The Dscp Priority For Radius Packets

    • Disconnect Messages (DMs)—The DAC sends DM requests to the DAS to log off specific online users. • Change of Authorization Messages (CoA Messages)—The DAC sends CoA requests to the DAS to change the authorization information of specific online users. To configure the RADIUS DAS feature: Step Command...
  • Page 72: Configuring A Nas-Id Profile

    Configuring a NAS-ID profile By default, the device sends its device name in the NAS-Identifier attribute of all RADIUS requests. A NAS-ID profile enables you to send different NAS-Identifier attribute strings in RADIUS requests from different VLANs. The strings can be organization names, service names, or any user categorization criteria, depending on the administrative requirements.
  • Page 73: Aaa Configuration Examples

    AAA configuration examples Authentication and authorization for SSH users by a RADIUS server Network requirements As shown in Figure 12, configure the router to meet the following requirements: • Use the RADIUS server for SSH user authentication and authorization. • Include domain names in the usernames sent to the RADIUS server.
  • Page 74 IP address specified by using the nas-ip command. IP address specified by using the radius nas-ip command. IP address of the outbound interface (the default). Figure 13 Adding the router as an access device # Add an account for device management: Click the User tab, and select Access User View >...
  • Page 75 Figure 14 Adding an account for device management Configure the router: # Configure the IP address of interface GigabitEthernet 1/1/1, through which the SSH user accesses the router. <Router> system-view [Router] interface gigabitethernet 1/1/1 [Router-GigabitEthernet1/1/1] ip address 192.168.1.70 255.255.255.0 [Router-GigabitEthernet1/1/1] quit # Configure the IP address of interface GigabitEthernet 1/1/2, through which the router communicates with the server.
  • Page 76: Local Authentication And Authorization For Ssh Users

    # Create a RADIUS scheme. [Router] radius scheme rad # Specify the primary authentication server. [Router-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key to expert in plaintext form for secure communication with the server. [Router-radius-rad] key authentication simple expert # Include domain names in the usernames sent to the RADIUS server.
  • Page 77: Aaa For Ssh Users By An Hwtacacs Server

    # Enable the SSH service. [Router] ssh server enable # Enable scheme authentication for user lines VTY 0 through VTY 63. [Router] line vty 0 63 [Router-line-vty0-63] authentication-mode scheme [Router-line-vty0-63] quit # Create a device management user. [Router] local-user ssh class manage # Assign the SSH service for the local user.
  • Page 78 Figure 16 Network diagram Configuration procedure Configure the HWTACACS server: # Set the shared keys to expert for secure communication with the router. (Details not shown.) # Add an account for the SSH user and specify the password. (Details not shown.) Configure the router: # Create an HWTACACS scheme.
  • Page 79: Authentication For Ssh Users By An Ldap Server

    [Router] role default-role enable # Enable scheme authentication for user lines VTY 0 through VTY 63. [Router] line vty 0 63 [Router-line-vty0-63] authentication-mode scheme [Router-line-vty0-63] quit # Configure the IP address of interface GigabitEthernet 1/1/1, through which the SSH user accesses the router.
  • Page 80 NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory. # Add a user named aaa and set the password to ldap!123456: a. On the LDAP server, select Start > Control Panel > Administrative Tools. b. Double-click Active Directory Users and Computers. The Active Directory Users and Computers window is displayed.
  • Page 81 Figure 19 Setting the user's password g. Click OK. # Add user aaa to group Users: h. From the navigation tree, click Users under the ldap.com node. i. In the right pane, right-click user aaa and select Properties. j. In the dialog box, click the Member Of tab and click Add.
  • Page 82 Figure 20 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 21 Adding user aaa to group Users # Set the administrator password to admin!123456: a.
  • Page 83 # Configure the IP address of interface GigabitEthernet 1/1/1, through which the SSH user accesses the router. <Router> system-view [Router] interface gigabitethernet 1/1/1 [Router-GigabitEthernet1/1/1] ip address 192.168.1.20 24 [Router-GigabitEthernet1/1/1] quit # Configure the IP address of interface GigabitEthernet 1/1/2, through which the router communicates with the server.
  • Page 84: Authentication And Authorization For Ssl Vpn Users By An Ldap Server

    Verifying the configuration # Initiate an SSH connection to the router, and enter username aaa@bbb and password ldap!123456. The user logs in to the router. (Details not shown.) # Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.) Authentication and authorization for SSL VPN users by an LDAP server...
  • Page 85 Figure 23 Adding user aaa f. In the dialog box, enter password ldap!123456, select options as needed, and click Next. Figure 24 Setting the user's password g. Click OK. # Add user aaa to group Users: h. From the navigation tree, click Users under the ldap.com node. i.
  • Page 86 Figure 25 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 26 Adding user aaa to group Users # Set the administrator password to admin!123456: a.
  • Page 87 # Configure the IP address of interface GigabitEthernet 1/1/1, which is connected to the SSL VPN user. <Router> system-view [Router] interface gigabitethernet 1/1/1 [Router-GigabitEthernet1/1/1] ip address 192.168.1.70 24 [Router-GigabitEthernet1/1/1] quit # Configure the IP address of interface GigabitEthernet 1/1/2, which is connected to the LDAP server.
  • Page 88 # Specify the administrator password. [Router-ldap-server-ldap1] login-password simple admin!123456 # Configure the base DN for user search. [Router-ldap-server-ldap1] search-base-dn dc=ldap,dc=com [Router-ldap-server-ldap1] quit # Create an LDAP attribute map named test. [Router] ldap attribute-map test # Map a partial value string of the LDAP attribute named memberof to AAA attribute named user-group.
  • Page 89: Aaa For Ppp Users By An Hwtacacs Server

    AAA for PPP users by an HWTACACS server Network requirements As shown in Figure • Router A uses the HWTACACS server to perform PAP authentication for users from Router B. • The HWTACACS server is also the authorization server and accounting server of Router B. •...
  • Page 90: Local Guest Configuration And Management Example

    [RouterA-isp-bbb] authorization ppp hwtacacs-scheme hwtac [RouterA-isp-bbb] accounting ppp hwtacacs-scheme hwtac [RouterA-isp-bbb] quit # Enable PPP encapsulation on Serial 1/1/0. [RouterA] interface serial 1/1/0 [RouterA-Serial1/1/0] link-protocol ppp # Configure Serial 1/1/0 to authenticate the peer by using PAP in authentication domain bbb. [RouterA-Serial1/1/0] ppp authentication-mode pap domain bbb # Configure the IP address of Serial 1/1/0.
  • Page 91 Figure 28 Network diagram Configuration procedure Manage local guests: # Enable the guest auto-delete feature for expired local guests. <Router> system-view [Router] local-guest auto-delete enable # Specify an SMTP server to send local guest email notifications. [Router] local-guest email smtp-server smtp://192.168.0.112/smtp # Specify the email sender address as bbb@ccc.com in the email notifications sent by the device for local guests.
  • Page 92: Troubleshooting Radius

    # Specify the guest sponsor name as Sam. [Router-luser-network(guest)-user1] sponsor-full-name Sam # Configure the email address of the guest sponsor. [Router-luser-network(guest)-user1] sponsor-email Sam@aa.com # Configure the department of the guest sponsor as security. [Router-luser-network(guest)-user1] sponsor-department security [Router-luser-network(guest)-user1] quit Configure the device to send guest email notifications: # Send an email notification to the guest sponsor.
  • Page 93: Radius Packet Delivery Failure

    • The user is not configured on the RADIUS server. • The password entered by the user is incorrect. • The RADIUS server and the NAS are configured with different shared keys. Solution To resolve the problem: Verify the following items: The NAS and the RADIUS server can ping each other.
  • Page 94: Troubleshooting Hwtacacs

    • The accounting server IP address configured on the NAS is incorrect. For example, the NAS is configured to use a single server to provide authentication, authorization, and accounting services, but in fact the services are provided by different servers. Solution To resolve the problem: Verify the following items:...
  • Page 95 The user attributes (for example, the username attribute) configured on the NAS are consistent with those configured on the LDAP server. The user search base DN for authentication is specified. If the problem persists, contact Hewlett Packard Enterprise Support.
  • Page 96: Configuring Portal Authentication

    Users can access more network resources after passing security check. Security check must cooperate with the HPE IMC security policy server and the iNode client. Portal system components A typical portal system consists of these basic components: authentication client, access device,...
  • Page 97 Figure 29 Portal system components (authentication clients, access device, portal authentication server, portal Web server, AAA server, and security policy server). An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
  • Page 98: Portal System Using The Local Portal Web Server

    Web browser. When receiving the HTTP or HTTPS request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HPE iNode client for extended portal functions.
  • Page 99: Portal Authentication Modes

    The whole authentication process is finished. NOTE: Portal authentication supports NAT traversal whether it is initiated by a Web client or an HPE iNode client. NAT traversal must be configured when the portal client is on a private network and the portal server is on a public network.
  • Page 100: Portal Authentication Process

    EAP authentication. NOTE: • To use portal authentication that supports EAP, the portal authentication server and client must be the HPE IMC portal server and the HPE iNode portal client. • Local portal authentication does not support EAP authentication.
  • Page 101 If the packet does not match any portal-free rule, the access device redirects the packet to the portal Web server. The portal Web server pushes the Web authentication page to the user for the user to enter a username and password. The portal Web server submits the user authentication information to the portal authentication server.
  • Page 102: Portal Filtering Rules

    Step 1 through step 7 are the same as those in the direct authentication/cross-subnet authentication process. After receiving the authentication success packet, the client obtains a public IP address through DHCP. The client then notifies the portal authentication server that it has a public IP address. The portal authentication server notifies the access device that the client has obtained a public IP address.
  • Page 103: Portal Configuration Task List

    Portal configuration task list Tasks at a glance (Optional.) Configuring a portal authentication server (Required.) Configuring a portal Web server (Required.) Enabling portal authentication (Required.) Specifying a portal Web server (Optional.) Controlling portal user access • Configuring a portal-free rule •...
  • Page 104: Configuration Prerequisites

    Tasks at a glance (Optional.) Configuring portal support for third-party authentication • Editing buttons and pages for third-party authentication • Configuring a third-party authentication server • Specifying an authentication domain for third-party authentication (Optional.) Configuring portal temporary pass Configuration prerequisites The portal feature provides a solution for user identity authentication and security check.
  • Page 105: Configuring A Portal Web Server

    Step: Create a portal authentication server and enter its view. Command: portal server server-name. Remarks: By default, no portal authentication servers exist. Step: Specify an IPv4 portal authentication server, an IPv6 ... Command: To specify an IPv4 portal server: ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]. Remarks: Specify the IP address of...
  • Page 106: Enabling Portal Authentication

    by redirecting specific HTTP or HTTPS requests to specific redirection URLs. If both commands are configured for a portal Web server, the if-match command takes priority to perform URL redirection. The device does not detect the reachability of the redirection URL configured by the if-match command.
  • Page 107: Configuration Restrictions And Guidelines

    Configuration restrictions and guidelines When you enable portal authentication on an interface, follow these restrictions and guidelines: • Make sure the interface has a valid IP address before you enable re-DHCP portal authentication on the interface. • Do not add the Ethernet interface enabled with portal authentication to an aggregation group. Otherwise, portal authentication does not take effect.
  • Page 108: Controlling Portal User Access

    To automatically switch between the primary portal Web server and the backup portal Web server, configure portal Web server detection on both servers. You can specify both IPv4 and IPv6 portal Web servers on an interface. To specify a portal Web server on an interface: Step Command Remarks...
  • Page 109: Configuring An Authentication Source Subnet

    Step: Configure an IPv6-based portal-free rule. Command: portal free-rule rule-number { destination ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] | source ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ]... Remarks: By default, no IPv6-based portal-free rule exists.
  • Page 110: Configuring An Authentication Destination Subnet

    In re-DHCP mode, the access device regards the authentication source subnet on an interface as the subnet to which the private IP address of the interface belongs. • If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnets take effect.
  • Page 111: Setting The Maximum Number Of Portal Users

    To configure an IPv6 portal authentication destination subnet: Step 1: Enter system view. Command: system-view. Step 2: Enter interface view. Command: interface interface-type interface-number. Step 3: Configure an IPv6 portal authentication destination subnet. Command: portal ipv6 free-all except destination ipv6-network-address prefix-length. Remarks: By default, no IPv6 portal authentication destination subnet is configured, and users accessing...
  • Page 112: Specifying A Preauthentication Domain

    With an authentication domain specified on an interface, the device uses the authentication domain for AAA of portal users. This allows for flexible portal access control. The device selects the authentication domain for a portal user in this order: ISP domain specified for the interface. ISP domain carried in the username.
  • Page 113: Specifying A Preauthentication Ip Address Pool For Portal Users

    Step: Enter interface view. Command: interface interface-type interface-number. Step: Specify a preauthentication domain. Command: portal [ ipv6 ] pre-auth domain domain-name. Remarks: By default, no preauthentication domain is specified on an interface. Specifying a preauthentication IP address pool for portal users: You must specify a preauthentication IP address pool on a portal-enabled interface in the following situation: •...
  • Page 114: Enabling Strict-Checking On Portal Authorization Information

    Enabling strict-checking on portal authorization information The strict checking mode allows a portal user to stay online only when the authorized information for the user is successfully deployed on the interface. You can enable strict checking on authorized ACLs, authorized user profiles, or both. If you enable both ACL checking and user profile checking, the user will be logged out if either checking fails.
  • Page 115: Configure Support Of Dual Stack For Portal Authentication

    To enable outgoing packets filtering on a portal-enabled interface: Step 1: Enter system view. Command: system-view. Step 2: Enter interface view. Command: interface interface-type interface-number. Step 3: Enable outgoing packets filtering. Command: portal [ ipv6 ] outbound-filter ... Remarks: By default, outgoing packets filtering is disabled. The interface can send...
  • Page 116: Configuring Portal Authentication Server Detection

    • ARP or ND detection—Sends ARP or ND requests to the user and detects the ARP or ND entry status of the user at configurable intervals. If the ARP or ND entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ARP or ND entry.
  • Page 117: Configuring Portal Web Server Detection

    Only the IMC portal authentication server supports sending heartbeat packets. To test server reachability by detecting heartbeat packets, you must enable the server heartbeat feature on the IMC portal authentication server. You can configure the device to take one or more of the following actions when the server reachability status changes: •...
  • Page 118: Configuring Portal User Synchronization

    • Sending a log message, which contains the name, the current state, and the original state of the portal Web server. • Enabling portal fail-permit. When the portal Web server is unreachable, the portal fail-permit feature on an interface allows users on the interface to have network access. When the server recovers, it resumes portal authentication on the interface.
  • Page 119: Configuring The Portal Fail-Permit Feature

    Step: Enter portal authentication server view. Command: portal server server-name. Step: Configure portal user synchronization. Command: user-sync timeout timeout. Remarks: By default, portal user synchronization is disabled. Configuring the portal fail-permit feature: The portal fail-permit feature takes effect when the portal authentication server or portal Web server is unreachable.
  • Page 120: Specifying A Format For The Nas-Port-Id Attribute

    During a re-DHCP portal authentication or mandatory user logout process, the device sends portal notification packets to the portal authentication server. For the authentication or logout process to complete, make sure the BAS-IP/BAS-IPv6 attribute is the same as the device IP or IPv6 address specified on the portal authentication server.
  • Page 121: Enabling Portal Roaming

    To specify the device ID: Step 1: Enter system view. Command: system-view. Step 2: Specify the device ID. Command: portal device-id device-id. Remarks: By default, a device is not configured with a device ID. Enabling portal roaming: Portal roaming takes effect only on portal users logging in from VLAN interfaces. It does not take effect on portal users logging in from common Layer 3 interfaces.
  • Page 122: Disabling Traffic Accounting For Portal Users

    Disabling traffic accounting for portal users The accounting server might perform time-based or traffic-based accounting, or it might not perform accounting. If the accounting server does not perform traffic-based accounting, disable traffic accounting for portal users on the device. The device will provide quick accounting for portal users, and the traffic statistics will be imprecise.
  • Page 123: Configuring The Local Portal Web Server Feature

    You can apply a NAS-ID profile to a portal-enabled interface. If no NAS-ID profile is specified on the interface or no matching NAS-ID is found in the specified profile, the device uses the device name as the interface NAS-ID. To apply a NAS-ID profile to an interface: Step Command Remarks...
  • Page 124 Table 4 Main authentication page file names: Logon page, logon.htm. Logon success page, logonSuccess.htm. Logon failure page, logonFail.htm. Online page, online.htm (pushed after the user gets online for online notification). System busy page, busy.htm (pushed when the system is busy or the user is in the logon process). Logoff success page, logoffSuccess.htm. Page request rules...
  • Page 125: Configuring A Local Portal Web Server

    • The name of a zip file can contain only letters, numbers, and underscores. • The authentication pages must be placed in the root directory of the zip file. • Zip files can be transferred to the device through FTP or TFTP and must be saved in the root directory of the device.
  • Page 126: Enabling Arp Or Nd Entry Conversion For Portal Clients

    Step: Configure a local portal Web server and enter its view. Command: portal local-web-server { http | https [ ssl-server-policy policy-name ] }. Remarks: By default, no local portal Web servers exist. Step: Specify the default authentication page file for the local portal Web server. Command: default-logon-page filename. Remarks: By default, a default authentication page file exists...
  • Page 127: Configuring Portal Safe-Redirect

    Step 1: Enter system view. Command: system-view. Step 2: Create an SSL server policy and enter its view. Command: ssl server-policy policy-name. Remarks: By default, no SSL server policies exist on the device. The name of the SSL server policy for HTTPS redirect must be https_redirect.
  • Page 128: Configuring The Captive-Bypass Feature

    Step: (Optional.) Specify HTTP request methods permitted by portal safe-redirect. Command: portal safe-redirect method { get | post } *. Remarks: By default, the device can redirect only HTTP requests with the GET method after portal safe-redirect is enabled. By default, no browser types are specified.
  • Page 129: Excluding An Attribute From Portal Protocol Packets

    Step: Enable the captive-bypass feature. Command: captive-bypass [ android | ios [ optimize ] ] enable. Remarks: By default, the captive-bypass feature is disabled. The device automatically pushes the portal authentication page to iOS mobile devices and some Android mobile devices when they are connected to a portal-enabled network.
  • Page 130: Configuring Portal Support For Third-Party Authentication

    Step 1: Enter system view. Command: system-view. Step 2: Enable logging for portal user logins and logouts. Command: portal user log enable. Remarks: By default, portal user login and logout logging is disabled. Step 3: Enable logging for portal protocol packets. Command: portal packet log enable. Remarks: By default, portal protocol packet...
  • Page 131: Configuring A Third-Party Authentication Server

    </html> No special requirements exist in the process of editing an email authentication button. Editing a third-party authentication page You only need to edit the email authentication page. The QQ authentication page is provided by Tencent. When you edit the email authentication page, follow the rules in "Customizing authentication pages"...
  • Page 132: Specifying An Authentication Domain For Third-Party Authentication

    Step: Specify the redirection URL for QQ authentication success. Command: redirect-url url-string. Remarks: By default, the redirection URL for QQ authentication success is http://lvzhou.abc.com/portal/qqlogin.html. The redirection URL must be the same as that specified during website application on the Tencent Open Platform.
  • Page 133: Configuring Portal Temporary Pass

    Configuring portal temporary pass Typically, a portal user cannot access the Internet before passing portal authentication. This feature allows a user to access the Internet temporarily if the user uses a WeChat account to perform portal authentication. During the temporary pass period, the user can provide WeChat authentication information to the WeChat server for the server to interact with the access device to finish portal authentication.
  • Page 134: Displaying And Maintaining Portal

    Step: Export portal authentication failure records to a path. Command: portal auth-fail-record export url url-string [ start-time start-date start-time end-time end-date end-time ]. Step: Enable portal authentication error recording. Command: portal auth-error-record enable. Remarks: By default, portal authentication error recording is disabled. Step: Set the maximum number of ... Command: portal auth-error-record max... Remarks: By default, the maximum number...
  • Page 135 Task: Display portal Web server information. Command: display portal web-server [ server-name ]. Task: Display packet statistics for portal authentication servers. Command: display portal packet statistics [ extend-auth-server { cloud | mail | qq | wechat } | mac-trigger-server server-name | server server-name ]. Task: Display portal redirect packet statistics (in standalone mode). Command: display portal redirect statistics [ slot ...
  • Page 136: Portal Configuration Examples

    Task: Clear packet statistics for portal safe-redirect (in IRF mode). Command: reset portal safe-redirect statistics [ chassis chassis-number slot slot-number ]. Portal configuration examples: Configuring direct portal authentication. Network requirements: As shown in Figure 34, the host is directly connected to the router (the access device). The host is assigned a public IP address either manually or through DHCP.
  • Page 137 Figure 35 Portal server configuration Configure the IP address group: a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 138 a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page. b. Click Add to open the page as shown in Figure c. Enter the device name NAS. d. Enter the IP address of the router's interface connected to the host. e.
  • Page 139 Figure 39 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the router Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Router>...
  • Page 140 # Configure a portal authentication server. [Router] portal server newpt [Router-portal-server-newpt] ip 192.168.0.111 key simple portal [Router-portal-server-newpt] port 50100 [Router-portal-server-newpt] quit # Configure a portal Web server. [Router] portal web-server newpt [Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Router-portal-websvr-newpt] quit # Enable direct portal authentication on GigabitEthernet 1/1/2. [Router] interface gigabitethernet 1/1/2 [Router-GigabitEthernet1/1/2] portal enable method direct # Reference the portal Web server newpt on GigabitEthernet 1/1/2.
  • Page 141: Configuring Re-Dhcp Portal Authentication

    Server name / Action / Layer3 source network: IP address, Prefix length / Destination authenticate subnet: IP address, Prefix length. A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, a user can access only the authentication page http://192.168.0.111:8080/portal.
  • Page 142 Figure 40 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the router and servers as shown in Figure 40 and make sure the host, router, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 143 # Enable RADIUS session control. [Router] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Router] domain dm1 # Configure AAA methods for the ISP domain. [Router-isp-dm1] authentication portal radius-scheme rs1 [Router-isp-dm1] authorization portal radius-scheme rs1 [Router-isp-dm1] accounting portal radius-scheme rs1 [Router-isp-dm1] quit...
  • Page 144 Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length Before passing the authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be...
  • Page 145: Configuring Cross-Subnet Portal Authentication

    redirected to the authentication page. After passing the authentication, the user can access other network resources. # After the user passes authentication, use the following command to display information about the portal user. [Router] display portal user interface gigabitethernet 1/1/2 Total portal users: 1 Username: abc Portal server: newpt...
  • Page 146 Configuration procedure Perform the following tasks on Router A. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <RouterA> system-view [RouterA] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 147 [RouterA-GigabitEthernet1/1/2] quit On Router B, configure a default route to subnet 192.168.0.0/24, specifying the next hop address as 20.20.20.1. (Details not shown.) Verifying the configuration # Verify that the portal configuration has taken effect. [RouterA] display portal interface gigabitethernet 1/1/2 Portal information of GigabitEthernet1/1/2 NAS-ID profile: Not configured Authorization : Strict checking...
  • Page 148: Configuring Extended Direct Portal Authentication

    Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 149 Configuration prerequisites • Configure IP addresses for the host, router, and servers as shown in Figure 42 and make sure they can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. Configuration procedure Perform the following tasks on the router. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view.
  • Page 150 # Configure a portal authentication server. [Router] portal server newpt [Router-portal-server-newpt] ip 192.168.0.111 key simple portal [Router-portal-server-newpt] port 50100 [Router-portal-server-newpt] quit # Configure a portal Web server. [Router] portal web-server newpt [Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Router-portal-websvr-newpt] quit # Enable direct portal authentication on GigabitEthernet 1/1/2. [Router] interface gigabitethernet 1/1/2 [Router-GigabitEthernet1/1/2] portal enable method direct # Reference the portal Web server newpt on GigabitEthernet 1/1/2.
  • Page 151: Configuring Extended Re-Dhcp Portal Authentication

    Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 152 Configure extended re-DHCP portal authentication. Before passing portal authentication, the host is assigned a private IP address. After passing portal identity authentication, the host obtains a public IP address and accepts security check. If the host fails the security check, it can access only subnet 192.168.0.0/24.
  • Page 153 [Router-radius-rs1] key accounting simple radius [Router-radius-rs1] user-name-format without-domain # Enable RADIUS session control. [Router] radius session-control enable # Specify a session-control client with IP address 192.168.0.114 and shared key 12345 in plain text. [Router] radius session-control client ip 192.168.0.114 key simple 12345 Configure an authentication domain: # Create an ISP domain named dm1 and enter its view.
  • Page 154 [Router-portal-server-newpt] port 50100 [Router-portal-server-newpt] quit # Configure a portal Web server. [Router] portal web-server newpt [Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Router-portal-websvr-newpt] quit # Enable re-DHCP portal authentication on GigabitEthernet 1/1/2. [Router] interface gigabitethernet 1/1/2 [Router-GigabitEthernet1/1/2] portal enable method redhcp # Reference the portal Web server newpt on GigabitEthernet 1/1/2. [Router-GigabitEthernet1/1/2] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 1/1/2 to the portal authentication server.
  • Page 155: Configuring Extended Cross-Subnet Portal Authentication

    Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 156 Figure 44 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the router and servers as shown in Figure 44 and make sure the host, router, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 157 [RouterA-isp-dm1] quit # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user. [RouterA] domain default enable dm1 Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
  • Page 158 Prefix length Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user are redirected to the authentication page. •...
  • Page 159: Configuring Portal Server Detection And Portal User Synchronization

    Total portal users: 1 Username: abc Portal server: newpt State: Online VPN instance: N/A VLAN Interface 0015-e9a6-7cfe 8.8.8.2 GigabitEthernet1/1/2 Authorization information: DHCP IP pool: N/A User profile: N/A ACL: 3001 CAR: N/A Configuring portal server detection and portal user synchronization Network requirements As shown in Figure...
  • Page 160 • Configure the portal authentication server. Be sure to enable the server heartbeat function and the user heartbeat function. • Configure the router (access device) as follows: Configure direct portal authentication on GigabitEthernet 1/1/2, the interface to which the host is connected. Configure portal authentication server detection, so that the router can detect the reachability of the portal authentication server by cooperating with the portal server heartbeat function.
  • Page 161 e. Select a service group. This example uses the default group Ungrouped. f. Select Normal from the Action list. g. Click OK. Figure 47 Adding an IP address group Add a portal device: a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page.
  • Page 162 Figure 48 Adding a portal device Associate the portal device with the IP address group: a. As shown in Figure 49, click the icon in the Port Group Information Management column of device NAS to open the port group configuration page. b.
  • Page 163 Figure 50 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the router Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Router>...
  • Page 164 # Configure a portal authentication server. [Router] portal server newpt [Router-portal-server-newpt] ip 192.168.0.111 key simple portal [Router-portal-server-newpt] port 50100 # Configure reachability detection of the portal authentication server: set the server detection interval to 40 seconds, and send log messages upon reachability status changes. [Router-portal-server-newpt] server-detect timeout 40 log NOTE: The value of timeout must be greater than or equal to the portal server heartbeat interval.
  • Page 165: Configuring Cross-Subnet Portal Authentication For Mpls L3Vpns

    unreachable log "Portal server newpt turns down from up." and disables portal authentication on the access interface, so the host can access the external network without authentication. Configuring cross-subnet portal authentication for MPLS L3VPNs Network requirements As shown in Figure 51, the PE device Router A provides portal authentication for the host in VPN 1.
  • Page 166 [RouterA-radius-rs1] user-name-format without-domain # Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. This address must be the same as that of the portal device specified on the portal authentication server to avoid authentication failures. [RouterA-radius-rs1] nas-ip 3.3.0.3 [RouterA-radius-rs1] quit # Enable RADIUS session control.
  • Page 167: Configuring Direct Portal Authentication With A Preauthentication Domain

    Portal server: newpt State: Online VPN instance: vpn3 VLAN Interface 0000-0000-0000 3.3.0.1 GigabitEthernet1/1/1 Authorization information: DHCP IP pool: N/A User profile: N/A ACL: N/A CAR: N/A Configuring direct portal authentication with a preauthentication domain Network requirements As shown in Figure 52, the host is directly connected to the router (the access device).
  • Page 168 # Enable the DHCP server on GigabitEthernet 1/1/2. [Router] interface gigabitethernet 1/1/2 [Router-GigabitEthernet1/1/2] dhcp select server [Router-GigabitEthernet1/1/2] quit Configure a preauthentication domain: # Create an ISP domain named abc and enter its view. [Router] domain abc # Specify authorization ACL 3010 in the domain. [Router-isp-abc] authorization-attribute acl 3010 [Router-isp-abc] quit # Configure a rule to permit access to the subnet 192.168.0.0/24.
  • Page 169: Configuring Re-Dhcp Portal Authentication With A Preauthentication Domain

    DHCP IP pool: N/A User profile: N/A ACL number: 3010 Inbound CAR: N/A Outbound CAR: N/A Configuring re-DHCP portal authentication with a preauthentication domain Network requirements As shown in Figure 53, the host is directly connected to the router (the access device). The host obtains an IP address through the DHCP server.
  • Page 170 where the host resides. The public IP address range for the IP address group is the public subnet 20.20.20.0/24. • If you have configured a preauthentication IP address pool on portal-enabled interfaces, configure a DHCP relay address pool with the same name on the device. For the DHCP relay address pool, specify the subnet address where the unauthenticated users reside (with the export-router keyword specified) and the DHCP server address.
  • Page 171: Configuring Direct Portal Authentication Using The Local Portal Web Server

    [Router-GigabitEthernet1/1/2] portal enable method redhcp # Reference the portal Web server newpt on GigabitEthernet 1/1/2. [Router-GigabitEthernet1/1/2] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 1/1/2 to the portal authentication server. [Router-GigabitEthernet1/1/2] portal bas-ip 20.20.20.1 [Router-GigabitEthernet1/1/2] quit Verifying the configuration # Verify the portal configuration by executing the display portal interface command.
  • Page 172 Configuration procedure Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Router> system-view [Router] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [Router-radius-rs1] primary authentication 192.168.0.112 [Router-radius-rs1] primary accounting 192.168.0.112 [Router-radius-rs1] key authentication simple radius...
  • Page 173 [Router-GigabitEthernet1/1/2] quit Verifying the configuration # Verify that the portal configuration has taken effect. [Router] display portal interface gigabitethernet 1/1/2 Portal information of GigabitEthernet1/1/2 Authorization Strict checking Disabled User profile Disabled IPv4: Portal status: Enabled Authentication type: Direct Portal Web server: newpt(active) Secondary portal Web server: Not configured Authentication domain: Not configured Pre-auth domain: Not configured...
  • Page 174: Troubleshooting Portal

    A user can perform portal authentication through a Web page. Before passing the authentication, the user can access only the authentication page http://2.2.2.1:2331/portal and all Web requests will be redirected to the authentication page. After passing the authentication, the user can access other network resources.
  • Page 175: Cannot Log Out Portal Users On The Radius Server

    Cannot log out portal users on the RADIUS server Symptom The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
  • Page 176: Re-Dhcp Portal Authenticated Users Cannot Log In Successfully

    Re-DHCP portal authenticated users cannot log in successfully Symptom The device performs re-DHCP portal authentication for users. A user enters the correct username and password, and the client successfully obtains the private and public IP addresses. However, the authentication result for the user is failure. Analysis When the access device detects that the client IP address has changed, it sends an unsolicited portal packet to notify the portal authentication server of the IP change.
  • Page 177: Configuring User Profiles

    Configuring user profiles Overview A user profile saves a set of predefined parameters, such as a CAR policy, a QoS policy, or a connection limit policy. The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user.
  • Page 178: Displaying And Maintaining User Profiles

    Displaying and maintaining user profiles Execute display commands in any view. Task: Display configuration and online user information for the specified user profile or all user profiles (in standalone mode). Command: display user-profile [ name profile-name ] [ slot slot-number ]. Task: Display configuration and online user information for the specified user profile or all user profiles (in... Command: display user-profile [ name profile-name ] [ chassis...
  • Page 179: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 180: Password Updating And Expiration

    when a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements: • A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
  • Page 181: User Login Control

    Current login passwords of device management users are not stored in the password history, because a device management user password is saved in cipher text and cannot be recovered to a plaintext password. User login control First login If the global password control feature is enabled, users must change the password at first login before they can access the system.
  • Page 182: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. Password control configuration task list The password control features can be configured in several different views, and different views support different features.
  • Page 183: Setting Global Password Control Parameters

    Step: Enter system view. Command: system-view. Step: Enable the global password control feature. Command: password-control enable. Remarks: • In non-FIPS mode, the global password control feature is disabled by default. • In FIPS mode, the global password control feature is enabled by default and cannot be disabled.
  • Page 184: Setting User Group Password Control Parameters

    Step: Set the maximum number of history password records for each user. Command: password-control history max-record-number. Remarks: The default setting is 4. Step: Configure the login attempt limit. Command: password-control login-attempt login-times [ exceed { lock | ... Remarks: By default, the maximum number of login attempts is 3 and a user failing to log in after the specified...
  • Page 185: Setting Local User Password Control Parameters

    Setting local user password control parameters Step: Enter system view. Command: system-view. Step: Create a device management user and enter its view. Command: local-user user-name class manage. Remarks: By default, no local users exist. Local user password control applies to device management users instead of network access users.
  • Page 186: Displaying And Maintaining Password Control

    Step: Enter system view. Command: system-view. Step: Set the password aging time for super passwords. Command: password-control super aging aging-time. Remarks: The default setting is 90 days. Step: Configure the minimum ... Command: password-control super length ... Remarks: • In non-FIPS mode, the default setting is 10 characters.
  • Page 187: Configuration Procedure

    • An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in. • A user can log in five times within 60 days after the password expires. • A password expires after 30 days. •...
  • Page 188: Verifying The Configuration

    [Sysname] password-control super length 24 # Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type. [Sysname] password-control super composition type-number 4 type-length 5 # Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text.
  • Page 189 Password length: Enabled (24 characters) Password composition: Enabled (4 types, 5 characters per type) # Display the password control configuration for local user test. <Sysname> display local-user user-name test class manage Total 1 local users matched. Device management user test: State: Active Service type:...
  • Page 190: Configuring Keychains

    Configuring keychains Overview A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication by periodically changing the key and authentication algorithm without service interruption. Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime.
  • Page 191: Keychain Configuration Example

    Task Command Display keychain information. display keychain [ name keychain-name [ key key-id ] ] Keychain configuration example Network requirements As shown in Figure 55, establish an OSPF neighbor relationship between Router A and Router B, and use a keychain to authenticate packets between the routers. Configure key 1 and key 2 for the keychain and make sure key 2 is used immediately when key 1 expires.
  • Page 192: Verifying The Configuration

    [RouterA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06 [RouterA-keychain-abc-key-2] quit [RouterA-keychain-abc] quit # Configure GigabitEthernet 1/1/1 to use the keychain abc for authentication. [RouterA] interface GigabitEthernet 1/1/1 [RouterA-GigabitEthernet1/1/1] ospf authentication-mode keychain abc [RouterA-GigabitEthernet1/1/1] quit Configuring Router B # Configure IP addresses for interfaces. (Details not shown.) # Configure OSPF.
  • Page 193 # Display keychain information on Router A. The output shows that key 1 is the valid key. [RouterA] display keychain Keychain name : abc Mode : absolute Accept tolerance TCP kind value : 254 TCP algorithm value HMAC-MD5 Default send key ID : None Active send key ID Active accept key IDs: 1...
  • Page 194 Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06 Accept status : Active Key ID Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw== Algorithm : hmac-md5 Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06 Send status : Inactive Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06 Accept status : Inactive When the system time is within the lifetime from 11:00:00 to 12:00:00 on the day 2015/02/06,...
  • Page 195 TCP kind value : 254 TCP algorithm value HMAC-MD5 Default send key ID : None Active send key ID Active accept key IDs: 1 Key ID Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg== Algorithm : md5 Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06 Send status : Inactive Accept lifetime...
  • Page 196: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the following asymmetric key algorithms: • Rivest-Shamir-Adleman Algorithm (RSA). • Digital Signature Algorithm (DSA). • Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, such as SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 56.
  • Page 197: Creating A Local Key Pair

    Tasks at a glance (Optional.) Distributing a local host public key: • Exporting a host public key • Displaying a host public key (Optional.) Destroying a local key pair (Optional.) Configuring a peer host public key: • Importing a peer host public key from a public key file •...
  • Page 198: Distributing A Local Host Public Key

    Step: Enter system view. Command: system-view. Step: Create a local key pair. Command: • In non-FIPS mode: public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ]. Remarks: By default, no local key pairs exist. •...
  • Page 199: Displaying A Host Public Key

    Step: Export a local host public key. Command: • Export an RSA host public key: In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ]. In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 } [ filename ].
  • Page 200: Importing A Peer Host Public Key From A Public Key File

    • Import the peer host public key from a public key file (recommended). • Manually enter (type or copy) the peer host public key. Importing a peer host public key from a public key file Before you perform this task, make sure you have exported the host public key to a file on the peer device and obtained the file from the peer device.
  • Page 201: Examples Of Public Key Management

    Task: Display local public keys. Command: display public-key local { dsa | ecdsa | rsa } public [ name key-name ]. Task: Display peer host public keys. Command: display public-key peer [ brief | name publickey-name ]. Examples of public key management Example for entering a peer host public key Network requirements As shown in...
  • Page 202 [key code omitted] ============================================= Key name: serverkey (default) Key type: RSA Time when key pair created: 16:48:31 2011/05/12 Key code: [key code omitted] Configure Device B: # Enter the host public key of Device A in public key view. The key must be literally the same as displayed on Device A.
  • Page 203: Example For Importing A Public Key From A Public Key File

    Example for importing a public key from a public key file Network requirements As shown in Figure 58, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device •...
  • Page 204 [key code omitted] # Export the RSA host public key to file devicea.pub. [DeviceA] public-key local export rsa ssh2 devicea.pub # Enable the FTP server function, create an FTP user with username ftp and password 123, and configure the FTP user role as network-admin. [DeviceA] ftp server enable [DeviceA] local-user ftp [DeviceA-luser-manage-ftp] password simple 123...
  • Page 206: Configuring Pki

    Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
  • Page 207: Pki Architecture

    • The private key is compromised. • The association between the subject and CA is changed. For example, when an employee terminates employment with an organization. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
  • Page 208: Pki Applications

    A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
  • Page 209: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity (Required.)
  • Page 210: Configuring A Pki Domain

    Step: Create a PKI entity and enter its view. Command: pki entity entity-name. Remarks: By default, no PKI entities exist. To create multiple PKI entities, repeat this step. Step: • Configure individual DN attributes to construct the subject DN string: Set the common name attribute. Command: common-name common-name-string... Remarks: By default, no DN attributes...
  • Page 211 Step Command Remarks By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be Specify the trusted provided. The trusted CA name ca identifier name uniquely identifies the CA to be used if multiple CAs exist on the same CA server.
  • Page 212: Requesting A Certificate

    Command: • Specify an RSA key pair: public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }. Remarks: By default, no key pair is specified. If the specified key pair does not... •...
  • Page 213: Configuration Guidelines

    Configuration guidelines The following guidelines apply to certificate request for an entity in a PKI domain: • Make sure the device is time synchronized with the CA server. Otherwise, the certificate request might fail because the certificate might be considered to be outside of the validity period. For information about how to configure the system time, see Fundamentals Configuration Guide.
  • Page 214: Manually Requesting A Certificate

    Step: Set the certificate request mode to auto. Command: certificate request mode auto [ password { cipher | simple } string | renew-before-expire days [ reuse-public-key ] [ automatic-append common-name ] ] *... Remarks: By default, the manual request mode applies. In auto request mode, set a password for certificate revocation as required by...
  • Page 215: Obtaining Certificates

    Step: Abort a certificate request. Command: pki abort-certificate-request domain domain-name. Remarks: This command is not saved in the configuration file. Obtaining certificates You can obtain the CA certificate, local certificates, and peer certificates related to a PKI domain from a CA and save them locally for higher lookup efficiency. To do so, use either the offline mode or the online mode: •...
  • Page 216: Verifying Pki Certificates

    Step: Obtain certificates. Command: • Import certificates in offline mode: pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }. Remarks: The pki retrieve-certificate...
  • Page 217: Verifying Certificates Without Crl Checking

    Step: (Optional.) Specify the VPN instance where the certificate request reception authority and the CRL repository belong. Command: vpn-instance vpn-instance-name. Remarks: By default, the certificate request reception authority and the CRL repository belong to the public network. Step: Enable CRL checking. Remarks: By default, CRL checking is...
  • Page 218: Exporting Certificates

    Task: Specify the storage path for certificates and CRLs. Command: pki storage { certificates | crls } dir-path. Remarks: By default, the device stores certificates and CRLs in the PKI directory on the storage media of the device. Exporting certificates IMPORTANT: To export all certificates in the PKCS12 format, the PKI domain must have a minimum of one local certificate.
  • Page 219: Configuring A Certificate-Based Access Control Policy

    Step: Enter system view. Command: system-view. Step: Remove a certificate. Command: pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }. Remarks: If you use the peer keyword without specifying a serial number, this command removes all peer certificates.
  • Page 220: Displaying And Maintaining Pki

    Step: Create a certificate access control rule. Command: rule [ id ] { deny | permit } group-name. Remarks: By default, no certificate access control rules are configured, and all certificates can pass the verification. You can create multiple certificate access control rules for a certificate-based access control policy.
  • Page 221 Configuring the RSA Keon CA server Create a CA server named myca: In this example, you must configure these basic attributes on the CA server: Nickname—Name of the trusted CA. Subject DN—DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).
  • Page 222 Generating Keys......++++++ ........++++++ Create the key pair successfully. Request a local certificate: # Obtain the CA certificate and save it locally. [Device] pki retrieve-certificate domain torsa ca The trusted CA's finger print is: fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Retrieved the certificates successfully.
  • Page 223: Requesting A Certificate From A Windows Server 2003 Ca Server

    Full Name: DirName: CN = myca Signature Algorithm: sha1WithRSAEncryption [signature bytes omitted] To display detailed information about the CA certificate, use the display pki certificate domain command. Requesting a certificate from a Windows Server 2003 CA server Network requirements Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA...
  • Page 224 Modify the Internet information services attributes: a. Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from the start menu. b. Select Web Sites from the navigation tree. c. Right-click Default Web Site and select Properties > Home Directory. d.
  • Page 225 fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually. [Device] pki request-certificate domain winserver Start to request general certificate ... …...
  • Page 226: Requesting A Certificate From An OpenCA Server

    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment X509v3 Subject Key Identifier: C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34 X509v3 Authority Key Identifier: keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9B X509v3 CRL Distribution Points: Full Name: URI:file://\\g07904c\CertEnroll\sec.crl Authority Information Access: CA Issuers - URI:http://gc/CertEnroll/gc_sec.crt CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption...
  • Page 227 Configuring the OpenCA server Configure the OpenCA server as instructed in related manuals. (Details not shown.) Make sure the version of the OpenCA server is later than version 0.9.2 because the earlier versions do not support SCEP. Configuring the device Synchronize the device's system time with the CA server for the device to correctly request certificates.
  • Page 228 SHA1 fingerprint:9668 4E63 D742 4B09 90E0 4C78 E213 F15F DC8E 9122 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually. [Device] pki request-certificate domain openca Start to request general certificate ... … Request certificate of domain openca successfully Verifying the configuration # Display information about the local certificate in PKI domain openca.
  • Page 229: IKE Negotiation With RSA Digital Signature From A Windows Server 2003 CA Server

    User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B X509v3 Authority Key Identifier: keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B X509v3 Issuer Alternative Name: DNS:root@docm.com, DNS:, IP Address:192.168.154.145, IP Address:192.168.154.138 Authority Information Access: CA Issuers - URI:http://192.168.222.218/pki/pub/cacert/cacert.crt OCSP - URI:http://192.168.222.218:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption...
  • Page 230 Figure 64 Network diagram Configuring the Windows Server 2003 CA server "Requesting a certificate from a Windows Server 2003 CA server." Configuring Device A # Configure a PKI entity. <DeviceA> system-view [DeviceA] pki entity en [DeviceA-pki-entity-en] ip 2.2.2.1 [DeviceA-pki-entity-en] common-name devicea [DeviceA-pki-entity-en] quit # Configure a PKI domain.
  • Page 231 Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys......++++++ ........++++++ Create the key pair successfully. # Obtain the CA certificate and save it locally. [DeviceA] pki retrieve-certificate domain 1 ca # Submit a certificate request manually. [DeviceA] pki request-certificate domain 1 # Create IKE proposal 1, and configure the authentication method as RSA digital signature.
  • Page 232: Certificate Import And Export Configuration Example

    [DeviceB] pki retrieve-certificate domain 1 ca The trusted CA's finger print is: fingerprint:5C41 E657 A0D6 ECB4 6BD6 1823 7473 AABC SHA1 fingerprint:1616 E7A5 D89A 2A99 9419 1C12 D696 8228 87BC C266 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually.
  • Page 233 # Export the CA certificate to a .pem file. <DeviceA> system-view [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111. [DeviceA] pki export domain exportdomain pem local 3des-cbc 111111 filename pkilocal.pem Now, Device A has three certificate files in PEM format:...
  • Page 234 -----BEGIN ENCRYPTED PRIVATE KEY----- MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI7H0mb4O7/GACAggA … -----END ENCRYPTED PRIVATE KEY----- Download the certificate files pkicachain.pem, pkilocal.pem-sign, and pkilocal.pem-encr from Device A to the host through FTP. (Details not shown.) Upload the certificate files pkicachain.pem, pkilocal.pem-sign, and pkilocal.pem-encr from the host to Device B through FTP. (Details not shown.) Import the certificate files to Device B: # Disable CRL checking.
  • Page 235 6c:bf:0d:8c:f4:4e:ca:69:e5:3f:37:5c:83:ea:83: ad:16:b8:99:37:cb:86:10:6b:a0:4d:03:95:06:42: ef:ef:0d:4e:53:08:0a:c9:29:dd:94:28:02:6e:e2: 9b:87:c1:38:2d:a4:90:a2:13:5f:a4:e3:24:d3:2c: bf:98:db:a7:c2:36:e2:86:90:55:c7:8c:c5:ea:12: 01:31:69:bf:e3:91:71:ec:21 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier:...
  • Page 236 5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d: ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84: 2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34: 6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d: d6:0a:1c:0b Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption...
  • Page 237: Troubleshooting PKI Configuration

    DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://titan:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption...
  • Page 238: Failed To Obtain Local Certificates

    Solution Fix the network connection problems, if any. Verify that the required configurations are correct. Use the ping command to verify that the registration server is reachable. Synchronize the system time of the device with the CA server. Specify the correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.
  • Page 239: Failed To Obtain CRLs

    Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • The PKI domain does not have a CA certificate before the local certificate request is submitted. • The certificate request URL is incorrect or is not specified. •...
  • Page 240: Failed To Import The CA Certificate

    • The CA does not issue CRLs. • The CA server does not accept the source IP address specified in the PKI domain, or no source IP address is specified. Solution Fix the network connection problems, if any. Obtain or import the CA certificate. If the URL of the CRL repository cannot be obtained, verify that the following conditions exist: The URL for certificate request is valid.
  • Page 241: Failed To Export Certificates

    • The certificate is out of the validity period. • The system time is wrong. Solution Obtain or import the CA certificate. Use the undo crl check enable command to disable CRL checking, or obtain the correct CRL before you import certificates. Make sure the format of the file to be imported is correct.
  • Page 242 Specify a valid storage path for certificates or CRLs. Clear up the storage space of the device. If the problem persists, contact Hewlett Packard Enterprise Support.
  • Page 243: Configuring IPsec

    Configuring IPsec Overview IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
  • Page 244 algorithms such as DES, 3DES, and AES, and authentication algorithms HMAC-MD5 and HMAC-SHA1. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
  • Page 245: Security Association

    Security association A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers. An SA includes the following parameters for data protection: • Security protocols (AH, ESP, or both). • Encapsulation mode (transport mode or tunnel mode). •...
  • Page 246: IPsec Implementation

    • AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES. Crypto engine The IPsec feature is resource intensive because of its complex encryption/decryption and authentication algorithms. To improve processing performance, you can use the crypto engine to offload IPsec tasks. The crypto engine processes all IPsec-protected packets and hands the processed packets back to the device for forwarding.
  • Page 247 Tunnel interface-based IPsec To implement tunnel interface-based IPsec, configure an IPsec profile and apply the IPsec profile to a tunnel interface. All traffic routed to the tunnel interface, including multicast traffic, is protected by IPsec. Tunnel interface-based IPsec supports only the tunnel encapsulation mode. In the current software version, tunnel interface-based IPsec is supported only on ADVPN tunnel interfaces.
  • Page 248: IPsec RRI

    Figure 70 Tunnel interface de-encapsulation As shown in Figure 70, a tunnel interface de-encapsulates an IP packet as follows: Upon receiving an encapsulated packet, the inbound interface sends the packet to the forwarding module for routing. Because the packet is destined for the source IP address of the tunnel interface and the payload protocol is AH or ESP, the forwarding module sends the packet to the tunnel interface.
  • Page 249: Protocols And Standards

    Figure 71 IPsec VPN IPsec Reverse Route Injection (RRI) enables an IPsec tunnel gateway to automatically add static routes destined for protected private networks or static routes destined for peer IPsec tunnel gateways to a routing table. As shown in Figure 71, you can enable IPsec RRI on the gateway at the enterprise center.
  • Page 250: IPsec Tunnel Establishment

    IPsec tunnel establishment CAUTION: Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50, respectively. Make sure traffic of these protocols is not denied on the interfaces with IKE or IPsec configured. IPsec tunnels can be established in different methods.
  • Page 251: Configuring An ACL

    Tasks at a glance (Optional.) Configuring IPsec anti-replay redundancy (Optional.) Binding a source interface to an IPsec policy (Optional.) Enabling QoS pre-classify (Optional.) Enabling logging for IPsec packets (Optional.) Configuring the DF bit of IPsec packets (Optional.) Configuring IPsec RRI (Optional.) Configuring SNMP notifications for IPsec (Optional.)
  • Page 252 packets will be sent out as normal packets. If they match a permit statement at the receiving end, they will be dropped by IPsec. The following example shows how an improper statement causes unexpected packet dropping. Only the ACL-related configuration is presented. Assume Router A is connected to subnet 1.1.2.0/24 and Router B is connected to subnet 3.3.3.0/24, and the IPsec policy configuration on Router A and Router B is as follows: •...
  • Page 253 Figure 72 Mirror image ACLs: Router A (interfaces GE1/1/1 and GE1/1/2; Network 1, 1.1.1.0/24, with Host A 1.1.1.1) uses ACL1: rule permit 1.1.1.1 -> 2.2.2.2 and ACL2: rule permit 1.1.1.0/24 -> 2.2.2.0/24; Router B (Network 2, 2.2.2.0/24, with Host C 2.2.2.2), reached across the IP network, uses the mirror rules ACL1: rule permit 2.2.2.2 -> 1.1.1.1 and ACL2: rule permit 2.2.2.0/24 ->...
  • Page 254: Configuring An IPsec Transform Set

    keychain vpn1 match remote identity address 8.8.8.1 255.255.255.255 inside-vpn vpn-instance vpn1 Figure 74 IPsec for MPLS L3VPN Configuring an IPsec transform set An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms. Changes to an IPsec transform set affect only SAs negotiated after the changes.
  • Page 255 Step Command Remarks • (Low encryption.) Specify the encryption algorithm for ESP: esp encryption-algorithm des-cbc • (High encryption in non-FIPS mode.) Specify the encryption algorithm for ESP: esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 |... Remarks: Configure at least one command. By default, no security algorithm is...
  • Page 256: Configuring A Manual IPsec Policy

    Step Command Remarks (Optional.) Specify the mode in which the security protocol encapsulates IP packets: encapsulation-mode { transport |... By default, the security protocol encapsulates IP packets in tunnel mode. The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
  • Page 257 • The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters. Configuration procedure To configure a manual IPsec policy: Step...
  • Page 258: Configuring An IKE-Based IPsec Policy

    Step Command Remarks • Configure an authentication key in hexadecimal format for AH: sa hex-key authentication { inbound | outbound } ah { cipher | simple } string • Configure an authentication key in character format for... By default, no keys are configured for the IPsec SA.
  • Page 259 • The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller. • The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires. Directly configuring an IKE-based IPsec policy Step Command...
  • Page 260 Step Command Remarks remote-address { [ ipv6 ] By default, the remote IP address Specify the remote IP host-name | ipv4-address | ipv6 of the IPsec tunnel is not address of the IPsec tunnel. ipv6-address } specified. sa duration { time-based 10.
  • Page 261 Step Command Remarks By default, no IKE profile is specified for the IPsec policy template. You can specify only one IKE Specify an IKE profile for the profile for an IPsec policy template ike-profile profile-name IPsec policy. and the IKE profile cannot be used by another IPsec policy template or IPsec policy.
  • Page 262: Applying An IPsec Policy To An Interface

    Step Command Remarks 15. (Optional.) Enable the global IPsec SA idle timeout feature, and set the global SA idle timeout: ipsec sa idle-time seconds. By default, the global IPsec SA idle timeout feature is disabled. 16. Create an IPsec policy by using the IPsec policy...: ipsec { ipv6-policy | policy } policy-name seq-number isakmp...
  • Page 263: Enabling ACL Checking For De-Encapsulated Packets

    Step Command Remarks (Optional.) Specify a traffic processing slot for the... • In IRF mode: service chassis chassis-number slot... By default, no traffic processing slot is specified. This step is required when the following conditions are met: • An IKE-based IPsec policy is applied to global logical interfaces, such as VLAN...
  • Page 264: Configuring IPsec Anti-Replay Redundancy

    To configure IPsec anti-replay: Step Command Remarks Enter system view: system-view. Enable IPsec anti-replay: ipsec anti-replay check (by default, IPsec anti-replay is enabled). (Optional.) Set the size of the IPsec anti-replay window: ipsec anti-replay window width (the default size is 64). Configuring IPsec anti-replay redundancy This feature synchronizes the following information from the active device to the standby device at configurable packet-based intervals:...
  • Page 265: Enabling QoS Pre-Classify

    Follow these guidelines when you perform this task: • Only the IKE-based IPsec policies can be bound to a source interface. • An IPsec policy can be bound to only one source interface. • A source interface can be bound to multiple IPsec policies. •...
  • Page 266: Enabling Logging For IPsec Packets

    Enabling logging for IPsec packets Perform this task to enable logging for IPsec packets that are discarded because of reasons such as IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information includes the source and destination IP addresses, SPI value, and sequence number of a discarded IPsec packet, and the reason for the discard.
  • Page 267: Configuring IPsec RRI

    Step Command Remarks Configure the DF bit of IPsec packets globally: ipsec global-df-bit { clear | copy | set }. By default, IPsec copies the DF bit in the original IP header to the new IP header. Configuring IPsec RRI Configuration guidelines When you enable or disable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs created by this IPsec policy, and the associated static routes.
  • Page 268: Configuring IPsec For IPv6 Routing Protocols

    Configuring IPsec for IPv6 routing protocols Configuration task list Complete the following tasks to configure IPsec for IPv6 routing protocols: Tasks at a glance (Required.) Configuring an IPsec transform set (Required.) Configuring a manual IPsec profile (Required.) Applying the IPsec profile to an IPv6 routing protocol (see Layer 3—IP Routing Configuration Guide) (Optional.) Enabling logging for IPsec packets...
  • Page 269: Configuring IPsec For Tunnels

    Step Command Remarks Specify an IPsec transform set: transform-set transform-set-name. By default, no IPsec transform set is specified in an IPsec profile. The specified IPsec transform set must use the transport mode. Configure an SPI for an SA: sa spi { inbound | outbound } { ah | esp } spi-number. By default, no SPI is configured for an SA.
  • Page 270: Configuring An IKE-Based IPsec Profile

    Configuring an IKE-based IPsec profile An IKE-based IPsec profile is similar to an IKE-based IPsec policy. The difference is that an IPsec profile is uniquely identified by a name and it does not support ACL configuration. An IKE-based IPsec profile specifies the IPsec transform sets used for protecting data flows, and the IKE profile used for IKE negotiation.
  • Page 271: Applying An IKE-Based IPsec Profile To A Tunnel Interface

    Step Command Remarks (Optional.) Set the global SA lifetime: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }. By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes. 10. (Optional.) Enable the global IPsec SA idle...: ipsec sa idle-time seconds. By default, the global IPsec SA...
  • Page 272: Configuring IPsec Fragmentation

    Step Command Remarks Enable SNMP notifications for the specified failure or event...: snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete |... By default, SNMP notifications for all failure and event types are disabled.
  • Page 273: Displaying And Maintaining IPsec

    Step Command Remarks Enter system view: system-view. Enable logging for IPsec negotiation: ipsec logging negotiation enable. By default, logging for IPsec negotiation is disabled. Displaying and maintaining IPsec Execute display commands in any view and reset commands in user view. Task Command display ipsec { ipv6-policy | policy } [ policy-name...
  • Page 274 Figure 75 Network diagram: Router A (GE1/1/1 10.1.1.1/24 toward Host A 10.1.1.2/24; GE1/1/2 2.2.2.1/24 toward the Internet) and Router B (GE1/1/1 10.1.2.1/24 toward Host B 10.1.2.2/24; GE1/1/2 2.2.3.1/24 toward the Internet). Configuration procedure Configure Router A: # Configure IP addresses for interfaces. (Details not shown.) # Configure an IPv4 advanced ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
  • Page 275 # Configure the inbound and outbound SA keys for ESP. [RouterA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg [RouterA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba [RouterA-ipsec-policy-manual-map1-10] quit # Apply the IPsec policy map1 to interface GigabitEthernet 1/1/2. [RouterA] interface gigabitethernet 1/1/2 [RouterA-GigabitEthernet1/1/2] ip address 2.2.2.1 255.255.255.0 [RouterA-GigabitEthernet1/1/2] ipsec apply policy map1 [RouterA-GigabitEthernet1/1/2] quit...
  • Page 276: Configuring An IKE-Based IPsec Tunnel For IPv4 Packets

    # Apply the IPsec policy use1 to interface GigabitEthernet 1/1/2. [RouterB] interface gigabitethernet1/1/2 [RouterB-GigabitEthernet1/1/2] ip address 2.2.3.1 255.255.255.0 [RouterB-GigabitEthernet1/1/2] ipsec policy use1 [RouterB-GigabitEthernet1/1/2] quit Verifying the configuration After the configuration is completed, an IPsec tunnel between Router A and Router B is established, and the traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 is IPsec-protected.
  • Page 277 Figure 76 Network diagram: Router A (GE1/1/1 10.1.1.1/24 toward Host A 10.1.1.2/24; GE1/1/2 2.2.2.1/24 toward the Internet) and Router B (GE1/1/1 10.1.2.1/24 toward Host B 10.1.2.2/24; GE1/1/2 2.2.3.1/24 toward the Internet). Configuration procedure Configure Router A: # Configure IP addresses for interfaces. (Details not shown.) # Configure an IPv4 advanced ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
  • Page 278 # Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10. [RouterA] ipsec policy map1 10 isakmp # Apply ACL 3101. [RouterA-ipsec-policy-isakmp-map1-10] security acl 3101 # Apply the IPsec transform set tran1. [RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1 # Specify the local and remote IP addresses of the IPsec tunnel as 2.2.2.1 and 2.2.3.1.
  • Page 279 [RouterB] ike profile profile1 [RouterB-ike-profile-profile1] keychain keychain1 [RouterB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0 [RouterB-ike-profile-profile1] quit # Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10. [RouterB] ipsec policy use1 10 isakmp # Apply ACL 3101.
  • Page 280: Configuring An IKE-Based IPsec Tunnel For IPv6 Packets

    Flow: sour addr: 2.2.3.1/0.0.0.0 port: 0 protocol: ip dest addr: 2.2.2.1/0.0.0.0 port: 0 protocol: ip [Inbound ESP SAs] SPI: 3769702703 (0xe0b1192f) Connection ID: 90194313219 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 3000/28800 SA remaining duration (kilobytes/sec): 2300/797 Max received sequence-number: 1 Anti-replay check enable: N Anti-replay window size: UDP encapsulation used for NAT traversal: N...
  • Page 281 Configuration procedure Configure Router A: # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure an IPv6 advanced ACL to identify data flows from subnet 333::/64 to subnet 555::/64. <RouterA> system-view [RouterA] acl ipv6 advanced 3101 [RouterA-acl-ipv6-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64 [RouterA-acl-ipv6-adv-3101] quit # Configure a static route to Host B.
  • Page 282 [RouterA-GigabitEthernet1/1/2] ipv6 address 111::1/64 [RouterA-GigabitEthernet1/1/2] ipsec apply ipv6-policy map1 [RouterA-GigabitEthernet1/1/2] quit Configure Router B: # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure an IPv6 advanced ACL to identify data flows from subnet 555::/64 to subnet 333::/64. <RouterB> system-view [RouterB] acl ipv6 advanced 3101 [RouterB-acl-ipv6-adv-3101] rule permit ipv6 source 555::/64 destination 333::/64 [RouterB-acl-ipv6-adv-3101] quit...
  • Page 283 # Apply the IPsec policy use1 to interface GigabitEthernet 1/1/2. [RouterB] interface gigabitethernet 1/1/2 [RouterB-GigabitEthernet1/1/2] ipv6 address 222::1/64 [RouterB-GigabitEthernet1/1/2] ipsec apply ipv6-policy use1 [RouterB-GigabitEthernet1/1/2] quit Verifying the configuration # Initiate a connection from subnet 333::/64 to subnet 555::/64 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec-protected.
  • Page 284: Configuring IPsec For RIPng

    Connection ID: 2 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 3000/28800 SA remaining duration (kilobytes/sec): 2312/797 Max sent sequence-number: 1 UDP encapsulation used for NAT traversal: N Status: Active Configuring IPsec for RIPng Network requirements As shown in Figure 78, Router A, Router B, and Router C learn IPv6 routes through RIPng. Establish an IPsec tunnel between the routers to protect the RIPng packets transmitted in between.
  • Page 285 [RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-tran1] quit # Create and configure the IPsec profile named profile001. [RouterA] ipsec profile profile001 manual [RouterA-ipsec-profile-manual-profile001] transform-set tran1 [RouterA-ipsec-profile-manual-profile001] sa spi outbound esp 123456 [RouterA-ipsec-profile-manual-profile001] sa spi inbound esp 123456 [RouterA-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg [RouterA-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg [RouterA-ipsec-profile-manual-profile001] quit # Apply the IPsec profile to RIPng process 1.
  • Page 286 # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure basic RIPng. <RouterC> system-view [RouterC] ripng 1 [RouterC-ripng-1] quit [RouterC] interface gigabitethernet 1/1/1 [RouterC-GigabitEthernet1/1/1] ripng 1 enable [RouterC-GigabitEthernet1/1/1] quit # Create and configure the IPsec transform set named tran1. [RouterC] ipsec transform-set tran1 [RouterC-ipsec-transform-set-tran1] encapsulation-mode transport [RouterC-ipsec-transform-set-tran1] protocol esp...
  • Page 287: Configuring IPsec RRI

    # Use the display ipsec sa command to display the established IPsec SAs. [RouterA] display ipsec sa ------------------------------- Global IPsec SA ------------------------------- ----------------------------- IPsec profile: profile001 Mode: Manual ----------------------------- Encapsulation mode: transport [Inbound ESP SA] SPI: 123456 (0x3039) Connection ID: 1 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 No duration limit for this SA [Outbound ESP SA]...
  • Page 288 Figure 79 Network diagram: enterprise center Router A (GE1/1/1 1.1.1.1/24 toward the Internet; GE1/1/2 4.4.4.1/24 toward Host A) and branch Router B (GE1/1/1 2.2.2.2/24 toward the Internet; GE1/1/2 5.5.5.1/24 toward Host B); Router C and Router D are further branch routers reached across the Internet. Configuration procedure Assign IPv4 addresses to the interfaces on the routers according to Figure 79.
  • Page 289 [RouterA] ike proposal 1 [RouterA-ike-proposal-1] encryption-algorithm 3des-cbc [RouterA-ike-proposal-1] authentication-algorithm sha [RouterA-ike-proposal-1] authentication-method pre-share [RouterA-ike-proposal-1] quit # Create an IKE keychain named key1 and specify 123 in plain text as the pre-shared key to be used with the remote peer at 2.2.2.2. [RouterA] ike keychain key1 [RouterA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123 [RouterA-ike-keychain-key1] quit...
  • Page 290 # Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method. [RouterB] ike proposal 1 [RouterB-ike-proposal-1] encryption-algorithm 3des-cbc [RouterB-ike-proposal-1] authentication-algorithm sha [RouterB-ike-proposal-1] authentication-method pre-share [RouterB-ike-proposal-1] quit # Create an IKE keychain named key1 and specify 123 in plain text as the pre-shared key to be used with the remote peer at 1.1.1.1.
  • Page 291 [Inbound ESP SAs] SPI: 1014286405 (0x3c74c845) Connection ID: 1 Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843199/3590 Max received sequence-number: 4 Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for nat traversal: N Status: Active [Outbound ESP SAs] SPI: 4011716027 (0xef1dedbb)
  • Page 292: Configuring IKE

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. Overview Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec. IKE provides the following benefits for IPsec: •...
  • Page 293 • Key exchange—Used for exchanging the DH public value and other values, such as the random number. The two peers use the exchanged data to generate key data and use the encryption key and authentication key to ensure the security of IP packets. •...
  • Page 294: IKE Security Mechanism

    Figure 82 IKE exchange process in aggressive mode IKE security mechanism IKE has a series of self-protection mechanisms and supports secure identity authentication, key distribution, and IPsec SA establishment on insecure networks. Identity authentication The IKE identity authentication mechanism is used to authenticate the identity of the communicating peers.
  • Page 295: FIPS Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. IKE configuration prerequisites Determine the following parameters prior to IKE configuration: •...
  • Page 296 Configure peer IDs. When an end needs to select an IKE profile, it compares the received peer ID with the peer IDs of its local IKE profiles. If a match is found, it uses the IKE profile with the matching peer ID for IKE negotiation. Configure the IKE keychain or PKI domain for the IKE proposals to use: To use digital signature authentication, configure a PKI domain.
  • Page 297 Step Command Remarks Enter system view: system-view. Create an IKE profile and enter its view: ike profile profile-name. By default, no IKE profiles exist. match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address... By default, an IKE profile has no peer ID.
  • Page 298: Configuring An IKE Proposal

    Step Command Remarks 10. (Optional.) Specify an inside VPN instance: inside-vpn vpn-instance vpn-instance-name. By default, no inside VPN instance is specified for an IKE profile, and the device forwards protected data to the VPN instance where the interface receiving the data resides. 11.
  • Page 299: Configuring An Ike Keychain

    Step: Specify an encryption algorithm for the IKE ...
    Command: In non-FIPS mode: encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | sm4-cbc }
    Remarks: By default, in non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.
  • Page 300: Configuring The Global Identity Information

    Step: Create an IKE keychain and enter its view.
    Command: ike keychain keychain-name [ vpn-instance vpn-instance-name ]
    Remarks: By default, no IKE keychains exist.

    Command: In non-FIPS mode: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | ...
    Remarks: By default, no pre-shared key is configured.
  • Page 301: Configuring The Ike Keepalive Feature

    Configuring the IKE keepalive feature IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
  • Page 302: Enabling Invalid Spi Recovery

    The local device sends a DPD message to the peer, and waits for a response from the peer. If the peer does not respond within the retry interval specified by the retry seconds parameter, the local device resends the message. If still no response is received within the retry interval, the local end sends the DPD message again.
  • Page 303: Setting The Maximum Number Of Ike Sas

    Setting the maximum number of IKE SAs You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs. • The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
  • Page 304: Enabling Logging For Ike Negotiation

    Step: Enter system view.
    Command: system-view

    Step: Enable SNMP notifications for IKE globally.
    Command: snmp-agent trap enable ike global
    Remarks: By default, SNMP notifications for IKE are enabled.

    Step: Enable SNMP notifications for the ...
    Command: snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | ...
    Remarks: By default, SNMP notifications ...
  • Page 305: Ike Configuration Examples

    IKE configuration examples Main mode IKE with pre-shared key authentication configuration example Network requirements As shown in Figure 83, configure an IKE-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. •...
  • Page 306 # Specify 123456TESTplat&! in plain text as the pre-shared key to be used with the remote peer at 2.2.2.2. [DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.0.0 key simple 123456TESTplat&! [DeviceA-ike-keychain-keychain1] quit # Create an IKE profile named profile1. [DeviceA] ike profile profile1 # Specify IKE keychain keychain1.
  • Page 307 # Specify the encryption and authentication algorithms. [DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [DeviceB-ipsec-transform-set-tran1] quit # Create an IKE keychain named keychain1. [DeviceB]ike keychain keychain1 # Specify 123456TESTplat&! in plain text as the pre-shared key to be used with the remote peer at 1.1.1.1.
  • Page 308 default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400 [DeviceB] display ike proposal Priority Authentication Authentication Encryption Diffie-Hellman Duration method algorithm algorithm group (seconds) ---------------------------------------------------------------------------- default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400 # Display the IKE SA on Device A. [DeviceA] display ike sa Connection-ID Remote Flag...
  • Page 309: Aggressive Mode With Rsa Signature Authentication Configuration Example

    UDP encapsulation used for NAT traversal: N Status: Active [Outbound ESP SAs] SPI: 738451674 (0x2c03e0da) Connection ID: 64424509441 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484 Max sent sequence-number: UDP encapsulation used for NAT traversal: N Status: Active # Display the IKE SA and IPsec SAs on Device B.
  • Page 310 <DeviceA> system-view [DeviceA] acl advanced 3101 [DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [DeviceA-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1. [DeviceA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set.
  • Page 311 [DeviceA-ike-profile-profile1] local-identity fqdn www.routera.com # Configure a peer ID with the identity type of FQDN name and the value of www.routerb.com. [DeviceA-ike-profile-profile1] match remote identity fqdn www.routerb.com [DeviceA-ike-profile-profile1] quit # Create an IKE proposal named 10. [DeviceA] ike proposal 10 # Specify the authentication algorithm as HMAC-MD5.
  • Page 312 [DeviceB-pki-entity-entity2] quit # Create a PKI domain named domain2. [DeviceB] pki domain domain2 # Set the certificate request mode to auto and set the password to 123 for certificate revocation. [DeviceB-pki-domain-domain2] certificate request mode auto password simple 123 # Set an MD5 fingerprint for verifying the validity of the CA root certificate. [DeviceB-pki-domain-domain2] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e # Specify the trusted CA 8088.
  • Page 313 # Create an IKE-based IPsec policy entry by using IPsec policy template template1. Specify the policy name as use1 and set the sequence number to 1. [DeviceB] ipsec policy use1 1 isakmp template template1 # Apply IPsec policy use1 to interface GigabitEthernet 1/1/1. [DeviceB] interface gigabitethernet 1/1/1 [DeviceB-GigabitEthernet1/1/1] ipsec apply policy use1 [DeviceB-GigabitEthernet1/1/1] quit...
  • Page 314 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:de:81:f4:42:c6:9f:c2:37:7b:21:84:57:d6:42: 00:69:1c:4c:34:a4:5e:bb:30:97:45:2b:5e:52:43: c0:49:1f:e1:d8:0f:5c:48:c2:39:69:d1:84:e4:14: 70:3d:98:41:28:1c:20:a1:9a:3f:91:67:78:77:27: d9:08:5f:7a:c4:36:45:8b:f9:7b:e7:7d:6a:98:bb: 4e:a1:cb:2c:3d:92:66:bd:fb:80:35:16:c6:35:f0: ff:0b:b9:3c:f3:09:94:b7:d3:6f:50:8d:83:f1:66: 2f:91:0b:77:a5:98:22:b4:77:ac:84:1d:03:8e:33: 1b:31:03:78:4f:77:a0:db:af Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 9a:6d:8c:46:d3:18:8a:00:ce:12:ee:2b:b0:aa:39:5d:3f:90: 08:49:b9:a9:8f:0d:6e:7b:e1:00:fb:41:f5:d4:0c:e4:56:d8: 7a:a7:61:1d:2b:b6:72:e3:09:0b:13:9d:fa:c8:fc:c4:65:a7: f9:45:21:05:75:2c:bf:36:7b:48:b4:4a:b9:fe:87:b9:d8:cf: 55:16:87:ec:07:1d:55:5a:89:74:73:68:5e:f9:1d:30:55:d9: 8a:8f:c5:d4:20:7e:41:a9:37:57:ed:8e:83:a7:80:2f:b8:31: 57:3a:f2:1a:28:32:ea:ea:c5:9a:55:61:6a:bc:e5:6b:59:0d: 82:16 # Display the local certificate on Device A. [DeviceA] display pki certificate domain domain1 local Certificate: Data:...
  • Page 315 f0:e5:62:e7:d0:81:5d:de:d3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: Full Name: URI:http://xx.rsa.com:447/8088.crl Signature Algorithm: sha1WithRSAEncryption 73:ac:66:f9:b8:b5:39:e1:6a:17:e4:d0:72:3e:26:9e:12:61: 9e:c9:7a:86:6f:27:b0:b9:a3:5d:02:d9:5a:cb:79:0a:12:2e: cb:e7:24:57:e6:d9:77:12:6b:7a:cf:ee:d6:17:c5:5f:d2:98: 30:e0:ef:00:39:4a:da:ff:1c:29:bb:2a:5b:60:e9:33:8f:78: f9:15:dc:a5:a3:09:66:32:ce:36:cd:f0:fe:2f:67:e5:72:e5: 21:62:85:c4:07:92:c8:f1:d3:13:9c:2e:42:c1:5f:0e:8f:ff: 65:fb:de:7c:ed:53:ab:14:7a:cf:69:f2:42:a4:44:7c:6e:90: 7e:cd # Display the IPsec SA information on Device A. [DeviceA] display ipsec sa ------------------------------- Interface: GigabitEthernet1/1/1 ------------------------------- ----------------------------- IPsec policy: map1...
  • Page 316: Aggressive Mode With Nat Traversal Configuration Example

    Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for NAT traversal: N Status: Active [Outbound ESP SAs] SPI: 738451674 (0x2c03e0da) Connection ID: 64424509441 Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484 Max sent sequence-number: UDP encapsulation used for NAT traversal: N Status: Active # Display the information about the CA certificate, local certificate, IKE SA, and IPsec SA on Device...
  • Page 317 # Assign an IP address to each interface. (Details not shown.) # Configure IPv4 advanced ACL 3000 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. <DeviceA> system-view [DeviceA] acl advanced 3000 [DeviceA-acl-ipv4-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [DeviceA-acl-ipv4-adv-3000] quit # Create an IPsec transform set named transform1.
  • Page 318 [DeviceA] interface gigabitethernet 1/1/1 [DeviceA-GigabitEthernet1/1/1] ipsec apply policy policy1 [DeviceA-GigabitEthernet1/1/1] quit # Configure a static route to the subnet where Host B resides. This example uses 1.1.1.2 as the next hop IP address. [DeviceA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2 Configure Device B: # Assign an IP address to each interface.
  • Page 319 [DeviceB] interface gigabitethernet 1/1/1 [DeviceB-GigabitEthernet1/1/1] ipsec apply policy policy1 [DeviceB-GigabitEthernet1/1/1] quit # Configure a static route to the subnet where Host A resides. This example uses 2.2.2.1 as the next hop IP address. [DeviceB] ip route-static 10.1.1.0 255.255.255.0 2.2.2.1 Verifying the configuration # Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation.
  • Page 320: Ike Remote Extended Authentication Configuration Example

    ------------------------------- ----------------------------- IPsec policy: policy1 Sequence number: 1 Mode: ISAKMP ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel Perfect Forward Secrecy: Inside VPN: Extended Sequence Numbers enable: N Traffic Flow Confidentiality enable: N Path MTU: 1435 Tunnel: local address: 1.1.1.1 remote address: 2.2.2.2 Flow: sour addr: 10.1.1.0/255.255.255.0 port: 0...
  • Page 321 • Configure the host and the device to use pre-shared key for authentication in the phase-1 IKE negotiation. • Configure the device to use RADIUS to perform remote extended authentication on the host. Figure 86 Network diagram Configuration procedure Before you configure the device, perform the following tasks: •...
  • Page 322 # Create an IKE keychain named keychain1. [Device] ike keychain keychain1 # Set the pre-shared key used for IKE negotiation with the peer 1.1.1.1. [Device-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.255 key simple 123456TESTplat&! [Device-ike-keychain-keychain1] quit # Create an IKE profile named profile1. [Device] ike profile profile1 # Specify the IKE keychain for the IKE profile.
  • Page 323: Ike Local Extended Authentication And Address Pool Authorization Configuration Example

    Verifying the configuration # Initiate a connection from the host (1.1.1.1) to the device (2.2.2.2) to trigger IKE negotiation. (Details not shown.) # On the device, verify that an IKE SA to the peer 1.1.1.1 is established and that extended authentication is enabled for remote users.
  • Page 324 • Configure the device to use AAA to perform local extended authentication on the host and assign an IPv4 address to the host. Figure 87 Network diagram Configuration procedure Before you configure the device, perform the following tasks: • Make sure the device, host, and server can reach one another. •...
  • Page 325 [Device] ike profile profile1 # Specify the IKE keychain keychain1 for the IKE profile profile1. [Device-ike-profile-profile1] keychain keychain1 # Configure the local ID as the IP address 2.2.2.2. [Device-ike-profile-profile1] local-identity address 2.2.2.2 # Configure the peer ID for IKE profile matching. [Device-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.255 # Enable XAUTH authentication for clients.
  • Page 326 Configure the local ID and remote ID. (Details not shown.) Verifying the configuration # Initiate a connection from the host (1.1.1.1) to the server (3.3.3.50) to trigger IKE negotiation. (Details not shown.) # On the device, verify that an IKE SA to the peer 1.1.1.1 is established and client authentication is enabled.
  • Page 327: Troubleshooting Ike

    Perfect Forward Secrecy: Path MTU: 1427 Tunnel: local address: 2.2.2.2 remote address: 1.1.1.1 Flow: sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip dest addr: 20.1.1.2/255.255.255.255 port: 0 protocol: ip [Inbound ESP SAs] SPI: 2374047012 (0x8d811524) Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843198/3259 Max received sequence-number: 24 Anti-replay check enable: Y...
  • Page 328: Ike Negotiation Failed Because No Ike Proposals Or Ike Keychains Are Specified Correctly

    When IKE event debugging and packet debugging are enabled, the following messages appear: IKE event debugging message: The attributes are unacceptable. IKE packet debugging message: Construct notification packet: NO_PROPOSAL_CHOSEN. Analysis Certain IKE proposal settings are incorrect. Solution Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals.
  • Page 329: Ipsec Sa Negotiation Failed Because No Matching Ipsec Transform Sets Were Found

    IPsec SA negotiation failed because no matching IPsec transform sets were found Symptom The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.
  • Page 330 Remote IP: 192.168.222.71 Remote ID type: IPV4_ADDR Remote ID: 192.168.222.71 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: MD5 Encryption-algorithm: 3DES-CBC Life duration(sec): 86400 Remaining key duration(sec): 85847 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not detected # Verify that the IPsec policy is using an IKE profile. [Sysname] display ipsec policy ------------------------------------------- IPsec Policy: policy1...
  • Page 331 ACL's step is 5 rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0 Verify that the IPsec policy has a remote address and an IPsec transform set configured and that the IPsec transform set has all necessary settings configured. If, for example, the IPsec policy has no remote address configured, the IPsec SA negotiation will fail: [Sysname] display ipsec policy...
  • Page 332: Configuring Ikev2

    Configuring IKEv2 Overview Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. The same as IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange ability and needs fewer message exchanges than IKEv1.
  • Page 333: New Features In Ikev2

    New features in IKEv2 DH guessing In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished.
  • Page 334: Configuring An Ikev2 Profile

    • The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
  • Page 335 Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
  • Page 336
    Step: Configure the local and remote identity authentication methods.
    Command: authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }
    Remarks: By default, no local or remote identity authentication method is configured.

    Remarks: By default, no keychain is specified for an IKEv2 profile.
  • Page 337: Configuring An Ikev2 Policy

    Step: 14. (Optional.) Set the IKEv2 NAT keepalive interval.
    Command: nat-keepalive seconds
    Remarks: By default, the global IKEv2 NAT keepalive setting is used.

    Step: 15. (Optional.) Enable the configuration exchange ...
    Command: config-exchange { request | set { accept | send } }
    Remarks: By default, all configuration exchange options are disabled.
  • Page 338: Configuring An Ikev2 Proposal

    Configuring an IKEv2 proposal An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm specified earlier has a higher priority. A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
  • Page 339: Configuring An Ikev2 Keychain

    Step: Specify the integrity protection algorithms.
    Command: In non-FIPS mode: integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } * In FIPS mode: integrity { sha1 | sha256 | sha384 | sha512 } *
    Remarks: By default, an IKEv2 proposal does not have any integrity protection algorithms.

    Command: In non-FIPS mode: ...
  • Page 340: Configure Global Ikev2 Parameters

    Step: Configure the information ...
    Command: To configure a host name for the peer: hostname host-name. To configure a host IP address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6 ...
    Remarks: By default, no hostname, host IP address, address range, or identity information is configured for an ...
  • Page 341: Configuring The Ikev2 Nat Keepalive Feature

    Step: Enter system view.
    Command: system-view

    Step: Configure global IKEv2 DPD.
    Command: ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
    Remarks: By default, global DPD is disabled.

    Configuring the IKEv2 NAT keepalive feature
    Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
  • Page 342: Ikev2 Configuration Examples

    Task: Display the IKEv2 policy configuration.
    Command: display ikev2 policy [ policy-name | default ]

    Task: Display the IKEv2 profile configuration.
    Command: display ikev2 profile [ profile-name ]

    Task: Display the IKEv2 SA information.
    Command: display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance ...
  • Page 343 [DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [DeviceA-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1. [DeviceA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [DeviceA-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms.
  • Page 344 [DeviceA-ipsec-policy-isakmp-map1-10] quit # Apply the IPsec policy map1 to interface GigabitEthernet 1/1/1. [DeviceA] interface gigabitethernet 1/1/1 [DeviceA-GigabitEthernet1/1/1] ipsec apply policy map1 [DeviceA-GigabitEthernet1/1/1] quit # Configure a static route to the subnet where Host B resides. This example uses 1.1.1.2 as the next hop IP address.
  • Page 345 # Specify the peer ID that the IKEv2 profile matches. The peer ID is the IP address 1.1.1.1/16. [DeviceA-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0 [DeviceA-ikev2-profile-profile1] quit # Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.
  • Page 346 Interface: GigabitEthernet1/1/1 ------------------------------- ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: ISAKMP ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel Perfect Forward Secrecy: Inside VPN: Extended Sequence Numbers enable: N Traffic Flow Confidentiality enable: N Path MTU: 1456 Tunnel: local address: 1.1.1.1 remote address: 2.2.2.2 Flow: sour addr: 10.1.1.0/255.255.255.0...
  • Page 347: Ikev2 With Rsa Signature Authentication Configuration Example

    [DeviceB] display ikev2 sa [DeviceB] display ipsec sa IKEv2 with RSA signature authentication configuration example Network requirements As shown in Figure 90, configure an IKE-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure Device A and Device B to use IKEv2 negotiation and RSA signature authentication.
  • Page 348 [DeviceA-ipsec-transform-set-tran1] quit # Create a PKI entity named entity1. [DeviceA] pki entity entity1 # Set the common name as routera for the PKI entity. [DeviceA-pki-entity-entity1] common-name routera [DeviceA-pki-entity-entity1] quit # Create a PKI domain named domain1. [DeviceA] pki domain domain1 # Set the certificate request mode to auto and set the password to 123 for certificate revocation.
  • Page 349 [DeviceA-ikev2-proposal-10] dh group1 # Specify the PRF algorithm as HMAC-MD5. [DeviceA-ikev2-proposal-10] prf md5 [DeviceA-ikev2-proposal-10] quit # Create an IKEv2 policy named 1. [DeviceA] ikev2 policy 1 # Specify the IKEv2 proposal 10 for the IKEv2 policy. [DeviceA-ikev2-policy-1] proposal 10 [DeviceA-ikev2-policy-1] quit # Create an IKE-based IPsec policy entry.
  • Page 350 # Create a PKI entity named entity2. [DeviceB] pki entity entity2 # Set the common name as routerb for the PKI entity. [DeviceB-pki-entity-entity2] common-name routerb [DeviceB-pki-entity-entity2] quit # Create a PKI domain named domain2. [DeviceB] pki domain domain2 # Set the certificate request mode to auto and set the password to 123 for certificate revocation. [DeviceB-pki-domain-domain2] certificate request mode auto password simple 123 # Set an MD5 fingerprint for verifying the validity of the CA root certificate.
  • Page 351 [DeviceB-ikev2-proposal-10] quit # Create an IKEv2 policy named 1. [DeviceB] ikev2 policy 1 # Specify the IKEv2 proposal 10 for the IKEv2 policy. [DeviceB-ikev2-policy-1] proposal 10 [DeviceB-ikev2-policy-1] quit # Create an IPsec policy template entry. Specify the template name as template1 and set the sequence number to 1.
  • Page 352 IKEv2 policy : 1 Priority: 100 Match Local : any Match VRF : public Proposal : 10 [DeviceB] display ikev2 policy 1 IKEv2 policy : 1 Priority: 100 Match Local : any Match VRF : public Proposal : 10 # Display the IKEv2 SA on Device A. [DeviceA] display ikev2 sa Tunnel ID Local...
  • Page 353 7a:a7:61:1d:2b:b6:72:e3:09:0b:13:9d:fa:c8:fc:c4:65:a7: f9:45:21:05:75:2c:bf:36:7b:48:b4:4a:b9:fe:87:b9:d8:cf: 55:16:87:ec:07:1d:55:5a:89:74:73:68:5e:f9:1d:30:55:d9: 8a:8f:c5:d4:20:7e:41:a9:37:57:ed:8e:83:a7:80:2f:b8:31: 57:3a:f2:1a:28:32:ea:ea:c5:9a:55:61:6a:bc:e5:6b:59:0d: 82:16 # Display the local certificate on Device A. [DeviceA]display pki certificate domain domain1 local Certificate: Data: Version: 3 (0x2) Serial Number: a1:f4:d4:fd:cc:54:c3:07:c4:9e:15:2d:5f:64:57:77 Signature Algorithm: sha1WithRSAEncryption Issuer: C=cn, O=rnd, OU=sec, CN=8088 Validity Not Before: Sep 26 02:06:43 2012 GMT Not After : Sep 26 02:06:43 2013 GMT Subject: CN=devicea Subject Public Key Info:...
  • Page 354 # Display the IPsec SAs on Device A. [DeviceA] display ipsec sa ------------------------------- Interface: GigabitEthernet1/1/1 ------------------------------- ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: ISAKMP ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel Perfect Forward Secrecy: Inside VPN: Extended Sequence Numbers enable: N Traffic Flow Confidentiality enable: N Path MTU: 1456 Tunnel:...
  • Page 355: Ikev2 With Nat Traversal Configuration Example

    # Display the information about the CA certificate, local certificate, IKEv2 SA, and IPsec SA on Device B. [DeviceB] display ikev2 sa [DeviceB] display pki certificate domain domain2 ca [DeviceB] display pki certificate domain domain2 local [DeviceB] display ipsec sa IKEv2 with NAT traversal configuration example Network requirements As shown in...
  • Page 356 [DeviceA] ikev2 keychain keychain1 # Create an IKEv2 peer named peer1. [DeviceA-ikev2-keychain-keychain1] peer peer1 # Specify the peer IP address 2.2.2.2/16. [DeviceA-ikev2-keychain-keychain1-peer-peer1] address 2.2.2.2 16 # Specify the peer ID, which is the IP address 2.2.2.2. [DeviceA-ikev2-keychain-keychain1-peer-peer1] identity address 2.2.2.2 # Specify 123 in plain text as the pre-shared key to be used with the peer.
  • Page 357 [DeviceA] acl advanced 3101 [DeviceA-acl-ipv4-adv-3101] rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [DeviceA-acl-ipv4-adv-3101] quit # Create an IPsec transform set named transform1. <DeviceB> system-view [DeviceB] ipsec transform-set transform1 # Use the ESP protocol for the IPsec transform set. [DeviceB-ipsec-transform-set-transform1] protocol esp # Specify the encryption and authentication algorithms.
  • Page 358 [DeviceB-ipsec-policy-template-template1-1] quit # Create an IKE-based IPsec policy entry by using IPsec policy template template1. Specify the policy name as policy1 and set the sequence number to 1. [DeviceB] ipsec policy policy1 1 isakmp template template1 # Apply the IPsec policy policy1 to interface GigabitEthernet 1/1/1. [DeviceB] interface gigabitethernet 1/1/1 [DeviceB-GigabitEthernet1/1/1] ipsec apply policy policy1 [DeviceB-GigabitEthernet1/1/1] quit...
  • Page 359 Local window: 1 Remote window: 1 Local request message ID: 2 Remote request message ID: 0 Local next message ID: 2 Remote next message ID: 0 # Display the IPsec SAs on Device A. [DeviceA] display ipsec sa ------------------------------- Interface: GigabitEthernet1/1/1 ------------------------------- ----------------------------- IPsec policy: policy1...
  • Page 360: Troubleshooting Ikev2

    SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/2313 Max sent sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for NAT traversal: Y Status: Active Troubleshooting IKEv2 IKEv2 negotiation failed because no matching IKEv2 proposals were found Symptom The IKEv2 SA is in IN-NEGO status.
  • Page 361: Ipsec Tunnel Establishment Failed

    IPsec tunnel establishment failed Symptom The ACLs and IKEv2 proposals are correctly configured on both ends. The two ends cannot establish an IPsec tunnel or cannot communicate through the established IPsec tunnel. Analysis The IKEv2 SA or IPsec SAs on either end are lost. The reason might be that the network is unstable and the device reboots.
  • Page 362: Configuring Group Domain Vpn

    Configuring group domain VPN Group Domain Virtual Private Network (group domain VPN) provides a point-to-multipoint tunnel-less VPN solution. It is mainly used to protect multicast traffic. Overview Group domain VPN uses a group-based IPsec model. Members in a group use a common IPsec policy, which includes security protocols, algorithms, and keys.
  • Page 363: Group Domain Vpn Establishment

    The KS maintains security policies for groups, and creates and maintains key information. It responds to registration requests from GMs and sends rekey messages to GMs. After a GM registers with the KS, the KS sends the IPsec policy and keys to the GM. The keys are periodically updated.
  • Page 364: Protocols And Standards

    Figure 93 Registration process 1) IKE negotiation 2) Group ID 3) SA policy 4) Acknowledgement 5) TEK and KEK A GM starts a GDOI registration timer when it initiates a registration to the KS. If the GM does not successfully register with the KS before the timer expires, the current registration fails and the GM re-registers to the KS.
  • Page 365: Fips Compliance

    • RFC 5374, Multicast Extensions to the Security Architecture for the Internet Protocol • RFC 6407, The Group Domain of Interpretation (GDOI) FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 366 or a logical interface) as the registration interface to process registration packets and IPsec packets on different interfaces. • Supported KEK encryption algorithms—During GM registration, the GM terminates the negotiation with the KS if the KEK encryption algorithm sent by the KS is not supported by the GM, and the registration fails.
  • Page 367: Configuring A Gdoi Ipsec Policy

    Step: (Optional.) Specify IPsec transform sets supported ...
    Command: client transform-sets transform-set-name&<1-6> ...
    Remarks: By default, a GM supports the IPsec transform set configured with the following security parameters: the ESP security protocol; the tunnel or transport encapsulation mode; the DES-CBC, 3DES-CBC, ...
  • Page 368: Applying A Gdoi Ipsec Policy To An Interface

    • During packet decryption, for packets in cipher text, the GM first uses the downloaded ACL to match packets, and then uses the local ACL. For packets in plain text, the GM first uses the local ACL to match packets, and then uses the downloaded ACL. Packets that fail to match the local and downloaded ACLs are forwarded in plain text.
  • Page 369: Group Domain Vpn Configuration Example

    Task: Display GDOI GM group information.
    Command: display gdoi gm [ group group-name ]

    Task: Display ACL information for GMs.
    Command: display gdoi gm acl [ download | local ] [ group group-name ]

    Task: Display anti-replay information for GDOI GM groups.
    Command: display gdoi gm anti-replay [ group group-name ]
  • Page 370: Configuration Prerequisites And Guidelines

    Figure 95 Network diagram Configuration prerequisites and guidelines Before configuration, make sure each GM (GM 1, GM 2, and GM 3) and each KS can reach each other, and the two KSs can reach each other. Make sure the multicast packets between the GMs and the multicast rekey messages between the KS and GMs can be forwarded correctly.
  • Page 371 [KS1-ike-peer-toks2] proposal 1 # Configure the pre-shared key as tempkey1 in plain text. [KS1-ike-peer-toks2] pre-shared-key simple tempkey1 # Specify the IP address of the IKE peer as 200.2.2.200. [KS1-ike-peer-toks2] remote-address 200.2.2.200 [KS1-ike-peer-toks2] quit # Create the IKE peer togm for IKE negotiation with GMs. [KS1] ike peer togm # Specify IKE proposal 1 for the IKE peer.
  • Page 372 # Create a local RSA key pair named rsa1. [KS1] public-key local create rsa name rsa1 The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.
  • Page 373 # Create an IPsec policy named 10 for the GDOI KS group. [KS1-gdoi-ks-group-ks1] ipsec 10 # Use the IPsec profile fortek. [KS1-gdoi-ks-group-ks1-ipsec-10] profile fortek # Use the ACL fortek. [KS1-gdoi-ks-group-ks1-ipsec-10] security acl name fortek [KS1-gdoi-ks-group-ks1-ipsec-10] quit # Specify the peer KS address as 200.2.2.200. [KS1-gdoi-ks-group-ks1] peer address 200.2.2.200 # Specify the source address for sending packets as 100.1.1.100.
  • Page 374 # Create an IPsec transform set named fortek. [KS2] ipsec transform-set fortek # Specify the security protocol as ESP for the IPsec transform set. [KS2-ipsec-transform-set-fortek] transform esp # Specify the encryption algorithm as AES-CBC 128 for the IPsec transform set. [KS2-ipsec-transform-set-fortek] esp encryption-algorithm aes-cbc-128 # Specify the authentication algorithm as SHA1 for the IPsec transform set.
  • Page 375 c/TQ0a0g95Khdy+yl4eDKaFiQQ+Kqn4zdzDTDNq7LRtqr7lGQzVw6srfrr71ib7J yJFdi2RXETEgOS/jE+xGtNqd38F/YzIRPax7NNMK+hAJC2MzdbN/BEoLWOqG7Plm hvCE3LFxelExLJU+0XfAX77TI2+5LEHBi1UiGLeH08fd1XUQCefARlIxGoRJdtTu gHP4+NF4PC9B1/GZoAYUp+171p1QwPk0vyU3TXijueqVUpQBUHGxSE0UW+SS1iwL 8vsSLHIwK4aZ77Z1o+Uw1QBoqw9jpubG4gUkX8RII8E8b13I6/QTH78E4/FgAmIQ HTYnE2RDHXkhPGR5FGJsZnd21XLvd2BEkGGmhTk80nDeiI2XH3D48E6UahQwcam/ q/txd/KsLnp0rpJkc/WhOTprioeLQQEBayixKRWzNLsZt3L6lqYbA01Z1THho+EV 0Ng0EZKQyiRV1j7gsBYFRinbSAsIpeYlr7gDAnBCRJdSfPNBKG+ewg== -----END RSA PRIVATE KEY----- Please input the password: # Create a GDOI KS group named ks2. [KS2] gdoi ks group ks2 # Configure the group ID as 12345. [KS2-gdoi-ks-group-ks2] identity number 12345 # Use the key pair rsa1.
  • Page 376 [GM1-ike-proposal-1] dh group2 [GM1-ike-proposal-1] quit # Create an IKE keychain named keychain1. [GM1] ike keychain keychain1 # Configure the pre-shared key to be used for IKE negotiation with peer 100.1.1.100 as tempkey1 in plain text. [GM1-ike-keychain-keychain1] pre-shared-key address 100.1.1.100 255.255.255.0 key simple tempkey1 [GM1-ike-keychain-keychain1] quit # Create an IKE keychain named keychain2.
  • Page 377 [GM2] ike proposal 1 # Specify the encryption algorithm as AES-CBC 128 for the IKE proposal. [GM2-ike-proposal-1] encryption-algorithm aes-cbc 128 # Specify the authentication algorithm as SHA1 for the IKE proposal. [GM2-ike-proposal-1] authentication-algorithm sha # Specify DH group2 for the IKE proposal. [GM2-ike-proposal-1] dh group2 [GM2-ike-proposal-1] quit # Create an IKE keychain named keychain1.
  • Page 378 [GM2-GigabitEthernet1/1/1] ipsec apply policy map [GM2-GigabitEthernet1/1/1] quit Configuring GM 3 # Configure IP addresses for interfaces. (Details not shown.) # Create IKE proposal 1. <GM3> system-view [GM3] ike proposal 1 # Specify the encryption algorithm as AES-CBC 128 for the IKE proposal. [GM3-ike-proposal-1] encryption-algorithm aes-cbc 128 # Specify the authentication algorithm as SHA1 for the IKE proposal.
  • Page 379: Verifying The Configuration

    # Create a GDOI IPsec policy entry, and specify the IPsec policy name as map and the sequence number as 1. [GM3] ipsec policy map 1 gdoi # Specify GDOI GM group 1 for the GDOI IPsec policy. [GM3-ipsec-policy-gdoi-map-1] group 1 [GM3-ipsec-policy-gdoi-map-1] quit # Apply the GDOI IPsec policy map to GigabitEthernet 1/1/1.
  • Page 380 SA duration (kilobytes/sec): 0/900 SA remaining duration (kilobytes/sec): 0/63 Status: Active SPI: 1611821838 (0x6012730e) Connection ID: 20 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 0/900 SA remaining duration (kilobytes/sec): 0/850 Status: Active [Outbound ESP SAs] SPI: 801701189 (0x2fc8fd45) Connection ID: 6 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 0/900 SA remaining duration (kilobytes/sec): 0/63...
  • Page 381 Connection ID: 22 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 0/900 SA remaining duration (kilobytes/sec): 0/850 Status: Active [Outbound ESP SAs] SPI: 801701189 (0x2fc8fd45) Connection ID: 8 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 0/900 SA remaining duration (kilobytes/sec): 0/63 Status: Active SPI: 1611821838 (0x6012730e) Connection ID: 23...
  • Page 382 [Outbound ESP SAs] SPI: 801701189 (0x2fc8fd45) Connection ID: 43 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 0/900 SA remaining duration (kilobytes/sec): 0/63 Status: Active SPI: 1611821838 (0x6012730e) Connection ID: 44 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 0/900 SA remaining duration (kilobytes/sec): 0/850 Status: Active ----------------------------- IPsec policy: map...
  • Page 383 SA duration (kilobytes/sec): 0/900 SA remaining duration (kilobytes/sec): 0/63 Status: Active SPI: 1611821838 (0x6012730e) Connection ID: 13 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 0/900 SA remaining duration (kilobytes/sec): 0/850 Status: Active # Display registration information on GM 1. [GM1] display gdoi gm Group name: 1 Group identity : 12345...
  • Page 384 Remaining key lifetime : 86119 sec Encryption algorithm : 3DES-CBC Signature algorithm : RSA Signature hash algorithm : SHA1 Signature key length : 1024 bits TEK: : 0x2FC8FD45(801701189) Transform : ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 Remaining key lifetime : 900 sec : 0x6012730E(1611821838) Transform : ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 Remaining key lifetime...
  • Page 385 Primary address : 100.1.1.100 Sessions: Peer address : 200.2.2.200 Peer version : 1.0 Peer priority : 100 Peer role : Secondary Peer status : Ready # Display KS redundancy information on KS 2. <KS2> display gdoi ks redundancy Group Name :ks2 Local address : 200.2.2.200 Local version...
  • Page 386: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
  • Page 387: Ssh Authentication Methods

    Stages / Description. Algorithm negotiation: SSH supports multiple algorithms. Based on the local algorithms, the two parties negotiate the following algorithms:
    - Key exchange algorithm for generating session keys.
    - Encryption algorithm for encrypting data.
    - Public key algorithm for the digital signature and authentication.
    - ...
  • Page 388: Fips Compliance

    Publickey authentication The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows: The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name. If the digital certificate of the client is required in authentication, the client also encapsulates the digital certificate in the authentication request.
  • Page 389: Generating Local Key Pairs

    Tasks at a glance / Remarks:
    - (Required.) Configuring a client's host public key: required if the authentication method is publickey, password-publickey, or any.
    - Configuring the PKI domain for verifying the client's ...: required if the following conditions exist: the authentication method is publickey; ... See "Configuring PKI."
  • Page 390: Specifying The Ssh Service Port

    Step / Command / Remarks:
    - Enter system view: system-view
    - Generate local key pairs: public-key local create { dsa | ecdsa secp256r1 | rsa }. By default, no local key pairs exist on the server.
    When generating an RSA key pair, enter a 2048-bit modulus rather than accepting the 1024-bit default shown in the examples in this guide; 1024-bit RSA and DSA keys are below current minimum recommendations, and the DSA form only supports keys of that size.
    Specifying the SSH service port: The default port of the SSH service is 22. You can specify another port for the SSH service to reduce exposure to opportunistic scanning. Changing the port does not replace authentication hardening (publickey authentication, strong algorithms, login control); it only makes the service less visible.
  • Page 391: Enabling The Scp Server

    Enabling the SCP server After you enable the SCP server on the device, a client can log in to the device through SCP. When acting as an SCP server, the device does not support SCP connections initiated by SSH1 clients. To enable the SCP server: Step Command...
  • Page 392: Configuring A Client's Host Public Key

    Configuring a client's host public key In publickey authentication, the server compares the SSH username and the client's host public key received from the client with the locally saved SSH username and the client's host public key. If they are the same, the server checks the digital signature that the client sends. The client generates the digital signature by using the private key that is paired with the client's host public key.
  • Page 393: Configuring An Ssh User

    Configuring an SSH user Configure an SSH user and a local user depending on the authentication method. • If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.
  • Page 394: Configuring The Ssh Management Parameters

    Configuration procedure. To configure an SSH user, and specify the service type and authentication method:
    Step / Command:
    - Enter system view: system-view
    - Create an SSH user, and specify the service type and authentication method. In non-FIPS mode: ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign { pki-domain domain-name | publickey keyname } } ...
  • Page 395: Configuring The Device As An Stelnet Client

    Step / Command / Remarks. Set the DSCP value in the packets that the SSH server sends to the SSH clients:
    - Set the DSCP value in IPv4 packets: ssh server dscp dscp-value
    - Set the DSCP value in IPv6 packets: ...
    The default setting is 48. The DSCP value of a packet defines the priority of the packet and affects the transmission ...
  • Page 396: Specifying The Source Ip Address For Ssh Packets

    Step / Command / Remarks:
    - Generate local key pairs: public-key local create { dsa | ecdsa secp256r1 | rsa }. By default, no local key pairs exist on an Stelnet client.
    Specifying the source IP address for SSH packets: As a best practice, specify the IP address of the loopback interface as the source IP address of SSH packets for the following purposes: • ...
  • Page 397 Task Command Remarks • In non-FIPS mode: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 } | prefer-stoc-cipher...
  • Page 398: Configuring The Device As An Sftp Client

    Configuring the device as an SFTP client. SFTP client configuration task list (Tasks at a glance / Remarks):
    - (Required.) Generating local key pairs: only required when the SFTP server uses the authentication method publickey, password-publickey, or any.
    - (Optional.) Specifying the source IP address for SFTP packets
    - (Required.) Establishing a connection to an SFTP server
    - (Optional.) ...
  • Page 399: Establishing A Connection To An Sftp Server

    Step / Command / Remarks:
    - Enter system view: system-view
    - Specify the source IPv4 address for SFTP packets: sftp client source { ip ip-address | interface interface-type ... By default, the source IP address for SFTP packets is not configured. For IPv4 SFTP packets, the device uses the primary IPv4 address of the ...
  • Page 400: Working With Sftp Directories

    Task Command Remarks • In non-FIPS mode: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 } |...
  • Page 401: Working With Sftp Files

    Working with SFTP files. Task / Command / Remarks:
    - Change the name of a file on the SFTP server: rename old-name new-name (available in SFTP client view).
    - Download a file from the SFTP server and save it locally: get remote-file [ local-file ] (available in SFTP client view).
  • Page 402: Generating Local Key Pairs

    Generating local key pairs Generate local key pairs on the SCP client when the SCP server uses the authentication method publickey, password-publickey, or any. Configuration restrictions and guidelines When you generate local key pairs on an SCP client, follow these restrictions and guidelines: •...
  • Page 403 Task Command Remarks • In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 |...
  • Page 404: Specifying Algorithms For Ssh2

    Task Command Remarks • In non-FIPS mode: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...
  • Page 405: Specifying Public Key Algorithms For Ssh2

    Step / Command / Remarks:
    - Specify key exchange algorithms for SSH2. In non-FIPS mode: ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group14-sha1 | dh-group1-sha1 } *. By default, in non-FIPS mode SSH2 uses the key exchange algorithms dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority ...
    dh-group1-sha1 uses a 1024-bit MODP group, which is too small by current standards. Unless a legacy client requires it, configure only dh-group-exchange-sha1 and dh-group14-sha1 so that the weaker group cannot be negotiated.
  • Page 406: Specifying Mac Algorithms For Ssh2

    Specifying MAC algorithms for SSH2. Step / Command / Remarks:
    - Enter system view: system-view
    - Specify MAC algorithms for SSH2. In non-FIPS mode: ssh2 algorithm mac { sha1 | sha1-96 | md5 | md5-96 } *. By default, in non-FIPS mode SSH2 uses the MAC algorithms sha1, sha1-96, md5, and md5-96 in descending order of priority for algorithm ...
    Because the default list offers md5 and md5-96, a client that prefers them will get an MD5-based MAC; configure ssh2 algorithm mac sha1 (optionally sha1-96) explicitly unless a legacy client needs MD5.
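An added example, not code from the HPE guide, that audits the ssh2 algorithm settings discussed in the key exchange and MAC sections above: it reads the ssh2 algorithm lines out of a running configuration, applies the defaults the guide states when a line is absent (so a configuration with no ssh2 algorithm mac line is reported with md5 and md5-96 enabled), flags algorithms a practitioner would not leave enabled, and prints the replacement command. The ssh2 algorithm cipher command form, its default list, and the sample configuration text are assumptions for illustration.

```python
"""Audit Comware-style 'ssh2 algorithm' lines (added example, not from the guide)."""
import re
from typing import Dict, List

# Defaults stated in the guide for key-exchange and mac; the cipher default
# is an assumption (the set offered by the client-side prefer-*-cipher options).
DEFAULTS: Dict[str, List[str]] = {
    "key-exchange": ["dh-group-exchange-sha1", "dh-group14-sha1", "dh-group1-sha1"],
    "mac": ["sha1", "sha1-96", "md5", "md5-96"],
    "cipher": ["3des-cbc", "aes128-cbc", "aes256-cbc", "des-cbc"],
}

# Algorithms to remove, with the reason reported to the operator.
WEAK: Dict[str, Dict[str, str]] = {
    "key-exchange": {"dh-group1-sha1": "1024-bit MODP group, too small"},
    "mac": {"md5": "MD5-based MAC", "md5-96": "truncated MD5-based MAC"},
    "cipher": {"des-cbc": "56-bit DES key", "3des-cbc": "64-bit block cipher"},
}

LINE = re.compile(r"^\s*ssh2 algorithm (key-exchange|mac|cipher)\s+(.+?)\s*$")


def parse_ssh2_algorithms(config: str) -> Dict[str, List[str]]:
    """Collect the configured algorithm list per category (last line wins)."""
    found: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found


def audit(config: str) -> Dict[str, dict]:
    """Per category: where the list came from, what is enabled, what is weak,
    and the command that keeps only the acceptable algorithms."""
    configured = parse_ssh2_algorithms(config)
    report: Dict[str, dict] = {}
    for cat, default in DEFAULTS.items():
        enabled = configured.get(cat, default)
        weak = [a for a in enabled if a in WEAK[cat]]
        strong = [a for a in enabled if a not in WEAK[cat]]
        report[cat] = {
            "source": "configured" if cat in configured else "default",
            "enabled": enabled,
            "weak": weak,
            "reasons": {a: WEAK[cat][a] for a in weak},
            "fix": f"ssh2 algorithm {cat} {' '.join(strong)}" if weak and strong else None,
        }
    return report


# Constructed sample configuration: MAC list set by hand, the rest left at defaults.
SAMPLE_CONFIG = """\
#
 ssh server enable
 ssh2 algorithm mac md5 sha1
#
"""

if __name__ == "__main__":
    for cat, r in audit(SAMPLE_CONFIG).items():
        print(f"{cat:13} ({r['source']}): {' '.join(r['enabled'])}")
        for alg, why in r["reasons"].items():
            print(f"    weak: {alg} ({why})")
        if r["fix"]:
            print(f"    fix : {r['fix']}")
```

The same weak names appear in the client-side prefer-ctos-cipher, prefer-stoc-cipher, prefer-ctos-hmac and prefer-kex options shown for the ssh2, sftp and scp client commands, so the WEAK table can be reused to review scripted client invocations as well.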
  • Page 407: Configuring The Device As An Stelnet Server (Password Authentication)

    Configuring the device as an Stelnet server (password authentication) Network requirements As shown in Figure • The router acts as the Stelnet server and uses password authentication to authenticate the Stelnet client. The username and password of the client are saved on the router. •...
  • Page 408 Create the key pair successfully. # Enable the Stelnet server. [Router] ssh server enable # Assign an IP address to interface GigabitEthernet 1/1/1. The Stelnet client uses this IP address as the destination for SSH connection. [Router] interface gigabitethernet 1/1/1 [Router-GigabitEthernet1/1/1] ip address 192.168.1.40 255.255.255.0 [Router-GigabitEthernet1/1/1] quit # Set the authentication mode to AAA for the user lines.
  • Page 409: Configuring The Device As An Stelnet Server (Publickey Authentication)

    Figure 97 Specifying the host name (or IP address) d. Enter username client001 and password aabbcc to log in to the Stelnet server. Configuring the device as an Stelnet server (publickey authentication) Network requirements As shown in Figure • The router acts as the Stelnet server, and it uses publickey authentication and the RSA public key algorithm.
  • Page 410 There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58. The configuration procedure is as follows: Generate RSA key pairs on the Stelnet client: a. Run PuTTYGen.exe, select SSH-2 RSA and click Generate. Figure 99 Generating a key pair on the client b.
  • Page 411 Figure 100 Generating process c. After the key pair is generated, click Save public key to save the public key. A file saving window appears. Figure 101 Saving a key pair on the client a. Enter a file name (key.pub in this example), and click Save.
  • Page 412 b. On the page as shown in Figure 101, click Save private key to save the private key. A confirmation dialog box appears. c. Click Yes. A file saving window appears. d. Enter a file name (private.ppk in this example), and click Save. e.
  • Page 413 # Import the peer public key from the public key file key.pub and name it clientkey. [Router] public-key peer clientkey import sshkey key.pub # Create an SSH user named client002. Specify the authentication method as publickey for the user, and assign the public key clientkey to the user. [Router] ssh user client002 service-type stelnet authentication-type publickey assign publickey clientkey # Create a local device management user named client002.
  • Page 414 Figure 103 Setting the preferred SSH version e. From the navigation tree, select Connection > SSH > Auth. The window shown in Figure 104 appears. f. Click Browse… to open the file selection window, and then select the private key file (private.ppk in this example).
  • Page 415: Configuring The Device As An Stelnet Client (Password Authentication)

    Figure 104 Specifying the private key file h. Enter username client002 to log in to the Stelnet server. Configuring the device as an Stelnet client (password authentication) Network requirements As shown in Figure 105: • Router B acts as the Stelnet server and uses password authentication to authenticate the Stelnet client.
  • Page 416 If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully. # Generate a DSA key pair. [RouterB] public-key local create dsa The range of public key modulus is (512 ~ 2048).
  • Page 417 Establish a connection to the Stelnet server: # Assign an IP address to interface GigabitEthernet 1/1/1. <RouterA> system-view [RouterA] interface gigabitethernet 1/1/1 [RouterA-GigabitEthernet1/1/1] ip address 192.168.1.56 255.255.255.0 [RouterA-GigabitEthernet1/1/1] quit [RouterA] quit Before establishing a connection to the server, you can configure the server's host public key on the client to authenticate the server.
  • Page 418: Configuring The Device As An Stelnet Client (Publickey Authentication)

    [RouterA] quit # Establish an SSH connection to the server, and specify the host public key of the server as key1. <RouterA> ssh2 192.168.1.40 public-key key1 Username: client001 Press CTRL+C to abort. Connecting to 192.168.1.40 port 22. client001@192.168.1.40's password: Enter a character ~ and a dot to abort. ****************************************************************************** * Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP * Without the owner's prior written consent,...
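Both the host public key pinned above (public-key key1) and the client key imported with public-key peer ... import sshkey in the publickey examples are OpenSSH-format public key lines that an operator should verify by fingerprint out of band before trusting. The following added example, which is not code from the HPE guide, decodes an ssh-rsa public key line into its fields and computes the SHA256 and MD5 fingerprints that ssh-keygen -l prints for it, using only the Python standard library, and applies a minimum key size check. The RSA parameters in the sample are constructed (the modulus is not a product of two primes) and the 2048-bit minimum is the editor's choice, not a value from the guide.

```python
"""Decode an OpenSSH 'ssh-rsa' public key line and compute its fingerprints.

Added example; not code from the HPE guide. Standard library only.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH 'string' (RFC 4251 section 5)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian, minimal length, with a leading 0x00 byte
    when the top bit of the first byte is set (so the value stays positive)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Produce the 'ssh-rsa <base64 blob> [comment]' line (RFC 4253 section 6.6)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def parse_rsa_pubkey_line(line: str) -> Dict[str, object]:
    """Parse an OpenSSH ssh-rsa public key line into fields and fingerprints."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != parts[0].encode("ascii") or key_type != b"ssh-rsa":
        raise ValueError(f"unsupported or inconsistent key type {key_type!r}")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_raw, "big")
    # Fingerprints are hashes of the raw blob, exactly as ssh-keygen -l computes them.
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return {
        "type": "ssh-rsa",
        "e": int.from_bytes(e_raw, "big"),
        "n": n,
        "bits": n.bit_length(),
        "sha256": "SHA256:" + sha256,
        "md5": "MD5:" + md5,
        "comment": " ".join(parts[2:]),
    }


def key_warnings(info: Dict[str, object], min_bits: int = 2048) -> List[str]:
    """Policy checks an operator would apply before importing a key (editor's choice)."""
    warnings = []
    if info["bits"] < min_bits:
        warnings.append(f"RSA modulus is {info['bits']} bits; use {min_bits} bits or more")
    if info["e"] < 65537:
        warnings.append(f"public exponent {info['e']} is unusually small; 65537 is customary")
    return warnings


if __name__ == "__main__":
    # Constructed sample: a 2048-bit modulus with the top bit set, which
    # exercises the mpint leading-zero rule. Not a real key.
    sample = build_rsa_pubkey_line(65537, (1 << 2047) | 12345, "client002@example")
    info = parse_rsa_pubkey_line(sample)
    print(info["type"], info["bits"], "bits", info["sha256"])
    print(info["md5"], key_warnings(info))
```

Compare the SHA256 value against the one the key's owner reads out (for a client key) or the one obtained from the device console (for a host key) before running public-key peer ... import sshkey or pinning the server key on the client.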
  • Page 419 • Router A acts as the Stelnet client. After the user on Router A logs in to Router B through Stelnet, the user can configure and manage Router B as a network administrator. Figure 106 Network diagram Configuration procedure In the server configuration, the client's host public key is required. Generate a DSA key pair on the client before configuring the Stelnet server.
  • Page 420 [RouterB] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 421: Sftp Configuration Examples

    ****************************************************************************** * Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed. ****************************************************************************** <RouterB> After you enter username client002 and then enter y to continue accessing the server, you can log in to the server successfully.
  • Page 422 Create the key pair successfully. # Generate a DSA key pair. [Router] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 423: Configuring The Device As An Sftp Client (Publickey Authentication)

    b. Enter username client002 and password aabbcc as prompted to log in to the SFTP server. Figure 108 SFTP client interface Configuring the device as an SFTP client (publickey authentication) Network requirements As shown in Figure 109: • Router B acts as the SFTP server, and it uses publickey authentication and the RSA public key algorithm.
  • Page 424 # Generate RSA key pairs. [RouterA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 425 # Assign an IP address to interface GigabitEthernet 1/1/1. The client uses this address as the destination address for SSH connection. [RouterB] interface gigabitethernet 1/1/1 [RouterB-GigabitEthernet1/1/1] ip address 192.168.0.1 255.255.255.0 [RouterB-GigabitEthernet1/1/1] quit # Import the peer public key from the public key file pubkey, and name it routerkey. [RouterB] public-key peer routerkey import sshkey pubkey # Create an SSH user named client001.
  • Page 426: Configuring Scp With Password Authentication

    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1 # Rename the directory new1 to new2 and verify the result.
  • Page 427: Configuration Procedure

    Figure 110 Network diagram: Router A (SCP client, GE1/1/1, 192.168.0.2/24) connected to Router B (SCP server, GE1/1/1, 192.168.0.1/24). Configuration procedure. Configure the SCP server: # Generate RSA key pairs. <RouterB> system-view [RouterB] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes.
  • Page 428: Configuring Netconf Over Ssh With Password Authentication

    # Set the password to aabbcc in plain text for local user client001. [RouterB-luser-manage-client001] password simple aabbcc # Authorize local user client001 to use the SSH service. [RouterB-luser-manage-client001] service-type ssh # Assign the network-admin user role to local user client001. [RouterB-luser-manage-client001] authorization-attribute user-role network-admin [RouterB-luser-manage-client001] quit # Create an SSH user named client001.
  • Page 429: Configuration Procedure

    Figure 111 Network diagram Configuration procedure # Generate RSA key pairs. <Router> system-view [Router] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 430: Verifying The Configuration

    [Router-line-vty0-63] authentication-mode scheme [Router-line-vty0-63] quit # Create a local device management user named client001. [Router] local-user client001 class manage # Set the password to aabbcc in plain text for local user client001. [Router-luser-manage-client001] password simple aabbcc # Authorize local user client001 to use the SSH service. [Router-luser-manage-client001] service-type ssh # Assign the network-admin user role to local user client001.
  • Page 431 Figure 112 Connecting to the device Enter password aabbcc, and then click OK, as shown in Figure 113. Figure 113 Entering the password The NETCONF configuration interface appears when the client successfully establishes a NETCONF-over-SSH connection to the device. The Log tab of the interface displays the connection information, as shown in Figure 114.
  • Page 432 The following message is displayed in the Output XML area.
    <?xml version="1.0" encoding="utf-8"?>
    <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
      <get-sessions>
        <Session>
          <SessionID>1</SessionID>
          <Line>vty1</Line>
          <UserName>client001</UserName>
          <Since>2016-02-03T15:05:30</Since>
          <LockHeld>false</LockHeld>
        </Session>
      </get-sessions>
    </rpc-reply>...
  • Page 433: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: •...
  • Page 434: Fips Compliance

    Figure 116 SSL protocol stack The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication, authenticates the server and client, and securely exchanges the keys between the server and client.
  • Page 435 Step Command Remarks Enter system view. system-view (Optional.) Disable SSL 3.0 on By default, SSL 3.0 is enabled ssl version ssl3.0 disable the device. on the device. (Optional.) Disable SSL By default, SSL session session renegotiation for the ssl renegotiation disable renegotiation is enabled.
  • Page 436: Configuring An Ssl Client Policy

    Step / Command / Remarks:
    - Enable the SSL server to send the complete certificate chain to the client during SSL negotiation: certificate-chain-sending enable. By default, the SSL server sends the server certificate rather than the complete certificate chain to the client during negotiation.
    Configuring an SSL client policy: An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the server.
  • Page 437: Displaying And Maintaining Ssl

    Step / Command / Remarks:
    - Specify the preferred cipher suite for the SSL client policy. In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | ... }. In non-FIPS mode, the default preferred cipher suite is rsa_rc4_128_md5. In FIPS mode: ...
    The non-FIPS default, rsa_rc4_128_md5, relies on RC4 and MD5, and the exp_* suites are export-grade; set the preferred cipher suite explicitly to an AES suite (for example dhe_rsa_aes_128_cbc_sha, which also provides forward secrecy) rather than relying on the default.
  • Page 438: Configuring Ssl Vpn

    Configuring SSL VPN Overview SSL VPN is an SSL-based VPN technology. SSL VPN has the following benefits: • High security—Using the certificate authentication, data encryption, and integrity verification mechanisms that the SSL protocol provides, SSL VPN can establish secure connections at the application layer.
  • Page 439: Ssl Vpn Networking Modes

    Figure 117 SSL VPN network diagram (a remote user reaches the internal servers across the Internet through the SSL VPN gateway, which the administrator manages). SSL VPN networking modes. Gateway mode: In gateway mode, the SSL VPN gateway acts as a gateway that connects remote users and the internal servers network, as shown in Figure 118.
  • Page 440: Ssl Vpn Access Modes

    Figure 119 Single-arm mode (the SSL VPN gateway is attached to the IP network between the users' gateway and the servers: User A and User B on one side, Server A and Server B on the other). SSL VPN access modes. Web access: In Web access mode, remote users use browsers to access Web resources allowed by an SSL VPN gateway through HTTPS.
  • Page 441 Figure 120 Network diagram for Web access URL list Heading: Web URL: www.abc.com Web server IP network SSL VPN User gateway 2) The SSL VPN gateway resolves 1) The browser sends the Web access request to the the request and sends the request to SSL VPN gateway through an SSL connection.
  • Page 442 Figure 121 Network diagram for TCP access For mobile clients to use the TCP access mode, you do not need to configure port forwarding rules on the SSL VPN gateway. However, client software dedicated for mobile clients is required, and you must specify an Endpoint Mobile Office (EMO) server for mobile clients on the SSL VPN gateway.
  • Page 443: Resource Access Control

    As shown in Figure 123, the following uses a ping operation to illustrate the IP access implementation: The administrator creates an SSL VPN AC interface on the SSL VPN gateway and configures a routing entry to server. The routing entry will be issued to the SSL VPN client. The user installs the IP access client software and launches the client software to log in to the SSL VPN gateway.
  • Page 444: Vrf-Aware Ssl Vpn

    Figure 124 SSL VPN resource access control You can specify domain names or virtual host names for the SSL VPN contexts associated with an SSL VPN gateway. When a user logs in to the SSL VPN gateway, the SSL VPN gateway performs the following operations: Uses the domain name or virtual host name that the user entered to determine the SSL VPN context to which the user belongs.
  • Page 445: Restrictions And Guidelines: Ssl Vpn Configuration

    Figure 125 VRF-aware SSL VPN Restrictions and guidelines: SSL VPN configuration The SSL VPN gateway generates only one session for a user who accesses both Web and IP resources in the following method: First, the user accesses the SSL VPN gateway through a Web browser. Then, the user downloads the IP access client through the Web page and launches the IP access client.
  • Page 446: Configuring An Ssl Vpn Gateway

    Tasks at a glance Remarks (Optional.) Specifying a message server for mobile clients (Optional.) Configuring SSL VPN access control (Optional.) Configuring VRF-aware SSL VPN (Optional.) Configuring HTTP redirection (Optional.) Customizing SSL VPN webpages (Optional.) Configuring SSL VPN user control (Optional.) Enabling SSL VPN logging (Optional.) Enabling IMC SMS message authentication...
  • Page 447: Configuring An Ssl Vpn Context

    Configuring an SSL VPN context An SSL VPN context links an SSL VPN gateway and one or more policy groups. Policy groups determine the resources available to users. When you associate an SSL VPN context with an SSL VPN gateway, follow these guidelines: •...
  • Page 448: Configuring An Ssl Vpn Policy Group

    Step / Command / Remarks:
    - (Optional.) Enable dynamic password verification: dynamic-password enable. By default, dynamic password verification is disabled.
    - 10. (Optional.) Set the idle timeout timer for SSL VPN sessions: timeout idle minutes. By default, the idle timeout timer for SSL VPN sessions is 30 minutes.
  • Page 449: Configuring Web Access Service Resources

    You can create multiple URI ACLs in an SSL VPN context. To configure a URI ACL (Step / Command / Remarks):
    - Enter system view: system-view
    - Enter SSL VPN context view: sslvpn context context-name
    - Create a URI ACL and enter its view: uri-acl uri-acl-name. By default, no URI ACLs exist.
  • Page 450: Configuring A File Policy

    Configuring a file policy A file policy enables the SSL VPN gateway to rewrite Web page files before forwarding them to requesting Web access users. A file policy contains the following settings: • A URL that identifies the path of the file to which the file policy is applied. •...
  • Page 451: Configuring Ip Access Service Resources

    c. Assign the port forwarding items to the port forwarding list. In SSL VPN policy group view, assign the port forwarding list to the policy group. After the AAA server authorizes a user to use a policy group, the user can access the TCP services provided by the port forwarding list in the policy group.
  • Page 452 The SSL VPN gateway issues a default route to the SSL VPN client. The default route uses the VNIC as the output interface and has the highest priority among all default routes on the client. Packets for destinations not in the routing table are sent to the SSL VPN gateway through the VNIC.
  • Page 453: Specifying An Emo Server For Mobile Clients

    Step / Command / Remarks:
    - 18. (Optional.) Specify a DNS server for IP access: ip-tunnel dns-server { primary | secondary } ip-address. By default, no DNS servers are specified for IP access.
    - 19. (Optional.) Specify a WINS server for IP access: ip-tunnel wins-server { primary | secondary } ip-address. By default, no WINS servers are specified for IP access.
  • Page 454 To use an advanced ACL or a URI ACL for access filtering, you must specify the ACL by using a filter command, for example, the filter web-access acl command. Web access filtering The SSL VPN gateway uses the following procedure to determine whether to forward a Web access request: Matches the request against the authorized URL list.
  • Page 455: Restrictions And Guidelines

    If the request matches a permit rule, the gateway forwards the request. If the request matches a deny rule, the gateway drops the request. If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.
  • Page 456: Configuring Vrf-Aware Ssl Vpn

    • Configure Web access filtering (By default, users can access only the Web resources authorized to them through the URL list.):
      • Specify an advanced ACL: filter web-access [ ipv6 ] acl advanced-acl-number
      • Specify a URI ACL: filter web-access uri-acl uri-acl-name
      • ...
  • Page 457: Configuring Http Redirection

    • Enter system view: system-view
    • Enter SSL VPN gateway view: sslvpn gateway gateway-name
    • Specify a VPN instance for the gateway: vpn-instance vpn-instance-name (By default, an SSL VPN gateway belongs to the public network.)
    Configuring HTTP redirection: An SSL VPN gateway communicates with users through HTTPS. To allow users to reach the SSL VPN gateway over HTTP, you must configure HTTP redirection.
  • Page 458: Enabling Ssl Vpn Logging

    • Force online users to log out: force-logout [ all | session session-id | user user-name ]
    • Set the maximum number of concurrent logins for each account: max-onlines number (By default, the maximum number of concurrent logins for each account is 32.)
  • Page 459: Displaying And Maintaining Ssl Vpn

    • Specify an IMC server: sms-imc address ip-address port port-number (By default, no IMC server is specified.)
    • Enable IMC SMS message authentication: sms-imc enable (By default, IMC SMS message authentication is disabled for the context.)
    Displaying and maintaining SSL VPN: Execute display commands in any view and reset commands in user view.
  • Page 460 Figure 126 Network diagram (diagram labels not reproduced) Configuration prerequisites Before configuring Web access control, perform the following tasks: •...
  • Page 461 # Create SSL VPN context ctx1, specify gateway gw and domain domain1 for the context, and associate the context with VPN instance VPN1. [DeviceA] sslvpn context ctx1 [DeviceA-sslvpn-context-ctx1] gateway gw domain domain1 [DeviceA-sslvpn-context-ctx1] vpn-instance VPN1 # Create a URL list named urllist in SSL VPN context ctx1. [DeviceA-sslvpn-context-ctx1] url-list urllist # Configure the heading as web for the URL list.
  • Page 462 [DeviceA] local-user sslvpn class network [DeviceA-luser-network-sslvpn] password simple 123456 [DeviceA-luser-network-sslvpn] service-type sslvpn [DeviceA-luser-network-sslvpn] authorization-attribute user-role network-operator [DeviceA-luser-network-sslvpn] authorization-attribute sslvpn-policy-group pgroup [DeviceA-luser-network-sslvpn] quit Verifying the configuration # Verify that SSL VPN gateway gw is up on Device A. [DeviceA] display sslvpn gateway Gateway name: gw Operation state: Up IP: 1.1.1.2...
  • Page 463 Figure 127 Domain list page # Select domain1 to enter the login page. # On the login page, enter username sslvpn and password 123456, and click Login. Figure 128 Login page # Display SSL VPN session information on Device A after the user logged in. [DeviceA] display sslvpn session context ctx1 SSL VPN context: ctx1 Users: 1...
  • Page 464: Tcp Access Configuration Example

    Figure 129 SSL VPN gateway homepage # Log out and restart the browser. Enter https://1.1.1.2:2000/ to enter the domain list page, and select domain2 to enter the login page. On the login page, enter username sslvpn and password 123456, and click Login. (Details not shown.) # Display SSL VPN session information on Device A after the user logged in.
  • Page 465 Figure 131 Network diagram Configuration prerequisites Before configuring TCP access control, perform the following tasks: • Configure IP addresses for interfaces on Device A. • Create a VPN instance and bind GigabitEthernet 1/1/2 to the VPN instance. • Obtain CA certificate file ca.cer and local certificate file server.pfx for Device A. •...
  • Page 466 [DeviceA-sslvpn-context-ctx-port-forward-item-pfitem1] local-port 2323 local-name 127.0.0.1 remote-server 20.2.2.2 remote-port 23 description telnet [DeviceA-sslvpn-context-ctx-port-forward-item-pfitem1] quit # Create a port forwarding list named plist, and then assign port forwarding item pfitem1 to the port forwarding list. [DeviceA-sslvpn-context-ctx] port-forward plist [DeviceA-sslvpn-context-ctx-port-forward-plist] resource port-forward-item pfitem1 [DeviceA-sslvpn-context-ctx-port-forward-plist] quit # Create an SSL VPN policy group named pgroup and assign port forwarding list plist to the group.
  • Page 467 # On the user PC, enter https://1.1.1.2:2000/ in the browser address bar to enter login page. # On the login page, enter username sslvpn and password 123456, and click Login. Figure 132 Login page The port forwarding item named pfitem1 is displayed in the TCP Resource area on the SSL VPN Web page, as shown in Figure 133.
  • Page 468 Figure 134 TCP access client software # Telnet to the local address (127.0.0.1) and local port (2323) on the PC. The user can remotely access the server. (Details not shown.) # Display SSL VPN session information on Device A. [DeviceA] display sslvpn session context ctx SSL VPN context: ctx Users: 1 Username...
  • Page 469: Ip Access Configuration Example

    IP access configuration example Network requirements As shown in Figure 135, Device A acts as an SSL VPN gateway that connects the public network and the private network VPN 1. Configure SSL VPN IP access control on Device A to allow the user to access the internal server in VPN 1.
  • Page 470 [DeviceA-sslvpn-gateway-gw] ip address 1.1.1.2 port 2000 [DeviceA-sslvpn-gateway-gw] ssl server-policy ssl # Enable SSL VPN gateway gw. [DeviceA-sslvpn-gateway-gw] service enable [DeviceA-sslvpn-gateway-gw] quit # Create an address pool named ippool and specify the address range as 10.1.1.1 to 10.1.1.10. [DeviceA] sslvpn ip address-pool ippool 10.1.1.1 10.1.1.10 # Create interface SSL VPN AC 1, bind the interface to VPN instance VPN1, and configure the IP address as 10.1.1.100/24 for the interface.
  • Page 471 [DeviceA-radius-rscheme] primary authentication 3.3.3.2 [DeviceA-radius-rscheme] primary accounting 3.3.3.2 [DeviceA-radius-rscheme] accounting-on enable [DeviceA-radius-rscheme] key authentication simple 123456 [DeviceA-radius-rscheme] key accounting simple 123456 # Exclude the domain name from the username sent to the RADIUS server. [DeviceA-radius-rscheme] user-name-format without-domain [DeviceA-radius-rscheme] quit # Create a user group named group1 and authorize the user group to use the SSL VPN policy group pgroup.
  • Page 472 # On the user PC, launch the IP access client software, and enter the address 1.1.1.2, port number 2000, username sslvpn, and password 123456 to log in to the SSL VPN gateway. (Details not shown.) # Display SSL VPN session information on Device A. [DeviceA] display sslvpn session context ctx SSL VPN context: ctx Users: 1...
  • Page 473: Configuring Aspf

    Configuring ASPF Overview Advanced Stateful Packet Filter (ASPF) is proposed to address the issues that a packet-filter firewall cannot solve. An ASPF provides the following main functions: • Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status for each connection.
  • Page 474: Aspf Inspections

    • Source zone—A security zone from which the first packet of a traffic flow originates. • Destination zone—A security zone for which the first packet of a traffic flow is destined. For information about security zones, see Fundamentals Configuration Guide. ASPF inspections This section introduces the basic idea of ASPF inspection on application layer and transport layer protocols.
  • Page 475 Figure 137 FTP inspection As shown in Figure 137, FTP connections are established and removed as follows: The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server. As a result of negotiation, the server initiates a data connection from port 20 to port 1600 of the client.
  • Page 476: Aspf Configuration Restrictions And Guidelines

    ASPF configuration restrictions and guidelines Data connections can be established for multichannel application layer protocols when either of the following conditions exists: • The ALG feature is enabled in other service modules (such as NAT). • Other service modules with the ALG feature (such as DPI) are configured. In these cases, it is optional to configure ASPF inspection for multichannel protocols.
  • Page 477: Applying An Aspf Policy To An Interface

    • (Optional.) Enable ICMP error message check: icmp-error drop (By default, ICMP error message check is disabled. ASPF does not drop faked ICMP error messages.)
    • (Optional.) Enable TCP SYN check: tcp syn-check (By default, TCP SYN check is disabled. ASPF does not drop the non-SYN packet when it is the first ...)
  • Page 478: Enabling Icmp Error Message Sending For Packet Dropping By Security Policies Applied To Zone Pairs

    • Enter zone pair view: zone-pair security source source-zone-name destination destination-zone-name (For information about configuring a zone pair, see Fundamentals Command Reference.)
    • Apply an ASPF policy to the zone pair: aspf apply policy ... (By default, the predefined ASPF policy is applied to the zone pair. With the predefined policy, ASPF inspects FTP packets and ...)
  • Page 479: Aspf Configuration Examples

    • Clear ASPF session statistics (in IRF mode): reset aspf session [ ipv4 | ipv6 ] [ chassis chassis-number slot slot-number ]
    ASPF configuration examples. ASPF FTP application inspection configuration example. Network requirements: Configure an ASPF policy on Router A to inspect the FTP traffic flows passing through Router A. Only return packets for FTP connections initiated by users on the internal network are permitted to pass through Router A and get into the internal network.
  • Page 480: Aspf Tcp Application Inspection Configuration Example

    Initiator: Source IP/port: 192.168.1.2/1877 Destination IP/port: 2.2.2.11/21 VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/1/1 Total sessions found: 1 # Verify that only the return packets of FTP connections can enter the internal network. (Details not shown.) ASPF TCP application inspection configuration example Network requirements Local users on the internal network need to access the external network.
  • Page 481: Aspf H.323 Application Inspection Configuration Example

    [RouterA] interface gigabitethernet 1/1/1 [RouterA-GigabitEthernet1/1/1] packet-filter 3111 inbound # Apply ASPF policy 1 to outgoing traffic on interface GigabitEthernet 1/1/1. [RouterA-GigabitEthernet1/1/1] aspf apply policy 1 outbound Verifying the configuration # Display the configuration of ASPF policy 1. <RouterA> display aspf policy 1 ASPF policy configuration: Policy number: 1 ICMP error message check: Enabled...
  • Page 482 [RouterA] aspf policy 1 [RouterA-aspf-policy-1] detect h323 [RouterA-aspf-policy-1] quit # Apply ACL 3200 to filter incoming packets on GigabitEthernet 1/1/1. [RouterA] interface gigabitethernet 1/1/1 [RouterA-GigabitEthernet1/1/1] packet-filter 3200 inbound # Apply ASPF policy 1 to incoming traffic on GigabitEthernet 1/1/1. [RouterA-GigabitEthernet1/1/1] aspf apply policy 1 inbound [RouterA-GigabitEthernet1/1/1] quit Verifying the configuration # Verify that ASPF sessions have been created between Gateway B and Gatekeeper/Gateway A.
  • Page 483: Aspf Application To A Zone Pair Configuration Example

    Total sessions found: 5 # Verify that only return packets that match the entries can pass through GigabitEthernet 1/1/1. (Details not shown.) ASPF application to a zone pair configuration example Network requirements Configure an ASPF policy on the router to inspect FTP traffic that passes through the router to implement the following filtering: •...
  • Page 484 Verifying the configuration # Verify that an ASPF session has been established for the FTP connection between the host and the server. <Router> display aspf session ipv4 Initiator: Source IP/port: 192.168.1.2/1877 Destination IP/port: 2.2.2.11/21 VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/1/2 Source security zone: Trust Total sessions found: 1...
  • Page 485: Configuring Apr

    Configuring APR Overview The application recognition (APR) feature recognizes application protocols of packets for features such as QoS, ASPF, and bandwidth management. APR uses the following methods to recognize an application protocol: • Port-based application recognition (PBAR). • Network-based application recognition (NBAR). PBAR PBAR maps a port to an application protocol and recognizes packets of the application protocol according to the port-protocol mapping.
  • Page 486: Apr Signature Database Management

    You can add application protocols to an application group by using the following methods: • Add application protocols one by one to the application group. • Copy application protocols from another application group to the application group. APR signature database management APR signature database The APR signature database is a resource library of character string signatures for application recognition.
  • Page 487: Configuring Pbar

    Configuring PBAR
    • Enter system view: system-view
    • Configure port mappings (By default, all application protocols map with well-known ports. You can configure these commands together. APR selects a port mapping to ...):
      • Configure a general port mapping: port-mapping application application-name port port-number [ protocol protocol-name ]
      • Configure an ACL-based host-port mapping: ...
  • Page 488: Configuring Application Groups

    • Create a user-defined NBAR rule and enter its view: nbar application application-name protocol { http | tcp | udp } (By default, no user-defined NBAR rules exist.)
    • (Optional.) Configure a description: description text (By default, the user-defined NBAR rule is described as User defined.)
  • Page 489: Enabling Application Statistics On An Interface

    • (Optional.) Configure a description for the application group: description text (By default, the description is User-defined application group.)
    • Add an application protocol to the group: include application ... (By default, an application group does not contain any application protocols. Execute this command multiple times to add multiple application protocols to the group.)
  • Page 490: Scheduling An Automatic Update For The Apr Signature Database

    Scheduling an automatic update for the APR signature database If the device can access the signature database services on the Hewlett Packard Enterprise website, you can schedule an automatic update. The automatic update enables the device to automatically update the local APR signature database at the scheduled update time. For a successful automatic update, make sure the following requirements are met: •...
  • Page 491: Performing A Manual Update For The Apr Signature Database

    Performing a manual update for the APR signature database If the device cannot access the signature database services on the Hewlett Packard Enterprise website, use one of the following methods to manually update the APR signature database on the device: •...
  • Page 492: Apr Configuration Examples

    • Display statistics for application protocols on an interface in descending order based on the specified criteria: display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number
    • Display information about predefined port mappings: display port-mapping pre-defined
  • Page 493: Nbar Configuration Example

    # Create QoS policy 1, associate classifier_1 with traffic behavior bdeny to create a class-behavior association in the QoS policy. [Router] qos policy 1 [Router-qospolicy-1] classifier classifier_1 behavior bdeny [Router-qospolicy-1] quit # Apply the QoS policy to the inbound direction of GigabitEthernet 1/1/1. [Router] interface gigabitethernet 1/1/1 [Router-GigabitEthernet1/1/1] qos apply policy 1 inbound [Router-GigabitEthernet1/1/1] quit...
  • Page 494 [Router] object-policy ip ipsfilter # Configure a rule to apply DPI application profile sec to packets that match source IPv4 address object group ipsfilter. [Router-object-policy-ip-ipsfilter] rule inspect sec source-ip ipsfilter destination-ip any [Router-object-policy-ip-ipsfilter] quit Apply the object policy to a zone pair: # Create a zone pair from security zone trust to security zone untrust.
  • Page 495: Managing Sessions

    Managing sessions Overview Session management is a common module, providing basic services for NAT, ASPF, and intrusion detection and protection to implement their session-based services. Session management can be applied for the following purposes: • Fast match between packets and sessions. •...
  • Page 496: Session Management Functions

    Session management functions Session management enables the device to provide the following functions: • Creates sessions for protocol packets, updates session states, and sets aging time for sessions in different protocol states. • Supports port mapping for application layer protocols (see "Configuring APR"), enabling application layer protocols to use customized ports.
  • Page 497: Setting The Session Aging Time For Different Application Layer Protocols Or Applications

    • Set the session aging time for sessions in different protocol states: session aging-time state { fin | icmp-reply | icmp-request | rawip-open | rawip-ready | syn | ... (The default aging time for sessions in different protocol states is as follows: FIN_WAIT: 30 seconds. ICMP-REPLY: 30 seconds. ICMP-REQUEST: 60 seconds. RAWIP-OPEN: 30 seconds. ...)
  • Page 498: Specifying Persistent Sessions

    Step Command Remarks By default, the session aging time is 1200 seconds except for the following application layer protocols and applications: • BOOTPC: 120 seconds. • BOOTPS: 120 seconds. • DNS: 1 second. • FTP: 3600 seconds. • FTP-DATA: 240 seconds. •...
  • Page 499: Enabling Session Statistics Collection For Software Fast Forwarding

    never-age-out persistent sessions. A never-age-out session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries. For a TCP session in ESTABLISHED state, the priority order of the associated aging time is as follows: •...
  • Page 500: Specifying The Loose Mode For Session State Machine

    • Enable the top session statistics feature: session top-statistics enable (By default, the top session statistics feature is disabled.)
    Specifying the loose mode for session state machine: For asymmetric-path networks, to prevent the device from dropping packets abnormally, set the mode of the session state machine to loose.
  • Page 501: Displaying And Maintaining Session Management

    • (Optional.) Enable logging for session creation: session log flow-begin (By default, logging for session creation is disabled.)
    • (Optional.) Enable logging for session deletion: session log flow-end (By default, logging for session deletion is disabled.)
    • Enter interface view: interface interface-type interface-number
    • Enable session logging: session log enable { ipv4 | ipv6 } [ acl ...
  • Page 502
    • Display IPv6 unicast session table entries (in IRF mode): display session table ipv6 [ chassis chassis-number slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-name ] [ verbose ]
    • ...: display session statistics ipv4 { source-ip source-ip | ...
  • Page 503
    • Display relation table entries (in standalone mode): display session relation-table { ipv4 | ipv6 } [ slot slot-number ]
    • Display relation table entries (in IRF mode): display session relation-table { ipv4 | ipv6 } [ chassis chassis-number slot slot-number ]
    • Display top session statistics: display session top-statistics { last-1-hour | last-24-hours ...
  • Page 504
    • Clear IPv6 multicast session table entries (in IRF mode): reset session table multicast ipv6 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
    • Clear IPv4 and IPv6 multicast session table ...
  • Page 505: Configuring Connection Limits

    Configuring connection limits Overview The connection limit feature enables the device to monitor and limit the number of established connections. As shown in Figure 144, configure the connection limit feature to resolve the following issues: • If Host B initiates a large number of connections in a short period of time, it might exhaust system resources and cause Host A to be unable to access the Internet.
  • Page 506: Configuring The Connection Limit Policy

    Configuring the connection limit policy To use a connection limit policy, you need to add limit rules to the policy. Each rule defines a range of connections and the criteria for limiting the connections. Connections in the range will be limited based on the criteria.
  • Page 507: Applying The Connection Limit Policy

    • Configure a connection limit rule:
      • In IPv4 connection limit policy view: limit limit-id acl { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text ]
      • limit limit-id acl ipv6 { acl-number | name ...
  • Page 508: Displaying And Maintaining Connection Limits

    • Enter system view: system-view
    • Apply a connection limit policy (By default, no connection limit is applied. Only one IPv4 connection limit policy and one IPv6 connection ...):
      • Apply a connection limit policy globally: connection-limit apply global { ipv6-policy | policy } policy-id
      • Apply a connection limit policy to an interface: ...
  • Page 509 the Internet and external users can access the internal servers. Configure connection limits to meet the following requirements: • All hosts on segment 192.168.0.0/24 can establish a maximum of 100000 connections to the external network. • Each host on segment 192.168.0.0/24 can establish a maximum of 100 connections to the external network.
  • Page 510: Troubleshooting Connection Limits

    [Router] connection-limit policy 2 # Configure connection limit rule 1 to permit a maximum of 100 connections from each host matching ACL 3000. When the number of connections exceeds 100, new connections cannot be established until the number drops below 90. [Router-connection-limit-policy-2] limit 1 acl 3000 per-source amount 100 90 [Router-connection-limit-policy-2] quit # Apply connection limit policy 1 globally.
  • Page 511 [Router-acl-ipv4-basic-2002] rule permit source 192.168.0.100 0 [Router-acl-ipv4-basic-2002] quit [Router] connection-limit policy 1 [Router-connection-limit-policy-1] limit 1 acl 2001 per-destination amount 10 5 [Router-connection-limit-policy-1] limit 2 acl 2002 per-destination amount 100 10 As a result, the host at 192.168.0.100 can only initiate a maximum of 10 connections to the external network.
  • Page 512: Configuring Object Groups

    Configuring object groups Overview An object group is a group of objects that can be used by an ACL, object policy, or object group to identify packets. Object groups are divided into the following types: • IPv4 address object group—A group of IPv4 address objects used to match the IPv4 address in a packet or match the user from whom a packet comes.
  • Page 513: Configuring A Port Object Group

    • (Optional.) Configure a description for the IPv6 address object group: description text (By default, an object group does not have a description.)
    • Configure an IPv6 address object: [ object-id ] network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | ... (By default, no objects exist.)
  • Page 514: Renaming An Object Group

    Renaming an object group. To rename an object group:
    • Enter system view: system-view
    • Rename an object group: object-group rename old-object-group-name new-object-group-name (You can only rename non-default object groups.)
    Displaying and maintaining object groups: Execute display commands in any view.
    • ...: display object-group [ { { ip | ipv6 } address | service | ...
  • Page 515: Configuring Object Policies

    Configuring object policies Overview An object policy is a set of rules for security control over packets between a source and a destination security zone. These two zones define a zone pair. The object policy matches the first packet of a traffic flow against the rules.
  • Page 516: Configuration Prerequisites

    Configuration prerequisites Before configuring an object policy, complete the following tasks: • Configure time ranges (see ACL and QoS Configuration Guide). • Configure IPv4 address objects, IPv6 address objects, and service objects (see "Configuring object groups"). Creating object policies Creating an IPv4 object policy Step Command Remarks...
  • Page 517: Configuring An Ipv6 Object Policy Rule

    • Application/application group—Used for matching PBAR-classified application IDs of packets. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see "Configuring APR." To configure an IPv4 object policy rule:
    • Enter system view: system-view
    • Enter IPv4 object policy view: object-policy ip object-policy-name
  • Page 518: Applying Object Policies To Zone Pairs

    • Configure an IPv6 object policy rule: rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip { object-group-name | any } ] [ destination-ip { object-group-name | any } ] [ service ... (By default, no IPv6 object policy rules are configured. If you specify a nonexistent ...)
  • Page 519: Changing The Rule Match Order

    Changing the rule match order The device matches packets against object policy rules in the order the rules were configured. You can change the rule match order by changing the position of an object policy rule in the rule list. To change the rule match order: Step Command...
  • Page 520: Object Policy Configuration Example

    • Display information about the object policies applied to zone pairs: display object-policy zone-pair security [ source source-zone-name destination destination-zone-name ]
    • Display statistics for object policies applied to a zone pair: display object-policy statistics zone-pair security source source-zone-name destination destination-zone-name [ ip | ipv6 ]
  • Page 521 [DeviceA-security-zone-finance] quit # Create a security zone named market, and add GigabitEthernet 1/1/4 to the zone. [DeviceA] security-zone name market [DeviceA-security-zone-market] import interface gigabitethernet 1/1/4 [DeviceA-security-zone-market] quit # Create a security zone named database, and add GigabitEthernet 1/1/1 to the zone. [DeviceA] security-zone name database [DeviceA-security-zone-database] import interface gigabitethernet 1/1/1 [DeviceA-security-zone-database] quit...
  • Page 522: Verifying The Configuration

    # Create an IPv4 object policy named market-database. Configure a rule that prohibits the marketing office from accessing the financial database server through HTTP at any time. [DeviceA] object-policy ip market-database [DeviceA-object-policy-ip-market-database] rule drop source-ip market destination-ip database service web [DeviceA-object-policy-ip-market-database] quit Apply object policies to zone pairs: # Create a zone pair from security zone president to security zone database.
  • Page 523: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention Overview Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging, packet dropping, and client verification. Attacks that the device can prevent This section describes the attacks that the device can detect and prevent.
  • Page 524: Scanning Attacks

    Single-packet attack descriptions:
    • IP options: An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it is incapable of processing error packets.
    • IP fragment: An attacker sends the victim an IP datagram with an offset smaller than or equal to 5, which causes the victim to malfunction or crash.
  • Page 525: Flood Attacks

    Flood attacks An attacker launches a flood attack by sending a large number of forged requests to the victim in a short period of time. The victim is too busy responding to these forged requests to provide services for legal users, and a DoS attack occurs. The device can detect and prevent the following types of flood attacks: •...
  • Page 526: Tcp Fragment Attack

    An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast rate. Because the target host is busy replying to these requests, it is unable to provide services. • UDP flood attack. A UDP flood attacker sends UDP packets to a host at a fast rate. These packets consume a large amount of the target host's bandwidth, so the host cannot provide other services.
  • Page 527 • FIN. • RST. The TCP client verification feature enables a TCP proxy on the device. TCP client verification can operate in the following modes: • Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators. The unidirectional TCP proxy is sufficient for most scenarios because attacks are often seen from clients.
  • Page 528 Figure 149 TCP proxy in safe reset mode. Message sequence between the TCP client, the TCP proxy, and the TCP server: (1) SYN; (2) SYN ACK (invalid sequence number); (3) RST; (4) SYN (retransmitting); (5) SYN (forwarding); (6) SYN ACK; (7) ACK; (8) ACK (forwarding). TCP proxy in SYN cookie mode: As shown in Figure 150, SYN cookie mode requires two TCP connections to be established as...
  • Page 529: Dns Client Verification

    DNS client verification The DNS client verification feature protects DNS servers against DNS flood attacks. It is configured on the device where packets from the DNS clients to the DNS servers pass through. The device with DNS client verification feature configured is called a DNS client authenticator. As shown in Figure 151, the DNS client verification functions as follows:...
  • Page 530: Attack Detection And Prevention Configuration Task List

    After receiving the HTTP Redirect packet, the client terminates the TCP connection and then establishes a new TCP connection with the authenticator. When the authenticator receives the HTTP Get packet, it performs the second redirection verification. The authenticator verifies the following information: The client has passed the first redirection verification.
  • Page 531: Configuring An Attack Defense Policy

    Tasks at a glance (Required.) Perform at least one of the tasks: • Applying an attack defense policy to an interface • Applying an attack defense policy to the device (Required.) Applying an attack defense policy to a security zone (Optional.) Enabling log non-aggregation for single-packet attack events (Optional.)
  • Page 532 Step Command Remarks • signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ] •...
  • Page 533: Configuring A Scanning Attack Defense Policy

    Step Command Remarks
    • (Optional.) Specify the actions against single-packet attacks of a ...
      Command: signature level { high | info | low | medium } action { { drop | logging } * | none }
      Remarks: The default action is logging for single-packet attacks of the informational and low levels. The default actions are...
  • Page 534
    Configuring a SYN flood attack defense policy
    Step Command Remarks
    • Enter system view.
      Command: system-view
    • Enter attack defense policy view.
      Command: attack-defense policy policy-name
    • Enable global SYN flood attack detection.
      Command: syn-flood detect non-specific
      Remarks: By default, global SYN flood attack detection is disabled.
    • Set the global trigger threshold for SYN flood...
      Command: syn-flood threshold
  • Page 535
    Step Command Remarks
    • Set the global trigger threshold for SYN-ACK flood attack prevention.
      Command: syn-ack-flood threshold threshold-value
      Remarks: The default setting is 1000.
    • Specify global actions against SYN-ACK flood attacks.
      Command: syn-ack-flood action { client-verify | drop | logging } *
      Remarks: By default, no global action is specified for SYN-ACK flood attacks.
  • Page 536
    Step Command Remarks
    • Configure IP address-specific RST flood attack detection.
      Command: rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
      Remarks: By default, IP address-specific RST flood attack detection is not configured.
    Configuring an ICMP flood attack defense policy...
  • Page 537
    Step Command Remarks
    • Enter attack defense policy view.
      Command: attack-defense policy policy-name
    • Enable global UDP flood attack detection.
      Command: udp-flood detect non-specific
      Remarks: By default, global UDP flood attack detection is disabled.
    • Set the global trigger threshold for UDP flood attack prevention.
      Command: udp-flood threshold threshold-value
      Remarks: The default setting is 1000.
  • Page 538: Configuring Attack Detection Exemption

    Step Command Remarks
    • Set the global trigger threshold for HTTP flood attack prevention.
      Command: http-flood threshold threshold-value
      Remarks: The default setting is 1000.
    • (Optional.) Specify the global ports to be protected against HTTP flood attacks.
      Command: http-flood port port-list
      Remarks: By default, HTTP flood attack prevention protects port 80.
  • Page 539: Applying An Attack Defense Policy To The Device

    If you apply an attack defense policy to a global interface, specify a service card to process traffic for the interface. If you do not specify a service card, the policy cannot correctly detect and prevent scanning and flood attacks. To apply an attack defense policy to an interface: Step Command...
  • Page 540: Enabling Log Non-Aggregation For Single-Packet Attack Events

    Enabling log non-aggregation for single-packet attack events Log aggregation aggregates multiple logs generated during a period of time and sends one log. Logs that are aggregated must have the following attributes in common: • Attacks are detected on the same interface or security zone or are destined for the device. •...
  • Page 541: Configuring Tcp Client Verification

    Step Command Remarks
    • Enable the top attack statistics ranking feature.
      Command: attack-defense statistics top-attack-statistics enable
      Remarks: By default, the top attack statistics ranking feature is disabled.
    Configuring TCP client verification
    Configure TCP client verification on the interface or security zone that is connected to the external network.
  • Page 542: Configuring Http Client Verification

    IP addresses protected by DNS client verification can be manually added or automatically learned: • You can manually add protected IP addresses. The device performs client verification when it receives the first DNS query destined for a protected IP address. •...
  • Page 543: Configuring The Address Object Group Whitelist

    Step Command Remarks
    • (Optional.) Specify an IP address to be protected by the HTTP client verification feature.
      Command: client-verify http protected { ip destination-ip-address | ipv6 destination-ipv6-address } [ vpn-instance
      Remarks: By default, the HTTP client verification feature does not protect any IP address.
  • Page 544: Displaying And Maintaining Attack Detection And Prevention

    Step Command Remarks
    • Enable the login delay feature.
      Command: attack-defense login reauthentication-delay seconds
      Remarks: By default, the login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.
    Displaying and maintaining attack detection and prevention
    Use the display commands in any view and the reset commands in user view.
  • Page 545
    Task Command
    • Display flood attack detection and prevention statistics for an IPv6 address (in IRF mode).
      Command: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]...
  • Page 546
    Task Command
    • Display trusted IPv6 addresses for client verification (in IRF mode).
      Command: display client-verify { dns | http | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]
    • Clear attack detection and prevention statistics for an interface.
      Command: reset attack-defense statistics interface
  • Page 547
    Task Command
    • Display flood attack detection and prevention statistics for an IPv4 address (in standalone mode).
      Command: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip
  • Page 548: Attack Detection And Prevention Configuration Examples

    Task Command
    • Display protected IPv6 addresses for client verification (in standalone mode).
      Command: display client-verify { dns | http | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number ] [ count ]
    • Display protected IPv6 addresses for client...
      Command: display client-verify { dns | http | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port...
  • Page 549: Interface-Based Tcp Client Verification Configuration Example

    Figure 153 Network diagram (Router with interfaces GE1/1/1 and GE1/1/2; addresses 192.168.1.1/16 and 202.1.0.1/16; Host A and Host B; users in 5.5.5.0/24 reached across the IP network)
    Configuration procedure
    # Configure IP addresses for the interfaces on the router. (Details not shown.)
    # Enable the global whitelist feature.
    <Router> system-view
    [Router] whitelist global enable
    # Create IPv4 address object group obj1.
  • Page 550: Security Zone-Based Tcp Client Verification Configuration Example

    [Router] attack-defense policy a1
    # Enable global SYN flood attack detection.
    [Router-attack-defense-policy-a1] syn-flood detect non-specific
    # Set the global threshold for triggering SYN flood attack prevention to 10000.
    [Router-attack-defense-policy-a1] syn-flood threshold 10000
    # Specify logging and client-verify as the global actions against SYN flood attacks.
    [Router-attack-defense-policy-a1] syn-flood action logging client-verify
    [Router-attack-defense-policy-a1] quit
    # Apply the attack defense policy a1 to interface GigabitEthernet 1/1/1.
  • Page 551: Interface-Based Dns Client Verification Configuration Example

    <Router> system-view
    [Router] security-zone name trust
    [Router-security-zone-Trust] import interface gigabitethernet 1/1/2
    [Router-security-zone-Trust] quit
    # Add GigabitEthernet 1/1/1 to the security zone Untrust.
    [Router] security-zone name untrust
    [Router-security-zone-Untrust] import interface gigabitethernet 1/1/1
    [Router-security-zone-Untrust] quit
    # Create a zone pair with the source security zone Untrust and the destination security zone Trust.
    [Router] zone-pair security source untrust destination trust
    # Configure a security policy and apply it to the zone pair, so security zones Untrust and Trust can communicate.
  • Page 552: Security Zone-Based Dns Client Verification Configuration Example

    Figure 156 Network diagram
    Configuration procedure
    # Configure IP addresses for the interfaces on the router. (Details not shown.)
    # Create attack defense policy a1.
    <Router> system-view
    [Router] attack-defense policy a1
    # Enable global DNS flood attack detection.
    [Router-attack-defense-policy-a1] dns-flood detect non-specific
    # Set the global threshold for triggering DNS flood attack prevention to 10000.
  • Page 553
    Figure 157 Network diagram
    Configuration procedure
    # Configure IP addresses for the interfaces on the router. (Details not shown.)
    # Add GigabitEthernet 1/1/2 to the security zone Trust.
    <Router> system-view
    [Router] security-zone name trust
    [Router-security-zone-Trust] import interface gigabitethernet 1/1/2
    [Router-security-zone-Trust] quit
    # Add GigabitEthernet 1/1/1 to the security zone Untrust.
  • Page 554: Interface-Based Http Client Verification Configuration Example

    Verifying the configuration
    # Launch a DNS flood attack. (Details not shown.)
    # Verify that the victim's IP address is added to the protected IP list for DNS client verification.
    [Router] display client-verify dns protected ip
    IP address VPN instance Port Type Requested Trusted...
  • Page 555: Security Zone-Based Http Client Verification Configuration Example

    Verifying the configuration
    # Launch an HTTP flood attack. (Details not shown.)
    # Verify that the victim's IP address is added to the protected IP list for HTTP client verification.
    [Router] display client-verify http protected ip
    IP address VPN instance Port Type Requested...
  • Page 556
    [Router-attack-defense-policy-a1] http-flood detect non-specific
    # Set the global threshold for triggering HTTP flood attack prevention to 10000.
    [Router-attack-defense-policy-a1] http-flood threshold 10000
    # Specify logging and client-verify as the global actions against HTTP flood attacks.
    [Router-attack-defense-policy-a1] http-flood action logging client-verify
    [Router-attack-defense-policy-a1] quit
    # Apply the attack defense policy a1 to the security zone Untrust.
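    The SYN, SYN-ACK, UDP and HTTP flood policy steps on pages 534 to 538 share one pattern: a global per-second trigger threshold (default 1000) and a set of actions chosen from logging, client-verify and drop, where client-verify places the victim address in the protected list that display client-verify ... protected ip shows on pages 554 to 556. The Python model below is an added example, not Comware code. It keeps a sliding one-second window per destination over constructed packet records, logs once per attack episode (in the spirit of the log aggregation described on page 540) and records client-verify targets in a protected set; the class, record format and addresses are constructed for the example.

```python
"""Constructed model of global (non-specific) flood detection with threshold/action
semantics like the attack defense policy; not Comware code."""
from collections import defaultdict, deque


class FloodDetector:
    """Per-destination packet-rate detector for one flood type (for example SYN flood).

    threshold: packets per second that trigger prevention (the guide's default is 1000).
    actions:   any subset of {"logging", "client-verify", "drop"}, mirroring
               `<type>-flood action { client-verify | drop | logging } *`.
    """

    def __init__(self, flood_type, threshold=1000, actions=("logging",)):
        self.flood_type = flood_type
        self.threshold = threshold
        self.actions = set(actions)
        self._window = defaultdict(deque)   # dst -> arrival timestamps within the last second
        self._attacking = set()             # destinations currently over the threshold
        self.protected = set()              # destinations handed to client verification
        self.logs = []                      # one aggregated log line per attack episode

    def rate(self, dst):
        """Packets seen for dst in the current one-second window."""
        return len(self._window[dst])

    def observe(self, ts, dst):
        """Record one packet of this flood type to dst at time ts (seconds); return its disposition:
        "forward", "verify" (hand to client verification) or "drop"."""
        q = self._window[dst]
        q.append(ts)
        while q and ts - q[0] >= 1.0:       # slide the one-second window
            q.popleft()

        if len(q) <= self.threshold:
            self._attacking.discard(dst)    # rate back under threshold: episode is over
            return "verify" if dst in self.protected else "forward"

        if dst not in self._attacking:      # first packet over threshold starts an episode
            self._attacking.add(dst)
            if "logging" in self.actions:
                self.logs.append("%s flood towards %s: %d pps exceeds threshold %d"
                                 % (self.flood_type, dst, len(q), self.threshold))
            if "client-verify" in self.actions:
                self.protected.add(dst)     # the victim now appears in the protected list
        if "drop" in self.actions:
            return "drop"
        return "verify" if dst in self.protected else "forward"


def replay(detector, packets):
    """Feed constructed (timestamp, destination) records through a detector; return dispositions."""
    return [detector.observe(ts, dst) for ts, dst in packets]


if __name__ == "__main__":
    # Constructed sample traffic: a burst of SYNs to 10.1.1.10 and one SYN to 10.1.1.20.
    sample = [(0.0, "10.1.1.10"), (0.1, "10.1.1.10"), (0.2, "10.1.1.20"),
              (0.2, "10.1.1.10"), (0.3, "10.1.1.10"), (0.4, "10.1.1.10"), (2.0, "10.1.1.10")]
    det = FloodDetector("SYN", threshold=3, actions=("logging", "client-verify"))
    print(replay(det, sample))
    print(det.logs, det.protected)
```

    The threshold is deliberately tiny in the demo so the episode is visible in a handful of records; with the guide's default of 1000 packets per second the same logic applies unchanged.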
  • Page 557: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 558: Configuring Arp Source Suppression

    device continues probing according to the probe settings. If the IP address resolution succeeds in a probe, the device converts the blackhole route to a normal route. If an ARP blackhole route ages out before the device finishes all probes, the device deletes the blackhole route and does not perform the remaining probes.
  • Page 559: Configuration Example

    Configuration example Network requirements As shown in Figure 160, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets.
  • Page 560: Configuration Guidelines

    Configuration guidelines Configure this feature when ARP flood attacks are detected. Configuration procedure This task sets a rate limit for ARP packets received on an interface. When the receiving rate of ARP packets on the interface exceeds the rate limit, those packets are discarded. You can enable sending notifications to the SNMP module or enable logging for ARP packet rate limit.
  • Page 561: Configuration Procedure

    • Filter—Generates log messages and filters out subsequent ARP packets from that MAC address. You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers. Configuration procedure To configure source MAC-based ARP attack detection: Step...
  • Page 562: Configuration Example

    Configuration example Network requirements As shown in Figure 161, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and become unable to process requests from the clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway.
  • Page 563: Configuring Arp Packet Source Mac Consistency Check

    Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.
  • Page 564: Configuration Example (On A Dhcp Server)

    Step Command Remarks
    • Enter system view.
      Command: system-view
    • Enter interface view.
      Command: interface interface-type interface-number
    • Enable authorized ARP on the interface.
      Command: arp authorized enable
      Remarks: By default, authorized ARP is disabled.
    Configuration example (on a DHCP server)
    Network requirements
    As shown in Figure 162, configure authorized ARP on GigabitEthernet 1/1/1 of Device A (a DHCP server) to ensure user validity.
  • Page 565: Configuration Example (On A Dhcp Relay Agent)

    10.1.1.2 0012-3f86-e94c GE1/1/1
    The output shows that IP address 10.1.1.2 has been assigned to Device B. Device B must use the IP address and MAC address in the authorized ARP entry to communicate with Device A. Otherwise, the communication fails. Thus user validity is ensured.
    Configuration example (on a DHCP relay agent)
    Network requirements
    As shown in...
  • Page 566: Configuring Arp Scanning And Fixed Arp

    # Enable DHCP relay agent on GigabitEthernet 1/1/2.
    [DeviceB-GigabitEthernet1/1/2] dhcp select relay
    # Add the DHCP server 10.1.1.1 to DHCP server group 1.
    [DeviceB-GigabitEthernet1/1/2] dhcp relay server-address 10.1.1.1
    # Enable authorized ARP.
    [DeviceB-GigabitEthernet1/1/2] arp authorized enable
    [DeviceB-GigabitEthernet1/1/2] quit
    # Enable recording of relay entries on the relay agent.
    [DeviceB] dhcp relay client-information record
    Configure Device C:
    <DeviceC>...
  • Page 567: Configuration Procedure

    • Due to the limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion. • To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. Use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.
  • Page 568: Configuring Nd Attack Defense

    Configuring ND attack defense Overview IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks. The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. An attacker can send the following forged ICMPv6 messages to perform ND attacks: •...
  • Page 569: Configuring Urpf

    Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 570: Urpf Operation

    Link layer check—Strict uRPF check can further perform link layer check on a packet. It uses the next hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes strict uRPF check.
  • Page 571 Figure 165 uRPF work flow...
  • Page 572 uRPF checks address validity: uRPF permits a packet with a multicast destination address. For a packet with an all-zero source address, uRPF permits the packet if it has a broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.) uRPF proceeds to step 7 if the packet has a non-broadcast destination address.
  • Page 573: Network Application

    Network application
    Figure 166 Network diagram (ISP A, ISP B and ISP C with uRPF (loose) between the ISPs; uRPF (strict) toward the User network)
    As shown in Figure 166, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs. For special packets or users, you can configure ACLs.
  • Page 574: Displaying And Maintaining Urpf

    Step Command Remarks
    • Enable uRPF on the interface.
      Command: ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] [ link-check ] }
      Remarks: By default, uRPF is disabled.
    To enable uRPF for a security zone:
    Step Command Remarks...
  • Page 575: Urpf Configuration Example For Security Zones

    Figure 167 Network diagram
    Configuration procedure
    Configure Router B:
    # Configure ACL 2010 to permit traffic from network 10.1.1.0/24.
    <RouterB> system-view
    [RouterB] acl basic 2010
    [RouterB-acl-ipv4-basic-2010] rule permit source 10.1.1.0 0.0.0.255
    [RouterB-acl-ipv4-basic-2010] quit
    # Specify an IP address for GigabitEthernet 1/1/1.
    [RouterB] interface gigabitethernet 1/1/1
    [RouterB-GigabitEthernet1/1/1] ip address 1.1.1.2 255.255.255.0
    # Configure strict uRPF check on GigabitEthernet 1/1/1.
  • Page 576
    [RouterB-acl-ipv4-basic-2010] rule permit source 10.1.1.0 0.0.0.255
    [RouterB-acl-ipv4-basic-2010] quit
    # Configure a security zone. For more information, see Fundamentals Configuration Guide. (Details not shown.)
    # Configure strict uRPF check for security zone Untrust and allow using ACL 2010 to match packets.
    <RouterB>...
  • Page 577: Configuring Ipv6 Urpf

    Configuring IPv6 uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 578: Ipv6 Urpf Operation

    IPv6 ACLs—To identify specific packets as valid packets, you can use an IPv6 ACL to match these packets. Even if the packets do not pass IPv6 uRPF check, they are still forwarded. IPv6 uRPF operation Figure 170 shows how IPv6 uRPF works. Figure 170 IPv6 uRPF work flow IPv6 uRPF checks whether the received packet carries a multicast destination address: If yes, IPv6 uRPF permits the packet.
  • Page 579: Network Application

    IPv6 uRPF checks whether the source address matches a unicast route: If yes, IPv6 uRPF proceeds to step 3. If no, IPv6 uRPF proceeds to step 6. A non-unicast source address matches a non-unicast route. IPv6 uRPF checks whether the matching route is to the host itself: If yes, the output interface of the matching route is an InLoop interface.
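    The IPv4 work flow on pages 570 to 572 and the IPv6 work flow on pages 578 and 579 describe the same decision sequence: permit multicast destinations, permit an all-zero source only with a broadcast destination (DHCP/BOOTP), look the source up in the FIB (using the default route only when allow-default-route is set), compare the route's output interface with the receiving interface in strict mode or accept any route in loose mode, optionally extend strict mode with the link-layer ARP check, and forward packets matched by the configured ACL even when they fail. The following Python model is an added example, not part of the HPE guide or of Comware; the FibEntry and Urpf classes, interface names, addresses and MACs are constructed, and treating the ACL lookup as the step that follows a failed check is an assumption about the steps the excerpt does not show.

```python
"""uRPF source-address check modelled on the work flow in this guide (constructed example)."""
import ipaddress

IPV4_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


class FibEntry:
    """One FIB route: destination prefix, output interface, next hop (None = directly connected)."""

    def __init__(self, prefix, out_iface, next_hop=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.out_iface = out_iface
        self.next_hop = ipaddress.ip_address(next_hop) if next_hop else None


class Urpf:
    """Strict or loose uRPF for one interface with the allow-default-route, link-check and ACL
    options. arp_table maps (interface, ip-as-string) -> MAC; acl lists exempted source prefixes."""

    def __init__(self, fib, mode="strict", allow_default_route=False,
                 link_check=False, arp_table=None, acl=()):
        if mode not in ("strict", "loose"):
            raise ValueError("mode must be 'strict' or 'loose'")
        self.fib = list(fib)
        self.mode = mode
        self.allow_default_route = allow_default_route
        self.link_check = link_check and mode == "strict"   # link check only extends strict mode
        self.arp_table = arp_table or {}
        self.acl = [ipaddress.ip_network(p) for p in acl]

    def lookup(self, addr):
        """Longest-prefix match of addr over the FIB (same address family only); None if no route."""
        best = None
        for entry in self.fib:
            if addr in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
                best = entry
        return best

    def check(self, src, dst, in_iface, src_mac=None):
        """Return (permit, reason) for a packet src -> dst received on in_iface."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Address validity first: a multicast destination is always permitted.
        if dst.is_multicast:
            return True, "multicast destination"
        # An all-zero source is permitted with an IPv4 broadcast destination (DHCP/BOOTP);
        # otherwise it falls through to the route check (assumption: the excerpt's step 7 is not shown).
        if int(src) == 0 and dst.version == 4 and dst == IPV4_BROADCAST:
            return True, "all-zero source to broadcast (DHCP/BOOTP)"
        # Reverse-path lookup on the source address.
        entry = self.lookup(src)
        if entry is not None and entry.prefix.prefixlen == 0 and not self.allow_default_route:
            entry = None                      # the default route counts only when explicitly allowed
        permit, reason = False, "no route to source"
        if entry is None:
            pass
        elif self.mode == "loose":
            permit, reason = True, "loose: a route to the source exists"
        elif entry.out_iface != in_iface:
            reason = "strict: route points to %s but packet arrived on %s" % (entry.out_iface, in_iface)
        elif self.link_check:
            # Link layer check: the next hop of the matching route (or the source itself when the
            # prefix is directly connected) is resolved in the ARP table and compared with the
            # packet's source MAC.
            hop = entry.next_hop if entry.next_hop is not None else src
            expected = self.arp_table.get((in_iface, str(hop)))
            if expected is not None and expected == src_mac:
                permit, reason = True, "strict with link check passed"
            else:
                reason = "link check: source MAC does not match the ARP entry"
        else:
            permit, reason = True, "strict: route interface matches"
        # ACL exemption: packets matched by the ACL are forwarded even though they failed the check.
        if not permit and any(src in net for net in self.acl):
            return True, "ACL exemption after failed check (%s)" % reason
        return permit, reason


if __name__ == "__main__":
    # Constructed FIB: a connected LAN, a remote prefix via a next hop, and a default route.
    fib = [FibEntry("10.1.1.0/24", "GE1/1/1"),
           FibEntry("192.168.0.0/16", "GE1/1/2", "1.1.1.2"),
           FibEntry("0.0.0.0/0", "GE1/1/3", "2.2.2.1")]
    print(Urpf(fib, mode="strict").check("10.1.1.5", "8.8.8.8", "GE1/1/2"))   # spoofed source
    print(Urpf(fib, mode="loose").check("10.1.1.5", "8.8.8.8", "GE1/1/2"))    # loose accepts it
```

    The same object handles IPv6 routes and addresses because the ipaddress module carries the address family; the broadcast special case simply never applies to IPv6 packets.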
  • Page 580: Enabling Ipv6 Urpf

    As shown in Figure 171, strict IPv6 uRPF check is configured between an ISP network and a customer network. Loose IPv6 uRPF check is configured between ISPs. For special packets or users, you can configure IPv6 ACLs. Enabling IPv6 uRPF You can enable IPv6 uRPF on an interface or for a security zone.
  • Page 581: Ipv6 Urpf Configuration Examples

    Task Command
    • Display IPv6 uRPF configuration (in standalone mode).
      Command: display ipv6 urpf [ security-zone zone-name ] [ slot slot-number ]
    • Display IPv6 uRPF configuration (in IRF mode).
      Command: display ipv6 urpf [ security-zone zone-name ] [ chassis chassis-number slot slot-number ]
    • Display IPv6 uRPF statistics for a security zone (in standalone mode).
      Command: display ipv6 urpf statistics security-zone zone-name
  • Page 582: Ipv6 Urpf Configuration Example For Security Zones

    # Configure strict uRPF check on GigabitEthernet 1/1/1 and allow using the default route for IPv6 uRPF check.
    [RouterA-GigabitEthernet1/1/1] ipv6 urpf strict allow-default-route
    IPv6 uRPF configuration example for security zones
    Network requirements
    As shown in Figure 173, perform the following tasks:
    •...
  • Page 583: Configuring Crypto Engines

    Configuring crypto engines Overview Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types: • Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency.
  • Page 584: Configuring Fips

    Configuring FIPS The device that provides low encryption does not support FIPS. Overview Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high.
  • Page 585: Configuring Fips Mode

    • Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the following tasks: e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.
  • Page 586: Configuration Changes In Fips Mode

    Set the minimum length of user passwords to 15 characters.
    Add a local user account for device management, including the following items:
    A username.
    A password that complies with the password control policies as described in step 3.
    A user role of network-admin.
    A service type of terminal.
  • Page 587: Exiting Fips Mode

    The password for a device management local user and password for switching user roles depend on password control policies. By default, the passwords must contain at least 15 characters and 4 character types of uppercase and lowercase letters, digits, and special characters.
  • Page 588: Fips Self-Tests

    FIPS self-tests To ensure the correct operation of cryptography modules, FIPS provides self-test mechanisms, including power-up self-test and conditional self-test. You can also trigger a self-test. If the power-up self-test fails, the slot where the self-test process exists reboots. If the conditional self-test fails, the system outputs self-test failure information.
  • Page 589: Triggering Self-Tests

    previously generated number. The test fails if any two compared numbers are the same. This test can also be run when a DSA/RSA asymmetrical key-pair is generated. Triggering self-tests To examine whether the cryptography modules operate correctly, you can trigger a self-test on the cryptographic algorithms.
  • Page 590: Entering Fips Mode Through Manual Reboot

    NOTE: After the system displays the Reboot the device automatically? prompt, do not press Ctrl+C to abort the process. If you press Ctrl+C to abort the process, you must use manual reboot to enter FIPS mode. For more information about manual reboot, see Manual reboot. Verifying the configuration After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB.
  • Page 591
    [Sysname] password-control enable
    # Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
    [Sysname] password-control composition type-number 4 type-length 1
    # Set the minimum length of user passwords to 15 characters.
    [Sysname] password-control length 15
    # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
  • Page 592: Exiting Fips Mode Through Automatic Reboot

    confirm:
    Updating user information. Please wait ..…
    <Sysname>
    # Display the current FIPS mode state.
    <Sysname> display fips status
    FIPS mode is enabled.
    Exiting FIPS mode through automatic reboot
    Network requirements
    A user has logged in to the device in FIPS mode through a console/AUX/Async port. Use the automatic reboot method to exit FIPS mode.
  • Page 593
    # Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.
    [Sysname] save
    The current configuration will be written to the device. Are you sure? [Y/N]:y
    Please input the file name(*.cfg)[flash:/startup.cfg]
    (To leave the existing filename unchanged, press the enter key):
    flash:/startup.cfg exists, overwrite? [Y/N]:y
    Validating file.
  • Page 594: Configuring Sma

    Configuring SMA Overview State Machine Based Anti-Spoofing (SMA) prevents IPv6 spoofing attacks between autonomous systems (ASs) by verifying source IPv6 addresses. SMA components Figure 174 SMA network diagram • Trust alliance—A group of ASs that trust each other. ASs in an alliance are member ASs that share the same alliance ID.
  • Page 595: Sma Processes For Packets

    Egress interface—Connected to an AER in another member AS. The device can operate only as an AER. SMA processes for packets SMA provides inter-AS IPv6 source address validation. It enforces source address validity on AERs. An AER validates source IPv6 addresses of packets between the local AS and other ASs in the same trust alliance.
  • Page 596: Displaying And Maintaining Sma

    Step Command Remarks
    • Enter system view.
      Command: system-view
    • Enable SMA.
      Command: sma-anti-spoof ipv6 enable
      Remarks: By default, SMA is disabled.
    • Configure an SSL link between the AER and the ACS.
      Command: sma-anti-spoof ipv6 server ipv6-address ssl-client-policy
      Remarks: By default, the SSL link is not configured between the AER and the ACS. For information about configuring...
  • Page 597
    [AER1] ssl client-policy sma
    # Disable the SSL client from authenticating SSL servers through digital certificates if SSL server authentication is not required. Server authentication is enabled by default.
    [AER1-ssl-client-policy-sma] undo server-verify enable
    [AER1-ssl-client-policy-sma] quit
    # Enable SMA on AER 1 and configure an SSL link between AER 1 and ACS 1.
    [AER1] sma-anti-spoof ipv6 enable
    [AER1] sma-anti-spoof ipv6 server 2001::1 ssl-client-policy sma
    # Configure SMA interfaces for AER 1.
  • Page 598 Effecting time: May 5 07:00:11 2014(i) Transition interval: 3600s...
  • Page 599: Document Conventions And Icons

    Document conventions and icons
    Conventions
    This section describes the conventions used in the documentation.
    Command conventions
    Convention Description
    • Boldface: Bold text represents commands and keywords that you enter literally as shown.
    • Italic: Italic text represents arguments that you replace with actual values.
    • Square brackets enclose syntax choices (keywords or arguments) that are optional.
  • Page 600: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 601: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 602: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 603 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 604 Index LDAP scheme creation, Numerics LDAP server creation, 3DES LDAP server IP address, IPsec encryption algorithm, LDAP server SSH user authentication, LDAP server SSL VPN user authentication+authorization, LDAP user attribute, concurrent login user max, LDAP versions, configuration, 1, 17, 59 local guest attributes, device ID configuration, local guest configuration,...
  • Page 605 troubleshoot RADIUS accounting error, portal authentication type, troubleshoot RADIUS authentication address failure, Address Resolution Protocol. Use troubleshoot RADIUS packet delivery IPv6 uRPF configuration, failure, IPv6 uRPF configuration (interface), user group attribute, IPv6 uRPF configuration (security zone), user management by ISP domains, IPv6 uRPF enable, user management by user access types, uRPF configuration,...
  • Page 606 IPv6 uRPF network, scanning configuration, recognition. See source MAC-based attack detection, 546, 548 uRPF network, source MAC-based detection display, applying unresolvable IP attack, 543, 545 ASPF policy (interface), unresolvable IP attack blackhole routing, ASPF policy (zone pair), unresolvable IP attack protection display, attack D&P policy application unresolvable IP attack source suppression, (device),...
  • Page 607 client verification configuration ASPF application inspection (FTP), (TCP)(interface-based), ASPF application inspection (H.323), client verification configuration (TCP)(security ASPF application inspection (TCP), zone-based), ASPF configuration, 459, 462, 465 configuration, 509, 516, 534 attacking defense policy configuration, detection and prevention. See attack D&P defense policy configuration (ACK flood attribute attack),...
  • Page 608 IPsec IKE DSA signature authentication, AAA configuration, 1, 17, 59 IPsec IKE pre-shared key authentication, AAA ISP domain authorization method, IPsec IKE RSA signature authentication, AAA LDAP authorization, IPsec IKEv2 configuration (pre-shared key AAA LDAP process, authentication), AAA local SSH user IPsec IKEv2 configuration (RSA signature authentication+authorization, authentication),...
  • Page 609 troubleshooting PKI CA certificate import AAA command accounting method, failure, AAA command authorization method, troubleshooting PKI CA certificate obtain complexity checking (password control), failure, composition checking (password control), conditional self-test, AAA RADIUS class attribute as CAR configuring parameter, AAA, 1, 17, 59 certificate AAA device ID, authority.
  • Page 610 ARP attack detection (source attack D&P defense policy (scanning attack), MAC-based), 546, 548 attack D&P defense policy (single-packet ARP attack protection, attack), ARP attack protection (unresolvable IP attack D&P defense policy (SYN flood attack), 543, 545 attack), ARP attack protection blackhole routing attack D&P defense policy (SYN-ACK flood (unresolvable IP attack), attack),...
  • Page 611 IPsec IKEv2, 318, 319, 328 PKI certificate request abort, IPsec IKEv2 (NAT traversal), PKI certificate-based access control policy, IPsec IKEv2 (pre-shared key PKI domain, authentication), PKI entity, IPsec IKEv2 (RSA signature PKI OpenCA server certificate request, authentication), PKI RSA Keon CA server certificate request, IPsec IKEv2 address pool, PKI Windows 2003 CA server certificate IPsec IKEv2 DPD,...
  • Page 612 security portal authentication local portal Web support of dual stack for portal authentication, server, uRPF, 555, 560 service object group, uRPF (interface), session management, 481, 482 uRPF (security zone), session management logging, user profile, 163, 163 SMA, 580, 581, 582 VRF-aware SSL VPN, source MAC consistency check, connecting...
  • Page 613 (index, two columns)
    Column 1: SSL VPN Web access service resources, 435, 435, PKI, PKI architecture, PKI CA policy, PKI certificate export, ...
    Column 2: attack D&P defense policy (flood attack), attack D&P defense policy (ICMP flood attack), attack D&P defense policy (ICMPv6 flood attack), attack D&P defense policy (scanning attack), attack D&P defense policy (single-packet attack), ...
  • Page 614 (index, two columns)
    Column 1: AAA HWTACACS authentication server, AAA HWTACACS authorization server, AAA HWTACACS implementation, AAA HWTACACS scheme, AAA HWTACACS scheme VPN instance, AAA HWTACACS server PPP user, ...
    Column 2: attack D&P device-preventable attacks, attack D&P policy application (device), attack D&P policy application (security zone), authorized ARP configuration (DHCP server), connection limit configuration, 491, 494, crypto engine configuration, ...
  • Page 615 (index, two columns)
    Column 1: SSH Secure Telnet server configuration (publickey authentication), SSH Secure Telnet server connection establishment, SSH Secure Telnet server enable, SSH server configuration, SSH SFTP client, ...
    Column 2: PKI certificate request (automatic), PKI certificate request (manual), PKI certificate request abort, PKI certificate verification, PKI certificate-based access control policy, PKI configuration, 192, 195, 206, ...
  • Page 616 (index, two columns)
    Column 1: IPv6 uRPF, keychain, object group, object policy, password control, PKI, portal authentication, public key, session management, SMA, SSH, ...
    Column 2: SSH Secure Telnet client configuration (publickey authentication), DSCP, AAA RADIUS packet DSCP priority change, dual stack, support of dual stack for portal authentication, portal support, ECDSA, ...
  • Page 617 (index, two columns)
    Column 1: session management statistics collection (software fast forwarding), session management top session statistics, SSH SCP server, SSH Secure Telnet server, SSH SFTP server, SSL VPN logging, ...
    Column 2: peer host public key, 186, 187, SSH client host public key, IPsec security protocol 50, establishing, group domain VPN, IPsec tunnel establishment, SSH SCP server connection, ...
  • Page 618 (index, two columns)
    Column 1: mode entry, mode entry (automatic reboot), mode entry (manual reboot), mode exit, mode exit (automatic reboot), mode exit (manual reboot), mode system changes, self-test, ...
    Column 2: portal authentication forced type, format, AAA HWTACACS username, AAA RADIUS packet format, AAA RADIUS username, specifying NAS-Port-Id attribute format, forwarding, ND attack defense configuration, ...
  • Page 619 (index, two columns)
    Column 1: SSL VPN Web access service resources, 435, 435, 435, VRF-aware SSL VPN, VRF-aware SSL VPN configuration, VRF-aware SSL VPN gateway VPN instance association, GDOI, group domain VPN GDOI GM configuration, group domain VPN GDOI GM group, ...
    Column 2: ASPF configuration, H.323, ASPF application inspection (H.323), handshaking, SSL handshake protocol, hardware, crypto engine configuration, ...
  • Page 620 (index, two columns)
    Column 1: display, HWTACACS/RADIUS differences, maintain, outgoing packet source IP address, packet exchange process, protocols and standards, scheme configuration, scheme creation, scheme VPN instance, ...
    Column 2: group domain VPN GDOI IPsec policy application, group domain VPN registration (IKE negotiation), identity authentication, IKE-based IPsec profile configuration, invalid SPI recovery, IPsec negotiation mode, IPsec policy (IKE-based/direct), ...
  • Page 621 (index, two columns)
    Column 1: policy configuration, profile configuration, proposal configuration, protocols and standards, SA rekeying, troubleshoot, troubleshoot negotiation failure (no proposal match), ...
    Column 2: AAA RADIUS class attribute as CAR parameter, intrusion detection/protection, session management, session management configuration, security. Use IPsec, SSL VPN access control, SSL VPN configuration, 424, 431, 445, AAA RADIUS session-control, SSL VPN IP access configuration, ...
  • Page 622 (index, two columns)
    Column 1: ACL-based implementation, ACL-based IPsec, anti-replay redundancy, application-based IPsec, 233, 234, authentication, authentication algorithms, configuration, 229, 259, crypto engine, display, ...
    Column 2: IKEv2 configuration (pre-shared key authentication), IKEv2 configuration (RSA signature authentication), IKEv2 cookie challenge, IKEv2 DPD configuration, IKEv2 global parameters, IKEv2 keychain configuration, IKEv2 NAT keepalive, IKEv2 negotiation, ...
  • Page 623 (index, two columns)
    Column 1: troubleshoot SA negotiation failure (no transform set match), 315, 346, troubleshoot SA negotiation failure (tunnel failure), tunnel configuration, tunnel establishment, tunnel for IPv4 packets (IKE-based), tunnel for IPv4 packets (manual), tunnel for IPv6 packets (IKE-based), ...
    Column 2: configuration (security zone), display, enable, features, network application, operation, ISAKMP, IPsec IKE configuration (remote extended authentication), ...
  • Page 624 (index, two columns)
    Column 1: IPsec IKE keychain configuration, IPsec IKEv2 keychain configuration, troubleshooting IPsec IKE negotiation failure (no keychain specified correctly), keyword, IPsec ACL rule keywords, group domain VPN structure, ...
    Column 2: limiting, ARP packet rate limit, connection limit. See connection limit, link, uRPF link layer check, local, AAA local accounting method, AAA local authentication, AAA local authentication configuration, ...
  • Page 625 (index, two columns)
    Column 1: SSL services, MAC addressing, ARP attack detection (source MAC-based), 546, 548, ARP attack protection configuration, ARP packet source MAC consistency check, maintaining, ...
    Column 2: minimum password length, mirroring, IPsec mirror image ACLs, IPsec non-mirror image ACLs, mode, attack D&P TCP proxy in safe reset mode, attack D&P TCP proxy in SYN cookie mode, ...
  • Page 626 (index, two columns)
    Column 1: AAA device implementation, AAA HWTACACS implementation, AAA LDAP implementation, AAA MPLS L3VPN implementation, AAA NAS-ID profile configuration, AAA RADIUS implementation, NAS-ID, ...
    Column 2: AAA ISP domain attribute, AAA ISP domain authentication method, AAA ISP domain authorization method, AAA ISP domain creation, AAA ISP domain method, AAA LDAP implementation, AAA LDAP scheme, ...
  • Page 627 (index, two columns)
    Column 1: attack D&P client verification configuration (DNS)(security zone-based), attack D&P client verification configuration (HTTP)(interface-based), attack D&P client verification configuration (HTTP)(security zone-based), attack D&P client verification configuration (TCP)(interface-based), ...
    Column 2: IPsec IKE configuration (aggressive mode+RSA signature authentication), IPsec IKE configuration (main mode+pre-shared key authentication), IPsec IKE configuration (remote extended authentication), IPsec IKE IPv4 address pool, ...
  • Page 628 (index, two columns)
    Column 1: password control parameters (global), password control parameters (local user), password control parameters (super), password control parameters (user group), peer host public key entry, PKI applications, ...
    Column 2: portal authentication server detection+user synchronization, 145, 151, portal authentication system components, portal preauthentication domain, portal third-party authentication domain, public key import from file, Secure Telnet client user line, ...
  • Page 629 (index, two columns)
    Column 1: SSH SFTP server configuration (password authentication), SSH SFTP server connection establishment, SSH SFTP server connection termination, SSH SFTP server enable, ...
    Column 2: object group configuration, object policy configuration, 501, 501, 506, password control configuration, 165, 168, 172, PKI configuration, 192, 195, 206, portal authentication configuration, 82, 89, public key management, 182, 187, ...
  • Page 630 (index, two columns)
    Column 1: rule configuration, rule match order, rule match order change, rule matching acceleration enable, rule numbering, object group configuration, portal authentication BAS-IP for unsolicited portal packets, ...
    Column 2: IPv6 uRPF configuration, 563, 567, IPv6 uRPF configuration (interface), IPv6 uRPF configuration (security zone), IPv6 uRPF enable, NBAR, rule match, obtaining, PKI certificate, offline, ...
  • Page 631 (index, two columns)
    Column 1: FIPS compliance, maintain, max user account idle time, parameters (global), parameters (local user), parameters (super), parameters (user group), password complexity checking, ...
    Column 2: certificate request (automatic), certificate request (manual), certificate request abort, certificate verification, certificate verification (CRL checking), certificate verification (w/o CRL checking), certificate-based access control policy, configuration, 192, 195, 206, ...
  • Page 632 (index, two columns)
    Column 1: group domain VPN GDOI IPsec policy, group domain VPN GDOI IPsec policy application, IPsec application to interface, IPsec configuration (manual), IPsec IKEv2 configuration, IPsec policy (IKE-based/direct), IPsec policy (IKE-based/template), ...
    Column 2: authentication server, authentication source subnet, BAS-IP, BAS-IPv6, captive-bypass, client, client and local portal server interaction, client ARP entry conversion enable, 112, 112, ...
  • Page 633 (index, two columns)
    Column 1: server detection+user synchronization configuration, 145, 151, specifying NAS-Port-Id attribute format, support of dual stack, system component interaction, system components, third-party authentication server, ...
    Column 2: applying attack D&P policy application (device), applying attack D&P policy application (security zone), applying connection limit policy, applying group domain VPN GDOI IPsec, ...
  • Page 634 (index, two columns)
    Column 1: configuring AAA RADIUS DAS, configuring AAA RADIUS Login-Service attribute check method, configuring AAA RADIUS scheme, configuring AAA RADIUS server SSH user authentication+authorization, configuring AAA RADIUS server status, ...
    Column 2: configuring attack D&P client verification (DNS)(security zone-based), configuring attack D&P client verification (HTTP), configuring attack D&P client verification (HTTP)(interface-based), configuring attack D&P client verification, ...
  • Page 635 (index, two columns)
    Column 1: configuring group domain VPN, configuring group domain VPN GDOI GM, configuring group domain VPN GDOI GM group, configuring group domain VPN GDOI IPsec policy, configuring IKE-based IPsec profile, ...
    Column 2: configuring IPsec policy (IKE-based), configuring IPsec policy (IKE-based/direct), configuring IPsec policy (IKE-based/template), configuring IPsec policy (manual), configuring IPsec RIPng, configuring IPsec RRI, ...
  • Page 636 (index, two columns)
    Column 1: configuring portal authentication cross-subnet, configuring portal authentication destination subnet, configuring portal authentication fail-permit, configuring portal authentication HTTPS redirect, ...
    Column 2: configuring security portal authentication server BAS-IP, configuring security portal authentication server BAS-IPv6, configuring security portal authentication server detection, configuring security portal authentication server detection+user synchronization, 145, 151, ...
  • Page 637 (index, two columns)
    Column 1: configuring SSL VPN TCP access service resources, configuring SSL VPN URI ACL, configuring SSL VPN user control, configuring SSL VPN Web access, configuring SSL VPN Web access service resources, ...
    Column 2: displaying FIPS, displaying group domain VPN GDOI GM display, displaying host public key, displaying IPsec, displaying IPsec IKE, displaying IPsec IKEv2, ...
  • Page 638 (index, two columns)
    Column 1: enabling portal authorization strict-checking mode, enabling portal logging, enabling rule matching acceleration, enabling security portal authentication roaming, enabling session management statistics collection (software fast forwarding), enabling session management top session, ...
    Column 2: maintaining attack D&P, maintaining connection limit, maintaining crypto engine, maintaining group domain VPN GDOI GM display, maintaining IPsec, maintaining IPsec IKE, maintaining IPsec IKEv2, ...
  • Page 639 (index, two columns)
    Column 1: specifying AAA HWTACACS authorization server, specifying AAA HWTACACS outgoing packet source IP address, specifying AAA HWTACACS scheme VPN instance, specifying AAA HWTACACS shared keys, specifying AAA LDAP attribute map for, ...
    Column 2: troubleshooting AAA RADIUS accounting error, troubleshooting AAA RADIUS authentication failure, troubleshooting AAA RADIUS packet delivery failure, troubleshooting connection limit overlapping ACL segments, ...
  • Page 640 (index, two columns)
    Column 1: AAA NAS-ID profile configuration, AAA RADIUS server status detection test profile, IKE-based IPsec profile, IKE-based IPsec profile tunnel interface application, ...
    Column 2: host public key display, host public key export, local host public key distribution, local key pair creation, local key pair destruction, management, 182, 187, ...
  • Page 641 (index, two columns)
    Column 1: maintain, outgoing packet source IP address, packet DSCP priority change, packet exchange process, packet format, portal authentication interface NAS-ID profile, protocols and standards, Remanent_Volume attribute data measurement unit, ...
    Column 2: redundancy, IPsec anti-replay redundancy, registering, group domain VPN registration, registration authority. Use, rekey, group domain VPN, IKEv2 SA rekeying, relay agent, ...
  • Page 642 (index, two columns)
    Column 1: portal authentication roaming, rollback, APR signature database update, rolling back, APR signature database, route, IPsec RRI, IPsec RRI configuration, ...
    Column 2: IPsec ACL rule keywords, NBAR rule match, object policy, object policy configuration, 501, 501, 506, object policy rule configuration, object policy rule match order, object policy rule match order change, object policy rule matching acceleration, ...
  • Page 643 (index, two columns)
    Column 1: client device configuration, client local key pair generation, client local key pair generation restrictions, configuration, server configuration (password authentication), ...
    Column 2: attack D&P client verification (TCP), attack D&P configuration, 509, 516, 534, attack D&P defense policy, attack D&P detection exemption, attack D&P device-preventable attacks, attack D&P display, attack D&P log non-aggregation, ...
  • Page 644 (index, two columns)
    Column 1: IPsec packet DF bit, IPsec packet logging enable, IPsec policy configuration restrictions, IPsec policy configuration restrictions (IKE-based), IPsec protocols, IPsec protocols and standards, IPsec QoS pre-classify enable, ...
    Column 2: setting maximum number of IPsec tunnels, SSL VPN webpage customization, top attack statistics, troubleshooting IPsec IKE, troubleshooting IPsec IKEv2, troubleshooting PKI CA certificate failure, troubleshooting PKI CA certificate import, ...
  • Page 645 (index, two columns)
    Column 1: ARP packet source MAC consistency check, ARP scanning, ARP scanning configuration restrictions, ASPF application inspection (FTP), ASPF application inspection (H.323), ASPF application inspection (TCP), ...
    Column 2: fixed ARP configuration restrictions, group domain VPN configuration, group domain VPN configuration restrictions, group domain VPN GDOI GM display, group domain VPN GDOI GM group, group domain VPN GDOI GM maintain, ...
  • Page 646 (index, two columns)
    Column 1: PKI architecture, PKI CA policy, PKI certificate obtain, PKI certificate request, 198, 198, PKI certificate request (automatic), 199, 199, PKI certificate request (manual), PKI certificate request abort, ...
    Column 2: portal authentication re-DHCP configuration, portal authentication re-DHCP configuration+preauthentication domain, portal authentication roaming, portal authentication security check function, portal authentication server, portal authentication server detection, portal authentication source subnet, ...
  • Page 647 (index, two columns)
    Column 1: SSH local key pair configuration restrictions, SSH management parameters, SSH SCP client device, SSH SCP client local key pair generation, SSH SCP file transfer+password authentication, ...
    Column 2: SSL configuration, 419, 420, SSL display, SSL security services, SSL server policy configuration, SSL VPN access control, SSL VPN access modes, SSL VPN configuration, ...
  • Page 648 (index, two columns)
    Column 1: VRF-aware SSL VPN gateway VPN instance association, security zone, APR NBAR configuration, object policy configuration, 501, 501, 506, server, AAA HWTACACS quiet timer, AAA HWTACACS response timeout timer, ...
    Column 2: session state machine loose mode, session statistics collection enable (software fast forwarding), top session statistics, setting, AAA concurrent login user max, AAA HWTACACS timer, ...
  • Page 649 (index, two columns)
    Column 1: AAA RADIUS, signature, APR signature database management, 472, 475, APR signature database rollback, IPsec IKEv2 configuration (RSA signature authentication), signature authentication (IKE), single-channel protocol (ASPF), ...
    Column 2: access device ID, NAS-Port-Id attribute format, PKI storage path, portal authentication domain, portal preauthentication domain, portal third-party authentication domain, portal user preauthentication IP address pool for portal user, ...
  • Page 650 (index, two columns)
    Column 1: NETCONF-over-SSH+password authentication configuration, peer host public key entry, public key import from file, public key management, 182, 187, SCP, SCP client device, SCP client local key pair generation, SCP file transfer+password, ...
    Column 2: user configuration, user configuration restrictions, versions, SSH2, algorithms, algorithms (encryption), algorithms (key exchange), algorithms (MAC), algorithms (public key), ...
  • Page 651 (index, two columns)
    Column 1: VRF-aware configuration, VRF-aware SSL VPN context+VPN instance association, VRF-aware SSL VPN gateway VPN instance association, Web access configuration, Web access service resources, 435, 435, 435, ...
    Column 2: attack D&P client verification (HTTP), attack D&P client verification (TCP), attack D&P client verification configuration (DNS)(interface-based), attack D&P client verification configuration (DNS)(security zone-based), attack D&P client verification configuration, ...
  • Page 652 (index, two columns)
    Column 1: portal authentication configuration, Secure Telnet client local key pair generation, SMA configuration, 580, 581, 582, SSH authentication methods, SSH configuration, SSH SCP client local key pair generation, SSH server local key pair generation, ...
    Column 2: SSH SFTP server connection, testing, AAA RADIUS server status detection test profile, FIPS conditional self-test, FIPS power-up self-test, FIPS triggered self-test, TFTP, ...
  • Page 653 (index, two columns)
    Column 1: AAA RADIUS packet delivery failure, connection limit overlapping ACL segments, connection limits, IPsec IKE, IPsec IKE negotiation failure (no proposal match), IPsec IKE negotiation failure (no proposal or keychain specified correctly), ...
    Column 2: IPsec tunnel for IPv6 packets (IKE-based), troubleshooting IPsec SA negotiation failure (tunnel failure), AAA RADIUS implementation, AAA RADIUS packet format, AAA RADIUS request transmission attempts, ...
  • Page 654 (index, two columns)
    Column 1: portal authentication re-DHCP configuration, portal authentication re-DHCP configuration+preauthentication domain, portal authentication roaming, portal authentication user access, portal authentication user online detection, portal authentication user, ...
    Column 2: PKI certificate with CRL checking, version, AAA LDAP, VLAN, ND attack defense configuration, portal authentication portal-free rule, portal authentication roaming, AAA HWTACACS scheme VPN instance, ...
  • Page 655 (index)
    portal authentication Web server detection, security portal authentication direct local portal Web server, security portal authentication local portal Web server, security portal authentication local portal web server, security portal authentication Web server specifying, SSL VPN access control, SSL VPN configuration, 424, 431, 445, SSL VPN file policy, SSL VPN IP access configuration, ...