
Nortel Networks 608(WL) User's Manual


Contents

1. E-DOC-CTC-20051017-0169 v0.1. Chapter 4: Configuration via the Command Line Interface. 4.4.1 Peer parameters.

Parameters table. The following table shows the peer parameters; the CLI keyword for each parameter is given in parentheses.

  Peer name - Mandatory - Identifies the peer entity.
  Remote peer address (remoteaddr) - Mandatory - The public IP address or host name of the remote Security Gateway.
  Backup remote peer address (backupaddr) - Optional - The public IP address or host name of a backup remote Security Gateway.
  Exchange mode (exchmode) - Mandatory - Determines the IKE exchange mode.
  Local identifier (localid) - Mandatory - Identifies the local Security Gateway during the IKE negotiation.
  Remote identifier (remoteid) - Mandatory - Identifies the remote Security Gateway during the Phase 1 negotiation.
  Physical interface (phyif) - Mandatory - Identifies the SpeedTouch physical interface to which the local IPSec peer is tied.
  Descriptor (descr) - Mandatory - The name of the Peer Security Descriptor that applies to the Phase 1 negotiation. Either a built-in descriptor or a user-defined descriptor can be used.
  Authentication attribute (auth) - Mandatory - Holds the authentication method and its associated parameters.
  Client/server (client, server) - Optional - Specifies a dialup VPN client or server descriptor.
  Options (options) - Optional - A number of options influencing the VPN behaviour can be set.

For a basic IPSec configuration only a subset of the peer parameters need to be set to a specified v
2. Protocol: any. Local Port: any. Remote Port: any. IPSec Security Descriptors: Descriptor: unset; Specify Additional Descriptors. Marked items are mandatory.

In this section of the page you fill out the characteristics of the Virtual Private Network you are building: specify the local and remote private network parameters, and specify the Security Descriptor you use for this IPSec connection. More information about the various fields and buttons is found below. To learn more about Security Descriptors, see section 3.5, Advanced VPN Menu.

Buttons. You can use one of the following buttons: Specify Additional Descriptors reveals additional fields where you can specify alternative IPSec Security Descriptors; the confirm button confirms the connection parameters.

Chapter 3: Configuration via Local Pages. Trusted Network. The Local and Remote Trusted Network parameters describe which terminals have access to the secure connection at the local and remote peers respectively. Two fields must be completed for each peer: Trusted Network Type and Trusted Network IP. The Trusted Network Type determines which type of value to use for the Trusted Network IP field. Among the supported network types is a contiguous IP address range, written either in full (10.0.0.5-10.0.0.56) or in short form with only the last octet of the upper bound (10.0.0.5-56). The Trusted Network IP values are the proxy identities (traffic selectors) exchanged during the Phase 2 (Quick Mode) negotiation, and they must comply with the values configured at the
3. Normally the VPN server sets this parameter during the tunnel negotiations.

Chapter 3: Configuration via Local Pages. Page layout for preshared key authentication. When you click Use Preshared Key Authentication, the initial page is updated in the following way.

  VPN Server Address | Remote Trusted Network (empty table). Use the fields below to add a new entry:
  Server IP Address or FQDN
  Backup Server IP Address or FQDN
  IKE Security Descriptor: unset
  IPSec Security Descriptor: unset
  Exchange Mode: aggressive
  Server vendor: unset
  Primary Untrusted Physical Interface: any
  Virtual IP Mapping: unset
  IKE Authentication: Preshared Secret; Confirm Secret; Use Certificate Authentication
  Choose Start Mechanism (automatic or manual): Use Automatic Start (Always On); Use Manual Dialup
  Optional Remote Network (if not set by VPN server): Remote Network Type: unset; Remote IP
  Marked items are mandatory.

IKE Authentication with Preshared Key. When you select Use Preshared Key Authentication, the following fields have to be completed:
  > Preshared Secret: a string used as the secret password for the VPN connection. This secret must be configured identically at both peers (local and remote).
  > Confirm Secret: the Preshared Secret value is not shown in clear tex

Note that with the default Exchange Mode, aggressive, the IKE identities and the preshared-key-derived hash are sent before the exchange is encrypted, so anyone who captures the negotiation can run an offline dictionary attack against the secret. Use a long, random secret, and prefer main mode or certificate authentication where the peer supports them.
4. Push IP: select this check box when you want the VPN server to take the initiative of assigning an IP address to the VPN clients via IKE Mode Config. When the check box is not selected, the VPN clients request an IP address from the VPN server.

Domain name: the domain name provided to the VPN clients via IKE Mode Config.

Primary DNS IP Address: the IP address of the primary DNS server provided to the VPN clients via IKE Mode Config. This is the primary DNS server in the local network that is open to VPN clients.

Secondary DNS IP Address: the IP address of the secondary DNS server provided to the VPN clients via IKE Mode Config. This is the secondary DNS server in the local network that is open to VPN clients.

Primary WINS IP Address: the IP address of the primary WINS server provided to the VPN clients via IKE Mode Config. This is the primary WINS server in the local network that is open to VPN clients. A WINS server maps NetBIOS names to IP addresses.

Secondary WINS IP Address: the IP address of the secondary WINS server provided to the VPN clients via IKE Mode Config. This is the secondary WINS server in the local network that is open to VPN clients.

XAuth: the SpeedTouch VPN server allows the use of the Extended Authentication protocol (XAuth) with an internal user list. Two different authentication types can be selected: generic and chap. When the use of XAuth is selected, a list of authorized users is to be composed. T
5. SpeedTouch 608WL / 620 Wireless Business DSL Router, IPSec Configuration Guide (THOMSON brand).

Copyright. Copyright 1999-2006 THOMSON. All rights reserved. Distribution and copying of this document, use and communication of its contents is not permitted without written authorization from THOMSON. The content of this document is furnished for informational use only, may be subject to change without notice, and should not be construed as a commitment by THOMSON. THOMSON assumes no responsibility or liability for any errors or inaccuracies that may appear in this document. Thomson Telecom Belgium, Prins Boudewijnlaan 47, B-2650 Edegem, Belgium, www.speedtouch.com.

Trademarks. The following trademarks are used in this document:
  > SpeedTouch is a trademark of THOMSON.
  > The Bluetooth word mark and logos are owned by the Bluetooth SIG, Inc.
  > Ethernet is a trademark of Xerox Corporation.
  > Wi-Fi and the Wi-Fi logo are registered trademarks of the Wi-Fi Alliance. Wi-Fi CERTIFIED, Wi-Fi ZONE, Wi-Fi Alliance, their respective logos and Wi-Fi Protected Access are trademarks of the Wi-Fi Alliance.
  > UPnP is a certification mark of the UPnP Implementers Corporation.
  > Microsoft, MS-DOS, Windows and Windows NT are either registered trademarks or trademarks of Microsoft
6. Statistics: show the traffic carried by the VPN connections to the selected remote Security Gateway. The data are shown at the bottom of the page.

3.1.2 Remote Gateway Address Unknown Page.

VPN context. Your SpeedTouch may have to set up simultaneous VPN connections with various remote Security Gateways. At the time you configure your SpeedTouch you may have no clear idea about the location of the remote gateway(s) in the network. This may be the case at the central location of a large network, where remote locations are added as time passes. It is an asset if you can configure the SpeedTouch at the central location in such a way that adding a new remote site requires no intervention at the central site. In this case the SpeedTouch is obviously not able to take the initiative to contact the remote gateway, so the role of initiator is excluded: your SpeedTouch can only act as a responder for a remote gateway that requests a VPN connection. Of course both peers need to know and agree on the security parameters in order to have access to the VPN. A secure connection will be established with any remote gateway that meets your SpeedTouch VPN settings, regardless of its location in the public network. When this description best fits your VPN context, then the Remote Gateway Address Unknown
7. ipsec show

5.9 Traceconfig command. Chapter 5: Troubleshooting SpeedTouch IPSec via the CLI. Debug command group. The traceconfig command sets the level of debugging messages that are dumped to the screen. This is shown below:

  ipsec debug> traceconfig level <none|low|medium|high>
  ipsec debug> traceconfig level medium
  ipsec debug>

You can check the Phase 1 and Phase 2 specific information being exchanged during tunnel setup once you activate the tracing by pressing <CTRL-Q>. The trace shows a lot of very detailed protocol information exchanged during tunnel setup; each tunnel negotiation or rekeying echoes these traces on the screen. You can stop the trace listing by typing <CTRL-S>, and clear the message buffer by typing <CTRL-T>.

Via Syslog messages. The Syslog protocol is a powerful mechanism to investigate network issues: it logs events that occurred on the device. The Syslog messages can be retrieved in two ways.
  > Locally: use this CLI command to retrieve the history of Syslog messages:
    syslog msgbuf show
IPSec related syslog messages are disabled by default. Logging can be enabled or disabled by the following command:
  > ipsec
  ipsec> debug
  ipsec debug>
8. As the IPSec MIB is not standardized, a SpeedTouch proprietary IPSec MIB is available on the SpeedTouch Setup CD-ROM.

Ping command. Chapter 5: Troubleshooting SpeedTouch IPSec. Pinging from the SpeedTouch to the remote private network. To verify that an IPSec tunnel is active you can use the ip debug ping CLI command of the SpeedTouch. With this command you can send ping messages from the SpeedTouch to an IP address in the remote private network.

Adapting the routing table. Sending messages that originate from the SpeedTouch itself through an IPSec tunnel requires some adaptations to the SpeedTouch routing table: in general this kind of traffic does not comply with the traffic policy of the VPN tunnel, so the routing table has to be adapted, which can only be done via the Command Line Interface (CLI). Proceed as follows:

  1. Add a route to the remote private network, explicitly specifying the local LAN interface as the source interface in the route definition. Example:
     ip rtadd dst 20.0.0.0/24 intf ipsec0 srcintf lan1
  2. Set the local private IP address of the SpeedTouch as the primary IP address. Example:
     ip ipconfig addr 10.0.0.254 primary enabled
9. Contents (excerpt):
  Connection (Phase 2) ... 20
  Network descriptor ... 21
  3 Configuration via Local Pages ... 23
  3.1 LAN to LAN Application ... 25
  3.1.1 Remote Gateway Address Known Page ... 27
  3.1.2 Remote Gateway Address Unknown Page ... 35
  3.1.3 Connections Page ... 47
  3.2 VPN Client ... 51
  3.2.1 VPN Client Page ... 52
  3.2.2 Starting the VPN Client Connection ... 59
  3.2.3 Closing a Connection ... 62
  3.3 VPN Server ... 63
  3.3.1 VPN Server Page ... 64
10. Confirm Secret. Use Certificate Authentication. IKE Security Descriptors: Descriptor: AES_SHA1; Specify Additional Descriptors. Miscellaneous: Inactivity Timeout (seconds): 3600. Marked items are mandatory.

  Local ID | Remote ID | Local Network | Remote Network | State (empty table). Use the fields below to add a new entry.
  Identification & Interface: Local ID Type: unset; Local ID; Remote ID Type; Remote ID; Primary Untrusted Physical Interface.
  Marked items are mandatory.

The Identification & Interface parameters are described below.

Chapter 3: Configuration via Local Pages. Identification & Interface. The Identification & Interface fields have to be filled out with the following information:
  > Local ID Type and Local ID: the Local ID identifies the local SpeedTouch during the Phase 1 negotiation with the remote Security Gateway. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch are listed in the table below.
  > Remote ID Type and Remote ID: the Remote ID identifies the remote Security Gateway during the Phase 1 negotiation. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity types supported
11. In a VPN scenario you need ProxyARP at both sides when the local and remote private network address ranges overlap. Because the SpeedTouch is basically a router, you need to emulate some bridging functions if the address ranges at both ends of the VPN tunnel overlap. The main issue is that ARP messages are not propagated across a router. If a host at one side of the tunnel wants to reach a host at the remote side, it sends an ARP request, because the destination address lies in its local address range. The Security Gateway has to answer that ARP request as a proxy, and to do so a ProxyARP entry is needed in the ARP table.

The SpeedTouch supports ProxyARP. This technique allows two networks with overlapping IP ranges to be connected using an IPsec tunnel: the SpeedTouch, acting as a Security Gateway, replies to ARP who-has requests for IP addresses belonging to the remote network, and the IPsec policies take care that packets destined for the remote network are indeed forwarded through the IPsec tunnel. When the IKE Mode Config mechanism is used to establish the tunnel (client/server scenario), the ProxyARP entries are automatically added to the ProxyARP table of the SpeedTouch. In all other cases the user has to add the ProxyARP entries manually.

At the time of writing, the SpeedTouch can reliably forward every packet type through the IPsec tunnel except limited broadcasts (IP destination 255.255.255.255).
12. Interface, then a new incoming VPN connection on a backup interface is not accepted. The SpeedTouch VPN server has no mechanism for re-routing active VPN connections to a backup physical interface. Even if your SpeedTouch is equipped with an ISDN backup interface, all active VPN connections are lost when the primary interface of the VPN server fails. The overall network topology determines whether a VPN client is capable of reaching the backup interface of the SpeedTouch VPN server; it is the responsibility of the VPN client to set up a new VPN connection.

Inactivity Timeout. When no traffic is detected at the peer for a certain period, it is decided that the tunnel is no longer used and the IKE session is terminated. All IPSec connections supported by the IKE session are terminated as well. This option sets the value of the inactivity timer. Inactivity Timeout default value (seconds): 3600.

VPN Server settings. Chapter 3: Configuration via Local Pages. Comprises the following settings:
  > Virtual IP Range: specifies the range of IP addresses from which the VPN client addresses are selected. An address range (for example 10.20.30.5-50) or a subnet can be entered for this parameter.
  > Netmask: specifies the netmask provided to the VPN client, in dotted decimal format, for example 255.255.255.0.
  > Push IP
13. Please retype secret for verification.
  secret: ********
  ipsec peer auth modify name secret1 type preshared secret DEV CE84DC8 OFO7F679B
  ipsec peer auth>

Pressing the TAB key when a user entry is required displays the valid entries.

4.2.5 delete command. Chapter 4: Configuration via the Command Line Interface. Delete an Authentication attribute. The ipsec peer auth delete command deletes a previously created authentication attribute. In the following example the authentication attribute named secret2 is deleted:

  ipsec peer auth>
  ipsec peer auth> delete name
  cert1 secret2
  name secret2
  ipsec peer auth delete name secret2
  ipsec peer auth>

The result of this operation can be verified with the list command:

  ipsec peer auth> list
  cert1    Authtype: cert
  secret1  Authtype: preshared  Secret: ********
  ipsec peer auth>

4.3 Peer Security Descriptor. What is it: all security parameters required to establish an IKE session are grouped into a string called a Peer Security Descriptor. This descriptor contains the methods for message authentication, encryption and hashing, and the lifetime of the Security Association. The Peer Security De
14. Remote ID: siteBid. Primary Untrusted Physical Interface: Internet. Marked items are mandatory. Buttons shown: Stop All Connections to this Gateway, Apply, New Gateway, New Connection to this Gateway, Statistics.

Chapter 3: Configuration via Local Pages. Buttons. You can use one of the following buttons:
  Stop All Connections to this Gateway: stop all VPN connections to the selected remote Security Gateway.
  Apply: apply modifications made to the settings of the selected remote Security Gateway.
  Delete: delete the selected remote Security Gateway.
  New Gateway: start defining a new remote Security Gateway.
  New Connection to this Gateway: start defining a new connection to the selected remote Security Gateway.
  Status: show the operational status of the connections to the selected remote Security Gateway. The status is shown at the bottom of the page.
  Statistics: show the traffic carried by the VPN connections to the selected remote Security Gateway. The data are shown at the bottom of the page.

3.1.3 Connections Page. Page layout. When you click New Connection to this Gateway, the following fields are revealed: Local Trusted Network Type: unset; Local Trusted Network IP; Remote Trusted Network Type: unset; Remote Trusted Network IP
15. Set of Server Vendor specific parameters, on page 58. When the VPN server uses the Extended Authentication protocol, you fill out your Username and Password in the optional fields Extended Authentication Username and Extended Authentication Password.

3.2.3 Closing a Connection. Disconnect procedure. At the bottom of the VPN Client Connection Configuration page all active VPN connections are shown in a table with the columns Client Id, Virtual IP and Remote Network (in the example shown, a client with Virtual IP 10.0.2.9 and Remote Network "subnet any"). Select the connection you want to terminate and click Disconnect. The secure connection is closed and removed from the list of active connections.

VPN Server. VPN context: selecting the VPN server application; outline of a VPN server configuration procedure. Chapter 3: Configuration via Local Pages. In a VPN client/server scenario the VPN server is always the responder in the IKE negotiations. Various VPN clients can dial in to a VPN server, since it supports multiple simultaneous VPN connections. A VPN server does not know a priori which remote Security Gateway will attempt to set up a VPN connection; in time, new users may join the VPN. It is an advantage that the SpeedTouch VPN server requires no modifications to its
16. On expiration of this period, re-keying occurs. Lifetime (kbytes): the maximum data volume transported before re-keying occurs. Name: internal symbolic name to identify the Connection Descriptor.

The table below shows the cryptographic functions supported by the SpeedTouch along with their valid key lengths:

  Algorithm | Valid key lengths (bits)
  DES       | 56 (fixed)
  3DES      | 168 (fixed)
  AES       | 128, 192, 256

DES is relatively slow and is the weakest of the algorithms; although it was long the industry standard, its 56-bit key is within reach of brute force and it should not be used for new deployments. 3DES is a stronger version of DES but is the slowest of the supported algorithms for a comparable key length. AES is the encryption standard selected by the American government (NIST) to replace DES and 3DES. It is recommended to use AES, since it is the most advanced of the supported encryption methods.

NULL encryption: the message is not encrypted. Selecting NULL encryption achieves authentication without encryption, equivalent to the use of the Authentication Header (AH), which is no longer supported from Release R5.3.0 onwards. In addition, NULL encryption may be useful for testing purposes, since the messages on the communication link can be interpreted; message authentication remains active. Never leave NULL encryption in a production descriptor, as every payload crosses the public network readable.

Chapter 3: Configuration via Local Pages. Integrity; Encapsulation; PFS; Lifetime (secs); Lifetime (kbytes). Hashing algorithm: the SpeedTouch supports two types of hashing algorithms. HMAC is always used as the integrity algorithm, comb
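The algorithm guidance above (DES weakest, 3DES slowest, AES recommended with a 128/192/256-bit key, NULL encryption only for testing, HMAC always used for integrity) is the kind of thing a practitioner wants to check mechanically before a descriptor goes live. The following audit is an added example written for this page; it is not SpeedTouch code, the field names of ConnDescriptor only loosely mirror the CLI parameter table, the severity wording and the PFS finding are the author's assessment, and the sample descriptors are constructed.

```python
"""Audit a Connection Security Descriptor against the guidance in this section.

Added example; not vendor code.  Field names and the findings' wording are
this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional

AES_KEY_LENGTHS = {128, 192, 256}
# DES and 3DES have no selectable key length; listed for reference only.
FIXED_KEY_LENGTH = {"DES": 56, "3DES": 168}


@dataclass(frozen=True)
class ConnDescriptor:
    name: str
    crypto: str               # "AES", "3DES", "DES" or "NULL"
    keylen: Optional[int]     # only meaningful for AES
    integrity: str            # "HMAC-SHA1" or "HMAC-MD5"
    pfs: bool                 # Perfect Forward Secrecy on the Phase 2 SA


def audit(d: ConnDescriptor) -> list[str]:
    """Return a list of findings; an empty list means nothing to object to."""
    findings: list[str] = []
    crypto = d.crypto.upper()
    if crypto == "NULL":
        findings.append("NULL: no confidentiality; acceptable only for testing")
    elif crypto == "DES":
        findings.append("DES: 56-bit key, weakest option; replace with AES")
    elif crypto == "3DES":
        findings.append("3DES: slowest option at comparable strength; prefer AES")
    elif crypto == "AES":
        if d.keylen not in AES_KEY_LENGTHS:
            findings.append(f"AES: key length {d.keylen} not valid; use 128, 192 or 256")
    else:
        findings.append(f"{d.crypto}: unsupported cryptographic function")
    if crypto in FIXED_KEY_LENGTH and d.keylen not in (None, FIXED_KEY_LENGTH[crypto]):
        findings.append(f"{crypto}: key length is fixed at {FIXED_KEY_LENGTH[crypto]} bits")
    integrity = d.integrity.upper()
    if integrity == "HMAC-MD5":
        findings.append("HMAC-MD5: prefer HMAC-SHA1 where the remote peer supports it")
    elif integrity != "HMAC-SHA1":
        findings.append(f"{d.integrity}: HMAC is the only supported integrity construction")
    if not d.pfs:
        # Without PFS the Phase 2 keys derive from the Phase 1 keying material,
        # so one recovered IKE key exposes every tunnel key derived from it.
        findings.append("PFS disabled: a recovered IKE key exposes the Phase 2 keys")
    return findings


def hardened(d: ConnDescriptor) -> ConnDescriptor:
    """The same descriptor with the choices this section recommends."""
    return replace(d, crypto="AES", keylen=256, integrity="HMAC-SHA1", pfs=True)


# Constructed samples: a legacy descriptor and a recommended one.
LEGACY = ConnDescriptor("legacy", "DES", None, "HMAC-MD5", False)
RECOMMENDED = ConnDescriptor("aes256", "AES", 256, "HMAC-SHA1", True)

if __name__ == "__main__":
    for d in (LEGACY, RECOMMENDED, hardened(LEGACY)):
        print(d.name, "->", audit(d) or "ok")
```

Run it against every descriptor before the peer goes live; the hardened() output is what you would key into the Connection Security Descriptor fields, provided the remote gateway supports AES and SHA1.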
17. Connection statistics as shown on the page (counter names only; the values are not legible):
  hash algo, DH group
  ike in pkts, ike in bytes, ike in drop pkts, ike out pkts, ike out bytes, ike out drop pkts
  ike in exchanges, ike invalid in exchanges, ike rejected in exchanges, ike in delete requests
  ike out exchanges, ike invalid out exchanges, ike rejected out exchanges, ike out delete requests
  ike in mode cfg requests, ike in rejected mode cfg requests, ike out mode cfg requests, ike out rejected mode cfg requests
  negotiated phase 2 pairs
  connection: index, state READY ALWAYS ON, SPIs, lifetime, protocol ESP, enc algo DES, auth algo HMAC MD5, pfs no
  ipsec in bytes, ipsec in packets, ipsec in decrypt packets, ipsec in auth packets, ipsec out bytes, ipsec out packets, ipsec out crypt packets, ipsec out auth packets
  ipsec in drops, ipsec in replay drops, ipsec in auth failed drops, ipsec in decrypt failed drops, ipsec out drops, ipsec out auth failed drops, ipsec out crypt failed drops

... session is active while the other peer has not established a session. This is a flaw inherent to the IPSec protocol. If you suspect such a situation, you can use the button Tear Down All Tunnels to clear all tunnels. The IKE negotiations may le
18. Primary WINS: 10.60.11.100. Secondary WINS: 10.60.11.101. Domain: clients. XAuth Pool: pool1.
  ipsec peer vpnserver>

Chapter 6: Advanced Features. 6.6.5 delete command. Delete an xauthpool entity. The ipsec peer vpnserver xauthpool delete command deletes an XAuth pool. Example: in this example the pool named pool1 is deleted.

  ipsec peer vpnserver xauthpool> delete name pool1
  ipsec peer vpnserver xauthpool delete name pool1
  ipsec peer vpnserver xauthpool>

The result of this operation is verified with the list command:

  ipsec peer vpnserver xauthpool> list
  ipsec peer vpnserver xauthpool>

6.6.6 Parameters table. XAuth User parameters. The following table shows the XAuth User parameters:
  Parameter | Keyword
  User name | username
  Password  | password

6.6.7 adduser command. Chapter 6: Advanced Features. Create a new XAuth user. A new XAuth user is created with the ipsec peer vpnserver xauthpool adduser command. In the following example the pool named pool1 is populated with a new XAuth user named user1:

  > ipsec
  ipsec> peer
  ipsec peer> vpnserver
  ipsec peer vpnserver> xauthpool
  ipsec peer vpnserver xauthpool> adduser poolname pool1
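The VPN server section earlier on this page says XAuth credentials are checked against an internal user list and that two authentication types exist, generic and chap; the xauthpool commands here are how that list is populated. The following added example (written for this page, not SpeedTouch code) shows what the two checks look like server-side for a pool in that shape. The generic check compares the password the client sent; the chap check follows RFC 1994 (response = MD5(id || secret || challenge)), which is an assumption about what the SpeedTouch "chap" type does, not a statement the guide makes. Pool name, user name and password are constructed.

```python
"""XAuth user verification for an xauthpool-shaped user list: generic vs chap.

Added example; not vendor code.  The chap variant implements RFC 1994 CHAP
(MD5) and is an assumption about the SpeedTouch 'chap' XAuth type.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Internal user list in the shape of an XAuth pool: pool name -> {username: password}
# (constructed sample; mirrors "adduser poolname pool1 ... username user1").
POOLS: dict[str, dict[str, str]] = {
    "pool1": {"user1": "correct horse battery staple"},
}


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: the client proves it knows the secret
    without ever putting the secret itself on the wire."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


def new_challenge() -> bytes:
    """Fresh, unpredictable challenge: a captured response cannot be replayed."""
    return secrets.token_bytes(16)


def verify_generic(pool: str, username: str, password: str) -> bool:
    """Generic XAuth: the client sends the password; compare in constant time."""
    stored = POOLS.get(pool, {}).get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def verify_chap(pool: str, username: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """chap XAuth: recompute the expected response from the stored secret."""
    stored = POOLS.get(pool, {}).get(username)
    if stored is None:
        return False
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


def chap_exchange(pool: str, username: str, password_at_client: str, ident: int = 1):
    """Both sides of one chap round: server issues a challenge, client answers,
    server verifies.  Returns (accepted, challenge, response)."""
    challenge = new_challenge()                                  # server -> client
    response = chap_response(ident, password_at_client, challenge)  # client -> server
    return verify_chap(pool, username, ident, challenge, response), challenge, response


if __name__ == "__main__":
    print("generic ok:", verify_generic("pool1", "user1", "correct horse battery staple"))
    ok, ch, resp = chap_exchange("pool1", "user1", "correct horse battery staple")
    print("chap ok:", ok, "replay with new challenge:", verify_chap("pool1", "user1", 1, new_challenge(), resp))
```

Both variants run inside the already-encrypted IKE session, so the difference is not wire secrecy but what the server and its logs ever see: with chap the password never leaves the client, and a captured response is useless against a later challenge.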
19. Chapter 3: Configuration via Local Pages. 3.2.1 VPN Client Page. Initial page. When you click VPN > VPN Client, the following page is displayed.

  VPN Server Address | Remote Trusted Network | Start Mechanism (empty table). Use the fields below to add a new entry:
  Server IP Address or FQDN
  Backup Server IP Address or FQDN
  IKE Authentication: Use Preshared Key Authentication; Use Certificate Authentication
  Choose Start Mechanism (automatic or manual): Use Automatic Start (Always On); Use Manual Dialup
  Optional Remote Network (if not set by VPN server)
  IKE Security Descriptor: unset
  IPSec Security Descriptor: unset
  Exchange Mode: aggressive
  Server Vendor: unset
  Primary Untrusted Physical Interface: any
  Virtual IP Mapping: unset
  Remote Network Type: unset
  Remote IP
  Marked items are mandatory.

The page contains a number of buttons and fields to complete. It is recommended to fill out the page from top to bottom. When you click a button, the page layout changes, revealing other fields and buttons. More inf
20. Extended Authentication Password. Use Manual Dialup.

Caution: interworking with a Nortel VPN server is possible only when IKE authentication is done via certificates. Pre-shared key authentication cannot be used on an IPSec connection between a SpeedTouch VPN client and a Nortel VPN server.

Chapter 3: Configuration via Local Pages. Local LAN IP Range. In this field you configure the local access policy; in other words, you define which IP range of local terminals has access to the VPN. You can specify a single IP address, a subnet or a range:
  a single IP address: 10.0.0.15
  a single IP subnet: 10.0.0.0/24
  a contiguous IP address range: 10.0.0.5-10.0.0.56, or in short form 10.0.0.5-56

Set of Server Vendor specific parameters. When the Preshared Key method was selected as the IKE Authentication method, some Server Vendor specific fields must be filled out for the Automatic Start mechanism.
  For a generic VPN server: My email address. You have to fill out your e-mail address; this e-mail address (User FQDN) is used as the local identity of the VPN client. Caution: when building a VPN with multiple SpeedTouch devices configured as VPN client at different locations, you must take care to configure a unique e-mail address in each VPN client, because the VPN server uses the e-mail address as the identifier to bind an IP address to the VPN client.
  For a Cisco VPN server: Group ID. You have to
21. The Connection Security Descriptor parameters are explained in section 4.5.1. A Connection Security Descriptor is required as one of the parameters to successfully create an operational Connection; the Connection refers to the Connection Security Descriptor by its symbolic name. A number of Connection Security Descriptors are pre-configured in the SpeedTouch. The user can modify these descriptors or define additional descriptors to fit his requirements.

The following topics are discussed in this section:
  4.5.1 Connection Security Descriptor parameters
  4.5.2 List all Connection Security Descriptors
  4.5.3 Create a new Connection Security Descriptor
  4.5.4 Set the Connection Security Descriptor parameters
  4.5.5 Delete a Connection Security Descriptor

Chapter 4: Configuration via the Command Line Interface. 4.5.1 Connection Security Descriptor parameters. Parameters table. The following table summarizes the parameters comprised in the Connection Security Descriptor and indicates the keyword used in the CLI for each parameter:
  Descriptor name (name): internal symbolic name of the descriptor.
  Cryptographic function: the cryptographic function to be used for the IPSec Security Association.
  Key length: length of the cryptographic key for the AES encryption algorithm.
  Message authentication: the integrity algorithm.
  Perfect Forward Secrecy: selects the use of Perfect Forward Secrecy.
  IPSec SA lifetime: the lifetime of the IPSec Security
22. VPN Server page layout:
  IPSec Security Descriptors: Descriptor; Specify Additional Descriptors
  Miscellaneous Settings: Exchange Mode: aggressive; Primary Untrusted Physical Interface: any; Inactivity Timeout (seconds): 3600
  VPN Server Settings: Virtual IP Range; Netmask; Push IP; Domain Name; Primary DNS IP Address; Secondary DNS IP Address; Primary WINS IP Address; Secondary WINS IP Address; XAuth: unset
  Local Trusted Network open to Remote Clients: unset; Specify Additional Networks
  IKE Authentication: Use Preshared Key Authentication; Use Certificate Authentication
  IKE Security Descriptors: Descriptor: unset; Specify Additional Descriptors
  Marked items are mandatory.

The page contains a number of buttons and fields to complete. It is recommended to fill out the page from top to bottom. When you click a button, the page layout changes, revealing other fields and buttons. More information about the various fields and buttons is found below.

Chapter 3: Configuration via Local Pages. Buttons. You can use one of the following buttons:
  Specify Additional Networks: reveal additional fields where you can specify additional descriptors for the local network open to remote terminals via a VPN connection.
  Use Preshared Key Auth
23. Main Mode initial page. When you click Main Mode, the following page is displayed:
  IKE Authentication: Use Preshared Key Authentication; Use Certificate Authentication
  IKE Security Descriptors: Descriptor: unset; Specify Additional Descriptors
  Miscellaneous: Inactivity Timeout (seconds): 3600
  Marked items are mandatory.
  Local ID | Remote ID | Local Network | Remote Network (empty table)

By clicking a button the page layout changes, revealing other fields and buttons. More information about the various fields and buttons is found below.

Buttons. You can use one of the following buttons:
  Use Preshared Key Authentication: reveal the additional parameter fields required for the configuration of Preshared Key Authentication.
  Use Certificate Authentication: reveal the additional parameter fields required for the configuration of Certificate Authentication.
  Specify Additional Descriptors: reveal additional fields where you can specify alternative IKE Security Descriptors.
  The confirm button confirms the IKE Authentication, IKE Security Descriptors and Miscellaneous parameters and reveals the additional parameters needed to complete the remote Security Gateway profile.

IKE Security Descriptors. The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase 1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch and can be selected from a list. Select a Security Descriptor in compli
24. Chapter 3: Configuration via Local Pages. When you click VPN > Advanced > Connections, the Connection Profiles page is displayed.

  Connection | Peer | Local Network | Remote Network | Descriptors | Options | Client | State (empty table). Use the fields below to add a new entry:
  Connection name
  Peer name: unset
  Local network: unset
  Remote network: unset
  Always on (check box)
  Descriptor 1: unset; Descriptor 2: unset; Descriptor 3: unset; Descriptor 4: unset
  Options: unset
  Connection enabled (check box)

Advanced > Connections sub pages. The Connections page gives access to the following sub pages: Connection Profiles Page (3.5.8, on page 91); Network Descriptors Page; Connection Options Page (3.5.11, on page 99). All connection parameters explained in the CLI configuration method can be filled out in these pages. The parameters of the various sub pages are combined in a Connection Profile, which completely defines a connection.

3.5.1 Peer Profiles Page. Peer Profiles page layout. The Peer Profiles page bundles all parameters that define a Peer:
  Peer | Remote Address | Local Id | Remote Id | Client/Server (empty table). Use the fields below to add a new entry:
  Peer name
  Remote address
  Backup remote address
  Local ID type
25. SpeedTouch 2 will never be able to initiate outgoing connections, as it does not know any IP address of a remote peer. It can operate in responder mode only.

Chapter 6 Advanced Features
6.8 Multiple tunnels
One Peer, Multiple Connections: In order to set up a Phase 2 tunnel, a Phase 1 (IKE) tunnel is required first. Via this Phase 1 tunnel the signalling messages negotiating the Phase 2 tunnel are transferred.

    [Figure: Phase 1 IKE tunnel IKE1 between SpeedTouch620 1 and SpeedTouch620 2, carrying Phase 2 tunnel conn1 and Phase 2 tunnel conn2]

The SpeedTouch allows setting up several Phase 2 tunnels all using a common Phase 1 tunnel. The configuration example below shows how a single peer has various connections attached to it. Traffic originating from network 10.0.0.0/8 will be sent in one of the Phase 2 tunnels, depending on the destination IP address. If no IPSec policy match is found, the packet is sent unencrypted.

    ipsec connection> network
    ipsec connection network> list
      range   10.60.11.20-30
      address 10.50.2.22
      subnet  10.50.2.128/25
    ipsec connection network>
    ipsec connection> list
    connect1  Peer | Local network | Remote network | Always on | Descriptors | Options | State
    connect2  Peer | Local network | Remote network | Always on | Descriptors | Options | State
    ipsec connection>
    connect1  rempeer2  n1  n2  disabled  AES HMAC MD5
26. About this IPSec Configuration Guide
E-DOC-CTC-20051017-0169 v1.0

Abstract: This document explains the IPSec functionality of the SpeedTouch Release R5.4 and higher. A brief theoretical explanation is provided where needed, but the main goal of this document is to be a practical guide.

Applicability: This configuration guide applies to the following SpeedTouch products:
- The SpeedTouch 608/608WL Wireless Business DSL Routers, Release R5.4 and higher
- The SpeedTouch 620 Wireless Business DSL Routers, Release R5.4 and higher

Note: In some SpeedTouch products the IPSec VPN features are bundled in an optional VPN software module. An optional VPN module is activated with a VPN software activation key. By default this key is not installed. If you want to use the SpeedTouch VPN features and the VPN software module is not activated on your SpeedTouch, please contact your local dealer. Activating the VPN software module is described in the SpeedTouch Operator's Guide.

Symbols: The following symbols are used in this IPSec Configuration Guide:
- A note provides additional information about a topic.
- A tip provides an alternative method or shortcut to perform an action.
- A caution warns you about potential problems or specific precautions that need to be taken.

Terminology: Generally, the SpeedTouch 608 (WL) or SpeedTouch 620 will be referred to as SpeedTouch in this IPSec Conf
27. (continuation of the connection list)

    ...  TUNNEL  <unset>  enabled
    connect2  rempeer2  n1  n3  disabled  NullEnc HMAC SHA1 TUNNEL  <unset>  enabled

Note: The IPSec descriptors of the two Phase 2 configurations may be different.

E-DOC-CTC-20051017-0169 v0.1

Chapter 6 Advanced Features
6.9 Peer Options
The peer options alter the behaviour of the VPN network. Options to be applied to Peer entities are stored in named Option Lists. An Option List contains the following options:

Options list:
- Local Address (local addr): Address used as source address for tunnelled messages.
- NAT Traversal (NAT-T): Enables or disables NAT Traversal.
- Dead Peer Detection: Enables or disables Dead Peer Detection.
- DPD Idle Period (dpd_idle_period): Worry period of the Dead Peer Detection protocol.
- DPD number of Transmits (dpd_xmits): Number of attempts for sending R-U-THERE messages.
- DPD Timeout (dpd_timeout): Timeout period for R-U-THERE messages.
- Tunnel inactivity timeout (inactivity): IKE session timeout period.

Local Address: When multiple IP addresses are assigned to the SpeedTouch, this option can force a specific address to be used as the IP source address for the messages transmitted by the peer. This setting has priority over the routing table entries. Valid values are all IP addresses assigned to the SpeedTouch, regardless of the interface the IP address is assigned to. Normally only the use of a bl
28. ... be configured using the IPSec policy commands. By default, policy rules are automatically generated when the IPSec connection is created, and the user does not need to execute extra commands.

A set of rules defines whether a packet has to pass through a secure tunnel or not. These rules are expressed in terms of IP addresses, protocols and/or ports that have access to the secure connections. The user specifies and configures a general policy in function of his overall security policy and the VPN network topology.

In a static network environment with fixed IP addresses, the policy can be completely defined and specific rules can be expressed in the configuration. In a more dynamic network environment, where IP addresses are dynamically assigned or where terminals may connect from various unknown locations, it may be impossible to express a specific policy in the router configuration. In order to cope with this situation, the SpeedTouch allows expressing a general policy in the configuration. This general policy may include some placeholders for information that becomes available only during the Security Association negotiations. The specific policy rules are automatically derived from the general policy and the outcome of the negotiations.

Chapter 2 SpeedTouch IPSec terminology
(margin labels: Peer, What is, IKE session, Descriptor, IPSec Descriptor) securi
29. ... by a keyword present in the SpeedTouch. When the IPSec policy is expressed as a static policy, a Network Descriptor describes the local and remote private networks. As a consequence, some valid Network Descriptors must be defined prior to the successful definition of a Connection. When using a dynamic policy, the networks are described by keyword (see section 4.7.1).

In this section: The following topics are discussed in this section:
- 4.7.1 Connection Parameters (page 142)
- 4.7.2 List all Connections (page 145)
- 4.7.3 Create a New Connection (page 146)
- 4.7.4 Set or Modify the Connection Parameters (page 147)
- 4.7.5 Delete a Connection (page 148)
- 4.7.6 Start a Connection (page 149)
- 4.7.7 Stop a Connection

Chapter 4 Configuration via the Command Line Interface
4.7.1 Connection Parameters
Parameters table: The table below shows the connection parameters.

Connection parameters:
- Connection name: Mandatory. Symbolic name for the connection, used internally in the SpeedTouch.
- Peer (peer): Mandatory. Symbolic name of the peer entity to which the IPSec connection is set up.
- Local network (localnetwork): Mandatory. The private local IP network that has access to the IPSec connection.
- Remote network (remotenetwork): Mandatory. The private remote IP network that has access to the IPSec connection.
- Always on (alwayson): Mandatory. The permanent character of the connection can be enabled or disabled.
- Descriptors (descr): Mandatory. Symbolic name of the Connection Secu
30. ... configuration when new clients are added to the VPN. The SpeedTouch can establish a secure connection with any Remote Gateway that meets the VPN settings, regardless of its location in the public network. The use of the Extended Authentication protocol can optionally be configured. In this case a list of authorized users is composed and stored in the SpeedTouch.

In Expert Mode, click VPN > VPN Server. The VPN Server Configuration page appears, which combines all VPN server settings on a single Web page.

Procedure: Perform the following steps to configure your VPN server:
1. In Expert Mode, select the VPN Server Web page from the VPN menu.
2. Fill out the various parameter fields in the VPN Server Web page.
3. Select the IKE Authentication method. Either Preshared Key or Certificate Authentication can be selected.
4. Click Apply to confirm the data and Save All to make the configuration permanent.
5. (Optional) If you use the Extended Authentication protocol, you have to compose an authorized users list.

The configuration pages you encounter during this procedure are described in detail below.

Chapter 3 Configuration via Local Pages
3.3.1 VPN Server Page
Initial page: When you click VPN > VPN Server, the following page is displayed:

    Administrator   Home > VPN > VPN Server
    SpeedTouch Type | IP Router | ...
    IKE Authentication
    Local Networking
    IKE Security Descriptors
      Descriptor:
31. Contents (continued)
- 5.3 Via the CLI Debug Command group ... 167
- 5.4 Via SNMP ... 170
- 5.5 Pinging from the SpeedTouch to the remote private network ... 171
- 6 Advanced Features ... 173
- 6.1 IPSec and the Stateful Inspection Firewall ... 174
- 6.2 Surfing through the VPN tunnel ... 175
- 6.3 Extended Authentication (XAuth) ... 176
- 6.4 VPN Client ... 177
- 6.4.1 VPN Client parameters ... 178
- 6.4.2 Create a new VPN Client ... 179
- 6.4.3 Set or modify the vpnclient parameters ... 180
- 6.4.4 Attach the vpnclient entity to the peer entity ... 181
- 6.5 VPN Server ... 182
- 6.5.1 VPN Server parameters ... 183
- 6.5.2 Create a new VPN Server
32. Chapter 3 Configuration via Local Pages
IKE Security Descriptors: The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase 1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch and can be selected from a list. Select a Security Descriptor in compliance with the IKE security parameters configured in the remote Security Gateway. For example, the pre-configured IKE Security Descriptor AES_MD5, used in various examples throughout this document, contains the following settings:

    Parameter                    Value for AES_MD5
    Cryptographic function       AES
    Hash function                HMAC-MD5
    Diffie-Hellman group         MODP768 (group 1)
    IKE SA lifetime in seconds   3600 seconds (1 hour)

The contents of the IKE Security Descriptors can be verified via Advanced > Peers > Security Descriptors.

Tip: It is recommended to use AES as the preferred encryption method. AES is more advanced compared to DES or 3DES. It is faster for comparable key lengths and provides better security.

Page layout with additional Descriptors: When you click Specify Additional Descriptors, the IKE Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IKE Security Descriptors:

    IKE Security Descriptors
      Descriptor:   unset
      Descriptor 2: unset
      Descriptor 3: unset
      Descriptor 4: unset

These will be used as alterna
33. ... for any remote IP address to initiate a secure tunnel.

Example: IPSec connection applying the default peer concept

SpeedTouch 1 IPSec peer configuration:

    ipsec peer> add name=rempeer2
    ipsec peer add name=rempeer2
    ipsec peer> modify name=rempeer2
      remoteaddr = 40.0.0.2
      backupaddr =
      exchmode   = main
      localid    =
      remoteid   = addr 40.0.0.2
      phyif      = DIALUP_PPPOE
      descr      = AES_MD5
      auth       = secret1
      client     =
      server     =
      options    =
    ipsec peer modify name=rempeer2 remoteaddr=40.0.0.2 remoteid=addr 40.0.0.2
    ipsec peer>

Note: The parameter localid can remain either unset, or an identifier type can be used that is independent of the IP address, such as the userfqdn.

SpeedTouch 2 IPSec peer configuration:

    ipsec peer> add name=rempeer1
    ipsec peer add name=rempeer1
    ipsec peer> modify name=rempeer1
      remoteaddr = 0.0.0.0
      backupaddr =
      exchmode   = main
      localid    = addr 40.0.0.2
      remoteid   =
      phyif      = DIALUP_PPPOE
      descr      = 3DES_MD5
      auth       = secret1
      client     =
      server     =
      options    =
    ipsec peer modify name=rempeer1 remoteaddr=0.0.0.0 exchmode=main phyif=DIALUP_PPPOE descr=3DES_MD5 auth=secret1
    ipsec peer>

Note: The parameter remoteid remains unset. Any value will be accepted during the Phase 1 negotiation.

When configured with a default peer, the
34. (continuation of an authentication attribute listing)

    ipsec peer auth> list
    cert1    Authtype: cert
    secret2  Authtype: <unset>
    secret1  Authtype: preshared
    ipsec peer auth>

Chapter 4 Configuration via the Command Line Interface
4.2.3 Create a New Authentication Attribute
add command: The ipsec peer auth add command allows adding a new authentication attribute.

Example: In the following example a new authentication attribute is created, named secret1.

    ipsec> peer
    ipsec peer> auth
    ipsec peer auth> add name=secret1
    ipsec peer auth add name=secret1
    ipsec peer auth>

The result of this operation can be verified with the List command:

    ipsec peer auth> list
    secret1  Authtype: <unset>
    ipsec peer auth>

Chapter 4 Configuration via the Command Line Interface
4.2.4 Set or Modify the Authentication Attribute Parameters
modify command: The ipsec peer auth modify command allows modifying the authentication attribute parameters.

Example: In this example the parameters of the authentication attribute are set to use the pre-shared key authentication method. The secret password entered by the user is not shown in readable format on the screen. An encrypted version is shown instead.

    ipsec peer auth> modify name=secret1
      type (preshared | cert) = preshared
      secret = *****
35. ... in the SpeedTouch are listed in the table below:

    IP address   10.0.0.1
    name

Tip: If you encounter problems during the IKE negotiations, use the Debug > Logging page to verify that the Identity Type and Identity of the two peer Security Gateways correspond with each other.

Chapter 3 Configuration via Local Pages
Example of a completed page: The illustration below shows a completed page. The data in the various fields correspond with the VPN layout shown on page 25:
- Pre-shared key was selected as authentication method.
- keyid was selected for the local and remote identity.

After the page was completed, the remote gateway settings were added to the configuration by clicking Add. At the bottom of the screen additional buttons appear, which are explained below.

    [Aggressive Mode]  [Main Mode]
    IKE Authentication
      Preshared Secret:        Confirm Secret:        [Use Certificate Authentication]
    IKE Security Descriptors
      Descriptor: AES_SHA1                            [Specify Additional Descriptors]
    Miscellaneous
      Inactivity Timeout (seconds): 3600
    Items marked with are mandatory
    [Apply]  [Clear All]
    Local ID      | Remote ID     | Local Network | Remote Network | State
    keyid siteAid | keyid siteBid |               |                |
    Use the fields below to change the selected entry
    Identification & Interface
      Local ID Type:  keyid
      Local ID:       siteAid
      Remote ID Type: keyid
36. (end of a peer options listing)

    ... list
    ipsec peer options>

Chapter 6 Advanced Features
6.10 Connection Options
The connection options alter the behaviour of the VPN network. Options to be applied to Connections are stored in named Option Lists. An Option List contains the following options:

Options list:
- IPSec routing mode: selects routed or non-routed mode.
- Virtual interface (virtual_if): defines the Virtual Interface for a connection.
- Selects treatment of the Don't Fragment bit.
- Minimal MTU: minimal value for the MTU.
- Add route (add_route): enables or disables automatic addition of routes to the routing table.

IPSec routing mode: This parameter has two possible settings: routed and non-routed mode. Routed mode means that the packets are routed to the IPSec interface. This is the preferred mode of operation, which is valid for all possible scenarios. Non-routed mode simulates the behaviour of previous SpeedTouch IPSec implementations. In the present release it is recommended not to use the non-routed mode, because some scenarios are not supported in this mode.

Virtual interface: The SpeedTouch uses the concept of a Virtual Interface to implement the IPSec processing. By default the IPSec module uses the Virtual Interface named ipsec0. This interface is automatically created when IPSec is enabled. Firewall rules, for example, can be attached to virtual interfaces. In mo
37. ... of Peer Security Descriptors are pre-configured in the SpeedTouch. You can verify and modify the contents of the pre-defined Security Descriptors, or define your own Security Descriptors.

Parameters table: The following table summarizes the parameters comprised in the peer security descriptor:
- Name: Symbolic name to identify the Descriptor.
- Crypto: Cryptographic function used for encrypting the IKE messages.
- Integrity: Hashing function used for message authentication.
- Diffie-Hellman group: Diffie-Hellman group for key exchange.
- Lifetime (secs): The lifetime of the IKE Security Association. At expiration of this period, re-keying occurs.

Name: This name is used internally to identify the Peer Security Descriptor. This name appears in the Descriptor lists on the Peer Profiles page.

Chapter 3 Configuration via Local Pages
Crypto: The table below shows the encryption algorithms supported by the SpeedTouch, along with their corresponding key size:

    Algorithm   Valid key lengths (bits)
    (values not legible on this page)

- DES is relatively slow and is the weakest of the algorithms, but it is the industry standard.
- 3DES is a stronger version of DES, but is the slowest of the supported algorithms for a comparable key length.
- AES is the new encryption standard selected by the American government to replace DES/3DES. It is recommended to use AES, since it is the most advanced of the supported encryption methods.

Integrity: The SpeedTouch supports two types of hashing algorithms: H
38. ... or an IP subnet. If the proposal of the remote initiator does not exactly match the designated net, then the local responder does not establish a Security Association.
- one_of_<network name>: The proposal of the remote initiator must contain an IP address that lies within the range described by the symbolic network name in order to successfully set up the Security Association.
- subnet_of_<network name>: The proposal of the remote initiator must contain a subnet that lies within the range described by the symbolic network name in order to successfully set up the Security Association.
- subrange_of_<network name>: The proposal of the remote initiator must contain a subrange that lies within the range described by the symbolic network name in order to successfully set up the Security Association.
- black_ip: The proposal of the remote initiator must contain the public IP address of the SpeedTouch.

Chapter 6 Advanced Features
Remote match (remotematch): This setting is relevant in responder mode only. It is optionally filled out. In a basic configuration it is left unset. When unset, the SpeedTouch uses its dynamic IPSec policy capabilities to complete this field. The ipsec connection advanced command group allows manual control over this parameter.

The remotematch expresses the traffic policy for access to a remote private network in responder mode. It desc
39. (end of a peer listing)

    ipsec peer> ...  20.50.10.2  <unset>  DIALUP_PPPOE  main  addr 20.60.10.2  addr 20.50.10.2  AES_MD5  secret1
    VPN Client Descriptor: <unset>  client1

Chapter 6 Advanced Features
6.5 VPN Server
Introduction: In the previous section the SpeedTouch was used as a VPN client. The SpeedTouch can be used equally well as a VPN server. In this function it can be configured with an XAuth user pool to serve remote clients. In this section the VPN server commands are explained.

Chapter 6 Advanced Features
6.9.1 VPN Server parameters
Parameters table: The following table shows the VPN Server parameters.

VPN Server parameters:
- VPN server name (name): Mandatory. Symbolic name for the VPN server, used internally in the SpeedTouch.
- Push IP address (push_ip): Mandatory. Determines whether or not a client request for an IP address is awaited.
- VPN clients IP address range (iprange): Mandatory. IP address range for selecting a client IP address.
- Netmask (netmask): Mandatory. Netmask provided to VPN clients.
- Primary DNS server (primdns): Mandatory. IP address of the primary DNS server to be used by VPN clients.
- Secondary DNS server (secdns): Mandatory. IP address of the secondary DNS server to be used by VPN clients.
- Primary WINS server (primwins): Mandatory. IP address of the primary WINS server to be used by VPN clients.
- Secondary WINS server (secwins): Mandatory.
40. ... specify up to four alternative IKE Security Descriptors:

    IKE Security Descriptors
      Descriptor:   unset
      Descriptor 2: unset
      Descriptor 3: unset
      Descriptor 4: unset

These will be used as alternative valid proposals in the IKE negotiations.

IPSec Security Descriptors: The IPSec Security Descriptor bundles the security parameters used for the Phase 2 Security Association. A number of IPSec Security Descriptors are pre-configured in the SpeedTouch and can be selected from the pull-down menu. Select a Security Descriptor in function of your security requirements. The remote VPN clients must comply with the security parameters configured in the VPN server. In the example shown above, the pre-configured IPSec Security Descriptor called DES_MD5_TUN is selected. This descriptor contains the following settings:

    Parameter                              Example: DES_MD5_TUN
    Cryptographic function                 DES
    Hash function                          HMAC-MD5
    Use of Perfect Forward Secrecy         0
    IPSec SA lifetime in seconds
    IPSec SA volume lifetime in kbytes
    The ESP encapsulation mode

The contents of the IPSec Security Descriptors can be verified via Advanced > Connections > Security Descriptors.

When you click Specify Additional Descriptors, the IPSec Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IPSec Security Descriptors:

    IPSec Security Descriptors
      Descriptor:   unset
      Descriptor 2: unset
      Descriptor 3: unset
41. Chapter 6 Advanced Features
Local match (localmatch): This setting is relevant in responder mode only. It is optionally filled out. In a basic configuration it is left unset. When unset, the SpeedTouch uses its dynamic IPSec policy capabilities to complete this field. The ipsec connection advanced command group allows manual control over this parameter.

The localmatch expresses the traffic policy for access to the local private network in responder mode. It describes which IP addresses, address ranges or subnets at the local side have access to the Security Association. During the Phase 2 negotiations the proposals of the remote peer (initiator) are compared with the contents of the localmatch parameter. As a result, a local traffic selector is derived in compliance with the local and remote traffic policies.

The valid values for the localmatch parameter are limited to specific keywords, eventually followed by a network name:

    Keyword        Followed by
    exactly_       A symbolic name of a network descriptor defined in the
    one_of_        ipsec connection network command group
    subnet_of_
    subrange_of_

The meaning of the keywords is the following:
- exactly_<network name>: The proposal issued by the remote initiator must exactly match the network described by the symbolic network name. This network descriptor can designate an individual IP address, an IP address range
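The responder-side comparison that the localmatch and remotematch keywords describe (exactly_, one_of_, subnet_of_, subrange_of_ and black_ip) can be modelled in a few lines. The following is an added illustration written for this page, not SpeedTouch code. The descriptor names n1, n2 and n3 and their definitions are taken from the network list in the multiple-tunnel example earlier on this page (which descriptor carries which definition is not shown there and is assumed here), the public address 40.0.0.2 is the one used in the default-peer example, and the short range form "a.b.c.d-e" is an assumption about the CLI's notation.

```python
"""Responder-side check of a remote initiator's Phase 2 proposal against the
localmatch/remotematch keywords described on this page.  Added illustration,
not SpeedTouch code; descriptor names and the selector notation are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Selector:
    """A traffic selector expressed as a contiguous IPv4 span plus its kind."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    kind: str  # "address", "range" or "subnet"


def parse_selector(text: str) -> Selector:
    """Accept the three forms a Network Descriptor can take on this page:
    a single address, a range ("a.b.c.d-e" or "a.b.c.d-a.b.c.e") or a subnet."""
    if "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        return Selector(net.network_address, net.broadcast_address, "subnet")
    if "-" in text:
        lo, hi = text.split("-", 1)
        if "." not in hi:  # short form: only the last octet of the upper bound is given
            hi = lo.rsplit(".", 1)[0] + "." + hi
        return Selector(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi), "range")
    addr = ipaddress.IPv4Address(text)
    return Selector(addr, addr, "address")


def within(inner: Selector, outer: Selector) -> bool:
    """True when the whole span of `inner` lies inside the span of `outer`."""
    return outer.first <= inner.first and inner.last <= outer.last


def matches(keyword: str, proposal: Selector, networks: Dict[str, Selector], black_ip: str) -> bool:
    """True when the responder accepts `proposal` under the given match keyword.
    `networks` maps symbolic Network Descriptor names to selectors; `black_ip`
    is the SpeedTouch's own public address (used only for the black_ip keyword)."""
    if keyword == "black_ip":
        pub = ipaddress.IPv4Address(black_ip)
        return proposal.first == pub and proposal.last == pub
    for prefix in ("exactly_", "one_of_", "subnet_of_", "subrange_of_"):
        if keyword.startswith(prefix):
            ref = networks[keyword[len(prefix):]]
            if prefix == "exactly_":
                # exact span match; the selector kind is not compared (assumption)
                return proposal.first == ref.first and proposal.last == ref.last
            if prefix == "one_of_":
                return proposal.kind == "address" and within(proposal, ref)
            if prefix == "subnet_of_":
                return proposal.kind == "subnet" and within(proposal, ref)
            return proposal.kind == "range" and within(proposal, ref)  # subrange_of_
    raise ValueError(f"unknown match keyword: {keyword!r}")


# Constructed descriptor table, after the network list in the multiple-tunnel example.
NETWORKS = {
    "n1": parse_selector("10.60.11.20-30"),
    "n2": parse_selector("10.50.2.22"),
    "n3": parse_selector("10.50.2.128/25"),
}

if __name__ == "__main__":
    for kw, prop in [("exactly_n3", "10.50.2.128/25"), ("one_of_n1", "10.60.11.31"),
                     ("subnet_of_n3", "10.50.2.192/26"), ("subrange_of_n1", "10.60.11.22-28")]:
        verdict = "accepted" if matches(kw, parse_selector(prop), NETWORKS, "40.0.0.2") else "rejected"
        print(f"{kw:16} {prop:18} {verdict}")
```

The point the keywords make is that the responder never widens what the initiator asks for: a proposal is either accepted as-is or refused, so a selector that merely overlaps the descriptor (10.50.2.0/24 against n3, for instance) is rejected rather than clipped.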
42. Chapter 4 Configuration via the Command Line Interface
An example of Auto ProxyARP: As an example, suppose a VPN server is configured on a SpeedTouch with the subnet 192.168.1.0 as its private LAN address range. The VPN server is configured to distribute Virtual IP addresses to the remote clients in the same range: Virtual IP range 192.168.1.64-74. In this case a ProxyARP entry is automatically added to the ARP table of the SpeedTouch as soon as a VPN connection with a VPN client is established. The ARP table contents can be monitored with the command ip arplist:

    > ip arplist
    Interface   IP address        HW address          Type
    3 lan1      239.255.255.250   01:00:5e:7f:ff:fa   DYNAMIC
    3 lan1      192.168.1.64      00:0e:50:0f:fd:4c   PROXY
    3 lan1      192.168.1.100     00:0d:56:1d:f9:ba   DYNAMIC
    >

In the output shown above, the entry for 192.168.1.64 is the ProxyARP entry for the remote VPN client. The entry for 192.168.1.100 is a locally connected terminal that received its IP address from the SpeedTouch DHCP server.

If the VPN client is a SpeedTouch that uses the dhcp method as virtual IP mapping method (see Virtual IP mapping on page 55), then here too some ProxyARP entries are automatically added to the ARP table. Below you find the ARP table of the VPN client SpeedTouch of our example:

    > ip arplist
    Interface   IP address        HW address          Type
    2 lan1      239.255.255.250   01:00:5e:7f:ff      DYNAMIC
      lan1      10.0.0.1          00:0d:88:65:c
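A practitioner verifying the Auto ProxyARP behaviour described above wants two things from the ip arplist output: the PROXY entries, and confirmation that each of them falls inside the Virtual IP range the VPN server was configured to hand out (192.168.1.64-74 in the example). The following is an added illustration written for this page, not SpeedTouch code. The sample output is transcribed from the server's ARP table above (a constructed copy; the column widths are an assumption), and any PROXY entry outside the configured range is reported separately because the mechanism described here would not have added it for a VPN client.

```python
"""Parse SpeedTouch "ip arplist" output and check the ProxyARP entries added for
VPN clients against the configured Virtual IP range.  Added illustration, not
SpeedTouch code; the sample output is a constructed copy of the table above."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the ARP table of the VPN server from the example above.
ARPLIST_SAMPLE = """\
Interface   IP address        HW address          Type
3 lan1      239.255.255.250   01:00:5e:7f:ff:fa   DYNAMIC
3 lan1      192.168.1.64      00:0e:50:0f:fd:4c   PROXY
3 lan1      192.168.1.100     00:0d:56:1d:f9:ba   DYNAMIC
"""

# index, interface, dotted-quad IP, colon-separated MAC, entry type
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def parse_arplist(text: str) -> List[Dict[str, str]]:
    """Return one dict per ARP entry; the header line and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            idx, intf, ip, mac, typ = m.groups()
            rows.append({"index": idx, "intf": intf, "ip": ip, "mac": mac.lower(), "type": typ})
    return rows


def proxy_entries(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only the ProxyARP entries, i.e. addresses the SpeedTouch answers ARP for on behalf of others."""
    return [r for r in rows if r["type"] == "PROXY"]


def check_proxy_range(rows: List[Dict[str, str]], first: str, last: str) -> Tuple[List[str], List[str]]:
    """Split the PROXY entries into those inside the Virtual IP range [first, last]
    and those outside it.  An outside entry was not created for a VPN client by the
    Auto ProxyARP mechanism and deserves a closer look."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    inside, outside = [], []
    for r in proxy_entries(rows):
        ip = ipaddress.IPv4Address(r["ip"])
        (inside if lo <= ip <= hi else outside).append(r["ip"])
    return inside, outside


if __name__ == "__main__":
    entries = parse_arplist(ARPLIST_SAMPLE)
    ok, odd = check_proxy_range(entries, "192.168.1.64", "192.168.1.74")
    print("ProxyARP entries for VPN clients:", ok)
    print("ProxyARP entries outside the Virtual IP range:", odd)
```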
43. 3.5.11 Connection Options Page
Options page layout: The Options page allows you to define Options lists that you can later refer to in a Connection Profile.

    Profiles | Networks | Descriptors | Options
    Options | Virtual I/F | Force DF | Min MTU | Add Route
    (Empty table)
    Use the fields below to add a new entry:
      Options name:
      Virtual I/F:
      Force DF:   unset
      Min MTU:    1000
      Add Route:  [x]
      Routed:     [x]

Connection options are described in section 6.10 Connection Options on page 207.

Chapter 3 Configuration via Local Pages
3.5.12 Client Page
Client page layout: The Client page is used for dialling in to a VPN server.

    Use the fields below to dial in to the VPN Server:
      Connection:
      Local ID Type:  as_per_peer_profile
      Local ID:
      Auth username:
      Auth Password:

The configuration of a VPN client scenario is described in detail in section 3.2 VPN Client on page 51 and following. The application-oriented VPN Client Web page is the recommended way to configure a VPN client and allows you to dial in to the VPN server.

Connection: Select from the list the name of the connection you want to start.

Local ID: The local ID identifies the local SpeedTouch during the Phase 1 negotiation with the remote Security Gateway. This identity must match the settings in the remote Security Gateway in order to successfully set up
44. Contents (continued)
- ... 200
- 6.9 Peer Options ... 201
- 6.9.1 List all Peer Options lists ... 203
- 6.9.2 Create a Peer Options list ... 204
- 6.9.3 Set or modify the Peer Option list parameters ... 205
- 6.9.4 Delete a Peer Options list ... 206
- 6.10 Connection Options ... 207
- 6.10.1 List all Connection Options lists ... 209
- 6.10.2 Create a Connection Options list ... 210
- 6.10.3 Set or modify the Connection Option list parameters ... 211
- 6.10.4 Delete an Options list ... 212
- 6.11 Advanced Connection ... 213

(margin labels: Abstract, Applicability, Used)
45. ... /24. This reference model represents a small network that can be built with off-the-shelf equipment in a test lab. In addition, a small-scale field trial in a statically configured network environment can be set up according to this model.

The model represents a network where two site managers are engaged in connecting their private LANs via a secure tunnel through the Internet. At Site A the local network 10.0.0.0/24 is connected to the Internet by means of a SpeedTouch gateway. At Site B the SpeedTouch gateway provides Internet access for the private network 20.0.0.0/24. An IPSec tunnel is established between both SpeedTouch routers in order to provide secure communication between hosts on the private networks over the public Internet.

It is assumed that IP connectivity is established between the two Security Gateways (the local and remote SpeedTouch). The IP connectivity is based on fixed public IP addresses at the WAN interfaces of the SpeedTouch routers, unless otherwise noted. Also, the respective LAN sections are assumed to use statically configured IP addresses for all hosts. Finally, a basic application scenario is established for this reference network. It is assumed that at both sides of the connection a single host is connected to the private LAN.

Chapter 4 Configuration via the Command Line Interface
4.1 Terminology
Basic IPSec c
46. Chapter 4 Configuration via the Command Line Interface
Delete a Peer Descriptor: The ipsec peer descriptor delete command deletes a Peer Security Descriptor. In this example the user-defined Peer Security Descriptor named peerdes1 is deleted.

    ipsec peer> descriptor
    ipsec peer descriptor> delete name=peerdes1
      name (AES_SHA1 | 3DES_MD5 | AES_SHA1_Adv | AES_MD5 | DES_SHA1 | peerdes1 | 3DES_SHA1 | DES_MD5) = peerdes1
    ipsec peer descriptor delete name=peerdes1
    ipsec peer descriptor>

The result of this operation is verified with the List command:

    ipsec peer descriptor> list
    AES_SHA1       AES 128 SHA1 MODP1024 Lifetime 3600s
    AES_MD5        AES 128 MD5 MODP1024 Lifetime 3600s
    3DES_SHA1      3DES SHA1 MODP1024 Lifetime 3600s
    3DES_MD5       3DES MD5 MODP1024 Lifetime 3600s
    DES_SHA1       DES SHA1 MODP768 Lifetime 3600s
    DES_MD5        DES MD5 MODP768 Lifetime 3600s
    AES_SHA1_Adv   AES 256 SHA1 MODP1536 Lifetime 86400s
    ipsec peer descriptor>

Chapter 4 Configuration via the Command Line Interface
4.4 Peer
What is: The Peer is a term that refers to the remote Security Gateway the IPSec secure tunnel(s) will be connected to. In a first phase an IKE Security Association is negotiated between the SpeedTouch and a remote Security Gateway (peer). This IKE SA serves as a signalling channel for subsequent t
47. (end of an IPSec connection descriptor listing)

    ...                                           Lifetime 86400s   Tunnel Mode
    NullEnc_SHA1_TUN   NULL   HMAC-SHA1           Lifetime 86400s   Tunnel Mode
    ipsec connection descriptor>

4.6 Network Descriptor
What is: The concept of Network Descriptors is introduced for the first time in the SpeedTouch R5.3.0. Not only the classical idea of an IP network or subnet is comprised in this concept, but also the protocol and port number of the messages can be specified, such that access to the VPN can be restricted to certain hosts, protocols and port numbers. Both the origin and destination traffic policies are expressed by referring to a Network Descriptor. To this end, a symbolic name is attributed to a Network Descriptor. The definition of relevant Network Descriptors is linked with the topology of the VPN that is constructed with the IPSec configuration. The Network Descriptors determine the type of messages that will trigger the IPSec module. The Network Descriptor parameters are explained in section 4.6.1.

How is it used: Network Descriptors can be used to express the origin and destination networks for an IPSec Connection. In case a static IPSec policy is used, the local and remote private networks are described by referring to a Network Descriptor. In this case relevant Network Descriptors have to be created prior to the definition of a Connection. The Connection refers to the Netwo
48. (end of a peer descriptor listing)

    ...A1 MODP1536 Lifetime 86400s
    ipsec peer descriptor>
    ipsec peer>
    ipsec>

Chapter 4 Configuration via the Command Line Interface
4.3.3 Create a New Peer Security Descriptor
add command: A new Peer Security Descriptor is created with the ipsec peer descriptor add command.

Example: In the following example a new Peer Security Descriptor is created, named peerdes1.

    > ipsec
    ipsec> peer
    ipsec peer> descriptor
    ipsec peer descriptor> add name=peerdes1
    ipsec peer descriptor add name=peerdes1
    ipsec peer descriptor>

The result of this operation can be verified with the List command:

    ipsec peer descriptor> list
    AES_SHA1       AES 128 SHA1 MODP1024 Lifetime 3600s
    AES_MD5        AES 128 MD5 MODP1024 Lifetime 3600s
    3DES_SHA1      3DES SHA1 MODP1024 Lifetime 3600s
    3DES_MD5       3DES MD5 MODP1024 Lifetime 3600s
    DES_SHA1       DES SHA1 MODP768 Lifetime 3600s
    DES_MD5        DES MD5 MODP768 Lifetime 3600s
    AES_SHA1_Adv   AES 256 SHA1 MODP1536 Lifetime 86400s
    peerdes1
    ipsec peer descriptor>

It is seen that the new descriptor named peerdes1 has been created, but no parameters are assigned yet.

Note: Seven Peer Security Descriptors are pre-defined in the SpeedTouch, covering th
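The descriptor listing above is the place to check which Phase 1 proposals a SpeedTouch will offer or accept, and the guide's own Crypto section ranks the ciphers (DES weakest, 3DES slower, AES recommended). The following is an added illustration written for this page, not SpeedTouch code: it parses a constructed copy of the list output shown above into structured records and flags settings a reviewer would want to retire. The DES and 3DES findings follow the guide's own recommendation; the findings on HMAC-MD5 and on Diffie-Hellman groups smaller than 2048 bits are general current practice, not something this guide states, and the column layout of the listing is an assumption.

```python
"""Parse the output of "ipsec peer descriptor list" and flag Phase 1 descriptors
that rely on weak or legacy settings.  Added illustration, not SpeedTouch code;
the sample listing is a constructed copy of the one shown above."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, transcribed from the descriptor list on this page.
DESCRIPTOR_LIST = """\
AES_SHA1       AES 128 SHA1 MODP1024 Lifetime 3600s
AES_MD5        AES 128 MD5 MODP1024 Lifetime 3600s
3DES_SHA1      3DES SHA1 MODP1024 Lifetime 3600s
3DES_MD5       3DES MD5 MODP1024 Lifetime 3600s
DES_SHA1       DES SHA1 MODP768 Lifetime 3600s
DES_MD5        DES MD5 MODP768 Lifetime 3600s
AES_SHA1_Adv   AES 256 SHA1 MODP1536 Lifetime 86400s
"""

# name, cipher, optional key size (only AES lists one), hash, DH group, lifetime in seconds
LINE_RE = re.compile(
    r"^(\S+)\s+(AES|3DES|DES)(?:\s+(\d+))?\s+(SHA1|MD5)\s+(MODP\d+)\s+Lifetime\s+(\d+)s\s*$"
)


@dataclass
class PeerDescriptor:
    name: str
    cipher: str
    key_bits: int      # 0 when the listing gives no key size (DES and 3DES are fixed-size)
    hash_alg: str
    dh_group: str
    lifetime_s: int


def parse_descriptors(text: str) -> List[PeerDescriptor]:
    """One record per descriptor line; prompts, blank lines and descriptors without
    parameters yet (such as a freshly added one) are skipped."""
    descs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, cipher, bits, hash_alg, group, life = m.groups()
        descs.append(PeerDescriptor(name, cipher, int(bits or 0), hash_alg, group, int(life)))
    return descs


def review(d: PeerDescriptor) -> List[str]:
    """Findings for one descriptor.  DES/3DES follow the guide's own Crypto guidance;
    the MD5 and DH-group findings reflect general current practice (not from the guide)."""
    findings = []
    if d.cipher == "DES":
        findings.append("DES: weakest of the supported ciphers")
    elif d.cipher == "3DES":
        findings.append("3DES: legacy cipher; the guide recommends AES")
    if d.hash_alg == "MD5":
        findings.append("MD5: HMAC-MD5 is a deprecated integrity/PRF choice for IKE")
    modp_bits = int(d.dh_group[len("MODP"):])
    if modp_bits < 2048:
        findings.append(f"{d.dh_group}: Diffie-Hellman group smaller than 2048 bits")
    return findings


def rank(descs: List[PeerDescriptor]) -> List[PeerDescriptor]:
    """Fewest findings first; ties broken by larger DH group, then larger key size."""
    return sorted(descs, key=lambda d: (len(review(d)), -int(d.dh_group[4:]), -d.key_bits))


if __name__ == "__main__":
    for d in rank(parse_descriptors(DESCRIPTOR_LIST)):
        label = f"{d.cipher}{('-' + str(d.key_bits)) if d.key_bits else ''} {d.hash_alg} {d.dh_group}"
        print(f"{d.name:13} {label:24} {review(d) or 'no findings'}")
```

Run against the listing above, the ranking puts AES_SHA1_Adv first and DES_MD5 last; none of the seven pre-defined descriptors comes out clean under the DH-group rule, which is the practical reason to define a user descriptor rather than rely on the defaults.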
49. ...AN have access to the secure connection, and individual users do not need to authenticate. The set of parameters required to access the VPN server is stored in the SpeedTouch configuration. Furthermore, you specify the range of local terminals that may access the secure VPN connection. Once configured, the automatic start procedure provides permanent access to the secure connection for the authorized terminals, without further user interaction.

When you use pre-shared key authentication and you click Use Automatic Start (Always On), an additional set of parameters is shown in the VPN Client Connection Configuration page. The set of parameters depends on the selected Server Vendor.

When you selected generic, the following set of parameters is shown:
> Choose Start Mechanism (automatic or manual); currently set to automatic
> Local LAN IP Range
> My email address
> Extended Authentication Username
> Extended Authentication Password
> Use Manual Dialup

When you selected cisco, the following set of parameters is shown:
> Choose Start Mechanism (automatic or manual); currently set to automatic
> Local LAN IP Range
> Group ID
> Extended Authentication Username
> Extended Authentication Password
> Use Manual Dialup

When you selected nortel, the following set of parameters is shown:
> Choose Start Mechanism (automatic or manual); currently set to automatic
> Local LAN IP Range
> Extended Authentication Username
> Extended
50. ...Corporation in the United States and/or other countries.
> Apple and Mac OS are registered trademarks of Apple Computer, Incorporated, registered in the United States and other countries.
> UNIX is a registered trademark of UNIX System Laboratories, Incorporated.
> Adobe, the Adobe logo, Acrobat and Acrobat Reader are trademarks or registered trademarks of Adobe Systems Incorporated, registered in the United States and/or other countries.
> Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation.
Other brands and product names may be trademarks or registered trademarks of their respective holders.

Document Information
Status: v1.0 (January 2006)
Reference: E-DOC-CTC-20051017-0169
Short Title: IPSec Configuration Guide ST608(WL)/620 R5.4

Contents
About this IPSec Configuration Guide ... 9
IPSec: Concept for secure IP connections ... 11
IPSec Concepts ... 12
SpeedTouch IPSec terminology ... 15
Security Descriptor ... 17
Authentication Attribute ... 18
Peer (Phase 1) ... 19
51. Descriptor 4: unset
Items marked with * are mandatory.
These will be used as alternative valid proposals in the Phase 2 negotiations.

Miscellaneous: Comprises the following settings:
> IKE Exchange Mode: IKE specifies two modes of operation for the Phase 1 negotiations: main mode and aggressive mode. Main mode is more secure, while aggressive mode is quicker.
> Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet. In the SpeedTouch, the routing engine determines which interface is used for the VPN connection (your DSL connection to the Internet, in most cases). So what is the relevance of selecting a physical interface? The VPN server handles incoming VPN connections only. For this kind of connection, where your SpeedTouch is the responder in the IKE negotiations, the interface is part of the matching process for accepting the connection. Using the default setting any has the effect of removing this matching criterion. For a VPN server configuration, this is the most convenient setting. If you select a specific interface as Primary Untrusted Physical
52. ...IP address of the secondary WINS server to be used by VPN clients.
Domain name (domain), Mandatory: Domain name provided to VPN clients.
XAuth pool (xauthpool), Optional (when clients use the XAuth protocol): Symbolic name of the XAuth users pool.
Connection name (name): This symbolic name only has local significance inside the SpeedTouch router.

Chapter 6 Advanced Features

Push IP address (push_ip): The VPN server will always provide an IP address to the remote VPN client. VPN clients can behave in two different ways. Either the VPN client requests an IP address; then the VPN server responds to this request and provides a suitable IP address. Or the VPN client does not issue a request for an IP address; in this case the VPN server pushes an IP address to the VPN client, and the client acknowledges the receipt of the IP address. Possible values (default value: disabled):
> enabled: the VPN server does not await a client request for an IP address and pushes an IP address to the client.
> disabled: the VPN server waits for a client request before assigning an IP address to the client.

VPN clients IP address range: Specifies the range of IP addresses from which the client addresses are selected. An address range or a subnet can be entered for this parameter. Examples:
> 10.20.30.5-50
> 10.20.30.0/24

Client netmask: Specifies the netmask provided to the client. Either the dotted decimal
53. ...Local Pages

3.5.8 Connection Profiles Page

Connection Profiles: The Connection Profiles page bundles all parameters that define an IPSec Connection to a Peer. In other words, it bundles the Phase 2 parameters.

Page layout: [Connection Profiles page: sub-tabs Profiles, Networks, Descriptors, Options, Client; table columns Connection, Peer, Local Network, Remote Network; "Empty table". Use the fields below to add a new entry: Connection name; Peer name (unset); Local network (unset); Remote network (unset); Always on (check box); Descriptor 1 (unset); Descriptor 2 (unset); Descriptor 3 (unset); Descriptor 4 (unset); Options (unset); Connection enabled (check box); Add]

A number of parameters make use of symbolic descriptors that are defined and managed on other sub-pages. On the Profiles page these descriptors are selected by their symbolic name from a list. Therefore, you need to prepare the descriptors in the other Connections sub-pages before a complete Connection Profile can be composed in the Connection Profiles page.

Connection name: Give the connection a symbolic name. This name only has local significance inside the SpeedTouch. This parameter is not used in the IPSec negotiations with the remote Security Gateway.
Peer name: Select from the list the name of the peer you want to connect to.
Local network / Remote network / Always on / Connection Descriptor: This parameter is used in the proposal presented to t
54. ...SpeedTouch at the headquarters in such a way that it will accept new branch offices in the VPN without requiring any adaptation to its configuration.

Selecting the LAN-to-LAN application (outline of a configuration procedure): In Expert Mode, click VPN > LAN to LAN. As a result, the following page is shown:

[LAN to LAN page: tab pages Remote Gateway Address Known and Remote Gateway Address Unknown; table columns Local Network, Remote Network, State; "Empty table". Use the fields below to add a new entry: Remote Gateway Address or FQDN; Backup Address or FQDN; IKE Authentication: Use Preshared Key Authentication / Use Certificate Authentication; Miscellaneous: Primary Untrusted Physical Interface (any), IKE Exchange Mode (unset), Inactivity Timeout (seconds) 3600; IKE Security Descriptors: Descriptor (unset), Specify Additional Descriptors; Items marked with * are mandatory; Add]

This page contains two main tab pages. Select one of the alternative pages according to which VPN context best describes your situation:
> When you know the network address or
55. [Logging page trace, continued: PROTOCOL PROTO_ISAKMP, SPI SIZE 0, TRANSFORMS 1; PAYLOAD TRANSFORM (NEXT PAYLOAD NONE; TRANSFORM ID KEY_IKE; ENCRYPTION_ALGORITHM DES; HASH_ALGORITHM MD5; AUTHENTICATION_METHOD PRE_SHARED; GROUP_DESCRIPTION MODP768; LIFE_TYPE SECONDS; LIFE_DURATION 3600 seconds); followed by PAYLOAD VENDOR entries with VENDOR ID Xauth, DPD and NAT-Traversal]

Click Clear to clear the trace, or Refresh to refresh the screen.

Chapter 5 Troubleshooting SpeedTouch IPSec

How to see the amount of traffic carried by a VPN connection: Browse to Expert mode > VPN > Debug > Statistics. This page shows the amount of traffic carried over the IKE Security Association (Phase 1) and the IPSec Security Association(s) (Phase 2).

[Statistics page screenshot: ikeGlobalStats counters, starting with ikeGlobalActiveTunnels and ikeGlobalPrevio
56. [Connection Descriptors table, continued] ... TUNNEL 86400 <unset>
DES_MD5_TUN: DES, HMAC-MD5, PFS disabled, TUNNEL, 86400, <unset>
AES_SHA1_Adv_TUN: AES-256, HMAC-SHA1, PFS enabled, TUNNEL, 86400, <unset>
3DES_SHA1_Adv_TUN: 3DES, HMAC-SHA1, PFS enabled, TUNNEL, 86400, <unset>
NullEnc_SHA1_TUN: NULL, HMAC-SHA1, PFS disabled, TUNNEL, 86400, <unset>
Use the fields below to add a new entry: Descriptor name; Crypto (unset); Integrity (unset); Encapsulation (unset); PFS; Lifetime (secs); Lifetime (kbytes); Add

A number of Connection Security Descriptors are pre-configured in the SpeedTouch. You can verify and modify the contents of the pre-defined Security Descriptors, or define your own Security Descriptors. The Connection Profile refers to the Connection Security Descriptor by its symbolic name.

Parameter table: The following table summarizes the parameters comprised in the connection security descriptor.
Connection Descriptor name: Symbolic name to identify the Descriptor.
Crypto (crypto): Cryptographic function to be used for the IPSec Security Association.
Integrity: Hashing function used for message authentication.
Encapsulation: Selects the ESP encapsulation mode.
PFS: Selects the use of Perfect Forward Secrecy.
Lifetime (secs) / Lifetime (kbytes): The lifetime of the IPSec Security Association. At
57. The result of this operation is verified with the commands of the show command group.

4.7 Stop a connection

stop command: The ipsec connection stop command tears down the designated Security Association. The IKE Security Association is not stopped with this command. For clearing both the Phase 1 and Phase 2 SAs, issue the ipsec clear session command.

Example: In this example, the connection named connect1 is stopped.

[ipsec connection]=>stop conn=connect1
:ipsec connection stop conn=connect1
[ipsec connection]=>

The result of this operation is verified with the commands of the show command group.

4.8 Auxiliary Commands

In this section: The following topics are discussed in this section:
4.8.1 Config Command ... 152
4.8.2 Flush Command ... 155
4.8.3 Clear Command Group

4.8.1 Config Command

What is it used for: This command serves two different purposes. Display the VPN configuration settings: without additional parameter, the command displays the current VPN settings. Control of general VPN settings: when an additional parameter is appended, the command controls the se
58. [ARP table output, continued]
...                              DYNAMIC
lan1  192.168.1.64    ...0d:88:65      STATIC
lan1  192.168.1.100   ...0e:50:5a      PROXY (i)
lan1  192.168.1.0/24  ...0e:50:5a:dd   PROXY

In the output shown above, the last entry, for 192.168.1.0/24, is the ProxyARP entry which is added when the VPN connection is established. This entry means that the entire subnet is located behind the VPN connection. The entry for 192.168.1.100 is an instantiation (marked with i) for a single remote terminal. The instantiation is made at the moment when there is traffic for this IP address.

4.8.2 Flush Command

What is it used for: This command flushes the complete IPSec configuration.

4.8.3 Clear Command Group

What is it used for: This command group comprises two commands intended for clearing Security Associations:
> clear all
> clear session

The clear command group is accessed in the following way:

=>ipsec
[ipsec]=>clear
[ipsec clear]=>

clear all: This command clears all active Phase 1 and Phase 2 Security Associations for all defined peers. The command has no associated parameters. The successful execution of the command is notified to the user:

[ipsec clear]=>all
Ok
[ipsec clear]=>

Note: Aft
59. ...Local Pages

Options: This optional parameter refers to the symbolic name of a connection options list. The connection options modify the VPN behaviour. The connection options lists are defined on the Connection Options sub-page (see 3.5.11 Connection Options Page on page 99). For a basic IPSec configuration, no options list is selected.
Connection enabled: Select this box to enable the connection.

Networks Page

Networks: The Networks page allows you to define Network Descriptors.

Page layout: [Networks page: table columns Network, Type, IP, Protocol, Port; "Empty table". Use the fields below to add a new entry: Network name; Type (unset); IP; Protocol (unset); Port (unset); Add]

What is a Network Descriptor? The concept of Network Descriptors is introduced for the first time in the SpeedTouch R5.3. Not only the classical idea of an IP network or subnet is comprised in this concept, but also the protocol and port number of the messages can be specified, such that access to the VPN can be restricted to certain hosts, protocols and port numbers. Both the origin and destination traffic policies are expressed by referring to a Network Descriptor. To this end, a symbolic name is attributed to a Network Descriptor.

How is it used? The definition of relevant Network Descriptors is linked with the topology of the VPN that is constructed with the IPS
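To make the Network Descriptor concept of section 4.6 and the Networks page concrete, the following Python model (an added example written for this page, not SpeedTouch code) represents a descriptor as a host set (single IP, range in either of the page's notations, or subnet) narrowed by protocol and port, and decides whether a packet fits an origin/destination policy. The descriptor names, the packet values and the assumption that the origin descriptor's port constrains the source port are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

# Protocol keywords as offered on the Networks page, mapped to IP protocol numbers.
# "any" imposes no protocol restriction.
PROTO_NUM = {"any": None, "tcp": 6, "udp": 17, "icmp": 1}


def parse_range(text: str) -> Tuple[IPv4Address, IPv4Address]:
    """Parse '10.0.0.5-10.0.0.56' or the shorthand '10.0.0.5-56' (last octet only)."""
    lo_txt, hi_txt = text.split("-", 1)
    lo = IPv4Address(lo_txt)
    if "." in hi_txt:
        hi = IPv4Address(hi_txt)
    else:
        hi = IPv4Address(lo_txt.rsplit(".", 1)[0] + "." + hi_txt)
    if hi < lo:
        raise ValueError(f"range end precedes start: {text}")
    return lo, hi


@dataclass(frozen=True)
class NetworkDescriptor:
    """Symbolic name plus host set, protocol and port, as on the Networks page."""
    name: str
    net_type: str               # "ip", "range" or "subnet"
    ip: str                     # "10.0.0.5", "10.0.0.5-56", "10.0.0.0/24"
    protocol: str = "any"       # key of PROTO_NUM
    port: Optional[int] = None  # None means any port

    def contains_host(self, host: str) -> bool:
        addr = IPv4Address(host)
        if self.net_type == "ip":
            return addr == IPv4Address(self.ip)
        if self.net_type == "range":
            lo, hi = parse_range(self.ip)
            return lo <= addr <= hi
        if self.net_type == "subnet":
            return addr in IPv4Network(self.ip, strict=False)
        raise ValueError(f"unknown network type {self.net_type!r}")

    def matches_service(self, proto_num: int, port: Optional[int]) -> bool:
        want = PROTO_NUM[self.protocol]
        if want is not None and want != proto_num:
            return False
        return self.port is None or self.port == port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto_num: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def policy_matches(origin: NetworkDescriptor, destination: NetworkDescriptor,
                   pkt: Packet) -> bool:
    """A packet triggers the IPSec module only if its source side fits the origin
    descriptor and its destination side fits the destination descriptor.
    Assumption (not stated on the page): the origin descriptor's port applies to
    the source port and the destination descriptor's port to the destination port."""
    return (origin.contains_host(pkt.src)
            and origin.matches_service(pkt.proto_num, pkt.sport)
            and destination.contains_host(pkt.dst)
            and destination.matches_service(pkt.proto_num, pkt.dport))


if __name__ == "__main__":
    # Constructed sample: a branch LAN may reach only HTTPS on one head-office host.
    office = NetworkDescriptor("office_lan", "subnet", "10.20.30.0/24")
    hq_web = NetworkDescriptor("hq_web", "ip", "192.168.1.100", "tcp", 443)
    print(policy_matches(office, hq_web, Packet("10.20.30.7", "192.168.1.100", 6, 51000, 443)))
    print(policy_matches(office, hq_web, Packet("10.20.30.7", "192.168.1.100", 6, 51000, 80)))
```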
60. ...ack IP address makes sense for this option, since in the general case the red IP addresses are not routable in the public Internet.

NAT-T: Currently the SpeedTouch supports the following draft RFCs related to NAT Traversal: draft-ietf-ipsec-nat-t-ike-00, draft-ietf-ipsec-nat-t-ike-03 and draft-ietf-ipsec-nat-t-ike-06. By default NAT-T is enabled and the use of NAT-T is negotiated with the remote peer. In case the remote peer does not support NAT-T, this option disables NAT-T in the local SpeedTouch. Possible values (default value: enabled): enabled, disabled.

Chapter 6 Advanced Features

Dead Peer Detection (DPD): The SpeedTouch supports the Dead Peer Detection protocol. By default the use of this protocol is enabled. This option allows disabling the use of the DPD protocol. Possible values (default value: enabled): enabled, disabled.

DPD Idle Period: The DPD protocol defines a worry period. This is an idle time during which no IPSec traffic is detected from the remote peer. At the expiry of this period, the local peer transmits a number of R-U-THERE messages to detect the liveliness of the remote peer. This option sets the duration of the idle period, expressed in seconds (dpd_idle_period).

DPD number of Transmits: This option determines the number of R-U-THERE messages transmitted by the local peer. If none of these messages is ackno
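The DPD timers described above (worry period, number of R-U-THERE transmits, per-transmit timeout) are replayed by the following Python model, an added example written for this page rather than the SpeedTouch's own implementation; the parameter defaults and the event timings are constructed, and the only behaviour assumed beyond the text is that traffic or an ACK arriving while probing counts as proof of life.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdOptions:
    """Mirrors the Peer Options fields: DPD, DPD idle period, max xmits, xmit timeout."""
    enabled: bool = True
    idle_period: float = 60.0   # seconds of silence before the first R-U-THERE (constructed)
    max_xmits: int = 3          # R-U-THERE messages sent before giving up (constructed)
    xmit_timeout: float = 10.0  # seconds to wait for an R-U-THERE-ACK (constructed)


@dataclass
class DpdResult:
    dead_at: Optional[float]                          # time the peer was declared dead, or None
    r_u_there_sent: List[float] = field(default_factory=list)


def run_dpd(opts: DpdOptions, inbound: List[float], acks: List[float],
            horizon: float) -> DpdResult:
    """Replay the local peer's DPD state over the interval [0, horizon].

    inbound: times (s) at which IPSec traffic from the remote peer was seen.
    acks:    times (s) at which an R-U-THERE-ACK arrived.
    The tunnel is considered alive at t = 0.
    """
    result = DpdResult(None)
    if not opts.enabled:
        return result                  # DPD disabled: a silent peer is never detected
    inbound, acks = sorted(inbound), sorted(acks)
    last_seen = 0.0                    # last proof of life from the remote peer
    while True:
        deadline = last_seen + opts.idle_period
        if deadline > horizon:
            return result              # worry period does not expire inside the window
        traffic = [t for t in inbound if last_seen < t <= deadline]
        if traffic:
            last_seen = traffic[-1]    # any traffic restarts the worry period
            continue
        # Worry period expired without traffic: probe the peer.
        probe_time = deadline
        for _ in range(opts.max_xmits):
            result.r_u_there_sent.append(probe_time)
            window_end = probe_time + opts.xmit_timeout
            proof = [t for t in inbound + acks if probe_time < t <= window_end]
            if proof:
                last_seen = min(proof)  # ACK (or traffic) within the timeout: peer is alive
                break
            probe_time = window_end     # no answer: retransmit after the timeout
        else:
            result.dead_at = probe_time # all transmits unanswered: SAs would be torn down
            return result


if __name__ == "__main__":
    opts = DpdOptions()
    # Constructed timeline: traffic at 20 s, 50 s and 100 s, then silence.
    print(run_dpd(opts, [20.0, 50.0, 100.0], [], 300.0))
```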
61. ...ackup interface. But when the DSL connection becomes available again, the VPN connections are not re-routed as long as the backup connection is available.

IKE Exchange Mode: IKE specifies two modes of operation for the Phase 1 negotiations: main mode and aggressive mode. Main mode is more secure, while aggressive mode is quicker.

Inactivity Timeout: When no traffic is detected at the peer for a certain period, it is decided that the tunnel is not used any more and the IKE session is terminated. All IPSec connections supported by the IKE session are terminated as well. This option sets the value of the inactivity timer (Inactivity Timeout, in seconds).

IKE Security Descriptors: The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase 1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch and can be selected from a list. Select a Security Descriptor in compliance with the IKE security parameters configured in the remote Security Gateway. For example, the pre-configured IKE Security Descriptor AES_MD5, used in various examples throughout this document, contains the following settings:

Parameter | Value for AES_MD5
Cryptographic function | AES
Hash function | HMAC-MD5
Diffie-Hellman group | MODP768 (group 1)
IKE SA lifetime in seconds | 3600 seconds (1 hour)

The contents of
62. ...ad to a situation where one peer assumes that a

Chapter 5 Troubleshooting SpeedTouch IPSec

How to monitor the IPSec negotiations: Proceed as follows:
1. Browse to Expert mode > VPN > Debug > Logging.
2. Select the desired level of Trace Detail. Select high to see the most detailed level of logging.
3. Start the VPN connection.
4. Browse again to Expert mode > VPN > Debug > Logging.

On the Logging page you can monitor the received and transmitted messages of the IKE and IPSec negotiations. This can help you to diagnose problems during the establishment of VPN connections. The figure shows the start of the IKE negotiations. You can scroll through the traces to search for the cause of an eventual VPN connection establishment failure.

[Logging page screenshot: tabs Statistics, Logging, Tear Down All Tunnels; Trace Detail high; trace of the first message sent by the initiator in main mode (message id 0, length 199): ISAKMP header with ICOOKIE, RCOOKIE, NEXT PAYLOAD SA, VERSION MAJOR 1, VERSION MINOR 0, EXCHANGE TYPE ID_PROT, FLAGS, MESSAGE ID, LENGTH 199; PAYLOAD SA (NEXT PAYLOAD VENDOR, DOI IPSEC, SITUATION SIT_IDENTITY_ONLY); PAYLOAD PROPOSAL (NEXT PAYLOAD NONE, LENGTH 40, PROPOSAL NUMBER 1, PROTOCOL PRO
63. [Statistics page screenshot, continued: remaining ikeGlobal counters (P1 SA delete requests in/out, Configs in/out and their rejects, HcPreviousTunnels, PreviousTunnelsWraps) followed by the IPSecGlobalStats counters (active and previous tunnels; in/out octets, decompressed and uncompressed octets and their wrap counters; packets, drops, replay drops; authentication, decryption and encryption counts and failures; compression counters; protocol-use, no-SA and system-capacity failures; HcPreviousTunnels, PreviousTunnelWraps), each with its current value]
64. ...alue. Some parameters may remain unset.

Peer name (name): The peer name identifies the peer entity. This name only has local significance inside the SpeedTouch. This parameter is not used in the IKE negotiations with the remote Security Gateway.

Remote Security Gateway identifier (remoteaddr): This parameter localizes the remote Security Gateway on the Internet. Either the public IP address or the Fully Qualified Domain Name can be used as an identifier.

Backup remote Security Gateway identifier (backupaddr): When a redundant remote Security Gateway is available, its public IP address or host name can be specified here. In a basic IPSec configuration this parameter is left unset.

Exchange mode (exchmode): This parameter determines the exchange mode used during the Phase 1 negotiation. The SpeedTouch supports both main mode and aggressive mode. Possible values: main, aggressive.

Local identifier (localid): This parameter identifies the local SpeedTouch during the Phase 1 negotiation with the remote Security Gateway. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch are listed in the following table:

Identity type | Description | Example
Fully qualified domain name | Fully qualified domain name (domain name) | ad sales corpo
65. ...ameter table: The authentication attribute is a named descriptor bundling the authentication parameters. The following data need to be provided:

Parameter | Possible values | Description
name | Arbitrary (syntax rules: see CLI Reference Guide) | The symbolic name by which the authentication attribute is referred to.
type | preshared, cert | preshared: the pre-shared key authentication method is used. cert: authentication with certificates.
secret | Arbitrary (syntax rules: see CLI Reference Guide) | When pre-shared key authentication is used, the pre-shared key (password) is entered here. The secret has to be entered twice in order to protect against typing errors. Irrelevant in case of authentication with certificates; in this case leave this parameter unset. The configuration of certificates is done via the main command group pki. For more information, see the CLI Reference Guide.

4.2.2 List all Authentication Attributes

list command: The ipsec peer auth list command shows all previously created authentication attributes.

Example: In this example four attributes are shown:
> cert1: completely defined authentication attribute using certificates
> secret2: created but not yet completely configured
> secret1: completely defined authentication attribute using pre-shared key

=>ipsec
[ipsec]=>peer
[ipsec peer]=>auth
[ipsec peer auth
66. ...ameters are stored in the SpeedTouch and can be regarded as a group authentication for all terminals that have access to the VPN. In case of nat virtual IP mapping, multiple terminals may simultaneously access the VPN. In case of dhcp virtual IP mapping, a single terminal at a time is allowed to access the VPN.

If the Manual Start mechanism is selected, no connection startup parameters are configured in the SpeedTouch. Each time you want access to the VPN, you have to manually dial in and enter the login parameters. A manual dial-in page is available in the SpeedTouch Web pages. The manual start mechanism is most suited to a teleworker scenario where a single user makes use of the VPN connection.

Dialling in (VPN Client Connect Page):
1. Select the VPN server from the table and click Dial In at the bottom of the screen.

[VPN Client Connect page: table columns Server, Remote Trusted Network, Start Mechanism; entry vpn.corporate.com, Retrieve From Server, Manual. Use the fields below to change the selected entry: Server IP Address or FQDN vpn.corporate.com; Backup Server IP Address or FQDN; IKE Security Descriptor AES_MD5; IPSec Security Descriptor AES_MD5_TUN; Exchange Mode aggressive; Server Vendor generic; Primary Untrusted Physical Interface; Virtual IP Mapping nat; IKE Authentication: Preshared Secret (masked), Confirm Secret (masked), Use Certificate Authentication; C
67. ...an IP address to the VPN clients via IKE Mode Config. When the check box is not selected, the VPN clients will request an IP address from the VPN server.

Domain: The domain name provided to the VPN clients via IKE Mode Config.
Primary DNS: The IP address of the primary DNS server provided to the VPN clients via IKE Mode Config. This is the primary DNS server in the local network that is open to VPN clients.
Secondary DNS: The IP address of the secondary DNS server provided to the VPN clients via IKE Mode Config. This is the secondary DNS server in the local network that is open to VPN clients.
Primary WINS: The IP address of the primary WINS server provided to the VPN clients via IKE Mode Config. This is the primary WINS server in the local network that is open to VPN clients. A WINS server maps NETBIOS names to IP addresses.
Secondary WINS: The IP address of the secondary WINS server provided to the VPN clients via IKE Mode Config. This is the secondary WINS server in the local network that is open to VPN clients.
XAuth Pool: The SpeedTouch allows the optional use of the Extended Authorization protocol with an internal list of authorized users. When you want to use XAuth, a list of authorized users is to be composed. This is explained in section 3.5.7 VPN Server XAuth Page on page 90. Once you have defin
68. ...ance with the IKE security parameters configured in the remote Security Gateway. The contents of the IKE Security Descriptors can be verified via Advanced > Peers > Security Descriptors.

Page layout with additional Descriptors: When you click Specify Additional Descriptors, the IKE Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IKE Security Descriptors: Descriptor 1 (unset), Descriptor 2 (unset), Descriptor 3 (unset), Descriptor 4 (unset). These will be used as alternative valid proposals in the IKE negotiations.

Miscellaneous: Comprises the following setting:
> Inactivity Timeout: When no traffic is detected at the peer for a certain period, it is decided that the tunnel is not used any more and the IKE session is terminated. All IPSec connections supported by the IKE session are terminated as well. This option sets the value of the inactivity timer.

Page layout for pre-shared key authentication: When you click Use Preshared Key Authentication, the initial page is updated in the following way: IKE Authentication with Preshared Key: Preshared Secret; Confirm Secret; Use Certificate Authentication. IKE Security Descriptors: Descriptor (unset); Specify Additional Descriptors. Mi
69. ...and Identity of VPN client and server correspond with each other.

When you click Use Certificate Authentication, the IKE Authentication area of the page is updated in the following way: IKE Authentication: Certificate DN (unset); Remote DN Filter; Use Preshared Key Authentication. When you select Use Certificate Authentication, you have to fill out the Distinguished Name of the local and remote Certificates.

Authorized Users List: When you selected the use of XAuth (either generic or chap) in the VPN Server Configuration page, then clicking Apply reveals an additional section at the top of the page [list of users: user2, user1; Use the fields below to add a new user: Username; Password; Confirm password; Add User].

Compose a list of authorized users for the VPN:
1. Enter a User name and corresponding Password.
2. Click Add User.
3. Repeat the previous steps for each individual VPN client you want to grant access to the VPN.

3.4 Certificates

Introduction: The Certificates Navigation tab gives access to four main pages for certificates management: Secure Storage page, Request page, Import page, CRL page (CRL Distribution Point).

Secure Storage page: This page shows the list of certificates stored in the SpeedTouch Secure Storage. [Tabs Secure Storage, Request, Import; table columns Certificate Name, Typ
70. ...anual control over this parameter.
Remote selector (remoteselector), Optional: The Advanced command allows manual control over this parameter.

Chapter 6 Advanced Features

Local network (localnetwork) / Remote network (remotenetwork): This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. This is a basic parameter for the dynamic IPSec policy capabilities of the SpeedTouch. As an outcome of the Phase 2 negotiations, a static IPSec policy is derived. This results in a cloned connection where the parameters localmatch, remotematch, localselector and remoteselector are automatically filled in by the SpeedTouch. The valid settings are:
> the keyword retrieve_from_server: This setting can be used in an IPSec client/server configuration. It is only relevant at the client side of the connection, where the SpeedTouch acts as an initiator for the IPSec Security Association.
> the keyword black_ip: This setting is used only for remote management scenarios where the IPSec tunnel is used exclusively for information generated or terminated by the SpeedTouch.
> a symbolic name of a network descriptor: This is the most common selection in a site-to-site application. In this case, the localnetwork parameter holds the symbolic name of the network descriptor
71. ...ashing algorithm SHA1.
> HMAC is always used as integrity algorithm, combined with either MD5 or SHA1.
> SHA1 is stronger than MD5, but slightly slower.

Group: The table below shows the supported Diffie-Hellman groups:

Diffie-Hellman group | Number of bits | Keyword
group 1 | 768 | MODP768
group 2 | 1024 | MODP1024
group 5 | 1536 | MODP1536

Lifetime (secs): The lifetime of a Security Association is specified in seconds. Lifetime measured in seconds: minimum value 240 (4 minutes), maximum value 31536000 (1 year).

3.5.4 Peer Options Page

Options: The Options page allows you to define Options lists that you can later refer to in a Peer Profile.

Page layout: [Peer Options page: tabs Peers, Connections; sub-tabs Profiles, Authentication, Descriptors, Options, VPN Client, VPN Server, XAuth; table columns Options, NAT-T, DPD, Inactivity; "Empty table". Use the fields below to add a new entry: Options name; NAT-T (disabled); DPD; DPD idle period; DPD max xmits; DPD xmit timeout; Inactivity; Add]

Peer options are described in section 6.9 Peer Options on page 201.

3.5.5 VPN Client Page

VPN Client: The VPN Client page allows you to define VPN Client Descriptors. [VPN Client page: table columns Client Descriptor, XAuth User; "Empty table". Use the fields below to add a new en
72. ...ation: Maximum licensed number <NUMBER> has already been reached
INFO: Cannot create peer: Maximum licensed number <NUMBER> has already been reached
INFO: peer profile <PROFILE_NAME> in use
INFO: Cannot create connection: Maximum licensed number <NUMBER> has already been reached
INFO: phase <1|2> sa delete ID local <ID> remote <ID>
INFO: phase 2 sa delete from <IPADDRESS> <PORT>
INFO: new phase <1|2> sa ID local <ID> remote <ID>
INFO: Cannot create IKE session: Maximum licensed number <NUMBER> has already been reached
INFO: Certificate not found
INFO: delete SADB spi in 0x<SPI> out 0x<SPI>
INFO: delete SPDB spi in 0x<SPI> out 0x<SPI>
INFO: ipsec <DIRECTION> drop <IPADDRESS> > <IPADDRESS> proto <PROTOCOL_NUM> spi <SPI> seq <SEQ> reason <REASON>

Chapter 5 Troubleshooting SpeedTouch IPSec

5.4 Via SNMP

Debugging via SNMP: [figure: an SNMP Manager exchanging SNMP messages with the SpeedTouch 620, which exposes the IF-MIB, ADSL-MIB and IPSec-MIB] On the SpeedTouch several SNMP MIBs are available, allowing configuration and counter information to be retrieved. A MIB (Management Information Base) can be considered as a representation of a group of parameters. A huge amount of MIB values can be retrieved remotely, e.g. traffic counters, number of SAs, the Phase 1 and 2 parameters
73. …ation name: … Secret: when pre-shared key authentication is used, enter the pre-shared key (password) here. A text string. Irrelevant in case of authentication with certificates; in this case leave this parameter unset. The Preshared Secret has to be entered twice in order to protect against typing errors.

Chapter 3 Configuration via Local Pages
3.5.3 Peer Descriptors Page

Peer Descriptors: a Peer Security Descriptor contains the methods for message authentication, encryption and hashing, and the lifetime of the IKE Security Association. The Peer Descriptors page allows you to manage Peer Security Descriptors.

Page layout: the page lists the pre-defined Peer Security Descriptors:

  Descriptor      Crypto    Auth   Group      Lifetime (secs)
  AES_SHA1        AES 128   SHA1   MODP1024   3600
  AES_MD5         AES 128   MD5    MODP1024   3600
  3DES_SHA1       3DES      SHA1   MODP1024   3600
  3DES_MD5        3DES      MD5    MODP1024   3600
  DES_SHA1        DES       SHA1   MODP768    3600
  DES_MD5         DES       MD5    MODP768    3600
  AES_SHA1_Adv    AES 256   SHA1   MODP1536   86400
  3DES_SHA1_Adv   3DES      SHA1   MODP1536   86400

Use the fields below the table to add a new entry: Descriptor name, Crypto (unset), Integrity (unset), Group (unset), Lifetime (secs).

Parameter table: Peer Descriptor name: a number…
74. Set or modify the vpnserver parameters
Attach the vpnserver entity to the peer entity
XAuth Users
XAuth Pool parameters
Create a new XAuth pool
Modify the xauthpool type
Attach the xauthpool entity to the vpnserver entity
Delete an xauthpool entity
XAuth User parameters
Create a new XAuth user
Set or modify the password of an XAuth user
Delete an xauthuser entity
The Default Peer Concept
One Peer, Multiple Connections
75. …can be achieved by selecting ESP with NULL encryption.

Encapsulated Security Payload: the Encapsulated Security Payload (ESP) protocol provides data confidentiality and ensures data integrity (message authentication). ESP supports various encryption algorithms, thus making the data unreadable for an eavesdropper.

Security Association: a Security Association (SA) consists of a set of parameters negotiated between two peers:
- authentication type
- compression
- hashing or encryption algorithms
- key size
- key lifetime

Internet Key Exchange: the Internet Key Exchange (IKE) protocol is the negotiation protocol used to establish an SA by negotiating security protocols and exchanging keys. First the IKE SA is set up, then the IKE channel acts as a signalling channel to negotiate a general-purpose SA.

(Figure: Phase 1 sets up the IKE SA between the two peers; Phase 2 negotiates the ESP/AH tunnel Security Associations over it.)

Within the IKE protocol two phases are distinguished to set up a tunnel between two peers:
- Phase 1: negotiate a bidirectional IKE SA functioning as a signalling channel to negotiate the Phase 2 SAs.
- Phase 2: negotiate unidirectional IPSec Security Associations that will carry general-purpose traffic.

The IKE SA is bidirectional, whereas the Phase 2 SA is unidirectional: one Security Association must be set up in each direction. The initiator and responder cookies uniquely identify a…
76. …cation system. Descriptor: refers to the Phase 1 security descriptor. The complete list of parameters is found in section 4.4 Peer on page 118 and in the CLI Reference Guide.

Chapter 2 SpeedTouch IPSec terminology
2.5 Connection (Phase 2)

What is: bundles all the parameters required for the Phase 2 SA (IPSec) negotiation:
- Peer: reference pointing to the peer configuration to be used. In fact this refers to the IKE channel used for the Phase 2 negotiations.
- Local/remote range: range of red IP addresses to which the IPSec policy applies. Reference to the Network Descriptors.
- Descriptor: reference to the Phase 2 Security Descriptor grouping the security parameters.

2.6 Network descriptor

What is: the concept of Network Descriptors is introduced for the first time in the SpeedTouch R5.3. Not only the classical idea of an IP network or subnet is comprised in this concept, but also the protocol and port number of the messages can be specified, such that access to the VPN can be restricted to certain hosts, protocols and port numbers. Both the origin and destination traffic policies are expressed by referring to a Network Descriptor. To this end a symbolic name is attributed to a Network Descriptor. The defin…
77. …Cisco requires a Group ID to be specified for the VPN clients (see Set of Server Vendor-specific parameters on page 58). … you connect to a Nortel VPN server.

Primary Untrusted Physical Interface: this field shows a list of your SpeedTouch interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general the primary untrusted interface is your DSL connection to the public Internet. In the SpeedTouch the routing engine determines which interface is used for the VPN connection (your DSL connection to the Internet in most cases). So what is the relevance of selecting a physical interface? In a VPN client the selection is relevant only when your SpeedTouch is equipped with a backup physical interface, for example an ISDN backup interface. This field determines the preferred interface for your VPN connection. This interface is used whenever it is available. When this interface fails, the active VPN connections are re-routed via the backup interface. When the primary interface becomes available again, the VPN connections are re-routed to the primary interface. On the other hand, when you select any as the Primary Untrusted Physical Interface and this interface fails, the active VPN connections are also re-routed to the backup interface, but…

Further fields on this page: Virtual IP mapping (optional), Remote network.
78. …configuration of the SpeedTouch, a number of concepts and definitions are introduced in this section. The Graphical User Interface (GUI) and the Command Line Interface (CLI) provide two alternative methods to configure the IPSec functions. The GUI contains some scenario-driven pages, which means that the configuration pages are grouped according to the intended network application. The advanced GUI pages and the CLI are component-driven, which means that network components are configured independently of each other. It is up to the user to combine the configuration of the various components in order to build an operational node in the intended network environment. The majority of IPSec configurations can be built with the Graphical User Interface. Only in particular situations it may be required to access some advanced functions via the Command Line Interface. The terminology used in the CLI and GUI is similar. The clarification of the concepts and terms refers to the command structure of the CLI. The IPSec command group comprises a number of underlying command groups, each containing a number of commands, in a hierarchical way.

The following topics are discussed in this section:
2.1 Policy
2.2 Security Descriptor

Chapter 2 SpeedTouch IPSec terminology
2.1 Policy

What is (static policy, dynamic policy): security is all about traffic policies, and these can…
79. …The fact that no lower value than this minimum is accepted forms a protection against an attack with ICMP "fragmentation needed" messages. This option is relevant in routed mode only.

add_route: the option determines whether or not routes are automatically added to the routing table. When enabled, a route to the remote red network is automatically added to the routing table via the Physical Interface of the peer to which the connection is attached. When disabled, the routing table has to be adapted manually in order to ensure IP connectivity between the local and remote red networks. Possible values: enabled, disabled. Default value: enabled.

Chapter 6 Advanced Features
6.10.1 List all Connection Options lists

list command: the ipsec connection options list command shows all previously created options lists.

Example: in the following example all previously created options lists are listed.

  ipsec>connection
  ipsec connection>options
  ipsec connection options>list
  opt1   mode non-routed   Virtual IP <unset>   DF bit <unset>   Min MTU 1000   add route enabled
  ipsec connection options>

6.10.2 Create a Connection Options list

add command: the ipsec connection options add command allows adding a new options list.

Example: in the follow…
80. …acts as an initiator for the IPSec Security Association.
- the keyword allocated_virtual_ip: this setting can be used in an IPSec client/server configuration. It is only relevant at the server side of the connection.
- the keyword black_ip: designates the public IP address of the remote Security Gateway as the end user of the secure connection. This setting is useful for a connection that serves secure remote management of the remote Security Gateway.
- a symbolic name of a network descriptor: this setting is used when the network environment at the remote side is completely known. This is often the case in a site-to-site application where the VPN structure and the use of specific ranges of IP addresses are under the control of a network manager.

Connection enabled: select this check box when you want a VPN connection that automatically starts negotiations when the SpeedTouch is operational.

Connection Security Descriptor: select from the list the symbolic name of a Connection Security Descriptor to be used for the IPSec connection. Up to four Descriptors can be selected in the Profiles page. These Descriptors are presented as alternative proposals during the Phase 2 negotiations. Connection Security Descriptors are managed on the Connection Descriptors sub-page. See 3.5.10 Connection Descriptors Page on page 96.

Chapter 3 Configuration via Local Pages
Connection Options: …
81. …ed by client and server. You can check this via the VPN > Debug > Logging page.

Backup VPN server: this field can optionally be filled out in a configuration with a backup VPN server. If no backup VPN server is available, you leave this field open.

IKE Security Descriptor: the IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase 1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch and can be selected from a list. Select a Security Descriptor in compliance with the IKE security parameters configured in the remote VPN server. For example, the pre-configured IKE Security Descriptor AES_MD5, used in various examples throughout this document, contains the following settings:

  Parameter                    Value for AES_MD5
  Cryptographic function       AES (128-bit key)
  Hash function                HMAC-MD5
  Diffie-Hellman group         MODP1024 (group 2)
  IKE SA lifetime in seconds   3600 seconds (1 hour)

The contents of the IKE Security Descriptors can be verified via Advanced > Peers > Security Descriptors. It is recommended to use AES as the preferred encryption method. AES is more advanced compared to DES or 3DES: it is faster for comparable key lengths and provides better security.

Chapter 3 Configuration via Local Pages

IPSec Security Descriptor: the IPSec Security Descriptor bundles the security parameters used for the Phase 2 Security Association. A number of IPSec Securi…
82. …ed from Release 5.3 onwards. In addition, NULL encryption may be useful for testing purposes, since the messages on the communication link can be interpreted. Message authentication remains active.

Key length (keylen): the SpeedTouch supports 3 different key lengths for the AES encryption algorithm: 128, 192 and 256 bits. The keylen parameter assigns the key length for this algorithm. Three values are valid, as specified in the table above. The DES and 3DES algorithms have a fixed key length; for these algorithms the keylen parameter is not shown in the CLI.

Authentication / hashing function (integrity): the SpeedTouch supports two types of hashing algorithms.
- HMAC is always used as integrity algorithm, combined with either MD5 or SHA1.
- SHA1 is stronger than MD5 but slightly slower.

Chapter 4 Configuration via the Command Line Interface

Further parameters in this table: Perfect Forward Secrecy (pfs), IPSec SA lifetime (lifetime_secs), IPSec SA volume lifetime (lifetime_kbytes), Encapsulation mode (encapsulation).

Perfect Forward Secrecy (pfs): enables or disables the use of Perfect Forward Secrecy. A lot of vendors have Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. In order to configure this on the SpeedTouch, the use of PFS must be enabled in the Connection Security Descriptor. PFS provides better security but increases the key calculation overhead…
83. Chapter 6 Advanced Features
6.6.9 Delete an xauthuser entity

delete command: the ipsec peer vpnserver xauthpool deluser command deletes an XAuth user entry from its pool.

Example: in this example the user named user1 is deleted.

  ipsec peer vpnserver xauthpool>deluser poolname pool1 username user1
  ipsec peer vpnserver xauthpool>

The result of this operation is verified with the list command:

  ipsec peer vpnserver xauthpool>list
  ipsec peer vpnserver xauthpool>

6.7 The Default Peer Concept

Why the default peer concept: consider the network configuration shown below.

(Figure: SpeedTouch620 1, with an IP address dynamically assigned via the PPP protocol, connects through a PPP server to SpeedTouch620 2 over a secure tunnel; SpeedTouch620 2 is configured as default peer, which allows for any IP address.)

When the SpeedTouch 1 gets its IP address dynamically assigned, e.g. during PPP tunnel setup, a remote IPSec peer cannot know in advance which IP address will be assigned. Each time the SpeedTouch 1 sets up a PPP connection, it will obtain an IP address from the ISP. In order to cope with this situation the default peer concept has been implemented. The remote IPSec peer address configured on the SpeedTouch 2 will allow…
84. The SpeedTouch supports two types of hashing algorithms (authentication / hashing function, integrity).
- HMAC is always used as integrity algorithm, combined with either MD5 or SHA1.
- SHA1 is stronger than MD5 but slightly slower.

Diffie-Hellman group (group): the table below shows the supported Diffie-Hellman groups.

  Diffie-Hellman group number   Number of bits   Keyword
  1                             768              MODP768
  2                             1024             MODP1024
  5                             1536             MODP1536

Chapter 4 Configuration via the Command Line Interface

IKE SA lifetime (lifetime_secs): the lifetime of a Security Association is specified in seconds.

  Lifetime measured in   Minimum value     Maximum value
  seconds                240 (4 minutes)   31536000 (1 year)

4.3.2 List all Peer Security Descriptors

list command: the ipsec peer descriptor list command shows the list of all defined peer security descriptors.

Example: the example below shows the pre-defined Peer Security Descriptors of the SpeedTouch.

  ipsec>peer
  ipsec peer>descriptor
  ipsec peer descriptor>list
  AES_SHA1       AES 128   SHA1   MODP1024   Lifetime 3600s
  AES_MD5        AES 128   MD5    MODP1024   Lifetime 3600s
  3DES_SHA1      3DES      SHA1   MODP1024   Lifetime 3600s
  3DES_MD5       3DES      MD5    MODP1024   Lifetime 3600s
  DES_SHA1       DES       SHA1   MODP768    Lifetime 3600s
  DES_MD5        DES       MD5    MODP768    Lifetime 3600s
  AES_SHA1_Adv   AES 256   SH…
85. …domain name of the remote Security Gateway, your SpeedTouch can either take the initiative to set up an IPSec tunnel to that remote Gateway, or it can wait until the remote gateway requests to set up a tunnel. If this is the VPN context that best describes your situation, then select Remote Gateway Address Known and proceed with section 3.1.1 Remote Gateway Address Known Page on page 27.
- Alternatively, there may be no need to take the initiative to set up a VPN tunnel. In your situation you rather wait until a remote Gateway requests you to set up a tunnel. In this situation you may not even know the location of the Remote Gateway. In this case select Remote Gateway Address Unknown and proceed with section 3.1.2 Remote Gateway Address Unknown Page on page 35.

In a simple LAN-to-LAN connection where two peers are connected, at least one of the peers should be configured via Remote Gateway Address Known.

Perform the following steps to configure your LAN-to-LAN application:
1. On the LAN-to-LAN Web page, select either Remote Gateway Address Known or Remote Gateway Address Unknown.
2. Configure the Remote Gateway parameters.
3. Define the Connection parameters.
4. Save the configuration.

The configuration pages you encounter during this procedure are described in more detail below.

3.1.1 Remote Gateway Address Known Page (VPN context, Initial page): …
86. …address, Local ID type, Local ID, Remote ID type, Remote ID, Primary untrusted physical interface, Exchange mode, Authentication, Descriptor 1, Descriptor 2, Desc3, Descriptor 4, Client/Server, Options (all initially unset). The page also carries the tabs Peer Profiles, Authentication, Descriptors, Options, VPN Client, VPN Server and VPN Server XAuth.

The Peers page gives access to the following sub-pages:
- 3.5.1 Peer Profiles Page on page 78
- 3.5.2 Authentication Page on page 82
- 3.5.3 Peer Descriptors Page on page 83
- 3.5.4 Peer Options Page on page 85
- 3.5.5 VPN Client Page on page 86
- 3.5.6 VPN Server Page on page 88
- 3.5.7 VPN Server XAuth Page on page 90

All peer parameters explained in the CLI configuration method can be filled out in these pages. The parameters of the various sub-pages are combined in a Peer Profile, which completely defines a Peer entity. Enter the Connections page to configure a connection to a peer.

Chapter 3 Configuration via Local Pages
Connection Profiles page: …
87. …address: 10.0.0.…
Fully qualified domain name: sales.corporate.net
User fully qualified domain name: john.doe@corporate.net (keyword userfqdn)

If you encounter problems during the IKE negotiations, use the Debug > Logging page to verify that the Identity Type and Identity of the two peer Security Gateways correspond with each other.

Use Certificate Authentication: when you click Use Certificate Authentication, the IKE Authentication area of the page is updated: it shows the fields Certificate DN (unset) and Remote DN Filter, and the button Use Preshared Key Authentication. When you select Use Certificate Authentication, you have to fill out the Distinguished Name of the local and remote Certificates.

Chapter 3 Configuration via Local Pages

Example of a completed page: the illustration below shows a completed page. The data in the various fields correspond with the VPN layout shown on page 25:
- Pre-shared key was selected as authentication method.
- keyid was selected for the local and remote identity.

After the page was completed, the remote gateway settings were added to the configuration by clicking Add. At the bottom of the screen additional buttons appear, which are explained below.

(Figure: the Remote Gateway Address Known / Remote Gateway Address Unknown tabs; the table lists Gateway Address 200.200.0.1 with its Local Network and Remote Network.) Use th…
88. …the remote Security Gateway in order to successfully set up the IKE Security Association. The Local ID types supported in the SpeedTouch are listed in the following table: IP address (10.0.0.…), Fully qualified domain name, User fully qualified domain name.

For a VPN client/server connection between a SpeedTouch VPN client and a Cisco IOS VPN server, select keyid as Local ID type. As Local ID value you type the user group name used in the Cisco configuration.

Remote ID: the Remote ID identifies the remote Security Gateway during the Phase 1 negotiation. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The Remote ID types supported in the SpeedTouch are listed in the following table: IP address (10.0.0.…), Fully qualified domain name, User fully qualified domain name, any (keyword any).

Chapter 3 Configuration via Local Pages

Primary Untrusted Physical Interface: this field shows a list of your SpeedTouch interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general the primary untrusted interface is your DSL connection to the public Internet. On the DSL line various logical connections can be defined, eventually using different protocol stacks (IPoA, PPPoE, PPPoA). The peer entity has…

(Further fields on this page: Exchange mode, Authentication, Peer Descriptor, Client/Server.)
89. 3.1.1 Remote Gateway Address Known Page

VPN context: you know the location of the Remote Gateway in the public Internet, either by its IP address or its FQDN. In this case the SpeedTouch can connect either as an initiator or as a responder. As an initiator of a connection you are capable of starting a secure connection from your SpeedTouch. As a responder, a connection will be started when the remote Security Gateway initiates the negotiations. When this description best fits your VPN context, then the Remote Gateway Address Known page is your starting page for the configuration of your LAN-to-LAN scenario.

Initial page: when you click Remote Gateway Address Known, the following page is displayed. It carries the tabs Remote Gateway Address Known / Remote Gateway Address Unknown, a table (Gateway Address, Local Network, Remote Network; initially empty) and, below it, the fields to add a new entry:
- Remote Gateway Address or FQDN
- Backup Address or FQDN
- IKE Authentication: Use Preshared Key Authentication / Use Certificate Authentication
- Primary Untrusted Physical Interface: any
- IKE Exchange Mode: unset
- Inactivity Timeout (seconds): 3600
- IKE Security Descriptors: Descriptor unset; Specify Additional Descriptors
- Miscellaneous
Items marked with * are mandatory.

The page contains a number of buttons and fields to complete. It is recommended to fill out the page from top to bottom, starting with the Remote Gateway address parameters. When you click a button, the page layout changes, reveal…
90. …the LAN interface eth0. This could be useful to set up a secure connection with a local host within the local LAN, for testing purposes, or when a redundant gateway to the public Internet other than the SpeedTouch is present in the LAN.

Exchange mode: select the exchange mode used during the Phase 1 negotiation. The SpeedTouch supports both main mode and aggressive mode.

Authentication: select from the list the symbolic name of the applicable Authentication Attribute. Either pre-shared key or certificates can be used for authentication. Authentication Attributes are defined on the Authentication sub-page. See 3.5.2 Authentication Page on page 82.

Peer Descriptor: select from the list the symbolic name of a Peer Security Descriptor to be used for the IKE negotiation. Up to four Descriptors can be selected in the Profiles page. These Descriptors are presented as alternative proposals during the IKE negotiations. Peer Security Descriptors are managed on the Peer Descriptors sub-page. See 3.5.3 Peer Descriptors Page on page 83.

Client/Server: this optional parameter refers to a dialup VPN Client/Server descriptor. Client/Server parameters are managed on separate sub-pages. See 3.5.5 VPN Client Page on page 86 for the VPN client configuration and 3.5.6 VPN Server Page on page 88 for the VPN server configuration.

Chapter 3 Configuration via Local Pages

Peer Options: this optional paramet…
91. Use the fields below to change the selected entry (values of the completed example):
- Remote Gateway Address or FQDN: 200.200.0.1
- Backup Address or FQDN: (empty)
- IKE Authentication: Preshared Secret and Confirm Secret (entered)
- Local ID Type: keyid; Local ID: the keyid value from the layout on page 25
- Remote ID Type: keyid; Remote ID: the keyid value from the layout on page 25
- Use Certificate Authentication (button)
- Miscellaneous: Primary Untrusted Physical Interface: Internet; IKE Exchange Mode: main; Inactivity Timeout (seconds): 3600
- IKE Security Descriptors: Descriptor 1: AES_MD5; Descriptor 2: AES_SHA1; Descriptor 3: unset; Descriptor 4: unset
Items marked with * are mandatory.
Buttons shown: Stop All Connections to this Gateway, Apply, Delete, New Gateway, New Connection to this Gateway, Status.

Chapter 3 Configuration via Local Pages

Buttons: you can use one of the following buttons.
- Stop All Connections to this Gateway: stop all VPN connections to the selected remote Security Gateway.
- Apply: apply modifications made to the settings of the selected remote Security Gateway.
- Delete: delete the selected remote Security Gateway from the configuration.
- New Gateway: start defining a new remote Security Gateway.
- New Connection to this Gateway: start defining a new connection to the selected remote Security Gateway.
- Status: show the operational status of the connections to the selected remote Security Gateway. The status is shown at the bottom of the page.
92. …the issuer. Secure Storage Content: empty.

Import page: this page allows importing new certificates from a Certificate Authority into the SpeedTouch.

Offline request: fields Distinguished Name and Overwrite pending offline request. Note: a Certificate Request will take several seconds.

CRL page: this page allows managing the use of Certificate Revocation Lists. CRL detailed configuration: CRL checking; CRL Distribution point; HTTP Proxy server; HTTP Proxy port; Network Timeout (in seconds): 10; Enforce time checks; Look for CRL distribution point extension; Use expired CRLs.

CRL Distribution point: this field indicates the URL/URI location a CRL should be retrieved from. The value must be in the form of a URI, and the supported protocols include LDAP and HTTP. The server name portion of the distribution point should be in the form of an IP address. Refer to RFC 1738, RFC 1779 and RFC 1959 for further details on URLs, DNs and LDAP URLs respectively.

Chapter 3 Configuration via Local Pages

CEP page: this page allows configuring the Certificate Enrollment Protocol settings. CEP configuration fields: Enrollment URL (http://…), Identity String, MD5 Fingerprint, HTTP Proxy Server, Subject DN, Challenge Password, Retype Password, Key Length, Force CEP Request, Check Nonce, Check Transaction ID.

Enrollment URL, Subject DN: Ex…
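A CRL Distribution point value that breaks the rules stated for the field fails silently at CRL fetch time, which then either blocks every certificate-authenticated peer or, with "Use expired CRLs" set, lets a revoked peer in. The following is an added example, not SpeedTouch code: a checker that enforces those rules (URI syntax, HTTP or LDAP scheme, an IP address as server part) and splits an LDAP URL into DN, attributes, scope and filter as RFC 1959 defines them. The default ports and the returned field names are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# Added example, not SpeedTouch code. Rules checked: URI form, scheme http or
# ldap, server part written as an IP address (the manual states all three).
# The default ports and the shape of the returned dict are assumptions.
SUPPORTED = {"http": 80, "ldap": 389}


def check_crl_distribution_point(uri):
    """Return (ok, detail): detail is a dict when ok, a reason string otherwise."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED:
        return False, f"unsupported scheme {parts.scheme!r}; use http or ldap"
    if not parts.hostname:
        return False, "missing server part"
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False, f"server {parts.hostname!r} must be an IP address, not a name"
    try:
        port = parts.port or SUPPORTED[scheme]
    except ValueError:
        return False, "invalid port"
    detail = {"scheme": scheme, "host": str(host), "port": port}
    if scheme == "http":
        if not parts.path:
            return False, "http URI needs a path to the CRL file"
        detail["path"] = parts.path
        return True, detail
    # RFC 1959: ldap://host[:port]/dn[?attributes[?scope[?filter]]]
    dn = unquote(parts.path.lstrip("/"))
    if not dn:
        return False, "ldap URI needs a distinguished name"
    fields = parts.query.split("?") if parts.query else []
    detail["dn"] = dn
    detail["attributes"] = fields[0].split(",") if fields and fields[0] else []
    detail["scope"] = fields[1] if len(fields) > 1 and fields[1] else "base"
    detail["filter"] = fields[2] if len(fields) > 2 else ""
    return True, detail


if __name__ == "__main__":
    for candidate in (
        "http://192.0.2.10/crl/ca.crl",
        "ldap://192.0.2.20/cn=CA,o=corp?certificateRevocationList",
        "http://crl.corporate.net/ca.crl",   # rejected: host name instead of IP
        "ftp://192.0.2.10/ca.crl",           # rejected: unsupported scheme
    ):
        print(candidate, "->", check_crl_distribution_point(candidate))
```

The host-must-be-an-IP rule is the device's, not a general best practice; it simply means the CRL fetch does not depend on DNS, so you will also want to pin the CRL server address in your change records.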
93. IPSec SA lifetime (lifetime_secs): the lifetime of the IPSec Security Association. At expiration of this period re-keying occurs.
IPSec SA volume lifetime (lifetime_kbytes): the maximum data volume transported before re-keying occurs.
Encapsulation (encapsulation): selects the ESP encapsulation mode.

A Connection Security Descriptor is a text string comprising the parameters described in the table above. An example is shown here:

  AES   128          HMAC SHA1       Lifetime 86400s      TUNNEL MODE
  |     |            |               |                    |
  |     key length   hash function   IPSec SA lifetime    encapsulation mode
  cryptographic function

Descriptor name: this name is used internally to identify the Connection Descriptor.

Cryptographic function (crypto): the table below shows the cryptographic functions supported by the SpeedTouch, along with their corresponding key size.

  Cryptographic function   Key size (bits)
  DES                      56
  3DES                     168
  AES                      128, 192 or 256
  NULL                     (no encryption)

- DES is relatively slow and is the weakest of the algorithms, but it is the industry standard.
- 3DES is a stronger version of DES, but is the slowest of the supported algorithms for a comparable key length.
- AES is the new encryption standard selected by the American government to replace DES/3DES. It is recommended to use AES, since it is the most advanced of the supported encryption methods.
- NULL encryption: the message is not encrypted. Selecting NULL encryption achieves authentication without encryption, being equivalent to the use of the Authentication Header (AH), which is no longer supporte…
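The descriptor string above, and the peer descriptor list lines of section 4.3.2, are what you compare against the remote peer's configuration before a negotiation. The following Python is an added example, not SpeedTouch code: it parses both string forms and returns the findings a reviewer would raise for each (DES, 3DES, HMAC-MD5, MODP768, NULL encryption, an invalid AES key length, a lifetime outside the documented bounds). Two assumptions: TRANSPORT as the other encapsulation mode, and the IKE SA lifetime bounds (240 s to 31536000 s) applied to Phase 2 lifetimes as well, since the manual states bounds only for the IKE SA.

```python
import re

# Added example, not SpeedTouch code. Parses the two descriptor string forms in
# this manual:
#   peer (Phase 1) list line:    AES_SHA1 AES 128 SHA1 MODP1024 Lifetime 3600s
#   connection (Phase 2) string: AES 128 HMAC SHA1 Lifetime 86400s TUNNEL MODE
# Assumptions: TRANSPORT as the other encapsulation mode, and the IKE lifetime
# bounds (240 s .. 31536000 s) applied to Phase 2 lifetimes as well.
PEER_RX = re.compile(
    r"^(?P<name>\S+)\s+(?P<crypto>DES|3DES|AES|NULL)(?:\s+(?P<keylen>\d+))?"
    r"\s+(?P<integrity>MD5|SHA1)\s+(?P<group>MODP\d+)\s+Lifetime\s+(?P<lifetime>\d+)s$")
CONN_RX = re.compile(
    r"^(?P<crypto>DES|3DES|AES|NULL)(?:\s+(?P<keylen>\d+))?\s+HMAC\s+(?P<integrity>MD5|SHA1)"
    r"\s+Lifetime\s+(?P<lifetime>\d+)s\s+(?P<mode>TUNNEL|TRANSPORT)\s+MODE$")
LIFETIME_MIN, LIFETIME_MAX = 240, 31536000
AES_KEYLENS = {128, 192, 256}

PREDEFINED = [  # as printed by "ipsec peer descriptor list"
    "AES_SHA1 AES 128 SHA1 MODP1024 Lifetime 3600s",
    "AES_MD5 AES 128 MD5 MODP1024 Lifetime 3600s",
    "3DES_SHA1 3DES SHA1 MODP1024 Lifetime 3600s",
    "3DES_MD5 3DES MD5 MODP1024 Lifetime 3600s",
    "DES_SHA1 DES SHA1 MODP768 Lifetime 3600s",
    "DES_MD5 DES MD5 MODP768 Lifetime 3600s",
    "AES_SHA1_Adv AES 256 SHA1 MODP1536 Lifetime 86400s",
    "3DES_SHA1_Adv 3DES SHA1 MODP1536 Lifetime 86400s",
]


def _finish(match, phase):
    d = match.groupdict()
    d["phase"] = phase
    d["keylen"] = int(d["keylen"]) if d["keylen"] else None
    d["lifetime"] = int(d["lifetime"])
    return d


def parse_peer_descriptor(line):
    m = PEER_RX.match(line.strip())
    if not m:
        raise ValueError(f"not a peer descriptor line: {line!r}")
    return _finish(m, 1)


def parse_connection_descriptor(text):
    m = CONN_RX.match(text.strip())
    if not m:
        raise ValueError(f"not a connection descriptor: {text!r}")
    return _finish(m, 2)


def audit(d):
    """Findings a reviewer would raise for one parsed descriptor (empty = acceptable)."""
    findings = []
    if d["crypto"] == "NULL":
        findings.append("NULL encryption: authentication only, no confidentiality")
    elif d["crypto"] == "DES":
        findings.append("DES is the weakest supported cipher; prefer AES")
    elif d["crypto"] == "3DES":
        findings.append("3DES is the slowest supported cipher; prefer AES")
    if d["crypto"] == "AES" and d["keylen"] not in AES_KEYLENS:
        findings.append(f"invalid AES key length {d['keylen']}; use 128, 192 or 256")
    if d["crypto"] != "AES" and d["keylen"] is not None:
        findings.append(f"{d['crypto']} has a fixed key length; keylen must not be given")
    if d["integrity"] == "MD5":
        findings.append("HMAC-MD5 is weaker than HMAC-SHA1")
    if d.get("group") == "MODP768":
        findings.append("MODP768 (group 1) is the weakest supported DH group; prefer MODP1536")
    if not LIFETIME_MIN <= d["lifetime"] <= LIFETIME_MAX:
        findings.append(f"lifetime {d['lifetime']}s outside {LIFETIME_MIN}..{LIFETIME_MAX}")
    return findings


def audit_predefined():
    """Audit every pre-defined peer descriptor; only the *_Adv entries and AES_SHA1 pass."""
    return {d["name"]: audit(d) for d in map(parse_peer_descriptor, PREDEFINED)}


if __name__ == "__main__":
    for name, findings in audit_predefined().items():
        print(name, "->", findings or "ok")
    print(audit(parse_connection_descriptor("AES 128 HMAC SHA1 Lifetime 86400s TUNNEL MODE")))
```

Run the peer list through it after every firmware change: the pre-defined DES_* and *_MD5 entries are still selectable, and a remote peer that proposes only those will negotiate successfully unless you have removed them from your proposal set.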
94. …the most common settings. In total up to 40 Security Descriptors can be defined. This total includes both the Peer Security Descriptors and the Connection Security Descriptors (see 4.5 Connection Security Descriptor on page 127).

Chapter 4 Configuration via the Command Line Interface
4.3.4 Set or Modify the Peer Descriptor Parameters

modify command: the ipsec peer descriptor modify command sets or modifies the Peer Security Descriptor parameters.

Example: in this example the parameters of the previously defined Peer Security Descriptor peerdes1 are set to the following values:
- crypto AES
- keylen 128
- integrity MD5
- group MODP1536
- lifetime_secs 84600

In interactive mode the CLI shows, for each parameter, the current value (here crypto DES and group MODP768) and the possible values (group MODP768, MODP1024 or MODP1536) before the new value is entered. The resulting command is:

  ipsec peer descriptor>modify name peerdes1 crypto AES keylen 128 integrity MD5 group MODP1536 lifetime_secs 84600
  ipsec peer descriptor>

The parameters of the pre-defined descriptors can also be changed with the modify command. Use this feature, for example, if you want to change the lifetime parameter only. The descriptors must match at both peers in order to have a successful outcome of the Phase 1 negotiation.

4.3.5 Delete a Peer Security Descriptor (delete command, Example): …
95. …IPSec configuration. The Network Descriptors determine the type of messages that will trigger the IPSec module. Network Descriptors can be used to express the origin and destination networks for an IPSec Connection. In case a static IPSec policy is used, the local and remote private networks are described by referring to a Network Descriptor. In this case relevant Network Descriptors have to be created prior to the definition of a Connection Profile. A Connection Profile refers to a Network Descriptor by its symbolic name.

Name: internal symbolic name to identify the Network Descriptor.

Type and IP: the Type and IP parameters locate the network in the IP address space. In the IP field you enter a value corresponding to the network Type:

  Type                            IP
  a single IP address             10.0.0.15
  a single IP subnet              10.0.0.0/24
  a contiguous IP address range   10.0.0.5-10.0.0.56, or in short form 10.0.0.5-56

Chapter 3 Configuration via Local Pages

Protocol: optionally the access to an IPSec connection can be restricted to a specific protocol by selecting a protocol from the list. Select any if you do not want to restrict the connection to a specific protocol. If you want to restrict the protocols on your secure VPN link and you need multiple protocols, then you define a new connection for every individual protocol. Separate IPSec tunnels will be established for each protocol.

Port: Op…
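The Type/IP, Protocol and Port fields above together form the selector that decides which packets trigger the IPSec module, so a descriptor that is one octet too wide or a protocol left at any silently widens the tunnel. The following is an added example, not SpeedTouch code: it parses the three Type forms listed above, including the short range notation, and decides which connection a given packet would fall under. The hyphen as range separator, the protocol names and the use of numeric ports are assumptions made for this example.

```python
import ipaddress
import re

# Added example, not SpeedTouch code. The Type/IP value takes the three forms
# listed above: a single address, a subnet in prefix notation, or a contiguous
# range written either in full (10.0.0.5-10.0.0.56) or with only the last
# octet of the end address (10.0.0.5-56). Assumptions: the hyphen as range
# separator, the protocol names below and numeric ports.
IP_PROTO = {"any": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
RANGE_RX = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+|\d+)")


def parse_network(type_, value):
    """Return a predicate over IPv4Address for one Type/IP pair."""
    value = value.strip()
    if type_ == "single":
        addr = ipaddress.IPv4Address(value)
        return lambda ip: ip == addr
    if type_ == "subnet":
        net = ipaddress.IPv4Network(value, strict=False)
        return lambda ip: ip in net
    if type_ == "range":
        m = RANGE_RX.fullmatch(value)
        if not m:
            raise ValueError(f"bad range: {value!r}")
        lo = ipaddress.IPv4Address(m.group(1))
        hi_text = m.group(2)
        if "." not in hi_text:  # short form: reuse the first three octets of the start
            hi_text = m.group(1).rsplit(".", 1)[0] + "." + hi_text
        hi = ipaddress.IPv4Address(hi_text)
        if hi < lo:
            raise ValueError(f"range end before start: {value!r}")
        return lambda ip: lo <= ip <= hi
    raise ValueError(f"unknown network type {type_!r}")


class NetworkDescriptor:
    """One Network Descriptor: symbolic name, network, optional protocol and port."""

    def __init__(self, name, type_, ip, protocol="any", port="any"):
        if protocol not in IP_PROTO:
            raise ValueError(f"unknown protocol {protocol!r}")
        self.name = name
        self.in_network = parse_network(type_, ip)
        self.proto = IP_PROTO[protocol]
        self.port = None if port == "any" else int(port)

    def matches(self, ip, proto_num, port=None):
        """True when a packet with these header fields falls under this descriptor."""
        if not self.in_network(ipaddress.IPv4Address(ip)):
            return False
        if self.proto is not None and proto_num != self.proto:
            return False
        if self.port is not None and port != self.port:
            return False
        return True


def select_connection(connections, src, dst, proto_num, sport=None, dport=None):
    """Name of the first connection whose local descriptor matches the source side
    and whose remote descriptor matches the destination side, else None.
    Modelling a connection as (name, local, remote) is an assumption of this example."""
    for name, local, remote in connections:
        if local.matches(src, proto_num, sport) and remote.matches(dst, proto_num, dport):
            return name
    return None


if __name__ == "__main__":
    lan = NetworkDescriptor("lan", "subnet", "10.0.0.0/24")
    servers = NetworkDescriptor("servers", "range", "10.0.1.5-56", protocol="tcp", port=443)
    conns = [("https_only", lan, servers)]
    print(select_connection(conns, "10.0.0.15", "10.0.1.20", 6, 51000, 443))  # https_only
    print(select_connection(conns, "10.0.0.15", "10.0.1.20", 6, 51000, 80))   # None
```

Because the manual establishes a separate tunnel per protocol, a second connection with its own descriptor pair is the only way to admit a second protocol; the function above returns the first match, which is also why descriptor order matters when ranges overlap.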
96. 4.7 Connection
4.7.1 Connection Parameters
4.7.2 List all Connections
4.7.3 Create a New Connection
4.7.4 Set or Modify the Connection Parameters
4.7.5 Delete a Connection
4.7.6 Start a Connection
4.7.7 Stop a Connection
4.8 Auxiliary Commands
4.8.1 Config Command
4.8.2 Flush Command
4.8.3 Clear Command Group
4.9 Organisation of the IPSec Command Group
5 Troubleshooting SpeedTouch IPSec
5.1 Via the Debug Web pages
5.2 Via the CLI Show command Group
97. …ed a named list of authorized users, select it from the XAuth Pool list to activate the use of XAuth in the VPN server.

3.9 VPN Server XAuth Page

The VPN Server XAuth page allows you to define XAuth user pools and to add authorized users to these pools. [Page layout: a table of existing XAuth pools (pool name, type, username); the fields XAuth pool name, Type (generic), Username, Password, Password confirmation; button Add User]

An XAuth user pool is a named list of authorized users. Use Add User to define additional user records. The configuration of a VPN server scenario is described in detail in section 3.3 VPN Server on page 63 and following. The application oriented VPN Server Web page is the recommended way to configure a VPN server.

XAuth pool name: this name is used internally to identify the XAuth pool. It appears in the XAuth Pool list on the VPN Server page.

Type: two different types of user authentication protocol can be selected, generic and chap.

Username and Password: you define a new record for an authorized user by typing a Username and Password. Click Add User to add the user record to the XAuth pool.
98. …eft unset. In such a case the SpeedTouch uses its dynamic policy capabilities to derive a static policy as a result of the Phase 2 negotiation. A cloned connection is automatically created with the remoteselector derived by the SpeedTouch. In an advanced application it may in some cases be useful to manually fill in a static policy. Entering a symbolic network name in the remoteselector parameter does this.

The following commands are available in the Advanced Connection command group:
> add
> modify
> delete
> list

The functionality of these commands is identical to the commands described in the basic Connection command group. The only difference is the enhanced control over the parameters in the modify command.

Need more help? Additional help is available online at www.speedtouch.com. A THOMSON BRAND.
99. …elete name=copt1
    :ipsec connection options delete name=copt1
    [ipsec connection options]=>

6.11 Advanced Connection

Introduction: the Advanced command group is a sub-group of the Connection command group. It allows additional connection settings in order to take full advantage of the dynamic policy capabilities of the SpeedTouch.

Parameters table: the table below lists the parameters that have enhanced functionality with respect to the basic Connection commands.
> Local network (localnetwork), mandatory: the private local IP network that has access to the IPSec connection. The Advanced command group allows an additional keyword.
> Remote network (remotenetwork), mandatory: the private remote IP network that has access to the IPSec connection. The Advanced command group allows an additional keyword.
> Local match (localmatch), optional: local policy determining which messages are transmitted via the secure connection and need IPSec processing. The Advanced command allows manual control over this parameter.
> Remote match (remotematch), optional: local policy determining which messages are received via the secure connection and need to be decrypted. The Advanced command allows manual control over this parameter.
> Local selector (localselector), optional: the Advanced command allows m…
100. …entication: reveal additional parameter fields required for the configuration of Preshared Key Authentication.
> Use Certificate Authentication: reveal additional parameter fields required for the configuration of Certificate Authentication.
> Specify Additional Descriptors: reveal additional fields where you can specify alternative Security Descriptors.
> Apply: confirm the VPN server settings.
> Clear All: clear all VPN server settings.

Local Trusted Network: the Local Trusted Network open to Remote Clients describes which part of the local network you want to make accessible to remote VPN clients. Two fields must be completed: Trusted Network Type and Trusted Network IP. The Trusted Network Type determines which type of value to use for the Trusted Network IP field. The following network types are supported: Te… The Trusted Network IP values are used during the Phase 2 negotiation (where the traffic selectors are agreed) and must comply with the values configured in the remote VPN client.

Page layout with additional Networks: clicking Specify Additional Networks allows you to designate up to four addresses/subnets in case the Local Trusted Network cannot be described by a single address or subnet. [Page layout: IKE Security Descriptor; Local Trusted Network open to Remote Clients (Type unset, IP); Local Trusted Network 2 (Type unset, IP); Local Trusted Network 3 (Type un…]
101. …er 6 Advanced Features

Create a new vpnclient: a new vpnclient is created with the ipsec peer vpnclient add command. In the following example a new vpnclient entity is created, named client1:

    =>ipsec
    [ipsec]=>peer
    [ipsec peer]=>vpnclient
    [ipsec peer vpnclient]=>add name=client1
    :ipsec peer vpnclient add name=client1
    [ipsec peer vpnclient]=>

The result of this operation can be verified with the list command:

    [ipsec peer vpnclient]=>list
    client1
      Xauth               : <unset>
      Client Type         : <unset>
      Virtual IP Map Mode : <unset>
      Local LAN IP Range  : <unset>
    [ipsec peer vpnclient]=>

For the newly created vpnclient entity in this example all parameters are unset. Setting of the parameters is described in the next section.

6.4.9 modify command

Example: set or modify the vpnclient parameters. The ipsec peer vpnclient modify command sets or modifies the vpnclient entity parameters. In this example the parameters of the previously defined vpnclient entity named client1 are set (the CLI prompts for each parameter; the choices are shown in brackets):

    [ipsec peer vpnclient]=>modify name=client1
    xauthuser = user1
    xauthpass = ********
    Please retype xauthpass for verification.
    xauthpass = ********
    clienttype = [generic|cisco|nortel] generic
    virtualip_maptype = [none|nat|dhcp] none
    lan_range = 10.60.11.0/24
    :ipsec pee…
102. …er attributes prior to the creation of an operational peer.

A Connection bundles all the parameters related to a bi-directional IPSec connection, consisting of two Phase 2 Security Associations.
> The Phase 2 security parameters are bundled in a Connection Security Descriptor.
> A Network Descriptor describes the remote private network that is accessible via the IPSec connection.
A valid Connection contains a reference to both descriptors. Therefore valid descriptors of both kinds must be present in the SpeedTouch prior to the creation of an operational Connection.

Procedure: in order to set up a basic IPSec configuration, the following main steps have to be executed:
1. Prepare the Peer attributes:
   > define a valid Authentication Attribute
   > define a valid Peer Security Descriptor
2. Create a new Peer entity.
3. Modify the Peer parameters.
4. Prepare a valid Connection Security Descriptor.
5. Prepare a valid Network Descriptor.
6. Create a new Connection.
7. Set the parameters of the new Connection:
   > refer to the corresponding Peer
   > refer to the relevant Connection Security Descriptor
   > modify the Connection parameters
8. Start the Connection.

Each of these steps is explained in more detail in the subsequent sections. The order of these sections corresponds to the sequence of the configuration steps.
103. …er clearing, the individual Security Associations can be established again, either by starting connections or triggered by traffic complying with the policy.

session: this command clears the IKE Security Association and all active Phase 2 Security Associations for one particular peer. The peer is indicated by its name. The result of the command is reported to the user. In the following example no Security Association was active for the peer named peer1 at the time the command was executed:

    [clear]=>session peer1
    :clear session name=peer1
    … to find session for peer peer1
    [clear]=>

4.9 Organisation of the IPSec Command Group

Introduction: in this section an overview is given of the IPSec Command Group structure. Underlined keywords represent a command group; other keywords are commands.

ipsec command group: the ipsec command group comprises five main command groups and two commands, as shown in the following tables. The table shows cross references to the structure tables of the individual command groups, and to 4.8.1 Config Command on page 152 and 4.8.2 Flush Command on page 155 for the two commands.

Clear command group: the following table shows the commands of the ipsec clear command group.
104. …er refers to the symbolic name of a peer options list. The peer options modify the VPN behaviour. The peer options lists are defined on the Peer Options sub-page, see 3.5.4 Peer Options Page on page 85. For a basic IPSec configuration no options list is selected.

3.5.2 Authentication Page

The Authentication page allows you to define Authentication Attributes. [Page layout: Authentication table (empty until an entry is added); fields Authentication name, Type (unset), Secret, Secret confirmation; button Add]

Two main methods for user authentication are supported in the SpeedTouch:
> pre-shared key
> certificates

The user authentication parameters used for IKE negotiations are bundled in a descriptor with a symbolic name. This is called the Authentication Attribute. For pre-shared key authentication this attribute holds the pre-shared key. For authentication with certificates it simply indicates the authentication method.

Parameter table: the authentication attribute is a named descriptor bundling the authentication parameters. The following data need to be provided (parameter, possible values, description):
> Name, a text string: the symbolic name of the authentication attribute. This name is used in the Peer Profile.
> Type, preshared: the pre-shared key authentication method is used. Authentic…
105. …ers on page 58. Nortel: you connect to a Nortel VPN server (certificate authentication only).

Type: the Type parameter determines which Virtual IP Address Mapping type is selected. Either dhcp or nat can be selected.
> Selecting dhcp has the effect that the virtual IP address attributed by the VPN server to the SpeedTouch VPN client is effectively assigned to the terminal. The SpeedTouch creates a new IP address pool, called a spoofing address pool, and uses this pool to provide a new IP address to the terminal that starts the secure connection. Simultaneous access to the VPN by multiple terminals in the LAN is not possible, because the VPN server attributes a single virtual IP address. The spoofing address pool inherits the lease time for IP addresses from the originally used address pool. In order to have a swift renewal of IP addresses it is recommended to set a conveniently low lease time in the original dhcp address pool; a value of 60 seconds is suggested.
> Selecting nat has the effect that the VPN server attributes a virtual IP address to the SpeedTouch VPN client. This virtual IP address is stored in the SpeedTouch, which automatically creates a new NAT entry to map the virtual IP address to the IP addresses used on the local network. Simultaneous access to the VPN by multiple terminals is su…
106. …fill out the Group ID. The value should correspond with the group name as configured on the Cisco VPN server with the command crypto isakmp client configuration group <groupname>.

For a Nortel VPN server: interworking with a Nortel VPN server is possible only when IKE Authentication is done via Certificates. Pre-shared key authentication cannot be used on an IPSec connection between a SpeedTouch VPN client and a Nortel VPN server.

Optionally you can use the Extended Authentication protocol in combination with the Automatic Start mechanism. Simply fill out a Username and Password in the optional fields and XAuth is used when the connection is established. The Username and Password in this case act as a group key for all local terminals authorized to use the VPN connection. [Fields: Extended Authentication Username, Extended Authentication Password]

Starting the VPN Client Connection (Method 1: Automatic Start; Method 2: Manual Start)

Method 1, Automatic Start: in section Starting and stopping a VPN client connection on page 57 the configuration of the Automatic Start mechanism is explained. All parameters required for starting the connection are stored in the SpeedTouch configuration file and no further user interaction is required to start the VPN connection. With XAuth configured, the authentication par…
107. …format can be used, or an integer between 0 and 32 can be entered. Examples: 255.255.255.0 or 24.

XAuth pool: this parameter contains the symbolic name of the XAuth users pool. A specific command group is available to define an XAuth pool; see section XAuth Users Pool.

6.3.2 add command

Example: create a new VPN server. A new VPN server is created with the ipsec peer vpnserver add command. In the following example a new vpnserver entity is created, named serv1:

    =>ipsec
    [ipsec]=>peer
    [ipsec peer]=>vpnserver
    [ipsec peer vpnserver]=>add name=serv1
    :ipsec peer vpnserver add name=serv1
    [ipsec peer vpnserver]=>

The result of this operation can be verified with the list command:

    [ipsec peer vpnserver]=>list
    serv1
      Push IP        : disabled
      Address Range  : <unset>
      Netmask        : <unset>
      Primary DNS    : <unset>
      Secondary DNS  : <unset>
      Primary WINS   : <unset>
      Secondary WINS : <unset>
      Domain         : <unset>
      XAuth Pool     : <unset>
    [ipsec peer vpnserver]=>

For the newly created vpnserver entity in this example all parameters are unset. Setting of the parameters is described in the next section.

6.5.9 modify command

Example: set or modify the vpnserver parameters. The ipsec…
108. …g through the VPN tunnel. One of the SpeedTouch features for easy Internet access is the so-called Web Browsing Interception, also referred to as Differentiated Services Detection (DSD). This feature monitors your HTTP traffic and alerts you when you want to browse to a location that is not reachable because the connection to your Service Provider is not active: a SpeedTouch web page appears that allows you to log in to your Service Provider. When you configure an IPSec VPN connection this feature has to be disabled in order to pass HTTP traffic through the VPN tunnel.

To verify that Web Browsing Interception is disabled, proceed as follows:
1. Browse to Basic Mode > SpeedTouch > Configuration.
2. Click Configure.
3. Make sure that under System Configuration the Web Browsing Interception check box is not selected. If needed, clear the check box and click Apply to confirm the change.

Be aware that when Web Browsing Interception is disabled, the web address based filtering functionality is disabled as well. Keep this in mind if you use the web based filtering tool for parental control.

6.3 Extended Authentication (XAuth)

What is it: Extended Authentication, commonly referred to as the XAuth protocol, allows for performing extra user authentication. A typical practical example is the mixed use of IKE tunnel negotiation using a pre-shared key as authentication method and, on top of that, doing Extended Authentication.
109. The VPN client functionality built into the SpeedTouch supports the optional use of XAuth; it acts as an XAuth client. In order to use this functionality it needs to be connected to a remote IPSec gateway capable of handling the XAuth protocol. The VPN server functionality built into the SpeedTouch also supports the use of XAuth, as an XAuth server. It uses an internal list of authorized users.

How does it work: [Figure: SpeedTouch 620 connected over the black network to a remote IPSec gateway, which in turn consults a RADIUS server; steps 1 Phase 1 negotiation, 2 XAuth authentication, 3 RADIUS authentication, 4 Phase 2 negotiation]

After the Phase 1 negotiation has been successful (1), the remote IPSec gateway will request the XAuth username and password (2). Typically the remote IPSec device will now contact a RADIUS server (3) to check the credentials. If the XAuth authentication is successful, Phase 2 tunnel setup (4) will be initiated. The VPN server in the SpeedTouch uses an internal list of authorized users; it does not need a RADIUS server to check the credentials. In the CLI the XAuth settings are found in the VPNCLIENT and VPNSERVER command groups.

6.4 VPN Client

Introduction: the SpeedTouch can be configured as a VPN client. In this functio…
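The four-step sequence above (Phase 1, XAuth request, credential check against an internal user list, Phase 2) as an added example; this is not code from the SpeedTouch guide or firmware. It models a VPN server checking credentials against a pool of the two types the XAuth page offers: generic (username and password compared directly inside the IKE-protected channel) and chap, which is assumed here to follow RFC 1994 CHAP with MD5 (Response = MD5(Identifier || Secret || Challenge)). The class names, message framing, state names and the sample pool are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class XAuthPool:
    """A named list of authorized users, as defined on the VPN Server XAuth page."""

    def __init__(self, name: str, pool_type: str) -> None:
        if pool_type not in ("generic", "chap"):
            raise ValueError("pool type must be 'generic' or 'chap'")
        self.name = name
        self.type = pool_type
        self._users: Dict[str, str] = {}

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = password

    def secret_for(self, username: str) -> Optional[str]:
        return self._users.get(username)


def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    # RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


class XAuthServer:
    """VPN server side: verifies against its internal pool, no RADIUS involved."""

    def __init__(self, pool: XAuthPool) -> None:
        self.pool = pool

    def new_challenge(self) -> Tuple[int, bytes]:
        # Fresh identifier and random challenge per attempt, so a recorded
        # response is useless against any later challenge.
        return secrets.randbelow(256), secrets.token_bytes(16)

    def verify(self, username: str, proof: bytes,
               chap_id: Optional[int] = None, challenge: Optional[bytes] = None) -> bool:
        secret = self.pool.secret_for(username)
        # Unknown user: still run the comparison so timing does not reveal valid usernames.
        effective = secret if secret is not None else ""
        if self.pool.type == "generic":
            expected = effective.encode()
        else:
            expected = chap_response(chap_id or 0, effective, challenge or b"")
        return hmac.compare_digest(expected, proof) and secret is not None


class XAuthClient:
    """VPN client side (the SpeedTouch acting as XAuth client)."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.password = password

    def respond(self, pool_type: str, chap_id: Optional[int] = None,
                challenge: Optional[bytes] = None) -> bytes:
        if pool_type == "generic":
            return self.password.encode()      # carried inside the IKE-protected channel
        return chap_response(chap_id or 0, self.password, challenge or b"")


def establish_tunnel(server: XAuthServer, client: XAuthClient, phase1_ok: bool = True) -> str:
    """Phase 1 -> XAuth request/verify -> Phase 2. Returns the resulting state."""
    if not phase1_ok:
        return "phase1_failed"              # no IKE SA, XAuth is never requested
    if server.pool.type == "chap":
        cid, chal = server.new_challenge()
        ok = server.verify(client.username, client.respond("chap", cid, chal), cid, chal)
    else:
        ok = server.verify(client.username, client.respond("generic"))
    if not ok:
        return "xauth_failed"               # Phase 2 setup is not initiated
    return "phase2_established"


def replay_captured_response(server: XAuthServer, username: str, captured: bytes) -> bool:
    """An eavesdropper who recorded a CHAP response tries it against a new challenge."""
    cid, chal = server.new_challenge()
    return server.verify(username, captured, cid, chal)


if __name__ == "__main__":
    pool = XAuthPool("AuthPool", "chap")            # constructed sample pool
    pool.add_user("user1", "s3cret")
    srv = XAuthServer(pool)
    print(establish_tunnel(srv, XAuthClient("user1", "s3cret")))
    print(establish_tunnel(srv, XAuthClient("user1", "wrong")))
```

The practical difference between the two pool types is visible in replay_captured_response: a generic password can be replayed by anyone who can read it, whereas a CHAP response is bound to a one-time challenge, so the protection of the generic type rests entirely on the IKE Phase 1 SA that encrypts the exchange.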
110. …he remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. This is the basic parameter for the dynamic IPSec policy capabilities of the SpeedTouch: as an outcome of the Phase 2 negotiation a static IPSec policy is derived. The valid settings are:
> the keyword retrieve_from_server. This setting can be used in an IPSec client/server configuration. It is only relevant at the client side of the connection, where the SpeedTouch acts as initiator of the IPSec Security Association.
> the keyword black_ip. This setting is used only for remote management scenarios where the IPSec tunnel is used exclusively for information generated or terminated by the SpeedTouch.
> a symbolic name of a network descriptor. This is the most common selection in a LAN-to-LAN application. In this case the Local network field holds the symbolic name of the network descriptor that refers to the local private network having access to the IPSec connection.

Remote network: this parameter describes the remote network that may use the IPSec connection. It expresses a dynamic policy which, during the Phase 2 negotiation, results in a static policy. The valid settings are:
> the keyword retrieve_from_server. This setting can be used in an IPSec client/server configuration. It is only relevant at the client side of the connection, where the SpeedTouch a…
111. …his is explained in Authorized Users List on page 72.

Page layout for pre-shared key authentication: when you click Use Preshared Key Authentication the initial page is updated in the following way. [Page layout: Local Trusted Network open to Remote Clients (Type unset, IP), Specify Additional Networks; IKE Authentication: Preshared Secret, Confirm Secret, Local ID Type, Local ID, Remote ID Filter Type, Remote ID Filter; button Use Certificate Authentication]

IKE Authentication with Preshared Key: when you select Use Preshared Key Authentication, the following fields have to be completed:
> Preshared Secret: a string used as the secret password for the VPN connection. This secret needs to be configured identically at both peers (local and remote).
> Confirm Secret: the Preshared Secret value is not shown in clear text on the SpeedTouch Web page. To protect against typing errors you have to type the key twice to confirm your original entry.
> Local ID Type and Local ID: the Local ID identifies the VPN server during the Phase 1 negotiation with the remote VPN client. This identity must match the settings in the VPN client in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch are listed in the table below (wildcards not allowed): IP addres…
112. …hoose Start Mechanism (automatic or manual). [Page layout: "Currently set to manual", button Use Automatic Start / Always On; Optional Remote Network (if not set by VPN server): Remote Network Type (unset), Remote IP; items marked * are mandatory]

As a result the VPN Client Connect page is shown.
2. Fill out the login parameters and click Continue.

The SpeedTouch starts the negotiations to set up the secure VPN connection. The outcome of the dial-up procedure is shown on the screen. All active VPN connections are shown at the bottom of the VPN Client Connection Configuration page. When you encounter problems setting up the VPN connection you can use the Debug page to diagnose the problem; see 5.1 Via the Debug Web pages on page 162.

Client Identification: the layout of the VPN Client Connect page depends on the IKE Authentication method and Server Vendor you selected on the VPN Client Connection Configuration page. The Client Identification parameter is Server Vendor specific. Below an example is shown for a connection to a Cisco VPN server. [Page layout: Client Identification: Group ID; Optional Extended Authentication: Username, Password]

Using XAuth: when the Preshared Key method was selected as IKE Authentication method, some Server Vendor specific fields must be filled out. See…
113. [Debug Web page residue: per-tunnel counters …hreshold, ikeTunTotalRefreshes 0, ikeTunInOctets, ikeTunInPkt 24, ikeTunInDropPkt, ikeTunInNotify 0, ikeTunInP2Exchg 0, ikeTunInP2ExchgInvalid 0, ikeTunInP2ExchgRejects 0, ikeTunInP2SaDelRequests 0, ikeTunInOctet…; Logs]

5.2 Via the CLI Show command group

show command group:
> You can check whether the secure tunnels are up with ipsec show sadb.
> You can check whether traffic is passing through the tunnel and keep track of the number of packets and bytes. To do so, take a snapshot of the number of packets and bytes that hit an IPSec policy rule via the following CLI command:

    [ipsec]=>show
    [ipsec show]=>stats
    ikeGlobalActiveTunnels
    ikeGlobalPreviousTunnels
    ikeGlobalInOctets
    ikeGlobalInPackets
    ikeGlobalInDropPackets
    ikeGlobalInNotify
    ikeGlobalInP2Exchgs
    ikeGlobalInP2ExchgsInvalids
    ikeGlobalInP2ExchgsRejects
    ikeGlobalInP2SaDelRequests
    ikeGlobalOutOctets
    ikeGlobalOutPackets
    ikeGlobalOutDropPackets
    ikeGlobalOutNotify
    ikeGlobalOutP2Exchgs
    ikeGlobalOutP2ExchgsInvalids
    ikeGlobalOutP2ExchgsRejects
    ikeGlobalOutP2SaDelRequests
    ikeGlobalInitTunnels
    ikeGlobalInitTunnelsFails
    ikeGlobalRespTunnelsFails
    ikeGlobalAuthFails
    ikeGlobalDecryptFails
    ikeGlobalHashValidFails
    ikeGlobalNoSaFails
    ikeGlobalRespTunnels
    ikeGlobalInXauthFailures
    ikeGlobalOutXauthFailures
    ikeGlob…
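Taking a snapshot of the ipsec show stats counters is only useful if you compare it with a second one taken after the connection attempt. The following is an added example, not code from the SpeedTouch guide: it parses two snapshots, computes the counter deltas and turns the failure counters the page lists into troubleshooting hints. The counter names are the ones printed above; the "name value" one-per-line layout, the sample values and the mapping from counter to likely cause are this example's own assumptions.

```python
import re
from typing import Dict, List

# One counter per line, "name value"; this layout is assumed for the example.
COUNTER_RE = re.compile(r"^\s*(ike\w+)\s+(\d+)\s*$")


def parse_stats(text: str) -> Dict[str, int]:
    """Parse the counter listing of 'ipsec show stats' into a dict."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter increase between two snapshots (the counters only grow)."""
    return {name: after[name] - before.get(name, 0) for name in after}


# Hint per failure counter; this mapping is the example's own reading of the counter names.
HINTS = [
    ("ikeGlobalAuthFails", "Phase 1 authentication failed: pre-shared key or certificate and the Local/Remote ID must match on both peers"),
    ("ikeGlobalHashValidFails", "IKE hash check failed: proposal or pre-shared key mismatch"),
    ("ikeGlobalDecryptFails", "IKE decryption failed: stale IKE SA, clear the session (ipsec clear session) and renegotiate"),
    ("ikeGlobalNoSaFails", "traffic matched a policy but no Security Association was available"),
    ("ikeGlobalInXauthFailures", "XAuth credentials rejected: check the username/password against the XAuth pool"),
    ("ikeGlobalInP2ExchgsRejects", "Phase 2 proposal rejected: compare the Connection Security Descriptors (PFS, lifetimes, algorithms)"),
    ("ikeGlobalInDropPackets", "inbound IKE packets dropped"),
]


def diagnose(before_text: str, after_text: str) -> List[str]:
    """Findings from two snapshots taken before and after a connection attempt."""
    before, after = parse_stats(before_text), parse_stats(after_text)
    inc = delta(before, after)
    findings: List[str] = []
    if after.get("ikeGlobalActiveTunnels", 0) == 0:
        findings.append("no IKE tunnel active; confirm with 'ipsec show sadb'")
    if inc.get("ikeGlobalOutPackets", 0) > 0 and inc.get("ikeGlobalInPackets", 0) == 0:
        findings.append("IKE packets sent but none received: remote gateway unreachable or UDP 500/4500 blocked")
    for name, hint in HINTS:
        if inc.get(name, 0) > 0:
            findings.append(f"{name} +{inc[name]}: {hint}")
    return findings


# Constructed snapshots; the values are invented for the example.
SNAPSHOT_BEFORE = """\
ikeGlobalActiveTunnels 0
ikeGlobalPreviousTunnels 3
ikeGlobalInPackets 40
ikeGlobalOutPackets 41
ikeGlobalAuthFails 0
ikeGlobalDecryptFails 0
ikeGlobalNoSaFails 2
"""
SNAPSHOT_AFTER = """\
ikeGlobalActiveTunnels 0
ikeGlobalPreviousTunnels 3
ikeGlobalInPackets 46
ikeGlobalOutPackets 47
ikeGlobalAuthFails 2
ikeGlobalDecryptFails 0
ikeGlobalNoSaFails 2
"""

if __name__ == "__main__":
    for finding in diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print("-", finding)
```

Because the counters are cumulative, a non-zero ikeGlobalAuthFails by itself says nothing about the attempt you are debugging; only the increase between the two snapshots does, which is why the function works on deltas and reports the active-tunnel count from the second snapshot alone.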
114. …iguration Guide. THOMSON continuously develops new solutions but is also committed to improving its existing products. For suggestions regarding this document please contact documentation.speedtouch@thomson.net. For more information on THOMSON's latest technological innovations, documents and software releases, visit us at www.speedtouch.com.

About this IPSec Configuration Guide (E-DOC-CTC-20051017-0169 v1.0)

1 IPSec Concept for secure IP connections

Policies: the introduction of network security mainly involves the application of traffic policies. Firstly the policies need to be defined, then it should be verified whether the policies are correctly applied. Security policies can apply at various levels. The IPSec protocol (Internet Protocol Security) applies to the IP layer. This location of the IPSec protocol within the layered network model makes it a generic solution for a wide range of applications. Types of policies supported in the IPSec protocol:
> user/entity authentication
> level of encryption
> validity time of the keys

The Target of IPSec: the main goals for using the IPSec protocol suite are:
> Integrity of data: it ensures that data has not been modified in transit.
> Confidentiality of data: On no…
115. …ine Interface

Connection command group: the following table shows the commands of the ipsec connection command group (ipsec connection command group: dial …).

Debug command group: the following table shows the commands of the ipsec debug command group.

Peer command group: the following table shows the commands of the ipsec peer command group:
    ipsec peer
      auth: modify, delete, list
      descriptor: modify, delete, list
      option: modify, delete, list
      subpeer: modify, delete, list
      vpnclient: modify, delete, list
      vpnserver: modify, delete, list
      xauthpool: delete, modify, adduser, moduser, deluser, listpool
      (peer itself): modify, delete, list

Show command group: the following table shows the commands of the ipsec show command group.

5 Troubleshooting SpeedTouch IPSec

Introduction: IPSec is a complex protocol suite and therefore the SpeedTouch offers a number of troubleshooting methods. Both the Web pages and the CLI allow you to check whether a tunnel setup was successful or ha…
116. …ined with either MD5 or SHA1.
> SHA1 is stronger than MD5 but slightly slower.

Mode: Tunnel mode is used in all applications where the SpeedTouch is the IPSec Security Gateway for the connected hosts. Transport mode can be used only for information streams generated or terminated by the SpeedTouch itself; for example, remote management applications may use this setting.

PFS: enables or disables the use of Perfect Forward Secrecy. Many vendors have Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. In order to configure this on the SpeedTouch, the use of PFS must be enabled in the Connection Security Descriptor by selecting the PFS check box. PFS provides better security but increases the key calculation overhead. With PFS enabled, the independence of the Phase 2 keying material is guaranteed: each time the Phase 2 tunnel is rekeyed a Diffie-Hellman exchange is performed. Not enabling PFS means that the new Phase 2 key is derived from keying material present in the SpeedTouch as a result of the Diffie-Hellman exchange during the Phase 1 negotiation.

Lifetime in seconds: the lifetime of an IPSec Security Association is specified in seconds. Minimum value 240 (4 minutes), maximum value 31536000 (1 year).

Lifetime in kilobytes: the data volume limit of an IPSec Security Association before re-keying, expressed in kilobytes. Minimum value …, maximum value …
117. …ing a connection: a VPN connection is started automatically when data is sent or received that complies with the traffic policy. Alternatively you can manually start and stop a VPN connection by selecting it in the table. At the bottom of the page Start and Stop buttons appear, as shown below. [Page layout: connection table with Start and Stop buttons, New Connection to this Gateway, Statistics; items marked * are mandatory]

3.2 VPN Client

VPN context: for a VPN client/server scenario a dedicated set of user-friendly configuration pages is available. Separate pages exist for the client and server sides. In this section the VPN client configuration page is described. The VPN client in the SpeedTouch can replace a software VPN client installed on a computer. You can use it, for example, to connect from your home to your employer's corporate network for teleworking. The VPN Client page allows you to configure a VPN client that functions in Initiator mode. This means that the VPN client takes the initiative to set up a secure connection to a remote VPN server.

Advantages of the SpeedTouch VPN Client: using the VPN client in the SpeedTouch has several advantages over the use of VPN client software installed on the computer of the end user:
> The adminis…
118. …ing example a new options list is created, named copt1:

    =>ipsec
    [ipsec]=>connection
    [ipsec connection]=>options
    [ipsec connection options]=>add name=copt1
    :ipsec connection options add name=copt1
    [ipsec connection options]=>

The result of this operation can be verified with the list command, as shown above.

6.10.3 modify command

Example: set or modify the Connection Option list parameters. The ipsec connection options modify command allows you to modify the options list parameters. In the following example the options list parameters are modified (the CLI prompts for each parameter; the choices are shown in brackets):

    =>ipsec
    [ipsec]=>connection
    [ipsec connection]=>options
    [ipsec connection options]=>modify name=copt1
    virtual_if = anystring
    force_df = [pass|force_set|force_clear] pass
    min_mtu = 1200
    add_route = [enabled|routed|disabled] enabled
    :ipsec connection options modify name=copt1 virtual_if=anystring force_df=pass min_mtu=1200 add_route=enabled
    [ipsec connection options]=>

6.10.4 delete command

Example: delete an Options list. The ipsec connection options delete command deletes a previously created options list. In the following example the options list named copt1 is deleted:

    [ipsec connection options]=>d…
119. …ing other fields and buttons. More information about the various fields and buttons is found below.

Buttons: you can use one of the following buttons:
> Use Preshared Key Authentication: reveal additional parameter fields required for the configuration of Preshared Key Authentication.
> Use Certificate Authentication: reveal additional parameter fields required for the configuration of Certificate Authentication.
> Specify Additional Descriptors: reveal additional fields where you can specify alternative IKE Security Descriptors.
> Add a completely configured peer to the configuration.

Remote Gateway: the Remote Gateway parameters identify the peer Security Gateway in the IP network.
> Address or FQDN: fill out the publicly known network location of the remote Gateway. You can specify the public IP address if it is invariable and known. More often the publicly known FQDN, such as vpn.corporate.com, will be used.
> Backup Address or FQDN: this field can optionally be filled out in a configuration with a backup remote Security Gateway. If no backup gateway is available, leave this field empty.

Miscellaneous: comprises the following settings:
> Primary Untrusted Physical Interface: this field shows a list of you…
120. …ing the Phase 1 negotiation with the remote Security Gateway. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch are listed in the table below.
> Remote ID Type and Remote ID: the Remote ID identifies the remote Security Gateway during the Phase 1 negotiation. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch are listed in the table below.

Identity type (keyword): example
> IP address: 10.0.0.…
> Fully qualified domain name: sales.corporate.net
> User fully qualified domain name (userfqdn): john.doe@corporate.net

If you encounter problems during the IKE negotiations, use the Debug > Logging page to verify that the Identity Type and Identity of the two peer Security Gateways correspond with each other.

Page layout for certificate authentication: when you click Use Certificate Authentication the IKE Authentication area of the page is updated in the following way. [Page layout: IKE Authentication: Certificate DN (unset), Remote DN Filter; button Use Preshared Key Authentication]

IKE Authentication: when you select Use Certificate Authentication you have to fill out the Certificate parameters, i.e. the Distinguished Name of the local and remote Certificates. Main…
121. ional IPSec configuration by combining configuration components in a similar way as the underlying CLI commands.

VPN Menu
All IPSec related configuration pages are accessed via Expert Mode > VPN.
> LAN to LAN, VPN Client, VPN Server: access to user friendly configuration pages for these specific application scenarios.
> Certificates: access to the Certificate configuration pages.
> Advanced: access to the Advanced configuration pages, reflecting the commands and command groups of the CLI.
> Debug: debugging pages allowing you to diagnose VPN connection problems.
(Screenshot of the VPN menu: LAN to LAN, VPN Client, VPN Server, Certificates, Advanced.)

In this section
The following topics are discussed in this section:
3.1 LAN to LAN Application
3.2 VPN Client
3.3 VPN Server
3.4 Certificates
3.5 Advanced VPN Menu

3.1 LAN to LAN Application
Reference network
A simple LAN to LAN network configuration is shown here.
(Figure: SpeedTouch A at 10.0.0.254 in front of network 10.0.0.0/24, and SpeedTouch B in front of network 20.0.0.0/24, both connected to the Internet.)
The figure shows two LAN networks connected via a SpeedTouch to the public Internet. In each LAN segment the IP addresses of the terminals are typically managed by a DHCP server, which may be the built-i
122. ition of relevant Network Descriptors is linked with the topology of the VPN that is constructed with the IPSec configuration. The Network Descriptors determine the type of messages that will trigger the IPSec module.

3 Configuration via Local Pages
Prerequisites
In order to use the VPN features in the SpeedTouch 608 WL / 620, you should enable the VPN software module. To activate this VPN module you have to acquire the optional software activation key. To check whether the software activation key is present, browse to the SpeedTouch Web pages and go to Expert Mode > SpeedTouch > Add-On. This page shows which keys are enabled. For more information, see the SpeedTouch Operator's Guide.

IPSec Web Pages
All IPSec configurations can be built by means of the SpeedTouch local Web pages. Application oriented configuration pages give you direct access to all relevant parameters. Getting your IPSec configuration up and running is as easy as selecting your application and filling out a few Web pages. The application oriented pages cover the most common application scenarios. Additional Web pages are component oriented and allow you to control advanced settings such as certificate management and debugging options. The Advanced Web pages allow you to build an operat
123. marked with are mandatory.

IKE Authentication with Preshared Key
When you select Use Preshared Key Authentication, the following fields have to be completed:
> Preshared Secret: a string to be used as a secret password for the VPN connection. This secret needs to be configured identically at both peers (local and remote peer).
> Confirm Secret: the Preshared Secret value is not shown in clear text in the SpeedTouch Web page. In order to protect against typing errors, you have to type the key twice in order to confirm your original entry.
> Local ID Type and Local ID: the Local ID identifies the local SpeedTouch during the Phase 1 negotiation with the remote Security Gateway. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch are listed in the table below.
> Remote ID Type and Remote ID: the Remote ID identifies the remote Security Gateway during the Phase 1 negotiation. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch are listed in the table below.
IP ad
124. n> list
connect1
  Peer            <unset>
  Local network   <unset>
  Remote network  <unset>
  Always on       disabled
  Descriptors
  Options         <unset>
  State           disabled
ipsec connection>

For the newly created connection in this example, all parameters are unset. Setting of the parameters is described in the next section.

4.7.4 Set or Modify the Connection Parameters
modify command
The ipsec connection modify command sets or modifies the Connection parameters.
Example
In this example the parameters of the previously defined Connection named connect1 are set.

ipsec connection> modify
name = connect1
peer = peer1
localnetwork = net1          (choices offered: retrieve_from_server, black_ip, net1)
remotenetwork = net2
alwayson = disabled
descr = cnctdes1             (choices offered: AES_HMAC_SHA1_TUNNEL, AES_HMAC_MD5_TUNNEL, AES_HMAC_SHA1_PFS_TUNNEL, AES_HMAC_MD5_PFS_TUNNEL, AES_HMAC_SHA1_Adv_TUNNEL, 3DES_HMAC_SHA1_TUNNEL, 3DES_HMAC_MD5_TUNNEL, 3DES_HMAC_SHA1_PFS_TUNNEL, 3DES_HMAC_MD5_PFS_TUNNEL, DES_HMAC_SHA1_TUNNEL, DES_HMAC_MD5_TUNNEL, NullEnc_HMAC_SHA1_TUNNEL, cnctdes1)
options =
state = enabled
:ipsec connection modify name=connect1 peer=peer1 localnetwork=net1 remotenetwork=net2 descr=cnctdes1
ipsec connection>

Use the list command to verify the re
125. n it supports the IKE Mode Config protocol to receive configuration parameters from the remote VPN server. Optionally, you can enable the use of the Extended Authentication protocol as an additional level of security.

6.4.1 VPN Client parameters
Parameters table
The following table shows the VPN Client parameters:
> VPN client name (name), mandatory: symbolic name for the VPN server, used internally in the SpeedTouch.
> XAuth user name (xauthuser), optional: this parameter defines the XAuth user name of the VPN client. Entering a user name and password enables XAuth.
> XAuth password (xauthpass), optional: this parameter defines the XAuth password of the VPN client. Entering a user name and password enables XAuth.
> Type of VPN client (clienttype), mandatory: select the correct VPN server vendor to cope with vendor specific behaviour of VPN servers. See Set of Server Vendor specific parameters on page 58.
> Virtual IP map mode (virtualip_maptype), mandatory: select either dhcp or nat. See Virtual IP mapping on page 55.
> Local LAN IP range, mandatory: select which local terminals have access to the VPN connection. See Local LAN IP Range on page 58.

6.4.2 add command
Example
Chapt
126. n DHCP server of the SpeedTouch. Making use of the VPN capabilities of the SpeedTouch, it is possible to connect the two LAN segments via a secure VPN tunnel over the public Internet. At each peer the SpeedTouch serves as an IPSec Security Gateway. A dedicated set of user friendly configuration pages allows you to quickly and easily implement this scenario. Selections are made in accordance with the data known to the user and the VPN layout. The GUI pages are organized along two main alternative paths:
> Path 1: You know exactly to which Remote Gateway you want to establish a VPN connection. You know its location in the public Internet, either the IP address or the domain name. This generally is the case in a symmetrical LAN to LAN scenario.
> Path 2: Your SpeedTouch is located in a central facility where services are provided to remote locations that require a secure connection. For the moment you have no idea which Remote Gateway may want to establish a secure connection. In this case your SpeedTouch always has the role of responder in the VPN connection establishment negotiations. It cannot initiate the establishment of a VPN connection. This leads to an asymmetrical LAN to LAN scenario where one peer is always the responder while the remote peer(s) is (are) the initiator. You can think of a corporate headquarters that constructs a hub and spoke VPN network with its branch offices. It is convenient to configure the
127. n IKE SA, while each PH2 SA is uniquely identified by a SPI (Security Parameter Index) value. By convention throughout this document, the IKE SA is referred to as the Phase 1 SA and the ESP SAs are referred to as the Phase 2 SA:
> Phase 1 SA = IKE SA = secure Phase 1 tunnel
> A pair of Phase 2 SAs = a secure Phase 2 tunnel

Tunnel Mode
Using tunnel mode, the complete IP packet including its IP header is encapsulated and a new IP header is attached. This allows the original source and destination IP addresses to be hidden from the outside world.
(Figure: Red network node 1, Red LAN, SpeedTouch620 1, Black LAN, SpeedTouch620 2, Red LAN, Red network node 2.)

Transport Mode
In transport mode the IP header is transported unmodified. The use of transport mode is limited to connections where the security gateway is acting as a host, e.g. for network management applications. When the SpeedTouch is managed from a remote location via a VPN connection, transport mode can be used, because in this case the SpeedTouch is the end user of this information stream.

2 SpeedTouch IPSec terminology
Introduction
In order to understand the IPSec
128. n order to have a successful outcome of the Phase 2 negotiation.

4.9.9 Delete a Connection Security Descriptor
delete command
The ipsec connection descriptor delete command deletes a Connection Descriptor.
Example
In this example the user defined Connection Security Descriptor named cnctdes1 is deleted.

ipsec connection descriptor> delete
name = cnctdes1
:ipsec connection descriptor delete name=cnctdes1
ipsec connection descriptor>

The result of this operation is verified with the list command.

ipsec connection descriptor> list
AES_SHA1_TUN        AES_128 HMAC_SHA1      Lifetime 86400s  Tunnel Mode
AES_MD5_TUN         AES_128 HMAC_MD5       Lifetime 86400s  Tunnel Mode
AES_SHA1_PFS_TUN    AES_128 HMAC_SHA1 PFS  Lifetime 86400s  Tunnel Mode
AES_MD5_PFS_TUN     AES_128 HMAC_MD5 PFS   Lifetime 86400s  Tunnel Mode
3DES_SHA1_TUN       3DES HMAC_SHA1         Lifetime 86400s  Tunnel Mode
3DES_MD5_TUN        3DES HMAC_MD5          Lifetime 86400s  Tunnel Mode
3DES_SHA1_PFS_TUN   3DES HMAC_SHA1 PFS     Lifetime 86400s  Tunnel Mode
3DES_MD5_PFS_TUN    3DES HMAC_MD5 PFS      Lifetime 86400s  Tunnel Mode
DES_SHA1_TUN        DES HMAC_SHA1          Lifetime 86400s  Tunnel Mode
DES_MD5_TUN         DES HMAC_MD5           Lifetime 86400s  Tunnel Mode
AES_SHA1_Adv_TUN    AES_256 HMAC_SHA1 PFS  Lifetime 86400s  Tunnel Mode
3DES_SHA1_Adv_TUN   3DES HMAC_SHA1 PFS     Lifetime
129. n the IKE negotiations, the interface is part of the matching process for accepting the connection. Selecting any has the effect of removing this matching criterion. If you select a specific interface as Primary Untrusted Physical Interface, then a new incoming VPN connection on a backup interface is not accepted. Secondly, if your SpeedTouch is equipped with a backup physical interface, for example an ISDN backup interface, then this field determines the preferred interface for your VPN connection. This interface is used whenever it is available. When this interface fails, the active VPN connections are re-routed via the backup interface. When the primary interface becomes available again, the VPN connections are re-routed to the primary interface. On the other hand, when you select any as the Primary Untrusted Physical Interface and this interface fails, the active VPN connections are also re-routed to the backup interface. But when the DSL connection becomes available again, the VPN connections are not re-routed as long as the backup connection is available.
> Inactivity Timeout: when no traffic is detected at the peer for a certain period, it is decided that the tunnel is not used any more and the IKE session is terminated. All IPSec connections supported by the IKE session are terminated as well. This option sets the value of the inactivity timer. Default value: 3600 seconds.
130. n trusted network sections, the data is encrypted. When this data is intercepted, it cannot be interpreted by the eavesdropper.
> User authentication: ensures that you know the party you are communicating with and that they are who they say they are.

In this section
The following items are discussed in this section:
1.1 IPSec Concepts

1.1 IPSec Concepts
Red and Black Network
The following nomenclature will be used throughout this document:
> The SpeedTouch: the IPSec capable DSL router.
> The Red network: the private or trusted side of the SpeedTouch.
> The Black network: the public or non-trusted side of the SpeedTouch. The black network is frequently referred to as the WAN side, being the connection towards the Internet.
(Figure: Red network node, Red LAN (trusted network side), SpeedTouch 620 1, Black network (non-trusted network side), SpeedTouch 620 2, Red LAN (trusted network side), Red network node.)

Authentication Header
The Authentication Header (AH) protocol allows checking the integrity of a data packet. A digital signature (hash) is computed over the entire packet, with the exception of the mutable fields (fields that change during the transmission of the packet, e.g. the TTL counter). As the use of the Authentication Header is deprecated, the SpeedTouch from Release onwards only supports the ESP protocol. Authentication without encryption
131. ns are also re-routed to the backup interface. But when the DSL connection becomes available again, the VPN connections are not re-routed as long as the backup connection is available.
Note: the IPSec peer can also be tied to the LAN interface (eth0). This could be useful to set up a secure connection with a local host within the local LAN, for testing purposes, or when a redundant gateway to the public Internet other than the SpeedTouch is present in the LAN.

Peer descriptor (descr)
This parameter refers to the symbolic name of the Peer Security Descriptor to be used for the IKE negotiation. Pre-defined as well as user-defined peer descriptors can be referred to.

Authentication Attribute (auth)
This parameter refers to the symbolic name of the applicable Authentication Attribute. Either a pre-shared key or certificates can be used for authentication. For pre-shared key authentication, the pre-shared key value is part of this parameter. In this document only pre-shared key authentication is considered.

Client/server
This optional parameter refers to a dialup VPN client/server descriptor. Client/server connections are handled in chapter 6 as an advanced configuration.

Options
This parameter refers to the symbolic name of an option list. This option list contains a number of options that modify the VPN behaviour. The options are handled in chapter 6, discussing the advanced features. For a basic IPSec configuration no option list is selected.
132. nst
(Screenshot of the Peer Profiles form: Local ID, Remote ID Type, Remote ID, Primary Untrusted Physical Interface, Exchange Mode (main), Authentication (unset), Descriptor 1 to Descriptor 4 (unset), Client/Server (unset), Options (unset), Add button.)
A number of parameters make use of symbolic descriptors that are defined and managed on other sub-pages. On the Profiles page these descriptors are selected by their symbolic name from a list. Therefore you need to prepare the descriptors in the other Peers sub-pages before a complete Peer Profile can be composed in the Peer Profiles page.

Peer name
Give the peer a symbolic name. This name only has local significance inside the SpeedTouch. This parameter is not used in the IKE negotiations with the remote Security Gateway.

Remote address
This address localizes the remote Security Gateway in the IP network. Either the public IP address or the Fully Qualified Domain Name can be used as an identifier.

Backup remote address
When a redundant remote Security Gateway is available, its public IP address or domain name can be specified here. In a basic IPSec configuration you leave this field open.

Local ID
The Local ID identifies the local SpeedTouch during the Phase 1 negotiation with the remote Security Gateway. This identity must match the settings in the remot
133. ocal Identifier   addr 100.100.0.1
  Remote Identifier  addr 200.200.0.1
  Descriptors        peerdes1
  Authentication     secret1
  Client Server      <unset>
  Options            <unset>
ipsec peer>

4.4.10 Delete a Peer entity
delete command
The ipsec peer delete command deletes a peer entity.
Example
In this example the peer named peer1 is deleted.

ipsec peer> delete
name = peer1
:ipsec peer delete name=peer1
ipsec peer>

The result of this operation is verified with the list command.

ipsec peer> list
ipsec peer>

Note: if a peer is currently referred to by a Phase 2 connection, it cannot be deleted. In order to delete the peer, it needs to be detached from the connection first.

4.9 Connection Security Descriptor
What is it
All security parameters required to establish an IPSec tunnel are grouped into a string called Connection Security Descriptor. This descriptor contains the following parameters:
> Encryption method
> Message integrity method (also called message authentication)
> Selection to use Perfect Forward Secrecy or not
> Lifetime of the Security Association
> Encapsulation method
The
134. onfiguration procedure. The SpeedTouch uses specific IPSec terms and definitions. The following table relates these terms to the question to be solved when setting up an IPSec connection to a remote network.

What do we want to do? / How do we configure it in the SpeedTouch?
> Define the remote Security Gateway to which we want to set up an IKE session: define a Peer.
> Set how we will authenticate with this remote Security Gateway: define an Authentication Attribute.
> Set what security will be applied to the IKE session: define a Peer Security Descriptor.
> Define the characteristics of the IPSec connection: define a Connection.
> Define which remote private network we want to access: define a Network Descriptor.
> Set what security will be applied to the IPSec connection: define a Connection Security Descriptor.

Setting up a basic IPSec configuration with the SpeedTouch involves the creation of a Peer entity and an IPSec Connection. A Peer bundles all the parameters related to the IKE Security Association, also called Phase 1 SA. Some Phase 1 parameters are grouped in peer attributes which are referred to by their symbolic name. Two peer attributes are defined:
> the Authentication Attribute refers to the user authentication parameters required to set up the IKE Security Association;
> the Peer Security Descriptor groups the security parameters of the IKE Security Association.
It is required to create some valid pe
135. ormation about the various fields and buttons is found below.
You can use one of the following buttons:
> Use Preshared Key Authentication: reveals additional parameter fields required for the configuration of Preshared Key Authentication.
> Use Certificate Authentication: reveals additional parameter fields required for the configuration of Certificate Authentication.
> Use Automatic Start (Always On): selects the Automatic Start mechanism. The VPN connection is started without any human intervention whenever the SpeedTouch is active.
> Use Manual Dialup: selects the Manual Start mechanism. You start and stop the VPN connection via the SpeedTouch Web pages.
> Add: adds a completely configured peer to the configuration.

Server IP Address or FQDN
Fill out the publicly known network location of the remote Gateway. You can specify the public IP address if it is invariable and known. More often the publicly known FQDN, such as vpn.corporate.com, will be used. When you specify an IP address, the SpeedTouch expects the VPN server to use an IP address as identifier during the IKE negotiations. When an FQDN is specified, the SpeedTouch expects the VPN server to use an FQDN as well. If you encounter problems during the IKE negotiations, a possible cause may be that different identity types are use
136. oting SpeedTouch IPSec

6 Advanced Features
In this section
The following topics are described in this section:
6.1 IPSec and the Stateful Inspection Firewall
6.3 Extended Authentication (XAuth)
6.4 VPN Client
6.5 VPN Server
6.6 XAuth Users Pool
6.7 The Default Peer Concept
6.8 One Peer, Multiple Connections
6.9 Peer Options
6.10 Connection Options
6.11 Advanced Connection

6.1 What about IPSec and the Stateful Inspection Firewall
The SpeedTouch has a built-in firewall which is completely configurable by the user. A number of preset firewall levels are defined that allow an easy configuration according to your security policy. In most cases one of these preset levels will fulfil your requirements. All these preset firewall levels allow the IPSec communication to pass, so you do not need to adjust the firewall settings when you use a VPN connection. More information about the firewall is found in the SpeedTouch Stateful Inspection Firewall Configuration Guide.

6.2 Web Browsing Interception and surfing through a tunnel
Surfin
137. page is your starting page for the configuration of your LAN to LAN scenario. As an example, this context may be encountered at the head office of a company that is constructing a VPN with its remote offices. New remote locations may join the VPN without the need of any reconfiguration actions at the head office. When you click Remote Gateway Address Unknown, the following page is displayed:
(Screenshot of the Remote Gateway Address Unknown page: Aggressive Mode / Main Mode selection; a table with the columns Local ID, Remote ID, Local Network and Remote Network (empty table, "Use the fields below to add a new entry"); IKE Authentication with the buttons Use Preshared Key Authentication and Use Certificate Authentication; Miscellaneous with Primary Untrusted Physical Interface (any) and Inactivity Timeout (3600 seconds); IKE Security Descriptors with Descriptor (unset) and Specify Additional Descriptors.)
Items marked with are mandatory. At the top of the page you find a main selection between Aggressive Mode and Main Mode. Furthermore, the page contains a number of buttons and fields to complete. By clicking a button, the page layout changes, revealing other fields and buttons. More information about the various fields and buttons is found below.

Aggressive Mode versus Main Mode
IKE specifies two modes of operation for the Phase 1 negotiations: main mode and aggressive mode. Main mode is more secure, while aggressi
138. peer vpnserver modify command sets or modifies the vpnserver entity parameters. In this example the parameters of the previously defined vpnserver entity named serv1 are set.

ipsec peer vpnserver> modify
name = serv1
push_ip = disabled          (choices offered: disabled, enabled)
iprange = 10.60.11.0/24
netmask = 255.255.255.0
primdns = 10.60.11.200
secdns = 10.60.11.201
primwins = 10.60.11.100
secwins = 10.60.11.101
domain = clients
xauthpool =
:ipsec peer vpnserver modify name=serv1 push_ip=disabled iprange=10.60.11.0/24 netmask=24 primdns=10.60.11.200 secdns=10.60.11.201 primwins=10.60.11.100 secwins=10.60.11.101 domain=clients
ipsec peer vpnserver>

Use the list command to verify the results of the operation.

ipsec peer vpnserver> list
serv1
  Push IP          disabled
  Address Range    10.60.11.0/24
  Netmask          255.255.255.0
  Primary DNS      10.60.11.200
  Secondary DNS    10.60.11.201
  Primary WINS     10.60.11.100
  Secondary WINS   10.60.11.101
  Domain           clients
  XAuth Pool       <unset>
ipsec peer vpnserver>

6.5.4 Attach the vpnserver entity to the peer entity
modify the peer parameters
Example
The ipsec peer modify name=peer1 client/server=serv1 command attaches the previously defined vpnserver entity to the corresponding peer. In this example vpnclient1 is attached to peer1.

ipsec peer> modif
139. period, re-keying occurs.
A Peer Security Descriptor is a text string comprising the parameters described in the table above. An example is shown here:
(Figure: the example descriptor 3DES_MD5_MODP1024 Lifetime 3600s, annotated with its Cryptographic function (3DES), Hash function (MD5), Diffie-Hellman group (MODP1024) and IPsec SA lifetime (3600s).)
This name is used internally to identify the Peer Security Descriptor.

Cryptographic function
The table below shows the encryption algorithms supported by the SpeedTouch (crypto), along with their corresponding key size.
Algorithm / Valid key sizes / Popular sizes / Default size
> DES is relatively slow and is the weakest of the algorithms, but it is the industry standard.
> 3DES is a stronger version of DES but is the slowest of the supported algorithms for a comparable key length.
> AES is the new encryption standard selected by the American government to replace DES/3DES. It is recommended to use AES, since it is the most advanced of the supported encryption methods.

Key length (keylen)
The SpeedTouch supports 3 different key lengths for the AES encryption algorithm. The keylen parameter assigns the key length for this algorithm. Three values are valid, as specified in the table above. The DES and 3DES algorithms have a fixed key length. For these algorithms the keylen parameter is not shown in the CLI.

Authentication (Hashing)
The Spee
140. pnserver xauthpool modify name=pool1 type=chap
ipsec peer vpnserver xauthpool>

Use the list or listpool command to verify the results of the operation.

ipsec peer vpnserver xauthpool> list
Pool pool1 type chap
ipsec peer vpnserver xauthpool> listpool
name = pool1
:ipsec peer vpnserver xauthpool listpool name=pool1
Pool pool1 type chap
ipsec peer vpnserver xauthpool>

6.6.4 Attach the xauthpool entity to the vpnserver entity
modify the vpnserver parameters
Example
The ipsec peer vpnserver modify name=serv1 xauthpool=pool1 command attaches the previously defined pool to the vpnserver named serv1. In this example pool1 is attached to vpnserver1.

ipsec peer vpnserver> modify
name = serv1
push_ip = disabled
iprange = 10.60.11.0/24
netmask = 24
primdns = 10.60.11.200
secdns = 10.60.11.201
primwins = 10.60.11.100
secwins = 10.60.11.101
domain = clients
xauthpool = pool1
:ipsec peer vpnserver modify name=serv1 xauthpool=pool1
ipsec peer vpnserver>

The result is shown when listing the vpnserver entities.

ipsec peer vpnserver> list
serv1
  Push IP          disabled
  Address Range    10.60.11.0/24
  Netmask          255.255.255.0
  Primary DNS      10.60.11.200
  Secondary DNS    10.60.11.201
  Primary WINS
141. pported.

3.5.6 VPN Server page layout
VPN Server Page
The VPN Server page allows you to define VPN Server Descriptors.
(Screenshot of the Advanced VPN > Peers > VPN Server page: tabs Peers and Connections; sub-tabs Profiles, Authentication, Descriptors, Options, VPN Client, VPN Server, XAuth; a table with the columns Server Descriptor, Virtual IP Range and XAuth Pool (empty table, "Use the fields below to add a new entry"); fields Server descriptor name, Virtual IP range, Netmask, Push IP, Domain, Primary DNS, Secondary DNS, Primary WINS, Secondary WINS, XAuth Pool (unset); Add button.)
The configuration of a VPN server scenario is described in detail in section 3.3 VPN Server on page 63 and following. The application oriented VPN Server Web page is the recommended way to configure a VPN server.

Server descriptor name
This name is used internally to identify the VPN Server Descriptor. This name appears in the Client/Server list on the Peer Profiles page.

Virtual IP Range
Specifies the range of IP addresses from which the VPN client addresses are selected. An address range or a subnet can be entered for this parameter.

Netmask
Specifies the netmask provided to the VPN client. Use the dotted decimal format, for example 255.255.255.0.

Push IP
Select this check box when you want the VPN server to take the initiative for assigning
142. primary untrusted interface is your DSL connection to the public Internet. On the DSL line various logical connections can be defined, eventually using different protocol stacks (IPoA, PPPoE, PPPoA). The peer entity has to be tied to the correct IP connection. In the SpeedTouch the routing engine determines which interface is used for the VPN connection (your DSL connection to the Internet in most cases). So what is the relevance of selecting a physical interface? First of all, for incoming VPN connections where your SpeedTouch is the responder in the IKE negotiations, the interface is part of the matching process for accepting the connection. Selecting the default value any has the effect of removing this matching criterion. If you select a specific interface as Primary Untrusted Physical Interface, then a new incoming VPN connection on a backup interface is not accepted. Secondly, if your SpeedTouch is equipped with a backup physical interface, for example an ISDN backup interface, then this field determines the preferred interface for your VPN connection. This interface is used whenever it is available. When this interface fails, the active VPN connections are re-routed via the backup interface. When the primary interface becomes available again, the VPN connections are re-routed to the primary interface. On the other hand, when you select any as the Primary Untrusted Physical Interface and this interface fails, the active VPN connectio
143. psec> peer
ipsec peer> options
ipsec peer options> add
name = opt1
:ipsec peer options add name=opt1
ipsec peer options>

The result of this operation can be verified with the list command, as shown above.

6.9.3 Set or modify the Peer Option list parameters
modify command
The ipsec peer options modify command allows you to modify the options list parameters.
Example
In the following example the options list parameters are modified.

ipsec peer options> modify
name = opt1
localaddr = 10.0.0.138
nat_t = disabled             (choices offered: enabled, disabled)
dpd = enabled                (choices offered: disabled, enabled)
dpd_idle_period = 150
dpd_xmits = 3
dpd_timeout = 120
inactivity = 3600
:ipsec peer options modify name=opt1 localaddr=10.0.0.138 nat_t=disabled dpd=enabled dpd_idle_period=150
ipsec peer options>

6.9.4 Delete a Peer Options list
delete command
The ipsec peer options delete command deletes a previously created options list.
Example
In the following example the options list named opt2 is deleted.

ipsec peer options> delete
name = opt1
:ipsec peer options delete name=opt1
ipsec peer options>

The result of this operation can be verified with the list command.
ipsec peer options>
144. r SpeedTouch interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general the primary untrusted interface is your DSL connection to the public Internet. In the SpeedTouch the routing engine determines which interface is used for the VPN connection (your DSL connection to the Internet in most cases). So what is the relevance of selecting a physical interface? First of all, for incoming VPN connections where your SpeedTouch is the responder in the IKE negotiations, the interface is part of the matching process for accepting the connection. Selecting any has the effect of removing this matching criterion. If you select a specific interface as Primary Untrusted Physical Interface, then a new incoming VPN connection on a backup interface is not accepted. Secondly, if your SpeedTouch is equipped with a backup physical interface, for example an ISDN backup interface, then this field determines the preferred interface for your VPN connection. This interface is used whenever it is available. When this interface fails, the active VPN connections are re-routed via the backup interface. When the primary interface becomes available again, the VPN connections are re-routed to the primary interface. On the other hand, when you select any as the Primary Untrusted Physical Interface and this interface fails, the active VPN connections are also re-routed to the b
145. ...r vpnclient> modify name client1 xauthuser user1 xauthpass DEV_4FDCAAB92D454D3A clienttype generic virtualip_maptype none lan_range 10.60.11.0/24
     ipsec peer vpnclient>

Use the list command to verify the results of the operation:

     ipsec peer vpnclient> list
     client1   Xauth User: user1   Client Type: generic   Virtual IP Map Mode: none   Local LAN IP Range: 10.60.11.0/24
     ipsec peer vpnclient>

6.4.4 Modify the peer parameters (modify command)

Attach the vpnclient entity to the peer entity. The command ipsec peer modify name peer1 client_server client1 attaches the previously defined vpnclient entity to the corresponding peer. In this example client1 is attached to peer1. When the command is typed interactively, the CLI shows the current value of every other peer parameter (remoteaddr, backupaddr, remoteid, exchmode, phyif, localid, descr, auth, options); these values are left unchanged.

     ipsec peer> modify name peer1 client_server client1
     ipsec peer modify name peer1 client_server client1
     ipsec peer>

The result is shown when listing the peer entities: the list output for peer1 contains the fields Remote Address, Backup Remote Address, Physical IF, Exchange Mode, Local Identifier, Remote Identifier, Descriptors, Authentication, Client Server and Options, with client1 now shown as Client Server.

     ipsec peer> list
146. ...rate.net, sales.corporate.net

Remote Identifier (remoteid)

This parameter identifies the remote Security Gateway during the Phase 1 negotiation. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch are listed in the following table:

     Identity type                       Keyword    Example
     IP address                          addr       10.0.0.1 (0.0.0.0: any IP address is accepted)
     Fully qualified domain name         fqdn       (a DNS name)
     User fully qualified domain name    userfqdn   john.doe@corporate.net, *@corporate.net

In order to make the configuration of a VPN server independent of the number of VPN clients, wildcards can be used in the userfqdn, as shown in the table above. For example, *@corporate.net matches any e-mail address in the domain corporate.net. The use of wildcards allows simultaneous connections with multiple VPN clients derived from a single peer profile. Note that a wildcard identity accepts every client that claims an identity in that domain; the strength of the authentication then rests entirely on the pre-shared key or certificate check, not on the identity itself.

Physical Interface (phyif)

You can tie the peer to one of your SpeedTouch interfaces. This interface is then used as the primary carrier for your VPN connection. In general the...

(The parameters Peer descriptor (descr), Authentication Attribute (auth), client_server and options are described next.)
147. ...ration via the Command Line Interface

4.6.4 Delete a Network Descriptor (delete command)

The ipsec connection network delete command deletes a Network Descriptor. In this example the Network Descriptor named net1 is deleted:

     ipsec connection network> delete name net1
     ipsec connection network delete name net1
     ipsec connection network>

The result of this operation is verified with the list command:

     ipsec connection network> list
     ipsec connection network>

4.7 Connection

What is: A Connection bundles all the parameters required for the Phase 2 SA negotiation:
> Peer: a reference pointing to the peer configuration to be used. In fact this refers to the IKE channel used for the Phase 2 negotiations.
> Local and remote range: the range of private IP addresses to which the IPSec policy applies, either a reference to Network Descriptors or expressed by a dynamic policy.
> Connection Security Descriptor: a reference to the Phase 2 Security Descriptor grouping the security parameters.

How is it used: The Connection parameters are explained in section 4.7.1. A Connection can be successfully configured from the moment a Connection Security Descriptor is present in the SpeedTouch. The local and remote private networks can be described either by a valid Network Descriptor or...
148. ...remote Security Gateway. In the example above it is assumed that all the hosts in the private sub-networks communicate via the secure connection. The local and remote networks cover the complete LAN segments 10.0.0.0/24 and 20.0.0.0/24 respectively.

Protocol

In this field you can optionally restrict the IPSec connection to a single protocol. Valid entries are listed in the protocol table of the page. Select "any" if you do not want to restrict the connection to a specific protocol. If you want to restrict the protocols on your secure VPN link and you need multiple protocols, define a new connection for every individual protocol. Separate IPSec tunnels are then established for each protocol.

Port

If the tcp or udp protocol is selected for the protocol parameter, access to the IPSec connection can be further restricted to a single port. Many well-known port numbers can be selected from the pull-down menu. Separate fields are foreseen for the local and the remote port. Typically identical values are selected for both fields. In almost all cases the value "any" is the most appropriate choice. If you want to restrict the ports on your secure VPN link and you need multiple ports, define a new connection for every indi...
149. ...requirements. Only in these cases should the Advanced VPN menu be used.

Configuring an operational IPSec connection basically consists of the definition of a Peer Profile and a Connection Profile. The Peer represents the remote Security Gateway and all the parameters required to set up an IKE Security Association to this Security Gateway. A Connection represents the IPSec connection and all its associated parameters. All parameters of an IPSec configuration can be adjusted, so the functionality of these Web pages corresponds to the Command Line Interface (CLI). Choices have to be made in accordance with the data known to the user and the VPN layout.

The Advanced VPN menu should be used by skilled persons only, as these pages allow you to manually adjust configuration components that are in general automatically generated by the SpeedTouch. Therefore take care when altering settings in the Advanced VPN menu.

Peer Profiles page

When you click VPN > Advanced > Peers, the Peer Profiles page is displayed.

[Peer Profiles page: tabs Peers / Connections; sub-tabs Profiles, Authentication, Descriptors, Options, xAuth. The table has the columns Peer, Remote Address, Local Id, Remote Id and Client Server and is initially empty ("Use the fields below to add a new entry"). Entry fields: Peer name, Remote address, Backup remote ad...]
150. ...rhead. With PFS enabled, the independence of the Phase 2 keying material is guaranteed: each time the Phase 2 tunnel is rekeyed, a Diffie-Hellman exchange is performed. Not enabling PFS means that the new Phase 2 key is derived from keying material present in the SpeedTouch as a result of the Diffie-Hellman exchange during the Phase 1 negotiation, so a compromise of that Phase 1 material exposes every Phase 2 key derived from it.

Lifetime in seconds (lifetime_secs)

The lifetime of a Security Association, specified in seconds:

     Minimum value    240 (4 minutes)
     Maximum value    31536000 (1 year)

Lifetime in kilobytes (lifetime_kbytes)

The data volume limit of a Security Association before re-keying, expressed in kilobytes.

Encapsulation mode (encapsulation)

The following table describes the encapsulation modes and their keywords:

     Tunnel mode (keyword tunnel)    Used in all applications where the SpeedTouch is the IPSec Security Gateway for the connected hosts.
     Transport mode                  Can be used only for information streams generated or terminated by the SpeedTouch itself; for example remote management applications may use this setting.

4.5.2 List all Connection Security Descriptors (list command)

The ipsec connection descriptor list command shows the list of all defined Connection Security Descriptors. The example below shows the pre-defined Connection Security Descriptors of the SpeedTouch:

     => ipsec
     ipsec> connec...
151. ...ribes which IP addresses, address ranges or subnets can be reached in a remote private network through an IPSec Security Association. During the Phase 2 negotiations the proposals of the remote peer (the initiator) are compared with the contents of the remotematch parameter. As a result a remote traffic selector is derived in compliance with the local and remote traffic policies.

The valid values for the remotematch parameter are limited to specific keywords, optionally followed by a network name:

     Keyword         Followed by
     exactly_        a network name: the symbolic name of a network descriptor
     one_of_         defined in the ipsec connection network command group
     subnet_of_
     subrange_of_
     black_ip        nothing

The meaning of the keywords is the following:

> exactly_<network name>: The proposal issued by the remote initiator must exactly match the network described by the symbolic network name. This network descriptor can designate an individual IP address, an IP address range or an IP subnet in the remote private network. If the proposal of the remote initiator does not exactly match the designated network, the local responder does not establish a Security Association.

> one_of_<network name>: The proposal issued by the remote initiator must contain an IP address that lies within the range described by the symbolic network name in order to successfully set up the Security Association.

> subnet_of_<network name>: The proposal of the remote initiator mus...
152. ...rity Descriptor.

Options (options): Optional. Refers to an options list containing a number of options that influence the VPN behaviour.

State: Enables or disables the connection.

For a basic IPSec configuration only a subset of the connection parameters needs to be set to a specified value. Some parameters may remain unset.

Connection name (name)

This symbolic name only has local significance inside the SpeedTouch router. This parameter is not used in the Phase 2 negotiations with the remote Security Gateway.

Peer (peer)

Holds the symbolic name of the peer to which the connection applies.

Local network (localnetwork) and Remote network (remotenetwork)

The local network parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. This is the basic parameter for the dynamic IPSec policy capabilities of the SpeedTouch. As an outcome of the Phase 2 negotiations a static IPSec policy is derived. This results in a cloned connection where the parameters localmatch, remotematch, localselector and remoteselector are automatically filled in by the SpeedTouch. The valid settings are:

> the keyword retrieve_from_server: This setting can be used in an IPSec client/server configuration. It is only relevant at...
153. ...rk Descriptors by their symbolic name.

The following topics are discussed in this section:
4.6.1 Network Descriptor Parameters
4.6.2 Create a New Network Descriptor
4.6.3 Set the Network Descriptor Parameters
4.6.4 Delete a Network Descriptor

4.6.1 Network Descriptor Parameters

The following table summarizes the parameters comprised in the Network Descriptor:

     Parameter                       Keyword    Mandatory?   Description
     Network name                    name       Mandatory    Symbolic name to identify the network.
     Type of network                 type       Mandatory    A network can be a single IP address, an IP subnet or an IP address range.
     IP address                      ip         Mandatory    The IP address of the network.
     Protocol                        proto      Optional     The communication protocol allowed on the secure network.
     Port                            port       Optional     For UDP and TCP, the port number that is allowed to use the secure network.

Network name (name): This name is used internally to identify the Network Descriptor.

Type of network and IP address (type and ip): The type and ip parameters locate the network in the IP address space. For ip, enter a value corresponding to the network type. A contiguous IP address range is written with its first and last address, for example 10.0.0.5 - 10.0.0.56.

Protocol (proto) and Port (port): ...
154. ...s
     ipsec peer>

For the newly created peer in this example all parameters are unset:

     ipsec peer> list
     peer1   <unset> <unset> <unset> <unset> <unset> <unset> <unset> <unset> <unset>

Setting of the parameters is described in the next section.

4.4.4 Set or modify the peer parameters (modify command)

The ipsec peer modify command sets or modifies the peer parameters. In this example the parameters of the previously defined peer named peer1 are set. While the command is typed, the CLI lists the permitted values of each parameter (for phyif the available interfaces such as DIALUP_PPPOE and loop; for descr the Peer Security Descriptors AES_SHA1, AES_MD5, 3DES_SHA1, 3DES_MD5, DES_SHA1, DES_MD5, AES_SHA1_Adv and the user-defined peerdes1):

     ipsec peer> modify name peer1 remoteaddr 200.200.0.1 backupaddr <unset> exchmode main localid addr 100.100.0.1 remoteid addr 200.200.0.1 phyif DIALUP_PPPOE descr peerdes1 auth secret1 client_server <unset> options <unset>
     ipsec peer modify name peer1 remoteaddr 200.200.0.1 exchmode main localid addr 100.100.0.1 remoteid addr 200.200.0.1 phyif DIALUP_PPPOE descr peerdes1 auth secret1
     ipsec peer>

Use the list command to verify the results of the operation:

     ipsec peer> list
     peer1   Remote Address: 200.200.0.1   Backup Remote Address: <unset>   Physical IF: DIALUP_PPPOE   Exchange Mode: main   L...
155. ...s 10.0.0.1 name. For more information about matching the settings of the built-in VPN client of the SpeedTouch, see "Server IP Address or FQDN" on page 53.

> Remote ID Filter Type and Remote ID Filter

The Remote ID Filter identifies the VPN client during the Phase 1 negotiation. This identity is used as a filter for VPN clients when they join the VPN. Its value must match the settings in the VPN client in order to successfully set up the IKE Security Association. The identity types supported in the SpeedTouch are listed in the table below:

     Identity type                       Keyword    Example
     IP address                          addr       10.0.0.1 (0.0.0.0: any address is accepted)
     Fully qualified domain name         fqdn       (a DNS name)
     User fully qualified domain name    userfqdn   *@corporate.net

A SpeedTouch VPN client identifies itself with a userfqdn in the form of a unique e-mail address when "generic" is selected for the Server Vendor. In order to make the configuration of the VPN server independent of the number of VPN clients, wildcards can be used as shown in the table above. For example, *@corporate.net matches any e-mail address in the domain corporate.net.

If you encounter problems during the IKE negotiations, use the Debug > Logging page to verify that the Identity Type...
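The Remote ID Filter described above (and the remoteid parameter of the CLI peer entity, which uses the same identity types and the same wildcard form) is easy to get subtly wrong: a wildcard that is implemented as a plain suffix test would also accept user@evil-corporate.net. The following is an added example, not SpeedTouch code, that models the comparison as the page describes it. The identity type keywords addr, fqdn and userfqdn and the 0.0.0.0 "any" address come from the page; the function and parameter names are assumptions.

```python
# Added example (not SpeedTouch code): a model of how a Remote ID Filter on the
# VPN server is compared with the identity a client presents in Phase 1.
# Identity types follow the page's table: addr (0.0.0.0 = any), fqdn, userfqdn
# (with an optional "*@domain" wildcard). Function and parameter names are assumed.
import ipaddress

ANY_ADDR = "0.0.0.0"


def _normalize(id_type: str, value: str) -> str:
    """Canonical form so that comparisons are not fooled by case or blanks."""
    value = value.strip()
    if id_type == "addr":
        return str(ipaddress.IPv4Address(value))  # rejects malformed addresses
    return value.lower()                           # DNS names and mail domains are case-insensitive


def remote_id_matches(filter_type: str, filter_value: str,
                      presented_type: str, presented_value: str) -> bool:
    """True when the client's Phase 1 identity passes the server's Remote ID Filter."""
    if filter_type != presented_type:
        return False                               # the type must agree before values are compared
    f = _normalize(filter_type, filter_value)
    p = _normalize(presented_type, presented_value)
    if filter_type == "addr":
        return f == ANY_ADDR or f == p
    if filter_type == "fqdn":
        return f == p
    if filter_type == "userfqdn":
        if f.startswith("*@"):
            # Wildcard: the whole domain after '@' must be identical. A plain
            # suffix test would also accept user@evil-corporate.net.
            user, sep, domain = p.partition("@")
            return sep == "@" and user != "" and domain == f[2:]
        return f == p
    raise ValueError(f"unsupported identity type {filter_type!r}")
```

The filter type and the presented type are compared first, so a client presenting an fqdn is never accepted by a userfqdn filter even when the strings happen to coincide.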
156. ...s failed. Via the CLI you can check the Syslog messages showing you the history of the tunnel negotiation. Each Syslog message has a timestamp attached. By contacting the SpeedTouch using the SNMP protocol you can access the IPSec MIB, which contains a lot of detailed tunnel information.

The following topics are discussed in this section:
5.1 Via the Debug Web pages
5.2 Via the CLI Show command group (page 165)
5.3 Via the CLI Debug command group (page 167)
5.4 Via SNMP

5.1 Via the Debug Web pages

How to see the status: Browse to Expert mode > VPN > Debug > Status. This page shows the status of the VPN connection: the IKE Security Association (Phase 1) and the IPSec Security Association(s) (Phase 2). For an operational VPN connection both an IKE Security Association and an IPSec Security Association should be active.

[Status page: tabs Status, Statistics, Logging; button Tear Down All Tunnels. Per session the table shows the session id, the local ID (a userfqdn such as john.doe@corporate.com), the remote ID (an IPv4 address), the connection name, the last role (initiator), the number of role changes, when the peer was last seen (seconds ago), the NAT status (no NAT) and the number of Phase 1 and Phase 2 exchanges. For the negotiated Phase 1 SA it shows the peer, the index, the state (READY), the ALWAYS_ON flag, the initiator and responder cookies, the remaining lifetime in seconds and the encryption algorithm (enc algo DES in the screenshot)...]
157. 4.2.1 Authentication Attribute Parameters  105
4.2.2 List all Authentication Attributes  106
4.2.3 Create a New Authentication Attribute  107
4.2.4 Set or Modify the Authentication Attribute Parameters  108
4.2.5 Delete an Authentication attribute  109
4.3 Peer Security Descriptor  110
4.3.1 Peer Security Descriptor Parameters  111
4.3.2 List all Peer Security Descriptors  114
4.3.3 Create a New Peer Security Descriptor  115
4.3.4 Set or Modify the Peer Descriptor Parameters  116
4.3.5 Delete a Peer Descriptor  117
4.4 Peer  118
4.4.1 Peer Parameters  119
4.4.2 List all peer entities
158. ...scellaneous: Inactivity Timeout (seconds) 3600. Items marked with * are mandatory.

[Below the form: a table with the columns Local ID, Remote ID, Local Network and Remote Network, initially empty.]

When you select Use Preshared Key Authentication, the following fields have to be completed:

> Preshared Secret: A string to be used as a secret password for the VPN connection. This secret needs to be configured identically at both peers (local and remote peer).

> Confirm Secret: The Preshared Secret value is not shown in clear text in the SpeedTouch Web page. In order to protect against typing errors, you have to type the key twice to confirm your original entry.

Page layout for certificate authentication

When you click Use Certificate Authentication, the IKE Authentication area of the page is updated in the following way:

[IKE Authentication: Local DN (unset); link Use Preshared Key Authentication.]

IKE Authentication Certificate parameters

When you select Use Certificate Authentication, you have to fill out the Distinguished Name of the local and remote Certificates.

Main mode expanded page

When you click Apply after you have filled out the IKE Authentication, IKE Security Descriptors and Miscellaneous parameters, the following page is displayed:

[Aggressive Mode / Main Mode; IKE Authentication: Preshared Secret...]
159. ...scriptor parameters are explained in section 4.3.1. A Peer Security Descriptor is required as one of the parameters to successfully create an operational Peer. The Peer refers to the Peer Security Descriptor by its symbolic name. A number of Peer Security Descriptors are pre-configured in the SpeedTouch. The user can modify these descriptors or define additional descriptors to fit his requirements.

The following topics are discussed in this section:
4.3.1 Peer Security Descriptor Parameters (page 111)
4.3.2 List all Peer Security Descriptors (page 114)
4.3.3 Create a New Peer Security Descriptor
4.3.4 Set or Modify the Peer Descriptor Parameters
4.3.5 Delete a Peer Descriptor

4.3.1 Peer Security Descriptor Parameters

The following table summarizes the parameters comprised in the Peer Security Descriptor. The table also indicates the keyword used in the CLI for each parameter.

     Parameter                  Keyword          Description
     Peer Descriptor name       name             Symbolic name of the descriptor.
     Cryptographic function                      Cipher used for encrypting the IKE messages.
     Key length                                  Length of the cryptographic key.
     Hash function                               Integrity function used for message authentication.
     Diffie-Hellman group                        Diffie-Hellman group for the key exchange.
     IKE SA lifetime            lifetime_secs    The lifetime of the IKE Security Association. At expiration of this...
160. ...scriptors and the Connection Security Descriptors.

4.5.4 Set the Connection Security Descriptor Parameters (modify command)

The ipsec connection descriptor modify command sets or modifies the connection descriptor parameters. The descriptors must match at both tunnel ends in order to have a successful outcome of the Phase 2 negotiation. In this example the parameters of the previously defined Connection Security Descriptor cnctdes1 are set to the following values:

> crypto: AES
> key length: 128
> integrity: HMAC_MD5
> Perfect Forward Secrecy: disabled
> lifetime_secs: 3600
> lifetime_kbytes: 10000
> encapsulation mode: tunnel mode

While the command is typed, the CLI shows the permitted values of each parameter (crypto: DES, 3DES, AES, NULL; integrity: HMAC_MD5, HMAC_SHA1) in front of the chosen value:

     ipsec connection descriptor> modify name cnctdes1 crypto AES keylen 128 integrity HMAC_MD5 pfs disabled lifetime_secs 3600 lifetime_kbytes 10000 encapsulation tunnel
     ipsec connection descriptor modify name cnctdes1 crypto AES keylen 128 integrity HMAC_MD5 lifetime_secs 3600 lifetime_kbytes 10000
     ipsec connection descriptor>

The parameters of the pre-defined descriptors can also be changed with the modify command. Use this feature, for example, if you want to change the lifetime parameter only. Prefer HMAC_SHA1 over HMAC_MD5 and AES over DES whenever the remote peer supports them; the pre-defined descriptors cover both choices.

The descriptors must match at both peers i...
161. ... 123
4.4.3 Create a new peer entity  124
4.4.4 Set or modify the peer parameters  125
4.4.5 Delete a Peer entity  126
4.5 Connection Security Descriptor  127
4.5.1 Connection Security Descriptor parameters  128
4.5.2 List all Connection Security Descriptors  131
4.5.3 Create a new Connection Security Descriptor  132
4.5.4 Set the Connection Security Descriptor Parameters  133
4.5.5 Delete a Connection Security Descriptor  134
4.6 Network Descriptor  135
4.6.1 Network Descriptor Parameters  136
4.6.2 Create a New Network Descriptor  138
4.6.3 Set the Network Descriptor Parameters  139
4.6.4 Delete a Network Descriptor
162. [Form residue: Local Trusted Network Type field, unset.]

IKE Security Descriptor

The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase 1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch and can be selected from a list. Select a Security Descriptor in function of your security requirements. The remote VPN clients must comply with the IKE security parameters configured in the VPN server.

For example, the pre-configured IKE Security Descriptor AES_MD5, used in various examples throughout this document, contains the following settings:

     Parameter                      Value for AES_MD5
     Cryptographic function         AES
     Diffie-Hellman group           (see the descriptor contents)
     IKE SA lifetime in seconds     (see the descriptor contents)

The contents of the IKE Security Descriptors can be verified via VPN > Advanced > Peers > Security Descriptors.

It is recommended to use AES as the preferred encryption method. AES is more advanced compared to DES or 3DES: it is faster for comparable key lengths and provides better security.

Page layout with additional Descriptors

When you click Specify Additional Descriptors, the IKE Security Descriptors area of the page is updated and shows additional fields where you can...
163. ...st cases the use of the default ipsec0 virtual interface is sufficient. Only in some very specific cases it may be useful to create an additional virtual interface for IPSec. For example, if you want to apply different firewall rules to different IPSec tunnels, an additional virtual interface can be created in the Connection Options list.

Virtual interface (virtual_if): Possible values: a string value containing the name of the virtual interface. A typical situation where multiple IPSec virtual interfaces might be needed is the VPN hub-and-spoke model.

Don't Fragment bit (force_df)

IPSec encryption increases the packet length. When the MTU of a link is adjusted to pass the largest IP packet unfragmented, messages encapsulated by IPSec will not pass if the Don't Fragment bit is set. In some cases it might be required to influence the fragmentation behaviour to remedy such problems. The SpeedTouch allows treating the DF bit in three different ways:

> Pass the DF bit unchanged.
> Force the DF bit to zero. With the DF bit cleared, fragmentation is allowed.
> Force the DF bit to one. With the DF bit set, fragmentation of messages is not allowed.

Possible values: pass (default value), force_set, force_clear.

Minimal MTU (min_mtu)

This option sets the minimal negotiated value of the Maximum Transmission Unit (the largest packet size). The fa...

Add Route (add_route)
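The DF-bit and MTU options above only make sense once one sees how much ESP adds to a packet. The following is an added example, not SpeedTouch code, that computes the on-the-wire size of a packet after ESP tunnel-mode encapsulation with AES-CBC and a 96-bit HMAC ICV (the overheads are those of RFC 4303: a new 20-byte IP header, 8 bytes of SPI and sequence number, a 16-byte IV, padding to the 16-byte cipher block plus the pad-length and next-header bytes, and a 12-byte ICV) and then decides what happens to the packet on a link of a given MTU under each force_df policy. Function names and the particular cipher parameters are assumptions; the page does not state them.

```python
# Added example (not SpeedTouch code): why the force_df and min_mtu options exist.
# Sizes are for ESP tunnel mode with AES-CBC (16-byte IV and block) and a
# 12-byte HMAC-MD5-96 / HMAC-SHA1-96 ICV, as defined in RFC 4303.
OUTER_IP = 20      # new IPv4 header added in tunnel mode (no options)
ESP_HDR = 8        # SPI + sequence number


def encapsulated_length(inner_len: int, iv_len: int = 16, block: int = 16,
                        icv_len: int = 12) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    # Padding brings (payload + pad + pad-length byte + next-header byte)
    # up to a multiple of the cipher block size.
    padded = inner_len + 2
    padded += (-padded) % block
    return OUTER_IP + ESP_HDR + iv_len + padded + icv_len


def max_inner_length(link_mtu: int, iv_len: int = 16, block: int = 16,
                     icv_len: int = 12) -> int:
    """Largest inner packet that still fits in link_mtu after encapsulation."""
    budget = link_mtu - OUTER_IP - ESP_HDR - iv_len - icv_len
    budget -= budget % block          # encrypted part must be a block multiple
    return max(budget - 2, 0)         # minus pad-length and next-header bytes


def df_outcome(inner_len: int, link_mtu: int, inner_df: bool,
               policy: str = "pass") -> str:
    """'pass', 'fragment' or 'drop' for one packet under a force_df policy."""
    if policy == "pass":
        df = inner_df                 # DF bit copied unchanged to the outer header
    elif policy in ("force_set", "force_clear"):
        df = policy == "force_set"
    else:
        raise ValueError(f"unknown force_df policy {policy!r}")
    size = encapsulated_length(inner_len)
    if size <= link_mtu:
        return "pass"
    # Too big for the link: with DF set the packet is discarded (an ICMP
    # "fragmentation needed" message goes back), otherwise it is fragmented.
    return "drop" if df else "fragment"
```

For a 1500-byte link this gives 1438 bytes as the largest clear-text packet that still fits; a host that sends 1500-byte packets with DF set therefore sees every large packet dropped under the default pass policy, which is exactly the situation force_clear (allow fragmentation) or a lower negotiated MTU (min_mtu) is meant to remedy.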
164. ...sults of the operation:

     ipsec connection> list
     connect1   Peer: peer1   Local network: net1   Remote network: net2   Always on: disabled   Descriptors: cnctdes1   Options: <unset>   State: enabled
     ipsec connection>

4.7.5 Delete a Connection (delete command)

The ipsec connection delete command deletes a Connection. In this example the connection named connect1 is deleted:

     ipsec connection> delete name connect1
     ipsec connection delete name connect1
     ipsec connection>

The result of this operation is verified with the list command:

     ipsec connection> list
     ipsec connection>

4.7.6 Start a Connection (start command)

The ipsec connection start command triggers the establishment of a Security Association. If no IKE Security Association between the SpeedTouch and the remote Security Gateway exists, the Phase 1 negotiation is started, followed by the Phase 2 negotiation. If an IKE SA already exists, the Phase 2 tunnel negotiation is started immediately. In this example the connection named connect1 is started:

     ipsec connection> start conn connect1
     ipsec connection start conn connect1
     ipsec connection>
165. The ipsec debug syslog command sets the state of IPSec syslog logging (disabled or enabled), for example:

     ipsec debug> syslog state disabled
     ipsec debug syslog state disabled
     ipsec debug>

> remotely: Configure a remote Syslog server to which all logged Syslog messages are sent. Using the rule indicated below causes all Syslog messages with severity debug or higher to be sent towards the machine with IP address 90.0.0.138:

     syslog ruleadd fac=all sev=debug dest=90.0.0.138

Below is a typical example of Syslog messages logging the rekeying of a Phase 2 tunnel. First the new Phase 2 tunnel is negotiated, and 4 seconds later the old and expired Phase 2 tunnel is deleted (the local and remote address fields are only partly legible in the source and are abbreviated here):

     <6> SysUpTime 14:12:50 VPN Rekey Phase 2 Loc ... Rem 192.168.1.50 ...
     <6> SysUpTime 14:12:50 VPN AddSa SPIs OUT/IN D40467B8/5F0E9992 Loc ... Rem 192.168.1.50 ... Prot ESP AES 128 HMAC MD5 Exp 0h 10m 00s
     <6> SysUpTime 14:12:54 VPN DelSa SPIs OUT/IN 04D3EF01/1CF5AAF2 Time 0h 07m 41s

Syslog messages

The following table shows the syslog messages:

     INFO   added SPDB entry <DIRECTION> <IPRANGE> -> <IPRANGE> if <IP_IFINDEX>
     INFO   added SADB entry dir <DIRECTION> spi <SPI> enc <ENC_ALG> auth <AUTH_ALG>
     INFO   connection profile <PROFILE_NAME> in use
     INFO   establish request for connection <PROFILE_NAME>
     INFO   Cannot create authentic...
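Once these messages arrive at a remote Syslog server they can be replayed to reconstruct the Phase 2 SA lifecycle, which is what one wants when a tunnel "went away" and nobody was watching. The following is an added example, not SpeedTouch code, that parses the AddSa and DelSa messages in the shape shown above, keeps track of which SPIs are installed, and reports a DelSa for an SPI whose AddSa was never logged (normal right after logging is switched on, as in the rekey example, where the old SA predates the log). The sample lines are constructed from the page's example with the SPIs kept and the addresses invented; the regular expressions and function names are assumptions about that message shape.

```python
# Added example (not SpeedTouch code): tracking Phase 2 SA lifecycle from the
# VPN syslog messages. SAMPLE_LOG is constructed (SPIs as on the page,
# addresses invented); the message layout the regexes assume is the one shown above.
import re

SAMPLE_LOG = """\
<6> SysUpTime 14:12:50 VPN Rekey Phase 2 Loc 10.0.0.141 Rem 192.168.1.50
<6> SysUpTime 14:12:50 VPN AddSa SPIs OUT/IN D40467B8/5F0E9992 Loc 10.0.0.141 Rem 192.168.1.50 Prot ESP AES 128 HMAC MD5 Exp 0h 10m 00s
<6> SysUpTime 14:12:54 VPN DelSa SPIs OUT/IN 04D3EF01/1CF5AAF2 Time 0h 07m 41s
"""

LINE = re.compile(r"^<(?P<pri>\d+)>\s+SysUpTime\s+(?P<time>\d\d:\d\d:\d\d)\s+VPN\s+(?P<event>\w+)(?P<rest>.*)$")
SPIS = re.compile(r"SPIs OUT/IN ([0-9A-Fa-f]{8})/([0-9A-Fa-f]{8})")
HMS = re.compile(r"(\d+)h (\d+)m (\d+)s")
PROT = re.compile(r"Prot (?P<proto>\w+) (?P<algos>.+?) Exp ")


def _seconds(text: str):
    """'0h 07m 41s' -> 461; None when the line carries no such field."""
    m = HMS.search(text)
    return int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3]) if m else None


def parse_event(line: str):
    """One syslog line -> dict, or None if it is not a VPN event."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = {"time": m["time"], "event": m["event"]}
    rest = m["rest"]
    s = SPIS.search(rest)
    if s:
        ev["spi_out"], ev["spi_in"] = s[1].upper(), s[2].upper()
    p = PROT.search(rest)
    if p:
        ev["proto"] = p["proto"]
        ev["algos"] = p["algos"]          # e.g. "AES 128 HMAC MD5"
    if ev["event"] == "AddSa":
        ev["lifetime_s"] = _seconds(rest)  # expiry as logged ("Exp ...")
    elif ev["event"] == "DelSa":
        ev["age_s"] = _seconds(rest)       # how long the SA was up ("Time ...")
    return ev


def track_sas(log: str):
    """Replay the log: returns (SAs still installed keyed by outbound SPI, findings)."""
    active, findings = {}, []
    for raw in log.splitlines():
        ev = parse_event(raw)
        if not ev:
            continue
        if ev["event"] == "AddSa":
            active[ev["spi_out"]] = ev
        elif ev["event"] == "DelSa":
            old = active.pop(ev.get("spi_out"), None)
            if old is None:
                # Deleting an SA we never saw installed: the log started after
                # it was added (normal after a rekey) or logging was off then.
                findings.append(f"{ev['time']}: DelSa for unknown SPI {ev.get('spi_out')}")
            elif old.get("lifetime_s") and ev.get("age_s") and ev["age_s"] < old["lifetime_s"]:
                findings.append(f"{ev['time']}: SPI {ev['spi_out']} torn down after "
                                f"{ev['age_s']}s of a {old['lifetime_s']}s lifetime")
    return active, findings
```

Run against SAMPLE_LOG, track_sas leaves the new SA D40467B8 installed with its 600-second lifetime and reports the deletion of 04D3EF01 as unknown; an SA deleted well before its logged lifetime (a peer-initiated teardown or DPD timeout rather than an expiry) is reported as a second kind of finding.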
166. ...t add name cnctdes1
     ipsec connection descriptor add name cnctdes1
     ipsec connection descriptor>

The result of this operation can be verified with the list command:

     ipsec connection descriptor> list
     AES_SHA1_TUN        AES 128 HMAC_SHA1 Lifetime 86400s Tunnel Mode
     AES_MD5_TUN         AES 128 HMAC_MD5 Lifetime 86400s Tunnel Mode
     AES_SHA1_PFS_TUN    AES 128 HMAC_SHA1 PFS Lifetime 86400s Tunnel Mode
     AES_MD5_PFS_TUN     AES 128 HMAC_MD5 PFS Lifetime 86400s Tunnel Mode
     3DES_SHA1_TUN       3DES HMAC_SHA1 Lifetime 86400s Tunnel Mode
     3DES_MD5_TUN        3DES HMAC_MD5 Lifetime 86400s Tunnel Mode
     3DES_SHA1_PFS_TUN   3DES HMAC_SHA1 PFS Lifetime 86400s Tunnel Mode
     3DES_MD5_PFS_TUN    3DES HMAC_MD5 PFS Lifetime 86400s Tunnel Mode
     DES_SHA1_TUN        DES HMAC_SHA1 Lifetime 86400s Tunnel Mode
     DES_MD5_TUN         DES HMAC_MD5 Lifetime 86400s Tunnel Mode
     AES_SHA1_Adv        AES 256 HMAC_SHA1 PFS Lifetime 86400s Tunnel Mode
     3DES_SHA1_Adv       3DES HMAC_SHA1 PFS Lifetime 86400s Tunnel Mode
     NullEnc_SHA1_TUN    NULL HMAC_SHA1 Lifetime 86400s Tunnel Mode
     cnctdes1            Tunnel Mode
     ipsec connection descriptor>

It is seen that the new descriptor named cnctdes1 has been created. Thirteen Connection Security Descriptors are pre-defined in the SpeedTouch, covering the most common settings. In total up to 40 Security Descriptors can be defined. This total includes both the Peer Security De...
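Before picking one of the descriptors in that list for a new connection it is worth running the list through a small audit, since the pre-defined set includes single DES, HMAC-MD5, NULL encryption and descriptors without PFS next to the stronger ones. The following is an added example, not SpeedTouch code, that parses the list output in the form shown above (the sample text is constructed from that listing; the column spacing is assumed) and reports, per descriptor, what a reviewer would raise. The regular expressions and function names are assumptions.

```python
# Added example (not SpeedTouch code): auditing "ipsec connection descriptor list"
# output. SAMPLE_LIST is constructed from the listing shown on the page.
import re

SAMPLE_LIST = """\
AES_SHA1_TUN        AES 128 HMAC_SHA1 Lifetime 86400s Tunnel Mode
AES_MD5_TUN         AES 128 HMAC_MD5 Lifetime 86400s Tunnel Mode
AES_SHA1_PFS_TUN    AES 128 HMAC_SHA1 PFS Lifetime 86400s Tunnel Mode
3DES_MD5_TUN        3DES HMAC_MD5 Lifetime 86400s Tunnel Mode
DES_SHA1_TUN        DES HMAC_SHA1 Lifetime 86400s Tunnel Mode
AES_SHA1_Adv        AES 256 HMAC_SHA1 PFS Lifetime 86400s Tunnel Mode
NullEnc_SHA1_TUN    NULL HMAC_SHA1 Lifetime 86400s Tunnel Mode
cnctdes1            Tunnel Mode
"""

ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<crypto>DES|3DES|AES|NULL)(?:\s+(?P<keylen>\d+))?"
    r"\s+(?P<integrity>HMAC_(?:MD5|SHA1))(?:\s+(?P<pfs>PFS))?"
    r"\s+Lifetime\s+(?P<lifetime>\d+)s\s+(?P<mode>Tunnel|Transport) Mode$")
# A freshly added descriptor prints only its name and encapsulation mode.
UNSET = re.compile(r"^(?P<name>\S+)\s+(?P<mode>Tunnel|Transport) Mode$")


def parse_descriptors(text: str):
    """Returns {name: dict}; descriptors whose parameters are unset get crypto=None."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            d["keylen"] = int(d["keylen"]) if d["keylen"] else None
            d["pfs"] = d["pfs"] is not None
            d["lifetime"] = int(d["lifetime"])
        else:
            m = UNSET.match(line)
            if not m:
                raise ValueError(f"unrecognised descriptor line: {line!r}")
            d = {"name": m["name"], "crypto": None, "keylen": None, "integrity": None,
                 "pfs": False, "lifetime": None, "mode": m["mode"]}
        out[d["name"]] = d
    return out


def audit(descriptors: dict):
    """Findings per descriptor that a reviewer would raise before using it for a tunnel."""
    findings = {}
    for name, d in descriptors.items():
        issues = []
        if d["crypto"] is None:
            issues.append("parameters not set: the descriptor cannot negotiate yet")
        if d["crypto"] == "NULL":
            issues.append("NULL encryption: integrity only, no confidentiality")
        if d["crypto"] == "DES":
            issues.append("single DES (56-bit key)")
        if d["integrity"] == "HMAC_MD5":
            issues.append("HMAC-MD5 integrity: prefer HMAC_SHA1 when the peer supports it")
        if d["crypto"] and not d["pfs"]:
            issues.append("no PFS: Phase 2 keys derive from the Phase 1 keying material")
        if issues:
            findings[name] = issues
    return findings
```

On the sample list only AES_SHA1_PFS_TUN and AES_SHA1_Adv come through without a finding; cnctdes1 is flagged because, as the page notes, its parameters still have to be set with the modify command.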
167. ...t contain a subnet that lies within the range described by the symbolic network name in order to successfully set up the Security Association.

> subrange_of_<network name>: The proposal of the remote initiator must contain a subrange that lies within the range described by the symbolic network name in order to successfully set up the Security Association.

> black_ip: The proposal of the remote initiator must contain the public IP address of the remote Security Gateway.

Local selector (localselector)

The local selector expresses a static IPSec policy for access to the IPSec tunnel at the local end. This setting can optionally be filled out manually. In a basic configuration it is left unset. In that case the SpeedTouch uses its dynamic policy capabilities to derive a static policy as a result of the Phase 2 negotiation: a cloned connection is automatically created with the localselector derived by the SpeedTouch. In an advanced application it may in some cases be useful to manually fill in a static policy. This is done by entering a symbolic network name in the localselector parameter.

Remote selector (remoteselector)

The remote selector expresses a static IPSec policy for access to the IPSec tunnel at the remote end. This setting can optionally be filled out manually. In a basic configuration it is l...
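The remotematch keywords (introduced with exactly_ and one_of_ earlier in this section and completed with subnet_of_, subrange_of_ and black_ip above) decide whether the responder accepts the traffic selector an initiator proposes in Phase 2. The following is an added example, not SpeedTouch code, that models those rules so their differences can be checked against concrete proposals: the keyword spellings come from the page, while the network type keywords ("ip", "subnet", "range"), the address notations, and all function and parameter names are assumptions.

```python
# Added example (not SpeedTouch code): a model of the remotematch keywords
# applied to the traffic selector an initiator proposes in Phase 2.
# Keyword spellings are the page's; type keywords, notations and names are assumed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class NetworkDescriptor:
    name: str
    type: str   # "ip", "subnet" or "range" (assumed spellings of the type keyword)
    ip: str     # "10.0.0.1", "10.0.0.0/24" or "10.0.0.5-10.0.0.56"

    def bounds(self):
        """Lowest and highest address covered by the descriptor."""
        if self.type == "ip":
            a = IPv4(self.ip)
            return a, a
        if self.type == "subnet":
            n = ipaddress.IPv4Network(self.ip, strict=False)
            return n.network_address, n.broadcast_address
        if self.type == "range":
            lo, hi = (IPv4(p.strip()) for p in self.ip.split("-"))
            if hi < lo:
                raise ValueError(f"{self.name}: range end lies before its start")
            return lo, hi
        raise ValueError(f"{self.name}: unknown network type {self.type!r}")


def proposal_bounds(proposal: str):
    """Traffic selector proposed by the initiator, in the same three notations."""
    kind = "subnet" if "/" in proposal else "range" if "-" in proposal else "ip"
    return NetworkDescriptor("proposal", kind, proposal).bounds()


def is_one_subnet(lo, hi) -> bool:
    """True when lo..hi is exactly one CIDR block (a subnet, not merely a range)."""
    return len(list(ipaddress.summarize_address_range(lo, hi))) == 1


KEYWORDS = ("exactly_", "one_of_", "subnet_of_", "subrange_of_")


def remotematch(setting: str, proposal: str, networks: dict,
                remote_gateway: Optional[str] = None) -> bool:
    """Does the responder accept this proposal under the given remotematch setting?"""
    plo, phi = proposal_bounds(proposal)
    if setting == "black_ip":
        # The proposal must be exactly the public address of the remote gateway.
        return remote_gateway is not None and plo == phi == IPv4(remote_gateway)
    for kw in KEYWORDS:
        if setting.startswith(kw):
            dlo, dhi = networks[setting[len(kw):]].bounds()
            break
    else:
        raise ValueError(f"unknown remotematch setting {setting!r}")
    inside = dlo <= plo and phi <= dhi
    if kw == "exactly_":
        return (plo, phi) == (dlo, dhi)
    if kw == "one_of_":
        return plo == phi and inside           # one address within the network
    if kw == "subnet_of_":
        return inside and is_one_subnet(plo, phi)
    return inside                              # subrange_of_: any range within the network
```

The distinction that matters operationally is between subnet_of_ and subrange_of_: a proposal of 20.0.0.5-20.0.0.56 lies inside 20.0.0.0/24 but is not a CIDR block, so only subrange_of_net2 accepts it. The stricter the keyword, the smaller the set of remote selectors a misconfigured or hostile initiator can get the responder to install.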
168. ...t in the SpeedTouch Web page. In order to protect against typing errors, you have to type the key twice to confirm your original entry.

Page layout for certificate authentication

When you click Use Certificate Authentication, the IKE Authentication area of the page is updated in the following way:

[IKE Authentication: Certificate DN (unset), Remote DN Filter; link Use Preshared Key Authentication.]

IKE Authentication Certificate parameters

When you select Use Certificate Authentication, you have to fill out the Distinguished Name of the local and remote Certificates.

Starting and stopping a VPN client connection

Two start mechanisms are defined:
> Manual Dialup
> Automatic Start

When you use pre-shared key authentication, both start mechanisms require a number of parameters to be set. The set of parameters depends on which Server Vendor you selected.

Choose Start Mechanism (automatic or manual): Use Automatic Start (Always On) or Use Manual Dialup.

When you select the Manual Dialup method, no further parameters have to be configured. You have to dial in to the VPN server each time you need the secure connection. Whenever you dial in, you have to enter a set of parameters to join the VPN.

Page layout for Automatic Start

Select the Automatic Start method when multiple terminals in your L...
169. tension; Email Address; DNS Name; My Alt Subject DN; Apply; Submit. Note: Submit request will take several seconds.
This URL points to the location of the CEP script on the Certificate Authority server. Usually it has the following form: http://<host>:<port>/<path>
- <host> is a numeric address (do not use a DNS name)
- <port> is the port number; by default port 80 is assumed
- <path> is the path to the script, e.g. cgi-bin/pkiclient.exe
See RFC 1779. This is the Distinguished Name for the certificate. The value must be a valid distinguished name in string representation. It can include a common name (cn), organization unit (ou), organization name (o), locality (l), province or state (st) and country (c). Use commas to separate the items.
3.9 Advanced VPN Menu
When to use: The Advanced VPN menu gives access to two main pages where the complete IPSec configuration can be done. These pages are component oriented, as opposed to the application oriented pages described in sections 3.1, 3.2 and 3.3. Component oriented means that a number of components are constructed and subsequently combined. It is highly recommended to use the application oriented Web pages for VPN configurations. Only in exceptional cases will these pages not be sufficiently flexible to fulfil your
170. ter 4 Configuration via the Command Line Interface
4.2 Peer Authentication Attribute
What is: Two main methods for user authentication are supported in the SpeedTouch:
- pre-shared key
- certificates
The user authentication parameters used for IKE negotiations are bundled in a descriptor with a symbolic name. This is called the Authentication Attribute. For pre-shared key authentication this attribute holds the pre-shared key. For authentication with certificates it simply indicates the authentication method. The Authentication Attribute parameters are explained in section 4.2.1.
How is it used: An Authentication Attribute is required as one of the parameters to successfully create an operational peer. The peer refers to the Authentication Attribute by its symbolic name. So, as an initial preparatory step to define an operational peer, a valid Authentication Attribute is created.
In this section: The following topics are discussed in this section:
4.2.1 Authentication Attribute Parameters (105)
4.2.2 List all Authentication Attributes
4.2.3 Create a New Authentication Attribute (107)
4.2.4 Set or Modify the Authentication Attribute Parameters
4.2.5 Delete an Authentication Attribute
4.2.1 Authentication Attribute Parameters
Par
171. ters: The following table shows the XAuth Pool parameters.
XAuth Pool parameters:
  XAuth pool name (name), Mandatory: Symbolic name for the XAuth pool, used internally in the SpeedTouch.
  Pool type (type), Mandatory: Two pool types are defined, generic and chap.
Chapter 6 Advanced Features
6.6.2 Create a new XAuth pool (add command): A new XAuth pool is created with the ipsec peer vpnserver xauthpool add command.
Example: In the following example a new xauthpool is created, named pool1:
  ipsec>peer
  ipsec peer>vpnserver
  ipsec peer vpnserver>xauthpool
  ipsec peer vpnserver xauthpool>add name pool1
  ipsec peer vpnserver xauthpool add name pool1
  ipsec peer vpnserver xauthpool>
The result of this operation can be verified with the list command:
  ipsec peer vpnserver xauthpool>list
  Pool pool1 type generic
  ipsec peer vpnserver xauthpool>
6.6.3 Modify the xauthpool type (modify command): With the ipsec peer vpnserver xauthpool modify command it is possible to modify the pool type.
Example: In this example the type of the previously defined pool named pool1 is set to chap:
  ipsec peer vpnserver xauthpool>modify name pool1 type
  generic chap
  type chap
  ipsec peer v
172. that refers to the local private network having access to the IPSec connection. As mentioned above, the access can be restricted to a single protocol and port number.
This parameter describes the remote network that may use the IPSec connection. It expresses a dynamic policy which, during the Phase 2 negotiation, results in a static policy expressed by the localmatch, remotematch, localselector and remoteselector parameters. The valid settings are:
- the keyword retrieve_from_server: This setting can be used in an IPSec client/server configuration. It is only relevant at the client side of the connection, where the SpeedTouch acts as an initiator for the IPSec Security Association.
- the keyword allocated_virtual_ip: This setting can be used in an IPSec client/server configuration. It is only relevant at the server side of the connection.
- the keyword black_ip: Designates the public IP address of the remote Security Gateway as the end user of the secure connection. This setting is useful for a connection that serves secure remote management of the remote Security Gateway.
- a symbolic name of a network descriptor: This setting is used when the network environment at the remote side is completely known. This is often the case in a site-to-site application where the VPN structure and the use of specific ranges of IP addresses are under the control of a network manager.
173. the IKE Security Association. The Local ID types supported in the SpeedTouch are listed in the following table:
  Local ID type                  Keyword   Examples
  (Use the values of the peer profile)
  Fully qualified domain name    fqdn      sales.corporate.net
Configuring XAuth: When you use the Extended Authentication protocol on the connection, you fill out an XAuth Username and Password in the optional fields. The XAuth Password is not shown in clear text; in order to protect from typing errors you have to confirm your entry. The use of XAuth is further explained in section 6.3 Extended Authentication (XAuth) on page 176 and following.
Chapter 4 Configuration via the Command Line Interface
In this chapter: This chapter describes the basic configuration steps for building an operational IPSec set-up via the Command Line Interface. Firstly, a reference network is proposed that serves in examples throughout the chapter. Then an outline of the configuration procedure is presented. The individual steps are described in detail in the subsequent sections.
Reference network: A simple yet realistic VPN reference set-up is defined as shown below.
  [Figure: reference network with SpeedTouch A and SpeedTouch B; addresses 200.200.0.1 and 10.0.0.254; Network 10.0.0.0/24; Network 20.0.0.0
174. the IKE Security Descriptors can be verified via Advanced > Peers > Security Descriptors. It is recommended to use AES as the preferred encryption method. AES is more advanced than DES or 3DES: it is faster for comparable key lengths and provides better security.
Page layout with additional Descriptors: When you click Specify Additional Descriptors, the IKE Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IKE Security Descriptors:
  IKE Security Descriptors: Descriptor (unset); Descriptor 2 (unset); Descriptor 3 (unset); Descriptor 4 (unset)
These will be used as alternative valid proposals in the IKE negotiations.
Page layout for pre-shared key authentication: When you click Use Preshared Key Authentication, the initial page is updated in the following way:
  Gateway Address Unknown
  Table (empty): Gateway Address; Local Network; Remote Network; State
  Remote Gateway Address or FQDN; Backup Address or FQDN
  IKE Authentication: Preshared Secret; Confirm Secret; Local ID Type; Local ID; Remote ID Type; Remote ID
  Miscellaneous: Primary Untrusted Physical Interface (any); IKE Exchange Mode (unset); Inactivity Timeout (seconds) 3600
  IKE Security Descriptors: Descriptor (unset); Specify Additional Descriptors
  Items
175. the client side of the connection, where the SpeedTouch acts as an initiator for the IPSec Security Association.
- the keyword black_ip: This setting is used only for remote management scenarios where the IPSec tunnel is used exclusively for information generated or terminated by the SpeedTouch.
- a symbolic name of a network descriptor: This is the most common selection in a site-to-site application. In this case the localnetwork parameter holds the symbolic name of the network descriptor that refers to the local private network having access to the IPSec connection. As mentioned above, the access can be restricted to a single protocol and port number.
176. tion
  ipsec connection>descriptor
  ipsec connection descriptor>list
  AES_SHA1_TUN       AES 128  HMAC SHA1       Lifetime 86400s  Tunnel Mode
  AES_MD5_TUN        AES 128  HMAC MD5        Lifetime 86400s  Tunnel Mode
  AES_SHA1_PFS_TUN   AES 128  HMAC SHA1  PFS  Lifetime 86400s  Tunnel Mode
  AES_MD5_PFS_TUN    AES 128  HMAC MD5   PFS  Lifetime 86400s  Tunnel Mode
  3DES_SHA1_TUN      3DES     HMAC SHA1       Lifetime 86400s  Tunnel Mode
  3DES_MD5_TUN       3DES     HMAC MD5        Lifetime 86400s  Tunnel Mode
  3DES_SHA1_PFS_TUN  3DES     HMAC SHA1  PFS  Lifetime 86400s  Tunnel Mode
  3DES_MD5_PFS_TUN   3DES     HMAC MD5   PFS  Lifetime 86400s  Tunnel Mode
  DES_SHA1_TUN       DES      HMAC SHA1       Lifetime 86400s  Tunnel Mode
  DES_MD5_TUN        DES      HMAC MD5        Lifetime 86400s  Tunnel Mode
  AES_SHA_Adv_TUN    AES 256  HMAC SHA1  PFS  Lifetime 86400s  Tunnel Mode
  3DES_SHA1_Adv_TUN  3DES     HMAC SHA1  PFS  Lifetime 86400s  Tunnel Mode
  NullEnc_SHA1_TUN   NULL     HMAC SHA1       Lifetime 86400s  Tunnel Mode
  ipsec connection descriptor>
  ipsec connection>
  ipsec>
4.9.3 Create a new Connection Security Descriptor (add command): A new Connection Security Descriptor is created with the ipsec connection descriptor add command.
Example: In the following example a new Connection Security Descriptor is created, named cnctdes1:
  ipsec>connection
  ipsec connection>descriptor
  ipsec connection descriptor g
177. tion list. The options are handled in a separate chapter discussing the advanced features. For a basic IPSec configuration no option list is selected.
This setting allows enabling or disabling the connection.
4.7.2 List all Connections (list command): The ipsec connection list command shows the list of all defined connections.
Example: In the following example a list of all defined connections is shown:
  ipsec connection>list
  connect1
    Peer            peer1
    Local network   net1
    Remote network  null
    Always on       disabled
    Descriptors     > cnctdes NullEnc HMAC SHA1 TUNNEL
    Options         <unset>
    State           enabled
  ipsec connection>
Note: By default a SpeedTouch device does not contain any connections. As a consequence the list command will return an empty list on a new device.
4.7.3 Create a New Connection (add command): A new Connection is created with the ipsec connection add command.
Example: In the following example a new connection is created, named connect1:
  ipsec>connection
  ipsec connection>add name connect1
  IPSec connection add name connect1
  ipsec connection>
The result of this operation can be verified with the list command:
  ipsec connectio
178. tion network>list
  net1 <unset>
  ipsec connection network>
For the newly created Network Descriptor in this example all parameters are unset. Setting of the parameters is described in the next section.
4.6.3 Set the Network Descriptor Parameters (modify command): The ipsec connection network modify command sets or modifies the Network Descriptor parameters.
Example: In this example the parameters of the previously defined network named net1 are set:
  ipsec connection network>
  ipsec connection network>modify name net1 type
  address subnet
  type subnet ip 10.0.0.0/24 proto
  ah ggp icmp rdp udp 6to4
  proto port
  at-echo at-nbp at-rtmp at-zis auth bgp biff bootpc bootps chargen clearcase daytime discard dns domain doom echo exec finger ftp
  port
  IPSec connection network modify name net1
  ipsec connection network>
In the example above the network is defined as the IP subnet 10.0.0.0/24. No protocol or port number is selected. The TAB key was used to show the supported entries for the proto and port parameters.
Use the list command to verify the results of the operation:
  ipsec connection network>list
  net1 subnet 10.0.0.0/24
  ipsec connection network>
179. tion via the Command Line Interface
4.4.2 List all peer entities (list command): The ipsec peer list command shows the list of all defined peer entities.
Example: In the following example a list of all defined peer entities is created:
  ipsec>
  ipsec>peer
  ipsec peer>list
  peer1
    Remote Address         200.200.0.1
    Backup Remote Address  <unset>
    Physical IF            > DIALUP PPPOE
    Exchange Mode          main
    Local Identifier       addr 100.100.0.1
    Remote Identifier      addr 200.200.0.1
    Descriptors            > AES_MD5
    Authentication         secret1
    Client/Server          <unset>
    Options                <unset>
  ipsec peer>
Note: By default the SpeedTouch device does not contain any peer entities. As a consequence the list command will return an empty list on new devices.
4.4.3 Create a new peer entity (add command): A new Peer is created with the ipsec peer add command.
Example: In the following example a new peer is created, named peer1:
  >ipsec
  ipsec>peer
  ipsec peer>add name peer1
  IPSec peer add name peer1
  ipsec peer>
The result of this operation can be verified with the list command:
  ipsec peer>list
  peer1
    Remote Address
    Backup Remote Address
    Physical IF
    Exchange Mode
    Local Identifier
    Remote Identifier
    Descriptors
    Authentication
    Client/Server
    Option
180. tionally, if the tcp or udp protocol is selected for the protocol parameter, then the access to the IPSec connection can be further restricted to a single port number. Many well-known port numbers can be selected from the list. Select any if you do not want to restrict the connection to a specific port.
Chapter 3 Configuration via Local Pages
3.5.10 Connection Descriptors Page
Descriptors page layout: A Connection Security Descriptor contains the following security parameters for an IPSec connection:
- Encryption method
- Encapsulation method
- Selection to use Perfect Forward Secrecy or not
- Lifetime of the IPSec Phase 2 Security Association
- Message integrity method, also called message authentication
The Descriptors page allows you to manage Connection Security Descriptors:
  AES_SHA1_TUN       AES 128  HMAC SHA1  disabled  TUNNEL  6400  <unset>
  AES_MD5_TUN        AES 128  HMAC MD5   disabled  TUNNEL  6400  <unset>
  AES_SHA1_PFS_TUN   AES 128  HMAC SHA1  enabled   TUNNEL  6400  <unset>
  AES_MD5_PFS_TUN    AES 128  HMAC MD5   enabled   TUNNEL  6400  <unset>
  3DES_SHA1_TUN      3DES     HMAC SHA1  disabled  TUNNEL  6400  <unset>
  3DES_MD5_TUN       3DES     HMAC MD5   disabled  TUNNEL  6400  <unset>
  3DES_SHA1_PFS_TUN  3DES     HMAC SHA1  enabled   TUNNEL  6400  <unset>
  3DES_MD5_PFS_TUN   3DES     HMAC MD5   enabled   TUNNEL  6400  <unset>
  DES_SHA1_TUN       DES      HMAC SHA1  disabled
181. tive valid proposals in the IKE negotiations.
Page layout for pre-shared key authentication: When you click Use Preshared Key Authentication, the initial page is updated in the following way:
  Aggressive Mode
  Table (empty): Local ID; Remote ID; Local Network; Remote Network; State
  Use the fields below to add a new entry
  IKE Authentication: Preshared Secret; Confirm Secret; Local ID Type; Local ID; Remote ID Type; Remote ID
  Primary Untrusted Physical Interface; Inactivity Timeout (seconds) 3600
  IKE Security Descriptors: Descriptor (unset); Specify Additional Descriptors
  Items marked with * are mandatory
Chapter 3 Configuration via Local Pages
IKE Authentication with Preshared Key: When you select Use Preshared Key Authentication, the following fields have to be completed:
- Preshared Secret: A string to be used as a secret password for the VPN connection. This secret needs to be configured identically at both peers (local and remote).
- Confirm Secret: The Preshared Secret value is not shown in clear text in the SpeedTouch Web page. In order to protect from typing errors you have to type the key twice in order to confirm your original entry.
- Local ID Type and Local ID: The Local ID identifies the local SpeedTouch dur
182. to be tied to the correct IP connection. In the SpeedTouch the routing engine determines which interface is used for the VPN connection (your DSL connection to the Internet in most cases). So what is the relevance of selecting a physical interface? First of all, for incoming VPN connections where your SpeedTouch is the responder in the IKE negotiations, the interface is part of the matching process for accepting the connection. Selecting the default value any has the effect of removing this matching criterion. If you select a specific interface as Primary Untrusted Physical Interface, then a new incoming VPN connection on a backup interface is not accepted. Secondly, if your SpeedTouch is equipped with a backup physical interface (for example an ISDN backup interface), then this field determines the preferred interface for your VPN connection. This interface is used whenever it is available. When this interface fails, the active VPN connections are re-routed via the backup interface. When the primary interface becomes available again, the VPN connections are re-routed to the primary interface. On the other hand, when you select any as the Primary Untrusted Physical Interface and this interface fails, the active VPN connections are also re-routed to the backup interface, but when the DSL connection becomes available again the VPN connections are not re-routed as long as the backup connection is available. The IPSec peer can also be tied to th
183. trator of the corporate network does not have to worry about upgrades of the Operating System on the teleworker's computer (Microsoft Windows upgrades, new service packs). The operation of the VPN client in the SpeedTouch is not affected by these upgrades because it is OS independent.
- Since the VPN client is fully integrated in the SpeedTouch, it cannot be tampered with and is probably more secure than software residing on a computer.
- Adverse interactions with computer software such as firewalls, PPPoE clients, wireless drivers, viruses and worms are avoided. This guarantees better stability and fewer functionality problems.
In Expert Mode, click VPN > VPN Client. The VPN Client Connection Configuration page appears, which combines all VPN client settings on a single Web page. Perform the following steps to configure your VPN client:
1. In Expert Mode, select the VPN Client Web page from the VPN menu.
2. Fill out the various parameter fields in the VPN Client Web page.
3. Select the IKE Authentication method. Either Preshared Key or Certificate Authentication can be selected.
4. Select the Start Mechanism. Either manual dial-in or Automatic Start (Always On) can be selected.
5. Click Add to confirm the data and Save All to save the configuration.
The configuration pages you encounter during this procedure are described in detail below.
184. tribute, and is encountered when you configure the SpeedTouch via the Command Line Interface. For pre-shared key authentication this attribute holds the pre-shared key. For authentication with certificates it simply indicates the authentication method.
Chapter 2 SpeedTouch IPSec terminology
2.4 Peer (Phase 1)
What is: The Peer is a term that refers to the remote Security Gateway to which the IPSec secure tunnel(s) will be established. In a first phase, an IKE Security Association is negotiated between the SpeedTouch and a remote Security Gateway (peer). In the configuration of the SpeedTouch, the Peer bundles all the parameters required to negotiate an IKE Security Association (Phase 1 SA), such as:
- Address: The public IP address of the remote IPSec peer. Optionally a backup address can be defined.
- Local ID: The identity of the local peer, which is presented to the remote peer during the Phase 1 negotiation. Various identity types are supported, such as IP address, Distinguished Name, FQDN, etc.
- Remote ID: Similar to the Local ID, this parameter identifies the remote peer during the Phase 1 negotiation. Various identity types are supported, such as IP address, Distinguished Name, FQDN, etc.
- Authtype: Authentication method used, preshared key or with certificates.
- XAuth user and password: Allows for a secondary authentication based on a legacy authenti
185. try: Client descriptor name; Auth username; Auth password; Auth password confirmation; Gateway Vendor (unset); SOF Type (unset); Add
The configuration of a VPN client scenario is described in detail in section 3.2 VPN Client on page 51 and following. The application oriented VPN Client Web page is the recommended way to configure a VPN client.
Client descriptor name: This name is used internally to identify the VPN client Descriptor. This name appears in the Client/Server list on the Peer Profiles page.
Configuring XAuth: When you want to use Extended Authentication, you can fill out an XAuth Username and Password in the optional fields. Storing these parameters in the VPN Client Descriptor is required for always-on connections. Note: The XAuth Password is not shown in clear text; in order to protect from typing errors you have to confirm your entry. The use of XAuth is further explained in section 6.3 Extended Authentication (XAuth) on page 176 and following.
Gateway Vendor: The SpeedTouch can interact with VPN servers of various vendors. Because some vendors implement proprietary features, it is required to select the Gateway Vendor. The following vendors can be selected:
- generic: the VPN server is either a SpeedTouch or the vendor is unknown.
- Cisco: you connect to a Cisco VPN server. Cisco requires a Group ID to be specified for the VPN clients (see Set of Server Vendor specific paramet
186. tting of this VPN parameter. Used without additional parameters, the command displays:
- the VPN status
- the general behaviour of the SpeedTouch as a VPN network node
In the following example the VPN software is running, and AutoRoute and AutoProxyARP are enabled:
  >ipsec
  ipsec>config
  VPN Status          running
  VPN client/server
  AutoRoute           enabled
  AutoProxyARP        enabled
  ipsec>
The following VPN settings are controlled with the config command:
- VPN state
- AutoRoute
- AutoProxyARP
In the following example the VPN settings are controlled:
  ipsec>config
  state autoroute autoproxyarp
  ipsec>
  IPSec config autoroute
  enabled disabled
  ipsec>
  IPSec config autoroute enabled
  ipsec>
AutoRoute: The AutoRoute setting determines whether a route to the remote peer is automatically injected in the routing table. By default this option is enabled. When disabled, routes for the Security Associations have to be added manually in the routing table. This option is relevant in VPN client/server scenarios.
AutoProxyARP: The automatic addition of ProxyARP entries in VPN client/server scenarios can be enabled or disabled. By default this setting is enabled. When disabled, the ProxyARP entries have to be entered manually.
When do you need ProxyARP?
187. ty Descriptor: All security parameters required to establish a secure tunnel are grouped into a string called Security Descriptor, or simply descriptor. Two different sets of descriptors are defined:
- IKE session descriptors
- IPSec descriptors
A Descriptor contains the methods for message authentication, encryption and hashing, and the lifetime of the Security Association. A number of descriptors are pre-configured in the SpeedTouch. The user can modify these descriptors or define additional descriptors to fit his requirements.
The IKE descriptor contains the following parameters:
- Encryption method
- Message integrity method, also called message authentication
- Diffie-Hellman group used for key generation
- Lifetime of the Security Association
The IPSec descriptor contains the following parameters:
- Encryption method
- Message integrity method, also called message authentication
- Selection to use Perfect Forward Secrecy or not
- Lifetime of the Security Association
- Encapsulation method
Chapter 2 SpeedTouch IPSec terminology
2.9 Authentication Attribute
What is: Two main methods for authentication are supported in the SpeedTouch:
- pre-shared key
- certificates
The authentication parameters used for the IKE negotiations are bundled in the SpeedTouch in a descriptor with a symbolic name. This symbolic descriptor is called the Authentication At
188. ty Descriptors are pre-configured in the SpeedTouch and can be selected from a list. Select a Security Descriptor in compliance with the IPSec security parameters configured in the remote VPN server. For example, the pre-configured IPSec Security Descriptor AES_MD5_TUN, used in various examples throughout this document, contains the following settings:
  Parameter                          Value for AES_MD5_TUN
  Cryptographic function             AES
  Hash function                      HMAC-MD5
  Use of Perfect Forward Secrecy     0
  IPSec SA lifetime in seconds
  IPSec SA volume lifetime in kbytes
  The ESP encapsulation mode
The contents of the IPSec Security Descriptors can be verified via Advanced > Connections > Security Descriptors.
Exchange Mode: IKE specifies two modes of operation for the Phase 1 negotiations, main mode and aggressive mode. Main mode is more secure, while aggressive mode is quicker.
Server Vendor: The SpeedTouch can interact with VPN servers of various vendors. Because some vendors implement proprietary features, it is required to select the server vendor. The vendor specific features are reflected in the parameters required to dial in to the VPN server. This is explained in more detail below. The following vendors can be selected:
- generic: the VPN server is either a SpeedTouch or is unknown. You need to specify your e-mail address for the dial-in procedure (see Set of Server Vendor specific parameters on page 58).
- Cisco: you connect to a Cisco VPN server. Cis
190. unnel negotiations. In the configuration of the SpeedTouch, the Peer bundles all the parameters required to negotiate an IKE Security Association (Phase 1 SA), such as:
- Address: The public IP address of the remote IPSec peer. Optionally a backup address can be defined.
- Local ID: The identity of the local peer, which is presented to the remote peer during the Phase 1 negotiation. Various identity types are supported, such as IP address, Distinguished Name, FQDN, etc.
- Remote ID: Similar to the Local ID, this parameter identifies the remote peer during the Phase 1 negotiation. Various identity types are supported, such as IP address, Distinguished Name, FQDN, etc.
- Authtype: Authentication method used, preshared key or with certificates.
- XAuth user and password: Allows for a secondary authentication based on a legacy authentication system.
- Descriptor: Refers to the Phase 1 security descriptor.
The Peer parameters are explained in 4.4.1 Peer parameters on page 119.
How is it used: A Peer can be successfully configured from the moment a valid Authentication Attribute and a Peer Security Descriptor are present in the SpeedTouch.
In this section: The following topics are discussed in this section:
4.4.1 Peer parameters (119)
4.4.2 List all peer entities (123)
4.4.3 Create a new peer entity (124)
4.4.4 Set or modify the peer parameters (125)
4.4.5 Delete a Peer entity
192. username user1
  ipsec peer vpnserver xauthpool adduser poolname pool1 username user1
  ipsec peer vpnserver xauthpool>
The result of this operation can be verified with the listpool command:
  ipsec peer vpnserver xauthpool>listpool name pool1
  ipsec peer vpnserver xauthpool listpool name pool1
  Pool pool1 type chap
    Username user1  Password <unset>
  ipsec peer vpnserver xauthpool>
For the newly created vpnserver entity in this example the password is unset. Setting of the password is described in the next section.
Chapter 6 Advanced Features
6.6.8 Set or modify the password of an XAuth user (moduser command): The ipsec peer vpnserver xauthpool moduser command allows setting or modifying the XAuth user password.
Example: In this example the password of the previously defined user named user1 is set:
  ipsec peer vpnserver xauthpool>moduser poolname pool1 username user1 password
  Please retype password for verification
  password
  ipsec peer vpnserver xauthpool moduser poolname pool1 username user1 password _DEV_4FDCAAB92D454D3A
  ipsec peer vpnserver xauthpool>
Use the list command to verify the results of the operation:
  ipsec peer vpnserver xauthpool>listpool name pool1
  ipsec peer vpnserver xauthpool listpool name pool1
  Pool pool1 type chap
    Username user1  Password xxxxx
  ipsec peer vpnserver xauthpool>
193. Access to an IPSec connection can be restricted to specific protocols. This is optionally configured with the proto parameter. Valid entries are listed in the following table.

[Protocol table: the list of accepted protocol names did not survive in this copy; tcp and udp are among them, see below.]

Alternatively, any valid protocol number as assigned by IANA can be entered for the proto parameter.

If you want to restrict the protocols on your secure VPN link and you need multiple protocols, you define a new connection for every individual protocol. A separate IPSec tunnel is established for each protocol.

If tcp or udp is selected for the proto parameter, access to the IPSec connection can be further restricted to a single port number. Many well-known port numbers can be identified by their port name as well.

4.6.2 Create a New Network Descriptor (add command)

A new Network Descriptor is created with the ipsec connection network add command.

Example: In the following example a new Network Descriptor is created named net1:

ipsec> connection
ipsec connection> network
ipsec connection network> add name net1
ipsec connection network add name net1
ipsec connection network>

The result of this operation can be verified with the list command:

ipsec connec
194. ...ve mode is quicker. Aggressive mode with pre-shared key authentication, however, sends the peer identities in the clear and exposes the key-derived hash to offline guessing; use main mode whenever the remote gateway address is known, and a long random pre-shared key or certificates when aggressive mode is unavoidable.

You can use one of the following buttons:

> Aggressive mode: Switch to the Aggressive Mode configuration page. This page is shown by default when you click Remote Gateway Address Unknown.
> Main mode: Switch to the Main Mode configuration page.
> Use Preshared Key Authentication: Reveal additional parameter fields required for the configuration of Preshared Key Authentication.
> Use Certificate Authentication: Reveal additional parameter fields required for the configuration of Certificate Authentication.
> Specify Additional Descriptors: Reveal additional fields where you can specify alternative IKE Security Descriptors.
> Add a completely configured peer to the configuration.

Miscellaneous: Comprises the following settings.

> Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general the primary untrusted interface is your DSL connection to the public Internet. In the SpeedTouch the routing engine determines which interface is used for the VPN connection, your DSL connection to the Internet in most cases. So what is the relevance of selecting a physical interface? First of all, for incoming VPN connections where your SpeedTouch is the responder i
195. ...vidual port. A separate IPSec tunnel is established for each port.

IPSec Security Descriptors: The IPSec Security Descriptor bundles the security parameters used for the Phase 2 Security Association. A number of IPSec Security Descriptors are pre-configured in the SpeedTouch and can be selected from a list. Select a Security Descriptor in compliance with the IPSec security parameters configured in the remote Gateway. For example, the pre-configured IPSec Security Descriptor AES_MD5_TUN, used in various examples throughout this document, contains the following settings:

Parameter                            Value for AES_MD5_TUN
Cryptographic function               AES
Hash function                        HMAC-MD5
IPSec SA lifetime in seconds         86400 seconds (24 hours)
IPSec SA volume lifetime in kbytes
ESP encapsulation mode               tunnel

MD5 is deprecated for new deployments; where the remote gateway supports it, prefer a descriptor with a SHA-based hash function and keep AES_MD5_TUN only for peers that offer nothing better.

The contents of the IPSec Security Descriptors can be verified via the Advanced menu: select Connections and subsequently Security Descriptors.

When you click Specify Additional Descriptors, the IPSec Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IPSec Security Descriptors:

IPSec Security Descriptors
  Descriptor *   unset
  Descriptor 2   unset
  Descriptor 3   unset
  Descriptor 4   unset
Items marked with * are mandatory.

These will be used as alternative valid proposals in the Phase 2 negotiations.

Starting and stopp
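The per-protocol and per-port restriction described above (one connection, and thus one tunnel, per protocol or port) determines which packets the policy covers at all. The following added example, which is not the SpeedTouch's code, models that selection in Python: a constructed policy of three connections over constructed networks, with the proto/port fields following the page's rules (a port only with tcp or udp; names or IANA numbers accepted). Everything that no connection matches is outside the IPSec policy.

```python
# Added example (not the manual's code): a model of how an IPSec policy built
# from one connection per protocol (and per port for tcp/udp) selects traffic.
# Connections, packets and the network ranges below are constructed; the
# field names mirror the page's proto/port parameters and trusted networks.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The proto field accepts a name or an IANA number; normalise both to the
# number so that "tcp" and "6" compare equal.
IANA_NUMBERS = {"icmp": "1", "tcp": "6", "udp": "17", "gre": "47", "esp": "50", "ah": "51"}
PORT_PROTOCOLS = {"6", "17"}  # a port restriction is only meaningful for tcp or udp


def proto_key(proto: str) -> str:
    return IANA_NUMBERS.get(proto.lower(), proto)


@dataclass(frozen=True)
class Connection:
    name: str
    local_net: str              # local trusted network, e.g. "10.0.0.0/24"
    remote_net: str             # remote trusted network
    proto: str = "any"          # protocol name or IANA number
    port: Optional[int] = None  # remote port, only with tcp/udp

    def __post_init__(self):
        if self.port is not None and proto_key(self.proto) not in PORT_PROTOCOLS:
            raise ValueError(f"{self.name}: a port needs proto tcp or udp, not {self.proto}")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def matches(conn: Connection, pkt: Packet) -> bool:
    """True when the packet falls inside the connection's selector."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(conn.local_net):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(conn.remote_net):
        return False
    if conn.proto != "any" and proto_key(conn.proto) != proto_key(pkt.proto):
        return False
    if conn.port is not None and conn.port != pkt.dport:
        return False
    return True


def select_connection(policy, pkt: Packet) -> Optional[str]:
    """Name of the first connection (hence the tunnel) that carries the packet,
    or None when no connection covers it, i.e. the packet is outside the policy."""
    for conn in policy:
        if matches(conn, pkt):
            return conn.name
    return None


# Constructed policy: three protocols, three connections, three tunnels.
POLICY = [
    Connection("net1_ssh", "10.0.0.0/24", "192.168.1.0/24", "tcp", 22),
    Connection("net1_dns", "10.0.0.0/24", "192.168.1.0/24", "17", 53),  # udp given by number
    Connection("net1_icmp", "10.0.0.0/24", "192.168.1.0/24", "icmp"),
]
```

Running select_connection over the traffic you expect to protect is a cheap way to find the gaps: in the constructed policy, TCP port 443 towards the remote network matches nothing, so it would not travel through any of the three tunnels.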
196. ...when the DSL connection becomes available again, the VPN connections are not re-routed as long as the backup connection is available.

Virtual IP address mapping: Either dhcp or nat can be selected.

> Selecting dhcp as virtual IP address mapping has the effect that the virtual IP address attributed by the VPN server to the SpeedTouch VPN client is effectively assigned to the terminal. The SpeedTouch creates a new IP address pool, called a spoofing address pool, and uses this pool to provide a new IP address to the terminal that starts the secure connection. Simultaneous access to the VPN by multiple terminals in the LAN is not possible: the VPN server attributes a single virtual IP address from the originally used address pool. In order to have a swift renewal of IP addresses it is recommended to set a conveniently low lease time in the original dhcp address pool; a value of 60 seconds is suggested. The spoofing address pool inherits the lease time for IP addresses.

> Selecting nat as virtual IP address mapping has the effect that the VPN server attributes a virtual IP address to the SpeedTouch VPN client. This virtual IP address is stored in the SpeedTouch, which automatically creates a new NAT entry to map the virtual IP address to the IP addresses used on the local network. Simultaneous access to the VPN by multiple terminals is supported.

These settings allow you to limit the accessible area on the remote network.
197. ...wledged in due time by the remote peer, it is decided that the remote peer is dead.

dpd_timeout: This option determines the timeout value for the R-U-THERE messages. Within this period an R-U-THERE acknowledge message from the remote peer is expected.

Inactivity timeout: When no traffic is detected at the peer for a certain period, it is decided that the tunnel is not used any more and the IKE session is terminated. All IPSec connections supported by the IKE session are terminated as well. This option sets the value of the inactivity timer.

6.9.1 List all Peer Options lists (list command)

The ipsec peer options list command shows all previously created options lists.

Example: In the following example a list of all previously created options lists is shown:

ipsec
ipsec> peer
ipsec peer> options
ipsec peer options> list
opt1
  Local address       <unset>
  NAT-T               enabled
  DPD                 enabled
  DPD Idle Period     180 s
  DPD Xmits           3
  DPD Timeout         120 s
  Inactivity timeout  3600 s
ipsec peer options>

6.9.2 Create a Peer Options list (add command)

The ipsec peer options add command allows adding a new options list.

Example: In the following example a new options list is created named opt1:

ipsec> i
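To see what the DPD and inactivity values in the list output above mean in practice, the following added example (Python written for this page, not SpeedTouch code) steps a single IKE session through time with the opt1 values (idle period 180 s, 3 transmissions, 120 s timeout, 3600 s inactivity). The event timelines are constructed, and the timer semantics are an interpretation of the descriptions on this page rather than the device's implementation.

```python
# Added example (not code from the manual): a time-stepped model of the DPD
# and inactivity timers with the values shown in the opt1 list output
# (idle period 180 s, 3 transmissions, 120 s timeout, 3600 s inactivity).
# The event timelines are constructed; the timer semantics follow the page's
# descriptions and are an interpretation, not the device's implementation.
from dataclasses import dataclass


@dataclass
class PeerOptions:
    dpd_idle_period: int = 180  # seconds without anything from the peer before an R-U-THERE is sent
    dpd_xmits: int = 3          # R-U-THERE transmissions before the peer is declared dead
    dpd_timeout: int = 120      # seconds to wait for each R-U-THERE acknowledgement
    inactivity: int = 3600      # seconds without data traffic before the IKE session is dropped


def run_dpd(events, opts=PeerOptions(), horizon=4000):
    """Simulate one IKE session from t=0 (last traffic assumed at t=0).

    events: sorted (time, kind) tuples received from the peer, kind being
    "traffic" (protected data) or "ack" (R-U-THERE acknowledgement).
    Returns ("dead", t), ("inactive", t) or ("alive", horizon).
    """
    last_from_peer = 0   # resets the idle timer (data or ack)
    last_data = 0        # resets the inactivity timer (data only)
    probe_sent_at = None
    probes_sent = 0
    pending = list(events)
    for t in range(1, horizon + 1):
        while pending and pending[0][0] == t:
            _, kind = pending.pop(0)
            last_from_peer = t
            probe_sent_at, probes_sent = None, 0      # liveness proven, stop probing
            if kind == "traffic":
                last_data = t
        if t - last_data >= opts.inactivity:
            return ("inactive", t)
        if probe_sent_at is None:
            if t - last_from_peer >= opts.dpd_idle_period:
                probe_sent_at, probes_sent = t, 1     # first R-U-THERE
        elif t - probe_sent_at >= opts.dpd_timeout:
            if probes_sent >= opts.dpd_xmits:
                return ("dead", t)                    # every transmission went unanswered
            probe_sent_at, probes_sent = t, probes_sent + 1   # retransmit
    return ("alive", horizon)


# Constructed timelines.
SILENT_PEER = []                                          # nothing ever arrives
PEER_THEN_SILENT = [(100, "traffic")]                     # one packet, then silence
ACKS_ONLY = [(181 + 181 * k, "ack") for k in range(20)]   # answers every probe, sends no data
CHATTY_PEER = [(t, "traffic") for t in range(100, 3100, 100)]  # data every 100 s
```

With the opt1 values a peer that vanishes is declared dead after idle period + xmits x timeout = 180 + 3 x 120 = 540 s, and a peer that keeps answering R-U-THERE but never sends data is still torn down by the inactivity timer at 3600 s; those two numbers are what to tune when the goal is faster failover to the backup gateway.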
198. ipsec peer> modify
name = peer1
remoteaddr = 20.50.10.2
backupaddr =
exchmode = main
localid = addr 20.60.10.2
remoteid = addr 20.50.10.2
phyif = DIALUP_PPPOE
descr = AES_MD5
auth = secret1
client/server = serv1
options =
ipsec peer modify name peer1 client/server serv1
ipsec peer>

The result is shown when listing the peer entities:

ipsec peer> list
peer1
  Remote Address         20.50.10.2
  Backup Remote Address  <unset>
  Physical IF            DIALUP_PPPOE
  Exchange Mode          main
  Local Identifier       addr 20.60.10.2
  Remote Identifier      addr 20.50.10.2
  Descriptors            AES_MD5
  Authentication         secret1
  Client Server          VPN Client Descriptor
  Options                <unset>
ipsec peer>

6.6 Auth Users Pool

Introduction: In the previous section the application of the SpeedTouch as a VPN server was described. In addition to the IPSec authentication mechanisms, the clients may support the use of the XAuth protocol. In this case the SpeedTouch VPN server can serve as a database for authentication. This is done by attaching an XAuth user pool to the vpnserver entity. The XAuth user pools are populated with users. This section explains how to handle XAuth pools and users.

XAuth authenticates the user on top of the IKE Phase 1 authentication of the peer, not instead of it: the Phase 1 credentials of the vpnserver peer still have to be strong, because a party that can complete Phase 1 is the one that gets to ask the client for its XAuth password.

6.6.1 Parameters table

XAuth Pool parame
199. ...y Gateway as the end user of the secure connection. This setting is useful for a connection that serves secure remote management of the remote Security Gateway.

> a symbolic name of a network descriptor: This setting is used when the network environment at the remote side is completely known. This is often the case in a site-to-site application where the VPN structure and the use of specific ranges of IP addresses are under the control of a network manager.

Always-on connection (alwayson): This parameter determines whether the connection is permanently enabled or not. By default this parameter is set to disabled; in this case the IPSec connection is started only when traffic is sent that complies with the IPSec policy, or when the connection is started manually. When enabled, the connection is started as soon as the SpeedTouch is operational.

Descriptors (descr): One or more alternative security descriptors can be defined for a connection. If more than one descriptor is defined, the initiator presents these alternative proposals during the Phase 2 negotiations. The responder selects a descriptor complying with its capabilities. A responder with multiple descriptors matches the proposed security descriptors against its own capabilities and selects one preferred descriptor.

Options (options): This parameter refers to the symbolic name of an op

State (state):
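The descr rule above (initiator offers its list, responder picks the proposal it prefers among those it can satisfy) has a consequence worth checking before adding alternative descriptors: every descriptor you list is one a peer can steer the negotiation to. The following added example (Python written for this page, not SpeedTouch code) implements that responder rule and a check for deprecated transforms. AES_MD5_TUN carries the values shown earlier in this document; the AES_SHA1_TUN and DES_MD5_TUN names and values are assumed for the illustration.

```python
# Added example (not code from the manual): the Phase 2 proposal selection
# rule described above, with the AES_MD5_TUN descriptor from the page and two
# assumed alternatives (the SHA-based and DES-based names are invented here).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Descriptor:
    name: str
    crypto: str       # cryptographic function, e.g. AES
    hash_fn: str      # hash function, e.g. HMAC-MD5
    lifetime_s: int   # IPSec SA lifetime in seconds
    mode: str = "tunnel"

    def transform(self):
        """What a proposal actually offers; descriptor names are local and never sent."""
        return (self.crypto, self.hash_fn, self.mode)


AES_MD5_TUN = Descriptor("AES_MD5_TUN", "AES", "HMAC-MD5", 86400)     # values from the page
AES_SHA1_TUN = Descriptor("AES_SHA1_TUN", "AES", "HMAC-SHA1", 86400)  # assumed
DES_MD5_TUN = Descriptor("DES_MD5_TUN", "DES", "HMAC-MD5", 86400)     # assumed


def respond(proposals: List[Descriptor],
            own: List[Descriptor]) -> Optional[Tuple[Descriptor, Descriptor]]:
    """Responder side: walk its own descriptors in preference order and accept the
    first initiator proposal with the same transform, so the responder's order wins.
    Returns (own descriptor, matched proposal), or None when nothing is acceptable."""
    for mine in own:
        for theirs in proposals:
            if mine.transform() == theirs.transform():
                return mine, theirs
    return None


DEPRECATED = {"HMAC-MD5", "DES"}


def downgrade_exposure(descriptors: List[Descriptor]) -> List[str]:
    """Names of configured descriptors that use a deprecated primitive. Merely listing
    one as an alternative makes it an acceptable outcome of the negotiation."""
    return [d.name for d in descriptors
            if d.hash_fn in DEPRECATED or d.crypto in DEPRECATED]
```

The second assertion in the test below is the point: a responder that lists AES_MD5_TUN ahead of a SHA-based descriptor will settle on MD5 even when the initiator offered both, so order the responder's descriptors from strongest to weakest and drop the weak ones once no peer still needs them.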
