Enterasys ANG-3000 Application Note

ANG Configuration Using the Command Line Interface
Application Note AVN-AN-CLI-R11

Introduction
This Application Note describes the commands used to configure a remote
Aurorean Network Gateway (ANG) 7000/3000 series using the Command Line
Interface (CLI). The first section of the document defines the routing subsystem,
virtual IP subnets, naming servers, authentication service (user and group tables),
IPSec with El Gamal Key Exchange (IRPP) and PPTP tunnel protocol settings, and
site-to-site tunnels.
The second section of this document defines a suite of command line utilities that
manage IP Security (IPSec) with Internet Key Exchange (IKE) configuration on a
Remote (stand-alone) ANG. IPSec IKE commands available for the
ANG-3000/7000 are described.
The final section of the document details how to configure a tunnel between a
Remote ANG and a Cisco router. For more information on configuring IPSec
tunnels, consult the ANG-1100 User's Guide and the Rel. 3.5 Enhanced Support for
VPN Clients Application Note.
Listing Data
The Aurorean Network Gateway CLI is designed so that configuration data
exported to the file is in an easily displayed format, especially when that data
(such as static routes) consists of zero to N objects.
This is accomplished by:
• Displaying the configuration data as a fixed number of fields, without
labels. The name of each value is inferred by its position on the line. The
data is tabbed to display under column headers when printed.
• Displaying items such as static routes one route at a time. The output lists
route 1, route 2, for example.
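As an added illustration of the positional listing format described above (example code written for this page, not part of Enterasys's documentation or tooling): a small Python parser that maps the unlabelled output of ircstatic -l and ircpptp -l onto named fields by position, rejects lines whose field count does not match, and flags the 40-bit PPTP setting that the page's own configuration example disables. The field names, and the assumption that ircpptp -l prints its three flags in the order 128-bit, 40-bit, compression, are taken from the page's examples.

```python
import ipaddress

# Field names by position for the unlabelled listing output of two IRC
# utilities. The names follow the page's own examples; the positional
# layout (no labels, meaning inferred from column position) is what the
# Listing Data section describes. Column order is assumed from the page.
STATIC_ROUTE_FIELDS = ("subnet", "mask", "gateway")   # ircstatic -l N
PPTP_FIELDS = ("enc128", "enc40", "compression")       # ircpptp -l


def parse_positional(line, fields):
    """Split one unlabelled output line into a dict keyed by field name.

    The field count must match exactly: a short or long line means the
    output format changed or the line was truncated, and guessing which
    column is missing would silently mislabel the data.
    """
    tokens = line.split()
    if len(tokens) != len(fields):
        raise ValueError(
            f"expected {len(fields)} fields, got {len(tokens)}: {line!r}")
    return dict(zip(fields, tokens))


def parse_static_routes(output):
    """Parse zero-to-N static routes, one route per line, into network objects."""
    routes = []
    for line in output.splitlines():
        if not line.strip():
            continue  # tolerate blank trailing lines in captured output
        rec = parse_positional(line, STATIC_ROUTE_FIELDS)
        # Validates both the dotted quads and the subnet/mask pairing.
        network = ipaddress.IPv4Network((rec["subnet"], rec["mask"]), strict=False)
        gateway = ipaddress.IPv4Address(rec["gateway"])
        routes.append({"network": network, "gateway": gateway,
                       "is_default": network.prefixlen == 0})
    return routes


def parse_pptp(output):
    """Parse the three Enabled/Disabled flags printed by ircpptp -l into booleans."""
    rec = parse_positional(output.strip(), PPTP_FIELDS)
    for name, value in rec.items():
        if value not in ("Enabled", "Disabled"):
            raise ValueError(f"{name}: unexpected value {value!r}")
    return {name: value == "Enabled" for name, value in rec.items()}


def pptp_findings(flags):
    """Review findings for a PPTP listing; 40-bit encryption is the weak setting."""
    findings = []
    if flags["enc40"]:
        findings.append("40-bit PPTP encryption is enabled")
    if not flags["enc128"]:
        findings.append("128-bit PPTP encryption is disabled")
    return findings


# Constructed sample output, assembled from the page's own listing examples.
SAMPLE_STATIC = "10.10.3.0 255.255.255.0 192.168.4.1\n0.0.0.0 0.0.0.0 206.10.20.1\n"
SAMPLE_PPTP = "Enabled Disabled Enabled"

if __name__ == "__main__":
    for r in parse_static_routes(SAMPLE_STATIC):
        tag = " (default route)" if r["is_default"] else ""
        print(f"{r['network']} via {r['gateway']}{tag}")
    print(pptp_findings(parse_pptp(SAMPLE_PPTP)) or "PPTP settings as recommended")
```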
Arguments
The term <arg> is used as a place-holder for actual argument data that is supplied
by the CLI. For example, the following command line information for the
Summary of Contents for Enterasys ANG-3000

  • Page 1 IP Security (IPSec) with Internet Key Exchange (IKE) configuration on a Remote (stand-alone) ANG. IPSec IKE commands available for the ANG-3000/7000 are described. The final section of the document details how to configure a tunnel between a Remote ANG and a Cisco router. For more information on configuring IPSec tunnels, consult the ANG-1100 User’s Guide and the Rel.
  • Page 2 PPTP is configured for 128-bit encryption, no 40-bit encryption, and compression enabled: ircpptp -1 Enabled -4 Disabled -c Enabled. The subsequent listing output (from ircpptp -l) is: Enabled Disabled Enabled. Switches: most of the functions include the “L” switch, which provides column headers for display or print, as shown in the example below.
  • Page 3 Login: To log in to the ANG via the CLI requires that you enter a username and password only. Perform the following steps to log in to the ANG. 1. From the Start, Programs menu, select an MS-DOS Command Prompt. 2.
  • Page 4 ANG Configuration Commands (command table: irctunnel, ircspecial, ...). ircauthcheck (Authorization Check): Tests whether the specified user is authenticated. Usage Example: ircauthcheck -u admin -p 1234 -i 123.6.24.122; output: /usr/indus/irc/ircauthcheck: test_adduser results for netadmin - Reply returned IRresultOK. ircbackup (Backup): Backs up the configuration information to a local floppy disk. Usage Example: Backup the Configuration changes...
  • Page 5 ircdelivery (Delivery): Carries messages between all Aurorean components, including servers, Aurorean Clients, and the RiverMaster management application. Aurorean Delivery is a critical service that must be operational for Aurorean components to initialize properly and synchronize with one another. Usage: True or False; VPN Domain name...
  • Page 6 ircext (External Routes): Provides external routes to reach outside the trusted network. Usage, Defaults, Notes. Example, configure an external route: ircext -a -n 0.0.0.0 -m 0.0.0.0 -g 192.168.4.1. Example, modify an external route: ircext -n 0.0.0.0 -m 255.255.255.0 -g 192.168.4.1. Example, list after the modification: ircext -L (Subnet...)
  • Page 7 RiverMaster. It is recommended that you add a new login account to the Admin group, then remove the enterasys user account. NULL is used to clear the data for a group.
  • Page 8 The LCP Echo heartbeat mechanism is always Tunnel Scope. VPN Scope applies to the entire ANG-3000/7000 series. When a VPN scope heartbeat fails, it indicates that all VPN access must be immediately terminated.
  • Page 9 Applies a tunnel keep-alive interval to the Aurorean Network Gateway. This enables Uninterrupted Data Session failover between site-to-site tunnels, providing high availability for mission-critical applications. Usage, Defaults, Notes. ircheartbeat -a -d -n <name> -s -m -p -i -r -e -l <arg> -h -L <arg>...
  • Page 10 Example, change the default timeout used for all remote access and site-to-site tunnels (note that this command would be used on the central ANG, which accepts incoming site-to-site tunnels): ircheartbeat -n default -i 5000 -r 6. Example: assuming all site-to-site tunnel user accounts are in the group STS, create a heartbeat for that group that uses a 3.5 second interval and tries 4 times before terminating the tunnel.
  • Page 11 Example, list: ircheartbeat -L (Name, PPTP, IRPP). irchostname (Hostname): Applies a Host Domain Name to the Aurorean Network Gateway. Usage, Defaults, Notes. Example, configure a new FQDN for the server: irchostname -n ent.irvpn.com. Example, list: irchostname -L. Index, Scope, Mechanism...
  • Page 12 ircicr (ICR Routing): Intelligent Client Routing (ICR) provides a measure of control over an Aurorean Client’s access to the Internet. When enabled, ICR allows remote clients to browse the Internet directly, outside the tunnel. Usage: Enable or Disable; Help; None; None...
  • Page 13 Sets the Trusted and External IP Address for the Aurorean Network Gateway. Usage: None, None. Defaults. Example, configure the trusted (default) IP address: ircipaddr -i 10.10.153.1 -m 255.255.255.0 -g 10.10.153.2. Example, configure the external IP address using the default mask and gateway: ircipaddr -n external -i 192.168.4.25. Example, list: ircipaddr -L...
  • Page 14 ircirpp (IRPP): The IRPP Tunneling Protocol uses the IP Security (IPSec) protocol with El Gamal key exchange to route packets through the Internet. Usage: 3DES, DES, AF128, AF40, None; 3DES, DES, AF128, AF40, None; SHA, MD5, None; Enabled / Disabled; Duration in seconds; Volume in kilobytes; Preferred, Required, Disabled...
  • Page 15 Example, list: ircirpp -L (Primary Encryption 3DES). irclistusers (List Users): Entering irclistusers on the command line displays all users currently logged in. The data is displayed at the command line in the following form: User Name netadmin. ircns (Name Server): Sets IP addresses for the Domain Name System (DNS) and Windows Internet Name Service (WINS) servers to be used by remote clients for name resolution.
  • Page 16 Example, list of formatted IP addresses: ircns -L (Primary DNS Address 172.16.2.2). ircospf (OSPF): The Open Shortest Path First (OSPF) routing protocol is one of two routing protocols supported by the Aurorean Client. Usage, Defaults. Example, configure the OSPF routing protocol: ircospf -o disable -r 0.0.0.0 -i 0.0.0.0 -a none. Example, list: ircospf -L...
  • Page 17 ircpptp (PPTP): Point-to-Point Tunneling Protocol (PPTP) uses the Point-to-Point Protocol (PPP) and Generic Routing Encapsulation (GRE) to route packets through the Internet. Usage. Example, configure the PPTP Tunneling Protocol: ircpptp -1 enable -4 disable -c enable. Example, list: ircpptp -L (128-bit Encryption Enabled...)
  • Page 18 The Routing Information Protocol (RIP) is one of two routing protocols supported by the Aurorean Client. Usage, Notes. Example, configure the RIP routing protocol: ircrip -r enable -v2 -i enable -e enable -a none. Example, list: ircrip -L (Enabled). ircstatic (Static Routes)...
  • Page 19 Limits access to certain subnets. Usage, Defaults, Notes. Example, configure a static route: ircstatic -a -n 10.10.3.0 -m 255.255.255.0 -g 10.10.170.100. Example, list: ircstatic -L (Subnet 10.10.3.0). Example, modify a static route: ircstatic -n 10.10.3.0 -g 192.168.4.1. ircstatic -a -d -n -m -g -l <arg>...
  • Page 20 Example, list after the modification: ircstatic -l 1 (10.10.3.0 255.255.255.0 192.168.4.1). ircsts (Site-to-Site): Sets up Remote ANG site-to-site connections by first adding an ANG to an existing ANG configuration, then adding the tunnel itself. This is done by configuring a user on that server with the following values: an IP address or FQDN (Fully Qualified Domain Name) for the server, user name and password, and tunnel protocol (either IPSec with IKE, IRPP or PPTP).
  • Page 21 Example, configure a second site-to-site tunnel: ircsts -n ang2 -s enable -g 192.168.4.12 -c irpp -u remote1 -p s2s2. Example, list to view the second tunnel data: ircsts -l 2 (ang1). Example, list to view all tunnels: ircsts -L (Name ang1 ang2...)
  • Page 22 irctunnel (Tunnel): Displays statistics for any connected ANG tunnels. Usage, Notes. Example, list to view formatted compression information: irctunnel -C (Protocol IRPP). irctunnel -d <name> -l <Nth> -a -c -C -e -E -v <name> -V <name> -L <arg>...
  • Page 23 Example, list to view formatted error statistics: irctunnel -E (Protocol IRPP). Example, list to view all site-to-site tunnel information: irctunnel -L (Protocol PPTP PPTP). Example, list to view all unformatted stats of a specified tunnel: irctunnel -a 3 (1086717963 client103 IKE 09/25/2001 14:04:40 192.168.223.23 2488 3077 100727 936872 0 0 0 0 0 0 0 0 0). Example, list to view unformatted stats of a specified tunnel...
  • Page 24 ircspecial (Special): Sets the special feature. The ANG now supports advanced logging and tunnel forwarding. Usage: -l -L. Defaults, Notes, Example. ircspecial -f <arg> -k <string> -s <string> -v <string> -e -d -h -l -L <arg>...
  • Page 25 Example, disable tunnel forwarding: ircspecial -s tunnel_forward -e disabled. Example, set the trace level to LOW: irctrace -t LOW. Example, list for low trace level: ircspecial -L (Special Feature tunnel_forward ATT_logging). ircuser (Users): Adds users to a group. Usage. Value...
  • Page 26 -m joe -i 10.10.171.2 -n 255.255.255.255. Example, list for all users after user “joe” is modified: ircuser -l (remote_v22 enterasys mike). ircuser -a -g -p -i -m -d -n <name> -h -l <arg>...
  • Page 27 ircvsn (Virtual Subnet): IP addresses can be assigned to Aurorean Clients when they connect from one or more Virtual Subnets. When a user connects, an IP address from within a virtual subnet is allocated to that user for the duration of the connection. The ANG requires a pool from which it can assign IP addresses to its site-to-site tunnels when remote addresses are not taken from a virtual subnet.
  • Page 28 Example, list for the first subnet: ircvsn -l 1 (10.10.170.0). Example, list for all subnets: ircvsn -L (Subnet 10.10.170.0 10.10.171.0). Local Address Pool Subnet is 154.32.0.0. Local Pool Mask is 255.255.0.0. 255.255.255.0 Mask ICR Allowed...
  • Page 29 ircl2tp (Layer 2 Tunnel Protocol): Configures L2TP values including MS-Chap authentication, EAP and data compression. Usage, Defaults. Example, list of formatted data: PPP MS-Chap Authentication Enabled. ircl2tp -m <arg> -e <arg> -c <arg> -l <arg> -L <arg>...
  • Page 30 IPSec/IKE Commands: This section defines a suite of command line utilities that manage Internet Key Exchange (IKE) and IP Security (IPSec) configuration on a remote ANG. You must define several network and security properties to successfully use IPSec with IKE to form site-to-site tunnels.
  • Page 31 Each object must be named, and some objects have references to other objects by name. (This “points to” attribute is illustrated by the indentation in the preceding figure.) Some objects can point to multiple objects farther down the hierarchy (such as an IKE Policy referencing multiple IKE Proposals).
  • Page 32 IPSec/IKE Command Descriptions: This section describes the IPSec/IKE commands. Note that all configuration utilities for the ANG-3000/7000 series are stored in the directory /usr/indus/ipsec. As with the IRC commands, the order of command line switches in the commands is irrelevant.
  • Page 33 ikePolicy (IKE Policy): The IKE Policy object defines the IKE/IPSec authentication method and algorithm proposals. Multiple IKE policy objects are permitted so that separate and distinct policies can be created and bound to individual site-to-site tunnels. Usage. ikePolicy -a -d -n <name>...
  • Page 34 ikePolicy (continued). Usage, Defaults, Notes. Example: ikePolicy -a prime -e aggressive -m server -i default -p “psk”. Example, list: ikePolicy -L (Name...)
  • Page 35 ikeProposal (IKE Proposal): An IKE proposal defines the type of peer authentication and the cryptographic algorithms used during Phase 1 of the IKE exchange. Usage, Defaults, Notes. Example: ikeProposal -n 1 -e DES -g Modp768 -s 3000. Example, list: ikeProposal -L (Name...)
  • Page 36 ipsecAh (AH Transform): The Authentication Header (AH) protocol provides data integrity, data source authentication and optional protection against replay attacks. It defines the transformation applied to the associated datagram, including the algorithm used, key sizes and how they are used, the transformation process, and any algorithm-specific information.
  • Page 37 ipsecComp (IPComp Transform): The sole compression algorithm supported at this time is STAC-LZS. It is automatically selected if an IPComp transform is created. Usage, Defaults, Notes. Example: ipsecComp -a -n test -c STAC-LZS. Example, list: ipsecComp -L (Name test). ipsecComp -a -d -n -c -l <arg>...
  • Page 38 ipsecDefault (IPSec Default): The IPSec engine in the ANG and remote ANG acts as the External interface's firewall. Its proper configuration is vital to the security of the ANG and the intranet attached to the ANG’s Trusted interface. A default IPSec configuration is provided on the ANG and remote ANG that permits PPTP, IRPP, Firewall Traversal, and IKE/IPSec traffic but drops all other packets.
  • Page 39 # Determine the directory where IPSEC CLI commands live. They must be in the same directory as this script. IPSEC=`dirname $0` # Quietly erase the current IPSEC configuration. $IPSEC/ipsecErase -Y -q # Define a default Policy for IKE. This enables IKE authentication using preshared keys.
  • Page 40 # Add the IPSec SPD rules to process L2TP and GRE (for IRPP) and to pass the other tunnel control protocols in the clear. The GRE rule requires processing by IPSec but has no Proposals because the Encryption and Integrity algorithms are negotiated by the IRPP Key Exchange Protocol.
  • Page 41 ipsecErase (IPSec Erase): Deletes the IPSec and IKE configuration. IPSec Erase contrasts with the ipsecDefault command, which, in addition to deleting the IPSec/IKE configuration, repopulates the configuration with factory default parameters. Usage, Notes. Example: ipsecErase -q eng -f. ipsecEsp (ESP Transform): Encapsulating Security Payload (ESP) protocol header which, when inserted into an IP...
  • Page 42 Encapsulating Security Payload (ESP) protocol header which, when inserted into an IP datagram, provides confidentiality, data origin authentication, anti-replay, and data integrity services. Usage, Defaults, Notes. Example: ipsecEsp -a -n 5 -e 3DES -i HMAC-MD5 -k 1000 -s 600. Example, list: ipsecEsp -L (Name...)
  • Page 43 ipsecProposal (IPSec Proposal): A proposal defines the AH, ESP and Comp transforms which are applied to every IPSec packet. It also controls the Perfect Forward Secrecy values, and the time and data parameters used to rekey the proposal. Usage, Defaults, Notes. Example: ipsecProposal -a -n 4 -p enable -g Modp1024 -T 30 -D 10 -e 5 -u 2. ipsecProposal -a -d -n -p -g -T -D -e -u -c -l <arg>...
  • Page 44 Example, list: ipsecProposal -L (Name). ipsecRule (IPSec Rule): Each rule specifies the “disposition” of packets matching the selector. Packets may be Processed, Dropped, or Passed. Processed packets are subjected to IPSec encryption or decryption. Dropped packets are simply discarded. The Drop packet disposition can be used to create simple firewalls that discard some packets.
  • Page 45 ipsecRule (continued).
  • Page 46 ipsecRule (continued).
  • Page 47 pptpOut r223 pptpIn rPing https irppOut irppIn ftpdata ftpctrl http telnet icmp. ipsecSelector (IPSec Selector): An IPSec selector matches the various kinds of traffic that by default are allowed on the ANG external interface. These include IKE, inbound and outbound PPTP, inbound and outbound IRPP, and HTTPS.
  • Page 48 ipsecSelector (continued). Usage, Defaults, Notes. Example: ipsecSelector -a -n 7 -o 172.16.0.0/16 -r 192.168.223.0/24 -p ANY -v 0 -w 0. Example, list: ipsecSelector -L (Name...)
  • Page 49 ftpdata ftpctrl http telnet icmp sHttps sGre sIrppOut sIrppIn sPptpOut sPptpIn sIke. ipsecSpd (IPSec SPD, Security Policy Database): The Security Policy Database contains a list of SPD rules. Usage. Physical 0.0.0.0/0 Physical 0.0.0.0/0 Physical 0.0.0.0/0 Physical 0.0.0.0/0 0.0.0.0/0 0.0.0.0/0 Physical...
  • Page 50 ipsecSpd (continued). Usage, Notes. Example: ipsecSpd -a -n eth0 -r “4;3;5;2”. Example, list: ipsecSpd -L (Name trusted external). You should configure the SPD for the External interface (i.e. eth1). ipsecSpd -a -d -n -r -l <arg>...
  • Page 51 version.txt (Version.txt): This file displays the release, patch and build numbers as well as the build name of the existing server code. Example: more version.txt (Aurorean Virtual Network Release 3.1 Patch 00 Build 120 (Puma))...
  • Page 52 IPSec Sample Configuration on the ANG-3000/7000 Series: The diagram shown in Figure 2 illustrates two ANG-3000/7000 series systems connected via an IPSec tunnel. 192.168.10.0/24. The properties of the two Aurorean Network Gateways are:...
  • Page 53 2. Combine the Transforms into one or more Proposals. 3. Combine a set of Proposals with a Selector to form one IPSec Rule. NOTE: Each protocol (ESP, AH, and IPComp) is called a Transform.
  • Page 54 4. Insert the new IPSec rule into the Security Policy Database. Multiple Transforms may be offered in one Proposal and multiple Proposals may be attached to one Rule. But, in this example, assume this security policy: –...
  • Page 55 146.15.25.35. This network is 192.168.20.0/24. A Static Route must be added via RiverMaster, or equivalently, via the CLI using either: ircstatic -a -n 0.0.0.0 -m 0.0.0.0 -g 206.10.20.1. NOTE...
  • Page 56 ircstatic -a -n 192.168.20.0 -m 255.255.255.0 -g 206.10.20.1. The first case adds a default static route. This single route guarantees that traffic to any network behind any remote gateway is transmitted via the external interface and subsequently processed by the external interface's IPSec SPD.
  • Page 57 Remote ANG-3000/7000 Series & Cisco Configuration: This section describes how to configure a tunnel between a Remote ANG-3000/7000 series and a Cisco 2600 router. As shown in Figure 3, a Remote ANG with a Trusted interface of 192.168.20.1 and an External interface of 146.15.25.35 is connected through the Internet to a Cisco router with a Trusted interface of 192.168.10.1 and External...
  • Page 58 Add an External Route to the Network. ANG Commands: ircext -a -n 0.0.0.0 -m 0.0.0.0 -g 146.15.25.1. Cisco Commands: cisco_vpn(config)# ip route 0.0.0.0 0.0.0.0 146.15.25.1. Add a Static Route to the Network Behind the Remote...
  • Page 59 Security Selectors. ANG Commands: ipsecSelector -a -n S1 -o 192.168.20.0/24 -r 192.168.10.0/24. Cisco Commands: cisco_vpn(config)# access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255. NOTE...
  • Page 60 Security Policy. ANG Commands: ./ipsecComp -a -n C1 -c STAC-LZS; ./ipsecEsp -a -n E1 -e des -i hmac-md5 -k 10000 -s 7200; ./ipsecProposal -a -n P1 -e E1 -c C1; ./ipsecRule -a -n R1 -s S1 -p P1 -w process -e tunnel -g 146.15.24.36...
  • Page 61 1 ipsec-isakmp; set peer 146.15.25.35; set security-association lifetime kilobytes 10000; set security-association lifetime seconds 7200; set transform-set des_md5_lzs; set pfs group2; match address 110...
  • Page 62 interface Ethernet0/0; ip address 192.168.10.1 255.255.255.0; no ip directed-broadcast; interface Ethernet0/1; ip address 146.15.25.36 255.255.0.0; no ip directed-broadcast; crypto map regular; router rip; redistribute connected; network 192.168.10.0; ip classless; ip route 192.168.20.0 255.255.255.0 146.15.25.35; ip route 0.0.0.0 0.0.0.0 146.15.25.1...
  • Page 63 -L (Name PFS: p-vsn Enabled). ipsecEsp -L (Name Encrypt: e-vsn 3DES). ipsecComp -L (Name Algorithm: STAC-LZS). Exchange Mode, Mode Config: Aggressive, Server. Local Address, Remote Address: 192.168.20.0/24 192.168.10.0/24; Physical 0.0.0.0/0; Physical 0.0.0.0/0; Physical 0.0.0.0/0...
  • Page 64 ipsecRule -L (Name: https irppOut irppIn pptpOut pptpIn). ipsecSpd -L (external). Selector, Handling, Mode: Process Tunnel sHttps; Pass Tunnel sIrppOut; Pass Tunnel sIrppIn...