HP VSR1000 Virtual Services Router Security Configuration Guide
Part number: 5998-6033
Software version: VSR1000_HP-CMW710-R0202-X64
Document version: 6W100-20140418...
Contents
Configuring AAA 1
Overview 1
RADIUS 2
HWTACACS 7
LDAP 9
AAA implementation on the device 11
AAA for MPLS L3VPNs 13
Protocols and standards 14
...
Configuring a portal authentication server 70
Configuring a portal Web server 71
Enabling portal authentication on an interface 71
Configuration restrictions and guidelines 71
Configuration procedure 72
Referencing a portal Web server for an interface 72
...
Managing public keys 123
Overview 123
FIPS compliance 123
Creating a local key pair 123
Configuration guidelines 123
Configuration procedure 124
Distributing a local host public key 125
...
Failed to request local certificates 166
Failed to obtain CRLs 167
Failed to import the CA certificate 167
Failed to import a local certificate 168
Failed to export certificates 168
Failed to set the storage path ...
Configuring the IKE NAT keepalive function 221
Configuring IKE DPD 222
Enabling invalid SPI recovery 223
Setting the maximum number of IKE SAs 223
Configuring SNMP notifications for IKE 223
Displaying and maintaining IKE 224
...
Configuring SSL 282
Overview 282
SSL security mechanism 282
SSL protocol stack 282
FIPS compliance 283
SSL configuration task list 283
Configuring an SSL server policy 283
...
Exiting FIPS mode through automatic reboot 343
Exiting FIPS mode through manual reboot 344
Support and other resources 346
Contacting HP 346
Subscription service 346
Related information 346
...
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the user's access to resources.
• ...
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS operates in the following workflow:
The host sends a connection request that includes the user's username and password to the RADIUS client.
The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting for the user. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure smooth packet exchange between the RADIUS server and the client.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered padding and are ignored by the receiver. If the length of a received packet is less than this length, the packet is dropped.
As shown in Figure 5, a sub-attribute encapsulated in attribute 26 consists of the following parts:
• Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contain a code compliant to RFC 1700. The vendor ID of HP is 25506.
• Vendor-Type—Type of the sub-attribute.
• Vendor-Length—Length of the sub-attribute.
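As an added example that is not from the HP guide, the following Python parser applies the Length rules given above (bytes beyond Length are ignored as padding; a datagram shorter than Length is dropped) and decodes a Vendor-Specific attribute 26 whose Vendor-ID is HP's 25506. The sample Access-Accept, its all-zero Authenticator and the sub-attribute number 250 are constructed placeholders, and the range checks on attribute lengths are defensive additions rather than rules stated in the guide.

```python
"""RADIUS datagram parser following the Length and attribute-26 layout described above.
Added example, not code from the HP guide; sample values below are constructed."""
import struct
from dataclasses import dataclass, field

HEADER_LEN = 20               # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute
HP_VENDOR_ID = 25506          # HP's vendor ID as given in the guide
PLACEHOLDER_SUBTYPE = 250     # constructed placeholder, not a real HP sub-attribute number


@dataclass
class VendorSubAttr:
    vendor_type: int
    value: bytes


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    authenticator: bytes
    attributes: list = field(default_factory=list)    # (type, value) for non-VSA attributes
    vendor_attrs: dict = field(default_factory=dict)  # Vendor-ID -> [VendorSubAttr]
    padding: int = 0                                  # bytes past Length that were ignored


def parse_vsa(value):
    """Decode an attribute-26 value: 4-byte Vendor-ID, then Vendor-Type/Vendor-Length/value."""
    if len(value) < 4:
        raise ValueError("attribute 26 shorter than its Vendor-ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise ValueError("most significant byte of Vendor-ID must be 0")
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated Vendor-Type/Vendor-Length header")
        vtype, vlen = value[pos], value[pos + 1]
        # Vendor-Length covers the 2-byte sub-header plus the value (defensive check).
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("Vendor-Length out of range")
        subs.append(VendorSubAttr(vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def parse_radius(datagram):
    """Return a RadiusPacket, or None when the guide's rules say the packet is dropped."""
    if len(datagram) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    # Length must cover at least the header and the datagram must carry Length bytes;
    # anything received beyond Length is padding and is ignored.
    if length < HEADER_LEN or len(datagram) < length:
        return None
    pkt = RadiusPacket(code, ident, datagram[4:HEADER_LEN], padding=len(datagram) - length)
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        val = datagram[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(val)
            pkt.vendor_attrs.setdefault(vendor_id, []).extend(subs)
        else:
            pkt.attributes.append((atype, val))
        pos += alen
    return pkt


# Helpers that build the constructed sample packet.
def build_attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_hp_vsa(vendor_type, value):
    sub = bytes([vendor_type, len(value) + 2]) + value
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", HP_VENDOR_ID) + sub)


def build_packet(code, ident, authenticator, attrs, padding=b""):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body + padding


# Constructed Access-Accept (code 2): User-Name, one HP sub-attribute, three trailing padding bytes.
SAMPLE_PACKET = build_packet(2, 7, bytes(16),
                             [build_attr(1, b"alice@dom1"), build_hp_vsa(PLACEHOLDER_SUBTYPE, b"demo")],
                             padding=b"\x00\x00\x00")
```

Truncating SAMPLE_PACKET below its Length field (for example to 40 bytes) makes parse_radius return None, which is the drop behaviour the guide describes.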
Figure 5 Format of attribute 26
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users.
Figure 6 Basic HWTACACS packet exchange process for a Telnet user (participants: Host, HWTACACS client, HWTACACS server)
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password
...
The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
• Obtain the access rights to the LDAP server.
• Check the validity of user information.
• The search operation constructs search conditions and obtains the directory resource information of the LDAP server.
In LDAP authentication, the client completes the following tasks:
Uses the LDAP server administrator DN to bind with the LDAP server.
After receiving the request, the LDAP client establishes a TCP connection with the LDAP server. To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server. The LDAP server processes the request.
• Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal users can access through a console port.
• Portal—Portal users must pass portal authentication to access the network.
NOTE:
The device also provides authentication modules (such as portal) for implementation of user authentication management policies.
• No accounting—The NAS does not perform accounting for the users.
• Local accounting—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users who use the same local user account, but does not provide statistics for charging.
Protocols and standards
The following protocols and standards are related to AAA, RADIUS, HWTACACS, and LDAP:
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• ...
Maximum idle time permitted for the user before termination of the session.
Attribute | Description
Calling-Station-Id | User identification that the NAS sends to the server. For the LAN access service provided by an HP device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.
NAS-Identifier | Identification that the NAS uses to identify itself to the RADIUS server.
Sub-attribute | Description
Input-Basic-Rate | Basic rate in the direction from the user to the NAS, in bps.
Output-Peak-Rate | Peak rate in the direction from the NAS to the user, in bps.
Output-Average-Rate | Average rate in the direction from the NAS to the user, in bps.
Output-Basic-Rate | Basic rate in the direction from the NAS to the user, in bps.
Sub-attribute | Description
Input-Interval-Packets | Number of packets input within an accounting interval, in the unit set on the NAS.
Output-Interval-Packets | Number of packets output within an accounting interval, in the unit set on the NAS.
Input-Interval-Gigawords | Amount of bytes input within an accounting interval, in units of 4G bytes.
Output-Interval-Gigawords | Amount of bytes output within an accounting interval, in units of 4G bytes.
To configure AAA, perform the following tasks:
Tasks at a glance
(Required.) Perform at least one of the following tasks to configure local users or AAA schemes:
• Configuring local users
• Configuring RADIUS schemes
• Configuring HWTACACS schemes
• Configuring LDAP schemes
(Required.) Configure AAA methods for ISP domains:
(Required.) ...
• User group—Each local user belongs to a local user group and has all attributes of the group. The attributes include the password control attributes and authorization attributes. For more information about local user groups, see "Configuring user group attributes."
• Binding attributes—Binding attributes control the scope of users, and are checked during local ...
Step | Command | Remarks
Command:
• For a network access user: password { cipher | simple } password
• ...
Remarks: Network access user passwords are encrypted with the encryption algorithm and saved in ciphertext. Device management user passwords are encrypted with the hash algorithm and saved in ciphertext. In non-FIPS mode, a ...
Step | Command | Remarks
Remarks: The following default settings apply:
• The ACL, idle timeout period, and VLAN authorization attributes are not configured for local users.
• FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.
Configuring user group attributes User groups simplify local user configuration and management. A user group contains a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attributes management for the local users in the group.
Task: Display the user group configuration.
Command: display user-group [ group-name ]
Configuring RADIUS schemes
A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters. The device uses the parameters to exchange information with the RADIUS servers, including the server IP addresses, UDP port numbers, shared keys, and server types.
• If the device does not receive any response from the server within the interval, it sets the server to the blocked state.
The device refreshes the RADIUS server status at each detection interval according to the detection result. The device stops detecting the status of the RADIUS server when one of the following operations is performed:
The RADIUS server is removed from the RADIUS scheme.
Step: Enter system view.
Command: system-view
Step: Enter RADIUS scheme view.
Command: radius scheme radius-scheme-name
Command:
• Specify the primary RADIUS authentication server: primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile ...
Remarks: Configure at least one command. By default, no authentication server is specified. To support server status detection, ...
Command:
• Specify the primary RADIUS accounting server: primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
• Specify RADIUS accounting ...
Remarks: Configure at least one command. By default, no accounting server is specified. Two accounting servers in a ...
Step: Specify a VPN for the RADIUS scheme.
Command: vpn-instance vpn-instance-name
Remarks: By default, a RADIUS scheme belongs to the public network.
Setting the username format and traffic statistics units
A username is in the format userid@isp-name, where isp-name represents the user's ISP domain name. By default, the ISP domain name is included in a username.
Step: Set the maximum number of RADIUS request transmission attempts.
Command: retry retry-times
Remarks: The default setting is 3.
Setting the status of RADIUS servers
To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active.
Step: Enter RADIUS scheme view.
Command: radius scheme radius-scheme-name
Command:
• Set the status of the primary RADIUS authentication server: state primary authentication { active | block }
• Set the status of the primary RADIUS ...
Remarks: Configure at least one command.
Step: Enter system view.
Command: system-view
Step: Specify a source IP address for outgoing RADIUS packets.
Command: radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Remarks: By default, the IP address of the RADIUS packet outbound interface is used as the source IP address.
To specify a source IP address for a RADIUS scheme:
Step Command...
NAS. The security policy server is the management and control center of the HP EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
Step: Specify a security policy server.
Command: security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Remarks: By default, no security policy server is specified for a scheme. You can specify up to eight security policy servers for a RADIUS scheme.
Interpreting the RADIUS class attribute as CAR parameters
A RADIUS server might deliver CAR parameters for user-based traffic monitoring and control by using the RADIUS class attribute (attribute 25).
Step: Configure the service consistency check mode for SSH, FTP, and terminal users.
Command: attribute 15 check-mode { loose | strict }
Remarks: The default check mode is strict.
Enabling SNMP notifications for RADIUS
When SNMP notifications are enabled for RADIUS, the SNMP agent supports the following notifications generated by RADIUS:
• RADIUS server unreachable notification—The RADIUS server cannot be reached.
Tasks at a glance
(Required.) Specifying the HWTACACS authentication servers
(Optional.) Specifying the HWTACACS authorization servers
(Optional.) Specifying the HWTACACS accounting servers
(Required.) Specifying the shared keys for secure HWTACACS communication
(Optional.) Specifying a VPN for the scheme
(Optional.) Setting the username format and traffic statistics units
(Optional.) Specifying the source IP address for outgoing HWTACACS packets
(Optional.) ...
Command:
• Specify the primary HWTACACS authentication server: primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance ...
Remarks: Configure at least one command. By default, no authentication server is specified.
If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time. HWTACACS does not support accounting for FTP, SFTP, and SCP users. To specify HWTACACS accounting servers for an HWTACACS scheme: Step Command...
Step: Enter system view.
Command: system-view
Step: Enter HWTACACS scheme view.
Command: hwtacacs scheme hwtacacs-scheme-name
Step: Specify a VPN for the HWTACACS scheme.
Command: vpn-instance vpn-instance-name
Remarks: By default, an HWTACACS scheme belongs to the public network.
Setting the username format and traffic statistics units
A username is in the format userid@isp-name, where isp-name represents the user's ISP domain name.
• The IP address specified in HWTACACS scheme view applies to one HWTACACS scheme.
• The IP address specified in system view applies to all HWTACACS schemes whose servers are in a VPN or the public network.
Before sending an HWTACACS packet, the NAS selects a source IP address in the following order:
The source IP address specified for the HWTACACS scheme.
• When the primary server is in active state, the device communicates with the primary server.
• If the primary server fails, the device performs the following tasks:
Changes the server's status to blocked.
Starts a quiet timer for the server.
Tries to communicate with a secondary server in active state that has the highest priority.
Task: Display the configuration or server statistics of HWTACACS schemes.
Command: display hwtacacs scheme [ hwtacacs-server-name [ statistics ] ]
Task: Clear HWTACACS statistics.
Command: reset hwtacacs statistics { accounting | all | authentication | authorization }
Configuring LDAP schemes
Configuration task list
Tasks at a glance
Configuring an LDAP server:
• ...
To specify the LDAP version:
Step: Enter system view.
Command: system-view
Step: Enter LDAP server view.
Command: ldap server server-name
Step: Specify the LDAP version.
Command: protocol-version { v2 | v3 }
Remarks: By default, LDAPv3 is used. A Microsoft LDAP server supports only LDAPv3.
LDAP provides a DN search mechanism for obtaining the user DN. According to the mechanism, an LDAP client sends search requests to the server based on the search policy determined by the LDAP user attributes of the LDAP client. The LDAP user attributes include:
• Search base DN
...
Specifying the LDAP authentication server
Step: Enter system view.
Command: system-view
Step: Enter LDAP scheme view.
Command: ldap scheme ldap-scheme-name
Step: Specify the LDAP authentication server.
Command: authentication-server server-name
Remarks: By default, no LDAP authentication server is specified.
Displaying and maintaining LDAP
Execute the display command in any view.
Task: Display the configuration of LDAP schemes.
• The authentication domain specified for the access module. You can specify an authentication domain for portal authentication.
• The ISP domain in the username.
• The default ISP domain of the device.
• The ISP domain configured for users that include unknown domain names.
...
• User online duration including idle cut period—If a user goes offline due to connection failure or malfunction, its online duration sent to the server includes the idle cut period or user online detection period. The online duration that is generated on the server is longer than the actual online duration of the user.
role authentication. The variable n has the same value as the variable n in the target user role level-n.
Configuration procedure
To configure authentication methods for an ISP domain:
Step: Enter system view.
Command: system-view
Step: Enter ISP domain view.
Command: domain isp-name
Command: authentication default { hwtacacs-scheme ...
Remarks: By default, the default ...
Configuration guidelines
When configuring authorization methods, follow these guidelines:
• The device supports HWTACACS authorization but not LDAP authorization.
• To use a RADIUS scheme as the authorization method, reference the same RADIUS scheme that is configured as the authentication method for the ISP domain. If an invalid RADIUS scheme is specified as the authorization method, RADIUS authentication and authorization fail.
Determine the access type or service type to be configured. With AAA, you can configure an accounting method for each access type and service type. Determine whether to configure the default accounting method for all access types or service types. The default accounting method applies to all access users.
Enabling the session-control feature
A RADIUS server running on IMC can use session-control packets to deliver disconnect requests or dynamic authorization change requests. This task enables the device to receive RADIUS session-control packets on UDP port 1812.
To enable the session-control feature:
Step Command Remarks...
Changing the DSCP priority for RADIUS packets
The DSCP priority in the ToS field determines the transmission priority of RADIUS packets. A larger value represents a higher priority.
To change the DSCP priority for RADIUS packets:
Step: Enter system view.
Command: system-view
Step: Change the DSCP priority ...
Remarks: By default, the DSCP priority is 0 for ...
Set the ports for authentication and accounting to 1812 and 1813, respectively. Select the service type Device Management Service. Select the access device type HP. Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the router. The source IP address is chosen in the following order on the router:
1. IP address specified by the nas-ip command
2. IP address specified by the radius nas-ip command
3. IP address of the outbound interface (the default)
Figure 12 Adding the router as an access device...
Figure 13 Adding an account for device management
Configure the router:
# Assign an IP address to interface GigabitEthernet 1/0, the SSH user access interface.
<Router> system-view
[Router] interface gigabitethernet 1/0
[Router-GigabitEthernet1/0] ip address 192.168.1.70 255.255.255.0
[Router-GigabitEthernet1/0] quit
# Assign an IP address to interface GigabitEthernet 2/0, through which the router communicates with the server.
[Router] role default-role enable
# Create a RADIUS scheme.
[Router] radius scheme rad
# Specify the primary authentication server.
[Router-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure communication with the server to expert in plain text.
[Router-radius-rad] key authentication simple expert
# Include the domain names in usernames sent to the RADIUS server.
[Router] public-key local create rsa
[Router] public-key local create dsa
# Enable the SSH service.
[Router] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Create a device management user.
Figure 15 Network diagram
Configuration procedure
Configure the HWTACACS server:
# Set the shared keys for secure communication with the router to expert. (Details not shown.)
# Add an account for the SSH user and specify the password. (Details not shown.)
Configure the router:
# Create an HWTACACS scheme.
# Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
[Router] role default-role enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Assign an IP address to interface GigabitEthernet 1/0, the SSH user access interface.
Configuration procedure
Configure the LDAP server:
NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory.
# Add a user named aaa and set the password to ldap!123456.
On the LDAP server, select Start > Control Panel > Administrative Tools. Double-click Active Directory Users and Computers.
Figure 18 Setting the user's password
Click OK.
# Set the administrator password to admin!123456.
From the user list on the right pane, right-click Administrator and select Set Password. In the dialog box, enter the administrator password. (Details not shown.)
Configure the router:
# Assign an IP address to interface GigabitEthernet 1/0, the SSH user access interface.
[Router] role default-role enable
# Configure an LDAP server.
[Router] ldap server ldap1
# Specify the IP address of the LDAP authentication server.
[Router-ldap-server-ldap1] ip 10.1.1.1
# Specify the administrator DN.
[Router-ldap-server-ldap1] login-dn cn=administrator,cn=users,dc=ldap,dc=com
# Specify the administrator password.
[Router-ldap-server-ldap1] login-password simple admin!123456
# Configure the base DN for user search.
• The password entered by the user is incorrect.
• The RADIUS server and the NAS are configured with different shared keys.
Solution
Check that:
• The NAS and the RADIUS server can ping each other.
• The username is in the userid@isp-name format and the ISP domain is correctly configured on the ...
• The accounting server IP address configured on the NAS is incorrect. For example, the NAS is configured to use a single server to provide authentication, authorization, and accounting services, but in fact the services are provided by different servers.
Solution
Check that:
The accounting port number is correctly configured.
• The user attributes (for example, the username attribute) configured on the NAS are consistent with those configured on the LDAP server.
• The user search base DN for authentication is specified.
...
Users can access more Internet resources after passing the security check. The security check must cooperate with the HP IMC security policy server and the iNode client.
Portal system components
A typical portal system consists of these basic components: authentication client, access device, portal...
Figure 19 Portal system components (authentication clients, access device, portal authentication server, portal Web server, AAA server, security policy server)
Authentication client
An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
Web server. The user can also visit the authentication website to log in. The user must log in through the HP iNode client for extended portal functions. The user enters the authentication information on the authentication page/dialog box and submits the information.
Only the HP iNode client supports re-DHCP authentication. IPv6 portal authentication does not support the re-DHCP authentication mode.
Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device.
The portal authentication server adds the username and password into an authentication request packet and sends it to the access device. Meanwhile, the portal authentication server starts a timer to wait for an authentication reply packet. The access device and the RADIUS server exchange RADIUS packets. The access device sends an authentication reply packet to the portal authentication server to notify authentication success or failure.
The access device detects the IP address change of the client through DHCP and notifies the portal authentication server of the change. After receiving the IP change notification packets from both the client and the access device, the portal authentication server notifies the client of login success.
• The portal authentication server, portal Web server, and RADIUS server have been installed and configured correctly.
• To use the re-DHCP portal authentication mode, make sure the DHCP relay agent is enabled on the access device, and the DHCP server is installed and configured correctly.
• The portal client, access device, and servers can reach each other.
Configuring a portal Web server
A portal Web server pushes the authentication page to users during portal authentication. It is also the Web server to which the device redirects user HTTP requests. Perform this task to configure the following portal Web server parameters:
• URL of the portal Web server
...
• With re-DHCP portal authentication, HP recommends that you also configure authorized ARP on the interface to make sure only valid users can access the network. With authorized ARP configured on the interface, the system learns ARP entries only from the users who have obtained a public address from DHCP.
Controlling portal user access
Configuring a portal-free rule
A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the source/destination IP address, TCP/UDP port number, source MAC address, and access interface. Packets matching a portal-free rule do not trigger portal authentication, so the users sending the packets can directly access the specified external websites. Because matching traffic bypasses authentication entirely, keep portal-free rules as narrow as possible (specific destinations and ports rather than broad address ranges).
authentication source subnet, the access device discards all the user's HTTP packets that do not match any portal-free rule.
When you configure a portal authentication source subnet, follow these restrictions and guidelines:
• Authentication source subnets apply only to cross-subnet portal authentication.
...
If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnets take effect. You can configure multiple authentication destination subnets. If the destination subnets overlap, the subnet with the largest address scope (with the smallest mask or prefix) takes effect.
To configure an IPv4 portal authentication destination subnet:
Step Command...
After you specify a portal authentication domain on an interface, the device uses the specified authentication domain for AAA of all portal users on the interface, ignoring the domain names carried in the usernames. This allows for flexible portal access control. The device selects the authentication domain for a portal user on an interface in this order: the ISP domain specified for the interface, the ISP domain carried in the username, and the system default ISP domain.
ARP and ND detections apply only to direct and re-DHCP portal authentication. ICMP detection applies to all portal authentication modes.
To configure online detection of IPv4 portal users:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure online detection of IPv4 portal users: portal user-detect type { arp | icmp } ... By default, this function is disabled...
detecting heartbeat packets, you must enable the server heartbeat function on the IMC portal authentication server.
To configure the portal authentication server detection function:
1. Enter system view: system-view
2. Enter portal authentication server view: portal server server-name
3. Configure the portal authentication server detection function. By default, portal authentication server detection is disabled.
1. Enter portal Web server view: portal web-server server-name
2. Configure the portal Web server detection function: server-detect [ interval interval ] [ retry retries ] { log | trap } *. By default, portal Web server detection is disabled. This function takes effect regardless...
Configuring the portal fail-permit function
Perform this task to configure the portal fail-permit function on an interface. When the access device detects that the portal authentication server or portal Web server is unreachable, it allows users on the interface to have network access without portal authentication. If you enable fail-permit for both a portal authentication server and a portal Web server on an interface, the interface disables portal authentication when either server is unreachable and resumes portal authentication when both servers are reachable. Fail-permit trades authentication for availability: while it is active, every host on the interface has unauthenticated access, so pair it with server detection that sends log messages or traps so that the open period is recorded.
1. Enter interface view: interface interface-type interface-number
2. Configure BAS-IP for IPv4 portal packets sent to the portal authentication server: portal bas-ip ipv4-address. By default, the BAS-IP attribute of an IPv4 portal response packet sent to the portal authentication server is the source IPv4 address of the packet, and that of an IPv4...
• Clear packet statistics for portal authentication servers: reset portal packet statistics [ server server-name ]
Portal configuration examples
Configuring direct portal authentication
Network requirements
As shown in Figure 22, the host is directly connected to the router (the access device). The host is assigned a public IP address either manually or through DHCP.
Figure 23 Portal server configuration
Configure the IP address group:
1. Select User Access Policy > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page.
2. Click Add to enter the page shown in Figure
3. Enter the IP group name.
1. Enter the key, which must be the same as that configured on the router.
2. Select Directly Connected from the Access Method list.
3. Select whether to support the server heartbeat and user heartbeat functions. In this example, select No for both Support Server Heartbeat and Support User Heartbeat.
4. Click OK.
Figure 27 Adding a port group
Configuring the router
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Router> system-view
[Router] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Router-portal-server-newpt] port 50100
[Router-portal-server-newpt] quit
# Configure a portal Web server.
[Router] portal web-server newpt
[Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Router-portal-websvr-newpt] quit
# Enable direct portal authentication on interface GigabitEthernet 2/0.
[Router] interface gigabitethernet 2/0
[Router-GigabitEthernet2/0] portal enable method direct
# Reference the portal Web server newpt on interface GigabitEthernet 2/0.
[Router-GigabitEthernet2/0] portal apply web-server newpt
# Configure the BAS-IP as 2.2.2.1 for portal packets sent from GigabitEthernet 2/0 to the portal authentication server.
    IP address    Prefix length
  Destination authenticate subnet:
    IP address    Prefix length
A user can perform portal authentication by using the HP iNode client or through the Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests are redirected to the authentication page.
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 28 and make sure the host, router, and servers can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24) and a private...
  Server name    Action
  Layer3 source network:
    IP address    Prefix length
  Destination authenticate subnet:
    IP address    Prefix length
A user can perform portal authentication by using the HP iNode client or through the Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests are redirected to the authentication page.
Figure 29 Network diagram
  Router A: GE1/0 192.168.0.100/24, GE2/0 20.20.20.1/24
  Router B: GE1/0 20.20.20.2/24, GE2/0 8.8.8.1/24
  Host: 8.8.8.2/24
  Portal server: 192.168.0.111/24
  RADIUS server: 192.168.0.112/24
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 29 and make sure the host, router, and servers can reach each other.
[RouterA-isp-dm1] accounting portal radius-scheme rs1
[RouterA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
  Server name    Action
  Layer3 source network:
    IP address    Prefix length
  Destination authenticate subnet:
    IP address    Prefix length
A user can perform portal authentication by using the HP iNode client or through the Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests are redirected to the authentication page.
Figure 30 Network diagram
  Router: GE1/0 192.168.0.100/24, GE2/0 2.2.2.1/24
  Host: 2.2.2.2/24, gateway 2.2.2.1/24
  Portal server: 192.168.0.111/24
  RADIUS server: 192.168.0.112/24
  Security policy server: 192.168.0.113/24
Configuration prerequisites
• Configure IP addresses for the host, router, and servers as shown in Figure 30 and make sure they...
[Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[Router] domain default enable dm1
Configure ACL 3000 for resources on subnet 192.168.0.0/24 and ACL 3001 for Internet resources:
[Router] acl number 3000...
  Destination authenticate subnet:
    IP address    Prefix length
Before passing portal authentication, a user that uses the HP iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user are redirected to the authentication page.
Configuring extended re-DHCP portal authentication Network requirements As shown in Figure 31, the host is directly connected to the router (the access device). The host obtains an IP address through the DHCP server. A portal server serves as both a portal authentication server and a portal Web server.
<Router> system-view
[Router] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Router-radius-rs1] primary authentication 192.168.0.113
[Router-radius-rs1] primary accounting 192.168.0.113
[Router-radius-rs1] key authentication simple radius
[Router-radius-rs1] key accounting simple radius
[Router-radius-rs1] user-name-format without-domain
# Specify the security policy server.
[Router] interface gigabitethernet 2/0
[Router-GigabitEthernet2/0] ip address 20.20.20.1 255.255.255.0
[Router-GigabitEthernet2/0] ip address 10.0.0.1 255.255.255.0 sub
[Router-GigabitEthernet2/0] dhcp select relay
[Router-GigabitEthernet2/0] dhcp relay server-address 192.168.0.112
# Enable authorized ARP.
[Router-GigabitEthernet2/0] arp authorized enable
[Router-GigabitEthernet2/0] quit
Configure portal authentication:
# Configure a portal authentication server.
[Router] portal server newpt
[Router-portal-server-newpt] ip 192.168.0.111 key simple portal
[Router-portal-server-newpt] port 50100...
  Destination authenticate subnet:
    IP address    Prefix length
Before passing portal authentication, a user that uses the HP iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user are redirected to the authentication page.
Figure 32 Network diagram
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 32 and make sure the host, router, and servers can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
...
[RouterA-isp-dm1] authorization portal radius-scheme rs1
[RouterA-isp-dm1] accounting portal radius-scheme rs1
[RouterA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
  Destination authenticate subnet:
    IP address    Prefix length
Before passing portal authentication, a user that uses the HP iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user are redirected to the authentication page.
Configuring portal server detection and portal user synchronization Network requirements As shown in Figure 33, the host is directly connected to the router (the access device). The host is assigned with a public IP address either manually or through DHCP. A portal server serves as both a portal authentication server and a portal Web server.
1. Log in to IMC and click the User tab.
2. Select User Access Policy > Portal Service > Server from the navigation tree to enter the portal server configuration page, as shown in Figure
3. Configure the portal server heartbeat interval and user heartbeat interval. Use the default settings for other parameters.
Add a portal device:
1. Select User Access Policy > Portal Service > Device from the navigation tree to enter the portal device configuration page.
2. Click Add to enter the page shown in Figure
3. Enter the device name NAS.
4. Enter the IP address of the router's interface connected to the host.
5. Enter the key, which must be the same as that configured on the router.
Figure 38 Adding a port group
Configuring the router
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Router> system-view
[Router] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Router-portal-server-newpt] port 50100
# Configure reachability detection of the portal authentication server: set the server detection timeout to 40 seconds, and send log messages upon reachability status changes.
[Router-portal-server-newpt] server-detect timeout 40 log
NOTE: The value of timeout must be greater than or equal to the portal server heartbeat interval.
# Configure portal user synchronization with the portal authentication server, and set the synchronization detection interval to 600 seconds.
Troubleshooting portal
No portal authentication page is pushed for users
Symptom
When a user is redirected to the portal Web server for authentication, no portal authentication page or error message is prompted for the user. The login page is blank.
Analysis
The key configured on the portal access device and that configured on the portal authentication server are inconsistent.
Cannot log out portal users on the RADIUS server
Symptom
The access device uses the HP IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
If the BAS-IP or BAS-IPv6 address carried in the portal notification packet is different from the portal device IP address specified on the portal authentication server, the portal authentication server discards the portal notification packet. As a result, the portal authentication server regards the user as having failed authentication.
Configuring password control
Overview
Password control allows you to implement the following features:
• Manage login and super password setup, expirations, and updates for device management users.
• Control user login status based on predefined policies.
Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
Password complexity checking policy A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password.
Password history With this feature enabled, the system stores passwords that a user has used. When a user changes the password, the system checks the new password against the current password and those stored in the password history records. The new password must be different from the current one and those stored in the history records by at least four characters.
FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. Password control configuration task list The password control functions can be configured in several different views, and different views support different functions.
1. Enable the global password control feature: password-control enable
   • In non-FIPS mode, the global password control feature is disabled by default.
   • In FIPS mode, the global password control feature is enabled by default and cannot be disabled.
2. (Optional.) Enable a specific password control function: password-control { aging | ... By default, all four password...
1. Set the maximum number of history password records for each user: password-control history max-record-num. The default setting is 4.
2. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts: password-control login-attempt login-times [ exceed { lock | ... By default, the maximum number of login attempts is 3 and a user failing to log in after the specified...
• Specify the maximum number of login attempts and the action to be taken when a user in the user group fails to log in after the specified number of attempts: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]. By default, the login-attempt policy of the user group equals the global login-attempt policy.
• Specify the maximum number of login attempts and the action to be taken for the local user when the user fails to log in after the specified number of attempts: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]. By default, the settings equal those for the user group to which the local user belongs. If no login-attempt policy is configured...
NOTE: The reset password-control history-record command can delete the history password records of one or all users even when the password history function is disabled. Password control configuration example Network requirements Configure a global password control policy to meet the following requirements: •...
# Specify that a user can log in five times within 60 days after the password expires.
[Sysname] password-control expired-user-login delay 60 times 5
# Set the maximum account idle time to 30 days.
[Sysname] password-control login idle-time 30
# Refuse any password that contains the username or the reverse of the username.
[Sysname] password-control complexity user-name check
# Specify that no character can be included three or more times consecutively in a password.
Password aging: Enabled (30 days)
Password length: Enabled (16 characters)
Password composition: Enabled (4 types, 4 characters per type)
Password history: Enabled (max history record:4)
Early notice on password expiration: 7 days
Maximum login attempts:
Action for exceeding login attempts: Lock
Minimum interval between two updates: 36 hours
User account idle time:...
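The policy shown in the display output above (length, composition, user-name check, same-character check, and history) is enforced by the device when a user sets a password. The following Python is an added example, not code from the HP guide: it re-implements those checks so that passwords can be pre-validated before they are pushed to many devices. The exact device semantics of "different by at least four characters" and whether the user-name check is case-sensitive are not stated in the guide; the interpretations here (position-wise difference plus length difference, and case-insensitive matching) are assumptions, and the sample passwords are constructed.

```python
import re

# Policy values copied from the display password-control output above.
MIN_LENGTH = 16            # Password length: 16 characters
MIN_TYPES = 4              # Password composition: 4 types ...
MIN_CHARS_PER_TYPE = 4     # ... 4 characters per type
HISTORY_RECORDS = 4        # Password history: max history record 4
MIN_DIFF_CHARS = 4         # new password must differ by at least 4 characters (assumed meaning below)
MAX_RUN = 2                # no character three or more times consecutively

CHAR_CLASSES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum() and not c.isspace(),
}


def composition_ok(pw):
    """A character type counts only when at least MIN_CHARS_PER_TYPE of its characters are present."""
    counts = {name: sum(1 for c in pw if pred(c)) for name, pred in CHAR_CLASSES.items()}
    return sum(1 for n in counts.values() if n >= MIN_CHARS_PER_TYPE) >= MIN_TYPES


def contains_username(pw, username):
    """Reject passwords containing the username or its reverse (case-insensitive: an assumption)."""
    u = username.lower()
    p = pw.lower()
    return u in p or u[::-1] in p


def has_repeated_run(pw):
    """True if any character appears more than MAX_RUN times in a row."""
    return re.search(r"(.)\1{%d,}" % MAX_RUN, pw) is not None


def char_difference(new, old):
    """Positions that differ plus any length difference (assumed meaning of 'differ by N characters')."""
    common = min(len(new), len(old))
    return sum(1 for i in range(common) if new[i] != old[i]) + abs(len(new) - len(old))


def check_password(username, new_pw, current_pw=None, history=()):
    """Return the names of the policy rules the candidate violates; an empty list means accepted."""
    failed = []
    if len(new_pw) < MIN_LENGTH:
        failed.append("length")
    if not composition_ok(new_pw):
        failed.append("composition")
    if contains_username(new_pw, username):
        failed.append("user-name")
    if has_repeated_run(new_pw):
        failed.append("same-character")
    # History check covers the current password and the most recent stored records.
    previous = ([current_pw] if current_pw else []) + list(history)[:HISTORY_RECORDS]
    if any(char_difference(new_pw, old) < MIN_DIFF_CHARS for old in previous):
        failed.append("history")
    return failed


if __name__ == "__main__":
    # Constructed sample inputs, not credentials from the guide.
    print(check_password("admin", "Xk7#pQ2$mR9!zL4%"))
    print(check_password("admin", "aaaBBB111!!!admin"))
    print(check_password("admin", "Xk7#pQ2$mR9!zL4&", "Xk7#pQ2$mR9!zL4%"))
```

Run the checker over a proposed credential before committing it with local-user password commands; a non-empty result names the rule the device would also reject it on.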
Managing public keys
Overview
This chapter describes public key management for the asymmetric key algorithms including the Rivest-Shamir-Adleman Algorithm (RSA) and the Digital Signature Algorithm (DSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 39.
• The key pairs are automatically saved and can survive system reboots.
Table 5 A comparison of different types of asymmetric key algorithms
Type | Number of key pairs | Modulus length | HP recommendation
• In non-FIPS mode: If you specify the key pair name, the command creates a host key...
Distributing a local host public key
When two devices communicate, you must distribute the host public keys of the two devices on each other for the following purposes:
• Use the public key of the peer device to encrypt information sent to the peer device.
• Use the public key of the peer device to authenticate the digital signature signed by the peer...
Display local host public keys in a specific format:
• Display RSA host public keys:
  In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 }
  In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 }
•...
• Manually enter (type or copy) the peer public key.
  IMPORTANT: If the peer device is an HP device, use the display public-key local { dsa | rsa } public command on that device and enter the key exactly as displayed by the display public-key local { dsa |...
• Display local public keys: display public-key local { dsa | rsa } public [ name key-name ]
• Display peer public keys: display public-key peer [ brief | name publickey-name ]
Examples of public key management
Example for entering a peer public key
Network requirements
As shown in...
30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001
=============================================
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 16:48:31 2013/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC
1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE
E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A
AC41C80A15953FB22AA30203010001
Configure Device B:
# Enter the host public key of Device A in public key view. The key must be literally the same as displayed on Device A.
CB47440AF6BB25ACA50203010001
Example for importing a public key from a public key file
Network requirements
As shown in Figure 41, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B. Configure Device B to use the RSA asymmetric key algorithm to authenticate Device A.
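Whether the peer key is typed in or imported from a file, the security of the exchange rests on confirming that the key really is the peer's. A practical check is to compute the key's fingerprint from the key code the peer displays and compare it with a fingerprint reported out of band by the peer's administrator. The following Python is an added example, not code from the HP guide: it parses the key code of serverkey shown above (the device prints the DER-encoded SubjectPublicKeyInfo structure in hex), recovers the modulus and exponent, and derives the OpenSSH-style MD5 and SHA256 fingerprints over the ssh-rsa wire encoding defined in RFC 4253. The SERVERKEY_HEX constant is copied from the display output above; the fingerprint values it produces are not printed anywhere in the guide and must be compared with what the peer reports.

```python
import base64
import hashlib
import struct

# Key code copied from the "display public-key local rsa public" output above
# (Device A, key name serverkey); whitespace is stripped before decoding.
SERVERKEY_HEX = """
307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC
1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE
E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A
AC41C80A15953FB22AA30203010001
"""

RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_key_code(hex_text):
    """Decode a displayed RSA key code (DER SubjectPublicKeyInfo) into (modulus, exponent)."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, algid, pos = _read_tlv(spki, 0)            # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("key code is not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)           # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    tag, rsapub, _ = _read_tlv(bitstr, 1)           # skip the unused-bits byte
    t_n, n_bytes, pos = _read_tlv(rsapub, 0)
    t_e, e_bytes, _ = _read_tlv(rsapub, pos)
    if tag != 0x30 or t_n != 0x02 or t_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _mpint(x):
    """RFC 4251 mpint: big-endian two's complement with a leading 0x00 when the top bit is set."""
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b


def ssh_rsa_blob(n, e):
    """RFC 4253 'ssh-rsa' public key blob, the input OpenSSH hashes for fingerprints."""
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)


def fingerprints(n, e):
    """Key size and the two fingerprint styles ssh-keygen -l prints (MD5 hex, SHA256 base64)."""
    blob = ssh_rsa_blob(n, e)
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "bits": n.bit_length(),
        "MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "SHA256": "SHA256:" + sha256,
    }


if __name__ == "__main__":
    n, e = parse_rsa_key_code(SERVERKEY_HEX)
    print(fingerprints(n, e))
```

The parser deliberately rejects anything that is not a single rsaEncryption SubjectPublicKeyInfo, so a key code that was truncated or corrupted while being copied fails loudly instead of producing a plausible-looking fingerprint. The same routine can be pointed at the key an HP device exports with public-key local export rsa ssh2, since that file carries the identical modulus and exponent.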
Time when key pair created: 16:48:31 2013/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC
1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE
E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A
AC41C80A15953FB22AA30203010001
# Export the RSA host public key to the file devicea.pub.
[DeviceA] public-key local export rsa ssh2 devicea.pub
[DeviceA] quit
# Enable the FTP server function, create an FTP user with the username ftp and password 123, and configure the FTP user role as network-admin.
PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity. HP's PKI system provides certificate management for IPsec and SSL. PKI terminology Digital certificate A digital certificate is a document signed by a certificate authority (CA).
(CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and email. Make sure you understand the CA policy before you select a trusted CA for certificate request because different CAs might use different policies.
PKI architecture
A PKI system consists of PKI entities, CAs, RAs and a certificate/CRL repository, as shown in Figure 42.
Figure 42 PKI architecture...
The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the LDAP server or other certificate repositories to provide directory navigation services, and notifies the PKI entity that the certificate is successfully issued.
FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity (Required.)
1. Enter system view: system-view
2. Create a PKI entity and enter its view: pki entity entity-name. By default, no PKI entities exist. To create multiple PKI entities, repeat this step.
3. Set a common name for the entity: common-name ... By default, the common name is not set.
• Specify the trusted CA: ca identifier name. By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name is carried in SCEP messages, and the CA server does not use this name unless the server has two CAs configured with the same registration server.
• (Optional.) Specify the extended application of the certificate: usage { ike | ssl-client | ssl-server } *. By default, the certificate is for all extended applications, including IKE, SSL client, and SSL server. The extension of a certificate depends on the certificate user, and it is not limited by PKI.
entity automatically submits a certificate request and saves the certificate locally after obtaining it from the CA. A CA certificate must be present before you request a local certificate. If no CA certificate exists in the PKI domain, the PKI entity automatically obtains a CA certificate before sending a certificate request. Configuration guidelines Make sure the system time is synchronized with the CA server.
Configuration guidelines
• A PKI domain can have local certificates using only one type of cryptographic algorithm (DSA or RSA).
• If DSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain can have one local certificate for signature, and one for encryption.
Obtaining certificates You can obtain the CA certificate, local certificates, and peer certificates related to a PKI domain from a CA and save them locally for higher lookup efficiency. To do so, use either the offline mode or the online mode: •...
1. Enter PKI domain view: pki domain domain-name
2. (Optional.) Specify the URL of the CRL repository: crl url url-string [ vpn-instance vpn-instance-name ]. By default, the URL of the CRL repository is not specified.
3. Enable CRL checking: crl check enable. By default, CRL checking is enabled.
After you change the storage path for the certificates or CRLs, the certificate files (with the file extension .cer or .p12) and CRL files (with the extension .crl) in the original path are moved to the new path. To specify the storage path for the certificates and CRLs: Task Command Remarks...
Each certificate issued by a CA has a validity period. If the certificate is about to expire or your private key is compromised, do the following tasks: Remove the local certificate. Use public-key local destroy to destroy the existing local key pair. Use public-key local create to generate a new key pair.
• (Optional.) Configure an attribute rule for the issuer name, subject name, or alternative subject name: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } ... By default, no attribute rule is configured.
Certificate request from an RSA Keon CA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from the CA server.
Figure 44 Network diagram
Configuring the CA server
Create a CA server named myca:
In this example, you must configure these basic attributes on the CA server:
• Nickname—Name of the trusted CA.
# Specify the PKI entity name as aaa.
[Device-pki-domain-torsa] certificate request entity aaa
# Specify the URL of the CRL repository.
[Device-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[Device-pki-domain-torsa] public-key rsa general name abc length 1024
[Device-pki-domain-torsa] quit
Generate a local RSA key pair.
Not After : Aug 23 09:06:29 2014 GMT
Subject: CN=Device
Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  RSA Public Key: (1024 bit)
    Modulus (1024 bit):
      00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0
      EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61
      D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094
      73EB0549 A65D9E74 0F2953F2 D4F0042F...
Configuring the CA server
Install the certificate service component:
1. Select Control Panel > Add or Remove Programs from the start menu.
2. Select Add/Remove Windows Components > Certificate Services.
3. Click Next to begin the installation.
4. Set the CA name. In this example, set the CA name to myca.
Install the SCEP add-on:
The Windows 2003 server does not support SCEP by default.
[Device-pki-domain-winserver] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll
# Specify the RA to accept certificate requests.
[Device-pki-domain-winserver] certificate request from ra
# Specify the PKI entity name as aaa.
[Device-pki-domain-winserver] certificate request entity aaa
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[Device-pki-domain-winserver] public-key rsa general name abc length 1024
[Device-pki-domain-winserver] quit
Generate an RSA local key pair:...
Figure 46 Network diagram
Configuring the CA server
The configuration is not shown. For information about how to configure an OpenCA server, see the related manuals. When you configure the CA server, use an OpenCA version later than 0.9.2, because earlier versions do not support SCEP.
Input the modulus length [default = 1024]:
Generating Keys...
......++++++
........++++++
Create the key pair successfully.
Request a local certificate:
# Obtain the CA certificate and save it locally.
[Device] pki retrieve-certificate domain openca ca
The trusted CA's finger print is:
    fingerprint:5AA3 DEFD 7B23 2A25 16A3 14F4 C81C C0FA
    SHA1 fingerprint:9668 4E63 D742 4B09 90E0 4C78 E213 F15F DC8E 9122
Is the finger print correct?(Y/N):y...
Compare the displayed fingerprint with the value provided by the CA administrator through an out-of-band channel before answering Y; accepting an unverified CA certificate would let any party that can intercept the SCEP exchange substitute its own CA.
X509v3 Basic Constraints:
  CA:FALSE
Netscape Cert Type:
  SSL Client, S/MIME
X509v3 Key Usage:
  Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
  TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
Netscape Comment:
  User Certificate of OpenCA Labs
X509v3 Subject Key Identifier:
  24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B
X509v3 Authority Key Identifier:
  keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B...
IKE negotiation with RSA digital signature from a Windows 2003 CA server
Network requirements
Device A and Device B establish an IPsec tunnel to protect the traffic between Host A on subnet 10.1.1.0/24 and Host B on subnet 1.1.1.0/24. Device A and Device B use IKE to set up SAs, and the IKE proposal uses RSA digital signature for identity authentication.
[DeviceA-pki-domain-1] ca identifier CA1
[DeviceA-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll
[DeviceA-pki-domain-1] certificate request entity en
[DeviceA-pki-domain-1] ldap-server host 1.1.1.102
# Specify the RA to accept certificate requests.
[DeviceA-pki-domain-1] certificate request from ra
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[DeviceA-pki-domain-1] public-key rsa general name abc length 1024
[DeviceA-pki-domain-1] quit
# Generate a local RSA key pair.
[DeviceB-pki-domain-1] certificate request from ra
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[DeviceB-pki-domain-1] public-key rsa general name abc length 1024
[DeviceB-pki-domain-1] quit
# Generate a local RSA key pair.
[DeviceB] public-key local create rsa name abc
The range of public key size is (512 ~ 2048).
Figure 48 Network diagram
Configuration procedure
Export the certificate on Device A to specified files:
# Export the CA certificate to a file named pkicachain.pem in PEM format.
<DeviceA> system-view
[DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
# Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
Failed to obtain the CA certificate
Symptom
The CA certificate cannot be obtained.
Analysis
• The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
• No trusted CA is specified.
• The URL of the registration server is not correct or not specified.
• Configure the correct LDAP server.
• Specify the key pair used for certificate request in the PKI domain, generate the proper key pair, and make sure it matches the local certificates to be obtained.
• Reference the proper PKI entity in the PKI domain, and correctly configure the PKI entity.
• Obtain CRLs.
Failed to obtain CRLs
Symptom
CRLs cannot be obtained.
Analysis
• The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
• No CA certificate has been obtained before you try to obtain CRLs.
• ...
Failed to import a local certificate
Symptom
A local certificate cannot be imported.
Analysis
• The PKI domain has no CA certificate, and the certificate file to be imported does not contain the CA certificate chain.
• CRL checking is enabled, but CRLs do not exist locally or CRLs cannot be obtained.
• ...
Failed to set the storage path
Symptom
The storage path for certificates or CRLs cannot be set.
Analysis
• The specified storage path does not exist.
• The specified storage path is illegal.
• The disk space is full.
Solution
• Use mkdir to create the path.
Configuring IPsec
CAUTION:
If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match the QoS traffic classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA to different queues, causing packets to be sent out of order.
• AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure. AH can provide data origin authentication, data integrity, and anti-replay services to prevent data tampering, but it cannot prevent eavesdropping. Therefore, it is suitable for transmitting non-confidential data.
• IKE negotiation mode—The peers negotiate and maintain the SA through IKE. This configuration mode is simple and scales well. In medium- and large-scale dynamic networks, HP recommends setting up SAs through IKE negotiations.
A manually configured SA never ages out. An IKE-created SA has a lifetime, which comes in two types:
• Time-based lifetime—Defines how long the SA can be valid after it is created.
Authentication Code (HMAC) based authentication algorithms, including HMAC-MD5 and HMAC-SHA1. Compared with HMAC-SHA1, HMAC-MD5 is faster but less secure.
Encryption algorithms
IPsec uses symmetric encryption algorithms, which encrypt and decrypt data by using the same keys. The following encryption algorithms are available for IPsec on the device:
• DES—Encrypts a 64-bit plaintext block with a 56-bit key.
IPsec packet header for de-encapsulation. If the de-encapsulated packet matches the permit rule of the ACL, the device processes the packet. Otherwise, it drops the packet.
The device supports the following data flow protection modes:
• Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule ...
Figure 52 IPsec VPN
IPsec Reverse Route Injection (RRI) enables an IPsec tunnel gateway to automatically add static routes destined for protected private networks or static routes destined for peer IPsec tunnel gateways to a routing table. As shown in Figure 52, you can enable IPsec RRI on the gateway at the enterprise center.
IPsec tunnel establishment
CAUTION:
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50, respectively. Make sure traffic of these protocols is not denied on the interfaces with IKE or IPsec configured.
Tasks at a glance
(Optional.) Enabling QoS pre-classify
(Optional.) Enabling logging of IPsec packets
(Optional.) Configuring the DF bit of IPsec packets
(Optional.) Configuring IPsec RRI
(Optional.) Configuring SNMP notifications for IPsec
Configuring an ACL
IPsec uses ACLs to identify the traffic to be protected. To use IPsec to protect VPN traffic, you do not need to specify the VPN parameters in the ACL rules.
The following example shows how an improper statement causes unexpected packet dropping. Only the ACL-related configurations are presented. Assume Router A connects subnet 1.1.2.0/24 and Router B connects subnet 3.3.3.0/24, and the IPsec policy configurations on Router A and Router B are as follows:
• IPsec configurations on Router A: ...
Figure 53 Mirror image ACLs
If the ACL rules on IPsec peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other ...
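The mirror-image requirement above is easy to get wrong by hand when each peer has several rules. The following added example (not code from the HP guide) checks two peers' permit rules against each other: a rule is a mirror of its counterpart when the peer's source prefix equals our destination prefix and vice versa, and it is "covered" when our flow range lies inside the peer's mirrored range, the weaker condition the text describes. The FlowRule class and the check_policy function are illustrative names chosen here; the Router A (1.1.2.0/24) and Router B (3.3.3.0/24) prefixes in the usage come from the example in the text.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    """Simplified IPsec ACL permit rule: a source prefix and a destination prefix."""
    source: str
    destination: str

    @property
    def src(self):
        return ipaddress.ip_network(self.source, strict=False)

    @property
    def dst(self):
        return ipaddress.ip_network(self.destination, strict=False)


def is_mirror(local, peer):
    """Exact mirror image: the peer's source is our destination and vice versa."""
    return local.src == peer.dst and local.dst == peer.src


def covered_by(local, peer):
    """Our flow range lies inside the peer's mirrored range (same IP version only)."""
    if local.src.version != peer.dst.version or local.dst.version != peer.src.version:
        return False
    return local.src.subnet_of(peer.dst) and local.dst.subnet_of(peer.src)


def classify(local, peer):
    """How one local rule relates to one peer rule for SA negotiation."""
    if is_mirror(local, peer):
        return "mirror"
    if covered_by(local, peer) or covered_by(peer, local):
        return "covered"
    return "mismatch"


def check_policy(local_rules, peer_rules):
    """For each local rule, report the best relation found among the peer's rules.
    A "mismatch" verdict is the case in which traffic matching that rule is
    encrypted by one side but has no counterpart on the other and is dropped."""
    results = []
    for local in local_rules:
        verdicts = {classify(local, peer) for peer in peer_rules}
        if "mirror" in verdicts:
            results.append((local, "mirror"))
        elif "covered" in verdicts:
            results.append((local, "covered"))
        else:
            results.append((local, "mismatch"))
    return results


if __name__ == "__main__":
    router_a = [FlowRule("1.1.2.0/24", "3.3.3.0/24")]
    router_b = [FlowRule("3.3.3.0/24", "1.1.2.0/24")]      # mirror image
    router_b_bad = [FlowRule("3.3.3.0/24", "2.2.2.0/24")]  # wrong destination
    for rule, verdict in check_policy(router_a, router_b) + check_policy(router_a, router_b_bad):
        print(f"{rule.source} -> {rule.destination}: {verdict}")
```

Run the check against the rule sets of both peers before applying the policies; a "mismatch" on either side is the configuration the text warns about, and a "covered" result means negotiation depends on the second requirement, so the rules should still be reviewed by hand.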
Step: Enter system view.
Command: system-view

Step: Create an IPsec transform set and enter its view.
Command: ipsec transform-set transform-set-name
Remarks: By default, no IPsec transform set exists.

Step: Specify the security protocol for the IPsec transform set.
Command: protocol { ah | ah-esp | esp }
Remarks: Optional. By default, the IPsec transform set
Step: (Optional.) Enable the Perfect Forward Secrecy
Command:
• In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 } ...
Remarks: By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the ...
Step: (Optional.) Configure a description for the IPsec policy.
Command: description text
Remarks: By default, no description is configured.

Step: Specify an ACL for the IPsec policy.
Command: security acl [ ipv6 ] { acl-number | ...
Remarks: By default, an IPsec policy references no ACL.
Command:
• Configure an authentication key in hexadecimal format for AH: sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
• Configure an authentication key in character format for AH: ...
Remarks: By default, no keys are configured for the IPsec SA.
• An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
• ...
Step: Specify the local IP address of the IPsec tunnel.
Command: local-address { ipv4-address | ipv6 ...
Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy ...
Step: Create an IPsec policy template and enter its view.
Command: ipsec { ipv6-policy-template | policy-template } template-name seq-number
Remarks: By default, no IPsec policy template exists.

Step: (Optional.) Configure a description for the IPsec policy template.
Command: description text
Remarks: By default, no description is configured.
Step: (Optional.) Enable the global IPsec SA idle timeout function, and set the global SA idle timeout.
Command: ipsec sa idle-time seconds
Remarks: By default, the global IPsec SA idle timeout function is disabled.

Step: Create an IPsec policy by referencing the IPsec policy template.
Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp
Remarks: By default, no IPsec policy exists.
To enable ACL checking for de-encapsulated packets:
Step: Enter system view.
Command: system-view

Step: Enable ACL checking for de-encapsulated packets.
Command: ipsec decrypt-check enable
Remarks: By default, this feature is enabled.

Configuring the IPsec anti-replay function
The IPsec anti-replay function protects networks against replay attacks by using a sliding window mechanism called the anti-replay window.
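To make the sliding-window mechanism concrete, here is an added example (not the device's implementation and not code from the HP guide) of an anti-replay window for one inbound SA, in the classic RFC 4303 Appendix A form: the window's right edge is the highest sequence number accepted, a bitmap records which of the previous window-size numbers have already been received, and a packet is accepted only if it is newer than the edge, or inside the window and not yet seen. The AntiReplayWindow class and replay_decisions helper are names chosen for this illustration; the default window size of 64 matches the value shown in this guide's display output.

```python
class AntiReplayWindow:
    """Sliding anti-replay window for one inbound IPsec SA (RFC 4303 Appendix A scheme)."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("window size must be at least 32")
        self.size = size
        self.last_seq = 0    # highest sequence number accepted so far (right edge)
        self.bitmap = 0      # bit i set => sequence number last_seq - i was received
        self.rejected = []   # (seq, reason) for every packet the window dropped

    def check(self, seq):
        """Return True and record seq if the packet is acceptable, else False.

        Drops sequence number 0, anything older than the window, and any
        number already marked in the bitmap (a replayed packet).
        """
        if seq == 0:
            self.rejected.append((seq, "zero sequence number"))
            return False
        if seq > self.last_seq:
            # Newer than anything seen: slide the window right by the gap.
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # jumped past the whole window; only seq is marked
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            self.rejected.append((seq, "left of window"))
            return False
        if (self.bitmap >> diff) & 1:
            self.rejected.append((seq, "replay"))
            return False
        self.bitmap |= 1 << diff  # late but not yet seen: accept and mark it
        return True


def replay_decisions(seqs, size=64):
    """Feed a list of received ESP sequence numbers through one window
    and return the accept/drop decision for each, in order."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: reordering is tolerated, duplicates are not.
    arrivals = [1, 2, 2, 5, 3, 1, 100, 36, 37, 37]
    for seq, ok in zip(arrivals, replay_decisions(arrivals)):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```

The window size is the amount of reordering the receiver will tolerate, not a security parameter: a packet that arrives more than 64 numbers behind the newest one is dropped even though it was never seen, which is why a larger window is sometimes configured on links with heavy reordering.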
To solve these problems, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working, regardless of link failover.
Enabling logging of IPsec packets
Perform this task to enable the logging of IPsec packets that are discarded because of reasons such as IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information includes the source and destination IP addresses, the SPI value, and the sequence number of a discarded IPsec packet, and the reason for the failure.
Step: Enter system view.
Command: system-view

Step: Configure the DF bit of IPsec packets globally.
Command: ipsec global-df-bit { clear | copy | set }
Remarks: By default, IPsec copies the DF bit in the original IP header to the new IP header.

Configuring IPsec RRI
Configuration guidelines
When you enable or disable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs created by this ...
Step: (Optional.) Set the tag value for the static routes created by IPsec RRI.
Command: reverse-route tag tag-value
Remarks: The default value is 0.

Configuring IPsec for IPv6 routing protocols
Configuration task list
Complete the following tasks to configure IPsec for IPv6 routing protocols:
Tasks at a glance
(Required.) Configuring an IPsec transform set
...
Step: Create a manual IPsec profile and enter its view.
Command: ipsec profile profile-name manual
Remarks: By default, no IPsec profile exists. The manual keyword is not needed if you enter the view of an existing IPsec profile.

Step: (Optional.) Configure a description for the IPsec profile.
Command: description text
Remarks: By default, no description is ...
IPsec configuration examples
Configuring a manual mode IPsec tunnel for IPv4 packets
Network requirements
As shown in Figure 55, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the tunnel as follows:
• Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as ...
# Create a manual IPsec policy named map1, with the sequence number as 10.
[RouterA] ipsec policy map1 10 manual
# Apply ACL 3101.
[RouterA-ipsec-policy-manual-map1-10] security acl 3101
# Apply the IPsec transform set tran1.
[RouterA-ipsec-policy-manual-map1-10] transform-set tran1
# Specify the remote IP address of the IPsec tunnel as 2.2.3.1.
[RouterA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1
# Configure inbound and outbound SPIs for ESP.
# Apply IPsec transform set tran1.
[RouterB-ipsec-policy-manual-use1-10] transform-set tran1
# Specify the remote IP address of the IPsec tunnel as 2.2.2.1.
[RouterB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1
# Configure the inbound and outbound SPIs for ESP.
[RouterB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[RouterB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
# Configure the inbound and outbound SA keys for ESP.
Configuring an IKE-based IPsec tunnel for IPv4 packets
Network requirements
As shown in Figure 56, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the IPsec tunnel as follows:
• Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as ...
# Specify the plaintext 123456TESTplat&! as the pre-shared key to be used with the remote peer at 2.2.3.1.
[RouterA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
[RouterA-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[RouterA] ike profile profile1
[RouterA-ike-profile-profile1] keychain keychain1
[RouterA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0
[RouterA-ike-profile-profile1] quit
...
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Create and configure the IKE keychain named keychain1.
[RouterB] ike keychain keychain1
[RouterB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
[RouterB-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[RouterB] ike profile profile1
[RouterB-ike-profile-profile1] keychain keychain1
[RouterB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0
...
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Path MTU: 1443
    Tunnel:
        local  address: 2.2.3.1
        remote address: 2.2.2.1
    Flow:
        sour addr: 2.2.3.1/0.0.0.0  port: 0  protocol: IP
        dest addr: 2.2.2.1/0.0.0.0  port: 0  protocol: IP
    [Inbound ESP SAs]
      SPI: 3769702703 (0xe0b1192f)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 3000/28800
      SA remaining duration (kilobytes/sec): 2300/797
...
Figure 57 Network diagram
Configuration procedure
Configure Router A:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Define an ACL to identify data flows from subnet 333::/64 to subnet 555::/64.
<RouterA> system-view
[RouterA] acl ipv6 number 3101
[RouterA-acl-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64
[RouterA-acl-adv-3101] quit
# Configure a static route to Host B.
# Apply IPv6 ACL 3101.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] security acl ipv6 3101
# Apply the IPsec transform set tran1.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] transform-set tran1
# Specify the local and remote IPv6 addresses of the IPsec tunnel as 111::1 and 222::1.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] local-address ipv6 111::1
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] remote-address ipv6 222::1
# Apply the IKE profile profile1.
# Create an IKE-based IPsec policy named use1, with the sequence number as 10.
[RouterB] ipsec ipv6-policy use1 10 isakmp
# Apply ACL 3101.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] security acl 3101
# Apply the IPsec transform set tran1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IPv6 addresses of the IPsec tunnel as 222::1 and 111::1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] local-address ipv6 222::1
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] remote-address ipv6 111::1
# Apply the IKE profile profile1.
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 3000/28800
      SA remaining duration (kilobytes/sec): 2300/797
      Max received sequence-number: 1
      Anti-replay check enable: N
      Anti-replay window size:
      UDP encapsulation used for NAT traversal: N
      Status: active
    [Outbound ESP SAs]
      SPI: 3840956402 (0xe4f057f2)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 3000/28800
      SA remaining duration (kilobytes/sec): 2312/797
      Max sent sequence-number: 1
...
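Output like the above is what an operator checks after each example in this chapter, and it is also what a monitoring job would watch: the anti-replay check state, whether NAT traversal was detected, and how close each SA is to rekeying. The following added example (not code from the HP guide) parses display ipsec sa output into one record per SA and audits those records. SAMPLE_OUTPUT is a constructed sample modeled on the output format shown in this guide, in which anti-replay checking is reported as disabled (N) on both SAs, so the audit flags both; the parse_ipsec_sa and audit_sas functions and the 600-second threshold are choices made for this illustration.

```python
import re

# Constructed sample, modeled on the display ipsec sa output shown in this guide.
SAMPLE_OUTPUT = """\
-------------------------------
Interface: GigabitEthernet1/0
-------------------------------
  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: isakmp
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Path MTU: 1443
    Tunnel:
        local  address: 2.2.3.1
        remote address: 2.2.2.1
    [Inbound ESP SAs]
      SPI: 3769702703 (0xe0b1192f)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 3000/28800
      SA remaining duration (kilobytes/sec): 2300/797
      Max received sequence-number: 1
      Anti-replay check enable: N
      Anti-replay window size:
      UDP encapsulation used for NAT traversal: N
      Status: active
    [Outbound ESP SAs]
      SPI: 3840956402 (0xe4f057f2)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 3000/28800
      SA remaining duration (kilobytes/sec): 2312/797
      Max sent sequence-number: 1
      Anti-replay check enable: N
      Anti-replay window size:
      UDP encapsulation used for NAT traversal: N
      Status: active
"""

SECTION_RE = re.compile(r"\[(Inbound|Outbound) ESP SAs\]")


def parse_ipsec_sa(output):
    """Return a list of dicts, one per ESP SA, tagged with interface, policy and direction."""
    sas, current = [], None
    interface = policy = direction = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        m = SECTION_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Interface":
            interface = value
        elif key == "IPsec policy":
            policy = value
        elif key == "SPI":
            # "SPI: <decimal> (<hex>)": a new SA record starts here.
            current = {"interface": interface, "policy": policy,
                       "direction": direction, "spi": int(value.split()[0])}
            sas.append(current)
        elif current is not None:
            if key == "SA remaining duration (kilobytes/sec)":
                kb, sec = value.split("/")
                current["remaining_kb"], current["remaining_sec"] = int(kb), int(sec)
            elif key == "Anti-replay check enable":
                current["anti_replay"] = value == "Y"
            elif key.lower() == "udp encapsulation used for nat traversal":
                current["nat_t"] = value == "Y"
            elif key == "Transform set":
                current["transform_set"] = value
            elif key == "Status":
                current["status"] = value
    return sas


def audit_sas(sas, min_remaining_sec=600):
    """Return one finding string per condition a defender would want to know about."""
    findings = []
    for sa in sas:
        label = f"{sa['interface']} {sa['policy']} {sa['direction']} SPI 0x{sa['spi']:08x}"
        if not sa.get("anti_replay", False):
            findings.append(f"{label}: anti-replay check disabled")
        if sa.get("remaining_sec", 0) < min_remaining_sec:
            findings.append(f"{label}: only {sa.get('remaining_sec')} s left before rekey")
        if sa.get("status") != "active":
            findings.append(f"{label}: status {sa.get('status')}")
    return findings


if __name__ == "__main__":
    for finding in audit_sas(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(finding)
```

The parser keys on the label text exactly as the device prints it; the NAT traversal label is matched case-insensitively because this guide shows it as both "NAT traversal" and "nat traversal" in different examples.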
     Preference : 100
     Checkzero : Enabled
     Default Cost : 0
     Maximum number of balanced paths : 8
     Update time   30 sec(s)  Timeout time   180 sec(s)
     Suppress time : 120 sec(s)  Garbage-Collect time : 120 sec(s)
     Number of periodic updates sent : 186
     Number of trigger updates sent : 1
     IPsec profile name: profile001
# Use the display ipsec sa command to display the established IPsec SAs.
Figure 59 Network diagram (figure residue; labels recovered: Router A at the Enterprise Center with GE1/0 1.1.1.1/24 and GE2/0 4.4.4.1/24 toward Host A; Router B at a Branch with GE1/0 2.2.2.2/24 and GE2/0 5.5.5.1/24 toward Host B; Router C and Router D at other Branches; all connected over the Internet)
Configuration procedure
Assign IPv4 addresses to the interfaces on the routers according to Figure 59.
# Create an IKE keychain named key1 and specify the plaintext 123 as the pre-shared key to be used with the remote peer at 2.2.2.2.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[RouterA-ike-keychain-key1] quit
# Apply the IPsec policy map1 to interface GigabitEthernet 1/0.
[RouterA] interface gigabitethernet 1/0
[RouterA-GigabitEthernet1/0] ipsec apply policy map1
[RouterA-GigabitEthernet1/0] quit
...
Make sure Router B has a route to the peer private network, with the outgoing interface as GigabitEthernet 1/0. Configure Router C and Router D in the same way Router B is configured. Verifying the configuration Send traffic from subnet 5.5.5.0/24 to subnet 4.4.4.0/24. IKE negotiation is triggered to establish IPsec SAs between Router A and Router B.
The output shows that IPsec SAs are established. Use the display ip routing-table verbose command to display the routing table on Router A. The output shows that a correct static route is created by IPsec RRI. After the IPsec tunnels are established between Router A and Router C and Router D, the associated static routes are also created on Router A.
Configuring IKE
Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1.
Overview
Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, dramatically simplifying the configuration and maintenance of IPsec.
Figure 61 IKE exchange process in main mode
As shown in Figure 61, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange—Used for negotiating the IKE security policy.
• Key exchange—Used for exchanging the DH public value and other values, such as the random ...
the pre-shared key authentication method, you must configure a pre-shared key for each branch on the Headquarters node.
DH algorithm
The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because of the computational difficulty of the underlying problem, a third party cannot derive the shared keys even after intercepting all of the keying material.
Tasks at a glance / Remarks
(Optional.) Configuring an IKE proposal: Required when the IKE profile needs to reference IKE proposals.
(Optional.) Configuring an IKE keychain: Required when pre-shared authentication is used in IKE negotiation phase 1.
(Optional.) Configuring the global identity information
(Optional.) Configuring the IKE keepalive function
(Optional.)
Specify a priority number for the IKE profile. To determine the priority of an IKE profile:
1. First, the device examines the existence of the match local address command. An IKE profile with the match local address command configured has a higher priority.
2. If a tie exists, the device compares the priority numbers.
Step: (Optional.) Configure IKE DPD.
Command: dpd interval interval-seconds [ retry ...
Remarks: By default, the IKE DPD function is not configured for an IKE profile and an IKE profile uses the DPD settings configured in system view. If the IKE DPD ...
Step: Specify an encryption algorithm for the IKE proposal.
Command:
• In non-FIPS mode: encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
Remarks: By default:
• In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.
Step: Enter system view.
Command: system-view

Step: Create an IKE keychain and enter its view.
Command: ike keychain keychain-name
Remarks: By default, no IKE keychain exists.

Step: Configure a pre-shared key.
Command: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ...
Remarks: By default, no pre-shared key is configured. For security purposes, all ...
Step: (Optional.) Configure the local device to always obtain the identity information from ...
Command: ike signature-identity ...
Remarks: By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication. Configure this command on the local device when the following conditions exist: ...
To configure the IKE NAT keepalive function:
Step: Enter system view.
Command: system-view

Step: Set the IKE NAT keepalive interval.
Command: ike nat-keepalive seconds
Remarks: The default interval is 20 seconds.

Configuring IKE DPD
DPD detects dead peers. It can operate in periodic mode or on-demand mode.
• Periodic DPD—Sends a DPD message at regular intervals.
Enabling invalid SPI recovery
An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, an invalid SPI is encountered.
parameters for the SNMP module to specify how the SNMP module displays notifications. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide. To generate and output SNMP notifications for IKE for a specific failure or event type, enable SNMP notifications for IKE globally and for the specified type of failures or events.
Configure Device A and Device B to use the default IKE proposal for the IKE negotiation to set up the IPsec SAs. Configure the two devices to use the pre-shared key authentication method for the IKE negotiation phase 1.
Figure 62 Network diagram
Configuration procedure
Configure Device A:
# Assign an IP address to each interface.
# Configure the local ID with the identity type as IP address and the value as 1.1.1.1.
[DeviceA-ike-profile-profile1] local-identity address 1.1.1.1
# Configure a peer ID with the identity type as IP address and the value as 2.2.2.2/24.
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[DeviceA-ike-profile-profile1] quit
# Create an IPsec policy named map1, with the sequence number as 10, and the IPsec SA setup mode as IKE.
[DeviceB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[DeviceB] ike profile profile1
# Specify IKE keychain keychain1.
[DeviceB-ike-profile-profile1] keychain keychain1
# Configure the local ID with the identity type as IP address and the value as 2.2.2.2.
[DeviceB-ike-profile-profile1] local-identity address 2.2.2.2
# Configure a peer ID with the identity type as IP address and the value as 1.1.1.1/24.
    Connection-ID   Remote                Flag
------------------------------------------------------------------
                    2.2.2.2                           IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
# Display the IPsec SAs generated on Device A.
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0
-------------------------------
  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: isakmp
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1456
...
# Use the same command to verify the IKE SA and IPsec SA on Device B. (Details not shown.)
Aggressive mode with RSA signature authentication configuration example
This configuration example does not apply when the device operates in FIPS mode.
Network requirements
As shown in Figure...
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity1.
[DeviceA] pki entity entity1
# Set the common name as routera for the PKI entity.
[DeviceA-pki-entity-entity1] common-name routera
[DeviceA-pki-entity-entity1] quit
# Create a PKI domain named domain1.
[DeviceA] pki domain domain1
# Set the certificate request mode to auto and set the password to 123 for certificate revocation.
[DeviceA-ike-proposal-10] quit
# Create an IPsec policy named map1, with the sequence number as 10, and the IPsec SA setup mode as IKE.
[DeviceA] ipsec policy map1 10 isakmp
# Specify the remote IP address 2.2.2.2 for the IPsec tunnel.
[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
# Reference IPsec transform set tran1 for the IPsec policy.
[DeviceB-pki-domain-domain2] ca identifier 8088
# Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses the URL of http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.
[DeviceB-pki-domain-domain2] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
# Specify the CA to accept certificate requests.
[DeviceB-pki-domain-domain2] certificate request from ca
# Specify the PKI entity for certificate request as entity2.
[DeviceA] display ike proposal 10
Priority Authentication Authentication Encryption  Diffie-Hellman Duration
         method         algorithm      algorithm   group          (seconds)
----------------------------------------------------------------------------
         RSA-SIG                       AES-CBC-128 Group 1        5000
default  PRE-SHARED-KEY SHA1           AES-CBC-128 Group 1        86400
[DeviceB] display ike proposal 10
Priority Authentication Authentication Encryption  Diffie-Hellman Duration
         method         algorithm      algorithm
...
         9a:6d:8c:46:d3:18:8a:00:ce:12:ee:2b:b0:aa:39:5d:3f:90:
         08:49:b9:a9:8f:0d:6e:7b:e1:00:fb:41:f5:d4:0c:e4:56:d8:
         7a:a7:61:1d:2b:b6:72:e3:09:0b:13:9d:fa:c8:fc:c4:65:a7:
         f9:45:21:05:75:2c:bf:36:7b:48:b4:4a:b9:fe:87:b9:d8:cf:
         55:16:87:ec:07:1d:55:5a:89:74:73:68:5e:f9:1d:30:55:d9:
         8a:8f:c5:d4:20:7e:41:a9:37:57:ed:8e:83:a7:80:2f:b8:31:
         57:3a:f2:1a:28:32:ea:ea:c5:9a:55:61:6a:bc:e5:6b:59:0d:
         82:16
# Display the local certificate on Device A.
[DeviceA] display pki certificate domain domain1 local
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a1:f4:d4:fd:cc:54:c3:07:c4:9e:15:2d:5f:64:57:77
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cn, O=rnd, OU=sec, CN=8088
        Validity
            Not Before: Sep 26 02:06:43 2013 GMT
            Not After : Sep 26 02:06:43 2014 GMT
        Subject: CN=devicea
...
         65:fb:de:7c:ed:53:ab:14:7a:cf:69:f2:42:a4:44:7c:6e:90:
         7e:cd
# Display the IPsec SA information on Device A.
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0
-------------------------------
  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: isakmp
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1456
    Tunnel:
        local  address: 1.1.1.1
...
Aggressive mode with NAT traversal configuration example
This configuration example does not apply when the device operates in FIPS mode.
Network requirements
Device A is behind the NAT device. Configure an IPsec tunnel that uses IKE negotiation between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure Device A and Device B to use the default IKE proposal for the aggressive IKE negotiation to set up the IPsec SAs.
[DeviceA-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[DeviceA] ike profile profile1
# Specify IKE keychain keychain1.
[DeviceA-ike-profile-profile1] keychain keychain1
# Specify that IKE negotiation operates in aggressive mode.
[DeviceA-ike-profile-profile1] exchange-mode aggressive
# Set the local identity to the FQDN name www.devicea.com.
[DeviceA-ike-profile-profile1] local-identity fqdn www.devicea.com
# Configure a peer ID with the identity type as IP address and the value as 2.2.2.2/24.
[DeviceB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
[DeviceB-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[DeviceB] ike profile profile1
# Reference IKE keychain keychain1.
[DeviceB-ike-profile-profile1] keychain keychain1
# Specify that IKE negotiation operates in aggressive mode.
[DeviceB-ike-profile-profile1] exchange-mode aggressive
# Configure a peer ID with the identity type of FQDN name and the value of www.devicea.com.
    Local ID: www.devicea.com
    Remote IP: 2.2.2.2
    Remote ID type: IPV4_ADDR
    Remote ID: 2.2.2.2
    Authentication-method: PRE-SHARED-KEY
    Authentication-algorithm: MD5
    Encryption-algorithm: 3DES-CBC
    Life duration(sec): 86400
    Remaining key duration(sec): 84565
    Exchange-mode: Aggressive
    Diffie-Hellman group: Group 1
    NAT traversal: Detected
# Display the IPsec SAs generated on Device A.
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0
...
    [Outbound ESP SAs]
      SPI: 3516214669 (0xd1952d8d)
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/2313
      Max received sequence-number:
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for nat traversal: Y
      Status: active
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals were found
Symptom
...
------------------------------------------------------------------
                    192.168.222.5         Unknown     IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
The following IKE event debugging or packet debugging message appeared:
• IKE event debugging message: Notification PAYLOAD_MALFORMED is received.
• IKE packet debugging message: Construct notification packet: PAYLOAD_MALFORMED.
Analysis
• If the following debugging information appeared, the matched IKE profile is not referencing the ...
IPsec SA negotiation failed due to invalid identity information
Symptom
The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.
-------------------------------------------
  -----------------------------
  Sequence number: 1
  Mode: isakmp
  -----------------------------
    Description:
    Security data flow: 3000
    Selector mode: aggregation
    Local address: 192.168.222.5
    Remote address: 192.168.222.71
    Transform set: transform1
    IKE profile: profile1
    SA duration(time based):
    SA duration(traffic based):
    SA idle time:
Verify that the ACL referenced by the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail.
    Selector mode: aggregation
    Local address: 192.168.222.5
    Remote address:
    Transform set: transform1
    IKE profile: profile1
    SA duration(time based):
    SA duration(traffic based):
    SA idle time:
Solution
If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile, remove the reference.
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.
CLI. The text pasted at one time must be no more than 2000 bytes.
Interaction: To execute the commands successfully, HP recommends that you paste commands that are in the same view. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.
NOTE:
SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
• Publickey authentication—The server authenticates a client through the digital signature. In a publickey authentication, a client sends the server a publickey authentication request that contains the following information:
    Username.
Tasks at a glance / Remarks
"Configuring PKI."
Configuring the PKI domain for verifying the client certificate: Required if the following conditions exist:
• Publickey authentication is configured for users.
• The clients send the public keys to the server through digital certificates for validity check.
The PKI domain must have the CA certificate to verify the client certificate.
Step: Enter system view.
  Command: system-view
Step: Generate local DSA or RSA key pairs.
  Command: public-key local create { dsa | rsa }
  Remarks: By default, both DSA and RSA key pairs do not exist.
Enabling the SSH server function
The SSH server function on the device allows clients to communicate with the device through SSH. The device that acts as an SSH server does not support SFTP or SCP connection initiated by an SSH1 client.
For SSH servers that use publickey authentication, password-publickey authentication, or any authentication, you must perform the following tasks:
• Configure the client's DSA or RSA host public key on the server. HP recommends that you configure no more than 20 SSH client host public keys on an SSH server.
Step: Return to system view.
  Command: peer-public-key end
Importing a client's host public key from the public key file
Step: Enter system view.
  Command: system-view
Step: Import a client's public key from the public key file.
  Command: public-key peer keyname import sshkey filename
Configuring an SSH user
To configure an SSH user that uses publickey authentication, perform the procedure in this section.
• For all authentication methods except password authentication, you must specify the client's host public key or digital certificate. For a client that sends the user's public key information directly to the server, you must specify the client's host public key on the server. The specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."...
To set the SSH management parameters:
Step: Enter system view.
  Command: system-view
Step: Enable the SSH server to support SSH1 clients.
  Command: ssh server compatible-ssh1x enable
  Remarks: By default, the SSH server supports SSH1 clients. This command is not available in FIPS mode.
By default, the RSA server key pair is not updated.
Specifying a source IP address for SSH packets HP recommends that you specify the IP address of the loopback or dialer interface as the source address for SSH packets for the following purposes: • Ensuring the communication between the Stelnet client and the Stelnet server.
Terminating the connection with the SFTP server
Specifying a source IP address for SFTP packets
HP recommends that you specify the IP address of the loopback or dialer interface as the source address for SFTP packets for the following purposes:
• Ensuring the communication between the SFTP client and the Stelnet server.
In an insecure network, HP recommends that you configure the server's host public key on the device. After the connection is established, you can directly enter SFTP client view on the server to perform operations, such as working with directories or files.
Working with SFTP directories
Task: Change the working directory on the SFTP server.
  Command: cd [ remote-path ]
  Remarks: Available in SFTP client view.
Task: Return to the upper-level directory.
  Command: cdup
  Remarks: Available in SFTP client view.
Task: Display the current working directory on the SFTP server.
  Remarks: Available in SFTP client view.
• If you choose to continue, the device accesses the server and downloads the server's host public key.
• If you choose to not continue, the connection cannot be established.
In an insecure network, HP recommends that you configure the server's host public key on the device.
To transfer files with an SCP server:...
Task Command Remarks • In non-FIPS mode, connect to the IPv4 SCP server, and transfer files with this server: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...
Displaying and maintaining SSH
Execute display commands in any view.
Task: Display the source IP address or source interface information configured for the SFTP client.
  Command: display sftp client source
Task: Display the source IP address or source interface information configured for the Stelnet client.
  Command: display ssh client source
# Generate the RSA key pairs.
<Router> system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses a Stelnet client that runs PuTTY version 0.58. To establish a connection to the Stelnet server: Launch PuTTY.exe to enter the interface shown in Figure In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
Figure 67 Network diagram
Configuration procedure
In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses a Stelnet client that runs PuTTY version 0.58.
Figure 69 Generating process After the key pair is generated, click Save public key to save the public key. A file saving window appears. Figure 70 Saving a key pair on the client...
Enter a file name (key.pub in this example), and click Save. On the page as shown in Figure 70, click Save private key to save the private key. A confirmation dialog box appears. Click Yes. A file saving window appears. Enter a file name (private.ppk in this example), and click Save.
# Create SSH user client002. Specify the authentication method as publickey for the user. Assign the public key clientkey to the user.
[Router] ssh user client002 service-type stelnet authentication-type publickey assign publickey clientkey
# Create a local device management user client002. Specify the service type as ssh for the user. Assign the user role network-admin to the user.
Figure 72 Specifying the preferred SSH version Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 73 appears. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example) and click OK.
Figure 73 Specifying the private key file Click Open to connect to the server. If the connection is successfully established, the system prompts you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements...
Configuration procedure
Configure the Stelnet server:
# Generate the RSA key pairs.
<RouterB> system-view
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
[RouterB] ssh user client001 service-type stelnet authentication-type password
Establish a connection to the Stelnet server 192.168.1.40:
# Assign an IP address to interface GigabitEthernet 1/0.
<RouterA> system-view
[RouterA] interface gigabitethernet 1/0
[RouterA-GigabitEthernet1/0] ip address 192.168.1.56 255.255.255.0
[RouterA-GigabitEthernet1/0] quit
[RouterA] quit
Before establishing a connection to the server, you can configure the server's host public key on the client to authenticate the server.
[RouterA-pkey-public-key-key1]485348
[RouterA-pkey-public-key-key1] peer-public-key end
[RouterA] quit
# Establish an SSH connection to the server, and specify the host public key of the server.
<RouterA> ssh2 192.168.1.40 publickey key1
Username: client001
client001@192.168.1.40's password:
After you enter the correct password, you log in to Router B successfully. If the client does not have the server's host public key, the system will prompt you to confirm the further access when you access the server.
# Generate a DSA key pair.
[RouterA] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
# Set the authentication mode to AAA for the user lines.
[RouterB] line vty 0 63
[RouterB-line-vty0-63] authentication-mode scheme
[RouterB-line-vty0-63] quit
# Import the peer public key from the file key.pub, and name it clientkey.
[RouterB] public-key peer clientkey import sshkey key.pub
# Create an SSH user client002.
Figure 76 Network diagram
Configuration procedure
Configure the SFTP server:
# Generate the RSA key pairs.
<Router> system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
[Router-luser-manage-client002] service-type ssh
[Router-luser-manage-client002] authorization-attribute user-role network-admin work-directory flash:/
[Router-luser-manage-client002] quit
# Create an SSH user client002. Specify the authentication method as password and service type as sftp for the user. By default, password authentication is used if no SSH user is created.
[Router] ssh user client002 service-type sftp authentication-type password
Establish a connection to the SFTP server:
The device supports different types of SFTP client software.
• After login, you are assigned the user role network-admin to execute file management and transfer operations.
• Router B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm.
Figure 78 Network diagram
Configuration procedure
In the server configuration, the client's host public key is required.
..++++++++
....++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
-rwxrwxrwx 301 Dec 18 14:12 012.pub
-rwxrwxrwx 301 Dec 18 14:12 013 z
sftp> delete z
Removing /z
sftp> dir -l
-rwxrwxrwx 301 Dec 18 14:11 010.pub
-rwxrwxrwx 301 Dec 18 14:12 011.pub
-rwxrwxrwx 301 Dec 18 14:12 012.pub
# Add a directory named new1 and verify the result.
sftp>...
Network requirements
As shown in Figure
• You can log in to Router B through the SCP client that runs on Router A.
• After login, you are assigned the user role network-admin and can securely transfer files with Router B.
• Router B uses the password authentication method.
[RouterB-GigabitEthernet1/0] quit
# Create a local device management user client001. Specify the plaintext password as aabbcc and the service type as ssh for the user. Assign the user role network-admin to the user.
[RouterB] local-user client001 class manage
[RouterB-luser-manage-client001] password simple aabbcc
[RouterB-luser-manage-client001] service-type ssh
[RouterB-luser-manage-client001] authorization-attribute user-role network-admin
[RouterB-luser-manage-client001] quit...
Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security mechanism SSL provides the following security services: Privacy—SSL uses a symmetric encryption algorithm to encrypt data.
• SSL handshake protocol, SSL change cipher spec protocol, and SSL alert protocol at the upper layer.
Figure 81 SSL protocol stack
The following describes the major functions of SSL protocols:
• SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to...
NOTE: SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). When the device acts as the SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0. When the server receives an SSL 2.0 Client Hello message from a client that supports both SSL 2.0 and SSL 3.0/TLS 1.0, it notifies the client to use SSL 3.0 or TLS 1.0 for communication.
Step: Enable the SSL server to authenticate SSL clients.
  Command: client-verify enable
  Remarks: By default, the SSL server does not authenticate SSL clients. When authenticating a client by using the digital certificate, the SSL server performs the following operations:
  • Verifies the CA certificate
Configuring ASPF Overview Advanced Stateful Packet Filter (ASPF) is proposed to address the issues that a packet-filter firewall cannot solve. An ASPF provides the following main functions: • Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status for each connection.
To protect the internal network, you can apply an ASPF in the outbound direction of the external interfaces or in the inbound direction of the internal interfaces of the device. ASPF inspections This section introduces the basic idea of ASPF inspection on application layer and transport layer protocols.
Figure 83 FTP inspection As shown in Figure 83, FTP connections are established and removed as follows: The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server. As a result of negotiation, the server initiates a data connection from port 20 to port 1600 of the client.
• For a multi-channel protocol, if you enable TCP or UDP inspection without configuring application layer protocol inspection, the device might not be able to receive return packets. HP recommends that you enable application layer protocol inspection together with TCP/UDP inspection.
You can apply both ASPF and packet filter to implement packet filtering. For example, you can apply a packet filtering policy to the inbound direction of the external interface and apply an ASPF policy to the outbound direction of the external interface. The application denies unsolicited access from the external network to the internal network and allows return packets from external to the internal network.
Figure 84 Network diagram
Configuration procedure
# Configure ACL 3111 to deny all IP packets.
<RouterA> system-view
[RouterA] acl number 3111
[RouterA-acl-adv-3111] rule deny ip
[RouterA-acl-adv-3111] quit
# Create ASPF policy 1 for FTP inspection.
[RouterA] aspf-policy 1
[RouterA-aspf-policy-1] detect ftp
[RouterA-aspf-policy-1] quit
# Apply ACL 3111 to deny all incoming IP packets on interface GigabitEthernet 1/0.
ASPF TCP application inspection configuration example Network requirements Local users on the internal network need to access the external network. To protect the internal network against ICMP and SYN packet attacks from the external network, configure an ASPF policy on Router A. Router A can then drop faked ICMP error messages and non-SYN packets that are the first packets over TCP connections.
ASPF policy configuration:
Policy number: 1
Enable ICMP error message check
Enable TCP SYN packet check
Detect these protocols:
Router A can recognize faked ICMP error messages from external networks, and drop the non-SYN packets that are the first packets to establish TCP connections.
ASPF H.323 application inspection configuration example
Network requirements
Figure 86...
# Apply ASPF policy 1 to the inbound direction of interface GigabitEthernet 1/0.
[RouterA-GigabitEthernet1/0] aspf apply policy 1 inbound
[RouterA-GigabitEthernet1/0] quit
Verifying the configuration
# Display ASPF sessions on Router A.
[RouterA] display aspf session ipv4
Initiator:
  Source IP/port: 1.1.1.111/33184
  Destination IP/port: 192.168.1.3/32828
  VLAN ID/VLL ID: -/-
  Protocol: UDP(17)
Configuring APR Overview The application recognition (APR) feature enables QoS and ASPF to recognize application protocols of packets sent on ports that are not well known. APR separately counts the number of packets or bytes that an interface has received or sent based on application protocols. It also calculates the transmission rates of the interface at the same time.
You can add application protocols with the same properties to one application group, or copy application protocols from one application group to another. If a packet is recognized as the packet of an application protocol in an application group, the packet is considered to be the packet of the application group.
Step: Create an application group and enter application group view.
  Command: app-group group-name
Step: (Optional.) Configure a description for the user-defined application group.
  Command: description group-description
  Remarks: By default, the description is "User-defined application group."
By default, the user-defined application group does not contain any application protocol.
Displaying and maintaining APR
Execute display commands in any view and reset commands in user view.
Task: Display information about application protocols.
  Command: display application [ name application-name | pre-defined | user-defined ]
Task: Display information about application groups.
  Command: display app-group [ name group-name | pre-defined |
[Router-app-group-group1] quit
# Map HTTP to TCP and port 8080.
[Router] port-mapping application http port 8080 protocol tcp
# Create a traffic class named classifier_1, and match group1 to the class.
[Router] traffic classifier classifier_1
[Router-classifier-classifier_1] if-match app-group group1
[Router-classifier-classifier_1] quit
# Create a traffic behavior named bdeny, and configure the action as deny.
Managing sessions
Overview
Session management is a common module, providing basic services for NAT, ASPF, and intrusion detection and protection to implement their session-based services. Session management can be applied for the following purposes:
• Fast match between packets and sessions
• Management of transport layer protocol states
...
• Creates sessions for protocol packets, updates session states, and sets aging time for sessions in different protocol states.
• Supports port mapping for application layer protocols (see "Configuring PBAR"), enabling application layer protocols to use customized ports.
• Sets aging time for sessions based on application layer protocols.
...
The default aging time for sessions in different protocol states is as follows:
• FIN_WAIT: 30 seconds.
• ICMP-REPLY: 30 seconds.
• ICMP-REQUEST: 60 seconds.
• RAWIP-OPEN: 30 seconds.
• RAWIP-READY: 60 seconds.
• TCP SYN-SENT and SYN-RCV: 30 seconds.
The device supports time-based or traffic-based logging:
• Time-based logging—The device outputs session logs at an interval.
• Traffic-based logging—The device outputs a session log when the traffic amount of a session reaches a threshold. After outputting a session log, the device resets the traffic counter for the session.
Configuring connection limits
The connection limit feature enables the device to monitor and limit the number of established connections. As shown in Figure 88, the following problems might exist:
• If Host B initiates a large number of connections in a short period of time, it might exhaust system...
When a connection limit policy is applied, connections on the device match against all limit rules in the policy in ascending order of rule IDs. HP recommends that you specify a smaller range and more filtering methods in a rule with a smaller ID.
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Apply a connection limit policy to an interface.
  Command: connection-limit apply { ipv6-policy | policy } policy-id
  Remarks: By default, no connection limit is applied to an interface. Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied to an interface.
Connection limit configuration example
Network requirements
As shown in Figure 89, a company has five public IP addresses: 202.38.1.1/24 to 202.38.1.5/24. The internal network address is 192.168.0.0/16. Configure NAT so that the internal users can access the Internet and external users can access the internal servers, and configure connection limits to meet the following requirements:
• All hosts on segment 192.168.0.0/24 can establish up to 100000 connections to the external...
# Configure connection limit rule 2 to permit up to 10000 connections to the servers that match ACL 3001. When the number of connections exceeds 10000, new connections cannot be established until the number drops below 9800.
[Router-connlmt-policy-1] limit 2 acl 3001 per-destination amount 10000 9800
[Router-connlmt-policy-1] quit
# Create connection limit policy 2.
Troubleshooting connection limits ACLs in the connection limit rules with overlapping segments Symptom A connection limit policy has two rules. One rule sets the upper limit to 10 for the connections from each host on segment 192.168.0.0/24, and the other sets the upper limit to 100 for the connections from 192.168.0.100/24.
Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
Step: Enter system view.
  Command: system-view
Step: Enable ARP source suppression.
  Command: arp source-suppression enable
  Remarks: By default, ARP source suppression is disabled.
Step: Set the maximum number of unresolvable packets that the device can receive from a host within 5 seconds.
  Command: arp source-suppression limit limit-value
  Remarks: By default, the maximum number is 10.
Configuration considerations If the attack packets have the same source address, configure the ARP source suppression function as follows: Enable ARP source suppression. Set the threshold to 100. If the number of unresolvable IP packets received from a host within 5 seconds exceeds 100, the device stops resolving packets from the host until the 5 seconds elapse.
NOTE: When an ARP attack entry expires, ARP packets sourced from the MAC address in the entry can be processed correctly.
Displaying and maintaining source MAC-based ARP attack detection
Execute display commands in any view.
Task: Display ARP attack entries detected by source MAC-based ARP attack detection.
  Command: display arp source-mac [ interface interface-type
• Enable source MAC-based ARP attack detection and specify the handling method as filter.
• Set the threshold.
• Set the lifetime for ARP attack entries.
• Exclude the MAC address of the server from this detection.
Configuration procedure
# Enable source MAC-based ARP attack detection, and specify the handling method as filter.
<Device>...
Step: Enable the ARP active acknowledgement function.
  Command: arp active-ack [ strict ] enable
  Remarks: By default, the ARP active acknowledgement function is disabled.
Configuring authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent.
Configuring ARP automatic scanning and fixed ARP ARP automatic scanning is usually used together with the fixed ARP feature in small-scale networks such as a cybercafe. With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates dynamic ARP entries.
Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
packets that can only match a default route. Typically, you do not need to configure the allow-default-route keyword on a PE device because it has no default route pointing to the customer edge (CE) device. If you enable uRPF on a CE that has a default route pointing to the PE, select the allow-default-route keyword.
uRPF checks address validity:
• Permits a packet with a multicast destination address.
• For a packet with an all-zero source address, permits the packet if it has a broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.);...
Network application
Figure 96 Network diagram (labels: ISP A, ISP B, ISP C, User; uRPF (strict), uRPF (loose))
• Configure strict uRPF check between an ISP network and a customer network, and loose uRPF check between ISPs.
• Configure ACLs for special packets or users.
Configuring IPv6 uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
default, IPv6 uRPF discards packets that can only match a default route. Typically, you do not need to configure the allow-default-route keyword on a PE device because it has no default route pointing to the CE device. If you enable IPv6 uRPF on a CE that has a default route pointing to the PE, select the allow-default-route keyword.
Figure 99 IPv6 uRPF work flow
1. IPv6 uRPF checks whether the received packet carries a multicast destination address: If yes, permits the packet. If no, proceeds to step 2.
2. IPv6 uRPF checks whether the source address matches a unicast route: If yes, proceeds to step 3.
If yes, the output interface of the matching route is an InLoop interface. IPv6 uRPF checks whether the receiving interface of the packet is an InLoop interface. If yes, permits the packet. If no, proceeds to step 6. If the source address is a link-local address and is the receiving interface address, also proceeds to step 6.
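The uRPF source-address decision described for IPv4 above (multicast and DHCP/BOOTP exceptions, the allow-default-route keyword) and in the IPv6 work flow, modeled as an added Python example that is not code from the HP manual. The strict/loose distinction follows the standard uRPF definition (strict requires the best route back to the source to leave through the receiving interface; loose only requires that a route exist), the routing tables and packets are constructed sample data, and the InLoop and ACL steps of the flow are not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One unicast routing table entry (constructed sample data)."""
    prefix: str     # e.g. "10.1.0.0/16"; "0.0.0.0/0" or "::/0" is the default route
    out_iface: str  # output interface of the route


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str   # interface the packet was received on


def longest_match(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix lookup of addr; None if no route (not even default) matches."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def urpf_permits(pkt: Packet, routes: List[Route], strict: bool = True,
                 allow_default_route: bool = False) -> bool:
    """Return True if uRPF lets the packet through, False if uRPF drops it."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # A multicast destination is always permitted (routing protocol traffic etc.).
    if dst.is_multicast:
        return True

    # IPv4 special case: 0.0.0.0 -> 255.255.255.255 may be DHCP/BOOTP and must
    # not be discarded; an all-zero source to any other destination is dropped.
    if src.version == 4 and int(src) == 0:
        return int(dst) == 0xFFFFFFFF

    route = longest_match(routes, pkt.src)
    if route is None:
        # No unicast route back to the source address: treated as spoofed.
        return False

    if (ipaddress.ip_network(route.prefix, strict=False).prefixlen == 0
            and not allow_default_route):
        # Only the default route matches: dropped unless allow-default-route.
        return False

    if not strict:
        # Loose check: any usable route back to the source is enough.
        return True

    # Strict check: the route to the source must point out the receiving interface.
    return route.out_iface == pkt.in_iface


# Constructed sample routing tables for a CE-style router with a default route.
ROUTES_V4 = [
    Route("10.1.0.0/16", "GigabitEthernet1/0"),
    Route("192.168.1.0/24", "GigabitEthernet1/1"),
    Route("0.0.0.0/0", "GigabitEthernet1/1"),
]
ROUTES_V6 = [
    Route("1010::/64", "GigabitEthernet1/0"),
    Route("::/0", "GigabitEthernet1/1"),
]

if __name__ == "__main__":
    cases = [
        ("genuine source on GE1/0, strict",
         Packet("10.1.2.3", "203.0.113.9", "GigabitEthernet1/0"), True, False),
        ("same source arriving on GE1/1, strict",
         Packet("10.1.2.3", "203.0.113.9", "GigabitEthernet1/1"), True, False),
        ("same source arriving on GE1/1, loose",
         Packet("10.1.2.3", "203.0.113.9", "GigabitEthernet1/1"), False, False),
        ("default route only, allow-default-route",
         Packet("172.16.0.1", "203.0.113.9", "GigabitEthernet1/1"), True, True),
        ("DHCP discover",
         Packet("0.0.0.0", "255.255.255.255", "GigabitEthernet1/0"), True, False),
    ]
    for label, pkt, strict, adr in cases:
        verdict = "permit" if urpf_permits(pkt, ROUTES_V4, strict, adr) else "drop"
        print(f"{label}: {verdict}")
```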
• Configure IPv6 ACLs for special packets or users.
Configuring IPv6 uRPF
You can configure IPv6 uRPF globally or on a specific interface. Global IPv6 uRPF configuration takes effect on all interfaces. IPv6 uRPF configured on an interface takes effect on the interface only. When you configure IPv6 uRPF, follow these guidelines:
•...
IPv6 uRPF configuration example Network requirements As shown in Figure 101, configure strict IPv6 uRPF check on GigabitEthernet 1/0 of Router B and permit packets from network 1010::/64. Configure strict IPv6 uRPF check on GigabitEthernet 1/0 of Router A and allow using the default route for IPv6 uRPF check.
Configuring crypto engines
VSR routers support only software crypto engines.
Overview
Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types:
• Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or...
Configuring FIPS
Overview
Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4", from low to high. The device supports Level 2.
• If a device enters FIPS or non-FIPS mode through automatic reboot, the startup configuration file does not support configuration rollback. To support configuration rollback, you must execute the save command before making other configurations.
Configuring FIPS mode
Entering FIPS mode
After you enable FIPS mode and reboot the device, the device operates in FIPS mode, which has strict security requirements, and performs self-tests on cryptography modules to verify that they operate correctly.
Delete the startup configuration file in binary format (an .mdb file). Reboot the device. The system enters in FIPS mode. You can use the configured username and password to log in to the device in FIPS mode. To enable FIPS mode: Step Command Remarks...
You can also trigger a self-test. If the power-up self-test fails, the device where the self-test process exists reboots. If the conditional self-test fails, the system outputs self-test failure information. NOTE: If a self-test fails, contact HP Support.
Power-up self-tests The power-up self-test, also called "known-answer test", examines the availability of FIPS-allowed cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer. If they are not identical, the known-answer test fails.
Displaying and maintaining FIPS Execute the display command in any view. Task Command Display the FIPS mode state. display fips status FIPS configuration examples Entering FIPS mode through automatic reboot Network requirements Use the automatic reboot method to enter FIPS mode, and use a console port to log in to the device in FIPS mode.
…
<Sysname>
# Display the current FIPS mode state.
<Sysname> display fips status
FIPS mode is enabled.
# Display the default configuration file.
<Sysname> more fips-startup.cfg
password-control enable
local-user root class manage
 service-type terminal
 authorization-attribute user-role network-admin
fips mode enable
return
<Sysname>...
Change the configuration to meet FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode. # Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.
Configuration procedure
# Disable FIPS mode.
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
The system will create a new startup configuration file for non-FIPS mode and then reboot automatically. Continue? [Y/N]:y
Waiting for reboot...
After reboot, the device will enter non-FIPS mode.
Verifying the configuration
After the device reboots, you can directly enter the system.
Deleting file flash:/startup.mdb...Done.
# Reboot the device.
<Sysname> reboot
Verifying the configuration
After the device reboots, enter the username test and password 12345zxcvb!@#$%ZXCVB to enter non-FIPS mode.
Press ENTER to get started.
login: test
Password:
Last successfully login time:…
…
<Sysname>
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
...
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.