(security configuration command).pdf

Post on 02-Apr-2018

7/27/2019 (Security Configuration Command).PDF

User Manual - Command Reference (Volume 3)
Versatile Routing Platform

Table of Contents

Chapter 1 AAA and RADIUS Configuration Commands .... 1-1
1.1 aaa accounting optional .... 1-1
1.2 aaa authentication local-first .... 1-2
1.3 aaa authentication login .... 1-2
1.4 aaa authentication ppp .... 1-4
1.5 aaa-enable .... 1-6
1.6 ip local pool .... 1-6
1.7 peer default ip address .... 1-7
1.8 radius-server dead-time .... 1-8
1.9 radius-server host .... 1-9
1.10 radius-server key .... 1-9
1.11 radius-server realtime-acct-timeout .... 1-10
1.12 radius-server retransmit .... 1-11
1.13 radius-server timeout .... 1-11
1.14 user callback-dialstring .... 1-12
1.15 user calling-station-id .... 1-13
1.16 user ftp-directory .... 1-13
1.17 user password .... 1-14
1.18 user service-type .... 1-15
1.19 show aaa user .... 1-16
1.20 show user .... 1-16
1.21 debug radius .... 1-17
Chapter 2 Terminal Access Security Configuration Commands .... 2-1
2.1 enable password .... 2-1
2.2 login .... 2-1
Chapter 3 Firewall Configuration Commands .... 3-1
3.1 access-list .... 3-1
3.2 clear access-list counters .... 3-4
3.3 firewall .... 3-4
3.4 firewall default .... 3-5
3.5 ip access-group .... 3-6
3.6 settr .... 3-6
3.7 timerange .... 3-7
3.8 show access-list .... 3-8
3.9 show firewall .... 3-9
3.10 show isintr .... 3-10
3.11 show timerange .... 3-10
3.12 debug filter .... 3-11
Chapter 4 IPSec Configuration Commands .... 4-1
4.1 ah-new hash .... 4-1
4.2 clear crypto sa .... 4-2
4.3 clear crypto statistics .... 4-3
4.4 crypto ipsec sa lifetime .... 4-4
4.5 crypto ipsec transform .... 4-5
4.6 crypto map (global mode) .... 4-6
4.7 crypto map (interface mode) .... 4-7
4.8 esp-new encrypt .... 4-8
4.9 esp-new hash .... 4-9
4.10 match address .... 4-10
4.11 mode .... 4-11


4.12 set local-address .... 4-12
4.13 set peer .... 4-13
4.14 set sa lifetime .... 4-14
4.15 set session-key .... 4-15
4.16 set transform .... 4-17
4.17 transform .... 4-18
4.18 show crypto ipsec sa .... 4-18
4.19 show crypto ipsec sa lifetime .... 4-20
4.20 show crypto ipsec statistics .... 4-20
4.21 show crypto ipsec transform .... 4-21
4.22 show crypto map .... 4-22
4.23 debug ipsec .... 4-23
Chapter 5 IKE Configuration Commands .... 5-1
5.1 authentication .... 5-1
5.2 clear crypto ike sa .... 5-2
5.3 crypto ike key .... 5-2
5.4 crypto ike policy .... 5-3
5.5 encryption .... 5-4
5.6 group .... 5-5
5.7 hash .... 5-6
5.8 lifetime .... 5-6
5.9 show crypto ike policy .... 5-7
5.10 show crypto ike sa .... 5-8
5.11 debug ike .... 5-9


Chapter 1 AAA and RADIUS Configuration Commands

    AAA and RADIUS configuration commands include:

• aaa accounting optional
• aaa authentication local-first
• aaa authentication login
• aaa authentication ppp
• aaa-enable
• ip local pool
• peer default ip address
• radius-server dead-time
• radius-server host
• radius-server key
• radius-server realtime-acct-timeout
• radius-server retransmit
• radius-server timeout
• user callback-dialstring
• user calling-station-id
• user ftp-directory
• user password
• user service-type
• show aaa user
• show user
• debug radius

    1.1 aaa accounting optional

To turn on the AAA accounting option switch, use the aaa accounting optional command. To return to the default, use the no form of this command.

    aaa accounting optional

    no aaa accounting optional

    Default

    no aaa accounting optional, that is, accounting must be performed on the user.

    Command Mode

    Global configuration mode

    Usage Guideline

If the aaa accounting optional command is configured, then when the RADIUS accounting server is not available or communication with it fails, the user can continue to use the network resources. Otherwise the user will be disconnected.

This command is often used in the case of authentication without accounting. If this command is configured, and no accounting server is available after authentication succeeds, the user stays connected. In this way, this command helps achieve the purpose of authentication without accounting.

    Example

    ! The following example turns on the AAA accounting option switch.

    Quidway(config)#aaa accounting optional

    Related Command

    aaa-enable, aaa authentication login, aaa authentication ppp

    1.2 aaa authentication local-first

To enable AAA authentication local first, use the aaa authentication local-first command. To return to the default, so as to disable AAA authentication local first, use the no form of this command.

    aaa authentication local-first

    no aaa authentication local-first

    Default

    no aaa authentication local-first.

    Command Mode

    Global configuration mode

    Usage Guideline

When AAA authentication local first is used, the user is authenticated locally first. If that authentication fails, the user is then authenticated by the methods in the configured authentication method list.

A user who has passed authentication local first still needs to be accounted for (charged) via the RADIUS server. If accounting is unnecessary, this can be achieved by dispensing with the accounting server and configuring the aaa accounting optional command.

When AAA authentication local first is configured, it takes effect for all applications using AAA, including ppp and login, which then all adopt authentication local first.

    Related Command

    aaa authentication login, aaa authentication ppp

    1.3 aaa authentication login

    To configure the AAA login method list, use the aaa authentication login command.

    To cancel the configured AAA login method list, use the no form of this command.

    aaa authentication login { default | list-name } { method1 } [ method2 ... ]


    no aaa authentication login { default | list-name }

    Syntax Description

    default Default login authentication method list name.

    list-name Method list name input by the user.

method Authentication method. There are three authentication methods, as listed below:

• radius Authentication and accounting via the RADIUS server
• local Local authentication, and accounting via the RADIUS server
• none All users can access the network without any authentication or accounting

Note:

1) Both the radius and local methods perform accounting via the RADIUS server. If accounting is unnecessary, you need not configure an accounting server; use the aaa accounting optional command so that authentication can complete without it.

2) Only one login authentication method list can be configured, although different names can be used. A subsequently configured method list overrides the previous one, and all login services using AAA adopt this method list.

When you are configuring the authentication method list, at least one authentication method must be specified. When multiple authentication methods are specified, method1 is used first during login authentication. If an error occurs during that authentication (such as failing to set up communication with the RADIUS server), method2 is used, and so on. If authentication fails (that is, the access is rejected as illegal) with a given method, the following methods are not used and authentication is terminated. In addition, the none method is meaningful only when it is placed at the end.

Note:

A subsequent authentication method is used only when the current one cannot proceed normally, not when it fails. "Unable to proceed normally" means that communication with the RADIUS server fails, so only the radius method can be unable to proceed.

Not all method combinations are valid. The five permitted combinations are listed as follows:

aaa authentication login default none

aaa authentication login default local

aaa authentication login default radius

aaa authentication login default radius none

aaa authentication login default radius local


    Default

    local authentication

    Command Mode

    Global configuration mode

    Usage Guideline

In the AAA login authentication method list, three authentication methods can be specified: local, radius and none. local authenticates via the local database, radius authenticates via the RADIUS server, and none indicates that no authentication is conducted.

The local database is configured via the user command.

For non-default method lists, the no aaa authentication login command deletes the method list; for the default method list, it restores the default method, local authentication.

    Example

! The following example configures the login default authentication method list with the following requirements: use the RADIUS server for authentication first; if no acknowledgement is received, then change to local authentication.

    Quidway(config)#aaa authentication login default radius local

    Related Command

aaa authentication local-first, user callback-dialstring, user calling-station-id, user ftp-directory, user password, user service-type

    1.4 aaa authentication ppp

To configure the AAA PPP authentication method list, use the aaa authentication ppp command. To return to the default, so as to cancel the AAA PPP authentication list, use the no form of this command.

    aaa authentication ppp { default | list-name } { method1 } [ method2 ... ]

    no aaa authentication ppp { default | list-name }

    Syntax Description

default PPP default authentication method list name. This method list is used by default if no authentication method is specified at the interface encapsulated with PPP.

list-name Method list name input by the user. It needs to be used together with the ppp authentication command so that this list-name can be used for PPP authentication at a certain interface.

method Authentication method, one of the following three:

• radius Authentication and accounting via the RADIUS server
• local Authentication carried out locally (please consult the PPP configuration), accounting via the RADIUS server
• none All users can access the network without any authentication; no accounting

Both the radius and local methods perform accounting via the RADIUS server. If accounting is unnecessary, you need not configure an accounting server; use the aaa accounting optional command so that authentication can complete without it.

    Multiple PPP authentication method lists can be configured for different interfaces.

When you are configuring the authentication method list, at least one authentication method must be specified. When multiple authentication methods are specified, method1 is used first during PPP authentication. If an error occurs during that authentication (such as failing to set up communication with the RADIUS server), method2 is used, and so on. If authentication fails (that is, the access is rejected as illegal) with a given method, the following methods are not used and authentication is terminated. In addition, the none method is meaningful only when it is placed at the end.

A subsequent authentication method is used only when the current one cannot proceed normally, not when it fails. "Unable to proceed normally" means that communication with the RADIUS server fails, so only the radius method can be unable to proceed.

The five permitted combinations are:

aaa authentication ppp default none

aaa authentication ppp default local

aaa authentication ppp default radius

aaa authentication ppp default radius none

aaa authentication ppp default radius local

    Default

    default authentication method list

    Command Mode

    Global configuration mode

    Usage Guideline

PPP's CHAP or PAP authentication is only an authentication process, via which such information as the peer username and password is authenticated. AAA determines whether the authentication succeeds.

In AAA's PPP authentication method list, three authentication methods can be specified: local, radius and none. local authenticates via the local database, radius authenticates via the RADIUS server, and none indicates that no authentication is conducted.

The local database is configured through the user and no user commands.


For non-default method lists, the no aaa authentication ppp command deletes the method list; for the default method list, it restores the default method to its default state, that is, local authentication.

    Example

! The following example configures the PPP default authentication method list with the following requirements: use the RADIUS server for authentication first; if no acknowledgement is received, then change to local authentication.

    Quidway(config)#aaa authentication ppp default radius local

    Related Command

aaa authentication local-first, ppp authentication, user password, user callback-dialstring, user calling-station-id, user ftp-directory, user service-type
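The method-list rules stated for aaa authentication login (1.3) and aaa authentication ppp (1.4), as an added Python simulation that is not part of this manual or of the VRP software: a later method is tried only when the current one cannot proceed (RADIUS unreachable), never after a reject, and aaa authentication local-first is consulted before the list. The local database, the RADIUS outcomes and the Result type are constructed for the demonstration.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"              # authentication succeeded
    REJECT = "reject"              # authentication failed: later methods are not tried
    UNREACHABLE = "unreachable"    # method could not proceed: fall through to the next


# The five method-list combinations the manual permits, in evaluation order.
PERMITTED = {
    ("none",),
    ("local",),
    ("radius",),
    ("radius", "none"),
    ("radius", "local"),
}

# Constructed local user database (what the user command would build): user -> password.
LOCAL_USERS = {"quidway": "huawei"}


def is_permitted(methods):
    return tuple(methods) in PERMITTED


def local_check(user, password):
    # local: consult the local database; a wrong password is a reject, not an error.
    return Result.ACCEPT if LOCAL_USERS.get(user) == password else Result.REJECT


def radius_check(user, password, radius):
    """radius is a constructed stand-in for the server: None models a server that
    cannot be reached (the only case in which a method 'cannot proceed');
    otherwise it is a dict of the credentials the server accepts."""
    if radius is None:
        return Result.UNREACHABLE
    return Result.ACCEPT if radius.get(user) == password else Result.REJECT


def run_method_list(methods, user, password, radius, local_first=False):
    """Evaluate one login against a method list.
    Returns (final Result, trace of (method, Result) pairs in the order tried)."""
    methods = tuple(methods)
    if not is_permitted(methods):
        raise ValueError("method combination not permitted: %r" % (methods,))
    trace = []
    if local_first:
        # aaa authentication local-first: the local database is consulted first and
        # the configured list is used only if that local check fails.
        r = local_check(user, password)
        trace.append(("local-first", r))
        if r is Result.ACCEPT:
            return r, trace
    for m in methods:
        if m == "none":
            r = Result.ACCEPT            # none: no authentication at all
        elif m == "local":
            r = local_check(user, password)
        else:
            r = radius_check(user, password, radius)
        trace.append((m, r))
        if r is not Result.UNREACHABLE:
            # ACCEPT ends the list successfully; REJECT terminates authentication.
            return r, trace
    # Every configured method was unable to proceed: the login is not accepted.
    return Result.REJECT, trace
```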

    1.5 aaa-enable

To enable AAA, use the aaa-enable command. To return to the default, so as to disable AAA, use the no form of this command.

    aaa-enable

no aaa-enable

    Default

    no aaa-enable

    Command Mode

    Global configuration mode

    Usage Guideline

    Only when AAA is enabled can other parameters of AAA be configured.

    Example

    ! The following example enables AAA.

    Quidway(config)#aaa-enable

    1.6 ip local pool

To specify the local IP pool for allocating IP addresses to PPP users, use the ip local pool command. To return to the default, so as to cancel the local IP pool, use the no form of this command.

    ip local pool pool-number low-ip-address [ high-ip-address ]

no ip local pool pool-number


    Syntax Description

pool-number Number of the IP address pool, ranging from 0 to 99; that is, at most 100 local IP address pools can be defined.

low-ip-address and high-ip-address Start and end IP address, respectively, of the IP address pool.

    Default

    no ip local pool.

    Command Mode

    Global configuration mode

    Usage Guideline

The IP address pool is mainly used to allocate IP addresses to PPP users.

If the end IP address is not specified when an IP pool is defined, the pool contains only one IP address, the start IP address.

    Example

! The following example configures local IP pool 0, in which addresses range from 129.102.0.1 to 129.102.0.10.

    Quidway(config)#ip local pool 0 129.102.0.1 129.102.0.10

    Related Command

    peer default ip address

    1.7 peer default ip address

To allocate an IP address to a PPP user, use the peer default ip address command. To return to the default, so as to cancel the IP address of a PPP user, use the no form of this command.

peer default ip address { ip-address | pool [ pool-number ] }

    no peer default ip address

    Syntax Description

    ip-address IP address allocated for a PPP user.

    pool-number IP address pool allocated for a PPP user.

    Default

    Address in the IP address pool 0 allocated for a PPP user.


    Command Mode

    Interface configuration mode

    Usage Guideline

Only when PPP is encapsulated at the interface can you configure an IP address for the peer PPP user at this interface.

    Example

! The following example encapsulates PPP at interface Serial0 and allocates 129.102.0.1 to the peer PPP user.

    Quidway(config-if-Serial0)#encapsulation ppp

    Quidway(config-if-Serial0)#peer default ip address 129.102.0.1

    Related Command

    encapsulation ppp, ip local pool

    1.8 radius-server dead-time

To configure the resuming time after the RADIUS server fails, use the radius-server dead-time command. To return to the default, use the no form of this command.

    radius-server dead-time minutes

    no radius-server dead-time

    Syntax Description

minutes Recovery time after the server fails, in minutes. Ranging from 1 to 255.

    Default

    5 minutes.

    Command Mode

    Global configuration mode

    Usage Guideline

When the RADIUS server fails (for example, the line between the NAS and the RADIUS server is disconnected, or the RADIUS process stops functioning), the system sets the server's status to down. After the resuming time configured here has elapsed, the system sets its status back to up. If the server currently in service then fails, the system automatically checks whether the original server can be put back into service.

    Example

! The following example configures 10 minutes as the resuming time after the failure of the RADIUS server.

Quidway(config)#radius-server dead-time 10

    1.9 radius-server host

To configure the host IP address (or hostname) of the RADIUS server, its authentication port number and its accounting port number, use the radius-server host command. To return to the default, so as to cancel the RADIUS server with the specified host IP address or hostname, use the no form of this command.

radius-server host { hostname | ip-address } [ auth-port port-number ] [ acct-port port-number ]

    no radius-server host { hostname | ip-address }

    Syntax Description

    hostname Host name of the RADIUS server.

    ip-address IP address of the RADIUS server, in dotted decimal.

    auth-port Authentication port number specified.

acct-port Accounting port number specified.

port-number Listening port number of the RADIUS server. 0 indicates that the RADIUS authentication or accounting function, respectively, is not used.

    Default

    Authentication port number: 1812, and accounting port number: 1813.

    Command Mode

    Global configuration mode

    Usage Guideline

The user can execute this command many times to configure multiple RADIUS servers. In the order in which they were configured, the system automatically selects the next server when a server fails, until the last server fails.

    The system can configure three RADIUS servers at most.

    Example

! The following example specifies the host with IP address 129.102.0.2 as an authentication server only, with authentication port number 1000.

    Quidway(config)#radius-server host 129.102.0.2 auth-port 1000 acct-port 0

    1.10 radius-server key

To configure the key for the RADIUS server, use the radius-server key command. To return to the default, so as to delete the key of the RADIUS server, use the no form of this command.


radius-server key string

    no radius-server key

    Syntax Description

    string Key of the RADIUS server, ranging 1 to 16 characters.

    Command Mode

    Global configuration mode

    Usage Guideline

The key is used to encrypt the user's password and to generate the Response Authenticator. The configured key must be the same as that specified on the RADIUS server.

    Example

    ! The following example configures the key of the RADIUS server as Quidway.

    Quidway(config)#radius-server key Quidway
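The two uses of the key named in the guideline above, as an added Python example that is neither this manual's nor the product's code: User-Password hiding in the Access-Request and the Response Authenticator with which the NAS checks that a reply came from a server holding the same key, both as specified in RFC 2865. It uses the key Quidway from the example; the Request Authenticator, reply packet and attribute bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def new_request_authenticator():
    """The 16 random bytes the NAS places in each Access-Request."""
    return os.urandom(16)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): pad the password to a multiple
    of 16 bytes with NULs and XOR each block with MD5(secret + previous block),
    where the 'previous block' for the first block is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the server performs it; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Constructed server reply carrying a valid Response Authenticator."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """NAS-side check of a reply: recompute the Response Authenticator from the
    packet fields and the configured key. A mismatch means the key differs from
    the server's, or the reply was forged or altered, and it must be discarded."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[HEADER_LEN:], request_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)
```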

    1.11 radius-server realtime-acct-timeout

To configure the timeout value for transmitting real-time accounting packets to the RADIUS server, use the radius-server realtime-acct-timeout command. To return to the default, use the no form of this command.

radius-server realtime-acct-timeout minutes

    no radius-server realtime-acct-timeout

    Syntax Description

minutes Timeout value for real-time accounting packet transmission, in seconds. Ranging from 0 to 32767.

    Default

0 seconds.

    Command Mode

    Global configuration mode

    Usage Guideline

After the user passes authentication, the NAS sends the user's real-time accounting information to the RADIUS server at the specified interval. If a real-time accounting request fails, the user is handled according to the configuration of the aaa accounting optional command: if that command is configured, the NAS allows the user to continue using the network service; otherwise the NAS disconnects the user.


    Example

! The following example sets the timeout value for transmitting RADIUS real-time accounting packets to two minutes.

    Quidway(config)#radius-server realtime-acct-timeout 2

    1.12 radius-server retransmit

To set the number of times a request packet is retransmitted to the RADIUS server, use the radius-server retransmit command. To return to the default, use the no form of this command.

    radius-server retransmit retries

    no radius-server retransmit

    Syntax Description

retries Number of times a request packet is retransmitted to the RADIUS server. Ranging from 1 to 255.

    Default

    3 times.

    Command Mode

    Global configuration mode

    Usage Guideline

If no acknowledgement is received from the RADIUS server within the timeout value after an AAA request is sent to it, the AAA request must be retransmitted. If the number of retries of an AAA request exceeds the specified number, the server is deemed unable to work normally any more.

    Example

! The following example sets the number of times a request packet is retransmitted to the RADIUS server to 2.

    Quidway(config)#radius-server retransmit 2

    1.13 radius-server timeout

To set the timeout value of the RADIUS server, use the radius-server timeout command. To return to the default, use the no form of this command.

    radius-server timeout seconds

    no radius-server timeout

    Syntax Description

seconds Timeout value for the RADIUS server, in seconds. Ranging from 1 to 65535.


    Default

    10 seconds.

    Command Mode

    Global configuration mode

    Usage Guideline

When a reply is required for a packet that has been sent (an authentication request, for example), the timeout value sets how long the router waits for it; if no reply arrives within that time the packet is retransmitted, up to the limit set by radius-server retransmit.

    Example

    ! The following example sets the timeout value for the RADIUS server to 5 seconds.

    Quidway(config)#radius-server timeout 5
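How radius-server timeout, radius-server retransmit and radius-server dead-time combine on the NAS side, as an added example that is not part of this manual or of VRP: a client on a simulated clock tries each server with one initial send plus retries retransmissions, charges a full timeout for every unanswered attempt, and marks an unresponsive server dead so the next login does not pay that cost again. The counting of attempts, the dead-time unit (seconds), the server addresses and the reply bytes are assumptions made for the demo.

```python
"""Added example, not VRP code: how radius-server timeout, retransmit and dead-time
interact on the NAS side. A simulated clock replaces sockets and real waiting."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

class Clock:
    """Simulated monotonic clock so the example runs instantly and deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

@dataclass
class RadiusServer:
    host: str
    dead_until: float = 0.0        # the server is skipped until the clock passes this point

@dataclass
class RadiusClient:
    timeout: float = 10.0          # radius-server timeout, page default 10 s
    retransmit: int = 3            # radius-server retransmit, page default 3
    dead_time: float = 300.0       # radius-server dead-time; seconds and 300 are assumptions
    servers: List[RadiusServer] = field(default_factory=list)

    def request(self, packet: bytes, transport: Callable[[str, bytes], Optional[bytes]],
                clock: Clock) -> Tuple[Optional[bytes], float]:
        """Send one AAA request: an initial transmission plus `retransmit` retransmissions
        per live server (assumed counting). An unanswered attempt costs `timeout` seconds;
        when every attempt to a server fails it is declared dead for `dead_time` seconds.
        Returns (reply or None, seconds the user waited)."""
        start = clock.now
        for srv in self.servers:
            if srv.dead_until > clock.now:
                continue                          # still inside its dead-time: skip it
            for _attempt in range(1 + self.retransmit):
                reply = transport(srv.host, packet)
                if reply is not None:
                    return reply, clock.now - start
                clock.advance(self.timeout)       # no acknowledgement within the timeout
            srv.dead_until = clock.now + self.dead_time
        return None, clock.now - start

def worst_case_wait(timeout: float, retransmit: int, live_servers: int) -> float:
    """Longest a login can hang before every live server has been declared dead."""
    return timeout * (1 + retransmit) * live_servers

def demo() -> Tuple[float, float, float]:
    # Constructed transport: the primary never answers, the secondary always does.
    replies = {"10.0.0.1": None, "10.0.0.2": b"Access-Accept"}
    transport = lambda host, pkt: replies[host]
    client = RadiusClient(timeout=5, retransmit=2, dead_time=60,
                          servers=[RadiusServer("10.0.0.1"), RadiusServer("10.0.0.2")])
    clock = Clock()
    reply1, wait1 = client.request(b"Access-Request", transport, clock)  # 3 x 5 s on primary
    reply2, wait2 = client.request(b"Access-Request", transport, clock)  # primary skipped
    assert reply1 == reply2 == b"Access-Accept"
    return wait1, wait2, client.servers[0].dead_until

if __name__ == "__main__":
    print(demo())                      # (15.0, 0.0, 75.0)
    print(worst_case_wait(10, 3, 2))   # 80.0 with the page defaults and two servers
```

The first login in demo() waits 15 seconds on the dead primary before the secondary answers; the second login is served at once because the primary is inside its dead-time. With the page defaults and no dead-time, every login would pay the full 40 seconds per unreachable server.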

    1.14 user callback-dialstring

To set a callback user and the callback number, use the user callback-dialstring command. To return to the default, that is, to cancel the callback user and number, use the no form of this command.

user user [ callback-dialstring telephone-number ]

no user user

    Syntax Description

    user Username.

telephone-number  The user's callback telephone number.

    Default

    No user.

    Command Mode

    Global configuration mode

    Usage Guideline

    This command can be used together with the user password command.

    Example

! The following example adds a user named quidway whose password is huawei (shown ciphered when displayed) and whose callback number is 91882195.

Quidway(config)#user quidway callback-dialstring 91882195 password 7 huawei


    Related Command

show user, user password, aaa authentication ppp, ppp callback, dialer caller, dialer callback-server

    1.15 user calling-station-id

To set a calling ID for a user, use the user calling-station-id command. To return to the default, that is, to cancel the user's calling ID, use the no form of this command.

user user [ calling-station-id telephone-number [ :sub-telephone-number ] ]

no user user

    Syntax Description

    user Username.

telephone-number, sub-telephone-number  The user's calling ID and calling sub-ID.

    Default

    No user.

    Command Mode

    Global configuration mode

    Usage Guideline

This command can be used together with the user password command. It gives an ISDN user double authentication: password plus calling ID. Once a calling-station-id is configured for a user, calling ID authentication of that user is mandatory.

    Example

! The following example adds a user named quidway whose password is huawei (shown ciphered when displayed), calling ID 91882195 and calling sub-ID 2122.

Quidway(config)#user quidway calling-station-id 91882195:2122 password 7 huawei

    Related Command

    show user, user password, aaa authentication ppp

    1.16 user ftp-directory

To set the FTP directory of a user in the authentication database, use the user ftp-directory command. To return to the default, that is, to delete the setting, use the no form of this command.

user user [ ftp-directory directory ]

no user user


    Syntax Description

    user Username.

    directory Directory accessible to user.

    Default

No directory is set.

    Command Mode

    Global configuration mode

    Usage Guideline

This command is reserved for future extension. Because it is not yet in effect, do not rely on the directory setting to restrict what an FTP user can reach.

    Example

! The following example adds a user named quidway whose password is huawei (shown ciphered when displayed) and whose accessible directory is \huawei\lst\.

Quidway(config)#user quidway ftp-directory \huawei\lst\ password 7 huawei

    Related Command

    user password, aaa authentication login

    1.17 user password

To add a user to the local database for authentication, use the user password command. To return to the default, that is, to delete the user, use the no form of this command.

user user [ password { 0 | 7 } password ]

no user user

    Syntax Description

user  Username, 1 to 32 characters.

password  User password for authentication, 1 to 16 characters (letters or digits).

0  The password is displayed in plain text.

7  The password is displayed in ciphered text.

    Default

    Authentication password.

    Command Mode

    Global configuration mode


    Usage Guideline

The user database can be used for CHAP or PAP authentication. Store passwords with the 7 keyword so that they are displayed in ciphered text. Note that this ciphering protects the display only: because CHAP requires the router to know the plaintext password in order to compute and check the response, the ciphered form is reversible, so the configuration file must be protected like any other secret.

    Example

! The following example adds a user whose name and password are both Quidway1, with the password displayed in ciphered text.

Quidway(config)#user Quidway1 password 7 Quidway1

    Related Command

    show user, ppp chap host, ppp pap sent-username
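Why the ciphered password in the local database has to stay recoverable, shown as an added example that is not part of this manual or of VRP: a CHAP exchange per RFC 1994, in which the authenticator recomputes MD5(identifier || secret || challenge) and therefore needs the user's plaintext secret. The user database, identifiers, challenge bytes and function names are constructed for the demo; hmac.compare_digest does the constant-time comparison.

```python
"""Added example, not VRP code: a CHAP exchange (RFC 1994) against the local user
database, showing that the authenticator needs the user's plaintext secret."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed user database: what `user quidway password 7 huawei` stores, with the
# ciphered form decoded back to the plaintext the CHAP computation needs.
LOCAL_USERS = {"quidway": "huawei"}

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def peer_reply(username: str, password: str, identifier: int, challenge: bytes):
    """Peer (PPP client) side: answer the Challenge with its own copy of the secret."""
    return username, chap_response(identifier, password, challenge)

def authenticator_verify(username: str, response: bytes, identifier: int,
                         challenge: bytes) -> bool:
    """NAS side: look the user up, recompute the expected Response and compare in
    constant time. A one-way hash of the password could not perform this step."""
    secret = LOCAL_USERS.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def run_exchange(username: str, password: str, identifier: int = 1,
                 challenge: Optional[bytes] = None) -> bool:
    """Challenge -> Response -> Success/Failure, with a fresh random challenge."""
    challenge = challenge or os.urandom(16)
    name, response = peer_reply(username, password, identifier, challenge)
    return authenticator_verify(name, response, identifier, challenge)

def replay_demo() -> Tuple[bool, bool]:
    """A captured Response is useless against a new Challenge."""
    old_chal, new_chal = os.urandom(16), os.urandom(16)
    name, captured = peer_reply("quidway", "huawei", 7, old_chal)
    return (authenticator_verify(name, captured, 7, old_chal),
            authenticator_verify(name, captured, 8, new_chal))
```

The same property holds for PAP, which sends the password itself, so in both cases `password 7` keeps the secret out of a casual `show user` but not out of the hands of anyone who can read or decode the configuration.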

    1.18 user service-type

To set the service types a user is authorized to use, use the user service-type command. To return to the default, that is, to delete the setting, use the no form of this command.

user user [ service-type { exec | ftp | ppp } ... ]

no user user

    Syntax Description

exec  The user may use EXEC, that is, log on to the router to make configurations via Telnet or other methods (Console port, AUX port, X.25 PAD calling and so on).

ftp  The user may use FTP.

ppp  The user may use PPP.

    Default

    PPP

    Command Mode

    Global configuration mode

    Usage Guideline

    This command can be used together with the user password command.

To authorize a single service, configure one of the three service-type parameters (exec, ftp or ppp). To authorize more than one service, give all the needed parameters in one command after service-type rather than entering the command several times, because each newly configured service type replaces the previous one instead of being added to it.


    Example

! The following example lets the user quidway (password huawei) log on to the router to make configurations.

    Quidway(config)#user quidway password 7 huawei service-type exec

    Related Command

    user password, aaa authentication login, aaa authentication ppp

    1.19 show aaa user

To show the status of dial-in users, use the show aaa user command.

    show aaa user

    Command Mode

    Privileged user mode.

    Usage Guideline

The output of this command lets you monitor dial-in users and diagnose AAA faults.

    Example

    Quidway#show aaa user

User Name   UserID   UserType   IP Address      AccountingTime   Calling Number
Larry       2        PPP        10.110.10.100   00:48:10         1234567
Total User: 1

The output shows the username, user ID, user type, IP address of the user, accounting time, calling number and so on.

    1.20 show user

To show the local user database, use the show user command.

show user

    Command Mode

    Privileged user mode

    Usage Guideline

The output of this command includes the usernames and passwords configured for authentication. A password is shown in plain text or in ciphered text according to whether 0 or 7 was used in the user user password command; use 7 so that anyone who can run show user or read the configuration does not see the plaintext.

    Example

    Quidway# show user


No.   username   logintimes   failed times
------------------------------------------------------
1     huawei     325          12

The output shows the username, the number of times local authentication has succeeded for that username, and the number of times it has failed because of a wrong password. A failed-times count that keeps rising while logintimes stays flat is the signature of password guessing against that account.

    1.21 debug radius

To enable RADIUS debugging, use the debug radius command.

    debug radius { event | packet | primitive }

    Syntax Description

    event Enable the RADIUS event debugging.

    packet Enable the RADIUS debugging of sending and receiving packet conditions.

    primitive Enable the RADIUS primitive debugging.

    Command Mode

    Privileged user mode


Chapter 2 Terminal Access Security Configuration Commands

    Terminal access security configuration commands include:

- enable password
- login

    2.1 enable password

To configure a password for the privileged user, use the enable password command.

enable [ password password ]

    Syntax Description

password  Privileged user password, 1 to 16 characters (letters or digits).

    Default

    None.

    Command Mode

    Global configuration mode

    Usage Guideline

The privileged user password is configured to prevent unauthorized access. If you are going to be away from the terminal for a long time, leave the command line interface with the exit command so that the unattended session cannot be used by someone else.

    Example

    ! The following example sets the privileged user password for the router to quidway.

    Quidway(config)#enable password quidway

    Related Command

    enable, disable

    2.2 login

To turn on authentication of terminal users, use the login command. To return to the default, that is, to turn off authentication of terminal users, use the no form of this command.

login { async | con | hwtty | pad | telnet }

no login { async | con | hwtty | pad | telnet }


    Default

Authentication of terminal users is turned off.

    Command Mode

    Global configuration mode

    Usage Guideline

Five terminal user authentication functions can be configured to prevent unauthorized access.

- Async terminal user (async): disconnected if authentication fails three times in remote configuration mode.
- Console port terminal user (con): controls login authentication at the Console port and the AUX port; after a failure the user is asked to authenticate again rather than being disconnected.
- Dumb terminal access user (hwtty): the dumb terminal connection is shut down if authentication fails three times.
- Remote X.25 PAD calling user (pad): the X.25 PAD connection is shut down if authentication fails three times.
- Telnet terminal user (telnet): the Telnet connection is shut down if authentication fails three times.

    Example

    ! The following example turns on the Telnet terminal user authentication switch.

    Quidway(config)#login telnet

    Related Command

aaa-enable, aaa authentication, user callback-dialstring, user password, user calling-station-id, user ftp-directory, user service-type


    Chapter 3 Firewall Configuration Commands

    Firewall configuration commands include:

- access-list
- clear access-list counters
- firewall
- firewall default
- ip access-group
- settr
- timerange
- show access-list
- show firewall
- show isintr
- show timerange
- debug filter

    3.1 access-list

To create an access control list, use the access-list command. To return to the default, that is, to delete the specified access control list, use the no form of this command.

1) Creating a standard access control list

access-list [ normal | special ] access-list-number1 { deny | permit } { any | source-addr [ source-wildcard-mask ] }

2) Creating an extended access control list

access-list [ normal | special ] access-list-number2 { deny | permit } protocol { any | source-addr source-wildcard-mask } [ operator port1 [ port2 ] ] { any | destination-addr destination-wildcard-mask } [ operator port1 [ port2 ] ] [ icmp-type [ icmp-code ] ] [ log ]

3) Configuring the matching order of an access control list

access-list [ normal | special ] access-list-number sort [ auto | manual ]

4) Deleting an access control list

no access-list { normal | special } { all | access-list-number [ subitem ] }

    Syntax Description

normal  The rule is added to the normal rule set, which is in force outside the special time range.

special  The rule is added to the special rule set, which is in force inside the special time range.

access-list-number1  Serial number of a standard access control list. Ranging 1 to 99.

access-list-number2  Serial number of an extended access control list. Ranging 100 to 199.

access-list-number  Serial number of a standard or extended access control list. Ranging 1 to 199.

permit  Matching packets are permitted.

deny  Matching packets are denied.


protocol  Protocol type, such as ICMP, TCP or UDP. Port comparison is only available when the protocol is TCP or UDP.

source-addr  Source address.

source-wildcard-mask  Wildcard mask for the source address; optional in a standard access control list. When omitted it stands for the mask 0.0.0.0, that is, the address must match exactly.

destination-addr  Destination address.

destination-wildcard-mask  Wildcard mask for the destination address.

operator  Port operator (optional), supported when the protocol is TCP or UDP: eq (equal), gt (greater than), lt (less than), neq (not equal to) or range. range must be followed by two ports.

port1  Application port number when the protocol is TCP or UDP. Ranging 0 to 65535.

port2  Application port number when the protocol is TCP or UDP and the operator is range. Ranging 0 to 65535.

icmp-type  Present when the protocol is ICMP; the ICMP packet type, either a preset keyword (like echo-reply) or any value ranging 0 to 255.

icmp-code  Present when the protocol is ICMP and a preset keyword was not used; the ICMP code, a value from 0 to 255.

sort  Configures the matching order of the access control list.

auto  Rules are sorted automatically by depth-first precedence: the rule with the more specific address range is matched first.

manual  Rules are matched in the order in which they were entered; the rule configured first is matched first.

log  Matching packets are logged.

subitem  Number of a single rule within access control list access-list-number; when given, only that rule is deleted instead of the whole list.

    Default

    No access control rule

    Command Mode

    Global configuration mode

    Usage Guideline

Configure the matching order (sort) of an access control list before adding its rules. To switch a list to the other matching mode, delete its rules first, change the mode, and then reconfigure the rules in the new mode.

Rules that share a list number are arranged and selected according to that mode; the resulting order (the rule number shown against each entry) can be displayed via the show access-list command.


    Example

! Deny RIP messages (UDP, port rip) in the rule list numbered 100.

Quidway(config)# access-list 100 deny udp any any eq rip

! Permit WWW traffic from the hosts of network 129.9.0.0 to the hosts of network 202.38.160.0, in list 100.

Quidway(config)# access-list 100 permit tcp 129.9.0.0 0.0.255.255 202.38.160.0 0.0.0.255 eq www

! In list 100, deny ICMP host redirect messages (keyword host-redirect) sent from network 1.1.0.0.

Quidway(config)# access-list 100 deny icmp 1.1.0.0 0.0.255.255 any host-redirect

! Deny connections from the hosts of network 129.9.0.0 to the WWW port (80) of the hosts of network 202.38.160.0, and log the packets that hit the rule, in list 100.

Quidway(config)# access-list 100 deny tcp 129.9.0.0 0.0.255.255 202.38.160.0 0.0.0.255 eq www log

! Permit connections from the hosts of network 129.9.8.0 to the WWW port (80) of the hosts of network 202.38.160.0, in list 100. Note that 129.9.8.0/24 lies inside the 129.9.0.0/16 range denied by the previous rule: in manual order the deny is consulted first and this permit never matches, whereas in auto order the more specific permit is consulted first.

Quidway(config)# access-list 100 permit tcp 129.9.8.0 0.0.0.255 202.38.160.0 0.0.0.255 eq www

! Deny Telnet (23) connections from any host to the host 202.38.160.1, in list 101.

Quidway(config)# access-list 101 deny tcp any 202.38.160.1 0.0.0.0 eq telnet

! Deny UDP (User Datagram Protocol) traffic from the hosts of network 129.9.8.0 to ports greater than 128 on the hosts of network 202.38.160.0, in list 102.

Quidway(config)# access-list 102 deny udp 129.9.8.0 0.0.0.255 202.38.160.0 0.0.0.255 gt 128

! The following example permits WWW access from source network 10.1.1.0 to destination network 10.1.2.0 and denies FTP between them.

Quidway(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www

Quidway(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp

    Related Command

    ip access-group
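First-match evaluation of the access-list syntax above, as an added example that is not part of this manual or of VRP: the parser accepts the command lines as printed on this page (wildcard masks, port operators, ICMP keywords, the log flag), evaluates a packet against a list in manual or auto order, and falls back to the firewall default attribute when nothing matches. The reading of sort auto as "fewest wildcard bits first", the port-name table, the packets and the function names are assumptions made for the demo.

```python
"""Added example, not VRP code: first-match evaluation of the access-list syntax above,
with wildcard masks, port operators, sort auto|manual and the firewall default attribute."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "rip": 520}
ICMP_TYPES = {"echo": (8, None), "echo-reply": (0, None), "host-redirect": (5, 1)}
ANY = (0, 0xFFFFFFFF)                 # address 0 with an all-ones wildcard matches everything
# A packet as the filter sees it; ICMP fields are -1 for other protocols.
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type icmp_code",
                    defaults=(0, 0, -1, -1))
# src/dst: (address, wildcard) ints; sport/dport: (operator, port1, port2); icmp: (type, code|None)
Rule = namedtuple("Rule", "number action proto src dst sport dport icmp",
                  defaults=(None, None, None))

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):
    """Parse `any` or `addr [wildcard]`; a missing wildcard means 0.0.0.0 (exact host)."""
    if t[i] == "any":
        return ANY, i + 1
    if i + 1 < len(t) and t[i + 1].count(".") == 3:
        return (_ip(t[i]), _ip(t[i + 1])), i + 2
    return (_ip(t[i]), 0), i + 1

def _op(t, i):
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq", "range"):
        n = 2 if t[i] == "range" else 1
        ports = [PORT_NAMES.get(x) or int(x) for x in t[i + 1:i + 1 + n]]
        return (t[i], ports[0], ports[-1]), i + 1 + n
    return None, i

def parse_rule(line: str) -> Rule:
    t = line.replace("Quidway(config)#", "").split()
    num, action = int(t[1]), t[2]
    if num <= 99:                     # standard list: source address only
        return Rule(num, action, "ip", _addr(t, 3)[0], ANY)
    src, i = _addr(t, 4)
    sop, i = _op(t, i)
    dst, i = _addr(t, i)
    dop, i = _op(t, i)
    rest = [x for x in t[i:] if x != "log"]       # what is left: icmp-type [icmp-code]
    icmp = None
    if t[3] == "icmp" and rest:
        icmp = ICMP_TYPES.get(rest[0]) or (int(rest[0]), int(rest[1]) if len(rest) > 1 else None)
    return Rule(num, action, t[3], src, dst, sop, dop, icmp)

def _in_net(addr: str, net: Tuple[int, int]) -> bool:
    a, wild = net                     # a set wildcard bit means "don't care"
    return (_ip(addr) | wild) == (a | wild)

def _port_ok(op, port: int) -> bool:
    if op is None:
        return True
    name, p1, p2 = op
    return {"eq": port == p1, "neq": port != p1, "gt": port > p1,
            "lt": port < p1, "range": p1 <= port <= p2}[name]

def matches(r: Rule, p: Packet) -> bool:
    ok = (r.proto in ("ip", p.proto) and _in_net(p.src, r.src) and _in_net(p.dst, r.dst)
          and _port_ok(r.sport, p.sport) and _port_ok(r.dport, p.dport))
    if ok and r.icmp:
        ok = p.icmp_type == r.icmp[0] and r.icmp[1] in (None, p.icmp_code)
    return ok

def specificity(r: Rule):
    """Assumed reading of `sort auto`: fewer wildcard bits and more qualifiers rank first."""
    wild_bits = bin(r.src[1]).count("1") + bin(r.dst[1]).count("1")
    return (wild_bits, -(bool(r.sport) + bool(r.dport) + bool(r.icmp)))

def filter_packet(rules, p, default="permit", sort="manual") -> Tuple[str, Optional[Rule]]:
    """First matching rule decides; with no match the firewall default attribute applies."""
    for r in (sorted(rules, key=specificity) if sort == "auto" else rules):
        if matches(r, p):
            return r.action, r
    return default, None

RULES_100 = [parse_rule(l) for l in (
    "access-list 100 permit tcp 129.9.0.0 0.0.255.255 202.38.160.0 0.0.0.255 eq www",
    "access-list 100 deny icmp 1.1.0.0 0.0.255.255 any host-redirect",
    "access-list 100 deny udp any any eq rip",
)]

def demo() -> Tuple[str, ...]:
    web = Packet("tcp", "129.9.8.1", "202.38.160.5", 40000, 80)
    ftp = Packet("tcp", "129.9.8.1", "202.38.160.5", 40001, 21)
    rip = Packet("udp", "10.0.0.1", "224.0.0.9", 520, 520)
    redirect = Packet("icmp", "1.1.5.5", "10.0.0.1", icmp_type=5, icmp_code=1)
    broad = parse_rule("access-list 102 permit tcp any any eq www")
    narrow = parse_rule("access-list 102 deny tcp 129.9.8.1 0.0.0.0 any eq www")
    return (filter_packet(RULES_100, web)[0],                   # permit, rule 1
            filter_packet(RULES_100, ftp)[0],                   # permit: no match, default permit
            filter_packet(RULES_100, ftp, default="deny")[0],   # deny: same packet, default deny
            filter_packet(RULES_100, rip)[0],                   # deny, rule 3
            filter_packet(RULES_100, redirect)[0],              # deny, rule 2
            filter_packet([broad, narrow], web, sort="manual")[0],  # permit: listed first
            filter_packet([broad, narrow], web, sort="auto")[0])    # deny: narrower first
```

The second and third results are the point of firewall default: the same FTP packet, matched by no rule in list 100, passes under the factory default of permit and is dropped only when default deny is configured or an explicit deny rule closes the list. The last two show why the page insists on choosing the matching order before writing rules.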


    3.2 clear access-list counters

To clear the counters of access control list rules, use the clear access-list counters command.

    clear access-list counters [ access-list-number]

    Syntax Description

access-list-number  Serial number of the access list whose rule counters are to be cleared. If not specified, the counters of all access rules are cleared.

    Default

    No clear access-list counters.

    Command Mode

    Privileged user mode

    Usage Guideline

This command clears the counters of the access rules currently in service. If no list number is specified, the counters of all access rules are cleared.

    Example

! The following example clears the counters of all the access rules whose serial number is 100.

Quidway#clear access-list counters 100

    ! The following example clears the counters of all the access rules currently in service.

    Quidway#clear access-list counters

    Related Command

    access-list

    3.3 firewall

    To enable or disable the firewall, use the firewall command.

    firewall { enable | disable }

    Syntax Description

    enable For enabling the firewall.

    disable For disabling the firewall.

    Default

    Firewall disable


    Command Mode

    Global configuration mode

    Usage Guideline

This command enables or disables the firewall; the result can be shown via the show firewall command. It is the master switch of the firewall: disabling the firewall also stops time-range packet filtering if that has been enabled, and the firewall statistics are deleted at the same time.

    Example

    ! The following example enables the firewall.

    Quidway(config)#firewall enable

    Related Command

    access-list, ip access-group

    3.4 firewall default

    To configure the default filter mode when there is no matching access rule, use thefirewall default command.

    firewall default { permit | deny }

    Syntax Description

    permit Default filter attribute is permit .

    deny Default filter attribute is deny .

    Default

permit.

    Command Mode

    Global configuration mode

    Usage Guideline

If none of the access rules applied at the interface decides whether a packet is permitted or denied, the default filter attribute applies: with permit the packet passes, with deny it is dropped. Because the factory default is permit, an access list that only permits the wanted traffic blocks nothing else until a final deny rule is added to the list or firewall default deny is configured; check with show firewall which default is in force.

    Example

    ! The following example sets the default filter attribute to Permitted .

    Quidway(config)#firewall default permit


    3.5 ip access-group

To apply an access control list at an interface, use the ip access-group command. To return to the default, that is, to delete the corresponding setting, use the no form of this command.

ip access-group access-list-number { in | out }

no ip access-group access-list-number { in | out }

    Syntax Description

    access-list-number Serial number of access control lists. Ranging 1 to 199.

    in Access rule is used to filter the packet received from the interface.

    out Access rule is used to filter the packet sent from the interface.

    Default

    no ip access-group.

    Command Mode

    Interface configuration mode.

    Usage Guideline

This command applies access rules at an interface. Use in to filter packets received on the interface and out to filter packets forwarded out of it; if no direction is given, out is assumed. Up to 20 access rules can be applied in one direction of an interface; they are arranged in ascending order of priority. Packet filtering stops at the first matching rule, so it is recommended to place the rules concerning the same network in one access control list with the same number, where the arrangement of rules and the selection sequence can be shown via the show access-list command.

    Example

    ! The following example applies access control list rule 101 to filter the packet received

    from the Ethernet interface.

    Quidway(config-if-Ethernet0)#ip access-group 101 in

    Related Command

    access-list

    3.6 settr

To set a special time range, use the settr command. To return to the default, that is, to delete the special time range, use the no form of this command.


settr { begin-time end-time } ...

    no settr

    Syntax Description

    begin-time Begin time of the special time range, in the hh:mm format

end-time  End time of the special time range, in the hh:mm format; it must be later than the begin time.

    Default

    No settr, that is, all are set to normal time ranges.

    Command Mode

    Global configuration mode

    Usage Guideline

This command sets the special time range. Up to six ranges can be set at the same time; show timerange displays them. Changing a range that is in use takes effect within a minute (the interval at which the system queries the time). Times are given in the 24-hour system, and each end time must be later than its begin time, so a range that crosses midnight, such as 9 pm to 8 am, is written as two ranges: settr 21:00 23:59 0:00 8:00. Both ends of a range belong to it, so with that setting no switch between rule sets takes place at midnight. The setting is Y2K-compliant.

    Example

    ! The following example sets the time range as 8:30 - 12:00, 14:00 - 17:00.

    Quidway(config)#settr 8:30 12:00 14:00 17:00

    Related Command

    timerange, show timerange

    3.7 timerange

    To enable or disable the timerange packet filter function, use the timerange command.

    timerange { enable | disable }

    Syntax Description

    enable For enabling the timerange packet filter function.

    disable For disabling the timerange packet filter function.

    Default

    Timerange disable.


    Command Mode

    Global configuration mode

    Usage Guideline

This command enables or disables time-range packet filtering. The configuration result can be shown via the show firewall command or the show timerange command. When the function is enabled, the system decides according to the current time and the set time range whether the access rules inside the time range (special) or outside it (normal) are used. The system queries the time with a precision of 1 minute, and both ends of a set time range belong to the range.

    Example

! The following example enables the timerange packet filter function.

Quidway(config)#timerange enable

    Related Command

    settr, show timerange
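The time-range decision described under settr and timerange, as an added example that is not part of this manual or of VRP: settr arguments are parsed into minute-of-day ranges with the page's limits (at most six ranges, end later than begin), the current minute is tested against them with inclusive endpoints and one-minute precision, and the result selects the special or normal rule set. The function names and the sample clock times are assumptions made for the demo.

```python
"""Added example, not VRP code: the timerange decision made from settr ranges."""
from typing import List, Tuple

MAX_RANGES = 6                            # settr accepts at most six ranges

def _minute_of_day(hhmm: str) -> int:
    """'hh:mm' or 'hh:mm:ss' -> minutes since midnight. Seconds are dropped because
    the system queries the time with one-minute precision."""
    h, m = (int(x) for x in hhmm.split(":")[:2])
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError("time must be hh:mm in the 24-hour system")
    return h * 60 + m

def parse_settr(args: str) -> List[Tuple[int, int]]:
    """Turn the argument list of `settr { begin-time end-time } ...` into
    (begin, end) minute pairs, enforcing the constraints the page states."""
    toks = args.split()
    if not toks or len(toks) % 2:
        raise ValueError("settr needs begin-time end-time pairs")
    if len(toks) // 2 > MAX_RANGES:
        raise ValueError("at most six time ranges may be set")
    ranges = []
    for b, e in zip(toks[::2], toks[1::2]):
        begin, end = _minute_of_day(b), _minute_of_day(e)
        if end <= begin:
            raise ValueError(f"end time {e} must be later than begin time {b}")
        ranges.append((begin, end))
    return ranges

def is_in_tr(ranges: List[Tuple[int, int]], now: str) -> bool:
    """What `show isintr` answers: both ends of every range belong to it."""
    minute = _minute_of_day(now)
    return any(b <= minute <= e for b, e in ranges)

def rule_set(timerange_enabled: bool, ranges: List[Tuple[int, int]], now: str) -> str:
    """Which rule set is consulted at `now`: the special set inside a range while
    timerange is enabled, the normal set otherwise."""
    return "special" if timerange_enabled and is_in_tr(ranges, now) else "normal"

def overnight_demo() -> Tuple[bool, bool, bool, bool]:
    # 9 pm to 8 am has to be written as two ranges that meet at midnight.
    night = parse_settr("21:00 23:59 0:00 8:00")
    return (is_in_tr(night, "23:59:45"),  # True: seconds ignored, 23:59 inclusive
            is_in_tr(night, "00:00"),     # True: the second range starts at midnight
            is_in_tr(night, "08:00"),     # True: the end time is inclusive
            is_in_tr(night, "08:01"))     # False: one minute past the range
```

overnight_demo() makes the page's midnight advice concrete: with 23:59 and 0:00 both inside their ranges there is no minute at which the special rules lapse, so the two-range form really is a continuous night window.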

    3.8 show access-list

To show packet filter rules and their application at the interfaces, use the show access-list command.

show access-list [ all | access-list-number | interface type number ]

    Syntax Description

    all Show all the rules, including the access rules within the normal and special time

    ranges.

access-list-number  Show the rules of the access control list numbered access-list-number that is currently in use.

interface  Show the numbers of the access lists applied at the interface.

    type Type of the interface.

    number Number of the interface.

    Command Mode

    Privileged user mode

    Usage Guideline

This command shows the specified rules and how packets have been filtered by them. Each rule has a counter that increases by 1 whenever a packet is filtered on the basis of that rule. Watching the counters tells you which of the configured rules actually match traffic and which are essentially ineffective; a counter on a deny rule that keeps climbing is worth investigating.


    Example

    ! The following example shows the currently used rule with a number of 100.

Quidway#show access-list 100

Using normal packet-filtering access rules now.
100 deny icmp 10.1.0.0 0.0.255.255 any host-redirect (3 matches,252 bytes -- rule 1)
100 permit icmp 10.1.0.0 0.0.255.255 any echo (no matches -- rule 2)
100 deny udp any any eq rip (no matches -- rule 3)

    ! The following example shows rule application at Serial0.

Quidway#show access-list interface serial 0

Serial0:
access-list filtering In-bound packets : 120
access-list filtering Out-bound packets: None

    Related Command

    access-list

    3.9 show firewall

    To show the status of the firewall, use the show firewall command.

    show firewall

    Command Mode

    Privileged user mode

    Usage Guideline

This command shows the status of the firewall: whether it is enabled, whether time-range packet filtering is enabled when the firewall is enabled, and some statistics about the firewall.

    Example

    ! The following example shows the status of the firewall

Quidway#show firewall

Firewall is enable, default filtering method is 'permit'.
TimeRange packet-filtering enable.
InBound packets: None;
OutBound packets: 0 packets, 0 bytes, 0% permitted,
                  0 packets, 0 bytes, 0% denied,
                  packets, 104 bytes, 100% permitted defaultly,
                  0 packets, 0 bytes, 100% denied defaultly.
From 00:13:02 to 06:13:21: 0 packets, 0 bytes, permitted.

    Related Command

    firewall


    3.10 show isintr

To show whether the current time is within the special time range, use the show isintr command.

    show isintr

    Command Mode

    Privileged user mode

    Usage Guideline

    This command is used to show if the current time is within the set special timerange.

    Example

    ! The following example shows if the current time is within the special timerange.

    Quidway#show isintr

    It is NOT in time ranges now.

    The information above shows that the current time is not within the special timerange.

    Related Command

    timerange, settr

3.11 show timerange

To show the information about timerange packet filtering, use the show timerange command.

    show timerange

    Command Mode

    Privileged user mode

    Usage Guideline

    This command is used to show if timerange packet filtering is currently enabled, and toshow the set timerange.

    Example

    ! The following example shows the information about timerange packet filtering.

Quidway#show timerange

TimeRange packet-filtering enable.
beginning of time range:
01:00 - 02:00
03:00 - 04:00
end of time range.


    Related Command

    timerange, settr

    3.12 debug filter

To enable the debugging information of the firewall, use the debug filter command. The no form of this command disables the corresponding debugging information of the firewall.

debug filter { all | icmp | tcp | udp }

no debug filter { all | icmp | tcp | udp }

    Syntax Description

    all Enable all the information debugging of the firewall.

    icmp Enable the ICMP send and receive packets debugging of the firewall.

    tcp Enable the TCP protocol information debugging of the firewall.

    udp Enable the UDP protocol information debugging of the firewall.

    Command Mode

    Privileged user mode


    Chapter 4 IPSec Configuration Commands

    IPSec configuration commands include:

• ah-new hash
• clear crypto sa
• clear crypto statistics
• crypto ipsec sa lifetime
• crypto ipsec transform
• crypto map (global mode)
• crypto map (interface mode)
• esp-new encrypt
• esp-new hash
• match address
• mode
• set local-address
• set peer
• set sa lifetime
• set session-key
• set transform
• transform
• show crypto ipsec sa
• show crypto ipsec sa lifetime
• show crypto ipsec statistic
• show crypto ipsec transform
• show crypto map
• debug ipsec

    4.1 ah-new hash

To set the authentication algorithm adopted by AH, use the ah-new hash command.

    To return to the default, use the no form of this command.

    ah-new hash { md5-hmac-96 | sha1-hmac-96 }

    no ah-new hash

    Syntax Description

    md5-hmac-96 MD5 is adopted.

    sha1-hmac-96 SHA1 is adopted.

    Default

    md5-hmac-96, that is the MD5 authentication algorithm.

    Command Mode

    IPSec transform configuration mode


    Usage Guideline

AH does not have an encryption function; it is only responsible for packet authentication.

The HMAC algorithm uses a cryptographic hash function to authenticate the message, and provides an integrity check based on a secret key. HMAC offers a framework into which various hash functions, such as SHA-1 and MD5, can be inserted, so as to implement data origin authentication and integrity protection, and to ensure that the data are not modified in transmission.

The sha1-hmac-96 algorithm operates on 64-byte data blocks and produces a 160-bit authentication value. The security protection is provided mainly by HMAC and then by the SHA-1 algorithm.

The md5-hmac-96 algorithm also operates on 64-byte data blocks and produces a 128-bit authentication value. The security protection is provided mainly by HMAC and then by the MD5 algorithm.

By comparison, MD5 is faster than SHA-1, while SHA-1 is more secure than MD5.

The IPSec transform method adopted by the security maps at both ends of the security tunnel must be set as using the same authentication method.

    Example

    ! The following example sets IPSec transform using AH and SHA1.

    Quidway(config)#crypto ipsec transform trans1

    Quidway(config-crypto-transform-trans1)#transform ah-new

    Quidway(config-crypto-transform-trans1)#ah-new hash sha1-hmac-96

    Related Command

crypto ipsec transform, set transform, set session-key, transform

    4.2 clear crypto sa

To delete an SA (security association), use the clear crypto sa command.

clear crypto sa { all | peer ip-address | map map-name [ map-number ] | entry dest-address protocol spi }

    Syntax Description

    all Delete all the SAs.

    peer Delete an SA whose peer address is ip-address.

    ip-address Specify peer address, in the IP address format: A.B.C.D.

map Delete the SA in a security map group whose name is map-name, with the serial number of the security map being map-number.

    map-name Specify the name of the security map group.

    entry Delete the unique SA defined by the destination address, protocol, and SPI.


    dest-address Specify the destination IP address in the format: A.B.C.D.

protocol Specify the protocol by inputting the key word ah or esp, case insensitive.

    spi Specify the security parameter index (SPI), ranging 256 to 4294967295.

    Command Mode

    Privileged user mode

    Usage Guideline

This command is used to delete an SA already set up (manually or through IKE negotiation).

If a packet re-triggers IKE negotiation after an SA set up through IKE negotiation is deleted, IKE will reestablish an SA through negotiation.

If an SA set up manually is deleted, the system will set up a new SA according to the parameters manually set. To prevent the system from setting up a new SA, you can delete some of the parameters manually set in the map in manual mode. (If the parameters set in the map are not complete, the manually set SA will not be created.)

    Example

    ! The following example deletes all the SAs.

    Quidway#clear crypto sa all

    ! The following example deletes an SA whose peer IP address is 10.1.1.2.

    Quidway#clear crypto sa peer 10.1.1.2

    ! The following example deletes the SAs in map1.

    Quidway#clear crypto sa map map1

! The following example deletes an SA whose peer IP address is 10.1.1.2, security protocol is AH, and SPI is 10000.

    Quidway#clear crypto sa entry 10.1.1.2 ah 10000

    Related Command

    show crypto ipsec sa

    4.3 clear crypto statistics

    To clear IPSec message statistics, use the clear crypto statistics command.

    clear crypto statistics

    Command Mode

    Privileged user mode

    Usage Guideline

    Clear IPSec message statistics, and all the statistics are set to zero.


    Example

    ! Clear IPSec message statistics.

    Quidway# clear crypto statistics

    Related Command

    show crypto ipsec statistics

    4.4 crypto ipsec sa lifetime

    To set a global crypto SA lifetime, use the crypto ipsec sa lifetime command. To

    return to the default, use the no form of this command.

crypto ipsec sa lifetime { seconds seconds | kilobytes kilobytes }

    no crypto ipsec sa lifetime { seconds | kilobytes }

    Syntax Description

seconds Global crypto lifetime in seconds, ranging 30 to 4294967295 seconds.

kilobytes Global crypto lifetime in kilobytes, ranging 256 to 4194303 kilobytes.

    Default

    By default, seconds is 3600 seconds (1 hour).

    By default, kilobytes is 1843200.

    Command Mode

    Global configuration

    Usage Guideline

This command is used to change the global SA lifetime. All SAs that have not been configured individually in crypto map mode will adopt this global lifetime.

When IKE negotiates to set up an SA for IPSec, the lesser of the lifetime set locally and that proposed by the peer is selected.

There are two types of lifetime: time-based and traffic-based. Whichever expires first, the SA becomes invalid. Before the SA is about to become invalid, IKE negotiates a new SA for IPSec, so that a new SA is ready before the existing one expires.

Modifying the global lifetime will not affect a map that has individually set up its own lifetime, or an SA already set up. But the modified global lifetime will be used to set up new SAs in future IKE negotiations.

The secret key in the SA is invalidated when the SA is invalidated. A short lifetime makes it more difficult for an attacker to break the key, as the attacker can obtain less data encrypted under the same key. However, a short lifetime uses more CPU resources to set up new SAs.


The lifetime does not apply to an SA set up manually, that is, a manually set up SA will never be invalidated.
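The lifetime rules above (lesser of local and peer-proposed values, two independent limits with whichever expires first governing, early renegotiation, manual SAs never expiring) as an added Python model. This is not code from the manual or from the router software; the 90% rekey threshold, the 1024-byte kilobyte and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Defaults stated for the crypto ipsec sa lifetime command.
DEFAULT_SECONDS = 3600
DEFAULT_KILOBYTES = 1843200

# Assumption (the manual only says "before the SA is about to get invalid"):
# start negotiating the replacement SA once 90% of either limit is consumed.
REKEY_FRACTION = 0.9
BYTES_PER_KILOBYTE = 1024   # assumption


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


def negotiate_lifetime(local: Lifetime, peer_proposal: Lifetime) -> Lifetime:
    """IKE keeps the lesser of the local setting and the peer's proposal, per limit."""
    return Lifetime(min(local.seconds, peer_proposal.seconds),
                    min(local.kilobytes, peer_proposal.kilobytes))


def effective_lifetime(global_lt: Lifetime, map_lt: Optional[Lifetime]) -> Lifetime:
    """A crypto map with its own 'set sa lifetime' keeps it; others use the global value."""
    return map_lt if map_lt is not None else global_lt


@dataclass
class IpsecSa:
    lifetime: Lifetime
    manual: bool = False        # manually keyed SAs are never invalidated by lifetime
    age_seconds: int = 0
    bytes_protected: int = 0

    def account(self, elapsed_seconds: int, packet_bytes: int) -> None:
        """Charge elapsed time and protected traffic against both limits."""
        self.age_seconds += elapsed_seconds
        self.bytes_protected += packet_bytes

    def state(self) -> str:
        """'active', 'rekey' (negotiate the successor now) or 'expired'."""
        if self.manual:
            return "active"
        time_used = self.age_seconds / self.lifetime.seconds
        traffic_used = self.bytes_protected / (self.lifetime.kilobytes * BYTES_PER_KILOBYTE)
        used = max(time_used, traffic_used)     # the closer limit governs
        if used >= 1.0:
            return "expired"
        if used >= REKEY_FRACTION:
            return "rekey"
        return "active"


def demo_states() -> List[str]:
    """Drive one negotiated SA through its lifetime and collect the states seen."""
    # Local setting is the manual's example (7200 s, 10000 KB); the peer proposes 3600 s, 20000 KB.
    sa = IpsecSa(negotiate_lifetime(Lifetime(7200, 10000), Lifetime(3600, 20000)))
    states = [sa.state()]
    sa.account(1000, 5_000_000)     # time 28%, traffic 49%  -> active
    states.append(sa.state())
    sa.account(0, 5_000_000)        # traffic 98%            -> rekey
    states.append(sa.state())
    sa.account(0, 300_000)          # traffic over the limit -> expired
    states.append(sa.state())
    manual = IpsecSa(Lifetime(30, 256), manual=True)
    manual.account(10_000, 10**9)   # far past both limits, still active
    states.append(manual.state())
    return states


if __name__ == "__main__":
    print(demo_states())
```

The negotiated SA in demo_states() is capped at 3600 seconds by the peer and at 10000 kilobytes by the local side, which is why the traffic limit is the one that triggers rekeying here.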

    Example

    ! The following example sets the global SA lifetime to 2 hours.

    Quidway(config)#crypto ipsec sa lifetime seconds 7200

    ! The following example sets the global crypto SA lifetime to 10M bytes transmitted.

    Quidway(config)#crypto ipsec sa lifetime kilobytes 10000

    Related Command

    set sa lifetime, show crypto ipsec sa lifetime

    4.5 crypto ipsec transform

To create or modify a transform method named transform-name, and enter the crypto transform configuration mode, use the crypto ipsec transform command. To return to the default, so as to delete the specified transform set, use the no form of this command.

    crypto ipsec transform transform-name

    no crypto ipsec transform

    Syntax Description

    transform-name Name of the specified transform set.

    Command Mode

    Global configuration mode

    Usage Guideline

This transform method is a combination of the security protocol, algorithm and packet encapsulation mode for implementing IPSec protection. A crypto map determines the protocol, algorithm and encapsulation mode to be adopted by the use of the transform set. Before the crypto map uses a transform set, this transform set must have already been set up.

The transform sets adopted by the crypto maps at both ends of the security tunnel must be set as having the same protocol, algorithm and encapsulation mode.

Each SA set up manually can only use one transform set.

Each SA set up through IKE negotiation can use six transform sets at most. IKE negotiation searches for a completely matching transform set at both ends of the security tunnel.

    Example

    ! The following example sets a transform set whose name is newtrans1.

    Quidway(config)#crypto ipsec transform newtrans1


    Related Command

ah-new hash, esp-new encrypt, esp-new hash, mode, set transform, show crypto ipsec transform, transform

    4.6 crypto map (global mode)

To create or modify a crypto map, and enter the crypto map configuration mode, use the crypto map command. To return to the default, so as to delete the specified crypto map, use the no form of this command.

crypto map map-name seq-num [ manual | isakmp ]

no crypto map map-name [ seq-num ]

    Syntax Description

    map-name Name of the crypto map. Ranging 1 to 30 characters.

seq-num Sequence number of the crypto map. Ranging 0 to 10000.

    manual Set up SA manually.

    isakmp Set up SA through IKE negotiation.

    Default

    No crypto map

    Command Mode

    Global configuration mode

    Usage Guideline

This command is used to create or modify a crypto map. To create a crypto map, it is necessary to specify the negotiation mode (manual or isakmp). To modify the crypto map, it is not necessary to specify a negotiation mode.

Once the crypto map is created, its negotiation mode can not be modified. For example: if a crypto map is created in manual mode, it can not be changed to isakmp mode, and this crypto map must be deleted before a new one can be created.

Crypto maps with the same name constitute a crypto map group. The name and sequence number are used together to define a unique crypto map. In a crypto map group, 100 crypto maps can be set at maximum. Within a crypto map group, the smaller the sequence number of a crypto map is, the higher its preference. Applying a crypto map group at an interface means applying multiple crypto maps in the group, so that different data streams can be protected with different SAs.

The no crypto map map-name command is used to delete a crypto map whose name is map-name; and the no crypto map map-name seq-num command is used to delete a crypto map whose name is map-name and sequence number is seq-num.

If IKE is setting up an SA for crypto map negotiation, then the crypto map can not be deleted.


If a crypto map is the only one in a crypto map group and this group has been applied at the interface, then this group must be deleted from the interface (no longer applied at this interface) before the crypto map can be deleted.

    Example

! The following example sets a crypto map whose name is newmap1, sequence number is 100, and negotiation mode is isakmp.

    Quidway(config)#crypto map newmap1 100 isakmp

    Related Command

    crypto map (interface mode), match address, set local-address, set peer,

    set sa lifetime, set session-key, set transform, show crypto map

    4.7 crypto map (interface mode)

To apply a crypto map group at the interface, use the crypto map command. To cancel the crypto map group, use the no form of this command.

crypto map map-name

    no crypto map

    Syntax Description

    map-name Specify the name of a crypto map group applied at the interface.

    Command Mode

    Interface configuration mode

    Usage Guideline

At an interface, only one crypto map group can be applied. A crypto map group can only be applied at one interface.

When a packet is sent from an interface, it searches every crypto map in the crypto map group by sequence number in ascending order. If the packet matches the access control list used by a crypto map, then this crypto map is used to process the packet; otherwise it continues to search the next crypto map. If the packet does not match any of the access control lists used by all the crypto maps, it will be transmitted directly (that is, IPSec will not protect the packet).

To prevent transmitting any unencrypted packet from the interface, it is necessary to use the firewall together with IPSec; the firewall is for dropping all the packets that do not need to be encrypted.

The crypto map group being applied at the interface must be deleted before another group is applied at the interface.

    Example

    ! The following example applies a crypto map whose name is map1 at Serial 0.


    Quidway(config)#crypto map map1 100 manual

    Quidway(config)#interface serial 0

    Quidway(config-if-Serial0)#crypto map map1

    Related Command

    crypto map (global mode)

    4.8 esp-new encrypt

    To set the encryption algorithm adopted by ESP, use the esp-new encrypt command.

    To set the encryption algorithm to vacant, use the no form of this command.

    esp-new encrypt { 3des | des | blowfish | cast | skipjack }

    no esp-new encrypt

    Syntax Description

    des, 3des, blowfish, cast, skipjack Encryption algorithms popular all over the world.

    Default

    des, that is, data encryption standard algorithm.

    Command Mode

    IPSec transform configuration mode

    Usage Guideline

3des can meet the requirement of high confidentiality and security, but it is comparatively slow. The other algorithms can satisfy normal security requirements.

ESP enables a packet to be encrypted and authenticated concurrently, or it enables either encryption or authentication alone.

The encryption and authentication algorithms used by ESP can not both be set to a vacant value at the same time.

    Example

    ! The following example sets 3des.

    Quidway(config)#crypto ipsec transform trans1

    Quidway(config-crypto-transform-trans1)#transform esp-new

    Quidway(config-crypto-transform-trans1)#esp-new encrypt 3des

    Related Command

    crypto ipsec transform, esp-new hash, set transform, set session-key, transform


    4.9 esp-new hash

To set the authentication algorithm used by ESP, use the esp-new hash command. To return to the default, use the no form of this command.

esp-new hash { md5-hmac-96 | sha1-hmac-96 }

    no esp-new hash

    Syntax Description

    md5-hmac-96 Setting md5.

    sha1-hmac-96 Setting sha1.

    Default

    Default is md5-hmac-96, that is, MD5.

    Command Mode

    IPSec transform configuration mode

    Usage Guideline

The HMAC algorithm uses a cryptographic hash function to authenticate the message, and provides an integrity check based on a secret key. HMAC offers a framework into which various hash functions, such as SHA-1 and MD5, can be inserted, so as to implement data origin authentication and integrity protection, and to ensure that the data are not modified in transmission.

The sha1-hmac-96 algorithm operates on 64-byte data blocks and produces a 160-bit authentication value. The security protection is provided mainly by HMAC and then by the SHA-1 algorithm.

The md5-hmac-96 algorithm also operates on 64-byte data blocks and produces a 128-bit authentication value. The security protection is provided mainly by HMAC and then by the MD5 algorithm.

By comparison, MD5 is faster than SHA-1, while SHA-1 is more secure than MD5.

ESP enables a packet to be encrypted and authenticated concurrently, or it enables either encryption or authentication alone. The encryption and authentication algorithms used by ESP can not both be set to vacant at the same time.

no esp-new hash does not restore the authentication algorithm to the default; instead it sets the authentication algorithm to vacant, i.e. no authentication. When the encryption algorithm is vacant, the no esp-new hash command is invalid.

The transform sets used by the crypto maps set at both ends of the security tunnel must be set as having the same authentication algorithm.
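The keyed-hash mechanism behind md5-hmac-96 and sha1-hmac-96, which this section and section 4.1 (ah-new hash) both describe, as an added Python example. It is not code from the manual or from the VRP software: it computes HMAC with SHA-1 or MD5 over a constructed sample packet, truncates the result to the leftmost 96 bits (the "-96" in the keyword), and shows that a modified packet, a different algorithm or a different key at the receiving end is rejected. The key, the sample packet and the function names are assumptions for illustration.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample values (not from the manual): a shared authentication key
# and a few bytes standing in for the packet to be authenticated.
SAMPLE_KEY = b"example-shared-authentication-key"
SAMPLE_PACKET = b"\x45\x00\x00\x3c" + b"payload-of-an-ip-packet"


def full_digest_bits(algorithm: str) -> int:
    """Output size of the underlying hash before truncation: 160 for SHA-1, 128 for MD5."""
    return getattr(hashlib, algorithm)().digest_size * 8


def hmac_96(key: bytes, data: bytes, algorithm: str) -> bytes:
    """Keyed HMAC over data, truncated to the leftmost 96 bits (12 bytes).

    algorithm is 'sha1' or 'md5', corresponding to the sha1-hmac-96 and
    md5-hmac-96 keywords of the ah-new hash and esp-new hash commands.
    """
    if algorithm not in ("sha1", "md5"):
        raise ValueError("unsupported algorithm: " + algorithm)
    full = hmac.new(key, data, getattr(hashlib, algorithm)).digest()
    return full[:12]    # both 160-bit and 128-bit outputs are cut to 96 bits on the wire


def verify_96(key: bytes, data: bytes, algorithm: str, received_icv: bytes) -> bool:
    """Receiver side: recompute the truncated HMAC and compare in constant time."""
    return hmac.compare_digest(hmac_96(key, data, algorithm), received_icv)


def demo() -> Dict[str, object]:
    """Both ends must share key and algorithm; any change to the data is detected."""
    icv = hmac_96(SAMPLE_KEY, SAMPLE_PACKET, "sha1")
    tampered = SAMPLE_PACKET[:-1] + b"X"
    return {
        "icv_len": len(icv),
        "sha1_full_bits": full_digest_bits("sha1"),
        "md5_full_bits": full_digest_bits("md5"),
        "ok": verify_96(SAMPLE_KEY, SAMPLE_PACKET, "sha1", icv),
        "tampered_rejected": not verify_96(SAMPLE_KEY, tampered, "sha1", icv),
        "wrong_algorithm_rejected": not verify_96(SAMPLE_KEY, SAMPLE_PACKET, "md5", icv),
        "wrong_key_rejected": not verify_96(b"other-key", SAMPLE_PACKET, "sha1", icv),
    }


if __name__ == "__main__":
    print(demo())
```

The "wrong_algorithm_rejected" entry is the concrete reason for the requirement that both ends of the tunnel configure the same authentication algorithm: an HMAC-MD5 tag never verifies against an HMAC-SHA1 computation even under the same key.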

    Example

! The following example sets a transform set that adopts ESP, is not encrypted, and uses sha1.


    Quidway(config)#crypto ipsec transform trans1

    Quidway(config-crypto-transform-trans1)#transform esp-new

    Quidway(config-crypto-transform-trans1)#esp-new hash sha1-hmac-96

    Quidway(config-crypto-transform-trans1)#no esp-new encrypt

    Related Command

crypto ipsec transform, esp-new encrypt, set transform, set session-key, transform

    4.10 match address

To set an access control list used by the crypto map, use the match address command. To return to the default, so as to delete the access control list used by the crypto map, use the no form of this command.

match address access-list-number

    no match address

    Syntax Description

access-list-number Specify the number of the access control list used by the crypto map. Ranging 1 to 199.

    Default

    No match address.

    Command Mode

    Crypto map configuration mode

    Usage Guideline

The access-list command is used to define the rules in an access control list. According to these rules, IPSec determines which packets need security protection and which do not. A packet permitted by the access control list will be protected, and a packet denied by the access control list will not be protected.

The access control list used by the crypto map does not decide which packets are permitted or denied at an interface. Only the access control list directly applied at the interface makes that decision.

    Example

    ! The following example sets the crypto map as using access control list 101.

    Quidway(config)#access-list 101 permit tcp 10.1.1.1 0.0.0.255 10.1.1.2 0.0.0.255

    Quidway(config)#access-list 101 deny ip any any

    Quidway(config)#crypto map beijing 100 manual

    Quidway(config-crypto-map-beijing-100)#match address 101
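The outbound selection described in section 4.7 (walk the crypto map group in ascending sequence order, first ACL permit wins, no match means the packet leaves unprotected) together with the permit/deny semantics of match address above, as an added Python model. This is not code from the manual or from the VRP software. It reproduces access-list 101 from the example with Cisco-style wildcard masks and adds a constructed second map entry (sequence 200, list 102) so the ordering is visible; the implicit deny at the end of a list, the firewall flag and all names are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Only the fields the ACL rules on this page look at."""
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    dst: str


@dataclass
class AclRule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every IP protocol
    src: str                # IPv4 address or "any"
    src_wild: str = "0.0.0.0"
    dst: str = "any"
    dst_wild: str = "0.0.0.0"


def addr_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a bit set in the wildcard is a 'don't care' bit."""
    if rule_addr == "any":
        return True
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & care == int(IPv4Address(rule_addr)) & care


def acl_permits(rules: List[AclRule], pkt: Packet) -> bool:
    """First matching rule decides. No match is treated as deny (assumption)."""
    for r in rules:
        if (r.proto in ("ip", pkt.proto)
                and addr_matches(pkt.src, r.src, r.src_wild)
                and addr_matches(pkt.dst, r.dst, r.dst_wild)):
            return r.action == "permit"
    return False


@dataclass
class CryptoMap:
    name: str
    seq: int
    acl: List[AclRule] = field(default_factory=list)   # the list given by 'match address'


def select_crypto_map(group: List[CryptoMap], pkt: Packet) -> Optional[CryptoMap]:
    """Walk the group by ascending sequence number; the first ACL permit wins."""
    for cmap in sorted(group, key=lambda m: m.seq):
        if acl_permits(cmap.acl, pkt):
            return cmap
    return None


def interface_send(group: List[CryptoMap], pkt: Packet,
                   firewall_drops_cleartext: bool = False) -> Tuple[str, Optional[int]]:
    """Outbound decision at the interface the group is applied to.

    ("protected", seq) when a crypto map claims the packet; otherwise
    ("cleartext", None): the packet leaves without IPSec protection. With the
    firewall rule the manual recommends, such packets are ("dropped", None).
    """
    chosen = select_crypto_map(group, pkt)
    if chosen is not None:
        return "protected", chosen.seq
    if firewall_drops_cleartext:
        return "dropped", None
    return "cleartext", None


# access-list 101 as in the manual's example: permit TCP between the two /24s, deny the rest.
ACL_101 = [
    AclRule("permit", "tcp", "10.1.1.1", "0.0.0.255", "10.1.1.2", "0.0.0.255"),
    AclRule("deny", "ip", "any", "0.0.0.0", "any", "0.0.0.0"),
]
# Constructed second list (not from the manual): protect all UDP through a second map entry.
ACL_102 = [AclRule("permit", "udp", "any", "0.0.0.0", "any", "0.0.0.0")]

# Group "beijing", listed out of order on purpose; the lookup sorts by sequence number.
SAMPLE_GROUP = [CryptoMap("beijing", 200, ACL_102), CryptoMap("beijing", 100, ACL_101)]

if __name__ == "__main__":
    for p in (Packet("tcp", "10.1.1.5", "10.1.1.200"),
              Packet("udp", "192.168.0.1", "10.1.1.200"),
              Packet("icmp", "10.1.1.5", "10.1.1.200")):
        print(p, interface_send(SAMPLE_GROUP, p))
```

Note that the deny rule in list 101 only stops map 100 from claiming the packet; the search then continues to map 200, and a packet no map claims is still forwarded in the clear unless the interface firewall drops it. This is why the manual pairs the crypto map with a firewall rule when no unencrypted traffic may leave the interface.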


    Related Command

crypto map (global mode), crypto map (interface mode), set local-address, set peer, set sa lifetime, set session-key, set transform

    4.11 mode

To set the encapsulation mode by which IPSec encrypts and authenticates IP packets, use the mode command. To return to the default, use the no form of this command.

    mode { transport | tunnel }

    no mode

    Syntax Description

    transport Setting transport mode.

    tunnel Setting tunnel mode.

    Default

    Tunnel.

    Command Mode

    IPSec transform configuration mode

    Usage Guideline

There are two encapsulation modes in which IPSec encrypts and authenticates IP packets: transport mode and tunnel mode. In transport mode, IPSec protects the data part of the IP packet and does not protect the IP header; in tunnel mode, IPSec protects the whole IP packet and adds a new IP header in front of it. The source and destination addresses of the new IP header are the IP addresses of the two ends of the tunnel.

Generally, tunnel mode is used between two security gateways (routers). A packet encrypted by a security gateway can only be decrypted by another security gateway, so the IP packet needs to be encrypted in tunnel mode, that is, a new IP header is added; the IP packet encapsulated in tunnel mode is sent to the other security gateway before it is decrypted.

Transport mode is suitable for communication between two hosts, or for communication between a host and a security gateway (such as network management communication between the management workstation and a router). In transport mode, the two devices responsible for encrypting and decrypting packets must be the original sender and receiver of the packet. Most of the data traffic between two security gateways is not originated by the security gateways themselves, so transport mode is not used between security gateways.

The transform sets used by the crypto maps set at both ends of the security tunnel must be set as having the same packet encapsulation mode.
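The two encapsulations as an added Python example, not code from the manual or from the VRP implementation. It builds real IPv4 headers with valid checksums and shows where the ESP header and the new outer header sit in each mode: transport mode keeps the original header in the clear and protects only what follows it, while tunnel mode wraps the whole original packet and addresses the outer header between the two gateways. Encryption and the integrity check value are deliberately left out (only header placement is modelled); the inner packet, gateway addresses, SPI and names are constructed, and headers are assumed to carry no options.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTOCOL = 50   # IP protocol number carried in the header that precedes ESP


def ipv4_checksum(header: bytes) -> int:
    """Standard IPv4 header checksum: one's complement of the one's complement sum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, protocol, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Fields needed to re-encapsulate: header length, TTL, protocol, addresses."""
    return {"ihl": (pkt[0] & 0x0F) * 4, "ttl": pkt[8], "proto": pkt[9],
            "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20]))}


def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: 32-bit SPI followed by a 32-bit sequence number."""
    return struct.pack("!II", spi, seq)


def transport_mode(ip_packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: original header stays (protocol rewritten to ESP), only the
    payload goes under ESP. The header is therefore not protected."""
    h = parse_ipv4_header(ip_packet)
    protected = esp_header(spi, seq) + ip_packet[h["ihl"]:]   # encryption/ICV omitted
    return build_ipv4_header(h["src"], h["dst"], ESP_PROTOCOL, len(protected), h["ttl"]) + protected


def tunnel_mode(ip_packet: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the entire original packet, header included, goes under ESP and a
    new outer header addressed between the two security gateways is prepended."""
    protected = esp_header(spi, seq) + ip_packet                # encryption/ICV omitted
    return build_ipv4_header(gw_src, gw_dst, ESP_PROTOCOL, len(protected)) + protected


# Constructed inner packet: host 192.168.1.10 -> host 192.168.2.20, protocol 6, 5 payload bytes.
SAMPLE_INNER = build_ipv4_header("192.168.1.10", "192.168.2.20", 6, 5) + b"hello"

if __name__ == "__main__":
    t = transport_mode(SAMPLE_INNER, 256, 1)
    u = tunnel_mode(SAMPLE_INNER, 256, 1, "10.0.0.1", "10.0.0.2")
    print("transport outer:", parse_ipv4_header(t), "len", len(t))
    print("tunnel outer:   ", parse_ipv4_header(u), "len", len(u))
```

In the tunnel-mode output the outer addresses are the gateway addresses and the original host-to-host header is found intact after the 8-byte ESP header, which is exactly what lets a gateway protect traffic it did not originate; in transport mode the outer header still names the original endpoints, so only those endpoints can terminate the SA.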


    Example

! The following example sets the transform set whose name is trans as having the transport mode.

    Quidway(config)#crypto ipsec transform trans

    Quidway(config-crypto-transform-trans)#mode transport

    Related Command

ah-new hash, crypto ipsec transform, esp-new encrypt, esp-new hash, set transform, transform

    4.12 set local-address

To set the local address of a security tunnel, use the set local-address command. To return to the default, so as to delete the local address set in the crypto map, use the no form of this command.

set local-address ip-address

    no set local-address

    Syntax Description

    ip-address Local address.

    Default

    No IP address at the local end of the security tunnel.

    Command Mode

    Crypto map configuration mode

    Usage Guideline

It is not necessary to set a local address for a crypto map in isakmp mode, so this command is invalid in that situation. IKE can automatically obtain the local address from the interface where the crypto map is applied.

For a crypto map in manual mode, it is necessary to set the local address before the SA can be created. A security tunnel is set up between the local and peer ends, so the local address and peer address must be correctly configured before a security tunnel can be set up.

    Example

! The following example sets the local address for the crypto map, which is applied at serial0 whose IP address is 10.0.0.1.

    Quidway(config)#crypto map guangzhou 100 manual

    Quidway(config-crypto-map-guangzhou-100)#set loca